merging pull request fhessel#169

Author: hakuamesan

Diff for: src/ConnectionContext.hpp

@@ -5,8 +5,7 @@
 #include <IPAddress.h>
 
 // Required for SSL
-#include "openssl/ssl.h"
-#undef read
+#include <esp_tls.h>
 
 namespace httpsserver {
 

Diff for: src/HTTPConnection.cpp

@@ -664,7 +664,7 @@ void handleWebsocketHandshake(HTTPRequest * req, HTTPResponse * res) {
 std::string websocketKeyResponseHash(std::string const &key) {
   std::string newKey = key + "258EAFA5-E914-47DA-95CA-C5AB0DC85B11";
   uint8_t shaData[HTTPS_SHA1_LENGTH];
-  esp_sha(SHA1, (uint8_t*)newKey.data(), newKey.length(), shaData);
+  mbedtls_sha1_ret(SHA1, (uint8_t*)newKey.data(), newKey.length(), shaData);
 
   // Get output size required for base64 representation
   size_t b64BufferSize = 0;

Diff for: src/HTTPConnection.hpp

@@ -6,7 +6,7 @@
 
 #include <string>
 #include <mbedtls/base64.h>
-#include <hwcrypto/sha.h>
+#include <mbedtls/sha1.h>
 #include <functional>
 
 // Required for sockets

Diff for: src/HTTPResponse.hpp

@@ -9,7 +9,7 @@
 #undef write
 #include <vector>
 
-#include <openssl/ssl.h>
+#include <esp_tls.h>
 
 #include "util.hpp"
 

Diff for: src/HTTPSConnection.cpp

@@ -5,7 +5,7 @@ namespace httpsserver {
 
 HTTPSConnection::HTTPSConnection(ResourceResolver * resResolver):
   HTTPConnection(resResolver) {
-  _ssl = NULL;
+  _ssl = esp_tls_init();
 }
 
 HTTPSConnection::~HTTPSConnection() {
@@ -22,35 +22,30 @@ bool HTTPSConnection::isSecure() {
  *
  * The call WILL BLOCK if accept(serverSocketID) blocks. So use select() to check for that in advance.
  */
-int HTTPSConnection::initialize(int serverSocketID, SSL_CTX * sslCtx, HTTPHeaders *defaultHeaders) {
+int HTTPSConnection::initialize(int serverSocketID, esp_tls_cfg_server * cfgSrv, HTTPHeaders *defaultHeaders) {
   if (_connectionState == STATE_UNDEFINED) {
     // Let the base class connect the plain tcp socket
     int resSocket = HTTPConnection::initialize(serverSocketID, defaultHeaders);
 
+    HTTPS_LOGI("Cert len:%d, apn:%s\n", cfgSrv->servercert_bytes, cfgSrv->alpn_protos[0]);
+
     // Build up SSL Connection context if the socket has been created successfully
     if (resSocket >= 0) {
 
-      _ssl = SSL_new(sslCtx);
+      int res = esp_tls_server_session_create(cfgSrv, resSocket, _ssl);
 
-      if (_ssl) {
-        // Bind SSL to the socket
-        int success = SSL_set_fd(_ssl, resSocket);
-        if (success) {
+      if (0 == res) {
+        esp_tls_cfg_server_session_tickets_init(cfgSrv);
+        _cfg = cfgSrv;
 
-          // Perform the handshake
-          success = SSL_accept(_ssl);
-          if (success) {
+          if (ESP_OK == esp_tls_get_conn_sockfd(_ssl, &resSocket)){
             return resSocket;
           } else {
             HTTPS_LOGE("SSL_accept failed. Aborting handshake. FID=%d", resSocket);
           }
-        } else {
-          HTTPS_LOGE("SSL_set_fd failed. Aborting handshake. FID=%d", resSocket);
-        }
       } else {
-        HTTPS_LOGE("SSL_new failed. Aborting handshake. FID=%d", resSocket);
+        HTTPS_LOGE("SSL_new failed. Aborting handshake. Error=%d", res);
       }
-
     } else {
       HTTPS_LOGE("Could not accept() new connection. FID=%d", resSocket);
     }
@@ -84,18 +79,10 @@ void HTTPSConnection::closeConnection() {
 
   // Try to tear down SSL while we are in the _shutdownTS timeout period or if an error occurred
   if (_ssl) {
-    if(_connectionState == STATE_ERROR || SSL_shutdown(_ssl) == 0) {
-      // SSL_shutdown will return 1 as soon as the client answered with close notify
-      // This means we are safe to close the socket
-      SSL_free(_ssl);
-      _ssl = NULL;
-    } else if (_shutdownTS + HTTPS_SHUTDOWN_TIMEOUT < millis()) {
-      // The timeout has been hit, we force SSL shutdown now by freeing the context
-      SSL_free(_ssl);
-      _ssl = NULL;
-      HTTPS_LOGW("SSL_shutdown did not receive close notification from the client");
-      _connectionState = STATE_ERROR;
-    }
+    esp_tls_cfg_server_session_tickets_free(_cfg);
+    esp_tls_server_session_delete(_ssl);
+    _ssl = NULL;
+    _connectionState = STATE_ERROR;
   }
 
   // If SSL has been brought down, close the socket
@@ -105,19 +92,19 @@ void HTTPSConnection::closeConnection() {
 }
 
 size_t HTTPSConnection::writeBuffer(byte* buffer, size_t length) {
-  return SSL_write(_ssl, buffer, length);
+  return esp_tls_conn_write(_ssl, buffer, length);
 }
 
 size_t HTTPSConnection::readBytesToBuffer(byte* buffer, size_t length) {
-  return SSL_read(_ssl, buffer, length);
+  return esp_tls_conn_read(_ssl, buffer, length);
 }
 
 size_t HTTPSConnection::pendingByteCount() {
-  return SSL_pending(_ssl);
+  return esp_tls_get_bytes_avail(_ssl);
 }
 
 bool HTTPSConnection::canReadData() {
-  return HTTPConnection::canReadData() || (SSL_pending(_ssl) > 0);
+  return HTTPConnection::canReadData() || (esp_tls_get_bytes_avail(_ssl) > 0);
 }
 
 } /* namespace httpsserver */

Diff for: src/HTTPSConnection.hpp

@@ -6,8 +6,8 @@
 #include <string>
 
 // Required for SSL
-#include "openssl/ssl.h"
-#undef read
+#include <esp_tls.h>
+
 
 // Required for sockets
 #include "lwip/netdb.h"
@@ -34,7 +34,7 @@ class HTTPSConnection : public HTTPConnection {
   HTTPSConnection(ResourceResolver * resResolver);
   virtual ~HTTPSConnection();
 
-  virtual int initialize(int serverSocketID, SSL_CTX * sslCtx, HTTPHeaders *defaultHeaders);
+  virtual int initialize(int serverSocketID, esp_tls_cfg_server_t * cfgSrv, HTTPHeaders *defaultHeaders);
   virtual void closeConnection();
   virtual bool isSecure();
 
@@ -49,7 +49,8 @@ class HTTPSConnection : public HTTPConnection {
 
 private:
   // SSL context for this connection
-  SSL * _ssl;
+  esp_tls_t * _ssl;
+  esp_tls_cfg_server_t * _cfg; 
 
 };
 

Diff for: src/HTTPSServer.cpp

@@ -2,42 +2,41 @@
 
 namespace httpsserver {
 
+constexpr const char * alpn_protos[] = {"http/1.1", NULL};
 
 HTTPSServer::HTTPSServer(SSLCert * cert, const uint16_t port, const uint8_t maxConnections, const in_addr_t bindAddress):
   HTTPServer(port, maxConnections, bindAddress),
   _cert(cert) {
 
   // Configure runtime data
-  _sslctx = NULL;
+   _cfg = new esp_tls_cfg_server();
+  _cfg->alpn_protos = (const char **)alpn_protos;
+  _cfg->cacert_buf = NULL;
+  _cfg->cacert_bytes = 0;
+  _cfg->servercert_buf =cert->getCertData();
+  _cfg->servercert_bytes = cert->getCertLength();
+  _cfg->serverkey_buf= cert->getPKData();
+  _cfg->serverkey_bytes= cert->getPKLength();
 }
 
 HTTPSServer::~HTTPSServer() {
-
+  free(_cfg);
 }
 
 /**
  * This method starts the server and begins to listen on the port
  */
 uint8_t HTTPSServer::setupSocket() {
   if (!isRunning()) {
-    if (!setupSSLCTX()) {
-      Serial.println("setupSSLCTX failed");
-      return 0;
-    }
-
-    if (!setupCert()) {
-      Serial.println("setupCert failed");
-      SSL_CTX_free(_sslctx);
-      _sslctx = NULL;
-      return 0;
-    }
+    _cfg->servercert_buf= _cert->getCertData();
+    _cfg->servercert_bytes = _cert->getCertLength();
+    _cfg->serverkey_buf= _cert->getPKData();
+    _cfg->serverkey_bytes= _cert->getPKLength();
 
     if (HTTPServer::setupSocket()) {
       return 1;
     } else {
       Serial.println("setupSockets failed");
-      SSL_CTX_free(_sslctx);
-      _sslctx = NULL;
       return 0;
     }
   } else {
@@ -48,31 +47,13 @@ uint8_t HTTPSServer::setupSocket() {
 void HTTPSServer::teardownSocket() {
 
   HTTPServer::teardownSocket();
-
-  // Tear down the SSL context
-  SSL_CTX_free(_sslctx);
-  _sslctx = NULL;
 }
 
 int HTTPSServer::createConnection(int idx) {
   HTTPSConnection * newConnection = new HTTPSConnection(this);
   _connections[idx] = newConnection;
-  return newConnection->initialize(_socket, _sslctx, &_defaultHeaders);
-}
-
-/**
- * This method configures the ssl context that is used for the server
- */
-uint8_t HTTPSServer::setupSSLCTX() {
-  _sslctx = SSL_CTX_new(TLSv1_2_server_method());
-  if (_sslctx) {
-    // Set SSL Timeout to 5 minutes
-    SSL_CTX_set_timeout(_sslctx, 300);
-    return 1;
-  } else {
-    _sslctx = NULL;
-    return 0;
-  }
+  
+  return newConnection->initialize(_socket, _cfg, &_defaultHeaders);
 }
 
 /**
@@ -81,22 +62,11 @@ uint8_t HTTPSServer::setupSSLCTX() {
  */
 uint8_t HTTPSServer::setupCert() {
   // Configure the certificate first
-  uint8_t ret = SSL_CTX_use_certificate_ASN1(
-    _sslctx,
-    _cert->getCertLength(),
-    _cert->getCertData()
-  );
-
-  // Then set the private key accordingly
-  if (ret) {
-    ret = SSL_CTX_use_RSAPrivateKey_ASN1(
-      _sslctx,
-      _cert->getPKData(),
-      _cert->getPKLength()
-    );
-  }
-
-  return ret;
+  _cfg->servercert_buf= _cert->getCertData();
+  _cfg->servercert_bytes = _cert->getCertLength();
+  _cfg->serverkey_buf= _cert->getPKData();
+  _cfg->serverkey_bytes= _cert->getPKLength();
+  return 1;
 }
 
 } /* namespace httpsserver */

Diff for: src/HTTPSServer.hpp

@@ -8,8 +8,7 @@
 #include <Arduino.h>
 
 // Required for SSL
-#include "openssl/ssl.h"
-#undef read
+#include <esp_tls.h>
 
 // Internal includes
 #include "HTTPServer.hpp"
@@ -32,19 +31,21 @@ class HTTPSServer : public HTTPServer {
   HTTPSServer(SSLCert * cert, const uint16_t portHTTPS = 443, const uint8_t maxConnections = 4, const in_addr_t bindAddress = 0);
   virtual ~HTTPSServer();
 
+  virtual esp_tls_cfg_server_t *getConfig() { return _cfg;}
+
 private:
   // Static configuration. Port, keys, etc. ====================
   // Certificate that should be used (includes private key)
   SSLCert * _cert;
 
   //// Runtime data ============================================
-  SSL_CTX * _sslctx;
+  esp_tls_cfg_server_t * _cfg;
+
   // Status of the server: Are we running, or not?
 
   // Setup functions
   virtual uint8_t setupSocket();
   virtual void teardownSocket();
-  uint8_t setupSSLCTX();
   uint8_t setupCert();
 
   // Helper functions

Diff for: src/WebsocketHandler.cpp

@@ -17,7 +17,7 @@ static void dumpFrame(WebsocketFrame frame) {
     case WebsocketHandler::OPCODE_TEXT: opcode = std::string("TEXT"); break;
   }
   ESP_LOGI(
-    TAG,
+    "",
     "Fin: %d, OpCode: %d (%s), Mask: %d, Len: %d",
     (int)frame.fin,
     (int)frame.opCode,