Yet another SPI SPWF04S problem

Ok. So has this changed vs SPWF01? It worked just fine in this area.

If I need to do something with certificates, are there any instructions how to work with those.

Ok, I'll check that. Thanks a lot for support.

Any plans on adding that anynomous mode to SPWF04?

Hi again Mridu!

WiFi_Status_t wifi_socket_client_security(uint8_t* tls_mode, uint8_t* ca_certificate, uint8_t* certificate, uint8_t* certificate_key, uint8_t* client_domain, uint32_t tls_epoch_time)

I got the CA cerficate from amazon. Also I've got the Subject key identifier. I've used python script to constuct byte header from the CA certificate.

Is it really so, that the client_domain parameter is the subject key identifier? Atleast the /*AT+S.TLSCERT=auth,<Peer CA Authority Key Id>*/ would match it. How should I use the function in this case? I'm calling it after the AP connection has been established and before the socket connection is attempted to be formed (I'm not waiting for any callback).

wifi_socket_client_security('o', &cert_data, NULL, NULL, key, 1497610496);

Where the 'o' is the one way authorization, cert_data is the uint8_t stucture containing the DER encoded binary X.509 (.CER), key is pointer to Subject key structure and the last one is EPOC time half an hour a go.

***********

The wifi_init calls the certificate clean.

/*AT+S.TLSCERT2=content,2 -> clean certificates*/

This means that after every boot the certificates need to be reloaded?

Hi,

no plans for anonymous on 04.

Using a cipher with anonymous authentication means that no authentication of the server will be done inside the TLS handshake and thus the connection is open for 'man in the middle' attacks.

Also a little worrysome discovery. The wifi_socket_client_security uses strlen and sprintf to handle the certificate file. However the certificate file contains lots of null-characters, so I don't think it works like it should. Unless of course this is intended behaviour, and only the start of file is valid data.

EDIT: even more worrying is that also the send function relys on strlen. Hopefully the socket write doesn't behave similarily as there also might be non-string content.

Hi Matti,

it's not necessary to reload certificates each time you re-start(re-boot). You can remove the init tls clean command if you wish. Also while testing we have seen certificates mostly without any NULL character in between. And yes if there is NULL character in between the certificates then certainly using strlen will be an issue. We will modify usage of strlen on certificates. For the time being you can use any other means to measure the strlen.

regards,

Mridu

What about the SPWF04 side? It doesn't rely on null termination?

EDIT: The spwf04WiFi->cmd_funcArgs has another rather large bug. It doesn't do any size checking and the WiFi_SPI_Packet buffer is only 128 bytes in size. Even if there was no null-characters in the certificate, the 1,5k size would mean that no certificate would be transferred completely.

Null termination should not be a problem on the module. I will confirm this though.

The SPI_Packet buffer only contains the packet structure. The certificate will be in WiFi_AT_Cmd_Buff buffer and the data ptr will keep track of this and use this to write it to the module. (Check if (data && len > 0) condition). Typically 2k size of 

WiFi_AT_Cmd_Buff should be OK. You can play around with the buffer size as you wish.