From 2c2771970edc23d4e2997c0df537a8570ffa8069 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Wed, 5 Feb 2020 15:42:11 +0100
Subject: [PATCH] modules: mbedtls: Update mbedTLS commit and apply fixes
Update mbedTLS commit along with the following fixes:
* Fix naming inconsistencies in some cipher modes, to match core mbedTLS configs
* Add Kconfig to enable CTR cipher mode
Fixes #22421
Signed-off-by: Robert Lubos
---
 drivers/crypto/crypto_mtls_shim.c | 18 +++++++++---------
 modules/Kconfig.tls-generic | 18 +++++++++++-------
 samples/drivers/crypto/prj_mtls_shim.conf | 2 +-
 west.yml | 2 +-
 4 files changed, 22 insertions(+), 18 deletions(-)
diff --git a/drivers/crypto/crypto_mtls_shim.c b/drivers/crypto/crypto_mtls_shim.c
index 720c557219a..0c14c74c8d5 100644
--- a/drivers/crypto/crypto_mtls_shim.c
+++ b/drivers/crypto/crypto_mtls_shim.c
@@ -21,7 +21,7 @@
 #endif /* CONFIG_MBEDTLS_CFG_FILE */
 #include
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 #include
 #endif
 #include
@@ -36,7 +36,7 @@ LOG_MODULE_REGISTER(mbedtls);
 struct mtls_shim_session {
 union {
 mbedtls_ccm_context mtls_ccm;
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 mbedtls_gcm_context mtls_gcm;
 #endif
 mbedtls_aes_context mtls_aes;
@@ -226,7 +226,7 @@ static int mtls_ccm_decrypt_auth(struct cipher_ctx *ctx,
 return 0;
 }
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 static int mtls_gcm_encrypt_auth(struct cipher_ctx *ctx, struct cipher_aead_pkt *apkt, u8_t *nonce)
@@ -284,7 +284,7 @@ static int mtls_gcm_decrypt_auth(struct cipher_ctx *ctx,
 return 0;
 }
-#endif /* CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED */
+#endif /* CONFIG_MBEDTLS_CIPHER_GCM_ENABLED */
 static int mtls_get_unused_session_index(void) {
@@ -306,7 +306,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 {
 mbedtls_aes_context *aes_ctx;
 mbedtls_ccm_context *ccm_ctx;
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 mbedtls_gcm_context *gcm_ctx;
 #endif
 int ctx_idx;
@@ -324,7 +324,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 if (mode != CRYPTO_CIPHER_MODE_CCM && mode != CRYPTO_CIPHER_MODE_CBC &&
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 mode != CRYPTO_CIPHER_MODE_GCM &&
 #endif
 mode != CRYPTO_CIPHER_MODE_ECB) {
@@ -400,7 +400,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 ctx->ops.ccm_crypt_hndlr = mtls_ccm_decrypt_auth;
 }
 break;
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 case CRYPTO_CIPHER_MODE_GCM:
 gcm_ctx = &mtls_sessions[ctx_idx].mtls_gcm;
 mbedtls_gcm_init(gcm_ctx);
@@ -418,7 +418,7 @@ static int mtls_session_setup(struct device *dev, struct cipher_ctx *ctx,
 ctx->ops.gcm_crypt_hndlr = mtls_gcm_decrypt_auth;
 }
 break;
-#endif /* CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED */
+#endif /* CONFIG_MBEDTLS_CIPHER_GCM_ENABLED */
 default:
 LOG_ERR("Unhandled mode");
 mtls_sessions[ctx_idx].in_use = false;
@@ -438,7 +438,7 @@ static int mtls_session_free(struct device *dev, struct cipher_ctx *ctx)
 if (mtls_session->mode == CRYPTO_CIPHER_MODE_CCM) {
 mbedtls_ccm_free(&mtls_session->mtls_ccm);
-#ifdef CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED
+#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
 } else if (mtls_session->mode == CRYPTO_CIPHER_MODE_GCM) {
 mbedtls_gcm_free(&mtls_session->mtls_gcm);
 #endif
diff --git a/modules/Kconfig.tls-generic b/modules/Kconfig.tls-generic
index 8d3187b3630..5602e4d0225 100644
--- a/modules/Kconfig.tls-generic
+++ b/modules/Kconfig.tls-generic
@@ -170,9 +170,10 @@ config MBEDTLS_CIPHER_ALL_ENABLED
 select MBEDTLS_CIPHER_CHACHA20_ENABLED
 select MBEDTLS_CIPHER_BLOWFISH_ENABLED
 select MBEDTLS_CIPHER_CCM_ENABLED
+ select MBEDTLS_CIPHER_GCM_ENABLED
 select MBEDTLS_CIPHER_MODE_XTS_ENABLED
- select MBEDTLS_CIPHER_MODE_GCM_ENABLED
- select MBEDTLS_CIPHER_CBC_ENABLED
+ select MBEDTLS_CIPHER_MODE_CBC_ENABLED
+ select MBEDTLS_CIPHER_MODE_CTR_ENABLED
 select MBEDTLS_CHACHAPOLY_AEAD_ENABLED
 config MBEDTLS_CIPHER_AES_ENABLED
@@ -204,18 +205,21 @@ config MBEDTLS_CIPHER_CCM_ENABLED
 bool "Enable the Counter with CBC-MAC (CCM) mode for 128-bit block cipher"
 depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
+config MBEDTLS_CIPHER_GCM_ENABLED
+ bool "Enable the Galois/Counter Mode (GCM) for AES"
+ depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
+
 config MBEDTLS_CIPHER_MODE_XTS_ENABLED
 bool "Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES"
 depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
-config MBEDTLS_CIPHER_MODE_GCM_ENABLED
- bool "Enable the Galois/Counter Mode (GCM) for AES"
- depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_CAMELLIA_ENABLED
-
-config MBEDTLS_CIPHER_CBC_ENABLED
+config MBEDTLS_CIPHER_MODE_CBC_ENABLED
 bool "Enable Cipher Block Chaining mode (CBC) for symmetric ciphers"
 default y if !NET_L2_OPENTHREAD
+config MBEDTLS_CIPHER_MODE_CTR_ENABLED
+ bool "Enable Counter Block Cipher mode (CTR) for symmetric ciphers."
+
 config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
 bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
 depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
diff --git a/samples/drivers/crypto/prj_mtls_shim.conf b/samples/drivers/crypto/prj_mtls_shim.conf
index 41939c99511..407faac094a 100644
--- a/samples/drivers/crypto/prj_mtls_shim.conf
+++ b/samples/drivers/crypto/prj_mtls_shim.conf
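Review bot: The old names `MBEDTLS_CIPHER_MODE_GCM_ENABLED` and `MBEDTLS_CIPHER_CBC_ENABLED` are removed in the second Kconfig hunk with no transitional alias, so an out-of-tree configuration that still sets them no longer enables GCM or CBC. Because the shim driver in this same patch gates its GCM paths with `#ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED`, a stale setting would compile the AEAD mode out rather than fail loudly, unless the build rejects assignments to undefined symbols (not visible from this patch). Consider keeping each old symbol for one release as a promptless deprecated option that selects the new one, or calling the rename out in the release notes. Separately, the new `MBEDTLS_CIPHER_MODE_CTR_ENABLED` entry has no `help` text; a line stating that CTR gives confidentiality only and needs a unique nonce/counter per key would steer users to CCM or GCM when integrity matters, and its prompt ends in a period unlike its siblings.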
@@ -5,7 +5,7 @@ CONFIG_MBEDTLS_BUILTIN=y
 CONFIG_MBEDTLS_CFG_FILE="config-tls-generic.h"
 CONFIG_MBEDTLS_HEAP_SIZE=512
 CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
-CONFIG_MBEDTLS_CIPHER_MODE_GCM_ENABLED=y
+CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
 CONFIG_MAIN_STACK_SIZE=4096
 CONFIG_CRYPTO=y
diff --git a/west.yml b/west.yml
index a5af608a19b..e2ae1d679d7 100644
--- a/west.yml
+++ b/west.yml
@@ -80,7 +80,7 @@ manifest:
 revision: 74fc2e753a997bd71cefa34dd9c56dcb954b42e2
 path: modules/lib/gui/lvgl
 - name: mbedtls
- revision: cf7020eb4c7ef93319f2d6d2403a21e12a879bf6
+ revision: 821154171b246f64eaeef3ccc267f58d8274739a
 path: modules/crypto/mbedtls
 - name: mcuboot
 revision: 5657d00e662adbd32addc8525862249b631334c5