all: Update bindings, ports and tests for mbedtls v3.5.1.

Changes include:

- Some mbedtls source files renamed or deprecated.

- Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so
  they don't clash with mbedtls's new default configuration file named
  `mbedtls_config.h`.

- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated.

- MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be
  defined but it's only used for TLSv1.3 (currently not enabled in
  MicroPython so there is a lazy implementation, i.e. seconds * 1000).

- `tests/multi_net/ssl_data.py` is removed (due to deprecation of
  MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing
  `ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very
  similar, simple SSL data transfer.

- Tests now use an EC key by default (they are smaller and faster), and the
  RSA key has been regenerated due to the old PKCS encoding used by openssl
  rsa command, see
  https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match
  (and `tests/README.md` has been updated accordingly).

Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>

extmod/extmod.cmake

@@ -174,20 +174,24 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_DIR}/lib/mbedtls_errors/mp_mbedtls_errors.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/aes.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/aesni.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/arc4.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/asn1parse.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/asn1write.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/base64.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_core.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_mod.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_mod_raw.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/blowfish.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/camellia.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ccm.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/certs.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/chacha20.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/chachapoly.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/cipher.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/cipher_wrap.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/nist_kw.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/aria.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/cmac.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/mps_reader.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/mps_trace.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ctr_drbg.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/debug.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/des.c
@@ -200,17 +204,13 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_LIB_MBEDTLS_DIR}/library/entropy.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/entropy_poll.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/gcm.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/havege.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/hmac_drbg.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/md2.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/md4.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/md5.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/md.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/oid.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/padlock.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pem.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pk.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs11.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs12.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs5.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pkparse.c
@@ -221,15 +221,17 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_LIB_MBEDTLS_DIR}/library/poly1305.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ripemd160.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa_internal.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa_alt_helpers.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/sha1.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/sha256.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/sha512.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cache.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_ciphersuites.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cli.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls12_client.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls12_server.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_client.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cookie.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_srv.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_debug_helpers_generated.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_msg.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_ticket.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls.c
@@ -242,11 +244,10 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_LIB_MBEDTLS_DIR}/library/x509_csr.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/x509write_crt.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/x509write_csr.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/xtea.c
     )
 
     if(NOT MBEDTLS_CONFIG_FILE)
-        set(MBEDTLS_CONFIG_FILE "${MICROPY_PORT_DIR}/mbedtls/mbedtls_config.h")
+        set(MBEDTLS_CONFIG_FILE "${MICROPY_PORT_DIR}/mbedtls/mbedtls_config_port.h")
     endif()
 
     target_compile_definitions(micropy_lib_mbedtls INTERFACE

extmod/extmod.mk

@@ -231,28 +231,33 @@ SRC_THIRDPARTY_C += $(addprefix $(AXTLS_DIR)/,\
 	)
 else ifeq ($(MICROPY_SSL_MBEDTLS),1)
 MBEDTLS_DIR = lib/mbedtls
-MBEDTLS_CONFIG_FILE ?= \"mbedtls/mbedtls_config.h\"
+MBEDTLS_CONFIG_FILE ?= \"mbedtls/mbedtls_config_port.h\"
 GIT_SUBMODULES += $(MBEDTLS_DIR)
 CFLAGS_EXTMOD += -DMBEDTLS_CONFIG_FILE=$(MBEDTLS_CONFIG_FILE)
 CFLAGS_EXTMOD += -DMICROPY_SSL_MBEDTLS=1 -I$(TOP)/$(MBEDTLS_DIR)/include
 SRC_THIRDPARTY_C += lib/mbedtls_errors/mp_mbedtls_errors.c
 SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	aes.c \
 	aesni.c \
-	arc4.c \
 	asn1parse.c \
 	asn1write.c \
 	base64.c \
+	bignum_core.c \
+	bignum_mod.c \
+	bignum_mod_raw.c \
 	bignum.c \
-	blowfish.c \
 	camellia.c \
 	ccm.c \
-	certs.c \
 	chacha20.c \
 	chachapoly.c \
 	cipher.c \
 	cipher_wrap.c \
+	nist_kw.c \
+	aria.c \
 	cmac.c \
+	constant_time.c \
+	mps_reader.c \
+	mps_trace.c \
 	ctr_drbg.c \
 	debug.c \
 	des.c \
@@ -265,17 +270,13 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	entropy.c \
 	entropy_poll.c \
 	gcm.c \
-	havege.c \
 	hmac_drbg.c \
-	md2.c \
-	md4.c \
 	md5.c \
 	md.c \
 	oid.c \
 	padlock.c \
 	pem.c \
 	pk.c \
-	pkcs11.c \
 	pkcs12.c \
 	pkcs5.c \
 	pkparse.c \
@@ -286,28 +287,28 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	poly1305.c \
 	ripemd160.c \
 	rsa.c \
-	rsa_internal.c \
+	rsa_alt_helpers.c \
 	sha1.c \
 	sha256.c \
 	sha512.c \
 	ssl_cache.c \
 	ssl_ciphersuites.c \
-	ssl_cli.c \
+	ssl_client.c \
 	ssl_cookie.c \
-	ssl_srv.c \
+	ssl_debug_helpers_generated.c \
 	ssl_msg.c \
 	ssl_ticket.c \
 	ssl_tls.c \
+	ssl_tls12_client.c \
+	ssl_tls12_server.c \
 	timing.c \
-	constant_time.c \
 	x509.c \
 	x509_create.c \
 	x509_crl.c \
 	x509_crt.c \
 	x509_csr.c \
 	x509write_crt.c \
 	x509write_csr.c \
-	xtea.c \
 	)
 endif
 endif

extmod/mbedtls/mbedtls_config_common.h

@@ -45,9 +45,9 @@
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-// #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED // enabling this currently breaks ssl_data.py test
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_CAN_ECDH
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_SHA256_SMALLER
 #define MBEDTLS_SSL_PROTO_TLS1
@@ -81,12 +81,13 @@
 #define MBEDTLS_PLATFORM_C
 #define MBEDTLS_RSA_C
 #define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA224_C
 #define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA384_C
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_SSL_CLI_C
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TLS_C
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_USE_C
 
@@ -97,6 +98,7 @@
 #define MBEDTLS_PLATFORM_MEMORY
 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
 #define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
 
 // Bare-metal memory allocation hooks.
 #include <stdlib.h>
@@ -109,7 +111,4 @@ void m_tracked_free(void *ptr);
 
 #endif
 
-// Include mbedtls configuration checker.
-#include "mbedtls/check_config.h"
-
 #endif // MICROPY_INCLUDED_MBEDTLS_CONFIG_COMMON_H

ports/mimxrt/mbedtls/mbedtls_config.h → ports/mimxrt/mbedtls/mbedtls_config_port.h

@@ -30,6 +30,7 @@
 #include <time.h>
 extern time_t mimxrt_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO mimxrt_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/mimxrt/mbedtls/mbedtls_port.c

@@ -28,10 +28,11 @@
 
 #ifdef MICROPY_SSL_MBEDTLS
 
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "fsl_snvs_lp.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 
 void trng_random_data(unsigned char *output, size_t len);
@@ -52,6 +53,13 @@ time_t mimxrt_rtctime_seconds(time_t *timer) {
     SNVS_LP_SRTC_GetDatetime(SNVS, &date);
     return timeutils_seconds_since_epoch(date.year, date.month, date.day, date.hour, date.minute, date.second);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = mimxrt_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME_DATE)

ports/renesas-ra/boards/ARDUINO_PORTENTA_C33/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/renesas-ra/mbedtls/mbedtls_config.h"
+#include "ports/renesas-ra/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/renesas-ra/mbedtls/mbedtls_config.h → ports/renesas-ra/mbedtls/mbedtls_config_port.h

@@ -30,6 +30,7 @@
 #include <time.h>
 extern time_t ra_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO ra_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/renesas-ra/mbedtls/mbedtls_port.c

@@ -25,11 +25,12 @@
  */
 
 #include "rng.h"
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -57,6 +58,13 @@ time_t ra_rtctime_seconds(time_t *timer) {
     rtc_get_date(&date);
     return timeutils_seconds_since_epoch(2000 + date.Year, date.Month, date.Date, time.Hours, time.Minutes, time.Seconds);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = ra_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME_DATE)

ports/rp2/mbedtls/mbedtls_config.h → ports/rp2/mbedtls/mbedtls_config_port.h

@@ -37,6 +37,7 @@
 #include <time.h>
 time_t rp2_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO rp2_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/rp2/mbedtls/mbedtls_port.c

@@ -27,10 +27,11 @@
 
 #ifdef MICROPY_SSL_MBEDTLS
 
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 
 #include "hardware/rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 
 extern uint8_t rosc_random_u8(size_t cycles);
 
@@ -48,4 +49,10 @@ time_t rp2_rtctime_seconds(time_t *timer) {
     return timeutils_seconds_since_epoch(t.year, t.month, t.day, t.hour, t.min, t.sec);
 }
 
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = rp2_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif

ports/stm32/boards/ARDUINO_GIGA/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/stm32/boards/ARDUINO_NICLA_VISION/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/stm32/boards/ARDUINO_PORTENTA_H7/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/stm32/mbedtls/mbedtls_config.h → ports/stm32/mbedtls/mbedtls_config_port.h

@@ -30,6 +30,7 @@
 #include <time.h>
 extern time_t stm32_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO stm32_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/stm32/mbedtls/mbedtls_port.c

@@ -25,11 +25,12 @@
  */
 
 #include "rng.h"
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -57,6 +58,13 @@ time_t stm32_rtctime_seconds(time_t *timer) {
     HAL_RTC_GetDate(&RTCHandle, &date, RTC_FORMAT_BIN);
     return timeutils_seconds_since_epoch(2000 + date.Year, date.Month, date.Date, time.Hours, time.Minutes, time.Seconds);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = stm32_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME_DATE)

ports/unix/mbedtls/mbedtls_config.h → ports/unix/mbedtls/mbedtls_config_port.h

@@ -30,7 +30,6 @@
 #define MBEDTLS_CIPHER_MODE_CTR // needed for MICROPY_PY_CRYPTOLIB_CTR
 
 // Enable mbedtls modules
-#define MBEDTLS_HAVEGE_C
 #define MBEDTLS_TIMING_C
 
 // Include common mbedtls configuration.