Merge branch 'bugfix/mbedtls_deprecated_options' into 'master'

mbedtls: Remove deprecated options from mbedtls/esp_config.h

Closes IDFGH-7296

See merge request espressif/esp-idf!18008

components/mbedtls/Kconfig

@@ -726,23 +726,6 @@ menu "mbedTLS"
                 3DES is vulnerable to the Sweet32 attack and should only be enabled
                 if absolutely necessary.
 
-        choice MBEDTLS_RC4_MODE
-            prompt "RC4 Stream Cipher (legacy, insecure)"
-            default MBEDTLS_RC4_DISABLED
-            help
-                    ARCFOUR (RC4) stream cipher can be disabled entirely, enabled but not
-                    added to default ciphersuites, or enabled completely.
-
-                    Please consider the security implications before enabling RC4.
-
-                config MBEDTLS_RC4_DISABLED
-                    bool "Disabled"
-                config MBEDTLS_RC4_ENABLED_NO_DEFAULT
-                    bool "Enabled, not in default ciphersuites"
-                config MBEDTLS_RC4_ENABLED
-                    bool "Enabled"
-        endchoice
-
         config MBEDTLS_BLOWFISH_C
             bool "Blowfish block cipher (read help)"
             default n

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -290,43 +290,6 @@
 #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
 #define MBEDTLS_CIPHER_PADDING_ZEROS
 
-/**
- * \def MBEDTLS_REMOVE_ARC4_CIPHERSUITES & MBEDTLS_ARC4_C
- *
- * MBEDTLS_ARC4_C
- * Enable the ARCFOUR stream cipher.
- *
- * This module enables/disables the following ciphersuites
- *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
- *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
- *
- * MBEDTLS_REMOVE_ARC4_CIPHERSUITES
- * This flag removes the ciphersuites based on RC4 from the default list as
- * returned by mbedtls_ssl_list_ciphersuites(). However, it is still possible to
- * enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including them
- * explicitly.
- *
- * Uncomment this macro to remove RC4 ciphersuites by default.
- */
-#ifdef CONFIG_MBEDTLS_RC4_ENABLED
-#define MBEDTLS_ARC4_C
-#undef MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#elif defined CONFIG_MBEDTLS_RC4_ENABLED_NO_DEFAULT
-#define MBEDTLS_ARC4_C
-#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#else
-#undef MBEDTLS_ARC4_C
-#define MBEDTLS_REMOVE_ARC4_CIPHERSUITES
-#endif
-
 /**
  * \def MBEDTLS_ECP_RESTARTABLE
  *
@@ -529,7 +492,6 @@
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_PSK
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
@@ -557,7 +519,6 @@
  *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
@@ -581,7 +542,6 @@
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -610,7 +570,6 @@
  *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK
 #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
@@ -641,8 +600,6 @@
  *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
  *      MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
- *      MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_RSA
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
@@ -701,7 +658,6 @@
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@@ -729,7 +685,6 @@
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
  *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- *      MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
  */
 #ifdef CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
@@ -746,7 +701,6 @@
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
- *      MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  *      MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
@@ -774,7 +728,6 @@
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
- *      MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
  *      MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  *      MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
@@ -1071,41 +1024,6 @@
 #undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
 #endif
 
-/**
- * \def MBEDTLS_SSL_PROTO_TLS1
- *
- * Enable support for TLS 1.0.
- *
- * Requires: MBEDTLS_MD5_C
- *           MBEDTLS_SHA1_C
- *
- * Comment this macro to disable support for TLS 1.0
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1
-#define MBEDTLS_SSL_PROTO_TLS1
-#else
-#undef MBEDTLS_SSL_PROTO_TLS1
-#endif
-
-/**
- * \def MBEDTLS_SSL_PROTO_SSL3
- *
- * Enable support for SSL 3.0.
- *
- * Requires: MBEDTLS_MD5_C
- *           MBEDTLS_SHA1_C
- *
- * \deprecated This option is deprecated and will be removed in a future
- *             version of Mbed TLS.
- *
- * Comment this macro to disable support for SSL 3.0
- */
-#ifdef CONFIG_MBEDTLS_SSL_PROTO_SSL3
-#define MBEDTLS_SSL_PROTO_SSL3
-#else
-#undef MBEDTLS_SSL_PROTO_SSL3
-#endif
-
 /**
  * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
  *
@@ -1393,7 +1311,7 @@
  *
  * Requires: MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
  */
-#if defined MBEDTLS_SSL_MAX_FRAGMENT_LENGTH && CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
+#ifdef CONFIG_MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 #define MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
 #else
 #undef MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH
@@ -1787,6 +1705,19 @@
 #undef MBEDTLS_DES_C
 #endif
 
+/**
+ * \def MBEDTLS_ARC4_C
+ *
+ * NOTE: mbedTLS-3.x release has removed support for RC4 cipher-suite.
+ * TODO: IDF-4983
+ *
+ * Following option is kept as there are a few places in the
+ * WPA supplicant component in ESP-IDF that relies on this config.
+ * This shall be removed once the RC4 cipher-suite support is cleanly
+ * removed from WPA supplicant component.
+ */
+#undef MBEDTLS_ARC4_C
+
 /**
  * \def MBEDTLS_DHM_C
  *
@@ -2151,7 +2082,6 @@
  * Caller:  library/pkparse.c
  *
  * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_CIPHER_C, MBEDTLS_MD_C
- * Can use:  MBEDTLS_ARC4_C
  *
  * This module enables PKCS#12 functions.
  */

components/wpa_supplicant/CMakeLists.txt

@@ -95,10 +95,8 @@ if(CONFIG_WPA_MBEDTLS_CRYPTO)
     "esp_supplicant/src/crypto/crypto_mbedtls-bignum.c"
     "esp_supplicant/src/crypto/crypto_mbedtls-rsa.c"
     "esp_supplicant/src/crypto/crypto_mbedtls-ec.c")
-    # Add internal RC4 if RC4 is disabled in mbedtls
+    # Add internal RC4 as RC4 has been removed from mbedtls
-    if(CONFIG_MBEDTLS_RC4_DISABLED)
+    set(crypto_src ${crypto_src} "src/crypto/rc4.c")
-        set(crypto_src ${crypto_src} "src/crypto/rc4.c")
-    endif()
     if(NOT CONFIG_MBEDTLS_DES_C)
         set(crypto_src ${crypto_src} "src/crypto/des-internal.c")
     endif()