• State Not Answered
  • Replies 6 replies
  • Subscribers 64 subscribers
  • Views 1337 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 303739
Options

MbedTLS configuration/socket issue. Migrating from 1.8.0->2.2.0 nRF Connect

dimitrois

Hi,

I am trying to migrate the existing application for the custom nrf9160 board.

It is based on nRF Connect SDKv1.8.0 and we need to migrate to v2.2.0.

I have resolved all conflicts (a legion of those) except for the issue with MbedTLS configuration.

Old version was using SPM and the new version is using TFM, which requires NRF Security + there are substantial changes to MbedTLS configuration, so I can't use the existing configuration "as is".

We use POSIX TLS sockets and from what I could see, configuration of those has not changed much . connect() fails with various error codes (depending on the MbedTLS configuration). I have spent a few days on it now but still can't figure out what I need to change - not the easiest thing to work with in nRF Connect SDK.

We use a PEM cert (RSA) to authenticate with the server. The best, I was able to achieve so far, is the -2700 (MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) error from net_sock_tls when trying to connect.

Config from application with 1.8.0:

# Network
CONFIG_NETWORKING=y
CONFIG_NET_OFFLOAD=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS_OFFLOAD_TLS=n
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

# MbedTLS
CONFIG_MBEDTLS=y
CONFIG_MBEDTLS_BUILTIN=y
CONFIG_MBEDTLS_USER_CONFIG_ENABLE=y
CONFIG_MBEDTLS_USER_CONFIG_FILE="_mbedtls_user_config.h"
CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=8192

## Feature Options
CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT=y
CONFIG_MBEDTLS_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_ECDSA_DETERMINISTIC=y
CONFIG_MBEDTLS_HMAC_DRBG_ENABLED=y
CONFIG_MBEDTLS_MAC_SHA512_ENABLED=y

## Key exchanges
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED=y
CONFIG_MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED=y

## Ciphers
CONFIG_MBEDTLS_CIPHER_GCM_ENABLED=y
CONFIG_MBEDTLS_CIPHER_CAMELLIA_ENABLED=y
CONFIG_MBEDTLS_CIPHER_AES_ENABLED=y
CONFIG_MBEDTLS_CIPHER_CCM_ENABLED=y

## Elliptic curves
###For  ECC508
CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED=y
CONFIG_MBEDTLS_ECP_NIST_OPTIM=y

Contents of _mbedtls_user_config.h:

define MBEDTLS_ECDH_GEN_PUBLIC_ALT
#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
#define MBEDTLS_ECDSA_SIGN_ALT
#define MBEDTLS_ECDSA_VERIFY_ALT
#define MBEDTLS_PEM_WRITE_C
#define MBEDTLS_X509_CRL_PARSE_C
#define MBEDTLS_X509_CSR_PARSE_C

#define MBEDTLS_SSL_RENEGOTIATION
#define MBEDTLS_SSL_SESSION_TICKETS

Config from application with 2.2.0 (what I'm currently trying to use):

# Network
CONFIG_NETWORKING=y
CONFIG_NET_IPV6=n
CONFIG_NET_IPV4=y
CONFIG_NET_OFFLOAD=y
CONFIG_NET_SOCKETS=y
CONFIG_NET_SOCKETS_OFFLOAD=y
CONFIG_NET_SOCKETS_POSIX_NAMES=y
CONFIG_NET_SOCKETS_SOCKOPT_TLS=y

#TFM
CONFIG_BUILD_WITH_TFM=y
CONFIG_TFM_PROFILE_TYPE_MINIMAL=y

# MbedTLS
CONFIG_MBEDTLS=y
CONFIG_NRF_SECURITY_ADVANCED=y
CONFIG_NORDIC_SECURITY_BACKEND=y
CONFIG_CUSTOM_MBEDTLS_CFG_FILE=y
CONFIG_MBEDTLS_USER_CONFIG_FILE="_mbedtls_user_config.h"
CONFIG_MBEDTLS_TLS_LIBRARY=y
CONFIG_MBEDTLS_SSL_RENEGOTIATION=y
CONFIG_MBEDTLS_SSL_SESSION_TICKETS=y
CONFIG_MBEDTLS_SSL_SERVER_NAME_INDICATION=y
CONFIG_MBEDTLS_SSL_IN_CONTENT_LEN=16384
CONFIG_MBEDTLS_SSL_OUT_CONTENT_LEN=16384
CONFIG_MBEDTLS_X509_LIBRARY=y
CONFIG_MBEDTLS_PKCS1_V15=y

CONFIG_MBEDTLS_RSA_C=y
CONFIG_MBEDTLS_GCM_C=y
CONFIG_MBEDTLS_DHM_C=y
CONFIG_PSA_WANT_ALG_CTR_DRBG=y
CONFIG_PSA_WANT_ALG_CCM=y
CONFIG_PSA_WANT_ALG_GCM=y
CONFIG_PSA_WANT_ALG_ECDH=y
CONFIG_PSA_WANT_ALG_ECDSA=y
CONFIG_PSA_WANT_ALG_DETERMINISTIC_ECDSA=y
CONFIG_PSA_WANT_ALG_CTR_DRBG=y
CONFIG_PSA_WANT_ALG_SHA_1=y
CONFIG_PSA_WANT_ALG_SHA_224=y
CONFIG_PSA_WANT_ALG_SHA_256=y
CONFIG_PSA_WANT_ALG_SHA_512=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_CRYPT=y
CONFIG_PSA_WANT_ALG_RSA_PKCS1V15_SIGN=y
CONFIG_PSA_WANT_ECC_SECP_R1_256=y

Contents of _mbedtls_user_config.h:

#undef MBEDTLS_MPI_MAX_SIZE
#define MBEDTLS_ECDSA_DETERMINISTIC

#define MBEDTLS_DEPRECATED_WARNING
#define MBEDTLS_ECDH_GEN_PUBLIC_ALT
#define MBEDTLS_ECDH_COMPUTE_SHARED_ALT
#define MBEDTLS_ECDSA_SIGN_ALT
#define MBEDTLS_ECDSA_VERIFY_ALT

In addition to the above, almost all settings from generic mbedtls_config.h. That

is probably overkill but without these additional settings, cert parsing fails and the socket fails with -EINVAL (result of INVALID_PUBLIC_KEY error from parsing). Also,

I #undef MPI_MAX_SIZE as nRF Connect sets it to a default of 256 and mbedtls_mpi_size() in rsa.c fails for 512 (256<512).

MBEDTLS_MPI_MAX_SIZE is defined as 1024 in bignum.h but is guarded by if #!defined, so 256 value is used.

Also PEM_CERTIFICATE_SUPPORT option can't be enabled with TFM/nRF Security.

I am not an expert in MbedTLS and the major pain for me is that I can't use the original "legacy" MbedTLS settings.

I did read nRF Connect documentation related to the Security module and looked at nRF/Zephyr samples but that 

did not help unfortunately.

Any help with the above will be very much appreciated as I think I have tried almost all possible configurations at this stage and I am out of ideas.

Also, is there any civilized way of getting detailed logs from MbedTLS/sockets?

I have added a swarm of printf's but commenting/uncommenting them is not very convenient.

( I did enable MBEDTLS_DEBUG_LEVEL_C in config and set the level to 4 but the output of that was NIL.)

Related