diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c
index 002306dbeb..861861d5de 100644
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@@ -141,22 +141,33 @@ err_freeaddr:
     return ret;
 }
 
+esp_err_t esp_tls_init_global_ca_store()
+{
+    if (global_cacert == NULL) {
+        global_cacert = (mbedtls_x509_crt *)calloc(1, sizeof(mbedtls_x509_crt));
+        if (global_cacert == NULL) {
+            ESP_LOGE(TAG, "global_cacert not allocated");
+            return ESP_ERR_NO_MEM;
+        }
+        mbedtls_x509_crt_init(global_cacert);
+    }
+    return ESP_OK;
+}
+
 esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
 {
+    int ret;
     if (cacert_pem_buf == NULL) {
         ESP_LOGE(TAG, "cacert_pem_buf is null");
         return ESP_ERR_INVALID_ARG;
     }
-    if (global_cacert != NULL) {
-        mbedtls_x509_crt_free(global_cacert);
-    }
-    global_cacert = (mbedtls_x509_crt *)calloc(1, sizeof(mbedtls_x509_crt));
     if (global_cacert == NULL) {
-        ESP_LOGE(TAG, "global_cacert not allocated");
-        return ESP_ERR_NO_MEM;
+        ret = esp_tls_init_global_ca_store();
+        if (ret != ESP_OK) {
+            return ret;
+        }
     }
-    mbedtls_x509_crt_init(global_cacert);
-    int ret = mbedtls_x509_crt_parse(global_cacert, cacert_pem_buf, cacert_pem_bytes);
+    ret = mbedtls_x509_crt_parse(global_cacert, cacert_pem_buf, cacert_pem_bytes);
     if (ret < 0) {
         ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
         mbedtls_x509_crt_free(global_cacert);
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index 15830d5a3c..38538ed0a3 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
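Review bot: `esp_tls_init_global_ca_store()` is defined with an empty parameter list, which in C is an unprototyped declaration rather than a function taking no arguments; write `esp_err_t esp_tls_init_global_ca_store(void)` here and in the matching declaration in esp_tls.h. Because the store is now allocated only when `global_cacert` is NULL, a repeat call to `esp_tls_set_global_ca_store()` appends to the existing chain where it previously freed and replaced it, so roots trusted by an earlier call remain trusted; the new header text describes this, but a comment at the parse call, e.g. `/* appends to the existing chain; roots loaded earlier stay trusted */`, would make the trust implication visible at the code, and if the component offers no way to release the global store, such an API should accompany this change. `mbedtls_x509_crt_parse()` returns a positive count of PEM entries it could not parse, which `ret < 0` accepts silently; logging a non-zero count would help operators notice a malformed bundle. The error branch after `mbedtls_x509_crt_free(global_cacert)` continues outside the hunk; if it also frees the allocation, `global_cacert` should be reset to NULL there so the next `esp_tls_set_global_ca_store()` re-initialises the store rather than parsing into a dangling pointer.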
@@ -260,10 +260,25 @@ void esp_tls_conn_delete(esp_tls_t *tls);
 size_t esp_tls_get_bytes_avail(esp_tls_t *tls);
 
 /**
- * @brief Create a global CA store with the buffer provided in cfg.
+ * @brief Create a global CA store, initially empty.
  *
- * This function should be called if the application wants to use the same CA store for
- * multiple connections. The application must call this function before calling esp_tls_conn_new().
+ * This function should be called if the application wants to use the same CA store for multiple connections.
+ * This function initialises the global CA store which can be then set by calling esp_tls_set_global_ca_store().
+ * To be effective, this function must be called before any call to esp_tls_set_global_ca_store().
+ *
+ * @return
+ *          - ESP_OK if creating global CA store was successful.
+ *          - ESP_ERR_NO_MEM if an error occured when allocating the mbedTLS resources.
+ */
+esp_err_t esp_tls_init_global_ca_store();
+
+/**
+ * @brief Set the global CA store with the buffer provided in pem format.
+ *
+ * This function should be called if the application wants to set the global CA store for
+ * multiple connections i.e. to add the certificates in the provided buffer to the certificate chain.
+ * This function implicitly calls esp_tls_init_global_ca_store() if it has not already been called.
+ * The application must call this function before calling esp_tls_conn_new().
  *
  * @param[in]  cacert_pem_buf    Buffer which has certificates in pem format. This buffer
  *                               is used for creating a global CA store, which can be used
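Review bot: The new sentence "To be effective, this function must be called before any call to esp_tls_set_global_ca_store()" contradicts the documentation added a few lines below, which states that esp_tls_set_global_ca_store() calls esp_tls_init_global_ca_store() implicitly, and it does not match the implementation in esp_tls.c, where the init function is a no-op once the store exists. Replace it with wording that reflects the actual contract, e.g. ` * Calling this function is optional: esp_tls_set_global_ca_store() initialises the store itself if needed, and repeated calls have no effect once the store exists.` It would also help to state on esp_tls_set_global_ca_store() that each call appends to the chain and does not remove roots added by earlier calls, since that is the trust-relevant behaviour a caller rotating certificates needs to know. "occured" in the new @return list should be "occurred".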
@@ -271,7 +286,7 @@ size_t esp_tls_get_bytes_avail(esp_tls_t *tls);
  * @param[in]  cacert_pem_bytes  Length of the buffer.
  *
  * @return
- *          - ESP_OK if creating global CA store was successful.
+ *          - ESP_OK if adding certificates was successful.
  *          - Other if an error occured or an action must be taken by the calling process.
  */
 esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);