asio: option to use wolfSSL as TLS stack for ASIO

Plus other minor update, make openssl aware of current modes (SSL_set_mode)
Update coding style in examples and tests, including copyright notices

components/asio/CMakeLists.txt

@@ -1,5 +1,33 @@
-idf_component_register(SRCS "asio/asio/src/asio.cpp"
-                            "asio/asio/src/asio_ssl.cpp"
-                            "port/src/esp_asio_openssl_stubs.c"
+set(asio_sources "asio/asio/src/asio.cpp")
+
+if (CONFIG_ASIO_SSL_SUPPORT)
+    if(CONFIG_ASIO_USE_ESP_OPENSSL)
+        list(APPEND asio_sources
+                "asio/asio/src/asio_ssl.cpp"
+                "port/src/esp_asio_openssl_stubs.c")
+    endif()
+
+    if(CONFIG_ASIO_USE_ESP_WOLFSSL)
+        list(APPEND asio_sources
+                "asio/asio/src/asio_ssl.cpp")
+    endif()
+endif()
+
+idf_component_register(SRCS ${asio_sources}
                     INCLUDE_DIRS "asio/asio/include" "port/include"
-                    REQUIRES lwip openssl)
+                    REQUIRES lwip)
+
+if (CONFIG_ASIO_SSL_SUPPORT)
+    if(CONFIG_ASIO_USE_ESP_WOLFSSL)
+        idf_component_get_property(wolflib esp-wolfssl COMPONENT_LIB)
+        idf_component_get_property(wolfdir esp-wolfssl COMPONENT_DIR)
+
+        target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolflib})
+        target_include_directories(${COMPONENT_LIB} PUBLIC ${wolfdir}/wolfssl/wolfssl)
+    endif()
+
+    if(CONFIG_ASIO_USE_ESP_OPENSSL)
+        idf_component_get_property(esp_openssl openssl COMPONENT_LIB)
+        target_link_libraries(${COMPONENT_LIB} PUBLIC ${esp_openssl})
+    endif()
+endif()

components/asio/Kconfig

@@ -0,0 +1,25 @@
+menu "ESP-ASIO"
+    config ASIO_SSL_SUPPORT
+        bool "Enable SSL/TLS support of ASIO"
+        default n
+        help
+            Enable support for basic SSL/TLS features, available for mbedTLS/OpenSSL
+            as well as wolfSSL TLS library.
+
+    choice ASIO_SSL_LIBRARY_CHOICE
+        prompt "Choose SSL/TLS library for ESP-TLS (See help for more Info)"
+        default ASIO_USE_ESP_OPENSSL
+        depends on ASIO_SSL_SUPPORT
+        help
+            The ASIO support multiple backend TLS libraries. Currently the mbedTLS with a thin ESP-OpenSSL
+            port layer (default choice) and WolfSSL are supported.
+            Different TLS libraries may support different features and have different resource
+            usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
+        config ASIO_USE_ESP_OPENSSL
+            bool "esp-openssl"
+        config ASIO_USE_ESP_WOLFSSL
+            depends on TLS_STACK_WOLFSSL
+            bool "wolfSSL (License info in wolfSSL directory README)"
+    endchoice
+
+endmenu

components/asio/asio

@@ -1 +1 @@
-Subproject commit 61702cd13be0b8c9800a9793daae72768ede26af
+Subproject commit f31694c9f1746ba189a4bcae2e34db15135ddb22

components/asio/component.mk

@@ -2,4 +2,8 @@ COMPONENT_ADD_INCLUDEDIRS := asio/asio/include port/include
 COMPONENT_PRIV_INCLUDEDIRS := private_include
 COMPONENT_SRCDIRS := asio/asio/src port/src
 
+ifeq ($(CONFIG_ASIO_SSL_SUPPORT), )
+COMPONENT_OBJEXCLUDE := asio/asio/src/asio_ssl.o port/src/esp_asio_openssl_stubs.o
+endif
+
 COMPONENT_SUBMODULES += asio

components/asio/port/include/esp_asio_config.h

@@ -40,4 +40,11 @@
 # define ASIO_STANDALONE
 # define ASIO_HAS_PTHREADS
 
+# ifdef CONFIG_ASIO_USE_ESP_OPENSSL
+#  define ASIO_USE_ESP_OPENSSL
+#  define OPENSSL_NO_ENGINE
+# elif CONFIG_ASIO_USE_ESP_WOLFSSL
+#  define ASIO_USE_WOLFSSL
+# endif   // CONFIG_ASIO_USE_ESP_OPENSSL
+
 #endif // _ESP_ASIO_CONFIG_H_

components/asio/port/include/openssl/conf.h

@@ -14,7 +14,13 @@
 
 #ifndef _ESP_ASIO_OPENSSL_CONF_H
 #define _ESP_ASIO_OPENSSL_CONF_H
-
+#include "esp_asio_config.h"
 #include "openssl/esp_asio_openssl_stubs.h"
 
+#if defined(ASIO_USE_WOLFSSL)
+// SSLv3 Methods not present in current wolfSSL library
+#define OPENSSL_NO_SSL3
+#include_next "openssl/conf.h"
+#endif // ASIO_USE_WOLFSSL
+
 #endif // _ESP_ASIO_OPENSSL_CONF_H

components/asio/port/include/openssl/dh.h

@@ -0,0 +1,23 @@
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _ESP_ASIO_OPENSSL_DH_STUB_H
+#define _ESP_ASIO_OPENSSL_DH_STUB_H
+// Dummy header needed for ASIO compilation with esp-openssl
+
+#if defined(ASIO_USE_WOLFSSL)
+#include_next "openssl/dh.h"
+#endif // ASIO_USE_WOLFSSL
+
+#endif // _ESP_ASIO_OPENSSL_DH_STUB_H

components/asio/port/include/openssl/esp_asio_openssl_stubs.h

@@ -15,21 +15,57 @@
 #ifndef _ESP_ASIO_OPENSSL_STUBS_H
 #define _ESP_ASIO_OPENSSL_STUBS_H
 
-#include "internal/ssl_x509.h"
-#include "internal/ssl_pkey.h"
-#include "mbedtls/pem.h"
-#include <stdint.h>
-
 /**
  * @note This header contains openssl API which are NOT implemented, and are only provided
  * as stubs or no-operations to get the ASIO library compiled and working with most
  * practical use cases as an embedded application on ESP platform
  */
 
+#if defined(ASIO_USE_WOLFSSL)
+
+#include "wolfssl/ssl.h"
+// esp-wolfssl disables filesystem by default, but the ssl filesystem functions are needed for the ASIO to compile
+//  - so we could either configure wolfSSL to use filesystem
+//  - or use the default wolfSSL and declare the filesystem functions -- preferred option, as whenever
+//    the filesystem functions are used from app code (potential security impact if private keys in a filesystem)
+//    compilation fails with linking errors.
+
+#if defined(NO_FILESYSTEM)
+// WolfSSL methods that are not included in standard esp-wolfssl config, must be defined here
+// as function stubs,  so ASIO compiles, but would get link errors, if these functions were used.
+
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+typedef struct WOLFSSL_CTX      WOLFSSL_CTX;
+
+void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth);
+int SSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, const char*);
+int SSL_CTX_use_certificate_file(WOLFSSL_CTX*, const char*, int);
+int SSL_CTX_use_certificate_chain_file(WOLFSSL_CTX*, const char*);
+int SSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int);
+int SSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX*, const char*, int);
+
+#if defined(__cplusplus)
+} /* extern C */
+#endif
+
+#endif // NO_FILESYSTEM
+
+#elif defined(ASIO_USE_ESP_OPENSSL)
+
+#include "internal/ssl_x509.h"
+#include "internal/ssl_pkey.h"
+#include "mbedtls/pem.h"
+#include <stdint.h>
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
 // The most applicable OpenSSL version wrtt ASIO usage
 #define OPENSSL_VERSION_NUMBER 0x10100001L
 // SSLv2 methods not supported
@@ -40,10 +76,7 @@ extern "C" {
 #define SSL_R_SHORT_READ 219
 #define SSL_OP_ALL 0
 #define SSL_OP_SINGLE_DH_USE 0
-//#define OPENSSL_VERSION_NUMBER 0x10001000L
 #define SSL_OP_NO_COMPRESSION 0
-//#define LIBRESSL_VERSION_NUMBER 1
-//#define PEM_R_NO_START_LINE 110
 // Translates mbedTLS PEM parse error, used by ASIO
 #define PEM_R_NO_START_LINE -MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT
 
@@ -58,9 +91,6 @@ extern "C" {
 
 #define NID_subject_alt_name 85
 
-#define SSL_MODE_RELEASE_BUFFERS            0x00000000L
-#define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001L
-#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
 
 #define GEN_DNS		2
 #define GEN_IPADD	7
@@ -153,13 +183,6 @@ void *	X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx);
  */
 int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);
 
-/**
- * @brief Sets SSL mode -- not implemented
- *
- * Current implementation is no-op
- */
-uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);
-
 /**
  * @brief API provaded as declaration only
  *
@@ -182,4 +205,5 @@ int SSL_CTX_clear_chain_certs(SSL_CTX *ctx);
 } /* extern C */
 #endif
 
+#endif /* ASIO_USE_ESP_OPENSSL, ASIO_USE_WOLFSSL */
 #endif /* _ESP_ASIO_OPENSSL_STUBS_H */

components/asio/port/include/openssl/rsa.h

@@ -0,0 +1,23 @@
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _ESP_ASIO_OPENSSL_RSA_STUB_H
+#define _ESP_ASIO_OPENSSL_RSA_STUB_H
+// Dummy header needed for ASIO compilation with esp-openssl
+
+#if defined(ASIO_USE_WOLFSSL)
+#include_next "openssl/rsa.h"
+#endif // ASIO_USE_WOLFSSL
+
+#endif // _ESP_ASIO_OPENSSL_RSA_STUB_H

components/asio/port/include/openssl/x509v3.h

@@ -0,0 +1,23 @@
+// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef _ESP_ASIO_OPENSSL_X509V3_STUB_H
+#define _ESP_ASIO_OPENSSL_X509V3_STUB_H
+// Dummy header needed for ASIO compilation with esp-openssl
+
+#if defined(ASIO_USE_WOLFSSL)
+#include_next "openssl/x509v3.h"
+#endif // ASIO_USE_WOLFSSL
+
+#endif // _ESP_ASIO_OPENSSL_X509V3_STUB_H

components/asio/port/src/esp_asio_openssl_stubs.c

@@ -49,11 +49,6 @@ X509_NAME *X509_get_subject_name(X509 *a)
     return NULL;
 }
 
-uint32_t SSL_set_mode(SSL *ssl, uint32_t mode)
-{
-    return 0;
-}
-
 int SSL_CTX_clear_chain_certs(SSL_CTX *ctx)
 {
     return 1;

components/openssl/include/internal/ssl_code.h

@@ -23,6 +23,10 @@
 #include "tls1.h"
 #include "x509_vfy.h"
 
+/* Used in SSL_set_mode() -- supported mode when using BIO */
+#define SSL_MODE_ENABLE_PARTIAL_WRITE       0x00000001L
+#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L
+
 /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */
 # define SSL_SENT_SHUTDOWN       1
 # define SSL_RECEIVED_SHUTDOWN   2

components/openssl/include/internal/ssl_types.h

@@ -21,6 +21,7 @@
 
 #include "ssl_code.h"
 #include <stddef.h>
+#include <stdint.h>
 
 typedef void SSL_CIPHER;
 
@@ -256,7 +257,7 @@ struct ssl_st
 
     X509_VERIFY_PARAM param;
 
-    int err;
+    uint32_t mode;
 
     void (*info_callback) (const SSL *ssl, int type, int val);
 

components/openssl/include/openssl/err.h

@@ -22,8 +22,8 @@ extern "C" {
 #endif
 
 /**
- * @note This file contains a very simple implementation of error stack provided
- * OpenSSL library. It is OFF by default.
+ * @note This file contains a very simple implementation of error stack
+ * for ESP APIs stubs to OpenSSL
  */
 
 #define OPENSSL_PUT_SYSTEM_ERROR() \

components/openssl/include/openssl/ssl.h

@@ -22,7 +22,7 @@
 #include "internal/ssl_x509.h"
 #include "internal/ssl_pkey.h"
 #include "openssl/bio.h"
-#include "openssl/openssl_err.h"
+#include "openssl/err.h"
 
 /*
 {
@@ -1888,6 +1888,15 @@ openssl_verify_callback SSL_get_verify_callback(const SSL *s);
  */
 void RSA_free(RSA *r);
 
+/**
+ * @brief Sets SSL mode, partially implemented
+ *
+ * @param ssl SSL context
+ *
+ * @return the new mode bitmask after adding mode
+ */
+uint32_t SSL_set_mode(SSL *ssl, uint32_t mode);
+
 #ifdef __cplusplus
 }
 #endif

components/openssl/library/ssl_bio.c

@@ -15,7 +15,7 @@
 #include "ssl_lib.h"
 #include "openssl/bio.h"
 #include "ssl_dbg.h"
-#include "openssl/openssl_err.h"
+#include "openssl/err.h"
 
 #define DEFAULT_BIO_SIZE 1024
 

components/openssl/library/ssl_lib.c

@@ -1597,7 +1597,9 @@ void SSL_set_verify_depth(SSL *ssl, int depth)
 void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
 {
     SSL_ASSERT3(ctx);
-    SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED);
+    if (verify_callback) {
+        SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED);
+    }
 
     ctx->verify_mode = mode;
     ctx->default_verify_callback = verify_callback;
@@ -1609,7 +1611,9 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509
 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
 {
     SSL_ASSERT3(ssl);
-    SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED);
+    if (verify_callback) {
+        SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED);
+    }
 
     ssl->verify_mode = mode;
     ssl->verify_callback = verify_callback;
@@ -1669,3 +1673,12 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned
      ctx->ssl_alpn.alpn_list[i] = NULL;
      return 0;
 }
+
+/**
+ * @brief Set the mode, but might assert if the related mode is not supported once session starts
+ */
+uint32_t SSL_set_mode(SSL *ssl, uint32_t mode)
+{
+    ssl->mode |= mode;
+    return ssl->mode;
+}

components/openssl/platform/ssl_pm.c

@@ -25,7 +25,7 @@
 #include "mbedtls/error.h"
 #include "mbedtls/certs.h"
 #include "openssl/bio.h"
-#include "openssl/openssl_err.h"
+#include "openssl/err.h"
 
 #define X509_INFO_STRING_LENGTH 8192
 
@@ -316,7 +316,12 @@ int ssl_pm_handshake(SSL *ssl)
     struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
 
     if (ssl->bio) {
+        // if using BIO, make sure the mode is supported
+        SSL_ASSERT1(ssl->mode & (SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER));
         mbedtls_ssl_set_bio(&ssl_pm->ssl, ssl->bio, mbedtls_bio_send, mbedtls_bio_recv, NULL);
+    } else {
+        // defaults to SSL_read/write using a file descriptor -- expects default mode
+        SSL_ASSERT1(ssl->mode == 0);
     }
 
     ret = ssl_pm_reload_crt(ssl);

components/openssl/test/test_openssl.c

@@ -1,3 +1,17 @@
+/* Copyright (c) 2014, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
 #include "test_utils.h"
 #include "openssl/ssl.h"
 #include "unity.h"

docs/en/api-reference/protocols/asio.rst

@@ -14,12 +14,12 @@ Asio also comes with a number of examples which could be find under Documentatio
 Supported features
 ^^^^^^^^^^^^^^^^^^
 ESP platform port currently supports only network asynchronous socket operations; does not support serial port.
-SSL/TLS support if disabled by default and could be enabled in component configuration menu and choosing TLS library from
+SSL/TLS support is disabled by default and could be enabled in component configuration menu by choosing TLS library from
 
 - mbedTLS with OpenSSL translation layer (default option)
 - wolfSSL
 
-SSL support is very basic at this stage, not including
+SSL support is very basic at this stage and it does include following features:
 
 - Verification callbacks
 - DH property files

examples/protocols/asio/ssl_client_server/main/CMakeLists.txt

@@ -1,3 +1,3 @@
 idf_component_register(SRCS "asio_ssl_main.cpp"
                     INCLUDE_DIRS "."
-        EMBED_TXTFILES cacert.pem prvtkey.pem)
+        EMBED_TXTFILES ca.crt server.key srv.crt)

examples/protocols/asio/ssl_client_server/main/Kconfig.projbuild

@@ -25,4 +25,12 @@ menu "Example Configuration"
         help
             Asio example server ip for the ASIO client to connect to.
 
+    config EXAMPLE_CLIENT_VERIFY_PEER
+        bool "Client to verify peer"
+        default n
+        depends on EXAMPLE_CLIENT
+        help
+            This option sets client's mode to verify peer, default is
+            verify-none
+
 endmenu

examples/protocols/asio/ssl_client_server/main/asio_ssl_main.cpp

@@ -1,3 +1,10 @@
+//
+// Copyright (c) 2003-2019 Christopher M. Kohlhoff (chris at kohlhoff dot com)
+//
+// Distributed under the Boost Software License, Version 1.0. (See accompanying
+// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt)
+//
+
 #include <string>
 #include "protocol_examples_common.h"
 #include "esp_event.h"
@@ -11,30 +18,36 @@
 #include "asio/buffer.hpp"
 #include "esp_pthread.h"
 
-extern const unsigned char cacert_pem_start[] asm("_binary_cacert_pem_start");
-extern const unsigned char cacert_pem_end[]   asm("_binary_cacert_pem_end");
+extern const unsigned char server_pem_start[] asm("_binary_srv_crt_start");
+extern const unsigned char server_pem_end[]   asm("_binary_srv_crt_end");
 
-extern const unsigned char prvtkey_pem_start[] asm("_binary_prvtkey_pem_start");
-extern const unsigned char prvtkey_pem_end[]   asm("_binary_prvtkey_pem_end");
+extern const unsigned char cacert_pem_start[] asm("_binary_ca_crt_start");
+extern const unsigned char cacert_pem_end[]   asm("_binary_ca_crt_end");
+
+extern const unsigned char prvtkey_pem_start[] asm("_binary_server_key_start");
+extern const unsigned char prvtkey_pem_end[]   asm("_binary_server_key_end");
 
 const asio::const_buffer cert_chain(cacert_pem_start, cacert_pem_end - cacert_pem_start);
 const asio::const_buffer privkey(prvtkey_pem_start, prvtkey_pem_end - prvtkey_pem_start);
-
-using asio::ip::tcp;
+const asio::const_buffer server_cert(server_pem_start, server_pem_end - server_pem_start);
 
 using asio::ip::tcp;
 
 enum { max_length = 1024 };
 
-class client
-{
+class Client {
 public:
-    client(asio::io_context& io_context,
+    Client(asio::io_context& io_context,
            asio::ssl::context& context,
            const tcp::resolver::results_type& endpoints)
             : socket_(io_context, context)
     {
+
+#if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER
         socket_.set_verify_mode(asio::ssl::verify_peer);
+#else
+        socket_.set_verify_mode(asio::ssl::verify_none);
+#endif // CONFIG_EXAMPLE_CLIENT_VERIFY_PEER
 
         connect(endpoints);
     }
@@ -117,10 +130,9 @@ private:
     char reply_[max_length];
 };
 
-class session : public std::enable_shared_from_this<session>
-{
+class Session : public std::enable_shared_from_this<Session> {
 public:
-    session(tcp::socket socket, asio::ssl::context& context)
+    Session(tcp::socket socket, asio::ssl::context& context)
             : socket_(std::move(socket), context)
     {
     }
@@ -174,20 +186,19 @@ private:
     }
 
     asio::ssl::stream<tcp::socket> socket_;
-    char data_[1024];
+    char data_[max_length];
 };
 
-class server
-{
+class Server {
 public:
-    server(asio::io_context& io_context, unsigned short port)
+    Server(asio::io_context& io_context, unsigned short port)
             : acceptor_(io_context, tcp::endpoint(tcp::v4(), port)),
               context_(asio::ssl::context::tls_server)
     {
         context_.set_options(
                 asio::ssl::context::default_workarounds
                 | asio::ssl::context::no_sslv2);
-        context_.use_certificate_chain(cert_chain);
+        context_.use_certificate_chain(server_cert);
         context_.use_private_key(privkey, asio::ssl::context::pem);
 
         do_accept();
@@ -201,7 +212,7 @@ private:
                 {
                     if (!error)
                     {
-                        std::make_shared<session>(std::move(socket), context_)->start();
+                        std::make_shared<Session>(std::move(socket), context_)->start();
                     }
 
                     do_accept();
@@ -225,7 +236,7 @@ void ssl_server_thread()
 {
     asio::io_context io_context;
 
-    server s(io_context, 443);
+    Server s(io_context, 443);
 
     io_context.run();
 }
@@ -240,9 +251,11 @@ void ssl_client_thread()
     auto endpoints = resolver.resolve(server_ip, server_port);
 
     asio::ssl::context ctx(asio::ssl::context::tls_client);
-    ctx.use_certificate_chain(cert_chain);
+#if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER
+    ctx.add_certificate_authority(cert_chain);
+#endif // CONFIG_EXAMPLE_CLIENT_VERIFY_PEER
 
-    client c(io_context, ctx, endpoints);
+    Client c(io_context, ctx, endpoints);
 
     io_context.run();
 

examples/protocols/asio/ssl_client_server/main/ca.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDkzCCAnugAwIBAgIUNI5wldYysh6rtCzYmda6H414aRswDQYJKoZIhvcNAQEL
+BQAwWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJRXNwcmVzc2lmMB4X
+DTIwMDEyMTA5MDk0NloXDTI1MDEyMDA5MDk0NlowWTELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDESMBAGA1UEAwwJRXNwcmVzc2lmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
+MIIBCgKCAQEAyadSpRnIQBVbEAsbpkrKrOMlBOMIUmA8AfNyOYPLfv0Oa5lBiMAV
+3OQDu5tYyFYKwkCUqq65iAm50fPbSH71w1tkja6nZ1yAIM+TvpMlM/WiFGrhY+Tc
+kAcLcKUJyPxrv/glzoVslbqUgIhuhCSKA8uk1+ILcn3nWzPcbcowLx31+AHeZj8h
+bIAdj6vjqxMCFStp4IcA+ikmCk75LCN4vkkifdkebb/ZDNYCZZhpCBnCHyFAjPc4
+7C+FDVGT3/UUeeTy+Mtn+MqUAhB+W0sPDm1n2h59D4Z/MFm0hl6GQCAKeMJPzssU
+BBsRm6zoyPQ4VTqG0uwfNNbORyIfKONMUwIDAQABo1MwUTAdBgNVHQ4EFgQUGYLV
+EkgWzxjpltE6texha7zZVxowHwYDVR0jBBgwFoAUGYLVEkgWzxjpltE6texha7zZ
+VxowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAb2EF4Zg2XWNb
+eZHnzupCDd9jAhwPqkt7F1OXvxJa/RFUSB9+2izGvikGGhuKY4f0iLuqF+bhExD9
+sapDcdFO2Suh4J3onbwEvmKvsv56K3xhapYg8WwPofpkVirnkwFjpQXGzrYxPujg
+BPmSy3psQrhvOr/WH7SefJv2qr4ikaugfE+3enY4PL+C1dSQAuNo1QGgWsZIu0c8
+TZybNZ13vNVMA+tgj2CM8FR3Etaabwtu3TTcAnO7aoBTix/bLBTuZoczhN8/MhG3
+GylmDzFI8a6aKxQL3Fi4PsM82hRKWu3gfs39sR1Ci4V22v8uO5EWBPK0QZvDSc1a
+KwwxI4zA0w==
+-----END CERTIFICATE-----

examples/protocols/asio/ssl_client_server/main/cacert.pem

@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDezCCAmOgAwIBAgIJAPMMNobNczaUMA0GCSqGSIb3DQEBBAUAMHQxEzARBgNV
-BAMTCk15IFRlc3QgQ0ExCzAJBgNVBAgTAkhaMQswCQYDVQQGEwJDTjEcMBoGCSqG
-SIb3DQEJARYNdGVzdEBjZXJ0LmNvbTElMCMGA1UEChMcUm9vdCBDZXJ0aWZpY2F0
-aW9uIEF1dGhvcml0eTAeFw0xNjExMTUwNTA0MThaFw0xOTExMTUwNTA0MThaMHQx
-EzARBgNVBAMTCk15IFRlc3QgQ0ExCzAJBgNVBAgTAkhaMQswCQYDVQQGEwJDTjEc
-MBoGCSqGSIb3DQEJARYNdGVzdEBjZXJ0LmNvbTElMCMGA1UEChMcUm9vdCBDZXJ0
-aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
-ggEBALDjSPDlomepHCzbw4MUrquQAU0xTV4/Npb27k9I5TRVTjIoOs/5hNI2LPFW
-e4CREx09ZrT8K3NFOBoSy7bhPAsjGaFxCYYWc9tiX1m5gq3ToVRSmbZ65fE3kvnI
-8E/d5VyzA0OMmWbfaolBSTMoWgqRynEaT+z1Eh2yDTzVFy9eov1DdQFUqGDqbH5b
-QYvTY5Fyem7UcKWAe2yS0j3H4dVtVBKNY7qV3Px08yGAs5fQFgUwhyB5+qwhvkeL
-JdgapGaSTwLgoQKWHbe/lA3NiBIB9hznFUGKo3hmniAvYZbrQcn3tc0l/J4I39v2
-Pm29FAyjWvQyBkGktz2q4elOZYkCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkq
-hkiG9w0BAQQFAAOCAQEAJCJ+97oae/FcOLbPpjCpUQnWqYydgSChgalkZNvr4fVp
-TnuNg471l0Y2oTJLoWn2YcbPSFVOEeKkU47mpjMzucHHp0zGaW9SdzhZalWwmbgK
-q2ijecIbuFHFNedYTk/03K7eaAcjVhD8e0oOJImeLOL6DAFivA1LUnSgXsdGPDtD
-zhISsCPTu+cL1j0yP6HBvLeAyb8kaCWJ05RtiVLRANNHQn/keHajJYpMwnEEbJdG
-cqN3whfJoGVbZ6isEf2RQJ0pYRnP7uGLW3wGkLWxfdto8uER8HVDx7fZpevLIqGd
-1OoSEi3cIJXWBAjx0TLzzhtb6aeIxBJWQqHThtkKdg==
------END CERTIFICATE-----

examples/protocols/asio/ssl_client_server/main/component.mk

@@ -7,5 +7,6 @@
 # please read the ESP-IDF documents if you need to do this.
 #
 
-COMPONENT_EMBED_TXTFILES := cacert.pem
-COMPONENT_EMBED_TXTFILES += prvtkey.pem
+COMPONENT_EMBED_TXTFILES := ca.crt
+COMPONENT_EMBED_TXTFILES += server.key
+COMPONENT_EMBED_TXTFILES += srv.crt

examples/protocols/asio/ssl_client_server/main/prvtkey.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEpAIBAAKCAQEAsONI8OWiZ6kcLNvDgxSuq5ABTTFNXj82lvbuT0jlNFVOMig6
-z/mE0jYs8VZ7gJETHT1mtPwrc0U4GhLLtuE8CyMZoXEJhhZz22JfWbmCrdOhVFKZ
-tnrl8TeS+cjwT93lXLMDQ4yZZt9qiUFJMyhaCpHKcRpP7PUSHbINPNUXL16i/UN1
-AVSoYOpsfltBi9NjkXJ6btRwpYB7bJLSPcfh1W1UEo1jupXc/HTzIYCzl9AWBTCH
-IHn6rCG+R4sl2BqkZpJPAuChApYdt7+UDc2IEgH2HOcVQYqjeGaeIC9hlutByfe1
-zSX8ngjf2/Y+bb0UDKNa9DIGQaS3Parh6U5liQIDAQABAoIBAB9K9jp3xXVlO3DM
-KBhmbkg3n6NSV4eW00d9w8cO9E1/0eeZql3knJS7tNO1IwApqiIAHM1j1yP7WONz
-88oUqpSlzwD6iF7KVhC3pHqxEOdDi0Tpn/viXg+Ab2X1IF5guRTfLnKiyviiCazi
-edqtBtDb3d6Icx9Oc7gBKcpbQFDGt++wSOb5L+xhRm9B5B4l/6byikiPeKqIK5tC
-SoP9Zr1mvpNoGm1P4LvEunFJcRBqVI010VNwfO9P98oVyzJu9/FZZrQxXoY9JdXF
-OM6nbl+hMDM3TkEOda9NvBhImozEAvuc97CaaXyR3XivxMqNqNIb4+syUPa2PCS3
-ZztI5qECgYEA1gbVG6ifpvpbBkDPi3Im8fM3F7FLLrQc48FdFjdMvDhHD9lVKucD
-Uaa8PF9dbbvlu2cwMyfBOKSuWaXxRxRsiqiPmTunS1MvPzQcSrGwUrL2AogGucn6
-+NrLQf5P4H5IpkDQ9ih3zwjO6xKFK1WeYnYpHM8qUBtl6q0YFyVBPu0CgYEA05Pn
-StWA4D7VSbNnVi6lvFyEOUsTrK3v419598TFiq4eXLq6aV8/CQYzKsSzoG+aOZhX
-Li+0uyT5cNzUcXYhTsW1hA/pNhMfxMrYiB1x14zlLp2WRGg4vd/+SxX6d9Yd3acX
-7QzPKgdDicXs9QN8ozJOICKvNbUI53AJdATVEY0CgYEAwvpGeoQLrdq1weSZLrg3
-soOX1QW3MDz1dKdbXjnStkWut0mOxR7fbysuoPFf8/ARQcCnsHKvHCMqkpESVWbN
-2yPkbfxiU8Tcbf/TJljqAOz4ISY6ula/RKZONTixHBrvpEW4GAiV3Q5xMsYUe33s
-ZFaw7YXtTj0ng7tdDvjpj6ECgYEApHdUU9ejVq2BHslWiqe4LbO9FMxHfvO2hgix
-xugupp6y+2Irhb2EQn+PRq+g8hXOzPaezkhHNTKItDL08T3iplkJwJ6dqmszRsZn
-i2dYFzZu8M2PAZ4CfZahFbz/9id7D9HTx3EtmH4NAgvZJpyPRkzUbiaIDDettDpj
-Hsyi1AECgYAPLvjBzQj4kPF8Zo9pQEUcz4pmupRVfv3aRfjnahDK4qZHEePDRj+J
-W7pzayrs1dyN9QLB8pTc424z7f8MB3llCICN+ohs8CR/eW0NEobE9ldDOeoCr1Vh
-NhNSbrN1iZ8U4oLkRTMaDKkVngGffvjGi/q0tOU7hJdZOqNlk2Iahg==
------END RSA PRIVATE KEY-----

examples/protocols/asio/ssl_client_server/main/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAlUCywNhVv4RO2y9h/XGKZ1azzk3jzHpSBzIGO9LoiA8trC/p
+1ykGaUfYPJllYK4HMhC4fUyE3J7tVL2Eskzl26LNPLbEoaBWZM9NhV3iA1/1EtOu
+p6umLx+y3sDfvK35YAOUbjdAlBfhnJ4r8h7oTsxl3J5jZ18zgjJnJi2NEFq/yTpO
+MiwHLWPjy25fDFixfV9UzSvbgt1JaGPmC7c4QkhHzjyp0+ikuvRIw0p9BBNeqBV2
+da3qBMB5FtodUJTAz6o6OKWbTalLjQi6C1H6z9TnY7IrJBUOy/FWkQH/sEsLdscD
+hHa1Dz2oT203QjhzyOSfnNF95D/1MdNcMt6l0wIDAQABAoIBAC1JJTOoMFRc48RT
+myrYQYNbZlEphv3q+2qdfhC2zMFDwbrmCtCy7PQSzYSNkpoEE8DYG/JAvmtmeWJl
+4pZrCK9ctWM/nWfhC3WpBL97nfEiM20T94F+bn0L5Cz8XqaULv839th+QUTt/hGU
+WIctY5VNJXcMQ+MAmtNdUbjex1d3iuxiKHUo4nDoZ8digKFNdtdP5B5nlMq5chCL
+mxNRcsGsx2dDAxbGUapdTVPWHPJKpLOBoSkluDsfd2KZADFU2R1SJpAX9+RYh3HM
+5FTUdHTUaISxbKkgeDKlEM0lqk2TtGUwCyEj098ewi7Wzsu9w60IplPPUJx5FRG6
+jp3wzLkCgYEAxKp5T20rf/7ysX7x053I7VCjDXUxAaWOEj1uS3AhOkl0NaZg7Di+
+y53fWNkcHdkt2n2LqMt/43UgMYq3TVVcq2eunPNF11e1bJw8CjDafwDs4omwwyVn
+lYhPuB4dK2OAib+vU5Zqpp0kZMoxk2MZVgon8z+s8DW/zmB6aFqAWeUCgYEAwkhC
+OgmXKMdjOCVy5t2f5UbY8Y9rV3w8eUATuJ47MMwLr4pGYnKoEn9JB4ltWrHv/u5S
+fOv3tIrrCEvnCoCbOILwCsY5LqTNXgqova8FB6RpMUQCzhDd8LHuvdHv0WMnMzX1
+3PKuqwh8JS55m4WqZRhzr5BFKG4fHPVs4IcaJVcCgYAzzCaJSdqUKqTnJOUydDNQ
+ddWMHNqccWs62J0tF0pZHLGT089hSAzQejMyJnSmU+Ykzr4y5e44DUg+ZCelIZ93
+saYmxlgVwI8THQ8fLADQRIEfpV4996MRmkZM2vmZzOo03Zyi6lIKsga82Rg3lnk8
+1Q3ynknBNpbfF0AGLhfyFQKBgBYlxJ73HutAJ5hr9HhLBYJOnEaVUehMOlycKGNg
+bmD2sdJWEgYBChXpurqIORYguLo4EuE4ySkkuPxeIr14wbkkfBbOWBBwKxUwY+IT
+xKAFZxR9q1AwbgyVTCEJgKw/AGX/HcMNS0omEnjunmBTUYRq0C1QZgHg490aQUor
+PJjLAoGAevzdTpFlVeuKeYh1oDubGO1LinyXpBv7fPFjl+zu4AVbjojcU6yC4OO6
+QvqopE6SyAECKy8kAOFcESPsGc9Lta2XUvI203z7pIVlNVEcJ0+90mQh3Mn1U46l
+sZ49PdRvNwNb5wvkh1UqNsMlGFbRlzMbIk45ou4311kCobowZek=
+-----END RSA PRIVATE KEY-----

examples/protocols/asio/ssl_client_server/main/srv.crt

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC9DCCAdwCFA1lSIcHwYKdB2UqOrZxZnVgPObTMA0GCSqGSIb3DQEBCwUAMFkx
+CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
+cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCUVzcHJlc3NpZjAeFw0yMDA2
+MTIwNjA0MTNaFw0yMjA2MDIwNjA0MTNaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJVAssDYVb+ETtsvYf1ximdW
+s85N48x6UgcyBjvS6IgPLawv6dcpBmlH2DyZZWCuBzIQuH1MhNye7VS9hLJM5dui
+zTy2xKGgVmTPTYVd4gNf9RLTrqerpi8fst7A37yt+WADlG43QJQX4ZyeK/Ie6E7M
+ZdyeY2dfM4IyZyYtjRBav8k6TjIsBy1j48tuXwxYsX1fVM0r24LdSWhj5gu3OEJI
+R848qdPopLr0SMNKfQQTXqgVdnWt6gTAeRbaHVCUwM+qOjilm02pS40IugtR+s/U
+52OyKyQVDsvxVpEB/7BLC3bHA4R2tQ89qE9tN0I4c8jkn5zRfeQ/9THTXDLepdMC
+AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAnMYGW+idt37bEE4WPgrRorKWuplR+zHD
+wJFz53DQzyIZJHmJ2hR5U0jNcHy/nMq7tbdz9LZPrVF4lZJ3TJhnmkOKjMFPCQE8
+YcmsP3il6eXgtGqg53InOi/uJqEQ9TfM54cbpp6xKbnmpwk4uprISBRQt7u2ZLk2
+40ED6zgjFPDTYmSjSpb2AN6KUB6PflgVs+4p9ViHNq4U3AlYV/BM0+3G4aMX2wNl
+ZIpQfOyuaYD5MU50mY+O+gDiiypkpYf6a6S4YJ1sMbavDsP7bW5UMnP0jKYR549q
+5hF1fdkXq52DfJ9ya2kl3mANFkKssQV+1KCBMxGoeqfakmJfa03xXA==
+-----END CERTIFICATE-----

examples/protocols/asio/ssl_client_server/partitions.csv

@@ -2,4 +2,4 @@
 # Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap
 nvs,      data, nvs,     0x9000,  0x6000,
 phy_init, data, phy,     0xf000,  0x1000,
-factory,  app,  factory, 0x10000, 1200000,
+factory,  app,  factory, 0x10000, 1400000,

examples/protocols/asio/ssl_client_server/sdkconfig.ci

@@ -3,4 +3,4 @@ CONFIG_EXAMPLE_SERVER=y
 CONFIG_EXAMPLE_SERVER_NAME="localhost"
 CONFIG_EXAMPLE_CONNECT_WIFI=n
 CONFIG_EXAMPLE_CONNECT_ETHERNET=n
-
+CONFIG_EXAMPLE_CLIENT_VERIFY_PEER=y

examples/protocols/asio/ssl_client_server/sdkconfig.defaults

@@ -1,3 +1,4 @@
+CONFIG_ASIO_SSL_SUPPORT=y
 CONFIG_PARTITION_TABLE_CUSTOM=y
 CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv"
 CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"