WiFiSecureClient fixes and improvements (espressif#255)

* Add CA certificate in example SHA1 fingerprint is broken now: more info: https://shattered.io * Best error handling When occur an error in WiFiClientSecure library just return the error message and clean the context avoiding crash - fix for espressif#211 Translate MbedTLS error codes in messages for best understanding * Declarate certificates as const mbedtls_pk_parse_key needs a const unsigned char * certificate. In old implementation the certificate was declarated as char * so first it converts to unsigned and after to const. When we convert signed to unsigned it may result in a +1 larger output. Fix issue espressif#223

Author: copercini

libraries/WiFiClientSecure/examples/WiFiClientSecure/WiFiClientSecure.ino

@@ -8,14 +8,47 @@
 
 #include <WiFiClientSecure.h>
 
-char ssid[] = "your_network_name"; //  your network SSID (name of wifi network)
-char pass[] = "your_password";  // your network password
+const char* ssid = "your-ssid";  // your network SSID (name of wifi network)
+const char* password = "your-password"; // your network password
 
-char server[] = "www.howsmyssl.com"; // Server URL
-// You can use x.509 certificates if you want
-//unsigned char test_ca_cert[] = ""; //For the usage of verifying server
-//unsigned char test_client_key[] = ""; //For the usage of verifying client
-//unsigned char test_client_cert[] = ""; //For the usage of verifying client
+const char* server = "www.howsmyssl.com"; // Server URL
+
+// www.howsmyssl.com CA certificate, to verify the server
+// change it to your server CA certificate
+// SHA1 fingerprint is broken now!
+
+const char* test_ca_cert = \ 
+"-----BEGIN CERTIFICATE-----\n" \
+"MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/\n" \
+"MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n" \
+"DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow\n" \
+"SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT\n" \
+"GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC\n" \
+"AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF\n" \
+"q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8\n" \
+"SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0\n" \
+"Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA\n" \
+"a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj\n" \
+"/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T\n" \
+"AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG\n" \
+"CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv\n" \
+"bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k\n" \
+"c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw\n" \
+"VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC\n" \
+"ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz\n" \
+"MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu\n" \
+"Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF\n" \
+"AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo\n" \
+"uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/\n" \
+"wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu\n" \
+"X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG\n" \
+"PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6\n" \
+"KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==\n" \
+"-----END CERTIFICATE-----\n";
+
+// You can use x.509 client certificates if you want
+//const char* test_client_key = ""; //to verify the client
+//const char* test_client_cert = ""; //to verify the client
 
 
 WiFiClientSecure client;
@@ -27,7 +60,7 @@ void setup() {
 
  Serial.print("Attempting to connect to SSID: ");
  Serial.println(ssid);
- WiFi.begin(ssid, pass);
+ WiFi.begin(ssid, password);
 
  // attempt to connect to Wifi network:
  while (WiFi.status() != WL_CONNECTED) {
@@ -38,39 +71,43 @@ void setup() {
 
  Serial.print("Connected to ");
  Serial.println(ssid);
+ 
+ client.setCACert(test_ca_cert);
+ //client.setCertificate(certificateBuff); // for client verification
+ //client.setPrivateKey(privateKeyBuff);	// for client verification
 
  Serial.println("\nStarting connection to server...");
- if (client.connect(server, 443)) { //client.connect(server, 443, test_ca_cert, test_client_cert, test_client_key)
+ if (!client.connect(server, 443))
+ Serial.println("Connection failed!");
+ else {
  Serial.println("Connected to server!");
  // Make a HTTP request:
  client.println("GET https://www.howsmyssl.com/a/check HTTP/1.0");
  client.println("Host: www.howsmyssl.com");
  client.println("Connection: close");
  client.println();
- }
- else
- Serial.println("Connection failed!");
 
 Serial.print("Waiting for response "); //WiFiClientSecure uses a non blocking implementation
 while (!client.available()){
 delay(50); //
 Serial.print(".");
 } 
- // if there are incoming bytes available
- // from the server, read them and print them:
- while (client.available()) {
- char c = client.read();
- Serial.write(c);
- }
+  // if there are incoming bytes available
+  // from the server, read them and print them:
+  while (client.available()) {
+  char c = client.read();
+  Serial.write(c);
+  }
 
- // if the server's disconnected, stop the client:
- if (!client.connected()) {
- Serial.println();
- Serial.println("disconnecting from server.");
- client.stop();
+ // if the server's disconnected, stop the client:
+ if (!client.connected()) {
+ Serial.println();
+ Serial.println("disconnecting from server.");
+ client.stop();
+ }
  }
 }
 
 void loop() {
  // do nothing
-}
+}

libraries/WiFiClientSecure/src/WiFiClientSecure.cpp

@@ -39,7 +39,7 @@ WiFiClientSecure::WiFiClientSecure()
  _CA_cert = NULL;
  _cert = NULL;
  _private_key = NULL;
- next = NULL;
+next = NULL;
 }
 
 
@@ -58,7 +58,7 @@ WiFiClientSecure::WiFiClientSecure(int sock)
  _CA_cert = NULL;
  _cert = NULL;
  _private_key = NULL;
- next = NULL;
+ next = NULL;
 }
 
 WiFiClientSecure::~WiFiClientSecure()
@@ -76,34 +76,37 @@ WiFiClientSecure &WiFiClientSecure::operator=(const WiFiClientSecure &other)
 
 void WiFiClientSecure::stop()
 {
- if (_connected && sslclient->socket >= 0) {
- stop_ssl_socket(sslclient, _CA_cert, _cert, _private_key);
+ if (sslclient->socket >= 0) {
+ close(sslclient->socket);
  sslclient->socket = -1;
  _connected = false;
  }
+ stop_ssl_socket(sslclient, _CA_cert, _cert, _private_key);
 }
 
 int WiFiClientSecure::connect(IPAddress ip, uint16_t port)
 {
-return connect(ip, port, _CA_cert, _cert, _private_key);
+ return connect(ip, port, _CA_cert, _cert, _private_key);
 }
 
 int WiFiClientSecure::connect(const char *host, uint16_t port)
 {
-return connect(host, port, _CA_cert, _cert, _private_key);
+ return connect(host, port, _CA_cert, _cert, _private_key);
 }
 
-int WiFiClientSecure::connect(IPAddress ip, uint16_t port, unsigned char *_CA_cert, unsigned char *_cert, unsigned char *_private_key)
+int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
 {
  int ret = start_ssl_client(sslclient, ip, port, _CA_cert, _cert, _private_key);
  if (ret < 0) {
  log_e("lwip_connect_r: %d", errno);
+ stop();
+ return 0;
  }
  _connected = true;
  return 1;
 }
 
-int WiFiClientSecure::connect(const char *host, uint16_t port, unsigned char *_CA_cert, unsigned char *_cert, unsigned char *_private_key)
+int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
 {
  struct hostent *server;
  server = gethostbyname(host);
@@ -137,7 +140,7 @@ size_t WiFiClientSecure::write(const uint8_t *buf, size_t size)
  }
  int res = send_ssl_data(sslclient, buf, size);
  if (res < 0) {
-  log_e("%d", errno);
+ 
  stop();
  res = 0;
  }
@@ -150,8 +153,8 @@ int WiFiClientSecure::read(uint8_t *buf, size_t size)
  return -1;
  }
  int res = get_ssl_receive(sslclient, buf, size);
- if (res < 0 && errno != EWOULDBLOCK) {
- printf("%d", errno);
+ if (res < 0) {
+
  stop();
  }
  return res;
@@ -163,7 +166,9 @@ int WiFiClientSecure::available()
  return 0;
  }
  int res = data_to_read(sslclient);
-
+ if (res < 0 ) {
+ stop();
+ }
  return res;
 }
 
@@ -175,17 +180,17 @@ uint8_t WiFiClientSecure::connected()
  return _connected;
 }
 
-void WiFiClientSecure::setCACert(unsigned char *rootCA)
+void WiFiClientSecure::setCACert (const char *rootCA)
 {
  _CA_cert = rootCA;
 }
 
-void WiFiClientSecure::setCertificate (unsigned char *client_ca)
+void WiFiClientSecure::setCertificate (const char *client_ca)
 {
  _cert = client_ca;
 }
 
-void WiFiClientSecure::setPrivateKey (unsigned char *private_key)
+void WiFiClientSecure::setPrivateKey (const char *private_key)
 {
  _private_key = private_key;
 }

libraries/WiFiClientSecure/src/WiFiClientSecure.h

@@ -31,9 +31,9 @@ class WiFiClientSecure : public Client
  bool _connected;
  sslclient_context *sslclient;
 
- unsigned char *_CA_cert;
- unsigned char *_cert;
- unsigned char *_private_key;
+ const char *_CA_cert;
+ const char *_cert;
+ const char *_private_key;
 
 public:
  WiFiClientSecure *next;
@@ -42,8 +42,8 @@ class WiFiClientSecure : public Client
  ~WiFiClientSecure();
  int connect(IPAddress ip, uint16_t port);
  int connect(const char *host, uint16_t port);
- int connect(IPAddress ip, uint16_t port, unsigned char *rootCABuff, unsigned char *cli_cert, unsigned char *cli_key);
- int connect(const char *host, uint16_t port, unsigned char *rootCABuff, unsigned char *cli_cert, unsigned char *cli_key);
+ int connect(IPAddress ip, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
+ int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
  size_t write(uint8_t data);
  size_t write(const uint8_t *buf, size_t size);
  int available();
@@ -57,9 +57,9 @@ class WiFiClientSecure : public Client
  void stop();
  uint8_t connected();
 
- void setCACert(unsigned char *rootCA);
- void setCertificate(unsigned char *client_ca);
- void setPrivateKey (unsigned char *private_key);
+ void setCACert(const char *rootCA);
+ void setCertificate(const char *client_ca);
+ void setPrivateKey (const char *private_key);
 
  operator bool()
  {