diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt index 28556aeed5a..81a67bdc017 100644 --- a/components/mbedtls/CMakeLists.txt +++ b/components/mbedtls/CMakeLists.txt @@ -126,6 +126,12 @@ if(${IDF_TARGET} STREQUAL "linux") set(mbedtls_target_sources ${mbedtls_target_sources} "${COMPONENT_DIR}/port/net_sockets.c") endif() +# While updating to MbedTLS release/v3.4.0, building mbedtls/library/psa_crypto.c +# clang produces an unreachable-code warning. +if(CMAKE_C_COMPILER_ID MATCHES "Clang") + target_compile_options(mbedcrypto PRIVATE "-Wno-unreachable-code") +endif() + # net_sockets.c should only be compiled if BSD socket functions are available. # Do this by checking if lwip component is included into the build. idf_build_get_property(build_components BUILD_COMPONENTS) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 0b3d67de111..b76e29a4d9a 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -246,6 +246,13 @@ menu "mbedTLS" See mbedTLS documentation for required API and more details. + config MBEDTLS_PKCS7_C + bool "Enable PKCS #7" + default y + depends on MBEDTLS_X509_CRL_PARSE_C + help + Enable PKCS #7 core for using PKCS #7-formatted signatures. + menu "DTLS-based configurations" depends on MBEDTLS_SSL_PROTO_DTLS @@ -351,6 +358,7 @@ menu "mbedTLS" config MBEDTLS_ECP_RESTARTABLE bool "Enable mbedTLS ecp restartable" select MBEDTLS_ECDH_LEGACY_CONTEXT + depends on MBEDTLS_ECP_C default n help Enable "non-blocking" ECC operations that can return early and be resumed. diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls index e39975969d5..f5fca55508d 160000 --- a/components/mbedtls/mbedtls +++ b/components/mbedtls/mbedtls @@ -1 +1 @@ -Subproject commit e39975969d548572a39875ad29abd88b23285f94 +Subproject commit f5fca55508d9d18961b10824d5cf5d8338c087f6 
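Review bot: The `-Wno-unreachable-code` option in the added `if(CMAKE_C_COMPILER_ID MATCHES "Clang")` block applies to the whole `mbedcrypto` target, although the comment attributes the warning to one file, `mbedtls/library/psa_crypto.c`. In a crypto library an unreachable-code warning can be the only sign of a check that never runs, so silencing it for every source in the target loses that signal. If the build layout allows it, limit the option to that one file with a per-source `COMPILE_OPTIONS` property. The comment should also state when the suppression can go, e.g. `# Remove once psa_crypto.c builds without this warning under clang.`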
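Review bot: `default y` on the new `MBEDTLS_PKCS7_C` option enables the PKCS #7 module in every configuration that has `MBEDTLS_X509_CRL_PARSE_C`, including existing projects that pick the symbol up on upgrade. That adds an ASN.1 parser, with its code size and input-handling surface, to applications that may never process PKCS #7 data. Unless something in the tree depends on it, `default n` is the more conservative choice. The help text could also tell users when to leave it off, e.g. `Enable PKCS #7 core for using PKCS #7-formatted signatures. Leave disabled if the application does not handle PKCS #7 data.`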
diff --git a/components/mbedtls/port/dynamic/esp_ssl_tls.c b/components/mbedtls/port/dynamic/esp_ssl_tls.c
index dad7414388f..e242b2ced6c 100644
--- a/components/mbedtls/port/dynamic/esp_ssl_tls.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_tls.c
@@ -4,6 +4,7 @@
 * SPDX-License-Identifier: Apache-2.0
 */
 #include
+#include "mbedtls/error.h"
 #include "esp_mbedtls_dynamic_impl.h"
 int __real_mbedtls_ssl_write(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len);
@@ -42,15 +43,17 @@ static int rx_done(mbedtls_ssl_context *ssl)
 return 0;
 }
-static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
+static int ssl_update_checksum_start( mbedtls_ssl_context *ssl,
 const unsigned char *buf, size_t len )
 {
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
 #if defined(MBEDTLS_SHA256_C)
- mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
+ ret = mbedtls_md_update( &ssl->handshake->fin_sha256, buf, len );
 #endif
 #if defined(MBEDTLS_SHA512_C)
- mbedtls_sha512_update( &ssl->handshake->fin_sha384, buf, len );
+ ret = mbedtls_md_update( &ssl->handshake->fin_sha384, buf, len );
 #endif
+ return ret;
 }
 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
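Review bot: When both `MBEDTLS_SHA256_C` and `MBEDTLS_SHA512_C` are defined, the second `ret = mbedtls_md_update(...)` in `ssl_update_checksum_start` overwrites the result of the first, so a failed SHA-256 transcript update is reported as success. The function now exists to report that error, so return early after the first call by placing `if (ret != 0) { return ret; }` before the `#if defined(MBEDTLS_SHA512_C)` block. With neither macro defined the function returns `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED`. If that path is meant to be unreachable, a comment such as `/* at least one of SHA-256 / SHA-384 is always enabled for TLS */` would make the intent clear.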
@@ -58,12 +61,18 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
 #if defined(MBEDTLS_SHA256_C)
- mbedtls_sha256_init( &handshake->fin_sha256 );
- mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
+ mbedtls_md_init( &handshake->fin_sha256 );
+ mbedtls_md_setup( &handshake->fin_sha256,
+ mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+ 0 );
+ mbedtls_md_starts( &handshake->fin_sha256 );
 #endif
 #if defined(MBEDTLS_SHA512_C)
- mbedtls_sha512_init( &handshake->fin_sha384 );
- mbedtls_sha512_starts( &handshake->fin_sha384, 1 );
+ mbedtls_md_init( &handshake->fin_sha384 );
+ mbedtls_md_setup( &handshake->fin_sha384,
+ mbedtls_md_info_from_type(MBEDTLS_MD_SHA384),
+ 0 );
+ mbedtls_md_starts( &handshake->fin_sha384 );
 #endif
 handshake->update_checksum = ssl_update_checksum_start;
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index ea2efa243ad..4cc3b2d4a79 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
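Review bot: The return values of `mbedtls_md_setup()` and `mbedtls_md_starts()` are discarded in both digest blocks of `ssl_handshake_params_init`. Unlike the `mbedtls_sha256_*`/`mbedtls_sha512_*` calls they replace, `mbedtls_md_setup()` allocates and can fail, and `mbedtls_md_info_from_type(MBEDTLS_MD_SHA384)` can return NULL if a build has SHA-512 without SHA-384, since the block is guarded only by `MBEDTLS_SHA512_C`. Either case leaves `fin_sha256`/`fin_sha384` unusable while the handshake carries on. Each call should be checked, e.g. `if ((ret = mbedtls_md_starts(&handshake->fin_sha256)) != 0) return ret;`, which means the function must return `int` rather than `void`. Its end and its caller are outside this hunk, so that part cannot be confirmed here. The contexts now own heap memory, so the teardown path presumably needs a matching `mbedtls_md_free()`.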
@@ -314,12 +314,36 @@
 * This is useful in non-threaded environments if you want to avoid blocking
 * for too long on ECC (and, hence, X.509 or SSL/TLS) operations.
 *
- * Uncomment this macro to enable restartable ECC computations.
+ * This option:
+ * - Adds xxx_restartable() variants of existing operations in the
+ * following modules, with corresponding restart context types:
+ * - ECP (for Short Weierstrass curves only): scalar multiplication (mul),
+ * linear combination (muladd);
+ * - ECDSA: signature generation & verification;
+ * - PK: signature generation & verification;
+ * - X509: certificate chain verification.
+ * - Adds mbedtls_ecdh_enable_restart() in the ECDH module.
+ * - Changes the behaviour of TLS 1.2 clients (not servers) when using the
+ * ECDHE-ECDSA key exchange (not other key exchanges) to make all ECC
+ * computations restartable:
+ * - ECDH operations from the key exchange, only for Short Weierstrass
+ * curves, only when MBEDTLS_USE_PSA_CRYPTO is not enabled.
+ * - verification of the server's key exchange signature;
+ * - verification of the server's certificate chain;
+ * - generation of the client's signature if client authentication is used,
+ * with an ECC key/certificate.
+ *
+ * \note In the cases above, the usual SSL/TLS functions, such as
+ * mbedtls_ssl_handshake(), can now return
+ * MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS.
 *
 * \note This option only works with the default software implementation of
 * elliptic curve functionality. It is incompatible with
- * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT
- * and MBEDTLS_ECDH_LEGACY_CONTEXT.
+ * MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT.
+ *
+ * Requires: MBEDTLS_ECP_C
+ *
+ * Uncomment this macro to enable restartable ECC computations.
 */
 #ifdef CONFIG_MBEDTLS_ECP_RESTARTABLE
 #define MBEDTLS_ECP_RESTARTABLE
@@ -1105,6 +1129,19 @@
 */
 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
+/**
+ * \def MBEDTLS_SSL_RECORD_SIZE_LIMIT
+ *
+ * Enable support for RFC 8449 record_size_limit extension in SSL (TLS 1.3 only).
+ *
+ * \warning This extension is currently in development and must NOT be used except
+ * for testing purposes.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_3
+ *
+ * Uncomment this macro to enable support for the record_size_limit extension
+ */
+//#define MBEDTLS_SSL_RECORD_SIZE_LIMIT
 /**
 * \def MBEDTLS_SSL_PROTO_TLS1_2
@@ -1262,21 +1299,21 @@
 #define MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS 1
 /**
-* \def MBEDTLS_SSL_EARLY_DATA
-*
-* Enable support for RFC 8446 TLS 1.3 early data.
-*
-* Requires: MBEDTLS_SSL_SESSION_TICKETS and either
-* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
-* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-*
-* Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
-* is not enabled, this option does not have any effect on the build.
-*
-* This feature is experimental, not completed and thus not ready for
-* production.
-*
-*/
+ * \def MBEDTLS_SSL_EARLY_DATA
+ *
+ * Enable support for RFC 8446 TLS 1.3 early data.
+ *
+ * Requires: MBEDTLS_SSL_SESSION_TICKETS and either
+ * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED or
+ * MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+ *
+ * Comment this to disable support for early data. If MBEDTLS_SSL_PROTO_TLS1_3
+ * is not enabled, this option does not have any effect on the build.
+ *
+ * This feature is experimental, not completed and thus not ready for
+ * production.
+ *
+ */
 //#define MBEDTLS_SSL_EARLY_DATA
 /**
@@ -2289,9 +2326,13 @@
 * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
 * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
 *
- * This module is required for the PKCS7 parsing modules.
+ * This module is required for the PKCS #7 parsing modules.
 */
-//#define MBEDTLS_PKCS7_C
+#ifdef CONFIG_MBEDTLS_PKCS7_C
+#define MBEDTLS_PKCS7_C
+#else
+#undef MBEDTLS_PKCS7_C
+#endif
 /**
 * \def MBEDTLS_PKCS12_C