diff --git a/samples/crypto/psa_tls/overlays/tls_13.conf b/samples/crypto/psa_tls/overlays/tls_13.conf new file mode 100644 index 000000000000..e65076b1ee05 --- /dev/null +++ b/samples/crypto/psa_tls/overlays/tls_13.conf @@ -0,0 +1,13 @@ +# +# Copyright (c) 2024 Nordic Semiconductor ASA +# +# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause +# +CONFIG_MBEDTLS_TLS_VERSION_1_3=y + +CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE=y +CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y +CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y + +CONFIG_PSA_WANT_ALG_HKDF_EXTRACT=y +CONFIG_PSA_WANT_ALG_HKDF_EXPAND=y diff --git a/samples/crypto/psa_tls/sample.yaml b/samples/crypto/psa_tls/sample.yaml index 75104b36a508..6b703e81cf33 100644 --- a/samples/crypto/psa_tls/sample.yaml +++ b/samples/crypto/psa_tls/sample.yaml @@ -81,6 +81,43 @@ tests: - nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto + sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon: + sysbuild: true + build_only: true + extra_args: > + OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf" + platform_allow: > + nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns + nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 + nrf9151dk/nrf9151/ns + integration_platforms: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns + tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto + sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon: + sysbuild: true + build_only: true + extra_args: > + OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_13.conf" + platform_allow: > + nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns nrf9160dk/nrf9160/ns + nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 nrf9151dk/nrf9151/ns + integration_platforms: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns + tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto ################################################################################ ## PSA APIs with Oberon ################################################################################ @@ -108,6 +145,30 @@ tests: - nrf54l15dk/nrf54l15/cpuapp - nrf54l15pdk/nrf54l15/cpuapp tags: ci_build oberon sysbuild ci_samples_crypto + sample.psa_tls.1_3_server.ecdsa.oberon: + sysbuild: true + build_only: true + extra_args: > + OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf;overlays/tls_13.conf" + platform_allow: > + nrf54l15dk/nrf54l15/cpuapp + nrf54l15pdk/nrf54l15/cpuapp + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15pdk/nrf54l15/cpuapp + tags: ci_build oberon sysbuild ci_samples_crypto + sample.psa_tls.1_3_client.ecdsa.oberon: + sysbuild: true + build_only: true + extra_args: > + OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf;overlays/tls_13.conf" + platform_allow: > + nrf54l15dk/nrf54l15/cpuapp + nrf54l15pdk/nrf54l15/cpuapp + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15pdk/nrf54l15/cpuapp + tags: ci_build oberon sysbuild ci_samples_crypto ################################################################################ ## PSA APIs with Cracen ################################################################################ @@ -137,6 +198,32 @@ tests: - nrf54l15pdk/nrf54l15/cpuapp - nrf54l15dk/nrf54l15/cpuapp/ns tags: ci_build cracen sysbuild ci_samples_crypto + sample.psa_tls.1_3_server.ecdsa.cracen: + sysbuild: true + build_only: true + extra_args: > + OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf;overlays/tls_13.conf" + platform_allow: > + nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp + nrf54l15dk/nrf54l15/cpuapp/ns + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15pdk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + tags: ci_build cracen sysbuild ci_samples_crypto + sample.psa_tls.1_3_client.ecdsa.cracen: + sysbuild: true + build_only: true + extra_args: > + OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf;overlays/tls_13.conf" + platform_allow: > + nrf54l15dk/nrf54l15/cpuapp nrf54l15pdk/nrf54l15/cpuapp + nrf54l15dk/nrf54l15/cpuapp/ns + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15pdk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + tags: ci_build cracen sysbuild ci_samples_crypto ################################################################################ ## Legacy APIs with Cryptocell (secure-only) ################################################################################ diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_client.c b/samples/crypto/psa_tls/src/psa_tls_functions_client.c index fabbc0486718..238d96602a0c 100644 --- a/samples/crypto/psa_tls/src/psa_tls_functions_client.c +++ b/samples/crypto/psa_tls/src/psa_tls_functions_client.c @@ -38,7 +38,11 @@ static int setup_tls_client_socket(void) PSK_TAG, }; +#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3) + sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3); +#else sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2); +#endif if (sock < 0) { LOG_ERR("Failed to create a socket. Err: %d", errno); return -errno; @@ -54,6 +58,7 @@ static int setup_tls_client_socket(void) err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list, sizeof(sec_tag_list)); + if (err < 0) { LOG_ERR("Failed to set TLS security TAG list. Err: %d", errno); (void)close(sock); diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_server.c b/samples/crypto/psa_tls/src/psa_tls_functions_server.c index 50be65aa11c9..bd91229517c1 100644 --- a/samples/crypto/psa_tls/src/psa_tls_functions_server.c +++ b/samples/crypto/psa_tls/src/psa_tls_functions_server.c @@ -41,7 +41,11 @@ static int setup_tls_server_socket(void) memset(&my_addr, 0, sizeof(my_addr)); my_addr.sin_family = AF_INET; my_addr.sin_port = htons(SERVER_PORT); +#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3) + sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_3); +#else sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_2); +#endif err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list, sizeof(sec_tag_list)); diff --git a/subsys/nrf_security/Kconfig.tls b/subsys/nrf_security/Kconfig.tls index 626db6f411da..ecce37dd1afc 100644 --- a/subsys/nrf_security/Kconfig.tls +++ b/subsys/nrf_security/Kconfig.tls @@ -116,6 +116,7 @@ config MBEDTLS_SSL_PROTO_TLS1_2 if MBEDTLS_SSL_PROTO_TLS1_2 + config MBEDTLS_SSL_ENCRYPT_THEN_MAC bool default y @@ -143,6 +144,9 @@ config MBEDTLS_SSL_COOKIE_C endif # MBEDTLS_SSL_PROTO_TLS1_2 +config MBEDTLS_TLS_VERSION_1_3 + bool "Support for TLS 1.3" + config MBEDTLS_DEBUG_C bool prompt "Enable the debug functions for TLS." @@ -256,6 +260,22 @@ config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE reduces RAM usage. Corresponds to MBEDTLS_SSL_KEEP_PEER_CERTIFICATE in mbed TLS config file. +config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + bool + prompt "Enable TLS1.3 middlebox compatibility mode" + default n + help + As specified in RFC8446, TLS 1.3 offers a compatibility mode to make a TLS + 1.3 connection more likely to pass through middle boxes expecting TLS 1.2 + traffic + +config MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED + bool + prompt "Allow Handshake with psk" + default n + help + Allows a handshake to be done with a PSK shared in a previous one. + config MBEDTLS_SSL_RENEGOTIATION bool prompt "SSL - Renegotiation" @@ -325,6 +345,29 @@ config MBEDTLS_SSL_CIPHERSUITES Warning: This field has offers no validation checks. MBEDTLS_SSL_CIPHERSUITES setting in mbed TLS config file. +if MBEDTLS_TLS_VERSION_1_3 + +config MBEDTLS_SSL_PROTO_TLS1_3 + bool "Enable TLS version 1.3 protocol" + default y + help + Enable the TLS 1.3 protocol + Corresponds to MBEDTLS_SSL_PROTO_TLS1_3 in mbed TLS config file + +config MBEDTLS_TLS_SESSION_TICKETS + bool "Support for RFC 5077 session tickets in TLS 1.3" + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + bool "TLS 1.3 PSK key exchange mode" + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + bool "TLS 1.3 ephemeral key exchange mode" + +config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + bool "TLS 1.3 PSK ephemeral key exchange mode" + +endif # MBEDTLS_TLS_VERSION_1_3 + menu "TLS/DTL Cipher Suites" config MBEDTLS_HAS_CBC_CIPHERSUITE_REQUIREMENTS diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake index 3a19409c6ce6..37b01e91068d 100644 --- a/subsys/nrf_security/cmake/nrf_config.cmake +++ b/subsys/nrf_security/cmake/nrf_config.cmake @@ -107,6 +107,12 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM) kconfig_check_and_set_base(MBEDTLS_SSL_RENEGOTIATION) kconfig_check_and_set_base(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_2) + kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_3) + kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED) + kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) + kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED) + kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + kconfig_check_and_set_base(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_DTLS) kconfig_check_and_set_base(MBEDTLS_SSL_ALPN) kconfig_check_and_set_base(MBEDTLS_SSL_DTLS_ANTI_REPLAY) diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template index abfff20d3448..4dc912f46204 100644 --- a/subsys/nrf_security/configs/nrf-config.h.template +++ b/subsys/nrf_security/configs/nrf-config.h.template @@ -115,6 +115,12 @@ #cmakedefine MBEDTLS_SSL_RENEGOTIATION #cmakedefine MBEDTLS_SSL_MAX_FRAGMENT_LENGTH #cmakedefine MBEDTLS_SSL_PROTO_TLS1_2 +#cmakedefine MBEDTLS_SSL_PROTO_TLS1_3 +#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +#cmakedefine MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED +#cmakedefine MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE #cmakedefine MBEDTLS_SSL_PROTO_DTLS #cmakedefine MBEDTLS_SSL_ALPN #cmakedefine MBEDTLS_SSL_DTLS_ANTI_REPLAY