From b51f060e0456e7c0d42d0a0e65380afb03323970 Mon Sep 17 00:00:00 2001
From: Theo Arends
Date: Fri, 9 Mar 2018 18:08:17 +0100
Subject: [PATCH] v5.12.0e - Add second TLS fingerprint

5.12.0e
 * Add a second TLS fingerprint to allow switching keys in TLS mode (#2033, #2102)
---
 README.md | 2 +-
 sonoff/_releasenotes.ino | 5 ++++-
 sonoff/language/cz-CZ.h | 2 +-
 sonoff/language/de-DE.h | 2 +-
 sonoff/language/en-GB.h | 2 +-
 sonoff/language/es-AR.h | 2 +-
 sonoff/language/fr-FR.h | 2 +-
 sonoff/language/hu-HU.h | 2 +-
 sonoff/language/it-IT.h | 2 +-
 sonoff/language/nl-NL.h | 2 +-
 sonoff/language/pl-PL.h | 2 +-
 sonoff/language/pt-PT.h | 2 +-
 sonoff/language/ru-RU.h | 2 +-
 sonoff/settings.h | 7 ++++++-
 sonoff/settings.ino | 23 +++++++++++++++++++++--
 sonoff/sonoff.ino | 2 +-
 sonoff/sonoff_post.h | 8 ++++++--
 sonoff/user_config.h | 3 ++-
 sonoff/xdrv_00_mqtt.ino | 40 ++++++++++++++++++++++++++++++++--------
 19 files changed, 84 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index 1559bd7b5..1c1b625dc 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 ## Sonoff-Tasmota
 Provide ESP8266 based Sonoff by [iTead Studio](https://www.itead.cc/) and ElectroDragon IoT Relay with Serial, Web and MQTT control allowing 'Over the Air' or OTA firmware updates using Arduino IDE.
-Current version is **5.12.0d** - See [sonoff/_releasenotes.ino](https://github.com/arendst/Sonoff-Tasmota/blob/development/sonoff/_releasenotes.ino) for change information.
+Current version is **5.12.0e** - See [sonoff/_releasenotes.ino](https://github.com/arendst/Sonoff-Tasmota/blob/development/sonoff/_releasenotes.ino) for change information.
 ### ATTENTION All versions
diff --git a/sonoff/_releasenotes.ino b/sonoff/_releasenotes.ino
index 066180638..721b8d376 100644
--- a/sonoff/_releasenotes.ino
+++ b/sonoff/_releasenotes.ino
@@ -1,4 +1,7 @@
-/* 5.12.0d
+/* 5.12.0e
+ * Add a second TLS fingerprint to allow switching keys in TLS mode (#2033, #2102)
+ *
+ * 5.12.0d
 * Add support for optional MQTT drivers to be selected in user_config.h (#1992)
 * Add Portuguese language file
 * Add compiler check for stable lwIP version v1.4 (#1940)
diff --git a/sonoff/language/cz-CZ.h b/sonoff/language/cz-CZ.h
index 6eeb3237b..a3cae2bbc 100644
--- a/sonoff/language/cz-CZ.h
+++ b/sonoff/language/cz-CZ.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verifikuj otisk TLS..."
 #define D_TLS_CONNECT_FAILED_TO "Nepripojeno TLS do"
 #define D_RETRY_IN "Zopakuji za"
-#define D_VERIFIED "Zverifikovano"
+#define D_VERIFIED "Zverifikovano otisk"
 #define D_INSECURE "Nespravne pripojeni z duvodu chybneho otisku TLS"
 #define D_CONNECT_FAILED_TO "Spojeni se nepodarilo navazat"
diff --git a/sonoff/language/de-DE.h b/sonoff/language/de-DE.h
index f1eed0dac..d43055b67 100644
--- a/sonoff/language/de-DE.h
+++ b/sonoff/language/de-DE.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "TLS-Fingerabdruck wird verifiziert..."
 #define D_TLS_CONNECT_FAILED_TO "TLS-Verbindung fehlgeschlagen an"
 #define D_RETRY_IN "Wiederversuch in"
-#define D_VERIFIED "verifiziert"
+#define D_VERIFIED "verifiziert mit Fingerabdruck"
 #define D_INSECURE "unsichere Verbindung aufgrund ungültigen Fingerabdrucks"
 #define D_CONNECT_FAILED_TO "Verbindung fehlgeschlagen aufgrund von"
diff --git a/sonoff/language/en-GB.h b/sonoff/language/en-GB.h
index 987d0ccda..905ed5d9b 100644
--- a/sonoff/language/en-GB.h
+++ b/sonoff/language/en-GB.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verify TLS fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "TLS Connect failed to"
 #define D_RETRY_IN "Retry in"
-#define D_VERIFIED "Verified"
+#define D_VERIFIED "Verified using Fingerprint"
 #define D_INSECURE "Insecure connection due to invalid Fingerprint"
 #define D_CONNECT_FAILED_TO "Connect failed to"
diff --git a/sonoff/language/es-AR.h b/sonoff/language/es-AR.h
index 8386dd605..c46bfa1d5 100644
--- a/sonoff/language/es-AR.h
+++ b/sonoff/language/es-AR.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verificar TLS fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "Falló Conección TLS a"
 #define D_RETRY_IN "Reintentando"
-#define D_VERIFIED "Verificado"
+#define D_VERIFIED "Verificado Fingerprint"
 #define D_INSECURE "Conección insegura por Fingerprint no válido"
 #define D_CONNECT_FAILED_TO "Falló Conección a"
diff --git a/sonoff/language/fr-FR.h b/sonoff/language/fr-FR.h
index 9364bc102..653887508 100644
--- a/sonoff/language/fr-FR.h
+++ b/sonoff/language/fr-FR.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verification empreinte TLS ..."
 #define D_TLS_CONNECT_FAILED_TO "Echec de connexion TLS à"
 #define D_RETRY_IN "Nouvelle tentative dans"
-#define D_VERIFIED "Verifié"
+#define D_VERIFIED "Verifié empreinte "
 #define D_INSECURE "Connexion non sécurisée car empreinte non vérifée"
 #define D_CONNECT_FAILED_TO "Echec de connexion à"
diff --git a/sonoff/language/hu-HU.h b/sonoff/language/hu-HU.h
index f1fb99c61..9ce316cf9 100644
--- a/sonoff/language/hu-HU.h
+++ b/sonoff/language/hu-HU.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "TLS fingerprint hitelesítése..."
 #define D_TLS_CONNECT_FAILED_TO "TLS Csatlakozás sikertelen a"
 #define D_RETRY_IN "Újrapróbálás"
-#define D_VERIFIED "Hitelesítve"
+#define D_VERIFIED "Hitelesítve Fingerprint"
 #define D_INSECURE "Nem biztonságos kapcsolat érvénytelen Fingerprint miatt"
 #define D_CONNECT_FAILED_TO "Sikertelen csatlakozás a"
diff --git a/sonoff/language/it-IT.h b/sonoff/language/it-IT.h
index ea6ce9804..0e0f4594f 100644
--- a/sonoff/language/it-IT.h
+++ b/sonoff/language/it-IT.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verifica TLS fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "Connessione TLS fallita a"
 #define D_RETRY_IN "Nuovo tentativo in"
-#define D_VERIFIED "Verificato"
+#define D_VERIFIED "Verificato Fingerprint"
 #define D_INSECURE "Connessione insicura a causa di Fingerprint non valido"
 #define D_CONNECT_FAILED_TO "Connessione Fallita a"
diff --git a/sonoff/language/nl-NL.h b/sonoff/language/nl-NL.h
index c260553a0..0932a7326 100644
--- a/sonoff/language/nl-NL.h
+++ b/sonoff/language/nl-NL.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Controleer TLS vingerafdruk..."
 #define D_TLS_CONNECT_FAILED_TO "TLS Verbinding mislukt naar"
 #define D_RETRY_IN "Opnieuw proberen over"
-#define D_VERIFIED "Gecontroleerd"
+#define D_VERIFIED "Gecontroleerd met vingerafdruk"
 #define D_INSECURE "Door ongeldige vingerafdruk een onveilige verbinding"
 #define D_CONNECT_FAILED_TO "Verbinding mislukt naar"
diff --git a/sonoff/language/pl-PL.h b/sonoff/language/pl-PL.h
index 334934a12..1b2bbb099 100644
--- a/sonoff/language/pl-PL.h
+++ b/sonoff/language/pl-PL.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Weryfikuj odcisk TLS..."
 #define D_TLS_CONNECT_FAILED_TO "Nieudane połączenie TLS do"
 #define D_RETRY_IN "Spróbuj ponownie"
-#define D_VERIFIED "Zweryfikowano"
+#define D_VERIFIED "Zweryfikowano odcisku"
 #define D_INSECURE "Nieprawidłowe połączenie z powodu błędnego odcisku TLS"
 #define D_CONNECT_FAILED_TO "Nie udało się nawiązać połączenia"
diff --git a/sonoff/language/pt-PT.h b/sonoff/language/pt-PT.h
index 7fd9bac23..cc3b74a04 100644
--- a/sonoff/language/pt-PT.h
+++ b/sonoff/language/pt-PT.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Verifique a impressão digital TLS..."
 #define D_TLS_CONNECT_FAILED_TO "TLS não conseguiu ligar"
 #define D_RETRY_IN "Tentativa em"
-#define D_VERIFIED "Verificado"
+#define D_VERIFIED "Verificado impressão digital "
 #define D_INSECURE "Ligação insegura devido à impressão digital inválida"
 #define D_CONNECT_FAILED_TO "A ligação falhou ao"
diff --git a/sonoff/language/ru-RU.h b/sonoff/language/ru-RU.h
index b0f5cd764..d5483b504 100644
--- a/sonoff/language/ru-RU.h
+++ b/sonoff/language/ru-RU.h
@@ -165,7 +165,7 @@
 #define D_FINGERPRINT "Проверка TLS Fingerprint..."
 #define D_TLS_CONNECT_FAILED_TO "Сбой подключения TLS к"
 #define D_RETRY_IN "Повторить"
-#define D_VERIFIED "Проверено"
+#define D_VERIFIED "Проверено Fingerprint"
 #define D_INSECURE "Небезопасное соединение, недействительный Fingerprint"
 #define D_CONNECT_FAILED_TO "Ошибка подключения к"
diff --git a/sonoff/settings.h b/sonoff/settings.h
index dab308503..a3049dbca 100644
--- a/sonoff/settings.h
+++ b/sonoff/settings.h
@@ -116,7 +116,12 @@ struct SYSCFG {
 byte syslog_level; // 1AA
 uint8_t webserver; // 1AB
 byte weblog_level; // 1AC
- char mqtt_fingerprint[60]; // 1AD To be freed by binary fingerprint
+
+// char mqtt_fingerprint[60]; // 1AD
+ uint8_t mqtt_fingerprint[2][20]; // 1AD
+
+ byte free_1D5[20]; // 1D5
+
 char mqtt_host[33]; // 1E9
 uint16_t mqtt_port; // 20A
 char mqtt_client[33]; // 20C
diff --git a/sonoff/settings.ino b/sonoff/settings.ino
index c702d16c2..b0d6c444e 100644
--- a/sonoff/settings.ino
+++ b/sonoff/settings.ino
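Review bot: The commented-out `// char mqtt_fingerprint[60]; // 1AD` kept above the new array is dead text that will only confuse the next reader of the layout table; a comment that explains the change serves better, e.g. `uint8_t mqtt_fingerprint[2][20]; // 1AD Two binary fingerprints of 20 bytes; replaces the former 60 byte text field, converted in SettingsDelta`. The element count 20 is repeated as a bare literal in the conversion loops of settings.ino and xdrv_00_mqtt.ino, while the loops that print the value use `sizeof(Settings.mqtt_fingerprint[0])`; a named constant declared next to this field would tie the two together so a future size change cannot leave one of them behind. The `free_1D5[20]` filler keeps mqtt_host at 1E9, which agrees with the offsets noted in the comments.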
@@ -472,7 +472,18 @@ void SettingsDefaultSet2()
 Settings.webserver = WEB_SERVER;
 Settings.weblog_level = WEB_LOG_LEVEL;
- strlcpy(Settings.mqtt_fingerprint, MQTT_FINGERPRINT, sizeof(Settings.mqtt_fingerprint));
+ char fingerprint[60];
+ strlcpy(fingerprint, MQTT_FINGERPRINT1, sizeof(fingerprint));
+ char *p = fingerprint;
+ for (byte i = 0; i < 20; i++) {
+ Settings.mqtt_fingerprint[0][i] = strtol(p, &p, 16);
+ }
+ strlcpy(fingerprint, MQTT_FINGERPRINT2, sizeof(fingerprint));
+ p = fingerprint;
+ for (byte i = 0; i < 20; i++) {
+ Settings.mqtt_fingerprint[1][i] = strtol(p, &p, 16);
+ }
+
 strlcpy(Settings.mqtt_host, MQTT_HOST, sizeof(Settings.mqtt_host));
 Settings.mqtt_port = MQTT_PORT;
 strlcpy(Settings.mqtt_client, MQTT_CLIENT_ID, sizeof(Settings.mqtt_client));
@@ -875,7 +886,15 @@ void SettingsDelta()
 if (Settings.version < 0x050B0107) {
 Settings.flag.not_power_linked = 0;
 }
-
+ if (Settings.version < 0x050C0005) {
+ char fingerprint[60];
+ memcpy(fingerprint, Settings.mqtt_fingerprint, sizeof(fingerprint));
+ char *p = fingerprint;
+ for (byte i = 0; i < 20; i++) {
+ Settings.mqtt_fingerprint[0][i] = strtol(p, &p, 16);
+ Settings.mqtt_fingerprint[1][i] = Settings.mqtt_fingerprint[0][i];
+ }
+ }
 Settings.version = VERSION;
 SettingsSave(1);
diff --git a/sonoff/sonoff.ino b/sonoff/sonoff.ino
index 099bedd9f..5f3ce3ea4 100644
--- a/sonoff/sonoff.ino
+++ b/sonoff/sonoff.ino
@@ -25,7 +25,7 @@
 - Select IDE Tools - Flash Size: "1M (no SPIFFS)"
 ====================================================*/
-#define VERSION 0x050C0004 // 5.12.0d
+#define VERSION 0x050C0005 // 5.12.0e
 // Location specific includes
 #include // Arduino_Esp8266 version information (ARDUINO_ESP8266_RELEASE and ARDUINO_ESP8266_RELEASE_2_3_0)
diff --git a/sonoff/sonoff_post.h b/sonoff/sonoff_post.h
index 0a023ea6f..b6ab9e999 100644
--- a/sonoff/sonoff_post.h
+++ b/sonoff/sonoff_post.h
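Review bot: The text-to-bytes loop `for (byte i = 0; i < 20; i++) { Settings.mqtt_fingerprint[0][i] = strtol(p, &p, 16); }` is written out twice in this hunk and again in SettingsDelta and in MqttCommand (xdrv_00_mqtt.ino), each time preceded by a 60-byte stack copy of a string that strtol never modifies; one static helper taking a `const char *` removes the duplication and gives any later input validation a single place to live. The loop also stores 0 for every token it cannot parse without reporting it, so a malformed MQTT_FINGERPRINT1/2 in a user's configuration silently becomes a fingerprint that matches nothing, and the helper is where such a check would belong. SettingsDefaultSet2 begins and ends outside the hunk.

```cpp
// Convert a "A5 02 FF ..." fingerprint text into 20 raw bytes.
// A token that is not hex yields 0 and stops advancing, exactly like the inline loops this replaces.
static void MqttFingerprintFromText(const char *text, uint8_t out[20])
{
  const char *p = text;
  for (byte i = 0; i < 20; i++) {
    char *end;
    out[i] = strtol(p, &end, 16);
    p = end;
  }
}

  // … unchanged: SettingsDefaultSet2 up to Settings.weblog_level …
  MqttFingerprintFromText(MQTT_FINGERPRINT1, Settings.mqtt_fingerprint[0]);
  MqttFingerprintFromText(MQTT_FINGERPRINT2, Settings.mqtt_fingerprint[1]);
  // … unchanged: mqtt_host / mqtt_port / mqtt_client defaults …
```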
@@ -145,8 +145,12 @@ void WifiWpsStatusCallback(wps_cb_status status);
 #define SWITCH_MODE TOGGLE // TOGGLE, FOLLOW or FOLLOW_INV (the wall switch state)
 #endif
-#ifndef MQTT_FINGERPRINT
-#define MQTT_FINGERPRINT "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"
+#ifndef MQTT_FINGERPRINT1
+#define MQTT_FINGERPRINT1 "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"
+#endif
+
+#ifndef MQTT_FINGERPRINT2
+#define MQTT_FINGERPRINT2 "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07"
 #endif
 #ifndef WS2812_LEDS
diff --git a/sonoff/user_config.h b/sonoff/user_config.h
index 15cfb6fbf..a59d451fd 100644
--- a/sonoff/user_config.h
+++ b/sonoff/user_config.h
@@ -92,7 +92,8 @@
 // Needs Fingerprint, TLS Port, UserId and Password
 #ifdef USE_MQTT_TLS
 #define MQTT_HOST "" // [MqttHost]
- #define MQTT_FINGERPRINT "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07" // [MqttFingerprint]
+ #define MQTT_FINGERPRINT1 "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07" // [MqttFingerprint1]
+ #define MQTT_FINGERPRINT2 "A5 02 FF 13 99 9F 8B 39 8E F1 83 4F 11 23 65 0B 32 36 FC 07" // [MqttFingerprint2]
 #define MQTT_PORT 20123 // [MqttPort] MQTT TLS port
 #define MQTT_USER "cloudmqttuser" // [MqttUser] Mandatory user
 #define MQTT_PASS "cloudmqttpassword" // [MqttPassword] Mandatory password
diff --git a/sonoff/xdrv_00_mqtt.ino b/sonoff/xdrv_00_mqtt.ino
index b8e76ca7e..9f89eb259 100644
--- a/sonoff/xdrv_00_mqtt.ino
+++ b/sonoff/xdrv_00_mqtt.ino
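Review bot: A build that still defines `MQTT_FINGERPRINT`, the name this file consulted until now, is silently ignored after this hunk: the `#ifndef` guards now only look for MQTT_FINGERPRINT1 and MQTT_FINGERPRINT2, so such a build gets the shipped default fingerprint compiled in instead of the value the user pinned, and nothing at compile time says so. A small shim keeps older configurations working: `#if defined(MQTT_FINGERPRINT) && !defined(MQTT_FINGERPRINT1)` / `#define MQTT_FINGERPRINT1 MQTT_FINGERPRINT` / `#endif`, or at least an `#error` on a stale MQTT_FINGERPRINT so the rename is noticed. Whether any override header exists at this version is not visible in the diff; the user_config.h hunk only shows the renamed template entries, where both defaults are the same string.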
@@ -376,19 +376,33 @@ void MqttConnected()
 #ifdef USE_MQTT_TLS
 boolean MqttCheckTls()
 {
+ char fingerprint1[60];
+ char fingerprint2[60];
 boolean result = false;
+ fingerprint1[0] = '\0';
+ fingerprint2[0] = '\0';
+ for (byte i = 0; i < sizeof(Settings.mqtt_fingerprint[0]); i++) {
+ snprintf_P(fingerprint1, sizeof(fingerprint1), PSTR("%s%s%02X"), fingerprint1, (i) ? " " : "", Settings.mqtt_fingerprint[0][i]);
+ snprintf_P(fingerprint2, sizeof(fingerprint2), PSTR("%s%s%02X"), fingerprint2, (i) ? " " : "", Settings.mqtt_fingerprint[1][i]);
+ }
+
 AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_FINGERPRINT));
 if (!EspClient.connect(Settings.mqtt_host, Settings.mqtt_port)) {
 snprintf_P(log_data, sizeof(log_data), PSTR(D_LOG_MQTT D_TLS_CONNECT_FAILED_TO " %s:%d. " D_RETRY_IN " %d " D_UNIT_SECOND), Settings.mqtt_host, Settings.mqtt_port, mqtt_retry_counter);
 AddLog(LOG_LEVEL_DEBUG);
- } else if (!EspClient.verify(Settings.mqtt_fingerprint, Settings.mqtt_host)) {
- AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_INSECURE));
 } else {
- AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_VERIFIED));
- result = true;
+ if (EspClient.verify(fingerprint1, Settings.mqtt_host)) {
+ AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_VERIFIED "1"));
+ result = true;
+ }
+ else if (EspClient.verify(fingerprint2, Settings.mqtt_host)) {
+ AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_VERIFIED "2"));
+ result = true;
+ }
 }
+ if (!result) AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_FAILED));
 EspClient.stop();
 yield();
 return result;
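Review bot: A fingerprint mismatch is no longer logged as such: when both `EspClient.verify()` calls fail, the only INFO line is the generic `D_FAILED` added at the end, which is also all that a plain connect failure produces at INFO level (its own message goes out at DEBUG), so an operator reading the log can no longer tell a TLS connect problem from a server certificate that matches neither pinned fingerprint, and the latter is the case that may point at a rotated key or an interposed host. D_INSECURE is still defined in every language file in this commit, so an `else { AddLog_P(LOG_LEVEL_INFO, S_LOG_MQTT, PSTR(D_INSECURE)); }` after the second verify branch restores the distinction at no cost. The append idiom `snprintf_P(fingerprint1, sizeof(fingerprint1), PSTR("%s%s%02X"), fingerprint1, ...)` passes the destination buffer as a `%s` source, which the C standard leaves undefined for overlapping objects; the same form is used for the reply string in MqttCommand further down in this file, so writing at `fingerprint1 + strlen(fingerprint1)` with the remaining size, or a small bytes-to-hex helper shared by both, would be safer in both places. The function's closing brace lies outside the hunk.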
@@ -534,12 +548,22 @@ bool MqttCommand()
 snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, GetStateText(index -1));
 }
 #ifdef USE_MQTT_TLS
- else if (CMND_MQTTFINGERPRINT == command_code) {
- if ((data_len > 0) && (data_len < sizeof(Settings.mqtt_fingerprint))) {
- strlcpy(Settings.mqtt_fingerprint, (!strcmp(dataBuf,"0")) ? "" : (1 == payload) ? MQTT_FINGERPRINT : dataBuf, sizeof(Settings.mqtt_fingerprint));
+ else if ((CMND_MQTTFINGERPRINT == command_code) && (index > 0) && (index <= 2)) {
+ char fingerprint[60];
+ if ((data_len > 0) && (data_len < sizeof(fingerprint))) {
+ strlcpy(fingerprint, (!strcmp(dataBuf,"0")) ? "" : (1 == payload) ? (1 == index) ? MQTT_FINGERPRINT1 : MQTT_FINGERPRINT2 : dataBuf, sizeof(fingerprint));
+ char *p = fingerprint;
+ for (byte i = 0; i < 20; i++) {
+ Settings.mqtt_fingerprint[index -1][i] = strtol(p, &p, 16);
+ }
 restart_flag = 2;
 }
- snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_SVALUE, command, Settings.mqtt_fingerprint);
+
+ fingerprint[0] = '\0';
+ for (byte i = 0; i < sizeof(Settings.mqtt_fingerprint[index -1]); i++) {
+ snprintf_P(fingerprint, sizeof(fingerprint), PSTR("%s%s%02X"), fingerprint, (i) ? " " : "", Settings.mqtt_fingerprint[index -1][i]);
+ }
+ snprintf_P(mqtt_data, sizeof(mqtt_data), S_JSON_COMMAND_INDEX_SVALUE, command, index, fingerprint);
 }
 #endif
 else if ((CMND_MQTTCLIENT == command_code) && !grpflg) {
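Review bot: The store loop `Settings.mqtt_fingerprint[index -1][i] = strtol(p, &p, 16);` accepts any text of 1 to 59 bytes without checking that it actually holds 20 hex bytes: on the first token that is not hex, strtol returns 0 and leaves `p` where it was, so a mistyped value such as one with a stray character or missing spaces is silently stored with zeros for the rest, the device restarts, and it then pins to a fingerprint no server can present, with the reply echoing the mangled value as the only hint. Since this is the one path that takes operator input, it should parse into a temporary 20-byte array and write Settings only when all 20 bytes parsed, keeping the `0` (clear) and `1` (default) forms explicit as below. The nested ternary `(1 == payload) ? (1 == index) ? MQTT_FINGERPRINT1 : MQTT_FINGERPRINT2 : dataBuf` reads more easily with parentheses around the inner choice. MqttCommand continues on both sides of the hunk.

```cpp
      if ((data_len > 0) && (data_len < sizeof(fingerprint))) {
        strlcpy(fingerprint, (!strcmp(dataBuf,"0")) ? "" : (1 == payload) ? ((1 == index) ? MQTT_FINGERPRINT1 : MQTT_FINGERPRINT2) : dataBuf, sizeof(fingerprint));
        bool clear = ('\0' == fingerprint[0]);      // "0" still stores an all-zero fingerprint
        uint8_t parsed[20] = { 0 };
        byte count = 0;
        for (char *p = fingerprint; !clear && (count < 20); count++) {
          char *end;
          long value = strtol(p, &end, 16);
          if ((end == p) || (value < 0) || (value > 0xFF)) { break; }  // not a hex byte
          parsed[count] = value;
          p = end;
        }
        if (clear || (20 == count)) {
          memcpy(Settings.mqtt_fingerprint[index -1], parsed, sizeof(parsed));
          restart_flag = 2;
        }
        // else: malformed text, keep the stored value; the reply below echoes what is in effect
      }
      // … unchanged: build the reply text from Settings.mqtt_fingerprint[index -1] …
```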