diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt
index 1f6f391411..37abd64355 100644
--- a/components/mbedtls/CMakeLists.txt
+++ b/components/mbedtls/CMakeLists.txt
@@ -1,4 +1,5 @@
idf_build_get_property(idf_target IDF_TARGET)
+idf_build_get_property(python PYTHON)
idf_component_register(SRCS "esp_crt_bundle/esp_crt_bundle.c" INCLUDE_DIRS "port/include" "mbedtls/include" "esp_crt_bundle/include"
diff --git a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
index 6d99f781ce..c03da8d9a8 100644
--- a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
+++ b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
@@ -19,7 +19,6 @@
#include "esp_log.h"
#include "esp_err.h"
-
#define BUNDLE_HEADER_OFFSET 2
#define CRT_HEADER_OFFSET 4
@@ -43,45 +42,48 @@ typedef struct crt_bundle_t {
static crt_bundle_t s_crt_bundle;
static int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags);
-static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
+static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
-static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
+static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
{
- int ret = ESP_FAIL;
+ int ret = 0;
mbedtls_x509_crt parent;
const mbedtls_md_info_t *md_info;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_x509_crt_init(&parent);
- if ( (ret = mbedtls_pk_parse_public_key(&parent.pk , pub_key_buf, pub_key_len) ) != 0) {
+ if ( (ret = mbedtls_pk_parse_public_key(&parent.pk, pub_key_buf, pub_key_len) ) != 0) {
ESP_LOGE(TAG, "PK parse failed with error %X", ret);
- return ESP_FAIL;
+ goto cleanup;
}
// Fast check to avoid expensive computations when not necessary
if (!mbedtls_pk_can_do(&parent.pk, child->sig_pk)) {
ESP_LOGE(TAG, "Simple compare failed");
- return ESP_FAIL;
+ ret = -1;
+ goto cleanup;
}
md_info = mbedtls_md_info_from_type(child->sig_md);
if ( (ret = mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash )) != 0 ) {
ESP_LOGE(TAG, "Internal mbedTLS error %X", ret);
- return ESP_FAIL;
+ goto cleanup;
}
- ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
- child->sig_md, hash, mbedtls_md_get_size( md_info ),
- child->sig.p, child->sig.len ) ;
+ if ( (ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
+ child->sig_md, hash, mbedtls_md_get_size( md_info ),
+ child->sig.p, child->sig.len )) != 0 ) {
- if (ret != 0) {
ESP_LOGE(TAG, "PK verify failed with error %X", ret);
- return ESP_FAIL;
+ goto cleanup;
}
- return ESP_OK;
+cleanup:
+
mbedtls_x509_crt_free(&parent);
+
+ return ret;
}
@@ -205,6 +207,7 @@ esp_err_t esp_crt_bundle_attach(void *conf)
void esp_crt_bundle_detach(mbedtls_ssl_config *conf)
{
free(s_crt_bundle.crts);
+ s_crt_bundle.crts = NULL;
if (conf) {
mbedtls_ssl_conf_verify(conf, NULL, NULL);
}
diff --git a/components/mbedtls/test/prvtkey.pem b/components/mbedtls/test/prvtkey.pem
index ac8ee3b17b..bb0a510a7c 100644
--- a/components/mbedtls/test/prvtkey.pem
+++ b/components/mbedtls/test/prvtkey.pem
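Review bot: esp_crt_check_signature's new int return has no stated contract: the definition in this hunk returns 0 on success, a negative mbedtls error code from mbedtls_pk_parse_public_key, mbedtls_md and mbedtls_pk_verify_ext, and a bare -1 from the mbedtls_pk_can_do branch, and neither the prototype nor the definition carries a comment saying so. Add above the definition: `/* Checks child's signature against the raw public key in pub_key_buf. Returns 0 if the signature verifies, otherwise non-zero (an mbedtls error code, or -1 when the key type cannot produce child's signature algorithm); parent is freed on every path. */`. In the can_do branch a defined code such as `ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;` would make the logged and propagated value decodable where -1 is not. The caller, esp_crt_verify_callback, is outside this hunk, so whether it still compares the result against ESP_OK cannot be seen here; since ESP_OK is 0 such a comparison keeps working, but a `!= ESP_FAIL` check would silently break with the new codes.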
@@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAra9Pvr1J4ltGfVdnOv4DVdYTL68UaIKu37r0TMRdBKn5gSKm -nBnvDx4TyMfiaOyo6tADGZPbzYJ2r45Zmo8zoIiUwh9SWHkFghTl+jNp0+1QxRCH -HyRak3ShIZvje+c0xDDgMIv41l62FCE86dNW0gUCC/KgRCInqzsKurbxZU2qjebI -5TKDkOFJsmoaWPb3q2+wEztPpvjGlV33UVX3OK8bJtRKALFn3733E7g5F2qANjOu -S+7jXDzqxw5HD+QZTTH2Kehh/hrV96WeXUVGnMWru2BtYWKD0Pdh7zGcXjP8oSf2 -FkVssh+0f9khI9Xz6KzdSIMVEeSrDXRKnyJnDQIDAQABAoIBAEtOCpZZvfIdvxdT -URfb0Jhj5Be1onSZzLaGeavbK7V8+QgLfQ+LkwIL+WoBeGIj0i1VGTL6z79wBIOj -hagk1K6S6WStbeecOU4oP3pW1lijuXRn8R4IhhkO5VoMG/q5yUATLPD/j1lq4Skj -LCT5k9glgbiqbuB7qpVsWP+RmGJiLh3jBDrb1NrZLuDlXhXJO+AF69syxxiyvnFA -s7aVHst2TPXgccA9Fh37GzxN4hratz6n0JAaMxpRdJaJF1sSQQznfrYfxnkwtE1y -ZXS5XgeDjqv00mucZVVzNkhT9WeS0bXd0lblboK2z39cN2YDYrmfEr2HonbTozNj -HPlBG2UCgYEA3zWj3kAFhpl6zrHvcIzaemDxi9pFam2wJLgzeSXuHBSZSazi//qm -Dv7rgP38XsY6MeaqpLW687FZ6yiDg2OLLMc4ho7Rq6mOKjp3nTVHjO+LONfxgWul -evhFIabW056jafecouUSvy/9nvrrA5QEJjaHxg0tREuaGiBBgMXTnd8CgYEAxzMr -NkVHqIis5AzGUJOaF2uTqnXbnM+/+kEkJD6yNzFovsxkaebGQF9LA1s/qiDtZtlH -QiXlDsWl/PrKmvxToBY3v3fJKeAMXValtAtX0h67RX6rJUqXBATT/AOcfdlWoaEt -xTCRwi70xjVoSwnvE8CZAGDyHk3/cjRcOBe5QJMCgYAyy4ApGaSoRtEdrHxyvnsR -knIlg1x8pc2J7ak5DpqrJTzk+UUHP8D+dKCfUC1YW//uTzHSHdEXl+qAi02yXrrT -S9rfNC0exY0mqvuBeRh5SCIEo4/ABgE4hLsmt1L4AYfqm4C3yS2E+KTcwvksbUis -cYhgV6tPeWzuORzu8xX/PQKBgG5puFv+jrel+l71jb7/8Xtlz5W+ehozNTAbh1Ln -xZS+OFb5p/bjSaRIraWQoHtGgRBvAwZxRsOnXlgZEtBRaHDln8TrOn+Rhoj+DB79 -4pG/IwJkMa0b6RT7MB0SS12eaFxyoJIaV9CQgnCTDdn6CaCjMqt5EPsnNJ4y06Lr -020tAoGASPmKKVhXJxfhzyzsY9Kk9o31MKISUqVDNimqVDOt8vPZw8m/2WXUVH9T -DnuEGaBmpG22Gs1NxbktsYAUzBeRBpoQ/fNK55eaZorJLs3DfFK604lLClJlQsDd -yfp4LcRNQGodV4Utl6mPOtOFa8nrVGMQn3+M3TK6QTNpjLe87OE= +MIIEpQIBAAKCAQEAySb2QFrQZjQ1EhfN7I+raKrWSWWeYGppqPk3E1sV2y6LSE3M +7cVZyXxcpnP4mcKos3D9k8sbkt05oKcHR2THpWdz5mJn8A7TfJYWnYRHcRuR85th +XC8Pjf3f+JfjXgr/2a2JqHb4fttxoDRwWP1+kbTHa4iERqTFOIhYB9wD8uzbBHJq +IlIGbBHO9J+JxZKVkgDWZfc7zik3YzvkuWju/PmF73BagGxxRDzodzfxhHq1f96J 
+w10YS9pkhVFLxzOz3O+buwL8plCQplVnpj6J+2MaY4JlUvCcosDkT0EORAtrYGwZ +KJBKn4dRftk8Wbtns7zoJ2SNUL5TZ2oyAb2dwQIDAQABAoIBAQCRmE3tTs5A69Du +A6TdcTAUVnM8NP1ptBw+XgRrUiaDuzC9aPLHt2zB1e4J3S83vBn3p/UjIIQYzV+E +1OED4AJRyoutWdT5gQG6z7gW00QSrm358aGK49VSZUvT17yOuU9u85kMAvDigVvB +JbOb9f/C3yLoxqtXprPJs4ZkSe/hyB0JtRzauDYZnK4JmtgDfGds1cykohbUaeCW +ExUSbi/EPuroowmjEPFmN4tH/C3GtQonwGfjP76GXm8u5Fg8VXYUmb5pnxYcFdvv +shoasbK5lksgK50VP2vA9Y3mIrThRvkWgcv0TZaQWAF/JtdSXIID5WzfsgLbtDQF +hZLk1dDxAoGBAPfAjPAqapNVl4GqSkUWofUHMzZG85fHoPN3INSA0aMr4X9wHFfQ +pQ0ACxuimQj66Vk4rWww+HrsjPfiNMZzoi1exS1tjbQVyTBffrHj8sSdWt8Gw6MB +Pp5ubnCy9pl4lWNHlJZJp2SwAd10LzrizzAQALeEtRmg8meYGZElVUy7AoGBAM/Z +REXLJgaad5V3A2xehrSnknKUwab4LFIrgirZ6h0RXYo+wEHGJpDvM5Vw3sZT+UaJ +Jdlb3cXbqOxWrKlqjKe/S2vNScP7V2Na8l/ySO93PYE0V1Q+EeuNGi41xWC4Dh7o +D7BX2nDm9YBZzNVxM/30/dTzFM+CKrCARsLIXvWzAoGBAOQ4GRv61qXVyHSHO1cd +HB+sfD5ZaXa9S8Q6TqGx8GrQty4/RbyW1BN/oLvaMgKVr3KixQ3OpnYFhW2qkFbm +mdQVYqkQK+Jh1yyaKwkPI8h98wFTJ8/2C4rByzZBhOumqmYDwBoYyvvzLiSjLAag +e56YfzCOLIzpN6K594M+0q6VAoGBALWR5D1gKRjNqbetHxV1QhHg7WMhJkaZOAaU +MYMDmKvJ9sAE72jGE/y6qYJb9pCk3PdMaf8GbKciq9/CG9Vn2fXUe6txy4XkNEP8 +OA2vFx3yOY18Tumty3PNcNh7arCCOPuw17vCE3ZbnI2CZRj0amnosjFsJHreCDLl +7GrOJX5XAoGASZXbGykpYJTTr5PGPL/eX0koU1RZ9f6fvVdkfeWNGZfJ4oGkxDcO +fJnzq9wC9YREy6f3eoMrix95RPv4Qo1Wwi2PmtyMFvUdsYckFEhxSN3p4Iqn/nQg +6I7VB0yNqw8ZdP1vBkRcg3kk+QO2tci+OTdpDSKmO5nGjuqpsdBM5/o= -----END RSA PRIVATE KEY----- diff --git a/components/mbedtls/test/server_cert_bundle b/components/mbedtls/test/server_cert_bundle index 19123f6a93..0b7f09aa06 100644 Binary files a/components/mbedtls/test/server_cert_bundle and b/components/mbedtls/test/server_cert_bundle differ diff --git a/components/mbedtls/test/server_cert_chain.pem b/components/mbedtls/test/server_cert_chain.pem index 1ba9a74b2f..afc99a9e30 100644 --- a/components/mbedtls/test/server_cert_chain.pem +++ b/components/mbedtls/test/server_cert_chain.pem 
@@ -1,63 +1,20 @@ -----BEGIN CERTIFICATE----- -MIIFODCCAyCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQ04x -ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxJDAiBgNVBAMM -G0VzcHJlc3NpZiBJbnRlcm1lZGlhdGUgdGVzdDAeFw0xOTEwMTEwMjU0MDdaFw0z -MDA5MjMwMjU0MDdaMEgxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTES -MBAGA1UECgwJRXNwcmVzc2lmMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtr0++vUniW0Z9V2c6/gNV1hMvrxRogq7f -uvRMxF0EqfmBIqacGe8PHhPIx+Jo7Kjq0AMZk9vNgnavjlmajzOgiJTCH1JYeQWC -FOX6M2nT7VDFEIcfJFqTdKEhm+N75zTEMOAwi/jWXrYUITzp01bSBQIL8qBEIier -Owq6tvFlTaqN5sjlMoOQ4UmyahpY9verb7ATO0+m+MaVXfdRVfc4rxsm1EoAsWff -vfcTuDkXaoA2M65L7uNcPOrHDkcP5BlNMfYp6GH+GtX3pZ5dRUacxau7YG1hYoPQ -92HvMZxeM/yhJ/YWRWyyH7R/2SEj1fPorN1IgxUR5KsNdEqfImcNAgMBAAGjggEY -MIIBFDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0E -JhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQW -BBR8LwbfGcYMVc++Ugdoc2XXYXUOBzB7BgNVHSMEdDBygBSZ45naA62T1+k4QIyt -n2h1bWyGOKFWpFQwUjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMRIw -EAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMME0VzcHJlc3NpZiBSb290IFRlc3SC -AhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG -9w0BAQsFAAOCAgEAQ/9JU171woAvQlZ8gmYIOkyIfYQfKmhvw+2DoP+5r1+LOHtO -frg9BshucqXlQ65yRWL8KaAIFKE4e/qBXnD/ZX8R8lR0aMKCgYVW6A1n0wWko/fU -RNXt+sXr+fMX7h0HOC3mzWf2fZkR5B0jUSBQSVkXNt+jkjWOFIGzfHDKldgX5rVX -vNmHwS5zRjbOvPaXrmNpV7wkQ/bRJbnFmbT5V6fwDFzdLzJami86eiT+C68d07/W -We5htv20nYFYdwQJMWYlnGLPPaSE+n5m4QqsrlfR7uOgnuX3RfKHMsiWa7TxLA4g -D9VZq88SQLshec/CIcYlSgnEfa9LxL2mKv386e9YWD2Oho/B33L5tdflihR5m1sd -9xIgka9aXmHu8GEVaBRqzqtIReoa7KfmEQWYjqXH8YdDLMlMKl968Y7c779/SDxC -1ibkanS1+2dPBYpoZldcnbH8w2dguk7luTuPlJxJph6NHGI7bbxL9z6yc5kJi2dS -R4TNXI3UKZ5s7ZUPTv2nYMJIbyEzSjkxinLsr7rFLGlAIpAlRq1C6jmh1ArGA3H2 -jK0xYZcMN8Sz9gYV/zk/VTDMmiyZrYmZSxuhQFZCWaLN79z0pi5SefLW+1K6CzNj -hah0wJEtzq492IQS0q3gH82iGM35Ffy+rtAWIsxrL/2wn+cOrPGvRdmR6J0= ------END CERTIFICATE----- - ------BEGIN CERTIFICATE----- 
-MIIFjjCCA3agAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCQ04x -ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMM -E0VzcHJlc3NpZiBSb290IFRlc3QwHhcNMTkxMDEwMTE1MDMyWhcNMjkxMDA3MTE1 -MDMyWjBaMQswCQYDVQQGEwJDTjERMA8GA1UECAwIU2hhbmdoYWkxEjAQBgNVBAoM -CUVzcHJlc3NpZjEkMCIGA1UEAwwbRXNwcmVzc2lmIEludGVybWVkaWF0ZSB0ZXN0 -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp7FJAjmfYsTlrcZPRJ3g -+IiKW/Gm3q23X4xzdKUQopth3DPO9FDvnce9e7JwXa1WDF8CZqWkvKrJS0njEAUR -JERLYSr28aVFUyodnfxp/+1B5aJFj7LHampLWXsnVCchHHZB0pYZ6KLrTUU73KKd -WaJODtBrq5g9mNNZqVOOHljgr5r8AJefemsCs+LhGcqq8ZFWeZBwzF2YC0h+55hc -7K5g0MnGnQHD3s5nuuSJ9Grz+NDvzESYjmZfTq56wXN6nQIi+4JYBpAx4y63n6NR -0JPsSePDlnGC4KNmHOeF9nXMgvqEP1doLssKKWdPZub6VQHLTk5ILFr1JKaSPjgj -4twKjCTzxN3dPmxY2KPq+tUtoXFxLxqrJk/HyBwiClxSlwhyAe9iZd3Lh0RFENEf -jS6gdD7coLlkJzALLcUTp0VWFWpPT1MbgYMHnnOuKXjw6KWXz/iuxvOJO4ip3tRf -ssuog/cMwmkxKC9oHfoIPBuafW42/os4aZwy/7fJgAFO/e1/n6T7T2qygNOKBvYq -mS6SWm9OFhUJuUtPlUdvHiVDQx40S0a8Z2Rp4XcuBU0M8Toi3lkEwJX/l89Wsos+ -UOITA1B71HxkzHMZQNdXLfnV0tCtC6C3S8IktFm0Kfqa8ruXbjzkKg0I8Wfwyefv -HTc7FRQpyYgXkVLt1ziA+4MCAwEAAaNmMGQwHQYDVR0OBBYEFJnjmdoDrZPX6ThA -jK2faHVtbIY4MB8GA1UdIwQYMBaAFAqo9zQmHYRS1EF/1Fkb31gvGK9HMBIGA1Ud -EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC -AQBl+7vf7T6K7JhHQTFfOlUNoy4rdau6eAfoQE1wybUNIeuKLqhXfn7uLhYLE9Tq -LAYcMN8M8F2MFt7nNifbAFRiXCRRes6tFyQkjqG4SijvGoMiCL3pVYEgrET2qIm8 -Rvupsh/u2UuGivy7XzJmMzU6HhTjF/Yfc6AiPkISzMqxLtbzCD+3TOxNe9nalsFv -gmQsCYUqVZCwdThvHMWY7lC+KZ/f0X8gyVHZpx6K/K+MbMSTzZZa7VEjcJcEQZ8r -+Br0e9X3EkGsKbnq/kVouMZGrZtbOXYNjoVStNdobNaJ1d379xbt8UgkvvSUhJoK -Y4pZoO3nZZUHslLDuLNG6m2tk1SHL7NPNhJoAGwqFtLyrUaUaGa+uIXev4xA0Cby -vUn+PXLKo9NcnDI38l/NxVhqWvKAwkWww/GDdic7GGfzJVSr+K4q3dxy3JW1nh4n -gaGSeKrP0lgO5NqJswGFSrY05lx06HKxHRJRtLf8g+llrGrhApRVqjM9t0By7CgK -E/EgGWG6MyGi2YLenFdFzFRgqEsKVn11XV+rkaC1NSu7l7QfTSiHrynBsYcCTnzD -z4QxJvlLon22Jp1qCwFVKXAE9wc/ncENqiA6vbjP9pq5yps+XbO2frdSQcNwHFIR -aaL+u5SAcyr3qV0I7Wghq0Xoo00DV/pm9K78tIamtsmNhw== 
+MIIDVTCCAj0CFG5WO5Ukqd/0PnrSPIlQnXNjrCUUMA0GCSqGSIb3DQEBCwUAMGIx +CzAJBgNVBAYTAkNOMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQHDAhTaGFu +Z2hhaTESMBAGA1UECgwJRXNwcmVzc2lmMRcwFQYDVQQDDA5Fc3ByZXNzaWYgUm9v +dDAeFw0yMDAzMjYwNjQxMTlaFw0yMTAzMjEwNjQxMTlaMGwxCzAJBgNVBAYTAkNO +MRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQHDAhTaGFuZ2hhaTEhMB8GA1UE +CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRIwEAYDVQQDDAlsb2NhbGhvc3Qw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJJvZAWtBmNDUSF83sj6to +qtZJZZ5gammo+TcTWxXbLotITcztxVnJfFymc/iZwqizcP2TyxuS3TmgpwdHZMel +Z3PmYmfwDtN8lhadhEdxG5Hzm2FcLw+N/d/4l+NeCv/ZrYmodvh+23GgNHBY/X6R +tMdriIRGpMU4iFgH3APy7NsEcmoiUgZsEc70n4nFkpWSANZl9zvOKTdjO+S5aO78 ++YXvcFqAbHFEPOh3N/GEerV/3onDXRhL2mSFUUvHM7Pc75u7AvymUJCmVWemPon7 +YxpjgmVS8JyiwORPQQ5EC2tgbBkokEqfh1F+2TxZu2ezvOgnZI1QvlNnajIBvZ3B +AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAI2RzAwx1IiyWYPbSQOMjATKG1hiqNJF +fkkqJrSfu93iQyye3Umb/pdUf7v5xgN2NrW5VnRow19VR7uCU4VCCBfx77f0Zp2e +UA13qhT5zljoqgtkU9bHbRfTW/Hq30joKqQz8+Z0Yom6qZA7XjAhXXiHt7I4Noq6 +y+HwH08Xr1nII1c6Zc0cDqK9UV02w2v1RJrnGlq3v/CBpanA/nz4LdP5Jqbh79WW +bCe8+Y7WEYR7K4dKSkDugf8ROAaGuCYAbhRMU3tFjNlMRR/5HcBpy7MfUvX6GcI0 +QCfe4ugnHXQXNxS0rb2uM6yCHOTiQ5MJjBPh9tRYV9bSko5u/NmwsFU= -----END CERTIFICATE----- diff --git a/components/mbedtls/test/server_root.pem b/components/mbedtls/test/server_root.pem new file mode 100644 index 0000000000..5854747f9d --- /dev/null +++ b/components/mbedtls/test/server_root.pem 
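Review bot: The replacement leaf certificate in this hunk carries a much shorter validity than the one it replaces: its UTCTime fields decode to notBefore 2020-03-26 06:41:19Z and notAfter 2021-03-21 06:41:19Z, whereas the removed leaf ran to 2030-09-23 and the new root added in server_root.pem runs to 2025-03-26. If the test build enforces certificate dates, the "bundle that does contain the CA" case will start failing about a year after this commit for a reason unrelated to the bundle code, and the failure will look like a verification regression. Reissue the leaf with a validity at least as long as the root's, or record the expiry next to the fixture (for example a comment at the top of test_esp_crt_bundle.c naming the date and how the files were regenerated) so the failure is recognizable when it comes.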
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDpTCCAo2gAwIBAgIUduK+lv/MILT278PPIYz8HkFzhFUwDQYJKoZIhvcNAQEL +BQAwYjELMAkGA1UEBhMCQ04xEzARBgNVBAgMClNvbWUtU3RhdGUxETAPBgNVBAcM +CFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxFzAVBgNVBAMMDkVzcHJlc3Np +ZiBSb290MB4XDTIwMDMyNjA2NDAxMFoXDTI1MDMyNjA2NDAxMFowYjELMAkGA1UE +BhMCQ04xEzARBgNVBAgMClNvbWUtU3RhdGUxETAPBgNVBAcMCFNoYW5naGFpMRIw +EAYDVQQKDAlFc3ByZXNzaWYxFzAVBgNVBAMMDkVzcHJlc3NpZiBSb290MIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9ILzOjsz7dZbABUIoDCBat3MPsv +qd20Jsk3GzkLjY/HjTCMBweq2zt0sRsa+YwCPtQyAsYPtgt/VzRY4TF8jqmSj7Ko +DKOWkbim0O0XDAT8DfkQ32pZC7DnAw/374Vmm/ZmN/yE4zNUjNbjO2weswczcSdL +B3ITsa+OquKYK8J2Pe5gZh/tC0f0I9ks3UplcLyEex8TQZivAK3RL4QWj4j4NJWn +wH5qdizuKStwWEo3FvTP4g95SQItw31HTA8mJcBzCZC0NOZyMckRSmK51XljQ0iU +G7KwK8GNbDC+VUZEt5aGB5QZhCFC2wo5An7u20UHRUWbv4MEgddPDoQ4EwIDAQAB +o1MwUTAdBgNVHQ4EFgQU3inIjbdXp/DgSnVAiJmTlAtKH08wHwYDVR0jBBgwFoAU +3inIjbdXp/DgSnVAiJmTlAtKH08wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAQEAOpLjyXj2e0IaUgJK3lGuJ9u6piehYK1WqPoCR7K7pUnFGyNLu0mq +yfTqNoXV8a7NmM8Vn8ZJ1Gep20JqgvR27o3OE87bT7E/JPUsvbu7MNdfiVxpFWi1 +HxdBrzHr+mcakbhRxI38s3GVNT9Y89Y7FZbE+dqT8SxILk2pVUExfZR/ItazDTxl +95ARCOj/bQPCEN+oLYzS31ORmkJfY2AuJAcJUTCyO4UfpKVFmQeAKlNmTq9Q0a6C +0RlbzZ/PJoB3d265A9fTjlANQ7XzE8GgIJVR7cz5OJzZVxfEr9ME9VfgNrjKyXS3 +FcFQvif6JqX6IbmTenEKi7IfgX2zu1nxtQ== +-----END CERTIFICATE----- diff --git a/components/mbedtls/test/test_esp_crt_bundle.c b/components/mbedtls/test/test_esp_crt_bundle.c index d3835d47a1..e0c8187a65 100644 --- a/components/mbedtls/test/test_esp_crt_bundle.c +++ b/components/mbedtls/test/test_esp_crt_bundle.c 
@@ -63,15 +63,21 @@ typedef struct {
mbedtls_x509_crt cert;
mbedtls_pk_context pkey;
-}mbedtls_endpoint_t;
+} mbedtls_endpoint_t;
+
+typedef enum {
+ ESP_CRT_VALIDATE_UNKNOWN,
+ ESP_CRT_VALIDATE_OK,
+ ESP_CRT_VALIDATE_FAIL,
+}esp_crt_validate_res_t;
static const char *TAG = "cert_bundle_test";
static volatile bool exit_flag;
-esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint);
+esp_err_t endpoint_teardown(mbedtls_endpoint_t *endpoint);
-esp_err_t server_setup(mbedtls_endpoint_t * server)
+esp_err_t server_setup(mbedtls_endpoint_t *server)
{
int ret;
mbedtls_ssl_config_init( &server->conf );
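Review bot: The new `}esp_crt_validate_res_t;` closing line omits the space that this same hunk adds to `} mbedtls_endpoint_t;` a few lines above; write it `} esp_crt_validate_res_t;` so the two typedefs read alike. The enum would also benefit from a one-line comment on ESP_CRT_VALIDATE_UNKNOWN, e.g. `/* no verify result was obtained (setup or connect failed before the handshake) */`, since the TEST_CASE asserts only on OK and FAIL and a reader has to find the assignment in client_task to learn what UNKNOWN means.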
@@ -87,52 +93,49 @@ esp_err_t server_setup(mbedtls_endpoint_t * server)
ret = mbedtls_x509_crt_parse( &server->cert, server_cert_chain_pem_start, server_cert_chain_pem_end - server_cert_chain_pem_start);
- if( ret != 0 ) {
+ if ( ret != 0 ) {
ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned %d", ret );
return ESP_FAIL;
}
- ret = mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start ,
+ ret = mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start,
server_pk_end - server_pk_start, NULL, 0 );
- if( ret != 0 ) {
+ if ( ret != 0 ) {
ESP_LOGE(TAG, "mbedtls_pk_parse_key returned %d", ret );
return ESP_FAIL;
}
ESP_LOGI(TAG, "Bind on https://%s:%s/", SERVER_ADDRESS, SERVER_PORT );
- if( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
+ if ( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_net_bind returned %d", ret );
return ESP_FAIL;
}
+ mbedtls_net_set_nonblock(&server->listen_fd);
ESP_LOGI(TAG, "Seeding the random number generator");
- if( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
- NULL, 0) ) != 0 ) {
+ if ( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
+ NULL, 0) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret );
return ESP_FAIL;
}
ESP_LOGI(TAG, "Setting up the SSL data");
- if( ( ret = mbedtls_ssl_config_defaults( &server->conf,
- MBEDTLS_SSL_IS_SERVER,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
- {
+ if ( ( ret = mbedtls_ssl_config_defaults( &server->conf,
+ MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret );
return ESP_FAIL;
}
mbedtls_ssl_conf_rng( &server->conf, mbedtls_ctr_drbg_random, &server->ctr_drbg );
- mbedtls_ssl_conf_ca_chain( &server->conf,
server->cert.next, NULL );
- if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 )
- {
+ if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ssl_conf_own_cert returned %d", ret );
return ESP_FAIL;
}
- if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 )
- {
+ if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ssl_setup returned %d", ret );
return ESP_FAIL;
}
@@ -151,27 +154,33 @@ void server_task(void *pvParameters)
goto exit;
}
- ESP_LOGI(TAG, "Waiting for a remote connection" );
- if( ( ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd,
- NULL, 0, NULL ) ) != 0 ) {
- ESP_LOGE(TAG, "mbedtls_net_accept returned %d", ret );
- goto exit;
- }
+ bool connected = false;
+ while (!exit_flag) {
- mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
+ ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd, NULL, 0, NULL );
- while(exit_flag == false) {
- mbedtls_ssl_handshake( &server.ssl );
+ if (ret == 0) {
+ connected = true;
+ }
+
+ if (connected) {
+ mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
+ ret = mbedtls_ssl_handshake( &server.ssl );
+ mbedtls_ssl_session_reset(&server.ssl);
+ connected = false;
+ }
+
+ vTaskDelay(20 / portTICK_PERIOD_MS);
}
ESP_LOGE(TAG, "Server shutdown");
- exit:
- endpoint_teardown(&server);
- xSemaphoreGive(*sema);
- vTaskDelete(NULL);
+exit:
+ endpoint_teardown(&server);
+ xSemaphoreGive(*sema);
+ vTaskDelete(NULL);
}
-esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
+esp_err_t endpoint_teardown(mbedtls_endpoint_t *endpoint)
{
mbedtls_net_free( &endpoint->client_fd );
mbedtls_net_free( &endpoint->listen_fd );
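Review bot: The return value of the new `mbedtls_net_set_nonblock(&server->listen_fd);` call in server_setup is dropped, unlike every other mbedtls call in the function, which is checked and logged. If it fails the listen socket stays blocking and the accept loop in server_task blocks inside mbedtls_net_accept instead of polling exit_flag, so the test's shutdown path depends on this call succeeding; check it the same way: `if ((ret = mbedtls_net_set_nonblock(&server->listen_fd)) != 0) { ESP_LOGE(TAG, "mbedtls_net_set_nonblock returned %d", ret); return ESP_FAIL; }`. The hunk also removes the mbedtls_ssl_conf_ca_chain call on its last lines; presumably because server_cert_chain.pem is now a single certificate, but a one-line comment saying the server intentionally sends no chain would help the next reader.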
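Review bot: In the new accept loop in server_task the accepted `server.client_fd` is never released: after mbedtls_ssl_handshake and mbedtls_ssl_session_reset the loop only clears `connected`, so the next successful mbedtls_net_accept overwrites the descriptor and the previous one leaks until endpoint_teardown, which frees only the last. Add `mbedtls_net_free( &server.client_fd );` after the `mbedtls_ssl_session_reset(&server.ssl);` line. The handshake's `ret` is assigned but never inspected; `if (ret != 0) { ESP_LOGW(TAG, "server handshake returned -0x%x", -ret); }` would make a failing run readable from the server side, bearing in mind that the first client run is expected to fail. The `connected` flag is set and cleared within one iteration, so `if (ret == 0) { ... }` expresses the same thing without it.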
@@ -187,7 +196,7 @@ esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
return ESP_OK;
}
-esp_err_t client_setup(mbedtls_endpoint_t* client)
+esp_err_t client_setup(mbedtls_endpoint_t *client)
{
int ret;
mbedtls_ssl_config_init( &client->conf );
@@ -199,24 +208,24 @@ esp_err_t client_setup(mbedtls_endpoint_t* client)
mbedtls_ctr_drbg_init( &client->ctr_drbg );
ESP_LOGI(TAG, "Seeding the random number generator");
- if((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
- NULL, 0)) != 0) {
+ if ((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
+ NULL, 0)) != 0) {
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Setting hostname for TLS session...");
- /* Hostname set here should match CN in server certificate */
- if((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
+ /* Hostname set here should match CN in server certificate */
+ if ((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Setting up the SSL/TLS structure...");
- if((ret = mbedtls_ssl_config_defaults(&client->conf,
- MBEDTLS_SSL_IS_CLIENT,
- MBEDTLS_SSL_TRANSPORT_STREAM,
- MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
+ if ((ret = mbedtls_ssl_config_defaults(&client->conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret);
return ESP_FAIL;
}
@@ -230,21 +239,26 @@ esp_err_t client_setup(mbedtls_endpoint_t* client)
return ESP_OK;
}
-void client_task(void *pvParameters)
+int client_task(const uint8_t *bundle, esp_crt_validate_res_t *res)
{
- int ret;
-
- xSemaphoreHandle *sema = (xSemaphoreHandle *) pvParameters;
+ int ret = ESP_FAIL;
mbedtls_endpoint_t client;
- if(client_setup(&client) != ESP_OK) {
+ *res = ESP_CRT_VALIDATE_UNKNOWN;
+
+ if (client_setup(&client) != ESP_OK) {
ESP_LOGE(TAG, "SSL client setup failed");
goto exit;
}
- // Set the custom bundle which DOESN'T includes the server's root certificate (default bundle)
esp_crt_bundle_attach(&client.conf);
+ if (bundle) {
+ /* Set a bundle different from the menuconfig bundle */
+ esp_crt_bundle_set(bundle);
+ }
+
+ ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
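Review bot: The result of the new `esp_crt_bundle_set(bundle);` call is discarded, so a bundle that fails to load would fall through to the handshake and the test would then report a verification outcome that has nothing to do with the bundle under test; if esp_crt_bundle_set reports failure through its return value, check it the way client_setup's result is checked: `if (esp_crt_bundle_set(bundle) != ESP_OK) { ESP_LOGE(TAG, "esp_crt_bundle_set failed"); goto exit; }`. The same applies to the esp_crt_bundle_attach call on the context line just above, which the commit leaves unchecked. client_task now has a return value and an out-parameter but no header comment; add one stating that `*res` is always written (ESP_CRT_VALIDATE_UNKNOWN until a handshake produced a verify result), that the return value is the last mbedtls or ESP error code, and that `bundle` may be NULL to keep the menuconfig bundle. The function's body continues past the end of this hunk.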
@@ -256,57 +270,61 @@ void client_task(void *pvParameters)
mbedtls_ssl_set_bio(&client.ssl, &client.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle that is missing the server root certificate");
- ret = mbedtls_ssl_handshake(&client.ssl);
+ while ( ( ret = mbedtls_ssl_handshake( &client.ssl ) ) != 0 ) {
+ if ( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) {
+ printf( "mbedtls_ssl_handshake failed with -0x%x\n", -ret );
+ break;
+ }
+ }
ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
- TEST_ASSERT(mbedtls_ssl_get_verify_result(&client.ssl) != 0);
+ ret = mbedtls_ssl_get_verify_result(&client.ssl);
+
+ *res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
+
// Reset session before new connection
mbedtls_ssl_close_notify(&client.ssl);
mbedtls_ssl_session_reset(&client.ssl);
-
- // Set the custom bundle which includes the server's root certificate
- esp_crt_bundle_set(server_cert_bundle_start);
-
- ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle containing the server root certificate");
- ret = mbedtls_ssl_handshake(&client.ssl);
-
- ESP_LOGI(TAG, "Verifying peer X.509 certificate ...");
- ret = mbedtls_ssl_get_verify_result(&client.ssl);
- TEST_ASSERT(ret == 0);
-
- if(ret == 0) {
- ESP_LOGI(TAG, "Certificate validated");
- }
+ mbedtls_net_free( &client.client_fd);
- exit_flag = true;
+exit:
+ mbedtls_ssl_close_notify(&client.ssl);
+ mbedtls_ssl_session_reset(&client.ssl);
+ esp_crt_bundle_detach(&client.conf);
+ endpoint_teardown(&client);
- exit:
- mbedtls_ssl_close_notify(&client.ssl);
- mbedtls_ssl_session_reset(&client.ssl);
- esp_crt_bundle_detach(&client.conf);
- endpoint_teardown(&client);
- xSemaphoreGive(*sema);
- vTaskDelete(NULL);
+ return ret;
}
TEST_CASE("custom certificate bundle", "[mbedtls]")
{
+ esp_crt_validate_res_t validate_res;
+
test_case_uses_tcpip();
- xSemaphoreHandle exit_sema = xSemaphoreCreateCounting(2, 0);
+ xSemaphoreHandle exit_sema = xSemaphoreCreateBinary();
- xTaskCreate(server_task, "server task", 8192, &exit_sema, 5, NULL);
+ exit_flag = false;
+ xTaskCreate(server_task, "server task", 8192, &exit_sema, 10, NULL);
// Wait for the server to start up
vTaskDelay(100 / portTICK_PERIOD_MS);
- xTaskCreate(client_task, "https_get_task", 8192, &exit_sema, 5, NULL);
- for(int i = 0; i < 2; i++) {
- if(!xSemaphoreTake(exit_sema, 10000/portTICK_PERIOD_MS)) {
- TEST_FAIL_MESSAGE("exit_sem not released by test task");
- }
+ /* Test with default crt bundle that doesnt contain the ca crt */
+ client_task(NULL, &validate_res);
+ TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_FAIL);
+
+ /* Test with bundle that does contain the CA crt */
+ client_task(server_cert_bundle_start, &validate_res);
+ TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_OK);
+
+ exit_flag = true;
+
+ if (!xSemaphoreTake(exit_sema, 10000 / portTICK_PERIOD_MS)) {
+ TEST_FAIL_MESSAGE("exit_sem not released by server task");
}
+
vSemaphoreDelete(exit_sema);
-}
\ No newline at end of file
+}
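Review bot: The negative case cannot tell a rejected certificate from any other handshake failure: after the new handshake loop breaks on an error, `ret = mbedtls_ssl_get_verify_result(&client.ssl);` is non-zero for every failure mode, so `*res` becomes ESP_CRT_VALIDATE_FAIL and the first TEST_ASSERT in the TEST_CASE passes even if the server task never answered or the handshake broke before the peer certificate was examined. Report FAIL only for the expected reason and keep the flags in their own type instead of narrowing them into `int ret`: `uint32_t flags = mbedtls_ssl_get_verify_result(&client.ssl);` followed by `*res = (flags == 0) ? ESP_CRT_VALIDATE_OK : (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) ? ESP_CRT_VALIDATE_FAIL : ESP_CRT_VALIDATE_UNKNOWN;`. The `printf(...)` inside the loop is the only direct printf in the visible hunks; `ESP_LOGE(TAG, "mbedtls_ssl_handshake failed with -0x%x", -ret);` matches the surrounding logging. The ESP_LOGI text "Performing the SSL/TLS handshake with bundle that is missing the server root certificate" on the context line above the loop is now wrong for the second client_task call, which passes the bundle that does contain the root; reword it to "Performing the SSL/TLS handshake". client_task begins before this hunk, and if the first TEST_ASSERT fails, `exit_flag = true;` is never reached, so the server task would keep running after the test aborts.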