forked from espressif/esp-idf
Merge branch 'bugfix/fix_custom_certificate_test_case' into 'master'
mbedtls: fix custom certificate bundle test case See merge request espressif/esp-idf!19758
This commit is contained in:
Mahavir Jain
@@ -29,6 +29,7 @@
|
|||||||
|
|
||||||
#include "unity.h"
|
#include "unity.h"
|
||||||
#include "test_utils.h"
|
#include "test_utils.h"
|
||||||
|
#include "unity_test_utils.h"
|
||||||
|
|
||||||
#define SERVER_ADDRESS "localhost"
|
#define SERVER_ADDRESS "localhost"
|
||||||
#define SERVER_PORT "4433"
|
#define SERVER_PORT "4433"
|
||||||
@@ -51,6 +52,7 @@ extern const uint8_t wrong_sig_crt_pem_end[] asm("_binary_wrong_sig_crt_esp32_
|
|||||||
extern const uint8_t correct_sig_crt_pem_start[] asm("_binary_correct_sig_crt_esp32_com_pem_start");
|
extern const uint8_t correct_sig_crt_pem_start[] asm("_binary_correct_sig_crt_esp32_com_pem_start");
|
||||||
extern const uint8_t correct_sig_crt_pem_end[] asm("_binary_correct_sig_crt_esp32_com_pem_end");
|
extern const uint8_t correct_sig_crt_pem_end[] asm("_binary_correct_sig_crt_esp32_com_pem_end");
|
||||||
|
|
||||||
|
#define SEM_TIMEOUT 10000
|
||||||
typedef struct {
|
typedef struct {
|
||||||
mbedtls_ssl_context ssl;
|
mbedtls_ssl_context ssl;
|
||||||
mbedtls_net_context listen_fd;
|
mbedtls_net_context listen_fd;
|
||||||
@@ -187,7 +189,7 @@ void server_task(void *pvParameters)
|
|||||||
exit:
|
exit:
|
||||||
endpoint_teardown(&server);
|
endpoint_teardown(&server);
|
||||||
xSemaphoreGive(*sema);
|
xSemaphoreGive(*sema);
|
||||||
vTaskDelete(NULL);
|
vTaskSuspend(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -250,25 +252,58 @@ esp_err_t client_setup(mbedtls_endpoint_t *client)
|
|||||||
return ESP_OK;
|
return ESP_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
int client_task(const uint8_t *bundle, size_t bundle_size, esp_crt_validate_res_t *res)
|
void client_task(void *pvParameters)
|
||||||
{
|
{
|
||||||
|
SemaphoreHandle_t *client_signal_sem = (SemaphoreHandle_t *) pvParameters;
|
||||||
int ret = ESP_FAIL;
|
int ret = ESP_FAIL;
|
||||||
|
|
||||||
mbedtls_endpoint_t client;
|
mbedtls_endpoint_t client;
|
||||||
|
esp_crt_validate_res_t res = ESP_CRT_VALIDATE_UNKNOWN;
|
||||||
*res = ESP_CRT_VALIDATE_UNKNOWN;
|
|
||||||
|
|
||||||
if (client_setup(&client) != ESP_OK) {
|
if (client_setup(&client) != ESP_OK) {
|
||||||
ESP_LOGE(TAG, "SSL client setup failed");
|
ESP_LOGE(TAG, "SSL client setup failed");
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
esp_crt_bundle_attach(&client.conf);
|
/* Test with default crt bundle that doesnt contain the ca crt */
|
||||||
if (bundle) {
|
ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
|
||||||
/* Set a bundle different from the menuconfig bundle */
|
if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
|
||||||
esp_crt_bundle_set(bundle, bundle_size);
|
ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret);
|
||||||
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ESP_LOGI(TAG, "Connected.");
|
||||||
|
mbedtls_ssl_set_bio(&client.ssl, &client.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
|
||||||
|
|
||||||
|
ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle that is missing the server root certificate");
|
||||||
|
while ( ( ret = mbedtls_ssl_handshake( &client.ssl ) ) != 0 ) {
|
||||||
|
if ( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) {
|
||||||
|
printf( "mbedtls_ssl_handshake failed with -0x%x\n", -ret );
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
|
||||||
|
ret = mbedtls_ssl_get_verify_result(&client.ssl);
|
||||||
|
|
||||||
|
res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
|
||||||
|
|
||||||
|
if (res == ESP_CRT_VALIDATE_OK) {
|
||||||
|
ESP_LOGI(TAG, "Certificate verification passed!");
|
||||||
|
} else {
|
||||||
|
ESP_LOGE(TAG, "Certificate verification failed!");
|
||||||
|
}
|
||||||
|
TEST_ASSERT(res == ESP_CRT_VALIDATE_FAIL);
|
||||||
|
|
||||||
|
// Reset session before new connection
|
||||||
|
mbedtls_ssl_close_notify(&client.ssl);
|
||||||
|
mbedtls_ssl_session_reset(&client.ssl);
|
||||||
|
mbedtls_net_free( &client.client_fd);
|
||||||
|
|
||||||
|
/* Test with bundle that does contain the CA crt */
|
||||||
|
esp_crt_bundle_attach(&client.conf);
|
||||||
|
esp_crt_bundle_set(server_cert_bundle_start, server_cert_bundle_end - server_cert_bundle_start);
|
||||||
|
|
||||||
ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
|
ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
|
||||||
if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
|
if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
|
||||||
ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret);
|
ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret);
|
||||||
@@ -289,14 +324,14 @@ int client_task(const uint8_t *bundle, size_t bundle_size, esp_crt_validate_res_
|
|||||||
ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
|
ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
|
||||||
ret = mbedtls_ssl_get_verify_result(&client.ssl);
|
ret = mbedtls_ssl_get_verify_result(&client.ssl);
|
||||||
|
|
||||||
*res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
|
res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
|
||||||
|
|
||||||
if (*res == ESP_CRT_VALIDATE_OK) {
|
if (res == ESP_CRT_VALIDATE_OK) {
|
||||||
ESP_LOGI(TAG, "Certificate verification passed!");
|
ESP_LOGI(TAG, "Certificate verification passed!");
|
||||||
} else {
|
} else {
|
||||||
ESP_LOGE(TAG, "Certificate verification failed!");
|
ESP_LOGE(TAG, "Certificate verification failed!");
|
||||||
}
|
}
|
||||||
|
TEST_ASSERT(res == ESP_CRT_VALIDATE_OK);
|
||||||
|
|
||||||
// Reset session before new connection
|
// Reset session before new connection
|
||||||
mbedtls_ssl_close_notify(&client.ssl);
|
mbedtls_ssl_close_notify(&client.ssl);
|
||||||
@@ -309,42 +344,45 @@ exit:
|
|||||||
mbedtls_ssl_session_reset(&client.ssl);
|
mbedtls_ssl_session_reset(&client.ssl);
|
||||||
esp_crt_bundle_detach(&client.conf);
|
esp_crt_bundle_detach(&client.conf);
|
||||||
endpoint_teardown(&client);
|
endpoint_teardown(&client);
|
||||||
|
xSemaphoreGive(*client_signal_sem);
|
||||||
return ret;
|
vTaskSuspend(NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
TEST_CASE("custom certificate bundle", "[mbedtls]")
|
TEST_CASE("custom certificate bundle", "[mbedtls]")
|
||||||
{
|
{
|
||||||
esp_crt_validate_res_t validate_res;
|
|
||||||
|
|
||||||
test_case_uses_tcpip();
|
test_case_uses_tcpip();
|
||||||
|
|
||||||
SemaphoreHandle_t signal_sem = xSemaphoreCreateBinary();
|
SemaphoreHandle_t signal_sem = xSemaphoreCreateBinary();
|
||||||
TEST_ASSERT_NOT_NULL(signal_sem);
|
TEST_ASSERT_NOT_NULL(signal_sem);
|
||||||
|
|
||||||
exit_flag = false;
|
exit_flag = false;
|
||||||
xTaskCreate(server_task, "server task", 8192, &signal_sem, 10, NULL);
|
TaskHandle_t server_task_handle;
|
||||||
|
xTaskCreate(server_task, "server task", 8192, &signal_sem, 10, &server_task_handle);
|
||||||
|
|
||||||
// Wait for the server to start up
|
// Wait for the server to start up
|
||||||
if (!xSemaphoreTake(signal_sem, 10000 / portTICK_PERIOD_MS)) {
|
if (!xSemaphoreTake(signal_sem, SEM_TIMEOUT / portTICK_PERIOD_MS)) {
|
||||||
TEST_FAIL_MESSAGE("signal_sem not released, server start failed");
|
TEST_FAIL_MESSAGE("signal_sem not released, server start failed");
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Test with default crt bundle that doesnt contain the ca crt */
|
SemaphoreHandle_t client_signal_sem = xSemaphoreCreateBinary();
|
||||||
client_task(NULL, 0, &validate_res);
|
TEST_ASSERT_NOT_NULL(client_signal_sem);
|
||||||
TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_FAIL);
|
|
||||||
|
|
||||||
/* Test with bundle that does contain the CA crt */
|
TaskHandle_t client_task_handle;
|
||||||
client_task(server_cert_bundle_start, server_cert_bundle_end - server_cert_bundle_start, &validate_res);
|
xTaskCreate(client_task, "client task", 8192, &client_signal_sem, 10, &client_task_handle);
|
||||||
TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_OK);
|
|
||||||
|
if (!xSemaphoreTake(client_signal_sem, SEM_TIMEOUT / portTICK_PERIOD_MS)) {
|
||||||
|
TEST_FAIL_MESSAGE("client_signal_sem not released, client exit failed");
|
||||||
|
}
|
||||||
|
unity_utils_task_delete(client_task_handle);
|
||||||
|
|
||||||
exit_flag = true;
|
exit_flag = true;
|
||||||
|
|
||||||
if (!xSemaphoreTake(signal_sem, 10000 / portTICK_PERIOD_MS)) {
|
if (!xSemaphoreTake(signal_sem, SEM_TIMEOUT / portTICK_PERIOD_MS)) {
|
||||||
TEST_FAIL_MESSAGE("signal_sem not released, server exit failed");
|
TEST_FAIL_MESSAGE("signal_sem not released, server exit failed");
|
||||||
}
|
}
|
||||||
|
unity_utils_task_delete(server_task_handle);
|
||||||
|
vSemaphoreDelete(client_signal_sem);
|
||||||
vSemaphoreDelete(signal_sem);
|
vSemaphoreDelete(signal_sem);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user