Commit Graph

11 Commits

Author SHA1 Message Date
Colton Willey c950a6aa46 zephyr: changes needed for Zephyr 4.3 default TLS support
Follow-up to #7731 ("Changes needed for default TLS support in zephyr
kernel"). Zephyr 4.3's TLS socket integration uses three additional
wolfSSL features that were not needed by the 3.7 integration, plus an
extension to the native_sim time-source gates introduced in #7731.

native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c):
  Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the
  CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover
  CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from
  native_posix to native_sim; without this, k_cpu_idle() on native_sim
  advances simulated time during DTLS retransmit loops and the RTC path
  falls through to uptime-since-boot. Behavior on native_posix is
  unchanged.

New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h):
  CONFIG_WOLFSSL_SESSION_EXPORT   -> HAVE_EXT_CACHE
    Required by consumers that serialize TLS session state across
    connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION.
  CONFIG_WOLFSSL_KEEP_PEER_CERT   -> KEEP_PEER_CERT
    Retain the peer certificate after handshake so the application
    layer can inspect it via wolfSSL_get_peer_certificate.
  CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB
    Invoke an application-set verify callback on successful chain
    validation in addition to validation failures.

All three are default-off; customers opt in the same way they do for
the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options.

.wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
2026-04-20 12:29:26 -07:00
Tobias Frauenschläger c3289f8aa9 Enable and use ML-KEM by default
* Enable ML-KEM by default in build systems (autoconf and CMake)
* Only allow three to-be-standardized hybrid PQ/T combinations by
  default
* Use X25519MLKEM768 as the default KeyShare in the ClientHello (if user
  does not override that). When Curve25519 is disabled, then either
  WOLFSSL_SECP384R1MLKEM1024 or WOLFSSL_SECP256R1MLKEM768 is used as
  default depending on the ECC configuration
* Disable standalone ML-KEM in supported groups by default (enable with
  --enable-tls-mlkem-standalone)
* Disable extra OQS-based hybrid PQ/T curves by default and gate
  behind --enable-experimental (enable with --enable-extra-pqc-hybrids)
* Reorder the SupportedGroups extension to reflect the preferences
* Reorder the preferredGroup array to also reflect the same preferences
* Add async support for ML-KEM hybrids
2026-03-18 10:48:16 +01:00
night1rider 0442918391 Add Zephyr 4.1+ build compatibility for wolfssl_tls_sock sample. Replace removed Kconfig options (PTHREAD_IPC, POSIX_CLOCK, NET_SOCKETS_POSIX_NAMES) with version-conditional config fragments and fix min/max macro collision with Zephyr's sys/util.h. 2026-03-10 14:23:47 -06:00
msi-debian c8eb3b07a0 Kconfig update for new setting 2025-03-07 14:19:33 -07:00
Colton Willey 4ec07bb5a8 Changes needed for default TLS support in zephyr kernel 2024-07-09 12:00:34 -07:00
David Garske face8b6e43 Experimental support for Intel and ARM ASM with Zephyr. Related to issue #7116. 2024-03-18 13:40:10 -07:00
David Garske 737fa53636 Improve Zephyr support. Cleanup user_settings.h mess. Add FIPS support. 2024-03-18 08:14:40 -07:00
Dimitri Papadopoulos 50752f5a2b Fix typos found by codespell 2023-07-04 07:21:27 +02:00
John Bland b146830fe8 move the zephyr folder back to it's correct location 2023-03-02 23:40:12 -05:00
John Bland e9aeb1a857 Add nuttx integration (#6043) 2023-02-08 16:04:53 -08:00
Maxime Vincent 9d562a59bc wolfSSL as a Zephyr module 2021-07-29 11:58:13 +02:00