arduino-libraries · pennam · Jul 16, 2024 · Jan 3, 2024 · Jan 3, 2024 · Jan 3, 2024
diff --git a/.github/workflows/compile-examples.yml b/.github/workflows/compile-examples.yml
@@ -48,6 +48,21 @@ jobs:
           - fqbn: arduino:samd:mkrgsm1400
             type: gsm
             artifact-name-suffix: arduino-samd-mkrgsm1400
+          - fqbn: arduino:samd:mkrnb1500
+            type: nb
+            artifact-name-suffix: arduino-samd-mkrnb1500
+          - fqbn: arduino:mbed_portenta:envie_m7
+            type: mbed_portenta
+            artifact-name-suffix: arduino-mbed_portenta-envie_m7
+          - fqbn: arduino:mbed_nano:nanorp2040connect
+            type: nina
+            artifact-name-suffix: arduino-mbed_nano-nanorp2040connect
+          - fqbn: arduino:mbed_opta:opta
+            type: mbed_opta
+            artifact-name-suffix: arduino-mbed_opta-opta
+          - fqbn: arduino:mbed_giga:giga
+            type: mbed_giga
+            artifact-name-suffix: arduino-mbed_giga-giga
           - fqbn: arduino:megaavr:uno2018
             type: megaavr
             artifact-name-suffix: arduino-megaavr-uno2018

diff --git a/src/AES128.cpp b/src/AES128.cpp
@@ -22,6 +22,7 @@
  * SOFTWARE.
  */
 
+#include <ArduinoBearSSL.h>
 #include "AES128.h"
 
 AES128Class::AES128Class() :
@@ -49,6 +50,6 @@ int AES128Class::runDecryption(uint8_t *key, size_t size, uint8_t *input, size_t
   return 1;
 }
 
-#ifndef ARDUINO_ARCH_MEGAAVR
+#if !defined(ARDUINO_BEARSSL_DISABLE_AES128) && !defined(ARDUINO_ARCH_MEGAAVR)
 AES128Class AES128;
 #endif
diff --git a/src/BearSSLClient.cpp b/src/BearSSLClient.cpp
@@ -28,15 +28,33 @@
 #include <ArduinoECCX08.h>
 #endif
 
+#ifndef ARDUINO_BEARSSL_DISABLE_BUILTIN_TRUST_ANCHORS
 #include "BearSSLTrustAnchors.h"
+#endif
 #include "utility/eccX08_asn1.h"
 
 #include "BearSSLClient.h"
 
+#ifndef ARDUINO_BEARSSL_DISABLE_BUILTIN_TRUST_ANCHORS
 BearSSLClient::BearSSLClient(Client& client) :
   BearSSLClient(&client, TAs, TAs_NUM)
 {
 }
+#endif
+
+BearSSLClient::BearSSLClient() :
+  _noSNI(false)
+{
+  _ecKey.curve = 0;
+  _ecKey.x = NULL;
+  _ecKey.xlen = 0;
+
+  for (size_t i = 0; i < BEAR_SSL_CLIENT_CHAIN_SIZE; i++) {
+    _ecCert[i].data = NULL;
+    _ecCert[i].data_len = 0;
+  }
+  _ecCertDynamic = false;
+}
 
 BearSSLClient::BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs)
 : BearSSLClient(&client, myTAs, myNumTAs)
@@ -48,8 +66,15 @@ BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs,
   _TAs(myTAs),
   _numTAs(myNumTAs),
   _noSNI(false),
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
   _skeyDecoder(NULL),
-  _ecChainLen(0)
+#endif
+  _ecChainLen(0),
+#ifndef ARDUINO_BEARSSL_DISABLE_FULL_CLIENT_PROFILE
+  _br_ssl_client_init_function(br_ssl_client_init_full)
+#else
+  _br_ssl_client_init_function(NULL)
+#endif
 {
 #ifndef ARDUINO_DISABLE_ECCX08
   _ecVrfy = eccX08_vrfy_asn1;
@@ -77,10 +102,12 @@ BearSSLClient::~BearSSLClient()
     _ecCert[0].data = NULL;
   }
 
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
   if (_skeyDecoder) {
     free(_skeyDecoder);
     _skeyDecoder = NULL;
   }
+#endif
 }
 
 int BearSSLClient::connect(IPAddress ip, uint16_t port)
@@ -309,6 +336,7 @@ void BearSSLClient::setEccSlot(int ecc508KeySlot, const char cert[])
   }
 }
 
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
 void BearSSLClient::setKey(const char key[], const char cert[])
 {
   // try to decode the key and cert
@@ -381,7 +409,9 @@ void BearSSLClient::setKey(const char key[], const char cert[])
     }
   }
 }
+#endif
 
+#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1
 void BearSSLClient::setEccCertParent(const char cert[])
 {
   // try to decode the cert
@@ -428,6 +458,7 @@ void BearSSLClient::setEccCertParent(const char cert[])
     }
   }
 }
+#endif
 
 int BearSSLClient::errorCode()
 {
@@ -436,8 +467,12 @@ int BearSSLClient::errorCode()
 
 int BearSSLClient::connectSSL(const char* host)
 {
-  // initialize client context with all algorithms and hardcoded trust anchors
-  br_ssl_client_init_full(&_sc, &_xc, _TAs, _numTAs);
+  if (!_br_ssl_client_init_function) {
+    return 0;
+  }
+
+  // initialize client context with enabled algorithms and trust anchors
+  _br_ssl_client_init_function(&_sc, &_xc, _TAs, _numTAs);
 
   br_ssl_engine_set_buffers_bidi(&_sc.eng, _ibuf, sizeof(_ibuf), _obuf, sizeof(_obuf));
 
@@ -462,6 +497,7 @@ int BearSSLClient::connectSSL(const char* host)
 
   // enable client auth
   if (_ecCert[0].data_len) {
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
     if (_skeyDecoder) {
       int skeyType = br_skey_decoder_key_type(_skeyDecoder);
 
@@ -471,8 +507,11 @@ int BearSSLClient::connectSSL(const char* host)
         br_ssl_client_set_single_rsa(&_sc, _ecCert, _ecChainLen, br_skey_decoder_get_rsa(_skeyDecoder), br_rsa_pkcs1_sign_get_default());
       }
     } else {
+#endif
       br_ssl_client_set_single_ec(&_sc, _ecCert, _ecChainLen, &_ecKey, BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN, BR_KEYTYPE_EC, br_ec_get_default(), _ecSign);
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
     }
+#endif
   }
 
   // set the hostname used for SNI
@@ -575,18 +614,21 @@ void BearSSLClient::clientAppendCert(void *ctx, const void *data, size_t len)
   c->_ecCert[0].data_len += len;
 }
 
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
 void BearSSLClient::clientAppendKey(void *ctx, const void *data, size_t len)
 {
   BearSSLClient* c = (BearSSLClient*)ctx;
 
   br_skey_decoder_push(c->_skeyDecoder, data, len);
 }
+#endif
 
+#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1
 void BearSSLClient::parentAppendCert(void *ctx, const void *data, size_t len)
 {
   BearSSLClient* c = (BearSSLClient*)ctx;
 
   memcpy(&c->_ecCert[1].data[c->_ecCert[1].data_len], data, len);
   c->_ecCert[1].data_len += len;
 }
-
+#endif
diff --git a/src/BearSSLClient.h b/src/BearSSLClient.h
@@ -32,7 +32,7 @@
 #endif
 
 #ifndef BEAR_SSL_CLIENT_IBUF_SIZE
-#define BEAR_SSL_CLIENT_IBUF_SIZE 32768
+#define BEAR_SSL_CLIENT_IBUF_SIZE (16384 + 325)
 #endif
 
 #else
@@ -59,14 +59,15 @@
 class BearSSLClient : public Client {
 
 public:
+  BearSSLClient();
   BearSSLClient(Client& client);
   BearSSLClient(Client& client, const br_x509_trust_anchor* myTAs, int myNumTAs);
   BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, int myNumTAs);
   virtual ~BearSSLClient();
 
-
   inline void setClient(Client& client) { _client = &client; }
-
+  inline void setProfile(void(*client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trustrust_anchorst_anchors_num)) { _br_ssl_client_init_function = client_init_function; }
+  inline void setTrustAnchors(const br_x509_trust_anchor* myTAs, int myNumTAs) { _TAs = myTAs; _numTAs = myNumTAs; }
 
   virtual int connect(IPAddress ip, uint16_t port);
   virtual int connect(const char* host, uint16_t port);
@@ -97,8 +98,12 @@ class BearSSLClient : public Client {
 
   void setEccSlot(int ecc508KeySlot, const byte cert[], int certLength);
   void setEccSlot(int ecc508KeySlot, const char cert[]);
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
   void setKey(const char key[], const char cert[]);
+#endif
+#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1
   void setEccCertParent(const char cert[]);
+#endif
 
   int errorCode();
 
@@ -107,8 +112,12 @@ class BearSSLClient : public Client {
   static int clientRead(void *ctx, unsigned char *buf, size_t len);
   static int clientWrite(void *ctx, const unsigned char *buf, size_t len);
   static void clientAppendCert(void *ctx, const void *data, size_t len);
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
   static void clientAppendKey(void *ctx, const void *data, size_t len);
+#endif
+#if BEAR_SSL_CLIENT_CHAIN_SIZE > 1
   static void parentAppendCert(void *ctx, const void *data, size_t len);
+#endif
 
 private:
   Client* _client;
@@ -121,7 +130,9 @@ class BearSSLClient : public Client {
   br_ecdsa_sign _ecSign;
 
   br_ec_private_key _ecKey;
+#ifndef ARDUINO_BEARSSL_DISABLE_KEY_DECODER
   br_skey_decoder_context* _skeyDecoder;
+#endif
   br_x509_certificate _ecCert[BEAR_SSL_CLIENT_CHAIN_SIZE];
   int _ecChainLen;
   bool _ecCertDynamic;
@@ -131,6 +142,8 @@ class BearSSLClient : public Client {
   unsigned char _ibuf[BEAR_SSL_CLIENT_IBUF_SIZE];
   unsigned char _obuf[BEAR_SSL_CLIENT_OBUF_SIZE];
   br_sslio_context _ioc;
+
+  void (*_br_ssl_client_init_function)(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
 };
 
 #endif
diff --git a/src/DES.cpp b/src/DES.cpp
@@ -22,6 +22,7 @@
  * SOFTWARE.
  */
 
+#include <ArduinoBearSSL.h>
 #include "DES.h"
 
 DESClass::DESClass() :
@@ -50,6 +51,6 @@ int DESClass::runDecryption(uint8_t *key, size_t size, uint8_t *input, size_t bl
 }
 
 
-#ifndef ARDUINO_ARCH_MEGAAVR
+#if !defined(ARDUINO_BEARSSL_DISABLE_DES) && !defined(ARDUINO_ARCH_MEGAAVR)
 DESClass DES;
 #endif
diff --git a/src/MD5.cpp b/src/MD5.cpp
@@ -22,6 +22,7 @@
  * SOFTWARE.
  */
 
+#include <ArduinoBearSSL.h>
 #include "MD5.h"
 
 MD5Class::MD5Class() :
@@ -54,6 +55,6 @@ int MD5Class::end(uint8_t *digest)
   return 1;
 }
 
-#ifndef ARDUINO_ARCH_MEGAAVR
+#if !defined(ARDUINO_BEARSSL_DISABLE_MD5) && !defined(ARDUINO_ARCH_MEGAAVR)
 MD5Class MD5;
 #endif
diff --git a/src/SHA1.cpp b/src/SHA1.cpp
@@ -22,6 +22,7 @@
  * SOFTWARE.
  */
 
+#include <ArduinoBearSSL.h>
 #include "SHA1.h"
 
 SHA1Class::SHA1Class() :
@@ -54,4 +55,6 @@ int SHA1Class::end(uint8_t *digest)
   return 1;
 }
 
+#if !defined(ARDUINO_BEARSSL_DISABLE_SHA1)
 SHA1Class SHA1;
+#endif
diff --git a/src/SHA256.cpp b/src/SHA256.cpp
@@ -22,6 +22,7 @@
  * SOFTWARE.
  */
 
+#include <ArduinoBearSSL.h>
 #include "SHA256.h"
 
 SHA256Class::SHA256Class() :
@@ -54,6 +55,6 @@ int SHA256Class::end(uint8_t *digest)
   return 1;
 }
 
-#ifndef ARDUINO_ARCH_MEGAAVR
+#if !defined(ARDUINO_BEARSSL_DISABLE_SHA256) && !defined(ARDUINO_ARCH_MEGAAVR)
 SHA256Class SHA256;
 #endif