Hi Ilias, On 10/24/24 12:24, Ilias Apalodimas wrote: > Since lwIP and mbedTLS have been merged we can tweak the config options > and enable TLS1.2 support. Add RSA and ECDSA by default and enable > enough block cipher modes of operation to be compatible with modern > TLS requirements and webservers > > Signed-off-by: Ilias Apalodimas <ilias.apalodi...@linaro.org> > Reviewed-by: Raymond Mao <raymond....@linaro.org> > --- > lib/mbedtls/Kconfig | 12 ++++++++ > lib/mbedtls/Makefile | 31 +++++++++++++++++++ > lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++ > 3 files changed, 95 insertions(+) > > diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig > index d71adc3648ad..f3e172633999 100644 > --- a/lib/mbedtls/Kconfig > +++ b/lib/mbedtls/Kconfig > @@ -430,4 +430,16 @@ endif # SPL > > endif # MBEDTLS_LIB_X509 > > +config MBEDTLS_LIB_TLS > + bool "MbedTLS TLS library" > + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS > + depends on X509_CERTIFICATE_PARSER_MBEDTLS > + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS > + depends on ASN1_DECODER_MBEDTLS > + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS > + depends on MBEDTLS_LIB_CRYPTO > + help > + Enable MbedTLS TLS library. If enabled HTTPs support will be enabled > + in wget
Technically not true until patch 4/6. Maybe "Required for HTTPS support in wget"? Aside from that, LGTM. Acked-by: Jerome Forissier <jerome.foriss...@linaro.org> Thanks, -- Jerome > + > endif # MBEDTLS_LIB > diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile > index 83cb3c2fa705..ce0a61e40541 100644 > --- a/lib/mbedtls/Makefile > +++ b/lib/mbedtls/Makefile > @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \ > $(MBEDTLS_LIB_DIR)/platform_util.o \ > $(MBEDTLS_LIB_DIR)/constant_time.o \ > $(MBEDTLS_LIB_DIR)/md.o > + > mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o > mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o > mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ 
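Review bot: `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` is listed twice in the new MBEDTLS_LIB_TLS entry (third and fifth dependency lines); the second occurrence should be dropped. The option is user-visible with no `default`, so it stays off unless explicitly selected, which is appropriate for a TLS stack that pulls in roughly thirty objects and a hardware entropy hook. Since the Makefile hunk keys the object list on plain `CONFIG_MBEDTLS_LIB_TLS` rather than a `$(SPL_)` variant, it would help to state in the help text that the library is not available in SPL, so the two files document the same scope.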
> @@ -54,3 +55,33 @@ > mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ > $(MBEDTLS_LIB_DIR)/x509_crt.o > mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ > $(MBEDTLS_LIB_DIR)/pkcs7.o > + > +#mbedTLS TLS support > +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o > +mbedtls_lib_tls-y := \ > + $(MBEDTLS_LIB_DIR)/mps_reader.o \ > + $(MBEDTLS_LIB_DIR)/mps_trace.o \ > + $(MBEDTLS_LIB_DIR)/net_sockets.o \ > + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ > + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ > + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ > + $(MBEDTLS_LIB_DIR)/ssl_client.o \ > + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ > + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ > + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ > + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ > + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ > + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ > + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ > + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ > + $(MBEDTLS_LIB_DIR)/entropy.o \ > + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ > + $(MBEDTLS_LIB_DIR)/aes.o \ > + $(MBEDTLS_LIB_DIR)/cipher.o \ > + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ > + $(MBEDTLS_LIB_DIR)/ecdh.o \ > + $(MBEDTLS_LIB_DIR)/ecdsa.o \ > + $(MBEDTLS_LIB_DIR)/ecp.o \ > + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ > + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ > + $(MBEDTLS_LIB_DIR)/gcm.o \ > diff --git a/lib/mbedtls/mbedtls_def_config.h > b/lib/mbedtls/mbedtls_def_config.h > index 1af911c2003f..ac8f0bbf2c0e 100644 > --- a/lib/mbedtls/mbedtls_def_config.h > +++ b/lib/mbedtls/mbedtls_def_config.h 
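Review bot: The last entry of the new `mbedtls_lib_tls-y` list, `$(MBEDTLS_LIB_DIR)/gcm.o \`, ends with a line continuation, so any line later appended to the Makefile after it will be folded into this list; drop the trailing backslash on the final element. The list also compiles server- and debug-side modules (`ssl_cache.o`, `ssl_cookie.o`, `ssl_ticket.o`, `ssl_debug_helpers_generated.o`) unconditionally even though the config header in this patch only enables `MBEDTLS_SSL_CLI_C`; if they are only there to satisfy link-time references it is worth a comment, otherwise they can go and shrink the image. A minor style point: `#mbedTLS TLS support` lacks the space after `#` that the surrounding comments presumably use (not visible in this hunk).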
> @@ -87,4 +87,56 @@ > > #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ > > +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) > +#include "rtc.h" > + > +/* Generic options */ > +#define MBEDTLS_ENTROPY_HARDWARE_ALT > +#define MBEDTLS_HAVE_TIME > +#define MBEDTLS_PLATFORM_MS_TIME_ALT > +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime > +#define MBEDTLS_PLATFORM_C > +#define MBEDTLS_SSL_CLI_C > +#define MBEDTLS_SSL_TLS_C > +#define MBEDTLS_CIPHER_C > +#define MBEDTLS_MD_C > +#define MBEDTLS_CTR_DRBG_C > +#define MBEDTLS_AES_C > +#define MBEDTLS_ENTROPY_C > +#define MBEDTLS_NO_PLATFORM_ENTROPY > +#define MBEDTLS_SSL_PROTO_TLS1_2 > +#define MBEDTLS_SSL_SERVER_NAME_INDICATION > +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED > + > +/* RSA */ > +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED > +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED > +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED > +#define MBEDTLS_GCM_C > + > +/* ECDSA */ > +#define MBEDTLS_ECDSA_C > +#define MBEDTLS_ECDH_C > +#define MBEDTLS_ECDSA_DETERMINISTIC > +#define MBEDTLS_HMAC_DRBG_C > +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED > +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED > +#define MBEDTLS_CAN_ECDH > +#define MBEDTLS_PK_CAN_ECDSA_SIGN > +#define MBEDTLS_ECP_C > +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED > +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED > +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED > +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED > +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED > +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED > +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED > +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED > +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED > +#define MBEDTLS_ECP_DP_BP256R1_ENABLED > +#define MBEDTLS_ECP_DP_BP384R1_ENABLED > +#define MBEDTLS_ECP_DP_BP512R1_ENABLED > + > +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ > + > #endif /* #if defined CONFIG_MBEDTLS_LIB */
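Review bot: The key-exchange set enables static RSA and static ECDH (`MBEDTLS_KEY_EXCHANGE_RSA_ENABLED`, `MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED`, `MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED`), none of which provide forward secrecy, which is at odds with the "modern TLS requirements" the description cites; for a client that only needs to reach current webservers the two ECDHE_* pairs are sufficient, and `MBEDTLS_KEY_EXCHANGE_PSK_ENABLED` adds ciphersuites that wget has no way to configure a key for. The curve list likewise includes the 192- and 224-bit secp curves (`SECP192R1`, `SECP224R1`, `SECP192K1`, `SECP224K1`), which sit below the 128-bit security level and are deprecated for TLS, and `MBEDTLS_ECP_DP_SECP256K1_ENABLED` is defined twice; limiting the list to secp256r1/384r1/521r1 removes a negotiable downgrade and saves code size. `MBEDTLS_ENTROPY_HARDWARE_ALT` together with `MBEDTLS_NO_PLATFORM_ENTROPY` makes `mbedtls_hardware_poll()` the sole seed source for CTR_DRBG, so every TLS session key depends on it; nothing in this hunk provides that function, and if it arrives in a later patch of the series the commit message should say so and note which RNG backs it. `MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime` is invoked by mbedTLS with a `time_t *` argument, so if the U-Boot `rtc_mktime` has a different signature (it appears to take an rtc_time struct, to be confirmed) certificate validity checks would be computed from garbage rather than the current time.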