Cert bundle is periodically updated with the upstream Mozilla's NSS
root cert store. Retracted certs are moved to deprecated list now and
an additional config allows to include them in the default bundle. New
config is kept default disabled but can be enabled if one would like
to ensure 100% compatibility w.r.t. cert bundle across IDF minor or
patch releases. In IDF major release the deprecated list shall be reset.
ADDITIONAL_MAKE_CLEAN_FILES is deprecated and only worked with make.
Replaced with the new ADDITIONAL_CLEAN_FILES (CMake 3.15) which also works with ninja.
- While updating to mbedtls release/v3.4.0, building mbedtls/library/psa_crypto.c,
clang produced an unreachable-code warning, so added `-Wno-unreachable-code` compile option for clang.
- In `mbedtls/v3.4.0`, the ECDSA restartable sign and verify functions (`ecdsa.c`) were made public.
- But the `mbedtls_ecdsa_sign_det_restartable` function prototype was declared in the file `ecdsa.h`,
only when `MBEDTLS_ECDSA_SIGN_ALT` was not defined.
- added a patch in mbedtls library to fix it.
- GCM operation in mbedtls used ECB, which calculated only 16 bytes of data each time.
- Therefore, when processing a large amount of data, it is necessary to frequently set hardware acceleration calculations,
- which could not make good use of the AES DMA function to improve efficiency.
- Hence, GCM implementation is replaced with CTR-based calculation which utilizes AES DMA to improve efficiency.
After refactoring the target components (e.g. esp32) no longer contained any real functionality.
What remained in these components have been moved elsewhere and the component itself deleted from the
build system.
lwip was added to common requirements list to provide "sys/socket.h"
header to all components without additional requirements specified.
However, lwip pulls in a lot of dependencies on other components.
This commit removes lwip from common requirements to reduce the number
of components in G1-only apps.
To compensate for this removal, the following changes are made:
- newlib (which is a common requirement) has a public dependency on
lwip if lwip is present in the build. This ensures that sys/socket.h
is available as long as lwip component is included into the build.
- lwip is now a public requirement of esp-tls since esp_tls.h includes
sys/socket.h header.
- lwip is now a public requirement o esp_http_client because
sys/socket.h is included from esp_http_client.h
- lwip is now a private requirement of esp_wifi for "smartconfig_ack"
- lwip is now a private requirement of mqtt for socket functions
- lwip is now a public requirement of tcp_transport because
esp_transport_tcp.h includes sys/socket.h header.
- mbedtls checks if lwip component is present in the build. If yes,
net_sockets.c is added to the build, along with the dependency on
lwip. Previously lwip was a public requirement of mbedtls
unconditionally.
system/g1_components test app is updated to reflect the changes
Default public dependencies of a component before and after this
change, except common requirements:
- esp_timer (public dependency of freertos)
- bootloader_support (public dependency of esp_hw_support)
- vfs (public dependency of lwip)
- esp_wifi (public dependency of lwip)
- esp_event (public dependency of esp_wifi)
- esp_netif (public dependency of esp_event)
- esp_eth (public dependency of esp_netif)
- esp_phy (public dependency of esp_wifi)
After:
- esp_timer (public dependency of freertos)
- bootloader_support (public dependency of esp_hw_support)
Altogether, the following components have been always added as
public requirements to all other components, and are not added now
([breaking-change]):
- lwip
- vfs
- esp_wifi
- esp_event
- esp_netif
- esp_eth
- esp_phy
Application components now need to explicitly declare dependencies on
these components.
Purpose:
This will allow for easily automating periodic updates to
"cacrt_all.pem" file.
Note:
For now newly created "cacrt_local.pem" contains single "DST Root CA X3"
which we are keeping to manage compatibility with endpoints like
"howsmyssl.com". Please note this Root CA is expired and is not part of
Mozilla’s NSS root certificate store.
When GEN_FILES is enabled, Perl interpreter should be available. There
is a check in mbedTLS that disables GEN_FILES on Windows (where Perl
is not available by default) but it is broken for recent CMake
versions.
Also set Python interpreter to the one IDF uses, just to avoid calling
into some other Python version which CMake might manage to find.
In commit de22f3a4e5, combination of
hardware and software MPI (bignum) related approach was used to
work around chip (e.g. ESP32-C3) limitation of max 3072 bits support.
This was done using linker "--wrap" flag but since the relevant API is
being used in same translation (compilation unit), hardware mode was not
getting used in some cases (e.g., RSA key generation).
This commit modified internal mbedTLS API and makes software+hardware
combination deterministic.
Building mbedtls with CMake would warn that:
"A private source from a directory other than that of target "mbedcrypto
has a relative path"
This happened due to some of the CMake variables listing sources could be empty.
Changed to only use target_sources in the code-path where we set the sources,
so we only call target_sources will non-empty variables.
Closes https://github.com/espressif/esp-idf/issues/6767
Removed the old dynamically allocated GDMA channel approach.
It proved too unreliable as we couldn't not ensure consumers of the mbedtls
would properly free the channels after use.
Replaced by a single shared GDMA channel for AES and SHA, which won't be
released unless user specifically calls API for releasing it.
MbedTLS: Add software fallback for Modular Exponentiation for larger bignum operations
Closes WIFI-3257 and IDFGH-132
See merge request espressif/esp-idf!11928
Add configuration option to fallback to software implementation
for exponential mod incase of hardware is not supporting it
for larger MPI value.
Usecase:
ESP32C3 only supports till RSA3072 in hardware. This config option
will help to support 4k certificates for WPA enterprise connection.
* Replaced crypotoauthlib with esp-cryptoauthlib
* Added menuconfig option for esp-tls about using HSM
* Added error codes for HSM in esp-tls,
* Added support to select different type of ATECC608A chips
* Added README, updated docs
* tcp_transport: Added option to enable secure_element for ssl
Closes https://github.com/espressif/esp-idf/issues/4432
When compiling esp_crt_bundle.c, it would end up with a different struct layout due
to configuration options from "mbedtls/esp_config.h" not being considered.
This lead to ca_chain potentially not being set correctly.