diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c index a44723d33c..fb9c93bdcf 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c @@ -458,10 +458,10 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num) size_t bytes = 0; while (cert) { - bytes += cert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len); + bytes += cert->raw.len; n++; - cert = cert->MBEDTLS_PRIVATE(next); + cert = cert->next; } *num = n; @@ -473,14 +473,15 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num) void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl) { #ifdef CONFIG_MBEDTLS_DHM_C - mbedtls_mpi_free((mbedtls_mpi *)&ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(dhm_P)); - mbedtls_mpi_free((mbedtls_mpi *)&ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(dhm_G)); + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_P)); + mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_G)); #endif /* CONFIG_MBEDTLS_DHM_C */ } void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl) { - mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf); + mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl); mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next; while (keycert) { @@ -498,7 +499,8 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl) void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl) { - mbedtls_ssl_key_cert *keycert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert); + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert); while (keycert) { if (keycert->key) { @@ -511,7 +513,8 @@ void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl) void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl) { - mbedtls_ssl_key_cert *keycert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert); + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert); while (keycert) { if (keycert->cert) { @@ -527,7 +530,7 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl) void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl) { if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) { - mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf); + mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl); mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain)); conf->MBEDTLS_PRIVATE(ca_chain) = NULL; diff --git a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h index 6adda7bb84..72641b3a54 100644 --- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h +++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h @@ -9,15 +9,19 @@ #include #include #include -/* ToDo - Remove this once appropriate solution is available. -We need to define this for the file as ssl_misc.h uses private structures from mbedtls, -which are undefined if the following flag is not defined */ -/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */ -/* ToDo - Replace them with proper getter-setter once they are added */ + +/* TODO: Remove this once the appropriate solution is found + * + * ssl_misc.h header uses private elements from + * mbedtls, which become undefined if the following flag + * is not defined + */ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +// located at mbedtls/library/ssl_misc.h +#include "ssl_misc.h" + #include "mbedtls/ssl.h" -#include "ssl_misc.h" // located at mbedtls/library/ssl_misc.h #include "mbedtls/platform.h" #include "esp_log.h" diff --git a/components/mbedtls/port/dynamic/esp_ssl_cli.c b/components/mbedtls/port/dynamic/esp_ssl_cli.c index a38bb002f3..46178bf654 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_cli.c +++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c @@ -19,7 +19,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) { int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1; - if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->MBEDTLS_PRIVATE(handshake) == NULL) { + if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) { return 0; } @@ -103,7 +103,9 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) case MBEDTLS_SSL_CLIENT_CERTIFICATE: if (add) { size_t buffer_len = 3; - mbedtls_ssl_key_cert *key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert); + + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_ssl_key_cert *key_cert = conf->MBEDTLS_PRIVATE(key_cert); while (key_cert && key_cert->cert) { size_t num; diff --git a/components/mbedtls/port/dynamic/esp_ssl_srv.c b/components/mbedtls/port/dynamic/esp_ssl_srv.c index ba1fa173b8..e49af1e489 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_srv.c +++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c @@ -18,8 +18,8 @@ static const char *TAG = "SSL Server"; */ static bool ssl_ciphersuite_uses_rsa_key_ex(mbedtls_ssl_context *ssl) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->MBEDTLS_PRIVATE(handshake)->ciphersuite_info; + int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl); + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(suite_id); if (ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA || ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { @@ -34,7 +34,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) { int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1; - if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->MBEDTLS_PRIVATE(handshake) == NULL) { + if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) { return 0; } @@ -66,7 +66,9 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add) case MBEDTLS_SSL_SERVER_CERTIFICATE: if (add) { size_t buffer_len = 3; - mbedtls_ssl_key_cert *key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert); + + const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl); + mbedtls_ssl_key_cert *key_cert = conf->MBEDTLS_PRIVATE(key_cert); while (key_cert && key_cert->cert) { size_t num; diff --git a/components/mbedtls/port/ecc/ecc_alt.c b/components/mbedtls/port/ecc/ecc_alt.c index 7b84d0818f..e78babc404 100644 --- a/components/mbedtls/port/ecc/ecc_alt.c +++ b/components/mbedtls/port/ecc/ecc_alt.c @@ -8,11 +8,6 @@ #include "soc/hwcrypto_periph.h" #include "ecc_impl.h" -/* TBD: Remove this and use proper getter/setter methods to access - * private members of EC data structures once they are available - * in mbedTLS stack */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include "mbedtls/ecp.h" #include "mbedtls/platform_util.h" @@ -37,19 +32,19 @@ static int esp_mbedtls_ecp_point_multiply(const mbedtls_ecp_group *grp, mbedtls_ p_pt.len = grp->pbits / 8; - memcpy(&p_pt.x, P->X.p, mbedtls_mpi_size(&P->X)); - memcpy(&p_pt.y, P->Y.p, mbedtls_mpi_size(&P->Y)); + memcpy(&p_pt.x, P->MBEDTLS_PRIVATE(X).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&P->MBEDTLS_PRIVATE(X))); + memcpy(&p_pt.y, P->MBEDTLS_PRIVATE(Y).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&P->MBEDTLS_PRIVATE(Y))); - ret = esp_ecc_point_multiply(&p_pt, (uint8_t *)m->p, &r_pt, false); + ret = esp_ecc_point_multiply(&p_pt, (uint8_t *)m->MBEDTLS_PRIVATE(p), &r_pt, false); for (int i = 0; i < MAX_SIZE; i++) { x_tmp[MAX_SIZE - i - 1] = r_pt.x[i]; y_tmp[MAX_SIZE - i - 1] = r_pt.y[i]; } - mbedtls_mpi_read_binary(&R->X, x_tmp, MAX_SIZE); - mbedtls_mpi_read_binary(&R->Y, y_tmp, MAX_SIZE); - mbedtls_mpi_lset(&R->Z, 1); + mbedtls_mpi_read_binary(&R->MBEDTLS_PRIVATE(X), x_tmp, MAX_SIZE); + mbedtls_mpi_read_binary(&R->MBEDTLS_PRIVATE(Y), y_tmp, MAX_SIZE); + mbedtls_mpi_lset(&R->MBEDTLS_PRIVATE(Z), 1); return ret; } @@ -94,13 +89,13 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp, ECP_VALIDATE_RET( pt != NULL ); /* Must use affine coordinates */ - if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 ) + if( mbedtls_mpi_cmp_int( &pt->MBEDTLS_PRIVATE(Z), 1 ) != 0 ) return( MBEDTLS_ERR_ECP_INVALID_KEY ); mbedtls_platform_zeroize((void *)&point, sizeof(ecc_point_t)); - memcpy(&point.x, pt->X.p, mbedtls_mpi_size(&pt->X)); - memcpy(&point.y, pt->Y.p, mbedtls_mpi_size(&pt->Y)); + memcpy(&point.x, pt->MBEDTLS_PRIVATE(X).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&pt->MBEDTLS_PRIVATE(X))); + memcpy(&point.y, pt->MBEDTLS_PRIVATE(Y).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&pt->MBEDTLS_PRIVATE(Y))); point.len = grp->pbits / 8; diff --git a/components/mbedtls/port/esp_timing.c b/components/mbedtls/port/esp_timing.c index d310f75772..96858f765a 100644 --- a/components/mbedtls/port/esp_timing.c +++ b/components/mbedtls/port/esp_timing.c @@ -83,4 +83,12 @@ int mbedtls_timing_get_delay( void *data ) return( 0 ); } +/* + * Get the final delay. + */ +uint32_t mbedtls_timing_get_final_delay( const mbedtls_timing_delay_context *data ) +{ + return( data->MBEDTLS_PRIVATE(fin_ms) ); +} + #endif /* MBEDTLS_ESP_TIMING_C */ diff --git a/components/mbedtls/test_apps/main/test_ecp.c b/components/mbedtls/test_apps/main/test_ecp.c index 44a58e92cd..ce86dc97b5 100644 --- a/components/mbedtls/test_apps/main/test_ecp.c +++ b/components/mbedtls/test_apps/main/test_ecp.c @@ -12,13 +12,6 @@ #include #include -/* ToDo - Remove this once appropriate solution is available. -We need to define this for the file as ssl_misc.h uses private structures from mbedtls, -which are undefined if the following flag is not defined */ -/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */ -/* ToDo - Replace them with proper getter-setter once they are added */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #include #include #include @@ -31,6 +24,20 @@ which are undefined if the following flag is not defined */ error hex value (mbedTLS uses -N for error codes) */ #define TEST_ASSERT_MBEDTLS_OK(X) TEST_ASSERT_EQUAL_HEX32(0, -(X)) +/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default + * when MBEDTLS_ECP_RESTARTABLE is enabled. + * This is a temporary workaround to allow that. + * + * The legacy option is soon going to be removed in future mbedtls + * versions and this workaround will be removed once the appropriate + * solution is available. + */ +#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT +#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(var) +#else +#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var) +#endif + TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]") { mbedtls_ecdh_context ctx; @@ -43,9 +50,9 @@ TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]") mbedtls_entropy_init(&entropy); TEST_ASSERT_MBEDTLS_OK( mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) ); - TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(&ctx.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519) ); + TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(ACCESS_ECDH(&ctx, grp), MBEDTLS_ECP_DP_CURVE25519) ); - TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(&ctx.ctx.mbed_ecdh.grp, &ctx.ctx.mbed_ecdh.d, &ctx.ctx.mbed_ecdh.Q, + TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q), mbedtls_ctr_drbg_random, &ctr_drbg ) ); mbedtls_ecdh_free(&ctx); @@ -77,7 +84,8 @@ TEST_CASE("mbedtls ECP mul w/ koblitz", "[mbedtls]") mbedtls_ctr_drbg_random, &ctxRandom) ); - TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.grp, &ctxECDSA.Q, &ctxECDSA.d, &ctxECDSA.grp.G, + TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.MBEDTLS_PRIVATE(grp), &ctxECDSA.MBEDTLS_PRIVATE(Q), + &ctxECDSA.MBEDTLS_PRIVATE(d), &ctxECDSA.MBEDTLS_PRIVATE(grp).G, mbedtls_ctr_drbg_random, &ctxRandom) ); mbedtls_ecdsa_free(&ctxECDSA); @@ -184,20 +192,20 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const mbedtls_mpi_read_binary(&m, scalar, size); - mbedtls_mpi_read_binary(&P.X, x_coord, size); - mbedtls_mpi_read_binary(&P.Y, y_coord, size); + mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(X), x_coord, size); + mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(Y), y_coord, size); - mbedtls_mpi_lset(&P.Z, 1); + mbedtls_mpi_lset(&P.MBEDTLS_PRIVATE(Z), 1); ret = mbedtls_ecp_mul(&grp, &R, &m, &P, rng_wrapper, NULL); TEST_ASSERT_EQUAL(0, ret); - mbedtls_mpi_write_binary(&R.X, x, mbedtls_mpi_size(&R.X)); - mbedtls_mpi_write_binary(&R.Y, y, mbedtls_mpi_size(&R.Y)); + mbedtls_mpi_write_binary(&R.MBEDTLS_PRIVATE(X), x, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X))); + mbedtls_mpi_write_binary(&R.MBEDTLS_PRIVATE(Y), y, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y))); - TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.X))); - TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.Y))); + TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X)))); + TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y)))); mbedtls_ecp_point_free(&R); mbedtls_ecp_point_free(&P); @@ -232,9 +240,9 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con size = grp.pbits / 8; - mbedtls_mpi_read_binary(&P.X, x_coord, size); - mbedtls_mpi_read_binary(&P.Y, y_coord, size); - mbedtls_mpi_lset(&P.Z, 1); + mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(X), x_coord, size); + mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(Y), y_coord, size); + mbedtls_mpi_lset(&P.MBEDTLS_PRIVATE(Z), 1); ret = mbedtls_ecp_check_pubkey(&grp, &P); diff --git a/components/protocomm/src/security/security1.c b/components/protocomm/src/security/security1.c index 316747b673..f530055fab 100644 --- a/components/protocomm/src/security/security1.c +++ b/components/protocomm/src/security/security1.c @@ -10,23 +10,18 @@ #include #include -/* ToDo - Remove this once appropriate solution is available. -We need to define this for the file as ssl_misc.h uses private structures from mbedtls, -which are undefined if the following flag is not defined */ -/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */ -/* ToDo - Replace them with proper getter-setter once they are added */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -/* ToDo - Remove this once appropriate solution is available. - * Currently MBEDTLS_LEGACY_CONTEXT is enabled by default for MBEDTLS_ECP_RESTARTABLE +/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default + * when MBEDTLS_ECP_RESTARTABLE is enabled. * This is a temporary workaround to allow that. - * The LEGACY option is soon going to be removed in future mbedtls - * once it is removed we can remove the workaround. + * + * The legacy option is soon going to be removed in future mbedtls + * versions and this workaround will be removed once the appropriate + * solution is available. */ #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT -#define ACCESS_ECDH(S, var) S->var +#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(var) #else -#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var +#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var) #endif #include @@ -36,7 +31,6 @@ which are undefined if the following flag is not defined */ #include #include #include -#include #include #include @@ -249,7 +243,7 @@ static esp_err_t handle_session_command0(session_t *cur_session, goto exit_cmd0; } - mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).X, + mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).MBEDTLS_PRIVATE(X), cur_session->device_pubkey, PUBLIC_KEY_LEN); if (mbed_err != 0) { @@ -266,7 +260,7 @@ static esp_err_t handle_session_command0(session_t *cur_session, hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN); hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN); - mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).Z, 1); + mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).MBEDTLS_PRIVATE(Z), 1); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err); ret = ESP_FAIL; @@ -274,7 +268,7 @@ static esp_err_t handle_session_command0(session_t *cur_session, } flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN); - mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).X, cli_pubkey, PUBLIC_KEY_LEN); + mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).MBEDTLS_PRIVATE(X), cli_pubkey, PUBLIC_KEY_LEN); flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err); diff --git a/components/protocomm/test_apps/main/test_protocomm.c b/components/protocomm/test_apps/main/test_protocomm.c index dbf7ea4057..7160d90817 100644 --- a/components/protocomm/test_apps/main/test_protocomm.c +++ b/components/protocomm/test_apps/main/test_protocomm.c @@ -14,12 +14,19 @@ #include #include -/* ToDo - Remove this once appropriate solution is available. -We need to define this for the file as ssl_misc.h uses private structures from mbedtls, -which are undefined if the following flag is not defined */ -/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE()` */ -/* ToDo - Replace them with proper getter-setter once they are added */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS +/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default + * when MBEDTLS_ECP_RESTARTABLE is enabled. + * This is a temporary workaround to allow that. + * + * The legacy option is soon going to be removed in future mbedtls + * versions and this workaround will be removed once the appropriate + * solution is available. + */ +#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT +#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(var) +#else +#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var) +#endif #include #include @@ -155,24 +162,24 @@ static esp_err_t verify_response0(session_t *session, SessionData *resp) hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN); hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN); - ret = mbedtls_mpi_lset(&session->ctx_client.ctx.mbed_ecdh.Qp.Z, 1); + ret = mbedtls_mpi_lset(ACCESS_ECDH(&session->ctx_client, Qp).MBEDTLS_PRIVATE(Z), 1); if (ret != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : %d", ret); return ESP_FAIL; } flip_endian(session->device_pubkey, PUBLIC_KEY_LEN); - ret = mbedtls_mpi_read_binary(&session->ctx_client.ctx.mbed_ecdh.Qp.X, dev_pubkey, PUBLIC_KEY_LEN); + ret = mbedtls_mpi_read_binary(ACCESS_ECDH(&session->ctx_client, Qp).MBEDTLS_PRIVATE(X), dev_pubkey, PUBLIC_KEY_LEN); flip_endian(session->device_pubkey, PUBLIC_KEY_LEN); if (ret != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : %d", ret); return ESP_FAIL; } - ret = mbedtls_ecdh_compute_shared(&session->ctx_client.ctx.mbed_ecdh.grp, - &session->ctx_client.ctx.mbed_ecdh.z, - &session->ctx_client.ctx.mbed_ecdh.Qp, - &session->ctx_client.ctx.mbed_ecdh.d, + ret = mbedtls_ecdh_compute_shared(ACCESS_ECDH(&session->ctx_client, grp), + ACCESS_ECDH(&session->ctx_client, z), + ACCESS_ECDH(&session->ctx_client, Qp), + ACCESS_ECDH(&session->ctx_client, d), mbedtls_ctr_drbg_random, &session->ctr_drbg); if (ret != 0) { @@ -180,7 +187,7 @@ static esp_err_t verify_response0(session_t *session, SessionData *resp) return ESP_FAIL; } - ret = mbedtls_mpi_write_binary(&session->ctx_client.ctx.mbed_ecdh.z, session->sym_key, PUBLIC_KEY_LEN); + ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&session->ctx_client, z), session->sym_key, PUBLIC_KEY_LEN); if (ret != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : %d", ret); return ESP_FAIL; @@ -382,15 +389,15 @@ static esp_err_t test_sec_endpoint(session_t *session) goto abort_test_sec_endpoint; } - ret = mbedtls_ecp_group_load(&session->ctx_client.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519); + ret = mbedtls_ecp_group_load(ACCESS_ECDH(&session->ctx_client, grp), MBEDTLS_ECP_DP_CURVE25519); if (ret != 0) { ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : %d", ret); goto abort_test_sec_endpoint; } - ret = mbedtls_ecdh_gen_public(&session->ctx_client.ctx.mbed_ecdh.grp, - &session->ctx_client.ctx.mbed_ecdh.d, - &session->ctx_client.ctx.mbed_ecdh.Q, + ret = mbedtls_ecdh_gen_public(ACCESS_ECDH(&session->ctx_client, grp), + ACCESS_ECDH(&session->ctx_client, d), + ACCESS_ECDH(&session->ctx_client, Q), mbedtls_ctr_drbg_random, &session->ctr_drbg); if (ret != 0) { @@ -400,7 +407,7 @@ static esp_err_t test_sec_endpoint(session_t *session) if (session->weak) { /* Read zero client public key */ - ret = mbedtls_mpi_read_binary(&session->ctx_client.ctx.mbed_ecdh.Q.X, + ret = mbedtls_mpi_read_binary(ACCESS_ECDH(&session->ctx_client, Q).MBEDTLS_PRIVATE(X), session->client_pubkey, PUBLIC_KEY_LEN); if (ret != 0) { @@ -408,7 +415,7 @@ static esp_err_t test_sec_endpoint(session_t *session) goto abort_test_sec_endpoint; } } - ret = mbedtls_mpi_write_binary(&session->ctx_client.ctx.mbed_ecdh.Q.X, + ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&session->ctx_client, Q).MBEDTLS_PRIVATE(X), session->client_pubkey, PUBLIC_KEY_LEN); if (ret != 0) { @@ -557,7 +564,7 @@ static esp_err_t test_req_endpoint(session_t *session) // Check if the AES key is correctly set before calling the software encryption // API. Without this check, the code will crash, resulting in a test case failure. // For hardware AES, portability layer takes care of this. - if (session->ctx_aes.rk != NULL && session->ctx_aes.nr > 0) { + if (session->ctx_aes.MBEDTLS_PRIVATE(rk) != NULL && session->ctx_aes.MBEDTLS_PRIVATE(nr) > 0) { #endif mbedtls_aes_crypt_ctr(&session->ctx_aes, sizeof(rand_test_data), &session->nc_off,