Merge branch 'feat/dynamic_buffer_tls1.3' into 'master'

feat(mbedtls): add support for dynamic buffer for TLS1.3

Closes IDFGH-14708, IDF-12469, IDF-9178, and IDF-1725

See merge request espressif/esp-idf!38258

examples/protocols/https_request/main/Kconfig.projbuild

@@ -23,4 +23,11 @@ menu "Example Configuration"
         bool
         default y if EXAMPLE_LOCAL_SERVER_URL = "FROM_STDIN"
 
+    config EXAMPLE_SSL_PROTO_TLS1_3_CLIENT
+        bool "Enable TLS 1.3 client test"
+        default n
+        select MBEDTLS_SSL_PROTO_TLS1_3
+        help
+            Enable TLS 1.3 client test support for the example.
+
 endmenu

examples/protocols/https_request/main/https_request_example_main.c

@@ -10,7 +10,7 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  *
- * SPDX-FileContributor: 2015-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileContributor: 2015-2025 Espressif Systems (Shanghai) CO LTD
  */
 
 #include <string.h>
@@ -46,9 +46,15 @@
 #include "time_sync.h"
 
 /* Constants that aren't configurable in menuconfig */
-#define WEB_SERVER "www.howsmyssl.com"
+#ifdef CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT
+#define WEB_SERVER "tls13.browserleaks.com"
+#define WEB_PORT "443"
+#define WEB_URL "https://tls13.browserleaks.com/tls"
+#else
+#define WEB_SERVER "howsmyssl.com"
 #define WEB_PORT "443"
 #define WEB_URL "https://www.howsmyssl.com/a/check"
+#endif
 
 #define SERVER_URL_MAX_SZ 256
 
@@ -85,9 +91,15 @@ extern const uint8_t server_root_cert_pem_end[]   asm("_binary_server_root_cert_
 extern const uint8_t local_server_cert_pem_start[] asm("_binary_local_server_cert_pem_start");
 extern const uint8_t local_server_cert_pem_end[]   asm("_binary_local_server_cert_pem_end");
 #if CONFIG_EXAMPLE_USING_ESP_TLS_MBEDTLS
+#if defined(CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT)
+static const int server_supported_ciphersuites[] = {MBEDTLS_TLS1_3_AES_256_GCM_SHA384, MBEDTLS_TLS1_3_AES_128_CCM_SHA256, 0};
+static const int server_unsupported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 0};
+#else
 static const int server_supported_ciphersuites[] = {MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0};
 static const int server_unsupported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 0};
-#endif
+#endif // CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT
+#endif // CONFIG_EXAMPLE_USING_ESP_TLS_MBEDTLS
+
 #ifdef CONFIG_EXAMPLE_CLIENT_SESSION_TICKETS
 static esp_tls_client_session_t *tls_client_session = NULL;
 static bool save_client_session = false;
@@ -119,14 +131,6 @@ static void https_get_request(esp_tls_cfg_t cfg, const char *WEB_SERVER_URL, con
         goto cleanup;
     }
 
-#ifdef CONFIG_EXAMPLE_CLIENT_SESSION_TICKETS
-    /* The TLS session is successfully established, now saving the session ctx for reuse */
-    if (save_client_session) {
-        esp_tls_free_client_session(tls_client_session);
-        tls_client_session = esp_tls_get_client_session(tls);
-    }
-#endif
-
     size_t written_bytes = 0;
     do {
         ret = esp_tls_conn_write(tls,
@@ -166,6 +170,14 @@ static void https_get_request(esp_tls_cfg_t cfg, const char *WEB_SERVER_URL, con
         putchar('\n'); // JSON output doesn't have a newline at end
     } while (1);
 
+#ifdef CONFIG_EXAMPLE_CLIENT_SESSION_TICKETS
+    /* The TLS session is successfully established, now saving the session ctx for reuse */
+    if (save_client_session) {
+        esp_tls_free_client_session(tls_client_session);
+        tls_client_session = esp_tls_get_client_session(tls);
+    }
+#endif
+
 cleanup:
     esp_tls_conn_destroy(tls);
 exit:
@@ -251,6 +263,9 @@ static void https_get_request_using_already_saved_session(const char *url)
     ESP_LOGI(TAG, "https_request using saved client session");
     esp_tls_cfg_t cfg = {
         .client_session = tls_client_session,
+        .cacert_buf = (const unsigned char *) local_server_cert_pem_start,
+        .cacert_bytes = local_server_cert_pem_end - local_server_cert_pem_start,
+        .skip_common_name = true,
     };
     https_get_request(cfg, url, LOCAL_SRV_REQUEST);
     esp_tls_free_client_session(tls_client_session);

examples/protocols/https_request/pytest_https_request.py

@@ -125,6 +125,90 @@ def test_examples_protocol_https_request_cli_session_tickets(dut: Dut) -> None:
         thread1.terminate()
 
 
+@pytest.mark.ethernet
+@pytest.mark.parametrize(
+    'config',
+    [
+        'ssldyn_tls1_3',
+    ],
+    indirect=True,
+)
+@pytest.mark.parametrize('erase_nvs', ['y'], indirect=True)
+@idf_parametrize('target', ['esp32'], indirect=['target'])
+def test_examples_protocol_https_request_dynamic_buffers_tls1_3(dut: Dut) -> None:
+    # Check for tls 1.3 connection using crt bundle with mbedtls dynamic resource enabled
+    # check and log bin size
+    binary_file = os.path.join(dut.app.binary_path, 'https_request.bin')
+    bin_size = os.path.getsize(binary_file)
+    logging.info('https_request_bin_size : {}KB'.format(bin_size // 1024))
+    # start https server
+    server_port = 8070
+    server_file = os.path.join(os.path.dirname(__file__), 'main', 'local_server_cert.pem')
+    key_file = os.path.join(os.path.dirname(__file__), 'main', 'local_server_key.pem')
+    thread1 = multiprocessing.Process(target=start_https_server, args=(server_file, key_file, '0.0.0.0', server_port))
+    thread1.daemon = True
+    thread1.start()
+    logging.info('The server started on localhost:{}'.format(server_port))
+
+    dut.expect('Loaded app from partition at offset', timeout=30)
+    try:
+        try:
+            ip_address = dut.expect(r'IPv4 address: (\d+\.\d+\.\d+\.\d+)[^\d]', timeout=60)[1].decode()
+            print('Connected to AP/Ethernet with IP: {}'.format(ip_address))
+            host_ip = get_host_ip4_by_dest_ip(ip_address)
+            dut.expect('Start https_request example', timeout=30)
+            print('writing to device: {}'.format('https://' + host_ip + ':' + str(server_port)))
+            dut.write('https://' + host_ip + ':' + str(server_port))
+        except pexpect.exceptions.TIMEOUT:
+            raise ValueError('ENV_TEST_FAILURE: Cannot connect to AP/Ethernet')
+        # Check for connection using already saved client session
+        try:
+            dut.expect('https_request to local server', timeout=30)
+            dut.expect(
+                ['Connection established...', 'Reading HTTP response...', 'HTTP/1.1 200 OK', 'connection closed'],
+                expect_all=True,
+            )
+        except Exception:
+            logging.info('Failed to connect to local https server"')
+            raise
+
+        try:
+            dut.expect('https_request using saved client session', timeout=20)
+            dut.expect(
+                ['Connection established...', 'Reading HTTP response...', 'HTTP/1.1 200 OK', 'connection closed'],
+                expect_all=True,
+            )
+        except Exception:
+            logging.info('Failed the test for "https_request using saved client session"')
+            raise
+        # only check if one connection is established
+        logging.info('Testing for "https_request using crt bundle" with mbedtls dynamic resource enabled')
+        try:
+            dut.expect('https_request using crt bundle', timeout=30)
+            dut.expect(
+                [
+                    'Connection established...',
+                    'Reading HTTP response...',
+                    'HTTP/1.1 200 OK',
+                    'TLS 1.3',
+                    'connection closed',
+                ],
+                expect_all=True,
+            )
+        except Exception:
+            logging.info(
+                'Failed the test for "https_request using crt bundle" with TLS 1.3 '
+                'when mbedtls dynamic resource was enabled'
+            )
+            raise
+        logging.info(
+            'Passed the test for "https_request using crt bundle" with TLS 1.3 when '
+            'mbedtls dynamic resource was enabled'
+        )
+    finally:
+        thread1.terminate()
+
+
 @pytest.mark.ethernet
 @pytest.mark.parametrize(
     'config',

examples/protocols/https_request/sdkconfig.ci.ssldyn_tls1_3

@@ -0,0 +1,15 @@
+CONFIG_SPIRAM=y
+CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y
+CONFIG_EXAMPLE_CONNECT_ETHERNET=y
+CONFIG_EXAMPLE_CONNECT_WIFI=n
+CONFIG_EXAMPLE_USE_INTERNAL_ETHERNET=y
+CONFIG_EXAMPLE_ETH_PHY_IP101=y
+CONFIG_EXAMPLE_ETH_MDC_GPIO=23
+CONFIG_EXAMPLE_ETH_MDIO_GPIO=18
+CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
+CONFIG_EXAMPLE_ETH_PHY_ADDR=1
+CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
+CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT=y
+CONFIG_EXAMPLE_CLIENT_SESSION_TICKETS=y
+CONFIG_EXAMPLE_LOCAL_SERVER_URL="FROM_STDIN"
+CONFIG_EXAMPLE_LOCAL_SERVER_URL_FROM_STDIN=y

examples/system/ota/simple_ota_example/pytest_simple_ota.py

@@ -391,6 +391,7 @@ def test_examples_protocol_simple_ota_example_with_verify_app_signature_on_updat
     'config',
     [
         'tls1_3',
+        'tls1_3_only_dynamic',
     ],
     indirect=True,
 )

examples/system/ota/simple_ota_example/sdkconfig.ci.tls1_3_only_dynamic

@@ -0,0 +1,13 @@
+CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL="FROM_STDIN"
+CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK=y
+CONFIG_EXAMPLE_CONNECT_ETHERNET=y
+CONFIG_EXAMPLE_CONNECT_WIFI=n
+CONFIG_EXAMPLE_USE_INTERNAL_ETHERNET=y
+CONFIG_EXAMPLE_ETH_PHY_IP101=y
+CONFIG_EXAMPLE_ETH_MDC_GPIO=23
+CONFIG_EXAMPLE_ETH_MDIO_GPIO=18
+CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
+CONFIG_EXAMPLE_ETH_PHY_ADDR=1
+CONFIG_EXAMPLE_CONNECT_IPV6=y
+CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
+CONFIG_MBEDTLS_DYNAMIC_BUFFER=y