Upload secure-sockets 3.8.0.2746 [2846]

.cyignore

@@ -1,14 +1,33 @@
 docs
 
-$(SEARCH_optiga-trust-m)/externals/mbedtls
+# Not required executeable for tools
+$(SEARCH_optiga-trust-m)/tests
 $(SEARCH_optiga-trust-m)/examples/
-$(SEARCH_optiga-trust-m)/pal/NEW_PAL_TEMPLATE
-$(SEARCH_optiga-trust-m)/pal/esp32_freertos
-$(SEARCH_optiga-trust-m)/pal/libusb
-$(SEARCH_optiga-trust-m)/pal/linux
-$(SEARCH_optiga-trust-m)/pal/xmc4800
-$(SEARCH_optiga-trust-m)/pal/xmc4800_freertos
+
+# Not required PALs
+$(SEARCH_optiga-trust-m)/extras/pal/NEW_PAL_TEMPLATE
+$(SEARCH_optiga-trust-m)/extras/pal/esp32_freertos
+$(SEARCH_optiga-trust-m)/extras/pal/libusb
+$(SEARCH_optiga-trust-m)/extras/pal/linux
+$(SEARCH_optiga-trust-m)/extras/pal/xmc4800
+$(SEARCH_optiga-trust-m)/extras/pal/xmc4800_freertos
+$(SEARCH_optiga-trust-m)/extras/pal/zephyr
+$(SEARCH_optiga-trust-m)/extras/pal/test_pal
+$(SEARCH_optiga-trust-m)/extras/pal/linux_uart
+$(SEARCH_optiga-trust-m)/extras/pal/windows_uart
 
 # Not required Crypto midlayers
-$(SEARCH_optiga-trust-m)/pal/pal_crypt_openssl.c
-$(SEARCH_optiga-trust-m)/pal/pal_crypt_wolfssl.c
+$(SEARCH_optiga-trust-m)/extras/pal/pal_crypt_openssl.c
+$(SEARCH_optiga-trust-m)/extras/pal/pal_crypt_wolfssl.c
+
+# Not required MbedTLS folders
+$(SEARCH_optiga-trust-m)/external/mbedtls/3rdparty
+$(SEARCH_optiga-trust-m)/external/mbedtls/ChangeLog.d
+$(SEARCH_optiga-trust-m)/external/mbedtls/configs
+$(SEARCH_optiga-trust-m)/external/mbedtls/docs
+$(SEARCH_optiga-trust-m)/external/mbedtls/doxygen
+$(SEARCH_optiga-trust-m)/external/mbedtls/programs
+$(SEARCH_optiga-trust-m)/external/mbedtls/scripts
+$(SEARCH_optiga-trust-m)/external/mbedtls/tests
+$(SEARCH_optiga-trust-m)/external/mbedtls/visualc
+$(SEARCH_optiga-trust-m)/external/mbedtls/include/mbedtls

README.md

@@ -206,7 +206,7 @@ Ensure that the following libraries are pulled in by creating the following *.mt
 
   - *aws-iot-device-sdk-embedded-C.mtb:* `https://github.com/aws/aws-iot-device-sdk-embedded-C/#202103.00#$$ASSET_REPO$$/aws-iot-device-sdk-embedded-C/202103.00`
 
-  - *optiga-trust-m.mtb:* `https://github.com/Infineon/optiga-trust-m#release-v4.0.3#$$ASSET_REPO$$/optiga-trust-m/release-v4.0.3`
+  - *optiga-trust-m.mtb:* `https://github.com/Infineon/optiga-trust-m#release-v5.3.0#$$ASSET_REPO$$/optiga-trust-m/release-v5.3.0`
 
 ###### ***Pull required libraries and enable PKCS mode***
 1. Execute the `make getlibs` command to pull the required libraries created as .mtb.
@@ -217,11 +217,13 @@ Ensure that the following libraries are pulled in by creating the following *.mt
     COMPONENTS+= OPTIGA
    ```
 
-3. Add the Optiga PAL interface as per the platform. Use `PSOC6_FREERTOS` for PSOC6 with FREERTOS. The Makefile entry would look like as follows
+3. To enable communication over I<sup>2</sup>C with Optiga, a PAL interface implementation is required. Follow the steps outlined below based on the version of the optiga-trust-m library used in your application:
+   - When using the optiga-trust-m library with a version of 4.0.3 or lower, the Optiga PAL interface implementation is already provided. To enable this implementation for the PSoC6 platform with FreeRTOS, add the PSOC6_FREERTOS component to the application's Makefile. The Makefile entry would look like as follows:
 
    ```
     COMPONENTS+= PSOC6_FREERTOS
    ```
+   - When using the optiga-trust-m library with a version higher than 4.0.3, it is necessary to implement the Optiga PAL interface within the application itself. For guidance on this implementation, refer to the example provided in the [mtb-example-optiga-mqtt-client](https://github.com/Infineon/mtb-example-optiga-mqtt-client/tree/master/source/COMPONENT_OPTIGA_PAL_FREERTOS) repository.
 
 4. Add `OPTIGAFLAGS` with the configuration file for Optiga. A pre-defined configuration file *optiga_lib_config_mtb.h* is bundled with the secure sockets library. To change the default configuration for PKCS11, copy the *optiga_config.h* file from the secure sockets library to the top-level application directory, and then modify it.
 
@@ -235,6 +237,15 @@ Ensure that the following libraries are pulled in by creating the following *.mt
     DEFINES+= $(OPTIGAFLAGS) CY_SECURE_SOCKETS_PKCS_SUPPORT
    ```
 
+6. For CYW955913EVK-01 kit add the below Makefile entries to use default mbedtls config file provided by
+   `optiga-trust-m` library. For more information refer `optiga-trust-m` documentation
+   [Configuring Mbed TLS library](https://github.com/Infineon/optiga-trust-m?tab=readme-ov-file#configuring-mbed-tls-library)
+
+   ```
+    MBEDTLSFLAGS = MBEDTLS_USER_CONFIG_FILE='"mbedtls_default_config.h"'
+    DEFINES+= $(MBEDTLSFLAGS) $(OPTIGAFLAGS) CY_SECURE_SOCKETS_PKCS_SUPPORT
+   ```
+
 ##### ***Configuration for PKCS11***
 
 A pre-defined configuration file *core_pkcs11_config.h* is bundled with the secure sockets library. To change the default configuration for PKCS11, copy the *core_pkcs11_config.h* file from the secure sockets library to the top-level application directory, and then modify it.

RELEASE.md

@@ -13,6 +13,10 @@ Refer to the [README.md](./README.md) for a complete description of the Secure S
 
 ## Changelog
 
+### v3.8.0
+* Added fix to use TLS1.2 for NetXSecure if RSA keys/certificate are used.
+* Added PKCS11 OPTIGA Support for CYW955913EVK-01 kit.
+
 ### v3.7.0
 * Added support for CY8CEVAL-062S2-CYW955513SDM2WLIPA kit.
 

include/COMPONENT_FREERTOS/core_pkcs11_config.h → include/core_pkcs11_config.h

@@ -46,12 +46,20 @@
 /**
  * @brief Malloc API used by core_pkcs11.h
  */
+#ifdef COMPONENT_FREERTOS
 #define PKCS11_MALLOC pvPortMalloc
+#else
+#define PKCS11_MALLOC malloc
+#endif
 
 /**
  * @brief Free API used by core_pkcs11.h
  */
+#ifdef COMPONENT_FREERTOS
 #define PKCS11_FREE vPortFree
+#else
+#define PKCS11_FREE free
+#endif
 
 /* A non-standard version of C_INITIALIZE should be used by this port. */
 /* #define pkcs11configC_INITIALIZE_ALT */

include/cy_secure_sockets_pkcs.h

@@ -0,0 +1,108 @@
+/*
+ * Copyright 2024, Cypress Semiconductor Corporation (an Infineon company) or
+ * an affiliate of Cypress Semiconductor Corporation.  All rights reserved.
+ *
+ * This software, including source code, documentation and related
+ * materials ("Software") is owned by Cypress Semiconductor Corporation
+ * or one of its affiliates ("Cypress") and is protected by and subject to
+ * worldwide patent protection (United States and foreign),
+ * United States copyright laws and international treaty provisions.
+ * Therefore, you may use this Software only as provided in the license
+ * agreement accompanying the software package from which you
+ * obtained this Software ("EULA").
+ * If no EULA applies, Cypress hereby grants you a personal, non-exclusive,
+ * non-transferable license to copy, modify, and compile the Software
+ * source code solely for use in connection with Cypress's
+ * integrated circuit products.  Any reproduction, modification, translation,
+ * compilation, or representation of this Software except as specified
+ * above is prohibited without the express written permission of Cypress.
+ *
+ * Disclaimer: THIS SOFTWARE IS PROVIDED AS-IS, WITH NO WARRANTY OF ANY KIND,
+ * EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, NONINFRINGEMENT, IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Cypress
+ * reserves the right to make changes to the Software without notice. Cypress
+ * does not assume any liability arising out of the application or use of the
+ * Software or any product or circuit described in the Software. Cypress does
+ * not authorize its products for use in any products where a malfunction or
+ * failure of the Cypress product may reasonably be expected to result in
+ * significant property damage, injury or death ("High Risk Product"). By
+ * including Cypress's product in a High Risk Product, the manufacturer
+ * of such system or application assumes all risk of such use and in doing
+ * so agrees to indemnify Cypress against all liability.
+ */
+
+/** @file
+ *  Common includes and defines for PKCS11
+ */
+
+#ifndef INCLUDED_CY_SECURE_SOCKETS_PKCS_H_
+#define INCLUDED_CY_SECURE_SOCKETS_PKCS_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef CY_SECURE_SOCKETS_PKCS_SUPPORT
+#include <core_pkcs11_config.h>
+#include <core_pkcs11.h>
+#include <core_pki_utils.h>
+#ifdef COMPONENT_MBEDTLS
+#include <mbedtls/version.h>
+#include <mbedtls/pk.h>
+#include <mbedtls/pk_internal.h>
+#endif
+
+/** \cond INTERNAL */
+/**
+ * PKCS11 context object
+ */
+typedef struct cy_tls_pkcs_context
+{
+    CK_FUNCTION_LIST_PTR        functionlist;   /**< PKCS11 function list */
+    CK_SESSION_HANDLE           session;        /**< PKCS11 session handle */
+    CK_OBJECT_HANDLE            privatekey_obj; /**< PKCS11 private key object */
+    CK_KEY_TYPE                 key_type;       /**< PKCS11 private key type */
+#ifdef COMPONENT_MBEDTLS
+    mbedtls_pk_context          ssl_pk_ctx;     /**< mbedtls private key context */
+    mbedtls_pk_info_t           ssl_pk_info;    /**< mbedtls private key info */
+#endif
+    bool                        load_rootca_from_ram; /**< Load rootCA cert from RAM */
+    bool                        load_device_cert_key_from_ram; /**< Load device cert, key from RAM */
+#ifdef COMPONENT_NETXSECURE
+    void                        *device_cert_ptr; /**< netxsecure device cert ptr */
+    void                        *root_cert_ptr;   /**< netxsecure root cert ptr */
+#endif
+} cy_tls_pkcs_context_t;
+
+cy_rslt_t cy_tls_convert_pkcs_error_to_tls(CK_RV result);
+#define MAX_HASH_DATA_LENGTH                     256
+#define CY_TLS_LOAD_CERT_FROM_SECURE_STORAGE     0
+/**
+ * @brief OID for curve P-256.
+ */
+#ifndef pkcs11DER_ENCODED_OID_P256
+#define pkcs11DER_ENCODED_OID_P256               { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }
+#endif
+/**
+ * @brief OID for curve P-384.
+ */
+#ifndef pkcs11DER_ENCODED_OID_P384
+#define pkcs11DER_ENCODED_OID_P384               { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x22 }
+#endif
+/**
+ * @brief OID for curve P-512.
+ */
+#ifndef pkcs11DER_ENCODED_OID_P521
+#define pkcs11DER_ENCODED_OID_P521               { 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23 }
+#endif
+/** \endcond */
+#endif /* CY_SECURE_SOCKETS_PKCS_SUPPORT */
+
+/** \cond INTERNAL */
+#define CY_TLS_LOAD_CERT_FROM_RAM                1
+/** \endcond */
+
+#ifdef __cplusplus
+} /*extern "C" */
+#endif
+#endif /* ifndef INCLUDED_CY_SECURE_SOCKETS_PKCS_H_ */

source/COMPONENT_LWIP/cy_secure_sockets.c

@@ -50,6 +50,10 @@
 #include <ethernet.h>
 #include <string.h>
 
+#if defined(CYBSP_ETHERNET_CAPABLE)
+#include "cycfg.h"
+#endif
+
 #if LWIP_IPV4 && LWIP_IGMP
 #include <lwip/igmp.h>
 #endif
@@ -444,7 +448,12 @@ static cy_socket_ctx_t* alloc_socket(cy_socket_interface_t iface_type)
             socket_list[i].ctx->iface_type = iface_type;
 
 #if defined(CYBSP_ETHERNET_CAPABLE)
+#if (defined (eth_0_ENABLED) && (eth_0_ENABLED == 1u))
+            socket_list[i].ctx->iface_idx = 0;
+#endif
+#if (defined (eth_1_ENABLED) && (eth_1_ENABLED == 1u))
             socket_list[i].ctx->iface_idx = 1;
+#endif
 #else
             socket_list[i].ctx->iface_idx = 0;
 #endif
@@ -1554,8 +1563,12 @@ cy_rslt_t cy_socket_create(int domain, int type, int protocol, cy_socket_t *hand
         return CY_RSLT_MODULE_SECURE_SOCKETS_BADARG;
     }
 #if defined(CYBSP_ETHERNET_CAPABLE)
-    /* At present only CY_SOCKET_ETH1_INTERFACE is supported for ethernet */
+#if (defined (eth_0_ENABLED) && (eth_0_ENABLED == 1u))
+    iface_type = CY_SOCKET_ETH0_INTERFACE;
+#endif
+#if (defined (eth_1_ENABLED) && (eth_1_ENABLED == 1u))
     iface_type = CY_SOCKET_ETH1_INTERFACE;
+#endif
 #else
     netif = cy_network_get_nw_interface(CY_NETWORK_WIFI_STA_INTERFACE, 0);
     if (netif == NULL)
@@ -4692,20 +4705,23 @@ cy_rslt_t cy_socket_get_tls_info(cy_socket_t handle, cy_tls_offload_info_t *tls_
     }
     ctx = (cy_socket_ctx_t *) handle;
 
+    /* While this function is running, application may delete the socket. Protect entire function with a mutex. */
+    ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_DEBUG, "socket_mutex locked %s %d ctx %p\r\n", __FILE__, __LINE__, ctx);
+    cy_rtos_get_mutex(&ctx->socket_mutex, CY_RTOS_NEVER_TIMEOUT);
+
     if(!is_socket_valid(ctx))
     {
         ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_ERR, "invalid handle\r\n");
+        cy_rtos_set_mutex(&ctx->socket_mutex);
         return CY_RSLT_MODULE_SECURE_SOCKETS_INVALID_SOCKET;
     }
 
-    /* While this function is running, application may delete the socket. Protect entire function with a mutex. */
-    ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_DEBUG, "socket_mutex locked %s %d ctx %p\r\n", __FILE__, __LINE__, ctx);
-    cy_rtos_get_mutex(&ctx->socket_mutex, CY_RTOS_NEVER_TIMEOUT);
     result = cy_tls_get_tls_info(ctx->tls_ctx, tls_info);
     if(result != CY_RSLT_SUCCESS)
     {
         ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_ERR, "cy_tls_get_tls_info failed\r\n");
-        result = CY_RSLT_MODULE_SECURE_SOCKETS_TLS_ERROR;
+        cy_rtos_set_mutex(&ctx->socket_mutex);
+        return CY_RSLT_MODULE_SECURE_SOCKETS_TLS_ERROR;
     }
 
     cy_rtos_set_mutex(&ctx->socket_mutex);
@@ -4726,20 +4742,23 @@ cy_rslt_t cy_socket_update_tls_sequence(cy_socket_t handle,  uint8_t *read_seq,
     }
     ctx = (cy_socket_ctx_t *) handle;
 
+    /* While this function is running, application may delete the socket. Protect entire function with a mutex. */
+    ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_DEBUG, "socket_mutex locked %s %d ctx %p\r\n", __FILE__, __LINE__, ctx);
+    cy_rtos_get_mutex(&ctx->socket_mutex, CY_RTOS_NEVER_TIMEOUT);
+
     if(!is_socket_valid(ctx))
     {
         ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_ERR, "invalid handle\r\n");
+        cy_rtos_set_mutex(&ctx->socket_mutex);
         return CY_RSLT_MODULE_SECURE_SOCKETS_INVALID_SOCKET;
     }
 
-    /* While this function is running, application may delete the socket. Protect entire function with a mutex. */
-    ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_DEBUG, "socket_mutex locked %s %d ctx %p\r\n", __FILE__, __LINE__, ctx);
-    cy_rtos_get_mutex(&ctx->socket_mutex, CY_RTOS_NEVER_TIMEOUT);
     result = cy_tls_update_tls_sequence(ctx->tls_ctx, read_seq, write_seq);
     if(result != CY_RSLT_SUCCESS)
     {
         ss_cy_log_msg(CYLF_MIDDLEWARE, CY_LOG_ERR, "cy_tls_get_tls_info failed\r\n");
-        result = CY_RSLT_MODULE_SECURE_SOCKETS_TLS_ERROR;
+        cy_rtos_set_mutex(&ctx->socket_mutex);
+        return CY_RSLT_MODULE_SECURE_SOCKETS_TLS_ERROR;
     }
 
     cy_rtos_set_mutex(&ctx->socket_mutex);