From ca8ac5f919d02bea07b474531981ddbfd64de97c Mon Sep 17 00:00:00 2001 From: Bob Date: Thu, 17 Oct 2019 09:08:59 +0200 Subject: [PATCH 1/7] Fix LoadProhibited (#73) --- src/AsyncTCP.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/AsyncTCP.cpp b/src/AsyncTCP.cpp index df1560d1..89ff6ee3 100644 --- a/src/AsyncTCP.cpp +++ b/src/AsyncTCP.cpp @@ -152,7 +152,10 @@ static bool _remove_events_with_arg(void * arg){ } static void _handle_async_event(lwip_event_packet_t * e){ - if(e->event == LWIP_TCP_CLEAR){ + if(e->arg == NULL){ + // do nothing when arg is NULL + //ets_printf("event arg == NULL: 0x%08x\n", e->recv.pcb); + } else if(e->event == LWIP_TCP_CLEAR){ _remove_events_with_arg(e->arg); } else if(e->event == LWIP_TCP_RECV){ //ets_printf("-R: 0x%08x\n", e->recv.pcb); From bd78ceb0917ecc15fbc2704552f3440addc15aad Mon Sep 17 00:00:00 2001 From: Robert Alfaro Date: Mon, 20 Jan 2020 23:45:19 -0800 Subject: [PATCH 2/7] Use sizeof instead of strlen for const char[] --- src/tcp_mbedtls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/tcp_mbedtls.c b/src/tcp_mbedtls.c index a0ec5266..262bcc26 100644 --- a/src/tcp_mbedtls.c +++ b/src/tcp_mbedtls.c @@ -231,7 +231,7 @@ int tcp_ssl_new_client(struct tcp_pcb *tcp, void *arg, const char* hostname, con mbedtls_ssl_config_init(&tcp_ssl->ssl_conf); mbedtls_ctr_drbg_seed(&tcp_ssl->drbg_ctx, mbedtls_entropy_func, - &tcp_ssl->entropy_ctx, (const unsigned char*)pers, strlen(pers)); + &tcp_ssl->entropy_ctx, (const unsigned char*)pers, sizeof(pers)); if(mbedtls_ssl_config_defaults(&tcp_ssl->ssl_conf, MBEDTLS_SSL_IS_CLIENT, @@ -309,7 +309,7 @@ int tcp_ssl_new_psk_client(struct tcp_pcb *tcp, void *arg, const char* psk_ident mbedtls_ssl_config_init(&tcp_ssl->ssl_conf); mbedtls_ctr_drbg_seed(&tcp_ssl->drbg_ctx, mbedtls_entropy_func, - &tcp_ssl->entropy_ctx, (const uint8_t*)pers, strlen(pers)); + &tcp_ssl->entropy_ctx, (const uint8_t*)pers, sizeof(pers)); if(mbedtls_ssl_config_defaults(&tcp_ssl->ssl_conf, MBEDTLS_SSL_IS_CLIENT, From 410291c3ba82bf51cd74f57a043c7fcbd225b116 Mon Sep 17 00:00:00 2001 From: Robert Alfaro Date: Tue, 21 Jan 2020 00:01:29 -0800 Subject: [PATCH 3/7] Add Kconfig option to control ASYNC_TCP_SSL_ENABLED --- CMakeLists.txt | 4 ++++ Kconfig.projbuild | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/CMakeLists.txt b/CMakeLists.txt index f52e1c93..c7ad8b7a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -13,3 +13,7 @@ set(COMPONENT_REQUIRES register_component() target_compile_options(${COMPONENT_TARGET} PRIVATE -fno-rtti) + +if(CONFIG_ASYNC_TCP_SSL_ENABLED) + target_compile_options(${COMPONENT_TARGET} PRIVATE -DASYNC_TCP_SSL_ENABLED) +endif() diff --git a/Kconfig.projbuild b/Kconfig.projbuild index 17749264..ab9ac57f 100644 --- a/Kconfig.projbuild +++ b/Kconfig.projbuild @@ -27,4 +27,10 @@ config ASYNC_TCP_USE_WDT help Enable WDT for the AsyncTCP task, so it will trigger if a handler is locking the thread. +config ASYNC_TCP_SSL_ENABLED + bool "Enable SSL for AsyncTCP client" + default "n" + help + Enables mbedTLS support for AsyncTCP clients. + endmenu From 43b9fc9134a20157f976a774b0ef49d1ec63e9d0 Mon Sep 17 00:00:00 2001 From: Robert Alfaro Date: Tue, 21 Jan 2020 01:44:44 -0800 Subject: [PATCH 4/7] Optionally include ssl header files --- src/AsyncTCP.cpp | 3 +++ src/AsyncTCP.h | 2 ++ 2 files changed, 5 insertions(+) diff --git a/src/AsyncTCP.cpp b/src/AsyncTCP.cpp index efb2e0a0..d5c03ca9 100644 --- a/src/AsyncTCP.cpp +++ b/src/AsyncTCP.cpp @@ -28,6 +28,9 @@ extern "C"{ #include "lwip/inet.h" #include "lwip/dns.h" #include "lwip/err.h" +#if ASYNC_TCP_SSL_ENABLED +#include "tcp_mbedtls.h" +#endif } #include "esp_task_wdt.h" diff --git a/src/AsyncTCP.h b/src/AsyncTCP.h index d2e4f4ee..8992279b 100644 --- a/src/AsyncTCP.h +++ b/src/AsyncTCP.h @@ -26,8 +26,10 @@ #include "sdkconfig.h" #include #include +#if ASYNC_TCP_SSL_ENABLED #include #include "tcp_mbedtls.h" +#endif extern "C" { #include "freertos/semphr.h" #include "lwip/pbuf.h" From bd1058b30fa2e13f6c77476cb2a640ee78937a31 Mon Sep 17 00:00:00 2001 From: Robert Alfaro Date: Tue, 21 Jan 2020 10:51:59 -0800 Subject: [PATCH 5/7] Add null check for psk_ident and pskey --- src/tcp_mbedtls.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/tcp_mbedtls.c b/src/tcp_mbedtls.c index 262bcc26..a0225e92 100644 --- a/src/tcp_mbedtls.c +++ b/src/tcp_mbedtls.c @@ -325,6 +325,11 @@ int tcp_ssl_new_psk_client(struct tcp_pcb *tcp, void *arg, const char* psk_ident int ret = 0; + if (pskey == NULL || psk_ident == NULL) { + TCP_SSL_DEBUG(" failed\n ! pre-shared key or identity is NULL\n\n"); + return -1; + } + TCP_SSL_DEBUG("setting the pre-shared key.\n"); // convert PSK from hex string to binary if ((strlen(pskey) & 1) != 0 || strlen(pskey) > 2*MBEDTLS_PSK_MAX_LEN) { From eb6630f1feebdb2e7c22dfaada9f1fb64a0cbc18 Mon Sep 17 00:00:00 2001 From: Robert Alfaro Date: Tue, 21 Jan 2020 13:06:34 -0800 Subject: [PATCH 6/7] Do not default to PSK when root_ca is not explcitly set. tcp_ssl_new_client() has a case to handle this. --- src/AsyncTCP.cpp | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/AsyncTCP.cpp b/src/AsyncTCP.cpp index d5c03ca9..45b7472d 100644 --- a/src/AsyncTCP.cpp +++ b/src/AsyncTCP.cpp @@ -977,11 +977,12 @@ int8_t AsyncClient::_connected(void* pcb, int8_t err){ #if ASYNC_TCP_SSL_ENABLED if(_pcb_secure){ bool err = false; - if(_root_ca) { + if (_psk_ident != NULL and _psk != NULL) { + err = tcp_ssl_new_psk_client(_pcb, this, _psk_ident, _psk) < 0; + } + else { err = tcp_ssl_new_client(_pcb, this, _hostname.empty() ? NULL : _hostname.c_str(), _root_ca, _root_ca_len) < 0; - } else { - err = tcp_ssl_new_psk_client(_pcb, this, _psk_ident, _psk) < 0; } if (err) { log_e("closing...."); From 5970648151f69d2d77cc50660d63526442a860c7 Mon Sep 17 00:00:00 2001 From: Robert Alfaro Date: Tue, 21 Jan 2020 15:52:40 -0800 Subject: [PATCH 7/7] Move psk null checks to top of function, remove unneeded include, syntax cleanup. --- src/AsyncTCP.cpp | 6 +----- src/tcp_mbedtls.c | 10 +++++----- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/src/AsyncTCP.cpp b/src/AsyncTCP.cpp index 45b7472d..abd5afd9 100644 --- a/src/AsyncTCP.cpp +++ b/src/AsyncTCP.cpp @@ -28,9 +28,6 @@ extern "C"{ #include "lwip/inet.h" #include "lwip/dns.h" #include "lwip/err.h" -#if ASYNC_TCP_SSL_ENABLED -#include "tcp_mbedtls.h" -#endif } #include "esp_task_wdt.h" @@ -979,8 +976,7 @@ int8_t AsyncClient::_connected(void* pcb, int8_t err){ bool err = false; if (_psk_ident != NULL and _psk != NULL) { err = tcp_ssl_new_psk_client(_pcb, this, _psk_ident, _psk) < 0; - } - else { + } else { err = tcp_ssl_new_client(_pcb, this, _hostname.empty() ? NULL : _hostname.c_str(), _root_ca, _root_ca_len) < 0; } diff --git a/src/tcp_mbedtls.c b/src/tcp_mbedtls.c index a0225e92..8288b8d8 100644 --- a/src/tcp_mbedtls.c +++ b/src/tcp_mbedtls.c @@ -297,6 +297,11 @@ int tcp_ssl_new_client(struct tcp_pcb *tcp, void *arg, const char* hostname, con int tcp_ssl_new_psk_client(struct tcp_pcb *tcp, void *arg, const char* psk_ident, const char* pskey) { tcp_ssl_t* tcp_ssl; + if (pskey == NULL || psk_ident == NULL) { + TCP_SSL_DEBUG(" failed\n ! pre-shared key or identity is NULL\n\n"); + return -1; + } + if(tcp == NULL) return -1; if(tcp_ssl_get(tcp) != NULL) return -1; @@ -325,11 +330,6 @@ int tcp_ssl_new_psk_client(struct tcp_pcb *tcp, void *arg, const char* psk_ident int ret = 0; - if (pskey == NULL || psk_ident == NULL) { - TCP_SSL_DEBUG(" failed\n ! pre-shared key or identity is NULL\n\n"); - return -1; - } - TCP_SSL_DEBUG("setting the pre-shared key.\n"); // convert PSK from hex string to binary if ((strlen(pskey) & 1) != 0 || strlen(pskey) > 2*MBEDTLS_PSK_MAX_LEN) {