Fix minor BearSSL API issues (#4901)

Fixes #4882 and updates GitHub certificate fingerprint to the current one in BearSSL_Validation example. When setting a authentication mode or stopping, clear all others out in case the object is being re-used. Add in a yield during the SSL handshake to allow a graceful timeout and not a WDT error when the remote server hiccups. Thanks to @Jeroen88 for finding and testing this.
2025-06-15 00:02:49 +03:00 · 2018-07-16 09:35:00 -07:00
parent fcf2ac5d3d
commit 53091882b8
3 changed files with 9 additions and 1 deletions
--- a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
+++ b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@ -102,7 +102,7 @@ instead of the while certificate.  This is not nearly as secure as real
 X.509 validation, but is better than nothing.
 )EOF");
  BearSSL::WiFiClientSecure client;
-  const uint8_t fp[20] = {0x35, 0x85, 0x74, 0xEF, 0x67, 0x35, 0xA7, 0xCE, 0x40, 0x69, 0x50, 0xF3, 0xC0, 0xF6, 0x80, 0xCF, 0x80, 0x3B, 0x2E, 0x19};
+  const uint8_t fp[20] = {0x5F, 0xF1, 0x60, 0x31, 0x09, 0x04, 0x3E, 0xF2, 0x90, 0xD2, 0xB0, 0x8A, 0x50, 0x38, 0x04, 0xE8, 0x37, 0x9F, 0xBC, 0x76};
  client.setFingerprint(fp);
  fetchURL(&client, host, port, path);
 }
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@ -79,6 +79,7 @@ void WiFiClientSecure::_clearAuthenticationSettings() {
  _use_self_signed = false;
  _knownkey = nullptr;
  _sk = nullptr;
+  _ta = nullptr;
 }


@ -177,6 +178,7 @@ void WiFiClientSecure::stop() {
    _client->abort();
  }
  WiFiClient::stop();
+  _clearAuthenticationSettings();
  _freeSSL();
 }

@ -510,6 +512,7 @@ bool WiFiClientSecure::_wait_for_handshake() {
    if (br_ssl_engine_current_state(_eng) & BR_SSL_SENDAPP) {
      _handshake_done = true;
    }
+    optimistic_yield(1000);
  }
  return _handshake_done;
 }
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@ -59,24 +59,29 @@ class WiFiClientSecure : public WiFiClient {

    // Don't validate the chain, just accept whatever is given.  VERY INSECURE!
    void setInsecure() {
+      _clearAuthenticationSettings();
      _use_insecure = true;
    }
    // Assume a given public key, don't validate or use cert info at all
    void setKnownKey(const BearSSLPublicKey *pk, unsigned usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN) {
+      _clearAuthenticationSettings();
      _knownkey = pk;
      _knownkey_usages = usages;
    }
    // Only check SHA1 fingerprint of certificate
    void setFingerprint(const uint8_t fingerprint[20]) {
+      _clearAuthenticationSettings();
      _use_fingerprint = true;
      memcpy_P(_fingerprint, fingerprint, 20);
    }
    // Accept any certificate that's self-signed
    void allowSelfSignedCerts() {
+      _clearAuthenticationSettings();
      _use_self_signed = true;
    }
    // Install certificates of trusted CAs or specific site
    void setTrustAnchors(const BearSSLX509List *ta) {
+      _clearAuthenticationSettings();
      _ta = ta;
    }
    // In cases when NTP is not used, app must set a time manually to check cert validity