mgmt: hawkbit: change the tls certificate tag

maass-hamburg · fabiobaltieri · commit 571ad19b0d40 · 2024-05-06T22:50:44.000+01:00
Be able to change the tls certicicate tag.

Signed-off-by: Fin Maaß &lt;f.maass@vogl-electronic.com&gt;
diff --git a/include/zephyr/mgmt/hawkbit.h b/include/zephyr/mgmt/hawkbit.h
@@ -13,6 +13,8 @@
 #ifndef ZEPHYR_INCLUDE_MGMT_HAWKBIT_H_
 #define ZEPHYR_INCLUDE_MGMT_HAWKBIT_H_
 
+#include <zephyr/net/tls_credentials.h>
+
 #define HAWKBIT_JSON_URL "/default/controller/v1"
 
 /**
@@ -47,6 +49,7 @@ struct hawkbit_runtime_config {
 	char *server_addr;
 	uint16_t server_port;
 	char *auth_token;
+	sec_tag_t tls_tag;
 };
 
 /**
@@ -160,7 +163,7 @@ struct hawkbit_runtime_config hawkbit_get_config(void);
 static inline int hawkbit_set_server_addr(char *addr_str)
 {
 	struct hawkbit_runtime_config set_config = {
-		.server_addr = addr_str, .server_port = 0, .auth_token = NULL};
+		.server_addr = addr_str, .server_port = 0, .auth_token = NULL, .tls_tag = 0};
 
 	return hawkbit_set_config(&set_config);
 }
@@ -175,7 +178,7 @@ static inline int hawkbit_set_server_addr(char *addr_str)
 static inline int hawkbit_set_server_port(uint16_t port)
 {
 	struct hawkbit_runtime_config set_config = {
-		.server_addr = NULL, .server_port = port, .auth_token = NULL};
+		.server_addr = NULL, .server_port = port, .auth_token = NULL, .tls_tag = 0};
 
 	return hawkbit_set_config(&set_config);
 }
@@ -190,7 +193,22 @@ static inline int hawkbit_set_server_port(uint16_t port)
 static inline int hawkbit_set_ddi_security_token(char *token)
 {
 	struct hawkbit_runtime_config set_config = {
-		.server_addr = NULL, .server_port = 0, .auth_token = token};
+		.server_addr = NULL, .server_port = 0, .auth_token = token, .tls_tag = 0};
+
+	return hawkbit_set_config(&set_config);
+}
+
+/**
+ * @brief Set the hawkBit TLS tag
+ *
+ * @param tag TLS tag to set.
+ * @retval 0 on success.
+ * @retval -EAGAIN if probe is currently running.
+ */
+static inline int hawkbit_set_tls_tag(sec_tag_t tag)
+{
+	struct hawkbit_runtime_config set_config = {
+		.server_addr = NULL, .server_port = 0, .auth_token = NULL, .tls_tag = tag};
 
 	return hawkbit_set_config(&set_config);
 }
@@ -225,6 +243,16 @@ static inline char *hawkbit_get_ddi_security_token(void)
 	return hawkbit_get_config().auth_token;
 }
 
+/**
+ * @brief Get the hawkBit TLS tag.
+ *
+ * @return TLS tag.
+ */
+static inline sec_tag_t hawkbit_get_tls_tag(void)
+{
+	return hawkbit_get_config().tls_tag;
+}
+
 /**
  * @brief Get the hawkBit action id.
  *
diff --git a/samples/subsys/mgmt/hawkbit/overlay-tls.conf b/samples/subsys/mgmt/hawkbit/overlay-tls.conf
@@ -8,3 +8,4 @@ CONFIG_MBEDTLS_HEAP_SIZE=60000
 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
 
 CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
+CONFIG_HAWKBIT_USE_TLS=y
diff --git a/samples/subsys/mgmt/hawkbit/sample.yaml b/samples/subsys/mgmt/hawkbit/sample.yaml
@@ -29,6 +29,7 @@ tests:
       - CONFIG_HAWKBIT_DDI_SECURITY_TOKEN="abcd1234"
   sample.net.hawkbit.tls:
     extra_configs:
+      - CONFIG_HAWKBIT_USE_TLS=y
       - CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
   sample.net.hawkbit.set_settings_runtime:
     extra_configs:
diff --git a/subsys/mgmt/hawkbit/Kconfig b/subsys/mgmt/hawkbit/Kconfig
@@ -111,6 +111,40 @@ config HAWKBIT_DEVICE_ID_MAX_LENGTH
 	help
 	  Maximum length of the device id.
 
+config HAWKBIT_USE_TLS
+	bool "Use TLS for hawkBit server connection"
+	depends on NET_SOCKETS_SOCKOPT_TLS
+	help
+	  Use TLS for hawkBit connection.
+
+if HAWKBIT_USE_TLS
+
+choice HAWKBIT_CERT_TAG
+	prompt "hawkBit certificate tag"
+	default HAWKBIT_USE_STATIC_CERT_TAG
+
+config HAWKBIT_USE_STATIC_CERT_TAG
+	bool "Use static certificate tag"
+	help
+	  Use static certificate tag for TLS connection to the hawkBit server.
+
+config HAWKBIT_USE_DYNAMIC_CERT_TAG
+	bool "Use dynamic certificate tag"
+	depends on HAWKBIT_SET_SETTINGS_RUNTIME
+	help
+	  Use dynamic certificate tag for TLS connection to the hawkBit server.
+
+endchoice
+
+config HAWKBIT_STATIC_CERT_TAG
+	int "Static certificate tag"
+	depends on HAWKBIT_USE_STATIC_CERT_TAG
+	default 1
+	help
+	  Static certificate tag for TLS connection to the hawkBit server.
+
+endif
+
 module = HAWKBIT
 module-str = Log Level for hawkbit
 module-help = Enables logging for hawkBit code.
diff --git a/subsys/mgmt/hawkbit/hawkbit.c b/subsys/mgmt/hawkbit/hawkbit.c
@@ -31,11 +31,6 @@
 #include "hawkbit_firmware.h"
 #include "hawkbit_priv.h"
 
-#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
-#define CA_CERTIFICATE_TAG 1
-#include <zephyr/net/tls_credentials.h>
-#endif
-
 LOG_MODULE_REGISTER(hawkbit, CONFIG_HAWKBIT_LOG_LEVEL);
 
 #define CANCEL_BASE_SIZE 50
@@ -82,6 +77,9 @@ static struct hawkbit_config {
 #ifndef CONFIG_HAWKBIT_DDI_NO_SECURITY
 	char ddi_security_token[DDI_SECURITY_TOKEN_SIZE + 1];
 #endif
+#ifdef CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG
+	sec_tag_t tls_tag;
+#endif
 #endif /* CONFIG_HAWKBIT_SET_SETTINGS_RUNTIME */
 } hb_cfg;
 
@@ -103,6 +101,14 @@ static struct hawkbit_config {
 #define HAWKBIT_DDI_SECURITY_TOKEN CONFIG_HAWKBIT_DDI_SECURITY_TOKEN
 #endif /* CONFIG_HAWKBIT_DDI_NO_SECURITY */
 
+#ifdef CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG
+#define HAWKBIT_CERT_TAG hb_cfg.tls_tag
+#elif defined(HAWKBIT_USE_STATIC_CERT_TAG)
+#define HAWKBIT_CERT_TAG CONFIG_HAWKBIT_STATIC_CERT_TAG
+#else
+#define HAWKBIT_CERT_TAG 0
+#endif /* CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG */
+
 struct hawkbit_download {
 	int download_status;
 	int download_progress;
@@ -341,7 +347,7 @@ static bool start_http_client(void)
 	struct zsock_addrinfo *addr;
 	struct zsock_addrinfo hints = {0};
 	int resolve_attempts = 10;
-	int protocol = IS_ENABLED(CONFIG_NET_SOCKETS_SOCKOPT_TLS) ? IPPROTO_TLS_1_2 : IPPROTO_TCP;
+	int protocol = IS_ENABLED(CONFIG_HAWKBIT_USE_TLS) ? IPPROTO_TLS_1_2 : IPPROTO_TCP;
 
 	if (IS_ENABLED(CONFIG_NET_IPV6)) {
 		hints.ai_family = AF_INET6;
@@ -371,9 +377,9 @@ static bool start_http_client(void)
 		goto err;
 	}
 
-#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+#ifdef CONFIG_HAWKBIT_USE_TLS
 	sec_tag_t sec_tag_opt[] = {
-		CA_CERTIFICATE_TAG,
+		HAWKBIT_CERT_TAG,
 	};
 
 	if (zsock_setsockopt(hb_context.sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_opt,
@@ -385,7 +391,7 @@ static bool start_http_client(void)
 			     sizeof(HAWKBIT_SERVER)) < 0) {
 		goto err_sock;
 	}
-#endif
+#endif /* CONFIG_HAWKBIT_USE_TLS */
 
 	if (zsock_connect(hb_context.sock, addr->ai_addr, addr->ai_addrlen) < 0) {
 		LOG_ERR("Failed to connect to server");
@@ -759,6 +765,12 @@ int hawkbit_set_config(struct hawkbit_runtime_config *config)
 				hb_cfg.ddi_security_token);
 		}
 #endif /* CONFIG_HAWKBIT_DDI_NO_SECURITY */
+#ifdef CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG
+		if (config->tls_tag != 0) {
+			hb_cfg.tls_tag = config->tls_tag;
+			LOG_DBG("configured %s: %d", "hawkbit/tls_tag", hb_cfg.tls_tag);
+		}
+#endif /* CONFIG_HAWKBIT_USE_DYNAMIC_CERT_TAG */
 		settings_save();
 		k_sem_give(&probe_sem);
 	} else {
@@ -776,6 +788,7 @@ struct hawkbit_runtime_config hawkbit_get_config(void)
 		.server_addr = HAWKBIT_SERVER,
 		.server_port = HAWKBIT_PORT_INT,
 		.auth_token = HAWKBIT_DDI_SECURITY_TOKEN,
+		.tls_tag = HAWKBIT_CERT_TAG,
 	};
 
 	return config;

Original file line number	Diff line number	Diff line change
`@@ -8,3 +8,4 @@ CONFIG_MBEDTLS_HEAP_SIZE=60000`
`8`	`8`	`CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384`
`9`	`9`
`10`	`10`	`CONFIG_NET_SOCKETS_SOCKOPT_TLS=y`
	`11`	`+CONFIG_HAWKBIT_USE_TLS=y`