Allow Mbed CE to be built as an Arduino core

CMakeLists.txt

@@ -228,8 +228,10 @@ endif()
 
 # Generate target config header and include it in all files
 if(NOT MBED_IS_NATIVE_BUILD)
-    mbed_write_target_config_header(${CMAKE_CURRENT_BINARY_DIR}/mbed-target-config.h MBED_TARGET_DEFINITIONS MBED_CONFIG_DEFINITIONS)
-    target_compile_options(mbed-core-flags INTERFACE -include ${CMAKE_CURRENT_BINARY_DIR}/mbed-target-config.h)
+    file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/generated-headers)
+    mbed_write_target_config_header(${CMAKE_CURRENT_BINARY_DIR}/generated-headers/mbed-target-config.h MBED_TARGET_DEFINITIONS MBED_CONFIG_DEFINITIONS)
+    target_compile_options(mbed-core-flags INTERFACE -include ${CMAKE_CURRENT_BINARY_DIR}/generated-headers/mbed-target-config.h)
+    target_include_directories(mbed-core-flags INTERFACE ${CMAKE_CURRENT_BINARY_DIR}/generated-headers)
 endif()
 
 # Include mbed.h and config from generate folder
@@ -283,7 +285,7 @@ if(NOT MBED_IS_NATIVE_BUILD)
     mbed_create_distro(mbed-os ${MBED_TARGET_CMAKE_NAME} mbed-core-flags mbed-core-sources mbed-rtos-flags mbed-rtos-sources)
 
     # Set up the linker script and hook it up to the top-level OS targets
-    mbed_setup_linker_script(mbed-baremetal mbed-os ${CMAKE_CURRENT_BINARY_DIR}/mbed-target-config.h)
+    mbed_setup_linker_script(mbed-baremetal mbed-os ${CMAKE_CURRENT_BINARY_DIR}/generated-headers/mbed-target-config.h)
 
     # Make sure that things linking mbed-core-flags can also get the target-specific include dirs and flags.
     mbed_extract_flags(${MBED_TARGET_CMAKE_NAME}-flags ${MBED_TARGET_CMAKE_NAME})

connectivity/mbedtls/include/mbedtls/config.h

@@ -1204,7 +1204,7 @@
  *
  * Enable functions that use the filesystem.
  */
-//#define MBEDTLS_FS_IO
+#define MBEDTLS_FS_IO
 
 /**
  * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
@@ -3227,7 +3227,7 @@
  *            on it, and considering stronger message digests instead.
  *
  */
-//#define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA1_C
 
 /**
  * \def MBEDTLS_SHA256_C

connectivity/mbedtls/mbed_lib.json5

@@ -0,0 +1,11 @@
+{
+    "name": "mbedtls",
+    "config": {
+        "entropy-nv-seed": {
+            "macro_name": "MBEDTLS_ENTROPY_NV_SEED",
+            "help": "Set to 1 to enable Mbed TLS's Non-Volatile Storage entropy source.  This source allows usage of Mbed TLS on devices which do not have a cryptographic RNG.",
+            "value": null,
+            // Note: see here for details on how to implement the seed I/O: https://os.mbed.com/docs/mbed-os/v6.16/porting/entropy-sources.html
+        }
+    }
+}

connectivity/mbedtls/platform/inc/platform_mbed.h

@@ -31,6 +31,10 @@
  * \ingroup public-crypto
  */
 
+#if CONFIG_MBEDTLS_ENTROPY_NV_SEED
+#define MBEDTLS_ENTROPY_NV_SEED
+#endif
+
 #if defined(FEATURE_EXPERIMENTAL_API) && defined(FEATURE_PSA)
 
 #if defined(MBEDTLS_ENTROPY_NV_SEED)
@@ -72,9 +76,6 @@
 #include "mbedtls_device.h"
 #endif
 
-// Include SHA1 certificate support.  Used for a lot of root CAs.
-#define MBEDTLS_SHA1_C 1
-
 /*
  * MBEDTLS_ERR_PLATFORM_HW_FAILED is deprecated and should not be used.
  */

connectivity/mbedtls/source/x509_crt.c

@@ -74,7 +74,11 @@
 #if !defined(_WIN32) || defined(EFIX64) || defined(EFI32)
 #include <sys/types.h>
 #include <sys/stat.h>
+#if defined(__MBED__)
+#include <platform/mbed_retarget.h>
+#else
 #include <dirent.h>
+#endif /* __MBED__ */
 #endif /* !_WIN32 || EFIX64 || EFI32 */
 #endif
 

connectivity/mbedtls/tools/importer/adjust-config.sh

@@ -2,7 +2,20 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2015-2016, ARM Limited, All Rights Reserved
+# Copyright (c) 2023, Arm Limited, All Rights Reserved
+#
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the License); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# * http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an AS IS BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 #
 # Purpose
 #
@@ -53,7 +66,6 @@ conf unset MBEDTLS_TIMING_C
 
 # not supported on all targets with mbed OS, nor used by mbed Client
 conf unset MBEDTLS_HAVE_TIME_DATE
-conf unset MBEDTLS_FS_IO
 conf unset MBEDTLS_PSA_ITS_FILE_C
 conf unset MBEDTLS_PSA_CRYPTO_STORAGE_C
 conf set MBEDTLS_NO_PLATFORM_ENTROPY
@@ -89,7 +101,6 @@ conf unset MBEDTLS_PEM_WRITE_C
 conf unset MBEDTLS_PKCS5_C
 conf unset MBEDTLS_PKCS12_C
 conf unset MBEDTLS_RIPEMD160_C
-conf unset MBEDTLS_SHA1_C
 conf unset MBEDTLS_XTEA_C
 
 conf set MBEDTLS_CMAC_C

connectivity/mbedtls/tools/importer/adjust-no-entropy-config.sh

@@ -2,7 +2,20 @@
 #
 # This file is part of mbed TLS (https://tls.mbed.org)
 #
-# Copyright (c) 2018, ARM Limited, All Rights Reserved
+# Copyright (c) 2018, Arm Limited, All Rights Reserved
+#
+# SPDX-License-Identifier: Apache-2.0
+# Licensed under the Apache License, Version 2.0 (the License); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# * http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an AS IS BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
 #
 # Purpose
 #

connectivity/nanostack/coap-service/test/coap-service/unittest/stub/mbedtls_stub.c

@@ -303,6 +303,12 @@ int mbedtls_x509_crt_parse(mbedtls_x509_crt *a, const unsigned char *b, size_t c
     return mbedtls_stub.expected_int;
 }
 
+int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *a, const char *b)
+{
+    // means 5 valid certificates found
+    return 5;
+}
+
 int mbedtls_x509_crt_info(char *buf, size_t size, const char *prefix,
                           const mbedtls_x509_crt *crt)
 {

connectivity/netsocket/include/netsocket/TLSSocketWrapper.h

@@ -116,6 +116,46 @@ class TLSSocketWrapper : public Socket {
      */
     nsapi_error_t set_root_ca_cert(const char *root_ca_pem);
 
+    /**
+     * @brief Sets the Root CA certificate to a collection of files on the filesystem.
+     *
+     * All files in the supplied directory will be scanned.  Note that to set up a filesystem,
+     * you must mount one or more block devices before calling this function.
+     *
+     * @note Must be called before calling connect()
+     *
+     * @param root_ca_path Path containing Root CA Certificate files in any Mbed TLS-supported format.
+     *     This can point to a directory on any mounted filesystem.
+     * @retval NSAPI_ERROR_OK on success.
+     * @retval NSAPI_ERROR_NO_MEMORY in case there is not enough memory to allocate certificate.
+     * @retval NSAPI_ERROR_PARAMETER in case the provided root_ca parameter failed parsing.
+     *
+     */
+    nsapi_error_t set_root_ca_cert_path(const char *root_ca_path);
+
+    /** Appends the certificate to an existing CA chain.
+     *
+     * @note Must be called before calling connect()
+     *
+     * @param root_ca Root CA Certificate in any Mbed TLS-supported format.
+     * @param len     Length of certificate (including terminating 0 for PEM).
+     * @retval NSAPI_ERROR_OK on success.
+     * @retval NSAPI_ERROR_NO_MEMORY in case there is not enough memory to allocate certificate.
+     * @retval NSAPI_ERROR_PARAMETER in case the provided root_ca parameter failed parsing.
+     */
+    nsapi_error_t append_root_ca_cert(const void *root_ca, size_t len);
+
+    /** Appends the certificate to an existing CA chain.
+     *
+     * @note Must be called before calling connect()
+     *
+     * @param root_ca_pem Root CA Certificate in PEM format.
+     * @retval NSAPI_ERROR_OK on success.
+     * @retval NSAPI_ERROR_NO_MEMORY in case there is not enough memory to allocate certificate.
+     * @retval NSAPI_ERROR_PARAMETER in case the provided root_ca parameter failed parsing.
+     */
+    nsapi_error_t append_root_ca_cert(const char *root_ca_pem);
+
     /** Sets client certificate, and client private key.
      *
      * @param client_cert Client certification in PEM or DER format.

connectivity/netsocket/source/TLSSocketWrapper.cpp

@@ -136,6 +136,62 @@ nsapi_error_t TLSSocketWrapper::set_root_ca_cert(const char *root_ca_pem)
     return set_root_ca_cert(root_ca_pem, strlen(root_ca_pem) + 1);
 }
 
+nsapi_error_t TLSSocketWrapper::set_root_ca_cert_path(const char *root_ca_path)
+{
+#if !defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO)
+    return NSAPI_ERROR_UNSUPPORTED;
+#else
+    mbedtls_x509_crt *crt;
+
+    crt = new (std::nothrow) mbedtls_x509_crt;
+    if (!crt) {
+        return NSAPI_ERROR_NO_MEMORY;
+    }
+
+    mbedtls_x509_crt_init(crt);
+
+    /* Parse CA certification */
+    int ret = mbedtls_x509_crt_parse_path(crt, root_ca_path);
+    if (ret < 0) {
+        print_mbedtls_error("mbedtls_x509_crt_parse", ret);
+        mbedtls_x509_crt_free(crt);
+        delete crt;
+        return NSAPI_ERROR_PARAMETER;
+    }
+    set_ca_chain(crt);
+    _cacert_allocated = true;
+    return NSAPI_ERROR_OK;
+#endif
+}
+
+nsapi_error_t TLSSocketWrapper::append_root_ca_cert(const void *root_ca, size_t len)
+{
+#if !defined(MBEDTLS_X509_CRT_PARSE_C)
+    return NSAPI_ERROR_UNSUPPORTED;
+#else
+    mbedtls_x509_crt *crt;
+
+    crt = get_ca_chain();
+    if (!crt) {
+        return NSAPI_ERROR_NO_MEMORY;
+    }
+
+    /* Parse CA certification */
+    int ret;
+    if ((ret = mbedtls_x509_crt_parse(crt, static_cast<const unsigned char *>(root_ca),
+                                      len)) != 0) {
+        print_mbedtls_error("mbedtls_x509_crt_parse", ret);
+        return NSAPI_ERROR_PARAMETER;
+    }
+    return NSAPI_ERROR_OK;
+#endif
+}
+
+nsapi_error_t TLSSocketWrapper::append_root_ca_cert(const char *root_ca_pem)
+{
+    return append_root_ca_cert(root_ca_pem, strlen(root_ca_pem) + 1);
+}
+
 nsapi_error_t TLSSocketWrapper::set_client_cert_key(const char *client_cert_pem, const char *client_private_key_pem)
 {
     return set_client_cert_key(client_cert_pem, strlen(client_cert_pem) + 1, client_private_key_pem, strlen(client_private_key_pem) + 1);

connectivity/netsocket/tests/TESTS/netsocket/tls/CMakeLists.txt

@@ -19,7 +19,8 @@ list(
             tlssocket_endpoint_close.cpp
             tlssocket_echotest.cpp
             tlssocket_echotest_burst.cpp
-            tlssocket_connect_invalid.cpp       
+            tlssocket_connect_invalid.cpp
+            tlssocket_cert_in_filesystem.cpp
 )
 
 if(MBED_GREENTEA_TEST_BAREMETAL)
@@ -33,6 +34,8 @@ mbed_greentea_add_test(
         ${TEST_SOURCE_LIST}
     TEST_REQUIRED_LIBS
         mbed-netsocket
+        mbed-storage-blockdevice
+    mbed-storage-littlefs
     TEST_SKIPPED
         ${TEST_SKIPPED}
 )

connectivity/netsocket/tests/TESTS/netsocket/tls/main.cpp

@@ -218,7 +218,6 @@ static void test_failure_handler(const failure_t failure)
 
 
 Case cases[] = {
-// Disable tests temporarily till echo server is back on
     Case("TLSSOCKET_ECHOTEST", TLSSOCKET_ECHOTEST),
     Case("TLSSOCKET_ECHOTEST_NONBLOCK", TLSSOCKET_ECHOTEST_NONBLOCK),
     Case("TLSSOCKET_CONNECT_INVALID", TLSSOCKET_CONNECT_INVALID),
@@ -235,6 +234,9 @@ Case cases[] = {
     Case("TLSSOCKET_SEND_REPEAT", TLSSOCKET_SEND_REPEAT),
     Case("TLSSOCKET_SEND_TIMEOUT", TLSSOCKET_SEND_TIMEOUT),
     Case("TLSSOCKET_NO_CERT", TLSSOCKET_NO_CERT),
+#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_FS_IO)
+    Case("TLSSOCKET_CERT_IN_FILESYSTEM", TLSSOCKET_CERT_IN_FILESYSTEM),
+#endif
 //    Temporarily removing this test, as TLS library consumes too much memory
 //    and we see frequent memory allocation failures on architectures with less
 //    RAM such as DISCO_L475VG_IOT1A and NUCLEO_F207ZG (both have 128 kB RAM)

connectivity/netsocket/tests/TESTS/netsocket/tls/tls_tests.h

@@ -91,6 +91,7 @@ void TLSSOCKET_SEND_REPEAT();
 void TLSSOCKET_NO_CERT();
 void TLSSOCKET_SIMULTANEOUS();
 void TLSSOCKET_SEND_TIMEOUT();
+void TLSSOCKET_CERT_IN_FILESYSTEM();
 
 #endif // defined(MBEDTLS_SSL_CLI_C) || defined(DOXYGEN_ONLY)
 

connectivity/netsocket/tests/TESTS/netsocket/tls/tlssocket_cert_in_filesystem.cpp

@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 2020, Arduino SA, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mbed.h"
+#include "TLSSocket.h"
+#include "greentea-client/test_env.h"
+#include "unity/unity.h"
+#include "utest.h"
+#include "tls_tests.h"
+#include "HeapBlockDevice.h"
+#include "LittleFileSystem.h"
+
+using namespace utest::v1;
+
+void TLSSOCKET_CERT_IN_FILESYSTEM()
+{
+    SKIP_IF_TCP_UNSUPPORTED();
+
+    HeapBlockDevice bd(1024 * 10);
+    LittleFileSystem fs("fs");
+    TEST_ASSERT_EQUAL(0, fs.format(&bd));
+    TEST_ASSERT_EQUAL(0, fs.mount(&bd));
+
+    FILE *fp = fopen("/fs/certs.pem", "wb");
+    int ret = fwrite(tls_global::cert, strlen(tls_global::cert), 1, fp);
+    fclose(fp);
+
+    TLSSocket sock;
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.open(NetworkInterface::get_default_instance()));
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.set_root_ca_cert_path("/fs"));
+
+    SocketAddress a;
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, NetworkInterface::get_default_instance()->gethostbyname(ECHO_SERVER_ADDR, &a));
+    a.set_port(ECHO_SERVER_PORT_TLS);
+    TEST_ASSERT_EQUAL(NSAPI_ERROR_OK, sock.connect(a));
+}

connectivity/netsocket/tests/UNITTESTS/netsocket/TLSSocketWrapper/test_TLSSocketWrapper.cpp

@@ -399,6 +399,12 @@ TEST_F(TestTLSSocketWrapper, set_root_ca_cert_invalid)
     EXPECT_EQ(wrapper->set_root_ca_cert(cert, strlen(cert)), NSAPI_ERROR_PARAMETER);
 }
 
+TEST_F(TestTLSSocketWrapper, set_root_ca_cert_path)
+{
+    EXPECT_EQ(transport->open(&stack), NSAPI_ERROR_OK);
+    EXPECT_EQ(wrapper->set_root_ca_cert_path("/"), NSAPI_ERROR_OK);
+}
+
 TEST_F(TestTLSSocketWrapper, set_client_cert_key)
 {
     EXPECT_EQ(wrapper->get_own_cert(), static_cast<mbedtls_x509_crt *>(NULL));

connectivity/netsocket/tests/UNITTESTS/netsocket/TLSSocketWrapper/tls_test_config.h

@@ -19,6 +19,6 @@
 #define UNITTESTS_FEATURES_NETSOCKET_TLSSOCKET_TLS_TEST_CONFIG_H_
 
 #define MBEDTLS_SSL_CLI_C
-
+#define MBEDTLS_FS_IO
 
 #endif /* UNITTESTS_FEATURES_NETSOCKET_TLSSOCKET_TLS_TEST_CONFIG_H_ */