Merge branch 'feature/tls1_3_support' into 'master'
esp-tls: add initial support for TLS1.3 connections (client mode) Closes IDF-7251 and IDF-7252 See merge request espressif/esp-idf!23442
commit
cba923788e
@ -72,6 +72,15 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
|
|||||||
assert(tls != NULL);
|
assert(tls != NULL);
|
||||||
int ret;
|
int ret;
|
||||||
esp_err_t esp_ret = ESP_FAIL;
|
esp_err_t esp_ret = ESP_FAIL;
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
psa_status_t status = psa_crypto_init();
|
||||||
|
if (status != PSA_SUCCESS) {
|
||||||
|
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
|
||||||
|
return esp_ret;
|
||||||
|
}
|
||||||
|
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
|
||||||
tls->server_fd.fd = tls->sockfd;
|
tls->server_fd.fd = tls->sockfd;
|
||||||
mbedtls_ssl_init(&tls->ssl);
|
mbedtls_ssl_init(&tls->ssl);
|
||||||
mbedtls_ctr_drbg_init(&tls->ctr_drbg);
|
mbedtls_ctr_drbg_init(&tls->ctr_drbg);
|
||||||
@ -220,6 +229,13 @@ ssize_t esp_mbedtls_read(esp_tls_t *tls, char *data, size_t datalen)
|
|||||||
{
|
{
|
||||||
|
|
||||||
ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
||||||
|
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||||
|
while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||||
|
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||||
|
ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
|
||||||
|
}
|
||||||
|
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||||
|
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||||
return 0;
|
return 0;
|
||||||
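Review bot: The retry loop added to esp_mbedtls_read has no upper bound: `while (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET)` calls `mbedtls_ssl_read` again for as long as the peer keeps sending session tickets, so the iteration count is chosen by the server rather than by the caller. A small cap would keep a misbehaving peer from holding the caller inside this function, for example `for (int i = 0; i < MAX_TICKET_RETRIES && ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET; i++)`, where MAX_TICKET_RETRIES is a placeholder for a constant the project would define. When the cap is hit, the ticket code would reach the existing `if (ret < 0)` branch, whose remainder lies outside the hunk. The same unbounded retry appears as a `continue` in the read loop of https_get_task (hunk at -200,22).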
|
@ -26,6 +26,9 @@
|
|||||||
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
|
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
|
||||||
#include "mbedtls/ssl_ticket.h"
|
#include "mbedtls/ssl_ticket.h"
|
||||||
#endif
|
#endif
|
||||||
|
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#endif
|
||||||
#elif CONFIG_ESP_TLS_USING_WOLFSSL
|
#elif CONFIG_ESP_TLS_USING_WOLFSSL
|
||||||
#include "wolfssl/wolfcrypt/settings.h"
|
#include "wolfssl/wolfcrypt/settings.h"
|
||||||
#include "wolfssl/ssl.h"
|
#include "wolfssl/ssl.h"
|
||||||
|
@ -2996,7 +2996,7 @@
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* This flag makes sure that we are not using
|
/* This flag makes sure that we are not using
|
||||||
* any functino that is deprecated by mbedtls */
|
* any function that is deprecated by mbedtls */
|
||||||
#define MBEDTLS_DEPRECATED_REMOVED
|
#define MBEDTLS_DEPRECATED_REMOVED
|
||||||
|
|
||||||
#endif /* ESP_CONFIG_H */
|
#endif /* ESP_CONFIG_H */
|
||||||
|
@ -37,6 +37,9 @@
|
|||||||
#include "mbedtls/entropy.h"
|
#include "mbedtls/entropy.h"
|
||||||
#include "mbedtls/ctr_drbg.h"
|
#include "mbedtls/ctr_drbg.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#endif
|
||||||
#include "esp_crt_bundle.h"
|
#include "esp_crt_bundle.h"
|
||||||
|
|
||||||
|
|
||||||
@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters)
|
|||||||
mbedtls_ssl_config conf;
|
mbedtls_ssl_config conf;
|
||||||
mbedtls_net_context server_fd;
|
mbedtls_net_context server_fd;
|
||||||
|
|
||||||
|
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
psa_status_t status = psa_crypto_init();
|
||||||
|
if (status != PSA_SUCCESS) {
|
||||||
|
ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
mbedtls_ssl_init(&ssl);
|
mbedtls_ssl_init(&ssl);
|
||||||
mbedtls_x509_crt_init(&cacert);
|
mbedtls_x509_crt_init(&cacert);
|
||||||
mbedtls_ctr_drbg_init(&ctr_drbg);
|
mbedtls_ctr_drbg_init(&ctr_drbg);
|
||||||
@ -110,12 +121,7 @@ static void https_get_task(void *pvParameters)
|
|||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print
|
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||||
a warning if CA verification fails but it will continue to connect.
|
|
||||||
|
|
||||||
You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
|
|
||||||
*/
|
|
||||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
|
||||||
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
||||||
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
||||||
#ifdef CONFIG_MBEDTLS_DEBUG
|
#ifdef CONFIG_MBEDTLS_DEBUG
|
||||||
@ -123,10 +129,9 @@ static void https_get_task(void *pvParameters)
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
|
mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||||
mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
|
mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
||||||
{
|
{
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
|
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
|
||||||
@ -200,22 +205,28 @@ static void https_get_task(void *pvParameters)
|
|||||||
bzero(buf, sizeof(buf));
|
bzero(buf, sizeof(buf));
|
||||||
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
|
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
|
||||||
|
|
||||||
if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
|
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||||
|
if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||||
|
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||||
continue;
|
continue;
|
||||||
|
}
|
||||||
|
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||||
|
|
||||||
|
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||||
ret = 0;
|
ret = 0;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(ret < 0)
|
if (ret < 0) {
|
||||||
{
|
|
||||||
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
|
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(ret == 0)
|
if (ret == 0) {
|
||||||
{
|
|
||||||
ESP_LOGI(TAG, "connection closed");
|
ESP_LOGI(TAG, "connection closed");
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
@ -234,8 +245,7 @@ static void https_get_task(void *pvParameters)
|
|||||||
mbedtls_ssl_session_reset(&ssl);
|
mbedtls_ssl_session_reset(&ssl);
|
||||||
mbedtls_net_free(&server_fd);
|
mbedtls_net_free(&server_fd);
|
||||||
|
|
||||||
if(ret != 0)
|
if (ret != 0) {
|
||||||
{
|
|
||||||
mbedtls_strerror(ret, buf, 100);
|
mbedtls_strerror(ret, buf, 100);
|
||||||
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
||||||
}
|
}
|
||||||
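Review bot: In the hunk at -65,6 the failure branch after `psa_crypto_init()` leaves https_get_task with a bare `return;`. If this function runs as a FreeRTOS task, as its `void *pvParameters` signature suggests, a task function is not expected to return, and the branch should end the task explicitly with `vTaskDelete(NULL);` instead. The branch runs before any of the mbedtls contexts are initialised, so no other cleanup is skipped by leaving here. How the task is created is outside the hunk, so that part is inferred rather than visible.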
|