espressif/esp-protocols
1
0
Fork 1
mirror of https://github.com/espressif/esp-protocols.git synced 2025-07-30 18:57:28 +02:00
Code Issues Packages Projects Releases Wiki Activity

feat(asio): Add mbedtls specific APIs to use TLS stack specific features

Browse Source 
Use mbedtls specific API to configure hostname for verification
This commit is contained in:
David Cermak
2025-04-07 13:33:15 +02:00
parent 4885d28294
commit ad94cc9502
4 changed files with 62 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
components/asio/examples/ssl_client_server/main/asio_ssl_main.cpp
View File

@ -17,6 +17,8 @@
#include "asio/ssl.hpp" #include "asio/ssl.hpp"
#include "asio/buffer.hpp" #include "asio/buffer.hpp"
#include "esp_pthread.h" #include "esp_pthread.h"
// allows for direct access to mbedtls specifics
#include "asio/ssl/mbedtls_specific.hpp"
extern const unsigned char server_pem_start[] asm("_binary_srv_crt_start"); extern const unsigned char server_pem_start[] asm("_binary_srv_crt_start");
extern const unsigned char server_pem_end[] asm("_binary_srv_crt_end"); extern const unsigned char server_pem_end[] asm("_binary_srv_crt_end");
@ -217,6 +219,7 @@ void ssl_server_thread()
io_context.run(); io_context.run();
} }
void ssl_client_thread() void ssl_client_thread()
{ {
asio::io_context io_context; asio::io_context io_context;
@ -229,6 +232,11 @@ void ssl_client_thread()
asio::ssl::context ctx(asio::ssl::context::tls_client); asio::ssl::context ctx(asio::ssl::context::tls_client);
#if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER #if CONFIG_EXAMPLE_CLIENT_VERIFY_PEER
ctx.add_certificate_authority(cert_chain); ctx.add_certificate_authority(cert_chain);
// mbedtls (from 3.6.3) requires hostname to be set when performing TLS handshake with verify-peer option
// asio::ssl allows for name verification using verification callback, i.e. socket_.set_verify_callback(asio::ssl::host_name_verification()),
// - which is not supported in Espressif ASIO port yet.
// Therefore we provide a way to directly use mbedtls API and here we just configure the expected hostname to verify
asio::ssl::mbedtls::set_hostname(ctx.native_handle(), server_ip);
#endif // CONFIG_EXAMPLE_CLIENT_VERIFY_PEER #endif // CONFIG_EXAMPLE_CLIENT_VERIFY_PEER
Client c(io_context, ctx, endpoints); Client c(io_context, ctx, endpoints);

29
components/asio/port/include/asio/ssl/mbedtls_specific.hpp Normal file
View File

@ -0,0 +1,29 @@
//
// SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once
#include "asio/ssl/context_base.hpp"
#include "asio/ssl/context.hpp"
#include "asio/ssl/detail/openssl_types.hpp"
namespace asio {
namespace ssl {
namespace mbedtls {
/**
* @brief Configures specific hostname to be used in peer verification
*
* @param handle asio::ssl context handle type
* @param name hostname to be verified (std::string ownership will be moved to ssl::context)
*
* @return true on success
*/
bool set_hostname(asio::ssl::context::native_handle_type handle, std::string name);
};
};
} // namespace asio::ssl::mbedtls

9
components/asio/port/mbedtls/include/mbedtls_context.hpp
View File

@ -1,5 +1,5 @@
// //
// SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD // SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
// //
// SPDX-License-Identifier: BSL-1.0 // SPDX-License-Identifier: BSL-1.0
// //
@ -52,6 +52,12 @@ public:
return nullptr; return nullptr;
} }
bool set_hostname(std::string hostname)
{
hostname_ = std::move(hostname);
return true;
}
std::size_t size(container c) const std::size_t size(container c) const
{ {
switch (c) { switch (c) {
@ -70,6 +76,7 @@ public:
const_buffer cert_chain_; const_buffer cert_chain_;
const_buffer private_key_; const_buffer private_key_;
const_buffer ca_cert_; const_buffer ca_cert_;
std::string hostname_;
}; };
/** /**

19
components/asio/port/mbedtls/include/mbedtls_engine.hpp
View File

@ -1,5 +1,5 @@
// //
// SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD // SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
// //
// SPDX-License-Identifier: BSL-1.0 // SPDX-License-Identifier: BSL-1.0
// //
@ -16,6 +16,11 @@ namespace asio {
namespace ssl { namespace ssl {
namespace mbedtls { namespace mbedtls {
bool set_hostname(asio::ssl::context::native_handle_type handle, std::string name)
{
return handle->get()->set_hostname(std::move(name));
}
const char *error_message(int error_code) const char *error_message(int error_code)
{ {
static char error_buf[100]; static char error_buf[100];
@ -25,7 +30,7 @@ const char *error_message(int error_code)
void throw_alloc_failure(const char *location) void throw_alloc_failure(const char *location)
{ {
asio::error_code ec( MBEDTLS_ERR_SSL_ALLOC_FAILED, asio::error::get_mbedtls_category()); asio::error_code ec(MBEDTLS_ERR_SSL_ALLOC_FAILED, asio::error::get_mbedtls_category());
asio::detail::throw_error(ec, location); asio::detail::throw_error(ec, location);
} }
@ -269,6 +274,16 @@ private:
} else { } else {
mbedtls_ssl_conf_ca_chain(&conf_, nullptr, nullptr); mbedtls_ssl_conf_ca_chain(&conf_, nullptr, nullptr);
} }
// Configure hostname before handshake if users pre-configured any
// use NULL if not set (to preserve the default behaviour of mbedtls < v3.6.3)
const char* hostname = !ctx->hostname_.empty() ? ctx->hostname_.c_str() : NULL;
ret = mbedtls_ssl_set_hostname(&ssl_, hostname);
if (ret < 0) {
print_error("mbedtls_ssl_set_hostname", ret);
return false;
}
ret = mbedtls_ssl_setup(&ssl_, &conf_); ret = mbedtls_ssl_setup(&ssl_, &conf_);
if (ret) { if (ret) {
print_error("mbedtls_ssl_setup", ret); print_error("mbedtls_ssl_setup", ret);