#include <errno.h>
static const char *TAG = "esp-tls";
+static mbedtls_x509_crt *global_cacert = NULL;
#ifdef ESP_PLATFORM
#include <esp_log.h>
return ret;
}
+esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes)
+{
+ if (cacert_pem_buf == NULL) {
+ ESP_LOGE(TAG, "cacert_pem_buf is null");
+ return ESP_ERR_INVALID_ARG;
+ }
+ if (global_cacert != NULL) {
+ mbedtls_x509_crt_free(global_cacert);
+ }
+ global_cacert = (mbedtls_x509_crt *)calloc(1, sizeof(mbedtls_x509_crt));
+ if (global_cacert == NULL) {
+ ESP_LOGE(TAG, "global_cacert not allocated");
+ return ESP_ERR_NO_MEM;
+ }
+ mbedtls_x509_crt_init(global_cacert);
+ int ret = mbedtls_x509_crt_parse(global_cacert, cacert_pem_buf, cacert_pem_bytes);
+ if (ret < 0) {
+ ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
+ mbedtls_x509_crt_free(global_cacert);
+ global_cacert = NULL;
+ return ESP_FAIL;
+ } else if (ret > 0) {
+ ESP_LOGE(TAG, "mbedtls_x509_crt_parse was partly successful. No. of failed certificates: %d", ret);
+ }
+ return ESP_OK;
+}
+
+mbedtls_x509_crt *esp_tls_get_global_ca_store()
+{
+ return global_cacert;
+}
+
+void esp_tls_free_global_ca_store()
+{
+ if (global_cacert) {
+ mbedtls_x509_crt_free(global_cacert);
+ global_cacert = NULL;
+ }
+}
+
static void verify_certificate(esp_tls_t *tls)
{
int flags;
if (!tls) {
return;
}
- mbedtls_x509_crt_free(&tls->cacert);
+ if (tls->cacert_ptr != global_cacert) {
+ mbedtls_x509_crt_free(tls->cacert_ptr);
+ }
+ tls->cacert_ptr = NULL;
mbedtls_entropy_free(&tls->entropy);
mbedtls_ssl_config_free(&tls->conf);
mbedtls_ctr_drbg_free(&tls->ctr_drbg);
mbedtls_ssl_conf_alpn_protocols(&tls->conf, cfg->alpn_protos);
}
- if (cfg->cacert_pem_buf != NULL) {
- mbedtls_x509_crt_init(&tls->cacert);
- ret = mbedtls_x509_crt_parse(&tls->cacert, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);
+ if (cfg->use_global_ca_store == true) {
+ if (global_cacert == NULL) {
+ ESP_LOGE(TAG, "global_cacert is NULL");
+ goto exit;
+ }
+ tls->cacert_ptr = global_cacert;
+ mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+ mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
+ } else if (cfg->cacert_pem_buf != NULL) {
+ tls->cacert_ptr = &tls->cacert;
+ mbedtls_x509_crt_init(tls->cacert_ptr);
+ ret = mbedtls_x509_crt_parse(tls->cacert_ptr, cfg->cacert_pem_buf, cfg->cacert_pem_bytes);
if (ret < 0) {
ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
goto exit;
}
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
- mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->cacert, NULL);
+ mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
} else {
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
}
} else {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
ESP_LOGE(TAG, "mbedtls_ssl_handshake returned -0x%x", -ret);
- if (cfg->cacert_pem_buf != NULL) {
+ if (cfg->cacert_pem_buf != NULL || cfg->use_global_ca_store == true) {
/* This is to check whether handshake failed due to invalid certificate*/
verify_certificate(tls);
}
blocking mode after tls session is established */
int timeout_ms; /*!< Network timeout in milliseconds */
+
+ bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
+ this bool is set. */
} esp_tls_cfg_t;
/**
mbedtls_x509_crt cacert; /*!< Container for an X.509 certificate */
+ mbedtls_x509_crt *cacert_ptr; /*!< Pointer to the cacert being used. */
+
int sockfd; /*!< Underlying socket file descriptor. */
ssize_t (*read)(struct esp_tls *tls, char *data, size_t datalen); /*!< Callback function for reading data from TLS/SSL
*/
size_t esp_tls_get_bytes_avail(esp_tls_t *tls);
+/**
+ * @brief Create a global CA store with the buffer provided in cfg.
+ *
+ * This function should be called if the application wants to use the same CA store for
+ * multiple connections. The application must call this function before calling esp_tls_conn_new().
+ *
+ * @param[in] cacert_pem_buf Buffer which has certificates in pem format. This buffer
+ * is used for creating a global CA store, which can be used
+ * by other tls connections.
+ * @param[in] cacert_pem_bytes Length of the buffer.
+ *
+ * @return
+ * - ESP_OK if creating global CA store was successful.
+ * - Other if an error occured or an action must be taken by the calling process.
+ */
+esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);
+
+/**
+ * @brief Get the pointer to the global CA store currently being used.
+ *
+ * The application must first call esp_tls_set_global_ca_store(). Then the same
+ * CA store could be used by the application for APIs other than esp_tls.
+ *
+ * @note Modifying the pointer might cause a failure in verifying the certificates.
+ *
+ * @return
+ * - Pointer to the global CA store currently being used if successful.
+ * - NULL if there is no global CA store set.
+ */
+mbedtls_x509_crt *esp_tls_get_global_ca_store();
+
+/**
+ * @brief Free the global CA store currently being used.
+ *
+ * The memory being used by the global CA store to store all the parsed certificates is
+ * freed up. The application can call this API if it no longer needs the global CA store.
+ */
+void esp_tls_free_global_ca_store();
+
#ifdef __cplusplus
}
projects / esp-idf / commitdiff