From 9bdffd2ef1b185e37ba0bd27f30f1ae9ecda13e5 Mon Sep 17 00:00:00 2001
From: "Earle F. Philhower, III"
Date: Thu, 6 Jun 2019 14:21:34 -0700
Subject: [PATCH 1/3] Obey the BASIC_SSL request for TLS servers
When in basic SSL mode, don't include ciphers for EC for the server by replacinf the BearSSL "support everything" init call with our own version which obeys the requested BASIC_SSL. Saves ~47KB on TLS servers, about the same as basic SSL saves for clients.
---
 .../src/WiFiClientSecureBearSSL.cpp | 88 ++++++++++++++++++-
 1 file changed, 85 insertions(+), 3 deletions(-)
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index 0f0de724b4..b6a39e1e3e 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -795,6 +795,58 @@ extern "C" {
 BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
 #endif
 };
+ // Server w/EC has one set
+ static const uint16_t suites_server_ec_P [] PROGMEM = {
+#ifndef BEARSSL_BASIC
+ BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_RSA_WITH_AES_128_CCM,
+ BR_TLS_RSA_WITH_AES_256_CCM,
+ BR_TLS_RSA_WITH_AES_128_CCM_8,
+ BR_TLS_RSA_WITH_AES_256_CCM_8,
+#endif
+ BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
+ BR_TLS_RSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_RSA_WITH_AES_256_CBC_SHA,
+#ifndef BEARSSL_BASIC
+ BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#endif
+ };
+ static const uint16_t suites_server_rsa_P[] PROGMEM = {
+#ifndef BEARSSL_BASIC
+ BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
+ BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
+ BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
+ BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_RSA_WITH_AES_128_CCM,
+ BR_TLS_RSA_WITH_AES_256_CCM,
+ BR_TLS_RSA_WITH_AES_128_CCM_8,
+ BR_TLS_RSA_WITH_AES_256_CCM_8,
+#endif
+ BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
+ BR_TLS_RSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_RSA_WITH_AES_256_CBC_SHA,
+#ifndef BEARSSL_BASIC
+ BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#endif
+ };
+
 // For apps which want to use less secure but faster ciphers, only
 static const uint16_t faster_suites_P[] PROGMEM = {
@@ -848,6 +900,30 @@ extern "C" {
 #endif
 }
+ // Default initializion for our SSL clients
+ static void br_ssl_server_base_init(br_ssl_server_context *cc, const uint16_t *cipher_list, int cipher_cnt) {
+ uint16_t suites[cipher_cnt];
+ memcpy_P(suites, cipher_list, cipher_cnt * sizeof(cipher_list[0]));
+ br_ssl_server_zero(cc);
+ br_ssl_engine_add_flags(&cc->eng, BR_OPT_NO_RENEGOTIATION); // forbid SSL renegociation, as we free the Private Key after handshake
+ br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
+ br_ssl_engine_set_suites(&cc->eng, suites, (sizeof suites) / (sizeof suites[0]));
+#ifndef BEARSSL_SSL_BASIC
+ br_ssl_engine_set_default_ec(&cc->eng);
+#endif
+
+ br_ssl_client_install_hashes(&cc->eng);
+ br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
+ br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
+ br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
+ br_ssl_engine_set_default_aes_cbc(&cc->eng);
+#ifndef BEARSSL_SSL_BASIC
+ br_ssl_engine_set_default_aes_ccm(&cc->eng);
+ br_ssl_engine_set_default_aes_gcm(&cc->eng);
+ br_ssl_engine_set_default_des_cbc(&cc->eng);
+ br_ssl_engine_set_default_chapol(&cc->eng);
+#endif
+ }
 }
 // Set custom list of ciphers
@@ -1050,6 +1126,7 @@ bool WiFiClientSecure::_installServerX509Validator(const X509List *client_CA_ta)
 return true;
 }
+ // Called by WiFiServerBearSSL when an RSA cert/key is specified.
 bool WiFiClientSecure::_connectSSLServerRSA(const X509List *chain,
 const PrivateKey *sk,
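Review bot: The guards inside `br_ssl_server_base_init` test `BEARSSL_SSL_BASIC`, while the two server suite tables added in the previous hunk are guarded by `BEARSSL_BASIC`; only one of these spellings can be the flag the build actually defines, so in a basic build either the engine is handed ECDHE/GCM/CCM/ChaCha20 suites whose implementations this function never installs, or the tables keep the full list and the size saving the commit describes does not materialise. Use whichever spelling the existing client suite table above these hunks uses, at all three sites. The header comment `// Default initializion for our SSL clients` is also misleading for a server initializer; suggest `// Default initialization for our TLS server contexts: installs the given PROGMEM suite list and the crypto implementations the build allows`. `uint16_t suites[cipher_cnt]` is a variable-length array, a compiler extension in C++; a fixed `uint16_t suites[BR_MAX_CIPHER_SUITES]` with `cipher_cnt` clamped to that bound would be standard and matches the bound the engine's own suite buffer has. The version floor stays at `BR_TLS10`, as in the replaced BearSSL full-init call; a one-line comment saying that is deliberate for legacy clients would help, since a server-only deployment could raise it to `BR_TLS12`.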
@@ -1068,7 +1145,10 @@ bool WiFiClientSecure::_connectSSLServerRSA(const X509List *chain,
 return false;
 }
- br_ssl_server_init_full_rsa(_sc_svr.get(), chain ? chain->getX509Certs() : nullptr, chain ? chain->getCount() : 0, sk ? sk->getRSA() : nullptr);
+ br_ssl_server_base_init(_sc_svr.get(), suites_server_rsa_P, sizeof(suites_server_rsa_P) / sizeof(suites_server_rsa_P[0]));
+ br_ssl_server_set_single_rsa(_sc_svr.get(), chain ? chain->getX509Certs() : nullptr, chain ? chain->getCount() : 0,
+ sk ? sk->getRSA() : nullptr, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
+ br_rsa_private_get_default(), br_rsa_pkcs1_sign_get_default());
 br_ssl_engine_set_buffers_bidi(_eng, _iobuf_in.get(), _iobuf_in_size, _iobuf_out.get(), _iobuf_out_size);
 if (client_CA_ta && !_installServerX509Validator(client_CA_ta)) {
 DEBUG_BSSL("_connectSSLServerRSA: Can't install serverX509check\n");
@@ -1102,8 +1182,10 @@ bool WiFiClientSecure::_connectSSLServerEC(const X509List *chain,
 return false;
 }
- br_ssl_server_init_full_ec(_sc_svr.get(), chain ? chain->getX509Certs() : nullptr, chain ? chain->getCount() : 0,
- cert_issuer_key_type, sk ? sk->getEC() : nullptr);
+ br_ssl_server_base_init(_sc_svr.get(), suites_server_ec_P, sizeof(suites_server_ec_P) / sizeof(suites_server_ec_P[0]));
+ br_ssl_server_set_single_ec(_sc_svr.get(), chain ? chain->getX509Certs() : nullptr, chain ? chain->getCount() : 0,
+ sk ? sk->getEC() : nullptr, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
+ cert_issuer_key_type, br_ssl_engine_get_ec(_eng), br_ecdsa_i15_sign_asn1);
 br_ssl_engine_set_buffers_bidi(_eng, _iobuf_in.get(), _iobuf_in_size, _iobuf_out.get(), _iobuf_out_size);
 if (client_CA_ta && !_installServerX509Validator(client_CA_ta)) {
 DEBUG_BSSL("_connectSSLServerEC: Can't install serverX509check\n");
From f4e8b7088e6e684b9d707539f251d2fe37f2ada9 Mon Sep 17 00:00:00 2001
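Review bot: In the `_connectSSLServerEC` hunk, `br_ssl_server_set_single_ec` is handed `br_ecdsa_i15_sign_asn1` directly, whereas the RSA hunk above selects its implementations through `br_rsa_private_get_default()` and `br_rsa_pkcs1_sign_get_default()`; the EC counterpart is `br_ecdsa_sign_asn1_get_default()`, and using it keeps the i15/i31 choice in one place. The same call takes `br_ssl_engine_get_ec(_eng)`, which is only populated because `br_ssl_server_base_init` calls `br_ssl_engine_set_default_ec` under `#ifndef BEARSSL_SSL_BASIC`; after `br_ssl_server_zero` that slot is presumably null in a basic build, so an EC server would be configured with no curve implementation and would likely fail only at handshake time. A guard before the call would make that explicit: `if (!br_ssl_engine_get_ec(_eng)) { DEBUG_BSSL("_connectSSLServerEC: no EC implementation in this build\n"); return false; }`. Both `_connectSSLServerRSA` and `_connectSSLServerEC` begin before their hunks and end after them.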
From: "Earle F. Philhower, III"
Date: Thu, 6 Jun 2019 17:17:09 -0700
Subject: [PATCH 2/3] Fix cipher list for EC server
---
 .../src/WiFiClientSecureBearSSL.cpp | 107 ++++++++++++++----
 1 file changed, 83 insertions(+), 24 deletions(-)
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index b6a39e1e3e..23c0383325 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -795,32 +795,38 @@ extern "C" {
 BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
 #endif
 };
- // Server w/EC has one set
- static const uint16_t suites_server_ec_P [] PROGMEM = {
 #ifndef BEARSSL_BASIC
- BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
- BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
- BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
- BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
- BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
- BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
- BR_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
- BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
- BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
- BR_TLS_RSA_WITH_AES_128_CCM,
- BR_TLS_RSA_WITH_AES_256_CCM,
- BR_TLS_RSA_WITH_AES_128_CCM_8,
- BR_TLS_RSA_WITH_AES_256_CCM_8,
-#endif
- BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
- BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
- BR_TLS_RSA_WITH_AES_128_CBC_SHA,
- BR_TLS_RSA_WITH_AES_256_CBC_SHA,
-#ifndef BEARSSL_BASIC
- BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
- BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA
-#endif
+ // Server w/EC has one set, not possible with basic SSL config
+ static const uint16_t suites_server_ec_P [] PROGMEM = {
+ BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
+ BR_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
+ BR_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
+ BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
+ BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
+ BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
+ BR_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
+ BR_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
+ BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
+ BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
+ BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
 };
+#endif
+
 static const uint16_t suites_server_rsa_P[] PROGMEM = {
 #ifndef BEARSSL_BASIC
 BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
@@ -904,6 +910,7 @@ extern "C" {
 static void br_ssl_server_base_init(br_ssl_server_context *cc, const uint16_t *cipher_list, int cipher_cnt) {
 uint16_t suites[cipher_cnt];
 memcpy_P(suites, cipher_list, cipher_cnt * sizeof(cipher_list[0]));
+#if 0
 br_ssl_server_zero(cc);
 br_ssl_engine_add_flags(&cc->eng, BR_OPT_NO_RENEGOTIATION); // forbid SSL renegociation, as we free the Private Key after handshake
 br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
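Review bot: With `#ifndef BEARSSL_BASIC` and the new `#endif` now bracketing the whole of `suites_server_ec_P`, the table does not exist in a basic build, yet `_connectSSLServerEC` from the first patch still references it unconditionally in `br_ssl_server_base_init(_sc_svr.get(), suites_server_ec_P, ...)`, so such a build fails to compile at that call site (or, if the build flag is really spelled `BEARSSL_SSL_BASIC` as inside `br_ssl_server_base_init`, this guard never fires and the EC table is always compiled in). The body of `_connectSSLServerEC` should sit under the same guard, with the basic-build branch logging through `DEBUG_BSSL` and returning false, so the restriction the comment announces is enforced at the API rather than by a build error. The comment `// Server w/EC has one set, not possible with basic SSL config` would read better as `// EC server suites (ECDHE/ECDH with ECDSA or RSA certificates); these need the EC implementations a basic SSL build leaves out`. The enclosing `extern "C"` block starts before the hunk.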
@@ -923,7 +930,59 @@ extern "C" {
 br_ssl_engine_set_default_des_cbc(&cc->eng);
 br_ssl_engine_set_default_chapol(&cc->eng);
 #endif
+#endif
+ /*
+ * Reset server context and set supported versions from TLS-1.0
+ * to TLS-1.2 (inclusive).
+ */
+ br_ssl_server_zero(cc);
+ br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
+
+ /*
+ * Set suites and elliptic curve implementation (for ECDHE).
+ */
+ br_ssl_engine_set_suites(&cc->eng, suites,
+ (sizeof suites) / (sizeof suites[0]));
+ br_ssl_engine_set_default_ec(&cc->eng);
+
+ /*
+ * Set the "server policy": handler for the certificate chain
+ * and private key operations.
+ */
+// br_ssl_server_set_single_rsa(cc, chain, chain_len, sk,
+// BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
+// br_rsa_private_get_default(),
+// br_rsa_pkcs1_sign_get_default());
+
+ /*
+ * Set supported hash functions.
+ */
+ br_ssl_client_install_hashes(&cc->eng);
+
+// for (id = br_md5_ID; id <= br_sha512_ID; id ++) {
+// const br_hash_class *hc;
+//
+//` hc = hashes[id - 1];
+// br_ssl_engine_set_hash(&cc->eng, id, hc);
+// }
+
+ /*
+ * Set the PRF implementations.
+ */
+ br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
+ br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
+ br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
+
+ /*
+ * Symmetric encryption.
+ */
+ br_ssl_engine_set_default_aes_cbc(&cc->eng);
+ br_ssl_engine_set_default_aes_ccm(&cc->eng);
+ br_ssl_engine_set_default_aes_gcm(&cc->eng);
+ br_ssl_engine_set_default_des_cbc(&cc->eng);
+ br_ssl_engine_set_default_chapol(&cc->eng);
 }
+
 }
 // Set custom list of ciphers
From 994839e70de28468198641a5634048f6705d3de6 Mon Sep 17 00:00:00 2001
From: "Earle F. Philhower, III"
Date: Fri, 7 Jun 2019 16:29:33 -0700
Subject: [PATCH 3/3] Remove accidentally included debug cruft
---
 .../src/WiFiClientSecureBearSSL.cpp | 52 -------------------
 1 file changed, 52 deletions(-)
diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
index 23c0383325..e60e292bd4 100644
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp
@@ -910,7 +910,6 @@ extern "C" {
 static void br_ssl_server_base_init(br_ssl_server_context *cc, const uint16_t *cipher_list, int cipher_cnt) {
 uint16_t suites[cipher_cnt];
 memcpy_P(suites, cipher_list, cipher_cnt * sizeof(cipher_list[0]));
-#if 0
 br_ssl_server_zero(cc);
 br_ssl_engine_add_flags(&cc->eng, BR_OPT_NO_RENEGOTIATION); // forbid SSL renegociation, as we free the Private Key after handshake
 br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
@@ -930,57 +929,6 @@ extern "C" {
 br_ssl_engine_set_default_des_cbc(&cc->eng);
 br_ssl_engine_set_default_chapol(&cc->eng);
 #endif
-#endif
- /*
- * Reset server context and set supported versions from TLS-1.0
- * to TLS-1.2 (inclusive).
- */
- br_ssl_server_zero(cc);
- br_ssl_engine_set_versions(&cc->eng, BR_TLS10, BR_TLS12);
-
- /*
- * Set suites and elliptic curve implementation (for ECDHE).
- */
- br_ssl_engine_set_suites(&cc->eng, suites,
- (sizeof suites) / (sizeof suites[0]));
- br_ssl_engine_set_default_ec(&cc->eng);
-
- /*
- * Set the "server policy": handler for the certificate chain
- * and private key operations.
- */
-// br_ssl_server_set_single_rsa(cc, chain, chain_len, sk,
-// BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
-// br_rsa_private_get_default(),
-// br_rsa_pkcs1_sign_get_default());
-
- /*
- * Set supported hash functions.
- */
- br_ssl_client_install_hashes(&cc->eng);
-
-// for (id = br_md5_ID; id <= br_sha512_ID; id ++) {
-// const br_hash_class *hc;
-//
-//` hc = hashes[id - 1];
-// br_ssl_engine_set_hash(&cc->eng, id, hc);
-// }
-
- /*
- * Set the PRF implementations.
- */
- br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf);
- br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf);
- br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
-
- /*
- * Symmetric encryption.
- */
- br_ssl_engine_set_default_aes_cbc(&cc->eng);
- br_ssl_engine_set_default_aes_ccm(&cc->eng);
- br_ssl_engine_set_default_aes_gcm(&cc->eng);
- br_ssl_engine_set_default_des_cbc(&cc->eng);
- br_ssl_engine_set_default_chapol(&cc->eng);
 }
 }