espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-07-29 18:27:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

mbedtls: Added option MBEDTLS_SSL_KEEP_PEER_CERTIFICATE

Browse Source 
- Removed code regarding MBEDTLS_DYNAMIC_FREE_PEER_CERT
  (config was kept for backward compatibility)
- Combined mbedTLS v2.28.x related options under a separate Kconfig menu
This commit is contained in:
Laukik Hase
2022-01-24 10:04:05 +05:30
parent 6957b4815a
commit df9f101792
5 changed files with 122 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

209
components/mbedtls/Kconfig
View File

@ -97,19 +97,12 @@ menu "mbedTLS"
This defines maximum outgoing fragment length, overriding default
maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN).
config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
bool "Variable SSL buffer length"
default n
help
This enables the SSL buffer to be resized automatically
based on the negotiated maximum fragment length in each direction.
config MBEDTLS_DYNAMIC_BUFFER
bool "Using dynamic TX/RX buffer"
default n
select MBEDTLS_ASYMMETRIC_CONTENT_LEN
# Dynamic buffer feature is not supported with DTLS
depends on !MBEDTLS_SSL_PROTO_DTLS
depends on !MBEDTLS_SSL_PROTO_DTLS && !MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
help
Using dynamic TX/RX buffer. After enabling this option, mbedTLS will
allocate TX buffer when need to send data and then free it if all data
@ -185,6 +178,111 @@ menu "mbedTLS"
default 3 if MBEDTLS_DEBUG_LEVEL_DEBUG
default 4 if MBEDTLS_DEBUG_LEVEL_VERBOSE
menu "mbedTLS v2.28.x related"
config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
bool "Variable SSL buffer length"
default n
help
This enables the SSL buffer to be resized automatically
based on the negotiated maximum fragment length in each direction.
config MBEDTLS_ECDH_LEGACY_CONTEXT
bool "Use a backward compatible ECDH context (Experimental)"
default y
depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
help
Use the legacy ECDH context format.
Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
want to access ECDH context fields directly.
config MBEDTLS_X509_TRUSTED_CERT_CALLBACK
bool "Enable trusted certificate callbacks"
default n
help
Enables users to configure the set of trusted certificates
through a callback instead of a linked list.
See mbedTLS documentation for required API and more details.
config MBEDTLS_SSL_CONTEXT_SERIALIZATION
bool "Enable serialization of the TLS context structures"
default n
help
Enable serialization of the TLS context structures
This is a local optimization in handling a single, potentially long-lived connection.
See mbedTLS documentation for required API and more details.
Disabling this option will save some code size.
config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
bool "Keep peer certificate after handshake completion"
default y
depends on !MBEDTLS_DYNAMIC_FREE_PEER_CERT
help
Keep the peer's certificate after completion of the handshake.
Disabling this option will save about 4kB of heap and some code size.
See mbedTLS documentation for required API and more details.
menu "DTLS-based configurations"
visible if MBEDTLS_SSL_PROTO_DTLS
config MBEDTLS_SSL_DTLS_CONNECTION_ID
bool "Support for the DTLS Connection ID extension"
depends on MBEDTLS_SSL_PROTO_DTLS
default n
help
Enable support for the DTLS Connection ID extension which allows to
identify DTLS connections across changes in the underlying transport.
The Connection ID extension is still in draft state.
Refer: version draft-ietf-tls-dtls-connection-id-05
config MBEDTLS_SSL_CID_IN_LEN_MAX
int "Maximum length of CIDs used for incoming DTLS messages"
default 32
range 0 32
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
help
Maximum length of CIDs used for incoming DTLS messages
config MBEDTLS_SSL_CID_OUT_LEN_MAX
int "Maximum length of CIDs used for outgoing DTLS messages"
default 32
range 0 32
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
help
Maximum length of CIDs used for outgoing DTLS messages
config MBEDTLS_SSL_CID_PADDING_GRANULARITY
int "Record plaintext padding (for DTLS 1.2)"
default 16
range 0 32
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
help
Controls the use of record plaintext padding when
using the Connection ID extension in DTLS 1.2.
The padding will always be chosen so that the length of the
padded plaintext is a multiple of the value of this option.
Notes:
A value of 1 means that no padding will be used for outgoing records.
On systems lacking division instructions, a power of two should be preferred.
config MBEDTLS_SSL_DTLS_SRTP
bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
depends on MBEDTLS_SSL_PROTO_DTLS
default n
help
Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
See mbedTLS documentation for required API and more details.
Disabling this option will save some code size.
endmenu
endmenu
menu "Certificate Bundle"
@ -233,15 +331,6 @@ menu "mbedTLS"
help
Enable "non-blocking" ECC operations that can return early and be resumed.
config MBEDTLS_ECDH_LEGACY_CONTEXT
bool "Use a backward compatible ECDH context (Experimental)"
default y
depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
help
Use the legacy ECDH context format.
Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
want to access ECDH context fields directly.
config MBEDTLS_CMAC_C
bool "Enable CMAC mode for block ciphers"
default n
@ -719,94 +808,8 @@ menu "mbedTLS"
help
Support for parsing X.509 Certifificate Signing Requests
config MBEDTLS_X509_TRUSTED_CERT_CALLBACK
bool "Enable trusted certificate callbacks"
default n
help
Enables users to configure the set of trusted certificates
through a callback instead of a linked list.
See mbedTLS documentation for required API and more details.
endmenu # Certificates
menu "DTLS-based configurations"
visible if MBEDTLS_SSL_PROTO_DTLS
config MBEDTLS_SSL_DTLS_CONNECTION_ID
bool "Support for the DTLS Connection ID extension"
depends on MBEDTLS_SSL_PROTO_DTLS
default n
help
Enable support for the DTLS Connection ID extension which allows to
identify DTLS connections across changes in the underlying transport.
The Connection ID extension is still in draft state.
Refer: version draft-ietf-tls-dtls-connection-id-05
config MBEDTLS_SSL_CID_IN_LEN_MAX
int "Maximum length of CIDs used for incoming DTLS messages"
default 32
range 0 32
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
help
Maximum length of CIDs used for incoming DTLS messages
config MBEDTLS_SSL_CID_OUT_LEN_MAX
int "Maximum length of CIDs used for outgoing DTLS messages"
default 32
range 0 32
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
help
Maximum length of CIDs used for outgoing DTLS messages
config MBEDTLS_SSL_CID_PADDING_GRANULARITY
int "Record plaintext padding (for DTLS 1.2)"
default 16
range 0 32
depends on MBEDTLS_SSL_DTLS_CONNECTION_ID
help
Controls the use of record plaintext padding when
using the Connection ID extension in DTLS 1.2.
The padding will always be chosen so that the length of the
padded plaintext is a multiple of the value of this option.
Notes:
A value of 1 means that no padding will be used for outgoing records.
On systems lacking division instructions, a power of two should be preferred.
config MBEDTLS_SSL_DTLS_SRTP
bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
depends on MBEDTLS_SSL_PROTO_DTLS
default n
help
Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
See mbedTLS documentation for required API and more details.
Disabling this option will save some code size.
endmenu
config MBEDTLS_SSL_CONTEXT_SERIALIZATION
bool "Enable serialization of the TLS context structures"
default n
help
Enable serialization of the TLS context structures
This is a local optimization in handling a single, potentially long-lived connection.
See mbedTLS documentation for required API and more details.
Disabling this option will save some code size.
config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
bool "Keep peer certificate after handshake completion"
default y
help
Keep the peer's certificate after completion of the handshake.
Disabling this option will save about 4kB of heap and some code size.
See mbedTLS documentation for required API and more details.
menuconfig MBEDTLS_ECP_C
bool "Elliptic Curve Ciphers"
default y

42
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
View File

@ -1,16 +1,8 @@
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
/*
* SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <string.h>
#include "esp_mbedtls_dynamic_impl.h"
@ -531,27 +523,3 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
}
}
#endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl)
{
if (ssl->session_negotiate->peer_cert) {
mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
mbedtls_free( ssl->session_negotiate->peer_cert );
ssl->session_negotiate->peer_cert = NULL;
}
}
bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl)
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->transform_negotiate->ciphersuite_info;
if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
return true;
} else {
return false;
}
}
#endif

8
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
View File

@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@ -86,10 +86,4 @@ void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl);
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl);
#endif
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl);
bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl);
#endif
#endif /* _DYNAMIC_IMPL_H_ */

37
components/mbedtls/port/dynamic/esp_ssl_cli.c
View File

@ -1,16 +1,8 @@
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
/*
* SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <sys/param.h>
#include <stdbool.h>
#include "esp_mbedtls_dynamic_impl.h"
@ -72,19 +64,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
if (!ssl->keep_current_message) {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
}
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
/**
* If current ciphersuite is RSA, we should free peer'
* certificate at step MBEDTLS_SSL_CLIENT_KEY_EXCHANGE.
*
* And if it is other kinds of ciphersuite, we can free
* peer certificate here.
*/
if (esp_mbedtls_ssl_is_rsa(ssl) == false) {
esp_mbedtls_free_peer_cert(ssl);
}
#endif
}
break;
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
@ -133,12 +112,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
size_t buffer_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
CHECK_OK(esp_mbedtls_add_tx_buffer(ssl, buffer_len));
} else {
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
if (esp_mbedtls_ssl_is_rsa(ssl) == true) {
esp_mbedtls_free_peer_cert(ssl);
}
#endif
}
break;
case MBEDTLS_SSL_CERTIFICATE_VERIFY:

22
components/mbedtls/port/dynamic/esp_ssl_srv.c
View File

@ -1,16 +1,8 @@
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
/*
* SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <sys/param.h>
#include "esp_mbedtls_dynamic_impl.h"
@ -136,10 +128,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
CHECK_OK(esp_mbedtls_add_rx_buffer(ssl));
} else {
CHECK_OK(esp_mbedtls_free_rx_buffer(ssl));
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT
esp_mbedtls_free_peer_cert(ssl);
#endif
}
break;
case MBEDTLS_SSL_CLIENT_FINISHED: