Merge branch 'fix/mbedtls_disable_default_configs_v6.0' into 'release/v6.0'

change(mbedTLS): update mbedTLS default configs (v6.0)

See merge request espressif/esp-idf!45699
Mahavir Jain
2026-02-12 11:34:33 +05:30
13 changed files with 53 additions and 129 deletions
+5 -2
@@ -186,6 +186,9 @@ endif()
# Core libraries from the mbedTLS project
set(mbedtls_targets mbedtls mbedx509 tfpsacrypto builtin)
add_library(mbed-builtin ALIAS builtin)
set_target_properties(builtin PROPERTIES OUTPUT_NAME "mbed-builtin")
target_include_directories(tfpsacrypto PUBLIC "port/include")
message(STATUS "Setting up mbedtls configuration")
@@ -222,7 +225,7 @@ if(NOT ${IDF_TARGET} STREQUAL "linux")
)
target_link_libraries(tfpsacrypto PRIVATE "$<$<TARGET_EXISTS:idf::nvs_flash>:idf::nvs_flash>")
# Define compile definition to indicate ESP-IDF PSA ITS implementation is available
target_compile_definitions(tfpsacrypto PRIVATE "$<$<TARGET_EXISTS:idf::nvs_flash>:ESP_PSA_ITS_AVAILABLE>")
target_compile_definitions(tfpsacrypto PUBLIC "$<$<TARGET_EXISTS:idf::nvs_flash>:ESP_PSA_ITS_AVAILABLE>")
else()
# For v1: check if component is in build before adding source and linking
idf_build_get_property(build_components BUILD_COMPONENTS)
@@ -230,7 +233,7 @@ if(NOT ${IDF_TARGET} STREQUAL "linux")
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/psa_crypto_storage/esp_psa_its.c")
idf_component_get_property(nvs_flash_lib nvs_flash COMPONENT_LIB)
target_link_libraries(tfpsacrypto PRIVATE ${nvs_flash_lib})
target_compile_definitions(tfpsacrypto PRIVATE ESP_PSA_ITS_AVAILABLE)
target_compile_definitions(tfpsacrypto PUBLIC ESP_PSA_ITS_AVAILABLE)
endif()
endif()
endif()
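Review bot: Nothing beside the two `target_compile_definitions(tfpsacrypto PUBLIC ... ESP_PSA_ITS_AVAILABLE ...)` calls says why the macro is exported, and the comment above the first one only describes what it indicates. The page does not mark added lines, so I am reading the PUBLIC lines as the new side. With PUBLIC the definition reaches every target that links tfpsacrypto, while the nvs_flash link next to it stays PRIVATE, so a reader cannot tell which consumer is expected to test the macro. I would extend the comment in both the generator-expression branch and the v1 branch, for example `# PUBLIC: code outside tfpsacrypto also checks ESP_PSA_ITS_AVAILABLE (name the consumer here)`. The enclosing `if(NOT ${IDF_TARGET} STREQUAL "linux")` block starts outside the hunks.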
+4 -1
@@ -868,7 +868,7 @@ menu "mbedTLS"
config MBEDTLS_ARIA_C
bool "ARIA block cipher"
default y
default n
config MBEDTLS_CAMELLIA_SMALL_MEMORY
bool "Use small memory implementation of Camellia"
@@ -1272,6 +1272,7 @@ menu "mbedTLS"
help
Enable hardware accelerated ECDSA peripheral to verify signature
on curve SECP192R1 and SECP256R1 in mbedTLS.
Note that SECP192R1 support is disabled by default.
menu "Enable Software Countermeasure for ECDSA signing using on-chip ECDSA peripheral"
depends on MBEDTLS_HARDWARE_ECDSA_SIGN
@@ -1312,6 +1313,7 @@ menu "mbedTLS"
help
Enable hardware accelerated ECDSA peripheral to sign data
on curve SECP192R1 and SECP256R1 in mbedTLS.
Note that SECP192R1 support is disabled by default.
Note that for signing, the private key has to be burnt in an efuse key block
with key purpose set to ECDSA_KEY.
@@ -1332,6 +1334,7 @@ menu "mbedTLS"
help
Enable hardware accelerated ECC point multiplication and point verification for points
on curve SECP192R1 and SECP256R1 in mbedTLS
Note that SECP192R1 support is disabled by default.
config MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK
bool "Fallback to software implementation for curves not supported in hardware"
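Review bot: The three added help lines say SECP192R1 is disabled by default but not what controls it, so a user reading the hardware ECDSA verify, ECDSA sign and ECC help texts cannot tell whether anything in this menu turns it back on. The sentence before each note still lists SECP192R1 as an accelerated curve, which now reads as a contradiction. I would word each note along the lines of `Note that SECP192R1 support is disabled by default; see the migration guide (PSA_WANT_ECC_SECP_R1_192) before enabling it.`, which matches the define dropped from the config header and the migration note in this commit. The third help text also lacks a full stop after "in mbedTLS" before the added note. The config entries these help blocks belong to start outside the hunks.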
@@ -92,7 +92,7 @@ CONFIG_MBEDTLS_SSL_PROTO_DTLS=n
# Symmetric Ciphers
CONFIG_MBEDTLS_AES_C=y
CONFIG_MBEDTLS_CAMELLIA_C=n
CONFIG_MBEDTLS_ARIA_C=y
CONFIG_MBEDTLS_ARIA_C=n
CONFIG_MBEDTLS_DES_C=n
CONFIG_MBEDTLS_CCM_C=y
CONFIG_MBEDTLS_CIPHER_MODE_CBC=y
@@ -60,8 +60,6 @@
*/
#define MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
#define PSA_WANT_ECC_SECP_R1_192 1
/**
* \name SECTION: System support
*
+3 -21
@@ -3,7 +3,7 @@
* Focus on testing functionality where we use ESP32 hardware
* accelerated crypto features.
*
* SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2021-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -308,9 +308,7 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const
TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X))));
TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y))));
if (id == MBEDTLS_ECP_DP_SECP192R1) {
TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P192_POINT_MULTIPLY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
} else if (id == MBEDTLS_ECP_DP_SECP256R1) {
if (id == MBEDTLS_ECP_DP_SECP256R1) {
TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P256_POINT_MULTIPLY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
#if SOC_ECC_SUPPORT_CURVE_P384
} else if (id == MBEDTLS_ECP_DP_SECP384R1) {
@@ -326,15 +324,6 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const
mbedtls_ecp_group_free(&grp);
}
TEST_CASE("mbedtls ECP point multiply with SECP192R1", "[mbedtls]")
{
test_ecp_mul(MBEDTLS_ECP_DP_SECP192R1, ecc_p192_point_x, ecc_p192_point_y, ecc_p192_scalar,
ecc_p192_mul_res_x, ecc_p192_mul_res_y);
test_ecp_mul(MBEDTLS_ECP_DP_SECP192R1, ecc_p192_point_x, ecc_p192_point_y, NULL,
ecc_p192_small_mul_res_x, ecc_p192_small_mul_res_y);
}
TEST_CASE("mbedtls ECP point multiply with SECP256R1", "[mbedtls]")
{
test_ecp_mul(MBEDTLS_ECP_DP_SECP256R1, ecc_p256_point_x, ecc_p256_point_y, ecc_p256_scalar,
@@ -383,9 +372,7 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con
TEST_ASSERT_EQUAL(0, ret);
if (id == MBEDTLS_ECP_DP_SECP192R1) {
TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P192_POINT_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
} else if (id == MBEDTLS_ECP_DP_SECP256R1) {
if (id == MBEDTLS_ECP_DP_SECP256R1) {
TEST_PERFORMANCE_CCOMP_LESS_THAN(ECP_P256_POINT_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
#if SOC_ECC_SUPPORT_CURVE_P384
} else if (id == MBEDTLS_ECP_DP_SECP384R1) {
@@ -399,11 +386,6 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con
mbedtls_ecp_group_free(&grp);
}
TEST_CASE("mbedtls ECP point verify with SECP192R1", "[mbedtls]")
{
test_ecp_verify(MBEDTLS_ECP_DP_SECP192R1, ecc_p192_mul_res_x, ecc_p192_mul_res_y);
}
TEST_CASE("mbedtls ECP point verify with SECP256R1", "[mbedtls]")
{
test_ecp_verify(MBEDTLS_ECP_DP_SECP256R1, ecc_p256_mul_res_x, ecc_p256_mul_res_y);
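Review bot: Deleting the SECP192R1 cases outright leaves the opt-in path described in the migration note (defining `PSA_WANT_ECC_SECP_R1_192=1`) without any test coverage, both for point multiply and point verify. The `ecc_p192_*` vectors and the `ECP_P192_*` thresholds are no longer referenced by anything visible in these hunks; if their definitions are still in the file (they are outside the hunks), they are now dead data and may trigger unused-variable warnings. I would rather keep the removed `TEST_CASE` blocks and the P-192 branches behind `#if defined(PSA_WANT_ECC_SECP_R1_192)` ... `#endif`, or remove the vectors together with the tests. Both test_ecp_mul and test_ecp_verify start outside the hunks.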
@@ -195,10 +195,6 @@ void test_ecdsa_verify(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8
psa_set_key_algorithm(&key_attr, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
switch (curve) {
case ESP_ECDSA_CURVE_SECP192R1:
plen = 192;
hash_len = HASH_LEN;
break;
case ESP_ECDSA_CURVE_SECP256R1:
plen = 256;
hash_len = HASH_LEN;
@@ -237,9 +233,7 @@ void test_ecdsa_verify(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8
TEST_ASSERT_EQUAL(PSA_SUCCESS, status);
elapsed_time = ccomp_timer_stop();
if (curve == ESP_ECDSA_CURVE_SECP192R1) {
TEST_PERFORMANCE_CCOMP_LESS_THAN(ECDSA_P192_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
} else if (curve == ESP_ECDSA_CURVE_SECP256R1) {
if (curve == ESP_ECDSA_CURVE_SECP256R1) {
TEST_PERFORMANCE_CCOMP_LESS_THAN(ECDSA_P256_VERIFY_OP, "%" NEWLIB_NANO_COMPAT_FORMAT" us", NEWLIB_NANO_COMPAT_CAST(elapsed_time));
}
#if SOC_ECDSA_SUPPORT_CURVE_P384
@@ -251,16 +245,6 @@ void test_ecdsa_verify(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8
psa_reset_key_attributes(&key_attr);
}
TEST_CASE("mbedtls ECDSA signature verification performance on SECP192R1", "[mbedtls]")
{
#if SOC_ECDSA_SUPPORTED
if (!ecdsa_ll_is_supported()) {
TEST_IGNORE_MESSAGE("ECDSA is not supported");
}
#endif
test_ecdsa_verify(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_r, ecdsa192_s, ecdsa192_pub_x, ecdsa192_pub_y);
}
TEST_CASE("mbedtls ECDSA signature verification performance on SECP256R1", "[mbedtls]")
{
#if SOC_ECDSA_SUPPORTED
@@ -291,11 +275,9 @@ TEST_CASE("mbedtls ECDSA signature verification performance on SECP384R1", "[mbe
/*
* This test assumes that ECDSA private key has been burnt in efuse.
*
* ecdsa_key_p192.pem must be burnt in efuse block 4
* ecdsa_key_p256.pem must be burnt in efuse block 5
* ecdsa_key_p384.pem must be burnt in efuse block 6 and 7
*/
#define SECP192R1_EFUSE_BLOCK 4 // EFUSE_BLK_KEY0
#define SECP256R1_EFUSE_BLOCK 5 // EFUSE_BLK_KEY1
#define SECP384R1_EFUSE_BLOCK_HIGH 6 // EFUSE_BLK_KEY2
#define SECP384R1_EFUSE_BLOCK_LOW 7 // EFUSE_BLK_KEY3
@@ -327,11 +309,6 @@ void test_ecdsa_sign(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8_t
psa_algorithm_t sha_alg = 0;
switch (curve) {
case ESP_ECDSA_CURVE_SECP192R1:
hash_len = HASH_LEN;
plen = 192;
sha_alg = PSA_ALG_SHA_256;
break;
case ESP_ECDSA_CURVE_SECP256R1:
hash_len = HASH_LEN;
plen = 256;
@@ -390,14 +367,6 @@ void test_ecdsa_sign(esp_ecdsa_curve_t curve, const uint8_t *hash, const uint8_t
psa_reset_key_attributes(&priv_attr);
}
TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][efuse_key]")
{
if (!ecdsa_ll_is_supported()) {
TEST_IGNORE_MESSAGE("ECDSA is not supported");
}
test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, false, SECP192R1_EFUSE_BLOCK);
}
TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][efuse_key]")
{
if (!ecdsa_ll_is_supported()) {
@@ -442,17 +411,6 @@ static void deploy_key_in_key_manager(const uint8_t *k1_encrypted, esp_key_mgr_k
free(key_config);
}
TEST_CASE("mbedtls ECDSA signature generation on SECP192R1", "[mbedtls][key_manager_key]")
{
if (!key_mgr_ll_is_supported()) {
TEST_IGNORE_MESSAGE("Key manager is not supported");
}
deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192);
test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, false, USE_ECDSA_KEY_FROM_KEY_MANAGER);
esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
}
TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_manager_key]")
{
if (!key_mgr_ll_is_supported()) {
@@ -466,14 +424,6 @@ TEST_CASE("mbedtls ECDSA signature generation on SECP256R1", "[mbedtls][key_mana
#endif /* SOC_KEY_MANAGER_SUPPORTED */
#ifdef SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE
TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbedtls][efuse_key]")
{
if (!ecdsa_ll_is_deterministic_mode_supported()) {
ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported.");
} else {
test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, true, SECP192R1_EFUSE_BLOCK);
}
}
TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbedtls][efuse_key]")
{
@@ -493,20 +443,6 @@ TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP384R1", "[mbe
#endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */
#if SOC_KEY_MANAGER_SUPPORTED
TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP192R1", "[mbedtls][key_manager_key]")
{
if (!key_mgr_ll_is_supported()) {
TEST_IGNORE_MESSAGE("Key manager is not supported");
}
if (!ecdsa_ll_is_deterministic_mode_supported()) {
ESP_LOGI(TAG, "Skipping test because ECDSA deterministic mode is not supported.");
} else {
deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192);
test_ecdsa_sign(ESP_ECDSA_CURVE_SECP192R1, sha, ecdsa192_pub_x, ecdsa192_pub_y, true, USE_ECDSA_KEY_FROM_KEY_MANAGER);
esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
}
}
TEST_CASE("mbedtls ECDSA deterministic signature generation on SECP256R1", "[mbedtls][key_manager_key]")
{
@@ -538,10 +474,6 @@ void test_ecdsa_export_pubkey(esp_ecdsa_curve_t curve, const uint8_t *pub_x, con
psa_algorithm_t sha_alg = 0;
switch (curve) {
case ESP_ECDSA_CURVE_SECP192R1:
plen = 192;
sha_alg = PSA_ALG_SHA_256;
break;
case ESP_ECDSA_CURVE_SECP256R1:
plen = 256;
sha_alg = PSA_ALG_SHA_256;
@@ -588,14 +520,6 @@ void test_ecdsa_export_pubkey(esp_ecdsa_curve_t curve, const uint8_t *pub_x, con
psa_reset_key_attributes(&key_attr);
}
TEST_CASE("mbedtls ECDSA export public key on SECP192R1", "[mbedtls][efuse_key]")
{
if (!ecdsa_ll_is_supported()) {
TEST_IGNORE_MESSAGE("ECDSA is not supported");
}
test_ecdsa_export_pubkey(ESP_ECDSA_CURVE_SECP192R1, ecdsa192_pub_x, ecdsa192_pub_y, SECP192R1_EFUSE_BLOCK);
}
TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][efuse_key]")
{
if (!ecdsa_ll_is_supported()) {
@@ -613,16 +537,6 @@ TEST_CASE("mbedtls ECDSA export public key on SECP384R1", "[mbedtls][efuse_key]"
#endif /* SOC_ECDSA_SUPPORT_CURVE_P384 */
#if SOC_KEY_MANAGER_SUPPORTED
TEST_CASE("mbedtls ECDSA export public key on SECP192R1", "[mbedtls][key_manager_key]")
{
if (!key_mgr_ll_is_supported()) {
TEST_IGNORE_MESSAGE("Key manager is not supported");
}
deploy_key_in_key_manager(k1_ecdsa192_encrypt, ESP_KEY_MGR_ECDSA_KEY, ESP_KEY_MGR_ECDSA_LEN_192);
test_ecdsa_export_pubkey(ESP_ECDSA_CURVE_SECP192R1, ecdsa192_pub_x, ecdsa192_pub_y, USE_ECDSA_KEY_FROM_KEY_MANAGER);
esp_key_mgr_deactivate_key(ESP_KEY_MGR_ECDSA_KEY);
}
TEST_CASE("mbedtls ECDSA export public key on SECP256R1", "[mbedtls][key_manager_key]")
{
@@ -644,11 +558,6 @@ void test_ecdsa_sign_verify_import_export_error_codes(esp_ecdsa_curve_t curve, c
psa_algorithm_t sha_alg = 0;
switch (curve) {
case ESP_ECDSA_CURVE_SECP192R1:
hash_len = HASH_LEN;
plen = 192;
sha_alg = PSA_ALG_SHA_256;
break;
case ESP_ECDSA_CURVE_SECP256R1:
hash_len = HASH_LEN;
plen = 256;
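Review bot: With the `case ESP_ECDSA_CURVE_SECP192R1:` arm gone, the `switch (curve)` in test_ecdsa_verify no longer sets `plen` and `hash_len` for that enumerator, and the same applies to the switches in test_ecdsa_sign, test_ecdsa_export_pubkey and test_ecdsa_sign_verify_import_export_error_codes. The switch bodies continue outside the hunks, so a default arm may already exist. If it does not, a leftover caller passing the P-192 value would reach the PSA calls with whatever the locals were initialised to. An explicit arm makes that fail loudly: `default: TEST_FAIL_MESSAGE("Unsupported ECDSA curve");`.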
@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2025 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2025-2026 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
@@ -13,8 +13,7 @@
#include "unity.h"
#include "sdkconfig.h"
#if CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER
#ifdef CONFIG_MBEDTLS_ARIA_C
static const uint8_t key_256[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
@@ -22,10 +21,8 @@ static const uint8_t key_256[] = {
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
};
TEST_CASE("PSA ARIA-GCM multipart", "[psa-gcm]")
TEST_CASE("PSA ARIA-GCM multipart", "[psa-gcm][aria]")
{
// TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_crypto_init());
const size_t SZ = 100;
const size_t iv_SZ = 12; // GCM typically uses 12 bytes IV
const size_t tag_SZ = 16; // GCM tag size
@@ -134,7 +131,7 @@ TEST_CASE("PSA ARIA-GCM multipart", "[psa-gcm]")
psa_destroy_key(key_id);
}
TEST_CASE("PSA ARIA-GCM one-shot", "[psa-gcm]")
TEST_CASE("PSA ARIA-GCM one-shot", "[psa-gcm][aria]")
{
// TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_crypto_init());
@@ -209,4 +206,4 @@ TEST_CASE("PSA ARIA-GCM one-shot", "[psa-gcm]")
/* Destroy the key */
psa_destroy_key(key_id);
}
#endif /* CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER */
#endif /* CONFIG_MBEDTLS_ARIA_C */
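Review bot: The file guard now appears to be `#ifdef CONFIG_MBEDTLS_ARIA_C` alone, replacing the `CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER` check, yet both test cases are ARIA-GCM. If a configuration enables ARIA while non-AES GCM support is off, these cases would be built and would then likely fail at run time instead of being compiled out; whether Kconfig ties the two options together is not visible here. Keeping both conditions avoids that: `#if defined(CONFIG_MBEDTLS_ARIA_C) && defined(CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER)`, with the closing `#endif` comment updated to match. Separately, the commented-out `// TEST_ASSERT_EQUAL(PSA_SUCCESS, psa_crypto_init());` still shows in the one-shot case while it seems to have been dropped from the multipart case, so it should be removed there too.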
@@ -129,3 +129,16 @@ def test_mbedtls_ecdsa_sign(dut: Dut) -> None:
@idf_parametrize('target', ['esp32s3'], indirect=['target'])
def test_mbedtls_ds_rsa(dut: Dut) -> None:
dut.run_all_single_board_cases(group='ds_rsa')
@pytest.mark.generic
@pytest.mark.parametrize(
'config',
[
'aria',
],
indirect=True,
)
@idf_parametrize('target', ['esp32s3'], indirect=['target'])
def test_mbedtls_aria(dut: Dut) -> None:
dut.run_all_single_board_cases(group='aria')
@@ -0,0 +1 @@
CONFIG_MBEDTLS_ARIA_C=y
-1
@@ -214,7 +214,6 @@ These include:
- :ref:`CONFIG_MBEDTLS_HAVE_TIME`
- :ref:`CONFIG_MBEDTLS_ECDSA_DETERMINISTIC`
- :ref:`CONFIG_MBEDTLS_SHA512_C`
- :ref:`CONFIG_MBEDTLS_SHA3_C`
- :ref:`CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS`
- :ref:`CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS`
- :ref:`CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION`
@@ -60,6 +60,16 @@ ESP-IDF v6.0 updates to Mbed TLS v4.0, where **PSA Crypto is the primary cryptog
- 41084
- 4.97
Default configuration changes
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- Note: The default Mbed TLS configuration in ESP-IDF v6.0 has been tightened for security and footprint:
- ``MBEDTLS_ARIA_C`` is disabled by default. Applications that rely on ARIA must explicitly enable it in ``menuconfig`` (Component config -> mbedTLS) or by customizing ``components/mbedtls/config/mbedtls_preset_default.conf``.
- Support for ``secp192r1`` is disabled by default, consistent with the removal of support for elliptic curves smaller than 250 bits in certificates and TLS. If an application still requires legacy curve support outside TLS/certificates, it must be enabled explicitly (for example by defining ``PSA_WANT_ECC_SECP_R1_192=1``) and validated for compatibility. Note: this legacy support may be disabled in the next minor ESP-IDF release.
References
^^^^^^^^^^
@@ -213,7 +213,6 @@ MbedTLS 功能
- :ref:`CONFIG_MBEDTLS_HAVE_TIME`
- :ref:`CONFIG_MBEDTLS_ECDSA_DETERMINISTIC`
- :ref:`CONFIG_MBEDTLS_SHA512_C`
- :ref:`CONFIG_MBEDTLS_SHA3_C`
- :ref:`CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS`
- :ref:`CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS`
- :ref:`CONFIG_MBEDTLS_SSL_CONTEXT_SERIALIZATION`
@@ -60,6 +60,16 @@ ESP-IDF v6.0 已升级至 Mbed TLS v4.0**PSA Crypto 成为主要加密接口*
- 41084
- 4.97
默认配置更改
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
- 注意:默认的 Mbed TLS 配置在 ESP-IDF v6.0 中已收紧,以提升安全性并降低资源占用:
- ``MBEDTLS_ARIA_C`` 默认禁用。依赖 ARIA 的应用必须在 ``menuconfig`` (Component config -> mbedTLS) 中显式启用,或通过自定义 ``components/mbedtls/config/mbedtls_preset_default.conf`` 来启用。
- 默认禁用 ``secp192r1``,这与证书和 TLS 中移除对 250 位以下椭圆曲线的支持策略保持一致。如果某个应用在 TLS/证书之外仍然需要旧版曲线支持,则必须显式启用该功能(例如通过定义 ``PSA_WANT_ECC_SECP_R1_192=1``),并验证其兼容性。注意:该旧版支持可能会在下一次 ESP-IDF 小版本更新中被禁用。
参考文档
^^^^^^^^^^