wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7936 from gojimmypi/pr-add-espressif-esp-tls-cert-bundle

Browse Source 
Add wolfSSL esp-tls and Certificate Bundle Support
This commit is contained in:
JacobBarthelmeh
2024-09-27 15:22:49 -06:00
committed by GitHub
parent 3178ce60c6 2a354905cb
commit b96e73f9ed
14 changed files with 6667 additions and 85 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
wolfcrypt/src/include.am
View File

@ -123,6 +123,12 @@ EXTRA_DIST += wolfcrypt/src/port/ti/ti-aes.c \
wolfcrypt/src/port/Espressif/esp_sdk_mem_lib.c \
wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c \
wolfcrypt/src/port/Espressif/esp_sdk_wifi_lib.c \
wolfcrypt/src/port/Espressif/esp_crt_bundle/README.md \
wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_all.pem \
wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_deprecated.pem \
wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c \
wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py \
wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_local.pem \
wolfcrypt/src/port/Espressif/README.md \
wolfcrypt/src/port/arm/cryptoCell.c \
wolfcrypt/src/port/arm/cryptoCellHash.c \

2
wolfcrypt/src/port/Espressif/README.md
View File

@ -12,7 +12,7 @@ Support for the ESP32 on-board cryptographic hardware acceleration for symmetric
## ESP32 Acceleration
More details about ESP32 HW Accelerationcan be found in:
More details about ESP32 HW Acceleration can be found in:
* [ESP32 Technical Reference Manual](https://espressif.com/sites/default/files/documentation/esp32_technical_reference_manual_en.pdf)
* [ESP32-S2 Technical Reference Manual](https://www.espressif.com/sites/default/files/documentation/esp32-s2_technical_reference_manual_en.pdf)

336
wolfcrypt/src/port/Espressif/esp32_mp.c
View File

@ -35,7 +35,6 @@
*
* Also, beware: "we have uint32_t == unsigned long for both Xtensa and RISC-V"
* see https://github.com/espressif/esp-idf/issues/9511#issuecomment-1207342464
* https://docs.espressif.com/projects/esp-idf/en/latest/esp32/migration-guides/release-5.x/5.0/gcc.html
*/
#ifdef HAVE_CONFIG_H
@ -69,9 +68,70 @@
#include <freertos/semphr.h>
#endif
#define ESP_HW_RSAMAX_BIT 4096
#define ESP_HW_MULTI_RSAMAX_BITS 2048
#define ESP_HW_RSAMIN_BIT 512
#define ESP_HW_RSAMAX_BIT 4096
#if defined(CONFIG_IDF_TARGET_ESP32)
/* See 24.3.2 Large Number Modular Exponentiation:
* esp32_technical_reference_manual_en.pdf
* The RSA Accelerator supports specific operand lengths of N
* {512, 1024, 1536, 2048, 2560, 3072, 3584, 4096} bits
*
* 24.3.4 Large Number Multiplication
* The length of Z is twice that of X and Y . Therefore, the RSA Accelerator
* supports large-number multiplication with only four operand lengths of
* N in {512, 1024, 1536, 2048} */
#define ESP_HW_MOD_RSAMAX_BITS 4096
#define ESP_HW_MULTI_RSAMAX_BITS 2048
#elif defined(CONFIG_IDF_TARGET_ESP32S2)
/* See 18.3.1 Large Number Modular Exponentiation
* esp32-s2_technical_reference_manual_en.pdf
* RSA Accelerator supports operands of length N = (32 * x),
* where x in {1, 2, 3, . . . , 128}. The bit lengths of arguments
* Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
* must be of the same length. 32 * 128 = 4096 */
#define ESP_HW_MOD_RSAMAX_BITS 4096
#define ESP_HW_MULTI_RSAMAX_BITS 2048
#elif defined(CONFIG_IDF_TARGET_ESP32S3)
/* See 20.3.1 Large Number Modular Exponentiation
* esp32-s3_technical_reference_manual_en.pdf
* RSA Accelerator supports operands of length N = (32 * x),
* where x in {1, 2, 3, . . . , 128}. The bit lengths of arguments
* Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
* must be of the same length. 32 * 128 = 4096 */
#define ESP_HW_MOD_RSAMAX_BITS 4096
#define ESP_HW_MULTI_RSAMAX_BITS 2048
#elif defined(CONFIG_IDF_TARGET_ESP32C3)
/* See 20.3.1 Large Number Modular Exponentiation
* esp32-c3_technical_reference_manual_en.pdf
* RSA Accelerator supports operands of length N = (32 * x),
* where x in {1, 2, 3, . . . , 96}. The bit lengths of arguments
* Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
* must be of the same length. 32 * 96 = 3072 */
#define ESP_HW_MOD_RSAMAX_BITS 3072
/* The length of result Z is twice that of operand X and operand Y.
* Therefore, the RSA accelerator only supports large-number multiplication
* with operand length N = 32 * x, where x in {1, 2, 3, . . . , 48}.
* 32 * (96/2) = 32 * (48/2) = 1536 */
#define ESP_HW_MULTI_RSAMAX_BITS 1536
#elif defined(CONFIG_IDF_TARGET_ESP32C6)
/* See 22.3.1 Large-number Modular Exponentiation
* esp32-c6_technical_reference_manual_en.pdf
* The RSA accelerator supports operands of length N = (32 * x),
* where x in {1, 2, 3, . . . , 96}. The bit lengths of arguments
* Z, X, Y , M, and r can be arbitrary N, but all numbers in a calculation
* must be of the same length. 32 * 96 = 3072 */
#define ESP_HW_MOD_RSAMAX_BITS 3072
/* The length of result Z is twice that of operand X and operand Y.
* Therefore, the RSA accelerator only supports large-number multiplication
* with operand length N = 32 * x, where x in {1, 2, 3, . . . , 48}.
* 32 * (96/2) = 32 * (48/2) = 1536 */
#define ESP_HW_MULTI_RSAMAX_BITS 1536
#else
/* No HW on ESP8266, but then we'll not even use this lib.
* Other ESP32 devices not implemented: */
#define ESP_HW_MOD_RSAMAX_BITS 0
#define ESP_HW_MULTI_RSAMAX_BITS 0
#endif
/* (s+(4-1))/ 4 */
#define BYTE_TO_WORDS(s) (((s+3)>>2))
@ -81,6 +141,7 @@
#define BITS_IN_ONE_WORD 32
/* Some minimum operand sizes, fall back to SW if too small: */
#ifndef ESP_RSA_MULM_BITS
#define ESP_RSA_MULM_BITS 16
#endif
@ -93,8 +154,18 @@
#define ESP_RSA_EXPT_YBITS 8
#endif
/* RSA math calculation timeout */
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x5000000
#endif
#define ESP_TIMEOUT(cnt) (cnt >= ESP_RSA_TIMEOUT_CNT)
/* Hardware Ready Timeout */
#ifndef ESP_RSA_WAIT_TIMEOUT_CNT
#define ESP_RSA_WAIT_TIMEOUT_CNT 0x20
#endif
#define ESP_WAIT_TIMEOUT(cnt) (cnt >= ESP_RSA_WAIT_TIMEOUT_CNT)
#if defined(CONFIG_IDF_TARGET_ESP32C3)
#include <soc/system_reg.h>
#include <soc/hwcrypto_reg.h>
@ -142,33 +213,42 @@ static portMUX_TYPE wc_rsa_reg_lock = portMUX_INITIALIZER_UNLOCKED;
#ifdef WOLFSSL_HW_METRICS
static unsigned long esp_mp_max_used = 0;
static unsigned long esp_mp_mulmod_small_x_ct = 0;
static unsigned long esp_mp_mulmod_small_y_ct = 0;
static unsigned long esp_mp_max_timeout = 0;
static unsigned long esp_mp_max_timeout = 0; /* Calc duration */
static unsigned long esp_mp_max_wait_timeout; /* HW wait duration */
/* HW Multiplication Metrics */
#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL
static unsigned long esp_mp_mul_usage_ct = 0;
static unsigned long esp_mp_mul_error_ct = 0;
static unsigned long esp_mp_mul_tiny_ct = 0;
static unsigned long esp_mp_mul_max_exceeded_ct = 0;
#endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MP_MUL */
/* HW Modular Multiplication Metrics */
#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD
static unsigned long esp_mp_mulmod_small_x_ct = 0;
static unsigned long esp_mp_mulmod_small_y_ct = 0;
static unsigned long esp_mp_mulmod_max_exceeded_ct = 0;
static unsigned long esp_mp_mulmod_usage_ct = 0;
static unsigned long esp_mp_mulmod_fallback_ct = 0;
static unsigned long esp_mp_mulmod_even_mod_ct = 0;
static unsigned long esp_mp_mulmod_error_ct = 0;
#endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_MULMOD */
#endif
/* HW Modular Exponentiation Metrics */
#ifndef NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD
static unsigned long esp_mp_exptmod_usage_ct = 0;
static unsigned long esp_mp_exptmod_error_ct = 0;
static unsigned long esp_mp_exptmod_max_exceeded_ct = 0;
static unsigned long esp_mp_exptmod_fallback_ct = 0;
#endif /* !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
#endif
#endif /* WOLFSSL_HW_METRICS */
/* mutex */
#ifdef SINGLE_THREADED
int single_thread_locked = 0;
/* Although freeRTOS is multithreaded, if we know we'll only be in
* a single thread for wolfSSL, we can avoid the complexity of mutexes. */
static int single_thread_locked = 0;
#else
static wolfSSL_Mutex mp_mutex;
static int espmp_CryptHwMutexInit = 0;
@ -185,7 +265,7 @@ static portMUX_TYPE wc_rsa_reg_lock = portMUX_INITIALIZER_UNLOCKED;
* check if the HW is ready before accessing it
*
* See 24.3.1 Initialization of ESP32 Technical Reference Manual
* https://www.espressif.com/sites/default/files/documentation/esp32_technical_reference_manual_en.pdf
* esp32_technical_reference_manual_en.pdf
*
* The RSA Accelerator is activated by enabling the corresponding peripheral
* clock, and by clearing the DPORT_RSA_PD bit in the DPORT_RSA_PD_CTRL_REG
@ -238,14 +318,23 @@ static int esp_mp_hw_wait_clean(void)
/* no HW timeout if we don't know the platform. assumes no HW */
#endif
#if defined(WOLFSSL_HW_METRICS)
{
esp_mp_max_timeout = (timeout > esp_mp_max_timeout) ? timeout :
esp_mp_max_timeout;
#if defined(WOLFSSL_HW_METRICS)
/* The wait timeout is separate from the overall max calc timeout. */
if (timeout > esp_mp_max_wait_timeout) {
esp_mp_max_wait_timeout = timeout;
}
#endif
/* Also see if the overall timeout has been increased. */
if (timeout > esp_mp_max_timeout) {
esp_mp_max_timeout = timeout;
}
#endif
if (ESP_TIMEOUT(timeout)) {
/* This is highly unusual and will likely only occur in multi-threaded
* application. wolfSSL ctx is not thread safe. */
#ifndef SINGLE_THREADED
ESP_LOGI(TAG, "Consider #define SINGLE_THREADED. See docs");
#endif
ESP_LOGE(TAG, "esp_mp_hw_wait_clean waiting HW ready timed out.");
ret = WC_HW_WAIT_E; /* hardware is busy, MP_HW_BUSY; */
}
@ -293,7 +382,7 @@ static int esp_mp_hw_islocked(void)
* Returns 0 (ESP_OK) if the HW lock was initialized and mutex lock.
*
* See Chapter 24:
* https://www.espressif.com/sites/default/files/documentation/esp32_technical_reference_manual_en.pdf
* esp32_technical_reference_manual_en.pdf
*
* The RSA Accelerator is activated by enabling the corresponding peripheral
* clock, and by clearing the DPORT_RSA_PD bit in the DPORT_RSA_PD_CTRL_REG
@ -332,8 +421,7 @@ static int esp_mp_hw_lock(void)
if (ret == ESP_OK) {
/* lock hardware; there should be exactly one instance
* of esp_CryptHwMutexLock(&mp_mutex ...) in code */
/* TODO - do we really want to wait?
* probably not */
ret = esp_CryptHwMutexLock(&mp_mutex, ESP_MP_HW_LOCK_MAX_DELAY);
if (ret != ESP_OK) {
ESP_LOGE(TAG, "mp engine lock failed.");
@ -529,7 +617,9 @@ static int esp_mp_hw_unlock(void)
ESP_LOGV(TAG, "exit esp_mp_hw_unlock");
}
else {
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
ESP_LOGW(TAG, "Warning: esp_mp_hw_unlock called when not locked.");
#endif
}
return ret;
@ -736,6 +826,12 @@ static int wait_until_done(word32 reg)
#endif
#if defined(WOLFSSL_HW_METRICS)
if (timeout > esp_mp_max_timeout) {
esp_mp_max_timeout = timeout;
}
#endif
if (ESP_TIMEOUT(timeout)) {
ESP_LOGE(TAG, "rsa operation timed out.");
ret = WC_HW_E; /* MP_HW_ERROR; */
@ -1084,12 +1180,17 @@ int esp_mp_montgomery_init(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M,
mph->hwWords_sz = words2hwords(mph->maxWords_sz);
if ((mph->hwWords_sz << 5) > ESP_HW_RSAMAX_BIT) {
#if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS) || \
defined(WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS)
ESP_LOGW(TAG, "Warning: hwWords_sz = %d (%d bits)"
" exceeds HW maximum bits (%d), "
" falling back to SW.",
mph->hwWords_sz,
mph->hwWords_sz << 5,
ESP_HW_RSAMAX_BIT);
#endif
/* The fallback error code is expected to be handled by
* caller to perform software instead. */
ret = MP_HW_FALLBACK;
} /* hwWords_sz check */
} /* X and Y size ok */
@ -1285,17 +1386,34 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
Zs = Xs + Ys;
/* RSA Accelerator only supports Large Number Multiplication
* with operand length N = 32 * x,
* where x in {1, 2, 3, . . . , 64} */
if (Xs > 64 || Ys > 64) {
return MP_HW_FALLBACK; /* TODO add count metric on size fallback */
* with certain operand lengths N = (32 * x); See above. */
if (Xs > ESP_HW_MULTI_RSAMAX_BITS) {
#if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS)
ESP_LOGW(TAG, "mp-mul X %d bits exceeds max bit length (%d)",
Xs, ESP_HW_MULTI_RSAMAX_BITS);
#endif
esp_mp_mul_max_exceeded_ct++;
return MP_HW_FALLBACK;
}
if (Ys > ESP_HW_MULTI_RSAMAX_BITS) {
#if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS)
ESP_LOGW(TAG, "mp-mul Y %d bits exceeds max bit length (%d)",
Ys, ESP_HW_MULTI_RSAMAX_BITS);
#endif
esp_mp_mul_max_exceeded_ct++;
return MP_HW_FALLBACK;
}
if (Zs <= sizeof(mp_digit)*8) {
/* sizeof(mp_digit) is typically 4 bytes.
* If the total Zs fits into a 4 * 8 = 32 bit word, just do regular math: */
if (Zs <= sizeof(mp_digit) * 8) {
Z->dp[0] = X->dp[0] * Y->dp[0];
Z->used = 1;
#if defined(WOLFSSL_SP_INT_NEGATIVE) || defined(USE_FAST_MATH)
Z->sign = res_sign; /* See above mp_isneg() for negative detection */
#endif
#if defined(WOLFSSL_HW_METRICS)
esp_mp_mul_tiny_ct++;
#endif
return MP_OKAY;
}
@ -1306,13 +1424,21 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
hwWords_sz = words2hwords(maxWords_sz);
resultWords_sz = bits2words(Xs + Ys);
/* sanity check */
/* Final parameter sanity check */
if ( (hwWords_sz << 5) > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "exceeds max bit length(2048) (a)");
ret = MP_HW_FALLBACK; /* Error: value is not able to be used. */
#if defined(WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS)
ESP_LOGW(TAG, "mp-mul exceeds max bit length (%d)",
ESP_HW_MULTI_RSAMAX_BITS);
#endif
#if defined(WOLFSSL_HW_METRICS)
esp_mp_mul_max_exceeded_ct++;
#endif
return MP_HW_FALLBACK; /* Fallback to use SW */
}
}
/* If no initial exit, proceed to hardware multiplication calculations: */
#if defined(CONFIG_IDF_TARGET_ESP32)
/* assumed to be regular ESP32 Xtensa here */
@ -1440,11 +1566,17 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
/* Make sure we are within capabilities of hardware. */
if ((hwWords_sz * BITS_IN_ONE_WORD) > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "exceeds max bit length(%d)", ESP_HW_MULTI_RSAMAX_BITS);
#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
ESP_LOGW(TAG, "exceeds max bit length(%d)",
ESP_HW_MULTI_RSAMAX_BITS);
#endif
ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
}
if ((hwWords_sz * BITS_IN_ONE_WORD * 2) > ESP_HW_RSAMAX_BIT) {
ESP_LOGW(TAG, "result exceeds max bit length(%d)", ESP_HW_RSAMAX_BIT );
#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
ESP_LOGW(TAG, "result exceeds max bit length(%d) * 2",
ESP_HW_RSAMAX_BIT );
#endif
ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
}
@ -1517,21 +1649,30 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
#elif defined(CONFIG_IDF_TARGET_ESP32C6)
/* Unlike the ESP32 that is limited to only four operand lengths,
* the ESP32-C6 The RSA Accelerator supports large-number modular
* multiplication with operands of 128 different lengths.
* multiplication with operands of 96 different lengths. (1 .. 96 words)
*
* X & Y must be represented by the same number of bits. Must be
* enough to represent the larger one. */
* enough to represent the larger one.
*
* Multiplication is limited to 48 different lengths (1 .. 48 words) */
/* Figure out how many words we need to
* represent each operand & the result. */
/* Make sure we are within capabilities of hardware. */
if ((hwWords_sz * BITS_IN_ONE_WORD) > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "exceeds max bit length(%d)", ESP_HW_MULTI_RSAMAX_BITS);
#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
ESP_LOGW(TAG, "RSA mul result hwWords_sz %d exceeds max bit length %d",
hwWords_sz, ESP_HW_MULTI_RSAMAX_BITS);
#endif
ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
}
if ((hwWords_sz * BITS_IN_ONE_WORD * 2) > ESP_HW_RSAMAX_BIT) {
ESP_LOGW(TAG, "result exceeds max bit length(%d)", ESP_HW_RSAMAX_BIT );
#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
ESP_LOGW(TAG, "RSA max result hwWords_sz %d exceeds max bit length %d",
hwWords_sz, ESP_HW_RSAMAX_BIT );
#endif
ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
}
@ -1627,11 +1768,15 @@ int esp_mp_mul(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* Z)
/* Make sure we are within capabilities of hardware. */
if ((hwWords_sz * BITS_IN_ONE_WORD) > ESP_HW_MULTI_RSAMAX_BITS) {
#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
ESP_LOGW(TAG, "exceeds max bit length(%d)", ESP_HW_MULTI_RSAMAX_BITS);
#endif
ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
}
if ((hwWords_sz * BITS_IN_ONE_WORD * 2) > ESP_HW_RSAMAX_BIT) {
#ifdef WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
ESP_LOGW(TAG, "result exceeds max bit length(%d)", ESP_HW_RSAMAX_BIT );
#endif
ret = MP_HW_FALLBACK; /* let SW figure out how to deal with it */
}
@ -1934,10 +2079,9 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
}
#endif
ret = MP_HW_FALLBACK;
/* TODO add debug metrics */
#ifdef WOLFSSL_DEBUG_ESP_RSA_MULM_BITS
{
ESP_LOGV(TAG, "esp_mp_mulmod falling back for ESP_RSA_MULM_BITS!");
ESP_LOGW(TAG, "esp_mp_mulmod falling back for ESP_RSA_MULM_BITS!");
}
#endif
}
@ -2101,9 +2245,11 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
/* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MULTI_RSAMAX_BITS) {
if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
#ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
ESP_LOGW(TAG, "result exceeds max bit length");
return MP_VAL; /* Error: value is not able to be used. */
#endif
return MP_HW_FALLBACK; /* Error: value is not able to be used. */
}
WordsForOperand = bits2words(OperandBits);
/* alt inline calc:
@ -2190,9 +2336,16 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
/* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "result exceeds max bit length");
return MP_VAL; /* Error: value is not able to be used. */
if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
#ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
ESP_LOGW(TAG, "mulmod OperandBits = %d "
"result exceeds max bit length %d",
OperandBits, ESP_HW_MOD_RSAMAX_BITS);
#endif
if (mulmod_lock_called) {
ret = esp_mp_hw_unlock();
}
return MP_HW_FALLBACK; /* Error: value is not able to be used. */
}
WordsForOperand = bits2words(OperandBits);
/* alt inline calc:
@ -2282,9 +2435,12 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
/* 3. Write (N_result_bits/32 - 1) to the RSA_MODE_REG. */
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "result exceeds max bit length");
return MP_VAL; /* Error: value is not able to be used. */
if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
#ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
ESP_LOGW(TAG, "mp_mulmod OperandBits %d exceeds max bit length %d.",
OperandBits, ESP_HW_MOD_RSAMAX_BITS);
#endif
return MP_HW_FALLBACK; /* Error: value is not able to be used. */
}
WordsForOperand = bits2words(OperandBits);
/* alt inline calc:
@ -2346,7 +2502,9 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
ESP_LOGV(TAG, "Lock not called due to no-lock MP_HW_FALLBACK");
}
else {
ESP_LOGW(TAG, "Lock unexpectedly not called");
#ifdef WOLFSSL_ESP32_HW_LOCK_DEBUG
ESP_LOGW(TAG, "Lock unexpectedly not called for mp_mulmod");
#endif
}
}
@ -2505,8 +2663,8 @@ int esp_mp_mulmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
*
* Z = X^Y mod M
*
* ESP32, Section 24.3.2 https://www.espressif.com/sites/default/files/documentation/esp32_technical_reference_manual_en.pdf
* ESP32S3, Section 20.3.1, https://www.espressif.com/sites/default/files/documentation/esp32-s3_technical_reference_manual_en.pdf
* ESP32, Section 24.3.2 esp32_technical_reference_manual_en.pdf
* ESP32S3, Section 20.3.1, esp32-s3_technical_reference_manual_en.pdf
*
* The operation is based on Montgomery multiplication. Aside from the
* arguments X, Y , and M, two additional ones are needed -r and M'
@ -2623,6 +2781,7 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
#ifdef DEBUG_WOLFSSL
esp_mp_exptmod_depth_counter--;
#endif
return MP_HW_FALLBACK; /* If we can't lock HW, fall back to SW */
}
} /* the only thing we expect is success or busy */
@ -2700,6 +2859,25 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
}
#elif defined(CONFIG_IDF_TARGET_ESP32C3)
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
#ifdef WOLFSSL_HW_METRICS
ESP_LOGW(TAG, "exptmod operand bits %d exceeds max bit length %d",
OperandBits, ESP_HW_MOD_RSAMAX_BITS);
esp_mp_mulmod_max_exceeded_ct++;
#endif
if (exptmod_lock_called) {
ret = esp_mp_hw_unlock();
}
ESP_LOGV(TAG, "Return esp_mp_exptmod fallback");
/* HW not capable for this size, return error to fall back to SW: */
return MP_HW_FALLBACK;
}
else {
WordsForOperand = bits2words(OperandBits);
}
/* Steps to perform large number modular exponentiation.
* Calculates Z = (X ^ Y) modulo M.
* The number of bits in the operands (X, Y) is N. N can be 32x,
@ -2725,17 +2903,6 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
ret = esp_mp_hw_wait_clean();
}
if (ret == MP_OKAY) {
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "result exceeds max bit length");
ret = MP_VAL; /* Error: value is not able to be used. */
}
else {
WordsForOperand = bits2words(OperandBits);
}
}
if (ret == MP_OKAY) {
/* 2. Disable completion interrupt signal; we don't use.
** 0 => no interrupt; 1 => interrupt on completion. */
@ -2786,6 +2953,25 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
/* end if CONFIG_IDF_TARGET_ESP32C3 */
#elif defined(CONFIG_IDF_TARGET_ESP32C6)
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
#ifdef WOLFSSL_HW_METRICS
ESP_LOGW(TAG, "exptmod operand bits %d exceeds max bit length %d",
OperandBits, ESP_HW_MOD_RSAMAX_BITS);
esp_mp_mulmod_max_exceeded_ct++;
#endif
if (exptmod_lock_called) {
ret = esp_mp_hw_unlock();
}
ESP_LOGV(TAG, "Return esp_mp_exptmod fallback");
/* HW not capable for this size, return error to fall back to SW: */
return MP_HW_FALLBACK;
}
else {
WordsForOperand = bits2words(OperandBits);
}
/* Steps to perform large number modular exponentiation.
* Calculates Z = (X ^ Y) modulo M.
* The number of bits in the operands (X, Y) is N. N can be 32x,
@ -2811,17 +2997,6 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
ret = esp_mp_hw_wait_clean();
}
if (ret == MP_OKAY) {
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "result exceeds max bit length");
ret = MP_VAL; /* Error: value is not able to be used. */
}
else {
WordsForOperand = bits2words(OperandBits);
}
}
if (ret == MP_OKAY) {
/* 2. Disable completion interrupt signal; we don't use.
** 0 => no interrupt; 1 => interrupt on completion. */
@ -2864,6 +3039,7 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
}
/* 8. clear and release HW */
ESP_LOGI(TAG, "Unlock esp_mp_exptmod");
if (exptmod_lock_called) {
ret = esp_mp_hw_unlock();
}
@ -2900,9 +3076,12 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
if (ret == MP_OKAY) {
OperandBits = max(max(mph->Xs, mph->Ys), mph->Ms);
if (OperandBits > ESP_HW_MULTI_RSAMAX_BITS) {
ESP_LOGW(TAG, "result exceeds max bit length");
ret = MP_VAL; /* Error: value is not able to be used. */
if (OperandBits > ESP_HW_MOD_RSAMAX_BITS) {
#ifdef WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
ESP_LOGW(TAG, "exptmod operand bits %d exceeds max bit length %d",
OperandBits, ESP_HW_MOD_RSAMAX_BITS);
#endif
ret = MP_HW_FALLBACK; /* Error: value is not able to be used. */
}
else {
WordsForOperand = bits2words(OperandBits);
@ -2978,6 +3157,7 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
#ifdef WOLFSSL_HW_METRICS
esp_mp_max_used = (Z->used > esp_mp_max_used) ? Z->used : esp_mp_max_used;
#endif
ESP_LOGV(TAG, "Return esp_mp_exptmod %d", ret);
return ret;
} /* esp_mp_exptmod */
@ -2988,6 +3168,7 @@ int esp_mp_exptmod(MATH_INT_T* X, MATH_INT_T* Y, MATH_INT_T* M, MATH_INT_T* Z)
#endif /* !NO_RSA || HAVE_ECC */
/* Some optional metrics when using RSA HW Accleration */
#if defined(WOLFSSL_ESP32_CRYPT_RSA_PRI) && defined(WOLFSSL_HW_METRICS)
int esp_hw_show_mp_metrics(void)
{
@ -3004,6 +3185,10 @@ int esp_hw_show_mp_metrics(void)
ESP_LOGI(TAG, "esp_mp_mul HW acceleration enabled.");
ESP_LOGI(TAG, "Number of calls to esp_mp_mul: %lu",
esp_mp_mul_usage_ct);
ESP_LOGI(TAG, "Number of calls to esp_mp_mul with tiny operands: %lu",
esp_mp_mul_tiny_ct);
ESP_LOGI(TAG, "Number of calls to esp_mp_mul HW operand exceeded: %lu",
esp_mp_mul_max_exceeded_ct);
if (esp_mp_mul_error_ct == 0) {
ESP_LOGI(TAG, "Success: no esp_mp_mul() errors.");
}
@ -3025,6 +3210,8 @@ int esp_hw_show_mp_metrics(void)
/* Metrics: esp_mp_mulmod() */
ESP_LOGI(TAG, "Number of calls to esp_mp_mulmod: %lu",
esp_mp_mulmod_usage_ct);
ESP_LOGI(TAG, "Number of calls to esp_mp_mulmod HW operand exceeded: %lu",
esp_mp_mulmod_max_exceeded_ct);
ESP_LOGI(TAG, "Number of fallback to SW mp_mulmod: %lu",
esp_mp_mulmod_fallback_ct);
@ -3065,6 +3252,8 @@ int esp_hw_show_mp_metrics(void)
ESP_LOGI(TAG, "Number of calls to esp_mp_exptmod: %lu",
esp_mp_exptmod_usage_ct);
ESP_LOGI(TAG, "Number of calls to esp_mp_exptmod HW operand exceeded: %lu",
esp_mp_exptmod_max_exceeded_ct);
ESP_LOGI(TAG, "Number of fallback to SW mp_exptmod: %lu",
esp_mp_exptmod_fallback_ct);
if (esp_mp_exptmod_error_ct == 0) {
@ -3078,7 +3267,10 @@ int esp_hw_show_mp_metrics(void)
#endif /* EXPTMOD not disabled !NO_WOLFSSL_ESP32_CRYPT_RSA_PRI_EXPTMOD */
ESP_LOGI(TAG, "Max N->used: esp_mp_max_used = %lu", esp_mp_max_used);
ESP_LOGI(TAG, "Max timeout: esp_mp_max_timeout = %lu", esp_mp_max_timeout);
ESP_LOGI(TAG, "Max hw wait timeout: esp_mp_max_wait_timeout = %lu",
esp_mp_max_wait_timeout);
ESP_LOGI(TAG, "Max calc timeout: esp_mp_max_timeout = 0x%08lx",
esp_mp_max_timeout);
#else
/* no HW math, no HW math metrics */

287
wolfcrypt/src/port/Espressif/esp_crt_bundle/README.md Normal file
View File

@ -0,0 +1,287 @@
# wolfSSL Support for ESP-IDF Certificate Bundles
These files are typically only used when integrating wolfSSL with the ESP-IDF
and with the intention of using Certificate Bundles in the esp-tls component.
See the ESP-IDF `idf.py menuconfig`. A recent version of the [wolfSSL Kconfig](https://github.com/wolfSSL/wolfssl/blob/master/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl/Kconfig)
file is needed. The [template example](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/template)
can be use for creating a project-specific [wolfSSL component](https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif/ESP-IDF/examples/template/components/wolfssl)
when not using a [Managed Component](https://components.espressif.com/components/wolfssl/wolfssl).
## Getting Started
Use the `idf.py menuconfig`,
When in doubt, delete the `./build` directory. This is particularly important when changing Certificate Bundle PEM files.
## Certificate Inspection
The certificates in the bundle are in PEM format. The [gen_crt_bundle.py script](./gen_crt_bundle.py)
converts them to DER format to load into the `x509_crt_imported_bundle_wolfssl_bin_start` binary
array.
To convert a PEM to DER from command-line:
```
MY_CERT_NAME=ISRG_ROOT_X1
openssl x509 -outform der -in "$MY_CERT_NAME".pem -out "$MY_CERT_NAME".der
```
To inspect a DER file:
```
openssl x509 -inform der -in "$MY_CERT_NAME".der -text -noout
```
## Known Problems and Issues
Here are the areas that may need attention. Most are related to older published versions of the ESP-IDF
that may not yet have wolfSSL integration. An updated ESP-IDF is required to use wolfSSL component _in_ the ESP-IDF.
There's a [gojimmypi V5.2.2 WIP Branch](https://github.com/gojimmypi/esp-idf/tree/my_522/components/lwip) for reference
until a PR is created for upstream support.
### Time
The wolfSSL libraries are by default considerably more robust and strict. As such, it is important to have an accurate
time and date setting for the certficate date ranges.. The wolfssL libraries include some
[time helper functions](https://github.com/wolfSSL/wolfssl/blob/master/wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h).
These can be enabled with `#define USE_WOLFSSL_ESP_SDK_TIME` in the `user_settings.h`.
Alternatively, the `WOLFSSL_DEBUG_IGNORE_ASN_TIME` can be used to ignore the time. This is strongly discouraged in anything
other than a development / test environment where the time is known to be incorrect.
### Examples may need to have wolfSSL Certificate Bundles enabled.
In cases where [some examples are gated out](https://github.com/espressif/esp-idf/blob/c9df77efbf871d4c3ae9fb828778ff8c4ab36804/examples/protocols/esp_http_client/main/esp_http_client_example.c#L419),
the "or" needs to be added for `CONFIG_WOLFSSL_CERTIFICATE_BUNDLE` option like this:
```
#if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE || CONFIG_WOLFSSL_CERTIFICATE_BUNDLE
```
### Adding Embedded Certificates
The `main` app directory has a [CMakeLists.txt](https://github.com/espressif/esp-idf/blob/6e5414b6c4f265a0adfb56a15fbfbe6beb1f8373/examples/protocols/esp_http_client/main/CMakeLists.txt#L10)
with the `idf_component_register` function:
```
idf_component_register(SRCS "esp_http_client_example.c"
INCLUDE_DIRS "."
REQUIRES ${requires}
EMBED_TXTFILES howsmyssl_com_root_cert.pem
postman_root_cert.pem)
```
This data ends up in the [extern const char](https://github.com/espressif/esp-idf/blob/6e5414b6c4f265a0adfb56a15fbfbe6beb1f8373/examples/protocols/esp_http_client/main/esp_http_client_example.c#L45)
arrays:
```
extern const char howsmyssl_com_root_cert_pem_start[] asm("_binary_howsmyssl_com_root_cert_pem_start");
extern const char howsmyssl_com_root_cert_pem_end[] asm("_binary_howsmyssl_com_root_cert_pem_end");
extern const char postman_root_cert_pem_start[] asm("_binary_postman_root_cert_pem_start");
extern const char postman_root_cert_pem_end[] asm("_binary_postman_root_cert_pem_end");
```
When changing the source files (also located in the `main` directory) - it is usually best to
delete the `./build` directory to ensure fresh contents get parsed in as desired.
VS Code / PlatformIO users can consider deleting the `./pio` and `./vscode` directories.
Visual Studio/VisualGDB users can remove the `./vs` and `.visualgdb`.
### TLS 1.3 issues with howsmyssl.com
Espressif is using the well known https://www.howsmyssl.com/ in the
[examples](https://github.com/espressif/esp-idf/tree/master/examples/protocols/), for instance in
the [esp_http_client](https://github.com/espressif/esp-idf/tree/master/examples/protocols/esp_http_client).
It was recently observed that TLS 1.3 is _not_ currently configured properly on that web site.
See [howsmyssl #716](https://github.com/jmhodges/howsmyssl/issues/716).
As such, when configuring wolfSSL for _only_ TLS 1.3, a `fatal error -313` may occur.
Additionally, not that there's a [cert in the app](https://github.com/espressif/esp-idf/blob/c9df77efbf871d4c3ae9fb828778ff8c4ab36804/examples/protocols/esp_http_client/main/esp_http_client_example.c#L45)
in `howsmyssl_com_root_cert_pem_start`, separate from the bundle certificate data. Take note of this when
attempting to simply change `www.howsmyssl.com` to `www.google.com`.
### postman
Beware there's a hard-coded PEM certificate for the [postman root cert](https://github.com/espressif/esp-idf/blob/c9df77efbf871d4c3ae9fb828778ff8c4ab36804/examples/protocols/esp_http_client/main/esp_http_client_example.c#L48)
(not in the bundle). If you see a failure, the data may need to be updated.
See the comments for adding certificate data, copied here for reference:
>Root cert for howsmyssl.com, taken from howsmyssl_com_root_cert.pem
>The PEM file was extracted from the output of this command:
openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
>The CA root cert is the last cert given in the chain of certs.
>To embed it in the app binary, the PEM file is named
in the component.mk COMPONENT_EMBED_TXTFILES variable.
## Timeout
Occasionally there may be connection timeouts. This is not specific to wolfSSL. The root cause is likely CDN related.
See the `.timeout_ms` and make adjustments as necessary in the `esp_http_client_config_t`:.
```
esp_http_client_config_t config = {
.url = "https://postman-echo.com/post",
.event_handler = _http_event_handler,
.cert_pem = postman_root_cert_pem_start,
.is_async = true,
.timeout_ms = 5000,
};
```
## Failed to load CA
This is expected to be a common error to encounter:
```
E (28454) esp_crt_bundle-wolfssl: Failed to load CA
W (28454) esp_crt_bundle-wolfssl: Warning: found a matching cert, but not added to the Certificate Manager. error: 0
E (28454) esp_crt_bundle-wolfssl: Did not find a matching crt
E (28464) internal.c: ssl != NULL; no callback, verifyFail = 1
W (28474) internal.c: CleanupStoreCtxCallback
E (28474) internal.c: DoCertFatalAlert = -188
E (28484) esp-tls-wolfssl: wolfSSL_connect returned -1, error code: -188
E (28484) esp-tls-wolfssl: Failed to verify peer certificate , returned 24
E (28494) esp-tls: Failed to open new connection
E (28504) transport_base: Failed to open a new connection
E (28514) HTTP_CLIENT: Connection failed, sock < 0
E (28514) HTTP_CLIENT: HTTP request failed: ESP_ERR_HTTP_CONNECT
```
The problem here is that the example [esp_http_client](https://github.com/espressif/esp-idf/tree/master/examples/protocols/esp_http_client)
app _does not work_ immediately out of the box unless changes are made to the source:
```
#ifdef CONFIG_ESP_TLS_USING_WOLFSSL
#include <wolfssl/wolfcrypt/settings.h>
#include <wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h>
/* TODO: conditional bundle */
#include <wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h>
#endif
```
` openssl s_client -connect postman-echo.com:443 -CAfile ./postman.pem`
### Component esp-wolfssl needs to be installed
The wrong ESP-IDF toolchain is being used. Use the [gojimmypi my_522 branch](https://github.com/gojimmypi/esp-idf/tree/my_522).
```
-- Component esp-wolfssl needs to be installed. See api-reference/protocols/esp_tls docs.
CMake Error at /mnt/c/SysGCC/esp32/esp-idf/v5.2/tools/cmake/component.cmake:382 (message):
Component esp-wolfssl not found
Call Stack (most recent call first):
/mnt/c/SysGCC/esp32/esp-idf/v5.2/components/esp-tls/CMakeLists.txt:26 (idf_component_get_property)
-- Configuring incomplete, errors occurred!
```
## x509_crt_bundle_wolfssl.S not found
It is important to note that PlatformIO components can NOT be used for esp-tls.
The wolfSSL library MUST be used from either the local project `components` or from the ESP-IDF.
```
*** [.pio\bld_8mb_dbg_wolfssl\.pio\bld_8mb_dbg_wolfssl\x509_crt_bundle_wolfssl.S.o]
Source `.pio\bld_8mb_dbg_wolfssl\x509_crt_bundle_wolfssl.S' not found,
needed by target `.pio\bld_8mb_dbg_wolfssl\.pio\bld_8mb_dbg_wolfssl\x509_crt_bundle_wolfssl.S.o'.
```
## Error couldn't get hostname for not.existent.url
This error is as desired, showing that a bad URL will fail.
```
E (50613) esp-tls: couldn't get hostname for :not.existent.url: getaddrinfo() returns 202, addrinfo=0x0
E (50613) esp-tls: Failed to open new connection
E (50613) transport_base: Failed to open a new connection
E (50623) HTTP_CLIENT: Connection failed, sock < 0
E (50623) HTTP_CLIENT: Error perform http request ESP_ERR_HTTP_CONNECT
```
## Tool doesn't match supported version from list
Edit the `C:\Users\%USER%\.platformio\packages\framework-espidf\tools\tools.json` and replace
`13.2.0_20230928` with the desired version, such as `esp-13.2.0_20240530`.
```
Tool doesn't match supported version from list ['esp-13.2.0_20230928']:
C:/Users/gojimmypi/.platformio/packages/toolchain-xtensa-esp-elf/bin/xtensa-esp32-elf-gcc.exe
```
## ESP_ERROR_CHECK failed: esp_err_t 0xffffffff (ESP_FAIL) at 0x400d3b60
This is a generic `ESP_ERROR_CHECK` result, in this case the default WiFi SSID and password could not connect:
```
I (25970) example_connect: Wi-Fi disconnected, trying to reconnect...
I (28380) example_connect: WiFi Connect failed 7 times, stop reconnect.
ESP_ERROR_CHECK failed: esp_err_t 0xffffffff (ESP_FAIL) at 0x400d3b60
file: "main/esp_http_client_example.c" line 936
func: app_main
expression: example_connect()
abort() was called at PC 0x400890e3 on core 0
```
## Manual Testing
To test if the `howsmyssl` web site has TLS 1.3 working, use the [wolfSSL client example](https://github.com/wolfSSL/wolfssl/tree/master/examples/client):
```bash
./examples/client/client -v 4 -h www.howsmyssl.com -p 443 -g -j
```
Or OpenSSL:
```bash
openssl s_client -connect www.howsmyssl.com:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384'
```
Returns this unintuitive error:
```text
$ openssl s_client -connect www.howsmyssl.com:443 -tls1_3 -ciphersuites 'TLS_AES_256_GCM_SHA384'
CONNECTED(00000003)
4007DA6C617F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 247 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```
Or OpenSSL,
```bash
openssl s_client -tls1_3 -host www.howsmyssl.com -port 443
```

3602
wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_all.pem Normal file
View File

File diff suppressed because it is too large Load Diff

198
wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_deprecated.pem Normal file
View File

@ -0,0 +1,198 @@
##
## Deprecated CA Root Certificates
## Deprecated CA Root Certificates that get appended to 'cacrt_all.pem'
## These certificates have been removed from the newer Mozilla CA certificate store.
## Refer to https://wiki.mozilla.org/CA/Removed_Certificates for more information.
## These certificates might be removed from ESP-IDF during every major release.
## The current deprecated certificate bundle is up-to-date with the Mozilla cert bundle (cacrt_all.pem) dated Tue Jul 2 03:12:04 2024 GMT
Hongkong Post Root CA 1
=======================
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgICA+gwDQYJKoZIhvcNAQEFBQAwRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoT
DUhvbmdrb25nIFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMB4XDTAzMDUx
NTA1MTMxNFoXDTIzMDUxNTA0NTIyOVowRzELMAkGA1UEBhMCSEsxFjAUBgNVBAoTDUhvbmdrb25n
IFBvc3QxIDAeBgNVBAMTF0hvbmdrb25nIFBvc3QgUm9vdCBDQSAxMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEArP84tulmAknjorThkPlAj3n54r15/gK97iSSHSL22oVyaf7XPwnU3ZG1
ApzQjVrhVcNQhrkpJsLj2aDxaQMoIIBFIi1WpztUlVYiWR8o3x8gPW2iNr4joLFutbEnPzlTCeqr
auh0ssJlXI6/fMN4hM2eFvz1Lk8gKgifd/PFHsSaUmYeSF7jEAaPIpjhZY4bXSNmO7ilMlHIhqqh
qZ5/dpTCpmy3QfDVyAY45tQM4vM7TG1QjMSDJ8EThFk9nnV0ttgCXjqQesBCNnLsak3c78QA3xMY
V18meMjWCnl3v/evt3a5pQuEF10Q6m/hq5URX208o1xNg1vysxmKgIsLhwIDAQABoyYwJDASBgNV
HRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIBxjANBgkqhkiG9w0BAQUFAAOCAQEADkbVPK7i
h9legYsCmEEIjEy82tvuJxuC52pF7BaLT4Wg87JwvVqWuspube5Gi27nKi6Wsxkz67SfqLI37pio
l7Yutmcn1KZJ/RyTZXaeQi/cImyaT/JaFTmxcdcrUehtHJjA2Sr0oYJ71clBoiMBdDhViw+5Lmei
IAQ32pwL0xch4I+XeTRvhEgCIDMb5jREn5Fw9IBehEPCKdJsEhTkYY2sEJCehFC78JZvRZ+K88ps
T/oROhUVRsPNH4NbLUES7VBnQRM9IauUiqpOfMGx+6fWtScvl6tu4B3i0RwsH0Ti/L6RoZz71ilT
c4afU9hDDl3WY4JxHYB0yvbiAmvZWg==
-----END CERTIFICATE-----
E-Tugra Certification Authority
===============================
-----BEGIN CERTIFICATE-----
MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNVBAYTAlRSMQ8w
DQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamls
ZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN
ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMw
NTEyMDk0OFoXDTIzMDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmEx
QDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxl
cmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQD
DB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8A
MIICCgKCAgEA4vU/kwVRHoViVF56C/UYB4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vd
hQd2h8y/L5VMzH2nPbxHD5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5K
CKpbknSFQ9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEoq1+g
ElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3Dk14opz8n8Y4e0ypQ
BaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcHfC425lAcP9tDJMW/hkd5s3kc91r0
E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsutdEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gz
rt48Ue7LE3wBf4QOXVGUnhMMti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAq
jqFGOjGY5RH8zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn
rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUXU8u3Zg5mTPj5
dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6Jyr+zE7S6E5UMA8GA1UdEwEB
/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEG
MA0GCSqGSIb3DQEBCwUAA4ICAQAFNzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAK
kEh47U6YA5n+KGCRHTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jO
XKqYGwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c77NCR807
VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3+GbHeJAAFS6LrVE1Uweo
a2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WKvJUawSg5TB9D0pH0clmKuVb8P7Sd2nCc
dlqMQ1DujjByTd//SffGqWfZbawCEeI6FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEV
KV0jq9BgoRJP3vQXzTLlyb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gT
Dx4JnW2PAJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpDy4Q0
8ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8dNL/+I5c30jn6PQ0G
C7TbO6Orb1wdtn7os4I07QZcJA==
-----END CERTIFICATE-----
E-Tugra Global Root CA RSA v3
=============================
-----BEGIN CERTIFICATE-----
MIIF8zCCA9ugAwIBAgIUDU3FzRYilZYIfrgLfxUGNPt5EDQwDQYJKoZIhvcNAQELBQAwgYAxCzAJ
BgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUtVHVncmEgRUJHIEEuUy4xHTAb
BgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYwJAYDVQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290
IENBIFJTQSB2MzAeFw0yMDAzMTgwOTA3MTdaFw00NTAzMTIwOTA3MTdaMIGAMQswCQYDVQQGEwJU
UjEPMA0GA1UEBxMGQW5rYXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRF
LVR1Z3JhIFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBDQSBSU0Eg
djMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiZvCJt3J77gnJY9LTQ91ew6aEOErx
jYG7FL1H6EAX8z3DeEVypi6Q3po61CBxyryfHUuXCscxuj7X/iWpKo429NEvx7epXTPcMHD4QGxL
sqYxYdE0PD0xesevxKenhOGXpOhL9hd87jwH7eKKV9y2+/hDJVDqJ4GohryPUkqWOmAalrv9c/SF
/YP9f4RtNGx/ardLAQO/rWm31zLZ9Vdq6YaCPqVmMbMWPcLzJmAy01IesGykNz709a/r4d+ABs8q
QedmCeFLl+d3vSFtKbZnwy1+7dZ5ZdHPOrbRsV5WYVB6Ws5OUDGAA5hH5+QYfERaxqSzO8bGwzrw
bMOLyKSRBfP12baqBqG3q+Sx6iEUXIOk/P+2UNOMEiaZdnDpwA+mdPy70Bt4znKS4iicvObpCdg6
04nmvi533wEKb5b25Y08TVJ2Glbhc34XrD2tbKNSEhhw5oBOM/J+JjKsBY04pOZ2PJ8QaQ5tndLB
eSBrW88zjdGUdjXnXVXHt6woq0bM5zshtQoK5EpZ3IE1S0SVEgpnpaH/WwAH0sDM+T/8nzPyAPiM
bIedBi3x7+PmBvrFZhNb/FAHnnGGstpvdDDPk1Po3CLW3iAfYY2jLqN4MpBs3KwytQXk9TwzDdbg
h3cXTJ2w2AmoDVf3RIXwyAS+XF1a4xeOVGNpf0l0ZAWMowIDAQABo2MwYTAPBgNVHRMBAf8EBTAD
AQH/MB8GA1UdIwQYMBaAFLK0ruYt9ybVqnUtdkvAG1Mh0EjvMB0GA1UdDgQWBBSytK7mLfcm1ap1
LXZLwBtTIdBI7zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAImocn+M684uGMQQ
gC0QDP/7FM0E4BQ8Tpr7nym/Ip5XuYJzEmMmtcyQ6dIqKe6cLcwsmb5FJ+Sxce3kOJUxQfJ9emN4
38o2Fi+CiJ+8EUdPdk3ILY7r3y18Tjvarvbj2l0Upq7ohUSdBm6O++96SmotKygY/r+QLHUWnw/q
ln0F7psTpURs+APQ3SPh/QMSEgj0GDSz4DcLdxEBSL9htLX4GdnLTeqjjO/98Aa1bZL0SmFQhO3s
SdPkvmjmLuMxC1QLGpLWgti2omU8ZgT5Vdps+9u1FGZNlIM7zR6mK7L+d0CGq+ffCsn99t2HVhjY
sCxVYJb6CH5SkPVLpi6HfMsg2wY+oF0Dd32iPBMbKaITVaA9FCKvb7jQmhty3QUBjYZgv6Rn7rWl
DdF/5horYmbDB7rnoEgcOMPpRfunf/ztAmgayncSd6YAVSgU7NbHEqIbZULpkejLPoeJVF3Zr52X
nGnnCv8PWniLYypMfUeUP95L6VPQMPHF9p5J3zugkaOj/s1YzOrfr28oO6Bpm4/srK4rVJ2bBLFH
IK+WEj5jlB0E5y67hscMmoi/dkfv97ALl2bSRM9gUgfh1SxKOidhd8rXj+eHDjD/DLsE4mHDosiX
YY60MGo8bcIHX0pzLz/5FooBZu+6kcpSV3uu1OYP3Qt6f4ueJiDPO++BcYNZ
-----END CERTIFICATE-----
E-Tugra Global Root CA ECC v3
=============================
-----BEGIN CERTIFICATE-----
MIICpTCCAiqgAwIBAgIUJkYZdzHhT28oNt45UYbm1JeIIsEwCgYIKoZIzj0EAwMwgYAxCzAJBgNV
BAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUtVHVncmEgRUJHIEEuUy4xHTAbBgNV
BAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYwJAYDVQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENB
IEVDQyB2MzAeFw0yMDAzMTgwOTQ2NThaFw00NTAzMTIwOTQ2NThaMIGAMQswCQYDVQQGEwJUUjEP
MA0GA1UEBxMGQW5rYXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1
Z3JhIFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBDQSBFQ0MgdjMw
djAQBgcqhkjOPQIBBgUrgQQAIgNiAASOmCm/xxAeJ9urA8woLNheSBkQKczLWYHMjLiSF4mDKpL2
w6QdTGLVn9agRtwcvHbB40fQWxPa56WzZkjnIZpKT4YKfWzqTTKACrJ6CZtpS5iB4i7sAnCWH/31
Rs7K3IKjYzBhMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU/4Ixcj75xGZsrTie0bBRiKWQ
zPUwHQYDVR0OBBYEFP+CMXI++cRmbK04ntGwUYilkMz1MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjO
PQQDAwNpADBmAjEA5gVYaWHlLcoNy/EZCL3W/VGSGn5jVASQkZo1kTmZ+gepZpO6yGjUij/67W4W
Aie3AjEA3VoXK3YdZUKWpqxdinlW2Iob35reX8dQj7FbcQwm32pAAOwzkSFxvmjkI6TZraE3
-----END CERTIFICATE-----
Security Communication Root CA
==============================
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIBADANBgkqhkiG9w0BAQUFADBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMP
U0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEw
HhcNMDMwOTMwMDQyMDQ5WhcNMjMwOTMwMDQyMDQ5WjBQMQswCQYDVQQGEwJKUDEYMBYGA1UEChMP
U0VDT00gVHJ1c3QubmV0MScwJQYDVQQLEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTEw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzs/5/022x7xZ8V6UMbXaKL0u/ZPtM7orw
8yl89f/uKuDp6bpbZCKamm8sOiZpUQWZJtzVHGpxxpp9Hp3dfGzGjGdnSj74cbAZJ6kJDKaVv0uM
DPpVmDvY6CKhS3E4eayXkmmziX7qIWgGmBSWh9JhNrxtJ1aeV+7AwFb9Ms+k2Y7CI9eNqPPYJayX
5HA49LY6tJ07lyZDo6G8SVlyTCMwhwFY9k6+HGhWZq/NQV3Is00qVUarH9oe4kA92819uZKAnDfd
DJZkndwi92SL32HeFZRSFaB9UslLqCHJxrHty8OVYNEP8Ktw+N/LTX7s1vqr2b1/VPKl6Xn62dZ2
JChzAgMBAAGjPzA9MB0GA1UdDgQWBBSgc0mZaNyFW2XjmygvV5+9M7wHSDALBgNVHQ8EBAMCAQYw
DwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAaECpqLvkT115swW1F7NgE+vGkl3g
0dNq/vu+m22/xwVtWSDEHPC32oRYAmP6SBbvT6UL90qY8j+eG61Ha2POCEfrUj94nK9NrvjVT8+a
mCoQQTlSxN3Zmw7vkwGusi7KaEIkQmywszo+zenaSMQVy+n5Bw+SUEmK3TGXX8npN6o7WWWXlDLJ
s58+OmJYxUmtYg5xpTKqL8aJdkNAExNnPaJUJRDL8Try2frbSVa7pv6nQTXD4IhhyYjH3zYQIphZ
6rBK+1YWc26sTfcioU+tHXotRSflMMFe8toTyyVCUZVHA4xsIcx0Qu1T/zOLjw9XARYvz6buyXAi
FL39vmwLAw==
-----END CERTIFICATE-----
Autoridad de Certificacion Firmaprofesional CIF A62634068
=========================================================
-----BEGIN CERTIFICATE-----
MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UEBhMCRVMxQjBA
BgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1hcHJvZmVzaW9uYWwgQ0lGIEE2
MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEyMzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIw
QAYDVQQDDDlBdXRvcmlkYWQgZGUgQ2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBB
NjI2MzQwNjgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDD
Utd9thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQMcas9UX4P
B99jBVzpv5RvwSmCwLTaUbDBPLutN0pcyvFLNg4kq7/DhHf9qFD0sefGL9ItWY16Ck6WaVICqjaY
7Pz6FIMMNx/Jkjd/14Et5cS54D40/mf0PmbR0/RAz15iNA9wBj4gGFrO93IbJWyTdBSTo3OxDqqH
ECNZXyAFGUftaI6SEspd/NYrspI8IM/hX68gvqB2f3bl7BqGYTM+53u0P6APjqK5am+5hyZvQWyI
plD9amML9ZMWGxmPsu2bm8mQ9QEM3xk9Dz44I8kvjwzRAv4bVdZO0I08r0+k8/6vKtMFnXkIoctX
MbScyJCyZ/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirjaEbsX
LZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/TKI8xWVvTyQKmtFLK
bpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF6NkBiDkal4ZkQdU7hwxu+g/GvUgU
vzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVhOSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1Ud
EwEB/wQIMAYBAf8CAQEwDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNH
DhpkLzCBpgYDVR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp
cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBvACAAZABlACAA
bABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBlAGwAbwBuAGEAIAAwADgAMAAx
ADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx
51tkljYyGOylMnfX40S2wBEqgLk9am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qk
R71kMrv2JYSiJ0L1ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaP
T481PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS3a/DTg4f
Jl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5kSeTy36LssUzAKh3ntLFl
osS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF3dvd6qJ2gHN99ZwExEWN57kci57q13XR
crHedUTnQn3iV2t93Jm8PYMo6oCTjcVMZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoR
saS8I8nkvof/uZS2+F0gStRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTD
KCOM/iczQ0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQBjLMi
6Et8Vcad+qMUu2WFbm5PEn4KPJ2V
-----END CERTIFICATE-----
GLOBALTRUST 2020
================
-----BEGIN CERTIFICATE-----
MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkGA1UEBhMCQVQx
IzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVT
VCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYxMDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAh
BgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAy
MDIwMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWi
D59bRatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9ZYybNpyrO
VPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3QWPKzv9pj2gOlTblzLmM
CcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPwyJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCm
fecqQjuCgGOlYx8ZzHyyZqjC0203b+J+BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKA
A1GqtH6qRNdDYfOiaxaJSaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9OR
JitHHmkHr96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj04KlG
DfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9MedKZssCz3AwyIDMvU
clOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIwq7ejMZdnrY8XD2zHc+0klGvIg5rQ
mjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
AwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1Ud
IwQYMBaAFNwuH9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA
VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJCXtzoRlgHNQIw
4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd6IwPS3BD0IL/qMy/pJTAvoe9
iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf+I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS
8cE54+X1+NZK3TTN+2/BT+MAi1bikvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2
HcqtbepBEX4tdJP7wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxS
vTOBTI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6CMUO+1918
oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn4rnvyOL2NSl6dPrFf4IF
YqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+IaFvowdlxfv1k7/9nR4hYJS8+hge9+6jl
gqispdNpQ80xiEmEU5LAsTkbOYMBMMTyqfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg==
-----END CERTIFICATE-----

33
wolfcrypt/src/port/Espressif/esp_crt_bundle/cacrt_local.pem Normal file
View File

@ -0,0 +1,33 @@
##
## Local CA Root Certificates
##
## Local CA Root Certificates that gets appended to "cacrt_all.pem"
## letsencrypt has generated a cross signed certificate with DST ROOT CA X3
## for compatibility after the expiry of the certificate.
## The new certificate has the ISSUER name as DST Root CA X3.
## Thus, the handshake fails if esp_crt_bundle does not find the
## respective name in the crt_bundle.
## Keeping this certificate for compatibility reasons.
## This will be removed once the cross-signed certificate expires in Sep 2024.
DST Root CA X3
==============
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/MSQwIgYDVQQK
ExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMTDkRTVCBSb290IENBIFgzMB4X
DTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVowPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1
cmUgVHJ1c3QgQ28uMRcwFQYDVQQDEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmT
rE4Orz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEqOLl5CjH9
UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9bxiqKqy69cK3FCxolkHRy
xXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40d
utolucbY38EVAjqr2m7xPi71XAicPNaDaeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0T
AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQ
MA0GCSqGSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69ikug
dB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXrAvHRAosZy5Q6XkjE
GB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZzR8srzJmwN0jP41ZL9c8PDHIyh8bw
RLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubS
fZGL+T0yjWW06XyxV3bqxbYoOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

1564
wolfcrypt/src/port/Espressif/esp_crt_bundle/esp_crt_bundle.c Normal file
View File

File diff suppressed because it is too large Load Diff

360
wolfcrypt/src/port/Espressif/esp_crt_bundle/gen_crt_bundle.py Normal file
View File

@ -0,0 +1,360 @@
#!/usr/bin/env python
#
# gen_crt_bundle.py
#
# Copyright (C) 2006-2024 wolfSSL Inc.
#
# This file is part of wolfSSL.
#
# wolfSSL is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# wolfSSL is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
#
# ESP32 x509 certificate bundle generation utility
#
# Converts PEM and DER certificates to a custom bundle format which stores just the
# subject name and public key to reduce space
#
# The bundle will have the format:
# number of certificates;
# crt 1 subject name length;
# crt 1 public key length;
# crt 1 subject name;
# crt 1 public key;
# crt 2...
from __future__ import with_statement
import argparse
import csv
import os
import re
import unicodedata
import struct
import sys
from io import open
try:
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.x509.oid import NameOID
except ImportError:
print('The cryptography package is not installed.'
'Please refer to the Get Started section of the ESP-IDF Programming Guide for '
'setting up the required packages.')
raise
ca_bundle_bin_file = 'x509_crt_bundle_wolfssl'
quiet = False
def status(msg):
""" Print status message to stderr """
if not quiet:
critical(msg)
def critical(msg):
""" Print critical message to stderr """
sys.stderr.write('gen_crt_bundle.py: ')
sys.stderr.write(msg)
sys.stderr.write('\n')
class CertificateBundle:
def __init__(self):
self.certificates = []
self.compressed_crts = []
if os.path.isfile(ca_bundle_bin_file):
os.remove(ca_bundle_bin_file)
def add_from_path(self, crts_path):
found = False
for file_path in os.listdir(crts_path):
found |= self.add_from_file(os.path.join(crts_path, file_path))
if found is False:
raise InputError('No valid x509 certificates found in %s' % crts_path)
def add_from_file(self, file_path):
try:
if file_path.endswith('.pem'):
status('Parsing certificates from %s' % file_path)
with open(file_path, 'r', encoding='utf-8') as f:
crt_str = f.read()
self.add_from_pem(crt_str)
return True
elif file_path.endswith('.der'):
status('Parsing certificates from %s' % file_path)
with open(file_path, 'rb') as f:
crt_str = f.read()
self.add_from_der(crt_str)
return True
except ValueError:
critical('Invalid certificate in %s' % file_path)
raise InputError('Invalid certificate')
return False
def add_from_pem(self, crt_str):
""" A single PEM file may have multiple certificates """
crt = ''
count = 0
start = False
for strg in crt_str.splitlines(True):
if strg == '-----BEGIN CERTIFICATE-----\n' and start is False:
crt = ''
start = True
elif strg == '-----END CERTIFICATE-----\n' and start is True:
crt += strg + '\n'
start = False
self.certificates.append(x509.load_pem_x509_certificate(crt.encode(), default_backend()))
count += 1
if start is True:
crt += strg
if count == 0:
raise InputError('No certificate found')
status('Successfully added %d certificates' % count)
def add_from_der(self, crt_str):
self.certificates.append(x509.load_der_x509_certificate(crt_str, default_backend()))
status('Successfully added 1 certificate')
def get_subject_text(self, cert):
# Extract subject as a string in the desired format
return ", ".join(
f"/{attribute.oid._name}={attribute.value}" # Adjust as necessary to format as "/C=US/O=..."
for attribute in cert.subject
)
# We are currently sorting in AS FOUND order. wolfSSL does this in wolfSSL_X509_NAME_oneline()
# But for reference, if desired:
#
# /C=TW/O=TAIWAN-CA/OU=Root CA/CN=TWCA Global Root CA
# /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave
desired_dn_order = ["/C=", "/ST=", "/L=", "/O=", "/OU=", "/CN="]
def extract_dn_components(self, cert):
"""
Extract the DN components based on the desired order and return the assembled string.
"""
#dn_dict = {"/C=": "/C=", "/ST=": "/ST=", "/L=": "/L=", "/O=": "/O=", "/OU=": "/OU=", "/CN=": "/CN="}
dn_dict = {"/C=": "", "/ST=": "", "/L=": "", "/O=": "", "/OU=": "", "/CN=": ""}
# Map the actual DN elements to the correct keys in the desired order
for attribute in cert.subject:
if attribute.oid == x509.NameOID.COUNTRY_NAME:
dn_dict["/C="] = attribute.value
elif attribute.oid == x509.NameOID.ORGANIZATIONAL_UNIT_NAME:
dn_dict["/OU="] = attribute.value
elif attribute.oid == x509.NameOID.ORGANIZATION_NAME:
dn_dict["/O="] = attribute.value
elif attribute.oid == x509.NameOID.COMMON_NAME:
dn_dict["/CN="] = attribute.value
elif attribute.oid == x509.NameOID.LOCALITY_NAME:
dn_dict["/L="] = attribute.value
elif attribute.oid == x509.NameOID.STATE_OR_PROVINCE_NAME:
dn_dict["/ST="] = attribute.value
#return ''.join([f"{key}{dn_dict[key]}" for key in self.desired_dn_order])
return dn_dict
def sorting_key(self, cert):
"""
Create a tuple for sorting, where each component is sorted in the order defined by `desired_dn_order`.
If a component is missing, it is replaced with a value that will ensure proper sorting (empty string).
"""
dn_dict = self.extract_dn_components(cert)
return ''.join([f"{key}{dn_dict[key]}" for key in self.desired_dn_order if dn_dict[key]])
def sort_certificates_by_dn_order(self, certificates):
"""
Sort the list of certificates based on the DN string assembled in the specified order.
"""
return sorted(certificates, key=self.sorting_key)
def extract_dn_components_as_is(self, cert):
"""
Extract the DN components exactly as they appear in the certificate.
"""
# dn_string = ', '.join([f"{attribute.oid._name}={attribute.value}" for attribute in cert.subject])
dn_string = ""
result_string = ""
# Mapping of known OIDs to their short names
oid_short_names = {
'commonName': '/CN',
'countryName': '/C',
'stateOrProvinceName': '/ST',
'localityName': '/L',
'organizationName': '/O',
'organizationalUnitName': '/OU'
}
with open("cert_bundle.log", "a") as file:
# Write to the file
file.write("\nNew cert\n\n")
for attribute in cert.subject:
# Use a predefined map for known OIDs, and fallback to the dotted string if not found
oid_full_name = attribute.oid._name if attribute.oid._name else attribute.oid.dotted_string
# The common string uses "/CN" and not "commonName", so we need to swap out keywords such as commonName:
oid_name = oid_short_names.get(oid_full_name, oid_full_name)
file.write(f"oid_name={oid_name}\n")
# Strip unicode
normalized_string = unicodedata.normalize('NFKD', attribute.value)
# Encode to ASCII bytes, ignoring any characters that can't be converted
ascii_bytes = normalized_string.encode('ascii', 'ignore')
# Decode back to ASCII string
ascii_string = ascii_bytes.decode('ascii')
file.write(f"attribute_value={ascii_string}\n")
# assemble the dn string for this cert
dn_string += f"/{oid_name}={ascii_string}"
file.write(f"dn_string={dn_string}\n")
# Remove any unprintable characters
cleaned_string = re.sub(r'[^\x20-\x7E]', ' ', dn_string)
file.write(f"cleaned_string={cleaned_string}\n")
result_string = cleaned_string.replace("=", " ")
file.write(f"result_string={result_string}\n")
# Reminder this is a sort order only; cert NOT modified.
return result_string
def sorting_key_as_is(self, cert):
"""
Use the DN string as found in the certificate as the sorting key.
"""
dn_string = self.extract_dn_components_as_is(cert)
return dn_string
def sort_certificates_by_as_is(self, certificates):
"""
Sort the list of certificates based on the DN string assembled in the specified order.
"""
return sorted(certificates, key=self.sorting_key_as_is)
def create_bundle(self):
# Sort certificates in order to do binary search when looking up certificates
# NOTE: When sorting, see `esp_crt_bundle.c`;
# Use `#define CERT_BUNDLE_UNSORTED` when not sorting.
#
with open("cert_bundle.log", "w") as file:
# Write to the file
file.write("init.\n")
self.certificates = self.sort_certificates_by_as_is(self.certificates)
bundle = struct.pack('>H', len(self.certificates))
for crt in self.certificates:
cert_der = crt.public_bytes(serialization.Encoding.DER)
cert_der_len = len(cert_der)
len_data = struct.pack('>H', cert_der_len)
bundle += len_data
bundle += cert_der
return bundle
def add_with_filter(self, crts_path, filter_path):
filter_set = set()
with open(filter_path, 'r', encoding='utf-8') as f:
csv_reader = csv.reader(f, delimiter=',')
# Skip header
next(csv_reader)
for row in csv_reader:
filter_set.add(row[1])
status('Parsing certificates from %s' % crts_path)
crt_str = []
with open(crts_path, 'r', encoding='utf-8') as f:
crt_str = f.read()
# Split all certs into a list of (name, certificate string) tuples
pem_crts = re.findall(r'(^.+?)\n(=+\n[\s\S]+?END CERTIFICATE-----\n)', crt_str, re.MULTILINE)
filtered_crts = ''
for name, crt in pem_crts:
if name in filter_set:
filtered_crts += crt
self.add_from_pem(filtered_crts)
class InputError(RuntimeError):
def __init__(self, e):
super(InputError, self).__init__(e)
def main():
global quiet
parser = argparse.ArgumentParser(description='ESP-IDF x509 certificate bundle utility')
parser.add_argument('--quiet', '-q', help="Don't print non-critical status messages to stderr", action='store_true')
parser.add_argument('--input', '-i', nargs='+', required=True,
help='Paths to the custom certificate folders or files to parse, parses all .pem or .der files')
parser.add_argument('--filter', '-f', help='Path to CSV-file where the second columns contains the name of the certificates \
that should be included from cacrt_all.pem')
args = parser.parse_args()
quiet = args.quiet
bundle = CertificateBundle()
for path in args.input:
if os.path.isfile(path):
if os.path.basename(path) == 'cacrt_all.pem' and args.filter:
bundle.add_with_filter(path, args.filter)
else:
bundle.add_from_file(path)
elif os.path.isdir(path):
bundle.add_from_path(path)
else:
raise InputError('Invalid --input=%s, is neither file nor folder' % args.input)
status('Successfully added %d certificates in total' % len(bundle.certificates))
crt_bundle = bundle.create_bundle()
with open(ca_bundle_bin_file, 'wb') as f:
f.write(crt_bundle)
if __name__ == '__main__':
try:
main()
except InputError as e:
print(e)
sys.exit(2)

55
wolfcrypt/src/port/Espressif/esp_sdk_time_lib.c
View File

@ -24,15 +24,13 @@
#endif
/* wolfSSL */
/* Always include wolfcrypt/settings.h before any other wolfSSL file. */
/* Reminder: settings.h pulls in user_settings.h; don't include it here. */
#ifdef WOLFSSL_USER_SETTINGS
#include <wolfssl/wolfcrypt/settings.h>
#endif
/* Always include wolfcrypt/settings.h before any other wolfSSL file. */
/* Reminder: settings.h pulls in user_settings.h */
/* Do not explicitly include user_settings.h here. */
#include <wolfssl/wolfcrypt/settings.h>
#if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */
#include "sdkconfig.h" /* programmatically generated from sdkconfig */
#if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF. */
#include "sdkconfig.h" /* programmatically generated from sdkconfig. */
#if defined(USE_WOLFSSL_ESP_SDK_TIME)
/* Espressif */
@ -121,6 +119,41 @@ esp_err_t esp_sdk_time_lib_init(void)
#define CONFIG_LWIP_SNTP_MAX_SERVERS NTP_SERVER_COUNT
#endif
/* When reproducible builds are enabled in ESP-IDF
* (starting from version 4.0 and above),
* the __DATE__ and __TIME__ macros are deliberately disabled. */
#ifndef __DATE__
#define YEAR 2024
#define MONTH 9
#define DAY 25
#else
/* e.g. __DATE__ "Sep 25 2024" */
#define YEAR ( \
((__DATE__)[7] - '0') * 1000 + \
((__DATE__)[8] - '0') * 100 + \
((__DATE__)[9] - '0') * 10 + \
((__DATE__)[10] - '0') * 1 \
)
#define MONTH ( \
__DATE__[2] == 'n' ? (__DATE__[1] == 'a' ? 1 : 6) \
: __DATE__[2] == 'b' ? 2 \
: __DATE__[2] == 'r' ? (__DATE__[0] == 'M' ? 3 : 4) \
: __DATE__[2] == 'y' ? 5 \
: __DATE__[2] == 'l' ? 7 \
: __DATE__[2] == 'g' ? 8 \
: __DATE__[2] == 'p' ? 9 \
: __DATE__[2] == 't' ? 10 \
: __DATE__[2] == 'v' ? 11 \
: 12 \
)
#define DAY ( \
((__DATE__)[4] - '0') * 10 + \
((__DATE__)[5] - '0') * 1 \
)
#endif
/* our NTP server list is global info */
extern char* ntpServerList[NTP_SERVER_COUNT];
@ -149,9 +182,9 @@ int set_fixed_default_time(void)
/* ideally, we'd like to set time from network,
* but let's set a default time, just in case */
struct tm timeinfo = {
.tm_year = 2024 - 1900,
.tm_mon = 9 - 1, /* Month, where 0 = Jan */
.tm_mday = 3 , /* Day of the month 30 */
.tm_year = YEAR,
.tm_mon = MONTH, /* Month, where 0 = Jan */
.tm_mday = DAY, /* Numeric decimal day of the month */
.tm_hour = 13,
.tm_min = 1,
.tm_sec = 5

3
wolfssl/wolfcrypt/include.am
View File

@ -107,8 +107,9 @@ noinst_HEADERS+= \
wolfssl/wolfcrypt/port/silabs/silabs_random.h \
wolfssl/wolfcrypt/port/st/stm32.h \
wolfssl/wolfcrypt/port/st/stsafe.h \
wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h \
wolfssl/wolfcrypt/port/Espressif/esp-sdk-lib.h \
wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h \
wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h \
wolfssl/wolfcrypt/port/arm/cryptoCell.h \
wolfssl/wolfcrypt/port/Renesas/renesas-tsip-crypt.h \
wolfssl/wolfcrypt/port/Renesas/renesas-fspsm-crypt.h \

8
wolfssl/wolfcrypt/port/Espressif/esp32-crypt.h
View File

@ -233,6 +233,14 @@ enum {
** WOLFSSL_DEBUG_ESP_RSA_MULM_BITS
** Shows a warning when mulm falls back for minimum number of bits.
**
** WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
** Shows a marning when multiplication math bits have exceeded hardware
** capabilities and will fall back to slower software.
**
** WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
** Shows a marning when modular math bits have exceeded hardware capabilities
** and will fall back to slower software.
**
** NO_HW_MATH_TEST
** Even if HW is enabled, do not run HW math tests. See HW_MATH_ENABLED.
**

233
wolfssl/wolfcrypt/port/Espressif/esp_crt_bundle.h Normal file
View File

@ -0,0 +1,233 @@
/* esp_crt_bundle.h
*
* Copyright (C) 2006-2024 wolfSSL Inc.
*
* This file is part of wolfSSL.
*
* wolfSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* wolfSSL is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#ifndef __ESP_CRT_BUNDLE_wolfssl_LIB_H__
#define __ESP_CRT_BUNDLE_wolfssl_LIB_H__
/* This file is typically NOT directly used by applications utilizing the
* wolfSSL libraries. It is used when the wolfssl libary component is configured
* to be utilized by the Espressif ESP-IDF, specifically the esp-tls layer.
*
* See:
* https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/protocols/esp_tls.html
* https://github.com/espressif/esp-idf/blob/master/components/esp-tls/esp_tls.h
*
*******************************************************************************
** Optional Settings:
*******************************************************************************
* WOLFSSL_DEBUG_CERT_BUNDLE_NAME
* Optionally show certificate bundle debugging info.
*
* WOLFSSL_DEBUG_CERT_BUNDLE_NAME
* Optionally show certificate bundle name debugging info.
*
* WOLFSSL_EXAMPLE_VERBOSITY
* Optionally print example application information that may be interesting.
*
* IS_WOLFSSL_CERT_BUNDLE_FORMAT
* This should be left on as no other bundle format is supported at this time.
*
* CB_INLINE
* Normally on, this uses the compiler `inline` decorator for bundle functions
* to be optimized, since they are called during a TLS connection.
*
* See Kconfig file (or use idy.py menufconfig) for other bundle settings.
*/
/* wolfSSL */
/* Always include wolfcrypt/settings.h before any other wolfSSL file. */
/* Be sure to define WOLFSSL_USER_SETTINGS, typically in CMakeLists.txt */
/* Reminder: settings.h pulls in user_settings.h */
/* Do not explicitly include user_settings.h here. */
#include <wolfssl/wolfcrypt/settings.h>
#if defined(WOLFSSL_ESPIDF) /* Entire file is only for Espressif EDP-IDF */
#ifndef WOLFSSL_USER_SETTINGS
#error "WOLFSSL_USER_SETTINGS must be defined for Espressif targts"
#endif
#if defined(CONFIG_ESP_TLS_USING_WOLFSSL) || \
defined(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE)
#ifdef __cplusplus
extern "C" {
#endif
#define WOLFSSL_X509_VERIFY_CALLBACK (void *, WOLFSSL_X509 *, int, uint32_t *)
#include <wolfssl/ssl.h>
typedef struct wolfssl_ssl_config wolfssl_ssl_config;
struct wolfssl_ssl_config
{
WOLFSSL_X509* ca_chain;
WOLFSSL_X509_CRL* ca_crl;
void *priv_ctx;
void *priv_ssl;
};
/**
* @brief Attach and enable use of a bundle for certificate verification
*
* Attach and enable use of a bundle for certificate verification through a
* verification callback.If no specific bundle has been set through
* esp_crt_bundle_set() it will default to the bundle defined in menuconfig
* and embedded in the binary.
*
* Note this must be visible for both the regular bundles, as well as the
*"none" option.
*
* Other code gated out, below, when the "none" option is selected.
*
* @param[in] conf The config struct for the SSL connection.
*
* @return
* - ESP_OK if adding certificates was successful.
* - Other if an error occurred or an action must be taken by the
* calling process.
*/
esp_err_t esp_crt_bundle_attach(void *conf);
#if defined(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE) && \
defined(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE) && \
(CONFIG_WOLFSSL_CERTIFICATE_BUNDLE_DEFAULT_NONE == 1)
/* Certificate bundles are enabled, but the "none" option selected */
#else
/**
* @brief Return ESP_OK for valid bunder, otherwise ESP_FAIL.
*
* Specific to wolfSSL. Not used by ESP-IDF esp-tls layer.
*/
esp_err_t esp_crt_bundle_is_valid(void);
/**
* @brief Return 1 if Cert Bundle loaded, otheriwse 0.
*
* Specific to wolfSSL. Not used by ESP-IDF esp-tls layer.
*/
int wolfssl_cert_bundle_loaded(void);
/**
* @brief Return 1 is a cert from the bundle was needed
* at connection time, otherwise 0.
*
* Specific to wolfSSL. Not used by ESP-IDF esp-tls layer.
*/
int wolfssl_need_bundle_cert(void);
/**
* @brief Disable and dealloc the certification bundle
*
* Used by ESP-IDF esp-tls layer.
*
* Removes the certificate verification callback and deallocates used resources
*
* @param[in] conf The config struct for the SSL connection.
*/
void esp_crt_bundle_detach(wolfssl_ssl_config *conf);
/**
* @brief Set the default certificate bundle used for verification
*
* Used by ESP-IDF esp-tls layer.
*
* Overrides the default certificate bundle only in case of successful
* initialization. In most use cases the bundle should be set through
* menuconfig. The bundle needs to be sorted by subject name since binary
* search is used to find certificates.
*
* @param[in] x509_bundle A pointer to the certificate bundle.
*
* @param[in] bundle_size Size of the certificate bundle in bytes.
*
* @return
* - ESP_OK if adding certificates was successful.
* - Other if an error occured or an action must be taken
* by the calling process.
*/
esp_err_t esp_crt_bundle_set(const uint8_t *x509_bundle, size_t bundle_size);
/**
* @brief Set the issuer and subject values given the current cert.
*
* Used internally by ESP-IDF esp-tls layer. Also helpful for debugging
* and general visibiity to certificate attributes.
*
* The CERT_TAG can be used at the esp-tls or application layer to indicate
* the usage of the respective cert (e.g. the string "peer").
*
* Turn on WOLFSSL_DEBUG_CERT_BUNDLE to also see ASN1 before/after values.
*
* @return
* - WOLFSSL_SUCCESS (1)
* - WOLFSSL_FAILURE (0) if unable to get issues and/or subject.
*/
int wolfSSL_X509_get_cert_items(char* CERT_TAG,
WOLFSSL_X509* cert,
WOLFSSL_X509_NAME** issuer,
WOLFSSL_X509_NAME** subject);
esp_err_t wolfSSL_bundle_cleanup(void);
WOLFSSL_LOCAL void wolfssl_ssl_conf_verify(wolfssl_ssl_config *conf,
int (*f_vrfy) WOLFSSL_X509_VERIFY_CALLBACK,
void *p_vrfy);
WOLFSSL_LOCAL void wolfssl_ssl_conf_authmode(wolfssl_ssl_config *conf,
int authmode);
WOLFSSL_LOCAL void wolfssl_ssl_conf_ca_chain(wolfssl_ssl_config *conf,
WOLFSSL_X509 *ca_chain,
WOLFSSL_X509_CRL *ca_crl);
WOLFSSL_LOCAL void wolfssl_x509_crt_init(WOLFSSL_X509 *crt);
WOLFSSL_LOCAL int esp_crt_verify_callback(void *buf, WOLFSSL_X509 *crt,
int depth, uint32_t *flags);
#ifdef __cplusplus
}
#endif
/* Detect if wolfSSL is enabled, but so are mbedTLS bundles */
#if defined(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE) && \
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
#error "wolfSSL cannot use mbedTLS certificate bundles. Please disable them"
#endif
#endif /* CONFIG_WOLFSSL_CERTIFICATE_BUNDLE */
#endif /* CONFIG_ESP_TLS_USING_WOLFSSL */
#endif /* WOLFSSL_ESPIDF */
#endif /* __ESP_CRT_BUNDLE_wolfssl_LIB_H__ */

65
wolfssl/wolfcrypt/settings.h
View File

@ -551,6 +551,12 @@
* been processed. The following settings are additive; Enabled settings
* from user_settings are not disabled here.
*/
#if defined(CONFIG_ESP_WOLFSSL_TEST_LOOP) && \
CONFIG_ESP_WOLFSSL_TEST_LOOP
#define WOLFSSL_TEST_LOOP 1
#else
#define WOLFSSL_TEST_LOOP 0
#endif
#if (defined(CONFIG_DEBUG_WOLFSSL) && \
CONFIG_DEBUG_WOLFSSL) || \
(defined(CONFIG_ESP_WOLFSSL_DEBUG_WOLFSSL) && \
@ -593,6 +599,14 @@
CONFIG_WOLFSSL_APPLE_HOMEKIT
#define WOLFSSL_APPLE_HOMEKIT
#endif
#if defined(CONFIG_ESP_WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS) && \
CONFIG_ESP_WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
#define WOLFSSL_DEBUG_ESP_HW_MULTI_RSAMAX_BITS
#endif
#if defined(CONFIG_ESP_WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS) && \
CONFIG_ESP_WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
#define WOLFSSL_DEBUG_ESP_HW_MOD_RSAMAX_BITS
#endif
#if defined(CONFIG_TLS_STACK_WOLFSSL) && (CONFIG_TLS_STACK_WOLFSSL)
/* When using ESP-TLS, some old algorithms such as SHA1 are no longer
@ -917,7 +931,58 @@
#undef HAVE_AESGCM
#define HAVE_AESGCM
#endif /* SM */
#endif /* defined(WOLFSSL_ESP32) || defined(WOLFSSL_ESPWROOM32SE) */
/* Final device-specific hardware settings. user_settings.h loaded above. */
/* Counters for RSA wait timeout. CPU and frequency specific. */
#define ESP_RSA_WAIT_TIMEOUT_CNT 0x000020
#if defined(CONFIG_IDF_TARGET_ESP32) || defined(WOLFSSL_ESPWROOM32SE)
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32S2)
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32S3)
#ifndef ESP_RSA_TIMEOUT_CNT
/* Observed: 0xAE8C8F @ 80MHz */
#define ESP_RSA_TIMEOUT_CNT 0xAF0000
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32C2)
/* See also CONFIG_IDF_TARGET_ESP8684 equivalent */
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32C3)
#ifndef ESP_RSA_TIMEOUT_CNT
/* Observed: 0x2624B2 @ 80MHz */
#define ESP_RSA_TIMEOUT_CNT 0x280000
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32C6)
#ifndef ESP_RSA_TIMEOUT_CNT
/* Observed: 144323 @ 80MHz */
#define ESP_RSA_TIMEOUT_CNT 0x160000
#endif
#elif defined(CONFIG_IDF_TARGET_ESP32H2)
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#elif defined(CONFIG_IDF_TARGET_ESP8266)
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#elif defined(CONFIG_IDF_TARGET_ESP8684)
/* See also CONFIG_IDF_TARGET_ESP8684 equivalent */
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#else
#ifndef ESP_RSA_TIMEOUT_CNT
#define ESP_RSA_TIMEOUT_CNT 0x349F00
#endif
#endif
#endif /* WOLFSSL_ESPIDF */
#if defined(WOLFSSL_RENESAS_TSIP)