mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
Merge branch 'feature/mbedtls-3.3.0' into 'master'
mbedtls: Update to v3.3.0 Closes IDF-6536 See merge request espressif/esp-idf!21897
This commit is contained in:
commit
4f67662cab
@ -179,10 +179,26 @@ menu "mbedTLS"
|
||||
select MBEDTLS_HKDF_C
|
||||
default n
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
bool "Enable TLS 1.3 middlebox compatibility mode"
|
||||
menu "TLS 1.3 related configurations"
|
||||
depends on MBEDTLS_SSL_PROTO_TLS1_3
|
||||
default y
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
bool "TLS 1.3 middlebox compatibility mode"
|
||||
default y
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_KEXM_PSK
|
||||
bool "TLS 1.3 PSK key exchange mode"
|
||||
default y
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_KEXM_EPHEMERAL
|
||||
bool "TLS 1.3 ephemeral key exchange mode"
|
||||
default y
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_KEXM_PSK_EPHEMERAL
|
||||
bool "TLS 1.3 PSK ephemeral key exchange mode"
|
||||
default y
|
||||
|
||||
endmenu
|
||||
|
||||
config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
|
||||
bool "Variable SSL buffer length"
|
||||
@ -212,6 +228,7 @@ menu "mbedTLS"
|
||||
config MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
bool "Enable serialization of the TLS context structures"
|
||||
default n
|
||||
depends on MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
|
||||
help
|
||||
Enable serialization of the TLS context structures
|
||||
This is a local optimization in handling a single, potentially long-lived connection.
|
||||
@ -230,17 +247,14 @@ menu "mbedTLS"
|
||||
See mbedTLS documentation for required API and more details.
|
||||
|
||||
menu "DTLS-based configurations"
|
||||
visible if MBEDTLS_SSL_PROTO_DTLS
|
||||
depends on MBEDTLS_SSL_PROTO_DTLS
|
||||
|
||||
config MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
bool "Support for the DTLS Connection ID extension"
|
||||
depends on MBEDTLS_SSL_PROTO_DTLS
|
||||
default n
|
||||
help
|
||||
Enable support for the DTLS Connection ID extension which allows to
|
||||
identify DTLS connections across changes in the underlying transport.
|
||||
The Connection ID extension is still in draft state.
|
||||
Refer: version draft-ietf-tls-dtls-connection-id-05
|
||||
|
||||
config MBEDTLS_SSL_CID_IN_LEN_MAX
|
||||
int "Maximum length of CIDs used for incoming DTLS messages"
|
||||
@ -276,7 +290,6 @@ menu "mbedTLS"
|
||||
|
||||
config MBEDTLS_SSL_DTLS_SRTP
|
||||
bool "Enable support for negotiation of DTLS-SRTP (RFC 5764)"
|
||||
depends on MBEDTLS_SSL_PROTO_DTLS
|
||||
default n
|
||||
help
|
||||
Enable support for negotiation of DTLS-SRTP (RFC 5764) through the use_srtp extension.
|
||||
@ -702,7 +715,7 @@ menu "mbedTLS"
|
||||
config MBEDTLS_SERVER_SSL_SESSION_TICKETS
|
||||
bool "TLS: Server Support for RFC 5077 SSL session tickets"
|
||||
default y
|
||||
depends on MBEDTLS_TLS_ENABLED
|
||||
depends on MBEDTLS_TLS_ENABLED && (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
|
||||
help
|
||||
Server support for RFC 5077 session tickets. See mbedTLS documentation for more details.
|
||||
Disabling this option will save some code size.
|
||||
|
@ -1 +1 @@
|
||||
Subproject commit 7b428b1bf260ce1fec4e3ffb6494070d439a3a67
|
||||
Subproject commit e39975969d548572a39875ad29abd88b23285f94
|
@ -35,7 +35,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
||||
if( ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC &&
|
||||
ssl->handshake->new_session_ticket != 0 )
|
||||
{
|
||||
ssl->state = MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET;
|
||||
ssl->state = MBEDTLS_SSL_NEW_SESSION_TICKET;
|
||||
}
|
||||
#endif
|
||||
|
||||
@ -158,7 +158,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
||||
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
|
||||
case MBEDTLS_SSL_NEW_SESSION_TICKET:
|
||||
if (add) {
|
||||
CHECK_OK(esp_mbedtls_add_rx_buffer(ssl));
|
||||
} else {
|
||||
|
@ -49,7 +49,7 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
|
||||
mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
|
||||
mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len );
|
||||
#endif
|
||||
}
|
||||
|
||||
@ -62,8 +62,8 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
|
||||
mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
mbedtls_sha512_init( &handshake->fin_sha512 );
|
||||
mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
|
||||
mbedtls_sha512_init( &handshake->fin_sha384 );
|
||||
mbedtls_sha512_starts( &handshake->fin_sha384, 1 );
|
||||
#endif
|
||||
|
||||
handshake->update_checksum = ssl_update_checksum_start;
|
||||
|
@ -43,7 +43,16 @@
|
||||
* The time does not need to be correct, only time differences are used,
|
||||
* by contrast with MBEDTLS_HAVE_TIME_DATE
|
||||
*
|
||||
* Comment if your system does not support time functions
|
||||
* Defining MBEDTLS_HAVE_TIME allows you to specify MBEDTLS_PLATFORM_TIME_ALT,
|
||||
* MBEDTLS_PLATFORM_TIME_MACRO, MBEDTLS_PLATFORM_TIME_TYPE_MACRO and
|
||||
* MBEDTLS_PLATFORM_STD_TIME.
|
||||
*
|
||||
* Comment if your system does not support time functions.
|
||||
*
|
||||
* \note If MBEDTLS_TIMING_C is set - to enable the semi-portable timing
|
||||
* interface - timing.c will include time.h on suitable platforms
|
||||
* regardless of the setting of MBEDTLS_HAVE_TIME, unless
|
||||
* MBEDTLS_TIMING_ALT is used. See timing.c for more information.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_HAVE_TIME
|
||||
#define MBEDTLS_HAVE_TIME
|
||||
@ -358,7 +367,7 @@
|
||||
*
|
||||
* Module: library/cmac.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C or MBEDTLS_DES_C
|
||||
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_CMAC_C
|
||||
@ -878,19 +887,15 @@
|
||||
/**
|
||||
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
*
|
||||
* Enable support for the DTLS Connection ID extension
|
||||
* (version draft-ietf-tls-dtls-connection-id-05,
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
|
||||
* Enable support for the DTLS Connection ID (CID) extension,
|
||||
* which allows to identify DTLS connections across changes
|
||||
* in the underlying transport.
|
||||
* in the underlying transport. The CID functionality is described
|
||||
* in RFC 9146.
|
||||
*
|
||||
* Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
|
||||
* `mbedtls_ssl_get_peer_cid()` and `mbedtls_ssl_conf_cid()`.
|
||||
* See the corresponding documentation for more information.
|
||||
*
|
||||
* \warning The Connection ID extension is still in draft state.
|
||||
* We make no stability promises for the availability
|
||||
* or the shape of the API controlled by this option.
|
||||
* mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and
|
||||
* `mbedtls_ssl_conf_cid()`. See the corresponding documentation for
|
||||
* more information.
|
||||
*
|
||||
* The maximum lengths of outgoing and incoming CIDs can be configured
|
||||
* through the options
|
||||
@ -907,6 +912,28 @@
|
||||
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
|
||||
*
|
||||
* Defines whether RFC 9146 (default) or the legacy version
|
||||
* (version draft-ietf-tls-dtls-connection-id-05,
|
||||
* https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
|
||||
* is used.
|
||||
*
|
||||
* Set the value to 0 for the standard version, and
|
||||
* 1 for the legacy draft version.
|
||||
*
|
||||
* \deprecated Support for the legacy version of the DTLS
|
||||
* Connection ID feature is deprecated. Please
|
||||
* switch to the standardized version defined
|
||||
* in RFC 9146 enabled by utilizing
|
||||
* MBEDTLS_SSL_DTLS_CONNECTION_ID without use
|
||||
* of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||
*/
|
||||
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
*
|
||||
@ -930,6 +957,8 @@
|
||||
* saved after the handshake to allow for more efficient serialization, so if
|
||||
* you don't need this feature you'll save RAM by disabling it.
|
||||
*
|
||||
* Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
|
||||
*
|
||||
* Comment to disable the context serialization APIs.
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION
|
||||
@ -963,7 +992,7 @@
|
||||
* Enable support for RFC 7627: Session Hash and Extended Master Secret
|
||||
* Extension.
|
||||
*
|
||||
* This was introduced as "the proper fix" to the Triple Handshake familiy of
|
||||
* This was introduced as "the proper fix" to the Triple Handshake family of
|
||||
* attacks, but it is recommended to always use it (even if you disable
|
||||
* renegotiation), since it actually fixes a more fundamental issue in the
|
||||
* original SSL/TLS design, and has implications beyond Triple Handshake.
|
||||
@ -1011,7 +1040,9 @@
|
||||
* \note This option has no influence on the protection against the
|
||||
* triple handshake attack. Even if it is disabled, Mbed TLS will
|
||||
* still ensure that certificates do not change during renegotiation,
|
||||
* for exaple by keeping a hash of the peer's certificate.
|
||||
* for example by keeping a hash of the peer's certificate.
|
||||
*
|
||||
* \note This option is required if MBEDTLS_SSL_PROTO_TLS1_3 is set.
|
||||
*
|
||||
* Comment this macro to disable storing the peer's certificate
|
||||
* after the handshake.
|
||||
@ -1100,6 +1131,8 @@
|
||||
* See docs/architecture/tls13-support.md for a description of the TLS
|
||||
* 1.3 support that this option enables.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
*
|
||||
* Uncomment this macro to enable the support for TLS 1.3.
|
||||
*
|
||||
*/
|
||||
@ -1135,6 +1168,134 @@
|
||||
#undef MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
*
|
||||
* Enable TLS 1.3 PSK key exchange mode.
|
||||
*
|
||||
* Comment to disable support for the PSK key exchange mode in TLS 1.3. If
|
||||
* MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
|
||||
* effect on the build.
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
#else
|
||||
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
*
|
||||
* Enable TLS 1.3 ephemeral key exchange mode.
|
||||
*
|
||||
* Requires: MBEDTLS_ECDH_C, MBEDTLS_X509_CRT_PARSE_C, MBEDTLS_ECDSA_C or
|
||||
* MBEDTLS_PKCS1_V21
|
||||
*
|
||||
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
|
||||
* If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
|
||||
* effect on the build.
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_EPHEMERAL
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
#else
|
||||
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
*
|
||||
* Enable TLS 1.3 PSK ephemeral key exchange mode.
|
||||
*
|
||||
* Requires: MBEDTLS_ECDH_C
|
||||
*
|
||||
* Comment to disable support for the PSK ephemeral key exchange mode in
|
||||
* TLS 1.3. If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not
|
||||
* have any effect on the build.
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_KEXM_PSK_EPHEMERAL
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
#else
|
||||
#undef MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
#endif
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE
|
||||
*
|
||||
* Maximum time difference in milliseconds tolerated between the age of a
|
||||
* ticket from the server and client point of view.
|
||||
* From the client point of view, the age of a ticket is the time difference
|
||||
* between the time when the client proposes to the server to use the ticket
|
||||
* (time of writing of the Pre-Shared Key Extension including the ticket) and
|
||||
* the time the client received the ticket from the server.
|
||||
* From the server point of view, the age of a ticket is the time difference
|
||||
* between the time when the server receives a proposition from the client
|
||||
* to use the ticket and the time when the ticket was created by the server.
|
||||
* The server age is expected to be always greater than the client one and
|
||||
* MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE defines the
|
||||
* maximum difference tolerated for the server to accept the ticket.
|
||||
* This is not used in TLS 1.2.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE 6000
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH
|
||||
*
|
||||
* Size in bytes of a ticket nonce. This is not used in TLS 1.2.
|
||||
*
|
||||
* This must be less than 256.
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH 32
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS
|
||||
*
|
||||
* Default number of NewSessionTicket messages to be sent by a TLS 1.3 server
|
||||
* after handshake completion. This is not used in TLS 1.2 and relevant only if
|
||||
* the MBEDTLS_SSL_SESSION_TICKETS option is enabled.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_EARLY_DATA
|
||||
*
|
||||
* Enable support for RFC 8446 TLS 1.3 early data.
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
|
||||
* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
|
||||
* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
*
|
||||
* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
|
||||
* is not enabled, this option does not have any effect on the build.
|
||||
*
|
||||
* This feature is experimental, not completed and thus not ready for
|
||||
* production.
|
||||
*
|
||||
*/
|
||||
//#define MBEDTLS_SSL_EARLY_DATA
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_MAX_EARLY_DATA_SIZE
|
||||
*
|
||||
* The default maximum amount of 0-RTT data. See the documentation of
|
||||
* \c mbedtls_ssl_tls13_conf_max_early_data_size() for more information.
|
||||
*
|
||||
* It must be positive and smaller than UINT32_MAX.
|
||||
*
|
||||
* If MBEDTLS_SSL_EARLY_DATA is not defined, this default value does not
|
||||
* have any impact on the build.
|
||||
*
|
||||
* This feature is experimental, not completed and thus not ready for
|
||||
* production.
|
||||
*
|
||||
*/
|
||||
#define MBEDTLS_SSL_MAX_EARLY_DATA_SIZE 1024
|
||||
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SSL_PROTO_DTLS
|
||||
*
|
||||
@ -1489,10 +1650,14 @@
|
||||
* Enable the multi-precision integer library.
|
||||
*
|
||||
* Module: library/bignum.c
|
||||
* library/bignum_core.c
|
||||
* library/bignum_mod.c
|
||||
* library/bignum_mod_raw.c
|
||||
* Caller: library/dhm.c
|
||||
* library/ecp.c
|
||||
* library/ecdsa.c
|
||||
* library/rsa.c
|
||||
* library/rsa_alt_helpers.c
|
||||
* library/ssl_tls.c
|
||||
*
|
||||
* This module is required for RSA, DHM and ECC (ECDH, ECDSA) support.
|
||||
@ -1578,7 +1743,8 @@
|
||||
*
|
||||
* Module: library/ccm.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C
|
||||
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
|
||||
* MBEDTLS_ARIA_C
|
||||
*
|
||||
* This module enables the AES-CCM ciphersuites, if other requisites are
|
||||
* enabled as well.
|
||||
@ -1635,7 +1801,17 @@
|
||||
* Enable the generic cipher layer.
|
||||
*
|
||||
* Module: library/cipher.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* Caller: library/ccm.c
|
||||
* library/cmac.c
|
||||
* library/gcm.c
|
||||
* library/nist_kw.c
|
||||
* library/pkcs12.c
|
||||
* library/pkcs5.c
|
||||
* library/psa_crypto_aead.c
|
||||
* library/psa_crypto_mac.c
|
||||
* library/ssl_ciphersuites.c
|
||||
* library/ssl_msg.c
|
||||
* library/ssl_ticket.c (unless MBEDTLS_USE_PSA_CRYPTO is enabled)
|
||||
*
|
||||
* Uncomment to enable generic cipher wrappers.
|
||||
*/
|
||||
@ -1661,9 +1837,10 @@
|
||||
* Enable the debug functions.
|
||||
*
|
||||
* Module: library/debug.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* Caller: library/ssl_msg.c
|
||||
* library/ssl_tls.c
|
||||
* library/ssl_tls12_*.c
|
||||
* library/ssl_tls13_*.c
|
||||
*
|
||||
* This module provides debugging functions.
|
||||
*/
|
||||
@ -1709,8 +1886,9 @@
|
||||
* Enable the Diffie-Hellman-Merkle module.
|
||||
*
|
||||
* Module: library/dhm.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* library/ssl*_client.c
|
||||
* library/ssl*_server.c
|
||||
*
|
||||
* This module is used by the following key exchanges:
|
||||
* DHE-RSA, DHE-PSK
|
||||
@ -1727,8 +1905,10 @@
|
||||
* Enable the elliptic curve Diffie-Hellman library.
|
||||
*
|
||||
* Module: library/ecdh.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* Caller: library/psa_crypto.c
|
||||
* library/ssl_tls.c
|
||||
* library/ssl*_client.c
|
||||
* library/ssl*_server.c
|
||||
*
|
||||
* This module is used by the following key exchanges:
|
||||
* ECDHE-ECDSA, ECDHE-RSA, DHE-PSK
|
||||
@ -1777,7 +1957,8 @@
|
||||
* This module is used by the following key exchanges:
|
||||
* ECJPAKE
|
||||
*
|
||||
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
|
||||
* Requires: MBEDTLS_ECP_C and MBEDTLS_MD_C
|
||||
*
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_ECJPAKE_C
|
||||
#define MBEDTLS_ECJPAKE_C
|
||||
@ -1836,7 +2017,8 @@
|
||||
*
|
||||
* Module: library/gcm.c
|
||||
*
|
||||
* Requires: MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or MBEDTLS_ARIA_C
|
||||
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_CAMELLIA_C or
|
||||
* MBEDTLS_ARIA_C
|
||||
*
|
||||
* This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other
|
||||
* requisites are enabled as well.
|
||||
@ -1885,8 +2067,29 @@
|
||||
*
|
||||
* Enable the generic message digest layer.
|
||||
*
|
||||
* Module: library/mbedtls_md.c
|
||||
* Caller:
|
||||
* Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
|
||||
* MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
|
||||
* MBEDTLS_SHA512_C.
|
||||
*
|
||||
* Module: library/md.c
|
||||
* Caller: library/constant_time.c
|
||||
* library/ecdsa.c
|
||||
* library/ecjpake.c
|
||||
* library/hkdf.c
|
||||
* library/hmac_drbg.c
|
||||
* library/pk.c
|
||||
* library/pkcs5.c
|
||||
* library/pkcs12.c
|
||||
* library/psa_crypto_ecp.c
|
||||
* library/psa_crypto_rsa.c
|
||||
* library/rsa.c
|
||||
* library/ssl_cookie.c
|
||||
* library/ssl_msg.c
|
||||
* library/ssl_tls.c
|
||||
* library/x509.c
|
||||
* library/x509_crt.c
|
||||
* library/x509write_crt.c
|
||||
* library/x509write_csr.c
|
||||
*
|
||||
* Uncomment to enable generic message digest wrappers.
|
||||
*/
|
||||
@ -1910,11 +2113,19 @@
|
||||
/**
|
||||
* \def MBEDTLS_NET_C
|
||||
*
|
||||
* Enable the TCP/IP networking routines.
|
||||
* Enable the TCP and UDP over IPv6/IPv4 networking routines.
|
||||
*
|
||||
* Module: library/net.c
|
||||
* \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
|
||||
* and Windows. For other platforms, you'll want to disable it, and write your
|
||||
* own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
|
||||
*
|
||||
* This module provides TCP/IP networking routines.
|
||||
* \note See also our Knowledge Base article about porting to a new
|
||||
* environment:
|
||||
* https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
||||
*
|
||||
* Module: library/net_sockets.c
|
||||
*
|
||||
* This module provides networking routines.
|
||||
*/
|
||||
#ifdef MBEDTLS_NET_C
|
||||
#undef MBEDTLS_NET_C
|
||||
@ -2002,12 +2213,16 @@
|
||||
/**
|
||||
* \def MBEDTLS_PK_C
|
||||
*
|
||||
* Enable the generic public (asymetric) key layer.
|
||||
* Enable the generic public (asymmetric) key layer.
|
||||
*
|
||||
* Module: library/pk.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* Caller: library/psa_crypto_rsa.c
|
||||
* library/ssl_tls.c
|
||||
* library/ssl*_client.c
|
||||
* library/ssl*_server.c
|
||||
* library/x509.c
|
||||
*
|
||||
* Requires: MBEDTLS_MD_C, MBEDTLS_RSA_C or MBEDTLS_ECP_C
|
||||
*
|
||||
* Requires: MBEDTLS_RSA_C or MBEDTLS_ECP_C
|
||||
*
|
||||
@ -2018,7 +2233,7 @@
|
||||
/**
|
||||
* \def MBEDTLS_PK_PARSE_C
|
||||
*
|
||||
* Enable the generic public (asymetric) key parser.
|
||||
* Enable the generic public (asymmetric) key parser.
|
||||
*
|
||||
* Module: library/pkparse.c
|
||||
* Caller: library/mbedtls_x509_crt.c
|
||||
@ -2033,7 +2248,7 @@
|
||||
/**
|
||||
* \def MBEDTLS_PK_WRITE_C
|
||||
*
|
||||
* Enable the generic public (asymetric) key writer.
|
||||
* Enable the generic public (asymmetric) key writer.
|
||||
*
|
||||
* Module: library/pkwrite.c
|
||||
* Caller: library/x509write.c
|
||||
@ -2051,12 +2266,32 @@
|
||||
*
|
||||
* Module: library/pkcs5.c
|
||||
*
|
||||
* Requires: MBEDTLS_MD_C
|
||||
* Requires: MBEDTLS_CIPHER_C and MBEDTLS_MD_C
|
||||
*
|
||||
* This module adds support for the PKCS#5 functions.
|
||||
*/
|
||||
#define MBEDTLS_PKCS5_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS7_C
|
||||
*
|
||||
* This feature is a work in progress and not ready for production. Testing and
|
||||
* validation is incomplete, and handling of malformed inputs may not be robust.
|
||||
* The API may change.
|
||||
*
|
||||
* Enable PKCS7 core for using PKCS7 formatted signatures.
|
||||
* RFC Link - https://tools.ietf.org/html/rfc2315
|
||||
*
|
||||
* Module: library/pkcs7.c
|
||||
*
|
||||
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
|
||||
* MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
|
||||
* MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
|
||||
*
|
||||
* This module is required for the PKCS7 parsing modules.
|
||||
*/
|
||||
//#define MBEDTLS_PKCS7_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_PKCS12_C
|
||||
*
|
||||
@ -2083,7 +2318,7 @@
|
||||
* above to be specified at runtime or compile time respectively.
|
||||
*
|
||||
* \note This abstraction layer must be enabled on Windows (including MSYS2)
|
||||
* as other module rely on it for a fixed snprintf implementation.
|
||||
* as other modules rely on it for a fixed snprintf implementation.
|
||||
*
|
||||
* Module: library/platform.c
|
||||
* Caller: Most other .c files
|
||||
@ -2127,10 +2362,12 @@
|
||||
* Enable the RSA public-key cryptosystem.
|
||||
*
|
||||
* Module: library/rsa.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* library/rsa_alt_helpers.c
|
||||
* Caller: library/pk.c
|
||||
* library/psa_crypto.c
|
||||
* library/ssl_tls.c
|
||||
* library/x509.c
|
||||
* library/ssl*_client.c
|
||||
* library/ssl*_server.c
|
||||
*
|
||||
* This module is used by the following key exchanges:
|
||||
* RSA, DHE-RSA, ECDHE-RSA, RSA-PSK
|
||||
@ -2144,17 +2381,36 @@
|
||||
*
|
||||
* Enable the SHA1 cryptographic hash algorithm.
|
||||
*
|
||||
* Module: library/mbedtls_sha1.c
|
||||
* Caller: library/mbedtls_md.c
|
||||
* library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* library/ssl_tls.c
|
||||
* library/x509write_crt.c
|
||||
* Module: library/sha1.c
|
||||
* Caller: library/md.c
|
||||
* library/psa_crypto_hash.c
|
||||
*
|
||||
* This module is required for TLS 1.2 depending on the handshake parameters,
|
||||
* and for SHA1-signed certificates.
|
||||
*
|
||||
* \warning SHA-1 is considered a weak message digest and its use constitutes
|
||||
* a security risk. If possible, we recommend avoiding dependencies
|
||||
* on it, and considering stronger message digests instead.
|
||||
*
|
||||
* This module is required for SSL/TLS and SHA1-signed certificates.
|
||||
*/
|
||||
#define MBEDTLS_SHA1_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SHA224_C
|
||||
*
|
||||
* Enable the SHA-224 cryptographic hash algorithm.
|
||||
*
|
||||
* Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
|
||||
* SHA-224 without SHA-256.
|
||||
*
|
||||
* Module: library/sha256.c
|
||||
* Caller: library/md.c
|
||||
* library/ssl_cookie.c
|
||||
*
|
||||
* This module adds support for SHA-224.
|
||||
*/
|
||||
#define MBEDTLS_SHA224_C
|
||||
|
||||
/**
|
||||
* \def MBEDTLS_SHA256_C
|
||||
*
|
||||
@ -2163,9 +2419,9 @@
|
||||
* Module: library/mbedtls_sha256.c
|
||||
* Caller: library/entropy.c
|
||||
* library/mbedtls_md.c
|
||||
* library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* library/ssl_tls.c
|
||||
* library/ssl*_client.c
|
||||
* library/ssl*_server.c=
|
||||
*
|
||||
* This module adds support for SHA-224 and SHA-256.
|
||||
* This module is required for the SSL/TLS 1.2 PRF function.
|
||||
@ -2177,11 +2433,11 @@
|
||||
*
|
||||
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
|
||||
*
|
||||
* Module: library/mbedtls_sha512.c
|
||||
* Module: library/sha512.c
|
||||
* Caller: library/entropy.c
|
||||
* library/mbedtls_md.c
|
||||
* library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* library/md.c
|
||||
* library/ssl_tls.c
|
||||
* library/ssl_cookie.c
|
||||
*
|
||||
* This module adds support for SHA-384 and SHA-512.
|
||||
*/
|
||||
@ -2223,7 +2479,8 @@
|
||||
* Module: library/ssl_ticket.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_CIPHER_C
|
||||
* Requires: (MBEDTLS_CIPHER_C) &&
|
||||
* (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C)
|
||||
*/
|
||||
#ifdef CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS
|
||||
#define MBEDTLS_SSL_TICKET_C
|
||||
@ -2236,7 +2493,7 @@
|
||||
*
|
||||
* Enable the SSL/TLS client code.
|
||||
*
|
||||
* Module: library/ssl_cli.c
|
||||
* Module: library/ssl*_client.c
|
||||
* Caller:
|
||||
*
|
||||
* Requires: MBEDTLS_SSL_TLS_C
|
||||
@ -2273,8 +2530,8 @@
|
||||
* Enable the generic SSL/TLS code.
|
||||
*
|
||||
* Module: library/ssl_tls.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* Caller: library/ssl*_client.c
|
||||
* library/ssl*_server.c
|
||||
*
|
||||
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
|
||||
* and at least one of the MBEDTLS_SSL_PROTO_XXX defines
|
||||
@ -2301,7 +2558,7 @@
|
||||
*
|
||||
* \note See also our Knowledge Base article about porting to a new
|
||||
* environment:
|
||||
* https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
||||
* https://mbed-tls.readthedocs.io/en/latest/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
|
||||
*
|
||||
* Module: library/timing.c
|
||||
* Caller: library/havege.c
|
||||
@ -2334,7 +2591,7 @@
|
||||
* library/mbedtls_x509_csr.c
|
||||
*
|
||||
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C,
|
||||
* MBEDTLS_PK_PARSE_C
|
||||
* MBEDTLS_PK_PARSE_C, MBEDTLS_MD_C
|
||||
*
|
||||
* This module is required for the X.509 parsing modules.
|
||||
*/
|
||||
@ -2346,9 +2603,9 @@
|
||||
* Enable X.509 certificate parsing.
|
||||
*
|
||||
* Module: library/mbedtls_x509_crt.c
|
||||
* Caller: library/ssl_cli.c
|
||||
* library/ssl_srv.c
|
||||
* library/ssl_tls.c
|
||||
* Caller: library/ssl_tls.c
|
||||
* library/ssl*_client.c
|
||||
* library/ssl*_server.c
|
||||
*
|
||||
* Requires: MBEDTLS_X509_USE_C
|
||||
*
|
||||
@ -2399,7 +2656,8 @@
|
||||
*
|
||||
* Module: library/x509_create.c
|
||||
*
|
||||
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
|
||||
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C,
|
||||
* MBEDTLS_MD_C
|
||||
*
|
||||
* This module is the basis for creating X.509 certificates and CSRs.
|
||||
*/
|
||||
@ -2613,7 +2871,7 @@
|
||||
* contexts are not shared between threads. If you do intend to use contexts
|
||||
* between threads, you will need to enable this layer to prevent race
|
||||
* conditions. See also our Knowledge Base article about threading:
|
||||
* https://tls.mbed.org/kb/development/thread-safety-and-multi-threading
|
||||
* https://mbed-tls.readthedocs.io/en/latest/kb/development/thread-safety-and-multi-threading
|
||||
*
|
||||
* Module: library/threading.c
|
||||
*
|
||||
|
@ -564,7 +564,7 @@ static esp_err_t test_req_endpoint(session_t *session)
|
||||
// Check if the AES key is correctly set before calling the software encryption
|
||||
// API. Without this check, the code will crash, resulting in a test case failure.
|
||||
// For hardware AES, portability layer takes care of this.
|
||||
if (session->ctx_aes.MBEDTLS_PRIVATE(rk) != NULL && session->ctx_aes.MBEDTLS_PRIVATE(nr) > 0) {
|
||||
if (session->ctx_aes.MBEDTLS_PRIVATE(nr) > 0) {
|
||||
#endif
|
||||
|
||||
mbedtls_aes_crypt_ctr(&session->ctx_aes, sizeof(rand_test_data), &session->nc_off,
|
||||
|
@ -745,25 +745,7 @@ cleanup:
|
||||
int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
|
||||
int iterations, u8 *buf, size_t buflen)
|
||||
{
|
||||
|
||||
mbedtls_md_context_t sha1_ctx;
|
||||
const mbedtls_md_info_t *info_sha1;
|
||||
int ret;
|
||||
|
||||
mbedtls_md_init(&sha1_ctx);
|
||||
|
||||
info_sha1 = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
|
||||
if (info_sha1 == NULL) {
|
||||
ret = -1;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if ((ret = mbedtls_md_setup(&sha1_ctx, info_sha1, 1)) != 0) {
|
||||
ret = -1;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = mbedtls_pkcs5_pbkdf2_hmac(&sha1_ctx, (const u8 *) passphrase,
|
||||
int ret = mbedtls_pkcs5_pbkdf2_hmac_ext(MBEDTLS_MD_SHA1, (const u8 *) passphrase,
|
||||
os_strlen(passphrase) , ssid,
|
||||
ssid_len, iterations, 32, buf);
|
||||
if (ret != 0) {
|
||||
@ -772,7 +754,6 @@ int pbkdf2_sha1(const char *passphrase, const u8 *ssid, size_t ssid_len,
|
||||
}
|
||||
|
||||
cleanup:
|
||||
mbedtls_md_free(&sha1_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user