modules: mbedtls: Enable PKCS1 v2.1

d3zd3z · galak · commit 4164b1703420 · 2021-05-09T09:59:22.000-05:00
This Mbed TLS configuration option was being selected based on a
non-existent Kconfig option, and hence would never be defined.  v2.1 of
PKCS1 was published in 2003.  Use of v1.5 has been deprecated since
2016, and should not be used in new or existing designs.

Enable the v2.1 version in any situation where RSA is used for
signatures.  In the future, we should disable v1.5 entirely, but only
after all uses have been determined and possibly corrected.

No significant weaknesses have been found in v1.5, however v2.1 has a
significant security proof.  However, v2.1 does require an entropy
source, which may be an issue in some embedded device situations (which
likely are problematic for other cryptographic reasons).

Signed-off-by: David Brown &lt;david.brown@linaro.org&gt;
diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h
@@ -305,10 +305,6 @@
 #define MBEDTLS_CIPHER_C
 #endif
 
-#if defined(CONFIG_MBEDTLS_PKCS1_V21_ENABLED)
-#define MBEDTLS_PKCS1_V21
-#endif
-
 #if defined(CONFIG_MBEDTLS_MD)
 #define MBEDTLS_MD_C
 #endif
@@ -340,6 +336,7 @@
     defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
     defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
 #define MBEDTLS_PKCS1_V15
+#define MBEDTLS_PKCS1_V21
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
