2.2.1 fixed support for ECDHE in TLS protocol

- even though these protocols were offered in the ClientHello, they were broken - the supporting extensions were missing and the server never selected them
HomeACcessoryKid · Nov 30, 2021 · acd4330 · acd4330
1 parent ac4592a
commit acd4330
Show file tree

Hide file tree

Showing 9 changed files with 26 additions and 20 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 2.2.1 fixed support for ECDHE in TLS protocol
+- even though these protocols were offered in the ClientHello, they were broken
+- the supporting extensions were missing and the server never selected them
+
 ## 2.2.0 more robust parsing of Location header and added ota_string
 - even long headers existing before the Location header will be parsable
 - ota_string sysparam added to pass configuration to user app

diff --git a/Makefile b/Makefile
@@ -43,6 +43,8 @@ EXTRA_WOLFSSL_CFLAGS = \
 	-DHAVE_ECC_SIGN \
 	-DHAVE_ECC_VERIFY \
 	-DHAVE_ECC_KEY_IMPORT \
+	-DHAVE_ECC_DHE \
+	-DHAVE_SUPPORTED_CURVES \
 
 #	-DDEBUG_WOLFSSL \
 

diff --git a/deploy.md b/deploy.md
@@ -10,30 +10,30 @@ cd life-cycle-manager
 - initial steps to be expanded
 
 #### These are the steps if not introducing a new key pair
-- create/update the file versions1/latest-pre-release without new-line and setup 2.2.0 version folder
+- create/update the file versions1/latest-pre-release without new-line and setup 2.2.1 version folder
 ```
-mkdir versions1/2.2.0v
-echo -n 2.2.0 > versions1/2.2.0v/latest-pre-release
-cp versions1/certs.sector versions1/certs.sector.sig versions1/2.2.0v
-cp versions1/public*key*   versions1/2.2.0v
+mkdir versions1/2.2.1v
+echo -n 2.2.1 > versions1/2.2.1v/latest-pre-release
+cp versions1/certs.sector versions1/certs.sector.sig versions1/2.2.1v
+cp versions1/public*key*   versions1/2.2.1v
 ```
 - set local.mk to the ota-main program
 ```
-make -j6 rebuild OTAVERSION=2.2.0
-mv firmware/otamain.bin versions1/2.2.0v
+make -j6 rebuild OTAVERSION=2.2.1
+mv firmware/otamain.bin versions1/2.2.1v
 ```
 - set local.mk back to ota-boot program
 ```
-make -j6 rebuild OTAVERSION=2.2.0
-mv firmware/otaboot.bin versions1/2.2.0v
-make -j6 rebuild OTAVERSION=2.2.0 OTABETA=1
-cp firmware/otaboot.bin versions1/2.2.0v/otabootbeta.bin
+make -j6 rebuild OTAVERSION=2.2.1
+mv firmware/otaboot.bin versions1/2.2.1v
+make -j6 rebuild OTAVERSION=2.2.1 OTABETA=1
+cp firmware/otaboot.bin versions1/2.2.1v/otabootbeta.bin
 ```
 - remove the older version files
 #
 - update Changelog
-- commit this as version 2.2.0  
-- set up a new github release 2.2.0 as a pre-release using the just commited master...  
+- commit this as version 2.2.1  
+- set up a new github release 2.2.1 as a pre-release using the just commited master...  
 - upload the certs and binaries to the pre-release assets on github  
 #
 - erase the flash and upload the privatekey
@@ -43,18 +43,18 @@ esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versions1-pr
 ```
 - upload the ota-boot BETA program to the device that contains the private key
 ```
-make flash OTAVERSION=2.2.0 OTABETA=1
+make flash OTAVERSION=2.2.1 OTABETA=1
 ```
 - power cycle to prevent the bug for software reset after flash  
 - setup wifi and select the ota-demo repo without pre-release checkbox  
 - create the 2 signature files next to the bin file and upload to github one by one  
 - verify the hashes on the computer  
 ```
-openssl sha384 versions1/2.2.0v/otamain.bin
-xxd versions1/2.2.0v/otamain.bin.sig
+openssl sha384 versions1/2.2.1v/otamain.bin
+xxd versions1/2.2.1v/otamain.bin.sig
 ```
 
-- upload the file versions1/2.2.0v/latest-pre-release to the 'latest release' assets on github
+- upload the file versions1/2.2.1v/latest-pre-release to the 'latest release' assets on github
 
 #### Testing
 
@@ -107,14 +107,14 @@ esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versionsN-1-
 ```
 - collect public-1.key.sig and store it in the new version folder and copy it to versions1
 ```
-cp  versions1/2.2.0v/public-1.key.sig versions1
+cp  versions1/2.2.1v/public-1.key.sig versions1
 ```
 - then flash the new private key
 ```
 esptool.py -p /dev/cu.usbserial-* --baud 230400 write_flash 0xf9000 versions1-privatekey.der
 ```
 - collect cert.sector.sig and store it in the new version folder and copy it to versions1 
 ```
-cp  versions1/2.2.0v/certs.sector.sig versions1
+cp  versions1/2.2.1v/certs.sector.sig versions1
 ```
 - continue with a normal deployment to create the 2 signature files next to the bin files
diff --git a/versions1/2.2.0v/latest-pre-release b/versions1/2.2.0v/latest-pre-release
diff --git a/versions1/2.2.0v/certs.sector → versions1/2.2.1v/certs.sector b/versions1/2.2.0v/certs.sector → versions1/2.2.1v/certs.sector
diff --git a/versions1/2.2.1v/latest-pre-release b/versions1/2.2.1v/latest-pre-release
@@ -0,0 +1 @@
+2.2.1
diff --git a/versions1/2.2.0v/otaboot.bin → versions1/2.2.1v/otaboot.bin b/versions1/2.2.0v/otaboot.bin → versions1/2.2.1v/otaboot.bin
diff --git a/versions1/2.2.0v/otabootbeta.bin → versions1/2.2.1v/otabootbeta.bin b/versions1/2.2.0v/otabootbeta.bin → versions1/2.2.1v/otabootbeta.bin
diff --git a/versions1/2.2.0v/otamain.bin → versions1/2.2.1v/otamain.bin b/versions1/2.2.0v/otamain.bin → versions1/2.2.1v/otamain.bin