Merge branch 'feature/wolfssl_tls13' into 'master'

wolfSSL: Support for TLS 1.3

See merge request esp-components/esp-wolfssl!16

Author: mahavirj

.gitignore

@@ -0,0 +1,42 @@
+# gtags
+GTAGS
+GRTAGS
+GPATH
+
+# emacs
+.dir-locals.el
+
+# emacs temp file suffixes
+*~
+.#*
+\#*#
+
+# eclipse setting
+.settings
+
+# MacOS directory files
+.DS_Store
+
+# Components Unit Test Apps files
+components/**/build
+components/**/sdkconfig
+components/**/sdkconfig.old
+
+# Example project files
+examples/**/sdkconfig
+examples/**/sdkconfig.old
+examples/**/build
+
+# VS Code Settings
+.vscode/
+
+# VIM files
+*.swp
+*.swo
+
+# Clion IDE CMake build & config
+.idea/
+cmake-build-*/
+
+# ESP-IDF default build directory name
+build

.gitlab-ci.yml

@@ -6,6 +6,7 @@ variables:
   BATCH_BUILD: "1"
   V: "0"
   MAKEFLAGS: "-j5 --no-keep-going"
+  GIT_SUBMODULE_STRATEGY: recursive
 
 # before each job, we need to check if this job is filtered by bot stage/job filter
 .apply_bot_filter: &apply_bot_filter
@@ -25,65 +26,36 @@ variables:
     - git --version
     - git submodule update --init --recursive
 
-test_build_esp32:
-  when: always
+.build_idf_template:
   stage: build
-  image: "$CI_DOCKER_REGISTRY/esp-idf-doc-env:v4.4-1-v2"
+  image: espressif/idf:latest
   tags:
     - build
   variables:
-    IDF_PATH: "$CI_PROJECT_DIR/idf/esp-idf"
-  before_script: *setup_env
+    PEDANTIC_FLAGS: "-Werror -Werror=unused-variable -Werror=unused-but-set-variable -Werror=unused-function"
+    EXTRA_CFLAGS: "${PEDANTIC_FLAGS}"
+    EXTRA_CXXFLAGS: "${PEDANTIC_FLAGS}"
   script:
-    - export PATH="$IDF_PATH/tools:$PATH"
-    - mkdir idf
-    - cd idf
-    - export 
-    - git clone --recursive --depth 1 $GITLAB_SSH_SERVER/idf/esp-idf.git
-    - pushd esp-idf
-    - echo "v4.1" > version.txt
-    - source tools/ci/setup_python.sh
-    - source tools/ci/configure_ci_environment.sh
-    - tools/idf_tools.py --non-interactive install && eval "$(tools/idf_tools.py --non-interactive export)" || exit 1
-    - popd
-    - cd ../tools/ci && ./build_exmaples.sh || exit 1
+    - cd $CI_PROJECT_DIR/tools/ci
+    - ./build_examples.sh || exit 1
 
-test_build_esp8266:
-  when: always
-  stage: build
-  image: $CI_DOCKER_REGISTRY/esp8266-ci-env-new
-  tags:
-    - build
-  variables:
-    IDF_PATH: "$CI_PROJECT_DIR/idf/ESP8266_RTOS_SDK"
-  before_script: *setup_env
-  script:
-    - export PATH="$IDF_PATH/tools:$PATH"
-    - mkdir idf
-    - cd idf
-    - export
-    - git clone --recursive --depth 1 $GITLAB_SSH_SERVER/sdk/ESP8266_RTOS_SDK.git
-    - pushd ESP8266_RTOS_SDK
-    - echo "v3.3" > version.txt
-    - tools/idf_tools.py --non-interactive install && eval "$(tools/idf_tools.py --non-interactive export)" || exit 1
-    - source tools/ci/configure_ci_environment.sh
-    - popd
-    - cd ../tools/ci && ./build_exmaples.sh || exit 1
+build_idf_master:
+  extends: .build_idf_template
+  image: espressif/idf:latest
 
+build_idf_v4.4:
+  extends: .build_idf_template
+  image: espressif/idf:release-v4.4
 
 push_master_to_github:
   stage: deploy
-  image: "$CI_DOCKER_REGISTRY/esp-idf-doc-env:v4.4-1-v2"
+  image: espressif/idf:latest
   tags:
     - deploy
   only:
     - master
-    - /^release\/v/
-    - /^v\d+\.\d+(\.\d+)?($|-)/
   when: on_success
-  dependencies:
-    - test_build_esp32
-    - test_build_esp8266
+  dependencies: []
   variables:
     GITHUB_PUSH_REFS: refs/remotes/origin/release refs/remotes/origin/master
   before_script: *setup_env

CMakeLists.txt

@@ -31,5 +31,7 @@ idf_component_register(SRC_DIRS "${COMPONENT_SRCDIRS}"
                         EXCLUDE_SRCS "${COMPONENT_SRCEXCLUDE_1}"
                         )
 target_compile_options(${COMPONENT_LIB} PRIVATE -Wno-cpp -Wno-maybe-uninitialized)
-set_source_files_properties(wolfssl/src/ssl.c PROPERTIES COMPILE_FLAGS -Wno-format-truncation)
+set_source_files_properties(wolfssl/src/ssl.c PROPERTIES COMPILE_FLAGS "-Wno-format-truncation -Wno-char-subscripts")
+set_source_files_properties(wolfssl/wolfcrypt/src/random.c PROPERTIES COMPILE_FLAGS "-Wno-implicit-function-declaration")
+set_source_files_properties(wolfssl/wolfcrypt/src/port/Espressif/esp32_aes.c PROPERTIES COMPILE_FLAGS "-Wno-incompatible-pointer-types")
 target_compile_definitions(${COMPONENT_LIB} PUBLIC WOLFSSL_USER_SETTINGS)

Kconfig

@@ -1,15 +1,14 @@
 menu "wolfSSL"
 
     config TLS_STACK_WOLFSSL
-        bool "Include wolfSSL in esp-tls"
+        bool "Include wolfSSL in ESP-TLS"
         default y
+        select FREERTOS_ENABLE_BACKWARD_COMPATIBILITY
         help
-            Includes wolfSSL in the esp-tls so that , esp-tls can be compiled with wolfSSL as its SSL/TLS library.
+            Includes wolfSSL in ESP-TLS so that it can be compiled with wolfSSL as its SSL/TLS library.
 
     config WOLFSSL_HAVE_ALPN
-        bool "Enable ALPN(Application Layer Protocol Negotiation) in wolfSSL"
+        bool "Enable ALPN (Application Layer Protocol Negotiation) in wolfSSL"
         default y
-        help
-            Enables ALPN option in wolfSSL.
 
 endmenu # wolfSSL

examples/https_request/main/https_request_example_main.c

@@ -43,21 +43,21 @@
 #include "esp_tls.h"
 
 /* Constants that aren't configurable in menuconfig */
-#define WEB_SERVER "www.howsmyssl.com"
-#define WEB_PORT "443"
-#define WEB_URL "https://www.howsmyssl.com/a/check"
+#define WEB_SERVER "api.github.com"
+#define WEB_PORT (443)
+#define WEB_URL "https://api.github.com/zen"
 
 static const char *TAG = "example";
 
 static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n"
-    "Host: "WEB_SERVER"\r\n"
-    "User-Agent: esp-idf/1.0 esp32\r\n"
-    "\r\n";
+                             "Host: "WEB_SERVER"\r\n"
+                             "User-Agent: esp-idf/1.0 esp32\r\n"
+                             "\r\n";
 
-/* Root cert for howsmyssl.com, taken from server_root_cert.pem
+/* Root cert for api.github.com, taken from server_root_cert.pem
 
    The PEM file was extracted from the output of this command:
-   openssl s_client -showcerts -connect www.howsmyssl.com:443 </dev/null
+   openssl s_client -showcerts -connect www.api.github.com:443 </dev/null
 
    The CA root cert is the last cert given in the chain of certs.
 
@@ -67,80 +67,97 @@ static const char *REQUEST = "GET " WEB_URL " HTTP/1.0\r\n"
 extern const uint8_t server_root_cert_pem_start[] asm("_binary_server_root_cert_pem_start");
 extern const uint8_t server_root_cert_pem_end[]   asm("_binary_server_root_cert_pem_end");
 
+/*
+ * NOTE: To turn on debug logs for wolfSSL component and this example, uncomment
+ * #define DEBUF_WOLFSSL in file components/wolfssl/port/user_settings.h
+ */
+/*
+ * NOTE: To turn on TLS 1.3 only mode for wolfSSL component, uncomment
+ * #define WOLFSSL_TLS13 in file ../components/wolfssl/port/user_settings.h
+ */
 
 static void https_get_task(void *pvParameters)
 {
     char buf[512];
     int ret, len;
+    esp_tls_t *tls = NULL;
 
-    while(1) {
+    while (1) {
         esp_tls_cfg_t cfg = {
             .cacert_buf  = server_root_cert_pem_start,
             .cacert_bytes = server_root_cert_pem_end - server_root_cert_pem_start,
         };
-        
-        struct esp_tls *tls = esp_tls_conn_http_new(WEB_URL, &cfg);
-        
-        if(tls != NULL) {
+
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0)
+        tls = esp_tls_init();
+        if (!tls) {
+            ESP_LOGE(TAG, "Failed to allocate esp_tls handle!");
+            goto exit;
+        }
+
+        if (esp_tls_conn_http_new_sync(WEB_URL, &cfg, tls) == 1) {
+            ESP_LOGI(TAG, "Connection established...");
+        } else {
+            ESP_LOGE(TAG, "Connection failed...");
+            goto cleanup;
+        }
+#else // ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0)
+        tls = esp_tls_conn_http_new(WEB_URL, &cfg);
+        if (tls != NULL) {
             ESP_LOGI(TAG, "Connection established...");
         } else {
             ESP_LOGE(TAG, "Connection failed...");
             goto exit;
         }
-        
+#endif //ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(5, 0, 0)
+
         size_t written_bytes = 0;
         do {
-            ret = esp_tls_conn_write(tls, 
-                                     REQUEST + written_bytes, 
+            ret = esp_tls_conn_write(tls,
+                                     REQUEST + written_bytes,
                                      strlen(REQUEST) - written_bytes);
             if (ret >= 0) {
                 ESP_LOGI(TAG, "%d bytes written", ret);
                 written_bytes += ret;
             } else if (ret != ESP_TLS_ERR_SSL_WANT_READ  && ret != ESP_TLS_ERR_SSL_WANT_WRITE) {
                 ESP_LOGE(TAG, "esp_tls_conn_write  returned 0x%x", ret);
-                goto exit;
+                goto cleanup;
             }
-        } while(written_bytes < strlen(REQUEST));
+        } while (written_bytes < strlen(REQUEST));
 
         ESP_LOGI(TAG, "Reading HTTP response...");
 
-        do
-        {
+        do {
             len = sizeof(buf) - 1;
-            bzero(buf, sizeof(buf));
+            memset(buf, 0x00, sizeof(buf));
+
             ret = esp_tls_conn_read(tls, (char *)buf, len);
-            
-            if(ret == ESP_TLS_ERR_SSL_WANT_WRITE  || ret == ESP_TLS_ERR_SSL_WANT_READ)
+            if (ret == ESP_TLS_ERR_SSL_WANT_WRITE  || ret == ESP_TLS_ERR_SSL_WANT_READ) {
                 continue;
-            
-            if(ret < 0)
-           {
+            } else if (ret < 0) {
                 ESP_LOGE(TAG, "esp_tls_conn_read  returned -0x%x", -ret);
                 break;
-            }
-
-            if(ret == 0)
-            {
+            } else if (ret == 0) {
                 ESP_LOGI(TAG, "connection closed");
                 break;
             }
 
             len = ret;
             ESP_LOGD(TAG, "%d bytes read", len);
             /* Print response directly to stdout as it is read */
-            for(int i = 0; i < len; i++) {
+            for (int i = 0; i < len; i++) {
                 putchar(buf[i]);
             }
-        } while(1);
-
-    exit:
-        esp_tls_conn_delete(tls);    
-        putchar('\n'); // JSON output doesn't have a newline at end
+            putchar('\n'); // JSON output doesn't have a newline at end
+        } while (1);
 
-        static int request_count;
+cleanup:
+        esp_tls_conn_destroy(tls);
+exit:;
+        static int request_count = 0;
         ESP_LOGI(TAG, "Completed %d requests", ++request_count);
 
-        for(int countdown = 10; countdown >= 0; countdown--) {
+        for (int countdown = 10; countdown >= 0; countdown--) {
             ESP_LOGI(TAG, "%d...", countdown);
             vTaskDelay(1000 / portTICK_PERIOD_MS);
         }
@@ -150,7 +167,7 @@ static void https_get_task(void *pvParameters)
 
 void app_main(void)
 {
-    ESP_ERROR_CHECK( nvs_flash_init() );
+    ESP_ERROR_CHECK(nvs_flash_init());
     ESP_ERROR_CHECK(esp_netif_init());
     ESP_ERROR_CHECK(esp_event_loop_create_default());
 

examples/https_request/main/server_root_cert.pem

@@ -1,26 +1,24 @@
 -----BEGIN CERTIFICATE-----
-MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
-MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
-DkRTVCBSb290IENBIFgzMB4XDTIwMTAwNzE5MjE0MFoXDTIxMDkyOTE5MjE0MFow
-MjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxCzAJBgNVBAMT
-AlIzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuwIVKMz2oJTTDxLs
-jVWSw/iC8ZmmekKIp10mqrUrucVMsa+Oa/l1yKPXD0eUFFU1V4yeqKI5GfWCPEKp
-Tm71O8Mu243AsFzzWTjn7c9p8FoLG77AlCQlh/o3cbMT5xys4Zvv2+Q7RVJFlqnB
-U840yFLuta7tj95gcOKlVKu2bQ6XpUA0ayvTvGbrZjR8+muLj1cpmfgwF126cm/7
-gcWt0oZYPRfH5wm78Sv3htzB2nFd1EbjzK0lwYi8YGd1ZrPxGPeiXOZT/zqItkel
-/xMY6pgJdz+dU/nPAeX1pnAXFK9jpP+Zs5Od3FOnBv5IhR2haa4ldbsTzFID9e1R
-oYvbFQIDAQABo4IBaDCCAWQwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-BAMCAYYwSwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5p
-ZGVudHJ1c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTE
-p7Gkeyxx+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEE
-AYLfEwEBATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2Vu
-Y3J5cHQub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0
-LmNvbS9EU1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYf
-r52LFMLGMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0B
-AQsFAAOCAQEA2UzgyfWEiDcx27sT4rP8i2tiEmxYt0l+PAK3qB8oYevO4C5z70kH
-ejWEHx2taPDY/laBL21/WKZuNTYQHHPD5b1tXgHXbnL7KqC401dk5VvCadTQsvd8
-S8MXjohyc9z9/G2948kLjmE6Flh9dDYrVYA9x2O+hEPGOaEOa1eePynBgPayvUfL
-qjBstzLhWVQLGAkXXmNs+5ZnPBxzDJOLxhF2JIbeQAcH5H0tZrUlo5ZYyOqA7s9p
-O5b85o3AM/OJ+CktFBQtfvBhcJVd9wvlwPsk+uyOy2HI7mNxKKgsBTt375teA2Tw
-UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
+MIIEFzCCAv+gAwIBAgIQB/LzXIeod6967+lHmTUlvTANBgkqhkiG9w0BAQwFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0yMTA0MTQwMDAwMDBaFw0zMTA0MTMyMzU5NTlaMFYxCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxMDAuBgNVBAMTJ0RpZ2lDZXJ0IFRMUyBI
+eWJyaWQgRUNDIFNIQTM4NCAyMDIwIENBMTB2MBAGByqGSM49AgEGBSuBBAAiA2IA
+BMEbxppbmNmkKaDp1AS12+umsmxVwP/tmMZJLwYnUcu/cMEFesOxnYeJuq20ExfJ
+qLSDyLiQ0cx0NTY8g3KwtdD3ImnI8YDEe0CPz2iHJlw5ifFNkU3aiYvkA8ND5b8v
+c6OCAYIwggF+MBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFAq8CCkXjKU5
+bXoOzjPHLrPt+8N6MB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA4G
+A1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwdgYI
+KwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5j
+b20wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdp
+Q2VydEdsb2JhbFJvb3RDQS5jcnQwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2Ny
+bDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0R2xvYmFsUm9vdENBLmNybDA9BgNVHSAE
+NjA0MAsGCWCGSAGG/WwCATAHBgVngQwBATAIBgZngQwBAgEwCAYGZ4EMAQICMAgG
+BmeBDAECAzANBgkqhkiG9w0BAQwFAAOCAQEAR1mBf9QbH7Bx9phdGLqYR5iwfnYr
+6v8ai6wms0KNMeZK6BnQ79oU59cUkqGS8qcuLa/7Hfb7U7CKP/zYFgrpsC62pQsY
+kDUmotr2qLcy/JUjS8ZFucTP5Hzu5sn4kL1y45nDHQsFfGqXbbKrAjbYwrwsAZI/
+BKOLdRHHuSm8EdCGupK8JvllyDfNJvaGEwwEqonleLHBTnm8dqMLUeTF0J5q/hos
+Vq4GNiejcxwIfZMy0MJEGdqN9A57HSgDKwmKdsp33Id6rHtSJlWncg+d0ohP/rEh
+xRqhqjn1VtvChMQ1H3Dau0bwhr9kAMQ+959GG50jBbl9s08PqUU643QwmA==
 -----END CERTIFICATE-----

examples/wolfssl_client/main/Kconfig.projbuild

@@ -1,9 +1,9 @@
-menu "wolfSSL_client_demo"
+menu "Example Configuration"
 
-    config CERT_AUTH
-        bool      "Enable_cert_authentication"
+    config EXAMPLE_SERVER_CERT_VERIFY
+        bool      "Enable Server Certificate Verification"
         default   y
         help
-	          Enabling this flags authenticates the server certificate while establishing a tls connection
+	          Enabling this option validates the server certificate while establishing a TLS connection.
 
-endmenu # wolfSSL_client_demo
+endmenu # Example Configuration