Reported in https://github.com/esp8266/Arduino/issues/4078.
WiFiClient::stopAll, called from a WiFi disconnected event handler,
could be called while WiFiClient::connect was in progress. This issue
was initially fixed in #4194, by testing `this` pointer for being
non-null in ClientContext::connect.
This change delegates deletion of ClientContext to WiFiClient
destructor. WiFiClient::stop only calls ClientContext::stop, which
closes/aborts the connection.
Use platform.local.txt to add -Werror to GCC for the build of all
code. Any warnings on a submitted patch will cause an error.
Several examples and libraries had warnings/errors (missing returns
on functions, types, etc.). Clean those up with this commit as well.
* Fix leak on multiple SSL server connections
Fixes#4302
The refcnt setup for the WiFiClientSecure's SSLContext and ClientContext
had issues in certain conditions, causing a massive memory leak on each
SSL server connection. Depending on the state of the machine, after two or
three connections it would OOM and crash.
This patch replaces most of the refcnt operations with C++11 shared_ptr
operations, cleaning up the code substantially and removing the leakage.
Also fixes a race condition where ClientContext was free'd before the SSLContext
was stopped/shutdown. When the SSLContext tried to do ssl_free, axtls would
attempt to send out the real SSL disconnect bits over the wire, however by
this time the ClientContext is invalid and it would fault.
* Separate client and server SSL_CTX, support both
Refactor to use a separate client SSL_CTX and server SSL_CTX. This
allows for separate certificates to be installed on each, and means
that you can now have both a *single* client and a *single* server
running in parallel at the same time, as they'll have separate memory
areas.
Tested using mqtt_esp8266 SSL client with a client certificate and a
WebServerSecure with its own custom certificate and key in parallel.
* Add brackets around a couple if-else clauses
The server needs to load an X509 and RSA key, but instead of using
the existing loadObject() calls implemented its own. Remove them and
use the standard ones instead.
The DEBUG_OUTPUT macro was undefined in the SSL Web server. Add it
in do that when you compile with DEBUG=HTTP_SERVER it actually compiles.
The certificate fingerprint included with the HTTPSRequest example seems
to be for an expired api.github.com certificate. Replace with the current
one to avoid reporting "certificate mismatch" errors when running.
When building using the new NDEBUG option recently added, the assert()
macro is defined to nothing. This leaves a few variables unused in the
WiFi stack causing compiler warnings. Add in empty casts to remove
these warnings. Does not affect actual assert use when NDEBUG is not
defined.
Adds SSL server mode for WiFiServerSecure, for plain SSL connections,
ESP8266WebServerSecure, for HTTPS web serving, and SecureHTTPSUpdater for
encrypted OTA updates.
Example code is provided for all new options, as well as a BASH script for
generating their own, self-signed certificates.
Both ESP8266WebServerSecure and SecureHTTPSUpdater are important for secure
password-based authentication. HTTP Basic Authentication, the only supported
model presently, sends the username and password in *cleartext* and therefore
should *never* be used in any un-SSL encrypted channel unless you don't mind
sharing your login and password with anyone else on the internet. Even if the
ESP8266 is not safety critical, this cleartext broadcast could expose you should
you reuse this password elsewhere on your network or the internet.
axTLS does not correctly implement max_fragment_length extension. This
causes servers which understand this extension (currently GnuTLS- and
WolfSSL-based) to reject the client hello.
Until this is fixed in axTLS, remove the call to enable this extension
from WiFiClientSecure.
Fixes https://github.com/esp8266/Arduino/issues/3932.
* WiFiClientSecure: use _timeout setting when connecting
This timeout value can be customized via a call to setTimeout function.
Closes https://github.com/esp8266/Arduino/issues/3944.
* WiFiClientSecure: increase default connection timeout to 15 sec
* WiFiClientSecure: don't decrypt when testing for 'connected'
* WiFiClientSecure: don't trash unread decrypted data when writing
When application requests to write data, check if there is any unread
decrypted data left. If there is, don't write immediately, but save the
data to be written. When all decrypted data has been consumed by the
application, send out the saved outgoing data.
Fixes https://github.com/esp8266/Arduino/issues/2256.
Mainly useful for testing WiFiClientSecure in local environments.
If allowSelfSignedCerts is called before verifyCertChain, then the
certificate chain will be verified, but the final certificate may be
self-signed.
