mirror
/
esp-idf
kopia lustrzana https://github.com/espressif/esp-idf
1
0
Forkuj 0
Kod Zgłoszenia Projekty Wydania Wiki Aktywność

cert bundle: Fix memory leak during cert verification 

Also refactors the unit tests and fixes the test case, as it was giving false positives.

Closes IDFGH-2950

Closes https://github.com/espressif/esp-idf/issues/4983
pull/5106/head
Marius Vikhammer 2020-03-26 10:53:50 +08:00
rodzic c9f29e0b59
commit 9ccc5e6d84
6 zmienionych plików z 159 dodań i 180 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

1
components/mbedtls/CMakeLists.txt
Wyświetl plik

@ -1,4 +1,5 @@
idf_build_get_property(idf_target IDF_TARGET)
idf_build_get_property(python PYTHON)
idf_component_register(SRCS "esp_crt_bundle/esp_crt_bundle.c"
INCLUDE_DIRS "port/include" "mbedtls/include" "esp_crt_bundle/include"

31
components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
Wyświetl plik

@ -19,7 +19,6 @@
#include "esp_log.h"
#include "esp_err.h"
#define BUNDLE_HEADER_OFFSET 2
#define CRT_HEADER_OFFSET 4
@ -43,45 +42,48 @@ typedef struct crt_bundle_t {
static crt_bundle_t s_crt_bundle;
static int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int data, uint32_t *flags);
static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
static esp_err_t esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len)
{
int ret = ESP_FAIL;
int ret = 0;
mbedtls_x509_crt parent;
const mbedtls_md_info_t *md_info;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_x509_crt_init(&parent);
if ( (ret = mbedtls_pk_parse_public_key(&parent.pk , pub_key_buf, pub_key_len) ) != 0) {
if ( (ret = mbedtls_pk_parse_public_key(&parent.pk, pub_key_buf, pub_key_len) ) != 0) {
ESP_LOGE(TAG, "PK parse failed with error %X", ret);
return ESP_FAIL;
goto cleanup;
}
// Fast check to avoid expensive computations when not necessary
if (!mbedtls_pk_can_do(&parent.pk, child->sig_pk)) {
ESP_LOGE(TAG, "Simple compare failed");
return ESP_FAIL;
ret = -1;
goto cleanup;
}
md_info = mbedtls_md_info_from_type(child->sig_md);
if ( (ret = mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash )) != 0 ) {
ESP_LOGE(TAG, "Internal mbedTLS error %X", ret);
return ESP_FAIL;
goto cleanup;
}
ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len ) ;
if ( (ret = mbedtls_pk_verify_ext( child->sig_pk, child->sig_opts, &parent.pk,
child->sig_md, hash, mbedtls_md_get_size( md_info ),
child->sig.p, child->sig.len )) != 0 ) {
if (ret != 0) {
ESP_LOGE(TAG, "PK verify failed with error %X", ret);
return ESP_FAIL;
goto cleanup;
}
return ESP_OK;
cleanup:
mbedtls_x509_crt_free(&parent);
return ret;
}
@ -205,6 +207,7 @@ esp_err_t esp_crt_bundle_attach(void *conf)
void esp_crt_bundle_detach(mbedtls_ssl_config *conf)
{
free(s_crt_bundle.crts);
s_crt_bundle.crts = NULL;
if (conf) {
mbedtls_ssl_conf_verify(conf, NULL, NULL);
}

50
components/mbedtls/test/prvtkey.pem
Wyświetl plik

@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAra9Pvr1J4ltGfVdnOv4DVdYTL68UaIKu37r0TMRdBKn5gSKm
nBnvDx4TyMfiaOyo6tADGZPbzYJ2r45Zmo8zoIiUwh9SWHkFghTl+jNp0+1QxRCH
HyRak3ShIZvje+c0xDDgMIv41l62FCE86dNW0gUCC/KgRCInqzsKurbxZU2qjebI
5TKDkOFJsmoaWPb3q2+wEztPpvjGlV33UVX3OK8bJtRKALFn3733E7g5F2qANjOu
S+7jXDzqxw5HD+QZTTH2Kehh/hrV96WeXUVGnMWru2BtYWKD0Pdh7zGcXjP8oSf2
FkVssh+0f9khI9Xz6KzdSIMVEeSrDXRKnyJnDQIDAQABAoIBAEtOCpZZvfIdvxdT
URfb0Jhj5Be1onSZzLaGeavbK7V8+QgLfQ+LkwIL+WoBeGIj0i1VGTL6z79wBIOj
hagk1K6S6WStbeecOU4oP3pW1lijuXRn8R4IhhkO5VoMG/q5yUATLPD/j1lq4Skj
LCT5k9glgbiqbuB7qpVsWP+RmGJiLh3jBDrb1NrZLuDlXhXJO+AF69syxxiyvnFA
s7aVHst2TPXgccA9Fh37GzxN4hratz6n0JAaMxpRdJaJF1sSQQznfrYfxnkwtE1y
ZXS5XgeDjqv00mucZVVzNkhT9WeS0bXd0lblboK2z39cN2YDYrmfEr2HonbTozNj
HPlBG2UCgYEA3zWj3kAFhpl6zrHvcIzaemDxi9pFam2wJLgzeSXuHBSZSazi//qm
Dv7rgP38XsY6MeaqpLW687FZ6yiDg2OLLMc4ho7Rq6mOKjp3nTVHjO+LONfxgWul
evhFIabW056jafecouUSvy/9nvrrA5QEJjaHxg0tREuaGiBBgMXTnd8CgYEAxzMr
NkVHqIis5AzGUJOaF2uTqnXbnM+/+kEkJD6yNzFovsxkaebGQF9LA1s/qiDtZtlH
QiXlDsWl/PrKmvxToBY3v3fJKeAMXValtAtX0h67RX6rJUqXBATT/AOcfdlWoaEt
xTCRwi70xjVoSwnvE8CZAGDyHk3/cjRcOBe5QJMCgYAyy4ApGaSoRtEdrHxyvnsR
knIlg1x8pc2J7ak5DpqrJTzk+UUHP8D+dKCfUC1YW//uTzHSHdEXl+qAi02yXrrT
S9rfNC0exY0mqvuBeRh5SCIEo4/ABgE4hLsmt1L4AYfqm4C3yS2E+KTcwvksbUis
cYhgV6tPeWzuORzu8xX/PQKBgG5puFv+jrel+l71jb7/8Xtlz5W+ehozNTAbh1Ln
xZS+OFb5p/bjSaRIraWQoHtGgRBvAwZxRsOnXlgZEtBRaHDln8TrOn+Rhoj+DB79
4pG/IwJkMa0b6RT7MB0SS12eaFxyoJIaV9CQgnCTDdn6CaCjMqt5EPsnNJ4y06Lr
020tAoGASPmKKVhXJxfhzyzsY9Kk9o31MKISUqVDNimqVDOt8vPZw8m/2WXUVH9T
DnuEGaBmpG22Gs1NxbktsYAUzBeRBpoQ/fNK55eaZorJLs3DfFK604lLClJlQsDd
yfp4LcRNQGodV4Utl6mPOtOFa8nrVGMQn3+M3TK6QTNpjLe87OE=
MIIEpQIBAAKCAQEAySb2QFrQZjQ1EhfN7I+raKrWSWWeYGppqPk3E1sV2y6LSE3M
7cVZyXxcpnP4mcKos3D9k8sbkt05oKcHR2THpWdz5mJn8A7TfJYWnYRHcRuR85th
XC8Pjf3f+JfjXgr/2a2JqHb4fttxoDRwWP1+kbTHa4iERqTFOIhYB9wD8uzbBHJq
IlIGbBHO9J+JxZKVkgDWZfc7zik3YzvkuWju/PmF73BagGxxRDzodzfxhHq1f96J
w10YS9pkhVFLxzOz3O+buwL8plCQplVnpj6J+2MaY4JlUvCcosDkT0EORAtrYGwZ
KJBKn4dRftk8Wbtns7zoJ2SNUL5TZ2oyAb2dwQIDAQABAoIBAQCRmE3tTs5A69Du
A6TdcTAUVnM8NP1ptBw+XgRrUiaDuzC9aPLHt2zB1e4J3S83vBn3p/UjIIQYzV+E
1OED4AJRyoutWdT5gQG6z7gW00QSrm358aGK49VSZUvT17yOuU9u85kMAvDigVvB
JbOb9f/C3yLoxqtXprPJs4ZkSe/hyB0JtRzauDYZnK4JmtgDfGds1cykohbUaeCW
ExUSbi/EPuroowmjEPFmN4tH/C3GtQonwGfjP76GXm8u5Fg8VXYUmb5pnxYcFdvv
shoasbK5lksgK50VP2vA9Y3mIrThRvkWgcv0TZaQWAF/JtdSXIID5WzfsgLbtDQF
hZLk1dDxAoGBAPfAjPAqapNVl4GqSkUWofUHMzZG85fHoPN3INSA0aMr4X9wHFfQ
pQ0ACxuimQj66Vk4rWww+HrsjPfiNMZzoi1exS1tjbQVyTBffrHj8sSdWt8Gw6MB
Pp5ubnCy9pl4lWNHlJZJp2SwAd10LzrizzAQALeEtRmg8meYGZElVUy7AoGBAM/Z
REXLJgaad5V3A2xehrSnknKUwab4LFIrgirZ6h0RXYo+wEHGJpDvM5Vw3sZT+UaJ
Jdlb3cXbqOxWrKlqjKe/S2vNScP7V2Na8l/ySO93PYE0V1Q+EeuNGi41xWC4Dh7o
D7BX2nDm9YBZzNVxM/30/dTzFM+CKrCARsLIXvWzAoGBAOQ4GRv61qXVyHSHO1cd
HB+sfD5ZaXa9S8Q6TqGx8GrQty4/RbyW1BN/oLvaMgKVr3KixQ3OpnYFhW2qkFbm
mdQVYqkQK+Jh1yyaKwkPI8h98wFTJ8/2C4rByzZBhOumqmYDwBoYyvvzLiSjLAag
e56YfzCOLIzpN6K594M+0q6VAoGBALWR5D1gKRjNqbetHxV1QhHg7WMhJkaZOAaU
MYMDmKvJ9sAE72jGE/y6qYJb9pCk3PdMaf8GbKciq9/CG9Vn2fXUe6txy4XkNEP8
OA2vFx3yOY18Tumty3PNcNh7arCCOPuw17vCE3ZbnI2CZRj0amnosjFsJHreCDLl
7GrOJX5XAoGASZXbGykpYJTTr5PGPL/eX0koU1RZ9f6fvVdkfeWNGZfJ4oGkxDcO
fJnzq9wC9YREy6f3eoMrix95RPv4Qo1Wwi2PmtyMFvUdsYckFEhxSN3p4Iqn/nQg
6I7VB0yNqw8ZdP1vBkRcg3kk+QO2tci+OTdpDSKmO5nGjuqpsdBM5/o=
-----END RSA PRIVATE KEY-----

BIN
components/mbedtls/test/server_cert_bundle
Wyświetl plik

Plik binarny nie jest wyświetlany.

79
components/mbedtls/test/server_cert_chain.pem
Wyświetl plik

@ -1,63 +1,20 @@
-----BEGIN CERTIFICATE-----
MIIFODCCAyCgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwWjELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxJDAiBgNVBAMM
G0VzcHJlc3NpZiBJbnRlcm1lZGlhdGUgdGVzdDAeFw0xOTEwMTEwMjU0MDdaFw0z
MDA5MjMwMjU0MDdaMEgxCzAJBgNVBAYTAkNOMREwDwYDVQQIDAhTaGFuZ2hhaTES
MBAGA1UECgwJRXNwcmVzc2lmMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCtr0++vUniW0Z9V2c6/gNV1hMvrxRogq7f
uvRMxF0EqfmBIqacGe8PHhPIx+Jo7Kjq0AMZk9vNgnavjlmajzOgiJTCH1JYeQWC
FOX6M2nT7VDFEIcfJFqTdKEhm+N75zTEMOAwi/jWXrYUITzp01bSBQIL8qBEIier
Owq6tvFlTaqN5sjlMoOQ4UmyahpY9verb7ATO0+m+MaVXfdRVfc4rxsm1EoAsWff
vfcTuDkXaoA2M65L7uNcPOrHDkcP5BlNMfYp6GH+GtX3pZ5dRUacxau7YG1hYoPQ
92HvMZxeM/yhJ/YWRWyyH7R/2SEj1fPorN1IgxUR5KsNdEqfImcNAgMBAAGjggEY
MIIBFDAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAzBglghkgBhvhCAQ0E
JhYkT3BlblNTTCBHZW5lcmF0ZWQgU2VydmVyIENlcnRpZmljYXRlMB0GA1UdDgQW
BBR8LwbfGcYMVc++Ugdoc2XXYXUOBzB7BgNVHSMEdDBygBSZ45naA62T1+k4QIyt
n2h1bWyGOKFWpFQwUjELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5naGFpMRIw
EAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMME0VzcHJlc3NpZiBSb290IFRlc3SC
AhAAMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG
9w0BAQsFAAOCAgEAQ/9JU171woAvQlZ8gmYIOkyIfYQfKmhvw+2DoP+5r1+LOHtO
frg9BshucqXlQ65yRWL8KaAIFKE4e/qBXnD/ZX8R8lR0aMKCgYVW6A1n0wWko/fU
RNXt+sXr+fMX7h0HOC3mzWf2fZkR5B0jUSBQSVkXNt+jkjWOFIGzfHDKldgX5rVX
vNmHwS5zRjbOvPaXrmNpV7wkQ/bRJbnFmbT5V6fwDFzdLzJami86eiT+C68d07/W
We5htv20nYFYdwQJMWYlnGLPPaSE+n5m4QqsrlfR7uOgnuX3RfKHMsiWa7TxLA4g
D9VZq88SQLshec/CIcYlSgnEfa9LxL2mKv386e9YWD2Oho/B33L5tdflihR5m1sd
9xIgka9aXmHu8GEVaBRqzqtIReoa7KfmEQWYjqXH8YdDLMlMKl968Y7c779/SDxC
1ibkanS1+2dPBYpoZldcnbH8w2dguk7luTuPlJxJph6NHGI7bbxL9z6yc5kJi2dS
R4TNXI3UKZ5s7ZUPTv2nYMJIbyEzSjkxinLsr7rFLGlAIpAlRq1C6jmh1ArGA3H2
jK0xYZcMN8Sz9gYV/zk/VTDMmiyZrYmZSxuhQFZCWaLN79z0pi5SefLW+1K6CzNj
hah0wJEtzq492IQS0q3gH82iGM35Ffy+rtAWIsxrL/2wn+cOrPGvRdmR6J0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFjjCCA3agAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCQ04x
ETAPBgNVBAgMCFNoYW5naGFpMRIwEAYDVQQKDAlFc3ByZXNzaWYxHDAaBgNVBAMM
E0VzcHJlc3NpZiBSb290IFRlc3QwHhcNMTkxMDEwMTE1MDMyWhcNMjkxMDA3MTE1
MDMyWjBaMQswCQYDVQQGEwJDTjERMA8GA1UECAwIU2hhbmdoYWkxEjAQBgNVBAoM
CUVzcHJlc3NpZjEkMCIGA1UEAwwbRXNwcmVzc2lmIEludGVybWVkaWF0ZSB0ZXN0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAp7FJAjmfYsTlrcZPRJ3g
+IiKW/Gm3q23X4xzdKUQopth3DPO9FDvnce9e7JwXa1WDF8CZqWkvKrJS0njEAUR
JERLYSr28aVFUyodnfxp/+1B5aJFj7LHampLWXsnVCchHHZB0pYZ6KLrTUU73KKd
WaJODtBrq5g9mNNZqVOOHljgr5r8AJefemsCs+LhGcqq8ZFWeZBwzF2YC0h+55hc
7K5g0MnGnQHD3s5nuuSJ9Grz+NDvzESYjmZfTq56wXN6nQIi+4JYBpAx4y63n6NR
0JPsSePDlnGC4KNmHOeF9nXMgvqEP1doLssKKWdPZub6VQHLTk5ILFr1JKaSPjgj
4twKjCTzxN3dPmxY2KPq+tUtoXFxLxqrJk/HyBwiClxSlwhyAe9iZd3Lh0RFENEf
jS6gdD7coLlkJzALLcUTp0VWFWpPT1MbgYMHnnOuKXjw6KWXz/iuxvOJO4ip3tRf
ssuog/cMwmkxKC9oHfoIPBuafW42/os4aZwy/7fJgAFO/e1/n6T7T2qygNOKBvYq
mS6SWm9OFhUJuUtPlUdvHiVDQx40S0a8Z2Rp4XcuBU0M8Toi3lkEwJX/l89Wsos+
UOITA1B71HxkzHMZQNdXLfnV0tCtC6C3S8IktFm0Kfqa8ruXbjzkKg0I8Wfwyefv
HTc7FRQpyYgXkVLt1ziA+4MCAwEAAaNmMGQwHQYDVR0OBBYEFJnjmdoDrZPX6ThA
jK2faHVtbIY4MB8GA1UdIwQYMBaAFAqo9zQmHYRS1EF/1Fkb31gvGK9HMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IC
AQBl+7vf7T6K7JhHQTFfOlUNoy4rdau6eAfoQE1wybUNIeuKLqhXfn7uLhYLE9Tq
LAYcMN8M8F2MFt7nNifbAFRiXCRRes6tFyQkjqG4SijvGoMiCL3pVYEgrET2qIm8
Rvupsh/u2UuGivy7XzJmMzU6HhTjF/Yfc6AiPkISzMqxLtbzCD+3TOxNe9nalsFv
gmQsCYUqVZCwdThvHMWY7lC+KZ/f0X8gyVHZpx6K/K+MbMSTzZZa7VEjcJcEQZ8r
+Br0e9X3EkGsKbnq/kVouMZGrZtbOXYNjoVStNdobNaJ1d379xbt8UgkvvSUhJoK
Y4pZoO3nZZUHslLDuLNG6m2tk1SHL7NPNhJoAGwqFtLyrUaUaGa+uIXev4xA0Cby
vUn+PXLKo9NcnDI38l/NxVhqWvKAwkWww/GDdic7GGfzJVSr+K4q3dxy3JW1nh4n
gaGSeKrP0lgO5NqJswGFSrY05lx06HKxHRJRtLf8g+llrGrhApRVqjM9t0By7CgK
E/EgGWG6MyGi2YLenFdFzFRgqEsKVn11XV+rkaC1NSu7l7QfTSiHrynBsYcCTnzD
z4QxJvlLon22Jp1qCwFVKXAE9wc/ncENqiA6vbjP9pq5yps+XbO2frdSQcNwHFIR
aaL+u5SAcyr3qV0I7Wghq0Xoo00DV/pm9K78tIamtsmNhw==
MIIDVTCCAj0CFG5WO5Ukqd/0PnrSPIlQnXNjrCUUMA0GCSqGSIb3DQEBCwUAMGIx
CzAJBgNVBAYTAkNOMRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQHDAhTaGFu
Z2hhaTESMBAGA1UECgwJRXNwcmVzc2lmMRcwFQYDVQQDDA5Fc3ByZXNzaWYgUm9v
dDAeFw0yMDAzMjYwNjQxMTlaFw0yMTAzMjEwNjQxMTlaMGwxCzAJBgNVBAYTAkNO
MRMwEQYDVQQIDApTb21lLVN0YXRlMREwDwYDVQQHDAhTaGFuZ2hhaTEhMB8GA1UE
CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRIwEAYDVQQDDAlsb2NhbGhvc3Qw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJJvZAWtBmNDUSF83sj6to
qtZJZZ5gammo+TcTWxXbLotITcztxVnJfFymc/iZwqizcP2TyxuS3TmgpwdHZMel
Z3PmYmfwDtN8lhadhEdxG5Hzm2FcLw+N/d/4l+NeCv/ZrYmodvh+23GgNHBY/X6R
tMdriIRGpMU4iFgH3APy7NsEcmoiUgZsEc70n4nFkpWSANZl9zvOKTdjO+S5aO78
+YXvcFqAbHFEPOh3N/GEerV/3onDXRhL2mSFUUvHM7Pc75u7AvymUJCmVWemPon7
YxpjgmVS8JyiwORPQQ5EC2tgbBkokEqfh1F+2TxZu2ezvOgnZI1QvlNnajIBvZ3B
AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAI2RzAwx1IiyWYPbSQOMjATKG1hiqNJF
fkkqJrSfu93iQyye3Umb/pdUf7v5xgN2NrW5VnRow19VR7uCU4VCCBfx77f0Zp2e
UA13qhT5zljoqgtkU9bHbRfTW/Hq30joKqQz8+Z0Yom6qZA7XjAhXXiHt7I4Noq6
y+HwH08Xr1nII1c6Zc0cDqK9UV02w2v1RJrnGlq3v/CBpanA/nz4LdP5Jqbh79WW
bCe8+Y7WEYR7K4dKSkDugf8ROAaGuCYAbhRMU3tFjNlMRR/5HcBpy7MfUvX6GcI0
QCfe4ugnHXQXNxS0rb2uM6yCHOTiQ5MJjBPh9tRYV9bSko5u/NmwsFU=
-----END CERTIFICATE-----

178
components/mbedtls/test/test_esp_crt_bundle.c
Wyświetl plik

@ -63,15 +63,21 @@ typedef struct {
mbedtls_x509_crt cert;
mbedtls_pk_context pkey;
}mbedtls_endpoint_t;
} mbedtls_endpoint_t;
typedef enum {
ESP_CRT_VALIDATE_UNKNOWN,
ESP_CRT_VALIDATE_OK,
ESP_CRT_VALIDATE_FAIL,
}esp_crt_validate_res_t;
static const char *TAG = "cert_bundle_test";
static volatile bool exit_flag;
esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint);
esp_err_t endpoint_teardown(mbedtls_endpoint_t *endpoint);
esp_err_t server_setup(mbedtls_endpoint_t * server)
esp_err_t server_setup(mbedtls_endpoint_t *server)
{
int ret;
mbedtls_ssl_config_init( &server->conf );
@ -87,52 +93,49 @@ esp_err_t server_setup(mbedtls_endpoint_t * server)
ret = mbedtls_x509_crt_parse( &server->cert, server_cert_chain_pem_start,
server_cert_chain_pem_end - server_cert_chain_pem_start);
if( ret != 0 ) {
if ( ret != 0 ) {
ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned %d", ret );
return ESP_FAIL;
}
ret = mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start ,
ret = mbedtls_pk_parse_key( &server->pkey, (const unsigned char *)server_pk_start,
server_pk_end - server_pk_start, NULL, 0 );
if( ret != 0 ) {
if ( ret != 0 ) {
ESP_LOGE(TAG, "mbedtls_pk_parse_key returned %d", ret );
return ESP_FAIL;
}
ESP_LOGI(TAG, "Bind on https://%s:%s/", SERVER_ADDRESS, SERVER_PORT );
if( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
if ( ( ret = mbedtls_net_bind( &server->listen_fd, NULL, SERVER_PORT, MBEDTLS_NET_PROTO_TCP ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_net_bind returned %d", ret );
return ESP_FAIL;
}
mbedtls_net_set_nonblock(&server->listen_fd);
ESP_LOGI(TAG, "Seeding the random number generator");
if( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
NULL, 0) ) != 0 ) {
if ( ( ret = mbedtls_ctr_drbg_seed( &server->ctr_drbg, mbedtls_entropy_func, &server->entropy,
NULL, 0) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret );
return ESP_FAIL;
}
ESP_LOGI(TAG, "Setting up the SSL data");
if( ( ret = mbedtls_ssl_config_defaults( &server->conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 )
{
if ( ( ret = mbedtls_ssl_config_defaults( &server->conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret );
return ESP_FAIL;
}
mbedtls_ssl_conf_rng( &server->conf, mbedtls_ctr_drbg_random, &server->ctr_drbg );
mbedtls_ssl_conf_ca_chain( &server->conf, server->cert.next, NULL );
if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 )
{
if (( ret = mbedtls_ssl_conf_own_cert( &server->conf, &server->cert, &server->pkey ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ssl_conf_own_cert returned %d", ret );
return ESP_FAIL;
}
if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 )
{
if (( ret = mbedtls_ssl_setup( &server->ssl, &server->conf ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_ssl_setup returned %d", ret );
return ESP_FAIL;
}
@ -151,27 +154,33 @@ void server_task(void *pvParameters)
goto exit;
}
ESP_LOGI(TAG, "Waiting for a remote connection" );
if( ( ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd,
NULL, 0, NULL ) ) != 0 ) {
ESP_LOGE(TAG, "mbedtls_net_accept returned %d", ret );
goto exit;
}
bool connected = false;
while (!exit_flag) {
mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
ret = mbedtls_net_accept( &server.listen_fd, &server.client_fd, NULL, 0, NULL );
while(exit_flag == false) {
mbedtls_ssl_handshake( &server.ssl );
if (ret == 0) {
connected = true;
}
if (connected) {
mbedtls_ssl_set_bio( &server.ssl, &server.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL );
ret = mbedtls_ssl_handshake( &server.ssl );
mbedtls_ssl_session_reset(&server.ssl);
connected = false;
}
vTaskDelay(20 / portTICK_PERIOD_MS);
}
ESP_LOGE(TAG, "Server shutdown");
exit:
endpoint_teardown(&server);
xSemaphoreGive(*sema);
vTaskDelete(NULL);
exit:
endpoint_teardown(&server);
xSemaphoreGive(*sema);
vTaskDelete(NULL);
}
esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
esp_err_t endpoint_teardown(mbedtls_endpoint_t *endpoint)
{
mbedtls_net_free( &endpoint->client_fd );
mbedtls_net_free( &endpoint->listen_fd );
@ -187,7 +196,7 @@ esp_err_t endpoint_teardown(mbedtls_endpoint_t* endpoint)
return ESP_OK;
}
esp_err_t client_setup(mbedtls_endpoint_t* client)
esp_err_t client_setup(mbedtls_endpoint_t *client)
{
int ret;
mbedtls_ssl_config_init( &client->conf );
@ -199,24 +208,24 @@ esp_err_t client_setup(mbedtls_endpoint_t* client)
mbedtls_ctr_drbg_init( &client->ctr_drbg );
ESP_LOGI(TAG, "Seeding the random number generator");
if((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
NULL, 0)) != 0) {
if ((ret = mbedtls_ctr_drbg_seed(&client->ctr_drbg, mbedtls_entropy_func, &client->entropy,
NULL, 0)) != 0) {
ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Setting hostname for TLS session...");
/* Hostname set here should match CN in server certificate */
if((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
/* Hostname set here should match CN in server certificate */
if ((ret = mbedtls_ssl_set_hostname(&client->ssl, SERVER_ADDRESS)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Setting up the SSL/TLS structure...");
if((ret = mbedtls_ssl_config_defaults(&client->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
if ((ret = mbedtls_ssl_config_defaults(&client->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret);
return ESP_FAIL;
}
@ -230,21 +239,26 @@ esp_err_t client_setup(mbedtls_endpoint_t* client)
return ESP_OK;
}
void client_task(void *pvParameters)
int client_task(const uint8_t *bundle, esp_crt_validate_res_t *res)
{
int ret;
xSemaphoreHandle *sema = (xSemaphoreHandle *) pvParameters;
int ret = ESP_FAIL;
mbedtls_endpoint_t client;
if(client_setup(&client) != ESP_OK) {
*res = ESP_CRT_VALIDATE_UNKNOWN;
if (client_setup(&client) != ESP_OK) {
ESP_LOGE(TAG, "SSL client setup failed");
goto exit;
}
// Set the custom bundle which DOESN'T includes the server's root certificate (default bundle)
esp_crt_bundle_attach(&client.conf);
if (bundle) {
/* Set a bundle different from the menuconfig bundle */
esp_crt_bundle_set(bundle);
}
ESP_LOGI(TAG, "Connecting to %s:%s...", SERVER_ADDRESS, SERVER_PORT);
if ((ret = mbedtls_net_connect(&client.client_fd, SERVER_ADDRESS, SERVER_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) {
@ -256,57 +270,61 @@ void client_task(void *pvParameters)
mbedtls_ssl_set_bio(&client.ssl, &client.client_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle that is missing the server root certificate");
ret = mbedtls_ssl_handshake(&client.ssl);
while ( ( ret = mbedtls_ssl_handshake( &client.ssl ) ) != 0 ) {
if ( ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) {
printf( "mbedtls_ssl_handshake failed with -0x%x\n", -ret );
break;
}
}
ESP_LOGI(TAG, "Verifying peer X.509 certificate for bundle ...");
TEST_ASSERT(mbedtls_ssl_get_verify_result(&client.ssl) != 0);
ret = mbedtls_ssl_get_verify_result(&client.ssl);
*res = (ret == 0) ? ESP_CRT_VALIDATE_OK : ESP_CRT_VALIDATE_FAIL;
// Reset session before new connection
mbedtls_ssl_close_notify(&client.ssl);
mbedtls_ssl_session_reset(&client.ssl);
// Set the custom bundle which includes the server's root certificate
esp_crt_bundle_set(server_cert_bundle_start);
ESP_LOGI(TAG, "Performing the SSL/TLS handshake with bundle containing the server root certificate");
ret = mbedtls_ssl_handshake(&client.ssl);
ESP_LOGI(TAG, "Verifying peer X.509 certificate ...");
ret = mbedtls_ssl_get_verify_result(&client.ssl);
TEST_ASSERT(ret == 0);
if(ret == 0) {
ESP_LOGI(TAG, "Certificate validated");
}
mbedtls_net_free( &client.client_fd);
exit_flag = true;
exit:
mbedtls_ssl_close_notify(&client.ssl);
mbedtls_ssl_session_reset(&client.ssl);
esp_crt_bundle_detach(&client.conf);
endpoint_teardown(&client);
exit:
mbedtls_ssl_close_notify(&client.ssl);
mbedtls_ssl_session_reset(&client.ssl);
esp_crt_bundle_detach(&client.conf);
endpoint_teardown(&client);
xSemaphoreGive(*sema);
vTaskDelete(NULL);
return ret;
}
TEST_CASE("custom certificate bundle", "[mbedtls]")
{
esp_crt_validate_res_t validate_res;
test_case_uses_tcpip();
xSemaphoreHandle exit_sema = xSemaphoreCreateCounting(2, 0);
xSemaphoreHandle exit_sema = xSemaphoreCreateBinary();
xTaskCreate(server_task, "server task", 8192, &exit_sema, 5, NULL);
exit_flag = false;
xTaskCreate(server_task, "server task", 8192, &exit_sema, 10, NULL);
// Wait for the server to start up
vTaskDelay(100 / portTICK_PERIOD_MS);
xTaskCreate(client_task, "https_get_task", 8192, &exit_sema, 5, NULL);
for(int i = 0; i < 2; i++) {
if(!xSemaphoreTake(exit_sema, 10000/portTICK_PERIOD_MS)) {
TEST_FAIL_MESSAGE("exit_sem not released by test task");
}
/* Test with default crt bundle that doesnt contain the ca crt */
client_task(NULL, &validate_res);
TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_FAIL);
/* Test with bundle that does contain the CA crt */
client_task(server_cert_bundle_start, &validate_res);
TEST_ASSERT(validate_res == ESP_CRT_VALIDATE_OK);
exit_flag = true;
if (!xSemaphoreTake(exit_sema, 10000 / portTICK_PERIOD_MS)) {
TEST_FAIL_MESSAGE("exit_sem not released by server task");
}
vSemaphoreDelete(exit_sema);
}
}