Fix minor BearSSL API issues (#4901)

earlephilhower · web-flow · commit 53091882b871 · 2018-07-16T09:35:00.000-07:00
Fixes #4882 and updates GitHub certificate fingerprint to the current one in BearSSL_Validation example. When setting a authentication mode or stopping, clear all others out in case the object is being re-used. Add in a yield during the SSL handshake to allow a graceful timeout and not a WDT error when the remote server hiccups. Thanks to @Jeroen88 for finding and testing this.
diff --git a/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino b/libraries/ESP8266WiFi/examples/BearSSL_Validation/BearSSL_Validation.ino
@@ -102,7 +102,7 @@ instead of the while certificate.  This is not nearly as secure as real
 X.509 validation, but is better than nothing.
 )EOF");
   BearSSL::WiFiClientSecure client;
-  const uint8_t fp[20] = {0x35, 0x85, 0x74, 0xEF, 0x67, 0x35, 0xA7, 0xCE, 0x40, 0x69, 0x50, 0xF3, 0xC0, 0xF6, 0x80, 0xCF, 0x80, 0x3B, 0x2E, 0x19};
+  const uint8_t fp[20] = {0x5F, 0xF1, 0x60, 0x31, 0x09, 0x04, 0x3E, 0xF2, 0x90, 0xD2, 0xB0, 0x8A, 0x50, 0x38, 0x04, 0xE8, 0x37, 0x9F, 0xBC, 0x76};
   client.setFingerprint(fp);
   fetchURL(&client, host, port, path);
 }
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -79,6 +79,7 @@ void WiFiClientSecure::_clearAuthenticationSettings() {
   _use_self_signed = false;
   _knownkey = nullptr;
   _sk = nullptr;
+  _ta = nullptr;
 }
 
 
@@ -177,6 +178,7 @@ void WiFiClientSecure::stop() {
     _client->abort();
   }
   WiFiClient::stop();
+  _clearAuthenticationSettings();
   _freeSSL();
 }
 
@@ -510,6 +512,7 @@ bool WiFiClientSecure::_wait_for_handshake() {
     if (br_ssl_engine_current_state(_eng) & BR_SSL_SENDAPP) {
       _handshake_done = true;
     }
+    optimistic_yield(1000);
   }
   return _handshake_done;
 }
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@@ -59,24 +59,29 @@ class WiFiClientSecure : public WiFiClient {
 
     // Don't validate the chain, just accept whatever is given.  VERY INSECURE!
     void setInsecure() {
+      _clearAuthenticationSettings();
       _use_insecure = true;
     }
     // Assume a given public key, don't validate or use cert info at all
     void setKnownKey(const BearSSLPublicKey *pk, unsigned usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN) {
+      _clearAuthenticationSettings();
       _knownkey = pk;
       _knownkey_usages = usages;
     }
     // Only check SHA1 fingerprint of certificate
     void setFingerprint(const uint8_t fingerprint[20]) {
+      _clearAuthenticationSettings();
       _use_fingerprint = true;
       memcpy_P(_fingerprint, fingerprint, 20);
     }
     // Accept any certificate that's self-signed
     void allowSelfSignedCerts() {
+      _clearAuthenticationSettings();
       _use_self_signed = true;
     }
     // Install certificates of trusted CAs or specific site
     void setTrustAnchors(const BearSSLX509List *ta) {
+      _clearAuthenticationSettings();
       _ta = ta;
     }
     // In cases when NTP is not used, app must set a time manually to check cert validity

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ instead of the while certificate. This is not nearly as secure as real`
`102`	`102`	`X.509 validation, but is better than nothing.`
`103`	`103`	`)EOF");`
`104`	`104`	`BearSSL::WiFiClientSecure client;`
`105`		`- const uint8_t fp[20] = {0x35, 0x85, 0x74, 0xEF, 0x67, 0x35, 0xA7, 0xCE, 0x40, 0x69, 0x50, 0xF3, 0xC0, 0xF6, 0x80, 0xCF, 0x80, 0x3B, 0x2E, 0x19};`
	`105`	`+ const uint8_t fp[20] = {0x5F, 0xF1, 0x60, 0x31, 0x09, 0x04, 0x3E, 0xF2, 0x90, 0xD2, 0xB0, 0x8A, 0x50, 0x38, 0x04, 0xE8, 0x37, 0x9F, 0xBC, 0x76};`
`106`	`106`	`client.setFingerprint(fp);`
`107`	`107`	`fetchURL(&client, host, port, path);`
`108`	`108`	`}`
Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,7 @@ void WiFiClientSecure::_clearAuthenticationSettings() {`
`79`	`79`	`_use_self_signed = false;`
`80`	`80`	`_knownkey = nullptr;`
`81`	`81`	`_sk = nullptr;`
	`82`	`+ _ta = nullptr;`
`82`	`83`	`}`
`83`	`84`
`84`	`85`
`@@ -177,6 +178,7 @@ void WiFiClientSecure::stop() {`
`177`	`178`	`_client->abort();`
`178`	`179`	`}`
`179`	`180`	`WiFiClient::stop();`
	`181`	`+ _clearAuthenticationSettings();`
`180`	`182`	`_freeSSL();`
`181`	`183`	`}`
`182`	`184`
`@@ -510,6 +512,7 @@ bool WiFiClientSecure::_wait_for_handshake() {`
`510`	`512`	`if (br_ssl_engine_current_state(_eng) & BR_SSL_SENDAPP) {`
`511`	`513`	`_handshake_done = true;`
`512`	`514`	`}`
	`515`	`+ optimistic_yield(1000);`
`513`	`516`	`}`
`514`	`517`	`return _handshake_done;`
`515`	`518`	`}`
Original file line number	Diff line number	Diff line change
`@@ -59,24 +59,29 @@ class WiFiClientSecure : public WiFiClient {`
`59`	`59`
`60`	`60`	`// Don't validate the chain, just accept whatever is given. VERY INSECURE!`
`61`	`61`	`void setInsecure() {`
	`62`	`+ _clearAuthenticationSettings();`
`62`	`63`	`_use_insecure = true;`
`63`	`64`	`}`
`64`	`65`	`// Assume a given public key, don't validate or use cert info at all`
`65`	`66`	`void setKnownKey(const BearSSLPublicKey *pk, unsigned usages = BR_KEYTYPE_KEYX \| BR_KEYTYPE_SIGN) {`
	`67`	`+ _clearAuthenticationSettings();`
`66`	`68`	`_knownkey = pk;`
`67`	`69`	`_knownkey_usages = usages;`
`68`	`70`	`}`
`69`	`71`	`// Only check SHA1 fingerprint of certificate`
`70`	`72`	`void setFingerprint(const uint8_t fingerprint[20]) {`
	`73`	`+ _clearAuthenticationSettings();`
`71`	`74`	`_use_fingerprint = true;`
`72`	`75`	`memcpy_P(_fingerprint, fingerprint, 20);`
`73`	`76`	`}`
`74`	`77`	`// Accept any certificate that's self-signed`
`75`	`78`	`void allowSelfSignedCerts() {`
	`79`	`+ _clearAuthenticationSettings();`
`76`	`80`	`_use_self_signed = true;`
`77`	`81`	`}`
`78`	`82`	`// Install certificates of trusted CAs or specific site`
`79`	`83`	`void setTrustAnchors(const BearSSLX509List *ta) {`
	`84`	`+ _clearAuthenticationSettings();`
`80`	`85`	`_ta = ta;`
`81`	`86`	`}`
`82`	`87`	`// In cases when NTP is not used, app must set a time manually to check cert validity`