/* * Copyright 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ #ifdef __cplusplus extern "C" { #endif #include #include #include #include #include "aws_iot_error.h" #include "aws_iot_log.h" #include "network_interface.h" #include "network_platform.h" #include #include #include #include /*-----------------------------------------------------------*/ static IoT_Error_t connectToAddress( struct sockaddr * pAddrInfo, uint16_t port, int32_t tcpSocket ) { IoT_Error_t returnStatus = SUCCESS; int connectStatus = 0; socklen_t addrInfoLength = 0; uint16_t netPort = 0; struct sockaddr_in * pIpv4Address; struct sockaddr_in6 * pIpv6Address; if( pAddrInfo == NULL ) { IOT_ERROR( "Parameter check failed: pAddrInfo is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else if( pAddrInfo->sa_family != AF_INET && pAddrInfo->sa_family != AF_INET6 ) { IOT_ERROR( "Invalid IP address family.\n" ); returnStatus = TCP_SETUP_ERROR; } else if( tcpSocket < 0 ) { IOT_ERROR( "Invalid socket.\n" ); returnStatus = TCP_SETUP_ERROR; } else { /* Empty else. */ } if( returnStatus == SUCCESS ) { netPort = htons( port ); if( pAddrInfo->sa_family == ( sa_family_t ) AF_INET ) { pIpv4Address = ( struct sockaddr_in * ) pAddrInfo; pIpv4Address->sin_port = netPort; addrInfoLength = ( socklen_t ) sizeof( struct sockaddr_in ); } else { pIpv6Address = ( struct sockaddr_in6 * ) pAddrInfo; pIpv6Address->sin6_port = netPort; addrInfoLength = ( socklen_t ) sizeof( struct sockaddr_in6 ); } IOT_DEBUG( "Attempting to connect to server.\n" ); connectStatus = connect( tcpSocket, pAddrInfo, addrInfoLength ); if( connectStatus == -1 ) { IOT_WARN( "Failed to connect to server.\n" ); ( void ) close( tcpSocket ); returnStatus = TCP_CONNECTION_ERROR; } } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t socketsConnect( int32_t * pTcpSocket, const char * pHostName, uint16_t port, uint32_t sendTimeoutMs, uint32_t recvTimeoutMs ) { IoT_Error_t returnStatus = SUCCESS; int result = 0; struct addrinfo hints = { 0 }; struct addrinfo * pListHead = NULL; struct addrinfo * pIndex = NULL; struct timeval transportTimeout = { 0 }; if( pTcpSocket == NULL ) { IOT_ERROR( "Parameter check failed: pTcpSocket is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else if( pHostName == NULL ) { IOT_ERROR( "Parameter check failed: pHostName is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else { /* Empty else. */ } if( returnStatus == SUCCESS ) { /* Add hints to retrieve only TCP sockets in getaddrinfo. */ ( void ) memset( &hints, 0, sizeof( hints ) ); hints.ai_family = AF_UNSPEC; hints.ai_socktype = ( int32_t ) SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; if( ( result = getaddrinfo( pHostName, NULL, &hints, &pListHead ) ) != 0 ) { IOT_ERROR( "Failed to resolve DNS: Hostname=%s, ErrorCode=%d.\n", pHostName, result ); returnStatus = FAILURE; } } if( returnStatus == SUCCESS ) { IOT_DEBUG( "Attempt connecting.\n" ); returnStatus = TCP_CONNECTION_ERROR; for( pIndex = pListHead; pIndex != NULL; pIndex = pIndex->ai_next ) { *pTcpSocket = socket( pIndex->ai_family, pIndex->ai_socktype, pIndex->ai_protocol ); if( *pTcpSocket == -1 ) { continue; } returnStatus = connectToAddress( pIndex->ai_addr, port, *pTcpSocket ); if( returnStatus == SUCCESS ) { break; } } if( returnStatus == SUCCESS ) { IOT_DEBUG( "Established TCP connection.\n" ); } else { IOT_ERROR( "Failed to connect.\n" ); } freeaddrinfo( pListHead ); } if( returnStatus == SUCCESS ) { transportTimeout.tv_sec = ( ( ( int64_t ) sendTimeoutMs ) / 1000 ); transportTimeout.tv_usec = ( 1000 * ( ( ( int64_t ) sendTimeoutMs ) % 1000 ) ); result = setsockopt( *pTcpSocket, SOL_SOCKET, SO_SNDTIMEO, &transportTimeout, ( socklen_t ) sizeof( transportTimeout ) ); if( result == -1 ) { IOT_ERROR( "Setting socket send timeout failed.\n" ); returnStatus = TCP_SETUP_ERROR; } } if( returnStatus == SUCCESS ) { transportTimeout.tv_sec = ( ( ( int64_t ) recvTimeoutMs ) / 1000 ); transportTimeout.tv_usec = ( 1000 * ( ( ( int64_t ) recvTimeoutMs ) % 1000 ) ); result = setsockopt( *pTcpSocket, SOL_SOCKET, SO_RCVTIMEO, &transportTimeout, ( socklen_t ) sizeof( transportTimeout ) ); if( result == -1 ) { IOT_ERROR( "Setting socket receive timeout failed.\n" ); returnStatus = TCP_SETUP_ERROR; } } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t socketDisconnect( int32_t xTcpSocket ) { IoT_Error_t returnStatus = SUCCESS; if( xTcpSocket > 0 ) { ( void ) shutdown( xTcpSocket, SHUT_RDWR ); ( void ) close( xTcpSocket ); } else { IOT_ERROR( "Parameter check failed: xTcpSocket was negative." ); returnStatus = FAILURE; } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t setRootCa( const SSL_CTX * pSslContext, const char * pRootCaPath ) { IoT_Error_t returnStatus = SUCCESS; FILE * pRootCaFile = NULL; X509 * pRootCa = NULL; if( pSslContext == NULL ) { IOT_ERROR( "Parameter check failed: pSslContext is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else if( pRootCaPath == NULL ) { IOT_ERROR( "Parameter check failed: pRootCaPath is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else { /* Empty else. */ } if( returnStatus == SUCCESS ) { pRootCaFile = fopen( pRootCaPath, "r" ); if( pRootCaFile == NULL ) { IOT_ERROR( "fopen failed to find the root CA certificate file: ROOT_CA_PATH=%s.\n", pRootCaPath ); returnStatus = NETWORK_SSL_CERT_ERROR; } } if( returnStatus == SUCCESS ) { pRootCa = PEM_read_X509( pRootCaFile, NULL, NULL, NULL); if( pRootCa == NULL ) { IOT_ERROR( "PEM_read_X509 failed to parse root CA.\n" ); returnStatus = NETWORK_SSL_CERT_ERROR; } } if( returnStatus == SUCCESS ) { if( X509_STORE_add_cert( SSL_CTX_get_cert_store( pSslContext ), pRootCa ) != 1 ) { IOT_ERROR( "X509_STORE_add_cert failed to add root CA to certificate store.\n" ); returnStatus = NETWORK_SSL_CERT_ERROR; } } if( pRootCa != NULL ) { ( void ) X509_free( pRootCa ); } if( pRootCaFile != NULL ) { if( fclose( pRootCaFile ) != 0 ) { IOT_WARN( "fclose failed to close file %s\n", pRootCaPath ); } } if( returnStatus == SUCCESS ) { IOT_DEBUG( "Successfully imported root CA.\n" ); } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t setClientCertificate( SSL_CTX * pSslContext, const char * pClientCertPath ) { IoT_Error_t returnStatus = SUCCESS; if( pSslContext == NULL ) { IOT_ERROR( "Parameter check failed: pSslContext is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else if( pClientCertPath == NULL ) { IOT_ERROR( "Parameter check failed: pClientCertPath is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else { /* Empty else. */ } if( returnStatus == SUCCESS ) { if( SSL_CTX_use_certificate_chain_file( pSslContext, pClientCertPath ) != 1 ) { IOT_ERROR( "SSL_CTX_use_certificate_chain_file failed to import client certificate at %s.\n", pClientCertPath ); returnStatus = NETWORK_SSL_CERT_ERROR; } } if( returnStatus == SUCCESS ) { IOT_DEBUG( "Successfully imported client certificate.\n" ); } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t setPrivateKey( SSL_CTX * pSslContext, const char * pPrivateKeyPath ) { IoT_Error_t returnStatus = SUCCESS; if( pSslContext == NULL ) { IOT_ERROR( "Parameter check failed: pSslContext is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else if( pPrivateKeyPath == NULL ) { IOT_ERROR( "Parameter check failed: pPrivateKeyPath is NULL.\n" ); returnStatus = NULL_VALUE_ERROR; } else { /* Empty else. */ } if( returnStatus == SUCCESS ) { if( SSL_CTX_use_PrivateKey_file( pSslContext, pPrivateKeyPath, SSL_FILETYPE_PEM ) != 1 ) { IOT_ERROR( "SSL_CTX_use_PrivateKey_file failed to import client certificate private key at %s.\n", pPrivateKeyPath ); returnStatus = NETWORK_SSL_CERT_ERROR; } } if( returnStatus == SUCCESS ) { IOT_DEBUG( "Successfully imported client certificate private key.\n" ); } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t setCredentials( SSL_CTX * pSslContext, const char * pRootCaPath, const char * pClientCertPath, const char * pPrivateKeyPath ) { IoT_Error_t returnStatus = FAILURE; if( pSslContext == NULL ) { IOT_ERROR( "Invalid address info.\n" ); returnStatus = NULL_VALUE_ERROR; } else { if( pRootCaPath != NULL ) { returnStatus = setRootCa( pSslContext, pRootCaPath ); } if( ( returnStatus == SUCCESS ) && ( pClientCertPath != NULL ) ) { returnStatus = setClientCertificate( pSslContext, pClientCertPath ); } if( ( returnStatus == SUCCESS ) && ( pPrivateKeyPath != NULL ) ) { returnStatus = setPrivateKey( pSslContext, pPrivateKeyPath ); } } return returnStatus; } /*-----------------------------------------------------------*/ static IoT_Error_t tlsConnect( TLSConnectParams * connParams, TLSDataParams * dataParams ) { IoT_Error_t returnStatus = SUCCESS; int result = 0; SSL_CTX * pSslContext = NULL; uint8_t sslObjectCreated = 0; const char * alpnProtocols = "\x0ex-amzn-mqtt-ca"; if( returnStatus == SUCCESS ) { #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (OPENSSL_VERSION_NUMBER >= 0x20000000L) pSslContext = SSL_CTX_new( TLSv1_2_client_method() ); #else pSslContext = SSL_CTX_new( TLS_client_method() ); #endif if( pSslContext == NULL ) { IOT_ERROR( "Creation of a new SSL_CTX object failed.\n" ); returnStatus = NETWORK_SSL_INIT_ERROR; } } if( returnStatus == SUCCESS ) { ( void ) SSL_CTX_set_mode( pSslContext, ( long ) SSL_MODE_AUTO_RETRY ); if( setCredentials( pSslContext, connParams->pRootCALocation, connParams->pDeviceCertLocation, connParams->pDevicePrivateKeyLocation ) != SUCCESS ) { IOT_ERROR( "Setting up credentials failed.\n" ); returnStatus = NETWORK_SSL_CERT_ERROR; } } if( returnStatus == SUCCESS ) { dataParams->pSsl = SSL_new( pSslContext ); if( dataParams->pSsl == NULL ) { IOT_ERROR( "SSL_new failed to create a new SSL context.\n" ); returnStatus = NETWORK_SSL_INIT_ERROR; } else { sslObjectCreated = 1u; } } if( returnStatus == SUCCESS ) { ( void ) SSL_set_verify( dataParams->pSsl, SSL_VERIFY_PEER, NULL ); result = SSL_set_fd( dataParams->pSsl, dataParams->xTcpSocket ); if( result != 1 ) { IOT_ERROR( "SSL_set_fd failed to set the socket fd to SSL context.\n" ); returnStatus = NETWORK_SSL_INIT_ERROR; } } if( returnStatus == SUCCESS && connParams->DestinationPort == 443 ) { result = SSL_set_alpn_protos( dataParams->pSsl, alpnProtocols, strlen(alpnProtocols) ); if( result != 0 ) { IOT_ERROR( "SSL_set_alpn_protos failed to ALPN protocols.\n" ); returnStatus = NETWORK_SSL_INIT_ERROR; } } if( returnStatus == SUCCESS ) { result = SSL_connect( dataParams->pSsl ); if( result != 1 ) { IOT_ERROR( "SSL_connect failed to perform TLS handshake.\n" ); returnStatus = SSL_CONNECTION_ERROR; } } if( returnStatus == SUCCESS ) { result = SSL_get_verify_result( dataParams->pSsl ); if( result != X509_V_OK ) { IOT_ERROR( "SSL_get_verify_result failed to verify X509 certificate from peer.\n" ); returnStatus = SSL_CONNECTION_ERROR; } } if( pSslContext != NULL ) { ( void ) SSL_CTX_free( pSslContext ); } if( returnStatus != SUCCESS && sslObjectCreated == 1u ) { ( void ) SSL_free( dataParams->pSsl ); dataParams->pSsl = NULL; } if( returnStatus == SUCCESS ) { IOT_INFO( "Established a TLS connection.\n" ); } return returnStatus; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_init( Network * pNetwork, char * pRootCALocation, char * pDeviceCertLocation, char * pDevicePrivateKeyLocation, char * pDestinationURL, uint16_t destinationPort, uint32_t timeout_ms, bool ServerVerificationFlag ) { IoT_Error_t returnStatus = SUCCESS; pNetwork->tlsConnectParams.DestinationPort = destinationPort; pNetwork->tlsConnectParams.pDestinationURL = pDestinationURL; pNetwork->tlsConnectParams.pDeviceCertLocation = pDeviceCertLocation; pNetwork->tlsConnectParams.pDevicePrivateKeyLocation = pDevicePrivateKeyLocation; pNetwork->tlsConnectParams.pRootCALocation = pRootCALocation; pNetwork->tlsConnectParams.timeout_ms = timeout_ms; pNetwork->tlsConnectParams.ServerVerificationFlag = ServerVerificationFlag; pNetwork->connect = iot_tls_connect; pNetwork->read = iot_tls_read; pNetwork->write = iot_tls_write; pNetwork->disconnect = iot_tls_disconnect; pNetwork->isConnected = iot_tls_is_connected; pNetwork->destroy = iot_tls_destroy; ( void ) SSL_library_init(); OpenSSL_add_all_algorithms(); return returnStatus; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_is_connected( Network * pNetwork ) { /* Use this to add implementation which can check for physical layer disconnect */ return NETWORK_PHYSICAL_LAYER_CONNECTED; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_connect( Network * pNetwork, TLSConnectParams * params ) { IoT_Error_t returnStatus = SUCCESS; if( pNetwork == NULL ) { IOT_ERROR( "Invalid network parameters.\n" ); returnStatus = NULL_VALUE_ERROR; } else if( socketsConnect( &( pNetwork->tlsDataParams.xTcpSocket ), pNetwork->tlsConnectParams.pDestinationURL, pNetwork->tlsConnectParams.DestinationPort, pNetwork->tlsConnectParams.timeout_ms, pNetwork->tlsConnectParams.timeout_ms ) != SUCCESS ) { IOT_ERROR( "Failed at connecting to %s:%d\n", pNetwork->tlsConnectParams.pDestinationURL, pNetwork->tlsConnectParams.DestinationPort ); returnStatus = TCP_CONNECTION_ERROR; } else if( tlsConnect( &pNetwork->tlsConnectParams, &pNetwork->tlsDataParams ) != SUCCESS ) { IOT_ERROR( "Failed at establishing TLS connection\n" ); returnStatus = SSL_CONNECTION_ERROR; } else { /* Empty else. */ } return returnStatus; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_write( Network * pNetwork, unsigned char * pMsg, size_t len, Timer * timer, size_t * written_len ) { IoT_Error_t returnStatus = SUCCESS; SSL * pSsl = NULL; int xBytesSent = 0; size_t bytesWritten = 0; int sslError = 0; pSsl = pNetwork->tlsDataParams.pSsl; if( pSsl == NULL ) { return NETWORK_SSL_WRITE_ERROR; } do { xBytesSent = SSL_write( pSsl, pMsg + bytesWritten, len - bytesWritten ); if( xBytesSent <= 0 ) { sslError = SSL_get_error( pSsl, xBytesSent ); if( sslError != SSL_ERROR_WANT_WRITE ) { IOT_ERROR( "Failed to send data over network: SSL_write of OpenSSL failed: ErrorStatus=%s.\n", ERR_reason_error_string( sslError ) ); returnStatus = NETWORK_SSL_WRITE_ERROR; break; } } else { bytesWritten += xBytesSent; if( bytesWritten >= len ) { break; } } } while ( !has_timer_expired( timer ) ); if( returnStatus == SUCCESS && bytesWritten != len ) { returnStatus = NETWORK_SSL_WRITE_TIMEOUT_ERROR; } *written_len = bytesWritten; return returnStatus; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_read( Network * pNetwork, unsigned char * pMsg, size_t len, Timer * timer, size_t * read_len ) { IoT_Error_t returnStatus = SUCCESS; SSL * pSsl = NULL; int xBytesReceived = 0; size_t bytesRead = 0; int sslError = 0; pSsl = pNetwork->tlsDataParams.pSsl; if( pSsl == NULL ) { return NETWORK_SSL_READ_ERROR; } do { xBytesReceived = SSL_read( pSsl, pMsg + bytesRead, len - bytesRead ); if( xBytesReceived <= 0 ) { sslError = SSL_get_error( pSsl, xBytesReceived ); if( sslError != SSL_ERROR_WANT_READ ) { IOT_ERROR( "Failed to receive data over network: SSL_read failed: ErrorStatus=%s.\n", ERR_reason_error_string( sslError ) ); returnStatus = NETWORK_SSL_READ_ERROR; break; } } else { bytesRead += xBytesReceived; if( bytesRead >= len ) { break; } } } while ( !has_timer_expired( timer ) ); if( returnStatus == SUCCESS && bytesRead != len ) { if( bytesRead > 0 ) { returnStatus = NETWORK_SSL_READ_TIMEOUT_ERROR; } else { returnStatus = NETWORK_SSL_NOTHING_TO_READ; } } *read_len = bytesRead; return returnStatus; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_disconnect( Network * pNetwork ) { IoT_Error_t returnStatus = SUCCESS; SSL * pSsl = NULL; pSsl = pNetwork->tlsDataParams.pSsl; if( pSsl != NULL ) { /* SSL shutdown should be called twice: once to send "close notify" and * once more to receive the peer's "close notify". */ if( SSL_shutdown( pSsl ) == 0 ) { ( void ) SSL_shutdown( pSsl ); } ( void ) SSL_free( pSsl ); } pNetwork->tlsDataParams.pSsl = NULL; ( void ) socketDisconnect( pNetwork->tlsDataParams.xTcpSocket ); pNetwork->tlsDataParams.xTcpSocket = 0; return returnStatus; } /*-----------------------------------------------------------*/ IoT_Error_t iot_tls_destroy( Network * pNetwork ) { return SUCCESS; } /*-----------------------------------------------------------*/ #ifdef __cplusplus } #endif