Removed MbedTLS defines for unsupported MD2, MD4, and RC4

Signed-off-by: George Poulios <[email protected]>
tiiuae · Nov 29, 2024 · ba8d265 · ba8d265
1 parent 763aecd
commit ba8d265
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 92 deletions.
diff --git a/crypto/mbedtls/Kconfig b/crypto/mbedtls/Kconfig
@@ -460,10 +460,6 @@ config MBEDTLS_AES_C
 	bool "Enable the AES block cipher."
 	default y
 
-config CONFIG_MBEDTLS_ARC4_C
-	bool "Enable the ARCFOUR stream cipher."
-	default y
-
 config MBEDTLS_ASN1_PARSE_C
 	bool "Enable the generic ASN1 parser."
 	default y

diff --git a/crypto/mbedtls/include/mbedtls/mbedtls_config.h b/crypto/mbedtls/include/mbedtls/mbedtls_config.h
@@ -419,18 +419,17 @@
  * Uncomment a macro to enable alternate implementation of the corresponding
  * module.
  *
- * \warning   MD2, MD4, MD5, ARC4, DES and SHA-1 are considered weak and
- *            their use constitutes a security risk. If possible, we
- *            recommend avoiding dependencies on them, and considering
- *            stronger message digests and ciphers instead.
+ * \warning   MD5, DES and SHA-1 are considered weak and their
+ *            use constitutes a security risk. If possible, we recommend
+ *            avoiding dependencies on them, and considering stronger message
+ *            digests and ciphers instead.
  *
  */
 
 #ifdef CONFIG_MBEDTLS_AES_ALT
 #define MBEDTLS_AES_ALT
 #endif
-/* #define MBEDTLS_ARC4_ALT
- * #define MBEDTLS_ARIA_ALT
+/* #define MBEDTLS_ARIA_ALT
  * #define MBEDTLS_BLOWFISH_ALT
  * #define MBEDTLS_CAMELLIA_ALT
  * #define MBEDTLS_CCM_ALT
@@ -445,8 +444,6 @@
  * #define MBEDTLS_ECJPAKE_ALT
  * #define MBEDTLS_GCM_ALT
  * #define MBEDTLS_NIST_KW_ALT
- * #define MBEDTLS_MD2_ALT
- * #define MBEDTLS_MD4_ALT
  */
 #ifdef CONFIG_MBEDTLS_MD5_ALT
 #define MBEDTLS_MD5_ALT
@@ -483,46 +480,41 @@
  * \def MBEDTLS_SHA256_PROCESS_ALT
  *
  * MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use you
- * alternate core implementation of symmetric crypto or hash function.
- * Keep in mind that function prototypes should remain the same.
+ * alternate core implementation of symmetric crypto or hash function. Keep in
+ * mind that function prototypes should remain the same.
  *
  * This replaces only one function. The header file from Mbed TLS is still
  * used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
  *
  * Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, Mbed TLS will
- * no longer provide the mbedtls_sha1_process() function, but it will still
- * provide the other function (using your mbedtls_sha1_process() function)
- * and the definition of mbedtls_sha1_context, so your implementation of
- * mbedtls_sha1_process must be compatible
- *
+ * no longer provide the mbedtls_sha1_process() function, but it will still provide
+ * the other function (using your mbedtls_sha1_process() function) and the definition
+ * of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
  * with this definition.
  *
- * \note If you use the AES_xxx_ALT macros, then it is recommended to also
- *       set MBEDTLS_AES_ROM_TABLES in order to help the linker
- *       garbage-collect the AES tables.
+ * \note If you use the AES_xxx_ALT macros, then it is recommended to also set
+ *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
+ *       tables.
  *
  * Uncomment a macro to enable alternate implementation of the corresponding
  * function.
  *
- * \warning   MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
+ * \warning   MD5, DES and SHA-1 are considered weak and their use
  *            constitutes a security risk. If possible, we recommend avoiding
  *            dependencies on them, and considering stronger message digests
  *            and ciphers instead.
  *
- * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC
- *            are enabled, then the deterministic ECDH signature functions
- *            pass the the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign().
- *            Therefore alternative implementations should use the RNG only
- *            for generating the ephemeral key and nothing else.
+ * \warning   If both MBEDTLS_ECDSA_SIGN_ALT and MBEDTLS_ECDSA_DETERMINISTIC are
+ *            enabled, then the deterministic ECDH signature functions pass the
+ *            the static HMAC-DRBG as RNG to mbedtls_ecdsa_sign(). Therefore
+ *            alternative implementations should use the RNG only for generating
+ *            the ephemeral key and nothing else. If this is not possible, then
+ *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
+ *            implementation should be provided for mbedtls_ecdsa_sign_det_ext().
  *
- *            If this is not possible, then MBEDTLS_ECDSA_DETERMINISTIC
- *            should be disabled and an alternative implementation should
- *            be provided for mbedtls_ecdsa_sign_det_ext().
  */
 
-/* #define MBEDTLS_MD2_PROCESS_ALT
- * #define MBEDTLS_MD4_PROCESS_ALT
- * #define MBEDTLS_MD5_PROCESS_ALT
+/* #define MBEDTLS_MD5_PROCESS_ALT
  * #define MBEDTLS_RIPEMD160_PROCESS_ALT
  * #define MBEDTLS_SHA1_PROCESS_ALT
  * #define MBEDTLS_SHA256_PROCESS_ALT
@@ -2682,26 +2674,6 @@
 #define MBEDTLS_AES_C
 #endif
 
-/**
- * \def MBEDTLS_ARC4_C
- *
- * Enable the ARCFOUR stream cipher.
- *
- * Module:  library/arc4.c
- * Caller:  library/cipher.c
- *
- * This module enables the following ciphersuites (if other requisites are
- * enabled as well):
- *
- * \warning   ARC4 is considered a weak cipher and its use constitutes a
- *            security risk. If possible, we recommend avoidng dependencies
- *            on it, and considering stronger ciphers instead.
- *
- */
-#ifdef CONFIG_MBEDTLS_ARC4_C
-#define MBEDTLS_ARC4_C
-#endif
-
 /**
  * \def MBEDTLS_ASN1_PARSE_C
  *
@@ -3342,44 +3314,6 @@
 #define MBEDTLS_MD_C
 #endif
 
-/**
- * \def MBEDTLS_MD2_C
- *
- * Enable the MD2 hash algorithm.
- *
- * Module:  library/md2.c
- * Caller:
- *
- * Uncomment to enable support for (rare) MD2-signed X.509 certs.
- *
- * \warning   MD2 is considered a weak message digest and its use constitutes
- *a
- *            security risk. If possible, we recommend avoiding dependencies
- *on
- *            it, and considering stronger message digests instead.
- *
- */
-
-/* #define MBEDTLS_MD2_C */
-
-/**
- * \def MBEDTLS_MD4_C
- *
- * Enable the MD4 hash algorithm.
- *
- * Module:  library/md4.c
- * Caller:
- *
- * Uncomment to enable support for (rare) MD4-signed X.509 certs.
- *
- * \warning   MD4 is considered a weak message digest and its use
- *            constitutes a security risk. If possible, we recommend
- *            avoiding dependencies on it, and considering stronger
- *            message digests instead.
- */
-
-/* #define MBEDTLS_MD4_C */
-
 /**
  * \def MBEDTLS_MD5_C
  *