feat(ssl): Add config for mbedTLS RSA bits

Add ERROR information for users.
2025-06-17 11:54:24 +08:00 · 2018-10-29 16:20:07 +08:00
parent 37f6a717d3
commit 9355e427d1
3 changed files with 32 additions and 2 deletions
--- a/components/ssl/Kconfig
+++ b/components/ssl/Kconfig
@ -39,6 +39,25 @@ config MBEDTLS_SSL_MAX_CONTENT_LEN
        handshake or a return value of MBEDTLS_ERR_SSL_INVALID_RECORD
        (-0x7200).

+choice MBEDTLS_RSA_BITLEN_MIN
+    prompt "RSA minimum bit length"
+    default MBEDTLS_RSA_BITLEN_2048
+    help
+        mbedTLS's minimum bit length is 2048, but some customers's key RSA bits is 1024.
+
+        With the option users can configurate the value to make mbedTLS support 1024 bits RSA key.
+
+config MBEDTLS_RSA_BITLEN_1024
+    bool "1024(not safe)"
+config MBEDTLS_RSA_BITLEN_2048
+    bool "2048"
+endchoice
+
+config MBEDTLS_RSA_BITLEN_MIN
+    int
+    default 1024 if MBEDTLS_RSA_BITLEN_1024
+    default 2048 if MBEDTLS_RSA_BITLEN_2048
+
 config MBEDTLS_DEBUG
   bool "Enable mbedTLS debugging"
   default n
--- a/components/ssl/mbedtls/mbedtls/library/x509_crt.c
+++ b/components/ssl/mbedtls/mbedtls/library/x509_crt.c
@ -96,7 +96,7 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default =
    MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
    0xFFFFFFF, /* Any PK alg    */
    0xFFFFFFF, /* Any curve     */
-    2048,
+    MBEDTLS_RSA_BITLEN_MIN,
 };

 /*
@ -121,7 +121,7 @@ const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next =
 #else
    0,
 #endif
-    2048,
+    MBEDTLS_RSA_BITLEN_MIN,
 };

 /*
@ -185,6 +185,9 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
        if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
            return( 0 );

+        MBEDTLS_DEBUGF("ERROR: Certification RSA bit length is %d and should be >= %d",
+                mbedtls_pk_get_bitlen(pk), MBEDTLS_RSA_BITLEN_MIN);
+
        return( -1 );
    }
 #endif
--- a/components/ssl/mbedtls/port/esp8266/include/mbedtls/esp_config.h
+++ b/components/ssl/mbedtls/port/esp8266/include/mbedtls/esp_config.h
@ -2967,6 +2967,14 @@
 #include MBEDTLS_USER_CONFIG_FILE
 #endif

+#ifdef CONFIG_MBEDTLS_RSA_BITLEN_MIN
+#define MBEDTLS_RSA_BITLEN_MIN CONFIG_MBEDTLS_RSA_BITLEN_MIN
+#else
+#define MBEDTLS_RSA_BITLEN_MIN 2048
+#endif
+
+#define MBEDTLS_DEBUGF(_fmt, ...)   printf(_fmt "\r\n", ##__VA_ARGS__)
+
 #include "mbedtls/check_config.h"

 #endif /* MBEDTLS_CONFIG_H */