
Merge branch 'cert/skipping_keyelements_validation' into 'master'

MbedTLS: Add config options for the keyUsage and extendedKeyUsage extension checks on SSL connections

See merge request espressif/esp-idf!12898

(cherry picked from commit 76bd33e9a4574829195d5fa4fbe05078ca6d291d)

38d67725 mbedtls: Add config option key element and key element ext
Mahavir Jain před 4 roky
rodič
revize
dd12e9f8cd

+ 16 - 0
components/mbedtls/Kconfig

@@ -563,6 +563,22 @@ menu "mbedTLS"
             Client support for RFC 5077 session tickets. See mbedTLS documentation for more details.
             Disabling this option will save some code size.
 
+    config MBEDTLS_X509_CHECK_KEY_USAGE
+        bool "Enable verification of the keyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
+    config MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+        bool "Enable verification of the extendedKeyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
     config MBEDTLS_SERVER_SSL_SESSION_TICKETS
         bool "TLS: Server Support for RFC 5077 SSL session tickets"
         default y
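Review bot: The help text on the new MBEDTLS_X509_CHECK_KEY_USAGE option reads as though turning it off is an improvement (`Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.`), when what actually happens is that chain verification starts accepting those certificates instead of rejecting them; the same wording is repeated under MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE. I would state the trade-off plainly in both, e.g. `Disabling this makes verification accept certificates whose keyUsage does not permit the operation (such as an intermediate CA without keyCertSign), so mis-issued or misused certificates are no longer rejected. Only disable it to interoperate with a PKI that issues such certificates; it weakens chain validation.` Both options also carry `depends on MBEDTLS_TLS_ENABLED`, yet these checks are part of X.509 chain verification rather than the TLS layer, and the esp_config.h side of this commit undefines the macro whenever the CONFIG symbol is absent, so a build with TLS disabled but doing its own X.509 verification would presumably lose the checks silently. Either drop the dependency or say in the help text that the checks are compiled out entirely when TLS is disabled.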

+ 8 - 0
components/mbedtls/port/include/mbedtls/esp_config.h

@@ -1193,7 +1193,11 @@
  *
  * Comment to skip keyUsage checking for both CA and leaf certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
@@ -1206,7 +1210,11 @@
  *
  * Comment to skip extendedKeyUsage checking for certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
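Review bot: The existing doc comment above the new `#ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE` block still tells the reader `Comment to skip keyUsage checking for both CA and leaf certificates.`, which now points them at hand-editing this header instead of the Kconfig symbol that actually controls the macro; the line above the extendedKeyUsage block (`Comment to skip extendedKeyUsage checking for certificates.`) has the same problem. I would replace each with a pointer to the new option, e.g. `Controlled by CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE in menuconfig (Component config -> mbedTLS); do not edit here.` The `#else` / `#undef` branches only do anything if the macro is already defined earlier in the include order; if that is not the case here they can be dropped, and if it is, a one-line comment saying which header defines it would explain why the explicit undef is needed.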