Currently I'm working on some basic OpenSSL. I'm confused about the basic behavior of SSL_write and SSL_read. In the documentation it is not clearly explained how the data is encrypted / decrypted. What I mean? Is the SSL_write, once the SSL_CTX is set and file descriptor assigned, by default encrypting the data or calling the encryption function, or does this have to be done by hand? Do I have to call some encryption function explicitly? Is the same true for the SSL_read? I need a deeper understanding of what SSL_write / read do automatically and what not, or sources where I can fall back to if I'm having issues.
Here is an example that I'm working with.
Example:
SSL *ssl;
int client = accept(server, (struct sockaddr*)&addr, &len); /* accept connection as usual */
printf("Connection: %s:%d\n",inet_ntoa(addr.sin_addr), ntohs(addr.sin_port));
ssl = SSL_new(ctx); /* get new SSL state with context */
SSL_set_fd(ssl, client); /* set connection socket to SSL state */
Servlet(ssl); /* service connection */
Servlet calls
void Servlet(SSL* ssl)
{
char buf[1024];
char reply[1024];
int sd, bytes;
const char* HTMLecho="<html><body><pre>%s</pre></body></html>\n\n";
if ( SSL_accept(ssl) == FAIL ) /* do SSL-protocol accept */
ERR_print_errors_fp(stderr);
else
{
ShowCerts(ssl); /* get any certificates */
bytes = SSL_read(ssl, buf, sizeof(buf)); /* get request */
if ( bytes > 0 )
{
buf[bytes] = 0;
printf("Client msg: \"%s\"\n", buf);
sprintf(reply, HTMLecho, buf); /* construct reply */
SSL_write(ssl, reply, strlen(reply)); /* send reply */
}
else
ERR_print_errors_fp(stderr);
}
sd = SSL_get_fd(ssl); /* get socket connection */
SSL_free(ssl); /* release SSL state */
close(sd); /* close connection */
}
Do I have to call some encryption function explicitly, is the same true for the SSL_read?
No. Encryption is handled within SSL_write automatically as is decryption in SSL_read. Both use the SSL structure which contains the necessary encryption keys once the TLS handshake is finished.
... sources where I can fall back to if I'm having issues
This depends on the issues you have. Both SSL_read and SSL_write have documentation. There are also easy to find examples. Being able to use a search engine helps also a lot to find more information. And StackOverflow is a good place to get help if things don't work as expected.
Related
i made stm32 + rtos + lwip/mqtt solution and it works well. Now i want to use it with embed tls secure connection. I did not find any exemples.
lwip mqtt api supports tls comunication. But there are no such example, just simple mqtt client using code LWIP MQTT Client i used.
I tried to enable embedtls and some options in cubemx, LWIP_ALTCP & LWIP_ALTCP_TLS, add LWIP_ALTCP_TLS_MBEDTLS to Path. It compiled.
How to init mbedtls and add tls cert. this link takes a little info altcp tls
Has anyebody some expirience or working example with stm32 lwip/mqtt + tls (mbedtls) for stm32 lwip stack?
UPD.
Here is my code of mqtt client setup:
struct mqtt_connect_client_info_t ci;
memset(&ci, 0, sizeof(ci));
ci.client_id = "lwip_test";
ci.client_user = "";
ci.client_pass = "";
ci.keep_alive = 0;
ci.tls_config = altcp_tls_create_config_client((const u8_t*)test_cert, sizeof(test_cert));
// create client
client = mqtt_client_new();
// connect client
mqtt_client_connect(client, &resolved, port, mqtt_on_connect, (void *)0, &ci);
I give mqtt client ca certificate and length. I have an error in
altcp_tls_create_config_client_common function (altcp_tls_mbedtls.c) with code -4480 (Failed to allocate memory).
ret = mbedtls_x509_crt_parse(conf->ca, ca, ca_len);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_x509_crt_parse ca failed: %d 0x%x", ret, -1*ret));
altcp_mbedtls_free_config(conf);
return NULL;
}
What i am doing wrong, whitch options else i should set up in mbedtls module?
I use default was generated by CubeMX
This thread helped me together with other examples in https://www.nongnu.org/lwip/2_0_x/group__mqtt.html to make the MQTT client work with MbedTLS 2 way authentication. I can now subscribe/publish to the amazon AWS cloud.
So if anybody is interested, here is what I did.
Generate code from CubeMX with LwIP and MbedTLS enabled. Important is to enable MBEDTLS_PLATFORM_MEMORY, MEMP_MEM_MALLOC and LWIP_ALTCP_TLS_MBEDTLS so the library uses alternative calloc/free functions from LwIP (they are set in the altcp_mbedtls_mem_init() function).
I also use MBEDTLS_ENTROPY_HARDWARE_ALT, MBEDTLS_NO_PLATFORM_ENTROPY and MBEDTLS_CTR_DRBG_C enabled, so the MbedTLS library can use the ctr drbg random number generator (initialized in the altcp_tls_create_config() function).
If you use FreeRTOS with your LwIP as I do, it is necessarry to enable MBEDTLS_THREADING_ALT and then in your code call the mbedtls_threading_set_alt() function to enable mutex handling in the MbedTLS library.
Here is then what I do in my code:
mqtt_client_t *client;
struct mqtt_connect_client_info_t client_info;
ip_addr_t server_ip;
/* Somewhere in the code call this to get IP address of the host */
ip_addr_t ipaddr;
err = dns_gethostbyname("host_name", &ipaddr, mqtt_resolved_cb, NULL);
/* Wait until this callback gets the IP */
static void mqtt_resolved_cb(const char *host, const ip_addr_t *ipaddr,
void *callback_arg)
{
/* If resolved IP is known -> set it */
if (ipaddr->addr != 0)
{
server_ip.addr = ipaddr->addr;
}
}
/* Then call this to start MQTT client */
void mqtt_test(const ip_addr_t *ipaddr, uint16_t port,
const uint8_t *ca_cert_str, size_t ca_cert_len,
const uint8_t *dev_cert_str, size_t dev_cert_len,
const uint8_t *dev_key_str, size_t dev_key_len,
const uint8_t *dev_key_pass_str, size_t dev_key_pass_len)
{
/* Setup an empty client info structure */
memset(&mqtt.client_info, 0, sizeof(mqtt.client_info));
/* Set client information */
mqtt.client_info.client_id = "lwip_test";
mqtt.client_info.client_user = NULL;
mqtt.client_info.client_pass = NULL;
mqtt.client_info.keep_alive = 0;
mqtt.client_info.will_topic = NULL;
mqtt.client_info.will_msg = NULL;
mqtt.client_info.will_retain = 0;
mqtt.client_info.will_qos = 0;
/* Set TLS configuration */
mqtt.client_info.tls_config = altcp_tls_create_config_client_2wayauth(
ca_cert_str, ca_cert_len,
dev_key_str, dev_key_len, dev_key_pass_str, dev_key_pass_len,
dev_cert_str, dev_cert_len);
/* Allocate memory for MQTT client */
mqtt.client = mqtt_client_new();
/* Connect to the server */
if (mqtt.client != NULL)
{
err = mqtt_client_connect(
mqtt.client, ipaddr, port,
mqtt_connection_cb, 0, &mqtt.client_info);
}
}
Then the code continues in the standard mqtt callbacks from the example link above.
Thanks and I hope this can help someone else too.
I have an identical configuration, so I can tell you that if you debug code you'll see that it will crash trying to call calloc, if your environment is equal to mine, you have not that system function.
What I did is using calloc implemented in lwip, in particular into altcp module.
I defined via cubemx MBEDTLS_PLATFORM_MEMORY, in order to activate the define ALTCP_MBEDTLS_PLATFORM_ALLOC in altcp_tls_mbedtls_mem.c, then I was able to use
altcp_mbedtls_mem_init() function that specify to mbedtls to use altcp calloc and free.
This function is called into altcp_tls_create_config_client, so if you are going to use it, you don't have to call altcp_mbedtls_mem_init() twice.
In this way you should be able to correctly allocate memory for mbedtls.
you seem to have a memory allocation problem, you can try to increase the heap memory size in lwipopts.h like the following:
#define MEM_SIZE (50 * 1024)
i am new to this forum and the whole thing with Processing.
I have a specific question to ask and thanks a lot for your time and thoughts!
How can i connect my Arduino with Ethernet Shield, getting temperature values from a sensor so they can be seen to a processing script?
In a straight Arduino script, one gets the value, connects from the ethernet shield to a server and does what one likes. I have accomplished that.
In my case i want Arduino to just run the script of reading an analog input value from the sensor.
Is it possible?
I have made the serial connection work and read the values alright through the usb, but with ethernet shield? How can i get the value that arduino reads WITHOUT USB/Serial connection?
ps. i am using WAMP server etc, Windows 7
I am trying the UDP connection script example for both arduino and processing from http://arduino.cc/en/Tutorial/UDPSendReceiveString, but
1)i ain't sure if that's what i need,
2)i have excluded from firewall ports 6000, 8888 for my tests and have put the IP address of my Arduino at the Arduino script and "localhost" at the Processing script
THE CODE COPIED FOR BETTER USE HERE
/*
UDPSendReceive.pde:
This sketch receives UDP message strings, prints them to the serial port
and sends an "acknowledge" string back to the sender
A Processing sketch is included at the end of file that can be used to send
and received messages for testing with a computer.
created 21 Aug 2010
by Michael Margolis
This code is in the public domain.
*/
#include <SPI.h> // needed for Arduino versions later than 0018
#include <Ethernet.h>
#include <EthernetUdp.h> // UDP library from: bjoern#cs.stanford.edu 12/30/2008
// Enter a MAC address and IP address for your controller below.
// The IP address will be dependent on your local network:
byte mac[] = {
0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
IPAddress ip(192, 168, 1, 177);
unsigned int localPort = 8888; // local port to listen on
// buffers for receiving and sending data
char packetBuffer[UDP_TX_PACKET_MAX_SIZE]; //buffer to hold incoming packet,
char ReplyBuffer[] = "acknowledged"; // a string to send back
// An EthernetUDP instance to let us send and receive packets over UDP
EthernetUDP Udp;
void setup() {
// start the Ethernet and UDP:
Ethernet.begin(mac,ip);
Udp.begin(localPort);
Serial.begin(9600);
}
void loop() {
// if there's data available, read a packet
int packetSize = Udp.parsePacket();
if(packetSize)
{
Serial.print("Received packet of size ");
Serial.println(packetSize);
Serial.print("From ");
IPAddress remote = Udp.remoteIP();
for (int i =0; i < 4; i++)
{
Serial.print(remote[i], DEC);
if (i < 3)
{
Serial.print(".");
}
}
Serial.print(", port ");
Serial.println(Udp.remotePort());
// read the packet into packetBufffer
Udp.read(packetBuffer,UDP_TX_PACKET_MAX_SIZE);
Serial.println("Contents:");
Serial.println(packetBuffer);
// send a reply, to the IP address and port that sent us the packet we received
Udp.beginPacket(Udp.remoteIP(), Udp.remotePort());
Udp.write(ReplyBuffer);
Udp.endPacket();
}
delay(10);
}
/*
Processing sketch to run with this example
=====================================================
// Processing UDP example to send and receive string data from Arduino
// press any key to send the "Hello Arduino" message
*/
import hypermedia.net.*;
UDP udp; // define the UDP object
void setup() {
udp = new UDP( this, 6000 ); // create a new datagram connection on port 6000
//udp.log( true ); // <-- printout the connection activity
udp.listen( true ); // and wait for incoming message
}
void draw()
{
}
void keyPressed() {
String ip = "192.168.1.177"; // the remote IP address
int port = 8888; // the destination port
udp.send("Hello World", ip, port ); // the message to send
}
void receive( byte[] data ) { // <-- default handler
//void receive( byte[] data, String ip, int port ) { // <-- extended handler
for(int i=0; i < data.length; i++)
print(char(data[i]));
println();
}
Read those values into a file and use that file to send data to processing. http://py.processing.org/reference/createReader.html
Great scheme. Only one problem. It works perfectly on my system. I loaded my Arudino Uno R3 with your Arduino sketch and loaded the Processing sketch as well. Worked like a charm, first try. Didn't change anything on my Arduino, Windows system, Processing (2.0.3), network, etc.
Could be you have a Arduino board problem (unlikely) or an Ethernet shield problem (sadly, more likely). You could have a network problem (even more likely).
Try Wireshark. You will really just be guessing until you take a look at the Wireshark output. Note that Wireshark has filters. You will need them. Filter out all of the non-UDP traffic.
I have a processing program working on a local machine. It reads data from a local udp port and uses this data to draw circles on my screen. It works, so that great.
But in production the program has to run on an other computer. And I cant get it to work. Processing is presenting me this error message:
opening socket failed!
> address:192.168.1.118, port:6666 [group:null]
> Cannot assign requested address: Cannot bind
Of cource I checked the IP adress and these are OK as it works fine on the local machine. Here is my code for the UDP part:
// import UDP library
import hypermedia.net.*;
String HOST_IP = "192.168.1.118";
UDP udp; // define the UDP object
// get an array ready
int num = 20;
int[] xx = new int[num];
int[] yy = new int[num];
void setup() {
size(1024, 768);
smooth();
//noStroke();
// create a new datagram connection on port 6666
udp = new UDP(this, 6666, HOST_IP);
udp.listen( true );
}
//process events
void draw() {;}
/**
* To perform any action on datagram reception, you need to implement this
* handler in your code. This method will be automatically called by the UDP
* object each time he receive a nonnull message.
* By default, this method have just one argument (the received message as
* byte[] array), but in addition, two arguments (representing in order the
* sender IP address and his port) can be set like below.
*/
// void receive( byte[] data ) { // <-- default handler
void receive( byte[] data ) {
background(255);
// get the "real" message =
// forget the ";\n" at the end <-- !!! only for a communication with Pd !!!
data = subset(data, 0, data.length-2);
String message = new String( data );
// print the result
println(message );
On both machines I use Windows XP And they are connected via a switch and udp cables.
I don't know where to start troubleshooting and how. Any ideas?
Id like to use srp in my current project. But im kinda at a loss as to how i would implement that with openssl. I got the client side running but i dont know how to write the server side. I also couldnt find any documentation orexample implementations of use. What i want is to store the login information inside a database and then retrieve that data when needed. Im using poco for most of the network part so writing the client was rather easy and i sucessfully tested it against other servers. So i would be gratefull for hints as to how to implement the server side.
There is an example of how to do this in file ssl/ssltest.c in OpenSSL archive.
At a high level you register an authentication callback. This callback is called automatically as necessary during SSL_Accept() to authenticate your users.
From ssltest.c example callback looks like the following:
static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
{
SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
{
fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
return SSL3_AL_FATAL;
}
if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,NULL)<0)
{
*ad = SSL_AD_INTERNAL_ERROR;
return SSL3_AL_FATAL;
}
return SSL_ERROR_NONE;
}
To register you call
SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
The arg parameter of callback function is a void pointer passed to your callback so that you can reference any necessary application context in your application from the callback.
To set arg parameter call SSL_CTX_set_srp_cb_arg(s_ctx, mypointer);
It is really this easy. Be sure SRP ciphers are being included in your cipher list.
There is a way to get feedback on autentication failures that can be used to implement countermeasure against high rate online dictionary attack.
To do this call SSL_CTX_set_info_callback(s_ctx,mynotifycallback) to register your callback. Had success using condition below to filter unrelated notifications.
void mynotifycallback(const SSL *s, int reason, int ret)
{
if (reason & SSL_CB_ALERT && ret & SSL3_AD_BAD_RECORD_MAC && SSL_get_srp_username((SSL *)s))
// authentication failure
}
I've been coding an NGINX filter module that can read/write cookies for incoming requests. If a particular cookie isn't set correctly (i.e. authentication cookie), it will set the outgoing header status to the appropriate error code. This works fine per the directions of Evan Miller's tutorial. The next part I'm trying to get working (and haven't thus far) is having the body filter be invoked so I can insert/replace body response text when error responses are encountered. I again followed Evan Miller's tutorial on body filters, and I cannot for the life of me get this working. Here's my setup:
static ngx_http_output_header_filter_pt ngx_http_next_header_filter;
static ngx_http_output_body_filter_pt ngx_http_next_body_filter;
...
...
static ngx_http_module_t ngx_http_source_cookie_module_ctx = {
NULL, /* preconfiguration */
ngx_http_source_cookie_init, /* postconfiguration */
NULL, /* create main configuration */
NULL, /* init main configuration */
NULL, /* create server configuration */
NULL, /* merge server configuration */
ngx_http_source_cookie_create_loc_conf, /* create location configuration */
ngx_http_source_cookie_merge_loc_conf /* merge location configuration */
};
ngx_module_t ngx_http_source_cookie_module = {
NGX_MODULE_V1,
&ngx_http_source_cookie_module_ctx, /* module context */
ngx_http_source_cookie_commands, /* module directives */
NGX_HTTP_MODULE, /* module type */
NULL, /* init master */
NULL, /* init module */
NULL, /* init process */
NULL, /* init thread */
NULL, /* exit thread */
NULL, /* exit process */
NULL, /* exit master */
NGX_MODULE_V1_PADDING
};
/*--------------------------------------------------------------------------*/
/*--------------------------------------------------------------------------*/
static ngx_int_t
ngx_http_source_cookie_header_filter(ngx_http_request_t *r)
{
// this gets invoked
...
}
/*--------------------------------------------------------------------------*/
/*--------------------------------------------------------------------------*/
static ngx_int_t
ngx_http_body_filter(ngx_http_request_t *r, ngx_chain_t *in)
{
// this never get invoked
...
}
/*--------------------------------------------------------------------------*/
/*--------------------------------------------------------------------------*/
static ngx_int_t
ngx_http_source_cookie_init(ngx_conf_t *cf)
{
// registering of my filters
ngx_http_next_header_filter = ngx_http_top_header_filter;
ngx_http_top_header_filter = ngx_http_source_cookie_header_filter;
ngx_http_next_body_filter = ngx_http_top_body_filter;
ngx_http_top_body_filter = ngx_http_body_filter;
return NGX_OK;
}
This is my basic setup, and as far as I can tell, it's spot on all the examples/tutorials I've come across. I'm wondering if there's something different altogether I need to enable... like a NGINX config option, NGINX ./configure compile option, etc.
Any help is greatly appreciated.
I note that Evan doesnt fix http content length in ngx_http_<module_name>_header_filter().
If I dont add http content length(r->headers_out.content_length_n), the inserted text to the end of request will not be output from nginx-1.2.7 stable.
Also you can see footer filter module.