espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-05 13:44:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'contrib/github_pr_13618' into 'master'

Browse Source 
fix(esp-tls): make the wolfSSL backend send entire client certificate… (GitHub PR)

Closes IDFGH-12621

See merge request espressif/esp-idf!31055
This commit is contained in:
Aditya Patwardhan
2024-06-03 16:21:30 +08:00
parent cfb8af0cd0 7a1239457e
commit 2f77896198
1 changed files with 25 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
components/esp-tls/esp_tls_wolfssl.c
View File

@@ -97,7 +97,7 @@ static esp_err_t esp_load_wolfssl_verify_buffer(esp_tls_t *tls, const unsigned c
wolf_fileformat = WOLFSSL_FILETYPE_ASN1; wolf_fileformat = WOLFSSL_FILETYPE_ASN1;
} }
if (type == FILE_TYPE_SELF_CERT) { if (type == FILE_TYPE_SELF_CERT) {
if ((*err_ret = wolfSSL_CTX_use_certificate_buffer( (WOLFSSL_CTX *)tls->priv_ctx, cert_buf, cert_len, wolf_fileformat)) == WOLFSSL_SUCCESS) { if ((*err_ret = wolfSSL_CTX_use_certificate_chain_buffer_format( (WOLFSSL_CTX *)tls->priv_ctx, cert_buf, cert_len, wolf_fileformat)) == WOLFSSL_SUCCESS) {
return ESP_OK; return ESP_OK;
} }
return ESP_FAIL; return ESP_FAIL;
@@ -288,6 +288,11 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
free(use_host); free(use_host);
return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED; return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
} }
/* Mimic the semantics of mbedtls_ssl_set_hostname() */
if ((ret = wolfSSL_CTX_UseSNI(tls->priv_ctx, WOLFSSL_SNI_HOST_NAME, use_host, strlen(use_host))) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_UseSNI failed, returned %d", ret);
return ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED;
}
free(use_host); free(use_host);
} }
@@ -310,6 +315,24 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
#endif /* CONFIG_WOLFSSL_HAVE_ALPN */ #endif /* CONFIG_WOLFSSL_HAVE_ALPN */
} }
#ifdef CONFIG_WOLFSSL_HAVE_OCSP
/* enable OCSP certificate status check for this TLS context */
if ((ret = wolfSSL_CTX_EnableOCSP((WOLFSSL_CTX *)tls->priv_ctx, WOLFSSL_OCSP_CHECKALL)) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSP failed, returned %d", ret);
return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
}
/* enable OCSP stapling for this TLS context */
if ((ret = wolfSSL_CTX_EnableOCSPStapling((WOLFSSL_CTX *)tls->priv_ctx )) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_CTX_EnableOCSPStapling failed, returned %d", ret);
return ESP_ERR_WOLFSSL_CTX_SETUP_FAILED;
}
/* set option to use OCSP v1 stapling with nounce extension */
if ((ret = wolfSSL_UseOCSPStapling((WOLFSSL *)tls->priv_ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE)) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "wolfSSL_UseOCSPStapling failed, returned %d", ret);
return ESP_ERR_WOLFSSL_SSL_SETUP_FAILED;
}
#endif /* CONFIG_WOLFSSL_HAVE_OCSP */
wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd); wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd);
return ESP_OK; return ESP_OK;
} }
@@ -526,7 +549,7 @@ void esp_wolfssl_server_session_delete(esp_tls_t *tls)
esp_err_t esp_wolfssl_init_global_ca_store(void) esp_err_t esp_wolfssl_init_global_ca_store(void)
{ {
/* This function is just to provide consistancy between function calls of esp_tls.h and wolfssl */ /* This function is just to provide consistency between function calls of esp_tls.h and wolfssl */
return ESP_OK; return ESP_OK;
} }