Merge branch 'feature/tls1_3_support' into 'master'

esp-tls: add initial support for TLS1.3 connections (client mode)

Closes IDF-7251 and IDF-7252

See merge request espressif/esp-idf!23442
This commit is contained in:
Mahavir Jain 2023-04-27 18:13:43 +08:00
commit cba923788e
4 changed files with 49 additions and 20 deletions

View File

@ -72,6 +72,15 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
assert(tls != NULL); assert(tls != NULL);
int ret; int ret;
esp_err_t esp_ret = ESP_FAIL; esp_err_t esp_ret = ESP_FAIL;
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
return esp_ret;
}
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
tls->server_fd.fd = tls->sockfd; tls->server_fd.fd = tls->sockfd;
mbedtls_ssl_init(&tls->ssl); mbedtls_ssl_init(&tls->ssl);
mbedtls_ctr_drbg_init(&tls->ctr_drbg); mbedtls_ctr_drbg_init(&tls->ctr_drbg);
@ -220,6 +229,13 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen)
{ {
ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen); ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
}
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
if (ret < 0) { if (ret < 0) {
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
return 0; return 0;

View File

@ -26,6 +26,9 @@
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
#include "mbedtls/ssl_ticket.h" #include "mbedtls/ssl_ticket.h"
#endif #endif
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
#include "psa/crypto.h"
#endif
#elif CONFIG_ESP_TLS_USING_WOLFSSL #elif CONFIG_ESP_TLS_USING_WOLFSSL
#include "wolfssl/wolfcrypt/settings.h" #include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/ssl.h" #include "wolfssl/ssl.h"

View File

@ -2996,7 +2996,7 @@
#endif #endif
/* This flag makes sure that we are not using /* This flag makes sure that we are not using
* any functino that is deprecated by mbedtls */ * any function that is deprecated by mbedtls */
#define MBEDTLS_DEPRECATED_REMOVED #define MBEDTLS_DEPRECATED_REMOVED
#endif /* ESP_CONFIG_H */ #endif /* ESP_CONFIG_H */

View File

@ -37,6 +37,9 @@
#include "mbedtls/entropy.h" #include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
#include "psa/crypto.h"
#endif
#include "esp_crt_bundle.h" #include "esp_crt_bundle.h"
@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters)
mbedtls_ssl_config conf; mbedtls_ssl_config conf;
mbedtls_net_context server_fd; mbedtls_net_context server_fd;
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
return;
}
#endif
mbedtls_ssl_init(&ssl); mbedtls_ssl_init(&ssl);
mbedtls_x509_crt_init(&cacert); mbedtls_x509_crt_init(&cacert);
mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_ctr_drbg_init(&ctr_drbg);
@ -110,12 +121,7 @@ static void https_get_task(void *pvParameters)
goto exit; goto exit;
} }
/* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
a warning if CA verification fails but it will continue to connect.
You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
*/
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL); mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
#ifdef CONFIG_MBEDTLS_DEBUG #ifdef CONFIG_MBEDTLS_DEBUG
@ -123,10 +129,9 @@ static void https_get_task(void *pvParameters)
#endif #endif
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4); mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4); mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
#endif #endif
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
{ {
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret); ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
@ -200,22 +205,28 @@ static void https_get_task(void *pvParameters)
bzero(buf, sizeof(buf)); bzero(buf, sizeof(buf));
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len); ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) #if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
continue; continue;
}
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
continue;
}
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
ret = 0; ret = 0;
break; break;
} }
if(ret < 0) if (ret < 0) {
{
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret); ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
break; break;
} }
if(ret == 0) if (ret == 0) {
{
ESP_LOGI(TAG, "connection closed"); ESP_LOGI(TAG, "connection closed");
break; break;
} }
@ -234,8 +245,7 @@ static void https_get_task(void *pvParameters)
mbedtls_ssl_session_reset(&ssl); mbedtls_ssl_session_reset(&ssl);
mbedtls_net_free(&server_fd); mbedtls_net_free(&server_fd);
if(ret != 0) if (ret != 0) {
{
mbedtls_strerror(ret, buf, 100); mbedtls_strerror(ret, buf, 100);
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf); ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
} }