change from openssl to esp_tls

Author: JasenKolev

src/ConnectionContext.hpp

@@ -5,9 +5,9 @@
 #include <IPAddress.h>
 
 // Required for SSL
-#include "openssl/ssl.h"
-#undef read
-
+//#include "openssl/ssl.h"
+//#undef read
+#include <esp_tls.h>
 namespace httpsserver {
 
 class WebsocketHandler;

src/HTTPResponse.hpp

@@ -9,7 +9,8 @@
 #undef write
 #include <vector>
 
-#include <openssl/ssl.h>
+//#include <openssl/ssl.h>
+#include <esp_tls.h>
 
 #include "util.hpp"
 

src/HTTPSConnection.cpp

@@ -22,33 +22,36 @@ bool HTTPSConnection::isSecure() {
  *
  * The call WILL BLOCK if accept(serverSocketID) blocks. So use select() to check for that in advance.
  */
-int HTTPSConnection::initialize(int serverSocketID, SSL_CTX * sslCtx, HTTPHeaders *defaultHeaders) {
+int HTTPSConnection::initialize(int serverSocketID, esp_tls_t * sslCtx, esp_tls_cfg_server_t * cfgSrv, HTTPHeaders *defaultHeaders) {
   if (_connectionState == STATE_UNDEFINED) {
     // Let the base class connect the plain tcp socket
     int resSocket = HTTPConnection::initialize(serverSocketID, defaultHeaders);
-
+    
     // Build up SSL Connection context if the socket has been created successfully
     if (resSocket >= 0) {
-
-      _ssl = SSL_new(sslCtx);
-
-      if (_ssl) {
+//      _ssl = SSL_new(sslCtx);
+      int res=esp_tls_server_session_create(cfgSrv,resSocket,sslCtx);
+      if (0==res) {
+        esp_tls_cfg_server_session_tickets_init(cfgSrv);
+        _ssl = sslCtx;
+        _cfg = cfgSrv;
+        
         // Bind SSL to the socket
-        int success = SSL_set_fd(_ssl, resSocket);
-        if (success) {
-
-          // Perform the handshake
-          success = SSL_accept(_ssl);
-          if (success) {
+        // int success = SSL_set_fd(_ssl, resSocket);
+        if (ESP_OK == esp_tls_get_conn_sockfd(sslCtx,&resSocket)) {
+          
+        //   // Perform the handshake
+        //   success = SSL_accept(_ssl);
+        //   if (success) {
             return resSocket;
-          } else {
-            HTTPS_LOGE("SSL_accept failed. Aborting handshake. FID=%d", resSocket);
-          }
         } else {
-          HTTPS_LOGE("SSL_set_fd failed. Aborting handshake. FID=%d", resSocket);
+             HTTPS_LOGE("SSL_accept failed. Aborting handshake. FID=%d", resSocket);
         }
+        // } else {
+        //   HTTPS_LOGE("SSL_set_fd failed. Aborting handshake. FID=%d", resSocket);
+        // }
       } else {
-        HTTPS_LOGE("SSL_new failed. Aborting handshake. FID=%d", resSocket);
+        HTTPS_LOGE("SSL_new failed. Aborting handshake. Error=%d", res);
       }
 
     } else {
@@ -84,18 +87,10 @@ void HTTPSConnection::closeConnection() {
 
   // Try to tear down SSL while we are in the _shutdownTS timeout period or if an error occurred
   if (_ssl) {
-    if(_connectionState == STATE_ERROR || SSL_shutdown(_ssl) == 0) {
-      // SSL_shutdown will return 1 as soon as the client answered with close notify
-      // This means we are safe to close the socket
-      SSL_free(_ssl);
-      _ssl = NULL;
-    } else if (_shutdownTS + HTTPS_SHUTDOWN_TIMEOUT < millis()) {
-      // The timeout has been hit, we force SSL shutdown now by freeing the context
-      SSL_free(_ssl);
-      _ssl = NULL;
-      HTTPS_LOGW("SSL_shutdown did not receive close notification from the client");
-      _connectionState = STATE_ERROR;
-    }
+    esp_tls_cfg_server_session_tickets_free(_cfg);
+    esp_tls_server_session_delete(_ssl);
+    _ssl = NULL;
+    _connectionState = STATE_ERROR;
   }
 
   // If SSL has been brought down, close the socket
@@ -105,19 +100,19 @@ void HTTPSConnection::closeConnection() {
 }
 
 size_t HTTPSConnection::writeBuffer(byte* buffer, size_t length) {
-  return SSL_write(_ssl, buffer, length);
+  return esp_tls_conn_write(_ssl,buffer,length);// SSL_write(_ssl, buffer, length);
 }
 
 size_t HTTPSConnection::readBytesToBuffer(byte* buffer, size_t length) {
-  return SSL_read(_ssl, buffer, length);
+  return esp_tls_conn_read(_ssl, buffer, length);
 }
 
 size_t HTTPSConnection::pendingByteCount() {
-  return SSL_pending(_ssl);
+  return esp_tls_get_bytes_avail(_ssl);
 }
 
 bool HTTPSConnection::canReadData() {
-  return HTTPConnection::canReadData() || (SSL_pending(_ssl) > 0);
+  return HTTPConnection::canReadData() || (esp_tls_get_bytes_avail(_ssl) > 0);
 }
 
 } /* namespace httpsserver */

src/HTTPSConnection.hpp

@@ -6,8 +6,9 @@
 #include <string>
 
 // Required for SSL
-#include "openssl/ssl.h"
-#undef read
+//#include "openssl/ssl.h"
+//#undef read
+#include <esp_tls.h>
 
 // Required for sockets
 #include "lwip/netdb.h"
@@ -34,7 +35,7 @@ class HTTPSConnection : public HTTPConnection {
   HTTPSConnection(ResourceResolver * resResolver);
   virtual ~HTTPSConnection();
 
-  virtual int initialize(int serverSocketID, SSL_CTX * sslCtx, HTTPHeaders *defaultHeaders);
+  virtual int initialize(int serverSocketID, esp_tls_t * sslCtx,esp_tls_cfg_server_t * cfgSrv, HTTPHeaders *defaultHeaders);
   virtual void closeConnection();
   virtual bool isSecure();
 
@@ -49,8 +50,8 @@ class HTTPSConnection : public HTTPConnection {
 
 private:
   // SSL context for this connection
-  SSL * _ssl;
-
+  esp_tls_t * _ssl;
+  esp_tls_cfg_server_t * _cfg;
 };
 
 } /* namespace httpsserver */

src/HTTPSServer.cpp

@@ -2,17 +2,24 @@
 
 namespace httpsserver {
 
+constexpr char * alpn_protos[] = { "h2", NULL } ;
 
 HTTPSServer::HTTPSServer(SSLCert * cert, const uint16_t port, const uint8_t maxConnections, const in_addr_t bindAddress):
   HTTPServer(port, maxConnections, bindAddress),
   _cert(cert) {
-
+  
   // Configure runtime data
   _sslctx = NULL;
+  _cfg = new esp_tls_cfg_server();
+  _cfg->alpn_protos = (const char **)alpn_protos;
+  _cfg->servercert_buf =cert->getCertData();
+  _cfg->servercert_bytes = cert->getPKLength();
+  _cfg->serverkey_buf= cert->getPKData();
+  _cfg->serverkey_bytes= cert->getPKLength();
 }
 
 HTTPSServer::~HTTPSServer() {
-
+  free(_cfg);
 }
 
 /**
@@ -27,7 +34,7 @@ uint8_t HTTPSServer::setupSocket() {
 
     if (!setupCert()) {
       Serial.println("setupCert failed");
-      SSL_CTX_free(_sslctx);
+//      SSL_CTX_free(_sslctx);
       _sslctx = NULL;
       return 0;
     }
@@ -36,7 +43,7 @@ uint8_t HTTPSServer::setupSocket() {
       return 1;
     } else {
       Serial.println("setupSockets failed");
-      SSL_CTX_free(_sslctx);
+//      SSL_CTX_free(_sslctx);
       _sslctx = NULL;
       return 0;
     }
@@ -50,27 +57,29 @@ void HTTPSServer::teardownSocket() {
   HTTPServer::teardownSocket();
 
   // Tear down the SSL context
-  SSL_CTX_free(_sslctx);
+  if (NULL != _sslctx)
+  //SSL_CTX_free(_sslctx);
   _sslctx = NULL;
 }
 
 int HTTPSServer::createConnection(int idx) {
   HTTPSConnection * newConnection = new HTTPSConnection(this);
   _connections[idx] = newConnection;
-  return newConnection->initialize(_socket, _sslctx, &_defaultHeaders);
+  return newConnection->initialize(_socket, _sslctx, _cfg , &_defaultHeaders);
 }
 
 /**
  * This method configures the ssl context that is used for the server
  */
 uint8_t HTTPSServer::setupSSLCTX() {
-  _sslctx = SSL_CTX_new(TLSv1_2_server_method());
-  if (_sslctx) {
+
+//  _sslctx = SSL_CTX_new(TLSv1_2_server_method());
+  _sslctx =  esp_tls_init();
+  if (NULL != _sslctx) {
     // Set SSL Timeout to 5 minutes
-    SSL_CTX_set_timeout(_sslctx, 300);
+//    SSL_CTX_set_timeout(_sslctx, 300);
     return 1;
   } else {
-    _sslctx = NULL;
     return 0;
   }
 }
@@ -81,22 +90,27 @@ uint8_t HTTPSServer::setupSSLCTX() {
  */
 uint8_t HTTPSServer::setupCert() {
   // Configure the certificate first
-  uint8_t ret = SSL_CTX_use_certificate_ASN1(
-    _sslctx,
-    _cert->getCertLength(),
-    _cert->getCertData()
-  );
-
-  // Then set the private key accordingly
-  if (ret) {
-    ret = SSL_CTX_use_RSAPrivateKey_ASN1(
-      _sslctx,
-      _cert->getPKData(),
-      _cert->getPKLength()
-    );
-  }
-
-  return ret;
+  _cfg->servercert_buf= _cert->getCertData();
+  _cfg->servercert_bytes = _cert->getPKLength();
+  _cfg->serverkey_buf= _cert->getPKData();
+  _cfg->serverkey_bytes= _cert->getPKLength();
+
+  // uint8_t ret = SSL_CTX_use_certificate_ASN1(
+  //   _sslctx,
+  //   _cert->getCertLength(),
+  //   _cert->getCertData()
+  // );
+
+  // // Then set the private key accordingly
+  // if (ret) {
+  //   ret = SSL_CTX_use_RSAPrivateKey_ASN1(
+  //     _sslctx,
+  //     _cert->getPKData(),
+  //     _cert->getPKLength()
+  //   );
+  // }
+
+  return 1;
 }
 
 } /* namespace httpsserver */

src/HTTPSServer.hpp

@@ -8,8 +8,9 @@
 #include <Arduino.h>
 
 // Required for SSL
-#include "openssl/ssl.h"
-#undef read
+//#include "openssl/ssl.h"
+#include <esp_tls.h>
+//#undef read
 
 // Internal includes
 #include "HTTPServer.hpp"
@@ -31,14 +32,16 @@ class HTTPSServer : public HTTPServer {
 public:
   HTTPSServer(SSLCert * cert, const uint16_t portHTTPS = 443, const uint8_t maxConnections = 4, const in_addr_t bindAddress = 0);
   virtual ~HTTPSServer();
-
+  virtual esp_tls_cfg_server_t *getConfig() {return _cfg;}
 private:
   // Static configuration. Port, keys, etc. ====================
   // Certificate that should be used (includes private key)
   SSLCert * _cert;
 
   //// Runtime data ============================================
-  SSL_CTX * _sslctx;
+  //SSL_CTX * _sslctx;
+  esp_tls_t * _sslctx;
+  esp_tls_cfg_server_t * _cfg;
   // Status of the server: Are we running, or not?
 
   // Setup functions