*/
void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data, int len);
+/**
+ * @brief Set SSL client certificate data for mutual authentication (as PEM format).
+ * Note that, this function stores the pointer to data, rather than making a copy.
+ * So we need to make sure to keep the data lifetime before cleanup the connection
+ *
+ * @param t ssl transport
+ * @param[in] data The pem data
+ * @param[in] len The length
+ */
+void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char *data, int len);
+
+/**
+ * @brief Set SSL client key data for mutual authentication (as PEM format).
+ * Note that, this function stores the pointer to data, rather than making a copy.
+ * So we need to make sure to keep the data lifetime before cleanup the connection
+ *
+ * @param t ssl transport
+ * @param[in] data The pem data
+ * @param[in] len The length
+ */
+void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len);
#ifdef __cplusplus
}
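Review bot: The `@param[in] len` text in both new doc comments says only "The length", while the setters added later in this commit store `len + 1` as the buffer size, so the real contract appears to be that `data` is a NUL-terminated PEM string and `len` excludes the terminator. A caller who passes a length that already counts the NUL, or a buffer that is not terminated, would hand the TLS layer a size one byte larger than the data supplied. I would word it as `@param[in] len Length of the PEM string, not counting the terminating NUL (data must be NUL-terminated)`. For the key setter it is also worth stating that the private key buffer is referenced rather than copied, so it must stay valid and unmodified until the transport is cleaned up.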
esp_tls_cfg_t cfg;
bool ssl_initialized;
bool verify_server;
+ bool mutual_authentication;
transport_ssl_conn_state_t conn_state;
} transport_ssl_t;
if (ssl->cfg.cacert_pem_buf) {
ssl->verify_server = true;
}
+ if (ssl->cfg.clientcert_pem_buf && ssl->cfg.clientkey_pem_buf) {
+ ssl->mutual_authentication = true;
+ }
ssl->cfg.timeout_ms = timeout_ms;
ssl->cfg.non_block = true;
ssl->ssl_initialized = true;
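Review bot: A configuration with only one of `clientcert_pem_buf` / `clientkey_pem_buf` set passes this added `if` without any diagnostic, so at this layer a caller who intended mutual authentication but forgot the key gets a connection attempt with no client identity and no hint why. The same block is added in the second connect hunk that follows. I would add an `else if (ssl->cfg.clientcert_pem_buf || ssl->cfg.clientkey_pem_buf)` branch that logs an error and, if this function's return convention allows it (its body starts and ends outside the hunk), fails the connect. Separately, `mutual_authentication` is only ever written in the hunks shown here; if nothing reads it, a comment on the struct field saying what it is for would help the next reader.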
if (ssl->cfg.cacert_pem_buf) {
ssl->verify_server = true;
}
+ if (ssl->cfg.clientcert_pem_buf && ssl->cfg.clientkey_pem_buf) {
+ ssl->mutual_authentication = true;
+ }
ssl->cfg.timeout_ms = timeout_ms;
ssl->ssl_initialized = true;
ssl->tls = esp_tls_conn_new(host, strlen(host), port, &ssl->cfg);
esp_tls_conn_delete(ssl->tls);
ssl->ssl_initialized = false;
ssl->verify_server = false;
+ ssl->mutual_authentication = false;
}
return ret;
}
}
}
+void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char *data, int len)
+{
+ transport_ssl_t *ssl = esp_transport_get_context_data(t);
+ if (t && ssl) {
+ ssl->cfg.clientcert_pem_buf = (void *)data;
+ ssl->cfg.clientcert_pem_bytes = len + 1;
+ }
+}
+
+void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len)
+{
+ transport_ssl_t *ssl = esp_transport_get_context_data(t);
+ if (t && ssl) {
+ ssl->cfg.clientkey_pem_buf = (void *)data;
+ ssl->cfg.clientkey_pem_bytes = len + 1;
+ }
+}
+
esp_transport_handle_t esp_transport_ssl_init()
{
esp_transport_handle_t t = esp_transport_init();
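Review bot: In both new setters `esp_transport_get_context_data(t)` runs before `t` is tested, so the `t &&` in the following `if` cannot protect that call; whether the getter tolerates NULL is not visible here. The setters also store `len + 1` without looking at `data` or `len`, so `data == NULL` leaves a non-zero byte count next to a NULL buffer and a negative `len` produces a meaningless size. I would guard first with `if (t == NULL || data == NULL || len < 0) { return; }` and only then fetch the context. The `(void *)data` cast also drops `const`; a short comment saying the buffer is never written through this pointer would make that cast easier to trust.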