Skip to content

ports/esp32: Enable mbedtls cert time validation. #13100

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2023
Merged

ports/esp32: Enable mbedtls cert time validation. #13100

merged 1 commit into from
Dec 3, 2023

Conversation

Carglglz
Copy link
Contributor

@Carglglz Carglglz commented Nov 30, 2023
edited
Loading

WIP

This was referenced Nov 30, 2023
Merged
Closed
@dpgeorge dpgeorge added this to the release-1.22.0 milestone Dec 1, 2023
dpgeorge
dpgeorge reviewed Dec 1, 2023
View reviewed changes
ports/esp32/main.c Outdated
#include "mbedtls/version.h"
#endif
#ifdef MICROPY_MBEDTLS_PLATFORM_TIME_ALT
#include "mbedtls/mbedtls_config.h"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you want to include #include "mbedtls/platform.h" instead.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mbedtls/platform.h includes mbedtls/platform_time.h, since this only requires mbedtls_platform_set_time I think it's simpler to include platform_time directly.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, sounds good!

ports/esp32/main.c Outdated
#include "mbedtls/platform_time.h"
#else
#include "mbedtls/version.h"
#endif
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this set of includes is needed??

ports/esp32/esp32_common.cmake Outdated
@@ -63,6 +63,8 @@ list(APPEND MICROPY_SOURCE_PORT
mphalport.c
fatfs_port.c
help.c
modtime.c
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line should not be needed.

ports/esp32/mbedtls/mbedtls_port.c Outdated
#include "shared/timeutils/timeutils.h"


#ifdef MICROPY_MBEDTLS_PLATFORM_TIME_ALT
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't you use #ifdef MBEDTLS_PLATFORM_TIME_ALT here instead?

@Carglglz Carglglz force-pushed the esp32_mbedtls_time branch 3 times, most recently from 8407d27 to 93aff62 Compare December 3, 2023 00:15
@Carglglz Carglglz marked this pull request as ready for review December 3, 2023 00:23
dpgeorge
dpgeorge reviewed Dec 3, 2023
View reviewed changes
ports/esp32/mbedtls/mbedtls_config.h Outdated

#define MBEDTLS_HAVE_ASM

time_t platform_mbedtls_time(time_t *timer);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see that this file is indeed included in the build. But that seems to be by accident: esp-idf/components/mbedtls/port/include/mbedtls/esp_config.h includes mbedtls/mbedtls_config.h which is intended to pick up the default mbedtls_config.h from the mbedtls component of the IDF.

So having this file here will completely override the default set of settings.

Why is this file needed? I don't think the MBEDTLS_HAVE_ASM option does anything, that seems to only be needed for x84 architectures.

dpgeorge
dpgeorge reviewed Dec 3, 2023
View reviewed changes
ports/esp32/mbedtls/mbedtls_port.c Outdated
#include "shared/timeutils/timeutils.h"
#include "mbedtls/platform_time.h"

time_t platform_mbedtls_time(time_t *timer) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To keep things simple, you could just put this function in main.c, before the mp_task() function. Then this separate file is not needed, nor are any additional headers like mbedtls_config.h.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, I've just tested this and it is in fact the simplest option, thanks for the help again 🙏🏼 !!

@dpgeorge
Copy link
Member

dpgeorge commented Dec 3, 2023

This looks much better now. Is it ready to be merged?

@Carglglz
Copy link
Contributor Author

Carglglz commented Dec 3, 2023

Yes I've been testing this and it works as expected 👍🏼 .

With this commit now all ports that use mbedtls have cert time validation enabled, so I think a note should be added to SSL/TLS documentation for ssl.CERT_REQUIRED option e.g.

ssl.CERT_REQUIRED

This option requires RTC to be properly set

otherwise MBEDTLS_ERR_X509_CERT_VERIFY_FAILED will be raised or after #13098

ValueError:
The certificate validity starts in the future

@Carglglz @dpgeorge
esp32: Enable mbedtls cert time validation.
30b0ee3 
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
@dpgeorge dpgeorge merged commit 30b0ee3 into micropython:master Dec 3, 2023
@dpgeorge
Copy link
Member

dpgeorge commented Dec 4, 2023

Thanks for testing. Now merged.

@Carglglz Carglglz deleted the esp32_mbedtls_time branch December 4, 2023 01:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dpgeorge dpgeorge dpgeorge left review comments

Assignees
No one assigned
Labels
port-esp32
Projects
None yet
Milestone
release-1.22.0
Development

Successfully merging this pull request may close these issues.
2 participants
@Carglglz @dpgeorge