Update to BearSSL 0.6+ release, add AES_CCM modes (#5164)

Pull in latest BearSSL head (0.6 + minor additions) release and add AES_CCM
modes to the encryption options. Enable the aes_ccm initialization in client/server

The EC mul20 and square20 code was identical in two different files,
but because these copies were static, we ended up with an extra 6k of
duplicated code. Updated BearSSL to make them shared, saving 6KB.

libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp

@@ -648,6 +648,26 @@ extern "C" {
 
   // Some constants uses to init the server/client contexts
   // Note that suites_P needs to be copied to RAM before use w/BearSSL!
+  // List copied verbatim from BearSSL/ssl_client_full.c
+  /*
+   * The "full" profile supports all implemented cipher suites.
+   *
+   * Rationale for suite order, from most important to least
+   * important rule:
+   *
+   * -- Don't use 3DES if AES or ChaCha20 is available.
+   * -- Try to have Forward Secrecy (ECDHE suite) if possible.
+   * -- When not using Forward Secrecy, ECDH key exchange is
+   *    better than RSA key exchange (slightly more expensive on the
+   *    client, but much cheaper on the server, and it implies smaller
+   *    messages).
+   * -- ChaCha20+Poly1305 is better than AES/GCM (faster, smaller code).
+   * -- GCM is better than CCM and CBC. CCM is better than CBC.
+   * -- CCM is preferable over CCM_8 (with CCM_8, forgeries may succeed
+   *    with probability 2^(-64)).
+   * -- AES-128 is preferred over AES-256 (AES-128 is already
+   *    strong enough, and AES-256 is 40% more expensive).
+   */
   static const uint16_t suites_P[] PROGMEM = {
     BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
     BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
@@ -655,6 +675,10 @@ extern "C" {
     BR_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     BR_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
     BR_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM,
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM,
+    BR_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
+    BR_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8,
     BR_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     BR_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     BR_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
@@ -677,6 +701,10 @@ extern "C" {
     BR_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
     BR_TLS_RSA_WITH_AES_128_GCM_SHA256,
     BR_TLS_RSA_WITH_AES_256_GCM_SHA384,
+    BR_TLS_RSA_WITH_AES_128_CCM,
+    BR_TLS_RSA_WITH_AES_256_CCM,
+    BR_TLS_RSA_WITH_AES_128_CCM_8,
+    BR_TLS_RSA_WITH_AES_256_CCM_8,
     BR_TLS_RSA_WITH_AES_128_CBC_SHA256,
     BR_TLS_RSA_WITH_AES_256_CBC_SHA256,
     BR_TLS_RSA_WITH_AES_128_CBC_SHA,
@@ -730,6 +758,7 @@ extern "C" {
     br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf);
     br_ssl_engine_set_default_aes_cbc(&cc->eng);
     br_ssl_engine_set_default_aes_gcm(&cc->eng);
+    br_ssl_engine_set_default_aes_ccm(&cc->eng);
     br_ssl_engine_set_default_des_cbc(&cc->eng);
     br_ssl_engine_set_default_chapol(&cc->eng);
   }
@@ -819,7 +848,7 @@ bool WiFiClientSecure::_connectSSL(const char* hostName) {
 
   // If no cipher list yet set, use defaults
   if (_cipher_list == NULL) {
-    br_ssl_client_base_init(_sc.get(), suites_P, sizeof(suites_P) / sizeof(uint16_t));
+    br_ssl_client_base_init(_sc.get(), suites_P, sizeof(suites_P) / sizeof(suites_P[0]));
   } else {
     br_ssl_client_base_init(_sc.get(), _cipher_list, _cipher_cnt);
   }