Add WiFiClientSecure::setInsecure() to equalize API with ESP8266 (#4648)

ef99cd7f · Me No Dev · GitHub · b05bdf69 · ef99cd7f · ef99cd7f
Unverified Commit ef99cd7f authored Dec 21, 2020 by Me No Dev Committed by GitHub Dec 21, 2020
6 changed files
--- a/libraries/HTTPClient/src/HTTPClient.cpp
+++ b/libraries/HTTPClient/src/HTTPClient.cpp
@@ -73,11 +73,15 @@ public:

    bool verify(WiFiClient& client, const char* host) override
    {
-         WiFiClientSecure& wcs = static_cast<WiFiClientSecure&>(client);
-         wcs.setCACert(_cacert);
-         wcs.setCertificate(_clicert);
-         wcs.setPrivateKey(_clikey);
-         return true;
+        WiFiClientSecure& wcs = static_cast<WiFiClientSecure&>(client);
+        if (_cacert == nullptr) {
+            wcs.setInsecure();
+        } else {
+            wcs.setCACert(_cacert);
+            wcs.setCertificate(_clicert);
+            wcs.setPrivateKey(_clikey);
+        }
+        return true;
    }

 protected:

--- a/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino
+++ b/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino
+#include <WiFiClientSecure.h>
+
+const char* ssid     = "your-ssid";     // your network SSID (name of wifi network)
+const char* password = "your-password"; // your network password
+
+const char*  server = "www.howsmyssl.com";  // Server URL
+
+WiFiClientSecure client;
+
+void setup() {
+  //Initialize serial and wait for port to open:
+  Serial.begin(115200);
+  delay(100);
+
+  Serial.print("Attempting to connect to SSID: ");
+  Serial.println(ssid);
+  WiFi.begin(ssid, password);
+
+  // attempt to connect to Wifi network:
+  while (WiFi.status() != WL_CONNECTED) {
+    Serial.print(".");
+    // wait 1 second for re-trying
+    delay(1000);
+  }
+
+  Serial.print("Connected to ");
+  Serial.println(ssid);
+
+  Serial.println("\nStarting connection to server...");
+  client.setInsecure();//skip verification
+  if (!client.connect(server, 443))
+    Serial.println("Connection failed!");
+  else {
+    Serial.println("Connected to server!");
+    // Make a HTTP request:
+    client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
+    client.println("Host: www.howsmyssl.com");
+    client.println("Connection: close");
+    client.println();
+
+    while (client.connected()) {
+      String line = client.readStringUntil('\n');
+      if (line == "\r") {
+        Serial.println("headers received");
+        break;
+      }
+    }
+    // if there are incoming bytes available
+    // from the server, read them and print them:
+    while (client.available()) {
+      char c = client.read();
+      Serial.write(c);
+    }
+
+    client.stop();
+  }
+}
+
+void loop() {
+  // do nothing
+}
--- a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
+++ b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
@@ -36,6 +36,7 @@ WiFiClientSecure::WiFiClientSecure()
    ssl_init(sslclient);
    sslclient->socket = -1;
    sslclient->handshake_timeout = 120000;
+    _use_insecure = false;
    _CA_cert = NULL;
    _cert = NULL;
    _private_key = NULL;
@@ -116,17 +117,17 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, int32_t timeout){
    return connect(host, port);
 }

-int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
+int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *CA_cert, const char *cert, const char *private_key)
 {
-    return connect(ip.toString().c_str(), port, _CA_cert, _cert, _private_key);
+    return connect(ip.toString().c_str(), port, CA_cert, cert, private_key);
 }

-int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
+int WiFiClientSecure::connect(const char *host, uint16_t port, const char *CA_cert, const char *cert, const char *private_key)
 {
    if(_timeout > 0){
        sslclient->handshake_timeout = _timeout;
    }
-    int ret = start_ssl_client(sslclient, host, port, _timeout, _CA_cert, _cert, _private_key, NULL, NULL);
+    int ret = start_ssl_client(sslclient, host, port, _timeout, CA_cert, cert, private_key, NULL, NULL, _use_insecure);
    _lastError = ret;
    if (ret < 0) {
        log_e("start_ssl_client: %d", ret);
@@ -138,7 +139,7 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_c
 }

 int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) {
-    return connect(ip.toString().c_str(), port,_pskIdent, _psKey);
+    return connect(ip.toString().c_str(), port, pskIdent, psKey);
 }

 int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
@@ -146,7 +147,7 @@ int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskId
    if(_timeout > 0){
        sslclient->handshake_timeout = _timeout;
    }
-    int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, _pskIdent, _psKey);
+    int ret = start_ssl_client(sslclient, host, port, _timeout, NULL, NULL, NULL, pskIdent, psKey, _use_insecure);
    _lastError = ret;
    if (ret < 0) {
        log_e("start_ssl_client: %d", ret);
@@ -245,6 +246,16 @@ uint8_t WiFiClientSecure::connected()
    return _connected;
 }

+void WiFiClientSecure::setInsecure()
+{
+    _CA_cert = NULL;
+    _cert = NULL;
+    _private_key = NULL;
+    _pskIdent = NULL;
+    _psKey = NULL;
+    _use_insecure = true;
+}
+
 void WiFiClientSecure::setCACert (const char *rootCA)
 {
    _CA_cert = rootCA;

--- a/libraries/WiFiClientSecure/src/WiFiClientSecure.h
+++ b/libraries/WiFiClientSecure/src/WiFiClientSecure.h
@@ -33,6 +33,7 @@ protected:
    int _lastError = 0;
 	int _peek = -1;
    int _timeout = 0;
+    bool _use_insecure;
    const char *_CA_cert;
    const char *_cert;
    const char *_private_key;
@@ -62,6 +63,7 @@ public:
    void stop();
    uint8_t connected();
    int lastError(char *buf, const size_t size);
+    void setInsecure(); // Don't validate the chain, just accept whatever is given.  VERY INSECURE!
    void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
    void setCACert(const char *rootCA);
    void setCertificate(const char *client_ca);

--- a/libraries/WiFiClientSecure/src/ssl_client.cpp
+++ b/libraries/WiFiClientSecure/src/ssl_client.cpp
@@ -51,13 +51,17 @@ void ssl_init(sslclient_context *ssl_client)
 }


-int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey)
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure)
 {
    char buf[512];
    int ret, flags;
    int enable = 1;
    log_v("Free internal heap before TLS %u", ESP.getFreeHeap());

+    if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure) {
+        return -1;
+    }
+
    log_v("Starting socket");
    ssl_client->socket = -1;

@@ -118,7 +122,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
    // MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
    // MBEDTLS_SSL_VERIFY_NONE if not.

-    if (rootCABuff != NULL) {
+    if (insecure) {
+        mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
+        log_i("WARNING: Skipping SSL Verification. INSECURE!");
+    } else if (rootCABuff != NULL) {
        log_v("Loading CA cert");
        mbedtls_x509_crt_init(&ssl_client->ca_cert);
        mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
@@ -126,8 +133,8 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
        mbedtls_ssl_conf_ca_chain(&ssl_client->ssl_conf, &ssl_client->ca_cert, NULL);
        //mbedtls_ssl_conf_verify(&ssl_client->ssl_ctx, my_verify, NULL );
        if (ret < 0) {
-		// free the ca_cert in the case parse failed, otherwise, the old ca_cert still in the heap memory, that lead to "out of memory" crash.
-		mbedtls_x509_crt_free(&ssl_client->ca_cert);
+            // free the ca_cert in the case parse failed, otherwise, the old ca_cert still in the heap memory, that lead to "out of memory" crash.
+            mbedtls_x509_crt_free(&ssl_client->ca_cert);
            return handle_error(ret);
        }
    } else if (pskIdent != NULL && psKey != NULL) {
@@ -161,11 +168,10 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
            return handle_error(ret);
        }
    } else {
-        mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
-        log_i("WARNING: Use certificates for a more secure communication!");
+        return -1;
    }

-    if (cli_cert != NULL && cli_key != NULL) {
+    if (!insecure && cli_cert != NULL && cli_key != NULL) {
        mbedtls_x509_crt_init(&ssl_client->client_cert);
        mbedtls_pk_init(&ssl_client->client_key);

@@ -173,8 +179,8 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p

        ret = mbedtls_x509_crt_parse(&ssl_client->client_cert, (const unsigned char *)cli_cert, strlen(cli_cert) + 1);
        if (ret < 0) {
-		// free the client_cert in the case parse failed, otherwise, the old client_cert still in the heap memory, that lead to "out of memory" crash.
-		mbedtls_x509_crt_free(&ssl_client->client_cert);
+        // free the client_cert in the case parse failed, otherwise, the old client_cert still in the heap memory, that lead to "out of memory" crash.
+        mbedtls_x509_crt_free(&ssl_client->client_cert);
            return handle_error(ret);
        }

@@ -211,7 +217,7 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
        }
        if((millis()-handshake_start_time)>ssl_client->handshake_timeout)
 			return -1;
-	    vTaskDelay(10 / portTICK_PERIOD_MS);
+	    vTaskDelay(2);//2 ticks
    }



--- a/libraries/WiFiClientSecure/src/ssl_client.h
+++ b/libraries/WiFiClientSecure/src/ssl_client.h
@@ -29,7 +29,7 @@ typedef struct sslclient_context {


 void ssl_init(sslclient_context *ssl_client);
-int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey);
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, int timeout, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure);
 void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 int data_to_read(sslclient_context *ssl_client);
 int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);