feat: migrates mbedtls to PSA APIs

Ashish Sharma
2025-12-23 10:47:08 +08:00
committed by Mahavir Jain
parent c4dafbe27f
commit 7310184949
7 changed files with 289 additions and 339 deletions
+268 -79
@@ -28,7 +28,13 @@ if(NOT ${IDF_TARGET} STREQUAL "linux")
endif()
set(mbedtls_srcs "")
set(mbedtls_include_dirs "port/include" "mbedtls/include" "mbedtls/library")
set(mbedtls_include_dirs
"port/include"
"mbedtls/include"
"mbedtls/library"
"mbedtls/tf-psa-crypto/core"
"mbedtls/tf-psa-crypto/drivers/builtin/src/"
)
if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
list(APPEND mbedtls_include_dirs "port/mbedtls_rom")
@@ -39,12 +45,17 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
list(APPEND mbedtls_include_dirs "esp_crt_bundle/include")
endif()
list(APPEND mbedtls_include_dirs "${COMPONENT_DIR}/port/psa_driver/include")
idf_component_register(SRCS "${mbedtls_srcs}"
INCLUDE_DIRS "${mbedtls_include_dirs}"
PRIV_REQUIRES "${priv_requires}"
REQUIRES "${requires}"
)
# Add MBEDTLS_MAJOR_VERSION definition to the component library
target_compile_definitions(${COMPONENT_LIB} INTERFACE MBEDTLS_MAJOR_VERSION=4)
# Determine the type of mbedtls component library
if(mbedtls_srcs STREQUAL "")
# For no sources in component library we must use "INTERFACE"
@@ -130,6 +141,8 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE)
list(APPEND include_dirs "${COMPONENT_DIR}/esp_crt_bundle/include")
endif()
list(APPEND include_dirs "${COMPONENT_DIR}/port/psa_driver/include")
include_directories(${include_dirs})
# Needed to for mbedtls_rom includes to work from within mbedtls
@@ -137,6 +150,13 @@ if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
include_directories("${COMPONENT_DIR}/port/mbedtls_rom")
endif()
# Set TF_PSA_CRYPTO_CONFIG_FILE before processing subdirectories to prevent override
set(
TF_PSA_CRYPTO_USER_CONFIG_FILE "mbedtls/esp_config.h"
CACHE STRING "Path to the PSA Crypto configuration file"
FORCE
)
# Import mbedtls library targets
add_subdirectory(mbedtls)
@@ -146,21 +166,49 @@ list(REMOVE_ITEM src_tls net_sockets.c)
set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls})
if(CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1)
get_target_property(src_tls mbedtls SOURCES)
list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c)
set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls})
get_target_property(src_tls mbedtls SOURCES)
list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c)
set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls})
get_target_property(src_crypto mbedcrypto SOURCES)
list(REMOVE_ITEM src_crypto cipher_wrap.c ecdsa.c ecp.c ecp_curves.c oid.c pk_wrap.c)
set_property(TARGET mbedcrypto PROPERTY SOURCES ${src_crypto})
message(STATUS "Setting up mbedtls")
get_target_property(src_x509 mbedx509 SOURCES)
list(REMOVE_ITEM src_x509 x509_crt.c)
set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509})
# list(REMOVE_ITEM src_crypto sha512.c)
# list(REMOVE_ITEM src_crypto cipher_wrap.c ecdsa.c ecp.c ecp_curves.c oid.c pk_wrap.c)
# set_property(TARGET tfpsacrypto PROPERTY SOURCES ${src_crypto})
get_target_property(src_builtin builtin SOURCES)
message(STATUS "src_builtin: ${src_builtin}")
get_target_property(src_x509 mbedx509 SOURCES)
list(REMOVE_ITEM src_x509 x509_crt.c)
set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509})
endif()
# Core libraries from the mbedTLS project
set(mbedtls_targets mbedtls mbedcrypto mbedx509)
set(mbedtls_targets mbedtls mbedx509 tfpsacrypto builtin)
target_include_directories(tfpsacrypto PUBLIC "port/include")
target_include_directories(tfpsacrypto PRIVATE "port/psa_crypto_storage/include")
if(CONFIG_MBEDTLS_HARDWARE_SHA OR CONFIG_MBEDTLS_HARDWARE_AES)
target_include_directories(tfpsacrypto PUBLIC "${COMPONENT_DIR}/port/psa_driver/include")
endif()
message(STATUS "Setting up mbedtls configuration")
foreach(target ${mbedtls_targets})
target_compile_definitions(${target} PUBLIC -DMBEDTLS_CONFIG_FILE="mbedtls/esp_config.h")
set_config_files_compile_definitions(${target})
target_compile_definitions(${target} PUBLIC MBEDTLS_MAJOR_VERSION=4)
if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") # TODO IDF-10087
target_compile_options(${target} PRIVATE "-fno-analyzer")
endif()
if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE)
target_compile_options(${target} PRIVATE "-Os")
elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_PERF)
target_compile_options(${target} PRIVATE "-O2")
endif()
endforeach()
# 3rd party libraries from the mbedTLS project
list(APPEND mbedtls_targets everest p256m)
@@ -169,10 +217,33 @@ set(mbedtls_target_sources "${COMPONENT_DIR}/port/mbedtls_debug.c"
if(CONFIG_MBEDTLS_VER_4_X_SUPPORT)
list(APPEND mbedtls_target_sources "${COMPONENT_DIR}/port/esp_psa_crypto_init.c")
# Add ESP-IDF NVS-based PSA ITS implementation
# Only compile esp_psa_its.c if nvs_flash component is available
if(NOT ${IDF_TARGET} STREQUAL "linux")
if(IDF_BUILD_V2)
# For v2: conditionally compile source and link only if nvs_flash target exists
target_sources(
tfpsacrypto PRIVATE
"$<$<TARGET_EXISTS:idf::nvs_flash>:${COMPONENT_DIR}/port/psa_crypto_storage/esp_psa_its.c>"
)
target_link_libraries(tfpsacrypto PRIVATE "$<$<TARGET_EXISTS:idf::nvs_flash>:idf::nvs_flash>")
# Define compile definition to indicate ESP-IDF PSA ITS implementation is available
target_compile_definitions(tfpsacrypto PRIVATE "$<$<TARGET_EXISTS:idf::nvs_flash>:ESP_PSA_ITS_AVAILABLE>")
else()
# For v1: check if component is in build before adding source and linking
idf_build_get_property(build_components BUILD_COMPONENTS)
if(nvs_flash IN_LIST build_components)
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/psa_crypto_storage/esp_psa_its.c")
idf_component_get_property(nvs_flash_lib nvs_flash COMPONENT_LIB)
target_link_libraries(tfpsacrypto PRIVATE ${nvs_flash_lib})
target_compile_definitions(tfpsacrypto PRIVATE ESP_PSA_ITS_AVAILABLE)
endif()
endif()
endif()
endif()
if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
set(mbedtls_target_sources ${mbedtls_target_sources}
set(mbedtls_target_sources ${mbedtls_target_sources}
"${COMPONENT_DIR}/port/dynamic/esp_mbedtls_dynamic_impl.c"
"${COMPONENT_DIR}/port/dynamic/esp_ssl_cli.c"
"${COMPONENT_DIR}/port/dynamic/esp_ssl_srv.c"
@@ -180,13 +251,13 @@ set(mbedtls_target_sources ${mbedtls_target_sources}
endif()
if(${IDF_TARGET} STREQUAL "linux")
set(mbedtls_target_sources ${mbedtls_target_sources} "${COMPONENT_DIR}/port/net_sockets.c")
set(mbedtls_target_sources ${mbedtls_target_sources} "${COMPONENT_DIR}/port/net_sockets.c")
endif()
# While updating to MbedTLS release/v3.4.0, building mbedtls/library/psa_crypto.c
# clang produces an unreachable-code warning.
if(CMAKE_C_COMPILER_ID MATCHES "Clang")
target_compile_options(mbedcrypto PRIVATE "-Wno-unreachable-code")
target_compile_options(tfpsacrypto PRIVATE "-Wno-unreachable-code")
endif()
# net_sockets.c should only be compiled if BSD socket functions are available.
@@ -206,7 +277,8 @@ endif()
target_sources(mbedtls PRIVATE ${mbedtls_target_sources})
if(NOT ${IDF_TARGET} STREQUAL "linux")
target_link_libraries(mbedcrypto PRIVATE idf::esp_security)
target_link_libraries(tfpsacrypto PRIVATE idf::esp_security)
target_link_libraries(builtin PRIVATE idf::esp_security)
endif()
# Choose peripheral type
@@ -219,18 +291,25 @@ if(CONFIG_SOC_SHA_SUPPORTED)
endif()
endif()
if(SHA_PERIPHERAL_TYPE STREQUAL "core")
target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include")
if(CONFIG_SOC_AES_SUPPORTED)
if(CONFIG_SOC_AES_SUPPORT_DMA)
set(AES_PERIPHERAL_TYPE "dma")
else()
set(AES_PERIPHERAL_TYPE "block")
endif()
endif()
if(SHA_PERIPHERAL_TYPE STREQUAL "core")
target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include")
if(CONFIG_SOC_SHA_GDMA)
set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_gdma_impl.c")
elseif(CONFIG_SOC_SHA_CRYPTO_DMA)
set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_crypto_dma_impl.c")
endif()
target_sources(mbedcrypto PRIVATE "${SHA_CORE_SRCS}")
target_sources(tfpsacrypto PRIVATE "${SHA_CORE_SRCS}")
endif()
if(CONFIG_SOC_AES_SUPPORT_DMA)
if(AES_PERIPHERAL_TYPE STREQUAL "dma")
if(NOT CONFIG_SOC_AES_GDMA)
set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_crypto_dma_impl.c")
else()
@@ -239,47 +318,66 @@ if(CONFIG_SOC_AES_SUPPORT_DMA)
list(APPEND AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include")
target_sources(mbedcrypto PRIVATE "${AES_DMA_SRCS}")
target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include")
target_sources(tfpsacrypto PRIVATE "${AES_DMA_SRCS}")
endif()
if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR CONFIG_SOC_AES_SUPPORT_DMA)
target_link_libraries(mbedcrypto PRIVATE idf::esp_mm)
if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR AES_PERIPHERAL_TYPE STREQUAL "dma")
target_link_libraries(tfpsacrypto PRIVATE idf::esp_mm)
target_link_libraries(builtin PRIVATE idf::esp_mm)
if(CONFIG_SOC_SHA_GDMA OR CONFIG_SOC_AES_GDMA)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c")
if(CONFIG_SOC_AXI_DMA_EXT_MEM_ENC_ALIGNMENT)
target_link_libraries(tfpsacrypto PRIVATE idf::bootloader_support)
target_link_libraries(builtin PRIVATE idf::bootloader_support)
endif()
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c")
endif()
endif()
if(NOT ${IDF_TARGET} STREQUAL "linux")
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c")
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c")
endif()
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c"
"${COMPONENT_DIR}/port/esp_timing.c"
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c"
# "${COMPONENT_DIR}/port/esp_timing.c"
)
if(CONFIG_SOC_AES_SUPPORTED)
target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/include")
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c"
target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/aes/include")
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c"
"${COMPONENT_DIR}/port/aes/esp_aes_common.c"
"${COMPONENT_DIR}/port/aes/esp_aes.c"
)
endif()
if(CONFIG_SOC_SHA_SUPPORTED)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/esp_sha.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c"
if(CONFIG_MBEDTLS_HARDWARE_SHA)
target_compile_definitions(tfpsacrypto PRIVATE ESP_SHA_DRIVER_ENABLED)
target_sources(tfpsacrypto PRIVATE
"${COMPONENT_DIR}/port/psa_driver/esp_sha/psa_crypto_driver_esp_sha.c"
"${COMPONENT_DIR}/port/psa_driver/esp_sha/${SHA_PERIPHERAL_TYPE}/psa_crypto_driver_esp_sha256.c"
"${COMPONENT_DIR}/port/psa_driver/esp_sha/${SHA_PERIPHERAL_TYPE}/psa_crypto_driver_esp_sha512.c"
"${COMPONENT_DIR}/port/sha/esp_sha.c")
endif()
target_sources(tfpsacrypto PRIVATE
"${COMPONENT_DIR}/port/psa_driver/esp_sha/${SHA_PERIPHERAL_TYPE}/psa_crypto_driver_esp_sha1.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c"
)
endif()
if(CONFIG_SOC_DIG_SIGN_SUPPORTED)
target_sources(mbedcrypto PRIVATE
target_sources(tfpsacrypto PRIVATE
"${COMPONENT_DIR}/port/esp_ds/esp_rsa_sign_alt.c"
"${COMPONENT_DIR}/port/esp_ds/esp_rsa_dec_alt.c"
"${COMPONENT_DIR}/port/esp_ds/esp_ds_common.c")
endif()
# # CONFIG_ESP_TLS_USE_DS_PERIPHERAL can be enabled only for the supported targets.
if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_ds/esp_rsa_sign_alt.c")
endif()
if(CONFIG_SOC_HMAC_SUPPORTED)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c")
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c")
endif()
# Note: some mbedTLS hardware acceleration can be enabled/disabled by config.
@@ -290,28 +388,36 @@ endif()
# The other port-specific files don't override internal mbedTLS functions, they just add new functions.
if(CONFIG_MBEDTLS_HARDWARE_MPI)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c"
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c"
"${COMPONENT_DIR}/port/bignum/bignum_alt.c")
endif()
if(CONFIG_MBEDTLS_HARDWARE_SHA)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha1.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha256.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha512.c"
)
endif()
if(CONFIG_MBEDTLS_HARDWARE_GCM OR CONFIG_MBEDTLS_HARDWARE_AES)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
target_compile_definitions(tfpsacrypto PRIVATE ESP_AES_DRIVER_ENABLED)
target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/include/aes")
target_sources(tfpsacrypto PRIVATE
"${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes.c"
)
if(CONFIG_MBEDTLS_HARDWARE_SHA)
target_sources(tfpsacrypto PRIVATE
"${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_cmac.c"
)
endif()
if(CONFIG_SOC_AES_SUPPORT_GCM)
target_sources(tfpsacrypto PRIVATE "$ENV{IDF_PATH}/components/mbedtls/port/aes/esp_aes_gcm.c"
"${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes_gcm.c")
endif()
endif()
if(CONFIG_MBEDTLS_HARDWARE_ECC)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c"
target_sources(builtin PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c"
"${COMPONENT_DIR}/port/ecc/ecc_alt.c")
include_directories("${COMPONENT_DIR}/tf-psa-crypto/drivers/builtin/include/mbedtls")
endif()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c")
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR
CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
target_sources(builtin PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c")
set(WRAP_FUNCTIONS_SIGN
mbedtls_ecdsa_sign
@@ -343,35 +449,37 @@ if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR
endif()
if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage)
target_link_libraries(builtin PRIVATE idf::tee_sec_storage)
endif()
endif()
if(CONFIG_MBEDTLS_ROM_MD5)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c")
# if(CONFIG_MBEDTLS_ROM_MD5)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c")
# endif()
# if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c")
# target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init")
# endif()
if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU")
target_compile_options(${COMPONENT_LIB} PRIVATE "-fno-analyzer")
target_compile_options(tfpsacrypto PRIVATE "-fno-analyzer")
endif()
if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c")
target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init")
# If linkage_type is PUBLIC, use PRIVATE while setting compiler optimization flags
# as we don't want the optimization flags to modify other targets
if(linkage_type STREQUAL "PUBLIC")
set(compiler_linkage_type PRIVATE)
else()
set(compiler_linkage_type ${linkage_type})
endif()
foreach(target ${mbedtls_targets})
target_compile_definitions(${target} PUBLIC -DMBEDTLS_CONFIG_FILE="mbedtls/esp_config.h")
if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") # TODO IDF-10087
target_compile_options(${target} PRIVATE "-fno-analyzer")
endif()
if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE)
target_compile_options(${target} PRIVATE "-Os")
elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_PERF)
target_compile_options(${target} PRIVATE "-O2")
endif()
endforeach()
if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE)
target_compile_options(${COMPONENT_LIB} PRIVATE "-Os")
message(STATUS "Linkage type is ${linkage_type}")
target_compile_options(${COMPONENT_LIB} ${compiler_linkage_type} "-Os")
elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_PERF)
target_compile_options(${COMPONENT_LIB} PRIVATE "-O2")
target_compile_options(${COMPONENT_LIB} ${compiler_linkage_type} "-O2")
endif()
if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
@@ -392,40 +500,121 @@ if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
endforeach()
endif()
set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)
# set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)
if(CONFIG_PM_ENABLE)
target_link_libraries(mbedcrypto PRIVATE idf::esp_pm)
target_link_libraries(tfpsacrypto PRIVATE idf::esp_pm)
endif()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
target_link_libraries(mbedcrypto PRIVATE idf::efuse)
target_link_libraries(builtin PRIVATE idf::efuse)
endif()
target_link_libraries(${COMPONENT_LIB} ${linkage_type} ${mbedtls_targets})
# Ensure PSA crypto initialization is included in the build
target_link_libraries(${COMPONENT_LIB} ${linkage_type} "-u mbedtls_psa_crypto_init_include_impl")
if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
# The linker seems to be unable to resolve all the dependencies without increasing this
set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6)
if(NOT ${IDF_TARGET} STREQUAL "linux")
target_link_libraries(${COMPONENT_LIB} ${linkage_type} "-u mbedtls_psa_crypto_init_include_impl")
endif()
# Additional optional dependencies for the mbedcrypto library
function(mbedcrypto_optional_deps component_name)
function(builtin_optional_deps component_name)
idf_build_get_property(components BUILD_COMPONENTS)
if(${component_name} IN_LIST components)
idf_component_get_property(lib_name ${component_name} COMPONENT_LIB)
target_link_libraries(mbedcrypto PRIVATE ${lib_name})
target_link_libraries(builtin PRIVATE ${lib_name})
endif()
endfunction()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM)
mbedcrypto_optional_deps(esp_timer idf::esp_timer)
builtin_optional_deps(esp_timer idf::esp_timer)
endif()
# Link esp-cryptoauthlib to mbedtls
if(CONFIG_ATCA_MBEDTLS_ECDSA)
mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib)
# # Link esp-cryptoauthlib to mbedtls
# if(CONFIG_ATCA_MBEDTLS_ECDSA)
# mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib)
# endif()
# Apply -fno-analyzer to ALL mbedTLS targets at the very end when all targets are created
if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU")
message(STATUS "Applying -fno-analyzer to all mbedTLS targets...")
# Get all targets from all directories
get_property(
all_mbedtls_targets DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls PROPERTY BUILDSYSTEM_TARGETS
)
get_property(
drivers_targets DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls/tf-psa-crypto/drivers PROPERTY BUILDSYSTEM_TARGETS
)
message(STATUS "Found mbedtls targets: ${all_mbedtls_targets}")
message(STATUS "Found drivers targets: ${drivers_targets}")
# Get targets from nested driver subdirectories
foreach(subdir IN ITEMS builtin everest p256-m)
if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls/tf-psa-crypto/drivers/${subdir})
get_property(
subdir_targets DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls/tf-psa-crypto/drivers/${subdir}
PROPERTY BUILDSYSTEM_TARGETS
)
message(STATUS "Found ${subdir} targets: ${subdir_targets}")
list(APPEND drivers_targets ${subdir_targets})
endif()
endforeach()
# Combine all target lists
set(all_targets ${all_mbedtls_targets} ${drivers_targets})
message(STATUS "All combined targets: ${all_targets}")
# Apply -fno-analyzer to each target
foreach(target ${all_targets})
if(TARGET ${target})
get_target_property(target_type ${target} TYPE)
if(target_type STREQUAL "STATIC_LIBRARY" OR
target_type STREQUAL "SHARED_LIBRARY" OR
target_type STREQUAL "MODULE_LIBRARY" OR
target_type STREQUAL "OBJECT_LIBRARY" OR
target_type STREQUAL "EXECUTABLE")
message(STATUS "Applying -fno-analyzer to target: ${target}")
target_compile_options(${target} PRIVATE "-fno-analyzer")
endif()
endif()
endforeach()
# Also check for any targets that might have been missed by using global target list
get_property(global_targets GLOBAL PROPERTY TARGETS)
set(mbedtls_global_targets "")
foreach(target ${global_targets})
if(TARGET ${target})
get_target_property(target_source_dir ${target} SOURCE_DIR)
if(target_source_dir)
# Check if target is from mbedtls directory or has mbedtls-related names
string(FIND "${target_source_dir}" "mbedtls" pos)
string(FIND "${target}" "mbedtls" name_pos)
string(FIND "${target}" "tfpsacrypto" tfpsa_pos)
# string(FIND "${target}" "everest" everest_pos)
# string(FIND "${target}" "p256m" p256m_pos)
string(FIND "${target}" "builtin" builtin_pos)
if(pos GREATER -1 OR name_pos GREATER -1 OR tfpsa_pos GREATER -1 OR builtin_pos GREATER -1)
list(APPEND mbedtls_global_targets ${target})
get_target_property(target_type ${target} TYPE)
# Skip ALIAS targets as they don't have compile options
if(NOT target_type STREQUAL "ALIAS" AND
(target_type STREQUAL "STATIC_LIBRARY" OR
target_type STREQUAL "SHARED_LIBRARY" OR
target_type STREQUAL "MODULE_LIBRARY" OR
target_type STREQUAL "OBJECT_LIBRARY" OR
target_type STREQUAL "EXECUTABLE"))
# Check if -fno-analyzer was already applied
get_target_property(compile_options ${target} COMPILE_OPTIONS)
if(NOT compile_options OR NOT "-fno-analyzer" IN_LIST compile_options)
message(STATUS "Applying -fno-analyzer to missed target: ${target}")
target_compile_options(${target} PRIVATE "-fno-analyzer")
endif()
endif()
endif()
endif()
endif()
endforeach()
message(STATUS "All mbedtls-related global targets: ${mbedtls_global_targets}")
endif()
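Review bot: The comment above the `set(... CACHE STRING ... FORCE)` that precedes `add_subdirectory(mbedtls)` names `TF_PSA_CRYPTO_CONFIG_FILE`, but the variable being set is `TF_PSA_CRYPTO_USER_CONFIG_FILE`, and the two are not equivalent. As far as I know, upstream treats the first as a replacement for the default crypto configuration and the second as a header included on top of it, so with the user-config form anything the upstream default enables stays compiled in unless `mbedtls/esp_config.h` undefines it. Please confirm which is intended and make the comment say so, for example `# Layer esp_config.h over the default TF-PSA-Crypto config (USER config, not a replacement)`. `FORCE` also overwrites a value passed on the command line with `-D`, which the comment should state if that is deliberate.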
+15 -169
@@ -3,15 +3,12 @@ menu "mbedTLS"
menu "Core Configuration"
config MBEDTLS_VER_4_X_SUPPORT
bool "Enable the Platform Security Architecture (PSA) cryptography API for ESP-IDF"
default n
help
Enable the Platform Security Architecture (PSA) cryptography API for ESP-IDF.
This option migrates from mbedtls API to PSA Crypto API. This increases code size.
bool
default y
choice MBEDTLS_COMPILER_OPTIMIZATION
prompt "Compiler optimization level"
default MBEDTLS_COMPILER_OPTIMIZATION_NONE
default MBEDTLS_COMPILER_OPTIMIZATION_SIZE
help
This option allows you to select the compiler optimization level for mbedTLS.
The default is set to the optimization level used by the rest of the ESP-IDF project.
@@ -353,14 +350,14 @@ menu "mbedTLS"
config MBEDTLS_PK_PARSE_C
bool "Enables generic public key parsing functions"
default y
depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_C && MBEDTLS_OID_C
depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_C
help
Enable generic public key parsing functions.
config MBEDTLS_PK_WRITE_C
bool "Enables generic public key writing functions"
default y
depends on MBEDTLS_PK_C && MBEDTLS_OID_C && MBEDTLS_ASN1_WRITE_C
depends on MBEDTLS_PK_C && MBEDTLS_ASN1_WRITE_C
help
Enable generic public key writing functions.
@@ -395,7 +392,7 @@ menu "mbedTLS"
config MBEDTLS_X509_CREATE_C
bool "X.509 certificate creation"
default n
depends on MBEDTLS_BIGNUM_C && MBEDTLS_OID_C && \
depends on MBEDTLS_BIGNUM_C && \
MBEDTLS_PK_WRITE_C && MBEDTLS_MD_C
help
Support for creating X.509 certificates and CSRs.
@@ -443,13 +440,6 @@ menu "mbedTLS"
help
Enable ASN.1 writing functions.
config MBEDTLS_OID_C
bool "Enable OID support"
default y
help
Enable support for Object Identifier (OID) parsing and printing.
This is used by X.509 and PKCS#11.
config MBEDTLS_CERTIFICATE_BUNDLE
bool "Enable trusted root certificate bundle"
default y
@@ -534,7 +524,6 @@ menu "mbedTLS"
config MBEDTLS_TLS_ENABLED
bool "Enable TLS protocol support"
default y
select MBEDTLS_CIPHER_C
select MBEDTLS_SHA256_C
select MBEDTLS_MD_C
select MBEDTLS_SSL_PROTO_TLS1_2
@@ -555,7 +544,6 @@ menu "mbedTLS"
config MBEDTLS_SSL_PROTO_TLS1_3
bool "Support TLS 1.3 protocol"
depends on MBEDTLS_TLS_ENABLED
select MBEDTLS_HKDF_C
select MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
default n
@@ -698,13 +686,6 @@ menu "mbedTLS"
help
Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes.
config MBEDTLS_KEY_EXCHANGE_DHE_PSK
bool "Enable DHE-PSK based ciphersuite modes"
depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C
default y
help
Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes.
config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
bool "Enable ECDHE-PSK based ciphersuite modes"
depends on MBEDTLS_PSK_MODES && MBEDTLS_ECDH_C
@@ -715,7 +696,7 @@ menu "mbedTLS"
config MBEDTLS_KEY_EXCHANGE_RSA_PSK
bool "Enable RSA-PSK based ciphersuite modes"
depends on MBEDTLS_PSK_MODES
default y
default n
help
Enable to support RSA PSK (pre-shared-key) TLS authentication modes.
@@ -725,13 +706,6 @@ menu "mbedTLS"
help
Enable to support ciphersuites with prefix TLS-RSA-WITH-
config MBEDTLS_KEY_EXCHANGE_DHE_RSA
bool "Enable DHE-RSA based ciphersuite modes"
default y
depends on MBEDTLS_DHM_C
help
Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH-
config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE
bool "Support Elliptic Curve based ciphersuites"
depends on MBEDTLS_ECP_C
@@ -756,20 +730,6 @@ menu "mbedTLS"
help
Enable to support ciphersuites with prefix TLS-ECDHE-ECDSA-WITH-
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
bool "Enable ECDH-ECDSA based ciphersuite modes"
depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
default y
help
Enable to support ciphersuites with prefix TLS-ECDH-ECDSA-WITH-
config MBEDTLS_KEY_EXCHANGE_ECDH_RSA
bool "Enable ECDH-RSA based ciphersuite modes"
depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C
default y
help
Enable to support ciphersuites with prefix TLS-ECDH-RSA-WITH-
config MBEDTLS_KEY_EXCHANGE_ECJPAKE
bool "Enable ECJPAKE based ciphersuite modes"
depends on MBEDTLS_ECJPAKE_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED
@@ -897,15 +857,6 @@ menu "mbedTLS"
Disabling this option will save some code size.
endmenu
config MBEDTLS_CIPHER_C
bool "Cipher abstraction layer"
default y
help
Enable the cipher abstraction layer. This enables generic cipher wrappers
for the block ciphers and stream ciphers.
If you are not using the cipher abstraction layer, you can disable this
option to save some code size.
menu "Symmetric Ciphers"
config MBEDTLS_AES_C
bool "AES block cipher"
@@ -999,7 +950,7 @@ menu "mbedTLS"
config MBEDTLS_GCM_C
bool "GCM (Galois/Counter) block cipher modes"
default y
depends on (MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C) && MBEDTLS_CIPHER_C
depends on (MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C)
help
Enable Galois/Counter Mode for AES and/or Camellia ciphers.
@@ -1008,53 +959,10 @@ menu "mbedTLS"
config MBEDTLS_NIST_KW_C
bool "NIST key wrapping (KW) and KW padding (KWP)"
default n
depends on MBEDTLS_AES_C && MBEDTLS_CIPHER_C
depends on MBEDTLS_AES_C
help
Enable NIST key wrapping and key wrapping padding.
config MBEDTLS_CIPHER_PADDING
bool "Cipher padding"
default y
depends on MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB
help
Enable padding for block ciphers.
Padding is only used for block ciphers in CBC, CFB, CTR and OFB modes.
If you are using a stream cipher or a block cipher in ECB mode, you can
disable this option to save code size.
config MBEDTLS_CIPHER_PADDING_PKCS7
bool "PKCS#7 padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable PKCS#7 padding for block ciphers.
config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS
bool "One and zeros padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable one and zeros padding for block ciphers.
config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN
bool "Zeros and length padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable zeros and length padding for block ciphers.
config MBEDTLS_CIPHER_PADDING_ZEROS
bool "Zeros padding"
default y
depends on MBEDTLS_CIPHER_PADDING && \
(MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB)
help
Enable zeros padding for block ciphers.
config MBEDTLS_AES_ROM_TABLES
bool "Store AES tables in ROM"
default y
@@ -1082,7 +990,6 @@ menu "mbedTLS"
config MBEDTLS_CMAC_C
bool "Enable CMAC mode for block ciphers"
default y
select MBEDTLS_CIPHER_C
depends on (MBEDTLS_AES_C || MBEDTLS_DES_C)
help
Enable the CMAC (Cipher-based Message Authentication Code) mode for
@@ -1101,18 +1008,10 @@ menu "mbedTLS"
If you don't need any of these algorithms, you can disable this option
to save code size.
config MBEDTLS_GENPRIME
bool "Enable hardware prime number generation"
default y
depends on MBEDTLS_BIGNUM_C
help
Enable prime number generation.
config MBEDTLS_RSA_C
bool "RSA public key cryptosystem"
default y
select MBEDTLS_BIGNUM_C
select MBEDTLS_OID_C
help
Enable RSA. Needed to use RSA-xxx TLS ciphersuites.
@@ -1120,20 +1019,6 @@ menu "mbedTLS"
bool "Enable Elliptic Curve Ciphers(ECC) support"
default y
menu "Supported Curves"
config MBEDTLS_ECP_DP_SECP192R1_ENABLED
bool "Enable SECP192R1 curve"
depends on MBEDTLS_ECP_C
default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY)
help
Enable support for SECP192R1 Elliptic Curve.
config MBEDTLS_ECP_DP_SECP224R1_ENABLED
bool "Enable SECP224R1 curve"
depends on MBEDTLS_ECP_C
default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY)
help
Enable support for SECP224R1 Elliptic Curve.
config MBEDTLS_ECP_DP_SECP256R1_ENABLED
bool "Enable SECP256R1 curve"
depends on MBEDTLS_ECP_C
@@ -1155,20 +1040,6 @@ menu "mbedTLS"
help
Enable support for SECP521R1 Elliptic Curve.
config MBEDTLS_ECP_DP_SECP192K1_ENABLED
bool "Enable SECP192K1 curve"
depends on MBEDTLS_ECP_C
default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY)
help
Enable support for SECP192K1 Elliptic Curve.
config MBEDTLS_ECP_DP_SECP224K1_ENABLED
bool "Enable SECP224K1 curve"
depends on MBEDTLS_ECP_C
default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY)
help
Enable support for SECP224K1 Elliptic Curve.
config MBEDTLS_ECP_DP_SECP256K1_ENABLED
bool "Enable SECP256K1 curve"
depends on MBEDTLS_ECP_C
@@ -1235,9 +1106,10 @@ menu "mbedTLS"
Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you
want to access ECDH context fields directly.
# TODO: IDF-15031
config MBEDTLS_DHM_C
bool "Diffie-Hellman-Merkle key exchange (DHM)"
default y
default n
select MBEDTLS_BIGNUM_C
depends on MBEDTLS_ECP_C
help
@@ -1306,14 +1178,6 @@ menu "mbedTLS"
endmenu
menu "Hash functions"
config MBEDTLS_HKDF_C
bool "HKDF algorithm (RFC 5869)"
default n
depends on MBEDTLS_MD_C
help
Enable support for the Hashed Message Authentication Code
(HMAC)-based key derivation function (HKDF).
config MBEDTLS_POLY1305_C
bool "Poly1305 MAC algorithm"
default n
@@ -1525,7 +1389,7 @@ menu "mbedTLS"
bool "Fallback to software implementation for larger MPI values"
depends on MBEDTLS_HARDWARE_MPI
default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits
default n
default y
help
Fallback to software implementation for RSA key lengths
larger than SOC_RSA_MAX_BIT_LEN. If this is not active
@@ -1670,12 +1534,6 @@ menu "mbedTLS"
it also increases the binary size by ~1.2 KB as it pulls in the peripheral's block
mode code as well.
config MBEDTLS_PK_RSA_ALT_SUPPORT
bool "Enable RSA alt support"
default y
help
Support external private RSA keys (eg from a HSM) int the PK layer.
config MBEDTLS_ATCA_HW_ECDSA_SIGN
bool "Enable hardware ECDSA sign acceleration when using ATECC608A"
default n
@@ -1692,14 +1550,6 @@ menu "mbedTLS"
endmenu
menu "Entropy and Random Number Generation"
config MBEDTLS_ENTROPY_C
bool "Enable entropy support"
default y
depends on MBEDTLS_SHA256_C || MBEDTLS_SHA512_C
help
Enable support for entropy sources and provides a generic
entropy pool.
config MBEDTLS_ENTROPY_FORCE_SHA256
bool "Force SHA-256 for entropy"
default n
@@ -1741,17 +1591,11 @@ menu "mbedTLS"
config MBEDTLS_PKCS7_C
bool "Enable PKCS number 7"
default y
depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_OID_C && MBEDTLS_PK_PARSE_C && \
depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_PARSE_C && \
MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_BIGNUM_C && MBEDTLS_MD_C
help
Enable PKCS number 7 core for using PKCS number 7-formatted signatures.
config MBEDTLS_PKCS12_C
bool "Enable PKCS number 12"
default y
depends on MBEDTLS_ASN1_PARSE_C && (MBEDTLS_MD_C)
help
Enable PKCS number 12 core for using PKCS number 12-formatted signatures.
config MBEDTLS_PKCS1_V15
bool "Enable PKCS#1 v1.5 padding"
default y
@@ -1784,6 +1628,7 @@ menu "mbedTLS"
config MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER
bool "Use ROM implementation of the crypto algorithm in the bootloader"
# TODO: IDF-15012
depends on ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB && !MBEDTLS_VER_4_X_SUPPORT
default "n"
select MBEDTLS_AES_C
@@ -1795,6 +1640,7 @@ menu "mbedTLS"
config MBEDTLS_USE_CRYPTO_ROM_IMPL
bool "Use ROM implementation of the crypto algorithm"
# TODO: IDF-15012
depends on ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB && !MBEDTLS_VER_4_X_SUPPORT
default "n"
select MBEDTLS_SHA512_C
@@ -31,7 +31,6 @@ CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n
CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=n
# TLS Key Exchange Configuration
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=n
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=n
CONFIG_MBEDTLS_SSL_ALPN=n
@@ -39,11 +38,6 @@ CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=n
CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=n
# DTLS Protocol Configuration
# Cipher Abstraction Layer
CONFIG_MBEDTLS_CIPHER_C=y
# Symmetric Ciphers
CONFIG_MBEDTLS_ARIA_C=n
CONFIG_MBEDTLS_CCM_C=n
@@ -54,23 +48,15 @@ CONFIG_MBEDTLS_CIPHER_MODE_OFB=n
CONFIG_MBEDTLS_CIPHER_MODE_XTS=y
CONFIG_MBEDTLS_GCM_C=n
CONFIG_MBEDTLS_PKCS5_C=n
CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n
CONFIG_MBEDTLS_AES_FEWER_TABLES=y
# Elliptic Curve Ciphers Configuration
CONFIG_MBEDTLS_ECP_NIST_OPTIM=n
CONFIG_MBEDTLS_DHM_C=n
CONFIG_MBEDTLS_ECP_NIST_OPTIM=y
CONFIG_MBEDTLS_ECDSA_C=y
CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=n
CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=n
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=n
@@ -84,12 +70,10 @@ CONFIG_MBEDTLS_SHA512_C=n
CONFIG_MBEDTLS_MD5_C=n
CONFIG_MBEDTLS_MPI_USE_INTERRUPT=n
CONFIG_MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK=n
CONFIG_MBEDTLS_GENPRIME=y
CONFIG_MBEDTLS_PKCS12_C=n
CONFIG_MBEDTLS_PKCS1_V21=n
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=y
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=n
CONFIG_MBEDTLS_CTR_DRBG_C=y
CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=n
@@ -42,7 +42,6 @@ CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT=y
CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK=n
CONFIG_MBEDTLS_ASN1_PARSE_C=y
CONFIG_MBEDTLS_ASN1_WRITE_C=y
CONFIG_MBEDTLS_OID_C=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y
CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=n
@@ -75,12 +74,9 @@ CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_SSL_ALPN=y
CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=y
@@ -93,9 +89,6 @@ CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=y
# DTLS Protocol Configuration
CONFIG_MBEDTLS_SSL_PROTO_DTLS=n
# Cipher Abstraction Layer
CONFIG_MBEDTLS_CIPHER_C=n
# Symmetric Ciphers
CONFIG_MBEDTLS_AES_C=y
CONFIG_MBEDTLS_CAMELLIA_C=n
@@ -111,12 +104,7 @@ CONFIG_MBEDTLS_CIPHER_MODE_OFB=y
CONFIG_MBEDTLS_CIPHER_MODE_XTS=y
CONFIG_MBEDTLS_GCM_C=y
CONFIG_MBEDTLS_NIST_KW_C=n
CONFIG_MBEDTLS_CIPHER_PADDING=y
CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=y
CONFIG_MBEDTLS_PKCS5_C=y
CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=y
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=y
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=y
CONFIG_MBEDTLS_AES_ROM_TABLES=y
CONFIG_MBEDTLS_AES_FEWER_TABLES=n
CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=n
@@ -130,7 +118,6 @@ CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_ECP_C=y
CONFIG_MBEDTLS_ECP_NIST_OPTIM=y
CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM=n
CONFIG_MBEDTLS_DHM_C=y
CONFIG_MBEDTLS_ECDH_C=y
CONFIG_MBEDTLS_ECJPAKE_C=n
CONFIG_MBEDTLS_ECDSA_C=y
@@ -138,13 +125,9 @@ CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=y
CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=y
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y
CONFIG_MBEDTLS_ECP_RESTARTABLE=n
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=y
@@ -166,7 +149,6 @@ CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER=y
CONFIG_MBEDTLS_HARDWARE_AES=y
CONFIG_MBEDTLS_AES_USE_INTERRUPT=y
CONFIG_MBEDTLS_AES_INTERRUPT_LEVEL=0
CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT=y
CONFIG_MBEDTLS_HARDWARE_MPI=y
# CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI=n
CONFIG_MBEDTLS_MPI_USE_INTERRUPT=y
@@ -179,11 +161,9 @@ CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN=n
CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY=n
CONFIG_MBEDTLS_PKCS7_C=y
CONFIG_MBEDTLS_PKCS12_C=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_PKCS1_V21=y
CONFIG_MBEDTLS_ENTROPY_C=y
CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=n
CONFIG_MBEDTLS_CTR_DRBG_C=y
CONFIG_MBEDTLS_HMAC_DRBG_C=y
@@ -192,7 +172,6 @@ CONFIG_MBEDTLS_BASE64_C=y
CONFIG_MBEDTLS_CHACHA20_C=n
CONFIG_MBEDTLS_POLY1305_C=n
CONFIG_MBEDTLS_HKDF_C=n
#
# End of mbedTLS Minimal Configuration Preset
@@ -35,9 +35,7 @@ CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=n
CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=n
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=n
CONFIG_MBEDTLS_SSL_ALPN=n
@@ -46,10 +44,6 @@ CONFIG_MBEDTLS_SSL_RENEGOTIATION=n
CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=n
CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=n
# Cipher Abstraction Layer
CONFIG_MBEDTLS_CIPHER_C=y
# Symmetric Ciphers
CONFIG_MBEDTLS_ARIA_C=n
CONFIG_MBEDTLS_BLOWFISH_C=n
@@ -57,12 +51,7 @@ CONFIG_MBEDTLS_CCM_C=n
CONFIG_MBEDTLS_CIPHER_MODE_OFB=n
CONFIG_MBEDTLS_CIPHER_MODE_XTS=y
CONFIG_MBEDTLS_GCM_C=n
CONFIG_MBEDTLS_CIPHER_PADDING=n
CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=n
CONFIG_MBEDTLS_PKCS5_C=n
CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n
CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n
CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=y
CONFIG_MBEDTLS_CMAC_C=n
@@ -72,19 +61,14 @@ CONFIG_MBEDTLS_RSA_C=y
# Elliptic Curve Ciphers Configuration
CONFIG_MBEDTLS_ECP_C=n
CONFIG_MBEDTLS_ECP_NIST_OPTIM=n
CONFIG_MBEDTLS_DHM_C=n
CONFIG_MBEDTLS_ECDH_C=n
CONFIG_MBEDTLS_ECDSA_C=n
CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=n
CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=n
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n
CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=n
CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=n
+3 -35
@@ -3,22 +3,13 @@
*
* SPDX-License-Identifier: Apache-2.0
*/
#include <mbedtls/build_info.h>
#include <sys/types.h>
#include <stdlib.h>
#include <stdio.h>
#include "esp_random.h"
#include "mbedtls/esp_mbedtls_random.h"
#if defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT)
#include "psa/crypto.h"
#endif
#include <entropy_poll.h>
#ifndef MBEDTLS_ENTROPY_HARDWARE_ALT
#error "MBEDTLS_ENTROPY_HARDWARE_ALT should always be set in ESP-IDF"
#endif
#include "psa/crypto.h"
int mbedtls_hardware_poll( void *data,
unsigned char *output, size_t len, size_t *olen )
@@ -28,17 +19,7 @@ int mbedtls_hardware_poll( void *data,
return 0;
}
int mbedtls_esp_random(void *ctx, unsigned char *buf, size_t len)
{
(void) ctx; // unused
esp_fill_random(buf, len);
return 0;
}
#if defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT)
int mbedtls_platform_get_entropy(unsigned char *output, size_t output_size,
size_t *output_len, size_t *entropy_content);
#if defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY)
psa_status_t mbedtls_psa_external_get_random(
mbedtls_psa_external_random_context_t *context,
uint8_t *output, size_t output_size, size_t *output_length)
@@ -50,17 +31,4 @@ psa_status_t mbedtls_psa_external_get_random(
*output_length = output_size;
return PSA_SUCCESS;
}
int mbedtls_platform_get_entropy(unsigned char *output, size_t output_size,
size_t *output_len, size_t *entropy_content)
{
if (output == NULL || output_size == 0 || output_len == NULL || entropy_content == NULL) {
return -1;
}
esp_fill_random(output, output_size);
*output_len = output_size;
*entropy_content = 8 * output_size;
return 0;
}
#endif // MBEDTLS_PLATFORM_GET_ENTROPY_ALT
#endif // MBEDTLS_PSA_DRIVER_GET_ENTROPY
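Review bot: The guard now wrapped around `mbedtls_psa_external_get_random()` in the last two hunks is `#if defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY)`, which looks like the wrong switch for this function. As far as I know, in TF-PSA-Crypto that option selects the `mbedtls_platform_get_entropy()` callback, while the external-RNG hook is enabled by `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`. The hunk headers and the +3/-35 count indicate that the `mbedtls_platform_get_entropy()` definition is dropped from this file, so a build that defines the new macro needs that callback from another file; please confirm where it now lives. The `#error` that required `MBEDTLS_ENTROPY_HARDWARE_ALT` also appears to be removed, so a build with no hardware entropy source wired in is no longer rejected at compile time; an equivalent check would be `#if !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) && !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)` followed by `#error "no PSA entropy source configured"` and `#endif`. The body of `mbedtls_psa_external_get_random()` lies between the hunks, so its argument checks cannot be reviewed from here.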