esp_tls: enable psk verification mode, added mqtt example using psk authentication

This commit is contained in:
David Cermak
2019-05-23 21:48:08 +02:00
committed by Angus Gratton
parent d260ee6955
commit f3d6a34e7d
13 changed files with 309 additions and 2 deletions


@@ -5,5 +5,16 @@ menu "ESP-TLS"
help
Enable support for creating server side SSL/TLS session
config ESP_TLS_PSK_VERIFICATION
bool "Enable PSK verification"
select MBEDTLS_PSK_MODES
select MBEDTLS_KEY_EXCHANGE_PSK
select MBEDTLS_KEY_EXCHANGE_DHE_PSK
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
select MBEDTLS_KEY_EXCHANGE_RSA_PSK
default n
help
Enable support for pre shared key ciphers
endmenu
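Review bot: The help text of ESP_TLS_PSK_VERIFICATION does not say what the option actually gates in code, so a user who sets esp_tls_cfg_t::psk_hint_key with the option off has to read esp_tls.c to learn why connection setup fails. The esp_tls.c hunk in this commit returns ESP_ERR_INVALID_STATE with a log message in that case; the help text should point to it: `Enable support for pre shared key ciphers. Required for esp_tls_cfg_t::psk_hint_key to be honoured; with this option disabled, esp-tls rejects a configuration that sets psk_hint_key with ESP_ERR_INVALID_STATE.` Stating it here also makes clear that the option is a build-time switch rather than something selected per connection.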


@@ -426,6 +426,23 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
if (esp_ret != ESP_OK) {
return esp_ret;
}
mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
} else if (cfg->psk_hint_key) {
#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
//
// PSK encryption mode is configured only if no certificate supplied and psk pointer not null
ESP_LOGD(TAG, "ssl psk authentication");
ret = mbedtls_ssl_conf_psk(&tls->conf, cfg->psk_hint_key->key, cfg->psk_hint_key->key_size,
(const unsigned char *)cfg->psk_hint_key->hint, strlen(cfg->psk_hint_key->hint));
if (ret != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_conf_psk returned -0x%x", -ret);
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ERR_TYPE_MBEDTLS, -ret);
return ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED;
}
#else
ESP_LOGE(TAG, "psk_hint_key configured but not enabled in menuconfig: Please enable ESP_TLS_PSK_VERIFICATION option");
return ESP_ERR_INVALID_STATE;
#endif
} else {
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
}
@@ -443,7 +460,7 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
};
esp_err_t esp_ret = set_pki_context(tls, &pki);
if (esp_ret != ESP_OK) {
ESP_LOGE(TAG, "Failed to set server pki context");
ESP_LOGE(TAG, "Failed to set client pki context");
return esp_ret;
}
} else if (cfg->clientcert_buf != NULL || cfg->clientkey_buf != NULL) {
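Review bot: In the first hunk, `strlen(cfg->psk_hint_key->hint)` and the `cfg->psk_hint_key->key` argument to mbedtls_ssl_conf_psk are used without checking that either pointer is non-NULL; the branch only tests `cfg->psk_hint_key` itself, and the psk_hint_key_t documentation added in esp_tls.h does not require the members to be set, so a caller who supplies a key but no hint gets undefined behaviour in strlen() rather than an error. A guard before the call, `if (cfg->psk_hint_key->key == NULL || cfg->psk_hint_key->hint == NULL) { return ESP_ERR_INVALID_ARG; }` (with an ESP_LOGE naming the missing field, as the other error paths in this function do), keeps the failure inside esp-tls and reportable. While here, the bare `//` line above the "PSK encryption mode" comment looks like a leftover and can be dropped. set_client_config() begins and ends outside the hunk, so I could not confirm whether key/hint are validated earlier; if they are, a comment at the branch saying so would help the next reader.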


@@ -48,6 +48,7 @@ extern "C" {
#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0E) /*!< mbedtls api returned error */
#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED (ESP_ERR_ESP_TLS_BASE + 0x0F) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED (ESP_ERR_ESP_TLS_BASE + 0x10) /*!< mbedtls api returned failed */
#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED (ESP_ERR_ESP_TLS_BASE + 0x11) /*!< mbedtls api returned failed */
typedef struct esp_tls_last_error* esp_tls_error_handle_t;
@@ -76,6 +77,15 @@ typedef enum esp_tls_role {
ESP_TLS_SERVER,
} esp_tls_role_t;
/**
* @brief ESP-TLS preshared key and hint structure
*/
typedef struct psk_key_hint {
const uint8_t* key; /*!< key in PSK authentication mode in binary format */
const size_t key_size; /*!< length of the key */
const char* hint; /*!< hint in PSK authentication mode in string format */
} psk_hint_key_t;
/**
* @brief ESP-TLS configuration parameters
*
@@ -159,6 +169,11 @@ typedef struct esp_tls_cfg {
If NULL, server certificate CN must match hostname. */
bool skip_common_name; /*!< Skip any validation of server certificate CN field */
const psk_hint_key_t* psk_hint_key; /*!< Pointer to PSK hint and key. if not NULL (and certificates are NULL)
then PSK authentication is enabled with configured setup.
Important note: the pointer must be valid for connection */
} esp_tls_cfg_t;
#ifdef CONFIG_ESP_TLS_SERVER