From c950a6aa462631dca1f30fcd512947df2dce7f60 Mon Sep 17 00:00:00 2001 From: Colton Willey Date: Mon, 20 Apr 2026 12:29:26 -0700 Subject: [PATCH] zephyr: changes needed for Zephyr 4.3 default TLS support Follow-up to #7731 ("Changes needed for default TLS support in zephyr kernel"). Zephyr 4.3's TLS socket integration uses three additional wolfSSL features that were not needed by the 3.7 integration, plus an extension to the native_sim time-source gates introduced in #7731. native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c): Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from native_posix to native_sim; without this, k_cpu_idle() on native_sim advances simulated time during DTLS retransmit loops and the RTC path falls through to uptime-since-boot. Behavior on native_posix is unchanged. New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h): CONFIG_WOLFSSL_SESSION_EXPORT -> HAVE_EXT_CACHE Required by consumers that serialize TLS session state across connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION. CONFIG_WOLFSSL_KEEP_PEER_CERT -> KEEP_PEER_CERT Retain the peer certificate after handshake so the application layer can inspect it via wolfSSL_get_peer_certificate. CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB Invoke an application-set verify callback on successful chain validation in addition to validation failures. All three are default-off; customers opt in the same way they do for the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options. .wolfssl_known_macro_extras: register HAVE_EXT_CACHE. --- .wolfssl_known_macro_extras | 1 + src/internal.c | 3 ++- wolfcrypt/src/wc_port.c | 6 +++--- zephyr/Kconfig | 15 +++++++++++++++ zephyr/user_settings.h | 15 +++++++++++++++ 5 files changed, 36 insertions(+), 4 deletions(-) diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras index 3943d47739..9dfce8514c 100644 --- a/.wolfssl_known_macro_extras +++ b/.wolfssl_known_macro_extras @@ -279,6 +279,7 @@ HAVE_ECC512 HAVE_ECC_CDH_CAST HAVE_ECC_SM2 HAVE_ESP_CLK +HAVE_EXT_CACHE HAVE_FIPS_VERSION_PORT HAVE_FUZZER HAVE_INTEL_MULX diff --git a/src/internal.c b/src/internal.c index 2ba6cabc15..9280884e51 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10602,7 +10602,8 @@ ProtocolVersion MakeDTLSv1_3(void) word32 LowResTimer(void) { int64_t t; - #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) + #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) \ + && !defined(CONFIG_BOARD_NATIVE_SIM) k_cpu_idle(); #endif t = k_uptime_get(); /* returns current uptime in milliseconds */ diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index ba740423ea..c34bb4c18a 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -215,7 +215,7 @@ Threading/Mutex options: #endif #if defined(WOLFSSL_ZEPHYR) -#if defined(CONFIG_BOARD_NATIVE_POSIX) +#if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM) #include "native_rtc.h" #define CONFIG_RTC #endif @@ -4088,7 +4088,7 @@ time_t z_time(time_t * timer) #if defined(CONFIG_RTC) && \ (defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC)) - #if defined(CONFIG_BOARD_NATIVE_POSIX) + #if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM) /* When using native sim, get time from simulator rtc */ uint32_t nsec = 0; @@ -4120,7 +4120,7 @@ time_t z_time(time_t * timer) return epochTime; } } - #endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */ + #endif /* CONFIG_BOARD_NATIVE_POSIX || CONFIG_BOARD_NATIVE_SIM */ #endif /* Fallback to uptime since boot. This works for relative times, but diff --git a/zephyr/Kconfig b/zephyr/Kconfig index ff05e74d23..fb6084893a 100644 --- a/zephyr/Kconfig +++ b/zephyr/Kconfig @@ -98,6 +98,21 @@ config WOLFSSL_MAX_FRAGMENT_LEN Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values WOLFSSL_MFL_* in ssl.h +config WOLFSSL_SESSION_EXPORT + bool "wolfSSL session export support" + help + Enable external session cache (HAVE_EXT_CACHE) + +config WOLFSSL_KEEP_PEER_CERT + bool "wolfSSL keep peer certificate support" + help + Retain peer certificate after handshake (KEEP_PEER_CERT) + +config WOLFSSL_ALWAYS_VERIFY_CB + bool "wolfSSL always invoke verify callback" + help + Invoke verify callback on success as well as failure (WOLFSSL_ALWAYS_VERIFY_CB) + config WOLFCRYPT_ARMASM bool "wolfCrypt ARM Assembly support" depends on WOLFSSL_BUILTIN diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h index cc333bdaaa..29aea487c8 100644 --- a/zephyr/user_settings.h +++ b/zephyr/user_settings.h @@ -133,6 +133,21 @@ extern "C" { #define NO_SESSION_CACHE /* disable session resumption */ #endif +/* Session export (external session cache) */ +#if defined(CONFIG_WOLFSSL_SESSION_EXPORT) + #define HAVE_EXT_CACHE +#endif + +/* Keep peer certificate after handshake */ +#if defined(CONFIG_WOLFSSL_KEEP_PEER_CERT) + #define KEEP_PEER_CERT +#endif + +/* Always invoke verify callback (on success as well as failure) */ +#if defined(CONFIG_WOLFSSL_ALWAYS_VERIFY_CB) + #define WOLFSSL_ALWAYS_VERIFY_CB +#endif + /* DTLS */ #if defined(CONFIG_WOLFSSL_DTLS) #define WOLFSSL_DTLS