From abc22b780fbe3db5273e3f9c59ed01e2427f0725 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 18 Mar 2019 12:39:49 +0000 Subject: [PATCH] Add baremetal configuration to `configs` folder This commit adds a minimal test configuration `baremetal.h` to the `configs` folder supporting ECDHE-ECDSA-AES-CCM-8 with Secp256R1 and SHA-256 only. The configuration lacks some options which are currently needed to successfully build and run the example applications `ssl_client2` and `ssl_server2`, such as `MBEDTLS_NET_C`. To still allow testing a configuration close to `baremetal.h`, the commit also adds `baremetal_test.h`, containing minimal amendments to `baremetal.h` that allow building and running `ssl_client2` and `ssl_server2`. --- configs/baremetal.h | 113 +++++++++++++++++++++++++++++++++++++++ configs/baremetal_test.h | 57 ++++++++++++++++++++ 2 files changed, 170 insertions(+) create mode 100644 configs/baremetal.h create mode 100644 configs/baremetal_test.h diff --git a/configs/baremetal.h b/configs/baremetal.h new file mode 100644 index 000000000..6b41e765f --- /dev/null +++ b/configs/baremetal.h @@ -0,0 +1,113 @@ +/** + * \file baremetal.h + * + * \brief Test configuration for minimal baremetal Mbed TLS builds + * based on the following primitives: + * - ECDHE-ECDSA only + * - Elliptic curve SECP256R1 only + * - SHA-256 only + * - AES-CCM-8 only + * + * The library compiles in this configuration, but the example + * programs `ssl_client2` and `ssl_server2` require the + * modifications from `baremetal_test.h`. + */ +/* + * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef MBEDTLS_BAREMETAL_CONFIG_H +#define MBEDTLS_BAREMETAL_CONFIG_H + +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_HAVE_TIME_DATE + +/* Symmetric crypto: AES-CCM only */ +#define MBEDTLS_CIPHER_C +#define MBEDTLS_AES_C +#define MBEDTLS_AES_ROM_TABLES +#define MBEDTLS_AES_FEWER_TABLES +#define MBEDTLS_CCM_C + +/* Asymmetric crypto: Single-curve ECC only. */ +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PK_WRITE_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM +#define MBEDTLS_ECDSA_DETERMINISTIC + +/* Key exchanges */ +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 + +/* Digests - just SHA-256 */ +#define MBEDTLS_MD_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA256_SMALLER + +/* TLS options */ +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_EXTENDED_MASTER_SECRET +#define MBEDTLS_SSL_SESSION_TICKETS +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_PROTO_DTLS /* TODO: Unset TLS one possible. */ +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +#define MBEDTLS_SSL_DTLS_BADMAC_LIMIT + +/* X.509 CRT parsing */ +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_X509_CHECK_KEY_USAGE +#define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE +#define MBEDTLS_ASN1_PARSE_C + +/* X.509 CSR writing */ +#define MBEDTLS_X509_CSR_WRITE_C +#define MBEDTLS_X509_CREATE_C +#define MBEDTLS_ASN1_WRITE_C + +/* RNG and PRNG */ +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_HMAC_DRBG_C + +#define MBEDTLS_OID_C +#define MBEDTLS_PLATFORM_C + +/* I/O buffer configuration */ +#define MBEDTLS_SSL_MAX_CONTENT_LEN 2048 + +/* Server-side only */ +#define MBEDTLS_SSL_TICKET_C +#define MBEDTLS_SSL_SRV_C + +#if defined(MBEDTLS_USER_CONFIG_FILE) +#include MBEDTLS_USER_CONFIG_FILE +#endif + +#include + +#endif /* MBEDTLS_BAREMETAL_CONFIG_H */ diff --git a/configs/baremetal_test.h b/configs/baremetal_test.h new file mode 100644 index 000000000..4b51212c4 --- /dev/null +++ b/configs/baremetal_test.h @@ -0,0 +1,57 @@ +/** + * \file baremetal_test.h + * + * \brief This file contains minimal modifications to the + * baremetal configuration `baremetal.h` which allows + * example programs to compile and run. + * + * It should be used as the `MBEDTLS_USER_CONFIG_FILE` + * in builds using `baremetal.h`. + */ +/* + * Copyright (C) 2006-2018, ARM Limited, All Rights Reserved + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + * + * This file is part of mbed TLS (https://tls.mbed.org) + */ + +#ifndef MBEDTLS_BAREMETAL_USER_CONFIG_H +#define MBEDTLS_BAREMETAL_USER_CONFIG_H + +/* We need test CRTs to be able to run ssl_client2 and ssl_server2. */ +#define MBEDTLS_CERTS_C +/* For the network context used by ssl_client2 and ssl_server2. */ +#define MBEDTLS_NET_C +/* Debug output */ +#define MBEDTLS_DEBUG_C + +/* We don't have DER-encoded test CRTs yet. */ +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_BASE64_C +/* We don't have Secp256r1 test CRTs at the moment. */ +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED + +/* ssl_client2 and ssl_server2 use CTR-DRBG so far. */ +#define MBEDTLS_CTR_DRBG_C + +/* The ticket implementation hardcodes AES-GCM */ +#define MBEDTLS_GCM_C + +/* Use Mbed TLS' timer implementation for Linux. */ +#define MBEDTLS_TIMING_C + +#undef MBEDTLS_NO_PLATFORM_ENTROPY + +#endif /* MBEDTLS_BAREMETAL_USER_CONFIG_H */