chore: import upstream snapshot with attribution
This commit is contained in:
@@ -0,0 +1,9 @@
|
||||
# The following five lines of boilerplate have to be in your project's
|
||||
# CMakeLists in this exact order for cmake to work correctly
|
||||
cmake_minimum_required(VERSION 3.22)
|
||||
|
||||
|
||||
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
|
||||
# "Trim" the build. Include the minimal set of components, main, and anything it depends on.
|
||||
idf_build_set_property(MINIMAL_BUILD ON)
|
||||
project(https_mbedtls)
|
||||
@@ -0,0 +1,72 @@
|
||||
| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-C61 | ESP32-H2 | ESP32-P4 | ESP32-S2 | ESP32-S3 | Linux |
|
||||
| ----------------- | ----- | -------- | -------- | -------- | -------- | --------- | -------- | -------- | -------- | -------- | ----- |
|
||||
|
||||
# HTTP connection with TLS support using mbedTLS
|
||||
|
||||
(See the README.md file in the upper level 'examples' directory for more information about examples.)
|
||||
|
||||
Simple HTTPS request example that uses mbedTLS to establish a secure socket connection using the certificate bundle with two custom certificates added for verification:
|
||||
|
||||
## How to use example
|
||||
|
||||
### Hardware Required
|
||||
|
||||
* A development board with ESP32/ESP32-S2/ESP32-C3 SoC (e.g., ESP32-DevKitC, ESP-WROVER-KIT, etc.)
|
||||
* A USB cable for power supply and programming
|
||||
|
||||
### Configure the project
|
||||
|
||||
```
|
||||
idf.py menuconfig
|
||||
```
|
||||
* Open the project configuration menu (`idf.py menuconfig`) to configure Wi-Fi or Ethernet. See "Establishing Wi-Fi or Ethernet Connection" section in [examples/protocols/README.md](../../README.md) for more details.
|
||||
|
||||
### Build and Flash
|
||||
|
||||
Build the project and flash it to the board, then run monitor tool to view serial output:
|
||||
|
||||
```
|
||||
idf.py -p PORT flash monitor
|
||||
```
|
||||
|
||||
(Replace PORT with the name of the serial port to use.)
|
||||
|
||||
(To exit the serial monitor, type ``Ctrl-]``.)
|
||||
|
||||
See the Getting Started Guide for full steps to configure and use ESP-IDF to build projects.
|
||||
|
||||
## Example Output
|
||||
|
||||
```
|
||||
I (9599) example_connect: - IPv4 address: 192.168.194.219
|
||||
I (9599) example_connect: - IPv6 address: fe80:0000:0000:0000:266f:28ff:fe80:2c74, type: ESP_IP6_ADDR_IS_LINK_LOCAL
|
||||
I (9609) example: Seeding the random number generator
|
||||
I (9619) example: Attaching the certificate bundle...
|
||||
I (9619) example: Setting hostname for TLS session...
|
||||
I (9629) example: Setting up the SSL/TLS structure...
|
||||
I (9639) example: Connecting to www.howsmyssl.com:443...
|
||||
I (10109) example: Connected.
|
||||
I (10109) example: Performing the SSL/TLS handshake...
|
||||
I (10789) esp-x509-crt-bundle: Certificate validated
|
||||
I (15019) example: Verifying peer X.509 certificate...
|
||||
I (15019) example: Certificate verified.
|
||||
I (15019) example: Cipher suite is TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
|
||||
I (15029) example: Writing HTTP request...
|
||||
I (15039) example: 106 bytes written
|
||||
I (15039) example: Reading HTTP response...
|
||||
HTTP/1.0 200 OK
|
||||
Content-Length: 2091
|
||||
Access-Control-Allow-Origin: *
|
||||
Content-Type: application/json
|
||||
Date: Wed, 08 Sep 2021 09:28:59 GMT
|
||||
Strict-Transport-Security: max-age=631138519; includeSubdomains; preload
|
||||
|
||||
{"given_cipher_suites":["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_DHE_RSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8","TLS_DHE_RSA_WITH_AES_256_CCM_8","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_DHE_RSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8","TLS_DHE_RSA_WITH_AES_128_CCM_8","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CCM","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_256_CCM_8","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_128_CCM","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CCM_8","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"],"ephemeral_keys_supported":true,"session_ticket_supported":true,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":false,"insecure_cipher_suites":{},"tls_version":"TLS 1.2","rating":"Probably Okay"}
|
||||
I (15829) example: Completed 1 requests
|
||||
Minimum free heap size: 189136 bytes
|
||||
I (15839) example: 10...
|
||||
I (16839) example: 9...
|
||||
I (17839) example: 8...
|
||||
I (18839) example: 7...
|
||||
I (19839) example: 6...
|
||||
```
|
||||
@@ -0,0 +1,6 @@
|
||||
# Embed the server root certificate into the final binary
|
||||
#
|
||||
# (If this was a component, we would set COMPONENT_EMBED_TXTFILES here.)
|
||||
idf_component_register(SRCS "https_mbedtls_example_main.c"
|
||||
PRIV_REQUIRES esp_event nvs_flash esp_netif mbedtls
|
||||
INCLUDE_DIRS ".")
|
||||
@@ -0,0 +1,247 @@
|
||||
/* HTTPS GET Example using plain mbedTLS sockets
|
||||
*
|
||||
* Contacts the howsmyssl.com API via TLS v1.2 and reads a JSON
|
||||
* response.
|
||||
*
|
||||
* Adapted from the ssl_client1 example in mbedtls.
|
||||
*
|
||||
* SPDX-FileCopyrightText: The Mbed TLS Contributors
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* SPDX-FileContributor: 2015-2025 Espressif Systems (Shanghai) CO LTD
|
||||
*/
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <inttypes.h>
|
||||
#include "freertos/FreeRTOS.h"
|
||||
#include "freertos/task.h"
|
||||
#include "esp_event.h"
|
||||
#include "esp_log.h"
|
||||
#include "esp_system.h"
|
||||
#include "nvs_flash.h"
|
||||
#include "protocol_examples_common.h"
|
||||
#include "esp_netif.h"
|
||||
|
||||
#include "mbedtls/platform.h"
|
||||
#include "mbedtls/net_sockets.h"
|
||||
#include "mbedtls/esp_debug.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/error.h"
|
||||
#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
|
||||
#include "psa/crypto.h"
|
||||
#endif
|
||||
#include "esp_crt_bundle.h"
|
||||
|
||||
|
||||
/* Constants that aren't configurable in menuconfig */
|
||||
#define WEB_SERVER "www.howsmyssl.com"
|
||||
#define WEB_PORT "443"
|
||||
#define WEB_URL "https://www.howsmyssl.com/a/check"
|
||||
|
||||
static const char *TAG = "example";
|
||||
|
||||
static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n"
|
||||
"Host: "WEB_SERVER"\r\n"
|
||||
"User-Agent: esp-idf/1.0 esp32\r\n"
|
||||
"\r\n";
|
||||
|
||||
|
||||
static void https_get_task(void *pvParameters)
|
||||
{
|
||||
char buf[512];
|
||||
int ret, flags, len;
|
||||
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_x509_crt cacert;
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_net_context server_fd;
|
||||
|
||||
mbedtls_ssl_init(&ssl);
|
||||
mbedtls_x509_crt_init(&cacert);
|
||||
ESP_LOGI(TAG, "Seeding the random number generator");
|
||||
|
||||
mbedtls_ssl_config_init(&conf);
|
||||
|
||||
ESP_LOGI(TAG, "Attaching the certificate bundle...");
|
||||
|
||||
ret = esp_crt_bundle_attach(&conf);
|
||||
|
||||
if(ret < 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "esp_crt_bundle_attach returned -0x%x", -ret);
|
||||
abort();
|
||||
}
|
||||
|
||||
ESP_LOGI(TAG, "Setting hostname for TLS session...");
|
||||
|
||||
/* Hostname set here should match CN in server certificate */
|
||||
if((ret = mbedtls_ssl_set_hostname(&ssl, WEB_SERVER)) != 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
|
||||
abort();
|
||||
}
|
||||
|
||||
ESP_LOGI(TAG, "Setting up the SSL/TLS structure...");
|
||||
|
||||
if((ret = mbedtls_ssl_config_defaults(&conf,
|
||||
MBEDTLS_SSL_IS_CLIENT,
|
||||
MBEDTLS_SSL_TRANSPORT_STREAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_config_defaults returned %d", ret);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
||||
#ifdef CONFIG_MBEDTLS_DEBUG
|
||||
mbedtls_esp_enable_debug_log(&conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
|
||||
#endif
|
||||
|
||||
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_setup returned -0x%x", -ret);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
while(1) {
|
||||
mbedtls_net_init(&server_fd);
|
||||
|
||||
ESP_LOGI(TAG, "Connecting to %s:%s...", WEB_SERVER, WEB_PORT);
|
||||
|
||||
if ((ret = mbedtls_net_connect(&server_fd, WEB_SERVER,
|
||||
WEB_PORT, MBEDTLS_NET_PROTO_TCP)) != 0)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_net_connect returned -%x", -ret);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
ESP_LOGI(TAG, "Connected.");
|
||||
|
||||
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
|
||||
|
||||
ESP_LOGI(TAG, "Performing the SSL/TLS handshake...");
|
||||
|
||||
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0)
|
||||
{
|
||||
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
|
||||
{
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_handshake returned -0x%x", -ret);
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
|
||||
ESP_LOGI(TAG, "Verifying peer X.509 certificate...");
|
||||
|
||||
if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0)
|
||||
{
|
||||
/* In real life, we probably want to close connection if ret != 0 */
|
||||
ESP_LOGW(TAG, "Failed to verify peer certificate!");
|
||||
bzero(buf, sizeof(buf));
|
||||
mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags);
|
||||
ESP_LOGW(TAG, "verification info: %s", buf);
|
||||
}
|
||||
else {
|
||||
ESP_LOGI(TAG, "Certificate verified.");
|
||||
}
|
||||
|
||||
ESP_LOGI(TAG, "Cipher suite is %s", mbedtls_ssl_get_ciphersuite(&ssl));
|
||||
|
||||
ESP_LOGI(TAG, "Writing HTTP request...");
|
||||
|
||||
size_t written_bytes = 0;
|
||||
do {
|
||||
ret = mbedtls_ssl_write(&ssl,
|
||||
(const unsigned char *)REQUEST + written_bytes,
|
||||
strlen(REQUEST) - written_bytes);
|
||||
if (ret >= 0) {
|
||||
ESP_LOGI(TAG, "%d bytes written", ret);
|
||||
written_bytes += ret;
|
||||
} else if (ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_WANT_READ) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_write returned -0x%x", -ret);
|
||||
goto exit;
|
||||
}
|
||||
} while(written_bytes < strlen(REQUEST));
|
||||
|
||||
ESP_LOGI(TAG, "Reading HTTP response...");
|
||||
|
||||
do
|
||||
{
|
||||
len = sizeof(buf) - 1;
|
||||
bzero(buf, sizeof(buf));
|
||||
ret = mbedtls_ssl_read(&ssl, (unsigned char *)buf, len);
|
||||
|
||||
#if CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||
ESP_LOGD(TAG, "got session ticket in TLS 1.3 connection, retry read");
|
||||
continue;
|
||||
}
|
||||
#endif // CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 && CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS
|
||||
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
if (ret < 0) {
|
||||
ESP_LOGE(TAG, "mbedtls_ssl_read returned -0x%x", -ret);
|
||||
break;
|
||||
}
|
||||
|
||||
if (ret == 0) {
|
||||
ESP_LOGI(TAG, "connection closed");
|
||||
break;
|
||||
}
|
||||
|
||||
len = ret;
|
||||
ESP_LOGD(TAG, "%d bytes read", len);
|
||||
/* Print response directly to stdout as it is read */
|
||||
for (int i = 0; i < len; i++) {
|
||||
putchar(buf[i]);
|
||||
}
|
||||
} while(1);
|
||||
|
||||
mbedtls_ssl_close_notify(&ssl);
|
||||
|
||||
exit:
|
||||
mbedtls_ssl_session_reset(&ssl);
|
||||
mbedtls_net_free(&server_fd);
|
||||
|
||||
if (ret != 0) {
|
||||
mbedtls_strerror(ret, buf, 100);
|
||||
ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
|
||||
}
|
||||
|
||||
putchar('\n'); // JSON output doesn't have a newline at end
|
||||
|
||||
static int request_count;
|
||||
ESP_LOGI(TAG, "Completed %d requests", ++request_count);
|
||||
ESP_LOGI(TAG, "Minimum free heap size: %" PRIu32 " bytes\n", esp_get_minimum_free_heap_size());
|
||||
|
||||
for (int countdown = 10; countdown >= 0; countdown--) {
|
||||
ESP_LOGI(TAG, "%d...", countdown);
|
||||
vTaskDelay(1000 / portTICK_PERIOD_MS);
|
||||
}
|
||||
ESP_LOGI(TAG, "Starting again!");
|
||||
}
|
||||
}
|
||||
|
||||
void app_main(void)
|
||||
{
|
||||
ESP_ERROR_CHECK( nvs_flash_init() );
|
||||
ESP_ERROR_CHECK(esp_netif_init());
|
||||
ESP_ERROR_CHECK(esp_event_loop_create_default());
|
||||
|
||||
/* This helper function configures Wi-Fi or Ethernet, as selected in menuconfig.
|
||||
* Read "Establishing Wi-Fi or Ethernet Connection" section in
|
||||
* examples/protocols/README.md for more information about this function.
|
||||
*/
|
||||
ESP_ERROR_CHECK(example_connect());
|
||||
|
||||
xTaskCreate(&https_get_task, "https_get_task", 8192, NULL, 5, NULL);
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
dependencies:
|
||||
protocol_examples_common:
|
||||
path: ${IDF_PATH}/examples/common_components/protocol_examples_common
|
||||
@@ -0,0 +1,39 @@
|
||||
#!/usr/bin/env python
|
||||
#
|
||||
# SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
import logging
|
||||
import os
|
||||
|
||||
import pytest
|
||||
from pytest_embedded import Dut
|
||||
from pytest_embedded_idf.utils import idf_parametrize
|
||||
|
||||
|
||||
@pytest.mark.ethernet
|
||||
@idf_parametrize('target', ['esp32'], indirect=['target'])
|
||||
def test_examples_protocol_https_mbedtls(dut: Dut) -> None:
|
||||
"""
|
||||
steps: |
|
||||
1. join AP
|
||||
2. connect to www.howsmyssl.com:443
|
||||
3. send http request
|
||||
"""
|
||||
# check and log bin size
|
||||
binary_file = os.path.join(dut.app.binary_path, 'https_mbedtls.bin')
|
||||
bin_size = os.path.getsize(binary_file)
|
||||
logging.info('https_mbedtls_bin_size : {}KB'.format(bin_size // 1024))
|
||||
# start test
|
||||
dut.expect('Connected.', timeout=30)
|
||||
logging.info('TCP connection established with the server\n performing SSL/TLS handshake')
|
||||
dut.expect('Performing the SSL/TLS handshake...')
|
||||
dut.expect('Certificate verified.')
|
||||
logging.info('SSL/TLS handshake successful')
|
||||
dut.expect('Writing HTTP request...')
|
||||
dut.expect('Reading HTTP response...')
|
||||
dut.expect(r'Completed (\d) requests')
|
||||
|
||||
# Read free heap size
|
||||
res = dut.expect(r'Minimum free heap size: (\d+)')[1].decode()
|
||||
if not res:
|
||||
raise ValueError('Maximum heap size info not found')
|
||||
@@ -0,0 +1,12 @@
|
||||
CONFIG_SPIRAM=y
|
||||
CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=y
|
||||
CONFIG_EXAMPLE_CONNECT_ETHERNET=y
|
||||
CONFIG_EXAMPLE_CONNECT_WIFI=n
|
||||
CONFIG_ETHERNET_INTERNAL_SUPPORT=y
|
||||
CONFIG_ETHERNET_PHY_GENERIC=y
|
||||
CONFIG_ETHERNET_MDC_GPIO=23
|
||||
CONFIG_ETHERNET_MDIO_GPIO=18
|
||||
CONFIG_ETHERNET_PHY_RST_GPIO=5
|
||||
CONFIG_ETHERNET_PHY_ADDR=1
|
||||
CONFIG_EXAMPLE_CONNECT_IPV6=y
|
||||
CONFIG_MBEDTLS_DYNAMIC_BUFFER=y
|
||||
Reference in New Issue
Block a user