This new compilation flag can be set through ArduinoBearSSLConfig.h and will allow the user to use ArduinoBearSSL without ECCX08.

Indeed, the cryptographic operations could be done through the default software implementation or offloaded to another secure element such as an applet compliant with the GSMA IoT SAFE standard.

Signed-off-by: Fabrice Fontaine [email protected]

Add support for not sending Server Name Indication even when host is a DNS name.

This PR paves the way for supporting TLS servers with home-made/self-created PKI CAs and no SNI extension in server certificate.

This PR has been tested on an Arduino MKR WiFi 1000 and an Arduino MKR WiFi 1010 connected to an in-house MQTT/S broker (mosquitto) with TLS support configured with security files generated via an in-house EasyRSA instance.

The Arduino boards have been programmed with the AWS_IoT_WiFi.ino sketch.

Certificates generation steps:

• the certificate signing requests (CSRs) have been generated with the standard ArduinoECCX08 CSR tool
• the CSRs have been signed with the in-house EasyRSA to generate the client certificates for the Arduino boards
• the generated certificates have been added to the sketches.

… as trust anchor

Adding DigiCertGlobalRootG2 and MicrosoftRSARootCertificateAuthority2017 as trust anchors.

• Added .cer files to extras/TrustAnchors/
• Ran *brssl ta .cer on TrustAnchors folder with added certificates, added new structures to existing src/BearSSLTrustAnchors.h file

I keep getting undefined reference to `_gettimeofday issue when importing the ArduinoBearSSL library.

undefined reference to `_gettimeofday'

Linking .pio\build\teensy40\firmware.elf
c:/users/ganna/.platformio/packages/toolchain-gccarmnoneeabi/bin/../lib/gcc/arm-none-eabi/5.4.1/../../../../arm-none-eabi/lib/armv7e-m/fpu/fpv5-d16\libc.a(lib_a-gettimeofdayr.o): In function `_gettimeofday_r':
gettimeofdayr.c:(.text._gettimeofday_r+0x10): undefined reference to `_gettimeofday'
collect2.exe: error: ld returned 1 exit status
*** [.pio\build\teensy40\firmware.elf] Error 1

the fix mentioned https://github.com/arduino/Arduino/issues/9413 seems to solve it.

But wanted to understand the reason for this issue? any help is appreciated.

Thanks

This is similar to #39 in that it enables setting the parent certificate of a client certificate, but the difference to #39 is that it works when the client certificate private key is using an ECC508/608 key slot.

This change is based from #43 and with these two changes it makes it possible to use AWS JITP with an Arduino Nano 33 IoT with the private key stored in the ATECC608A.

Use two dedicated buffers for input and output instead of split mode, indeed some MQTT server (especially with TLS) needs a full 8k buffer as they send their Certificate Chain. On the other hand, on output, a 1k buffer seems to be enough

Signed-off-by: Fabrice Fontaine [email protected]

This pull request adds the following:

• New API to set private key (and public certificate) for client based authentication
• Adds the DigitCertGlobalRootCA as trust anchor

Some IoT cloud providers do not support either:

1. Elliptic Curve Cryptography (ECC)
2. Generating a public certificate from a CSR

This pull request would allow users to specify their own private key (RSA or ECC) and public certification in PEM format using:

const char SECRET_CERTIFICATE[] = R"(
-----BEGIN CERTIFICATE-----
// ...
-----END CERTIFICATE-----
)";

const char SECRET_KEY[] = R"(
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
)";

// ...
sslClient.setKey(SECRET_KEY, SECRET_CERTIFICATE);

They would also still be able leverage the TNG feature of the ECCX08 crypto chip with this library.

Please let me know if you have any questions, or comments regarding the proposed changes.

cc/ @skye0402

I'm using ArduinoBearSSL to connect to server with TLS and its works with the 1.5.0 release butnot with the 1.6.0 release. Going back through the commits trying each it breaks with this change: https://github.com/arduino-libraries/ArduinoBearSSL/pull/31

The server does have a certificate with an ECDSA key.

Is there some bug, or am I suppose to explicitly call setEccVrfy/setEccSign now? And if so what would the arg be?

Hello team,

I failed to send a long data(> 512bytes), using BearSSLClient::write(const uint8_t *buf, size_t size)

Suppose that buf stored 600 bytes data and br_sslio_write() could send 512 bytes at maximum each call.

Call write(buf, 600)

Expected behavior write() sends 600 bytes and returns 600

Current behavior write() sends 1024 bytes and returns 1024

Detail:

1. User calls write(buf, 600)
2. First time execution in the while loop
   • br_sslio_write() sends 512 bytes from &buf[0] and returns 512, buf points at &buf[512], written = 512
3. written < size is true
4. Second time execution in the while loop
   • br_sslio_write() sends 512 bytes from &buf[512] and returns 512, buf points at &buf[1024], written = 1024
5. written < size is false and escaping from the loop
6. write() returns 1024

To fix this issue, I'd like to change here from:
int result = br_sslio_write(&_ioc, buf, size); to:
int result = br_sslio_write(&_ioc, buf, size - written);

Bumps actions/checkout from 2 to 2.3.4.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

I'm opening this issue to know if it would be possible to make ArduinoECCX08 optional?

Indeed, I'm currently using ArduinoBearSSL on an Arduino MKR NB 1500 but without using the ArduinoECCX08 (thanks to setEccVrfy, setEccSign, etc.). I'm planning to continue to use ArduinoBearSSL on a STM32 board so I made some modifications to protect all the ArduinoECC08 specific code by ifndef ARDUINO_DISABLE_ECCX08. Ideally, I would like to upstream this modification but I'm not sure if it makes sense for you and I don't know if there is a standard way to declare or manage optional dependency in the Arduino world (i.e. if Arduino was autotools/cmake/meson based, I would declare an option such as --disable-eccx08).

The problem of #56 is even bigger: ::ClientRead() and ::ClientWrite() are called in bearssl ssl_io.c. If the socket client connection (Client *c) is lost or reset by the peer, both c->read(buf, len) and c->write(buf, len) will return a 0 (at least on the ESP32 but I think this is standard behavior also on an Arduino) thus causing an infinite loop in static int run_until(br_sslio_context *ctx, unsigned target) in ssl_io.c.

In my situation this problem occurs on a bad WiFi connection, but I think it may also occur on a bad tcp/ip connection or if the peer closes the connection.

One solution would be to add a timeout in the run_until() function, but I think it is better not to touch the original library. So I made adaptations to ::ClientRead() and ::ClientWrite() that involve static variables, which I think is a bad programming habit, but this is the only way to record a state between calls to these functions. I did not introduce a new timeout value, but use the value of the socket client c->getTimeout().

int BearSSLClient::clientRead(void *ctx, unsigned char *buf, size_t len)
{
  static bool notAvailableFlag = false;
  static uint32_t lastNotAvailableMillis;

  Client* c = (Client*)ctx;

  if (!c->connected() && !c->available()) {

    return -1;			// connection lost or closed by peer (in ssl_io.c low_read, which points to this function, fails on a -1. which it should if a connection is lost)
  }

  int result = c->read(buf, len);
  if (result == 0) {
    if(notAvailableFlag) {
      if(millis() - lastNotAvailableMillis > c->getTimeout()) {
        notAvailableFlag = false;  // for the next round

        return -1;		// timout read (in ssl_io.c low_read, which points to this function, fails on a -1. which it should if a connection is lost or closed by peer)
      }
    } else {
      notAvailableFlag = true; // First time no data available
      lastNotAvailableMillis = millis();
    }
  
    delay(10);			// Needed?
  } else {
    notAvailableFlag = false; // This flag was set but new data is available, so start again
  }

#ifdef DEBUGSERIAL
  DEBUGSERIAL.print("BearSSLClient::clientRead - ");
  DEBUGSERIAL.print(result);
  DEBUGSERIAL.print(" - ");  
  for (size_t i = 0; i < result; i++) {
    byte b = buf[i];

    if (b < 16) {
      DEBUGSERIAL.print("0");
    }
    DEBUGSERIAL.print(b, HEX);
  }
  DEBUGSERIAL.println();
#endif

  return result;
}

int BearSSLClient::clientWrite(void *ctx, const unsigned char *buf, size_t len)
{
  static bool notAvailableForWriteFlag = false;
  static uint32_t lastNotAvailableForWriteMillis;

  Client* c = (Client*)ctx;

  if (!c->connected()) {

    return -1;			// connection lost or closed by peer (in ssl_io.c low_write, which points to this function, fails on a -1. which it should if a connection is lost)
  }

  int result = c->write(buf, len);
  if (result == 0) {

    if(notAvailableForWriteFlag) {
      if(millis() - lastNotAvailableForWriteMillis > c->getTimeout()) {
        notAvailableForWriteFlag = false;  // for the next round

        return -1;		// timout write (in ssl_io.c low_write, which points to this function, fails on a -1. which it should if a connection is lost or closed by peer)
      }
    } else {
      notAvailableForWriteFlag = true; // First time impossible to write data to peer
      lastNotAvailableForWriteMillis = millis();
    }

    delay(10);			// Needed?
  } else {
    notAvailableForWriteFlag = false; // This flag was set but new data was written, so start again
  }

#ifdef DEBUGSERIAL
  DEBUGSERIAL.print("BearSSLClient::clientWrite - ");
  DEBUGSERIAL.print(len);
  DEBUGSERIAL.print(" - ");
  for (size_t i = 0; i < len; i++) {
    byte b = buf[i];

    if (b < 16) {
      DEBUGSERIAL.print("0");
    }
    DEBUGSERIAL.print(b, HEX);
  }
  DEBUGSERIAL.println();
#endif

  return result;
}

Besides the canned examples (in another libary) there is no documentation how to use the library or support in the forum.

BearSSL reference is not a 1 for 1 match for the functions in this library so it can not be readily referenced.

Some basic documentation or usable references would be helpful.

Thanks

Bruce

Here the connection might already by closed but there may still be data available in the client's buffer. To work correctly, it should be changed to

return c->read(buf, len);

Hello Team,

The ATECC608B-TNGTLS comes pre-configured and pre-provisioned with default thumbprint certificates and keys which can be used the cloud infrastructure would not require verification of the thumbprint certificate by a certificate authority. Can ArduinoBearSSL along with ArduinoECCX08 leverage this functionality eliminating the need to create a CSR ( coming from this tutorial ) and register it with AWS using Multi-Account Registration?

hello friend how can I use this function so that it recevies Auto handshake without certificate??? exp : when using class esp8266secure can get data handshake & its dosent need cert.h class or function & gets the certificate automaticaly the same as chrome browser when searching the web site thx