net: sockets_tls: add support for TLS 1.3
Enables TLS 1.3 sockets based on Mbed TLS. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This commit is contained in:
Valerio Setti
Anas Nashif
parent
33931cf8e1
commit
6be57aaedf
5 changed files with 95 additions and 26 deletions
|
|
@ -329,6 +329,18 @@ Libraries / Subsystems
|
|||
secure random sources when :kconfig:option:`CONFIG_MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG`
|
||||
is also enabled. This is only meant to be used for test purposes, not in production.
|
||||
(:github:`76408`)
|
||||
* The Kconfig symbol :kconfig:option:`CONFIG_MBEDTLS_TLS_VERSION_1_3` was added to
|
||||
enable TLS 1.3 support from Mbed TLS. When this is enabled the following
|
||||
new Kconfig symbols can also be enabled:
|
||||
|
||||
* :kconfig:option:`CONFIG_MBEDTLS_TLS_SESSION_TICKETS` to enable session tickets
|
||||
(RFC 5077);
|
||||
* :kconfig:option:`CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED`
|
||||
for TLS 1.3 PSK key exchange mode;
|
||||
* :kconfig:option:`CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED`
|
||||
for TLS 1.3 ephemeral key exchange mode;
|
||||
* :kconfig:option:`CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED`
|
||||
for TLS 1.3 PSK ephemeral key exchange mode.
|
||||
|
||||
* CMSIS-NN
|
||||
|
||||
|
|
|
|||
|
|
@ -78,6 +78,7 @@ enum net_ip_protocol_secure {
|
|||
IPPROTO_TLS_1_0 = 256, /**< TLS 1.0 protocol */
|
||||
IPPROTO_TLS_1_1 = 257, /**< TLS 1.1 protocol */
|
||||
IPPROTO_TLS_1_2 = 258, /**< TLS 1.2 protocol */
|
||||
IPPROTO_TLS_1_3 = 259, /**< TLS 1.3 protocol */
|
||||
IPPROTO_DTLS_1_0 = 272, /**< DTLS 1.0 protocol */
|
||||
IPPROTO_DTLS_1_2 = 273, /**< DTLS 1.2 protocol */
|
||||
};
|
||||
|
|
|
|||
|
|
@ -19,10 +19,24 @@ if MBEDTLS_TLS_VERSION_1_2
|
|||
config MBEDTLS_DTLS
|
||||
bool "Support for DTLS"
|
||||
|
||||
endif # MBEDTLS_TLS_VERSION_1_2
|
||||
|
||||
config MBEDTLS_TLS_VERSION_1_3
|
||||
bool "Support for TLS 1.3"
|
||||
|
||||
if MBEDTLS_TLS_VERSION_1_3
|
||||
|
||||
config MBEDTLS_TLS_SESSION_TICKETS
|
||||
bool "Support for RFC 5077 session tickets in TLS 1.3"
|
||||
|
||||
endif # MBEDTLS_TLS_VERSION_1_3
|
||||
|
||||
if MBEDTLS_TLS_VERSION_1_2 || MBEDTLS_TLS_VERSION_1_3
|
||||
|
||||
config MBEDTLS_SSL_ALPN
|
||||
bool "Support for setting the supported Application Layer Protocols"
|
||||
|
||||
endif
|
||||
endif # MBEDTLS_TLS_VERSION_1_2 || MBEDTLS_TLS_VERSION_1_3
|
||||
|
||||
endmenu # TLS
|
||||
|
||||
|
|
@ -57,21 +71,12 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
|
|||
config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
bool "RSA-PSK based ciphersuite modes"
|
||||
|
||||
config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
|
||||
bool
|
||||
default y
|
||||
depends on \
|
||||
MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || \
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || \
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
|
||||
|
||||
config MBEDTLS_PSK_MAX_LEN
|
||||
int "Max size of TLS pre-shared keys"
|
||||
default 32
|
||||
depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
|
||||
help
|
||||
Max size of TLS pre-shared keys, in bytes.
|
||||
Max size of TLS pre-shared keys, in bytes. It has no effect if no
|
||||
PSK key exchange is used.
|
||||
|
||||
config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
|
||||
bool "RSA-only based ciphersuite modes"
|
||||
|
|
@ -91,7 +96,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
|
|||
|
||||
config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
bool "ECDHE-ECDSA based ciphersuite modes"
|
||||
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C
|
||||
depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
|
||||
|
||||
config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||
bool "ECDH-ECDSA based ciphersuite modes"
|
||||
|
|
@ -108,6 +113,19 @@ config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
|||
bool "ECJPAKE based ciphersuite modes"
|
||||
depends on MBEDTLS_ECJPAKE_C
|
||||
|
||||
if MBEDTLS_TLS_VERSION_1_3
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
bool "TLS 1.3 PSK key exchange mode"
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
bool "TLS 1.3 ephemeral key exchange mode"
|
||||
|
||||
config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
bool "TLS 1.3 PSK ephemeral key exchange mode"
|
||||
|
||||
endif # MBEDTLS_TLS_VERSION_1_3
|
||||
|
||||
config MBEDTLS_HKDF_C
|
||||
bool "HMAC-based Extract-and-Expand Key Derivation Function"
|
||||
|
||||
|
|
|
|||
|
|
@ -57,14 +57,32 @@
|
|||
#define MBEDTLS_SSL_PROTO_TLS1_2
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_2)
|
||||
#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
|
||||
#define MBEDTLS_SSL_PROTO_TLS1_3
|
||||
#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||
#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
||||
#endif
|
||||
|
||||
/* Modules required for TLS */
|
||||
#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_2) || \
|
||||
defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
|
||||
|
||||
/* Common modules required for TLS 1.2 and 1.3 */
|
||||
#define MBEDTLS_SSL_TLS_C
|
||||
#define MBEDTLS_SSL_SRV_C
|
||||
#define MBEDTLS_SSL_CLI_C
|
||||
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
|
||||
/* This is not supported by Mbed TLS in TLS 1.3 mode
|
||||
* (see modules/crypto/mbedtls/docs/architecture/tls13-support.md).
|
||||
*/
|
||||
#if !defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
|
||||
#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
|
||||
#endif
|
||||
|
||||
#endif /* CONFIG_MBEDTLS_TLS_VERSION_1_2 || CONFIG_MBEDTLS_TLS_VERSION_1_3 */
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_TLS_SESSION_TICKETS)
|
||||
#define MBEDTLS_SSL_SESSION_TICKETS
|
||||
#define MBEDTLS_SSL_TICKET_C
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_DTLS)
|
||||
|
|
@ -128,6 +146,20 @@
|
|||
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
|
||||
#define MBEDTLS_SSL_EARLY_DATA
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
|
||||
#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
|
||||
#define MBEDTLS_SSL_EARLY_DATA
|
||||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_HKDF_C)
|
||||
#define MBEDTLS_HKDF_C
|
||||
#endif
|
||||
|
|
@ -353,12 +385,13 @@
|
|||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||
#define MBEDTLS_X509_CRT_PARSE_C
|
||||
#endif
|
||||
|
||||
|
|
@ -423,7 +456,7 @@
|
|||
#endif
|
||||
|
||||
#if defined(CONFIG_MBEDTLS_SERVER_NAME_INDICATION) && \
|
||||
defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#define MBEDTLS_SSL_SERVER_NAME_INDICATION
|
||||
#endif
|
||||
|
||||
|
|
|
|||
|
|
@ -1056,7 +1056,7 @@ static int tls_set_psk(struct tls_context *tls,
|
|||
struct tls_credential *psk,
|
||||
struct tls_credential *psk_id)
|
||||
{
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
|
||||
int err = mbedtls_ssl_conf_psk(&tls->config,
|
||||
psk->buf, psk->len,
|
||||
(const unsigned char *)psk_id->buf,
|
||||
|
|
@ -1421,6 +1421,10 @@ static int tls_mbedtls_init(struct tls_context *context, bool is_server)
|
|||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||
mbedtls_ssl_conf_early_data(&context->config, MBEDTLS_SSL_EARLY_DATA_ENABLED);
|
||||
#endif
|
||||
|
||||
ret = mbedtls_ssl_setup(&context->ssl,
|
||||
&context->config);
|
||||
if (ret != 0) {
|
||||
|
|
@ -2034,7 +2038,7 @@ static int protocol_check(int family, int type, int *proto)
|
|||
return -EAFNOSUPPORT;
|
||||
}
|
||||
|
||||
if (*proto >= IPPROTO_TLS_1_0 && *proto <= IPPROTO_TLS_1_2) {
|
||||
if (*proto >= IPPROTO_TLS_1_0 && *proto <= IPPROTO_TLS_1_3) {
|
||||
if (type != SOCK_STREAM) {
|
||||
return -EPROTOTYPE;
|
||||
}
|
||||
|
|
@ -2600,7 +2604,8 @@ static ssize_t recv_tls(struct tls_context *ctx, void *buf,
|
|||
if (ret == MBEDTLS_ERR_SSL_WANT_READ ||
|
||||
ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
|
||||
ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS ||
|
||||
ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
|
||||
ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS ||
|
||||
ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) {
|
||||
int timeout_ms;
|
||||
|
||||
if (!is_block) {
|
||||
|
|
|
|||
Loading…
Reference in a new issue