From a9c6fbe8d37143289af9f6db5e4a572a44598bcb Mon Sep 17 00:00:00 2001
From: 0xFEEDC0DE64
Date: Tue, 16 Feb 2021 23:35:35 +0100
Subject: [PATCH 1/2] Added cert and key length options

Closes https://github.com/espressif/esp-idf/pull/6556

Signed-off-by: Shubham Kulkarni
---
 components/esp_http_client/esp_http_client.c | 18 +++++++++++++++---
 .../esp_http_client/include/esp_http_client.h | 3 +++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c
index 33b928559a..ab96094345 100644
--- a/components/esp_http_client/esp_http_client.c
+++ b/components/esp_http_client/esp_http_client.c
@@ -609,15 +609,27 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
         if (config->use_global_ca_store == true) {
             esp_transport_ssl_enable_global_ca_store(ssl);
         } else if (config->cert_pem) {
-            esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
+            if (!config->cert_len) {
+                esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
+            } else {
+                esp_transport_ssl_set_cert_data_der(ssl, config->cert_pem, config->cert_len);
+            }
         }
 
         if (config->client_cert_pem) {
-            esp_transport_ssl_set_client_cert_data(ssl, config->client_cert_pem, strlen(config->client_cert_pem));
+            if (!config->client_cert_len) {
+                esp_transport_ssl_set_client_cert_data(ssl, config->client_cert_pem, strlen(config->client_cert_pem));
+            } else {
+                esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len);
+            }
         }
 
         if (config->client_key_pem) {
-            esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
+            if (!config->client_key_len) {
+                esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
+            } else {
+                esp_transport_ssl_set_client_key_data_der(ssl, config->client_key_pem, config->client_key_len);
+            }
         }
 
         if (config->skip_cert_common_name_check) {
diff --git a/components/esp_http_client/include/esp_http_client.h b/components/esp_http_client/include/esp_http_client.h
index ed4e4a3230..ee19f70cd7 100644
--- a/components/esp_http_client/include/esp_http_client.h
+++ b/components/esp_http_client/include/esp_http_client.h
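Review bot: A nonzero `cert_len` routes the buffer through `esp_transport_ssl_set_cert_data_der()`, but the field comments added in the esp_http_client.h hunk of this patch only say the length "May be 0 for null-terminated pem", so a caller who passes a PEM buffer together with its length is silently switched to the DER setter; whether that setter still accepts PEM is not visible here. Either the three comments should state the real contract, e.g. `/*!< Length of the buffer pointed to by cert_pem. 0 means cert_pem is a NUL-terminated PEM string; a nonzero value selects the DER setter */`, or the explicit-length case should keep calling the PEM setter. The same applies to `client_cert_len` and `client_key_len`, whose branches are copies of the first one. For a `size_t`, `config->cert_len == 0` reads more clearly than `!config->cert_len`. esp_http_client_init starts and ends outside the hunk.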
@@ -116,8 +116,11 @@ typedef struct {
     const char *path; /*!< HTTP Path, if not set, default is `/` */
     const char *query; /*!< HTTP query */
     const char *cert_pem; /*!< SSL server certification, PEM format as string, if the client requires to verify server */
+    size_t cert_len; /*!< Length of the buffer pointed to by cert_pem. May be 0 for null-terminated pem */
     const char *client_cert_pem; /*!< SSL client certification, PEM format as string, if the server requires to verify client */
+    size_t client_cert_len; /*!< Length of the buffer pointed to by client_cert_pem. May be 0 for null-terminated pem */
     const char *client_key_pem; /*!< SSL client key, PEM format as string, if the server requires to verify client */
+    size_t client_key_len; /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
     const char *user_agent; /*!< The User Agent string to send with HTTP requests */
     esp_http_client_method_t method; /*!< HTTP Method */
     int timeout_ms; /*!< Network timeout in milliseconds */
From 4f6e0c1d27071cbc6e2acbe08f5e0baf30ffb123 Mon Sep 17 00:00:00 2001
From: Shubham Kulkarni
Date: Mon, 15 Mar 2021 10:22:15 +0530
Subject: [PATCH 2/2] esp_http_client: Add config option for HTTP Digest auth

---
 components/esp_http_client/Kconfig | 7 +++++++
 components/esp_http_client/esp_http_client.c | 14 ++++++++++++--
 .../esp_http_client/main/esp_http_client_example.c | 4 ++++
 examples/protocols/esp_http_client/sdkconfig.ci | 1 +
 4 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/components/esp_http_client/Kconfig b/components/esp_http_client/Kconfig
index 9833098cb1..abcee0f327 100644
--- a/components/esp_http_client/Kconfig
+++ b/components/esp_http_client/Kconfig
@@ -14,4 +14,11 @@ menu "ESP HTTP client"
             This option will enable HTTP Basic Authentication. It is disabled by default as Basic auth uses unencrypted encoding, so it introduces a vulnerability when not using TLS
 
+    config ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
+        bool "Enable HTTP Digest Authentication"
+        default y
+        help
+            This option will enable HTTP Digest Authentication. It is enabled by default, but use of this
+            configuration is not recommended as the password can be derived from the exchange, so it introduces
+            a vulnerability when not using TLS
 endmenu
diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c
index ab96094345..681956422c 100644
--- a/components/esp_http_client/esp_http_client.c
+++ b/components/esp_http_client/esp_http_client.c
@@ -510,11 +510,13 @@ static esp_err_t esp_http_client_prepare(esp_http_client_handle_t client)
         if (client->connection_info.auth_type == HTTP_AUTH_TYPE_BASIC) {
             auth_response = http_auth_basic(client->connection_info.username, client->connection_info.password);
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
         } else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST && client->auth_data) {
             client->auth_data->uri = client->connection_info.path;
             client->auth_data->cnonce = ((uint64_t)esp_random() << 32) + esp_random();
             auth_response = http_auth_digest(client->connection_info.username, client->connection_info.password, client->auth_data);
             client->auth_data->nc ++;
+#endif
         }
 
         if (auth_response) {
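Review bot: The new help text says the option "is enabled by default, but use of this configuration is not recommended as the password can be derived from the exchange", which is both self-contradictory and imprecise: Digest sends a hash of the credentials rather than the password, and the actual exposure without TLS is that the captured hash can be attacked offline and that the rest of the exchange has no integrity or confidentiality. Presumably `default y` keeps existing builds working, since the Digest path was unconditional before this patch; saying so would remove the contradiction. Suggested wording for the three help lines: `This option will enable HTTP Digest Authentication. It is enabled by default to keep existing projects building.` / `Without TLS the credential hash sent by Digest can be captured for offline password guessing and the` / `rest of the exchange is unprotected, so it should only be used over TLS.`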
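Review bot: The `#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH` opens before `} else if (...)` and closes before the shared closing `}`, so the brace that ends the Basic branch sits inside the guard while the brace that ends the Digest branch sits outside it; both configurations compile, but the pairing is only visible after mentally running the preprocessor. Placing the guard after the Basic branch's `}` and wrapping the complete `else if (...) { ... }` keeps every brace pair on one side of the `#ifdef`: `}` / `#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH` / `else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST && client->auth_data) {`, with `#endif` after that branch's own closing brace. Whether `http_auth_digest` itself is compiled out under this option is not visible in the patch; if it is not, the guard here is only saving a dead branch, which a one-line comment above the `#ifdef` should say. esp_http_client_prepare starts and ends outside the hunk.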
@@ -1410,19 +1412,27 @@ void esp_http_client_add_auth(esp_http_client_handle_t client)
         http_utils_trim_whitespace(&auth_header);
         ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
         client->redirect_counter++;
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
         if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
             ESP_LOGD(TAG, "type = Digest");
             client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
+        } else {
+#endif
 #ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
-        } else if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
+        if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
             ESP_LOGD(TAG, "type = Basic");
             client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
-#endif
         } else {
+#endif
             client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
             ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
             return;
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
         }
+#endif
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
+        }
+#endif
 
         _clear_auth_data(client);
diff --git a/examples/protocols/esp_http_client/main/esp_http_client_example.c b/examples/protocols/esp_http_client/main/esp_http_client_example.c
index e017d17780..7dd2b93df6 100644
--- a/examples/protocols/esp_http_client/main/esp_http_client_example.c
+++ b/examples/protocols/esp_http_client/main/esp_http_client_example.c
@@ -341,6 +341,7 @@ static void http_auth_basic_redirect(void)
 }
 #endif
 
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
 static void http_auth_digest(void)
 {
     esp_http_client_config_t config = {
@@ -359,6 +360,7 @@ static void http_auth_digest(void)
     }
     esp_http_client_cleanup(client);
 }
+#endif
 
 static void https_with_url(void)
 {
@@ -681,7 +683,9 @@ static void http_test_task(void *pvParameters)
     http_auth_basic();
     http_auth_basic_redirect();
 #endif
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
     http_auth_digest();
+#endif
     http_relative_redirect();
     http_absolute_redirect();
     https_with_url();
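Review bot: The `if`/`else` chain is now closed by four separate `#ifdef`-guarded braces (`} else {` under the Digest guard, `} else {` under the Basic guard, and two guarded `}` at the end), so the reader has to check all four combinations of the two options to confirm the braces balance and that the unsupported-method path is still reached. The same selection can be written without any brace crossing a preprocessor boundary: start from `HTTP_AUTH_TYPE_NONE`, let each enabled scheme claim the header in its own self-contained guarded block, and reject afterwards if nothing claimed it; the two prefix tests are mutually exclusive, so the result is the same as the chained form in every configuration. esp_http_client_add_auth starts and ends outside the hunk.
```c
        client->redirect_counter++;
        client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
        if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
            ESP_LOGD(TAG, "type = Digest");
            client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
        }
#endif
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
        if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
            ESP_LOGD(TAG, "type = Basic");
            client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
        }
#endif
        /* No enabled scheme matched the WWW-Authenticate header. */
        if (client->connection_info.auth_type == HTTP_AUTH_TYPE_NONE) {
            ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
            return;
        }
        /* … unchanged: _clear_auth_data(client) and the rest of the function … */
```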
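Review bot: The example guards `http_auth_digest` with `#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH` while the same patch uses `#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH` inside esp_http_client.c; both work for a Kconfig bool, but one spelling should be used throughout, and the surrounding example already uses `#endif`-terminated blocks of one style for the Basic test (its opening line is outside the hunk). The same inconsistency is in the hunk at `@@ -681,7 +683,9 @@`.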
diff --git a/examples/protocols/esp_http_client/sdkconfig.ci b/examples/protocols/esp_http_client/sdkconfig.ci
index 6132bbfb89..18d318212a 100644
--- a/examples/protocols/esp_http_client/sdkconfig.ci
+++ b/examples/protocols/esp_http_client/sdkconfig.ci
@@ -8,3 +8,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
 CONFIG_EXAMPLE_ETH_PHY_ADDR=1
 CONFIG_EXAMPLE_CONNECT_IPV6=y
 CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH=y
+CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=y
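Review bot: With both `CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH=y` and `CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=y` in the CI config, the only build CI exercises is the one where every `#ifdef` in esp_http_client.c is taken, so the new Digest-disabled path — the configuration this patch exists to add, and the one whose brace/`#ifdef` interleaving in esp_http_client_add_auth is hardest to check by eye — is never compiled. A second CI configuration with `CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=n` (and ideally one with both options off) would catch a mismatched brace before it reaches users, assuming the example build supports more than one CI config file.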