Skip to content

BearSSL bugs found by @jeroen88 #4882

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
earlephilhower opened this issue Jul 3, 2018 · 5 comments
Closed

BearSSL bugs found by @jeroen88 #4882

earlephilhower opened this issue Jul 3, 2018 · 5 comments
Assignees
@earlephilhower
Labels
component: TLS type: bug
Milestone
2.4.2

Comments

@earlephilhower
Copy link
Collaborator

@Jeroen88 has been using BearSSL and adding some PRs and discovered a few issues that he's sent in email that I want to make sure get tracked here as I'm still kind of swamped. @Jeroen88, please add to this if I missed something:

  1. The set{insecure,fingerprint,etc.} methods should clear any other authentication methods. Presently, if you setFingerprint then setInsecure, for example, it will have both flags set and actually check the FP and not be insecure as the last call requested.
  2. Shouldn't _sc be tested for nullptr before &_sc->eng in WiFiClientSecure::_connectSSL(const char* hostName)
  3. _waitForHandshake() can cause a hang if the server times out, and needs a WDT feed call in the while() loop somewhere
@earlephilhower earlephilhower self-assigned this Jul 3, 2018
@Jeroen88
Copy link
Contributor

Jeroen88 commented Jul 3, 2018

Just one more: in addition to 1), Stop() should clear the previous authentication methods too in my opinion, making the client ready for a new connection, probably by incorporating this in _freeSSL().

@d-a-v d-a-v mentioned this issue Jul 3, 2018
Closed
@devyte
Copy link
Collaborator

devyte commented Jul 4, 2018

@earlephilhower is it reasonable to get these fixes done for 2.4.2 (current target is 01/Aug) ?

@earlephilhower
Copy link
Collaborator Author

Yes, these changes seem to be very limited in scope. Just need an hour this weekend.

@earlephilhower earlephilhower mentioned this issue Jul 6, 2018
Closed
5 tasks
@earlephilhower
Copy link
Collaborator Author

About (2) above, the code as-is is safe:

struct blah *x = nullptr;
struct blech *y = &x->_blech;

The & means we're only computing an address and not actually try and dereference the nullptr. In the example, it's equivalent of saying struct blech *y = offsetof(struct blah, _blech);.

earlephilhower added a commit to earlephilhower/Arduino that referenced this issue Jul 8, 2018
@earlephilhower
Fix minor BearSSL API issues
34cea3c 
Fixes esp8266#4882 and updates GitHub certificate fingerprint to the current one
in BearSSL_Validation example.

When setting a authentication mode or stopping, clear all others out in case
the object is being re-used.

Add in a yield during the SSL handshake to allow a graceful timeout and not
a WDT error when the remote server hiccups.
@earlephilhower earlephilhower mentioned this issue Jul 8, 2018
Merged
@devyte devyte added this to the 2.4.2 milestone Jul 9, 2018
@earlephilhower
Copy link
Collaborator Author

@Jeroen88 could you give PR #4901 a try/check and see if it covers your needs. We're shooting for a short commit window on the bug fixes (end of month).

earlephilhower added a commit that referenced this issue Jul 16, 2018
@earlephilhower
Fix minor BearSSL API issues (#4901)
5309188 
Fixes #4882 and updates GitHub certificate fingerprint to the current one
in BearSSL_Validation example.

When setting a authentication mode or stopping, clear all others out in case
the object is being re-used.

Add in a yield during the SSL handshake to allow a graceful timeout and not
a WDT error when the remote server hiccups.  Thanks to @Jeroen88 for
finding and testing this.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@earlephilhower earlephilhower

Labels
component: TLS type: bug
Projects
None yet
Milestone
2.4.2
Development

No branches or pull requests
3 participants
@earlephilhower @devyte @Jeroen88