Hi there!
I'm in the process of updating our codebase from 2.4.0 to 2.6.4. We are using the nRF52840. My plan is to do this step-wise, following the migration guides for each major release. It seems that the mbedtls and crypto configurations have changed between versions. I am using Zephyr's CoAP library over DTLS, with openthread as my net layer.
When building my application, I am getting many warnings where some mbedtls functions are not being included (and there are subsequent errors when linking):
workspace/zephyr/subsys/net/lib/sockets/sockets_tls.c:663:15: warning: implicit declaration of function 'mbedtls_ssl_get_session'; did you mean 'mbedtls_ssl_get_version'? [-Wimplicit-function-declaration]
  663 |         ret = mbedtls_ssl_get_session(&context->ssl, &session);
      |               ^~~~~~~~~~~~~~~~~~~~~~~
      |               mbedtls_ssl_get_version
I have traced this issue down to the config MBEDTLS_SSL_CLI_C not being selected. I took a look at the Kconfig entry, and it lists the following:
Name: MBEDTLS_SSL_CLI_C
Prompt: Enable the SSL/TLS client code
Type: bool
Value: n
Help: This setting enables SSL/TLS client functionality. Corresponds to MBEDTLS_SSL_CLI_C in mbed TLS config file
Direct dependencies (=y):
  !(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n)) && NET_L2_OPENTHREAD(=y) (=y)
  || MBEDTLS_SSL_TLS_C(=n) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y) (=n)
Defaults:
  - n
  - y
I can see that this symbol's value is 'n', due to MBEDTLS_SSL_TLS_C being 'n' selected. Let's take a look at its entry:
Name: MBEDTLS_SSL_TLS_C
Type: bool
Value: n
Help: Corresponds to MBEDTLS_SSL_TLS_C in mbed TLS config file
Direct dependencies (=y):
  !(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n)) && NET_L2_OPENTHREAD(=y) (=y)
  || MBEDTLS_CIPHER_C(=y) && MBEDTLS_MD_C(=y) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y) (=y)
Defaults:
  - n
  - y
Symbols currently n-selecting this symbol (no effect):
  - WPA_SUPP_CRYPTO_PSA

Kconfig definitions, with parent deps. propagated to 'depends on'
=================================================================

At /home/nealjack/git/speck-workspace/nrf/subsys/net/openthread/Kconfig.defconfig:208
Included via /home/nealjack/git/speck-workspace/speck-software/app/speck_coap/Kconfig:10 -> Kconfig.zephyr:41 -> modules/Kconfig:
Menu path: (Top) -> Zephyr -> Modules -> nrf (/home/nealjack/git/speck-workspace/nrf)

config MBEDTLS_SSL_TLS_C
	bool
	default n
	depends on !(OPENTHREAD_JOINER(=n) || OPENTHREAD_COMMISSIONER(=n) || OPENTHREAD_COAPS(=n)) && NET_L2_OPENTHREAD(=y)

At /home/nealjack/git/speck-workspace/nrf/subsys/nrf_security/Kconfig.tls:100
Included via /home/nealjack/git/speck-workspace/speck-software/app/speck_coap/Kconfig:10 -> Kconfig.zephyr:41 -> modules/Kconfig:
Menu path: (Top) -> Zephyr -> Modules -> nrf (/home/nealjack/git/speck-workspace/nrf) -> Nordic nRF Connect -> Subsystems -> nRF

config MBEDTLS_SSL_TLS_C
	bool
	default y
	depends on MBEDTLS_CIPHER_C(=y) && MBEDTLS_MD_C(=y) && MBEDTLS_TLS_LIBRARY(=y) && NRF_SECURITY(=y)
	help
	  Corresponds to MBEDTLS_SSL_TLS_C in mbed TLS config file
Now this one has all its dependencies fulfilled, but it also says 'WPA_SUPP_CRYPTO_PSA' is n-selecting this symbol with no effect. This seems like a red herring.
Looking into WPA_SUPP_CRYPTO_PSA, it seems like it is the only symbol that selects MBEDTLS_SSL_TLS_C. grepping for "select MBEDTLS_SSL_TLS_C" yields "nrf/modules/hostap/Kconfig" where WPA_SUPP_CRYPTO_PSA is defined.
I have tried looking into WPA_SUPP_CRYPTO_PSA but I am not using WiFi and I have not configured it in any way. I can also not figure out the dependency between these two symbols and why it is causing MBEDTLS_SSL_TLS_C to be n-selected. WPA_SUPP_CRYPTO_PSA is not listed as a dependency for MBEDTLS_SSL_TLS_C.
I can't manually include CONFIG_MBEDTLS_SSL_TLS_C in my project config, as it "is not directly user-configurable (has no prompt)".
How can I get this variable, and subsequently MBEDTLS_SSL_CLI_C to be y-selected?
My old, 2.4.0 working configuration is as follows:
# Enable nordic security backend and PSA APIs
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
CONFIG_MBEDTLS_HEAP_SIZE=40000
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PKCS1_V15=y
CONFIG_MBEDTLS_SSL_DEBUG_ALL=y
CONFIG_MBEDTLS_LOG_LEVEL_DBG=y
#CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048
#CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
#CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
My current mbedtls configuration is as follows, based on the psa_tls example:
# Select Zephyr mbedtls
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_TLS_LIBRARY=y
#CONFIG_MBEDTLS_SSL_TLS_C=y
CONFIG_MBEDTLS_TLS_VERSION_1_2=y
CONFIG_MBEDTLS_SSL_DTLS_CONNECTION_ID=y

# Special MbedTLS changes
CONFIG_MBEDTLS_ENABLE_HEAP=y
CONFIG_MBEDTLS_HEAP_SIZE=8192
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=1500
CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y
CONFIG_PSA_CRYPTO_DRIVER_CC3XX=y
CONFIG_PSA_CRYPTO_DRIVER_OBERON=n

# Disable RSA, we don't parse certs: saves flash/memory
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=n
# Enable PSK instead
CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y
I have tried removing the MBEDTLS_SSL_TLS_C from MBEDTLS_SSL_CLI_C in the Kconfig, and y-selecting MBEDTLS_SSL_CLI_C manually just to see what would happen. I get the same warnings.
Any hints on how to properly navigate the nRF security/crypto configurations and enable SSL/DTLS for a project?
Thanks!
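Added example, not part of the post above and not a file from Nordic or Zephyr. The menuconfig dump quoted in the post explains the 'n' value without any n-select being involved: MBEDTLS_SSL_TLS_C is defined twice, the first definition (nrf/subsys/net/openthread/Kconfig.defconfig) carries `default n` whose condition holds as long as NET_L2_OPENTHREAD=y and none of OPENTHREAD_JOINER, OPENTHREAD_COMMISSIONER or OPENTHREAD_COAPS is enabled, and Kconfig takes the first default whose condition is satisfied, so the `default y` from nrf_security/Kconfig.tls never applies. The standard Zephyr way to force a promptless symbol on from an application is to `select` it from a symbol defined in the application's own Kconfig, which the dump shows already exists (speck_coap/Kconfig, sourcing Kconfig.zephyr on line 10). The symbol name APP_DTLS_CLIENT and the menu title are assumptions for illustration:

```kconfig
# speck_coap/Kconfig (assumed layout; example only, not the project's file).
# 'select' sets a promptless symbol to y even when its own 'default n'
# applies. Kconfig does NOT check the selected symbol's 'depends on', so the
# real prerequisites seen in the dump are repeated on the selecting symbol.

menu "speck_coap options"

config APP_DTLS_CLIENT
	bool "Enable the mbed TLS core and client code for DTLS over OpenThread"
	default y
	depends on NET_L2_OPENTHREAD
	depends on MBEDTLS_TLS_LIBRARY && NRF_SECURITY
	depends on MBEDTLS_CIPHER_C && MBEDTLS_MD_C
	select MBEDTLS_SSL_TLS_C
	select MBEDTLS_SSL_CLI_C
	help
	  Zephyr's sockets_tls.c needs mbedtls_ssl_get_session() and the rest of
	  the TLS client API, which only get compiled in when MBEDTLS_SSL_TLS_C
	  and MBEDTLS_SSL_CLI_C are y. The OpenThread defconfig defaults
	  MBEDTLS_SSL_TLS_C to n unless an OpenThread feature that needs it
	  (joiner, commissioner or OpenThread's own CoAPS) is enabled.

endmenu

# Must stay last so all Zephyr/nRF symbols are visible to the 'select's above.
source "Kconfig.zephyr"
```

After a clean rebuild, check the effective values rather than the warnings: `grep -E 'CONFIG_MBEDTLS_SSL_(TLS|CLI)_C' build/zephyr/.config` should show both `=y`. The other route the dump implies, enabling one of the OpenThread features named in the defconfig condition, would also make the nrf_security `default y` take effect, but it pulls in OpenThread code the application does not otherwise ask for, so the application-level `select` keeps the change local and explicit.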