mirrors
/
Tasmota
mirror of https://github.com/arendst/Tasmota.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix TLS crash

This commit is contained in:
Stephan Hadinger 2020-09-14 21:48:32 +02:00
parent bf115647c3
commit 6eadeb81ea
2 changed files with 28 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tasmota/WiFiClientSecureLightBearSSL.cpp
View File

@ -874,10 +874,8 @@ extern "C" {
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced // we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO
#endif #endif
#ifdef USE_MQTT_AWS_IOT_LIGHT
static const char * alpn_mqtt = "mqtt"; static const char * alpn_mqtt = "mqtt";
br_ssl_engine_set_protocol_names(&cc->eng, &alpn_mqtt, 1); br_ssl_engine_set_protocol_names(&cc->eng, &alpn_mqtt, 1);
#endif
} }
} }

50
tasmota/xdrv_02_mqtt.ino
View File

@ -57,7 +57,7 @@ struct MQTT {
uint8_t initial_connection_state = 2; // MQTT connection messages state uint8_t initial_connection_state = 2; // MQTT connection messages state
bool connected = false; // MQTT virtual connection status bool connected = false; // MQTT virtual connection status
bool allowed = false; // MQTT enabled and parameters valid bool allowed = false; // MQTT enabled and parameters valid
bool tls_private_key = false; // MQTT require a private key before connecting bool mqtt_tls = false; // MQTT TLS is enabled
} Mqtt; } Mqtt;
#ifdef USE_MQTT_TLS #ifdef USE_MQTT_TLS
@ -149,22 +149,24 @@ void MqttInit(void)
// Turn on TLS for port 8883 (TLS) and 8884 (TLS, client certificate) // Turn on TLS for port 8883 (TLS) and 8884 (TLS, client certificate)
Settings.flag4.mqtt_tls = true; Settings.flag4.mqtt_tls = true;
} }
Mqtt.mqtt_tls = Settings.flag4.mqtt_tls; // this flag should not change even if we change the SetOption (until reboot)
// Detect AWS IoT and set default parameters // Detect AWS IoT and set default parameters
String host = String(SettingsText(SET_MQTT_HOST)); String host = String(SettingsText(SET_MQTT_HOST));
if (host.indexOf(".iot.") && host.endsWith(".amazonaws.com")) { // look for ".iot." and ".amazonaws.com" in the domain name if (host.indexOf(".iot.") && host.endsWith(".amazonaws.com")) { // look for ".iot." and ".amazonaws.com" in the domain name
Settings.flag4.mqtt_no_retain = true; Settings.flag4.mqtt_no_retain = true;
// Mqtt.tls_private_key = true;
} }
if (Settings.flag4.mqtt_tls) { if (Mqtt.mqtt_tls) {
tlsClient = new BearSSL::WiFiClientSecure_light(1024,1024); tlsClient = new BearSSL::WiFiClientSecure_light(1024,1024);
#ifdef USE_MQTT_AWS_IOT #ifdef USE_MQTT_AWS_IOT
loadTlsDir(); // load key and certificate data from Flash loadTlsDir(); // load key and certificate data from Flash
tlsClient->setClientECCert(AWS_IoT_Client_Certificate, if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
AWS_IoT_Private_Key, tlsClient->setClientECCert(AWS_IoT_Client_Certificate,
0xFFFF /* all usages, don't care */, 0); AWS_IoT_Private_Key,
0xFFFF /* all usages, don't care */, 0);
}
#endif #endif
#ifdef USE_MQTT_TLS_CA_CERT #ifdef USE_MQTT_TLS_CA_CERT
@ -578,8 +580,8 @@ void MqttReconnect(void)
} }
#if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT) #if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT)
// don't enable MQTT for AWS IoT if Private Key or Certificate are not set // don't enable MQTT for AWS IoT if Private Key or Certificate are not set
if (Settings.flag4.mqtt_tls && Mqtt.tls_private_key) { if (Mqtt.mqtt_tls) {
if (!AWS_IoT_Private_Key || !AWS_IoT_Client_Certificate) { if (0 == strlen(SettingsText(SET_MQTT_PWD))) { // we anticipate that an empty password does not make sense with TLS. This avoids failed connections
Mqtt.allowed = false; Mqtt.allowed = false;
} }
} }
@ -614,7 +616,7 @@ void MqttReconnect(void)
if (MqttClient.connected()) { MqttClient.disconnect(); } if (MqttClient.connected()) { MqttClient.disconnect(); }
#ifdef USE_MQTT_TLS #ifdef USE_MQTT_TLS
if (Settings.flag4.mqtt_tls) { if (Mqtt.mqtt_tls) {
tlsClient->stop(); tlsClient->stop();
} else { } else {
EspClient = WiFiClient(); // Wifi Client reconnect issue 4497 (https://github.com/esp8266/Arduino/issues/4497) EspClient = WiFiClient(); // Wifi Client reconnect issue 4497 (https://github.com/esp8266/Arduino/issues/4497)
@ -632,10 +634,12 @@ void MqttReconnect(void)
MqttClient.setCallback(MqttDataHandler); MqttClient.setCallback(MqttDataHandler);
#if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT) #if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT)
// re-assign private keys in case it was updated in between // re-assign private keys in case it was updated in between
if (Settings.flag4.mqtt_tls) { if (Mqtt.mqtt_tls) {
tlsClient->setClientECCert(AWS_IoT_Client_Certificate, if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
AWS_IoT_Private_Key, tlsClient->setClientECCert(AWS_IoT_Client_Certificate,
0xFFFF /* all usages, don't care */, 0); AWS_IoT_Private_Key,
0xFFFF /* all usages, don't care */, 0);
}
} }
#endif #endif
MqttClient.setServer(SettingsText(SET_MQTT_HOST), Settings.mqtt_port); MqttClient.setServer(SettingsText(SET_MQTT_HOST), Settings.mqtt_port);
@ -645,7 +649,7 @@ void MqttReconnect(void)
bool allow_all_fingerprints; bool allow_all_fingerprints;
bool learn_fingerprint1; bool learn_fingerprint1;
bool learn_fingerprint2; bool learn_fingerprint2;
if (Settings.flag4.mqtt_tls) { if (Mqtt.mqtt_tls) {
allow_all_fingerprints = false; allow_all_fingerprints = false;
learn_fingerprint1 = is_fingerprint_mono_value(Settings.mqtt_fingerprint[0], 0x00); learn_fingerprint1 = is_fingerprint_mono_value(Settings.mqtt_fingerprint[0], 0x00);
learn_fingerprint2 = is_fingerprint_mono_value(Settings.mqtt_fingerprint[1], 0x00); learn_fingerprint2 = is_fingerprint_mono_value(Settings.mqtt_fingerprint[1], 0x00);
@ -658,16 +662,18 @@ void MqttReconnect(void)
#endif #endif
bool lwt_retain = Settings.flag4.mqtt_no_retain ? false : true; // no retained last will if "no_retain" bool lwt_retain = Settings.flag4.mqtt_no_retain ? false : true; // no retained last will if "no_retain"
#if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT) #if defined(USE_MQTT_TLS) && defined(USE_MQTT_AWS_IOT)
if (Settings.flag4.mqtt_tls && Mqtt.tls_private_key) { if (Mqtt.mqtt_tls) {
// If we require private key then we should null user/pwd if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
mqtt_user = nullptr; // if private key is there, we remove user/pwd
mqtt_pwd = nullptr; mqtt_user = nullptr;
mqtt_pwd = nullptr;
}
} }
#endif #endif
if (MqttClient.connect(mqtt_client, mqtt_user, mqtt_pwd, stopic, 1, lwt_retain, mqtt_data, MQTT_CLEAN_SESSION)) { if (MqttClient.connect(mqtt_client, mqtt_user, mqtt_pwd, stopic, 1, lwt_retain, mqtt_data, MQTT_CLEAN_SESSION)) {
#ifdef USE_MQTT_TLS #ifdef USE_MQTT_TLS
if (Settings.flag4.mqtt_tls) { if (Mqtt.mqtt_tls) {
AddLog_P2(LOG_LEVEL_INFO, PSTR(D_LOG_MQTT "TLS connected in %d ms, max ThunkStack used %d"), AddLog_P2(LOG_LEVEL_INFO, PSTR(D_LOG_MQTT "TLS connected in %d ms, max ThunkStack used %d"),
millis() - mqtt_connect_time, tlsClient->getMaxThunkStackUse()); millis() - mqtt_connect_time, tlsClient->getMaxThunkStackUse());
if (!tlsClient->getMFLNStatus()) { if (!tlsClient->getMFLNStatus()) {
@ -739,7 +745,7 @@ void MqttReconnect(void)
MqttConnected(); MqttConnected();
} else { } else {
#ifdef USE_MQTT_TLS #ifdef USE_MQTT_TLS
if (Settings.flag4.mqtt_tls) { if (Mqtt.mqtt_tls) {
AddLog_P2(LOG_LEVEL_INFO, PSTR(D_LOG_MQTT "TLS connection error: %d"), tlsClient->getLastError()); AddLog_P2(LOG_LEVEL_INFO, PSTR(D_LOG_MQTT "TLS connection error: %d"), tlsClient->getLastError());
} }
#endif #endif
@ -1311,7 +1317,7 @@ void HandleMqttConfiguration(void)
SettingsText(SET_MQTT_HOST), SettingsText(SET_MQTT_HOST),
Settings.mqtt_port, Settings.mqtt_port,
#ifdef USE_MQTT_TLS #ifdef USE_MQTT_TLS
Settings.flag4.mqtt_tls ? " checked" : "", // SetOption102 - Enable MQTT TLS Mqtt.mqtt_tls ? " checked" : "", // SetOption102 - Enable MQTT TLS
#endif // USE_MQTT_TLS #endif // USE_MQTT_TLS
Format(str, MQTT_CLIENT_ID, sizeof(str)), MQTT_CLIENT_ID, SettingsText(SET_MQTT_CLIENT)); Format(str, MQTT_CLIENT_ID, sizeof(str)), MQTT_CLIENT_ID, SettingsText(SET_MQTT_CLIENT));
WSContentSend_P(HTTP_FORM_MQTT2, WSContentSend_P(HTTP_FORM_MQTT2,
@ -1346,7 +1352,7 @@ void MqttSaveSettings(void)
WebGetArg("ml", tmp, sizeof(tmp)); WebGetArg("ml", tmp, sizeof(tmp));
Settings.mqtt_port = (!strlen(tmp)) ? MQTT_PORT : atoi(tmp); Settings.mqtt_port = (!strlen(tmp)) ? MQTT_PORT : atoi(tmp);
#ifdef USE_MQTT_TLS #ifdef USE_MQTT_TLS
Settings.flag4.mqtt_tls = Webserver->hasArg("b3"); // SetOption102 - Enable MQTT TLS Mqtt.mqtt_tls = Webserver->hasArg("b3"); // SetOption102 - Enable MQTT TLS
#endif #endif
WebGetArg("mc", tmp, sizeof(tmp)); WebGetArg("mc", tmp, sizeof(tmp));
SettingsUpdateText(SET_MQTT_CLIENT, (!strlen(tmp)) ? MQTT_CLIENT_ID : tmp); SettingsUpdateText(SET_MQTT_CLIENT, (!strlen(tmp)) ? MQTT_CLIENT_ID : tmp);