mbedtls: Added config options for v2.28.0 upgrade

2025-08-01 03:34:32 +02:00 · 2021-12-27 18:41:09 +05:30
parent 0fdc5f7490
commit 76658d5066
2 changed files with 371 additions and 20 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -97,6 +97,13 @@ menu "mbedTLS"
            This defines maximum outgoing fragment length, overriding default
            maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN).
    config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
        bool "Variable SSL buffer length"
        default n
        help
            This enables the SSL buffer to be resized automatically
            based on the negotiated maximum fragment length in each direction.
    config MBEDTLS_DYNAMIC_BUFFER
        bool "Using dynamic TX/RX buffer"
        default n
@@ -220,16 +227,21 @@ menu "mbedTLS"
                relative to the project root directory.
    endmenu
    config MBEDTLS_ECP_RESTARTABLE
        bool "Enable mbedTLS ecp restartable"
        default n
        help
            Enable "non-blocking" ECC operations that can return early and be resumed.
    config MBEDTLS_ECDH_LEGACY_CONTEXT
        bool "Use a backward compatible ECDH context (Experimental)"
        default y
        depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
        help
            Use the legacy ECDH context format.
            Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
            want to access ECDH context fields directly.
    config MBEDTLS_CMAC_C
        bool "Enable CMAC mode for block ciphers"
        default n
@@ -712,8 +724,94 @@ menu "mbedTLS"
            help
                Support for parsing X.509 Certifificate Signing Requests
        config MBEDTLS_X509_TRUSTED_CERT_CALLBACK
            bool "Enable trusted certificate callbacks"
            default n
            help
                Enables users to configure the set of trusted certificates
                through a callback instead of a linked list.
                See mbedTLS documentation for required API and more details.
    endmenu # Certificates
    menu "DTLS-based configurations"
        visible if MBEDTLS_SSL_PROTO_DTLS
        config MBEDTLS_SSL_DTLS_CONNECTION_ID
            bool "Support for the DTLS Connection ID extension"
            depends on MBEDTLS_SSL_PROTO_DTLS
            default n
            help
                Enable support for the DTLS Connection ID extension which allows to
                identify DTLS connections across changes in the underlying transport.
                The Connection ID extension is still in draft state.
                Refer: version draft-ietf-tls-dtls-connection-id-05
        config MBEDTLS_SSL_CID_IN_LEN_MAX
            int "Maximum length of CIDs used for incoming DTLS messages"
            default 32
            range 0 32
            depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
            help
                Maximum length of CIDs used for incoming DTLS messages
        config MBEDTLS_SSL_CID_OUT_LEN_MAX
            int "Maximum length of CIDs used for outgoing DTLS messages"
            default 32
            range 0 32
            depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
            help
                Maximum length of CIDs used for outgoing DTLS messages
        config MBEDTLS_SSL_CID_PADDING_GRANULARITY
            int "Record plaintext padding (for DTLS 1.2)"
            default 16
            range 0 32
            depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
            help
                Controls the use of record plaintext padding when
                using the Connection ID extension in DTLS 1.2.
                The padding will always be chosen so that the length of the
                padded plaintext is a multiple of the value of this option.
                Notes:
                    A value of 1 means that no padding will be used for outgoing records.
                    On systems lacking division instructions, a power of two should be preferred.
        config MBEDTLS_SSL_DTLS_SRTP
            bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
            depends on MBEDTLS_SSL_PROTO_DTLS
            default n
            help
                Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
                See mbedTLS documentation for required API and more details.
                Disabling this option will save some code size.
    endmenu
    config MBEDTLS_SSL_CONTEXT_SERIALIZATION
        bool "Enable serialization of the TLS context structures"
        default n
        help
            Enable serialization of the TLS context structures
            This is a local optimization in handling a single, potentially long-lived connection.
            See mbedTLS documentation for required API and more details.
            Disabling this option will save some code size.
    config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
        bool "Keep peer certificate after handshake completion"
        default y
        help
            Keep the peer's certificate after completion of the handshake.
            Disabling this option will save about 4kB of heap and some code size.
            See mbedTLS documentation for required API and more details.
    menuconfig MBEDTLS_ECP_C
        bool  "Elliptic Curve Ciphers"
        default y
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1,12 +1,13 @@
 /**
 *
- * \brief Default mbedTLS configuration options for esp-idf
+ * \brief Default mbedTLS configuration options for ESP-IDF
 *
 *  This set of compile-time options may be used to enable
 *  or disable features selectively, and reduce the global
 *  memory footprint.
- *
+ */
- *  Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
+/*
 *  Copyright The Mbed TLS Contributors
 *  SPDX-License-Identifier: Apache-2.0
 *
 *  Licensed under the Apache License, Version 2.0 (the "License"); you may
@@ -20,8 +21,6 @@
 *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *  See the License for the specific language governing permissions and
 *  limitations under the License.
 *
 *  This file is part of mbed TLS (https://tls.mbed.org)
 */
 #ifndef ESP_CONFIG_H
@@ -310,18 +309,54 @@
 *
 * \note  This option only works with the default software implementation of
 *        elliptic curve functionality. It is incompatible with
- *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT and MBEDTLS_ECDSA_XXX_ALT.
+ *        MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT
 *        and MBEDTLS_ECDH_LEGACY_CONTEXT.
 */
 #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE
 #define MBEDTLS_ECP_RESTARTABLE
 #endif
 /**
 * \def MBEDTLS_ECDH_LEGACY_CONTEXT
 *
 * Use a backward compatible ECDH context.
 *
 * Mbed TLS supports two formats for ECDH contexts (#mbedtls_ecdh_context
 * defined in `ecdh.h`). For most applications, the choice of format makes
 * no difference, since all library functions can work with either format,
 * except that the new format is incompatible with MBEDTLS_ECP_RESTARTABLE.
 * The new format used when this option is disabled is smaller
 * (56 bytes on a 32-bit platform). In future versions of the library, it
 * will support alternative implementations of ECDH operations.
 * The new format is incompatible with applications that access
 * context fields directly and with restartable ECP operations.
 *
 * Define this macro if you enable MBEDTLS_ECP_RESTARTABLE or if you
 * want to access ECDH context fields directly. Otherwise you should
 * comment out this macro definition.
 *
 * This option has no effect if #MBEDTLS_ECDH_C is not enabled.
 *
 * \note This configuration option is experimental. Future versions of the
 *       library may modify the way the ECDH context layout is configured
 *       and may modify the layout of the new context type.
 */
 #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
 #define MBEDTLS_ECDH_LEGACY_CONTEXT
 #endif
 /**
 * \def MBEDTLS_CMAC_C
 *
 * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
 * ciphers.
 *
 * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
 *       implementation of the CMAC algorithm is provided by an alternate
 *       implementation, that alternate implementation may opt to not support
 *       AES-192 or 3DES as underlying block ciphers for the CMAC operation.
 *
 * Module:  library/cmac.c
 *
 * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
@@ -339,6 +374,7 @@
 *
 * Comment macros to disable the curve and functions for it
 */
 /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */
 #ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #else
@@ -394,12 +430,12 @@
 #else
 #undef MBEDTLS_ECP_DP_BP512R1_ENABLED
 #endif
 /* Montgomery curves (supporting ECP) */
 #ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #else
 #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #endif
 #ifdef MBEDTLS_ECP_DP_CURVE448_ENABLED
 #undef MBEDTLS_ECP_DP_CURVE448_ENABLED
 #endif
@@ -427,7 +463,7 @@
 * may result in a compromise of the long-term signing key. This is avoided by
 * the deterministic variant.
 *
- * Requires: MBEDTLS_HMAC_DRBG_C
+ * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
 *
 * Comment this macro to disable deterministic ECDSA.
 */
@@ -668,7 +704,7 @@
 *
 * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS.
 *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_ECDSA_C, MBEDTLS_X509_CRT_PARSE_C
 *
 * This enables the following ciphersuites (if other requisites are
 * enabled as well):
@@ -696,7 +732,7 @@
 *
 * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS.
 *
- * Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C
+ * Requires: MBEDTLS_ECDH_C, MBEDTLS_RSA_C, MBEDTLS_X509_CRT_PARSE_C
 *
 * This enables the following ciphersuites (if other requisites are
 * enabled as well):
@@ -850,6 +886,69 @@
 */
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
 /**
 * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
 *
 * Enable support for the DTLS Connection ID extension
 * (version draft-ietf-tls-dtls-connection-id-05,
 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
 * which allows to identify DTLS connections across changes
 * in the underlying transport.
 *
 * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
 * `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
 * See the corresponding documentation for more information.
 *
 * \warning The Connection ID extension is still in draft state.
 *          We make no stability promises for the availability
 *          or the shape of the API controlled by this option.
 *
 * The maximum lengths of outgoing and incoming CIDs can be configured
 * through the options
 * - MBEDTLS_SSL_CID_OUT_LEN_MAX
 * - MBEDTLS_SSL_CID_IN_LEN_MAX.
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 *
 * Uncomment to enable the Connection ID extension.
 */
 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
 #define MBEDTLS_SSL_DTLS_CONNECTION_ID
 #else
 #undef MBEDTLS_SSL_DTLS_CONNECTION_ID
 #endif
 /**
 * \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
 *
 * Enable serialization of the TLS context structures, through use of the
 * functions mbedtls_ssl_context_save() and mbedtls_ssl_context_load().
 *
 * This pair of functions allows one side of a connection to serialize the
 * context associated with the connection, then free or re-use that context
 * while the serialized state is persisted elsewhere, and finally deserialize
 * that state to a live context for resuming read/write operations on the
 * connection. From a protocol perspective, the state of the connection is
 * unaffected, in particular this is entirely transparent to the peer.
 *
 * Note: this is distinct from TLS session resumption, which is part of the
 * protocol and fully visible by the peer. TLS session resumption enables
 * establishing new connections associated to a saved session with shorter,
 * lighter handshakes, while context serialization is a local optimization in
 * handling a single, potentially long-lived connection.
 *
 * Enabling these APIs makes some SSL structures larger, as 64 extra bytes are
 * saved after the handshake to allow for more efficient serialization, so if
 * you don't need this feature you'll save RAM by disabling it.
 *
 * Comment to disable the context serialization APIs.
 */
 #ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION
 #define MBEDTLS_SSL_CONTEXT_SERIALIZATION
 #else
 #undef MBEDTLS_SSL_CONTEXT_SERIALIZATION
 #endif
 /** \def MBEDTLS_SSL_ENCRYPT_THEN_MAC
 *
 * Enable support for Encrypt-then-MAC, RFC 7366.
@@ -874,8 +973,8 @@
 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 *
- * Enable support for Extended Master Secret, aka Session Hash
+ * Enable support for RFC 7627: Session Hash and Extended Master Secret
- * (draft-ietf-tls-session-hash-02).
+ * Extension.
 *
 * This was introduced as "the proper fix" to the Triple Handshake familiy of
 * attacks, but it is recommended to always use it (even if you disable
@@ -897,7 +996,8 @@
 /**
 * \def MBEDTLS_SSL_FALLBACK_SCSV
 *
- * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ * Enable support for RFC 7507: Fallback Signaling Cipher Suite Value (SCSV)
 * for Preventing Protocol Downgrade Attacks.
 *
 * For servers, it is recommended to always enable this, unless you support
 * only one version of TLS, or know for sure that none of your clients
@@ -911,6 +1011,32 @@
 */
 #define MBEDTLS_SSL_FALLBACK_SCSV
 /**
 * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 *
 * This option controls the availability of the API mbedtls_ssl_get_peer_cert()
 * giving access to the peer's certificate after completion of the handshake.
 *
 * Unless you need mbedtls_ssl_peer_cert() in your application, it is
 * recommended to disable this option for reduced RAM usage.
 *
 * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
 *       defined, but always returns \c NULL.
 *
 * \note This option has no influence on the protection against the
 *       triple handshake attack. Even if it is disabled, Mbed TLS will
 *       still ensure that certificates do not change during renegotiation,
 *       for exaple by keeping a hash of the peer's certificate.
 *
 * Comment this macro to disable storing the peer's certificate
 * after the handshake.
 */
 #ifdef CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #else
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1
 *
@@ -935,6 +1061,9 @@
 * Requires: MBEDTLS_MD5_C
 *           MBEDTLS_SHA1_C
 *
 * \deprecated This option is deprecated and will be removed in a future
 *             version of Mbed TLS.
 *
 * Comment this macro to disable support for SSL 3.0
 */
 #ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
@@ -1092,6 +1221,41 @@
 #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
 #endif
 /**
 * \def MBEDTLS_SSL_DTLS_SRTP
 *
 * Enable support for negotiation of DTLS-SRTP (RFC 5764)
 * through the use_srtp extension.
 *
 * \note This feature provides the minimum functionality required
 * to negotiate the use of DTLS-SRTP and to allow the derivation of
 * the associated SRTP packet protection key material.
 * In particular, the SRTP packet protection itself, as well as the
 * demultiplexing of RTP and DTLS packets at the datagram layer
 * (see Section 5 of RFC 5764), are not handled by this feature.
 * Instead, after successful completion of a handshake negotiating
 * the use of DTLS-SRTP, the extended key exporter API
 * mbedtls_ssl_conf_export_keys_ext_cb() should be used to implement
 * the key exporter described in Section 4.2 of RFC 5764 and RFC 5705
 * (this is implemented in the SSL example programs).
 * The resulting key should then be passed to an SRTP stack.
 *
 * Setting this option enables the runtime API
 * mbedtls_ssl_conf_dtls_srtp_protection_profiles()
 * through which the supported DTLS-SRTP protection
 * profiles can be configured. You must call this API at
 * runtime if you wish to negotiate the use of DTLS-SRTP.
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 *
 * Uncomment this to enable support for use_srtp extension.
 */
 #ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_SRTP
 #else
 #undef MBEDTLS_SSL_DTLS_SRTP
 #endif
 /**
 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
 *
@@ -1176,6 +1340,21 @@
 #define MBEDTLS_SSL_TRUNCATED_HMAC
 /**
 * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 *
 * When this option is enabled, the SSL buffer will be resized automatically
 * based on the negotiated maximum fragment length in each direction.
 *
 * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 */
 #if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH && CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 #else
 #undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 #endif
 /**
 *
 * \def MBEDTLS_VERSION_FEATURES
 *
 * Allow run-time checking of compile-time enabled features. Thus allowing users
@@ -1641,7 +1820,9 @@
 * This module is used by the following key exchanges:
 *      ECDHE-ECDSA
 *
- * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
+ * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C,
 *           and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a
 *           short Weierstrass curve.
 */
 #ifdef CONFIG_MBEDTLS_ECDSA_C
 #define MBEDTLS_ECDSA_C
@@ -1719,11 +1900,11 @@
 /**
 * \def MBEDTLS_GCM_C
 *
- * Enable the Galois/Counter Mode (GCM) for AES.
+ * Enable the Galois/Counter Mode (GCM).
 *
 * Module:  library/gcm.c
 *
- * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
+ * Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
 *
 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
 * requisites are enabled as well.
@@ -2323,6 +2504,29 @@
 #undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
 #endif
 /**
 * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 *
 * If set, this enables the X.509 API `mbedtls_x509_crt_verify_with_ca_cb()`
 * and the SSL API `mbedtls_ssl_conf_ca_cb()` which allow users to configure
 * the set of trusted certificates through a callback instead of a linked
 * list.
 *
 * This is useful for example in environments where a large number of trusted
 * certificates is present and storing them in a linked list isn't efficient
 * enough, or when the set of trusted certificates changes frequently.
 *
 * See the documentation of `mbedtls_x509_crt_verify_with_ca_cb()` and
 * `mbedtls_ssl_conf_ca_cb()` for more information.
 *
 * Uncomment to enable trusted certificate callbacks.
 */
 #ifdef CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK
 #define MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 #else
 #undef MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 #endif
 /**
 * \def MBEDTLS_X509_CSR_WRITE_C
 *
@@ -2383,6 +2587,51 @@
 */
 #define MBEDTLS_SSL_IN_CONTENT_LEN              CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN
 /** \def MBEDTLS_SSL_CID_IN_LEN_MAX
 *
 * The maximum length of CIDs used for incoming DTLS messages.
 *
 */
 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
 #define MBEDTLS_SSL_CID_IN_LEN_MAX              CONFIG_MBEDTLS_SSL_CID_IN_LEN_MAX
 #else
 #undef MBEDTLS_SSL_CID_IN_LEN_MAX
 #endif
 /** \def MBEDTLS_SSL_CID_OUT_LEN_MAX
 *
 * The maximum length of CIDs used for outgoing DTLS messages.
 *
 */
 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
 #define MBEDTLS_SSL_CID_OUT_LEN_MAX            CONFIG_MBEDTLS_SSL_CID_OUT_LEN_MAX
 #else
 #undef MBEDTLS_SSL_CID_OUT_LEN_MAX
 #endif
 /** \def MBEDTLS_SSL_CID_PADDING_GRANULARITY
 *
 * This option controls the use of record plaintext padding
 * when using the Connection ID extension in DTLS 1.2.
 *
 * The padding will always be chosen so that the length of the
 * padded plaintext is a multiple of the value of this option.
 *
 * Note: A value of \c 1 means that no padding will be used
 *       for outgoing records.
 *
 * Note: On systems lacking division instructions,
 *       a power of two should be preferred.
 *
 */
 #ifdef CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID
 #define MBEDTLS_SSL_CID_PADDING_GRANULARITY    CONFIG_MBEDTLS_SSL_CID_PADDING_GRANULARITY
 #else
 #undef MBEDTLS_SSL_CID_PADDING_GRANULARITY
 #endif
 /** \def MBEDTLS_SSL_OUT_CONTENT_LEN
 *
 * Maximum outgoing fragment length in bytes.
@@ -2416,6 +2665,10 @@
 * default. At the time of writing, there is no practical attack on the use
 * of SHA-1 in handshake signatures, hence this option is turned on by default
 * for compatibility with existing peers.
 *
 * \warning   SHA-1 is considered a weak message digest and its use constitutes
 *            a security risk. If possible, we recommend avoiding dependencies
 *            on it, and considering stronger message digests instead.
 */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE