espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 19:13:21 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'fix/esp_tls_check_tls_conn_before_read_write' into 'master'

Browse Source 
Fix/esp tls check tls conn before read write

Closes IDF-15501

See merge request espressif/esp-idf!47068
This commit is contained in:
Aditya Patwardhan
2026-04-13 12:03:45 +05:30
parent 123f040498 f3238ec7d5
commit fd551a3618
9 changed files with 95 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
components/esp-tls/esp_tls.c
+20 -2
View File
@@ -145,6 +145,15 @@ ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen)
if (!tls) { if (!tls) {
return -1; return -1;
} }
if (!tls->read) {
return -1;
}
#if CONFIG_MBEDTLS_DYNAMIC_BUFFER
if (tls->is_tls && tls->conn_state != ESP_TLS_DONE) {
ESP_LOGE(TAG, "TLS handshake has not completed, read operation not permitted");
return -1;
}
#endif
return tls->read(tls, (char *)data, datalen); return tls->read(tls, (char *)data, datalen);
} }
@@ -153,6 +162,15 @@ ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen)
if (!tls || !data) { if (!tls || !data) {
return -1; return -1;
} }
if (!tls->write) {
return -1;
}
#if CONFIG_MBEDTLS_DYNAMIC_BUFFER
if (tls->is_tls && tls->conn_state != ESP_TLS_DONE) {
ESP_LOGE(TAG, "TLS handshake has not completed, write operation not permitted");
return -1;
}
#endif
return tls->write(tls, (char *)data, datalen); return tls->write(tls, (char *)data, datalen);
} }
@@ -574,12 +592,12 @@ int esp_tls_conn_new_sync(const char *hostname, int hostlen, int port, const esp
} else if (ret == -1) { } else if (ret == -1) {
ESP_LOGE(TAG, "Failed to open new connection"); ESP_LOGE(TAG, "Failed to open new connection");
return -1; return -1;
} else if (ret == 0 && cfg->timeout_ms >= 0) { } else if (ret == 0 && cfg->timeout_ms > 0) {
uint64_t elapsed_time_us = esp_tls_get_platform_time() - start_time_us; uint64_t elapsed_time_us = esp_tls_get_platform_time() - start_time_us;
if ((elapsed_time_us / 1000) >= cfg->timeout_ms) { if ((elapsed_time_us / 1000) >= cfg->timeout_ms) {
ESP_LOGW(TAG, "Failed to open new connection in specified timeout"); ESP_LOGW(TAG, "Failed to open new connection in specified timeout");
ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT); ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT);
return 0; return -1;
} }
} }
} }
components/esp-tls/esp_tls.h
+9 -2
View File
@@ -420,10 +420,17 @@ esp_tls_t *esp_tls_init(void);
* structure should be zero-initialized * structure should be zero-initialized
* @param[in] tls Pointer to esp-tls as esp-tls handle. * @param[in] tls Pointer to esp-tls as esp-tls handle.
* *
* @note The cfg->timeout_ms parameter controls the connection timeout:
* - timeout_ms > 0: The connection attempt will be aborted if it does not
* complete within the specified duration.
* - timeout_ms <= 0: No application-level timeout is applied. The connection
* relies on the underlying socket timeout (ESP_TLS_DEFAULT_CONN_TIMEOUT).
* On timeout, the function returns -1 and records
* ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT in the error handle.
*
* @return * @return
* - -1 If connection establishment fails. * - -1 If connection establishment fails (including timeout).
* - 1 If connection establishment is successful. * - 1 If connection establishment is successful.
* - 0 If connection state is in progress.
*/ */
int esp_tls_conn_new_sync(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls); int esp_tls_conn_new_sync(const char *hostname, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_t *tls);
components/esp-tls/esp_tls_mbedtls.c
+1
View File
@@ -1196,6 +1196,7 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
return ESP_ERR_ESP_TLS_SERVER_HANDSHAKE_TIMEOUT; return ESP_ERR_ESP_TLS_SERVER_HANDSHAKE_TIMEOUT;
} }
} }
tls->conn_state = ESP_TLS_DONE;
return ret; return ret;
} }
components/esp-tls/test_apps/.build-test-rules.yml
+6
View File
@@ -0,0 +1,6 @@
# Documentation: .gitlab/ci/README.md#manifest-file-to-control-the-buildtest-apps
components/esp-tls/test_apps:
disable:
- if: IDF_TARGET not in ["esp32c3"]
reason: Testing on one target is enough
components/esp-tls/test_apps/README.md
+2 -2
View File
@@ -1,2 +1,2 @@
| Supported Targets | ESP32 | ESP32-C2 | ESP32-C3 | ESP32-C5 | ESP32-C6 | ESP32-C61 | ESP32-H2 | ESP32-H21 | ESP32-H4 | ESP32-P4 | ESP32-S2 | ESP32-S3 | ESP32-S31 | | Supported Targets | ESP32-C3 |
| ----------------- | ----- | -------- | -------- | -------- | -------- | --------- | -------- | --------- | -------- | -------- | -------- | -------- | --------- | | ----------------- | -------- |
components/esp-tls/test_apps/main/CMakeLists.txt
+4
View File
@@ -1,3 +1,7 @@
idf_component_register(SRC_DIRS "." idf_component_register(SRC_DIRS "."
PRIV_REQUIRES test_utils esp-tls unity PRIV_REQUIRES test_utils esp-tls unity
WHOLE_ARCHIVE) WHOLE_ARCHIVE)
# Expose esp-tls private headers for internal component tests
idf_component_get_property(esp_tls_dir esp-tls COMPONENT_DIR)
target_include_directories(${COMPONENT_LIB} PRIVATE "${esp_tls_dir}/private_include")
components/esp-tls/test_apps/main/test_esp_tls.c
+41
View File
@@ -7,6 +7,7 @@
#include "memory_checks.h" #include "memory_checks.h"
#include "esp_tls.h" #include "esp_tls.h"
#include "esp_tls_custom_stack.h" #include "esp_tls_custom_stack.h"
#include "esp_tls_private.h"
#include "unity.h" #include "unity.h"
#include "esp_err.h" #include "esp_err.h"
#include "esp_log.h" #include "esp_log.h"
@@ -60,6 +61,46 @@ const char *test_key_pem = "-----BEGIN PRIVATE KEY-----\n"\
"Aogx44Fozd1t2hYcozPuZD4s\n"\ "Aogx44Fozd1t2hYcozPuZD4s\n"\
"-----END PRIVATE KEY-----\n"; "-----END PRIVATE KEY-----\n";
static ssize_t dummy_read(esp_tls_t *tls, char *data, size_t datalen) { return (ssize_t)datalen; }
TEST_CASE("esp_tls_conn_write/read reject NULL tls", "[esp-tls]")
{
char buf[16] = {0};
TEST_ASSERT_EQUAL(-1, esp_tls_conn_write(NULL, buf, sizeof(buf)));
TEST_ASSERT_EQUAL(-1, esp_tls_conn_read(NULL, buf, sizeof(buf)));
}
TEST_CASE("esp_tls_conn_write reject NULL data buffer", "[esp-tls]")
{
esp_tls_t *tls = esp_tls_init();
TEST_ASSERT_NOT_NULL(tls);
TEST_ASSERT_EQUAL(-1, esp_tls_conn_write(tls, NULL, 16));
esp_tls_conn_destroy(tls);
}
TEST_CASE("esp_tls_conn_read accepts zero datalen", "[esp-tls]")
{
esp_tls_t *tls = esp_tls_init();
TEST_ASSERT_NOT_NULL(tls);
tls->is_tls = true;
tls->read = dummy_read;
TEST_ASSERT_EQUAL(ESP_OK, esp_tls_set_conn_state(tls, ESP_TLS_DONE));
/* datalen=0 on read is used in some projects, to get the data in the SSL buffers */
TEST_ASSERT_EQUAL(0, esp_tls_conn_read(tls, NULL, 0));
esp_tls_conn_destroy(tls);
}
TEST_CASE("esp_tls_conn_write/read reject unconnected tls", "[esp-tls]")
{
esp_tls_t *tls = esp_tls_init();
TEST_ASSERT_NOT_NULL(tls);
/* read/write function pointers are NULL right after init */
char buf[16] = {0};
TEST_ASSERT_EQUAL(-1, esp_tls_conn_write(tls, buf, sizeof(buf)));
TEST_ASSERT_EQUAL(-1, esp_tls_conn_read(tls, buf, sizeof(buf)));
esp_tls_conn_destroy(tls);
}
#if CONFIG_ESP_TLS_USING_MBEDTLS #if CONFIG_ESP_TLS_USING_MBEDTLS
TEST_CASE("esp-tls init deinit", "[esp-tls]") TEST_CASE("esp-tls init deinit", "[esp-tls]")
{ {
components/esp-tls/test_apps/pytest_esp_tls.py
+12
View File
@@ -0,0 +1,12 @@
# SPDX-FileCopyrightText: 2022-2026 Espressif Systems (Shanghai) CO LTD
# SPDX-License-Identifier: CC0-1.0
import pytest
from pytest_embedded import Dut
from pytest_embedded_idf.utils import idf_parametrize
@pytest.mark.generic
@idf_parametrize('config', ['default'], indirect=['config'])
@idf_parametrize('target', ['esp32c3'], indirect=['target'])
def test_esp_tls(dut: Dut) -> None:
dut.run_all_single_board_cases()
components/esp-tls/test_apps/sdkconfig.ci.default
View File