arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-07-14 13:41:23 +03:00
Code Activity

WiFiClientSecure: add option to allow self-signed certificates

Browse Source 
Mainly useful for testing WiFiClientSecure in local environments.

If allowSelfSignedCerts is called before verifyCertChain, then the
certificate chain will be verified, but the final certificate may be
self-signed.
This commit is contained in:
Ivan Grokhotkov
2017-10-08 07:08:51 +08:00
parent 84b046f98c
commit 526f4fbb6c
4 changed files with 63 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
libraries/ESP8266WiFi/src/WiFiClientSecure.cpp
View File

@ -110,6 +110,7 @@ public:
uint8_t* data;
int rc = ssl_read(_ssl, &data);
if (rc < SSL_OK) {
ssl_display_error(rc);
break;
}
}
@ -227,6 +228,25 @@ public:
return true;
}
bool verifyCert()
{
int rc = ssl_verify_cert(_ssl);
if (_allowSelfSignedCerts && rc == SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED)) {
DEBUGV("Allowing self-signed certificate\n");
return true;
} else if (rc != SSL_OK) {
DEBUGV("ssl_verify_cert returned %d\n", rc);
ssl_display_error(rc);
return false;
}
return true;
}
void allowSelfSignedCerts()
{
_allowSelfSignedCerts = true;
}
operator SSL*()
{
return _ssl;
@ -268,6 +288,7 @@ protected:
int _refcnt = 0;
const uint8_t* _read_ptr = nullptr;
size_t _available = 0;
bool _allowSelfSignedCerts = false;
static ClientContext* s_io_ctx;
};
@ -559,96 +580,80 @@ bool WiFiClientSecure::verifyCertChain(const char* domain_name)
if (!_ssl) {
return false;
}
int rc = ssl_verify_cert(*_ssl);
if (rc != SSL_OK) {
DEBUGV("ssl_verify_cert returned %d\n", rc);
if (!_ssl->verifyCert()) {
return false;
}
return _verifyDN(domain_name);
}
bool WiFiClientSecure::setCACert(const uint8_t* pk, size_t size)
void WiFiClientSecure::_initSSLContext()
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
}
bool WiFiClientSecure::setCACert(const uint8_t* pk, size_t size)
{
_initSSLContext();
return _ssl->loadObject(SSL_OBJ_X509_CACERT, pk, size);
}
bool WiFiClientSecure::setCertificate(const uint8_t* pk, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject(SSL_OBJ_X509_CERT, pk, size);
}
bool WiFiClientSecure::setPrivateKey(const uint8_t* pk, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject(SSL_OBJ_RSA_KEY, pk, size);
}
bool WiFiClientSecure::setCACert_P(PGM_VOID_P pk, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject_P(SSL_OBJ_X509_CACERT, pk, size);
}
bool WiFiClientSecure::setCertificate_P(PGM_VOID_P pk, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject_P(SSL_OBJ_X509_CERT, pk, size);
}
bool WiFiClientSecure::setPrivateKey_P(PGM_VOID_P pk, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject_P(SSL_OBJ_RSA_KEY, pk, size);
}
bool WiFiClientSecure::loadCACert(Stream& stream, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject(SSL_OBJ_X509_CACERT, stream, size);
}
bool WiFiClientSecure::loadCertificate(Stream& stream, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject(SSL_OBJ_X509_CERT, stream, size);
}
bool WiFiClientSecure::loadPrivateKey(Stream& stream, size_t size)
{
if (!_ssl) {
_ssl = new SSLContext;
_ssl->ref();
}
_initSSLContext();
return _ssl->loadObject(SSL_OBJ_RSA_KEY, stream, size);
}
void WiFiClientSecure::allowSelfSignedCerts()
{
_initSSLContext();
_ssl->allowSelfSignedCerts();
}
extern "C" int __ax_port_read(int fd, uint8_t* buffer, size_t count)
{
ClientContext* _client = SSLContext::getIOContext(fd);