Merge branch 'cherry-pick-76bd33e9' into 'release/v4.3'

MbedTLS: Add config option for key elements and key element extension for SSL connection (backport v4.3)

See merge request espressif/esp-idf!14361

components/mbedtls/Kconfig

@@ -563,6 +563,22 @@ menu "mbedTLS"
             Client support for RFC 5077 session tickets. See mbedTLS documentation for more details.
             Disabling this option will save some code size.
 
+    config MBEDTLS_X509_CHECK_KEY_USAGE
+        bool "Enable verification of the keyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
+    config MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+        bool "Enable verification of the extendedKeyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
     config MBEDTLS_SERVER_SSL_SESSION_TICKETS
         bool "TLS: Server Support for RFC 5077 SSL session tickets"
         default y

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -1193,7 +1193,11 @@
  *
  * Comment to skip keyUsage checking for both CA and leaf certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
@@ -1206,7 +1210,11 @@
  *
  * Comment to skip extendedKeyUsage checking for certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT