TLS communication for secure sockets

include/net/net_context.h

@@ -184,6 +184,8 @@ struct net_tcp;
 
 struct net_conn_handle;
 
+struct tls_context;
+
 /**
  * Note that we do not store the actual source IP address in the context
  * because the address is already be set in the network interface struct.
@@ -275,6 +277,11 @@ struct net_context {
 		struct k_fifo recv_q;
 		struct k_fifo accept_q;
 	};
+
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	/** TLS context information */
+	struct tls_context *tls;
+#endif /* CONFIG_NET_SOCKETS_SOCKOPT_TLS */
 #endif /* CONFIG_NET_SOCKETS */
 };
 

include/net/net_ip.h

@@ -54,6 +54,13 @@ enum net_ip_protocol {
 	IPPROTO_ICMPV6 = 58,
 };
 
+/* Protocol numbers for TLS protocols */
+enum net_ip_protocol_secure {
+	IPPROTO_TLS_1_0 = 256,
+	IPPROTO_TLS_1_1 = 257,
+	IPPROTO_TLS_1_2 = 258,
+};
+
 /** Socket type */
 enum net_sock_type {
 	SOCK_STREAM = 1,

include/net/socket.h

@@ -76,67 +76,134 @@ int zsock_getaddrinfo(const char *host, const char *service,
 		      const struct zsock_addrinfo *hints,
 		      struct zsock_addrinfo **res);
 
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+
+int ztls_socket(int family, int type, int proto);
+int ztls_close(int sock);
+int ztls_bind(int sock, const struct sockaddr *addr, socklen_t addrlen);
+int ztls_connect(int sock, const struct sockaddr *addr, socklen_t addrlen);
+int ztls_listen(int sock, int backlog);
+int ztls_accept(int sock, struct sockaddr *addr, socklen_t *addrlen);
+ssize_t ztls_send(int sock, const void *buf, size_t len, int flags);
+ssize_t ztls_recv(int sock, void *buf, size_t max_len, int flags);
+ssize_t ztls_sendto(int sock, const void *buf, size_t len, int flags,
+		    const struct sockaddr *dest_addr, socklen_t addrlen);
+ssize_t ztls_recvfrom(int sock, void *buf, size_t max_len, int flags,
+		      struct sockaddr *src_addr, socklen_t *addrlen);
+int ztls_fcntl(int sock, int cmd, int flags);
+int ztls_poll(struct zsock_pollfd *fds, int nfds, int timeout);
+
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
+
 #if defined(CONFIG_NET_SOCKETS_POSIX_NAMES)
 static inline int socket(int family, int type, int proto)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_socket(family, type, proto);
+#else
 	return zsock_socket(family, type, proto);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline int close(int sock)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_close(sock);
+#else
 	return zsock_close(sock);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline int bind(int sock, const struct sockaddr *addr, socklen_t addrlen)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_bind(sock, addr, addrlen);
+#else
 	return zsock_bind(sock, addr, addrlen);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline int connect(int sock, const struct sockaddr *addr,
 			  socklen_t addrlen)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_connect(sock, addr, addrlen);
+#else
 	return zsock_connect(sock, addr, addrlen);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline int listen(int sock, int backlog)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_listen(sock, backlog);
+#else
 	return zsock_listen(sock, backlog);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline int accept(int sock, struct sockaddr *addr, socklen_t *addrlen)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_accept(sock, addr, addrlen);
+#else
 	return zsock_accept(sock, addr, addrlen);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline ssize_t send(int sock, const void *buf, size_t len, int flags)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_send(sock, buf, len, flags);
+#else
 	return zsock_send(sock, buf, len, flags);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline ssize_t recv(int sock, void *buf, size_t max_len, int flags)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_recv(sock, buf, max_len, flags);
+#else
 	return zsock_recv(sock, buf, max_len, flags);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 /* This conflicts with fcntl.h, so code must include fcntl.h before socket.h: */
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+#define fcntl ztls_fcntl
+#else
 #define fcntl zsock_fcntl
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 
 static inline ssize_t sendto(int sock, const void *buf, size_t len, int flags,
 			     const struct sockaddr *dest_addr,
 			     socklen_t addrlen)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_sendto(sock, buf, len, flags, dest_addr, addrlen);
+#else
 	return zsock_sendto(sock, buf, len, flags, dest_addr, addrlen);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline ssize_t recvfrom(int sock, void *buf, size_t max_len, int flags,
 			       struct sockaddr *src_addr, socklen_t *addrlen)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_recvfrom(sock, buf, max_len, flags, src_addr, addrlen);
+#else
 	return zsock_recvfrom(sock, buf, max_len, flags, src_addr, addrlen);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 static inline int poll(struct zsock_pollfd *fds, int nfds, int timeout)
 {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	return ztls_poll(fds, nfds, timeout);
+#else
 	return zsock_poll(fds, nfds, timeout);
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 }
 
 #define pollfd zsock_pollfd

samples/net/sockets/big_http_download/prj_tls.conf

@@ -0,0 +1,46 @@
+# General config
+CONFIG_NEWLIB_LIBC=y
+
+# Networking config
+CONFIG_NETWORKING=y
+CONFIG_NET_IPV4=y
+CONFIG_NET_IPV6=y
+CONFIG_NET_TCP=y
+CONFIG_NET_SOCKETS=y
+CONFIG_NET_SOCKETS_POSIX_NAMES=y
+
+CONFIG_NET_PKT_TX_COUNT=10
+
+CONFIG_DNS_RESOLVER=y
+CONFIG_DNS_SERVER_IP_ADDRESSES=y
+CONFIG_DNS_SERVER1="192.0.2.2"
+
+# Network driver config
+CONFIG_TEST_RANDOM_GENERATOR=y
+
+# Network address config
+CONFIG_NET_APP_SETTINGS=y
+CONFIG_NET_APP_NEED_IPV4=y
+CONFIG_NET_APP_MY_IPV4_ADDR="192.0.2.1"
+CONFIG_NET_APP_PEER_IPV4_ADDR="192.0.2.2"
+CONFIG_NET_APP_MY_IPV4_GW="192.0.2.2"
+# DHCP configuration. Until DHCP address is assigned,
+# static configuration above is used instead.
+CONFIG_NET_DHCPV4=y
+
+# Network debug config
+CONFIG_NET_LOG=y
+CONFIG_NET_LOG_GLOBAL=y
+CONFIG_SYS_LOG_NET_LEVEL=2
+#CONFIG_NET_DEBUG_SOCKETS=y
+#CONFIG_NET_SHELL=y
+
+# TLS configuration
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=60000
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=16384
+
+CONFIG_MAIN_STACK_SIZE=4096
+CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

samples/net/sockets/big_http_download/src/big_http_download.c

@@ -4,6 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+#include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -23,24 +24,34 @@
 #include <net/socket.h>
 #include <kernel.h>
 #include <net/net_app.h>
+
 #define sleep(x) k_sleep(x * 1000)
 
 #endif
 
 /* This URL is parsed in-place, so buffer must be non-const. */
 static char download_url[] =
+#if !defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
     "http://archive.ubuntu.com/ubuntu/dists/xenial/main/installer-amd64/current/images/hd-media/vmlinuz";
+#else
+    "https://www.7-zip.org/a/7z1805.exe";
+#endif /* !defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 /* Quick testing. */
 /*    "http://google.com/foo";*/
 
 /* print("".join(["\\x%02x" % x for x in list(binascii.unhexlify("hash"))])) */
-static uint8_t download_hash[32] = "\x33\x7c\x37\xd7\xec\x00\x34\x84\x14\x22\x4b\xaa\x6b\xdb\x2d\x43\xf2\xa3\x4e\xf5\x67\x6b\xaf\xcd\xca\xd9\x16\xf1\x48\xb5\xb3\x17";
+static uint8_t download_hash[32] =
+#if !defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+"\x33\x7c\x37\xd7\xec\x00\x34\x84\x14\x22\x4b\xaa\x6b\xdb\x2d\x43\xf2\xa3\x4e\xf5\x67\x6b\xaf\xcd\xca\xd9\x16\xf1\x48\xb5\xb3\x17";
+#else
+"\x64\x7a\x9a\x62\x11\x62\xcd\x7a\x50\x08\x93\x4a\x08\xe2\x3f\xf7\xc1\x13\x5d\x6f\x12\x61\x68\x9f\xd9\x54\xaa\x17\xd5\x0f\x97\x29";
+#endif /* !defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
 
 #define SSTRLEN(s) (sizeof(s) - 1)
 #define CHECK(r) { if (r == -1) { printf("Error: " #r "\n"); exit(1); } }
 
 const char *host;
-const char *port = "80";
+const char *port;
 const char *uri_path = "";
 static char response[1024];
 static char response_hash[32];
@@ -113,15 +124,26 @@ void print_hex(const unsigned char *p, int len)
 	}
 }
 
-void download(struct addrinfo *ai)
+void download(struct addrinfo *ai, bool is_tls)
 {
 	int sock;
 
 	cur_bytes = 0;
 
-	sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+	if (is_tls) {
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+		sock = socket(ai->ai_family, ai->ai_socktype, IPPROTO_TLS_1_2);
+# else
+		printf("TLS not supported\n");
+		return;
+#endif
+	} else {
+		sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
+	}
+
 	CHECK(sock);
 	printf("sock = %d\n", sock);
+
 	CHECK(connect(sock, ai->ai_addr, ai->ai_addrlen));
 	sendall(sock, "GET /", SSTRLEN("GET /"));
 	sendall(sock, uri_path, strlen(uri_path));
@@ -183,15 +205,28 @@ int main(void)
 	char *p;
 	unsigned int total_bytes = 0;
 	int resolve_attempts = 10;
+	bool is_tls = false;
 
 	setbuf(stdout, NULL);
 
-	if (strncmp(download_url, "http://", SSTRLEN("http://")) != 0) {
-		fatal("Only http: URLs are supported");
+	if (strncmp(download_url, "http://", SSTRLEN("http://")) == 0) {
+		port = "80";
+		p = download_url + SSTRLEN("http://");
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+	} else if (strncmp(download_url, "https://",
+		   SSTRLEN("https://")) == 0) {
+		is_tls = true;
+		port = "443";
+		p = download_url + SSTRLEN("https://");
+#endif /* defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) */
+	} else {
+		fatal("Only http: "
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+		      "and https: "
+#endif
+		      "URLs are supported");
 	}
 
-	p = download_url + SSTRLEN("http://");
-
 	/* Parse host part */
 	host = p;
 	while (*p && *p != ':' && *p != '/') {
@@ -214,8 +249,8 @@ int main(void)
 		uri_path = p;
 	}
 
-	printf("Preparing HTTP GET request for http://%s:%s/%s\n",
-	       host, port, uri_path);
+	printf("Preparing HTTP GET request for http%s://%s:%s/%s\n",
+		       (is_tls ? "s" : ""), host, port, uri_path);
 
 	hints.ai_family = AF_INET;
 	hints.ai_socktype = SOCK_STREAM;
@@ -248,7 +283,7 @@ int main(void)
 	}
 
 	while (1) {
-		download(res);
+		download(res, is_tls);
 
 		total_bytes += cur_bytes;
 		printf("Total downloaded so far: %uMB\n", total_bytes / (1024 * 1024));

samples/net/sockets/http_get/prj_tls.conf

@@ -0,0 +1,40 @@
+# General config
+CONFIG_NEWLIB_LIBC=y
+
+# Networking config
+CONFIG_NETWORKING=y
+CONFIG_NET_IPV4=y
+CONFIG_NET_IPV6=y
+CONFIG_NET_TCP=y
+CONFIG_NET_SOCKETS=y
+CONFIG_NET_SOCKETS_POSIX_NAMES=y
+
+CONFIG_DNS_RESOLVER=y
+CONFIG_DNS_SERVER_IP_ADDRESSES=y
+CONFIG_DNS_SERVER1="192.0.2.2"
+
+# Network driver config
+CONFIG_TEST_RANDOM_GENERATOR=y
+
+# Network address config
+CONFIG_NET_APP_SETTINGS=y
+CONFIG_NET_APP_NEED_IPV4=y
+CONFIG_NET_APP_MY_IPV4_ADDR="192.0.2.1"
+CONFIG_NET_APP_PEER_IPV4_ADDR="192.0.2.2"
+CONFIG_NET_APP_MY_IPV4_GW="192.0.2.2"
+
+# Network debug config
+CONFIG_NET_LOG=y
+CONFIG_NET_LOG_GLOBAL=y
+CONFIG_SYS_LOG_NET_LEVEL=2
+#CONFIG_NET_DEBUG_SOCKETS=y
+
+# TLS configuration
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_ENABLE_HEAP=y
+CONFIG_MBEDTLS_HEAP_SIZE=30000
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=4096
+
+CONFIG_MAIN_STACK_SIZE=4096
+CONFIG_NET_SOCKETS_SOCKOPT_TLS=y