From c3748fd5c0668ef4848e4b83302e6b16fbc8b20c Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Wed, 7 Apr 2021 11:18:45 +0200 Subject: [PATCH] Add ARDUINO_DISABLE_ECCX08 This new compilation flag can be set through ArduinoBearSSLConfig.h and will allow the user to use ArduinoBearSSL without ECCX08. Indeed, the cryptographic operations could be done through the default software implementation or offloaded to another secure element such as an applet compliant with the GSMA IoT SAFE standard. Signed-off-by: Fabrice Fontaine --- README.adoc | 4 +++- examples/AES128/ArduinoBearSSLConfig.h | 7 +++++++ examples/DES/ArduinoBearSSLConfig.h | 7 +++++++ examples/MD5/ArduinoBearSSLConfig.h | 7 +++++++ .../MKRGSMSSLClient/ArduinoBearSSLConfig.h | 7 +++++++ examples/SHA1/ArduinoBearSSLConfig.h | 7 +++++++ examples/SHA256/ArduinoBearSSLConfig.h | 7 +++++++ examples/WiFiSSLClient/ArduinoBearSSLConfig.h | 7 +++++++ .../WiFiSSLClientNoSNI/ArduinoBearSSLConfig.h | 7 +++++++ src/ArduinoBearSSL.h | 6 ++++++ src/BearSSLClient.cpp | 19 ++++++++++++++++++- src/utility/eccX08_sign_asn1.cpp | 4 ++++ src/utility/eccX08_vrfy_asn1.cpp | 4 ++++ 13 files changed, 91 insertions(+), 2 deletions(-) create mode 100644 examples/AES128/ArduinoBearSSLConfig.h create mode 100644 examples/DES/ArduinoBearSSLConfig.h create mode 100644 examples/MD5/ArduinoBearSSLConfig.h create mode 100644 examples/MKRGSMSSLClient/ArduinoBearSSLConfig.h create mode 100644 examples/SHA1/ArduinoBearSSLConfig.h create mode 100644 examples/SHA256/ArduinoBearSSLConfig.h create mode 100644 examples/WiFiSSLClient/ArduinoBearSSLConfig.h create mode 100644 examples/extras/WiFiSSLClientNoSNI/ArduinoBearSSLConfig.h diff --git a/README.adoc b/README.adoc index aade2df..cd1600c 100644 --- a/README.adoc +++ b/README.adoc @@ -8,7 +8,9 @@ image:https://github.com/{repository-owner}/{repository-name}/workflows/Spell%20 Port of https://bearssl.org[BearSSL] to Arduino. -This library depends on ArduinoECCX08. +This library depends on ArduinoECCX08. This dependency could be +disabled by defining ARDUINO_DISABLE_ECCX08 in ArduinoBearSSLConfig.h +(see examples). == License == diff --git a/examples/AES128/ArduinoBearSSLConfig.h b/examples/AES128/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/AES128/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/DES/ArduinoBearSSLConfig.h b/examples/DES/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/DES/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/MD5/ArduinoBearSSLConfig.h b/examples/MD5/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/MD5/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/MKRGSMSSLClient/ArduinoBearSSLConfig.h b/examples/MKRGSMSSLClient/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/MKRGSMSSLClient/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/SHA1/ArduinoBearSSLConfig.h b/examples/SHA1/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/SHA1/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/SHA256/ArduinoBearSSLConfig.h b/examples/SHA256/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/SHA256/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/WiFiSSLClient/ArduinoBearSSLConfig.h b/examples/WiFiSSLClient/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/WiFiSSLClient/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/examples/extras/WiFiSSLClientNoSNI/ArduinoBearSSLConfig.h b/examples/extras/WiFiSSLClientNoSNI/ArduinoBearSSLConfig.h new file mode 100644 index 0000000..160fc22 --- /dev/null +++ b/examples/extras/WiFiSSLClientNoSNI/ArduinoBearSSLConfig.h @@ -0,0 +1,7 @@ +#ifndef ARDUINO_BEARSSL_CONFIG_H_ +#define ARDUINO_BEARSSL_CONFIG_H_ + +/* Enabling this define allows the usage of ArduinoBearSSL without crypto chip. */ +//#define ARDUINO_DISABLE_ECCX08 + +#endif /* ARDUINO_BEARSSL_CONFIG_H_ */ diff --git a/src/ArduinoBearSSL.h b/src/ArduinoBearSSL.h index 5296b9f..dfaddb1 100644 --- a/src/ArduinoBearSSL.h +++ b/src/ArduinoBearSSL.h @@ -25,6 +25,12 @@ #ifndef _ARDUINO_BEAR_SSL_H_ #define _ARDUINO_BEAR_SSL_H_ +#if defined __has_include +# if __has_include () +# include +# endif +#endif + #include "BearSSLClient.h" #include "SHA1.h" #include "SHA256.h" diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index f3bed28..5a2795d 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp @@ -22,9 +22,12 @@ * SOFTWARE. */ +#include "ArduinoBearSSL.h" + +#ifndef ARDUINO_DISABLE_ECCX08 #include +#endif -#include "ArduinoBearSSL.h" #include "BearSSLTrustAnchors.h" #include "utility/eccX08_asn1.h" @@ -47,8 +50,13 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, _noSNI(false), _ecChainLen(0) { +#ifndef ARDUINO_DISABLE_ECCX08 _ecVrfy = eccX08_vrfy_asn1; _ecSign = eccX08_sign_asn1; +#else + _ecVrfy = br_ecdsa_vrfy_asn1_get_default(); + _ecSign = br_ecdsa_sign_asn1_get_default(); +#endif _ecKey.curve = 0; _ecKey.x = NULL; @@ -237,8 +245,13 @@ void BearSSLClient::setEccSlot(int ecc508KeySlot, const byte cert[], int certLen _ecChainLen = 1; _ecCertDynamic = false; +#ifndef ARDUINO_DISABLE_ECCX08 _ecVrfy = eccX08_vrfy_asn1; _ecSign = eccX08_sign_asn1; +#else + _ecVrfy = br_ecdsa_vrfy_asn1_get_default(); + _ecSign = br_ecdsa_sign_asn1_get_default(); +#endif } void BearSSLClient::setEccSlot(int ecc508KeySlot, const char cert[]) @@ -352,12 +365,16 @@ int BearSSLClient::connectSSL(const char* host) // inject entropy in engine unsigned char entropy[32]; +#ifndef ARDUINO_DISABLE_ECCX08 if (!ECCX08.begin() || !ECCX08.locked() || !ECCX08.random(entropy, sizeof(entropy))) { +#endif // no ECCX08 or random failed, fallback to pseudo random for (size_t i = 0; i < sizeof(entropy); i++) { entropy[i] = random(0, 255); } +#ifndef ARDUINO_DISABLE_ECCX08 } +#endif br_ssl_engine_inject_entropy(&_sc.eng, entropy, sizeof(entropy)); // add custom ECDSA vfry and EC sign diff --git a/src/utility/eccX08_sign_asn1.cpp b/src/utility/eccX08_sign_asn1.cpp index 9b17480..d99e5d5 100644 --- a/src/utility/eccX08_sign_asn1.cpp +++ b/src/utility/eccX08_sign_asn1.cpp @@ -23,6 +23,9 @@ * SOFTWARE. */ +#include "ArduinoBearSSL.h" + +#ifndef ARDUINO_DISABLE_ECCX08 #include "eccX08_asn1.h" #include @@ -51,3 +54,4 @@ eccX08_sign_asn1(const br_ec_impl * /*impl*/, memcpy(sig, rsig, sig_len); return sig_len; } +#endif diff --git a/src/utility/eccX08_vrfy_asn1.cpp b/src/utility/eccX08_vrfy_asn1.cpp index 8221919..c8b5cdd 100644 --- a/src/utility/eccX08_vrfy_asn1.cpp +++ b/src/utility/eccX08_vrfy_asn1.cpp @@ -23,6 +23,9 @@ * SOFTWARE. */ +#include "ArduinoBearSSL.h" + +#ifndef ARDUINO_DISABLE_ECCX08 #include "eccX08_asn1.h" #include @@ -60,3 +63,4 @@ eccX08_vrfy_asn1(const br_ec_impl * /*impl*/, return 1; } +#endif