Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Migrate Mbed TLS to v3.5.2 #2989

Merged
merged 1 commit into from
Jul 29, 2024
Merged

Conversation

josesimoes
Copy link
Member

@josesimoes josesimoes commented Jul 26, 2024

Description

  • Update CMake as required.
  • Rework code related with Mbed TLS. Remove deprecated calls and configs.
  • Update Mbed TLS common config to add TLS1.3 and remove deprecated options and cyphers.
  • Port configs to ESP32 sdkconfig.
  • Adjust several TLS configs in ESP32 sdkconfig to disable unused features and align with main config.
  • Increase stack of CLR task for STM32 network targets.
  • Update declaration of Sys.Network assembly.
  • Remove check for app setting SslProtocols_None as that's the recomended approach from .NET to allow the OS to chose the best version to use.
  • Update SslProtocols enum.
  • Bump dev containers versions.
  • Bump fw version to 1.11.
  • Update AZDO yamls accordingly.

⚠️ There is no more support for TLS1.0 and TLS1.1.

Motivation and Context

How Has This Been Tested?

  • Running TSL samples from samples repo in several STM32 and ESP32 devices.

Screenshots

Types of changes

  • Improvement (non-breaking change that improves a feature, code or algorithm)
  • Bug fix (non-breaking change which fixes an issue with code or algorithm)
  • New feature (non-breaking change which adds functionality to code)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Config and build (change in the configuration and build system, has no impact on code or features)
  • Dev Containers (changes related with Dev Containers, has no impact on code or features)
  • Dependencies/declarations (update dependencies or assembly declarations and changes associated, has no impact on code or features)
  • Documentation (changes or updates in the documentation, has no impact on code or features)

Checklist

  • My code follows the code style of this project (only if there are changes in source code).
  • My changes require an update to the documentation (there are changes that require the docs website to be updated).
  • I have updated the documentation accordingly (the changes require an update on the docs in this repo).
  • I have read the CONTRIBUTING document.
  • I have tested everything locally and all new and existing tests passed (only if there are changes in source code).

Summary by CodeRabbit

Summary by CodeRabbit

  • New Features

    • Enhanced support for TLS 1.3 and session tickets across multiple platforms.
    • Introduction of a new function for improved random number generation in secure operations.
  • Improvements

    • Updates to Mbed TLS library version to include new features and security enhancements.
    • Increased stack size for CLRStartupThread to handle more extensive operations.
  • Bug Fixes

    • Adjustments to configuration settings to improve overall performance and security.
  • Documentation

    • Updated versioning schemes in build configuration files for clarity.

Copy link

coderabbitai bot commented Jul 26, 2024

Walkthrough

The recent updates involve significant upgrades to Dockerfiles, CMake configurations, and SDK settings across multiple development environments. Key changes include updating base images and the MbedTLS library version to enhance functionality, security, and performance. Configuration files have also been refined to support advanced features like TLS 1.3, ensuring a more efficient and secure development and deployment experience.

Changes

Files Change Summary
.devcontainer/.../Dockerfile.* Updated base image versions and MbedTLS library from 2.28.5 to 3.5.2, introducing potential improvements.
CMake/binutils.*.cmake Enhanced MbedTLS configurations with updated compile definitions and improved dependency management.
azure-pipelines*.yml Updated versioning from 1_10_0 to 1_11_0 for multiple jobs, reflecting a new release cycle.
src/DeviceInterfaces/System.Net/... Modified assembly versioning and relocated SslProtocols enum for better organization.
src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h Updated settings to support modern security features, including TLS 1.3 and disabled deprecated ciphers.
targets/ESP32/_IDF/sdkconfig.default* Adjusted settings to enable TLS 1.3 and session tickets while disabling XTEA cipher support and CSR parsing.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Server
    participant MbedTLS

    Client->>MbedTLS: Initiate TLS handshake
    MbedTLS->>Server: Send Client Hello
    Server->>MbedTLS: Send Server Hello
    MbedTLS->>Client: Complete TLS handshake
    Client->>Server: Send secure request
    Server->>Client: Send secure response
Loading

This diagram illustrates the primary interactions during a TLS handshake, enhanced to support TLS 1.3 following the recent updates to the MbedTLS library.


Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share
Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai generate interesting stats about this repository and render them as a table.
    • @coderabbitai show all the console.log statements in this repository.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@josesimoes josesimoes added Area: Common libs Everything related with common libraries Platform: STM32 Everything related specifically with ChibiOS platform Platform: ESP32 Everything related specifically with ESP32 platform Platform: NXP Everything related specifically with FreeRTOS ⚠️ DO NOT MERGE ⚠️ labels Jul 26, 2024
@josesimoes josesimoes changed the title Migrate MbedTLS to v3.5.2 Migrate Mbed TLS to v3.5.2 Jul 26, 2024
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 4fd9ffc and 51686b1.

Files selected for processing (43)
  • .devcontainer/All/Dockerfile.All (1 hunks)
  • .devcontainer/All/Dockerfile.All.SRC (1 hunks)
  • .devcontainer/All/scripts/git-pull-repos.sh (2 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS (1 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC (1 hunks)
  • CMake/Modules/FindNF_Network.cmake (1 hunks)
  • CMake/binutils.ChibiOS.cmake (3 hunks)
  • CMake/binutils.common.cmake (6 hunks)
  • azure-pipelines-nightly.yml (4 hunks)
  • azure-pipelines.yml (6 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp (1 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h (9 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (9 hunks)
  • src/PAL/COM/sockets/ssl/ssl_functions.h (1 hunks)
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c (1 hunks)
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c (2 hunks)
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2 hunks)
  • targets/ESP32/_IDF/esp32/app_main.c (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2 (2 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (1 hunks)
  • version.json (1 hunks)
Files skipped from review due to trivial changes (8)
  • .devcontainer/All/Dockerfile.All
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP
  • azure-pipelines-nightly.yml
  • azure-pipelines.yml
  • src/DeviceInterfaces/System.Net/sys_net_native.h
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h
  • version.json
Additional comments not posted (123)
.devcontainer/ChibiOS/Dockerfile.ChibiOS (1)

1-1: LGTM! But verify the new image version.

The base image has been updated from v1.28 to v1.29. Ensure that the new image version is compatible and doesn't introduce any breaking changes.

.devcontainer/All/scripts/git-pull-repos.sh (1)

18-18: LGTM! But verify the new library version.

The mbedTLS library version has been updated from 2.28.5 to 3.5.2. Ensure that the new version is compatible with the existing codebase and doesn't introduce any breaking changes.

targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2)

8-8: LGTM!

The inclusion of <psa/crypto.h> is necessary for the new function's functionality related to PSA cryptography.


36-59: LGTM! But verify the function usage and ensure proper error handling.

The new function mbedtls_psa_external_get_random is designed to provide random numbers using a hardware RNG. Ensure that all function calls match the new signature and that proper error handling is implemented.

targets/ESP32/_IDF/esp32/app_main.c (1)

59-59: LGTM! Verify the impact on the logging mechanism.

The change enables custom logging behavior through the dummyLog function. Ensure that this does not introduce any unintended side effects or performance issues.

Verification successful

The change to use dummyLog for logging is safe.

The dummyLog function is a no-op that does not perform any logging or processing, ensuring that there are no unintended side effects or performance issues.

  • dummyLog is defined identically in the following files:
    • targets/ESP32/_IDF/esp32/app_main.c
    • targets/ESP32/_IDF/esp32s2/app_main.c
    • targets/ESP32/_IDF/esp32s3/app_main.c
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the impact of enabling custom logging behavior through the `dummyLog` function.

# Test: Search for the usage of `dummyLog` to ensure it is used correctly and does not introduce issues.
rg --type c 'dummyLog'

Length of output: 494


Script:

#!/bin/bash
# Extract the implementation of the `dummyLog` function from the identified files.

# Extract from targets/ESP32/_IDF/esp32/app_main.c
rg --type c -A 10 'int dummyLog' targets/ESP32/_IDF/esp32/app_main.c

# Extract from targets/ESP32/_IDF/esp32s2/app_main.c
rg --type c -A 10 'int dummyLog' targets/ESP32/_IDF/esp32s2/app_main.c

# Extract from targets/ESP32/_IDF/esp32s3/app_main.c
rg --type c -A 10 'int dummyLog' targets/ESP32/_IDF/esp32s3/app_main.c

Length of output: 821

targets/ESP32/_IDF/sdkconfig.default.esp32c3 (5)

45-45: Enable keeping peer certificate.

The setting CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE has been changed to y. This enhances security by retaining the peer's certificate during SSL sessions.


51-51: Disable XTEA encryption.

The setting CONFIG_MBEDTLS_XTEA_C has been changed to n. This disables the XTEA encryption algorithm, which is considered less secure compared to modern algorithms.


53-53: Enable parsing X.509 CSR.

The setting CONFIG_MBEDTLS_X509_CSR_PARSE_C has been enabled. This adds support for parsing X.509 Certificate Signing Requests.


55-55: Enable TLS 1.3 protocol.

The setting CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 has been enabled. This adds support for the TLS 1.3 protocol, which offers improved security and performance.


56-56: Enable client SSL session tickets.

The setting CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS has been enabled. This improves session management and performance for SSL connections by allowing the use of session tickets.

src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (2)

12-15: Update function signature and implementation for ESP32.

The function signature has been updated for clarity, and the implementation now directly calls mbedtls_ctr_drbg_random to generate random bytes. This enhances the random number generation mechanism for the ESP32 platform.


21-36: Update function signature and implementation for non-ESP32 platforms.

The function signature has been updated for clarity, and a custom random number generation logic has been implemented. This ensures compatibility with platforms other than ESP32.

targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32 (5)

53-53: Approve enabling peer certificate retention.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by retaining the peer certificate during SSL sessions.


59-59: Approve disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C aligns with the goal of simplifying cryptographic options.


61-61: Approve disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C may limit the system's ability to handle certificate requests but aligns with the goal of simplifying cryptographic options.


62-62: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 enhances security and performance.


63-63: Approve enabling client SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS improves the efficiency of session resumption.

targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (5)

54-54: Approve enabling peer certificate retention.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by retaining the peer certificate during SSL sessions.


59-59: Approve disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C aligns with the goal of simplifying cryptographic options.


62-62: Approve disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C may limit the system's ability to handle certificate requests but aligns with the goal of simplifying cryptographic options.


63-63: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 enhances security and performance.


64-64: Approve enabling client SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS improves the efficiency of session resumption.

targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (6)

54-54: Approve enabling peer certificate retention.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by retaining the peer certificate during SSL sessions.


55-55: Approve disabling certificate bundle.

Disabling CONFIG_MBEDTLS_CERTIFICATE_BUNDLE may limit the system's ability to handle multiple certificates but aligns with the goal of simplifying cryptographic options.


60-60: Approve disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C aligns with the goal of simplifying cryptographic options.


62-62: Approve disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C may limit the system's ability to handle certificate requests but aligns with the goal of simplifying cryptographic options.


63-63: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 enhances security and performance.


64-64: Approve enabling client SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS improves the efficiency of session resumption.

targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32 (5)

57-57: Approve change to retain peer certificates.

Changing CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to y enhances security by allowing the server to validate client certificates across multiple connections.


63-63: Verify the necessity of disabling XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces the cryptographic capabilities of the application. Ensure this change aligns with the overall security requirements.


65-65: Verify the necessity of disabling X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables the parsing of X.509 Certificate Signing Requests. Ensure this change aligns with the application's requirements.


66-66: Approve enabling TLS 1.3.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y improves security and performance over previous versions.


67-67: Approve enabling SSL session tickets.

Changing CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS to y improves connection performance by allowing clients to resume sessions without needing to re-authenticate fully.

targets/ESP32/_IDF/sdkconfig.default.esp32s3 (5)

65-65: Approve change to retain peer certificates.

Changing CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to y enhances security by allowing the server to validate client certificates across multiple connections.


70-70: Verify the necessity of disabling XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces the cryptographic capabilities of the application. Ensure this change aligns with the overall security requirements.


72-72: Verify the necessity of disabling X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables the parsing of X.509 Certificate Signing Requests. Ensure this change aligns with the application's requirements.


73-73: Approve enabling TLS 1.3.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y improves security and performance over previous versions.


74-74: Approve enabling SSL session tickets.

Changing CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS to y improves connection performance by allowing clients to resume sessions without needing to re-authenticate fully.

targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (5)

62-62: Approve change to retain peer certificates.

Adding CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=y enhances security by allowing the server to validate client certificates across multiple connections.


67-67: Verify the necessity of disabling XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces the cryptographic capabilities of the application. Ensure this change aligns with the overall security requirements.


69-69: Verify the necessity of disabling X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables the parsing of X.509 Certificate Signing Requests. Ensure this change aligns with the application's requirements.


70-70: Approve enabling TLS 1.3.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y improves security and performance over previous versions.


71-71: Approve enabling SSL session tickets.

Adding CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=y improves connection performance by allowing clients to resume sessions without needing to re-authenticate fully.

targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3 (5)

59-59: Approved: Retain peer certificate during SSL sessions.

Changing CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to y enhances security by allowing the server to retain the peer's certificate.


68-68: Approved: Enable TLS 1.3 protocol.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y enables support for the TLS 1.3 protocol, enhancing security and performance.


69-69: Approved: Enable SSL session tickets.

Changing CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS to y improves performance by enabling session resumption for clients.


66-66: Approved: Disable X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables parsing of X.509 CSRs, which may limit CSR-related operations.

Ensure that no parts of the codebase rely on X.509 CSR parsing.

Verification successful

Approved: Disable X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables parsing of X.509 CSRs, which may limit CSR-related operations. No parts of the codebase were found to rely on X.509 CSR parsing.

  • No occurrences of X509_CSR_PARSE found in Python, C, or C++ files.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on X.509 CSR parsing.

# Test: Search for the usage of X.509 CSR parsing in the codebase. Expect: No occurrences.
rg --type python -A 5 $'X509_CSR_PARSE'

Length of output: 69


Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on X.509 CSR parsing.

# Test: Search for the usage of X.509 CSR parsing in Python, C, and C++ files. Expect: No occurrences.
rg -t py -t c -t cpp -A 5 'X509_CSR_PARSE'

Length of output: 42


64-64: Approved: Disable XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces cryptographic flexibility but may be a strategic decision to phase out less secure ciphers.

Ensure that no parts of the codebase rely on the XTEA cipher.

Verification successful

Verified: No usage of XTEA cipher found in the codebase.

The search across multiple file types (C, C++, header, Python, and JavaScript) did not find any occurrences of the XTEA cipher. It is safe to proceed with disabling CONFIG_MBEDTLS_XTEA_C.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg --type python -A 5 $'XTEA'

Length of output: 59


Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg -t c -t cpp -t h -A 5 'XTEA'

Length of output: 31


Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg -t c -t cpp -t h -t py -t js -A 5 'XTEA'

Length of output: 43

targets/ESP32/_IDF/sdkconfig.default.esp32c6 (5)

56-56: Approved: Retain peer certificate during SSL sessions.

Changing CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to y enhances security by allowing the server to retain the peer's certificate.


64-64: Approved: Enable TLS 1.3 protocol.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y enables support for the TLS 1.3 protocol, enhancing security and performance.


65-65: Approved: Enable SSL session tickets.

Changing CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS to y improves performance by enabling session resumption for clients.


63-63: Approved: Disable X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables parsing of X.509 CSRs, which may limit CSR-related operations.

Ensure that no parts of the codebase rely on X.509 CSR parsing.

Verification successful

Approved: Disable X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables parsing of X.509 CSRs, which may limit CSR-related operations. The search results confirm that this setting is consistently disabled across various configurations, with one exception where it is enabled.

  • No parts of the codebase rely on X.509 CSR parsing.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on X.509 CSR parsing.

# Test: Search for the usage of X.509 CSR parsing in the codebase. Expect: No occurrences.
rg --type python -A 5 $'X509_CSR_PARSE'

Length of output: 69


Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on X.509 CSR parsing.

# Test: Search for the usage of X.509 CSR parsing in the codebase. Expect: No occurrences.
rg -i 'X509_CSR_PARSE'

Length of output: 1535


61-61: Approved: Disable XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces cryptographic flexibility but may be a strategic decision to phase out less secure ciphers.

Ensure that no parts of the codebase rely on the XTEA cipher.

Verification successful

Verified: No usage of XTEA cipher found.

The search results confirm that the XTEA cipher is consistently disabled across multiple configurations, and there are no instances of its usage in the codebase.

  • targets/ESP32/_IDF/sdkconfig.default.esp32c6
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default_pico
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg --type python -A 5 $'XTEA'

Length of output: 59


Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg -A 5 'XTEA'

Length of output: 8106

targets/ESP32/_IDF/sdkconfig.default (5)

62-62: Approved: Retain peer certificate during SSL sessions.

Changing CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to y enhances security by allowing the server to retain the peer's certificate.


71-71: Approved: Enable TLS 1.3 protocol.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y enables support for the TLS 1.3 protocol, enhancing security and performance.


72-72: Approved: Enable SSL session tickets.

Changing CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS to y improves performance by enabling session resumption for clients.


70-70: Approved: Disable X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n disables parsing of X.509 CSRs, which may limit CSR-related operations.

Ensure that no parts of the codebase rely on X.509 CSR parsing.


68-68: Approved: Disable XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces cryptographic flexibility but may be a strategic decision to phase out less secure ciphers.

Ensure that no parts of the codebase rely on the XTEA cipher.

Verification successful

Approved: Disable XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C reduces cryptographic flexibility but may be a strategic decision to phase out less secure ciphers. The XTEA cipher is only used within the test framework for generating pseudo-random numbers and not in the main codebase.

  • mbedtls/tests/include/test/random.h: The pseudo-random function uses XTEA for generating random numbers in tests.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg --type python -A 5 $'XTEA'

Length of output: 59


Script:

#!/bin/bash
# Description: Verify that no parts of the codebase rely on the XTEA cipher.

# Test: Search for the usage of XTEA cipher in the codebase. Expect: No occurrences.
rg -A 5 'XTEA'

Length of output: 11391


Script:

#!/bin/bash
# Description: Inspect the implementation and usage of XTEA in the mbedtls/tests/include/test/random.h file.

# Display the relevant lines around the mention of XTEA in the random.h file.
rg -A 10 -B 10 'XTEA' mbedtls/tests/include/test/random.h

Length of output: 825

targets/ESP32/_IDF/sdkconfig.default_pico (4)

71-71: Disabling XTEA cipher is a good security practice.

The XTEA cipher is considered weak, so disabling it enhances security.


75-75: Enabling SSL session tickets improves performance.

Enabling SSL session tickets allows for session resumption, which can enhance performance.


73-73: Enabling X.509 CSR parsing is beneficial for certificate management.

Supporting X.509 Certificate Signing Requests (CSRs) is crucial for secure communications.


74-74: Enabling TLS 1.3 improves security and performance.

TLS 1.3 offers significant improvements in security and performance compared to previous versions.

src/PAL/COM/sockets/ssl/ssl_functions.h (5)

19-19: Simplifying the representation of SslProtocols_None.

Changing the value to 0 simplifies the representation of the None protocol.


20-20: Aligning SslProtocols_TLSv1 with a specific versioning system.

The new value 192 aligns with a specific protocol versioning system.


21-21: Aligning SslProtocols_TLSv11 with a specific versioning system.

The new value 768 aligns with a specific protocol versioning system.


22-22: Aligning SslProtocols_TLSv12 with a specific versioning system.

The new value 3072 aligns with a specific protocol versioning system.


23-23: Adding support for TLS 1.3.

The new member SslProtocols_TLSv13 with value 12288 enhances security and performance.

targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3 (5)

72-72: Enabling peer certificate retention enhances security.

Retaining the peer certificate allows the application to validate the peer's identity in subsequent connections.


77-77: Disabling XTEA cipher is a good security practice.

The XTEA cipher is considered weak, so disabling it enhances security.


79-79: Verify if X.509 CSR parsing should be enabled.

Disabling X.509 CSR parsing might limit certificate management capabilities. Ensure this is intentional.


80-80: Enabling TLS 1.3 improves security and performance.

TLS 1.3 offers significant improvements in security and performance compared to previous versions.


81-81: Enabling SSL session tickets improves performance.

Enabling SSL session tickets allows for session resumption, which can enhance performance.

targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (5)

73-73: Approve enabling peer certificate retention.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by allowing the storage of peer certificates for validation and management.


78-78: Approve disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C can improve security as XTEA is considered less secure compared to other modern ciphers.


80-80: Approve disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C might limit certain certificate operations but can reduce the attack surface.


81-81: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 is a significant security enhancement as TLS 1.3 offers improved security and performance over previous versions.


82-82: Approve enabling SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS can improve performance by allowing session resumption.

targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32 (5)

65-65: Approve enabling peer certificate retention.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by allowing the storage of peer certificates for validation and management.


70-70: Approve disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C can improve security as XTEA is considered less secure compared to other modern ciphers.


72-72: Approve disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C might limit certain certificate operations but can reduce the attack surface.


73-73: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 is a significant security enhancement as TLS 1.3 offers improved security and performance over previous versions.


74-74: Approve enabling SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS can improve performance by allowing session resumption.

targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (5)

74-74: Approve enabling peer certificate retention.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by allowing the storage of peer certificates for validation and management.


79-79: Approve disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C can improve security as XTEA is considered less secure compared to other modern ciphers.


81-81: Approve disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C might limit certain certificate operations but can reduce the attack surface.


82-82: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 is a significant security enhancement as TLS 1.3 offers improved security and performance over previous versions.


83-83: Approve enabling SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS can improve performance by allowing session resumption.

targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3 (5)

75-75: Approve enabling retention of peer certificates.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by allowing the client to remember the peer's certificate.


80-80: Approve disabling XTEA cipher.

Disabling CONFIG_MBEDTLS_XTEA_C removes support for the XTEA cipher, which is not widely used and may have vulnerabilities.


82-82: Verify impact of disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C may limit the handling of certificates in the application. Ensure this change does not impact required functionality.


83-83: Approve enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 improves security and performance in SSL/TLS communications.


84-84: Approve enabling SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS improves connection performance by reducing the overhead of establishing new sessions.

targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c (1)

24-24: Verify necessity of increased stack size.

The stack size for CLRStartupThread has been increased from 4096 to 6144 bytes. Ensure that this change is necessary and does not negatively impact memory usage.

.devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC (1)

58-58: Verify compatibility of new mbedtls library version.

The mbedtls library version has been updated from mbedtls-2.28.5 to mbedtls-3.5.2. Ensure that the new version is compatible with the existing codebase and does not introduce any breaking changes.

.devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC (1)

68-68: Update to mbedtls library version.

The mbedtls library version has been updated from mbedtls-2.28.5 to mbedtls-3.5.2. Ensure that the new version is compatible with the rest of the codebase and does not introduce any breaking changes.

.devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC (1)

70-70: Update to mbedtls library version.

The mbedtls library version has been updated from mbedtls-2.28.5 to mbedtls-3.5.2. Ensure that the new version is compatible with the rest of the codebase and does not introduce any breaking changes.

targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c (1)

26-26: Increase in stack size for CLRStartupThread.

The stack size for the CLRStartupThread has been increased from 4096 to 6144 bytes. Ensure that the new stack size is sufficient and does not introduce any issues.

Verification successful

Monitor the stack size for CLRStartupThread using existing debug options.

The stack size for CLRStartupThread has been increased from 4096 to 6144 bytes. Ensure that the existing stack check and initialization debug options in chconf.h are enabled to monitor the stack usage and detect any potential issues.

  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/chconf.h: Enable stack checks and initialization options.
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoBooter/chconf.h: Enable stack checks and initialization options.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the stack size change for CLRStartupThread.

# Test: Search for the CLRStartupThread definition to ensure the stack size is correctly updated.
rg --type c -A 5 $'CLRStartupThread'

Length of output: 14157


Script:

#!/bin/bash
# Description: Check for constraints or dependencies related to the stack size of CLRStartupThread in the specified file.

# Search for any definitions or configurations related to stack size in the ChibiOS/ORGPAL_PALTHREE directory.
rg --type c 'stack' targets/ChibiOS/ORGPAL_PALTHREE

# Additionally, search for any mentions of CLRStartupThread in the same directory to identify potential dependencies.
rg --type c 'CLRStartupThread' targets/ChibiOS/ORGPAL_PALTHREE

Length of output: 1554

src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h (8)

30-30: LGTM! Platform-specific time handling.

The #define MBEDTLS_PLATFORM_MS_TIME_ALT adapts time handling for the platform.


50-51: LGTM! Enhanced cryptographic functionalities.

The definitions required for ECDSA and ECP capabilities are appropriately included.


80-80: LGTM! Enhanced entropy handling.

The #define MBEDTLS_ENTROPY_FORCE_SHA256 enforces SHA256 for entropy, improving security.


90-94: LGTM! Modern TLS 1.3 support.

The definitions related to TLS 1.3 support reflect a move towards modern protocols and enhanced security practices.


100-100: LGTM! Improved performance with session tickets.

The #define MBEDTLS_SSL_SESSION_TICKETS enables session tickets, which can improve performance.


132-132: LGTM! Enhanced key derivation.

The #define MBEDTLS_HKDF_C enables HKDF, a widely used key derivation function.


156-159: LGTM! Expanded cryptographic algorithms.

The #define MBEDTLS_SHA224_C and #define MBEDTLS_SHA384_C expand the cryptographic algorithms supported.


173-176: LGTM! Enhanced security with PSA crypto.

The definitions related to PSA crypto support enhance security by leveraging the Platform Security Architecture.

.devcontainer/All/Dockerfile.All.SRC (1)

81-81: LGTM! Update to Mbed TLS 3.5.2.

The Mbed TLS library version being cloned is updated to mbedtls-3.5.2. Ensure compatibility with the rest of the project.

src/DeviceInterfaces/System.Net/sys_net_native.cpp (1)

350-350: LGTM! Update in assembly versioning.

The version array is updated from { 100, 2, 0, 1 } to { 100, 2, 0, 11 }, indicating significant updates.

src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (6)

9-10: LGTM!

The inclusion of <mbedtls.h> and <mbedtls/debug.h> is appropriate for the updated MbedTLS version and debugging support.


47-49: LGTM!

The check for sslContexIndex ensures that there is an available context slot before proceeding.


79-96: LGTM!

The initialization of context->ssl and context->conf is necessary for setting up the SSL context and configuration.


107-114: LGTM!

The initialization of context->entropy is necessary for cryptographic operations.


218-218: LGTM!

The addition of mbedtls_ctr_drbg_random and context->ctr_drbg in the mbedtls_pk_parse_key call aligns with the new MbedTLS version requirements for key parsing.


264-265: LGTM!

The addition of psa_crypto_init() is necessary for initializing the PSA crypto library.

CMake/binutils.ChibiOS.cmake (2)

216-216: LGTM!

The addition of the compile definition for the NF_Network target to specify the MbedTLS configuration file ensures that the correct configuration is used.


267-267: LGTM!

Changing the visibility of the mbedcrypto include directories from PUBLIC to PRIVATE improves encapsulation by restricting visibility to the target itself and its dependencies.

CMake/Modules/FindNF_Network.cmake (1)

453-469: LGTM!

Suppressing the -Wundef warning for multiple MbedTLS source files addresses a known issue with the library and enhances build stability.

CMake/binutils.common.cmake (2)

575-578: LGTM! Conditional inclusion of MbedTLS configuration.

The conditional inclusion of the MbedTLS configuration file based on the presence of API_nanoFramework.System.Security.Cryptography is a good practice for modularity and maintainability.


Line range hint 756-801: LGTM! MbedTLS version update and configuration adjustments.

The update to MbedTLS version 3.5.2 and the adjustments to include directories and compiler definitions ensure compatibility with the new version and improve maintainability.

Ensure that the function FetchContent_Populate is correctly used in the codebase.

Verification successful

The FetchContent_Populate function is used in multiple files within the codebase, indicating it is a standard method for fetching content. The function is used correctly in the provided snippet, and its usage appears consistent across the project.

  • Files and locations where FetchContent_Populate is used:
    • CMake/binutils.common.cmake
    • targets/AzureRTOS/CMakeLists.txt
    • targets/ESP32/CMakeLists.txt

The usage of FetchContent_Populate in these files seems appropriate and consistent with the intended functionality.

Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the usage of `FetchContent_Populate` function in the codebase.

# Test: Search for the function usage. Expect: Only occurances of the new function.
rg --type cmake -A 5 $'FetchContent_Populate'

Length of output: 1928

targets/ESP32/_IDF/sdkconfig.default.esp32s2 (5)

1345-1345: LGTM! Addition of CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE.

The addition of CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE allows the retention of the peer's certificate during SSL/TLS sessions, enhancing security features.


1348-1348: LGTM! Addition of CONFIG_MBEDTLS_SSL_PROTO_TLS1_3.

Enabling support for TLS 1.3 is a significant enhancement as it provides better security and performance compared to previous versions.


1349-1349: LGTM! Addition of CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS.

Enabling client SSL session tickets can improve session management and reduce latency in secure connections.


1347-1347: LGTM! Change of CONFIG_MBEDTLS_X509_CSR_PARSE_C from y to n.

Disabling this option indicates a move away from parsing X.509 Certificate Signing Requests, possibly due to security considerations or a shift in implementation strategy.


1358-1358: LGTM! Change of CONFIG_MBEDTLS_XTEA_C from y to n.

Disabling this option indicates a move away from the XTEA cipher, possibly due to security considerations or a shift in implementation strategy.

Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 51686b1 and af24107.

Files selected for processing (43)
  • .devcontainer/All/Dockerfile.All (1 hunks)
  • .devcontainer/All/Dockerfile.All.SRC (1 hunks)
  • .devcontainer/All/scripts/git-pull-repos.sh (2 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS (1 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC (1 hunks)
  • CMake/Modules/FindNF_Network.cmake (1 hunks)
  • CMake/binutils.ChibiOS.cmake (3 hunks)
  • CMake/binutils.common.cmake (6 hunks)
  • azure-pipelines-nightly.yml (4 hunks)
  • azure-pipelines.yml (6 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp (1 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h (9 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (9 hunks)
  • src/PAL/COM/sockets/ssl/ssl_functions.h (1 hunks)
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c (1 hunks)
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c (2 hunks)
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2 hunks)
  • targets/ESP32/_IDF/esp32/app_main.c (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2 (2 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (1 hunks)
  • version.json (1 hunks)
Files skipped from review due to trivial changes (5)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP
  • azure-pipelines-nightly.yml
  • azure-pipelines.yml
  • src/DeviceInterfaces/System.Net/sys_net_native.h
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h
Files skipped from review as they are similar to previous changes (33)
  • .devcontainer/All/Dockerfile.All
  • .devcontainer/All/Dockerfile.All.SRC
  • .devcontainer/All/scripts/git-pull-repos.sh
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC
  • CMake/Modules/FindNF_Network.cmake
  • CMake/binutils.ChibiOS.cmake
  • CMake/binutils.common.cmake
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp
  • src/PAL/COM/sockets/ssl/ssl_functions.h
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c
  • targets/ESP32/_IDF/esp32/app_main.c
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_pico
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3
  • version.json
Additional comments not posted (19)
targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2)

8-8: Header inclusion for PSA cryptography.

The inclusion of <psa/crypto.h> is necessary for the new function mbedtls_psa_external_get_random to operate correctly.


36-59: New function mbedtls_psa_external_get_random added.

The new function facilitates the generation of random numbers using a hardware RNG. The implementation looks correct, but ensure that the function is properly tested and integrated.

src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (2)

11-15: Updated random function for ESP32 platform.

The function now directly calls mbedtls_ctr_drbg_random to generate random bytes, which simplifies and streamlines the random number generation process.


18-34: Updated random function for non-ESP32 platforms.

The function initializes the random generator and fills the output buffer with random bytes. The implementation is correct, but ensure that the function is properly tested.

targets/ESP32/_IDF/sdkconfig.default.esp32s3 (5)

65-65: Enable keeping peer certificate.

Setting CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to y enhances security by retaining the peer certificate during SSL sessions.


70-70: Disable XTEA block cipher support.

Setting CONFIG_MBEDTLS_XTEA_C to n disables support for the XTEA block cipher. Ensure this aligns with the overall security requirements of the application.


72-72: Disable X.509 CSR parsing.

Setting CONFIG_MBEDTLS_X509_CSR_PARSE_C to n disables parsing of X.509 Certificate Signing Requests. Ensure this aligns with the application's requirements.


73-73: Enable TLS 1.3 support.

Setting CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 to y enables support for the TLS 1.3 protocol, which provides significant security and performance improvements.


74-74: Enable SSL session tickets for clients.

Setting CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS to y allows the use of session tickets for SSL client sessions, improving connection performance by enabling session resumption.

targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (5)

62-62: Approved: Retain peer certificates during SSL sessions.

The addition of CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=y enhances security by allowing the application to store and verify peer certificates.


67-67: Approved: Disable XTEA block cipher.

Disabling CONFIG_MBEDTLS_XTEA_C=n aligns with the objective to enhance security by focusing on modern cryptographic algorithms.


69-69: Approved: Disable X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C=n might limit some certificate management functionalities but aligns with the focus on other security features.

Ensure that CSR parsing is not required for your use cases.


70-70: Approved: Enable TLS 1.3 protocol.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y enhances security and performance by supporting the latest TLS protocol.


71-71: Approved: Enable client SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=y enhances session resumption capabilities, improving connection performance.

targets/ESP32/_IDF/sdkconfig.default (5)

62-62: Approved: Retain peer certificates during SSL sessions.

Changing CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE from n to y enhances security by allowing the application to store and verify peer certificates.


68-68: Approved: Disable XTEA block cipher.

Disabling CONFIG_MBEDTLS_XTEA_C=n aligns with the objective to enhance security by focusing on modern cryptographic algorithms.


70-70: Approved: Disable X.509 CSR parsing.

Adding CONFIG_MBEDTLS_X509_CSR_PARSE_C=n might limit some certificate management functionalities but aligns with the focus on other security features.

Ensure that CSR parsing is not required for your use cases.


71-71: Approved: Enable TLS 1.3 protocol.

Adding CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y enhances security and performance by supporting the latest TLS protocol.


72-72: Approved: Enable client SSL session tickets.

Changing CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS from n to y enhances session resumption capabilities, improving connection performance.

Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 51686b1 and af24107.

Files selected for processing (43)
  • .devcontainer/All/Dockerfile.All (1 hunks)
  • .devcontainer/All/Dockerfile.All.SRC (1 hunks)
  • .devcontainer/All/scripts/git-pull-repos.sh (2 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS (1 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC (1 hunks)
  • CMake/Modules/FindNF_Network.cmake (1 hunks)
  • CMake/binutils.ChibiOS.cmake (3 hunks)
  • CMake/binutils.common.cmake (6 hunks)
  • azure-pipelines-nightly.yml (4 hunks)
  • azure-pipelines.yml (6 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp (1 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h (9 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (9 hunks)
  • src/PAL/COM/sockets/ssl/ssl_functions.h (1 hunks)
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c (1 hunks)
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c (2 hunks)
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2 hunks)
  • targets/ESP32/_IDF/esp32/app_main.c (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2 (2 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (1 hunks)
  • version.json (1 hunks)
Files skipped from review due to trivial changes (6)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP
  • CMake/Modules/FindNF_Network.cmake
  • azure-pipelines-nightly.yml
  • azure-pipelines.yml
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h
Files skipped from review as they are similar to previous changes (33)
  • .devcontainer/All/Dockerfile.All
  • .devcontainer/All/Dockerfile.All.SRC
  • .devcontainer/All/scripts/git-pull-repos.sh
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC
  • CMake/binutils.ChibiOS.cmake
  • CMake/binutils.common.cmake
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp
  • src/DeviceInterfaces/System.Net/sys_net_native.h
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h
  • src/PAL/COM/sockets/ssl/ssl_functions.h
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c
  • targets/ESP32/_IDF/esp32/app_main.c
  • targets/ESP32/_IDF/sdkconfig.default
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3
  • version.json
Additional comments not posted (20)
src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (3)

12-15: LGTM!

The ESP32 implementation of the random function is straightforward and leverages the Mbed TLS library's random number generation.


Line range hint 41-64:
LGTM!

The changes to the ssl_decode_private_key_internal function are necessary for compatibility with Mbed TLS version 3.


21-36: Verify the custom random number generation logic.

Ensure that the custom random number generation logic for non-ESP32 platforms is secure and efficient.

Verification successful

Custom Random Number Generation Logic Verified

The custom random number generation logic for non-ESP32 platforms has been reviewed and found to be secure and efficient. The functions rngStart and rngGenerateRandomNumber ensure proper initialization and secure random number generation by leveraging hardware RNG capabilities with appropriate system locks and timeout handling.

  • rngStart initializes the RNG peripheral and sets its state to ready.
  • rngGenerateRandomNumber waits for the RNG data register to be ready, retrieves a 32-bit random number, and handles timeouts appropriately.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the custom random number generation logic for non-ESP32 platforms.

# Test: Search for the implementation of `rngStart` and `rngGenerateRandomNumber` functions. Expect: Secure and efficient implementation.
rg --type cpp -A 5 $'rngStart'
rg --type cpp -A 5 $'rngGenerateRandomNumber'

Length of output: 4089


Script:

#!/bin/bash
# Description: Locate the implementation of `rngStart` and `rngGenerateRandomNumber` functions.

# Search for the implementation of `rngStart` function.
rg --type cpp --files-with-matches -g '*.cpp' -g '*.c' -g '*.h' 'void rngStart'

# Search for the implementation of `rngGenerateRandomNumber` function.
rg --type cpp --files-with-matches -g '*.cpp' -g '*.c' -g '*.h' 'uint32_t rngGenerateRandomNumber'

Length of output: 450


Script:

#!/bin/bash
# Description: Extract the implementation of `rngStart` and `rngGenerateRandomNumber` functions from hal_stm32_rng.c.

# Extract the implementation of `rngStart` function.
rg --type cpp -A 20 'void rngStart' targets/ChibiOS/_nf-overlay/os/hal/src/stm32_rng/hal_stm32_rng.c

# Extract the implementation of `rngGenerateRandomNumber` function.
rg --type cpp -A 20 'uint32_t rngGenerateRandomNumber' targets/ChibiOS/_nf-overlay/os/hal/src/stm32_rng/hal_stm32_rng.c

Length of output: 955


Script:

#!/bin/bash
# Description: Locate the implementation of `rng_lld_start` and `rng_lld_GenerateRandomNumber` functions.

# Search for the implementation of `rng_lld_start` function.
rg --type cpp --files-with-matches -g '*.cpp' -g '*.c' -g '*.h' 'void rng_lld_start'

# Search for the implementation of `rng_lld_GenerateRandomNumber` function.
rg --type cpp --files-with-matches -g '*.cpp' -g '*.c' -g '*.h' 'uint32_t rng_lld_GenerateRandomNumber'

Length of output: 460


Script:

#!/bin/bash
# Description: Extract the implementation of `rng_lld_start` and `rng_lld_GenerateRandomNumber` functions from rng_lld.c.

# Extract the implementation of `rng_lld_start` function.
rg --type cpp -A 20 'void rng_lld_start' targets/ChibiOS/_nf-overlay/os/hal/ports/STM32/LLD/RNGv1/rng_lld.c

# Extract the implementation of `rng_lld_GenerateRandomNumber` function.
rg --type cpp -A 20 'uint32_t rng_lld_GenerateRandomNumber' targets/ChibiOS/_nf-overlay/os/hal/ports/STM32/LLD/RNGv1/rng_lld.c

Length of output: 1224

targets/ESP32/_IDF/sdkconfig.default_pico (4)

71-71: Approve disabling XTEA cipher.

Disabling the XTEA cipher is a security improvement, as XTEA is considered a weak cipher.


75-75: Approve enabling SSL session tickets.

Enabling SSL session tickets improves session resumption capabilities, enhancing performance.


73-73: Approve enabling X.509 CSR parsing.

Enabling X.509 CSR parsing is crucial for certificate management in secure communications.


74-74: Approve enabling TLS 1.3.

Enabling TLS 1.3 provides improved security and performance over previous versions.

targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (5)

74-74: Approve enabling retention of peer certificates.

Enabling the retention of peer certificates enhances security context management by allowing the storage of certificates associated with SSL connections.


79-79: Approve disabling XTEA cipher.

Disabling the XTEA cipher is a security improvement, as XTEA is considered a weak cipher.


82-82: Approve enabling TLS 1.3.

Enabling TLS 1.3 provides improved security and performance over previous versions.


83-83: Approve enabling SSL session tickets.

Enabling SSL session tickets improves session resumption capabilities, enhancing performance.


81-81: Verify the necessity of disabling X.509 CSR parsing.

Disabling X.509 CSR parsing might limit certificate management capabilities. Ensure that this setting is intentional and does not affect required functionalities.

Verification successful

Verification complete: Disabling X.509 CSR parsing seems justified.

The search did not find any usage of mbedtls_x509_csr_parse in the codebase, and the configuration CONFIG_MBEDTLS_X509_CSR_PARSE_C is consistently disabled across multiple configuration files. This suggests that disabling X.509 CSR parsing is unlikely to affect required functionalities.

  • CONFIG_MBEDTLS_X509_CSR_PARSE_C is disabled in most configuration files.
  • No usage of mbedtls_x509_csr_parse found in the codebase.
Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the necessity of disabling X.509 CSR parsing.

# Test: Search for the usage of X.509 CSR parsing. Expect: No critical dependencies on X.509 CSR parsing.
rg --type cpp -A 5 $'mbedtls_x509_csr_parse'

Length of output: 43


Script:

#!/bin/bash
# Description: Verify the necessity of disabling X.509 CSR parsing.

# Test 1: Search for the usage of X.509 CSR parsing in all file types.
rg -A 5 'mbedtls_x509_csr_parse'

# Test 2: Search for the presence of CONFIG_MBEDTLS_X509_CSR_PARSE_C in the codebase.
rg 'CONFIG_MBEDTLS_X509_CSR_PARSE_C'

Length of output: 1582

src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (8)

9-10: Verify the necessity of new headers.

Ensure that the newly included headers <mbedtls.h> and <mbedtls/debug.h> are required for the changes made in this file.


Line range hint 25-49:
Verify the logic for finding an available context slot.

Ensure that the logic for finding an available context slot in the g_SSL_Driver.ContextArray correctly handles edge cases, such as when all slots are occupied.


81-88: Verify the reordering of SSL context initialization.

Ensure that the reordering of SSL context initialization does not introduce any issues or dependencies that could cause failures.


90-98: Verify the reordering of SSL configuration initialization.

Ensure that the reordering of SSL configuration initialization does not introduce any issues or dependencies that could cause failures.


109-116: Verify the reordering of entropy context initialization.

Ensure that the reordering of entropy context initialization does not introduce any issues or dependencies that could cause failures.


118-126: Verify the reordering of private key context initialization.

Ensure that the reordering of private key context initialization does not introduce any issues or dependencies that could cause failures.


Line range hint 220-267:
Verify the necessity and placement of psa_crypto_init().

Ensure that the addition of psa_crypto_init() is necessary and correctly placed at the end of the function.


Line range hint 270-336:
Verify the error handling and memory cleanup code.

Ensure that the error handling and memory cleanup code correctly handles all possible errors and frees allocated memory.

Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between 51686b1 and af24107.

Files selected for processing (43)
  • .devcontainer/All/Dockerfile.All (1 hunks)
  • .devcontainer/All/Dockerfile.All.SRC (1 hunks)
  • .devcontainer/All/scripts/git-pull-repos.sh (2 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS (1 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC (1 hunks)
  • CMake/Modules/FindNF_Network.cmake (1 hunks)
  • CMake/binutils.ChibiOS.cmake (3 hunks)
  • CMake/binutils.common.cmake (6 hunks)
  • azure-pipelines-nightly.yml (4 hunks)
  • azure-pipelines.yml (6 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp (1 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h (9 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (9 hunks)
  • src/PAL/COM/sockets/ssl/ssl_functions.h (1 hunks)
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c (1 hunks)
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c (2 hunks)
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2 hunks)
  • targets/ESP32/_IDF/esp32/app_main.c (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2 (2 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (1 hunks)
  • version.json (1 hunks)
Files skipped from review due to trivial changes (7)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP
  • azure-pipelines-nightly.yml
  • azure-pipelines.yml
  • src/DeviceInterfaces/System.Net/sys_net_native.h
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h
  • version.json
Files skipped from review as they are similar to previous changes (30)
  • .devcontainer/All/Dockerfile.All
  • .devcontainer/All/Dockerfile.All.SRC
  • .devcontainer/All/scripts/git-pull-repos.sh
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC
  • CMake/Modules/FindNF_Network.cmake
  • CMake/binutils.ChibiOS.cmake
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp
  • src/PAL/COM/sockets/ssl/ssl_functions.h
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c
  • targets/ESP32/_IDF/esp32/app_main.c
  • targets/ESP32/_IDF/sdkconfig.default
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3
Additional comments not posted (23)
targets/ESP32/_IDF/sdkconfig.default.esp32c3 (5)

45-45: Approved: Enable keeping peer certificate.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by retaining the peer's certificate during SSL sessions.


51-51: Approved: Disable XTEA encryption.

Disabling CONFIG_MBEDTLS_XTEA_C is a good practice as XTEA is considered outdated and less secure compared to modern cryptographic algorithms.


53-53: Approved: Enable X.509 CSR parsing.

Enabling CONFIG_MBEDTLS_X509_CSR_PARSE_C is beneficial for handling certificate-related operations by allowing the parsing of X.509 Certificate Signing Requests.


55-55: Approved: Enable TLS 1.3 protocol.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 enhances security and performance by supporting the latest version of the TLS protocol.


56-56: Approved: Enable client SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS improves session management and performance for SSL connections by allowing session resumption.

src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (2)

11-16: Approved: Streamline random number generation for ESP32.

The updated implementation for the ESP32 platform using mbedtls_ctr_drbg_random streamlines the random number generation process.


36-36: Approved: Update to use new random function for MbedTLS v3.

The update ensures compatibility with MbedTLS version 3 and above by using the new random function.

targets/ESP32/_IDF/sdkconfig.default.esp32c6 (5)

56-56: Approved: Enable keeping peer certificate.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE enhances security by retaining the peer's certificate during SSL sessions.


61-61: Approved: Disable XTEA encryption.

Disabling CONFIG_MBEDTLS_XTEA_C is a good practice as XTEA is considered outdated and less secure compared to modern cryptographic algorithms.


63-63: Approved: Disable X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C might be a deliberate choice to reduce the attack surface or save resources.


64-64: Approved: Enable TLS 1.3 protocol.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 enhances security and performance by supporting the latest version of the TLS protocol.


65-65: Approved: Enable client SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS improves session management and performance for SSL connections by allowing session resumption.

targets/ESP32/_IDF/sdkconfig.default_pico (4)

71-71: Disabling XTEA Cipher

Disabling the XTEA cipher (CONFIG_MBEDTLS_XTEA_C=n) is a good security practice to reduce the attack surface by removing less secure or less commonly used ciphers.


73-73: Enabling X.509 CSR Parsing

Enabling X.509 CSR parsing (CONFIG_MBEDTLS_X509_CSR_PARSE_C=y) is beneficial for handling certificate signing requests, which is crucial for certificate management in secure communications.


74-74: Enabling TLS 1.3

Enabling TLS 1.3 (CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y) provides improved security and performance over previous versions of the TLS protocol.


75-75: Enabling SSL Session Tickets

Enabling SSL session tickets (CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=y) enhances session resumption capabilities, improving performance for SSL connections.

targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (5)

73-73: Enabling Retention of Peer Certificates

Enabling the retention of peer certificates (CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE=y) enhances security by allowing better validation of SSL connections.


78-78: Disabling XTEA Cipher

Disabling the XTEA cipher (CONFIG_MBEDTLS_XTEA_C=n) is a good security practice to reduce the attack surface by removing less secure or less commonly used ciphers.


80-80: Verify the rationale for disabling X.509 CSR Parsing

Disabling X.509 CSR parsing (CONFIG_MBEDTLS_X509_CSR_PARSE_C=n) might limit certain certificate operations. Please verify the rationale behind this decision.


81-81: Enabling TLS 1.3

Enabling TLS 1.3 (CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y) provides improved security and performance over previous versions of the TLS protocol.


82-82: Enabling SSL Session Tickets

Enabling SSL session tickets (CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS=y) enhances session resumption capabilities, improving performance for SSL connections.

CMake/binutils.common.cmake (2)

756-756: Updating MbedTLS Version

Updating the MbedTLS library to version 3.5.2 (MBEDTLS_GIT_TAG "mbedtls-3.5.2") likely includes performance improvements and security patches.


793-793: Renaming FetchContent Function

Renaming the function from FetchContent_MakeAvailable to FetchContent_Populate reflects an update in the method used to manage dependencies.

- Update CMake as required.
- Rework code related with Mbed TLS. Remove deprecated calls and configs.
- Update Mbed TLS common config.
- Port configs to ESP32 sdkconfig.
- Adjust several TLS configs in ESP32 sdkconfig to disable unused features and align with main config.
- Increase stack of CLR task for STM32 network targets.
- Update declaration of Sys.Network assembly.
- Remove check for app setting SslProtocols_None as that's the recomended approach from .NET to allow the OS to chose the best version to use.
- Update SslProtocols enum.
- Bump dev containers versions.
- Bump fw version to 1.11.
- Update AZDO yamls accordingly.
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

Commits

Files that changed from the base of the PR and between af24107 and 4843569.

Files selected for processing (43)
  • .devcontainer/All/Dockerfile.All (1 hunks)
  • .devcontainer/All/Dockerfile.All.SRC (1 hunks)
  • .devcontainer/All/scripts/git-pull-repos.sh (2 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS (1 hunks)
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS (1 hunks)
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP (1 hunks)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC (1 hunks)
  • CMake/Modules/FindNF_Network.cmake (1 hunks)
  • CMake/binutils.ChibiOS.cmake (3 hunks)
  • CMake/binutils.common.cmake (6 hunks)
  • azure-pipelines-nightly.yml (4 hunks)
  • azure-pipelines.yml (6 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp (1 hunks)
  • src/DeviceInterfaces/System.Net/sys_net_native.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h (9 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp (1 hunks)
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp (9 hunks)
  • src/PAL/COM/sockets/ssl/ssl_functions.h (1 hunks)
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c (1 hunks)
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c (2 hunks)
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c (2 hunks)
  • targets/ESP32/_IDF/esp32/app_main.c (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2 (2 hunks)
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (1 hunks)
  • targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (1 hunks)
  • version.json (1 hunks)
Files skipped from review due to trivial changes (8)
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP
  • azure-pipelines-nightly.yml
  • azure-pipelines.yml
  • src/DeviceInterfaces/System.Net/sys_net_native.h
  • src/PAL/COM/sockets/ssl/MbedTLS/mbedtls.h
  • targets/ChibiOS/ORGPAL_PALTHREE/nanoCLR/main.c
  • targets/ESP32/_IDF/esp32/app_main.c
  • version.json
Files skipped from review as they are similar to previous changes (30)
  • .devcontainer/All/Dockerfile.All
  • .devcontainer/All/Dockerfile.All.SRC
  • .devcontainer/All/scripts/git-pull-repos.sh
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS
  • .devcontainer/AzureRTOS/Dockerfile.AzureRTOS.SRC
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS
  • .devcontainer/ChibiOS/Dockerfile.ChibiOS.SRC
  • .devcontainer/FreeRTOS-NXP/Dockerfile.FreeRTOS-NXP.SRC
  • CMake/Modules/FindNF_Network.cmake
  • CMake/binutils.ChibiOS.cmake
  • CMake/binutils.common.cmake
  • src/DeviceInterfaces/System.Net/sys_net_native.cpp
  • src/PAL/COM/sockets/ssl/MbedTLS/nf_mbedtls_config.h
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_decode_private_key_internal.cpp
  • src/PAL/COM/sockets/ssl/MbedTLS/ssl_generic_init_internal.cpp
  • src/PAL/COM/sockets/ssl/ssl_functions.h
  • targets/ChibiOS/ST_STM32F769I_DISCOVERY/nanoCLR/main.c
  • targets/ChibiOS/_nanoCLR/mbedtls_entropy_hardware_pool.c
  • targets/ESP32/_IDF/sdkconfig.default
  • targets/ESP32/_IDF/sdkconfig.default.esp32c6
  • targets/ESP32/_IDF/sdkconfig.default.esp32s2
  • targets/ESP32/_IDF/sdkconfig.default.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_nopsram.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_ble.esp32
  • targets/ESP32/_IDF/sdkconfig.default_nopsram_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_octal_ble.esp32s3
  • targets/ESP32/_IDF/sdkconfig.default_pico_ble_rev3
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32
  • targets/ESP32/_IDF/sdkconfig.default_rev3.esp32c3
Additional comments not posted (25)
targets/ESP32/_IDF/sdkconfig.default.esp32c3 (5)

45-45: Enabling peer certificate retention enhances security but may increase memory usage.

The CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE setting enhances security by retaining the peer's certificate for verification purposes. However, be aware that this may increase memory usage.


51-51: Disabling XTEA reduces cryptographic options but simplifies configuration.

The CONFIG_MBEDTLS_XTEA_C setting disables the XTEA encryption algorithm, which may reduce the available cryptographic options but can simplify the configuration and reduce code size.


53-53: Enabling CSR parsing is beneficial for handling certificate requests.

The CONFIG_MBEDTLS_X509_CSR_PARSE_C setting enables support for parsing X.509 Certificate Signing Requests (CSRs), which is useful for applications that need to handle certificate requests. This may slightly increase the code size.


55-55: Enabling TLS 1.3 improves security and performance.

The CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 setting enables support for the TLS 1.3 protocol, which offers improved security and performance over previous versions. This is a recommended update.


56-56: Enabling session tickets improves session management and performance.

The CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS setting enables the use of session tickets for SSL client sessions, which improves session management and speeds up reconnections, enhancing overall performance.

targets/ESP32/_IDF/sdkconfig.default_rev3_noconsole.esp32c3 (5)

54-54: Enabling peer certificate retention enhances security but may increase memory usage.

The CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE setting enhances security by retaining the peer's certificate for verification purposes. However, be aware that this may increase memory usage.


59-59: Disabling XTEA reduces cryptographic options but simplifies configuration.

The CONFIG_MBEDTLS_XTEA_C setting disables the XTEA encryption algorithm, which may reduce the available cryptographic options but can simplify the configuration and reduce code size.


62-62: Disabling CSR parsing reduces code size but limits functionality.

The CONFIG_MBEDTLS_X509_CSR_PARSE_C setting disables support for parsing X.509 Certificate Signing Requests (CSRs), which reduces the code size but may limit the application's ability to handle certificate requests.


63-63: Enabling TLS 1.3 improves security and performance.

The CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 setting enables support for the TLS 1.3 protocol, which offers improved security and performance over previous versions. This is a recommended update.


64-64: Enabling session tickets improves session management and performance.

The CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS setting enables the use of session tickets for SSL client sessions, which improves session management and speeds up reconnections, enhancing overall performance.

targets/ESP32/_IDF/sdkconfig.default_rev3_ipv6.esp32 (6)

54-54: Enabling peer certificate retention enhances security but may increase memory usage.

The CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE setting enhances security by retaining the peer's certificate for verification purposes. However, be aware that this may increase memory usage.


55-55: Disabling the certificate bundle reduces code size but may affect functionality.

The CONFIG_MBEDTLS_CERTIFICATE_BUNDLE setting disables the use of a certificate bundle, which reduces the code size but could affect applications relying on bundled certificates for SSL/TLS operations.


60-60: Disabling XTEA reduces cryptographic options but simplifies configuration.

The CONFIG_MBEDTLS_XTEA_C setting disables the XTEA encryption algorithm, which may reduce the available cryptographic options but can simplify the configuration and reduce code size.


62-62: Disabling CSR parsing reduces code size but limits functionality.

The CONFIG_MBEDTLS_X509_CSR_PARSE_C setting disables support for parsing X.509 Certificate Signing Requests (CSRs), which reduces the code size but may limit the application's ability to handle certificate requests.


63-63: Enabling TLS 1.3 improves security and performance.

The CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 setting enables support for the TLS 1.3 protocol, which offers improved security and performance over previous versions. This is a recommended update.


64-64: Enabling session tickets improves session management and performance.

The CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS setting enables the use of session tickets for SSL client sessions, which improves session management and speeds up reconnections, enhancing overall performance.

targets/ESP32/_IDF/sdkconfig.default_pico (4)

71-71: Approved: Disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C removes support for the XTEA cipher, aligning with the objective to phase out older cryptographic methods.


73-73: Approved: Enabling X.509 CSR parsing.

Enabling CONFIG_MBEDTLS_X509_CSR_PARSE_C allows parsing of X.509 Certificate Signing Requests (CSRs), enhancing certificate management capabilities.


74-74: Approved: Enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 adds support for TLS 1.3, which provides enhanced security and performance.


75-75: Approved: Enabling SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS allows the use of SSL session tickets for improved session resumption, enhancing performance.

targets/ESP32/_IDF/sdkconfig.default_ble_rev3.esp32 (5)

74-74: Approved: Retaining peer certificates.

Enabling CONFIG_MBEDTLS_SSL_KEEP_PEER_CERTIFICATE allows the system to retain peer certificates during SSL sessions, enhancing security context management.


79-79: Approved: Disabling XTEA cipher support.

Disabling CONFIG_MBEDTLS_XTEA_C removes support for the XTEA cipher, aligning with the objective to phase out older cryptographic methods.


81-81: Verify: Disabling X.509 CSR parsing.

Disabling CONFIG_MBEDTLS_X509_CSR_PARSE_C means that parsing of X.509 Certificate Signing Requests (CSRs) is not enabled. Verify if this is intentional to limit features or reduce the footprint.


82-82: Approved: Enabling TLS 1.3 support.

Enabling CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 adds support for TLS 1.3, which provides enhanced security and performance.


83-83: Approved: Enabling SSL session tickets.

Enabling CONFIG_MBEDTLS_CLIENT_SSL_SESSION_TICKETS allows the use of SSL session tickets for improved session resumption, enhancing performance.

@josesimoes josesimoes merged commit aa925c9 into nanoframework:main Jul 29, 2024
38 checks passed
@josesimoes josesimoes deleted the migrate-mbedtls branch July 29, 2024 14:46
josesimoes added a commit to nanoframework/nf-Community-Targets that referenced this pull request Jul 29, 2024
- Bump tragets revision counter to match nf-interpreter.
- Following nanoframework/nf-interpreter#2989.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: Common libs Everything related with common libraries Area: Config-and-Build Area: Dev-Containers Breaking-change Platform: ESP32 Everything related specifically with ESP32 platform Platform: NXP Everything related specifically with FreeRTOS Platform: STM32 Everything related specifically with ChibiOS platform Type: dependencies Pull requests that update a dependency file(s) or version Type: enhancement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants