Commit Graph

9 Commits

Author SHA1 Message Date
Damien George
8874a09119 extmod/mbedtls: Enable elliptic curve DH and DSA cryptography.
This is necessary to access sites that only support these protocols.

The rp2 port already has ECDH enabled, so this just adds ECDSA there.  The
other ports now gain both ECDH and ECDSA.  The code size increase is:

- rp2 (PICO_W): +2916 bytes flash, +24 bytes BSS
- stm32 (PYBD_SF6): +20480 bytes flash, +32 bytes data, +48 bytes BSS
- mimxrt (TEENSY41): +20708 bytes flash, +32 bytes data, +48 bytes BSS
- unix (standard x86-64): +39344 executable, +1744 bytes data, +96 BSS

This is obviously a large increase in code size.  But there doesn't seem to
be any other option because without elliptic curve cryptography devices are
partially cut off from the internet.  For use cases that require small
firmware size, they'll need to build custom firmware with a custom mbedtls
config.

Signed-off-by: Damien George <damien@micropython.org>
2022-10-22 19:08:21 +11:00
Damien George
9347545f9e extmod/mbedtls: Enable MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
This was already enabled on all ports except mimxrt.  Now it's enabled on
all of them.

Signed-off-by: Damien George <damien@micropython.org>
2022-10-22 19:06:21 +11:00
Damien George
b337678964 extmod/mbedtls: Add common configuration file, and use it in all ports.
This is a no-op change.

Signed-off-by: Damien George <damien@micropython.org>
2022-10-22 19:06:21 +11:00
Damien George
39c96b543f stm32/mbedtls: Use core-provided tracked alloc instead of custom funcs.
Signed-off-by: Damien George <damien@micropython.org>
2022-05-05 10:31:50 +10:00
Damien George
5c32111fa0 ports: Reformat more C and Python source code.
These files that are reformatted only now fall under the list of files to
apply uncrustify/black formatting to.

Signed-off-by: Damien George <damien@micropython.org>
2022-04-20 16:17:35 +10:00
Damien George
5e506567a3 stm32/mbedtls: Enable MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE.
This adds MBEDTLS_MD_SHA1 to the list of default hashes for TLS 1.2
handshake signatures.  Although SHA-1 is weak, this option is turned on in
the default mbedtls configuration file, and allows better compatibility
with older servers.  In particular it allows an stm32-mbedtls-based client
to connect to an axtls-based client (eg default unix port and esp8266).

Signed-off-by: Damien George <damien@micropython.org>
2022-01-17 17:35:04 +11:00
Thorsten von Eicken
5264478007 extmod/modussl_mbedtls: Integrate shorter error strings.
The stm32 and esp32 ports now use shorter error strings for mbedtls errors.
Also, MBEDTLS_ERROR_C is enabled on stm32 by default to get these strings.
2020-07-21 00:31:05 +10:00
Jim Mussared
90f286465b stm32/mbedtls: Resize mbedtls output buffer from 16 down to 4 kiB.
To reduce the size of the SSL context on the heap.  See issue #5303.
2019-12-21 00:02:24 +11:00
Damien George
fed4c23590 stm32: Integrate optional mbedTLS component for ussl module.
To use it a board should define MICROPY_PY_USSL=1 and MICROPY_SSL_MBEDTLS=1
at the Makefile level.  With the provided configuration it adds about 64k
to the build.
2019-06-05 15:37:31 +10:00