From ec6448b353b5e60e9f7b3aa3030280416ee90269 Mon Sep 17 00:00:00 2001 From: s-hadinger <49731213+s-hadinger@users.noreply.github.com> Date: Wed, 15 May 2024 22:30:10 +0200 Subject: [PATCH] Drop support of old insecure fingerprint algorithm (deprecated since v8.4.0) (#21416) --- CHANGELOG.md | 2 +- .../src/WiFiClientSecureLightBearSSL.cpp | 57 ------------------- tasmota/my_user_config.h | 17 ------ 3 files changed, 1 insertion(+), 75 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4fe376981..87f835fc8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,7 +15,7 @@ All notable changes to this project will be documented in this file. ### Fixed ### Removed - +- Drop support of old insecure fingerprint algorithm (deprecated since v8.4.0) ## [Released] diff --git a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp index 1cc2ae2b3..540d37420 100755 --- a/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp +++ b/lib/lib_ssl/tls_mini/src/WiFiClientSecureLightBearSSL.cpp 
@@ -813,25 +813,6 @@ extern "C" { // Return 0 on validation success, !0 on validation error static unsigned pubkeyfingerprint_end_chain(const br_x509_class **ctx) { br_x509_pubkeyfingerprint_context *xc = (br_x509_pubkeyfingerprint_context *)ctx; -// **** Start patch Castellucci -/* - br_sha1_context sha1_context; - pubkeyfingerprint_pubkey_fingerprint(&sha1_context, xc->ctx.pkey.key.rsa); - br_sha1_out(&sha1_context, xc->pubkey_recv_fingerprint); // copy to fingerprint - - if (!xc->fingerprint_all) { - if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint1, 20)) { - return 0; - } - if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint2, 20)) { - return 0; - } - return 1; // no match, error - } else { - // Default (no validation at all) or no errors in prior checks = success. - return 0; - } -*/ // set fingerprint status byte to zero // FIXME: find a better way to pass this information xc->pubkey_recv_fingerprint[20] = 0; 
@@ -844,45 +825,7 @@ extern "C" { if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint2, 20)) { return 0; } - -#ifndef USE_MQTT_TLS_DROP_OLD_FINGERPRINT - // No match under new algorithm, do some basic checking on the key. - // - // RSA keys normally have an e value of 65537, which is three bytes long. - // Other e values are suspicious, but if the modulus is a standard size - // (multiple of 512 bits/64 bytes), any public exponent up to eight bytes - // long will be allowed. - // - // A legitimate key could possibly be marked as bad by this check, but - // the user would have had to really worked at making a strange key. - if (!(xc->ctx.pkey.key.rsa.elen == 3 - && xc->ctx.pkey.key.rsa.e[0] == 1 - && xc->ctx.pkey.key.rsa.e[1] == 0 - && xc->ctx.pkey.key.rsa.e[2] == 1)) { - if (xc->ctx.pkey.key.rsa.nlen & 63 != 0 || xc->ctx.pkey.key.rsa.elen > 8) { - return 2; // suspicious key, return error - } - } - - // try the old algorithm and potentially mark for update - pubkeyfingerprint_pubkey_fingerprint(xc, true); - if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint1, 20)) { - xc->pubkey_recv_fingerprint[20] |= 1; // mark for update - } - if (0 == memcmp_P(xc->pubkey_recv_fingerprint, xc->fingerprint2, 20)) { - xc->pubkey_recv_fingerprint[20] |= 2; // mark for update - } - if (!xc->pubkey_recv_fingerprint[20]) { - return 1; // not marked for update because no match, error - } - - // the old fingerprint format matched, recompute new one for update - pubkeyfingerprint_pubkey_fingerprint(xc, false); - - return 0; -#else // USE_TLS_OLD_FINGERPRINT_COMPAT return 1; // no match, error -#endif // USE_TLS_OLD_FINGERPRINT_COMPAT } else { // Default (no validation at all) or no errors in prior checks = success. return 0; diff --git a/tasmota/my_user_config.h b/tasmota/my_user_config.h index 7a38078db..d658efed2 100644 --- a/tasmota/my_user_config.h +++ b/tasmota/my_user_config.h 
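Review bot: With the old-algorithm fallback removed, nothing in `pubkeyfingerprint_end_chain` sets the "mark for update" bits any more, yet the previous hunk's context still has `xc->pubkey_recv_fingerprint[20] = 0;` under its `FIXME`. If callers still read that status byte to rewrite stored fingerprints, that path is presumably dead now. It could be removed together with the old-algorithm mode of `pubkeyfingerprint_pubkey_fingerprint` (the removed calls passed `true`/`false`; the remaining call is outside the hunk). The surviving return would also benefit from a comment stating the fail-closed behaviour, e.g. `return 1; // no match: old-format fingerprints are no longer accepted, reconfigure with the current format`. The function body starts in the previous hunk and continues past this one.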
@@ -103,20 +103,6 @@ #define MQTT_HOST "" // [MqttHost] -// XXX temporary - leave for a few releases so people compiling in -// fingerprints have a chance to update their configuration files -#if !defined(USE_MQTT_TLS_DROP_OLD_FINGERPRINT) && defined(MQTT_FINGERPRINT1) || defined(MQTT_FINGERPRINT2) -#error "The old TLS fingerprint format is being removed.\n\ -Please ensure your TLS fingerprint(s) are using the new version, then add\n\ -\n\ -#define USE_MQTT_TLS_DROP_OLD_FINGERPRINT\n\ -\n\ -to your user_config_override.h file.\n\ -\n\ -An online tool to calculate TLS fingerprints is available here at:\n\ -https://rya.nc/tasmota-fingerprint.html" -#endif - #define MQTT_FINGERPRINT1 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 // [MqttFingerprint1] (auto-learn) #define MQTT_FINGERPRINT2 0xDA,0x39,0xA3,0xEE,0x5E,0x6B,0x4B,0x0D,0x32,0x55,0xBF,0xEF,0x95,0x60,0x18,0x90,0xAF,0xD8,0x07,0x09 // [MqttFingerprint2] (invalid - value from sha1("")) #define MQTT_PORT 1883 // [MqttPort] MQTT port (10123 on CloudMQTT) @@ -462,9 +448,6 @@ https://rya.nc/tasmota-fingerprint.html" // #define USE_MQTT_AWS_IOT // [Deprecated] Enable MQTT for AWS IoT - requires a private key (+11.9k code, +0.4k mem) // Note: you need to generate a private key + certificate per device and update 'tasmota/tasmota_aws_iot.cpp' // Full documentation here: https://github.com/arendst/Tasmota/wiki/AWS-IoT - #define USE_MQTT_TLS_DROP_OLD_FINGERPRINT // If you use fingerprint (i.e. not CA) validation, the algorithm changed to a more secure one. - // Any valid fingerprint with the old algo will be automatically updated to the new algo. - // Enable this if you want to disable the old algo check, which should be more secure // for USE_4K_RSA (support for 4096 bits certificates, instead of 2048), you need to uncommend `-DUSE_4K_RSA` in `build_flags` from `platform.ini` or `platform_override.ini` // -- MQTT - TLS - Azure IoT & IoT Central ---------