esp-tls: Add config and api to set and get ciphersuites list

2024-10-05 20:47:46 -04:00 · 2023-04-20 17:45:25 +08:00 · 2023-04-20 17:45:25 +08:00 · f74447103f
commit f74447103f
parent afd0e384db
4 changed files with 31 additions and 0 deletions
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@ -74,6 +74,7 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_set_global_ca_store        esp_mbedtls_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
 #define _esp_tls_get_global_ca_store        esp_mbedtls_get_global_ca_store
 #define _esp_tls_free_global_ca_store       esp_mbedtls_free_global_ca_store                /*!< Callback function for freeing global ca store for TLS/SSL */
+#define _esp_tls_get_ciphersuites_list      esp_mbedtls_get_ciphersuites_list
 #elif CONFIG_ESP_TLS_USING_WOLFSSL /* CONFIG_ESP_TLS_USING_MBEDTLS */
 #define _esp_create_ssl_handle              esp_create_wolfssl_handle
 #define _esp_tls_handshake                  esp_wolfssl_handshake
@ -617,6 +618,10 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void)
    return _esp_tls_get_global_ca_store();
 }

+const int *esp_tls_get_ciphersuites_list(void)
+{
+    return _esp_tls_get_ciphersuites_list();
+}
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */

 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@ -193,6 +193,8 @@ typedef struct esp_tls_cfg {
 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */

    esp_tls_addr_family_t addr_family;      /*!< The address family to use when connecting to a host. */
+    const int *ciphersuites_list;           /*!< Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites.
+                                                Please check the list validity by esp_tls_get_ciphersuites_list() API */
 } esp_tls_cfg_t;

 #ifdef CONFIG_ESP_TLS_SERVER
@ -649,6 +651,15 @@ esp_err_t esp_tls_get_error_handle(esp_tls_t *tls, esp_tls_error_handle_t *error
 */
 mbedtls_x509_crt *esp_tls_get_global_ca_store(void);

+/**
+ * @brief Get supported TLS ciphersuites list.
+ *
+ * See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 for the list of ciphersuites
+ *
+ * @return  Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites.
+ *
+ */
+const int *esp_tls_get_ciphersuites_list(void);
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
 #ifdef CONFIG_ESP_TLS_SERVER
 /**
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -788,6 +788,11 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
        ESP_LOGE(TAG, "You have to provide both clientcert_buf and clientkey_buf for mutual authentication");
        return ESP_ERR_INVALID_STATE;
    }
+
+    if (cfg->ciphersuites_list != NULL && cfg->ciphersuites_list[0] != 0) {
+        ESP_LOGD(TAG, "Set the ciphersuites list");
+        mbedtls_ssl_conf_ciphersuites(&tls->conf, cfg->ciphersuites_list);
+    }
    return ESP_OK;
 }

@ -895,6 +900,11 @@ void esp_mbedtls_free_global_ca_store(void)
    }
 }

+const int *esp_mbedtls_get_ciphersuites_list(void)
+{
+    return mbedtls_ssl_list_ciphersuites();
+}
+
 #ifdef CONFIG_ESP_TLS_USE_SECURE_ELEMENT
 static esp_err_t esp_init_atecc608a(uint8_t i2c_addr)
 {
--- a/components/esp-tls/private_include/esp_tls_mbedtls.h
+++ b/components/esp-tls/private_include/esp_tls_mbedtls.h
@ -136,3 +136,8 @@ mbedtls_x509_crt *esp_mbedtls_get_global_ca_store(void);
 * Callback function for freeing global ca store for TLS/SSL using mbedtls
 */
 void esp_mbedtls_free_global_ca_store(void);
+
+/**
+ * Internal Callback for esp_tls_get_ciphersuites_list
+ */
+const int *esp_mbedtls_get_ciphersuites_list(void);