v5.12.0e - Add second TLS fingerprint

5.12.0e * Add a second TLS fingerprint to allow switching keys in TLS mode (#2033, #2102)
arendst · Mar 9, 2018 · b51f060 · b51f060 · issacg · Mar 11, 2018
1 parent ba3fc63
commit b51f060
Show file tree

Hide file tree

Showing 19 changed files with 84 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 ## Sonoff-Tasmota
 Provide ESP8266 based Sonoff by [iTead Studio](https://www.itead.cc/) and ElectroDragon IoT Relay with Serial, Web and MQTT control allowing 'Over the Air' or OTA firmware updates using Arduino IDE.
 
-Current version is **5.12.0d** - See [sonoff/_releasenotes.ino](https://github.com/arendst/Sonoff-Tasmota/blob/development/sonoff/_releasenotes.ino) for change information.
+Current version is **5.12.0e** - See [sonoff/_releasenotes.ino](https://github.com/arendst/Sonoff-Tasmota/blob/development/sonoff/_releasenotes.ino) for change information.
 
 ### ATTENTION All versions
 

diff --git a/sonoff/_releasenotes.ino b/sonoff/_releasenotes.ino
@@ -1,4 +1,7 @@
-/* 5.12.0d
+/* 5.12.0e
+ * Add a second TLS fingerprint to allow switching keys in TLS mode (#2033, #2102)
+ *
+ * 5.12.0d
  * Add support for optional MQTT drivers to be selected in user_config.h (#1992)
  * Add Portuguese language file
  * Add compiler check for stable lwIP version v1.4 (#1940)

diff --git a/sonoff/language/cz-CZ.h b/sonoff/language/cz-CZ.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verifikuj otisk TLS..."
 #define D_TLS_CONNECT_FAILED_TO "Nepripojeno TLS do"
 #define D_RETRY_IN "Zopakuji za"
-#define D_VERIFIED "Zverifikovano"
+#define D_VERIFIED "Zverifikovano otisk"
 #define D_INSECURE "Nespravne pripojeni z duvodu chybneho otisku TLS"
 #define D_CONNECT_FAILED_TO "Spojeni se nepodarilo navazat"
 

diff --git a/sonoff/language/de-DE.h b/sonoff/language/de-DE.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "TLS-Fingerabdruck wird verifiziert..."
 #define D_TLS_CONNECT_FAILED_TO "TLS-Verbindung fehlgeschlagen an"
 #define D_RETRY_IN "Wiederversuch in"
-#define D_VERIFIED "verifiziert"
+#define D_VERIFIED "verifiziert mit Fingerabdruck"
 #define D_INSECURE "unsichere Verbindung aufgrund ungültigen Fingerabdrucks"
 #define D_CONNECT_FAILED_TO "Verbindung fehlgeschlagen aufgrund von"
 

diff --git a/sonoff/language/en-GB.h b/sonoff/language/en-GB.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verify TLS fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "TLS Connect failed to"
 #define D_RETRY_IN "Retry in"
-#define D_VERIFIED "Verified"
+#define D_VERIFIED "Verified using Fingerprint"
 #define D_INSECURE "Insecure connection due to invalid Fingerprint"
 #define D_CONNECT_FAILED_TO "Connect failed to"
 

diff --git a/sonoff/language/es-AR.h b/sonoff/language/es-AR.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verificar TLS fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "Falló Conección TLS a"
 #define D_RETRY_IN "Reintentando"
-#define D_VERIFIED "Verificado"
+#define D_VERIFIED "Verificado Fingerprint"
 #define D_INSECURE "Conección insegura por Fingerprint no válido"
 #define D_CONNECT_FAILED_TO "Falló Conección a"
 

diff --git a/sonoff/language/fr-FR.h b/sonoff/language/fr-FR.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verification empreinte TLS ..."
 #define D_TLS_CONNECT_FAILED_TO "Echec de connexion TLS à"
 #define D_RETRY_IN "Nouvelle tentative dans"
-#define D_VERIFIED "Verifié"
+#define D_VERIFIED "Verifié empreinte "
 #define D_INSECURE "Connexion non sécurisée car empreinte non vérifée"
 #define D_CONNECT_FAILED_TO "Echec de connexion à"
 

diff --git a/sonoff/language/hu-HU.h b/sonoff/language/hu-HU.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "TLS fingerprint hitelesítése..."
 #define D_TLS_CONNECT_FAILED_TO "TLS Csatlakozás sikertelen a"
 #define D_RETRY_IN "Újrapróbálás"
-#define D_VERIFIED "Hitelesítve"
+#define D_VERIFIED "Hitelesítve Fingerprint"
 #define D_INSECURE "Nem biztonságos kapcsolat érvénytelen Fingerprint miatt"
 #define D_CONNECT_FAILED_TO "Sikertelen csatlakozás a"
 

diff --git a/sonoff/language/it-IT.h b/sonoff/language/it-IT.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verifica TLS fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "Connessione TLS fallita a"
 #define D_RETRY_IN "Nuovo tentativo in"
-#define D_VERIFIED "Verificato"
+#define D_VERIFIED "Verificato Fingerprint"
 #define D_INSECURE "Connessione insicura a causa di Fingerprint non valido"
 #define D_CONNECT_FAILED_TO "Connessione Fallita a"
 

diff --git a/sonoff/language/nl-NL.h b/sonoff/language/nl-NL.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Controleer TLS vingerafdruk..."
 #define D_TLS_CONNECT_FAILED_TO "TLS Verbinding mislukt naar"
 #define D_RETRY_IN "Opnieuw proberen over"
-#define D_VERIFIED "Gecontroleerd"
+#define D_VERIFIED "Gecontroleerd met vingerafdruk"
 #define D_INSECURE "Door ongeldige vingerafdruk een onveilige verbinding"
 #define D_CONNECT_FAILED_TO "Verbinding mislukt naar"
 

diff --git a/sonoff/language/pl-PL.h b/sonoff/language/pl-PL.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Weryfikuj odcisk TLS..."
 #define D_TLS_CONNECT_FAILED_TO "Nieudane połączenie TLS do"
 #define D_RETRY_IN "Spróbuj ponownie"
-#define D_VERIFIED "Zweryfikowano"
+#define D_VERIFIED "Zweryfikowano odcisku"
 #define D_INSECURE "Nieprawidłowe połączenie z powodu błędnego odcisku TLS"
 #define D_CONNECT_FAILED_TO "Nie udało się nawiązać połączenia"
 

diff --git a/sonoff/language/pt-PT.h b/sonoff/language/pt-PT.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verifique a impressão digital TLS..."
 #define D_TLS_CONNECT_FAILED_TO "TLS não conseguiu ligar"
 #define D_RETRY_IN "Tentativa em"
-#define D_VERIFIED "Verificado"
+#define D_VERIFIED "Verificado impressão digital "
 #define D_INSECURE "Ligação insegura devido à impressão digital inválida"
 #define D_CONNECT_FAILED_TO "A ligação falhou ao"
 

diff --git a/sonoff/language/ru-RU.h b/sonoff/language/ru-RU.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Проверка TLS Fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "Сбой подключения TLS к"
 #define D_RETRY_IN "Повторить"
-#define D_VERIFIED "Проверено"
+#define D_VERIFIED "Проверено Fingerprint"
 #define D_INSECURE "Небезопасное соединение, недействительный Fingerprint"
 #define D_CONNECT_FAILED_TO "Ошибка подключения к"
 

diff --git a/sonoff/settings.h b/sonoff/settings.h
@@ -116,7 +116,12 @@ struct SYSCFG {
   byte          syslog_level;              // 1AA
   uint8_t       webserver;                 // 1AB
   byte          weblog_level;              // 1AC
-  char          mqtt_fingerprint[60];      // 1AD To be freed by binary fingerprint
+
+//  char          mqtt_fingerprint[60];      // 1AD
+  uint8_t       mqtt_fingerprint[2][20];   // 1AD
+
+  byte          free_1D5[20];              // 1D5
+
   char          mqtt_host[33];             // 1E9
   uint16_t      mqtt_port;                 // 20A
   char          mqtt_client[33];           // 20C

diff --git a/sonoff/settings.ino b/sonoff/settings.ino
@@ -472,7 +472,18 @@ void SettingsDefaultSet2()
   Settings.webserver = WEB_SERVER;
   Settings.weblog_level = WEB_LOG_LEVEL;
 
-  strlcpy(Settings.mqtt_fingerprint, MQTT_FINGERPRINT, sizeof(Settings.mqtt_fingerprint));
+  char fingerprint[60];
+  strlcpy(fingerprint, MQTT_FINGERPRINT1, sizeof(fingerprint));
+  char *p = fingerprint;
+  for (byte i = 0; i < 20; i++) {
+    Settings.mqtt_fingerprint[0][i] = strtol(p, &p, 16);
+  }
+  strlcpy(fingerprint, MQTT_FINGERPRINT2, sizeof(fingerprint));
+  p = fingerprint;
+  for (byte i = 0; i < 20; i++) {
+    Settings.mqtt_fingerprint[1][i] = strtol(p, &p, 16);
+  }
+
   strlcpy(Settings.mqtt_host, MQTT_HOST, sizeof(Settings.mqtt_host));
   Settings.mqtt_port = MQTT_PORT;
   strlcpy(Settings.mqtt_client, MQTT_CLIENT_ID, sizeof(Settings.mqtt_client));
@@ -875,7 +886,15 @@ void SettingsDelta()
     if (Settings.version < 0x050B0107) {
       Settings.flag.not_power_linked = 0;
     }
-
+    if (Settings.version < 0x050C0005) {
+      char fingerprint[60];
+      memcpy(fingerprint, Settings.mqtt_fingerprint, sizeof(fingerprint));
+      char *p = fingerprint;
+      for (byte i = 0; i < 20; i++) {
+        Settings.mqtt_fingerprint[0][i] = strtol(p, &p, 16);
+        Settings.mqtt_fingerprint[1][i] = Settings.mqtt_fingerprint[0][i];
+      }
+    }
 
     Settings.version = VERSION;
     SettingsSave(1);

diff --git a/sonoff/sonoff.ino b/sonoff/sonoff.ino
@@ -25,7 +25,7 @@
     - Select IDE Tools - Flash Size: "1M (no SPIFFS)"
   ====================================================*/
 
-#define VERSION                0x050C0004   // 5.12.0d
+#define VERSION                0x050C0005   // 5.12.0e
 
 // Location specific includes
 #include <core_version.h>                   // Arduino_Esp8266 version information (ARDUINO_ESP8266_RELEASE and ARDUINO_ESP8266_RELEASE_2_3_0)

diff --git a/sonoff/sonoff_post.h b/sonoff/sonoff_post.h
@@ -145,8 +145,12 @@ void WifiWpsStatusCallback(wps_cb_status status);
 #define SWITCH_MODE            TOGGLE         // TOGGLE, FOLLOW or FOLLOW_INV (the wall switch state)
 #endif
 
-#ifndef MQTT_FINGERPRINT
-#define MQTT_FINGERPRINT       "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"
+#ifndef MQTT_FINGERPRINT1
+#define MQTT_FINGERPRINT1      "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"
+#endif
+
+#ifndef MQTT_FINGERPRINT2
+#define MQTT_FINGERPRINT2      "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"
 #endif
 
 #ifndef WS2812_LEDS

diff --git a/sonoff/user_config.h b/sonoff/user_config.h
@@ -92,7 +92,8 @@
                                                  //   Needs Fingerprint, TLS Port, UserId and Password
 #ifdef USE_MQTT_TLS
   #define MQTT_HOST            ""                   // [MqttHost]
-  #define MQTT_FINGERPRINT     "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"  // [MqttFingerprint]
+  #define MQTT_FINGERPRINT1    "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"  // [MqttFingerprint1]
+  #define MQTT_FINGERPRINT2    "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"  // [MqttFingerprint2]
   #define MQTT_PORT            20123                // [MqttPort] MQTT TLS port
   #define MQTT_USER            "cloudmqttuser"      // [MqttUser] Mandatory user
   #define MQTT_PASS            "cloudmqttpassword"  // [MqttPassword] Mandatory password

diff --git a/sonoff/xdrv_00_mqtt.ino b/sonoff/xdrv_00_mqtt.ino
@@ -376,19 +376,33 @@ void MqttConnected()
 #ifdef USE_MQTT_TLS
 boolean MqttCheckTls()
 {
+  char fingerprint1[60];
+  char fingerprint2[60];
   boolean result = false;
 
+  fingerprint1[0] = '\0';
+  fingerprint2[0] = '\0';
+  for (byte i = 0; i < sizeof(Settings.mqtt_fingerprint[0]); i++) {
+    snprintf_P(fingerprint1, sizeof(fingerprint1), PSTR("%s%s%02X"), fingerprint1, (i) ? " " : "", Settings.mqtt_fingerprint[0][i]);
+    snprintf_P(fingerprint2, sizeof(fingerprint2), PSTR("%s%s%02X"), fingerprint2, (i) ? " " : "", Settings.mqtt_fingerprint[1][i]);
+  }
+
   AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_FINGERPRINT));
   if (!EspClient.connect(Settings.mqtt_host, Settings.mqtt_port)) {
     snprintf_P(log_data, sizeof(log_data), PSTR(D_LOG_MQTT D_TLS_CONNECT_FAILED_TO " %s:%d. " D_RETRY_IN " %d " D_UNIT_SECOND),
       Settings.mqtt_host, Settings.mqtt_port, mqtt_retry_counter);
     AddLog(LOG_LEVEL_DEBUG);
-  } else if (!EspClient.verify(Settings.mqtt_fingerprint, Settings.mqtt_host)) {
-    AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_INSECURE));
   } else {
-    AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_VERIFIED));
-    result = true;
+    if (EspClient.verify(fingerprint1, Settings.mqtt_host)) {
+      AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_VERIFIED "1"));
+      result = true;
+    }
+    else if (EspClient.verify(fingerprint2, Settings.mqtt_host)) {
+      AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_VERIFIED "2"));
+      result = true;
+    }
   }
+  if (!result) AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_FAILED));
   EspClient.stop();
   yield();
   return result;
@@ -534,12 +548,22 @@ bool MqttCommand()
     snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, GetStateText(index -1));
   }
 #ifdef USE_MQTT_TLS
-  else if (CMND_MQTTFINGERPRINT == command_code) {
-    if ((data_len > 0) && (data_len < sizeof(Settings.mqtt_fingerprint))) {
-      strlcpy(Settings.mqtt_fingerprint, (!strcmp(dataBuf,"0")) ? "" : (1 == payload) ? MQTT_FINGERPRINT : dataBuf, sizeof(Settings.mqtt_fingerprint));
+  else if ((CMND_MQTTFINGERPRINT == command_code) && (index > 0) && (index <= 2)) {
+    char fingerprint[60];
+    if ((data_len > 0) && (data_len < sizeof(fingerprint))) {
+      strlcpy(fingerprint, (!strcmp(dataBuf,"0")) ? "" : (1 == payload) ? (1 == index) ? MQTT_FINGERPRINT1 : MQTT_FINGERPRINT2 : dataBuf, sizeof(fingerprint));
+      char *p = fingerprint;
+      for (byte i = 0; i < 20; i++) {
+        Settings.mqtt_fingerprint[index -1][i] = strtol(p, &p, 16);
+      }
       restart_flag = 2;
     }
-    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_SVALUE, command, Settings.mqtt_fingerprint);
+
+    fingerprint[0] = '\0';
+    for (byte i = 0; i < sizeof(Settings.mqtt_fingerprint[index -1]); i++) {
+      snprintf_P(fingerprint, sizeof(fingerprint), PSTR("%s%s%02X"), fingerprint, (i) ? " " : "", Settings.mqtt_fingerprint[index -1][i]);
+    }
+    snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, fingerprint);
   }
 #endif
   else if ((CMND_MQTTCLIENT == command_code) && !grpflg) {