fix(tls_cxx): Added a CI test

espressif · Mar 15, 2024 · d1a4355 · d1a4355
1 parent 790e39b
commit d1a4355
Show file tree

Hide file tree

Showing 13 changed files with 130 additions and 31 deletions.
diff --git a/.github/workflows/tls_cxx__build.yml b/.github/workflows/tls_cxx__build.yml
@@ -0,0 +1,30 @@
+name: "mbedtls-cxx: build-tests"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+
+jobs:
+  build_tls_cxx:
+    if: contains(github.event.pull_request.labels.*.name, 'tls_cxx') || github.event_name == 'push'
+    name: Build
+    strategy:
+      matrix:
+        idf_ver: ["latest", "release-v5.2", "release-v5.1"]
+        test: [ { app: client, path: "examples/tls_client" }, { app: udp, path: "examples/udp_mutual_auth" }, { app: test, path: "tests/uart_mutual_auth" } ]
+    runs-on: ubuntu-20.04
+    container: espressif/idf:${{ matrix.idf_ver }}
+    steps:
+      - name: Checkout esp-protocols
+        uses: actions/checkout@v3
+        with:
+          submodules: recursive
+      - name: Build ${{ matrix.test.app }} with IDF-${{ matrix.idf_ver }}
+        shell: bash
+        run: |
+          ${IDF_PATH}/install.sh --enable-pytest
+          . ${IDF_PATH}/export.sh
+          python ./ci/build_apps.py ./components/mbedtls_cxx/${{ matrix.test.path }} -vv --preserve-all
diff --git a/README.md b/README.md
@@ -53,3 +53,7 @@ Please refer to instructions in [ESP-IDF](https://github.com/espressif/esp-idf)
 ### ESP PPP Link (eppp)
 
 * Brief introduction [README](components/eppp_link/README.md)
+
+### mbedtls_cxx
+
+* Brief introduction [README](components/mbedtls_cxx/README.md)
diff --git a/components/mbedtls_cxx/README.md b/components/mbedtls_cxx/README.md
@@ -0,0 +1,3 @@
+# mbedtls_cxx
+
+This is a simplified C++ wrapper of mbedTLS for performing TLS and DTLS handshake a communication. This component allows for overriding low level IO functions (`send()` and `recv()`) and thus supporting TLS over various physical channels.
diff --git a/components/mbedtls_cxx/examples/test_certs/test_certs.hpp b/components/mbedtls_cxx/examples/test_certs/test_certs.hpp
@@ -0,0 +1,51 @@
+/*
+ * SPDX-FileCopyrightText: 2024 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+#pragma once
+
+#include "mbedtls_wrap.hpp"
+
+namespace test_certs {
+using pem_format = const unsigned char;
+extern pem_format cacert_start[] asm("_binary_ca_crt_start");
+extern pem_format cacert_end[] asm("_binary_ca_crt_end");
+extern pem_format clientcert_start[] asm("_binary_client_crt_start");
+extern pem_format clientcert_end[] asm("_binary_client_crt_end");
+extern pem_format clientkey_start[] asm("_binary_client_key_start");
+extern pem_format clientkey_end[] asm("_binary_client_key_end");
+extern pem_format servercert_start[] asm("_binary_srv_crt_start");
+extern pem_format servercert_end[] asm("_binary_srv_crt_end");
+extern pem_format serverkey_start[] asm("_binary_srv_key_start");
+extern pem_format serverkey_end[] asm("_binary_srv_key_end");
+
+enum class type {
+    cacert,
+    servercert,
+    serverkey,
+    clientcert,
+    clientkey
+};
+
+#define IF_BUF_TYPE(buf_type)  \
+    if (t == type::buf_type) { \
+        return idf::mbedtls_cxx::const_buf{buf_type ## _start, buf_type ## _end - buf_type ## _start}; \
+    }
+
+static inline idf::mbedtls_cxx::const_buf get_buf(type t)
+{
+    IF_BUF_TYPE(cacert);
+    IF_BUF_TYPE(servercert);
+    IF_BUF_TYPE(serverkey);
+    IF_BUF_TYPE(clientcert);
+    IF_BUF_TYPE(clientkey);
+    return idf::mbedtls_cxx::const_buf{};
+}
+
+static inline const char *get_server_cn()
+{
+    return "espressif.local";
+}
+
+}
diff --git a/components/mbedtls_cxx/examples/uart_mutual_auth/main/CMakeLists.txt b/components/mbedtls_cxx/examples/uart_mutual_auth/main/CMakeLists.txt
diff --git a/.../examples/uart_mutual_auth/CMakeLists.txt → ...cxx/tests/uart_mutual_auth/CMakeLists.txt b/.../examples/uart_mutual_auth/CMakeLists.txt → ...cxx/tests/uart_mutual_auth/CMakeLists.txt
diff --git a/components/mbedtls_cxx/tests/uart_mutual_auth/main/CMakeLists.txt b/components/mbedtls_cxx/tests/uart_mutual_auth/main/CMakeLists.txt
@@ -0,0 +1,2 @@
+idf_component_register(SRCS "uart_mutual.cpp"
+                    INCLUDE_DIRS ".")
diff --git a/components/mbedtls_cxx/tests/uart_mutual_auth/main/Kconfig.projbuild b/components/mbedtls_cxx/tests/uart_mutual_auth/main/Kconfig.projbuild
@@ -0,0 +1,19 @@
+menu "Test Configuration"
+
+    choice TEST_CONNECTION_METHOD
+        prompt "Choose connection method"
+        default TEST_TLS
+        help
+            Select type of connection. Either TLS or DTLS
+
+        config TEST_TLS
+            bool "TLS"
+            help
+                Use TLS method.
+        config TEST_DTLS
+            bool "DTLS"
+            help
+                Use DTLS method.
+    endchoice # TEST_CONNECTION_METHOD
+
+endmenu
diff --git a/...s/uart_mutual_auth/main/idf_component.yml → ...s/uart_mutual_auth/main/idf_component.yml b/...s/uart_mutual_auth/main/idf_component.yml → ...s/uart_mutual_auth/main/idf_component.yml
@@ -3,3 +3,6 @@ dependencies:
   espressif/mbedtls_cxx:
     version: "*"
     override_path: "../../.."
+  test_certs:
+    version: "*"
+    path: "../../../examples/test_certs"
diff --git a/...les/uart_mutual_auth/main/uart_mutual.cpp → ...sts/uart_mutual_auth/main/uart_mutual.cpp b/...les/uart_mutual_auth/main/uart_mutual.cpp → ...sts/uart_mutual_auth/main/uart_mutual.cpp
@@ -12,24 +12,11 @@
 #include "driver/uart.h"
 #include "esp_event.h"
 #include "esp_netif.h"
+#include "test_certs.hpp"
 
 namespace {
-
 constexpr auto *TAG = "uart_mutual_tls";
 
-using pem_format = const unsigned char;
-
-extern pem_format cacert_start[] asm("_binary_ca_crt_start");
-extern pem_format cacert_end[] asm("_binary_ca_crt_end");
-extern pem_format clientcert_start[] asm("_binary_client_crt_start");
-extern pem_format clientcert_end[] asm("_binary_client_crt_end");
-extern pem_format clientkey_start[] asm("_binary_client_key_start");
-extern pem_format clientkey_end[] asm("_binary_client_key_end");
-extern pem_format servercert_start[] asm("_binary_srv_crt_start");
-extern pem_format servercert_end[] asm("_binary_srv_crt_end");
-extern pem_format serverkey_start[] asm("_binary_srv_key_start");
-extern pem_format serverkey_end[] asm("_binary_srv_key_end");
-
 /**
  * Using DTLS the below is set to true.
  * In that case, we need to receive the entire datagram, not a fragment
@@ -40,10 +27,15 @@ extern pem_format serverkey_end[] asm("_binary_srv_key_end");
  * If `use_dgrams` is set to false, we perform TLS on UART stream.
  * The UART driver is already a stream-like API (using ringbufer), so we simple read and write to UART
  */
+#if CONFIG_TEST_TLS
 const bool use_dgrams = false;
+#elif CONFIG_TEST_DTLS
+const bool use_dgrams = true;
+#endif
 }
 
 using namespace idf::mbedtls_cxx;
+using namespace test_certs;
 
 class SecureLink: public Tls {
 public:
@@ -214,14 +206,12 @@ void tls_client()
     const unsigned char message[] = "Hello\n";
     unsigned char reply[128];
     SecureLink client(UART_NUM_2, 4, 5);
-    const_buf cert{clientcert_start, clientcert_end - clientcert_start};
-    const_buf key{clientkey_start, clientkey_end - clientkey_start};
-    if (!client.set_own_cert(cert, key)) {
+    client.set_hostname(get_server_cn());
+    if (!client.set_own_cert(get_buf(type::clientcert), get_buf(type::clientkey))) {
         ESP_LOGE(TAG, "Failed to set own cert");
         return;
     }
-    const_buf ca{cacert_start, cacert_end - cacert_start};
-    if (!client.set_ca_cert(ca)) {
+    if (!client.set_ca_cert(get_buf(type::cacert))) {
         ESP_LOGE(TAG, "Failed to set peer's cert");
         return;
     }
@@ -250,14 +240,11 @@ void tls_server()
 {
     unsigned char message[128];
     SecureLink server(UART_NUM_1, 25, 26);
-    const_buf cert{servercert_start, servercert_end - servercert_start};
-    const_buf key{serverkey_start, serverkey_end - serverkey_start};
-    if (!server.set_own_cert(cert, key)) {
+    if (!server.set_own_cert(get_buf(type::servercert), get_buf(type::serverkey))) {
         ESP_LOGE(TAG, "Failed to set own cert");
         return;
     }
-    const_buf ca{cacert_start, cacert_end - cacert_start};
-    if (!server.set_ca_cert(ca)) {
+    if (!server.set_ca_cert(get_buf(type::cacert))) {
         ESP_LOGE(TAG, "Failed to set peer's cert");
         return;
     }

diff --git a/components/mbedtls_cxx/tests/uart_mutual_auth/sdkconfig.ci.dtls b/components/mbedtls_cxx/tests/uart_mutual_auth/sdkconfig.ci.dtls
@@ -0,0 +1,3 @@
+CONFIG_TEST_DTLS=y
+CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
+CONFIG_PTHREAD_TASK_STACK_SIZE_DEFAULT=8192
diff --git a/...mples/uart_mutual_auth/sdkconfig.defaults → ...x/tests/uart_mutual_auth/sdkconfig.ci.tls b/...mples/uart_mutual_auth/sdkconfig.defaults → ...x/tests/uart_mutual_auth/sdkconfig.ci.tls
@@ -1,2 +1,3 @@
+CONFIG_TEST_TLS=y
 CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
 CONFIG_PTHREAD_TASK_STACK_SIZE_DEFAULT=8192
diff --git a/components/mbedtls_cxx/tests/uart_mutual_auth/sdkconfig.defaults b/components/mbedtls_cxx/tests/uart_mutual_auth/sdkconfig.defaults
@@ -0,0 +1,3 @@
+CONFIG_IDF_TARGET="esp32"
+CONFIG_MBEDTLS_SSL_PROTO_DTLS=y
+CONFIG_PTHREAD_TASK_STACK_SIZE_DEFAULT=8192
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		# mbedtls_cxx

		This is a simplified C++ wrapper of mbedTLS for performing TLS and DTLS handshake a communication. This component allows for overriding low level IO functions (`send()` and `recv()`) and thus supporting TLS over various physical channels.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		idf_component_register(SRCS "uart_mutual.cpp"
		INCLUDE_DIRS ".")