Merge branch 'bugfix/mbedtls_disable_dhe_by_default' into 'master'

mbedtls: disable Diffie-Hellman key exchange modes by default Closes IDF-1230 See merge request espressif/esp-idf!15642
2021-11-03 04:30:30 +00:00 · 2021-11-03 04:30:30 +00:00 · 268143b732
commit 268143b732
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@ -66,8 +66,8 @@ menu "ESP-TLS"
        bool "Enable PSK verification"
        select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
        select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
-        select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
-        select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
+        select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
+        select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
        select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
        default n
        help
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -426,7 +426,7 @@ menu "mbedTLS"

        config MBEDTLS_KEY_EXCHANGE_DHE_PSK
            bool "Enable DHE-PSK based ciphersuite modes"
-            depends on MBEDTLS_PSK_MODES
+            depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
            default y
            help
                Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
@ -454,6 +454,7 @@ menu "mbedTLS"
        config MBEDTLS_KEY_EXCHANGE_DHE_RSA
            bool "Enable DHE-RSA based ciphersuite modes"
            default y
+            depends on MBEDTLS_DHM_C
            help
                Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-

@ -716,6 +717,16 @@ menu "mbedTLS"
        bool  "Elliptic Curve Ciphers"
        default y

+    config MBEDTLS_DHM_C
+        bool "Diffie-Hellman-Merkle key exchange (DHM)"
+        default n
+        help
+            Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
+
+            Note that the security of Diffie-Hellman key exchanges depends on
+            a suitable prime being used for the exchange. Please see detailed
+            warning text about this in file `mbedtls/dhm.h` file.
+
    config MBEDTLS_ECDH_C
        bool "Elliptic Curve Diffie-Hellman (ECDH)"
        depends on MBEDTLS_ECP_C
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
@ -1,16 +1,8 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */

 #include <string.h>
 #include "esp_mbedtls_dynamic_impl.h"
@ -471,8 +463,10 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
 #ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
 void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
 {
+#ifdef CONFIG_MBEDTLS_DHM_C
    mbedtls_mpi_free((mbedtls_mpi *)&ssl->conf->dhm_P);
    mbedtls_mpi_free((mbedtls_mpi *)&ssl->conf->dhm_G);
+#endif /* CONFIG_MBEDTLS_DHM_C */
 }

 void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -1601,7 +1601,11 @@
 * This module is used by the following key exchanges:
 *      DHE-RSA, DHE-PSK
 */
+#ifdef CONFIG_MBEDTLS_DHM_C
 #define MBEDTLS_DHM_C
+#else
+#undef MBEDTLS_DHM_C
+#endif

 /**
 * \def MBEDTLS_ECDH_C
--- a/examples/bluetooth/blufi/sdkconfig.defaults
+++ b/examples/bluetooth/blufi/sdkconfig.defaults
@ -37,3 +37,4 @@ CONFIG_BT_BLE_DYNAMIC_ENV_MEMORY=n
 CONFIG_BT_SMP_ENABLE=n
 CONFIG_BT_BLE_BLUFI_ENABLE=y
 CONFIG_MBEDTLS_HARDWARE_MPI=n
+CONFIG_MBEDTLS_DHM_C=y
--- a/tools/ci/check_copyright_ignore.txt
+++ b/tools/ci/check_copyright_ignore.txt
@ -1555,7 +1555,6 @@ components/mbedtls/port/aes/esp_aes_common.c
 components/mbedtls/port/aes/esp_aes_gcm.c
 components/mbedtls/port/aes/esp_aes_xts.c
 components/mbedtls/port/crypto_shared_gdma/esp_crypto_shared_gdma.c
-components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
 components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
 components/mbedtls/port/dynamic/esp_ssl_cli.c
 components/mbedtls/port/dynamic/esp_ssl_srv.c