forked from esp8266/Arduino
sync from upstream #1
Merged
CI: Use updated staging dev/platform without "_stage" suffix
add limitations of https connections
add limitations of tls connection
* fix #1002 ::Flush() wait for empty send buffer
* WiFiClient::Flush() guarantees that the data has been delivered option 1 of #3967 (comment) 10ms max wait according to loaded tcp echo/reply scheme
…can be (#3988) written before blocking
* boards.txt: add missing -DESP8266 - fix #3973
* + debug menu NoAssert-NDEBUG => -DNDEBUG fix #3978 and saves ram+flash on behalf of @earlephilhower
optional settimeofday()'s callback fix #1679
cbuf.size() must be at least one byte larger than cbuf.available() for logic to work. reject request to resize = available.
* WiFiClientSecure: don't decrypt when testing for 'connected'
* WiFiClientSecure: don't trash unread decrypted data when writing
When application requests to write data, check if there is any unread decrypted data left. If there is, don't write immediately, but save the data to be written. When all decrypted data has been consumed by the application, send out the saved outgoing data. Fixes #2256.
http.begin("http://www.google.com") yields an empty uri and makes a broken request "GET HTTPi/1.1"
* fix connection reset by peer case where pcb is set to null in ClientContext::_error but not reported to WiFiClient
* ClientContext: rename functions *_sent to *_acked (:sent to :ack in debug)
* use nullptr instead of 0
* Added channel, ssid scan
Overloaded scanNetworks so scan can occur on a single channel and/or for a particular ssid.
* Added parameters to scanNetworks
channel number and ssid have been added as optional parameters to the original scanNetworks()
Force ARDUINO macro to 10805
@platformio: VTables, custom lwIP, sync libs and flags
String's destructor does the same as the 'invalidate' method.
+ interactive example (for debugging)
… server side (#4705)
* add http client configurable timeout useful when download is slow from server side
* member init outside constructor body.
* removed this.
…rn SSL (#4273)
BearSSL (https://www.bearssl.org) is a TLS(SSL) library written by Thomas Pornin that is optimized for lower-memory embedded systems like the ESP8266. It supports a wide variety of modern ciphers and is unique in that it doesn't perform any memory allocations during operation (which is the unfortunate bane of the current axTLS).
BearSSL is also absolutely focused on security and by default performs all its security checks on x.509 certificates during the connection phase (but if you want to be insecure and dangerous, that's possible too).
While it does support unidirectional SSL buffers, like axTLS, as implemented the ESP8266 wrappers only support bidirectional buffers. These bidirectional buffers avoid deadlocks in protocols which don't have well separated receive and transmit periods.
This patch adds several classes which allow connecting to TLS servers using this library in almost the same way as axTLS:
  BearSSL::WiFiClientSecure - WiFiClient that supports TLS
  BearSSL::WiFiServerSecure - WiFiServer supporting TLS and client certs
It also introduces objects for PEM/DER encoded keys and certificates:
  BearSSLX509List - x.509 Certificate (list) for general use
  BearSSLPrivateKey - RSA or EC private key
  BearSSLPublicKey - RSA or EC public key (i.e. from a public website)
Finally, it adds a Certificate Authority store object which lets BearSSL access a set of trusted CA certificates on SPIFFS to allow it to verify the identity of any remote site on the Internet, without requiring RAM except for the single matching certificate.
  CertStoreSPIFFSBearSSL - Certificate store utility
Client certificates are supported for the BearSSL::WiFiClientSecure, and what's more the BearSSL::WiFiServerSecure can also *require* remote clients to have a trusted certificate signed by a specific CA (or yourself with self-signing CAs).
Maximum Fragment Length Negotiation probing and usage are supported, but be aware that most sites on the Internet don't support it yet. When available, you can reduce the memory footprint of the SSL client or server dramatically (i.e. down to 2-8KB vs. the ~22KB required for a full 16K receive fragment and 512b send fragment). You can also manually set a smaller fragment size and guarantee at your protocol level all data will fit within it.
Examples are included to show the usage of these new features.
axTLS has been moved to its own namespace, "axtls". A default "using" clause allows existing apps to run using axTLS without any changes.
The BearSSL::WiFi{client,server}Secure implements the axTLS client/server API which lets many end user applications take advantage of BearSSL with few or no changes.
The BearSSL static library used presently is stored at https://github.com/earlephilhower/bearssl-esp8266 and can be built using the standard ESP8266 toolchain.
Clarify the folder of the git installation method for Mac
Arduino builds are now taking 49 minutes or more, and failing due to Travis timeouts. Split the Arduino build task into even and odd half, where each job will build every other test. This will reduce any test's runtime by 50% and speed up checks to avoid the timeout.
The SSL pipeline is multi-stage, and the TCP connection can go down even though there is still data waiting to be decrypted or in the decryption buffer. Explicitly check if there can be any data made available to the app, and if so report that we are still connected(). When there is no data and there is no TCP connection, report disconnected.
When the TCP socket is closed there may be some data left in the BearSSL internal buffers which can be read by the application. The BearSSL pump, however, would always return no data available in the case the socket was disconnected before checking if the SSL was in a state where the app could possibly read. Fix by returning if the state is available, even if the connection is gone. Eventually no more data will become available to read and the original -1 will be returned. This should match the existing axTLS ::connected() behavior.
Simple git submodule and makefile for building the bearssl library from source in the Arduino tree.
* interactive example: update with option for using DHCP again after using static IP
* lwip2: avoid crash when IP address is set to 0(any) by dhcp not getting its lease renewal in due time
* lwip2: automatically remove oldest PCBs in time-wait state, limit their number thanks to @me-no-dev 07f4d4c#diff-f8258e71e25fb9985ca3799e3d8b88ecR399
* faq: update about tcpCleanup()
* lwip2: add a macro HAS_PHY_CAPTURE=1 indicating capture facility is available
No description provided.