modules: mbedtls: Update mbedTLS commit and apply fixes

Update mbedTLS commit along with the following fixes: * Fix naming inconsistencies in some cipher modes, to match core mbedTLS configs * Add Kconfig to enable CTR cipher mode Fixes #22421 Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
2020-02-05 15:42:11 +01:00 · 2020-02-05 15:42:11 +01:00 · 2c2771970e
commit 2c2771970e
parent fdd89efd3a
4 changed files with 22 additions and 18 deletions
--- a/drivers/crypto/crypto_mtls_shim.c
+++ b/drivers/crypto/crypto_mtls_shim.c
@ -21,7 +21,7 @@
 #endif /* CONFIG_MBEDTLS_CFG_FILE */

 #include <mbedtls/ccm.h>
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 #include <mbedtls/gcm.h>
 #endif
 #include <mbedtls/aes.h>
@ -36,7 +36,7 @@ LOG_MODULE_REGISTER(mbedtls);
 struct mtls_shim_session {
 	union {
 		mbedtls_ccm_context mtls_ccm;
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 		mbedtls_gcm_context mtls_gcm;
 #endif
 		mbedtls_aes_context mtls_aes;
@ -226,7 +226,7 @@ static int mtls_ccm_decrypt_auth(struct cipher_ctx *ctx,
 	return 0;
 }

-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 static int mtls_gcm_encrypt_auth(struct cipher_ctx *ctx,
 				 struct cipher_aead_pkt *apkt,
 				 u8_t *nonce)
@ -284,7 +284,7 @@ static int mtls_gcm_decrypt_auth(struct cipher_ctx *ctx,

 	return 0;
 }
-#endif /* CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED */
+#endif /* CONFIG_MBEDTLS_CIPHER_GCM_ENABLED */

 static int mtls_get_unused_session_index(void)
 {
@ -306,7 +306,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 {
 	mbedtls_aes_context *aes_ctx;
 	mbedtls_ccm_context *ccm_ctx;
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 	mbedtls_gcm_context *gcm_ctx;
 #endif
 	int ctx_idx;
@ -324,7 +324,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,

 	if (mode != CRYPTO_CIPHER_MODE_CCM &&
 	    mode != CRYPTO_CIPHER_MODE_CBC &&
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 	    mode != CRYPTO_CIPHER_MODE_GCM &&
 #endif
 	    mode != CRYPTO_CIPHER_MODE_ECB) {
@ -400,7 +400,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 			ctx->ops.ccm_crypt_hndlr = mtls_ccm_decrypt_auth;
 		}
 		break;
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 	case CRYPTO_CIPHER_MODE_GCM:
 		gcm_ctx = &mtls_sessions[ctx_idx].mtls_gcm;
 		mbedtls_gcm_init(gcm_ctx);
@ -418,7 +418,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 			ctx->ops.gcm_crypt_hndlr = mtls_gcm_decrypt_auth;
 		}
 		break;
-#endif /* CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED */
+#endif /* CONFIG_MBEDTLS_CIPHER_GCM_ENABLED */
 	default:
 		LOG_ERR("Unhandled mode");
 		mtls_sessions[ctx_idx].in_use = false;
@ -438,7 +438,7 @@ static int mtls_session_free(struct device *dev, struct cipher_ctx *ctx)

 	if (mtls_session->mode == CRYPTO_CIPHER_MODE_CCM) {
 		mbedtls_ccm_free(&mtls_session->mtls_ccm);
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 	} else if (mtls_session->mode == CRYPTO_CIPHER_MODE_GCM) {
 		mbedtls_gcm_free(&mtls_session->mtls_gcm);
 #endif
--- a/modules/Kconfig.tls-generic
+++ b/modules/Kconfig.tls-generic
@ -170,9 +170,10 @@ config MBEDTLS_CIPHER_ALL_ENABLED
 	select MBEDTLS_CIPHER_CHACHA20_ENABLED
 	select MBEDTLS_CIPHER_BLOWFISH_ENABLED
 	select MBEDTLS_CIPHER_CCM_ENABLED
+	select MBEDTLS_CIPHER_GCM_ENABLED
 	select MBEDTLS_CIPHER_MODE_XTS_ENABLED
-	select MBEDTLS_CIPHER_MODE_GCM_ENABLED
-	select MBEDTLS_CIPHER_CBC_ENABLED
+	select MBEDTLS_CIPHER_MODE_CBC_ENABLED
+	select MBEDTLS_CIPHER_MODE_CTR_ENABLED
 	select MBEDTLS_CHACHAPOLY_AEAD_ENABLED

 config MBEDTLS_CIPHER_AES_ENABLED
@ -204,18 +205,21 @@ config MBEDTLS_CIPHER_CCM_ENABLED
 	bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
 	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

+config MBEDTLS_CIPHER_GCM_ENABLED
+	bool "Enable the Galois/Counter Mode (GCM) for AES"
+	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
+
 config MBEDTLS_CIPHER_MODE_XTS_ENABLED
 	bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
 	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED

-config MBEDTLS_CIPHER_MODE_GCM_ENABLED
-	bool "Enable the Galois/Counter Mode (GCM) for AES"
-	depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
-
-config MBEDTLS_CIPHER_CBC_ENABLED
+config MBEDTLS_CIPHER_MODE_CBC_ENABLED
 	bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
 	default y if !NET_L2_OPENTHREAD

+config MBEDTLS_CIPHER_MODE_CTR_ENABLED
+	bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
+
 config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
 	bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
 	depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
--- a/samples/drivers/crypto/prj_mtls_shim.conf
+++ b/samples/drivers/crypto/prj_mtls_shim.conf
@ -5,7 +5,7 @@ CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
 CONFIG_MBEDTLS_HEAP_SIZE=512
 CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
 CONFIG_MAIN_STACK_SIZE=4096

 CONFIG_CRYPTO=y
--- a/west.yml
+++ b/west.yml
@ -80,7 +80,7 @@ manifest:
      revision: 74fc2e753a997bd71cefa34dd9c56dcb954b42e2
      path: modules/lib/gui/lvgl
    - name: mbedtls
-      revision: cf7020eb4c7ef93319f2d6d2403a21e12a879bf6
+      revision: 821154171b246f64eaeef3ccc267f58d8274739a
      path: modules/crypto/mbedtls
    - name: mcuboot
      revision: 5657d00e662adbd32addc8525862249b631334c5