esp-tls: Add API for mbedtls to get and set ciphersuites

2025-05-17 07:06:41 +08:00 · 2023-04-03 20:03:14 +08:00
parent 35375c17be
commit 8552799a4f
4 changed files with 31 additions and 2 deletions
--- a/components/esp-tls/esp_tls.c
+++ b/components/esp-tls/esp_tls.c
@ -54,6 +54,7 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_set_global_ca_store        esp_mbedtls_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
 #define _esp_tls_get_global_ca_store        esp_mbedtls_get_global_ca_store
 #define _esp_tls_free_global_ca_store       esp_mbedtls_free_global_ca_store                /*!< Callback function for freeing global ca store for TLS/SSL */
+#define _esp_tls_get_ciphersuites_list      esp_mbedtls_get_ciphersuites_list
 #elif CONFIG_ESP_TLS_USING_WOLFSSL /* CONFIG_ESP_TLS_USING_MBEDTLS */
 #define _esp_create_ssl_handle              esp_create_wolfssl_handle
 #define _esp_tls_handshake                  esp_wolfssl_handshake
@ -437,6 +438,10 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void)
    return _esp_tls_get_global_ca_store();
 }

+const int *esp_tls_get_ciphersuites_list(void)
+{
+    return _esp_tls_get_ciphersuites_list();
+}
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
 #ifdef CONFIG_ESP_TLS_SERVER
 /**
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@ -200,7 +200,8 @@ typedef struct esp_tls_cfg {
    esp_err_t (*crt_bundle_attach)(void *conf);
                                            /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
                                                 bundle for server verification, must be enabled in menuconfig */
-
+    const int *ciphersuites_list;           /*!< Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites.
+                                                Please check the list validity by esp_tls_get_ciphersuites_list() API */
 } esp_tls_cfg_t;

 #ifdef CONFIG_ESP_TLS_SERVER
@ -574,6 +575,15 @@ esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *esp_tl
 */
 mbedtls_x509_crt *esp_tls_get_global_ca_store(void);

+/**
+ * @brief Get supported TLS ciphersuites list.
+ *
+ * See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 for the list of ciphersuites
+ *
+ * @return  Pointer to a zero-terminated array of IANA identifiers of TLS ciphersuites.
+ *
+ */
+const int *esp_tls_get_ciphersuites_list(void);
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
 #ifdef CONFIG_ESP_TLS_SERVER
 /**
@ -602,7 +612,6 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls
 */
 void esp_tls_server_session_delete(esp_tls_t *tls);
 #endif /* ! CONFIG_ESP_TLS_SERVER */
-
 #ifdef __cplusplus
 }
 #endif
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@ -473,6 +473,11 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
        ESP_LOGE(TAG, "You have to provide both clientcert_buf and clientkey_buf for mutual authentication");
        return ESP_ERR_INVALID_STATE;
    }
+
+    if (cfg->ciphersuites_list != NULL && cfg->ciphersuites_list[0] != 0) {
+        ESP_LOGD(TAG, "Set the ciphersuites list");
+        mbedtls_ssl_conf_ciphersuites(&tls->conf, cfg->ciphersuites_list);
+    }
    return ESP_OK;
 }

@ -569,3 +574,8 @@ void esp_mbedtls_free_global_ca_store(void)
        global_cacert = NULL;
    }
 }
+
+const int *esp_mbedtls_get_ciphersuites_list(void)
+{
+    return mbedtls_ssl_list_ciphersuites();
+}
--- a/components/esp-tls/private_include/esp_tls_mbedtls.h
+++ b/components/esp-tls/private_include/esp_tls_mbedtls.h
@ -102,3 +102,8 @@ mbedtls_x509_crt *esp_mbedtls_get_global_ca_store(void);
 * Callback function for freeing global ca store for TLS/SSL using mbedtls
 */
 void esp_mbedtls_free_global_ca_store(void);
+
+/**
+ * Internal Callback for esp_tls_get_ciphersuites_list
+ */
+const int *esp_mbedtls_get_ciphersuites_list(void);