Allow cipher specification for BearSSL (#5151)

* Allow cipher specification for BearSSL BearSSL has many more ciphers than axTLS, but they are more compute intensive and slower. Add an option to use only the same, limited security, axTLS ciphers as well as allow users to specify any suite of ciphers they want using standard BearSSL formats. Fixes #5110 * Rename methods to avoid axtls references. * Allow std::vector to set a list of allowed ciphers For C++ afficionados, allow std::vectors to be passed in to the setCipher() routine. The BearSSL object will now keep a copy of any set ciphers and free on object destruction. These custom lists should normally only be 1-4 entries long, so it is not expected to be a memory hog having this extra copy.
2025-07-27 18:02:17 +03:00 · 2018-09-21 07:47:20 -07:00
parent 1a44f79a9e
commit cc284bb533
3 changed files with 78 additions and 5 deletions
--- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
+++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.h
@ -23,6 +23,7 @@

 #ifndef wificlientbearssl_h
 #define wificlientbearssl_h
+#include <vector>
 #include "WiFiClient.h"
 #include <bearssl/bearssl.h>
 #include "BearSSLHelpers.h"
@ -104,12 +105,18 @@ class WiFiClientSecure : public WiFiClient {
      _certStore = certStore;
    }

+    // Select specific ciphers (i.e. optimize for speed over security)
+    // These may be in PROGMEM or RAM, either will run properly
+    bool setCiphers(const uint16_t *cipherAry, int cipherCount);
+    bool setCiphers(std::vector<uint16_t> list);
+    bool setCiphersLessSecure(); // Only use the limited set of RSA ciphers without EC
+
    // Check for Maximum Fragment Length support for given len
    static bool probeMaxFragmentLength(IPAddress ip, uint16_t port, uint16_t len);
    static bool probeMaxFragmentLength(const char *hostname, uint16_t port, uint16_t len);
    static bool probeMaxFragmentLength(const String host, uint16_t port, uint16_t len);

-    // AXTLS compatbile wrappers
+    // AXTLS compatible wrappers
    bool verify(const char* fingerprint, const char* domain_name) { (void) fingerprint; (void) domain_name; return false; } // Can't handle this case, need app code changes
    bool verifyCertChain(const char* domain_name) { (void)domain_name; return connected(); } // If we're connected, the cert passed validation during handshake

@ -170,6 +177,10 @@ class WiFiClientSecure : public WiFiClient {
    const BearSSLPublicKey *_knownkey;
    unsigned _knownkey_usages;

+    // Custom cipher list pointer or NULL if default
+    uint16_t *_cipher_list;
+    uint8_t _cipher_cnt;
+
    unsigned char *_recvapp_buf;
    size_t _recvapp_len;