diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt index 11862cb739..f11b9a7b4d 100644 --- a/components/mbedtls/CMakeLists.txt +++ b/components/mbedtls/CMakeLists.txt @@ -28,7 +28,13 @@ if(NOT ${IDF_TARGET} STREQUAL "linux") endif() set(mbedtls_srcs "") -set(mbedtls_include_dirs "port/include" "mbedtls/include" "mbedtls/library") +set(mbedtls_include_dirs + "port/include" + "mbedtls/include" + "mbedtls/library" + "mbedtls/tf-psa-crypto/core" + "mbedtls/tf-psa-crypto/drivers/builtin/src/" + ) if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) list(APPEND mbedtls_include_dirs "port/mbedtls_rom") @@ -39,12 +45,17 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE) list(APPEND mbedtls_include_dirs "esp_crt_bundle/include") endif() +list(APPEND mbedtls_include_dirs "${COMPONENT_DIR}/port/psa_driver/include") + idf_component_register(SRCS "${mbedtls_srcs}" INCLUDE_DIRS "${mbedtls_include_dirs}" PRIV_REQUIRES "${priv_requires}" REQUIRES "${requires}" ) +# Add MBEDTLS_MAJOR_VERSION definition to the component library +target_compile_definitions(${COMPONENT_LIB} INTERFACE MBEDTLS_MAJOR_VERSION=4) + # Determine the type of mbedtls component library if(mbedtls_srcs STREQUAL "") # For no sources in component library we must use "INTERFACE" @@ -130,6 +141,8 @@ if(CONFIG_MBEDTLS_CERTIFICATE_BUNDLE) list(APPEND include_dirs "${COMPONENT_DIR}/esp_crt_bundle/include") endif() +list(APPEND include_dirs "${COMPONENT_DIR}/port/psa_driver/include") + include_directories(${include_dirs}) # Needed to for mbedtls_rom includes to work from within mbedtls @@ -137,6 +150,13 @@ if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) include_directories("${COMPONENT_DIR}/port/mbedtls_rom") endif() +# Set TF_PSA_CRYPTO_CONFIG_FILE before processing subdirectories to prevent override +set( + TF_PSA_CRYPTO_USER_CONFIG_FILE "mbedtls/esp_config.h" + CACHE STRING "Path to the PSA Crypto configuration file" + FORCE +) + # Import mbedtls library targets add_subdirectory(mbedtls) 
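Review bot: The two new entries in `mbedtls_include_dirs`, `"mbedtls/tf-psa-crypto/core"` and `"mbedtls/tf-psa-crypto/drivers/builtin/src/"`, are passed to `INCLUDE_DIRS`, so every component that requires mbedtls can now include the crypto library's internal headers and files from a source directory. If only the port code needs them, scope them to the library instead, e.g. `target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/mbedtls/tf-psa-crypto/core")`. If applications are meant to reach them, a comment above the list naming the headers that are intended to be public would help. The trailing slash on the second path is inconsistent with the other entries.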
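Review bot: `MBEDTLS_MAJOR_VERSION=4` is a hand-written constant on `${COMPONENT_LIB}` here and is repeated as `PUBLIC` on every library in the `foreach` further down, so it can drift from the version of the `mbedtls` submodule that is actually built. The library headers already publish their own version macro (`MBEDTLS_VERSION_MAJOR`, if I read upstream correctly), and port code that branches on a stale value would pick the wrong API path without a build error. If the extra macro is needed, define it in one place and document it, for example `# Must match the major version of the vendored mbedtls submodule`. The `list(APPEND mbedtls_include_dirs "${COMPONENT_DIR}/port/psa_driver/include")` line in this hunk uses an absolute path while the other entries of that list are relative.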
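Review bot: The comment names `TF_PSA_CRYPTO_CONFIG_FILE` but the variable that is set is `TF_PSA_CRYPTO_USER_CONFIG_FILE`, and the two are not interchangeable: as far as I know upstream, the first replaces the default crypto configuration and the second is included on top of it. With the user-config form, every option the upstream default enables stays enabled unless `mbedtls/esp_config.h` undefines it, so algorithms that the Kconfig menu shows as disabled could still be compiled in. Please confirm which one is intended and make the comment match, e.g. `# esp_config.h is layered on top of the upstream default config; it must #undef anything Kconfig disables`. `CACHE ... FORCE` also overwrites a value supplied on the command line; a plain `set(TF_PSA_CRYPTO_USER_CONFIG_FILE "mbedtls/esp_config.h")` before `add_subdirectory(mbedtls)` may be enough, depending on the subproject's policy settings.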
@@ -146,21 +166,49 @@ list(REMOVE_ITEM src_tls net_sockets.c) set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls}) if(CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1) -get_target_property(src_tls mbedtls SOURCES) -list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c) -set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls}) + get_target_property(src_tls mbedtls SOURCES) + list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c) + set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls}) -get_target_property(src_crypto mbedcrypto SOURCES) -list(REMOVE_ITEM src_crypto cipher_wrap.c ecdsa.c ecp.c ecp_curves.c oid.c pk_wrap.c) -set_property(TARGET mbedcrypto PROPERTY SOURCES ${src_crypto}) + message(STATUS "Setting up mbedtls") -get_target_property(src_x509 mbedx509 SOURCES) -list(REMOVE_ITEM src_x509 x509_crt.c) -set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509}) + # list(REMOVE_ITEM src_crypto sha512.c) + # list(REMOVE_ITEM src_crypto cipher_wrap.c ecdsa.c ecp.c ecp_curves.c oid.c pk_wrap.c) + # set_property(TARGET tfpsacrypto PROPERTY SOURCES ${src_crypto}) + + get_target_property(src_builtin builtin SOURCES) + message(STATUS "src_builtin: ${src_builtin}") + + get_target_property(src_x509 mbedx509 SOURCES) + list(REMOVE_ITEM src_x509 x509_crt.c) + set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509}) endif() # Core libraries from the mbedTLS project -set(mbedtls_targets mbedtls mbedcrypto mbedx509) +set(mbedtls_targets mbedtls mbedx509 tfpsacrypto builtin) + +target_include_directories(tfpsacrypto PUBLIC "port/include") +target_include_directories(tfpsacrypto PRIVATE "port/psa_crypto_storage/include") + +if(CONFIG_MBEDTLS_HARDWARE_SHA OR CONFIG_MBEDTLS_HARDWARE_AES) + target_include_directories(tfpsacrypto PUBLIC "${COMPONENT_DIR}/port/psa_driver/include") +endif() + +message(STATUS "Setting up mbedtls configuration") +foreach(target ${mbedtls_targets}) + target_compile_definitions(${target} PUBLIC -DMBEDTLS_CONFIG_FILE="mbedtls/esp_config.h") 
+ set_config_files_compile_definitions(${target}) + target_compile_definitions(${target} PUBLIC MBEDTLS_MAJOR_VERSION=4) + if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") # TODO IDF-10087 + target_compile_options(${target} PRIVATE "-fno-analyzer") + endif() + if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE) + target_compile_options(${target} PRIVATE "-Os") + elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_PERF) + target_compile_options(${target} PRIVATE "-O2") + endif() +endforeach() + # 3rd party libraries from the mbedTLS project list(APPEND mbedtls_targets everest p256m) 
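Review bot: The per-target `foreach` now runs before `list(APPEND mbedtls_targets everest p256m)`, whereas the loop it replaces (removed further down in this diff) ran after it, so `everest` and `p256m` no longer receive `MBEDTLS_CONFIG_FILE="mbedtls/esp_config.h"`, `set_config_files_compile_definitions()`, `-fno-analyzer` or the `-Os`/`-O2` option. Unless the subproject already applies the same configuration to those two libraries, they would be built against a different crypto configuration than `tfpsacrypto` and `builtin`. Moving the `list(APPEND ...)` above the loop restores the old coverage; if the exclusion is deliberate, say so in a comment. The GMTSSL branch also still carries three commented-out `src_crypto` lines and two debug `message(STATUS ...)` calls, and `src_builtin` is read but never used.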
@@ -169,10 +217,33 @@ set(mbedtls_target_sources "${COMPONENT_DIR}/port/mbedtls_debug.c" if(CONFIG_MBEDTLS_VER_4_X_SUPPORT) list(APPEND mbedtls_target_sources "${COMPONENT_DIR}/port/esp_psa_crypto_init.c") + # Add ESP-IDF NVS-based PSA ITS implementation + # Only compile esp_psa_its.c if nvs_flash component is available + if(NOT ${IDF_TARGET} STREQUAL "linux") + if(IDF_BUILD_V2) + # For v2: conditionally compile source and link only if nvs_flash target exists + target_sources( + tfpsacrypto PRIVATE + "$<$:${COMPONENT_DIR}/port/psa_crypto_storage/esp_psa_its.c>" + ) + target_link_libraries(tfpsacrypto PRIVATE "$<$:idf::nvs_flash>") + # Define compile definition to indicate ESP-IDF PSA ITS implementation is available + target_compile_definitions(tfpsacrypto PRIVATE "$<$:ESP_PSA_ITS_AVAILABLE>") + else() + # For v1: check if component is in build before adding source and linking + idf_build_get_property(build_components BUILD_COMPONENTS) + if(nvs_flash IN_LIST build_components) + target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/psa_crypto_storage/esp_psa_its.c") + idf_component_get_property(nvs_flash_lib nvs_flash COMPONENT_LIB) + target_link_libraries(tfpsacrypto PRIVATE ${nvs_flash_lib}) + target_compile_definitions(tfpsacrypto PRIVATE ESP_PSA_ITS_AVAILABLE) + endif() + endif() + endif() endif() if(CONFIG_MBEDTLS_DYNAMIC_BUFFER) -set(mbedtls_target_sources ${mbedtls_target_sources} + set(mbedtls_target_sources ${mbedtls_target_sources} "${COMPONENT_DIR}/port/dynamic/esp_mbedtls_dynamic_impl.c" "${COMPONENT_DIR}/port/dynamic/esp_ssl_cli.c" "${COMPONENT_DIR}/port/dynamic/esp_ssl_srv.c" 
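Review bot: When `nvs_flash` is not part of the build, both the v1 and v2 branches skip `esp_psa_its.c` and leave `ESP_PSA_ITS_AVAILABLE` undefined without any message, so persistent PSA key storage is dropped (or falls back to whatever the upstream backend is) with no hint at configure time. An `else()` on the v1 check with `message(WARNING "mbedtls: nvs_flash not in build, PSA persistent key storage disabled")` would make that visible. Since this file becomes the backing store for key material, the comment above it should also state whether it expects an encrypted NVS partition; that cannot be seen from this hunk.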
@@ -180,13 +251,13 @@ set(mbedtls_target_sources ${mbedtls_target_sources} endif() if(${IDF_TARGET} STREQUAL "linux") -set(mbedtls_target_sources ${mbedtls_target_sources} "${COMPONENT_DIR}/port/net_sockets.c") + set(mbedtls_target_sources ${mbedtls_target_sources} "${COMPONENT_DIR}/port/net_sockets.c") endif() # While updating to MbedTLS release/v3.4.0, building mbedtls/library/psa_crypto.c # clang produces an unreachable-code warning. if(CMAKE_C_COMPILER_ID MATCHES "Clang") - target_compile_options(mbedcrypto PRIVATE "-Wno-unreachable-code") + target_compile_options(tfpsacrypto PRIVATE "-Wno-unreachable-code") endif() # net_sockets.c should only be compiled if BSD socket functions are available. @@ -206,7 +277,8 @@ endif() target_sources(mbedtls PRIVATE ${mbedtls_target_sources}) if(NOT ${IDF_TARGET} STREQUAL "linux") - target_link_libraries(mbedcrypto PRIVATE idf::esp_security) + target_link_libraries(tfpsacrypto PRIVATE idf::esp_security) + target_link_libraries(builtin PRIVATE idf::esp_security) endif() # Choose peripheral type 
@@ -219,18 +291,25 @@ if(CONFIG_SOC_SHA_SUPPORTED) endif() endif() -if(SHA_PERIPHERAL_TYPE STREQUAL "core") - target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include") +if(CONFIG_SOC_AES_SUPPORTED) + if(CONFIG_SOC_AES_SUPPORT_DMA) + set(AES_PERIPHERAL_TYPE "dma") + else() + set(AES_PERIPHERAL_TYPE "block") + endif() +endif() +if(SHA_PERIPHERAL_TYPE STREQUAL "core") + target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include") if(CONFIG_SOC_SHA_GDMA) set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_gdma_impl.c") elseif(CONFIG_SOC_SHA_CRYPTO_DMA) set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_crypto_dma_impl.c") endif() - target_sources(mbedcrypto PRIVATE "${SHA_CORE_SRCS}") + target_sources(tfpsacrypto PRIVATE "${SHA_CORE_SRCS}") endif() -if(CONFIG_SOC_AES_SUPPORT_DMA) +if(AES_PERIPHERAL_TYPE STREQUAL "dma") if(NOT CONFIG_SOC_AES_GDMA) set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_crypto_dma_impl.c") else() 
@@ -239,47 +318,66 @@ if(CONFIG_SOC_AES_SUPPORT_DMA) list(APPEND AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c") - target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include") - target_sources(mbedcrypto PRIVATE "${AES_DMA_SRCS}") + target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include") + target_sources(tfpsacrypto PRIVATE "${AES_DMA_SRCS}") endif() -if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR CONFIG_SOC_AES_SUPPORT_DMA) - target_link_libraries(mbedcrypto PRIVATE idf::esp_mm) +if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR AES_PERIPHERAL_TYPE STREQUAL "dma") + target_link_libraries(tfpsacrypto PRIVATE idf::esp_mm) + target_link_libraries(builtin PRIVATE idf::esp_mm) if(CONFIG_SOC_SHA_GDMA OR CONFIG_SOC_AES_GDMA) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c") + if(CONFIG_SOC_AXI_DMA_EXT_MEM_ENC_ALIGNMENT) + target_link_libraries(tfpsacrypto PRIVATE idf::bootloader_support) + target_link_libraries(builtin PRIVATE idf::bootloader_support) + endif() + target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c") endif() endif() if(NOT ${IDF_TARGET} STREQUAL "linux") - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c") + target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c") endif() -target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c" - "${COMPONENT_DIR}/port/esp_timing.c" +target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c" + # "${COMPONENT_DIR}/port/esp_timing.c" ) if(CONFIG_SOC_AES_SUPPORTED) - target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/include") - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c" + target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/aes/include") + 
target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c" "${COMPONENT_DIR}/port/aes/esp_aes_common.c" "${COMPONENT_DIR}/port/aes/esp_aes.c" ) endif() if(CONFIG_SOC_SHA_SUPPORTED) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/esp_sha.c" - "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c" + if(CONFIG_MBEDTLS_HARDWARE_SHA) + target_compile_definitions(tfpsacrypto PRIVATE ESP_SHA_DRIVER_ENABLED) + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_sha/psa_crypto_driver_esp_sha.c" + "${COMPONENT_DIR}/port/psa_driver/esp_sha/${SHA_PERIPHERAL_TYPE}/psa_crypto_driver_esp_sha256.c" + "${COMPONENT_DIR}/port/psa_driver/esp_sha/${SHA_PERIPHERAL_TYPE}/psa_crypto_driver_esp_sha512.c" + + "${COMPONENT_DIR}/port/sha/esp_sha.c") + endif() + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_sha/${SHA_PERIPHERAL_TYPE}/psa_crypto_driver_esp_sha1.c" + "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c" ) endif() if(CONFIG_SOC_DIG_SIGN_SUPPORTED) -target_sources(mbedcrypto PRIVATE +target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_ds/esp_rsa_sign_alt.c" "${COMPONENT_DIR}/port/esp_ds/esp_rsa_dec_alt.c" "${COMPONENT_DIR}/port/esp_ds/esp_ds_common.c") endif() +# # CONFIG_ESP_TLS_USE_DS_PERIPHERAL can be enabled only for the supported targets. +if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL) + target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_ds/esp_rsa_sign_alt.c") +endif() if(CONFIG_SOC_HMAC_SUPPORTED) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c") + target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c") endif() # Note: some mbedTLS hardware acceleration can be enabled/disabled by config. 
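Review bot: In the `CONFIG_SOC_SHA_SUPPORTED` block the SHA-1 driver `psa_crypto_driver_esp_sha1.c` and `sha/${SHA_PERIPHERAL_TYPE}/sha.c` are added unconditionally, while the SHA-256/512 drivers, `esp_sha.c` and the `ESP_SHA_DRIVER_ENABLED` definition sit under `CONFIG_MBEDTLS_HARDWARE_SHA`. With hardware SHA switched off the SHA-1 driver is therefore still compiled, without the enabling macro and without `esp_sha.c`, which the old code always built together with `sha.c`; unless those files guard themselves, this is either a link error or a hardware path the user asked to disable. I would move the SHA-1 line into the `if(CONFIG_MBEDTLS_HARDWARE_SHA)` list, or add a comment explaining why SHA-1 is treated differently. Separately, `esp_rsa_sign_alt.c` is now listed under both `CONFIG_SOC_DIG_SIGN_SUPPORTED` and `CONFIG_ESP_TLS_USE_DS_PERIPHERAL`, and `esp_timing.c` is commented out rather than removed.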
@@ -290,28 +388,36 @@ endif() # The other port-specific files don't override internal mbedTLS functions, they just add new functions. if(CONFIG_MBEDTLS_HARDWARE_MPI) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c" + target_sources(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c" "${COMPONENT_DIR}/port/bignum/bignum_alt.c") endif() -if(CONFIG_MBEDTLS_HARDWARE_SHA) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha1.c" - "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha256.c" - "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha512.c" - ) -endif() - if(CONFIG_MBEDTLS_HARDWARE_GCM OR CONFIG_MBEDTLS_HARDWARE_AES) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c") + target_compile_definitions(tfpsacrypto PRIVATE ESP_AES_DRIVER_ENABLED) + target_include_directories(tfpsacrypto PRIVATE "${COMPONENT_DIR}/port/include/aes") + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes.c" + ) + if(CONFIG_MBEDTLS_HARDWARE_SHA) + target_sources(tfpsacrypto PRIVATE + "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_cmac.c" + ) + endif() + if(CONFIG_SOC_AES_SUPPORT_GCM) + target_sources(tfpsacrypto PRIVATE "$ENV{IDF_PATH}/components/mbedtls/port/aes/esp_aes_gcm.c" + "${COMPONENT_DIR}/port/psa_driver/esp_aes/psa_crypto_driver_esp_aes_gcm.c") + endif() endif() if(CONFIG_MBEDTLS_HARDWARE_ECC) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c" + target_sources(builtin PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c" "${COMPONENT_DIR}/port/ecc/ecc_alt.c") + include_directories("${COMPONENT_DIR}/tf-psa-crypto/drivers/builtin/include/mbedtls") endif() -if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c") 
+if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR +CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) + target_sources(builtin PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c") set(WRAP_FUNCTIONS_SIGN mbedtls_ecdsa_sign 
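Review bot: `esp_aes_gcm.c` is taken from `$ENV{IDF_PATH}/components/mbedtls/port/aes/` while every other port source in this file uses `${COMPONENT_DIR}`. The environment variable is read at configure time and need not point at the tree this component lives in, so a different copy of the GCM implementation could be compiled into `tfpsacrypto`; use `"${COMPONENT_DIR}/port/aes/esp_aes_gcm.c"`. In the ECC branch, `include_directories("${COMPONENT_DIR}/tf-psa-crypto/drivers/builtin/include/mbedtls")` is directory-scoped and its path lacks the `mbedtls/` prefix used for the same tree elsewhere in this diff, so it probably names a directory that does not exist; `target_include_directories(builtin PRIVATE "${COMPONENT_DIR}/mbedtls/tf-psa-crypto/drivers/builtin/include/mbedtls")` looks like what was meant. The `if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR ...)` block continues past the end of the hunk.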
@@ -343,35 +449,37 @@ if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR endif() if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) - target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage) + target_link_libraries(builtin PRIVATE idf::tee_sec_storage) endif() endif() -if(CONFIG_MBEDTLS_ROM_MD5) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c") +# if(CONFIG_MBEDTLS_ROM_MD5) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c") +# endif() + +# if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c") +# target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init") +# endif() + +if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") + target_compile_options(${COMPONENT_LIB} PRIVATE "-fno-analyzer") + target_compile_options(tfpsacrypto PRIVATE "-fno-analyzer") endif() -if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c") - target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init") +# If linkage_type is PUBLIC, use PRIVATE while setting compiler optimization flags +# as we don't want the optimization flags to modify other targets +if(linkage_type STREQUAL "PUBLIC") + set(compiler_linkage_type PRIVATE) +else() + set(compiler_linkage_type ${linkage_type}) endif() -foreach(target ${mbedtls_targets}) - target_compile_definitions(${target} PUBLIC -DMBEDTLS_CONFIG_FILE="mbedtls/esp_config.h") - if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") # TODO IDF-10087 - target_compile_options(${target} PRIVATE "-fno-analyzer") - endif() - if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE) - target_compile_options(${target} PRIVATE "-Os") - elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_PERF) - target_compile_options(${target} PRIVATE "-O2") - endif() -endforeach() - 
if(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_SIZE) - target_compile_options(${COMPONENT_LIB} PRIVATE "-Os") + message(STATUS "Linkage type is ${linkage_type}") + target_compile_options(${COMPONENT_LIB} ${compiler_linkage_type} "-Os") elseif(CONFIG_MBEDTLS_COMPILER_OPTIMIZATION_PERF) - target_compile_options(${COMPONENT_LIB} PRIVATE "-O2") + target_compile_options(${COMPONENT_LIB} ${compiler_linkage_type} "-O2") endif() if(CONFIG_MBEDTLS_DYNAMIC_BUFFER) 
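Review bot: `compiler_linkage_type` only converts `PUBLIC` to `PRIVATE`; when `linkage_type` is `INTERFACE` (the no-sources case described near the top of the file), `target_compile_options(${COMPONENT_LIB} INTERFACE "-Os")` attaches the flag to every target that links the component, which is the opposite of what the new comment promises. With the Kconfig default moving to `MBEDTLS_COMPILER_OPTIMIZATION_SIZE` in this same commit, that becomes the default behaviour. Guarding the block with `if(NOT linkage_type STREQUAL "INTERFACE")` and keeping `PRIVATE` avoids it, since the mbedTLS libraries already get the flag in the per-target loop. The new `target_compile_options(${COMPONENT_LIB} PRIVATE "-fno-analyzer")` above has the reverse problem, as `PRIVATE` is not accepted on an INTERFACE library. The commented-out `CONFIG_MBEDTLS_ROM_MD5` and `CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL` blocks and the `message(STATUS "Linkage type is ...")` line should be removed or replaced by a one-line TODO.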
@@ -392,40 +500,121 @@ if(CONFIG_MBEDTLS_DYNAMIC_BUFFER) endforeach() endif() -set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls) +# set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls) if(CONFIG_PM_ENABLE) - target_link_libraries(mbedcrypto PRIVATE idf::esp_pm) + target_link_libraries(tfpsacrypto PRIVATE idf::esp_pm) endif() if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY) - target_link_libraries(mbedcrypto PRIVATE idf::efuse) + target_link_libraries(builtin PRIVATE idf::efuse) endif() target_link_libraries(${COMPONENT_LIB} ${linkage_type} ${mbedtls_targets}) # Ensure PSA crypto initialization is included in the build -target_link_libraries(${COMPONENT_LIB} ${linkage_type} "-u mbedtls_psa_crypto_init_include_impl") - -if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL) - # The linker seems to be unable to resolve all the dependencies without increasing this - set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6) +if(NOT ${IDF_TARGET} STREQUAL "linux") + target_link_libraries(${COMPONENT_LIB} ${linkage_type} "-u mbedtls_psa_crypto_init_include_impl") endif() # Additional optional dependencies for the mbedcrypto library -function(mbedcrypto_optional_deps component_name) +function(builtin_optional_deps component_name) idf_build_get_property(components BUILD_COMPONENTS) if(${component_name} IN_LIST components) idf_component_get_property(lib_name ${component_name} COMPONENT_LIB) - target_link_libraries(mbedcrypto PRIVATE ${lib_name}) + target_link_libraries(builtin PRIVATE ${lib_name}) endif() endfunction() if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM) - mbedcrypto_optional_deps(esp_timer idf::esp_timer) + builtin_optional_deps(esp_timer idf::esp_timer) endif() -# Link esp-cryptoauthlib to mbedtls -if(CONFIG_ATCA_MBEDTLS_ECDSA) - mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib) +# # Link esp-cryptoauthlib to mbedtls +# 
if(CONFIG_ATCA_MBEDTLS_ECDSA) +# mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib) +# endif() + +# Apply -fno-analyzer to ALL mbedTLS targets at the very end when all targets are created +if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU") + message(STATUS "Applying -fno-analyzer to all mbedTLS targets...") + + # Get all targets from all directories + get_property( + all_mbedtls_targets DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls PROPERTY BUILDSYSTEM_TARGETS + ) + get_property( + drivers_targets DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls/tf-psa-crypto/drivers PROPERTY BUILDSYSTEM_TARGETS + ) + + message(STATUS "Found mbedtls targets: ${all_mbedtls_targets}") + message(STATUS "Found drivers targets: ${drivers_targets}") + + # Get targets from nested driver subdirectories + foreach(subdir IN ITEMS builtin everest p256-m) + if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls/tf-psa-crypto/drivers/${subdir}) + get_property( + subdir_targets DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/mbedtls/tf-psa-crypto/drivers/${subdir} + PROPERTY BUILDSYSTEM_TARGETS + ) + message(STATUS "Found ${subdir} targets: ${subdir_targets}") + list(APPEND drivers_targets ${subdir_targets}) + endif() + endforeach() + + # Combine all target lists + set(all_targets ${all_mbedtls_targets} ${drivers_targets}) + message(STATUS "All combined targets: ${all_targets}") + + # Apply -fno-analyzer to each target + foreach(target ${all_targets}) + if(TARGET ${target}) + get_target_property(target_type ${target} TYPE) + if(target_type STREQUAL "STATIC_LIBRARY" OR + target_type STREQUAL "SHARED_LIBRARY" OR + target_type STREQUAL "MODULE_LIBRARY" OR + target_type STREQUAL "OBJECT_LIBRARY" OR + target_type STREQUAL "EXECUTABLE") + message(STATUS "Applying -fno-analyzer to target: ${target}") + target_compile_options(${target} PRIVATE "-fno-analyzer") + endif() + endif() + endforeach() + + # Also check for any targets that might have been missed by using global target 
list + get_property(global_targets GLOBAL PROPERTY TARGETS) + set(mbedtls_global_targets "") + foreach(target ${global_targets}) + if(TARGET ${target}) + get_target_property(target_source_dir ${target} SOURCE_DIR) + if(target_source_dir) + # Check if target is from mbedtls directory or has mbedtls-related names + string(FIND "${target_source_dir}" "mbedtls" pos) + string(FIND "${target}" "mbedtls" name_pos) + string(FIND "${target}" "tfpsacrypto" tfpsa_pos) + # string(FIND "${target}" "everest" everest_pos) + # string(FIND "${target}" "p256m" p256m_pos) + string(FIND "${target}" "builtin" builtin_pos) + if(pos GREATER -1 OR name_pos GREATER -1 OR tfpsa_pos GREATER -1 OR builtin_pos GREATER -1) + list(APPEND mbedtls_global_targets ${target}) + get_target_property(target_type ${target} TYPE) + # Skip ALIAS targets as they don't have compile options + if(NOT target_type STREQUAL "ALIAS" AND + (target_type STREQUAL "STATIC_LIBRARY" OR + target_type STREQUAL "SHARED_LIBRARY" OR + target_type STREQUAL "MODULE_LIBRARY" OR + target_type STREQUAL "OBJECT_LIBRARY" OR + target_type STREQUAL "EXECUTABLE")) + # Check if -fno-analyzer was already applied + get_target_property(compile_options ${target} COMPILE_OPTIONS) + if(NOT compile_options OR NOT "-fno-analyzer" IN_LIST compile_options) + message(STATUS "Applying -fno-analyzer to missed target: ${target}") + target_compile_options(${target} PRIVATE "-fno-analyzer") + endif() + endif() + endif() + endif() + endif() + endforeach() + message(STATUS "All mbedtls-related global targets: ${mbedtls_global_targets}") endif() diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index e06352f73c..0ea2c25569 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig 
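Review bot: The second pass of the new `-fno-analyzer` block selects targets by substring, using `string(FIND ...)` for `mbedtls`, `tfpsacrypto` or `builtin` in the target name or source directory, so any application or third-party target that merely has one of those words in its name or path also loses GCC static analysis. The first pass already walks the vendored directories, and the per-target loop and the `${COMPONENT_LIB}`/`tfpsacrypto` lines earlier in the file add the same option again, so the flag is set in up to four places alongside roughly ten `message(STATUS ...)` lines. I would replace the whole block with one recursive walk over the directories below `${CMAKE_CURRENT_SOURCE_DIR}/mbedtls`, as sketched below, and drop the name matching. Also in this hunk, the `CONFIG_ATCA_MBEDTLS_ECDSA` link is commented out, so projects that enable it no longer get esp-cryptoauthlib linked; a `message(FATAL_ERROR ...)` or a Kconfig dependency would be clearer than dead code.

```cmake
# Collect every target defined in `dir` and, recursively, in its subdirectories.
function(mbedtls_collect_targets out_var dir)
    get_property(found DIRECTORY "${dir}" PROPERTY BUILDSYSTEM_TARGETS)
    get_property(subdirs DIRECTORY "${dir}" PROPERTY SUBDIRECTORIES)
    foreach(subdir IN LISTS subdirs)
        mbedtls_collect_targets(nested "${subdir}")
        list(APPEND found ${nested})
    endforeach()
    set(${out_var} "${found}" PARENT_SCOPE)
endfunction()

if(CONFIG_COMPILER_STATIC_ANALYZER AND CMAKE_C_COMPILER_ID STREQUAL "GNU")
    # Only targets created under the vendored tree are touched; nothing is matched by name.
    mbedtls_collect_targets(vendored_targets "${CMAKE_CURRENT_SOURCE_DIR}/mbedtls")
    foreach(target IN LISTS vendored_targets)
        get_target_property(target_type ${target} TYPE)
        # … unchanged: library/executable type check from the first pass wraps the call below …
        target_compile_options(${target} PRIVATE "-fno-analyzer")
    endforeach()
endif()
```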
@@ -3,15 +3,12 @@ menu "mbedTLS" menu "Core Configuration" config MBEDTLS_VER_4_X_SUPPORT - bool "Enable the Platform Security Architecture (PSA) cryptography API for ESP-IDF" - default n - help - Enable the Platform Security Architecture (PSA) cryptography API for ESP-IDF. - This option migrates from mbedtls API to PSA Crypto API. This increases code size. + bool + default y choice MBEDTLS_COMPILER_OPTIMIZATION prompt "Compiler optimization level" - default MBEDTLS_COMPILER_OPTIMIZATION_NONE + default MBEDTLS_COMPILER_OPTIMIZATION_SIZE help This option allows you to select the compiler optimization level for mbedTLS. The default is set to the optimization level used by the rest of the ESP-IDF project. @@ -353,14 +350,14 @@ menu "mbedTLS" config MBEDTLS_PK_PARSE_C bool "Enables generic public key parsing functions" default y - depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_C && MBEDTLS_OID_C + depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_C help Enable generic public key parsing functions. config MBEDTLS_PK_WRITE_C bool "Enables generic public key writing functions" default y - depends on MBEDTLS_PK_C && MBEDTLS_OID_C && MBEDTLS_ASN1_WRITE_C + depends on MBEDTLS_PK_C && MBEDTLS_ASN1_WRITE_C help Enable generic public key writing functions. @@ -395,7 +392,7 @@ menu "mbedTLS" config MBEDTLS_X509_CREATE_C bool "X.509 certificate creation" default n - depends on MBEDTLS_BIGNUM_C && MBEDTLS_OID_C && \ + depends on MBEDTLS_BIGNUM_C && \ MBEDTLS_PK_WRITE_C && MBEDTLS_MD_C help Support for creating X.509 certificates and CSRs. @@ -443,13 +440,6 @@ menu "mbedTLS" help Enable ASN.1 writing functions. - config MBEDTLS_OID_C - bool "Enable OID support" - default y - help - Enable support for Object Identifier (OID) parsing and printing. - This is used by X.509 and PKCS#11. - config MBEDTLS_CERTIFICATE_BUNDLE bool "Enable trusted root certificate bundle" default y 
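Review bot: The `help` text of `MBEDTLS_COMPILER_OPTIMIZATION` still says the default is the optimization level used by the rest of the ESP-IDF project, but the default is now `MBEDTLS_COMPILER_OPTIMIZATION_SIZE`; the sentence should read something like `The default is to optimize mbedTLS for size (-Os), independent of the project-wide setting.` `MBEDTLS_VER_4_X_SUPPORT` also loses its prompt and help text, so it can no longer be switched off, and the options later in this file that depend on `!MBEDTLS_VER_4_X_SUPPORT` become unreachable. A comment above the symbol stating that it is always enabled and why it is kept would make that explicit for anyone whose existing configuration relied on those options.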
@@ -534,7 +524,6 @@ menu "mbedTLS" config MBEDTLS_TLS_ENABLED bool "Enable TLS protocol support" default y - select MBEDTLS_CIPHER_C select MBEDTLS_SHA256_C select MBEDTLS_MD_C select MBEDTLS_SSL_PROTO_TLS1_2 @@ -555,7 +544,6 @@ menu "mbedTLS" config MBEDTLS_SSL_PROTO_TLS1_3 bool "Support TLS 1.3 protocol" depends on MBEDTLS_TLS_ENABLED - select MBEDTLS_HKDF_C select MBEDTLS_SSL_KEEP_PEER_CERTIFICATE default n @@ -698,13 +686,6 @@ menu "mbedTLS" help Enable to support symmetric key PSK (pre-shared-key) TLS key exchange modes. - config MBEDTLS_KEY_EXCHANGE_DHE_PSK - bool "Enable DHE-PSK based ciphersuite modes" - depends on MBEDTLS_PSK_MODES && MBEDTLS_DHM_C - default y - help - Enable to support Diffie-Hellman PSK (pre-shared-key) TLS authentication modes. - config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK bool "Enable ECDHE-PSK based ciphersuite modes" depends on MBEDTLS_PSK_MODES && MBEDTLS_ECDH_C @@ -715,7 +696,7 @@ menu "mbedTLS" config MBEDTLS_KEY_EXCHANGE_RSA_PSK bool "Enable RSA-PSK based ciphersuite modes" depends on MBEDTLS_PSK_MODES - default y + default n help Enable to support RSA PSK (pre-shared-key) TLS authentication modes. @@ -725,13 +706,6 @@ menu "mbedTLS" help Enable to support ciphersuites with prefix TLS-RSA-WITH- - config MBEDTLS_KEY_EXCHANGE_DHE_RSA - bool "Enable DHE-RSA based ciphersuite modes" - default y - depends on MBEDTLS_DHM_C - help - Enable to support ciphersuites with prefix TLS-DHE-RSA-WITH- - config MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE bool "Support Elliptic Curve based ciphersuites" depends on MBEDTLS_ECP_C 
@@ -756,20 +730,6 @@ menu "mbedTLS" help Enable to support ciphersuites with prefix TLS-ECDHE-ECDSA-WITH- - config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA - bool "Enable ECDH-ECDSA based ciphersuite modes" - depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C - default y - help - Enable to support ciphersuites with prefix TLS-ECDH-ECDSA-WITH- - - config MBEDTLS_KEY_EXCHANGE_ECDH_RSA - bool "Enable ECDH-RSA based ciphersuite modes" - depends on MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE && MBEDTLS_ECDH_C - default y - help - Enable to support ciphersuites with prefix TLS-ECDH-RSA-WITH- - config MBEDTLS_KEY_EXCHANGE_ECJPAKE bool "Enable ECJPAKE based ciphersuite modes" depends on MBEDTLS_ECJPAKE_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED @@ -897,15 +857,6 @@ menu "mbedTLS" Disabling this option will save some code size. endmenu - config MBEDTLS_CIPHER_C - bool "Cipher abstraction layer" - default y - help - Enable the cipher abstraction layer. This enables generic cipher wrappers - for the block ciphers and stream ciphers. - If you are not using the cipher abstraction layer, you can disable this - option to save some code size. - menu "Symmetric Ciphers" config MBEDTLS_AES_C bool "AES block cipher" @@ -999,7 +950,7 @@ menu "mbedTLS" config MBEDTLS_GCM_C bool "GCM (Galois/Counter) block cipher modes" default y - depends on (MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C) && MBEDTLS_CIPHER_C + depends on (MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C) help Enable Galois/Counter Mode for AES and/or Camellia ciphers. 
@@ -1008,53 +959,10 @@ menu "mbedTLS" config MBEDTLS_NIST_KW_C bool "NIST key wrapping (KW) and KW padding (KWP)" default n - depends on MBEDTLS_AES_C && MBEDTLS_CIPHER_C + depends on MBEDTLS_AES_C help Enable NIST key wrapping and key wrapping padding. - config MBEDTLS_CIPHER_PADDING - bool "Cipher padding" - default y - depends on MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB - help - Enable padding for block ciphers. - - Padding is only used for block ciphers in CBC, CFB, CTR and OFB modes. - If you are using a stream cipher or a block cipher in ECB mode, you can - disable this option to save code size. - - config MBEDTLS_CIPHER_PADDING_PKCS7 - bool "PKCS#7 padding" - default y - depends on MBEDTLS_CIPHER_PADDING && \ - (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) - help - Enable PKCS#7 padding for block ciphers. - - config MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS - bool "One and zeros padding" - default y - depends on MBEDTLS_CIPHER_PADDING && \ - (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) - help - Enable one and zeros padding for block ciphers. - - config MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN - bool "Zeros and length padding" - default y - depends on MBEDTLS_CIPHER_PADDING && \ - (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) - help - Enable zeros and length padding for block ciphers. - - config MBEDTLS_CIPHER_PADDING_ZEROS - bool "Zeros padding" - default y - depends on MBEDTLS_CIPHER_PADDING && \ - (MBEDTLS_CIPHER_MODE_CBC || MBEDTLS_CIPHER_MODE_CFB || MBEDTLS_CIPHER_MODE_OFB) - help - Enable zeros padding for block ciphers. - config MBEDTLS_AES_ROM_TABLES bool "Store AES tables in ROM" default y 
@@ -1082,7 +990,6 @@ menu "mbedTLS" config MBEDTLS_CMAC_C bool "Enable CMAC mode for block ciphers" default y - select MBEDTLS_CIPHER_C depends on (MBEDTLS_AES_C || MBEDTLS_DES_C) help Enable the CMAC (Cipher-based Message Authentication Code) mode for @@ -1101,18 +1008,10 @@ menu "mbedTLS" If you don't need any of these algorithms, you can disable this option to save code size. - config MBEDTLS_GENPRIME - bool "Enable hardware prime number generation" - default y - depends on MBEDTLS_BIGNUM_C - help - Enable prime number generation. - config MBEDTLS_RSA_C bool "RSA public key cryptosystem" default y select MBEDTLS_BIGNUM_C - select MBEDTLS_OID_C help Enable RSA. Needed to use RSA-xxx TLS ciphersuites. @@ -1120,20 +1019,6 @@ menu "mbedTLS" bool "Enable Elliptic Curve Ciphers(ECC) support" default y menu "Supported Curves" - config MBEDTLS_ECP_DP_SECP192R1_ENABLED - bool "Enable SECP192R1 curve" - depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) - help - Enable support for SECP192R1 Elliptic Curve. - - config MBEDTLS_ECP_DP_SECP224R1_ENABLED - bool "Enable SECP224R1 curve" - depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) - help - Enable support for SECP224R1 Elliptic Curve. - config MBEDTLS_ECP_DP_SECP256R1_ENABLED bool "Enable SECP256R1 curve" depends on MBEDTLS_ECP_C 
@@ -1155,20 +1040,6 @@ menu "mbedTLS" help Enable support for SECP521R1 Elliptic Curve. - config MBEDTLS_ECP_DP_SECP192K1_ENABLED - bool "Enable SECP192K1 curve" - depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) - help - Enable support for SECP192K1 Elliptic Curve. - - config MBEDTLS_ECP_DP_SECP224K1_ENABLED - bool "Enable SECP224K1 curve" - depends on MBEDTLS_ECP_C - default y if !(MBEDTLS_ATCA_HW_ECDSA_SIGN || MBEDTLS_ATCA_HW_ECDSA_VERIFY) - help - Enable support for SECP224K1 Elliptic Curve. - config MBEDTLS_ECP_DP_SECP256K1_ENABLED bool "Enable SECP256K1 curve" depends on MBEDTLS_ECP_C @@ -1235,9 +1106,10 @@ menu "mbedTLS" Define this option only if you enable MBEDTLS_ECP_RESTARTABLE or if you want to access ECDH context fields directly. + # TODO: IDF-15031 config MBEDTLS_DHM_C bool "Diffie-Hellman-Merkle key exchange (DHM)" - default y + default n select MBEDTLS_BIGNUM_C depends on MBEDTLS_ECP_C help @@ -1306,14 +1178,6 @@ menu "mbedTLS" endmenu menu "Hash functions" - config MBEDTLS_HKDF_C - bool "HKDF algorithm (RFC 5869)" - default n - depends on MBEDTLS_MD_C - help - Enable support for the Hashed Message Authentication Code - (HMAC)-based key derivation function (HKDF). - config MBEDTLS_POLY1305_C bool "Poly1305 MAC algorithm" default n @@ -1525,7 +1389,7 @@ menu "mbedTLS" bool "Fallback to software implementation for larger MPI values" depends on MBEDTLS_HARDWARE_MPI default y if SOC_RSA_MAX_BIT_LEN <= 3072 # HW max 3072 bits - default n + default y help Fallback to software implementation for RSA key lengths larger than SOC_RSA_MAX_BIT_LEN. If this is not active 
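Review bot: In the last hunk on this line, changing the fallback to `default y` makes the preceding `default y if SOC_RSA_MAX_BIT_LEN <= 3072` redundant, because the option is now `y` on every target. Either drop the conditional line or add a comment that gives the actual reason the software MPI fallback is enabled everywhere. The `config` line and the rest of the `help` text are outside the hunk.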
@@ -1670,12 +1534,6 @@ menu "mbedTLS" it also increases the binary size by ~1.2 KB as it pulls in the peripheral's block mode code as well. - config MBEDTLS_PK_RSA_ALT_SUPPORT - bool "Enable RSA alt support" - default y - help - Support external private RSA keys (eg from a HSM) int the PK layer. - config MBEDTLS_ATCA_HW_ECDSA_SIGN bool "Enable hardware ECDSA sign acceleration when using ATECC608A" default n @@ -1692,14 +1550,6 @@ menu "mbedTLS" endmenu menu "Entropy and Random Number Generation" - config MBEDTLS_ENTROPY_C - bool "Enable entropy support" - default y - depends on MBEDTLS_SHA256_C || MBEDTLS_SHA512_C - help - Enable support for entropy sources and provides a generic - entropy pool. - config MBEDTLS_ENTROPY_FORCE_SHA256 bool "Force SHA-256 for entropy" default n @@ -1741,17 +1591,11 @@ menu "mbedTLS" config MBEDTLS_PKCS7_C bool "Enable PKCS number 7" default y - depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_OID_C && MBEDTLS_PK_PARSE_C && \ + depends on MBEDTLS_ASN1_PARSE_C && MBEDTLS_PK_PARSE_C && \ MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_X509_CRL_PARSE_C && MBEDTLS_BIGNUM_C && MBEDTLS_MD_C help Enable PKCS number 7 core for using PKCS number 7-formatted signatures. - config MBEDTLS_PKCS12_C - bool "Enable PKCS number 12" - default y - depends on MBEDTLS_ASN1_PARSE_C && (MBEDTLS_MD_C) - help - Enable PKCS number 12 core for using PKCS number 12-formatted signatures. config MBEDTLS_PKCS1_V15 bool "Enable PKCS#1 v1.5 padding" default y @@ -1784,6 +1628,7 @@ menu "mbedTLS" config MBEDTLS_USE_CRYPTO_ROM_IMPL_BOOTLOADER bool "Use ROM implementation of the crypto algorithm in the bootloader" + # TODO: IDF-15012 depends on ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB && !MBEDTLS_VER_4_X_SUPPORT default "n" select MBEDTLS_AES_C @@ -1795,6 +1640,7 @@ menu "mbedTLS" config MBEDTLS_USE_CRYPTO_ROM_IMPL bool "Use ROM implementation of the crypto algorithm" + # TODO: IDF-15012 depends on ESP_ROM_HAS_MBEDTLS_CRYPTO_LIB && !MBEDTLS_VER_4_X_SUPPORT default "n" select MBEDTLS_SHA512_C 
diff --git a/components/mbedtls/config/mbedtls_preset_bt.conf b/components/mbedtls/config/mbedtls_preset_bt.conf index 8a816c6f08..93b9f68aa6 100644 --- a/components/mbedtls/config/mbedtls_preset_bt.conf +++ b/components/mbedtls/config/mbedtls_preset_bt.conf @@ -31,7 +31,6 @@ CONFIG_MBEDTLS_SSL_PROTO_TLS1_2=n CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=n # TLS Key Exchange Configuration -CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=n CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=n CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=n CONFIG_MBEDTLS_SSL_ALPN=n @@ -39,11 +38,6 @@ CONFIG_MBEDTLS_SSL_RENEGOTIATION=n CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=n CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=n -# DTLS Protocol Configuration - -# Cipher Abstraction Layer -CONFIG_MBEDTLS_CIPHER_C=y - # Symmetric Ciphers CONFIG_MBEDTLS_ARIA_C=n CONFIG_MBEDTLS_CCM_C=n @@ -54,23 +48,15 @@ CONFIG_MBEDTLS_CIPHER_MODE_OFB=n CONFIG_MBEDTLS_CIPHER_MODE_XTS=y CONFIG_MBEDTLS_GCM_C=n CONFIG_MBEDTLS_PKCS5_C=n -CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=n -CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n -CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n CONFIG_MBEDTLS_AES_FEWER_TABLES=y # Elliptic Curve Ciphers Configuration -CONFIG_MBEDTLS_ECP_NIST_OPTIM=n -CONFIG_MBEDTLS_DHM_C=n +CONFIG_MBEDTLS_ECP_NIST_OPTIM=y CONFIG_MBEDTLS_ECDSA_C=y CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=n CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=n -CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=n -CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=n -CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=n -CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=n 
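Review bot: `CONFIG_MBEDTLS_ECP_NIST_OPTIM` flips from `n` to `y` in the hunk at `@@ -54,23 +48,15 @@` with no comment, in a preset that otherwise switches features off. The same unexplained flip happens to `CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256` (`y` to `n`) in the next hunk of this file. The second one needs more care: that hunk's header shows `CONFIG_MBEDTLS_SHA512_C=n` for this preset, so it is worth confirming which hash the entropy module ends up using once SHA-256 is no longer forced. A one-line `#` comment above each changed value, stating why the BT preset needs it, would make both changes reviewable.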
@@ -84,12 +70,10 @@ CONFIG_MBEDTLS_SHA512_C=n CONFIG_MBEDTLS_MD5_C=n CONFIG_MBEDTLS_MPI_USE_INTERRUPT=n CONFIG_MBEDTLS_ECC_OTHER_CURVES_SOFT_FALLBACK=n -CONFIG_MBEDTLS_GENPRIME=y -CONFIG_MBEDTLS_PKCS12_C=n CONFIG_MBEDTLS_PKCS1_V21=n -CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=y +CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=n CONFIG_MBEDTLS_CTR_DRBG_C=y CONFIG_ESP_WIFI_MBEDTLS_TLS_CLIENT=n diff --git a/components/mbedtls/config/mbedtls_preset_default.conf b/components/mbedtls/config/mbedtls_preset_default.conf index f34bd4d963..affbd1556e 100644 --- a/components/mbedtls/config/mbedtls_preset_default.conf +++ b/components/mbedtls/config/mbedtls_preset_default.conf @@ -42,7 +42,6 @@ CONFIG_MBEDTLS_X509_RSASSA_PSS_SUPPORT=y CONFIG_MBEDTLS_X509_TRUSTED_CERT_CALLBACK=n CONFIG_MBEDTLS_ASN1_PARSE_C=y CONFIG_MBEDTLS_ASN1_WRITE_C=y -CONFIG_MBEDTLS_OID_C=y CONFIG_MBEDTLS_CERTIFICATE_BUNDLE=y CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_CMN=y CONFIG_MBEDTLS_CERTIFICATE_BUNDLE_DEFAULT_NONE=n @@ -75,12 +74,9 @@ CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=n CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=n CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=n CONFIG_MBEDTLS_KEY_EXCHANGE_RSA=y -CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA=y CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=y -CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=y CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=y CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=y -CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=y CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y CONFIG_MBEDTLS_SSL_ALPN=y CONFIG_MBEDTLS_SSL_MAX_FRAGMENT_LENGTH=y @@ -93,9 +89,6 @@ CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=y # DTLS Protocol Configuration CONFIG_MBEDTLS_SSL_PROTO_DTLS=n -# Cipher Abstraction Layer -CONFIG_MBEDTLS_CIPHER_C=n - # Symmetric Ciphers CONFIG_MBEDTLS_AES_C=y CONFIG_MBEDTLS_CAMELLIA_C=n 
@@ -111,12 +104,7 @@ CONFIG_MBEDTLS_CIPHER_MODE_OFB=y CONFIG_MBEDTLS_CIPHER_MODE_XTS=y CONFIG_MBEDTLS_GCM_C=y CONFIG_MBEDTLS_NIST_KW_C=n -CONFIG_MBEDTLS_CIPHER_PADDING=y -CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=y CONFIG_MBEDTLS_PKCS5_C=y -CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=y -CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=y -CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=y CONFIG_MBEDTLS_AES_ROM_TABLES=y CONFIG_MBEDTLS_AES_FEWER_TABLES=n CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=n @@ -130,7 +118,6 @@ CONFIG_MBEDTLS_RSA_C=y CONFIG_MBEDTLS_ECP_C=y CONFIG_MBEDTLS_ECP_NIST_OPTIM=y CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM=n -CONFIG_MBEDTLS_DHM_C=y CONFIG_MBEDTLS_ECDH_C=y CONFIG_MBEDTLS_ECJPAKE_C=n CONFIG_MBEDTLS_ECDSA_C=y @@ -138,13 +125,9 @@ CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=y CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=y CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y CONFIG_MBEDTLS_ECP_RESTARTABLE=n -CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=y -CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=y CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=y CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=y -CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=y -CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=y CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=y CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=y CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=y @@ -166,7 +149,6 @@ CONFIG_MBEDTLS_GCM_SUPPORT_NON_AES_CIPHER=y CONFIG_MBEDTLS_HARDWARE_AES=y CONFIG_MBEDTLS_AES_USE_INTERRUPT=y CONFIG_MBEDTLS_AES_INTERRUPT_LEVEL=0 -CONFIG_MBEDTLS_PK_RSA_ALT_SUPPORT=y CONFIG_MBEDTLS_HARDWARE_MPI=y # CONFIG_MBEDTLS_LARGE_KEY_SOFTWARE_MPI=n CONFIG_MBEDTLS_MPI_USE_INTERRUPT=y @@ -179,11 +161,9 @@ CONFIG_MBEDTLS_ATCA_HW_ECDSA_SIGN=n CONFIG_MBEDTLS_ATCA_HW_ECDSA_VERIFY=n CONFIG_MBEDTLS_PKCS7_C=y -CONFIG_MBEDTLS_PKCS12_C=y CONFIG_MBEDTLS_PKCS1_V15=y CONFIG_MBEDTLS_PKCS1_V21=y -CONFIG_MBEDTLS_ENTROPY_C=y CONFIG_MBEDTLS_ENTROPY_FORCE_SHA256=n CONFIG_MBEDTLS_CTR_DRBG_C=y CONFIG_MBEDTLS_HMAC_DRBG_C=y 
@@ -192,7 +172,6 @@ CONFIG_MBEDTLS_BASE64_C=y CONFIG_MBEDTLS_CHACHA20_C=n CONFIG_MBEDTLS_POLY1305_C=n -CONFIG_MBEDTLS_HKDF_C=n # # End of mbedTLS Minimal Configuration Preset diff --git a/components/mbedtls/config/mbedtls_preset_minimal.conf b/components/mbedtls/config/mbedtls_preset_minimal.conf index 1b44f12e2b..59a375098d 100644 --- a/components/mbedtls/config/mbedtls_preset_minimal.conf +++ b/components/mbedtls/config/mbedtls_preset_minimal.conf @@ -35,9 +35,7 @@ CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=y CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=n CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=n CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA=n -CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA=n CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA=n -CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA=n CONFIG_MBEDTLS_KEY_EXCHANGE_ELLIPTIC_CURVE=n CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=n CONFIG_MBEDTLS_SSL_ALPN=n @@ -46,10 +44,6 @@ CONFIG_MBEDTLS_SSL_RENEGOTIATION=n CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=n CONFIG_MBEDTLS_SERVER_SSL_SESSION_TICKETS=n - -# Cipher Abstraction Layer -CONFIG_MBEDTLS_CIPHER_C=y - # Symmetric Ciphers CONFIG_MBEDTLS_ARIA_C=n CONFIG_MBEDTLS_BLOWFISH_C=n @@ -57,12 +51,7 @@ CONFIG_MBEDTLS_CCM_C=n CONFIG_MBEDTLS_CIPHER_MODE_OFB=n CONFIG_MBEDTLS_CIPHER_MODE_XTS=y CONFIG_MBEDTLS_GCM_C=n -CONFIG_MBEDTLS_CIPHER_PADDING=n -CONFIG_MBEDTLS_CIPHER_PADDING_PKCS7=n CONFIG_MBEDTLS_PKCS5_C=n -CONFIG_MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS=n -CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN=n -CONFIG_MBEDTLS_CIPHER_PADDING_ZEROS=n CONFIG_MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH=y CONFIG_MBEDTLS_CMAC_C=n 
@@ -72,19 +61,14 @@ CONFIG_MBEDTLS_RSA_C=y # Elliptic Curve Ciphers Configuration CONFIG_MBEDTLS_ECP_C=n CONFIG_MBEDTLS_ECP_NIST_OPTIM=n -CONFIG_MBEDTLS_DHM_C=n CONFIG_MBEDTLS_ECDH_C=n CONFIG_MBEDTLS_ECDSA_C=n CONFIG_MBEDTLS_PK_PARSE_EC_EXTENDED=n CONFIG_MBEDTLS_PK_PARSE_EC_COMPRESSED=n CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=n -CONFIG_MBEDTLS_ECP_DP_SECP192R1_ENABLED=n -CONFIG_MBEDTLS_ECP_DP_SECP224R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP384R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP521R1_ENABLED=n -CONFIG_MBEDTLS_ECP_DP_SECP192K1_ENABLED=n -CONFIG_MBEDTLS_ECP_DP_SECP224K1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_SECP256K1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_BP256R1_ENABLED=n CONFIG_MBEDTLS_ECP_DP_BP384R1_ENABLED=n diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls index ffb280bb63..02849218b3 160000 --- a/components/mbedtls/mbedtls +++ b/components/mbedtls/mbedtls @@ -1 +1 @@ -Subproject commit ffb280bb63c78bfec1e1ab55040671768c85c923 +Subproject commit 02849218b3c75d37142940ee10be51d681ce6709 diff --git a/components/mbedtls/port/esp_hardware.c b/components/mbedtls/port/esp_hardware.c index a89144ff56..db79471b2e 100644 --- a/components/mbedtls/port/esp_hardware.c +++ b/components/mbedtls/port/esp_hardware.c @@ -3,22 +3,13 @@ * * SPDX-License-Identifier: Apache-2.0 */ -#include #include #include #include #include "esp_random.h" -#include "mbedtls/esp_mbedtls_random.h" -#if defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) -#include "psa/crypto.h" -#endif - #include - -#ifndef MBEDTLS_ENTROPY_HARDWARE_ALT -#error "MBEDTLS_ENTROPY_HARDWARE_ALT should always be set in ESP-IDF" -#endif +#include "psa/crypto.h" int mbedtls_hardware_poll( void *data, unsigned char *output, size_t len, size_t *olen ) 
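Review bot: Removing the `#error "MBEDTLS_ENTROPY_HARDWARE_ALT should always be set in ESP-IDF"` check at the top of esp_hardware.c leaves no compile-time assertion that a hardware entropy hook is configured, and the commit adds no replacement. If the port still requires one under the new configuration, an equivalent guard on the macro used later in this file would keep that guarantee: `#if !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY)`, `#error "MBEDTLS_PSA_DRIVER_GET_ENTROPY should always be set in ESP-IDF"`, `#endif`. The later hunk treats that macro as optional, so confirm the intent before adding it. `mbedtls_hardware_poll()` is kept as context and its body lies outside this hunk; whether the updated library still calls it is not visible here.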
@@ -28,17 +19,7 @@ int mbedtls_hardware_poll( void *data, return 0; } -int mbedtls_esp_random(void *ctx, unsigned char *buf, size_t len) -{ - (void) ctx; // unused - esp_fill_random(buf, len); - return 0; -} - -#if defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) -int mbedtls_platform_get_entropy(unsigned char *output, size_t output_size, - size_t *output_len, size_t *entropy_content); - +#if defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) psa_status_t mbedtls_psa_external_get_random( mbedtls_psa_external_random_context_t *context, uint8_t *output, size_t output_size, size_t *output_length) @@ -50,17 +31,4 @@ psa_status_t mbedtls_psa_external_get_random( *output_length = output_size; return PSA_SUCCESS; } - -int mbedtls_platform_get_entropy(unsigned char *output, size_t output_size, - size_t *output_len, size_t *entropy_content) -{ - if (output == NULL || output_size == 0 || output_len == NULL || entropy_content == NULL) { - return -1; - } - - esp_fill_random(output, output_size); - *output_len = output_size; - *entropy_content = 8 * output_size; - return 0; -} -#endif // MBEDTLS_PLATFORM_GET_ENTROPY_ALT +#endif // MBEDTLS_PSA_DRIVER_GET_ENTROPY
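Review bot: The guard `MBEDTLS_PSA_DRIVER_GET_ENTROPY` introduced at `@@ -28,17 +19,7 @@` does not look like the option that selects `mbedtls_psa_external_get_random()`, and the last hunk deletes `mbedtls_platform_get_entropy()` from the same block. As far as I know, upstream pairs `mbedtls_psa_external_get_random()` with `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` and expects an `mbedtls_platform_get_entropy()` implementation when `MBEDTLS_PSA_DRIVER_GET_ENTROPY` is set; please confirm against the headers of the updated submodule. If that holds, either guard this function with `#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)` or keep an entropy callback under the new macro. Otherwise the build may fail at link time or end up without the hardware-backed source. The function body sits between the two hunks and is not visible here.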