When no certificate-based ciphersuites are used, mbedTLS compiles out
hostname field and associated functions from its SSL context. This
resulted in compilation error when only PSK-based ciphersuites were
configured.
This commit resolves the issue by compiling-out hostname-related code
from secure sockets implementation on the same basis as mbedTLS does.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
The return of memset is never checked. This patch explicitly ignore
the return to avoid MISRA-C violations.
The only directory excluded directory was ext/* since it contains
only imported code.
Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
sockets_tls subsystem uses entropy driver, yet it does not include
entropy header. This commit fixes this.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
This patch enables BSD socket offload to a dedicated
TCP/IP offload engine.
This provides a simpler, more direct mechanism than going
through NET_OFFLOAD (zsock -> net_context -> socket conversions)
for those devices which provide complete TCP/IP offload at the
BSD socket level, and whose use cases do not require
IP routing between multiple network interfaces.
To use, configure CONFIG_NET_SOCKETS_OFFLOAD=y, and register
socket_offload_ops with this module.
Fixes#3706
Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
This is similar to change which was done in 21f31e90ec, unfortunately
this case was missed.
Fixes: #9032
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
The previous code "optimized" and called both net_context_accept()
and net_context_recv() blindly to reset the corresponding callbacks.
But this leads to "wrong state" logging if debugging is enabled, so
clean that up.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
This commit contains several fixes for DTLS implementation, proposed in
a post-merge review of #9338.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add system calls for the zsock implementations of socket,
close, bind, connect, listen, accept, sendto, recvfrom,
fcntl, poll, inet_pton, and getaddrinfo.
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Originally EFAULT was used to indicate NULL pointer error in TLS option
set/get functions. EINVAL was suggested to be more apropriate error code
for this case, hence replace it.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Introduce non-blocking DTLS handshake, used during recv function call.
This prevents from blocking while waiting for initial handshake packet
on non-blocking sockets during receive.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Make TLS poll function verify if decrypted data is available after
socket has notified activity with POLLIN flag. This prevents from giving
false notifications in case data was received on socket but was consumed
by mbedTLS.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Specify timeout value for mbedtls_ssl_read function for DTLS servers.
Adding this can prevent TLS context lockup in case blocking recv is used
and peer has shut down DTLS connection without closing it gracefully.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add support for DTLS recv/recvfrom function.
For DTLS client, recv function requires to have an already established
DTLS connection.
For DTLS servers, this function will try to establish DTLS connection
before receiving data. In case that DTLS handshake fails, recv function
will silently retry.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add support for DTLS send/sendto function.
For DTLS clients, send function will try to establish DTLS connection
before sending data. If DTLS handshake fails, it will return an error.
For DTLS servers, send function requires to have DTLS connection already
established.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
DTLS handshake can return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED, which
indicate that TLS session context should be reset.
Also, store information whether TLS connection has beed established.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add binary IO functions for DTLS connections.
dtls_rx function is more complex than it's TLS counterpart due to fact,
that DTLS does not allow blocking operation for this function. A simple
timeout mechanism was implmented basing on the zsock_poll function.
This function also verifies peer address. As currently only a single
DTLS connection is supported on a socket, if a DTLS connection is
established, and we receive datagram from different peer, it is silently
dropped.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Functions for checking flags set on sockets are needed by TLS sockets as
well, therefore extract them to a separate header file to avoid code
duplication.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add write-only socket option to set role for DTLS connection. This
option is irrelevant for TLS connections.
This options accepts and integer with a TLS role, compatible with
mbedTLS values:
0 - client,
1 - server.
By default, DTLS will assume client role.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
- Remove redundant 'n' defaults. 'n' is the default value for bool
symbols.
This makes the auto-generated documentation clearer as well: You get
"implicitly defaults to n" instead of
"- n if <propagated dependencies>".
- Shorten
<type>
prompt "foo"
to
<type> "foo"
This works for all types, not just bool.
- Various formatting nits.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
Add write only TLS secure option to set peer verification level for
TLS connection.
This option accepts an integer with a peer verification
level, compatible with mbedtls values (0 - none, 1 - optional, 2 -
required.
By default, socket mimics mebdTLS behavior - (none for server, required
for client).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add TLS secure socket option to read a ciphersuite chosen during TLS
handshake. Might be useful during development.
This is a read-only option that returns an integer containing an
IANA assigned ciphersuite identifier of chosen ciphersuite.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add TLS secure socket option that enables to narrow list of ciphersuites
available for TLS connection.
This option accepts an array of integers with IANA assigned ciphersuite
identifiers and returns such.
By default, every statically configured ciphersuite is available for a
socket and getsockopt returns an array of these.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add write-only TLS secure socket option to set hostname.
This option accepts a string containing the hostname. May be NULL, to
disable hostname verification.
By default, an empty string is set as a hostname for TLS clients,
to enforce hostname verification in mbedTLS.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add TLS secure socket option to select TLS credentials to use.
This option accepts and returns an array of sec_tag_t that indicate
which TLS credentials should be used with specific socket.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add TLS credential management subsystem that enables to register TLS
credentials in the system. Once specific credentials are registered in
the system, they will be available for TLS secure sockets to use.
To use a TLS credential with a socket, the following steps have to be
taken:
1. TLS credential has to be registered in a system-wide pool, using the
API provided in "net/tls_credentials.h" header file.
2. TLS credential (and other TLS parameters) should be set on a socket
using setsockopt().
Note, that there is no need to repeat step 1 for different sockets using
the same credentials. Once TLS credential is registered in the system,
it can be used with mulitple sockets, as long as it's not deleted.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
CONFIG_DNS_RESOLVER is the master switch for DNS resolution support,
for both native and socket APIs. Avoid confusing link errors by
compiling out both dns_resolve_name() and getaddrinfo() if that
option is not enabled.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
Initial implementation of poll() was more of a proof of concept, so
was coded with a single-thread application in mind. As we move to
sockets as the main networking API, make it possible to use poll()
from different threads.
Signed-off-by: Paul Sokolovsky <paul.sokolovsky@linaro.org>
Implement socket poll function for TLS socket. In addition to regular
poll checks, we have to check if there is some decrypted data pending on
mbedTLS.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add entropy source for mbedTLS. If no entropy driver is available, use
non-secure, software entropy source.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add tls_context structure that stored data required by TLS socket
implementation. This structure is allocated from global pool during
socket creation and freed during socket closure.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Add switch to a socket layer that will enable switching socket API to
TLS secure sockets. At this point there is no secure sockets
implementation, so secure socket calls redirect to regular socket calls.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Bool symbols implicitly default to 'n'.
A 'default n' can make sense e.g. in a Kconfig.defconfig file, if you
want to override a 'default y' on the base definition of the symbol. It
isn't used like that on any of these symbols though.
Remove some 'default ""' properties on string symbols too.
Also make definitions more consistent by converting some
config FOO
<type>
prompt "foo"
definitions to a shorter form:
config FOO
<type> "foo"
This shorthand works for int/hex/string symbols too, not just for bool
symbols.
Signed-off-by: Ulf Magnusson <Ulf.Magnusson@nordicsemi.no>
When dns_get_addr_info() returns an error it does not call the
resolve callback, and thus the semaphore will not be given.
This fix will avoid a deadlock situation for various errors.
Added some small tests for getaddrinfo().
Signed-off-by: Stig Bjørlykke <stig.bjorlykke@nordicsemi.no>
Do not lookup DNS AAAA entries if IPv6 is disabled. The result can not
be used anyway because "struct sockaddr" does not have enough space for
IPv6 address in that case.
Signed-off-by: Stig Bjørlykke <stig.bjorlykke@nordicsemi.no>
Make the service parameter optional in getaddrinfo().
The application should be able to use NULL as service when only
interested in the host lookup.
Signed-off-by: Stig Bjørlykke <stig.bjorlykke@nordicsemi.no>
Add support for MSG_DONTWAIT flag in send() and sendto(). This
aligns with the same flag used in recv() and recvfrom().
Signed-off-by: Stig Bjørlykke <stig.bjorlykke@nordicsemi.no>
