modules: mbedtls: rename CONFIG_MBEDTLS_MAC_*_ENABLED and rm duplicates
Remove the `_MAC` part because those Kconfig options enable only hash
algorithms, nothing MAC-related, and the `_ENABLED` part to align the
naming to the Mbed TLS defines (plus we don't need such a part).

As a bonus, enabling SHA-256 does not automatically enable SHA-224
anymore.

See the migration guide entries for more details on the practical
changes.

Signed-off-by: Tomi Fontanilles <[email protected]>
tomi-font authored and henrikbrixandersen committed May 29, 2024
1 parent 6e8d979 commit 3efdbe6
Showing 17 changed files with 77 additions and 82 deletions.
8 changes: 8 additions & 0 deletions doc/releases/migration-guide-3.7.rst
@@ -81,6 +81,14 @@ MbedTLS

* The hash algorithms SHA-384, SHA-512, MD5 and SHA-1 are not enabled by default anymore.
Their respective Kconfig options now need to be explicitly enabled to be able to use them.
* The Kconfig options previously named `CONFIG_MBEDTLS_MAC_*_ENABLED` have been renamed.
The `_MAC` and `_ENABLED` parts have been removed from their names.
* The :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED` Kconfig option has been fixed to actually
enable all the available hash algorithms. Previously, it used to only enable the SHA-2 ones.
* The `CONFIG_MBEDTLS_HASH_SHA*_ENABLED` Kconfig options have been removed. They were duplicates
of other Kconfig options which are now named `CONFIG_MBEDTLS_SHA*`.
* The `CONFIG_MBEDTLS_MAC_ALL_ENABLED` Kconfig option has been removed. Its equivalent is the
combination of :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED` and :kconfig:option:`CONFIG_MBEDTLS_CMAC`.

MCUboot
=======
2 changes: 1 addition & 1 deletion drivers/crypto/Kconfig
@@ -52,7 +52,7 @@ config CRYPTO_MBEDTLS_SHIM
bool "MbedTLS shim driver [EXPERIMENTAL]"
select MBEDTLS
select MBEDTLS_ENABLE_HEAP
select MBEDTLS_MAC_SHA512_ENABLED
select MBEDTLS_SHA512
select EXPERIMENTAL
help
Enable mbedTLS shim layer compliant with crypto APIs. You will need
2 changes: 1 addition & 1 deletion drivers/wifi/esp32/Kconfig.esp32
@@ -269,7 +269,7 @@ config ESP32_WIFI_MBEDTLS_CRYPTO
select MBEDTLS_PKCS5_C
select MBEDTLS_PK_WRITE_C
select MBEDTLS_CIPHER_MODE_CTR_ENABLED
select MBEDTLS_MAC_CMAC_ENABLED
select MBEDTLS_CMAC
select MBEDTLS_ZEPHYR_ENTROPY
help
Select this option to use MbedTLS crypto APIs which utilize hardware acceleration.
2 changes: 1 addition & 1 deletion modules/hostap/Kconfig
@@ -114,7 +114,7 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO
select MBEDTLS_CIPHER_MODE_CBC_ENABLED
select MBEDTLS_ECP_C
select MBEDTLS_ECP_ALL_ENABLED
select MBEDTLS_MAC_CMAC_ENABLED
select MBEDTLS_CMAC
select MBEDTLS_PKCS5_C
select MBEDTLS_PK_WRITE_C
select MBEDTLS_ECDH_C
94 changes: 39 additions & 55 deletions modules/mbedtls/Kconfig.tls-generic
@@ -12,15 +12,15 @@ menu "Supported TLS version"
config MBEDTLS_TLS_VERSION_1_0
bool "Support for TLS 1.0"
select MBEDTLS_CIPHER
select MBEDTLS_MAC_MD5_ENABLED
select MBEDTLS_MAC_SHA1_ENABLED
select MBEDTLS_MD5
select MBEDTLS_SHA1
select MBEDTLS_MD

config MBEDTLS_TLS_VERSION_1_1
bool "Support for TLS 1.1 (DTLS 1.0)"
select MBEDTLS_CIPHER
select MBEDTLS_MAC_MD5_ENABLED
select MBEDTLS_MAC_SHA1_ENABLED
select MBEDTLS_MD5
select MBEDTLS_SHA1
select MBEDTLS_MD

config MBEDTLS_TLS_VERSION_1_2
@@ -206,25 +206,7 @@ config MBEDTLS_ECP_NIST_OPTIM

endif

comment "Supported hash"

config MBEDTLS_HASH_ALL_ENABLED
bool "All available hashes"
select MBEDTLS_HASH_SHA256_ENABLED
select MBEDTLS_HASH_SHA384_ENABLED
select MBEDTLS_HASH_SHA512_ENABLED

config MBEDTLS_HASH_SHA256_ENABLED
bool "SHA224 and SHA256 hashes"

config MBEDTLS_HASH_SHA384_ENABLED
bool "SHA384 hash"
select MBEDTLS_HASH_SHA512_ENABLED

config MBEDTLS_HASH_SHA512_ENABLED
bool "SHA512 hash"

comment "Supported cipher modes"
comment "Supported ciphers and cipher modes"

config MBEDTLS_CIPHER_ALL_ENABLED
bool "All available ciphers"
@@ -297,55 +279,57 @@ config MBEDTLS_CIPHER_MODE_CTR_ENABLED

config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
bool "ChaCha20-Poly1305 AEAD algorithm"
depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_POLY1305

config MBEDTLS_CMAC
bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED

comment "Supported message authentication methods"
comment "Supported hash algorithms"

config MBEDTLS_MAC_ALL_ENABLED
config MBEDTLS_HASH_ALL_ENABLED
bool "All available MAC methods"
select MBEDTLS_MAC_MD4_ENABLED
select MBEDTLS_MAC_MD5_ENABLED
select MBEDTLS_MAC_SHA1_ENABLED
select MBEDTLS_MAC_SHA256_ENABLED
select MBEDTLS_MAC_SHA384_ENABLED
select MBEDTLS_MAC_SHA512_ENABLED
select MBEDTLS_MAC_POLY1305_ENABLED
select MBEDTLS_MAC_CMAC_ENABLED

config MBEDTLS_MAC_MD4_ENABLED
select MBEDTLS_MD4
select MBEDTLS_MD5
select MBEDTLS_SHA1
select MBEDTLS_SHA224
select MBEDTLS_SHA256
select MBEDTLS_SHA384
select MBEDTLS_SHA512
select MBEDTLS_POLY1305

config MBEDTLS_MD4
bool "MD4 hash algorithm"

config MBEDTLS_MAC_MD5_ENABLED
config MBEDTLS_MD5
bool "MD5 hash algorithm"

config MBEDTLS_MAC_SHA1_ENABLED
bool "SHA1 hash algorithm"
config MBEDTLS_SHA1
bool "SHA-1 hash algorithm"

config MBEDTLS_SHA224
bool "SHA-224 hash algorithm"

config MBEDTLS_MAC_SHA256_ENABLED
bool "SHA-224 and SHA-256 hash algorithms"
config MBEDTLS_SHA256
bool "SHA-256 hash algorithm"
default y

config MBEDTLS_SHA256_SMALLER
bool "Smaller SHA-256 implementation"
depends on MBEDTLS_MAC_SHA256_ENABLED
depends on MBEDTLS_SHA256
default y
help
Enable an implementation of SHA-256 that has lower ROM footprint but also
lower performance
Enable an implementation of SHA-256 that has a
smaller ROM footprint but also lower performance.

config MBEDTLS_MAC_SHA384_ENABLED
config MBEDTLS_SHA384
bool "SHA-384 hash algorithm"
select MBEDTLS_MAC_SHA512_ENABLED

config MBEDTLS_MAC_SHA512_ENABLED
config MBEDTLS_SHA512
bool "SHA-512 hash algorithm"

config MBEDTLS_MAC_POLY1305_ENABLED
bool "Poly1305 MAC algorithm"

config MBEDTLS_MAC_CMAC_ENABLED
bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
config MBEDTLS_POLY1305
bool "Poly1305 hash family"

endmenu

@@ -387,7 +371,7 @@ config MBEDTLS_HAVE_ASM

config MBEDTLS_ENTROPY_ENABLED
bool "MbedTLS generic entropy pool"
depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512
default y if MBEDTLS_ZEPHYR_ENTROPY

config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
@@ -502,7 +486,7 @@ config MBEDTLS_PSA_CRYPTO_CLIENT
config MBEDTLS_LMS
bool "Support LMS signature schemes"
depends on MBEDTLS_PSA_CRYPTO_CLIENT
depends on MBEDTLS_HASH_SHA256_ENABLED
depends on MBEDTLS_SHA256
select PSA_WANT_ALG_SHA_256

config MBEDTLS_SSL_DTLS_CONNECTION_ID
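Review bot: In the `@@ -297,55 +279,57 @@` hunk, dropping `select MBEDTLS_MAC_SHA512_ENABLED` leaves `config MBEDTLS_SHA384` with no tie to SHA-512, and the new `config MBEDTLS_SHA224` has no tie to SHA-256, while `config-tls-generic.h` now defines `MBEDTLS_SHA384_C` and `MBEDTLS_SHA224_C` from those options alone; as far as I recall, Mbed TLS 3.x's check_config.h rejects `MBEDTLS_SHA384_C` without `MBEDTLS_SHA512_C` and `MBEDTLS_SHA224_C` without `MBEDTLS_SHA256_C`, so a user enabling only SHA-384 or only SHA-224 would hit a build-time error rather than a Kconfig-level fix-up. If that holds, `select MBEDTLS_SHA512` under `config MBEDTLS_SHA384` and `select MBEDTLS_SHA256` under `config MBEDTLS_SHA224` keep the intended "SHA-256 does not pull in SHA-224" behaviour while preserving the dependency direction Mbed TLS enforces. Separately, the prompt `bool "All available MAC methods"` appears to be carried over unchanged under the renamed `config MBEDTLS_HASH_ALL_ENABLED` and should read `bool "All available hash algorithms"`, and the new `bool "Poly1305 hash family"` prompt is less accurate than the previous "Poly1305 MAC algorithm", since Poly1305 is a one-time authenticator rather than a hash.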
24 changes: 12 additions & 12 deletions modules/mbedtls/configs/config-tls-generic.h
@@ -271,45 +271,45 @@
#define MBEDTLS_ECP_NIST_OPTIM
#endif

/* Supported message authentication methods */
/* Supported hash algorithms */

#if defined(CONFIG_MBEDTLS_MAC_MD4_ENABLED)
#if defined(CONFIG_MBEDTLS_MD4)
#define MBEDTLS_MD4_C
#endif

#if defined(CONFIG_MBEDTLS_MAC_MD5_ENABLED)
#if defined(CONFIG_MBEDTLS_MD5)
#define MBEDTLS_MD5_C
#endif

#if defined(CONFIG_MBEDTLS_MAC_SHA1_ENABLED)
#if defined(CONFIG_MBEDTLS_SHA1)
#define MBEDTLS_SHA1_C
#endif

#if defined(CONFIG_MBEDTLS_MAC_SHA256_ENABLED) || \
defined(CONFIG_MBEDTLS_HASH_SHA256_ENABLED)
#if defined(CONFIG_MBEDTLS_SHA224)
#define MBEDTLS_SHA224_C
#endif

#if defined(CONFIG_MBEDTLS_SHA256)
#define MBEDTLS_SHA256_C
#endif

#if defined(CONFIG_MBEDTLS_SHA256_SMALLER)
#define MBEDTLS_SHA256_SMALLER
#endif

#if defined(CONFIG_MBEDTLS_MAC_SHA384_ENABLED) || \
defined(CONFIG_MBEDTLS_HASH_SHA384_ENABLED)
#if defined(CONFIG_MBEDTLS_SHA384)
#define MBEDTLS_SHA384_C
#endif

#if defined(CONFIG_MBEDTLS_MAC_SHA512_ENABLED) || \
defined(CONFIG_MBEDTLS_HASH_SHA512_ENABLED)
#if defined(CONFIG_MBEDTLS_SHA512)
#define MBEDTLS_SHA512_C
#endif

#if defined(CONFIG_MBEDTLS_MAC_POLY1305_ENABLED)
#if defined(CONFIG_MBEDTLS_POLY1305)
#define MBEDTLS_POLY1305_C
#endif

#if defined(CONFIG_MBEDTLS_MAC_CMAC_ENABLED)
#if defined(CONFIG_MBEDTLS_CMAC)
#define MBEDTLS_CMAC_C
#endif

3 changes: 2 additions & 1 deletion samples/net/sockets/http_get/overlay-tls.conf
@@ -6,6 +6,7 @@ CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=60000
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=7168
CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
CONFIG_MBEDTLS_CMAC=y

CONFIG_NET_SOCKETS_SOCKOPT_TLS=y
2 changes: 1 addition & 1 deletion subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt
@@ -15,7 +15,7 @@ zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32 src/fs_mgm
zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_HASH_SHA256 src/fs_mgmt_hash_checksum_sha256.c)

if(CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH AND CONFIG_MCUMGR_GRP_FS_HASH_SHA256)
if(CONFIG_MBEDTLS_MAC_SHA256_ENABLED)
if(CONFIG_MBEDTLS_SHA256)
zephyr_library_link_libraries(mbedTLS)
endif()
endif()
2 changes: 1 addition & 1 deletion subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig
@@ -125,7 +125,7 @@ config MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32

config MCUMGR_GRP_FS_HASH_SHA256
bool "SHA256 hash support"
depends on BUILD_WITH_TFM || MBEDTLS_MAC_SHA256_ENABLED
depends on BUILD_WITH_TFM || MBEDTLS_SHA256
select PSA_WANT_ALG_SHA_256 if BUILD_WITH_TFM
help
Enable SHA256 hash support for MCUmgr.
4 changes: 2 additions & 2 deletions subsys/net/l2/openthread/Kconfig
@@ -181,9 +181,9 @@ config OPENTHREAD_MBEDTLS
select MBEDTLS_ENABLE_HEAP
select MBEDTLS_CIPHER_AES_ENABLED
select MBEDTLS_CIPHER_CCM_ENABLED
select MBEDTLS_MAC_SHA256_ENABLED
select MBEDTLS_SHA256
select MBEDTLS_ENTROPY_ENABLED
select MBEDTLS_MAC_CMAC_ENABLED
select MBEDTLS_CMAC
select MBEDTLS_CIPHER
select MBEDTLS_MD
select MBEDTLS_TLS_VERSION_1_2 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER
2 changes: 1 addition & 1 deletion subsys/net/lib/websocket/Kconfig
@@ -9,7 +9,7 @@ config WEBSOCKET_CLIENT
select HTTP_CLIENT
select MBEDTLS
select BASE64
select MBEDTLS_MAC_SHA1_ENABLED if MBEDTLS_BUILTIN
select MBEDTLS_SHA1 if MBEDTLS_BUILTIN
select EXPERIMENTAL
help
Enable Websocket client library.
2 changes: 1 addition & 1 deletion subsys/storage/flash_map/Kconfig
@@ -58,7 +58,7 @@ config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS
bool "Use MBEDTLS"
select MBEDTLS
select MBEDTLS_MD
select MBEDTLS_MAC_SHA256_ENABLED
select MBEDTLS_SHA256
select MBEDTLS_ENABLE_HEAP
help
Use MBEDTLS library to perform the integrity check.
3 changes: 2 additions & 1 deletion tests/benchmarks/mbedtls/prj.conf
@@ -21,7 +21,8 @@ CONFIG_MBEDTLS_TLS_VERSION_1_2=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y
CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y
CONFIG_MBEDTLS_ECP_ALL_ENABLED=y
CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
CONFIG_MBEDTLS_CMAC=y
CONFIG_MBEDTLS_GENPRIME_ENABLED=y
CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y
CONFIG_MBEDTLS_ECDH_C=y
3 changes: 2 additions & 1 deletion tests/net/socket/tls/prj.conf
@@ -47,4 +47,5 @@ CONFIG_ZTEST_STACK_SIZE=3072
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=18000
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
CONFIG_MBEDTLS_MAC_ALL_ENABLED=y
CONFIG_MBEDTLS_HASH_ALL_ENABLED=y
CONFIG_MBEDTLS_CMAC=y
2 changes: 1 addition & 1 deletion tests/subsys/mgmt/mcumgr/all_options/prj.conf
@@ -5,7 +5,7 @@
#
CONFIG_ZTEST=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
CONFIG_MBEDTLS_SHA256=y
CONFIG_FILE_SYSTEM=y
CONFIG_BASE64=y
CONFIG_NET_BUF=y
@@ -6,4 +6,4 @@
CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=y
CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
CONFIG_MBEDTLS_SHA256=y
@@ -6,4 +6,4 @@
CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=n
CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y
CONFIG_MBEDTLS_SHA256=y
