From d9b0480f095b9cf0042b8da9a6cac339f4a225ae Mon Sep 17 00:00:00 2001 From: "Earle F. Philhower, III" Date: Thu, 25 Apr 2019 11:13:26 -0700 Subject: [PATCH] New menu option to minimize BSSL ROM with only RSA (#6006) * New menu option to minimize BSSL ROM with only RSA Adds a menu option and define to limit BearSSL to older RSA connection options. This saves ~45K program memory and can speed up connections since EC, while more secure, is significantly slower on the chip. The supported ciphers are identical to the ones that axTLS supported. Fixes #6005 * Add default SSLFLAGS(blank) to platform.txt * Fix unused variable warning * Add clarifying comment to menu items --- boards.txt | 121 ++++++++++++++++++ .../src/WiFiClientSecureBearSSL.cpp | 36 ++++++ .../package_esp8266com_index.template.json | 2 +- platform.txt | 6 +- tools/boards.txt.py | 12 +- 5 files changed, 173 insertions(+), 4 deletions(-) diff --git a/boards.txt b/boards.txt index db90994b3..083b5e740 100644 --- a/boards.txt +++ b/boards.txt @@ -21,6 +21,7 @@ menu.exception=Exceptions menu.led=Builtin Led menu.wipe=Erase Flash menu.sdk=Espressif FW +menu.ssl=SSL Support ############################################################## generic.name=Generic ESP8266 Module @@ -53,6 +54,10 @@ generic.menu.exception.disabled.build.stdcpp_lib=-lstdc++ generic.menu.exception.enabled=Enabled generic.menu.exception.enabled.build.exception_flags=-fexceptions generic.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +generic.menu.ssl.all=All SSL ciphers (most compatible) +generic.menu.ssl.all.build.sslflags= +generic.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +generic.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC generic.menu.ResetMethod.ck=ck generic.menu.ResetMethod.ck.upload.resetmethod=ck generic.menu.ResetMethod.nodemcu=nodemcu @@ -499,6 +504,10 @@ esp8285.menu.exception.disabled.build.stdcpp_lib=-lstdc++ esp8285.menu.exception.enabled=Enabled esp8285.menu.exception.enabled.build.exception_flags=-fexceptions esp8285.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +esp8285.menu.ssl.all=All SSL ciphers (most compatible) +esp8285.menu.ssl.all.build.sslflags= +esp8285.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +esp8285.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC esp8285.menu.ResetMethod.ck=ck esp8285.menu.ResetMethod.ck.upload.resetmethod=ck esp8285.menu.ResetMethod.nodemcu=nodemcu @@ -774,6 +783,10 @@ espduino.menu.exception.disabled.build.stdcpp_lib=-lstdc++ espduino.menu.exception.enabled=Enabled espduino.menu.exception.enabled.build.exception_flags=-fexceptions espduino.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +espduino.menu.ssl.all=All SSL ciphers (most compatible) +espduino.menu.ssl.all.build.sslflags= +espduino.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +espduino.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC espduino.build.flash_mode=dio espduino.build.flash_flags=-DFLASHMODE_DIO espduino.build.flash_freq=40 @@ -957,6 +970,10 @@ huzzah.menu.exception.disabled.build.stdcpp_lib=-lstdc++ huzzah.menu.exception.enabled=Enabled huzzah.menu.exception.enabled.build.exception_flags=-fexceptions huzzah.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +huzzah.menu.ssl.all=All SSL ciphers (most compatible) +huzzah.menu.ssl.all.build.sslflags= +huzzah.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +huzzah.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC huzzah.upload.resetmethod=nodemcu huzzah.build.flash_mode=qio huzzah.build.flash_flags=-DFLASHMODE_QIO @@ -1141,6 +1158,10 @@ inventone.menu.exception.disabled.build.stdcpp_lib=-lstdc++ inventone.menu.exception.enabled=Enabled inventone.menu.exception.enabled.build.exception_flags=-fexceptions inventone.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +inventone.menu.ssl.all=All SSL ciphers (most compatible) +inventone.menu.ssl.all.build.sslflags= +inventone.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +inventone.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC inventone.upload.resetmethod=nodemcu inventone.build.flash_mode=dio inventone.build.flash_flags=-DFLASHMODE_DIO @@ -1325,6 +1346,10 @@ cw01.menu.exception.disabled.build.stdcpp_lib=-lstdc++ cw01.menu.exception.enabled=Enabled cw01.menu.exception.enabled.build.exception_flags=-fexceptions cw01.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +cw01.menu.ssl.all=All SSL ciphers (most compatible) +cw01.menu.ssl.all.build.sslflags= +cw01.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +cw01.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC cw01.upload.resetmethod=nodemcu cw01.menu.CrystalFreq.26=26 MHz cw01.menu.CrystalFreq.40=40 MHz @@ -1512,6 +1537,10 @@ espresso_lite_v1.menu.exception.disabled.build.stdcpp_lib=-lstdc++ espresso_lite_v1.menu.exception.enabled=Enabled espresso_lite_v1.menu.exception.enabled.build.exception_flags=-fexceptions espresso_lite_v1.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +espresso_lite_v1.menu.ssl.all=All SSL ciphers (most compatible) +espresso_lite_v1.menu.ssl.all.build.sslflags= +espresso_lite_v1.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +espresso_lite_v1.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC espresso_lite_v1.build.flash_mode=dio espresso_lite_v1.build.flash_flags=-DFLASHMODE_DIO espresso_lite_v1.build.flash_freq=40 @@ -1699,6 +1728,10 @@ espresso_lite_v2.menu.exception.disabled.build.stdcpp_lib=-lstdc++ espresso_lite_v2.menu.exception.enabled=Enabled espresso_lite_v2.menu.exception.enabled.build.exception_flags=-fexceptions espresso_lite_v2.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +espresso_lite_v2.menu.ssl.all=All SSL ciphers (most compatible) +espresso_lite_v2.menu.ssl.all.build.sslflags= +espresso_lite_v2.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +espresso_lite_v2.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC espresso_lite_v2.build.flash_mode=dio espresso_lite_v2.build.flash_flags=-DFLASHMODE_DIO espresso_lite_v2.build.flash_freq=40 @@ -1886,6 +1919,10 @@ phoenix_v1.menu.exception.disabled.build.stdcpp_lib=-lstdc++ phoenix_v1.menu.exception.enabled=Enabled phoenix_v1.menu.exception.enabled.build.exception_flags=-fexceptions phoenix_v1.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +phoenix_v1.menu.ssl.all=All SSL ciphers (most compatible) +phoenix_v1.menu.ssl.all.build.sslflags= +phoenix_v1.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +phoenix_v1.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC phoenix_v1.build.flash_mode=dio phoenix_v1.build.flash_flags=-DFLASHMODE_DIO phoenix_v1.build.flash_freq=40 @@ -2073,6 +2110,10 @@ phoenix_v2.menu.exception.disabled.build.stdcpp_lib=-lstdc++ phoenix_v2.menu.exception.enabled=Enabled phoenix_v2.menu.exception.enabled.build.exception_flags=-fexceptions phoenix_v2.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +phoenix_v2.menu.ssl.all=All SSL ciphers (most compatible) +phoenix_v2.menu.ssl.all.build.sslflags= +phoenix_v2.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +phoenix_v2.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC phoenix_v2.build.flash_mode=dio phoenix_v2.build.flash_flags=-DFLASHMODE_DIO phoenix_v2.build.flash_freq=40 @@ -2260,6 +2301,10 @@ nodemcu.menu.exception.disabled.build.stdcpp_lib=-lstdc++ nodemcu.menu.exception.enabled=Enabled nodemcu.menu.exception.enabled.build.exception_flags=-fexceptions nodemcu.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +nodemcu.menu.ssl.all=All SSL ciphers (most compatible) +nodemcu.menu.ssl.all.build.sslflags= +nodemcu.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +nodemcu.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC nodemcu.upload.resetmethod=nodemcu nodemcu.build.flash_mode=qio nodemcu.build.flash_flags=-DFLASHMODE_QIO @@ -2444,6 +2489,10 @@ nodemcuv2.menu.exception.disabled.build.stdcpp_lib=-lstdc++ nodemcuv2.menu.exception.enabled=Enabled nodemcuv2.menu.exception.enabled.build.exception_flags=-fexceptions nodemcuv2.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +nodemcuv2.menu.ssl.all=All SSL ciphers (most compatible) +nodemcuv2.menu.ssl.all.build.sslflags= +nodemcuv2.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +nodemcuv2.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC nodemcuv2.upload.resetmethod=nodemcu nodemcuv2.build.flash_mode=dio nodemcuv2.build.flash_flags=-DFLASHMODE_DIO @@ -2628,6 +2677,10 @@ modwifi.menu.exception.disabled.build.stdcpp_lib=-lstdc++ modwifi.menu.exception.enabled=Enabled modwifi.menu.exception.enabled.build.exception_flags=-fexceptions modwifi.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +modwifi.menu.ssl.all=All SSL ciphers (most compatible) +modwifi.menu.ssl.all.build.sslflags= +modwifi.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +modwifi.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC modwifi.upload.resetmethod=ck modwifi.build.flash_mode=qio modwifi.build.flash_flags=-DFLASHMODE_QIO @@ -2822,6 +2875,10 @@ thing.menu.exception.disabled.build.stdcpp_lib=-lstdc++ thing.menu.exception.enabled=Enabled thing.menu.exception.enabled.build.exception_flags=-fexceptions thing.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +thing.menu.ssl.all=All SSL ciphers (most compatible) +thing.menu.ssl.all.build.sslflags= +thing.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +thing.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC thing.upload.resetmethod=ck thing.build.flash_mode=qio thing.build.flash_flags=-DFLASHMODE_QIO @@ -3006,6 +3063,10 @@ thingdev.menu.exception.disabled.build.stdcpp_lib=-lstdc++ thingdev.menu.exception.enabled=Enabled thingdev.menu.exception.enabled.build.exception_flags=-fexceptions thingdev.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +thingdev.menu.ssl.all=All SSL ciphers (most compatible) +thingdev.menu.ssl.all.build.sslflags= +thingdev.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +thingdev.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC thingdev.upload.resetmethod=nodemcu thingdev.build.flash_mode=dio thingdev.build.flash_flags=-DFLASHMODE_DIO @@ -3190,6 +3251,10 @@ esp210.menu.exception.disabled.build.stdcpp_lib=-lstdc++ esp210.menu.exception.enabled=Enabled esp210.menu.exception.enabled.build.exception_flags=-fexceptions esp210.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +esp210.menu.ssl.all=All SSL ciphers (most compatible) +esp210.menu.ssl.all.build.sslflags= +esp210.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +esp210.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC esp210.upload.resetmethod=ck esp210.build.flash_mode=qio esp210.build.flash_flags=-DFLASHMODE_QIO @@ -3374,6 +3439,10 @@ d1_mini.menu.exception.disabled.build.stdcpp_lib=-lstdc++ d1_mini.menu.exception.enabled=Enabled d1_mini.menu.exception.enabled.build.exception_flags=-fexceptions d1_mini.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +d1_mini.menu.ssl.all=All SSL ciphers (most compatible) +d1_mini.menu.ssl.all.build.sslflags= +d1_mini.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +d1_mini.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC d1_mini.upload.resetmethod=nodemcu d1_mini.build.flash_mode=dio d1_mini.build.flash_flags=-DFLASHMODE_DIO @@ -3558,6 +3627,10 @@ d1_mini_pro.menu.exception.disabled.build.stdcpp_lib=-lstdc++ d1_mini_pro.menu.exception.enabled=Enabled d1_mini_pro.menu.exception.enabled.build.exception_flags=-fexceptions d1_mini_pro.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +d1_mini_pro.menu.ssl.all=All SSL ciphers (most compatible) +d1_mini_pro.menu.ssl.all.build.sslflags= +d1_mini_pro.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +d1_mini_pro.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC d1_mini_pro.upload.resetmethod=nodemcu d1_mini_pro.build.flash_mode=dio d1_mini_pro.build.flash_flags=-DFLASHMODE_DIO @@ -3725,6 +3798,10 @@ d1_mini_lite.menu.exception.disabled.build.stdcpp_lib=-lstdc++ d1_mini_lite.menu.exception.enabled=Enabled d1_mini_lite.menu.exception.enabled.build.exception_flags=-fexceptions d1_mini_lite.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +d1_mini_lite.menu.ssl.all=All SSL ciphers (most compatible) +d1_mini_lite.menu.ssl.all.build.sslflags= +d1_mini_lite.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +d1_mini_lite.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC d1_mini_lite.upload.resetmethod=nodemcu d1_mini_lite.build.flash_mode=dout d1_mini_lite.build.flash_flags=-DFLASHMODE_DOUT @@ -3949,6 +4026,10 @@ d1.menu.exception.disabled.build.stdcpp_lib=-lstdc++ d1.menu.exception.enabled=Enabled d1.menu.exception.enabled.build.exception_flags=-fexceptions d1.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +d1.menu.ssl.all=All SSL ciphers (most compatible) +d1.menu.ssl.all.build.sslflags= +d1.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +d1.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC d1.upload.resetmethod=nodemcu d1.build.flash_mode=dio d1.build.flash_flags=-DFLASHMODE_DIO @@ -4133,6 +4214,10 @@ espino.menu.exception.disabled.build.stdcpp_lib=-lstdc++ espino.menu.exception.enabled=Enabled espino.menu.exception.enabled.build.exception_flags=-fexceptions espino.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +espino.menu.ssl.all=All SSL ciphers (most compatible) +espino.menu.ssl.all.build.sslflags= +espino.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +espino.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC espino.menu.ResetMethod.ck=ck espino.menu.ResetMethod.ck.upload.resetmethod=ck espino.menu.ResetMethod.nodemcu=nodemcu @@ -4320,6 +4405,10 @@ espinotee.menu.exception.disabled.build.stdcpp_lib=-lstdc++ espinotee.menu.exception.enabled=Enabled espinotee.menu.exception.enabled.build.exception_flags=-fexceptions espinotee.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +espinotee.menu.ssl.all=All SSL ciphers (most compatible) +espinotee.menu.ssl.all.build.sslflags= +espinotee.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +espinotee.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC espinotee.upload.resetmethod=nodemcu espinotee.build.flash_mode=qio espinotee.build.flash_flags=-DFLASHMODE_QIO @@ -4521,6 +4610,10 @@ wifinfo.menu.exception.disabled.build.stdcpp_lib=-lstdc++ wifinfo.menu.exception.enabled=Enabled wifinfo.menu.exception.enabled.build.exception_flags=-fexceptions wifinfo.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +wifinfo.menu.ssl.all=All SSL ciphers (most compatible) +wifinfo.menu.ssl.all.build.sslflags= +wifinfo.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +wifinfo.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC wifinfo.upload.resetmethod=nodemcu wifinfo.build.flash_mode=qio wifinfo.build.flash_flags=-DFLASHMODE_QIO @@ -4760,6 +4853,10 @@ arduino-esp8266.menu.exception.disabled.build.stdcpp_lib=-lstdc++ arduino-esp8266.menu.exception.enabled=Enabled arduino-esp8266.menu.exception.enabled.build.exception_flags=-fexceptions arduino-esp8266.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +arduino-esp8266.menu.ssl.all=All SSL ciphers (most compatible) +arduino-esp8266.menu.ssl.all.build.sslflags= +arduino-esp8266.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +arduino-esp8266.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC arduino-esp8266.upload.resetmethod=ck arduino-esp8266.build.flash_mode=qio arduino-esp8266.build.flash_flags=-DFLASHMODE_QIO @@ -4945,6 +5042,10 @@ gen4iod.menu.exception.disabled.build.stdcpp_lib=-lstdc++ gen4iod.menu.exception.enabled=Enabled gen4iod.menu.exception.enabled.build.exception_flags=-fexceptions gen4iod.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +gen4iod.menu.ssl.all=All SSL ciphers (most compatible) +gen4iod.menu.ssl.all.build.sslflags= +gen4iod.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +gen4iod.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC gen4iod.upload.resetmethod=nodemcu gen4iod.build.flash_mode=dio gen4iod.build.flash_flags=-DFLASHMODE_DIO @@ -5130,6 +5231,10 @@ oak.menu.exception.disabled.build.stdcpp_lib=-lstdc++ oak.menu.exception.enabled=Enabled oak.menu.exception.enabled.build.exception_flags=-fexceptions oak.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +oak.menu.ssl.all=All SSL ciphers (most compatible) +oak.menu.ssl.all.build.sslflags= +oak.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +oak.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC oak.upload.resetmethod=none oak.build.flash_mode=dio oak.build.flash_flags=-DFLASHMODE_DIO @@ -5314,6 +5419,10 @@ wifiduino.menu.exception.disabled.build.stdcpp_lib=-lstdc++ wifiduino.menu.exception.enabled=Enabled wifiduino.menu.exception.enabled.build.exception_flags=-fexceptions wifiduino.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +wifiduino.menu.ssl.all=All SSL ciphers (most compatible) +wifiduino.menu.ssl.all.build.sslflags= +wifiduino.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +wifiduino.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC wifiduino.upload.resetmethod=nodemcu wifiduino.build.flash_mode=dio wifiduino.build.flash_flags=-DFLASHMODE_DIO @@ -5498,6 +5607,10 @@ wifi_slot.menu.exception.disabled.build.stdcpp_lib=-lstdc++ wifi_slot.menu.exception.enabled=Enabled wifi_slot.menu.exception.enabled.build.exception_flags=-fexceptions wifi_slot.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +wifi_slot.menu.ssl.all=All SSL ciphers (most compatible) +wifi_slot.menu.ssl.all.build.sslflags= +wifi_slot.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +wifi_slot.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC wifi_slot.upload.resetmethod=nodemcu wifi_slot.menu.FlashFreq.40=40MHz wifi_slot.menu.FlashFreq.40.build.flash_freq=40 @@ -5782,6 +5895,10 @@ wiolink.menu.exception.disabled.build.stdcpp_lib=-lstdc++ wiolink.menu.exception.enabled=Enabled wiolink.menu.exception.enabled.build.exception_flags=-fexceptions wiolink.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +wiolink.menu.ssl.all=All SSL ciphers (most compatible) +wiolink.menu.ssl.all.build.sslflags= +wiolink.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +wiolink.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC wiolink.upload.resetmethod=nodemcu wiolink.build.flash_mode=qio wiolink.build.flash_flags=-DFLASHMODE_QIO @@ -5966,6 +6083,10 @@ espectro.menu.exception.disabled.build.stdcpp_lib=-lstdc++ espectro.menu.exception.enabled=Enabled espectro.menu.exception.enabled.build.exception_flags=-fexceptions espectro.menu.exception.enabled.build.stdcpp_lib=-lstdc++-exc +espectro.menu.ssl.all=All SSL ciphers (most compatible) +espectro.menu.ssl.all.build.sslflags= +espectro.menu.ssl.basic=Basic SSL ciphers (lower ROM use) +espectro.menu.ssl.basic.build.sslflags=-DBEARSSL_SSL_BASIC espectro.upload.resetmethod=nodemcu espectro.build.flash_mode=dio espectro.build.flash_flags=-DFLASHMODE_DIO diff --git a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp index 4a2a68363..e2f35b51e 100644 --- a/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp +++ b/libraries/ESP8266WiFi/src/WiFiClientSecureBearSSL.cpp @@ -744,6 +744,7 @@ extern "C" { * strong enough, and AES-256 is 40% more expensive). */ static const uint16_t suites_P[] PROGMEM = { +#ifndef BEARSSL_SSL_BASIC BR_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, BR_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, BR_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, @@ -780,15 +781,18 @@ extern "C" { BR_TLS_RSA_WITH_AES_256_CCM, BR_TLS_RSA_WITH_AES_128_CCM_8, BR_TLS_RSA_WITH_AES_256_CCM_8, +#endif BR_TLS_RSA_WITH_AES_128_CBC_SHA256, BR_TLS_RSA_WITH_AES_256_CBC_SHA256, BR_TLS_RSA_WITH_AES_128_CBC_SHA, BR_TLS_RSA_WITH_AES_256_CBC_SHA, +#ifndef BEARSSL_SSL_BASIC BR_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, BR_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, BR_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, BR_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, BR_TLS_RSA_WITH_3DES_EDE_CBC_SHA +#endif }; // For apps which want to use less secure but faster ciphers, only @@ -826,16 +830,20 @@ extern "C" { br_ssl_engine_set_suites(&cc->eng, suites, (sizeof suites) / (sizeof suites[0])); br_ssl_client_set_default_rsapub(cc); br_ssl_engine_set_default_rsavrfy(&cc->eng); +#ifndef BEARSSL_SSL_BASIC br_ssl_engine_set_default_ecdsa(&cc->eng); +#endif br_ssl_client_install_hashes(&cc->eng); br_ssl_engine_set_prf10(&cc->eng, &br_tls10_prf); br_ssl_engine_set_prf_sha256(&cc->eng, &br_tls12_sha256_prf); br_ssl_engine_set_prf_sha384(&cc->eng, &br_tls12_sha384_prf); br_ssl_engine_set_default_aes_cbc(&cc->eng); +#ifndef BEARSSL_SSL_BASIC br_ssl_engine_set_default_aes_gcm(&cc->eng); br_ssl_engine_set_default_aes_ccm(&cc->eng); br_ssl_engine_set_default_des_cbc(&cc->eng); br_ssl_engine_set_default_chapol(&cc->eng); +#endif } } @@ -882,7 +890,14 @@ bool WiFiClientSecure::_installClientX509Validator() { if (_knownkey->isRSA()) { br_x509_knownkey_init_rsa(_x509_knownkey.get(), _knownkey->getRSA(), _knownkey_usages); } else if (_knownkey->isEC()) { +#ifndef BEARSSL_SSL_BASIC br_x509_knownkey_init_ec(_x509_knownkey.get(), _knownkey->getEC(), _knownkey_usages); +#else + (void) _knownkey; + (void) _knownkey_usages; + DEBUG_BSSL("_installClientX509Validator: Attempting to use EC keys in minimal cipher mode (no EC)\n"); + return false; +#endif } br_ssl_engine_set_x509(_eng, &_x509_knownkey->vtable); } else { @@ -894,7 +909,9 @@ bool WiFiClientSecure::_installClientX509Validator() { } br_x509_minimal_init(_x509_minimal.get(), &br_sha256_vtable, _ta ? _ta->getTrustAnchors() : nullptr, _ta ? _ta->getCount() : 0); br_x509_minimal_set_rsa(_x509_minimal.get(), br_ssl_engine_get_rsavrfy(_eng)); +#ifndef BEARSSL_SSL_BASIC br_x509_minimal_set_ecdsa(_x509_minimal.get(), br_ssl_engine_get_ec(_eng), br_ssl_engine_get_ecdsa(_eng)); +#endif br_x509_minimal_install_hashes(_x509_minimal.get()); if (_now) { // Magic constants convert to x509 times @@ -953,9 +970,15 @@ bool WiFiClientSecure::_connectSSL(const char* hostName) { br_ssl_client_set_single_rsa(_sc.get(), _chain ? _chain->getX509Certs() : nullptr, _chain ? _chain->getCount() : 0, _sk->getRSA(), br_rsa_pkcs1_sign_get_default()); } else if (_sk && _sk->isEC()) { +#ifndef BEARSSL_SSL_BASIC br_ssl_client_set_single_ec(_sc.get(), _chain ? _chain->getX509Certs() : nullptr, _chain ? _chain->getCount() : 0, _sk->getEC(), _allowed_usages, _cert_issuer_key_type, br_ec_get_default(), br_ecdsa_sign_asn1_get_default()); +#else + _freeSSL(); + DEBUG_BSSL("_connectSSL: Attempting to use EC cert in minimal cipher mode (no EC)\n"); + return false; +#endif } // Restore session from the storage spot, if present @@ -997,9 +1020,13 @@ bool WiFiClientSecure::_installServerX509Validator(const X509List *client_CA_ta) } br_x509_minimal_init(_x509_minimal.get(), &br_sha256_vtable, _ta->getTrustAnchors(), _ta->getCount()); br_ssl_engine_set_default_rsavrfy(_eng); +#ifndef BEARSSL_SSL_BASIC br_ssl_engine_set_default_ecdsa(_eng); +#endif br_x509_minimal_set_rsa(_x509_minimal.get(), br_ssl_engine_get_rsavrfy(_eng)); +#ifndef BEARSSL_SSL_BASIC br_x509_minimal_set_ecdsa(_x509_minimal.get(), br_ssl_engine_get_ec(_eng), br_ssl_engine_get_ecdsa(_eng)); +#endif br_x509_minimal_install_hashes(_x509_minimal.get()); if (_now) { // Magic constants convert to x509 times @@ -1048,6 +1075,7 @@ bool WiFiClientSecure::_connectSSLServerRSA(const X509List *chain, bool WiFiClientSecure::_connectSSLServerEC(const X509List *chain, unsigned cert_issuer_key_type, const PrivateKey *sk, const X509List *client_CA_ta) { +#ifndef BEARSSL_SSL_BASIC _freeSSL(); _oom_err = false; _sc_svr = std::make_shared(); @@ -1076,6 +1104,14 @@ bool WiFiClientSecure::_connectSSLServerEC(const X509List *chain, } return _wait_for_handshake(); +#else + (void) chain; + (void) cert_issuer_key_type; + (void) sk; + (void) client_CA_ta; + DEBUG_BSSL("_connectSSLServerEC: Attempting to use EC cert in minimal cipher mode (no EC)\n"); + return false; +#endif } // Returns an error ID and possibly a string (if dest != null) of the last diff --git a/package/package_esp8266com_index.template.json b/package/package_esp8266com_index.template.json index 387f636c1..ec2314f7e 100644 --- a/package/package_esp8266com_index.template.json +++ b/package/package_esp8266com_index.template.json @@ -299,4 +299,4 @@ ] } ] -} +} \ No newline at end of file diff --git a/platform.txt b/platform.txt index 706d5b9c8..2ba6dfefa 100644 --- a/platform.txt +++ b/platform.txt @@ -30,6 +30,8 @@ build.lwip_flags=-DLWIP_OPEN_SRC build.vtable_flags=-DVTABLES_IN_FLASH +build.sslflags= + build.exception_flags=-fno-exceptions build.stdcpp_lib=-lstdc++ @@ -44,7 +46,7 @@ compiler.libc.path={runtime.platform.path}/tools/sdk/libc/xtensa-lx106-elf compiler.cpreprocessor.flags=-D__ets__ -DICACHE_FLASH -U__STRICT_ANSI__ "-I{compiler.sdk.path}/include" "-I{compiler.sdk.path}/{build.lwip_include}" "-I{compiler.libc.path}/include" "-I{build.path}/core" compiler.c.cmd=xtensa-lx106-elf-gcc -compiler.c.flags=-c {compiler.warning_flags} -Os -g -Wpointer-arith -Wno-implicit-function-declaration -Wl,-EL -fno-inline-functions -nostdlib -mlongcalls -mtext-section-literals -falign-functions=4 -MMD -std=gnu99 -ffunction-sections -fdata-sections {build.exception_flags} +compiler.c.flags=-c {compiler.warning_flags} -Os -g -Wpointer-arith -Wno-implicit-function-declaration -Wl,-EL -fno-inline-functions -nostdlib -mlongcalls -mtext-section-literals -falign-functions=4 -MMD -std=gnu99 -ffunction-sections -fdata-sections {build.exception_flags} {build.sslflags} compiler.S.cmd=xtensa-lx106-elf-gcc compiler.S.flags=-c -g -x assembler-with-cpp -MMD -mlongcalls @@ -55,7 +57,7 @@ compiler.c.elf.cmd=xtensa-lx106-elf-gcc compiler.c.elf.libs=-lhal -lphy -lpp -lnet80211 {build.lwip_lib} -lwpa -lcrypto -lmain -lwps -lbearssl -laxtls -lespnow -lsmartconfig -lairkiss -lwpa2 {build.stdcpp_lib} -lm -lc -lgcc compiler.cpp.cmd=xtensa-lx106-elf-g++ -compiler.cpp.flags=-c {compiler.warning_flags} -Os -g -mlongcalls -mtext-section-literals -fno-rtti -falign-functions=4 -std=c++11 -MMD -ffunction-sections -fdata-sections {build.exception_flags} +compiler.cpp.flags=-c {compiler.warning_flags} -Os -g -mlongcalls -mtext-section-literals -fno-rtti -falign-functions=4 -std=c++11 -MMD -ffunction-sections -fdata-sections {build.exception_flags} {build.sslflags} compiler.as.cmd=xtensa-lx106-elf-as diff --git a/tools/boards.txt.py b/tools/boards.txt.py index fd9605116..3338330f2 100755 --- a/tools/boards.txt.py +++ b/tools/boards.txt.py @@ -1074,6 +1074,15 @@ macros = { ( '.menu.wipe.all.upload.erase_cmd', 'erase_flash' ), ]), + ######################## SSL supported protocols + + 'ssl_cipher_menu': collections.OrderedDict([ + ( '.menu.ssl.all', 'All SSL ciphers (most compatible)' ), + ( '.menu.ssl.all.build.sslflags', ''), + ( '.menu.ssl.basic', 'Basic SSL ciphers (lower ROM use)' ), + ( '.menu.ssl.basic.build.sslflags', '-DBEARSSL_SSL_BASIC'), + ]), + } ################################################################ @@ -1384,6 +1393,7 @@ def all_boards (): print('menu.led=Builtin Led') print('menu.wipe=Erase Flash') print('menu.sdk=Espressif FW') + print('menu.ssl=SSL Support') print('') for id in boards: @@ -1397,7 +1407,7 @@ def all_boards (): print(id + optname + '=' + board['opts'][optname]) # macros - macrolist = [ 'defaults', 'cpufreq_menu', 'vtable_menu', 'exception_menu' ] + macrolist = [ 'defaults', 'cpufreq_menu', 'vtable_menu', 'exception_menu', 'ssl_cipher_menu' ] if 'macro' in board: macrolist += board['macro'] if lwip == 2: