-
Notifications
You must be signed in to change notification settings - Fork 6.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
drivers: wifi: simplelink: Implement setsockopt() for TLS offload #11522
drivers: wifi: simplelink: Implement setsockopt() for TLS offload #11522
Conversation
Codecov Report
@@ Coverage Diff @@
## master #11522 +/- ##
=========================================
- Coverage 48.42% 48.33% -0.1%
=========================================
Files 270 270
Lines 42131 42118 -13
Branches 10141 10140 -1
=========================================
- Hits 20402 20357 -45
- Misses 17647 17675 +28
- Partials 4082 4086 +4
Continue to review full report at Codecov.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for submitting this. Looks good overall, left some remarks to discuss on how to integrate the change into the sample.
} | ||
break; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/* if user wishes to have TCP_NODELAY = FALSE,
* we return EINVAL and fail in the cases below.
Just from above, this will not happen if we break here, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, look like the break is not wanted here. Thanks for catching.
@@ -25,8 +25,14 @@ | |||
|
|||
#if defined(CONFIG_NET_SOCKETS_SOCKOPT_TLS) | |||
#include <net/tls_credentials.h> | |||
#if defined(CONFIG_TLS_CREDENTIAL_FILENAMES) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO we could do all this discrimination in ca_certificate.h
and just include it as it was. The sample code would not need to be modifed at all, as the only difference is on what we keep in the ca_certificate
array.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
True, that would appear less intrusive.
#include "ca_certificate.h" | ||
#endif | ||
#define CA_CERTIFICATE_TAG 1 | ||
static const unsigned int ca_cert_len = sizeof(ca_certificate); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to introduce this variable at all? In both cases we store there sizeof(ca_certificate)
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup, not needed. Can restore to what it was.
c6192ac
to
90d394a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the doc update
SimpleLink WiFi driver, by setting :option:`CONFIG_NET_SOCKETS_OFFLOAD` | ||
to ``y``. | ||
|
||
Secure socket (TLS) communication is handled as part of the socket APIs, and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is a long sentence with multiple items to do, it would read better as a bullet list:
Secure socket (TLS) communication is handled as part of the socket APIs,
and enabled by:
- setting both :option:`CONFIG_NET_SOCKETS_SOCKOPT_TLS` and
:option:`CONFIG_TLS_CREDENTIAL_FILENAMES` to ``y``,
- using the TI Uniflash tool to program the required certificates and
keys to the secure flash filesystem, and enabling the TI Trusted Root-Certificate Catalog.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, updated per request. Thanks.
6eba743
to
8d04bcc
Compare
recheck |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
|
||
Secure socket (TLS) communication is handled as part of the socket APIs, | ||
and enabled by: | ||
- setting both :option:`CONFIG_NET_SOCKETS_SOCKOPT_TLS` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
needs to be a blank line before the first item of a bullet list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, so that's why shippable was failing. Thanks for pointing that out!
Rebased, and re-pushed.
Implements setsockopt() for the socket offload driver to process the TLS tags sent in via the Zephyr setsockopt() API, when CONFIG_NET_SOCKETS_SOCKOPT_TLS is chosen. For each tag, the credential filenames are retrieved and set via SimpleLink's sl_SetSockOpt() API. Also, creates a new KConfig option for TLS_CREDENTIAL_FILENAMES. This new option is used by apps/protocols to add TLS credentials via filenames referring to the actual content stored on a secure file system or flash. Handles the IPPROTO_TLS_* socket protocol families in the socket() offloaded API. This was validated on the cc3220sf_launchxl with the http_get sockets sample, with the globalsign_r2.der file loaded to secure flash via the TI Uniflash tool, and using the TI Catalog of known good root CA's. Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
Update the http_get sockets sample to enable association of secure tags with certificate filenames. This allows certificates and keys to be provisioned to the file system on secure flash, without having to include the actual certificates in the application. Validated on the cc3220sf_launchxl board. Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
Reference working sockets example http_get, and add reference to SimpleLink Certificate Handling. Signed-off-by: Gil Pitney <gil.pitney@linaro.org>
8d04bcc
to
24e6017
Compare
Implements setsockopt() for the socket offload driver
to process the TLS tags sent in via the Zephyr setsockopt() API,
when CONFIG_NET_SOCKETS_SOCKOPT_TLS is chosen.
For each tag, the credential filenames are retrieved and
set via SimpleLink's sl_SetSockOpt() API.
Also, creates a new KConfig option for TLS_CREDENTIAL_FILENAMES.
This new option is used by apps/protocols to add TLS credentials
via filenames referring to the actual content stored on a secure file
system or flash.
Handles the IPPROTO_TLS_* socket protocol families in the
socket() offloaded API.
This was validated on the cc3220sf_launchxl with the http_get sockets
sample, with the globalsign_r2.der file loaded to secure flash via
the TI Uniflash tool, and using the TI Catalog of known good
root CA's.