modules: mbedtls: Enable PKCS1 v2.1
This Mbed TLS configuration option was being selected based on a non-existent Kconfig option, and hence would never be defined. v2.1 of PKCS1 was published in 2003. Use of v1.5 has been deprecated since 2016, and should not be used in new or existing designs. Enable the v2.1 version in any situation where RSA is used for signatures. In the future, we should disable v1.5 entirely, but only after all uses have been determined and possibly corrected. No significant weaknesses have been found in v1.5, however v2.1 has a significant security proof. However, v2.1 does require an entropy source, which may be an issue in some embedded device situations (which likely are problematic for other cryptographic reasons). Signed-off-by: David Brown <david.brown@linaro.org>
This commit is contained in:
David Brown
Kumar Gala
parent
22360ee323
commit
4164b17034
1 changed files with 1 additions and 4 deletions
|
|
@ -305,10 +305,6 @@
|
|||
#define MBEDTLS_CIPHER_C
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_PKCS1_V21_ENABLED)
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_MD)
|
||||
#define MBEDTLS_MD_C
|
||||
#endif
|
||||
|
|
@ -340,6 +336,7 @@
|
|||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
||||
#define MBEDTLS_PKCS1_V15
|
||||
#define MBEDTLS_PKCS1_V21
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue