diff --git a/components/esp-tls/CMakeLists.txt b/components/esp-tls/CMakeLists.txt index 1cdd1e5b69..561144e70e 100644 --- a/components/esp-tls/CMakeLists.txt +++ b/components/esp-tls/CMakeLists.txt @@ -12,10 +12,10 @@ endif() idf_component_register(SRCS "${srcs}" INCLUDE_DIRS . esp-tls-crypto PRIV_INCLUDE_DIRS "private_include" - # lwip and mbedtls are public requirements becasue esp_tls.h - # includes sys/socket.h and mbedtls header files. - REQUIRES mbedtls lwip - PRIV_REQUIRES http_parser) + # mbedtls is public requirements becasue esp_tls.h + # includes mbedtls header files. + REQUIRES mbedtls + PRIV_REQUIRES lwip http_parser) if(CONFIG_ESP_TLS_USING_WOLFSSL) idf_component_get_property(wolfssl esp-wolfssl COMPONENT_LIB) diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c index 386ecb0883..c3f025e91b 100644 --- a/components/esp-tls/esp_tls.c +++ b/components/esp-tls/esp_tls.c @@ -14,6 +14,7 @@ #include #include "esp_tls.h" +#include "esp_tls_private.h" #include "esp_tls_error_capture_internal.h" #include static const char *TAG = "esp-tls"; @@ -39,6 +40,7 @@ static const char *TAG = "esp-tls"; #define _esp_tls_conn_delete esp_mbedtls_conn_delete #define _esp_tls_net_init esp_mbedtls_net_init #define _esp_tls_get_client_session esp_mbedtls_get_client_session +#define _esp_tls_get_ssl_context esp_mbedtls_get_ssl_context #ifdef CONFIG_ESP_TLS_SERVER #define _esp_tls_server_session_create esp_mbedtls_server_session_create #define _esp_tls_server_session_delete esp_mbedtls_server_session_delete @@ -65,6 +67,7 @@ static const char *TAG = "esp-tls"; #define _esp_tls_init_global_ca_store esp_wolfssl_init_global_ca_store #define _esp_tls_set_global_ca_store esp_wolfssl_set_global_ca_store /*!< Callback function for setting global CA store data for TLS/SSL */ #define _esp_tls_free_global_ca_store esp_wolfssl_free_global_ca_store /*!< Callback function for freeing global ca store for TLS/SSL */ +#define _esp_tls_get_ssl_context esp_wolfssl_get_ssl_context #else /* ESP_TLS_USING_WOLFSSL */ #error "No TLS stack configured" #endif @@ -89,6 +92,18 @@ static ssize_t tcp_write(esp_tls_t *tls, const char *data, size_t datalen) return send(tls->sockfd, data, datalen, 0); } +ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen) +{ + return tls->read(tls, (char *)data, datalen); + +} + +ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen) +{ + return tls->write(tls, (char *)data, datalen); + +} + /** * @brief Close the TLS connection and free any allocated resources. */ @@ -603,6 +618,11 @@ ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls) return _esp_tls_get_bytes_avail(tls); } +void *esp_tls_get_ssl_context(esp_tls_t *tls) +{ + return _esp_tls_get_ssl_context(tls); +} + esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd) { if (!tls || !sockfd) { @@ -629,6 +649,16 @@ esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *esp_tl return last_err; } +esp_err_t esp_tls_get_error_handle(esp_tls_t *tls, esp_tls_error_handle_t *error_handle) +{ + if (!tls || !error_handle) { + return ESP_ERR_INVALID_ARG; + } + + *error_handle = tls->error_handle; + return ESP_OK; +} + esp_err_t esp_tls_init_global_ca_store(void) { return _esp_tls_init_global_ca_store(); diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index a4bbf8e2f2..d46e733782 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -7,18 +7,11 @@ #define _ESP_TLS_H_ #include -#include -#include #include "esp_err.h" #include "esp_tls_errors.h" +#include "sdkconfig.h" #ifdef CONFIG_ESP_TLS_USING_MBEDTLS -#include "mbedtls/platform.h" -#include "mbedtls/net_sockets.h" -#include "mbedtls/esp_debug.h" #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/error.h" #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS #include "mbedtls/ssl_ticket.h" #endif @@ -27,6 +20,7 @@ #include "wolfssl/ssl.h" #endif + #ifdef __cplusplus extern "C" { #endif @@ -290,66 +284,7 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg); void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg); #endif /* ! CONFIG_ESP_TLS_SERVER */ -/** - * @brief ESP-TLS Connection Handle - */ -typedef struct esp_tls { -#ifdef CONFIG_ESP_TLS_USING_MBEDTLS - mbedtls_ssl_context ssl; /*!< TLS/SSL context */ - - mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */ - - mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure. - CTR_DRBG is deterministic random - bit generation based on AES-256 */ - - mbedtls_ssl_config conf; /*!< TLS/SSL configuration to be shared - between mbedtls_ssl_context - structures */ - - mbedtls_net_context server_fd; /*!< mbedTLS wrapper type for sockets */ - - mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */ - - mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */ - - mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */ - - mbedtls_pk_context clientkey; /*!< Container for the private key of the client - certificate */ -#ifdef CONFIG_ESP_TLS_SERVER - mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */ - - mbedtls_pk_context serverkey; /*!< Container for the private key of the server - certificate */ -#endif -#elif CONFIG_ESP_TLS_USING_WOLFSSL - void *priv_ctx; - void *priv_ssl; -#endif - int sockfd; /*!< Underlying socket file descriptor. */ - - ssize_t (*read)(struct esp_tls *tls, char *data, size_t datalen); /*!< Callback function for reading data from TLS/SSL - connection. */ - - ssize_t (*write)(struct esp_tls *tls, const char *data, size_t datalen); /*!< Callback function for writing data to TLS/SSL - connection. */ - - esp_tls_conn_state_t conn_state; /*!< ESP-TLS Connection state */ - - fd_set rset; /*!< read file descriptors */ - - fd_set wset; /*!< write file descriptors */ - - bool is_tls; /*!< indicates connection type (TLS or NON-TLS) */ - - esp_tls_role_t role; /*!< esp-tls role - - ESP_TLS_CLIENT - - ESP_TLS_SERVER */ - - esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */ - -} esp_tls_t; +typedef struct esp_tls esp_tls_t; /** * @brief Create TLS connection @@ -470,10 +405,7 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t * if the handshake is incomplete and waiting for data to be available for reading. * In this case this functions needs to be called again when the underlying transport is ready for operation. */ -static inline ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen) -{ - return tls->write(tls, (char *)data, datalen); -} +ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen); /** * @brief Read from specified tls connection into the buffer 'data'. @@ -490,10 +422,7 @@ static inline ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_ * - <0 if read operation was not successful, because either an * error occured or an action must be taken by the calling process. */ -static inline ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen) -{ - return tls->read(tls, (char *)data, datalen); -} +ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen); /** * @brief Close the TLS/SSL connection and free any allocated resources. @@ -536,6 +465,17 @@ ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls); */ esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd); +/** + * @brief Returns the ssl context + * + * @param[in] tls handle to esp_tls context + * + * + * @return - ssl_ctx pointer to ssl context of underlying TLS layer on success + * - NULL in case of error + */ +void *esp_tls_get_ssl_context(esp_tls_t *tls); + /** * @brief Create a global CA store, initially empty. * @@ -607,6 +547,20 @@ esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *esp_tl */ esp_err_t esp_tls_get_and_clear_error_type(esp_tls_error_handle_t h, esp_tls_error_type_t err_type, int *error_code); +/** + * @brief Returns the ESP-TLS error_handle + * + * @param[in] tls handle to esp_tls context + * + * @param[out] error_handle pointer to the error handle. + * + * @return + * - ESP_OK on success and error_handle will be updated with the ESP-TLS error handle. + * + * - ESP_ERR_INVALID_ARG if (tls == NULL || error_handle == NULL) + */ +esp_err_t esp_tls_get_error_handle(esp_tls_t *tls, esp_tls_error_handle_t *error_handle); + #if CONFIG_ESP_TLS_USING_MBEDTLS /** * @brief Get the pointer to the global CA store currently being used. diff --git a/components/esp-tls/esp_tls_errors.h b/components/esp-tls/esp_tls_errors.h index ad104895aa..d87adeb43b 100644 --- a/components/esp-tls/esp_tls_errors.h +++ b/components/esp-tls/esp_tls_errors.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2021-22 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -8,6 +8,10 @@ #define _ESP_TLS_ERRORS_H_ #include "esp_err.h" +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS +#include "mbedtls/error.h" +#endif +/* For wolfSSL, errors are included through ssl.h which is included by default by esp_tls.h */ #ifdef __cplusplus extern "C" { diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index 37a1ca8c48..c870f85f25 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -14,9 +14,11 @@ #include #include "esp_tls_mbedtls.h" +#include "esp_tls_private.h" #include "esp_tls_error_capture_internal.h" #include #include "esp_log.h" +#include "esp_check.h" #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE #include "esp_crt_bundle.h" @@ -139,6 +141,15 @@ exit: } +void *esp_mbedtls_get_ssl_context(esp_tls_t *tls) +{ + if (tls == NULL) { + ESP_LOGE(TAG, "Invalid arguments"); + return NULL; + } + return (void*)&tls->ssl; +} + #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls) { diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c index 6114c6e100..d4ce3c577f 100644 --- a/components/esp-tls/esp_tls_wolfssl.c +++ b/components/esp-tls/esp_tls_wolfssl.c @@ -115,6 +115,15 @@ static esp_err_t esp_load_wolfssl_verify_buffer(esp_tls_t *tls, const unsigned c } } +void *esp_wolfssl_get_ssl_context(esp_tls_t *tls) +{ + if (tls == NULL) { + ESP_LOGE(TAG, "Invalid arguments"); + return NULL; + } + return (void*)tls->priv_ssl; +} + esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) { #ifdef CONFIG_ESP_DEBUG_WOLFSSL diff --git a/components/esp-tls/private_include/esp_tls_mbedtls.h b/components/esp-tls/private_include/esp_tls_mbedtls.h index c1c5d4f328..da94f4b2a5 100644 --- a/components/esp-tls/private_include/esp_tls_mbedtls.h +++ b/components/esp-tls/private_include/esp_tls_mbedtls.h @@ -6,6 +6,7 @@ #pragma once #include "esp_tls.h" +#include "esp_tls_private.h" /** * Internal Callback API for mbedtls_ssl_read @@ -55,6 +56,11 @@ static inline void esp_mbedtls_net_init(esp_tls_t *tls) mbedtls_net_init(&tls->server_fd); } +/** + * Return ssl context for mbedTLS stack + */ +void *esp_mbedtls_get_ssl_context(esp_tls_t *tls); + #ifdef CONFIG_ESP_TLS_SERVER /** * Internal Callback for set_server_config diff --git a/components/esp-tls/private_include/esp_tls_private.h b/components/esp-tls/private_include/esp_tls_private.h new file mode 100644 index 0000000000..f071c9b0ff --- /dev/null +++ b/components/esp-tls/private_include/esp_tls_private.h @@ -0,0 +1,90 @@ +/* + * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#pragma once + +/** + * @brief ESP-TLS Connection Handle + */ + +#include +#include +#include +#include "esp_err.h" +#include "esp_tls_errors.h" +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS +#include "mbedtls/platform.h" +#include "mbedtls/net_sockets.h" +#include "mbedtls/esp_debug.h" +#include "mbedtls/ssl.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/error.h" +#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS +#include "mbedtls/ssl_ticket.h" +#endif +#elif CONFIG_ESP_TLS_USING_WOLFSSL +#include "wolfssl/wolfcrypt/settings.h" +#include "wolfssl/ssl.h" +#endif + +struct esp_tls { +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS + mbedtls_ssl_context ssl; /*!< TLS/SSL context */ + + mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */ + + mbedtls_ctr_drbg_context ctr_drbg; /*!< mbedTLS ctr drbg context structure. + CTR_DRBG is deterministic random + bit generation based on AES-256 */ + + mbedtls_ssl_config conf; /*!< TLS/SSL configuration to be shared + between mbedtls_ssl_context + structures */ + + mbedtls_net_context server_fd; /*!< mbedTLS wrapper type for sockets */ + + mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */ + + mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */ + + mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */ + + mbedtls_pk_context clientkey; /*!< Container for the private key of the client + certificate */ +#ifdef CONFIG_ESP_TLS_SERVER + mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */ + + mbedtls_pk_context serverkey; /*!< Container for the private key of the server + certificate */ +#endif +#elif CONFIG_ESP_TLS_USING_WOLFSSL + void *priv_ctx; + void *priv_ssl; +#endif + int sockfd; /*!< Underlying socket file descriptor. */ + + ssize_t (*read)(esp_tls_t *tls, char *data, size_t datalen); /*!< Callback function for reading data from TLS/SSL + connection. */ + + ssize_t (*write)(esp_tls_t *tls, const char *data, size_t datalen); /*!< Callback function for writing data to TLS/SSL + connection. */ + + esp_tls_conn_state_t conn_state; /*!< ESP-TLS Connection state */ + + fd_set rset; /*!< read file descriptors */ + + fd_set wset; /*!< write file descriptors */ + + bool is_tls; /*!< indicates connection type (TLS or NON-TLS) */ + + esp_tls_role_t role; /*!< esp-tls role + - ESP_TLS_CLIENT + - ESP_TLS_SERVER */ + + esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */ + +}; diff --git a/components/esp-tls/private_include/esp_tls_wolfssl.h b/components/esp-tls/private_include/esp_tls_wolfssl.h index a0c86730b7..32c9a42917 100644 --- a/components/esp-tls/private_include/esp_tls_wolfssl.h +++ b/components/esp-tls/private_include/esp_tls_wolfssl.h @@ -6,6 +6,7 @@ #pragma once #include "esp_tls.h" +#include "esp_tls_private.h" /** * Internal Callback for creating ssl handle for wolfssl @@ -63,6 +64,11 @@ void esp_wolfssl_free_global_ca_store(void); */ esp_err_t esp_wolfssl_init_global_ca_store(void); +/** + * Return ssl context for wolfSSL stack + */ +void *esp_wolfssl_get_ssl_context(esp_tls_t *tls); + /** * wolfSSL function for Initializing socket wrappers (no-operation for wolfSSL) */ diff --git a/components/esp-tls/test/test_esp_tls.c b/components/esp-tls/test/test_esp_tls.c index e40cd8f14e..f6a0b7aaab 100644 --- a/components/esp-tls/test/test_esp_tls.c +++ b/components/esp-tls/test/test_esp_tls.c @@ -10,6 +10,7 @@ #include "esp_err.h" #include "esp_log.h" #include "esp_mac.h" +#include "sys/socket.h" #if SOC_SHA_SUPPORT_PARALLEL_ENG #include "sha/sha_parallel_engine.h" #elif SOC_SHA_SUPPORT_DMA diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h index 63f0845161..d47bf205e6 100644 --- a/components/esp_https_server/include/esp_https_server.h +++ b/components/esp_https_server/include/esp_https_server.h @@ -36,7 +36,7 @@ typedef enum { */ typedef struct esp_https_server_user_cb_arg { httpd_ssl_user_cb_state_t user_cb_state; - const esp_tls_t *tls; + esp_tls_t *tls; } esp_https_server_user_cb_arg_t; /** diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c index 7121d8b0d9..50f581cae1 100644 --- a/components/esp_https_server/src/https_server.c +++ b/components/esp_https_server/src/https_server.c @@ -118,7 +118,7 @@ static esp_err_t httpd_ssl_open(httpd_handle_t server, int sockfd) httpd_ssl_ctx_t *global_ctx = httpd_get_global_transport_ctx(server); assert(global_ctx != NULL); - esp_tls_t *tls = (esp_tls_t *)calloc(1, sizeof(esp_tls_t)); + esp_tls_t *tls = esp_tls_init(); if (!tls) { return ESP_ERR_NO_MEM; } diff --git a/components/tcp_transport/private_include/esp_transport_internal.h b/components/tcp_transport/private_include/esp_transport_internal.h index 05e08b0283..616086e76d 100644 --- a/components/tcp_transport/private_include/esp_transport_internal.h +++ b/components/tcp_transport/private_include/esp_transport_internal.h @@ -1,23 +1,20 @@ -// Copyright 2020 Espressif Systems (Shanghai) PTE LTD -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at - -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* + * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ #ifndef _ESP_TRANSPORT_INTERNAL_H_ #define _ESP_TRANSPORT_INTERNAL_H_ #include "esp_transport.h" +#include "sys/socket.h" #include "sys/queue.h" +#ifdef __cplusplus +extern "C" { +#endif + typedef int (*get_socket_func)(esp_transport_handle_t t); typedef struct esp_foundation_transport { @@ -116,4 +113,8 @@ void esp_transport_esp_tls_destroy(struct transport_esp_tls* transport_esp_tls); */ void esp_transport_set_errors(esp_transport_handle_t t, const esp_tls_error_handle_t error_handle); +#ifdef __cplusplus +} +#endif + #endif //_ESP_TRANSPORT_INTERNAL_H_ diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c index 8a8b2905bb..5794263b03 100644 --- a/components/tcp_transport/transport_ssl.c +++ b/components/tcp_transport/transport_ssl.c @@ -76,7 +76,11 @@ static int esp_tls_connect_async(esp_transport_handle_t t, const char *host, int if (ssl->conn_state == TRANS_SSL_CONNECTING) { int progress = esp_tls_conn_new_async(host, strlen(host), port, &ssl->cfg, ssl->tls); if (progress >= 0) { - ssl->sockfd = ssl->tls->sockfd; + if (esp_tls_get_conn_sockfd(ssl->tls, &ssl->sockfd) != ESP_OK) { + ESP_LOGE(TAG, "Error in obtaining socket fd for the session"); + esp_tls_conn_destroy(ssl->tls); + return -1; + } } return progress; @@ -110,14 +114,23 @@ static int ssl_connect(esp_transport_handle_t t, const char *host, int port, int } if (esp_tls_conn_new_sync(host, strlen(host), port, &ssl->cfg, ssl->tls) <= 0) { ESP_LOGE(TAG, "Failed to open a new connection"); - esp_transport_set_errors(t, ssl->tls->error_handle); + esp_tls_error_handle_t esp_tls_error_handle; + esp_tls_get_error_handle(ssl->tls, &esp_tls_error_handle); + esp_transport_set_errors(t, esp_tls_error_handle); + goto exit_failure; + } + + if (esp_tls_get_conn_sockfd(ssl->tls, &ssl->sockfd) != ESP_OK) { + ESP_LOGE(TAG, "Error in obtaining socket fd for the session"); + goto exit_failure; + } + return 0; + +exit_failure: esp_tls_conn_destroy(ssl->tls); ssl->tls = NULL; ssl->sockfd = INVALID_SOCKET; return -1; - } - ssl->sockfd = ssl->tls->sockfd; - return 0; } static int tcp_connect(esp_transport_handle_t t, const char *host, int port, int timeout_ms) @@ -200,7 +213,12 @@ static int ssl_write(esp_transport_handle_t t, const char *buffer, int len, int int ret = esp_tls_conn_write(ssl->tls, (const unsigned char *) buffer, len); if (ret < 0) { ESP_LOGE(TAG, "esp_tls_conn_write error, errno=%s", strerror(errno)); - esp_transport_set_errors(t, ssl->tls->error_handle); + esp_tls_error_handle_t esp_tls_error_handle; + if (esp_tls_get_error_handle(ssl->tls, &esp_tls_error_handle) == ESP_OK) { + esp_transport_set_errors(t, esp_tls_error_handle); + } else { + ESP_LOGE(TAG, "Error in obtaining the error handle"); + } } return ret; } @@ -233,7 +251,12 @@ static int ssl_read(esp_transport_handle_t t, char *buffer, int len, int timeout int ret = esp_tls_conn_read(ssl->tls, (unsigned char *)buffer, len); if (ret < 0) { ESP_LOGE(TAG, "esp_tls_conn_read error, errno=%s", strerror(errno)); - esp_transport_set_errors(t, ssl->tls->error_handle); + esp_tls_error_handle_t esp_tls_error_handle; + if (esp_tls_get_error_handle(ssl->tls, &esp_tls_error_handle) == ESP_OK) { + esp_transport_set_errors(t, esp_tls_error_handle); + } else { + ESP_LOGE(TAG, "Error in obtaining the error handle"); + } } if (ret == 0) { if (poll > 0) { diff --git a/docs/en/migration-guides/protocols.rst b/docs/en/migration-guides/protocols.rst index 596580a6f7..16720ca39e 100644 --- a/docs/en/migration-guides/protocols.rst +++ b/docs/en/migration-guides/protocols.rst @@ -20,6 +20,7 @@ Most structure fields are now private - Appropriate accessor functions (getter/setter) must be used for the same. A temporary workaround would be to use ``MBEDTLS_PRIVATE`` macro (**not recommended**). - For more details, refer to the official guide `here `__. + SSL ^^^ - Removed support for TLS 1.0, 1.1 and DTLS 1.0 @@ -103,6 +104,19 @@ ESP-TLS Breaking Changes (Summary) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +esp_tls_t structure is now private +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The :cpp:type:`esp_tls_t` has now been made completely private. You cannot access its internal structures directly. Any necessary data that needs to be obtained from the esp-tls handle can be done through respective getter/setter functions. If there is a requirement of a specific getter/setter function please raise an issue on ESP-IDF. + + +The list of newly added getter/setter function is as as follows: + +.. list:: + * :cpp:func:`esp_tls_get_ssl_context` - Obtain the ssl context of the underlying ssl stack from the esp-tls handle. + +Function deprecations and recommended alternatives +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Following table summarizes the deprecated functions removed and their alternatives to be used from ESP-IDF v5.0 onwards. +-----------------------------------+----------------------------------------+ diff --git a/examples/protocols/http2_request/main/http2_request_example_main.c b/examples/protocols/http2_request/main/http2_request_example_main.c index c7efd6c52c..b7fd45bd7d 100644 --- a/examples/protocols/http2_request/main/http2_request_example_main.c +++ b/examples/protocols/http2_request/main/http2_request_example_main.c @@ -22,6 +22,8 @@ #include "nvs_flash.h" #include "protocol_examples_common.h" #include "esp_netif.h" +#include "sdkconfig.h" + #if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE #include "esp_crt_bundle.h" #endif diff --git a/examples/protocols/http_request/main/http_request_example_main.c b/examples/protocols/http_request/main/http_request_example_main.c index 408bdc4615..fdcefda9e6 100644 --- a/examples/protocols/http_request/main/http_request_example_main.c +++ b/examples/protocols/http_request/main/http_request_example_main.c @@ -21,6 +21,7 @@ #include "lwip/sys.h" #include "lwip/netdb.h" #include "lwip/dns.h" +#include "sdkconfig.h" /* Constants that aren't configurable in menuconfig */ #define WEB_SERVER "example.com" diff --git a/examples/protocols/https_request/main/https_request_example_main.c b/examples/protocols/https_request/main/https_request_example_main.c index 882ef2f6c7..ad532f3e17 100644 --- a/examples/protocols/https_request/main/https_request_example_main.c +++ b/examples/protocols/https_request/main/https_request_example_main.c @@ -38,6 +38,7 @@ #include "lwip/dns.h" #include "esp_tls.h" +#include "sdkconfig.h" #if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE #include "esp_crt_bundle.h" #endif diff --git a/examples/protocols/https_server/simple/main/main.c b/examples/protocols/https_server/simple/main/main.c index 8870a1608a..123fcec711 100644 --- a/examples/protocols/https_server/simple/main/main.c +++ b/examples/protocols/https_server/simple/main/main.c @@ -19,6 +19,7 @@ #include #include "esp_tls.h" +#include "sdkconfig.h" /* A simple example that demonstrates how to create GET and POST * handlers and start an HTTPS server. @@ -36,7 +37,7 @@ static esp_err_t root_get_handler(httpd_req_t *req) } #if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK - +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS static void print_peer_cert_info(const mbedtls_ssl_context *ssl) { const mbedtls_x509_crt *cert; @@ -58,7 +59,7 @@ static void print_peer_cert_info(const mbedtls_ssl_context *ssl) free(buf); } - +#endif /** * Example callback function to get the certificate of connected clients, * whenever a new SSL connection is created and closed @@ -75,22 +76,44 @@ static void print_peer_cert_info(const mbedtls_ssl_context *ssl) static void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb) { ESP_LOGI(TAG, "User callback invoked!"); - +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS + mbedtls_ssl_context *ssl_ctx = NULL; +#endif switch(user_cb->user_cb_state) { case HTTPD_SSL_USER_CB_SESS_CREATE: ESP_LOGD(TAG, "At session creation"); // Logging the socket FD - ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd); - + int sockfd = -1; + esp_err_t esp_ret; + esp_ret = esp_tls_get_conn_sockfd(user_cb->tls, &sockfd); + if (esp_ret != ESP_OK) { + ESP_LOGE(TAG, "Error in obtaining the sockfd from tls context"); + break; + } + ESP_LOGI(TAG, "Socket FD: %d", sockfd); +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS + ssl_ctx = (mbedtls_ssl_context *) esp_tls_get_ssl_context(user_cb->tls); + if (ssl_ctx == NULL) { + ESP_LOGE(TAG, "Error in obtaining ssl context"); + break; + } // Logging the current ciphersuite - ESP_LOGI(TAG, "Current Ciphersuite: %s", mbedtls_ssl_get_ciphersuite(&user_cb->tls->ssl)); + ESP_LOGI(TAG, "Current Ciphersuite: %s", mbedtls_ssl_get_ciphersuite(ssl_ctx)); +#endif break; + case HTTPD_SSL_USER_CB_SESS_CLOSE: ESP_LOGD(TAG, "At session close"); - +#ifdef CONFIG_ESP_TLS_USING_MBEDTLS // Logging the peer certificate - print_peer_cert_info(&user_cb->tls->ssl); + ssl_ctx = (mbedtls_ssl_context *) esp_tls_get_ssl_context(user_cb->tls); + if (ssl_ctx == NULL) { + ESP_LOGE(TAG, "Error in obtaining ssl context"); + break; + } + print_peer_cert_info(ssl_ctx); +#endif break; default: ESP_LOGE(TAG, "Illegal state!"); diff --git a/examples/protocols/https_server/wss_server/main/wss_server_example.c b/examples/protocols/https_server/wss_server/main/wss_server_example.c index a57eb04557..b501af2e16 100644 --- a/examples/protocols/https_server/wss_server/main/wss_server_example.c +++ b/examples/protocols/https_server/wss_server/main/wss_server_example.c @@ -18,6 +18,7 @@ #include #include "keep_alive.h" +#include "sdkconfig.h" #if !CONFIG_HTTPD_WS_SUPPORT #error This example cannot be used unless HTTPD_WS_SUPPORT is enabled in esp-http-server component configuration diff --git a/tools/ci/check_copyright_ignore.txt b/tools/ci/check_copyright_ignore.txt index fabd425104..5b802b1e38 100644 --- a/tools/ci/check_copyright_ignore.txt +++ b/tools/ci/check_copyright_ignore.txt @@ -1605,7 +1605,6 @@ components/spi_flash/test/test_spi_flash.c components/tcp_transport/include/esp_transport_ssl.h components/tcp_transport/include/esp_transport_tcp.h components/tcp_transport/include/esp_transport_ws.h -components/tcp_transport/private_include/esp_transport_internal.h components/tcp_transport/private_include/esp_transport_utils.h components/tcp_transport/test/tcp_transport_fixtures.h components/tcp_transport/test/test_transport_basic.c