1
0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-15 00:02:49 +03:00

Fix minor BearSSL API issues (#4901)

Fixes #4882 and updates GitHub certificate fingerprint to the current one
in BearSSL_Validation example.

When setting a authentication mode or stopping, clear all others out in case
the object is being re-used.

Add in a yield during the SSL handshake to allow a graceful timeout and not
a WDT error when the remote server hiccups.  Thanks to @Jeroen88 for
finding and testing this.
This commit is contained in:
Earle F. Philhower, III
2018-07-16 09:35:00 -07:00
committed by GitHub
parent fcf2ac5d3d
commit 53091882b8
3 changed files with 9 additions and 1 deletions

View File

@ -102,7 +102,7 @@ instead of the while certificate. This is not nearly as secure as real
X.509 validation, but is better than nothing. X.509 validation, but is better than nothing.
)EOF"); )EOF");
BearSSL::WiFiClientSecure client; BearSSL::WiFiClientSecure client;
const uint8_t fp[20] = {0x35, 0x85, 0x74, 0xEF, 0x67, 0x35, 0xA7, 0xCE, 0x40, 0x69, 0x50, 0xF3, 0xC0, 0xF6, 0x80, 0xCF, 0x80, 0x3B, 0x2E, 0x19}; const uint8_t fp[20] = {0x5F, 0xF1, 0x60, 0x31, 0x09, 0x04, 0x3E, 0xF2, 0x90, 0xD2, 0xB0, 0x8A, 0x50, 0x38, 0x04, 0xE8, 0x37, 0x9F, 0xBC, 0x76};
client.setFingerprint(fp); client.setFingerprint(fp);
fetchURL(&client, host, port, path); fetchURL(&client, host, port, path);
} }

View File

@ -79,6 +79,7 @@ void WiFiClientSecure::_clearAuthenticationSettings() {
_use_self_signed = false; _use_self_signed = false;
_knownkey = nullptr; _knownkey = nullptr;
_sk = nullptr; _sk = nullptr;
_ta = nullptr;
} }
@ -177,6 +178,7 @@ void WiFiClientSecure::stop() {
_client->abort(); _client->abort();
} }
WiFiClient::stop(); WiFiClient::stop();
_clearAuthenticationSettings();
_freeSSL(); _freeSSL();
} }
@ -510,6 +512,7 @@ bool WiFiClientSecure::_wait_for_handshake() {
if (br_ssl_engine_current_state(_eng) & BR_SSL_SENDAPP) { if (br_ssl_engine_current_state(_eng) & BR_SSL_SENDAPP) {
_handshake_done = true; _handshake_done = true;
} }
optimistic_yield(1000);
} }
return _handshake_done; return _handshake_done;
} }

View File

@ -59,24 +59,29 @@ class WiFiClientSecure : public WiFiClient {
// Don't validate the chain, just accept whatever is given. VERY INSECURE! // Don't validate the chain, just accept whatever is given. VERY INSECURE!
void setInsecure() { void setInsecure() {
_clearAuthenticationSettings();
_use_insecure = true; _use_insecure = true;
} }
// Assume a given public key, don't validate or use cert info at all // Assume a given public key, don't validate or use cert info at all
void setKnownKey(const BearSSLPublicKey *pk, unsigned usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN) { void setKnownKey(const BearSSLPublicKey *pk, unsigned usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN) {
_clearAuthenticationSettings();
_knownkey = pk; _knownkey = pk;
_knownkey_usages = usages; _knownkey_usages = usages;
} }
// Only check SHA1 fingerprint of certificate // Only check SHA1 fingerprint of certificate
void setFingerprint(const uint8_t fingerprint[20]) { void setFingerprint(const uint8_t fingerprint[20]) {
_clearAuthenticationSettings();
_use_fingerprint = true; _use_fingerprint = true;
memcpy_P(_fingerprint, fingerprint, 20); memcpy_P(_fingerprint, fingerprint, 20);
} }
// Accept any certificate that's self-signed // Accept any certificate that's self-signed
void allowSelfSignedCerts() { void allowSelfSignedCerts() {
_clearAuthenticationSettings();
_use_self_signed = true; _use_self_signed = true;
} }
// Install certificates of trusted CAs or specific site // Install certificates of trusted CAs or specific site
void setTrustAnchors(const BearSSLX509List *ta) { void setTrustAnchors(const BearSSLX509List *ta) {
_clearAuthenticationSettings();
_ta = ta; _ta = ta;
} }
// In cases when NTP is not used, app must set a time manually to check cert validity // In cases when NTP is not used, app must set a time manually to check cert validity