mbedtls: disable Diffie-Hellman key exchange modes by default

Using these ciphers can constitute a security risk if the server uses a weak prime for the key exchange. Footprint impact: Roughly 3K saved in text+rodata in default https_request example
2025-03-09 17:19:09 -04:00 · 2021-10-25 18:35:50 +05:30 · 2021-10-25 18:35:50 +05:30 · 8c9a3da695
commit 8c9a3da695
parent 4e5648ea98
3 changed files with 18 additions and 3 deletions
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@ -66,8 +66,8 @@ menu "ESP-TLS"
        bool "Enable PSK verification"
        select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
        select MBEDTLS_KEY_EXCHANGE_PSK if ESP_TLS_USING_MBEDTLS
-        select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS
-        select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS
+        select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
+        select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
        select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
        default n
        help
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@ -426,7 +426,7 @@ menu "mbedTLS"

        config MBEDTLS_KEY_EXCHANGE_DHE_PSK
            bool "Enable DHE-PSK based ciphersuite modes"
-            depends on MBEDTLS_PSK_MODES
+            depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
            default y
            help
                Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
@ -454,6 +454,7 @@ menu "mbedTLS"
        config MBEDTLS_KEY_EXCHANGE_DHE_RSA
            bool "Enable DHE-RSA based ciphersuite modes"
            default y
+            depends on MBEDTLS_DHM_C
            help
                Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-

@ -716,6 +717,16 @@ menu "mbedTLS"
        bool  "Elliptic Curve Ciphers"
        default y

+    config MBEDTLS_DHM_C
+        bool "Diffie-Hellman-Merkle key exchange (DHM)"
+        default n
+        help
+            Enable DHM. Needed to use DHE-xxx TLS ciphersuites.
+
+            Note that the security of Diffie-Hellman key exchanges depends on
+            a suitable prime being used for the exchange. Please see detailed
+            warning text about this in file `mbedtls/dhm.h` file.
+
    config MBEDTLS_ECDH_C
        bool "Elliptic Curve Diffie-Hellman (ECDH)"
        depends on MBEDTLS_ECP_C
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@ -1601,7 +1601,11 @@
 * This module is used by the following key exchanges:
 *      DHE-RSA, DHE-PSK
 */
+#ifdef CONFIG_MBEDTLS_DHM_C
 #define MBEDTLS_DHM_C
+#else
+#undef MBEDTLS_DHM_C
+#endif

 /**
 * \def MBEDTLS_ECDH_C