WiFiClientSecure: add support for PSK (pre-shared key) ciphers

tve · tve · commit 1e495f14498c · 2018-11-30T17:56:43.000-08:00
diff --git a/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp b/libraries/WiFiClientSecure/src/WiFiClientSecure.cpp
@@ -39,6 +39,8 @@ WiFiClientSecure::WiFiClientSecure()
     _CA_cert = NULL;
     _cert = NULL;
     _private_key = NULL;
+    _pskIdent = NULL;
+    _psKey = NULL;
     next = NULL;
 }
 
@@ -59,6 +61,8 @@ WiFiClientSecure::WiFiClientSecure(int sock)
     _CA_cert = NULL;
     _cert = NULL;
     _private_key = NULL;
+    _pskIdent = NULL;
+    _psKey = NULL;
     next = NULL;
 }
 
@@ -89,11 +93,15 @@ void WiFiClientSecure::stop()
 
 int WiFiClientSecure::connect(IPAddress ip, uint16_t port)
 {
+    if (_pskIdent && _psKey)
+        return connect(ip, port, _pskIdent, _psKey);
     return connect(ip, port, _CA_cert, _cert, _private_key);
 }
 
 int WiFiClientSecure::connect(const char *host, uint16_t port)
 {
+    if (_pskIdent && _psKey)
+        return connect(host, port, _pskIdent, _psKey);
     return connect(host, port, _CA_cert, _cert, _private_key);
 }
 
@@ -104,7 +112,24 @@ int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *_CA_cert,
 
 int WiFiClientSecure::connect(const char *host, uint16_t port, const char *_CA_cert, const char *_cert, const char *_private_key)
 {
-    int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key);
+    int ret = start_ssl_client(sslclient, host, port, _CA_cert, _cert, _private_key, NULL, NULL);
+    _lastError = ret;
+    if (ret < 0) {
+        log_e("start_ssl_client: %d", ret);
+        stop();
+        return 0;
+    }
+    _connected = true;
+    return 1;
+}
+
+int WiFiClientSecure::connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey) {
+    return connect(ip.toString().c_str(), port,_pskIdent, _psKey);
+}
+
+int WiFiClientSecure::connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey) {
+    log_v("start_ssl_client with PSK");
+    int ret = start_ssl_client(sslclient, host, port, NULL, NULL, NULL, _pskIdent, _psKey);
     _lastError = ret;
     if (ret < 0) {
         log_e("start_ssl_client: %d", ret);
@@ -223,6 +248,11 @@ void WiFiClientSecure::setPrivateKey (const char *private_key)
     _private_key = private_key;
 }
 
+void WiFiClientSecure::setPreSharedKey(const char *pskIdent, const char *psKey) {
+    _pskIdent = pskIdent;
+    _psKey = psKey;
+}
+
 bool WiFiClientSecure::verify(const char* fp, const char* domain_name)
 {
     if (!sslclient)
diff --git a/libraries/WiFiClientSecure/src/WiFiClientSecure.h b/libraries/WiFiClientSecure/src/WiFiClientSecure.h
@@ -35,6 +35,8 @@ class WiFiClientSecure : public WiFiClient
     const char *_CA_cert;
     const char *_cert;
     const char *_private_key;
+    const char *_pskIdent; // identity for PSK cipher suites
+    const char *_psKey; // key in hex for PSK cipher suites
 
 public:
     WiFiClientSecure *next;
@@ -45,6 +47,8 @@ class WiFiClientSecure : public WiFiClient
     int connect(const char *host, uint16_t port);
     int connect(IPAddress ip, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
     int connect(const char *host, uint16_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
+    int connect(IPAddress ip, uint16_t port, const char *pskIdent, const char *psKey);
+    int connect(const char *host, uint16_t port, const char *pskIdent, const char *psKey);
 	int peek();
     size_t write(uint8_t data);
     size_t write(const uint8_t *buf, size_t size);
@@ -55,6 +59,7 @@ class WiFiClientSecure : public WiFiClient
     void stop();
     uint8_t connected();
     int lastError(char *buf, const size_t size);
+    void setPreSharedKey(const char *pskIdent, const char *psKey); // psKey in Hex
     void setCACert(const char *rootCA);
     void setCertificate(const char *client_ca);
     void setPrivateKey (const char *private_key);
diff --git a/libraries/WiFiClientSecure/src/ssl_client.cpp b/libraries/WiFiClientSecure/src/ssl_client.cpp
@@ -45,7 +45,7 @@ void ssl_init(sslclient_context *ssl_client)
 }
 
 
-int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key)
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey)
 {
     char buf[512];
     int ret, flags, timeout;
@@ -116,6 +116,36 @@ int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t p
         if (ret < 0) {
             return handle_error(ret);
         }
+    } else if (pskIdent != NULL && psKey != NULL) {
+        log_v("Setting up PSK");
+        // convert PSK from hex to binary
+        if ((strlen(psKey) & 1) != 0 || strlen(psKey) > 2*MBEDTLS_PSK_MAX_LEN) {
+            log_e("pre-shared key not valid hex or too long");
+            return -1;
+        }
+        unsigned char psk[MBEDTLS_PSK_MAX_LEN];
+        size_t psk_len = strlen(psKey)/2;
+        for (int j=0; j<strlen(psKey); j+= 2) {
+            char c = psKey[j];
+            if (c >= '0' && c <= '9') c -= '0';
+            else if (c >= 'A' && c <= 'F') c -= 'A' - 10;
+            else if (c >= 'a' && c <= 'f') c -= 'a' - 10;
+            else return -1;
+            psk[j/2] = c<<4;
+            c = psKey[j+1];
+            if (c >= '0' && c <= '9') c -= '0';
+            else if (c >= 'A' && c <= 'F') c -= 'A' - 10;
+            else if (c >= 'a' && c <= 'f') c -= 'a' - 10;
+            else return -1;
+            psk[j/2] |= c;
+        }
+        // set mbedtls config
+        ret = mbedtls_ssl_conf_psk(&ssl_client->ssl_conf, psk, psk_len,
+                 (const unsigned char *)pskIdent, strlen(pskIdent));
+        if (ret != 0) {
+            log_e("mbedtls_ssl_conf_psk returned %d", ret);
+            return handle_error(ret);
+        }
     } else {
         mbedtls_ssl_conf_authmode(&ssl_client->ssl_conf, MBEDTLS_SSL_VERIFY_NONE);
         log_i("WARNING: Use certificates for a more secure communication!");
diff --git a/libraries/WiFiClientSecure/src/ssl_client.h b/libraries/WiFiClientSecure/src/ssl_client.h
@@ -29,7 +29,7 @@ typedef struct sslclient_context {
 
 
 void ssl_init(sslclient_context *ssl_client);
-int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key);
+int start_ssl_client(sslclient_context *ssl_client, const char *host, uint32_t port, const char *rootCABuff, const char *cli_cert, const char *cli_key, const char *pskIdent, const char *psKey);
 void stop_ssl_socket(sslclient_context *ssl_client, const char *rootCABuff, const char *cli_cert, const char *cli_key);
 int data_to_read(sslclient_context *ssl_client);
 int send_ssl_data(sslclient_context *ssl_client, const uint8_t *data, uint16_t len);
