diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..29d1640
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,42 @@
+# gtags
+GTAGS
+GRTAGS
+GPATH
+
+# emacs
+.dir-locals.el
+
+# emacs temp file suffixes
+*~
+.#*
+\#*#
+
+# eclipse setting
+.settings
+
+# MacOS directory files
+.DS_Store
+
+# Components Unit Test Apps files
+components/**/build
+components/**/sdkconfig
+components/**/sdkconfig.old
+
+# Example project files
+examples/**/sdkconfig
+examples/**/sdkconfig.old
+examples/**/build
+
+# VS Code Settings
+.vscode/
+
+# VIM files
+*.swp
+*.swo
+
+# Clion IDE CMake build & config
+.idea/
+cmake-build-*/
+
+# ESP-IDF default build directory name
+build
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 8bfb7ae..0d37f4b 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -6,6 +6,7 @@ variables:
 BATCH_BUILD: "1"
 V: "0"
 MAKEFLAGS: "-j5 --no-keep-going"
+ GIT_SUBMODULE_STRATEGY: recursive
 
 # before each job, we need to check if this job is filtered by bot stage/job filter
 .apply_bot_filter: &apply_bot_filter
@@ -25,65 +26,36 @@ variables: - git --version - git submodule update --init --recursive -test_build_esp32: - when: always +.build_idf_template: stage: build - image: "$CI_DOCKER_REGISTRY/esp-idf-doc-env:v4.4-1-v2" + image: espressif/idf:latest tags: - build variables: - IDF_PATH: "$CI_PROJECT_DIR/idf/esp-idf" - before_script: *setup_env + PEDANTIC_FLAGS: "-Werror -Werror=unused-variable -Werror=unused-but-set-variable -Werror=unused-function" + EXTRA_CFLAGS: "${PEDANTIC_FLAGS}" + EXTRA_CXXFLAGS: "${PEDANTIC_FLAGS}" script: - - export PATH="$IDF_PATH/tools:$PATH" - - mkdir idf - - cd idf - - export - - git clone --recursive --depth 1 $GITLAB_SSH_SERVER/idf/esp-idf.git - - pushd esp-idf - - echo "v4.1" > version.txt - - source tools/ci/setup_python.sh - - source tools/ci/configure_ci_environment.sh - - tools/idf_tools.py --non-interactive install && eval "$(tools/idf_tools.py --non-interactive export)" || exit 1 - - popd - - cd ../tools/ci && ./build_exmaples.sh || exit 1 + - cd $CI_PROJECT_DIR/tools/ci + - ./build_examples.sh || exit 1 -test_build_esp8266: - when: always - stage: build - image: $CI_DOCKER_REGISTRY/esp8266-ci-env-new - tags: - - build - variables: - IDF_PATH: "$CI_PROJECT_DIR/idf/ESP8266_RTOS_SDK" - before_script: *setup_env - script: - - export PATH="$IDF_PATH/tools:$PATH" - - mkdir idf - - cd idf - - export - - git clone --recursive --depth 1 $GITLAB_SSH_SERVER/sdk/ESP8266_RTOS_SDK.git - - pushd ESP8266_RTOS_SDK - - echo "v3.3" > version.txt - - tools/idf_tools.py --non-interactive install && eval "$(tools/idf_tools.py --non-interactive export)" || exit 1 - - source tools/ci/configure_ci_environment.sh - - popd - - cd ../tools/ci && ./build_exmaples.sh || exit 1 +build_idf_master: + extends: .build_idf_template + image: espressif/idf:latest +build_idf_v4.4: + extends: .build_idf_template + image: espressif/idf:release-v4.4 push_master_to_github: stage: deploy - image: "$CI_DOCKER_REGISTRY/esp-idf-doc-env:v4.4-1-v2" + image: espressif/idf:latest 
 tags:
 - deploy
 only:
 - master
- - /^release\/v/
- - /^v\d+\.\d+(\.\d+)?($|-)/
 when: on_success
- dependencies:
- - test_build_esp32
- - test_build_esp8266
+ dependencies: []
 variables:
 GITHUB_PUSH_REFS: refs/remotes/origin/release refs/remotes/origin/master
 before_script: *setup_env
diff --git a/CMakeLists.txt b/CMakeLists.txt
index ca040b8..a359adc 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -31,5 +31,7 @@ idf_component_register(SRC_DIRS "${COMPONENT_SRCDIRS}"
 EXCLUDE_SRCS "${COMPONENT_SRCEXCLUDE_1}"
 )
 target_compile_options(${COMPONENT_LIB} PRIVATE -Wno-cpp -Wno-maybe-uninitialized)
-set_source_files_properties(wolfssl/src/ssl.c PROPERTIES COMPILE_FLAGS -Wno-format-truncation)
+set_source_files_properties(wolfssl/src/ssl.c PROPERTIES COMPILE_FLAGS "-Wno-format-truncation -Wno-char-subscripts")
+set_source_files_properties(wolfssl/wolfcrypt/src/random.c PROPERTIES COMPILE_FLAGS "-Wno-implicit-function-declaration")
+set_source_files_properties(wolfssl/wolfcrypt/src/port/Espressif/esp32_aes.c PROPERTIES COMPILE_FLAGS "-Wno-incompatible-pointer-types")
 target_compile_definitions(${COMPONENT_LIB} PUBLIC WOLFSSL_USER_SETTINGS)
diff --git a/Kconfig b/Kconfig
index 1e19447..a59bd92 100644
--- a/Kconfig
+++ b/Kconfig
@@ -1,15 +1,14 @@
 menu "wolfSSL"
 
 config TLS_STACK_WOLFSSL
- bool "Include wolfSSL in esp-tls"
+ bool "Include wolfSSL in ESP-TLS"
 default y
+ select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY
 help
- Includes wolfSSL in the esp-tls so that , esp-tls can be compiled with wolfSSL as its SSL/TLS library.
+ Includes wolfSSL in ESP-TLS so that it can be compiled with wolfSSL as its SSL/TLS library.
 
 config WOLFSSL_HAVE_ALPN
- bool "Enable ALPN(Application Layer Protocol Negotiation) in wolfSSL"
+ bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL"
 default y
- help
- Enables ALPN option in wolfSSL.
 
 endmenu # wolfSSL
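Review bot: `image: espressif/idf:latest` in `.build_idf_template` (repeated in `build_idf_master` and `push_master_to_github`) is a floating tag, so the build and the deploy job are not reproducible and silently pick up whatever toolchain the registry serves next; pin a release tag as `build_idf_v4.4` does with `release-v4.4`, or a digest of the form `espressif/idf@sha256:<digest>`. `build_idf_master` restates the image the template already sets and can drop that line. The `PEDANTIC_FLAGS` set only reaches the compiler through `EXTRA_CFLAGS`/`EXTRA_CXXFLAGS`, which deserves a one-line comment such as `# -Werror via EXTRA_*FLAGS: example code must build warning-free`.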
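Review bot: `-Wno-implicit-function-declaration` on `wolfssl/wolfcrypt/src/random.c` and `-Wno-incompatible-pointer-types` on `esp32_aes.c` silence diagnostics in the entropy and AES sources instead of fixing their cause; an implicitly declared function is called with an assumed `int` prototype, so a mismatched argument or return type in the RNG seeding path would be miscompiled quietly rather than flagged. These were presumably added to get past the `-Werror` in the CI `PEDANTIC_FLAGS`; prefer supplying the missing prototype/include through the port, and if a suppression must stay, annotate it: `# TODO: drop once <upstream fix> lands; hides a missing prototype in random.c`. `COMPILE_FLAGS` is a deprecated source property; `COMPILE_OPTIONS` takes a proper list and avoids the quoted-string form used on the three new lines.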
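Review bot: `select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY` forces a FreeRTOS-wide option from the wolfSSL menu entry without saying why; a `select` cannot be overridden by the user, so the reason (presumably legacy FreeRTOS names still used somewhere in the port) should be stated next to it, e.g. `# wolfSSL port still uses legacy FreeRTOS names; see port/`. The `help` text for `WOLFSSL_HAVE_ALPN` was deleted outright; keep a one-liner such as `Enables ALPN (RFC 7301) negotiation in wolfSSL.` so menuconfig still explains the option.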
diff --git a/examples/https_request/main/https_request_example_main.c b/examples/https_request/main/https_request_example_main.c
index a5ade1e..efbaf32 100644
--- a/examples/https_request/main/https_request_example_main.c
+++ b/examples/https_request/main/https_request_example_main.c
@@ -43,21 +43,21 @@ #include "esp_tls.h" /* Constants that aren't configurable in menuconfig */ -#define WEB_SERVER "www.howsmyssl.com" -#define WEB_PORT "443" -#define WEB_URL "https://www.howsmyssl.com/a/check" +#define WEB_SERVER "api.github.com" +#define WEB_PORT (443) +#define WEB_URL "https://api.github.com/zen" static const char *TAG = "example"; static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n" - "Host: "WEB_SERVER"\r\n" - "User-Agent: esp-idf/1.0 esp32\r\n" - "\r\n"; + "Host: "WEB_SERVER"\r\n" + "User-Agent: esp-idf/1.0 esp32\r\n" + "\r\n"; -/* Root cert for howsmyssl.com, taken from server_root_cert.pem +/* Root cert for api.github.com, taken from server_root_cert.pem The PEM file was extracted from the output of this command: - openssl s_client -showcerts -connect www.howsmyssl.com:443 = ESP_IDF_VERSION_VAL(5, 0, 0) + tls = esp_tls_init(); + if (!tls) { + ESP_LOGE(TAG, "Failed to allocate esp_tls handle!"); + goto exit; + } + + if (esp_tls_conn_http_new_sync(WEB_URL, &cfg, tls) == 1) { + ESP_LOGI(TAG, "Connection established..."); + } else { + ESP_LOGE(TAG, "Connection failed..."); + goto cleanup; + } +#else // ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0) + tls = esp_tls_conn_http_new(WEB_URL, &cfg); + if (tls != NULL) { ESP_LOGI(TAG, "Connection established..."); } else { ESP_LOGE(TAG, "Connection failed..."); goto exit; } - +#endif //ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0) + size_t written_bytes = 0; do { - ret = esp_tls_conn_write(tls, - REQUEST + written_bytes, + ret = esp_tls_conn_write(tls, + REQUEST + written_bytes, strlen(REQUEST) - written_bytes); if (ret >= 0) { ESP_LOGI(TAG, "%d bytes written", ret); written_bytes += ret; } else if (ret != ESP_TLS_ERR_SSL_WANT_READ && ret != ESP_TLS_ERR_SSL_WANT_WRITE) { ESP_LOGE(TAG, "esp_tls_conn_write returned 0x%x", ret); - goto exit; + goto cleanup; } - } while(written_bytes < strlen(REQUEST)); + } while (written_bytes < strlen(REQUEST)); ESP_LOGI(TAG, "Reading HTTP response..."); - 
do - { + do { len = sizeof(buf) - 1; - bzero(buf, sizeof(buf)); + memset(buf, 0x00, sizeof(buf)); + ret = esp_tls_conn_read(tls, (char *)buf, len); - - if(ret == ESP_TLS_ERR_SSL_WANT_WRITE || ret == ESP_TLS_ERR_SSL_WANT_READ) + if (ret == ESP_TLS_ERR_SSL_WANT_WRITE || ret == ESP_TLS_ERR_SSL_WANT_READ) { continue; - - if(ret < 0) - { + } else if (ret < 0) { ESP_LOGE(TAG, "esp_tls_conn_read returned -0x%x", -ret); break; - } - - if(ret == 0) - { + } else if (ret == 0) { ESP_LOGI(TAG, "connection closed"); break; } @@ -128,19 +145,19 @@ static void https_get_task(void *pvParameters) len = ret; ESP_LOGD(TAG, "%d bytes read", len); /* Print response directly to stdout as it is read */ - for(int i = 0; i < len; i++) { + for (int i = 0; i < len; i++) { putchar(buf[i]); } - } while(1); - - exit: - esp_tls_conn_delete(tls); - putchar('\n'); // JSON output doesn't have a newline at end + putchar('\n'); // JSON output doesn't have a newline at end + } while (1); - static int request_count; +cleanup: + esp_tls_conn_destroy(tls); +exit:; + static int request_count = 0; ESP_LOGI(TAG, "Completed %d requests", ++request_count); - for(int countdown = 10; countdown >= 0; countdown--) { + for (int countdown = 10; countdown >= 0; countdown--) { ESP_LOGI(TAG, "%d...", countdown); vTaskDelay(1000 / portTICK_PERIOD_MS); } @@ -150,7 +167,7 @@ static void https_get_task(void *pvParameters) void app_main(void) { - ESP_ERROR_CHECK( nvs_flash_init() ); + ESP_ERROR_CHECK(nvs_flash_init()); ESP_ERROR_CHECK(esp_netif_init()); ESP_ERROR_CHECK(esp_event_loop_create_default()); diff --git a/examples/https_request/main/server_root_cert.pem b/examples/https_request/main/server_root_cert.pem index 1d82449..e3cbad9 100644 --- a/examples/https_request/main/server_root_cert.pem +++ b/examples/https_request/main/server_root_cert.pem 
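Review bot: Moving `putchar('\n')` inside the `do { … } while (1);` loop in the `@@ -128,19 +145,19 @@` hunk prints a newline after every `esp_tls_conn_read` chunk rather than once after the whole body, which is what the retained comment `// JSON output doesn't have a newline at end` describes; a response that arrives in several reads is now printed with newlines at arbitrary byte offsets. Keep the per-chunk `putchar(buf[i])` loop and emit the single `putchar('\n');` after the loop, before the `cleanup:` label. `exit:;` followed by `static int request_count = 0;` is correct but unusual; a comment `/* empty statement: a label may not precede a declaration */` would spare the next reader the puzzle. `https_get_task` starts outside this hunk.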
@@ -1,26 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
-MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
-AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
-jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
-Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
-U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
-gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
-/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
-oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
-ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
-p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
-AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
-Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
-LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
-r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
-ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
-S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
-qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
-O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
-UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI
+eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ
+qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v
+c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5
+bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
+A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI
+KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
+b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp
+Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny
+bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE
+NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG
+BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr
+6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY
+kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/
+BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos
+Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh
+xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
 -----END CERTIFICATE-----
diff --git a/examples/wolfssl_client/main/Kconfig.projbuild b/examples/wolfssl_client/main/Kconfig.projbuild
index 0c5ecd6..99dbcc3 100644
--- a/examples/wolfssl_client/main/Kconfig.projbuild
+++ b/examples/wolfssl_client/main/Kconfig.projbuild
@@ -1,9 +1,9 @@
-menu "wolfSSL_client_demo"
+menu "Example Configuration"
 
- config CERT_AUTH
- bool "Enable_cert_authentication"
+ config EXAMPLE_SERVER_CERT_VERIFY
+ bool "Enable Server Certificate Verification"
 default y
 help
- Enabling this flags authenticates the server certificate while establishing a tls connection
+ Enabling this option validates the server certificate while establishing a TLS connection.
 
-endmenu # wolfSSL_client_demo
+endmenu # Example Configuration
diff --git a/examples/wolfssl_client/main/server_root_cert.pem b/examples/wolfssl_client/main/server_root_cert.pem
index 1d82449..e3cbad9 100644
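Review bot: The certificate pasted into `server_root_cert.pem` here (and the identical hunk for `examples/wolfssl_client/main/server_root_cert.pem`) decodes, as far as the base64 can be read, to subject `DigiCert TLS Hybrid ECC SHA384 2020 CA1` issued by `DigiCert Global Root CA`, valid until 2031 — an intermediate, not a root, exactly like the `Let's Encrypt R3` certificate it replaces, whose 2021-09-29 expiry presumably broke the example. Trusting an intermediate only works because `WOLFSSL_ALT_CERT_CHAINS` is defined in `port/user_settings.h`, and it breaks again on the issuer's next rotation; pinning the actual `DigiCert Global Root CA` would survive that and match the file name. The C comment above `server_root_cert_pem_start` should state which certificate this is and the exact command used to obtain it, since the retained `openssl s_client` hint still names the old host.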
--- a/examples/wolfssl_client/main/server_root_cert.pem
+++ b/examples/wolfssl_client/main/server_root_cert.pem
@@ -1,26 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
-MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
-AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
-jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
-Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
-U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
-gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
-/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
-oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
-ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
-p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
-AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
-Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
-LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
-r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
-ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
-S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
-qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
-O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
-UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI
+eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ
+qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v
+c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5
+bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
+A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI
+KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
+b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp
+Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny
+bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE
+NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG
+BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr
+6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY
+kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/
+BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos
+Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh
+xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
 -----END CERTIFICATE-----
diff --git a/examples/wolfssl_client/main/wolfssl_client_demo.c b/examples/wolfssl_client/main/wolfssl_client_demo.c
index 978a516..c8e7ff1 100644
--- a/examples/wolfssl_client/main/wolfssl_client_demo.c
+++ b/examples/wolfssl_client/main/wolfssl_client_demo.c
@@ -27,35 +27,34 @@ #include "wolfssl/ssl.h" #include "esp_netif.h" -#if CONFIG_CERT_AUTH +#if CONFIG_EXAMPLE_SERVER_CERT_VERIFY extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start"); extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end"); #endif /* Constants that aren't configurable in menuconfig */ -#define WEB_SERVER "www.howsmyssl.com" -#define WEB_PORT 443 -#define WEB_URL "https://www.howsmyssl.com/a/check" +#define WEB_SERVER "api.github.com" +#define WEB_PORT (443) +#define WEB_URL "https://api.github.com/zen" #define REQUEST "GET " WEB_URL " HTTP/1.0\r\n" \ - "Host: "WEB_SERVER"\r\n" \ - "User-Agent: esp-idf/1.0 espressif\r\n" \ - "\r\n" - - -//#define DEBUG_WOLFSSL_ON //Note : Uncomment this flag and add following line -//#define DEBUG_WOLFSSL -//to file components/wolfssl/port/user_settings.h -//to turn on Debug logs for wolfssl component + "Host: "WEB_SERVER"\r\n" \ + "User-Agent: esp-idf/1.0 esp32\r\n" \ + "\r\n" +/* + * NOTE: To turn on debug logs for wolfSSL component and this example, uncomment + * #define DEBUF_WOLFSSL in file components/wolfssl/port/user_settings.h + */ #define WOLFSSL_DEMO_THREAD_NAME "wolfssl_client" -#ifdef DEBUG_WOLFSSL_ON -#define WOLFSSL_DEMO_THREAD_STACK_WORDS 4096 +#ifdef DEBUG_WOLFSSL +#define WOLFSSL_DEMO_THREAD_STACK_WORDS 8192 #else -#define WOLFSSL_DEMO_THREAD_STACK_WORDS 2048 -#endif /* DEBUG_WOLFSSL_ON */ +#define WOLFSSL_DEMO_THREAD_STACK_WORDS 4096 +#endif /* DEBUG_WOLFSSL */ #define WOLFSSL_DEMO_THREAD_PRORIOTY 6 #define WOLFSSL_DEMO_SNTP_SERVERS "time.google.com" +#define WOLFSSL_CIPHER_LIST_MAX_SIZE 2048 static const char *TAG = "wolfssl_client"; 
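Review bot: The new NOTE comment tells the reader to uncomment `#define DEBUF_WOLFSSL`, but the macro the code tests a few lines later is `DEBUG_WOLFSSL` (`#ifdef DEBUG_WOLFSSL`, also in `port/user_settings.h`), so the instruction cannot be followed as written; change it to ` * #define DEBUG_WOLFSSL in file components/wolfssl/port/user_settings.h`. The doubled `WOLFSSL_DEMO_THREAD_STACK_WORDS` values (8192/4096) carry no rationale; a short comment stating what was measured to need the extra stack would keep the next person from trimming them back. `WOLFSSL_CIPHER_LIST_MAX_SIZE` is only used by the debug `show_ciphers` helper and could say so: `/* buffer for wolfSSL_get_ciphers() in show_ciphers() */`.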
@@ -63,6 +62,22 @@ const char send_data[] = REQUEST;
 const int32_t send_bytes = sizeof(send_data);
 char recv_data[1024] = {0};
 
+#ifdef DEBUG_WOLFSSL
+static void show_ciphers(void)
+{
+ char *ciphers = calloc(WOLFSSL_CIPHER_LIST_MAX_SIZE, sizeof(char));
+ if (ciphers != NULL) {
+ int ret = wolfSSL_get_ciphers(ciphers, WOLFSSL_CIPHER_LIST_MAX_SIZE);
+ if (ret == WOLFSSL_SUCCESS) {
+ ESP_LOGI(TAG, "Available Ciphers: \n%s", ciphers);
+ } else {
+ ESP_LOGE(TAG, "Failed to get cipher list!");
+ }
+ free(ciphers);
+ }
+}
+#endif
+
 static void get_time()
 {
 struct timeval now;
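Review bot: `show_ciphers` is silent when `calloc` returns NULL, so under a debug build a failed allocation leaves no trace in the log and the missing cipher list looks like the function was never called; add `} else { ESP_LOGE(TAG, "Failed to allocate cipher list buffer!"); }` after the `if (ciphers != NULL)` block. A one-line comment above the function, `/* Debug aid: logs the cipher suites compiled into wolfSSL (DEBUG_WOLFSSL only). */`, would document why it exists only under `#ifdef DEBUG_WOLFSSL`.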
@@ -74,88 +89,94 @@ static void get_time() sntp_init(); while (1) { - for (int32_t i = 0; (i < (SNTP_RECV_TIMEOUT / 100)) && now.tv_sec < 1525952900; i++) { - vTaskDelay(100 / portTICK_RATE_MS); + for (int32_t i = 0; (i < (SNTP_RECV_TIMEOUT / 100)) && now.tv_sec < 1657621503; i++) { + vTaskDelay(100 / portTICK_PERIOD_MS); gettimeofday(&now, NULL); } - if (now.tv_sec < 1525952900) { + if (now.tv_sec < 1657621503) { sntp_retry_time = SNTP_RECV_TIMEOUT << sntp_retry_cnt; if (SNTP_RECV_TIMEOUT << (sntp_retry_cnt + 1) < SNTP_RETRY_TIMEOUT_MAX) { sntp_retry_cnt ++; } - ESP_LOGI(TAG,"SNTP get time failed, retry after %d ms", sntp_retry_time); - vTaskDelay(sntp_retry_time / portTICK_RATE_MS); + ESP_LOGI(TAG, "SNTP get time failed, retry after %d ms", sntp_retry_time); + vTaskDelay(sntp_retry_time / portTICK_PERIOD_MS); } else { - ESP_LOGI(TAG,"SNTP get time success"); + ESP_LOGI(TAG, "SNTP get time success"); break; } } } -static void wolfssl_client(void* pv) +static void wolfssl_client(void *pv) { -#ifdef DEBUG_WOLFSSL_ON +#ifdef DEBUG_WOLFSSL wolfSSL_Debugging_ON(); -#endif /* DEBUG_WOLFSSL_ON */ + show_ciphers(); +#endif /* DEBUG_WOLFSSL */ int32_t ret = 0; - const portTickType xDelay = 500 / portTICK_RATE_MS; - WOLFSSL_CTX* ctx = NULL; - WOLFSSL* ssl = NULL; + const TickType_t xDelay = 500 / portTICK_PERIOD_MS; + WOLFSSL_CTX *ctx = NULL; + WOLFSSL *ssl = NULL; int32_t sockfd = -1; struct sockaddr_in sock_addr; - struct hostent* entry = NULL; + struct hostent *entry = NULL; /* CA date verification need system time */ get_time(); while (1) { - ESP_LOGI(TAG,"Setting hostname for TLS session..."); - + ESP_LOGI(TAG, "Setting hostname for TLS session..."); /*get addr info for hostname*/ do { entry = gethostbyname(WEB_SERVER); vTaskDelay(xDelay); } while (entry == NULL); - ESP_LOGI(TAG,"Init wolfSSL..."); + ESP_LOGI(TAG, "Init wolfSSL..."); ret = wolfSSL_Init(); if (ret != WOLFSSL_SUCCESS) { - ESP_LOGI(TAG,"Init wolfSSL failed:%d...", ret); + ESP_LOGI(TAG, "Init wolfSSL 
failed:%d...", ret); goto failed1; } - ESP_LOGI(TAG,"Set wolfSSL ctx ..."); - ctx = wolfSSL_CTX_new(wolfTLSv1_2_client_method()); - + ESP_LOGI(TAG, "Set wolfSSL ctx ..."); +/* + * NOTE: To turn off TLS 1.3 only mode for wolfSSL component, comment + * #define WOLFSSL_TLS13 in file ../components/wolfssl/port/user_settings.h + */ +#ifdef WOLFSSL_TLS13 + ctx = (void *)wolfSSL_CTX_new(wolfTLSv1_3_client_method()); +#else + ctx = (void *)wolfSSL_CTX_new(wolfTLSv1_2_client_method()); +#endif if (!ctx) { - ESP_LOGI(TAG,"Set wolfSSL ctx failed..."); + ESP_LOGI(TAG, "Set wolfSSL ctx failed..."); goto failed1; } - ESP_LOGI(TAG,"Create socket ..."); + ESP_LOGI(TAG, "Create socket ..."); sockfd = socket(AF_INET, SOCK_STREAM, 0); if (sockfd < 0) { - ESP_LOGI(TAG,"Create socket failed..."); + ESP_LOGI(TAG, "Create socket failed..."); goto failed2; } -#if CONFIG_CERT_AUTH - ESP_LOGI(TAG,"Loading the CA root certificate..."); +#if CONFIG_EXAMPLE_SERVER_CERT_VERIFY + ESP_LOGI(TAG, "Loading the CA root certificate..."); ret = wolfSSL_CTX_load_verify_buffer(ctx, server_root_cert_pem_start, server_root_cert_pem_end - server_root_cert_pem_start, WOLFSSL_FILETYPE_PEM); if (WOLFSSL_SUCCESS != ret) { - ESP_LOGI(TAG,"Loading the CA root certificate failed..."); + ESP_LOGE(TAG, "Loading the CA root certificate failed..."); goto failed3; } - wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_PEER, NULL); #else wolfSSL_CTX_set_verify(ctx, WOLFSSL_VERIFY_NONE, NULL); 
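Review bot: The new comment `To turn off TLS 1.3 only mode ... comment #define WOLFSSL_TLS13` is inverted relative to this same commit's `port/user_settings.h`, where `WOLFSSL_TLS13` ships commented out, so the default is the `wolfTLSv1_2_client_method()` branch and a reader following the note will look for a define that is not active; reword it to ` * NOTE: TLS 1.3 is off by default; define WOLFSSL_TLS13 in ../components/wolfssl/port/user_settings.h to use wolfTLSv1_3_client_method().`. The `(void *)` casts on both `wolfSSL_CTX_new` results are unnecessary — the return type is already `WOLFSSL_CTX *` — and only serve to hide a future type mismatch. The hard-coded epoch `1657621503` in `get_time` replaces `1525952900` with no explanation; name it, e.g. `#define SNTP_VALID_TIME_THRESHOLD 1657621503 /* build-time epoch: any earlier time means SNTP has not synced yet */`. `get_time` starts before this hunk and `wolfssl_client` continues past its end.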
@@ -164,50 +185,45 @@ static void wolfssl_client(void* pv) memset(&sock_addr, 0, sizeof(sock_addr)); sock_addr.sin_family = AF_INET; sock_addr.sin_port = htons(WEB_PORT); - sock_addr.sin_addr.s_addr = ((struct in_addr*)(entry->h_addr))->s_addr; + sock_addr.sin_addr.s_addr = ((struct in_addr *)(entry->h_addr))->s_addr; - ESP_LOGI(TAG,"Connecting to %s:%d...", WEB_SERVER, WEB_PORT); - ret = connect(sockfd, (struct sockaddr*)&sock_addr, sizeof(sock_addr)); + ESP_LOGI(TAG, "Connecting to %s:%d...", WEB_SERVER, WEB_PORT); + ret = connect(sockfd, (struct sockaddr *)&sock_addr, sizeof(sock_addr)); if (ret) { - ESP_LOGI(TAG,"Connecting to %s:%d failed: %d", WEB_SERVER, WEB_PORT, ret); + ESP_LOGE(TAG, "Connecting to %s:%d failed: %d", WEB_SERVER, WEB_PORT, ret); goto failed3; } - ESP_LOGI(TAG,"Create wolfSSL..."); + ESP_LOGI(TAG, "Create wolfSSL..."); ssl = wolfSSL_new(ctx); - if (!ssl) { - ESP_LOGI(TAG,"Create wolfSSL failed..."); + ESP_LOGE(TAG, "Create wolfSSL failed..."); goto failed3; } - wolfSSL_set_fd(ssl, sockfd); - ESP_LOGI(TAG,"Performing the SSL/TLS handshake..."); + ESP_LOGI(TAG, "Performing the SSL/TLS handshake..."); ret = wolfSSL_connect(ssl); if (WOLFSSL_SUCCESS != ret) { - ESP_LOGI(TAG,"Performing the SSL/TLS handshake failed:%d", ret); + ESP_LOGE(TAG, "Performing the SSL/TLS handshake failed:%d", ret); goto failed4; } - ESP_LOGI(TAG,"Writing HTTPS request..."); + ESP_LOGI(TAG, "Writing HTTPS request..."); ret = wolfSSL_write(ssl, send_data, send_bytes); - if (ret <= 0) { - ESP_LOGI(TAG,"Writing HTTPS request failed:%d", ret); + ESP_LOGE(TAG, "Writing HTTPS request failed:%d", ret); goto failed5; } - ESP_LOGI(TAG,"Reading HTTPS response..."); + ESP_LOGI(TAG, "Reading HTTPS response..."); do { ret = wolfSSL_read(ssl, recv_data, sizeof(recv_data)); - - if (ret <= 0) { - ESP_LOGI(TAG,"Connection closed"); + ESP_LOGW(TAG, "Connection closed"); break; } 
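Review bot: After `ssl = wolfSSL_new(ctx)` nothing binds the session to `WEB_SERVER`: with `WOLFSSL_VERIFY_PEER` set in the previous hunk but no `wolfSSL_check_domain_name(ssl, WEB_SERVER)`, wolfSSL accepts any certificate that chains to the loaded CA regardless of the name it was issued for, and without `wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, WEB_SERVER, strlen(WEB_SERVER))` the server is never told which host is wanted even though `HAVE_SNI` is defined in `port/user_settings.h`. The log line `Setting hostname for TLS session...` in the previous hunk only resolves the address. Add both calls between `wolfSSL_set_fd(ssl, sockfd);` and `wolfSSL_connect(ssl)` and route a non-`WOLFSSL_SUCCESS` return to the same `failed4` label the handshake failure uses. `wolfssl_client` starts and ends outside this hunk.

```c
        wolfSSL_set_fd(ssl, sockfd);

        /* Bind the session to WEB_SERVER: without this, any certificate that chains
         * to the loaded CA is accepted, and the server receives no SNI. */
        if (wolfSSL_check_domain_name(ssl, WEB_SERVER) != WOLFSSL_SUCCESS) {
            ESP_LOGE(TAG, "Setting domain name check failed...");
            goto failed4;
        }
        if (wolfSSL_UseSNI(ssl, WOLFSSL_SNI_HOST_NAME, WEB_SERVER, strlen(WEB_SERVER)) != WOLFSSL_SUCCESS) {
            ESP_LOGE(TAG, "Setting SNI failed...");
            goto failed4;
        }

        /* … unchanged: handshake, request write, response read loop … */
```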
@@ -215,7 +231,7 @@ static void wolfssl_client(void* pv) for (int i = 0; i < ret; i++) { printf("%c", recv_data[i]); } - printf("\n"); + printf("\n"); } while (1); failed5: @@ -230,17 +246,17 @@ static void wolfssl_client(void* pv) wolfSSL_Cleanup(); for (int countdown = 10; countdown >= 0; countdown--) { - ESP_LOGI(TAG,"%d...", countdown); - vTaskDelay(1000 / portTICK_RATE_MS); + ESP_LOGI(TAG, "%d...", countdown); + vTaskDelay(1000 / portTICK_PERIOD_MS); } - ESP_LOGI(TAG,"Starting again!"); + ESP_LOGI(TAG, "Starting again!"); } } void app_main(void) { - ESP_ERROR_CHECK( nvs_flash_init() ); + ESP_ERROR_CHECK(nvs_flash_init()); ESP_ERROR_CHECK(esp_netif_init()); ESP_ERROR_CHECK(esp_event_loop_create_default()); diff --git a/port/user_settings.h b/port/user_settings.h index 79161a3..f0cb7c8 100755 --- a/port/user_settings.h +++ b/port/user_settings.h @@ -11,27 +11,27 @@ #include "sdkconfig.h" +#undef WOLFSSL_ESPIDF #define WOLFSSL_ESPIDF #define WOLFSSL_ESPWROOM32 #define BENCH_EMBEDDED #define USE_CERT_BUFFERS_2048 +/* TLS 1.3 */ +// #define WOLFSSL_TLS13 #define HAVE_TLS_EXTENSIONS -#define HAVE_SUPPORTED_CURVES -#define WOLFSSL_STATIC_PSK +#define WC_RSA_PSS +#define HAVE_HKDF #define HAVE_AEAD -#define HAVE_SNI -/* ALPN in wolfSSL is enabled by default, can be disabled with menuconfig */ -#define HAVE_ALPN +#define HAVE_SUPPORTED_CURVES /* when you want to use SINGLE THREAD */ /* #define SINGLE_THREADED */ #define NO_FILESYSTEM #define HAVE_AESGCM -#define WC_RSA_PSS -#define HAVE_HKDF +/* when you want to use SHA384 */ #define WOLFSSL_SHA384 #define WOLFSSL_SHA512 #define HAVE_ECC 
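Review bot: `#undef WOLFSSL_ESPIDF` immediately followed by `#define WOLFSSL_ESPIDF` in the `@@ -11,27 +11,27 @@` hunk reads as a workaround with no explanation; if the component build already passes the define on the command line, say so: `/* may already be set by the component build; undef first to avoid a redefinition warning under -Werror */`. The header now mixes `//` and `/* */` for disabled options (`// #define WOLFSSL_TLS13` beside `/* #define SINGLE_THREADED */`); pick one style so a grep for commented-out defines is predictable. The moved `WC_RSA_PSS`/`HAVE_HKDF` lines sit under the new `/* TLS 1.3 */` heading, which implies they are TLS 1.3-only; a note that RSA-PSS and HKDF are needed regardless of `WOLFSSL_TLS13` would avoid someone removing them with it.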
@@ -39,35 +39,46 @@ #define CURVE25519_SMALL #define HAVE_ED25519 +/* ALPN in wolfSSL is enabled by default, can be disabled with menuconfig */ +#define HAVE_ALPN + +#define HAVE_SNI + /* do not use wolfssl defined app_main function used to test esp-wolfssl */ #define NO_MAIN_DRIVER -/* you can disable folowing cipher suits by uncommenting following lines */ -//#define NO_DSA -//#define NO_DH +/* you can disable folowing cipher suites by uncommenting following lines */ +// #define NO_DSA +// #define NO_DH /* These Flags are defined to make wolfssl not use some insecure cipher suites */ #define NO_MD4 #define NO_DES3 #define NO_RC4 #define NO_RABBIT +#define NO_OLD_TLS /* Allows of x509 certs (for wolfssl_get_verify_result function) */ #define OPENSSL_EXTRA_X509_SMALL /* Only requires the peer certificate to validate to a trusted certificate. - * If peer sends additional certificates not in the chain they are allowed, + * If peer sends additional certificates not in the chain they are allowed, * but not trusted */ #define WOLFSSL_ALT_CERT_CHAINS #define WOLFSSL_BASE64_ENCODE +/* Static ciphers are highly discouraged */ +// #define WOLFSSL_STATIC_RSA +// #define WOLFSSL_STATIC_PSK +// #define WOLFSSL_STATIC_DH + /* This enables the most common openssl compatibility layer API's */ #define OPENSSL_EXTRA /* This enables all Openssl compatibility layer functions * Note: this is large and cannot be used with NO_ASN_TIME */ -//#define OPENSSL_ALL +// #define OPENSSL_ALL /* Use smaller version of the certificate checking code */ #define WOLFSSL_SMALL_CERT_VERIFY 
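Review bot: The rewritten comment still misspells `folowing`; make it `/* you can disable the following cipher suites by uncommenting the following lines */`. `NO_OLD_TLS` is a good addition, but a reader who does not know the option cannot tell what it removes; add `/* drops SSLv3 / TLS 1.0 / TLS 1.1 */` beside it. The new `Static ciphers are highly discouraged` block lists the three static-key defines commented out, which is the right default; stating why (no forward secrecy) in that comment would make the intent durable.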
@@ -76,6 +87,19 @@ #define WOLFSSL_SMALL_STACK #define SMALL_SESSION_CACHE +/* when you want to use pkcs7 */ +/* #define HAVE_PKCS7 */ + +#if defined(HAVE_PKCS7) + #define HAVE_AES_KEYWRAP + #define HAVE_X963_KDF + #define WOLFSSL_AES_DIRECT +#endif + +/* when you want to use aes counter mode */ +/* #define WOLFSSL_AES_DIRECT */ +/* #define WOLFSSL_AES_COUNTER */ + /* esp32-wroom-32se specific definition */ #if defined(WOLFSSL_ESPWROOM32SE) #define WOLFSSL_ATECC508A @@ -91,23 +115,20 @@ /* Define USE_FAST_MATH and SMALL_STACK */ #define ESP32_USE_RSA_PRIMITIVE /* threshold for performance adjustment for hw primitive use */ - /* X bits of G^X mod P greater than */ + /* X bits of G^X mod P greater than */ #define EPS_RSA_EXPT_XBTIS 36 /* X and Y of X * Y mod P greater than */ #define ESP_RSA_MULM_BITS 2000 #endif /* debug options */ -/* #define DEBUG_WOLFSSL */ -/* #define WOLFSSL_ESP32WROOM32_CRYPT_DEBUG */ +// #define DEBUG_WOLFSSL +// #define WOLFSSL_ESP32WROOM32_CRYPT_DEBUG /* #define WOLFSSL_ATECC_DEBUG */ /* date/time */ /* if it cannot adjust time in the device, */ /* enable macro below */ -/* Warning, NO_ASN_TIME disables all certificate date validations - * and should only be used if testing or date is not available - */ #define NO_ASN_TIME #define XTIME time #define XGMTIME(c, t) gmtime((c)) @@ -121,3 +142,6 @@ #define NO_WOLFSSL_ESP32WROOM32_CRYPT_HASH /* #define NO_WOLFSSL_ESP32WROOM32_CRYPT_AES */ /* #define NO_WOLFSSL_ESP32WROOM32_CRYPT_RSA_PRI */ + +/* adjust wait-timeout count if you see timeout in rsa hw acceleration */ +#define ESP_RSA_TIMEOUT_CNT 0x249F00 diff --git a/tools/ci/build_exmaples.sh b/tools/ci/build_examples.sh similarity index 92% rename from tools/ci/build_exmaples.sh rename to tools/ci/build_examples.sh index b173559..9f52b28 100755 --- a/tools/ci/build_exmaples.sh +++ b/tools/ci/build_examples.sh 
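Review bot: The `@@ -91,23 +115,20 @@` hunk deletes the warning that `NO_ASN_TIME disables all certificate date validations` while `#define NO_ASN_TIME` stays in effect, so the only place that told a reader the pinned CA is never checked for expiry is gone — and the certificate this commit pins in `server_root_cert.pem` is a dated intermediate. Restore the comment above the define, e.g. `/* Warning: NO_ASN_TIME disables all certificate date validation (notBefore/notAfter); only use when no trustworthy time source exists */`, or, if the examples can rely on the SNTP sync that `wolfssl_client` already performs before connecting, drop `NO_ASN_TIME` altogether. The `@@ -76,6 +87,19 @@` hunk's `HAVE_PKCS7` block indents its `#define`s under `#if`, a style the rest of the file does not use.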
@@ -7,8 +7,7 @@ build_example () {
 cd $example_dir
 rm sdkconfig
- make defconfig
- make -j4
+ idf.py build
 }
 
 EXAMPLE_PATHS=$( find ${CI_PROJECT_DIR}/examples/ -type f -name Makefile | grep -v "/components/" | grep -v "/common_components/" | grep -v "/main/" | grep -v "/build_system/cmake/" | sort )
diff --git a/wolfssl b/wolfssl
index 3f13b49..57aac1c 160000
--- a/wolfssl
+++ b/wolfssl
@@ -1 +1 @@
-Subproject commit 3f13b49fa318fbd3216d7da36d942e7c276d3413
+Subproject commit 57aac1c50b45275c7a99eca32ad985998b292dc8
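Review bot: `build_example` now runs `idf.py build`, but the `EXAMPLE_PATHS` line kept as context still discovers projects with `-name Makefile`; if the examples are CMake-only projects without a Makefile, `find` returns nothing, zero examples are built and the CI job still exits 0. Discover by the CMake project file instead, `EXAMPLE_PATHS=$( find ${CI_PROJECT_DIR}/examples/ -type f -name CMakeLists.txt | grep -v "/components/" | grep -v "/common_components/" | grep -v "/main/" | grep -v "/build_system/cmake/" | sort )`, and fail the script when the list is empty. `cd $example_dir` and `rm sdkconfig` are unchecked and the variable is unquoted; `cd "$example_dir" || exit 1` and `rm -f sdkconfig` avoid building in the wrong directory or aborting on a missing file. `build_example` starts before this hunk.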