diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 5b9b86be7c..ba946c3c1d 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -97,19 +97,12 @@ menu "mbedTLS" This defines maximum outgoing fragment length, overriding default maximum content length (MBEDTLS_SSL_MAX_CONTENT_LEN). - config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH - bool "Variable SSL buffer length" - default n - help - This enables the SSL buffer to be resized automatically - based on the negotiated maximum fragment length in each direction. - config MBEDTLS_DYNAMIC_BUFFER bool "Using dynamic TX/RX buffer" default n select MBEDTLS_ASYMMETRIC_CONTENT_LEN # Dynamic buffer feature is not supported with DTLS - depends on !MBEDTLS_SSL_PROTO_DTLS + depends on !MBEDTLS_SSL_PROTO_DTLS && !MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH help Using dynamic TX/RX buffer. After enabling this option, mbedTLS will allocate TX buffer when need to send data and then free it if all data @@ -185,6 +178,111 @@ menu "mbedTLS" default 3 if MBEDTLS_DEBUG_LEVEL_DEBUG default 4 if MBEDTLS_DEBUG_LEVEL_VERBOSE + menu "mbedTLS v2.28.x related" + + config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH + bool "Variable SSL buffer length" + default n + help + This enables the SSL buffer to be resized automatically + based on the negotiated maximum fragment length in each direction. + + config MBEDTLS_ECDH_LEGACY_CONTEXT + bool "Use a backward compatible ECDH context (Experimental)" + default y + depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE + help + Use the legacy ECDH context format. + Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you + want to access ECDH context fields directly. + + config MBEDTLS_X509_TRUSTED_CERT_CALLBACK + bool "Enable trusted certificate callbacks" + default n + help + Enables users to configure the set of trusted certificates + through a callback instead of a linked list. + + See mbedTLS documentation for required API and more details. + + config MBEDTLS_SSL_CONTEXT_SERIALIZATION + bool "Enable serialization of the TLS context structures" + default n + help + Enable serialization of the TLS context structures + This is a local optimization in handling a single, potentially long-lived connection. + + See mbedTLS documentation for required API and more details. + Disabling this option will save some code size. + + config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + bool "Keep peer certificate after handshake completion" + default y + depends on !MBEDTLS_DYNAMIC_FREE_PEER_CERT + help + Keep the peer's certificate after completion of the handshake. + Disabling this option will save about 4kB of heap and some code size. + + See mbedTLS documentation for required API and more details. + + menu "DTLS-based configurations" + visible if MBEDTLS_SSL_PROTO_DTLS + + config MBEDTLS_SSL_DTLS_CONNECTION_ID + bool "Support for the DTLS Connection ID extension" + depends on MBEDTLS_SSL_PROTO_DTLS + default n + help + Enable support for the DTLS Connection ID extension which allows to + identify DTLS connections across changes in the underlying transport. + The Connection ID extension is still in draft state. + Refer: version draft-ietf-tls-dtls-connection-id-05 + + config MBEDTLS_SSL_CID_IN_LEN_MAX + int "Maximum length of CIDs used for incoming DTLS messages" + default 32 + range 0 32 + depends on MBEDTLS_SSL_DTLS_CONNECTION_ID + help + Maximum length of CIDs used for incoming DTLS messages + + config MBEDTLS_SSL_CID_OUT_LEN_MAX + int "Maximum length of CIDs used for outgoing DTLS messages" + default 32 + range 0 32 + depends on MBEDTLS_SSL_DTLS_CONNECTION_ID + help + Maximum length of CIDs used for outgoing DTLS messages + + config MBEDTLS_SSL_CID_PADDING_GRANULARITY + int "Record plaintext padding (for DTLS 1.2)" + default 16 + range 0 32 + depends on MBEDTLS_SSL_DTLS_CONNECTION_ID + help + Controls the use of record plaintext padding when + using the Connection ID extension in DTLS 1.2. + + The padding will always be chosen so that the length of the + padded plaintext is a multiple of the value of this option. + + Notes: + A value of 1 means that no padding will be used for outgoing records. + On systems lacking division instructions, a power of two should be preferred. + + config MBEDTLS_SSL_DTLS_SRTP + bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)" + depends on MBEDTLS_SSL_PROTO_DTLS + default n + help + Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension. + + See mbedTLS documentation for required API and more details. + Disabling this option will save some code size. + + endmenu + + endmenu menu "Certificate Bundle" @@ -233,15 +331,6 @@ menu "mbedTLS" help Enable "non-blocking" ECC operations that can return early and be resumed. - config MBEDTLS_ECDH_LEGACY_CONTEXT - bool "Use a backward compatible ECDH context (Experimental)" - default y - depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE - help - Use the legacy ECDH context format. - Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you - want to access ECDH context fields directly. - config MBEDTLS_CMAC_C bool "Enable CMAC mode for block ciphers" default n @@ -719,94 +808,8 @@ menu "mbedTLS" help Support for parsing X.509 Certifificate Signing Requests - config MBEDTLS_X509_TRUSTED_CERT_CALLBACK - bool "Enable trusted certificate callbacks" - default n - help - Enables users to configure the set of trusted certificates - through a callback instead of a linked list. - - See mbedTLS documentation for required API and more details. - endmenu # Certificates - - menu "DTLS-based configurations" - visible if MBEDTLS_SSL_PROTO_DTLS - - config MBEDTLS_SSL_DTLS_CONNECTION_ID - bool "Support for the DTLS Connection ID extension" - depends on MBEDTLS_SSL_PROTO_DTLS - default n - help - Enable support for the DTLS Connection ID extension which allows to - identify DTLS connections across changes in the underlying transport. - The Connection ID extension is still in draft state. - Refer: version draft-ietf-tls-dtls-connection-id-05 - - config MBEDTLS_SSL_CID_IN_LEN_MAX - int "Maximum length of CIDs used for incoming DTLS messages" - default 32 - range 0 32 - depends on MBEDTLS_SSL_DTLS_CONNECTION_ID - help - Maximum length of CIDs used for incoming DTLS messages - - config MBEDTLS_SSL_CID_OUT_LEN_MAX - int "Maximum length of CIDs used for outgoing DTLS messages" - default 32 - range 0 32 - depends on MBEDTLS_SSL_DTLS_CONNECTION_ID - help - Maximum length of CIDs used for outgoing DTLS messages - - config MBEDTLS_SSL_CID_PADDING_GRANULARITY - int "Record plaintext padding (for DTLS 1.2)" - default 16 - range 0 32 - depends on MBEDTLS_SSL_DTLS_CONNECTION_ID - help - Controls the use of record plaintext padding when - using the Connection ID extension in DTLS 1.2. - - The padding will always be chosen so that the length of the - padded plaintext is a multiple of the value of this option. - - Notes: - A value of 1 means that no padding will be used for outgoing records. - On systems lacking division instructions, a power of two should be preferred. - - config MBEDTLS_SSL_DTLS_SRTP - bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)" - depends on MBEDTLS_SSL_PROTO_DTLS - default n - help - Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension. - - See mbedTLS documentation for required API and more details. - Disabling this option will save some code size. - - endmenu - - config MBEDTLS_SSL_CONTEXT_SERIALIZATION - bool "Enable serialization of the TLS context structures" - default n - help - Enable serialization of the TLS context structures - This is a local optimization in handling a single, potentially long-lived connection. - - See mbedTLS documentation for required API and more details. - Disabling this option will save some code size. - - config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE - bool "Keep peer certificate after handshake completion" - default y - help - Keep the peer's certificate after completion of the handshake. - Disabling this option will save about 4kB of heap and some code size. - - See mbedTLS documentation for required API and more details. - menuconfig MBEDTLS_ECP_C bool "Elliptic Curve Ciphers" default y diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c index 373264452b..58c814ecd2 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c @@ -1,16 +1,8 @@ -// Copyright 2020 Espressif Systems (Shanghai) PTE LTD -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at - -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. +/* + * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ #include #include "esp_mbedtls_dynamic_impl.h" @@ -531,27 +523,3 @@ void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) } } #endif /* CONFIG_MBEDTLS_DYNAMIC_FREE_CA_CERT */ - -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT -void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl) -{ - if (ssl->session_negotiate->peer_cert) { - mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert ); - mbedtls_free( ssl->session_negotiate->peer_cert ); - ssl->session_negotiate->peer_cert = NULL; - } -} - -bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl) -{ - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->transform_negotiate->ciphersuite_info; - - if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { - return true; - } else { - return false; - } -} -#endif diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h index 45dfe033fd..a32f4e5b01 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ @@ -86,10 +86,4 @@ void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl); void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl); #endif -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT -void esp_mbedtls_free_peer_cert(mbedtls_ssl_context *ssl); - -bool esp_mbedtls_ssl_is_rsa(mbedtls_ssl_context *ssl); -#endif - #endif /* _DYNAMIC_IMPL_H_ */ diff --git a/components/mbedtls/port/dynamic/esp_ssl_cli.c b/components/mbedtls/port/dynamic/esp_ssl_cli.c index 94ed064d6d..ddad9b44d3 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_cli.c +++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c @@ -1,16 +1,8 @@ -// Copyright 2020 Espressif Systems (Shanghai) PTE LTD -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at - -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and - +/* + * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ #include #include #include "esp_mbedtls_dynamic_impl.h" @@ -72,19 +64,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) if (!ssl->keep_current_message) { CHECK_OK(esp_mbedtls_free_rx_buffer(ssl)); } -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT - /** - * If current ciphersuite is RSA, we should free peer' - * certificate at step MBEDTLS_SSL_CLIENT_KEY_EXCHANGE. - * - * And if it is other kinds of ciphersuite, we can free - * peer certificate here. - */ - - if (esp_mbedtls_ssl_is_rsa(ssl) == false) { - esp_mbedtls_free_peer_cert(ssl); - } -#endif } break; case MBEDTLS_SSL_CERTIFICATE_REQUEST: @@ -133,12 +112,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) size_t buffer_len = MBEDTLS_SSL_OUT_BUFFER_LEN; CHECK_OK(esp_mbedtls_add_tx_buffer(ssl, buffer_len)); - } else { -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT - if (esp_mbedtls_ssl_is_rsa(ssl) == true) { - esp_mbedtls_free_peer_cert(ssl); - } -#endif } break; case MBEDTLS_SSL_CERTIFICATE_VERIFY: diff --git a/components/mbedtls/port/dynamic/esp_ssl_srv.c b/components/mbedtls/port/dynamic/esp_ssl_srv.c index bc96dcfab0..84bbd59682 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_srv.c +++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c @@ -1,16 +1,8 @@ -// Copyright 2020 Espressif Systems (Shanghai) PTE LTD -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at - -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and - +/* + * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ #include #include "esp_mbedtls_dynamic_impl.h" @@ -136,10 +128,6 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) CHECK_OK(esp_mbedtls_add_rx_buffer(ssl)); } else { CHECK_OK(esp_mbedtls_free_rx_buffer(ssl)); - -#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_PEER_CERT - esp_mbedtls_free_peer_cert(ssl); -#endif } break; case MBEDTLS_SSL_CLIENT_FINISHED: