kopia lustrzana https://github.com/espressif/esp-idf
Merge branch 'bugfix/mbedtls_disable_dhe_by_default' into 'master'
mbedtls: disable Diffie-Hellman key exchange modes by default Closes IDF-1230 See merge request espressif/esp-idf!15642pull/7855/head
commit
268143b732
|
@ -66,8 +66,8 @@ menu "ESP-TLS"
|
|||
bool "Enable PSK verification"
|
||||
select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
|
||||
select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
|
||||
select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
|
||||
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
|
||||
select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
|
||||
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
|
||||
select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
|
||||
default n
|
||||
help
|
||||
|
|
|
@ -426,7 +426,7 @@ menu "mbedTLS"
|
|||
|
||||
config MBEDTLS_KEY_EXCHANGE_DHE_PSK
|
||||
bool "Enable DHE-PSK based ciphersuite modes"
|
||||
depends on MBEDTLS_PSK_MODES
|
||||
depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
|
||||
default y
|
||||
help
|
||||
Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
|
||||
|
@ -454,6 +454,7 @@ menu "mbedTLS"
|
|||
config MBEDTLS_KEY_EXCHANGE_DHE_RSA
|
||||
bool "Enable DHE-RSA based ciphersuite modes"
|
||||
default y
|
||||
depends on MBEDTLS_DHM_C
|
||||
help
|
||||
Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
|
||||
|
||||
|
@ -716,6 +717,16 @@ menu "mbedTLS"
|
|||
bool "Elliptic Curve Ciphers"
|
||||
default y
|
||||
|
||||
config MBEDTLS_DHM_C
|
||||
bool "Diffie-Hellman-Merkle key exchange (DHM)"
|
||||
default n
|
||||
help
|
||||
Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
|
||||
|
||||
Note that the security of Diffie-Hellman key exchanges depends on
|
||||
a suitable prime being used for the exchange. Please see detailed
|
||||
warning text about this in file `mbedtls/dhm.h` file.
|
||||
|
||||
config MBEDTLS_ECDH_C
|
||||
bool "Elliptic Curve Diffie-Hellman (ECDH)"
|
||||
depends on MBEDTLS_ECP_C
|
||||
|
|
|
@ -1,16 +1,8 @@
|
|||
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
/*
|
||||
* SPDX-FileCopyrightText: 2020-2021 Espressif Systems (Shanghai) CO LTD
|
||||
*
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*/
|
||||
|
||||
#include <string.h>
|
||||
#include "esp_mbedtls_dynamic_impl.h"
|
||||
|
@ -471,8 +463,10 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
|
|||
#ifdef CONFIG_MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
|
||||
void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
|
||||
{
|
||||
#ifdef CONFIG_MBEDTLS_DHM_C
|
||||
mbedtls_mpi_free((mbedtls_mpi *)&ssl->conf->dhm_P);
|
||||
mbedtls_mpi_free((mbedtls_mpi *)&ssl->conf->dhm_G);
|
||||
#endif /* CONFIG_MBEDTLS_DHM_C */
|
||||
}
|
||||
|
||||
void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
|
||||
|
|
|
@ -1601,7 +1601,11 @@
|
|||
* This module is used by the following key exchanges:
|
||||
* DHE-RSA, DHE-PSK
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_DHM_C
|
||||
#define MBEDTLS_DHM_C
|
||||
#else
|
||||
#undef MBEDTLS_DHM_C
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_ECDH_C
|
||||
|
|
|
@ -37,3 +37,4 @@ CONFIG_BT_BLE_DYNAMIC_ENV_MEMORY=n
|
|||
CONFIG_BT_SMP_ENABLE=n
|
||||
CONFIG_BT_BLE_BLUFI_ENABLE=y
|
||||
CONFIG_MBEDTLS_HARDWARE_MPI=n
|
||||
CONFIG_MBEDTLS_DHM_C=y
|
||||
|
|
|
@ -1555,7 +1555,6 @@ components/mbedtls/port/aes/esp_aes_common.c
|
|||
components/mbedtls/port/aes/esp_aes_gcm.c
|
||||
components/mbedtls/port/aes/esp_aes_xts.c
|
||||
components/mbedtls/port/crypto_shared_gdma/esp_crypto_shared_gdma.c
|
||||
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c
|
||||
components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
|
||||
components/mbedtls/port/dynamic/esp_ssl_cli.c
|
||||
components/mbedtls/port/dynamic/esp_ssl_srv.c
|
||||
|
|
Ładowanie…
Reference in New Issue