ST AN3365 Application note

Secure socket layer (SSL) for STM32F217xx microcontroller

1 Introduction

STM32F217xx microcontrollers feature a complete 10/100 Ethernet MAC, supporting MII
and RMII to interface the PHY, with hardware checksums of the IP, UDP, TCP and ICMP
protocols.

One of the advanced features of the STM32F217xx is the hardware cryptographic processor
for AES/128/192/256, Triple DES, DES, SHA-1, MD5 and RNG.

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptographic protocols
provide security for communications over networks, such as the Internet, and allow client
and server applications to communicate in a way that is private and secure.

The purpose of this application note is to present a demonstration package built on top of a
free SSL/TLS library: the PolarSSL library.

This application note is structured as follows:

● A short glossary is provided in Section 2.

● A general introduction to SSL/TLS is presented in Section 3.

● Section 4 introduces the PolarSSL library.

● Section 5 describes the STM32F217xx hardware cryptographic processors.

● Lastly, Section 6 describes the demonstration package for STM32F217xx.

AN3365

Application note

Note: This application targets only STM32F217xx devices, since the cryptographic acceleration is

not embedded in STM32F207xx devices, and it uses the STM3221G-EVAL board as a
hardware platform.

October 2011 Doc ID 018609 Rev 2 1/42

www.st.com

Contents AN3365

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

2 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

3 SSL/TLS protocol overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.1 SSL application layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.2 History of the SSL/TLS protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.3 SSL/TLS sub-protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.3.1 SSL Handshake protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.3.2 SSL Record protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3.3.3 SSL Alert protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.3.4 Change Cipher Spec protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

4 PolarSSL library . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4.1 License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

5 STM32F217xx hardware cryptography . . . . . . . . . . . . . . . . . . . . . . . . . 15

5.1 Cryptographic processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5.2 Random number generator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5.3 Hash processor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

6 Description of the demonstration package . . . . . . . . . . . . . . . . . . . . . 16

6.1 Package directories and firmware components . . . . . . . . . . . . . . . . . . . . 16

6.1.1 Package directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6.1.2 Firmware components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

6.2 Demonstration settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

6.2.1 PHY interface configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

6.2.2 MAC and IP address settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

6.2.3 STM3221G-EVAL settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

6.3 How to use the demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6.3.1 SSL client demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6.3.2 SSL server demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

6.4 Memory footprint of the SSL demonstrations . . . . . . . . . . . . . . . . . . . . . . 28

6.4.1 SSL client demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

2/42 Doc ID 018609 Rev 2

AN3365 Contents

6.4.2 SSL server demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

7 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

8 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Appendix A Additional information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

A.1 Flowcharts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

A.2 Project configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

A.2.1 LwIP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

A.2.2 PolarSSL configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

A.2.3 FreeRTOS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

A.3 Running SSL server demo with Mozilla 3.6.3 . . . . . . . . . . . . . . . . . . . . . . 37

A.4 Running SSL server demo with IE8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

9 Revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Doc ID 018609 Rev 2 3/42

List of tables AN3365

List of tables

Table 1. STM3221G-EVAL jumpers configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Table 2. SSL client demonstration footprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Table 3. SSL server demonstration footprint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table 4. lwIP options for SSL server demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Table 5. lwIP options for SSL client demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Table 6. PolarSSL options: config.h file for SSL server demonstration . . . . . . . . . . . . . . . . . . . . . . 35

Table 7. PolarSSL options: config.h file for SSL client demonstration . . . . . . . . . . . . . . . . . . . . . . . 36

Table 8. FreeRTOS configuration for SSL client demonstration. . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Table 9. FreeRTOS configuration for SSL server demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Table 10. Document revision history . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

4/42 Doc ID 018609 Rev 2

AN3365 List of figures

List of figures

Figure 1. SSL application architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Figure 2. SSL sub-protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Figure 3. SSL Handshake protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Figure 4. Handshake protocol to resume an SSL session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Figure 5. SSL Record protocol. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Figure 6. Demonstration package structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Figure 7. PolarSSL & LwIP connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Figure 8. SSL client demonstration architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Figure 9. SSL client demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Figure 10. ssl_server application window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Figure 11. HyperTerminal window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 12. SSL server demonstration architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 13. SSL server demonstration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 14. HTML page displayed on successful connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 15. HyperTerminal SSL server connection status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 16. SSL client task flowchart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Figure 17. SSL server task flowchart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Figure 18. Untrusted connection dialog 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Figure 19. Untrusted connection dialog 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Figure 20. Add Security Exception dialog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 21. Task status page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 22. Cannot display webpage error message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 23. Certificate error message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 24. Task status page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Doc ID 018609 Rev 2 5/42

Glossary AN3365

2 Glossary

A

AES: Advanced Encryption Standard

ANSI: American National Standards Institute

API: Application Programming Interface

ARC4: Alleged Rivest Cipher 4

ARP: Address Resolution Protocol

C

CA: Certification Authority

CBC: Cipher Block Chaining

CTR: Counter

D

DES: Data Encryption Standard

DHCP: Dynamic Host Configuration Protocol

DHM: Diffie-Hellman

E

ECB: Electronic CodeBook

F

FIPS: Federal Information Processing Standard

H

HAVEGE: Hardware Volatile Entropy Gathering and Expansion

HMAC: Hash Message Authentication Code

HTTP: Hypertext Transfer Protocol

HTTPS: Hypertext Transfer Protocol Secure

I

IETF: Internet Engineering Task Force

ICMP: Internet Control Message Protocol

IGMP: Internet Group Management Protocol

L

LwIP: Lightweight IP

6/42 Doc ID 018609 Rev 2

AN3365 Glossary

M

MAC: Message Authentication Code

MAC address: Media Access Control address

MCO: Microcontroller Clock Output

MD2: Message Digest Algorithm 2

MII: Media Independent Interface

P

PPP: Point-to-Point Protocol

R

RMII: Reduced Media Independent Interface

RNG: Random Number Generator

RSA: Rivest, Shamir, & Adleman

S

SHA-1: Secure Hashing Algorithm 1

SNMP: Simple Network Management Protocol

SSL: Secure Sockets Layer,

T

TCP/IP: Transmission Control Protocol/Internet Protocol

TLS: Transport Layer Security

T-DES/3-DES: Triple DES

U

UDP: User Datagram Protocol

URL: Uniform Resource Locator

USART: Universal Synchronous & Asynchronous Receiver Transmitter

Doc ID 018609 Rev 2 7/42

SSL/TLS protocol overview AN3365

Application layer

SSL/TSL layer

TCP layer

IP layer

Physical layer

MS18970V1

3 SSL/TLS protocol overview

The Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols provide
communications security over the Internet and allow client/server applications to
communicate in a way that is private and reliable. These protocols are layered above a
transport protocol such as TCP/IP.

SSL is the standard security technology for creating an encrypted link between server and
client. This link ensures that all communication data remains private and secure.

The major objectives of SSL/TLS are:

● Provide data integrity between two communicating applications.

● Protect information transmitted between server and client.

● Authenticate the server to the client.

● Allow the client and server to select the cryptographic algorithms that they both

support.

● Optionally authenticate the client to the server.

● Use public-key encryption techniques to generate shared secrets.

● Establish an encrypted SSL connection.

3.1 SSL application layers

The SSL/TLS application consists of five layers:

● Application layer: the Application Layer refers to the higher-level protocols used by

most applications for network communication.

● SSL/TLS layer: the SSL/TLS layer provides security communication over the Internet.

● TCP layer: the Transport Layer's responsibilities include end-to-end message transfer

capabilities independent of the underlying network, along with error control,
segmentation, flow control, congestion control, and application addressing.

● IP layer: the Internet Protocol layer is responsible for addressing hosts and routing

packets from a source host to the destination host.

● Physical layer: the Physical Layer consists of the basic hardware transmission

technologies of a network.

Figure 1. SSL application architecture

8/42 Doc ID 018609 Rev 2

AN3365 SSL/TLS protocol overview

3.2 History of the SSL/TLS protocols

SSL was developed by Netscape in 1994 to secure transactions over the Internet. Soon
after, the Internet Engineering Task Force (IETF) began work to develop a standard protocol
to provide the same functionality.

● SSL 1.0 (Netscape, 1993): Internal Netscape design.

● SSL 2.0 (Netscape, 1994): This version contained a number of security flaws.

● SSL 3.0 (Netscape, 1996): All Internet browsers support this version of the protocol.

● TLS 1.0 (IETF, 1999): This version was defined in RFC 2246 as an upgrade to SSL 3.0.

“The differences between this protocol and SSL 3.0 are not dramatic, but they are
significant enough that TLS 1.0 and SSL 3.0 do not interoperate”: [1]: RFC 2246: The

TLS protocol version 1.0

Note: The “SSL/TLS” protocols is referred to as “SSL” throughout this document.

3.3 SSL/TLS sub-protocols

The SSL protocol includes four sub-protocols: the SSL Record protocol, the SSL
Handshake protocol, the SSL Alert protocol and the SSL Change Cipher Spec protocol.

Figure 2. SSL sub-protocols

3.3.1 SSL Handshake protocol

The SSL session state is controlled by the SSL Handshake protocol. This protocol involves
using the SSL record protocol to exchange a series of messages between SSL server and
SSL client when they first start communicating. This exchange of messages is designed to
facilitate the following actions:

● The protocol version SSL 3.0 or TLS 1.0

● Allow the client and server to select the cryptographic algorithms, or ciphers, that they

both support

● Authenticate the server to the client

● Optionally authenticate the client to the server

● Use public-key encryption techniques to generate shared secrets

● Establish an encrypted SSL connection

Doc ID 018609 Rev 2 9/42

SSL/TLS protocol overview AN3365

Figure 3. SSL Handshake protocol

1. The client sends a ClientHello message specifying the highest SSL protocol version
(SSL 3.0 or TLS 1.0) it supports, a random number, a list of cipher suites and
compression methods.

2. Server responds with a ServerHello message that contains the chosen protocol
version, another random number, cipher suite and compression method from the
choices offered by the client, and the session ID.

10/42 Doc ID 018609 Rev 2

AN3365 SSL/TLS protocol overview

Note: The client and the server must support at least one common cipher suite, or else the

Handshake protocol fails. The server generally chooses the strongest common cipher suite
they both support.

3. The server sends its digital certificate in an optional certificate message, for example,
the server uses X.509 digital certificates.

4. If no certificate is sent, an optional ServerKeyExchange message is sent containing the
server public information.

5. If the server requires a digital certificate for client authentication, an optional
CertificateRequest message is appended.

6. The server sends a ServerHelloDone message indicating the end of this phase of
negotiation.

7. If the server has sent a CertificateRequest message, the client must send its X.509
client certificate in a Certificate message.

8. The client sends a ClientKeyExchange message. This message contains the pre­master secret number used in the generation of the symmetric encryption keys and the
message authentication code (MAC) keys. The client encrypts pre-master secret
number with the public key of the server.

Note: The public key is sent by the server in the digital certificate or in ServerKeyExchange

message.

9. If the client sent a digital certificate to the server, the client sends a CertificateVerify
message signed with the client's private key. By verifying the signature of this message,
the server can explicitly verify the ownership of the client digital certificate.

10. The client sends a ChangeCipherSpec message announcing that the new parameters
(cipher method, keys) have been loaded.

11. The client sends a Finished message; it is the first message encrypted with the new
cipher method and keys.

12. The server responds with a ChangeCipherSpec and a Finished message from its end.

13. The SSL Handshake protocol ends and the encrypted exchange of application data
can be started.

Resuming SSL session

When the client and the server decide to resume a previous session or to duplicate an
existing session (instead of negotiating new security parameters), the message flow is as
follows:

1. The client sends a ClientHello message using the Session ID of the session to be
resumed.

2. The server checks its session cache for a match. If a match is found, and the server is
willing to re-establish the connection under the specified session state, it sends a
ServerHello message with the same Session ID value.

3. Both client and server must send ChangeCipherSpec messages and proceed directly
to the Finished messages.

4. Once the re-establishment is complete, the client and server may begin to exchange
encrypted application data.

Note: If a Session ID match is not found, the server generates a new session ID and the client and

server perform a full Handshake protocol [1]: RFC 2246: The TLS protocol version 1.0.

Doc ID 018609 Rev 2 11/42

SSL/TLS protocol overview AN3365

Application data

-F1- -F2- -Fn-

Compression

Fragment

Authentification

Encryption

MS18971V1

Figure 4. Handshake protocol to resume an SSL session

3.3.2 SSL Record protocol

The Record protocol takes messages to be transmitted, fragments the data into
manageable blocks, optionally compresses the data, applies a MAC, encrypts, and
transmits the results.

The received data is decrypted, verified, decompressed, and reassembled, then delivered to
higher level clients.

Figure 5. SSL Record protocol

12/42 Doc ID 018609 Rev 2

AN3365 SSL/TLS protocol overview

3.3.3 SSL Alert protocol

The SSL Alert protocol signals problems with the SSL session ranging from simple warnings
(unknown certificate, revoked certificate, expired certificate) to fatal error messages that
immediately terminate the SSL connection.

3.3.4 Change Cipher Spec protocol

The SSL Change Cipher Spec protocol consists of a single message that indicates the end
of the SSL Handshake protocol.

Note: For more information about SSL protocols, please refer to [1]: RFC 2246: The TLS protocol

version 1.0.

Doc ID 018609 Rev 2 13/42