From 5ce93aa257343513eddba53da7f4c78a90b46a8f Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 5 Sep 2023 14:34:04 +0530 Subject: [PATCH 1/3] fix(esp_tls): Refactor esp-tls to remove ESP_TLS_SERVER config option --- components/esp-tls/Kconfig | 13 ++------ components/esp-tls/esp_tls.c | 10 ++----- components/esp-tls/esp_tls.h | 10 +++---- components/esp-tls/esp_tls_mbedtls.c | 30 ++++++++----------- components/esp-tls/esp_tls_wolfssl.c | 19 ++++-------- .../esp-tls/private_include/esp_tls_mbedtls.h | 12 ++------ .../esp-tls/private_include/esp_tls_private.h | 24 ++++++++++----- .../esp-tls/private_include/esp_tls_wolfssl.h | 5 +--- .../esp-tls/test_apps/main/test_esp_tls.c | 2 -- .../esp-tls/test_apps/sdkconfig.defaults | 2 -- 10 files changed, 47 insertions(+), 80 deletions(-) diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig index ac28442ef3..32e1e0db83 100644 --- a/components/esp-tls/Kconfig +++ b/components/esp-tls/Kconfig @@ -38,16 +38,9 @@ menu "ESP-TLS" help Enable session ticket support as specified in RFC5077. - config ESP_TLS_SERVER - bool "Enable ESP-TLS Server" - depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) || ESP_TLS_USING_WOLFSSL - help - Enable support for creating server side SSL/TLS session, available for mbedTLS - as well as wolfSSL TLS library. - config ESP_TLS_SERVER_SESSION_TICKETS bool "Enable server session tickets" - depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS + depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS help Enable session ticket support as specified in RFC5077 
@@ -60,7 +53,7 @@ menu "ESP-TLS" config ESP_TLS_SERVER_CERT_SELECT_HOOK bool "Certificate selection hook" - depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER + depends on ESP_TLS_USING_MBEDTLS help Ability to configure and use a certificate selection callback during server handshake, to select a certificate to present to the client based on the TLS extensions supplied in @@ -68,7 +61,7 @@ menu "ESP-TLS" config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional" - depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS + depends on ESP_TLS_USING_MBEDTLS help When this option is enabled, the peer (here, the client) certificate is checked by the server, however the handshake continues even if verification failed. By default, the diff --git a/components/esp-tls/esp_tls.c b/components/esp-tls/esp_tls.c index b80edd1679..76265587e9 100644 --- a/components/esp-tls/esp_tls.c +++ b/components/esp-tls/esp_tls.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
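Review bot: Dropping `ESP_TLS_SERVER` from the `depends on` of `ESP_TLS_SERVER_CERT_SELECT_HOOK` and `ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL` also drops the transitive requirement on `MBEDTLS_TLS_SERVER` that the removed option carried (`depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) || ESP_TLS_USING_WOLFSSL`). Both options only affect the server-side handshake, and the second one by its own help text lets the handshake continue after a failed client-certificate check, so they can now be switched on in a build whose mbedTLS has no server support at all, where they presumably do nothing; that is a silent misconfiguration rather than a build error. Keeping the gate explicit, `depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER`, for both options preserves the previous constraint. `ESP_TLS_SERVER_SESSION_TICKETS` in the first Kconfig hunk is fine only if `MBEDTLS_SERVER_SSL_SESSION_TICKETS` already implies server support.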
@@ -64,12 +64,10 @@ static const char *TAG = "esp-tls"; #define _esp_tls_get_client_session esp_mbedtls_get_client_session #define _esp_tls_free_client_session esp_mbedtls_free_client_session #define _esp_tls_get_ssl_context esp_mbedtls_get_ssl_context -#ifdef CONFIG_ESP_TLS_SERVER #define _esp_tls_server_session_create esp_mbedtls_server_session_create #define _esp_tls_server_session_delete esp_mbedtls_server_session_delete #define _esp_tls_server_session_ticket_ctx_init esp_mbedtls_server_session_ticket_ctx_init #define _esp_tls_server_session_ticket_ctx_free esp_mbedtls_server_session_ticket_ctx_free -#endif /* CONFIG_ESP_TLS_SERVER */ #define _esp_tls_get_bytes_avail esp_mbedtls_get_bytes_avail #define _esp_tls_init_global_ca_store esp_mbedtls_init_global_ca_store #define _esp_tls_set_global_ca_store esp_mbedtls_set_global_ca_store /*!< Callback function for setting global CA store data for TLS/SSL */ @@ -83,10 +81,8 @@ static const char *TAG = "esp-tls"; #define _esp_tls_write esp_wolfssl_write #define _esp_tls_conn_delete esp_wolfssl_conn_delete #define _esp_tls_net_init esp_wolfssl_net_init -#ifdef CONFIG_ESP_TLS_SERVER #define _esp_tls_server_session_create esp_wolfssl_server_session_create #define _esp_tls_server_session_delete esp_wolfssl_server_session_delete -#endif /* CONFIG_ESP_TLS_SERVER */ #define _esp_tls_get_bytes_avail esp_wolfssl_get_bytes_avail #define _esp_tls_init_global_ca_store esp_wolfssl_init_global_ca_store #define _esp_tls_set_global_ca_store esp_wolfssl_set_global_ca_store /*!< Callback function for setting global CA store data for TLS/SSL */ @@ -108,7 +104,7 @@ static const char *TAG = "esp-tls"; static esp_err_t create_ssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) { - return _esp_create_ssl_handle(hostname, hostlen, cfg, tls); + return _esp_create_ssl_handle(hostname, hostlen, cfg, tls, NULL); } static esp_err_t esp_tls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg) 
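Review bot: `create_ssl_handle` now hard-codes `NULL` as the new fifth argument of `_esp_create_ssl_handle`, and nothing at the call site says why that is acceptable; the reason has to be recovered from the mbedTLS backend in this series, where the parameter is only consulted inside the `ESP_TLS_SERVER` branch. A one-line comment above the call keeps the invariant next to the code: `/* Client-side path: server_params is only consulted when tls->role is ESP_TLS_SERVER */`. The callers of this wrapper are outside the hunk, so I could not confirm that it is never reached with a server role.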
@@ -638,7 +634,6 @@ void esp_tls_free_client_session(esp_tls_client_session_t *client_session) #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */ -#ifdef CONFIG_ESP_TLS_SERVER esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg) { #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) @@ -682,7 +677,6 @@ void esp_tls_server_session_delete(esp_tls_t *tls) { return _esp_tls_server_session_delete(tls); } -#endif /* CONFIG_ESP_TLS_SERVER */ ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls) { diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h index 92e7dbfcf7..32eccacb5d 100644 --- a/components/esp-tls/esp_tls.h +++ b/components/esp-tls/esp_tls.h @@ -213,7 +213,6 @@ typedef struct esp_tls_cfg { esp_tls_proto_ver_t tls_version; /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */ } esp_tls_cfg_t; -#ifdef CONFIG_ESP_TLS_SERVER #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS) /** * @brief Data structures necessary to support TLS session tickets according to RFC5077 @@ -228,7 +227,7 @@ typedef struct esp_tls_server_session_ticket_ctx { } esp_tls_server_session_ticket_ctx_t; #endif - +#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK) /** * @brief tls handshake callback * Can be used to configure per-handshake attributes for the TLS connection. @@ -239,7 +238,11 @@ typedef struct esp_tls_server_session_ticket_ctx { * or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort */ typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback; +#endif +/** + * @brief ESP-TLS Server configuration parameters + */ typedef struct esp_tls_cfg_server { const char **alpn_protos; /*!< Application protocols required for HTTP2. If HTTP2/ALPN support is required, a list 
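Review bot: `typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback;` becomes conditional on `CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK` in the esp_tls.h hunk, but the doc block above it is unchanged, so a user of this public header is not told that the type disappears when the hook is disabled. Add a line to that comment, e.g. `* @note Only declared when CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK is enabled; guard any use of this type accordingly.` Any member of `esp_tls_cfg_server` declared with this type needs the same guard; that part of the struct is outside the hunk, so I could not confirm it here.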
@@ -341,7 +344,6 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg); * @param cfg server configuration as esp_tls_cfg_server_t */ void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg); -#endif /* ! CONFIG_ESP_TLS_SERVER */ typedef struct esp_tls esp_tls_t; @@ -681,7 +683,6 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void); */ const int *esp_tls_get_ciphersuites_list(void); #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */ -#ifdef CONFIG_ESP_TLS_SERVER /** * @brief Create TLS/SSL server session * @@ -707,7 +708,6 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls * @param[in] tls pointer to esp_tls_t */ void esp_tls_server_session_delete(esp_tls_t *tls); -#endif /* ! CONFIG_ESP_TLS_SERVER */ /** * @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index c2730d2df5..5708dfcb95 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -70,7 +70,9 @@ typedef struct esp_tls_pki_t { #endif } esp_tls_pki_t; -esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) +static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls); + +esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params) { assert(cfg != NULL); assert(tls != NULL); 
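Review bot: The new `esp_create_mbedtls_handle` parameter is `void *server_params`, although the only thing done with it in the following hunk is a conversion to `esp_tls_server_params_t *` followed by a call through `set_server_cfg`. Declaring it as `esp_tls_server_params_t *server_params` (the type is added to `esp_tls_private.h` in this same patch) lets the compiler reject a wrong argument instead of deferring the problem to a runtime NULL check, and makes the new forward declaration of `set_server_config` self-explanatory as the value that will be stored in that struct. If `void *` is deliberate so that the backend headers stay independent of the private struct, a short comment on the parameter saying so would pre-empt the question.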
@@ -116,16 +118,16 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const goto exit; } } else if (tls->role == ESP_TLS_SERVER) { -#ifdef CONFIG_ESP_TLS_SERVER - esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls); + if (server_params == NULL) { + /* Server params cannot be NULL when TLS role is server */ + return ESP_ERR_INVALID_ARG; + } + esp_tls_server_params_t *input_server_params = server_params; + esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls); if (esp_ret != 0) { ESP_LOGE(TAG, "Failed to set server configurations, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); goto exit; } -#else - ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in Kconfig"); - goto exit; -#endif } if ((ret = mbedtls_ctr_drbg_seed(&tls->ctr_drbg, @@ -353,10 +355,6 @@ void esp_mbedtls_cleanup(esp_tls_t *tls) mbedtls_x509_crt_free(tls->cacert_ptr); } tls->cacert_ptr = NULL; -#ifdef CONFIG_ESP_TLS_SERVER - mbedtls_x509_crt_free(&tls->servercert); - mbedtls_pk_free(&tls->serverkey); -#endif mbedtls_x509_crt_free(&tls->cacert); mbedtls_x509_crt_free(&tls->clientcert); mbedtls_pk_free(&tls->clientkey); @@ -478,7 +476,6 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls) return ESP_OK; } -#ifdef CONFIG_ESP_TLS_SERVER #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime) { @@ -547,7 +544,7 @@ void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ct } #endif -esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) +static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) { assert(cfg != NULL); assert(tls != NULL); 
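Review bot: The new `server_params == NULL` check returns `ESP_ERR_INVALID_ARG` directly, while every other failure in this branch sets `esp_ret` and does `goto exit`; if the `exit` label releases the mbedTLS state initialised earlier in the function (both are outside the hunk), this early `return` skips that release and hands the caller a half-initialised `tls`. The function pointer is also called without a check, so a caller passing a zeroed `esp_tls_server_params_t` calls through NULL. Reject both cases on the common error path:
```c
    } else if (tls->role == ESP_TLS_SERVER) {
        esp_tls_server_params_t *input_server_params = server_params;
        if (input_server_params == NULL || input_server_params->set_server_cfg == NULL) {
            /* Server role needs a backend-supplied set_server_cfg(); fail through the
             * common exit path so partially initialised state is released. */
            ESP_LOGE(TAG, "Server params cannot be NULL when TLS role is server");
            esp_ret = ESP_ERR_INVALID_ARG;
            goto exit;
        }
        esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls);
        /* … unchanged: error log and goto exit on failure … */
```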
@@ -679,7 +676,6 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) return ESP_OK; } -#endif /* ! CONFIG_ESP_TLS_SERVER */ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls) { @@ -903,7 +899,6 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t return ESP_OK; } -#ifdef CONFIG_ESP_TLS_SERVER /** * @brief Create TLS/SSL server session */ @@ -914,7 +909,9 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp } tls->role = ESP_TLS_SERVER; tls->sockfd = sockfd; - esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls); + esp_tls_server_params_t server_params = {}; + server_params.set_server_cfg = &set_server_config; + esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls, &server_params); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "create_ssl_handle failed, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret); @@ -946,7 +943,6 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls) free(tls); } }; -#endif /* ! CONFIG_ESP_TLS_SERVER */ esp_err_t esp_mbedtls_init_global_ca_store(void) { diff --git a/components/esp-tls/esp_tls_wolfssl.c b/components/esp-tls/esp_tls_wolfssl.c index 9c4f1771a9..733b097429 100644 --- a/components/esp-tls/esp_tls_wolfssl.c +++ b/components/esp-tls/esp_tls_wolfssl.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
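Review bot: `esp_tls_server_params_t server_params = {};` uses the empty initialiser, which is a GCC extension before C23; the intent is a single field, so a designated initialiser is both standard C and self-documenting: `esp_tls_server_params_t server_params = { .set_server_cfg = set_server_config };`. The identical line appears in `esp_wolfssl_server_session_create` in esp_tls_wolfssl.c later in this patch and should change with it. `esp_mbedtls_server_session_create` begins before this hunk.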
@@ -44,9 +44,7 @@ static uint8_t psk_key_array[PSK_MAX_KEY_LEN]; static uint8_t psk_key_max_len = 0; #endif /* CONFIG_ESP_TLS_PSK_VERIFICATION */ -#ifdef CONFIG_ESP_TLS_SERVER static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls); -#endif /* CONFIG_ESP_TLS_SERVER */ /* This function shall return the error message when appropriate log level has been set otherwise this function shall do nothing */ @@ -124,7 +122,7 @@ void *esp_wolfssl_get_ssl_context(esp_tls_t *tls) return (void*)tls->priv_ssl; } -esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls) +esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params) { #ifdef CONFIG_ESP_DEBUG_WOLFSSL wolfSSL_Debugging_ON(); @@ -152,16 +150,11 @@ esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const goto exit; } } else if (tls->role == ESP_TLS_SERVER) { -#ifdef CONFIG_ESP_TLS_SERVER esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "Failed to set server configurations, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); goto exit; } -#else - ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in menuconfig"); - goto exit; -#endif } else { ESP_LOGE(TAG, "tls->role is not valid"); @@ -321,7 +314,6 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls return ESP_OK; } -#ifdef CONFIG_ESP_TLS_SERVER static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) { int ret = WOLFSSL_FAILURE; @@ -378,7 +370,6 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls) wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd); return ESP_OK; } -#endif int esp_wolfssl_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg) { 
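Review bot: `esp_create_wolfssl_handle` gains `server_params`, but the server branch still calls the file-local `set_server_config` directly and never reads the parameter, so the two backends now disagree: the mbedTLS handle rejects a NULL `server_params` and dispatches through it, whereas the wolfSSL handle ignores whatever is passed (and `esp_wolfssl_server_session_create` in the next hunk builds and passes one anyway). Either mirror the mbedTLS dispatch here, or make the asymmetry explicit at the top of the function with `(void)server_params; /* wolfSSL backend uses its own static set_server_config() */` so the next reader does not go looking for missing wiring. The function's beginning and end are outside the hunk.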
@@ -486,7 +477,6 @@ void esp_wolfssl_cleanup(esp_tls_t *tls) wolfSSL_Cleanup(); } -#ifdef CONFIG_ESP_TLS_SERVER /** * @brief Create TLS/SSL server session */ @@ -497,7 +487,9 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp } tls->role = ESP_TLS_SERVER; tls->sockfd = sockfd; - esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls); + esp_tls_server_params_t server_params = {}; + server_params.set_server_cfg = &set_server_config; + esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls, &server_params); if (esp_ret != ESP_OK) { ESP_LOGE(TAG, "create_ssl_handle failed, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret)); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret); @@ -531,7 +523,6 @@ void esp_wolfssl_server_session_delete(esp_tls_t *tls) free(tls); } } -#endif /* CONFIG_ESP_TLS_SERVER */ esp_err_t esp_wolfssl_init_global_ca_store(void) { diff --git a/components/esp-tls/private_include/esp_tls_mbedtls.h b/components/esp-tls/private_include/esp_tls_mbedtls.h index 5526bba98c..6bb1071ab0 100644 --- a/components/esp-tls/private_include/esp_tls_mbedtls.h +++ b/components/esp-tls/private_include/esp_tls_mbedtls.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -46,7 +46,7 @@ ssize_t esp_mbedtls_get_bytes_avail(esp_tls_t *tls); /** * Internal Callback for creating ssl handle for mbedtls */ -esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls); +esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void* server_params); /** * mbedTLS function for Initializing socket wrappers 
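Review bot: The prototype of `esp_create_mbedtls_handle` in esp_tls_mbedtls.h adds `void* server_params` without a word on what must be passed, and the comment above it still reads only "Internal Callback for creating ssl handle for mbedtls". Extend it with `* server_params must point to an esp_tls_server_params_t when tls->role is ESP_TLS_SERVER; it is not consulted for the client role and may be NULL there.` The declarator spelling `void*` also differs from the definition's `void *server_params` and from the other pointer parameters on the same line, so match `type *name`.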
@@ -61,13 +61,6 @@ static inline void esp_mbedtls_net_init(esp_tls_t *tls) */ void *esp_mbedtls_get_ssl_context(esp_tls_t *tls); -#ifdef CONFIG_ESP_TLS_SERVER -/** - * Internal Callback for set_server_config - * - * /note :- can only be used with mbedtls ssl library - */ -esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls); /** * Internal Callback for mbedtls_server_session_create @@ -98,7 +91,6 @@ esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_tick */ void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg); #endif -#endif /** * Internal Callback for set_client_config_function diff --git a/components/esp-tls/private_include/esp_tls_private.h b/components/esp-tls/private_include/esp_tls_private.h index dcbb42070e..4341557aaf 100644 --- a/components/esp-tls/private_include/esp_tls_private.h +++ b/components/esp-tls/private_include/esp_tls_private.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
@@ -53,21 +53,21 @@ struct esp_tls { mbedtls_x509_crt cacert; /*!< Container for the X.509 CA certificate */ mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */ - + union { mbedtls_x509_crt clientcert; /*!< Container for the X.509 client certificate */ + mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */ + }; + union { mbedtls_pk_context clientkey; /*!< Container for the private key of the client certificate */ + mbedtls_pk_context serverkey; /*!< Container for the private key of the server + certificate */ + }; #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN bool use_ecdsa_peripheral; /*!< Use the ECDSA peripheral for the private key operations. */ uint8_t ecdsa_efuse_blk; /*!< The efuse block number where the ECDSA key is stored. */ #endif -#ifdef CONFIG_ESP_TLS_SERVER - mbedtls_x509_crt servercert; /*!< Container for the X.509 server certificate */ - - mbedtls_pk_context serverkey; /*!< Container for the private key of the server - certificate */ -#endif #elif CONFIG_ESP_TLS_USING_WOLFSSL void *priv_ctx; void *priv_ssl; @@ -95,3 +95,11 @@ struct esp_tls { esp_tls_error_handle_t error_handle; /*!< handle to error descriptor */ }; + +// Function pointer for the server configuration API +typedef esp_err_t (*set_server_config_func_ptr) (esp_tls_cfg_server_t *cfg, esp_tls_t *tls); + +// This struct contains any data that is only specific to the server session and not required by the client. +typedef struct esp_tls_server_params { + set_server_config_func_ptr set_server_cfg; +} esp_tls_server_params_t; diff --git a/components/esp-tls/private_include/esp_tls_wolfssl.h b/components/esp-tls/private_include/esp_tls_wolfssl.h index 32c9a42917..121c13477f 100644 --- a/components/esp-tls/private_include/esp_tls_wolfssl.h +++ b/components/esp-tls/private_include/esp_tls_wolfssl.h 
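Review bot: The two anonymous unions make `servercert` alias `clientcert` and `serverkey` alias `clientkey`, and the cleanup hunk in esp_tls_mbedtls.c in this patch relies on that by freeing only the client members; nothing at the declaration records the contract, so the next change that adds a role-specific field or a second free will break it unnoticed. Document it on each union, e.g. `/*!< Role-exclusive: a client session uses clientcert/clientkey, a server session servercert/serverkey; free exactly one member of each union. */`. The `//` comments on the new `esp_tls_server_params_t` block also differ from the `/*!< ... */` style used on every other member in this header; use the same form for consistency.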
@@ -11,7 +11,7 @@ /** * Internal Callback for creating ssl handle for wolfssl */ -int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls); +int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params); /** * Internal Callback for wolfssl_handshake @@ -76,7 +76,6 @@ static inline void esp_wolfssl_net_init(esp_tls_t *tls) { } -#ifdef CONFIG_ESP_TLS_SERVER /** * Function to Create ESP-TLS Server session with wolfssl Stack @@ -87,5 +86,3 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp * Delete Server Session */ void esp_wolfssl_server_session_delete(esp_tls_t *tls); - -#endif diff --git a/components/esp-tls/test_apps/main/test_esp_tls.c b/components/esp-tls/test_apps/main/test_esp_tls.c index e245fc7e8b..f91c279a11 100644 --- a/components/esp-tls/test_apps/main/test_esp_tls.c +++ b/components/esp-tls/test_apps/main/test_esp_tls.c @@ -76,7 +76,6 @@ TEST_CASE("esp-tls global_ca_store set free", "[esp-tls]") esp_tls_free_global_ca_store(); } -#ifdef CONFIG_ESP_TLS_SERVER TEST_CASE("esp_tls_server session create delete", "[esp-tls]") { struct esp_tls *tls = esp_tls_init(); @@ -95,4 +94,3 @@ TEST_CASE("esp_tls_server session create delete", "[esp-tls]") esp_tls_server_session_delete(tls); } -#endif diff --git a/components/esp-tls/test_apps/sdkconfig.defaults b/components/esp-tls/test_apps/sdkconfig.defaults index 60afb44a2e..e8191f02df 100644 --- a/components/esp-tls/test_apps/sdkconfig.defaults +++ b/components/esp-tls/test_apps/sdkconfig.defaults @@ -5,6 +5,4 @@ CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK=y CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y CONFIG_COMPILER_STACK_CHECK=y - CONFIG_ESP_TASK_WDT_EN=n -CONFIG_ESP_TLS_SERVER=y From d4544a0d5cee10f8b8c58e377934acefb15245f2 Mon Sep 17 00:00:00 2001 
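Review bot: The rewritten prototype keeps `int esp_create_wolfssl_handle(...)` while the definition in esp_tls_wolfssl.c in this patch is `esp_err_t esp_create_wolfssl_handle(...)`; since the line is being touched anyway, change the return type to `esp_err_t` so declaration and definition agree and the wolfSSL prototype matches its mbedTLS counterpart, even if the two types happen to be compatible. As in esp_tls_mbedtls.h, the new `server_params` parameter is undocumented; the same one-line description of when it is required applies here.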
From: Aditya Patwardhan Date: Tue, 5 Sep 2023 14:52:39 +0530 Subject: [PATCH 2/3] fix(esp_https_server): Remove dependency on CONFIG_ESP_TLS_SERVER Closes https://github.com/espressif/esp-idf/issues/12023 --- components/esp_https_server/CMakeLists.txt | 6 ++---- components/esp_https_server/Kconfig | 1 - 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/components/esp_https_server/CMakeLists.txt b/components/esp_https_server/CMakeLists.txt index 95c2429115..916597b723 100644 --- a/components/esp_https_server/CMakeLists.txt +++ b/components/esp_https_server/CMakeLists.txt @@ -1,7 +1,5 @@ -if(CONFIG_ESP_HTTPS_SERVER_ENABLE OR CONFIG_IDF_DOC_BUILD) - set(src "src/https_server.c") - set(inc "include") -endif() +set(src "src/https_server.c") +set(inc "include") idf_component_register(SRCS ${src} INCLUDE_DIRS ${inc} diff --git a/components/esp_https_server/Kconfig b/components/esp_https_server/Kconfig index 4fae425f0f..f4cd30282c 100644 --- a/components/esp_https_server/Kconfig +++ b/components/esp_https_server/Kconfig @@ -3,7 +3,6 @@ menu "ESP HTTPS server" config ESP_HTTPS_SERVER_ENABLE bool "Enable ESP_HTTPS_SERVER component" depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) - select ESP_TLS_SERVER help Enable ESP HTTPS server component From a0d73b5155c8a694f29630015c0d2178d71021e1 Mon Sep 17 00:00:00 2001 
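Review bot: Removing the `if(CONFIG_ESP_HTTPS_SERVER_ENABLE OR CONFIG_IDF_DOC_BUILD)` wrapper compiles `src/https_server.c` into every project that pulls this component, regardless of `ESP_HTTPS_SERVER_ENABLE`, which the Kconfig hunk keeps with `depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER)`. If that source uses mbedTLS-server-only types, or the handshake callback type that the first patch makes conditional, builds with wolfSSL or with `MBEDTLS_TLS_SERVER` disabled may now fail; the source is not visible here to confirm. Either keep the source list conditional, or guard the translation-unit body with `#if CONFIG_ESP_HTTPS_SERVER_ENABLE`, and say in the commit message why the option no longer controls compilation.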
From: Aditya Patwardhan Date: Tue, 10 Oct 2023 16:27:59 +0530 Subject: [PATCH 3/3] fix(esp_https_server): Convert HTTPD_SSL_CONFIG_DEFAULT MACRO to function Previously with HTTPD_SSL_CONFIG_DEFAULT being a MACRO, the configuration options could not be applied to it. This was casuing error in multiple scenarios. For e.g., here user_cert_cb is a part of httpd_ssl_config_t which this macro defines. But the type of user_cert_cb (esp_tls_server_callback_t) is only available when it is enabled in esp-tls. The MACRO however cannot be modified to set the defaults based on configuration option. This fix solves the issue without breaking the compatibility --- .../include/esp_https_server.h | 58 +++---------------- .../esp_https_server/src/https_server.c | 54 +++++++++++++++++ .../https_server/simple/sdkconfig.ci | 1 + 3 files changed, 64 insertions(+), 49 deletions(-) diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h index 1fd31b4543..0a598f602e 100644 --- a/components/esp_https_server/include/esp_https_server.h +++ b/components/esp_https_server/include/esp_https_server.h 
@@ -104,70 +104,30 @@ struct httpd_ssl_config { esp_https_server_user_cb *user_cb; void *ssl_userdata; /*!< user data to add to the ssl context */ +#if CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK esp_tls_handshake_callback cert_select_cb; /*!< Certificate selection callback to use */ +#endif const char** alpn_protos; /*!< Application protocols the server supports in order of prefernece. Used for negotiating during the TLS handshake, first one the client supports is selected. The data structure must live as long as the https server itself! */ }; typedef struct httpd_ssl_config httpd_ssl_config_t; +/* Macro kept for compatibility reasons */ +#define HTTPD_SSL_CONFIG_DEFAULT httpd_ssl_config_default /** - * Default config struct init - * - * (http_server default config had to be copied for customization) + * Returns the httpd config struct with default initialisation * + * @return + * httpd_ssl_config_t HTTPD ssl config struct + * with default initialisation * Notes: * - port is set when starting the server, according to 'transport_mode' * - one socket uses ~ 40kB RAM with SSL, we reduce the default socket count to 4 * - SSL sockets are usually long-lived, closing LRU prevents pool exhaustion DOS * - Stack size may need adjustments depending on the user application */ -#define HTTPD_SSL_CONFIG_DEFAULT() { \ - .httpd = { \ - .task_priority = tskIDLE_PRIORITY+5, \ - .stack_size = 10240, \ - .core_id = tskNO_AFFINITY, \ - .server_port = 0, \ - .ctrl_port = ESP_HTTPD_DEF_CTRL_PORT+1, \ - .max_open_sockets = 4, \ - .max_uri_handlers = 8, \ - .max_resp_headers = 8, \ - .backlog_conn = 5, \ - .lru_purge_enable = true, \ - .recv_wait_timeout = 5, \ - .send_wait_timeout = 5, \ - .global_user_ctx = NULL, \ - .global_user_ctx_free_fn = NULL, \ - .global_transport_ctx = NULL, \ - .global_transport_ctx_free_fn = NULL, \ - .enable_so_linger = false, \ - .linger_timeout = 0, \ - .keep_alive_enable = false, \ - .keep_alive_idle = 0, \ - .keep_alive_interval = 0, \ - .keep_alive_count = 0, 
\ - .open_fn = NULL, \ - .close_fn = NULL, \ - .uri_match_fn = NULL \ - }, \ - .servercert = NULL, \ - .servercert_len = 0, \ - .cacert_pem = NULL, \ - .cacert_len = 0, \ - .prvtkey_pem = NULL, \ - .prvtkey_len = 0, \ - .use_ecdsa_peripheral = false, \ - .ecdsa_key_efuse_blk = 0, \ - .transport_mode = HTTPD_SSL_TRANSPORT_SECURE, \ - .port_secure = 443, \ - .port_insecure = 80, \ - .session_tickets = false, \ - .use_secure_element = false, \ - .user_cb = NULL, \ - .ssl_userdata = NULL, \ - .cert_select_cb = NULL, \ - .alpn_protos = NULL, \ -} +httpd_ssl_config_t httpd_ssl_config_default(void); /** * Create a SSL capable HTTP server (secure mode may be disabled in config) diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c index c224b7c0e1..42a29c3b74 100644 --- a/components/esp_https_server/src/https_server.c +++ b/components/esp_https_server/src/https_server.c 
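Review bot: `#define HTTPD_SSL_CONFIG_DEFAULT httpd_ssl_config_default` is described as "kept for compatibility reasons", but the old macro expanded to a brace initialiser and the new one to a function call, so `HTTPD_SSL_CONFIG_DEFAULT()` no longer works where a constant expression is required, e.g. initialising a file-scope or `static` `httpd_ssl_config_t`; such callers now have to assign inside a function. State that limitation in the comment: `/* Kept for compatibility: now expands to a call of httpd_ssl_config_default(), so it cannot initialise objects with static storage duration. */`. The split `@return` block would also read better as one line, `@return httpd_ssl_config_t initialised with the defaults listed in the notes below`.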
@@ -48,6 +48,60 @@ static void httpd_ssl_close(void *ctx) ESP_LOGD(TAG, "Secure socket closed"); } +httpd_ssl_config_t httpd_ssl_config_default(void) +{ + httpd_ssl_config_t config = { + .httpd = { + .task_priority = tskIDLE_PRIORITY + 5, + .stack_size = 10240, + .core_id = tskNO_AFFINITY, + .server_port = 0, + .ctrl_port = ESP_HTTPD_DEF_CTRL_PORT + 1, + .max_open_sockets = 4, + .max_uri_handlers = 8, + .max_resp_headers = 8, + .backlog_conn = 5, + .lru_purge_enable = true, + .recv_wait_timeout = 5, + .send_wait_timeout = 5, + .global_user_ctx = NULL, + .global_user_ctx_free_fn = NULL, + .global_transport_ctx = NULL, + .global_transport_ctx_free_fn = NULL, + .enable_so_linger = false, + .linger_timeout = 0, + .keep_alive_enable = false, + .keep_alive_idle = 0, + .keep_alive_interval = 0, + .keep_alive_count = 0, + .open_fn = NULL, + .close_fn = NULL, + .uri_match_fn = NULL, + }, + .servercert = NULL, + .servercert_len = 0, + .cacert_pem = NULL, + .cacert_len = 0, + .prvtkey_pem = NULL, + .prvtkey_len = 0, + .use_ecdsa_peripheral = false, + .ecdsa_key_efuse_blk = 0, + .transport_mode = HTTPD_SSL_TRANSPORT_SECURE, + .port_secure = 443, + .port_insecure = 80, + .session_tickets = false, + .use_secure_element = false, + .user_cb = NULL, + .ssl_userdata = NULL, +#if CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK + .cert_select_cb = NULL, +#endif + .alpn_protos = NULL, + }; + + return config; +} + /** * SSL socket pending-check function * diff --git a/examples/protocols/https_server/simple/sdkconfig.ci b/examples/protocols/https_server/simple/sdkconfig.ci index 84ffce91b8..5c2b288013 100644 --- a/examples/protocols/https_server/simple/sdkconfig.ci +++ b/examples/protocols/https_server/simple/sdkconfig.ci @@ -1,3 +1,4 @@ CONFIG_ESP_HTTPS_SERVER_ENABLE=y +CONFIG_ESP_TLS_CERT_SELECT_HOOK=y CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK=y CONFIG_EXAMPLE_WIFI_SSID_PWD_FROM_STDIN=y
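Review bot: `httpd_ssl_config_default` carries no comment in the .c file, and its `.httpd` sub-initialiser repeats what the removed header comment called a copy of the http_server default config, so the copy will drift the next time esp_http_server gains a field. Add a why-comment above the `.httpd = {` line, e.g. `/* Copied from the esp_http_server defaults rather than reused, because the TLS values differ (4 sockets, 10240-byte stack, LRU purge on); keep the field list in sync with that component. */`. The `#if CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK` block around `.cert_select_cb = NULL` is harmless but redundant, since a designated initialiser zero-initialises omitted members; dropping the three lines removes one `#if` from the initialiser.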
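Review bot: `CONFIG_ESP_TLS_CERT_SELECT_HOOK=y` does not name an existing option: the Kconfig symbol shown in the first patch of this series, and the one tested by the new `#if` in esp_https_server.h and https_server.c, is `ESP_TLS_SERVER_CERT_SELECT_HOOK`. An unknown key in sdkconfig.ci is presumably dropped by the config tool, so the CI build of this example would silently run without the certificate-selection hook and the `cert_select_cb` field, never exercising the compatibility fix this patch is for. Change the line to `CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK=y`.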