diff --git a/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c b/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c index fec4e5e732..d7da1926e9 100644 --- a/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c +++ b/examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c @@ -37,6 +37,9 @@ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/error.h" +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 +#include "psa/crypto.h" +#endif #include "esp_crt_bundle.h" @@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters) mbedtls_ssl_config conf; mbedtls_net_context server_fd; +#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 + psa_status_t status = psa_crypto_init(); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status); + return; + } +#endif + mbedtls_ssl_init(&ssl); mbedtls_x509_crt_init(&cacert); mbedtls_ctr_drbg_init(&ctr_drbg); @@ -110,12 +121,7 @@ static void https_get_task(void *pvParameters) goto exit; } - /* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print - a warning if CA verification fails but it will continue to connect. - - You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code. - */ - mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL); mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); #ifdef CONFIG_MBEDTLS_DEBUG @@ -123,10 +129,9 @@ static void https_get_task(void *pvParameters) #endif #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 - mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4); - mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4); + mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); + mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3); #endif - if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) { ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret); @@ -200,22 +205,28 @@ static void https_get_task(void *pvParameters) bzero(buf, sizeof(buf)); ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len); - if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) +#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS + if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) { + ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read"); continue; + } +#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS - if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { + if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) { + continue; + } + + if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { ret = 0; break; } - if(ret < 0) - { + if (ret < 0) { ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret); break; } - if(ret == 0) - { + if (ret == 0) { ESP_LOGI(TAG, "connection closed"); break; } @@ -223,7 +234,7 @@ static void https_get_task(void *pvParameters) len = ret; ESP_LOGD(TAG, "%d bytes read", len); /* Print response directly to stdout as it is read */ - for(int i = 0; i < len; i++) { + for (int i = 0; i < len; i++) { putchar(buf[i]); } } while(1); @@ -234,8 +245,7 @@ static void https_get_task(void *pvParameters) mbedtls_ssl_session_reset(&ssl); mbedtls_net_free(&server_fd); - if(ret != 0) - { + if (ret != 0) { mbedtls_strerror(ret, buf, 100); ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf); } @@ -246,7 +256,7 @@ static void https_get_task(void *pvParameters) ESP_LOGI(TAG, "Completed %d requests", ++request_count); printf("Minimum free heap size: %" PRIu32 " bytes\n", esp_get_minimum_free_heap_size()); - for(int countdown = 10; countdown >= 0; countdown--) { + for (int countdown = 10; countdown >= 0; countdown--) { ESP_LOGI(TAG, "%d...", countdown); vTaskDelay(1000 / portTICK_PERIOD_MS); }