Skip to content

Commit

Permalink
samples: crypto: psa_tls support for TLSv1.3
Browse files Browse the repository at this point in the history
Added TLSv1.3 overlay for psa_tls sample and tests for different
backends

Signed-off-by: Paul Fleury <[email protected]>
  • Loading branch information
PFnord committed Nov 20, 2024
1 parent 6cb51b8 commit 27f6128
Show file tree
Hide file tree
Showing 7 changed files with 164 additions and 0 deletions.
13 changes: 13 additions & 0 deletions samples/crypto/psa_tls/overlays/tls_13.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
#
# Copyright (c) 2024 Nordic Semiconductor ASA
#
# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
#
CONFIG_MBEDTLS_TLS_VERSION_1_3=y

CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=y
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y
CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y

CONFIG_PSA_WANT_ALG_HKDF_EXTRACT=y
CONFIG_PSA_WANT_ALG_HKDF_EXPAND=y
87 changes: 87 additions & 0 deletions samples/crypto/psa_tls/sample.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,43 @@ tests:
- nrf9151dk/nrf9151
- nrf9151dk/nrf9151/ns
tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto
sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns
nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151
nrf9151dk/nrf9151/ns
integration_platforms:
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf9160dk/nrf9160
- nrf9160dk/nrf9160/ns
- nrf9161dk/nrf9161
- nrf9161dk/nrf9161/ns
- nrf9151dk/nrf9151
- nrf9151dk/nrf9151/ns
tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns nrf9160dk/nrf9160/ns
nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 nrf9151dk/nrf9151/ns
integration_platforms:
- nrf5340dk/nrf5340/cpuapp
- nrf5340dk/nrf5340/cpuapp/ns
- nrf9160dk/nrf9160
- nrf9160dk/nrf9160/ns
- nrf9161dk/nrf9161
- nrf9161dk/nrf9161/ns
- nrf9151dk/nrf9151
- nrf9151dk/nrf9151/ns
tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto
################################################################################
## PSA APIs with Oberon
################################################################################
Expand Down Expand Up @@ -108,6 +145,30 @@ tests:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
tags: ci_build oberon sysbuild ci_samples_crypto
sample.psa_tls.1_3_server.ecdsa.oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf54l15dk/nrf54l15/cpuapp
nrf54l15pdk/nrf54l15/cpuapp
integration_platforms:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
tags: ci_build oberon sysbuild ci_samples_crypto
sample.psa_tls.1_3_client.ecdsa.oberon:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf54l15dk/nrf54l15/cpuapp
nrf54l15pdk/nrf54l15/cpuapp
integration_platforms:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
tags: ci_build oberon sysbuild ci_samples_crypto
################################################################################
## PSA APIs with Cracen
################################################################################
Expand Down Expand Up @@ -137,6 +198,32 @@ tests:
- nrf54l15pdk/nrf54l15/cpuapp
- nrf54l15dk/nrf54l15/cpuapp/ns
tags: ci_build cracen sysbuild ci_samples_crypto
sample.psa_tls.1_3_server.ecdsa.cracen:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
nrf54l15dk/nrf54l15/cpuapp/ns
integration_platforms:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
- nrf54l15dk/nrf54l15/cpuapp/ns
tags: ci_build cracen sysbuild ci_samples_crypto
sample.psa_tls.1_3_client.ecdsa.cracen:
sysbuild: true
build_only: true
extra_args: >
OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf;overlays/tls_13.conf"
platform_allow: >
nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp
nrf54l15dk/nrf54l15/cpuapp/ns
integration_platforms:
- nrf54l15dk/nrf54l15/cpuapp
- nrf54l15pdk/nrf54l15/cpuapp
- nrf54l15dk/nrf54l15/cpuapp/ns
tags: ci_build cracen sysbuild ci_samples_crypto
################################################################################
## Legacy APIs with Cryptocell (secure-only)
################################################################################
Expand Down
5 changes: 5 additions & 0 deletions samples/crypto/psa_tls/src/psa_tls_functions_client.c
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,11 @@ static int setup_tls_client_socket(void)
PSK_TAG,
};

#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3);
#else
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
#endif
if (sock < 0) {
LOG_ERR("Failed to create a socket. Err: %d", errno);
return -errno;
Expand All @@ -54,6 +58,7 @@ static int setup_tls_client_socket(void)

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
sizeof(sec_tag_list));

if (err < 0) {
LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno);
(void)close(sock);
Expand Down
4 changes: 4 additions & 0 deletions samples/crypto/psa_tls/src/psa_tls_functions_server.c
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,11 @@ static int setup_tls_server_socket(void)
memset(&my_addr, 0, sizeof(my_addr));
my_addr.sin_family = AF_INET;
my_addr.sin_port = htons(SERVER_PORT);
#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_3);
#else
sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_2);
#endif

err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list,
sizeof(sec_tag_list));
Expand Down
43 changes: 43 additions & 0 deletions subsys/nrf_security/Kconfig.tls
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,7 @@ config MBEDTLS_SSL_PROTO_TLS1_2

if MBEDTLS_SSL_PROTO_TLS1_2


config MBEDTLS_SSL_ENCRYPT_THEN_MAC
bool
default y
Expand Down Expand Up @@ -143,6 +144,9 @@ config MBEDTLS_SSL_COOKIE_C

endif # MBEDTLS_SSL_PROTO_TLS1_2

config MBEDTLS_TLS_VERSION_1_3
bool "Support for TLS 1.3"

config MBEDTLS_DEBUG_C
bool
prompt "Enable the debug functions for TLS."
Expand Down Expand Up @@ -256,6 +260,22 @@ config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
reduces RAM usage.
Corresponds to MBEDTLS_SSL_KEEP_PEER_CERTIFICATE in mbed TLS config file.

config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
bool
prompt "Enable TLS1.3 middlebox compatibility mode"
default n
help
As specified in RFC8446, TLS 1.3 offers a compatibility mode to make a TLS
1.3 connection more likely to pass through middle boxes expecting TLS 1.2
traffic

config MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
bool
prompt "Allow Handshake with psk"
default n
help
Allows a handshake to be done with a PSK shared in a previous one.

config MBEDTLS_SSL_RENEGOTIATION
bool
prompt "SSL - Renegotiation"
Expand Down Expand Up @@ -325,6 +345,29 @@ config MBEDTLS_SSL_CIPHERSUITES
Warning: This field has offers no validation checks.
MBEDTLS_SSL_CIPHERSUITES setting in mbed TLS config file.

if MBEDTLS_TLS_VERSION_1_3

config MBEDTLS_SSL_PROTO_TLS1_3
bool "Enable TLS version 1.3 protocol"
default y
help
Enable the TLS 1.3 protocol
Corresponds to MBEDTLS_SSL_PROTO_TLS1_3 in mbed TLS config file

config MBEDTLS_TLS_SESSION_TICKETS
bool "Support for RFC 5077 session tickets in TLS 1.3"

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
bool "TLS 1.3 PSK key exchange mode"

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
bool "TLS 1.3 ephemeral key exchange mode"

config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
bool "TLS 1.3 PSK ephemeral key exchange mode"

endif # MBEDTLS_TLS_VERSION_1_3

menu "TLS/DTL Cipher Suites"

config MBEDTLS_HAS_CBC_CIPHERSUITE_REQUIREMENTS
Expand Down
6 changes: 6 additions & 0 deletions subsys/nrf_security/cmake/nrf_config.cmake
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,12 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM)
kconfig_check_and_set_base(MBEDTLS_SSL_RENEGOTIATION)
kconfig_check_and_set_base(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_2)
kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_3)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
kconfig_check_and_set_base(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_DTLS)
kconfig_check_and_set_base(MBEDTLS_SSL_ALPN)
kconfig_check_and_set_base(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
Expand Down
6 changes: 6 additions & 0 deletions subsys/nrf_security/configs/nrf-config.h.template
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,12 @@
#cmakedefine MBEDTLS_SSL_RENEGOTIATION
#cmakedefine MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
#cmakedefine MBEDTLS_SSL_PROTO_TLS1_2
#cmakedefine MBEDTLS_SSL_PROTO_TLS1_3
#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
#cmakedefine MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
#cmakedefine MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
#cmakedefine MBEDTLS_SSL_PROTO_DTLS
#cmakedefine MBEDTLS_SSL_ALPN
#cmakedefine MBEDTLS_SSL_DTLS_ANTI_REPLAY
Expand Down

0 comments on commit 27f6128

Please sign in to comment.