espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-02 04:04:31 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'bugfix/enable_crt_bundle_v4.3' into 'release/v4.3'

Browse Source 
esp_https_ota: Enable option of using global_ca_store and x509_crt_bundle

See merge request espressif/esp-idf!18344
This commit is contained in:
Jiang Jiang Jian
2022-06-09 11:12:54 +08:00
parent 64636e002c be783ae29b
commit e04eaca191
5 changed files with 35 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
components/esp_http_client/esp_http_client.c
View File

@@ -630,7 +630,13 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
goto error; goto error;
} }
if (config->use_global_ca_store == true) { if (config->crt_bundle_attach != NULL) {
#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
esp_transport_ssl_crt_bundle_attach(ssl, config->crt_bundle_attach);
#else //CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
ESP_LOGE(TAG, "use_crt_bundle configured but not enabled in menuconfig: Please enable MBEDTLS_CERTIFICATE_BUNDLE option");
#endif
} else if (config->use_global_ca_store == true) {
esp_transport_ssl_enable_global_ca_store(ssl); esp_transport_ssl_enable_global_ca_store(ssl);
} else if (config->cert_pem) { } else if (config->cert_pem) {
esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem)); esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));

2
components/esp_http_client/include/esp_http_client.h
View File

@@ -133,6 +133,8 @@ typedef struct {
bool is_async; /*!< Set asynchronous mode, only supported with HTTPS for now */ bool is_async; /*!< Set asynchronous mode, only supported with HTTPS for now */
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which this bool is set. */ bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which this bool is set. */
bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field */ bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field */
esp_err_t (*crt_bundle_attach)(void *conf); /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
bundle for server verification, must be enabled in menuconfig */
bool keep_alive_enable; /*!< Enable keep-alive timeout */ bool keep_alive_enable; /*!< Enable keep-alive timeout */
int keep_alive_idle; /*!< Keep-alive idle time. Default is 5 (second) */ int keep_alive_idle; /*!< Keep-alive idle time. Default is 5 (second) */
int keep_alive_interval; /*!< Keep-alive interval time. Default is 5 (second) */ int keep_alive_interval; /*!< Keep-alive interval time. Default is 5 (second) */

10
components/esp_https_ota/src/esp_https_ota.c
View File

@@ -160,6 +160,12 @@ static esp_err_t _ota_write(esp_https_ota_t *https_ota_handle, const void *buffe
return err; return err;
} }
static bool is_server_verification_enabled(esp_https_ota_config_t *ota_config) {
return (ota_config->http_config->cert_pem
|| ota_config->http_config->use_global_ca_store
|| !(ota_config->http_config->crt_bundle_attach == NULL));
}
esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_handle_t *handle) esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_handle_t *handle)
{ {
esp_err_t err; esp_err_t err;
@@ -173,8 +179,8 @@ esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_
} }
#if !CONFIG_OTA_ALLOW_HTTP #if !CONFIG_OTA_ALLOW_HTTP
if (!ota_config->http_config->cert_pem) { if (!is_server_verification_enabled(ota_config)) {
ESP_LOGE(TAG, "Server certificate not found in esp_http_client config"); ESP_LOGE(TAG, "No option for server verification is enabled in esp_http_client config.");
*handle = NULL; *handle = NULL;
return ESP_ERR_INVALID_ARG; return ESP_ERR_INVALID_ARG;
} }

12
components/tcp_transport/include/esp_transport_ssl.h
View File

@@ -52,6 +52,16 @@ void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data,
*/ */
void esp_transport_ssl_set_cert_data_der(esp_transport_handle_t t, const char *data, int len); void esp_transport_ssl_set_cert_data_der(esp_transport_handle_t t, const char *data, int len);
/**
* @brief Enable the use of certification bundle for server verfication for
* an SSL connection.
* It must be first enabled in menuconfig.
*
* @param t ssl transport
* @param[in] crt_bundle_attach Function pointer to esp_crt_bundle_attach
*/
void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((*crt_bundle_attach)(void *conf)));
/** /**
* @brief Enable global CA store for SSL connection * @brief Enable global CA store for SSL connection
* *
@@ -141,14 +151,12 @@ void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t);
*/ */
void esp_transport_ssl_use_secure_element(esp_transport_handle_t t); void esp_transport_ssl_use_secure_element(esp_transport_handle_t t);
/** /**
* @brief Set the ds_data handle in ssl context.(used for the digital signature operation) * @brief Set the ds_data handle in ssl context.(used for the digital signature operation)
* *
* @param t ssl transport * @param t ssl transport
* ds_data the handle for ds data params * ds_data the handle for ds data params
*/ */
void esp_transport_ssl_set_ds_data(esp_transport_handle_t t, void *ds_data); void esp_transport_ssl_set_ds_data(esp_transport_handle_t t, void *ds_data);
/** /**

8
components/tcp_transport/transport_ssl.c
View File

@@ -304,6 +304,14 @@ void esp_transport_ssl_use_secure_element(esp_transport_handle_t t)
} }
#endif #endif
void esp_transport_ssl_crt_bundle_attach(esp_transport_handle_t t, esp_err_t ((*crt_bundle_attach)(void *conf)))
{
transport_ssl_t *ssl = esp_transport_get_context_data(t);
if (t && ssl) {
ssl->cfg.crt_bundle_attach = crt_bundle_attach;
}
}
static int ssl_get_socket(esp_transport_handle_t t) static int ssl_get_socket(esp_transport_handle_t t)
{ {
if (t) { if (t) {