Add DTLS support to libcoap using MbedTLS

This update supports DTLS, TLS is a future TODO components/coap/CMakeLists.txt: components/coap/component.mk: Add in the new files that have to be built Replace libcoap/src/coap_notls.c with libcoap/src/coap_mbedtls.c components/coap/libcoap: Update the version to include the current version for supporting MbedTLS components/coap/port/coap_debug.c: components/coap/port/coap_mbedtls.c: components/coap/port/include/coap/coap_dtls.h: New port files for DTLS components/coap/port/include/coap_config_posix.h: Include building with MbedTLS examples/protocols/coap_client/README.md: examples/protocols/coap_client/main/CMakeLists.txt: examples/protocols/coap_client/main/Kconfig.projbuild: examples/protocols/coap_client/main/coap_client_example_main.c: examples/protocols/coap_client/main/component.mk: Update CoAP client to support DTLS examples/protocols/coap_client/main/coap_ca.pem examples/protocols/coap_client/main/coap_client.crt examples/protocols/coap_client/main/coap_client.key New PKI Certs for CoAP client (copied from wpa2_enterprise example) examples/protocols/coap_server/README.md: examples/protocols/coap_server/main/CMakeLists.txt: examples/protocols/coap_server/main/Kconfig.projbuild: examples/protocols/coap_server/main/coap_server_example_main.c: examples/protocols/coap_server/main/component.mk: Update CoAP server to support DTLS Change "no data" to "Hello World!" to prevent confusion examples/protocols/coap_server/main/coap_ca.pem examples/protocols/coap_server/main/coap_server.crt examples/protocols/coap_server/main/coap_server.key New PKI Certs for CoAP server (copied from wpa2_enterprise example) Closes https://github.com/espressif/esp-idf/pull/3345 Closes https://github.com/espressif/esp-idf/issues/1379
2025-08-28 21:33:32 +00:00 · 2019-04-13 12:15:28 +01:00
parent 39f090a4f1
commit 1aaec808da
26 changed files with 4292 additions and 1500 deletions
--- a/examples/protocols/coap_server/main/coap_server_example_main.c
+++ b/examples/protocols/coap_server/main/coap_server_example_main.c
@@ -7,6 +7,13 @@
   CONDITIONS OF ANY KIND, either express or implied.
 */

+/*
+ * WARNING
+ * libcoap is not multi-thread safe, so only this thread must make any coap_*()
+ * calls.  Any external (to this thread) data transmitted in/out via libcoap
+ * therefore has to be passed in/out by xQueue*() via this thread.
+ */
+
 #include <string.h>
 #include <sys/socket.h>

@@ -22,14 +29,39 @@

 #include "protocol_examples_common.h"

+#if 1
+/* Needed until coap_dtls.h becomes a part of libcoap proper */
+#include "libcoap.h"
+#include "coap_dtls.h"
+#endif
 #include "coap.h"

-/* Set this to 9 to get verbose logging from within libcoap */
-#define COAP_LOGGING_LEVEL 0
+/* The examples use simple Pre-Shared-Key configuration that you can set via
+   'make menuconfig'.
+
+   If you'd rather not, just change the below entries to strings with
+   the config you want - ie #define EXAMPLE_COAP_PSK_KEY "some-agreed-preshared-key"
+
+   Note: PSK will only be used if the URI is prefixed with coaps://
+   instead of coap:// and the PSK must be one that the server supports
+   (potentially associated with the IDENTITY)
+*/
+#define EXAMPLE_COAP_PSK_KEY CONFIG_COAP_PSK_KEY
+
+/* The examples use CoAP Logging Level that
+   you can set via 'make menuconfig'.
+
+   If you'd rather not, just change the below entry to a value
+   that is between 0 and 7 with
+   the config you want - ie #define EXAMPLE_COAP_LOG_DEFAULT_LEVEL 7
+*/
+#define EXAMPLE_COAP_LOG_DEFAULT_LEVEL CONFIG_COAP_LOG_DEFAULT_LEVEL

 static char espressif_data[100];
 static int espressif_data_len = 0;

+#define INITIAL_DATA "Hello World!"
+
 /*
 * The resource handler
 */
@@ -59,7 +91,7 @@ hnd_espressif_put(coap_context_t *ctx,

    coap_resource_notify_observers(resource, NULL);

-    if (strcmp (espressif_data, "no data") == 0) {
+    if (strcmp (espressif_data, INITIAL_DATA) == 0) {
        response->code = COAP_RESPONSE_CODE(201);
    }
    else {
@@ -70,7 +102,7 @@ hnd_espressif_put(coap_context_t *ctx,
    (void)coap_get_data(request, &size, &data);

    if (size == 0) {      /* re-init */
-        snprintf(espressif_data, sizeof(espressif_data), "no data");
+        snprintf(espressif_data, sizeof(espressif_data), INITIAL_DATA);
        espressif_data_len = strlen(espressif_data);
    } else {
        espressif_data_len = size > sizeof (espressif_data) ? sizeof (espressif_data) : size;
@@ -88,23 +120,50 @@ hnd_espressif_delete(coap_context_t *ctx,
                     coap_pdu_t *response)
 {
    coap_resource_notify_observers(resource, NULL);
-    snprintf(espressif_data, sizeof(espressif_data), "no data");
+    snprintf(espressif_data, sizeof(espressif_data), INITIAL_DATA);
    espressif_data_len = strlen(espressif_data);
    response->code = COAP_RESPONSE_CODE(202);
 }

-static void coap_example_thread(void *p)
+#ifdef CONFIG_MBEDTLS_COAP_PKI
+
+#ifdef __GNUC__
+#define UNUSED_PARAM __attribute__ ((unused))
+#else /* not a GCC */
+#define UNUSED_PARAM
+#endif /* GCC */
+
+#ifndef min
+#define min(a,b) ((a) < (b) ? (a) : (b))
+#endif
+
+static int
+verify_cn_callback(const char *cn,
+                   const uint8_t *asn1_public_cert UNUSED_PARAM,
+                   size_t asn1_length UNUSED_PARAM,
+                   coap_session_t *session UNUSED_PARAM,
+                   unsigned depth,
+                   int validated UNUSED_PARAM,
+                   void *arg UNUSED_PARAM
+) {
+  coap_log(LOG_INFO, "CN '%s' presented by server (%s)\n",
+           cn, depth ? "CA" : "Certificate");
+  return 1;
+}
+#endif /* CONFIG_MBEDTLS_COAP_PKI */
+
+static void coap_example_server(void *p)
 {
    coap_context_t *ctx = NULL;
-    coap_address_t   serv_addr;
+    coap_address_t serv_addr;
    coap_resource_t *resource = NULL;

-    snprintf(espressif_data, sizeof(espressif_data), "no data");
+    snprintf(espressif_data, sizeof(espressif_data), INITIAL_DATA);
    espressif_data_len = strlen(espressif_data);
-    coap_set_log_level(COAP_LOGGING_LEVEL);
+    coap_set_log_level(EXAMPLE_COAP_LOG_DEFAULT_LEVEL);
+
    while (1) {
-        coap_endpoint_t *ep_udp = NULL;
-        coap_endpoint_t *ep_tcp = NULL;
+        coap_endpoint_t *ep = NULL;
        unsigned wait_ms;

        /* Prepare the CoAP server socket */
@@ -117,14 +176,91 @@ static void coap_example_thread(void *p)
        if (!ctx) {
           continue;
        }
-        ep_udp = coap_new_endpoint(ctx, &serv_addr, COAP_PROTO_UDP);
-        if (!ep_udp) {
+#ifdef CONFIG_MBEDTLS_COAP_PSK
+        /* Need PSK setup before we set up endpoints */
+        coap_context_set_psk(ctx, "CoAP",
+                             (const uint8_t*)EXAMPLE_COAP_PSK_KEY,
+                             sizeof(EXAMPLE_COAP_PSK_KEY)-1);
+#endif /* CONFIG_MBEDTLS_COAP_PSK */
+
+#ifdef CONFIG_MBEDTLS_COAP_PKI
+/* CA cert, taken from coap_ca.pem
+   Server cert, taken from coap_server.crt
+   Server key, taken from coap_server.key
+
+   The PEM, CRT and KEY file are examples taken from the wpa2 enterprise
+   example.
+
+   To embed it in the app binary, the PEM, CRT and KEY file is named
+   in the component.mk COMPONENT_EMBED_TXTFILES variable.
+*/
+extern uint8_t ca_pem_start[] asm("_binary_coap_ca_pem_start");
+extern uint8_t ca_pem_end[]   asm("_binary_coap_ca_pem_end");
+extern uint8_t server_crt_start[] asm("_binary_coap_server_crt_start");
+extern uint8_t server_crt_end[]   asm("_binary_coap_server_crt_end");
+extern uint8_t server_key_start[] asm("_binary_coap_server_key_start");
+extern uint8_t server_key_end[]   asm("_binary_coap_server_key_end");
+            unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start;
+            unsigned int server_crt_bytes = server_crt_end - server_crt_start;
+            unsigned int server_key_bytes = server_key_end - server_key_start;
+            coap_dtls_pki_t dtls_pki;
+
+            memset (&dtls_pki, 0, sizeof(dtls_pki));
+            dtls_pki.version = COAP_DTLS_PKI_SETUP_VERSION;
+            if (ca_pem_bytes) {
+                /*
+                 * Add in additional certificate checking.
+                 * This list of enabled can be tuned for the specific
+                 * requirements - see 'man coap_encryption'.
+                 *
+                 * Note: A list of root ca file can be setup separately using
+                 * coap_context_set_pki_root_cas(), but the below is used to
+                 * define what checking actually takes place.
+                 */
+                dtls_pki.verify_peer_cert        = 1;
+                dtls_pki.require_peer_cert       = 1;
+                dtls_pki.allow_self_signed       = 1;
+                dtls_pki.allow_expired_certs     = 1;
+                dtls_pki.cert_chain_validation   = 1;
+                dtls_pki.cert_chain_verify_depth = 2;
+                dtls_pki.check_cert_revocation   = 1;
+                dtls_pki.allow_no_crl            = 1;
+                dtls_pki.allow_expired_crl       = 1;
+                dtls_pki.allow_bad_md_hash       = 1;
+                dtls_pki.allow_short_rsa_length  = 1;
+                dtls_pki.validate_cn_call_back   = verify_cn_callback;
+                dtls_pki.cn_call_back_arg        = NULL;
+                dtls_pki.validate_sni_call_back  = NULL;
+                dtls_pki.sni_call_back_arg       = NULL;
+            }
+            dtls_pki.pki_key.key_type = COAP_PKI_KEY_PEM_BUF;
+            dtls_pki.pki_key.key.pem_buf.public_cert = server_crt_start;
+            dtls_pki.pki_key.key.pem_buf.public_cert_len = server_crt_bytes;
+            dtls_pki.pki_key.key.pem_buf.private_key = server_key_start;
+            dtls_pki.pki_key.key.pem_buf.private_key_len = server_key_bytes;
+            dtls_pki.pki_key.key.pem_buf.ca_cert = ca_pem_start;
+            dtls_pki.pki_key.key.pem_buf.ca_cert_len = ca_pem_bytes;
+
+            coap_context_set_pki(ctx, &dtls_pki);
+#endif /* CONFIG_MBEDTLS_COAP_PKI */
+
+        ep = coap_new_endpoint(ctx, &serv_addr, COAP_PROTO_UDP);
+        if (!ep) {
           goto clean_up;
        }
-        ep_tcp = coap_new_endpoint(ctx, &serv_addr, COAP_PROTO_TCP);
-        if (!ep_tcp) {
+        ep = coap_new_endpoint(ctx, &serv_addr, COAP_PROTO_TCP);
+        if (!ep) {
           goto clean_up;
        }
+#if defined(CONFIG_MBEDTLS_COAP_PSK) || defined(CONFIG_MBEDTLS_COAP_PKI)
+	if (coap_dtls_is_supported()) {
+            serv_addr.addr.sin.sin_port = htons(COAPS_DEFAULT_PORT);
+            ep = coap_new_endpoint(ctx, &serv_addr, COAP_PROTO_DTLS);
+            if (!ep) {
+               goto clean_up;
+            }
+        }
+#endif /* CONFIG_MBEDTLS_COAP_PSK CONFIG_MBEDTLS_COAP_PKI */
        resource = coap_resource_init(coap_make_str_const("Espressif"), 0);
        if (!resource) {
           goto clean_up;
@@ -165,11 +301,19 @@ void app_main(void)
    tcpip_adapter_init();
    ESP_ERROR_CHECK(esp_event_loop_create_default());

+#if 0
+/* See https://github.com/Ebiroll/qemu_esp32 for further information */
+#include "emul_ip.h"
+    if (is_running_qemu()) {
+        xTaskCreate(task_lwip_init, "task_lwip_init", 2*4096, NULL, 20, NULL); 
+    }
+    else
+#endif
    /* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig.
     * Read "Establishing Wi-Fi or Ethernet Connection" section in
     * examples/protocols/README.md for more information about this function.
     */
    ESP_ERROR_CHECK(example_connect());

-    xTaskCreate(coap_example_thread, "coap", 1024 * 5, NULL, 5, NULL);
+    xTaskCreate(coap_example_server, "coap", 8 * 1024, NULL, 5, NULL);
 }