Changes needed for default TLS support in zephyr kernel

wolfSSL · Jul 9, 2024 · 4ec07bb · 4ec07bb
1 parent 00e4215
commit 4ec07bb
Show file tree

Hide file tree

Showing 10 changed files with 163 additions and 20 deletions.
diff --git a/src/internal.c b/src/internal.c
@@ -9892,7 +9892,7 @@ ProtocolVersion MakeDTLSv1_3(void)
     word32 LowResTimer(void)
     {
         int64_t t;
-    #if defined(CONFIG_ARCH_POSIX)
+    #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX)
         k_cpu_idle();
     #endif
         t = k_uptime_get(); /* returns current uptime in milliseconds */

diff --git a/src/ssl.c b/src/ssl.c
@@ -1641,6 +1641,34 @@ int wolfSSL_get_ciphers(char* buf, int len)
     return WOLFSSL_SUCCESS;
 }
 
+#ifdef WOLFSSL_GET_CIPHER_BYTES
+int wolfSSL_get_cipher_list_bytes(byte* buf, int *len)
+{
+    const CipherSuiteInfo* ciphers = GetCipherNames();
+    int ciphersSz = GetCipherNamesSize();
+    int i;
+
+    if (len == NULL)
+        return BAD_FUNC_ARG;
+
+    /* For NULL input buffer and non-NULL len, set len */
+    if (buf == NULL) {
+        *len = (ciphersSz * 2);
+        return WOLFSSL_SUCCESS;
+    }
+
+    if (*len < (ciphersSz * 2))
+        return BUFFER_E;
+
+    /* Add each member to the buffer */
+    for (i = 0; i < ciphersSz; i++) {
+        *buf++ = ciphers->cipherSuite0;
+        *buf++ = ciphers->cipherSuite;
+    }
+
+    return WOLFSSL_SUCCESS;
+}
+#endif
 
 #ifndef NO_ERROR_STRINGS
 /* places a list of all supported cipher suites in TLS_* format into "buf"

diff --git a/tests/api.c b/tests/api.c
@@ -1546,24 +1546,24 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void)
 
     const byte cipherList[] =
     {
-        /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ 0xC0, 0x16,
-        /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA  */ 0xC0, 0x39,
-        /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA  */ 0xC0, 0x33,
-        /* TLS_DH_anon_WITH_AES_128_CBC_SHA  */ 0xC0, 0x34,
-        /* TLS_RSA_WITH_AES_256_CBC_SHA      */ 0xC0, 0x35,
-        /* TLS_RSA_WITH_AES_128_CBC_SHA      */ 0xC0, 0x2F,
-        /* TLS_RSA_WITH_NULL_MD5             */ 0xC0, 0x01,
-        /* TLS_RSA_WITH_NULL_SHA             */ 0xC0, 0x02,
-        /* TLS_PSK_WITH_AES_256_CBC_SHA      */ 0xC0, 0x8d,
-        /* TLS_PSK_WITH_AES_128_CBC_SHA256   */ 0xC0, 0xae,
-        /* TLS_PSK_WITH_AES_256_CBC_SHA384   */ 0xC0, 0xaf,
-        /* TLS_PSK_WITH_AES_128_CBC_SHA      */ 0xC0, 0x8c,
-        /* TLS_PSK_WITH_NULL_SHA256          */ 0xC0, 0xb0,
-        /* TLS_PSK_WITH_NULL_SHA384          */ 0xC0, 0xb1,
-        /* TLS_PSK_WITH_NULL_SHA             */ 0xC0, 0x2c,
-        /* SSL_RSA_WITH_RC4_128_SHA          */ 0xC0, 0x05,
-        /* SSL_RSA_WITH_RC4_128_MD5          */ 0xC0, 0x04,
-        /* SSL_RSA_WITH_3DES_EDE_CBC_SHA     */ 0xC0, 0x0A,
+        /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA */ 0x00, 0x16,
+        /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA  */ 0x00, 0x39,
+        /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA  */ 0x00, 0x33,
+        /* TLS_DH_anon_WITH_AES_128_CBC_SHA  */ 0x00, 0x34,
+        /* TLS_RSA_WITH_AES_256_CBC_SHA      */ 0x00, 0x35,
+        /* TLS_RSA_WITH_AES_128_CBC_SHA      */ 0x00, 0x2F,
+        /* TLS_RSA_WITH_NULL_MD5             */ 0x00, 0x01,
+        /* TLS_RSA_WITH_NULL_SHA             */ 0x00, 0x02,
+        /* TLS_PSK_WITH_AES_256_CBC_SHA      */ 0x00, 0x8d,
+        /* TLS_PSK_WITH_AES_128_CBC_SHA256   */ 0x00, 0xae,
+        /* TLS_PSK_WITH_AES_256_CBC_SHA384   */ 0x00, 0xaf,
+        /* TLS_PSK_WITH_AES_128_CBC_SHA      */ 0x00, 0x8c,
+        /* TLS_PSK_WITH_NULL_SHA256          */ 0x00, 0xb0,
+        /* TLS_PSK_WITH_NULL_SHA384          */ 0x00, 0xb1,
+        /* TLS_PSK_WITH_NULL_SHA             */ 0x00, 0x2c,
+        /* SSL_RSA_WITH_RC4_128_SHA          */ 0x00, 0x05,
+        /* SSL_RSA_WITH_RC4_128_MD5          */ 0x00, 0x04,
+        /* SSL_RSA_WITH_3DES_EDE_CBC_SHA     */ 0x00, 0x0A,
 
         /* ECC suites, first byte is 0xC0 (ECC_BYTE) */
         /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA     */ 0xC0, 0x14,
@@ -1730,6 +1730,41 @@ static int test_wolfSSL_CTX_set_cipher_list_bytes(void)
     return EXPECT_RESULT();
 }
 
+static int test_wolfSSL_get_cipher_list_bytes(void)
+{
+    EXPECT_DECLS;
+#if (defined(WOLFSSL_GET_CIPHER_BYTES)&& \
+    (!defined(NO_WOLFSSL_CLIENT) || !defined(NO_WOLFSSL_SERVER)))
+    WOLFSSL_CTX* ctx = NULL;
+    byte *getCipherList = NULL;
+    word32 cipherListLen = 0;
+
+#ifndef NO_WOLFSSL_SERVER
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+#else
+    ExpectNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+#endif
+
+    ExpectTrue(wolfSSL_get_cipher_list_bytes(NULL, (int *)(&cipherListLen)));
+    ExpectIntGT((int)cipherListLen, 0);
+    ExpectNotNull(getCipherList =
+        (byte *)XMALLOC(cipherListLen, NULL, DYNAMIC_TYPE_TMP_BUFFER));
+    ExpectTrue(wolfSSL_get_cipher_list_bytes(
+        getCipherList, (int *)(&cipherListLen)));
+
+    /* Intentionally minimal verification here. Only way to verify would
+     * be a comprehensive list of all possible ciphersuites, which would
+     * break and need to be updated for every addition to the list. That
+     * is a lot of maintinence overhead for this little used function so
+     * call this good enough. */
+
+    XFREE(getCipherList, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+    wolfSSL_CTX_free(ctx);
+#endif /* (WOLFSSL_GET_CIPHER_BYTES && (!NO_WOLFSSL_CLIENT \
+        * || !NO_WOLFSSL_SERVER) */
+
+    return EXPECT_RESULT();
+}
 
 static int test_wolfSSL_CTX_use_certificate_file(void)
 {
@@ -83801,6 +83836,7 @@ TEST_CASE testCases[] = {
     TEST_DECL(test_SSL_CIPHER_get_xxx),
     TEST_DECL(test_wolfSSL_ERR_strings),
     TEST_DECL(test_wolfSSL_CTX_set_cipher_list_bytes),
+    TEST_DECL(test_wolfSSL_get_cipher_list_bytes),
     TEST_DECL(test_wolfSSL_CTX_use_certificate_file),
     TEST_DECL(test_wolfSSL_CTX_use_certificate_buffer),
     TEST_DECL(test_wolfSSL_CTX_use_PrivateKey_file),

diff --git a/wolfcrypt/src/memory.c b/wolfcrypt/src/memory.c
@@ -1207,6 +1207,9 @@ void wolfSSL_Free(void *ptr, void* heap, int type)
             #else
                 free(ptr);
             #endif
+            #ifdef WOLFSSL_DEBUG_MEMORY
+            fprintf(stderr, "Free: %p at %s:%d\n", ptr, func, line);
+            #endif
         #else
             WOLFSSL_MSG("Error trying to call free when turned off");
         #endif /* WOLFSSL_NO_MALLOC */

diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
@@ -132,6 +132,13 @@
     #include <pthread.h>
 #endif
 
+#if defined(WOLFSSL_ZEPHYR)
+#if defined(CONFIG_BOARD_NATIVE_POSIX)
+#include "native_rtc.h"
+#define CONFIG_RTC
+#endif
+#endif
+
 /* prevent multiple mutex initializations */
 static volatile int initRefCount = 0;
 
@@ -3173,6 +3180,21 @@ time_t z_time(time_t * timer)
 
     #if defined(CONFIG_RTC) && \
         (defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC))
+
+    #if defined(CONFIG_BOARD_NATIVE_POSIX)
+
+    /* When using native sim, get time from simulator rtc */
+    uint32_t nsec = 0;
+    uint64_t sec = 0;
+    native_rtc_gettime(RTC_CLOCK_PSEUDOHOSTREALTIME, &nsec, &sec);
+
+    if (timer != NULL)
+        *timer = sec;
+
+    return sec;
+
+    #else
+
     /* Try to obtain the actual time from an RTC */
     static const struct device *rtc = DEVICE_DT_GET(DT_NODELABEL(rtc));
 
@@ -3191,6 +3213,7 @@ time_t z_time(time_t * timer)
             return epochTime;
         }
     }
+    #endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */
     #endif
 
     /* Fallback to uptime since boot. This works for relative times, but

diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
@@ -1169,6 +1169,7 @@ WOLFSSL_API char* wolfSSL_get_cipher_list(int priority);
 WOLFSSL_API char* wolfSSL_get_cipher_list_ex(WOLFSSL* ssl, int priority);
 WOLFSSL_API int  wolfSSL_get_ciphers(char* buf, int len);
 WOLFSSL_API int wolfSSL_get_ciphers_iana(char* buf, int len);
+WOLFSSL_API int  wolfSSL_get_cipher_list_bytes(byte* buf, int *len);
 WOLFSSL_API const char* wolfSSL_get_cipher_name(WOLFSSL* ssl);
 WOLFSSL_API const char* wolfSSL_get_cipher_name_from_suite(
     unsigned char cipherSuite0, unsigned char cipherSuite);

diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
@@ -2112,6 +2112,7 @@ extern void uITRON4_free(void *p) ;
 
     void *z_realloc(void *ptr, size_t size);
     #define realloc   z_realloc
+    #define max MAX
 
     #if !defined(CONFIG_NET_SOCKETS_POSIX_NAMES) && !defined(CONFIG_POSIX_API)
     #define CONFIG_NET_SOCKETS_POSIX_NAMES

diff --git a/zephyr/CMakeLists.txt b/zephyr/CMakeLists.txt
@@ -22,6 +22,7 @@ if(CONFIG_WOLFSSL)
     zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/zephyr/zephyr_init.c)
 
     zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/crl.c)
+    zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls.c)
     zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/dtls13.c)
     zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/internal.c)
     zephyr_library_sources(${ZEPHYR_CURRENT_MODULE_DIR}/src/keys.c)

diff --git a/zephyr/Kconfig b/zephyr/Kconfig
@@ -70,6 +70,29 @@ config WOLFCRYPT_FIPS
 	  Enables FIPS support in wolfCrypt. Requires the wolfSSL FIPS ready
 	  download that includes fips.c/fips_test.c.
 
+config WOLFSSL_DTLS
+  bool "wolfSSL DTLS support"
+  help
+    Enable DTLS support
+
+config WOLFSSL_ALPN
+  bool "wolfSSL ALPN support"
+  help
+    Enable ALPN support
+
+config WOLFSSL_PSK
+  bool "wolfSSL PSK support"
+  help
+    Enable PSK support
+
+config WOLFSSL_MAX_FRAGMENT_LEN
+  int
+  default 3
+  range 1 6
+  help
+    Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values
+    WOLFSSL_MFL_* in ssl.h
+
 config WOLFCRYPT_ARMASM
 	bool "wolfCrypt ARM Assembly support"
 	depends on WOLFSSL_BUILTIN

diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h
@@ -133,16 +133,43 @@ extern "C" {
     #define NO_SESSION_CACHE /* disable session resumption */
 #endif
 
+/* DTLS */
+#if defined(CONFIG_WOLFSSL_DTLS)
+    #define WOLFSSL_DTLS
+    #define HAVE_SOCKADDR
+#endif
+
 /* PSK */
-#define NO_PSK /* disable pre-shared-key support */
+#if defined(CONFIG_WOLFSSL_PSK)
+    #undef NO_PSK
+    #define WOLFSSL_STATIC_PSK
+#else
+    #define NO_PSK /* disable pre-shared-key support */
+#endif
+
+/* ALPN */
+#if defined(CONFIG_WOLFSSL_ALPN)
+    #define HAVE_ALPN
+#endif
 
+#if defined(CONFIG_WOLFSSL_MAX_FRAGMENT_LEN)
+    #define HAVE_MAX_FRAGMENT
+#endif
+
+#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS)
+    #define WOLFSSL_SET_CIPHER_BYTES
+    #define WOLFSSL_GET_CIPHER_BYTES
+#endif
 
 /* ------------------------------------------------------------------------- */
 /* Algorithms */
 /* ------------------------------------------------------------------------- */
 /* RNG */
 #ifndef WC_NO_HASHDRBG
     #define HAVE_HASHDRBG /* Use DRBG SHA2-256 and seed */
+    #ifdef CONFIG_CSPRNG_ENABLED
+        #define WC_RNG_SEED_CB
+    #endif
 #endif
 
 /* ECC */