From c682a291e12af205a5b4be37403e246277f7672d Mon Sep 17 00:00:00 2001
From: Jukka Rissanen
Date: Fri, 16 Jun 2017 17:51:32 +0300
Subject: [PATCH] stunnel: Add info how to run echo-client over encrypted link

It is possible to use existing echo-client.c app in Linux and pipe the network traffic inside a SSL tunnel. This requires that the Zephyr echo-server sample has TLS support enabled.

Signed-off-by: Jukka Rissanen
---
 README | 42 ++++++++++++++++++++++++++++++++++++++++++
 echo-apps-cert.pem | 13 +++++++++++++
 stunnel.conf | 28 ++++++++++++++++++++++++++++
 stunnel.sh | 24 ++++++++++++++++++++++++
 4 files changed, 107 insertions(+)
 create mode 100644 echo-apps-cert.pem
 create mode 100644 stunnel.conf
 create mode 100755 stunnel.sh

diff --git a/README b/README
index b26526e..3a5a89e 100644
--- a/README
+++ b/README
@@ -64,3 +64,45 @@ output. Be sure to use Python 3, as it requires a function from the socket module that's only available in this version (wrapper around if_nametoindex(3)).
+
+
+Using encrypted SSL link with echo-* programs
+=============================================
+
+Install stunnel
+
+Fedora:
+# dnf install stunnel
+
+Ubuntu:
+# apt-get install stunnel4 -y
+
+Finally run the stunnel script in Linux
+$ ./stunnel.sh
+
+And connect echo-client to this SSL tunnel (note that the IP address
+is the address of Linux host where the tunnel end point is located).
+
+# ./echo-client 2001:db8::2 -t
+
+If you want to re-create the certificates in echo-server in Zephyr samples,
+then they can be created like this (note that you do not need to do this as
+the certs have been prepared already in echo-server sample sources):
+
+$ openssl genrsa -out key.pem 1024
+$ openssl req -new -x509 -key key.pem -out echo-apps-cert.pem -days 10000 \
+ -subj '/CN=localhost'
+
+The cert that is to be embedded into test_certs.h in echo-server, can be
+generated like this:
+$ openssl x509 -in echo-apps-cert.pem -C -noout
+
+The private key to be embedded into test_certs.h in echo-server can be
+generated like this:
+$ openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in key.pem \
+ -out pkcs8.der
+
+And then create byte array that can be embedded into
+samples/net/echo_server/src/test_certs.h from that pkcs8.der file like this:
+
+$ hexdump -e '8/1 "0x%02x, " "\n"' pkcs8.der | sed 's/0x ,//g'
diff --git a/echo-apps-cert.pem b/echo-apps-cert.pem
new file mode 100644
index 0000000..6be8619
--- /dev/null
+++ b/echo-apps-cert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9jCCAV+gAwIBAgIJAPGbT01SK760MA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0xNzA2MTQxMjE2NTZaFw00NDEwMzAxMjE2NTZaMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA
+09bBufEuK+TaBsNY9sKSh5lFPbuoJEK3+PS2roSvH2iV5c22xiSeyWp06LZxSxDy
+j796zQkVg8LCVJa5dfTcVxebgj0A+sEkYaIQlLsDsZ2+voqLjrxTg8SAqe8yrJJa
+/yDlOVZb2tKQSS5kyyjA+1A2mZJQqAguDKTUp3iii60CAwEAAaNQME4wHQYDVR0O
+BBYEFMVyoJTuZr8UOiS4VhxAdVxtPK8RMB8GA1UdIwQYMBaAFMVyoJTuZr8UOiS4
+VhxAdVxtPK8RMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADgYEAIfBCLNRY
+cZmFHb9rdARjY4CS/klpS8DygTxToE+xf2/U6BnW8C5xaMK3mc/qgJLdHbF5GvEB
++pVgNWXmu5Q4/DB4QkolkktneN9o25c2ayBJb15s5HObsswhEdCT5KlYwozvSRKf
+xVDXoclW3WvMxZp3sAPbPHDvrviRgu644Is=
+-----END CERTIFICATE-----
diff --git a/stunnel.conf b/stunnel.conf
new file mode 100644
index 0000000..90feef9
--- /dev/null
+++ b/stunnel.conf
@@ -0,0 +1,28 @@
+; Configuration file for stunnel to create SSL pipe between
+; echo-* programs running in Linux and Zephyr
+
+foreground = yes
+output = /dev/stdout
+syslog = no
+; Debugging level (7 is greatest debugging output)
+;debug = 7
+TIMEOUTconnect = 10
+TIMEOUTclose = 10
+
+[echo-client-ipv6]
+accept = 2001:db8::2:4242
+CApath = .
+CAfile = echo-apps-cert.pem
+verifyPeer = yes
+checkHost = localhost
+client = yes
+connect = 2001:db8::1:4242
+
+[echo-client-ipv4]
+accept = 192.0.2.2:4242
+CApath = .
+CAfile = echo-apps-cert.pem
+verifyPeer = yes
+checkHost = localhost
+client = yes
+connect = 192.0.2.1:4242
diff --git a/stunnel.sh b/stunnel.sh
new file mode 100755
index 0000000..265891c
--- /dev/null
+++ b/stunnel.sh
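Review bot: Nothing in the tree records that this is a self-signed, test-only certificate that the tunnel is pinned to, and its parameters are weak by current standards: the README added in this same commit generates it with `openssl genrsa 1024` and `-days 10000`, and the PEM's validity field appears to decode to 2017-06-14 through 2044-10-30. A 1024-bit RSA key is below the 2048-bit minimum enforced by OpenSSL security level 2, which some newer distributions set as the system default, so on such a host the stunnel handshake would fail verification outright rather than degrade. Because `stunnel.conf` pins this exact file via `CAfile`, regenerating it with a 2048-bit key and a shorter validity has to be done together with the copy embedded in the Zephyr echo-server's test_certs.h; a README line stating that the two copies must match, for example `Note: echo-apps-cert.pem must be identical to the cert embedded in samples/net/echo_server/src/test_certs.h, or stunnel's peer verification fails`, would prevent a silent mismatch.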
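Review bot: `CApath = .` in both `[echo-client-ipv6]` and `[echo-client-ipv4]` widens the trust store beyond the single pinned certificate: `CAfile = echo-apps-cert.pem` already names the one peer certificate that `verifyPeer = yes` should accept, and with `CApath` set any hash-named certificate dropped into the working directory would be accepted as well. Since stunnel.sh is run from that same directory, deleting the two `CApath = .` lines keeps verification pinned to the test cert with no loss of function. The file header would also benefit from stating the pairing explicitly, e.g. `; echo-apps-cert.pem is the self-signed test cert embedded in the Zephyr echo-server sample; verifyPeer/CAfile pin the tunnel to it`, since nothing else in the config says why that file is trusted.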
@@ -0,0 +1,24 @@
+#!/bin/sh
+#
+# Copyright (c) 2017 Intel Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+CONF_FILE=stunnel.conf
+
+if [ ! -f $CONF_FILE ]; then
+ echo "$0: Configuration file $CONF_FILE not found"
+ exit 1
+fi
+
+stunnel $CONF_FILE
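Review bot: The failure message on the `echo` line goes to stdout rather than stderr, and `$CONF_FILE` is expanded unquoted both in the `[ ! -f $CONF_FILE ]` test and in the final `stunnel $CONF_FILE` call; harmless while the value is the literal `stunnel.conf`, but it breaks silently as soon as someone points CONF_FILE at a path containing whitespace. The three lines would become `if [ ! -f "$CONF_FILE" ]; then`, `echo "$0: Configuration file $CONF_FILE not found" >&2` and `exec stunnel "$CONF_FILE"`; `exec` additionally lets stunnel's own exit status and signal handling reach the caller instead of being wrapped by the shell. The config file, and the `CAfile`/`CApath` entries inside it, are resolved relative to the current directory, so a comment above `CONF_FILE=stunnel.conf` such as `# stunnel.conf and the cert it references are looked up in the current directory; run this script from the checkout` would document the one way the script is meant to be invoked.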