From 95b0caf2c79d1fca585ac4b74c4907efa857ad3b Mon Sep 17 00:00:00 2001 From: gitlab-runner Date: Fri, 27 Sep 2024 23:51:08 -0500 Subject: [PATCH] Upload mtb-example-wifi-https-client [2752] --- .gitignore | 2 +- Makefile | 15 +- README.md | 24 +- {source => configs}/FreeRTOSConfig.h | 0 configs/mbedtls_user_config.h | 998 +++++++++++++++++++++++++++ scripts/format_cert_key.py | 37 + scripts/generate_ssl_certs.sh | 78 +++ source/secure_http_client.c | 3 +- source/secure_keys.h | 38 +- 9 files changed, 1151 insertions(+), 44 deletions(-) rename {source => configs}/FreeRTOSConfig.h (100%) create mode 100644 configs/mbedtls_user_config.h create mode 100644 scripts/format_cert_key.py create mode 100755 scripts/generate_ssl_certs.sh diff --git a/.gitignore b/.gitignore index 00b3ccb..fd59dad 100644 --- a/.gitignore +++ b/.gitignore @@ -146,4 +146,4 @@ Thumbs.db Thumbs.db:encryptable ehthumbs.db ehthumbs_vista.db -[Dd]esktop.ini \ No newline at end of file +[Dd]esktop.ini diff --git a/Makefile b/Makefile index 7f28770..99ecbe4 100644 --- a/Makefile +++ b/Makefile @@ -47,6 +47,7 @@ TARGET=CY8CPROTO-062S2-43439 # If APPNAME is edited, ensure to update or regenerate launch # configurations for your IDE. APPNAME=mtb-example-wifi-https-client + # Name of toolchain to use. Options include: # # GCC_ARM -- GCC provided with ModusToolbox software @@ -69,7 +70,6 @@ CONFIG=Debug # If set to "true" or "1", display full command-lines when building. VERBOSE= - ################################################################################ # Advanced Configuration ################################################################################ 
@@ -114,11 +114,14 @@ DEFINES=$(MBEDTLSFLAGS) CYBSP_WIFI_CAPABLE CY_RETARGET_IO_CONVERT_LF_TO_CRLF CY_ # If you want this feature on CY8CPROTO-062-4343W, change the GPIO pin for USER BTN # in design/hardware & Comment DEFINES+=CY_WIFI_HOST_WAKE_SW_FORCE=0. DEFINES+=CY_WIFI_HOST_WAKE_SW_FORCE=0 - -#Define the following macro in the application's Makefile to mandatorily disable the custom -#configuration header file. -DEFINES += HTTP_DO_NOT_USE_CUSTOM_CONFIG -DEFINES += MQTT_DO_NOT_USE_CUSTOM_CONFIG + +# Define the following macro in the application's Makefile to mandatorily disable the custom +# configuration header file. +DEFINES+=HTTP_DO_NOT_USE_CUSTOM_CONFIG +DEFINES+=MQTT_DO_NOT_USE_CUSTOM_CONFIG + +#Disabled D-cache for XMC7000 based BSPs +DEFINES+=CY_DISABLE_XMC7000_DATA_CACHE # Select softfp or hardfp floating point. Default is softfp. VFP_SELECT= diff --git a/README.md b/README.md index c61ea9c..ac3b77b 100644 --- a/README.md +++ b/README.md 
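Review bot: The comment on the new `DEFINES+=CY_DISABLE_XMC7000_DATA_CACHE` line records what was done but not why, and the define is appended for every TARGET rather than only for XMC7000 kits. Nothing in this hunk shows which component reads the macro or what fails with the D-cache enabled, so a later maintainer cannot tell when it is safe to remove. I would put the reason and the scope into the comment, using the `# ` spacing this hunk just gave the comment above it, for example `# Disable the D-cache on XMC7000-based BSPs (<reason or issue reference>); presumably ignored by other targets - confirm`.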
@@ -6,12 +6,12 @@ It employs the [HTTPS client](https://github.com/Infineon/http-client) middlewar [View this README on GitHub.](https://github.com/Infineon/mtb-example-wifi-https-client) -[Provide feedback on this code example.](https://cypress.co1.qualtrics.com/jfe/form/SV_1NTns53sK2yiljn?Q_EED=eyJVbmlxdWUgRG9jIElkIjoiQ0UyMzc5NTMiLCJTcGVjIE51bWJlciI6IjAwMi0zNzk1MyIsIkRvYyBUaXRsZSI6IkhUVFBTIGNsaWVudCIsInJpZCI6Im5hbmp1bmd1ZHN1ciIsIkRvYyB2ZXJzaW9uIjoiMS4zLjAiLCJEb2MgTGFuZ3VhZ2UiOiJFbmdsaXNoIiwiRG9jIERpdmlzaW9uIjoiTUNEIiwiRG9jIEJVIjoiSUNXIiwiRG9jIEZhbWlseSI6IlBTT0MifQ==) +[Provide feedback on this code example.](https://cypress.co1.qualtrics.com/jfe/form/SV_1NTns53sK2yiljn?Q_EED=eyJVbmlxdWUgRG9jIElkIjoiQ0UyMzc5NTMiLCJTcGVjIE51bWJlciI6IjAwMi0zNzk1MyIsIkRvYyBUaXRsZSI6IkhUVFBTIGNsaWVudCIsInJpZCI6InNkYWsiLCJEb2MgdmVyc2lvbiI6IjEuNC4wIiwiRG9jIExhbmd1YWdlIjoiRW5nbGlzaCIsIkRvYyBEaXZpc2lvbiI6Ik1DRCIsIkRvYyBCVSI6IklDVyIsIkRvYyBGYW1pbHkiOiJQU09DIn0=) ## Requirements -- [ModusToolbox™](https://www.infineon.com/modustoolbox) v3.1 or later (tested with v3.1) +- [ModusToolbox™](https://www.infineon.com/modustoolbox) v3.2 or later (tested with v3.2) - Board support package (BSP) minimum required version: 4.0.0 - Programming language: C - Associated parts: All [PSoC™ 6 MCU](https://www.infineon.com/cms/en/product/microcontroller/32-bit-psoc-arm-cortex-microcontroller/psoc-6-32-bit-arm-cortex-m4-mcu) parts, [AIROC™ CYW20819 Bluetooth® & Bluetooth® LE SoC](https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-bluetooth-le-bluetooth-multiprotocol/airoc-bluetooth-le-bluetooth/cyw20819), [AIROC™ CYW43012 Wi-Fi & Bluetooth® combo chip](https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-wi-fi-plus-bluetooth-combos/wi-fi-4-802.11n/cyw43012/), [AIROC™ CYW4343W Wi-Fi & Bluetooth® combo chip](https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-wi-fi-plus-bluetooth-combos/wi-fi-4-802.11n/cyw4343w),[AIROC™ CYW43022 Wi-Fi & Bluetooth® combo 
chip](https://www.infineon.com/cms/en/product/wireless-connectivity/airoc-wi-fi-plus-bluetooth-combos/wi-fi-5-802.11ac/cyw43022) @@ -369,6 +369,8 @@ If using a PSoC™ 64 "Secure" MCU kit (like CY8CKIT-064B0S2-4343W), the PSo Successfully send get request to http server The http status code is :: 0 ``` +> **Note:** You may see an empty response for the first GET request. However, the subsequent GET request works correctly. This is a known issue and will be resolved in the future version of the code example. + ## Debugging @@ -431,6 +433,7 @@ Run the following script to generate the self-signed SSL certificate and private Before invoking the following command, modify the `OPENSSL_SUBJECT_INFO` macro in the *generate_ssl_certs.sh* file to match your local domain configuration such as *Country*, *State*, *Locality*, *Organization*, *Organization Unit name*, and *Common Name*. This macro is used by the *openssl* commands when generating the certificate. ``` +cd scripts ./generate_ssl_certs.sh ``` 
@@ -450,8 +453,20 @@ File | Description Configure the HTTPS client to take *mysecurehttpclient.crt* as the certificate, *mysecurehttpclient.key* as the private key, and *rootCA.crt* as the rootCA certificate. -You can either convert the values to strings manually following the format shown in *source/secure_keys.h* or use the HTML utility available [here](https://github.com/Infineon/amazon-freertos/blob/master/tools/certificate_configuration/PEMfileToCString.html) to convert the certificates and keys from PEM format to C string format. Clone the repository from GitHub to use the utility. +You can either convert the values to strings manually following the format shown in *source/secure_keys.h* or run the _format_cert_key.py_ Python script to generate the string format of the certificate file. Pass the name of the certificate with the extension as an argument to the Python script: + +> **Note:** For Linux and macOS platforms, use `python3` instead of `python` in the following command. + + ``` + python format_cert_key.py + ``` + + Example: + ``` + python format_cert_key.py root_ca.crt + ``` +Currently this code example uses the TLS v1.2. To use the TLS v1.3, uncomment the MBEDTLS_SSL_PROTO_TLS1_3 and FORCE_TLS_VERSION MBEDTLS_SSL_VERSION_TLS1_3 defines in the mbedtls_user_config.h file. However, note that the socket receive fails if the application establishes TLS v1.3 connection to a server where session tickets are enabled. This is due to a bug in third-party MBEDTLS library. ## Related resources @@ -484,11 +499,12 @@ Document title: *CE237953* - *HTTPS client* 1.1.0 | Added support for KIT_XMC72_EVK_MUR_43439M2
Updated to support mbedtls v3.4.0 and ModusToolbox™ v3.1. 1.2.0 | Added support for CY8CEVAL-062S2-CYW43022CUB 1.3.0 | Added support for CY8CEVAL-062S2-CYW955513SDM2WLIPA + 1.4.0 | Disabled D-cache for XMC7000 based BSPs
--------------------------------------------------------- -© Cypress Semiconductor Corporation, 2023. This document is the property of Cypress Semiconductor Corporation, an Infineon Technologies company, and its affiliates ("Cypress"). This document, including any software or firmware included or referenced in this document ("Software"), is owned by Cypress under the intellectual property laws and treaties of the United States and other countries worldwide. Cypress reserves all rights under such laws and treaties and does not, except as specifically stated in this paragraph, grant any license under its patents, copyrights, trademarks, or other intellectual property rights. If the Software is not accompanied by a license agreement and you do not otherwise have a written agreement with Cypress governing the use of the Software, then Cypress hereby grants you a personal, non-exclusive, nontransferable license (without the right to sublicense) (1) under its copyright rights in the Software (a) for Software provided in source code form, to modify and reproduce the Software solely for use with Cypress hardware products, only internally within your organization, and (b) to distribute the Software in binary code form externally to end users (either directly or indirectly through resellers and distributors), solely for use on Cypress hardware product units, and (2) under those claims of Cypress's patents that are infringed by the Software (as provided by Cypress, unmodified) to make, use, distribute, and import the Software solely for use with Cypress hardware products. Any other use, reproduction, modification, translation, or compilation of the Software is prohibited. +© Cypress Semiconductor Corporation, 2024. This document is the property of Cypress Semiconductor Corporation, an Infineon Technologies company, and its affiliates ("Cypress"). 
This document, including any software or firmware included or referenced in this document ("Software"), is owned by Cypress under the intellectual property laws and treaties of the United States and other countries worldwide. Cypress reserves all rights under such laws and treaties and does not, except as specifically stated in this paragraph, grant any license under its patents, copyrights, trademarks, or other intellectual property rights. If the Software is not accompanied by a license agreement and you do not otherwise have a written agreement with Cypress governing the use of the Software, then Cypress hereby grants you a personal, non-exclusive, nontransferable license (without the right to sublicense) (1) under its copyright rights in the Software (a) for Software provided in source code form, to modify and reproduce the Software solely for use with Cypress hardware products, only internally within your organization, and (b) to distribute the Software in binary code form externally to end users (either directly or indirectly through resellers and distributors), solely for use on Cypress hardware product units, and (2) under those claims of Cypress's patents that are infringed by the Software (as provided by Cypress, unmodified) to make, use, distribute, and import the Software solely for use with Cypress hardware products. Any other use, reproduction, modification, translation, or compilation of the Software is prohibited.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CYPRESS MAKES NO WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, WITH REGARD TO THIS DOCUMENT OR ANY SOFTWARE OR ACCOMPANYING HARDWARE, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. No computing device can be absolutely secure. Therefore, despite security measures implemented in Cypress hardware or software products, Cypress shall have no liability arising out of any security breach, such as unauthorized access to or use of a Cypress product. CYPRESS DOES NOT REPRESENT, WARRANT, OR GUARANTEE THAT CYPRESS PRODUCTS, OR SYSTEMS CREATED USING CYPRESS PRODUCTS, WILL BE FREE FROM CORRUPTION, ATTACK, VIRUSES, INTERFERENCE, HACKING, DATA LOSS OR THEFT, OR OTHER SECURITY INTRUSION (collectively, "Security Breach"). Cypress disclaims any liability relating to any Security Breach, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any Security Breach. In addition, the products described in these materials may contain design defects or errors known as errata which may cause the product to deviate from published specifications. To the extent permitted by applicable law, Cypress reserves the right to make changes to this document without further notice. Cypress does not assume any liability arising out of the application or use of any product or circuit described in this document. Any information provided in this document, including any sample design information or programming code, is provided only for reference purposes. It is the responsibility of the user of this document to properly design, program, and test the functionality and safety of any application made of this information and any resulting product. "High-Risk Device" means any device or system whose failure could cause personal injury, death, or property damage. 
Examples of High-Risk Devices are weapons, nuclear installations, surgical implants, and other medical devices. "Critical Component" means any component of a High-Risk Device whose failure to perform can be reasonably expected to cause, directly or indirectly, the failure of the High-Risk Device, or to affect its safety or effectiveness. Cypress is not liable, in whole or in part, and you shall and hereby do release Cypress from any claim, damage, or other liability arising from any use of a Cypress product as a Critical Component in a High-Risk Device. You shall indemnify and hold Cypress, including its affiliates, and its directors, officers, employees, agents, distributors, and assigns harmless from and against all claims, costs, damages, and expenses, arising out of any claim, including claims for product liability, personal injury or death, or property damage arising from any use of a Cypress product as a Critical Component in a High-Risk Device. Cypress products are not intended or authorized for use as a Critical Component in any High-Risk Device except to the limited extent that (i) Cypress's published data sheet for the product explicitly states Cypress has qualified the product for use in a specific High-Risk Device, or (ii) Cypress has given you advance written authorization to use the product as a Critical Component in the specific High-Risk Device and you have signed a separate indemnification agreement.
diff --git a/source/FreeRTOSConfig.h b/configs/FreeRTOSConfig.h
similarity index 100%
rename from source/FreeRTOSConfig.h
rename to configs/FreeRTOSConfig.h
diff --git a/configs/mbedtls_user_config.h b/configs/mbedtls_user_config.h
new file mode 100644
index 0000000..afd7b7b
--- /dev/null
+++ b/configs/mbedtls_user_config.h
@@ -0,0 +1,998 @@
+/******************************************************************************
+* File Name: mbedtls_user_config.h
+*
+* Description: This file contains the mbedtls configuration macros.
+*
+* Related Document: See README.md
+*
+*
+*******************************************************************************
+* Copyright 2024, Cypress Semiconductor Corporation (an Infineon company) or
+* an affiliate of Cypress Semiconductor Corporation. All rights reserved.
+*
+* This software, including source code, documentation and related
+* materials ("Software") is owned by Cypress Semiconductor Corporation
+* or one of its affiliates ("Cypress") and is protected by and subject to
+* worldwide patent protection (United States and foreign),
+* United States copyright laws and international treaty provisions.
+* Therefore, you may use this Software only as provided in the license
+* agreement accompanying the software package from which you
+* obtained this Software ("EULA").
+* If no EULA applies, Cypress hereby grants you a personal, non-exclusive,
+* non-transferable license to copy, modify, and compile the Software
+* source code solely for use in connection with Cypress's
+* integrated circuit products. Any reproduction, modification, translation,
+* compilation, or representation of this Software except as specified
+* above is prohibited without the express written permission of Cypress.
+*
+* Disclaimer: THIS SOFTWARE IS PROVIDED AS-IS, WITH NO WARRANTY OF ANY KIND,
+* EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, NONINFRINGEMENT, IMPLIED
+* WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cypress
+* reserves the right to make changes to the Software without notice. Cypress
+* does not assume any liability arising out of the application or use of the
+* Software or any product or circuit described in the Software. Cypress does
+* not authorize its products for use in any products where a malfunction or
+* failure of the Cypress product may reasonably be expected to result in
+* significant property damage, injury or death ("High Risk Product"). By
+* including Cypress's product in a High Risk Product, the manufacturer
+* of such system or application assumes all risk of such use and in doing
+* so agrees to indemnify Cypress against all liability.
+*******************************************************************************/
+
+/**
+ * \file config.h
+ *
+ * \brief Configuration options (set of defines)
+ *
+ * This set of compile-time options may be used to enable
+ * or disable features selectively, and reduce the global
+ * memory footprint.
+ */
+/*
+ * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_USER_CONFIG_HEADER
+#define MBEDTLS_USER_CONFIG_HEADER
+
+/**
+ * Compiling Mbed TLS for Cortex-M0/0+/1/M23 cores with optimization enabled and on ARMC6 compiler results in errors.
+ * These cores lack the required full Thumb-2 support, causing the inline assembly to require more registers than available.
+ * The workaround is to use 'MULADDC_CANNOT_USE_R7' compilation flag, or without optimization flag,
+ * but note that this will compile without the assmebly optimization.
+ *
+ * To read more about this issue, refer to https://github.com/ARMmbed/mbed-os/pull/14529/commits/86e7bc559b0d1a055bf84ea9249763d2349fb6e8
+ */
+
+#if defined(COMPONENT_CM0P) && defined(COMPONENT_ARM)
+#define MULADDC_CANNOT_USE_R7
+#endif
+
+/* Currently there is a bug with MBEDTLS 3.4.0 compilation with IAR compiler when assembly instructions are enabled. Hence
+ * disabling assembly instructions for IAR. This will be fixed in future MBEDTLS releases.
+ */
+#if defined (__IAR_SYSTEMS_ICC__)
+#undef MBEDTLS_HAVE_ASM
+#endif
+
+/**
+ * \def MBEDTLS_HAVE_TIME_DATE
+ *
+ * System has time.h, time(), and an implementation for
+ * mbedtls_platform_gmtime_r() (see below).
+ * The time needs to be correct (not necessarily very accurate, but at least
+ * the date should be correct). This is used to verify the validity period of
+ * X.509 certificates.
+ *
+ * Comment if your system does not have a correct clock.
+ *
+ * \note mbedtls_platform_gmtime_r() is an abstraction in platform_util.h that
+ * behaves similarly to the gmtime_r() function from the C standard. Refer to
+ * the documentation for mbedtls_platform_gmtime_r() for more information.
+ *
+ * \note It is possible to configure an implementation for
+ * mbedtls_platform_gmtime_r() at compile-time by using the macro
+ * MBEDTLS_PLATFORM_GMTIME_R_ALT.
+ */
+#undef MBEDTLS_HAVE_TIME_DATE
+
+
+/**
+ * \def MBEDTLS_PLATFORM_EXIT_ALT
+ *
+ * MBEDTLS_PLATFORM_XXX_ALT: Uncomment a macro to let mbed TLS support the
+ * function in the platform abstraction layer.
+ *
+ * Example: In case you uncomment MBEDTLS_PLATFORM_PRINTF_ALT, mbed TLS will
+ * provide a function "mbedtls_platform_set_printf()" that allows you to set an
+ * alternative printf function pointer.
+ *
+ * All these define require MBEDTLS_PLATFORM_C to be defined!
+ *
+ * \note MBEDTLS_PLATFORM_SNPRINTF_ALT is required on Windows;
+ * it will be enabled automatically by check_config.h
+ *
+ * \warning MBEDTLS_PLATFORM_XXX_ALT cannot be defined at the same time as
+ * MBEDTLS_PLATFORM_XXX_MACRO!
+ *
+ * Requires: MBEDTLS_PLATFORM_TIME_ALT requires MBEDTLS_HAVE_TIME
+ *
+ * Uncomment a macro to enable alternate implementation of specific base
+ * platform function
+ */
+// #define MBEDTLS_PLATFORM_EXIT_ALT
+#define MBEDTLS_PLATFORM_TIME_ALT
+// #define MBEDTLS_PLATFORM_FPRINTF_ALT
+// #define MBEDTLS_PLATFORM_PRINTF_ALT
+// #define MBEDTLS_PLATFORM_SNPRINTF_ALT
+// #define MBEDTLS_PLATFORM_NV_SEED_ALT
+// #define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT
+
+/**
+ * \def MBEDTLS_ENTROPY_HARDWARE_ALT
+ *
+ * Uncomment this macro to let mbed TLS use your own implementation of a
+ * hardware entropy collector.
+ *
+ * Your function must be called \c mbedtls_hardware_poll(), have the same
+ * prototype as declared in entropy_poll.h, and accept NULL as first argument.
+ *
+ * Uncomment to use your own hardware entropy collector.
+ */
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
+/**
+ * \def MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ *
+ * MBEDTLS_ECP_XXXX_ENABLED: Enables specific curves within the Elliptic Curve
+ * module. By default all supported curves are enabled.
+ *
+ * Comment macros to disable the curve and functions for it
+ */
+#undef MBEDTLS_ECP_DP_SECP192R1_ENABLED
+#undef MBEDTLS_ECP_DP_SECP224R1_ENABLED
+// #define MBEDTLS_ECP_DP_SECP256R1_ENABLED
+#undef MBEDTLS_ECP_DP_SECP384R1_ENABLED
+#undef MBEDTLS_ECP_DP_SECP521R1_ENABLED
+#undef MBEDTLS_ECP_DP_SECP192K1_ENABLED
+#undef MBEDTLS_ECP_DP_SECP224K1_ENABLED
+#undef MBEDTLS_ECP_DP_SECP256K1_ENABLED
+#undef MBEDTLS_ECP_DP_BP256R1_ENABLED
+#undef MBEDTLS_ECP_DP_BP384R1_ENABLED
+#undef MBEDTLS_ECP_DP_BP512R1_ENABLED
+// #undef MBEDTLS_ECP_DP_CURVE25519_ENABLED
+#undef MBEDTLS_ECP_DP_CURVE448_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+ *
+ * Enable the PSK based ciphersuite modes in SSL / TLS.
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA
+ * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ */
+#undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+
+
+/**
+ * \def MBEDTLS_PK_PARSE_EC_EXTENDED
+ *
+ * Enhance support for reading EC keys using variants of SEC1 not allowed by
+ * RFC 5915 and RFC 5480.
+ *
+ * Currently this means parsing the SpecifiedECDomain choice of EC
+ * parameters (only known groups are supported, not arbitrary domains, to
+ * avoid validation issues).
+ *
+ * Disable if you only need to support RFC 5915 + 5480 key formats.
+ */
+#undef MBEDTLS_PK_PARSE_EC_EXTENDED
+
+
+#undef MBEDTLS_FS_IO
+
+
+/**
+ * \def MBEDTLS_NO_PLATFORM_ENTROPY
+ *
+ * Do not use built-in platform entropy functions.
+ * This is useful if your platform does not support
+ * standards like the /dev/urandom or Windows CryptoAPI.
+ *
+ * Uncomment this macro to disable the built-in platform entropy functions.
+ */
+#define MBEDTLS_NO_PLATFORM_ENTROPY
+
+/**
+ * \def MBEDTLS_ENTROPY_FORCE_SHA256
+ *
+ * Force the entropy accumulator to use a SHA-256 accumulator instead of the
+ * default SHA-512 based one (if both are available).
+ *
+ * Requires: MBEDTLS_SHA256_C
+ *
+ * On 32-bit systems SHA-256 can be much faster than SHA-512. Use this option
+ * if you have performance concerns.
+ *
+ * This option is only useful if both MBEDTLS_SHA256_C and
+ * MBEDTLS_SHA512_C are defined. Otherwise the available hash module is used.
+ */
+#define MBEDTLS_ENTROPY_FORCE_SHA256
+
+/**
+ * \def MBEDTLS_SELF_TEST
+ *
+ * Enable the checkup functions (*_self_test).
+ */
+#undef MBEDTLS_SELF_TEST
+
+/**
+ * \def MBEDTLS_SSL_FALLBACK_SCSV
+ *
+ * Enable support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv-00).
+ *
+ * For servers, it is recommended to always enable this, unless you support
+ * only one version of TLS, or know for sure that none of your clients
+ * implements a fallback strategy.
+ *
+ * For clients, you only need this if you're using a fallback strategy, which
+ * is not recommended in the first place, unless you absolutely need it to
+ * interoperate with buggy (version-intolerant) servers.
+ *
+ * Comment this macro to disable support for FALLBACK_SCSV
+ */
+#undef MBEDTLS_SSL_FALLBACK_SCSV
+
+/**
+ * \def MBEDTLS_SSL_CBC_RECORD_SPLITTING
+ *
+ * Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
+ *
+ * This is a countermeasure to the BEAST attack, which also minimizes the risk
+ * of interoperability issues compared to sending 0-length records.
+ *
+ * Comment this macro to disable 1/n-1 record splitting.
+ */
+#undef MBEDTLS_SSL_CBC_RECORD_SPLITTING
+
+/**
+ * \def MBEDTLS_SSL_RENEGOTIATION
+ *
+ * Enable support for TLS renegotiation.
+ *
+ * The two main uses of renegotiation are (1) refresh keys on long-lived
+ * connections and (2) client authentication after the initial handshake.
+ * If you don't need renegotiation, it's probably better to disable it, since
+ * it has been associated with security issues in the past and is easy to
+ * misuse/misunderstand.
+ *
+ * Comment this to disable support for renegotiation.
+ *
+ * \note Even if this option is disabled, both client and server are aware
+ * of the Renegotiation Indication Extension (RFC 5746) used to
+ * prevent the SSL renegotiation attack (see RFC 5746 Sect. 1).
+ * (See \c mbedtls_ssl_conf_legacy_renegotiation for the
+ * configuration of this extension).
+ *
+ */
+#undef MBEDTLS_SSL_RENEGOTIATION
+
+/**
+ * \def MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+ *
+ * Enable support for receiving and parsing SSLv2 Client Hello messages for the
+ * SSL Server module (MBEDTLS_SSL_SRV_C).
+ *
+ * Uncomment this macro to enable support for SSLv2 Client Hello messages.
+ */
+// #define MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1
+ *
+ * Enable support for TLS 1.0.
+ *
+ * Requires: MBEDTLS_MD5_C
+ * MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.0
+ */
+#undef MBEDTLS_SSL_PROTO_TLS1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_1
+ *
+ * Enable support for TLS 1.1 (and DTLS 1.0 if DTLS is enabled).
+ *
+ * Requires: MBEDTLS_MD5_C
+ * MBEDTLS_SHA1_C
+ *
+ * Comment this macro to disable support for TLS 1.1 / DTLS 1.0
+ */
+#undef MBEDTLS_SSL_PROTO_TLS1_1
+
+/**
+ * \def MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Enable support for DTLS (all available versions).
+ *
+ * Enable this and MBEDTLS_SSL_PROTO_TLS1_1 to enable DTLS 1.0,
+ * and/or this and MBEDTLS_SSL_PROTO_TLS1_2 to enable DTLS 1.2.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_TLS1_1
+ * or MBEDTLS_SSL_PROTO_TLS1_2
+ *
+ * Comment this macro to disable support for DTLS
+ */
+#undef MBEDTLS_SSL_PROTO_DTLS
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+ *
+ * Defines whether RFC 9146 (default) or the legacy version
+ * (version draft-ietf-tls-dtls-connection-id-05,
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05)
+ * is used.
+ *
+ * Set the value to 0 for the standard version, and
+ * 1 for the legacy draft version.
+ *
+ * \deprecated Support for the legacy version of the DTLS
+ * Connection ID feature is deprecated. Please
+ * switch to the standardized version defined
+ * in RFC 9146 enabled by utilizing
+ * MBEDTLS_SSL_DTLS_CONNECTION_ID without use
+ * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID
+ */
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CONNECTION_ID
+ *
+ * Enable support for the DTLS Connection ID (CID) extension,
+ * which allows to identify DTLS connections across changes
+ * in the underlying transport. The CID functionality is described
+ * in RFC 9146.
+ *
+ * Setting this option enables the SSL APIs `mbedtls_ssl_set_cid()`,
+ * mbedtls_ssl_get_own_cid()`, `mbedtls_ssl_get_peer_cid()` and
+ * `mbedtls_ssl_conf_cid()`. See the corresponding documentation for
+ * more information.
+ *
+ * The maximum lengths of outgoing and incoming CIDs can be configured
+ * through the options
+ * - MBEDTLS_SSL_CID_OUT_LEN_MAX
+ * - MBEDTLS_SSL_CID_IN_LEN_MAX.
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Uncomment to enable the Connection ID extension.
+ */
+#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
+
+/**
+ * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY
+ *
+ * Enable support for the anti-replay mechanism in DTLS.
+ *
+ * Requires: MBEDTLS_SSL_TLS_C
+ * MBEDTLS_SSL_PROTO_DTLS
+ *
+ * \warning Disabling this is often a security risk!
+ * See mbedtls_ssl_conf_dtls_anti_replay() for details.
+ *
+ * Comment this to disable anti-replay in DTLS.
+ */
+#undef MBEDTLS_SSL_DTLS_ANTI_REPLAY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Enable support for HelloVerifyRequest on DTLS servers.
+ *
+ * This feature is highly recommended to prevent DTLS servers being used as
+ * amplifiers in DoS attacks against other hosts. It should always be enabled
+ * unless you know for sure amplification cannot be a problem in the
+ * environment in which your server operates.
+ *
+ * \warning Disabling this can ba a security risk! (see above)
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ *
+ * Comment this to disable support for HelloVerifyRequest.
+ */
+#undef MBEDTLS_SSL_DTLS_HELLO_VERIFY
+
+/**
+ * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+ *
+ * Enable server-side support for clients that reconnect from the same port.
+ *
+ * Some clients unexpectedly close the connection and try to reconnect using the
+ * same source port. This needs special support from the server to handle the
+ * new connection securely, as described in section 4.2.8 of RFC 6347. This
+ * flag enables that support.
+ *
+ * Requires: MBEDTLS_SSL_DTLS_HELLO_VERIFY
+ *
+ * Comment this to disable support for clients reusing the source port.
+ */
+#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+
+/**
+ * \def MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+ *
+ * Enable support for a limit of records with bad MAC.
+ *
+ * See mbedtls_ssl_conf_dtls_badmac_limit().
+ *
+ * Requires: MBEDTLS_SSL_PROTO_DTLS
+ */
+#undef MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+
+/**
+ * \def MBEDTLS_SSL_EXPORT_KEYS
+ *
+ * Enable support for exporting key block and master secret.
+ * This is required for certain users of TLS, e.g. EAP-TLS.
+ *
+ * Comment this macro to disable support for key export
+ */
+#undef MBEDTLS_SSL_EXPORT_KEYS
+
+
+/**
+ * \def MBEDTLS_SSL_TRUNCATED_HMAC
+ *
+ * Enable support for RFC 6066 truncated HMAC in SSL.
+ *
+ * Comment this macro to disable support for truncated HMAC in SSL
+ */
+#undef MBEDTLS_SSL_TRUNCATED_HMAC
+
+/**
+ * \def MBEDTLS_AESNI_C
+ *
+ * Enable AES-NI support on x86-64.
+ *
+ * Module: library/aesni.c
+ * Caller: library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the AES-NI instructions on x86-64
+ */
+#undef MBEDTLS_AESNI_C
+
+/**
+ * \def MBEDTLS_NET_C
+ *
+ * Enable the TCP and UDP over IPv6/IPv4 networking routines.
+ *
+ * \note This module only works on POSIX/Unix (including Linux, BSD and OS X)
+ * and Windows. For other platforms, you'll want to disable it, and write your
+ * own networking callbacks to be passed to \c mbedtls_ssl_set_bio().
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module: library/net_sockets.c
+ *
+ * This module provides networking routines.
+ */
+#undef MBEDTLS_NET_C
+
+/**
+ * \def MBEDTLS_SSL_COOKIE_C
+ *
+ * Enable basic implementation of DTLS cookies for hello verification.
+ *
+ * Module: library/ssl_cookie.c
+ * Caller:
+ */
+#undef MBEDTLS_SSL_COOKIE_C
+
+/**
+ * \def MBEDTLS_TIMING_C
+ *
+ * Enable the semi-portable timing interface.
+ *
+ * \note The provided implementation only works on POSIX/Unix (including Linux,
+ * BSD and OS X) and Windows. On other platforms, you can either disable that
+ * module and provide your own implementations of the callbacks needed by
+ * \c mbedtls_ssl_set_timer_cb() for DTLS, or leave it enabled and provide
+ * your own implementation of the whole module by setting
+ * \c MBEDTLS_TIMING_ALT in the current file.
+ *
+ * \note See also our Knowledge Base article about porting to a new
+ * environment:
+ * https://tls.mbed.org/kb/how-to/how-do-i-port-mbed-tls-to-a-new-environment-OS
+ *
+ * Module: library/timing.c
+ * Caller: library/havege.c
+ *
+ * This module is used by the HAVEGE random number generator.
+ */
+#undef MBEDTLS_TIMING_C
+
+/**
+ * \def MBEDTLS_X509_CRL_PARSE_C
+ *
+ * Enable X.509 CRL parsing.
+ *
+ * Module: library/x509_crl.c
+ * Caller: library/x509_crt.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is required for X.509 CRL parsing.
+ */
+#undef MBEDTLS_X509_CRL_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_PARSE_C
+ *
+ * Enable X.509 Certificate Signing Request (CSR) parsing.
+ *
+ * Module: library/x509_csr.c
+ * Caller: library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_USE_C
+ *
+ * This module is used for reading X.509 certificate request.
+ */
+#undef MBEDTLS_X509_CSR_PARSE_C
+
+/**
+ * \def MBEDTLS_X509_CREATE_C
+ *
+ * Enable X.509 core for creating certificates.
+ *
+ * Module: library/x509_create.c
+ *
+ * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_WRITE_C
+ *
+ * This module is the basis for creating X.509 certificates and CSRs.
+ */
+#undef MBEDTLS_X509_CREATE_C
+
+/**
+ * \def MBEDTLS_X509_CSR_WRITE_C
+ *
+ * Enable creating X.509 Certificate Signing Requests (CSR).
+ *
+ * Module: library/x509_csr_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate request writing.
+ */
+#undef MBEDTLS_X509_CSR_WRITE_C
+
+/**
+ * \def MBEDTLS_X509_CRT_WRITE_C
+ *
+ * Enable creating X.509 certificates.
+ *
+ * Module: library/x509_crt_write.c
+ *
+ * Requires: MBEDTLS_X509_CREATE_C
+ *
+ * This module is required for X.509 certificate creation.
+ */
+#undef MBEDTLS_X509_CRT_WRITE_C
+
+/**
+ * \def MBEDTLS_CERTS_C
+ *
+ * Enable the test certificates.
+ *
+ * Module: library/certs.c
+ * Caller:
+ *
+ * This module is used for testing (ssl_client/server).
+ */
+#undef MBEDTLS_CERTS_C
+
+/**
+ * \def MBEDTLS_ERROR_C
+ *
+ * Enable error code to error string conversion.
+ *
+ * Module: library/error.c
+ * Caller:
+ *
+ * This module enables mbedtls_strerror().
+ */
+#undef MBEDTLS_ERROR_C
+
+/**
+ * \def MBEDTLS_PADLOCK_C
+ *
+ * Enable VIA Padlock support on x86.
+ *
+ * Module: library/padlock.c
+ * Caller: library/aes.c
+ *
+ * Requires: MBEDTLS_HAVE_ASM
+ *
+ * This modules adds support for the VIA PadLock on x86.
+ */
+#undef MBEDTLS_PADLOCK_C
+
+/**
+ * \def MBEDTLS_RIPEMD160_C
+ *
+ * Enable the RIPEMD-160 hash algorithm.
+ *
+ * Module: library/ripemd160.c
+ * Caller: library/md.c
+ *
+ */
+#undef MBEDTLS_RIPEMD160_C
+
+/**
+ * \def MBEDTLS_ARC4_C
+ *
+ * Enable the ARCFOUR stream cipher.
+ *
+ * Module: library/arc4.c
+ * Caller: library/cipher.c
+ *
+ * This module enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_RSA_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_RSA_WITH_RC4_128_MD5
+ * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ * MBEDTLS_TLS_PSK_WITH_RC4_128_SHA
+ *
+ * \warning ARC4 is considered a weak cipher and its use constitutes a
+ * security risk. If possible, we recommend avoidng dependencies on
+ * it, and considering stronger ciphers instead.
+ *
+ */
+#undef MBEDTLS_ARC4_C
+
+/**
+ * \def MBEDTLS_XTEA_C
+ *
+ * Enable the XTEA block cipher.
+ *
+ * Module: library/xtea.c
+ * Caller:
+ */
+#undef MBEDTLS_XTEA_C
+
+/**
+ * \def MBEDTLS_BLOWFISH_C
+ *
+ * Enable the Blowfish block cipher.
+ *
+ * Module: library/blowfish.c
+ */
+#undef MBEDTLS_BLOWFISH_C
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+ *
+ * Enable the DHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_DHM_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA
+ * MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA
+ *
+ * \warning Using DHE constitutes a security risk as it
+ * is not possible to validate custom DH parameters.
+ * If possible, it is recommended users should consider
+ * preferring other methods of key exchange.
+ * See dhm.h for more details.
+ *
+ */
+#undef MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+ *
+ * Enable the ECDHE-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_ECDH_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA
+ * MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA
+ */
+#undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+ *
+ * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
+ *
+ * Requires: MBEDTLS_RSA_C, MBEDTLS_PKCS1_V15,
+ * MBEDTLS_X509_CRT_PARSE_C
+ *
+ * This enables the following ciphersuites (if other requisites are
+ * enabled as well):
+ * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA
+ * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
+ * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA
+ * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
+ * MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA
+ * MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA
+ */
+#undef MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_STORAGE_C
+ *
+ * Enable the Platform Security Architecture persistent key storage.
+ *
+ * Module: library/psa_crypto_storage.c
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ * the PSA ITS interface
+ */
+#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
+
+/**
+ * \def MBEDTLS_PSA_ITS_FILE_C
+ *
+ * Enable the emulation of the Platform Security Architecture
+ * Internal Trusted Storage (PSA ITS) over files.
+ *
+ * Module: library/psa_its_file.c
+ *
+ * Requires: MBEDTLS_FS_IO
+ */
+#undef MBEDTLS_PSA_ITS_FILE_C
+
+/**
+ * \def MBEDTLS_SSL_PROTO_TLS1_3
+ *
+ * Enable support for TLS 1.3.
+ *
+ * \note The support for TLS 1.3 is not comprehensive yet, in particular
+ * pre-shared keys are not supported.
+ * See docs/architecture/tls13-support.md for a description of the TLS
+ * 1.3 support that this option enables.
+ *
+ * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * \note TLS 1.3 uses PSA crypto for cryptographic operations that are
+ * directly performed by TLS 1.3 code. As a consequence, you must
+ * call psa_crypto_init() before the first TLS 1.3 handshake.
+ *
+ * \note Cryptographic operations performed indirectly via another module
+ * (X.509, PK) or by code shared with TLS 1.2 (record protection,
+ * running handshake hash) only use PSA crypto if
+ * #MBEDTLS_USE_PSA_CRYPTO is enabled.
+ *
+ * Uncomment this macro to enable the support for TLS 1.3.
+ */
+// #define MBEDTLS_SSL_PROTO_TLS1_3
+
+#ifndef MBEDTLS_SSL_PROTO_TLS1_3
+/**
+ * \def MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+ *
+ * This option controls the availability of the API mbedtls_ssl_get_peer_cert()
+ * giving access to the peer's certificate after completion of the handshake.
+ *
+ * Unless you need mbedtls_ssl_peer_cert() in your application, it is
+ * recommended to disable this option for reduced RAM usage.
+ *
+ * \note If this option is disabled, mbedtls_ssl_get_peer_cert() is still
+ * defined, but always returns \c NULL.
+ *
+ * \note This option has no influence on the protection against the
+ * triple handshake attack. Even if it is disabled, Mbed TLS will
+ * still ensure that certificates do not change during renegotiation,
+ * for exaple by keeping a hash of the peer's certificate.
+ *
+ * Comment this macro to disable storing the peer's certificate
+ * after the handshake.
+ */
+#undef MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+#endif
+
+/* MBEDTLS 3.4 version has build error when TLS1.3 is enabled and session ticket flag is not enabled.
+ * Hence, enabling session ticket flag when TLS1.3 is enabled though we dont support.
+ * Note: User should not disable session ticket flag when TLS1.3 is enabled otherwise it will result into
+ * build error.
+ */
+#ifndef MBEDTLS_SSL_PROTO_TLS1_3
+/**
+ * \def MBEDTLS_SSL_SESSION_TICKETS
+ *
+ * Enable support for RFC 5077 session tickets in SSL.
+ * Client-side, provides full support for session tickets (maintenance of a
+ * session store remains the responsibility of the application, though).
+ * Server-side, you also need to provide callbacks for writing and parsing
+ * tickets, including authenticated encryption and key management. Example
+ * callbacks are provided by MBEDTLS_SSL_TICKET_C.
+ *
+ * Comment this macro to disable support for SSL session tickets
+ */
+#undef MBEDTLS_SSL_SESSION_TICKETS
+#endif
+
+#ifdef MBEDTLS_SSL_PROTO_TLS1_3
+/**
+ * \def MBEDTLS_PK_RSA_ALT_SUPPORT
+ *
+ * Support external private RSA keys (eg from a HSM) in the PK layer.
+ *
+ * Comment this macro to disable support for external private RSA keys.
+ */
+#define MBEDTLS_PK_RSA_ALT_SUPPORT
+
+/**
+ * \def MBEDTLS_PSA_CRYPTO_C
+ *
+ * Enable the Platform Security Architecture cryptography API.
+ *
+ * \warning The PSA Crypto API is still beta status. While you're welcome to
+ * experiment using it, incompatible API changes are still possible, and some
+ * parts may not have reached the same quality as the rest of Mbed TLS yet.
+ *
+ * Module: library/psa_crypto.c
+ *
+ * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C
+ *
+ */
+#define MBEDTLS_PSA_CRYPTO_C
+
+/**
+ * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+ *
+ * Enable TLS 1.3 middlebox compatibility mode.
+ *
+ * As specified in Section D.4 of RFC 8446, TLS 1.3 offers a compatibility
+ * mode to make a TLS 1.3 connection more likely to pass through middle boxes
+ * expecting TLS 1.2 traffic.
+ *
+ * Turning on the compatibility mode comes at the cost of a few added bytes
+ * on the wire, but it doesn't affect compatibility with TLS 1.3 implementations
+ * that don't use it. Therefore, unless transmission bandwidth is critical and
+ * you know that middlebox compatibility issues won't occur, it is therefore
+ * recommended to set this option.
+ *
+ * Comment to disable compatibility mode for TLS 1.3. If
+ * MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
+ * effect on the build.
+ *
+ */
+#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
+#endif
+
+/**
+ * \def MBEDTLS_DEPRECATED_REMOVED
+ *
+ * Remove deprecated functions and features so that they generate an error if
+ * used. Functionality deprecated in one version will usually be removed in the
+ * next version. You can enable this to help you prepare the transition to a
+ * new major version by making sure your code is not using this functionality.
+ *
+ * Uncomment to get errors on using deprecated functions and features.
+ */
+#define MBEDTLS_DEPRECATED_REMOVED
+
+/**
+ * \def Enable MBEDTLS debug logs & set debug level
+ *
+ * MBEDTLS_VERBOSE values:
+ * 0 No debug - No logs are printed on console
+ * 1 Error - Error messages are printed on console
+ * 2 State change - State level change logs are printed on console
+ * 3 Informational - Informational logs printed on console
+ * 4 Verbose - All the logs are printed on console
+ */
+#define MBEDTLS_VERBOSE 0
+
+/**
+ * \def Comment out below line in addition to setting MBEDTLS_VERBOSE value to get the MBEDTLS logs
+ *
+ * MBEDTLS_DEBUG_C flag is by default undefined to save code space (~60Kb). For low memory platform, when MBEDTLS_DEBUG_C is enabled
+ * make sure to remove unwanted features of MBEDTLS which are not used in the application to avoid code size overflow issues.
+ */
+#undef MBEDTLS_DEBUG_C
+
+/**
+ * \def MBEDTLS_LMS_C
+ *
+ * Enable the LMS stateful-hash asymmetric signature algorithm.
+ *
+ * Module: library/lms.c
+ * Caller:
+ *
+ * Requires: MBEDTLS_PSA_CRYPTO_C
+ *
+ * Uncomment to enable the LMS verification algorithm and public key operations.
+ */
+#undef MBEDTLS_LMS_C
+
+/**
+ * \def MBEDTLS_PKCS7_C
+ *
+ * Enable PKCS #7 core for using PKCS #7-formatted signatures.
+ * RFC Link - https://tools.ietf.org/html/rfc2315
+ *
+ * Module: library/pkcs7.c
+ *
+ * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
+ * MBEDTLS_X509_CRT_PARSE_C MBEDTLS_X509_CRL_PARSE_C,
+ * MBEDTLS_BIGNUM_C, MBEDTLS_MD_C
+ *
+ * This module is required for the PKCS #7 parsing modules.
+ */
+#undef MBEDTLS_PKCS7_C
+
+/* When TLS1.3 and TLS1.2 both are enabled, there is no version negotiation currently supported for server. Hence, when both
+ * are enabled, the below macro can be changed to force the TLS version to be used on server side. Please note that this macro
+ * is only used when device is acting as a server. for client, version negotiation is supported.
+ */
+// #define FORCE_TLS_VERSION MBEDTLS_SSL_VERSION_TLS1_3
+#endif /* MBEDTLS_USER_CONFIG_HEADER */
diff --git a/scripts/format_cert_key.py b/scripts/format_cert_key.py
new file mode 100644
index 0000000..81e7a98
--- /dev/null
+++ b/scripts/format_cert_key.py
@@ -0,0 +1,37 @@
+# Python script to convert certificate/key file to string format that can be used in C source files.
+#
+# Usage:
+# python format_cert_key.py
+#
+# Example:
+# python format_cert_key.py mosquitto_ca.crt mosquitto_client.crt mosquitto_client.key
+#
+import sys
+
+#Function that adds a new line character and trailing backslash except on the final line
+def format_file(f):
+ with open(f, 'r') as fd:
+ lines = fd.read().splitlines()
+ line_num = 0
+ for i in lines:
+ i = "\""+i+"\\n\""
+ line_num = line_num + 1
+ if(len(lines) == line_num):
+ print(i)
+ else:
+ print(i+"\\")
+
+
+#Main function. Execution starts here
+if __name__ == '__main__':
+
+ for arg in (sys.argv):
+ if (arg.endswith(".crt") or arg.endswith(".pem") or arg.endswith(".key")):
+ print("String format of",arg,"file:")
+ format_file(arg)
+ print("")
+ else:
+ if (arg.endswith(".py") == False):
+ print("Pass file with extension (*.crt) (*.pem) or (*.key) only!")
+
+ input("Enter any key to exit...")
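Review bot: `format_file` prints the contents of `.key` files to the terminal, so the client private key lands in scrollback and in any captured build or CI log, and nothing in the header comment says so. I would add a line to the usage block such as `# Note: output for *.key files is secret material; do not log it or commit the header it is pasted into.` The main loop also walks `sys.argv` from index 0 and relies on the `.py` suffix test to skip the script name; `for arg in sys.argv[1:]:` removes that special case. The unconditional `input("Enter any key to exit...")` at the end blocks any non-interactive use of the script.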
diff --git a/scripts/generate_ssl_certs.sh b/scripts/generate_ssl_certs.sh
new file mode 100755
index 0000000..c4d3a7a
--- /dev/null
+++ b/scripts/generate_ssl_certs.sh
@@ -0,0 +1,78 @@
+#!/bin/sh
+
+################################
+# Become a Certificate Authority
+################################
+
+MY_DOMAIN_NAME=mysecurehttpserver.local
+
+_OS=$(uname -s)
+echo "Environment: $_OS"
+
+if [[ "$_OS" == "MINGW"* ]]; then
+ OPENSSL_SUBJECT_INFO="//C=IN\ST=Karnataka\L=Bengaluru\O=CY\OU=Engineering\CN=$MY_DOMAIN_NAME"
+else
+ OPENSSL_SUBJECT_INFO="/C=IN/ST=Karnataka/L=Bengaluru/O=CY/OU=Engineering/CN=$MY_DOMAIN_NAME"
+fi
+
+# Generate a private root key
+openssl ecparam -name prime256v1 -genkey -noout -out root_ca.key
+
+# Self-sign a certificate. Make sure to set the "Common Name" field to match
+# your server name (HTTPS_SERVER_NAME) defined in the application.
+openssl req -new -x509 -sha256 -key root_ca.key -out root_ca.crt -subj $OPENSSL_SUBJECT_INFO
+
+########################
+# Create CA-signed certs
+########################
+
+# Generate a private key
+openssl ecparam -name prime256v1 -genkey -noout -out $MY_DOMAIN_NAME.key
+
+# Create the Certificate Signing Request (CSR).
+# Make sure to set the "Common Name" field with MY_DOMAIN_NAME.
+openssl req -new -sha256 -key $MY_DOMAIN_NAME.key -out $MY_DOMAIN_NAME.csr \
+-subj $OPENSSL_SUBJECT_INFO
+
+# Create a config file for the extensions
+>$MY_DOMAIN_NAME.ext cat <<-EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $MY_DOMAIN_NAME
+EOF
+
+# Create the signed certificate
+openssl x509 -req -in $MY_DOMAIN_NAME.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out $MY_DOMAIN_NAME.crt -days 1000 -sha256
+
+################################
+# Generate Client Certificate
+################################
+MY_CLIENT=mysecurehttpclient
+
+# Generating RSA Private Key for Client Certificate
+openssl ecparam -name prime256v1 -genkey -noout -out $MY_CLIENT.key
+
+# Generating Certificate Signing Request for Client Certificate
+openssl req -new -sha256 -key $MY_CLIENT.key -out $MY_CLIENT.csr \
+-subj $OPENSSL_SUBJECT_INFO
+
+# Generating Certificate for Client Certificate
+openssl x509 -req -in $MY_CLIENT.csr -CA root_ca.crt -CAkey root_ca.key -CAcreateserial -out $MY_CLIENT.crt -days 1000 -sha256
+
+# Bundle the client certificate and key.
+# Export password is set to empty.
+openssl pkcs12 -export -out $MY_CLIENT.pfx -inkey $MY_CLIENT.key -in $MY_CLIENT.crt \
+-passout pass:
+
+# We have now successfully generated the server and client certificates.
+# Configure your server with the generated certificate, key, and rootCA.
+# Configure your client by importing the generated PKCS12 file that
+# bundles the client certificate and key.
+#
+# Remove the intermediate files.
+rm rootCA.srl $MY_DOMAIN_NAME.csr $MY_DOMAIN_NAME.ext $MY_CLIENT.csr
+
+echo "Done"
diff --git a/source/secure_http_client.c b/source/secure_http_client.c
index 70e248a..0bf10bd 100644
--- a/source/secure_http_client.c
+++ b/source/secure_http_client.c
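Review bot: The extensions file written to `$MY_DOMAIN_NAME.ext` is never passed to OpenSSL, so the server certificate is issued without the subjectAltName, keyUsage and `CA:FALSE` entries the heredoc sets up; the server `openssl x509 -req` line should carry `-extfile $MY_DOMAIN_NAME.ext`. The cleanup removes `rootCA.srl`, while `-CAcreateserial` with `-CA root_ca.crt` should leave `root_ca.srl`, so that `rm` most likely reports a missing file and the serial file stays behind. The private keys, including `root_ca.key`, are created with the caller's default umask and the PKCS#12 bundle is exported with an empty password; a `umask 077` ahead of the first `openssl ecparam` call would keep them owner-only. The `[[ ... ]]` test under `#!/bin/sh` is a bashism that fails on shells such as dash, and the comment "Generating RSA Private Key" sits above an EC key generation command.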
@@ -309,7 +309,7 @@ static cy_rslt_t configure_https_client(void) /* Create an instance of the HTTP client. */ result = cy_http_client_create(&security_config, &server_info, http_cb, NULL, &https_client); - + if( result != CY_RSLT_SUCCESS ) { /* Failure path */ @@ -476,4 +476,3 @@ void http_request(void) } } /* [] END OF FILE */ - diff --git a/source/secure_keys.h b/source/secure_keys.h index c428e81..23252f5 100644 --- a/source/secure_keys.h +++ b/source/secure_keys.h 
@@ -45,51 +45,27 @@ #ifndef SECURE_KEYS_H_ #define SECURE_KEYS_H_ -/* HTTPS server certificate. Copy from the HTTPS server certificate - * generated by OpenSSL (See Readme.md on how to generate a SSL certificate). +/* HTTPS client certificate. Copy from the HTTPS client certificate + * generated by OpenSSL (See README.md on how to generate a SSL certificate). */ #define keyCLIENT_CERTIFICATE_PEM \ "-----BEGIN CERTIFICATE-----\n"\ -"MIIB8TCCAZcCFHaomKL6yYn6sQ2VfnPohiGtvlnMMAoGCCqGSM49BAMCMHsxCzAJ\n"\ -"BgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2ExEjAQBgNVBAcMCUJlbmdhbHVy\n"\ -"dTELMAkGA1UECgwCQ1kxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSEwHwYDVQQDDBht\n"\ -"eXNlY3VyZWh0dHBzZXJ2ZXIubG9jYWwwHhcNMjMxMTIxMTMwNjM0WhcNMjYwODE3\n"\ -"MTMwNjM0WjB7MQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIwEAYD\n"\ -"VQQHDAlCZW5nYWx1cnUxCzAJBgNVBAoMAkNZMRQwEgYDVQQLDAtFbmdpbmVlcmlu\n"\ -"ZzEhMB8GA1UEAwwYbXlzZWN1cmVodHRwc2VydmVyLmxvY2FsMFkwEwYHKoZIzj0C\n"\ -"AQYIKoZIzj0DAQcDQgAE9BU5DVvlaRxYdFEsMT9n9G1W1WmcgV5BUWhHlDf3j6fB\n"\ -"NfflJo70CoFK1oiIRyZ3MNcBSM1Gpy4ocy2XHGYY7DAKBggqhkjOPQQDAgNIADBF\n"\ -"AiEAqlw9wDoeennPbPq33UdE7jPO08ExbqKTHfoieZ/YJG4CIGuDkXCbG2CakQQs\n"\ -"nat97T9G+MHENQfdwoeKNtb04ykj\n"\ +"Client certificate content"\ "-----END CERTIFICATE-----\n" -/* Private key of the HTTPS server. Copy from the HTTPS server key - * generated by OpenSSL (See Readme.md on how to create a private key). +/* Private key of the HTTPS client. Copy from the HTTPS client key + * generated by OpenSSL (See README.md on how to create a private key). */ #define keyCLIENT_PRIVATE_KEY_PEM \ "-----BEGIN EC PRIVATE KEY-----\n"\ -"MHcCAQEEIAEvwSmEMCRxJViwwgi4v+X7zcQCMsRil63729seUee6oAoGCCqGSM49\n"\ -"AwEHoUQDQgAE9BU5DVvlaRxYdFEsMT9n9G1W1WmcgV5BUWhHlDf3j6fBNfflJo70\n"\ -"CoFK1oiIRyZ3MNcBSM1Gpy4ocy2XHGYY7A==\n"\ +"Client private key content"\ "-----END EC PRIVATE KEY-----\n" /* HTTPS client certificate. In this example this is the RootCA * certificate so as to verify the HTTPS client's identity. 
*/ #define keySERVER_ROOTCA_PEM \ "-----BEGIN CERTIFICATE-----\n"\ -"MIICTDCCAfGgAwIBAgIUCHCMb+mwhjvIiw64Qb48kh3deVIwCgYIKoZIzj0EAwIw\n"\ -"ezELMAkGA1UEBhMCSU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmVu\n"\ -"Z2FsdXJ1MQswCQYDVQQKDAJDWTEUMBIGA1UECwwLRW5naW5lZXJpbmcxITAfBgNV\n"\ -"BAMMGG15c2VjdXJlaHR0cHNlcnZlci5sb2NhbDAeFw0yMzExMjExMzA2MzRaFw0y\n"\ -"MzEyMjExMzA2MzRaMHsxCzAJBgNVBAYTAklOMRIwEAYDVQQIDAlLYXJuYXRha2Ex\n"\ -"EjAQBgNVBAcMCUJlbmdhbHVydTELMAkGA1UECgwCQ1kxFDASBgNVBAsMC0VuZ2lu\n"\ -"ZWVyaW5nMSEwHwYDVQQDDBhteXNlY3VyZWh0dHBzZXJ2ZXIubG9jYWwwWTATBgcq\n"\ -"hkjOPQIBBggqhkjOPQMBBwNCAAS5m8ihXU4s3ITJzGnbKQsn+FBdcKqNbvPee6SG\n"\ -"m02AvQrqkAcWCufTZxuj+4FrkQEOq4nnH62xXRbIskL7YLVho1MwUTAdBgNVHQ4E\n"\ -"FgQU4IWkLF6QR1Kq1hfRPqm1teu747MwHwYDVR0jBBgwFoAU4IWkLF6QR1Kq1hfR\n"\ -"Pqm1teu747MwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEApARi\n"\ -"ZDKE0y33F5Aj8gO8jYKMcOAff+JMsRdqVpdz0BMCIQDq/aF4vYjInb6/ZxvjirR/\n"\ -"azSrWPfeFhvsSOtg4E0C3Q==\n"\ +"Root CA content"\ "-----END CERTIFICATE-----\n" #endif /* SECURE_KEYS_H_ */
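Review bot: The retained comment above `keySERVER_ROOTCA_PEM` still reads "HTTPS client certificate ... to verify the HTTPS client's identity", while the macro name and the new "Root CA content" placeholder indicate it holds the root CA used to verify the server; it should read something like `/* Root CA certificate. Used to verify the HTTPS server's identity. */`. The three new placeholder lines (`"Client certificate content"\` and the two like it) end without `\n`, so a user who replaces only the text gets a PEM string whose last base64 line runs into the `-----END` marker; a comment saying each pasted line must end in `\n` would prevent that. Because this tracked header now expects a real private key to be pasted in, a one-line warning not to commit the filled-in file belongs next to `keyCLIENT_PRIVATE_KEY_PEM`. The key pair removed by this hunk presumably remains in repository history and should be treated as disclosed.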