feat(esp-tls): add option to enable/disable the full set of OCSP checks for wolfSSL (GitHub PR)
Closes IDFGH-13619
See merge request espressif/esp-idf!33700
Previously the *data parameter of esp_tls_conn_read
was required to be non-NULL after espressif/esp-idf!28358.
This prevents users from using a functionality in esp_tls_conn_read
where calling `esp_tls_conn_read(ctx, NULL, 0);` triggers the
transfer of contents from tcp layer to mbedtls (ssl) layer.
After this the user can read the contents from
esp_tls_get_bytes_avail().
This commit removes the additional NULL check on the data field
to keep this functionality enabled.
Almost all sites these days are virtually hosted and hence
SNI (server name indicator TLS extension) should be enabled by
default.
In addition this change enables OCSP (online server status protocol)
support for esp-tls clients using the wolfSSL backend.
The 3 code lines enable OCSP stapling v1.
By default this feature is disabled.
(I will send another PR on esp-wolfssl repository to allow to
enable it easily.)
This change makes the wolfSSL backend send the complete TLS client certificate
chain. This aligns the wolfSSL backend with the behavior of the mbedTLS backend.
Some servers need the intermediate certificates to verify a client certificate.
If the provided PEM file contains only a single certificate this change has no effect
and the behavior will be as before.
This lets higher-level APIs function as one would expect.
E.g.: esp_websocket_client_config_t.client_cert: when passing here a pem
file containing 2 certificates (the CA's and the client's) it would be
expected that both are transmitted during TLS handshake.
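The commit above hinges on whether a client PEM file holds one certificate or a chain. The following is an added example, not code from esp-idf, wolfSSL or mbedTLS: a small PEM block scanner that counts the `BEGIN CERTIFICATE`/`END CERTIFICATE` blocks in a buffer and extracts an individual block, which is the check a backend needs before deciding whether it is sending a lone leaf or leaf plus intermediates. The sample PEM buffers are constructed with placeholder bodies (not real certificates); `pem_cert_count` and `pem_cert_get` are hypothetical helper names.

```c
/* Added example (not esp-idf, wolfSSL or mbedTLS code): scan a PEM
 * buffer for certificate blocks so a caller can tell a single leaf
 * from a leaf-plus-intermediate chain, and catch a truncated file. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Returns the number of complete BEGIN/END CERTIFICATE blocks in pem,
 * or -1 if a BEGIN marker has no matching END (truncated input). */
int pem_cert_count(const char *pem)
{
    int count = 0;
    const char *p = pem;
    for (;;) {
        const char *b = strstr(p, PEM_BEGIN);
        if (b == NULL) {
            break;
        }
        const char *e = strstr(b + strlen(PEM_BEGIN), PEM_END);
        if (e == NULL) {
            return -1;          /* BEGIN without END: reject the file */
        }
        count++;
        p = e + strlen(PEM_END);
    }
    return count;
}

/* Copies the idx-th (0-based) certificate block, markers included, into
 * out as a NUL-terminated string. Returns the length copied, or -1 if idx
 * is out of range, the block is truncated, or out is too small. */
int pem_cert_get(const char *pem, int idx, char *out, size_t outlen)
{
    const char *p = pem;
    for (int i = 0; ; i++) {
        const char *b = strstr(p, PEM_BEGIN);
        if (b == NULL) {
            return -1;
        }
        const char *e = strstr(b + strlen(PEM_BEGIN), PEM_END);
        if (e == NULL) {
            return -1;
        }
        const char *end = e + strlen(PEM_END);
        if (i == idx) {
            size_t len = (size_t)(end - b);
            if (len + 1 > outlen) {
                return -1;
            }
            memcpy(out, b, len);
            out[len] = '\0';
            return (int)len;
        }
        p = end;
    }
}

/* Constructed sample inputs with placeholder base64 bodies; these are
 * not real certificates, only the framing a PEM parser looks at. */
static const char SAMPLE_CHAIN[] =          /* intermediate CA + leaf */
    "-----BEGIN CERTIFICATE-----\n"
    "QUFBQUFBQUFBQUFBQUFBQQ==\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "QkJCQkJCQkJCQkJCQkJCQg==\n"
    "-----END CERTIFICATE-----\n";

static const char SAMPLE_SINGLE[] =         /* leaf only */
    "-----BEGIN CERTIFICATE-----\n"
    "Q0NDQ0NDQ0NDQ0NDQ0NDQw==\n"
    "-----END CERTIFICATE-----\n";

static const char SAMPLE_TRUNCATED[] =      /* cut off mid-block */
    "-----BEGIN CERTIFICATE-----\n"
    "RERERERERERERERERERERA==\n";

int main(void)
{
    printf("chain: %d cert(s)\n", pem_cert_count(SAMPLE_CHAIN));
    printf("single: %d cert(s)\n", pem_cert_count(SAMPLE_SINGLE));
    printf("truncated: %d\n", pem_cert_count(SAMPLE_TRUNCATED));
    return 0;
}
```

A backend that counts more than one block here is expected, per the commit, to send every block in the handshake rather than only the first; a count of -1 is the case to reject up front rather than hand a half-read file to the TLS library.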
* Users can now use libbsd string.h and sys/cdefs.h functionality
(e.g., strlcpy, containerof) on Linux by just including
string.h or sys/cdefs.h. In other words, the includes are the same
on the Linux target as well as on chips targets (ESP32, etc.).
* libbsd linking is done by the linux component (belongs to common
components) now instead of handling it separately in each component
Only pull in direct dependencies for the test apps, reducing build time
as well making it possible for CI to determine if the test should run or not
when dependencies are changed.
- ESP32-WROOM-32SE has been discontinued and marked as NRND
- This change removes all references to ESP32-WROOM-32SE from IDF
- The example has been migrated to esp-cryptoauthlib repository and it
can be used through the component manager
(https://components.espressif.com/components/espressif/esp-cryptoauthlib)
HTTPD_SSL_CONFIG_DEFAULT used to be a MACRO and hence used to return
a const pointer. With a recent change it started not returning a
const variable. This change reverts the function to its MACRO form.
Updated the https_server example to use static declaration
Fixed the error that occurred while performing OTA upgrades over
TLS 1.3 connection. After handshake is completed, post-handshake message
is received and internal state is changed. While performing mbedtls_ssl_read(),
it checks handshake state and if it is not MBEDTLS_SSL_HANDSHAKE_OVER,
mbedtls_ssl_handshake is called again.
For ESP certificate bundle case, the certificate failure error from
underlying TLS stack was not being tracked. Added the fix and also
updated example code showcasing how to retrieve it.
Closes https://github.com/espressif/esp-idf/issues/12034
linux/lwip: Wrap some IO posix functions
* to work around the FreeRTOS EINTR issue (when building without lwip)
* to correctly choose the sub-system based on fd (when building with
lwip) -- passing control to either linux/system or to lwip
This commit also adapts tapio-if to provide DHCP client by default and
configurable settings for static IP