1 /*
2 * Simple DTLS client demonstration program
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7
8 #if !defined(MBEDTLS_CONFIG_FILE)
9 #include "mbedtls/config.h"
10 #else
11 #include MBEDTLS_CONFIG_FILE
12 #endif
13
14 #include "mbedtls/platform.h"
15
16 #if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) || \
17 !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_TIMING_C) || \
18 !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
19 !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) || \
20 !defined(MBEDTLS_CERTS_C) || !defined(MBEDTLS_PEM_PARSE_C)
main(void)21 int main(void)
22 {
23 mbedtls_printf("MBEDTLS_SSL_CLI_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
24 "MBEDTLS_NET_C and/or MBEDTLS_TIMING_C and/or "
25 "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
26 "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
27 "MBEDTLS_CERTS_C and/or MBEDTLS_PEM_PARSE_C not defined.\n");
28 mbedtls_exit(0);
29 }
30 #else
31
32 #include <string.h>
33
34 #include "mbedtls/net_sockets.h"
35 #include "mbedtls/debug.h"
36 #include "mbedtls/ssl.h"
37 #include "mbedtls/entropy.h"
38 #include "mbedtls/ctr_drbg.h"
39 #include "mbedtls/error.h"
40 #include "mbedtls/certs.h"
41 #include "mbedtls/timing.h"
42
43 /* Uncomment out the following line to default to IPv4 and disable IPv6 */
44 //#define FORCE_IPV4
45
46 #define SERVER_PORT "4433"
47 #define SERVER_NAME "localhost"
48
49 #ifdef FORCE_IPV4
50 #define SERVER_ADDR "127.0.0.1" /* Forces IPv4 */
51 #else
52 #define SERVER_ADDR "::1"
53 #endif
54
55 #define MESSAGE "Echo this"
56
57 #define READ_TIMEOUT_MS 1000
58 #define MAX_RETRY 5
59
60 #define DEBUG_LEVEL 0
61
62
my_debug(void * ctx,int level,const char * file,int line,const char * str)63 static void my_debug(void *ctx, int level,
64 const char *file, int line,
65 const char *str)
66 {
67 ((void) level);
68
69 mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
70 fflush((FILE *) ctx);
71 }
72
main(int argc,char * argv[])73 int main(int argc, char *argv[])
74 {
75 int ret, len;
76 mbedtls_net_context server_fd;
77 uint32_t flags;
78 unsigned char buf[1024];
79 const char *pers = "dtls_client";
80 int retry_left = MAX_RETRY;
81
82 mbedtls_entropy_context entropy;
83 mbedtls_ctr_drbg_context ctr_drbg;
84 mbedtls_ssl_context ssl;
85 mbedtls_ssl_config conf;
86 mbedtls_x509_crt cacert;
87 mbedtls_timing_delay_context timer;
88
89 ((void) argc);
90 ((void) argv);
91
92 #if defined(MBEDTLS_DEBUG_C)
93 mbedtls_debug_set_threshold(DEBUG_LEVEL);
94 #endif
95
96 /*
97 * 0. Initialize the RNG and the session data
98 */
99 mbedtls_net_init(&server_fd);
100 mbedtls_ssl_init(&ssl);
101 mbedtls_ssl_config_init(&conf);
102 mbedtls_x509_crt_init(&cacert);
103 mbedtls_ctr_drbg_init(&ctr_drbg);
104 mbedtls_entropy_init(&entropy);
105
106 #if defined(MBEDTLS_USE_PSA_CRYPTO)
107 psa_status_t status = psa_crypto_init();
108 if (status != PSA_SUCCESS) {
109 mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
110 (int) status);
111 ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
112 goto exit;
113 }
114 #endif /* MBEDTLS_USE_PSA_CRYPTO */
115
116 mbedtls_printf("\n . Seeding the random number generator...");
117 fflush(stdout);
118
119 if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
120 (const unsigned char *) pers,
121 strlen(pers))) != 0) {
122 mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
123 goto exit;
124 }
125
126 mbedtls_printf(" ok\n");
127
128 /*
129 * 0. Load certificates
130 */
131 mbedtls_printf(" . Loading the CA root certificate ...");
132 fflush(stdout);
133
134 ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
135 mbedtls_test_cas_pem_len);
136 if (ret < 0) {
137 mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned -0x%x\n\n",
138 (unsigned int) -ret);
139 goto exit;
140 }
141
142 mbedtls_printf(" ok (%d skipped)\n", ret);
143
144 /*
145 * 1. Start the connection
146 */
147 mbedtls_printf(" . Connecting to udp/%s/%s...", SERVER_NAME, SERVER_PORT);
148 fflush(stdout);
149
150 if ((ret = mbedtls_net_connect(&server_fd, SERVER_ADDR,
151 SERVER_PORT, MBEDTLS_NET_PROTO_UDP)) != 0) {
152 mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
153 goto exit;
154 }
155
156 mbedtls_printf(" ok\n");
157
158 /*
159 * 2. Setup stuff
160 */
161 mbedtls_printf(" . Setting up the DTLS structure...");
162 fflush(stdout);
163
164 if ((ret = mbedtls_ssl_config_defaults(&conf,
165 MBEDTLS_SSL_IS_CLIENT,
166 MBEDTLS_SSL_TRANSPORT_DATAGRAM,
167 MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
168 mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
169 goto exit;
170 }
171
172 /* OPTIONAL is usually a bad choice for security, but makes interop easier
173 * in this simplified example, in which the ca chain is hardcoded.
174 * Production code should set a proper ca chain and use REQUIRED. */
175 mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
176 mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
177 mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
178 mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
179 mbedtls_ssl_conf_read_timeout(&conf, READ_TIMEOUT_MS);
180
181 if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
182 mbedtls_printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
183 goto exit;
184 }
185
186 if ((ret = mbedtls_ssl_set_hostname(&ssl, SERVER_NAME)) != 0) {
187 mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret);
188 goto exit;
189 }
190
191 mbedtls_ssl_set_bio(&ssl, &server_fd,
192 mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout);
193
194 mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay,
195 mbedtls_timing_get_delay);
196
197 mbedtls_printf(" ok\n");
198
199 /*
200 * 4. Handshake
201 */
202 mbedtls_printf(" . Performing the DTLS handshake...");
203 fflush(stdout);
204
205 do {
206 ret = mbedtls_ssl_handshake(&ssl);
207 } while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
208 ret == MBEDTLS_ERR_SSL_WANT_WRITE);
209
210 if (ret != 0) {
211 mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n",
212 (unsigned int) -ret);
213 goto exit;
214 }
215
216 mbedtls_printf(" ok\n");
217
218 /*
219 * 5. Verify the server certificate
220 */
221 mbedtls_printf(" . Verifying peer X.509 certificate...");
222
223 /* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
224 * handshake would not succeed if the peer's cert is bad. Even if we used
225 * MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
226 if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) {
227 char vrfy_buf[512];
228
229 mbedtls_printf(" failed\n");
230
231 mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
232
233 mbedtls_printf("%s\n", vrfy_buf);
234 } else {
235 mbedtls_printf(" ok\n");
236 }
237
238 /*
239 * 6. Write the echo request
240 */
241 send_request:
242 mbedtls_printf(" > Write to server:");
243 fflush(stdout);
244
245 len = sizeof(MESSAGE) - 1;
246
247 do {
248 ret = mbedtls_ssl_write(&ssl, (unsigned char *) MESSAGE, len);
249 } while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
250 ret == MBEDTLS_ERR_SSL_WANT_WRITE);
251
252 if (ret < 0) {
253 mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
254 goto exit;
255 }
256
257 len = ret;
258 mbedtls_printf(" %d bytes written\n\n%s\n\n", len, MESSAGE);
259
260 /*
261 * 7. Read the echo response
262 */
263 mbedtls_printf(" < Read from server:");
264 fflush(stdout);
265
266 len = sizeof(buf) - 1;
267 memset(buf, 0, sizeof(buf));
268
269 do {
270 ret = mbedtls_ssl_read(&ssl, buf, len);
271 } while (ret == MBEDTLS_ERR_SSL_WANT_READ ||
272 ret == MBEDTLS_ERR_SSL_WANT_WRITE);
273
274 if (ret <= 0) {
275 switch (ret) {
276 case MBEDTLS_ERR_SSL_TIMEOUT:
277 mbedtls_printf(" timeout\n\n");
278 if (retry_left-- > 0) {
279 goto send_request;
280 }
281 goto exit;
282
283 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
284 mbedtls_printf(" connection was closed gracefully\n");
285 goto close_notify;
286
287 default:
288 mbedtls_printf(" mbedtls_ssl_read returned -0x%x\n\n", (unsigned int) -ret);
289 goto exit;
290 }
291 }
292
293 len = ret;
294 mbedtls_printf(" %d bytes read\n\n%s\n\n", len, buf);
295
296 /*
297 * 8. Done, cleanly close the connection
298 */
299 close_notify:
300 mbedtls_printf(" . Closing the connection...");
301
302 /* No error checking, the connection might be closed already */
303 do {
304 ret = mbedtls_ssl_close_notify(&ssl);
305 } while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
306 ret = 0;
307
308 mbedtls_printf(" done\n");
309
310 /*
311 * 9. Final clean-ups and exit
312 */
313 exit:
314
315 #ifdef MBEDTLS_ERROR_C
316 if (ret != 0) {
317 char error_buf[100];
318 mbedtls_strerror(ret, error_buf, 100);
319 mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf);
320 }
321 #endif
322
323 mbedtls_net_free(&server_fd);
324 mbedtls_x509_crt_free(&cacert);
325 mbedtls_ssl_free(&ssl);
326 mbedtls_ssl_config_free(&conf);
327 mbedtls_ctr_drbg_free(&ctr_drbg);
328 mbedtls_entropy_free(&entropy);
329 #if defined(MBEDTLS_USE_PSA_CRYPTO)
330 mbedtls_psa_crypto_free();
331 #endif /* MBEDTLS_USE_PSA_CRYPTO */
332
333 #if defined(_WIN32)
334 mbedtls_printf(" + Press Enter to exit this program.\n");
335 fflush(stdout); getchar();
336 #endif
337
338 /* Shell can not handle large exit numbers -> 1 for errors */
339 if (ret < 0) {
340 ret = 1;
341 }
342
343 mbedtls_exit(ret);
344 }
345 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_NET_C &&
346 MBEDTLS_TIMING_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
347 MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C && MBEDTLS_CERTS_C &&
348 MBEDTLS_PEM_PARSE_C */
349