mbedtls: add specific option for X.509 certificate parsing

Instead of enabling MBEDTLS_X509_CRT_PARSE_C indirectly based on ciphersuites that rely on certificates, create a specific kconfig option to 1:1 map this build build symbol. Other advantages of this change are that: - inter symbol dependency is moved out of the config-mbedtls.h header file and into the Kconfig.tls one; - it is possible to enable certificate parsing without necessarily enable some key exchange that use it. Signed-off-by: Valerio Setti <vsetti@baylibre.com>
zephyrproject-rtos · Sep 30, 2024 · 58a0a95 · 58a0a95
1 parent b1ab664
commit 58a0a95
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 33 deletions.
diff --git a/modules/mbedtls/Kconfig.crypto b/modules/mbedtls/Kconfig.crypto
@@ -380,12 +380,6 @@ endmenu # PSA crypto core
 config MBEDTLS_HKDF_C
 	bool "HMAC-based Extract-and-Expand Key Derivation Function"
 
-config MBEDTLS_PEM_CERTIFICATE_FORMAT
-	bool "Support for PEM certificate format"
-	help
-	  By default only DER (binary) format of certificates is supported. Enable
-	  this option to enable support for PEM format.
-
 config MBEDTLS_HAVE_ASM
 	bool "Use of assembly code"
 	default y if !ARM

diff --git a/modules/mbedtls/Kconfig.tls b/modules/mbedtls/Kconfig.tls
@@ -62,6 +62,7 @@ config MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
 	bool "RSA-PSK based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	imply MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V15 if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V21 if !PSA_CRYPTO_CLIENT
@@ -77,6 +78,7 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 	bool "RSA-only based ciphersuite modes"
 	default y if UOSCORE || UEDHOC
 	select MBEDTLS_MD
+	select MBEDTLS_X509_CRT_PARSE_C
 	select PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT if PSA_CRYPTO_CLIENT
 	select PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT if PSA_CRYPTO_CLIENT
@@ -87,30 +89,35 @@ config MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
 
 config MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
 	bool "DHE-RSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	imply MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V15 if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V21 if !PSA_CRYPTO_CLIENT
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
 	bool "ECDHE-RSA based ciphersuite modes"
 	depends on MBEDTLS_ECDH_C
+	select MBEDTLS_X509_CRT_PARSE_C
 	imply MBEDTLS_RSA_C if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V15 if !PSA_CRYPTO_CLIENT
 	imply MBEDTLS_PKCS1_V21 if !PSA_CRYPTO_CLIENT
 
 config MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 	bool "ECDHE-ECDSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	depends on MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
 	bool "ECDH-ECDSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	depends on (MBEDTLS_ECDH_C && MBEDTLS_ECDSA_C) || (PSA_WANT_ALG_ECDH && PSA_WANT_ALG_ECDSA)
 
 config MBEDTLS_ECDSA_DETERMINISTIC
 	bool "Deterministic ECDSA (RFC 6979)"
 
 config MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
 	bool "ECDH-RSA based ciphersuite modes"
+	select MBEDTLS_X509_CRT_PARSE_C
 	depends on MBEDTLS_ECDH_C
 
 config MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -124,19 +131,20 @@ config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
 
 config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
 	bool "TLS 1.3 ephemeral key exchange mode"
+	select MBEDTLS_X509_CRT_PARSE_C
 
 config MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
 	bool "TLS 1.3 PSK ephemeral key exchange mode"
 
 endif # MBEDTLS_TLS_VERSION_1_3
 
-endmenu # Key exchanges
+endmenu # Ciphersuites
 
 config MBEDTLS_SERVER_NAME_INDICATION
 	bool "Support for RFC 6066 server name indication (SNI) in SSL"
+	depends on MBEDTLS_X509_CRT_PARSE_C
 	help
 	  Enable this to support RFC 6066 server name indication (SNI) in SSL.
-	  This requires that MBEDTLS_X509_CRT_PARSE_C is also set.
 
 config MBEDTLS_SSL_CACHE_C
 	bool "SSL session cache support"
@@ -190,21 +198,25 @@ endmenu # TLS
 menu "X.509"
 
 config MBEDTLS_X509_CRL_PARSE_C
-	bool "X.509 CRL parsing"
-	help
-	  Used by X.509 CRL parsing
+	bool "X.509 Certificate Revocation List parsing"
 
 config MBEDTLS_X509_CSR_WRITE_C
 	bool "X.509 Certificate Signing Requests writing"
-	help
-	  For X.509 certificate request writing.
 
 config MBEDTLS_X509_CSR_PARSE_C
 	bool "X.509 Certificate Signing Request parsing"
-	help
-	  For reading X.509 certificate request.
+
+config MBEDTLS_X509_CRT_PARSE_C
+	bool "X.509 certificate parsing"
 
 config MBEDTLS_X509_CRT_WRITE_C
 	bool "X.509 certificate creation"
 
+config MBEDTLS_PEM_CERTIFICATE_FORMAT
+	bool "Support for PEM certificate format"
+	depends on MBEDTLS_X509_CRT_PARSE_C
+	help
+	  By default only DER (binary) format of certificates is supported. Enable
+	  this option to enable support for PEM format.
+
 endmenu # X.509
diff --git a/modules/mbedtls/configs/config-mbedtls.h b/modules/mbedtls/configs/config-mbedtls.h
@@ -456,27 +456,11 @@
 #define MBEDTLS_PKCS1_V21
 #endif
 
-/* Automatic dependencies */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
-#define MBEDTLS_DHM_C
-#endif
-
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
-	defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
-	defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
+#if defined(CONFIG_MBEDTLS_X509_CRT_PARSE_C)
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_USE_C
 #endif
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-
 #if defined(CONFIG_MBEDTLS_PEM_CERTIFICATE_FORMAT)
 #define MBEDTLS_PEM_PARSE_C
 #define MBEDTLS_PEM_WRITE_C
@@ -487,7 +471,12 @@
 #define MBEDTLS_SSL_SERVER_NAME_INDICATION
 #endif
 
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+/* Automatic dependencies */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
+	defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
+#define MBEDTLS_DHM_C
+#endif
 
 #if defined(MBEDTLS_DHM_C) || \
 	defined(MBEDTLS_ECP_C) || \