From 14808c9ac45dffb794d84638b3d4b10940e8ee4b Mon Sep 17 00:00:00 2001
From: "Earle F. Philhower, III"
Date: Wed, 3 Oct 2018 20:27:09 -0700
Subject: [PATCH] Add warning when no authenticator, drop verify() (#5205)
Print a warning when in debug mode when a BearSSL connection tries to connect without having any defined authentication methods, since it will fail. Completely remove the empty axTLS compatibilty method "::verify(char *fp, char *name)" because it can't be done w/BearSSL w/o user code changes, and always failed. Better to have a compile failure when we know at compile time the app won't do what is expected. Completes the changes started by @d-a-v in PR #4833
---
 libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp | 7 +++++++
 libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index 05f97d8cc..1491773b4 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -883,6 +883,13 @@ bool WiFiClientSecure::_connectSSL(const char* hostName) {
 _freeSSL();
 _oom_err = false;
+#ifdef DEBUG_ESP_SSL
+ // BearSSL will reject all connections unless an authentication option is set, warn in DEBUG builds
+ if (!_use_insecure && !_use_fingerprint && !_use_self_signed && !_knownkey && !_certStore && !_ta) {
+ DEBUGV("BSSL: Connection *will* fail, no authentication method is setup");
+ }
+#endif
+
 _sc = std::make_shared();
 _eng = &_sc->eng; // Allocation/deallocation taken care of by the _sc shared_ptr
 _iobuf_in = std::shared_ptr(new unsigned char[_iobuf_in_size], std::default_delete());
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
index c5af2ebfa..bf4ced5c4 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
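Review bot: The new check in `_connectSSL` only warns, and only when `DEBUG_ESP_SSL` is defined, so a release build with no authentication option configured still goes on to allocate the context and the I/O buffer visible below the check and then fails without any diagnostic. If the comment is accurate that BearSSL rejects every such connection, the condition could sit outside the `#ifdef` and fail closed early with `return false;` before the `std::make_shared` line, leaving only the `DEBUGV` call conditional. The message also counts `_use_insecure` as just another authentication method; naming the verifying options in the text would make it less likely that the warning gets silenced by switching validation off. The string has no trailing newline, which matters if `DEBUGV` does not append one: `DEBUGV("BSSL: Connection *will* fail, no authentication method is setup\n");`. The body of `_connectSSL` continues past the end of this hunk.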
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@@ -122,7 +122,7 @@ class WiFiClientSecure : public WiFiClient {
 static bool probeMaxFragmentLength(const String host, uint16_t port, uint16_t len);
 // AXTLS compatible wrappers
- bool verify(const char* fingerprint, const char* domain_name) { (void) fingerprint; (void) domain_name; return false; } // Can't handle this case, need app code changes
+ // Cannot implement this mode, we need FP before we can connect: bool verify(const char* fingerprint, const char* domain_name)
 bool verifyCertChain(const char* domain_name) { (void)domain_name; return connected(); } // If we're connected, the cert passed validation during handshake
 bool setCACert(const uint8_t* pk, size_t size);
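Review bot: The comment that replaces `verify()` says why the wrapper is gone but not what axTLS-era callers should do instead, and the resulting build error will only report a missing member. A wording such as `// verify(fingerprint, domain_name) is not available with BearSSL: set the fingerprint before connecting (setFingerprint()) instead of checking it afterwards` would point them at the fix. The neighbouring `verifyCertChain()` wrapper is left in place and returns `connected()`; if that is also true for a connection made with `_use_insecure` set, ported code relying on it would report a validated chain when nothing was checked, so it may deserve the same treatment or a caveat in its comment. The class body continues outside this hunk.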