diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index d6982b740a..ed7165e50f 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -106,12 +106,12 @@ typedef struct esp_tls { mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */ + mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */ + mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */ mbedtls_pk_context clientkey; /*!< Container for the private key of the client certificate */ - - mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */ int sockfd; /*!< Underlying socket file descriptor. */ diff --git a/components/mqtt/esp-mqtt b/components/mqtt/esp-mqtt index 85ee406d03..a7b1cea5b3 160000 --- a/components/mqtt/esp-mqtt +++ b/components/mqtt/esp-mqtt @@ -1 +1 @@ -Subproject commit 85ee406d03fd84f5613c6dead1ea653e384b9559 +Subproject commit a7b1cea5b3e246298607a8c64447765297626f36 diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h index 87577a7eaf..34045ae777 100644 --- a/components/tcp_transport/include/esp_transport_ssl.h +++ b/components/tcp_transport/include/esp_transport_ssl.h @@ -32,7 +32,7 @@ esp_transport_handle_t esp_transport_ssl_init(); /** * @brief Set SSL certificate data (as PEM format). * Note that, this function stores the pointer to data, rather than making a copy. - * So we need to make sure to keep the data lifetime before cleanup the connection + * So this data must remain valid until after the connection is cleaned up * * @param t ssl transport * @param[in] data The pem data 
@@ -43,7 +43,7 @@ void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data,
 /**
 * @brief Set SSL client certificate data for mutual authentication (as PEM format).
 * Note that, this function stores the pointer to data, rather than making a copy.
- * So we need to make sure to keep the data lifetime before cleanup the connection
+ * So this data must remain valid until after the connection is cleaned up
 *
 * @param t ssl transport
 * @param[in] data The pem data
@@ -54,7 +54,7 @@ void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char
 /**
 * @brief Set SSL client key data for mutual authentication (as PEM format).
 * Note that, this function stores the pointer to data, rather than making a copy.
- * So we need to make sure to keep the data lifetime before cleanup the connection
+ * So this data must remain valid until after the connection is cleaned up
 *
 * @param t ssl transport
 * @param[in] data The pem data
diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c
index f53601ee4c..f2d3467206 100644
--- a/components/tcp_transport/transport_ssl.c
+++ b/components/tcp_transport/transport_ssl.c
@@ -39,8 +39,6 @@ typedef struct {
 esp_tls_t *tls;
 esp_tls_cfg_t cfg;
 bool ssl_initialized;
- bool verify_server;
- bool mutual_authentication;
 transport_ssl_conn_state_t conn_state;
 } transport_ssl_t;
@@ -50,12 +48,6 @@ static int ssl_connect_async(esp_transport_handle_t t, const char *host, int por
 {
 transport_ssl_t *ssl = esp_transport_get_context_data(t);
 if (ssl->conn_state == TRANS_SSL_INIT) {
- if (ssl->cfg.cacert_pem_buf) {
- ssl->verify_server = true;
- }
- if (ssl->cfg.clientcert_pem_buf && ssl->cfg.clientkey_pem_buf) {
- ssl->mutual_authentication = true;
- }
 ssl->cfg.timeout_ms = timeout_ms;
 ssl->cfg.non_block = true;
 ssl->ssl_initialized = true;
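Review bot: Once `verify_server` and `mutual_authentication` are dropped, nothing in `ssl_connect_async` (nor in `ssl_connect` in the next hunk) tells a reader that server verification and client authentication are decided purely by which `cfg.*_pem_buf` pointers are non-NULL when `&ssl->cfg` is handed to esp-tls (`esp_tls_conn_new` in the `ssl_connect` hunk). The removed lines were the only place that spelled out that an unset `cacert_pem_buf` means the server is not verified, and that knowledge leaves the file with them. I would keep it as a comment above `ssl->cfg.timeout_ms = timeout_ms;` in both functions: `/* Server verification and client auth are chosen by esp-tls from the cfg.*_pem_buf pointers; presumably a NULL cacert_pem_buf leaves the server unverified — confirm in esp_tls_conn_new. */`. The body of `ssl_connect_async` continues past this hunk.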
@@ -74,12 +66,7 @@ static int ssl_connect_async(esp_transport_handle_t t, const char *host, int por
 static int ssl_connect(esp_transport_handle_t t, const char *host, int port, int timeout_ms)
 {
 transport_ssl_t *ssl = esp_transport_get_context_data(t);
- if (ssl->cfg.cacert_pem_buf) {
- ssl->verify_server = true;
- }
- if (ssl->cfg.clientcert_pem_buf && ssl->cfg.clientkey_pem_buf) {
- ssl->mutual_authentication = true;
- }
+
 ssl->cfg.timeout_ms = timeout_ms;
 ssl->ssl_initialized = true;
 ssl->tls = esp_tls_conn_new(host, strlen(host), port, &ssl->cfg);
@@ -153,8 +140,6 @@ static int ssl_close(esp_transport_handle_t t)
 if (ssl->ssl_initialized) {
 esp_tls_conn_delete(ssl->tls);
 ssl->ssl_initialized = false;
- ssl->verify_server = false;
- ssl->mutual_authentication = false;
 }
 return ret;
 }
diff --git a/examples/mqtt_ssl_mutual_auth/CMakeLists.txt b/examples/mqtt_ssl_mutual_auth/CMakeLists.txt
deleted file mode 100644
index 106b117909..0000000000
--- a/examples/mqtt_ssl_mutual_auth/CMakeLists.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-cmake_minimum_required(VERSION 3.5)
-
-get_filename_component(DEV_ROOT "${CMAKE_CURRENT_SOURCE_DIR}" ABSOLUTE)
-
-set(PROJECT_ROOT "${DEV_ROOT}/")
-
-set(SUBMODULE_ROOT "${DEV_ROOT}/../../../")
-
-set(PROJECT_NAME "mqtt_ssl_mutual_auth")
-
-include($ENV{IDF_PATH}/tools/cmake/project.cmake)
-
-set(MAIN_SRCS ${PROJECT_ROOT}/main/app_main.c)
-
-set(EXTRA_COMPONENT_DIRS "${EXTRA_COMPONENT_DIRS} ${SUBMODULE_ROOT}")
-set(BUILD_COMPONENTS "${BUILD_COMPONENTS} espmqtt")
-
-project(${PROJECT_NAME})
-
diff --git a/examples/mqtt_ssl_mutual_auth/README.md b/examples/mqtt_ssl_mutual_auth/README.md
deleted file mode 100644
index c415cdffb7..0000000000
--- a/examples/mqtt_ssl_mutual_auth/README.md
+++ /dev/null
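Review bot: The only line added to `ssl_connect` is an empty one between `transport_ssl_t *ssl = esp_transport_get_context_data(t);` and `ssl->cfg.timeout_ms = timeout_ms;`, a leftover from the deleted block rather than a deliberate separator; drop the `+` blank so the assignments read as one sequence, matching `ssl_connect_async` in the previous hunk. The function continues past the end of the hunk.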
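Review bot: In `ssl_close` the cleanup now only clears `ssl_initialized` after `esp_tls_conn_delete(ssl->tls);`, leaving `ssl->tls` pointing at released state until the next connect overwrites it; since the commit is already trimming this reset list, add `ssl->tls = NULL;` directly after the delete so any stray use between close and the next connect hits a NULL pointer instead of freed memory. Whether some caller actually reads `tls` in that window is not visible here, so treat it as defensive hygiene. The start of `ssl_close` lies outside the hunk.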
@@ -1,16 +0,0 @@
-# ESPMQTT SSL Sample application
-
-Navigate to the main directory
-
-```
-cd main
-```
-
-Generate a client key and a CSR. When you are generating the CSR, do not use the default values. At a minimum, the CSR must include the Country, Organisation and Common Name fields.
-
-```
-openssl genrsa -out client.key
-openssl req -out client.csr -key client.key -new
-```
-
-Paste the generated CSR in the [Mosquitto test certificate signer](https://test.mosquitto.org/ssl/index.php), click Submit and copy the downloaded `client.crt` in the `main` directory.
diff --git a/examples/protocols/mqtt/ssl_mutual_auth/CMakeLists.txt b/examples/protocols/mqtt/ssl_mutual_auth/CMakeLists.txt
new file mode 100644
index 0000000000..84bf37525e
--- /dev/null
+++ b/examples/protocols/mqtt/ssl_mutual_auth/CMakeLists.txt
@@ -0,0 +1,10 @@
+# The following four lines of boilerplate have to be in your project's CMakeLists
+# in this exact order for cmake to work correctly
+cmake_minimum_required(VERSION 3.5)
+
+include($ENV{IDF_PATH}/tools/cmake/project.cmake)
+
+project(mqtt_ssl_mutual_auth)
+
+target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/client.crt" TEXT)
+target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/client.key" TEXT)
diff --git a/examples/mqtt_ssl_mutual_auth/Makefile b/examples/protocols/mqtt/ssl_mutual_auth/Makefile
similarity index 53%
rename from examples/mqtt_ssl_mutual_auth/Makefile
rename to examples/protocols/mqtt/ssl_mutual_auth/Makefile
index c22f41d191..cfc04f81b1 100644
--- a/examples/mqtt_ssl_mutual_auth/Makefile
+++ b/examples/protocols/mqtt/ssl_mutual_auth/Makefile
@@ -2,12 +2,6 @@
 # This is a project Makefile. It is assumed the directory this Makefile resides in is a
 # project subdirectory.
 #
-#
-# This is a project Makefile. It is assumed the directory this Makefile resides in is a
-# project subdirectory.
-#
 PROJECT_NAME := mqtt_ssl_mutual_auth
-EXTRA_COMPONENT_DIRS += $(PROJECT_PATH)/../../../
 include $(IDF_PATH)/make/project.mk
-
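Review bot: In examples/protocols/mqtt/ssl_mutual_auth/CMakeLists.txt, `target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/client.key" TEXT)` bakes the client private key into the firmware image as plain data, so anyone holding the built image or able to read the flash recovers it, and neither this file nor the README added in this commit says so. A comment above that line would make the trade-off explicit: `# client.key is embedded verbatim in the firmware image; a real key needs the image protected (e.g. flash encryption)`. It is also worth recording why `TEXT` rather than `BINARY` is used, since PEM parsing expects a NUL-terminated buffer: `# TEXT appends a terminating NUL so the PEM data can be passed to esp-tls as a string` — assuming app_main.c relies on that, which this diff does not show.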
diff --git a/examples/protocols/mqtt/ssl_mutual_auth/README.md b/examples/protocols/mqtt/ssl_mutual_auth/README.md
new file mode 100644
index 0000000000..7ffe537041
--- /dev/null
+++ b/examples/protocols/mqtt/ssl_mutual_auth/README.md
@@ -0,0 +1,81 @@
+# ESP-MQTT SSL Sample application (mutual authentication)
+
+(See the README.md file in the upper level 'examples' directory for more information about examples.)
+
+This example connects to the broker test.mosquitto.org using ssl transport with client certificate and as a demonstration subscribes/unsubscribes and send a message on certain topic.
+
+It uses ESP-MQTT library which implements mqtt client to connect to mqtt broker.
+
+## How to use example
+
+### Hardware Required
+
+This example can be executed on any ESP32 board, the only required interface is WiFi and connection to internet.
+
+### Configure the project
+
+```
+make menuconfig
+```
+
+* Set serial port under Serial Flasher Options.
+
+* Set ssid and password for the board to connect to AP.
+
+* Generate your client keys and certificate
+
+Navigate to the main directory
+
+```
+cd main
+```
+
+Generate a client key and a CSR. When you are generating the CSR, do not use the default values. At a minimum, the CSR must include the Country, Organisation and Common Name fields.
+
+```
+openssl genrsa -out client.key
+openssl req -out client.csr -key client.key -new
+```
+
+Paste the generated CSR in the [Mosquitto test certificate signer](https://test.mosquitto.org/ssl/index.php), click Submit and copy the downloaded `client.crt` in the `main` directory.
+
+Please note, that the supplied files `client.crt` and `client.key` in the `main` directory are only placeholders for your client certificate and key (i.e. the example "as is" would compile but would not connect to the broker)
+
+### Build and Flash
+
+Build the project and flash it to the board, then run monitor tool to view serial output:
+
+```
+make -j4 flash monitor
+```
+
+(To exit the serial monitor, type ``Ctrl-]``.)
+
+See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.
+
+## Example Output
+
+```
+I (3714) event: sta ip: 192.168.0.139, mask: 255.255.255.0, gw: 192.168.0.2
+I (3714) system_api: Base MAC address is not set, read default base MAC address from BLK0 of EFUSE
+I (3964) MQTT_CLIENT: Sending MQTT CONNECT message, type: 1, id: 0000
+I (4164) MQTTS_EXAMPLE: MQTT_EVENT_CONNECTED
+I (4174) MQTTS_EXAMPLE: sent publish successful, msg_id=41464
+I (4174) MQTTS_EXAMPLE: sent subscribe successful, msg_id=17886
+I (4174) MQTTS_EXAMPLE: sent subscribe successful, msg_id=42970
+I (4184) MQTTS_EXAMPLE: sent unsubscribe successful, msg_id=50241
+I (4314) MQTTS_EXAMPLE: MQTT_EVENT_PUBLISHED, msg_id=41464
+I (4484) MQTTS_EXAMPLE: MQTT_EVENT_SUBSCRIBED, msg_id=17886
+I (4484) MQTTS_EXAMPLE: sent publish successful, msg_id=0
+I (4684) MQTTS_EXAMPLE: MQTT_EVENT_SUBSCRIBED, msg_id=42970
+I (4684) MQTTS_EXAMPLE: sent publish successful, msg_id=0
+I (4884) MQTT_CLIENT: deliver_publish, message_length_read=19, message_length=19
+I (4884) MQTTS_EXAMPLE: MQTT_EVENT_DATA
+TOPIC=/topic/qos0
+DATA=data
+I (5194) MQTT_CLIENT: deliver_publish, message_length_read=19, message_length=19
+I (5194) MQTTS_EXAMPLE: MQTT_EVENT_DATA
+TOPIC=/topic/qos0
+DATA=data
+```
+
diff --git a/examples/protocols/mqtt/ssl_mutual_auth/main/CMakeLists.txt b/examples/protocols/mqtt/ssl_mutual_auth/main/CMakeLists.txt
new file mode 100644
index 0000000000..6b03500639
--- /dev/null
+++ b/examples/protocols/mqtt/ssl_mutual_auth/main/CMakeLists.txt
@@ -0,0 +1,4 @@
+set(COMPONENT_SRCS "app_main.c")
+set(COMPONENT_ADD_INCLUDEDIRS ".")
+
+register_component()
diff --git a/examples/mqtt_ssl_mutual_auth/main/Kconfig.projbuild b/examples/protocols/mqtt/ssl_mutual_auth/main/Kconfig.projbuild
similarity index 90%
rename from examples/mqtt_ssl_mutual_auth/main/Kconfig.projbuild
rename to examples/protocols/mqtt/ssl_mutual_auth/main/Kconfig.projbuild
index 1c9c2e6cdc..176d8fb334 100644
--- a/examples/mqtt_ssl_mutual_auth/main/Kconfig.projbuild
+++ b/examples/protocols/mqtt/ssl_mutual_auth/main/Kconfig.projbuild
@@ -1,4 +1,4 @@
-menu "MQTT Application sample"
+menu "Example Configuration"
 config WIFI_SSID
 string "WiFi SSID"
diff --git a/examples/mqtt_ssl_mutual_auth/main/app_main.c b/examples/protocols/mqtt/ssl_mutual_auth/main/app_main.c
old mode 100755
new mode 100644
similarity index 97%
rename from examples/mqtt_ssl_mutual_auth/main/app_main.c
rename to examples/protocols/mqtt/ssl_mutual_auth/main/app_main.c
index f290d15ec1..2ebce48b93
--- a/examples/mqtt_ssl_mutual_auth/main/app_main.c
+++ b/examples/protocols/mqtt/ssl_mutual_auth/main/app_main.c
@@ -20,7 +20,7 @@
 #include "esp_log.h"
 #include "mqtt_client.h"
-static const char *TAG = "MQTTS_SAMPLE";
+static const char *TAG = "MQTTS_EXAMPLE";
 static EventGroupHandle_t wifi_event_group;
 const static int CONNECTED_BIT = BIT0;
@@ -63,7 +63,7 @@ static void wifi_init(void)
 };
 ESP_ERROR_CHECK(esp_wifi_set_mode(WIFI_MODE_STA));
 ESP_ERROR_CHECK(esp_wifi_set_config(ESP_IF_WIFI_STA, &wifi_config));
- ESP_LOGI(TAG, "start the WIFI SSID:[%s] password:[%s]", CONFIG_WIFI_SSID, "******");
+ ESP_LOGI(TAG, "start the WIFI SSID:[%s]", CONFIG_WIFI_SSID);
 ESP_ERROR_CHECK(esp_wifi_start());
 ESP_LOGI(TAG, "Waiting for wifi");
 xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT, false, true, portMAX_DELAY);
diff --git a/examples/protocols/mqtt/ssl_mutual_auth/main/client.crt b/examples/protocols/mqtt/ssl_mutual_auth/main/client.crt
new file mode 100644
index 0000000000..7a3074b907
--- /dev/null
+++ b/examples/protocols/mqtt/ssl_mutual_auth/main/client.crt
@@ -0,0 +1 @@
+Please paste your client certificate here (follow instructions in README.md)
diff --git a/examples/protocols/mqtt/ssl_mutual_auth/main/client.key b/examples/protocols/mqtt/ssl_mutual_auth/main/client.key
new file mode 100644
index 0000000000..a956f850c4
--- /dev/null
+++ b/examples/protocols/mqtt/ssl_mutual_auth/main/client.key
@@ -0,0 +1 @@
+Please paste here your client key (follow instructions in README.md)
diff --git a/examples/mqtt_ssl_mutual_auth/main/component.mk b/examples/protocols/mqtt/ssl_mutual_auth/main/component.mk
similarity index 100%
rename from examples/mqtt_ssl_mutual_auth/main/component.mk
rename to examples/protocols/mqtt/ssl_mutual_auth/main/component.mk
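Review bot: The placeholder `client.key` sits inside the example's source tree and the new README tells the user to overwrite it in place with the output of `openssl genrsa`, so the real private key becomes a tracked modification in the IDF checkout that a routine `git add`/`git commit` would publish. The README (or a `.gitignore` beside these files) should state that the generated `client.key` and `client.crt` must not be committed, or direct users to copy the example out of the tree before generating keys; the same applies to the `client.crt` placeholder in the previous hunk. The placeholder text itself is fine as a sentinel — it is not PEM, so the example cannot connect until it is replaced, which matches what the README says.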