zephyr: changes needed for Zephyr 4.3 default TLS support

Follow-up to #7731 ("Changes needed for default TLS support in zephyr
kernel"). Zephyr 4.3's TLS socket integration uses three additional
wolfSSL features that were not needed by the 3.7 integration, plus an
extension to the native_sim time-source gates introduced in #7731.

native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c):
  Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the
  CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover
  CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from
  native_posix to native_sim; without this, k_cpu_idle() on native_sim
  advances simulated time during DTLS retransmit loops and the RTC path
  falls through to uptime-since-boot. Behavior on native_posix is
  unchanged.

New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h):
  CONFIG_WOLFSSL_SESSION_EXPORT   -> HAVE_EXT_CACHE
    Required by consumers that serialize TLS session state across
    connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION.
  CONFIG_WOLFSSL_KEEP_PEER_CERT   -> KEEP_PEER_CERT
    Retain the peer certificate after handshake so the application
    layer can inspect it via wolfSSL_get_peer_certificate.
  CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB
    Invoke an application-set verify callback on successful chain
    validation in addition to validation failures.

All three are default-off; customers opt in the same way they do for
the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options.

.wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
Colton Willey
2026-04-20 12:29:26 -07:00
parent fa9f24ff27
commit c950a6aa46
5 changed files with 36 additions and 4 deletions
+1
@@ -279,6 +279,7 @@ HAVE_ECC512
HAVE_ECC_CDH_CAST
HAVE_ECC_SM2
HAVE_ESP_CLK
HAVE_EXT_CACHE
HAVE_FIPS_VERSION_PORT
HAVE_FUZZER
HAVE_INTEL_MULX
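--- a/src/internal.c
+++ b/src/internal.c
@@ -10602,7 +10602,8 @@ ProtocolVersion MakeDTLSv1_3(void)
 word32 LowResTimer(void)
 {
 int64_t t;
-#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX)
+#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) \
+ && !defined(CONFIG_BOARD_NATIVE_SIM)
 k_cpu_idle();
 #endif
 t = k_uptime_get(); /* returns current uptime in milliseconds */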
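Review bot: The widened gate `#if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) && !defined(CONFIG_BOARD_NATIVE_SIM)` still has no comment saying why a timer read calls `k_cpu_idle()` on POSIX-arch boards at all, or why exactly the two native simulator boards are excluded, so a reader without this commit message cannot distinguish the exclusion from a stale copy-paste. Suggest a why-comment directly above the `#if`, along the lines of `/* k_cpu_idle() lets simulated time advance on posix-arch boards; skipped on native_posix/native_sim, where idling advances the clock during DTLS retransmit loops (see #7731) */`, with the first half confirmed against the original #7731 rationale, which is not visible here. This exclusion list is the hand-maintained negation of the `CONFIG_BOARD_NATIVE_POSIX || CONFIG_BOARD_NATIVE_SIM` condition in wc_port.c, so the next board rename has to be applied in two files in opposite polarity; a single shared macro would remove that drift risk. LowResTimer's body continues past the hunk.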
+3 -3
@@ -215,7 +215,7 @@ Threading/Mutex options:
#endif
#if defined(WOLFSSL_ZEPHYR)
#if defined(CONFIG_BOARD_NATIVE_POSIX)
#if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM)
#include "native_rtc.h"
#define CONFIG_RTC
#endif
@@ -4088,7 +4088,7 @@ time_t z_time(time_t * timer)
#if defined(CONFIG_RTC) && \
(defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC))
#if defined(CONFIG_BOARD_NATIVE_POSIX)
#if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM)
/* When using native sim, get time from simulator rtc */
uint32_t nsec = 0;
@@ -4120,7 +4120,7 @@ time_t z_time(time_t * timer)
return epochTime;
}
}
#endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */
#endif /* CONFIG_BOARD_NATIVE_POSIX || CONFIG_BOARD_NATIVE_SIM */
#endif
/* Fallback to uptime since boot. This works for relative times, but
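Review bot: The condition `defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM)` is now written out three times in this file (the `native_rtc.h` include gate, the `z_time()` branch, and its closing `#endif` comment) plus once more, negated, in `LowResTimer()` in src/internal.c, and the next simulator rename will have to hit all four. Defining it once beside the include, e.g. `#if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM)` / `#define WOLFSSL_ZEPHYR_NATIVE_SIM_BOARD` / `#endif`, and testing that macro in the other places would keep them from drifting apart. Worth noting in a comment as well: `z_time()` is, as far as this file shows, the `time_t` provider on Zephyr and so presumably the clock that certificate notBefore/notAfter checks run against, and the fallback at the end of this hunk silently substitutes uptime-since-boot (a clock near the 1970 epoch) when the RTC path is not selected — exactly the failure this commit fixes for native_sim. A native_sim CI handshake against a certificate with a real validity window would catch a regression of that kind, since a wrong epoch can make every date check fail or, depending on how dates are enforced, pass.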
+15
@@ -98,6 +98,21 @@ config WOLFSSL_MAX_FRAGMENT_LEN
Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values
WOLFSSL_MFL_* in ssl.h
config WOLFSSL_SESSION_EXPORT
bool "wolfSSL session export support"
help
Enable external session cache (HAVE_EXT_CACHE)
config WOLFSSL_KEEP_PEER_CERT
bool "wolfSSL keep peer certificate support"
help
Retain peer certificate after handshake (KEEP_PEER_CERT)
config WOLFSSL_ALWAYS_VERIFY_CB
bool "wolfSSL always invoke verify callback"
help
Invoke verify callback on success as well as failure (WOLFSSL_ALWAYS_VERIFY_CB)
config WOLFCRYPT_ARMASM
bool "wolfCrypt ARM Assembly support"
depends on WOLFSSL_BUILTIN
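Review bot: The help text for `WOLFSSL_SESSION_EXPORT` (`Enable external session cache (HAVE_EXT_CACHE)`) does not tell the person enabling it that the blob produced by `wolfSSL_i2d_SSL_SESSION` is resumption key material — as I understand the wolfSSL session format, like OpenSSL's, it carries the session's master secret — so wherever the application persists or forwards it has to be treated as a key store. Suggest extending the help to `Enable external session cache (HAVE_EXT_CACHE). Lets the application serialize TLS sessions with wolfSSL_i2d_SSL_SESSION; the serialized session contains resumption secrets and must be stored and transported as confidential key material.` The `WOLFSSL_KEEP_PEER_CERT` help could similarly mention the cost on constrained targets, since retaining the peer certificate presumably keeps a copy alive for the life of each connection: `Retain peer certificate after handshake (KEEP_PEER_CERT); costs RAM per connection for the lifetime of the session.` The added entries otherwise follow the existing `config`/`bool`/`help` layout of the file.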
+15
@@ -133,6 +133,21 @@ extern "C" {
#define NO_SESSION_CACHE /* disable session resumption */
#endif
/* Session export (external session cache) */
#if defined(CONFIG_WOLFSSL_SESSION_EXPORT)
#define HAVE_EXT_CACHE
#endif
/* Keep peer certificate after handshake */
#if defined(CONFIG_WOLFSSL_KEEP_PEER_CERT)
#define KEEP_PEER_CERT
#endif
/* Always invoke verify callback (on success as well as failure) */
#if defined(CONFIG_WOLFSSL_ALWAYS_VERIFY_CB)
#define WOLFSSL_ALWAYS_VERIFY_CB
#endif
/* DTLS */
#if defined(CONFIG_WOLFSSL_DTLS)
#define WOLFSSL_DTLS
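Review bot: `HAVE_EXT_CACHE` is defined immediately after the block that defines `NO_SESSION_CACHE /* disable session resumption */` under an `#if` whose condition starts above this hunk, so a build with that cache option off and `CONFIG_WOLFSSL_SESSION_EXPORT` on ends up with both macros set at once. Whether wolfSSL supports external-cache-only operation in that combination, or whether the export option should instead `#error` or be tied to the cache option in Kconfig, cannot be determined from what is visible here and deserves a one-line check before this ships. Until that is settled, a comment on the new block would at least flag the interaction, e.g. `/* Session export (external session cache). Independent of the NO_SESSION_CACHE gate above — confirm wolfSSL accepts HAVE_EXT_CACHE without the internal cache */`. The `KEEP_PEER_CERT` and `WOLFSSL_ALWAYS_VERIFY_CB` mirrors are straightforward and their comments match the Kconfig help.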