From 1a96a39d3ae570af652d9e4f2a770fad3d46cc64 Mon Sep 17 00:00:00 2001 From: Stephan Hadinger Date: Sat, 9 Oct 2021 09:49:00 +0200 Subject: [PATCH] TLS dual mode --- .../src/WiFiClientSecureLightBearSSL.cpp | 42 ++++++++++--------- .../src/WiFiClientSecureLightBearSSL.h | 4 +- 2 files changed, 26 insertions(+), 20 deletions(-) diff --git a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp index 21317479c..ff87d3112 100755 --- a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp +++ b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp @@ -191,6 +191,11 @@ void WiFiClientSecure_light::_clear() { _last_error = 0; _recvapp_buf = nullptr; _recvapp_len = 0; +#ifdef USE_MQTT_TLS_CA_CERT + _insecure = false; // insecure (fingerprint) mode is only enabled if setPubKeyFingerprint() is called +#else + _insecure = true; // force insecure if CA validation is not enabled +#endif _fingerprint_any = true; // by default accept all fingerprints _fingerprint1 = nullptr; _fingerprint2 = nullptr; @@ -954,10 +959,9 @@ extern "C" { bool WiFiClientSecure_light::_connectSSL(const char* hostName) { // Validation context, either full CA validation or checking only fingerprints #ifdef USE_MQTT_TLS_CA_CERT - br_x509_minimal_context *x509_minimal; -#else - br_x509_pubkeyfingerprint_context *x509_insecure; + br_x509_minimal_context *x509_minimal = nullptr; #endif + br_x509_pubkeyfingerprint_context *x509_insecure = nullptr; LOG_HEAP_SIZE("_connectSSL.start"); @@ -984,24 +988,26 @@ bool WiFiClientSecure_light::_connectSSL(const char* hostName) { // Allocatte and initialize Decoder Context LOG_HEAP_SIZE("_connectSSL before DecoderContext allocation"); // Only failure possible in the installation is OOM - #ifdef USE_MQTT_TLS_CA_CERT - x509_minimal = (br_x509_minimal_context*) malloc(sizeof(br_x509_minimal_context)); - if (!x509_minimal) break; - br_x509_minimal_init(x509_minimal, &br_sha256_vtable, _ta_P, _ta_size); - br_x509_minimal_set_rsa(x509_minimal, br_ssl_engine_get_rsavrfy(_eng)); - br_x509_minimal_set_hash(x509_minimal, br_sha256_ID, &br_sha256_vtable); - br_ssl_engine_set_x509(_eng, &x509_minimal->vtable); - uint32_t now = UtcTime(); - uint32_t cfg_time = CfgTime(); - if (cfg_time > now) { now = cfg_time; } - br_x509_minimal_set_time(x509_minimal, now / 86400 + 719528, now % 86400); - #else x509_insecure = (br_x509_pubkeyfingerprint_context*) malloc(sizeof(br_x509_pubkeyfingerprint_context)); //x509_insecure = std::unique_ptr(new br_x509_pubkeyfingerprint_context); if (!x509_insecure) break; br_x509_pubkeyfingerprint_init(x509_insecure, _fingerprint1, _fingerprint2, _recv_fingerprint, _fingerprint_any); br_ssl_engine_set_x509(_eng, &x509_insecure->vtable); + + #ifdef USE_MQTT_TLS_CA_CERT + if (!_insecure) { + x509_minimal = (br_x509_minimal_context*) malloc(sizeof(br_x509_minimal_context)); + if (!x509_minimal) break; + br_x509_minimal_init(x509_minimal, &br_sha256_vtable, _ta_P, _ta_size); + br_x509_minimal_set_rsa(x509_minimal, br_ssl_engine_get_rsavrfy(_eng)); + br_x509_minimal_set_hash(x509_minimal, br_sha256_ID, &br_sha256_vtable); + br_ssl_engine_set_x509(_eng, &x509_minimal->vtable); + uint32_t now = UtcTime(); + uint32_t cfg_time = CfgTime(); + if (cfg_time > now) { now = cfg_time; } + br_x509_minimal_set_time(x509_minimal, now / 86400 + 719528, now % 86400); + } #endif LOG_HEAP_SIZE("_connectSSL after DecoderContext allocation"); @@ -1043,9 +1049,8 @@ bool WiFiClientSecure_light::_connectSSL(const char* hostName) { #ifdef USE_MQTT_TLS_CA_CERT free(x509_minimal); - #else - free(x509_insecure); #endif + free(x509_insecure); LOG_HEAP_SIZE("_connectSSL after release of Priv Key"); return ret; } while (0); @@ -1059,9 +1064,8 @@ bool WiFiClientSecure_light::_connectSSL(const char* hostName) { #endif #ifdef USE_MQTT_TLS_CA_CERT free(x509_minimal); -#else - free(x509_insecure); #endif + free(x509_insecure); LOG_HEAP_SIZE("_connectSSL clean_on_error"); return false; } diff --git a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h index 2e140308d..450a664f4 100755 --- a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h +++ b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.h @@ -82,6 +82,7 @@ class WiFiClientSecure_light : public WiFiClient { _fingerprint1 = f1; _fingerprint2 = f2; _fingerprint_any = f_any; + _insecure = true; } const uint8_t * getRecvPubKeyFingerprint(void) { return _recv_fingerprint; @@ -132,7 +133,8 @@ class WiFiClientSecure_light : public WiFiClient { bool _handshake_done; uint64_t _last_error; - bool _fingerprint_any; // accept all fingerprints + bool _fingerprint_any; // accept all fingerprints + bool _insecure; // force fingerprint const uint8_t *_fingerprint1; // fingerprint1 to be checked against const uint8_t *_fingerprint2; // fingerprint2 to be checked against // **** Start patch Castellucci