Merge branch 'https_server/min_cert_auth_mode_v4.4' into 'release/v4.4'

https_server: Add config option to set minimum certificate auth mode (v4.4)

See merge request espressif/esp-idf!17796
Mahavir Jain 2022-04-19 16:26:22 +08:00
commit 792eb70334
4 changed files with 38 additions and 17 deletions


@ -19,7 +19,6 @@ menu "ESP-TLS"
select ATCA_MBEDTLS_ECDSA
select ATCA_MBEDTLS_ECDSA_SIGN
select ATCA_MBEDTLS_ECDSA_VERIFY
default n
help
Enable use of Secure Element for ESP-TLS, this enables internal support for
ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.
@ -34,24 +33,21 @@ menu "ESP-TLS"
can only be used when it is appropriately configured for TLS.
Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
config ESP_TLS_CLIENT_SESSION_TICKETS
bool "Enable client session tickets"
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
help
Enable session ticket support as specified in RFC5077.
config ESP_TLS_SERVER
bool "Enable ESP-TLS Server"
default n
help
Enable support for creating server side SSL/TLS session, available for mbedTLS
as well as wolfSSL TLS library.
config ESP_TLS_CLIENT_SESSION_TICKETS
bool "Enable client session tickets"
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
default n
help
Enable session ticket support as specified in RFC5077.
config ESP_TLS_SERVER_SESSION_TICKETS
bool "Enable server session tickets"
depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
default n
help
Enable session ticket support as specified in RFC5077
@ -62,6 +58,17 @@ menu "ESP-TLS"
help
Sets the session ticket timeout used in the tls server.
config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
help
When this option is enabled, the peer (here, the client) certificate is checked by the server,
however the handshake continues even if verification failed. By default, the
peer certificate is not checked and ignored by the server.
mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
retrieve status of verification.
config ESP_TLS_PSK_VERIFICATION
bool "Enable PSK verification"
select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
@ -69,7 +76,6 @@ menu "ESP-TLS"
select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
default n
help
Enable support for pre shared key ciphers, supported for both mbedTLS as well as
wolfSSL TLS library.
@ -105,7 +111,6 @@ menu "ESP-TLS"
config ESP_DEBUG_WOLFSSL
bool "Enable debug logs for wolfSSL"
depends on ESP_TLS_USING_WOLFSSL
default n
help
Enable detailed debug prints for wolfSSL SSL library.
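Review bot: The help text for ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL reads as if it turns client-certificate verification on, but the esp_tls_mbedtls.c hunk in this same commit applies MBEDTLS_SSL_VERIFY_OPTIONAL in the branch that falls back to VERIFY_NONE, which appears to be the no-CA-certificate case (its condition is outside that hunk, so this is inferred); in that configuration verification cannot succeed and the option's practical effect is only that the client is asked for a certificate the application can then inspect. The last sentence should make the application's responsibility explicit rather than optional, e.g. `The handshake never rejects a client on its own in this mode; the application must call mbedtls_ssl_get_verify_result() after the handshake and decide what to do with a non-zero result.` Adding a sentence that the mode requires a CA certificate to be configured for the result to mean anything would also help readers of the other hunks, which only drop redundant `default n` lines.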


@ -500,7 +500,11 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
return esp_ret;
}
} else {
#ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
#else
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
#endif
}
if (cfg->servercert_buf != NULL && cfg->serverkey_buf != NULL) {
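Review bot: The new `#ifdef` block carries no comment, and a reader will take MBEDTLS_SSL_VERIFY_OPTIONAL here as "verification enabled" when it is selected in the same `else` branch that previously chose VERIFY_NONE, i.e. apparently the branch taken when no CA chain is configured (the `if` condition and the rest of set_server_config lie outside the hunk, so this is inferred from the existing fallback). A short comment would prevent that misreading: `/* OPTIONAL requests the client certificate so the user callback can inspect it; the handshake still completes when verification fails, so the application must check mbedtls_ssl_get_verify_result() itself. */`. A debug-level log of which auth mode was applied would also make the effective policy visible when diagnosing a deployment.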


@ -2,7 +2,7 @@ menu "Example Configuration"
config EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
bool "Enable user callback with HTTPS Server"
default false
select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
help
Enable user callback for esp_https_server which can be used to get SSL context (connection information)
E.g. Certificate of the connected client
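Review bot: Enabling the user callback now silently changes the server's TLS authentication mode through the added `select`, but the help text on the lines below says nothing about it, so a user turning on "get connection information" does not learn that clients will from then on be prompted for a certificate. The help should state the side effect, e.g. `Enabling this also selects ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL so that the client certificate is requested during the handshake; the application is still responsible for checking the verification result.` Note also that `select` overrides the target's `depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS`; if either is not already selected by the https-server component (not visible here), Kconfig will warn about unmet direct dependencies, which `select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL if ESP_TLS_USING_MBEDTLS` would avoid.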


@ -41,12 +41,20 @@ static esp_err_t root_get_handler(httpd_req_t *req)
* whenever a new SSL connection is created
*
* Can also be used to other information like Socket FD, Connection state, etc.
*
* NOTE: This callback will not be able to obtain the client certificate if the
* following config `Set minimum Certificate Verification mode to Optional` is
* not enabled (enabled by default in this example).
*
* The config option is found here - Component config ESP-TLS
*
*/
void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
{
ESP_LOGI(TAG, "Session Created!");
const mbedtls_x509_crt *cert;
ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd);
const mbedtls_x509_crt *cert;
const size_t buf_size = 1024;
char *buf = calloc(buf_size, sizeof(char));
if (buf == NULL) {
@ -54,9 +62,13 @@ void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
return;
}
mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", &user_cb->tls->servercert);
ESP_LOGI(TAG, "Server certificate info:\n%s", buf);
memset(buf, 0x00, buf_size);
cert = mbedtls_ssl_get_peer_cert(&user_cb->tls->ssl);
if (cert != NULL) {
mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", cert);
mbedtls_x509_crt_info((char *) buf, buf_size - 1, " ", cert);
ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);
} else {
ESP_LOGW(TAG, "Could not obtain the peer certificate!");
@ -91,9 +103,9 @@ static httpd_handle_t start_webserver(void)
conf.prvtkey_pem = prvtkey_pem_start;
conf.prvtkey_len = prvtkey_pem_end - prvtkey_pem_start;
#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
conf.user_cb = https_server_user_callback;
#endif
#endif
esp_err_t ret = httpd_ssl_start(&server, &conf);
if (ESP_OK != ret) {
ESP_LOGI(TAG, "Error starting server!");
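Review bot: In https_server_user_callback the peer certificate is printed whenever mbedtls_ssl_get_peer_cert() returns one, but the verification result is never reported, so the example teaches that a present certificate means an authenticated client, which under the VERIFY_OPTIONAL mode this commit introduces it does not. Next to the new `ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);` add `uint32_t flags = mbedtls_ssl_get_verify_result(&user_cb->tls->ssl);` and `ESP_LOGI(TAG, "Peer certificate verify result: 0x%08x (0 = verified)", flags);` so readers see the untrusted status alongside the subject. The added comment's "(enabled by default in this example)" also looks inconsistent with the example Kconfig hunk, where the callback option is `default false` and the auth mode only follows via `select`; unless an sdkconfig.defaults outside this diff enables it, the parenthetical should say "enabled when EXAMPLE_ENABLE_HTTPS_USER_CALLBACK is set". The callback's body continues past the hunk.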