Unverified Commit 546ce380 authored by Me No Dev's avatar Me No Dev Committed by GitHub

fix(tls): do not attach bundle from runtime (#9763)

* fix(tls): do not attach bundle from runtime

* fix(ssl): Make the bundle callback per context
parent de2fc251
...@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) { ...@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) { void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
if (bundle != NULL) { if (bundle != NULL) {
esp_crt_bundle_set(bundle, sizeof(bundle)); esp_crt_bundle_set(bundle, sizeof(bundle));
attach_ssl_certificate_bundle(sslclient.get(), true);
_use_ca_bundle = true; _use_ca_bundle = true;
} else { } else {
esp_crt_bundle_detach(NULL); esp_crt_bundle_detach(NULL);
attach_ssl_certificate_bundle(sslclient.get(), false);
_use_ca_bundle = false; _use_ca_bundle = false;
} }
} }
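Review bot: `esp_crt_bundle_set(bundle, sizeof(bundle))` on the unchanged line just above the new attach call passes the size of the pointer (4 bytes on a 32-bit target), not the size of the bundle, so any length validation inside esp_crt_bundle_set never sees the real length; the commit leaves that as is. The byte count is not available with this signature, so fixing it needs the caller to supply it (for example an overload such as `setCACertBundle(const uint8_t *bundle, size_t size)` that forwards `size`), which is outside this hunk. The two new `attach_ssl_certificate_bundle(sslclient.get(), ...)` calls also presume `sslclient` already holds a context; if it can be empty here, that is a null dereference inside attach_ssl_certificate_bundle, which does not guard its pointer argument.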
......
...@@ -51,6 +51,14 @@ void ssl_init(sslclient_context *ssl_client) { ...@@ -51,6 +51,14 @@ void ssl_init(sslclient_context *ssl_client) {
ssl_client->peek_buf = -1; ssl_client->peek_buf = -1;
} }
void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att) {
if (att) {
ssl_client->bundle_attach_cb = &esp_crt_bundle_attach;
} else {
ssl_client->bundle_attach_cb = NULL;
}
}
int start_ssl_client( int start_ssl_client(
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle, sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
...@@ -195,11 +203,14 @@ int start_ssl_client( ...@@ -195,11 +203,14 @@ int start_ssl_client(
return handle_error(ret); return handle_error(ret);
} }
} else if (useRootCABundle) { } else if (useRootCABundle) {
log_v("Attaching root CA cert bundle"); if (ssl_client->bundle_attach_cb != NULL) {
ret = esp_crt_bundle_attach(&ssl_client->ssl_conf); log_v("Attaching root CA cert bundle");
ret = ssl_client->bundle_attach_cb(&ssl_client->ssl_conf);
if (ret < 0) { if (ret < 0) {
return handle_error(ret); return handle_error(ret);
}
} else {
log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(ssl, true); was not called!");
} }
} else if (pskIdent != NULL && psKey != NULL) { } else if (pskIdent != NULL && psKey != NULL) {
log_v("Setting up PSK"); log_v("Setting up PSK");
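Review bot: The new `else` branch in start_ssl_client only logs when `useRootCABundle` is set but `bundle_attach_cb` is NULL, then falls through, so the connection attempt continues with no trust anchor configured by this branch; whether the handshake later fails depends on the authmode set elsewhere (outside this hunk), so the misconfiguration should fail fast here by returning a negative value as the other failure paths do, e.g. `return -1;`. The enclosing function starts and ends outside the hunk. Separately, `bundle_attach_cb` is a new member that start_ssl_client now calls through, but ssl_init (whose tail is visible at the top of the previous hunk) is not extended to initialise it; unless the context is zero-initialised at allocation, which is not visible here, a context used before attach_ssl_certificate_bundle() holds an indeterminate pointer and the `!= NULL` check does not protect the call. Adding `ssl_client->bundle_attach_cb = NULL;` next to `ssl_client->peek_buf = -1;` would close that gap.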
......
...@@ -12,6 +12,8 @@ ...@@ -12,6 +12,8 @@
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
typedef struct sslclient_context { typedef struct sslclient_context {
int socket; int socket;
mbedtls_ssl_context ssl_ctx; mbedtls_ssl_context ssl_ctx;
...@@ -24,6 +26,8 @@ typedef struct sslclient_context { ...@@ -24,6 +26,8 @@ typedef struct sslclient_context {
mbedtls_x509_crt client_cert; mbedtls_x509_crt client_cert;
mbedtls_pk_context client_key; mbedtls_pk_context client_key;
crt_bundle_attach_cb bundle_attach_cb;
unsigned long socket_timeout; unsigned long socket_timeout;
unsigned long handshake_timeout; unsigned long handshake_timeout;
...@@ -37,6 +41,7 @@ int start_ssl_client( ...@@ -37,6 +41,7 @@ int start_ssl_client(
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle, sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
); );
void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att);
int ssl_starttls_handshake(sslclient_context *ssl_client); int ssl_starttls_handshake(sslclient_context *ssl_client);
void stop_ssl_socket(sslclient_context *ssl_client); void stop_ssl_socket(sslclient_context *ssl_client);
int data_to_read(sslclient_context *ssl_client); int data_to_read(sslclient_context *ssl_client);
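Review bot: The new public surface in this header, the `crt_bundle_attach_cb` typedef, the `bundle_attach_cb` member and the `attach_ssl_certificate_bundle()` declaration, carries no documentation, and nothing states who owns the member or that a NULL callback makes the `useRootCABundle` path an error in start_ssl_client. Suggest on the declaration: `/* Select (att=true) or clear (att=false) the per-context callback that start_ssl_client uses to attach the root CA bundle; with no callback set, useRootCABundle is rejected. */` and on the member: `/* NULL unless attach_ssl_certificate_bundle(ctx, true) was called. */`. The typedef's `void *conf` parameter would also benefit from a one-line note that it receives `&ssl_conf`, as the call site in start_ssl_client shows.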
......