Zephyr TLS socket options

drivers/net/loopback.c

@@ -69,7 +69,7 @@ static int loopback_send(struct net_if *iface, struct net_pkt *pkt)
 	 * must be dropped. This is very much needed for TCP packets where
 	 * the packet is reference counted in various stages of sending.
 	 */
-	cloned = net_pkt_clone(pkt, K_MSEC(100));
+	cloned = net_pkt_clone(pkt, K_MSEC(100), NET_PKT_CLONE_USER_DATA);
 	if (!cloned) {
 		res = -ENOMEM;
 		goto out;

ext/lib/crypto/mbedtls/Kconfig

@@ -46,6 +46,7 @@ config MBEDTLS_CFG_FILE
 	string "mbed TLS configuration file"
 	depends on MBEDTLS_BUILTIN
 	default "config-mini-tls1_2.h"
+	default "config-tls-generic.h" if NET_TLS || NET_DTLS
 	help
 	  Use a specific mbed TLS configuration file. The default is suitable to
 	  communicate with majority of HTTPS servers on the Internet, but has

ext/lib/crypto/mbedtls/configs/config-tls-generic.h

@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ * Copyright (c) 2017 Intel Corporation.
+ * Copyright (c) 2018 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Generic configuration for TLS, manageable by Kconfig.
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/* System support */
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_EXIT_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+
+#if !defined(CONFIG_ARM)
+#define MBEDTLS_HAVE_ASM
+#endif
+
+#if defined(CONFIG_MBEDTLS_TEST)
+#define MBEDTLS_SELF_TEST
+#define MBEDTLS_DEBUG_C
+#endif
+
+/* mbedTLS feature support */
+
+/* Supported TLS versions */
+#if defined(CONFIG_NET_TLS)
+#if defined(CONFIG_TLS_VERSION_1_0)
+#define MBEDTLS_SSL_PROTO_TLS1
+#endif
+
+#if defined(CONFIG_TLS_VERSION_1_1)
+#define MBEDTLS_SSL_PROTO_TLS1_1
+#endif
+
+#if defined(CONFIG_TLS_VERSION_1_2)
+#define MBEDTLS_SSL_PROTO_TLS1_2
+#endif
+
+/* Module required for TLS */
+#define MBEDTLS_SSL_TLS_C
+#define MBEDTLS_SSL_SRV_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_MD_C
+
+/* TODO Perhaps make this configurable? */
+#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+#endif /* CONFIG_NET_TLS */
+
+#if defined(CONFIG_NET_DTLS)
+#define MBEDTLS_SSL_PROTO_DTLS
+#define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#define MBEDTLS_SSL_COOKIE_C
+#endif
+
+/* Supported key exchange methods */
+#if defined(CONFIG_TLS_KEY_EXCHANGE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
+
+#if defined(CONFIG_TLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
+#endif
+
+/* Supported cipher modes */
+#if defined(CONFIG_TLS_CIPHER_AES_ENABLED)
+#define MBEDTLS_AES_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_CAMELLIA_ENABLED)
+#define MBEDTLS_CAMELLIA_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_DES_ENABLED)
+#define MBEDTLS_DES_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_CCM_ENABLED)
+#define MBEDTLS_CCM_C
+#endif
+
+#if defined(CONFIG_TLS_CIPHER_CBC_ENABLED)
+#define MBEDTLS_CIPHER_MODE_CBC
+#endif
+
+/* Supported message authentication methods */
+
+#if defined(CONFIG_TLS_MAC_MD5_ENABLED)
+#define MBEDTLS_MD5_C
+#endif
+
+#if defined(CONFIG_TLS_MAC_SHA1_ENABLED)
+#define MBEDTLS_SHA1_C
+#endif
+
+#if defined(CONFIG_TLS_MAC_SHA256_ENABLED)
+#define MBEDTLS_SHA256_C
+#endif
+
+#if defined(CONFIG_TLS_MAC_SHA512_ENABLED)
+#define MBEDTLS_SHA512_C
+#endif
+
+/* Automatic dependencies */
+
+#if defined (MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#define MBEDTLS_DHM_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#define MBEDTLS_ECDH_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#define MBEDTLS_RSA_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+#define MBEDTLS_PKCS1_V15
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
+    defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
+#define MBEDTLS_X509_CRT_PARSE_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
+#define MBEDTLS_ECDSA_C
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+#define MBEDTLS_ECJPAKE_C
+#endif
+
+#if defined(MBEDTLS_ECDH_C) || \
+    defined(MBEDTLS_ECDSA_C) || \
+    defined(MBEDTLS_ECJPAKE_C)
+#define MBEDTLS_ECP_C
+/* For now use single specific curve, can be configurable in the future */
+#define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_X509_USE_C
+#endif
+
+#if defined(MBEDTLS_X509_USE_C) || \
+    defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_ASN1_PARSE_C
+#endif
+
+#if defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_ASN1_WRITE_C
+#endif
+
+#if defined(MBEDTLS_DHM_C) || \
+    defined(MBEDTLS_ECP_C) || \
+    defined(MBEDTLS_RSA_C) || \
+    defined(MBEDTLS_X509_USE_C)
+#define MBEDTLS_BIGNUM_C
+#endif
+
+#if defined(MBEDTLS_RSA_C) || \
+    defined(MBEDTLS_X509_USE_C)
+#define MBEDTLS_OID_C
+#endif
+
+#if defined(MBEDTLS_X509_USE_C)
+#define MBEDTLS_PK_PARSE_C
+#endif
+
+#if defined(MBEDTLS_PK_PARSE_C)
+#define MBEDTLS_PK_C
+#endif
+
+/* mbedTLS modules */
+#if defined (CONFIG_NET_TLS_PEM_CERTIFICATE_FORMAT) && \
+    defined(MBEDTLS_X509_CRT_PARSE_C)
+#define MBEDTLS_PEM_PARSE_C
+#define MBEDTLS_BASE64_C
+#endif
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CTR_DRBG_C
+#endif
+
+#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA512_C)
+#define MBEDTLS_ENTROPY_C
+#endif
+
+/* For test certificates */
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_CERTS_C
+#endif
+
+#if defined(CONFIG_MBEDTLS_DEBUG)
+#define MBEDTLS_ERROR_C
+#define MBEDTLS_DEBUG_C
+#define MBEDTLS_SSL_DEBUG_ALL
+#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
+#endif
+
+#define MBEDTLS_SSL_MAX_CONTENT_LEN  CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */

include/net/net_context.h

@@ -184,6 +184,8 @@ struct net_tcp;
 
 struct net_conn_handle;
 
+struct net_tls;
+
 /**
  * Note that we do not store the actual source IP address in the context
  * because the address is already be set in the network interface struct.
@@ -276,6 +278,11 @@ struct net_context {
 		struct k_fifo accept_q;
 	};
 #endif /* CONFIG_NET_SOCKETS */
+
+#if defined(CONFIG_NET_TLS) || defined(CONFIG_NET_DTLS)
+	/** TLS context information */
+	struct net_tls *tls;
+#endif /* CONFIG_NET_TLS || CONFIG_NET_DTLS */
 };
 
 static inline bool net_context_is_used(struct net_context *context)
@@ -778,7 +785,9 @@ int net_context_update_recv_wnd(struct net_context *context,
 				s32_t delta);
 
 enum net_context_option {
-	NET_OPT_PRIORITY = 1,
+	NET_OPT_PRIORITY         = 1,
+	NET_OPT_TLS_ENABLE       = 2,
+	NET_OPT_TLS_SEC_TAG_LIST = 3,
 };
 
 /**

include/net/net_ip.h

@@ -52,6 +52,9 @@ enum net_ip_protocol {
 	IPPROTO_TCP = 6,
 	IPPROTO_UDP = 17,
 	IPPROTO_ICMPV6 = 58,
+	IPPROTO_TLS_1_0 = 256,
+	IPPROTO_TLS_1_1 = 257,
+	IPPROTO_TLS_1_2 = 258,
 };
 
 /** Socket type */

include/net/net_pkt.h

@@ -1543,15 +1543,26 @@ struct net_buf *net_frag_get_pos(struct net_pkt *pkt,
 				 u16_t offset,
 				 u16_t *pos);
 
+/** Flags for pkt clone operation
+ */
+/** Clone pkt metadata only */
+#define NET_PKT_CLONE_META       0x0
+/** Clone pkt headers */
+#define NET_PKT_CLONE_HDR        0x1
+/** Clone headers and application data */
+#define NET_PKT_CLONE_USER_DATA  0x2
+
 /**
  * @brief Clone pkt and its fragment chain.
  *
  * @param pkt Original pkt to be cloned
  * @param timeout Timeout to wait for free net_buf
+ * @param flags Flags to indicate which parts of the pkt to clone
  *
  * @return NULL if error, clone fragment chain otherwise.
  */
-struct net_pkt *net_pkt_clone(struct net_pkt *pkt, s32_t timeout);
+struct net_pkt *net_pkt_clone(struct net_pkt *pkt, s32_t timeout,
+			      int flags);
 
 /**
  * @brief Get information about predefined RX, TX and DATA pools.