mirror of
https://github.com/arendst/Tasmota.git
synced 2025-07-24 03:06:33 +00:00
Merge pull request #8658 from s-hadinger/telegram_prep
Cleaned TLS options and prepare for TELEGRAM
This commit is contained in:
Theo Arends
GitHub
commit
b2cef9de32
@ -40,7 +40,7 @@ uint32_t *stack_thunk_light_save = NULL; /* Saved A1 while in BearSSL */
|
|||||||
uint32_t stack_thunk_light_refcnt = 0;
|
uint32_t stack_thunk_light_refcnt = 0;
|
||||||
|
|
||||||
//#define _stackSize (5600/4)
|
//#define _stackSize (5600/4)
|
||||||
#if defined(USE_MQTT_AWS_IOT) || defined(USE_MQTT_TLS_FORCE_EC_CIPHER)
|
#ifdef USE_MQTT_TLS_FORCE_EC_CIPHER
|
||||||
#define _stackSize (5300/4) // using a light version of bearssl we can save 300 bytes
|
#define _stackSize (5300/4) // using a light version of bearssl we can save 300 bytes
|
||||||
#else
|
#else
|
||||||
#define _stackSize (3600/4) // using a light version of bearssl we can save 2k
|
#define _stackSize (3600/4) // using a light version of bearssl we can save 2k
|
||||||
|
|||||||
@ -52,7 +52,7 @@ extern uint32_t stack_thunk_light_refcnt;
|
|||||||
|
|
||||||
// Thunking macro
|
// Thunking macro
|
||||||
#define make_stack_thunk_light(fcnToThunk) \
|
#define make_stack_thunk_light(fcnToThunk) \
|
||||||
__asm("\n\
|
__asm__("\n\
|
||||||
.text\n\
|
.text\n\
|
||||||
.literal_position\n\
|
.literal_position\n\
|
||||||
.literal .LC_STACK_VALUE"#fcnToThunk", 0xdeadbeef\n\
|
.literal .LC_STACK_VALUE"#fcnToThunk", 0xdeadbeef\n\
|
||||||
|
|||||||
1827
tasmota/WiFiClientSecureLightBearSSL.cpp
Normal file → Executable file
1827
tasmota/WiFiClientSecureLightBearSSL.cpp
Normal file → Executable file
File diff suppressed because it is too large
Load Diff
442
tasmota/WiFiClientSecureLightBearSSL.h
Normal file → Executable file
442
tasmota/WiFiClientSecureLightBearSSL.h
Normal file → Executable file
@ -1,221 +1,221 @@
|
|||||||
/*
|
/*
|
||||||
WiFiClientBearSSL- SSL client/server for esp8266 using BearSSL libraries
|
WiFiClientBearSSL- SSL client/server for esp8266 using BearSSL libraries
|
||||||
- Mostly compatible with Arduino WiFi shield library and standard
|
- Mostly compatible with Arduino WiFi shield library and standard
|
||||||
WiFiClient/ServerSecure (except for certificate handling).
|
WiFiClient/ServerSecure (except for certificate handling).
|
||||||
|
|
||||||
Copyright (c) 2018 Earle F. Philhower, III
|
Copyright (c) 2018 Earle F. Philhower, III
|
||||||
|
|
||||||
This library is free software; you can redistribute it and/or
|
This library is free software; you can redistribute it and/or
|
||||||
modify it under the terms of the GNU Lesser General Public
|
modify it under the terms of the GNU Lesser General Public
|
||||||
License as published by the Free Software Foundation; either
|
License as published by the Free Software Foundation; either
|
||||||
version 2.1 of the License, or (at your option) any later version.
|
version 2.1 of the License, or (at your option) any later version.
|
||||||
|
|
||||||
This library is distributed in the hope that it will be useful,
|
This library is distributed in the hope that it will be useful,
|
||||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||||
Lesser General Public License for more details.
|
Lesser General Public License for more details.
|
||||||
|
|
||||||
You should have received a copy of the GNU Lesser General Public
|
You should have received a copy of the GNU Lesser General Public
|
||||||
License along with this library; if not, write to the Free Software
|
License along with this library; if not, write to the Free Software
|
||||||
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include <core_version.h>
|
#include <core_version.h>
|
||||||
|
|
||||||
#ifndef wificlientlightbearssl_h
|
#ifndef wificlientlightbearssl_h
|
||||||
#define wificlientlightbearssl_h
|
#define wificlientlightbearssl_h
|
||||||
#if defined(USE_MQTT_TLS) || defined (USE_SENDMAIL)
|
#ifdef USE_TLS
|
||||||
#include <vector>
|
#include <vector>
|
||||||
#include "WiFiClient.h"
|
#include "WiFiClient.h"
|
||||||
#include <t_bearssl.h>
|
#include <t_bearssl.h>
|
||||||
|
|
||||||
namespace BearSSL {
|
namespace BearSSL {
|
||||||
|
|
||||||
class WiFiClientSecure_light : public WiFiClient {
|
class WiFiClientSecure_light : public WiFiClient {
|
||||||
public:
|
public:
|
||||||
WiFiClientSecure_light(int recv, int xmit);
|
WiFiClientSecure_light(int recv, int xmit);
|
||||||
~WiFiClientSecure_light() override;
|
~WiFiClientSecure_light() override;
|
||||||
|
|
||||||
void allocateBuffers(void);
|
void allocateBuffers(void);
|
||||||
|
|
||||||
int connect(IPAddress ip, uint16_t port) override;
|
int connect(IPAddress ip, uint16_t port) override;
|
||||||
int connect(const char* name, uint16_t port) override;
|
int connect(const char* name, uint16_t port) override;
|
||||||
|
|
||||||
uint8_t connected() override;
|
uint8_t connected() override;
|
||||||
size_t write(const uint8_t *buf, size_t size) override;
|
size_t write(const uint8_t *buf, size_t size) override;
|
||||||
size_t write_P(PGM_P buf, size_t size) override;
|
size_t write_P(PGM_P buf, size_t size) override;
|
||||||
size_t write(const char *buf) {
|
size_t write(const char *buf) {
|
||||||
return write((const uint8_t*)buf, strlen(buf));
|
return write((const uint8_t*)buf, strlen(buf));
|
||||||
}
|
}
|
||||||
size_t write_P(const char *buf) {
|
size_t write_P(const char *buf) {
|
||||||
return write_P((PGM_P)buf, strlen_P(buf));
|
return write_P((PGM_P)buf, strlen_P(buf));
|
||||||
}
|
}
|
||||||
size_t write(Stream& stream); // Note this is not virtual
|
size_t write(Stream& stream); // Note this is not virtual
|
||||||
int read(uint8_t *buf, size_t size) override;
|
int read(uint8_t *buf, size_t size) override;
|
||||||
int available() override;
|
int available() override;
|
||||||
int read() override;
|
int read() override;
|
||||||
int peek() override;
|
int peek() override;
|
||||||
size_t peekBytes(uint8_t *buffer, size_t length) override;
|
size_t peekBytes(uint8_t *buffer, size_t length) override;
|
||||||
bool flush(unsigned int maxWaitMs);
|
bool flush(unsigned int maxWaitMs);
|
||||||
bool stop(unsigned int maxWaitMs);
|
bool stop(unsigned int maxWaitMs);
|
||||||
void flush() override { (void)flush(0); }
|
void flush() override { (void)flush(0); }
|
||||||
void stop() override { (void)stop(0); }
|
void stop() override { (void)stop(0); }
|
||||||
|
|
||||||
// Only check SHA1 fingerprint of public key
|
// Only check SHA1 fingerprint of public key
|
||||||
void setPubKeyFingerprint(const uint8_t *f1, const uint8_t *f2,
|
void setPubKeyFingerprint(const uint8_t *f1, const uint8_t *f2,
|
||||||
bool f_any = false) {
|
bool f_any = false) {
|
||||||
_fingerprint1 = f1;
|
_fingerprint1 = f1;
|
||||||
_fingerprint2 = f2;
|
_fingerprint2 = f2;
|
||||||
_fingerprint_any = f_any;
|
_fingerprint_any = f_any;
|
||||||
}
|
}
|
||||||
const uint8_t * getRecvPubKeyFingerprint(void) {
|
const uint8_t * getRecvPubKeyFingerprint(void) {
|
||||||
return _recv_fingerprint;
|
return _recv_fingerprint;
|
||||||
}
|
}
|
||||||
|
|
||||||
void setClientECCert(const br_x509_certificate *cert, const br_ec_private_key *sk,
|
void setClientECCert(const br_x509_certificate *cert, const br_ec_private_key *sk,
|
||||||
unsigned allowed_usages, unsigned cert_issuer_key_type);
|
unsigned allowed_usages, unsigned cert_issuer_key_type);
|
||||||
|
|
||||||
void setTrustAnchor(const br_x509_trust_anchor *ta);
|
void setTrustAnchor(const br_x509_trust_anchor *ta);
|
||||||
|
|
||||||
// Sets the requested buffer size for transmit and receive
|
// Sets the requested buffer size for transmit and receive
|
||||||
void setBufferSizes(int recv, int xmit);
|
void setBufferSizes(int recv, int xmit);
|
||||||
|
|
||||||
// Returns whether MFLN negotiation for the above buffer sizes succeeded (after connection)
|
// Returns whether MFLN negotiation for the above buffer sizes succeeded (after connection)
|
||||||
int getMFLNStatus() {
|
int getMFLNStatus() {
|
||||||
return connected() && br_ssl_engine_get_mfln_negotiated(_eng);
|
return connected() && br_ssl_engine_get_mfln_negotiated(_eng);
|
||||||
}
|
}
|
||||||
|
|
||||||
int32_t getLastError(void) {
|
int32_t getLastError(void) {
|
||||||
if (_last_error) {
|
if (_last_error) {
|
||||||
return _last_error;
|
return _last_error;
|
||||||
} else {
|
} else {
|
||||||
return br_ssl_engine_last_error(_eng);
|
return br_ssl_engine_last_error(_eng);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
inline void setLastError(int32_t err) {
|
inline void setLastError(int32_t err) {
|
||||||
_last_error = err;
|
_last_error = err;
|
||||||
}
|
}
|
||||||
inline void clearLastError(void) {
|
inline void clearLastError(void) {
|
||||||
_last_error = 0;
|
_last_error = 0;
|
||||||
}
|
}
|
||||||
inline size_t getMaxThunkStackUse(void) {
|
inline size_t getMaxThunkStackUse(void) {
|
||||||
return _max_thunkstack_use;
|
return _max_thunkstack_use;
|
||||||
}
|
}
|
||||||
|
|
||||||
private:
|
private:
|
||||||
void _clear();
|
void _clear();
|
||||||
bool _ctx_present;
|
bool _ctx_present;
|
||||||
std::shared_ptr<br_ssl_client_context> _sc;
|
std::shared_ptr<br_ssl_client_context> _sc;
|
||||||
inline bool ctx_present() {
|
inline bool ctx_present() {
|
||||||
return _ctx_present;
|
return _ctx_present;
|
||||||
}
|
}
|
||||||
br_ssl_engine_context *_eng; // &_sc->eng, to allow for client or server contexts
|
br_ssl_engine_context *_eng; // &_sc->eng, to allow for client or server contexts
|
||||||
std::shared_ptr<unsigned char> _iobuf_in;
|
std::shared_ptr<unsigned char> _iobuf_in;
|
||||||
std::shared_ptr<unsigned char> _iobuf_out;
|
std::shared_ptr<unsigned char> _iobuf_out;
|
||||||
time_t _now;
|
time_t _now;
|
||||||
int _iobuf_in_size;
|
int _iobuf_in_size;
|
||||||
int _iobuf_out_size;
|
int _iobuf_out_size;
|
||||||
bool _handshake_done;
|
bool _handshake_done;
|
||||||
uint64_t _last_error;
|
uint64_t _last_error;
|
||||||
|
|
||||||
bool _fingerprint_any; // accept all fingerprints
|
bool _fingerprint_any; // accept all fingerprints
|
||||||
const uint8_t *_fingerprint1; // fingerprint1 to be checked against
|
const uint8_t *_fingerprint1; // fingerprint1 to be checked against
|
||||||
const uint8_t *_fingerprint2; // fingerprint2 to be checked against
|
const uint8_t *_fingerprint2; // fingerprint2 to be checked against
|
||||||
uint8_t _recv_fingerprint[20]; // fingerprint received
|
uint8_t _recv_fingerprint[20]; // fingerprint received
|
||||||
|
|
||||||
unsigned char *_recvapp_buf;
|
unsigned char *_recvapp_buf;
|
||||||
size_t _recvapp_len;
|
size_t _recvapp_len;
|
||||||
|
|
||||||
bool _clientConnected(); // Is the underlying socket alive?
|
bool _clientConnected(); // Is the underlying socket alive?
|
||||||
bool _connectSSL(const char *hostName); // Do initial SSL handshake
|
bool _connectSSL(const char *hostName); // Do initial SSL handshake
|
||||||
void _freeSSL();
|
void _freeSSL();
|
||||||
int _run_until(unsigned target, bool blocking = true);
|
int _run_until(unsigned target, bool blocking = true);
|
||||||
size_t _write(const uint8_t *buf, size_t size, bool pmem);
|
size_t _write(const uint8_t *buf, size_t size, bool pmem);
|
||||||
bool _wait_for_handshake(); // Sets and return the _handshake_done after connecting
|
bool _wait_for_handshake(); // Sets and return the _handshake_done after connecting
|
||||||
|
|
||||||
// Optional client certificate
|
// Optional client certificate
|
||||||
const br_x509_certificate *_chain_P; // PROGMEM certificate
|
const br_x509_certificate *_chain_P; // PROGMEM certificate
|
||||||
const br_ec_private_key *_sk_ec_P; // PROGMEM private key
|
const br_ec_private_key *_sk_ec_P; // PROGMEM private key
|
||||||
const br_x509_trust_anchor *_ta_P; // PROGMEM server CA
|
const br_x509_trust_anchor *_ta_P; // PROGMEM server CA
|
||||||
unsigned _allowed_usages;
|
unsigned _allowed_usages;
|
||||||
unsigned _cert_issuer_key_type;
|
unsigned _cert_issuer_key_type;
|
||||||
|
|
||||||
// record the maximum use of ThunkStack for monitoring
|
// record the maximum use of ThunkStack for monitoring
|
||||||
size_t _max_thunkstack_use;
|
size_t _max_thunkstack_use;
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#define ERR_OOM -1000
|
#define ERR_OOM -1000
|
||||||
#define ERR_CANT_RESOLVE_IP -1001
|
#define ERR_CANT_RESOLVE_IP -1001
|
||||||
#define ERR_TCP_CONNECT -1002
|
#define ERR_TCP_CONNECT -1002
|
||||||
#define ERR_MISSING_EC_KEY -1003
|
// #define ERR_MISSING_EC_KEY -1003 // deprecated, AWS IoT is not called if the private key is not present
|
||||||
#define ERR_MISSING_CA -1004
|
#define ERR_MISSING_CA -1004
|
||||||
|
|
||||||
// For reference, BearSSL error codes:
|
// For reference, BearSSL error codes:
|
||||||
// #define BR_ERR_OK 0
|
// #define BR_ERR_OK 0
|
||||||
// #define BR_ERR_BAD_PARAM 1
|
// #define BR_ERR_BAD_PARAM 1
|
||||||
// #define BR_ERR_BAD_STATE 2
|
// #define BR_ERR_BAD_STATE 2
|
||||||
// #define BR_ERR_UNSUPPORTED_VERSION 3
|
// #define BR_ERR_UNSUPPORTED_VERSION 3
|
||||||
// #define BR_ERR_BAD_VERSION 4
|
// #define BR_ERR_BAD_VERSION 4
|
||||||
// #define BR_ERR_BAD_LENGTH 5
|
// #define BR_ERR_BAD_LENGTH 5
|
||||||
// #define BR_ERR_TOO_LARGE 6
|
// #define BR_ERR_TOO_LARGE 6
|
||||||
// #define BR_ERR_BAD_MAC 7
|
// #define BR_ERR_BAD_MAC 7
|
||||||
// #define BR_ERR_NO_RANDOM 8
|
// #define BR_ERR_NO_RANDOM 8
|
||||||
// #define BR_ERR_UNKNOWN_TYPE 9
|
// #define BR_ERR_UNKNOWN_TYPE 9
|
||||||
// #define BR_ERR_UNEXPECTED 10
|
// #define BR_ERR_UNEXPECTED 10
|
||||||
// #define BR_ERR_BAD_CCS 12
|
// #define BR_ERR_BAD_CCS 12
|
||||||
// #define BR_ERR_BAD_ALERT 13
|
// #define BR_ERR_BAD_ALERT 13
|
||||||
// #define BR_ERR_BAD_HANDSHAKE 14
|
// #define BR_ERR_BAD_HANDSHAKE 14
|
||||||
// #define BR_ERR_OVERSIZED_ID 15
|
// #define BR_ERR_OVERSIZED_ID 15
|
||||||
// #define BR_ERR_BAD_CIPHER_SUITE 16
|
// #define BR_ERR_BAD_CIPHER_SUITE 16
|
||||||
// #define BR_ERR_BAD_COMPRESSION 17
|
// #define BR_ERR_BAD_COMPRESSION 17
|
||||||
// #define BR_ERR_BAD_FRAGLEN 18
|
// #define BR_ERR_BAD_FRAGLEN 18
|
||||||
// #define BR_ERR_BAD_SECRENEG 19
|
// #define BR_ERR_BAD_SECRENEG 19
|
||||||
// #define BR_ERR_EXTRA_EXTENSION 20
|
// #define BR_ERR_EXTRA_EXTENSION 20
|
||||||
// #define BR_ERR_BAD_SNI 21
|
// #define BR_ERR_BAD_SNI 21
|
||||||
// #define BR_ERR_BAD_HELLO_DONE 22
|
// #define BR_ERR_BAD_HELLO_DONE 22
|
||||||
// #define BR_ERR_LIMIT_EXCEEDED 23
|
// #define BR_ERR_LIMIT_EXCEEDED 23
|
||||||
// #define BR_ERR_BAD_FINISHED 24
|
// #define BR_ERR_BAD_FINISHED 24
|
||||||
// #define BR_ERR_RESUME_MISMATCH 25
|
// #define BR_ERR_RESUME_MISMATCH 25
|
||||||
// #define BR_ERR_INVALID_ALGORITHM 26
|
// #define BR_ERR_INVALID_ALGORITHM 26
|
||||||
// #define BR_ERR_BAD_SIGNATURE 27
|
// #define BR_ERR_BAD_SIGNATURE 27
|
||||||
// #define BR_ERR_WRONG_KEY_USAGE 28
|
// #define BR_ERR_WRONG_KEY_USAGE 28
|
||||||
// #define BR_ERR_NO_CLIENT_AUTH 29
|
// #define BR_ERR_NO_CLIENT_AUTH 29
|
||||||
// #define BR_ERR_IO 31
|
// #define BR_ERR_IO 31
|
||||||
// #define BR_ERR_RECV_FATAL_ALERT 256
|
// #define BR_ERR_RECV_FATAL_ALERT 256
|
||||||
// #define BR_ERR_SEND_FATAL_ALERT 512
|
// #define BR_ERR_SEND_FATAL_ALERT 512
|
||||||
// #define BR_ERR_X509_OK 32
|
// #define BR_ERR_X509_OK 32
|
||||||
// #define BR_ERR_X509_INVALID_VALUE 33
|
// #define BR_ERR_X509_INVALID_VALUE 33
|
||||||
// #define BR_ERR_X509_TRUNCATED 34
|
// #define BR_ERR_X509_TRUNCATED 34
|
||||||
// #define BR_ERR_X509_EMPTY_CHAIN 35
|
// #define BR_ERR_X509_EMPTY_CHAIN 35
|
||||||
// #define BR_ERR_X509_INNER_TRUNC 36
|
// #define BR_ERR_X509_INNER_TRUNC 36
|
||||||
// #define BR_ERR_X509_BAD_TAG_CLASS 37
|
// #define BR_ERR_X509_BAD_TAG_CLASS 37
|
||||||
// #define BR_ERR_X509_BAD_TAG_VALUE 38
|
// #define BR_ERR_X509_BAD_TAG_VALUE 38
|
||||||
// #define BR_ERR_X509_INDEFINITE_LENGTH 39
|
// #define BR_ERR_X509_INDEFINITE_LENGTH 39
|
||||||
// #define BR_ERR_X509_EXTRA_ELEMENT 40
|
// #define BR_ERR_X509_EXTRA_ELEMENT 40
|
||||||
// #define BR_ERR_X509_UNEXPECTED 41
|
// #define BR_ERR_X509_UNEXPECTED 41
|
||||||
// #define BR_ERR_X509_NOT_CONSTRUCTED 42
|
// #define BR_ERR_X509_NOT_CONSTRUCTED 42
|
||||||
// #define BR_ERR_X509_NOT_PRIMITIVE 43
|
// #define BR_ERR_X509_NOT_PRIMITIVE 43
|
||||||
// #define BR_ERR_X509_PARTIAL_BYTE 44
|
// #define BR_ERR_X509_PARTIAL_BYTE 44
|
||||||
// #define BR_ERR_X509_BAD_BOOLEAN 45
|
// #define BR_ERR_X509_BAD_BOOLEAN 45
|
||||||
// #define BR_ERR_X509_OVERFLOW 46
|
// #define BR_ERR_X509_OVERFLOW 46
|
||||||
// #define BR_ERR_X509_BAD_DN 47
|
// #define BR_ERR_X509_BAD_DN 47
|
||||||
// #define BR_ERR_X509_BAD_TIME 48
|
// #define BR_ERR_X509_BAD_TIME 48
|
||||||
// #define BR_ERR_X509_UNSUPPORTED 49
|
// #define BR_ERR_X509_UNSUPPORTED 49
|
||||||
// #define BR_ERR_X509_LIMIT_EXCEEDED 50
|
// #define BR_ERR_X509_LIMIT_EXCEEDED 50
|
||||||
// #define BR_ERR_X509_WRONG_KEY_TYPE 51
|
// #define BR_ERR_X509_WRONG_KEY_TYPE 51
|
||||||
// #define BR_ERR_X509_BAD_SIGNATURE 52
|
// #define BR_ERR_X509_BAD_SIGNATURE 52
|
||||||
// #define BR_ERR_X509_TIME_UNKNOWN 53
|
// #define BR_ERR_X509_TIME_UNKNOWN 53
|
||||||
// #define BR_ERR_X509_EXPIRED 54
|
// #define BR_ERR_X509_EXPIRED 54
|
||||||
// #define BR_ERR_X509_DN_MISMATCH 55
|
// #define BR_ERR_X509_DN_MISMATCH 55
|
||||||
// #define BR_ERR_X509_BAD_SERVER_NAME 56
|
// #define BR_ERR_X509_BAD_SERVER_NAME 56
|
||||||
// #define BR_ERR_X509_CRITICAL_EXTENSION 57
|
// #define BR_ERR_X509_CRITICAL_EXTENSION 57
|
||||||
// #define BR_ERR_X509_NOT_CA 58
|
// #define BR_ERR_X509_NOT_CA 58
|
||||||
// #define BR_ERR_X509_FORBIDDEN_KEY_USAGE 59
|
// #define BR_ERR_X509_FORBIDDEN_KEY_USAGE 59
|
||||||
// #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
|
// #define BR_ERR_X509_WEAK_PUBLIC_KEY 60
|
||||||
// #define BR_ERR_X509_NOT_TRUSTED 62
|
// #define BR_ERR_X509_NOT_TRUSTED 62
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif // USE_MQTT_TLS
|
#endif // USE_TLS
|
||||||
#endif // wificlientlightbearssl_h
|
#endif // wificlientlightbearssl_h
|
||||||
|
|||||||
@ -753,4 +753,16 @@
|
|||||||
#error "Select either USE_RULES or USE_SCRIPT. They can't both be used at the same time"
|
#error "Select either USE_RULES or USE_SCRIPT. They can't both be used at the same time"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/*********************************************************************************************\
|
||||||
|
* Post-process compile options for TLS
|
||||||
|
\*********************************************************************************************/
|
||||||
|
|
||||||
|
#if defined(USE_MQTT_TLS) || defined(USE_SENDMAIL) || defined(USE_TELEGRAM)
|
||||||
|
#define USE_TLS // flag indicates we need to include TLS code
|
||||||
|
|
||||||
|
#if defined(USE_MQTT_AWS_IOT) || defined(USE_TELEGRAM)
|
||||||
|
#define USE_MQTT_TLS_FORCE_EC_CIPHER // AWS IoT and TELEGRAM require EC Cipher
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif // _MY_USER_CONFIG_H_
|
#endif // _MY_USER_CONFIG_H_
|
||||||
|
|||||||
@ -36,9 +36,9 @@
|
|||||||
#include "tasmota_version.h" // Tasmota version information
|
#include "tasmota_version.h" // Tasmota version information
|
||||||
#include "tasmota.h" // Enumeration used in my_user_config.h
|
#include "tasmota.h" // Enumeration used in my_user_config.h
|
||||||
#include "my_user_config.h" // Fixed user configurable options
|
#include "my_user_config.h" // Fixed user configurable options
|
||||||
#ifdef USE_MQTT_TLS
|
#ifdef USE_TLS
|
||||||
#include <t_bearssl.h> // We need to include before "tasmota_globals.h" to take precedence over the BearSSL version in Arduino
|
#include <t_bearssl.h> // We need to include before "tasmota_globals.h" to take precedence over the BearSSL version in Arduino
|
||||||
#endif // USE_MQTT_TLS
|
#endif // USE_TLS
|
||||||
#include "tasmota_globals.h" // Function prototypes and global configuration
|
#include "tasmota_globals.h" // Function prototypes and global configuration
|
||||||
#include "i18n.h" // Language support configured by my_user_config.h
|
#include "i18n.h" // Language support configured by my_user_config.h
|
||||||
#include "tasmota_template.h" // Hardware configuration
|
#include "tasmota_template.h" // Hardware configuration
|
||||||
|
|||||||
@ -21,9 +21,8 @@
|
|||||||
// Please use fingerprint validation instead
|
// Please use fingerprint validation instead
|
||||||
// However, the CA are available below for future use if it appears to be useful
|
// However, the CA are available below for future use if it appears to be useful
|
||||||
|
|
||||||
#ifdef USE_MQTT_TLS_CA_CERT
|
#if defined(USE_TLS) && defined(USE_MQTT_TLS_CA_CERT)
|
||||||
|
|
||||||
#ifndef USE_MQTT_AWS_IOT
|
|
||||||
/*********************************************************************************************\
|
/*********************************************************************************************\
|
||||||
* LetsEncrypt IdenTrust DST Root CA X3 certificate, RSA 2048 bits SHA 256, valid until 20210417
|
* LetsEncrypt IdenTrust DST Root CA X3 certificate, RSA 2048 bits SHA 256, valid until 20210417
|
||||||
*
|
*
|
||||||
@ -35,7 +34,7 @@
|
|||||||
* remove "static" and add "PROGMEM"
|
* remove "static" and add "PROGMEM"
|
||||||
\*********************************************************************************************/
|
\*********************************************************************************************/
|
||||||
|
|
||||||
static const unsigned char PROGMEM TA0_DN[] = {
|
static const unsigned char PROGMEM LetsEncrypt_DN[] = {
|
||||||
0x30, 0x4A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
|
0x30, 0x4A, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
|
||||||
0x02, 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A,
|
0x02, 0x55, 0x53, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0A,
|
||||||
0x13, 0x0D, 0x4C, 0x65, 0x74, 0x27, 0x73, 0x20, 0x45, 0x6E, 0x63, 0x72,
|
0x13, 0x0D, 0x4C, 0x65, 0x74, 0x27, 0x73, 0x20, 0x45, 0x6E, 0x63, 0x72,
|
||||||
@ -45,7 +44,7 @@ static const unsigned char PROGMEM TA0_DN[] = {
|
|||||||
0x79, 0x20, 0x58, 0x33
|
0x79, 0x20, 0x58, 0x33
|
||||||
};
|
};
|
||||||
|
|
||||||
static const unsigned char PROGMEM TA0_RSA_N[] = {
|
static const unsigned char PROGMEM LetsEncrypt_RSA_N[] = {
|
||||||
0x9C, 0xD3, 0x0C, 0xF0, 0x5A, 0xE5, 0x2E, 0x47, 0xB7, 0x72, 0x5D, 0x37,
|
0x9C, 0xD3, 0x0C, 0xF0, 0x5A, 0xE5, 0x2E, 0x47, 0xB7, 0x72, 0x5D, 0x37,
|
||||||
0x83, 0xB3, 0x68, 0x63, 0x30, 0xEA, 0xD7, 0x35, 0x26, 0x19, 0x25, 0xE1,
|
0x83, 0xB3, 0x68, 0x63, 0x30, 0xEA, 0xD7, 0x35, 0x26, 0x19, 0x25, 0xE1,
|
||||||
0xBD, 0xBE, 0x35, 0xF1, 0x70, 0x92, 0x2F, 0xB7, 0xB8, 0x4B, 0x41, 0x05,
|
0xBD, 0xBE, 0x35, 0xF1, 0x70, 0x92, 0x2F, 0xB7, 0xB8, 0x4B, 0x41, 0x05,
|
||||||
@ -70,27 +69,22 @@ static const unsigned char PROGMEM TA0_RSA_N[] = {
|
|||||||
0xD8, 0x7D, 0xC3, 0x93
|
0xD8, 0x7D, 0xC3, 0x93
|
||||||
};
|
};
|
||||||
|
|
||||||
static const unsigned char TA0_RSA_E[] = {
|
static const unsigned char LetsEncrypt_RSA_E[] = {
|
||||||
0x01, 0x00, 0x01
|
0x01, 0x00, 0x01
|
||||||
};
|
};
|
||||||
|
|
||||||
static const br_x509_trust_anchor PROGMEM LetsEncryptX3CrossSigned_TA = {
|
static const br_x509_trust_anchor PROGMEM LetsEncryptX3CrossSigned_TA = {
|
||||||
{ (unsigned char *)TA0_DN, sizeof TA0_DN },
|
{ (unsigned char *)LetsEncrypt_DN, sizeof LetsEncrypt_DN },
|
||||||
BR_X509_TA_CA,
|
BR_X509_TA_CA,
|
||||||
{
|
{
|
||||||
BR_KEYTYPE_RSA,
|
BR_KEYTYPE_RSA,
|
||||||
{ .rsa = {
|
{ .rsa = {
|
||||||
(unsigned char *)TA0_RSA_N, sizeof TA0_RSA_N,
|
(unsigned char *)LetsEncrypt_RSA_N, sizeof LetsEncrypt_RSA_N,
|
||||||
(unsigned char *)TA0_RSA_E, sizeof TA0_RSA_E,
|
(unsigned char *)LetsEncrypt_RSA_E, sizeof LetsEncrypt_RSA_E,
|
||||||
} }
|
} }
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
#define TAs_NUM 1
|
|
||||||
|
|
||||||
#endif // not USE_MQTT_AWS_IOT
|
|
||||||
|
|
||||||
#ifdef USE_MQTT_AWS_IOT
|
|
||||||
/*********************************************************************************************\
|
/*********************************************************************************************\
|
||||||
* Amazon Root CA, RSA 2048 bits SHA 256, valid until 20380117
|
* Amazon Root CA, RSA 2048 bits SHA 256, valid until 20380117
|
||||||
*
|
*
|
||||||
@ -103,7 +97,7 @@ static const br_x509_trust_anchor PROGMEM LetsEncryptX3CrossSigned_TA = {
|
|||||||
\*********************************************************************************************/
|
\*********************************************************************************************/
|
||||||
|
|
||||||
|
|
||||||
const unsigned char PROGMEM TA0_DN[] = {
|
const unsigned char PROGMEM AmazonRootCA1_DN[] = {
|
||||||
0x30, 0x39, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
|
0x30, 0x39, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
|
||||||
0x02, 0x55, 0x53, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x0A,
|
0x02, 0x55, 0x53, 0x31, 0x0F, 0x30, 0x0D, 0x06, 0x03, 0x55, 0x04, 0x0A,
|
||||||
0x13, 0x06, 0x41, 0x6D, 0x61, 0x7A, 0x6F, 0x6E, 0x31, 0x19, 0x30, 0x17,
|
0x13, 0x06, 0x41, 0x6D, 0x61, 0x7A, 0x6F, 0x6E, 0x31, 0x19, 0x30, 0x17,
|
||||||
@ -111,7 +105,7 @@ const unsigned char PROGMEM TA0_DN[] = {
|
|||||||
0x6E, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x41, 0x20, 0x31
|
0x6E, 0x20, 0x52, 0x6F, 0x6F, 0x74, 0x20, 0x43, 0x41, 0x20, 0x31
|
||||||
};
|
};
|
||||||
|
|
||||||
const unsigned char PROGMEM TA0_RSA_N[] = {
|
const unsigned char PROGMEM AmazonRootCA1_RSA_N[] = {
|
||||||
0xB2, 0x78, 0x80, 0x71, 0xCA, 0x78, 0xD5, 0xE3, 0x71, 0xAF, 0x47, 0x80,
|
0xB2, 0x78, 0x80, 0x71, 0xCA, 0x78, 0xD5, 0xE3, 0x71, 0xAF, 0x47, 0x80,
|
||||||
0x50, 0x74, 0x7D, 0x6E, 0xD8, 0xD7, 0x88, 0x76, 0xF4, 0x99, 0x68, 0xF7,
|
0x50, 0x74, 0x7D, 0x6E, 0xD8, 0xD7, 0x88, 0x76, 0xF4, 0x99, 0x68, 0xF7,
|
||||||
0x58, 0x21, 0x60, 0xF9, 0x74, 0x84, 0x01, 0x2F, 0xAC, 0x02, 0x2D, 0x86,
|
0x58, 0x21, 0x60, 0xF9, 0x74, 0x84, 0x01, 0x2F, 0xAC, 0x02, 0x2D, 0x86,
|
||||||
@ -136,24 +130,79 @@ const unsigned char PROGMEM TA0_RSA_N[] = {
|
|||||||
0x9A, 0xC8, 0xAA, 0x0D
|
0x9A, 0xC8, 0xAA, 0x0D
|
||||||
};
|
};
|
||||||
|
|
||||||
static const unsigned char PROGMEM TA0_RSA_E[] = {
|
static const unsigned char PROGMEM AmazonRootCA1_RSA_E[] = {
|
||||||
0x01, 0x00, 0x01
|
0x01, 0x00, 0x01
|
||||||
};
|
};
|
||||||
|
|
||||||
const br_x509_trust_anchor PROGMEM AmazonRootCA1_TA = {
|
const br_x509_trust_anchor PROGMEM AmazonRootCA1_TA = {
|
||||||
{ (unsigned char *)TA0_DN, sizeof TA0_DN },
|
{ (unsigned char *)AmazonRootCA1_DN, sizeof AmazonRootCA1_DN },
|
||||||
BR_X509_TA_CA,
|
BR_X509_TA_CA,
|
||||||
{
|
{
|
||||||
BR_KEYTYPE_RSA,
|
BR_KEYTYPE_RSA,
|
||||||
{ .rsa = {
|
{ .rsa = {
|
||||||
(unsigned char *)TA0_RSA_N, sizeof TA0_RSA_N,
|
(unsigned char *)AmazonRootCA1_RSA_N, sizeof AmazonRootCA1_RSA_N,
|
||||||
(unsigned char *)TA0_RSA_E, sizeof TA0_RSA_E,
|
(unsigned char *)AmazonRootCA1_RSA_E, sizeof AmazonRootCA1_RSA_E,
|
||||||
} }
|
} }
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
#define TAs_NUM 1
|
// we add a separate CA for telegram
|
||||||
|
/*********************************************************************************************\
|
||||||
|
* GoDaddy Daddy Secure Certificate Authority - G2, RSA 2048 bits SHA 256, valid until 20220523
|
||||||
|
*
|
||||||
|
* to convert do: "brssl ta GoDaddyCA.pem"
|
||||||
|
* then copy and paste below, chain the generic names to the same as below
|
||||||
|
* remove "static" and add "PROGMEM"
|
||||||
|
\*********************************************************************************************/
|
||||||
|
|
||||||
#endif // USE_MQTT_AWS_IOT
|
const unsigned char GoDaddyCAG2_DN[] PROGMEM = {
|
||||||
|
0x30, 0x3E, 0x31, 0x21, 0x30, 0x1F, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x13,
|
||||||
|
0x18, 0x44, 0x6F, 0x6D, 0x61, 0x69, 0x6E, 0x20, 0x43, 0x6F, 0x6E, 0x74,
|
||||||
|
0x72, 0x6F, 0x6C, 0x20, 0x56, 0x61, 0x6C, 0x69, 0x64, 0x61, 0x74, 0x65,
|
||||||
|
0x64, 0x31, 0x19, 0x30, 0x17, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x10,
|
||||||
|
0x61, 0x70, 0x69, 0x2E, 0x74, 0x65, 0x6C, 0x65, 0x67, 0x72, 0x61, 0x6D,
|
||||||
|
0x2E, 0x6F, 0x72, 0x67
|
||||||
|
};
|
||||||
|
|
||||||
#endif // USE_MQTT_TLS_CA_CERT
|
const unsigned char GoDaddyCAG2_RSA_N[] PROGMEM = {
|
||||||
|
0xB4, 0xA3, 0x16, 0x9E, 0x5C, 0x57, 0xC9, 0x89, 0x65, 0xED, 0xEA, 0x78,
|
||||||
|
0x0B, 0xAE, 0x8A, 0x58, 0x2F, 0xAE, 0x5A, 0xC8, 0x6E, 0x49, 0x8D, 0xFC,
|
||||||
|
0x57, 0xA5, 0x98, 0x88, 0x78, 0x2E, 0x0B, 0x3C, 0x40, 0x3C, 0x21, 0x2E,
|
||||||
|
0x9A, 0x94, 0x98, 0x33, 0xA7, 0xE3, 0x42, 0xA7, 0x85, 0xFA, 0xD0, 0x73,
|
||||||
|
0x84, 0x01, 0x1C, 0x72, 0x39, 0x37, 0x23, 0xB5, 0x56, 0x1D, 0x43, 0xA5,
|
||||||
|
0x71, 0x14, 0x08, 0x24, 0xA5, 0x39, 0xCC, 0xDE, 0x58, 0x53, 0x94, 0x8E,
|
||||||
|
0x2A, 0x42, 0xA7, 0x4E, 0x2D, 0x07, 0x32, 0x9E, 0xBA, 0x8B, 0xD3, 0x2A,
|
||||||
|
0xA9, 0x9E, 0xC0, 0xE3, 0xCE, 0x9A, 0x10, 0x96, 0x45, 0x58, 0x7A, 0xC7,
|
||||||
|
0x1E, 0x45, 0x14, 0x23, 0x92, 0xBB, 0x54, 0x82, 0x88, 0x94, 0x49, 0xB6,
|
||||||
|
0xBE, 0x81, 0x21, 0x00, 0x29, 0x6D, 0xC9, 0xCE, 0x8B, 0x39, 0x3A, 0xDC,
|
||||||
|
0x35, 0x15, 0xD9, 0xEB, 0x47, 0x9C, 0xEF, 0xBA, 0x09, 0x0E, 0x16, 0xE4,
|
||||||
|
0xD9, 0xEB, 0x72, 0x30, 0xFA, 0x49, 0xAB, 0x98, 0x31, 0x7C, 0xB3, 0xAC,
|
||||||
|
0x2B, 0x29, 0x91, 0x87, 0x08, 0x41, 0x72, 0x5E, 0x35, 0xC7, 0x87, 0x04,
|
||||||
|
0x22, 0xF5, 0x48, 0x76, 0x30, 0x6D, 0x88, 0xDF, 0xF2, 0xA5, 0x29, 0x13,
|
||||||
|
0x70, 0xB3, 0x87, 0x02, 0xD5, 0x6B, 0x58, 0xB1, 0xE8, 0x73, 0xC7, 0xE4,
|
||||||
|
0xEF, 0x79, 0x86, 0xA4, 0x07, 0x5F, 0x67, 0xB4, 0x79, 0x8D, 0xA4, 0x25,
|
||||||
|
0x01, 0x82, 0x8C, 0xE0, 0x30, 0x17, 0xCB, 0x4B, 0x5C, 0xFB, 0xEB, 0x4C,
|
||||||
|
0x12, 0x51, 0xB9, 0xC9, 0x04, 0x1F, 0x7E, 0xD2, 0xF8, 0xBA, 0xF5, 0x35,
|
||||||
|
0x8D, 0x8A, 0x1C, 0x37, 0x82, 0xF0, 0x15, 0x73, 0x00, 0x6E, 0x3D, 0x1C,
|
||||||
|
0x76, 0x8B, 0x01, 0x74, 0x81, 0x3D, 0xE4, 0x2C, 0xA7, 0xCC, 0x2F, 0x66,
|
||||||
|
0xDC, 0x44, 0xA8, 0x27, 0x3F, 0xEA, 0xD0, 0xA7, 0xA8, 0xF1, 0xCB, 0xEA,
|
||||||
|
0xDA, 0x07, 0x38, 0xBD
|
||||||
|
};
|
||||||
|
|
||||||
|
const unsigned char GoDaddyCAG2_RSA_E[] PROGMEM = {
|
||||||
|
0x01, 0x00, 0x01
|
||||||
|
};
|
||||||
|
|
||||||
|
const br_x509_trust_anchor GoDaddyCAG2_TA PROGMEM = {
|
||||||
|
{ (unsigned char *)GoDaddyCAG2_DN, sizeof GoDaddyCAG2_DN },
|
||||||
|
0,
|
||||||
|
{
|
||||||
|
BR_KEYTYPE_RSA,
|
||||||
|
{ .rsa = {
|
||||||
|
(unsigned char *)GoDaddyCAG2_RSA_N, sizeof GoDaddyCAG2_RSA_N,
|
||||||
|
(unsigned char *)GoDaddyCAG2_RSA_E, sizeof GoDaddyCAG2_RSA_E,
|
||||||
|
} }
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
#endif // defined(USE_TLS) && defined(USE_MQTT_TLS_CA_CERT)
|
||||||
|
|||||||
@ -88,7 +88,7 @@ extern "C" void resetPins();
|
|||||||
const uint16_t WEB_LOG_SIZE = 4000; // Max number of characters in weblog
|
const uint16_t WEB_LOG_SIZE = 4000; // Max number of characters in weblog
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(USE_MQTT_TLS) && defined(ARDUINO_ESP8266_RELEASE_2_3_0)
|
#if defined(USE_TLS) && defined(ARDUINO_ESP8266_RELEASE_2_3_0)
|
||||||
#error "TLS is no more supported on Core 2.3.0, use 2.4.2 or higher."
|
#error "TLS is no more supported on Core 2.3.0, use 2.4.2 or higher."
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user