詳細步驟:
- 使用rpi-imager建立Raspberry Pi 3+作業系統,使用不含Desktop。
設定WiFi連線與enable SSH。 - 安裝NODE-RED:
~$ sudo apt install build-essential git curl
~$ bash <(curl -sL https://raw.githubusercontent.com/node-red/linux-installers/master/deb/update-nodejs-and-nodered) - 安裝self signed CA certificates:
1.產生一組CA key:
openssl genrsa -des3 -out ca.key 2048
2.製作一組CA 憑證:
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
3.製作 server key:
openssl genrsa -out node_red_tls.key 2048
4. 使用server key製作server憑證需求(certificate request):
openssl req -new -out node_red_tls.csr -key node_red_tls.key
5.製作server憑證:
openssl x509 -req -in node_red_tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out node_red_tls.crt -days 360 - 建立NODE-RED flow:輸入剛剛建立的憑證。
- PicoW Client端:
在lwipopts.h加入啟用mbedtls:
加入ca.crt憑證。
/* TCP WND must be at least 16 kb to match TLS record size or you will get a warning "altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!" */ // tls #undef TCP_WND #define TCP_WND 16384 #define LWIP_ALTCP 1 #define LWIP_ALTCP_TLS 1 #define LWIP_ALTCP_TLS_MBEDTLS 1 #define LWIP_DEBUG 1 #define ALTCP_MBEDTLS_DEBUG LWIP_DBG_ON #define ALTCP_MBEDTLS_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED
詳細步驟請參閱下列影片:
程式碼:
- picow_tls_client.c
#include < stdio.h > #include "pico/stdlib.h" #include "pico/cyw43_arch.h" #include "picow_tls_client.h" #include "picow_tls_cert.h" #define TCP_POLL_INTERVAL 10 #define LED_RED_PIN 13 #define LED_GREEN_PIN 14 #define LED_BLUE_PIN 15 #define WIFI_SSID "your-ssid" #define WIFI_PASSWORD "your-password" #define SERVER_IP "your-server-ip" #define SERVER_PORT 20000 static struct altcp_tls_config *tls_config = NULL; err_t tcp_connect_close(TLS_CLIENT_T * tls_client) { tls_client->connected=false; tls_client->dns_found=false; return altcp_close(tls_client->tpcb); } static int32_t buff_remain_len=0; err_t tcp_recv_cb(void *arg, struct altcp_pcb *tpcb, struct pbuf *p, err_t err) { TLS_CLIENT_T *tls_client = (TLS_CLIENT_T*)arg; if (!p) { printf("pbuf null\n"); return tcp_connect_close(tls_client); } if (p->tot_len > 0) { // for test only int32_t len; int32_t offset=0; buff_remain_len = p->tot_len; while (buff_remain_len > 0) { len = buff_remain_len > RECV_BUFF_MAX_LEN ? RECV_BUFF_MAX_LEN : buff_remain_len; pbuf_copy_partial(p, tls_client->recv_buff, len,offset); tls_client->recv_buff[len]=0; printf("%s\n", tls_client->recv_buff); buff_remain_len -= len; offset+=len; } altcp_recved(tpcb, p->tot_len); } gpio_put(LED_GREEN_PIN, !gpio_get(LED_GREEN_PIN)); pbuf_free(p); return ERR_OK; } err_t tcp_sent_cb(void *arg, struct altcp_pcb *tpcb, u16_t len) { return ERR_OK; } err_t tcp_poll_cb(void *arg, struct altcp_pcb *tpcb) { TLS_CLIENT_T *tls_client = (TLS_CLIENT_T*)arg; return tcp_connect_close(tls_client); } void tcp_err_cb(void *arg, err_t err) { printf("tcp error:%d\n"); tcp_connect_close(arg); } err_t tcp_connected_cb(void *arg, struct altcp_pcb *tpcb, err_t err) { TLS_CLIENT_T *tls_client = (TLS_CLIENT_T*)arg; if (err == ERR_OK) { printf("tls server connected \n"); tls_client->connected = true; } return err; } void tls_client_dns_found(const char *name, const ip_addr_t *ipaddr, void *callback_arg) { TLS_CLIENT_T *tls_client = (TLS_CLIENT_T*)callback_arg; if (ipaddr) { printf("DNS resolving complete\n"); tls_client->dns_found=true; tls_client->server_addr = *ipaddr; } else { printf("error resolving hostname %s\n", name); tls_client->dns_found=false; } } int main() { int wifi_stat; err_t tcp_stat; stdio_init_all(); printf("Starting \n"); if (cyw43_arch_init()) { printf("cyw43 init error\n"); return 0; } gpio_init_mask(1 << LED_BLUE_PIN | 1 << LED_GREEN_PIN | 1 << LED_RED_PIN); gpio_set_dir_out_masked(1 << LED_BLUE_PIN | 1 << LED_GREEN_PIN | 1 << LED_RED_PIN); tls_config = altcp_tls_create_config_client(ca_cert, sizeof(ca_cert)); //tls_config = altcp_tls_create_config_client(NULL, 0); assert(tls_config); //led: red gpio_put_masked(1 << LED_BLUE_PIN | 1 << LED_GREEN_PIN | 1 << LED_RED_PIN, 0); gpio_put(LED_RED_PIN, true); // connect to WiFi cyw43_arch_enable_sta_mode(); wifi_stat = cyw43_arch_wifi_connect_timeout_ms(WIFI_SSID, WIFI_PASSWORD, CYW43_AUTH_WPA2_AES_PSK, 30000); if (wifi_stat) { printf("wifi connect error:%d\n", wifi_stat); return 0; } printf("Wifi connected\n"); //led: blue gpio_put_masked(1 << LED_BLUE_PIN | 1 << LED_GREEN_PIN | 1 << LED_RED_PIN, 0); gpio_put(LED_BLUE_PIN, true); // connect to tcp server TLS_CLIENT_T* tls_client = (TLS_CLIENT_T*)calloc(1, sizeof(TLS_CLIENT_T)); // set callback tls_client->tpcb = altcp_tls_new(tls_config, IPADDR_TYPE_ANY); altcp_arg(tls_client->tpcb, tls_client); altcp_sent(tls_client->tpcb, tcp_sent_cb); altcp_recv(tls_client->tpcb, tcp_recv_cb); altcp_poll(tls_client->tpcb, tcp_poll_cb, TCP_POLL_INTERVAL); altcp_err(tls_client->tpcb, tcp_err_cb); /* // if DNS query mbedtls_ssl_set_hostname(altcp_tls_context(tcp_client.tpcb), SERVER_NAME); tls_client->dns_found=false; cyw43_arch_lwip_begin(); tcp_stat = dns_gethostbyname(SERVER_NAME, &tls_client->server_addr, tls_client_dns_found, &tls_client); while(!tls_client->dns_found) { cyw43_arch_poll(); sleep_ms(10); } */ // if not by dns ipaddr_aton(SERVER_IP, &tls_client->server_addr); // connect to server; tls_client->connected = false; tcp_stat = altcp_connect(tls_client->tpcb, &tls_client->server_addr, SERVER_PORT, tcp_connected_cb); if (tcp_stat != ERR_OK) { printf("connect TCP server error:%d\n", tcp_stat); return 0; } absolute_time_t timeout = make_timeout_time_ms(20000); while(!tls_client->connected && absolute_time_diff_us(get_absolute_time(), timeout)>0){ printf("."); cyw43_arch_poll(); sleep_ms(10); } printf("\n"); if (!tls_client->connected) { printf("connection timeout\n"); free(tls_client); return 0; } // led : green gpio_put_masked(1 << LED_BLUE_PIN | 1 << LED_GREEN_PIN | 1 << LED_RED_PIN, 0); gpio_put(LED_GREEN_PIN, true); uint8_t buff[100]; uint32_t idx=0; while(1) { sprintf(buff, "test from PicoW:%020d", idx++); altcp_write(tls_client->tpcb, buff, strlen(buff), TCP_WRITE_FLAG_COPY); cyw43_arch_poll(); cyw43_arch_wait_for_work_until(make_timeout_time_ms(1000)); //sleep_ms(50); } altcp_close(tls_client->tpcb); free(tls_client); cyw43_arch_deinit(); return 0; }
- CMakeLists.txt
# Generated Cmake Pico project file cmake_minimum_required(VERSION 3.13) set(CMAKE_C_STANDARD 11) set(CMAKE_CXX_STANDARD 17) # Initialise pico_sdk from installed location # (note this can come from environment, CMake cache etc) set(PICO_SDK_PATH "/home/duser/pico/pico-sdk") set(PICO_BOARD pico_w CACHE STRING "Board type") # Pull in Raspberry Pi Pico SDK (must be before project) include(pico_sdk_import.cmake) if (PICO_SDK_VERSION_STRING VERSION_LESS "1.4.0") message(FATAL_ERROR "Raspberry Pi Pico SDK version 1.4.0 (or later) required. Your version is ${PICO_SDK_VERSION_STRING}") endif() project(picow_tls_client C CXX ASM) # Initialise the Raspberry Pi Pico SDK pico_sdk_init() # Add executable. Default name is the project name, version 0.1 add_executable(picow_tls_client picow_tls_client.c ) pico_set_program_name(picow_tls_client "picow_tls_client") pico_set_program_version(picow_tls_client "0.1") pico_enable_stdio_uart(picow_tls_client 1) pico_enable_stdio_usb(picow_tls_client 0) # Add the standard library to the build target_link_libraries(picow_tls_client pico_stdlib) # Add the standard include files to the build target_include_directories(picow_tls_client PRIVATE ${CMAKE_CURRENT_LIST_DIR} ${CMAKE_CURRENT_LIST_DIR}/.. # for our common lwipopts or any other standard includes, if required ) # Add any user requested libraries target_link_libraries(picow_tls_client pico_cyw43_arch_lwip_poll pico_lwip_mbedtls pico_mbedtls ) pico_add_extra_outputs(picow_tls_client)
- picow_tls_client.h
#ifndef __PICOW_TLS_CLIENT_H__ #define __PICOW_TLS_CLIENT_H__ #include "lwip/pbuf.h" #include "lwip/altcp_tcp.h" #include "lwip/altcp_tcp.h" #include "lwip/altcp_tls.h" #include "lwip/dns.h" #define RECV_BUFF_MAX_LEN 1024 typedef struct { struct altcp_pcb *tpcb; ip_addr_t server_addr; bool connected; bool dns_found; uint8_t recv_buff[RECV_BUFF_MAX_LEN+1]; } TLS_CLIENT_T; #endif
- lwipopts.h
#ifndef __LWIPOPTS_H__ #define __LWIPOPTS_H__ // Common settings used in most of the pico_w examples // (see https://www.nongnu.org/lwip/2_1_x/group__lwip__opts.html for details) // allow override in some examples #ifndef NO_SYS #define NO_SYS 1 #endif // allow override in some examples #ifndef LWIP_SOCKET #define LWIP_SOCKET 0 #endif #if PICO_CYW43_ARCH_POLL #define MEM_LIBC_MALLOC 1 #else // MEM_LIBC_MALLOC is incompatible with non polling versions #define MEM_LIBC_MALLOC 0 #endif #define MEM_ALIGNMENT 4 #define MEM_SIZE 4000 #define MEMP_NUM_TCP_SEG 32 #define MEMP_NUM_ARP_QUEUE 10 #define PBUF_POOL_SIZE 24 #define LWIP_ARP 1 #define LWIP_ETHERNET 1 #define LWIP_ICMP 1 #define LWIP_RAW 1 #define TCP_WND (8 * TCP_MSS) #define TCP_MSS 1460 #define TCP_SND_BUF (8 * TCP_MSS) #define TCP_SND_QUEUELEN ((4 * (TCP_SND_BUF) + (TCP_MSS - 1)) / (TCP_MSS)) #define LWIP_NETIF_STATUS_CALLBACK 1 #define LWIP_NETIF_LINK_CALLBACK 1 #define LWIP_NETIF_HOSTNAME 1 #define LWIP_NETCONN 0 #define MEM_STATS 0 #define SYS_STATS 0 #define MEMP_STATS 0 #define LINK_STATS 0 // #define ETH_PAD_SIZE 2 #define LWIP_CHKSUM_ALGORITHM 3 #define LWIP_DHCP 1 #define LWIP_IPV4 1 #define LWIP_TCP 1 #define LWIP_UDP 1 #define LWIP_DNS 1 #define LWIP_TCP_KEEPALIVE 1 #define LWIP_NETIF_TX_SINGLE_PBUF 1 #define DHCP_DOES_ARP_CHECK 0 #define LWIP_DHCP_DOES_ACD_CHECK 0 #ifndef NDEBUG #define LWIP_DEBUG 1 #define LWIP_STATS 1 #define LWIP_STATS_DISPLAY 1 #endif #define ETHARP_DEBUG LWIP_DBG_OFF #define NETIF_DEBUG LWIP_DBG_OFF #define PBUF_DEBUG LWIP_DBG_OFF #define API_LIB_DEBUG LWIP_DBG_OFF #define API_MSG_DEBUG LWIP_DBG_OFF #define SOCKETS_DEBUG LWIP_DBG_OFF #define ICMP_DEBUG LWIP_DBG_OFF #define INET_DEBUG LWIP_DBG_OFF #define IP_DEBUG LWIP_DBG_OFF #define IP_REASS_DEBUG LWIP_DBG_OFF #define RAW_DEBUG LWIP_DBG_OFF #define MEM_DEBUG LWIP_DBG_OFF #define MEMP_DEBUG LWIP_DBG_OFF #define SYS_DEBUG LWIP_DBG_OFF #define TCP_DEBUG LWIP_DBG_OFF #define TCP_INPUT_DEBUG LWIP_DBG_OFF #define TCP_OUTPUT_DEBUG LWIP_DBG_OFF #define TCP_RTO_DEBUG LWIP_DBG_OFF #define TCP_CWND_DEBUG LWIP_DBG_OFF #define TCP_WND_DEBUG LWIP_DBG_OFF #define TCP_FR_DEBUG LWIP_DBG_OFF #define TCP_QLEN_DEBUG LWIP_DBG_OFF #define TCP_RST_DEBUG LWIP_DBG_OFF #define UDP_DEBUG LWIP_DBG_OFF #define TCPIP_DEBUG LWIP_DBG_OFF #define PPP_DEBUG LWIP_DBG_OFF #define SLIP_DEBUG LWIP_DBG_OFF #define DHCP_DEBUG LWIP_DBG_OFF /* TCP WND must be at least 16 kb to match TLS record size or you will get a warning "altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!" */ // tls #undef TCP_WND #define TCP_WND 16384 #define LWIP_ALTCP 1 #define LWIP_ALTCP_TLS 1 #define LWIP_ALTCP_TLS_MBEDTLS 1 #define LWIP_DEBUG 1 #define ALTCP_MBEDTLS_DEBUG LWIP_DBG_ON #define ALTCP_MBEDTLS_AUTHMODE MBEDTLS_SSL_VERIFY_REQUIRED #endif /* __LWIPOPTS_H__ */
- mbedtls_config.h
/* Workaround for some mbedtls source files using INT_MAX without including limits.h */ #include < limits.h > #define MBEDTLS_NO_PLATFORM_ENTROPY #define MBEDTLS_ENTROPY_HARDWARE_ALT #define MBEDTLS_SSL_OUT_CONTENT_LEN 2048 #define MBEDTLS_ALLOW_PRIVATE_ACCESS #define MBEDTLS_HAVE_TIME #define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_ECP_DP_SECP192R1_ENABLED #define MBEDTLS_ECP_DP_SECP224R1_ENABLED #define MBEDTLS_ECP_DP_SECP256R1_ENABLED #define MBEDTLS_ECP_DP_SECP384R1_ENABLED #define MBEDTLS_ECP_DP_SECP521R1_ENABLED #define MBEDTLS_ECP_DP_SECP192K1_ENABLED #define MBEDTLS_ECP_DP_SECP224K1_ENABLED #define MBEDTLS_ECP_DP_SECP256K1_ENABLED #define MBEDTLS_ECP_DP_BP256R1_ENABLED #define MBEDTLS_ECP_DP_BP384R1_ENABLED #define MBEDTLS_ECP_DP_BP512R1_ENABLED #define MBEDTLS_ECP_DP_CURVE25519_ENABLED #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_PKCS1_V15 #define MBEDTLS_SHA256_SMALLER #define MBEDTLS_SSL_SERVER_NAME_INDICATION #define MBEDTLS_AES_C #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_ERROR_C #define MBEDTLS_MD_C #define MBEDTLS_MD5_C #define MBEDTLS_OID_C #define MBEDTLS_PKCS5_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PLATFORM_C #define MBEDTLS_RSA_C #define MBEDTLS_SHA1_C #define MBEDTLS_SHA224_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA512_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C #define MBEDTLS_X509_CRT_PARSE_C #define MBEDTLS_X509_USE_C #define MBEDTLS_AES_FEWER_TABLES /* TLS 1.2 */ #define MBEDTLS_SSL_PROTO_TLS1_2 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_GCM_C #define MBEDTLS_ECDH_C #define MBEDTLS_ECP_C #define MBEDTLS_ECDSA_C #define MBEDTLS_ASN1_WRITE_C // The following is needed to parse a certificate #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_BASE64_C
- picow_tls_cert.h
#define ca_cert "-----BEGIN CERTIFICATE-----\n\ . . . -----END CERTIFICATE-----\n"
沒有留言:
張貼留言