This is a follow-up to commit c7327f5f70.
Wrap implementation of the `mbedtls_hardware_poll()` function in
`#if defined(CONFIG_MBEDTLS_ZEPHYR_ENTROPY)` so that the function
is provided only when that option is activated.
Signed-off-by: Andrzej Głąbek <andrzej.glabek@nordicsemi.no>
Instead of using "select" on certain EC configurations, which is
considered unsafe for various reasons, use a "depends on" and rely on
the user to set a proper configuration in the config file.
Update the respective project configurations to comply with the new
configuration scheme.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Debug log messages generated by mbedTLS library contain newline at the end
of log string. Remove this newline, if it exists, so that log output is
much more user friendly.
Add a dedicated Kconfig option for that, so it can be disabled on request.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far LOG_DBG() was used inside debug hook for mbedTLS library. This meant
that it was hard to distinct log messages by simply looking at the log
level number, even though Zephyr logging subsystem supports colorful logs
depending on log level.
Choose an appropriate Zephyr LOG_*() macro based on log level coming from
mbedTLS library. Remove log level number from formatted log messages, as it
is now redundant.
One controversial thing about this change is that mbedTLS' "2 State change"
log level is mapped to Zephyr's "warning" log level. Those are not really
warnings in real life, but rather informational messages. However, using
"warning" log level for those allows to clearly distinguish between "2
State change" and "3 Informational" debug messages from mbedTLS.
Additionally, mbedTLS debug message implementation does not seem to be safe
to use in production, so keeping in mind MBEDTLS_DEBUG will be enabled just
during debugging phase, printing "2 State change" logs as warnings should
not be a big deal.
Set default MBEDTLS_DEBUG_LEVEL value depending on selected Zephyr logging
module level, so that only single option needs to be configured in
application project.
Remove prompt for MBEDTLS_DEBUG_LEVEL, so that interactively (e.g. via
menuconfig) adjusting MBEDTLS_LOG_LEVEL will always result in automatically
updating MBEDTLS_DEBUG_LEVEL option. This is to prevent so called "stuck
symbol syndrome".
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far there was a runtime basename extraction of filenames passed to
mbedTLS debug hook. This has both runtime penalty as well as code size
penalty.
Introduce a buildtime support of extracting basename of source filenames
logged using logging subsystem, so that there is no need to do it at
runtime.
Provide Kconfig options for both buildtime and runtime basename extraction,
as in some cases the buildtime basename extraction might not work,
depending on toolchain used for building Zephyr. Default to buildtime when
using Zephyr SDK, as that is proven to work. Use runtime basename
extraction in other cases (other toolchains used).
This saves approximately 204 bytes of code footprint for sample
application with native TLS sockets built for nRF52840.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
mbedTLS library threshold initialization was done in native TLS socket
implementation (which tends to use mbedTLS now) and inside mbedTLS
benchmark test. Move that to mbedTLS module initialization, as this is a
global setting.
Update description of CONFIG_MBEDTLS_DEBUG_LEVEL to clarify when
mbedtls_debug_set_threshold() is called.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
So far there was a debug log hook installed in TLS socket implementation.
However, mbedTLS (with debug enabled) might be used outside from TLS socket
and even outside from networking context.
Add new module, which implements debug log hook and makes it available
whenever CONFIG_MBEDTLS_DEBUG is enabled.
Note that debug hook needs to be installed for each mbedTLS context
separately, which means that this requires action from mbedTLS users, such
as TLS sockets implementation.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Add module specific compiler flags to suppress reporting unused
variables and unused functions in mbedtls building.
Signed-off-by: Eugene Cohen <quic_egmc@quicinc.com>
Signed-off-by: Dave Aldridge <quic_daldridg@quicinc.com>
Instead of relying on selected ciphesuite to enable mbed TLS EC configs,
add separate config entries to enable them. This allows to use EC
functionality w/o TLS/DTLS enabled.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
psa_crypto_cipher.c includes an internal header with <>, causing
complication errors in Zephyr (header not found).
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to mbedTLS' Changelog "Mbed TLS 3.0.0 branch released
2021-07-07" -> "Removals":
MBEDTLS_ECP_MAX_BITS is no longer a configuration option because it
is now determined automatically based on supported curves.
Hence remove MBEDTLS_ECP_MAX_BITS from configuration files to fix build
issues with Zephyr when there is unfortunate order of include
statements.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Before mbedTLS 3.0 there was just SHA512 option, which enabled both SHA384
and SHA512 support. mbedTLS 3.0 introduced SHA384 specific option, which
means that SHA384 got unsupported after merging
commit 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0").
Introduce SHA384 Kconfig options, so that support for it can be selected in
project configuration if needed. Since SHA384 still depends on SHA512 to be
selected, add such dependency in Kconfig.
Select SHA384 support in non-generic (not configured by Kconfig) mbedTLS
config headers, so that previous (before mbedTLS 3.0 was merged) behavior
is regained.
Fixes: 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
In order to bring consistency in-tree, migrate all modules code to the
new prefix <zephyr/...>. Note that the conversion has been scripted,
refer to zephyrproject-rtos#45388 for more details.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Add Kconfig configuration options which allow to configure
session caching in mbed TLS.
Note, that mbed TLS only takes care of server-side caching, the
application (socket layer) needs to implement a session storage for
client.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to Kconfig guidelines, boolean prompts must not start with
"Enable...". The following command has been used to automate the changes
in this patch:
sed -i "s/bool \"[Ee]nables\? \(\w\)/bool \"\U\1/g" **/Kconfig*
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
MBEDTLS_ECP_MAX_BITS is now set automatically by mbed TLS, redefining it
in the config file ends up in compilation warnings.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
So far maximum PSK length was configured by mbedTLS as 32 bytes.
Introduce Kconfig option that will configure it instead of relying on
default value from mbedTLS library, so that user can easily adjust that
value to application needs.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Use the Mbed TLS module, expecting the upstream directory layout rather
than the nested directory we've been using before.
Signed-off-by: David Brown <david.brown@linaro.org>
Mbed TLS 3.0 changes the configuration defines used to determine the
buffer size used for TLS. We were still setting the old one, which was
causing Mbed TLS to revert back to the large default buffer size. Set
both the in and out buffer sizes to match the config setting. A future
improvement may be to separate this into two configurations within the
Zephyr config.
Signed-off-by: David Brown <david.brown@linaro.org>
-The current scheme in zephyr has the two choices MBEDTLS_BUILTIN
and MBEDTLS_LIBRARY, but the choice of MBEDTLS_LIBRARY requires
setting CONFIG_MBEDTLS_INSTALL_PATH for includes and library linking.
This may not be neccesary when an alternative implementation of the
library is being used. This adds support for custom choices in
MBEDTLS_IMPLEMENTATION which can be added in an out-of-tree Kconfig
file.
-Made else an elseif(CONFIG_MBEDTLS_LIBRARY.
-Removed reduntant assertion between the two choices.
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Currently the MBEDTLS_HAVE_TIME_DATE mbedTLS option is enabled based on
the CONFIG_POSIX_API option. This doesn't seem right, since the enabling
the POSIX API does not guarantee that there is a valid time source in
the system. This was the case for the qemu_x86 platform, where enabling
POSIX_API caused TLS handshake failures due to certificate validation
errors caused by no valid time avaialble in the system.
Fix this by adding a specific KConfig entry for date/time configuration
in mbedTLS. Applications that need to enforce date verification in
mbedTLS should enable it explicitly instead of relying on the
non-obvious implicit configuration.
Fixes#35401
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Now using CONFIG_MBEDTLS_USER_CONFIG_FILE instead of
CONFIG_MBEDTLS_USER_CONFIG_ENABLE for inclusion of user config file.
The Kconfig MBEDTLS_USER_CONFIG_ENABLE setting now now determines if
MBEDTLS_USER_CONFIG_FILE is visible.
This removes the problem of MBEDTLS_USER_CONFIG_FILE to be stuck on its
first value.
Users can use MBEDTLS_USER_CONFIG_ENABLE to get the prompt and define
their own value.
As the CONFIG_MBEDTLS_USER_CONFIG_FILE is default promptless then we can
use this setting directly as it will only be defined if another Kconfig
file specifies a default value to use, or user enables:
MBEDTLS_USER_CONFIG_ENABLE.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Introducing MBEDTLS_PROMPTLESS and CUSTOM_MBEDTLS_CFG_FILE settings.
The MBEDTLS_PROMPTLESS can be set to true whenever configuration of
mbedTLS is done from a subsystem or module.
Such an example is OpenThread, which selects mbedTLS for some predefined
crypto settings using OPENTHREAD_MBEDTLS=y.
Unfortunately, extensive use of select can easily cause stuck symbol
syndrome making it harder than neccesarry for users to later reconfigure
as they easily get stuck in incompatible configurations.
Providing a MBEDTLS_PROMPTLESS allows such configurations to disable the
MBEDTLS prompt itself when selected but avoid stuck symbol if user
select another security configuration.
Similar with CUSTOM_MBEDTLS_CFG_FILE which ensures that user must
explicitly select this symbol before providing a custom mbedTLS config
file.
Today, other parts the Kconfig tree may set a default value for
MBEDTLS_CFG_FILE but that value is stuck and thus changed Kconfig
selections elsewhere in the tree will not adjust the value.
Introducing CUSTOM_MBEDTLS_CFG_FILE ensures it is known when the user
has provided the value.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the prompt from MBEDTLS_USER_CONFIG_FILE unless
MBEDTLS_USER_CONFIG_ENABLE is true.
This fixes issues where other parts would specify a default value for
MBEDTLS_USER_CONFIG_FILE that would become stuck and not updated if
user re-configured the system using menuconfig.
Disabling the prompt ensures that only when a user specifically enables
MBEDTLS_USER_CONFIG_ENABLE and specify a custom user value in
MBEDTLS_USER_CONFIG_FILE the setting will be fixed.
Also updates the manifest with related change in the mbedtls project.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This Mbed TLS configuration option was being selected based on a
non-existent Kconfig option, and hence would never be defined. v2.1 of
PKCS1 was published in 2003. Use of v1.5 has been deprecated since
2016, and should not be used in new or existing designs.
Enable the v2.1 version in any situation where RSA is used for
signatures. In the future, we should disable v1.5 entirely, but only
after all uses have been determined and possibly corrected.
No significant weaknesses have been found in v1.5, however v2.1 has a
significant security proof. However, v2.1 does require an entropy
source, which may be an issue in some embedded device situations (which
likely are problematic for other cryptographic reasons).
Signed-off-by: David Brown <david.brown@linaro.org>
Updates in CMakeLists.txt to reflect the restructuring
in the module directory. This also bumps mbetls version
to 2.26.0.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We move the Zephyr-specific CMakeLists.txt file into
the main Zephyr tree. We also move the zephyr_init.c
source file.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
