From 8cd3c479562ba31578f28ca54adbea3a7dd6fc39 Mon Sep 17 00:00:00 2001 From: Jitin George Date: Mon, 12 Feb 2018 23:41:31 +0530 Subject: [PATCH] esp-tls api support in https_request --- .../main/https_request_example_main.c | 160 +++--------------- 1 file changed, 28 insertions(+), 132 deletions(-) diff --git a/examples/protocols/https_request/main/https_request_example_main.c b/examples/protocols/https_request/main/https_request_example_main.c index 93aaba74f..1faab9432 100644 --- a/examples/protocols/https_request/main/https_request_example_main.c +++ b/examples/protocols/https_request/main/https_request_example_main.c @@ -47,6 +47,8 @@ #include "mbedtls/error.h" #include "mbedtls/certs.h" +#include "esp-tls.h" + /* The examples use simple WiFi configuration that you can set via 'make menuconfig'. @@ -88,7 +90,7 @@ static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n" */ extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start"); extern const uint8_t server_root_cert_pem_end[] asm("_binary_server_root_cert_pem_end"); - + static esp_err_t event_handler(void *ctx, system_event_t *event) { switch(event->event_id) { @@ -133,78 +135,7 @@ static void initialise_wifi(void) static void https_get_task(void *pvParameters) { char buf[512]; - int ret, flags, len; - - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; - mbedtls_ssl_context ssl; - mbedtls_x509_crt cacert; - mbedtls_ssl_config conf; - mbedtls_net_context server_fd; - - mbedtls_ssl_init(&ssl); - mbedtls_x509_crt_init(&cacert); - mbedtls_ctr_drbg_init(&ctr_drbg); - ESP_LOGI(TAG, "Seeding the random number generator"); - - mbedtls_ssl_config_init(&conf); - - mbedtls_entropy_init(&entropy); - if((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - NULL, 0)) != 0) - { - ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned %d", ret); - abort(); - } - - ESP_LOGI(TAG, "Loading the CA root certificate..."); - - ret = mbedtls_x509_crt_parse(&cacert, server_root_cert_pem_start, - server_root_cert_pem_end-server_root_cert_pem_start); - - if(ret < 0) - { - ESP_LOGE(TAG, "mbedtls_x509_crt_parse returned -0x%x\n\n", -ret); - abort(); - } - - ESP_LOGI(TAG, "Setting hostname for TLS session..."); - - /* Hostname set here should match CN in server certificate */ - if((ret = mbedtls_ssl_set_hostname(&ssl, WEB_SERVER)) != 0) - { - ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret); - abort(); - } - - ESP_LOGI(TAG, "Setting up the SSL/TLS structure..."); - - if((ret = mbedtls_ssl_config_defaults(&conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT)) != 0) - { - ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret); - goto exit; - } - - /* MBEDTLS_SSL_VERIFY_OPTIONAL is bad for security, in this example it will print - a warning if CA verification fails but it will continue to connect. - - You should consider using MBEDTLS_SSL_VERIFY_REQUIRED in your own code. - */ - mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL); - mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL); - mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); -#ifdef CONFIG_MBEDTLS_DEBUG - mbedtls_esp_enable_debug_log(&conf, 4); -#endif - - if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) - { - ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x\n\n", -ret); - goto exit; - } + int ret, len; while(1) { /* Wait for the callback to set the CONNECTED_BIT in the @@ -213,61 +144,30 @@ static void https_get_task(void *pvParameters) xEventGroupWaitBits(wifi_event_group, CONNECTED_BIT, false, true, portMAX_DELAY); ESP_LOGI(TAG, "Connected to AP"); - - mbedtls_net_init(&server_fd); - - ESP_LOGI(TAG, "Connecting to %s:%s...", WEB_SERVER, WEB_PORT); - - if ((ret = mbedtls_net_connect(&server_fd, WEB_SERVER, - WEB_PORT, MBEDTLS_NET_PROTO_TCP)) != 0) - { - ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret); - goto exit; + struct esp_tls_cfg cfg = { + .cacert_pem_buf = server_root_cert_pem_start, + .cacert_pem_bytes = server_root_cert_pem_end - server_root_cert_pem_start, + }; + + struct esp_tls *tls = esp_tls_conn_http_new(WEB_URL, &cfg); + + if(tls != NULL) { + ESP_LOGI(TAG, "Connection established..."); + } else { + ESP_LOGE(TAG, "Connection failed..."); + abort(); } - - ESP_LOGI(TAG, "Connected."); - - mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL); - - ESP_LOGI(TAG, "Performing the SSL/TLS handshake..."); - - while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) - { - if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) - { - ESP_LOGE(TAG, "mbedtls_ssl_handshake returned -0x%x", -ret); - goto exit; - } - } - - ESP_LOGI(TAG, "Verifying peer X.509 certificate..."); - - if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) - { - /* In real life, we probably want to close connection if ret != 0 */ - ESP_LOGW(TAG, "Failed to verify peer certificate!"); - bzero(buf, sizeof(buf)); - mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags); - ESP_LOGW(TAG, "verification info: %s", buf); - } - else { - ESP_LOGI(TAG, "Certificate verified."); - } - - ESP_LOGI(TAG, "Cipher suite is %s", mbedtls_ssl_get_ciphersuite(&ssl)); - - ESP_LOGI(TAG, "Writing HTTP request..."); - + size_t written_bytes = 0; do { - ret = mbedtls_ssl_write(&ssl, - (const unsigned char *)REQUEST + written_bytes, - strlen(REQUEST) - written_bytes); + ret = esp_tls_conn_write(tls, + (const char *)REQUEST + written_bytes, + strlen(REQUEST) - written_bytes); if (ret >= 0) { ESP_LOGI(TAG, "%d bytes written", ret); written_bytes += ret; - } else if (ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_WANT_READ) { - ESP_LOGE(TAG, "mbedtls_ssl_write returned -0x%x", -ret); + } else if (-ret != SSL_ERROR_WANT_WRITE && -ret != SSL_ERROR_WANT_READ) { + ESP_LOGE(TAG, "esp_tls_conn_write returned -0x%x", ret); goto exit; } } while(written_bytes < strlen(REQUEST)); @@ -278,9 +178,9 @@ static void https_get_task(void *pvParameters) { len = sizeof(buf) - 1; bzero(buf, sizeof(buf)); - ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len); - - if(ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) + ret = esp_tls_conn_read(tls, (char *)buf, len); + + if(-ret == SSL_ERROR_WANT_WRITE || -ret == SSL_ERROR_WANT_READ) continue; if(ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { @@ -290,7 +190,7 @@ static void https_get_task(void *pvParameters) if(ret < 0) { - ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret); + ESP_LOGE(TAG, "esp_tls_conn_read returned -0x%x", ret); break; } @@ -308,18 +208,14 @@ static void https_get_task(void *pvParameters) } } while(1); - mbedtls_ssl_close_notify(&ssl); - exit: - mbedtls_ssl_session_reset(&ssl); - mbedtls_net_free(&server_fd); - - if(ret != 0) + if(ret != 0) { mbedtls_strerror(ret, buf, 100); ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf); } + esp_tls_conn_delete(tls); putchar('\n'); // JSON output doesn't have a newline at end static int request_count;