diff --git a/components/asio/CMakeLists.txt b/components/asio/CMakeLists.txt
index b55dc56ab3..e45f2c95f5 100644
--- a/components/asio/CMakeLists.txt
+++ b/components/asio/CMakeLists.txt
@@ -1,5 +1,33 @@
-idf_component_register(SRCS "asio/asio/src/asio.cpp"
- "asio/asio/src/asio_ssl.cpp"
- "port/src/esp_asio_openssl_stubs.c"
+set(asio_sources "asio/asio/src/asio.cpp")
+
+if (CONFIG_ASIO_SSL_SUPPORT)
+ if(CONFIG_ASIO_USE_ESP_OPENSSL)
+ list(APPEND asio_sources
+ "asio/asio/src/asio_ssl.cpp"
+ "port/src/esp_asio_openssl_stubs.c")
+ endif()
+
+ if(CONFIG_ASIO_USE_ESP_WOLFSSL)
+ list(APPEND asio_sources
+ "asio/asio/src/asio_ssl.cpp")
+ endif()
+endif()
+
+idf_component_register(SRCS ${asio_sources}
 INCLUDE_DIRS "asio/asio/include" "port/include"
- REQUIRES lwip openssl)
+ REQUIRES lwip)
+
+if (CONFIG_ASIO_SSL_SUPPORT)
+ if(CONFIG_ASIO_USE_ESP_WOLFSSL)
+ idf_component_get_property(wolflib esp-wolfssl COMPONENT_LIB)
+ idf_component_get_property(wolfdir esp-wolfssl COMPONENT_DIR)
+
+ target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolflib})
+ target_include_directories(${COMPONENT_LIB} PUBLIC ${wolfdir}/wolfssl/wolfssl)
+ endif()
+
+ if(CONFIG_ASIO_USE_ESP_OPENSSL)
+ idf_component_get_property(esp_openssl openssl COMPONENT_LIB)
+ target_link_libraries(${COMPONENT_LIB} PUBLIC ${esp_openssl})
+ endif()
+endif()
diff --git a/components/asio/Kconfig b/components/asio/Kconfig
new file mode 100644
index 0000000000..582410e7ce
--- /dev/null
+++ b/components/asio/Kconfig
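Review bot: `target_include_directories(${COMPONENT_LIB} PUBLIC ${wolfdir}/wolfssl/wolfssl)` expands the component directory unquoted, so a checkout path containing a space or semicolon is split into several arguments; write it as `target_include_directories(${COMPONENT_LIB} PUBLIC "${wolfdir}/wolfssl/wolfssl")`. The two `target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolflib})` / `${esp_openssl}` calls have a related weakness: if `idf_component_get_property` leaves the variable empty (component not part of the build), the unquoted expansion vanishes and the link silently becomes a no-op, so a `if(NOT wolflib)` / `message(FATAL_ERROR ...)` guard after each lookup would surface the misconfiguration at configure time. As a point of style, the new code mixes `if (CONFIG_ASIO_SSL_SUPPORT)` with `if(CONFIG_ASIO_USE_ESP_OPENSSL)`; pick one spelling.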
@@ -0,0 +1,25 @@ +menu "ESP-ASIO" + config ASIO_SSL_SUPPORT + bool "Enable SSL/TLS support of ASIO" + default n + help + Enable support for basic SSL/TLS features, available for mbedTLS/OpenSSL + as well as wolfSSL TLS library. + + choice ASIO_SSL_LIBRARY_CHOICE + prompt "Choose SSL/TLS library for ESP-TLS (See help for more Info)" + default ASIO_USE_ESP_OPENSSL + depends on ASIO_SSL_SUPPORT + help + The ASIO support multiple backend TLS libraries. Currently the mbedTLS with a thin ESP-OpenSSL + port layer (default choice) and WolfSSL are supported. + Different TLS libraries may support different features and have different resource + usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details. + config ASIO_USE_ESP_OPENSSL + bool "esp-openssl" + config ASIO_USE_ESP_WOLFSSL + depends on TLS_STACK_WOLFSSL + bool "wolfSSL (License info in wolfSSL directory README)" + endchoice + +endmenu diff --git a/components/asio/asio b/components/asio/asio index 61702cd13b..f31694c9f1 160000 --- a/components/asio/asio +++ b/components/asio/asio @@ -1 +1 @@ -Subproject commit 61702cd13be0b8c9800a9793daae72768ede26af +Subproject commit f31694c9f1746ba189a4bcae2e34db15135ddb22 diff --git a/components/asio/component.mk b/components/asio/component.mk index 0c2919e24e..30b2907bbb 100644 --- a/components/asio/component.mk +++ b/components/asio/component.mk @@ -2,4 +2,8 @@ COMPONENT_ADD_INCLUDEDIRS := asio/asio/include port/include COMPONENT_PRIV_INCLUDEDIRS := private_include COMPONENT_SRCDIRS := asio/asio/src port/src +ifeq ($(CONFIG_ASIO_SSL_SUPPORT), ) +COMPONENT_OBJEXCLUDE := asio/asio/src/asio_ssl.o port/src/esp_asio_openssl_stubs.o +endif + COMPONENT_SUBMODULES += asio diff --git a/components/asio/port/include/esp_asio_config.h b/components/asio/port/include/esp_asio_config.h index 750f4cbe3f..bcf8c38d40 100644 --- a/components/asio/port/include/esp_asio_config.h +++ b/components/asio/port/include/esp_asio_config.h 
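Review bot: The choice prompt `"Choose SSL/TLS library for ESP-TLS (See help for more Info)"` names ESP-TLS although this option selects the TLS backend for ASIO, which is misleading in menuconfig; change it to `prompt "Choose SSL/TLS library for ASIO (See help for more Info)"`. The help text under it has the same copy-paste origin ("The ASIO support multiple backend TLS libraries" should read "ASIO supports multiple backend TLS libraries", and the pointer to the ESP-TLS documentation should point at the ASIO page). `ASIO_USE_ESP_WOLFSSL` depends on `TLS_STACK_WOLFSSL`, which presumably comes from the esp-wolfssl component's Kconfig; when that component is absent the entry simply disappears, so one help sentence saying that wolfSSL requires the esp-wolfssl component would save users a search.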
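Review bot: The legacy make build excludes `asio_ssl.o` and `esp_asio_openssl_stubs.o` only when `CONFIG_ASIO_SSL_SUPPORT` is empty, so with SSL enabled and `CONFIG_ASIO_USE_ESP_WOLFSSL` selected it still compiles the esp-openssl stubs and never adds the wolfSSL include path or library, whereas the CMake build in this diff compiles the stubs only for the esp-openssl backend. If the make build is intended to support esp-openssl only, say so: `# wolfSSL backend is only supported by the CMake build`. Otherwise mirror the CMake logic, e.g. `ifeq ($(CONFIG_ASIO_USE_ESP_WOLFSSL), y)` / `COMPONENT_OBJEXCLUDE += port/src/esp_asio_openssl_stubs.o` / `endif`, plus the corresponding wolfSSL include and link settings.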
@@ -40,4 +40,11 @@ # define ASIO_STANDALONE # define ASIO_HAS_PTHREADS +# ifdef CONFIG_ASIO_USE_ESP_OPENSSL +# define ASIO_USE_ESP_OPENSSL +# define OPENSSL_NO_ENGINE +# elif CONFIG_ASIO_USE_ESP_WOLFSSL +# define ASIO_USE_WOLFSSL +# endif // CONFIG_ASIO_USE_ESP_OPENSSL + #endif // _ESP_ASIO_CONFIG_H_ diff --git a/components/asio/port/include/openssl/conf.h b/components/asio/port/include/openssl/conf.h index 9c46bd14a0..f125c3e6cf 100644 --- a/components/asio/port/include/openssl/conf.h +++ b/components/asio/port/include/openssl/conf.h @@ -14,7 +14,13 @@ #ifndef _ESP_ASIO_OPENSSL_CONF_H #define _ESP_ASIO_OPENSSL_CONF_H - +#include "esp_asio_config.h" #include "openssl/esp_asio_openssl_stubs.h" +#if defined(ASIO_USE_WOLFSSL) +// SSLv3 Methods not present in current wolfSSL library +#define OPENSSL_NO_SSL3 +#include_next "openssl/conf.h" +#endif // ASIO_USE_WOLFSSL + #endif // _ESP_ASIO_OPENSSL_CONF_H diff --git a/components/asio/port/include/openssl/dh.h b/components/asio/port/include/openssl/dh.h new file mode 100644 index 0000000000..def713cfd3 --- /dev/null +++ b/components/asio/port/include/openssl/dh.h 
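Review bot: `# elif CONFIG_ASIO_USE_ESP_WOLFSSL` tests the macro's value rather than its presence, which is inconsistent with the `# ifdef CONFIG_ASIO_USE_ESP_OPENSSL` branch above it and warns under `-Wundef` whenever the option is unset; write `# elif defined(CONFIG_ASIO_USE_ESP_WOLFSSL)`. The closing marker `// CONFIG_ASIO_USE_ESP_OPENSSL` names only the first branch; `// CONFIG_ASIO_USE_ESP_OPENSSL / CONFIG_ASIO_USE_ESP_WOLFSSL` is clearer. When `CONFIG_ASIO_SSL_SUPPORT` is off neither branch fires and no `ASIO_USE_*` macro is defined, which looks intentional, but a one-line comment stating that the block is deliberately empty in that case would spare the next reader a trip to Kconfig.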
@@ -0,0 +1,23 @@ +// Copyright 2020 Espressif Systems (Shanghai) PTE LTD +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef _ESP_ASIO_OPENSSL_DH_STUB_H +#define _ESP_ASIO_OPENSSL_DH_STUB_H +// Dummy header needed for ASIO compilation with esp-openssl + +#if defined(ASIO_USE_WOLFSSL) +#include_next "openssl/dh.h" +#endif // ASIO_USE_WOLFSSL + +#endif // _ESP_ASIO_OPENSSL_DH_STUB_H diff --git a/components/asio/port/include/openssl/esp_asio_openssl_stubs.h b/components/asio/port/include/openssl/esp_asio_openssl_stubs.h index 611b4e784e..fde5231722 100644 --- a/components/asio/port/include/openssl/esp_asio_openssl_stubs.h +++ b/components/asio/port/include/openssl/esp_asio_openssl_stubs.h 
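Review bot: The comment `// Dummy header needed for ASIO compilation with esp-openssl` describes only half of what this file does: for esp-openssl it is an empty placeholder, but under `ASIO_USE_WOLFSSL` it forwards to the next `openssl/dh.h` on the include path (presumably wolfSSL's OpenSSL-compatibility header) via `#include_next`. Suggest `// Placeholder for esp-openssl (no DH support); forwards to wolfSSL's openssl/dh.h when ASIO_USE_WOLFSSL is set`. The same comment appears in the new `openssl/rsa.h` and `openssl/x509v3.h` headers in this diff. `#include_next` is a GCC/Clang extension and depends on this directory preceding the wolfSSL include directory in the search order, which the CMakeLists change sets up; a short note to that effect helps anyone who later reorders include paths.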
@@ -15,21 +15,57 @@ #ifndef _ESP_ASIO_OPENSSL_STUBS_H #define _ESP_ASIO_OPENSSL_STUBS_H -#include "internal/ssl_x509.h" -#include "internal/ssl_pkey.h" -#include "mbedtls/pem.h" -#include - /** * @note This header contains openssl API which are NOT implemented, and are only provided * as stubs or no-operations to get the ASIO library compiled and working with most * practical use cases as an embedded application on ESP platform */ +#if defined(ASIO_USE_WOLFSSL) + +#include "wolfssl/ssl.h" +// esp-wolfssl disables filesystem by default, but the ssl filesystem functions are needed for the ASIO to compile +// - so we could either configure wolfSSL to use filesystem +// - or use the default wolfSSL and declare the filesystem functions -- preferred option, as whenever +// the filesystem functions are used from app code (potential security impact if private keys in a filesystem) +// compilation fails with linking errors. + +#if defined(NO_FILESYSTEM) +// WolfSSL methods that are not included in standard esp-wolfssl config, must be defined here +// as function stubs, so ASIO compiles, but would get link errors, if these functions were used. 
+ #ifdef __cplusplus extern "C" { #endif +typedef struct WOLFSSL_CTX WOLFSSL_CTX; + +void wolfSSL_CTX_set_verify_depth(WOLFSSL_CTX *ctx,int depth); +int SSL_CTX_load_verify_locations(WOLFSSL_CTX*, const char*, const char*); +int SSL_CTX_use_certificate_file(WOLFSSL_CTX*, const char*, int); +int SSL_CTX_use_certificate_chain_file(WOLFSSL_CTX*, const char*); +int SSL_CTX_use_PrivateKey_file(WOLFSSL_CTX*, const char*, int); +int SSL_CTX_use_RSAPrivateKey_file(WOLFSSL_CTX*, const char*, int); + +#if defined(__cplusplus) +} /* extern C */ +#endif + +#endif // NO_FILESYSTEM + +#elif defined(ASIO_USE_ESP_OPENSSL) + +#include "internal/ssl_x509.h" +#include "internal/ssl_pkey.h" +#include "mbedtls/pem.h" +#include + + +#ifdef __cplusplus +extern "C" { +#endif + + // The most applicable OpenSSL version wrtt ASIO usage #define OPENSSL_VERSION_NUMBER 0x10100001L // SSLv2 methods not supported @@ -40,10 +76,7 @@ extern "C" { #define SSL_R_SHORT_READ 219 #define SSL_OP_ALL 0 #define SSL_OP_SINGLE_DH_USE 0 -//#define OPENSSL_VERSION_NUMBER 0x10001000L #define SSL_OP_NO_COMPRESSION 0 -//#define LIBRESSL_VERSION_NUMBER 1 -//#define PEM_R_NO_START_LINE 110 // Translates mbedTLS PEM parse error, used by ASIO #define PEM_R_NO_START_LINE -MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT @@ -58,9 +91,6 @@ extern "C" { #define NID_subject_alt_name 85 -#define SSL_MODE_RELEASE_BUFFERS 0x00000000L -#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L -#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L #define GEN_DNS 2 #define GEN_IPADD 7 @@ -153,13 +183,6 @@ void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx,int idx); */ int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh); -/** - * @brief Sets SSL mode -- not implemented - * - * Current implementation is no-op - */ -uint32_t SSL_set_mode(SSL *ssl, uint32_t mode); - /** * @brief API provaded as declaration only * 
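Review bot: If neither `ASIO_USE_WOLFSSL` nor `ASIO_USE_ESP_OPENSSL` is defined when this header is processed (a translation unit that reaches the openssl stubs without `esp_asio_config.h`, or `CONFIG_ASIO_SSL_SUPPORT` left off while ASIO's SSL code is still compiled), the header now silently expands to nothing and the failure shows up later as unrelated missing-declaration errors. An `#else` / `#error "esp_asio_config.h must define ASIO_USE_ESP_OPENSSL or ASIO_USE_WOLFSSL"` before the closing `#endif` would make the misconfiguration obvious at the first include. The `typedef struct WOLFSSL_CTX WOLFSSL_CTX;` after `#include "wolfssl/ssl.h"` appears redundant if that header already declares the type, which I believe it does; a duplicate identical typedef compiles on GCC but deserves either removal or a comment explaining why it is repeated. This hunk starts at line 15, so the include guard and the remaining esp-openssl stub declarations are outside it.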
@@ -182,4 +205,5 @@ int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); } /* extern C */ #endif +#endif /* ASIO_USE_ESP_OPENSSL, ASIO_USE_WOLFSSL */ #endif /* _ESP_ASIO_OPENSSL_STUBS_H */ diff --git a/components/asio/port/include/openssl/rsa.h b/components/asio/port/include/openssl/rsa.h new file mode 100644 index 0000000000..5d9d10e82b --- /dev/null +++ b/components/asio/port/include/openssl/rsa.h @@ -0,0 +1,23 @@ +// Copyright 2020 Espressif Systems (Shanghai) PTE LTD +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef _ESP_ASIO_OPENSSL_RSA_STUB_H +#define _ESP_ASIO_OPENSSL_RSA_STUB_H +// Dummy header needed for ASIO compilation with esp-openssl + +#if defined(ASIO_USE_WOLFSSL) +#include_next "openssl/rsa.h" +#endif // ASIO_USE_WOLFSSL + +#endif // _ESP_ASIO_OPENSSL_RSA_STUB_H diff --git a/components/asio/port/include/openssl/x509v3.h b/components/asio/port/include/openssl/x509v3.h new file mode 100644 index 0000000000..5ae8e78435 --- /dev/null +++ b/components/asio/port/include/openssl/x509v3.h 
@@ -0,0 +1,23 @@ +// Copyright 2020 Espressif Systems (Shanghai) PTE LTD +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +#ifndef _ESP_ASIO_OPENSSL_X509V3_STUB_H +#define _ESP_ASIO_OPENSSL_X509V3_STUB_H +// Dummy header needed for ASIO compilation with esp-openssl + +#if defined(ASIO_USE_WOLFSSL) +#include_next "openssl/x509v3.h" +#endif // ASIO_USE_WOLFSSL + +#endif // _ESP_ASIO_OPENSSL_X509V3_STUB_H diff --git a/components/asio/port/src/esp_asio_openssl_stubs.c b/components/asio/port/src/esp_asio_openssl_stubs.c index 9fdf53d0d1..6deb099caa 100644 --- a/components/asio/port/src/esp_asio_openssl_stubs.c +++ b/components/asio/port/src/esp_asio_openssl_stubs.c @@ -49,11 +49,6 @@ X509_NAME *X509_get_subject_name(X509 *a) return NULL; } -uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) -{ - return 0; -} - int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) { return 1; diff --git a/components/openssl/include/internal/ssl_code.h b/components/openssl/include/internal/ssl_code.h index 80fdbb20f3..18e687e5f9 100644 --- a/components/openssl/include/internal/ssl_code.h +++ b/components/openssl/include/internal/ssl_code.h @@ -23,6 +23,10 @@ #include "tls1.h" #include "x509_vfy.h" +/* Used in SSL_set_mode() -- supported mode when using BIO */ +#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001L +#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002L + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 # define SSL_RECEIVED_SHUTDOWN 2 
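Review bot: The two new `#define SSL_MODE_ENABLE_PARTIAL_WRITE` / `#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` lines use `#define` while the neighbouring block uses the `# define` spelling (`# define SSL_SENT_SHUTDOWN 1`); match the file's convention. The comment `/* Used in SSL_set_mode() -- supported mode when using BIO */` would be more useful if it said that these are the only mode bits the port honours and that the check is performed at handshake time in `ssl_pm_handshake()`, since that is what the ssl_pm.c hunk in this diff implements. The ASIO stubs previously defined `SSL_MODE_RELEASE_BUFFERS` as 0 and this move does not carry it over; if that is deliberate (so ASIO's optional use of it stays compiled out), a one-line comment here would record the decision.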
diff --git a/components/openssl/include/internal/ssl_types.h b/components/openssl/include/internal/ssl_types.h index 38c9673548..2871d3a83a 100644 --- a/components/openssl/include/internal/ssl_types.h +++ b/components/openssl/include/internal/ssl_types.h @@ -21,6 +21,7 @@ #include "ssl_code.h" #include +#include typedef void SSL_CIPHER; @@ -256,7 +257,7 @@ struct ssl_st X509_VERIFY_PARAM param; - int err; + uint32_t mode; void (*info_callback) (const SSL *ssl, int type, int val); diff --git a/components/openssl/include/openssl/openssl_err.h b/components/openssl/include/openssl/err.h similarity index 98% rename from components/openssl/include/openssl/openssl_err.h rename to components/openssl/include/openssl/err.h index 930807500e..f4247a4a7c 100644 --- a/components/openssl/include/openssl/openssl_err.h +++ b/components/openssl/include/openssl/err.h @@ -22,8 +22,8 @@ extern "C" { #endif /** - * @note This file contains a very simple implementation of error stack provided - * OpenSSL library. It is OFF by default. + * @note This file contains a very simple implementation of error stack + * for ESP APIs stubs to OpenSSL */ #define OPENSSL_PUT_SYSTEM_ERROR() \ diff --git a/components/openssl/include/openssl/ssl.h b/components/openssl/include/openssl/ssl.h index 6a39c7cd53..4a3376c0db 100644 --- a/components/openssl/include/openssl/ssl.h +++ b/components/openssl/include/openssl/ssl.h @@ -22,7 +22,7 @@ #include "internal/ssl_x509.h" #include "internal/ssl_pkey.h" #include "openssl/bio.h" -#include "openssl/openssl_err.h" +#include "openssl/err.h" /* { @@ -1888,6 +1888,15 @@ openssl_verify_callback SSL_get_verify_callback(const SSL *s); */ void RSA_free(RSA *r); +/** + * @brief Sets SSL mode, partially implemented + * + * @param ssl SSL context + * + * @return the new mode bitmask after adding mode + */ +uint32_t SSL_set_mode(SSL *ssl, uint32_t mode); + #ifdef __cplusplus } #endif 
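Review bot: The second hunk replaces the `int err;` member of `struct ssl_st` with `uint32_t mode;` rather than adding a field beside it, so any code outside this diff that still reads `ssl->err` will stop compiling; a quick search for the old member before merging is cheap insurance. The new member carries no comment; `uint32_t mode; /* SSL_MODE_* bits OR'ed in by SSL_set_mode(), validated in ssl_pm_handshake() */` ties it to the code that consumes it. The struct definition continues outside the hunk.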
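Review bot: The new `SSL_set_mode()` doc block documents `ssl` and the return value but not `mode`; add `@param mode bitmask of SSL_MODE_* values to OR into the current mode`. "partially implemented" should also say what is partial: only `SSL_MODE_ENABLE_PARTIAL_WRITE` and `SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER` are accepted, and the check happens in `ssl_pm_handshake()` rather than here, so a caller cannot learn from the return value that an unsupported bit was set. The include change from `openssl/openssl_err.h` to `openssl/err.h` follows the rename elsewhere in this diff; out-of-tree code including the old name will break, so unless that is intended a one-line compatibility header at the old path that includes `openssl/err.h` is worth considering.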
diff --git a/components/openssl/library/ssl_bio.c b/components/openssl/library/ssl_bio.c index 46d4616f10..2a70b70aa7 100644 --- a/components/openssl/library/ssl_bio.c +++ b/components/openssl/library/ssl_bio.c @@ -15,7 +15,7 @@ #include "ssl_lib.h" #include "openssl/bio.h" #include "ssl_dbg.h" -#include "openssl/openssl_err.h" +#include "openssl/err.h" #define DEFAULT_BIO_SIZE 1024 diff --git a/components/openssl/library/ssl_lib.c b/components/openssl/library/ssl_lib.c index 46b0cc0fd7..01374a214c 100644 --- a/components/openssl/library/ssl_lib.c +++ b/components/openssl/library/ssl_lib.c @@ -1597,7 +1597,9 @@ void SSL_set_verify_depth(SSL *ssl, int depth) void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *)) { SSL_ASSERT3(ctx); - SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED); + if (verify_callback) { + SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED); + } ctx->verify_mode = mode; ctx->default_verify_callback = verify_callback; @@ -1609,7 +1611,9 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *)) { SSL_ASSERT3(ssl); - SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED); + if (verify_callback) { + SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED); + } ssl->verify_mode = mode; ssl->verify_callback = verify_callback; @@ -1669,3 +1673,12 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned ctx->ssl_alpn.alpn_list[i] = NULL; return 0; } + +/** + * @brief Set the mode, but might assert if the related mode is not supported once session starts + */ +uint32_t SSL_set_mode(SSL *ssl, uint32_t mode) +{ + ssl->mode |= mode; + return ssl->mode; +} diff --git a/components/openssl/platform/ssl_pm.c b/components/openssl/platform/ssl_pm.c index 6f55da47e3..f5597da587 100644 --- a/components/openssl/platform/ssl_pm.c +++ b/components/openssl/platform/ssl_pm.c 
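Review bot: Moving `SSL_ASSERT3(ESP_OPENSSL_VERIFYCB_IS_SUPPORTED)` under `if (verify_callback)` in both `SSL_CTX_set_verify` and `SSL_set_verify` means a NULL callback with any `mode` is now accepted on builds without callback support, while the mode bits themselves are still stored unchecked; whether `SSL_VERIFY_PEER` is then actually enforced depends on ssl_pm code outside these hunks. A comment at the new branch, `/* a NULL callback is always accepted; only user-supplied callbacks need ESP_OPENSSL_VERIFYCB_IS_SUPPORTED */`, records the intent so the relaxation is not mistaken for an oversight. Both functions continue past their hunks.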
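Review bot: `SSL_set_mode()` dereferences `ssl` without the entry guard the neighbouring functions in this file use (`SSL_ASSERT3(ssl)` in `SSL_set_verify`), so a NULL handle crashes instead of being reported. Because the function returns `uint32_t`, the void-returning `SSL_ASSERT3` does not fit and an int-returning assert would yield a large unsigned value, so presumably `if (!ssl) { return 0; }` with a log line in the file's style is the cleanest option — confirm which macro the file prefers for non-int returns. The doc comment should also name the two mode bits that survive the handshake check, since "the related mode is not supported" does not tell a caller which ones those are.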
@@ -25,7 +25,7 @@ #include "mbedtls/error.h" #include "mbedtls/certs.h" #include "openssl/bio.h" -#include "openssl/openssl_err.h" +#include "openssl/err.h" #define X509_INFO_STRING_LENGTH 8192 @@ -316,7 +316,12 @@ int ssl_pm_handshake(SSL *ssl) struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; if (ssl->bio) { + // if using BIO, make sure the mode is supported + SSL_ASSERT1(ssl->mode & (SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)); mbedtls_ssl_set_bio(&ssl_pm->ssl, ssl->bio, mbedtls_bio_send, mbedtls_bio_recv, NULL); + } else { + // defaults to SSL_read/write using a file descriptor -- expects default mode + SSL_ASSERT1(ssl->mode == 0); } ret = ssl_pm_reload_crt(ssl); diff --git a/components/openssl/test/test_openssl.c b/components/openssl/test/test_openssl.c index f0078847e2..663e9a2c72 100644 --- a/components/openssl/test/test_openssl.c +++ b/components/openssl/test/test_openssl.c @@ -1,3 +1,17 @@ +/* Copyright (c) 2014, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + #include "test_utils.h" #include "openssl/ssl.h" #include "unity.h" diff --git a/docs/en/api-reference/protocols/asio.rst b/docs/en/api-reference/protocols/asio.rst index cd6a40ec30..559759e9e0 100644 --- a/docs/en/api-reference/protocols/asio.rst 
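Review bot: The BIO-path check `SSL_ASSERT1(ssl->mode & (SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER))` passes as soon as either supported bit is set, so unsupported bits OR'ed in alongside them are not rejected, while a BIO user who set no mode at all is refused; that does not match the comment "make sure the mode is supported". If the intent is "no unsupported bits", write `SSL_ASSERT1((ssl->mode & ~(SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) == 0);`; if the intent is that BIO usage requires partial-write semantics, say so in the comment. Either way the failure surfaces here in `ssl_pm_handshake()` rather than at `SSL_set_mode()` time, and `SSL_ASSERT1` presumably returns a bare error code without naming the offending mode, so an explicit debug message would make it diagnosable. The function body continues outside the hunk.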
+++ b/docs/en/api-reference/protocols/asio.rst @@ -14,12 +14,12 @@ Asio also comes with a number of examples which could be find under Documentatio Supported features ^^^^^^^^^^^^^^^^^^ ESP platform port currently supports only network asynchronous socket operations; does not support serial port. -SSL/TLS support if disabled by default and could be enabled in component configuration menu and choosing TLS library from +SSL/TLS support is disabled by default and could be enabled in component configuration menu by choosing TLS library from - mbedTLS with OpenSSL translation layer (default option) - wolfSSL -SSL support is very basic at this stage, not including +SSL support is very basic at this stage and it does include following features: - Verification callbacks - DH property files diff --git a/examples/protocols/asio/ssl_client_server/main/CMakeLists.txt b/examples/protocols/asio/ssl_client_server/main/CMakeLists.txt index 5fd4fe15e8..f962b470c2 100644 --- a/examples/protocols/asio/ssl_client_server/main/CMakeLists.txt +++ b/examples/protocols/asio/ssl_client_server/main/CMakeLists.txt @@ -1,3 +1,3 @@ idf_component_register(SRCS "asio_ssl_main.cpp" INCLUDE_DIRS "." - EMBED_TXTFILES cacert.pem prvtkey.pem) + EMBED_TXTFILES ca.crt server.key srv.crt) diff --git a/examples/protocols/asio/ssl_client_server/main/Kconfig.projbuild b/examples/protocols/asio/ssl_client_server/main/Kconfig.projbuild index a5996f7087..1d03a2af4a 100644 --- a/examples/protocols/asio/ssl_client_server/main/Kconfig.projbuild +++ b/examples/protocols/asio/ssl_client_server/main/Kconfig.projbuild @@ -25,4 +25,12 @@ menu "Example Configuration" help Asio example server ip for the ASIO client to connect to. + config EXAMPLE_CLIENT_VERIFY_PEER + bool "Client to verify peer" + default n + depends on EXAMPLE_CLIENT + help + This option sets client's mode to verify peer, default is + verify-none + endmenu 
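Review bot: `EXAMPLE_CLIENT_VERIFY_PEER` defaults to `n`, so the example client as shipped (and as configured by `sdkconfig.defaults`, which does not set it) connects with `asio::ssl::verify_none` and does not authenticate the server; only `sdkconfig.ci` turns verification on. For a TLS example it is safer to default to `y`, or at least to make the help text state the consequence, e.g. `Verify the server certificate against the embedded CA (ca.crt). When disabled the client accepts any certificate (verify-none), which is only suitable for local testing.`. The `default n` line is redundant for a bool and can be dropped.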
diff --git a/examples/protocols/asio/ssl_client_server/main/asio_ssl_main.cpp b/examples/protocols/asio/ssl_client_server/main/asio_ssl_main.cpp index 8209b680d6..1959f1870e 100644 --- a/examples/protocols/asio/ssl_client_server/main/asio_ssl_main.cpp +++ b/examples/protocols/asio/ssl_client_server/main/asio_ssl_main.cpp @@ -1,3 +1,10 @@ +// +// Copyright (c) 2003-2019 Christopher M. Kohlhoff (chris at kohlhoff dot com) +// +// Distributed under the Boost Software License, Version 1.0. (See accompanying +// file LICENSE_1_0.txt or copy at http://www.boost.org/LICENSE_1_0.txt) +// + #include #include "protocol_examples_common.h" #include "esp_event.h" 
@@ -11,30 +18,36 @@ #include "asio/buffer.hpp" #include "esp_pthread.h" -extern const unsigned char cacert_pem_start[] asm("_binary_cacert_pem_start"); -extern const unsigned char cacert_pem_end[] asm("_binary_cacert_pem_end"); +extern const unsigned char server_pem_start[] asm("_binary_srv_crt_start"); +extern const unsigned char server_pem_end[] asm("_binary_srv_crt_end"); -extern const unsigned char prvtkey_pem_start[] asm("_binary_prvtkey_pem_start"); -extern const unsigned char prvtkey_pem_end[] asm("_binary_prvtkey_pem_end"); +extern const unsigned char cacert_pem_start[] asm("_binary_ca_crt_start"); +extern const unsigned char cacert_pem_end[] asm("_binary_ca_crt_end"); + +extern const unsigned char prvtkey_pem_start[] asm("_binary_server_key_start"); +extern const unsigned char prvtkey_pem_end[] asm("_binary_server_key_end"); const asio::const_buffer cert_chain(cacert_pem_start, cacert_pem_end - cacert_pem_start); const asio::const_buffer privkey(prvtkey_pem_start, prvtkey_pem_end - prvtkey_pem_start); - -using asio::ip::tcp; +const asio::const_buffer server_cert(server_pem_start, server_pem_end - server_pem_start); using asio::ip::tcp; enum { max_length = 1024 }; -class client -{ +class Client { public: - client(asio::io_context& io_context, + Client(asio::io_context& io_context, asio::ssl::context& context, const tcp::resolver::results_type& endpoints) : socket_(io_context, context) { + +#if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER socket_.set_verify_mode(asio::ssl::verify_peer); +#else + socket_.set_verify_mode(asio::ssl::verify_none); +#endif // CONFIG_EXAMPLE_CLIENT_VERIFY_PEER connect(endpoints); } @@ -117,10 +130,9 @@ private: char reply_[max_length]; }; -class session : public std::enable_shared_from_this -{ +class Session : public std::enable_shared_from_this { public: - session(tcp::socket socket, asio::ssl::context& context) + Session(tcp::socket socket, asio::ssl::context& context) : socket_(std::move(socket), context) { } 
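Review bot: After this change `cert_chain` wraps `ca.crt` and is only passed to `add_certificate_authority()` on the client, while the server uses the new `server_cert`; the name now misdescribes its content and will mislead anyone extending the example. Renaming it to `ca_cert` (the definition here and the `add_certificate_authority(cert_chain)` call further down) fixes that, and the `prvtkey_pem_*` symbols could likewise follow the new `server.key` name. The `#if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER` branch selects `verify_peer` but configures no host-name check, so a comment saying that only the CA signature is verified, not the server name, keeps the example's guarantee honest. The `Client` class continues outside the hunk.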
@@ -174,20 +186,19 @@ private: } asio::ssl::stream socket_; - char data_[1024]; + char data_[max_length]; }; -class server -{ +class Server { public: - server(asio::io_context& io_context, unsigned short port) + Server(asio::io_context& io_context, unsigned short port) : acceptor_(io_context, tcp::endpoint(tcp::v4(), port)), context_(asio::ssl::context::tls_server) { context_.set_options( asio::ssl::context::default_workarounds | asio::ssl::context::no_sslv2); - context_.use_certificate_chain(cert_chain); + context_.use_certificate_chain(server_cert); context_.use_private_key(privkey, asio::ssl::context::pem); do_accept(); @@ -201,7 +212,7 @@ private: { if (!error) { - std::make_shared(std::move(socket), context_)->start(); + std::make_shared(std::move(socket), context_)->start(); } do_accept(); @@ -225,7 +236,7 @@ void ssl_server_thread() { asio::io_context io_context; - server s(io_context, 443); + Server s(io_context, 443); io_context.run(); } @@ -240,9 +251,11 @@ void ssl_client_thread() auto endpoints = resolver.resolve(server_ip, server_port); asio::ssl::context ctx(asio::ssl::context::tls_client); - ctx.use_certificate_chain(cert_chain); +#if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER + ctx.add_certificate_authority(cert_chain); +#endif // CONFIG_EXAMPLE_CLIENT_VERIFY_PEER - client c(io_context, ctx, endpoints); + Client c(io_context, ctx, endpoints); io_context.run(); diff --git a/examples/protocols/asio/ssl_client_server/main/ca.crt b/examples/protocols/asio/ssl_client_server/main/ca.crt new file mode 100644 index 0000000000..894f2959b0 --- /dev/null +++ b/examples/protocols/asio/ssl_client_server/main/ca.crt 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDkzCCAnugAwIBAgIUNI5wldYysh6rtCzYmda6H414aRswDQYJKoZIhvcNAQEL +BQAwWTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDESMBAGA1UEAwwJRXNwcmVzc2lmMB4X +DTIwMDEyMTA5MDk0NloXDTI1MDEyMDA5MDk0NlowWTELMAkGA1UEBhMCQVUxEzAR +BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5 +IEx0ZDESMBAGA1UEAwwJRXNwcmVzc2lmMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A +MIIBCgKCAQEAyadSpRnIQBVbEAsbpkrKrOMlBOMIUmA8AfNyOYPLfv0Oa5lBiMAV +3OQDu5tYyFYKwkCUqq65iAm50fPbSH71w1tkja6nZ1yAIM+TvpMlM/WiFGrhY+Tc +kAcLcKUJyPxrv/glzoVslbqUgIhuhCSKA8uk1+ILcn3nWzPcbcowLx31+AHeZj8h +bIAdj6vjqxMCFStp4IcA+ikmCk75LCN4vkkifdkebb/ZDNYCZZhpCBnCHyFAjPc4 +7C+FDVGT3/UUeeTy+Mtn+MqUAhB+W0sPDm1n2h59D4Z/MFm0hl6GQCAKeMJPzssU +BBsRm6zoyPQ4VTqG0uwfNNbORyIfKONMUwIDAQABo1MwUTAdBgNVHQ4EFgQUGYLV +EkgWzxjpltE6texha7zZVxowHwYDVR0jBBgwFoAUGYLVEkgWzxjpltE6texha7zZ +VxowDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAb2EF4Zg2XWNb +eZHnzupCDd9jAhwPqkt7F1OXvxJa/RFUSB9+2izGvikGGhuKY4f0iLuqF+bhExD9 +sapDcdFO2Suh4J3onbwEvmKvsv56K3xhapYg8WwPofpkVirnkwFjpQXGzrYxPujg +BPmSy3psQrhvOr/WH7SefJv2qr4ikaugfE+3enY4PL+C1dSQAuNo1QGgWsZIu0c8 +TZybNZ13vNVMA+tgj2CM8FR3Etaabwtu3TTcAnO7aoBTix/bLBTuZoczhN8/MhG3 +GylmDzFI8a6aKxQL3Fi4PsM82hRKWu3gfs39sR1Ci4V22v8uO5EWBPK0QZvDSc1a +KwwxI4zA0w== +-----END CERTIFICATE----- diff --git a/examples/protocols/asio/ssl_client_server/main/cacert.pem b/examples/protocols/asio/ssl_client_server/main/cacert.pem deleted file mode 100644 index e09c3989cd..0000000000 --- a/examples/protocols/asio/ssl_client_server/main/cacert.pem +++ /dev/null 
@@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDezCCAmOgAwIBAgIJAPMMNobNczaUMA0GCSqGSIb3DQEBBAUAMHQxEzARBgNV -BAMTCk15IFRlc3QgQ0ExCzAJBgNVBAgTAkhaMQswCQYDVQQGEwJDTjEcMBoGCSqG -SIb3DQEJARYNdGVzdEBjZXJ0LmNvbTElMCMGA1UEChMcUm9vdCBDZXJ0aWZpY2F0 -aW9uIEF1dGhvcml0eTAeFw0xNjExMTUwNTA0MThaFw0xOTExMTUwNTA0MThaMHQx -EzARBgNVBAMTCk15IFRlc3QgQ0ExCzAJBgNVBAgTAkhaMQswCQYDVQQGEwJDTjEc -MBoGCSqGSIb3DQEJARYNdGVzdEBjZXJ0LmNvbTElMCMGA1UEChMcUm9vdCBDZXJ0 -aWZpY2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC -ggEBALDjSPDlomepHCzbw4MUrquQAU0xTV4/Npb27k9I5TRVTjIoOs/5hNI2LPFW -e4CREx09ZrT8K3NFOBoSy7bhPAsjGaFxCYYWc9tiX1m5gq3ToVRSmbZ65fE3kvnI -8E/d5VyzA0OMmWbfaolBSTMoWgqRynEaT+z1Eh2yDTzVFy9eov1DdQFUqGDqbH5b -QYvTY5Fyem7UcKWAe2yS0j3H4dVtVBKNY7qV3Px08yGAs5fQFgUwhyB5+qwhvkeL -JdgapGaSTwLgoQKWHbe/lA3NiBIB9hznFUGKo3hmniAvYZbrQcn3tc0l/J4I39v2 -Pm29FAyjWvQyBkGktz2q4elOZYkCAwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkq -hkiG9w0BAQQFAAOCAQEAJCJ+97oae/FcOLbPpjCpUQnWqYydgSChgalkZNvr4fVp -TnuNg471l0Y2oTJLoWn2YcbPSFVOEeKkU47mpjMzucHHp0zGaW9SdzhZalWwmbgK -q2ijecIbuFHFNedYTk/03K7eaAcjVhD8e0oOJImeLOL6DAFivA1LUnSgXsdGPDtD -zhISsCPTu+cL1j0yP6HBvLeAyb8kaCWJ05RtiVLRANNHQn/keHajJYpMwnEEbJdG -cqN3whfJoGVbZ6isEf2RQJ0pYRnP7uGLW3wGkLWxfdto8uER8HVDx7fZpevLIqGd -1OoSEi3cIJXWBAjx0TLzzhtb6aeIxBJWQqHThtkKdg== ------END CERTIFICATE----- diff --git a/examples/protocols/asio/ssl_client_server/main/component.mk b/examples/protocols/asio/ssl_client_server/main/component.mk index 656f72d7b7..71869b0a3f 100644 --- a/examples/protocols/asio/ssl_client_server/main/component.mk +++ b/examples/protocols/asio/ssl_client_server/main/component.mk @@ -7,5 +7,6 @@ # please read the ESP-IDF documents if you need to do this. # -COMPONENT_EMBED_TXTFILES := cacert.pem -COMPONENT_EMBED_TXTFILES += prvtkey.pem +COMPONENT_EMBED_TXTFILES := ca.crt +COMPONENT_EMBED_TXTFILES += server.key +COMPONENT_EMBED_TXTFILES += srv.crt 
diff --git a/examples/protocols/asio/ssl_client_server/main/prvtkey.pem b/examples/protocols/asio/ssl_client_server/main/prvtkey.pem deleted file mode 100644 index 4ead61f6ff..0000000000 --- a/examples/protocols/asio/ssl_client_server/main/prvtkey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAsONI8OWiZ6kcLNvDgxSuq5ABTTFNXj82lvbuT0jlNFVOMig6 -z/mE0jYs8VZ7gJETHT1mtPwrc0U4GhLLtuE8CyMZoXEJhhZz22JfWbmCrdOhVFKZ -tnrl8TeS+cjwT93lXLMDQ4yZZt9qiUFJMyhaCpHKcRpP7PUSHbINPNUXL16i/UN1 -AVSoYOpsfltBi9NjkXJ6btRwpYB7bJLSPcfh1W1UEo1jupXc/HTzIYCzl9AWBTCH -IHn6rCG+R4sl2BqkZpJPAuChApYdt7+UDc2IEgH2HOcVQYqjeGaeIC9hlutByfe1 -zSX8ngjf2/Y+bb0UDKNa9DIGQaS3Parh6U5liQIDAQABAoIBAB9K9jp3xXVlO3DM -KBhmbkg3n6NSV4eW00d9w8cO9E1/0eeZql3knJS7tNO1IwApqiIAHM1j1yP7WONz -88oUqpSlzwD6iF7KVhC3pHqxEOdDi0Tpn/viXg+Ab2X1IF5guRTfLnKiyviiCazi -edqtBtDb3d6Icx9Oc7gBKcpbQFDGt++wSOb5L+xhRm9B5B4l/6byikiPeKqIK5tC -SoP9Zr1mvpNoGm1P4LvEunFJcRBqVI010VNwfO9P98oVyzJu9/FZZrQxXoY9JdXF -OM6nbl+hMDM3TkEOda9NvBhImozEAvuc97CaaXyR3XivxMqNqNIb4+syUPa2PCS3 -ZztI5qECgYEA1gbVG6ifpvpbBkDPi3Im8fM3F7FLLrQc48FdFjdMvDhHD9lVKucD -Uaa8PF9dbbvlu2cwMyfBOKSuWaXxRxRsiqiPmTunS1MvPzQcSrGwUrL2AogGucn6 -+NrLQf5P4H5IpkDQ9ih3zwjO6xKFK1WeYnYpHM8qUBtl6q0YFyVBPu0CgYEA05Pn -StWA4D7VSbNnVi6lvFyEOUsTrK3v419598TFiq4eXLq6aV8/CQYzKsSzoG+aOZhX -Li+0uyT5cNzUcXYhTsW1hA/pNhMfxMrYiB1x14zlLp2WRGg4vd/+SxX6d9Yd3acX -7QzPKgdDicXs9QN8ozJOICKvNbUI53AJdATVEY0CgYEAwvpGeoQLrdq1weSZLrg3 -soOX1QW3MDz1dKdbXjnStkWut0mOxR7fbysuoPFf8/ARQcCnsHKvHCMqkpESVWbN -2yPkbfxiU8Tcbf/TJljqAOz4ISY6ula/RKZONTixHBrvpEW4GAiV3Q5xMsYUe33s -ZFaw7YXtTj0ng7tdDvjpj6ECgYEApHdUU9ejVq2BHslWiqe4LbO9FMxHfvO2hgix -xugupp6y+2Irhb2EQn+PRq+g8hXOzPaezkhHNTKItDL08T3iplkJwJ6dqmszRsZn -i2dYFzZu8M2PAZ4CfZahFbz/9id7D9HTx3EtmH4NAgvZJpyPRkzUbiaIDDettDpj -Hsyi1AECgYAPLvjBzQj4kPF8Zo9pQEUcz4pmupRVfv3aRfjnahDK4qZHEePDRj+J -W7pzayrs1dyN9QLB8pTc424z7f8MB3llCICN+ohs8CR/eW0NEobE9ldDOeoCr1Vh -NhNSbrN1iZ8U4oLkRTMaDKkVngGffvjGi/q0tOU7hJdZOqNlk2Iahg== ------END RSA PRIVATE KEY----- 
diff --git a/examples/protocols/asio/ssl_client_server/main/server.key b/examples/protocols/asio/ssl_client_server/main/server.key new file mode 100644 index 0000000000..2a4d650eac --- /dev/null +++ b/examples/protocols/asio/ssl_client_server/main/server.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAlUCywNhVv4RO2y9h/XGKZ1azzk3jzHpSBzIGO9LoiA8trC/p +1ykGaUfYPJllYK4HMhC4fUyE3J7tVL2Eskzl26LNPLbEoaBWZM9NhV3iA1/1EtOu +p6umLx+y3sDfvK35YAOUbjdAlBfhnJ4r8h7oTsxl3J5jZ18zgjJnJi2NEFq/yTpO +MiwHLWPjy25fDFixfV9UzSvbgt1JaGPmC7c4QkhHzjyp0+ikuvRIw0p9BBNeqBV2 +da3qBMB5FtodUJTAz6o6OKWbTalLjQi6C1H6z9TnY7IrJBUOy/FWkQH/sEsLdscD +hHa1Dz2oT203QjhzyOSfnNF95D/1MdNcMt6l0wIDAQABAoIBAC1JJTOoMFRc48RT +myrYQYNbZlEphv3q+2qdfhC2zMFDwbrmCtCy7PQSzYSNkpoEE8DYG/JAvmtmeWJl +4pZrCK9ctWM/nWfhC3WpBL97nfEiM20T94F+bn0L5Cz8XqaULv839th+QUTt/hGU +WIctY5VNJXcMQ+MAmtNdUbjex1d3iuxiKHUo4nDoZ8digKFNdtdP5B5nlMq5chCL +mxNRcsGsx2dDAxbGUapdTVPWHPJKpLOBoSkluDsfd2KZADFU2R1SJpAX9+RYh3HM +5FTUdHTUaISxbKkgeDKlEM0lqk2TtGUwCyEj098ewi7Wzsu9w60IplPPUJx5FRG6 +jp3wzLkCgYEAxKp5T20rf/7ysX7x053I7VCjDXUxAaWOEj1uS3AhOkl0NaZg7Di+ +y53fWNkcHdkt2n2LqMt/43UgMYq3TVVcq2eunPNF11e1bJw8CjDafwDs4omwwyVn +lYhPuB4dK2OAib+vU5Zqpp0kZMoxk2MZVgon8z+s8DW/zmB6aFqAWeUCgYEAwkhC +OgmXKMdjOCVy5t2f5UbY8Y9rV3w8eUATuJ47MMwLr4pGYnKoEn9JB4ltWrHv/u5S +fOv3tIrrCEvnCoCbOILwCsY5LqTNXgqova8FB6RpMUQCzhDd8LHuvdHv0WMnMzX1 +3PKuqwh8JS55m4WqZRhzr5BFKG4fHPVs4IcaJVcCgYAzzCaJSdqUKqTnJOUydDNQ +ddWMHNqccWs62J0tF0pZHLGT089hSAzQejMyJnSmU+Ykzr4y5e44DUg+ZCelIZ93 +saYmxlgVwI8THQ8fLADQRIEfpV4996MRmkZM2vmZzOo03Zyi6lIKsga82Rg3lnk8 +1Q3ynknBNpbfF0AGLhfyFQKBgBYlxJ73HutAJ5hr9HhLBYJOnEaVUehMOlycKGNg +bmD2sdJWEgYBChXpurqIORYguLo4EuE4ySkkuPxeIr14wbkkfBbOWBBwKxUwY+IT +xKAFZxR9q1AwbgyVTCEJgKw/AGX/HcMNS0omEnjunmBTUYRq0C1QZgHg490aQUor +PJjLAoGAevzdTpFlVeuKeYh1oDubGO1LinyXpBv7fPFjl+zu4AVbjojcU6yC4OO6 +QvqopE6SyAECKy8kAOFcESPsGc9Lta2XUvI203z7pIVlNVEcJ0+90mQh3Mn1U46l +sZ49PdRvNwNb5wvkh1UqNsMlGFbRlzMbIk45ou4311kCobowZek= +-----END RSA PRIVATE KEY----- 
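Review bot: `server.key` is an unencrypted RSA private key committed to the repository and embedded into the firmware image via `EMBED_TXTFILES`; that is normal for a self-contained example, but nothing in the diff marks it as a throw-away test credential. Since the file has no comment syntax, add a short note to the example's README or Kconfig help stating that `ca.crt`, `srv.crt` and `server.key` are test-only material to be regenerated for any real deployment, and that the CA private key used to sign `srv.crt` is not part of the diff, so users cannot reissue certificates from what ships. The previous `prvtkey.pem` and `cacert.pem` are deleted in this diff, so the old pair no longer ships alongside.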
diff --git a/examples/protocols/asio/ssl_client_server/main/srv.crt b/examples/protocols/asio/ssl_client_server/main/srv.crt new file mode 100644 index 0000000000..29bfa16641 --- /dev/null +++ b/examples/protocols/asio/ssl_client_server/main/srv.crt @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC9DCCAdwCFA1lSIcHwYKdB2UqOrZxZnVgPObTMA0GCSqGSIb3DQEBCwUAMFkx +CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl +cm5ldCBXaWRnaXRzIFB0eSBMdGQxEjAQBgNVBAMMCUVzcHJlc3NpZjAeFw0yMDA2 +MTIwNjA0MTNaFw0yMjA2MDIwNjA0MTNaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJVAssDYVb+ETtsvYf1ximdW +s85N48x6UgcyBjvS6IgPLawv6dcpBmlH2DyZZWCuBzIQuH1MhNye7VS9hLJM5dui +zTy2xKGgVmTPTYVd4gNf9RLTrqerpi8fst7A37yt+WADlG43QJQX4ZyeK/Ie6E7M +ZdyeY2dfM4IyZyYtjRBav8k6TjIsBy1j48tuXwxYsX1fVM0r24LdSWhj5gu3OEJI +R848qdPopLr0SMNKfQQTXqgVdnWt6gTAeRbaHVCUwM+qOjilm02pS40IugtR+s/U +52OyKyQVDsvxVpEB/7BLC3bHA4R2tQ89qE9tN0I4c8jkn5zRfeQ/9THTXDLepdMC +AwEAATANBgkqhkiG9w0BAQsFAAOCAQEAnMYGW+idt37bEE4WPgrRorKWuplR+zHD +wJFz53DQzyIZJHmJ2hR5U0jNcHy/nMq7tbdz9LZPrVF4lZJ3TJhnmkOKjMFPCQE8 +YcmsP3il6eXgtGqg53InOi/uJqEQ9TfM54cbpp6xKbnmpwk4uprISBRQt7u2ZLk2 +40ED6zgjFPDTYmSjSpb2AN6KUB6PflgVs+4p9ViHNq4U3AlYV/BM0+3G4aMX2wNl +ZIpQfOyuaYD5MU50mY+O+gDiiypkpYf6a6S4YJ1sMbavDsP7bW5UMnP0jKYR549q +5hF1fdkXq52DfJ9ya2kl3mANFkKssQV+1KCBMxGoeqfakmJfa03xXA== +-----END CERTIFICATE----- diff --git a/examples/protocols/asio/ssl_client_server/partitions.csv b/examples/protocols/asio/ssl_client_server/partitions.csv index d01414b8a9..f3aa8e2b48 100644 --- a/examples/protocols/asio/ssl_client_server/partitions.csv +++ b/examples/protocols/asio/ssl_client_server/partitions.csv @@ -2,4 +2,4 @@ # Note: if you have increased the bootloader size, make sure to update the offsets to avoid overlap nvs, data, nvs, 0x9000, 0x6000, phy_init, data, phy, 0xf000, 0x1000, -factory, app, factory, 0x10000, 1200000, +factory, app, factory, 0x10000, 1400000, 
diff --git a/examples/protocols/asio/ssl_client_server/sdkconfig.ci b/examples/protocols/asio/ssl_client_server/sdkconfig.ci index 958aa45d42..f1c43e8ac7 100644 --- a/examples/protocols/asio/ssl_client_server/sdkconfig.ci +++ b/examples/protocols/asio/ssl_client_server/sdkconfig.ci @@ -3,4 +3,4 @@ CONFIG_EXAMPLE_SERVER=y CONFIG_EXAMPLE_SERVER_NAME="localhost" CONFIG_EXAMPLE_CONNECT_WIFI=n CONFIG_EXAMPLE_CONNECT_ETHERNET=n - +CONFIG_EXAMPLE_CLIENT_VERIFY_PEER=y diff --git a/examples/protocols/asio/ssl_client_server/sdkconfig.defaults b/examples/protocols/asio/ssl_client_server/sdkconfig.defaults index 8ff365b198..7340a4467f 100644 --- a/examples/protocols/asio/ssl_client_server/sdkconfig.defaults +++ b/examples/protocols/asio/ssl_client_server/sdkconfig.defaults @@ -1,3 +1,4 @@ +CONFIG_ASIO_SSL_SUPPORT=y CONFIG_PARTITION_TABLE_CUSTOM=y CONFIG_PARTITION_TABLE_CUSTOM_FILENAME="partitions.csv" CONFIG_PARTITION_TABLE_FILENAME="partitions.csv"