eaw/esp-idf
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

AWS IoT Device SDK Support

Browse Source 
Use device cert/key embedded in firmware, or loaded from filesystem.
This commit is contained in:
Angus Gratton
2016-10-05 16:32:09 +11:00
parent 74817c35f3
commit da660b234c
32 changed files with 2076 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
components/aws_iot/Kconfig Normal file
View File

@@ -0,0 +1,32 @@
menuconfig AWS_IOT_SDK
bool "Amazon Web Services IoT Platform"
help
Select this option to enable support for the AWS IoT platform,
via the esp-idf component for the AWS IoT Device C SDK.
config AWS_IOT_MQTT_HOST
string "AWS IoT Endpoint Hostname"
depends on AWS_IOT_SDK
default ""
help
Default endpoint host name to connect to AWS IoT MQTT/S gateway
This is the custom endpoint hostname and is specific to an AWS
IoT account. You can find it by logging into your AWS IoT
Console and clicking the Settings button. The endpoint hostname
is shown under the "Custom Endpoint" heading on this page.
If you need per-device hostnames for different regions or
accounts, you can override the default hostname in your app.
config AWS_IOT_MQTT_PORT
int "AWS IoT MQTT Port"
depends on AWS_IOT_SDK
default 8883
range 0 65535
help
Default port number to connect to AWS IoT MQTT/S gateway
If you need per-device port numbers for different regions, you can
override the default port number in your app.

1
components/aws_iot/aws-iot-device-sdk-embedded-C Submodule

Submodule components/aws_iot/aws-iot-device-sdk-embedded-C added at 7132505b00

20
components/aws_iot/component.mk Normal file
View File

@@ -0,0 +1,20 @@
#
# Component Makefile
#
ifdef CONFIG_AWS_IOT_SDK
COMPONENT_ADD_INCLUDEDIRS := include aws-iot-device-sdk-embedded-C/include
COMPONENT_SRCDIRS := aws-iot-device-sdk-embedded-C/src port
# Check the submodule is initialised
COMPONENT_SUBMODULES := aws-iot-device-sdk-embedded-C
else
# Disable AWS IoT support
COMPONENT_ADD_INCLUDEDIRS :=
COMPONENT_ADD_LDFLAGS :=
COMPONENT_SRCDIRS :=
endif

60
components/aws_iot/include/aws_iot_config.h Normal file
View File

@@ -0,0 +1,60 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**
* @file aws_iot_config.h
* @brief AWS IoT specific configuration file
*/
#ifndef _AWS_IOT_CONFIG_H_
#define _AWS_IOT_CONFIG_H_
#include "aws_iot_log.h"
// This configuration macro needs to be available globally to enable threading
#define _ENABLE_THREAD_SUPPORT_
// These values are defined in the menuconfig of the AWS IoT component.
// However, you can override these constants from your own code.
#define AWS_IOT_MQTT_HOST CONFIG_AWS_IOT_MQTT_HOST ///< Customer specific MQTT HOST. The same will be used for Thing Shadow
#define AWS_IOT_MQTT_PORT CONFIG_AWS_IOT_MQTT_PORT ///< default port for MQTT/S
// These values are defaults and are used for ShadowConnectParametersDefault.
// You should override them from your own code.
#define AWS_IOT_MQTT_CLIENT_ID "ESP32" ///< MQTT client ID should be unique for every device
#define AWS_IOT_MY_THING_NAME "ESP32" ///< Thing Name of the Shadow this device is associated with
// MQTT PubSub
#define AWS_IOT_MQTT_TX_BUF_LEN 512 ///< Any time a message is sent out through the MQTT layer. The message is copied into this buffer anytime a publish is done. This will also be used in the case of Thing Shadow
#define AWS_IOT_MQTT_RX_BUF_LEN 512 ///< Any message that comes into the device should be less than this buffer size. If a received message is bigger than this buffer size the message will be dropped.
#define AWS_IOT_MQTT_NUM_SUBSCRIBE_HANDLERS 5 ///< Maximum number of topic filters the MQTT client can handle at any given time. This should be increased appropriately when using Thing Shadow
// Thing Shadow specific configs
#define SHADOW_MAX_SIZE_OF_RX_BUFFER (AWS_IOT_MQTT_RX_BUF_LEN + 1) ///< Maximum size of the SHADOW buffer to store the received Shadow message
#define MAX_SIZE_OF_UNIQUE_CLIENT_ID_BYTES 80 ///< Maximum size of the Unique Client Id. For More info on the Client Id refer \ref response "Acknowledgments"
#define MAX_SIZE_CLIENT_ID_WITH_SEQUENCE (MAX_SIZE_OF_UNIQUE_CLIENT_ID_BYTES + 10) ///< This is size of the extra sequence number that will be appended to the Unique client Id
#define MAX_SIZE_CLIENT_TOKEN_CLIENT_SEQUENCE (MAX_SIZE_CLIENT_ID_WITH_SEQUENCE + 20) ///< This is size of the the total clientToken key and value pair in the JSON
#define MAX_ACKS_TO_COMEIN_AT_ANY_GIVEN_TIME 10 ///< At Any given time we will wait for this many responses. This will correlate to the rate at which the shadow actions are requested
#define MAX_THINGNAME_HANDLED_AT_ANY_GIVEN_TIME 10 ///< We could perform shadow action on any thing Name and this is maximum Thing Names we can act on at any given time
#define MAX_JSON_TOKEN_EXPECTED 120 ///< These are the max tokens that is expected to be in the Shadow JSON document. Include the metadata that gets published
#define MAX_SHADOW_TOPIC_LENGTH_WITHOUT_THINGNAME 60 ///< All shadow actions have to be published or subscribed to a topic which is of the formablogt $aws/things/{thingName}/shadow/update/accepted. This refers to the size of the topic without the Thing Name
#define MAX_SIZE_OF_THING_NAME 20 ///< The Thing Name should not be bigger than this value. Modify this if the Thing Name needs to be bigger
#define MAX_SHADOW_TOPIC_LENGTH_BYTES (MAX_SHADOW_TOPIC_LENGTH_WITHOUT_THINGNAME + MAX_SIZE_OF_THING_NAME) ///< This size includes the length of topic with Thing Name
// Auto Reconnect specific config
#define AWS_IOT_MQTT_MIN_RECONNECT_WAIT_INTERVAL 1000 ///< Minimum time before the First reconnect attempt is made as part of the exponential back-off algorithm
#define AWS_IOT_MQTT_MAX_RECONNECT_WAIT_INTERVAL 128000 ///< Maximum time interval after which exponential back-off will stop attempting to reconnect.
#endif /* _AWS_IOT_CONFIG_H_ */

44
components/aws_iot/include/aws_iot_log.h Normal file
View File

@@ -0,0 +1,44 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#pragma once
/* (these two headers aren't used here, but AWS IoT SDK code relies on them
being included from here...) */
#include <stdio.h>
#include <stdlib.h>
#include "esp_log.h"
/* This is a stub replacement for the aws_iot_log.h header in the AWS IoT SDK,
which redirects their logging framework into the esp-idf logging framework.
The current (2.1.1) upstream AWS IoT SDK doesn't allow this as some of its
headers include aws_iot_log.h, but our modified fork does.
*/
// redefine the AWS IoT log functions to call into the IDF log layer
#define IOT_DEBUG(format, ...) ESP_LOGD("aws_iot", format, ##__VA_ARGS__)
#define IOT_INFO(format, ...) ESP_LOGI("aws_iot", format, ##__VA_ARGS__)
#define IOT_WARN(format, ...) ESP_LOGW("aws_iot", format, ##__VA_ARGS__)
#define IOT_ERROR(format, ...) ESP_LOGE("aws_iot", format, ##__VA_ARGS__)
/* Function tracing macros used in AWS IoT SDK,
mapped to "verbose" level output
*/
#define FUNC_ENTRY ESP_LOGV("aws_iot", "FUNC_ENTRY: %s L#%d \n", __func__, __LINE__)
#define FUNC_EXIT_RC(x) \
do { \
ESP_LOGV("aws_iot", "FUNC_EXIT: %s L#%d Return Code : %d \n", __func__, __LINE__, x); \
return x; \
} while(0)

64
components/aws_iot/include/network_platform.h Normal file
View File

@@ -0,0 +1,64 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Additions Copyright 2016 Espressif Systems (Shanghai) PTE LTD
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#ifndef IOTSDKC_NETWORK_MBEDTLS_PLATFORM_H_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "mbedtls/platform.h"
#include "mbedtls/net.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
#include "mbedtls/debug.h"
#include "mbedtls/timing.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* @brief TLS Connection Parameters
*
* Defines a type containing TLS specific parameters to be passed down to the
* TLS networking layer to create a TLS secured socket.
*/
typedef struct _TLSDataParams {
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
uint32_t flags;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
mbedtls_pk_context pkey;
mbedtls_net_context server_fd;
}TLSDataParams;
#define IOTSDKC_NETWORK_MBEDTLS_PLATFORM_H_H
#ifdef __cplusplus
}
#endif
#endif //IOTSDKC_NETWORK_MBEDTLS_PLATFORM_H_H

45
components/aws_iot/include/threads_platform.h Normal file
View File

@@ -0,0 +1,45 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Additions Copyright 2016 Espressif Systems (Shanghai) PTE LTD
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#include "threads_interface.h"
#ifndef AWS_IOTSDK_THREADS_PLATFORM_H
#define AWS_IOTSDK_THREADS_PLATFORM_H
#ifdef __cplusplus
extern "C" {
#endif
#include "freertos/FreeRTOS.h"
#include "freertos/semphr.h"
/**
* @brief Mutex Type
*
* definition of the Mutex struct. Platform specific
*
*/
struct _IoT_Mutex_t {
SemaphoreHandle_t mutex;
};
#ifdef __cplusplus
}
#endif
#endif /* AWS_IOTSDK_THREADS_PLATFORM_H */

40
components/aws_iot/include/timer_platform.h Normal file
View File

@@ -0,0 +1,40 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Additions Copyright 2016 Espressif Systems (Shanghai) PTE LTD
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#ifndef AWS_IOT_PLATFORM_H
#define AWS_IOT_PLATFORM_H
#ifdef __cplusplus
extern "C" {
#endif
#include <stdint.h>
#include "timer_interface.h"
/**
* definition of the Timer struct. Platform specific
*/
struct Timer {
uint32_t start_ticks;
uint32_t timeout_ticks;
uint32_t last_polled_ticks;
};
#ifdef __cplusplus
}
#endif
#endif /* AWS_IOT_PLATFORM_H */

408
components/aws_iot/port/network_mbedtls_wrapper.c Normal file
View File

@@ -0,0 +1,408 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Additions Copyright 2016 Espressif Systems (Shanghai) PTE LTD
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#include <sys/param.h>
#include <stdbool.h>
#include <string.h>
#include <timer_platform.h>
#include <network_interface.h>
#include "aws_iot_config.h"
#include "aws_iot_error.h"
#include "network_interface.h"
#include "network_platform.h"
#include "mbedtls/esp_debug.h"
#include "esp_log.h"
#include "esp_vfs.h"
static const char *TAG = "aws_iot";
/* This is the value used for ssl read timeout */
#define IOT_SSL_READ_TIMEOUT 10
/*
* This is a function to do further verification if needed on the cert received.
*
* Currently used to print debug-level information about each cert.
*/
static int _iot_tls_verify_cert(void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags) {
char buf[256];
((void) data);
if (LOG_LOCAL_LEVEL >= ESP_LOG_DEBUG) {
ESP_LOGD(TAG, "Verify requested for (Depth %d):", depth);
mbedtls_x509_crt_info(buf, sizeof(buf) - 1, "", crt);
ESP_LOGD(TAG, "%s", buf);
if((*flags) == 0) {
ESP_LOGD(TAG, " This certificate has no flags");
} else {
ESP_LOGD(TAG, "Verify result:%s", buf);
}
}
return 0;
}
static void _iot_tls_set_connect_params(Network *pNetwork, const char *pRootCALocation, const char *pDeviceCertLocation,
const char *pDevicePrivateKeyLocation, const char *pDestinationURL,
uint16_t destinationPort, uint32_t timeout_ms, bool ServerVerificationFlag) {
pNetwork->tlsConnectParams.DestinationPort = destinationPort;
pNetwork->tlsConnectParams.pDestinationURL = pDestinationURL;
pNetwork->tlsConnectParams.pDeviceCertLocation = pDeviceCertLocation;
pNetwork->tlsConnectParams.pDevicePrivateKeyLocation = pDevicePrivateKeyLocation;
pNetwork->tlsConnectParams.pRootCALocation = pRootCALocation;
pNetwork->tlsConnectParams.timeout_ms = timeout_ms;
pNetwork->tlsConnectParams.ServerVerificationFlag = ServerVerificationFlag;
}
IoT_Error_t iot_tls_init(Network *pNetwork, const char *pRootCALocation, const char *pDeviceCertLocation,
const char *pDevicePrivateKeyLocation, const char *pDestinationURL,
uint16_t destinationPort, uint32_t timeout_ms, bool ServerVerificationFlag) {
_iot_tls_set_connect_params(pNetwork, pRootCALocation, pDeviceCertLocation, pDevicePrivateKeyLocation,
pDestinationURL, destinationPort, timeout_ms, ServerVerificationFlag);
pNetwork->connect = iot_tls_connect;
pNetwork->read = iot_tls_read;
pNetwork->write = iot_tls_write;
pNetwork->disconnect = iot_tls_disconnect;
pNetwork->isConnected = iot_tls_is_connected;
pNetwork->destroy = iot_tls_destroy;
pNetwork->tlsDataParams.flags = 0;
return SUCCESS;
}
IoT_Error_t iot_tls_is_connected(Network *pNetwork) {
/* Use this to add implementation which can check for physical layer disconnect */
return NETWORK_PHYSICAL_LAYER_CONNECTED;
}
IoT_Error_t iot_tls_connect(Network *pNetwork, TLSConnectParams *params) {
int ret = SUCCESS;
TLSDataParams *tlsDataParams = NULL;
char portBuffer[6];
char info_buf[256];
if(NULL == pNetwork) {
return NULL_VALUE_ERROR;
}
if(NULL != params) {
_iot_tls_set_connect_params(pNetwork, params->pRootCALocation, params->pDeviceCertLocation,
params->pDevicePrivateKeyLocation, params->pDestinationURL,
params->DestinationPort, params->timeout_ms, params->ServerVerificationFlag);
}
tlsDataParams = &(pNetwork->tlsDataParams);
mbedtls_net_init(&(tlsDataParams->server_fd));
mbedtls_ssl_init(&(tlsDataParams->ssl));
mbedtls_ssl_config_init(&(tlsDataParams->conf));
#ifdef CONFIG_MBEDTLS_DEBUG
mbedtls_esp_enable_debug_log(&(tlsDataParams->conf), 4);
#endif
mbedtls_ctr_drbg_init(&(tlsDataParams->ctr_drbg));
mbedtls_x509_crt_init(&(tlsDataParams->cacert));
mbedtls_x509_crt_init(&(tlsDataParams->clicert));
mbedtls_pk_init(&(tlsDataParams->pkey));
ESP_LOGD(TAG, "Seeding the random number generator...");
mbedtls_entropy_init(&(tlsDataParams->entropy));
if((ret = mbedtls_ctr_drbg_seed(&(tlsDataParams->ctr_drbg), mbedtls_entropy_func, &(tlsDataParams->entropy),
(const unsigned char *) TAG, strlen(TAG))) != 0) {
ESP_LOGE(TAG, "failed! mbedtls_ctr_drbg_seed returned -0x%x", -ret);
return NETWORK_MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED;
}
/* Load root CA...
Certs/keys can be paths or they can be raw data. These use a
very basic heuristic: if the cert starts with '/' then it's a
path, if it's longer than this then it's raw cert data (PEM or DER,
neither of which can start with a slash. */
if (pNetwork->tlsConnectParams.pRootCALocation[0] == '/') {
ESP_LOGD(TAG, "Loading CA root certificate from file ...");
ret = mbedtls_x509_crt_parse_file(&(tlsDataParams->cacert), pNetwork->tlsConnectParams.pRootCALocation);
} else {
ESP_LOGD(TAG, "Loading embedded CA root certificate ...");
ret = mbedtls_x509_crt_parse(&(tlsDataParams->cacert), (const unsigned char *)pNetwork->tlsConnectParams.pRootCALocation,
strlen(pNetwork->tlsConnectParams.pRootCALocation)+1);
}
if(ret < 0) {
ESP_LOGE(TAG, "failed! mbedtls_x509_crt_parse returned -0x%x while parsing root cert", -ret);
return NETWORK_X509_ROOT_CRT_PARSE_ERROR;
}
ESP_LOGD(TAG, "ok (%d skipped)", ret);
/* Load client certificate... */
if (pNetwork->tlsConnectParams.pDeviceCertLocation[0] == '/') {
ESP_LOGD(TAG, "Loading client cert from file...");
ret = mbedtls_x509_crt_parse_file(&(tlsDataParams->clicert),
pNetwork->tlsConnectParams.pDeviceCertLocation);
} else {
ESP_LOGD(TAG, "Loading embedded client certificate...");
ret = mbedtls_x509_crt_parse(&(tlsDataParams->clicert),
(const unsigned char *)pNetwork->tlsConnectParams.pDeviceCertLocation,
strlen(pNetwork->tlsConnectParams.pDeviceCertLocation)+1);
}
if(ret != 0) {
ESP_LOGE(TAG, "failed! mbedtls_x509_crt_parse returned -0x%x while parsing device cert", -ret);
return NETWORK_X509_DEVICE_CRT_PARSE_ERROR;
}
/* Parse client private key... */
if (pNetwork->tlsConnectParams.pDevicePrivateKeyLocation[0] == '/') {
ESP_LOGD(TAG, "Loading client private key from file...");
ret = mbedtls_pk_parse_keyfile(&(tlsDataParams->pkey),
pNetwork->tlsConnectParams.pDevicePrivateKeyLocation,
"");
} else {
ESP_LOGD(TAG, "Loading embedded client private key...");
ret = mbedtls_pk_parse_key(&(tlsDataParams->pkey),
(const unsigned char *)pNetwork->tlsConnectParams.pDevicePrivateKeyLocation,
strlen(pNetwork->tlsConnectParams.pDevicePrivateKeyLocation)+1,
(const unsigned char *)"", 0);
}
if(ret != 0) {
ESP_LOGE(TAG, "failed! mbedtls_pk_parse_key returned -0x%x while parsing private key", -ret);
return NETWORK_PK_PRIVATE_KEY_PARSE_ERROR;
}
/* Done parsing certs */
ESP_LOGD(TAG, "ok");
snprintf(portBuffer, 6, "%d", pNetwork->tlsConnectParams.DestinationPort);
ESP_LOGD(TAG, "Connecting to %s/%s...", pNetwork->tlsConnectParams.pDestinationURL, portBuffer);
if((ret = mbedtls_net_connect(&(tlsDataParams->server_fd), pNetwork->tlsConnectParams.pDestinationURL,
portBuffer, MBEDTLS_NET_PROTO_TCP)) != 0) {
ESP_LOGE(TAG, "failed! mbedtls_net_connect returned -0x%x", -ret);
switch(ret) {
case MBEDTLS_ERR_NET_SOCKET_FAILED:
return NETWORK_ERR_NET_SOCKET_FAILED;
case MBEDTLS_ERR_NET_UNKNOWN_HOST:
return NETWORK_ERR_NET_UNKNOWN_HOST;
case MBEDTLS_ERR_NET_CONNECT_FAILED:
default:
return NETWORK_ERR_NET_CONNECT_FAILED;
};
}
ret = mbedtls_net_set_block(&(tlsDataParams->server_fd));
if(ret != 0) {
ESP_LOGE(TAG, "failed! net_set_(non)block() returned -0x%x", -ret);
return SSL_CONNECTION_ERROR;
} ESP_LOGD(TAG, "ok");
ESP_LOGD(TAG, "Setting up the SSL/TLS structure...");
if((ret = mbedtls_ssl_config_defaults(&(tlsDataParams->conf), MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
ESP_LOGE(TAG, "failed! mbedtls_ssl_config_defaults returned -0x%x", -ret);
return SSL_CONNECTION_ERROR;
}
mbedtls_ssl_conf_verify(&(tlsDataParams->conf), _iot_tls_verify_cert, NULL);
if(pNetwork->tlsConnectParams.ServerVerificationFlag == true) {
mbedtls_ssl_conf_authmode(&(tlsDataParams->conf), MBEDTLS_SSL_VERIFY_REQUIRED);
} else {
mbedtls_ssl_conf_authmode(&(tlsDataParams->conf), MBEDTLS_SSL_VERIFY_OPTIONAL);
}
mbedtls_ssl_conf_rng(&(tlsDataParams->conf), mbedtls_ctr_drbg_random, &(tlsDataParams->ctr_drbg));
mbedtls_ssl_conf_ca_chain(&(tlsDataParams->conf), &(tlsDataParams->cacert), NULL);
ret = mbedtls_ssl_conf_own_cert(&(tlsDataParams->conf), &(tlsDataParams->clicert), &(tlsDataParams->pkey));
if(ret != 0) {
ESP_LOGE(TAG, "failed! mbedtls_ssl_conf_own_cert returned %d", ret);
return SSL_CONNECTION_ERROR;
}
mbedtls_ssl_conf_read_timeout(&(tlsDataParams->conf), pNetwork->tlsConnectParams.timeout_ms);
if((ret = mbedtls_ssl_setup(&(tlsDataParams->ssl), &(tlsDataParams->conf))) != 0) {
ESP_LOGE(TAG, "failed! mbedtls_ssl_setup returned -0x%x", -ret);
return SSL_CONNECTION_ERROR;
}
if((ret = mbedtls_ssl_set_hostname(&(tlsDataParams->ssl), pNetwork->tlsConnectParams.pDestinationURL)) != 0) {
ESP_LOGE(TAG, "failed! mbedtls_ssl_set_hostname returned %d", ret);
return SSL_CONNECTION_ERROR;
}
ESP_LOGD(TAG, "SSL state connect : %d ", tlsDataParams->ssl.state);
mbedtls_ssl_set_bio(&(tlsDataParams->ssl), &(tlsDataParams->server_fd), mbedtls_net_send, NULL,
mbedtls_net_recv_timeout);
ESP_LOGD(TAG, "ok");
ESP_LOGD(TAG, "SSL state connect : %d ", tlsDataParams->ssl.state);
ESP_LOGD(TAG, "Performing the SSL/TLS handshake...");
while((ret = mbedtls_ssl_handshake(&(tlsDataParams->ssl))) != 0) {
if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
ESP_LOGE(TAG, "failed! mbedtls_ssl_handshake returned -0x%x", -ret);
if(ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
ESP_LOGE(TAG, " Unable to verify the server's certificate. ");
}
return SSL_CONNECTION_ERROR;
}
}
ESP_LOGD(TAG, "ok [ Protocol is %s ] [ Ciphersuite is %s ]", mbedtls_ssl_get_version(&(tlsDataParams->ssl)),
mbedtls_ssl_get_ciphersuite(&(tlsDataParams->ssl)));
if((ret = mbedtls_ssl_get_record_expansion(&(tlsDataParams->ssl))) >= 0) {
ESP_LOGD(TAG, " [ Record expansion is %d ]", ret);
} else {
ESP_LOGD(TAG, " [ Record expansion is unknown (compression) ]");
}
ESP_LOGD(TAG, "Verifying peer X.509 certificate...");
if(pNetwork->tlsConnectParams.ServerVerificationFlag == true) {
if((tlsDataParams->flags = mbedtls_ssl_get_verify_result(&(tlsDataParams->ssl))) != 0) {
ESP_LOGE(TAG, "failed");
mbedtls_x509_crt_verify_info(info_buf, sizeof(info_buf), " ! ", tlsDataParams->flags);
ESP_LOGE(TAG, "%s", info_buf);
ret = SSL_CONNECTION_ERROR;
} else {
ESP_LOGD(TAG, "ok");
ret = SUCCESS;
}
} else {
ESP_LOGW(TAG, " Server Verification skipped");
ret = SUCCESS;
}
if(LOG_LOCAL_LEVEL >= ESP_LOG_DEBUG) {
if (mbedtls_ssl_get_peer_cert(&(tlsDataParams->ssl)) != NULL) {
ESP_LOGD(TAG, "Peer certificate information:");
mbedtls_x509_crt_info((char *) info_buf, sizeof(info_buf) - 1, " ", mbedtls_ssl_get_peer_cert(&(tlsDataParams->ssl)));
ESP_LOGD(TAG, "%s", info_buf);
}
}
return (IoT_Error_t) ret;
}
IoT_Error_t iot_tls_write(Network *pNetwork, unsigned char *pMsg, size_t len, Timer *timer, size_t *written_len) {
size_t written_so_far;
bool isErrorFlag = false;
int frags, ret = 0;
TLSDataParams *tlsDataParams = &(pNetwork->tlsDataParams);
for(written_so_far = 0, frags = 0;
written_so_far < len && !has_timer_expired(timer); written_so_far += ret, frags++) {
while(!has_timer_expired(timer) &&
(ret = mbedtls_ssl_write(&(tlsDataParams->ssl), pMsg + written_so_far, len - written_so_far)) <= 0) {
if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
ESP_LOGE(TAG, "failed! mbedtls_ssl_write returned -0x%x", -ret);
/* All other negative return values indicate connection needs to be reset.
* Will be caught in ping request so ignored here */
isErrorFlag = true;
break;
}
}
if(isErrorFlag) {
break;
}
}
*written_len = written_so_far;
if(isErrorFlag) {
return NETWORK_SSL_WRITE_ERROR;
} else if(has_timer_expired(timer) && written_so_far != len) {
return NETWORK_SSL_WRITE_TIMEOUT_ERROR;
}
return SUCCESS;
}
IoT_Error_t iot_tls_read(Network *pNetwork, unsigned char *pMsg, size_t len, Timer *timer, size_t *read_len) {
TLSDataParams *tlsDataParams = &(pNetwork->tlsDataParams);
mbedtls_ssl_context *ssl = &(tlsDataParams->ssl);
mbedtls_ssl_config *ssl_conf = &(tlsDataParams->conf);
uint32_t read_timeout;
size_t rxLen = 0;
int ret;
read_timeout = ssl_conf->read_timeout;
while (len > 0) {
/* Make sure we never block on read for longer than timer has left,
but also that we don't block indefinitely (ie read_timeout > 0) */
mbedtls_ssl_conf_read_timeout(ssl_conf, MAX(1, MIN(read_timeout, left_ms(timer))));
ret = mbedtls_ssl_read(ssl, pMsg, len);
/* Restore the old timeout */
mbedtls_ssl_conf_read_timeout(ssl_conf, read_timeout);
if (ret > 0) {
rxLen += ret;
pMsg += ret;
len -= ret;
} else if (ret == 0 || (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_TIMEOUT)) {
return NETWORK_SSL_READ_ERROR;
}
// Evaluate timeout after the read to make sure read is done at least once
if (has_timer_expired(timer)) {
break;
}
}
if (len == 0) {
*read_len = rxLen;
return SUCCESS;
}
if (rxLen == 0) {
return NETWORK_SSL_NOTHING_TO_READ;
} else {
return NETWORK_SSL_READ_TIMEOUT_ERROR;
}
}
IoT_Error_t iot_tls_disconnect(Network *pNetwork) {
mbedtls_ssl_context *ssl = &(pNetwork->tlsDataParams.ssl);
int ret = 0;
do {
ret = mbedtls_ssl_close_notify(ssl);
} while(ret == MBEDTLS_ERR_SSL_WANT_WRITE);
/* All other negative return values indicate connection needs to be reset.
* No further action required since this is disconnect call */
return SUCCESS;
}
IoT_Error_t iot_tls_destroy(Network *pNetwork) {
TLSDataParams *tlsDataParams = &(pNetwork->tlsDataParams);
mbedtls_net_free(&(tlsDataParams->server_fd));
mbedtls_x509_crt_free(&(tlsDataParams->clicert));
mbedtls_x509_crt_free(&(tlsDataParams->cacert));
mbedtls_pk_free(&(tlsDataParams->pkey));
mbedtls_ssl_free(&(tlsDataParams->ssl));
mbedtls_ssl_config_free(&(tlsDataParams->conf));
mbedtls_ctr_drbg_free(&(tlsDataParams->ctr_drbg));
mbedtls_entropy_free(&(tlsDataParams->entropy));
return SUCCESS;
}

104
components/aws_iot/port/threads_freertos.c Normal file
View File

@@ -0,0 +1,104 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Additions Copyright 2016 Espressif Systems (Shanghai) PTE LTD
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "threads_platform.h"
#ifdef __cplusplus
extern "C" {
#endif
/**
* @brief Initialize the provided mutex
*
* Call this function to initialize the mutex
*
* @param IoT_Mutex_t - pointer to the mutex to be initialized
* @return IoT_Error_t - error code indicating result of operation
*/
IoT_Error_t aws_iot_thread_mutex_init(IoT_Mutex_t *pMutex) {
pMutex->mutex = xSemaphoreCreateRecursiveMutex();
return pMutex->mutex ? SUCCESS : MUTEX_INIT_ERROR;
}
/**
* @brief Lock the provided mutex
*
* Call this function to lock the mutex before performing a state change
* Blocking, thread will block until lock request fails
*
* @param IoT_Mutex_t - pointer to the mutex to be locked
* @return IoT_Error_t - error code indicating result of operation
*/
IoT_Error_t aws_iot_thread_mutex_lock(IoT_Mutex_t *pMutex) {
xSemaphoreTakeRecursive(pMutex->mutex, portMAX_DELAY);
return SUCCESS;
}
/**
* @brief Try to lock the provided mutex
*
* Call this function to attempt to lock the mutex before performing a state change
* Non-Blocking, immediately returns with failure if lock attempt fails
*
* @param IoT_Mutex_t - pointer to the mutex to be locked
* @return IoT_Error_t - error code indicating result of operation
*/
IoT_Error_t aws_iot_thread_mutex_trylock(IoT_Mutex_t *pMutex) {
if (xSemaphoreTakeRecursive(pMutex->mutex, 0)) {
return SUCCESS;
} else {
return MUTEX_LOCK_ERROR;
}
}
/**
* @brief Unlock the provided mutex
*
* Call this function to unlock the mutex before performing a state change
*
* @param IoT_Mutex_t - pointer to the mutex to be unlocked
* @return IoT_Error_t - error code indicating result of operation
*/
IoT_Error_t aws_iot_thread_mutex_unlock(IoT_Mutex_t *pMutex) {
if (xSemaphoreGiveRecursive(pMutex->mutex)) {
return SUCCESS;
} else {
return MUTEX_UNLOCK_ERROR;
}
}
/**
* @brief Destroy the provided mutex
*
* Call this function to destroy the mutex
*
* @param IoT_Mutex_t - pointer to the mutex to be destroyed
* @return IoT_Error_t - error code indicating result of operation
*/
IoT_Error_t aws_iot_thread_mutex_destroy(IoT_Mutex_t *pMutex) {
vSemaphoreDelete(pMutex->mutex);
return SUCCESS;
}
#ifdef __cplusplus
}
#endif

83
components/aws_iot/port/timer.c Normal file
View File

@@ -0,0 +1,83 @@
/*
* Copyright 2010-2015 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Additions Copyright 2016 Espressif Systems (Shanghai) PTE LTD
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/**
* @file timer.c
* @brief FreeRTOS implementation of the timer interface uses ticks.
*/
#ifdef __cplusplus
extern "C" {
#endif
#include <limits.h>
#include "timer_platform.h"
#include "freertos/FreeRTOS.h"
#include "freertos/task.h"
#include "esp_log.h"
const static char *TAG = "aws_timer";
bool has_timer_expired(Timer *timer) {
uint32_t now = xTaskGetTickCount();
bool expired = (now - timer->start_ticks) >= timer->timeout_ticks;
/* AWS IoT SDK isn't very RTOS friendly because it polls for "done
timers" a lot without ever sleeping on them. So we hack in some
amount of sleeping here: if it seems like the caller is polling
an unexpired timer in a tight loop then we delay a tick to let
things progress elsewhere.
*/
if(!expired && now == timer->last_polled_ticks) {
vTaskDelay(1);
}
timer->last_polled_ticks = now;
return expired;
}
void countdown_ms(Timer *timer, uint32_t timeout) {
timer->start_ticks = xTaskGetTickCount();
timer->timeout_ticks = timeout / portTICK_PERIOD_MS;
timer->last_polled_ticks = 0;
}
uint32_t left_ms(Timer *timer) {
uint32_t now = xTaskGetTickCount();
uint32_t elapsed = now - timer->start_ticks;
if (elapsed < timer->timeout_ticks) {
return (timer->timeout_ticks - elapsed) * portTICK_PERIOD_MS;
} else {
return 0;
}
}
void countdown_sec(Timer *timer, uint32_t timeout) {
if (timeout > UINT32_MAX / 1000) {
ESP_LOGE(TAG, "timeout is out of range: %ds", timeout);
}
countdown_ms(timer, timeout * 1000);
}
void init_timer(Timer *timer) {
timer->start_ticks = 0;
timer->timeout_ticks = 0;
timer->last_polled_ticks = 0;
}
#ifdef __cplusplus
}
#endif