mbedtls-3.x: Update Kconfig macros

2024-10-05 20:47:46 -04:00 · 2022-02-21 03:14:25 +05:30 · 2022-02-21 03:14:25 +05:30 · 8cbfb18037
commit 8cbfb18037
parent 8111286668
2 changed files with 56 additions and 8 deletions
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -114,13 +114,6 @@ menu "mbedTLS"
            "MBEDTLS_SSL_IN_CONTENT_LEN", so to save more heap, users can set
            the options to be an appropriate value.

-    config MBEDTLS_DYNAMIC_FREE_PEER_CERT
-        bool "Free SSL peer certificate after its usage"
-        default n
-        depends on MBEDTLS_DYNAMIC_BUFFER
-        help
-            Free peer certificate after its usage in handshake process.
-
    config MBEDTLS_DYNAMIC_FREE_CONFIG_DATA
        bool "Free private key and DHM data after its usage"
        default n
@ -178,7 +171,17 @@ menu "mbedTLS"
        default 3 if MBEDTLS_DEBUG_LEVEL_DEBUG
        default 4 if MBEDTLS_DEBUG_LEVEL_VERBOSE

-    menu "mbedTLS v2.28.x related"
+    menu "mbedTLS v3.x related"
+
+        config MBEDTLS_SSL_PROTO_TLS1_3
+            bool "Support TLS 1.3 protocol"
+            depends on MBEDTLS_TLS_ENABLED
+            default n
+
+        config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+            bool "Enable TLS 1.3 middlebox compatibility mode"
+            depends on MBEDTLS_SSL_PROTO_TLS1_3
+            default y

        config MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
            bool "Variable SSL buffer length"
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -1135,6 +1135,51 @@
 #undef MBEDTLS_SSL_PROTO_TLS1_2
 #endif

+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_3
+ *
+ * Enable support for TLS 1.3.
+ *
+ * \note The support for TLS 1.3 is not comprehensive yet, in particular
+ *       pre-shared keys are not supported.
+ *       See docs/architecture/tls13-support.md for a description of the TLS
+ *       1.3 support that this option enables.
+ *
+ * Uncomment this macro to enable the support for TLS 1.3.
+ *
+ */
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
+#define MBEDTLS_SSL_PROTO_TLS1_3
+#else
+#undef MBEDTLS_SSL_PROTO_TLS1_3
+#endif
+
+/**
+ * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+ *
+ * Enable TLS 1.3 middlebox compatibility mode.
+ *
+ * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility
+ * mode to make a TLS 1.3 connection more likely to pass through middle boxes
+ * expecting TLS 1.2 traffic.
+ *
+ * Turning on the compatibility mode comes at the cost of a few added bytes
+ * on the wire, but it doesn't affect compatibility with TLS 1.3 implementations
+ * that don't use it. Therefore, unless transmission bandwidth is critical and
+ * you know that middlebox compatibility issues won't occur, it is therefore
+ * recommended to set this option.
+ *
+ * Comment to disable compatibility mode for TLS 1.3. If
+ * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
+ * effect on the build.
+ *
+ */
+#ifdef CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+#else
+#undef MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+#endif
+
 /**
 * \def MBEDTLS_SSL_PROTO_DTLS
 *