Sternenlabor/nuki_hub
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add and remove libs and components for Arduino Core 3 (#400)

Browse Source 
* Add and remove libs and components for Arduino Core 3

* Add back NimBLE-Arduino in resources
This commit is contained in:
iranl
2024-06-20 18:34:49 +02:00
committed by GitHub
parent 90d13068c9
commit b673fb4d5c
1217 changed files with 118233 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
lib/NetworkClientSecure/README.md Normal file
View File

@@ -0,0 +1,133 @@
NetworkClientSecure
================
The NetworkClientSecure class implements support for secure connections using TLS (SSL).
It inherits from NetworkClient and thus implements a superset of that class' interface.
There are three ways to establish a secure connection using the NetworkClientSecure class:
using a root certificate authority (CA) cert, using a root CA cert plus a client cert and key,
and using a pre-shared key (PSK).
Using a root certificate authority cert
---------------------------------------
This method authenticates the server and negotiates an encrypted connection.
It is the same functionality as implemented in your web browser when you connect to HTTPS sites.
If you are accessing your own server:
- Generate a root certificate for your own certificate authority
- Generate a cert & private key using your root certificate ("self-signed cert") for your server
If you are accessing a public server:
- Obtain the cert of the public CA that signed that server's cert
Then:
- In NetworkClientSecure use setCACert (or the appropriate connect method) to set the root cert of your
CA or of the public CA
- When NetworkClientSecure connects to the target server it uses the CA cert to verify the certificate
presented by the server, and then negotiates encryption for the connection
Please see the NetworkClientSecure example.
Using a bundle of root certificate authority certificates
---------------------------------------------------------
This method is similar to the single root certificate verification above, but it uses a standard set of
root certificates from Mozilla to authenticate against, while the previous method only accepts a single
certificate for a given server. This allows the client to connect to all public SSL servers.
To use this feature in PlatformIO:
1. create a certificate bundle as described in the document below, or obtain a pre-built one you trust:
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/api-reference/protocols/esp_crt_bundle.html
(gen_crt_bundle.py can be found in the /tools folder)
a. note: the full bundle will take up around 64k of flash space, but has minimal RAM usage, as only
the index of the certificates is kept in RAM
2. Place the bundle under the file name "data/cert/x509_crt_bundle.bin" in your platformio project
3. add "board_build.embed_files = data/cert/x509_crt_bundle.bin" in your platformio.ini
4. add the following global declaration in your project:
extern const uint8_t rootca_crt_bundle_start[] asm("_binary_data_cert_x509_crt_bundle_bin_start");
5. before initiating the first SSL connection, call
my_client.setCACertBundle(rootca_crt_bundle_start);
To use this feature in Arduino IDE:
If the Arduino IDE added support for embedding files in the meantime, then follow the instructions above.
If not, you have three choices:
1. convert your project to PlatformIO
2. create a makefile where you can add the idf_component_register() declaration to include the certificate bundle
3. Store the bundle as a SPIFFS file, but then you have to load it into RAM in runtime and waste 64k of precious memory
Using a root CA cert and client cert/keys
-----------------------------------------
This method authenticates the server and additionally also authenticates
the client to the server, then negotiates an encrypted connection.
- Follow steps above
- Using your root CA generate cert/key for your client
- Register the keys with the server you will be accessing so the server can authenticate your client
- In NetworkClientSecure use setCACert (or the appropriate connect method) to set the root cert of your
CA or of the public CA, this is used to authenticate the server
- In NetworkClientSecure use setCertificate, and setPrivateKey (or the appropriate connect method) to
set your client's cert & key, this will be used to authenticate your client to the server
- When NetworkClientSecure connects to the target server it uses the CA cert to verify the certificate
presented by the server, it will use the cert/key to authenticate your client to the server, and
it will then negotiate encryption for the connection
Using Pre-Shared Keys (PSK)
---------------------------
TLS supports authentication and encryption using a pre-shared key (i.e. a key that both client and
server know) as an alternative to the public key cryptography commonly used on the web for HTTPS.
PSK is starting to be used for MQTT, e.g. in mosquitto, to simplify the set-up and avoid having to
go through the whole CA, cert, and private key process.
A pre-shared key is a binary string of up to 32 bytes and is commonly represented in hex form. In
addition to the key, clients can also present an id and typically the server allows a different key
to be associated with each client id. In effect this is very similar to username and password pairs,
except that unlike a password the key is not directly transmitted to the server, thus a connection to a
malicious server does not divulge the password. Plus the server is also authenticated to the client.
To use PSK:
- Generate a random hex string (generating an MD5 or SHA for some file is one way to do this)
- Come up with a string id for your client and configure your server to accept the id/key pair
- In NetworkClientSecure use setPreSharedKey (or the appropriate connect method) to
set the id/key combo
- When NetworkClientSecure connects to the target server it uses the id/key combo to authenticate the
server (it must prove that it has the key too), authenticate the client and then negotiate
encryption for the connection
Please see the NetworkClientPSK example.
Specifying the ALPN Protocol
----------------------------
Application-Layer Protocol Negotiation (ALPN) is a Transport Layer Security (TLS) extension that allows
the application layer to negotiate which protocol should be performed over a secure connection in a manner
that avoids additional round trips and which is independent of the application-layer protocols.
For example, this is used with AWS IoT Custom Authorizers where an MQTT client must set the ALPN protocol to ```mqtt```:
```
const char *aws_protos[] = {"mqtt", NULL};
...
wiFiClient.setAlpnProtocols(aws_protos);
```
Examples
--------
#### NetworkClientInsecure
Demonstrates usage of insecure connection using `NetworkClientSecure::setInsecure()`
#### NetworkClientPSK
Wifi secure connection example for ESP32 using a pre-shared key (PSK)
This is useful with MQTT servers instead of using a self-signed cert, tested with mosquitto.
Running on TLS 1.2 using mbedTLS
#### NetworkClientSecure
Wifi secure connection example for ESP32
Running on TLS 1.2 using mbedTLS
#### NetworkClientSecureEnterprise
This example demonstrates a secure connection to a WiFi network using WPA/WPA2 Enterprise (for example eduroam),
and establishing a secure HTTPS connection with an external server (for example arduino.php5.sk) using the defined anonymous identity, user identity, and password.
.. note::
This example is outdated and might not work. For more examples see [https://github.com/martinius96/ESP32-eduroam](https://github.com/martinius96/ESP32-eduroam)
#### NetworkClientShowPeerCredentials
Example of a establishing a secure connection and then showing the fingerprint of the certificate.
This can be useful in an IoT setting to know for sure that you are connecting to the right server.
Especially in situations where you cannot hardcode a trusted root certificate for long
periods of time (as they tend to get replaced more often than the lifecycle of IoT hardware).

70
lib/NetworkClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino Normal file
View File

@@ -0,0 +1,70 @@
#include <NetworkClientSecure.h>
#include <WiFi.h>
/* This is a very INSECURE approach.
* If for some reason the secure, proper example NetworkClientSecure
* does not work for you; then you may want to check the
* NetworkClientTrustOnFirstUse example first. It is less secure than
* NetworkClientSecure, but a lot better than this totally insecure
* approach shown below.
*/
const char *ssid = "your-ssid"; // your network SSID (name of wifi network)
const char *password = "your-password"; // your network password
const char *server = "www.howsmyssl.com"; // Server URL
NetworkClientSecure client;
void setup() {
//Initialize serial and wait for port to open:
Serial.begin(115200);
delay(100);
Serial.print("Attempting to connect to SSID: ");
Serial.println(ssid);
WiFi.begin(ssid, password);
// attempt to connect to Wifi network:
while (WiFi.status() != WL_CONNECTED) {
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
Serial.print("Connected to ");
Serial.println(ssid);
Serial.println("\nStarting connection to server...");
client.setInsecure(); //skip verification
if (!client.connect(server, 443)) {
Serial.println("Connection failed!");
} else {
Serial.println("Connected to server!");
// Make a HTTP request:
client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
client.println("Host: www.howsmyssl.com");
client.println("Connection: close");
client.println();
while (client.connected()) {
String line = client.readStringUntil('\n');
if (line == "\r") {
Serial.println("headers received");
break;
}
}
// if there are incoming bytes available
// from the server, read them and print them:
while (client.available()) {
char c = client.read();
Serial.write(c);
}
client.stop();
}
}
void loop() {
// do nothing
}

5
lib/NetworkClientSecure/examples/WiFiClientInsecure/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

86
lib/NetworkClientSecure/examples/WiFiClientPSK/WiFiClientPSK.ino Normal file
View File

@@ -0,0 +1,86 @@
/*
Wifi secure connection example for ESP32 using a pre-shared key (PSK)
This is useful with MQTT servers instead of using a self-signed cert, tested with mosquitto.
Running on TLS 1.2 using mbedTLS
To test run a test server using: openssl s_server -accept 8443 -psk 1a2b3c4d -nocert
It will show the http request made, but there's no easy way to send a reply back...
2017 - Evandro Copercini - Apache 2.0 License.
2018 - Adapted for PSK by Thorsten von Eicken
*/
#include <NetworkClientSecure.h>
#include <WiFi.h>
#if 0
const char* ssid = "your-ssid"; // your network SSID (name of wifi network)
const char* password = "your-password"; // your network password
#else
const char *ssid = "test"; // your network SSID (name of wifi network)
const char *password = "securetest"; // your network password
#endif
//const char* server = "server.local"; // Server hostname
const IPAddress server = IPAddress(192, 168, 0, 14); // Server IP address
const int port = 8443; // server's port (8883 for MQTT)
const char *pskIdent = "Client_identity"; // PSK identity (sometimes called key hint)
const char *psKey = "1a2b3c4d"; // PSK Key (must be hex string without 0x)
NetworkClientSecure client;
void setup() {
//Initialize serial and wait for port to open:
Serial.begin(115200);
delay(100);
Serial.print("Attempting to connect to SSID: ");
Serial.println(ssid);
WiFi.begin(ssid, password);
// attempt to connect to Wifi network:
while (WiFi.status() != WL_CONNECTED) {
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
Serial.print("Connected to ");
Serial.println(ssid);
client.setPreSharedKey(pskIdent, psKey);
Serial.println("\nStarting connection to server...");
if (!client.connect(server, port)) {
Serial.println("Connection failed!");
} else {
Serial.println("Connected to server!");
// Make a HTTP request:
client.println("GET /a/check HTTP/1.0");
client.print("Host: ");
client.println(server);
client.println("Connection: close");
client.println();
while (client.connected()) {
String line = client.readStringUntil('\n');
if (line == "\r") {
Serial.println("headers received");
break;
}
}
// if there are incoming bytes available
// from the server, read them and print them:
while (client.available()) {
char c = client.read();
Serial.write(c);
}
client.stop();
}
}
void loop() {
// do nothing
}

5
lib/NetworkClientSecure/examples/WiFiClientPSK/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

102
lib/NetworkClientSecure/examples/WiFiClientSecure/WiFiClientSecure.ino Normal file
View File

@@ -0,0 +1,102 @@
/*
Wifi secure connection example for ESP32
Running on TLS 1.2 using mbedTLS
Supporting the following ciphersuites:
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","TLS_DHE_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_256_CCM","TLS_DHE_RSA_WITH_AES_256_CCM","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384","TLS_DHE_RSA_WITH_AES_256_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_DHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8","TLS_DHE_RSA_WITH_AES_256_CCM_8","TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CCM","TLS_DHE_RSA_WITH_AES_128_CCM","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8","TLS_DHE_RSA_WITH_AES_128_CCM_8","TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA","TLS_DHE_PSK_WITH_AES_256_GCM_SHA384","TLS_DHE_PSK_WITH_AES_256_CCM","TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384","TLS_DHE_PSK_WITH_AES_256_CBC_SHA384","TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA","TLS_DHE_PSK_WITH_AES_256_CBC_SHA","TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_PSK_DHE_WITH_AES_256_CCM_8","TLS_DHE_PSK_WITH_AES_128_GCM_SHA256","TLS_DHE_PSK_WITH_AES_128_CCM","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256","TLS_DHE_PSK_WITH_AES_128_CBC_SHA256","TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA","TLS_DHE_PSK_WITH_AES_128_CBC_SHA","TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_PSK_DHE_WITH_AES_128_CCM_8","TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA","TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CCM","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_RSA_WITH_AES_256_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_AES_256_CCM_8","TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256","TLS_RSA_WITH_CAMELLIA_256_CBC_SHA","TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384","TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_128_CCM","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CCM_8","TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_WITH_CAMELLIA_128_CBC_SHA","TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_RSA_PSK_WITH_AES_256_GCM_SHA384","TLS_RSA_PSK_WITH_AES_256_CBC_SHA384","TLS_RSA_PSK_WITH_AES_256_CBC_SHA","TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_RSA_PSK_WITH_AES_128_GCM_SHA256","TLS_RSA_PSK_WITH_AES_128_CBC_SHA256","TLS_RSA_PSK_WITH_AES_128_CBC_SHA","TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA","TLS_PSK_WITH_AES_256_GCM_SHA384","TLS_PSK_WITH_AES_256_CCM","TLS_PSK_WITH_AES_256_CBC_SHA384","TLS_PSK_WITH_AES_256_CBC_SHA","TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384","TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384","TLS_PSK_WITH_AES_256_CCM_8","TLS_PSK_WITH_AES_128_GCM_SHA256","TLS_PSK_WITH_AES_128_CCM","TLS_PSK_WITH_AES_128_CBC_SHA256","TLS_PSK_WITH_AES_128_CBC_SHA","TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256","TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256","TLS_PSK_WITH_AES_128_CCM_8","TLS_PSK_WITH_3DES_EDE_CBC_SHA","TLS_EMPTY_RENEGOTIATION_INFO_SCSV"]
2017 - Evandro Copercini - Apache 2.0 License.
*/
#include <NetworkClientSecure.h>
#include <WiFi.h>
const char *ssid = "your-ssid"; // your network SSID (name of wifi network)
const char *password = "your-password"; // your network password
const char *server = "www.howsmyssl.com"; // Server URL
// www.howsmyssl.com root certificate authority, to verify the server
// change it to your server root CA
// SHA1 fingerprint is broken now!
const char *test_root_ca = "-----BEGIN CERTIFICATE-----\n"
"MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\n"
"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n"
"DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\n"
"PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\n"
"Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n"
"AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\n"
"rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\n"
"OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\n"
"xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n"
"7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\n"
"aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\n"
"HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\n"
"SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\n"
"ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\n"
"AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\n"
"R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\n"
"JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\n"
"Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n"
"-----END CERTIFICATE-----\n";
// You can use x.509 client certificates if you want
//const char* test_client_key = ""; //to verify the client
//const char* test_client_cert = ""; //to verify the client
NetworkClientSecure client;
void setup() {
//Initialize serial and wait for port to open:
Serial.begin(115200);
delay(100);
Serial.print("Attempting to connect to SSID: ");
Serial.println(ssid);
WiFi.begin(ssid, password);
// attempt to connect to Wifi network:
while (WiFi.status() != WL_CONNECTED) {
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
Serial.print("Connected to ");
Serial.println(ssid);
client.setCACert(test_root_ca);
//client.setCertificate(test_client_cert); // for client verification
//client.setPrivateKey(test_client_key); // for client verification
Serial.println("\nStarting connection to server...");
if (!client.connect(server, 443)) {
Serial.println("Connection failed!");
} else {
Serial.println("Connected to server!");
// Make a HTTP request:
client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
client.println("Host: www.howsmyssl.com");
client.println("Connection: close");
client.println();
while (client.connected()) {
String line = client.readStringUntil('\n');
if (line == "\r") {
Serial.println("headers received");
break;
}
}
// if there are incoming bytes available
// from the server, read them and print them:
while (client.available()) {
char c = client.read();
Serial.write(c);
}
client.stop();
}
}
void loop() {
// do nothing
}

5
lib/NetworkClientSecure/examples/WiFiClientSecure/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

132
lib/NetworkClientSecure/examples/WiFiClientSecureEnterprise/WiFiClientSecureEnterprise.ino Normal file
View File

@@ -0,0 +1,132 @@
/*|-----------------------------------------------------------|*/
/*|WORKING EXAMPLE FOR HTTPS CONNECTION |*/
/*|Author: Bc. Martin Chlebovec |*/
/*|Technical University of Košice |*/
/*|TESTED BOARDS: Devkit v1 DOIT, Devkitc v4 |*/
/*|CORE: 0.9x, 1.0.0, 1.0.1 tested, working (newer not tested)|*/
/*|Supported methods: PEAP + MsCHAPv2, EAP-TTLS + MsCHAPv2 |*/
/*|-----------------------------------------------------------|*/
// This example demonstrates a secure connection to a WiFi network using WPA/WPA2 Enterprise (for example eduroam),
// and establishing a secure HTTPS connection with an external server (for example arduino.php5.sk) using the defined anonymous identity, user identity, and password.
// Note: this example is outdated and may not work!
// For more examples see https://github.com/martinius96/ESP32-eduroam
#include <WiFi.h>
#include <NetworkClientSecure.h>
#if __has_include("esp_eap_client.h")
#include "esp_eap_client.h"
#else
#include "esp_wpa2.h"
#endif
#include <Wire.h>
#define EAP_ANONYMOUS_IDENTITY "anonymous@example.com" //anonymous identity
#define EAP_IDENTITY "id@example.com" //user identity
#define EAP_PASSWORD "password" //eduroam user password
const char *ssid = "eduroam"; // eduroam SSID
const char *host = "arduino.php5.sk"; //external server domain for HTTPS connection
int counter = 0;
const char *test_root_ca = "-----BEGIN CERTIFICATE-----\n"
"MIIEsTCCA5mgAwIBAgIQCKWiRs1LXIyD1wK0u6tTSTANBgkqhkiG9w0BAQsFADBh\n"
"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
"d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD\n"
"QTAeFw0xNzExMDYxMjIzMzNaFw0yNzExMDYxMjIzMzNaMF4xCzAJBgNVBAYTAlVT\n"
"MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j\n"
"b20xHTAbBgNVBAMTFFJhcGlkU1NMIFJTQSBDQSAyMDE4MIIBIjANBgkqhkiG9w0B\n"
"AQEFAAOCAQ8AMIIBCgKCAQEA5S2oihEo9nnpezoziDtx4WWLLCll/e0t1EYemE5n\n"
"+MgP5viaHLy+VpHP+ndX5D18INIuuAV8wFq26KF5U0WNIZiQp6mLtIWjUeWDPA28\n"
"OeyhTlj9TLk2beytbtFU6ypbpWUltmvY5V8ngspC7nFRNCjpfnDED2kRyJzO8yoK\n"
"MFz4J4JE8N7NA1uJwUEFMUvHLs0scLoPZkKcewIRm1RV2AxmFQxJkdf7YN9Pckki\n"
"f2Xgm3b48BZn0zf0qXsSeGu84ua9gwzjzI7tbTBjayTpT+/XpWuBVv6fvarI6bik\n"
"KB859OSGQuw73XXgeuFwEPHTIRoUtkzu3/EQ+LtwznkkdQIDAQABo4IBZjCCAWIw\n"
"HQYDVR0OBBYEFFPKF1n8a8ADIS8aruSqqByCVtp1MB8GA1UdIwQYMBaAFAPeUDVW\n"
"0Uy7ZvCj4hsbw5eyPdFVMA4GA1UdDwEB/wQEAwIBhjAdBgNVHSUEFjAUBggrBgEF\n"
"BQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0BggrBgEFBQcBAQQo\n"
"MCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBCBgNVHR8E\n"
"OzA5MDegNaAzhjFodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRHbG9i\n"
"YWxSb290Q0EuY3JsMGMGA1UdIARcMFowNwYJYIZIAYb9bAECMCowKAYIKwYBBQUH\n"
"AgEWHGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCwYJYIZIAYb9bAEBMAgG\n"
"BmeBDAECATAIBgZngQwBAgIwDQYJKoZIhvcNAQELBQADggEBAH4jx/LKNW5ZklFc\n"
"YWs8Ejbm0nyzKeZC2KOVYR7P8gevKyslWm4Xo4BSzKr235FsJ4aFt6yAiv1eY0tZ\n"
"/ZN18bOGSGStoEc/JE4ocIzr8P5Mg11kRYHbmgYnr1Rxeki5mSeb39DGxTpJD4kG\n"
"hs5lXNoo4conUiiJwKaqH7vh2baryd8pMISag83JUqyVGc2tWPpO0329/CWq2kry\n"
"qv66OSMjwulUz0dXf4OHQasR7CNfIr+4KScc6ABlQ5RDF86PGeE6kdwSQkFiB/cQ\n"
"ysNyq0jEDQTkfa2pjmuWtMCNbBnhFXBYejfubIhaUbEv2FOQB3dCav+FPg5eEveX\n"
"TVyMnGo=\n"
"-----END CERTIFICATE-----\n";
// You can use x.509 client certificates if you want
//const char* test_client_key = ""; //to verify the client
//const char* test_client_cert = ""; //to verify the client
NetworkClientSecure client;
void setup() {
Serial.begin(115200);
delay(10);
Serial.println();
Serial.print("Connecting to network: ");
Serial.println(ssid);
WiFi.disconnect(true); //disconnect form wifi to set new wifi connection
WiFi.mode(WIFI_STA); //init wifi mode
#if __has_include("esp_eap_client.h")
esp_eap_client_set_identity((uint8_t *)EAP_ANONYMOUS_IDENTITY, strlen(EAP_ANONYMOUS_IDENTITY)); //provide identity
esp_eap_client_set_username((uint8_t *)EAP_IDENTITY, strlen(EAP_IDENTITY)); //provide username
esp_eap_client_set_password((uint8_t *)EAP_PASSWORD, strlen(EAP_PASSWORD)); //provide password
esp_wifi_sta_enterprise_enable();
#else
esp_wifi_sta_wpa2_ent_set_identity((uint8_t *)EAP_ANONYMOUS_IDENTITY, strlen(EAP_ANONYMOUS_IDENTITY)); //provide identity
esp_wifi_sta_wpa2_ent_set_username((uint8_t *)EAP_IDENTITY, strlen(EAP_IDENTITY)); //provide username
esp_wifi_sta_wpa2_ent_set_password((uint8_t *)EAP_PASSWORD, strlen(EAP_PASSWORD)); //provide password
esp_wifi_sta_wpa2_ent_enable();
#endif
WiFi.begin(ssid); //connect to wifi
while (WiFi.status() != WL_CONNECTED) {
delay(500);
Serial.print(".");
counter++;
if (counter >= 60) { //after 30 seconds timeout - reset board (on unsuccessful connection)
ESP.restart();
}
}
client.setCACert(test_root_ca);
//client.setCertificate(test_client_cert); // for client verification - certificate
//client.setPrivateKey(test_client_key); // for client verification - private key
Serial.println("");
Serial.println("WiFi connected");
Serial.println("IP address set: ");
Serial.println(WiFi.localIP()); //print LAN IP
}
void loop() {
if (WiFi.status() == WL_CONNECTED) { //if we are connected to eduroam network
counter = 0; //reset counter
Serial.println("Wifi is still connected with IP: ");
Serial.println(WiFi.localIP()); //inform user about his IP address
} else if (WiFi.status() != WL_CONNECTED) { //if we lost connection, retry
WiFi.begin(ssid);
}
while (WiFi.status() != WL_CONNECTED) { //during lost connection, print dots
delay(500);
Serial.print(".");
counter++;
if (counter >= 60) { //30 seconds timeout - reset board
ESP.restart();
}
}
Serial.print("Connecting to website: ");
Serial.println(host);
if (client.connect(host, 443)) {
String url = "/rele/rele1.txt";
client.print(String("GET ") + url + " HTTP/1.1\r\n" + "Host: " + host + "\r\n" + "User-Agent: ESP32\r\n" + "Connection: close\r\n\r\n");
while (client.connected()) {
String header = client.readStringUntil('\n');
Serial.println(header);
if (header == "\r") {
break;
}
}
String line = client.readStringUntil('\n');
Serial.println(line);
} else {
Serial.println("Connection unsuccessful");
}
delay(5000);
}

5
lib/NetworkClientSecure/examples/WiFiClientSecureEnterprise/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

190
lib/NetworkClientSecure/examples/WiFiClientSecureProtocolUpgrade/WiFiClientSecureProtocolUpgrade.ino Normal file
View File

@@ -0,0 +1,190 @@
/* STARTSSL example
Inline upgrading from a clear-text connection to an SSL/TLS connection.
Some protocols such as SMTP, XMPP, Mysql, Postgresql and others allow, or require,
that you start the connection without encryption; and then send a command to switch
over to encryption.
E.g. a typical SMTP submission would entail a dialog such as this:
1. client connects to server in the clear
2. server says hello
3. client sents a EHLO
4. server tells the client that it supports SSL/TLS
5. client sends a 'STARTTLS' to make use of this faciltiy
6. client/server negiotiate a SSL or TLS connection.
7. client sends another EHLO
8. server now tells the client what (else) is supported; such as additional authentication options.
... conversation continues encrypted.
This can be enabled in NetworkClientSecure by telling it to start in plaintext:
client.setPlainStart();
and client is than a plain, TCP, connection (just as NetworkClient would be); until the client calls
the method:
client.startTLS(); // returns zero on error; non zero on success.
After which things switch to TLS/SSL.
*/
#include <WiFi.h>
#include <NetworkClientSecure.h>
#ifndef WIFI_NETWORK
#define WIFI_NETWORK "YOUR Wifi SSID"
#endif
#ifndef WIFI_PASSWD
#define WIFI_PASSWD "your-secret-password"
#endif
#ifndef SMTP_HOST
#define SMTP_HOST "smtp.gmail.com"
#endif
#ifndef SMTP_PORT
#define SMTP_PORT (587) // Standard (plaintext) submission port
#endif
const char *ssid = WIFI_NETWORK; // your network SSID (name of wifi network)
const char *password = WIFI_PASSWD; // your network password
const char *server = SMTP_HOST; // Server URL
const int submission_port = SMTP_PORT; // submission port.
NetworkClientSecure client;
static bool readAllSMTPLines();
void setup() {
int ret;
//Initialize serial and wait for port to open:
Serial.begin(115200);
delay(100);
Serial.print("Attempting to connect to SSID: ");
Serial.print(ssid);
WiFi.begin(ssid, password);
// attempt to connect to Wifi network:
while (WiFi.status() != WL_CONNECTED) {
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
Serial.print("Connected to ");
Serial.println(ssid);
Serial.printf("\nStarting connection to server: %s:%d\n", server, submission_port);
// skip verification for this demo. In production one should at the very least
// enable TOFU; or ideally hardcode a (CA) certificate that is trusted.
client.setInsecure();
// Enable a plain-test start.
client.setPlainStart();
if (!client.connect(server, SMTP_PORT)) {
Serial.println("Connection failed!");
return;
};
Serial.println("Connected to server (in the clear, in plaintest)");
if (!readAllSMTPLines()) {
goto err;
}
Serial.println("Sending : EHLO\t\tin the clear");
client.print("EHLO there\r\n");
if (!readAllSMTPLines()) {
goto err;
}
Serial.println("Sending : STARTTLS\t\tin the clear");
client.print("STARTTLS\r\n");
if (!readAllSMTPLines()) {
goto err;
}
Serial.println("Upgrading connection to TLS");
if ((ret = client.startTLS()) <= 0) {
Serial.printf("Upgrade connection failed: err %d\n", ret);
goto err;
}
Serial.println("Sending : EHLO again\t\tover the now encrypted connection");
client.print("EHLO again\r\n");
if (!readAllSMTPLines()) {
goto err;
}
// normally, as this point - we'd be authenticating and then be submitting
// an email. This has been left out of this example.
Serial.println("Sending : QUIT\t\t\tover the now encrypted connection");
client.print("QUIT\r\n");
if (!readAllSMTPLines()) {
goto err;
}
Serial.println("Completed OK\n");
err:
Serial.println("Closing connection");
client.stop();
}
// SMTP command repsponse start with three digits and a space;
// or, for continuation, with three digits and a '-'.
static bool readAllSMTPLines() {
String s = "";
int i;
// blocking read; we cannot rely on a timeout
// of a NetworkClientSecure read; as it is non
// blocking.
const unsigned long timeout = 15 * 1000;
unsigned long start = millis(); // the timeout is for the entire CMD block response; not per character/line.
while (1) {
while ((i = client.available()) == 0 && millis() - start < timeout) {
/* .. wait */
};
if (i == 0) {
Serial.println("Timeout reading SMTP response");
return false;
};
if (i < 0) {
break;
}
i = client.read();
if (i < 0) {
break;
}
if (i > 31 && i < 128) {
s += (char)i;
}
if (i == 0x0A) {
Serial.print("Receiving: ");
Serial.println(s);
if (s.charAt(3) == ' ') {
return true;
}
s = "";
}
}
Serial.printf("Error reading SMTP command response line: %d\n", i);
return false;
}
void loop() {
// do nothing
}

5
lib/NetworkClientSecure/examples/WiFiClientSecureProtocolUpgrade/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

98
lib/NetworkClientSecure/examples/WiFiClientShowPeerCredentials/WiFiClientShowPeerCredentials.ino Normal file
View File

@@ -0,0 +1,98 @@
// NetworkClientShowPeerCredentials
//
// Example of a establishing a secure connection and then
// showing the fingerprint of the certificate. This can
// be useful in an IoT setting to know for sure that you
// are connecting to the right server. Especially in
// situations where you cannot hardcode a trusted root
// certificate for long periods of time (as they tend to
// get replaced more often than the lifecycle of IoT
// hardware).
//
#include <WiFi.h>
#include <HTTPClient.h>
#include <NetworkClientSecure.h>
#ifndef WIFI_NETWORK
#define WIFI_NETWORK "MyWifiNetwork"
#endif
#ifndef WIFI_PASSWD
#define WIFI_PASSWD "MySecretWifiPassword"
#endif
#define URL "https://arduino.cc"
void demo() {
NetworkClientSecure *client = new NetworkClientSecure;
client->setInsecure(); //
HTTPClient https;
if (!https.begin(*client, URL)) {
Serial.println("HTTPS setup failed");
return;
};
https.setTimeout(5000);
int httpCode = https.GET();
if (httpCode != 200) {
Serial.print("Connect failed: ");
Serial.println(https.errorToString(httpCode));
return;
}
const mbedtls_x509_crt *peer = client->getPeerCertificate();
// Show general output / certificate information
//
char buf[1024];
int l = mbedtls_x509_crt_info(buf, sizeof(buf), "", peer);
if (l <= 0) {
Serial.println("Peer conversion to printable buffer failed");
return;
};
Serial.println();
Serial.println(buf);
uint8_t fingerprint_remote[32];
if (!client->getFingerprintSHA256(fingerprint_remote)) {
Serial.println("Failed to get the fingerprint");
return;
}
// Fingerprint late 2021
Serial.println("Expecting Fingerprint (SHA256): 70 CF A4 B7 5D 09 E9 2A 52 A8 B6 85 B5 0B D6 BE 83 47 83 5B 3A 4D 3C 3E 32 30 EC 1D 61 98 D7 0F");
Serial.print(" Received Fingerprint (SHA256): ");
for (int i = 0; i < 32; i++) {
Serial.print(fingerprint_remote[i], HEX);
Serial.print(" ");
};
Serial.println("");
};
void setup() {
Serial.begin(115200);
Serial.println("Started " __FILE__ " build " __DATE__ " " __TIME__);
WiFi.mode(WIFI_STA);
WiFi.begin(WIFI_NETWORK, WIFI_PASSWD);
while (WiFi.waitForConnectResult() != WL_CONNECTED) {
Serial.println("Wifi fail - rebooting");
delay(5000);
ESP.restart();
}
}
void loop() {
bool already_tried = false;
if ((millis() < 1000) || already_tried) {
return;
}
already_tried = true;
// Run the test just once.
demo();
}

5
lib/NetworkClientSecure/examples/WiFiClientShowPeerCredentials/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

270
lib/NetworkClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino Normal file
View File

@@ -0,0 +1,270 @@
/* For any secure connection - it is (at least) essential for the
the client to verify that it is talking with the server it
thinks it is talking to. And not some (invisible) man in the middle.
See https://en.wikipedia.org/wiki/Man-in-the-middle_attack,
https://www.ai.rug.nl/mas/finishedprojects/2011/TLS/hermsencomputerservices.nl/mas/mitm.html or
https://medium.com/@munteanu210/ssl-certificates-vs-man-in-the-middle-attacks-3fb7846fa5db
for some background on this.
Unfortunately this means that one needs to hardcode a server
public key, certificate or some cryptographically strong hash
thereoff into the code, to verify that you are indeed talking to
the right server. This is sometimes somewhat impractical. Especially
if you do not know the server in advance; or if your code needs to be
stable ovr very long times - during which the server may change.
However completely dispensing with any checks (See the WifiClientInSecure
example) is also not a good idea either.
This example gives you some middle ground; "Trust on First Use" --
TOFU - see https://developer.mozilla.org/en-US/docs/Glossary/TOFU or
https://en.wikipedia.org/wiki/Trust_on_first_use).
In this scheme; we start the very first time without any security checks
but once we have our first connection; we store the public crytpographic
details (or a proxy, such as a sha256 of this). And then we use this for
any subsequent connections.
The assumption here is that we do our very first connection in a somewhat
trusted network environment; where the chance of a man in the middle is
very low; or one where the person doing the first run can check the
details manually.
So this is not quite as good as building a CA certificate into your
code (as per the WifiClientSecure example). But not as bad as something
with no trust management at all.
To make it possible for the enduser to 'reset' this trust; the
startup sequence checks if a certain GPIO is low (assumed to be wired
to some physical button or jumper on the PCB). And we only allow
the TOFU to be configured when this pin is LOW.
*/
#ifndef WIFI_NETWORK
#define WIFI_NETWORK "Your Wifi SSID"
#endif
#ifndef WIFI_PASSWD
#define WIFI_PASSWD "your-secret-wifi-password"
#endif
const char *ssid = WIFI_NETWORK; // your network SSID (name of wifi network)
const char *password = WIFI_PASSWD; // your network password
const char *server = "www.howsmyssl.com"; // Server to test with.
const int TOFU_RESET_BUTTON = 35; /* Trust reset button wired between GPIO 35 and GND (pulldown) */
#include <WiFi.h>
#include <NetworkClientSecure.h>
#include <EEPROM.h>
/* Set aside some persistent memory (i.e. memory that is preserved on reboots and
power cycling; and will generally survive software updates as well.
*/
EEPROMClass TOFU("tofu0");
// Utility function; checks if a given buffer is entirely
// with with 0 bytes over its full length. Returns 0 on
// success; a non zero value on fail.
//
static int memcmpzero(unsigned char *ptr, size_t len) {
while (len--) {
if (0xff != *ptr++) {
return -1;
}
}
return 0;
};
static void printSHA256(unsigned char *ptr) {
for (int i = 0; i < 32; i++) {
Serial.printf("%s%02x", i ? ":" : "", ptr[i]);
}
Serial.println("");
};
NetworkClientSecure client;
bool get_tofu();
bool doTOFU_Protected_Connection(uint8_t *fingerprint_tofu);
void setup() {
bool tofu_reset = false;
//Initialize serial and wait for port to open:
Serial.begin(115200);
delay(100);
if (!TOFU.begin(32)) {
Serial.println("Could not initialsize the EEPROM");
return;
}
uint8_t fingerprint_tofu[32];
// reset the trust if the tofu reset button is pressed.
//
pinMode(TOFU_RESET_BUTTON, INPUT_PULLUP);
if (digitalRead(TOFU_RESET_BUTTON) == LOW) {
Serial.println("The TOFU reset button is pressed.");
tofu_reset = true;
}
/* if the button is not pressed; see if we can get the TOFU
fingerprint from the EEPROM.
*/
else if (32 != TOFU.readBytes(0, fingerprint_tofu, 32)) {
Serial.println("Failed to get the fingerprint from memory.");
tofu_reset = true;
}
/* And check that the EEPROM value is not all 0's; in which
case we also need to do a TOFU.
*/
else if (!memcmpzero(fingerprint_tofu, 32)) {
Serial.println("TOFU fingerprint in memory all zero.");
tofu_reset = true;
};
if (!tofu_reset) {
Serial.print("TOFU pegged to fingerprint: SHA256=");
printSHA256(fingerprint_tofu);
Serial.print("Note: You can check this fingerprint by going to the URL\n"
"<https://");
Serial.print(server);
Serial.println("> and then click on the lock icon.\n");
};
// attempt to connect to Wifi network:
Serial.print("Attempting to connect to SSID: ");
Serial.println(ssid);
WiFi.begin(ssid, password);
while (WiFi.status() != WL_CONNECTED) {
Serial.print(".");
// wait 1 second for re-trying
delay(1000);
}
Serial.print("Connected to ");
Serial.println(ssid);
if (tofu_reset) {
Serial.println("Resetting trust fingerprint.");
if (!get_tofu()) {
Serial.println("Trust reset failed. Giving up");
return;
}
Serial.println("(New) Trust of First used configured. Rebooting in 3 seconds");
delay(3 * 1000);
ESP.restart();
};
Serial.println("Trying to connect to a server; using TOFU details from the eeprom");
if (doTOFU_Protected_Connection(fingerprint_tofu)) {
Serial.println("ALL OK");
}
}
bool get_tofu() {
Serial.println("\nStarting our insecure connection to server...");
client.setInsecure(); //skip verification
if (!client.connect(server, 443)) {
Serial.println("Connection failed!");
client.stop();
return false;
};
Serial.println("Connected to server. Extracting trust data.");
// Now extract the data of the certificate and show it to
// the user over the serial connection for optional
// verification.
const mbedtls_x509_crt *peer = client.getPeerCertificate();
char buf[1024];
int l = mbedtls_x509_crt_info(buf, sizeof(buf), "", peer);
if (l <= 0) {
Serial.println("Peer conversion to printable buffer failed");
client.stop();
return false;
};
Serial.println();
Serial.println(buf);
// Extract the fingerprint - and store this in our EEPROM
// to be used for future validation.
uint8_t fingerprint_remote[32];
if (!client.getFingerprintSHA256(fingerprint_remote)) {
Serial.println("Failed to get the fingerprint");
client.stop();
return false;
}
if ((32 != TOFU.writeBytes(0, fingerprint_remote, 32)) || (!TOFU.commit())) {
Serial.println("Could not write the fingerprint to the EEPROM");
client.stop();
return false;
};
TOFU.end();
client.stop();
Serial.print("TOFU pegged to fingerprint: SHA256=");
printSHA256(fingerprint_remote);
return true;
};
bool doTOFU_Protected_Connection(uint8_t *fingerprint_tofu) {
// As we're not using a (CA) certificate to check the
// connection; but the hash of the peer - we need to initially
// allow the connection to be set up without the CA check.
client.setInsecure(); //skip verification
if (!client.connect(server, 443)) {
Serial.println("Connection failed!");
client.stop();
return false;
};
// Now that we're connected - we can check that we have
// end to end trust - by comparing the fingerprint we (now)
// see (of the server certificate) to the one we have stored
// in our EEPROM as part of an earlier trust-on-first use.
uint8_t fingerprint_remote[32];
if (!client.getFingerprintSHA256(fingerprint_remote)) {
Serial.println("Failed to get the fingerprint of the server");
client.stop();
return false;
}
if (memcmp(fingerprint_remote, fingerprint_tofu, 32)) {
Serial.println("TOFU fingerprint not the same as the one from the server.");
Serial.print("TOFU : SHA256=");
printSHA256(fingerprint_tofu);
Serial.print("Remote: SHA256=");
printSHA256(fingerprint_remote);
Serial.println(" : NOT identical -- Aborting!");
client.stop();
return false;
};
Serial.println("All well - you are talking to the same server as\n"
"when you set up TOFU. So we can now do a GET.\n\n");
client.println("GET /a/check HTTP/1.0");
client.print("Host: ");
client.println(server);
client.println("Connection: close");
client.println();
bool inhdr = true;
while (client.connected()) {
String line = client.readStringUntil('\n');
Serial.println(line);
if (inhdr && line == "\r") {
inhdr = false;
Serial.println("-- headers received. Payload follows\n\n");
}
}
Serial.println("\n\n-- Payload ended.");
client.stop();
return true;
}
void loop() {}

5
lib/NetworkClientSecure/examples/WiFiClientTrustOnFirstUse/ci.json Normal file
View File

@@ -0,0 +1,5 @@
{
"targets": {
"esp32h2": false
}
}

36
lib/NetworkClientSecure/keywords.txt Normal file
View File

@@ -0,0 +1,36 @@
#######################################
# Syntax Coloring Map For WiFi
#######################################
#######################################
# Library (KEYWORD3)
#######################################
NetworkClientSecure KEYWORD3
#######################################
# Datatypes (KEYWORD1)
#######################################
NetworkClientSecure KEYWORD1
#######################################
# Methods and Functions (KEYWORD2)
#######################################
connect KEYWORD2
write KEYWORD2
available KEYWORD2
config KEYWORD2
read KEYWORD2
flush KEYWORD2
stop KEYWORD2
connected KEYWORD2
setCACert KEYWORD2
setCertificate KEYWORD2
setPrivateKey KEYWORD2
setAlpnProtocols KEYWORD2
#######################################
# Constants (LITERAL1)
#######################################

9
lib/NetworkClientSecure/library.properties Normal file
View File

@@ -0,0 +1,9 @@
name=NetworkClientSecure
version=2.0.0
author=Evandro Luis Copercini
maintainer=Github Community
sentence=Enables secure network connection (local and Internet) using the ESP32 built-in WiFi.
paragraph=With this library you can make a TLS or SSL connection to a remote server.
category=Communication
url=
architectures=esp32

453
lib/NetworkClientSecure/src/NetworkClientSecure.cpp Normal file
View File

@@ -0,0 +1,453 @@
/*
NetworkClientSecure.cpp - Client Secure class for ESP32
Copyright (c) 2016 Hristo Gochkov All right reserved.
Additions Copyright (C) 2017 Evandro Luis Copercini.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include "NetworkClientSecure.h"
#include "esp_crt_bundle.h"
#include <lwip/sockets.h>
#include <lwip/netdb.h>
#include <errno.h>
#undef connect
#undef write
#undef read
NetworkClientSecure::NetworkClientSecure() {
_connected = false;
_timeout = 30000; // Same default as ssl_client
sslclient.reset(new sslclient_context, [](struct sslclient_context *sslclient) {
stop_ssl_socket(sslclient);
delete sslclient;
});
ssl_init(sslclient.get());
sslclient->socket = -1;
sslclient->handshake_timeout = 120000;
_use_insecure = false;
_stillinPlainStart = false;
_ca_cert_free = false;
_cert_free = false;
_private_key_free = false;
_CA_cert = NULL;
_cert = NULL;
_private_key = NULL;
_pskIdent = NULL;
_psKey = NULL;
next = NULL;
_alpn_protos = NULL;
_use_ca_bundle = false;
}
NetworkClientSecure::NetworkClientSecure(int sock) {
_connected = false;
_timeout = 30000; // Same default as ssl_client
_lastReadTimeout = 0;
_lastWriteTimeout = 0;
sslclient.reset(new sslclient_context, [](struct sslclient_context *sslclient) {
stop_ssl_socket(sslclient);
delete sslclient;
});
ssl_init(sslclient.get());
sslclient->socket = sock;
sslclient->handshake_timeout = 120000;
if (sock >= 0) {
_connected = true;
}
_use_insecure = false;
_stillinPlainStart = false;
_ca_cert_free = false;
_cert_free = false;
_private_key_free = false;
_CA_cert = NULL;
_cert = NULL;
_private_key = NULL;
_pskIdent = NULL;
_psKey = NULL;
next = NULL;
_alpn_protos = NULL;
}
NetworkClientSecure::~NetworkClientSecure() {
if (_ca_cert_free && _CA_cert) {
free((void *)_CA_cert);
}
if (_cert_free && _cert) {
free((void *)_cert);
}
if (_private_key_free && _private_key) {
free((void *)_private_key);
}
}
void NetworkClientSecure::stop() {
stop_ssl_socket(sslclient.get());
_connected = false;
sslclient->peek_buf = -1;
_lastReadTimeout = 0;
_lastWriteTimeout = 0;
}
int NetworkClientSecure::connect(IPAddress ip, uint16_t port) {
if (_pskIdent && _psKey) {
return connect(ip, port, _pskIdent, _psKey);
}
return connect(ip, port, _CA_cert, _cert, _private_key);
}
int NetworkClientSecure::connect(IPAddress ip, uint16_t port, int32_t timeout) {
_timeout = timeout;
return connect(ip, port);
}
int NetworkClientSecure::connect(const char *host, uint16_t port) {
if (_pskIdent && _psKey) {
return connect(host, port, _pskIdent, _psKey);
}
return connect(host, port, _CA_cert, _cert, _private_key);
}
int NetworkClientSecure::connect(const char *host, uint16_t port, int32_t timeout) {
_timeout = timeout;
return connect(host, port);
}
int NetworkClientSecure::connect(IPAddress ip, uint16_t port, const char *CA_cert, const char *cert, const char *private_key) {
return connect(ip, port, NULL, CA_cert, cert, private_key);
}
int NetworkClientSecure::connect(const char *host, uint16_t port, const char *CA_cert, const char *cert, const char *private_key) {
IPAddress address;
if (!Network.hostByName(host, address)) {
return 0;
}
return connect(address, port, host, CA_cert, cert, private_key);
}
int NetworkClientSecure::connect(IPAddress ip, uint16_t port, const char *host, const char *CA_cert, const char *cert, const char *private_key) {
int ret = start_ssl_client(sslclient.get(), ip, port, host, _timeout, CA_cert, _use_ca_bundle, cert, private_key, NULL, NULL, _use_insecure, _alpn_protos);
if (ret >= 0 && !_stillinPlainStart) {
ret = ssl_starttls_handshake(sslclient.get());
} else {
log_i("Actual TLS start postponed.");
}
sslclient->last_error = ret;
if (ret < 0) {
log_e("start_ssl_client: connect failed: %d", ret);
stop();
return 0;
}
_connected = true;
return 1;
}
int NetworkClientSecure::startTLS() {
int ret = 1;
if (_stillinPlainStart) {
log_i("startTLS: starting TLS/SSL on this dplain connection");
ret = ssl_starttls_handshake(sslclient.get());
if (ret < 0) {
log_e("startTLS: %d", ret);
stop();
return 0;
};
_stillinPlainStart = false;
} else {
log_i("startTLS: ignoring StartTLS - as we should be secure already");
}
return 1;
}
int NetworkClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) {
return connect(ip.toString().c_str(), port, pskIdent, psKey);
}
int NetworkClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
log_v("start_ssl_client with PSK");
IPAddress address;
if (!Network.hostByName(host, address)) {
return 0;
}
int ret = start_ssl_client(sslclient.get(), address, port, host, _timeout, NULL, false, NULL, NULL, pskIdent, psKey, _use_insecure, _alpn_protos);
sslclient->last_error = ret;
if (ret < 0) {
log_e("start_ssl_client: connect failed %d", ret);
stop();
return 0;
}
_connected = true;
return 1;
}
int NetworkClientSecure::peek() {
if (sslclient->peek_buf >= 0) {
return sslclient->peek_buf;
}
sslclient->peek_buf = timedRead();
return sslclient->peek_buf;
}
size_t NetworkClientSecure::write(uint8_t data) {
return write(&data, 1);
}
int NetworkClientSecure::read() {
uint8_t data = -1;
int res = read(&data, 1);
return res < 0 ? res : data;
}
size_t NetworkClientSecure::write(const uint8_t *buf, size_t size) {
if (!_connected) {
return 0;
}
if (_stillinPlainStart) {
return send_net_data(sslclient.get(), buf, size);
}
if (_lastWriteTimeout != _timeout) {
struct timeval timeout_tv;
timeout_tv.tv_sec = _timeout / 1000;
timeout_tv.tv_usec = (_timeout % 1000) * 1000;
if (setSocketOption(SO_SNDTIMEO, (char *)&timeout_tv, sizeof(struct timeval)) >= 0) {
_lastWriteTimeout = _timeout;
}
}
int res = send_ssl_data(sslclient.get(), buf, size);
if (res < 0) {
log_e("Closing connection on failed write");
stop();
res = 0;
}
return res;
}
int NetworkClientSecure::read(uint8_t *buf, size_t size) {
if (_stillinPlainStart) {
return get_net_receive(sslclient.get(), buf, size);
}
if (_lastReadTimeout != _timeout) {
if (fd() >= 0) {
struct timeval timeout_tv;
timeout_tv.tv_sec = _timeout / 1000;
timeout_tv.tv_usec = (_timeout % 1000) * 1000;
if (setSocketOption(SO_RCVTIMEO, (char *)&timeout_tv, sizeof(struct timeval)) >= 0) {
_lastReadTimeout = _timeout;
}
}
}
int peeked = 0, res = -1;
int avail = available();
if ((!buf && size) || avail <= 0) {
return -1;
}
if (!size) {
return 0;
}
if (sslclient->peek_buf >= 0) {
buf[0] = sslclient->peek_buf;
sslclient->peek_buf = -1;
size--;
avail--;
if (!size || !avail) {
return 1;
}
buf++;
peeked = 1;
}
res = get_ssl_receive(sslclient.get(), buf, size);
if (res < 0) {
log_e("Closing connection on failed read");
stop();
return peeked ? peeked : res;
}
return res + peeked;
}
int NetworkClientSecure::available() {
if (_stillinPlainStart) {
return peek_net_receive(sslclient.get(), 0);
}
int peeked = (sslclient->peek_buf >= 0), res = -1;
if (!_connected) {
return peeked;
}
res = data_to_read(sslclient.get());
if (res < 0 && !_stillinPlainStart) {
log_e("Closing connection on failed available check");
stop();
return peeked ? peeked : res;
}
return res + peeked;
}
uint8_t NetworkClientSecure::connected() {
uint8_t dummy = 0;
read(&dummy, 0);
return _connected;
}
void NetworkClientSecure::setInsecure() {
_CA_cert = NULL;
_cert = NULL;
_private_key = NULL;
_pskIdent = NULL;
_psKey = NULL;
_use_insecure = true;
}
void NetworkClientSecure::setCACert(const char *rootCA) {
if (_ca_cert_free && _CA_cert) {
free((void *)_CA_cert);
_ca_cert_free = false;
}
_CA_cert = rootCA;
_use_insecure = false;
}
void NetworkClientSecure::setCACertBundle(const uint8_t *bundle) {
if (bundle != NULL) {
esp_crt_bundle_set(bundle, sizeof(bundle));
attach_ssl_certificate_bundle(sslclient.get(), true);
_use_ca_bundle = true;
} else {
esp_crt_bundle_detach(NULL);
attach_ssl_certificate_bundle(sslclient.get(), false);
_use_ca_bundle = false;
}
}
void NetworkClientSecure::setCertificate(const char *client_ca) {
if (_cert_free && _cert) {
free((void *)_cert);
_cert_free = false;
}
_cert = client_ca;
}
void NetworkClientSecure::setPrivateKey(const char *private_key) {
if (_private_key_free && _private_key) {
free((void *)_private_key);
_private_key_free = false;
}
_private_key = private_key;
}
void NetworkClientSecure::setPreSharedKey(const char *pskIdent, const char *psKey) {
_pskIdent = pskIdent;
_psKey = psKey;
}
bool NetworkClientSecure::verify(const char *fp, const char *domain_name) {
if (!sslclient) {
return false;
}
return verify_ssl_fingerprint(sslclient.get(), fp, domain_name);
}
char *NetworkClientSecure::_streamLoad(Stream &stream, size_t size) {
char *dest = (char *)malloc(size + 1);
if (!dest) {
return nullptr;
}
if (size != stream.readBytes(dest, size)) {
free(dest);
dest = nullptr;
return nullptr;
}
dest[size] = '\0';
return dest;
}
bool NetworkClientSecure::loadCACert(Stream &stream, size_t size) {
if (_CA_cert != NULL) {
free(const_cast<char *>(_CA_cert));
}
char *dest = _streamLoad(stream, size);
bool ret = false;
if (dest) {
setCACert(dest);
_ca_cert_free = true;
ret = true;
}
return ret;
}
bool NetworkClientSecure::loadCertificate(Stream &stream, size_t size) {
if (_cert != NULL) {
free(const_cast<char *>(_cert));
}
char *dest = _streamLoad(stream, size);
bool ret = false;
if (dest) {
setCertificate(dest);
_cert_free = true;
ret = true;
}
return ret;
}
bool NetworkClientSecure::loadPrivateKey(Stream &stream, size_t size) {
if (_private_key != NULL) {
free(const_cast<char *>(_private_key));
}
char *dest = _streamLoad(stream, size);
bool ret = false;
if (dest) {
setPrivateKey(dest);
_private_key_free = true;
ret = true;
}
return ret;
}
int NetworkClientSecure::lastError(char *buf, const size_t size) {
int lastError = sslclient->last_error;
mbedtls_strerror(lastError, buf, size);
return lastError;
}
void NetworkClientSecure::setHandshakeTimeout(unsigned long handshake_timeout) {
sslclient->handshake_timeout = handshake_timeout * 1000;
}
void NetworkClientSecure::setAlpnProtocols(const char **alpn_protos) {
_alpn_protos = alpn_protos;
}
int NetworkClientSecure::fd() const {
return sslclient->socket;
}

131
lib/NetworkClientSecure/src/NetworkClientSecure.h Normal file
View File

@@ -0,0 +1,131 @@
/*
NetworkClientSecure.h - Base class that provides Client SSL to ESP32
Copyright (c) 2011 Adrian McEwen. All right reserved.
Additions Copyright (C) 2017 Evandro Luis Copercini.
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef NetworkClientSecure_h
#define NetworkClientSecure_h
#include "Arduino.h"
#include "IPAddress.h"
#include "Network.h"
#include "ssl_client.h"
#include <memory>
class NetworkClientSecure : public NetworkClient {
protected:
std::shared_ptr<sslclient_context> sslclient;
bool _use_insecure;
bool _stillinPlainStart;
bool _ca_cert_free;
bool _cert_free;
bool _private_key_free;
const char *_CA_cert;
const char *_cert;
const char *_private_key;
const char *_pskIdent; // identity for PSK cipher suites
const char *_psKey; // key in hex for PSK cipher suites
const char **_alpn_protos;
bool _use_ca_bundle;
public:
NetworkClientSecure *next;
NetworkClientSecure();
NetworkClientSecure(int socket);
~NetworkClientSecure();
int connect(IPAddress ip, uint16_t port);
int connect(IPAddress ip, uint16_t port, int32_t timeout);
int connect(const char *host, uint16_t port);
int connect(const char *host, uint16_t port, int32_t timeout);
int connect(IPAddress ip, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
int connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey);
int connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey);
int connect(IPAddress ip, uint16_t port, const char *host, const char *CA_cert, const char *cert, const char *private_key);
int peek();
size_t write(uint8_t data);
size_t write(const uint8_t *buf, size_t size);
int available();
int read();
int read(uint8_t *buf, size_t size);
void flush() {}
void stop();
uint8_t connected();
int lastError(char *buf, const size_t size);
void setInsecure(); // Don't validate the chain, just accept whatever is given. VERY INSECURE!
void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
void setCACert(const char *rootCA);
void setCertificate(const char *client_ca);
void setPrivateKey(const char *private_key);
bool loadCACert(Stream &stream, size_t size);
void setCACertBundle(const uint8_t *bundle);
bool loadCertificate(Stream &stream, size_t size);
bool loadPrivateKey(Stream &stream, size_t size);
bool verify(const char *fingerprint, const char *domain_name);
void setHandshakeTimeout(unsigned long handshake_timeout);
void setAlpnProtocols(const char **alpn_protos);
// Certain protocols start in plain-text; and then have the client
// give some STARTSSL command to `upgrade' the connection to TLS
// or SSL. Setting PlainStart to true (the default is false) enables
// this. It is up to the application code to then call 'startTLS()'
// at the right point to initialize the SSL or TLS upgrade.
void setPlainStart() {
_stillinPlainStart = true;
};
bool stillInPlainStart() {
return _stillinPlainStart;
};
int startTLS();
const mbedtls_x509_crt *getPeerCertificate() {
return mbedtls_ssl_get_peer_cert(&sslclient->ssl_ctx);
};
bool getFingerprintSHA256(uint8_t sha256_result[32]) {
return get_peer_fingerprint(sslclient.get(), sha256_result);
};
int fd() const;
operator bool() {
return connected();
}
bool operator==(const bool value) {
return bool() == value;
}
bool operator!=(const bool value) {
return bool() != value;
}
bool operator==(const NetworkClientSecure &);
bool operator!=(const NetworkClientSecure &rhs) {
return !this->operator==(rhs);
};
int socket() {
return sslclient->socket = -1;
}
private:
char *_streamLoad(Stream &stream, size_t size);
//friend class NetworkServer;
using Print::write;
};
#endif /* _WIFICLIENT_H_ */

3
lib/NetworkClientSecure/src/WiFiClientSecure.h Normal file
View File

@@ -0,0 +1,3 @@
#pragma once
#include "NetworkClientSecure.h"
#define WiFiClientSecure NetworkClientSecure

633
lib/NetworkClientSecure/src/ssl_client.cpp Normal file
View File

@@ -0,0 +1,633 @@
/* Provide SSL/TLS functions to ESP32 with Arduino IDE
*
* Adapted from the ssl_client1 example of mbedtls.
*
* Original Copyright (C) 2006-2015, ARM Limited, All Rights Reserved, Apache 2.0 License.
* Additions Copyright (C) 2017 Evandro Luis Copercini, Apache 2.0 License.
*/
#include "Arduino.h"
#include <esp32-hal-log.h>
#include <lwip/err.h>
#include <lwip/sockets.h>
#include <lwip/sys.h>
#include <lwip/netdb.h>
#include <mbedtls/sha256.h>
#include <mbedtls/oid.h>
#include <algorithm>
#include <string>
#include "ssl_client.h"
#include "esp_crt_bundle.h"
#if !defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) && !defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#warning \
"Please call `idf.py menuconfig` then go to Component config -> mbedTLS -> TLS Key Exchange Methods -> Enable pre-shared-key ciphersuites and then check `Enable PSK based ciphersuite modes`. Save and Quit."
#else
const char *pers = "esp32-tls";
static int _handle_error(int err, const char *function, int line) {
if (err == -30848) {
return err;
}
#ifdef MBEDTLS_ERROR_C
char error_buf[100];
mbedtls_strerror(err, error_buf, 100);
log_e("[%s():%d]: (%d) %s", function, line, err, error_buf);
#else
log_e("[%s():%d]: code %d", function, line, err);
#endif
return err;
}
#define handle_error(e) _handle_error(e, __FUNCTION__, __LINE__)
void ssl_init(sslclient_context *ssl_client) {
// reset embedded pointers to zero
memset(ssl_client, 0, sizeof(sslclient_context));
mbedtls_ssl_init(&ssl_client->ssl_ctx);
mbedtls_ssl_config_init(&ssl_client->ssl_conf);
mbedtls_ctr_drbg_init(&ssl_client->drbg_ctx);
ssl_client->peek_buf = -1;
}
void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att) {
if (att) {
ssl_client->bundle_attach_cb = &esp_crt_bundle_attach;
} else {
ssl_client->bundle_attach_cb = NULL;
}
}
int start_ssl_client(
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
) {
int ret;
int enable = 1;
log_v("Free internal heap before TLS %u", ESP.getFreeHeap());
if (rootCABuff == NULL && pskIdent == NULL && psKey == NULL && !insecure && !useRootCABundle) {
return -1;
}
int domain = ip.type() == IPv6 ? AF_INET6 : AF_INET;
log_v("Starting socket (domain %d)", domain);
ssl_client->socket = -1;
ssl_client->socket = lwip_socket(domain, SOCK_STREAM, IPPROTO_TCP);
if (ssl_client->socket < 0) {
log_e("ERROR opening socket");
return ssl_client->socket;
}
fcntl(ssl_client->socket, F_SETFL, fcntl(ssl_client->socket, F_GETFL, 0) | O_NONBLOCK);
struct sockaddr_storage serv_addr = {};
if (domain == AF_INET6) {
struct sockaddr_in6 *tmpaddr = (struct sockaddr_in6 *)&serv_addr;
tmpaddr->sin6_family = AF_INET6;
for (int index = 0; index < 16; index++) {
tmpaddr->sin6_addr.s6_addr[index] = ip[index];
}
tmpaddr->sin6_port = htons(port);
tmpaddr->sin6_scope_id = ip.zone();
} else {
struct sockaddr_in *tmpaddr = (struct sockaddr_in *)&serv_addr;
tmpaddr->sin_family = AF_INET;
tmpaddr->sin_addr.s_addr = ip;
tmpaddr->sin_port = htons(port);
}
if (timeout <= 0) {
timeout = 30000; // Milli seconds.
}
ssl_client->socket_timeout = timeout;
fd_set fdset;
struct timeval tv;
FD_ZERO(&fdset);
FD_SET(ssl_client->socket, &fdset);
tv.tv_sec = timeout / 1000;
tv.tv_usec = (timeout % 1000) * 1000;
int res = lwip_connect(ssl_client->socket, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
if (res < 0 && errno != EINPROGRESS) {
log_e("connect on fd %d, errno: %d, \"%s\"", ssl_client->socket, errno, strerror(errno));
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
return -1;
}
res = select(ssl_client->socket + 1, nullptr, &fdset, nullptr, timeout < 0 ? nullptr : &tv);
if (res < 0) {
log_e("select on fd %d, errno: %d, \"%s\"", ssl_client->socket, errno, strerror(errno));
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
return -1;
} else if (res == 0) {
log_i("select returned due to timeout %d ms for fd %d", timeout, ssl_client->socket);
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
return -1;
} else {
int sockerr;
socklen_t len = (socklen_t)sizeof(int);
res = getsockopt(ssl_client->socket, SOL_SOCKET, SO_ERROR, &sockerr, &len);
if (res < 0) {
log_e("getsockopt on fd %d, errno: %d, \"%s\"", ssl_client->socket, errno, strerror(errno));
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
return -1;
}
if (sockerr != 0) {
log_e("socket error on fd %d, errno: %d, \"%s\"", ssl_client->socket, sockerr, strerror(sockerr));
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
return -1;
}
}
#define ROE(x, msg) \
{ \
if (((x) < 0)) { \
log_e("LWIP Socket config of " msg " failed."); \
return -1; \
} \
}
ROE(lwip_setsockopt(ssl_client->socket, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)), "SO_RCVTIMEO");
ROE(lwip_setsockopt(ssl_client->socket, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv)), "SO_SNDTIMEO");
ROE(lwip_setsockopt(ssl_client->socket, IPPROTO_TCP, TCP_NODELAY, &enable, sizeof(enable)), "TCP_NODELAY");
ROE(lwip_setsockopt(ssl_client->socket, SOL_SOCKET, SO_KEEPALIVE, &enable, sizeof(enable)), "SO_KEEPALIVE");
log_v("Seeding the random number generator");
mbedtls_entropy_init(&ssl_client->entropy_ctx);
ret = mbedtls_ctr_drbg_seed(&ssl_client->drbg_ctx, mbedtls_entropy_func, &ssl_client->entropy_ctx, (const unsigned char *)pers, strlen(pers));
if (ret < 0) {
return handle_error(ret);
}
log_v("Setting up the SSL/TLS structure...");
if ((ret = mbedtls_ssl_config_defaults(&ssl_client->ssl_conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
return handle_error(ret);
}
if (alpn_protos != NULL) {
log_v("Setting ALPN protocols");
if ((ret = mbedtls_ssl_conf_alpn_protocols(&ssl_client->ssl_conf, alpn_protos)) != 0) {
return handle_error(ret);
}
}
// MBEDTLS_SSL_VERIFY_REQUIRED if a CA certificate is defined on Arduino IDE and
// MBEDTLS_SSL_VERIFY_NONE if not.
if (insecure) {
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
log_d("WARNING: Skipping SSL Verification. INSECURE!");
} else if (rootCABuff != NULL) {
log_v("Loading CA cert");
mbedtls_x509_crt_init(&ssl_client->ca_cert);
mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_REQUIRED);
ret = mbedtls_x509_crt_parse(&ssl_client->ca_cert, (const unsigned char *)rootCABuff, strlen(rootCABuff) + 1);
mbedtls_ssl_conf_ca_chain(&ssl_client->ssl_conf, &ssl_client->ca_cert, NULL);
//mbedtls_ssl_conf_verify(&ssl_client->ssl_ctx, my_verify, NULL );
if (ret < 0) {
// free the ca_cert in the case parse failed, otherwise, the old ca_cert still in the heap memory, that lead to "out of memory" crash.
mbedtls_x509_crt_free(&ssl_client->ca_cert);
return handle_error(ret);
}
} else if (useRootCABundle) {
if (ssl_client->bundle_attach_cb != NULL) {
log_v("Attaching root CA cert bundle");
ret = ssl_client->bundle_attach_cb(&ssl_client->ssl_conf);
if (ret < 0) {
return handle_error(ret);
}
} else {
log_e("useRootCABundle is set, but attach_ssl_certificate_bundle(ssl, true); was not called!");
}
} else if (pskIdent != NULL && psKey != NULL) {
log_v("Setting up PSK");
// convert PSK from hex to binary
if ((strlen(psKey) & 1) != 0 || strlen(psKey) > 2 * MBEDTLS_PSK_MAX_LEN) {
log_e("pre-shared key not valid hex or too long");
return -1;
}
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
size_t psk_len = strlen(psKey) / 2;
for (int j = 0; j < strlen(psKey); j += 2) {
char c = psKey[j];
if (c >= '0' && c <= '9') {
c -= '0';
} else if (c >= 'A' && c <= 'F') {
c -= 'A' - 10;
} else if (c >= 'a' && c <= 'f') {
c -= 'a' - 10;
} else {
return -1;
}
psk[j / 2] = c << 4;
c = psKey[j + 1];
if (c >= '0' && c <= '9') {
c -= '0';
} else if (c >= 'A' && c <= 'F') {
c -= 'A' - 10;
} else if (c >= 'a' && c <= 'f') {
c -= 'a' - 10;
} else {
return -1;
}
psk[j / 2] |= c;
}
// set mbedtls config
ret = mbedtls_ssl_conf_psk(&ssl_client->ssl_conf, psk, psk_len, (const unsigned char *)pskIdent, strlen(pskIdent));
if (ret != 0) {
log_e("mbedtls_ssl_conf_psk returned %d", ret);
return handle_error(ret);
}
} else {
return -1;
}
// Note - this check for BOTH key and cert is relied on
// later during cleanup.
if (!insecure && cli_cert != NULL && cli_key != NULL) {
mbedtls_x509_crt_init(&ssl_client->client_cert);
mbedtls_pk_init(&ssl_client->client_key);
log_v("Loading CRT cert");
ret = mbedtls_x509_crt_parse(&ssl_client->client_cert, (const unsigned char *)cli_cert, strlen(cli_cert) + 1);
if (ret < 0) {
// free the client_cert in the case parse failed, otherwise, the old client_cert still in the heap memory, that lead to "out of memory" crash.
mbedtls_x509_crt_free(&ssl_client->client_cert);
return handle_error(ret);
}
log_v("Loading private key");
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ctr_drbg_init(&ctr_drbg);
ret = mbedtls_pk_parse_key(&ssl_client->client_key, (const unsigned char *)cli_key, strlen(cli_key) + 1, NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ctr_drbg_free(&ctr_drbg);
if (ret != 0) {
mbedtls_x509_crt_free(&ssl_client->client_cert); // cert+key are free'd in pair
return handle_error(ret);
}
mbedtls_ssl_conf_own_cert(&ssl_client->ssl_conf, &ssl_client->client_cert, &ssl_client->client_key);
}
log_v("Setting hostname for TLS session...");
// Hostname set here should match CN in server certificate
if ((ret = mbedtls_ssl_set_hostname(&ssl_client->ssl_ctx, hostname != NULL ? hostname : ip.toString().c_str())) != 0) {
return handle_error(ret);
}
mbedtls_ssl_conf_rng(&ssl_client->ssl_conf, mbedtls_ctr_drbg_random, &ssl_client->drbg_ctx);
if ((ret = mbedtls_ssl_setup(&ssl_client->ssl_ctx, &ssl_client->ssl_conf)) != 0) {
return handle_error(ret);
}
mbedtls_ssl_set_bio(&ssl_client->ssl_ctx, &ssl_client->socket, mbedtls_net_send, mbedtls_net_recv, NULL);
return ssl_client->socket;
}
int ssl_starttls_handshake(sslclient_context *ssl_client) {
char buf[512];
int ret, flags;
log_v("Performing the SSL/TLS handshake...");
unsigned long handshake_start_time = millis();
while ((ret = mbedtls_ssl_handshake(&ssl_client->ssl_ctx)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
return handle_error(ret);
}
if ((millis() - handshake_start_time) > ssl_client->handshake_timeout) {
return -1;
}
vTaskDelay(2); //2 ticks
}
if (ssl_client->client_cert.version) {
log_d("Protocol is %s Ciphersuite is %s", mbedtls_ssl_get_version(&ssl_client->ssl_ctx), mbedtls_ssl_get_ciphersuite(&ssl_client->ssl_ctx));
if ((ret = mbedtls_ssl_get_record_expansion(&ssl_client->ssl_ctx)) >= 0) {
log_d("Record expansion is %d", ret);
} else {
log_w("Record expansion is unknown (compression)");
}
}
log_v("Verifying peer X.509 certificate...");
if ((flags = mbedtls_ssl_get_verify_result(&ssl_client->ssl_ctx)) != 0) {
memset(buf, 0, sizeof(buf));
mbedtls_x509_crt_verify_info(buf, sizeof(buf), " ! ", flags);
log_e("Failed to verify peer certificate! verification info: %s", buf);
return handle_error(ret);
} else {
log_v("Certificate verified.");
}
if (ssl_client->ca_cert.version) {
mbedtls_x509_crt_free(&ssl_client->ca_cert);
}
// We know that we always have a client cert/key pair -- and we
// cannot look into the private client_key pk struct for newer
// versions of mbedtls. So rely on a public field of the cert
// and infer that there is a key too.
if (ssl_client->client_cert.version) {
mbedtls_x509_crt_free(&ssl_client->client_cert);
mbedtls_pk_free(&ssl_client->client_key);
}
log_v("Free internal heap after TLS %u", ESP.getFreeHeap());
return ssl_client->socket;
}
void stop_ssl_socket(sslclient_context *ssl_client) {
log_v("Cleaning SSL connection.");
if (ssl_client->socket >= 0) {
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
}
// avoid memory leak if ssl connection attempt failed
// if (ssl_client->ssl_conf.ca_chain != NULL) {
mbedtls_x509_crt_free(&ssl_client->ca_cert);
// }
// if (ssl_client->ssl_conf.key_cert != NULL) {
mbedtls_x509_crt_free(&ssl_client->client_cert);
mbedtls_pk_free(&ssl_client->client_key);
// }
mbedtls_ssl_free(&ssl_client->ssl_ctx);
mbedtls_ssl_config_free(&ssl_client->ssl_conf);
mbedtls_ctr_drbg_free(&ssl_client->drbg_ctx);
mbedtls_entropy_free(&ssl_client->entropy_ctx);
// save only interesting fields
int handshake_timeout = ssl_client->handshake_timeout;
int socket_timeout = ssl_client->socket_timeout;
int last_err = ssl_client->last_error;
// reset embedded pointers to zero
memset(ssl_client, 0, sizeof(sslclient_context));
ssl_client->handshake_timeout = handshake_timeout;
ssl_client->socket_timeout = socket_timeout;
ssl_client->last_error = last_err;
ssl_client->peek_buf = -1;
}
int data_to_read(sslclient_context *ssl_client) {
int ret, res;
ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, NULL, 0);
//log_e("RET: %i",ret); //for low level debug
res = mbedtls_ssl_get_bytes_avail(&ssl_client->ssl_ctx);
//log_e("RES: %i",res); //for low level debug
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
return handle_error(ret);
}
return res;
}
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, size_t len) {
unsigned long write_start_time = millis();
int ret = -1;
while ((ret = mbedtls_ssl_write(&ssl_client->ssl_ctx, data, len)) <= 0) {
if ((millis() - write_start_time) > ssl_client->socket_timeout) {
log_v("SSL write timed out.");
return -1;
}
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret < 0) {
log_v("Handling error %d", ret); //for low level debug
return handle_error(ret);
}
//wait for space to become available
vTaskDelay(2);
}
return ret;
}
// Some protocols, such as SMTP, XMPP, MySQL/Posgress and various others
// do a 'in-line' upgrade from plaintext to SSL or TLS (usually with some
// sort of 'STARTTLS' textual command from client to sever). For this
// we need to have access to the 'raw' socket; i.e. without TLS/SSL state
// handling before the handshake starts; but after setting up the TLS
// connection.
//
int peek_net_receive(sslclient_context *ssl_client, int timeout) {
#if MBEDTLS_FIXED_LINKING_NET_POLL
int ret = mbedtls_net_poll((mbedtls_net_context *)ssl_client, MBEDTLS_NET_POLL_READ, timeout);
ret == MBEDTLS_NET_POLL_READ ? 1 : ret;
#else
// We should be using mbedtls_net_poll(); which is part of mbedtls and
// included in the EspressifSDK. Unfortunately - it did not make it into
// the statically linked library file. So, for now, we replace it by
// substancially similar code.
//
struct timeval tv = {.tv_sec = timeout / 1000, .tv_usec = (timeout % 1000) * 1000};
fd_set fdset;
FD_SET(ssl_client->socket, &fdset);
int ret = select(ssl_client->socket + 1, &fdset, nullptr, nullptr, timeout < 0 ? nullptr : &tv);
if (ret < 0) {
log_e("select on read fd %d, errno: %d, \"%s\"", ssl_client->socket, errno, strerror(errno));
lwip_close(ssl_client->socket);
ssl_client->socket = -1;
return -1;
};
#endif
return ret;
};
int get_net_receive(sslclient_context *ssl_client, uint8_t *data, int length) {
int ret = peek_net_receive(ssl_client, ssl_client->socket_timeout);
if (ret > 0) {
ret = mbedtls_net_recv(ssl_client, data, length);
}
// log_v( "%d bytes NET read of %d", ret, length); //for low level debug
return ret;
}
int send_net_data(sslclient_context *ssl_client, const uint8_t *data, size_t len) {
int ret = mbedtls_net_send(ssl_client, data, len);
// log_v("Net sending %d btes->ret %d", len, ret); //for low level debug
return ret;
}
int get_ssl_receive(sslclient_context *ssl_client, uint8_t *data, int length) {
int ret = mbedtls_ssl_read(&ssl_client->ssl_ctx, data, length);
// log_v( "%d bytes SSL read", ret); //for low level debug
return ret;
}
static bool parseHexNibble(char pb, uint8_t *res) {
if (pb >= '0' && pb <= '9') {
*res = (uint8_t)(pb - '0');
return true;
} else if (pb >= 'a' && pb <= 'f') {
*res = (uint8_t)(pb - 'a' + 10);
return true;
} else if (pb >= 'A' && pb <= 'F') {
*res = (uint8_t)(pb - 'A' + 10);
return true;
}
return false;
}
// Compare a name from certificate and domain name, return true if they match
static bool matchName(const std::string &name, const std::string &domainName) {
size_t wildcardPos = name.find('*');
if (wildcardPos == std::string::npos) {
// Not a wildcard, expect an exact match
return name == domainName;
}
size_t firstDotPos = name.find('.');
if (wildcardPos > firstDotPos) {
// Wildcard is not part of leftmost component of domain name
// Do not attempt to match (rfc6125 6.4.3.1)
return false;
}
if (wildcardPos != 0 || firstDotPos != 1) {
// Matching of wildcards such as baz*.example.com and b*z.example.com
// is optional. Maybe implement this in the future?
return false;
}
size_t domainNameFirstDotPos = domainName.find('.');
if (domainNameFirstDotPos == std::string::npos) {
return false;
}
return domainName.substr(domainNameFirstDotPos) == name.substr(firstDotPos);
}
// Verifies certificate provided by the peer to match specified SHA256 fingerprint
bool verify_ssl_fingerprint(sslclient_context *ssl_client, const char *fp, const char *domain_name) {
// Convert hex string to byte array
uint8_t fingerprint_local[32];
int len = strlen(fp);
int pos = 0;
for (size_t i = 0; i < sizeof(fingerprint_local); ++i) {
while (pos < len && ((fp[pos] == ' ') || (fp[pos] == ':'))) {
++pos;
}
if (pos > len - 2) {
log_d("pos:%d len:%d fingerprint too short", pos, len);
return false;
}
uint8_t high, low;
if (!parseHexNibble(fp[pos], &high) || !parseHexNibble(fp[pos + 1], &low)) {
log_d("pos:%d len:%d invalid hex sequence: %c%c", pos, len, fp[pos], fp[pos + 1]);
return false;
}
pos += 2;
fingerprint_local[i] = low | (high << 4);
}
// Calculate certificate's SHA256 fingerprint
uint8_t fingerprint_remote[32];
if (!get_peer_fingerprint(ssl_client, fingerprint_remote)) {
return false;
}
// Check if fingerprints match
if (memcmp(fingerprint_local, fingerprint_remote, 32)) {
log_d("fingerprint doesn't match");
return false;
}
// Additionally check if certificate has domain name if provided
if (domain_name) {
return verify_ssl_dn(ssl_client, domain_name);
} else {
return true;
}
}
bool get_peer_fingerprint(sslclient_context *ssl_client, uint8_t sha256[32]) {
if (!ssl_client) {
log_d("Invalid ssl_client pointer");
return false;
};
const mbedtls_x509_crt *crt = mbedtls_ssl_get_peer_cert(&ssl_client->ssl_ctx);
if (!crt) {
log_d("Failed to get peer cert.");
return false;
};
mbedtls_sha256_context sha256_ctx;
mbedtls_sha256_init(&sha256_ctx);
mbedtls_sha256_starts(&sha256_ctx, false);
mbedtls_sha256_update(&sha256_ctx, crt->raw.p, crt->raw.len);
mbedtls_sha256_finish(&sha256_ctx, sha256);
return true;
}
// Checks if peer certificate has specified domain in CN or SANs
bool verify_ssl_dn(sslclient_context *ssl_client, const char *domain_name) {
log_d("domain name: '%s'", (domain_name) ? domain_name : "(null)");
std::string domain_name_str(domain_name);
std::transform(domain_name_str.begin(), domain_name_str.end(), domain_name_str.begin(), ::tolower);
// Get certificate provided by the peer
const mbedtls_x509_crt *crt = mbedtls_ssl_get_peer_cert(&ssl_client->ssl_ctx);
// Check for domain name in SANs
const mbedtls_x509_sequence *san = &crt->subject_alt_names;
while (san != nullptr) {
std::string san_str((const char *)san->buf.p, san->buf.len);
std::transform(san_str.begin(), san_str.end(), san_str.begin(), ::tolower);
if (matchName(san_str, domain_name_str)) {
return true;
}
log_d("SAN '%s': no match", san_str.c_str());
// Fetch next SAN
san = san->next;
}
// Check for domain name in CN
const mbedtls_asn1_named_data *common_name = &crt->subject;
while (common_name != nullptr) {
// While iterating through DN objects, check for CN object
if (!MBEDTLS_OID_CMP(MBEDTLS_OID_AT_CN, &common_name->oid)) {
std::string common_name_str((const char *)common_name->val.p, common_name->val.len);
if (matchName(common_name_str, domain_name_str)) {
return true;
}
log_d("CN '%s': not match", common_name_str.c_str());
}
// Fetch next DN object
common_name = common_name->next;
}
return false;
}
#endif

56
lib/NetworkClientSecure/src/ssl_client.h Normal file
View File

@@ -0,0 +1,56 @@
/* Provide SSL/TLS functions to ESP32 with Arduino IDE
* by Evandro Copercini - 2017 - Apache 2.0 License
*/
#ifndef ARD_SSL_H
#define ARD_SSL_H
#include "mbedtls/platform.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
typedef esp_err_t (*crt_bundle_attach_cb)(void *conf);
typedef struct sslclient_context {
int socket;
mbedtls_ssl_context ssl_ctx;
mbedtls_ssl_config ssl_conf;
mbedtls_ctr_drbg_context drbg_ctx;
mbedtls_entropy_context entropy_ctx;
mbedtls_x509_crt ca_cert;
mbedtls_x509_crt client_cert;
mbedtls_pk_context client_key;
crt_bundle_attach_cb bundle_attach_cb;
unsigned long socket_timeout;
unsigned long handshake_timeout;
int last_error;
int peek_buf;
} sslclient_context;
void ssl_init(sslclient_context *ssl_client);
int start_ssl_client(
sslclient_context *ssl_client, const IPAddress &ip, uint32_t port, const char *hostname, int timeout, const char *rootCABuff, bool useRootCABundle,
const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey, bool insecure, const char **alpn_protos
);
void attach_ssl_certificate_bundle(sslclient_context *ssl_client, bool att);
int ssl_starttls_handshake(sslclient_context *ssl_client);
void stop_ssl_socket(sslclient_context *ssl_client);
int data_to_read(sslclient_context *ssl_client);
int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, size_t len);
int get_ssl_receive(sslclient_context *ssl_client, uint8_t *data, int length);
int send_net_data(sslclient_context *ssl_client, const uint8_t *data, size_t len);
int get_net_receive(sslclient_context *ssl_client, uint8_t *data, int length);
int peek_net_receive(sslclient_context *ssl_client, int timeout);
bool verify_ssl_fingerprint(sslclient_context *ssl_client, const char *fp, const char *domain_name);
bool verify_ssl_dn(sslclient_context *ssl_client, const char *domain_name);
bool get_peer_fingerprint(sslclient_context *ssl_client, uint8_t sha256[32]);
#endif