
WolfSSL port to provide TLS/DLTS sockets #2500

Open
wants to merge 8 commits into
base: master

Conversation

danielinux

This PR is a proposal to integrate basic TLS/DTLS support, wrapping the existing uIP sockets.

The TLS/DTLS support is provided via wolfSSL. A module in apps/wolfssl can be linked with an application to access TLS/DTLS capabilities.

A few extra examples, integrating the wolfSSL module are provided:

  • ssl-server
  • ssl-client
  • dtls (server/client)

Examples have been successfully tested on the minimal-net target, using both IPv4 and IPv6, and on the nRF52x development board, using IPv6 over 6LoWPAN.

On the nRF52, the watchdog is disabled when wolfSSL is in use. This prevents the system from being rebooted if the TLS/DTLS handshake takes longer than the watchdog interval.

The wolfssl submodule temporarily points to a wolfSSL fork which adds support in the library for uIP and contiki, that's being validated and considered for inclusion. Later versions of this PR will point to the official wolfSSL repository.

Please provide feedback and comments about the approach.

Looking forward to hearing from the contiki community.

--
@danielinux / @wolfSSL

@akmcomau

akmcomau commented Nov 5, 2018

Thanks for the great work!

I managed to get this working on an AVR xmega with the PSK-NULL-SHA256 cipher. This patch has saved me a lot of time, although without native sockets I did need to add a few more process yields and checks for the SSL_ERROR_WANT_READ error and retry calling functions.

@danielinux
Author

@akmcomau thank you for using this patch. Could you share the code modifications you made for your non-native-socket app? It might be really useful to improve this PR. Thanks in advance.

-- @danielinux / @wolfSSL

@akmcomau

akmcomau commented Nov 6, 2018

@danielinux I didn't really have to change that much. I don't think you want my whole contiki branch, as it has a large number of changes. I don't have it as a simple commit that I can push to github, but I can make one if you like. Here is a summary of what I changed:

In apps/wolfssl/wolfssl.c I removed the calls to wolfSSL_set_using_nonblock() as this didn't seem to be defined in my wolfssl configuration.

Here is an example of a server. But there may be more modifications required to also support the SSL_ERROR_WANT_WRITE error code.

```c
PROCESS_THREAD(server_process, ev, data)
{
  PROCESS_BEGIN();

  /* sk, http_request, Contiki_http_string, my_psk_server_cb and SERVER_PORT
   * are defined elsewhere in the application. */

  /* make new ssl context */
  if ( !(sk = tls_socket_register(wolfTLSv1_2_server_method())) ) {
    PRINTF("wolfSSL_CTX_new error\n");
    PROCESS_EXIT();  /* sk would be dereferenced below */
  }

  /* use psk suite for security */
  wolfSSL_CTX_set_psk_server_callback(sk->ctx, my_psk_server_cb);
  wolfSSL_CTX_use_psk_identity_hint(sk->ctx, "Identity");
  if (wolfSSL_CTX_set_cipher_list(sk->ctx, "PSK-NULL-SHA256") != SSL_SUCCESS) {
    printf("Server can't set cipher list\n");
  }

  tcp_socket_listen(&sk->conn.tcp, SERVER_PORT);

  printf("Listening on %d\n", SERVER_PORT);
  while(1) {
    /* Locals are not preserved across PROCESS_WAIT_EVENT(); len and ret are
     * always assigned after a yield and consumed before the next one. */
    int len;
    int ret;

    /* Yield to the scheduler until the non-blocking accept no longer
     * reports SSL_ERROR_WANT_READ (the handshake spans several events). */
    do {
      PROCESS_WAIT_EVENT();
      printf("Connection Request or Accept Continuation\n");
      ret = tls_socket_accept(sk);
    } while (wolfSSL_get_error(sk->ssl, ret) == SSL_ERROR_WANT_READ);
    if (ret < 0) {
      printf("Accept returned %d\r\n", ret);
      continue;
    }

    printf("Connection accepted\r\n");
    /* Same pattern for reads: retry on WANT_READ, and keep reading until
     * at least 4 bytes have arrived or the read fails. */
    do {
      memset(http_request, 0, sizeof(http_request));
      do {
        PROCESS_WAIT_EVENT();
        len = wolfSSL_read(sk->ssl, http_request, sizeof(http_request));
      } while (wolfSSL_get_error(sk->ssl, len) == SSL_ERROR_WANT_READ);
      printf("Recv request (%d bytes)\r\n", len);
    } while (len < 4 && len != -1);

    if (len != -1) {
      printf("Sending response...\r\n");
      wolfSSL_write(sk->ssl, Contiki_http_string, sizeof(Contiki_http_string));
      PROCESS_WAIT_EVENT();
    }

    printf("Closing connection.\r\n");
    tls_socket_close(sk);
    sk->ssl = NULL;
    printf("Waiting for another connection on %d\n", SERVER_PORT);
  }

  PROCESS_END();
}
```
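
The server above registers `my_psk_server_cb` without showing it. As an added example (not code from the PR or from akmcomau's app), here is the lookup such a callback performs: wolfSSL hands it the identity the client sent plus a buffer of `key_max_len` bytes, and expects the matching key copied in and its length returned, or 0 to reject the client. The identity/key table and the `HAVE_WOLFSSL` guard are constructed for this demo.

```c
/* Added example, not code from the PR or from akmcomau's app: the lookup behind a
 * wolfSSL PSK server callback. wolfSSL passes the identity the client sent and a
 * buffer of key_max_len bytes; the callback copies the matching key in and
 * returns its length, or 0 to reject the client. Table values are constructed. */
#include <stddef.h>
#include <string.h>

struct psk_entry { const char *identity; const unsigned char *key; unsigned int key_len; };

static const unsigned char k_node01[] = { 0x1a, 0x2b, 0x3c, 0x4d };
static const unsigned char k_node02[] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
                                          0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
static const struct psk_entry psk_table[] = {
    { "node-01", k_node01, sizeof(k_node01) },
    { "node-02", k_node02, sizeof(k_node02) },
};

/* Returns the key length, or 0 (reject) for an unknown identity or a key that
 * does not fit: failing the handshake is safer than handing wolfSSL a truncated key. */
unsigned int psk_lookup(const char *identity, unsigned char *key, unsigned int key_max_len)
{
    size_t i;
    if (identity == NULL || key == NULL) {
        return 0;
    }
    for (i = 0; i < sizeof(psk_table) / sizeof(psk_table[0]); i++) {
        const struct psk_entry *e = &psk_table[i];
        if (strcmp(identity, e->identity) == 0) {
            if (e->key_len > key_max_len) {
                return 0;
            }
            memcpy(key, e->key, e->key_len);
            return e->key_len;
        }
    }
    return 0;
}

#ifdef HAVE_WOLFSSL /* assumed build flag: compile the wrapper only with wolfSSL headers */
#include <wolfssl/ssl.h>
/* Signature wolfSSL expects for wolfSSL_CTX_set_psk_server_callback(). */
static unsigned int my_psk_server_cb(WOLFSSL *ssl, const char *identity,
                                     unsigned char *key, unsigned int key_max_len)
{
    (void)ssl;
    return psk_lookup(identity, key, key_max_len);
}
#endif
```

Note that PSK-NULL-SHA256, the suite selected in the server above, authenticates and integrity-protects the connection but does not encrypt it, so it only fits links where confidentiality is not required.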

@danielinux
Author

@akmcomau this is very helpful, thank you. Indeed I do not need a commit, just curious of what you had to change to make it work in your case. Your description is sufficient for me to adjust my PR.

Once again, thank you for the feedback!

--
@danielinux / @wolfSSL

@hcnhcn012

Hello, @danielinux, Thanks for porting wolfSSL to contiki. But I have problems in building this, when I copy the wolfSSL source dir to /apps/wolfssl then autogen+configure+make at the same time. Then I just tried to build ssl_server in examples, and it throws the error: dereferencing pointer to incomplete type. It seems that the library has not been linked correctly.

@danielinux
Author

> Hello, @danielinux, Thanks for porting wolfSSL to contiki. But I have problems in building this, when I copy the wolfSSL source dir to /apps/wolfssl then autogen+configure+make at the same time. Then I just tried to build ssl_server in examples, and it throws the error: dereferencing pointer to incomplete type. It seems that the library has not been linked correctly.

Hi @hcnhcn012.
You don't have to copy and compile the library yourself: git can retrieve it as a submodule, and contiki integrates it into your application automatically.

Please clone with

git clone --recurse-submodules https://github.com/danielinux/contiki.git

or use

git submodule update --init

after a fresh clone, so that the directory apps/wolfssl is populated.

ssl_server in examples already has APPS=wolfssl in the makefile, so it will build the library as a dependency. All you need to do is invoke make with the selected target.

The examples have been successfully tested with make TARGET=minimal-net over a tap device.

For a real-hardware example based on this port, see also our contiki-nRF52 secure boot/secure firmware update demo

@hcnhcn012

@danielinux Great! Don't know why but tested successfully on my contiki too :). Really appreciate that!
