From 9ce8e1e5a11b3980a7e5d083d26afef8d8ad31c1 Mon Sep 17 00:00:00 2001
From: Riccardo Binetti
Date: Fri, 28 Sep 2018 18:45:37 +0200
Subject: [PATCH] transport_ssl: add support for mutual SSL authentication
Signed-off-by: David Cermak
---
 .../tcp_transport/include/esp_transport_ssl.h | 21 +++++++++++++++
 components/tcp_transport/transport_ssl.c | 26 +++++++++++++++++++
 2 files changed, 47 insertions(+)
diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h
index 2065db6b0e..87577a7eaf 100644
--- a/components/tcp_transport/include/esp_transport_ssl.h
+++ b/components/tcp_transport/include/esp_transport_ssl.h
@@ -40,6 +40,27 @@ esp_transport_handle_t esp_transport_ssl_init();
 */
 void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data, int len);
+/**
+ * @brief Set SSL client certificate data for mutual authentication (as PEM format).
+ * Note that, this function stores the pointer to data, rather than making a copy.
+ * So we need to make sure to keep the data lifetime before cleanup the connection
+ *
+ * @param t ssl transport
+ * @param[in] data The pem data
+ * @param[in] len The length
+ */
+void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char *data, int len);
+
+/**
+ * @brief Set SSL client key data for mutual authentication (as PEM format).
+ * Note that, this function stores the pointer to data, rather than making a copy.
+ * So we need to make sure to keep the data lifetime before cleanup the connection
+ *
+ * @param t ssl transport
+ * @param[in] data The pem data
+ * @param[in] len The length
+ */
+void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len);
 #ifdef __cplusplus
 }
diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c
index 08afe3c19a..f53601ee4c 100644
--- a/components/tcp_transport/transport_ssl.c
+++ b/components/tcp_transport/transport_ssl.c
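Review bot: The new doc comments for esp_transport_ssl_set_client_cert_data and esp_transport_ssl_set_client_key_data do not say that `data` must be NUL-terminated, yet the implementation in transport_ssl.c stores `len + 1` as the byte count, which only works if a terminator follows the `len` bytes; an unterminated buffer would be read one byte past its end by the PEM parser. Suggest `@param[in] data The pem data, NUL-terminated (the terminator is not counted in len)` and `@param[in] len Length of data in bytes, excluding the terminating NUL` in both comments. Because the key setter keeps a raw pointer to private-key material, the lifetime sentence could also state that the buffer stays referenced across reconnects until the transport is destroyed, which is what the ssl_close hunk suggests (it resets flags but, as far as the hunk shows, never clears the cfg buffer pointers).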
@@ -40,6 +40,7 @@ typedef struct {
 esp_tls_cfg_t cfg;
 bool ssl_initialized;
 bool verify_server;
+ bool mutual_authentication;
 transport_ssl_conn_state_t conn_state;
 } transport_ssl_t;
@@ -52,6 +53,9 @@ static int ssl_connect_async(esp_transport_handle_t t, const char *host, int por
 if (ssl->cfg.cacert_pem_buf) {
 ssl->verify_server = true;
 }
+ if (ssl->cfg.clientcert_pem_buf && ssl->cfg.clientkey_pem_buf) {
+ ssl->mutual_authentication = true;
+ }
 ssl->cfg.timeout_ms = timeout_ms;
 ssl->cfg.non_block = true;
 ssl->ssl_initialized = true;
@@ -73,6 +77,9 @@ static int ssl_connect(esp_transport_handle_t t, const char *host, int port, int
 if (ssl->cfg.cacert_pem_buf) {
 ssl->verify_server = true;
 }
+ if (ssl->cfg.clientcert_pem_buf && ssl->cfg.clientkey_pem_buf) {
+ ssl->mutual_authentication = true;
+ }
 ssl->cfg.timeout_ms = timeout_ms;
 ssl->ssl_initialized = true;
 ssl->tls = esp_tls_conn_new(host, strlen(host), port, &ssl->cfg);
@@ -147,6 +154,7 @@ static int ssl_close(esp_transport_handle_t t)
 esp_tls_conn_delete(ssl->tls);
 ssl->ssl_initialized = false;
 ssl->verify_server = false;
+ ssl->mutual_authentication = false;
 }
 return ret;
 }
@@ -168,6 +176,24 @@ void esp_transport_ssl_set_cert_data(esp_transport_handle_t t, const char *data,
 }
 }
+void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char *data, int len)
+{
+ transport_ssl_t *ssl = esp_transport_get_context_data(t);
+ if (t && ssl) {
+ ssl->cfg.clientcert_pem_buf = (void *)data;
+ ssl->cfg.clientcert_pem_bytes = len + 1;
+ }
+}
+
+void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len)
+{
+ transport_ssl_t *ssl = esp_transport_get_context_data(t);
+ if (t && ssl) {
+ ssl->cfg.clientkey_pem_buf = (void *)data;
+ ssl->cfg.clientkey_pem_bytes = len + 1;
+ }
+}
+
 esp_transport_handle_t esp_transport_ssl_init()
 {
 esp_transport_handle_t t = esp_transport_init();
--
2.40.0
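Review bot: In ssl_connect_async the added check sets mutual_authentication only when both clientcert_pem_buf and clientkey_pem_buf are non-NULL, so a caller that configured just one of them (certificate without key, or the reverse) gets a one-sided TLS connection with no diagnostic and will likely learn of the misconfiguration only when the server rejects the handshake; the identical block in the ssl_connect hunk has the same gap. A warning in the half-configured case would make it visible, e.g. `} else if (ssl->cfg.clientcert_pem_buf || ssl->cfg.clientkey_pem_buf) {` / `ESP_LOGW(TAG, "client certificate and key must both be set for mutual authentication");` / `}` (assuming the file's usual log tag). Within this patch mutual_authentication is only assigned — here, in ssl_connect, and cleared in ssl_close — and never read, so unless something outside the diff consumes it the new field is dead state. Both enclosing functions start and end outside their hunks.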
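Review bot: `ssl->cfg.clientcert_pem_bytes = len + 1;` (and the clientkey counterpart) silently assumes the caller's buffer carries a NUL byte just past `len`; nothing in either setter checks or documents it, so a comment on the line would help, e.g. `/* +1: the PEM parser needs the trailing NUL; data must be NUL-terminated and len excludes it */`. The `(void *)data` cast strips `const` from the parameter — if the esp_tls_cfg_t buffer fields are const-qualified, casting to the field's own pointer type keeps the compiler able to catch a write through it, and if they are not, the cast should at least name the intended pointer type rather than `void *`. `esp_transport_get_context_data(t)` is also called before `t` is tested in `if (t && ssl)`, so the NULL guard only protects the field stores; this presumably mirrors the existing esp_transport_ssl_set_cert_data setter, whose body lies outside the hunk.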