1 /*
2  *  Simple DTLS client demonstration program
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #include "mbedtls/build_info.h"
21 
22 #if defined(MBEDTLS_PLATFORM_C)
23 #include "mbedtls/platform.h"
24 #else
25 #include <stdio.h>
26 #include <stdlib.h>
27 #define mbedtls_printf     printf
28 #define mbedtls_fprintf    fprintf
29 #define mbedtls_exit            exit
30 #define MBEDTLS_EXIT_SUCCESS    EXIT_SUCCESS
31 #define MBEDTLS_EXIT_FAILURE    EXIT_FAILURE
32 #endif
33 
34 #if !defined(MBEDTLS_SSL_CLI_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) ||    \
35     !defined(MBEDTLS_NET_C)  || !defined(MBEDTLS_TIMING_C) ||             \
36     !defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) ||        \
37     !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_RSA_C) ||      \
38     !defined(MBEDTLS_PEM_PARSE_C)
main(void)39 int main( void )
40 {
41     mbedtls_printf( "MBEDTLS_SSL_CLI_C and/or MBEDTLS_SSL_PROTO_DTLS and/or "
42             "MBEDTLS_NET_C and/or MBEDTLS_TIMING_C and/or "
43             "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
44             "MBEDTLS_X509_CRT_PARSE_C and/or MBEDTLS_RSA_C and/or "
45             "MBEDTLS_PEM_PARSE_C not defined.\n" );
46     mbedtls_exit( 0 );
47 }
48 #else
49 
50 #include <string.h>
51 
52 #include "mbedtls/net_sockets.h"
53 #include "mbedtls/debug.h"
54 #include "mbedtls/ssl.h"
55 #include "mbedtls/entropy.h"
56 #include "mbedtls/ctr_drbg.h"
57 #include "mbedtls/error.h"
58 #include "mbedtls/timing.h"
59 #include "test/certs.h"
60 
61 /* Uncomment out the following line to default to IPv4 and disable IPv6 */
62 //#define FORCE_IPV4
63 
64 #define SERVER_PORT "4433"
65 #define SERVER_NAME "localhost"
66 
67 #ifdef FORCE_IPV4
68 #define SERVER_ADDR "127.0.0.1"     /* Forces IPv4 */
69 #else
70 #define SERVER_ADDR "::1"
71 #endif
72 
73 #define MESSAGE     "Echo this"
74 
75 #define READ_TIMEOUT_MS 1000
76 #define MAX_RETRY       5
77 
78 #define DEBUG_LEVEL 0
79 
80 
my_debug(void * ctx,int level,const char * file,int line,const char * str)81 static void my_debug( void *ctx, int level,
82                       const char *file, int line,
83                       const char *str )
84 {
85     ((void) level);
86 
87     mbedtls_fprintf( (FILE *) ctx, "%s:%04d: %s", file, line, str );
88     fflush(  (FILE *) ctx  );
89 }
90 
main(int argc,char * argv[])91 int main( int argc, char *argv[] )
92 {
93     int ret, len;
94     mbedtls_net_context server_fd;
95     uint32_t flags;
96     unsigned char buf[1024];
97     const char *pers = "dtls_client";
98     int retry_left = MAX_RETRY;
99 
100     mbedtls_entropy_context entropy;
101     mbedtls_ctr_drbg_context ctr_drbg;
102     mbedtls_ssl_context ssl;
103     mbedtls_ssl_config conf;
104     mbedtls_x509_crt cacert;
105     mbedtls_timing_delay_context timer;
106 
107     ((void) argc);
108     ((void) argv);
109 
110 #if defined(MBEDTLS_DEBUG_C)
111     mbedtls_debug_set_threshold( DEBUG_LEVEL );
112 #endif
113 
114     /*
115      * 0. Initialize the RNG and the session data
116      */
117     mbedtls_net_init( &server_fd );
118     mbedtls_ssl_init( &ssl );
119     mbedtls_ssl_config_init( &conf );
120     mbedtls_x509_crt_init( &cacert );
121     mbedtls_ctr_drbg_init( &ctr_drbg );
122 
123     mbedtls_printf( "\n  . Seeding the random number generator..." );
124     fflush( stdout );
125 
126     mbedtls_entropy_init( &entropy );
127     if( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
128                                (const unsigned char *) pers,
129                                strlen( pers ) ) ) != 0 )
130     {
131         mbedtls_printf( " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret );
132         goto exit;
133     }
134 
135     mbedtls_printf( " ok\n" );
136 
137     /*
138      * 0. Load certificates
139      */
140     mbedtls_printf( "  . Loading the CA root certificate ..." );
141     fflush( stdout );
142 
143     ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
144                           mbedtls_test_cas_pem_len );
145     if( ret < 0 )
146     {
147         mbedtls_printf( " failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n", (unsigned int) -ret );
148         goto exit;
149     }
150 
151     mbedtls_printf( " ok (%d skipped)\n", ret );
152 
153     /*
154      * 1. Start the connection
155      */
156     mbedtls_printf( "  . Connecting to udp/%s/%s...", SERVER_NAME, SERVER_PORT );
157     fflush( stdout );
158 
159     if( ( ret = mbedtls_net_connect( &server_fd, SERVER_ADDR,
160                                          SERVER_PORT, MBEDTLS_NET_PROTO_UDP ) ) != 0 )
161     {
162         mbedtls_printf( " failed\n  ! mbedtls_net_connect returned %d\n\n", ret );
163         goto exit;
164     }
165 
166     mbedtls_printf( " ok\n" );
167 
168     /*
169      * 2. Setup stuff
170      */
171     mbedtls_printf( "  . Setting up the DTLS structure..." );
172     fflush( stdout );
173 
174     if( ( ret = mbedtls_ssl_config_defaults( &conf,
175                    MBEDTLS_SSL_IS_CLIENT,
176                    MBEDTLS_SSL_TRANSPORT_DATAGRAM,
177                    MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
178     {
179         mbedtls_printf( " failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n", ret );
180         goto exit;
181     }
182 
183     /* OPTIONAL is usually a bad choice for security, but makes interop easier
184      * in this simplified example, in which the ca chain is hardcoded.
185      * Production code should set a proper ca chain and use REQUIRED. */
186     mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL );
187     mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
188     mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
189     mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
190     mbedtls_ssl_conf_read_timeout( &conf, READ_TIMEOUT_MS );
191 
192     if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
193     {
194         mbedtls_printf( " failed\n  ! mbedtls_ssl_setup returned %d\n\n", ret );
195         goto exit;
196     }
197 
198     if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
199     {
200         mbedtls_printf( " failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
201         goto exit;
202     }
203 
204     mbedtls_ssl_set_bio( &ssl, &server_fd,
205                          mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout );
206 
207     mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
208                                             mbedtls_timing_get_delay );
209 
210     mbedtls_printf( " ok\n" );
211 
212     /*
213      * 4. Handshake
214      */
215     mbedtls_printf( "  . Performing the DTLS handshake..." );
216     fflush( stdout );
217 
218     do ret = mbedtls_ssl_handshake( &ssl );
219     while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
220            ret == MBEDTLS_ERR_SSL_WANT_WRITE );
221 
222     if( ret != 0 )
223     {
224         mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
225         goto exit;
226     }
227 
228     mbedtls_printf( " ok\n" );
229 
230     /*
231      * 5. Verify the server certificate
232      */
233     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
234 
235     /* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
236      * handshake would not succeed if the peer's cert is bad.  Even if we used
237      * MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
238     if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
239     {
240 #if !defined(MBEDTLS_X509_REMOVE_INFO)
241         char vrfy_buf[512];
242 #endif
243 
244         mbedtls_printf( " failed\n" );
245 
246 #if !defined(MBEDTLS_X509_REMOVE_INFO)
247         mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
248 
249         mbedtls_printf( "%s\n", vrfy_buf );
250 #endif
251     }
252     else
253         mbedtls_printf( " ok\n" );
254 
255     /*
256      * 6. Write the echo request
257      */
258 send_request:
259     mbedtls_printf( "  > Write to server:" );
260     fflush( stdout );
261 
262     len = sizeof( MESSAGE ) - 1;
263 
264     do ret = mbedtls_ssl_write( &ssl, (unsigned char *) MESSAGE, len );
265     while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
266            ret == MBEDTLS_ERR_SSL_WANT_WRITE );
267 
268     if( ret < 0 )
269     {
270         mbedtls_printf( " failed\n  ! mbedtls_ssl_write returned %d\n\n", ret );
271         goto exit;
272     }
273 
274     len = ret;
275     mbedtls_printf( " %d bytes written\n\n%s\n\n", len, MESSAGE );
276 
277     /*
278      * 7. Read the echo response
279      */
280     mbedtls_printf( "  < Read from server:" );
281     fflush( stdout );
282 
283     len = sizeof( buf ) - 1;
284     memset( buf, 0, sizeof( buf ) );
285 
286     do ret = mbedtls_ssl_read( &ssl, buf, len );
287     while( ret == MBEDTLS_ERR_SSL_WANT_READ ||
288            ret == MBEDTLS_ERR_SSL_WANT_WRITE );
289 
290     if( ret <= 0 )
291     {
292         switch( ret )
293         {
294             case MBEDTLS_ERR_SSL_TIMEOUT:
295                 mbedtls_printf( " timeout\n\n" );
296                 if( retry_left-- > 0 )
297                     goto send_request;
298                 goto exit;
299 
300             case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
301                 mbedtls_printf( " connection was closed gracefully\n" );
302                 ret = 0;
303                 goto close_notify;
304 
305             default:
306                 mbedtls_printf( " mbedtls_ssl_read returned -0x%x\n\n", (unsigned int) -ret );
307                 goto exit;
308         }
309     }
310 
311     len = ret;
312     mbedtls_printf( " %d bytes read\n\n%s\n\n", len, buf );
313 
314     /*
315      * 8. Done, cleanly close the connection
316      */
317 close_notify:
318     mbedtls_printf( "  . Closing the connection..." );
319 
320     /* No error checking, the connection might be closed already */
321     do ret = mbedtls_ssl_close_notify( &ssl );
322     while( ret == MBEDTLS_ERR_SSL_WANT_WRITE );
323     ret = 0;
324 
325     mbedtls_printf( " done\n" );
326 
327     /*
328      * 9. Final clean-ups and exit
329      */
330 exit:
331 
332 #ifdef MBEDTLS_ERROR_C
333     if( ret != 0 )
334     {
335         char error_buf[100];
336         mbedtls_strerror( ret, error_buf, 100 );
337         mbedtls_printf( "Last error was: %d - %s\n\n", ret, error_buf );
338     }
339 #endif
340 
341     mbedtls_net_free( &server_fd );
342 
343     mbedtls_x509_crt_free( &cacert );
344     mbedtls_ssl_free( &ssl );
345     mbedtls_ssl_config_free( &conf );
346     mbedtls_ctr_drbg_free( &ctr_drbg );
347     mbedtls_entropy_free( &entropy );
348 
349 #if defined(_WIN32)
350     mbedtls_printf( "  + Press Enter to exit this program.\n" );
351     fflush( stdout ); getchar();
352 #endif
353 
354     /* Shell can not handle large exit numbers -> 1 for errors */
355     if( ret < 0 )
356         ret = 1;
357 
358     mbedtls_exit( ret );
359 }
360 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_DTLS && MBEDTLS_NET_C &&
361           MBEDTLD_TIMING_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C &&
362           MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_RSA_C && MBEDTLS_PEM_PARSE_C */
363