fix(tls): do not attach bundle from runtime

me-no-dev · me-no-dev · commit ef9400695f15 · 2024-06-03T16:22:06.000+03:00
diff --git a/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp b/libraries/NetworkClientSecure/src/NetworkClientSecure.cpp
@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
 void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
   if (bundle != NULL) {
     esp_crt_bundle_set(bundle, sizeof(bundle));
+    attach_ssl_certificate_bundle(true);
     _use_ca_bundle = true;
   } else {
     esp_crt_bundle_detach(NULL);
+    attach_ssl_certificate_bundle(false);
     _use_ca_bundle = false;
   }
 }
diff --git a/libraries/NetworkClientSecure/src/ssl_client.cpp b/libraries/NetworkClientSecure/src/ssl_client.cpp
@@ -26,6 +26,9 @@
 
 const char *pers = "esp32-tls";
 
+typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
+static crt_bundle_attach_cb _bundle_attach_cb = NULL;
+
 static int _handle_error(int err, const char *function, int line) {
   if (err == -30848) {
     return err;
@@ -51,6 +54,14 @@ void ssl_init(sslclient_context *ssl_client) {
   ssl_client->peek_buf = -1;
 }
 
+void attach_ssl_certificate_bundle(bool att) {
+  if (att) {
+    _bundle_attach_cb = &esp_crt_bundle_attach;
+  } else {
+    _bundle_attach_cb = NULL;
+  }
+}
+
 int start_ssl_client(
   sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
   const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
@@ -195,11 +206,15 @@ int start_ssl_client(
       return handle_error(ret);
     }
   } else if (useRootCABundle) {
-    log_v("Attaching root CA cert bundle");
-    ret = esp_crt_bundle_attach(&ssl_client->ssl_conf);
+    if (_bundle_attach_cb != NULL) {
+      log_v("Attaching root CA cert bundle");
+      ret = _bundle_attach_cb(&ssl_client->ssl_conf);
 
-    if (ret < 0) {
-      return handle_error(ret);
+      if (ret < 0) {
+        return handle_error(ret);
+      }
+    } else {
+      log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(true); was not called!");
     }
   } else if (pskIdent != NULL && psKey != NULL) {
     log_v("Setting up PSK");
diff --git a/libraries/NetworkClientSecure/src/ssl_client.h b/libraries/NetworkClientSecure/src/ssl_client.h
@@ -37,6 +37,7 @@ int start_ssl_client(
   sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
   const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
 );
+void attach_ssl_certificate_bundle(bool att);
 int ssl_starttls_handshake(sslclient_context *ssl_client);
 void stop_ssl_socket(sslclient_context *ssl_client);
 int data_to_read(sslclient_context *ssl_client);

Original file line number	Diff line number	Diff line change
`@@ -317,9 +317,11 @@ void NetworkClientSecure::setCACert(const char *rootCA) {`
`317`	`317`	`void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {`
`318`	`318`	`if (bundle != NULL) {`
`319`	`319`	`esp_crt_bundle_set(bundle, sizeof(bundle));`
	`320`	`+ attach_ssl_certificate_bundle(true);`
`320`	`321`	`_use_ca_bundle = true;`
`321`	`322`	`} else {`
`322`	`323`	`esp_crt_bundle_detach(NULL);`
	`324`	`+ attach_ssl_certificate_bundle(false);`
`323`	`325`	`_use_ca_bundle = false;`
`324`	`326`	`}`
`325`	`327`	`}`