From 571ad19b0d40eec8a69c416ecbb3db9769ffa860 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fin=20Maa=C3=9F?=
Date: Tue, 23 Apr 2024 10:16:04 +0200
Subject: [PATCH] mgmt: hawkbit: change the tls certificate tag
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Be able to change the tls certicicate tag.

Signed-off-by: Fin Maaß
---
 include/zephyr/mgmt/hawkbit.h | 34 ++++++++++++++++++--
 samples/subsys/mgmt/hawkbit/overlay-tls.conf | 1 +
 samples/subsys/mgmt/hawkbit/sample.yaml | 1 +
 subsys/mgmt/hawkbit/Kconfig | 34 ++++++++++++++++++++
 subsys/mgmt/hawkbit/hawkbit.c | 31 ++++++++++++------
 5 files changed, 89 insertions(+), 12 deletions(-)

diff --git a/include/zephyr/mgmt/hawkbit.h b/include/zephyr/mgmt/hawkbit.h
index 55bc0e8411c..08da3df1b1c 100644
--- a/include/zephyr/mgmt/hawkbit.h
+++ b/include/zephyr/mgmt/hawkbit.h
@@ -13,6 +13,8 @@
 #ifndef ZEPHYR_INCLUDE_MGMT_HAWKBIT_H_
 #define ZEPHYR_INCLUDE_MGMT_HAWKBIT_H_

+#include
+
 #define HAWKBIT_JSON_URL "/default/controller/v1"

 /**
@@ -47,6 +49,7 @@ struct hawkbit_runtime_config {
 char *server_addr;
 uint16_t server_port;
 char *auth_token;
+ sec_tag_t tls_tag;
 };

 /**
@@ -160,7 +163,7 @@ struct hawkbit_runtime_config hawkbit_get_config(void);
 static inline int hawkbit_set_server_addr(char *addr_str)
 {
 struct hawkbit_runtime_config set_config = {
- .server_addr = addr_str, .server_port = 0, .auth_token = NULL};
+ .server_addr = addr_str, .server_port = 0, .auth_token = NULL, .tls_tag = 0};

 return hawkbit_set_config(&set_config);
 }
@@ -175,7 +178,7 @@ static inline int hawkbit_set_server_addr(char *addr_str)
 static inline int hawkbit_set_server_port(uint16_t port)
 {
 struct hawkbit_runtime_config set_config = {
- .server_addr = NULL, .server_port = port, .auth_token = NULL};
+ .server_addr = NULL, .server_port = port, .auth_token = NULL, .tls_tag = 0};

 return hawkbit_set_config(&set_config);
 }
@@ -190,7 +193,22 @@ static inline int hawkbit_set_server_port(uint16_t port)
 static inline int hawkbit_set_ddi_security_token(char *token)
 {
 struct hawkbit_runtime_config set_config = {
- .server_addr = NULL, .server_port = 0, .auth_token = token};
+ .server_addr = NULL, .server_port = 0, .auth_token = token, .tls_tag = 0};
+
+ return hawkbit_set_config(&set_config);
+}
+
+/**
+ * @brief Set the hawkBit TLS tag
+ *
+ * @param tag TLS tag to set.
+ * @retval 0 on success.
+ * @retval -EAGAIN if probe is currently running.
+ */
+static inline int hawkbit_set_tls_tag(sec_tag_t tag)
+{
+ struct hawkbit_runtime_config set_config = {
+ .server_addr = NULL, .server_port = 0, .auth_token = NULL, .tls_tag = tag};

 return hawkbit_set_config(&set_config);
 }
@@ -225,6 +243,16 @@ static inline char *hawkbit_get_ddi_security_token(void)
 return hawkbit_get_config().auth_token;
 }
+/**
+ * @brief Get the hawkBit TLS tag.
+ *
+ * @return TLS tag.
+ */
+static inline sec_tag_t hawkbit_get_tls_tag(void)
+{
+ return hawkbit_get_config().tls_tag;
+}
+

 /**
 * @brief Get the hawkBit action id.
 *
diff --git a/samples/subsys/mgmt/hawkbit/overlay-tls.conf b/samples/subsys/mgmt/hawkbit/overlay-tls.conf
index e2b6db68494..c550fcbb89d 100644
--- a/samples/subsys/mgmt/hawkbit/overlay-tls.conf
+++ b/samples/subsys/mgmt/hawkbit/overlay-tls.conf
@@ -8,3 +8,4 @@ CONFIG_MBEDTLS_HEAP_SIZE=60000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
+CONFIG_HAWKBIT_USE_TLS=y
diff --git a/samples/subsys/mgmt/hawkbit/sample.yaml b/samples/subsys/mgmt/hawkbit/sample.yaml
index bce283490f8..4a7bf0db6c7 100644
--- a/samples/subsys/mgmt/hawkbit/sample.yaml
+++ b/samples/subsys/mgmt/hawkbit/sample.yaml
@@ -29,6 +29,7 @@ tests:
 - CONFIG_HAWKBIT_DDI_SECURITY_TOKEN="abcd1234"
 sample.net.hawkbit.tls:
 extra_configs:
+ - CONFIG_HAWKBIT_USE_TLS=y
 - CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
 sample.net.hawkbit.set_settings_runtime:
 extra_configs:
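Review bot: The doc comment on hawkbit_set_tls_tag() in this hunk reads as if the call always takes effect, but in hawkbit_set_config() (hawkbit.c, hunk @@ -759) the new `tls_tag` is copied into `hb_cfg` only under `CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG`, and only when the value is non-zero; with the default static choice the call reports success and changes nothing. Callers need to know that from the header, so add ` * @note Only effective with CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG; a tag of 0 means "leave unchanged".` to this comment, and put the same one-line caveat on the `tls_tag` member added to struct hawkbit_runtime_config, since 0 is the sentinel the other setters in this header pass for it.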
diff --git a/subsys/mgmt/hawkbit/Kconfig b/subsys/mgmt/hawkbit/Kconfig
index 70808ec9ce6..b0c3b35c1af 100644
--- a/subsys/mgmt/hawkbit/Kconfig
+++ b/subsys/mgmt/hawkbit/Kconfig
@@ -111,6 +111,40 @@ config HAWKBIT_DEVICE_ID_MAX_LENGTH
 help
 Maximum length of the device id.

+config HAWKBIT_USE_TLS
+ bool "Use TLS for hawkBit server connection"
+ depends on NET_SOCKETS_SOCKOPT_TLS
+ help
+ Use TLS for hawkBit connection.
+
+if HAWKBIT_USE_TLS
+
+choice HAWKBIT_CERT_TAG
+ prompt "hawkBit certificate tag"
+ default HAWKBIT_USE_STATIC_CERT_TAG
+
+config HAWKBIT_USE_STATIC_CERT_TAG
+ bool "Use static certificate tag"
+ help
+ Use static certificate tag for TLS connection to the hawkBit server.
+
+config HAWKBIT_USE_DYNAMIC_CERT_TAG
+ bool "Use dynamic certificate tag"
+ depends on HAWKBIT_SET_SETTINGS_RUNTIME
+ help
+ Use dynamic certificate tag for TLS connection to the hawkBit server.
+
+endchoice
+
+config HAWKBIT_STATIC_CERT_TAG
+ int "Static certificate tag"
+ depends on HAWKBIT_USE_STATIC_CERT_TAG
+ default 1
+ help
+ Static certificate tag for TLS connection to the hawkBit server.
+
+endif
+
 module = HAWKBIT
 module-str = Log Level for hawkbit
 module-help = Enables logging for hawkBit code.
diff --git a/subsys/mgmt/hawkbit/hawkbit.c b/subsys/mgmt/hawkbit/hawkbit.c
index f9da2ddd31a..854500850b6 100644
--- a/subsys/mgmt/hawkbit/hawkbit.c
+++ b/subsys/mgmt/hawkbit/hawkbit.c
@@ -31,11 +31,6 @@
 #include "hawkbit_firmware.h"
 #include "hawkbit_priv.h"

-#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
-#define CA_CERTIFICATE_TAG 1
-#include
-#endif
-
 LOG_MODULE_REGISTER(hawkbit, CONFIG_HAWKBIT_LOG_LEVEL);

 #define CANCEL_BASE_SIZE 50
@@ -82,6 +77,9 @@ static struct hawkbit_config {
 #ifndef CONFIG_HAWKBIT_DDI_NO_SECURITY
 char ddi_security_token[DDI_SECURITY_TOKEN_SIZE + 1];
 #endif
+#ifdef CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG
+ sec_tag_t tls_tag;
+#endif
 #endif /* CONFIG_HAWKBIT_SET_SETTINGS_RUNTIME */
 } hb_cfg;

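Review bot: `HAWKBIT_USE_TLS` is introduced without a default, while start_http_client() (hawkbit.c, hunk @@ -341) now picks `IPPROTO_TLS_1_2` only when that symbol is set, where before enabling `CONFIG_NET_SOCKETS_SOCKOPT_TLS` was sufficient. A project that already enables `NET_SOCKETS_SOCKOPT_TLS` and moves past this commit therefore connects to its update server over plain `IPPROTO_TCP` with no build error or warning; the sample itself had to gain `CONFIG_HAWKBIT_USE_TLS=y` in both overlay-tls.conf and sample.yaml for exactly this reason. Preserving the previous behaviour is one added line under the new symbol, `default y`, since the existing `depends on NET_SOCKETS_SOCKOPT_TLS` already keeps it off where TLS sockets are unavailable; if an explicit opt-in is intended, the commit message should state that existing TLS users must now set the option.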
@@ -103,6 +101,14 @@ static struct hawkbit_config {
 #define HAWKBIT_DDI_SECURITY_TOKEN CONFIG_HAWKBIT_DDI_SECURITY_TOKEN
 #endif /* CONFIG_HAWKBIT_DDI_NO_SECURITY */

+#ifdef CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG
+#define HAWKBIT_CERT_TAG hb_cfg.tls_tag
+#elif defined(HAWKBIT_USE_STATIC_CERT_TAG)
+#define HAWKBIT_CERT_TAG CONFIG_HAWKBIT_STATIC_CERT_TAG
+#else
+#define HAWKBIT_CERT_TAG 0
+#endif /* CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG */
+
 struct hawkbit_download {
 int download_status;
 int download_progress;
@@ -341,7 +347,7 @@ static bool start_http_client(void)
 struct zsock_addrinfo *addr;
 struct zsock_addrinfo hints = {0};
 int resolve_attempts = 10;
- int protocol = IS_ENABLED(CONFIG_NET_SOCKETS_SOCKOPT_TLS) ? IPPROTO_TLS_1_2 : IPPROTO_TCP;
+ int protocol = IS_ENABLED(CONFIG_HAWKBIT_USE_TLS) ? IPPROTO_TLS_1_2 : IPPROTO_TCP;

 if (IS_ENABLED(CONFIG_NET_IPV6)) {
 hints.ai_family = AF_INET6;
@@ -371,9 +377,9 @@ static bool start_http_client(void)
 goto err;
 }

-#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+#ifdef CONFIG_HAWKBIT_USE_TLS
 sec_tag_t sec_tag_opt[] = {
- CA_CERTIFICATE_TAG,
+ HAWKBIT_CERT_TAG,
 };

 if (zsock_setsockopt(hb_context.sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_opt,
@@ -385,7 +391,7 @@ static bool start_http_client(void)
 sizeof(HAWKBIT_SERVER)) < 0) {
 goto err_sock;
 }
-#endif
+#endif /* CONFIG_HAWKBIT_USE_TLS */

 if (zsock_connect(hb_context.sock, addr->ai_addr, addr->ai_addrlen) < 0) {
 LOG_ERR("Failed to connect to server");
@@ -759,6 +765,12 @@ int hawkbit_set_config(struct hawkbit_runtime_config *config)
 hb_cfg.ddi_security_token);
 }
 #endif /* CONFIG_HAWKBIT_DDI_NO_SECURITY */
+#ifdef CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG
+ if (config->tls_tag != 0) {
+ hb_cfg.tls_tag = config->tls_tag;
+ LOG_DBG("configured %s: %d", "hawkbit/tls_tag", hb_cfg.tls_tag);
+ }
+#endif /* CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG */
 settings_save();
 k_sem_give(&probe_sem);
 } else {
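Review bot: `#elif defined(HAWKBIT_USE_STATIC_CERT_TAG)` in the @@ -103 hunk is missing the `CONFIG_` prefix; Kconfig exposes the choice symbol as `CONFIG_HAWKBIT_USE_STATIC_CERT_TAG`, so this branch can never be taken and the default static configuration resolves `HAWKBIT_CERT_TAG` to the `#else` value 0 instead of `CONFIG_HAWKBIT_STATIC_CERT_TAG` (default 1, the value of the `CA_CERTIFICATE_TAG` this patch removes). start_http_client() then hands tag 0 to `TLS_SEC_TAG_LIST`, which is not the tag the CA certificate was registered under, so the TLS connection to the hawkBit server will presumably fail verification or run against whatever credential, if any, tag 0 holds. Change the line to `#elif defined(CONFIG_HAWKBIT_USE_STATIC_CERT_TAG)`; since the Kconfig choice guarantees one of the two symbols whenever `HAWKBIT_USE_TLS` is set, the `#else` arm could additionally `#error` when `CONFIG_HAWKBIT_USE_TLS` is defined so a future misspelling fails at build time rather than at the handshake.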
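Review bot: In the @@ -371 hunk, with `CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG` the `HAWKBIT_CERT_TAG` placed in `sec_tag_opt` expands to `hb_cfg.tls_tag`, which is zero-initialised (`hb_cfg` is a file-scope static, hunk @@ -82) until hawkbit_set_tls_tag() has run, and hawkbit_set_config() refuses to store 0. A device whose tag was never configured therefore still opens the TLS socket with tag 0 in `TLS_SEC_TAG_LIST` instead of failing with a clear log line. Consider rejecting that before the setsockopt: `if (IS_ENABLED(CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG) && HAWKBIT_CERT_TAG == 0) { LOG_ERR("TLS certificate tag not configured"); goto err_sock; }`, reusing the `err_sock` label the neighbouring setsockopt failures already jump to. start_http_client() begins and ends outside this hunk.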
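Review bot: The dynamic-tag path in the @@ -759 hunk stores `config->tls_tag` in `hb_cfg` and calls settings_save(), yet none of this patch's hunks (the diffstat's 31 changed lines of hawkbit.c are all visible here) touches whatever code exports and restores the other `hb_cfg` fields through the settings subsystem. If those fields are persisted by a settings set/export handler in hawkbit.c, as the `"hawkbit/tls_tag"` key in the new LOG_DBG suggests, `tls_tag` will be lost on reboot and `HAWKBIT_CERT_TAG` will read as 0 again on the first probe; either add the key to that handler or say in the commit message that the runtime tag is volatile. hawkbit_set_config() begins and ends outside this hunk.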
@@ -776,6 +788,7 @@ struct hawkbit_runtime_config hawkbit_get_config(void)
 .server_addr = HAWKBIT_SERVER,
 .server_port = HAWKBIT_PORT_INT,
 .auth_token = HAWKBIT_DDI_SECURITY_TOKEN,
+ .tls_tag = HAWKBIT_CERT_TAG,
 };

 return config;