esp-tls: Add changes to the Cert selection callback PR.

This commit is contained in:
Aditya Patwardhan
2022-10-21 12:51:31 +05:30
parent e6442657fd
commit 6ef7d24fc9
5 changed files with 20 additions and 23 deletions


@@ -59,7 +59,7 @@ menu "ESP-TLS"
config ESP_TLS_SERVER_CERT_SELECT_HOOK config ESP_TLS_SERVER_CERT_SELECT_HOOK
bool "Certificate selection hook" bool "Certificate selection hook"
depends on ESP_TLS_USING_MBEDTLS depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER
help help
Ability to configure and use a certificate selection callback during server handshake, Ability to configure and use a certificate selection callback during server handshake,
to select a certificate to present to the client based on the TLS extensions supplied in to select a certificate to present to the client based on the TLS extensions supplied in


@@ -198,7 +198,6 @@ typedef struct esp_tls_server_session_ticket_ctx {
#endif #endif
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
/** /**
* @brief tls handshake callback * @brief tls handshake callback
* Can be used to configure per-handshake attributes for the TLS connection. * Can be used to configure per-handshake attributes for the TLS connection.
@@ -209,7 +208,6 @@ typedef struct esp_tls_server_session_ticket_ctx {
* or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort * or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort
*/ */
typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback; typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback;
#endif
typedef struct esp_tls_cfg_server { typedef struct esp_tls_cfg_server {
const char **alpn_protos; /*!< Application protocols required for HTTP2. const char **alpn_protos; /*!< Application protocols required for HTTP2.
@@ -274,13 +272,14 @@ typedef struct esp_tls_cfg_server {
to free the data associated with this context. */ to free the data associated with this context. */
#endif #endif
void *userdata; /*!< User data to be added to the ssl context.
Can be retrieved by callbacks */
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback that gets called after ClientHello is processed. esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback that gets called after ClientHello is processed.
Can be used as an SNI callback, but also has access to other Can be used as an SNI callback, but also has access to other
TLS extensions, such as ALPN and server_certificate_type . */ TLS extensions, such as ALPN and server_certificate_type . */
#endif #endif
void *userdata; /*!< User data to be add to the ssl context. Can be retrieved by callbacks */
} esp_tls_cfg_server_t; } esp_tls_cfg_server_t;
/** /**
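Review bot: Removing the `#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)` guard makes `typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback;` unconditional in the public header, while the Kconfig option it was tied to is declared in this same commit as depending on `ESP_TLS_USING_MBEDTLS`; the includes preceding this typedef are outside the hunk, so I cannot confirm `mbedtls_ssl_hs_cb_t` is declared in every build that includes esp_tls.h, and if it is not, non-mbedTLS configurations will fail to compile here. Guarding the typedef on the backend symbol instead, `#if defined(CONFIG_ESP_TLS_USING_MBEDTLS)`, would keep the type available to the https server header without depending on a TLS backend that may not be selected. The retained doc comment on the typedef still reads `handhsake`; it should be `handshake`.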


@@ -522,7 +522,7 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
if (cfg->cert_select_cb != NULL) { if (cfg->cert_select_cb != NULL) {
ESP_LOGI(TAG, "Initializing server side certificate selection callback"); ESP_LOGI(TAG, "Initializing server side cert selection cb");
mbedtls_ssl_conf_cert_cb(&tls->conf, cfg->cert_select_cb); mbedtls_ssl_conf_cert_cb(&tls->conf, cfg->cert_select_cb);
} }
#endif #endif
@@ -580,9 +580,10 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
} else { } else {
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
if (cfg->cert_select_cb == NULL) { if (cfg->cert_select_cb == NULL) {
ESP_LOGE(TAG, "Missing server certificate and/or key and no certificate selection callback is defined"); ESP_LOGE(TAG, "No cert select cb is defined");
} else { } else {
ESP_LOGD(TAG, "Missing server certificate and/or key, but certificate selection callback is defined. Callback MUST ALWAYS call mbedtls_ssl_set_hs_own_cert, or the handshake will abort!"); /* At this point Callback MUST ALWAYS call mbedtls_ssl_set_hs_own_cert, or the handshake will abort! */
ESP_LOGD(TAG, "Missing server cert and/or key, but cert selection cb is defined.");
return ESP_OK; return ESP_OK;
} }
#else #else
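Review bot: The shortened `ESP_LOGE(TAG, "No cert select cb is defined");` no longer states the condition actually being diagnosed, that the server certificate and/or key is missing, so an operator seeing it has to read the source to learn why the handshake setup failed; the previous wording carried that context. Something like `ESP_LOGE(TAG, "Missing server cert and/or key and no cert select cb is defined");` keeps the message short without losing it. The `return ESP_OK;` in the else branch leaves set_server_config early, and since the function continues past the hunk, any configuration steps that follow this block are skipped whenever the certificate is deferred to the callback; worth confirming in the comment that this is intended, e.g. `/* Certificate/key will be supplied by cert_select_cb; the remaining steps are not needed in this case. */`, or restructuring so they still run.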


@@ -97,10 +97,8 @@ struct httpd_ssl_config {
/** User callback for esp_https_server */ /** User callback for esp_https_server */
esp_https_server_user_cb *user_cb; esp_https_server_user_cb *user_cb;
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback to use */
#endif
void *ssl_userdata; /*!< user data to add to the ssl context */ void *ssl_userdata; /*!< user data to add to the ssl context */
esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback to use */
}; };
typedef struct httpd_ssl_config httpd_ssl_config_t; typedef struct httpd_ssl_config httpd_ssl_config_t;
@@ -150,6 +148,8 @@ typedef struct httpd_ssl_config httpd_ssl_config_t;
.session_tickets = false, \ .session_tickets = false, \
.use_secure_element = false, \ .use_secure_element = false, \
.user_cb = NULL, \ .user_cb = NULL, \
.ssl_userdata = NULL, \
.cert_select_cb = NULL \
} }
/** /**
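Review bot: Moving `esp_tls_handshake_callback cert_select_cb;` out of the `#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)` block means the field is always present, but the consumer in esp_https_server.c still only reads it under that same guard, so a callback assigned in a build where the hook is disabled is silently ignored and the server falls back to the static certificate and key without any diagnostic. The field comment should say so, e.g. `/*!< Certificate selection callback; only honoured when CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK is enabled, silently ignored otherwise */`, since a user relying on the callback for SNI-based certificate selection would otherwise serve the wrong certificate without noticing. Adding `.ssl_userdata = NULL,` to the default initializer is a good catch; the struct definition continues outside the hunk so I cannot tell whether other fields are still missing from it.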


@@ -200,13 +200,13 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
} }
esp_tls_cfg_server_t *cfg = (esp_tls_cfg_server_t *)calloc(1, sizeof(esp_tls_cfg_server_t)); esp_tls_cfg_server_t *cfg = (esp_tls_cfg_server_t *)calloc(1, sizeof(esp_tls_cfg_server_t));
if (!cfg) { if (!cfg) {
goto free_ssl_ctx; goto exit;
} }
if (config->session_tickets) { if (config->session_tickets) {
if ( esp_tls_cfg_server_session_tickets_init(cfg) != ESP_OK ) { if ( esp_tls_cfg_server_session_tickets_init(cfg) != ESP_OK ) {
ESP_LOGE(TAG, "Failed to init session ticket support"); ESP_LOGE(TAG, "Failed to init session ticket support");
goto free_cfg; goto exit;
} }
} }
@@ -228,7 +228,7 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
cfg->cacert_bytes = config->cacert_len; cfg->cacert_bytes = config->cacert_len;
} else { } else {
ESP_LOGE(TAG, "Could not allocate memory for client certificate authority"); ESP_LOGE(TAG, "Could not allocate memory for client certificate authority");
goto free_cfg; goto exit;
} }
} }
@@ -241,14 +241,14 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
cfg->servercert_bytes = config->servercert_len; cfg->servercert_bytes = config->servercert_len;
} else { } else {
ESP_LOGE(TAG, "Could not allocate memory for server certificate"); ESP_LOGE(TAG, "Could not allocate memory for server certificate");
goto free_cacert; goto exit;
} }
} else { } else {
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
if (config->cert_select_cb == NULL) { if (config->cert_select_cb == NULL) {
#endif #endif
ESP_LOGE(TAG, "No Server certificate supplied"); ESP_LOGE(TAG, "No Server certificate supplied");
goto free_cacert; goto exit;
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
} else { } else {
ESP_LOGW(TAG, "Server certificate not supplied, make sure to supply it in the certificate selection hook!"); ESP_LOGW(TAG, "Server certificate not supplied, make sure to supply it in the certificate selection hook!");
@@ -260,39 +260,36 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
cfg->use_secure_element = config->use_secure_element; cfg->use_secure_element = config->use_secure_element;
if (!cfg->use_secure_element) { if (!cfg->use_secure_element) {
if (config->prvtkey_pem != NULL && config->prvtkey_len > 0) { if (config->prvtkey_pem != NULL && config->prvtkey_len > 0) {
cfg->serverkey_buf = (unsigned char *) malloc(config->prvtkey_len); cfg->serverkey_buf = malloc(config->prvtkey_len);
if (cfg->serverkey_buf) { if (cfg->serverkey_buf) {
memcpy((char *) cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len); memcpy((char *) cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
cfg->serverkey_bytes = config->prvtkey_len; cfg->serverkey_bytes = config->prvtkey_len;
} else { } else {
ESP_LOGE(TAG, "Could not allocate memory for server key"); ESP_LOGE(TAG, "Could not allocate memory for server key");
goto free_servercert; goto exit;
} }
} else { } else {
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
if (config->cert_select_cb == NULL) { if (config->cert_select_cb == NULL) {
ESP_LOGE(TAG, "No Server key supplied and no certificate selection hook is present"); ESP_LOGE(TAG, "No Server key supplied and no certificate selection hook is present");
goto free_servercert; goto exit;
} else { } else {
ESP_LOGW(TAG, "Server key not supplied, make sure to supply it in the certificate selection hook"); ESP_LOGW(TAG, "Server key not supplied, make sure to supply it in the certificate selection hook");
} }
#else #else
ESP_LOGE(TAG, "No Server key supplied"); ESP_LOGE(TAG, "No Server key supplied");
goto free_servercert; goto exit;
#endif #endif
} }
} }
return ssl_ctx; return ssl_ctx;
free_servercert: exit:
free((void *) cfg->servercert_buf); free((void *) cfg->servercert_buf);
free_cacert:
free((void *) cfg->cacert_buf); free((void *) cfg->cacert_buf);
free_cfg:
free(cfg); free(cfg);
free_ssl_ctx:
free(ssl_ctx); free(ssl_ctx);
return NULL; return NULL;
} }
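Review bot: The consolidated `exit:` label dereferences `cfg` unconditionally, but the calloc failure near the top of the function now also jumps there with `cfg == NULL`, so `free((void *) cfg->servercert_buf);` is a NULL pointer dereference on the out-of-memory path where the old `free_ssl_ctx` label avoided it. The other collapsed labels are safe because `cfg` comes from calloc, so buffers that were never allocated are NULL and `free(NULL)` is a no-op; only the `cfg` pointer itself needs a guard. If session-ticket support was initialised before a later failure, the ticket context does not appear to be released on this path either, but that was already the case before this commit and the init function is outside the hunk, so I cannot confirm it allocates. The function's opening is outside the hunk.
```c
    return ssl_ctx;
exit:
    /* cfg is NULL when its own calloc failed; otherwise its buffers are
     * NULL-initialised by calloc, so free() on them is safe. */
    if (cfg) {
        free((void *) cfg->servercert_buf);
        free((void *) cfg->cacert_buf);
        free(cfg);
    }
    free(ssl_ctx);
    return NULL;
}
```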