Skip to content

Commit

Permalink
samples: crypto: psa_tls support for TLSv1.3
Browse files Browse the repository at this point in the history
Added TLSv1.3 overlay for psa_tls sample and tests for different
backends

Signed-off-by: Paul Fleury <[email protected]>
  • Loading branch information
PFnord committed Dec 2, 2024
1 parent 6cb51b8 commit 1fa31ba
Show file tree
Hide file tree
Showing 7 changed files with 125 additions and 0 deletions.
13 changes: 13 additions & 0 deletions samples/crypto/psa_tls/overlays/tls_13.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#
# Copyright (c) 2024 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
CONFIG_MBEDTLS_TLS_VERSION_1_3=y

CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=y
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y

CONFIG_PSA_WANT_ALG_HKDF_EXTRACT=y
CONFIG_PSA_WANT_ALG_HKDF_EXPAND=y
66 changes: 66 additions & 0 deletions samples/crypto/psa_tls/sample.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,43 @@ tests:
- nrf9151dk/nrf9151
- nrf9151dk/nrf9151/ns
tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto
sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns
nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151
nrf9151dk/nrf9151/ns
integration_platforms:
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf9160dk/nrf9160
- nrf9160dk/nrf9160/ns
- nrf9161dk/nrf9161
- nrf9161dk/nrf9161/ns
- nrf9151dk/nrf9151
- nrf9151dk/nrf9151/ns
tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns nrf9160dk/nrf9160/ns
nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 nrf9151dk/nrf9151/ns
integration_platforms:
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf9160dk/nrf9160
- nrf9160dk/nrf9160/ns
- nrf9161dk/nrf9161
- nrf9161dk/nrf9161/ns
- nrf9151dk/nrf9151
- nrf9151dk/nrf9151/ns
tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
################################################################################
## PSA APIs with Oberon
################################################################################
Expand Down Expand Up @@ -138,6 +175,35 @@ tests:
- nrf54l15dk/nrf54l15/cpuapp/ns
tags: ci_build cracen sysbuild ci_samples_crypto
################################################################################
## PSA APIs with Cracen and Oberon
################################################################################
sample.psa_tls.1_3_server.ecdsa.cracen_oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
nrf54l15dk/nrf54l15/cpuapp/ns
integration_platforms:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
- nrf54l15dk/nrf54l15/cpuapp/ns
tags: ci_build cracen_oberon sysbuild ci_samples_crypto
sample.psa_tls.1_3_client.ecdsa.cracen_oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
nrf54l15dk/nrf54l15/cpuapp/ns
integration_platforms:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
- nrf54l15dk/nrf54l15/cpuapp/ns
tags: ci_build cracen_oberon sysbuild ci_samples_crypto
################################################################################
## Legacy APIs with Cryptocell (secure-only)
################################################################################
sample.psa_tls.tls_server.rsa.cc3xx_legacy:
Expand Down
4 changes: 4 additions & 0 deletions samples/crypto/psa_tls/src/psa_tls_functions_client.c
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,11 @@ static int setup_tls_client_socket(void)
PSK_TAG,
};

#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3);
#else
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
#endif
if (sock < 0) {
LOG_ERR("Failed to create a socket. Err: %d", errno);
return -errno;
Expand Down
4 changes: 4 additions & 0 deletions samples/crypto/psa_tls/src/psa_tls_functions_server.c
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,11 @@ static int setup_tls_server_socket(void)
memset(&my_addr, 0, sizeof(my_addr));
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(SERVER_PORT);
#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_3);
#else
sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_2);
#endif

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
sizeof(sec_tag_list));
Expand Down
28 changes: 28 additions & 0 deletions subsys/nrf_security/Kconfig.tls
Original file line number Diff line number Diff line change
Expand Up @@ -143,6 +143,9 @@ config MBEDTLS_SSL_COOKIE_C

endif # MBEDTLS_SSL_PROTO_TLS1_2

config MBEDTLS_TLS_VERSION_1_3
bool "Support for TLS 1.3"

config MBEDTLS_DEBUG_C
bool
prompt "Enable the debug functions for TLS."
Expand Down Expand Up @@ -325,6 +328,31 @@ config MBEDTLS_SSL_CIPHERSUITES
Warning: This field has offers no validation checks.
MBEDTLS_SSL_CIPHERSUITES setting in mbed TLS config file.

if MBEDTLS_TLS_VERSION_1_3

config MBEDTLS_SSL_PROTO_TLS1_3
bool
default y

config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
bool "Enable TLS1.3 middlebox compatibility mode"
default y
help
As specified in RFC8446, TLS 1.3 offers a compatibility mode to make a TLS
1.3 connection more likely to pass through middle boxes expecting TLS 1.2
traffic

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
bool "TLS 1.3 PSK key exchange mode"

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
bool "TLS 1.3 ephemeral key exchange mode"

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
bool "TLS 1.3 PSK ephemeral key exchange mode"

endif # MBEDTLS_TLS_VERSION_1_3

menu "TLS/DTL Cipher Suites"

config MBEDTLS_HAS_CBC_CIPHERSUITE_REQUIREMENTS
Expand Down
5 changes: 5 additions & 0 deletions subsys/nrf_security/cmake/nrf_config.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,11 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM)
kconfig_check_and_set_base(MBEDTLS_SSL_RENEGOTIATION)
kconfig_check_and_set_base(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_2)
kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_3)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_DTLS)
kconfig_check_and_set_base(MBEDTLS_SSL_ALPN)
kconfig_check_and_set_base(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Expand Down
5 changes: 5 additions & 0 deletions subsys/nrf_security/configs/nrf-config.h.template
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,11 @@
#cmakedefine MBEDTLS_SSL_RENEGOTIATION
#cmakedefine MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#cmakedefine MBEDTLS_SSL_PROTO_TLS1_2
#cmakedefine MBEDTLS_SSL_PROTO_TLS1_3
#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
#cmakedefine MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
#cmakedefine MBEDTLS_SSL_PROTO_DTLS
#cmakedefine MBEDTLS_SSL_ALPN
#cmakedefine MBEDTLS_SSL_DTLS_ANTI_REPLAY
Expand Down

0 comments on commit 1fa31ba

Please sign in to comment.