alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2025-08-08 04:02:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

mbedtls: disable Diffie-Hellman key exchange modes by default

Browse Source 
Using these ciphers can constitute a security risk if the server
uses a weak prime for the key exchange.

Footprint impact:
Roughly 3K saved in text+rodata in default https_request example
This commit is contained in:
Mahavir Jain
2021-10-25 18:35:50 +05:30
committed by bot
parent 4e5648ea98
commit 8c9a3da695
3 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
components/esp-tls/Kconfig
View File

@@ -66,8 +66,8 @@ menu "ESP-TLS"
bool "Enable PSK verification" bool "Enable PSK verification"
select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
default n default n
help help

13
components/mbedtls/Kconfig
View File

@@ -426,7 +426,7 @@ menu "mbedTLS"
config MBEDTLS_KEY_EXCHANGE_DHE_PSK config MBEDTLS_KEY_EXCHANGE_DHE_PSK
bool "Enable DHE-PSK based ciphersuite modes" bool "Enable DHE-PSK based ciphersuite modes"
depends on MBEDTLS_PSK_MODES depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
default y default y
help help
Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
@@ -454,6 +454,7 @@ menu "mbedTLS"
config MBEDTLS_KEY_EXCHANGE_DHE_RSA config MBEDTLS_KEY_EXCHANGE_DHE_RSA
bool "Enable DHE-RSA based ciphersuite modes" bool "Enable DHE-RSA based ciphersuite modes"
default y default y
depends on MBEDTLS_DHM_C
help help
Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH- Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
@@ -716,6 +717,16 @@ menu "mbedTLS"
bool "Elliptic Curve Ciphers" bool "Elliptic Curve Ciphers"
default y default y
config MBEDTLS_DHM_C
bool "Diffie-Hellman-Merkle key exchange (DHM)"
default n
help
Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
Note that the security of Diffie-Hellman key exchanges depends on
a suitable prime being used for the exchange. Please see detailed
warning text about this in file `mbedtls/dhm.h` file.
config MBEDTLS_ECDH_C config MBEDTLS_ECDH_C
bool "Elliptic Curve Diffie-Hellman (ECDH)" bool "Elliptic Curve Diffie-Hellman (ECDH)"
depends on MBEDTLS_ECP_C depends on MBEDTLS_ECP_C

4
components/mbedtls/port/include/mbedtls/esp_config.h
View File

@@ -1601,7 +1601,11 @@
* This module is used by the following key exchanges: * This module is used by the following key exchanges:
* DHE-RSA, DHE-PSK * DHE-RSA, DHE-PSK
*/ */
#ifdef CONFIG_MBEDTLS_DHM_C
#define MBEDTLS_DHM_C #define MBEDTLS_DHM_C
#else
#undef MBEDTLS_DHM_C
#endif
/** /**
* \def MBEDTLS_ECDH_C * \def MBEDTLS_ECDH_C