diff --git a/components/mbedtls_cxx/examples/test_certs/CMakeLists.txt b/components/mbedtls_cxx/examples/test_certs/CMakeLists.txt
new file mode 100644
index 00000000000..5f59a08249b
--- /dev/null
+++ b/components/mbedtls_cxx/examples/test_certs/CMakeLists.txt
@@ -0,0 +1,8 @@
+idf_component_register(
+ EMBED_TXTFILES srv.crt
+ EMBED_TXTFILES srv.key
+ EMBED_TXTFILES ca.crt
+ EMBED_TXTFILES client.crt
+ EMBED_TXTFILES client.key
+ INCLUDE_DIRS "."
+ REQUIRES mbedtls_cxx)
diff --git a/components/mbedtls_cxx/examples/test_certs/idf_component.yml b/components/mbedtls_cxx/examples/test_certs/idf_component.yml
new file mode 100644
index 00000000000..8b11c97cb52
--- /dev/null
+++ b/components/mbedtls_cxx/examples/test_certs/idf_component.yml
@@ -0,0 +1,4 @@
+dependencies:
+ espressif/mbedtls_cxx:
+ version: "*"
+ override_path: "../.."
diff --git a/components/mbedtls_cxx/examples/udp_mutual_auth/README.md b/components/mbedtls_cxx/examples/udp_mutual_auth/README.md
new file mode 100644
index 00000000000..4347e0c1cf5
--- /dev/null
+++ b/components/mbedtls_cxx/examples/udp_mutual_auth/README.md
@@ -0,0 +1,4 @@
+# UDP Mutual authentication example
+
+This example uses `mbedtls_cxx` to perform a DTLS handshake and exchange a message between server and client.
+The example uses UDP sockets on `'localhost'` interface, so no actual connection is needed, it could be run on linux target as well as on ESP32.
diff --git a/components/mbedtls_cxx/examples/udp_mutual_auth/main/CMakeLists.txt b/components/mbedtls_cxx/examples/udp_mutual_auth/main/CMakeLists.txt
index 62b9d868f3d..4ff54fa1686 100644
--- a/components/mbedtls_cxx/examples/udp_mutual_auth/main/CMakeLists.txt
+++ b/components/mbedtls_cxx/examples/udp_mutual_auth/main/CMakeLists.txt
@@ -1,4 +1,2 @@
 idf_component_register(SRCS "udp_mutual.cpp"
- EMBED_TXTFILES ../../test_certs/srv.crt
- EMBED_TXTFILES ../../test_certs/srv.key
 INCLUDE_DIRS ".")
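Review bot: The new test_certs component embeds two private keys (`srv.key`, `client.key`) into the firmware image next to the certificates, and nothing in the file states that these are throwaway credentials; a header line such as `# Test-only PKI: the embedded private keys ship with the example and must never be reused outside it` makes that explicit for anyone who copies this CMakeLists into a real project. The certificate and key files themselves, and the `test_certs.hpp` header that udp_mutual.cpp includes through `INCLUDE_DIRS "."`, are not visible in this chunk, so I assume they are part of the same change.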
diff --git a/components/mbedtls_cxx/examples/udp_mutual_auth/main/idf_component.yml b/components/mbedtls_cxx/examples/udp_mutual_auth/main/idf_component.yml index caa4a93dbce..6077bbd24b4 100644 --- a/components/mbedtls_cxx/examples/udp_mutual_auth/main/idf_component.yml +++ b/components/mbedtls_cxx/examples/udp_mutual_auth/main/idf_component.yml @@ -3,3 +3,6 @@ dependencies: espressif/mbedtls_cxx: version: "*" override_path: "../../.." + test_certs: + version: "*" + path: "../../test_certs" diff --git a/components/mbedtls_cxx/examples/udp_mutual_auth/main/udp_mutual.cpp b/components/mbedtls_cxx/examples/udp_mutual_auth/main/udp_mutual.cpp index ad2bdf0d250..c71e6b0b4a4 100644 --- a/components/mbedtls_cxx/examples/udp_mutual_auth/main/udp_mutual.cpp +++ b/components/mbedtls_cxx/examples/udp_mutual_auth/main/udp_mutual.cpp @@ -7,22 +7,16 @@ #include #include #include -#include #include "esp_log.h" #include "mbedtls_wrap.hpp" +#include "test_certs.hpp" namespace { constexpr auto *TAG = "udp_example"; - -using pem_format = const unsigned char; -extern pem_format servercert_start[] asm("_binary_srv_crt_start"); -extern pem_format servercert_end[] asm("_binary_srv_crt_end"); -extern pem_format serverkey_start[] asm("_binary_srv_key_start"); -extern pem_format serverkey_end[] asm("_binary_srv_key_end"); - } using namespace idf::mbedtls_cxx; +using namespace test_certs; class SecureLink: public Tls { public: @@ -86,7 +80,7 @@ class SecureLink: public Tls { const unsigned char client_id[] = "localhost"; config.client_id = std::make_pair(client_id, sizeof(client_id)); } - if (!init(is_server{server_not_client}, do_verify{false}, &config)) { + if (!init(is_server{server_not_client}, do_verify{true}, &config)) { return false; } 
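Review bot: `using namespace test_certs;` at file scope, right after `using namespace idf::mbedtls_cxx;`, brings an unqualified enum named `type` (used later in the file as `type::clientcert` and friends) plus `get_buf` and `get_server_cn` into the global scope, and a name as generic as `type` is an easy collision with either namespace or with a future include. The narrower `using test_certs::get_buf; using test_certs::get_server_cn;` with the enum spelled `test_certs::type::clientcert` at the call sites, or a single alias `namespace tc = test_certs;`, keeps the lookup unambiguous. The contents of test_certs.hpp are outside this diff, so the declared names are inferred from their use in udp_mutual.cpp.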
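Review bot: `do_verify{true}` is now passed on both the server and the client path of this method (the flag does not depend on `server_not_client`), but nothing in the hunk records what the server does with a peer that presents no certificate — for this to be mutual authentication a missing or untrusted client certificate must fail the handshake rather than produce a warning, and whether `do_verify{true}` selects a required rather than optional verification mode is decided inside `Tls::init`, outside this hunk. A comment on the call, `// do_verify{true}: each side must present a cert chaining to ca.crt; a missing client cert must fail the handshake, not just log`, states the intended contract where a reader will look for it. The enclosing method begins and ends outside the hunk.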
@@ -141,6 +135,15 @@ void tls_client()
 const unsigned char message[] = "Hello\n";
 unsigned char reply[128];
 SecureLink client;
+ client.set_hostname(get_server_cn());
+ if (!client.set_own_cert(get_buf(type::clientcert), get_buf(type::clientkey))) {
+ ESP_LOGE(TAG, "Failed to set own cert");
+ return;
+ }
+ if (!client.set_ca_cert(get_buf(type::cacert))) {
+ ESP_LOGE(TAG, "Failed to set peer's cert");
+ return;
+ }
 if (!client.open(false)) {
 ESP_LOGE(TAG, "Failed to CONNECT! %d", errno);
 return;
@@ -162,12 +165,14 @@ void tls_server()
 {
 unsigned char message[128];
 SecureLink server;
- const_buf cert{servercert_start, servercert_end - servercert_start};
- const_buf key{serverkey_start, serverkey_end - serverkey_start};
- if (!server.set_own_cert(cert, key)) {
+ if (!server.set_own_cert(get_buf(type::servercert), get_buf(type::serverkey))) {
 ESP_LOGE(TAG, "Failed to set own cert");
 return;
 }
+ if (!server.set_ca_cert(get_buf(type::cacert))) {
+ ESP_LOGE(TAG, "Failed to set peer's cert");
+ return;
+ }
 ESP_LOGI(TAG, "opening...");
 if (!server.open(true)) {
 ESP_LOGE(TAG, "Failed to OPEN! %d", errno);
diff --git a/components/mbedtls_cxx/examples/udp_mutual_auth/sdkconfig.defaults b/components/mbedtls_cxx/examples/udp_mutual_auth/sdkconfig.defaults
new file mode 100644
index 00000000000..f4780e83943
--- /dev/null
+++ b/components/mbedtls_cxx/examples/udp_mutual_auth/sdkconfig.defaults
@@ -0,0 +1,2 @@
+CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
+CONFIG_PTHREAD_TASK_STACK_SIZE_DEFAULT=8192
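Review bot: The log message on the `set_ca_cert` failure path, `"Failed to set peer's cert"`, names the wrong object — the call installs the CA certificate used to verify the peer, not the peer's own certificate — and the same text is repeated in the tls_server hunk below; `ESP_LOGE(TAG, "Failed to set CA cert");` in both places removes the confusion. The result of `client.set_hostname(get_server_cn())` is also discarded, unlike the two calls that follow it; if set_hostname can fail (its signature is not in this diff), the client would continue into `open(false)` without a hostname to match against the server certificate, so it deserves the same check-and-return treatment. tls_client continues outside the hunk.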