Support for wolfSSL? #1021

Open
rlillback opened this issue Feb 5, 2023 · 14 comments

Comments

@rlillback

Is there a plan to support wolfSSL for the crypto library?
We have a project that requires dTLS v1.3. The currently supported options (mbedTLS, openSSL, gnuTLS, etc.) do not support dTLS v1.3 yet.

@mrdeep1
Collaborator

mrdeep1 commented Feb 6, 2023

Is it specifically ConnectionID that you are looking for from RFC9147?

  • After a quick read, it is unclear if wolfSSL fully supports RFC9147.
  • TinyDTLS has a PR Add client dtls connection ID (2.). eclipse/tinydtls#149 for adding in a ConnectionID (DTLS 1.2 RFC9146).
  • MbedTLS v3.3.0 has support for ConnectionID - should be a small change to libcoap to add in that support.

There currently are no plans to add in wolfSSL as an alternative TLS library, but there is no reason as to why someone can't take this on as a project and we can then get the changes merged in once stable.

@rlillback
Author

It is my understanding that v1.3 has breaking changes that include:

  • Key derivation constructs
  • HelloRetryRequest is used instead of HelloVerifyRequest
  • Session resumption mechanism was changed
  • Changes in record layer encoding
  • Addition of Connection ID

So, there are multiple changes that I'm looking to support.
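The two wire-format items raised so far, the DTLS 1.2 Connection ID from RFC 9146 (mrdeep1's bullets above) and the DTLS 1.3 record-layer and CID changes from RFC 9147 (the list above), are easiest to see side by side in a header parser. The following is an added example and not libcoap or wolfSSL code; in libcoap this parsing is done by whichever TLS library a coap_*.c interface file wraps, so the example only shows what changes on the wire. It assumes the receiver already knows the negotiated CID length (neither RFC carries it in the record), and the sample headers at the bottom are constructed, not captured traffic.

```c
/*
 * Added example (not libcoap or wolfSSL code): parse the DTLS record header
 * shapes discussed in this thread.
 *   - legacy 13-byte header (RFC 6347; DTLS 1.3 still uses it for plaintext
 *     records such as the first ClientHello flight),
 *   - DTLS 1.2 Connection ID header (RFC 9146, outer content type 25),
 *   - DTLS 1.3 unified ciphertext header (RFC 9147, section 4).
 * The negotiated CID length is a parameter: neither RFC puts it on the wire,
 * so a receiver must already know it from the handshake.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DTLS_CT_TLS12_CID 25u     /* RFC 9146 content type */
#define DTLS_MAX_CID_LEN  255u

typedef enum {
    DTLS_HDR_LEGACY,     /* type(1) version(2) epoch(2) seq(6) length(2) */
    DTLS_HDR_TLS12_CID,  /* legacy layout with CID between seq and length */
    DTLS_HDR_UNIFIED     /* DTLS 1.3: 001CSLEE [cid] seq(1|2) [length(2)] */
} dtls_hdr_kind;

typedef struct {
    dtls_hdr_kind kind;
    uint8_t  content_type;  /* outer type; 0 for the unified header */
    uint16_t epoch;         /* full epoch, or only its low 2 bits (unified) */
    uint64_t seq;           /* 48-bit, or the 8/16 low bits sent (unified) */
    int      seq_bits;
    uint8_t  cid_len;
    uint8_t  cid[DTLS_MAX_CID_LEN];
    int      has_length;    /* 0 only for a unified header with L=0 */
    uint16_t length;
    size_t   header_len;
} dtls_record_hdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

static uint64_t rd48(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 6; i++) v = (v << 8) | p[i];
    return v;
}

/* Returns 0 on success, -1 if the header is malformed or 'len' is too short.
 * Every field is bounds-checked before it is read: these bytes come off the
 * socket before any record protection has been verified. */
int dtls_parse_record_header(const uint8_t *buf, size_t len, uint8_t cid_len,
                             dtls_record_hdr *out)
{
    memset(out, 0, sizeof *out);
    if (len < 1) return -1;
    const uint8_t b0 = buf[0];

    if ((b0 & 0xE0) == 0x20) {             /* unified header: 0 0 1 C S L E E */
        const int c = (b0 >> 4) & 1, s = (b0 >> 3) & 1, l = (b0 >> 2) & 1;
        const size_t need = 1u + (c ? cid_len : 0u) + (s ? 2u : 1u) + (l ? 2u : 0u);
        if (len < need) return -1;
        const uint8_t *p = buf + 1;
        out->kind = DTLS_HDR_UNIFIED;
        out->epoch = b0 & 0x03;
        if (c) { out->cid_len = cid_len; memcpy(out->cid, p, cid_len); p += cid_len; }
        if (s) { out->seq = rd16(p); out->seq_bits = 16; p += 2; }
        else   { out->seq = *p;      out->seq_bits = 8;  p += 1; }
        if (l) { out->has_length = 1; out->length = rd16(p); p += 2; }
        out->header_len = (size_t)(p - buf);
        return 0;
    }

    if (b0 < 20 || b0 > 25) return -1;     /* not a DTLS content type */
    const int is_cid = (b0 == DTLS_CT_TLS12_CID);
    const size_t need = 13u + (is_cid ? cid_len : 0u);
    if (len < need) return -1;
    /* buf[1..2] is the legacy version field (0xFEFD); it is not trusted here */
    out->kind = is_cid ? DTLS_HDR_TLS12_CID : DTLS_HDR_LEGACY;
    out->content_type = b0;
    out->epoch = rd16(buf + 3);
    out->seq = rd48(buf + 5);
    out->seq_bits = 48;
    const uint8_t *p = buf + 11;
    if (is_cid) { out->cid_len = cid_len; memcpy(out->cid, p, cid_len); p += cid_len; }
    out->has_length = 1;
    out->length = rd16(p);
    out->header_len = need;
    return 0;
}

/* Constructed sample headers (not captured traffic); negotiated CID length 2. */
static const uint8_t SAMPLE_LEGACY[]  = { 22, 0xFE, 0xFD, 0x00, 0x00,
                                          0, 0, 0, 0, 0, 1, 0x00, 0x20 };
static const uint8_t SAMPLE_CID12[]   = { 25, 0xFE, 0xFD, 0x00, 0x01,
                                          0, 0, 0, 0, 0, 7, 0xAA, 0xBB, 0x00, 0x30 };
static const uint8_t SAMPLE_UNIFIED[] = { 0x3F, 0xAA, 0xBB, 0x01, 0x02, 0x00, 0x10 };

int main(void)
{
    dtls_record_hdr h;
    if (dtls_parse_record_header(SAMPLE_UNIFIED, sizeof SAMPLE_UNIFIED, 2, &h) == 0)
        printf("unified: epoch&3=%u seq=%llu cid_len=%u length=%u hdr=%zu\n",
               h.epoch, (unsigned long long)h.seq, h.cid_len, h.length, h.header_len);
    return 0;
}
```

Two points the parser makes concrete: a DTLS 1.3 ciphertext record no longer carries a content type, full epoch or version in the clear (the real type is inside the encrypted payload and the epoch is reconstructed from its low two bits), and in both CID formats the CID length must come from state, so a receiver that loses that state cannot even find the length field.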

@mrdeep1
Collaborator

mrdeep1 commented Feb 7, 2023

OK - Seems as if wolfSSL is one of the very few TLS library implementations. The primary work that needs to be done is in an equivalent coap_{openssl|mbedtls|gnutls|tinydtls}.c TLS library interface file. It does look like coap_openssl.c could be a good starting point using the wolfSSL OpenSSL compatibility header.

@obgm
Owner

obgm commented Apr 24, 2023

I agree that having WolfSSL would be useful because of its so far unique support for DTLS 1.3. (BTW: Another feature that comes with this is support for the elliptic curve 25519.)

@erpalma

erpalma commented Jun 29, 2023

Supporting session resumption (even just with DTLS 1.2 CID) would be really awesome. +1 also for supporting WolfSSL, although I understand that this is a bit more complex task.

@mrdeep1
Collaborator

mrdeep1 commented Jun 30, 2023

> Supporting session resumption (even just with DTLS 1.2 CID) would be really awesome.

Please see PR #1153 where there is support for CID with later code versions of MbedTLS. Feedback welcome.

@boaks

boaks commented Jul 2, 2023

Just to mention:
Elliptic curve 25519 works with DTLS 1.2 as well, for both ECDHE and ECDSA.

@mrdeep1
Collaborator

mrdeep1 commented Nov 27, 2023

@fj-blanco Thanks for your work supporting wolfSSL in libcoap.

Some of your code relies on the latest source for wolfSSL, and so when building the code with Ubuntu 22.04 and the latest libwolfssl-dev (5.2.0), there are a lot of build errors. I will take a look at basing things off your code changes and pushing the changes.

@fj-blanco

> @fj-blanco Thanks for your work supporting wolfSSL in libcoap.
>
> Some of your code relies on the latest source for wolfSSL, and so when building the code with Ubuntu 22.04 and the latest libwolfssl-dev (5.2.0), there are a lot of build errors. I will take a look at basing things off your code changes and pushing the changes.

Thank you. While I have been working on this both in Ubuntu 22.04 and Debian 11, I haven't focused on version compatibility yet. Any help is appreciated.

I have updated a TODO list here with the main pending issues in the integration that I've identified so far: https://github.com/qursa-uc3m/libcoap-wolfssl/blob/wolfssl/wolfssl_dev/README.md

@mrdeep1
Collaborator

mrdeep1 commented Nov 27, 2023

@fj-blanco Thanks for the updated documentation. It does however look like you are still finding the latest wolfSSL build on your Ubuntu 22.04.03 system, rather than the one from libwolfssl-dev - I am getting

libcoap Configuration Summary:
      .....
      build with TCP support         : "yes"
      build DTLS support             : "yes"
         -->  wolfSSL around         : "yes" (found wolfSSL 5.2.0)
              wolfSSL_CFLAGS         : ""
              wolfSSL_LIBS           : "-lwolfssl"
      add default names              : "yes"

followed by compilation errors in coap_wolfssl.c. After fixing the compilation errors, I am not able to get examples/coap-client-wolfssl to talk to examples/coap-server-wolfssl (or for that matter any coap-server-*), getting handshake errors.

@fj-blanco

> @fj-blanco Thanks for the updated documentation. It does however look like you are still finding the latest wolfSSL build on your Ubuntu 22.04.03 system, rather than the one from libwolfssl-dev - I am getting
>
>     libcoap Configuration Summary:
>           .....
>           build with TCP support         : "yes"
>           build DTLS support             : "yes"
>              -->  wolfSSL around         : "yes" (found wolfSSL 5.2.0)
>                   wolfSSL_CFLAGS         : ""
>                   wolfSSL_LIBS           : "-lwolfssl"
>           add default names              : "yes"
>
> followed by compilation errors in coap_wolfssl.c. After fixing the compilation errors, I am not able to get examples/coap-client-wolfssl to talk to examples/coap-server-wolfssl (or for that matter any coap-server-*), getting handshake errors.

Have you tried building wolfssl from source with the script install_wolfssl.sh (wolfssl_dev folder)? (You need to run install_liboqs_for_wolfssl.sh if you want to try PQ KEMs and signatures, but it is not strictly necessary for testing just DTLS 1.3.) I'm using a lot of compilation flags (for the OpenSSL compatibility layer, DTLS 1.3, PQ, and so on) and a very recent feature, wolfSSL_dtls13_allow_ch_frag. I haven't tried to make the code compatible with libwolfssl-dev yet (don't know if possible).

@mrdeep1
Collaborator

mrdeep1 commented Nov 27, 2023

Building wolfssl from source using your ./configure options allows coap-client-wolfssl to talk to coap-server-wolfssl, but the client cannot talk to any other server that has a different library; likewise, any client with a non-wolfssl TLS library cannot talk to coap-server-wolfssl (only tested PSK so far). Still having trouble with PKI with coap-client-wolfssl talking to coap-server-wolfssl with my certificates that work for other TLS implementations. I will try to investigate further.

@fj-blanco

> Building wolfssl from source using your ./configure options allows coap-client-wolfssl to talk to coap-server-wolfssl, but the client cannot talk to any other server that has a different library; likewise, any client with a non-wolfssl TLS library cannot talk to coap-server-wolfssl (only tested PSK so far). Still having trouble with PKI with coap-client-wolfssl talking to coap-server-wolfssl with my certificates that work for other TLS implementations. I will try to investigate further.

Great, thank you. If you're unable to address any of those issues, please provide me with a list of reproducible scenarios, or scenarios that you consider relevant but don't have time to test yourself. I will address them as soon as possible.

@mrdeep1
Collaborator

mrdeep1 commented Apr 10, 2024

PR #1358 has been raised for wolfSSL support in libcoap for testing. This took some time to get ready as some (primarily PSK) interoperability issues with other TLS libraries needed to get addressed in the wolfSSL source code as well.


6 participants