pkg/mbedtls: add TLS support for LWIP

[mariemC]

Contribution description

• The client node connects to openssl server and sends an encrypted message after a handshake and key exchange.
• mbedtls package is added.
• lwip package is also modified.

Testing procedure

• Board used for the test: same5-xpro.
• A wifi shield is used to connect the board to wifi.

Issues/PRs references

-Depends on PR #15671

[benpicco]

Please rebase.
While you are at it, please also prefix the commit messages with the relevant subsystem, so pkg/mbedtls: and pkg/lwip:

[PeterKietzmann]

It should not be necessary to copy the mbedtls header files into pkg/mbedtls/include/

[benpicco]

Nice, tested this on native and looks like it works!
There are some whitespace and code style issues, but first round of review:

[benpicco]

Shouldn't this be

Suggested change

	+ !defined(__HAIKU__) && !defined(__midipix__) && defined(_RIOT_)
	+ !defined(__HAIKU__) && !defined(__midipix__) && !defined(RIOT_VERSION)

[benpicco]

No need to force the use of this driver, sam0_eth, netdev_tap or esp_wifi would work as well - just use netdev_default

[benpicco]

Let's set this using a shell command. Then we also don't need a separate thread - just bump THREAD_STACKSIZE_MAIN if necessary.

static int cmd_tls_connect(int argc, char **argv)
{
    if (argc < 3) {
        printf("usage: %s <host> <port> [data]\n", argv[0]);
        return -1;
    }

    return _lwip_mbedtls_client(argv[1], argv[2]);
}

static const shell_command_t shell_commands[] = {
    { "connect", "Perform a TLS connection", cmd_tls_connect },
    { NULL, NULL, NULL }
};

[benpicco]

Then you can also drop the delay

[benpicco]

No need to loop here - just return

[benpicco]

example.com is usually used for this 😉

[benpicco]

do those have to be global?

[mariemC]

No, they don't

[benpicco]

We could also use data the user supplied as a shell command argument here

[yarrick]

Please fix the trailing whitespaces and the horizontal tabs mentioned by the automatic checks.

[yarrick]

Maybe this and the other one can be a symlink instead? It seems they are already used in the tree.

[yarrick]

Please edit the patch to explain why this is done.

[PeterKietzmann]

Please expose (only necessary) symbols via Kconfig, as requested by @miri64 and @aabadie in a conversation starting somewhere here

[yarrick]

This seems strange - it (LWIP_RAND) is set to the same value in lwipopts? Why is this needed?

[mariemC]

I added (LWIP_RAND) in lwipopts in order to be recognized in build/pkg/lwip/src/core/dns.c:103
But it is already defined in pkg/lwip/include/arch/sys_arch.h:133
=> This will create a redefiniton, therefore I added #if MBEDTLS_ENABLED == 0

[yarrick]

But you define it to the same thing there: random_uint32(). Why not just keep this and remove your extra definition? Make sure the random module is enabled and things should be fine.

[PeterKietzmann]

The CONFIG_* symbols are expected to be generated by Kconfig, but they are not yet included to the Kconfig configuration system. The here and here for reference.

[PeterKietzmann]

1. Do you actually need all symbols? Please only add those that are required.
2. It seem to me that these configs should go into this file which is the Kconfig based point to generate the traditional mbedtls configuration header file.

[mariemC]

1. Yes, all of them are needed, mainly each module requires a few other modules to work correctly therefore it seems quite a lot.
2. Do you mean all of them should be added in pkg/mbedtls/Kconfig?

[PeterKietzmann]

Sorry for responding so late, haven't seen this question. Yes, all of the configuration values that are needed. Please check the existing file Kconfig file (+ existing header file) that I pointed to earlier.

[PeterKietzmann]

@mariemC thanks for cleaning up the configuration files. The implementation and its representation in menuconfig look good at first sight. I do, unfortunately, not have time for a full review + testing. Anyway, some thoughts on the rest of the PR:

• Extend the test README so one knows what to execute (shell commands?), what to expect, and maybe give some context which certificates are included in the folder and how they are incorporated.
• The name of the test folder is suboptimal. Usually, we prefix folders that relate to a package with pkg_. Now pkg_mbedtls exists already. Maybe something like pkg_mbedtls_lwip? In general I was wondering if we should execute some more of the built in mbedtls tests in RIOT. Possible to extract some of the tests that you include there?
• Most of the Kconfig symbols that you include are enabled by default. I think they shouldn't, but the particular test case should enable the relevant ones.