Merge pull request #13631 from s-hadinger/tls_alpn
TLS make ALPN configurable
commit
b749e5e792
|
@ -204,6 +204,8 @@ void WiFiClientSecure_light::_clear() {
|
||||||
_ta_P = nullptr;
|
_ta_P = nullptr;
|
||||||
_ta_size = 0;
|
_ta_size = 0;
|
||||||
_max_thunkstack_use = 0;
|
_max_thunkstack_use = 0;
|
||||||
|
_alpn_names = nullptr;
|
||||||
|
_alpn_num = 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Constructor
|
// Constructor
|
||||||
|
@ -949,8 +951,6 @@ extern "C" {
|
||||||
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
|
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
|
||||||
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO
|
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO
|
||||||
#endif
|
#endif
|
||||||
static const char * alpn_mqtt = "mqtt";
|
|
||||||
br_ssl_engine_set_protocol_names(&cc->eng, &alpn_mqtt, 1);
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -983,6 +983,9 @@ bool WiFiClientSecure_light::_connectSSL(const char* hostName) {
|
||||||
_eng = &_sc->eng; // Allocation/deallocation taken care of by the _sc shared_ptr
|
_eng = &_sc->eng; // Allocation/deallocation taken care of by the _sc shared_ptr
|
||||||
|
|
||||||
br_ssl_client_base_init(_sc.get());
|
br_ssl_client_base_init(_sc.get());
|
||||||
|
if (_alpn_names && _alpn_num > 0) {
|
||||||
|
br_ssl_engine_set_protocol_names(_eng, _alpn_names, _alpn_num);
|
||||||
|
}
|
||||||
|
|
||||||
// ============================================================
|
// ============================================================
|
||||||
// Allocatte and initialize Decoder Context
|
// Allocatte and initialize Decoder Context
|
||||||
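Review bot: `_connectSSL` hands `_alpn_names` to `br_ssl_engine_set_protocol_names` without copying, and as far as I recall BearSSL's inline implementation just stores that pointer in the engine context, so the array and every string it points to must stay valid for the whole handshake, not merely until `setALPN` returns; the "static pointers" remark in the header is the only thing enforcing that. The first hunk also resets `_alpn_names`/`_alpn_num` in `_clear()`, so if `_clear()` runs on `stop()`/disconnect as well as from the constructor (not visible here), an ALPN configured once at init would silently disappear on reconnect — worth a comment either way, e.g. `// ALPN config survives reconnects: _clear() is constructor-only` or the opposite. Nothing checks the outcome either: once the handshake completes (outside this hunk), `br_ssl_engine_get_selected_protocol(_eng)` returns the name the server picked or NULL, and logging the NULL case when `_alpn_num > 0` would make a broker that ignores or rejects the offered protocol diagnosable instead of looking like a generic TLS failure. `_connectSSL` continues past the end of the hunk.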
|
|
|
@ -93,6 +93,12 @@ class WiFiClientSecure_light : public WiFiClient {
|
||||||
|
|
||||||
void setTrustAnchor(const br_x509_trust_anchor *ta, size_t ta_size);
|
void setTrustAnchor(const br_x509_trust_anchor *ta, size_t ta_size);
|
||||||
|
|
||||||
|
void setALPN(const char **names, size_t num) {
|
||||||
|
// set ALPN extensions, used mostly by AWS IoT on port 443. Need to be static pointers
|
||||||
|
_alpn_names = names;
|
||||||
|
_alpn_num = num;
|
||||||
|
}
|
||||||
|
|
||||||
// Sets the requested buffer size for transmit and receive
|
// Sets the requested buffer size for transmit and receive
|
||||||
void setBufferSizes(int recv, int xmit);
|
void setBufferSizes(int recv, int xmit);
|
||||||
|
|
||||||
|
@ -165,6 +171,10 @@ class WiFiClientSecure_light : public WiFiClient {
|
||||||
// record the maximum use of ThunkStack for monitoring
|
// record the maximum use of ThunkStack for monitoring
|
||||||
size_t _max_thunkstack_use;
|
size_t _max_thunkstack_use;
|
||||||
|
|
||||||
|
// ALPN
|
||||||
|
const char ** _alpn_names;
|
||||||
|
size_t _alpn_num;
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#define ERR_OOM -1000
|
#define ERR_OOM -1000
|
||||||
|
@ -237,6 +247,44 @@ class WiFiClientSecure_light : public WiFiClient {
|
||||||
// #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
|
// #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
|
||||||
// #define BR_ERR_X509_NOT_TRUSTED 62
|
// #define BR_ERR_X509_NOT_TRUSTED 62
|
||||||
|
|
||||||
|
// Alert types for TLSContentType.ALERT messages
|
||||||
|
// See RFC 8466, section B.2
|
||||||
|
|
||||||
|
// CLOSE_NOTIFY = 0
|
||||||
|
// UNEXPECTED_MESSAGE = 10
|
||||||
|
// BAD_RECORD_MAC = 20
|
||||||
|
// DECRYPTION_FAILED = 21
|
||||||
|
// RECORD_OVERFLOW = 22
|
||||||
|
// DECOMPRESSION_FAILURE = 30
|
||||||
|
// HANDSHAKE_FAILURE = 40
|
||||||
|
// NO_CERTIFICATE = 41
|
||||||
|
// BAD_CERTIFICATE = 42
|
||||||
|
// UNSUPPORTED_CERTIFICATE = 43
|
||||||
|
// CERTIFICATE_REVOKED = 44
|
||||||
|
// CERTIFICATE_EXPIRED = 45
|
||||||
|
// CERTIFICATE_UNKNOWN = 46
|
||||||
|
// ILLEGAL_PARAMETER = 47
|
||||||
|
// UNKNOWN_CA = 48
|
||||||
|
// ACCESS_DENIED = 49
|
||||||
|
// DECODE_ERROR = 50
|
||||||
|
// DECRYPT_ERROR = 51
|
||||||
|
// EXPORT_RESTRICTION = 60
|
||||||
|
// PROTOCOL_VERSION = 70
|
||||||
|
// INSUFFICIENT_SECURITY = 71
|
||||||
|
// INTERNAL_ERROR = 80
|
||||||
|
// INAPPROPRIATE_FALLBACK = 86
|
||||||
|
// USER_CANCELED = 90
|
||||||
|
// NO_RENEGOTIATION = 100
|
||||||
|
// MISSING_EXTENSION = 109
|
||||||
|
// UNSUPPORTED_EXTENSION = 110
|
||||||
|
// CERTIFICATE_UNOBTAINABLE = 111
|
||||||
|
// UNRECOGNIZED_NAME = 112
|
||||||
|
// BAD_CERTIFICATE_STATUS_RESPONSE = 113
|
||||||
|
// BAD_CERTIFICATE_HASH_VALUE = 114
|
||||||
|
// UNKNOWN_PSK_IDENTITY = 115
|
||||||
|
// CERTIFICATE_REQUIRED = 116
|
||||||
|
// NO_APPLICATION_PROTOCOL = 120
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif // USE_TLS
|
#endif // USE_TLS
|
||||||
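Review bot: The new alert table cites the wrong RFC: the TLS alert registry in Appendix B.2 is RFC 8446 (TLS 1.3), not 8466, so the comment should read `// See RFC 8446, section B.2 (alert registry; NO_APPLICATION_PROTOCOL is from RFC 7301)`. `setALPN` documents that the pointers need to be static but not why or what else is required; I would extend the comment to say that the library keeps the pointer rather than copying, that both the array and the strings it references must outlive every subsequent connect(), and that passing `nullptr, 0` disables ALPN. Since ALPN is now configurable, it is also worth noting next to `NO_APPLICATION_PROTOCOL = 120` that this is the alert a server sends when none of the names passed to `setALPN` is acceptable, which is the first thing to look for when a port-443 connection fails after this change. `setALPN` does not reject a null entry inside `names`, which BearSSL would dereference during ClientHello construction; a one-line guard or a comment stating the caller's responsibility would close that.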
|
|
|
@ -216,6 +216,12 @@ void MqttInit(void) {
|
||||||
tlsClient = new BearSSL::WiFiClientSecure_light(1024,1024);
|
tlsClient = new BearSSL::WiFiClientSecure_light(1024,1024);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef USE_MQTT_AWS_IOT_LIGHT
|
||||||
|
if (443 == Settings->mqtt_port) {
|
||||||
|
static const char * alpn_mqtt = "mqtt"; // needs to be static
|
||||||
|
tlsClient->setALPN(&alpn_mqtt, 1); // need to set alpn to 'mqtt' for AWS IoT
|
||||||
|
}
|
||||||
|
#endif
|
||||||
#ifdef USE_MQTT_AWS_IOT
|
#ifdef USE_MQTT_AWS_IOT
|
||||||
loadTlsDir(); // load key and certificate data from Flash
|
loadTlsDir(); // load key and certificate data from Flash
|
||||||
if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
|
if ((nullptr != AWS_IoT_Private_Key) && (nullptr != AWS_IoT_Client_Certificate)) {
|
||||||
|
|