Restructure HQ connection handling

This commit:
 - Renames a few functions
 - Removes the host and port arguments from the wifi.config bitlash
   commands. HQ host and port are no longer provisioned, but hardcoded
   in the sketch.
 - Adds suport for TLS connections (disabled still, though).
 - Introduces an HqHandler class which now contains just the connection
   info for the HQ but will later get more HQ-related code.

Author: matthijskooijman

HqHandler.h

@@ -0,0 +1,30 @@
+#ifndef LIB_PINOCCIO_HQHANDLER_H_
+#define LIB_PINOCCIO_HQHANDLER_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+/**
+ * This class handles direct connections to the HQ server (e.g., through
+ * wifi).
+ */
+class HqHandler {
+public:
+
+  // TODO: Move more code into here.
+
+  /////////////////////////////////////////
+  // These are defined in HQInfo.cpp
+  /////////////////////////////////////////
+
+  /** Hostname of the hq server */
+  static const char host[];
+  /** Port of the hq server */
+  static const uint16_t port;
+  /** The CA certificate for the hq server. */
+  static const uint8_t cacert[];
+  /** The length of cacert. Is 0 when TLS should not be used. */
+  static const size_t cacert_len;
+};
+
+#endif // LIB_PINOCCIO_HQHANDLER_H_

HqInfo.cpp

@@ -0,0 +1,34 @@
+#include "HqHandler.h"
+
+//#define USE_TLS
+
+
+const char HqHandler::host[] = "api.pinocc.io";
+#ifndef USE_TLS
+// 22757 for TLS, 22756 for plain
+const uint16_t HqHandler::port = 22756;
+const uint8_t HqHandler::cacert[] = {};
+const size_t HqHandler::cacert_len = 0;
+#else
+// 22757 for TLS, 22756 for plain
+const uint16_t HqHandler::port = 22757;
+
+// CA certificate that signed the server certificate.
+//  - Using the server certificate here doesn't work, only the CA that
+//    signed it is checked (except self-signed certificates where the
+//    CA and server certificates are the same, though this was not
+//    tested).
+//  - No checks of the server certificate (like hostname) are done,
+//    other than to confirm that it was indeed signed by the right CA.
+//    This means that if you use a server certificate signed by a
+//    commercial CA, _any_ other certificate signed by the same CA
+//    will also pass the check, which is probably not what you want...
+//  - This should be a certificate in (binary) DER format. To convert
+//    it to something that can be pasted below, you can use the
+//    `xxd -i` command, which should be available on Linux and MacOS X.
+//
+const uint8_t HqHandler::cacert[] = {
+  //TODO
+};
+const size_t HqHandler::cacert_len = sizeof(cacert);
+#endif

ScoutHandler.cpp

@@ -18,7 +18,7 @@ void PinoccioScoutHandler::setup() {
 
     Serial.print("Wi-Fi backpack connecting...");
     Scout.wifi.setup();
-    Scout.wifi.autoConnect();
+    Scout.wifi.autoConnectHq();
     Serial.println("Done");
     RgbLed.blinkGreen();
 

Shell.cpp

@@ -622,7 +622,7 @@ static numvar wifiList(void) {
 }
 
 static numvar wifiConfig(void) {
-  if (!Scout.wifi.autoConfig((const char *)getstringarg(1), (const char *)getstringarg(2), (const char *)getstringarg(3), getarg(4))) {
+  if (!Scout.wifi.wifiConfig((const char *)getstringarg(1), (const char *)getstringarg(2))) {
     Serial.println("Error: saving Scout.wifi.configuration data failed");
   }
 }

utility/WiFiBackpack.cpp

@@ -2,6 +2,9 @@
 #include <SPI.h>
 #include <utility/WiFiBackpack.h>
 #include "../ScoutHandler.h"
+#include "../HqHandler.h"
+
+#define CA_CERTNAME_HQ "hq-ca"
 
 static void print_line(const uint8_t *buf, uint16_t len, void *data) {
   static_cast<Print*>(data)->write(buf, len);
@@ -23,7 +26,14 @@ bool WiFiBackpack::setup() {
   SPI.begin();
   SPI.setClockDivider(SPI_CLOCK_DIV8);
 
-  return gs.begin(7);
+
+  if (!gs.begin(7))
+    return false;
+
+  #ifdef HQ_USE_TLS
+    if (HqHandler::cacert_len)
+      gs.addCert(CA_CERTNAME_HQ, /* to_flash */ false, HqHandler::cacert, HqHandler::cacert_len);
+  #endif
 }
 
 void WiFiBackpack::loop() {
@@ -32,31 +42,33 @@ void WiFiBackpack::loop() {
   if (!client.connected()) {
     hqConnected = false;
   } else if (!hqConnected) {
-    leadHQConnect();
-    hqConnected = true;
+    if (HqHandler::cacert_len == 0 || client.enableTls(CA_CERTNAME_HQ)) {
+      leadHQConnect();
+      hqConnected = true;
+    }
   }
   // TODO: Don't call leadHQConnect directly
   // TODO: There is a race condition here: If a disconnect and connect
   // happen quickly before we can notice the disconnect, leadHqConnect
   // will not be called for the new connection.
 }
 
-bool WiFiBackpack::autoConfig(const char *ssid, const char *passphrase, const String& host, uint16_t port) {
+bool WiFiBackpack::wifiConfig(const char *ssid, const char *passphrase) {
   bool ok = true;
   ok = ok && gs.setSecurity(GSModule::GS_SECURITY_AUTO);
   ok = ok && gs.setWpaPassphrase(passphrase);
   ok = ok && gs.setAutoAssociate(ssid);
-  ok = ok && gs.setAutoConnectClient(host.c_str(), port);
   // Remember these settings through a reboot
   ok = ok && gs.saveProfile(0);
   ok = ok && gs.setDefaultProfile(0);
   return ok;
 }
 
-bool WiFiBackpack::autoConnect() {
+bool WiFiBackpack::autoConnectHq() {
   // Try to disable the NCM in case it's already running
   gs.setNcm(false);
-  return gs.setNcm(/* enable */ true, /* associate_only */ false, /* remember */ false);
+  return gs.setAutoConnectClient(HqHandler::host, HqHandler::port) &&
+         gs.setNcm(/* enable */ true, /* associate_only */ false, /* remember */ false);
 }
 
 void WiFiBackpack::printAPs(Print& p) {

utility/WiFiBackpack.h

@@ -15,8 +15,8 @@ class WiFiBackpack : public Backpack {
     bool init();
     void loop();
 
-    bool autoConfig(const char *ssid, const char *passphrase, const String &host, uint16_t port);
-    bool autoConnect();
+    bool wifiConfig(const char *ssid, const char *passphrase);
+    bool autoConnectHq();
 
     void printAPs(Print& p);
     void printProfiles(Print& p);