diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig index ac28442ef3..32e1e0db83 100644 --- a/components/esp-tls/Kconfig +++ b/components/esp-tls/Kconfig @@ -38,16 +38,9 @@ menu "ESP-TLS" help Enable session ticket support as specified in RFC5077. - config ESP_TLS_SERVER - bool "Enable ESP-TLS Server" - depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) || ESP_TLS_USING_WOLFSSL - help - Enable support for creating server side SSL/TLS session, available for mbedTLS - as well as wolfSSL TLS library. - config ESP_TLS_SERVER_SESSION_TICKETS bool "Enable server session tickets" - depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS + depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS help Enable session ticket support as specified in RFC5077 @@ -60,7 +53,7 @@ menu "ESP-TLS" config ESP_TLS_SERVER_CERT_SELECT_HOOK bool "Certificate selection hook" - depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER + depends on ESP_TLS_USING_MBEDTLS help Ability to configure and use a certificate selection callback during server handshake, to select a certificate to present to the client based on the TLS extensions supplied in @@ -68,7 +61,7 @@ menu "ESP-TLS" config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional" - depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS + depends on ESP_TLS_USING_MBEDTLS help When this option is enabled, the peer (here, the client) certificate is checked by the server, however the handshake continues even if verification failed. By default, the diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c index b80edd1679..76265587e9 100644 --- a/components/esp-tls/esp_tls.c +++ b/components/esp-tls/esp_tls.c 
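Review bot: Dropping the ESP_TLS_SERVER symbol makes the server-side session code unconditional for every project where it was previously opt-in, and a project that still carries `CONFIG_ESP_TLS_SERVER=y` in its sdkconfig is left with a stale line the build no longer interprets. If the component keeps a rename/deprecation table for retired Kconfig options, an entry for ESP_TLS_SERVER would make the removal visible to those projects; whether such a table exists is not visible from this hunk. The three options that remain (`ESP_TLS_SERVER_SESSION_TICKETS`, `ESP_TLS_SERVER_CERT_SELECT_HOOK`, `ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL`) now gate only on the TLS library, and the three hunks are consistent with each other in that respect.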
@@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -64,12 +64,10 @@ static const char *TAG = "esp-tls"; #define _esp_tls_get_client_session esp_mbedtls_get_client_session #define _esp_tls_free_client_session esp_mbedtls_free_client_session #define _esp_tls_get_ssl_context esp_mbedtls_get_ssl_context -#ifdef CONFIG_ESP_TLS_SERVER #define _esp_tls_server_session_create esp_mbedtls_server_session_create #define _esp_tls_server_session_delete esp_mbedtls_server_session_delete #define _esp_tls_server_session_ticket_ctx_init esp_mbedtls_server_session_ticket_ctx_init #define _esp_tls_server_session_ticket_ctx_free esp_mbedtls_server_session_ticket_ctx_free -#endif /* CONFIG_ESP_TLS_SERVER */ #define _esp_tls_get_bytes_avail esp_mbedtls_get_bytes_avail #define _esp_tls_init_global_ca_store esp_mbedtls_init_global_ca_store #define _esp_tls_set_global_ca_store esp_mbedtls_set_global_ca_store /*!< Callback function for setting global CA store data for TLS/SSL */ @@ -83,10 +81,8 @@ static const char *TAG = "esp-tls"; #define _esp_tls_write esp_wolfssl_write #define _esp_tls_conn_delete esp_wolfssl_conn_delete #define _esp_tls_net_init esp_wolfssl_net_init -#ifdef CONFIG_ESP_TLS_SERVER #define _esp_tls_server_session_create esp_wolfssl_server_session_create #define _esp_tls_server_session_delete esp_wolfssl_server_session_delete -#endif /* CONFIG_ESP_TLS_SERVER */ #define _esp_tls_get_bytes_avail esp_wolfssl_get_bytes_avail #define _esp_tls_init_global_ca_store esp_wolfssl_init_global_ca_store #define _esp_tls_set_global_ca_store esp_wolfssl_set_global_ca_store /*!< Callback function for setting global CA store data for TLS/SSL */ 
@@ -108,7 +104,7 @@ static const char *TAG = "esp-tls"; static esp_err_t create_ssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) { - return _esp_create_ssl_handle(hostname, hostlen, cfg, tls); + return _esp_create_ssl_handle(hostname, hostlen, cfg, tls, NULL); } static esp_err_t esp_tls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg) @@ -638,7 +634,6 @@ void esp_tls_free_client_session(esp_tls_client_session_t *client_session) #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */ -#ifdef CONFIG_ESP_TLS_SERVER esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg) { #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) @@ -682,7 +677,6 @@ void esp_tls_server_session_delete(esp_tls_t *tls) { return _esp_tls_server_session_delete(tls); } -#endif /* CONFIG_ESP_TLS_SERVER */ ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls) { diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index 92e7dbfcf7..32eccacb5d 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -213,7 +213,6 @@ typedef struct esp_tls_cfg { esp_tls_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */ } esp_tls_cfg_t; -#ifdef CONFIG_ESP_TLS_SERVER #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) /** * @brief Data structures necessary to support TLS session tickets according to RFC5077 @@ -228,7 +227,7 @@ typedef struct esp_tls_server_session_ticket_ctx { } esp_tls_server_session_ticket_ctx_t; #endif - +#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) /** * @brief tls handshake callback * Can be used to configure per-handshake attributes for the TLS connection. 
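Review bot: The bare `NULL` added to the create_ssl_handle call carries no hint of what is being omitted, and the mbedtls backend turns a NULL here into ESP_ERR_INVALID_ARG whenever tls->role is ESP_TLS_SERVER, so a reader has to cross-reference the backend to learn that this wrapper is client-only. A short comment at the call keeps that contract local: `return _esp_create_ssl_handle(hostname, hostlen, cfg, tls, NULL); /* client path: server params are required only for ESP_TLS_SERVER */`. Removing the CONFIG_ESP_TLS_SERVER guards around the session-ticket and server-session functions further down the file matches the Kconfig change.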
@@ -239,7 +238,11 @@ typedef struct esp_tls_server_session_ticket_ctx { * or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort */ typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback; +#endif +/** + * @brief ESP-TLS Server configuration parameters + */ typedef struct esp_tls_cfg_server { const char **alpn_protos; /*!< Application protocols required for HTTP2. If HTTP2/ALPN support is required, a list @@ -341,7 +344,6 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg); * @param cfg server configuration as esp_tls_cfg_server_t */ void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg); -#endif /* ! CONFIG_ESP_TLS_SERVER */ typedef struct esp_tls esp_tls_t; @@ -681,7 +683,6 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void); */ const int *esp_tls_get_ciphersuites_list(void); #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */ -#ifdef CONFIG_ESP_TLS_SERVER /** * @brief Create TLS/SSL server session * @@ -707,7 +708,6 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls * @param[in] tls pointer to esp_tls_t */ void esp_tls_server_session_delete(esp_tls_t *tls); -#endif /* ! CONFIG_ESP_TLS_SERVER */ /** * @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index c2730d2df5..5708dfcb95 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -70,7 +70,9 @@ typedef struct esp_tls_pki_t { #endif } esp_tls_pki_t; -esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) +static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls); + +esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params) { assert(cfg != NULL); assert(tls != NULL); 
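Review bot: `server_params` is declared as `void *` and then cast back to `esp_tls_server_params_t *` inside esp_create_mbedtls_handle, which drops the compiler's type check on the one caller that constructs it; the struct is already in scope in this file (it is used by name in the server branch, presumably via esp_tls_private.h where the commit defines it), so the parameter can be typed directly: `esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, esp_tls_server_params_t *server_params)`. The same applies to the esp_create_wolfssl_handle definition and to the two private-header prototypes in esp_tls_mbedtls.h and esp_tls_wolfssl.h; if those headers do not include esp_tls_private.h, a forward declaration `struct esp_tls_server_params;` is sufficient for a pointer parameter. The body of esp_create_mbedtls_handle continues beyond this hunk.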
@@ -116,16 +118,16 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const goto exit; } } else if (tls->role == ESP_TLS_SERVER) { -#ifdef CONFIG_ESP_TLS_SERVER - esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls); + if (server_params == NULL) { + /* Server params cannot be NULL when TLS role is server */ + return ESP_ERR_INVALID_ARG; + } + esp_tls_server_params_t *input_server_params = server_params; + esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls); if (esp_ret != 0) { ESP_LOGE(TAG, "Failed to set server configurations, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); goto exit; } -#else - ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in Kconfig"); - goto exit; -#endif } if ((ret = mbedtls_ctr_drbg_seed(&tls->ctr_drbg, @@ -353,10 +355,6 @@ void esp_mbedtls_cleanup(esp_tls_t *tls) mbedtls_x509_crt_free(tls->cacert_ptr); } tls->cacert_ptr = NULL; -#ifdef CONFIG_ESP_TLS_SERVER - mbedtls_x509_crt_free(&tls->servercert); - mbedtls_pk_free(&tls->serverkey); -#endif mbedtls_x509_crt_free(&tls->cacert); mbedtls_x509_crt_free(&tls->clientcert); mbedtls_pk_free(&tls->clientkey); @@ -478,7 +476,6 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls) return ESP_OK; } -#ifdef CONFIG_ESP_TLS_SERVER #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime) { @@ -547,7 +544,7 @@ void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ct } #endif -esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) +static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) { assert(cfg != NULL); assert(tls != NULL); 
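Review bot: The new `return ESP_ERR_INVALID_ARG;` in the server branch of esp_create_mbedtls_handle leaves the function without passing through `exit:`, while the failure path a few lines below in the same branch uses `goto exit`; if `exit:` is where the contexts initialised earlier in this function are released (that part of the function lies outside the hunk), a server session created without params leaks them and is left half-initialised. Setting the error and taking the common path keeps a single cleanup route: `esp_ret = ESP_ERR_INVALID_ARG; goto exit;`. The enclosing function starts and ends outside this hunk.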
@@ -679,7 +676,6 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) return ESP_OK; } -#endif /* ! CONFIG_ESP_TLS_SERVER */ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls) { @@ -903,7 +899,6 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t return ESP_OK; } -#ifdef CONFIG_ESP_TLS_SERVER /** * @brief Create TLS/SSL server session */ @@ -914,7 +909,9 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp } tls->role = ESP_TLS_SERVER; tls->sockfd = sockfd; - esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls); + esp_tls_server_params_t server_params = {}; + server_params.set_server_cfg = &set_server_config; + esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls, &server_params); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "create_ssl_handle failed, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret); @@ -946,7 +943,6 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls) free(tls); } }; -#endif /* ! CONFIG_ESP_TLS_SERVER */ esp_err_t esp_mbedtls_init_global_ca_store(void) { diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c index 9c4f1771a9..733b097429 100644 --- a/components/esp-tls/esp_tls_wolfssl.c +++ b/components/esp-tls/esp_tls_wolfssl.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
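Review bot: In esp_mbedtls_server_session_create the params struct is zeroed with the empty initializer `{}` and then filled field by field; `{}` as an initializer is a GNU extension before C23, and a designated initializer says the same thing in one standard line: `esp_tls_server_params_t server_params = { .set_server_cfg = set_server_config };`. The same pattern appears in esp_wolfssl_server_session_create. The function's body continues outside the hunk.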
@@ -44,9 +44,7 @@ static uint8_t psk_key_array[PSK_MAX_KEY_LEN]; static uint8_t psk_key_max_len = 0; #endif /* CONFIG_ESP_TLS_PSK_VERIFICATION */ -#ifdef CONFIG_ESP_TLS_SERVER static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls); -#endif /* CONFIG_ESP_TLS_SERVER */ /* This function shall return the error message when appropriate log level has been set otherwise this function shall do nothing */ @@ -124,7 +122,7 @@ void *esp_wolfssl_get_ssl_context(esp_tls_t *tls) return (void*)tls->priv_ssl; } -esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) +esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params) { #ifdef CONFIG_ESP_DEBUG_WOLFSSL wolfSSL_Debugging_ON(); @@ -152,16 +150,11 @@ esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const goto exit; } } else if (tls->role == ESP_TLS_SERVER) { -#ifdef CONFIG_ESP_TLS_SERVER esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to set server configurations, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); goto exit; } -#else - ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in menuconfig"); - goto exit; -#endif } else { ESP_LOGE(TAG, "tls->role is not valid"); @@ -321,7 +314,6 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls return ESP_OK; } -#ifdef CONFIG_ESP_TLS_SERVER static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) { int ret = WOLFSSL_FAILURE; @@ -378,7 +370,6 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd); return ESP_OK; } -#endif int esp_wolfssl_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg) { 
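Review bot: esp_create_wolfssl_handle gains the `server_params` parameter but never reads it: the server branch still calls the file-local set_server_config directly, so the esp_tls_server_params_t that esp_wolfssl_server_session_create builds and passes in is dead, and the two backends now disagree on what a NULL means for a server-role handle (mbedtls rejects it with ESP_ERR_INVALID_ARG, wolfssl proceeds). Either dispatch through the struct as the mbedtls backend does, with the same NULL guard routed through `exit:`, or drop the argument from the wolfssl path and mark the parameter unused so the intent is explicit. The function's body continues outside the hunk.
```c
    } else if (tls->role == ESP_TLS_SERVER) {
        if (server_params == NULL) {
            /* Server params cannot be NULL when TLS role is server */
            esp_ret = ESP_ERR_INVALID_ARG;
            goto exit;
        }
        esp_tls_server_params_t *input_server_params = server_params;
        esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls);
        // … unchanged: error log and goto exit on failure …
```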
@@ -486,7 +477,6 @@ void esp_wolfssl_cleanup(esp_tls_t *tls) wolfSSL_Cleanup(); } -#ifdef CONFIG_ESP_TLS_SERVER /** * @brief Create TLS/SSL server session */ @@ -497,7 +487,9 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp } tls->role = ESP_TLS_SERVER; tls->sockfd = sockfd; - esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls); + esp_tls_server_params_t server_params = {}; + server_params.set_server_cfg = &set_server_config; + esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls, &server_params); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "create_ssl_handle failed, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret); @@ -531,7 +523,6 @@ void esp_wolfssl_server_session_delete(esp_tls_t *tls) free(tls); } } -#endif /* CONFIG_ESP_TLS_SERVER */ esp_err_t esp_wolfssl_init_global_ca_store(void) { diff --git a/components/esp-tls/private_include/esp_tls_mbedtls.h b/components/esp-tls/private_include/esp_tls_mbedtls.h index 5526bba98c..6bb1071ab0 100644 --- a/components/esp-tls/private_include/esp_tls_mbedtls.h +++ b/components/esp-tls/private_include/esp_tls_mbedtls.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -46,7 +46,7 @@ ssize_t esp_mbedtls_get_bytes_avail(esp_tls_t *tls); /** * Internal Callback for creating ssl handle for mbedtls */ -esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls); +esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void* server_params); /** * mbedTLS function for Initializing socket wrappers 
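Review bot: The prototype comment on esp_create_mbedtls_handle still reads "Internal Callback for creating ssl handle for mbedtls" and says nothing about the new `server_params` argument, whose contract is only discoverable from the .c file. Extend the comment with `@param server_params pointer to esp_tls_server_params_t; must be non-NULL when tls->role == ESP_TLS_SERVER, pass NULL for client handles`. The declaration also writes `void* server_params` where the adjacent parameters attach the star to the name.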
@@ -61,13 +61,6 @@ static inline void esp_mbedtls_net_init(esp_tls_t *tls) */ void *esp_mbedtls_get_ssl_context(esp_tls_t *tls); -#ifdef CONFIG_ESP_TLS_SERVER -/** - * Internal Callback for set_server_config - * - * /note :- can only be used with mbedtls ssl library - */ -esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls); /** * Internal Callback for mbedtls_server_session_create @@ -98,7 +91,6 @@ esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_tick */ void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg); #endif -#endif /** * Internal Callback for set_client_config_function diff --git a/components/esp-tls/private_include/esp_tls_private.h b/components/esp-tls/private_include/esp_tls_private.h index dcbb42070e..4341557aaf 100644 --- a/components/esp-tls/private_include/esp_tls_private.h +++ b/components/esp-tls/private_include/esp_tls_private.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
@@ -53,21 +53,21 @@ struct esp_tls { mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */ mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */ - + union { mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */ + mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */ + }; + union { mbedtls_pk_context clientkey; /*!< Container for the private key of the client certificate */ + mbedtls_pk_context serverkey; /*!< Container for the private key of the server + certificate */ + }; #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN bool use_ecdsa_peripheral; /*!< Use the ECDSA peripheral for the private key operations. */ uint8_t ecdsa_efuse_blk; /*!< The efuse block number where the ECDSA key is stored. */ #endif -#ifdef CONFIG_ESP_TLS_SERVER - mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */ - - mbedtls_pk_context serverkey; /*!< Container for the private key of the server - certificate */ -#endif #elif CONFIG_ESP_TLS_USING_WOLFSSL void *priv_ctx; void *priv_ssl; @@ -95,3 +95,11 @@ struct esp_tls { esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */ }; + +// Function pointer for the server configuration API +typedef esp_err_t (*set_server_config_func_ptr) (esp_tls_cfg_server_t *cfg, esp_tls_t *tls); + +// This struct contains any data that is only specific to the server session and not required by the client. +typedef struct esp_tls_server_params { + set_server_config_func_ptr set_server_cfg; +} esp_tls_server_params_t; diff --git a/components/esp-tls/private_include/esp_tls_wolfssl.h b/components/esp-tls/private_include/esp_tls_wolfssl.h index 32c9a42917..121c13477f 100644 --- a/components/esp-tls/private_include/esp_tls_wolfssl.h +++ b/components/esp-tls/private_include/esp_tls_wolfssl.h 
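Review bot: The anonymous unions make servercert alias clientcert and serverkey alias clientkey, and the commit depends on that aliasing in esp_mbedtls_cleanup, which now frees only the client members; nothing at the definition says the overlap is deliberate, so a later change that initialises or frees both members of a pair would silently operate twice on the same certificate or key context. Add a comment on each union, e.g. `/* Shared storage: a session has exactly one role, and esp_mbedtls_cleanup() frees the client member, which covers the server member too. */`. The struct esp_tls definition starts before this hunk.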
@@ -11,7 +11,7 @@ /** * Internal Callback for creating ssl handle for wolfssl */ -int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls); +int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params); /** * Internal Callback for wolfssl_handshake @@ -76,7 +76,6 @@ static inline void esp_wolfssl_net_init(esp_tls_t *tls) { } -#ifdef CONFIG_ESP_TLS_SERVER /** * Function to Create ESP-TLS Server session with wolfssl Stack @@ -87,5 +86,3 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp * Delete Server Session */ void esp_wolfssl_server_session_delete(esp_tls_t *tls); - -#endif diff --git a/components/esp-tls/test_apps/main/test_esp_tls.c b/components/esp-tls/test_apps/main/test_esp_tls.c index e245fc7e8b..f91c279a11 100644 --- a/components/esp-tls/test_apps/main/test_esp_tls.c +++ b/components/esp-tls/test_apps/main/test_esp_tls.c @@ -76,7 +76,6 @@ TEST_CASE("esp-tls global_ca_store set free", "[esp-tls]") esp_tls_free_global_ca_store(); } -#ifdef CONFIG_ESP_TLS_SERVER TEST_CASE("esp_tls_server session create delete", "[esp-tls]") { struct esp_tls *tls = esp_tls_init(); @@ -95,4 +94,3 @@ TEST_CASE("esp_tls_server session create delete", "[esp-tls]") esp_tls_server_session_delete(tls); } -#endif diff --git a/components/esp-tls/test_apps/sdkconfig.defaults b/components/esp-tls/test_apps/sdkconfig.defaults index 60afb44a2e..e8191f02df 100644 --- a/components/esp-tls/test_apps/sdkconfig.defaults +++ b/components/esp-tls/test_apps/sdkconfig.defaults @@ -5,6 +5,4 @@ CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK=y CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y CONFIG_COMPILER_STACK_CHECK=y - CONFIG_ESP_TASK_WDT_EN=n -CONFIG_ESP_TLS_SERVER=y
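Review bot: The updated prototype declares esp_create_wolfssl_handle as returning `int`, while the definition in esp_tls_wolfssl.c, rewritten in the same commit, returns `esp_err_t`; the mismatch predates this change, but since both lines are being touched it is the moment to align them: `esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params);`. esp_err_t is a typedef of int in ESP-IDF, so the compiler accepts the current pair, but the prototype misstates the contract to readers of the header.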