From 4337f38f3a94b35c7c5d90759bce35c80c51cb01 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Sun, 14 Jan 2024 21:20:51 +0100 Subject: [PATCH 01/13] feature: create a Trust on First Use example the quell the increasingly common copy & paste of the insecure approach making it to production --- .../WiFiClientInsecure/WiFiClientInsecure.ino | 9 + .../WiFiClientTrustOnFirstUse.ino | 268 ++++++++++++++++++ 2 files changed, 277 insertions(+) create mode 100644 libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino diff --git a/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino b/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino index 75c23122b5d..5b21dac6a23 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino @@ -1,5 +1,14 @@ #include +/* This is a very INSECURE approach. + * + * If for some reason the secure, proper example WiFiClientSecure + * does not work for you; then you may want to * check the + * WiFiClientTrustOnFirstUse first. It * is less secure than WiFiClientSecure, + * but a lot better than this totally insecure approach shown below. + * + */ + const char* ssid = "your-ssid"; // your network SSID (name of wifi network) const char* password = "your-password"; // your network password diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino new file mode 100644 index 00000000000..e85d440915c --- /dev/null +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino 
@@ -0,0 +1,268 @@
+/* For any secure connection - it is (at least) essential for the
+ the client to verify that it is talking with the server it
+ things it is talking to. And not some (invisible) man in the middle.
+
+ See https://en.wikipedia.org/wiki/Man-in-the-middle_attack,
+ https://www.ai.rug.nl/mas/finishedprojects/2011/TLS/hermsencomputerservices.nl/mas/mitm.html or
+ https://medium.com/@munteanu210/ssl-certificates-vs-man-in-the-middle-attacks-3fb7846fa5db
+ for some background on this.
+
+ Unfortunatley this means that one needs to hardcode a server
+ public key, certificate or some cryptographically strong hash
+ thereoff into the code, to verify that you are indeed talking to
+ the right server. This is sometimes somewhat impractical. Especially
+ if you do not know the server in advance; or if your code needs to be
+ stable ovr very long times - during which the server may change.
+
+ However completely dispensing with any checks (See the WifiClientInSecure
+ example) is also not a good idea either.
+
+ This example gives you some middle ground; "Trust on First Use" --
+ TOFU - see https://developer.mozilla.org/en-US/docs/Glossary/TOFU or
+ https://en.wikipedia.org/wiki/Trust_on_first_use).
+
+ In this scheme; we start the very first time without any security checks
+ but once we have our first connection; we store the public crytpographic
+ details (or a proxy, such as a sha256 of this). And then we use this for
+ any subsequent connections.
+
+ The assumption here is that we do our very first connection in a somewhat
+ trusted network environment; where the chance of a man in the middle is
+ very low; or one where the person doing the first run can check the
+ details manually.
+
+ So this is not quite as good as building a CA certificate into your
+ code (as per the WifiClientSecure example). But not as bad as something
+ with no trust management at all.
+
+ To make it possible for the enduser to 'reset' this trust; the
+ startup sequence checks if a certain GPIO is low (assumed to be wired
+ to some physical button or jumper on the PCB). And we only allow
+ the TOFU to be configured when this pin is LOW.
+*/
+#ifndef WIFI_NETWORK
+#define WIFI_NETWORK "Your Wifi SSID"
+#endif
+
+#ifndef WIFI_PASSWD
+#define WIFI_PASSWD "your-secret-wifi-password"
+#endif
+
+const char* ssid = WIFI_NETWORK; // your network SSID (name of wifi network)
+const char* password = WIFI_PASSWD; // your network password
+const char* server = "www.howsmyssl.com"; // Server to test with.
+
+const int TOFU_RESET_BUTTON = 35; /* Trust reset button wired to GPIO 4 */
+
+#include
+#include
+
+/* Set aside some persistant memory (i.e. memory that is preserved on reboots and
+ power cycling; and will generally survive software updates as well.
+*/
+EEPROMClass TOFU("tofu0");
+
+
+// Utility function; checks if a given buffer is entirly
+// with with 0 bytes over its full length. Returns 0 on
+// succes; a non zero value on fail.
+//
+static int memcmpzero(unsigned char * ptr, size_t len) {
+ while (len--) if (*ptr++) return -1;
+ return 0;
+};
+static void printSHA256(unsigned char * ptr) {
+ for (int i = 0; i < 32; i++) Serial.printf("%s%02x", i ? ":" : "", ptr[i]);
+ Serial.println("");
+};
+
+WiFiClientSecure client;
+
+bool get_tofu();
+bool doTOFU_Protected_Connection(uint8_t * fingerprint_tofu);
+
+void setup() {
+ bool tofu_reset = false;
+ //Initialize serial and wait for port to open:
+ Serial.begin(115200);
+ delay(100);
+
+ if (!TOFU.begin(32)) {
+ Serial.println("Could not initialsize the EEPROM");
+ return;
+ }
+ uint8_t fingerprint_tofu[32];
+
+ // reset the trust if the tofu reset button is pressed.
+ //
+ pinMode(TOFU_RESET_BUTTON, INPUT_PULLUP);
+ if (digitalRead(TOFU_RESET_BUTTON) == LOW) {
+ Serial.println("The TOFU reset button is pressed.");
+ tofu_reset = true;
+ }
+ /* if the button is not pressed; see if we can get the TOFU
+ fingerprint from the EEPROM.
+ */
+ else if (32 != TOFU.readBytes(0, fingerprint_tofu, 32)) {
+ Serial.println("Failed to get the fingerprint from memory.");
+ tofu_reset = true;
+ }
+ /* And check that the EEPROM value is not all 0's; in which
+ case we also need to do a TOFU.
+ */
+ else if (!memcmpzero(fingerprint_tofu, 32)) {
+ Serial.println("TOFU fingerprint in memory all zero.");
+ tofu_reset = true;
+ };
+ if (!tofu_reset) {
+ Serial.print("TOFU pegged to fingerprint: SHA256=");
+ printSHA256(fingerprint_tofu);
+ Serial.print("Note: You can check this fingerprint by going to the URL\n"
+ " and then click on the lock icon.\n");
+ };
+
+ // attempt to connect to Wifi network:
+ Serial.print("Attempting to connect to SSID: ");
+ Serial.println(ssid);
+ WiFi.begin(ssid, password);
+ while (WiFi.status() != WL_CONNECTED) {
+ Serial.print(".");
+ // wait 1 second for re-trying
+ delay(1000);
+ }
+
+ Serial.print("Connected to ");
+ Serial.println(ssid);
+
+ if (tofu_reset) {
+ Serial.println("Resetting trust fingerprint.");
+ if (!get_tofu()) {
+ Serial.println("Trust reset failed. Giving up");
+ return;
+ }
+ Serial.println("(New) Trust of First used configured. Rebooting in 3 seconds");
+ delay(3 * 1000);
+ ESP.restart();
+ };
+
+ Serial.println("Trying to connect to a server; using TOFU details from the eeprom");
+
+ if (doTOFU_Protected_Connection(fingerprint_tofu))
+ Serial.println("ALL OK");
+}
+
+bool get_tofu() {
+ Serial.println("\nStarting our insecure connection to server...");
+ client.setInsecure();//skip verification
+
+ if (!client.connect(server, 443)) {
+ Serial.println("Connection failed!");
+ client.stop();
+ return false;
+ };
+
+ Serial.println("Connected to server. Extracting trust data.");
+
+ // Now extract the data of the certificate and show it to
+ // the user over the serial connection for optional
+ // verification.
+ const mbedtls_x509_crt* peer = client.getPeerCertificate();
+ char buf[1024];
+ int l = mbedtls_x509_crt_info (buf, sizeof(buf), "", peer);
+ if (l <= 0) {
+ Serial.println("Peer conversion to printable buffer failed");
+ client.stop();
+ return false;
+ };
+ Serial.println();
+ Serial.println(buf);
+
+ // Extract the fingerprint - and store this in our EEPROM
+ // to be used for future validation.
+
+ uint8_t fingerprint_remote[32];
+ if (!client.getFingerprintSHA256(fingerprint_remote)) {
+ Serial.println("Failed to get the fingerprint");
+ client.stop();
+ return false;
+ }
+ if (
+ (32 != TOFU.writeBytes(0, fingerprint_remote, 32)) ||
+ (!TOFU.commit())
+ ) {
+ Serial.println("Could not write the fingerprint to the EEPROM");
+ client.stop();
+ return false;
+ };
+ TOFU.end();
+ client.stop();
+
+ Serial.print("TOFU pegged to fingerprint: SHA256=");
+ printSHA256(fingerprint_remote);
+
+ return true;
+};
+
+bool doTOFU_Protected_Connection(uint8_t * fingerprint_tofu) {
+
+ // As we're not using a (CA) certificate to check the
+ // connection; but the hash of the peer - we need to initially
+ // allow the connection to be set up without the CA check.
+ //
+ client.setInsecure();//skip verification
+
+ if (!client.connect(server, 443)) {
+ Serial.println("Connection failed!");
+ client.stop();
+ return false;
+ };
+
+ // Now that we're connected - we can check that we have
+ // end to end trust - by comparing the fingerprint we (now)
+ // see (of the server certificate) to the one we have stored
+ // in our EEPROM as part of an earlier trust-on-first use.
+ //
+ uint8_t fingerprint_remote[32];
+ if (!client.getFingerprintSHA256(fingerprint_remote)) {
+ Serial.println("Failed to get the fingerprint of the server");
+ client.stop();
+ return false;
+ }
+ if (memcmp(fingerprint_remote, fingerprint_tofu, 32)) {
+ Serial.println("TOFU fingerprint not the same as the one from the server.");
+ Serial.print("TOFU : SHA256=");
+ printSHA256(fingerprint_tofu);
+ Serial.print("Remote: SHA256=");
+ printSHA256(fingerprint_remote);
+ Serial.println(" : NOT identical -- Aborting!");
+ client.stop();
+ return false;
+ };
+
+ Serial.println("All well - you are talking to the same server as\n"
+ "when you set up TOFU. So we can now do a GET.\n\n");
+
+ client.println("GET /a/check HTTP/1.0");
+ client.print("Host: " ); client.println(server);
+ client.println("Connection: close");
+ client.println();
+
+ bool inhdr = true;
+ while (client.connected()) {
+ String line = client.readStringUntil('\n');
+ Serial.print(line);
+ if (inhdr && line == "\r") {
+ inhdr = false;
+ Serial.println("-- headers received. Payload follows\n\n");
+ }
+ }
+ Serial.println("\n\n-- Payload ended.");
+ client.stop();
+ return true;
+}
+
+void loop() {
+ delay(-1);
+}
From 7c6c58f56b3e7599951d9b119651c6ab54c00214 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Wed, 17 Jan 2024 14:19:27 +0100 Subject: [PATCH 02/13] Quell CI/CD runs on non-WiFi supporting hardare --- .../examples/WiFiClientTrustOnFirstUse/.skip.esp32h2 | 0 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/.skip.esp32h2
diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/.skip.esp32h2 b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/.skip.esp32h2
new file mode 100644
index 00000000000..e69de29bb2d
From d92be069a72483d64454a04acc7ab62447bfe1c5 Mon Sep 17 00:00:00 2001
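Review bot: In setup(), the two `else if` branches for an unreadable or blank EEPROM also set `tofu_reset = true`, so a device with no stored fingerprint enrols over the `setInsecure()` connection in get_tofu() without the button being held. That contradicts the header comment ("we only allow the TOFU to be configured when this pin is LOW") and means a wiped or corrupted store silently pins whatever certificate is presented next. I would gate enrolment on the button alone and, in those two branches, replace `tofu_reset = true;` with `Serial.println("No stored fingerprint; hold the TOFU reset button and reboot to enrol."); return;`. The header should also say that the pinned value is the SHA-256 of the server certificate, so a routine certificate renewal fails the check until trust is reset.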
From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:58:29 +0100 Subject: [PATCH 03/13] Update libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../examples/WiFiClientInsecure/WiFiClientInsecure.ino | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino b/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino index 5b21dac6a23..9c519736fda 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientInsecure/WiFiClientInsecure.ino @@ -1,12 +1,11 @@ #include /* This is a very INSECURE approach. - * * If for some reason the secure, proper example WiFiClientSecure - * does not work for you; then you may want to * check the - * WiFiClientTrustOnFirstUse first. It * is less secure than WiFiClientSecure, - * but a lot better than this totally insecure approach shown below. - * + * does not work for you; then you may want to check the + * WiFiClientTrustOnFirstUse example first. It is less secure than + * WiFiClientSecure, but a lot better than this totally insecure + * approach shown below. */ const char* ssid = "your-ssid"; // your network SSID (name of wifi network) From cb1704a48ac2f5a355cc1cadc0905b849a6e0663 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:58:35 +0100 Subject: [PATCH 04/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index e85d440915c..bb61b72c9fa 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -1,6 +1,6 @@ /* For any secure connection - it is (at least) essential for the the client to verify that it is talking with the server it - things it is talking to. And not some (invisible) man in the middle. + thinks it is talking to. And not some (invisible) man in the middle. See https://en.wikipedia.org/wiki/Man-in-the-middle_attack, https://www.ai.rug.nl/mas/finishedprojects/2011/TLS/hermsencomputerservices.nl/mas/mitm.html or From 5a0adfd166d751053f096c86b96041c71b1b06db Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:58:51 +0100 Subject: [PATCH 05/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino Fix formatting Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index bb61b72c9fa..5e5477de257 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino 
@@ -60,8 +60,7 @@ const int TOFU_RESET_BUTTON = 35; /* Trust reset button wired to GPIO 4 */ /* Set aside some persistant memory (i.e. memory that is preserved on reboots and power cycling; and will generally survive software updates as well. */ -EEPROMClass TOFU("tofu0"); - +EEPROMClass TOFU("tofu0"); // Utility function; checks if a given buffer is entirly // with with 0 bytes over its full length. Returns 0 on From 79a390d2a45921f06cc010ccb1a24dc2d974d36a Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:58:57 +0100 Subject: [PATCH 06/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index 5e5477de257..7a22bf44581 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -50,7 +50,7 @@ const char* ssid = WIFI_NETWORK; // your network SSID (name of wifi network) const char* password = WIFI_PASSWD; // your network password -const char* server = "www.howsmyssl.com"; // Server to test with. +const char* server = "www.howsmyssl.com"; // Server to test with. const int TOFU_RESET_BUTTON = 35; /* Trust reset button wired to GPIO 4 */ From 1f7daa0df6ce2cdb54985ad77262517732e386b8 Mon Sep 17 00:00:00 2001 
From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:59:03 +0100 Subject: [PATCH 07/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 1 + 1 file changed, 1 insertion(+) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index 7a22bf44581..0106d1fd7e8 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -70,6 +70,7 @@ static int memcmpzero(unsigned char * ptr, size_t len) { while (len--) if (*ptr++) return -1; return 0; }; + static void printSHA256(unsigned char * ptr) { for (int i = 0; i < 32; i++) Serial.printf("%s%02x", i ? ":" : "", ptr[i]); Serial.println(""); From 0118e15e02b44e7116b2c6123571e9dd0e897e88 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:59:09 +0100 Subject: [PATCH 08/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index 0106d1fd7e8..3a83a796c05 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino 
+++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -170,7 +170,7 @@ bool get_tofu() { // verification. const mbedtls_x509_crt* peer = client.getPeerCertificate(); char buf[1024]; - int l = mbedtls_x509_crt_info (buf, sizeof(buf), "", peer); + int l = mbedtls_x509_crt_info(buf, sizeof(buf), "", peer); if (l <= 0) { Serial.println("Peer conversion to printable buffer failed"); client.stop(); From 6758e4d44303e7b1495a9297866a8efc57079889 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:59:18 +0100 Subject: [PATCH 09/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 1 - 1 file changed, 1 deletion(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index 3a83a796c05..bd7f2060d6e 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -210,7 +210,6 @@ bool doTOFU_Protected_Connection(uint8_t * fingerprint_tofu) { // As we're not using a (CA) certificate to check the // connection; but the hash of the peer - we need to initially // allow the connection to be set up without the CA check. - // client.setInsecure();//skip verification if (!client.connect(server, 443)) { From e529fa97f4ae01583dbe9f72421efc9dacbce0a8 Mon Sep 17 00:00:00 2001 
From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 15:59:26 +0100 Subject: [PATCH 10/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino typo/improvement to text Co-authored-by: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 1 - 1 file changed, 1 deletion(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index bd7f2060d6e..c57a758305c 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -222,7 +222,6 @@ bool doTOFU_Protected_Connection(uint8_t * fingerprint_tofu) { // end to end trust - by comparing the fingerprint we (now) // see (of the server certificate) to the one we have stored // in our EEPROM as part of an earlier trust-on-first use. - // uint8_t fingerprint_remote[32]; if (!client.getFingerprintSHA256(fingerprint_remote)) { Serial.println("Failed to get the fingerprint of the server"); From 8f21a074494b0654d9985a80223155e5c49dec79 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 19:52:01 +0100 Subject: [PATCH 11/13] Various things can all stop_ssl_socket() which sets the socket to -1; but the WiFiClientSecure checks for _connected. So we want to make sure the latter is always set. And thus have moved the state handling around *ssl_client down into the C code; below WiFiClientSecure. --- libraries/WiFiClientSecure/src/WiFiClientSecure.cpp | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp index 2f9da58f9ad..2d725c7b1eb 100644 
--- a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp +++ b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp @@ -91,15 +91,12 @@ WiFiClientSecure &WiFiClientSecure::operator=(const WiFiClientSecure &other) void WiFiClientSecure::stop() { - if (sslclient->socket >= 0) { - close(sslclient->socket); - sslclient->socket = -1; - _connected = false; - _peek = -1; - _lastReadTimeout = 0; - _lastWriteTimeout = 0; - } stop_ssl_socket(sslclient, _CA_cert, _cert, _private_key); + + _connected = false; + _peek = -1; + _lastReadTimeout = 0; + _lastWriteTimeout = 0; } int WiFiClientSecure::connect(IPAddress ip, uint16_t port) From 9f72a9c77dd3b9ee17b246e26ba38d6924df2f37 Mon Sep 17 00:00:00 2001 From: Dirk-Willem van Gulik Date: Thu, 18 Jan 2024 19:53:55 +0100 Subject: [PATCH 12/13] Unitialized NVRAM/EEPROM is actual set to 0xFF; so adjust for this. And print the LF/CR for the header lines. --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index e85d440915c..c6980f14db8 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -52,7 +52,7 @@ const char* ssid = WIFI_NETWORK; // your network SSID (name of wifi network) const char* password = WIFI_PASSWD; // your network password const char* server = "www.howsmyssl.com"; // Server to test with. -const int TOFU_RESET_BUTTON = 35; /* Trust reset button wired to GPIO 4 */ +const int TOFU_RESET_BUTTON = 35; /* Trust reset button wired between GPIO 35 and GND (pulldown) */ #include #include 
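Review bot: stop() no longer calls `close(sslclient->socket)` itself, so the descriptor is released only if stop_ssl_socket() closes it. That function is not part of this patch; the diffstat lists WiFiClientSecure.cpp alone, although the commit message speaks of moving state handling down into the C code. Please confirm that stop_ssl_socket() closes the fd and sets `socket` to -1 on every path, otherwise each stop() leaks a socket. A comment above the call would record the contract, for example `// stop_ssl_socket() owns closing the fd; we only reset our own state here`.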
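Review bot: The new comment on `TOFU_RESET_BUTTON` says "(pulldown)", but setup() (outside this hunk) configures the pin with `INPUT_PULLUP` and treats LOW as pressed, so the wording should be pull-up. On the original ESP32, GPIO 34–39 are input-only and have no internal pull resistors, so without an external pull-up the pin floats and can read LOW at boot, which sends the sketch down the unverified re-enrolment path. Suggested comment: `/* Trust reset button between GPIO 35 and GND; active LOW, needs an external pull-up where the pin has no internal one */`.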
@@ -68,7 +68,7 @@ EEPROMClass TOFU("tofu0"); // succes; a non zero value on fail. // static int memcmpzero(unsigned char * ptr, size_t len) { - while (len--) if (*ptr++) return -1; + while (len--) if (0xff != *ptr++) return -1; return 0; }; static void printSHA256(unsigned char * ptr) { @@ -252,7 +252,7 @@ bool doTOFU_Protected_Connection(uint8_t * fingerprint_tofu) { bool inhdr = true; while (client.connected()) { String line = client.readStringUntil('\n'); - Serial.print(line); + Serial.println(line); if (inhdr && line == "\r") { inhdr = false; Serial.println("-- headers received. Payload follows\n\n"); From a502c601792673ae995e3435a846657d97a2abe2 Mon Sep 17 00:00:00 2001 From: Lucas Saavedra Vaz <32426024+lucasssvaz@users.noreply.github.com> Date: Wed, 7 Feb 2024 15:31:55 -0300 Subject: [PATCH 13/13] Update libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino --- .../WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino index e3c475bd88a..a8b508f9db1 100644 --- a/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino +++ b/libraries/WiFiClientSecure/examples/WiFiClientTrustOnFirstUse/WiFiClientTrustOnFirstUse.ino @@ -261,6 +261,4 @@ bool doTOFU_Protected_Connection(uint8_t * fingerprint_tofu) { return true; } -void loop() { - delay(-1); -} +void loop() {}
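Review bot: `memcmpzero` now tests for 0xff rather than zero, but its name, the comment above it ("with 0 bytes over its full length") and the caller's message "TOFU fingerprint in memory all zero." (in setup(), outside this hunk) still describe the old check. Update the comment to something like `// Returns 0 when every byte is 0xff (erased flash), a non-zero value otherwise.` and consider renaming the helper to match. An all-zero store is also no longer treated as "not enrolled"; it would be compared against the server and fail, which is the safe direction, but worth stating in the comment.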