diff --git a/pkg/lwip/Makefile.include b/pkg/lwip/Makefile.include index dc162f1c2e38..2df269bf39fc 100644 --- a/pkg/lwip/Makefile.include +++ b/pkg/lwip/Makefile.include @@ -1,5 +1,6 @@ INCLUDES += -I$(RIOTBASE)/pkg/lwip/include \ - -I$(PKGDIRBASE)/lwip/src/include + -I$(PKGDIRBASE)/lwip/src/include \ + -I$(PKGDIRBASE)/lwip/src/include/compat/posix PSEUDOMODULES += lwip_arp PSEUDOMODULES += lwip_autoip diff --git a/pkg/lwip/include/arch/cc.h b/pkg/lwip/include/arch/cc.h index fc9eb7857d0b..c34e43f2f26e 100644 --- a/pkg/lwip/include/arch/cc.h +++ b/pkg/lwip/include/arch/cc.h @@ -28,6 +28,8 @@ #include "byteorder.h" #include "mutex.h" +#include "sys/time.h" + #ifdef MODULE_LOG #include "log.h" #endif diff --git a/pkg/lwip/include/lwipopts.h b/pkg/lwip/include/lwipopts.h index c363b63a2373..e6efa509187e 100644 --- a/pkg/lwip/include/lwipopts.h +++ b/pkg/lwip/include/lwipopts.h @@ -144,8 +144,13 @@ extern "C" { #endif /* MODULE_LWIP_SOCK */ #ifdef MODULE_SHELL_COMMANDS +#if LWIP_DEBUG_ENABLED == 1 +#define LWIP_DEBUG 0 +#define SOCKETS_DEBUG LWIP_DBG_ON +#else #define LWIP_DEBUG 1 #endif +#endif #ifndef TCP_LISTEN_BACKLOG # if defined(MODULE_LWIP_SOCK_TCP) @@ -155,7 +160,7 @@ extern "C" { # endif #endif /* TCP_LISTEN_BACKLOG */ -#define LWIP_SOCKET 0 +#define LWIP_SOCKET 1 #define LWIP_DONT_PROVIDE_BYTEORDER_FUNCTIONS #define MEMP_MEM_MALLOC 1 @@ -171,6 +176,13 @@ extern "C" { #define MEM_SIZE (TCPIP_THREAD_STACKSIZE + 6144) #endif +#if MBEDTLS_ENABLED == 1 +#define LWIP_DNS 1 +#define LWIP_TIMEVAL_PRIVATE 0 +#define LWIP_POSIX_SOCKETS_IO_NAMES 1 +#define SO_REUSE 1 +#endif + #ifdef DEVELHELP void sys_mark_tcpip_thread(void); #define LWIP_MARK_TCPIP_THREAD sys_mark_tcpip_thread diff --git a/pkg/lwip/include/netdb.h b/pkg/lwip/include/netdb.h new file mode 100644 index 000000000000..24d5f2453b4f --- /dev/null +++ b/pkg/lwip/include/netdb.h 
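Review bot: The added `-I$(PKGDIRBASE)/lwip/src/include/compat/posix` in pkg/lwip/Makefile.include applies to every build that uses the lwIP package, not only to the mbedTLS test, so lwIP's POSIX-named compatibility headers become visible to all of them. On `native` in particular these names may collide with, or shadow, the host C library's headers depending on include order; that is worth confirming with a build of an existing lwIP application. If only the mbedTLS integration needs the path, guard it with the same condition that enables that integration and add a comment such as `# POSIX-named wrappers needed by mbedtls net_sockets.c`.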
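Review bot: In the `MODULE_SHELL_COMMANDS` block of pkg/lwip/include/lwipopts.h (hunk `@@ -144,8 +144,13 @@`) the new switch reads inverted: `LWIP_DEBUG_ENABLED == 1` selects `#define LWIP_DEBUG 0`, while every other value, including the macro being undefined (which `#if` silently evaluates as 0), selects `#define LWIP_DEBUG 1`. If lwIP only tests whether `LWIP_DEBUG` is defined, as its debug header appears to, both branches leave debug output compiled in and only `SOCKETS_DEBUG` differs, so the flag does not switch anything off. I would state the intent in a comment and test the flag explicitly, e.g. `#if defined(LWIP_DEBUG_ENABLED) && (LWIP_DEBUG_ENABLED == 1)`, defining `LWIP_DEBUG` only in the branch that is meant to log.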
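Review bot: `#define LWIP_SOCKET 1` in lwipopts.h hunk `@@ -155,7 +160,7 @@` is unconditional, so every lwIP build now compiles in the BSD-style socket layer, while the related options in the following hunk (`LWIP_DNS`, `LWIP_POSIX_SOCKETS_IO_NAMES`, `SO_REUSE`) are gated on `MBEDTLS_ENABLED`. Moving `#define LWIP_SOCKET 1` into that `#if MBEDTLS_ENABLED == 1` block and keeping `#define LWIP_SOCKET 0` otherwise would leave code size and exposed API unchanged for applications that do not use mbedTLS. `MBEDTLS_ENABLED` is only ever set through `CFLAGS` in tests/mbedtls_test/Makefile; deriving it from the package selection in the build system would avoid a silent mismatch when another application pulls in both packages. `SO_REUSE 1` also deserves a one-line comment saying which caller needs address reuse.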
@@ -0,0 +1,14 @@
+#ifndef NETDB_H
+#define NETDB_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "lwip/netdb.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETDB_H */
diff --git a/pkg/lwip/include/netinet/in.h b/pkg/lwip/include/netinet/in.h
new file mode 100644
index 000000000000..3ef3ec133608
--- /dev/null
+++ b/pkg/lwip/include/netinet/in.h
@@ -0,0 +1,14 @@
+#ifndef NETINET_IN_H
+#define NETINET_IN_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "lwip/inet.h"
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NETINET_IN_H */
diff --git a/pkg/lwip/patches/0001-lwip-patch.patch b/pkg/lwip/patches/0001-lwip-patch.patch
new file mode 100644
index 000000000000..fc8076196162
--- /dev/null
+++ b/pkg/lwip/patches/0001-lwip-patch.patch
@@ -0,0 +1,39 @@
+From 517bc69a216e48ab82542e1d5ec6f3846af80e84 Mon Sep 17 00:00:00 2001
+From: "mariem.charrada"
+Date: Tue, 25 Jan 2022 07:33:46 +0100
+Subject: [PATCH] lwip-patch
+
+---
+ src/core/dns.c | 1 +
+ src/include/lwip/sockets.h | 2 ++
+ 2 files changed, 3 insertions(+)
+
+diff --git a/src/core/dns.c b/src/core/dns.c
+index 9d2f61ed..e8d9950e 100644
+--- a/src/core/dns.c
++++ b/src/core/dns.c
+@@ -94,6 +94,7 @@
+ #include "lwip/memp.h"
+ #include "lwip/dns.h"
+ #include "lwip/prot/dns.h"
++#include "lwip/sys.h"
+
+ #include
+
+diff --git a/src/include/lwip/sockets.h b/src/include/lwip/sockets.h
+index d70d36c4..f62b7dd7 100644
+--- a/src/include/lwip/sockets.h
++++ b/src/include/lwip/sockets.h
+@@ -671,7 +671,9 @@ int lwip_inet_pton(int af, const char *src, void *dst);
+ /** @ingroup socket */
+ #define close(s) lwip_close(s)
+ /** @ingroup socket */
++#if MBEDTLS_ENABLED == 0
+ #define fcntl(s,cmd,val) lwip_fcntl(s,cmd,val)
++#endif
+ /** @ingroup socket */
+ #define ioctl(s,cmd,argp) lwip_ioctl(s,cmd,argp)
+ #endif /* LWIP_POSIX_SOCKETS_IO_NAMES */
+--
+2.25.1
+
diff --git a/pkg/mbedtls/Kconfig b/pkg/mbedtls/Kconfig
index 162c3a2c6e05..5c60c9388055 100644
--- a/pkg/mbedtls/Kconfig
+++ b/pkg/mbedtls/Kconfig
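Review bot: The sockets.h part of 0001-lwip-patch.patch removes the `fcntl` mapping whenever `MBEDTLS_ENABLED` is non-zero, so a call to `fcntl()` on an lwIP socket descriptor in such a build no longer reaches `lwip_fcntl()` and resolves to whatever the C library provides. On `native` that would presumably act on an unrelated host file descriptor, and non-blocking mode would never be applied to the lwIP socket; please confirm which callers are affected. If the motivation is a caller that passes two arguments to the three-parameter macro, the patch should say so in its commit message (currently just `lwip-patch`), and a small wrapper that forwards to `lwip_fcntl()` would keep the mapping intact. The dns.c include of `lwip/sys.h` looks unrelated and would be easier to upstream as its own patch.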
@@ -61,6 +61,286 @@ config MBEDTLS_THREADING_ALT help This to allows your own alternate threading implementation. +config MBEDTLS_SSL_TLS_C + bool "Enable the generic SSL/TLS code." + default y + help + This module is required for SSL/TLS + +config MBEDTLS_CIPHER_C + bool "Enable the generic cipher layer" + default y + help + Allow generic cipher layer + +config MBEDTLS_SSL_SERVER_NAME_INDICATION + bool "Enable server name indication" + default y + help + Enable support for RFC 6066 server name indication (SNI) in SSL + +config MBEDTLS_MD_C + bool "Enable the generic message digets layer" + default y + help + This module enables the generic message digets layer + +config MBEDTLS_SSL_PROTO_TLS1_2 + bool "Specify TLS V1.2" + default y + help + Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled) + +config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + bool "Enable ECDHE ECDSA key exchange" + default y + help + This module Tenables the following ciphersuites (if other requisites are + enabled as well): + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA + MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA + +config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED + bool "Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS" + default y + help + This enables the following ciphersuites (if other requisites are + enabled as well): + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + 
MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA + MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA + +config MBEDTLS_RSA_C + bool "Enable the RSA public-key cryptosystem" + default y + help + This module is used by the following key exchanges: + RSA, DHE-RSA, ECDHE-RSA, RSA-PSK + +config MBEDTLS_X509_CRT_PARSE_C + bool "Enable X.509 certificate parsing" + default y + help + This module is required for X.509 certificate parsing + +config MBEDTLS_X509_USE_C + bool "Enable X.509 core for certificates usage" + default y + help + This module is required for the X.509 parsing modules + +config MBEDTLS_PEM_PARSE_C + bool "Enable PEM decoding/parsing" + default y + help + This modules adds support for decoding / parsing PEM files + +config MBEDTLS_BASE64_C + bool "Enable base64 decoding" + default y + help + This module is required for PEM support (required by X.509) + +config MBEDTLS_PKCS1_V15 + bool "Enable support for PKCS1 v1.5 encoding" + default y + help + This enables support for PKCS#1 v1.5 operations + +config MBEDTLS_BIGNUM_C + bool "Enable the multi-precision integer" + default y + help + This module is required for RSA, DHM and ECC (ECDH, ECDSA) support + +config MBEDTLS_OID_C + bool "Enable the OID database" + default y + help + This module translates between OIDs and internal values + +config MBEDTLS_ASN1_PARSE_C + bool "Enable the generic ASN1 parser" + default y + help + This module enables the generic ASN1 parser + +config MBEDTLS_PK_PARSE_C + bool "Enable the generic public key parser" + default y + help + Enables the generic public key parse functions + +config MBEDTLS_PK_C + bool "Enable the generic public key layer" + 
default y + help + Enables generic public key wrappers + +config MBEDTLS_SSL_CLI_C + bool "Enable the SSL/TLS client" + default y + help + This module is required for SSL/TLS client support + +config MBEDTLS_AES_C + bool "Enable the AES block cipher" + default y + help + This module enables the following ciphersuites (if other requisites are + enabled as well): + MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA + 
MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 + MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA + MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 + MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 + MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA + MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 + MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 + MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA + PEM_PARSE uses AES for decrypting encrypted keys + +config MBEDTLS_NET_C + bool "Enable networking layer" + default y + help + This module only works on POSIX/Unix (including Linux, BSD and OS X) + and Windows. For other platforms, you will want to disable it, and write your + own networking callbacks to be passed to \c mbedtls_ssl_set_bio(). 
+ +config MBEDTLS_CTR_DRBG_C + bool "Enable the CTR_DRBG AES-based random generator" + default y + help + This module provides the CTR_DRBG AES random number generator + +config MBEDTLS_ECDH_C + bool "Enable the elliptic curve Diffie-Hellman library" + default y + help + This module is used by the following key exchanges: + ECDHE-ECDSA, ECDHE-RSA, DHE-PSK + +config MBEDTLS_ECDSA_C + bool "Enable the elliptic curve DSA library" + default y + help + This module is used by the following key exchanges: + ECDHE-ECDSA + +config MBEDTLS_ECP_C + bool "Enable the elliptic curve over GF(p) library" + default y + help + This module requires: + MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED + +config MBEDTLS_ECP_DP_SECP521R1_ENABLED + bool "Enable specific curves within the Elliptic Curve" + default y + help + By default all supported curves are enabled + +config MBEDTLS_ASN1_WRITE_C + bool "Enable the generic ASN1 writer" + default y + help + Enable the generic ASN1 writer + +config MBEDTLS_DHM_C + bool "Enable the Diffie-Hellman-Merkle module" + default y + help + This module is used by the following key exchanges: + DHE-RSA, DHE-PSK + +config MBEDTLS_GCM_C + bool "Enable the Galois/Counter Mode (GCM)" + default y + help + This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other + requisites are enabled as well + +config MBEDTLS_PLATFORM_C + bool "Enable the platform abstraction layer" + default y + help + This module enables abstraction of common (libc) functions + +config MBEDTLS_DEBUG_C + bool "Enable debug messages" + default y + help + This module provides debugging functions + rsource "contrib/entropy/Kconfig" endif # KCONFIG_USEPKG_MBEDTLS diff --git a/pkg/mbedtls/include/riot_mbedtls_config.h b/pkg/mbedtls/include/riot_mbedtls_config.h index 68879b3e9cc2..8ae34f5216bb 100644 --- a/pkg/mbedtls/include/riot_mbedtls_config.h +++ b/pkg/mbedtls/include/riot_mbedtls_config.h 
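Review bot: `MBEDTLS_DEBUG_C` is added with `default y` (and the matching fallback in riot_mbedtls_config.h is 1), which compiles the TLS debug functions into every build that selects the package; debug output of a TLS stack can expose handshake details on the console, so I would make it `default n` and let the test application enable it. None of the new symbols declares a `depends on` or `select`, although the help texts and riot_mbedtls_config.h list hard requirements (for example `MBEDTLS_ECDSA_C` needs `MBEDTLS_ECP_C`, `MBEDTLS_ASN1_WRITE_C` and `MBEDTLS_ASN1_PARSE_C`), so an inconsistent menuconfig choice is only caught later by `mbedtls/check_config.h`. The help text of the two ECDHE key-exchange symbols still lists 3DES and RC4 suites; a note that those are legacy and depend on separately enabled ciphers would avoid presenting them as recommended. Typos to fix: "digets" (twice) in `MBEDTLS_MD_C`, "Tenables" in `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED`, and the prompt of `MBEDTLS_ECP_DP_SECP521R1_ENABLED` should name the single curve it controls.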
@@ -147,6 +147,256 @@ extern "C" { #define CONFIG_MBEDTLS_THREADING_ALT 1 #endif +/** + * + * @brief Enable the generic SSL/TLS code. + */ +#ifndef CONFIG_MBEDTLS_SSL_TLS_C +#define CONFIG_MBEDTLS_SSL_TLS_C 1 +#endif + +/** + * + * @brief Enable the generic cipher layer. + */ +#ifndef CONFIG_MBEDTLS_CIPHER_C +#define CONFIG_MBEDTLS_CIPHER_C 1 +#endif + +/** + * + * @brief Enable support for RFC 6066 server name indication (SNI) in SSL. + */ +#ifndef CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION +#define CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION 1 +#endif + +/** + * + * @brief Enable the generic message digest layer. + */ +#ifndef CONFIG_MBEDTLS_MD_C +#define CONFIG_MBEDTLS_MD_C 1 +#endif + +/** + * + * @brief Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). + */ +#ifndef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 +#define CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 1 +#endif + +/** + * + * @brief Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. + */ +#ifndef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 1 +#endif + +/** + * + * @brief Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. + */ +#ifndef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define CONFIGMBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1 +#endif + +/** + * + * @brief Enable the RSA public-key cryptosystem. + */ +#ifndef CONFIG_MBEDTLS_RSA_C +#define CONFIG_MBEDTLS_RSA_C 1 +#endif + +/** + * + * @brief Enable X.509 certificate parsing. + */ +#ifndef CONFIG_MBEDTLS_X509_CRT_PARSE_C +#define CONFIG_MBEDTLS_X509_CRT_PARSE_C 1 +#endif + +/** + * + * @brief Enable X.509 core for using certificates. + */ +#ifndef CONFIG_MBEDTLS_X509_USE_C +#define CONFIG_MBEDTLS_X509_USE_C 1 +#endif + +/** + * + * @brief Enable PEM decoding / parsing. + */ +#ifndef CONFIG_MBEDTLS_PEM_PARSE_C +#define CONFIG_MBEDTLS_PEM_PARSE_C 1 +#endif + +/** + * + * @brief Enable the Base64 module. 
+ */ +#ifndef CONFIG_MBEDTLS_BASE64_C +#define CONFIG_MBEDTLS_BASE64_C 1 +#endif + +/** + * + * @brief Enable support for PKCS#1 v1.5 encoding. + */ +#ifndef CONFIG_MBEDTLS_PKCS1_V15 +#define CONFIG_MBEDTLS_PKCS1_V15 1 +#endif + +/** + * + * @brief Enable the multi-precision integer library. + */ +#ifndef CONFIG_MBEDTLS_BIGNUM_C +#define CONFIG_MBEDTLS_BIGNUM_C 1 +#endif + +/** + * + * @brief Enable the OID database. + */ +#ifndef CONFIG_MBEDTLS_OID_C +#define CONFIG_MBEDTLS_OID_C 1 +#endif + +/** + * + * @brief Enable the generic ASN1 parser. + */ +#ifndef CONFIG_MBEDTLS_ASN1_PARSE_C +#define CONFIG_MBEDTLS_ASN1_PARSE_C 1 +#endif + +/** + * + * @brief Enable the generic public (asymmetric) key parser. + */ +#ifndef CONFIG_MBEDTLS_PK_PARSE_C +#define CONFIG_MBEDTLS_PK_PARSE_C 1 +#endif + +/** + * + * @brief Enable the generic public (asymmetric) key layer. + */ +#ifndef CONFIG_MBEDTLS_PK_C +#define CONFIG_MBEDTLS_PK_C 1 +#endif + +/** + * + * @brief Enable the SSL/TLS client code. + */ +#ifndef CONFIG_MBEDTLS_SSL_CLI_C +#define CONFIG_MBEDTLS_SSL_CLI_C 1 +#endif + +/** + * + * @brief Enable the AES block cipher. + */ +#ifndef CONFIG_MBEDTLS_AES_C +#define CONFIG_MBEDTLS_AES_C 1 +#endif + +/** + * + * @brief Enable the TCP and UDP over IPv6/IPv4 networking routines. + */ +#ifndef CONFIG_MBEDTLS_NET_C +#define CONFIG_MBEDTLS_NET_C 1 +#endif + +/** + * + * @brief Enable the CTR_DRBG AES-based random generator. + */ +#ifndef CONFIG_MBEDTLS_CTR_DRBG_C +#define CONFIG_MBEDTLS_CTR_DRBG_C 1 +#endif + +/** + * + * @brief Enable the elliptic curve Diffie-Hellman library. + */ +#ifndef CONFIG_MBEDTLS_ECDH_C +#define CONFIG_MBEDTLS_ECDH_C 1 +#endif + +/** + * + * @brief Enable the elliptic curve DSA library. + */ +#ifndef CONFIG_MBEDTLS_ECDSA_C +#define CONFIG_MBEDTLS_ECDSA_C 1 +#endif + +/** + * + * @brief Enable the elliptic curve over GF(p) library. 
+ */ +#ifndef CONFIG_MBEDTLS_ECP_C +#define CONFIG_MBEDTLS_ECP_C 1 +#endif + +/** + * + * @brief EMBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve + * module. + */ +#ifndef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED 1 +#endif + +/** + * + * @brief Enable the generic ASN1 writer. + */ +#ifndef CONFIG_MBEDTLS_ASN1_WRITE_C +#define CONFIG_MBEDTLS_ASN1_WRITE_C 1 +#endif + +/** + * + * @brief Enable the Diffie-Hellman-Merkle module. + */ +#ifndef CONFIG_MBEDTLS_DHM_C +#define CONFIG_MBEDTLS_DHM_C 1 +#endif + +/** + * + * @brief Enable the Galois/Counter Mode (GCM). + */ +#ifndef CONFIG_MBEDTLS_GCM_C +#define CONFIG_MBEDTLS_GCM_C 1 +#endif + +/** + * + * @brief Enable the platform abstraction layer + */ +#ifndef CONFIG_MBEDTLS_PLATFORM_C +#define CONFIG_MBEDTLS_PLATFORM_C 1 +#endif + +/** + * + * @brief Enable the debug functions. + */ +#ifndef CONFIG_MBEDTLS_DEBUG_C +#define CONFIG_MBEDTLS_DEBUG_C 1 +#endif + + #endif /* !CONFIG_KCONFIG_USEPKG_MBEDTLS || DOXYGEN */ #if !IS_ACTIVE(CONFIG_KCONFIG_USEMODULE_MBEDTLS_ENTROPY) || defined(DOXYGEN) 
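Review bot: The fallback for ECDHE-RSA has a typo: the guard tests `CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` but the line below it defines `CONFIGMBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` (missing underscore). Without Kconfig the intended symbol therefore stays undefined, the later `#if CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED` evaluates to 0, and the ECDHE-RSA key exchange is silently left out even though every other default in this block is 1. The line should read `#define CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1`. The `@brief` for `CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED` also starts with "EMBEDTLS_ECP_XXXX_ENABLED", which looks like a stray leading character.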
@@ -227,8 +477,481 @@ extern "C" { #if CONFIG_MBEDTLS_SHA256_C #define MBEDTLS_SHA256_C 1 #endif + +/** + * + * @brief Enable the generic SSL/TLS code. + * + * Module: library/ssl_tls.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * + * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C + * and at least one of the MBEDTLS_SSL_PROTO_XXX defines + * + * This module is required for SSL/TLS. + */ +#if CONFIG_MBEDTLS_SSL_TLS_C +#define MBEDTLS_SSL_TLS_C 1 +#endif + +/** + * + * @brief Enable the generic cipher layer. + * + * Module: library/cipher.c + * Caller: library/ssl_tls.c + * + * Uncomment to enable generic cipher wrappers. + */ +#if CONFIG_MBEDTLS_CIPHER_C +#define MBEDTLS_CIPHER_C 1 +#endif + +/** + * + * @brief Enable support for RFC 6066 server name indication (SNI) in SSL. + * + * Requires: MBEDTLS_X509_CRT_PARSE_C + * + * Comment this macro to disable support for server name indication in SSL + */ +#if CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION +#define MBEDTLS_SSL_SERVER_NAME_INDICATION 1 +#endif + +/** + * + * @brief Enable the generic message digest layer. + * + * Requires: MBEDTLS_X509_CRT_PARSE_C + * + * Comment this macro to disable support for server name indication in SSL + */ +#if CONFIG_MBEDTLS_MD_C +#define MBEDTLS_MD_C 1 +#endif + +/** + * + * @brief Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled). + * + * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C + * (Depends on ciphersuites) + * + * Comment this macro to disable support for TLS 1.2 / DTLS 1.2 + */ +#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_TLS1_2 1 +#endif + +/** + * + * @brief Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS. + * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C + */ +#if CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED 1 +#endif + +/** + * + * @brief Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS. 
+ * + * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15, + * MBEDTLS_X509_CRT_PARSE_C + */ +#if CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED 1 +#endif + +/** + * + * @brief Enable the RSA public-key cryptosystem. + * + * Module: library/rsa.c + * library/rsa_internal.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * library/x509.c + * + * This module is used by the following key exchanges: + * RSA, DHE-RSA, ECDHE-RSA, RSA-PSK + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C + */ +#if CONFIG_MBEDTLS_RSA_C +#define MBEDTLS_RSA_C 1 +#endif + +/** + * + * @brief Enable X.509 certificate parsing. + * + * Module: library/x509_crt.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * Requires: MBEDTLS_X509_USE_C + * + * This module is required for X.509 certificate parsing. + */ +#if CONFIG_MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CRT_PARSE_C 1 +#endif + +/** + * + * @brief Enable X.509 core for using certificates. + * + * Module: library/x509.c + * Caller: library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * + * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, + * MBEDTLS_PK_PARSE_C + * + * This module is required for the X.509 parsing modules. + */ +#if CONFIG_MBEDTLS_X509_USE_C +#define MBEDTLS_X509_USE_C 1 +#endif + +/** + * + * @brief Enable PEM decoding / parsing. + * + * Module: library/pem.c + * Caller: library/dhm.c + * library/pkparse.c + * library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * + * Requires: MBEDTLS_BASE64_C + * + * This modules adds support for decoding / parsing PEM files. + */ +#if CONFIG_MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PEM_PARSE_C 1 +#endif +/** + * + * @brief Enable the Base64 module. + * + * Module: library/base64.c + * Caller: library/pem.c + * + * This module is required for PEM support (required by X.509). 
+ */ +#if CONFIG_MBEDTLS_BASE64_C +#define MBEDTLS_BASE64_C 1 +#endif + +/** + * + * @brief Enable support for PKCS#1 v1.5 encoding. + * + * Requires: MBEDTLS_RSA_C + * + * This enables support for PKCS#1 v1.5 operations. + */ +#if CONFIG_MBEDTLS_PKCS1_V15 +#define MBEDTLS_PKCS1_V15 1 +#endif + +/** + * + * @brief Enable the multi-precision integer library. + * + * Module: library/bignum.c + * Caller: library/dhm.c + * library/ecp.c + * library/ecdsa.c + * library/rsa.c + * library/rsa_internal.c + * library/ssl_tls.c + * + * This module is required for RSA, DHM and ECC (ECDH, ECDSA) support. + */ +#if CONFIG_MBEDTLS_BIGNUM_C +#define MBEDTLS_BIGNUM_C 1 +#endif + +/** + * + * @brief Enable the OID database. + * + * Module: library/oid.c + * Caller: library/asn1write.c + * library/pkcs5.c + * library/pkparse.c + * library/pkwrite.c + * library/rsa.c + * library/x509.c + * library/x509_create.c + * library/x509_crl.c + * library/x509_crt.c + * library/x509_csr.c + * library/x509write_crt.c + * library/x509write_csr.c + * + * This modules translates between OIDs and internal values. + */ +#if CONFIG_MBEDTLS_OID_C +#define MBEDTLS_OID_C 1 +#endif + +/** + * + * @brief Enable the generic ASN1 parser. + * + * Module: library/asn1.c + * Caller: library/x509.c + * library/dhm.c + * library/pkcs12.c + * library/pkcs5.c + * library/pkparse.c + */ +#if CONFIG_MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_PARSE_C 1 +#endif + +/** + * + * @brief Enable the generic public (asymmetric) key parser. + * + * Module: library/pkparse.c + * Caller: library/x509_crt.c + * library/x509_csr.c + * + * Requires: MBEDTLS_PK_C + * + * Uncomment to enable generic public key parse functions. + */ +#if CONFIG_MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_PARSE_C 1 +#endif + +/** + * + * @brief Enable the generic public (asymmetric) key layer. 
+ * + * Module: library/pk.c + * Caller: library/ssl_tls.c + * library/ssl_cli.c + * library/ssl_srv.c + * + * Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C + * + * Uncomment to enable generic public key wrappers. + */ +#if CONFIG_MBEDTLS_PK_C +#define MBEDTLS_PK_C 1 +#endif + +/** + * + * @brief Enable the SSL/TLS client code. + * + * Module: library/ssl_cli.c + * Caller: + * + * Requires: MBEDTLS_SSL_TLS_C + * + * This module is required for SSL/TLS client support. + */ +#if CONFIG_MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_CLI_C 1 +#endif + +/** + * + * @brief Enable the AES block cipher. + * + * Module: library/aes.c + * Caller: library/cipher.c + * library/pem.c + * library/ctr_drbg.c + */ +#if CONFIG_MBEDTLS_AES_C +#define MBEDTLS_AES_C 1 +#endif + +/** + * + * @brief Enable the TCP and UDP over IPv6/IPv4 networking routines. + * + * Module: library/net_sockets.c + * + * This module provides networking routines + */ +#if CONFIG_MBEDTLS_NET_C +#define MBEDTLS_NET_C 1 +#endif + +/** + * + * @brief Enable the CTR_DRBG AES-based random generator. + * + * Module: library/ctr_drbg.c + * Caller: + * + * Requires: MBEDTLS_AES_C + * + * This module provides the CTR_DRBG AES random number generator. + */ +#if CONFIG_MBEDTLS_CTR_DRBG_C +#define MBEDTLS_CTR_DRBG_C 1 +#endif + +/** + * + * @brief Enable the elliptic curve Diffie-Hellman library. + * + * Module: library/ecdh.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * + * This module is used by the following key exchanges: + * ECDHE-ECDSA, ECDHE-RSA, DHE-PSK + * + * Requires: MBEDTLS_ECP_C + */ +#if CONFIG_MBEDTLS_ECDH_C +#define MBEDTLS_ECDH_C 1 +#endif + +/** + * + * @brief Enable the elliptic curve DSA library. + * + * Module: library/ecdsa.c + * Caller: + * + * This module is used by the following key exchanges: + * ECDHE-ECDSA + * + * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C, + * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a + * short Weierstrass curve. 
+ */ +#if CONFIG_MBEDTLS_ECDSA_C +#define MBEDTLS_ECDSA_C 1 +#endif + +/** + * + * @brief Enable the elliptic curve over GF(p) library. + * + * Module: library/ecp.c + * Caller: library/ecdh.c + * library/ecdsa.c + * library/ecjpake.c + * + * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED + */ +#if CONFIG_MBEDTLS_ECP_C +#define MBEDTLS_ECP_C 1 +#endif + +/** + * + * @brief EMBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve + * module. By default all supported curves are enabled. + * + */ +#if CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED 1 +#endif + +/** + * + * @brief Enable the generic ASN1 writer. + * + * Module: library/asn1write.c + * Caller: library/ecdsa.c + * library/pkwrite.c + * library/x509_create.c + * library/x509write_crt.c + * library/x509write_csr.c + */ +#if CONFIG_MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_ASN1_WRITE_C 1 +#endif + +/** + * + * @brief Enable the Diffie-Hellman-Merkle module. + * + * Module: library/dhm.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * + * This module is used by the following key exchanges: + * DHE-RSA, DHE-PSK + */ +#if CONFIG_MBEDTLS_DHM_C +#define MBEDTLS_DHM_C 1 +#endif + +/** + * + * @brief Enable the Galois/Counter Mode (GCM). + * + * Module: library/gcm.c + * + * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C + * + * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other + * requisites are enabled as well. + */ +#if CONFIG_MBEDTLS_GCM_C +#define MBEDTLS_GCM_C 1 +#endif + +/** + * + * @brief Enable the platform abstraction layer that allows you to re-assign + * functions like calloc(), free(), snprintf(), printf(), fprintf(), exit(). + * + * Enabling MBEDTLS_PLATFORM_C enables to use of MBEDTLS_PLATFORM_XXX_ALT + * or MBEDTLS_PLATFORM_XXX_MACRO directives, allowing the functions mentioned + * above to be specified at runtime or compile time respectively. 
+ * + * \note This abstraction layer must be enabled on Windows (including MSYS2) + * as other module rely on it for a fixed snprintf implementation. + * + * Module: library/platform.c + * Caller: Most other .c files + * + * This module enables abstraction of common (libc) functions. + */ +#if CONFIG_MBEDTLS_PLATFORM_C +#define MBEDTLS_PLATFORM_C 1 +#endif + +/** + * + * @brief Enable the debug functions. + * + * Module: library/debug.c + * Caller: library/ssl_cli.c + * library/ssl_srv.c + * library/ssl_tls.c + * + * This module provides debugging functions. + */ +#if CONFIG_MBEDTLS_DEBUG_C +#define MBEDTLS_DEBUG_C 1 +#endif /** @endcond */ +// #endif #include "mbedtls/check_config.h" #ifdef __cplusplus diff --git a/pkg/mbedtls/patches/0001-mbedtls-patch.patch b/pkg/mbedtls/patches/0001-mbedtls-patch.patch new file mode 100644 index 000000000000..4a8f7a7c755f --- /dev/null +++ b/pkg/mbedtls/patches/0001-mbedtls-patch.patch 
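Review bot: The doc block above `#if CONFIG_MBEDTLS_MD_C` was copied from the SNI option: it says "Requires: MBEDTLS_X509_CRT_PARSE_C" and "Comment this macro to disable support for server name indication in SSL", neither of which describes the message digest layer. Several other blocks keep the "Uncomment to enable …" wording, which no longer applies now that the macros are driven by `CONFIG_*` values; something like `Set CONFIG_MBEDTLS_PK_C to 1 to enable the generic public key wrappers.` would match how this file works. The trailing `// #endif` after `/** @endcond */` is commented-out code and should be dropped.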
@@ -0,0 +1,41 @@
+From 32ff5a1f43f3cbf800cdc5460808f2a5e17a8759 Mon Sep 17 00:00:00 2001
+From: "mariem.charrada"
+Date: Tue, 25 Jan 2022 23:18:14 +0100
+Subject: [PATCH] mbedtls-patch
+
+---
+ library/aes.c | 4 ++--
+ library/net_sockets.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/library/aes.c b/library/aes.c
+index 31824e75c..0261ec566 100644
+--- a/library/aes.c
++++ b/library/aes.c
+@@ -376,8 +376,8 @@ static int aes_init_done = 0;
+ static void aes_gen_tables( void )
+ {
+ int i, x, y, z;
+- int pow[256];
+- int log[256];
++ uint8_t pow[256];
++ uint8_t log[256];
+
+ /*
+ * compute pow and log tables over GF(2^8)
+diff --git a/library/net_sockets.c b/library/net_sockets.c
+index 5fbe1f764..3d127655d 100644
+--- a/library/net_sockets.c
++++ b/library/net_sockets.c
+@@ -33,7 +33,7 @@
+
+ #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
+ !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
+- !defined(__HAIKU__) && !defined(__midipix__)
++ !defined(__HAIKU__) && !defined(__midipix__) && !defined(RIOT_VERSION)
+ #error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
+ #endif
+
+--
+2.25.1
+
diff --git a/tests/mbedtls_test/Makefile b/tests/mbedtls_test/Makefile
new file mode 100644
index 000000000000..8683dbbb1f3f
--- /dev/null
+++ b/tests/mbedtls_test/Makefile
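Review bot: The net_sockets.c change only adds `!defined(RIOT_VERSION)` to the platform guard, which silences the `#error` but does not show that the rest of the file behaves correctly on top of lwIP's POSIX compatibility headers; the calls it makes further down are outside this hunk, so that needs checking together with the lwIP patch, which stops mapping `fcntl`. In aes.c, narrowing `pow` and `log` to `uint8_t` reduces the stack use of `aes_gen_tables()` and is safe only while every stored value stays below 256; the loops that fill and read the tables are not part of the hunk, so a comment such as `/* GF(2^8) values, always 0..255 */` and a run of the AES self-test would document that. Both changes touch vendored crypto and network code under the subject `mbedtls-patch` with no description; one patch per change with a stated rationale is easier to audit and to drop when upstream moves.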
@@ -0,0 +1,40 @@
+APPLICATION= lwip_mbedtls_test
+
+RIOTBASE ?= $(CURDIR)/../..
+
+BOARD ?= native
+
+USEPKG += mbedtls
+
+USEMODULE += netdev_default
+USEMODULE += mbedtls_entropy
+USEMODULE += ipv4_addr
+USEMODULE += lwip_arp
+USEMODULE += lwip_ipv4
+USEMODULE += lwip_ipv6
+USEMODULE += lwip_dhcp_auto
+USEMODULE += lwip lwip_netdev
+USEMODULE += lwip_udp
+USEMODULE += lwip_tcp
+USEMODULE += sock_tcp
+
+# Add also the shell, some shell commands
+USEMODULE += shell
+USEMODULE += shell_commands
+USEMODULE += ps
+
+# tinydtls needs crypto secure PRNG
+USEMODULE += prng_sha1prng
+USEMODULE += random
+
+CFLAGS += -DTHREAD_STACKSIZE_MAIN="(5 * THREAD_STACKSIZE_LARGE + THREAD_EXTRA_STACKSIZE_PRINTF )"
+CFLAGS += -DCONFIG_ENTROPY_SOURCE_ADC_HMIN="200"
+CFLAGS += -DISR_STACK_SIZE=4096
+CFLAGS += -DLWIP_DEBUG_ENABLED=0
+CFLAGS += -DMBEDTLS_ENABLED=1
+CFLAGS += -D_SOCKLEN_T_DECLARED=1
+
+# Change this to 0 show compiler invocation lines by default:
+QUIET ?= 1
+
+include $(RIOTBASE)/Makefile.include
diff --git a/tests/mbedtls_test/README.md b/tests/mbedtls_test/README.md
new file mode 100644
index 000000000000..26bb7abc98ad
--- /dev/null
+++ b/tests/mbedtls_test/README.md
@@ -0,0 +1,6 @@
+to start the openssl server:
+ openssl s_server -key server-prk.pem -cert server-cer.pem -accept 10.0.110.71:44330 -www -debug
+
+Please, change the IP address to your corresponding interface.
+
+Kconfig should be configured before the build through make menuconfig.
diff --git a/tests/mbedtls_test/ca-cer.pem b/tests/mbedtls_test/ca-cer.pem
new file mode 100644
index 000000000000..d44b61ea7361
--- /dev/null
+++ b/tests/mbedtls_test/ca-cer.pem
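Review bot: The comment `# tinydtls needs crypto secure PRNG` above `USEMODULE += prng_sha1prng` in tests/mbedtls_test/Makefile is left over from another application; this test uses mbedTLS, which main.c seeds through `mbedtls_entropy_func`, so either say why the SHA1PRNG is still needed or drop both lines. `-DMBEDTLS_ENABLED=1` and `-DLWIP_DEBUG_ENABLED=0` change how the pkg/lwip headers are compiled, so they should be documented next to the flags, e.g. `# consumed by pkg/lwip/include/lwipopts.h and the lwIP sockets.h patch`. `-D_SOCKLEN_T_DECLARED=1` presumably suppresses a libc type declaration and needs a comment naming the conflict it works around.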
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDnzCCAocCFGfDEoYXsh2tZvNCX+1ad8gBpKxKMA0GCSqGSIb3DQEBCwUAMIGL
+MQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4x
+EDAOBgNVBAoMB2V4YW1wbGUxEDAOBgNVBAsMB2V4YW1wbGUxFDASBgNVBAMMC2V4
+YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFleGFtcGxlQGdtYWlsLmNvbTAeFw0y
+MjAyMjAxMzMyMTdaFw0yMzAyMjAxMzMyMTdaMIGLMQswCQYDVQQGEwJERTEPMA0G
+A1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB2V4YW1wbGUx
+EDAOBgNVBAsMB2V4YW1wbGUxFDASBgNVBAMMC2V4YW1wbGUuY29tMSAwHgYJKoZI
+hvcNAQkBFhFleGFtcGxlQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKqWlRGRmVaA10tx8OrB6W/MHK02HyPh8Nl9KO9fst1FxD6pXVjt
+zwZcWrZoBGdqc2SdoUnkpVCm2vdSqp1rf9S+QFM3u+1fyhHCzNfkGWSojLuWOtb3
+szGpmq4sG8NU7FEf38k0H+3YrZ6RYrQQ5c/63BMRnqMlKNDW/bX6j///x4srdm/K
+2NXypqgR7nQsyq4+As+EJQDIsXY6vhFRtncMK9jki/tZXcPoY63vKqCoiU/+Z4lR
+cZeizmECF5uBNwWmwt4u0p7dCrN28oxWoDaQ5TYN9erPC1s+idHWqMJeUpmTf4p1
+q1X4YjD1Zrgbje6SYpRGYNSkgNVgi1TSJOUCAwEAATANBgkqhkiG9w0BAQsFAAOC
+AQEAVh6VaSNU+u9dDWhrOh8slzFGZCqkUI5kdngMPGFCLKgKFWfvSt6B7p9VppAt
+6yQiFUZG1ih6TNEM2t4kvIDNRTcfxoaDO5K1wrHD/v6z1aJllb1L4qcBJWa9XZXK
+8HlvguG6QU+RV34V/Bg52ToOr6dOopeT0sFRyzbOZcirlOFbkLc7e5etk8ZxfbOO
+l+cR01gyZCHEJiCdnLr8ZcijSIleNym6TiHtJXDXwyBEfUKQH1e9zeG9cH8R9kGD
+J0dlpVwmUT3L3p7rNopId1y9mZpctquXBvo0F1g/bycR5XLEN4LhGTnDgmcz6JdJ
+bKvRR2ATdCr4hgjJFtDMw2qzIw==
+-----END CERTIFICATE-----
diff --git a/tests/mbedtls_test/main.c b/tests/mbedtls_test/main.c
new file mode 100644
index 000000000000..3b963d828e72
--- /dev/null
+++ b/tests/mbedtls_test/main.c
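Review bot: This CA certificate is stored twice, here in ca-cer.pem and as the `ca_certificate` string in tests/mbedtls_test/main.c, so the two copies can drift apart; keeping a single source (for example generating the C array from the PEM file at build time) avoids that. Its validity fields appear to decode to 20 Feb 2022 – 20 Feb 2023, so once date checking is active, verification against it may start failing a year after creation unless the README documents how to regenerate the CA and the server pair (`server-prk.pem`, `server-cer.pem`) it refers to. A line in the README stating that these are throw-away test credentials would also help later readers.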
@@ -0,0 +1,222 @@
+/*
+ * Copyright (C) 2021_ML!PA Consulting GmbH
+ */
+/**
+ * @ingroup test app lwip_mbedtls
+ * @{
+ *
+ * @file
+ * @brief send encrypted data to the server
+ *
+ * @}
+ * @ author Mariem Charrada
+ */
+
+#include "net/sock/tcp.h"
+#include "shell.h"
+#include "msg.h"
+#include "xtimer.h"
+
+#include "lwip/debug.h"
+#include "mbedtls/debug.h"
+#include "net_sockets.h"
+#include "ssl.h"
+#include "entropy.h"
+#include "ctr_drbg.h"
+#include "x509_crt.h"
+
+#define ENABLE_DEBUG 0
+#include "debug.h"
+
+#define MAIN_QUEUE_SIZE (4)
+
+static void _lwip_mbedtls_my_debug(void *ctx, int level, const char *file, int line,
+ const char *str)
+{
+ ((void)level);
+ fprintf((FILE *)ctx, "%s:%04d: %s", file, line, str);
+ fflush((FILE *)ctx);
+}
+
+static const unsigned char ca_certificate[] =
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDnzCCAocCFGfDEoYXsh2tZvNCX+1ad8gBpKxKMA0GCSqGSIb3DQEBCwUAMIGL\n"
+ "MQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4x\n"
+ "EDAOBgNVBAoMB2V4YW1wbGUxEDAOBgNVBAsMB2V4YW1wbGUxFDASBgNVBAMMC2V4\n"
+ "YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFleGFtcGxlQGdtYWlsLmNvbTAeFw0y\n"
+ "MjAyMjAxMzMyMTdaFw0yMzAyMjAxMzMyMTdaMIGLMQswCQYDVQQGEwJERTEPMA0G\n"
+ "A1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB2V4YW1wbGUx\n"
+ "EDAOBgNVBAsMB2V4YW1wbGUxFDASBgNVBAMMC2V4YW1wbGUuY29tMSAwHgYJKoZI\n"
+ "hvcNAQkBFhFleGFtcGxlQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP\n"
+ "ADCCAQoCggEBAKqWlRGRmVaA10tx8OrB6W/MHK02HyPh8Nl9KO9fst1FxD6pXVjt\n"
+ "zwZcWrZoBGdqc2SdoUnkpVCm2vdSqp1rf9S+QFM3u+1fyhHCzNfkGWSojLuWOtb3\n"
+ "szGpmq4sG8NU7FEf38k0H+3YrZ6RYrQQ5c/63BMRnqMlKNDW/bX6j///x4srdm/K\n"
+ "2NXypqgR7nQsyq4+As+EJQDIsXY6vhFRtncMK9jki/tZXcPoY63vKqCoiU/+Z4lR\n"
+ "cZeizmECF5uBNwWmwt4u0p7dCrN28oxWoDaQ5TYN9erPC1s+idHWqMJeUpmTf4p1\n"
+ "q1X4YjD1Zrgbje6SYpRGYNSkgNVgi1TSJOUCAwEAATANBgkqhkiG9w0BAQsFAAOC\n"
+ "AQEAVh6VaSNU+u9dDWhrOh8slzFGZCqkUI5kdngMPGFCLKgKFWfvSt6B7p9VppAt\n"
+ "6yQiFUZG1ih6TNEM2t4kvIDNRTcfxoaDO5K1wrHD/v6z1aJllb1L4qcBJWa9XZXK\n"
+ "8HlvguG6QU+RV34V/Bg52ToOr6dOopeT0sFRyzbOZcirlOFbkLc7e5etk8ZxfbOO\n"
+ "l+cR01gyZCHEJiCdnLr8ZcijSIleNym6TiHtJXDXwyBEfUKQH1e9zeG9cH8R9kGD\n"
+ "J0dlpVwmUT3L3p7rNopId1y9mZpctquXBvo0F1g/bycR5XLEN4LhGTnDgmcz6JdJ\n"
+ "bKvRR2ATdCr4hgjJFtDMw2qzIw==\n"
+ "-----END CERTIFICATE-----\n";
+
+static int _lwip_mbedtls_client_thread(char *argv1, char *argv2, char *argv3)
+{
+ int status;
+ mbedtls_net_context server_fd;
+ mbedtls_entropy_context entropy;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_x509_crt x509_certificate;
+ static uint8_t client_connected = 0;
+
+ if (!client_connected) {
+ /* trusted chain configuration */
+ mbedtls_x509_crt_init(&x509_certificate);
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: CA certificate init succeeded");
+ status = mbedtls_x509_crt_parse(&x509_certificate, ca_certificate, sizeof(ca_certificate));
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: CA certificate parse failed -0x%d\n", status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: CA certificate parse succeeded");
+
+ /* entropy source and PRNG */
+ mbedtls_entropy_init(&entropy);
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: entropy init succeeded");
+ mbedtls_ctr_drbg_init(&ctr_drbg);
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: random number generation init succeeded");
+ status = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: random number generation seed failed -0x%d\n",
+ status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: random number generation seed succeeded");
+
+ /* TLS configuration */
+ mbedtls_ssl_config_init(&conf);
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: ssl config init succeeded");
+ status = mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT);
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: default ssl configuration failed -0x%d\n", status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: default ssl configuration succeeded");
+
+ // all cipher suits will be used
+
+ //load CA certificate
+ mbedtls_ssl_conf_ca_chain(&conf, &x509_certificate, NULL);
+
+ //a must: ensure that certificates are signed by the CA
+ mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+
+ //set the random engine
+ mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
+
+ //add debug output
+ mbedtls_ssl_conf_dbg(&conf, _lwip_mbedtls_my_debug, stdout);
+ mbedtls_debug_set_threshold(1);
+
+ /* TLS context */
+ mbedtls_ssl_init(&ssl);
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: ssl init succeeded");
+ mbedtls_ssl_setup(&ssl, &conf);
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: ssl setup succeeded");
+
+ /* Establish secure TLS connection */
+ mbedtls_net_init(&server_fd);
+ mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
+ status = mbedtls_net_connect(&server_fd, argv1, argv2, MBEDTLS_NET_PROTO_TCP);
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: server connect failed -0x%d\n", status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: server connect succeeded");
+ client_connected = 1;
+ }
+
+ //verify certificate belongs to the server
+ status = mbedtls_ssl_set_hostname(&ssl, "example.com");
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: host verification failed -0x%d\n", status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: ssl set hostname succeeded");
+ status = mbedtls_ssl_handshake(&ssl);
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: ssl handshake failed -0x%d\n", status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: ssl handshake succeeded");
+ status = mbedtls_ssl_get_verify_result(&ssl);
+ if (status != 0) {
+ DEBUG("_lwip_mbedtls_client_thread: certificate verification failed -0x%d\n", status);
+ return -1;
+ }
+ DEBUG_PUTS("_lwip_mbedtls_client_thread: ssl get verify result succeeded");
+ size_t write_buf_len = strlen(argv3);
+
+ do {
+ status = mbedtls_ssl_write(&ssl, (const unsigned char *)(argv3) + status,
+ write_buf_len - status);
+ if (status == 0) {
+ DEBUG("_lwip_mbedtls_client_thread: %d bytes sent to server\n", write_buf_len);
+ break;
+ }
+ else if (status < 0) {
+ switch (status) {
+ case MBEDTLS_ERR_SSL_WANT_READ:
+ case MBEDTLS_ERR_SSL_WANT_WRITE:
+ case MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS:
+ case MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS:
+ {
+ continue;
+ }
+ default:
+ DEBUG(
+ "_lwip_mbedtls_client_thread: default case in write ssl should never be reached\n");
+ }
+ }
+ } while (1);
+
+ DEBUG("_lwip_mbedtls_client_thread: sending encrypted %s to server is DONE :) \n", argv3);
+ return 0;
+}
+
+static int cmd_tls_connect(int argc, char **argv)
+{
+ DEBUG_PUTS("main(): cmd_tls_connect started");
+ if (argc < 3) {
+ printf("usage: %s [data]\n", argv[0]);
+ return -1;
+ }
+
+ return _lwip_mbedtls_client_thread(argv[1], argv[2], argv[3]);
+}
+
+static const shell_command_t shell_commands[] = {
+ { "connect", "Perform a TLS connection", cmd_tls_connect },
+ { NULL, NULL, NULL }
+};
+
+int main(void)
+{
+ msg_t _main_msg_queue[MAIN_QUEUE_SIZE];
+ char line_buf[SHELL_DEFAULT_BUFSIZE];
+
+ DEBUG_PUTS("main(): tls client starting");
+
+ /* for the thread running the shell */
+ msg_init_queue(_main_msg_queue, MAIN_QUEUE_SIZE);
+ shell_run(shell_commands, line_buf, SHELL_DEFAULT_BUFSIZE);
+ /* should be never reached */
+
+ return 0;
+}
diff --git a/tests/mbedtls_test/server-cer.pem b/tests/mbedtls_test/server-cer.pem
new file mode 100644
index 000000000000..ca7fa8ad08ed
--- /dev/null
+++ b/tests/mbedtls_test/server-cer.pem
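Review bot: In the write loop of `_lwip_mbedtls_client_thread` in main.c, `status` is both the return code and the buffer offset, so after a `MBEDTLS_ERR_SSL_WANT_READ`/`WANT_WRITE` return the retry passes `argv3 + status` with a negative `status` (a read before the buffer, with a length larger than `write_buf_len`), and the `default:` branch never leaves the loop, so any fatal error spins forever. Keep the bytes sent in a separate `size_t` and return on every other non-positive code, as in the sketch below. `cmd_tls_connect` guards with `argc < 3` but its `argv[3]` ends up in `strlen()`, so either require four arguments (`if (argc < 4)`) or substitute an empty payload when `[data]` is omitted. The mbedtls contexts are automatic variables while `client_connected` is `static`, so a second `connect` skips the init block and hands an uninitialised `ssl` to `mbedtls_ssl_set_hostname()`; making the contexts `static`, or releasing everything with the `mbedtls_*_free()` calls on each return, would fix that and the leaks on the error paths. The return value of `mbedtls_ssl_setup()` is unchecked as well.

```c
size_t write_buf_len = strlen(argv3);
size_t sent = 0;

while (sent < write_buf_len) {
    status = mbedtls_ssl_write(&ssl, (const unsigned char *)argv3 + sent,
                               write_buf_len - sent);
    if (status > 0) {
        /* partial writes are legal: advance by what was actually sent */
        sent += (size_t)status;
        continue;
    }
    if (status == MBEDTLS_ERR_SSL_WANT_READ ||
        status == MBEDTLS_ERR_SSL_WANT_WRITE ||
        status == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ||
        status == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
        /* retry with the same pointer and length */
        continue;
    }
    DEBUG("_lwip_mbedtls_client_thread: ssl write failed -0x%x\n", (unsigned)-status);
    return -1;
}
/* ... unchanged: final DEBUG message and return 0 ... */
```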
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDnzCCAocCFBPFmqTvY7tHNaqF55P7K4AuB03YMA0GCSqGSIb3DQEBCwUAMIGL +MQswCQYDVQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4x +EDAOBgNVBAoMB2V4YW1wbGUxEDAOBgNVBAsMB2V4YW1wbGUxFDASBgNVBAMMC2V4 +YW1wbGUuY29tMSAwHgYJKoZIhvcNAQkBFhFleGFtcGxlQGdtYWlsLmNvbTAeFw0y +MjAyMjAxMzMzNTBaFw0yMzAyMjAxMzMzNTBaMIGLMQswCQYDVQQGEwJERTEPMA0G +A1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB2V4YW1wbGUx +EDAOBgNVBAsMB2V4YW1wbGUxFDASBgNVBAMMC2V4YW1wbGUuY29tMSAwHgYJKoZI +hvcNAQkBFhFleGFtcGxlQGdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBAMkvng4TlPsckwzkFMLjVU5/sSMhoftgXjLCutbwmSdlQsqcaoE5 +T3ryJ+fQn/bA5G4VHmzJBLDJdjH1caspCCXyBAorqLmU/FPG66nPOXIvzRXAwbjZ +7j9+kogZNVB6MuRHGyMyL3kqSn+Ja0ViyoRcXJHhYbthrDaTtqY4PDR2lAtxBIC5 +ne0VJUf7bFm7KIV/obAnCqhFe3TEiKewQ8EAGoO+uOzBlW8rkBQ7OIb/GEfBEtML +JIbf1Cb1l7/EEsM2DdXN0ELuUJ1CyVnmRBj1GIpA/+b11SQCdpJ51nGhjZwUcQJV +y9UDYS+Q15ybHfXgJL/+MntRCyFpvdBr7WUCAwEAATANBgkqhkiG9w0BAQsFAAOC +AQEAO64IFi0/7avVK9xDW9oyqQEqMMx2zTCw3/byECKLPWNIuIgxUFUwj0/tGU1U +00TK5Nk4AGtT4PprsImiKEbj3OMEHDye/5OtX9U8LfNuEXpWb8QVNodf5xNx2K1l +Gp5MTTpN0rkpBYa6+zi1zd6hD80NcvVgKVeG28IoUY2q/LvH0G9x0nvhzvtzPtVk +FqBI8AhBckBc/BMWOba2YBJOFp2o84RiVLdjwHDCgA1QYe8s74KQBOTcQiIV8r4j +3K1erV6HOkRJHQWTM8eCSRFj+43umey3dPrRlc4TYALVouwOeVZh2oNsmaLTgsoP +HM8Ly3GnYAT08FP4q2/FIiOKEg== +-----END CERTIFICATE----- diff --git a/tests/mbedtls_test/server-prk.pem b/tests/mbedtls_test/server-prk.pem new file mode 100644 index 000000000000..48299bd458af --- /dev/null +++ b/tests/mbedtls_test/server-prk.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyS+eDhOU+xyTDOQUwuNVTn+xIyGh+2BeMsK61vCZJ2VCypxq +gTlPevIn59Cf9sDkbhUebMkEsMl2MfVxqykIJfIECiuouZT8U8brqc85ci/NFcDB +uNnuP36SiBk1UHoy5EcbIzIveSpKf4lrRWLKhFxckeFhu2GsNpO2pjg8NHaUC3EE +gLmd7RUlR/tsWbsohX+hsCcKqEV7dMSIp7BDwQAag7647MGVbyuQFDs4hv8YR8ES +0wskht/UJvWXv8QSwzYN1c3QQu5QnULJWeZEGPUYikD/5vXVJAJ2knnWcaGNnBRx +AlXL1QNhL5DXnJsd9eAkv/4ye1ELIWm90GvtZQIDAQABAoIBAQC9PDji7LBZcosu +uOp+Ve7Lo3gun1gJZp+0B05PFog4chrdETtsyUdlUZkPh0CvjMhQczTnBj2PPDAc +1c1RPYsYhggeuOo/hU/CTX0lgHF8YlH5gBG3meVre9bAhVWMmSR9bBSuimn1Aj6I +r+1imoX68hVwchrHchvWSiKnPoYCoUur4HmyHpD2aRjQNSGq9xcfLvJ9UAj6Ak7e +R0BQpvB667OYICzAAAix/PQDVKuv0swrgfpv+ksAhtu9NV0bZjBDuIaf/ahu+y4t +pqV0ZN1sjP8++NRFAwT+rS3DxnbdP9KMH1O4XlYrwKlOpt+l2i7B2qHb0KbUn7o/ +RkL3wQoBAoGBAOZtPC3cazFO4ZVWDzH71Mbbu2EoRSIiRGVHl4PPTTHvSUjBeidl +xDIR3QosnpvilISBOD7PQI4xsCKfZpT4m9M6QQyFaWmZ9DN1jGnsOniMt2P1pRlZ +UNMQBOwnlzdaLvwGyTgSw4fgSd7pvSR93J8ZGjHqsvGqGA+PgvksQyThAoGBAN+D +nFrXkYFg2LeXXYb+y76cmgkH2NhznkcYTZEUfZOuJexfCBlTX+Q6amwOWNMK+2m9 +I9r3h25e0DFa1fty+RbpczWr3uA8sCvWFHsOrUQXd/q7Jbq9uKJ0hwhHazC51JxU +wBXFQNeGIUsPF12NGniRBNuInxSb1tR4d5P2DdUFAoGAEF3r61n/pyXyMfhF5gf8 +Kg/LdHA20ODcONFn+q3LzuMvMmLDuW6qC+Bm8eUPcwUaBXtkMlnoPPFckGkAEU7D +SrKVkj0bqquLw+fyjEeCM7PTBt+Y1X8ZlZRKtTdurzjRo4cb3ca/arRMqu+xRplG +BWr0CF2iTjYFtX09EVPKhSECgYEAohrGzE+p1QaTRtu91kl3JWBYixIo4BtCgNeM +chtFVFUqZfsqWYvRcSo4wvPI0g8V9kNZ/NYnYBHdtt3lcb+aDlbz2sozE7iQIMrc +Ab/MRCUtPCh9Ham5fgE7afK6OBWesF77DQ8JjwZVoSVp0cyjlSvANSQqE/1OWryg +JSyALa0CgYA45YQxjWHUuo7QPR98/7jrqgVgq0MQygRWEVsTZ1mpNCenYh7QcwIE +HxELyWR3x7ANN8WbmIu3n6X5sGEOh2Y6ZLaFIYGcKn3smGewUxLnBx4oQ/s3Q7e3 +QA6k3xDP9iLmwZXt82R24WA6kAi+CNC6XsAbqdAYpN9M2/xZRpNbEw== +-----END RSA PRIVATE KEY-----
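Review bot: server-prk.pem commits an unencrypted RSA private key, so it has to be treated as public from now on; the README next to it should say that the key and both certificates are throwaway fixtures for the local `openssl s_server` run and must not be reused anywhere else. Generating them in the test setup, or at least documenting the `openssl` commands that produced them, would keep secret scanners quiet and make renewal reproducible. The validity fields in ca-cer.pem and server-cer.pem decode to 2022-02-20 through 2023-02-20, so with `MBEDTLS_SSL_VERIFY_REQUIRED` the handshake in main.c will presumably start failing after that date on any build where mbedtls checks certificate time.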