From 5e21b7675f15d5f55d21ba9c84b6100eb49a2fc3 Mon Sep 17 00:00:00 2001 From: kangping Date: Sun, 12 Apr 2020 18:20:10 +0800 Subject: [PATCH 1/2] mbedtls: add configuration options for EC-JPAKE Closes https://github.com/espressif/esp-idf/pull/5106 --- components/mbedtls/Kconfig | 14 +++++++++ .../mbedtls/port/include/mbedtls/esp_config.h | 29 ++++++++++++++++++- 2 files changed, 42 insertions(+), 1 deletion(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 0bec091bd..78c4a95b2 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -293,6 +293,13 @@ menu "mbedTLS" help Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH- + config MBEDTLS_KEY_EXCHANGE_ECJPAKE + bool "Enable ECJPAKE based ciphersuite modes" + depends on MBEDTLS_ECJPAKE_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED + default n + help + Enable to support ciphersuites with prefix TLS-ECJPAKE-WITH- + endmenu # TLS key exchange modes config MBEDTLS_SSL_RENEGOTIATION @@ -491,6 +498,13 @@ menu "mbedTLS" help Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites. + config MBEDTLS_ECJPAKE_C + bool "Elliptic curve J-PAKE" + depends on MBEDTLS_ECP_C + default n + help + Enable ECJPAKE. Needed to use ECJPAKE-xxx TLS ciphersuites. + config MBEDTLS_ECP_DP_SECP192R1_ENABLED bool "Enable SECP192R1 curve" depends on MBEDTLS_ECP_C diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 3502aae6b..efc5e50ec 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -621,6 +621,29 @@ #undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED #endif +/** + * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + * + * Enable the ECJPAKE based ciphersuite modes in SSL / TLS. + * + * \warning This is currently experimental. EC J-PAKE support is based on the + * Thread v1.0.0 specification; incompatible changes to the specification + * might still happen. For this reason, this is disabled by default. + * + * Requires: MBEDTLS_ECJPAKE_C + * MBEDTLS_SHA256_C + * MBEDTLS_ECP_DP_SECP256R1_ENABLED + * + * This enables the following ciphersuites (if other requisites are + * enabled as well): + * MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 + */ +#ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECJPAKE +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#else +#undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#endif + /** * \def MBEDTLS_PK_PARSE_EC_EXTENDED * @@ -1531,7 +1554,11 @@ * * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C */ -//#define MBEDTLS_ECJPAKE_C +#ifdef CONFIG_MBEDTLS_ECJPAKE_C +#define MBEDTLS_ECJPAKE_C +#else +#undef MBEDTLS_ECJPAKE_C +#endif /** * \def MBEDTLS_ECP_C From e2771716c42d5fecc30c1143be59aa4406b40a6b Mon Sep 17 00:00:00 2001 From: Piyush Shah Date: Sun, 10 May 2020 18:11:17 +0530 Subject: [PATCH 2/2] mbedtls_hkdf: Add a config option to enable HKDF --- components/mbedtls/Kconfig | 7 +++++++ components/mbedtls/port/include/mbedtls/esp_config.h | 8 +++++--- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 78c4a95b2..e37f83a95 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -600,6 +600,13 @@ menu "mbedTLS" # end of Elliptic Curve options + config MBEDTLS_HKDF_C + bool "HKDF algorithm (RFC 5869)" + default n + help + Enable support for the Hashed Message Authentication Code + (HMAC)-based key derivation function (HKDF). + menu "Util" config util_assert diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index efc5e50ec..ec763c80a 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -1625,17 +1625,19 @@ /** * \def MBEDTLS_HKDF_C * - * Disable the HKDF algorithm (RFC 5869). + * Enable the HKDF algorithm (RFC 5869). * * Module: library/hkdf.c * Caller: * * Requires: MBEDTLS_MD_C * - * This module adds support for the Hashed Message Authentication Code + * This module enables support for the Hashed Message Authentication Code * (HMAC)-based key derivation function (HKDF). */ -#ifdef MBEDTLS_HKDF_C +#ifdef CONFIG_MBEDTLS_HKDF_C +#define MBEDTLS_HKDF_C +#else #undef MBEDTLS_HKDF_C #endif