change(esp-tls): Improve support for wolfssl

Author: gojimmypi

components/esp-tls/CMakeLists.txt

@@ -5,26 +5,113 @@ if(CONFIG_ESP_TLS_USING_MBEDTLS)
 endif()
 
 if(CONFIG_ESP_TLS_USING_WOLFSSL)
+    message(STATUS "esp-tls configured for wolfssl")
     list(APPEND srcs
         "esp_tls_wolfssl.c")
+    set(wolfssl_esp_tls_lib "wolfssl")
+else()
+    unset(wolfssl_esp_tls_lib)
 endif()
 
 set(priv_req http_parser esp_timer)
 if(NOT ${IDF_TARGET} STREQUAL "linux")
     list(APPEND priv_req lwip)
 endif()
 
+message(STATUS "idf_component_register wolfssl_esp_tls_lib: ${wolfssl_esp_tls_lib}")
+
 idf_component_register(SRCS "${srcs}"
                     INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR} esp-tls-crypto
                     PRIV_INCLUDE_DIRS "private_include"
                     # mbedtls is public requirements because esp_tls.h
                     # includes mbedtls header files.
-                    REQUIRES mbedtls
+                    REQUIRES mbedtls ${wolfssl_esp_tls_lib}
                     PRIV_REQUIRES ${priv_req})
 
+# When using wolfSSL for the ESP-TLS (see menuconfig),
+# There are two options:
+#   1) A specified source directory, typically a wolfssl git clone
+#   2) The esp-wolfssl
+# TODO this is duplicate code. See components/wap_supplicant
+message(STATUS "esp-tls config begin")
 if(CONFIG_ESP_TLS_USING_WOLFSSL)
-    idf_component_get_property(wolfssl esp-wolfssl COMPONENT_LIB)
-    target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolfssl})
+    message(STATUS "found CONFIG_ESP_TLS_USING_WOLFSSL")
+    # See https://github.com/wolfSSL/wolfssl/
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_ESPIDF")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
+
+    # The published wolfSSL 5.7.0 user_settings.h does not include some features that
+    # might be enabled in Kconfig, so enable them here:
+    # set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DHAVE_ALPN")
+    # set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DHAVE_SNI")
+    # set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DOPENSSL_EXTRA_X509_SMALL")
+    # this only works for VisualGDB, not idf.py from command-line
+
+    message(STATUS "CMAKE_HOME_DIRECTORY = ${CMAKE_HOME_DIRECTORY}")
+    message(STATUS "CMAKE_PARENT_LIST_FILE = ${CMAKE_PARENT_LIST_FILE}")
+    message(STATUS "CMAKE_SOURCE_DIR = ${CMAKE_SOURCE_DIR}")
+    message(STATUS "COMPONENT_DIR = ${CMAKE_HOME_DIRECTORY}")
+    message(STATUS "COMPONENT_LIB = ${COMPONENT_LIB}")
+    message(STATUS "FOUND_WOLFSSL = ${FOUND_WOLFSSL}")
+    message(STATUS "PROJECT_DIR = ${PROJECT_DIR}")
+    message(STATUS "WOLFSSL_PROJECT_DIR = ${WOLFSSL_PROJECT_DIR}")
+    message(STATUS "CMAKE_HOME_DIRECTORY = ${CMAKE_HOME_DIRECTORY}")
+    message(STATUS "WOLFSSL_ROOT = ${WOLFSSL_ROOT}")
+
+    if(CONFIG_ESP_TLS_USING_WOLFSSL_SPECIFIED)
+        get_filename_component(CUSTOM_SETTING_WOLFSSL_ROOT_PATH "${CUSTOM_SETTING_WOLFSSL_ROOT}" ABSOLUTE)
+        if(EXISTS "${CUSTOM_SETTING_WOLFSSL_ROOT_PATH}/wolfcrypt/src")
+            message(STATUS "ESP-TLS using wolfSSL in: ${CUSTOM_SETTING_WOLFSSL_ROOT_PATH}")
+        else()
+            message(STATUS "ESP-TLS specified directory does not contain wolfSSL: ${CUSTOM_SETTING_WOLFSSL_ROOT_PATH}")
+        endif()
+        idf_component_get_property(wolfssl wolfssl COMPONENT_LIB)
+        target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolfssl})
+    else()
+        # Is wolfSSL installed in the local project as a Managed Component?
+        set(WOLFSSL_COMPONENT_SEARCH "${PROJECT_DIR}/managed_components/wolfssl__wolfssl")
+        message(STATUS "Searching for wolfSSL in ${WOLFSSL_COMPONENT_SEARCH}")
+        if(EXISTS "${WOLFSSL_COMPONENT_SEARCH}")
+            message(STATUS "Configuring ESP-IDF to use wolfssl in Managed Component: ${WOLFSSL_COMPONENT_SEARCH}")
+            idf_component_get_property(wolfssl wolfssl__wolfssl COMPONENT_LIB)
+        else()
+            # Is wolfSSL installed in the local project as a Managed Component
+            # converted to regular project component?
+            set(WOLFSSL_COMPONENT_SEARCH "${PROJECT_DIR}/components/wolfssl__wolfssl")
+            message(STATUS "Searching for wolfSSL in ${WOLFSSL_COMPONENT_SEARCH}")
+            if(EXISTS "${WOLFSSL_COMPONENT_SEARCH}")
+                message(STATUS
+                      "Configuring ESP-IDF to use wolfssl in Converted Managed Component: ${WOLFSSL_COMPONENT_SEARCH}")
+                idf_component_get_property(wolfssl wolfssl__wolfssl COMPONENT_LIB)
+            else()
+                # Is wolfSSL installed in the local project as a non-maged, regular component?
+                set(WOLFSSL_COMPONENT_SEARCH "${PROJECT_DIR}/components/wolfssl")
+                message(STATUS "Searching for wolfSSL in ${WOLFSSL_COMPONENT_SEARCH}")
+                if(EXISTS "${WOLFSSL_COMPONENT_SEARCH}")
+                    message(STATUS "Configuring ESP-IDF to use wolfssl in Component: ${WOLFSSL_COMPONENT_SEARCH}")
+                    idf_component_get_property(wolfssl wolfssl COMPONENT_LIB)
+                else()
+                    set(WOLFSSL_COMPONENT_SEARCH "${THIS_IDF_PATH}/components/esp-wolfssl")
+                    message(STATUS "Searching for wolfSSL in ${WOLFSSL_COMPONENT_SEARCH}")
+                    if(EXISTS "${WOLFSSL_COMPONENT_SEARCH}")
+                        message(STATUS "Configuring ESP-IDF to use wolfssl from: ${WOLFSSL_COMPONENT_SEARCH}")
+                        message(STATUS "Warning: Using legacy esp-wolfssl. Consider using a Managed Component")
+                        # See https://github.com/espressif/esp-idf
+                        message(STATUS "Configuring ESP-TLS to use esp-wolfssl")
+                        idf_component_get_property(wolfssl esp-wolfssl COMPONENT_LIB)
+                    else()
+                        message(STATUS "Consider installing wolfSSL from "
+                                       "https://components.espressif.com/components/wolfssl/wolfssl")
+                        message(FATAL_ERROR "Component ${component} not found")
+                    endif() # esp-wolfssl
+                endif() # project wolfssl
+            endif() # project converted wolfssl__wolfssl
+        endif() # project managed component wolfssl__wolfssl
+        # idf_component_get_property(wolfssl wolfssl__wolfssl COMPONENT_LIB)
+        target_link_libraries(${COMPONENT_LIB} PUBLIC ${wolfssl})
+    endif()
+else()
+    message(STATUS "ESP-TLS is not configured to use wolfSSL.")
 endif()
 
 if(NOT ${IDF_TARGET} STREQUAL "linux")

components/esp-tls/Kconfig

@@ -6,11 +6,17 @@ menu "ESP-TLS"
             The ESP-TLS APIs support multiple backend TLS libraries. Currently mbedTLS and WolfSSL are
             supported. Different TLS libraries may support different features and have different resource
             usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
+
         config ESP_TLS_USING_MBEDTLS
             bool "mbedTLS"
+
         config ESP_TLS_USING_WOLFSSL
-            depends on TLS_STACK_WOLFSSL
             bool "wolfSSL (License info in wolfSSL directory README)"
+            select TLS_STACK_WOLFSSL
+            help
+                This option enables wolfSSL for ESP-TLS.
+                Note: Ensure TLS_STACK_WOLFSSL is enabled to use this option.
+
     endchoice
 
     config ESP_TLS_USE_SECURE_ELEMENT
@@ -100,6 +106,15 @@ menu "ESP-TLS"
             with a server which has a fake identity, provided that the server certificate
             is not provided either through API or other mechanism like ca_store etc.
 
+    config ESP_WOLFSSL_SMALL_CERT_VERIFY
+        bool "Enable SMALL_CERT_VERIFY"
+        depends on ESP_TLS_USING_WOLFSSL
+        default y
+        help
+            Enables server verification with Intermediate CA cert, does not authenticate full chain
+            of trust upto the root CA cert (After Enabling this option client only needs to have Intermediate
+            CA certificate of the server to authenticate server, root CA cert is not necessary).
+
     config ESP_DEBUG_WOLFSSL
         bool "Enable debug logs for wolfSSL"
         depends on ESP_TLS_USING_WOLFSSL

components/esp-tls/esp-tls-crypto/esp_tls_crypto.c

@@ -16,10 +16,14 @@ __attribute__((unused)) static const char *TAG = "esp_crypto";
 #define _esp_crypto_sha1 esp_crypto_sha1_mbedtls
 #define _esp_crypto_base64_encode esp_crypto_bas64_encode_mbedtls
 #elif  CONFIG_ESP_TLS_USING_WOLFSSL
-#include "wolfssl/ssl.h" /* SHA functions are listed in wolfssl/ssl.h */
-#include "wolfssl/wolfcrypt/coding.h"
-#define _esp_crypto_sha1 esp_crypto_sha1_wolfSSL
-#define _esp_crypto_base64_encode esp_crypto_base64_encode_woflSSL
+    #include "wolfssl/wolfcrypt/settings.h"
+    #include "wolfssl/ssl.h" /* some SHA functions are listed in wolfssl/ssl.h */
+    #if defined(CONFIG_ESP_WOLFSSL_OPENSSL_EXTRA) || defined(OPENSSL_EXTRA)
+        #include "wolfssl/openssl/sha.h" /* old SHA functions only available with OpenSSL */
+    #endif
+    #include "wolfssl/wolfcrypt/coding.h"
+    #define _esp_crypto_sha1 esp_crypto_sha1_wolfSSL
+    #define _esp_crypto_base64_encode esp_crypto_base64_encode_woflSSL
 #endif
 
 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
@@ -81,7 +85,17 @@ static int esp_crypto_base64_encode_woflSSL(unsigned char *dst, size_t dlen, siz
         const unsigned char *src, size_t slen)
 {
     *olen = dlen;
+#if defined(CONFIG_ESP_TLS_USING_WOLFSSL) && (defined(WOLFSSL_BASE64_ENCODE) || !defined(OPENSSL_EXTRA))
+    #if defined(WOLFSSL_BASE64_ENCODE_LINE_LEN)
+        #error "WOLFSSL_BASE64_ENCODE_LINE_LEN is defined - Base64_Encode() will insert newlines. Rebuild without it."
+    #endif
+    #ifndef WOLFSSL_BASE64_ENCODE
+        #warning "WOLFSSL_BASE64_ENCODE is missing - Base64_Encode() is unavailable."
+    #endif
+    return Base64_Encode((const byte *) src, (word32) slen, (byte *) dst, (word32 *) olen);
+#else
     return Base64_Encode_NoNl((const byte *) src, (word32) slen, (byte *) dst, (word32 *) olen);
+#endif
 }
 
 #else

components/esp-tls/esp_tls.c

@@ -114,7 +114,11 @@ static const char *TAG = "esp-tls";
 
 static esp_err_t create_ssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
 {
+#if defined(ESP_IDF_VERSION) && (ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 3, 0))
     return _esp_create_ssl_handle(hostname, hostlen, cfg, tls, NULL);
+#else
+    return _esp_create_ssl_handle(hostname, hostlen, cfg, tls);
+#endif
 }
 
 static esp_err_t esp_tls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
@@ -134,7 +138,7 @@ static ssize_t tcp_write(esp_tls_t *tls, const char *data, size_t datalen)
 
 ssize_t esp_tls_conn_read(esp_tls_t *tls, void  *data, size_t datalen)
 {
-    if (!tls) {
+    if (!tls || !data) {
         return -1;
     }
     return tls->read(tls, (char *)data, datalen);
@@ -461,7 +465,10 @@ static inline esp_err_t tcp_connect(const char *host, int hostlen, int port, con
 
 static int esp_tls_low_level_conn(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls)
 {
-
+    if (!tls) {
+        ESP_LOGE(TAG, "empty esp_tls parameter");
+        return -1;
+    }
     esp_err_t esp_ret;
     /* These states are used to keep a tab on connection progress in case of non-blocking connect,
     and in case of blocking connect these cases will get executed one after the other */
@@ -737,11 +744,17 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls
 /**
  * @brief      Close the server side TLS/SSL connection and free any allocated resources.
  */
+#ifdef CONFIG_ESP_TLS_USING_WOLFSSL
+int esp_tls_server_session_delete(esp_tls_t *tls)
+    {
+        return _esp_tls_server_session_delete(tls);
+    }
+#else
 void esp_tls_server_session_delete(esp_tls_t *tls)
 {
     return _esp_tls_server_session_delete(tls);
 }
-
+#endif
 ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls)
 {
     return _esp_tls_get_bytes_avail(tls);

components/esp-tls/esp_tls.h

@@ -19,6 +19,8 @@
 #include "mbedtls/ctr_drbg.h"
 #endif
 #elif CONFIG_ESP_TLS_USING_WOLFSSL
+/* ESP_TLS_HAS_WOLFSSL defined only for versions properly supporting wolfSSL */
+#define  ESP_TLS_HAS_WOLFSSL
 #include "wolfssl/wolfcrypt/settings.h"
 #include "wolfssl/ssl.h"
 #endif
@@ -759,8 +761,11 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls
  *
  * @param[in]  tls  pointer to esp_tls_t
  */
+#ifdef CONFIG_ESP_TLS_USING_WOLFSSL
+int esp_tls_server_session_delete(esp_tls_t *tls);
+#else
 void esp_tls_server_session_delete(esp_tls_t *tls);
-
+#endif
 /**
  * @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle
  *