espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-05 05:34:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/mbedtls_session_ticket_support' into 'master'

Browse Source 
Feature/mbedtls session ticket support

Closes IDFGH-5288 and IDF-3242

See merge request espressif/esp-idf!14496
This commit is contained in:
Mahavir Jain
2021-09-17 09:59:02 +00:00
parent 72d5be5264 88f9a6b90f
commit 8b4c0e71a9
14 changed files with 457 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
components/esp-tls/Kconfig
View File

@@ -41,6 +41,27 @@ menu "ESP-TLS"
Enable support for creating server side SSL/TLS session, available for mbedTLS
as well as wolfSSL TLS library.
config ESP_TLS_CLIENT_SESSION_TICKETS
bool "Enable client session tickets"
depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
default n
help
Enable session ticket support as specified in RFC5077.
config ESP_TLS_SERVER_SESSION_TICKETS
bool "Enable server session tickets"
depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
default n
help
Enable session ticket support as specified in RFC5077
config ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT
int "Server session ticket timeout in seconds"
depends on ESP_TLS_SERVER_SESSION_TICKETS
default 86400
help
Sets the session ticket timeout used in the tls server.
config ESP_TLS_PSK_VERIFICATION
bool "Enable PSK verification"
select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS

41
components/esp-tls/esp_tls.c
View File

@@ -38,9 +38,12 @@ static const char *TAG = "esp-tls";
#define _esp_tls_write esp_mbedtls_write
#define _esp_tls_conn_delete esp_mbedtls_conn_delete
#define _esp_tls_net_init esp_mbedtls_net_init
#define _esp_tls_get_client_session esp_mbedtls_get_client_session
#ifdef CONFIG_ESP_TLS_SERVER
#define _esp_tls_server_session_create esp_mbedtls_server_session_create
#define _esp_tls_server_session_delete esp_mbedtls_server_session_delete
#define _esp_tls_server_session_ticket_ctx_init esp_mbedtls_server_session_ticket_ctx_init
#define _esp_tls_server_session_ticket_ctx_free esp_mbedtls_server_session_ticket_ctx_free
#endif /* CONFIG_ESP_TLS_SERVER */
#define _esp_tls_get_bytes_avail esp_mbedtls_get_bytes_avail
#define _esp_tls_init_global_ca_store esp_mbedtls_init_global_ca_store
@@ -568,7 +571,45 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void)
}
#endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls)
{
return _esp_tls_get_client_session(tls);
}
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
#ifdef CONFIG_ESP_TLS_SERVER
esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg)
{
#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
if (!cfg || cfg->ticket_ctx) {
return ESP_ERR_INVALID_ARG;
}
cfg->ticket_ctx = calloc(1, sizeof(esp_tls_server_session_ticket_ctx_t));
if (!cfg->ticket_ctx) {
return ESP_ERR_NO_MEM;
}
esp_err_t ret = _esp_tls_server_session_ticket_ctx_init(cfg->ticket_ctx);
if (ret != ESP_OK) {
free(cfg->ticket_ctx);
}
return ret;
#else
return ESP_ERR_NOT_SUPPORTED;
#endif
}
void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg)
{
#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
if (cfg && cfg->ticket_ctx) {
_esp_tls_server_session_ticket_ctx_free(cfg->ticket_ctx);
}
#endif
}
/**
* @brief Create a server side TLS/SSL connection
*/

76
components/esp-tls/esp_tls.h
View File

@@ -20,6 +20,9 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
#include "mbedtls/ssl_ticket.h"
#endif
#elif CONFIG_ESP_TLS_USING_WOLFSSL
#include "wolfssl/wolfcrypt/settings.h"
#include "wolfssl/ssl.h"
@@ -54,6 +57,15 @@ typedef struct psk_key_hint {
const char* hint; /*!< hint in PSK authentication mode in string format */
} psk_hint_key_t;
/**
* @brief esp-tls client session ticket ctx
*/
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
typedef struct esp_tls_client_session {
mbedtls_ssl_session saved_session;
} esp_tls_client_session_t;
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
/**
* @brief Keep alive parameters structure
*/
@@ -168,9 +180,27 @@ typedef struct esp_tls_cfg {
directly with esp_tls_plain_tcp_connect() API */
struct ifreq *if_name; /*!< The name of interface for data to go through. Use the default interface without setting */
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
esp_tls_client_session_t *client_session; /*! Pointer for the client session ticket context. */
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
} esp_tls_cfg_t;
#ifdef CONFIG_ESP_TLS_SERVER
#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
/**
* @brief Data structures necessary to support TLS session tickets according to RFC5077
*/
typedef struct esp_tls_server_session_ticket_ctx {
mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */
mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure.
CTR_DRBG is deterministic random
bit generation based on AES-256 */
mbedtls_ssl_ticket_context ticket_ctx; /*!< Session ticket generation context */
} esp_tls_server_session_ticket_ctx_t;
#endif
typedef struct esp_tls_cfg_server {
const char **alpn_protos; /*!< Application protocols required for HTTP2.
If HTTP2/ALPN support is required, a list
@@ -222,7 +252,39 @@ typedef struct esp_tls_cfg_server {
unsigned int serverkey_password_len; /*!< String length of the password pointed to by
serverkey_password */
#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
esp_tls_server_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context.
You have to call esp_tls_cfg_server_session_tickets_init
to use it.
Call esp_tls_cfg_server_session_tickets_free
to free the data associated with this context. */
#endif
} esp_tls_cfg_server_t;
/**
* @brief Initialize the server side TLS session ticket context
*
* This function initializes the server side tls session ticket context
* which holds all necessary data structures to enable tls session tickets
* according to RFC5077.
* Use esp_tls_cfg_server_session_tickets_free to free the data.
*
* @param[in] cfg server configuration as esp_tls_cfg_server_t
* @return
* ESP_OK if setup succeeded
* ESP_ERR_INVALID_ARG if context is already initialized
* ESP_ERR_NO_MEM if memory allocation failed
* ESP_ERR_NOT_SUPPORTED if session tickets are not available due to build configuration
* ESP_FAIL if setup failed
*/
esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg);
/**
* @brief Free the server side TLS session ticket context
*
* @param cfg server configuration as esp_tls_cfg_server_t
*/
void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg);
#endif /* ! CONFIG_ESP_TLS_SERVER */
/**
@@ -613,6 +675,20 @@ void esp_tls_server_session_delete(esp_tls_t *tls);
*/
esp_err_t esp_tls_plain_tcp_connect(const char *host, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_error_handle_t error_handle, int *sockfd);
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
/**
* @brief Obtain the client session ticket
*
* This function should be called when the TLS connection is already established.
* This can be passed again in the esp_tls_cfg_t structure, to appropriate tls session create (e.g. esp_tls_conn_http_new) API for session resumption.
*
* @param[in] esp_tls context as esp_tls_t
* @return
* Pointer to the saved client session.
* NULL on Failure
*/
esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls);
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
#ifdef __cplusplus
}
#endif

53
components/esp-tls/esp_tls_errors.h
View File

@@ -14,35 +14,42 @@ extern "C" {
#endif
#define ESP_ERR_ESP_TLS_BASE 0x8000 /*!< Starting number of ESP-TLS error codes */
/* generic esp-tls error codes */
#define ESP_ERR_ESP_TLS_CANNOT_RESOLVE_HOSTNAME (ESP_ERR_ESP_TLS_BASE + 0x01) /*!< Error if hostname couldn't be resolved upon tls connection */
#define ESP_ERR_ESP_TLS_CANNOT_CREATE_SOCKET (ESP_ERR_ESP_TLS_BASE + 0x02) /*!< Failed to create socket */
#define ESP_ERR_ESP_TLS_UNSUPPORTED_PROTOCOL_FAMILY (ESP_ERR_ESP_TLS_BASE + 0x03) /*!< Unsupported protocol family */
#define ESP_ERR_ESP_TLS_FAILED_CONNECT_TO_HOST (ESP_ERR_ESP_TLS_BASE + 0x04) /*!< Failed to connect to host */
#define ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x05) /*!< failed to set/get socket option */
#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK (ESP_ERR_ESP_TLS_BASE + 0x06) /*!< mbedtls parse certificates was partly successful */
#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED (ESP_ERR_ESP_TLS_BASE + 0x07) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x08) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x09) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0A) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0B) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0C) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0D) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0E) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0F) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x10) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED (ESP_ERR_ESP_TLS_BASE + 0x11) /*!< mbedtls api returned failed */
#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT (ESP_ERR_ESP_TLS_BASE + 0x12) /*!< new connection in esp_tls_low_level_conn connection timeouted */
#define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x13) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x14) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x15) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x16) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x17) /*!< wolfSSL api returned failed */
#define ESP_ERR_WOLFSSL_CTX_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x18) /*!< wolfSSL api returned failed */
#define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x19) /*!< wolfSSL api returned failed */
#define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1A) /*!< wolfSSL api returned failed */
#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT (ESP_ERR_ESP_TLS_BASE + 0x06) /*!< new connection in esp_tls_low_level_conn connection timeouted */
#define ESP_ERR_ESP_TLS_SE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x07) /*< esp-tls use Secure Element returned failed */
#define ESP_ERR_ESP_TLS_TCP_CLOSED_FIN (ESP_ERR_ESP_TLS_BASE + 0x08) /*< esp-tls's TPC transport connection has benn closed (in a clean way) */
/* mbedtls specific error codes */
#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK (ESP_ERR_ESP_TLS_BASE + 0x10) /*!< mbedtls parse certificates was partly successful */
#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED (ESP_ERR_ESP_TLS_BASE + 0x11) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x12) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x13) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x14) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x15) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED (ESP_ERR_ESP_TLS_BASE + 0x16) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x17) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x18) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED (ESP_ERR_ESP_TLS_BASE + 0x19) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1A) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1B) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1C) /*!< mbedtls api returned failed */
/* wolfssl specific error codes */
#define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED (ESP_ERR_ESP_TLS_BASE + 0x31) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED (ESP_ERR_ESP_TLS_BASE + 0x32) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x33) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x34) /*!< wolfSSL api returned error */
#define ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x35) /*!< wolfSSL api returned failed */
#define ESP_ERR_WOLFSSL_CTX_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x36) /*!< wolfSSL api returned failed */
#define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED (ESP_ERR_ESP_TLS_BASE + 0x37) /*!< wolfSSL api returned failed */
#define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x38) /*!< wolfSSL api returned failed */
#define ESP_ERR_ESP_TLS_SE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x1B) /*< esp-tls use Secure Element returned failed */
#define ESP_ERR_ESP_TLS_TCP_CLOSED_FIN (ESP_ERR_ESP_TLS_BASE + 0x1C) /*< esp-tls's TPC transport connection has benn closed (in a clean way) */
/**
* Definition of errors reported from IO API (potentially non-blocking) in case of error:

129
components/esp-tls/esp_tls_mbedtls.c
View File

@@ -44,7 +44,6 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki);
static const char *TAG = "esp-tls-mbedtls";
static mbedtls_x509_crt *global_cacert = NULL;
/* This function shall return the error message when appropriate log level has been set, otherwise this function shall do nothing */
static void mbedtls_print_error_msg(int error)
{
@@ -132,12 +131,48 @@ exit:
}
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls)
{
if (tls == NULL) {
ESP_LOGE(TAG, "esp_tls session context cannot be NULL");
return NULL;
}
esp_tls_client_session_t *client_session = (esp_tls_client_session_t*)calloc(1, sizeof(esp_tls_client_session_t));
if (client_session == NULL) {
ESP_LOGE(TAG, "Failed to allocate memory for client session ctx");
return NULL;
}
int ret = mbedtls_ssl_get_session(&tls->ssl, &(client_session->saved_session));
if (ret != 0) {
ESP_LOGE(TAG, "Error in obtaining the client ssl session");
mbedtls_print_error_msg(ret);
free(client_session);
return NULL;
}
return client_session;
}
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
{
int ret;
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
if (cfg->client_session != NULL) {
ESP_LOGD(TAG, "Reusing the already saved client session context");
if ((ret = mbedtls_ssl_set_session(&tls->ssl, &(cfg->client_session->saved_session))) != 0 ) {
ESP_LOGE(TAG, " mbedtls_ssl_conf_session returned -0x%04X", -ret);
return -1;
}
}
#endif
ret = mbedtls_ssl_handshake(&tls->ssl);
if (ret == 0) {
tls->conn_state = ESP_TLS_DONE;
#ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
esp_ds_release_ds_lock();
#endif
@@ -368,8 +403,75 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls)
return ESP_OK;
}
#ifdef CONFIG_ESP_TLS_SERVER
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
{
int ret = mbedtls_ssl_ticket_write(p_ticket, session, start, end, tlen, lifetime);
#ifndef NDEBUG
if (ret != 0) {
ESP_LOGE(TAG, "Writing session ticket resulted in error code -0x%04X", -ret);
mbedtls_print_error_msg(ret);
}
#endif
return ret;
}
int esp_mbedtls_server_session_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
{
int ret = mbedtls_ssl_ticket_parse(p_ticket, session, buf, len);
#ifndef NDEBUG
if (ret != 0) {
ESP_LOGD(TAG, "Parsing session ticket resulted in error code -0x%04X", -ret);
mbedtls_print_error_msg(ret);
}
#endif
return ret;
}
esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_ticket_ctx_t *ctx)
{
if (!ctx) {
return ESP_ERR_INVALID_ARG;
}
mbedtls_ctr_drbg_init(&ctx->ctr_drbg);
mbedtls_entropy_init(&ctx->entropy);
mbedtls_ssl_ticket_init(&ctx->ticket_ctx);
int ret;
esp_err_t esp_ret;
if ((ret = mbedtls_ctr_drbg_seed(&ctx->ctr_drbg,
mbedtls_entropy_func, &ctx->entropy, NULL, 0)) != 0) {
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned -0x%04X", -ret);
mbedtls_print_error_msg(ret);
esp_ret = ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED;
goto exit;
}
if((ret = mbedtls_ssl_ticket_setup(&ctx->ticket_ctx,
mbedtls_ctr_drbg_random, &ctx->ctr_drbg,
MBEDTLS_CIPHER_AES_256_GCM,
CONFIG_ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_ticket_setup returned -0x%04X", -ret);
mbedtls_print_error_msg(ret);
esp_ret = ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED;
goto exit;
}
return ESP_OK;
exit:
esp_mbedtls_server_session_ticket_ctx_free(ctx);
return esp_ret;
}
void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *ctx)
{
if (ctx) {
mbedtls_ssl_ticket_free(&ctx->ticket_ctx);
mbedtls_ctr_drbg_init(&ctx->ctr_drbg);
mbedtls_entropy_free(&ctx->entropy);
}
}
#endif
esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
{
assert(cfg != NULL);
@@ -421,6 +523,18 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
ESP_LOGE(TAG, "Missing server certificate and/or key");
return ESP_ERR_INVALID_STATE;
}
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
if (cfg->ticket_ctx) {
ESP_LOGD(TAG, "Enabling server-side tls session ticket support");
mbedtls_ssl_conf_session_tickets_cb( &tls->conf,
esp_mbedtls_server_session_ticket_write,
esp_mbedtls_server_session_ticket_parse,
&cfg->ticket_ctx->ticket_ctx );
}
#endif
return ESP_OK;
}
#endif /* ! CONFIG_ESP_TLS_SERVER */
@@ -480,6 +594,13 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
#endif
}
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
ESP_LOGD(TAG, "Enabling client-side tls session ticket support");
mbedtls_ssl_conf_session_tickets(&tls->conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
mbedtls_ssl_conf_renegotiation(&tls->conf, MBEDTLS_SSL_RENEGOTIATION_ENABLED);
#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
if (cfg->crt_bundle_attach != NULL) {
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
ESP_LOGD(TAG, "Use certificate bundle");
@@ -516,6 +637,10 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
#else
ESP_LOGE(TAG, "psk_hint_key configured but not enabled in menuconfig: Please enable ESP_TLS_PSK_VERIFICATION option");
return ESP_ERR_INVALID_STATE;
#endif
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
} else if (cfg->client_session != NULL) {
ESP_LOGD(TAG, "Resuing the saved client session");
#endif
} else {
#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY

23
components/esp-tls/private_include/esp_tls_mbedtls.h
View File

@@ -76,6 +76,22 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
* /note :- The function can only be used with mbedtls ssl library
*/
void esp_mbedtls_server_session_delete(esp_tls_t *tls);
#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
/**
* Internal function to setup server side session ticket context
*
* /note :- The function can only be used with mbedtls ssl library
*/
esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_ticket_ctx_t *cfg);
/**
* Internal function to free server side session ticket context
*
* /note :- The function can only be used with mbedtls ssl library
*/
void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg);
#endif
#endif
/**
@@ -83,6 +99,13 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls);
*/
esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls);
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
/**
* Internal Callback for mbedtls_get_client_session
*/
esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls);
#endif
/**
* Internal Callback for mbedtls_init_global_ca_store
*/

129
components/esp_common/src/esp_err_to_name.c
View File

@@ -620,75 +620,78 @@ static const esp_err_msg_t esp_err_msg_table[] = {
# ifdef ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED
ERR_TBL_IT(ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED), /* 32773 0x8005 failed to set/get socket option */
# endif
# ifdef ESP_ERR_MBEDTLS_CERT_PARTLY_OK
ERR_TBL_IT(ESP_ERR_MBEDTLS_CERT_PARTLY_OK), /* 32774 0x8006 mbedtls parse certificates was partly successful */
# endif
# ifdef ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED), /* 32775 0x8007 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED), /* 32776 0x8008 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED), /* 32777 0x8009 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32778 0x800a mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED), /* 32779 0x800b mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED), /* 32780 0x800c mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SETUP_FAILED), /* 32781 0x800d mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_WRITE_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_WRITE_FAILED), /* 32782 0x800e mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED), /* 32783 0x800f mbedtls api returned failed */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED), /* 32784 0x8010 mbedtls api returned failed */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED), /* 32785 0x8011 mbedtls api returned failed */
# endif
# ifdef ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT
ERR_TBL_IT(ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT), /* 32786 0x8012 new connection in esp_tls_low_level_conn
ERR_TBL_IT(ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT), /* 32774 0x8006 new connection in esp_tls_low_level_conn
connection timeouted */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED), /* 32787 0x8013 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32788 0x8014 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED), /* 32789 0x8015 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED), /* 32790 0x8016 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED), /* 32791 0x8017 wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_CTX_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_CTX_SETUP_FAILED), /* 32792 0x8018 wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SETUP_FAILED), /* 32793 0x8019 wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_WRITE_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED), /* 32794 0x801a wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_ESP_TLS_SE_FAILED
ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED), /* 32795 0x801b */
ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED), /* 32775 0x8007 */
# endif
# ifdef ESP_ERR_ESP_TLS_TCP_CLOSED_FIN
ERR_TBL_IT(ESP_ERR_ESP_TLS_TCP_CLOSED_FIN), /* 32796 0x801c */
ERR_TBL_IT(ESP_ERR_ESP_TLS_TCP_CLOSED_FIN), /* 32776 0x8008 */
# endif
# ifdef ESP_ERR_MBEDTLS_CERT_PARTLY_OK
ERR_TBL_IT(ESP_ERR_MBEDTLS_CERT_PARTLY_OK), /* 32784 0x8010 mbedtls parse certificates was partly successful */
# endif
# ifdef ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED), /* 32785 0x8011 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED), /* 32786 0x8012 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED), /* 32787 0x8013 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32788 0x8014 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED), /* 32789 0x8015 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED), /* 32790 0x8016 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SETUP_FAILED), /* 32791 0x8017 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_WRITE_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_WRITE_FAILED), /* 32792 0x8018 mbedtls api returned error */
# endif
# ifdef ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED), /* 32793 0x8019 mbedtls api returned failed */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED), /* 32794 0x801a mbedtls api returned failed */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED), /* 32795 0x801b mbedtls api returned failed */
# endif
# ifdef ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED), /* 32796 0x801c mbedtls api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED), /* 32817 0x8031 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32818 0x8032 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED), /* 32819 0x8033 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED), /* 32820 0x8034 wolfSSL api returned error */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED), /* 32821 0x8035 wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_CTX_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_CTX_SETUP_FAILED), /* 32822 0x8036 wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_SETUP_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SETUP_FAILED), /* 32823 0x8037 wolfSSL api returned failed */
# endif
# ifdef ESP_ERR_WOLFSSL_SSL_WRITE_FAILED
ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED), /* 32824 0x8038 wolfSSL api returned failed */
# endif
// components/esp_https_ota/include/esp_https_ota.h
# ifdef ESP_ERR_HTTPS_OTA_BASE

4
components/esp_https_server/include/esp_https_server.h
View File

@@ -63,6 +63,9 @@ struct httpd_ssl_config {
/** Port used when transport mode is insecure (default 80) */
uint16_t port_insecure;
/** Enable tls session tickets */
bool session_tickets;
};
typedef struct httpd_ssl_config httpd_ssl_config_t;
@@ -109,6 +112,7 @@ typedef struct httpd_ssl_config httpd_ssl_config_t;
.transport_mode = HTTPD_SSL_TRANSPORT_SECURE, \
.port_secure = 443, \
.port_insecure = 80, \
.session_tickets = false, \
}
/**

11
components/esp_https_server/src/https_server.c
View File

@@ -145,6 +145,7 @@ static void free_secure_context(void *ctx)
if (cfg->serverkey_buf) {
free((void *)cfg->serverkey_buf);
}
esp_tls_cfg_server_session_tickets_free(cfg);
free(cfg);
free(ssl_ctx);
}
@@ -160,6 +161,16 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
free(ssl_ctx);
return NULL;
}
if (config->session_tickets) {
if ( esp_tls_cfg_server_session_tickets_init(cfg) != ESP_OK ) {
ESP_LOGE(TAG, "Failed to init session ticket support");
free(ssl_ctx);
free(cfg);
return NULL;
}
}
ssl_ctx->tls_cfg = cfg;
/* cacert = CA which signs client cert, or client cert itself , which is mapped to client_verify_cert_pem */
if(config->client_verify_cert_pem != NULL) {

16
examples/protocols/https_request/README.md
View File

@@ -4,6 +4,13 @@ Uses APIs from `esp-tls` component to make a very simple HTTPS request over a se
(See the README.md file in the upper level 'examples' directory for more information about examples.)
### Session Tickets
Session Tickets, specified in [RFC 5077](https://datatracker.ietf.org/doc/html/rfc5077) are a mechanism to distribute encrypted
session-state information to the client in the form of a ticket and a mechanism to present the ticket back to the server. The ticket is created by a TLS server and sent to a TLS client. The TLS client presents the ticket to the TLS server to resume a session. In TLS 1.2, this speeds up handshakes from two to one round-trip.
In ESP-IDF, this feature is supported (for both server and client) when mbedTLS is used as the SSL library.
## How to use example
Before project configuration and build, be sure to set the correct chip target using `idf.py set-target <chip_name>`.
@@ -19,6 +26,15 @@ idf.py menuconfig
```
Open the project configuration menu (`idf.py menuconfig`) to configure Wi-Fi or Ethernet. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../../README.md) for more details.
#### Configuring Client Session Tickets
Note: This example has client session tickets enabled by default.
* Open the project configuration menu (`idf.py menuconfig`)
* In the `Component Config` -> `ESP-TLS` submenu, select the `Enable client session tickets` option.
Ensure that the server has the session tickets feature enabled.
### Build and Flash
Build the project and flash it to the board, then run monitor tool to view serial output:

13
examples/protocols/https_request/example_test.py
View File

@@ -63,6 +63,19 @@ def test_examples_protocol_https_request(env, extra_data):
raise
Utility.console_log("Passed the test for \"https_request using global ca_store\"")
# Check for connection using already saved client session
Utility.console_log("Testing for \"https_request using saved client session\"")
try:
dut1.expect(re.compile('https_request using saved client session'), timeout=20)
dut1.expect_all('Connection established...',
'Reading HTTP response...',
'HTTP/1.1 200 OK',
re.compile('connection closed'))
except Exception:
Utility.console_log("Failed the test for \"https_request using saved client session\"")
raise
Utility.console_log("Passed the test for \"https_request using saved client session\"")
# Check for connection using crt bundle with mbedtls dynamic resource enabled
dut1 = env.get_dut('https_request', 'examples/protocols/https_request', dut_class=ttfw_idf.ESP32DUT, app_config_name='ssldyn')
# check and log bin size

29
examples/protocols/https_request/main/https_request_example_main.c
View File

@@ -67,7 +67,9 @@ static const char REQUEST[] = "GET " WEB_URL " HTTP/1.1\r\n"
*/
extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start");
extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end");
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
esp_tls_client_session_t *tls_client_session = NULL;
#endif
static void https_get_request(esp_tls_cfg_t cfg)
{
char buf[512];
@@ -82,6 +84,12 @@ static void https_get_request(esp_tls_cfg_t cfg)
goto exit;
}
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
/* The TLS session is successfully established, now saving the session ctx for reuse */
if (tls_client_session == NULL) {
tls_client_session = esp_tls_get_client_session(tls);
}
#endif
size_t written_bytes = 0;
do {
ret = esp_tls_conn_write(tls,
@@ -143,6 +151,8 @@ static void https_get_request_using_crt_bundle(void)
https_get_request(cfg);
}
static void https_get_request_using_cacert_buf(void)
{
ESP_LOGI(TAG, "https_request using cacert_buf");
@@ -169,6 +179,19 @@ static void https_get_request_using_global_ca_store(void)
esp_tls_free_global_ca_store();
}
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
static void https_get_request_using_already_saved_session(void)
{
ESP_LOGI(TAG, "https_request using saved client session");
esp_tls_cfg_t cfg = {
.client_session = tls_client_session,
};
https_get_request(cfg);
free(tls_client_session);
tls_client_session = NULL;
}
#endif
static void https_request_task(void *pvparameters)
{
ESP_LOGI(TAG, "Start https_request example");
@@ -176,7 +199,9 @@ static void https_request_task(void *pvparameters)
https_get_request_using_crt_bundle();
https_get_request_using_cacert_buf();
https_get_request_using_global_ca_store();
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
https_get_request_using_already_saved_session();
#endif
ESP_LOGI(TAG, "Finish https_request example");
vTaskDelete(NULL);
}

1
examples/protocols/https_request/sdkconfig.ci
View File

@@ -9,3 +9,4 @@ CONFIG_EXAMPLE_ETH_MDIO_GPIO=18
CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
CONFIG_EXAMPLE_ETH_PHY_ADDR=1
CONFIG_EXAMPLE_CONNECT_IPV6=y
CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y

1
examples/protocols/https_request/sdkconfig.defaults Normal file
View File

@@ -0,0 +1 @@
CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS=y