espressif/ESP8266_RTOS_SDK
1
0
Fork 0
mirror of https://github.com/espressif/ESP8266_RTOS_SDK.git synced 2025-05-31 23:50:12 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/esp_tls_wolfssl' into 'master'

Browse Source 
Add wolfSSL library in esp_tls component

See merge request sdk/ESP8266_RTOS_SDK!726
This commit is contained in:
Dong Heng
2019-01-30 10:36:25 +08:00
parent ea9c911e69 7cb954abc8
commit e8b19d15a2
3 changed files with 184 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
components/esp-tls/component.mk
View File

@ -1,7 +1,12 @@
ifdef CONFIG_SSL_USING_MBEDTLS
COMPONENT_SRCDIRS := .
COMPONENT_ADD_INCLUDEDIRS := .
else
COMPONENT_SRCDIRS :=
COMPONENT_ADD_INCLUDEDIRS :=
ifdef CONFIG_SSL_USING_MBEDTLS
COMPONENT_SRCDIRS := .
COMPONENT_ADD_INCLUDEDIRS := .
endif
ifdef CONFIG_SSL_USING_WOLFSSL
COMPONENT_SRCDIRS := .
COMPONENT_ADD_INCLUDEDIRS := .
endif

171
components/esp-tls/esp_tls.c
View File

@ -28,7 +28,12 @@
#endif
static const char *TAG = "esp-tls";
#if CONFIG_SSL_USING_MBEDTLS
static mbedtls_x509_crt *global_cacert = NULL;
#else
static unsigned char *global_cacert = NULL;
static unsigned int global_cacert_pem_bytes = 0;
#endif
#ifdef ESP_PLATFORM
#include <esp_log.h>
@ -67,6 +72,7 @@ static ssize_t tcp_read(esp_tls_t *tls, char *data, size_t datalen)
static ssize_t tls_read(esp_tls_t *tls, char *data, size_t datalen)
{
#if CONFIG_SSL_USING_MBEDTLS
ssize_t ret = mbedtls_ssl_read(&tls->ssl, (unsigned char *)data, datalen);
if (ret < 0) {
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
@ -76,6 +82,20 @@ static ssize_t tls_read(esp_tls_t *tls, char *data, size_t datalen)
ESP_LOGE(TAG, "read error :%d:", ret);
}
}
#else
size_t ret = wolfSSL_read(tls->ssl, (unsigned char *)data, datalen);
if (ret < 0) {
ret = wolfSSL_get_error(tls->ssl, ret);
/* peer sent close notify */
if (ret == WOLFSSL_ERROR_ZERO_RETURN) {
return 0;
}
if (ret != WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_ERROR_WANT_WRITE) {
ESP_LOGE(TAG, "read error :%d:", ret);
}
}
#endif
return ret;
}
@ -146,12 +166,14 @@ err_freeaddr:
return ret;
}
esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
{
if (cacert_pem_buf == NULL) {
ESP_LOGE(TAG, "cacert_pem_buf is null");
return ESP_ERR_INVALID_ARG;
}
#if CONFIG_SSL_USING_MBEDTLS
if (global_cacert != NULL) {
mbedtls_x509_crt_free(global_cacert);
}
@ -171,23 +193,43 @@ esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const
ESP_LOGE(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret);
}
return ESP_OK;
#else
if (global_cacert != NULL) {
esp_tls_free_global_ca_store(global_cacert);
}
global_cacert = (unsigned char *)strndup((const char *)cacert_pem_buf, cacert_pem_bytes);
if (!global_cacert)
return ESP_FAIL;
global_cacert_pem_bytes = cacert_pem_bytes;
return ESP_OK;
#endif
}
mbedtls_x509_crt *esp_tls_get_global_ca_store()
void *esp_tls_get_global_ca_store()
{
return global_cacert;
return (void*)global_cacert;
}
void esp_tls_free_global_ca_store()
{
if (global_cacert) {
#if CONFIG_SSL_USING_MBEDTLS
mbedtls_x509_crt_free(global_cacert);
global_cacert = NULL;
#else
free(global_cacert);
global_cacert = NULL;
global_cacert_pem_bytes = 0;
#endif
}
}
static void verify_certificate(esp_tls_t *tls)
{
#if CONFIG_SSL_USING_MBEDTLS
int flags;
char buf[100];
if ((flags = mbedtls_ssl_get_verify_result(&tls->ssl)) != 0) {
@ -198,13 +240,22 @@ static void verify_certificate(esp_tls_t *tls)
} else {
ESP_LOGI(TAG, "Certificate verified.");
}
#else
int flags;
if ((flags = wolfSSL_get_verify_result(tls->ssl)) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "Failed to verify peer certificate %d!", flags);
} else {
ESP_LOGI(TAG, "Certificate verified.");
}
#endif
}
static void mbedtls_cleanup(esp_tls_t *tls)
static void esp_tls_cleanup(esp_tls_t *tls)
{
if (!tls) {
return;
}
#if CONFIG_SSL_USING_MBEDTLS
if (tls->cacert_ptr != global_cacert) {
mbedtls_x509_crt_free(tls->cacert_ptr);
}
@ -217,12 +268,19 @@ static void mbedtls_cleanup(esp_tls_t *tls)
mbedtls_ctr_drbg_free(&tls->ctr_drbg);
mbedtls_ssl_free(&tls->ssl);
mbedtls_net_free(&tls->server_fd);
#else
wolfSSL_shutdown(tls->ssl);
wolfSSL_free(tls->ssl);
close(tls->sockfd);
wolfSSL_CTX_free(tls->ctx);
wolfSSL_Cleanup();
#endif
}
static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostlen, const esp_tls_cfg_t *cfg)
{
int ret;
#if CONFIG_SSL_USING_MBEDTLS
mbedtls_net_init(&tls->server_fd);
tls->server_fd.fd = tls->sockfd;
mbedtls_ssl_init(&tls->ssl);
@ -326,8 +384,74 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
return 0;
exit:
mbedtls_cleanup(tls);
esp_tls_cleanup(tls);
return -1;
#else
ret = wolfSSL_Init();
if (ret != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "Init wolfSSL failed: %d", ret);
goto exit;
}
tls->ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method());
if (!tls->ctx) {
ESP_LOGE(TAG, "Set wolfSSL ctx failed");
goto exit;
}
#ifdef HAVE_ALPN
if (cfg->alpn_protos) {
char **alpn_list = (char **)cfg->alpn_protos;
for (; *alpn_list != NULL; alpn_list ++) {
if (wolfSSL_UseALPN(tls->ssl, *alpn_list, strlen(*alpn_list), WOLFSSL_ALPN_FAILED_ON_MISMATCH) != WOLFSSL_SUCCESS) {
ESP_LOGE(TAG, "Use wolfSSL ALPN failed");
goto exit;
}
}
}
#endif
if (cfg->use_global_ca_store == true) {
wolfSSL_CTX_load_verify_buffer(tls->ctx, global_cacert, global_cacert_pem_bytes, WOLFSSL_FILETYPE_PEM);
wolfSSL_CTX_set_verify(tls->ctx, SSL_VERIFY_PEER, NULL);
} else if (cfg->cacert_pem_buf != NULL) {
wolfSSL_CTX_load_verify_buffer(tls->ctx, cfg->cacert_pem_buf, cfg->cacert_pem_bytes, WOLFSSL_FILETYPE_PEM);
wolfSSL_CTX_set_verify(tls->ctx, SSL_VERIFY_PEER, NULL);
} else {
wolfSSL_CTX_set_verify(tls->ctx, SSL_VERIFY_NONE, NULL);
}
if (cfg->clientcert_pem_buf != NULL && cfg->clientkey_pem_buf != NULL) {
wolfSSL_CTX_use_certificate_buffer(tls->ctx, cfg->clientcert_pem_buf, cfg->clientcert_pem_bytes, WOLFSSL_FILETYPE_PEM);
wolfSSL_CTX_use_PrivateKey_buffer(tls->ctx, cfg->clientkey_pem_buf, cfg->clientkey_pem_bytes, WOLFSSL_FILETYPE_PEM);
} else if (cfg->clientcert_pem_buf != NULL || cfg->clientkey_pem_buf != NULL) {
ESP_LOGE(TAG, "You have to provide both clientcert_pem_buf and clientkey_pem_buf for mutual authentication\n\n");
goto exit;
}
tls->ssl = wolfSSL_new(tls->ctx);
if (!tls->ssl) {
ESP_LOGE(TAG, "Create wolfSSL failed");
goto exit;
}
#ifdef HAVE_SNI
/* Hostname set here should match CN in server certificate */
char *use_host = strndup(hostname, hostlen);
if (!use_host) {
goto exit;
}
wolfSSL_set_tlsext_host_name(tls->ssl, use_host);
free(use_host);
#endif
wolfSSL_set_fd(tls->ssl, tls->sockfd);
return 0;
exit:
esp_tls_cleanup(tls);
return -1;
#endif
}
/**
@ -336,7 +460,7 @@ exit:
void esp_tls_conn_delete(esp_tls_t *tls)
{
if (tls != NULL) {
mbedtls_cleanup(tls);
esp_tls_cleanup(tls);
if (tls->sockfd) {
close(tls->sockfd);
}
@ -351,6 +475,7 @@ static ssize_t tcp_write(esp_tls_t *tls, const char *data, size_t datalen)
static ssize_t tls_write(esp_tls_t *tls, const char *data, size_t datalen)
{
#if CONFIG_SSL_USING_MBEDTLS
ssize_t ret = mbedtls_ssl_write(&tls->ssl, (unsigned char*) data, datalen);
if (ret < 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
@ -358,6 +483,15 @@ static ssize_t tls_write(esp_tls_t *tls, const char *data, size_t datalen)
}
}
return ret;
#else
ssize_t ret = wolfSSL_write(tls->ssl, (unsigned char*) data, datalen);
if (ret < 0) {
if (ret != WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_ERROR_WANT_WRITE) {
ESP_LOGE(TAG, "write error :%d:", ret);
}
}
return ret;
#endif
}
static int esp_tls_low_level_conn(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls)
@ -427,6 +561,7 @@ static int esp_tls_low_level_conn(const char *hostname, int hostlen, int port, c
/* falls through */
case ESP_TLS_HANDSHAKE:
ESP_LOGD(TAG, "handshake in progress...");
#if CONFIG_SSL_USING_MBEDTLS
ret = mbedtls_ssl_handshake(&tls->ssl);
if (ret == 0) {
tls->conn_state = ESP_TLS_DONE;
@ -445,6 +580,26 @@ static int esp_tls_low_level_conn(const char *hostname, int hostlen, int port, c
or MBEDTLS_ERR_SSL_WANT_WRITE during handshake */
return 0;
}
#else
ret = wolfSSL_connect(tls->ssl);
if (ret == WOLFSSL_SUCCESS) {
tls->conn_state = ESP_TLS_DONE;
return 1;
} else {
if (ret != WOLFSSL_ERROR_WANT_READ && ret != WOLFSSL_ERROR_WANT_WRITE) {
ESP_LOGE(TAG, "wolfSSL_connect returned -0x%x", -ret);
if (cfg->cacert_pem_buf != NULL || cfg->use_global_ca_store == true) {
/* This is to check whether handshake failed due to invalid certificate*/
verify_certificate(tls);
}
tls->conn_state = ESP_TLS_FAIL;
return -1;
}
/* Irrespective of blocking or non-blocking I/O, we return on getting wolfSSL_want_read
or wolfSSL_want_write during handshake */
return 0;
}
#endif
break;
case ESP_TLS_FAIL:
ESP_LOGE(TAG, "failed to open a new connection");;
@ -490,9 +645,13 @@ int esp_tls_conn_new_async(const char *hostname, int hostlen, int port, const es
size_t esp_tls_get_bytes_avail(esp_tls_t *tls)
{
#if CONFIG_SSL_USING_MBEDTLS
if (!tls) {
ESP_LOGE(TAG, "empty arg passed to esp_tls_get_bytes_avail()");
return ESP_FAIL;
}
return mbedtls_ssl_get_bytes_avail(&tls->ssl);
#else
return 0;
#endif
}

12
components/esp-tls/esp_tls.h
View File

@ -18,6 +18,7 @@
#include <sys/socket.h>
#include <fcntl.h>
#if CONFIG_SSL_USING_MBEDTLS
#include "mbedtls/platform.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/esp_debug.h"
@ -26,6 +27,9 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"
#else
#include "wolfssl/ssl.h"
#endif
#ifdef __cplusplus
extern "C" {
@ -90,6 +94,7 @@ typedef struct esp_tls_cfg {
* @brief ESP-TLS Connection Handle
*/
typedef struct esp_tls {
#if CONFIG_SSL_USING_MBEDTLS
mbedtls_ssl_context ssl; /*!< TLS/SSL context */
mbedtls_entropy_context entropy; /*!< mbedTLS entropy context structure */
@ -112,7 +117,10 @@ typedef struct esp_tls {
mbedtls_pk_context clientkey; /*!< Container for the private key of the client
certificate */
#else
WOLFSSL_CTX *ctx;
WOLFSSL *ssl;
#endif
int sockfd; /*!< Underlying socket file descriptor. */
ssize_t (*esp_tls_read)(struct esp_tls *tls, char *data, size_t datalen); /*!< Callback function for reading data from TLS/SSL
@ -258,7 +266,7 @@ esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const
* - Pointer to the global CA store currently being used if successful.
* - NULL if there is no global CA store set.
*/
mbedtls_x509_crt *esp_tls_get_global_ca_store();
void *esp_tls_get_global_ca_store();
/**
* @brief Free the global CA store currently being used.