Add BearSSL::setFingerprint(char* fp) #5204

Merged
merged 3 commits into from
Oct 4, 2018
Merged
Expand Up @@ -102,7 +102,7 @@ instead of the while certificate. This is not nearly as secure as real
X.509 validation, but is better than nothing.
)EOF");
BearSSL::WiFiClientSecure client;
const uint8_t fp[20] = {0x5F, 0xF1, 0x60, 0x31, 0x09, 0x04, 0x3E, 0xF2, 0x90, 0xD2, 0xB0, 0x8A, 0x50, 0x38, 0x04, 0xE8, 0x37, 0x9F, 0xBC, 0x76};
static const char fp[] PROGMEM = "5F:F1:60:31:09:04:3E:F2:90:D2:B0:8A:50:38:04:E8:37:9F:BC:76";
client.setFingerprint(fp);
fetchURL(&client, host, port, path);
}
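--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -536,6 +536,42 @@ bool WiFiClientSecure::_wait_for_handshake() {
 return _handshake_done;
 }
 
+static uint8_t htoi (unsigned char c)
+{
+if (c>='0' && c <='9') return c - '0';
+else if (c>='A' && c<='F') return 10 + c - 'A';
+else if (c>='a' && c<='f') return 10 + c - 'a';
+else return 255;
+}
+
+// Set a fingerprint by parsing an ASCII string
+bool WiFiClientSecure::setFingerprint(const char *fpStr) {
+int idx = 0;
+uint8_t c, d;
+uint8_t fp[20];
+
+while (idx < 20) {
+c = pgm_read_byte(fpStr++);
+if (!c) break; // String ended, done processing
+d = pgm_read_byte(fpStr++);
+if (!d) return false; // Only half of the last hex digit, error
+c = htoi(c);
+d = htoi(d);
+if ((c>15) || (d>15)) {
+return false; // Error in one of the hex characters
+}
+fp[idx++] = (c<<4)|d;
+
+// Skip 0 or more spaces or colons
+while ( pgm_read_byte(fpStr) && (pgm_read_byte(fpStr)==' ' || pgm_read_byte(fpStr)==':') ) {
+fpStr++;
+}
+}
+if ((idx != 20) || pgm_read_byte(_fingerprint)) {
+return false; // Garbage at EOL or we didn't have enough hex digits
+}
+return setFingerprint(fp);
+}
 
 extern "C" {
 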
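Review bot: The end-of-input check `if ((idx != 20) || pgm_read_byte(_fingerprint))` reads the member `_fingerprint` — the fingerprint stored by a previous call — instead of the remaining input, so trailing garbage after the twentieth byte pair is never detected, and a well-formed string is presumably rejected whenever the first byte of an earlier fingerprint is non-zero; it should read `pgm_read_byte(fpStr)`. The loop bound `20` and `uint8_t fp[20]` repeat the fingerprint length; `sizeof(fp)` in the `while` condition and the final `idx` comparison would keep them in step. The separator-skipping loop runs only after a byte pair, so leading spaces or colons are reported as a bad hex character rather than skipped; the comment above the function should say so. Suggested replacement for `// Set a fingerprint by parsing an ASCII string`: `// Parse a 20-byte SHA1 fingerprint from "5F:F1:..." or "5F F1 ..." form (separators optional after each pair, none allowed before the first); returns false and leaves the current settings untouched on malformed input`.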
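--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@@ -73,11 +73,13 @@ class WiFiClientSecure : public WiFiClient {
 _knownkey_usages = usages;
 }
 // Only check SHA1 fingerprint of certificate
-void setFingerprint(const uint8_t fingerprint[20]) {
+bool setFingerprint(const uint8_t fingerprint[20]) {
 _clearAuthenticationSettings();
 _use_fingerprint = true;
 memcpy_P(_fingerprint, fingerprint, 20);
+return true;
 }
+bool setFingerprint(const char *fpStr);
 // Accept any certificate that's self-signed
 void allowSelfSignedCerts() {
 _clearAuthenticationSettings();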
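Review bot: The new `bool setFingerprint(const char *fpStr);` declaration has no comment, while its array sibling does; a caller needs to know the accepted format, that the string is read with `pgm_read_byte` (so a `PROGMEM` literal as in the example sketch works), and that a `false` return means the previous authentication settings were left in place. Suggested line above it: `// Same, but parses a 20-byte hex string such as "5F:F1:...:76" (':' or ' ' between pairs optional); returns false without changing the current settings if the string is malformed`. The array overload's added `return true;` is unconditional, so its result carries no information; a short note such as `// Always succeeds; returns bool to match the string overload` would stop readers from checking it for a failure that cannot happen.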