Merge branch 'bugfix/ota_pal' into 'master'

Fix for memory leak in network transport layer and changes to OTA PAL incorporated in the examples.

See merge request app-frameworks/esp-aws-iot!34

examples/http/http_mutual_auth/main/Kconfig.projbuild

@@ -27,15 +27,23 @@ menu "Example Configuration"
 
         config EXAMPLE_USE_SECURE_ELEMENT
         bool "Use secure element (ATECC608A)"
-        depends on ESP_TLS_USE_SECURE_ELEMENT
+        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
+        # To confirm that we are satisfying the dependancies of secure element
+        select ESP_TLS_USE_SECURE_ELEMENT
+        select CORE_HTTP_USE_SECURE_ELEMENT
+        select CORE_MQTT_USE_SECURE_ELEMENT
         help
             Enable the use of secure element for the example.
             The esp-cryptoauthlib component is required for enabling
             this option.
 
         config EXAMPLE_USE_DS_PERIPHERAL
         bool "Use DS peripheral"
-        depends on ESP_TLS_USE_DS_PERIPHERAL
+        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
+        # To confirm that we are satisfying the dependancies of ds peripheral
+        select ESP_TLS_USE_DS_PERIPHERAL
+        select CORE_HTTP_USE_DS_PERIPHERAL
+        select CORE_MQTT_USE_DS_PERIPHERAL
         help
             Enable the use of DS peripheral for the example.
             The DS peripheral on the device must be provisioned first to use this option.

examples/http/http_mutual_auth/main/http_demo_mutual_auth.c

@@ -107,6 +107,11 @@
  */
 static uint8_t userBuffer[ USER_BUFFER_LENGTH ];
 
+/**
+ * @brief Static buffer for TLS Context Semaphore.
+ */
+static StaticSemaphore_t xTlsContextSemaphoreBuffer;
+
 /*-----------------------------------------------------------*/
 
 int aws_iot_demo_main( int argc, char ** argv );
@@ -151,7 +156,7 @@ static int32_t connectToServer( NetworkContext_t * pNetworkContext )
     pNetworkContext->pcHostname = AWS_IOT_ENDPOINT;
     pNetworkContext->xPort = AWS_HTTPS_PORT;
     pNetworkContext->pxTls = NULL;
-    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutex();
+    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutexStatic(&xTlsContextSemaphoreBuffer);
 
 #ifdef CONFIG_EXAMPLE_USE_SECURE_ELEMENT
     pNetworkContext->pcClientCertPem = NULL;

examples/jobs/main/Kconfig.projbuild

@@ -45,15 +45,23 @@ menu "Example Configuration"
 
         config EXAMPLE_USE_SECURE_ELEMENT
         bool "Use secure element (ATECC608A)"
-        depends on ESP_TLS_USE_SECURE_ELEMENT
+        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
+        # To confirm that we are satisfying the dependancies of secure element
+        select ESP_TLS_USE_SECURE_ELEMENT
+        select CORE_HTTP_USE_SECURE_ELEMENT
+        select CORE_MQTT_USE_SECURE_ELEMENT
         help
             Enable the use of secure element for the example.
             The esp-cryptoauthlib component is required for enabling
             this option.
 
         config EXAMPLE_USE_DS_PERIPHERAL
         bool "Use DS peripheral"
-        depends on ESP_TLS_USE_DS_PERIPHERAL
+        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
+        # To confirm that we are satisfying the dependancies of ds peripheral
+        select ESP_TLS_USE_DS_PERIPHERAL
+        select CORE_HTTP_USE_DS_PERIPHERAL
+        select CORE_MQTT_USE_DS_PERIPHERAL
         help
             Enable the use of DS peripheral for the example.
             The DS peripheral on the device must be provisioned first to use this option.

examples/jobs/main/mqtt_demo_helpers.c

@@ -234,6 +234,11 @@ static uint16_t globalUnsubscribePacketIdentifier = 0U;
  */
 static PublishPackets_t outgoingPublishPackets[ MAX_OUTGOING_PUBLISHES ] = { 0 };
 
+/**
+ * @brief Static buffer for TLS Context Semaphore.
+ */
+static StaticSemaphore_t xTlsContextSemaphoreBuffer;
+
 /*-----------------------------------------------------------*/
 
 /**
@@ -330,7 +335,7 @@ static TlsTransportStatus_t prvConnectToServerWithBackoffRetries( NetworkContext
     BackoffAlgorithmStatus_t xBackoffAlgStatus = BackoffAlgorithmSuccess;
     BackoffAlgorithmContext_t xReconnectParams = { 0 };
     uint16_t usNextRetryBackOff = 0U;
-    pxNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutex();
+    pxNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutexStatic(&xTlsContextSemaphoreBuffer);
 
     pxNetworkContext->pcHostname = democonfigMQTT_BROKER_ENDPOINT;
     pxNetworkContext->xPort = democonfigMQTT_BROKER_PORT;

examples/mqtt/tls_mutual_auth/main/Kconfig.projbuild

@@ -45,15 +45,23 @@ menu "Example Configuration"
 
         config EXAMPLE_USE_SECURE_ELEMENT
         bool "Use secure element (ATECC608A)"
-        depends on ESP_TLS_USE_SECURE_ELEMENT
+        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
+        # To confirm that we are satisfying the dependancies of secure element
+        select ESP_TLS_USE_SECURE_ELEMENT
+        select CORE_HTTP_USE_SECURE_ELEMENT
+        select CORE_MQTT_USE_SECURE_ELEMENT
         help
             Enable the use of secure element for the example.
             The esp-cryptoauthlib component is required for enabling
             this option.
 
         config EXAMPLE_USE_DS_PERIPHERAL
         bool "Use DS peripheral"
-        depends on ESP_TLS_USE_DS_PERIPHERAL
+        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
+        # To confirm that we are satisfying the dependancies of ds peripheral
+        select ESP_TLS_USE_DS_PERIPHERAL
+        select CORE_HTTP_USE_DS_PERIPHERAL
+        select CORE_MQTT_USE_DS_PERIPHERAL
         help
             Enable the use of DS peripheral for the example.
             The DS peripheral on the device must be provisioned first to use this option.

examples/mqtt/tls_mutual_auth/main/mqtt_demo_mutual_auth.c

@@ -337,6 +337,11 @@ static uint8_t buffer[ NETWORK_BUFFER_SIZE ];
  */
 static MQTTSubAckStatus_t globalSubAckStatus = MQTTSubAckFailure;
 
+/**
+ * @brief Static buffer for TLS Context Semaphore.
+ */
+static StaticSemaphore_t xTlsContextSemaphoreBuffer;
+
 /*-----------------------------------------------------------*/
 
 int aws_iot_demo_main( int argc, char ** argv );
@@ -548,7 +553,7 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
     pNetworkContext->pcHostname = AWS_IOT_ENDPOINT;
     pNetworkContext->xPort = AWS_MQTT_PORT;
     pNetworkContext->pxTls = NULL;
-    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutex();
+    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutexStatic(&xTlsContextSemaphoreBuffer);
 
     pNetworkContext->disableSni = 0;
     uint16_t nextRetryBackOff;

examples/ota/ota_http/CMakeLists.txt

@@ -18,3 +18,4 @@ target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/root_cert_auth.pem"
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.crt" TEXT)
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.key" TEXT)
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/http_root_cert_auth.pem" TEXT)
+target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/aws_codesign.crt" TEXT)

examples/ota/ota_http/README.md

@@ -11,23 +11,17 @@ Ensure that keep the `ecdsasigner.crt` file handy, it will be needed in subseque
 For **"Path name of code signing certificate on device"**, put the following value:
 ```
 Code Verify Key
-```  
+```
 This corresponds to `pkcs11configLABEL_CODE_VERIFICATION_KEY` in the `core_pkcs11_config.h` file.  
 
 For **"Path name of file on device"**, put an arbitrary value such as:
 ```
 /
 ```
 
-5. Replace the contents of the file `main/certs/P11_CSK.crt` with the content in `ecdsasigner.crt`  
-Run the following command to generate the NVS certificate image:  
-```sh
-python $IDF_PATH/components/nvs_flash/nvs_partition_generator/nvs_partition_gen.py generate ./ota_http_demo.csv ./ota_http_demo.bin 0x4000
-```  
-Run the following command to program the NVS certificate image:   
-```sh
-python $IDF_PATH/components/esptool_py/esptool/esptool.py -p <UART port> -b 921600 --before default_reset --after hard_reset write_flash --flash_mode dio --flash_size detect --flash_freq 40m 0x310000 ./ota_http_demo.bin
-```
+5. Replace the contents of the file `main/certs/aws_codesign.crt` with the content from the file `ecdsasigner.crt` 
+
+> The code-signing public key certificate will be used by the application binary i.e. the demo, to authenticate a binary that was downloaded for an update (this downloaded firmware would have been signed by the certificate's corresponding private key i.e. `ecdsasigner.key`). 
 
 6. `idf.py menuconfig` and set MQTT endpoint.
 

examples/ota/ota_http/main/Kconfig.projbuild

@@ -43,21 +43,31 @@ menu "Example Configuration"
             The default behaviour is to access the PKI credentials which are embedded in the binary.
             Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
 
+
         config EXAMPLE_USE_SECURE_ELEMENT
         bool "Use secure element (ATECC608A)"
-        depends on ESP_TLS_USE_SECURE_ELEMENT
+        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
+        # To confirm that we are satisfying the dependancies of secure element
+        select ESP_TLS_USE_SECURE_ELEMENT
+        select CORE_HTTP_USE_SECURE_ELEMENT
+        select CORE_MQTT_USE_SECURE_ELEMENT
         help
             Enable the use of secure element for the example.
             The esp-cryptoauthlib component is required for enabling
             this option.
 
         config EXAMPLE_USE_DS_PERIPHERAL
         bool "Use DS peripheral"
-        depends on ESP_TLS_USE_DS_PERIPHERAL
+        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
+        # To confirm that we are satisfying the dependancies of ds peripheral
+        select ESP_TLS_USE_DS_PERIPHERAL
+        select CORE_HTTP_USE_DS_PERIPHERAL
+        select CORE_MQTT_USE_DS_PERIPHERAL
         help
             Enable the use of DS peripheral for the example.
             The DS peripheral on the device must be provisioned first to use this option.
 
+
         config EXAMPLE_USE_PLAIN_FLASH_STORAGE
         bool "Use flash storage (default)"
         help

examples/ota/ota_http/main/ota_demo_core_http.c

@@ -90,6 +90,8 @@
     extern const char client_key_pem_end[] asm("_binary_client_key_end");
 #endif
 
+extern const char pcAwsCodeSigningCertPem[] asm("_binary_aws_codesign_crt_start");
+
 /**
  * @brief ALPN (Application-Layer Protocol Negotiation) protocol name for AWS IoT MQTT.
  *
@@ -293,6 +295,11 @@ const AppVersion32_t appFirmwareVersion =
     .u.x.build = APP_VERSION_BUILD,
 };
 
+/**
+ * @brief Static buffer for TLS Context Semaphore.
+ */
+static StaticSemaphore_t xTlsContextSemaphoreBuffer;
+
 /**
  * @brief Network connection context used in this demo for MQTT connection.
  */
@@ -1034,7 +1041,7 @@ static int priv_connectToServerWithBackoffRetries( NetworkContext_t * pNetworkCo
     pNetworkContext->pcHostname = AWS_IOT_ENDPOINT;
     pNetworkContext->xPort = AWS_MQTT_PORT;
     pNetworkContext->pxTls = NULL;
-    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutex();
+    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutexStatic(&xTlsContextSemaphoreBuffer);
 
     pNetworkContext->disableSni = 0;
     uint16_t nextRetryBackOff;
@@ -1960,6 +1967,13 @@ static int startOTADemo( void )
     /* Set OTA Library interfaces.*/
     setOtaInterfaces( &otaInterfaces );
 
+    /* Set OTA Code Signing Certificate */
+    if( !otaPal_SetCodeSigningCertificate( pcAwsCodeSigningCertPem ) )
+    {
+         LogError( ( "Failed to allocate memory for Code Signing Certificate" ) );
+         returnStatus = EXIT_FAILURE;
+    }
+
     /****************************** Init OTA Library. ******************************/
 
     if( returnStatus == EXIT_SUCCESS )

examples/ota/ota_mqtt/CMakeLists.txt

@@ -16,3 +16,4 @@ project(ota_mqtt)
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/root_cert_auth.pem" TEXT)
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.crt" TEXT)
 target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/client.key" TEXT)
+target_add_binary_data(${CMAKE_PROJECT_NAME}.elf "main/certs/aws_codesign.crt" TEXT)

examples/ota/ota_mqtt/README.md

@@ -11,23 +11,17 @@ Ensure that keep the `ecdsasigner.crt` file handy, it will be needed in subseque
 For **"Path name of code signing certificate on device"**, put the following value:
 ```
 Code Verify Key
-```  
+```
 This corresponds to `pkcs11configLABEL_CODE_VERIFICATION_KEY` in the `core_pkcs11_config.h` file.  
 
 For **"Path name of file on device"**, put an arbitrary value such as:
 ```
 /
 ```
 
-5. Replace the contents of the file `main/certs/P11_CSK.crt` with the content in `ecdsasigner.crt`  
-Run the following command to generate the NVS certificate image:  
-```sh
-python $IDF_PATH/components/nvs_flash/nvs_partition_generator/nvs_partition_gen.py generate ./ota_mqtt_demo.csv ./ota_mqtt_demo.bin 0x4000
-```  
-Run the following command to program the NVS certificate image:   
-```sh
-python $IDF_PATH/components/esptool_py/esptool/esptool.py -p <UART port> -b 921600 --before default_reset --after hard_reset write_flash --flash_mode dio --flash_size detect --flash_freq 40m 0x310000 ./ota_mqtt_demo.bin
-```
+5. Replace the contents of the file `main/certs/aws_codesign.crt` with the content from the file `ecdsasigner.crt` 
+
+> The code-signing public key certificate will be used by the application binary i.e. the demo, to authenticate a binary that was downloaded for an update (this downloaded firmware would have been signed by the certificate's corresponding private key i.e. `ecdsasigner.key`). 
 
 6. `idf.py menuconfig` and set MQTT endpoint.
 

examples/ota/ota_mqtt/main/Kconfig.projbuild

@@ -45,15 +45,23 @@ menu "Example Configuration"
 
         config EXAMPLE_USE_SECURE_ELEMENT
         bool "Use secure element (ATECC608A)"
-        depends on ESP_TLS_USE_SECURE_ELEMENT
+        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
+        # To confirm that we are satisfying the dependancies of secure element
+        select ESP_TLS_USE_SECURE_ELEMENT
+        select CORE_HTTP_USE_SECURE_ELEMENT
+        select CORE_MQTT_USE_SECURE_ELEMENT
         help
             Enable the use of secure element for the example.
             The esp-cryptoauthlib component is required for enabling
             this option.
 
         config EXAMPLE_USE_DS_PERIPHERAL
         bool "Use DS peripheral"
-        depends on ESP_TLS_USE_DS_PERIPHERAL
+        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
+        # To confirm that we are satisfying the dependancies of ds peripheral
+        select ESP_TLS_USE_DS_PERIPHERAL
+        select CORE_HTTP_USE_DS_PERIPHERAL
+        select CORE_MQTT_USE_DS_PERIPHERAL
         help
             Enable the use of DS peripheral for the example.
             The DS peripheral on the device must be provisioned first to use this option.

examples/ota/ota_mqtt/main/ota_demo_core_mqtt.c

@@ -80,6 +80,8 @@
     extern const char client_key_pem_end[] asm("_binary_client_key_end");
 #endif
 
+extern const char pcAwsCodeSigningCertPem[] asm("_binary_aws_codesign_crt_start");
+
 /**
  * @brief ALPN (Application-Layer Protocol Negotiation) protocol name for AWS IoT MQTT.
  *
@@ -251,6 +253,11 @@ const AppVersion32_t appFirmwareVersion =
     .u.x.build = APP_VERSION_BUILD,
 };
 
+/**
+ * @brief Static buffer for TLS Context Semaphore.
+ */
+static StaticSemaphore_t xTlsContextSemaphoreBuffer;
+
 /**
  * @brief Network connection context used in this demo.
  */
@@ -905,7 +912,7 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
     pNetworkContext->pcHostname = AWS_IOT_ENDPOINT;
     pNetworkContext->xPort = AWS_MQTT_PORT;
     pNetworkContext->pxTls = NULL;
-    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutex();
+    pNetworkContext->xTlsContextSemaphore = xSemaphoreCreateMutexStatic(&xTlsContextSemaphoreBuffer);
 
     pNetworkContext->disableSni = 0;
     uint16_t nextRetryBackOff;
@@ -1511,6 +1518,13 @@ static int startOTADemo( void )
     /* Set OTA Library interfaces.*/
     setOtaInterfaces( &otaInterfaces );
 
+    /* Set OTA Code Signing Certificate */
+    if( !otaPal_SetCodeSigningCertificate( pcAwsCodeSigningCertPem ) )
+    {
+         LogError( ( "Failed to allocate memory for Code Signing Certificate" ) );
+         returnStatus = EXIT_FAILURE;
+    }
+
     LogInfo( ( "OTA over MQTT demo, Application version %u.%u.%u",
                appFirmwareVersion.u.x.major,
                appFirmwareVersion.u.x.minor,

examples/thing_shadow/main/Kconfig.projbuild

@@ -45,15 +45,23 @@ menu "Example Configuration"
 
         config EXAMPLE_USE_SECURE_ELEMENT
         bool "Use secure element (ATECC608A)"
-        depends on ESP_TLS_USE_SECURE_ELEMENT
+        depends on IDF_TARGET_ESP32 && ESP_TLS_USING_MBEDTLS
+        # To confirm that we are satisfying the dependancies of secure element
+        select ESP_TLS_USE_SECURE_ELEMENT
+        select CORE_HTTP_USE_SECURE_ELEMENT
+        select CORE_MQTT_USE_SECURE_ELEMENT
         help
             Enable the use of secure element for the example.
             The esp-cryptoauthlib component is required for enabling
             this option.
 
         config EXAMPLE_USE_DS_PERIPHERAL
         bool "Use DS peripheral"
-        depends on ESP_TLS_USE_DS_PERIPHERAL
+        depends on ESP_TLS_USING_MBEDTLS && SOC_DIG_SIGN_SUPPORTED
+        # To confirm that we are satisfying the dependancies of ds peripheral
+        select ESP_TLS_USE_DS_PERIPHERAL
+        select CORE_HTTP_USE_DS_PERIPHERAL
+        select CORE_MQTT_USE_DS_PERIPHERAL
         help
             Enable the use of DS peripheral for the example.
             The DS peripheral on the device must be provisioned first to use this option.