From 6ef7d24fc97a3af704263458946053e65e61479b Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Fri, 21 Oct 2022 12:51:31 +0530 Subject: [PATCH] esp-tls: Add changes to the Cert selection callback PR. --- components/esp-tls/Kconfig | 2 +- components/esp-tls/esp_tls.h | 5 ++-- components/esp-tls/esp_tls_mbedtls.c | 7 +++--- .../include/esp_https_server.h | 6 ++--- .../esp_https_server/src/https_server.c | 23 ++++++++----------- 5 files changed, 20 insertions(+), 23 deletions(-) diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig index 6c0d7586bc..ea73d0f979 100644 --- a/components/esp-tls/Kconfig +++ b/components/esp-tls/Kconfig @@ -59,7 +59,7 @@ menu "ESP-TLS" config ESP_TLS_SERVER_CERT_SELECT_HOOK bool "Certificate selection hook" - depends on ESP_TLS_USING_MBEDTLS + depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER help Ability to configure and use a certificate selection callback during server handshake, to select a certificate to present to the client based on the TLS extensions supplied in diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index d018824f13..07c1c8089d 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -198,7 +198,6 @@ typedef struct esp_tls_server_session_ticket_ctx { #endif -#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) /** * @brief tls handshake callback * Can be used to configure per-handshake attributes for the TLS connection. @@ -209,7 +208,6 @@ typedef struct esp_tls_server_session_ticket_ctx { * or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort */ typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback; -#endif typedef struct esp_tls_cfg_server { const char **alpn_protos; /*!< Application protocols required for HTTP2. 
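Review bot: Removing the `#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)` guard around `typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback;` makes the public header depend on `mbedtls_ssl_hs_cb_t` being declared in every configuration esp_tls.h is compiled in, while the Kconfig hunk in the same commit narrows the hook itself to `ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER`. If mbedTLS only declares that callback type with server support enabled, or a wolfSSL-backed build does not pull in mbedtls/ssl.h at all, the typedef becomes a compile error in exactly the configurations the option no longer covers; worth confirming on both backends before merging. If the typedef has to stay unconditional because esp_https_server.h now references it without a guard, say so on the typedef, e.g. `/* Defined unconditionally so esp_https_server can reference it; only used when CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK is enabled */`.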
@@ -274,13 +272,14 @@ typedef struct esp_tls_cfg_server { to free the data associated with this context. */ #endif + void *userdata; /*!< User data to be added to the ssl context. + Can be retrieved by callbacks */ #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback that gets called after ClientHello is processed. Can be used as an SNI callback, but also has access to other TLS extensions, such as ALPN and server_certificate_type . */ #endif - void *userdata; /*!< User data to be add to the ssl context. Can be retrieved by callbacks */ } esp_tls_cfg_server_t; /** diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index 4bd0e5852d..d8aaa991a1 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -522,7 +522,7 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) if (cfg->cert_select_cb != NULL) { - ESP_LOGI(TAG, "Initializing server side certificate selection callback"); + ESP_LOGI(TAG, "Initializing server side cert selection cb"); mbedtls_ssl_conf_cert_cb(&tls->conf, cfg->cert_select_cb); } #endif 
@@ -580,9 +580,10 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) } else { #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) if (cfg->cert_select_cb == NULL) { - ESP_LOGE(TAG, "Missing server certificate and/or key and no certificate selection callback is defined"); + ESP_LOGE(TAG, "No cert select cb is defined"); } else { - ESP_LOGD(TAG, "Missing server certificate and/or key, but certificate selection callback is defined. Callback MUST ALWAYS call mbedtls_ssl_set_hs_own_cert, or the handshake will abort!"); + /* At this point Callback MUST ALWAYS call mbedtls_ssl_set_hs_own_cert, or the handshake will abort! */ + ESP_LOGD(TAG, "Missing server cert and/or key, but cert selection cb is defined."); return ESP_OK; } #else diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h index d224a8fa05..071d5b5ff4 100644 --- a/components/esp_https_server/include/esp_https_server.h +++ b/components/esp_https_server/include/esp_https_server.h @@ -97,10 +97,8 @@ struct httpd_ssl_config { /** User callback for esp_https_server */ esp_https_server_user_cb *user_cb; -#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) - esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback to use */ -#endif void *ssl_userdata; /*!< user data to add to the ssl context */ + esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback to use */ }; typedef struct httpd_ssl_config httpd_ssl_config_t; @@ -150,6 +148,8 @@ typedef struct httpd_ssl_config httpd_ssl_config_t; .session_tickets = false, \ .use_secure_element = false, \ .user_cb = NULL, \ + .ssl_userdata = NULL, \ + .cert_select_cb = NULL \ } /** diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c index bfb4ed4467..f77c775ea3 100644 --- a/components/esp_https_server/src/https_server.c +++ b/components/esp_https_server/src/https_server.c 
@@ -200,13 +200,13 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con } esp_tls_cfg_server_t *cfg = (esp_tls_cfg_server_t *)calloc(1, sizeof(esp_tls_cfg_server_t)); if (!cfg) { - goto free_ssl_ctx; + goto exit; } if (config->session_tickets) { if ( esp_tls_cfg_server_session_tickets_init(cfg) != ESP_OK ) { ESP_LOGE(TAG, "Failed to init session ticket support"); - goto free_cfg; + goto exit; } } @@ -228,7 +228,7 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con cfg->cacert_bytes = config->cacert_len; } else { ESP_LOGE(TAG, "Could not allocate memory for client certificate authority"); - goto free_cfg; + goto exit; } } @@ -241,14 +241,14 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con cfg->servercert_bytes = config->servercert_len; } else { ESP_LOGE(TAG, "Could not allocate memory for server certificate"); - goto free_cacert; + goto exit; } } else { #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) if (config->cert_select_cb == NULL) { #endif ESP_LOGE(TAG, "No Server certificate supplied"); - goto free_cacert; + goto exit; #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) } else { ESP_LOGW(TAG, "Server certificate not supplied, make sure to supply it in the certificate selection hook!"); 
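Review bot: `if (!cfg) { goto exit; }` now jumps to a cleanup label whose first statement is `free((void *) cfg->servercert_buf);` (the `exit:` label in the hunk at L5), so a failed calloc dereferences a NULL `cfg` instead of returning NULL the way the old `free_ssl_ctx` path did. The frees that read through `cfg` have to be skipped when it is NULL: `if (cfg) { free((void *) cfg->servercert_buf); free((void *) cfg->cacert_buf); free(cfg); }` ahead of `free(ssl_ctx);`. Every other `goto exit` in this hunk and the L5 hunk (session-ticket init, CA-cert, server-cert and key failures) runs with a valid `cfg`, so the guard only changes the allocation-failure path. create_secure_context begins outside this hunk.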
@@ -260,39 +260,36 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con cfg->use_secure_element = config->use_secure_element; if (!cfg->use_secure_element) { if (config->prvtkey_pem != NULL && config->prvtkey_len > 0) { - cfg->serverkey_buf = (unsigned char *) malloc(config->prvtkey_len); + cfg->serverkey_buf = malloc(config->prvtkey_len); if (cfg->serverkey_buf) { memcpy((char *) cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len); cfg->serverkey_bytes = config->prvtkey_len; } else { ESP_LOGE(TAG, "Could not allocate memory for server key"); - goto free_servercert; + goto exit; } } else { #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) if (config->cert_select_cb == NULL) { ESP_LOGE(TAG, "No Server key supplied and no certificate selection hook is present"); - goto free_servercert; + goto exit; } else { ESP_LOGW(TAG, "Server key not supplied, make sure to supply it in the certificate selection hook"); } #else ESP_LOGE(TAG, "No Server key supplied"); - goto free_servercert; + goto exit; #endif } } return ssl_ctx; -free_servercert: +exit: free((void *) cfg->servercert_buf); -free_cacert: free((void *) cfg->cacert_buf); -free_cfg: free(cfg); -free_ssl_ctx: free(ssl_ctx); return NULL; }
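Review bot: The consolidated `exit:` label frees `servercert_buf`, `cacert_buf`, `cfg` and `ssl_ctx` but never undoes the `esp_tls_cfg_server_session_tickets_init(cfg)` that succeeded earlier in this function (hunk at L4), so every later failure — missing certificate, missing key, allocation failure — leaks the session-ticket context; this predates the commit, but collapsing the per-resource labels into one `exit` is the moment to make the cleanup complete, e.g. `if (config->session_tickets) { esp_tls_cfg_server_session_tickets_free(cfg); }` before `free(cfg)`, assuming that is the counterpart esp-tls provides. Naming the label `exit` also invites confusion with the standard `exit()` even though labels live in their own namespace; `cleanup:` or `err:` reads better. The function ends inside this hunk but begins outside it.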