Merge branch 'feature/cert_key_length_options' into 'master'

esp_http_client: Add cert and key length options, add config option for HTTP digest auth

Closes IDFGH-4752 and IDF-642

See merge request espressif/esp-idf!12736
This commit is contained in:
Mahavir Jain 2021-03-23 10:54:33 +00:00
commit 1ff4afd9ef
5 changed files with 42 additions and 5 deletions

View File

@ -14,4 +14,11 @@ menu "ESP HTTP client"
This option will enable HTTP Basic Authentication. It is disabled by default as Basic
auth uses unencrypted encoding, so it introduces a vulnerability when not using TLS
config ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
bool "Enable HTTP Digest Authentication"
default y
help
This option will enable HTTP Digest Authentication. It is enabled by default, but use of this
configuration is not recommended as the password can be derived from the exchange, so it introduces
a vulnerability when not using TLS
endmenu

View File

@ -510,11 +510,13 @@ static esp_err_t esp_http_client_prepare(esp_http_client_handle_t client)
if (client->connection_info.auth_type == HTTP_AUTH_TYPE_BASIC) {
auth_response = http_auth_basic(client->connection_info.username, client->connection_info.password);
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
} else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST && client->auth_data) {
client->auth_data->uri = client->connection_info.path;
client->auth_data->cnonce = ((uint64_t)esp_random() << 32) + esp_random();
auth_response = http_auth_digest(client->connection_info.username, client->connection_info.password, client->auth_data);
client->auth_data->nc ++;
#endif
}
if (auth_response) {
@ -609,15 +611,27 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
if (config->use_global_ca_store == true) {
esp_transport_ssl_enable_global_ca_store(ssl);
} else if (config->cert_pem) {
if (!config->cert_len) {
esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
} else {
esp_transport_ssl_set_cert_data_der(ssl, config->cert_pem, config->cert_len);
}
}
if (config->client_cert_pem) {
if (!config->client_cert_len) {
esp_transport_ssl_set_client_cert_data(ssl, config->client_cert_pem, strlen(config->client_cert_pem));
} else {
esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len);
}
}
if (config->client_key_pem) {
if (!config->client_key_len) {
esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
} else {
esp_transport_ssl_set_client_key_data_der(ssl, config->client_key_pem, config->client_key_len);
}
}
if (config->skip_cert_common_name_check) {
@ -1398,19 +1412,27 @@ void esp_http_client_add_auth(esp_http_client_handle_t client)
http_utils_trim_whitespace(&auth_header);
ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
client->redirect_counter++;
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
ESP_LOGD(TAG, "type = Digest");
client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
} else {
#endif
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
} else if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
ESP_LOGD(TAG, "type = Basic");
client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
#endif
} else {
#endif
client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
return;
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
}
#endif
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
}
#endif
_clear_auth_data(client);

View File

@ -116,8 +116,11 @@ typedef struct {
const char *path; /*!< HTTP Path, if not set, default is `/` */
const char *query; /*!< HTTP query */
const char *cert_pem; /*!< SSL server certification, PEM format as string, if the client requires to verify server */
size_t cert_len; /*!< Length of the buffer pointed to by cert_pem. May be 0 for null-terminated pem */
const char *client_cert_pem; /*!< SSL client certification, PEM format as string, if the server requires to verify client */
size_t client_cert_len; /*!< Length of the buffer pointed to by client_cert_pem. May be 0 for null-terminated pem */
const char *client_key_pem; /*!< SSL client key, PEM format as string, if the server requires to verify client */
size_t client_key_len; /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
const char *user_agent; /*!< The User Agent string to send with HTTP requests */
esp_http_client_method_t method; /*!< HTTP Method */
int timeout_ms; /*!< Network timeout in milliseconds */

View File

@ -341,6 +341,7 @@ static void http_auth_basic_redirect(void)
}
#endif
#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
static void http_auth_digest(void)
{
esp_http_client_config_t config = {
@ -359,6 +360,7 @@ static void http_auth_digest(void)
}
esp_http_client_cleanup(client);
}
#endif
static void https_with_url(void)
{
@ -681,7 +683,9 @@ static void http_test_task(void *pvParameters)
http_auth_basic();
http_auth_basic_redirect();
#endif
#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
http_auth_digest();
#endif
http_relative_redirect();
http_absolute_redirect();
https_with_url();

View File

@ -8,3 +8,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
CONFIG_EXAMPLE_ETH_PHY_ADDR=1
CONFIG_EXAMPLE_CONNECT_IPV6=y
CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH=y
CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=y