diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index 57a73584f3..2b24ecf1f1 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -15,7 +15,7 @@ config MBEDTLS_SSL_MAX_CONTENT_LEN Fragment Length Negotiation Extension (max_fragment_length, see RFC6066) or you know for certain that it will never send a message longer than a certain number of bytes. - + If the value is set too low, symptoms are a failed TLS handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD (-0x7200).
@@ -102,4 +102,426 @@ config MBEDTLS_HAVE_TIME_DATE
         It is suggested that you should get the real time by "SNTP".
-endmenu
+choice MBEDTLS_TLS_MODE
+    bool "TLS Protocol Role"
+    default MBEDTLS_TLS_SERVER_AND_CLIENT
+    help
+        mbedTLS can be compiled with protocol support for the TLS
+        server, TLS client, or both server and client.
+
+        Reducing the number of TLS roles supported saves code size.
+
+config MBEDTLS_TLS_SERVER_AND_CLIENT
+    bool "Server & Client"
+    select MBEDTLS_TLS_SERVER
+    select MBEDTLS_TLS_CLIENT
+config MBEDTLS_TLS_SERVER_ONLY
+    bool "Server"
+    select MBEDTLS_TLS_SERVER
+config MBEDTLS_TLS_CLIENT_ONLY
+    bool "Client"
+    select MBEDTLS_TLS_CLIENT
+config MBEDTLS_TLS_DISABLED
+    bool "None"
+
+endchoice
+
+config MBEDTLS_TLS_SERVER
+    bool
+    select MBEDTLS_TLS_ENABLED
+config MBEDTLS_TLS_CLIENT
+    bool
+    select MBEDTLS_TLS_ENABLED
+config MBEDTLS_TLS_ENABLED
+    bool
+
+menu "TLS Key Exchange Methods"
+    depends on MBEDTLS_TLS_ENABLED
+
+config MBEDTLS_PSK_MODES
+    bool "Enable pre-shared-key ciphersuites"
+    default n
+    help
+        Enable to show configuration for different types of pre-shared-key TLS authentatication methods.
+
+        Leaving this options disabled will save code size if they are not used.
+
+config MBEDTLS_KEY_EXCHANGE_PSK
+    bool "Enable PSK based ciphersuite modes"
+    depends on MBEDTLS_PSK_MODES
+    default n
+    help
+        Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes.
+
+config MBEDTLS_KEY_EXCHANGE_DHE_PSK
+    bool "Enable DHE-PSK based ciphersuite modes"
+    depends on MBEDTLS_PSK_MODES
+    default y
+    help
+        Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_DHE_PSK
+    bool "Enable DHE-PSK based ciphersuite modes"
+    depends on MBEDTLS_PSK_MODES
+    default y
+    help
+        Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
+    bool "Enable ECDHE-PSK based ciphersuite modes"
+    depends on MBEDTLS_PSK_MODES
+    default y
+    help
+        Enable to support Elliptic-Curve-Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_RSA_PSK
+    bool "Enable RSA-PSK based ciphersuite modes"
+    depends on MBEDTLS_PSK_MODES
+    default y
+    help
+        Enable to support RSA PSK (pre-shared-key) TLS authentication modes.
+
+config MBEDTLS_KEY_EXCHANGE_RSA
+    bool "Enable RSA-only based ciphersuite modes"
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_DHE_RSA
+    bool "Enable DHE-RSA based ciphersuite modes"
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+    bool "Support Elliptic Curve based ciphersuites"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable to show Elliptic Curve based ciphersuite mode options.
+
+        Disabling all Elliptic Curve ciphersuites saves code size and
+        can give slightly faster TLS handshakes, provided the server supports
+        RSA-only ciphersuite modes.
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
+    bool "Enable ECDHE-RSA based ciphersuite modes"
+    depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+    bool "Enable ECDHE-ECDSA based ciphersuite modes"
+    depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
+    bool "Enable ECDHE-ECDSA based ciphersuite modes"
+    depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
+    bool "Enable ECDH-ECDSA based ciphersuite modes"
+    depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+config MBEDTLS_KEY_EXCHANGE_ECDH_RSA
+    bool "Enable ECDH-RSA based ciphersuite modes"
+    depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
+    default y
+    help
+        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
+
+endmenu # TLS key exchange modes
+
+config MBEDTLS_SSL_RENEGOTIATION
+    bool "Support TLS renegotiation"
+    depends on MBEDTLS_TLS_ENABLED
+    default y
+    help
+        The two main uses of renegotiation are (1) refresh keys on long-lived
+        connections and (2) client authentication after the initial handshake.
+        If you don't need renegotiation, disabling it will save code size and
+        reduce the possibility of abuse/vulnerability.
+
+config MBEDTLS_SSL_PROTO_SSL3
+    bool "Legacy SSL 3.0 support"
+    depends on MBEDTLS_TLS_ENABLED
+    default n
+    help
+        Support the legacy SSL 3.0 protocol. Most servers will speak a newer
+        TLS protocol these days.
+
+config MBEDTLS_SSL_PROTO_TLS1
+    bool "Support TLS 1.0 protocol"
+    depends on MBEDTLS_TLS_ENABLED
+    default y
+
+config MBEDTLS_SSL_PROTO_TLS1_1
+    bool "Support TLS 1.1 protocol"
+    depends on MBEDTLS_TLS_ENABLED
+    default y
+
+config MBEDTLS_SSL_PROTO_TLS1_2
+    bool "Support TLS 1.2 protocol"
+    depends on MBEDTLS_TLS_ENABLED
+    default y
+
+config MBEDTLS_SSL_PROTO_DTLS
+    bool "Support DTLS protocol (all versions)"
+    default n
+    depends on MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2
+    help
+        Requires TLS 1.1 to be enabled for DTLS 1.0
+        Requires TLS 1.2 to be enabled for DTLS 1.2
+
+config MBEDTLS_SSL_ALPN
+    bool "Support ALPN (Application Layer Protocol Negotiation)"
+    depends on MBEDTLS_TLS_ENABLED
+    default y
+    help
+        Disabling this option will save some code size if it is not needed.
+
+config MBEDTLS_SSL_SESSION_TICKETS
+    bool "TLS: Support RFC 5077 SSL session tickets"
+    default y
+    depends on MBEDTLS_TLS_ENABLED
+    help
+        Support RFC 5077 session tickets. See mbedTLS documentation for more details.
+
+        Disabling this option will save some code size.
+
+menu "Symmetric Ciphers"
+
+config MBEDTLS_AES_C
+    bool "AES block cipher"
+    default y
+
+config MBEDTLS_CAMELLIA_C
+    bool "Camellia block cipher"
+    default n
+
+config MBEDTLS_DES_C
+    bool "DES block cipher (legacy, insecure)"
+    default n
+    help
+        Enables the DES block cipher to support 3DES-based TLS ciphersuites.
+
+        3DES is vulnerable to the Sweet32 attack and should only be enabled
+        if absolutely necessary.
+
+choice MBEDTLS_RC4_MODE
+    prompt "RC4 Stream Cipher (legacy, insecure)"
+    default MBEDTLS_RC4_DISABLED
+    help
+        ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not
+        added to default ciphersuites, or enabled completely.
+
+        Please consider the security implications before enabling RC4.
+
+config MBEDTLS_RC4_DISABLED
+    bool "Disabled"
+config MBEDTLS_RC4_ENABLED_NO_DEFAULT
+    bool "Enabled, not in default ciphersuites"
+config MBEDTLS_RC4_ENABLED
+    bool "Enabled"
+endchoice
+
+config MBEDTLS_BLOWFISH_C
+    bool "Blowfish block cipher (read help)"
+    default n
+    help
+        Enables the Blowfish block cipher (not used for TLS sessions.)
+
+        The Blowfish cipher is not used for mbedTLS TLS sessions but can be
+        used for other purposes. Read up on the limitations of Blowfish (including
+        Sweet32) before enabling.
+
+config MBEDTLS_XTEA_C
+    bool "XTEA block cipher"
+    default n
+    help
+        Enables the XTEA block cipher.
+
+
+config MBEDTLS_CCM_C
+    bool "CCM (Counter with CBC-MAC) block cipher modes"
+    default y
+    depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
+    help
+        Enable Counter with CBC-MAC (CCM) modes for AES and/or Camellia ciphers.
+
+        Disabling this option saves some code size.
+
+config MBEDTLS_GCM_C
+    bool "GCM (Galois/Counter) block cipher modes"
+    default y
+    depends on MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C
+    help
+        Enable Galois/Counter Mode for AES and/or Camellia ciphers.
+
+        This option is generally faster than CCM.
+
+endmenu # Symmetric Ciphers
+
+config MBEDTLS_RIPEMD160_C
+    bool "Enable RIPEMD-160 hash algorithm"
+    default n
+    help
+        Enable the RIPEMD-160 hash algorithm.
+
+menu "Certificates"
+
+config MBEDTLS_PEM_PARSE_C
+    bool "Read & Parse PEM formatted certificates"
+    default y
+    help
+        Enable decoding/parsing of PEM formatted certificates.
+
+        If your certificates are all in the simpler DER format, disabling
+        this option will save some code size.
+
+config MBEDTLS_PEM_WRITE_C
+    bool "Write PEM formatted certificates"
+    default y
+    help
+        Enable writing of PEM formatted certificates.
+
+        If writing certificate data only in DER format, disabling this
+        option will save some code size.
+
+config MBEDTLS_X509_CRL_PARSE_C
+    bool "X.509 CRL parsing"
+    default y
+    help
+        Support for parsing X.509 Certifificate Revocation Lists.
+
+config MBEDTLS_X509_CSR_PARSE_C
+    bool "X.509 CSR parsing"
+    default y
+    help
+        Support for parsing X.509 Certifificate Signing Requests
+
+endmenu # Certificates
+
+menuconfig MBEDTLS_ECP_C
+    bool "Elliptic Curve Ciphers"
+    default y
+
+config MBEDTLS_ECDH_C
+    bool "Elliptic Curve Diffie-Hellman (ECDH)"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites.
+
+config MBEDTLS_ECDSA_C
+    bool "Elliptic Curve DSA"
+    depends on MBEDTLS_ECDH_C
+    default y
+    help
+        Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites.
+
+config MBEDTLS_ECP_DP_SECP192R1_ENABLED
+    bool "Enable SECP192R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224R1_ENABLED
+    bool "Enable SECP224R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    bool "Enable SECP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP384R1_ENABLED
+    bool "Enable SECP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP384R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP521R1_ENABLED
+    bool "Enable SECP521R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP521R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP192K1_ENABLED
+    bool "Enable SECP192K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224K1_ENABLED
+    bool "Enable SECP224K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256K1_ENABLED
+    bool "Enable SECP256K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP256R1_ENABLED
+    bool "Enable BP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP384R1_ENABLED
+    bool "Enable BP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP512R1_ENABLED
+    bool "Enable BP512R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_CURVE25519_ENABLED
+    bool "Enable CURVE25519 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for CURVE25519 Elliptic Curve.
+
+config MBEDTLS_ECP_NIST_OPTIM
+    bool "NIST 'modulo p' optimisations"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        NIST 'modulo p' optimisations increase Elliptic Curve operation performance.
+
+        Disabling this option saves some code size.
+
+# end of Elliptic Curve options
+
+endmenu # mbedTLS
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 447fc302bd..85a342be1c 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -430,7 +430,9 @@
  *
  * Uncomment this macro to remove RC4 ciphersuites by default.
  */
+#ifdef CONFIG_MBEDTLS_RC4_ENABLED
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif
 
 /**
  * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
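Review bot: `config MBEDTLS_KEY_EXCHANGE_DHE_PSK` and `config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA` are each declared twice in this hunk, back to back with identical bodies, which reads as a copy-paste slip; the second copy of each should be dropped. The same copy-paste left the help text of ECDHE_ECDSA, ECDH_ECDSA and ECDH_RSA all saying `Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-`, so a user cannot tell from the menu which suites each option enables; they should read `TLS-ECDHE-ECDSA-WITH-`, `TLS-ECDH-ECDSA-WITH-` and `TLS-ECDH-RSA-WITH-` respectively. `MBEDTLS_ECDSA_C` is given `depends on MBEDTLS_ECDH_C`, while the esp_config.h comment for that module in this same commit lists only `MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C` as requirements, so ECDSA (needed for certificate signature checks) becomes unavailable without ECDH for no stated reason and `depends on MBEDTLS_ECP_C` looks like the intended line. While here, 'authentatication', 'Certifificate' (twice) and the three brainpool help strings reading 'support for DP Elliptic Curve.' should be corrected to name the curve like the other entries do.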
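Review bot: The guard added around `MBEDTLS_REMOVE_ARC4_CIPHERSUITES` is inverted with respect to the Kconfig choice: the comment directly above says this macro removes RC4 suites from the defaults, yet it is now defined only under `CONFIG_MBEDTLS_RC4_ENABLED` (the choice labelled "Enabled") and not under `CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT` (the choice labelled "Enabled, not in default ciphersuites"). As written, a user who picks "not in default ciphersuites" ships RC4 in the default ciphersuite list, while the user who picks "Enabled" has it removed. The condition should be `#ifdef CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT`, or `#ifndef CONFIG_MBEDTLS_RC4_ENABLED` if the macro should also stay defined when RC4 is disabled entirely, as it was unconditionally before this change.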
@@ -440,18 +442,42 @@
  *
  * Comment macros to disable the curve and functions for it
  */
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED
 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
@@ -462,7 +488,9 @@
  *
  * Comment this macro to disable NIST curves optimisation.
  */
+#ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM
 #define MBEDTLS_ECP_NIST_OPTIM
+#endif
 
 /**
  * \def MBEDTLS_ECDSA_DETERMINISTIC
@@ -498,7 +526,9 @@
  *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -522,7 +552,9 @@
  *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -542,7 +574,9 @@
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -567,7 +601,9 @@
  *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK
 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
@@ -595,7 +631,9 @@
  *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -621,7 +659,9 @@
  *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
  *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -646,7 +686,9 @@
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -670,7 +712,9 @@
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@@ -694,7 +738,9 @@
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -718,7 +764,9 @@
  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
  */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -971,7 +1019,9 @@
  *
  * Comment this macro to disable support for Encrypt-then-MAC
  */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif
 
 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
  *
@@ -989,7 +1039,9 @@
  *
  * Comment this macro to disable support for Extended Master Secret.
  */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif
 
 /**
  * \def MBEDTLS_SSL_FALLBACK_SCSV
@@ -1028,7 +1080,9 @@
  *
  * Comment this macro to disable 1/n-1 record splitting.
  */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif
 
 /**
  * \def MBEDTLS_SSL_RENEGOTIATION
@@ -1043,7 +1097,9 @@
  *
  * Comment this to disable support for renegotiation.
  */
+#ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION
 #define MBEDTLS_SSL_RENEGOTIATION
+#endif
 
 /**
  * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -1084,7 +1140,9 @@
  *
  * Comment this macro to disable support for SSL 3.0
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
 #define MBEDTLS_SSL_PROTO_SSL3
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_TLS1
@@ -1096,7 +1154,9 @@
  *
  * Comment this macro to disable support for TLS 1.0
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1
 #define MBEDTLS_SSL_PROTO_TLS1
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_TLS1_1
@@ -1108,7 +1168,9 @@
  *
  * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1
 #define MBEDTLS_SSL_PROTO_TLS1_1
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -1120,7 +1182,9 @@
  *
  * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#endif
 
 /**
  * \def MBEDTLS_SSL_PROTO_DTLS
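Review bot: The new guard `#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)` in the `@@ -1028,7 +1080,9 @@` hunk (1/n-1 record splitting) tests the mbedTLS macros rather than the Kconfig symbols, and those macros are only defined further down this same header, in the `@@ -1084,7 +1140,9 @@` and `@@ -1096,7 +1154,9 @@` hunks. Unless they are also defined somewhere earlier outside these hunks, the condition is always false at that point, so `MBEDTLS_SSL_CBC_RECORD_SPLITTING` is silently never defined even when SSL 3.0 or TLS 1.0 is enabled, which removes the CBC record-splitting mitigation for exactly the protocol versions it exists for. Every other guard in this file keys off the `CONFIG_` symbol; this one should too: `#if defined(CONFIG_MBEDTLS_SSL_PROTO_SSL3) || defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1)`.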
@@ -1135,7 +1199,9 @@
  *
  * Comment this macro to disable support for DTLS
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_PROTO_DTLS
+#endif
 
 /**
  * \def MBEDTLS_SSL_ALPN
@@ -1144,7 +1210,9 @@
  *
  * Comment this macro to disable support for ALPN.
  */
+#ifdef CONFIG_MBEDTLS_SSL_ALPN
 #define MBEDTLS_SSL_ALPN
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
@@ -1159,7 +1227,9 @@
  *
  * Comment this to disable anti-replay in DTLS.
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
@@ -1177,7 +1247,9 @@
  *
  * Comment this to disable support for HelloVerifyRequest.
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
@@ -1193,7 +1265,9 @@
  *
  * Comment this to disable support for clients reusing the source port.
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#endif
 
 /**
  * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
@@ -1204,7 +1278,9 @@
  *
  * Requires: MBEDTLS_SSL_PROTO_DTLS
  */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif
 
 /**
  * \def MBEDTLS_SSL_SESSION_TICKETS
@@ -1218,7 +1294,9 @@
  *
  * Comment this macro to disable support for SSL session tickets
  */
+#ifdef CONFIG_MBEDTLS_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_SESSION_TICKETS
+#endif
 
 /**
  * \def MBEDTLS_SSL_EXPORT_KEYS
@@ -1461,7 +1539,9 @@
  *
  * PEM_PARSE uses AES for decrypting encrypted keys.
  */
+#ifdef CONFIG_MBEDTLS_AES_C
 #define MBEDTLS_AES_C
+#endif
 
 /**
  * \def MBEDTLS_ARC4_C
@@ -1484,7 +1564,9 @@
  *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  */
+#if defined(CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT) || defined(CONFIG_MBEDTLS_RC4_ENABLED)
 #define MBEDTLS_ARC4_C
+#endif
 
 /**
  * \def MBEDTLS_ASN1_PARSE_C
@@ -1549,7 +1631,9 @@
  *
  * Module:  library/blowfish.c
  */
+#ifdef CONFIG_MBEDTLS_BLOWFISH_C
 #define MBEDTLS_BLOWFISH_C
+#endif
 
 /**
  * \def MBEDTLS_CAMELLIA_C
@@ -1604,7 +1688,9 @@
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  */
+#ifdef CONFIG_MBEDTLS_CAMELLIA_C
 #define MBEDTLS_CAMELLIA_C
+#endif
 
 /**
  * \def MBEDTLS_CCM_C
@@ -1618,7 +1704,9 @@
  * This module enables the AES-CCM ciphersuites, if other requisites are
  * enabled as well.
  */
+#ifdef CONFIG_MBEDTLS_CCM_C
 #define MBEDTLS_CCM_C
+#endif
 
 /**
  * \def MBEDTLS_CERTS_C
@@ -1698,7 +1786,9 @@
  *
  * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
  */
+#ifdef CONFIG_MBEDTLS_DES_C
 #define MBEDTLS_DES_C
+#endif
 
 /**
  * \def MBEDTLS_DHM_C
@@ -1728,7 +1818,9 @@
  *
  * Requires: MBEDTLS_ECP_C
  */
+#ifdef CONFIG_MBEDTLS_ECDH_C
 #define MBEDTLS_ECDH_C
+#endif
 
 /**
  * \def MBEDTLS_ECDSA_C
@@ -1743,7 +1835,9 @@
  *
  * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
  */
+#ifdef CONFIG_MBEDTLS_ECDSA_C
 #define MBEDTLS_ECDSA_C
+#endif
 
 /**
  * \def MBEDTLS_ECJPAKE_C
@@ -1776,7 +1870,9 @@
  *
  * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
  */
+#ifdef CONFIG_MBEDTLS_ECP_C
 #define MBEDTLS_ECP_C
+#endif
 
 /**
  * \def MBEDTLS_ENTROPY_C
@@ -1816,7 +1912,9 @@
  * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
  * requisites are enabled as well.
  */
+#ifdef CONFIG_MBEDTLS_GCM_C
 #define MBEDTLS_GCM_C
+#endif
 
 /**
  * \def MBEDTLS_HAVEGE_C
@@ -1986,7 +2084,9 @@
  *
  * This modules adds support for decoding / parsing PEM files.
  */
+#ifdef CONFIG_MBEDTLS_PEM_PARSE_C
 #define MBEDTLS_PEM_PARSE_C
+#endif
 
 /**
  * \def MBEDTLS_PEM_WRITE_C
@@ -2002,7 +2102,9 @@
  *
  * This modules adds support for encoding / writing PEM files.
  */
+#ifdef CONFIG_MBEDTLS_PEM_WRITE_C
 #define MBEDTLS_PEM_WRITE_C
+#endif
 
 /**
  * \def MBEDTLS_PK_C
@@ -2122,7 +2224,9 @@
  * Caller:  library/mbedtls_md.c
  *
  */
+#ifdef CONFIG_MBEDTLS_RIPEMD160_C
 #define MBEDTLS_RIPEMD160_C
+#endif
 
 /**
  * \def MBEDTLS_RSA_C
@@ -2236,7 +2340,9 @@
  *
  * This module is required for SSL/TLS client support.
  */
+#ifdef CONFIG_MBEDTLS_TLS_CLIENT
 #define MBEDTLS_SSL_CLI_C
+#endif
 
 /**
  * \def MBEDTLS_SSL_SRV_C
@@ -2250,7 +2356,9 @@
  *
  * This module is required for SSL/TLS server support.
  */
+#ifdef CONFIG_MBEDTLS_TLS_SERVER
 #define MBEDTLS_SSL_SRV_C
+#endif
 
 /**
  * \def MBEDTLS_SSL_TLS_C
@@ -2266,7 +2374,9 @@
  *
  * This module is required for SSL/TLS.
  */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_TLS_C
+#endif
 
 /**
  * \def MBEDTLS_THREADING_C
@@ -2357,7 +2467,9 @@
  *
  * This module is required for X.509 CRL parsing.
  */
+#ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C
 #define MBEDTLS_X509_CRL_PARSE_C
+#endif
 
 /**
  * \def MBEDTLS_X509_CSR_PARSE_C
@@ -2371,7 +2483,9 @@
  *
  * This module is used for reading X.509 certificate request.
  */
+#ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C
 #define MBEDTLS_X509_CSR_PARSE_C
+#endif
 
 /**
  * \def MBEDTLS_X509_CREATE_C
@@ -2420,7 +2534,9 @@
  * Module:  library/xtea.c
  * Caller:
  */
+#ifdef CONFIG_MBEDTLS_XTEA_C
 #define MBEDTLS_XTEA_C
+#endif
 
 /* \} name SECTION: mbed TLS modules */
diff --git a/examples/protocols/https_request/main/https_request_example_main.c b/examples/protocols/https_request/main/https_request_example_main.c
index bbba449831..a6cac56ca9 100644
--- a/examples/protocols/https_request/main/https_request_example_main.c
+++ b/examples/protocols/https_request/main/https_request_example_main.c
@@ -254,19 +254,24 @@ static void https_get_task(void *pvParameters)
         ESP_LOGI(TAG, "Certificate verified.");
     }
 
+    ESP_LOGI(TAG, "Cipher suite is %s", mbedtls_ssl_get_ciphersuite(&ssl));
+
     ESP_LOGI(TAG, "Writing HTTP request...");
 
-    while((ret = mbedtls_ssl_write(&ssl, (const unsigned char *)REQUEST, strlen(REQUEST))) <= 0)
-    {
-        if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
-        {
+    size_t written_bytes = 0;
+    do {
+        ret = mbedtls_ssl_write(&ssl,
+                                (const unsigned char *)REQUEST + written_bytes,
+                                strlen(REQUEST) - written_bytes);
+        if (ret >= 0) {
+            ESP_LOGI(TAG, "%d bytes written", ret);
+            written_bytes += ret;
+        } else if (ret != MBEDTLS_ERR_SSL_WANT_WRITE && ret != MBEDTLS_ERR_SSL_WANT_READ) {
             ESP_LOGE(TAG, "mbedtls_ssl_write returned -0x%x", -ret);
             goto exit;
         }
-    }
+    } while(written_bytes < strlen(REQUEST));
 
-    len = ret;
-    ESP_LOGI(TAG, "%d bytes written", len);
     ESP_LOGI(TAG, "Reading HTTP response...");
 
     do
@@ -296,7 +301,7 @@ static void https_get_task(void *pvParameters)
         }
 
         len = ret;
-        ESP_LOGI(TAG, "%d bytes read", len);
+        ESP_LOGD(TAG, "%d bytes read", len);
         /* Print response directly to stdout as it is read */
         for(int i = 0; i < len; i++) {
             putchar(buf[i]);
@@ -315,6 +320,11 @@ static void https_get_task(void *pvParameters)
             ESP_LOGE(TAG, "Last error was: -0x%x - %s", -ret, buf);
         }
 
+        putchar('\n'); // JSON output doesn't have a newline at end
+
+        static int request_count;
+        ESP_LOGI(TAG, "Completed %d requests", ++request_count);
+
         for(int countdown = 10; countdown >= 0; countdown--) {
             ESP_LOGI(TAG, "%d...", countdown);
             vTaskDelay(1000 / portTICK_PERIOD_MS);
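Review bot: `strlen(REQUEST)` is recomputed on every pass through the new write loop, once in the length argument to `mbedtls_ssl_write` and again in the `while` condition; hoisting it into `const size_t request_len = strlen(REQUEST);` before the `do` and using `request_len - written_bytes` and `while(written_bytes < request_len)` makes the loop bound visibly invariant and avoids the repeated scans. The `ret >= 0` branch also accepts `ret == 0`, which would log `0 bytes written` and spin without progress if `mbedtls_ssl_write` can ever return 0 for a non-empty buffer; if that cannot happen here a one-line comment saying so would save the next reader the question, otherwise the case should be handled like the retry branch. The `written_bytes += ret;` mix of `int` into `size_t` is fine given the `ret >= 0` guard, but the later `%d` log keeps `ret` as the count rather than `written_bytes`, so the total only appears implicitly through the loop exit. https_get_task begins and ends outside this hunk.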