modules: mbedtls: Enable PKCS1 v2.1
This Mbed TLS configuration option was being selected based on a
non-existent Kconfig option, and hence would never be defined.  v2.1 of
PKCS1 was published in 2003.  Use of v1.5 has been deprecated since
2016, and should not be used in new or existing designs.

Enable the v2.1 version in any situation where RSA is used for
signatures.  In the future, we should disable v1.5 entirely, but only
after all uses have been determined and possibly corrected.

No significant weaknesses have been found in v1.5, however v2.1 has a
significant security proof.  However, v2.1 does require an entropy
source, which may be an issue in some embedded device situations (which
likely are problematic for other cryptographic reasons).

Signed-off-by: David Brown <[email protected]>
d3zd3z authored and galak committed May 9, 2021
1 parent 22360ee commit 4164b17
Showing 1 changed file with 1 addition and 4 deletions.
5 changes: 1 addition & 4 deletions modules/mbedtls/configs/config-tls-generic.h
Expand Up @@ -305,10 +305,6 @@
#define MBEDTLS_CIPHER_C
#endif

#if defined(CONFIG_MBEDTLS_PKCS1_V21_ENABLED)
#define MBEDTLS_PKCS1_V21
#endif

#if defined(CONFIG_MBEDTLS_MD)
#define MBEDTLS_MD_C
#endif
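
Review bot: Deleting the guard on CONFIG_MBEDTLS_PKCS1_V21_ENABLED, instead of adding the missing Kconfig symbol, leaves MBEDTLS_PKCS1_V21 with no switch of its own. After this change it can only be turned on through the key-exchange condition in the later hunk, so a build that uses RSA outside those key exchanges cannot select v2.1, and a build that cannot meet the entropy requirement noted in the commit message cannot opt out. Consider defining the Kconfig option and keeping this block alongside the new define, or state in the file that the coupling is intentional.
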
Expand Down Expand Up @@ -340,6 +336,7 @@
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
#define MBEDTLS_PKCS1_V15
#define MBEDTLS_PKCS1_V21
#endif

#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
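
Review bot: The new "#define MBEDTLS_PKCS1_V21" after MBEDTLS_PKCS1_V15 has no guard or comment covering the entropy source that the commit message says v2.1 requires. A configuration that enables one of these RSA key exchanges on a device without a working entropy source now gets v2.1 compiled in silently; a short comment here, or a build-time check against the entropy configuration, would make the dependency visible. The condition is also built from TLS key-exchange macros (the visible part lists DHE_RSA and ECDHE_RSA), which is narrower than "any situation where RSA is used for signatures" in the commit message, so the comment should say which scope is intended.
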