From 35f7eda54567b55a310d65b51370eccfb71cfcdd Mon Sep 17 00:00:00 2001
From: Tomi Fontanilles
Date: Fri, 2 May 2025 10:11:26 +0300
Subject: [PATCH] modules: mbedtls: make key exchange Kconfigs depend on, not select
Turn the MBEDTLS_RSA_FULL selects into depends on. This is how the other MBEDTLS_KEY_EXCHANGE_* Kconfig options are defined. This is done to avoid circular dependencies. At the same time update uses of the affected MBEDTLS_KEY_EXCHANGE_* Kconfig options to enable/disable the dependencies which used to be automatically handled.
Signed-off-by: Tomi Fontanilles
---
 modules/hostap/Kconfig | 3 +++
 modules/mbedtls/Kconfig.mbedtls | 24 ++++++++++---------
 samples/net/cloud/mqtt_azure/prj.conf | 3 +++
 samples/tfm_integration/psa_crypto/prj.conf | 4 ++++
 subsys/jwt/Kconfig | 4 ++++
 subsys/net/lib/sockets/Kconfig | 4 ++++
 tests/net/lib/lwm2m/interop/prj.conf | 2 +-
 .../tls_configurations/overlay-rsa.conf | 5 ++++
 tests/net/socket/tls_configurations/prj.conf | 2 ++
 9 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig
index dbb41f35933..e3745c8515a 100644
--- a/modules/hostap/Kconfig
+++ b/modules/hostap/Kconfig
@@ -145,6 +145,9 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO_ALT
 select MBEDTLS_ECDH_C
 select MBEDTLS_ECDSA_C
 select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ select MBEDTLS_RSA_C
+ select MBEDTLS_PKCS1_V15
+ select MBEDTLS_PKCS1_V21
 select MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 select MBEDTLS_NIST_KW_C
 select MBEDTLS_DHM_C
diff --git a/modules/mbedtls/Kconfig.mbedtls b/modules/mbedtls/Kconfig.mbedtls
index f81f91b62cc..89344085505 100644
--- a/modules/mbedtls/Kconfig.mbedtls
+++ b/modules/mbedtls/Kconfig.mbedtls
@@ -46,28 +46,29 @@ comment "Supported key exchange modes"
 config MBEDTLS_RSA_C
 bool "RSA base support"
+ default y if UOSCORE || UEDHOC
 if MBEDTLS_RSA_C
 config MBEDTLS_PKCS1_V15
 bool "RSA PKCS1 v1.5"
+ default y if UOSCORE || UEDHOC
 config MBEDTLS_PKCS1_V21
 bool "RSA PKCS1 v2.1"
+ default y if UOSCORE || UEDHOC
 config MBEDTLS_GENPRIME_ENABLED
 bool "Prime number generation code"
 endif # MBEDTLS_RSA_C
-config MBEDTLS_RSA_FULL
- bool
+config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
+ bool "All available ciphersuite modes"
+ select MBEDTLS_MD
 select MBEDTLS_RSA_C
 select MBEDTLS_PKCS1_V15
 select MBEDTLS_PKCS1_V21
-
-config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
- bool "All available ciphersuite modes"
 select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 select MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
 select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -92,7 +93,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 bool "RSA-PSK based ciphersuite modes"
- select MBEDTLS_RSA_FULL
+ depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 config MBEDTLS_PSK_MAX_LEN
 int "Max size of TLS pre-shared keys"
@@ -104,8 +105,8 @@ config MBEDTLS_PSK_MAX_LEN
 config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 bool "RSA-only based ciphersuite modes"
 default y if UOSCORE || UEDHOC
- select MBEDTLS_MD
- select MBEDTLS_RSA_FULL
+ depends on MBEDTLS_MD
+ depends on PSA_CRYPTO_CLIENT || MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
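Review bot: The new `depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21` on MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED accepts a build with only PKCS#1 v2.1, a combination the removed `select MBEDTLS_RSA_FULL` ruled out by always pulling in both paddings. The TLS 1.2 RSA key exchanges are built on PKCS#1 v1.5, and as far as I know Mbed TLS's own configuration check rejects them without it, so a v2.1-only configuration would pass Kconfig and then fail at build time; please confirm against the vendored check_config.h. If that holds, the line should read `depends on MBEDTLS_PKCS1_V15`. The same expression appears on MBEDTLS_KEY_EXCHANGE_RSA_ENABLED in the next hunk and on the DHE_RSA and ECDHE_RSA options in the hunk at -113.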
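Review bot: The `PSA_CRYPTO_CLIENT ||` alternative in the second `depends on` of MBEDTLS_KEY_EXCHANGE_RSA_ENABLED lets the option be enabled with MBEDTLS_RSA_C and both PKCS#1 options off, while the three selects visible here request only RSA key types and no RSA algorithm. Whether a PSA_WANT_ALG_RSA_* option is requested elsewhere cannot be told from this hunk, and the entry may continue past it. A short comment above the line would record what the PSA branch relies on, for example `# With PSA_CRYPTO_CLIENT, RSA is expected to come from the PSA provider instead of MBEDTLS_RSA_C`, adjusted to whatever the intended contract actually is.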
@@ -113,16 +114,16 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 bool "DHE-RSA based ciphersuite modes"
- select MBEDTLS_RSA_FULL
+ depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 bool "ECDHE-RSA based ciphersuite modes"
- select MBEDTLS_RSA_FULL
+ depends on MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21
 depends on MBEDTLS_ECDH_C
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 bool "ECDHE-ECDSA based ciphersuite modes"
- depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
+ depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 bool "ECDH-ECDSA based ciphersuite modes"
@@ -397,6 +398,7 @@ config MBEDTLS_CIPHER
 config MBEDTLS_MD
 bool "generic message digest layer."
+ default y if UOSCORE || UEDHOC
 config MBEDTLS_ASN1_PARSE_C
 bool "Support for ASN1 parser functions"
diff --git a/samples/net/cloud/mqtt_azure/prj.conf b/samples/net/cloud/mqtt_azure/prj.conf
index b857f7e4317..87fce73d774 100644
--- a/samples/net/cloud/mqtt_azure/prj.conf
+++ b/samples/net/cloud/mqtt_azure/prj.conf
@@ -35,6 +35,9 @@ CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=10240
 CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
 CONFIG_MBEDTLS_SHA1=y
 CONFIG_MBEDTLS_SHA384=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDH_C=y
diff --git a/samples/tfm_integration/psa_crypto/prj.conf b/samples/tfm_integration/psa_crypto/prj.conf
index ad9de1f0797..1d5024f1242 100644
--- a/samples/tfm_integration/psa_crypto/prj.conf
+++ b/samples/tfm_integration/psa_crypto/prj.conf
@@ -39,6 +39,10 @@ CONFIG_MBEDTLS_ENTROPY_C=y
 CONFIG_MBEDTLS_ECP_C=y
 CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
 CONFIG_MBEDTLS_ECDSA_C=y
+CONFIG_MBEDTLS_MD=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
 CONFIG_MBEDTLS_PK_WRITE_C=y
diff --git a/subsys/jwt/Kconfig b/subsys/jwt/Kconfig
index 367ba43d225..052908a7775 100644
--- a/subsys/jwt/Kconfig
+++ b/subsys/jwt/Kconfig
@@ -20,6 +20,10 @@ config JWT_SIGN_RSA_LEGACY
 bool "Use RSA signature (RS-256). Use Mbed TLS as crypto library."
 depends on CSPRNG_AVAILABLE
 select MBEDTLS
+ select MBEDTLS_MD
+ select MBEDTLS_RSA_C
+ select MBEDTLS_PKCS1_V15
+ select MBEDTLS_PKCS1_V21
 select MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 config JWT_SIGN_RSA_PSA
diff --git a/subsys/net/lib/sockets/Kconfig b/subsys/net/lib/sockets/Kconfig
index 2b3c904c0d0..483c0d2dda0 100644
--- a/subsys/net/lib/sockets/Kconfig
+++ b/subsys/net/lib/sockets/Kconfig
@@ -116,6 +116,10 @@ config NET_SOCKETS_SOCKOPT_TLS
 imply TLS_CREDENTIALS
 select MBEDTLS if NET_NATIVE
 imply MBEDTLS_TLS_VERSION_1_2 if !NET_L2_OPENTHREAD
+ imply MBEDTLS_MD if !NET_L2_OPENTHREAD
+ imply MBEDTLS_RSA_C if !NET_L2_OPENTHREAD
+ imply MBEDTLS_PKCS1_V15 if !NET_L2_OPENTHREAD
+ imply MBEDTLS_PKCS1_V21 if !NET_L2_OPENTHREAD
 imply MBEDTLS_KEY_EXCHANGE_RSA_ENABLED if !NET_L2_OPENTHREAD
 imply MBEDTLS_CIPHER_AES_ENABLED if !NET_L2_OPENTHREAD
 imply PSA_WANT_KEY_TYPE_AES if !NET_L2_OPENTHREAD && PSA_CRYPTO_CLIENT
diff --git a/tests/net/lib/lwm2m/interop/prj.conf b/tests/net/lib/lwm2m/interop/prj.conf
index 2a8ad090074..443531c3e5c 100644
--- a/tests/net/lib/lwm2m/interop/prj.conf
+++ b/tests/net/lib/lwm2m/interop/prj.conf
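Review bot: `select MBEDTLS_PKCS1_V21` in JWT_SIGN_RSA_LEGACY looks unnecessary: the prompt says this option signs with RS-256, which is an RSASSA-PKCS1-v1_5 scheme, so only the v1.5 padding should be needed. It was pulled in before only because MBEDTLS_RSA_FULL bundled both paddings; now that the selects are spelled out, dropping that line keeps the v2.1 padding code out of builds that never use it. The signing code is not part of this patch, so please confirm it does not switch the RSA context to v2.1 padding before removing the select.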
@@ -82,7 +82,7 @@ CONFIG_MBEDTLS_HEAP_SIZE=7168
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
 CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
 # Disable RSA, we don't parse certs: saves flash/memory
-CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_RSA_C=n
 # Enable PSK instead
 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
 CONFIG_LWM2M_SECURITY_DTLS_TLS_CIPHERSUITE_MAX=3
diff --git a/tests/net/socket/tls_configurations/overlay-rsa.conf b/tests/net/socket/tls_configurations/overlay-rsa.conf
index c8fc3e29b10..bd6d33cd678 100644
--- a/tests/net/socket/tls_configurations/overlay-rsa.conf
+++ b/tests/net/socket/tls_configurations/overlay-rsa.conf
@@ -1,3 +1,8 @@
+CONFIG_MBEDTLS_MD=y
+CONFIG_MBEDTLS_RSA_C=y
+CONFIG_MBEDTLS_PKCS1_V15=y
+CONFIG_MBEDTLS_PKCS1_V21=y
+
 CONFIG_PSA_WANT_ALG_RSA_OAEP=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
 CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
diff --git a/tests/net/socket/tls_configurations/prj.conf b/tests/net/socket/tls_configurations/prj.conf
index 29c317ca3e7..6e8c9e15c1c 100644
--- a/tests/net/socket/tls_configurations/prj.conf
+++ b/tests/net/socket/tls_configurations/prj.conf
@@ -37,6 +37,8 @@ CONFIG_ENTROPY_GENERATOR=y
 # support in overlay files.
 CONFIG_MBEDTLS_TLS_VERSION_1_2=n
 CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
+CONFIG_MBEDTLS_MD=n
+CONFIG_MBEDTLS_RSA_C=n
 CONFIG_MBEDTLS_CIPHER_AES_ENABLED=n
 CONFIG_PSA_WANT_KEY_TYPE_AES=n
 CONFIG_PSA_WANT_ALG_CBC_NO_PADDING=n
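Review bot: Replacing `CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n` with `CONFIG_MBEDTLS_RSA_C=n` in the lwm2m interop prj.conf may leave the RSA key exchange enabled on targets where PSA_CRYPTO_CLIENT is set. In this same patch MBEDTLS_KEY_EXCHANGE_RSA_ENABLED depends on `PSA_CRYPTO_CLIENT || MBEDTLS_PKCS1_V15 || MBEDTLS_PKCS1_V21` and is still implied by NET_SOCKETS_SOCKOPT_TLS, so, assuming this test enables TLS sockets, turning off MBEDTLS_RSA_C alone does not make its dependencies unmet there. Keeping the explicit line next to the new one, as tests/net/socket/tls_configurations/prj.conf does, makes the "Disable RSA" comment hold on every platform: `CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n` followed by `CONFIG_MBEDTLS_RSA_C=n`.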