- GCM operation in mbedtls used ECB, which calculated only 16 bytes of data each time.
- Therefore, when processing a large amount of data, it is necessary to frequently set hardware acceleration calculations,
- which could not make good use of the AES DMA function to improve efficiency.
- Hence, GCM implementation is replaced with CTR-based calculation which utilizes AES DMA to improve efficiency.
All the partition handling API functions and data-types were moved from the 'spi_flash' component to the new one named 'esp_partition'. See Storage 5.x migration guide for more details
This fix adds a workaround to disable compiler optimization flag "-ftree-loop-distribute-patterns"
for `mpi_to_mem_block` routine. It was observed that compiler with release configuration was falling
back to `memset` call from ROM library causing an issue in correctly zero initializing MPI peripheral
block.
Please see following linked issue for more discussion and context on this issue.
Closes https://github.com/espressif/esp-idf/issues/8710
Closes https://github.com/espressif/esp-idf/issues/9371
Closes https://github.com/espressif/esp-idf/issues/9256
Closes IDFGH-7102
Closes IDFGH-7842
Closes IDFGH-7714
Closes IDFCI-1452
Closes IDF-6029
Before `test_apps` migration, we had an independent release config,
but we can safely enable it in the default configuration for ESP32
target itself. This helps to catch any potential issues that may
occur in relevant tests because of compiler optimization flags.
- While checking if ciphersuite uses RSA key exchange methods,
the APIs `mbedtls_ssl_get_ciphersuite_id_from_ssl` and
`mbedtls_ssl_ciphersuite_from_id` were used to get the ciphersuite
info.
- However, this is incorrect as we need the ciphersuite info from the
handshake instance and not the ssl_session instance.
ESP32-C2 has a single group timer, thus it will use it for the interrupt watchdog,
which is more critical than the task watchdog. The latter is implement in
software thanks to the `esp_timer`component.
This function removes the following legacy atomic CAS functions:
From compare_set.h (file removed):
- compare_and_set_native()
- compare_and_set_extram()
From portmacro.h
- uxPortCompareSet()
- uxPortCompareSetExtram()
Users should call esp_cpu_compare_and_set() instead as this function hides the details
of atomic CAS on internal and external RAM addresses.
Due to the removal of compare_set.h, some missing header includes are also fixed in this commit.
After refactoring the target components (e.g. esp32) no longer contained any real functionality.
What remained in these components have been moved elsewhere and the component itself deleted from the
build system.
This commit does the following:
- Update existing unit tests that use the TWDT to call the new
esp_task_wdt_init() API
- Add a set of dedicate TWDT unit tests
- Updates the TWDT example
lwip was added to common requirements list to provide "sys/socket.h"
header to all components without additional requirements specified.
However, lwip pulls in a lot of dependencies on other components.
This commit removes lwip from common requirements to reduce the number
of components in G1-only apps.
To compensate for this removal, the following changes are made:
- newlib (which is a common requirement) has a public dependency on
lwip if lwip is present in the build. This ensures that sys/socket.h
is available as long as lwip component is included into the build.
- lwip is now a public requirement of esp-tls since esp_tls.h includes
sys/socket.h header.
- lwip is now a public requirement o esp_http_client because
sys/socket.h is included from esp_http_client.h
- lwip is now a private requirement of esp_wifi for "smartconfig_ack"
- lwip is now a private requirement of mqtt for socket functions
- lwip is now a public requirement of tcp_transport because
esp_transport_tcp.h includes sys/socket.h header.
- mbedtls checks if lwip component is present in the build. If yes,
net_sockets.c is added to the build, along with the dependency on
lwip. Previously lwip was a public requirement of mbedtls
unconditionally.
system/g1_components test app is updated to reflect the changes
Default public dependencies of a component before and after this
change, except common requirements:
- esp_timer (public dependency of freertos)
- bootloader_support (public dependency of esp_hw_support)
- vfs (public dependency of lwip)
- esp_wifi (public dependency of lwip)
- esp_event (public dependency of esp_wifi)
- esp_netif (public dependency of esp_event)
- esp_eth (public dependency of esp_netif)
- esp_phy (public dependency of esp_wifi)
After:
- esp_timer (public dependency of freertos)
- bootloader_support (public dependency of esp_hw_support)
Altogether, the following components have been always added as
public requirements to all other components, and are not added now
([breaking-change]):
- lwip
- vfs
- esp_wifi
- esp_event
- esp_netif
- esp_eth
- esp_phy
Application components now need to explicitly declare dependencies on
these components.
Some components were including esp_timer.h without declaring a
dependency on esp_timer component. This used to work due to a
transitive public dependency on esp_timer from freertos component.
Add explicit dependencies where needed.
Also some source files were using esp_timer functions without
including the header file. This used to work because esp_timer.h was
included from freertos port header file. This commit adds esp_timer.h
includes where needed.
The "mbedtls_rsa_private" has made f_rng function mandatory for the
operation.
Also updated the MAX_PERFORMANCE values with offset added with blinding
Added the SOC_CCOMP_TIMER_SUPPORTED Check
Purpose:
This will allow for easily automating periodic updates to
"cacrt_all.pem" file.
Note:
For now newly created "cacrt_local.pem" contains single "DST Root CA X3"
which we are keeping to manage compatibility with endpoints like
"howsmyssl.com". Please note this Root CA is expired and is not part of
Mozilla’s NSS root certificate store.
- Resulted in a crash in the handshake stage when
used alongside TLS 1.3 (MBEDTLS_SSL_PROTO_TLS1_3)
- Fix build error when MBEDTLS_HARDWARE_SHA=n &&
MBEDTLS_DYNAMIC_BUFFER=y
- Fix build error when TLS 1.3 is enabled with
MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=n
This commit updates the visibility of various header files and cleans up
some unnecessary inclusions. Also, this commit removes certain header
include paths which were maintained for backward compatibility.
When GEN_FILES is enabled, Perl interpreter should be available. There
is a check in mbedTLS that disables GEN_FILES on Windows (where Perl
is not available by default) but it is broken for recent CMake
versions.
Also set Python interpreter to the one IDF uses, just to avoid calling
into some other Python version which CMake might manage to find.
- Kconfig: Enabled MBEDTLS_HKDF_C by default when TLS 1.3 support is enabled
- esp-tls (mbedtls): Forced client to use TLS 1.3 when TLS 1.3 support is enabled
*MBEDTLS_ECDH_LEGACY_CONTEXT is now disabled by default.
*Fixed MBEDTLS_ECDH_LEGACY_CONTEXT issue for protocomm component.
*Removed all code under MBEDTLS_DEPRECATED_REMOVED
1) Fix build issue in mbedtls
2) skip the public headers check in IDF
3)Update Kconfig Macros
4)Remove deprecated config options
5) Update the sha API according to new nomenclature
6) Update mbedtls_rsa_init usage
7) Include mbedtls/build_info.h instead of mbedtls/config.h
8) Dont include check_config.h
9) Add additional error message in esp_blufi_api.h
This commit removes the usage of all legacy FreeRTOS data types that
are exposed via configENABLE_BACKWARD_COMPATIBILITY. Legacy types can
still be used by enabling CONFIG_FREERTOS_ENABLE_BACKWARD_COMPATIBILITY.
- Removed code regarding MBEDTLS_DYNAMIC_FREE_PEER_CERT
(config was kept for backward compatibility)
- Combined mbedTLS v2.28.x related options under a separate Kconfig menu
The following files were deleted:
- components/esp_hw_support/include/soc/cpu.h
- components/soc/esp32s3/include/soc/cpu.h
The following functions are deprecated:
- get_sp()
The following functions declared in soc/cpu.h are now moved to esp_cpu.h:
- esp_cpu_configure_region_protection()
The following functions declared in soc/cpu.h are now moved to components/xtensa/include/esp_cpu_utils.h:
- esp_cpu_process_stack_pc()
All files with soc/cpu.h inclusion are updated to include esp_cpu.h instead.
Signed-off-by: Sudeep Mohanty <sudeep.mohanty@espressif.com>
In commit de22f3a4e5, combination of
hardware and software MPI (bignum) related approach was used to
work around chip (e.g. ESP32-C3) limitation of max 3072 bits support.
This was done using linker "--wrap" flag but since the relevant API is
being used in same translation (compilation unit), hardware mode was not
getting used in some cases (e.g., RSA key generation).
This commit modified internal mbedTLS API and makes software+hardware
combination deterministic.
peripheral enable/disable usually should be managed by driver itself,
so make it as espressif private APIs, not recommended for user to use it
in application code.
However, if user want to re-write the driver or ports to other platform,
this is still possible by including the header in this way:
"esp_private/peripheral_ctrl.h"
Using these ciphers can constitute a security risk if the server
uses a weak prime for the key exchange.
Footprint impact:
Roughly 3K saved in text+rodata in default https_request example
Driver was using the channel ID from tx when reseting rx.
But since rx and tx is not necessarily from the same pair this could lead
to the driver reseting the wrong DMA channel.
Updates the following with changes from verification branches:
* esp_rom linker files
* rtc_cntl and system reg and struct headers
Also updates:
* GDMA driver with new register layout
* esptool submodule commit
Building mbedtls with CMake would warn that:
"A private source from a directory other than that of target "mbedcrypto
has a relative path"
This happened due to some of the CMake variables listing sources could be empty.
Changed to only use target_sources in the code-path where we set the sources,
so we only call target_sources will non-empty variables.
Closes https://github.com/espressif/esp-idf/issues/6767
This commit add following crypto changes
1. Update current crypto code with upstream supplicant code
2. Add a proper porting layer to use mbedtls APIs for all the crypto
operations used by supplicant.
Internal crypto will be used when USE_MBEDLTS flag is disabled
in supplicant's menuconfig.
This commit also removes the clutter in crypto files due to partial
porting of some APIs to mbedtls, all the code from those files have
been removed and rewritten in a generic way, this is inspired from
current upstream code.
This also reduces the lib size significantly, supplicant's lib
size reduces around ~567kb after this change(NB: lib size doesn't
indicate reduction in final bin size).
Removed the old dynamically allocated GDMA channel approach.
It proved too unreliable as we couldn't not ensure consumers of the mbedtls
would properly free the channels after use.
Replaced by a single shared GDMA channel for AES and SHA, which won't be
released unless user specifically calls API for releasing it.
MbedTLS: Add software fallback for Modular Exponentiation for larger bignum operations
Closes WIFI-3257 and IDFGH-132
See merge request espressif/esp-idf!11928
Add configuration option to fallback to software implementation
for exponential mod incase of hardware is not supporting it
for larger MPI value.
Usecase:
ESP32C3 only supports till RSA3072 in hardware. This config option
will help to support 4k certificates for WPA enterprise connection.
There is no ccomp timer on C3, which means our performance tests will start
failing again due to variance caused by cache misses.
This MR adds TEST_PERFORMANCE_CCOMP_ macro that will only fail
performance test if CCOMP timer is supported on the target