TLS on Thingy91 not working

I'm trying to build the zephyr/samples/net/sockets/http_client sample. I selected thingy91_nrf9160_ns for the board config, and it builds and works fine. However, when I enable CONFIG_NET_SOCKETS_SOCKOPT_TLS, I start getting build errors like this:
[235/288] Building C object zephyr/subsys/net/CMakeFiles/subsys__net.dir/lib/sockets/sockets_tls.c.obj
C:/ncs/v2.6.1/zephyr/subsys/net/lib/sockets/sockets_tls.c: In function 'tls_session_store':
C:/ncs/v2.6.1/zephyr/subsys/net/lib/sockets/sockets_tls.c:663:15: warning: implicit declaration of function 'mbedtls_ssl_get_session'; did you mean 'mbedtls_ssl_get_version'? [-Wimplicit-function-declaration]
  663 |         ret = mbedtls_ssl_get_session(&context->ssl, &session);
      |               ^~~~~~~~~~~~~~~~~~~~~~~
      |               mbedtls_ssl_get_version
My code is not that interesting as I don't expect it to work yet (semantically) but here it is:
/*
 * Copyright (c) 2019 Intel Corporation
 *
 * SPDX-License-Identifier: Apache-2.0
 */

#include <zephyr/logging/log.h>
LOG_MODULE_REGISTER(lte_app, LOG_LEVEL_DBG);

#include <zephyr/net/net_ip.h>
#include <zephyr/net/socket.h>
#include <zephyr/net/conn_mgr_monitor.h>
#include <zephyr/net/conn_mgr_connectivity.h>

#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
#include <modem/modem_key_mgmt.h>
#include <zephyr/net/tls_credentials.h>
#include "ca_certificate.h"
#endif

#include <zephyr/net/http/client.h>

#include <zephyr/kernel.h>
#include <zephyr/device.h>
#include <zephyr/drivers/gpio.h>
#include <dk_buttons_and_leds.h>
#include <hal/nrf_power.h>  // For the NVIC_SystemReset function
#include <modem/lte_lc.h>
#include <modem/nrf_modem_lib.h>


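/*
 * Devicetree lookups for the board's "sw0" alias. None of the three BUTTON_*
 * macros is referenced in this listing; button input goes through
 * dk_buttons_init() in main().
 */
#define BUTTON_PORT  DT_GPIO_LABEL(DT_ALIAS(sw0), gpios)
#define BUTTON_PIN   DT_GPIO_PIN(DT_ALIAS(sw0), gpios)
#define BUTTON_FLAGS (GPIO_INPUT | DT_GPIO_FLAGS(DT_ALIAS(sw0), gpios))

/*
 * Log the failing expression and terminate when it evaluates to -1.
 *
 * Wrapped in do { } while (0) so the macro is a single statement and stays
 * correct inside an unbraced if/else; the argument is parenthesized so an
 * expression with lower-precedence operators is compared as a whole.
 */
#define CHECK(r) \
	do { \
		if ((r) == -1) { \
			LOG_ERR("Error: " #r "\n"); \
			exit(1); \
		} \
	} while (0)

/* Server port: 443 when TLS socket options are compiled in, otherwise 80. */
#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
#define HTTP_PORT 443
#else
#define HTTP_PORT 80
#endif

/* Size in bytes of the receive buffer handed to the HTTP client. */
#define MAX_RECV_BUF_LEN 512

/*
 * Semaphore with initial count 0 and limit 1: given by lte_handler() once the
 * modem reports network registration, taken by modem_configure().
 */
K_SEM_DEFINE(lte_connected, 0, 1);

/* Response buffer assigned to http_request.recv_buf in run_query(). */
static uint8_t recv_buf[MAX_RECV_BUF_LEN];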

/*
 * Button callback registered through dk_buttons_init() in main().
 *
 * Resets the MCU when button 1 is the only bit set in the change mask.
 * button_state is not consulted, so any state change of button 1 matches.
 */
static void button_handler(uint32_t button_state, uint32_t has_changed)
{
	if (has_changed != DK_BTN1_MSK) {
		return;
	}

	printk("Button pressed, restarting MCU...\n");
	k_msleep(100);  /* short delay so the message can be printed before the reset */
	NVIC_SystemReset();
}

/*
 * LTE link-control event callback, passed to lte_lc_connect_async().
 *
 * Gives the lte_connected semaphore once the modem reports registration on
 * the home network or while roaming, and logs RRC mode changes. Every other
 * event type is ignored.
 */
static void lte_handler(const struct lte_lc_evt *const evt)
{
	if (evt->type == LTE_LC_EVT_NW_REG_STATUS) {
		const int on_home = (evt->nw_reg_status == LTE_LC_NW_REG_REGISTERED_HOME);
		const int on_roaming = (evt->nw_reg_status == LTE_LC_NW_REG_REGISTERED_ROAMING);

		/* Any other registration status means "not connected yet". */
		if (!on_home && !on_roaming) {
			return;
		}

		LOG_INF("Network registration status: %s", on_home ? "Connected - home network" : "Connected - roaming");
		k_sem_give(&lte_connected);
		return;
	}

	if (evt->type == LTE_LC_EVT_RRC_UPDATE) {
		const char *mode = (evt->rrc_mode == LTE_LC_RRC_MODE_CONNECTED) ? "Connected" : "Idle";

		LOG_INF("RRC mode: %s", mode);
	}
}

/*
 * Initialize the modem library and attach to the LTE network.
 *
 * Blocks without a timeout until lte_handler() gives the lte_connected
 * semaphore, then switches LED 2 on.
 *
 * Returns 0 on success, or the error code reported by nrf_modem_lib_init()
 * or lte_lc_connect_async().
 */
static int modem_configure(void)
{
	int rc;

	LOG_INF("Initializing modem library");
	rc = nrf_modem_lib_init();
	if (rc != 0) {
		LOG_ERR("Failed to initialize the modem library, error: %d", rc);
		return rc;
	}

	LOG_INF("Connecting to LTE network");
	rc = lte_lc_connect_async(lte_handler);
	if (rc != 0) {
		LOG_ERR("Error in lte_lc_connect_async, error: %d", rc);
		return rc;
	}

	/* Registration is reported asynchronously; wait for the handler. */
	k_sem_take(&lte_connected, K_FOREVER);
	LOG_INF("Connected to LTE network");
	dk_set_led_on(DK_LED2);

	return 0;
}

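/*
 * Fill in the IPv4 peer address and create the client socket.
 *
 * With CONFIG_NET_SOCKETS_SOCKOPT_TLS enabled the socket is created with
 * IPPROTO_TLS_1_2 and two TLS options are applied: the CA credential tag
 * list and the peer hostname. Otherwise a plain TCP socket is created.
 *
 * family   - must be AF_INET; the body fills a struct sockaddr_in only.
 * server   - dotted-quad IPv4 literal (parsed by inet_pton(), no DNS lookup).
 * port     - TCP port in host byte order.
 * sock     - out: the new descriptor, or -1 on every failure path.
 * addr     - out: storage that receives the peer address.
 * addr_len - size of the storage behind addr.
 *
 * Returns 0 on success or a negative errno value on failure.
 *
 * A failure of either TLS option aborts the setup and closes the socket.
 * Previously the result of TLS_SEC_TAG_LIST was overwritten by the
 * TLS_HOSTNAME call, so the connection could proceed without the CA
 * credential the caller meant to use.
 *
 * NOTE(review): TLS_PEER_VERIFY is not set here, so the TLS backend's default
 * verification mode applies; confirm that default is "required" on the
 * target. TLS_PEER_HOSTNAME is not defined in this file; it presumably comes
 * from ca_certificate.h.
 */
static int setup_socket(sa_family_t family, const char *server, int port, int *sock, struct sockaddr *addr, socklen_t addr_len)
{
	const char *family_str = family == AF_INET ? "IPv4" : "IPv6";
	int err = 0;

	*sock = -1;

	/* net_sin() below writes a sockaddr_in, which is only valid for IPv4. */
	if (family != AF_INET) {
		LOG_ERR("Unsupported address family for %s HTTP socket", family_str);
		return -EAFNOSUPPORT;
	}

	memset(addr, 0, addr_len);
	net_sin(addr)->sin_family = AF_INET;
	net_sin(addr)->sin_port = htons(port);

	/* Reject anything that is not an address literal instead of using 0.0.0.0. */
	if (inet_pton(family, server, &net_sin(addr)->sin_addr) != 1) {
		LOG_ERR("Invalid %s address literal: %s", family_str, server);
		return -EINVAL;
	}

	if (IS_ENABLED(CONFIG_NET_SOCKETS_SOCKOPT_TLS)) {
		sec_tag_t sec_tag_list[] = {
			CA_CERTIFICATE_TAG,
		};

		*sock = socket(family, SOCK_STREAM, IPPROTO_TLS_1_2);
		if (*sock < 0) {
			err = errno;
		} else {
			/* Select the CA credential used to validate the server certificate. */
			if (setsockopt(*sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list, sizeof(sec_tag_list)) < 0) {
				err = errno;  /* read errno before logging can change it */
				LOG_ERR("Failed to set %s secure option (%d)", family_str, -err);
				goto close_sock;
			}

			/* Hostname the TLS layer is told to expect from the peer. */
			if (setsockopt(*sock, SOL_TLS, TLS_HOSTNAME, TLS_PEER_HOSTNAME, sizeof(TLS_PEER_HOSTNAME)) < 0) {
				err = errno;
				LOG_ERR("Failed to set %s TLS_HOSTNAME option (%d)", family_str, -err);
				goto close_sock;
			}
		}
	} else {
		*sock = socket(family, SOCK_STREAM, IPPROTO_TCP);
		if (*sock < 0) {
			err = errno;
		}
		LOG_INF("Socket created: %d", *sock);
	}

	if (*sock < 0) {
		LOG_ERR("Failed to create %s HTTP socket (%d)", family_str, -err);
		return err != 0 ? -err : -1;
	}
	return 0;

close_sock:
	/* Never hand back a TLS socket whose security options were not applied. */
	(void)close(*sock);
	*sock = -1;
	return err != 0 ? -err : -1;
}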

/*
 * HTTP client response callback, installed as http_request.response.
 *
 * Logs how many bytes arrived and whether more data is expected, followed by
 * the request label passed as user_data and the HTTP status string. The
 * response body itself is not printed.
 */
static void response_cb(struct http_response *rsp, enum http_final_call final_data, void *user_data)
{
	const char *request_label = user_data;

	switch (final_data) {
	case HTTP_DATA_MORE:
		LOG_INF("Partial data received (%zd bytes)", rsp->data_len);
		break;
	case HTTP_DATA_FINAL:
		LOG_INF("All the data received (%zd bytes)", rsp->data_len);
		break;
	default:
		break;
	}

	LOG_INF("Response to %s", request_label);
	LOG_INF("Response status %s", rsp->http_status);
}

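/*
 * Create the socket through setup_socket() and connect it to the peer.
 *
 * Returns 0 on success, -1 when setup_socket() fails, or a negative errno
 * value when connect() fails.
 *
 * On every failure path the descriptor is closed and *sock is reset to -1.
 * run_query() looks only at the descriptor, so leaving a half-configured or
 * unconnected socket open would let the request go ahead on it and would
 * leak the descriptor.
 */
static int connect_socket(sa_family_t family, const char *server, int port, int *sock, struct sockaddr *addr, socklen_t addr_len)
{
	int ret = setup_socket(family, server, port, sock, addr, addr_len);

	if (ret < 0 || *sock < 0) {
		ret = -1;
		goto fail;
	}

	ret = connect(*sock, addr, addr_len);
	if (ret < 0) {
		int err = errno;  /* read errno before logging can change it */

		LOG_ERR("Cannot connect to %s remote (%d)", family == AF_INET ? "IPv4" : "IPv6", -err);
		ret = err != 0 ? -err : -1;
		goto fail;
	}
	return ret;

fail:
	if (*sock >= 0) {
		(void)close(*sock);
		*sock = -1;
	}
	return ret;
}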

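/*
 * Send one HTTP GET for "/" to CONFIG_NET_CONFIG_PEER_IPV4_ADDR and log the
 * response through response_cb().
 *
 * With CONFIG_NET_SOCKETS_SOCKOPT_TLS enabled, the CA certificate from
 * ca_certificate.h is first registered under CA_CERTIFICATE_TAG.
 *
 * Returns the result of http_client_req(), the negative error from
 * tls_credential_add(), or -ECONNABORTED when no connection was made.
 *
 * The result of connect_socket() is checked. Previously only the descriptor
 * was tested, so a socket whose TLS options or connect() had failed could
 * still be used for the request.
 *
 * NOTE(review): modem/modem_key_mgmt.h is included but never used. If the TLS
 * handshake is performed by the modem (offloaded sockets), confirm that a
 * credential registered with tls_credential_add() is visible to it.
 */
static int run_query(void)
{
	struct sockaddr_in addr4;
	struct http_request req;
	int32_t timeout = 3 * MSEC_PER_SEC;
	int sock = -1;
	int ret = 0;

	LOG_INF("Running query");

	if (IS_ENABLED(CONFIG_NET_SOCKETS_SOCKOPT_TLS)) {
		ret = tls_credential_add(CA_CERTIFICATE_TAG, TLS_CREDENTIAL_CA_CERTIFICATE, ca_certificate, sizeof(ca_certificate));
		if (ret < 0) {
			LOG_ERR("Failed to register public certificate: %d", ret);
			return ret;
		}
	}

	if (IS_ENABLED(CONFIG_NET_IPV4)) {
		ret = connect_socket(AF_INET, CONFIG_NET_CONFIG_PEER_IPV4_ADDR, HTTP_PORT, &sock, (struct sockaddr *)&addr4, sizeof(addr4));
		if (ret < 0 && sock >= 0) {
			/* Setup or connect failed: do not send anything on this socket. */
			(void)close(sock);
			sock = -1;
		}
	}

	if (sock < 0) {
		LOG_ERR("Cannot create HTTP connection.");
		return -ECONNABORTED;
	}

	memset(&req, 0, sizeof(req));

	req.method = HTTP_GET;
	req.url = "/";
	/* The Host header carries the configured address string as-is. */
	req.host = CONFIG_NET_CONFIG_PEER_IPV4_ADDR;
	req.protocol = "HTTP/1.1";
	req.response = response_cb;
	req.recv_buf = recv_buf;
	req.recv_buf_len = sizeof(recv_buf);

	ret = http_client_req(sock, &req, timeout, "IPv4 GET");

	(void)close(sock);
	return ret;
}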

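/*
 * Application entry point: set up buttons and LEDs, attach to LTE, run one
 * HTTP(S) query, then sleep forever.
 *
 * Button and LED initialization failures are logged but not fatal. A failure
 * of run_query() is logged here so that it is visible at the top level. The
 * former exit(0) after k_sleep(K_FOREVER) could never be reached and has been
 * dropped.
 */
int main(void)
{
	int ret;

	if (dk_buttons_init(button_handler) != 0) {
		LOG_ERR("Failed to initialize the buttons library");
	}

	if (dk_leds_init() != 0) {
		LOG_ERR("Failed to initialize the LED library");
	}

	if (modem_configure()) {
		LOG_ERR("Failed to configure the modem");
		return 0;
	}

	ret = run_query();
	if (ret < 0) {
		LOG_ERR("HTTP query failed: %d", ret);
	}

	dk_set_led_on(DK_LED2);
	k_sleep(K_FOREVER);

	return 0;
}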
here is my prj.conf:
# Networking config
# The native IP stack is disabled (NET_NATIVE=n); together with
# NET_SOCKETS_OFFLOAD below, socket calls are handed to an offload
# implementation (on this board presumably the nRF9160 modem; confirm).
CONFIG_NETWORKING=y
CONFIG_NET_IPV4=y
CONFIG_NET_TCP=y
CONFIG_NET_NATIVE=n

# Sockets
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_SOCKETS_POLL_MAX=4

# Modem library
CONFIG_NRF_MODEM_LIB=y

# LTE link control
CONFIG_LTE_LINK_CONTROL=y

# Button and LED support
CONFIG_DK_LIBRARY=y

# Network driver config
# NOTE(review): CONFIG_TEST_RANDOM_GENERATOR selects a test-only,
# non-cryptographic random source. Do not keep it in a build where the
# application core runs a TLS handshake or generates keys; use a
# hardware-backed entropy source there.
CONFIG_TEST_RANDOM_GENERATOR=y

# Network address config
# NOTE(review): the application passes this string to inet_pton() and uses it
# as the HTTP Host header, so it has to be a dotted-quad IPv4 literal. A URL
# with scheme and path will not parse as an address. The hostname checked
# during the TLS handshake is set separately via TLS_PEER_HOSTNAME.
CONFIG_NET_CONFIG_SETTINGS=y
CONFIG_NET_CONFIG_NEED_IPV4=y
CONFIG_NET_CONFIG_PEER_IPV4_ADDR="https://catfact.ninja/fact"

# HTTP
CONFIG_HTTP_CLIENT=y

# Network debug config
# Debug-level socket and HTTP logging is verbose; review what it prints before
# leaving it enabled outside development.
CONFIG_LOG=y
CONFIG_LOG_MODE_IMMEDIATE=y
CONFIG_NET_LOG=y
CONFIG_NET_SOCKETS_LOG_LEVEL_DBG=y
CONFIG_NET_HTTP_LOG_LEVEL_DBG=y

# Memory
CONFIG_MAIN_STACK_SIZE=4096
CONFIG_NET_BUF_RX_COUNT=80
CONFIG_NET_BUF_TX_COUNT=80

# TLS configuration
# NOTE(review): with this option on, the build compiles Zephyr's
# subsys/net/lib/sockets/sockets_tls.c (see the build log), which calls
# mbedTLS functions such as mbedtls_ssl_get_session(). Every CONFIG_MBEDTLS_*
# line below is commented out, which is a likely cause of the
# implicit-declaration warning. With offloaded sockets, check the SDK
# documentation for whether the TLS handshake is meant to run in the modem
# rather than in this library.
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# CONFIG_MBEDTLS=y
# CONFIG_MBEDTLS_BUILTIN=y
# CONFIG_MBEDTLS_DEBUG=y
# CONFIG_MBEDTLS_ENABLE_HEAP=y
# CONFIG_MBEDTLS_HEAP_SIZE=60000
# CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048

# CONFIG_NET_SOCKETS_ENABLE_DTLS=y
# CONFIG_NET_SOCKETS_TLS_MAX_CONTEXTS=6
# # CONFIG_MBEDTLS_CIPHER_C=y 
# # CONFIG_NRF_SECURITY=y
# # CONFIG_MBEDTLS_TLS_LIBRARY=y
# CONFIG_MODEM_KEY_MGMT=y





############## from https example code for nrf9160 #################
# CONFIG_HEAP_MEM_POOL_SIZE=1024
# CONFIG_NET_IPV6=y
# CONFIG_NET_CONNECTION_MANAGER=y
# CONFIG_NET_CONNECTION_MANAGER_MONITOR_STACK_SIZE=1024
# CONFIG_TFM_PROFILE_TYPE_NOT_SET=y
# CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=4096
# CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
# CONFIG_MBEDTLS_RSA_C=y
# CONFIG_MBEDTLS_TLS_LIBRARY=y
# CONFIG_MBEDTLS_X509_LIBRARY=y
# CONFIG_MBEDTLS_PKCS1_V15=y
# CONFIG_NRF_SECURITY_ADVANCED=y
# CONFIG_NORDIC_SECURITY_BACKEND=y
# CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
# CONFIG_PSA_WANT_ALG_SHA_1=y
# CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
# CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
# CONFIG_PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY=y
# CONFIG_PSA_WANT_RSA_KEY_SIZE_1024=y
# CONFIG_SAMPLE_TFM_MBEDTLS=y
It won't let me add the build log to this post, so I'll reply with it.