mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'feature/tls1_3_support' into 'master'
esp-tls: add initial support for TLS1.3 connections (client mode) Closes IDF-7251 and IDF-7252 See merge request espressif/esp-idf!23442
This commit is contained in:
commit
cba923788e
@ -72,6 +72,15 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
|
||||
assert(tls != NULL);
|
||||
int ret;
|
||||
esp_err_t esp_ret = ESP_FAIL;
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
|
||||
return esp_ret;
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
|
||||
tls->server_fd.fd = tls->sockfd;
|
||||
mbedtls_ssl_init(&tls->ssl);
|
||||
mbedtls_ctr_drbg_init(&tls->ctr_drbg);
|
||||
@ -220,6 +229,13 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen)
|
||||
{
|
||||
|
||||
ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
||||
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||
ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
|
||||
if (ret < 0) {
|
||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
return 0;
|
||||
|
@ -26,6 +26,9 @@
|
||||
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
|
||||
#include "mbedtls/ssl_ticket.h"
|
||||
#endif
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
#include "psa/crypto.h"
|
||||
#endif
|
||||
#elif CONFIG_ESP_TLS_USING_WOLFSSL
|
||||
#include "wolfssl/wolfcrypt/settings.h"
|
||||
#include "wolfssl/ssl.h"
|
||||
|
@ -2996,7 +2996,7 @@
|
||||
#endif
|
||||
|
||||
/* This flag makes sure that we are not using
|
||||
* any functino that is deprecated by mbedtls */
|
||||
* any function that is deprecated by mbedtls */
|
||||
#define MBEDTLS_DEPRECATED_REMOVED
|
||||
|
||||
#endif /* ESP_CONFIG_H */
|
||||
|
@ -37,6 +37,9 @@
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/error.h"
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
#include "psa/crypto.h"
|
||||
#endif
|
||||
#include "esp_crt_bundle.h"
|
||||
|
||||
|
||||
@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters)
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_net_context server_fd;
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
psa_status_t status = psa_crypto_init();
|
||||
if (status != PSA_SUCCESS) {
|
||||
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
|
||||
return;
|
||||
}
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_init(&ssl);
|
||||
mbedtls_x509_crt_init(&cacert);
|
||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
||||
@ -110,12 +121,7 @@ static void https_get_task(void *pvParameters)
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print
|
||||
a warning if CA verification fails but it will continue to connect.
|
||||
|
||||
You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
|
||||
*/
|
||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
||||
#ifdef CONFIG_MBEDTLS_DEBUG
|
||||
@ -123,10 +129,9 @@ static void https_get_task(void *pvParameters)
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
|
||||
mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
|
||||
mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||
#endif
|
||||
|
||||
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
|
||||
@ -200,22 +205,28 @@ static void https_get_task(void *pvParameters)
|
||||
bzero(buf, sizeof(buf));
|
||||
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
|
||||
|
||||
if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
|
||||
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||
continue;
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
|
||||
if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
if(ret < 0)
|
||||
{
|
||||
if (ret < 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
|
||||
break;
|
||||
}
|
||||
|
||||
if(ret == 0)
|
||||
{
|
||||
if (ret == 0) {
|
||||
ESP_LOGI(TAG, "connection closed");
|
||||
break;
|
||||
}
|
||||
@ -223,7 +234,7 @@ static void https_get_task(void *pvParameters)
|
||||
len = ret;
|
||||
ESP_LOGD(TAG, "%d bytes read", len);
|
||||
/* Print response directly to stdout as it is read */
|
||||
for(int i = 0; i < len; i++) {
|
||||
for (int i = 0; i < len; i++) {
|
||||
putchar(buf[i]);
|
||||
}
|
||||
} while(1);
|
||||
@ -234,8 +245,7 @@ static void https_get_task(void *pvParameters)
|
||||
mbedtls_ssl_session_reset(&ssl);
|
||||
mbedtls_net_free(&server_fd);
|
||||
|
||||
if(ret != 0)
|
||||
{
|
||||
if (ret != 0) {
|
||||
mbedtls_strerror(ret, buf, 100);
|
||||
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
||||
}
|
||||
@ -246,7 +256,7 @@ static void https_get_task(void *pvParameters)
|
||||
ESP_LOGI(TAG, "Completed %d requests", ++request_count);
|
||||
printf("Minimum free heap size: %" PRIu32 " bytes\n", esp_get_minimum_free_heap_size());
|
||||
|
||||
for(int countdown = 10; countdown >= 0; countdown--) {
|
||||
for (int countdown = 10; countdown >= 0; countdown--) {
|
||||
ESP_LOGI(TAG, "%d...", countdown);
|
||||
vTaskDelay(1000 / portTICK_PERIOD_MS);
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user