Merge pull request #13631 from s-hadinger/tls_alpn
TLS make ALPN configurable
b749e5e792
|
@ -204,6 +204,8 @@ void WiFiClientSecure_light::_clear() {
|
|||
_ta_P = nullptr;
|
||||
_ta_size = 0;
|
||||
_max_thunkstack_use = 0;
|
||||
_alpn_names = nullptr;
|
||||
_alpn_num = 0;
|
||||
}
|
||||
|
||||
// Constructor
|
||||
|
@ -949,8 +951,6 @@ extern "C" {
|
|||
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
|
||||
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO
|
||||
#endif
|
||||
static const char * alpn_mqtt = "mqtt";
|
||||
br_ssl_engine_set_protocol_names(&cc->eng, &alpn_mqtt, 1);
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -983,6 +983,9 @@ bool WiFiClientSecure_light::_connectSSL(const char* hostName) {
|
|||
_eng = &_sc->eng; // Allocation/deallocation taken care of by the _sc shared_ptr
|
||||
|
||||
br_ssl_client_base_init(_sc.get());
|
||||
if (_alpn_names && _alpn_num > 0) {
|
||||
br_ssl_engine_set_protocol_names(_eng, _alpn_names, _alpn_num);
|
||||
}
|
||||
|
||||
// ============================================================
|
||||
// Allocatte and initialize Decoder Context
|
||||
|
|
|
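Review bot: The ALPN list is handed to the engine at L76, but nothing in the new code checks the outcome after the handshake, so a server that ignores or rejects the offered names is indistinguishable from one that accepted them. BearSSL exposes `br_ssl_engine_get_selected_protocol(_eng)` (NULL when the server selected nothing), which could be logged or checked once the handshake has completed later in _connectSSL; whether the bundled BearSSL also offers a fail-on-mismatch option I cannot tell from here. A server that supports none of the offered names answers with the NO_APPLICATION_PROTOCOL (120) alert that this same commit documents in the header, so surfacing that alert code in the error path is the cheapest diagnostic for a wrong ALPN configuration. _connectSSL's body continues outside the hunk.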
@ -93,6 +93,12 @@ class WiFiClientSecure_light : public WiFiClient {
|
|||
|
||||
void setTrustAnchor(const br_x509_trust_anchor *ta, size_t ta_size);
|
||||
|
||||
void setALPN(const char **names, size_t num) {
|
||||
// set ALPN extensions, used mostly by AWS IoT on port 443. Need to be static pointers
|
||||
_alpn_names = names;
|
||||
_alpn_num = num;
|
||||
}
|
||||
|
||||
// Sets the requested buffer size for transmit and receive
|
||||
void setBufferSizes(int recv, int xmit);
|
||||
|
||||
|
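Review bot: setALPN at L103 keeps the caller's `names` array and the strings it points to by pointer only; they are read later at connect time, so the comment's "Need to be static pointers" is a lifetime contract that nothing enforces, and a caller passing a stack-allocated array gets a dangling read during the next handshake. I would make the contract explicit in the method comment, e.g. `// No copy is made: both the names[] array and each string must outlive this object (at least until the last connect()); pass static or otherwise long-lived storage.`, and document that `setALPN(nullptr, 0)` is the way to clear the list, since _connectSSL only applies it when both values are set. The enclosing class definition starts and ends outside this hunk.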
@ -165,6 +171,10 @@ class WiFiClientSecure_light : public WiFiClient {
|
|||
// record the maximum use of ThunkStack for monitoring
|
||||
size_t _max_thunkstack_use;
|
||||
|
||||
// ALPN
|
||||
const char ** _alpn_names;
|
||||
size_t _alpn_num;
|
||||
|
||||
};
|
||||
|
||||
#define ERR_OOM -1000
|
||||
|
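Review bot: `_alpn_names` and `_alpn_num` at L143/L146 are declared without in-class initializers, so they hold indeterminate values until _clear() has run; this follows the neighbouring `_max_thunkstack_use`, but an indeterminate raw pointer that is later passed to the engine is riskier than a stale counter. `const char ** _alpn_names = nullptr;` and `size_t _alpn_num = 0;` cost nothing and keep the `_alpn_names && _alpn_num > 0` guard in _connectSSL meaningful even on a constructor path that skips _clear(), if any exists. The enclosing class starts outside the hunk; its closing brace is at L151.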
@ -237,6 +247,44 @@ class WiFiClientSecure_light : public WiFiClient {
|
|||
// #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
|
||||
// #define BR_ERR_X509_NOT_TRUSTED 62
|
||||
|
||||
// Alert types for TLSContentType.ALERT messages
|
||||
// See RFC 8466, section B.2
|
||||
|
||||
// CLOSE_NOTIFY = 0
|
||||
// UNEXPECTED_MESSAGE = 10
|
||||
// BAD_RECORD_MAC = 20
|
||||
// DECRYPTION_FAILED = 21
|
||||
// RECORD_OVERFLOW = 22
|
||||
// DECOMPRESSION_FAILURE = 30
|
||||
// HANDSHAKE_FAILURE = 40
|
||||
// NO_CERTIFICATE = 41
|
||||
// BAD_CERTIFICATE = 42
|
||||
// UNSUPPORTED_CERTIFICATE = 43
|
||||
// CERTIFICATE_REVOKED = 44
|
||||
// CERTIFICATE_EXPIRED = 45
|
||||
// CERTIFICATE_UNKNOWN = 46
|
||||
// ILLEGAL_PARAMETER = 47
|
||||
// UNKNOWN_CA = 48
|
||||
// ACCESS_DENIED = 49
|
||||
// DECODE_ERROR = 50
|
||||
// DECRYPT_ERROR = 51
|
||||
// EXPORT_RESTRICTION = 60
|
||||
// PROTOCOL_VERSION = 70
|
||||
// INSUFFICIENT_SECURITY = 71
|
||||
// INTERNAL_ERROR = 80
|
||||
// INAPPROPRIATE_FALLBACK = 86
|
||||
// USER_CANCELED = 90
|
||||
// NO_RENEGOTIATION = 100
|
||||
// MISSING_EXTENSION = 109
|
||||
// UNSUPPORTED_EXTENSION = 110
|
||||
// CERTIFICATE_UNOBTAINABLE = 111
|
||||
// UNRECOGNIZED_NAME = 112
|
||||
// BAD_CERTIFICATE_STATUS_RESPONSE = 113
|
||||
// BAD_CERTIFICATE_HASH_VALUE = 114
|
||||
// UNKNOWN_PSK_IDENTITY = 115
|
||||
// CERTIFICATE_REQUIRED = 116
|
||||
// NO_APPLICATION_PROTOCOL = 120
|
||||
|
||||
};
|
||||
|
||||
#endif // USE_TLS
|
||||
|
|
|
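Review bot: The citation at L174, `// See RFC 8466, section B.2`, looks like a typo for RFC 8446 (TLS 1.3), whose Appendix B.2 is the alert-description list these values come from; MISSING_EXTENSION (109), CERTIFICATE_REQUIRED (116) and NO_APPLICATION_PROTOCOL (120) are defined only there, while RFC 8466 is an unrelated YANG document. I would change the line to `// See RFC 8446, Appendix B.2 (Alert Messages)`. The enclosing class starts outside the hunk.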
@ -216,6 +216,12 @@ void MqttInit(void) {
|
|||
tlsClient = new BearSSL::WiFiClientSecure_light(1024,1024);
|
||||
#endif
|
||||
|
||||
#ifdef USE_MQTT_AWS_IOT_LIGHT
|
||||
if (443 == Settings->mqtt_port) {
|
||||
static const char * alpn_mqtt = "mqtt"; // needs to be static
|
||||
tlsClient->setALPN(&alpn_mqtt, 1); // need to set alpn to 'mqtt' for AWS IoT
|
||||
}
|
||||
#endif
|
||||
#ifdef USE_MQTT_AWS_IOT
|
||||
loadTlsDir(); // load key and certificate data from Flash
|
||||
if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
|
||||
|
|
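Review bot: The new block at L305–L320 dereferences `tlsClient` unconditionally, while the allocation at L297 sits under a preprocessor condition whose `#ifdef` is outside the hunk; if USE_MQTT_AWS_IOT_LIGHT can be enabled without that condition, this is a null dereference at boot. A guard such as `if (tlsClient && 443 == Settings->mqtt_port) {` is cheap, or a `#error` tying the two defines together would document the dependency at compile time. Separately, the ALPN decision is taken once here from `Settings->mqtt_port`; if the port can be changed at runtime without re-running MqttInit, a later switch to or from 443 would leave the ALPN list stale, which is worth confirming. MqttInit's body continues outside the hunk.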