mbedtls: Expose compile-time config, disable some things by default

* Disables 3DES, Camellia, Blowfish, RC4, RIPEMD160, SSLv3, TLS-PSK modes, DTLS by default * Saves about 40KB from the default TLS client code size * Defaults no longer get "Bad" howsmyssl.com rating (no more vulnerable 3DES) (ping https://github.com/espressif/arduino-esp32/issues/575 ) * Allows up to another 20-30KB code size to be trimmed without security implications if using DER formatted certificates, RSA ciphersuites only, etc. * Can save up to another 8KB by setting the TLS Role to Server or Client only.
2025-10-18 17:38:09 +00:00 · 2017-08-17 17:15:04 +10:00
parent bfb15c6fc9
commit c0f65f6680
2 changed files with 394 additions and 2 deletions
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -430,7 +430,9 @@
 *
 * Uncomment this macro to remove RC4 ciphersuites by default.
 */
+#ifdef CONFIG_MBEDTLS_RC4_ENABLED
 #define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+#endif

 /**
 * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
@@ -498,7 +500,9 @@
 *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -522,7 +526,9 @@
 *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -542,7 +548,9 @@
 *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -567,7 +575,9 @@
 *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK
 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
@@ -595,7 +605,9 @@
 *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
 *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
@@ -621,7 +633,9 @@
 *      MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
 *      MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -646,7 +660,9 @@
 *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -670,7 +686,9 @@
 *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
@@ -694,7 +712,9 @@
 *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
 *      MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
@@ -718,7 +738,9 @@
 *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256
 *      MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384
 */
+#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+#endif

 /**
 * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -971,7 +993,9 @@
 *
 * Comment this macro to disable support for Encrypt-then-MAC
 */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_ENCRYPT_THEN_MAC
+#endif

 /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 *
@@ -989,7 +1013,9 @@
 *
 * Comment this macro to disable support for Extended Master Secret.
 */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
+#endif

 /**
 * \def MBEDTLS_SSL_FALLBACK_SCSV
@@ -1028,7 +1054,9 @@
 *
 * Comment this macro to disable 1/n-1 record splitting.
 */
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
 #define MBEDTLS_SSL_CBC_RECORD_SPLITTING
+#endif

 /**
 * \def MBEDTLS_SSL_RENEGOTIATION
@@ -1043,7 +1071,9 @@
 *
 * Comment this to disable support for renegotiation.
 */
+#ifdef CONFIG_MBEDTLS_SSL_RENEGOTIATION
 #define MBEDTLS_SSL_RENEGOTIATION
+#endif

 /**
 * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
@@ -1084,7 +1114,9 @@
 *
 * Comment this macro to disable support for SSL 3.0
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
 #define MBEDTLS_SSL_PROTO_SSL3
+#endif

 /**
 * \def MBEDTLS_SSL_PROTO_TLS1
@@ -1096,7 +1128,9 @@
 *
 * Comment this macro to disable support for TLS 1.0
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1
 #define MBEDTLS_SSL_PROTO_TLS1
+#endif

 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_1
@@ -1108,7 +1142,9 @@
 *
 * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_1
 #define MBEDTLS_SSL_PROTO_TLS1_1
+#endif

 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -1120,7 +1156,9 @@
 *
 * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_2
 #define MBEDTLS_SSL_PROTO_TLS1_2
+#endif

 /**
 * \def MBEDTLS_SSL_PROTO_DTLS
@@ -1135,7 +1173,9 @@
 *
 * Comment this macro to disable support for DTLS
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_PROTO_DTLS
+#endif

 /**
 * \def MBEDTLS_SSL_ALPN
@@ -1144,7 +1184,9 @@
 *
 * Comment this macro to disable support for ALPN.
 */
+#ifdef CONFIG_MBEDTLS_SSL_ALPN
 #define MBEDTLS_SSL_ALPN
+#endif

 /**
 * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
@@ -1159,7 +1201,9 @@
 *
 * Comment this to disable anti-replay in DTLS.
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_ANTI_REPLAY
+#endif

 /**
 * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
@@ -1177,7 +1221,9 @@
 *
 * Comment this to disable support for HelloVerifyRequest.
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
+#endif

 /**
 * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
@@ -1193,7 +1239,9 @@
 *
 * Comment this to disable support for clients reusing the source port.
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+#endif

 /**
 * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
@@ -1204,7 +1252,9 @@
 *
 * Requires: MBEDTLS_SSL_PROTO_DTLS
 */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_DTLS
 #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+#endif

 /**
 * \def MBEDTLS_SSL_SESSION_TICKETS
@@ -1218,7 +1268,9 @@
 *
 * Comment this macro to disable support for SSL session tickets
 */
+#ifdef CONFIG_MBEDTLS_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_SESSION_TICKETS
+#endif

 /**
 * \def MBEDTLS_SSL_EXPORT_KEYS
@@ -1461,7 +1513,9 @@
 *
 * PEM_PARSE uses AES for decrypting encrypted keys.
 */
+#ifdef CONFIG_MBEDTLS_AES_C
 #define MBEDTLS_AES_C
+#endif

 /**
 * \def MBEDTLS_ARC4_C
@@ -1484,7 +1538,9 @@
 *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
 *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
 */
+#if defined(CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT) || defined(CONFIG_MBEDTLS_RC4_ENABLED)
 #define MBEDTLS_ARC4_C
+#endif

 /**
 * \def MBEDTLS_ASN1_PARSE_C
@@ -1549,7 +1605,9 @@
 *
 * Module:  library/blowfish.c
 */
+#ifdef CONFIG_MBEDTLS_BLOWFISH_C
 #define MBEDTLS_BLOWFISH_C
+#endif

 /**
 * \def MBEDTLS_CAMELLIA_C
@@ -1604,7 +1662,9 @@
 *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
 *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
 */
+#ifdef CONFIG_MBEDTLS_CAMELLIA_C
 #define MBEDTLS_CAMELLIA_C
+#endif

 /**
 * \def MBEDTLS_CCM_C
@@ -1618,7 +1678,9 @@
 * This module enables the AES-CCM ciphersuites, if other requisites are
 * enabled as well.
 */
+#ifdef CONFIG_MBEDTLS_CCM_C
 #define MBEDTLS_CCM_C
+#endif

 /**
 * \def MBEDTLS_CERTS_C
@@ -1698,7 +1760,9 @@
 *
 * PEM_PARSE uses DES/3DES for decrypting encrypted keys.
 */
+#ifdef CONFIG_MBEDTLS_DES_C
 #define MBEDTLS_DES_C
+#endif

 /**
 * \def MBEDTLS_DHM_C
@@ -1816,7 +1880,9 @@
 * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
 * requisites are enabled as well.
 */
+#ifdef CONFIG_MBEDTLS_GCM_C
 #define MBEDTLS_GCM_C
+#endif

 /**
 * \def MBEDTLS_HAVEGE_C
@@ -1986,7 +2052,9 @@
 *
 * This modules adds support for decoding / parsing PEM files.
 */
+#ifdef CONFIG_MBEDTLS_PEM_PARSE_C
 #define MBEDTLS_PEM_PARSE_C
+#endif

 /**
 * \def MBEDTLS_PEM_WRITE_C
@@ -2002,7 +2070,9 @@
 *
 * This modules adds support for encoding / writing PEM files.
 */
+#ifdef CONFIG_MBEDTLS_PEM_WRITE_C
 #define MBEDTLS_PEM_WRITE_C
+#endif

 /**
 * \def MBEDTLS_PK_C
@@ -2122,7 +2192,9 @@
 * Caller:  library/mbedtls_md.c
 *
 */
+#ifdef CONFIG_MBEDTLS_RIPEMD160_C
 #define MBEDTLS_RIPEMD160_C
+#endif

 /**
 * \def MBEDTLS_RSA_C
@@ -2236,7 +2308,9 @@
 *
 * This module is required for SSL/TLS client support.
 */
+#ifdef CONFIG_MBEDTLS_TLS_CLIENT
 #define MBEDTLS_SSL_CLI_C
+#endif

 /**
 * \def MBEDTLS_SSL_SRV_C
@@ -2250,7 +2324,9 @@
 *
 * This module is required for SSL/TLS server support.
 */
+#ifdef CONFIG_MBEDTLS_TLS_SERVER
 #define MBEDTLS_SSL_SRV_C
+#endif

 /**
 * \def MBEDTLS_SSL_TLS_C
@@ -2266,7 +2342,9 @@
 *
 * This module is required for SSL/TLS.
 */
+#ifdef CONFIG_MBEDTLS_TLS_ENABLED
 #define MBEDTLS_SSL_TLS_C
+#endif

 /**
 * \def MBEDTLS_THREADING_C
@@ -2357,7 +2435,9 @@
 *
 * This module is required for X.509 CRL parsing.
 */
+#ifdef CONFIG_MBEDTLS_X509_CRL_PARSE_C
 #define MBEDTLS_X509_CRL_PARSE_C
+#endif

 /**
 * \def MBEDTLS_X509_CSR_PARSE_C
@@ -2371,7 +2451,9 @@
 *
 * This module is used for reading X.509 certificate request.
 */
+#ifdef CONFIG_MBEDTLS_X509_CSR_PARSE_C
 #define MBEDTLS_X509_CSR_PARSE_C
+#endif

 /**
 * \def MBEDTLS_X509_CREATE_C
@@ -2420,7 +2502,9 @@
 * Module:  library/xtea.c
 * Caller:
 */
+#ifdef CONFIG_MBEDTLS_XTEA_C
 #define MBEDTLS_XTEA_C
+#endif

 /* \} name SECTION: mbed TLS modules */