mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
esp-tls api support in https_request
This commit is contained in:
parent
8a1dcc0765
commit
8cd3c47956
@ -47,6 +47,8 @@
|
|||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
#include "mbedtls/certs.h"
|
#include "mbedtls/certs.h"
|
||||||
|
|
||||||
|
#include "esp-tls.h"
|
||||||
|
|
||||||
/* The examples use simple WiFi configuration that you can set via
|
/* The examples use simple WiFi configuration that you can set via
|
||||||
'make menuconfig'.
|
'make menuconfig'.
|
||||||
|
|
||||||
@ -88,7 +90,7 @@ static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n"
|
|||||||
*/
|
*/
|
||||||
extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start");
|
extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start");
|
||||||
extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end");
|
extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end");
|
||||||
|
|
||||||
static esp_err_t event_handler(void *ctx, system_event_t *event)
|
static esp_err_t event_handler(void *ctx, system_event_t *event)
|
||||||
{
|
{
|
||||||
switch(event->event_id) {
|
switch(event->event_id) {
|
||||||
@ -133,78 +135,7 @@ static void initialise_wifi(void)
|
|||||||
static void https_get_task(void *pvParameters)
|
static void https_get_task(void *pvParameters)
|
||||||
{
|
{
|
||||||
char buf[512];
|
char buf[512];
|
||||||
int ret, flags, len;
|
int ret, len;
|
||||||
|
|
||||||
mbedtls_entropy_context entropy;
|
|
||||||
mbedtls_ctr_drbg_context ctr_drbg;
|
|
||||||
mbedtls_ssl_context ssl;
|
|
||||||
mbedtls_x509_crt cacert;
|
|
||||||
mbedtls_ssl_config conf;
|
|
||||||
mbedtls_net_context server_fd;
|
|
||||||
|
|
||||||
mbedtls_ssl_init(&ssl);
|
|
||||||
mbedtls_x509_crt_init(&cacert);
|
|
||||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
|
||||||
ESP_LOGI(TAG, "Seeding the random number generator");
|
|
||||||
|
|
||||||
mbedtls_ssl_config_init(&conf);
|
|
||||||
|
|
||||||
mbedtls_entropy_init(&entropy);
|
|
||||||
if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
|
|
||||||
NULL, 0)) != 0)
|
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret);
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Loading the CA root certificate...");
|
|
||||||
|
|
||||||
ret = mbedtls_x509_crt_parse(&cacert, server_root_cert_pem_start,
|
|
||||||
server_root_cert_pem_end-server_root_cert_pem_start);
|
|
||||||
|
|
||||||
if(ret < 0)
|
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Setting hostname for TLS session...");
|
|
||||||
|
|
||||||
/* Hostname set here should match CN in server certificate */
|
|
||||||
if((ret = mbedtls_ssl_set_hostname(&ssl, WEB_SERVER)) != 0)
|
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
|
|
||||||
abort();
|
|
||||||
}
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Setting up the SSL/TLS structure...");
|
|
||||||
|
|
||||||
if((ret = mbedtls_ssl_config_defaults(&conf,
|
|
||||||
MBEDTLS_SSL_IS_CLIENT,
|
|
||||||
MBEDTLS_SSL_TRANSPORT_STREAM,
|
|
||||||
MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
|
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret);
|
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print
|
|
||||||
a warning if CA verification fails but it will continue to connect.
|
|
||||||
|
|
||||||
You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
|
|
||||||
*/
|
|
||||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
|
||||||
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
|
||||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
|
||||||
#ifdef CONFIG_MBEDTLS_DEBUG
|
|
||||||
mbedtls_esp_enable_debug_log(&conf, 4);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
|
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
|
|
||||||
while(1) {
|
while(1) {
|
||||||
/* Wait for the callback to set the CONNECTED_BIT in the
|
/* Wait for the callback to set the CONNECTED_BIT in the
|
||||||
@ -213,61 +144,30 @@ static void https_get_task(void *pvParameters)
|
|||||||
xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT,
|
xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT,
|
||||||
false, true, portMAX_DELAY);
|
false, true, portMAX_DELAY);
|
||||||
ESP_LOGI(TAG, "Connected to AP");
|
ESP_LOGI(TAG, "Connected to AP");
|
||||||
|
struct esp_tls_cfg cfg = {
|
||||||
mbedtls_net_init(&server_fd);
|
.cacert_pem_buf = server_root_cert_pem_start,
|
||||||
|
.cacert_pem_bytes = server_root_cert_pem_end - server_root_cert_pem_start,
|
||||||
ESP_LOGI(TAG, "Connecting to %s:%s...", WEB_SERVER, WEB_PORT);
|
};
|
||||||
|
|
||||||
if ((ret = mbedtls_net_connect(&server_fd, WEB_SERVER,
|
struct esp_tls *tls = esp_tls_conn_http_new(WEB_URL, &cfg);
|
||||||
WEB_PORT, MBEDTLS_NET_PROTO_TCP)) != 0)
|
|
||||||
{
|
if(tls != NULL) {
|
||||||
ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret);
|
ESP_LOGI(TAG, "Connection established...");
|
||||||
goto exit;
|
} else {
|
||||||
|
ESP_LOGE(TAG, "Connection failed...");
|
||||||
|
abort();
|
||||||
}
|
}
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Connected.");
|
|
||||||
|
|
||||||
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Performing the SSL/TLS handshake...");
|
|
||||||
|
|
||||||
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0)
|
|
||||||
{
|
|
||||||
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
|
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_handshake returned -0x%x", -ret);
|
|
||||||
goto exit;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Verifying peer X.509 certificate...");
|
|
||||||
|
|
||||||
if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0)
|
|
||||||
{
|
|
||||||
/* In real life, we probably want to close connection if ret != 0 */
|
|
||||||
ESP_LOGW(TAG, "Failed to verify peer certificate!");
|
|
||||||
bzero(buf, sizeof(buf));
|
|
||||||
mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags);
|
|
||||||
ESP_LOGW(TAG, "verification info: %s", buf);
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
ESP_LOGI(TAG, "Certificate verified.");
|
|
||||||
}
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Cipher suite is %s", mbedtls_ssl_get_ciphersuite(&ssl));
|
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Writing HTTP request...");
|
|
||||||
|
|
||||||
size_t written_bytes = 0;
|
size_t written_bytes = 0;
|
||||||
do {
|
do {
|
||||||
ret = mbedtls_ssl_write(&ssl,
|
ret = esp_tls_conn_write(tls,
|
||||||
(const unsigned char *)REQUEST + written_bytes,
|
(const char *)REQUEST + written_bytes,
|
||||||
strlen(REQUEST) - written_bytes);
|
strlen(REQUEST) - written_bytes);
|
||||||
if (ret >= 0) {
|
if (ret >= 0) {
|
||||||
ESP_LOGI(TAG, "%d bytes written", ret);
|
ESP_LOGI(TAG, "%d bytes written", ret);
|
||||||
written_bytes += ret;
|
written_bytes += ret;
|
||||||
} else if (ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_WANT_READ) {
|
} else if (-ret != SSL_ERROR_WANT_WRITE && -ret != SSL_ERROR_WANT_READ) {
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_write returned -0x%x", -ret);
|
ESP_LOGE(TAG, "esp_tls_conn_write returned -0x%x", ret);
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
} while(written_bytes < strlen(REQUEST));
|
} while(written_bytes < strlen(REQUEST));
|
||||||
@ -278,9 +178,9 @@ static void https_get_task(void *pvParameters)
|
|||||||
{
|
{
|
||||||
len = sizeof(buf) - 1;
|
len = sizeof(buf) - 1;
|
||||||
bzero(buf, sizeof(buf));
|
bzero(buf, sizeof(buf));
|
||||||
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
|
ret = esp_tls_conn_read(tls, (char *)buf, len);
|
||||||
|
|
||||||
if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
|
if(-ret == SSL_ERROR_WANT_WRITE || -ret == SSL_ERROR_WANT_READ)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||||
@ -290,7 +190,7 @@ static void https_get_task(void *pvParameters)
|
|||||||
|
|
||||||
if(ret < 0)
|
if(ret < 0)
|
||||||
{
|
{
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
|
ESP_LOGE(TAG, "esp_tls_conn_read returned -0x%x", ret);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -308,18 +208,14 @@ static void https_get_task(void *pvParameters)
|
|||||||
}
|
}
|
||||||
} while(1);
|
} while(1);
|
||||||
|
|
||||||
mbedtls_ssl_close_notify(&ssl);
|
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
mbedtls_ssl_session_reset(&ssl);
|
if(ret != 0)
|
||||||
mbedtls_net_free(&server_fd);
|
|
||||||
|
|
||||||
if(ret != 0)
|
|
||||||
{
|
{
|
||||||
mbedtls_strerror(ret, buf, 100);
|
mbedtls_strerror(ret, buf, 100);
|
||||||
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
esp_tls_conn_delete(tls);
|
||||||
putchar('\n'); // JSON output doesn't have a newline at end
|
putchar('\n'); // JSON output doesn't have a newline at end
|
||||||
|
|
||||||
static int request_count;
|
static int request_count;
|
||||||
|
Loading…
Reference in New Issue
Block a user