/* NetworkClientSecure.h - Base class that provides Client SSL to ESP32 Copyright (c) 2011 Adrian McEwen. All right reserved. Additions Copyright (C) 2017 Evandro Luis Copercini. This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */ #ifndef NetworkClientSecure_h #define NetworkClientSecure_h #include "Arduino.h" #include "IPAddress.h" #include "Network.h" #include "ssl_client.h" #include class NetworkClientSecure : public NetworkClient { protected: std::shared_ptr sslclient; bool _use_insecure; bool _stillinPlainStart; bool _ca_cert_free; bool _cert_free; bool _private_key_free; const char *_CA_cert; const char *_cert; const char *_private_key; const char *_pskIdent; // identity for PSK cipher suites const char *_psKey; // key in hex for PSK cipher suites const char **_alpn_protos; bool _use_ca_bundle; public: NetworkClientSecure *next; NetworkClientSecure(); NetworkClientSecure(int socket); ~NetworkClientSecure(); int connect(IPAddress ip, uint16_t port); int connect(IPAddress ip, uint16_t port, int32_t timeout); int connect(const char *host, uint16_t port); int connect(const char *host, uint16_t port, int32_t timeout); int connect(IPAddress ip, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key); int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key); int connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey); int connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey); int connect(IPAddress ip, uint16_t port, const char *host, const char *CA_cert, const char *cert, const char *private_key); int peek(); size_t write(uint8_t data); size_t write(const uint8_t *buf, size_t size); int available(); int read(); int read(uint8_t *buf, size_t size); void flush() {} void stop(); uint8_t connected(); int lastError(char *buf, const size_t size); void setInsecure(); // Don't validate the chain, just accept whatever is given. VERY INSECURE! void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex void setCACert(const char *rootCA); void setCertificate(const char *client_ca); void setPrivateKey(const char *private_key); bool loadCACert(Stream &stream, size_t size); void setCACertBundle(const uint8_t *bundle); bool loadCertificate(Stream &stream, size_t size); bool loadPrivateKey(Stream &stream, size_t size); bool verify(const char *fingerprint, const char *domain_name); void setHandshakeTimeout(unsigned long handshake_timeout); void setAlpnProtocols(const char **alpn_protos); // Certain protocols start in plain-text; and then have the client // give some STARTSSL command to `upgrade' the connection to TLS // or SSL. Setting PlainStart to true (the default is false) enables // this. It is up to the application code to then call 'startTLS()' // at the right point to initialize the SSL or TLS upgrade. void setPlainStart() { _stillinPlainStart = true; }; bool stillInPlainStart() { return _stillinPlainStart; }; int startTLS(); const mbedtls_x509_crt *getPeerCertificate() { return mbedtls_ssl_get_peer_cert(&sslclient->ssl_ctx); }; bool getFingerprintSHA256(uint8_t sha256_result[32]) { return get_peer_fingerprint(sslclient.get(), sha256_result); }; int fd() const; operator bool() { return connected(); } bool operator==(const bool value) { return bool() == value; } bool operator!=(const bool value) { return bool() != value; } bool operator==(const NetworkClientSecure &); bool operator!=(const NetworkClientSecure &rhs) { return !this->operator==(rhs); }; int socket() { return sslclient->socket = -1; } private: char *_streamLoad(Stream &stream, size_t size); //friend class NetworkServer; using Print::write; }; #endif /* _WIFICLIENT_H_ */