Minor changes to wolfSSL MQTT demo files (#493)

* Clean up demo config for wolfSSL mutual auth. * Add comment about picking the correct ROOT CA. * uncrustify using_wolfSSL.c and some other code style changes. * Apply suggestions from code review Co-authored-by: Archit Aggarwal <architag@amazon.com>
2025-10-14 16:57:41 -04:00 · 2021-02-04 16:17:34 -08:00 · 2021-02-04 16:17:34 -08:00 · a78cb45d12
commit a78cb45d12
parent dfdf2ddf1f
2 changed files with 154 additions and 136 deletions
--- a/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h
+++ b/FreeRTOS-Plus/Demo/coreMQTT_Windows_Simulator/MQTT_Mutual_Auth_wolfSSL/demo_config.h
@ -76,7 +76,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
 *
 * #define democonfigCLIENT_IDENTIFIER    "insert here."
 */
-#define democonfigCLIENT_IDENTIFIER    "demoDevice"
+
 /**
 * @brief Endpoint of the MQTT broker to connect to.
 *
@ -91,7 +91,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
 *
 * #define democonfigMQTT_BROKER_ENDPOINT    "...insert here..."
 */
-#define democonfigMQTT_BROKER_ENDPOINT      "...insert here..."
+
 /**
 * @brief The port to use for the demo.
 *
@ -102,7 +102,7 @@ extern void vLoggingPrintf(const char* pcFormatString,
 *
 * #define democonfigMQTT_BROKER_PORT    "...insert here..."
 */
-#define democonfigMQTT_BROKER_PORT    8883
+
 /**
 * @brief Server's root CA certificate.
 *
@ -111,16 +111,19 @@ extern void vLoggingPrintf(const char* pcFormatString,
 * in the link below.
 * https://docs.aws.amazon.com/iot/latest/developerguide/server-authentication.html#server-authentication-certs
 *
- * @note This certificate should be PEM-encoded.
 *
- * Must include the PEM header and footer:
- * "-----BEGIN CERTIFICATE-----\n"\
- * "...base64 data...\n"\
- * "-----END CERTIFICATE-----\n"
+ * @note This certificate should be PEM-encoded.
+ * @note Define the path to the certificate, do not copy and paste the certificate
+ * contents to this macro.
+ * @warning If wolfSSL cannot verify the peer when connecting to AWS IoT, try
+ * using the root CA of Starfield Services found at
+ * https://www.amazontrust.com/repository/SFSRootCAG2.pem.
+ * wolfSSL requires that the whole CA certificate chain is trusted. AWS
+ * certificates are cross signed by this CA.
 *
 * #define democonfigROOT_CA_PEM    "...insert here..."
 */
-#define democonfigROOT_CA_PEM     "...insert here..."
+
 /**
 * @brief Client certificate.
 *
@ -129,15 +132,12 @@ extern void vLoggingPrintf(const char* pcFormatString,
 * https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html
 *
 * @note This certificate should be PEM-encoded.
- *
- * Must include the PEM header and footer:
- * "-----BEGIN CERTIFICATE-----\n"\
- * "...base64 data...\n"\
- * "-----END CERTIFICATE-----\n"
+ * @note Define the path to the certificate, do not copy and paste the certificate
+ * contents to this macro.
 *
 * #define democonfigCLIENT_CERTIFICATE_PEM    "...insert here..."
 */
-#define democonfigCLIENT_CERTIFICATE_PEM      "...insert here..."
+
 /**
 * @brief Client's private key.
 *
@ -146,15 +146,12 @@ extern void vLoggingPrintf(const char* pcFormatString,
 * https://docs.aws.amazon.com/iot/latest/developerguide/client-authentication.html
 *
 * @note This private key should be PEM-encoded.
- *
- * Must include the PEM header and footer:
- * "-----BEGIN RSA PRIVATE KEY-----\n"\
- * "...base64 data...\n"\
- * "-----END RSA PRIVATE KEY-----\n"
+ * @note define the path to the certificate, do not copy and paste the certificate
+ * contents to this macro.
 *
 * #define democonfigCLIENT_PRIVATE_KEY_PEM    "...insert here..."
 */
-#define democonfigCLIENT_PRIVATE_KEY_PEM     "...insert here..."
+
 /**
 * @brief Set the stack size of the main demo task.
 *
--- a/FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c
+++ b/FreeRTOS-Plus/Source/Application-Protocols/network_transport/freertos_plus_tcp/using_wolfSSL/using_wolfSSL.c
@ -98,7 +98,10 @@ static TlsTransportStatus_t initTLS(void);
 *
 *  @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_READ.
 */
-static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
+static int wolfSSL_IORecvGlue( WOLFSSL * ssl,
+                               char * buf,
+                               int sz,
+                               void * context );

 /*
 *  @brief  Send date to the socket passed as the context
@ -110,21 +113,26 @@ static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
 *
 *  @return received size( > 0 ), #WOLFSSL_CBIO_ERR_CONN_CLOSE, #WOLFSSL_CBIO_ERR_WANT_WRITE.
 */
-static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context);
+static int wolfSSL_IOSendGlue( WOLFSSL * ssl,
+                               char * buf,
+                               int sz,
+                               void * context );


 /*-----------------------------------------------------------*/
-static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
+static int wolfSSL_IORecvGlue( WOLFSSL * ssl,
+                               char * buf,
+                               int sz,
+                               void * context )
 {
    ( void ) ssl; /* to prevent unused warning*/
+    BaseType_t read = 0;

    Socket_t xSocket = ( Socket_t ) context;

-    BaseType_t read;

    read = FreeRTOS_recv( xSocket, ( void * ) buf, ( size_t ) sz, 0 );

-
    if( ( read == 0 ) ||
        ( read == -pdFREERTOS_ERRNO_EWOULDBLOCK ) )
    {
@ -138,16 +146,18 @@ static int wolfSSL_IORecvGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
    {
        /* do nothing */
    }
+
    return ( int ) read;
 }
 /*-----------------------------------------------------------*/

-static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
+static int wolfSSL_IOSendGlue( WOLFSSL * ssl,
+                               char * buf,
+                               int sz,
+                               void * context )
 {
    ( void ) ssl; /* to prevent unused warning*/
-
    Socket_t xSocket = ( Socket_t ) context;
-
    BaseType_t sent = FreeRTOS_send( xSocket, ( void * ) buf, ( size_t ) sz, 0 );

    if( sent == -pdFREERTOS_ERRNO_EWOULDBLOCK )
@ -162,6 +172,7 @@ static int wolfSSL_IOSendGlue(WOLFSSL* ssl, char* buf, int sz, void* context)
    {
        /* do nothing */
    }
+
    return ( int ) sent;
 }

@ -185,8 +196,7 @@ static TlsTransportStatus_t tlsSetup(NetworkContext_t* pNetCtx,
                                      const NetworkCredentials_t * pNetCred )
 {
    TlsTransportStatus_t returnStatus = TLS_TRANSPORT_SUCCESS;
- 
-    /*char errString[80];*/
+    Socket_t xSocket = { 0 };

    configASSERT( pNetCtx != NULL );
    configASSERT( pHostName != NULL );
@ -194,7 +204,6 @@ static TlsTransportStatus_t tlsSetup(NetworkContext_t* pNetCtx,
    configASSERT( pNetCred->pRootCa != NULL );
    configASSERT( pNetCtx->tcpSocket != NULL );

-
    if( pNetCtx->sslContext.ctx == NULL )
    {
        /* Attempt to create a context that uses the TLS 1.3 or 1.2 */
@ -222,7 +231,7 @@ static TlsTransportStatus_t tlsSetup(NetworkContext_t* pNetCtx,

                    if( pNetCtx->sslContext.ssl != NULL )
                    {
-                        Socket_t xSocket = pNetCtx->tcpSocket;
+                        xSocket = pNetCtx->tcpSocket;

                        /* set Recv/Send glue functions to the WOLFSSL object */
                        wolfSSL_SSLSetIORecv( pNetCtx->sslContext.ssl,
@ -383,6 +392,7 @@ TlsTransportStatus_t TLS_FreeRTOS_Connect( NetworkContext_t * pNetworkContext,
 void TLS_FreeRTOS_Disconnect( NetworkContext_t * pNetworkContext )
 {
    WOLFSSL * pSsl = pNetworkContext->sslContext.ssl;
+    WOLFSSL_CTX * pCtx = NULL; 

    /* shutdown an active TLS connection */
    wolfSSL_shutdown( pSsl );
@ -395,7 +405,8 @@ void TLS_FreeRTOS_Disconnect( NetworkContext_t * pNetworkContext )
    Sockets_Disconnect( pNetworkContext->tcpSocket );

    /* free WOLFSSL_CTX object*/
-    WOLFSSL_CTX* pCtx = pNetworkContext->sslContext.ctx;
+    pCtx = pNetworkContext->sslContext.ctx;
+
    wolfSSL_CTX_free( pCtx );
    pNetworkContext->sslContext.ctx = NULL;

@ -415,15 +426,20 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
    iResult = wolfSSL_read( pSsl, pBuffer, bytesToRecv );

    if( iResult > 0 )
+    {
        tlsStatus = iResult;
+    }
    else if( wolfSSL_want_read( pSsl ) == 1 )
+    {
        tlsStatus = 0;
+    }
    else
    {
        tlsStatus = wolfSSL_state( pSsl );
        LogError( ( "Error from wolfSSL_read %d : %s ",
                    iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );
    }
+
    return tlsStatus;
 }

@ -440,15 +456,20 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
    iResult = wolfSSL_write( pSsl, pBuffer, bytesToSend );

    if( iResult > 0 )
+    {
        tlsStatus = iResult;
+    }
    else if( wolfSSL_want_write( pSsl ) == 1 )
+    {
        tlsStatus = 0;
+    }
    else
    {
        tlsStatus = wolfSSL_state( pSsl );
        LogError( ( "Error from wolfSL_write %d : %s ",
                    iResult, wolfSSL_ERR_reason_error_string( tlsStatus ) ) );
    }
+
    return tlsStatus;
 }
 /*-----------------------------------------------------------*/