Inicio Explorar Axuda
Iniciar sesión
RT-Thread-packages
/
esp-idf
réplica de https://github-proxy.rt-thread.io/RT-Thread-packages/esp-idf.git
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

https_mbedtls: update example to support TLS 1.3 connection

- make server verification mandatory (previously it was optional)
- add PSA crypto init API and handling for session ticket event
- coding style fixes
Mahavir Jain %!s(int64=2) %!d(string=hai) anos
pai
7fd1378fbb
achega
873ac173c4
Modificáronse 1 ficheiros con 29 adicións e 19 borrados
Dividir vista Mostrar estatísticas de Diff
  1. 29 19
      examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c

+ 29 - 19
examples/protocols/https_mbedtls/main/https_mbedtls_example_main.c
Ver ficheiro 

@@ -37,6 +37,9 @@
 
 #include "mbedtls/entropy.h"
 
 #include "mbedtls/ctr_drbg.h"
 
 #include "mbedtls/error.h"
 
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
 
+#include "psa/crypto.h"
 
+#endif
 
 #include "esp_crt_bundle.h"
 
 
 
@@ -65,6 +68,14 @@ static void https_get_task(void *pvParameters)
 
     mbedtls_ssl_config conf;
 
     mbedtls_net_context server_fd;
 
 
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
 
+    psa_status_t status = psa_crypto_init();
 
+    if (status != PSA_SUCCESS) {
 
+        ESP_LOGE(TAG, "Failed to initialize PSA crypto, returned %d\n", (int) status);
 
+        return;
 
+    }
 
+#endif
 
+
 
     mbedtls_ssl_init(&ssl);
 
     mbedtls_x509_crt_init(&cacert);
 
     mbedtls_ctr_drbg_init(&ctr_drbg);
 
@@ -110,12 +121,7 @@ static void https_get_task(void *pvParameters)
 
         goto exit;
 
     }
 
 
-    /* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print
 
-       a warning if CA verification fails but it will continue to connect.
 
-
 
-       You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code.
 
-    */
 
-    mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
+    mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
 
     mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
 
     mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
 
 #ifdef CONFIG_MBEDTLS_DEBUG
 
@@ -123,10 +129,9 @@ static void https_get_task(void *pvParameters)
 
 #endif
 
 
 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
 
-    mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
 
-    mbedtls_ssl_conf_max_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
 
+    mbedtls_ssl_conf_min_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
 
+    mbedtls_ssl_conf_max_tls_version(&conf, MBEDTLS_SSL_VERSION_TLS1_3);
 
 #endif
 
-
 
     if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
 
     {
 
         ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret);
 
@@ -200,22 +205,28 @@ static void https_get_task(void *pvParameters)
 
             bzero(buf, sizeof(buf));
 
             ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
 
 
-            if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE)
 
+#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
 
+            if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
 
+                ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
 
                 continue;
 
+            }
 
+#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
 
+
 
+            if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
 
+                continue;
 
+            }
 
 
-            if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
 
+            if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
 
                 ret = 0;
 
                 break;
 
             }
 
 
-            if(ret < 0)
 
-            {
 
+            if (ret < 0) {
 
                 ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
 
                 break;
 
             }
 
 
-            if(ret == 0)
 
-            {
 
+            if (ret == 0) {
 
                 ESP_LOGI(TAG, "connection closed");
 
                 break;
 
             }
 
@@ -223,7 +234,7 @@ static void https_get_task(void *pvParameters)
 
             len = ret;
 
             ESP_LOGD(TAG, "%d bytes read", len);
 
             /* Print response directly to stdout as it is read */
 
-            for(int i = 0; i < len; i++) {
 
+            for (int i = 0; i < len; i++) {
 
                 putchar(buf[i]);
 
             }
 
         } while(1);
 
@@ -234,8 +245,7 @@ static void https_get_task(void *pvParameters)
 
         mbedtls_ssl_session_reset(&ssl);
 
         mbedtls_net_free(&server_fd);
 
 
-        if(ret != 0)
 
-        {
 
+        if (ret != 0) {
 
             mbedtls_strerror(ret, buf, 100);
 
             ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
 
         }
 
@@ -246,7 +256,7 @@ static void https_get_task(void *pvParameters)
 
         ESP_LOGI(TAG, "Completed %d requests", ++request_count);
 
         printf("Minimum free heap size: %" PRIu32 " bytes\n", esp_get_minimum_free_heap_size());
 
 
-        for(int countdown = 10; countdown >= 0; countdown--) {
 
+        for (int countdown = 10; countdown >= 0; countdown--) {
 
             ESP_LOGI(TAG, "%d...", countdown);
 
             vTaskDelay(1000 / portTICK_PERIOD_MS);
 
         }