From ca3daa50de3157e3b64802e1a2b03cbf488183bd Mon Sep 17 00:00:00 2001
From: Shubham Kulkarni
Date: Thu, 23 Apr 2020 11:41:24 +0530
Subject: [PATCH] mbedtls: Add configuration options

---
 components/mbedtls/Kconfig | 34 ++++++++++
 .../mbedtls/port/include/mbedtls/esp_config.h | 64 +++++++++++++++++++
 2 files changed, 98 insertions(+)

diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index 475a4858b..c92859f88 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -266,6 +266,19 @@ menu "mbedTLS" It is suggested that you should get the real time by "SNTP". + config MBEDTLS_ECDSA_DETERMINISTIC + bool "Enable deterministic ECDSA" + default y + help + Standard ECDSA is "fragile" in the sense that lack of entropy when signing + may result in a compromise of the long-term signing key. + config MBEDTLS_SHA512_C + bool "Enable the SHA-384 and SHA-512 cryptographic hash algorithms" + default y + help + Enable MBEDTLS_SHA512_C adds support for SHA-384 and SHA-512. + choice MBEDTLS_TLS_MODE bool "TLS Protocol Role" default MBEDTLS_TLS_SERVER_AND_CLIENT
@@ -721,6 +734,27 @@ menu "mbedTLS" Enable support for the Hashed Message Authentication Code (HMAC)-based key derivation function (HKDF). + config MBEDTLS_THREADING_C + bool "Enable the threading abstraction layer" + default n + help + If you do intend to use contexts between threads, you will need to enable + this layer to prevent race conditions. + config MBEDTLS_THREADING_ALT + bool "Enable threading alternate implementation" + depends on MBEDTLS_THREADING_C + default y + help + Enable threading alt to allow your own alternate threading implementation. + config MBEDTLS_THREADING_PTHREAD + bool "Enable threading pthread implementation" + depends on MBEDTLS_THREADING_C + default n + help + Enable the pthread wrapper layer for the threading layer. + menuconfig MBEDTLS_SECURITY_RISKS bool "Show configurations with potential security risks" default n
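Review bot: The new MBEDTLS_SHA512_C option can be switched off, but its help text does not say what that costs: mbedTLS implements SHA-384 inside the SHA-512 module, so disabling it also removes every TLS 1.2 ciphersuite that uses a SHA-384 PRF/MAC and the ability to verify certificates signed with SHA-384 or SHA-512, and the option sits outside the MBEDTLS_SECURITY_RISKS menu where someone auditing an sdkconfig would look for such trade-offs. I would extend the help with `Disabling this also removes SHA-384; TLS ciphersuites and certificate signatures based on SHA-384/512 will no longer work.` and fix the sentence to `Enabling MBEDTLS_SHA512_C adds support for SHA-384 and SHA-512.`. The MBEDTLS_ECDSA_DETERMINISTIC help explains why deterministic signing exists but not the consequence of the `n` setting, which is that every ECDSA signature then depends on the quality of the entropy source at signing time, so a second sentence such as `When disabled, ECDSA signatures rely entirely on the RNG; a weak or repeated nonce can expose the private key.` belongs there. Upstream mbedTLS also requires MBEDTLS_HMAC_DRBG_C for deterministic ECDSA, so if this component has a Kconfig symbol for HMAC_DRBG the new option should `depends on`/`select` it to keep the generated config buildable.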
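Review bot: MBEDTLS_THREADING_ALT and MBEDTLS_THREADING_PTHREAD are two independent bools under MBEDTLS_THREADING_C, so a user can enable both or neither, and as far as I recall mbedTLS's check_config.h rejects both of those combinations (MBEDTLS_THREADING_C requires exactly one implementation), which is what the doc comment added to esp_config.h in this same patch ("You will have to enable either MBEDTLS_THREADING_ALT or MBEDTLS_THREADING_PTHREAD") also states. Modelling them as a `choice` that `depends on MBEDTLS_THREADING_C`, with the ALT implementation as the default, enforces that at configure time rather than as a compile error. The MBEDTLS_THREADING_ALT help should additionally say that the port has to provide the `threading_alt.h` mutex definitions, since nothing in this patch adds one and selecting the option without it will not build; the sentence `If you do intend to use contexts between threads, ...` also reads better without the leading "If you do", e.g. `Enable this layer when mbedTLS contexts are shared between tasks; without it concurrent use is a race condition.`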
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index b3442b7b0..4f522d37d 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -400,7 +400,11 @@
  *
  * Comment this macro to disable deterministic ECDSA.
  */
+#ifdef CONFIG_MBEDTLS_ECDSA_DETERMINISTIC
 #define MBEDTLS_ECDSA_DETERMINISTIC
+#else
+#undef MBEDTLS_ECDSA_DETERMINISTIC
+#endif
 
 /**
  * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
@@ -2028,7 +2032,11 @@
  *
  * This module adds support for SHA-384 and SHA-512.
  */
+#ifdef CONFIG_MBEDTLS_SHA512_C
 #define MBEDTLS_SHA512_C
+#else
+#undef MBEDTLS_SHA512_C
+#endif
 
 /**
  * \def MBEDTLS_SSL_CACHE_C
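Review bot: The doc comment kept above the new `#ifdef CONFIG_MBEDTLS_ECDSA_DETERMINISTIC` still ends with `Comment this macro to disable deterministic ECDSA.`, which no longer describes how the setting is controlled now that the define is selected by the generated sdkconfig; a reader editing this header to turn it off would have the change silently overridden. Replace that line with ` * Controlled by CONFIG_MBEDTLS_ECDSA_DETERMINISTIC in Kconfig; edit the project configuration, not this header.` and, since the same copied-from-upstream instruction appears as `Uncomment this to ...` in the threading block later in this patch, apply the same wording there. The `#else` / `#undef` branch itself matches the pattern this header already uses for other CONFIG_-driven options, so no change is needed to the preprocessor logic; it would be worth a one-line note that disabling deterministic ECDSA makes ECDSA signing depend on the RNG supplied to mbedtls_ecdsa_write_signature, which is the risk the Kconfig help alludes to.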
@@ -2370,6 +2378,62 @@
  */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
+/**
+ * \def MBEDTLS_THREADING_C
+ *
+ * Enable the threading abstraction layer.
+ * By default mbed TLS assumes it is used in a non-threaded environment or that
+ * contexts are not shared between threads. If you do intend to use contexts
+ * between threads, you will need to enable this layer to prevent race
+ * conditions. See also our Knowledge Base article about threading:
+ * https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
+ *
+ * Module: library/threading.c
+ *
+ * This allows different threading implementations (self-implemented or
+ * provided).
+ *
+ * You will have to enable either MBEDTLS_THREADING_ALT or
+ * MBEDTLS_THREADING_PTHREAD.
+ *
+ * Enable this layer to allow use of mutexes within mbed TLS
+ */
+#ifdef CONFIG_MBEDTLS_THREADING_C
+#define MBEDTLS_THREADING_C
+#else
+#undef MBEDTLS_THREADING_C
+#endif
+
+/**
+ * \def MBEDTLS_THREADING_ALT
+ *
+ * Provide your own alternate threading implementation.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to allow your own alternate threading implementation.
+ */
+#ifdef CONFIG_MBEDTLS_THREADING_ALT
+#define MBEDTLS_THREADING_ALT
+#else
+#undef MBEDTLS_THREADING_ALT
+#endif
+
+/**
+ * \def MBEDTLS_THREADING_PTHREAD
+ *
+ * Enable the pthread wrapper layer for the threading layer.
+ *
+ * Requires: MBEDTLS_THREADING_C
+ *
+ * Uncomment this to enable pthread mutexes.
+ */
+#ifdef CONFIG_MBEDTLS_THREADING_PTHREAD
+#define MBEDTLS_THREADING_PTHREAD
+#else
+#undef MBEDTLS_THREADING_PTHREAD
+#endif
+
 /* \} name SECTION: Module configuration options */
 
 #if defined(TARGET_LIKE_MBED)
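Review bot: Enabling MBEDTLS_THREADING_ALT from menuconfig makes mbedTLS include a port-supplied `threading_alt.h` that defines `mbedtls_threading_mutex_t`, and the application must then register its mutex callbacks with `mbedtls_threading_set_alt()` before any context is shared between tasks; this hunk only defines the macro and nothing in the patch adds that header, so either the MBEDTLS_THREADING_ALT comment should name where the port provides it, or the define should stay guarded until it does, otherwise the default-y Kconfig choice from the first file yields a build break. The `#ifdef`/`#undef` blocks also do not enforce the mutual exclusion the copied text describes ("You will have to enable either MBEDTLS_THREADING_ALT or MBEDTLS_THREADING_PTHREAD"); a `#if defined(MBEDTLS_THREADING_ALT) && defined(MBEDTLS_THREADING_PTHREAD)` / `#error` guard after the third block would turn an obscure check_config failure into a clear message. Finally, the two `Uncomment this to ...` lines and the Knowledge Base URL are upstream config.h wording that does not apply to a generated config; replace each with ` * Controlled by CONFIG_MBEDTLS_THREADING_ALT in Kconfig.` (and the PTHREAD equivalent) so readers are pointed at the real switch.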