SPRADB2, August 2023. Devices: AM2431, AM2432, AM2434, AM2631, AM2631-Q1, AM2632, AM2632-Q1, AM2634, AM2634-Q1, AM263P2, AM263P4, AM263P4-Q1, AM2732, AM2732-Q1, AM6411, AM6412, AM6421, AM6422, AM6441, AM6442

  1. Abstract
  2. Trademarks
  3. 1 Introduction
    1. 1.1 Acronyms Used in This Document
  4. 2 MbedTLS
    1. 2.1 What is MbedTLS?
    2. 2.2 Why MbedTLS?
    3. 2.3 Application of MbedTLS
  5. 3 MbedTLS Over LwIP
    1. 3.1 TLS Server Example (HTTPS Server)
    2. 3.2 TLS Client Example (MQTT Client)

TLS Server Example (HTTPS Server)

This example runs the AM2x device as an HTTPS server that accepts client connections and returns a fixed response. MbedTLS is used together with LwIP to provide the complete functionality.

The top-level operation of the HTTPS server is described below:

Role of MbedTLS:

  • A TLS configuration is created from the server certificate, the private key and, optionally, the password protecting the private key. A standard allocator function then creates an altcp PCB for TLS over TCP.
  • The certificate and private key are loaded and parsed according to the format of the X.509 certificate (DER or PEM).
  • The modulus of the private key is compared with the modulus of the public key contained in the certificate. The certificate itself is signed with the private key of a trusted CA.
  • The corresponding public key is used to verify that signature. Only if the verification succeeds are the next steps executed.
  • The TLS configuration is passed to the LwIP application APIs, which use it internally in the PCB (Protocol Control Block) of the corresponding TCP connection.
  • The certificates and keys are verified with MbedTLS cryptographic functions. If a parsing error, a data inconsistency or a certificate or key invalidation occurs, the ongoing network connection is dropped.

Role of LwIP:

  • A LwIP PCB is set up and bound to the defined port (8080 in this HTTPS example) and to the local IP address, which in this case is obtained from a DHCP server.
  • The TCP connection state is then set to LISTEN, the mode in which new connections are accepted.
  • An altcp_accept callback is registered. It handles new incoming connections, allocates memory for the connection state and sets the callbacks for sending, receiving, error handling and polling.
  • The http_recv callback, on receiving data, informs the TCP PCB that the data has been received and then parses it.
  • The http_poll callback polls the other side of the connection every 2 seconds; if no data is received for 8 seconds, the connection is closed.
  • The http_err callback closes the connection and frees its resources when an error occurs.
  • The http_sent callback sends data and receives the acknowledgment from the remote host.
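The recv and poll bookkeeping in the two lists above, modelled as a stand-alone C example added here (not code from the MCU+ SDK, LwIP or MbedTLS): a per-connection idle counter driven by the 2-second poll tick that closes the connection after 8 seconds without data, plus a bounds-checked request-line check before the fixed response is sent. The struct and function names are hypothetical; on the device this logic sits inside the http_recv and http_poll callbacks that LwIP invokes on the altcp PCB.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of the bookkeeping behind the http_recv/http_poll callbacks;
 * names are hypothetical. On the target this state hangs off the altcp PCB. */
#define MAX_IDLE_POLLS 4   /* 8 s idle timeout / 2 s poll interval, as above */
struct http_conn { unsigned idle_polls; bool closed; };

/* Request-line check before the fixed response is queued: accept only a complete,
 * bounded "GET <path> HTTP/1.x" line; anything malformed or oversized is rejected. */
bool http_handle_recv(struct http_conn *c, const char *data, size_t len)
{
    c->idle_polls = 0;                             /* any data resets the idle timer */
    const char *eol = memchr(data, '\n', len);
    if (eol == NULL) return false;                 /* request line incomplete */
    size_t line_len = (size_t)(eol - data);
    if (line_len > 0 && data[line_len - 1] == '\r') line_len--;   /* tolerate CRLF */
    if (line_len < sizeof("GET / HTTP/1.0") - 1 || line_len > 256) return false;
    if (memcmp(data, "GET /", 5) != 0) return false;   /* only GET is served */
    const char *sp = memchr(data + 4, ' ', line_len - 4);
    if (sp == NULL) return false;
    size_t rest = line_len - (size_t)(sp + 1 - data);
    return rest >= 8 && memcmp(sp + 1, "HTTP/1.", 7) == 0;
}
/* One http_poll tick; returns true once the connection must be closed. */
bool http_handle_poll(struct http_conn *c)
{
    if (!c->closed && ++c->idle_polls >= MAX_IDLE_POLLS) c->closed = true;
    return c->closed;
}

/* Scenario helpers so the behaviour can be checked without a network stack. */
bool request_line_ok(const char *s)
{
    struct http_conn c = {0, false};
    return http_handle_recv(&c, s, strlen(s));
}

/* Poll ticks until close, with one valid request arriving after recv_after
 * ticks (negative: no data ever arrives). */
int ticks_until_close(int recv_after)
{
    struct http_conn c = {0, false};
    const char *req = "GET /index.html HTTP/1.1\r\n";  /* constructed request */
    int n = 0;
    for (;;) {
        if (n == recv_after) http_handle_recv(&c, req, strlen(req));
        n++;
        if (http_handle_poll(&c)) return n;        /* 4 ticks * 2 s = 8 s idle */
    }
}
```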

Figure 3-2 shows the same flow end to end, with the SA2UL cryptography accelerator used for the cryptographic operations (optional). The alternative is to use MbedTLS software cryptography instead of offloading it to hardware.

Figure 3-2 Overview of How HTTPS Server Example Works End to End

For further details, see the AM243x MCU+ SDK: CPSW Lwip HTTPS Server Example.