Re: [PATCH v2 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https

8 Nov 2024

On Wed, 6 Nov 2024 at 13:37, Jerome Forissier
jerome.forissier@linaro.org wrote:
...
On 10/24/24 12:24, Ilias Apalodimas wrote:
...
From: Javier Tia javier.tia@linaro.org
The current code support mbedTLS 2.28. Since we are using a newer
version in U-Boot, update the necessary accessors and the lwIP codebase
to work with mbedTLS 3.6.0. It's worth noting that the patches are
already sent to lwIP [0]
While at it enable LWIP_ALTCP_TLS and enable TLS support in lwIP
[0] https://github.com/lwip-tcpip/lwip/pull/47
Signed-off-by: Javier Tia javier.tia@linaro.org
Signed-off-by: Ilias Apalodimas ilias.apalodimas@linaro.org

lib/lwip/Makefile                             |  3 ++
 .../src/apps/altcp_tls/altcp_tls_mbedtls.c    | 39 ++++++++++++-------
 lib/lwip/lwip/src/core/tcp_out.c              | 10 +----
 lib/lwip/u-boot/lwipopts.h                    |  6 +++
 4 files changed, 34 insertions(+), 24 deletions(-)

diff --git a/lib/lwip/Makefile b/lib/lwip/Makefile
index dfcd700ca474..19e5c6897f5a 100644
--- a/lib/lwip/Makefile
+++ b/lib/lwip/Makefile
@@ -53,3 +53,6 @@ obj-y += \
      lwip/src/core/timeouts.o \
      lwip/src/core/udp.o \
      lwip/src/netif/ethernet.o



+obj-$(CONFIG_MBEDTLS_LIB_TLS) += lwip/src/apps/altcp_tls/altcp_tls_mbedtls.o \

lwip/src/apps/altcp_tls/altcp_tls_mbedtls_mem.o



diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index a8c2fc2ee2cd..ef19821b89e0 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -3,7 +3,7 @@

Application layered TCP/TLS connection API (to be used from TCPIP thread)

This file provides a TLS layer using mbedTLS













Unrelated formatting change, do we want to do this in a separate patch maybe?
...

This version is currently compatible with the 2.x.x branch (current LTS).

*/
@@ -70,7 +70,6 @@
 /* @todo: which includes are really needed? */
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
-#include "mbedtls/certs.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/net_sockets.h"
@@ -81,8 +80,6 @@
 #include "mbedtls/ssl_cache.h"
 #include "mbedtls/ssl_ticket.h"
-#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */



#include <string.h>
#ifndef ALTCP_MBEDTLS_ENTROPY_PTR
@@ -132,6 +129,16 @@ static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbed
 static err_t altcp_mbedtls_handle_rx_appldata(struct altcp_pcb *conn, altcp_mbedtls_state_t *state);
 static int altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size);
+static void
+altcp_mbedtls_flush_output(altcp_mbedtls_state_t *state)
+{

if (state->ssl_context.MBEDTLS_PRIVATE(out_left) != 0) {
int flushed = mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0);
if (flushed) {
 LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_send_alert_message failed: %d\n", flushed));


}
}

+}
/* callback functions from inner/lower connection: */
@@ -524,14 +531,14 @@ altcp_mbedtls_lower_sent(void *arg, struct altcp_pcb *inner_conn, u16_t len)
     LWIP_ASSERT("state", state != NULL);
     LWIP_ASSERT("pcb mismatch", conn->inner_conn == inner_conn);
     /* calculate TLS overhead part to not send it to application */

overhead = state->overhead_bytes_adjust + state->ssl_context.out_left;


overhead = state->overhead_bytes_adjust + state->ssl_context.MBEDTLS_PRIVATE(out_left);
if ((unsigned)overhead > len) {
  overhead = len;
}
/* remove ACKed bytes from overhead adjust counter */
state->overhead_bytes_adjust -= len;
/* try to send more if we failed before (may increase overhead adjust counter) */


mbedtls_ssl_flush_output(&state->ssl_context);


altcp_mbedtls_flush_output(state);
/* remove calculated overhead from ACKed bytes len */
app_len = len - (u16_t)overhead;
/* update application write counter and inform application */

@@ -559,7 +566,7 @@ altcp_mbedtls_lower_poll(void *arg, struct altcp_pcb *inner_conn)
     if (conn->state) {
       altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
       /* try to send more if we failed before */

 mbedtls_ssl_flush_output(&state->ssl_context);




 altcp_mbedtls_flush_output(state);
 if (altcp_mbedtls_handle_rx_appldata(conn, state) == ERR_ABRT) {
   return ERR_ABRT;
 }



@@ -683,7 +690,7 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session)
   if (session && conn && conn->state) {
     altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state;
     int ret = -1;

if (session->data.start)


if (session->data.MBEDTLS_PRIVATE(start))
  ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data);
return ret < 0 ? ERR_VAL : ERR_OK;
}

@@ -776,7 +783,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
   struct altcp_tls_config *conf;
   mbedtls_x509_crt *mem;

if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) {


if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) {
  LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS,
    ("altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!\n"));
}

@@ -900,7 +907,7 @@ err_t altcp_tls_config_server_add_privkey_cert(struct altcp_tls_config *config,
     return ERR_VAL;
   }

ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len);


ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
if (ret != 0) {
  LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret));
  mbedtls_x509_crt_free(srvcert);

@@ -1003,7 +1010,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_
   }
mbedtls_pk_init(conf->pkey);

ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len);


ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
if (ret != 0) {
  LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_key failed: %d 0x%x\n", ret, -1*ret));
  altcp_tls_free_config(conf);

@@ -1189,7 +1196,7 @@ altcp_mbedtls_sndbuf(struct altcp_pcb *conn)
           size_t ret;
 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
           /* @todo: adjust ssl_added to real value related to negotiated cipher */

     size_t max_frag_len = mbedtls_ssl_get_max_frag_len(&state->ssl_context);




     size_t max_frag_len = mbedtls_ssl_get_max_in_record_payload(&state->ssl_context);
     max_len = LWIP_MIN(max_frag_len, max_len);



#endif
           /* Adjust sndbuf of inner_conn with what added by SSL */
@@ -1232,9 +1239,9 @@ altcp_mbedtls_write(struct altcp_pcb *conn, const void *dataptr, u16_t len, u8_t
   /* HACK: if there is something left to send, try to flush it and only
      allow sending more if this succeeded (this is a hack because neither
      returning 0 nor MBEDTLS_ERR_SSL_WANT_WRITE worked for me) */

if (state->ssl_context.out_left) {
mbedtls_ssl_flush_output(&state->ssl_context);
if (state->ssl_context.out_left) {


if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) {
altcp_mbedtls_flush_output(state);
if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) {
  return ERR_MEM;
}
}

@@ -1284,6 +1291,8 @@ altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size)
   while (size_left) {
     u16_t write_len = (u16_t)LWIP_MIN(size_left, 0xFFFF);
     err_t err = altcp_write(conn->inner_conn, (const void *)dataptr, write_len, apiflags);

/* try to send data... */
altcp_output(conn->inner_conn);
if (err == ERR_OK) {
  written += write_len;
  size_left -= write_len;

diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c
index 64579ee5cbd8..b5d312137368 100644
--- a/lib/lwip/lwip/src/core/tcp_out.c
+++ b/lib/lwip/lwip/src/core/tcp_out.c
@@ -1255,14 +1255,6 @@ tcp_output(struct tcp_pcb *pcb)
   LWIP_ASSERT("don't call tcp_output for listen-pcbs",
               pcb->state != LISTEN);

/* First, check if we are invoked by the TCP input processing

code. If so, we do not output anything. Instead, we rely on the


input processing code to call us when input processing is done


with. */


if (tcp_input_pcb == pcb) {

return ERR_OK;

}

wnd = LWIP_MIN(pcb->snd_wnd, pcb->cwnd);
seg = pcb->unsent;


@@ -2036,7 +2028,7 @@ tcp_rst(const struct tcp_pcb *pcb, u32_t seqno, u32_t ackno,
         u16_t local_port, u16_t remote_port)
 {
   struct pbuf *p;






Unrelated formatting change
...
p = tcp_rst_common(pcb, seqno, ackno, local_ip, remote_ip, local_port, remote_port);
   if (p != NULL) {
     tcp_output_control_segment(pcb, p, local_ip, remote_ip);
diff --git a/lib/lwip/u-boot/lwipopts.h b/lib/lwip/u-boot/lwipopts.h
index 9d618625facb..88d6faf327ae 100644
--- a/lib/lwip/u-boot/lwipopts.h
+++ b/lib/lwip/u-boot/lwipopts.h
@@ -154,4 +154,10 @@
 #define MEMP_MEM_INIT                        1
 #define MEM_LIBC_MALLOC                      1
+#if defined(CONFIG_MBEDTLS_LIB_TLS)
+#define LWIP_ALTCP                      1
+#define LWIP_ALTCP_TLS                  1
+#define LWIP_ALTCP_TLS_MBEDTLS          1
+#endif



#endif /* LWIP_UBOOT_LWIPOPTS_H */
Acked-by: Jerome Forissier jerome.forissier@linaro.org
Thanks,
Thanks I'll get rid of the line changes in v3
...
--
Jerome

    