Native BareSSL support for ESP8266

see #557, #509, #492, #555, #352
2025-07-13 23:36:30 +02:00 · 2020-10-04 14:49:22 +02:00
parent a00d3edcb7
commit 91b02341ba
4 changed files with 69 additions and 13 deletions
--- a/src/WebSocketsClient.cpp
+++ b/src/WebSocketsClient.cpp
@ -46,7 +46,7 @@ void WebSocketsClient::begin(const char * host, uint16_t port, const char * url,
    _host = host;
    _port = port;
 #if defined(HAS_SSL)
-    _fingerprint = "";
+    _fingerprint = SSL_FINGERPRINT_NULL;
    _CA_cert     = NULL;
 #endif

@ -97,6 +97,7 @@ void WebSocketsClient::begin(IPAddress host, uint16_t port, const char * url, co
 }

 #if defined(HAS_SSL)
+#if defined(SSL_AXTLS)
 void WebSocketsClient::beginSSL(const char * host, uint16_t port, const char * url, const char * fingerprint, const char * protocol) {
    begin(host, port, url, protocol);
    _client.isSSL = true;
@ -111,10 +112,31 @@ void WebSocketsClient::beginSSL(String host, uint16_t port, String url, String f
 void WebSocketsClient::beginSslWithCA(const char * host, uint16_t port, const char * url, const char * CA_cert, const char * protocol) {
    begin(host, port, url, protocol);
    _client.isSSL = true;
-    _fingerprint  = "";
+    _fingerprint  = SSL_FINGERPRINT_NULL;
    _CA_cert      = CA_cert;
 }
-#endif
+#else
+void WebSocketsClient::beginSSL(const char * host, uint16_t port, const char * url, const uint8_t * fingerprint, const char * protocol) {
+    begin(host, port, url, protocol);
+    _client.isSSL = true;
+    _fingerprint  = fingerprint;
+    _CA_cert      = NULL;
+}
+void WebSocketsClient::beginSslWithCA(const char * host, uint16_t port, const char * url, const char * CA_cert, const char * protocol) {
+    begin(host, port, url, protocol);
+    _client.isSSL = true;
+    _fingerprint  = SSL_FINGERPRINT_NULL;
+    _CA_cert      = new BearSSL::X509List(CA_cert);
+}
+
+void WebSocketsClient::beginSslWithCA(const char * host, uint16_t port, const char * url, BearSSL::X509List * CA_cert, const char * protocol) {
+    begin(host, port, url, protocol);
+    _client.isSSL = true;
+    _fingerprint  = SSL_FINGERPRINT_NULL;
+    _CA_cert      = CA_cert;
+}
+#endif    // SSL_AXTLS
+#endif    // HAS_SSL

 void WebSocketsClient::beginSocketIO(const char * host, uint16_t port, const char * url, const char * protocol) {
    begin(host, port, url, protocol);
@ -130,7 +152,7 @@ void WebSocketsClient::beginSocketIOSSL(const char * host, uint16_t port, const
    begin(host, port, url, protocol);
    _client.isSocketIO = true;
    _client.isSSL      = true;
-    _fingerprint       = "";
+    _fingerprint       = SSL_FINGERPRINT_NULL;
 }

 void WebSocketsClient::beginSocketIOSSL(String host, uint16_t port, String url, String protocol) {
@ -141,8 +163,12 @@ void WebSocketsClient::beginSocketIOSSLWithCA(const char * host, uint16_t port,
    begin(host, port, url, protocol);
    _client.isSocketIO = true;
    _client.isSSL      = true;
-    _fingerprint       = "";
-    _CA_cert           = CA_cert;
+    _fingerprint       = SSL_FINGERPRINT_NULL;
+#if defined(SSL_AXTLS)
+    _CA_cert = CA_cert;
+#else
+    _CA_cert = new BearSSL::X509List(CA_cert);
+#endif
 }
 #endif

@ -175,14 +201,20 @@ void WebSocketsClient::loop(void) {
                DEBUG_WEBSOCKETS("[WS-Client] setting CA certificate");
 #if defined(ESP32)
                _client.ssl->setCACert(_CA_cert);
-#elif defined(ESP8266)
+#elif defined(ESP8266) && defined(SSL_AXTLS)
                _client.ssl->setCACert((const uint8_t *)_CA_cert, strlen(_CA_cert) + 1);
+#elif defined(ESP8266) && defined(SSL_BARESSL)
+                _client.ssl->setTrustAnchors(_CA_cert);
 #else
 #error setCACert not implemented
 #endif
-            } else if(_fingerprint.length()) {
-#if defined(wificlientbearssl_h) && !defined(USING_AXTLS) && !defined(wificlientsecure_h)
-                _client.ssl->setFingerprint(_fingerprint.c_str());
+#if defined(SSL_BARESSL)
+            } else if(_fingerprint) {
+                _client.ssl->setFingerprint(_fingerprint);
+#endif
+            } else {
+#if defined(SSL_BARESSL)
+                _client.ssl->setInsecure();
 #endif
            }
        } else {
@ -774,14 +806,18 @@ void WebSocketsClient::connectedCb() {
 #endif

 #if defined(HAS_SSL)
+#if defined(SSL_AXTLS) || defined(ESP32)
    if(_client.isSSL && _fingerprint.length()) {
        if(!_client.ssl->verify(_fingerprint.c_str(), _host.c_str())) {
            DEBUG_WEBSOCKETS("[WS-Client] certificate mismatch\n");
            WebSockets::clientDisconnect(&_client, 1000);
            return;
        }
+#else
+    if(_client.isSSL && _fingerprint) {
+#endif
    } else if(_client.isSSL && !_CA_cert) {
-#if defined(wificlientbearssl_h) && !defined(USING_AXTLS) && !defined(wificlientsecure_h)
+#if defined(SSL_BARESSL)
        _client.ssl->setInsecure();
 #endif
    }