Ethernet: Secure TCP client

This code example demonstrates the implementation of a secure TCP client with XMC7000 MCU.

In this example, the TCP client establishes a secure connection with a TCP server through an SSL handshake. After the SSL handshake completes successfully, the TCP client turns the user LED ON/OFF based on the command received from the TCP server.

This example uses the Ethernet Core FreeRTOS lwIP mbedtls library of the SDK. This library enables application development based on Ethernet by bundling together various other libraries - FreeRTOS, lwIP TCP/IP stack, Mbed TLS, and Secure sockets. The Secure sockets library provides an easy-to-use API by abstracting the network stack (lwIP) and the security stack (Mbed TLS).

View this README on GitHub.

Provide feedback on this code example.

Requirements

ModusToolbox™ v3.2 or later (tested with v3.3)
Board support package (BSP) minimum required version: 5.0.0
Programming language: C
Other tools: Python v3.8.10
Associated parts: XMC7000 MCU

Supported toolchains (make variable 'TOOLCHAIN')

GNU Arm® Embedded Compiler v11.3.1 (GCC_ARM) – Default value of TOOLCHAIN
Arm® Compiler v6.22 (ARM)
IAR C/C++ Compiler v9.50.2 (IAR)

Note: This code example currently does not support the Arm® Compiler for XMC7100 device.

Supported kits (make variable 'TARGET')

XMC7200 Evaluation Kit (KIT_XMC72_EVK) – Default value of TARGET
XMC7200 Evaluation Kit (KIT_XMC72_EVK_MUR_43439M2)
XMC7100 Evaluation Kit (KIT_XMC71_EVK_LITE_V1)

Hardware setup

This example uses the board's default configuration. See the kit user guide to ensure that the board is configured correctly.

Software setup

See the ModusToolbox™ tools package installation guide for information about installing and configuring the tools package.

Install a terminal emulator if you don't have one. Instructions in this document use Tera Term.

Install the Python interpreter and add it to the top of the system path in environmental variables. This code example is tested with Python 3.8.10.

Using the code example

Create the project

The ModusToolbox™ tools package provides the Project Creator as both a GUI tool and a command line tool.

Use Project Creator GUI

Open the Project Creator GUI tool.

There are several ways to do this, including launching it from the dashboard or from inside the Eclipse IDE. For more details, see the Project Creator user guide (locally available at {ModusToolbox™ install directory}/tools_{version}/project-creator/docs/project-creator.pdf).
On the Choose Board Support Package (BSP) page, select a kit supported by this code example. See Supported kits.

Note: To use this code example for a kit not listed here, you may need to update the source files. If the kit does not have the required resources, the application may not work.
On the Select Application page:

a. Select the Applications(s) Root Path and the Target IDE.

Note: Depending on how you open the Project Creator tool, these fields may be pre-selected for you.

b. Select this code example from the list by enabling its check box.

Note: You can narrow the list of displayed examples by typing in the filter box.

c. (Optional) Change the suggested New Application Name and New BSP Name.

d. Click Create to complete the application creation process.

Use Project Creator CLI

The 'project-creator-cli' tool can be used to create applications from a CLI terminal or from within batch files or shell scripts. This tool is available in the {ModusToolbox™ install directory}/tools_{version}/project-creator/ directory.

Use a CLI terminal to invoke the 'project-creator-cli' tool. On Windows, use the command-line 'modus-shell' program provided in the ModusToolbox™ installation instead of a standard Windows command-line application. This shell provides access to all ModusToolbox™ tools. You can access it by typing "modus-shell" in the search box in the Windows menu. In Linux and macOS, you can use any terminal application.

The following example clones the "Ethernet: Secure TCP client" application with the desired name "EthernetSecureTCPClient" configured for the KIT_XMC72_EVK BSP into the specified working directory, C:/mtb_projects:

project-creator-cli --board-id KIT_XMC72_EVK --app-id mtb-example-ethernet-secure-tcp-client --user-app-name EthernetSecureTCPClient --target-dir "C:/mtb_projects"

The 'project-creator-cli' tool has the following arguments:

Argument	Description	Required/optional
`--board-id`	Defined in the field of the BSP manifest	Required
`--app-id`	Defined in the field of the CE manifest	Required
`--target-dir`	Specify the directory in which the application is to be created if you prefer not to use the default current working directory	Optional
`--user-app-name`	Specify the name of the application if you prefer to have a name other than the example's default name	Optional

Note: The project-creator-cli tool uses the git clone and make getlibs commands to fetch the repository and import the required libraries. For details, see the "Project creator tools" section of the ModusToolbox™ tools package user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mtb_user_guide.pdf).

Open the project

After the project has been created, you can open it in your preferred development environment.

Eclipse IDE

If you opened the Project Creator tool from the included Eclipse IDE, the project will open in Eclipse automatically.

For more details, see the Eclipse IDE for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_ide_user_guide.pdf).

Visual Studio (VS) Code

Launch VS Code manually, and then open the generated {project-name}.code-workspace file located in the project directory.

For more details, see the Visual Studio Code for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_vscode_user_guide.pdf).

Keil µVision

Double-click the generated {project-name}.cprj file to launch the Keil µVision IDE.

For more details, see the Keil µVision for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_uvision_user_guide.pdf).

IAR Embedded Workbench

Open IAR Embedded Workbench manually, and create a new project. Then select the generated {project-name}.ipcf file located in the project directory.

For more details, see the IAR Embedded Workbench for ModusToolbox™ user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mt_iar_user_guide.pdf).

Command line

If you prefer to use the CLI, open the appropriate terminal, and navigate to the project directory. On Windows, use the command-line 'modus-shell' program; on Linux and macOS, you can use any terminal application. From there, you can run various make commands.

For more details, see the ModusToolbox™ tools package user guide (locally available at {ModusToolbox™ install directory}/docs_{version}/mtb_user_guide.pdf).

Operation

Connect the board to your PC using the provided USB cable through the KitProg3 USB connector.
Connect one LAN cable from the target board (client) to the router and another LAN cable from your PC (server) to the router.
Open a terminal program and select the KitProg3 COM port. Set the serial port parameters to 8N1 and 115200 baud.
Open a command shell from the project directory and run the Python TCP secure server ({project directory}\python-secure-tcp-server) by typing in the following command:
```
python tcp_secure_server.py
```
On Linux and macOS, check for the IPv4 address of an Ethernet connection in the network settings under System settings. For example, if the IPv4 address of the Linux or macOS is found to be 192.168.1.2, then replace the following line of code in the tcp_secure_server.py python script with the IPv4 address as shown before running the script.

Replace
```
host = ''       # Symbolic name meaning the local host 
```
with
```
host = '192.168.1.2'       # Symbolic name meaning the local host 
```
Note: Ensure that the firewall settings of your computer allow access to the Python software so as to allow communication with the TCP client. See this community thread.
Change the TCP_SERVER_IP_ADDRESS and TCP_SERVER_PORT macros defined in the secure_tcp_client.h file to match with the computer's(server) IP address and port number. For example, if your computer's IP address is 192.168.1.2 and port number is 50007, update the macros as follows:
```
#define TCP_SERVER_IP_ADDRESS    MAKE_IPV4_ADDRESS(192, 168, 1, 2)
#define TCP_SERVER_PORT          (50007u)
```
Program the board using one of the following:
Using Eclipse IDE
1. Select the application project in the Project Explorer.
2. In the Quick Panel, scroll down, and click <Application Name> Program (KitProg3_MiniProg4).
In other IDEs

Follow the instructions in your preferred IDE.
Using CLI

From the terminal, execute the make program command to build and program the application using the default toolchain to the default target. The default toolchain is specified in the application's Makefile but you can override this value manually:
```
make program TOOLCHAIN=<toolchain>
```
Example:
```
make program TOOLCHAIN=GCC_ARM
```
Determine the PC's (server) IP address.

To determine the IP address, enter the following command in the command shell based on your operating system:

Windows: ipconfig

Linux: curl ifconfig.me

macOS: ifconfig |grep inet
In the terminal program, enter the server IP address determined in Step 7.

Figure 1. Secure TCP client before Ethernet connection

Figure 2. Secure TCP client after Ethernet connection
From the Python secure TCP server, send the command to turn the LED ON/OFF to the TCP client ('0' to turn the LED OFF and '1' to turn the LED ON). Observe the user LED (CYBSP_USER_LED) turning ON/OFF on the board.

Figure 3. Secure TCP client output

Figure 4. Secure TCP server output

Note:
- The code example has been tested in a local LAN setup and in a simple private network, such as a home network with VPN disabled. To test it in a complex network, such as an enterprise network, contact your IT department.
- Ensure that the port used for communication on your PC is an active port. If not, open the firewall port. To display all the blocked and active ports configured in the firewall on the PC, open the command prompt (cmd for Windows) and enter the following command:
```
netsh firewall show state
```

Debugging

You can debug the example to step through the code.

In Eclipse IDE

Use the <Application Name> Debug (KitProg3_MiniProg4) configuration in the Quick Panel. For details, see the "Program and debug" section in the Eclipse IDE for ModusToolbox™ user guide.

In other IDEs

Follow the instructions in your preferred IDE.

Design and implementation

This example executes an RTOS task: TCP client task.

The XMC7000 MCU is configured as a TCP client, which establishes a secure connection with a TCP server through an SSL handshake. During the SSL handshake, the client presents its SSL certificate for verification and verifies the server's identity. The client's SSL certificate used in this example is a self-signed SSL certificate. Once the SSL handshake completes successfully, the TCP client controls the user LED ON/OFF based on the command received from the TCP server. See Creating a self-signed certificate for more details.

Resources and settings

Table 1. Application resources

Resource	Alias/object	Purpose
GPIO (HAL)	CYBSP_USER_LED	User LED

Creating a self-signed SSL certificate

The TCP client demonstrated in this example uses a self-signed SSL certificate. This requires OpenSSL, which is already preloaded in ModusToolbox™. Self-signed SSL certificate means that there is no third-party certificate issuing authority, commonly referred to as CA, involved in the authentication of the client.

Note: Servers connecting to this client must have an exact copy of the SSL certificate to verify the client's identity.

Generate SSL certificate and private key

Follow these steps to generate a self-signed SSL certificate:

Run the following command with a CLI (on Windows, use the command-line modus-shell program provided in ModusToolbox™ instead of a standard Windows command-line application) to generate the CA certificate using the following commands.
Follow the instructions in the command window to provide the details required.
```
openssl ecparam -name prime256v1 -genkey -noout -out root_ca.key
openssl req -new -x509 -sha256 -key root_ca.key -out root_ca.crt -days 1000
```

Generate the client key pair and client certificate (signed using the CA certificate from Step 1).
Follow the instructions in the command window to provide the details required.

openssl ecparam -name prime256v1 -genkey -noout -out client.key
openssl req -new -sha256 -key client.key -out client.csr
openssl x509 -req -in client.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out client.crt -days 1000 -sha256

Follow the instructions in the command window to provide the details required for creating the SSL certificate and private key.

Note: The client.crt file is your client's certificate and client.key is your client's private key.

Related resources

Resources	Links
Application notes	AN234334 – Getting started with XMC7000 MCU on ModusToolbox™ software
Code examples	Using ModusToolbox™ on GitHub
Device documentation	XMC7000 MCU documents
Development kits	Select your kits from the Evaluation board finder.
Libraries on GitHub	mtb-pdl-cat1 – Peripheral Driver Library (PDL) mtb-hal-cat1 – Hardware Abstraction Layer (HAL) library
Middleware on GitHub	mcu-middleware – Links to all MCU middleware
Tools	ModusToolbox™ – ModusToolbox™ software is a collection of easy-to-use libraries and tools enabling rapid development with Infineon MCUs for applications ranging from wireless and cloud-connected systems, edge AI/ML, embedded sense and control, to wired USB connectivity using PSOC™ Industrial/IoT MCUs, AIROC™ Wi-Fi and Bluetooth® connectivity devices, XMC™ Industrial MCUs, and EZ-USB™/EZ-PD™ wired connectivity controllers. ModusToolbox™ incorporates a comprehensive set of BSPs, HAL, libraries, configuration tools, and provides support for industry-standard IDEs to fast-track your embedded application development.

Other resources

Infineon provides a wealth of data at www.infineon.com to help you select the right device, and quickly and effectively integrate it into your design.

For XMC™ MCU devices, see 32-bit XMC™ industrial microcontroller based on Arm® Cortex®-M.

Document history

Document title: CE235601 - Ethernet: Secure TCP client

Version	Description of change
1.0.0	New code example
2.0.0	Updated to support ModusToolbox™ v3.2 Updated to support Ethernet Connection Manager (ECM) v2.0 Added support for KIT_XMC71_EVK_LITE_V1
2.1.0	Enabled D-cache support for XMC7000 devices

All referenced product or service names and trademarks are the property of their respective owners.

The Bluetooth® word mark and logos are registered trademarks owned by Bluetooth SIG, Inc., and any use of such marks by Infineon is under license.

© Cypress Semiconductor Corporation, 2022-2024. This document is the property of Cypress Semiconductor Corporation, an Infineon Technologies company, and its affiliates ("Cypress"). This document, including any software or firmware included or referenced in this document ("Software"), is owned by Cypress under the intellectual property laws and treaties of the United States and other countries worldwide. Cypress reserves all rights under such laws and treaties and does not, except as specifically stated in this paragraph, grant any license under its patents, copyrights, trademarks, or other intellectual property rights. If the Software is not accompanied by a license agreement and you do not otherwise have a written agreement with Cypress governing the use of the Software, then Cypress hereby grants you a personal, non-exclusive, nontransferable license (without the right to sublicense) (1) under its copyright rights in the Software (a) for Software provided in source code form, to modify and reproduce the Software solely for use with Cypress hardware products, only internally within your organization, and (b) to distribute the Software in binary code form externally to end users (either directly or indirectly through resellers and distributors), solely for use on Cypress hardware product units, and (2) under those claims of Cypress's patents that are infringed by the Software (as provided by Cypress, unmodified) to make, use, distribute, and import the Software solely for use with Cypress hardware products. Any other use, reproduction, modification, translation, or compilation of the Software is prohibited.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS DOCUMENT OR ANY SOFTWARE OR ACCOMPANYING HARDWARE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. No computing device can be absolutely secure. Therefore, despite security measures implemented in Cypress hardware or software products, Cypress shall have no liability arising out of any security breach, such as unauthorized access to or use of a Cypress product. CYPRESS DOES NOT REPRESENT, WARRANT, OR GUARANTEE THAT CYPRESS PRODUCTS, OR SYSTEMS CREATED USING CYPRESS PRODUCTS, WILL BE FREE FROM CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, DATA LOSS OR THEFT, OR OTHER SECURITY INTRUSION (collectively, "Security Breach"). Cypress disclaims any liability relating to any Security Breach, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any Security Breach. In addition, the products described in these materials may contain design defects or errors known as errata which may cause the product to deviate from published specifications. To the extent permitted by applicable law, Cypress reserves the right to make changes to this document without further notice. Cypress does not assume any liability arising out of the application or use of any product or circuit described in this document. Any information provided in this document, including any sample design information or programming code, is provided only for reference purposes. It is the responsibility of the user of this document to properly design, program, and test the functionality and safety of any application made of this information and any resulting product. "High-Risk Device" means any device or system whose failure could cause personal injury, death, or property damage. Examples of High-Risk Devices are weapons, nuclear installations, surgical implants, and other medical devices. "Critical Component" means any component of a High-Risk Device whose failure to perform can be reasonably expected to cause, directly or indirectly, the failure of the High-Risk Device, or to affect its safety or effectiveness. Cypress is not liable, in whole or in part, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any use of a Cypress product as a Critical Component in a High-Risk Device. You shall indemnify and hold Cypress, including its affiliates, and its directors, officers, employees, agents, distributors, and assigns harmless from and against all claims, costs, damages, and expenses, arising out of any claim, including claims for product liability, personal injury or death, or property damage arising from any use of a Cypress product as a Critical Component in a High-Risk Device. Cypress products are not intended or authorized for use as a Critical Component in any High-Risk Device except to the limited extent that (i) Cypress's published data sheet for the product explicitly states Cypress has qualified the product for use in a specific High-Risk Device, or (ii) Cypress has given you advance written authorization to use the product as a Critical Component in the specific High-Risk Device and you have signed a separate indemnification agreement.
Cypress, the Cypress logo, and combinations thereof, ModusToolbox, PSoC, CAPSENSE, EZ-USB, F-RAM, and TRAVEO are trademarks or registered trademarks of Cypress or a subsidiary of Cypress in the United States or in other countries. For a more complete list of Cypress trademarks, visit www.infineon.com. Other names and brands may be claimed as property of their respective owners.

License

Infineon/mtb-example-ethernet-secure-tcp-client

About

Resources

License

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages