samples/net : Adding mbedTLS sample client

This is a client that uses shared keys to execute a TLS handshake and read
info from the server, information on how to run the test is in the README
file.

Jira: ZEP-327
Jira: ZEP-340
Jira: ZEP-495

Origin: https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz

Change-Id: I10f31f3635f346936807b7c8470b3d6ffb3af283
Signed-off-by: Sergio Rodriguez <sergio.sf.rodriguez@intel.com>

ext/lib/crypto/mbedtls/configs/config-ccm-psk-tls1_2.h

@@ -0,0 +1,98 @@
+/*
+ *  Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+/*
+ * Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
+ * Distinguishing features:
+ * - no bignum, no PK, no X509
+ * - fully modern and secure (provided the pre-shared keys have high entropy)
+ * - very low record overhead with CCM-8
+ * - optimized for low RAM usage
+ *
+ * See README.txt for usage instructions.
+ */
+#ifndef MBEDTLS_CONFIG_H
+#define MBEDTLS_CONFIG_H
+
+/* System support */
+#define MBEDTLS_HAVE_ASM
+#define MBEDTLS_PLATFORM_C
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_MEMORY_BUFFER_ALLOC_C
+#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
+#define MBEDTLS_PLATFORM_EXIT_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
+#define MBEDTLS_PLATFORM_PRINTF_ALT
+#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO int
+
+#if defined(CONFIG_MBEDTLS_TEST)
+#define MBEDTLS_SELF_TEST
+#define MBEDTLS_DEBUG_C
+#else
+#define MBEDTLS_ENTROPY_C
+#endif
+
+/* mbed TLS feature support */
+#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define MBEDTLS_SSL_PROTO_TLS1_2
+
+/* mbed TLS modules */
+#define MBEDTLS_AES_C
+#define MBEDTLS_CCM_C
+#define MBEDTLS_CIPHER_C
+#define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_MD_C
+#define MBEDTLS_SHA256_C
+#define MBEDTLS_SSL_CLI_C
+#define MBEDTLS_SSL_SRV_C
+#define MBEDTLS_SSL_TLS_C
+
+/* Save RAM at the expense of ROM */
+#define MBEDTLS_AES_ROM_TABLES
+
+/* Save some RAM by adjusting to your exact needs */
+#define MBEDTLS_PSK_MAX_LEN    16 /* 128-bits keys are generally enough */
+
+/*
+ * You should adjust this to the exact number of sources you're using: default
+ * is the "platform_entropy_poll" source, but you may want to add other ones
+ * Minimum is 2 for the entropy test suite.
+ */
+#define MBEDTLS_ENTROPY_MAX_SOURCES 2
+
+/*
+ * Use only CCM_8 ciphersuites, and
+ * save ROM and a few bytes of RAM by specifying our own ciphersuite list
+ */
+#define MBEDTLS_SSL_CIPHERSUITES                        \
+        MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,             \
+        MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8
+
+/*
+ * Save RAM at the expense of interoperability: do this only if you control
+ * both ends of the connection!  (See comments in "mbedtls/ssl.h".)
+ * The optimal size here depends on the typical size of records.
+ */
+#define MBEDTLS_SSL_MAX_CONTENT_LEN             512
+
+#include "mbedtls/check_config.h"
+
+#endif /* MBEDTLS_CONFIG_H */

samples/net/mbedtls_sslclient/Makefile

@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2016 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+KERNEL_TYPE = nano
+BOARD = galileo
+CONF_FILE = prj_galileo.conf
+
+include $(ZEPHYR_BASE)/Makefile.inc

samples/net/mbedtls_sslclient/README

@@ -0,0 +1,107 @@
+mbed TLS ssl client
++++++++++++
+
+This sample code shows a simple client using mbed TLS on top of Zephyr
+
+
+Prerequisites
+=============
+
+- Galileo Gen 2 Development Board
+- USB to UART TTL (CH340, FTDI or equivalent)
+- PC with Linux.
+- screen command and gcc compiler
+- LAN for testing purposes
+
+
+Procedure
+=========
+
+a) Change the server, netmask and client addresses according to your network
+   in src/tcp_cfg.h.
+
+b) From a terminal window, type:
+
+    make pristine && make BOARD=galileo
+
+c) Copy the binary (outdir/zephyr.strip) to the Galileo's boot
+   device. Insert the boot device.
+
+d) Plug the USB side of the USB-UART cable to the PC.
+   Connect the USB-UART cable to the Galileo.
+   Connect the Galileo to the LAN.
+
+e) Open a terminal window, type:
+
+    screen /dev/ttyUSB0 115200
+
+f) Obtain the mbed TLS code from and put it in a well know directory, in
+   your Linux machine, this will be your server.
+
+	- https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
+
+g) cd to that directory and start the server using a the preshared key
+
+# tar -xvzf mbedtls-2.3.0-apache.tgz
+# cd mbedtls-2.3.0
+# CFLAGS="-I$PWD/configs -DMBEDTLS_CONFIG_FILE='<config-ccm-psk-tls1_2.h>'" make
+# ./programs/ssl/ssl_server2 psk=000102030405060708090a0b0c0d0e0f
+
+You should see something like this
+
+  . Seeding the random number generator... ok
+  . Bind on tcp://*:4433/ ... ok
+  . Setting up the SSL/TLS structure... ok
+  . Waiting for a remote connection ...
+
+
+h) Power-up the board
+
+i) 'screen' will show this after a few seconds:
+
+WARNING: no console will be available to OS
+error: no suitable video mode found.
+
+  . Seeding the random number generator... ok
+  . Setting up the SSL/TLS structure... ok
+  . Connecting to tcp/localhost/4433... ok
+  . Performing the SSL/TLS handshake... ok
+  > Write to server: ok
+  . Closing the connection... done
+
+j) The server side should print
+
+  . Waiting for a remote connection ... ok
+  . Performing the SSL/TLS handshake... ok
+    [ Protocol is TLSv1.2 ]
+    [ Ciphersuite is TLS-PSK-WITH-AES-256-CCM-8 ]
+    [ Record expansion is 21 ]
+  < Read from client: 18 bytes read
+
+GET / HTTP/1.0
+
+  > Write to client: 139 bytes written in 1 fragments
+
+HTTP/1.0 200 OK
+Content-Type: text/html
+
+<h2>mbed TLS Test Server</h2>
+<p>Successful connection using: TLS-PSK-WITH-AES-256-CCM-8</p>
+
+  . Closing the connection... done
+
+
+Troubleshooting
+===============
+
+- If the server does not receive the  messages, use a network
+  traffic analyzer, like Wireshark.
+
+- Reset the board
+
+References
+==========
+
+[1] https://www.zephyrproject.org/doc/getting_started/getting_started.html
+[2] https://wiki.zephyrproject.org/view/Galileo_Gen1_Gen2
+[3] https://tls.mbed.org/

samples/net/mbedtls_sslclient/prj_galileo.conf

@@ -0,0 +1,28 @@
+CONFIG_STDOUT_CONSOLE=y
+CONFIG_MINIMAL_LIBC_EXTENDED=y
+CONFIG_TEST_RANDOM_GENERATOR=y
+
+CONFIG_NETWORKING=y
+CONFIG_ETHERNET=y
+CONFIG_ETH_DW=y
+
+CONFIG_NANO_TIMEOUTS=y
+CONFIG_NETWORKING_WITH_TCP=y
+CONFIG_NETWORKING_WITH_IPV4=y
+CONFIG_NETWORKING_IPV6_NO_ND=y
+
+CONFIG_IP_BUF_RX_SIZE=4
+CONFIG_IP_BUF_TX_SIZE=4
+
+
+# Uncomment the following variables for debugging
+
+#CONFIG_NETWORKING_WITH_LOGGING=y
+#CONFIG_NETWORK_IP_STACK_DEBUG_NET_BUF=y
+#CONFIG_NET_BUF_DEBUG=y
+#CONFIG_NETWORK_IP_STACK_DEBUG_CONTEXT=y
+#CONFIG_NETWORK_IP_STACK_DEBUG_TCP_PSOCK=y
+
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_BUILTIN=y
+CONFIG_MBEDTLS_CFG_FILE="config-ccm-psk-tls1_2.h"

samples/net/mbedtls_sslclient/src/Makefile

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2016 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+ccflags-y +=-I${ZEPHYR_BASE}/net/ip/contiki
+ccflags-y +=-I${ZEPHYR_BASE}/net/ip/contiki/os/lib
+ccflags-y +=-I${ZEPHYR_BASE}/net/ip/contiki/os
+ccflags-y +=-I${ZEPHYR_BASE}/net/ip
+
+obj-y += mini_client.o tcp.o

samples/net/mbedtls_sslclient/src/mini_client.c

@@ -0,0 +1,334 @@
+/*
+ *  Minimal SSL client, used for memory measurements.
+ *  (meant to be used with config-suite-b.h or config-ccm-psk-tls1_2.h)
+ *
+ *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#include <zephyr.h>
+#if defined(CONFIG_STDOUT_CONSOLE)
+#include <stdio.h>
+#define PRINT           printf
+#else
+#include <misc/printk.h>
+#define PRINT           printk
+#endif
+
+#include <errno.h>
+
+#if !defined(CONFIG_MBEDTLS_CFG_FILE)
+#include "mbedtls/config.h"
+#else
+#include CONFIG_MBEDTLS_CFG_FILE
+#endif
+
+#if defined(MBEDTLS_PLATFORM_C)
+#include "mbedtls/platform.h"
+#else
+#include <stdlib.h>
+#define mbedtls_time_t       time_t
+#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
+#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
+#endif
+
+#include <string.h>
+#include "tcp.h"
+#include "tcp_cfg.h"
+
+#include "mbedtls/net.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+#include "mbedtls/memory_buffer_alloc.h"
+static unsigned char heap[20480];
+#endif
+
+/*
+ * Hardcoded values for server host and port
+ */
+#define HOSTNAME "localhost"	/* for cert verification if enabled */
+
+#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
+
+const char *pers = "mini_client";
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+const unsigned char psk[] = {
+	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+};
+
+const char psk_id[] = "Client_identity";
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+/* This is tests/data_files/test-ca2.crt, a CA using EC secp384r1 */
+const unsigned char ca_cert[] = {
+	0x30, 0x82, 0x02, 0x52, 0x30, 0x82, 0x01, 0xd7, 0xa0, 0x03, 0x02, 0x01,
+	0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,
+	0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02,
+	0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+	0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a,
+	0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c,
+	0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c,
+	0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45,
+	0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x33, 0x30, 0x39,
+	0x32, 0x34, 0x31, 0x35, 0x34, 0x39, 0x34, 0x38, 0x5a, 0x17, 0x0d, 0x32,
+	0x33, 0x30, 0x39, 0x32, 0x32, 0x31, 0x35, 0x34, 0x39, 0x34, 0x38, 0x5a,
+	0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+	0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30, 0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a,
+	0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c,
+	0x30, 0x1a, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c,
+	0x61, 0x72, 0x73, 0x73, 0x6c, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x45,
+	0x43, 0x20, 0x43, 0x41, 0x30, 0x76, 0x30, 0x10, 0x06, 0x07, 0x2a, 0x86,
+	0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22,
+	0x03, 0x62, 0x00, 0x04, 0xc3, 0xda, 0x2b, 0x34, 0x41, 0x37, 0x58, 0x2f,
+	0x87, 0x56, 0xfe, 0xfc, 0x89, 0xba, 0x29, 0x43, 0x4b, 0x4e, 0xe0, 0x6e,
+	0xc3, 0x0e, 0x57, 0x53, 0x33, 0x39, 0x58, 0xd4, 0x52, 0xb4, 0x91, 0x95,
+	0x39, 0x0b, 0x23, 0xdf, 0x5f, 0x17, 0x24, 0x62, 0x48, 0xfc, 0x1a, 0x95,
+	0x29, 0xce, 0x2c, 0x2d, 0x87, 0xc2, 0x88, 0x52, 0x80, 0xaf, 0xd6, 0x6a,
+	0xab, 0x21, 0xdd, 0xb8, 0xd3, 0x1c, 0x6e, 0x58, 0xb8, 0xca, 0xe8, 0xb2,
+	0x69, 0x8e, 0xf3, 0x41, 0xad, 0x29, 0xc3, 0xb4, 0x5f, 0x75, 0xa7, 0x47,
+	0x6f, 0xd5, 0x19, 0x29, 0x55, 0x69, 0x9a, 0x53, 0x3b, 0x20, 0xb4, 0x66,
+	0x16, 0x60, 0x33, 0x1e, 0xa3, 0x81, 0xa0, 0x30, 0x81, 0x9d, 0x30, 0x1d,
+	0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x9d, 0x6d, 0x20,
+	0x24, 0x49, 0x01, 0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24,
+	0xc9, 0xdb, 0xfb, 0x36, 0x7c, 0x30, 0x6e, 0x06, 0x03, 0x55, 0x1d, 0x23,
+	0x04, 0x67, 0x30, 0x65, 0x80, 0x14, 0x9d, 0x6d, 0x20, 0x24, 0x49, 0x01,
+	0x3f, 0x2b, 0xcb, 0x78, 0xb5, 0x19, 0xbc, 0x7e, 0x24, 0xc9, 0xdb, 0xfb,
+	0x36, 0x7c, 0xa1, 0x42, 0xa4, 0x40, 0x30, 0x3e, 0x31, 0x0b, 0x30, 0x09,
+	0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x4e, 0x4c, 0x31, 0x11, 0x30,
+	0x0f, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x08, 0x50, 0x6f, 0x6c, 0x61,
+	0x72, 0x53, 0x53, 0x4c, 0x31, 0x1c, 0x30, 0x1a, 0x06, 0x03, 0x55, 0x04,
+	0x03, 0x13, 0x13, 0x50, 0x6f, 0x6c, 0x61, 0x72, 0x73, 0x73, 0x6c, 0x20,
+	0x54, 0x65, 0x73, 0x74, 0x20, 0x45, 0x43, 0x20, 0x43, 0x41, 0x82, 0x09,
+	0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8, 0x30, 0x0c, 0x06,
+	0x03, 0x55, 0x1d, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xff, 0x30,
+	0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x02, 0x03,
+	0x69, 0x00, 0x30, 0x66, 0x02, 0x31, 0x00, 0xc3, 0xb4, 0x62, 0x73, 0x56,
+	0x28, 0x95, 0x00, 0x7d, 0x78, 0x12, 0x26, 0xd2, 0x71, 0x7b, 0x19, 0xf8,
+	0x8a, 0x98, 0x3e, 0x92, 0xfe, 0x33, 0x9e, 0xe4, 0x79, 0xd2, 0xfe, 0x7a,
+	0xb7, 0x87, 0x74, 0x3c, 0x2b, 0xb8, 0xd7, 0x69, 0x94, 0x0b, 0xa3, 0x67,
+	0x77, 0xb8, 0xb3, 0xbe, 0xd1, 0x36, 0x32, 0x02, 0x31, 0x00, 0xfd, 0x67,
+	0x9c, 0x94, 0x23, 0x67, 0xc0, 0x56, 0xba, 0x4b, 0x33, 0x15, 0x00, 0xc6,
+	0xe3, 0xcc, 0x31, 0x08, 0x2c, 0x9c, 0x8b, 0xda, 0xa9, 0x75, 0x23, 0x2f,
+	0xb8, 0x28, 0xe7, 0xf2, 0x9c, 0x14, 0x3a, 0x40, 0x01, 0x5c, 0xaf, 0x0c,
+	0xb2, 0xcf, 0x74, 0x7f, 0x30, 0x9f, 0x08, 0x43, 0xad, 0x20,
+};
+#endif /* MBEDTLS_X509_CRT_PARSE_C */
+
+enum exit_codes {
+	exit_ok = 0,
+	ctr_drbg_seed_failed,
+	ssl_config_defaults_failed,
+	ssl_setup_failed,
+	hostname_failed,
+	socket_failed,
+	connect_failed,
+	x509_crt_parse_failed,
+	ssl_handshake_failed,
+	ssl_write_failed,
+};
+
+static int entropy_source(void *data, unsigned char *output, size_t len,
+			  size_t *olen)
+{
+	uint32_t seed;
+	char *ptr = data;
+
+	seed = sys_rand32_get();
+
+	if (!seed) {
+		seed = 7;
+	}
+
+	for (int i = 0; i < len; i++) {
+		seed ^= seed << 13;
+		seed ^= seed >> 17;
+		seed ^= seed << 5;
+		*ptr++ = (char)seed;
+	}
+	*olen = len;
+	return 0;
+}
+
+void tls_client(void)
+{
+	int ret = exit_ok;
+	struct tcp_context ctx;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+	mbedtls_x509_crt ca;
+#endif
+
+	mbedtls_entropy_context entropy;
+	mbedtls_ctr_drbg_context ctr_drbg;
+	mbedtls_ssl_context ssl;
+	mbedtls_ssl_config conf;
+	mbedtls_ctr_drbg_init(&ctr_drbg);
+
+	mbedtls_platform_set_printf(PRINT);
+
+	/*
+	 * 0. Initialize and setup stuff
+	 */
+	mbedtls_ssl_init(&ssl);
+	mbedtls_ssl_config_init(&conf);
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+	mbedtls_x509_crt_init(&ca);
+#endif
+
+	mbedtls_printf("\n  . Seeding the random number generator...");
+	mbedtls_entropy_init(&entropy);
+	mbedtls_entropy_add_source(&entropy, entropy_source, NULL,
+				   MBEDTLS_ENTROPY_MAX_GATHER,
+				   MBEDTLS_ENTROPY_SOURCE_STRONG);
+
+	if (mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
+				  (const unsigned char *)pers,
+				  strlen(pers)) != 0) {
+		ret = ctr_drbg_seed_failed;
+		mbedtls_printf
+		    (" failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n",
+		     -ret);
+		goto exit;
+	}
+	mbedtls_printf(" ok\n");
+
+	mbedtls_printf("  . Setting up the SSL/TLS structure...");
+	if (mbedtls_ssl_config_defaults(&conf,
+					MBEDTLS_SSL_IS_CLIENT,
+					MBEDTLS_SSL_TRANSPORT_STREAM,
+					MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
+		ret = ssl_config_defaults_failed;
+		mbedtls_printf
+		    (" failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n",
+		     -ret);
+		goto exit;
+	}
+
+	mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
+
+#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
+	mbedtls_memory_buffer_alloc_init(heap, sizeof(heap));
+#endif
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+	mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk),
+			     (const unsigned char *)psk_id, sizeof(psk_id) - 1);
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+	if (mbedtls_x509_crt_parse_der(&ca, ca_cert, sizeof(ca_cert)) != 0) {
+		ret = x509_crt_parse_failed;
+		mbedtls_printf
+		    (" failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
+		     -ret);
+		goto exit;
+	}
+
+	mbedtls_ssl_conf_ca_chain(&conf, &ca, NULL);
+	mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+#endif
+
+	if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
+		ret = ssl_setup_failed;
+		mbedtls_printf
+		    (" failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n", -ret);
+		goto exit;
+	}
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+	if (mbedtls_ssl_set_hostname(&ssl, HOSTNAME) != 0) {
+		ret = hostname_failed;
+		mbedtls_printf
+		    (" failed\n  ! mbedtls_ssl_set_hostname returned %d\n\n",
+		     ret);
+		goto exit;
+	}
+#endif
+	mbedtls_printf(" ok\n");
+
+	/*
+	 * 1. Start the connection
+	 */
+
+	mbedtls_printf("  . Connecting to tcp %d.%d.%d.%d:%d...",
+		       SERVER_IPADDR0, SERVER_IPADDR1, SERVER_IPADDR2,
+		       SERVER_IPADDR3, SERVER_PORT);
+
+	if (tcp_init(&ctx) != 0) {
+		ret = connect_failed;
+		mbedtls_printf(" failed\n  ! tcp_init returned -0x%x\n\n",
+			       -ret);
+		goto exit;
+	}
+
+	mbedtls_printf(" ok\n");
+
+	mbedtls_ssl_set_bio(&ssl, &ctx, tcp_tx, tcp_rx, NULL);
+
+	mbedtls_printf("  . Performing the SSL/TLS handshake...");
+	if (mbedtls_ssl_handshake(&ssl) != 0) {
+		ret = ssl_handshake_failed;
+		mbedtls_printf
+		    (" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n",
+		     -ret);
+		goto exit;
+	}
+	mbedtls_printf(" ok\n");
+
+	/*
+	 * 2. Write the GET request and close the connection
+	 */
+	mbedtls_printf("  > Write to server:");
+	if (mbedtls_ssl_write(&ssl, (const unsigned char *)GET_REQUEST,
+			      sizeof(GET_REQUEST) - 1) <= 0) {
+		ret = ssl_write_failed;
+		mbedtls_printf
+		    (" failed\n  ! mbedtls_ssl_write returned -0x%x\n\n", -ret);
+		goto exit;
+	}
+	mbedtls_printf(" ok\n");
+
+	mbedtls_printf("  . Closing the connection...");
+	mbedtls_ssl_close_notify(&ssl);
+	mbedtls_printf(" done\n");
+exit:
+
+	mbedtls_ssl_free(&ssl);
+	mbedtls_ssl_config_free(&conf);
+	mbedtls_ctr_drbg_free(&ctr_drbg);
+	mbedtls_entropy_free(&entropy);
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+	mbedtls_x509_crt_free(&ca);
+#endif
+
+}
+
+#define STACK_SIZE		8192
+uint8_t stack[STACK_SIZE];
+
+void main(void)
+{
+	net_init();
+
+	task_fiber_start(stack, STACK_SIZE, (nano_fiber_entry_t) tls_client,
+			 0, 0, 7, 0);
+}

samples/net/mbedtls_sslclient/src/tcp.c

@@ -0,0 +1,165 @@
+/*
+ * Copyright (c) 2016 Intel Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <string.h>
+#include <errno.h>
+#include <misc/printk.h>
+
+#include "tcp_cfg.h"
+#include "tcp.h"
+
+#include <net/ip_buf.h>
+#include <net/net_core.h>
+#include <net/net_socket.h>
+
+#if !defined(CONFIG_MBEDTLS_CFG_FILE)
+#include "mbedtls/config.h"
+#else
+#include CONFIG_MBEDTLS_CFG_FILE
+#endif
+
+#include "mbedtls/ssl.h"
+
+uip_ipaddr_t uip_hostaddr = { {CLIENT_IPADDR0, CLIENT_IPADDR1,
+			       CLIENT_IPADDR2, CLIENT_IPADDR3}
+};
+
+uip_ipaddr_t uip_netmask = { {NETMASK0, NETMASK1, NETMASK2, NETMASK3}
+};
+
+#define CLIENT_IP_ADDR		{ { { CLIENT_IPADDR0, CLIENT_IPADDR1,	\
+				      CLIENT_IPADDR2, CLIENT_IPADDR3 } } }
+
+#define SERVER_IP_ADDR		{ { { SERVER_IPADDR0, SERVER_IPADDR1,	\
+				      SERVER_IPADDR2, SERVER_IPADDR3 } } }
+
+#define INET_FAMILY		AF_INET
+
+int tcp_tx(void *context, const unsigned char *buf, size_t size)
+{
+	struct tcp_context *ctx = context;
+	struct net_buf *nbuf;
+	uint8_t *ptr;
+	int rc = 0;
+	nbuf = ip_buf_get_tx(ctx->net_ctx);
+
+	if (nbuf == NULL) {
+		return -EINVAL;
+	}
+
+	ptr = net_buf_add(nbuf, size);
+	memcpy(ptr, buf, size);
+	ip_buf_appdatalen(nbuf) = size;
+
+	do {
+		rc = net_send(nbuf);
+		fiber_sleep(TCP_RETRY_TIMEOUT);
+		if (rc >= 0) {
+			ip_buf_unref(nbuf);
+			return size;
+		}
+		switch (rc) {
+		case -EINPROGRESS:
+			break;
+		case -EAGAIN:
+		case -ECONNRESET:
+			break;
+		default:
+			ip_buf_unref(nbuf);
+			return -EIO;
+		}
+	} while (1);
+
+	return -EIO;
+}
+
+int tcp_rx(void *context, unsigned char *buf, size_t size)
+{
+	struct tcp_context *ctx = context;
+	struct net_buf *nbuf;
+	int8_t *ptr;
+	int rc, read_bytes;
+
+	if (ctx->rx_nbuf == NULL) {
+		nbuf = net_receive(ctx->net_ctx, TCP_RX_TIMEOUT);
+		rc = -EIO;
+		if (nbuf != NULL) {
+			read_bytes = ip_buf_appdatalen(nbuf);
+			if (read_bytes > size) {
+				memcpy(buf, ip_buf_appdata(nbuf), size);
+				ctx->rx_nbuf = nbuf;
+				ctx->remaining = read_bytes - size;
+				return size;
+			} else {
+				memcpy(buf, ip_buf_appdata(nbuf), read_bytes);
+				rc = read_bytes;
+			}
+			ip_buf_unref(nbuf);
+		}
+	} else {
+		ptr = ip_buf_appdata(ctx->rx_nbuf);
+		read_bytes = ip_buf_appdatalen(ctx->rx_nbuf) - ctx->remaining;
+		ptr += read_bytes;
+		if (ctx->remaining > size) {
+			memcpy(buf, ptr, size);
+			ctx->remaining -= size;
+			rc = size;
+		} else {
+			read_bytes = size < ctx->remaining ? size : ctx->remaining;
+			memcpy(buf, ptr, read_bytes);
+			ip_buf_unref(ctx->rx_nbuf);
+			ctx->remaining = 0;
+			ctx->rx_nbuf = NULL;
+			rc = read_bytes;
+		}
+	}
+
+	return rc;
+}
+
+int tcp_init(struct tcp_context *ctx)
+{
+	static struct in_addr server_addr = SERVER_IP_ADDR;
+	static struct in_addr client_addr = CLIENT_IP_ADDR;
+	static struct net_addr server;
+	static struct net_addr client;
+	char woke = 0;
+
+	server.in_addr = server_addr;
+	server.family = AF_INET;
+
+	client.in_addr = client_addr;
+	client.family = AF_INET;
+
+	ctx->rx_nbuf = NULL;
+	ctx->remaining = 0;
+
+	ctx->net_ctx = net_context_get(IPPROTO_TCP,
+				      &server, SERVER_PORT,
+				      &client, CLIENT_PORT);
+	if (ctx->net_ctx == NULL) {
+		return -EINVAL;
+	}
+
+	/* In order to stablish connection, at least one packet has to be sent,
+	 * sending a 0 size packet is no longer possible,  as noted in
+	 * https://jira.zephyrproject.org/browse/ZEP-612 so at least one byte
+	 * has to be sent.
+	 */
+	tcp_tx(ctx, &woke, 1);
+
+	return 0;
+}

samples/net/mbedtls_sslclient/src/tcp.h

@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2016 Intel Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef _TCP_H_
+#define _TCP_H_
+
+#include <net/net_core.h>
+#include <net/ip_buf.h>
+
+struct tcp_context {
+	struct net_context *net_ctx;
+	struct net_buf *rx_nbuf;
+	int remaining;
+};
+
+int tcp_init(struct tcp_context *ctx);
+int tcp_tx(void *ctx, const unsigned char *buf, size_t size);
+int tcp_rx(void *ctx, unsigned char *buf, size_t size);
+
+#endif

samples/net/mbedtls_sslclient/src/tcp_cfg.h

@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2016 Intel Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef TCP_CONFIG_H_
+#define TCP_CONFIG_H_
+
+#define NETMASK0		255
+#define NETMASK1		255
+#define NETMASK2		255
+#define NETMASK3		0
+
+#define CLIENT_IPADDR0		192
+#define CLIENT_IPADDR1		168
+#define CLIENT_IPADDR2		1
+#define CLIENT_IPADDR3		100
+
+#define SERVER_IPADDR0		192
+#define SERVER_IPADDR1		168
+#define SERVER_IPADDR2		1
+#define SERVER_IPADDR3		1
+
+#define SERVER_PORT	4433
+
+#define CLIENT_PORT	8484
+
+#define TCP_RX_TIMEOUT		50
+
+#define TCP_RETRY_TIMEOUT	50
+
+#endif

samples/net/mbedtls_sslclient/testcase.ini

@@ -0,0 +1,5 @@
+[test]
+tags = net
+build_only = true
+arch_whitelist = x86
+platform_whitelist = galileo