From 436c232c451dc4ad7a1ce0ebd606cfbb4b21699b Mon Sep 17 00:00:00 2001 From: Fabrice Fontaine Date: Tue, 23 Jun 2020 18:36:53 +0200 Subject: [PATCH] Add _ecVrfy and _ecSign Add _ecVrfy and _ecSign to allow the user to customize the verification and signature functions (could be useful if the user wants to use BearSSLClient without ECC508) The functions can be customized through the constructor and are set to their current values as soon as the user calls setEccSlot Signed-off-by: Fabrice Fontaine --- src/BearSSLClient.cpp | 36 ++++++++++++++++++++++++++---------- src/BearSSLClient.h | 6 ++++++ 2 files changed, 32 insertions(+), 10 deletions(-) diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp index 435d185..67d00ee 100644 --- a/src/BearSSLClient.cpp +++ b/src/BearSSLClient.cpp @@ -46,6 +46,9 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, _numTAs(myNumTAs), _noSNI(false) { + _ecVrfy = br_ecdsa_vrfy_asn1_get_default(); + _ecSign = br_ecdsa_sign_asn1_get_default(); + _ecKey.curve = 0; _ecKey.x = NULL; _ecKey.xlen = 0; @@ -192,6 +195,16 @@ void BearSSLClient::setInsecure(SNI insecure) } } +void BearSSLClient::setEccVrfy(br_ecdsa_vrfy vrfy) +{ + _ecVrfy = vrfy; +} + +void BearSSLClient::setEccSign(br_ecdsa_sign sign) +{ + _ecSign = sign; +} + void BearSSLClient::setEccSlot(int ecc508KeySlot, const byte cert[], int certLength) { // HACK: put the key slot info. in the br_ec_private_key structure @@ -202,6 +215,9 @@ void BearSSLClient::setEccSlot(int ecc508KeySlot, const byte cert[], int certLen _ecCert.data = (unsigned char*)cert; _ecCert.data_len = certLength; _ecCertDynamic = false; + + _ecVrfy = eccX08_vrfy_asn1; + _ecSign = eccX08_sign_asn1; } void BearSSLClient::setEccSlot(int ecc508KeySlot, const char cert[]) @@ -267,16 +283,7 @@ int BearSSLClient::connectSSL(const char* host) // inject entropy in engine unsigned char entropy[32]; - if (ECCX08.begin() && ECCX08.locked() && ECCX08.random(entropy, sizeof(entropy))) { - // ECC508 random success, add custom ECDSA vfry and EC sign - br_ssl_engine_set_ecdsa(&_sc.eng, eccX08_vrfy_asn1); - br_x509_minimal_set_ecdsa(&_xc, br_ssl_engine_get_ec(&_sc.eng), br_ssl_engine_get_ecdsa(&_sc.eng)); - - // enable client auth using the ECCX08 - if (_ecCert.data_len && _ecKey.xlen) { - br_ssl_client_set_single_ec(&_sc, &_ecCert, 1, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), eccX08_sign_asn1); - } - } else { + if (!ECCX08.begin() || !ECCX08.locked() || !ECCX08.random(entropy, sizeof(entropy))) { // no ECCX08 or random failed, fallback to pseudo random for (size_t i = 0; i < sizeof(entropy); i++) { entropy[i] = random(0, 255); @@ -284,6 +291,15 @@ int BearSSLClient::connectSSL(const char* host) } br_ssl_engine_inject_entropy(&_sc.eng, entropy, sizeof(entropy)); + // add custom ECDSA vfry and EC sign + br_ssl_engine_set_ecdsa(&_sc.eng, _ecVrfy); + br_x509_minimal_set_ecdsa(&_xc, br_ssl_engine_get_ec(&_sc.eng), br_ssl_engine_get_ecdsa(&_sc.eng)); + + // enable client auth + if (_ecCert.data_len && _ecKey.xlen) { + br_ssl_client_set_single_ec(&_sc, &_ecCert, 1, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), _ecSign); + } + // set the hostname used for SNI br_ssl_client_reset(&_sc, host, 0); diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h index 44ba2f8..8296cd9 100644 --- a/src/BearSSLClient.h +++ b/src/BearSSLClient.h @@ -71,6 +71,9 @@ class BearSSLClient : public Client { void setInsecure(SNI insecure) __attribute__((deprecated("INSECURE. DO NOT USE IN PRODUCTION"))); + void setEccVrfy(br_ecdsa_vrfy vrfy); + void setEccSign(br_ecdsa_sign sign); + void setEccSlot(int ecc508KeySlot, const byte cert[], int certLength); void setEccSlot(int ecc508KeySlot, const char cert[]); @@ -89,6 +92,9 @@ class BearSSLClient : public Client { bool _noSNI; + br_ecdsa_vrfy _ecVrfy; + br_ecdsa_sign _ecSign; + br_ec_private_key _ecKey; br_x509_certificate _ecCert; bool _ecCertDynamic;