forked from espressif/esp-idf
feat(esp_tls): Add support for PSK authentication on server side
This commit is contained in:
David Cermak
@@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
|
* SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*/
|
*/
|
||||||
@@ -322,6 +322,12 @@ typedef struct esp_tls_cfg_server {
|
|||||||
TLS extensions, such as ALPN and server_certificate_type . */
|
TLS extensions, such as ALPN and server_certificate_type . */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
|
||||||
|
const psk_hint_key_t* psk_hint_key; /*!< Pointer to PSK hint and key. if not NULL (and the certificate/key is NULL)
|
||||||
|
then PSK authentication is enabled with configured setup.
|
||||||
|
Important note: the pointer must be valid for connection */
|
||||||
|
#endif
|
||||||
|
|
||||||
} esp_tls_cfg_server_t;
|
} esp_tls_cfg_server_t;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -464,7 +470,7 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t
|
|||||||
* - >=0 if write operation was successful, the return value is the number
|
* - >=0 if write operation was successful, the return value is the number
|
||||||
* of bytes actually written to the TLS/SSL connection.
|
* of bytes actually written to the TLS/SSL connection.
|
||||||
* - <0 if write operation was not successful, because either an
|
* - <0 if write operation was not successful, because either an
|
||||||
* error occured or an action must be taken by the calling process.
|
* error occurred or an action must be taken by the calling process.
|
||||||
* - ESP_TLS_ERR_SSL_WANT_READ/
|
* - ESP_TLS_ERR_SSL_WANT_READ/
|
||||||
* ESP_TLS_ERR_SSL_WANT_WRITE.
|
* ESP_TLS_ERR_SSL_WANT_WRITE.
|
||||||
* if the handshake is incomplete and waiting for data to be available for reading.
|
* if the handshake is incomplete and waiting for data to be available for reading.
|
||||||
@@ -485,7 +491,7 @@ ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen);
|
|||||||
* - 0 if read operation was not successful. The underlying
|
* - 0 if read operation was not successful. The underlying
|
||||||
* connection was closed.
|
* connection was closed.
|
||||||
* - <0 if read operation was not successful, because either an
|
* - <0 if read operation was not successful, because either an
|
||||||
* error occured or an action must be taken by the calling process.
|
* error occurred or an action must be taken by the calling process.
|
||||||
*/
|
*/
|
||||||
ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen);
|
ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen);
|
||||||
|
|
||||||
@@ -586,7 +592,7 @@ void *esp_tls_get_ssl_context(esp_tls_t *tls);
|
|||||||
*
|
*
|
||||||
* @return
|
* @return
|
||||||
* - ESP_OK if creating global CA store was successful.
|
* - ESP_OK if creating global CA store was successful.
|
||||||
* - ESP_ERR_NO_MEM if an error occured when allocating the mbedTLS resources.
|
* - ESP_ERR_NO_MEM if an error occurred when allocating the mbedTLS resources.
|
||||||
*/
|
*/
|
||||||
esp_err_t esp_tls_init_global_ca_store(void);
|
esp_err_t esp_tls_init_global_ca_store(void);
|
||||||
|
|
||||||
@@ -605,7 +611,7 @@ esp_err_t esp_tls_init_global_ca_store(void);
|
|||||||
*
|
*
|
||||||
* @return
|
* @return
|
||||||
* - ESP_OK if adding certificates was successful.
|
* - ESP_OK if adding certificates was successful.
|
||||||
* - Other if an error occured or an action must be taken by the calling process.
|
* - Other if an error occurred or an action must be taken by the calling process.
|
||||||
*/
|
*/
|
||||||
esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);
|
esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);
|
||||||
|
|
||||||
|
|||||||
@@ -659,6 +659,18 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
|
|||||||
ESP_LOGE(TAG, "Failed to set server pki context");
|
ESP_LOGE(TAG, "Failed to set server pki context");
|
||||||
return esp_ret;
|
return esp_ret;
|
||||||
}
|
}
|
||||||
|
#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
|
||||||
|
} else if (cfg->psk_hint_key) {
|
||||||
|
ESP_LOGD(TAG, "PSK authentication");
|
||||||
|
ret = mbedtls_ssl_conf_psk(&tls->conf, cfg->psk_hint_key->key, cfg->psk_hint_key->key_size,
|
||||||
|
(const unsigned char *)cfg->psk_hint_key->hint, strlen(cfg->psk_hint_key->hint));
|
||||||
|
if (ret != 0) {
|
||||||
|
ESP_LOGE(TAG, "mbedtls_ssl_conf_psk returned -0x%04X", -ret);
|
||||||
|
mbedtls_print_error_msg(ret);
|
||||||
|
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
|
||||||
|
return ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
} else {
|
} else {
|
||||||
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
|
#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
|
||||||
if (cfg->cert_select_cb == NULL) {
|
if (cfg->cert_select_cb == NULL) {
|
||||||
@@ -789,7 +801,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
|
|||||||
#endif
|
#endif
|
||||||
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
|
#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
|
||||||
} else if (cfg->client_session != NULL) {
|
} else if (cfg->client_session != NULL) {
|
||||||
ESP_LOGD(TAG, "Resuing the saved client session");
|
ESP_LOGD(TAG, "Resuming the saved client session");
|
||||||
#endif
|
#endif
|
||||||
} else {
|
} else {
|
||||||
#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
|
#ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
|
||||||
|
|||||||
Reference in New Issue
Block a user