espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-03 20:54:32 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feat/restructure_mbedtls_configurations' into 'master'

Browse Source 
Restructure mbedTLS configurations

Closes IDF-12984 and IDF-12982

See merge request espressif/esp-idf!39941
This commit is contained in:
Mahavir Jain
2025-07-30 20:11:11 +05:30
parent 08d2d5fe76 d9c431268a
commit 4e036983a7
13 changed files with 2695 additions and 1165 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
components/esp-tls/Kconfig
View File

@@ -8,6 +8,7 @@ menu "ESP-TLS"
usage. Consult the ESP-TLS documentation in ESP-IDF Programming guide for more details.
config ESP_TLS_USING_MBEDTLS
bool "mbedTLS"
select MBEDTLS_TLS_ENABLED
config ESP_TLS_USING_WOLFSSL
depends on TLS_STACK_WOLFSSL
bool "wolfSSL (License info in wolfSSL directory README)"

11
components/mbedtls/CMakeLists.txt
View File

@@ -357,8 +357,19 @@ foreach(target ${mbedtls_targets})
if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") # TODO IDF-10087
target_compile_options(${target} PRIVATE "-fno-analyzer")
endif()
if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE)
target_compile_options(${target} PRIVATE "-Os")
elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SPEED)
target_compile_options(${target} PRIVATE "-O2")
endif()
endforeach()
if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE)
target_compile_options(${COMPONENT_LIB} PRIVATE "-Os")
elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SPEED)
target_compile_options(${COMPONENT_LIB} PRIVATE "-O2")
endif()
if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
set(WRAP_FUNCTIONS
mbedtls_ssl_write_client_hello

2770
components/mbedtls/Kconfig
View File

File diff suppressed because it is too large Load Diff

98
components/mbedtls/config/mbedtls_preset_bt.conf Normal file
View File

@@ -0,0 +1,98 @@
#
# mbedTLS Bluetooth Configuration Preset
#
# Core Configuration
CONFIG_MBEDTLS_FS_IO=n
CONFIG_MBEDTLS_ERROR_STRINGS=n
CONFIG_MBEDTLS_HAVE_TIME=n
CONFIG_MBEDTLS_SELF_TEST=n
# Certificates
CONFIG_MBEDTLS_PEM_PARSE_C=n
CONFIG_MBEDTLS_PEM_WRITE_C=n
CONFIG_MBEDTLS_X509_REMOVE_INFO=y
CONFIG_MBEDTLS_X509_CRL_PARSE_C=n
CONFIG_MBEDTLS_X509_CSR_PARSE_C=n
CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT=n
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=n
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=n
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=y
# TLS Protocol Configuration
CONFIG_MBEDTLS_TLS_ENABLED=n
CONFIG_MBEDTLS_TLS_SERVER_AND_CLIENT=n
CONFIG_MBEDTLS_TLS_DISABLED=y
# TLS 1.2 Configuration
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n
# TLS 1.3 Configuration
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=n
# TLS Key Exchange Configuration
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=n
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=n
CONFIG_MBEDTLS_SSL_ALPN=n
CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=n
CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=n
# DTLS Protocol Configuration
# Cipher Abstraction Layer
CONFIG_MBEDTLS_CIPHER_C=y
# Symmetric Ciphers
CONFIG_MBEDTLS_ARIA_C=n
CONFIG_MBEDTLS_CCM_C=n
CONFIG_MBEDTLS_CIPHER_MODE_CBC=n
CONFIG_MBEDTLS_CIPHER_MODE_CFB=n
CONFIG_MBEDTLS_CIPHER_MODE_CTR=n
CONFIG_MBEDTLS_CIPHER_MODE_OFB=n
CONFIG_MBEDTLS_CIPHER_MODE_XTS=y
CONFIG_MBEDTLS_GCM_C=n
CONFIG_MBEDTLS_PKCS5_C=n
CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n
CONFIG_MBEDTLS_AES_FEWER_TABLES=y
# Elliptic Curve Ciphers Configuration
CONFIG_MBEDTLS_ECP_NIST_OPTIM=n
CONFIG_MBEDTLS_DHM_C=n
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=n
CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=n
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED=n
# Hash functions
CONFIG_MBEDTLS_SHA1_C=n
CONFIG_MBEDTLS_SHA384_C=n
CONFIG_MBEDTLS_SHA512_C=n
CONFIG_MBEDTLS_MD5_C=n
CONFIG_MBEDTLS_MPI_USE_INTERRUPT=n
CONFIG_MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK=n
CONFIG_MBEDTLS_GENPRIME=y
CONFIG_MBEDTLS_PKCS12_C=n
CONFIG_MBEDTLS_PKCS1_V21=n
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=y
CONFIG_MBEDTLS_CTR_DRBG_C=y
CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=n
#
# End of mbedTLS Minimal Configuration Preset
#

199
components/mbedtls/config/mbedtls_preset_default.conf Normal file
View File

@@ -0,0 +1,199 @@
#
# mbedTLS Default Configuration Preset
#
# Core Configuration
CONFIG_MBEDTLS_FS_IO=y
CONFIG_MBEDTLS_THREADING_C=n
CONFIG_MBEDTLS_ERROR_STRINGS=y
CONFIG_MBEDTLS_VERSION_C=n
CONFIG_MBEDTLS_HAVE_TIME=y
CONFIG_MBEDTLS_PLATFORM_TIME_ALT=n
CONFIG_MBEDTLS_HAVE_TIME_DATE=n
CONFIG_MBEDTLS_BIGNUM_C=y
CONFIG_MBEDTLS_INTERNAL_MEM_ALLOC=y
CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC=n
CONFIG_MBEDTLS_DEFAULT_MEM_ALLOC=n
CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC=n
CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=4096
CONFIG_MBEDTLS_DYNAMIC_BUFFER=n
CONFIG_MBEDTLS_VERSION_FEATURES=n
CONFIG_MBEDTLS_DEBUG=n
CONFIG_MBEDTLS_SELF_TEST=y
# Certificates
CONFIG_MBEDTLS_ALLOW_WEAK_CERTIFICATE_VERIFICATION=n
CONFIG_MBEDTLS_X509_USE_C=y
CONFIG_MBEDTLS_PEM_PARSE_C=y
CONFIG_MBEDTLS_PEM_WRITE_C=y
CONFIG_MBEDTLS_PK_C=y
CONFIG_MBEDTLS_PK_PARSE_C=y
CONFIG_MBEDTLS_PK_WRITE_C=y
CONFIG_MBEDTLS_X509_REMOVE_INFO=n
CONFIG_MBEDTLS_X509_CRL_PARSE_C=y
CONFIG_MBEDTLS_X509_CRT_PARSE_C=y
CONFIG_MBEDTLS_X509_CSR_PARSE_C=y
CONFIG_MBEDTLS_X509_CREATE_C=n
CONFIG_MBEDTLS_X509_CRT_WRITE_C=y
CONFIG_MBEDTLS_X509_CSR_WRITE_C=y
CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT=y
CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK=n
CONFIG_MBEDTLS_ASN1_PARSE_C=y
CONFIG_MBEDTLS_ASN1_WRITE_C=y
CONFIG_MBEDTLS_OID_C=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=n
CONFIG_MBEDTLS_CUSTOM_CERTIFICATE_BUNDLE=n
# TLS Protocol Configuration
CONFIG_MBEDTLS_TLS_ENABLED=y
CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1=n
CONFIG_MBEDTLS_TLS_SERVER_AND_CLIENT=y
CONFIG_MBEDTLS_TLS_SERVER_ONLY=n
CONFIG_MBEDTLS_TLS_CLIENT_ONLY=n
CONFIG_MBEDTLS_TLS_DISABLED=n
CONFIG_MBEDTLS_TLS_SERVER=y
CONFIG_MBEDTLS_TLS_CLIENT=y
CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY=1
CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=n
CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION=n
CONFIG_MBEDTLS_SSL_CACHE_C=n
CONFIG_MBEDTLS_SSL_ALL_ALERT_MESSAGES=n
# TLS 1.2 Configuration
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y
# TLS 1.3 Configuration
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
# TLS Key Exchange Configuration
CONFIG_MBEDTLS_PSK_MODES=n
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_SSL_ALPN=y
CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=y
CONFIG_MBEDTLS_SSL_RECORD_SIZE_LIMIT=n
CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH=n
CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=y
CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=y
# DTLS Protocol Configuration
CONFIG_MBEDTLS_SSL_PROTO_DTLS=n
# Cipher Abstraction Layer
CONFIG_MBEDTLS_CIPHER_C=n
# Symmetric Ciphers
CONFIG_MBEDTLS_AES_C=y
CONFIG_MBEDTLS_CAMELLIA_C=n
CONFIG_MBEDTLS_ARIA_C=y
CONFIG_MBEDTLS_DES_C=n
CONFIG_MBEDTLS_BLOWFISH_C=n
CONFIG_MBEDTLS_XTEA_C=n
CONFIG_MBEDTLS_CCM_C=y
CONFIG_MBEDTLS_CIPHER_MODE_CBC=y
CONFIG_MBEDTLS_CIPHER_MODE_CFB=y
CONFIG_MBEDTLS_CIPHER_MODE_CTR=y
CONFIG_MBEDTLS_CIPHER_MODE_OFB=y
CONFIG_MBEDTLS_CIPHER_MODE_XTS=y
CONFIG_MBEDTLS_GCM_C=y
CONFIG_MBEDTLS_NIST_KW_C=n
CONFIG_MBEDTLS_CIPHER_PADDING=y
CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=y
CONFIG_MBEDTLS_PKCS5_C=y
CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=y
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=y
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=y
CONFIG_MBEDTLS_AES_ROM_TABLES=y
CONFIG_MBEDTLS_AES_FEWER_TABLES=n
CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=n
CONFIG_MBEDTLS_AES_USE_PSEUDO_ROUND_FUNC=n
CONFIG_MBEDTLS_CMAC_C=y
# Asymmetric Ciphers
CONFIG_MBEDTLS_RSA_C=y
# Elliptic Curve Ciphers Configuration
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECP_NIST_OPTIM=y
CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM=n
CONFIG_MBEDTLS_DHM_C=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECJPAKE_C=n
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=y
CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=y
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y
CONFIG_MBEDTLS_ECP_RESTARTABLE=n
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED=y
# Hash functions
CONFIG_MBEDTLS_MD_C=y
CONFIG_MBEDTLS_ROM_MD5=y
CONFIG_MBEDTLS_SHA256_C=y
CONFIG_MBEDTLS_SHA1_C=y
CONFIG_MBEDTLS_SHA384_C=y
CONFIG_MBEDTLS_SHA512_C=y
CONFIG_MBEDTLS_MD5_C=y
CONFIG_MBEDTLS_SHA3_C=n
CONFIG_MBEDTLS_HARDWARE_SHA=y
CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER=y
CONFIG_MBEDTLS_HARDWARE_AES=y
CONFIG_MBEDTLS_AES_USE_INTERRUPT=y
CONFIG_MBEDTLS_AES_INTERRUPT_LEVEL=0
CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT=y
CONFIG_MBEDTLS_HARDWARE_MPI=y
# CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI=n
CONFIG_MBEDTLS_MPI_USE_INTERRUPT=y
CONFIG_MBEDTLS_MPI_INTERRUPT_LEVEL=0
CONFIG_MBEDTLS_HARDWARE_ECC=y
CONFIG_MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK=y
CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN=n
CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY=y
CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN=n
CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY=n
CONFIG_MBEDTLS_PKCS7_C=y
CONFIG_MBEDTLS_PKCS12_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_PKCS1_V21=y
CONFIG_MBEDTLS_ENTROPY_C=y
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=n
CONFIG_MBEDTLS_CTR_DRBG_C=y
CONFIG_MBEDTLS_HMAC_DRBG_C=y
CONFIG_MBEDTLS_BASE64_C=y
CONFIG_MBEDTLS_CHACHA20_C=n
CONFIG_MBEDTLS_POLY1305_C=n
CONFIG_MBEDTLS_HKDF_C=n
#
# End of mbedTLS Minimal Configuration Preset
#

102
components/mbedtls/config/mbedtls_preset_minimal.conf Normal file
View File

@@ -0,0 +1,102 @@
#
# mbedTLS Minimal Configuration Preset
#
# Core Configuration
CONFIG_MBEDTLS_FS_IO=n
CONFIG_MBEDTLS_ERROR_STRINGS=n
CONFIG_MBEDTLS_HAVE_TIME=n
CONFIG_MBEDTLS_SELF_TEST=n
# Certificates
CONFIG_MBEDTLS_PEM_PARSE_C=n
CONFIG_MBEDTLS_PEM_WRITE_C=n
CONFIG_MBEDTLS_X509_REMOVE_INFO=y
CONFIG_MBEDTLS_X509_CRL_PARSE_C=n
CONFIG_MBEDTLS_X509_CSR_PARSE_C=n
CONFIG_MBEDTLS_X509_CRT_WRITE_C=n
CONFIG_MBEDTLS_X509_CSR_WRITE_C=n
CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT=n
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=n
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=n
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=y
# TLS Protocol Configuration
CONFIG_MBEDTLS_TLS_SERVER_AND_CLIENT=n
CONFIG_MBEDTLS_TLS_CLIENT_ONLY=y
CONFIG_MBEDTLS_TLS_SERVER=n
# TLS 1.3 Configuration
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=n
# TLS Key Exchange Configuration
CONFIG_MBEDTLS_PSK_MODES=y
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=n
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=n
CONFIG_MBEDTLS_SSL_ALPN=n
CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=n
CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=n
CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=n
# Cipher Abstraction Layer
CONFIG_MBEDTLS_CIPHER_C=y
# Symmetric Ciphers
CONFIG_MBEDTLS_ARIA_C=n
CONFIG_MBEDTLS_BLOWFISH_C=n
CONFIG_MBEDTLS_CCM_C=n
CONFIG_MBEDTLS_CIPHER_MODE_OFB=n
CONFIG_MBEDTLS_CIPHER_MODE_XTS=y
CONFIG_MBEDTLS_GCM_C=n
CONFIG_MBEDTLS_CIPHER_PADDING=n
CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=n
CONFIG_MBEDTLS_PKCS5_C=n
CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n
CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=y
CONFIG_MBEDTLS_CMAC_C=n
# Asymmetric Ciphers
CONFIG_MBEDTLS_RSA_C=y
# Elliptic Curve Ciphers Configuration
CONFIG_MBEDTLS_ECP_C=n
CONFIG_MBEDTLS_ECP_NIST_OPTIM=n
CONFIG_MBEDTLS_DHM_C=n
CONFIG_MBEDTLS_ECDH_C=n
CONFIG_MBEDTLS_ECDSA_C=n
CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=n
CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=n
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED=n
# Hash functions
CONFIG_MBEDTLS_ROM_MD5=n
CONFIG_MBEDTLS_SHA1_C=n
CONFIG_MBEDTLS_SHA384_C=n
CONFIG_MBEDTLS_SHA512_C=n
CONFIG_MBEDTLS_MD5_C=n
#
# End of mbedTLS Minimal Configuration Preset
#

2
components/mbedtls/port/aes/dma/esp_aes.c
View File

@@ -458,6 +458,7 @@ int esp_aes_crypt_ofb(esp_aes_context *ctx,
return 0;
}
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CTR
/*
* AES-CTR buffer encryption/decryption
*/
@@ -529,3 +530,4 @@ int esp_aes_crypt_ctr(esp_aes_context *ctx,
return 0;
}
#endif /* CONFIG_MBEDTLS_CIPHER_MODE_CTR */

453
components/mbedtls/port/include/mbedtls/esp_config.h
View File

@@ -260,42 +260,107 @@
*
* Uncomment this macro to store the AES tables in ROM.
*/
#ifdef CONFIG_MBEDTLS_AES_ROM_TABLES
#define MBEDTLS_AES_ROM_TABLES
#else
#undef MBEDTLS_AES_ROM_TABLES
#endif
/**
* \def MBEDTLS_AES_FEWER_TABLES
*
* Use fewer tables for AES.
*
* Uncomment this macro to store fewer tables for AES
* in ROM or RAM. The values are computed at runtime.
*
*/
#ifdef CONFIG_MBEDTLS_AES_FEWER_TABLES
#define MBEDTLS_AES_FEWER_TABLES
#else
#undef MBEDTLS_AES_FEWER_TABLES
#endif
/**
* \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
*
* Enable support for AES with only 128-bit key length. This disables
* support for 192-bit and 256-bit key lengths.
*
* Uncommenting this macro reduces the size of AES code
*/
#ifdef CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
#else
#undef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
#endif
/**
* \def MBEDTLS_CAMELLIA_SMALL_MEMORY
*
* Enable small memory usage for Camellia cipher.
*/
#ifdef CONFIG_MBEDTLS_CAMELLIA_SMALL_MEMORY
#define MBEDTLS_CAMELLIA_SMALL_MEMORY
#else
#undef MBEDTLS_CAMELLIA_SMALL_MEMORY
#endif
/**
* \def MBEDTLS_CIPHER_MODE_CBC
*
* Enable Cipher Block Chaining mode (CBC) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CBC
#define MBEDTLS_CIPHER_MODE_CBC
#else
#undef MBEDTLS_CIPHER_MODE_CBC
#endif
/**
* \def MBEDTLS_CIPHER_MODE_CFB
*
* Enable Cipher Feedback mode (CFB) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CFB
#define MBEDTLS_CIPHER_MODE_CFB
#else
#undef MBEDTLS_CIPHER_MODE_CFB
#endif
/**
* \def MBEDTLS_CIPHER_MODE_CTR
*
* Enable Counter Block Cipher mode (CTR) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CTR
#define MBEDTLS_CIPHER_MODE_CTR
#else
#undef MBEDTLS_CIPHER_MODE_CTR
#endif
/**
* \def MBEDTLS_CIPHER_MODE_OFB
*
* Enable Output Feedback mode (OFB) for symmetric ciphers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_OFB
#define MBEDTLS_CIPHER_MODE_OFB
#else
#undef MBEDTLS_CIPHER_MODE_OFB
#endif
/**
* \def MBEDTLS_CIPHER_MODE_XTS
*
* Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_XTS
#define MBEDTLS_CIPHER_MODE_XTS
#else
#undef MBEDTLS_CIPHER_MODE_XTS
#endif
/**
* \def MBEDTLS_CIPHER_PADDING_PKCS7
@@ -308,10 +373,29 @@
*
* Enable padding modes in the cipher layer.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7
#define MBEDTLS_CIPHER_PADDING_PKCS7
#else
#undef MBEDTLS_CIPHER_PADDING_PKCS7
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#else
#undef MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#else
#undef MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS
#define MBEDTLS_CIPHER_PADDING_ZEROS
#else
#undef MBEDTLS_CIPHER_PADDING_ZEROS
#endif
/**
* \def MBEDTLS_ECP_RESTARTABLE
@@ -362,6 +446,8 @@
*/
#ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE
#define MBEDTLS_ECP_RESTARTABLE
#else
#undef MBEDTLS_ECP_RESTARTABLE
#endif
/**
@@ -885,7 +971,11 @@
* Disable if you run into name conflicts and want to really remove the
* mbedtls_strerror()
*/
#ifdef CONFIG_MBEDTLS_ERROR_STRERROR_DUMMY
#define MBEDTLS_ERROR_STRERROR_DUMMY
#else
#undef MBEDTLS_ERROR_STRERROR_DUMMY
#endif
/**
* \def MBEDTLS_GENPRIME
@@ -894,7 +984,11 @@
*
* Requires: MBEDTLS_BIGNUM_C
*/
#ifdef CONFIG_MBEDTLS_GENPRIME
#define MBEDTLS_GENPRIME
#else
#undef MBEDTLS_GENPRIME
#endif
/**
* \def MBEDTLS_FS_IO
@@ -922,6 +1016,26 @@
#define MBEDTLS_NO_PLATFORM_ENTROPY
#endif // !CONFIG_IDF_TARGET_LINUX
/**
* \def MBEDTLS_ENTROPY_FORCE_SHA256
*
* Force the entropy accumulator to use a SHA-256 accumulator instead of the
* default SHA-512 based one (if both are available).
*
* Requires: MBEDTLS_SHA256_C
*
* On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
* if you have performance concerns.
*
* This option is only useful if both MBEDTLS_SHA256_C and
* MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
*/
#ifdef CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256
#define MBEDTLS_ENTROPY_FORCE_SHA256
#else
#undef MBEDTLS_ENTROPY_FORCE_SHA256
#endif
/**
* \def MBEDTLS_PK_RSA_ALT_SUPPORT
*
@@ -929,7 +1043,11 @@
*
* Comment this macro to disable support for external private RSA keys.
*/
#ifdef CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT
#define MBEDTLS_PK_RSA_ALT_SUPPORT
#else
#undef MBEDTLS_PK_RSA_ALT_SUPPORT
#endif
/**
* \def MBEDTLS_PKCS1_V15
@@ -940,7 +1058,11 @@
*
* This enables support for PKCS#1 v1.5 operations.
*/
#ifdef CONFIG_MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V15
#else
#undef MBEDTLS_PKCS1_V15
#endif
/**
* \def MBEDTLS_PKCS1_V21
@@ -951,14 +1073,55 @@
*
* This enables support for RSAES-OAEP and RSASSA-PSS operations.
*/
#ifdef CONFIG_MBEDTLS_PKCS1_V21
#define MBEDTLS_PKCS1_V21
#else
#undef MBEDTLS_PKCS1_V21
#endif
/**
* \def MBEDTLS_SELF_TEST
*
* Enable the checkup functions (*_self_test).
*/
#ifdef CONFIG_MBEDTLS_SELF_TEST
#define MBEDTLS_SELF_TEST
#else
#undef MBEDTLS_SELF_TEST
#endif
/**
* \def MBEDTLS_SHA256_SMALLER
*
* Enable an implementation of SHA-256 that has lower ROM footprint but also
* lower performance.
*
* The default implementation is meant to be a reasonable compromise between
* performance and size. This version optimizes more aggressively for size at
* the expense of performance. Eg on Cortex-M4 it reduces the size of
* mbedtls_sha256_process() from ~2KB to ~0.5KB for a performance hit of about
* 30%.
*
* Uncomment to enable the smaller implementation of SHA256.
*/
#ifdef CONFIG_MBEDTLS_SHA256_SMALLER
#define MBEDTLS_SHA256_SMALLER
#else
#undef MBEDTLS_SHA256_SMALLER
#endif
/**
* \def MBEDTLS_SHA512_SMALLER
* Enable an implementation of SHA-512 that has lower ROM footprint but also
* lower performance.
*
* Uncomment to enable the smaller implementation of SHA512.
*/
#ifdef CONFIG_MBEDTLS_SHA512_SMALLER
#define MBEDTLS_SHA512_SMALLER
#else
#undef MBEDTLS_SHA512_SMALLER
#endif
/**
* \def MBEDTLS_SSL_ALL_ALERT_MESSAGES
@@ -972,7 +1135,11 @@
*
* Enable sending of all alert messages
*/
#ifdef CONFIG_MBEDTLS_SSL_ALL_ALERT_MESSAGES
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
#else
#undef MBEDTLS_SSL_ALL_ALERT_MESSAGES
#endif
/**
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
@@ -1210,21 +1377,26 @@
*
* Comment this macro to disable support for the max_fragment_length extension
*/
#ifdef CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#else
#undef MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#endif
/**
* \def MBEDTLS_SSL_RECORD_SIZE_LIMIT
*
* Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
*
* \warning This extension is currently in development and must NOT be used except
* for testing purposes.
*
* Requires: MBEDTLS_SSL_PROTO_TLS1_3
*
* Uncomment this macro to enable support for the record_size_limit extension
*/
//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#ifdef CONFIG_MBEDTLS_SSL_RECORD_SIZE_LIMIT
#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
#else
#undef MBEDTLS_SSL_RECORD_SIZE_LIMIT
#endif
/**
* \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -1393,11 +1565,12 @@
* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
* is not enabled, this option does not have any effect on the build.
*
* This feature is experimental, not completed and thus not ready for
* production.
*
*/
//#define MBEDTLS_SSL_EARLY_DATA
#ifdef CONFIG_MBEDTLS_SSL_EARLY_DATA
#define MBEDTLS_SSL_EARLY_DATA
#else
#undef MBEDTLS_SSL_EARLY_DATA
#endif
/**
* \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
@@ -1517,7 +1690,7 @@
*
* Uncomment this to enable support for use_srtp extension.
*/
#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
#ifdef CONFIG_MBEDTLS_SSL_DTLS_SRTP
#define MBEDTLS_SSL_DTLS_SRTP
#else
#undef MBEDTLS_SSL_DTLS_SRTP
@@ -1580,8 +1753,11 @@
*
* Comment this macro to disable support for server name indication in SSL
*/
#ifdef CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
#else
#undef MBEDTLS_SSL_SERVER_NAME_INDICATION
#endif
/**
* \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
@@ -1609,7 +1785,11 @@
*
* Comment this to disable run-time checking and save ROM space
*/
#ifdef CONFIG_MBEDTLS_VERSION_FEATURES
#define MBEDTLS_VERSION_FEATURES
#else
#undef MBEDTLS_VERSION_FEATURES
#endif
/**
@@ -1620,7 +1800,11 @@
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#ifdef CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT
#else
#undef MBEDTLS_X509_RSASSA_PSS_SUPPORT
#endif
/* \} name SECTION: mbed TLS feature support */
@@ -1644,7 +1828,33 @@
*
* This modules adds support for the AES-NI instructions on x86-64
*/
#define MBEDTLS_AESNI_C
#undef MBEDTLS_AESNI_C
/**
* \def MBEDTLS_AESCE_C
*
* Enable AES cryptographic extension support on Armv8.
*
* Module: library/aesce.c
* Caller: library/aes.c
*
* Requires: MBEDTLS_AES_C
*
* \warning Runtime detection only works on Linux. For non-Linux operating
* system, Armv8-A Cryptographic Extensions must be supported by
* the CPU when this option is enabled.
*
* \note Minimum compiler versions for this feature when targeting aarch64
* are Clang 4.0; armclang 6.6; GCC 6.0; or MSVC 2019 version 16.11.2.
* Minimum compiler versions for this feature when targeting 32-bit
* Arm or Thumb are Clang 11.0; armclang 6.20; or GCC 6.0.
*
* \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for
* armclang <= 6.9
*
* This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems.
*/
#undef MBEDTLS_AESCE_C
/**
* \def MBEDTLS_AES_C
@@ -1737,7 +1947,11 @@
* library/pkcs5.c
* library/pkparse.c
*/
#ifdef CONFIG_MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_ASN1_PARSE_C
#else
#undef MBEDTLS_ASN1_PARSE_C
#endif
/**
* \def MBEDTLS_ASN1_WRITE_C
@@ -1751,7 +1965,11 @@
* library/x509write_crt.c
* library/mbedtls_x509write_csr.c
*/
#ifdef CONFIG_MBEDTLS_ASN1_WRITE_C
#define MBEDTLS_ASN1_WRITE_C
#else
#undef MBEDTLS_ASN1_WRITE_C
#endif
/**
* \def MBEDTLS_BASE64_C
@@ -1763,7 +1981,11 @@
*
* This module is required for PEM support (required by X.509).
*/
#ifdef CONFIG_MBEDTLS_BASE64_C
#define MBEDTLS_BASE64_C
#else
#undef MBEDTLS_BASE64_C
#endif
/**
* \def MBEDTLS_BIGNUM_C
@@ -1783,7 +2005,11 @@
*
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
*/
#ifdef CONFIG_MBEDTLS_BIGNUM_C
#define MBEDTLS_BIGNUM_C
#else
#undef MBEDTLS_BIGNUM_C
#endif
/**
* \def MBEDTLS_BLOWFISH_C
@@ -1857,6 +2083,62 @@
#undef MBEDTLS_CAMELLIA_C
#endif
/**
* \def MBEDTLS_ARIA_C
*
* Enable the ARIA block cipher.
*
* Module: library/aria.c
* Caller: library/cipher.c
*
* This module enables the following ciphersuites (if other requisites are
* enabled as well):
*
* MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384
* MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256
* MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256
* MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384
*/
#ifdef CONFIG_MBEDTLS_ARIA_C
#define MBEDTLS_ARIA_C
#else
#undef MBEDTLS_ARIA_C
#endif
/**
* \def MBEDTLS_CCM_C
*
@@ -1936,7 +2218,11 @@
*
* Uncomment to enable generic cipher wrappers.
*/
#ifdef CONFIG_MBEDTLS_CIPHER_C
#define MBEDTLS_CIPHER_C
#else
#undef MBEDTLS_CIPHER_C
#endif
/**
* \def MBEDTLS_CTR_DRBG_C
@@ -1950,7 +2236,11 @@
*
* This module provides the CTR_DRBG AES-256 random number generator.
*/
#ifdef CONFIG_MBEDTLS_CTR_DRBG_C
#define MBEDTLS_CTR_DRBG_C
#else
#undef MBEDTLS_CTR_DRBG_C
#endif
/**
* \def MBEDTLS_DEBUG_C
@@ -2117,7 +2407,11 @@
*
* This module provides a generic entropy pool
*/
#ifdef CONFIG_MBEDTLS_ENTROPY_C
#define MBEDTLS_ENTROPY_C
#else
#undef MBEDTLS_ENTROPY_C
#endif
/**
* \def MBEDTLS_ERROR_C
@@ -2200,7 +2494,27 @@
*
* Uncomment to enable the HMAC_DRBG random number generator.
*/
#ifdef CONFIG_MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_HMAC_DRBG_C
#else
#undef MBEDTLS_HMAC_DRBG_C
#endif
/**
* \def MBEDTLS_LMS_C
*
* Enable the LMS stateful-hash asymmetric signature algorithm.
*
* Module: library/lms.c
* Caller:
*
* Requires: MBEDTLS_PSA_CRYPTO_C
*
* Uncomment to enable the LMS verification algorithm and public key operations.
*
* This is disable by now. When we shift to PSA, we will enable it.
*/
#undef MBEDTLS_LMS_C
/**
* \def MBEDTLS_MD_C
@@ -2233,7 +2547,11 @@
*
* Uncomment to enable generic message digest wrappers.
*/
#ifdef CONFIG_MBEDTLS_MD_C
#define MBEDTLS_MD_C
#else
#undef MBEDTLS_MD_C
#endif
/**
* \def MBEDTLS_MD5_C
@@ -2248,7 +2566,11 @@
* This module is required for SSL/TLS and X.509.
* PEM_PARSE uses MD5 for decrypting encrypted keys.
*/
#ifdef CONFIG_MBEDTLS_MD5_C
#define MBEDTLS_MD5_C
#else
#undef MBEDTLS_MD5_C
#endif
/**
* \def MBEDTLS_NET_C
@@ -2292,7 +2614,11 @@
*
* This modules translates between OIDs and internal values.
*/
#ifdef CONFIG_MBEDTLS_OID_C
#define MBEDTLS_OID_C
#else
#undef MBEDTLS_OID_C
#endif
/**
* \def MBEDTLS_PADLOCK_C
@@ -2306,7 +2632,7 @@
*
* This modules adds support for the VIA PadLock on x86.
*/
#define MBEDTLS_PADLOCK_C
#undef MBEDTLS_PADLOCK_C
/**
* \def MBEDTLS_PEM_PARSE_C
@@ -2368,7 +2694,11 @@
*
* Uncomment to enable generic public key wrappers.
*/
#ifdef CONFIG_MBEDTLS_PK_C
#define MBEDTLS_PK_C
#else
#undef MBEDTLS_PK_C
#endif
/**
* \def MBEDTLS_PK_PARSE_C
@@ -2383,7 +2713,11 @@
*
* Uncomment to enable generic public key parse functions.
*/
#ifdef CONFIG_MBEDTLS_PK_PARSE_C
#define MBEDTLS_PK_PARSE_C
#else
#undef MBEDTLS_PK_PARSE_C
#endif
/**
* \def MBEDTLS_PK_WRITE_C
@@ -2397,7 +2731,11 @@
*
* Uncomment to enable generic public key write functions.
*/
#ifdef CONFIG_MBEDTLS_PK_WRITE_C
#define MBEDTLS_PK_WRITE_C
#else
#undef MBEDTLS_PK_WRITE_C
#endif
/**
* \def MBEDTLS_PKCS5_C
@@ -2410,7 +2748,11 @@
*
* This module adds support for the PKCS#5 functions.
*/
#ifdef CONFIG_MBEDTLS_PKCS5_C
#define MBEDTLS_PKCS5_C
#else
#undef MBEDTLS_PKCS5_C
#endif
/**
* \def MBEDTLS_PKCS7_C
@@ -2449,7 +2791,11 @@
*
* This module enables PKCS#12 functions.
*/
#ifdef CONFIG_MBEDTLS_PKCS12_C
#define MBEDTLS_PKCS12_C
#else
#undef MBEDTLS_PKCS12_C
#endif
/**
* \def MBEDTLS_PLATFORM_C
@@ -2518,7 +2864,11 @@
*
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C
*/
#ifdef CONFIG_MBEDTLS_RSA_C
#define MBEDTLS_RSA_C
#else
#undef MBEDTLS_RSA_C
#endif
/**
* \def MBEDTLS_SHA1_C
@@ -2556,7 +2906,11 @@
*
* This module adds support for SHA-224.
*/
#ifdef CONFIG_MBEDTLS_SHA224_C
#define MBEDTLS_SHA224_C
#else
#undef MBEDTLS_SHA224_C
#endif
/**
* \def MBEDTLS_SHA256_C
@@ -2573,7 +2927,31 @@
* This module adds support for SHA-224 and SHA-256.
* This module is required for the SSL/TLS 1.2 PRF function.
*/
#ifdef CONFIG_MBEDTLS_SHA256_C
#define MBEDTLS_SHA256_C
#else
#undef MBEDTLS_SHA256_C
#endif
/**
* \def MBEDTLS_SHA384_C
*
* Enable the SHA-384 cryptographic hash algorithm.
*
* Module: library/sha512.c
* Caller: library/md.c
* library/psa_crypto_hash.c
* library/ssl_tls.c
* library/ssl*_client.c
* library/ssl*_server.c
*
* Comment to disable SHA-384
*/
#ifdef CONFIG_MBEDTLS_SHA384_C
#define MBEDTLS_SHA384_C
#else
#undef MBEDTLS_SHA384_C
#endif
/**
* \def MBEDTLS_SHA512_C
@@ -2589,10 +2967,8 @@
* This module adds support for SHA-384 and SHA-512.
*/
#ifdef CONFIG_MBEDTLS_SHA512_C
#define MBEDTLS_SHA384_C
#define MBEDTLS_SHA512_C
#else
#undef MBEDTLS_SHA384_C
#undef MBEDTLS_SHA512_C
#endif
@@ -2621,7 +2997,11 @@
*
* Requires: MBEDTLS_SSL_CACHE_C
*/
#ifdef CONFIG_MBEDTLS_SSL_CACHE_C
#define MBEDTLS_SSL_CACHE_C
#else
#undef MBEDTLS_SSL_CACHE_C
#endif
/**
* \def MBEDTLS_SSL_COOKIE_C
@@ -2631,7 +3011,11 @@
* Module: library/ssl_cookie.c
* Caller:
*/
#ifdef CONFIG_MBEDTLS_SSL_COOKIE_C
#define MBEDTLS_SSL_COOKIE_C
#else
#undef MBEDTLS_SSL_COOKIE_C
#endif
/**
* \def MBEDTLS_SSL_TICKET_C
@@ -2740,7 +3124,11 @@
*
* This module provides run-time version information.
*/
#ifdef CONFIG_MBEDTLS_VERSION_C
#define MBEDTLS_VERSION_C
#else
#undef MBEDTLS_VERSION_C
#endif
/**
* \def MBEDTLS_X509_USE_C
@@ -2757,7 +3145,11 @@
*
* This module is required for the X.509 parsing modules.
*/
#ifdef CONFIG_MBEDTLS_X509_USE_C
#define MBEDTLS_X509_USE_C
#else
#undef MBEDTLS_X509_USE_C
#endif
/**
* \def MBEDTLS_X509_CRT_PARSE_C
@@ -2773,7 +3165,11 @@
*
* This module is required for X.509 certificate parsing.
*/
#ifdef CONFIG_MBEDTLS_X509_CRT_PARSE_C
#define MBEDTLS_X509_CRT_PARSE_C
#else
#undef MBEDTLS_X509_CRT_PARSE_C
#endif
/**
* \def MBEDTLS_X509_CRL_PARSE_C
@@ -2823,7 +3219,11 @@
*
* This module is the basis for creating X.509 certificates and CSRs.
*/
#ifdef CONFIG_MBEDTLS_X509_CREATE_C
#define MBEDTLS_X509_CREATE_C
#else
#undef MBEDTLS_X509_CREATE_C
#endif
/**
* \def MBEDTLS_X509_CRT_WRITE_C
@@ -2836,7 +3236,11 @@
*
* This module is required for X.509 certificate creation.
*/
#ifdef CONFIG_MBEDTLS_X509_CRT_WRITE_C
#define MBEDTLS_X509_CRT_WRITE_C
#else
#undef MBEDTLS_X509_CRT_WRITE_C
#endif
/**
* \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
@@ -2861,6 +3265,21 @@
#undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
#endif
/**
* \def MBEDTLS_X509_REMOVE_INFO
*
* Disable mbedtls_x509_*_info() and related APIs.
*
* Uncomment to omit mbedtls_x509_*_info(), as well as mbedtls_debug_print_crt()
* and other functions/constants only used by these functions, thus reducing
* the code footprint by several KB.
*/
#ifdef CONFIG_MBEDTLS_X509_REMOVE_INFO
#define MBEDTLS_X509_REMOVE_INFO
#else
#undef MBEDTLS_X509_REMOVE_INFO
#endif
/**
* \def MBEDTLS_X509_CSR_WRITE_C
*
@@ -2872,7 +3291,11 @@
*
* This module is required for X.509 certificate request writing.
*/
#ifdef CONFIG_MBEDTLS_X509_CSR_WRITE_C
#define MBEDTLS_X509_CSR_WRITE_C
#else
#undef MBEDTLS_X509_CSR_WRITE_C
#endif
/**
* \def MBEDTLS_XTEA_C

9
components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c
View File

@@ -6,7 +6,7 @@
#ifdef ESP_PLATFORM
#include "esp_system.h"
#endif
#include "sdkconfig.h"
#include <errno.h>
#include "utils/includes.h"
#include "utils/common.h"
@@ -469,6 +469,7 @@ void aes_decrypt_deinit(void *ctx)
return aes_crypt_deinit(ctx);
}
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CBC
int aes_128_cbc_encrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
{
int ret = 0;
@@ -513,6 +514,7 @@ int aes_128_cbc_decrypt(const u8 *key, const u8 *iv, u8 *data, size_t data_len)
return ret;
}
#endif /* CONFIG_MBEDTLS_CIPHER_MODE_CBC */
#ifdef CONFIG_TLS_INTERNAL_CLIENT
struct crypto_cipher {
@@ -613,13 +615,14 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg,
key_len, MBEDTLS_DECRYPT) < 0) {
goto cleanup;
}
#if defined(CONFIG_MBEDTLS_CIPHER_MODE_WITH_PADDING)
if (mbedtls_cipher_set_padding_mode(&ctx->ctx_enc, MBEDTLS_PADDING_NONE) < 0) {
goto cleanup;
}
if (mbedtls_cipher_set_padding_mode(&ctx->ctx_dec, MBEDTLS_PADDING_NONE) < 0) {
goto cleanup;
}
#endif /* CONFIG_MBEDTLS_CIPHER_MODE_WITH_PADDING */
return ctx;
cleanup:
@@ -673,6 +676,7 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
}
#endif
#ifdef CONFIG_MBEDTLS_CIPHER_MODE_CTR
int aes_ctr_encrypt(const u8 *key, size_t key_len, const u8 *nonce,
u8 *data, size_t data_len)
{
@@ -692,6 +696,7 @@ cleanup:
mbedtls_aes_free(&ctx);
return ret;
}
#endif /* CONFIG_MBEDTLS_CIPHER_MODE_CTR */
int aes_128_ctr_encrypt(const u8 *key, const u8 *nonce,
u8 *data, size_t data_len)

205
docs/en/api-reference/protocols/mbedtls.rst
View File

@@ -39,6 +39,133 @@ Please find the information about the Mbed TLS versions presented in different b
Please refer the :ref:`migration_guide_mbedtls` to migrate from Mbed TLS version 2.x to version 3.0 or greater.
Configuration Presets
^^^^^^^^^^^^^^^^^^^^^^
ESP-IDF provides a preset-based configuration system for Mbed TLS to simplify setup and provide optimized starting points for different use cases. This system works alongside the existing manual configuration system and provides baseline configurations that can be further customized through menuconfig or additional configuration files.
.. list-table::
:header-rows: 1
:widths: 15 25 35
:align: center
* - Preset
- Use Case
- Key Features
* - **Default**
- General purpose applications
- • TLS 1.2 & 1.3 support
• Certificate bundle enabled
• Hardware acceleration
• Full cipher suite support
* - **Minimal**
- Resource-constrained applications
- • TLS 1.2 client only
• RSA & PSK key exchange
• AES-128 CBC/CTR modes
• Basic X.509 parsing
* - **Bluetooth (BT)**
- Bluetooth applications
- • Optimized for BLE security
• ECC P-256 curve support
• Minimal TLS overhead
• Bluetooth-specific algorithms
Using Configuration Presets
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Presets serve as **starting points** for your mbedTLS configuration. You can use them as-is or customize them further using standard ESP-IDF configuration methods.
To use a preset configuration, add the following line to your project's ``CMakeLists.txt`` file **before** the ``project()`` call:
.. code-block:: cmake
# Include the default preset (recommended for most applications)
list(APPEND sdkconfig_defaults $ENV{IDF_PATH}/components/mbedtls/config/mbedtls_preset_default.conf)
# Or for resource-constrained applications
list(APPEND sdkconfig_defaults $ENV{IDF_PATH}/components/mbedtls/config/mbedtls_preset_minimal.conf)
# Or for Bluetooth applications
list(APPEND sdkconfig_defaults $ENV{IDF_PATH}/components/mbedtls/config/mbedtls_preset_bt.conf)
# Standard ESP-IDF project setup
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
project(my_project)
.. note::
The preset configurations are located in ``components/mbedtls/config/`` and can be customized or used as a starting point for your own configurations.
Customizing Preset Configurations
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
After applying a preset, you can further customize the configuration using any of these methods:
**Method 1: Using menuconfig (Recommended)**
.. code-block:: bash
# After applying a preset in CMakeLists.txt
idf.py menuconfig
Navigate to ``Component Config -> mbedTLS`` to modify any settings. Your changes will override the preset defaults.
**Method 2: Additional Configuration Files**
You can combine a preset with your own custom configuration by creating an additional configuration file:
.. code-block:: cmake
# Use the minimal preset as a base, then add custom settings
list(APPEND SDKCONFIG_DEFAULTS
$ENV{IDF_PATH}/components/mbedtls/config/mbedtls_preset_minimal.conf
${CMAKE_CURRENT_SOURCE_DIR}/my_custom_mbedtls.conf
)
Migration from Manual Configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The preset system complements manual configuration. If you have an existing manually configured mbedTLS setup:
**Option 1: Keep Your Existing Configuration**
Your current manual configuration will continue to work without any changes.
**Option 2: Migrate to Preset + Customization**
1. **Choose a base preset** that's closest to your current configuration
2. **Apply the preset** in your CMakeLists.txt
3. **Use menuconfig** to adjust settings to match your requirements
4. **Test thoroughly** to ensure functionality is maintained
Configuration Categories
^^^^^^^^^^^^^^^^^^^^^^^^
The new mbedTLS configuration system is organized into logical categories for easier navigation:
**Core Configuration**
Basic mbedTLS settings including memory allocation, threading, and debug options.
**TLS Protocol Configuration**
TLS/DTLS protocol versions, modes (client/server), and protocol-specific features.
**Symmetric Ciphers**
Block ciphers (AES, ARIA, etc.), cipher modes (CBC, GCM, etc.), and symmetric cryptography.
**Asymmetric Ciphers**
RSA, ECC, and other public key cryptography algorithms.
**Hash Functions**
Message digest algorithms (SHA-256, SHA-512, etc.) and HMAC.
**Hardware Acceleration**
ESP32-specific hardware acceleration for cryptographic operations.
**Certificate Support**
X.509 certificate parsing, validation, and certificate bundle management.
Application Examples
--------------------
@@ -56,23 +183,87 @@ Alternatives
Please refer to :ref:`ESP-TLS: Underlying SSL/TLS Library Options <esp_tls_wolfssl>` docs for more information on this and comparison of Mbed TLS and wolfSSL.
Important Config Options
------------------------
Following is a brief list of important config options accessible at ``Component Config -> mbedTLS``. The full list of config options can be found :ref:`here <CONFIG_MBEDTLS_MEM_ALLOC_MODE>`.
The Mbed TLS configuration system supports preset configurations. Following is a brief list of important config options accessible at ``Component Config -> mbedTLS``. The full list of config options can be found :ref:`here <CONFIG_MBEDTLS_MEM_ALLOC_MODE>`.
**Core Configuration:**
.. list::
- :ref:`CONFIG_MBEDTLS_SSL_PROTO_TLS1_2`: Support for TLS 1.2
- :ref:`CONFIG_MBEDTLS_SSL_PROTO_TLS1_3`: Support for TLS 1.3
- :ref:`CONFIG_MBEDTLS_CERTIFICATE_BUNDLE`: Support for trusted root certificate bundle (more about this: :doc:`/api-reference/protocols/esp_crt_bundle`)
- :ref:`CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS`: Support for TLS Session Resumption: Client session tickets
- :ref:`CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS`: Support for TLS Session Resumption: Server session tickets
:SOC_SHA_SUPPORTED: - :ref:`CONFIG_MBEDTLS_HARDWARE_SHA`: Support for hardware SHA acceleration
:SOC_AES_SUPPORTED: - :ref:`CONFIG_MBEDTLS_HARDWARE_AES`: Support for hardware AES acceleration
:SOC_MPI_SUPPORTED: - :ref:`CONFIG_MBEDTLS_HARDWARE_MPI`: Support for hardware MPI (bignum) acceleration
:SOC_ECC_SUPPORTED: - :ref:`CONFIG_MBEDTLS_HARDWARE_ECC`: Support for hardware ECC acceleration
- :ref:`CONFIG_MBEDTLS_MEM_ALLOC_MODE`: Memory allocation strategy (Internal/External/Custom)
- :ref:`CONFIG_MBEDTLS_ASYMMETRIC_CONTENT_LEN`: Asymmetric in/out fragment length for memory optimization
- :ref:`CONFIG_MBEDTLS_DYNAMIC_BUFFER`: Enable dynamic TX/RX buffer allocation
- :ref:`CONFIG_MBEDTLS_DEBUG`: Enable mbedTLS debugging (useful for development)
**TLS Protocol Configuration:**
.. list::
- :ref:`CONFIG_MBEDTLS_TLS_ENABLED`: Enable TLS protocol support
- :ref:`CONFIG_MBEDTLS_SSL_PROTO_TLS1_2`: Support for TLS 1.2 (recommended)
- :ref:`CONFIG_MBEDTLS_SSL_PROTO_TLS1_3`: Support for TLS 1.3 (latest standard)
- :ref:`CONFIG_MBEDTLS_SSL_PROTO_DTLS`: Support for DTLS (UDP-based TLS)
- :ref:`CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS`: Support for TLS Session Resumption: Client session tickets
- :ref:`CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS`: Support for TLS Session Resumption: Server session tickets
- :ref:`CONFIG_MBEDTLS_SSL_ALPN`: Support for Application Layer Protocol Negotiation
- :ref:`CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION`: Support for Server Name Indication (SNI)
**Certificate Support:**
.. list::
- :ref:`CONFIG_MBEDTLS_CERTIFICATE_BUNDLE`: Support for trusted root certificate bundle (more about this: :doc:`/api-reference/protocols/esp_crt_bundle`)
- :ref:`CONFIG_MBEDTLS_X509_USE_C`: Enable X.509 certificate support
- :ref:`CONFIG_MBEDTLS_PEM_PARSE_C`: Read & Parse PEM formatted certificates
- :ref:`CONFIG_MBEDTLS_PEM_WRITE_C`: Write PEM formatted certificates
- :ref:`CONFIG_MBEDTLS_X509_CRT_PARSE_C`: Parse X.509 certificates
- :ref:`CONFIG_MBEDTLS_X509_CRL_PARSE_C`: Parse X.509 Certificate Revocation Lists
**Cryptographic Algorithms:**
.. list::
- :ref:`CONFIG_MBEDTLS_AES_C`: AES block cipher support
- :ref:`CONFIG_MBEDTLS_RSA_C`: RSA public key cryptosystem
- :ref:`CONFIG_MBEDTLS_ECP_C`: Elliptic Curve Cryptography support
- :ref:`CONFIG_MBEDTLS_ECDSA_C`: Elliptic Curve Digital Signature Algorithm
- :ref:`CONFIG_MBEDTLS_ECDH_C`: Elliptic Curve Diffie-Hellman key exchange
- :ref:`CONFIG_MBEDTLS_SHA256_C`: SHA-256 hash function
- :ref:`CONFIG_MBEDTLS_SHA512_C`: SHA-512 hash function
- :ref:`CONFIG_MBEDTLS_GCM_C`: Galois/Counter Mode for authenticated encryption
.. note::
The new configuration structure provides better organization with categories like "Core Configuration", "TLS Protocol Configuration", "Symmetric Ciphers", "Asymmetric Ciphers", "Hash Functions", and "Hardware Acceleration" for easier navigation and configuration management.
Debugging mbedTLS
^^^^^^^^^^^^^^^^^
To enable debugging, add these configurations:
.. code-block:: kconfig
CONFIG_MBEDTLS_DEBUG=y
CONFIG_MBEDTLS_DEBUG_LEVEL=3
CONFIG_LOG_DEFAULT_LEVEL_DEBUG=y
Performance Optimization
^^^^^^^^^^^^^^^^^^^^^^^^
For optimal performance **Enable hardware acceleration** when available:
.. code-block:: kconfig
CONFIG_MBEDTLS_HARDWARE_AES=y
CONFIG_MBEDTLS_HARDWARE_SHA=y
CONFIG_MBEDTLS_HARDWARE_MPI=y
CONFIG_MBEDTLS_HARDWARE_ECC=y
Performance and Memory Tweaks
-----------------------------

4
examples/bluetooth/nimble/bleprph/CMakeLists.txt
View File

@@ -2,6 +2,10 @@
# CMakeLists in this exact order for cmake to work correctly
cmake_minimum_required(VERSION 3.16)
# Include the Bluetooth-optimized mbedTLS preset configuration
# This provides optimized settings for Bluetooth applications
# You can customize these settings using 'idf.py menuconfig' or additional config files
list(APPEND sdkconfig_defaults $ENV{IDF_PATH}/components/mbedtls/config/mbedtls_preset_bt.conf)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# "Trim" the build. Include the minimal set of components, main, and anything it depends on.
idf_build_set_property(MINIMAL_BUILD ON)

5
examples/protocols/https_request/CMakeLists.txt
View File

@@ -2,8 +2,13 @@
# CMakeLists in this exact order for cmake to work correctly
cmake_minimum_required(VERSION 3.16)
# Include the default mbedTLS preset configuration
# This provides optimized settings for general-purpose TLS applications
# You can customize these settings using 'idf.py menuconfig' or additional config files
list(APPEND sdkconfig_defaults $ENV{IDF_PATH}/components/mbedtls/config/mbedtls_preset_default.conf)
include($ENV{IDF_PATH}/tools/cmake/project.cmake)
# "Trim" the build. Include the minimal set of components, main, and anything it depends on.
idf_build_set_property(MINIMAL_BUILD ON)
project(https_request)

1
examples/protocols/https_request/sdkconfig.ci.mbedtls_config
View File

@@ -6,6 +6,7 @@
# Few example dependencies need to be enabled by default for the build to succeed
##############
CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=y
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA=y
CONFIG_MBEDTLS_AES_C=y
##############