Drop support of old insecure fingerprint algorithm (deprecated since v8.4.0) (#21416)

CHANGELOG.md

@@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file.
 ### Fixed
 
 ### Removed
-
+- Drop support of old insecure fingerprint algorithm (deprecated since v8.4.0)
 
 ## [Released]
 

lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp

@@ -813,25 +813,6 @@ extern "C" {
   // Return 0 on validation success, !0 on validation error
   static unsigned pubkeyfingerprint_end_chain(const br_x509_class **ctx) {
     br_x509_pubkeyfingerprint_context *xc = (br_x509_pubkeyfingerprint_context *)ctx;
-// **** Start patch Castellucci
-/*
-    br_sha1_context sha1_context;
-    pubkeyfingerprint_pubkey_fingerprint(&sha1_context, xc->ctx.pkey.key.rsa);
-    br_sha1_out(&sha1_context, xc->pubkey_recv_fingerprint); // copy to fingerprint
-
-    if (!xc->fingerprint_all) {
-      if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint1, 20)) {
-        return 0;
-      }
-      if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint2, 20)) {
-        return 0;
-      }
-      return 1; // no match, error
-    } else {
-      // Default (no validation at all) or no errors in prior checks = success.
-      return 0;
-    }
-*/
     // set fingerprint status byte to zero
     // FIXME: find a better way to pass this information
     xc->pubkey_recv_fingerprint[20] = 0;
@@ -844,45 +825,7 @@ extern "C" {
       if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint2, 20)) {
         return 0;
       }
-
-#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT
-      // No match under new algorithm, do some basic checking on the key.
-      //
-      // RSA keys normally have an e value of 65537, which is three bytes long.
-      // Other e values are suspicious, but if the modulus is a standard size
-      // (multiple of 512 bits/64 bytes), any public exponent up to eight bytes
-      // long will be allowed.
-      //
-      // A legitimate key could possibly be marked as bad by this check, but
-      // the user would have had to really worked at making a strange key.
-      if (!(xc->ctx.pkey.key.rsa.elen == 3
-            && xc->ctx.pkey.key.rsa.e[0] == 1
-            && xc->ctx.pkey.key.rsa.e[1] == 0
-            && xc->ctx.pkey.key.rsa.e[2] == 1)) {
-        if (xc->ctx.pkey.key.rsa.nlen & 63 != 0 || xc->ctx.pkey.key.rsa.elen > 8) {
-          return 2; // suspicious key, return error
-        }
-      }
-
-      // try the old algorithm and potentially mark for update
-      pubkeyfingerprint_pubkey_fingerprint(xc, true);
-      if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint1, 20)) {
-        xc->pubkey_recv_fingerprint[20] |= 1; // mark for update
-      }
-      if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint2, 20)) {
-        xc->pubkey_recv_fingerprint[20] |= 2; // mark for update
-      }
-      if (!xc->pubkey_recv_fingerprint[20]) {
-        return 1; // not marked for update because no match, error
-      }
-
-      // the old fingerprint format matched, recompute new one for update
-      pubkeyfingerprint_pubkey_fingerprint(xc, false);
-
-      return 0;
-#else   // USE_TLS_OLD_FINGERPRINT_COMPAT
       return 1;   // no match, error
-#endif  // USE_TLS_OLD_FINGERPRINT_COMPAT
     } else {
       // Default (no validation at all) or no errors in prior checks = success.
       return 0;

tasmota/my_user_config.h

@@ -103,20 +103,6 @@
 
 #define MQTT_HOST              ""                // [MqttHost]
 
-// XXX temporary - leave for a few releases so people compiling in
-// fingerprints have a chance to update their configuration files
-#if !defined(USE_MQTT_TLS_DROP_OLD_FINGERPRINT) && defined(MQTT_FINGERPRINT1) || defined(MQTT_FINGERPRINT2)
-#error "The old TLS fingerprint format is being removed.\n\
-Please ensure your TLS fingerprint(s) are using the new version, then add\n\
-\n\
-#define USE_MQTT_TLS_DROP_OLD_FINGERPRINT\n\
-\n\
-to your user_config_override.h file.\n\
-\n\
-An online tool to calculate TLS fingerprints is available here at:\n\
-https://rya.nc/tasmota-fingerprint.html"
-#endif
-
 #define MQTT_FINGERPRINT1      0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00  // [MqttFingerprint1] (auto-learn)
 #define MQTT_FINGERPRINT2      0xDA,0x39,0xA3,0xEE,0x5E,0x6B,0x4B,0x0D,0x32,0x55,0xBF,0xEF,0x95,0x60,0x18,0x90,0xAF,0xD8,0x07,0x09  // [MqttFingerprint2] (invalid - value from sha1(""))
 #define MQTT_PORT              1883              // [MqttPort] MQTT port (10123 on CloudMQTT)
@@ -462,9 +448,6 @@ https://rya.nc/tasmota-fingerprint.html"
 //  #define USE_MQTT_AWS_IOT                       // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem)
                                                  //   Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp'
                                                  //   Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT
- #define USE_MQTT_TLS_DROP_OLD_FINGERPRINT          // If you use fingerprint (i.e. not CA) validation, the algorithm changed to a more secure one.
-                                                   // Any valid fingerprint with the old algo will be automatically updated to the new algo.
-                                                   // Enable this if you want to disable the old algo check, which should be more secure
 //  for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini`
 
 // -- MQTT - TLS - Azure IoT & IoT Central ---------