Support for wolfSSL?

Open rlillback opened this issue 2 years ago • 13 comments

Is there a plan to support wolfSSL for the crypto library? We have a project that requires dTLS v1.3. The currently supported options (mbedTLS, openSSL, gnuTLS, etc.) do not support dTLS v1.3 yet.

rlillback avatar Feb 05 '23 18:02 rlillback

Is it specifically ConnectionID that you are looking for from RFC9147?

  • After a quick read, it is unclear if wolfSSL fully supports RFC9147.
  • TinyDTLS has a PR https://github.com/eclipse/tinydtls/pull/149 for adding in a ConnectionID (DTLS 1.2 RFC9146).
  • MbedTLS v3.3.0 has support for ConnectionID - should be a small change to libcoap to add in that support.

There currently are no plans to add in wolfSSL as an alternative TLS library, but there is no reason as to why someone can't take this on as a project and we can then get the changes merged in once stable.

mrdeep1 avatar Feb 06 '23 10:02 mrdeep1

It is my understanding that v1.3 has breaking changes that include:

  • Key derivation constructs
  • HelloRetryRequest is used instead of HelloVerifyRequest
  • Session resumption mechanism was changed
  • Changes in record layer encoding
  • Addition of Connection ID

So, there are multiple changes that I'm looking to support.

rlillback avatar Feb 07 '23 16:02 rlillback

OK - Seems as if wolfSSL is one of the very few TLS library implementations. The primary work that needs to be done is in an equivalent coap_{openssl|mbedtls|gnutls|tinydtls}.c TLS library interface file. It does look like coap_openssl.c could be a good starting point using the wolfSSL OpenSSL compatibility header.

mrdeep1 avatar Feb 07 '23 19:02 mrdeep1

I agree that having WolfSSL would be useful because of its so far unique support for DTLS 1.3. (BTW: Another feature that comes with this is support for the elliptic curve 25519.)

obgm avatar Apr 24 '23 11:04 obgm

Supporting session resumption (even just with DTLS 1.2 CID) would be really awesome. +1 also for supporting WolfSSL, although I understand that this is a bit more complex task.

erpalma avatar Jun 29 '23 12:06 erpalma

> Supporting session resumption (even just with DTLS 1.2 CID) would be really awesome.

Please see PR #1153 where there is support for CID with later code versions of MbedTLS. Feedback welcome.

mrdeep1 avatar Jun 30 '23 13:06 mrdeep1
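
What the DTLS 1.2 Connection ID discussed in this thread changes on the receive path, as an added example that is not libcoap, MbedTLS or wolfSSL code: a `tls12_cid` record (content type 25, RFC 9146) carries the CID between the sequence number and the length field, so a server can find the session by CID rather than by source address and survive a NAT rebinding. The record bytes, the session table, the `demux` helper and the `authenticated` flag (standing in for the AEAD check, which is omitted) are all constructed for this example.

```c
/* Added example: DTLS 1.2 Connection ID record parsing and CID-based
 * demultiplexing (RFC 9146). Not libcoap or wolfSSL code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS12_CID   25   /* ContentType tls12_cid (RFC 9146) */
#define MAX_CID_LEN 16   /* limit chosen for this example */

struct cid_record {
    uint16_t version, epoch;
    uint64_t seq;                 /* 48-bit record sequence number */
    uint8_t  cid[MAX_CID_LEN];
    size_t   cid_len;
    const uint8_t *enc_content;   /* still encrypted; real type is inside */
    size_t   enc_len;
};

/* The CID length is not on the wire: the receiver knows it because it chose
 * its own CID in the connection_id extension. Returns bytes consumed, 0 if
 * the record is malformed or truncated. */
size_t parse_cid_record(const uint8_t *buf, size_t len, size_t cid_len,
                        struct cid_record *r)
{
    size_t hdr = 1 + 2 + 2 + 6 + cid_len + 2;
    if (cid_len == 0 || cid_len > MAX_CID_LEN || len < hdr || buf[0] != TLS12_CID)
        return 0;
    r->version = (uint16_t)((buf[1] << 8) | buf[2]);
    r->epoch   = (uint16_t)((buf[3] << 8) | buf[4]);
    r->seq = 0;
    for (size_t i = 0; i < 6; i++)
        r->seq = (r->seq << 8) | buf[5 + i];
    memcpy(r->cid, buf + 11, cid_len);
    r->cid_len = cid_len;
    r->enc_len = (size_t)((buf[11 + cid_len] << 8) | buf[12 + cid_len]);
    if (len - hdr < r->enc_len)      /* length field overruns the datagram */
        return 0;
    r->enc_content = buf + hdr;
    return hdr + r->enc_len;
}

/* Minimal session table keyed by the CID the server issued (constructed). */
struct session {
    uint8_t cid[MAX_CID_LEN];
    size_t  cid_len;
    char    peer[32];   /* last authenticated source address of the peer */
};

struct session *find_by_cid(struct session *tab, size_t n,
                            const uint8_t *cid, size_t cid_len)
{
    for (size_t i = 0; i < n; i++)
        if (tab[i].cid_len == cid_len && memcmp(tab[i].cid, cid, cid_len) == 0)
            return &tab[i];
    return NULL;
}

/* Without CID the lookup key is the 5-tuple, so a NAT rebinding orphans the
 * session. With CID the session is found first and moved to the new address
 * only after the record authenticates: RFC 9146 forbids updating the peer
 * address on an unauthenticated record, otherwise anyone who sees a CID could
 * redirect the server's traffic. `authenticated` stands in for the AEAD
 * check. Returns 1 if a session was found, 0 otherwise. */
int demux(struct session *tab, size_t n, const uint8_t *dgram, size_t len,
          size_t cid_len, const char *src_addr, int authenticated)
{
    struct cid_record r;
    if (parse_cid_record(dgram, len, cid_len, &r) == 0)
        return 0;
    struct session *s = find_by_cid(tab, n, r.cid, r.cid_len);
    if (s == NULL)
        return 0;
    if (authenticated && strcmp(s->peer, src_addr) != 0)
        snprintf(s->peer, sizeof s->peer, "%s", src_addr);
    return 1;
}

/* Constructed record: version fefd (DTLS 1.2), epoch 1, seq 7,
 * CID 01 02 03 04, 5 bytes of (fake) ciphertext. */
static const uint8_t sample_record[] = {
    0x19, 0xfe, 0xfd, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
    0x01, 0x02, 0x03, 0x04, 0x00, 0x05, 0xaa, 0xbb, 0xcc, 0xdd, 0xee
};

int main(void)
{
    struct session tab[1] = {{{1, 2, 3, 4}, 4, "192.0.2.10:5684"}};
    /* The same session, now arriving from a new NAT binding. */
    int ok = demux(tab, 1, sample_record, sizeof sample_record, 4,
                   "198.51.100.7:40000", 1);
    printf("found=%d peer=%s\n", ok, tab[0].peer);
    return ok ? 0 : 1;
}
```

The same record arriving from a third address with `authenticated == 0` still matches the session but must leave the stored peer address alone; that ordering (decrypt and verify first, then update the address) is the security check a CID implementation is easiest to get wrong.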

Just to mention: Elliptic curve 25519 works with DTLS 1.2 as well, for both ECDHE and ECDSA.

boaks avatar Jul 02 '23 15:07 boaks

@fj-blanco Thanks for your work supporting wolfSSL in libcoap.

Some of your code relies on the latest source for wolfSSL, and so when building the code with Ubuntu 22.04 and the latest libwolfssl-dev (5.2.0), there are a lot of build errors. I will take a look at basing things off your code changes and pushing the changes.

mrdeep1 avatar Nov 27 '23 12:11 mrdeep1

> @fj-blanco Thanks for your work supporting wolfSSL in libcoap.
>
> Some of your code relies on the latest source for wolfSSL, and so when building the code with Ubuntu 22.04 and the latest libwolfssl-dev (5.2.0), there are a lot of build errors. I will take a look at basing things off your code changes and pushing the changes.

Thank you. While I have been working on this both in Ubuntu 22.04 and Debian 11, I haven't focused on version compatibility yet. Any help is appreciated.

I have updated a TODO list here with the main pending issues in the integration that I've identified so far: https://github.com/qursa-uc3m/libcoap-wolfssl/blob/wolfssl/wolfssl_dev/README.md

fj-blanco avatar Nov 27 '23 13:11 fj-blanco

@fj-blanco Thanks for the updated documentation. It does however look like you are still finding the latest wolfSSL build on your Ubuntu 22.04.03 system, rather than the one from libwolfssl-dev - I am getting

libcoap Configuration Summary:
      .....
      build with TCP support         : "yes"
      build DTLS support             : "yes"
         -->  wolfSSL around         : "yes" (found wolfSSL 5.2.0)
              wolfSSL_CFLAGS         : ""
              wolfSSL_LIBS           : "-lwolfssl"
      add default names              : "yes"

followed by compilation errors in coap_wolfssl.c. After fixing the compilation errors, I am not able to get examples/coap-client-wolfssl to talk to examples/coap-server-wolfssl (or for that matter any coap-server-*), getting handshake errors.

mrdeep1 avatar Nov 27 '23 15:11 mrdeep1

> @fj-blanco Thanks for the updated documentation. It does however look like you are still finding the latest wolfSSL build on your Ubuntu 22.04.03 system, rather than the one from libwolfssl-dev - I am getting
>
>     libcoap Configuration Summary:
>           .....
>           build with TCP support         : "yes"
>           build DTLS support             : "yes"
>              -->  wolfSSL around         : "yes" (found wolfSSL 5.2.0)
>                   wolfSSL_CFLAGS         : ""
>                   wolfSSL_LIBS           : "-lwolfssl"
>           add default names              : "yes"
>
> followed by compilation errors in coap_wolfssl.c. After fixing the compilation errors, I am not able to get examples/coap-client-wolfssl to talk to examples/coap-server-wolfssl (or for that matter any coap-server-*), getting handshake errors.

Have you tried building wolfssl from source with the script install_wolfssl.sh (wolfssl_dev folder)? (you need to run install_liboqs_for_wolfssl.sh if you want to try PQ KEMs and signatures, but not strictly necessary for testing just DTLS 1.3). I'm using a lot of compilation flags (for the OpenSSL compatibility layer, DTLS 1.3, PQ, and so on) and a very recent feature wolfSSL_dtls13_allow_ch_frag. I haven't tried to make the code compatible with libwolfssl-dev yet (don't know if possible).

fj-blanco avatar Nov 27 '23 16:11 fj-blanco

Building wolfssl from source using your ./configure options allows coap-client-wolfssl to talk to coap-server-wolfssl, but the client cannot talk to any other server that has a different library; likewise, any client with a non-wolfssl TLS library cannot talk to coap-server-wolfssl (only tested PSK so far). Still having trouble with PKI with coap-client-wolfssl talking to coap-server-wolfssl with my certificates that work for other TLS implementations. I will try to investigate further.

mrdeep1 avatar Nov 27 '23 16:11 mrdeep1

> Building wolfssl from source using your ./configure options allows coap-client-wolfssl to talk to coap-server-wolfssl, but the client cannot talk to any other server that has a different library; likewise, any client with a non-wolfssl TLS library cannot talk to coap-server-wolfssl (only tested PSK so far). Still having trouble with PKI with coap-client-wolfssl talking to coap-server-wolfssl with my certificates that work for other TLS implementations. I will try to investigate further.

Great, thank you. If you're unable to address any of those issues, please provide me with a list of reproducible scenarios, or scenarios that you consider relevant but don't have time to test yourself. I will address them as soon as possible.

fj-blanco avatar Nov 27 '23 17:11 fj-blanco

PR #1358 has been raised for wolfSSL support in libcoap for testing. This took some time to get ready as some (primarily PSK) interoperability issues with other TLS libraries needed to get addressed in the wolfSSL source code as well.

mrdeep1 avatar Apr 10 '24 16:04 mrdeep1

Closing Issue as wolfSSL is now available in the develop branch.

mrdeep1 avatar May 21 '24 10:05 mrdeep1