Improve and optimize support for mbedTLS v4

Components/Network/Interface/TLS_mbed.c

@@ -33,6 +33,9 @@
 #if defined(MBEDTLS_SSL_CACHE_C)
   #include "mbedtls/ssl_cache.h"
 #endif
+#if defined(MBEDTLS_SSL_TICKET_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+  #include "mbedtls/ssl_ticket.h"
+#endif
 #if defined(MBEDTLS_DEBUG_C)
   #include <stdio.h>
 #endif
@@ -67,6 +70,10 @@ static mbedtls_pk_context pkey_srv;
 #if defined(MBEDTLS_SSL_CACHE_C)
 static mbedtls_ssl_cache_context cache;
 #endif
+#if defined(MBEDTLS_SSL_TICKET_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+static mbedtls_ssl_ticket_context ticket;
+static uint32_t last_ostick;
+#endif
 #endif
 #ifdef __TLS_CLIENT
 static mbedtls_ssl_config conf_cli;
@@ -372,6 +379,9 @@ static int32_t tls_init (void) {
 #if defined(MBEDTLS_SSL_CACHE_C)
   mbedtls_ssl_cache_init (&cache);
 #endif
+#if defined(MBEDTLS_SSL_TICKET_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+  mbedtls_ssl_ticket_init (&ticket);
+#endif
 #endif
 #ifdef __TLS_CLIENT
   mbedtls_ssl_config_init (&conf_cli);
@@ -380,7 +390,7 @@ static int32_t tls_init (void) {
 #endif
 #endif
 
-#if (MBEDTLS_VERSION_MAJOR == 4) 
+#if (MBEDTLS_VERSION_MAJOR == 4)
   ret = psa_crypto_init();
   if (ret != PSA_SUCCESS) {
     /* PSA Crypto initialization failed */
@@ -431,28 +441,26 @@ static int32_t tls_init (void) {
 
   buf = netTLS_GetServerKey (&buf_len);
   if (buf == NULL) {
-#if (MBEDTLS_VERSION_MAJOR == 3)
+  #if (MBEDTLS_VERSION_MAJOR == 3)
     ret = mbedtls_pk_parse_key (&pkey_srv,  NetSecurity_ServerKey,
                                             NetSecurity_ServerKey_Len,
                                             NULL, 0,
                                             mbedtls_ctr_drbg_random, &ctr_drbg);
-#endif
-#if (MBEDTLS_VERSION_MAJOR == 4) 
+  #elif (MBEDTLS_VERSION_MAJOR == 4)
     ret = mbedtls_pk_parse_key (&pkey_srv,  NetSecurity_ServerKey,
                                             NetSecurity_ServerKey_Len,
                                             NULL, 0);
-#endif
+  #endif
   }
   else {
-#if (MBEDTLS_VERSION_MAJOR == 3) 
+  #if (MBEDTLS_VERSION_MAJOR == 3)
     ret = mbedtls_pk_parse_key (&pkey_srv,  buf, buf_len,
                                             NULL, 0,
                                             mbedtls_ctr_drbg_random, &ctr_drbg);
-#endif
-#if (MBEDTLS_VERSION_MAJOR == 4) 
+  #elif (MBEDTLS_VERSION_MAJOR == 4)
     ret = mbedtls_pk_parse_key (&pkey_srv,  buf, buf_len,
                                             NULL, 0);
-#endif
+  #endif
     netTLS_ReleaseMemory (buf);
   }
   if (ret != 0) {
@@ -516,9 +524,23 @@ static int32_t tls_init (void) {
   mbedtls_ssl_conf_rng (&conf_srv, mbedtls_ctr_drbg_random, &ctr_drbg);
 #endif
 #if defined(MBEDTLS_SSL_CACHE_C)
+  mbedtls_ssl_cache_set_max_entries (&cache, 5);
   mbedtls_ssl_conf_session_cache (&conf_srv, &cache,
                                   mbedtls_ssl_cache_get,
                                   mbedtls_ssl_cache_set);
+#endif
+#if defined(MBEDTLS_SSL_TICKET_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+#if (MBEDTLS_VERSION_MAJOR == 3)
+  mbedtls_ssl_ticket_setup (&ticket, mbedtls_ctr_drbg_random, &ctr_drbg,
+                                     MBEDTLS_CIPHER_AES_256_GCM, 3600);
+#elif (MBEDTLS_VERSION_MAJOR == 4)
+  mbedtls_ssl_ticket_setup (&ticket, PSA_ALG_GCM, PSA_KEY_TYPE_AES, 256, 3600);
+#endif
+  mbedtls_ssl_conf_session_tickets_cb (&conf_srv,
+                                       mbedtls_ssl_ticket_write,
+                                       mbedtls_ssl_ticket_parse,
+                                       &ticket);
+  last_ostick = osKernelGetTickCount();
 #endif
   mbedtls_ssl_conf_ca_chain (&conf_srv, srvcert.next, NULL);
   ret = mbedtls_ssl_conf_own_cert (&conf_srv, &srvcert, &pkey_srv);
@@ -532,6 +554,9 @@ static int32_t tls_init (void) {
 #if (MBEDTLS_VERSION_MAJOR == 3)
   mbedtls_ssl_conf_rng (&conf_cli, mbedtls_ctr_drbg_random, &ctr_drbg);
 #endif
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
+  mbedtls_ssl_conf_max_frag_len(&conf_cli, MBEDTLS_SSL_MAX_FRAG_LEN_4096);
+#endif
 #ifdef __TLS_CLIENT_CA
   mbedtls_ssl_conf_ca_chain (&conf_cli, &cacert, NULL);
 #endif
@@ -568,11 +593,14 @@ static void tls_uninit (void) {
 #if defined(MBEDTLS_SSL_CACHE_C)
   mbedtls_ssl_cache_free (&cache);
 #endif
+#if defined(MBEDTLS_SSL_TICKET_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+  mbedtls_ssl_ticket_free (&ticket);
+#endif
 #endif
 
   /* Uninit central random generator */
-  mbedtls_ctr_drbg_free( &ctr_drbg );
-  mbedtls_entropy_free( &entropy );
+  mbedtls_ctr_drbg_free (&ctr_drbg);
+  mbedtls_entropy_free (&entropy);
 }
 
 /**
@@ -612,6 +640,21 @@ static void tls_run (void) {
         }
         mbedtls_ssl_set_bio (tls_s->ssl, tls_s, (mbedtls_ssl_send_t *)bio_send,
                                                 (mbedtls_ssl_recv_t *)bio_recv, NULL);
+      #if defined(MBEDTLS_SSL_TICKET_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
+        /* Rotate ticket keys after timeout of 1 hour */
+        uint32_t ostick = osKernelGetTickCount();
+        if ((ostick - last_ostick) > 3600000) {
+          last_ostick = ostick;
+          mbedtls_ssl_ticket_free (&ticket);
+          mbedtls_ssl_ticket_init (&ticket);
+        #if (MBEDTLS_VERSION_MAJOR == 3)
+          mbedtls_ssl_ticket_setup (&ticket, mbedtls_ctr_drbg_random, &ctr_drbg,
+                                             MBEDTLS_CIPHER_AES_256_GCM, 3600);
+        #elif (MBEDTLS_VERSION_MAJOR == 4)
+          mbedtls_ssl_ticket_setup (&ticket, PSA_ALG_GCM, PSA_KEY_TYPE_AES, 256, 3600);
+        #endif
+        }
+      #endif
         tls_s->State = TLS_STATE_HANDSHAKE;
         ctrl.busy    = true;
         break;

Components/Network/Interface/TLS_mbed.h

@@ -1,6 +1,6 @@
 /*------------------------------------------------------------------------------
  * MDK Middleware - Component ::Network
- * Copyright (c) 2004-2024 Arm Limited (or its affiliates). All rights reserved.
+ * Copyright (c) 2004-2026 Arm Limited (or its affiliates). All rights reserved.
  *------------------------------------------------------------------------------
  * Name:    TLS_mbed.h
  * Purpose: TLS Interface definitions
@@ -46,11 +46,11 @@
   #error "mbedTLS_config: MBEDTLS_SSL_TLS_C not defined"
 #endif
 
-#if !defined(MBEDTLS_RSA_C)
+#if !defined(MBEDTLS_RSA_C) && (MBEDTLS_VERSION_MAJOR == 3)
   #error "mbedTLS_config: MBEDTLS_RSA_C not defined"
 #endif
 
-#if !defined(MBEDTLS_BIGNUM_C)
+#if !defined(MBEDTLS_BIGNUM_C) && (MBEDTLS_VERSION_MAJOR == 3)
   #error "mbedTLS_config: MBEDTLS_BIGNUM_C not defined"
 #endif
 
@@ -62,7 +62,7 @@
   #error "mbedTLS_config: MBEDTLS_X509_CRT_PARSE_C not defined"
 #endif
 
-#if !defined(MBEDTLS_ENTROPY_C)
+#if !defined(MBEDTLS_ENTROPY_C) && (MBEDTLS_VERSION_MAJOR == 3)
   #error "mbedTLS_config: MBEDTLS_ENTROPY_C not defined"
 #endif
 

Examples/Network/HTTPS_Server/app_crypto_config.h

@@ -1,126 +1,50 @@
 /**
- * PSA crypto configuration template for HTTPS
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ * PSA crypto configuration for HTTPS server
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
 #define TF_PSA_CRYPTO_CONFIG_VERSION 0x01000000
 
-/* Cryptographic mechanism selection (PSA API) */ 
-#define PSA_WANT_ALG_CBC_NO_PADDING             1
-#define PSA_WANT_ALG_CBC_PKCS7                  1
-#define PSA_WANT_ALG_CCM                        1
-#define PSA_WANT_ALG_CCM_STAR_NO_TAG            1
-#define PSA_WANT_ALG_CMAC                       1
-#define PSA_WANT_ALG_CFB                        1
-#define PSA_WANT_ALG_CHACHA20_POLY1305          1
-#define PSA_WANT_ALG_CTR                        1
-#define PSA_WANT_ALG_DETERMINISTIC_ECDSA        1
-#define PSA_WANT_ALG_ECB_NO_PADDING             1
+/* Cryptographic mechanism selection (PSA API) */
 #define PSA_WANT_ALG_ECDH                       1
-#define PSA_WANT_ALG_FFDH                       1
 #define PSA_WANT_ALG_ECDSA                      1
-#define PSA_WANT_ALG_JPAKE                      1
 #define PSA_WANT_ALG_GCM                        1
-#define PSA_WANT_ALG_HKDF                       1
-#define PSA_WANT_ALG_HKDF_EXTRACT               1
-#define PSA_WANT_ALG_HKDF_EXPAND                1
-#define PSA_WANT_ALG_HMAC                       1
-#define PSA_WANT_ALG_MD5                        1
-#define PSA_WANT_ALG_OFB                        1
-#define PSA_WANT_ALG_PBKDF2_HMAC                1
-#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128    1
-#define PSA_WANT_ALG_RIPEMD160                  1
 #define PSA_WANT_ALG_RSA_OAEP                   1
 #define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT         1
 #define PSA_WANT_ALG_RSA_PKCS1V15_SIGN          1
 #define PSA_WANT_ALG_RSA_PSS                    1
-#define PSA_WANT_ALG_SHA_1                      1
-#define PSA_WANT_ALG_SHA_224                    1
 #define PSA_WANT_ALG_SHA_256                    1
-#define PSA_WANT_ALG_SHA_384                    1
-#define PSA_WANT_ALG_SHA_512                    1
-#define PSA_WANT_ALG_SHA3_224                   1
-#define PSA_WANT_ALG_SHA3_256                   1
-#define PSA_WANT_ALG_SHA3_384                   1
-#define PSA_WANT_ALG_SHA3_512                   1
-#define PSA_WANT_ALG_STREAM_CIPHER              1
 #define PSA_WANT_ALG_TLS12_PRF                  1
-#define PSA_WANT_ALG_TLS12_PSK_TO_MS            1
-#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS       1
-
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_256         1
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_384         1
-#define PSA_WANT_ECC_BRAINPOOL_P_R1_512         1
-#define PSA_WANT_ECC_MONTGOMERY_255             1
-#define PSA_WANT_ECC_MONTGOMERY_448             1
-#define PSA_WANT_ECC_SECP_K1_256                1
-
 #define PSA_WANT_ECC_SECP_R1_256                1
-#define PSA_WANT_ECC_SECP_R1_384                1
-#define PSA_WANT_ECC_SECP_R1_521                1
-
-#define PSA_WANT_DH_RFC7919_2048                1
-#define PSA_WANT_DH_RFC7919_3072                1
-#define PSA_WANT_DH_RFC7919_4096                1
-#define PSA_WANT_DH_RFC7919_6144                1
-#define PSA_WANT_DH_RFC7919_8192                1
-
 #define PSA_WANT_KEY_TYPE_DERIVE                1
-#define PSA_WANT_KEY_TYPE_PASSWORD              1
-#define PSA_WANT_KEY_TYPE_PASSWORD_HASH         1
 #define PSA_WANT_KEY_TYPE_HMAC                  1
 #define PSA_WANT_KEY_TYPE_AES                   1
-#define PSA_WANT_KEY_TYPE_ARIA                  1
-#define PSA_WANT_KEY_TYPE_CAMELLIA              1
-#define PSA_WANT_KEY_TYPE_CHACHA20              1
 #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY        1
-#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY         1
-#define PSA_WANT_KEY_TYPE_RAW_DATA              1
 #define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY        1
-
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC    1
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT   1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT   1
 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
-#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE   1
-
 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC    1
 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT   1
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT   1
-#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
-
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC     1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT    1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT    1
-#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE  1
 
 /* Platform abstraction layer */
 #define MBEDTLS_PLATFORM_C
 
-/* General and test configuration options */
-#define MBEDTLS_SELF_TEST
-
 /* Cryptographic mechanism selection (extended API) */
 #define MBEDTLS_MD_C
 #define MBEDTLS_PK_C
-#define MBEDTLS_PKCS5_C
 #define MBEDTLS_PK_PARSE_C
 #define MBEDTLS_PK_PARSE_EC_EXTENDED
-#define MBEDTLS_PK_WRITE_C
 
 /* Data format support */
 #define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_BASE64_C
 #define MBEDTLS_PEM_PARSE_C
-#define MBEDTLS_PEM_WRITE_C
 
 /* PSA core */
 #define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_HMAC_DRBG_C
 #define MBEDTLS_PSA_CRYPTO_C
 #define MBEDTLS_PSA_DRIVER_GET_ENTROPY
 

Examples/Network/HTTPS_Server/app_mbedtls_config.h

@@ -1,33 +1,25 @@
 /**
- * Configuration template for HTTPS
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
+ * Configuration for HTTPS server
+ *
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
 #define MBEDTLS_CONFIG_VERSION 0x04000000
 
 /* General configuration options */
 #define MBEDTLS_ERROR_C
 #define MBEDTLS_ERROR_STRERROR_DUMMY
-#define MBEDTLS_VERSION_C
-#define MBEDTLS_VERSION_FEATURES
 
 /* TLS feature selection */
 //#define MBEDTLS_DEBUG_C
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
-#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
 #define MBEDTLS_SSL_ALL_ALERT_MESSAGES
-#define MBEDTLS_SSL_ALPN
 #define MBEDTLS_SSL_CACHE_C
-#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
 #define MBEDTLS_SSL_EXTENDED_MASTER_SECRET
 #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
 #define MBEDTLS_SSL_PROTO_TLS1_2
-#define MBEDTLS_SSL_SERVER_NAME_INDICATION
 #define MBEDTLS_SSL_SESSION_TICKETS
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TICKET_C
@@ -36,12 +28,6 @@
 #define MBEDTLS_SSL_OUT_CONTENT_LEN           4096
 
 /* X.509 feature selection */
-#define MBEDTLS_PKCS7_C
-#define MBEDTLS_X509_CREATE_C
-#define MBEDTLS_X509_CRL_PARSE_C
 #define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_X509_CRT_WRITE_C
-#define MBEDTLS_X509_CSR_PARSE_C
-#define MBEDTLS_X509_CSR_WRITE_C
 #define MBEDTLS_X509_RSASSA_PSS_SUPPORT
 #define MBEDTLS_X509_USE_C