MBEDTLS configuration on NCS 2.6.4 for DTLS over Openthread

Hi there!

I'm in the process of updating our codebase from 2.4.0 to 2.6.4. We are using the nRF52840. My plan is to do this step-wise, following the migration guides for each major release. It seems that the mbedtls and crypto configurations have changed between versions. I am using Zephyr's CoAP library over DTLS, with openthread as my net layer.

When building my application, I am getting many warnings where some mbedtls functions are not being included (and there are subsequent errors when linking):

workspace/zephyr/subsys/net/lib/sockets/sockets_tls.c:663:15: warning: implicit declaration of function 'mbedtls_ssl_get_session'; did you mean 'mbedtls_ssl_get_version'? [-Wimplicit-function-declaration]
  663 |         ret = mbedtls_ssl_get_session(&context->ssl, &session);
      |               ^~~~~~~~~~~~~~~~~~~~~~~
      |               mbedtls_ssl_get_version

I have traced this issue down to the config MBEDTLS_SSL_CLI_C not being selected. I took a look at the Kconfig entry, and it lists the following:

Name: MBEDTLS_SSL_CLI_C
Prompt: Enable the SSL/TLS client code
Type: bool
Value: n

Help:

  This setting enables SSL/TLS client functionality.
  Corresponds to MBEDTLS_SSL_CLI_C in mbed TLS config file

Direct dependencies (=y):
     !(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n)) && NET_L2_OPENTHREAD(=y)  (=y)
  || MBEDTLS_SSL_TLS_C(=n) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y)  (=n)

Defaults:
  - n
  - y


I can see that this symbol's value is 'n', due to MBEDTLS_SSL_TLS_C being 'n' selected. Let's take a look at its entry:

Name: MBEDTLS_SSL_TLS_C
Type: bool
Value: n

Help:

  Corresponds to MBEDTLS_SSL_TLS_C in mbed TLS config file

Direct dependencies (=y):
     !(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n)) && NET_L2_OPENTHREAD(=y)  (=y)
  || MBEDTLS_CIPHER_C(=y) && MBEDTLS_MD_C(=y) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y)  (=y)

Defaults:
  - n
  - y

Symbols currently n-selecting this symbol (no effect):
  - WPA_SUPP_CRYPTO_PSA

Kconfig definitions, with parent deps. propagated to 'depends on'
=================================================================

At /home/nealjack/git/speck-workspace/nrf/subsys/net/openthread/Kconfig.defconfig:208
Included via /home/nealjack/git/speck-workspace/speck-software/app/speck_coap/Kconfig:10 -> Kconfig.zephyr:41 -> modules/Kconfig:
Menu path: (Top) -> Zephyr -> Modules -> nrf (/home/nealjack/git/speck-workspace/nrf)

  config MBEDTLS_SSL_TLS_C
        bool
        default n
        depends on !(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n)) && NET_L2_OPENTHREAD(=y)

At /home/nealjack/git/speck-workspace/nrf/subsys/nrf_security/Kconfig.tls:100
Included via /home/nealjack/git/speck-workspace/speck-software/app/speck_coap/Kconfig:10 -> Kconfig.zephyr:41 -> modules/Kconfig:
Menu path: (Top) -> Zephyr -> Modules -> nrf (/home/nealjack/git/speck-workspace/nrf) -> Nordic nRF Connect -> Subsystems -> nRF

  config MBEDTLS_SSL_TLS_C
        bool
        default y
        depends on MBEDTLS_CIPHER_C(=y) && MBEDTLS_MD_C(=y) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y)
        help
          Corresponds to MBEDTLS_SSL_TLS_C in mbed TLS config file

Now this one has all its dependencies fulfilled, but it also says 'WPA_SUPP_CRYPTO_PSA' is n-selecting this symbol with no effect. This seems like a red herring.

Looking into WPA_SUPP_CRYPTO_PSA, it seems like it is the only symbol that selects MBEDTLS_SSL_TLS_C. Grepping for "select MBEDTLS_SSL_TLS_C" yields "nrf/modules/hostap/Kconfig" where WPA_SUPP_CRYPTO_PSA is defined.

I have tried looking into WPA_SUPP_CRYPTO_PSA but I am not using WiFi and I have not configured it in any way. I can also not figure out the dependency between these two symbols and why it is causing MBEDTLS_SSL_TLS_C to be n-selected. WPA_SUPP_CRYPTO_PSA is not listed as a dependency for MBEDTLS_SSL_TLS_C.

I can't manually include CONFIG_MBEDTLS_SSL_TLS_C in my project config, as it "is not directly user-configurable (has no prompt)".

How can I get this variable, and subsequently MBEDTLS_SSL_CLI_C to be y-selected?

My old, 2.4.0 working configuration is as follows:

# Enable nordic security backend and PSA APIs
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
CONFIG_MBEDTLS_HEAP_SIZE=40000
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
#CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
#CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
#CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y

My current mbedtls configuration is as follows, based on the psa_tls example:

# Select Zephyr mbedtls
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
#CONFIG_MBEDTLS_SSL_TLS_C=y
CONFIG_MBEDTLS_TLS_VERSION_1_2=y
CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID=y

# Special MbedTLS changes
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1500
CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y

CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n

# Disable RSA, we don't parse certs: saves flash/memory
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
# Enable PSK instead
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y

I have tried removing the MBEDTLS_SSL_TLS_C from MBEDTLS_SSL_CLI_C in the Kconfig, and y-selecting MBEDTLS_SSL_CLI_C manually just to see what would happen. I get the same warnings.

Any hints on how to properly navigate the nRF security/crypto configurations and enable SSL/DTLS for a project?

Thanks!
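Added example (not from the poster or the nRF Connect SDK): a small evaluator for the two MBEDTLS_SSL_TLS_C definitions quoted in the report above. Kconfig applies the first `default` whose condition holds, so the openthread Kconfig.defconfig entry (listed first, `default n`, with its `depends on` evaluating to y) supplies the value before the nrf_security entry is considered; the symbol values in SYMBOLS are copied from the (=y)/(=n) annotations in the report and the paths are the ones printed there.

```python
import re

# Symbol values taken from the (=y)/(=n) annotations in the Kconfig report quoted
# in the post (a constructed table, not read from a real build).
SYMBOLS = {"OPENTHREAD_JOINER": False, "OPENTHREAD_COMMISSIONER": False,
           "OPENTHREAD_COAPS": False, "NET_L2_OPENTHREAD": True, "MBEDTLS_CIPHER_C": True,
           "MBEDTLS_MD_C": True, "MBEDTLS_TLS_LIBRARY": True, "NRF_SECURITY": True}
# The two definition sites of MBEDTLS_SSL_TLS_C in Kconfig parse order:
# (location, default value, 'depends on' expression as printed by the tooling).
DEFINITIONS = [
    ("nrf/subsys/net/openthread/Kconfig.defconfig:208", False,
     "!(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n))"
     " && NET_L2_OPENTHREAD(=y)"),
    ("nrf/subsys/nrf_security/Kconfig.tls:100", True,
     "MBEDTLS_CIPHER_C(=y) && MBEDTLS_MD_C(=y) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y)"),
]

def eval_depends(expr, symbols):
    """Evaluate a Kconfig bool expression (!, &&, ||, parentheses) over bool symbols;
    the (=y)/(=n) annotations are stripped and unknown symbols count as n."""
    toks = re.findall(r"\(|\)|!|&&|\|\||\w+", re.sub(r"\(=[yn]\)", "", expr))
    def parse_or():                       # '||' binds loosest
        val = parse_and()
        while toks and toks[0] == "||":
            toks.pop(0)
            val = parse_and() or val      # always parse the right operand
        return val
    def parse_and():
        val = parse_not()
        while toks and toks[0] == "&&":
            toks.pop(0)
            val = parse_not() and val
        return val
    def parse_not():                      # '!' and atoms bind tightest
        tok = toks.pop(0)
        if tok == "!":
            return not parse_not()
        if tok == "(":
            val = parse_or()
            assert toks.pop(0) == ")", "unbalanced parentheses in " + expr
            return val
        return symbols.get(tok, False)
    return parse_or()

def resolve_default(definitions, symbols):
    """Kconfig applies the first 'default' whose condition holds, so return the value
    and the definition site of the first entry whose 'depends on' evaluates to y."""
    for location, default, depends in definitions:
        if eval_depends(depends, symbols):
            return default, location
    return False, None                    # nothing applies: the symbol stays n
```

Running `resolve_default(DEFINITIONS, SYMBOLS)` reports the openthread defconfig entry as the source of the `n`, which is why the nrf_security `default y` never takes effect; flipping one of the three OPENTHREAD symbols in the table makes the first condition false and the second entry apply instead.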
