fix(tls): do not attach bundle from runtime (#9763)
* fix(tls): do not attach bundle from runtime * fix(ssl): Make the bundle callback per context
This commit is contained in:
parent
de2fc251db
commit
546ce3806b
3 changed files with 23 additions and 5 deletions
@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
|
||||||
void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
|
void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
|
||||||
if (bundle != NULL) {
|
if (bundle != NULL) {
|
||||||
esp_crt_bundle_set(bundle, sizeof(bundle));
|
esp_crt_bundle_set(bundle, sizeof(bundle));
|
||||||
|
attach_ssl_certificate_bundle(sslclient.get(), true);
|
||||||
_use_ca_bundle = true;
|
_use_ca_bundle = true;
|
||||||
} else {
|
} else {
|
||||||
esp_crt_bundle_detach(NULL);
|
esp_crt_bundle_detach(NULL);
|
||||||
|
attach_ssl_certificate_bundle(sslclient.get(), false);
|
||||||
_use_ca_bundle = false;
|
_use_ca_bundle = false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
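Review bot: `esp_crt_bundle_set(bundle, sizeof(bundle))` passes the size of a pointer (4 bytes on ESP32), not the size of the bundle, and its return value is discarded, so the newly added `attach_ssl_certificate_bundle(sslclient.get(), true)` and `_use_ca_bundle = true` run even if the bundle was never installed; on IDF builds that validate bundle_size this presumably rejects the call every time and the handshake then trusts whatever bundle esp_crt_bundle_attach falls back to rather than the one the caller supplied. A lone `const uint8_t *` cannot carry the length, so add an overload `void setCACertBundle(const uint8_t *bundle, size_t size)` that forwards `size`, enable the bundle only when `esp_crt_bundle_set(bundle, size) == ESP_OK`, and have the single-argument form either forward a documented length or log a warning that it cannot validate the bundle. The enclosing class body continues outside the hunk.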
@ -51,6 +51,14 @@ void ssl_init(sslclient_context *ssl_client) {
|
||||||
ssl_client->peek_buf = -1;
|
ssl_client->peek_buf = -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att) {
|
||||||
|
if (att) {
|
||||||
|
ssl_client->bundle_attach_cb = &esp_crt_bundle_attach;
|
||||||
|
} else {
|
||||||
|
ssl_client->bundle_attach_cb = NULL;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
int start_ssl_client(
|
int start_ssl_client(
|
||||||
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
|
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
|
||||||
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
|
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
|
||||||
|
|
@ -195,11 +203,14 @@ int start_ssl_client(
|
||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
}
|
}
|
||||||
} else if (useRootCABundle) {
|
} else if (useRootCABundle) {
|
||||||
log_v("Attaching root CA cert bundle");
|
if (ssl_client->bundle_attach_cb != NULL) {
|
||||||
ret = esp_crt_bundle_attach(&ssl_client->ssl_conf);
|
log_v("Attaching root CA cert bundle");
|
||||||
|
ret = ssl_client->bundle_attach_cb(&ssl_client->ssl_conf);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(ssl, true); was not called!");
|
||||||
}
|
}
|
||||||
} else if (pskIdent != NULL && psKey != NULL) {
|
} else if (pskIdent != NULL && psKey != NULL) {
|
||||||
log_v("Setting up PSK");
|
log_v("Setting up PSK");
|
||||||
|
|
|
||||||
|
|
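Review bot: In the new `else` branch of start_ssl_client, a caller that set useRootCABundle but never registered a callback gets only a `log_e` and execution continues with no CA configured in this chain, so a configuration mistake fails open rather than closed (unless an authmode set outside the hunk rejects the handshake, which is not visible here); return a failure there, e.g. `log_e(...); return -1;` or the negative code the function's callers already expect, consistent with the sibling branch's `return handle_error(ret)`. The callback is typed `esp_err_t` but the check remains `if (ret < 0)`; ESP-IDF `ESP_ERR_*` codes such as ESP_ERR_INVALID_ARG are positive, so an attach that fails with one of them would be treated as success — test `ret != ESP_OK` (or `!= 0`) instead. `ssl_init` in the first hunk sets `peek_buf` but not the new `bundle_attach_cb`; unless the context is zeroed elsewhere (not shown), add `ssl_client->bundle_attach_cb = NULL;` so the NULL test in start_ssl_client does not read an indeterminate pointer. start_ssl_client begins and ends outside the hunk.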
@ -12,6 +12,8 @@
|
||||||
#include "mbedtls/ctr_drbg.h"
|
#include "mbedtls/ctr_drbg.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
|
||||||
|
typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
|
||||||
|
|
||||||
typedef struct sslclient_context {
|
typedef struct sslclient_context {
|
||||||
int socket;
|
int socket;
|
||||||
mbedtls_ssl_context ssl_ctx;
|
mbedtls_ssl_context ssl_ctx;
|
||||||
|
|
@ -24,6 +26,8 @@ typedef struct sslclient_context {
|
||||||
mbedtls_x509_crt client_cert;
|
mbedtls_x509_crt client_cert;
|
||||||
mbedtls_pk_context client_key;
|
mbedtls_pk_context client_key;
|
||||||
|
|
||||||
|
crt_bundle_attach_cb bundle_attach_cb;
|
||||||
|
|
||||||
unsigned long socket_timeout;
|
unsigned long socket_timeout;
|
||||||
unsigned long handshake_timeout;
|
unsigned long handshake_timeout;
|
||||||
|
|
||||||
|
|
@ -37,6 +41,7 @@ int start_ssl_client(
|
||||||
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
|
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
|
||||||
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
|
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
|
||||||
);
|
);
|
||||||
|
void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att);
|
||||||
int ssl_starttls_handshake(sslclient_context *ssl_client);
|
int ssl_starttls_handshake(sslclient_context *ssl_client);
|
||||||
void stop_ssl_socket(sslclient_context *ssl_client);
|
void stop_ssl_socket(sslclient_context *ssl_client);
|
||||||
int data_to_read(sslclient_context *ssl_client);
|
int data_to_read(sslclient_context *ssl_client);
|
||||||
|
|
|
||||||
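Review bot: The new `bundle_attach_cb` field and the `attach_ssl_certificate_bundle()` prototype carry no documentation, and the field's contract is security-relevant: it is consulted only when useRootCABundle is set, and a NULL value means no CA bundle is attached at all. Add above the field `/* Optional CA-bundle attach hook (e.g. esp_crt_bundle_attach); NULL means no bundle is attached even when useRootCABundle is set. Set via attach_ssl_certificate_bundle(). */` and above the prototype `/* Register (att == true) or clear (att == false) the CA-bundle attach callback used by start_ssl_client(). */`. The typedef's `void *conf` is passed `&ssl_client->ssl_conf`, i.e. a `mbedtls_ssl_config *`; a one-line comment on the typedef saying so would help anyone supplying a non-IDF callback.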