diff --git a/samples/crypto/psa_tls/overlays/cracen-oberon-psa.conf b/samples/crypto/psa_tls/overlays/cracen-oberon-psa.conf
new file mode 100644
index 000000000000..8eb5aa00638d
--- /dev/null
+++ b/samples/crypto/psa_tls/overlays/cracen-oberon-psa.conf
@@ -0,0 +1,10 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+CONFIG_PSA_CRYPTO_DRIVER_CC3XX=n
+CONFIG_PSA_CRYPTO_DRIVER_OBERON=y
+CONFIG_PSA_CRYPTO_DRIVER_CRACEN=y
+
+CONFIG_NRF_SECURITY=y
diff --git a/samples/crypto/psa_tls/overlays/tls_1_3.conf b/samples/crypto/psa_tls/overlays/tls_1_3.conf
new file mode 100644
index 000000000000..be93f1ee5d4a
--- /dev/null
+++ b/samples/crypto/psa_tls/overlays/tls_1_3.conf
@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2024 Nordic Semiconductor ASA
+#
+# SPDX-License-Identifier: LicenseRef-Nordic-5-Clause
+#
+CONFIG_MBEDTLS_TLS_VERSION_1_3=y
+
+CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y
+CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED=y
+
+CONFIG_PSA_WANT_ALG_HKDF_EXTRACT=y
+CONFIG_PSA_WANT_ALG_HKDF_EXPAND=y
diff --git a/samples/crypto/psa_tls/sample.yaml b/samples/crypto/psa_tls/sample.yaml
index 608a8e89d1f1..9a734ec806f4 100644
--- a/samples/crypto/psa_tls/sample.yaml
+++ b/samples/crypto/psa_tls/sample.yaml
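Review bot: `CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED=y` in tls_1_3.conf turns on the pure-PSK (psk_ke) key exchange mode, which gives no forward secrecy because no ephemeral key share is mixed into the handshake secret. If PSK support is wanted for the sample, `CONFIG_MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED=y` (declared in the Kconfig.tls hunk of this commit) is the mode that keeps forward secrecy; the certificate-based tests only need the ephemeral mode. At minimum the overlay should carry a comment above that line, such as `# psk_ke mode: no forward secrecy, enabled for the sample only`, so the setting is not copied into product configurations unexamined.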
@@ -9,12 +9,17 @@ tests: sample.psa_tls.tls_server.ecdsa.cc3xx_oberon: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf" - platform_allow: > - nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns - nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns + platform_allow: + - nrf5340dk/nrf5340/cpuapp + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns integration_platforms: - nrf5340dk/nrf5340/cpuapp - nrf5340dk/nrf5340/cpuapp/ns @@ -24,16 +29,25 @@ tests: - nrf9161dk/nrf9161/ns - nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns - tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto + tags: + - ci_build + - cc3xx_oberon + - sysbuild + - ci_samples_crypto sample.psa_tls.dtls_server.ecdsa.cc3xx_oberon: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/dtls.conf" - platform_allow: > - nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns - nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns + platform_allow: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns integration_platforms: - nrf5340dk/nrf5340/cpuapp - nrf5340dk/nrf5340/cpuapp/ns 
@@ -43,15 +57,26 @@ tests: - nrf9161dk/nrf9161/ns - nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns - tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto + tags: + - ci_build + - dtls + - cc3xx_oberon + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_client.ecdsa.cc3xx_oberon: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf" - platform_allow: > - nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns nrf9160dk/nrf9160/ns - nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 nrf9151dk/nrf9151/ns + platform_allow: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns integration_platforms: - nrf5340dk/nrf5340/cpuapp - nrf5340dk/nrf5340/cpuapp/ns 
@@ -61,16 +86,82 @@ tests: - nrf9161dk/nrf9161/ns - nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns - tags: ci_build cc3xx_oberon sysbuild ci_samples_crypto + tags: + - ci_build + - cc3xx_oberon + - sysbuild + - ci_samples_crypto sample.psa_tls.dtls_client.ecdsa.cc3xx_oberon: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/dtls.conf" - platform_allow: > - nrf5340dk/nrf5340/cpuapp nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp/ns - nrf9160dk/nrf9160/ns nrf9161dk/nrf9161 nrf9161dk/nrf9161/ns nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns + platform_allow: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns + integration_platforms: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns + tags: + - ci_build + - dtls + - cc3xx_oberon + - sysbuild + - ci_samples_crypto + sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon: + sysbuild: true + build_only: true + extra_args: + OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_1_3.conf" + platform_allow: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns + integration_platforms: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns + tags: + - ci_build + - cc3xx_oberon + - sysbuild + - ci_samples_crypto + sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon: + sysbuild: true + build_only: true + 
extra_args: + OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-oberon-psa.conf;overlays/tls_1_3.conf" + platform_allow: + - nrf5340dk/nrf5340/cpuapp + - nrf5340dk/nrf5340/cpuapp/ns + - nrf9160dk/nrf9160 + - nrf9160dk/nrf9160/ns + - nrf9161dk/nrf9161 + - nrf9161dk/nrf9161/ns + - nrf9151dk/nrf9151 + - nrf9151dk/nrf9151/ns integration_platforms: - nrf5340dk/nrf5340/cpuapp - nrf5340dk/nrf5340/cpuapp/ns 
@@ -80,160 +171,287 @@ tests: - nrf9161dk/nrf9161/ns - nrf9151dk/nrf9151 - nrf9151dk/nrf9151/ns - tags: ci_build cc3xx_oberon dtls sysbuild ci_samples_crypto + tags: + - ci_build + - cc3xx_oberon + - sysbuild + - ci_samples_crypto ################################################################################ ## PSA APIs with Oberon ################################################################################ sample.psa_tls.server.ecdsa.oberon: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf" - platform_allow: > - nrf54l15dk/nrf54l15/cpuapp + platform_allow: + - nrf54l15dk/nrf54l15/cpuapp integration_platforms: - nrf54l15dk/nrf54l15/cpuapp - tags: ci_build oberon sysbuild ci_samples_crypto + tags: + - ci_build + - oberon + - sysbuild + - ci_samples_crypto sample.psa_tls.client.ecdsa.oberon: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/oberon-psa.conf" - platform_allow: > - nrf54l15dk/nrf54l15/cpuapp + platform_allow: + - nrf54l15dk/nrf54l15/cpuapp integration_platforms: - nrf54l15dk/nrf54l15/cpuapp - tags: ci_build oberon sysbuild ci_samples_crypto + tags: + - ci_build + - oberon + - sysbuild + - ci_samples_crypto ################################################################################ ## PSA APIs with Cracen ################################################################################ sample.psa_tls.server.ecdsa.cracen: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf" - platform_allow: > - nrf54l15dk/nrf54l15/cpuapp - nrf54l15dk/nrf54l15/cpuapp/ns - nrf54l15dk/nrf54l10/cpuapp + platform_allow: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + - nrf54l15dk/nrf54l10/cpuapp integration_platforms: - nrf54l15dk/nrf54l15/cpuapp - nrf54l15dk/nrf54l15/cpuapp/ns - 
nrf54l15dk/nrf54l10/cpuapp - tags: ci_build cracen sysbuild ci_samples_crypto + tags: + - ci_build + - cracen + - sysbuild + - ci_samples_crypto sample.psa_tls.client.ecdsa.cracen: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-psa.conf" - platform_allow: > - nrf54l15dk/nrf54l15/cpuapp - nrf54l15dk/nrf54l15/cpuapp/ns - nrf54l15dk/nrf54l10/cpuapp + platform_allow: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + - nrf54l15dk/nrf54l10/cpuapp integration_platforms: - nrf54l15dk/nrf54l15/cpuapp - nrf54l15dk/nrf54l15/cpuapp/ns - nrf54l15dk/nrf54l10/cpuapp - tags: ci_build cracen sysbuild ci_samples_crypto + tags: + - ci_build + - cracen + - sysbuild + - ci_samples_crypto + ################################################################################ + ## PSA APIs with Cracen and Oberon + ################################################################################ + sample.psa_tls.1_3_server.ecdsa.cracen_oberon: + sysbuild: true + build_only: true + extra_args: + OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cracen-oberon-psa.conf;overlays/tls_1_3.conf" + platform_allow: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + tags: + - ci_build + - cracen_oberon + - sysbuild + - ci_samples_crypto + sample.psa_tls.1_3_client.ecdsa.cracen_oberon: + sysbuild: true + build_only: true + extra_args: + OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cracen-oberon-psa.conf;overlays/tls_1_3.conf" + platform_allow: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + integration_platforms: + - nrf54l15dk/nrf54l15/cpuapp + - nrf54l15dk/nrf54l15/cpuapp/ns + tags: + - ci_build + - cracen_oberon + - sysbuild + - ci_samples_crypto ################################################################################ ## Legacy APIs 
with Cryptocell (secure-only) ################################################################################ sample.psa_tls.tls_server.rsa.cc3xx_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/rsa.conf;overlays/cc3xx-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy cc3xx_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - cc3xx_legacy + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_client.rsa.cc3xx_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/rsa.conf;overlays/cc3xx-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy cc3xx_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - cc3xx_legacy + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_server.ecdsa.cc3xx_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/cc3xx-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy cc3xx_legacy 
sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - cc3xx_legacy + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_client.ecdsa.cc3xx_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/cc3xx-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy cc3xx_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - cc3xx_legacy + - sysbuild + - ci_samples_crypto ################################################################################ ## Legacy APIs with Oberon (secure-only) ################################################################################ sample.psa_tls.tls_server.rsa.oberon_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/rsa.conf;overlays/oberon-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy oberon_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - oberon_legacy + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_client.rsa.oberon_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/rsa.conf;overlays/oberon-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - 
nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy oberon_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - oberon_legacy + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_server.ecdsa.oberon_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/server.conf;overlays/ecdsa.conf;overlays/oberon-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy oberon_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - oberon_legacy + - sysbuild + - ci_samples_crypto sample.psa_tls.tls_client.ecdsa.oberon_legacy: sysbuild: true build_only: true - extra_args: > + extra_args: OVERLAY_CONFIG="overlays/client.conf;overlays/ecdsa.conf;overlays/oberon-legacy.conf" - platform_allow: nrf52840dk/nrf52840 nrf9160dk/nrf9160 nrf5340dk/nrf5340/cpuapp nrf9151dk/nrf9151 + platform_allow: + - nrf52840dk/nrf52840 + - nrf9160dk/nrf9160 + - nrf5340dk/nrf5340/cpuapp + - nrf9151dk/nrf9151 integration_platforms: - nrf52840dk/nrf52840 - nrf5340dk/nrf5340/cpuapp - nrf9160dk/nrf9160 - nrf9151dk/nrf9151 - tags: ci_build legacy oberon_legacy sysbuild ci_samples_crypto + tags: + - ci_build + - legacy + - oberon_legacy + - sysbuild + - ci_samples_crypto diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_client.c b/samples/crypto/psa_tls/src/psa_tls_functions_client.c index fabbc0486718..bf003656d52f 100644 --- a/samples/crypto/psa_tls/src/psa_tls_functions_client.c +++ b/samples/crypto/psa_tls/src/psa_tls_functions_client.c 
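Review bot: The new test ids `sample.psa_tls.1_3_server.ecdsa.cracen_oberon` and `sample.psa_tls.1_3_client.ecdsa.cracen_oberon` drop the `tls_` prefix that the equivalent cc3xx_oberon entries added in the earlier hunk use (`sample.psa_tls.tls_1_3_server.ecdsa.cc3xx_oberon`, `sample.psa_tls.tls_1_3_client.ecdsa.cc3xx_oberon`), so selecting tests by name pattern will not pick up both families consistently. Rename them to `sample.psa_tls.tls_1_3_server.ecdsa.cracen_oberon` and `sample.psa_tls.tls_1_3_client.ecdsa.cracen_oberon`. None of the four TLS 1.3 entries carries a tag that distinguishes it from the TLS 1.2 entries of the same driver; adding a `tls_1_3` item to their `tags` lists would let CI run or exclude the 1.3 builds as a group.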
@@ -38,7 +38,11 @@ static int setup_tls_client_socket(void)
 PSK_TAG,
 };
 
+#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
+ sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_3);
+#else
 sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TLS_1_2);
+#endif
 if (sock < 0) {
 LOG_ERR("Failed to create a socket. Err: %d", errno);
 return -errno;
diff --git a/samples/crypto/psa_tls/src/psa_tls_functions_server.c b/samples/crypto/psa_tls/src/psa_tls_functions_server.c
index 72f182ab0ae9..f7b9a1c000a9 100644
--- a/samples/crypto/psa_tls/src/psa_tls_functions_server.c
+++ b/samples/crypto/psa_tls/src/psa_tls_functions_server.c
@@ -41,7 +41,11 @@ static int setup_tls_server_socket(void)
 memset(&my_addr, 0, sizeof(my_addr));
 my_addr.sin_family = AF_INET;
 my_addr.sin_port = htons(SERVER_PORT);
+#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)
+ sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_3);
+#else
 sock = socket(my_addr.sin_family, SOCK_STREAM, IPPROTO_TLS_1_2);
+#endif
 err = setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, sec_tag_list, sizeof(sec_tag_list));
diff --git a/subsys/nrf_security/Kconfig.tls b/subsys/nrf_security/Kconfig.tls
index 626db6f411da..2609826925b3 100644
--- a/subsys/nrf_security/Kconfig.tls
+++ b/subsys/nrf_security/Kconfig.tls
@@ -143,6 +143,9 @@ config MBEDTLS_SSL_COOKIE_C
 
 endif # MBEDTLS_SSL_PROTO_TLS1_2
 
+config MBEDTLS_TLS_VERSION_1_3
+ bool "Support for TLS 1.3"
+
 config MBEDTLS_DEBUG_C
 bool
 prompt "Enable the debug functions for TLS."
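Review bot: The `#if defined(CONFIG_MBEDTLS_TLS_VERSION_1_3)` / `#else` / `#endif` around the socket() call in setup_tls_client_socket() duplicates the whole call to vary a single argument, and the server hunk in psa_tls_functions_server.c repeats the same pattern. Selecting the protocol by expression keeps one call site and lets both variants be type-checked in every build: `int proto = IS_ENABLED(CONFIG_MBEDTLS_TLS_VERSION_1_3) ? IPPROTO_TLS_1_3 : IPPROTO_TLS_1_2;` followed by `sock = socket(AF_INET, SOCK_STREAM, proto);`. setup_tls_client_socket() starts and ends outside the hunk.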
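Review bot: In setup_tls_server_socket() the new `IPPROTO_TLS_1_3` branch, like the existing 1.2 one, hands `sock` straight to `setsockopt(sock, SOL_TLS, TLS_SEC_TAG_LIST, …)` without checking that socket() succeeded, whereas the client hunk checks `if (sock < 0)` immediately after the call; a failed socket() (for example when the requested TLS protocol is not available in the build) would then be reported as a setsockopt failure on a negative descriptor. Add the same guard right after the `#endif`: `if (sock < 0) { LOG_ERR("Failed to create a socket. Err: %d", errno); return -errno; }`. setup_tls_server_socket() continues outside the hunk, so check that the function's error-return convention matches before copying the client's `return -errno`.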
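Review bot: `config MBEDTLS_TLS_VERSION_1_3` has a prompt but no help text, unlike `MBEDTLS_DEBUG_C` directly below it, so a menuconfig user cannot see that it enables `MBEDTLS_SSL_PROTO_TLS1_3` or that one of the `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_*` options (declared in the later hunk of this file) presumably has to be enabled before a TLS 1.3 handshake can complete. Add a help block stating that this enables TLS 1.3 in Mbed TLS, that at least one TLS 1.3 key exchange mode must be selected alongside it, and that TLS 1.2 support (`MBEDTLS_SSL_PROTO_TLS1_2`) is controlled independently and is not disabled by this option.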
@@ -325,6 +328,31 @@ config MBEDTLS_SSL_CIPHERSUITES
 Warning: This field has offers no validation checks.
 MBEDTLS_SSL_CIPHERSUITES setting in mbed TLS config file.
 
+if MBEDTLS_TLS_VERSION_1_3
+
+config MBEDTLS_SSL_PROTO_TLS1_3
+ bool
+ default y
+
+config MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+ bool "Enable TLS1.3 middlebox compatibility mode"
+ default y
+ help
+ As specified in RFC8446, TLS 1.3 offers a compatibility mode to make a TLS
+ 1.3 connection more likely to pass through middle boxes expecting TLS 1.2
+ traffic
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+ bool "TLS 1.3 PSK key exchange mode"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+ bool "TLS 1.3 ephemeral key exchange mode"
+
+config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+ bool "TLS 1.3 PSK ephemeral key exchange mode"
+
+endif # MBEDTLS_TLS_VERSION_1_3
+
 menu "TLS/DTL Cipher Suites"
 
 config MBEDTLS_HAS_CBC_CIPHERSUITE_REQUIREMENTS
diff --git a/subsys/nrf_security/cmake/nrf_config.cmake b/subsys/nrf_security/cmake/nrf_config.cmake
index 3a19409c6ce6..b274f06b39e2 100644
--- a/subsys/nrf_security/cmake/nrf_config.cmake
+++ b/subsys/nrf_security/cmake/nrf_config.cmake
@@ -107,6 +107,11 @@ if (NOT MBEDTLS_PSA_CRYPTO_SPM)
 kconfig_check_and_set_base(MBEDTLS_SSL_RENEGOTIATION)
 kconfig_check_and_set_base(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
 kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_2)
+ kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_TLS1_3)
+ kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
+ kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+ kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
+ kconfig_check_and_set_base(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
 kconfig_check_and_set_base(MBEDTLS_SSL_PROTO_DTLS)
 kconfig_check_and_set_base(MBEDTLS_SSL_ALPN)
 kconfig_check_and_set_base(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
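Review bot: Inside the new `if MBEDTLS_TLS_VERSION_1_3` block none of the three `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_*` symbols has a default, so enabling `MBEDTLS_TLS_VERSION_1_3` on its own produces a TLS 1.3 configuration with no key exchange mode at all; as far as I recall Mbed TLS's configuration check rejects that, but only at compile time, far from this menu. Giving the certificate-based mode a default, `default y` under `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED`, makes the option usable out of the box and it is the only one of the three that works without a pre-shared key. `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED` deserves a help block saying that this is the psk_ke mode, which provides no forward secrecy, and that `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED` is the mode to prefer when PSKs are used. In the compatibility-mode entry, `TLS1.3` in the prompt should read `TLS 1.3`, `middle boxes` in the help should be `middleboxes`, and the help sentence lacks a closing period.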
diff --git a/subsys/nrf_security/configs/nrf-config.h.template b/subsys/nrf_security/configs/nrf-config.h.template
index abfff20d3448..7cb289114dab 100644
--- a/subsys/nrf_security/configs/nrf-config.h.template
+++ b/subsys/nrf_security/configs/nrf-config.h.template
@@ -115,6 +115,11 @@
 #cmakedefine MBEDTLS_SSL_RENEGOTIATION
 #cmakedefine MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #cmakedefine MBEDTLS_SSL_PROTO_TLS1_2
+#cmakedefine MBEDTLS_SSL_PROTO_TLS1_3
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+#cmakedefine MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
 #cmakedefine MBEDTLS_SSL_PROTO_DTLS
 #cmakedefine MBEDTLS_SSL_ALPN
 #cmakedefine MBEDTLS_SSL_DTLS_ANTI_REPLAY