From 8874a09119e74bb0edf73a63495b559d983767b7 Mon Sep 17 00:00:00 2001 From: Damien George Date: Wed, 5 Oct 2022 11:02:47 +1100 Subject: [PATCH] extmod/mbedtls: Enable elliptic curve DH and DSA cryptography. This is necessary to access sites that only support these protocols. The rp2 port already has ECDH enabled, so this just adds ECDSA there. The other ports now gain both ECDH and ECDSA. The code size increase is: - rp2 (PICO_W): +2916 bytes flash, +24 bytes BSS - stm32 (PYBD_SF6): +20480 bytes flash, +32 bytes data, +48 bytes BSS - mimxrt (TEENSY41): +20708 bytes flash, +32 bytes data, +48 bytes BSS - unix (standard x86-64): +39344 executable, +1744 bytes data, +96 BSS This is obviously a large increase in code size. But there doesn't seem to be any other option because without elliptic curve cryptography devices are partially cut off from the internet. For use cases that require small firmware size, they'll need to build custom firmware with a custom mbedtls config. Signed-off-by: Damien George --- extmod/mbedtls/mbedtls_config_common.h | 6 ++++++ ports/mimxrt/mbedtls/mbedtls_config.h | 3 --- ports/rp2/mbedtls/mbedtls_config.h | 2 -- ports/stm32/mbedtls/mbedtls_config.h | 3 --- 4 files changed, 6 insertions(+), 8 deletions(-) diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h index 4c2be6228..252f293e0 100644 --- a/extmod/mbedtls/mbedtls_config_common.h +++ b/extmod/mbedtls/mbedtls_config_common.h @@ -47,6 +47,8 @@ #define MBEDTLS_ECP_DP_BP512R1_ENABLED #define MBEDTLS_ECP_DP_CURVE25519_ENABLED #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +// #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED // enabling this currently breaks ssl_data.py test +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_NO_PLATFORM_ENTROPY #define MBEDTLS_PKCS1_V15 #define MBEDTLS_SHA256_SMALLER @@ -63,9 +65,13 @@ // Enable mbedtls modules. #define MBEDTLS_AES_C #define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECP_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_ERROR_C #define MBEDTLS_MD_C diff --git a/ports/mimxrt/mbedtls/mbedtls_config.h b/ports/mimxrt/mbedtls/mbedtls_config.h index cc71aa7ec..4140bb514 100644 --- a/ports/mimxrt/mbedtls/mbedtls_config.h +++ b/ports/mimxrt/mbedtls/mbedtls_config.h @@ -26,9 +26,6 @@ #ifndef MICROPY_INCLUDED_MBEDTLS_CONFIG_H #define MICROPY_INCLUDED_MBEDTLS_CONFIG_H -// Enable mbedtls modules -// #define MBEDTLS_ECP_C - // Set MicroPython-specific options. #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1) diff --git a/ports/rp2/mbedtls/mbedtls_config.h b/ports/rp2/mbedtls/mbedtls_config.h index 9c930b7d9..1b6d3dd43 100644 --- a/ports/rp2/mbedtls/mbedtls_config.h +++ b/ports/rp2/mbedtls/mbedtls_config.h @@ -31,8 +31,6 @@ #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED // Enable mbedtls modules -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECP_C #define MBEDTLS_GCM_C #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE diff --git a/ports/stm32/mbedtls/mbedtls_config.h b/ports/stm32/mbedtls/mbedtls_config.h index cc71aa7ec..4140bb514 100644 --- a/ports/stm32/mbedtls/mbedtls_config.h +++ b/ports/stm32/mbedtls/mbedtls_config.h @@ -26,9 +26,6 @@ #ifndef MICROPY_INCLUDED_MBEDTLS_CONFIG_H #define MICROPY_INCLUDED_MBEDTLS_CONFIG_H -// Enable mbedtls modules -// #define MBEDTLS_ECP_C - // Set MicroPython-specific options. #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)