jacob.eva/arduino-esp32
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add WiFiClientSecure::setInsecure() to equalize API with ESP8266 (#4648)

Browse Source
This commit is contained in:
Me No Dev 2020-12-21 01:09:37 +02:00 committed by GitHub
parent b05bdf6904
commit ef99cd7fe7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 106 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libraries/HTTPClient/src/HTTPClient.cpp
View File

@ -74,9 +74,13 @@ public:
bool verify(WiFiClient& client, const char* host) override bool verify(WiFiClient& client, const char* host) override
{ {
WiFiClientSecure& wcs = static_cast<WiFiClientSecure&>(client); WiFiClientSecure& wcs = static_cast<WiFiClientSecure&>(client);
if (_cacert == nullptr) {
wcs.setInsecure();
} else {
wcs.setCACert(_cacert); wcs.setCACert(_cacert);
wcs.setCertificate(_clicert); wcs.setCertificate(_clicert);
wcs.setPrivateKey(_clikey); wcs.setPrivateKey(_clikey);
}
return true; return true;
} }

61
libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino Normal file
View File

@ -0,0 +1,61 @@
#include <WiFiClientSecure.h>
const char* ssid = "your-ssid"; // your network SSID (name of wifi network)
const char* password = "your-password"; // your network password
const char* server = "www.howsmyssl.com"; // Server URL
WiFiClientSecure client;
void setup() {
//Initialize serial and wait for port to open:
Serial.begin(115200);
delay(100);
Serial.print("Attempting to connect to SSID: ");
Serial.println(ssid);
WiFi.begin(ssid, password);
// attempt to connect to Wifi network:
while (WiFi.status() != WL_CONNECTED) {
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
Serial.print("Connected to ");
Serial.println(ssid);
Serial.println("\nStarting connection to server...");
client.setInsecure();//skip verification
if (!client.connect(server, 443))
Serial.println("Connection failed!");
else {
Serial.println("Connected to server!");
// Make a HTTP request:
client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
client.println("Host: www.howsmyssl.com");
client.println("Connection: close");
client.println();
while (client.connected()) {
String line = client.readStringUntil('\n');
if (line == "\r") {
Serial.println("headers received");
break;
}
}
// if there are incoming bytes available
// from the server, read them and print them:
while (client.available()) {
char c = client.read();
Serial.write(c);
}
client.stop();
}
}
void loop() {
// do nothing
}

23
libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
View File

@ -36,6 +36,7 @@ WiFiClientSecure::WiFiClientSecure()
ssl_init(sslclient); ssl_init(sslclient);
sslclient->socket = -1; sslclient->socket = -1;
sslclient->handshake_timeout = 120000; sslclient->handshake_timeout = 120000;
_use_insecure = false;
_CA_cert = NULL; _CA_cert = NULL;
_cert = NULL; _cert = NULL;
_private_key = NULL; _private_key = NULL;
@ -116,17 +117,17 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, int32_t timeout){
return connect(host, port); return connect(host, port);
} }
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key) int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *CA_cert, const char *cert, const char *private_key)
{ {
return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key); return connect(ip.toString().c_str(), port, CA_cert, cert, private_key);
} }
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key) int WiFiClientSecure::connect(const char *host, uint16_t port, const char *CA_cert, const char *cert, const char *private_key)
{ {
if(_timeout > 0){ if(_timeout > 0){
sslclient->handshake_timeout = _timeout; sslclient->handshake_timeout = _timeout;
} }
int ret = start_ssl_client(sslclient, host, port, _timeout, _CA_cert, _cert, _private_key, NULL, NULL); int ret = start_ssl_client(sslclient, host, port, _timeout, CA_cert, cert, private_key, NULL, NULL, _use_insecure);
_lastError = ret; _lastError = ret;
if (ret < 0) { if (ret < 0) {
log_e("start_ssl_client: %d", ret); log_e("start_ssl_client: %d", ret);
@ -138,7 +139,7 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_c
} }
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) { int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) {
return connect(ip.toString().c_str(), port,_pskIdent, _psKey); return connect(ip.toString().c_str(), port, pskIdent, psKey);
} }
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) { int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
@ -146,7 +147,7 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskId
if(_timeout > 0){ if(_timeout > 0){
sslclient->handshake_timeout = _timeout; sslclient->handshake_timeout = _timeout;
} }
int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, _pskIdent, _psKey); int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, pskIdent, psKey, _use_insecure);
_lastError = ret; _lastError = ret;
if (ret < 0) { if (ret < 0) {
log_e("start_ssl_client: %d", ret); log_e("start_ssl_client: %d", ret);
@ -245,6 +246,16 @@ uint8_t WiFiClientSecure::connected()
return _connected; return _connected;
} }
void WiFiClientSecure::setInsecure()
{
_CA_cert = NULL;
_cert = NULL;
_private_key = NULL;
_pskIdent = NULL;
_psKey = NULL;
_use_insecure = true;
}
void WiFiClientSecure::setCACert (const char *rootCA) void WiFiClientSecure::setCACert (const char *rootCA)
{ {
_CA_cert = rootCA; _CA_cert = rootCA;

2
libraries/WiFiClientSecure/src/WiFiClientSecure.h
View File

@ -33,6 +33,7 @@ protected:
int _lastError = 0; int _lastError = 0;
int _peek = -1; int _peek = -1;
int _timeout = 0; int _timeout = 0;
bool _use_insecure;
const char *_CA_cert; const char *_CA_cert;
const char *_cert; const char *_cert;
const char *_private_key; const char *_private_key;
@ -62,6 +63,7 @@ public:
void stop(); void stop();
uint8_t connected(); uint8_t connected();
int lastError(char *buf, const size_t size); int lastError(char *buf, const size_t size);
void setInsecure(); // Don't validate the chain, just accept whatever is given. VERY INSECURE!
void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
void setCACert(const char *rootCA); void setCACert(const char *rootCA);
void setCertificate(const char *client_ca); void setCertificate(const char *client_ca);

18
libraries/WiFiClientSecure/src/ssl_client.cpp
View File

@ -51,13 +51,17 @@ void ssl_init(sslclient_context *ssl_client)
} }
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey) int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure)
{ {
char buf[512]; char buf[512];
int ret, flags; int ret, flags;
int enable = 1; int enable = 1;
log_v("Free internal heap before TLS %u", ESP.getFreeHeap()); log_v("Free internal heap before TLS %u", ESP.getFreeHeap());
if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure) {
return -1;
}
log_v("Starting socket"); log_v("Starting socket");
ssl_client->socket = -1; ssl_client->socket = -1;
@ -118,7 +122,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and // MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
// MBEDTLS_SSL_VERIFY_NONE if not. // MBEDTLS_SSL_VERIFY_NONE if not.
if (rootCABuff != NULL) { if (insecure) {
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
log_i("WARNING: Skipping SSL Verification. INSECURE!");
} else if (rootCABuff != NULL) {
log_v("Loading CA cert"); log_v("Loading CA cert");
mbedtls_x509_crt_init(&ssl_client->ca_cert); mbedtls_x509_crt_init(&ssl_client->ca_cert);
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED); mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
@ -161,11 +168,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
return handle_error(ret); return handle_error(ret);
} }
} else { } else {
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE); return -1;
log_i("WARNING: Use certificates for a more secure communication!");
} }
if (cli_cert != NULL && cli_key != NULL) { if (!insecure && cli_cert != NULL && cli_key != NULL) {
mbedtls_x509_crt_init(&ssl_client->client_cert); mbedtls_x509_crt_init(&ssl_client->client_cert);
mbedtls_pk_init(&ssl_client->client_key); mbedtls_pk_init(&ssl_client->client_key);
@ -211,7 +217,7 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
} }
if((millis()-handshake_start_time)>ssl_client->handshake_timeout) if((millis()-handshake_start_time)>ssl_client->handshake_timeout)
return -1; return -1;
vTaskDelay(10 / portTICK_PERIOD_MS); vTaskDelay(2);//2 ticks
} }

2
libraries/WiFiClientSecure/src/ssl_client.h
View File

@ -29,7 +29,7 @@ typedef struct sslclient_context {
void ssl_init(sslclient_context *ssl_client); void ssl_init(sslclient_context *ssl_client);
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey); int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure);
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key); void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
int data_to_read(sslclient_context *ssl_client); int data_to_read(sslclient_context *ssl_client);
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len); int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);