From fdf0439ad743fc130a59d29bf848a7114033d8f2 Mon Sep 17 00:00:00 2001
From: David Brown
Date: Tue, 25 Jun 2024 09:12:25 -0600
Subject: [PATCH 1/2] mbedtls: Move local mbedtls to v3.6.0
The in-tree mbedtls (used for the simulator and some targets) is a few years old, and currently is unable to pass the rsa tests when built with clang. Update this mbed TLS to the v3.6.0 release. This fixes clang support in the simulator. There are a few minor changes to configuration and what files are needed to support newer version of Mbed TLS.
Fixes #1986
Signed-off-by: David Brown
---
 ext/mbedtls | 2 +-
 sim/mcuboot-sys/build.rs | 19 ++++++++++++++++++-
 sim/mcuboot-sys/csupport/config-ec-psa.h | 1 +
 sim/mcuboot-sys/csupport/config-rsa-kw.h | 5 +----
 4 files changed, 21 insertions(+), 6 deletions(-)
diff --git a/ext/mbedtls b/ext/mbedtls
index 8df2f8e7b..2ca6c285a 160000
--- a/ext/mbedtls
+++ b/ext/mbedtls
@@ -1 +1 @@
-Subproject commit 8df2f8e7b9c7bb9390ac74bb7bace27edca81a2b
+Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206
diff --git a/sim/mcuboot-sys/build.rs b/sim/mcuboot-sys/build.rs
index ea17d8014..88003d660 100644
--- a/sim/mcuboot-sys/build.rs
+++ b/sim/mcuboot-sys/build.rs
@@ -108,6 +108,7 @@ fn main() {
 conf.file("../../ext/mbedtls/library/chachapoly.c");
 conf.file("../../ext/mbedtls/library/cipher.c");
 conf.file("../../ext/mbedtls/library/cipher_wrap.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
 conf.file("../../ext/mbedtls/library/ctr_drbg.c");
 conf.file("../../ext/mbedtls/library/des.c");
 conf.file("../../ext/mbedtls/library/ecdsa.c");
@@ -130,7 +131,6 @@ fn main() {
 conf.file("../../ext/mbedtls/library/psa_crypto.c");
 conf.file("../../ext/mbedtls/library/psa_crypto_cipher.c");
 conf.file("../../ext/mbedtls/library/psa_crypto_client.c");
- conf.file("../../ext/mbedtls/library/psa_crypto_driver_wrappers.c");
 conf.file("../../ext/mbedtls/library/psa_crypto_ecp.c");
 conf.file("../../ext/mbedtls/library/psa_crypto_hash.c");
 conf.file("../../ext/mbedtls/library/psa_crypto_mac.c");
@@ -138,6 +138,7 @@ fn main() {
 conf.file("../../ext/mbedtls/library/psa_crypto_slot_management.c");
 conf.file("../../ext/mbedtls/library/psa_crypto_storage.c");
 conf.file("../../ext/mbedtls/library/psa_its_file.c");
+ conf.file("../../ext/mbedtls/library/psa_util.c");
 conf.file("../../ext/mbedtls/library/ripemd160.c");
 conf.file("../../ext/mbedtls/library/rsa_alt_helpers.c");
 conf.file("../../ext/mbedtls/library/sha1.c");
@@ -169,6 +170,9 @@ fn main() {
 conf.file("../../ext/mbedtls/library/rsa.c");
 conf.file("../../ext/mbedtls/library/bignum.c");
+ conf.file("../../ext/mbedtls/library/bignum_core.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
+ conf.file("../../ext/mbedtls/library/nist_kw.c");
 conf.file("../../ext/mbedtls/library/platform.c");
 conf.file("../../ext/mbedtls/library/platform_util.c");
 conf.file("../../ext/mbedtls/library/asn1parse.c");
@@ -202,6 +206,9 @@ fn main() {
 conf.file("../../ext/mbedtls/library/asn1parse.c");
 conf.file("../../ext/mbedtls/library/bignum.c");
+ conf.file("../../ext/mbedtls/library/bignum_core.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
+ conf.file("../../ext/mbedtls/library/nist_kw.c");
 conf.file("../../ext/mbedtls/library/ecdsa.c");
 conf.file("../../ext/mbedtls/library/ecp.c");
 conf.file("../../ext/mbedtls/library/ecp_curves.c");
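Review bot: The `@@ -169` and `@@ -202` hunks add the same three lines — `bignum_core.c`, `constant_time.c`, `nist_kw.c` — verbatim, and the same trio is pasted into further configurations later in this file, with no comment on why each configuration needs them; the next Mbed TLS bump will have to touch every copy. A small private helper that pushes the files every Mbed TLS 3.x build needs, called once per configuration, would keep each feature list down to what is specific to that feature. `nist_kw.c` in particular is now compiled into the `@@ -202` configuration next to `ecdsa.c`/`ecp.c`, which does not look like a key-wrap build; if it is only there to satisfy a reference from another object under the new library, a one-line comment such as `// nist_kw.c: referenced from cipher.c in Mbed TLS 3.x even when key wrap is unused` (if that is indeed the reason) would stop it being removed as dead. `main` starts and ends outside these hunks.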
@@ -221,6 +228,9 @@ fn main() {
 conf.file("csupport/keys.c");
 conf.file("../../ext/mbedtls/library/asn1parse.c");
 conf.file("../../ext/mbedtls/library/bignum.c");
+ conf.file("../../ext/mbedtls/library/bignum_core.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
+ conf.file("../../ext/mbedtls/library/nist_kw.c");
 conf.file("../../ext/mbedtls/library/ecp.c");
 conf.file("../../ext/mbedtls/library/ecp_curves.c");
 conf.file("../../ext/mbedtls/library/platform.c");
@@ -282,6 +292,9 @@ fn main() {
 conf.file("../../ext/mbedtls/library/md.c");
 conf.file("../../ext/mbedtls/library/aes.c");
 conf.file("../../ext/mbedtls/library/bignum.c");
+ conf.file("../../ext/mbedtls/library/bignum_core.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
+ conf.file("../../ext/mbedtls/library/nist_kw.c");
 conf.file("../../ext/mbedtls/library/asn1parse.c");
 }
@@ -305,6 +318,7 @@ fn main() {
 conf.conf.include("../../ext/mbedtls/library");
 conf.file("../../ext/mbedtls/library/platform_util.c");
 conf.file("../../ext/mbedtls/library/nist_kw.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
 conf.file("../../ext/mbedtls/library/cipher.c");
 conf.file("../../ext/mbedtls/library/cipher_wrap.c");
 conf.file("../../ext/mbedtls/library/aes.c");
@@ -369,6 +383,9 @@ fn main() {
 conf.file("../../ext/mbedtls/library/sha256.c");
 conf.file("../../ext/mbedtls/library/asn1parse.c");
 conf.file("../../ext/mbedtls/library/bignum.c");
+ conf.file("../../ext/mbedtls/library/bignum_core.c");
+ conf.file("../../ext/mbedtls/library/constant_time.c");
+ conf.file("../../ext/mbedtls/library/nist_kw.c");
 conf.file("../../ext/mbedtls/library/ecdh.c");
 conf.file("../../ext/mbedtls/library/md.c");
 conf.file("../../ext/mbedtls/library/aes.c");
diff --git a/sim/mcuboot-sys/csupport/config-ec-psa.h b/sim/mcuboot-sys/csupport/config-ec-psa.h
index 5dbb4956e..309739838 100644
--- a/sim/mcuboot-sys/csupport/config-ec-psa.h
+++ b/sim/mcuboot-sys/csupport/config-ec-psa.h
@@ -22,6 +22,7 @@
 #define MBEDTLS_BIGNUM_C
 #define MBEDTLS_MD_C
 #define MBEDTLS_OID_C
+#define MBEDTLS_CIPHER_C
 #if defined(MCUBOOT_SIGN_EC384)
 #define MBEDTLS_SHA384_C
 #define MBEDTLS_SHA512_C
diff --git a/sim/mcuboot-sys/csupport/config-rsa-kw.h b/sim/mcuboot-sys/csupport/config-rsa-kw.h
index e06debf47..43f47b4c4 100644
--- a/sim/mcuboot-sys/csupport/config-rsa-kw.h
+++ b/sim/mcuboot-sys/csupport/config-rsa-kw.h
@@ -63,6 +63,7 @@
 /* mbed TLS modules */
 #define MBEDTLS_ASN1_PARSE_C
+#define MBEDTLS_ASN1_WRITE_C
 #define MBEDTLS_BIGNUM_C
 #define MBEDTLS_MD_C
 #define MBEDTLS_OID_C
@@ -72,10 +73,6 @@
 #define MBEDTLS_CIPHER_C
 #define MBEDTLS_NIST_KW_C
-/* Save RAM by adjusting to our exact needs */
-#define MBEDTLS_ECP_MAX_BITS 2048
-#define MBEDTLS_MPI_MAX_SIZE 256
-
 #define MBEDTLS_SSL_MAX_CONTENT_LEN 1024
 /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */
From d3021511ca89482d6b1796a4f1199c1ed28bb597 Mon Sep 17 00:00:00 2001
From: David Brown
Date: Thu, 27 Jun 2024 13:46:44 -0600
Subject: [PATCH 2/2] espressif: workaround for mbedtls >= v3.1
Until espressif builds can be updated to work with recent versions of mbedtls, explicitly revert the version used to one that is known to work.
Signed-off-by: David Brown
---
 ci/espressif_run.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ci/espressif_run.sh b/ci/espressif_run.sh
index 74b77cbbc..90e9556c8 100755
--- a/ci/espressif_run.sh
+++ b/ci/espressif_run.sh
@@ -9,6 +9,11 @@ IDF_PATH="${HOME}/esp-idf"
 set -eo pipefail
+revert_mcuboot() {
+ (cd "${MCUBOOT_ROOTDIR}/ext/mbedtls";
+ git checkout v3.0.0)
+}
+
 prepare_environment() {
 # Prepare the environment for ESP-IDF
@@ -44,6 +49,7 @@ build_mcuboot() {
 cmake --build "${build_dir}"/
 }
+revert_mcuboot
 prepare_environment
 if [ -n "${MCUBOOT_FEATURES}" ]; then
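Review bot: `#define MBEDTLS_CIPHER_C` is added to the EC/PSA configuration with no comment, and nothing in the hunk shows an EC signature-verification build using the cipher module itself, so it reads as a compile dependency of the newer library rather than a feature this configuration wants. The rest of this header is bare defines too, but this one is the kind a future size trim would remove first; a why-comment such as `#define MBEDTLS_CIPHER_C /* pulled in by the Mbed TLS 3.x PSA core, not used directly */` — if that is indeed the reason — would keep it from being dropped or cargo-culted into other configs. The define list continues outside the hunk.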
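Review bot: The `@@ -72,10 +73,6 @@` hunk drops `MBEDTLS_MPI_MAX_SIZE 256` and `MBEDTLS_ECP_MAX_BITS 2048` together with the `/* Save RAM by adjusting to our exact needs */` comment that motivated them, and neither the hunk nor the commit message says why the explicit 2048-bit ceiling is no longer wanted. As far as I recall `MBEDTLS_MPI_MAX_SIZE` bounds the largest bignum the library will allocate, so any target that reuses this header now gets the library default instead of a size chosen for RSA-2048 — a RAM and accepted-input-size change, not just a cleanup. If the reason is that Mbed TLS 3.x no longer accepts a user-set `MBEDTLS_ECP_MAX_BITS` and its RSA path needs more than 256 bytes of intermediate, put that in a comment where the removed block was, e.g. `/* MBEDTLS_MPI_MAX_SIZE left at the library default: 256 bytes is too small for the Mbed TLS 3.x RSA path */`, or keep an explicit larger value so the bound stays deliberate.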
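Review bot: `git checkout v3.0.0` pins the Espressif CI build to a tag name, not a commit, so unlike the superproject's submodule pointer it is not reproducible by hash — a tag can be moved on the remote, and this is the crypto library the bootloader links. Check out the commit instead, e.g. `git checkout 8df2f8e7b9c7bb9390ac74bb7bace27edca81a2b` if that previously pinned commit (the one the first patch moves away from) is the v3.0.0 build the Espressif port is known to work with, with a comment naming the tag it corresponds to; a tag that is not fetched in a shallow clone would also fail here. The name `revert_mcuboot` is misleading since the function only reverts `ext/mbedtls` — `revert_mbedtls` says what it does — and `cd …; git checkout` is safer written `cd "${MCUBOOT_ROOTDIR}/ext/mbedtls" && git checkout …` so a failed `cd` can never run the checkout in the wrong tree (the inherited `set -e` probably covers it, but the explicit form does not depend on that). Any later `git submodule update` in this pipeline would undo the revert; if one exists, a comment here should say the order matters.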