mbedtls: Add more config options to disable Elliptic Curve features

Can save up to an additional 20KB when not using EC in TLS, or disable
unwanted features as needed.

diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index cecf6b8033b445c5807faa2f95a5da4584ab3e5e..2b24ecf1f1ec729f0a1ecce235a290a3cc2e21e8 100644 (file)
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -195,6 +195,7 @@ config MBEDTLS_KEY_EXCHANGE_DHE_RSA
 
 config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
    bool "Support Elliptic Curve based ciphersuites"
+   depends on MBEDTLS_ECP_C
    default y
    help
        Enable to show Elliptic Curve based ciphersuite mode options.
@@ -205,35 +206,35 @@ config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
    bool "Enable ECDHE-RSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
    default y
    help
        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
    bool "Enable ECDHE-ECDSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
    default y
    help
        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
    bool "Enable ECDHE-ECDSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
    default y
    help
        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
    bool "Enable ECDH-ECDSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
    default y
    help
        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA
    bool "Enable ECDH-RSA based ciphersuite modes"
-   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
+   depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
    default y
    help
        Enable to support ciphersuites with prefix TLS-ECDHE-RSA-WITH-
@@ -410,4 +411,117 @@ config MBEDTLS_X509_CSR_PARSE_C
 
 endmenu # Certificates
 
+menuconfig MBEDTLS_ECP_C
+    bool  "Elliptic Curve Ciphers"
+    default y
+
+config MBEDTLS_ECDH_C
+    bool "Elliptic Curve Diffie-Hellman (ECDH)"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable ECDH. Needed to use ECDHE-xxx TLS ciphersuites.
+
+config MBEDTLS_ECDSA_C
+    bool "Elliptic Curve DSA"
+    depends on MBEDTLS_ECDH_C
+    default y
+    help
+        Enable ECDSA. Needed to use ECDSA-xxx TLS ciphersuites.
+
+config MBEDTLS_ECP_DP_SECP192R1_ENABLED
+    bool "Enable SECP192R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224R1_ENABLED
+    bool "Enable SECP224R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    bool "Enable SECP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP384R1_ENABLED
+    bool "Enable SECP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP384R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP521R1_ENABLED
+    bool "Enable SECP521R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP521R1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP192K1_ENABLED
+    bool "Enable SECP192K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP192K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP224K1_ENABLED
+    bool "Enable SECP224K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP224K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_SECP256K1_ENABLED
+    bool "Enable SECP256K1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for SECP256K1 Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP256R1_ENABLED
+    bool "Enable BP256R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP384R1_ENABLED
+    bool "Enable BP384R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_BP512R1_ENABLED
+    bool "Enable BP512R1 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        support for DP Elliptic Curve.
+
+config MBEDTLS_ECP_DP_CURVE25519_ENABLED
+    bool "Enable CURVE25519 curve"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        Enable support for CURVE25519 Elliptic Curve.
+
+config MBEDTLS_ECP_NIST_OPTIM
+    bool "NIST 'modulo p' optimisations"
+    depends on MBEDTLS_ECP_C
+    default y
+    help
+        NIST 'modulo p' optimisations increase Elliptic Curve operation performance.
+
+        Disabling this option saves some code size.
+
+# end of Elliptic Curve options
+
 endmenu  # mbedTLS

diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index daa7bdcfe5229e12afdcf0543e4c876e23c0f85a..85a342be1c40e9dbcd05f8958775aa0d346f66de 100644 (file)
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -442,18 +442,42 @@
  *
  * Comment macros to disable the curve and functions for it
  */
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED
 #define MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED
 #define MBEDTLS_ECP_DP_BP256R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED
 #define MBEDTLS_ECP_DP_BP384R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_BP512R1_ENABLED
 #define MBEDTLS_ECP_DP_BP512R1_ENABLED
+#endif
+#ifdef CONFIG_MBEDTLS_ECP_DP_CURVE25519_ENABLED
 #define MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#endif
 
 /**
  * \def MBEDTLS_ECP_NIST_OPTIM
@@ -464,7 +488,9 @@
  *
  * Comment this macro to disable NIST curves optimisation.
  */
+#ifdef CONFIG_MBEDTLS_ECP_NIST_OPTIM
 #define MBEDTLS_ECP_NIST_OPTIM
+#endif
 
 /**
  * \def MBEDTLS_ECDSA_DETERMINISTIC
@@ -1792,7 +1818,9 @@
  *
  * Requires: MBEDTLS_ECP_C
  */
+#ifdef CONFIG_MBEDTLS_ECDH_C
 #define MBEDTLS_ECDH_C
+#endif
 
 /**
  * \def MBEDTLS_ECDSA_C
@@ -1807,7 +1835,9 @@
  *
  * Requires: MBEDTLS_ECP_C, MBEDTLS_ASN1_WRITE_C, MBEDTLS_ASN1_PARSE_C
  */
+#ifdef CONFIG_MBEDTLS_ECDSA_C
 #define MBEDTLS_ECDSA_C
+#endif
 
 /**
  * \def MBEDTLS_ECJPAKE_C
@@ -1840,7 +1870,9 @@
  *
  * Requires: MBEDTLS_BIGNUM_C and at least one MBEDTLS_ECP_DP_XXX_ENABLED
  */
+#ifdef CONFIG_MBEDTLS_ECP_C
 #define MBEDTLS_ECP_C
+#endif
 
 /**
  * \def MBEDTLS_ENTROPY_C