
Commit f081631

frkvmbolivar-nordic
authored and committed
[nrf noup] mbedtls: Disable configurations in Kconfig.tls-generic
This commit prevents legacy mbed TLS configurations from conflicting with PSA configurations when nrf_security is used. - Removes use of unsupported TLS protocols (TLS 1.0, 1.1). - Required configurations are duplicated inside the nrf_security Kconfig. - Ensures that mbedtls_platform_zeroize is not duplicated when CONFIG_NRF_CC3XX_PLATFORM is set. ref: NCSDK-13503 Signed-off-by: Frank Audun Kvamtrø <[email protected]>
1 parent 7536362 commit f081631


2 files changed

+39
-0
lines changed


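--- a/modules/mbedtls/Kconfig.tls-generic
+++ b/modules/mbedtls/Kconfig.tls-generic
@@ -9,6 +9,8 @@ menu "TLS configuration"
 
 menu "Supported TLS version"
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_TLS_VERSION_1_0
 bool "Enable support for TLS 1.0"
 select MBEDTLS_CIPHER
@@ -33,6 +35,8 @@ config MBEDTLS_DTLS
 bool "Enable support for DTLS"
 depends on MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
 
+endif
+
 config MBEDTLS_SSL_EXPORT_KEYS
 bool "Enable support for exporting SSL key block and master secret"
 depends on MBEDTLS_TLS_VERSION_1_0 || MBEDTLS_TLS_VERSION_1_1 || MBEDTLS_TLS_VERSION_1_2
@@ -47,6 +51,8 @@ menu "Ciphersuite configuration"
 
 comment "Supported key exchange modes"
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_KEY_EXCHANGE_ALL_ENABLED
 bool "Enable all available ciphersuite modes"
 select MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
@@ -80,13 +86,17 @@ config MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
 MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
 MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 
+endif
+
 config MBEDTLS_PSK_MAX_LEN
 int "Max size of TLS pre-shared keys"
 default 32
 depends on MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED
 help
 Max size of TLS pre-shared keys, in bytes.
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 bool "Enable the RSA-only based ciphersuite modes"
 default y if !NET_L2_OPENTHREAD
@@ -119,8 +129,12 @@ if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \
 MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || \
 MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 
+endif
+
 comment "Supported elliptic curves"
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_ECP_ALL_ENABLED
 bool "Enable all available elliptic curves"
 select MBEDTLS_ECP_DP_SECP192R1_ENABLED
@@ -182,9 +196,12 @@ config MBEDTLS_ECP_NIST_OPTIM
 bool "Enable NSIT curves optimization"
 
 endif
+endif
 
 comment "Supported cipher modes"
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_CIPHER_ALL_ENABLED
 bool "Enable all available ciphers"
 select MBEDTLS_CIPHER_AES_ENABLED
@@ -248,8 +265,12 @@ config MBEDTLS_CHACHAPOLY_AEAD_ENABLED
 bool "Enable the ChaCha20-Poly1305 AEAD algorithm"
 depends on MBEDTLS_CIPHER_CHACHA20_ENABLED || MBEDTLS_MAC_POLY1305_ENABLED
 
+endif
+
 comment "Supported message authentication methods"
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_MAC_ALL_ENABLED
 bool "Enable all available MAC methods"
 select MBEDTLS_MAC_MD4_ENABLED
@@ -293,10 +314,14 @@ config MBEDTLS_MAC_CMAC_ENABLED
 bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block ciphers."
 depends on MBEDTLS_CIPHER_AES_ENABLED || MBEDTLS_CIPHER_DES_ENABLED
 
+endif
+
 endmenu
 
 comment "Random number generators"
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_CTR_DRBG_ENABLED
 bool "Enable the CTR_DRBG AES-256-based random generator"
 depends on MBEDTLS_CIPHER_AES_ENABLED
@@ -306,14 +331,20 @@ config MBEDTLS_HMAC_DRBG_ENABLED
 bool "Enable the HMAC_DRBG random generator"
 select MBEDTLS_MD
 
+endif
+
 comment "Other configurations"
 
 config MBEDTLS_CIPHER
 bool "Enable the generic cipher layer."
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_MD
 bool "Enable the generic message digest layer."
 
+endif
+
 config MBEDTLS_GENPRIME_ENABLED
 bool "Enable the prime-number generation code."
 
@@ -331,10 +362,14 @@ config MBEDTLS_HAVE_ASM
 of asymmetric cryptography, however this might have an impact on the
 code size.
 
+if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)
+
 config MBEDTLS_ENTROPY_ENABLED
 bool "Enable mbedTLS generic entropy pool"
 depends on MBEDTLS_MAC_SHA256_ENABLED || MBEDTLS_MAC_SHA512_ENABLED
 
+endif
+
 config MBEDTLS_OPENTHREAD_OPTIMIZATIONS_ENABLED
 bool "Enable mbedTLS optimizations for OpenThread"
 depends on NET_L2_OPENTHREAD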
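Review bot: In the hunk at `-119,8 +129,12`, the added `endif` (new line 132) does not close the `if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)` opened at new line 98 — a Kconfig `endif` closes the innermost open `if`, which here is the `if MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || ...` block whose header is this hunk's context line and whose original closing `endif` is the one at new line 198 in the `-182,9 +196,12` hunk. The pairs still balance (the `if !(...)` added at 136 is closed by that `endif` at 198, and the new `endif` at 199 closes the one from 98), so Kconfig will not complain, but the key-exchange condition now guards nothing and the "Supported elliptic curves" symbols are gated only by the NRF condition; on builds without nrf_security the curve options become selectable with no ECDHE/ECDH/ECJPAKE key exchange enabled, which the original structure prevented. The fix is to drop the added `endif` and blank at new lines 132–133 and the added `if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)` and blank at 136–137, letting the NRF `if` from line 98 run to the `endif` added at 199, which then correctly sits outside the key-exchange `endif` at 198. A short comment on the remaining `endif` pair, e.g. `# closes "if MBEDTLS_KEY_EXCHANGE_*"` / `# closes "if !(NRF_SECURITY || NORDIC_SECURITY_BACKEND)"`, would keep this from regressing.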

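--- a/modules/mbedtls/configs/config-tls-generic.h
+++ b/modules/mbedtls/configs/config-tls-generic.h
@@ -438,6 +438,10 @@
 #include CONFIG_MBEDTLS_USER_CONFIG_FILE
 #endif
 
+#if defined(CONFIG_NRF_CC3XX_PLATFORM)
+#define MBEDTLS_PLATFORM_ZEROIZE_ALT
+#endif
+
 #include "mbedtls/check_config.h"
 
 #endif /* MBEDTLS_CONFIG_H */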
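Review bot: The new `#define MBEDTLS_PLATFORM_ZEROIZE_ALT` at line 442 carries no comment, and nothing in this header says what it depends on: with that macro set, mbed TLS compiles out its own `mbedtls_platform_zeroize()` and expects the platform to link one in, so a build with `CONFIG_NRF_CC3XX_PLATFORM` set but without the nrf_cc3xx_platform library would fail at link time — presumably nrf_security's Kconfig ties the two together, worth confirming. A comment above the `#if`, such as `/* nrf_cc3xx_platform provides mbedtls_platform_zeroize(); disable the mbed TLS built-in so the symbol is not defined twice. */`, would record that contract where the next maintainer will look. Placing the block after the `CONFIG_MBEDTLS_USER_CONFIG_FILE` include also means a user config cannot opt out of it; if that is intentional, the comment should say so.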
