[PATCH v2 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
Jerome Forissier
jerome.forissier at linaro.org
Wed Nov 6 14:37:16 CET 2024
On 10/24/24 12:24, Ilias Apalodimas wrote:
> From: Javier Tia <javier.tia at linaro.org>
>
> The current code supports mbedTLS 2.28. Since we are using a newer
> version in U-Boot, update the necessary accessors and the lwIP codebase
> to work with mbedTLS 3.6.0. It's worth noting that the patches are
> already sent to lwIP [0]
>
> While at it enable LWIP_ALTCP_TLS and enable TLS support in lwIP
>
> [0] https://github.com/lwip-tcpip/lwip/pull/47
>
> Signed-off-by: Javier Tia <javier.tia at linaro.org>
> Signed-off-by: Ilias Apalodimas <ilias.apalodimas at linaro.org>
> ---
> lib/lwip/Makefile | 3 ++
> .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 39 ++++++++++++-------
> lib/lwip/lwip/src/core/tcp_out.c | 10 +----
> lib/lwip/u-boot/lwipopts.h | 6 +++
> 4 files changed, 34 insertions(+), 24 deletions(-)
>
> diff --git a/lib/lwip/Makefile b/lib/lwip/Makefile
> index dfcd700ca474..19e5c6897f5a 100644
> --- a/lib/lwip/Makefile
> +++ b/lib/lwip/Makefile
> @@ -53,3 +53,6 @@ obj-y += \
> lwip/src/core/timeouts.o \
> lwip/src/core/udp.o \
> lwip/src/netif/ethernet.o
> +
> +obj-$(CONFIG_MBEDTLS_LIB_TLS) += lwip/src/apps/altcp_tls/altcp_tls_mbedtls.o \
> + lwip/src/apps/altcp_tls/altcp_tls_mbedtls_mem.o
> diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> index a8c2fc2ee2cd..ef19821b89e0 100644
> --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
> @@ -3,7 +3,7 @@
> * Application layered TCP/TLS connection API (to be used from TCPIP thread)
> *
> * This file provides a TLS layer using mbedTLS
> - *
> + *
Unrelated formatting change, do we want to do this in a separate patch maybe?
> * This version is currently compatible with the 2.x.x branch (current LTS).
> */
>
> @@ -70,7 +70,6 @@
> /* @todo: which includes are really needed? */
> #include "mbedtls/entropy.h"
> #include "mbedtls/ctr_drbg.h"
> -#include "mbedtls/certs.h"
> #include "mbedtls/x509.h"
> #include "mbedtls/ssl.h"
> #include "mbedtls/net_sockets.h"
> @@ -81,8 +80,6 @@
> #include "mbedtls/ssl_cache.h"
> #include "mbedtls/ssl_ticket.h"
>
> -#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */
> -
> #include <string.h>
>
> #ifndef ALTCP_MBEDTLS_ENTROPY_PTR
> @@ -132,6 +129,16 @@ static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbed
> static err_t altcp_mbedtls_handle_rx_appldata(struct altcp_pcb *conn, altcp_mbedtls_state_t *state);
> static int altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size);
>
> +static void
> +altcp_mbedtls_flush_output(altcp_mbedtls_state_t *state)
> +{
> + if (state->ssl_context.MBEDTLS_PRIVATE(out_left) != 0) {
> + int flushed = mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0);
> + if (flushed) {
> + LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_send_alert_message failed: %d\n", flushed));
> + }
> + }
> +}
>
> /* callback functions from inner/lower connection: */
>
> @@ -524,14 +531,14 @@ altcp_mbedtls_lower_sent(void *arg, struct altcp_pcb *inner_conn, u16_t len)
> LWIP_ASSERT("state", state != NULL);
> LWIP_ASSERT("pcb mismatch", conn->inner_conn == inner_conn);
> /* calculate TLS overhead part to not send it to application */
> - overhead = state->overhead_bytes_adjust + state->ssl_context.out_left;
> + overhead = state->overhead_bytes_adjust + state->ssl_context.MBEDTLS_PRIVATE(out_left);
> if ((unsigned)overhead > len) {
> overhead = len;
> }
> /* remove ACKed bytes from overhead adjust counter */
> state->overhead_bytes_adjust -= len;
> /* try to send more if we failed before (may increase overhead adjust counter) */
> - mbedtls_ssl_flush_output(&state->ssl_context);
> + altcp_mbedtls_flush_output(state);
> /* remove calculated overhead from ACKed bytes len */
> app_len = len - (u16_t)overhead;
> /* update application write counter and inform application */
> @@ -559,7 +566,7 @@ altcp_mbedtls_lower_poll(void *arg, struct altcp_pcb *inner_conn)
> if (conn->state) {
> altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
> /* try to send more if we failed before */
> - mbedtls_ssl_flush_output(&state->ssl_context);
> + altcp_mbedtls_flush_output(state);
> if (altcp_mbedtls_handle_rx_appldata(conn, state) == ERR_ABRT) {
> return ERR_ABRT;
> }
> @@ -683,7 +690,7 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session)
> if (session && conn && conn->state) {
> altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
> int ret = -1;
> - if (session->data.start)
> + if (session->data.MBEDTLS_PRIVATE(start))
> ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data);
> return ret < 0 ? ERR_VAL : ERR_OK;
> }
> @@ -776,7 +783,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
> struct altcp_tls_config *conf;
> mbedtls_x509_crt *mem;
>
> - if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) {
> + if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) {
> LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS,
> ("altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!\n"));
> }
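Review bot: The widened condition now also fires when TCP_WND is below MBEDTLS_SSL_OUT_CONTENT_LEN, but the debug text still speaks only of the RX decryption buffer, so a warning triggered by the OUT limit would point the reader at the wrong buffer. Either keep the check to the IN side, which is the case the existing message describes, or widen the message, e.g. `("altcp_tls: TCP_WND is smaller than the TLS record buffers (in/out), connection might stall!\n")`; the pre-existing "decrypion" typo could be fixed in the same line. The enclosing function continues outside this hunk.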
> @@ -900,7 +907,7 @@ err_t altcp_tls_config_server_add_privkey_cert(struct altcp_tls_config *config,
> return ERR_VAL;
> }
>
> - ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len);
> + ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
> if (ret != 0) {
> LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret));
> mbedtls_x509_crt_free(srvcert);
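Review bot: The added f_rng/p_rng arguments dereference altcp_tls_entropy_rng without a check; if I read the rest of the file correctly, that is safe only because altcp_tls_create_config() seeds the shared CTR-DRBG before any config can exist, so this function must never be reached with a NULL RNG. Making that precondition explicit costs one line before the parse call: `LWIP_ASSERT("altcp_tls_entropy_rng", altcp_tls_entropy_rng != NULL);`. The identical call added in altcp_tls_create_config_client_2wayauth in the next hunk has the same implicit dependency. While touching this line, note that the failure log right after it still names mbedtls_pk_parse_public_key although the call is mbedtls_pk_parse_key.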
> @@ -1003,7 +1010,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
> }
>
> mbedtls_pk_init(conf->pkey);
> - ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len);
> + ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
> if (ret != 0) {
> LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_key failed: %d 0x%x\n", ret, -1*ret));
> altcp_tls_free_config(conf);
> @@ -1189,7 +1196,7 @@ altcp_mbedtls_sndbuf(struct altcp_pcb *conn)
> size_t ret;
> #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
> /* @todo: adjust ssl_added to real value related to negotiated cipher */
> - size_t max_frag_len = mbedtls_ssl_get_max_frag_len(&state->ssl_context);
> + size_t max_frag_len = mbedtls_ssl_get_max_in_record_payload(&state->ssl_context);
> max_len = LWIP_MIN(max_frag_len, max_len);
> #endif
> /* Adjust sndbuf of inner_conn with what added by SSL */
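Review bot: altcp_mbedtls_sndbuf() computes how much the application may send, so the outgoing limit mbedtls_ssl_get_max_out_record_payload() looks like the intended replacement for mbedtls_ssl_get_max_frag_len(), not the incoming one used here, which reflects what the peer may send to us. As I recall, both 3.x accessors also return int with negative error codes, unlike the size_t-returning function they replace, so storing the result straight into size_t max_frag_len turns an error into a huge value that LWIP_MIN() then happens to mask. Clearer would be `int max_rec = mbedtls_ssl_get_max_out_record_payload(&state->ssl_context);` followed by `if (max_rec > 0) { max_len = LWIP_MIN((size_t)max_rec, max_len); }`. The enclosing function starts before this hunk.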
> @@ -1232,9 +1239,9 @@ altcp_mbedtls_write(struct altcp_pcb *conn, const void *dataptr, u16_t len, u8_t
> /* HACK: if there is something left to send, try to flush it and only
> allow sending more if this succeeded (this is a hack because neither
> returning 0 nor MBEDTLS_ERR_SSL_WANT_WRITE worked for me) */
> - if (state->ssl_context.out_left) {
> - mbedtls_ssl_flush_output(&state->ssl_context);
> - if (state->ssl_context.out_left) {
> + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) {
> + altcp_mbedtls_flush_output(state);
> + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) {
> return ERR_MEM;
> }
> }
> @@ -1284,6 +1291,8 @@ altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size)
> while (size_left) {
> u16_t write_len = (u16_t)LWIP_MIN(size_left, 0xFFFF);
> err_t err = altcp_write(conn->inner_conn, (const void *)dataptr, write_len, apiflags);
> + /* try to send data... */
> + altcp_output(conn->inner_conn);
> if (err == ERR_OK) {
> written += write_len;
> size_left -= write_len;
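Review bot: The new altcp_output() call runs before err is examined and its err_t result is discarded, so an inner connection that has just refused the write still gets an output attempt and a failure of the output itself stays invisible. Unless an output attempt on ERR_MEM is deliberate (to drain the send queue), moving the call under the ERR_OK branch, `if (err == ERR_OK) { altcp_output(conn->inner_conn); written += write_len; ... }`, would make the intent clearer, and the comment `/* try to send data... */` should say why pushing immediately is needed here rather than leaving it to the lower layer. If the reason is the tcp_input_pcb guard removed in tcp_out.c in this same patch, that link deserves a sentence at this call site. The loop and function continue beyond this hunk.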
> diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c
> index 64579ee5cbd8..b5d312137368 100644
> --- a/lib/lwip/lwip/src/core/tcp_out.c
> +++ b/lib/lwip/lwip/src/core/tcp_out.c
> @@ -1255,14 +1255,6 @@ tcp_output(struct tcp_pcb *pcb)
> LWIP_ASSERT("don't call tcp_output for listen-pcbs",
> pcb->state != LISTEN);
>
> - /* First, check if we are invoked by the TCP input processing
> - code. If so, we do not output anything. Instead, we rely on the
> - input processing code to call us when input processing is done
> - with. */
> - if (tcp_input_pcb == pcb) {
> - return ERR_OK;
> - }
> -
> wnd = LWIP_MIN(pcb->snd_wnd, pcb->cwnd);
>
> seg = pcb->unsent;
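Review bot: Removing the tcp_input_pcb check changes tcp_output() for every TCP user of lwIP, not only the TLS layer, yet neither the commit message nor a comment says why; the removed comment explains that the guard defers output requested from within input processing until tcp_input() finishes and calls tcp_output() itself. Without it, a tcp_output() issued from a receive callback emits segments in the middle of input processing, and this divergence from upstream lwIP will be hard to track on later rebases. If the change is required by the altcp_output() call added in altcp_mbedtls_bio_send(), that rationale should go into the commit message and ideally into a comment at the removed check's location, e.g. `/* U-Boot: tcp_input_pcb guard dropped so ALTCP TLS can push records from within input callbacks */`; otherwise this hunk looks like a candidate for a separate patch. The function continues outside the hunk.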
> @@ -2036,7 +2028,7 @@ tcp_rst(const struct tcp_pcb *pcb, u32_t seqno, u32_t ackno,
> u16_t local_port, u16_t remote_port)
> {
> struct pbuf *p;
> -
> +
Unrelated formatting change
> p = tcp_rst_common(pcb, seqno, ackno, local_ip, remote_ip, local_port, remote_port);
> if (p != NULL) {
> tcp_output_control_segment(pcb, p, local_ip, remote_ip);
> diff --git a/lib/lwip/u-boot/lwipopts.h b/lib/lwip/u-boot/lwipopts.h
> index 9d618625facb..88d6faf327ae 100644
> --- a/lib/lwip/u-boot/lwipopts.h
> +++ b/lib/lwip/u-boot/lwipopts.h
> @@ -154,4 +154,10 @@
> #define MEMP_MEM_INIT 1
> #define MEM_LIBC_MALLOC 1
>
> +#if defined(CONFIG_MBEDTLS_LIB_TLS)
> +#define LWIP_ALTCP 1
> +#define LWIP_ALTCP_TLS 1
> +#define LWIP_ALTCP_TLS_MBEDTLS 1
> +#endif
> +
> #endif /* LWIP_UBOOT_LWIPOPTS_H */
Acked-by: Jerome Forissier <jerome.forissier at linaro.org>
Thanks,
--
Jerome