diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index 943ca92c9a..291213cb8f 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -208,6 +208,7 @@ menu "mbedTLS"
 config MBEDTLS_SSL_CONTEXT_SERIALIZATION
 bool "Enable serialization of the TLS context structures"
 default n
+ depends on MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
 help
 Enable serialization of the TLS context structures
 This is a local optimization in handling a single, potentially long-lived connection.
@@ -696,7 +697,7 @@ menu "mbedTLS"
 config MBEDTLS_SERVER_SSL_SESSION_TICKETS
 bool "TLS: Server Support for RFC 5077 SSL session tickets"
 default y
- depends on MBEDTLS_TLS_ENABLED
+ depends on MBEDTLS_TLS_ENABLED && (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
 help
 Server support for RFC 5077 session tickets. See mbedTLS documentation for more details.
 Disabling this option will save some code size.
diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls
index 89da859684..e46cff44a1 160000
--- a/components/mbedtls/mbedtls
+++ b/components/mbedtls/mbedtls
@@ -1 +1 @@
-Subproject commit 89da85968417ce4a163b7275cb22f159995c271d
+Subproject commit e46cff44a1c47593aaf85d2e2686a464f8835a11
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 607d35ffc6..95bd65883c 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
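Review bot: The new `depends on` for MBEDTLS_SERVER_SSL_SESSION_TICKETS (second hunk) hides an option that defaults to `y`, so a configuration that disables all of MBEDTLS_GCM_C, MBEDTLS_CCM_C and MBEDTLS_CHACHAPOLY_C silently loses server session tickets and falls back to full handshakes, and neither help text says why the dependency exists. I would add to the ticket help text `Requires at least one AEAD mode (GCM, CCM or ChaCha20-Poly1305), which the ticket encryption uses.` and the equivalent sentence to the MBEDTLS_SSL_CONTEXT_SERIALIZATION help in the first hunk. The esp_config.h comment added in the same commit lists the ticket module as requiring `MBEDTLS_CIPHER_C &&` the AEAD modes, which this Kconfig expression does not include; presumably MBEDTLS_CIPHER_C is unconditionally defined in this port, but that is worth confirming so the two statements of the dependency agree.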
@@ -44,7 +44,12 @@
 * The time does not need to be correct, only time differences are used,
 * by contrast with MBEDTLS_HAVE_TIME_DATE
 *
- * Comment if your system does not support time functions
+ * Comment if your system does not support time functions.
+ *
+ * \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
+ * interface - timing.c will include time.h on suitable platforms
+ * regardless of the setting of MBEDTLS_HAVE_TIME, unless
+ * MBEDTLS_TIMING_ALT is used. See timing.c for more information.
 */
 #ifdef CONFIG_MBEDTLS_HAVE_TIME
 #define MBEDTLS_HAVE_TIME
@@ -253,9 +258,8 @@
 #define MBEDTLS_CIPHER_PADDING_ZEROS
 /**
- * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C
+ * \def MBEDTLS_ARC4_C
 *
- * MBEDTLS_ARC4_C
 * Enable the ARCFOUR stream cipher.
 *
 * This module enables/disables the following ciphersuites
@@ -270,7 +274,14 @@
 * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
 * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
 *
- * MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. If possible, we recommend avoiding dependencies on
+ * it, and considering stronger ciphers instead.
+ *
+ * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+ *
+ * Remove RC4 ciphersuites by default in SSL / TLS.
+ *
 * This flag removes the ciphersuites based on RC4 from the default list as
 * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
 * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
@@ -941,6 +952,8 @@
 * saved after the handshake to allow for more efficient serialization, so if
 * you don't need this feature you'll save RAM by disabling it.
 *
+ * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
+ *
 * Comment to disable the context serialization APIs.
 */
 #ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION
@@ -976,7 +989,7 @@
 * Enable support for RFC 7627: Session Hash and Extended Master Secret
 * Extension.
 *
- * This was introduced as "the proper fix" to the Triple Handshake familiy of
+ * This was introduced as "the proper fix" to the Triple Handshake family of
 * attacks, but it is recommended to always use it (even if you disable
 * renegotiation), since it actually fixes a more fundamental issue in the
 * original SSL/TLS design, and has implications beyond Triple Handshake.
@@ -1026,7 +1039,7 @@
 * \note This option has no influence on the protection against the
 * triple handshake attack. Even if it is disabled, Mbed TLS will
 * still ensure that certificates do not change during renegotiation,
- * for exaple by keeping a hash of the peer's certificate.
+ * for example by keeping a hash of the peer's certificate.
 *
 * Comment this macro to disable storing the peer's certificate
 * after the handshake.
@@ -1209,7 +1222,7 @@
 * unless you know for sure amplification cannot be a problem in the
 * environment in which your server operates.
 *
- * \warning Disabling this can ba a security risk! (see above)
+ * \warning Disabling this can be a security risk! (see above)
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 *
@@ -1944,7 +1957,7 @@
 *
 * Requires: MBEDTLS_MD_C
 *
- * Uncomment to enable the HMAC_DRBG random number geerator.
+ * Uncomment to enable the HMAC_DRBG random number generator.
 */
 #define MBEDTLS_HMAC_DRBG_C
@@ -1978,11 +1991,19 @@
 /**
 * \def MBEDTLS_NET_C
 *
- * Enable the TCP/IP networking routines.
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
 *
- * Module: library/net.c
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
 *
- * This module provides TCP/IP networking routines.
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module: library/net_sockets.c
+ *
+ * This module provides networking routines.
 */
 #ifdef MBEDTLS_NET_C
 #undef MBEDTLS_NET_C
@@ -2070,7 +2091,7 @@
 /**
 * \def MBEDTLS_PK_C
 *
- * Enable the generic public (asymetric) key layer.
+ * Enable the generic public (asymmetric) key layer.
 *
 * Module: library/pk.c
 * Caller: library/ssl_tls.c
@@ -2086,7 +2107,7 @@
 /**
 * \def MBEDTLS_PK_PARSE_C
 *
- * Enable the generic public (asymetric) key parser.
+ * Enable the generic public (asymmetric) key parser.
 *
 * Module: library/pkparse.c
 * Caller: library/mbedtls_x509_crt.c
@@ -2101,7 +2122,7 @@
 /**
 * \def MBEDTLS_PK_WRITE_C
 *
- * Enable the generic public (asymetric) key writer.
+ * Enable the generic public (asymmetric) key writer.
 *
 * Module: library/pkwrite.c
 * Caller: library/x509write.c
@@ -2290,7 +2311,8 @@
 * Module: library/ssl_ticket.c
 * Caller:
 *
- * Requires: MBEDTLS_CIPHER_C
+ * Requires: MBEDTLS_CIPHER_C &&
+ * ( MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C )
 */
 #ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_TICKET_C
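Review bot: The MBEDTLS_NET_C hunk copies the upstream text telling the reader the module "only works on POSIX/Unix ... and Windows" and to disable it elsewhere, yet the port unconditionally `#undef`s MBEDTLS_NET_C two lines later, so the advice to disable it reads as something the user still has to do. A one-line port note above the `#ifdef` would remove the ambiguity, e.g. `/* The ESP port never builds net_sockets.c; applications supply their own BIO callbacks through mbedtls_ssl_set_bio(). */`. If this comment block is meant to stay byte-identical to upstream config.h for easier syncing, placing the note outside the doc comment keeps that property.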
@@ -2366,9 +2388,13 @@
 * your own implementation of the whole module by setting
 * \c MBEDTLS_TIMING_ALT in the current file.
 *
+ * \note The timing module will include time.h on suitable platforms
+ * regardless of the setting of MBEDTLS_HAVE_TIME, unless
+ * MBEDTLS_TIMING_ALT is used. See timing.c for more information.
+ *
 * \note See also our Knowledge Base article about porting to a new
 * environment:
- * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ * https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
 *
 * Module: library/timing.c
 * Caller: library/havege.c
@@ -2680,7 +2706,7 @@
 * contexts are not shared between threads. If you do intend to use contexts
 * between threads, you will need to enable this layer to prevent race
 * conditions. See also our Knowledge Base article about threading:
- * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
+ * https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
 *
 * Module: library/threading.c
 *