mirror of https://github.com/arendst/Tasmota.git
Tls ecdsa (#22649)
* TLS add support for ECDSA on ESP32 * Reduce size for ESP8266
This commit is contained in:
parent
7cd0908c89
commit
615c6763f6
|
@ -6,6 +6,7 @@ All notable changes to this project will be documented in this file.
|
|||
## [14.4.0.1]
|
||||
### Added
|
||||
- MCP23XXX_DRV control register IOCON in template (#22622)
|
||||
- TLS add support for ECDSA on ESP32
|
||||
|
||||
### Breaking Changed
|
||||
|
||||
|
|
|
@ -788,6 +788,7 @@ extern "C" {
|
|||
// created with more than two primes, and most numbers, even large ones, can
|
||||
// be easily factored.
|
||||
static void pubkeyfingerprint_pubkey_fingerprint(br_x509_pubkeyfingerprint_context *xc) {
|
||||
if (xc->ctx.pkey.key_type == BR_KEYTYPE_RSA) {
|
||||
br_rsa_public_key rsakey = xc->ctx.pkey.key.rsa;
|
||||
|
||||
br_sha1_context shactx;
|
||||
|
@ -795,13 +796,32 @@ extern "C" {
|
|||
br_sha1_init(&shactx);
|
||||
|
||||
// The tag string doesn't really matter, but it should differ depending on
|
||||
// key type. Since we only support RSA for now, it's a fixed string.
|
||||
// key type. For RSA it's a fixed string.
|
||||
sha1_update_len(&shactx, "ssh-rsa", 7); // tag
|
||||
sha1_update_len(&shactx, rsakey.e, rsakey.elen); // exponent
|
||||
sha1_update_len(&shactx, rsakey.n, rsakey.nlen); // modulus
|
||||
|
||||
br_sha1_out(&shactx, xc->pubkey_recv_fingerprint); // copy to fingerprint
|
||||
}
|
||||
#ifndef ESP8266
|
||||
else if (xc->ctx.pkey.key_type == BR_KEYTYPE_EC) {
|
||||
br_ec_public_key eckey = xc->ctx.pkey.key.ec;
|
||||
|
||||
br_sha1_context shactx;
|
||||
|
||||
br_sha1_init(&shactx);
|
||||
|
||||
// The tag string doesn't really matter, but it should differ depending on
|
||||
// key type. For ECDSA it's a fixed string.
|
||||
sha1_update_len(&shactx, "ecdsa-sha2-nistp256", 19); // tag
|
||||
sha1_update_len(&shactx, eckey.q, eckey.qlen); // exponent
|
||||
}
|
||||
#endif
|
||||
else {
|
||||
// We don't support anything else, so just set the fingerprint to all zeros.
|
||||
memset(xc->pubkey_recv_fingerprint, 0, 20);
|
||||
}
|
||||
}
|
||||
|
||||
// Callback when complete chain has been parsed.
|
||||
// Return 0 on validation success, !0 on validation error
|
||||
|
@ -856,11 +876,19 @@ extern "C" {
|
|||
ctx->fingerprint_all = fingerprint_all;
|
||||
}
|
||||
|
||||
#ifdef ESP8266
|
||||
// We limit to a single cipher to reduce footprint
|
||||
// we reference it, don't put in PROGMEM
|
||||
static const uint16_t suites[] = {
|
||||
BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
||||
};
|
||||
#else
|
||||
// add more flexibility on ESP32
|
||||
static const uint16_t suites[] = {
|
||||
BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
};
|
||||
#endif
|
||||
|
||||
// Default initializion for our SSL clients
|
||||
static void br_ssl_client_base_init(br_ssl_client_context *cc) {
|
||||
|
@ -884,6 +912,9 @@ extern "C" {
|
|||
|
||||
// we support only P256 EC curve for AWS IoT, no EC curve for Letsencrypt unless forced
|
||||
br_ssl_engine_set_ec(&cc->eng, &br_ec_p256_m15); // TODO
|
||||
#ifndef ESP8266
|
||||
br_ssl_engine_set_ecdsa(&cc->eng, &br_ecdsa_i15_vrfy_asn1);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue