From 4f21164527a073b337de7b47c19fc16a1dc35be7 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 3 Jan 2024 16:32:27 +0100 Subject: [PATCH 1/9] Allow overriding default client profile --- src/BearSSLClient.cpp | 15 ++++++++++++--- src/BearSSLClient.h | 5 +++-- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index f1df47c..a681e9f 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp @@ -28,15 +28,19 @@ #include #endif +#ifndef ARDUINO_BEARSSL_DISABLE_BUILTIN_TRUST_ANCHORS #include "BearSSLTrustAnchors.h" +#endif #include "utility/eccX08_asn1.h" #include "BearSSLClient.h" +#ifndef ARDUINO_BEARSSL_DISABLE_BUILTIN_TRUST_ANCHORS BearSSLClient::BearSSLClient(Client& client) : BearSSLClient(&client, TAs, TAs_NUM) { } +#endif BearSSLClient::BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs) : BearSSLClient(&client, myTAs, myNumTAs) @@ -49,7 +53,8 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, _numTAs(myNumTAs), _noSNI(false), _skeyDecoder(NULL), - _ecChainLen(0) + _ecChainLen(0), + _br_ssl_client_init_function(br_ssl_client_init_full) { #ifndef ARDUINO_DISABLE_ECCX08 _ecVrfy = eccX08_vrfy_asn1; @@ -436,8 +441,12 @@ int BearSSLClient::errorCode() int BearSSLClient::connectSSL(const char* host) { - // initialize client context with all algorithms and hardcoded trust anchors - br_ssl_client_init_full(&_sc, &_xc, _TAs, _numTAs); + if (!_br_ssl_client_init_function) { + return 0; + } + + // initialize client context with enabled algorithms and trust anchors + _br_ssl_client_init_function(&_sc, &_xc, _TAs, _numTAs); br_ssl_engine_set_buffers_bidi(&_sc.eng, _ibuf, sizeof(_ibuf), _obuf, sizeof(_obuf)); diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index 031cc0b..a5404cc 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h 
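Review bot: In the `connectSSL` hunk, the new early `return 0;` for an unset `_br_ssl_client_init_function` fails closed but records no reason. `_sc` has not been initialised at that point, so whatever `errorCode()` reports afterwards is unlikely to describe this case (its body is not in the hunk, please confirm). A caller therefore cannot tell "no TLS profile configured" from a network or handshake failure, which matters more once PATCH 3/9 makes `NULL` the default under `ARDUINO_BEARSSL_DISABLE_FULL_CLIENT_PROFILE`. Consider recording a distinct error before returning and adding a comment such as `// no profile installed: refuse to connect rather than run an uninitialised engine`. `connectSSL` continues past the end of the hunk.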
@@ -64,9 +64,8 @@ class BearSSLClient : public Client { BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, int myNumTAs); virtual ~BearSSLClient(); - inline void setClient(Client& client) { _client = &client; } - + inline void setProfile(void(*client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trustrust_anchorst_anchors_num)) { _br_ssl_client_init_function = client_init_function; } virtual int connect(IPAddress ip, uint16_t port); virtual int connect(const char* host, uint16_t port); @@ -131,6 +130,8 @@ class BearSSLClient : public Client { unsigned char _ibuf[BEAR_SSL_CLIENT_IBUF_SIZE]; unsigned char _obuf[BEAR_SSL_CLIENT_OBUF_SIZE]; br_sslio_context _ioc; + + void (*_br_ssl_client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num); }; #endif From 0530d3528d0c4b72a928132999b4d75ad5829fb0 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 3 Jan 2024 16:24:16 +0100 Subject: [PATCH 2/9] Allow enabling or disabling global instances creation via config file --- src/AES128.cpp | 3 ++- src/DES.cpp | 3 ++- src/MD5.cpp | 3 ++- src/SHA1.cpp | 3 +++ src/SHA256.cpp | 3 ++- 5 files changed, 11 insertions(+), 4 deletions(-) diff --git a/src/AES128.cpp b/src/AES128.cpp index c655d2c..2d3e5c8 100644 --- a/src/AES128.cpp +++ b/src/AES128.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "AES128.h" AES128Class::AES128Class() : @@ -49,6 +50,6 @@ int AES128Class::runDecryption(uint8_t *key, size_t size, uint8_t *input, size_t return 1; } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_AES128) && !defined(ARDUINO_ARCH_MEGAAVR) AES128Class AES128; #endif \ No newline at end of file diff --git a/src/DES.cpp b/src/DES.cpp index f56adb4..7445765 100644 --- a/src/DES.cpp +++ b/src/DES.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "DES.h" DESClass::DESClass() : 
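Review bot: The `setProfile` declaration spells its last parameter `trustrust_anchorst_anchors_num`, while the member added in the `@@ -131,6 +130,8 @@` hunk uses `trust_anchors_num`; this looks like an editing slip, and the long function-pointer type is written out twice. A single alias used for both the setter and the member would keep them in step, e.g. `typedef void (*BearSSLClientInitFunction)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);`. The setter also deserves a doc comment stating that the supplied function alone decides which cipher suites, hashes and X.509 validation the engine is configured with, and that passing `NULL` makes `connectSSL` return 0.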
@@ -50,6 +51,6 @@ int DESClass::runDecryption(uint8_t *key, size_t size, uint8_t *input, size_t bl } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_DES) && !defined(ARDUINO_ARCH_MEGAAVR) DESClass DES; #endif \ No newline at end of file diff --git a/src/MD5.cpp b/src/MD5.cpp index db234ec..d5e2a56 100644 --- a/src/MD5.cpp +++ b/src/MD5.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "MD5.h" MD5Class::MD5Class() : @@ -54,6 +55,6 @@ int MD5Class::end(uint8_t *digest) return 1; } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_MD5) && !defined(ARDUINO_ARCH_MEGAAVR) MD5Class MD5; #endif \ No newline at end of file diff --git a/src/SHA1.cpp b/src/SHA1.cpp index bd525fd..c59d728 100644 --- a/src/SHA1.cpp +++ b/src/SHA1.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "SHA1.h" SHA1Class::SHA1Class() : @@ -54,4 +55,6 @@ int SHA1Class::end(uint8_t *digest) return 1; } +#if !defined(ARDUINO_BEARSSL_DISABLE_SHA1) SHA1Class SHA1; +#endif diff --git a/src/SHA256.cpp b/src/SHA256.cpp index f911d86..48be1a9 100644 --- a/src/SHA256.cpp +++ b/src/SHA256.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "SHA256.h" SHA256Class::SHA256Class() : @@ -54,6 +55,6 @@ int SHA256Class::end(uint8_t *digest) return 1; } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_SHA256) && !defined(ARDUINO_ARCH_MEGAAVR) SHA256Class SHA256; #endif From 46bd0f78fe7e78f40105cd7e1e07bbc5e5e792e9 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 3 Jan 2024 16:33:11 +0100 Subject: [PATCH 3/9] Allow enabling or disabling default full client profile inclusion via config file --- src/BearSSLClient.cpp | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index a681e9f..a54cdfa 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp 
@@ -54,7 +54,11 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, _noSNI(false), _skeyDecoder(NULL), _ecChainLen(0), +#ifndef ARDUINO_BEARSSL_DISABLE_FULL_CLIENT_PROFILE _br_ssl_client_init_function(br_ssl_client_init_full) +#else + _br_ssl_client_init_function(NULL) +#endif { #ifndef ARDUINO_DISABLE_ECCX08 _ecVrfy = eccX08_vrfy_asn1; From 45d8b11a96a2fbb2c058a0e7eaeaebb3ebc1c33d Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 3 Jan 2024 17:41:05 +0100 Subject: [PATCH 4/9] Allow enabling or disabling key decoder via config file --- src/BearSSLClient.cpp | 12 ++++++++++++ src/BearSSLClient.h | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index a54cdfa..82088af 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp @@ -52,7 +52,9 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, _TAs(myTAs), _numTAs(myNumTAs), _noSNI(false), +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER _skeyDecoder(NULL), +#endif _ecChainLen(0), #ifndef ARDUINO_BEARSSL_DISABLE_FULL_CLIENT_PROFILE _br_ssl_client_init_function(br_ssl_client_init_full) @@ -86,10 +88,12 @@ BearSSLClient::~BearSSLClient() _ecCert[0].data = NULL; } +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER if (_skeyDecoder) { free(_skeyDecoder); _skeyDecoder = NULL; } +#endif } int BearSSLClient::connect(IPAddress ip, uint16_t port) @@ -318,6 +322,7 @@ void BearSSLClient::setEccSlot(int ecc508KeySlot, const char cert[]) } } +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void BearSSLClient::setKey(const char key[], const char cert[]) { // try to decode the key and cert @@ -390,6 +395,7 @@ void BearSSLClient::setKey(const char key[], const char cert[]) } } } +#endif void BearSSLClient::setEccCertParent(const char cert[]) { 
@@ -475,6 +481,7 @@ int BearSSLClient::connectSSL(const char* host) // enable client auth if (_ecCert[0].data_len) { +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER if (_skeyDecoder) { int skeyType = br_skey_decoder_key_type(_skeyDecoder); @@ -484,8 +491,11 @@ int BearSSLClient::connectSSL(const char* host) br_ssl_client_set_single_rsa(&_sc, _ecCert, _ecChainLen, br_skey_decoder_get_rsa(_skeyDecoder), br_rsa_pkcs1_sign_get_default()); } } else { +#endif br_ssl_client_set_single_ec(&_sc, _ecCert, _ecChainLen, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), _ecSign); +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER } +#endif } // set the hostname used for SNI @@ -588,12 +598,14 @@ void BearSSLClient::clientAppendCert(void *ctx, const void *data, size_t len) c->_ecCert[0].data_len += len; } +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void BearSSLClient::clientAppendKey(void *ctx, const void *data, size_t len) { BearSSLClient* c = (BearSSLClient*)ctx; br_skey_decoder_push(c->_skeyDecoder, data, len); } +#endif void BearSSLClient::parentAppendCert(void *ctx, const void *data, size_t len) { diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index a5404cc..64f2b1e 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -96,7 +96,9 @@ class BearSSLClient : public Client { void setEccSlot(int ecc508KeySlot, const byte cert[], int certLength); void setEccSlot(int ecc508KeySlot, const char cert[]); +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void setKey(const char key[], const char cert[]); +#endif void setEccCertParent(const char cert[]); int errorCode(); 
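Review bot: In the client-auth block of `connectSSL`, the `#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER` / `#endif` pairs cut through the `if (_skeyDecoder) { … } else {` statement, so the braces only balance when all three guarded regions are toggled together. That is easy to break in a later edit, and this is the code that selects the client's private key. Keeping each preprocessor region syntactically complete avoids the problem; the sketch below does so with a local flag and should behave the same in both configurations. `connectSSL` starts and ends outside the hunk.

```cpp
  if (_ecCert[0].data_len) {
    bool keyFromDecoder = false;
#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
    if (_skeyDecoder) {
      // … unchanged: EC / RSA selection based on br_skey_decoder_key_type() …
      keyFromDecoder = true;
    }
#endif
    if (!keyFromDecoder) {
      br_ssl_client_set_single_ec(&_sc, _ecCert, _ecChainLen, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), _ecSign);
    }
  }
```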
@@ -106,7 +108,9 @@ class BearSSLClient : public Client { static int clientRead(void *ctx, unsigned char *buf, size_t len); static int clientWrite(void *ctx, const unsigned char *buf, size_t len); static void clientAppendCert(void *ctx, const void *data, size_t len); +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER static void clientAppendKey(void *ctx, const void *data, size_t len); +#endif static void parentAppendCert(void *ctx, const void *data, size_t len); private: @@ -120,7 +124,9 @@ class BearSSLClient : public Client { br_ecdsa_sign _ecSign; br_ec_private_key _ecKey; +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER br_skey_decoder_context* _skeyDecoder; +#endif br_x509_certificate _ecCert[BEAR_SSL_CLIENT_CHAIN_SIZE]; int _ecChainLen; bool _ecCertDynamic; From d3a2abbbff90757dc111485bceca4be29cd65f64 Mon Sep 17 00:00:00 2001 From: pennam Date: Mon, 15 Apr 2024 21:39:25 +0200 Subject: [PATCH 5/9] Set IBUF_SIZE to default value for STM32H7 boards --- src/BearSSLClient.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index 64f2b1e..941642b 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -32,7 +32,7 @@ #endif #ifndef BEAR_SSL_CLIENT_IBUF_SIZE -#define BEAR_SSL_CLIENT_IBUF_SIZE 32768 +#define BEAR_SSL_CLIENT_IBUF_SIZE (16384 + 325) #endif #else From 79fc48cf1d6cb33a9a1102c1f32971d62c826673 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 22 May 2024 10:04:24 +0200 Subject: [PATCH 6/9] Add ctor without parameters --- src/BearSSLClient.cpp | 14 ++++++++++++++ src/BearSSLClient.h | 1 + 2 files changed, 15 insertions(+) diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index 82088af..3fde93f 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp 
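Review bot: Guarding the `_skeyDecoder` member in the `@@ -120,7 +124,9 @@` hunk makes the size and member offsets of `BearSSLClient` depend on `ARDUINO_BEARSSL_DISABLE_KEY_DECODER`, so every translation unit that includes this header must see the same definition as the library's own `.cpp` files. If a sketch and the library build disagree on the macro, they disagree on the object layout, and accesses to later members such as `_ecCert` or `_ibuf` land at the wrong offsets. None of the header hunks shown adds an include of the configuration header, so please confirm `BearSSLClient.h` pulls it in before the class. A comment such as `// layout-affecting option: set it in the library config header, never per sketch` would help.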
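Review bot: The new default `(16384 + 325)` for `BEAR_SSL_CLIENT_IBUF_SIZE` is a bare magic number; a reader cannot tell that it is the maximum TLS record payload plus BearSSL's per-record overhead, the value BearSSL names `BR_SSL_BUFSIZE_INPUT`. Prefer `#define BEAR_SSL_CLIENT_IBUF_SIZE BR_SSL_BUFSIZE_INPUT` if the BearSSL header is already included at this point (not visible in the hunk). Otherwise keep the literal with a comment such as `// max record (16384) + overhead (325) == BR_SSL_BUFSIZE_INPUT`. A smaller override would likely stop the engine from accepting full-size records from a peer, so the relationship is worth stating next to the number.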
@@ -42,6 +42,20 @@ BearSSLClient::BearSSLClient(Client& client) : } #endif +BearSSLClient::BearSSLClient() : + _noSNI(false) +{ + _ecKey.curve = 0; + _ecKey.x = NULL; + _ecKey.xlen = 0; + + for (size_t i = 0; i < BEAR_SSL_CLIENT_CHAIN_SIZE; i++) { + _ecCert[i].data = NULL; + _ecCert[i].data_len = 0; + } + _ecCertDynamic = false; +} + BearSSLClient::BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs) : BearSSLClient(&client, myTAs, myNumTAs) { diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index 941642b..4b7ab1c 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -59,6 +59,7 @@ class BearSSLClient : public Client { public: + BearSSLClient(); BearSSLClient(Client& client); BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs); BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, int myNumTAs); From efcf2833824f5822c11167d678a590846ba7a084 Mon Sep 17 00:00:00 2001 From: pennam Date: Wed, 22 May 2024 10:04:54 +0200 Subject: [PATCH 7/9] Add method to configure trust anchors --- src/BearSSLClient.h | 1 + 1 file changed, 1 insertion(+) diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index 4b7ab1c..b532bc1 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -67,6 +67,7 @@ class BearSSLClient : public Client { inline void setClient(Client& client) { _client = &client; } inline void setProfile(void(*client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trustrust_anchorst_anchors_num)) { _br_ssl_client_init_function = client_init_function; } + inline void setTrustAnchors(const br_x509_trust_anchor* myTAs, int myNumTAs) { _TAs = myTAs; _numTAs = myNumTAs; } virtual int connect(IPAddress ip, uint16_t port); virtual int connect(const char* host, uint16_t port); From 04cdddf6d366a823bc9f871abf17cba1bc987895 Mon Sep 17 00:00:00 2001 
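Review bot: The new `BearSSLClient()` constructor never sets `_client`, `_TAs`, `_numTAs`, `_ecChainLen`, `_skeyDecoder`, `_ecVrfy` or `_br_ssl_client_init_function`; the pointer constructor visibly initialises all of these except `_client`, whose initialiser would sit outside the hunks shown. For an instance with automatic or dynamic storage, the destructor's `if (_skeyDecoder) { free(_skeyDecoder);` can then free an indeterminate pointer. Likewise, the `if (!_br_ssl_client_init_function)` guard in `connectSSL` can pass on a garbage value and call through it, or hand indeterminate trust anchors to the profile. Delegating keeps one place that establishes the invariants: `BearSSLClient::BearSSLClient() : BearSSLClient((Client*)NULL, NULL, 0) { }` (the pointer constructor's full body is not in view, so confirm it tolerates a null client). Callers would then supply the transport and anchors through `setClient` and `setTrustAnchors` before connecting.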
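Review bot: `setTrustAnchors` stores the caller's pointer and an `int` count without copying or checking either, and `connectSSL` later passes the count to an init function whose parameter is `size_t`, so a negative `myNumTAs` would convert to a very large anchor count. A guard such as `_numTAs = (myTAs && myNumTAs > 0) ? myNumTAs : 0;` makes that case harmless. Please also add a doc comment stating that the array is not copied and must outlive the client, that new anchors take effect on the next connection, and that a `NULL`/0 pair leaves the client with no anchors to validate against.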
From: pennam Date: Mon, 17 Jun 2024 11:54:44 +0200 Subject: [PATCH 8/9] Compile Examples: add boards to CI workflow --- .github/workflows/compile-examples.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/compile-examples.yml b/.github/workflows/compile-examples.yml index 8bc6795..f71ace3 100644 --- a/.github/workflows/compile-examples.yml +++ b/.github/workflows/compile-examples.yml @@ -48,6 +48,21 @@ jobs: - fqbn: arduino:samd:mkrgsm1400 type: gsm artifact-name-suffix: arduino-samd-mkrgsm1400 + - fqbn: arduino:samd:mkrnb1500 + type: nb + artifact-name-suffix: arduino-samd-mkrnb1500 + - fqbn: arduino:mbed_portenta:envie_m7 + type: mbed_portenta + artifact-name-suffix: arduino-mbed_portenta-envie_m7 + - fqbn: arduino:mbed_nano:nanorp2040connect + type: nina + artifact-name-suffix: arduino-mbed_nano-nanorp2040connect + - fqbn: arduino:mbed_opta:opta + type: mbed_opta + artifact-name-suffix: arduino-mbed_opta-opta + - fqbn: arduino:mbed_giga:giga + type: mbed_giga + artifact-name-suffix: arduino-mbed_giga-giga - fqbn: arduino:megaavr:uno2018 type: megaavr artifact-name-suffix: arduino-megaavr-uno2018 From 504a875a9283cde7d3acbb8335367ef774d91e39 Mon Sep 17 00:00:00 2001 From: pennam Date: Tue, 16 Jul 2024 11:40:52 +0200 Subject: [PATCH 9/9] Disable parent certificate functions if chain length is 1 --- src/BearSSLClient.cpp | 5 ++++- src/BearSSLClient.h | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index 3fde93f..0e5b31a 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp @@ -411,6 +411,7 @@ void BearSSLClient::setKey(const char key[], const char cert[]) } #endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 void BearSSLClient::setEccCertParent(const char cert[]) { // try to decode the cert @@ -457,6 +458,7 @@ void BearSSLClient::setEccCertParent(const char cert[]) } } } +#endif int BearSSLClient::errorCode() { 
@@ -621,6 +623,7 @@ void BearSSLClient::clientAppendKey(void *ctx, const void *data, size_t len) } #endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 void BearSSLClient::parentAppendCert(void *ctx, const void *data, size_t len) { BearSSLClient* c = (BearSSLClient*)ctx; @@ -628,4 +631,4 @@ void BearSSLClient::parentAppendCert(void *ctx, const void *data, size_t len) memcpy(&c->_ecCert[1].data[c->_ecCert[1].data_len], data, len); c->_ecCert[1].data_len += len; } - +#endif diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index b532bc1..03f081e 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -101,7 +101,9 @@ class BearSSLClient : public Client { #ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void setKey(const char key[], const char cert[]); #endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 void setEccCertParent(const char cert[]); +#endif int errorCode(); @@ -113,7 +115,9 @@ class BearSSLClient : public Client { #ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER static void clientAppendKey(void *ctx, const void *data, size_t len); #endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 static void parentAppendCert(void *ctx, const void *data, size_t len); +#endif private: Client* _client;