mirror of
https://github.com/espressif/esp-idf
synced 2025-03-10 09:39:10 -04:00
Merge branch 'backport/support_tls1_3_v5.0' into 'release/v5.0'
https_mbedtls: update example to support TLS 1.3 connection See merge request espressif/esp-idf!30607
This commit is contained in:
commit
1bec4902b2
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2017-2022 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -80,6 +80,16 @@ typedef enum esp_tls_addr_family {
|
||||
ESP_TLS_AF_INET6, /**< IPv6 address family. */
|
||||
} esp_tls_addr_family_t;
|
||||
|
||||
/*
|
||||
* @brief ESP-TLS TLS Protocol version
|
||||
*/
|
||||
typedef enum {
|
||||
ESP_TLS_VER_ANY = 0, /* No preference */
|
||||
ESP_TLS_VER_TLS_1_2 = 0x1, /* (D)TLS 1.2 */
|
||||
ESP_TLS_VER_TLS_1_3 = 0x2, /* (D)TLS 1.3 */
|
||||
ESP_TLS_VER_TLS_MAX, /* to indicate max */
|
||||
} esp_tls_proto_ver_t;
|
||||
|
||||
/**
|
||||
* @brief ESP-TLS configuration parameters
|
||||
*
|
||||
@ -193,6 +203,7 @@ typedef struct esp_tls_cfg {
|
||||
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
|
||||
|
||||
esp_tls_addr_family_t addr_family; /*!< The address family to use when connecting to a host. */
|
||||
esp_tls_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */
|
||||
} esp_tls_cfg_t;
|
||||
|
||||
#ifdef CONFIG_ESP_TLS_SERVER
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -72,6 +72,15 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
|
||||
assert(tls != NULL);
|
||||
int ret;
|
||||
esp_err_t esp_ret = ESP_FAIL;
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
|
||||
return esp_ret;
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
|
||||
tls->server_fd.fd = tls->sockfd;
|
||||
mbedtls_ssl_init(&tls->ssl);
|
||||
mbedtls_ctr_drbg_init(&tls->ctr_drbg);
|
||||
@ -84,6 +93,24 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
|
||||
ESP_LOGE(TAG, "Failed to set client configurations, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
|
||||
goto exit;
|
||||
}
|
||||
const esp_tls_proto_ver_t tls_ver = ((esp_tls_cfg_t *)cfg)->tls_version;
|
||||
if (tls_ver == ESP_TLS_VER_TLS_1_3) {
|
||||
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
ESP_LOGD(TAG, "Setting TLS version to 0x%4x", MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
#else
|
||||
ESP_LOGW(TAG, "TLS 1.3 is not enabled in config, continuing with default TLS protocol");
|
||||
#endif
|
||||
} else if (tls_ver == ESP_TLS_VER_TLS_1_2) {
|
||||
ESP_LOGD(TAG, "Setting TLS version to 0x%4x", MBEDTLS_SSL_VERSION_TLS1_2);
|
||||
mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2);
|
||||
mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_2);
|
||||
} else if (tls_ver != ESP_TLS_VER_ANY) {
|
||||
ESP_LOGE(TAG, "Unsupported protocol version");
|
||||
esp_ret = ESP_ERR_INVALID_ARG;
|
||||
goto exit;
|
||||
}
|
||||
} else if (tls->role == ESP_TLS_SERVER) {
|
||||
#ifdef CONFIG_ESP_TLS_SERVER
|
||||
esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls);
|
||||
@ -112,11 +139,6 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
|
||||
mbedtls_esp_enable_debug_log(&tls->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
mbedtls_ssl_conf_min_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
mbedtls_ssl_conf_max_tls_version(&tls->conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
#endif
|
||||
|
||||
if ((ret = mbedtls_ssl_setup(&tls->ssl, &tls->conf)) != 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%04X", -ret);
|
||||
mbedtls_print_error_msg(ret);
|
||||
@ -220,6 +242,18 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen)
|
||||
{
|
||||
|
||||
ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
||||
#if CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
// If a post-handshake message is received, connection state is changed to `MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET`
|
||||
// Call mbedtls_ssl_read() till state is `MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET` or return code is `MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET`
|
||||
// to process session tickets in TLS 1.3 connection
|
||||
if (mbedtls_ssl_get_version_number(&tls->ssl) == MBEDTLS_SSL_VERSION_TLS1_3) {
|
||||
while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET || tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET) {
|
||||
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||
ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
||||
}
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
|
||||
if (ret < 0) {
|
||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
return 0;
|
||||
|
@ -26,6 +26,9 @@
|
||||
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
|
||||
#include "mbedtls/ssl_ticket.h"
|
||||
#endif
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
#include "psa/crypto.h"
|
||||
#endif
|
||||
#elif CONFIG_ESP_TLS_USING_WOLFSSL
|
||||
#include "wolfssl/wolfcrypt/settings.h"
|
||||
#include "wolfssl/ssl.h"
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2015-2023 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -9,6 +9,7 @@
|
||||
|
||||
#include "esp_system.h"
|
||||
#include "esp_log.h"
|
||||
#include "esp_assert.h"
|
||||
#include "esp_check.h"
|
||||
#include "http_parser.h"
|
||||
#include "http_header.h"
|
||||
@ -19,6 +20,8 @@
|
||||
#include "sdkconfig.h"
|
||||
#include "esp_http_client.h"
|
||||
#include "errno.h"
|
||||
#include "esp_random.h"
|
||||
#include "esp_tls.h"
|
||||
|
||||
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_HTTPS
|
||||
#include "esp_transport_ssl.h"
|
||||
@ -26,6 +29,9 @@
|
||||
|
||||
static const char *TAG = "HTTP_CLIENT";
|
||||
|
||||
ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_ANY == (int)ESP_TLS_VER_ANY, "Enum mismatch in esp_http_client and esp-tls");
|
||||
ESP_STATIC_ASSERT((int)ESP_HTTP_CLIENT_TLS_VER_MAX <= (int)ESP_TLS_VER_TLS_MAX, "HTTP client supported TLS is not supported in esp-tls");
|
||||
|
||||
/**
|
||||
* HTTP Buffer
|
||||
*/
|
||||
@ -661,6 +667,7 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
|
||||
esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len);
|
||||
}
|
||||
}
|
||||
esp_transport_ssl_set_tls_version(ssl, config->tls_version);
|
||||
|
||||
#if CONFIG_ESP_TLS_USE_DS_PERIPHERAL
|
||||
if (config->ds_data != NULL) {
|
||||
|
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2015-2022 Espressif Systems (Shanghai) CO LTD
|
||||
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
@ -60,6 +60,16 @@ typedef enum {
|
||||
HTTP_TRANSPORT_OVER_SSL, /*!< Transport over ssl */
|
||||
} esp_http_client_transport_t;
|
||||
|
||||
/*
|
||||
* @brief TLS Protocol version
|
||||
*/
|
||||
typedef enum {
|
||||
ESP_HTTP_CLIENT_TLS_VER_ANY = 0, /* No preference */
|
||||
ESP_HTTP_CLIENT_TLS_VER_TLS_1_2 = 0x1, /* (D)TLS 1.2 */
|
||||
ESP_HTTP_CLIENT_TLS_VER_TLS_1_3 = 0x2, /* (D)TLS 1.3 */
|
||||
ESP_HTTP_CLIENT_TLS_VER_MAX, /* to indicate max */
|
||||
} esp_http_client_proto_ver_t;
|
||||
|
||||
typedef esp_err_t (*http_event_handle_cb)(esp_http_client_event_t *evt);
|
||||
|
||||
/**
|
||||
@ -115,6 +125,7 @@ typedef struct {
|
||||
size_t client_key_len; /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
|
||||
const char *client_key_password; /*!< Client key decryption password string */
|
||||
size_t client_key_password_len; /*!< String length of the password pointed to by client_key_password */
|
||||
esp_http_client_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */
|
||||
const char *user_agent; /*!< The User Agent string to send with HTTP requests */
|
||||
esp_http_client_method_t method; /*!< HTTP Method */
|
||||
int timeout_ms; /*!< Network timeout in milliseconds */
|
||||
|
@ -1,16 +1,8 @@
|
||||
// Copyright 2015-2018 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2015-2024 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
#ifndef _ESP_TRANSPORT_SSL_H_
|
||||
#define _ESP_TRANSPORT_SSL_H_
|
||||
@ -69,6 +61,14 @@ void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((*
|
||||
*/
|
||||
void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t);
|
||||
|
||||
/**
|
||||
* @brief Set TLS protocol version for ESP-TLS connection
|
||||
*
|
||||
* @param t ssl transport
|
||||
* @param[in] tls_version TLS version
|
||||
*/
|
||||
void esp_transport_ssl_set_tls_version(esp_transport_handle_t t, esp_tls_proto_ver_t tls_version);
|
||||
|
||||
/**
|
||||
* @brief Set SSL client certificate data for mutual authentication (as PEM format).
|
||||
* Note that, this function stores the pointer to data, rather than making a copy.
|
||||
|
@ -342,6 +342,12 @@ void esp_transport_ssl_enable_global_ca_store(esp_transport_handle_t t)
|
||||
ssl->cfg.use_global_ca_store = true;
|
||||
}
|
||||
|
||||
void esp_transport_ssl_set_tls_version(esp_transport_handle_t t, esp_tls_proto_ver_t tls_version)
|
||||
{
|
||||
GET_SSL_FROM_TRANSPORT_OR_RETURN(ssl, t);
|
||||
ssl->cfg.tls_version = tls_version;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_ESP_TLS_PSK_VERIFICATION
|
||||
void esp_transport_ssl_set_psk_key_hint(esp_transport_handle_t t, const psk_hint_key_t *psk_hint_key)
|
||||
{
|
||||
|
@ -37,6 +37,9 @@
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/error.h"
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
#include "psa/crypto.h"
|
||||
#endif
|
||||
#include "esp_crt_bundle.h"
|
||||
|
||||
|
||||
@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters)
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_net_context server_fd;
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_init(&ssl);
|
||||
mbedtls_x509_crt_init(&cacert);
|
||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
||||
@ -110,23 +121,13 @@ static void https_get_task(void *pvParameters)
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print
|
||||
a warning if CA verification fails but it will continue to connect.
|
||||
|
||||
You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
|
||||
*/
|
||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
||||
#ifdef CONFIG_MBEDTLS_DEBUG
|
||||
mbedtls_esp_enable_debug_log(&conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
|
||||
mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
|
||||
#endif
|
||||
|
||||
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
|
||||
@ -200,22 +201,28 @@ static void https_get_task(void *pvParameters)
|
||||
bzero(buf, sizeof(buf));
|
||||
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
|
||||
|
||||
if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
|
||||
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||
continue;
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
|
||||
if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
if(ret < 0)
|
||||
{
|
||||
if (ret < 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
|
||||
break;
|
||||
}
|
||||
|
||||
if(ret == 0)
|
||||
{
|
||||
if (ret == 0) {
|
||||
ESP_LOGI(TAG, "connection closed");
|
||||
break;
|
||||
}
|
||||
@ -223,7 +230,7 @@ static void https_get_task(void *pvParameters)
|
||||
len = ret;
|
||||
ESP_LOGD(TAG, "%d bytes read", len);
|
||||
/* Print response directly to stdout as it is read */
|
||||
for(int i = 0; i < len; i++) {
|
||||
for (int i = 0; i < len; i++) {
|
||||
putchar(buf[i]);
|
||||
}
|
||||
} while(1);
|
||||
@ -234,8 +241,7 @@ static void https_get_task(void *pvParameters)
|
||||
mbedtls_ssl_session_reset(&ssl);
|
||||
mbedtls_net_free(&server_fd);
|
||||
|
||||
if(ret != 0)
|
||||
{
|
||||
if (ret != 0) {
|
||||
mbedtls_strerror(ret, buf, 100);
|
||||
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
||||
}
|
||||
@ -246,7 +252,7 @@ static void https_get_task(void *pvParameters)
|
||||
ESP_LOGI(TAG, "Completed %d requests", ++request_count);
|
||||
printf("Minimum free heap size: %" PRIu32 " bytes\n", esp_get_minimum_free_heap_size());
|
||||
|
||||
for(int countdown = 10; countdown >= 0; countdown--) {
|
||||
for (int countdown = 10; countdown >= 0; countdown--) {
|
||||
ESP_LOGI(TAG, "%d...", countdown);
|
||||
vTaskDelay(1000 / portTICK_PERIOD_MS);
|
||||
}
|
||||
|
@ -1197,7 +1197,6 @@ components/spi_flash/test/test_mmap.c
|
||||
components/spi_flash/test/test_out_of_bounds_write.c
|
||||
components/spi_flash/test/test_partition_ext.c
|
||||
components/spi_flash/test/test_spi_flash.c
|
||||
components/tcp_transport/include/esp_transport_ssl.h
|
||||
components/tcp_transport/include/esp_transport_ws.h
|
||||
components/tcp_transport/test/tcp_transport_fixtures.h
|
||||
components/tcp_transport/test/test_transport_basic.c
|
||||
|
Loading…
x
Reference in New Issue
Block a user