mbedtls: Add more config options to disable Elliptic Curve features

Can save up to an additional 20KB when not using EC in TLS, or disable unwanted features as needed.
2017-08-18 17:44:33 +10:00 · 2017-08-18 17:44:33 +10:00 · 66ad84d318
commit 66ad84d318
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -195,6 +195,7 @@ config MBEDTLS_KEY_EXCHANGE_DHE_RSA

 config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
   bool "Support Elliptic Curve based ciphersuites"
+   depends on MBEDTLS_ECP_C
   default y
   help
       Enable to show Elliptic Curve based ciphersuite mode options.
@ -205,35 +206,35 @@ config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE

 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
   bool "Enable ECDHE-RSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
   default y
   help
       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-

 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
   bool "Enable ECDHE-ECDSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
   default y
   help
       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-

 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
   bool "Enable ECDHE-ECDSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
   default y
   help
       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-

 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
   bool "Enable ECDH-ECDSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
   default y
   help
       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-

 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA
   bool "Enable ECDH-RSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
   default y
   help
       Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
@ -410,4 +411,117 @@ config MBEDTLS_X509_CSR_PARSE_C

 endmenu # Certificates

+menuconfig MBEDTLS_ECP_C
+    bool  "Elliptic Curve Ciphers"
+    default y
+
+config MBEDTLS_ECDH_C
+    bool "Elliptic Curve Diffie-Hellman (ECDH)"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites.
+
+config MBEDTLS_ECDSA_C
+    bool "Elliptic Curve DSA"
+    depends on MBEDTLS_ECDH_C
+    default y
+    help
+        Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites.
+
+config MBEDTLS_ECP_DP_SECP192R1_ENABLED
+    bool "Enable SECP192R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224R1_ENABLED
+    bool "Enable SECP224R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    bool "Enable SECP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP384R1_ENABLED
+    bool "Enable SECP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP384R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP521R1_ENABLED
+    bool "Enable SECP521R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP521R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP192K1_ENABLED
+    bool "Enable SECP192K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224K1_ENABLED
+    bool "Enable SECP224K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256K1_ENABLED
+    bool "Enable SECP256K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP256R1_ENABLED
+    bool "Enable BP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP384R1_ENABLED
+    bool "Enable BP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP512R1_ENABLED
+    bool "Enable BP512R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_CURVE25519_ENABLED
+    bool "Enable CURVE25519 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for CURVE25519 Elliptic Curve.
+
+config MBEDTLS_ECP_NIST_OPTIM
+    bool "NIST 'modulo p' optimisations"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        NIST 'modulo p' optimisations increase Elliptic Curve operation performance.
+
+        Disabling this option saves some code size.
+
+# end of Elliptic Curve options
+
 endmenu  # mbedTLS
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -442,18 +442,42 @@
 *
 * Comment macros to disable the curve and functions for it
 */
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED
 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif

 /**
 * \def MBEDTLS_ECP_NIST_OPTIM
@ -464,7 +488,9 @@
 *
 * Comment this macro to disable NIST curves optimisation.
 */
+#ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM
 #define MBEDTLS_ECP_NIST_OPTIM
+#endif

 /**
 * \def MBEDTLS_ECDSA_DETERMINISTIC
@ -1792,7 +1818,9 @@
 *
 * Requires: MBEDTLS_ECP_C
 */
+#ifdef CONFIG_MBEDTLS_ECDH_C
 #define MBEDTLS_ECDH_C
+#endif

 /**
 * \def MBEDTLS_ECDSA_C
@ -1807,7 +1835,9 @@
 *
 * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
 */
+#ifdef CONFIG_MBEDTLS_ECDSA_C
 #define MBEDTLS_ECDSA_C
+#endif

 /**
 * \def MBEDTLS_ECJPAKE_C
@ -1840,7 +1870,9 @@
 *
 * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
 */
+#ifdef CONFIG_MBEDTLS_ECP_C
 #define MBEDTLS_ECP_C
+#endif

 /**
 * \def MBEDTLS_ENTROPY_C