From ef9400695f1555b4efcad0148e2fefe84cf6478a Mon Sep 17 00:00:00 2001
From: me-no-dev
Date: Mon, 3 Jun 2024 16:22:06 +0300
Subject: [PATCH 1/2] fix(tls): do not attach bundle from runtime
---
 .../src/NetworkClientSecure.cpp | 2 ++
 .../NetworkClientSecure/src/ssl_client.cpp | 23 +++++++++++++++----
 .../NetworkClientSecure/src/ssl_client.h | 1 +
 3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp b/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
index 1ef03f29dff..b9c80b38dd7 100644
--- a/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
+++ b/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
 void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
 if (bundle != NULL) {
 esp_crt_bundle_set(bundle, sizeof(bundle));
+ attach_ssl_certificate_bundle(true);
 _use_ca_bundle = true;
 } else {
 esp_crt_bundle_detach(NULL);
+ attach_ssl_certificate_bundle(false);
 _use_ca_bundle = false;
 }
 }
diff --git a/libraries/NetworkClientSecure/src/ssl_client.cpp b/libraries/NetworkClientSecure/src/ssl_client.cpp
index 41e79ee3803..aedef28163a 100644
--- a/libraries/NetworkClientSecure/src/ssl_client.cpp
+++ b/libraries/NetworkClientSecure/src/ssl_client.cpp
@@ -26,6 +26,9 @@ const char *pers = "esp32-tls";
+typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
+static crt_bundle_attach_cb _bundle_attach_cb = NULL;
+
 static int _handle_error(int err, const char *function, int line) {
 if (err == -30848) {
 return err;
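Review bot: `esp_crt_bundle_set(bundle, sizeof(bundle))` on the context line just above the added `attach_ssl_certificate_bundle(true)` passes the size of the pointer, not the length of the bundle, because `bundle` is a `const uint8_t *`. If `esp_crt_bundle_set` bounds or validates the bundle by that argument (its implementation is not visible here), every bundle is reported as a few bytes long, so either verification fails at runtime or the length check is meaningless; only the caller knows the real length, so `setCACertBundle` should accept and forward it, e.g. `void NetworkClientSecure::setCACertBundle(const uint8_t *bundle, size_t bundle_size)` with `esp_crt_bundle_set(bundle, bundle_size);`, keeping the single-argument form for existing callers. The same line is carried unchanged into the second patch's hunk of this file.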
@@ -51,6 +54,14 @@ void ssl_init(sslclient_context *ssl_client) { ssl_client->peek_buf = -1; } +void attach_ssl_certificate_bundle(bool att) { + if (att) { + _bundle_attach_cb = &esp_crt_bundle_attach; + } else { + _bundle_attach_cb = NULL; + } +} + int start_ssl_client( sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos @@ -195,11 +206,15 @@ int start_ssl_client( return handle_error(ret); } } else if (useRootCABundle) { - log_v("Attaching root CA cert bundle"); - ret = esp_crt_bundle_attach(&ssl_client->ssl_conf); + if (_bundle_attach_cb != NULL) { + log_v("Attaching root CA cert bundle"); + ret = _bundle_attach_cb(&ssl_client->ssl_conf); - if (ret < 0) { - return handle_error(ret); + if (ret < 0) { + return handle_error(ret); + } + } else { + log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(true); was not called!"); } } else if (pskIdent != NULL && psKey != NULL) { log_v("Setting up PSK"); diff --git a/libraries/NetworkClientSecure/src/ssl_client.h b/libraries/NetworkClientSecure/src/ssl_client.h index 3e07bf6bc2c..52df4f3a912 100644 --- a/libraries/NetworkClientSecure/src/ssl_client.h +++ b/libraries/NetworkClientSecure/src/ssl_client.h @@ -37,6 +37,7 @@ int start_ssl_client( sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos ); +void attach_ssl_certificate_bundle(bool att); int ssl_starttls_handshake(sslclient_context *ssl_client); void stop_ssl_socket(sslclient_context *ssl_client); int data_to_read(sslclient_context *ssl_client); From 648be7d070f9196e4cc28711bdfc1fc1cd549642 Mon Sep 17 00:00:00 2001 
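Review bot: The new `else` branch under `useRootCABundle` only logs with `log_e(...)` and then falls out of the if/else chain, so `start_ssl_client` continues with no CA chain or verify callback installed by this branch and `ret` still holding its earlier value; the caller never learns that the bundle it asked for was not attached. Whether the handshake later fails then depends on the authmode the configuration defaults to (set outside this hunk, presumably), not on an explicit decision, so the branch should fail closed: after the `log_e(...)` add `return -1;` (or whichever negative code the other failure paths of this function use). The second patch's hunk of this function keeps the same log-and-continue shape. `start_ssl_client` starts and ends outside the hunk, so the fallback at the end of the chain is not visible here.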
From: me-no-dev
Date: Mon, 3 Jun 2024 22:07:44 +0300
Subject: [PATCH 2/2] fix(ssl): Make the bundle callback per context
---
 .../src/NetworkClientSecure.cpp | 4 ++--
 libraries/NetworkClientSecure/src/ssl_client.cpp | 16 ++++++----------
 libraries/NetworkClientSecure/src/ssl_client.h | 6 +++++-
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp b/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
index b9c80b38dd7..f0857c32bac 100644
--- a/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
+++ b/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
@@ -317,11 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
 void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
 if (bundle != NULL) {
 esp_crt_bundle_set(bundle, sizeof(bundle));
- attach_ssl_certificate_bundle(true);
+ attach_ssl_certificate_bundle(sslclient.get(), true);
 _use_ca_bundle = true;
 } else {
 esp_crt_bundle_detach(NULL);
- attach_ssl_certificate_bundle(false);
+ attach_ssl_certificate_bundle(sslclient.get(), false);
 _use_ca_bundle = false;
 }
 }
diff --git a/libraries/NetworkClientSecure/src/ssl_client.cpp b/libraries/NetworkClientSecure/src/ssl_client.cpp
index aedef28163a..c8d5bbd21ea 100644
--- a/libraries/NetworkClientSecure/src/ssl_client.cpp
+++ b/libraries/NetworkClientSecure/src/ssl_client.cpp
@@ -26,9 +26,6 @@ const char *pers = "esp32-tls";
-typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
-static crt_bundle_attach_cb _bundle_attach_cb = NULL;
-
 static int _handle_error(int err, const char *function, int line) {
 if (err == -30848) {
 return err;
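Review bot: The attach decision is now per context through `attach_ssl_certificate_bundle(sslclient.get(), true)`, but the bundle it attaches is still installed by `esp_crt_bundle_set(bundle, sizeof(bundle))` and removed by `esp_crt_bundle_detach(NULL)` on the context lines, and as far as I know those ESP-IDF calls operate on a single global bundle; two `NetworkClientSecure` instances therefore still share one bundle, and `setCACertBundle(NULL)` on one of them clears it for the other as well. That is not obvious from a per-context API and deserves a comment on this method, e.g. `// The bundle data is global (esp_crt_bundle_set/detach); only the attach decision is per context.`. `sslclient` is presumably a smart pointer whose construction is outside this hunk; if it can be null here, `.get()` is dereferenced inside `attach_ssl_certificate_bundle` without a check.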
@@ -54,11 +51,11 @@ void ssl_init(sslclient_context *ssl_client) {
 ssl_client->peek_buf = -1;
 }
-void attach_ssl_certificate_bundle(bool att) {
+void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att) {
 if (att) {
- _bundle_attach_cb = &esp_crt_bundle_attach;
+ ssl_client->bundle_attach_cb = &esp_crt_bundle_attach;
 } else {
- _bundle_attach_cb = NULL;
+ ssl_client->bundle_attach_cb = NULL;
 }
 }
@@ -206,15 +203,14 @@ int start_ssl_client(
 return handle_error(ret);
 }
 } else if (useRootCABundle) {
- if (_bundle_attach_cb != NULL) {
+ if (ssl_client->bundle_attach_cb != NULL) {
 log_v("Attaching root CA cert bundle");
- ret = _bundle_attach_cb(&ssl_client->ssl_conf);
-
+ ret = ssl_client->bundle_attach_cb(&ssl_client->ssl_conf);
 if (ret < 0) {
 return handle_error(ret);
 }
 } else {
- log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(true); was not called!");
+ log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(ssl, true); was not called!");
 }
 } else if (pskIdent != NULL && psKey != NULL) {
 log_v("Setting up PSK");
diff --git a/libraries/NetworkClientSecure/src/ssl_client.h b/libraries/NetworkClientSecure/src/ssl_client.h
index 52df4f3a912..892adc86a95 100644
--- a/libraries/NetworkClientSecure/src/ssl_client.h
+++ b/libraries/NetworkClientSecure/src/ssl_client.h
@@ -12,6 +12,8 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/error.h"
+typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
+
 typedef struct sslclient_context {
 int socket;
 mbedtls_ssl_context ssl_ctx;
@@ -24,6 +26,8 @@ typedef struct sslclient_context {
 mbedtls_x509_crt client_cert;
 mbedtls_pk_context client_key;
+ crt_bundle_attach_cb bundle_attach_cb;
+
 unsigned long socket_timeout;
 unsigned long handshake_timeout;
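Review bot: `ssl_client->bundle_attach_cb` is a function pointer that `start_ssl_client` now calls whenever it is non-NULL, yet the visible tail of `ssl_init` (`ssl_client->peek_buf = -1;` right above the new function) does not set it, and the rest of `ssl_init` and the place where `sslclient_context` is allocated are outside this hunk. Unless the struct is zeroed at allocation, a context on which `setCACertBundle` was never called reaches the `if (ssl_client->bundle_attach_cb != NULL)` check with an indeterminate pointer, and calling through it is undefined behaviour; initialising it with the other fields in `ssl_init` removes the dependence on the allocator: `ssl_client->bundle_attach_cb = NULL;`. The new function also has no header comment; something like `// Record whether start_ssl_client attaches the ESP-IDF CA bundle to this context; must be enabled before connecting with useRootCABundle.` would state the contract the `log_e` message in the next hunk relies on.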
@@ -37,7 +41,7 @@ int start_ssl_client( sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos ); -void attach_ssl_certificate_bundle(bool att); +void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att); int ssl_starttls_handshake(sslclient_context *ssl_client); void stop_ssl_socket(sslclient_context *ssl_client); int data_to_read(sslclient_context *ssl_client);
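Review bot: The changed declaration `void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att);` is the public entry point for this feature but carries no documentation, and its name does not convey that it only records a decision which `start_ssl_client` applies later. A one-line comment on the declaration spares callers a trip into ssl_client.cpp: `/// Record whether start_ssl_client should attach the ESP-IDF CA bundle to ssl_client's config; call with true before connecting with useRootCABundle.` Spelling the parameter `attach` rather than `att` would also make the prototype self-explanatory.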