Before mbedTLS 3.0 there was just SHA512 option, which enabled both SHA384
and SHA512 support. mbedTLS 3.0 introduced SHA384 specific option, which
means that SHA384 got unsupported after merging
commit 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0").
Introduce SHA384 Kconfig options, so that support for it can be selected in
project configuration if needed. Since SHA384 still depends on SHA512 to be
selected, add such dependency in Kconfig.
Select SHA384 support in non-generic (not configured by Kconfig) mbedTLS
config headers, so that previous (before mbedTLS 3.0 was merged) behavior
is regained.
Fixes: 4e6cfb67f9 ("modules: mbedTLS: Bump mbedTLS to 3.0")
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
In order to bring consistency in-tree, migrate all modules code to the
new prefix <zephyr/...>. Note that the conversion has been scripted,
refer to zephyrproject-rtos#45388 for more details.
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
Add Kconfig configuration options which allow to configure
session caching in mbed TLS.
Note, that mbed TLS only takes care of server-side caching, the
application (socket layer) needs to implement a session storage for
client.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
According to Kconfig guidelines, boolean prompts must not start with
"Enable...". The following command has been used to automate the changes
in this patch:
sed -i "s/bool \"[Ee]nables\? \(\w\)/bool \"\U\1/g" **/Kconfig*
Signed-off-by: Gerard Marull-Paretas <gerard.marull@nordicsemi.no>
MBEDTLS_ECP_MAX_BITS is now set automatically by mbed TLS, redefining it
in the config file ends up in compilation warnings.
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
So far maximum PSK length was configured by mbedTLS as 32 bytes.
Introduce Kconfig option that will configure it instead of relying on
default value from mbedTLS library, so that user can easily adjust that
value to application needs.
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Use the Mbed TLS module, expecting the upstream directory layout rather
than the nested directory we've been using before.
Signed-off-by: David Brown <david.brown@linaro.org>
Mbed TLS 3.0 changes the configuration defines used to determine the
buffer size used for TLS. We were still setting the old one, which was
causing Mbed TLS to revert back to the large default buffer size. Set
both the in and out buffer sizes to match the config setting. A future
improvement may be to separate this into two configurations within the
Zephyr config.
Signed-off-by: David Brown <david.brown@linaro.org>
-The current scheme in zephyr has the two choices MBEDTLS_BUILTIN
and MBEDTLS_LIBRARY, but the choice of MBEDTLS_LIBRARY requires
setting CONFIG_MBEDTLS_INSTALL_PATH for includes and library linking.
This may not be neccesary when an alternative implementation of the
library is being used. This adds support for custom choices in
MBEDTLS_IMPLEMENTATION which can be added in an out-of-tree Kconfig
file.
-Made else an elseif(CONFIG_MBEDTLS_LIBRARY.
-Removed reduntant assertion between the two choices.
Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
Currently the MBEDTLS_HAVE_TIME_DATE mbedTLS option is enabled based on
the CONFIG_POSIX_API option. This doesn't seem right, since the enabling
the POSIX API does not guarantee that there is a valid time source in
the system. This was the case for the qemu_x86 platform, where enabling
POSIX_API caused TLS handshake failures due to certificate validation
errors caused by no valid time avaialble in the system.
Fix this by adding a specific KConfig entry for date/time configuration
in mbedTLS. Applications that need to enforce date verification in
mbedTLS should enable it explicitly instead of relying on the
non-obvious implicit configuration.
Fixes#35401
Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Now using CONFIG_MBEDTLS_USER_CONFIG_FILE instead of
CONFIG_MBEDTLS_USER_CONFIG_ENABLE for inclusion of user config file.
The Kconfig MBEDTLS_USER_CONFIG_ENABLE setting now now determines if
MBEDTLS_USER_CONFIG_FILE is visible.
This removes the problem of MBEDTLS_USER_CONFIG_FILE to be stuck on its
first value.
Users can use MBEDTLS_USER_CONFIG_ENABLE to get the prompt and define
their own value.
As the CONFIG_MBEDTLS_USER_CONFIG_FILE is default promptless then we can
use this setting directly as it will only be defined if another Kconfig
file specifies a default value to use, or user enables:
MBEDTLS_USER_CONFIG_ENABLE.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Introducing MBEDTLS_PROMPTLESS and CUSTOM_MBEDTLS_CFG_FILE settings.
The MBEDTLS_PROMPTLESS can be set to true whenever configuration of
mbedTLS is done from a subsystem or module.
Such an example is OpenThread, which selects mbedTLS for some predefined
crypto settings using OPENTHREAD_MBEDTLS=y.
Unfortunately, extensive use of select can easily cause stuck symbol
syndrome making it harder than neccesarry for users to later reconfigure
as they easily get stuck in incompatible configurations.
Providing a MBEDTLS_PROMPTLESS allows such configurations to disable the
MBEDTLS prompt itself when selected but avoid stuck symbol if user
select another security configuration.
Similar with CUSTOM_MBEDTLS_CFG_FILE which ensures that user must
explicitly select this symbol before providing a custom mbedTLS config
file.
Today, other parts the Kconfig tree may set a default value for
MBEDTLS_CFG_FILE but that value is stuck and thus changed Kconfig
selections elsewhere in the tree will not adjust the value.
Introducing CUSTOM_MBEDTLS_CFG_FILE ensures it is known when the user
has provided the value.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This commit removes the prompt from MBEDTLS_USER_CONFIG_FILE unless
MBEDTLS_USER_CONFIG_ENABLE is true.
This fixes issues where other parts would specify a default value for
MBEDTLS_USER_CONFIG_FILE that would become stuck and not updated if
user re-configured the system using menuconfig.
Disabling the prompt ensures that only when a user specifically enables
MBEDTLS_USER_CONFIG_ENABLE and specify a custom user value in
MBEDTLS_USER_CONFIG_FILE the setting will be fixed.
Also updates the manifest with related change in the mbedtls project.
Signed-off-by: Torsten Rasmussen <Torsten.Rasmussen@nordicsemi.no>
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
This Mbed TLS configuration option was being selected based on a
non-existent Kconfig option, and hence would never be defined. v2.1 of
PKCS1 was published in 2003. Use of v1.5 has been deprecated since
2016, and should not be used in new or existing designs.
Enable the v2.1 version in any situation where RSA is used for
signatures. In the future, we should disable v1.5 entirely, but only
after all uses have been determined and possibly corrected.
No significant weaknesses have been found in v1.5, however v2.1 has a
significant security proof. However, v2.1 does require an entropy
source, which may be an issue in some embedded device situations (which
likely are problematic for other cryptographic reasons).
Signed-off-by: David Brown <david.brown@linaro.org>
Updates in CMakeLists.txt to reflect the restructuring
in the module directory. This also bumps mbetls version
to 2.26.0.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
We move the Zephyr-specific CMakeLists.txt file into
the main Zephyr tree. We also move the zephyr_init.c
source file.
Signed-off-by: Ioannis Glaropoulos <Ioannis.Glaropoulos@nordicsemi.no>
Marcin Niestroj