diff --git a/.github/workflows/compile-examples.yml b/.github/workflows/compile-examples.yml index 8bc6795..f71ace3 100644 --- a/.github/workflows/compile-examples.yml +++ b/.github/workflows/compile-examples.yml @@ -48,6 +48,21 @@ jobs: - fqbn: arduino:samd:mkrgsm1400 type: gsm artifact-name-suffix: arduino-samd-mkrgsm1400 + - fqbn: arduino:samd:mkrnb1500 + type: nb + artifact-name-suffix: arduino-samd-mkrnb1500 + - fqbn: arduino:mbed_portenta:envie_m7 + type: mbed_portenta + artifact-name-suffix: arduino-mbed_portenta-envie_m7 + - fqbn: arduino:mbed_nano:nanorp2040connect + type: nina + artifact-name-suffix: arduino-mbed_nano-nanorp2040connect + - fqbn: arduino:mbed_opta:opta + type: mbed_opta + artifact-name-suffix: arduino-mbed_opta-opta + - fqbn: arduino:mbed_giga:giga + type: mbed_giga + artifact-name-suffix: arduino-mbed_giga-giga - fqbn: arduino:megaavr:uno2018 type: megaavr artifact-name-suffix: arduino-megaavr-uno2018 diff --git a/src/AES128.cpp b/src/AES128.cpp index c655d2c..2d3e5c8 100644 --- a/src/AES128.cpp +++ b/src/AES128.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "AES128.h" AES128Class::AES128Class() : @@ -49,6 +50,6 @@ int AES128Class::runDecryption(uint8_t *key, size_t size, uint8_t *input, size_t return 1; } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_AES128) && !defined(ARDUINO_ARCH_MEGAAVR) AES128Class AES128; #endif \ No newline at end of file diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index f1df47c..0e5b31a 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp 
@@ -28,15 +28,33 @@ #include #endif +#ifndef ARDUINO_BEARSSL_DISABLE_BUILTIN_TRUST_ANCHORS #include "BearSSLTrustAnchors.h" +#endif #include "utility/eccX08_asn1.h" #include "BearSSLClient.h" +#ifndef ARDUINO_BEARSSL_DISABLE_BUILTIN_TRUST_ANCHORS BearSSLClient::BearSSLClient(Client& client) : BearSSLClient(&client, TAs, TAs_NUM) { } +#endif + +BearSSLClient::BearSSLClient() : + _noSNI(false) +{ + _ecKey.curve = 0; + _ecKey.x = NULL; + _ecKey.xlen = 0; + + for (size_t i = 0; i < BEAR_SSL_CLIENT_CHAIN_SIZE; i++) { + _ecCert[i].data = NULL; + _ecCert[i].data_len = 0; + } + _ecCertDynamic = false; +} BearSSLClient::BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs) : BearSSLClient(&client, myTAs, myNumTAs) @@ -48,8 +66,15 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, _TAs(myTAs), _numTAs(myNumTAs), _noSNI(false), +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER _skeyDecoder(NULL), - _ecChainLen(0) +#endif + _ecChainLen(0), +#ifndef ARDUINO_BEARSSL_DISABLE_FULL_CLIENT_PROFILE + _br_ssl_client_init_function(br_ssl_client_init_full) +#else + _br_ssl_client_init_function(NULL) +#endif { #ifndef ARDUINO_DISABLE_ECCX08 _ecVrfy = eccX08_vrfy_asn1; @@ -77,10 +102,12 @@ BearSSLClient::~BearSSLClient() _ecCert[0].data = NULL; } +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER if (_skeyDecoder) { free(_skeyDecoder); _skeyDecoder = NULL; } +#endif } int BearSSLClient::connect(IPAddress ip, uint16_t port) @@ -309,6 +336,7 @@ void BearSSLClient::setEccSlot(int ecc508KeySlot, const char cert[]) } } +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void BearSSLClient::setKey(const char key[], const char cert[]) { // try to decode the key and cert @@ -381,7 +409,9 @@ void BearSSLClient::setKey(const char key[], const char cert[]) } } } +#endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 void BearSSLClient::setEccCertParent(const char cert[]) { // try to decode the cert 
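Review bot: The new default constructor initialises only `_noSNI`, `_ecKey`, `_ecCert` and `_ecCertDynamic`; `_client`, `_TAs`, `_numTAs`, `_ecChainLen`, `_skeyDecoder` and `_br_ssl_client_init_function` — all of which the `Client*` constructor in the next hunk sets in its init list — are left indeterminate. That makes the destructor's `if (_skeyDecoder) free(_skeyDecoder)` a free of a garbage pointer, makes the `!_br_ssl_client_init_function` guard in connectSSL() unreliable, and hands an indeterminate `_TAs`/`_numTAs` to the X.509 engine as the trust store if a caller forgets setTrustAnchors(). Delegating instead, `BearSSLClient::BearSSLClient() : BearSSLClient((Client*)NULL, NULL, 0) { }`, zeroes all of them and turns a forgotten setTrustAnchors() into a fail-closed empty trust store — assuming the delegated constructor's body, which continues outside this hunk, resets `_ecKey` and `_ecCert` the same way this one does.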
@@ -428,6 +458,7 @@ void BearSSLClient::setEccCertParent(const char cert[]) } } } +#endif int BearSSLClient::errorCode() { @@ -436,8 +467,12 @@ int BearSSLClient::errorCode() int BearSSLClient::connectSSL(const char* host) { - // initialize client context with all algorithms and hardcoded trust anchors - br_ssl_client_init_full(&_sc, &_xc, _TAs, _numTAs); + if (!_br_ssl_client_init_function) { + return 0; + } + + // initialize client context with enabled algorithms and trust anchors + _br_ssl_client_init_function(&_sc, &_xc, _TAs, _numTAs); br_ssl_engine_set_buffers_bidi(&_sc.eng, _ibuf, sizeof(_ibuf), _obuf, sizeof(_obuf)); @@ -462,6 +497,7 @@ int BearSSLClient::connectSSL(const char* host) // enable client auth if (_ecCert[0].data_len) { +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER if (_skeyDecoder) { int skeyType = br_skey_decoder_key_type(_skeyDecoder); @@ -471,8 +507,11 @@ int BearSSLClient::connectSSL(const char* host) br_ssl_client_set_single_rsa(&_sc, _ecCert, _ecChainLen, br_skey_decoder_get_rsa(_skeyDecoder), br_rsa_pkcs1_sign_get_default()); } } else { +#endif br_ssl_client_set_single_ec(&_sc, _ecCert, _ecChainLen, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), _ecSign); +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER } +#endif } // set the hostname used for SNI @@ -575,13 +614,16 @@ void BearSSLClient::clientAppendCert(void *ctx, const void *data, size_t len) c->_ecCert[0].data_len += len; } +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void BearSSLClient::clientAppendKey(void *ctx, const void *data, size_t len) { BearSSLClient* c = (BearSSLClient*)ctx; br_skey_decoder_push(c->_skeyDecoder, data, len); } +#endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 void BearSSLClient::parentAppendCert(void *ctx, const void *data, size_t len) { BearSSLClient* c = (BearSSLClient*)ctx; 
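Review bot: connectSSL() now returns 0 when `_br_ssl_client_init_function` is NULL without recording why; `_sc` has not been initialised at that point, so whatever errorCode() reports afterwards (its body is outside the hunk) will not describe this failure and a caller cannot distinguish "no TLS profile configured" from a handshake failure. At minimum comment the branch, e.g. `// No TLS profile: built with ARDUINO_BEARSSL_DISABLE_FULL_CLIENT_PROFILE and setProfile() never called — refuse rather than run an uninitialised engine`. If connect() opens the transport before calling connectSSL(), consider performing this check there as well so no TCP connection is made when TLS can never be set up. connectSSL() continues past the end of this hunk.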
@@ -589,4 +631,4 @@ void BearSSLClient::parentAppendCert(void *ctx, const void *data, size_t len) memcpy(&c->_ecCert[1].data[c->_ecCert[1].data_len], data, len); c->_ecCert[1].data_len += len; } - +#endif diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index 031cc0b..03f081e 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -32,7 +32,7 @@ #endif #ifndef BEAR_SSL_CLIENT_IBUF_SIZE -#define BEAR_SSL_CLIENT_IBUF_SIZE 32768 +#define BEAR_SSL_CLIENT_IBUF_SIZE (16384 + 325) #endif #else @@ -59,14 +59,15 @@ class BearSSLClient : public Client { public: + BearSSLClient(); BearSSLClient(Client& client); BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs); BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, int myNumTAs); virtual ~BearSSLClient(); - inline void setClient(Client& client) { _client = &client; } - + inline void setProfile(void(*client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trustrust_anchorst_anchors_num)) { _br_ssl_client_init_function = client_init_function; } + inline void setTrustAnchors(const br_x509_trust_anchor* myTAs, int myNumTAs) { _TAs = myTAs; _numTAs = myNumTAs; } virtual int connect(IPAddress ip, uint16_t port); virtual int connect(const char* host, uint16_t port); @@ -97,8 +98,12 @@ class BearSSLClient : public Client { void setEccSlot(int ecc508KeySlot, const byte cert[], int certLength); void setEccSlot(int ecc508KeySlot, const char cert[]); +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER void setKey(const char key[], const char cert[]); +#endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 void setEccCertParent(const char cert[]); +#endif int errorCode(); 
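Review bot: `(16384 + 325)` on the `BEAR_SSL_CLIENT_IBUF_SIZE` line is a magic number; it is the value BearSSL itself exposes as `BR_SSL_BUFSIZE_INPUT` (the 16 kB maximum record plaintext plus the 325 bytes of header, MAC and padding overhead). Since this header already uses BearSSL types, `#define BEAR_SSL_CLIENT_IBUF_SIZE BR_SSL_BUFSIZE_INPUT` keeps the two in step if bearssl.h is visible here; otherwise at least add `// BR_SSL_BUFSIZE_INPUT: max TLS record (16384) + 325 bytes record overhead`. The `#else` branch of this size block lies outside the hunk.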
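Review bot: The last parameter of the new setProfile() declaration is named `trustrust_anchorst_anchors_num`, which reads like a paste error; the member declaration later in the file spells it `trust_anchors_num` and the two should match. Neither setter is documented: setProfile() should say that the function is called from connectSSL() and must initialise both the engine (`cc`) and the X.509 minimal context (`xc`), as `br_ssl_client_init_full` does, and setTrustAnchors() should say that it replaces the trust store used for validation and takes no ownership of the array. The collapsed markers make it unclear whether `setClient(Client&)` is removed in this hunk; if it is, a default-constructed client has no way to attach a transport, so it should stay.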
@@ -107,8 +112,12 @@ class BearSSLClient : public Client { static int clientRead(void *ctx, unsigned char *buf, size_t len); static int clientWrite(void *ctx, const unsigned char *buf, size_t len); static void clientAppendCert(void *ctx, const void *data, size_t len); +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER static void clientAppendKey(void *ctx, const void *data, size_t len); +#endif +#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1 static void parentAppendCert(void *ctx, const void *data, size_t len); +#endif private: Client* _client; @@ -121,7 +130,9 @@ class BearSSLClient : public Client { br_ecdsa_sign _ecSign; br_ec_private_key _ecKey; +#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER br_skey_decoder_context* _skeyDecoder; +#endif br_x509_certificate _ecCert[BEAR_SSL_CLIENT_CHAIN_SIZE]; int _ecChainLen; bool _ecCertDynamic; @@ -131,6 +142,8 @@ class BearSSLClient : public Client { unsigned char _ibuf[BEAR_SSL_CLIENT_IBUF_SIZE]; unsigned char _obuf[BEAR_SSL_CLIENT_OBUF_SIZE]; br_sslio_context _ioc; + + void (*_br_ssl_client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num); }; #endif diff --git a/src/DES.cpp b/src/DES.cpp index f56adb4..7445765 100644 --- a/src/DES.cpp +++ b/src/DES.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "DES.h" DESClass::DESClass() : @@ -50,6 +51,6 @@ int DESClass::runDecryption(uint8_t *key, size_t size, uint8_t *input, size_t bl } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_DES) && !defined(ARDUINO_ARCH_MEGAAVR) DESClass DES; #endif \ No newline at end of file diff --git a/src/MD5.cpp b/src/MD5.cpp index db234ec..d5e2a56 100644 --- a/src/MD5.cpp +++ b/src/MD5.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "MD5.h" MD5Class::MD5Class() : 
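Review bot: The new `_br_ssl_client_init_function` member carries no comment, and a reader of the header cannot tell that NULL is a meaningful state. Suggest `// Profile used by connectSSL() to initialise _sc/_xc; NULL means no TLS profile is configured and connectSSL() refuses to connect`. The rest of the class body is outside this hunk.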
@@ -54,6 +55,6 @@ int MD5Class::end(uint8_t *digest) return 1; } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_MD5) && !defined(ARDUINO_ARCH_MEGAAVR) MD5Class MD5; #endif \ No newline at end of file diff --git a/src/SHA1.cpp b/src/SHA1.cpp index bd525fd..c59d728 100644 --- a/src/SHA1.cpp +++ b/src/SHA1.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "SHA1.h" SHA1Class::SHA1Class() : @@ -54,4 +55,6 @@ int SHA1Class::end(uint8_t *digest) return 1; } +#if !defined(ARDUINO_BEARSSL_DISABLE_SHA1) SHA1Class SHA1; +#endif diff --git a/src/SHA256.cpp b/src/SHA256.cpp index f911d86..48be1a9 100644 --- a/src/SHA256.cpp +++ b/src/SHA256.cpp @@ -22,6 +22,7 @@ * SOFTWARE. */ +#include #include "SHA256.h" SHA256Class::SHA256Class() : @@ -54,6 +55,6 @@ int SHA256Class::end(uint8_t *digest) return 1; } -#ifndef ARDUINO_ARCH_MEGAAVR +#if !defined(ARDUINO_BEARSSL_DISABLE_SHA256) && !defined(ARDUINO_ARCH_MEGAAVR) SHA256Class SHA256; #endif