Rebuild the platform espressif32 with DTLS for Arduino framework

r-zlotorzynski · October 26, 2019, 12:19pm

Hello,

I’m implementing a project using Arduino. The project is based on encrypted UDP communication (DTLS). By default, DTLS functionality is not available in Arduino. My question is how to proceed step by step to rebuild the framework with this functionality and then compile my project with this new available functionality?

best regards

maxgerhardt · October 26, 2019, 3:24pm

Configuration options for mbedtls are put in the file esp_config.h. You can either directly enable the mbedtls macros or their surrounding config macros.

github.com

espressif/arduino-esp32/blob/91e095f5a76ec35f06c86689a87892425395b8db/tools/sdk/include/mbedtls/mbedtls/esp_config.h#L1203-L1218


      
          /**
           * \def MBEDTLS_SSL_PROTO_DTLS
           *
           * Enable support for DTLS (all available versions).
           *
           * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
           * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
           *
           * Requires: MBEDTLS_SSL_PROTO_TLS1_1
           *        or MBEDTLS_SSL_PROTO_TLS1_2
           *
           * Comment this macro to disable support for DTLS
           */
          #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
          #define MBEDTLS_SSL_PROTO_DTLS
          #endif

So the first thing to try would be to add build_flags = -D CONFIG_MBEDTLS_SSL_PROTO_DTLS to the platformio.ini and see if you can compile a firmware which uses DTLS functions. E.g., activating that CONFIG_ macro should make the function mbedtls_ssl_conf_dtls_anti_replay() available so a simple code like

#include <mbedtls/ssl.h>

void app_main() {
   mbedtls_ssl_conf_dtls_anti_replay(NULL, MBEDTLS_SSL_ANTI_REPLAY_ENABLED);
}

should be able to sanity-test it; there should be no undefined reference errors if this works.

Be carefull to delete any CONFIG_MBEDTLS_SSL_PROTO_DTLS references from your sdkconfig.h file if you do this, as this seems to duplicated there otherwise (arduino-esp32/sdkconfig at 5f1dff7dad965581b98ae4dc3fdfe21e3b552072 · espressif/arduino-esp32 · GitHub)

r-zlotorzynski · October 26, 2019, 4:06pm

Ok, I checked it out.
At first the compilation indicated an error: no reference to the indicated method.
Only after rebulid using ESP-IDF tools did the error disappear and the project began to compile.

However, another problem arose after calling the method: mbedtls_ssl_handshake
debug indicates this method’s error (-28928) and interception of communication from mbedtls_ssl_send_t indicates that even Client Hello was not generated.

maxgerhardt · October 27, 2019, 1:21pm

Ok what exactly did you execute to rebuild it “using ESP-IDF tools”?

This is -0x7100 and indicates bad input data.

github.com

Mbed-TLS/mbedtls/blob/b23abcb38df6b38a50fd5cbd2e409811b0dcc67e/include/mbedtls/ssl.h#L76


      
          #endif
          
          #if defined(MBEDTLS_USE_PSA_CRYPTO)
          #include "psa/crypto.h"
          #endif /* MBEDTLS_USE_PSA_CRYPTO */
          
          /*
           * SSL Error codes
           */
          #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE               -0x7080  /**< The requested feature is not available. */
          #define MBEDTLS_ERR_SSL_BAD_INPUT_DATA                    -0x7100  /**< Bad input parameters to function. */
          #define MBEDTLS_ERR_SSL_INVALID_MAC                       -0x7180  /**< Verification of the message MAC failed. */
          #define MBEDTLS_ERR_SSL_INVALID_RECORD                    -0x7200  /**< An invalid SSL record was received. */
          #define MBEDTLS_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
          #define MBEDTLS_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
          #define MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
          #define MBEDTLS_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
          #define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
          #define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message. */
          #define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
          #define MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED              -0x7600  /**< The own private key or pre-shared key is not set, but needed. */

What is exactly the test firmware and against which server are you talking about? Note that the CONFIG_MBEDTLS_SSL_PROTO_DTLS will generate a ClientHello which wants a HelloVerifyRequest. If your server sends something else you get that error.

github.com

espressif/arduino-esp32/blob/91e095f5a76ec35f06c86689a87892425395b8db/tools/sdk/include/mbedtls/mbedtls/esp_config.h#L1248-L1266


      
          /**
           * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
           *
           * Enable support for HelloVerifyRequest on DTLS servers.
           *
           * This feature is highly recommended to prevent DTLS servers being used as
           * amplifiers in DoS attacks against other hosts. It should always be enabled
           * unless you know for sure amplification cannot be a problem in the
           * environment in which your server operates.
           *
           * \warning Disabling this can ba a security risk! (see above)
           *
           * Requires: MBEDTLS_SSL_PROTO_DTLS
           *
           * Comment this to disable support for HelloVerifyRequest.
           */
          #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
          #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
          #endif

If you do not want that then you musn’t use the CONFIG_ macro but instead the direct collection of mbedtls macros, e.g.

build_flags = -D MBEDTLS_SSL_PROTO_DTLS -D MBEDTLS_SSL_DTLS_ANTI_REPLAY -D MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE -D MBEDTLS_SSL_DTLS_BADMAC_LIMIT

(no MBEDTLS_SSL_DTLS_HELLO_VERIFY included)

azarubkin · October 29, 2019, 9:01am

Uh, I may be mistaken, but as far as I understand, ESP-IDF framework is precompiled in Arduino framework. To recompile ESP-IDF with new settings, you need to use Arduino as ESP-IDF component. More info can be found in this issue.

The relevant lines in your platformio.ini should read:

platform = https://github.com/platformio/platform-espressif32.git
framework = arduino, espidf

r-zlotorzynski · March 20, 2020, 4:07pm

I was able to solve the problem, thank you all for your helpful advice.

Regards