Remove Solo1 support + validate HTTPS certs on HTTPS requests (#443)

* Use esp_crt_bundle for HTTPS requests * Remove Solo1 support
2024-08-08 12:29:48 +02:00
parent 1a7baca5da
commit 1f4e85a09e
30 changed files with 1532 additions and 1755 deletions
--- a/lib/NetworkClientSecure/examples/WiFiClientSecure/WiFiClientSecure.ino
+++ b/lib/NetworkClientSecure/examples/WiFiClientSecure/WiFiClientSecure.ino
@@ -18,27 +18,37 @@ const char *server = "www.howsmyssl.com";  // Server URL
 // change it to your server root CA
 // SHA1 fingerprint is broken now!

-const char *test_root_ca = "-----BEGIN CERTIFICATE-----\n"
-                           "MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\n"
-                           "MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
-                           "DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\n"
-                           "PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\n"
-                           "Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
-                           "AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\n"
-                           "rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\n"
-                           "OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\n"
-                           "xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n"
-                           "7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\n"
-                           "aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\n"
-                           "HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\n"
-                           "SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\n"
-                           "ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\n"
-                           "AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\n"
-                           "R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\n"
-                           "JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\n"
-                           "Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n"
-                           "-----END CERTIFICATE-----\n";
-
+const char *test_root_ca = R"literal(
+-----BEGIN CERTIFICATE-----
+MIIFBTCCAu2gAwIBAgIQS6hSk/eaL6JzBkuoBI110DANBgkqhkiG9w0BAQsFADBP
+MQswCQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFy
+Y2ggR3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMTAeFw0yNDAzMTMwMDAwMDBa
+Fw0yNzAzMTIyMzU5NTlaMDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBF
+bmNyeXB0MQwwCgYDVQQDEwNSMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDPV+XmxFQS7bRH/sknWHZGUCiMHT6I3wWd1bUYKb3dtVq/+vbOo76vACFL
+YlpaPAEvxVgD9on/jhFD68G14BQHlo9vH9fnuoE5CXVlt8KvGFs3Jijno/QHK20a
+/6tYvJWuQP/py1fEtVt/eA0YYbwX51TGu0mRzW4Y0YCF7qZlNrx06rxQTOr8IfM4
+FpOUurDTazgGzRYSespSdcitdrLCnF2YRVxvYXvGLe48E1KGAdlX5jgc3421H5KR
+mudKHMxFqHJV8LDmowfs/acbZp4/SItxhHFYyTr6717yW0QrPHTnj7JHwQdqzZq3
+DZb3EoEmUVQK7GH29/Xi8orIlQ2NAgMBAAGjgfgwgfUwDgYDVR0PAQH/BAQDAgGG
+MB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHRMBAf8ECDAGAQH/
+AgEAMB0GA1UdDgQWBBS7vMNHpeS8qcbDpHIMEI2iNeHI6DAfBgNVHSMEGDAWgBR5
+tFnme7bl5AFzgAiIyBpY9umbbjAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKG
+Fmh0dHA6Ly94MS5pLmxlbmNyLm9yZy8wEwYDVR0gBAwwCjAIBgZngQwBAgEwJwYD
+VR0fBCAwHjAcoBqgGIYWaHR0cDovL3gxLmMubGVuY3Iub3JnLzANBgkqhkiG9w0B
+AQsFAAOCAgEAkrHnQTfreZ2B5s3iJeE6IOmQRJWjgVzPw139vaBw1bGWKCIL0vIo
+zwzn1OZDjCQiHcFCktEJr59L9MhwTyAWsVrdAfYf+B9haxQnsHKNY67u4s5Lzzfd
+u6PUzeetUK29v+PsPmI2cJkxp+iN3epi4hKu9ZzUPSwMqtCceb7qPVxEbpYxY1p9
+1n5PJKBLBX9eb9LU6l8zSxPWV7bK3lG4XaMJgnT9x3ies7msFtpKK5bDtotij/l0
+GaKeA97pb5uwD9KgWvaFXMIEt8jVTjLEvwRdvCn294GPDF08U8lAkIv7tghluaQh
+1QnlE4SEN4LOECj8dsIGJXpGUk3aU3KkJz9icKy+aUgA+2cP21uh6NcDIS3XyfaZ
+QjmDQ993ChII8SXWupQZVBiIpcWO4RqZk3lr7Bz5MUCwzDIA359e57SSq5CCkY0N
+4B6Vulk7LktfwrdGNVI5BsC9qqxSwSKgRJeZ9wygIaehbHFHFhcBaMDKpiZlBHyz
+rsnnlFXCb5s8HKn5LsUgGvB24L7sGNZP2CX7dhHov+YhD+jozLW2p9W4959Bz2Ei
+RmqDtmiXLnzqTpXbI+suyCsohKRg6Un0RC47+cpiVwHiXZAW+cn8eiNIjqbVgXLx
+KPpdzvvtTnOPlC7SQZSYmdunr3Bf9b77AiC/ZidstK36dRILKz7OA54=
+-----END CERTIFICATE-----
+)literal";
 // You can use x.509 client certificates if you want
 //const char* test_client_key = "";   //to verify the client
 //const char* test_client_cert = "";  //to verify the client
--- a/lib/NetworkClientSecure/library.properties
+++ b/lib/NetworkClientSecure/library.properties
@@ -1,5 +1,5 @@
 name=NetworkClientSecure
-version=2.0.0
+version=3.0.3
 author=Evandro Luis Copercini
 maintainer=Github Community
 sentence=Enables secure network connection (local and Internet) using the ESP32 built-in WiFi.
--- a/lib/NetworkClientSecure/src/NetworkClientSecure.cpp
+++ b/lib/NetworkClientSecure/src/NetworkClientSecure.cpp
@@ -305,9 +305,11 @@ int NetworkClientSecure::available() {
  res = data_to_read(sslclient.get());

  if (res < 0 && !_stillinPlainStart) {
-    log_e("Closing connection on failed available check");
+    if (res != MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
+      log_e("Closing connection on failed available check");
+    }
    stop();
-    return peeked ? peeked : res;
+    return peeked;
  }
  return res + peeked;
 }
@@ -337,9 +339,9 @@ void NetworkClientSecure::setCACert(const char *rootCA) {
  _use_insecure = false;
 }

-void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
-  if (bundle != NULL) {
-    esp_crt_bundle_set(bundle, sizeof(bundle));
+void NetworkClientSecure::setCACertBundle(const uint8_t *bundle, size_t size) {
+  if (bundle != NULL && size > 0) {
+    esp_crt_bundle_set(bundle, size);
    attach_ssl_certificate_bundle(sslclient.get(), true);
    _use_ca_bundle = true;
  } else {
@@ -349,6 +351,11 @@ void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
  }
 }

+void NetworkClientSecure::setDefaultCACertBundle() {
+    attach_ssl_certificate_bundle(sslclient.get(), true);
+    _use_ca_bundle = true;
+}
+
 void NetworkClientSecure::setCertificate(const char *client_ca) {
  if (_cert_free && _cert) {
    free((void *)_cert);
--- a/lib/NetworkClientSecure/src/NetworkClientSecure.h
+++ b/lib/NetworkClientSecure/src/NetworkClientSecure.h
@@ -73,7 +73,8 @@ public:
  void setCertificate(const char *client_ca);
  void setPrivateKey(const char *private_key);
  bool loadCACert(Stream &stream, size_t size);
-  void setCACertBundle(const uint8_t *bundle);
+  void setCACertBundle(const uint8_t *bundle, size_t size);
+  void setDefaultCACertBundle();
  bool loadCertificate(Stream &stream, size_t size);
  bool loadPrivateKey(Stream &stream, size_t size);
  bool verify(const char *fingerprint, const char *domain_name);
--- a/lib/NetworkClientSecure/src/WiFiClientSecure.h
+++ b/lib/NetworkClientSecure/src/WiFiClientSecure.h
@@ -1,3 +1,3 @@
 #pragma once
 #include "NetworkClientSecure.h"
-#define WiFiClientSecure NetworkClientSecure
+typedef NetworkClientSecure WiFiClientSecure;
--- a/lib/NetworkClientSecure/src/ssl_client.cpp
+++ b/lib/NetworkClientSecure/src/ssl_client.cpp
@@ -27,7 +27,7 @@
 const char *pers = "esp32-tls";

 static int _handle_error(int err, const char *function, int line) {
-  if (err == -30848) {
+  if (err == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
    return err;
  }
 #ifdef MBEDTLS_ERROR_C