samples: net: add TLS offload support to mqtt_publisher

This commit adds support in the sample to deal with the case when TLS
is offloaded and mbedtls is not necessary.

Signed-off-by: Vincent Wan <vincent.wan@linaro.org>

samples/net/mqtt_publisher/README.rst

@@ -114,6 +114,37 @@ Open another terminal window and type:
 
 	$ mosquitto_sub -t sensors
 
+TLS offloading
+==============
+
+For boards that support this feature, TLS offloading is used by
+specifying ``-DOVERLAY_CONFIG=overlay-tls-offload.conf`` when running cmake.
+
+Using this overlay enables TLS without bringing in mbedtls.
+
+Running on cc3220sf_launchxl
+============================
+
+Offloading on cc3220sf_launchxl also provides DHCP services, so the sample
+uses dynamic IP addresses on this board.
+
+By default, the sample is set up to connect to the broker at the address
+specified by SERVER_ADDR in config.h. If the broker is secured using TLS, users
+should enable TLS offloading, upload the server's certificate
+authority file in DER format to the device filesystem using TI Uniflash,
+and name it "ca_cert.der".
+
+In addition, TLS_SNI_HOSTNAME in main.c should be defined to match the
+Common Name (CN) in the certificate file in order for the TLS domain
+name verification to succeed.
+
+See the note on Provisioning and Fast Connect in :ref:`cc3220sf_launchxl`.
+
+The Secure Socket Offload section has information on programming the
+certificate to flash.
+
+Proceed to test as above.
+
 Sample output
 =============
 

samples/net/mqtt_publisher/boards/cc3220sf_launchxl.conf

@@ -9,8 +9,7 @@ CONFIG_WIFI=y
 CONFIG_WIFI_SIMPLELINK=y
 CONFIG_NET_SOCKETS_OFFLOAD=y
 
-# Enable Secure Socket Offload
-CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
+# Enable TLS credential filenames for secure socket offload
 CONFIG_TLS_CREDENTIAL_FILENAMES=y
 
 # Disable unneeded settings from the base prj.conf:

samples/net/mqtt_publisher/overlay-tls-offload.conf

@@ -0,0 +1,2 @@
+CONFIG_MQTT_LIB_TLS=y
+CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

samples/net/mqtt_publisher/src/main.c

@@ -41,7 +41,7 @@ static bool connected;
 #define APP_PSK_TAG 2
 
 static sec_tag_t m_sec_tags[] = {
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(CONFIG_NET_SOCKETS_OFFLOAD)
 		APP_CA_CERT_TAG,
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -53,7 +53,7 @@ static int tls_init(void)
 {
 	int err = -EINVAL;
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(CONFIG_NET_SOCKETS_OFFLOAD)
 	err = tls_credential_add(APP_CA_CERT_TAG, TLS_CREDENTIAL_CA_CERTIFICATE,
 				 ca_certificate, sizeof(ca_certificate));
 	if (err < 0) {
@@ -282,7 +282,7 @@ static void client_init(struct mqtt_client *client)
 	tls_config->cipher_list = NULL;
 	tls_config->sec_tag_list = m_sec_tags;
 	tls_config->sec_tag_count = ARRAY_SIZE(m_sec_tags);
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) || defined(CONFIG_NET_SOCKETS_OFFLOAD)
 	tls_config->hostname = TLS_SNI_HOSTNAME;
 #else
 	tls_config->hostname = NULL;

samples/net/mqtt_publisher/src/test_certs.h

@@ -7,6 +7,20 @@
 #ifndef __TEST_CERTS_H__
 #define __TEST_CERTS_H__
 
+#if defined(CONFIG_NET_SOCKETS_OFFLOAD)
+/* By default only certificates in DER format are supported. If you want to use
+ * certificate in PEM format, you can enable support for it in Kconfig.
+ */
+
+#if defined(CONFIG_TLS_CREDENTIAL_FILENAMES)
+static const unsigned char ca_certificate[] = "ca_cert.der";
+#else
+static const unsigned char ca_certificate[] = {
+#include "ca_cert.der.inc"
+};
+#endif
+
+#else
 #include <mbedtls/ssl_ciphersuites.h>
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -109,4 +123,6 @@ const unsigned char client_psk[] = {
 const char client_psk_id[] = "Client_identity";
 #endif
 
+#endif /* CONFIG_NET_SOCKETS_OFFLOAD */
+
 #endif