mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'feature/cert_key_length_options' into 'master'
esp_http_client: Add cert and key length options, add config option for HTTP digest auth Closes IDFGH-4752 and IDF-642 See merge request espressif/esp-idf!12736
This commit is contained in:
commit
1ff4afd9ef
@ -14,4 +14,11 @@ menu "ESP HTTP client"
|
||||
This option will enable HTTP Basic Authentication. It is disabled by default as Basic
|
||||
auth uses unencrypted encoding, so it introduces a vulnerability when not using TLS
|
||||
|
||||
config ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
|
||||
bool "Enable HTTP Digest Authentication"
|
||||
default y
|
||||
help
|
||||
This option will enable HTTP Digest Authentication. It is enabled by default, but use of this
|
||||
configuration is not recommended as the password can be derived from the exchange, so it introduces
|
||||
a vulnerability when not using TLS
|
||||
endmenu
|
||||
|
@ -510,11 +510,13 @@ static esp_err_t esp_http_client_prepare(esp_http_client_handle_t client)
|
||||
|
||||
if (client->connection_info.auth_type == HTTP_AUTH_TYPE_BASIC) {
|
||||
auth_response = http_auth_basic(client->connection_info.username, client->connection_info.password);
|
||||
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
|
||||
} else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST && client->auth_data) {
|
||||
client->auth_data->uri = client->connection_info.path;
|
||||
client->auth_data->cnonce = ((uint64_t)esp_random() << 32) + esp_random();
|
||||
auth_response = http_auth_digest(client->connection_info.username, client->connection_info.password, client->auth_data);
|
||||
client->auth_data->nc ++;
|
||||
#endif
|
||||
}
|
||||
|
||||
if (auth_response) {
|
||||
@ -609,15 +611,27 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
|
||||
if (config->use_global_ca_store == true) {
|
||||
esp_transport_ssl_enable_global_ca_store(ssl);
|
||||
} else if (config->cert_pem) {
|
||||
if (!config->cert_len) {
|
||||
esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
|
||||
} else {
|
||||
esp_transport_ssl_set_cert_data_der(ssl, config->cert_pem, config->cert_len);
|
||||
}
|
||||
}
|
||||
|
||||
if (config->client_cert_pem) {
|
||||
if (!config->client_cert_len) {
|
||||
esp_transport_ssl_set_client_cert_data(ssl, config->client_cert_pem, strlen(config->client_cert_pem));
|
||||
} else {
|
||||
esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len);
|
||||
}
|
||||
}
|
||||
|
||||
if (config->client_key_pem) {
|
||||
if (!config->client_key_len) {
|
||||
esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
|
||||
} else {
|
||||
esp_transport_ssl_set_client_key_data_der(ssl, config->client_key_pem, config->client_key_len);
|
||||
}
|
||||
}
|
||||
|
||||
if (config->skip_cert_common_name_check) {
|
||||
@ -1398,19 +1412,27 @@ void esp_http_client_add_auth(esp_http_client_handle_t client)
|
||||
http_utils_trim_whitespace(&auth_header);
|
||||
ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
|
||||
client->redirect_counter++;
|
||||
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
|
||||
if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
|
||||
ESP_LOGD(TAG, "type = Digest");
|
||||
client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
|
||||
} else {
|
||||
#endif
|
||||
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
|
||||
} else if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
|
||||
if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
|
||||
ESP_LOGD(TAG, "type = Basic");
|
||||
client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
|
||||
#endif
|
||||
} else {
|
||||
#endif
|
||||
client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
|
||||
ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
|
||||
return;
|
||||
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
|
||||
}
|
||||
#endif
|
||||
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
|
||||
}
|
||||
#endif
|
||||
|
||||
_clear_auth_data(client);
|
||||
|
||||
|
@ -116,8 +116,11 @@ typedef struct {
|
||||
const char *path; /*!< HTTP Path, if not set, default is `/` */
|
||||
const char *query; /*!< HTTP query */
|
||||
const char *cert_pem; /*!< SSL server certification, PEM format as string, if the client requires to verify server */
|
||||
size_t cert_len; /*!< Length of the buffer pointed to by cert_pem. May be 0 for null-terminated pem */
|
||||
const char *client_cert_pem; /*!< SSL client certification, PEM format as string, if the server requires to verify client */
|
||||
size_t client_cert_len; /*!< Length of the buffer pointed to by client_cert_pem. May be 0 for null-terminated pem */
|
||||
const char *client_key_pem; /*!< SSL client key, PEM format as string, if the server requires to verify client */
|
||||
size_t client_key_len; /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
|
||||
const char *user_agent; /*!< The User Agent string to send with HTTP requests */
|
||||
esp_http_client_method_t method; /*!< HTTP Method */
|
||||
int timeout_ms; /*!< Network timeout in milliseconds */
|
||||
|
@ -341,6 +341,7 @@ static void http_auth_basic_redirect(void)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
|
||||
static void http_auth_digest(void)
|
||||
{
|
||||
esp_http_client_config_t config = {
|
||||
@ -359,6 +360,7 @@ static void http_auth_digest(void)
|
||||
}
|
||||
esp_http_client_cleanup(client);
|
||||
}
|
||||
#endif
|
||||
|
||||
static void https_with_url(void)
|
||||
{
|
||||
@ -681,7 +683,9 @@ static void http_test_task(void *pvParameters)
|
||||
http_auth_basic();
|
||||
http_auth_basic_redirect();
|
||||
#endif
|
||||
#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
|
||||
http_auth_digest();
|
||||
#endif
|
||||
http_relative_redirect();
|
||||
http_absolute_redirect();
|
||||
https_with_url();
|
||||
|
@ -8,3 +8,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
|
||||
CONFIG_EXAMPLE_ETH_PHY_ADDR=1
|
||||
CONFIG_EXAMPLE_CONNECT_IPV6=y
|
||||
CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH=y
|
||||
CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=y
|
||||
|
Loading…
Reference in New Issue
Block a user