fix(tls): do not attach bundle from runtime (#9763)

me-no-dev · web-flow · commit 546ce3806baf · 2024-06-04T07:57:47.000+03:00
* fix(tls): do not attach bundle from runtime

* fix(ssl): Make the bundle callback per context
diff --git a/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp b/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
 void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
   if (bundle != NULL) {
     esp_crt_bundle_set(bundle, sizeof(bundle));
+    attach_ssl_certificate_bundle(sslclient.get(), true);
     _use_ca_bundle = true;
   } else {
     esp_crt_bundle_detach(NULL);
+    attach_ssl_certificate_bundle(sslclient.get(), false);
     _use_ca_bundle = false;
   }
 }
diff --git a/libraries/NetworkClientSecure/src/ssl_client.cpp b/libraries/NetworkClientSecure/src/ssl_client.cpp
@@ -51,6 +51,14 @@ void ssl_init(sslclient_context *ssl_client) {
   ssl_client->peek_buf = -1;
 }
 
+void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att) {
+  if (att) {
+    ssl_client->bundle_attach_cb = &esp_crt_bundle_attach;
+  } else {
+    ssl_client->bundle_attach_cb = NULL;
+  }
+}
+
 int start_ssl_client(
   sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
   const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
@@ -195,11 +203,14 @@ int start_ssl_client(
       return handle_error(ret);
     }
   } else if (useRootCABundle) {
-    log_v("Attaching root CA cert bundle");
-    ret = esp_crt_bundle_attach(&ssl_client->ssl_conf);
-
-    if (ret < 0) {
-      return handle_error(ret);
+    if (ssl_client->bundle_attach_cb != NULL) {
+      log_v("Attaching root CA cert bundle");
+      ret = ssl_client->bundle_attach_cb(&ssl_client->ssl_conf);
+      if (ret < 0) {
+        return handle_error(ret);
+      }
+    } else {
+      log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(ssl, true); was not called!");
     }
   } else if (pskIdent != NULL && psKey != NULL) {
     log_v("Setting up PSK");
diff --git a/libraries/NetworkClientSecure/src/ssl_client.h b/libraries/NetworkClientSecure/src/ssl_client.h
@@ -12,6 +12,8 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/error.h"
 
+typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
+
 typedef struct sslclient_context {
   int socket;
   mbedtls_ssl_context ssl_ctx;
@@ -24,6 +26,8 @@ typedef struct sslclient_context {
   mbedtls_x509_crt client_cert;
   mbedtls_pk_context client_key;
 
+  crt_bundle_attach_cb bundle_attach_cb;
+
   unsigned long socket_timeout;
   unsigned long handshake_timeout;
 
@@ -37,6 +41,7 @@ int start_ssl_client(
   sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
   const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
 );
+void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att);
 int ssl_starttls_handshake(sslclient_context *ssl_client);
 void stop_ssl_socket(sslclient_context *ssl_client);
 int data_to_read(sslclient_context *ssl_client);

Original file line number	Diff line number	Diff line change
`@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {`
`317`	`317`	`void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {`
`318`	`318`	`if (bundle != NULL) {`
`319`	`319`	`esp_crt_bundle_set(bundle, sizeof(bundle));`
	`320`	`+ attach_ssl_certificate_bundle(sslclient.get(), true);`
`320`	`321`	`_use_ca_bundle = true;`
`321`	`322`	`} else {`
`322`	`323`	`esp_crt_bundle_detach(NULL);`
	`324`	`+ attach_ssl_certificate_bundle(sslclient.get(), false);`
`323`	`325`	`_use_ca_bundle = false;`
`324`	`326`	`}`
`325`	`327`	`}`