Add HTTP client examples

Examples to demonstrate HTTP, HTTPS and TLS validation
Uses the lwip HTTP client

Fixes #318

Author: peterharperuk

pico_w/wifi/CMakeLists.txt

@@ -16,6 +16,7 @@ else()
     add_subdirectory(tcp_server)
     add_subdirectory(freertos)
     add_subdirectory(udp_beacon)
+    add_subdirectory(http_client)
 
     if (NOT PICO_MBEDTLS_PATH)
         message("Skipping tls examples as PICO_MBEDTLS_PATH is not defined")

pico_w/wifi/http_client/CMakeLists.txt

@@ -0,0 +1,51 @@
+add_executable(picow_http_client
+        picow_http_client.c
+        http_common.c
+        )
+target_compile_definitions(picow_http_client PRIVATE
+        WIFI_SSID=\"${WIFI_SSID}\"
+        WIFI_PASSWORD=\"${WIFI_PASSWORD}\"
+        )
+target_include_directories(picow_http_client PRIVATE
+        ${CMAKE_CURRENT_LIST_DIR}
+        ${CMAKE_CURRENT_LIST_DIR}/.. # for our common lwipopts
+        )
+target_link_libraries(picow_http_client
+        pico_cyw43_arch_lwip_threadsafe_background
+        pico_lwip_http
+        pico_stdlib
+        pico_lwip_mbedtls
+        pico_mbedtls
+        )
+pico_add_extra_outputs(picow_http_client)
+
+add_executable(picow_http_client_verify
+        picow_http_verify.c
+        http_common.c
+        )
+target_compile_definitions(picow_http_client_verify PRIVATE
+        WIFI_SSID=\"${WIFI_SSID}\"
+        WIFI_PASSWORD=\"${WIFI_PASSWORD}\"
+        # By default verification is optional (MBEDTLS_SSL_VERIFY_OPTIONAL)
+        # Make it required for this test
+        ALTCP_MBEDTLS_AUTHMODE=MBEDTLS_SSL_VERIFY_REQUIRED
+        )
+target_include_directories(picow_http_client_verify PRIVATE
+        ${CMAKE_CURRENT_LIST_DIR}
+        ${CMAKE_CURRENT_LIST_DIR}/.. # for our common lwipopts
+        )
+target_link_libraries(picow_http_client_verify
+        pico_cyw43_arch_lwip_threadsafe_background
+        pico_lwip_http
+        pico_stdlib
+        pico_lwip_mbedtls
+        pico_mbedtls
+        )
+pico_add_extra_outputs(picow_http_client_verify)
+
+# Ignore warnings from lwip code
+set_source_files_properties(
+        ${PICO_LWIP_PATH}/src/apps/altcp_tls/altcp_tls_mbedtls.c
+        PROPERTIES
+        COMPILE_OPTIONS "-Wno-unused-result"
+        )

pico_w/wifi/http_client/http_common.c

@@ -0,0 +1,92 @@
+/**
+ * Copyright (c) 2023 Raspberry Pi (Trading) Ltd.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include "pico/async_context.h"
+#include "lwip/apps/http_client.h"
+#include "lwip/altcp_tls.h"
+
+typedef struct HTTP_STATE {
+    bool complete;
+    httpc_result_t httpc_result;
+    struct altcp_tls_config *tls_config;
+    altcp_allocator_t tls_allocator;
+    httpc_connection_t settings;
+    const char *hostname;
+} HTTP_STATE_T;
+
+// Gets the content of the headers
+static err_t headers_fn(httpc_state_t *connection, void *arg, struct pbuf *hdr, u16_t hdr_len, u32_t content_len) {
+    printf("\nheaders %u\n", hdr_len);
+
+    u16_t offset = 0;
+    while (offset < hdr->tot_len && offset < hdr_len) {
+        char c = (char)pbuf_get_at(hdr, offset++);
+        putchar(c);
+    }
+    return ERR_OK;
+}
+
+// Gets the content of the body
+static err_t recv_fn(void *arg, struct altcp_pcb *conn, struct pbuf *p, err_t err) {
+    printf("\ncontent err %d\n", err);
+    u16_t offset = 0;
+    while (offset < p->tot_len) {
+        char c = (char)pbuf_get_at(p, offset++);
+        putchar(c);
+    }
+    return ERR_OK;
+}
+
+static void result_fn(void *arg, httpc_result_t httpc_result, u32_t rx_content_len, u32_t srv_res, err_t err) {
+    HTTP_STATE_T *state = (HTTP_STATE_T*)arg;
+    printf("result %d len %u server_response %u err %d\n", httpc_result, rx_content_len, srv_res, err);
+    state->complete = true;
+    state->httpc_result = httpc_result;
+}
+
+// Override altcp_tls_alloc to set sni
+static struct altcp_pcb *altcp_tls_alloc_sni(void *arg, u8_t ip_type) {
+    HTTP_STATE_T *state = (HTTP_STATE_T*)arg;
+    struct altcp_pcb *pcb = altcp_tls_alloc(state->tls_config, ip_type);
+    if (!pcb) {
+        return NULL;
+    }
+    mbedtls_ssl_set_hostname(altcp_tls_context(pcb), state->hostname);
+    return pcb;
+}
+
+// Make a http request
+bool run_http_client_test(async_context_t *context, bool use_https, const uint8_t *cert, size_t cert_len, const char *hostname, const char *url) {
+    HTTP_STATE_T state = { 0 };
+    if (use_https) {
+        state.tls_config = altcp_tls_create_config_client(cert, cert_len);
+        state.tls_allocator.alloc = altcp_tls_alloc_sni;
+        state.tls_allocator.arg = &state;
+        state.settings.altcp_allocator = &state.tls_allocator;
+    } else {
+        // Can't use a cert without https
+        if (cert || cert_len > 0) {
+            return false;
+        }
+    }
+    state.settings.headers_done_fn = headers_fn; // can be null
+    state.settings.result_fn = result_fn;
+    state.hostname = hostname;
+    state.httpc_result = HTTPC_RESULT_ERR_UNKNOWN; // make sure we see real success
+    err_t ret = httpc_get_file_dns(hostname, use_https ? 443 : 80, url, &state.settings, recv_fn, &state, NULL);
+    if (ret != ERR_OK) {
+        panic("http request failed: %d", ret);
+    }
+    while(!state.complete) {
+        async_context_poll(context);
+        async_context_wait_for_work_ms(context, 1000);
+    }
+    if (use_https) {
+        altcp_tls_free_config(state.tls_config);
+    }
+    return state.httpc_result == HTTPC_RESULT_OK;
+}

pico_w/wifi/http_client/lwipopts.h

@@ -0,0 +1,27 @@
+#ifndef _LWIPOPTS_H
+#define _LWIPOPTS_H
+
+// Generally you would define your own explicit list of lwIP options
+// (see https://www.nongnu.org/lwip/2_1_x/group__lwip__opts.html)
+//
+// This example uses a common include to avoid repetition
+#include "lwipopts_examples_common.h"
+
+/* TCP WND must be at least 16 kb to match TLS record size
+   or you will get a warning "altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!" */
+#undef TCP_WND
+#define TCP_WND  16384
+
+#define LWIP_ALTCP 1
+
+// If you don't want to use TLS (just a http request) you can avoid linking to mbedtls and remove the following
+#define LWIP_ALTCP_TLS           1
+#define LWIP_ALTCP_TLS_MBEDTLS   1
+
+// Note bug in lwip with LWIP_ALTCP and LWIP_DEBUG
+// https://savannah.nongnu.org/bugs/index.php?62159
+//#define LWIP_DEBUG 1
+#undef LWIP_DEBUG
+#define ALTCP_MBEDTLS_DEBUG  LWIP_DBG_ON
+
+#endif

pico_w/wifi/http_client/mbedtls_config.h

@@ -0,0 +1,66 @@
+/* Workaround for some mbedtls source files using INT_MAX without including limits.h */
+#include <limits.h>
+
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+
+#define MBEDTLS_SSL_OUT_CONTENT_LEN    2048
+
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+#define MBEDTLS_HAVE_TIME
+
+#define MBEDTLS_CIPHER_MODE_CBC
+#define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#define MBEDTLS_PKCS1_V15
+#define MBEDTLS_SHA256_SMALLER
+#define MBEDTLS_SSL_SERVER_NAME_INDICATION
+#define MBEDTLS_AES_C
+#define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_BIGNUM_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_ENTROPY_C
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_MD5_C
+#define MBEDTLS_OID_C
+#define MBEDTLS_PKCS5_C
+#define MBEDTLS_PK_C
+#define MBEDTLS_PK_PARSE_C
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_RSA_C
+#define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA224_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA512_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_SRV_C
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_X509_CRT_PARSE_C
+#define MBEDTLS_X509_USE_C
+#define MBEDTLS_AES_FEWER_TABLES
+
+/* TLS 1.2 */
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#define MBEDTLS_GCM_C
+#define MBEDTLS_ECDH_C
+#define MBEDTLS_ECP_C
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_ASN1_WRITE_C
+
+// The following is needed to parse a certificate
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_BASE64_C

pico_w/wifi/http_client/picow_http_client.c

@@ -0,0 +1,37 @@
+/**
+ * Copyright (c) 2023 Raspberry Pi (Trading) Ltd.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include "pico/stdio.h"
+#include "pico/cyw43_arch.h"
+#include "pico/async_context.h"
+
+#define HOST "worldtimeapi.org"
+#define URL_REQUEST "/api/ip"
+
+extern bool run_http_client_test(async_context_t *context, bool use_https, const uint8_t *cert, size_t cert_len, const char *hostname, const char *url);
+
+int main() {
+    stdio_init_all();
+    if (cyw43_arch_init()) {
+        printf("failed to initialise\n");
+        return 1;
+    }
+    cyw43_arch_enable_sta_mode();
+    if (cyw43_arch_wifi_connect_timeout_ms(WIFI_SSID, WIFI_PASSWORD, CYW43_AUTH_WPA2_AES_PSK, 10000)) {
+        printf("failed to connect\n");
+        return 1;
+    }
+    bool result1 = run_http_client_test(cyw43_arch_async_context(), false, NULL, 0, HOST, URL_REQUEST); // http
+    bool result2 = run_http_client_test(cyw43_arch_async_context(), true, NULL, 0, HOST, URL_REQUEST); // https
+    if (!result1 || !result2) {
+        panic("test failed");
+    }
+    cyw43_arch_deinit();
+    printf("Test passed\n");
+    sleep_ms(100);
+    return 0;
+}

pico_w/wifi/http_client/picow_http_verify.c

@@ -0,0 +1,86 @@
+/**
+ * Copyright (c) 2023 Raspberry Pi (Trading) Ltd.
+ *
+ * SPDX-License-Identifier: BSD-3-Clause
+ */
+
+#include <stdio.h>
+#include "pico/stdio.h"
+#include "pico/cyw43_arch.h"
+#include "pico/async_context.h"
+
+// Using this url as we know the root cert won't change for a long time
+#define HOST "fw-download-alias1.raspberrypi.com"
+#define URL_REQUEST "/net_install/boot.sig"
+
+// This is the PUBLIC root certificate exported from a browser
+// Note that the newlines are needed
+#define TLS_ROOT_CERT_OK "-----BEGIN CERTIFICATE-----\n\
+MIIC+jCCAn+gAwIBAgICEAAwCgYIKoZIzj0EAwIwgbcxCzAJBgNVBAYTAkdCMRAw\n\
+DgYDVQQIDAdFbmdsYW5kMRIwEAYDVQQHDAlDYW1icmlkZ2UxHTAbBgNVBAoMFFJh\n\
+c3BiZXJyeSBQSSBMaW1pdGVkMRwwGgYDVQQLDBNSYXNwYmVycnkgUEkgRUNDIENB\n\
+MR0wGwYDVQQDDBRSYXNwYmVycnkgUEkgUm9vdCBDQTEmMCQGCSqGSIb3DQEJARYX\n\
+c3VwcG9ydEByYXNwYmVycnlwaS5jb20wIBcNMjExMjA5MTEzMjU1WhgPMjA3MTEx\n\
+MjcxMTMyNTVaMIGrMQswCQYDVQQGEwJHQjEQMA4GA1UECAwHRW5nbGFuZDEdMBsG\n\
+A1UECgwUUmFzcGJlcnJ5IFBJIExpbWl0ZWQxHDAaBgNVBAsME1Jhc3BiZXJyeSBQ\n\
+SSBFQ0MgQ0ExJTAjBgNVBAMMHFJhc3BiZXJyeSBQSSBJbnRlcm1lZGlhdGUgQ0Ex\n\
+JjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAcmFzcGJlcnJ5cGkuY29tMHYwEAYHKoZI\n\
+zj0CAQYFK4EEACIDYgAEcN9K6Cpv+od3w6yKOnec4EbyHCBzF+X2ldjorc0b2Pq0\n\
+N+ZvyFHkhFZSgk2qvemsVEWIoPz+K4JSCpgPstz1fEV6WzgjYKfYI71ghELl5TeC\n\
+byoPY+ee3VZwF1PTy0cco2YwZDAdBgNVHQ4EFgQUJ6YzIqFh4rhQEbmCnEbWmHEo\n\
+XAUwHwYDVR0jBBgwFoAUIIAVCSiDPXut23NK39LGIyAA7NAwEgYDVR0TAQH/BAgw\n\
+BgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwCgYIKoZIzj0EAwIDaQAwZgIxAJYM+wIM\n\
+PC3wSPqJ1byJKA6D+ZyjKR1aORbiDQVEpDNWRKiQ5QapLg8wbcED0MrRKQIxAKUT\n\
+v8TJkb/8jC/oBVTmczKlPMkciN+uiaZSXahgYKyYhvKTatCTZb+geSIhc0w/2w==\n\
+-----END CERTIFICATE-----\n"
+
+// This is a test certificate
+#define TLS_ROOT_CERT_BAD "-----BEGIN CERTIFICATE-----\n\
+MIIDezCCAwGgAwIBAgICEAEwCgYIKoZIzj0EAwIwgasxCzAJBgNVBAYTAkdCMRAw\n\
+DgYDVQQIDAdFbmdsYW5kMR0wGwYDVQQKDBRSYXNwYmVycnkgUEkgTGltaXRlZDEc\n\
+MBoGA1UECwwTUmFzcGJlcnJ5IFBJIEVDQyBDQTElMCMGA1UEAwwcUmFzcGJlcnJ5\n\
+IFBJIEludGVybWVkaWF0ZSBDQTEmMCQGCSqGSIb3DQEJARYXc3VwcG9ydEByYXNw\n\
+YmVycnlwaS5jb20wHhcNMjExMjA5MTMwMjIyWhcNNDYxMjAzMTMwMjIyWjA6MQsw\n\
+CQYDVQQGEwJHQjErMCkGA1UEAwwiZnctZG93bmxvYWQtYWxpYXMxLnJhc3BiZXJy\n\
+eXBpLmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABJ6BQv8YtNiNv7ibLtt4\n\
+lwpgEr2XD4sOl9wu/l8GnGD5p39YK8jZV0j6HaTNkqi86Nly1H7YklzbxhFy5orM\n\
+356jggGDMIIBfzAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgB\n\
+hvhCAQ0EJhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0G\n\
+A1UdDgQWBBRlONP3G2wTERZA9D+VxJABfiaCVTCB5QYDVR0jBIHdMIHagBQnpjMi\n\
+oWHiuFARuYKcRtaYcShcBaGBvaSBujCBtzELMAkGA1UEBhMCR0IxEDAOBgNVBAgM\n\
+B0VuZ2xhbmQxEjAQBgNVBAcMCUNhbWJyaWRnZTEdMBsGA1UECgwUUmFzcGJlcnJ5\n\
+IFBJIExpbWl0ZWQxHDAaBgNVBAsME1Jhc3BiZXJyeSBQSSBFQ0MgQ0ExHTAbBgNV\n\
+BAMMFFJhc3BiZXJyeSBQSSBSb290IENBMSYwJAYJKoZIhvcNAQkBFhdzdXBwb3J0\n\
+QHJhc3BiZXJyeXBpLmNvbYICEAAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoG\n\
+CCsGAQUFBwMBMAoGCCqGSM49BAMCA2gAMGUCMEHerJRT0WmG5tz4oVLSIxLbCizd\n\
+//SdJBCP+072zRUKs0mfl5EcO7dXWvBAb386PwIxAL7LrgpJroJYrYJtqeufJ3a9\n\
+zVi56JFnA3cNTcDYfIzyzy5wUskPAykdrRrCS534ig==\n\
+-----END CERTIFICATE-----\n"
+
+extern bool run_http_client_test(async_context_t *context, bool use_https, const uint8_t *cert, size_t cert_len, const char *hostname, const char *url);
+
+int main() {
+    stdio_init_all();
+    if (cyw43_arch_init()) {
+        printf("failed to initialise\n");
+        return 1;
+    }
+    cyw43_arch_enable_sta_mode();
+    if (cyw43_arch_wifi_connect_timeout_ms(WIFI_SSID, WIFI_PASSWORD, CYW43_AUTH_WPA2_AES_PSK, 10000)) {
+        printf("failed to connect\n");
+        return 1;
+    }
+    // This should work
+    const uint8_t cert_ok[] = TLS_ROOT_CERT_OK;
+    bool pass1 = run_http_client_test(cyw43_arch_async_context(), true, cert_ok, sizeof(cert_ok), HOST, URL_REQUEST);
+    // Repeat the test with the wrong certificate. It should fail
+    const uint8_t cert_bad[] = TLS_ROOT_CERT_BAD;
+    bool pass2 = !run_http_client_test(cyw43_arch_async_context(), true, cert_bad, sizeof(cert_bad), HOST, URL_REQUEST);
+    if (!pass1 || !pass2) {
+        panic("test failed");
+    }
+    cyw43_arch_deinit();
+    printf("Test passed\n");
+    sleep_ms(100);
+    return 0;
+}