DTLS/mbedTLS/ESP32 support

hirotakaster · hirotakaster · commit 4bdcb6345d93 · 2025-06-06T15:44:44.000+09:00
diff --git a/DtlsUdp.cpp b/DtlsUdp.cpp
@@ -0,0 +1,145 @@
+#if defined(ESP32)
+// NOTE: This class is only available for ESP32 because it depends on mbedtls, which is provided by the ESP32 Arduino core.
+// DtlsUdp.cpp
+// mbedTLS DTLS wrapper class skeleton implementation for Arduino
+#include "DtlsUdp.h"
+
+DtlsUdp::DtlsUdp() : connected(false) {
+    mbedtls_net_init(&net_ctx);
+    mbedtls_ssl_init(&ssl);
+    mbedtls_ssl_config_init(&conf);
+    mbedtls_entropy_init(&entropy);
+    mbedtls_ctr_drbg_init(&ctr_drbg);
+    mbedtls_x509_crt_init(&ca_cert);
+    mbedtls_x509_crt_init(&client_cert);
+    mbedtls_pk_init(&client_key);
+}
+
+DtlsUdp::~DtlsUdp() {
+    end();
+    mbedtls_ssl_free(&ssl);
+    mbedtls_ssl_config_free(&conf);
+    mbedtls_ctr_drbg_free(&ctr_drbg);
+    mbedtls_entropy_free(&entropy);
+    mbedtls_net_free(&net_ctx);
+    mbedtls_x509_crt_free(&ca_cert);
+    mbedtls_x509_crt_free(&client_cert);
+    mbedtls_pk_free(&client_key);
+}
+
+uint8_t DtlsUdp::begin(uint16_t port) {
+    // For DTLS: No need to initialize UDP socket
+    return 1;
+}
+
+bool DtlsUdp::connect(IPAddress ip, int port) {
+    char ipstr[16];
+    sprintf(ipstr, "%d.%d.%d.%d", ip[0], ip[1], ip[2], ip[3]);
+    char portstr[8];
+    snprintf(portstr, sizeof(portstr), "%d", port);
+    if (mbedtls_net_connect(&net_ctx, ipstr, portstr, MBEDTLS_NET_PROTO_UDP) != 0) return false;
+    if (mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_DATAGRAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) return false;
+    mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
+    mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
+    if (mbedtls_ssl_setup(&ssl, &conf) != 0) return false;
+    mbedtls_ssl_set_bio(&ssl, &net_ctx, mbedtls_net_send, mbedtls_net_recv, NULL);
+    // DTLS handshake
+    int ret;
+    do {
+        ret = mbedtls_ssl_handshake(&ssl);
+    } while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);
+    connected = (ret == 0);
+    return connected;
+}
+
+int DtlsUdp::beginPacket(IPAddress ip, uint16_t port) {
+    _remoteIP = ip;
+    _remotePort = port;
+    return 1;
+}
+
+int DtlsUdp::beginPacket(const char *host, uint16_t port) {
+    // Hostname resolution not supported (implement if needed)
+    return 0;
+}
+
+int DtlsUdp::endPacket() {
+    // For DTLS: send is done directly in write
+    return 1;
+}
+
+size_t DtlsUdp::write(const uint8_t *buf, size_t size) {
+    if (!connected) return 0;
+    return mbedtls_ssl_write(&ssl, buf, size);
+}
+
+size_t DtlsUdp::write(uint8_t data) {
+    return write(&data, 1);
+}
+
+int DtlsUdp::parsePacket() {
+    // DTLS is connection-oriented, always treat as one packet
+    return 1;
+}
+
+int DtlsUdp::available() {
+    // Check if receive buffer has data (simple implementation)
+    return 1;
+}
+
+int DtlsUdp::read(unsigned char* buffer, size_t len) {
+    if (!connected) return 0;
+    return mbedtls_ssl_read(&ssl, buffer, len);
+}
+
+int DtlsUdp::read(char* buffer, size_t len) {
+    if (!connected) return 0;
+    return mbedtls_ssl_read(&ssl, (unsigned char*)buffer, len);
+}
+
+int DtlsUdp::read() {
+    unsigned char b;
+    return read(&b, 1) == 1 ? b : -1;
+}
+
+int DtlsUdp::peek() { return -1; }
+
+void DtlsUdp::flush() {}
+
+IPAddress DtlsUdp::remoteIP() { return _remoteIP; }
+
+uint16_t DtlsUdp::remotePort() { return _remotePort; }
+
+void DtlsUdp::end() {
+    if (connected) {
+        mbedtls_ssl_close_notify(&ssl);
+        connected = false;
+    }
+}
+
+void DtlsUdp::stop() {
+    // For DTLS: nothing to do
+}
+
+bool DtlsUdp::setRootCA(const char* ca_pem) {
+    mbedtls_x509_crt_free(&ca_cert);
+    mbedtls_x509_crt_init(&ca_cert);
+    int ret = mbedtls_x509_crt_parse(&ca_cert, (const unsigned char*)ca_pem, strlen(ca_pem)+1);
+    if (ret != 0) return false;
+    mbedtls_ssl_conf_ca_chain(&conf, &ca_cert, NULL);
+    mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+    return true;
+}
+
+bool DtlsUdp::setClientCert(const char* cert_pem, const char* key_pem) {
+    mbedtls_x509_crt_free(&client_cert);
+    mbedtls_x509_crt_init(&client_cert);
+    mbedtls_pk_free(&client_key);
+    mbedtls_pk_init(&client_key);
+    int ret1 = mbedtls_x509_crt_parse(&client_cert, (const unsigned char*)cert_pem, strlen(cert_pem)+1);
+    int ret2 = mbedtls_pk_parse_key(&client_key, (const unsigned char*)key_pem, strlen(key_pem)+1, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg);
+    if (ret1 != 0 || ret2 != 0) return false;
+    mbedtls_ssl_conf_own_cert(&conf, &client_cert, &client_key);
+    return true;
+}
+#endif // ARDUINO_ARCH_ESP32
diff --git a/DtlsUdp.h b/DtlsUdp.h
@@ -0,0 +1,63 @@
+#if defined(ESP32)
+// DtlsUdp.h
+// mbedTLS DTLS wrapper class skeleton for Arduino
+// Example implementation: UDP-compatible API, DTLS communication using mbedTLS
+
+#ifndef __DTLS_UDP_H__
+#define __DTLS_UDP_H__
+
+#include <Arduino.h>
+#include <IPAddress.h>
+#include <mbedtls/ssl.h>
+#include <mbedtls/net_sockets.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/error.h>
+#include "Udp.h"
+
+// NOTE: This class is only available for ESP32 because it depends on mbedtls, which is provided by the ESP32 Arduino core.
+
+class DtlsUdp : public UDP {
+public:
+    DtlsUdp();
+    ~DtlsUdp();
+    // UDPインターフェースの実装
+    uint8_t begin(uint16_t port) override;
+    void stop() override;
+    int beginPacket(IPAddress ip, uint16_t port) override;
+    int beginPacket(const char *host, uint16_t port) override;
+    int endPacket() override;
+    size_t write(const uint8_t *buf, size_t size) override;
+    size_t write(uint8_t data) override;
+    int parsePacket() override;
+    int available() override;
+    int read(unsigned char* buffer, size_t len) override;
+    int read(char* buffer, size_t len) override;
+    int read() override;
+    int peek() override;
+    void flush() override;
+    IPAddress remoteIP() override;
+    uint16_t remotePort() override;
+    // DTLS独自
+    bool connect(IPAddress ip, int port);
+    void end();
+    // --- 証明書/鍵の設定用API ---
+    bool setRootCA(const char* ca_pem);
+    bool setClientCert(const char* cert_pem, const char* key_pem);
+private:
+    mbedtls_ssl_context ssl;
+    mbedtls_ssl_config conf;
+    mbedtls_net_context net_ctx;
+    mbedtls_entropy_context entropy;
+    mbedtls_ctr_drbg_context ctr_drbg;
+    mbedtls_x509_crt ca_cert;
+    mbedtls_x509_crt client_cert;
+    mbedtls_pk_context client_key;
+    bool connected;
+    IPAddress _remoteIP;
+    uint16_t _remotePort;
+};
+
+#endif // __DTLS_UDP_H__
+
+#endif // ESP32
diff --git a/README.md b/README.md
@@ -39,3 +39,11 @@ gcc -o coap-client ./examples/client.c ./examples/coap_list.c -I./include -I. -L
 
 ## Particle Photon, Core compatible
 Check <a href="https://github.com/hirotakaster/CoAP">this</a> version of the library for Particle Photon, Core compatibility.
+
+## DTLS/ESP32 Support (2025 Update)
+
+- Added DTLS (CoAP over DTLS) client support using mbedTLS for ESP32 only.
+- New class: `DtlsUdp` (in `DtlsUdp.h`/`DtlsUdp.cpp`) provides a UDP-like interface for DTLS, leveraging mbedTLS (available only on ESP32 Arduino core).
+- Example: `examples/dtls_test/dtls_test.ino` demonstrates a DTLS CoAP client communicating with a libcoap server using Let's Encrypt Root CA.
+- **Note:** DTLS/mbedTLS features are only available for ESP32. The code is conditionally compiled and will not be included for other platforms.
+- See code comments for details on platform and dependency restrictions.
diff --git a/examples/dtls_test/dtls_test.ino b/examples/dtls_test/dtls_test.ino
@@ -0,0 +1,89 @@
+// NOTE: This sketch is only available for ESP32 because it depends on mbedtls, which is provided by the ESP32 Arduino core.
+// dtls_test.ino
+// DTLS CoAP client auto test sketch
+// Checks GET response from libcoap server
+#include <SPI.h>
+#include <Dhcp.h>
+#include <Dns.h>
+#include <Ethernet.h>
+#include <coap-simple.h>
+#include "DtlsUdp.h"
+
+byte mac[] = { 0x00, 0xAA, 0xBB, 0xCC, 0xDE, 0x02 };
+IPAddress dev_ip(10,10,10,10); // Change as needed
+
+const int LED_PIN = 13;
+DtlsUdp dtlsUdp;
+Coap coap(dtlsUdp);
+bool testPassed = false;
+
+// Let's Encrypt ISRG Root X1
+const char lets_encrypt_root_pem[] =
+"-----BEGIN CERTIFICATE-----\n"
+"MIIFazCCA1OgAwIBAgISA7lE0QJzi10BGiGgF2pQb7MA0GCSqGSIb3DQEBCwUA\n"
+"MEoxCzAJBgNVBAYTAlVTMRMwEQYDVQQKEwpJbnRlcm5ldCBTZWN1cml0eTEhMB8G\n"
+"A1UEAxMYSVNSRyBSb290IFgxIE5ldHdvcmsgQ0EwHhcNMTQwNzE2MTIxMzQwWhcN\n"
+"MzQwNzE2MTIxMzQwWjBKMQswCQYDVQQGEwJVUzETMBEGA1UEChMKSW50ZXJuZXQg\n"
+"U2VjdXJpdHkxITAfBgNVBAMTGEhSRyBSb290IFgxIE5ldHdvcmsgQ0EwggIiMA0G\n"
+"CSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQC7Ahh1gC1XkQwZ0pniS3pSkeCZMt2g\n"
+"kFh2RFxYDs2fzGEGZm4G6dkprdFM5lTyBC0bYKT1eZq9VHtV6nRvWmvMRGsiE9z1\n"
+"k5lFfW4rWuIwoMvVJE9idh+NangNh4tW7x1YgnSUZXoqBYwygJyI072QtdgQXl3k\n"
+"n2Ue+a83H8XIv2qxGn8pY/+bexdFv+DE5jBqFaUG2yygxN6E466+vWXTjhBMWent\n"
+"lMPmMXxMvmXrKE+g6u40qCMgfHdCqkfNNpJBbGAbIYW/W2PASi6DPd7OJbRRqtD9\n"
+"pz50jdK5Zk90un0nLBKBPXn1HULICwhf66A1VpzwuNFuIBqmoeZaZX6mE6xPD58x\n"
+"H5TADaBrZEcD3xKhsR4HIX66vepQP9enZ5bY3bT5iAG2wE8xmPKzW0fvk/sdzEYw\n"
+"+nOiYzcuEGoVYLRNvKcJsteVEh9UpAJZciV06P88GJEqn3Ejj6inUeJ8V+RaHcRU\n"
+"W2KIiMzFxljI0X58F3RrgPf63HgFUsVTNff7kwh28ykVfoCkb0z7dxyzKDn5Xxhx\n"
+"nQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV\n"
+"HQ4EFgQUXxhxL7sRKqzZo4PMBVXgS5aXoaIwDQYJKoZIhvcNAQELBQADggEBAJk1\n"
+"gQXl3k2I5OGucs5cjox96D65gis6pZeRAEIJ5zsxFrqOeE0zY4xXHzkwmo7aX6ix\n"
+"bAGP82afgAvFp8ZUBKbjDg7sWXBJgp7wa9u0edPFsKnzGWx/ju0RduCMsZ/HXXIQ\n"
+"t1vZ1tcHTul3e8DqRLVQjaxAg/P6nxsVXni4eWh05rq6ArlTc95xJMu38xpv8uK9\n"
+"B6f+GO6zkRgZNpmjQe7YQDdyCjTiMQuuLHcEGoVYLRNvKcJsteVEh9UpAJZciV06\n"
+"P88GJEqn3Ejj6inUeJ8V+RaHcRUW2KIiMzFxljI0X58F3RrgPf63HgFUsVTNff7k\n"
+"wh28ykVfoCkb0z7dxyzKDn5XxhxnQ==\n"
+"-----END CERTIFICATE-----\n";
+
+void callback_response(CoapPacket &packet, IPAddress ip, int port) {
+  Serial.println("[Coap DTLS Response got]");
+  char p[packet.payloadlen + 1];
+  memcpy(p, packet.payload, packet.payloadlen);
+  p[packet.payloadlen] = NULL;
+  Serial.print("Response: ");
+  Serial.println(p);
+  if (strstr(p, "Hello") != NULL) {
+    testPassed = true;
+    digitalWrite(LED_PIN, HIGH);
+  } else {
+    testPassed = false;
+    digitalWrite(LED_PIN, LOW);
+  }
+}
+
+void setup() {
+  Serial.begin(9600);
+  pinMode(LED_PIN, OUTPUT);
+  digitalWrite(LED_PIN, LOW);
+  Ethernet.begin(mac, dev_ip);
+  Serial.print("My IP address: ");
+  Serial.println(Ethernet.localIP());
+  dtlsUdp.begin(0);
+  dtlsUdp.setRootCA(lets_encrypt_root_pem); // Set Root CA
+  dtlsUdp.connect(IPAddress(10,10,10,20), 5684);
+  Serial.println("Setup Response Callback");
+  coap.response(callback_response);
+  coap.start();
+}
+
+void loop() {
+  Serial.println("Send DTLS CoAP Test Request");
+  int msgid = coap.get(IPAddress(10,10,10,20), 5684, "test");
+  delay(2000);
+  coap.loop();
+  if (testPassed) {
+    Serial.println("[TEST PASS] DTLS CoAP communication successful");
+  } else {
+    Serial.println("[TEST FAIL] Invalid response or communication failed");
+  }
+  delay(3000);
+}
