zephyr: changes needed for Zephyr 4.3 default TLS support

ColtonWilley · ColtonWilley · commit c950a6aa4626 · 2026-04-20T12:29:26.000-07:00
Follow-up to #7731 ("Changes needed for default TLS support in zephyr kernel"). Zephyr 4.3's TLS socket integration uses three additional wolfSSL features that were not needed by the 3.7 integration, plus an extension to the native_sim time-source gates introduced in #7731. native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c): Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from native_posix to native_sim; without this, k_cpu_idle() on native_sim advances simulated time during DTLS retransmit loops and the RTC path falls through to uptime-since-boot. Behavior on native_posix is unchanged. New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h): CONFIG_WOLFSSL_SESSION_EXPORT -> HAVE_EXT_CACHE Required by consumers that serialize TLS session state across connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION. CONFIG_WOLFSSL_KEEP_PEER_CERT -> KEEP_PEER_CERT Retain the peer certificate after handshake so the application layer can inspect it via wolfSSL_get_peer_certificate. CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB Invoke an application-set verify callback on successful chain validation in addition to validation failures. All three are default-off; customers opt in the same way they do for the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options. .wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
diff --git a/.wolfssl_known_macro_extras b/.wolfssl_known_macro_extras
@@ -279,6 +279,7 @@ HAVE_ECC512
 HAVE_ECC_CDH_CAST
 HAVE_ECC_SM2
 HAVE_ESP_CLK
+HAVE_EXT_CACHE
 HAVE_FIPS_VERSION_PORT
 HAVE_FUZZER
 HAVE_INTEL_MULX
diff --git a/src/internal.c b/src/internal.c
@@ -10602,7 +10602,8 @@ ProtocolVersion MakeDTLSv1_3(void)
     word32 LowResTimer(void)
     {
         int64_t t;
-    #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX)
+    #if defined(CONFIG_ARCH_POSIX) && !defined(CONFIG_BOARD_NATIVE_POSIX) \
+                                   && !defined(CONFIG_BOARD_NATIVE_SIM)
         k_cpu_idle();
     #endif
         t = k_uptime_get(); /* returns current uptime in milliseconds */
diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
@@ -215,7 +215,7 @@ Threading/Mutex options:
 #endif
 
 #if defined(WOLFSSL_ZEPHYR)
-#if defined(CONFIG_BOARD_NATIVE_POSIX)
+#if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM)
 #include "native_rtc.h"
 #define CONFIG_RTC
 #endif
@@ -4088,7 +4088,7 @@ time_t z_time(time_t * timer)
     #if defined(CONFIG_RTC) && \
         (defined(CONFIG_PICOLIBC) || defined(CONFIG_NEWLIB_LIBC))
 
-    #if defined(CONFIG_BOARD_NATIVE_POSIX)
+    #if defined(CONFIG_BOARD_NATIVE_POSIX) || defined(CONFIG_BOARD_NATIVE_SIM)
 
     /* When using native sim, get time from simulator rtc */
     uint32_t nsec = 0;
@@ -4120,7 +4120,7 @@ time_t z_time(time_t * timer)
             return epochTime;
         }
     }
-    #endif /* defined(CONFIG_BOARD_NATIVE_POSIX) */
+    #endif /* CONFIG_BOARD_NATIVE_POSIX || CONFIG_BOARD_NATIVE_SIM */
     #endif
 
     /* Fallback to uptime since boot. This works for relative times, but
diff --git a/zephyr/Kconfig b/zephyr/Kconfig
@@ -98,6 +98,21 @@ config WOLFSSL_MAX_FRAGMENT_LEN
     Sets the maximum fragment length wolfSSL will use, values 1-6 correspond to enum values
     WOLFSSL_MFL_* in ssl.h
 
+config WOLFSSL_SESSION_EXPORT
+  bool "wolfSSL session export support"
+  help
+    Enable external session cache (HAVE_EXT_CACHE)
+
+config WOLFSSL_KEEP_PEER_CERT
+  bool "wolfSSL keep peer certificate support"
+  help
+    Retain peer certificate after handshake (KEEP_PEER_CERT)
+
+config WOLFSSL_ALWAYS_VERIFY_CB
+  bool "wolfSSL always invoke verify callback"
+  help
+    Invoke verify callback on success as well as failure (WOLFSSL_ALWAYS_VERIFY_CB)
+
 config WOLFCRYPT_ARMASM
 	bool "wolfCrypt ARM Assembly support"
 	depends on WOLFSSL_BUILTIN
diff --git a/zephyr/user_settings.h b/zephyr/user_settings.h
@@ -133,6 +133,21 @@ extern "C" {
     #define NO_SESSION_CACHE /* disable session resumption */
 #endif
 
+/* Session export (external session cache) */
+#if defined(CONFIG_WOLFSSL_SESSION_EXPORT)
+    #define HAVE_EXT_CACHE
+#endif
+
+/* Keep peer certificate after handshake */
+#if defined(CONFIG_WOLFSSL_KEEP_PEER_CERT)
+    #define KEEP_PEER_CERT
+#endif
+
+/* Always invoke verify callback (on success as well as failure) */
+#if defined(CONFIG_WOLFSSL_ALWAYS_VERIFY_CB)
+    #define WOLFSSL_ALWAYS_VERIFY_CB
+#endif
+
 /* DTLS */
 #if defined(CONFIG_WOLFSSL_DTLS)
     #define WOLFSSL_DTLS
