Add WiFiClientSecure::setInsecure() to equalize API with ESP8266 (#4648)
This commit is contained in:
parent
b05bdf6904
commit
ef99cd7fe7
@ -73,11 +73,15 @@ public:
|
|||||||
|
|
||||||
bool verify(WiFiClient& client, const char* host) override
|
bool verify(WiFiClient& client, const char* host) override
|
||||||
{
|
{
|
||||||
WiFiClientSecure& wcs = static_cast<WiFiClientSecure&>(client);
|
WiFiClientSecure& wcs = static_cast<WiFiClientSecure&>(client);
|
||||||
wcs.setCACert(_cacert);
|
if (_cacert == nullptr) {
|
||||||
wcs.setCertificate(_clicert);
|
wcs.setInsecure();
|
||||||
wcs.setPrivateKey(_clikey);
|
} else {
|
||||||
return true;
|
wcs.setCACert(_cacert);
|
||||||
|
wcs.setCertificate(_clicert);
|
||||||
|
wcs.setPrivateKey(_clikey);
|
||||||
|
}
|
||||||
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
protected:
|
protected:
|
||||||
|
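Review bot: In the new `verify` body a null `_cacert` silently switches the connection to `wcs.setInsecure()`, so a caller who merely forgot to supply a CA gets an unauthenticated TLS session with nothing at the call site or in the log to show it. The old code reached the same result indirectly (the removed `else` branch in ssl_client.cpp defaulted to `MBEDTLS_SSL_VERIFY_NONE`), so this is not a regression, but now that insecure mode is an explicit API the fallback should at least be visible: add `log_w("verify: no CA certificate set, server certificate will not be checked");` ahead of `wcs.setInsecure();`, or better, `return false;` there and make the caller opt in explicitly. Note also that the insecure branch drops `_clicert`/`_clikey`, so client-certificate authentication cannot be combined with skipping server verification; if that is intended, a comment saying so would prevent a confused bug report. The class that owns this method starts outside the hunk, so I cannot see how `_cacert` is populated.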
@ -0,0 +1,61 @@
|
|||||||
|
#include <WiFiClientSecure.h>
|
||||||
|
|
||||||
|
const char* ssid = "your-ssid"; // your network SSID (name of wifi network)
|
||||||
|
const char* password = "your-password"; // your network password
|
||||||
|
|
||||||
|
const char* server = "www.howsmyssl.com"; // Server URL
|
||||||
|
|
||||||
|
WiFiClientSecure client;
|
||||||
|
|
||||||
|
void setup() {
|
||||||
|
//Initialize serial and wait for port to open:
|
||||||
|
Serial.begin(115200);
|
||||||
|
delay(100);
|
||||||
|
|
||||||
|
Serial.print("Attempting to connect to SSID: ");
|
||||||
|
Serial.println(ssid);
|
||||||
|
WiFi.begin(ssid, password);
|
||||||
|
|
||||||
|
// attempt to connect to Wifi network:
|
||||||
|
while (WiFi.status() != WL_CONNECTED) {
|
||||||
|
Serial.print(".");
|
||||||
|
// wait 1 second for re-trying
|
||||||
|
delay(1000);
|
||||||
|
}
|
||||||
|
|
||||||
|
Serial.print("Connected to ");
|
||||||
|
Serial.println(ssid);
|
||||||
|
|
||||||
|
Serial.println("\nStarting connection to server...");
|
||||||
|
client.setInsecure();//skip verification
|
||||||
|
if (!client.connect(server, 443))
|
||||||
|
Serial.println("Connection failed!");
|
||||||
|
else {
|
||||||
|
Serial.println("Connected to server!");
|
||||||
|
// Make a HTTP request:
|
||||||
|
client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
|
||||||
|
client.println("Host: www.howsmyssl.com");
|
||||||
|
client.println("Connection: close");
|
||||||
|
client.println();
|
||||||
|
|
||||||
|
while (client.connected()) {
|
||||||
|
String line = client.readStringUntil('\n');
|
||||||
|
if (line == "\r") {
|
||||||
|
Serial.println("headers received");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// if there are incoming bytes available
|
||||||
|
// from the server, read them and print them:
|
||||||
|
while (client.available()) {
|
||||||
|
char c = client.read();
|
||||||
|
Serial.write(c);
|
||||||
|
}
|
||||||
|
|
||||||
|
client.stop();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void loop() {
|
||||||
|
// do nothing
|
||||||
|
}
|
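Review bot: The example calls `client.setInsecure();//skip verification` without telling the reader what is given up, and sketches like this get copied into production firmware verbatim. Replace the comment with one that names the risk and the alternative, e.g. `// WARNING: setInsecure() disables server certificate validation, so this connection can be intercepted (MITM). Use client.setCACert(root_ca) for anything real.`, and consider printing the same warning over Serial next to "Starting connection to server..." so it is visible at runtime as well. Separately, the request line `GET https://www.howsmyssl.com/a/check HTTP/1.0` uses the absolute-URI form normally sent to proxies; origin-form `GET /a/check HTTP/1.0` together with the existing `Host:` header is what an origin server conventionally expects, even if this particular server tolerates the former.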
@ -36,6 +36,7 @@ WiFiClientSecure::WiFiClientSecure()
|
|||||||
ssl_init(sslclient);
|
ssl_init(sslclient);
|
||||||
sslclient->socket = -1;
|
sslclient->socket = -1;
|
||||||
sslclient->handshake_timeout = 120000;
|
sslclient->handshake_timeout = 120000;
|
||||||
|
_use_insecure = false;
|
||||||
_CA_cert = NULL;
|
_CA_cert = NULL;
|
||||||
_cert = NULL;
|
_cert = NULL;
|
||||||
_private_key = NULL;
|
_private_key = NULL;
|
||||||
@ -116,17 +117,17 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, int32_t timeout){
|
|||||||
return connect(host, port);
|
return connect(host, port);
|
||||||
}
|
}
|
||||||
|
|
||||||
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *CA_cert, const char *cert, const char *private_key)
|
||||||
{
|
{
|
||||||
return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
|
return connect(ip.toString().c_str(), port, CA_cert, cert, private_key);
|
||||||
}
|
}
|
||||||
|
|
||||||
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
|
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *CA_cert, const char *cert, const char *private_key)
|
||||||
{
|
{
|
||||||
if(_timeout > 0){
|
if(_timeout > 0){
|
||||||
sslclient->handshake_timeout = _timeout;
|
sslclient->handshake_timeout = _timeout;
|
||||||
}
|
}
|
||||||
int ret = start_ssl_client(sslclient, host, port, _timeout, _CA_cert, _cert, _private_key, NULL, NULL);
|
int ret = start_ssl_client(sslclient, host, port, _timeout, CA_cert, cert, private_key, NULL, NULL, _use_insecure);
|
||||||
_lastError = ret;
|
_lastError = ret;
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
log_e("start_ssl_client: %d", ret);
|
log_e("start_ssl_client: %d", ret);
|
||||||
@ -138,7 +139,7 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_c
|
|||||||
}
|
}
|
||||||
|
|
||||||
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) {
|
int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) {
|
||||||
return connect(ip.toString().c_str(), port,_pskIdent, _psKey);
|
return connect(ip.toString().c_str(), port, pskIdent, psKey);
|
||||||
}
|
}
|
||||||
|
|
||||||
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
|
int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
|
||||||
@ -146,7 +147,7 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskId
|
|||||||
if(_timeout > 0){
|
if(_timeout > 0){
|
||||||
sslclient->handshake_timeout = _timeout;
|
sslclient->handshake_timeout = _timeout;
|
||||||
}
|
}
|
||||||
int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, _pskIdent, _psKey);
|
int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, pskIdent, psKey, _use_insecure);
|
||||||
_lastError = ret;
|
_lastError = ret;
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
log_e("start_ssl_client: %d", ret);
|
log_e("start_ssl_client: %d", ret);
|
||||||
@ -245,6 +246,16 @@ uint8_t WiFiClientSecure::connected()
|
|||||||
return _connected;
|
return _connected;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void WiFiClientSecure::setInsecure()
|
||||||
|
{
|
||||||
|
_CA_cert = NULL;
|
||||||
|
_cert = NULL;
|
||||||
|
_private_key = NULL;
|
||||||
|
_pskIdent = NULL;
|
||||||
|
_psKey = NULL;
|
||||||
|
_use_insecure = true;
|
||||||
|
}
|
||||||
|
|
||||||
void WiFiClientSecure::setCACert (const char *rootCA)
|
void WiFiClientSecure::setCACert (const char *rootCA)
|
||||||
{
|
{
|
||||||
_CA_cert = rootCA;
|
_CA_cert = rootCA;
|
||||||
|
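Review bot: `setInsecure()` is sticky: it sets `_use_insecure = true` but nothing in this file clears it, and `setCACert()` (visible at the end of the section) only assigns `_CA_cert`, so a sketch that calls `setInsecure()` during development and later adds `setCACert(...)` keeps skipping verification, because `start_ssl_client` tests the `insecure` flag before it looks at the CA buffer. The same applies to the `connect(host, port, CA_cert, cert, private_key)` overload, which now forwards `_use_insecure` even when the caller passes an explicit CA on that call. Clearing the flag when credentials are configured would make the API fail safe: add `_use_insecure = false;` to `setCACert()` and the corresponding line to `setPreSharedKey()`, and/or pass `CA_cert == NULL && _use_insecure` rather than `_use_insecure` from the explicit-CA `connect` overload. The body of `setCACert()` continues outside the hunk, so I cannot see whether anything else there touches the flag.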
@ -33,6 +33,7 @@ protected:
|
|||||||
int _lastError = 0;
|
int _lastError = 0;
|
||||||
int _peek = -1;
|
int _peek = -1;
|
||||||
int _timeout = 0;
|
int _timeout = 0;
|
||||||
|
bool _use_insecure;
|
||||||
const char *_CA_cert;
|
const char *_CA_cert;
|
||||||
const char *_cert;
|
const char *_cert;
|
||||||
const char *_private_key;
|
const char *_private_key;
|
||||||
@ -62,6 +63,7 @@ public:
|
|||||||
void stop();
|
void stop();
|
||||||
uint8_t connected();
|
uint8_t connected();
|
||||||
int lastError(char *buf, const size_t size);
|
int lastError(char *buf, const size_t size);
|
||||||
|
void setInsecure(); // Don't validate the chain, just accept whatever is given. VERY INSECURE!
|
||||||
void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
|
void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
|
||||||
void setCACert(const char *rootCA);
|
void setCACert(const char *rootCA);
|
||||||
void setCertificate(const char *client_ca);
|
void setCertificate(const char *client_ca);
|
||||||
|
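Review bot: `bool _use_insecure;` is declared without an in-class initializer while its neighbours `_lastError`, `_peek` and `_timeout` all have one; the new field is only assigned in the default constructor (in the .cpp hunk), so any other constructor the class may have — none is visible here — would leave it indeterminate, and a garbage non-zero value silently disables verification. `bool _use_insecure = false;` removes that hazard regardless of which constructor runs. The warning on `setInsecure()` is good; consider adding to it that the flag stays set for the lifetime of the object (as far as this commit shows, nothing resets it), since callers will otherwise assume a later `setCACert()` re-enables checking.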
@ -51,13 +51,17 @@ void ssl_init(sslclient_context *ssl_client)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey)
|
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure)
|
||||||
{
|
{
|
||||||
char buf[512];
|
char buf[512];
|
||||||
int ret, flags;
|
int ret, flags;
|
||||||
int enable = 1;
|
int enable = 1;
|
||||||
log_v("Free internal heap before TLS %u", ESP.getFreeHeap());
|
log_v("Free internal heap before TLS %u", ESP.getFreeHeap());
|
||||||
|
|
||||||
|
if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
log_v("Starting socket");
|
log_v("Starting socket");
|
||||||
ssl_client->socket = -1;
|
ssl_client->socket = -1;
|
||||||
|
|
||||||
@ -118,7 +122,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
|
|||||||
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
|
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
|
||||||
// MBEDTLS_SSL_VERIFY_NONE if not.
|
// MBEDTLS_SSL_VERIFY_NONE if not.
|
||||||
|
|
||||||
if (rootCABuff != NULL) {
|
if (insecure) {
|
||||||
|
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
|
||||||
|
log_i("WARNING: Skipping SSL Verification. INSECURE!");
|
||||||
|
} else if (rootCABuff != NULL) {
|
||||||
log_v("Loading CA cert");
|
log_v("Loading CA cert");
|
||||||
mbedtls_x509_crt_init(&ssl_client->ca_cert);
|
mbedtls_x509_crt_init(&ssl_client->ca_cert);
|
||||||
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||||
@ -126,8 +133,8 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
|
|||||||
mbedtls_ssl_conf_ca_chain(&ssl_client->ssl_conf, &ssl_client->ca_cert, NULL);
|
mbedtls_ssl_conf_ca_chain(&ssl_client->ssl_conf, &ssl_client->ca_cert, NULL);
|
||||||
//mbedtls_ssl_conf_verify(&ssl_client->ssl_ctx, my_verify, NULL );
|
//mbedtls_ssl_conf_verify(&ssl_client->ssl_ctx, my_verify, NULL );
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
// free the ca_cert in the case parse failed, otherwise, the old ca_cert still in the heap memory, that lead to "out of memory" crash.
|
// free the ca_cert in the case parse failed, otherwise, the old ca_cert still in the heap memory, that lead to "out of memory" crash.
|
||||||
mbedtls_x509_crt_free(&ssl_client->ca_cert);
|
mbedtls_x509_crt_free(&ssl_client->ca_cert);
|
||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
}
|
}
|
||||||
} else if (pskIdent != NULL && psKey != NULL) {
|
} else if (pskIdent != NULL && psKey != NULL) {
|
||||||
@ -161,11 +168,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
|
|||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
|
return -1;
|
||||||
log_i("WARNING: Use certificates for a more secure communication!");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (cli_cert != NULL && cli_key != NULL) {
|
if (!insecure && cli_cert != NULL && cli_key != NULL) {
|
||||||
mbedtls_x509_crt_init(&ssl_client->client_cert);
|
mbedtls_x509_crt_init(&ssl_client->client_cert);
|
||||||
mbedtls_pk_init(&ssl_client->client_key);
|
mbedtls_pk_init(&ssl_client->client_key);
|
||||||
|
|
||||||
@ -173,8 +179,8 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
|
|||||||
|
|
||||||
ret = mbedtls_x509_crt_parse(&ssl_client->client_cert, (const unsigned char *)cli_cert, strlen(cli_cert) + 1);
|
ret = mbedtls_x509_crt_parse(&ssl_client->client_cert, (const unsigned char *)cli_cert, strlen(cli_cert) + 1);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
// free the client_cert in the case parse failed, otherwise, the old client_cert still in the heap memory, that lead to "out of memory" crash.
|
// free the client_cert in the case parse failed, otherwise, the old client_cert still in the heap memory, that lead to "out of memory" crash.
|
||||||
mbedtls_x509_crt_free(&ssl_client->client_cert);
|
mbedtls_x509_crt_free(&ssl_client->client_cert);
|
||||||
return handle_error(ret);
|
return handle_error(ret);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -211,7 +217,7 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
|
|||||||
}
|
}
|
||||||
if((millis()-handshake_start_time)>ssl_client->handshake_timeout)
|
if((millis()-handshake_start_time)>ssl_client->handshake_timeout)
|
||||||
return -1;
|
return -1;
|
||||||
vTaskDelay(10 / portTICK_PERIOD_MS);
|
vTaskDelay(2);//2 ticks
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
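Review bot: The new guard `if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure)` still lets a half-specified PSK through: with `pskIdent` set and `psKey` NULL (or vice versa) it passes, the socket is opened, and the later `else { return -1; }` fires with the descriptor already created; whether the caller closes it on -1 is outside the hunk. Tightening the early check to `if (!insecure && rootCABuff == NULL && (pskIdent == NULL || psKey == NULL)) { return -1; }` rejects that combination before any resource is allocated. Two smaller points in the same function: `insecure` is tested before `rootCABuff != NULL`, so a CA supplied together with the flag is silently ignored and deserves a comment or a `log_w`, and the "Skipping SSL Verification" message is security-relevant and should be `log_w`, not `log_i`, so it is emitted at warning level rather than only when info logging is enabled. The unrelated `vTaskDelay(10 / portTICK_PERIOD_MS)` to `vTaskDelay(2)` change alters the handshake polling cadence and is not mentioned in the commit title. `start_ssl_client` extends beyond the hunk.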
@ -29,7 +29,7 @@ typedef struct sslclient_context {
|
|||||||
|
|
||||||
|
|
||||||
void ssl_init(sslclient_context *ssl_client);
|
void ssl_init(sslclient_context *ssl_client);
|
||||||
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey);
|
int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure);
|
||||||
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
|
||||||
int data_to_read(sslclient_context *ssl_client);
|
int data_to_read(sslclient_context *ssl_client);
|
||||||
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);
|
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);
|
||||||
|
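Review bot: The new `insecure` parameter on `start_ssl_client` changes how the other credential arguments are interpreted, but the declaration carries no comment. A one-liner above the prototype would save the next caller a trip into the .cpp: `// insecure: when true, skip server-certificate verification; rootCABuff, cli_cert and cli_key are then ignored.` That is what the .cpp hunk implements (the insecure branch is tested before the CA branch, and the client-certificate block is gated on `!insecure`).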