TI CC3200 with enhanced security (advanced)

This tutorial is optional. It extends security and is based on a basic TI CC3200 Xively tutorial.

How to use a more secure configuration of wolfSSL with OCSP stapling

The wolfSSL library is used to create Transport Layer Security (TLS) connections. The CC3200 ships with an on-chip version of wolfSSL, but that version does not support Online Certificate Status Protocol (OCSP) stapling. OCSP stapling is crucial for detecting compromised and revoked certificates during the handshake, and thus it increases security.

This tutorial provides instructions on building and linking against a newer version of the wolfSSL library so that OCSP stapling can be leveraged by your project.

This tutorial supports Windows and macOS. For Linux, follow the macOS instructions.

What you will learn

This advanced tutorial shows how to connect your CC3200 board to Xively using a custom wolfSSL library instead of the on-board TLS solution. This lets you use the newest wolfSSL features (e.g. OCSP stapling). Note that this increases the overall RAM usage of the final solution, since the wolfSSL library becomes part of the deployed application.

Prerequisites

Complete the basic TI CC3200 Xively tutorial before starting this advanced one.

Software you will install during the tutorial

wolfSSL embedded SSL library

Step 1 of 4: Prepare the wolfSSL library

Download wolfSSL library source

  1. Download wolfSSL library source code from wolfSSL.
  2. Put the wolfSSL main directory under the PATH_TO_XIVELY_LIBRARY_MAIN_FOLDER/xively-client-c/src/import/tls/.
  3. Rename the folder so it is just wolfssl. It should not include the version number.

For example, if your version is 3.6.8, rename

    PATH_TO_XIVELY_LIBRARY_MAIN_FOLDER/xively-client-c/src/import/tls/wolfssl-3.6.8

to

    PATH_TO_XIVELY_LIBRARY_MAIN_FOLDER/xively-client-c/src/import/tls/wolfssl

For the purpose of this tutorial we will use {..} to mark the PATH_TO_XIVELY_LIBRARY_MAIN_FOLDER/xively-client-c/src/import/tls folder. According to this notation, the wolfSSL main directory is: {..}/wolfssl.

Configure wolfSSL library source

wolfSSL supports TI-RTOS builds. To prepare the build, configure the paths to the TI-RTOS components as described below.

  1. In the {..}/wolfssl/tirtos/products.mak file, set the following variables.
     Alternatively, follow the steps in Using wolfSSL with TI-RTOS to generate the wolfSSL static library for CC3200, then continue with step 2.

Depending on the versions of the packages installed, the folder referenced by BIOS_INSTALL_DIR may differ. Check inside c:/ti/tirex-content (Windows) or ~/ti/tirex-content (macOS) to ensure the variable references the correct folder.

Windows:

    XDC_INSTALL_DIR        =c:/ti/xdctools_3_32_01_22_core
    BIOS_INSTALL_DIR       =c:/ti/tirex-content/tirtos_cc32xx_2_16_00_08/products/bios_6_45_01_29
    NDK_INSTALL_DIR        =
    TIVAWARE_INSTALL_DIR   =

    export XDCTOOLS_JAVA_HOME=c:/Program Files (x86)/Java/jre1.8.0_51

    ti.targets.arm.elf.M4F =c:/ti/ccsv6/tools/compiler/arm_15.12.3.LTS
    iar.targets.arm.M4F    =
    gnu.targets.arm.M4F    =

macOS:

    XDC_INSTALL_DIR        =/Applications/ti/xdctools_3_32_01_22_core
    BIOS_INSTALL_DIR       =$(HOME)/ti/tirex-content/tirtos_cc32xx_2_16_00_08/products/bios_6_45_01_29
    NDK_INSTALL_DIR        =
    TIVAWARE_INSTALL_DIR   =

    export XDCTOOLS_JAVA_HOME=/Applications/ti/ccsv6/eclipse/jre/Contents/Home

    ti.targets.arm.elf.M4F =/Applications/ti/ccsv6/tools/compiler/arm_15.12.3.LTS
    iar.targets.arm.M4F    =
    gnu.targets.arm.M4F    =

Customize the wolfSSL build

  1. In the {..}/wolfssl/wolfssl/wolfcrypt/settings.h file, add a new platform macro WOLFSSL_NOOS_XIVELY with the following content. This will configure the wolfSSL features needed for connecting to the Xively service.
    Important: The position of this macro matters. Put this new section just before the line #ifdef WOLFSSL_TIRTOS.
        #ifdef WOLFSSL_NOOS_XIVELY

        /*
         *  wolfSSL cipher settings
         */
        #undef   WOLFSSL_STATIC_RSA
        // #undef   NO_DH
        #define  NO_DH

        /* Legacy and unneeded algorithms, old TLS versions and PSK are left out */
        #define  NO_DES
        #define  NO_DES3
        #define  NO_DSA
        #define  NO_HC128
        #define  NO_MD4
        #define  NO_OLD_TLS
        #define  NO_PSK
        #define  NO_PWDBASED
        #define  NO_RC4
        #define  NO_RABBIT
        #define  NO_SHA512

        /* No RTOS in this build, so no locking is needed */
        #define SINGLE_THREADED

        /* Entropy comes from the board through xively_ssl_rand_generate() (defined in main.c) */
        #define CUSTOM_RAND_GENERATE xively_ssl_rand_generate

        /* TLS extensions: SNI, OCSP and the status_request extension that carries the stapled response */
        #define HAVE_SNI
        #define HAVE_OCSP
        #define HAVE_CERTIFICATE_STATUS_REQUEST

        /* Small footprint, socket I/O supplied by the application, CC3200 target */
        #define SMALL_SESSION_CACHE
        #define NO_CLIENT_CACHE
        #define WOLFSSL_SMALL_STACK
        #define WOLFSSL_USER_IO
        #define TARGET_IS_CC3200

        /* No filesystem or /dev/random on the board: certificates come from buffers, time from XTIME() */
        #define SIZEOF_LONG_LONG 8
        #define NO_WRITEV
        #define NO_WOLFSSL_DIR
        #define USE_FAST_MATH
        #define TFM_TIMING_RESISTANT
        #define NO_DEV_RANDOM
        #define NO_FILESYSTEM
        #define USE_CERT_BUFFERS_2048
        // #define NO_ERROR_STRINGS
        #define USER_TIME
        #define HAVE_ECC
        // #define HAVE_ALPN
        #define HAVE_TLS_EXTENSIONS
        #define HAVE_AESGCM
        // #define HAVE_SUPPORTED_CURVES
        #define ALT_ECC_SIZE

        #ifdef __IAR_SYSTEMS_ICC__
            #pragma diag_suppress=Pa089
        #elif !defined(__GNUC__)
            /* Suppress the sslpro warning */
            #pragma diag_suppress=11
        #endif

        #endif
  2. To compile with the above settings, change the following define in the {..}/wolfssl/tirtos/wolfssl.bld file from:

         -DWOLFSSL_TIRTOS

     to:

         -DWOLFSSL_NOOS_XIVELY
  3. In the {..}/wolfssl/tirtos/packages/ti/net/wolfssl/package.bld file, comment out the last lines for building hwLib as shown below.
        /*
        var hwLibptions = {incs: wolfsslPathInclude, defs: " -DWOLFSSL_TI_HASH "
               + "-DWOLFSSL_TI_CRYPT -DTARGET_IS_SNOWFLAKE_RA2"};

        var hwLib = Pkg.addLibrary("lib/wolfssl_tm4c_hw", targ, hwLibptions);
        hwLib.addObjects(wolfSSLObjList);
        */
  4. To enable OCSP stapling support, add the "src/ocsp.c" source file to the wolfSSLObjList variable in the {..}/wolfssl/tirtos/packages/ti/net/wolfssl/package.bld file.

Step 2 of 4: Rebuild the Xively C Client library with new PRESET

Rebuilding makes the Xively C Client use the freshly configured wolfSSL during its connection to the Xively service. To do this, execute the following commands in the root directory of the xively-client-c repository:

Windows:

Set paths for gmake and mkdir:

    PATH=%PATH%;c:\ti\ccsv6\utils\bin
    PATH=%PATH%;c:\ti\ccsv6\utils\cygwin

Clean and build the library:

    gmake PRESET=CC3200 clean
    gmake PRESET=CC3200

macOS and Linux:

Clean and build the library:

    make PRESET=CC3200 clean
    make PRESET=CC3200

Step 3 of 4: Build the wolfSSL embedded SSL library

Execute the following commands from the {..}/wolfssl/tirtos/ folder:

Windows:

    PATH=%PATH%;c:\ti\ccsv6\utils\bin
    gmake -f wolfssl.mak all

macOS:

    make -f wolfssl.mak all

The resulting file is {..}/wolfssl/tirtos/packages/ti/net/wolfssl/lib/wolfssl.aem4f. This is the wolfSSL library that will provide TLS support to the example application.

Step 4 of 4: Extend, clean, and rebuild your client application CCS project

  1. Implement two functions at the end of the main.c file as follows. wolfSSL calls XTIME for certificate and OCSP validity checks (USER_TIME) and xively_ssl_rand_generate for entropy (CUSTOM_RAND_GENERATE), so both must be backed by the board's real clock and random number source:
        #include <stdint.h>
        #include <time.h>
        #include <xi_bsp_rng.h>
        #include <xi_bsp_time.h>

        /* Time source for wolfSSL (USER_TIME). Follows the time() contract,
         * so the result is also stored through timer when one is given. */
        time_t XTIME(time_t * timer)
        {
            time_t now = xi_bsp_time_getcurrenttime_seconds();
            if (timer != NULL)
            {
                *timer = now;
            }
            return now;
        }

        /* Entropy source for wolfSSL (CUSTOM_RAND_GENERATE): one 32-bit word
         * per call from the board support package's random number generator. */
        uint32_t xively_ssl_rand_generate(void)
        {
            return xi_bsp_rng_get();
        }
  2. Update the memory map in the cc3200v1p32.cmd file, so it looks like the following:
        MEMORY
        {
            /* Application uses internal RAM for program and data */
            SRAM_CODE (RWX) : origin = 0x20004000, length = 0x3C000
            //SRAM_DATA (RWX) : origin = 0x20017000, length = 0x19000
        }

        /* Section allocation in memory */

        SECTIONS
        {
            .intvecs:   > RAM_BASE
            .init_array : > SRAM_CODE
            .vtable :   > SRAM_CODE
            .text   :   > SRAM_CODE
            .const  :   > SRAM_CODE
            .cinit  :   > SRAM_CODE
            .pinit  :   > SRAM_CODE
            .data   :   > SRAM_CODE
            .bss    :   > SRAM_CODE
            .sysmem :   > SRAM_CODE
            .stack  :   > SRAM_CODE(HIGH)
        }
  3. In Code Composer Studio™, make sure the xively_demo project is highlighted and perform the following actions:
    1. Add the wolfSSL library. Select:
      Project->Properties->Build->ARM Linker->File Search Path:
      wolfssl/tirtos/packages/ti/net/wolfssl/lib/wolfssl.aem4f
    2. Select: Project->Clean...
    3. Select: Project->Build
    4. Select: Run->Debug

The result is a TI CC3200 connected to Xively Services using the custom wolfSSL library.
