sock_tls.h

/*
 * Copyright (C) 2019 Daniele Lacamera
 *
 *
 * This file is subject to the terms and conditions of the GNU Lesser
 * General Public License v2.1. See the file LICENSE in the top level
 * directory for more details.
 */
 
/* @defgroup    module sock_tls
 * @ingroup     pkg_wolfssl
 * @brief       Sock submodule for TLS/DTLS sessions
 *
 * How To Use
 * ----------
 * First you need to @ref including-modules "include" a module that implements
 * this API in your application's Makefile.
 *
 * The `sock_tls` module requires the `wolfssl` package.
 *
 * The application's Makefile should at lease contain the following:
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {Makefile}
 *
 * USEPKG += wolfssl
 * USEMODULE+=sock_tls
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 *
 * ### A Simple DTLS Server
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 * #include <wolfssl/ssl.h>
 * #include <sock_tls.h>
 *
 * #include <stdio.h>
 * #include <inttypes.h>
 *
 * #include <net/sock/udp.h>
 *
 * #include <stdio.h>
 * #include <stdlib.h>
 * #include <string.h>
 *
 * #define SERVER_PORT 11111
 * #define DEBUG 1
 * extern const unsigned char server_cert[788];
 * extern const unsigned char server_key[121];
 * extern unsigned int server_cert_len;
 * extern unsigned int server_key_len;
 *
 * static sock_tls_t skv;
 * static sock_tls_t *sk = &skv;
 * static const char Test_dtls_string[] = "DTLS OK!";
 *
 * int main(void)
 * {
 *     char buf[64];
 *     int ret;
 *     sock_udp_ep_t local = SOCK_IPV6_EP_ANY;
 *     local.port = SERVER_PORT;
 *
 *     if (sock_dtls_create(sk, &local, NULL, 0, wolfDTLSv1_2_server_method()) != 0) {
 *         printf("Failed to create DTLS socket context\r\n");
 *         return -1;
 *     }
 *     if (wolfSSL_CTX_use_certificate_buffer(sk->ctx, server_cert,
 *                 server_cert_len, SSL_FILETYPE_ASN1 ) != SSL_SUCCESS)
 *     {
 *         printf("Failed to load certificate from memory.\r\n");
 *         return -1;
 *     }
 *
 *     if (wolfSSL_CTX_use_PrivateKey_buffer(sk->ctx, server_key,
 *                 server_key_len, SSL_FILETYPE_ASN1 ) != SSL_SUCCESS)
 *     {
 *         printf("Failed to load private key from memory.\r\n");
 *         return -1;
 *     }
 *     ret = sock_dtls_session_create(sk);
 *     if (ret < 0)
 *     {
 *         printf("Failed to create DTLS session (err: %s)\r\n", strerror(-ret));
 *         return -1;
 *     }
 *     printf("Listening on %d\n", SERVER_PORT);
 *     while(1) {
 *         ret = wolfSSL_accept(sk->ssl);
 *         if (ret != SSL_SUCCESS) {
 *             continue;
 *         }
 *         printf("Connection accepted\r\n");
 *         ret = wolfSSL_read(sk->ssl, buf, 64);
 *         if (ret > 0) {
 *             buf[ret] = (char)0;
 *             printf("Received '%s'\r\n", buf);
 *         }
 *         printf("Sending 'DTLS OK'...\r\n");
 *         wolfSSL_write(sk->ssl, Test_dtls_string, sizeof(Test_dtls_string));
 *         printf("Closing connection.\r\n");
 *         sock_dtls_session_destroy(sk);
 *         sock_dtls_close(sk);
 *         break;
 *     }
 *     return 0;
 * }
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * Above you see a simple DTLS echo server. It is important to at least include
 * @ref including-modules "include" the IPv6 module of your networking
 * implementation (e.g. `gnrc_ipv6_default` for @ref net_gnrc GNRC) and at least
 * one network device.
 * A separate file should define the buffers used as certificate and private key,
 * in the variables `server_cert`, `private_key` respectively.
 *
 * After including all the needed header files, we use a global object to store
 * the context for incoming DTLS communication. The object contains the reference
 * to the wolfSSL context, the SSL session and the underlying transport socket.
 *
 * For simplicity, we will refer to the address of the object in the static memory,
 * through the pointer `sk`.
 *
 * A constant test string is used later as a reply to incoming connections.
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 * static sock_tls_t skv;
 * static sock_tls_t *sk = &skv;
 *
 * static const char Test_dtls_string[] = "DTLS OK!";
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * In the same way as a normal @ref net_sock_udp "UDP socket", in order to be able to
 * listen for incoming packets, we bind the `sock` by setting a local endpoint with
 * a port (`11111` in this case).
 *
 * We then proceed to create the `sock`. It is bound to `local` and thus listens
 * for UDP packets with @ref udp_hdr_t::dst_port "destination port" `12345`.
 * Since we don't need any further configuration we set the flags to 0.
 * The method argument determines which kind of wolfSSL context is associated to
 * the socket.
*
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 * sock_udp_ep_t local = SOCK_IPV6_EP_ANY;
 * local.port = SERVER_PORT;
 *
 *  if (sock_dtls_create(sk, &local, NULL, 0, wolfDTLSv1_2_server_method()) != 0) {
 *      printf("ERROR: Unable to create DTLS sock\r\n");
 *      return -1;
 *  }
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * By default, all sock_tls operations in a DTLS context are blocking for a
 * limited amount of time, which depends on the DTLS session timeout. To modify
 * the timeout, use `wolfSSL_dtls_set_timeout_init(sk->ssl)`.
 *
 * Certificate and private key for the server context are loaded from a previously
 * initialized section in memory:
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 * if (wolfSSL_CTX_use_certificate_buffer(sk->ctx, server_cert,
 *             server_cert_len, SSL_FILETYPE_ASN1 ) != SSL_SUCCESS)
 * {
 *     printf("Failed to load certificate from memory.\r\n");
 *     return -1;
 * }
 *
 * if (wolfSSL_CTX_use_PrivateKey_buffer(sk->ctx, server_key,
 *             server_key_len, SSL_FILETYPE_ASN1 ) != SSL_SUCCESS)
 * {
 *     printf("Failed to load private key from memory.\r\n");
 *     return -1;
 * }
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * Once the context is configured, the SSL session can be initialized.
 *
 * The listening sock automatically takes care of the DTLS handshake.
 * When the session is established, `wolfSSL_accept()` will finally return
 * `SSL_SUCCESS`.
 *
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 * ret = sock_dtls_session_create(sk);
 * if (ret < 0)
 * {
 *     printf("Failed to create DTLS session (err: %s)\r\n", strerror(-ret));
 *     return -1;
 * }
 * printf("Listening on %d\n", SERVER_PORT);
 * while(1) {
 *     ret = wolfSSL_accept(sk->ssl);
 *     if (ret != SSL_SUCCESS) {
 *         continue;
 *     }
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * At this point, the session is established, and encrypted data can be exchanged
 * using `wolfSSL_read()` and `wolfSSL_write()`:
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 *    ret = wolfSSL_read(sk->ssl, buf, 64);
 *    if (ret > 0) {
 *        buf[ret] = (char)0;
 *        printf("Received '%s'\r\n", buf);
 *    }
 *    printf("Sending 'DTLS OK'...\r\n");
 *    wolfSSL_write(sk->ssl, Test_dtls_string, sizeof(Test_dtls_string));
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 * The session is terminated, and the associated socket is closed.
 *
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ {.c}
 *         sock_dtls_session_destroy(sk);
 *         sock_dtls_close(sk);
 *         break;
 *     }
 *     return 0;
 * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 *
 */
 
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
 
#include <net/sock.h>
#include <wolfssl/ssl.h>
 
#ifndef SOCK_TLS_H
#define SOCK_TLS_H
#ifdef __cplusplus
extern "C" {
#endif
 
int sock_dtls_create(sock_tls_t *sock, const sock_udp_ep_t *local, const sock_udp_ep_t *remote, uint16_t flags, WOLFSSL_METHOD *method);
 
void sock_dtls_set_endpoint(sock_tls_t *sk, const sock_udp_ep_t *addr);
 
int sock_dtls_session_create(sock_tls_t *sk);
 
void sock_dtls_session_destroy(sock_tls_t *sk);
 
void sock_dtls_close(sock_tls_t *sk);
 
#ifdef MODULE_SOCK_TCP
#   error Only support for UDP/IP provided via GNRC stack.
#endif
 
#ifdef __cplusplus
}
#endif
 
#endif /* SOCK_TLS_H */