diff --git a/doc/releases/migration-guide-3.7.rst b/doc/releases/migration-guide-3.7.rst index 547268260be3..5a4402325f41 100644 --- a/doc/releases/migration-guide-3.7.rst +++ b/doc/releases/migration-guide-3.7.rst @@ -81,6 +81,14 @@ MbedTLS * The hash algorithms SHA-384, SHA-512, MD5 and SHA-1 are not enabled by default anymore. Their respective Kconfig options now need to be explicitly enabled to be able to use them. +* The Kconfig options previously named `CONFIG_MBEDTLS_MAC_*_ENABLED` have been renamed. + The `_MAC` and `_ENABLED` parts have been removed from their names. +* The :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED` Kconfig option has been fixed to actually + enable all the available hash algorithms. Previously, it used to only enable the SHA-2 ones. +* The `CONFIG_MBEDTLS_HASH_SHA*_ENABLED` Kconfig options have been removed. They were duplicates + of other Kconfig options which are now named `CONFIG_MBEDTLS_SHA*`. +* The `CONFIG_MBEDTLS_MAC_ALL_ENABLED` Kconfig option has been removed. Its equivalent is the + combination of :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED` and :kconfig:option:`CONFIG_MBEDTLS_CMAC`. MCUboot ======= diff --git a/drivers/crypto/Kconfig b/drivers/crypto/Kconfig index 451a524c810f..27c35c9b1235 100644 --- a/drivers/crypto/Kconfig +++ b/drivers/crypto/Kconfig @@ -52,7 +52,7 @@ config CRYPTO_MBEDTLS_SHIM bool "MbedTLS shim driver [EXPERIMENTAL]" select MBEDTLS select MBEDTLS_ENABLE_HEAP - select MBEDTLS_MAC_SHA512_ENABLED + select MBEDTLS_SHA512 select EXPERIMENTAL help Enable mbedTLS shim layer compliant with crypto APIs. You will need diff --git a/drivers/wifi/esp32/Kconfig.esp32 b/drivers/wifi/esp32/Kconfig.esp32 index 7760668b0bd2..2805f5b2ce48 100644 --- a/drivers/wifi/esp32/Kconfig.esp32 +++ b/drivers/wifi/esp32/Kconfig.esp32 @@ -269,7 +269,7 @@ config ESP32_WIFI_MBEDTLS_CRYPTO select MBEDTLS_PKCS5_C select MBEDTLS_PK_WRITE_C select MBEDTLS_CIPHER_MODE_CTR_ENABLED - select MBEDTLS_MAC_CMAC_ENABLED + select MBEDTLS_CMAC select MBEDTLS_ZEPHYR_ENTROPY help Select this option to use MbedTLS crypto APIs which utilize hardware acceleration. diff --git a/modules/hostap/Kconfig b/modules/hostap/Kconfig index 473b6278055c..490e70c0c7d6 100644 --- a/modules/hostap/Kconfig +++ b/modules/hostap/Kconfig @@ -114,7 +114,7 @@ config WIFI_NM_WPA_SUPPLICANT_CRYPTO select MBEDTLS_CIPHER_MODE_CBC_ENABLED select MBEDTLS_ECP_C select MBEDTLS_ECP_ALL_ENABLED - select MBEDTLS_MAC_CMAC_ENABLED + select MBEDTLS_CMAC select MBEDTLS_PKCS5_C select MBEDTLS_PK_WRITE_C select MBEDTLS_ECDH_C diff --git a/modules/mbedtls/Kconfig.tls-generic b/modules/mbedtls/Kconfig.tls-generic index b692c18e3235..c0a6fade6b99 100644 --- a/modules/mbedtls/Kconfig.tls-generic +++ b/modules/mbedtls/Kconfig.tls-generic @@ -12,15 +12,15 @@ menu "Supported TLS version" config MBEDTLS_TLS_VERSION_1_0 bool "Support for TLS 1.0" select MBEDTLS_CIPHER - select MBEDTLS_MAC_MD5_ENABLED - select MBEDTLS_MAC_SHA1_ENABLED + select MBEDTLS_MD5 + select MBEDTLS_SHA1 select MBEDTLS_MD config MBEDTLS_TLS_VERSION_1_1 bool "Support for TLS 1.1 (DTLS 1.0)" select MBEDTLS_CIPHER - select MBEDTLS_MAC_MD5_ENABLED - select MBEDTLS_MAC_SHA1_ENABLED + select MBEDTLS_MD5 + select MBEDTLS_SHA1 select MBEDTLS_MD config MBEDTLS_TLS_VERSION_1_2 @@ -206,25 +206,7 @@ config MBEDTLS_ECP_NIST_OPTIM endif -comment "Supported hash" - -config MBEDTLS_HASH_ALL_ENABLED - bool "All available hashes" - select MBEDTLS_HASH_SHA256_ENABLED - select MBEDTLS_HASH_SHA384_ENABLED - select MBEDTLS_HASH_SHA512_ENABLED - -config MBEDTLS_HASH_SHA256_ENABLED - bool "SHA224 and SHA256 hashes" - -config MBEDTLS_HASH_SHA384_ENABLED - bool "SHA384 hash" - select MBEDTLS_HASH_SHA512_ENABLED - -config MBEDTLS_HASH_SHA512_ENABLED - bool "SHA512 hash" - -comment "Supported cipher modes" +comment "Supported ciphers and cipher modes" config MBEDTLS_CIPHER_ALL_ENABLED bool "All available ciphers" @@ -297,55 +279,57 @@ config MBEDTLS_CIPHER_MODE_CTR_ENABLED config MBEDTLS_CHACHAPOLY_AEAD_ENABLED bool "ChaCha20-Poly1305 AEAD algorithm" - depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED + depends on MBEDTLS_CIPHER_CHACHA20_ENABLED && MBEDTLS_POLY1305 + +config MBEDTLS_CMAC + bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." + depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED -comment "Supported message authentication methods" +comment "Supported hash algorithms" -config MBEDTLS_MAC_ALL_ENABLED +config MBEDTLS_HASH_ALL_ENABLED bool "All available MAC methods" - select MBEDTLS_MAC_MD4_ENABLED - select MBEDTLS_MAC_MD5_ENABLED - select MBEDTLS_MAC_SHA1_ENABLED - select MBEDTLS_MAC_SHA256_ENABLED - select MBEDTLS_MAC_SHA384_ENABLED - select MBEDTLS_MAC_SHA512_ENABLED - select MBEDTLS_MAC_POLY1305_ENABLED - select MBEDTLS_MAC_CMAC_ENABLED - -config MBEDTLS_MAC_MD4_ENABLED + select MBEDTLS_MD4 + select MBEDTLS_MD5 + select MBEDTLS_SHA1 + select MBEDTLS_SHA224 + select MBEDTLS_SHA256 + select MBEDTLS_SHA384 + select MBEDTLS_SHA512 + select MBEDTLS_POLY1305 + +config MBEDTLS_MD4 bool "MD4 hash algorithm" -config MBEDTLS_MAC_MD5_ENABLED +config MBEDTLS_MD5 bool "MD5 hash algorithm" -config MBEDTLS_MAC_SHA1_ENABLED - bool "SHA1 hash algorithm" +config MBEDTLS_SHA1 + bool "SHA-1 hash algorithm" + +config MBEDTLS_SHA224 + bool "SHA-224 hash algorithm" -config MBEDTLS_MAC_SHA256_ENABLED - bool "SHA-224 and SHA-256 hash algorithms" +config MBEDTLS_SHA256 + bool "SHA-256 hash algorithm" default y config MBEDTLS_SHA256_SMALLER bool "Smaller SHA-256 implementation" - depends on MBEDTLS_MAC_SHA256_ENABLED + depends on MBEDTLS_SHA256 default y help - Enable an implementation of SHA-256 that has lower ROM footprint but also - lower performance + Enable an implementation of SHA-256 that has a + smaller ROM footprint but also lower performance. -config MBEDTLS_MAC_SHA384_ENABLED +config MBEDTLS_SHA384 bool "SHA-384 hash algorithm" - select MBEDTLS_MAC_SHA512_ENABLED -config MBEDTLS_MAC_SHA512_ENABLED +config MBEDTLS_SHA512 bool "SHA-512 hash algorithm" -config MBEDTLS_MAC_POLY1305_ENABLED - bool "Poly1305 MAC algorithm" - -config MBEDTLS_MAC_CMAC_ENABLED - bool "CMAC (Cipher-based Message Authentication Code) mode for block ciphers." - depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED +config MBEDTLS_POLY1305 + bool "Poly1305 hash family" endmenu @@ -387,7 +371,7 @@ config MBEDTLS_HAVE_ASM config MBEDTLS_ENTROPY_ENABLED bool "MbedTLS generic entropy pool" - depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA384_ENABLED || MBEDTLS_MAC_SHA512_ENABLED + depends on MBEDTLS_SHA256 || MBEDTLS_SHA384 || MBEDTLS_SHA512 default y if MBEDTLS_ZEPHYR_ENTROPY config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED @@ -502,7 +486,7 @@ config MBEDTLS_PSA_CRYPTO_CLIENT config MBEDTLS_LMS bool "Support LMS signature schemes" depends on MBEDTLS_PSA_CRYPTO_CLIENT - depends on MBEDTLS_HASH_SHA256_ENABLED + depends on MBEDTLS_SHA256 select PSA_WANT_ALG_SHA_256 config MBEDTLS_SSL_DTLS_CONNECTION_ID diff --git a/modules/mbedtls/configs/config-tls-generic.h b/modules/mbedtls/configs/config-tls-generic.h index 45bc81f35f20..c9f01db9bed5 100644 --- a/modules/mbedtls/configs/config-tls-generic.h +++ b/modules/mbedtls/configs/config-tls-generic.h @@ -271,23 +271,25 @@ #define MBEDTLS_ECP_NIST_OPTIM #endif -/* Supported message authentication methods */ +/* Supported hash algorithms */ -#if defined(CONFIG_MBEDTLS_MAC_MD4_ENABLED) +#if defined(CONFIG_MBEDTLS_MD4) #define MBEDTLS_MD4_C #endif -#if defined(CONFIG_MBEDTLS_MAC_MD5_ENABLED) +#if defined(CONFIG_MBEDTLS_MD5) #define MBEDTLS_MD5_C #endif -#if defined(CONFIG_MBEDTLS_MAC_SHA1_ENABLED) +#if defined(CONFIG_MBEDTLS_SHA1) #define MBEDTLS_SHA1_C #endif -#if defined(CONFIG_MBEDTLS_MAC_SHA256_ENABLED) || \ - defined(CONFIG_MBEDTLS_HASH_SHA256_ENABLED) +#if defined(CONFIG_MBEDTLS_SHA224) #define MBEDTLS_SHA224_C +#endif + +#if defined(CONFIG_MBEDTLS_SHA256) #define MBEDTLS_SHA256_C #endif @@ -295,21 +297,19 @@ #define MBEDTLS_SHA256_SMALLER #endif -#if defined(CONFIG_MBEDTLS_MAC_SHA384_ENABLED) || \ - defined(CONFIG_MBEDTLS_HASH_SHA384_ENABLED) +#if defined(CONFIG_MBEDTLS_SHA384) #define MBEDTLS_SHA384_C #endif -#if defined(CONFIG_MBEDTLS_MAC_SHA512_ENABLED) || \ - defined(CONFIG_MBEDTLS_HASH_SHA512_ENABLED) +#if defined(CONFIG_MBEDTLS_SHA512) #define MBEDTLS_SHA512_C #endif -#if defined(CONFIG_MBEDTLS_MAC_POLY1305_ENABLED) +#if defined(CONFIG_MBEDTLS_POLY1305) #define MBEDTLS_POLY1305_C #endif -#if defined(CONFIG_MBEDTLS_MAC_CMAC_ENABLED) +#if defined(CONFIG_MBEDTLS_CMAC) #define MBEDTLS_CMAC_C #endif diff --git a/samples/net/sockets/http_get/overlay-tls.conf b/samples/net/sockets/http_get/overlay-tls.conf index 29bfc2372f85..0cf82f18cf85 100644 --- a/samples/net/sockets/http_get/overlay-tls.conf +++ b/samples/net/sockets/http_get/overlay-tls.conf @@ -6,6 +6,7 @@ CONFIG_MBEDTLS_BUILTIN=y CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=60000 CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=7168 -CONFIG_MBEDTLS_MAC_ALL_ENABLED=y +CONFIG_MBEDTLS_HASH_ALL_ENABLED=y +CONFIG_MBEDTLS_CMAC=y CONFIG_NET_SOCKETS_SOCKOPT_TLS=y diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt b/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt index f25495d667c4..cd09c59d7a6a 100644 --- a/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt +++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/CMakeLists.txt @@ -15,7 +15,7 @@ zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32 src/fs_mgm zephyr_library_sources_ifdef(CONFIG_MCUMGR_GRP_FS_HASH_SHA256 src/fs_mgmt_hash_checksum_sha256.c) if(CONFIG_MCUMGR_GRP_FS_CHECKSUM_HASH AND CONFIG_MCUMGR_GRP_FS_HASH_SHA256) - if(CONFIG_MBEDTLS_MAC_SHA256_ENABLED) + if(CONFIG_MBEDTLS_SHA256) zephyr_library_link_libraries(mbedTLS) endif() endif() diff --git a/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig b/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig index 2bb7e74fb630..013697225fcd 100644 --- a/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig +++ b/subsys/mgmt/mcumgr/grp/fs_mgmt/Kconfig @@ -125,7 +125,7 @@ config MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32 config MCUMGR_GRP_FS_HASH_SHA256 bool "SHA256 hash support" - depends on BUILD_WITH_TFM || MBEDTLS_MAC_SHA256_ENABLED + depends on BUILD_WITH_TFM || MBEDTLS_SHA256 select PSA_WANT_ALG_SHA_256 if BUILD_WITH_TFM help Enable SHA256 hash support for MCUmgr. diff --git a/subsys/net/l2/openthread/Kconfig b/subsys/net/l2/openthread/Kconfig index c75af2c5c255..de7fb4a3aaa4 100644 --- a/subsys/net/l2/openthread/Kconfig +++ b/subsys/net/l2/openthread/Kconfig @@ -181,9 +181,9 @@ config OPENTHREAD_MBEDTLS select MBEDTLS_ENABLE_HEAP select MBEDTLS_CIPHER_AES_ENABLED select MBEDTLS_CIPHER_CCM_ENABLED - select MBEDTLS_MAC_SHA256_ENABLED + select MBEDTLS_SHA256 select MBEDTLS_ENTROPY_ENABLED - select MBEDTLS_MAC_CMAC_ENABLED + select MBEDTLS_CMAC select MBEDTLS_CIPHER select MBEDTLS_MD select MBEDTLS_TLS_VERSION_1_2 if OPENTHREAD_COMMISSIONER || OPENTHREAD_JOINER diff --git a/subsys/net/lib/websocket/Kconfig b/subsys/net/lib/websocket/Kconfig index 20f6ca6b1fe3..c3aa3470f442 100644 --- a/subsys/net/lib/websocket/Kconfig +++ b/subsys/net/lib/websocket/Kconfig @@ -9,7 +9,7 @@ config WEBSOCKET_CLIENT select HTTP_CLIENT select MBEDTLS select BASE64 - select MBEDTLS_MAC_SHA1_ENABLED if MBEDTLS_BUILTIN + select MBEDTLS_SHA1 if MBEDTLS_BUILTIN select EXPERIMENTAL help Enable Websocket client library. diff --git a/subsys/storage/flash_map/Kconfig b/subsys/storage/flash_map/Kconfig index 4c2d230e121c..cbe5c1599b32 100644 --- a/subsys/storage/flash_map/Kconfig +++ b/subsys/storage/flash_map/Kconfig @@ -58,7 +58,7 @@ config FLASH_AREA_CHECK_INTEGRITY_MBEDTLS bool "Use MBEDTLS" select MBEDTLS select MBEDTLS_MD - select MBEDTLS_MAC_SHA256_ENABLED + select MBEDTLS_SHA256 select MBEDTLS_ENABLE_HEAP help Use MBEDTLS library to perform the integrity check. diff --git a/tests/benchmarks/mbedtls/prj.conf b/tests/benchmarks/mbedtls/prj.conf index 6339cd45b173..ffc9e160d8e5 100644 --- a/tests/benchmarks/mbedtls/prj.conf +++ b/tests/benchmarks/mbedtls/prj.conf @@ -21,7 +21,8 @@ CONFIG_MBEDTLS_TLS_VERSION_1_2=y CONFIG_MBEDTLS_KEY_EXCHANGE_ALL_ENABLED=y CONFIG_MBEDTLS_CIPHER_ALL_ENABLED=y CONFIG_MBEDTLS_ECP_ALL_ENABLED=y -CONFIG_MBEDTLS_MAC_ALL_ENABLED=y +CONFIG_MBEDTLS_HASH_ALL_ENABLED=y +CONFIG_MBEDTLS_CMAC=y CONFIG_MBEDTLS_GENPRIME_ENABLED=y CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y CONFIG_MBEDTLS_ECDH_C=y diff --git a/tests/net/socket/tls/prj.conf b/tests/net/socket/tls/prj.conf index 94fb56a7142d..514dc114925d 100644 --- a/tests/net/socket/tls/prj.conf +++ b/tests/net/socket/tls/prj.conf @@ -47,4 +47,5 @@ CONFIG_ZTEST_STACK_SIZE=3072 CONFIG_MBEDTLS_ENABLE_HEAP=y CONFIG_MBEDTLS_HEAP_SIZE=18000 CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y -CONFIG_MBEDTLS_MAC_ALL_ENABLED=y +CONFIG_MBEDTLS_HASH_ALL_ENABLED=y +CONFIG_MBEDTLS_CMAC=y diff --git a/tests/subsys/mgmt/mcumgr/all_options/prj.conf b/tests/subsys/mgmt/mcumgr/all_options/prj.conf index ed584f347629..ba15113a9239 100644 --- a/tests/subsys/mgmt/mcumgr/all_options/prj.conf +++ b/tests/subsys/mgmt/mcumgr/all_options/prj.conf @@ -5,7 +5,7 @@ # CONFIG_ZTEST=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y +CONFIG_MBEDTLS_SHA256=y CONFIG_FILE_SYSTEM=y CONFIG_BASE64=y CONFIG_NET_BUF=y diff --git a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf index 53b017ba80a9..eff5b71007f8 100644 --- a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf +++ b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/all.conf @@ -6,4 +6,4 @@ CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=y CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y +CONFIG_MBEDTLS_SHA256=y diff --git a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf index bf9bb9763c24..5f85dda37085 100644 --- a/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf +++ b/tests/subsys/mgmt/mcumgr/fs_mgmt_hash_supported/configuration/sha256.conf @@ -6,4 +6,4 @@ CONFIG_MCUMGR_GRP_FS_CHECKSUM_IEEE_CRC32=n CONFIG_MCUMGR_GRP_FS_HASH_SHA256=y CONFIG_MBEDTLS=y -CONFIG_MBEDTLS_MAC_SHA256_ENABLED=y +CONFIG_MBEDTLS_SHA256=y