mirror of
https://github.com/espressif/esp-idf.git
synced 2025-08-05 05:34:32 +02:00
Merge branch 'feature/mbedtls_private_cleanup' into 'master'
mbedtls: `MBEDTLS_PRIVATE` & `MBEDTLS_ALLOW_PRIVATE_ACCESS`-related cleanup Closes IDF-5861 See merge request espressif/esp-idf!20163
This commit is contained in:
@@ -458,10 +458,10 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
|
|||||||
size_t bytes = 0;
|
size_t bytes = 0;
|
||||||
|
|
||||||
while (cert) {
|
while (cert) {
|
||||||
bytes += cert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len);
|
bytes += cert->raw.len;
|
||||||
n++;
|
n++;
|
||||||
|
|
||||||
cert = cert->MBEDTLS_PRIVATE(next);
|
cert = cert->next;
|
||||||
}
|
}
|
||||||
|
|
||||||
*num = n;
|
*num = n;
|
||||||
@@ -473,14 +473,15 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
|
|||||||
void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
#ifdef CONFIG_MBEDTLS_DHM_C
|
#ifdef CONFIG_MBEDTLS_DHM_C
|
||||||
mbedtls_mpi_free((mbedtls_mpi *)&ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(dhm_P));
|
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
|
||||||
mbedtls_mpi_free((mbedtls_mpi *)&ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(dhm_G));
|
mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_P));
|
||||||
|
mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_G));
|
||||||
#endif /* CONFIG_MBEDTLS_DHM_C */
|
#endif /* CONFIG_MBEDTLS_DHM_C */
|
||||||
}
|
}
|
||||||
|
|
||||||
void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf);
|
mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
|
||||||
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next;
|
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next;
|
||||||
|
|
||||||
while (keycert) {
|
while (keycert) {
|
||||||
@@ -498,7 +499,8 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
|
|||||||
|
|
||||||
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
mbedtls_ssl_key_cert *keycert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
|
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
|
||||||
|
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
|
||||||
|
|
||||||
while (keycert) {
|
while (keycert) {
|
||||||
if (keycert->key) {
|
if (keycert->key) {
|
||||||
@@ -511,7 +513,8 @@ void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
|
|||||||
|
|
||||||
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
mbedtls_ssl_key_cert *keycert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
|
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
|
||||||
|
mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
|
||||||
|
|
||||||
while (keycert) {
|
while (keycert) {
|
||||||
if (keycert->cert) {
|
if (keycert->cert) {
|
||||||
@@ -527,7 +530,7 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
|
|||||||
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
|
void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
|
if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
|
||||||
mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf);
|
mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
|
||||||
|
|
||||||
mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
|
mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
|
||||||
conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
|
conf->MBEDTLS_PRIVATE(ca_chain) = NULL;
|
||||||
|
@@ -9,15 +9,19 @@
|
|||||||
#include <stddef.h>
|
#include <stddef.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
/* ToDo - Remove this once appropriate solution is available.
|
|
||||||
We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
|
/* TODO: Remove this once the appropriate solution is found
|
||||||
which are undefined if the following flag is not defined */
|
*
|
||||||
/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
|
* ssl_misc.h header uses private elements from
|
||||||
/* ToDo - Replace them with proper getter-setter once they are added */
|
* mbedtls, which become undefined if the following flag
|
||||||
|
* is not defined
|
||||||
|
*/
|
||||||
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
||||||
|
|
||||||
|
// located at mbedtls/library/ssl_misc.h
|
||||||
|
#include "ssl_misc.h"
|
||||||
|
|
||||||
#include "mbedtls/ssl.h"
|
#include "mbedtls/ssl.h"
|
||||||
#include "ssl_misc.h" // located at mbedtls/library/ssl_misc.h
|
|
||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
#include "esp_log.h"
|
#include "esp_log.h"
|
||||||
|
|
||||||
|
@@ -19,7 +19,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
{
|
{
|
||||||
int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
|
int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
|
||||||
|
|
||||||
if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
|
if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -103,7 +103,9 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
case MBEDTLS_SSL_CLIENT_CERTIFICATE:
|
case MBEDTLS_SSL_CLIENT_CERTIFICATE:
|
||||||
if (add) {
|
if (add) {
|
||||||
size_t buffer_len = 3;
|
size_t buffer_len = 3;
|
||||||
mbedtls_ssl_key_cert *key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
|
|
||||||
|
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
|
||||||
|
mbedtls_ssl_key_cert *key_cert = conf->MBEDTLS_PRIVATE(key_cert);
|
||||||
|
|
||||||
while (key_cert && key_cert->cert) {
|
while (key_cert && key_cert->cert) {
|
||||||
size_t num;
|
size_t num;
|
||||||
|
@@ -18,8 +18,8 @@ static const char *TAG = "SSL Server";
|
|||||||
*/
|
*/
|
||||||
static bool ssl_ciphersuite_uses_rsa_key_ex(mbedtls_ssl_context *ssl)
|
static bool ssl_ciphersuite_uses_rsa_key_ex(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
|
||||||
ssl->MBEDTLS_PRIVATE(handshake)->ciphersuite_info;
|
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
|
||||||
|
|
||||||
if (ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA ||
|
if (ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA ||
|
||||||
ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
|
||||||
@@ -34,7 +34,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
{
|
{
|
||||||
int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
|
int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
|
||||||
|
|
||||||
if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
|
if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -66,7 +66,9 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
|
|||||||
case MBEDTLS_SSL_SERVER_CERTIFICATE:
|
case MBEDTLS_SSL_SERVER_CERTIFICATE:
|
||||||
if (add) {
|
if (add) {
|
||||||
size_t buffer_len = 3;
|
size_t buffer_len = 3;
|
||||||
mbedtls_ssl_key_cert *key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
|
|
||||||
|
const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
|
||||||
|
mbedtls_ssl_key_cert *key_cert = conf->MBEDTLS_PRIVATE(key_cert);
|
||||||
|
|
||||||
while (key_cert && key_cert->cert) {
|
while (key_cert && key_cert->cert) {
|
||||||
size_t num;
|
size_t num;
|
||||||
|
@@ -8,11 +8,6 @@
|
|||||||
#include "soc/hwcrypto_periph.h"
|
#include "soc/hwcrypto_periph.h"
|
||||||
#include "ecc_impl.h"
|
#include "ecc_impl.h"
|
||||||
|
|
||||||
/* TBD: Remove this and use proper getter/setter methods to access
|
|
||||||
* private members of EC data structures once they are available
|
|
||||||
* in mbedTLS stack */
|
|
||||||
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
|
||||||
|
|
||||||
#include "mbedtls/ecp.h"
|
#include "mbedtls/ecp.h"
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
@@ -37,19 +32,19 @@ static int esp_mbedtls_ecp_point_multiply(const mbedtls_ecp_group *grp, mbedtls_
|
|||||||
|
|
||||||
p_pt.len = grp->pbits / 8;
|
p_pt.len = grp->pbits / 8;
|
||||||
|
|
||||||
memcpy(&p_pt.x, P->X.p, mbedtls_mpi_size(&P->X));
|
memcpy(&p_pt.x, P->MBEDTLS_PRIVATE(X).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&P->MBEDTLS_PRIVATE(X)));
|
||||||
memcpy(&p_pt.y, P->Y.p, mbedtls_mpi_size(&P->Y));
|
memcpy(&p_pt.y, P->MBEDTLS_PRIVATE(Y).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&P->MBEDTLS_PRIVATE(Y)));
|
||||||
|
|
||||||
ret = esp_ecc_point_multiply(&p_pt, (uint8_t *)m->p, &r_pt, false);
|
ret = esp_ecc_point_multiply(&p_pt, (uint8_t *)m->MBEDTLS_PRIVATE(p), &r_pt, false);
|
||||||
|
|
||||||
for (int i = 0; i < MAX_SIZE; i++) {
|
for (int i = 0; i < MAX_SIZE; i++) {
|
||||||
x_tmp[MAX_SIZE - i - 1] = r_pt.x[i];
|
x_tmp[MAX_SIZE - i - 1] = r_pt.x[i];
|
||||||
y_tmp[MAX_SIZE - i - 1] = r_pt.y[i];
|
y_tmp[MAX_SIZE - i - 1] = r_pt.y[i];
|
||||||
}
|
}
|
||||||
|
|
||||||
mbedtls_mpi_read_binary(&R->X, x_tmp, MAX_SIZE);
|
mbedtls_mpi_read_binary(&R->MBEDTLS_PRIVATE(X), x_tmp, MAX_SIZE);
|
||||||
mbedtls_mpi_read_binary(&R->Y, y_tmp, MAX_SIZE);
|
mbedtls_mpi_read_binary(&R->MBEDTLS_PRIVATE(Y), y_tmp, MAX_SIZE);
|
||||||
mbedtls_mpi_lset(&R->Z, 1);
|
mbedtls_mpi_lset(&R->MBEDTLS_PRIVATE(Z), 1);
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -94,13 +89,13 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
|
|||||||
ECP_VALIDATE_RET( pt != NULL );
|
ECP_VALIDATE_RET( pt != NULL );
|
||||||
|
|
||||||
/* Must use affine coordinates */
|
/* Must use affine coordinates */
|
||||||
if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
|
if( mbedtls_mpi_cmp_int( &pt->MBEDTLS_PRIVATE(Z), 1 ) != 0 )
|
||||||
return( MBEDTLS_ERR_ECP_INVALID_KEY );
|
return( MBEDTLS_ERR_ECP_INVALID_KEY );
|
||||||
|
|
||||||
mbedtls_platform_zeroize((void *)&point, sizeof(ecc_point_t));
|
mbedtls_platform_zeroize((void *)&point, sizeof(ecc_point_t));
|
||||||
|
|
||||||
memcpy(&point.x, pt->X.p, mbedtls_mpi_size(&pt->X));
|
memcpy(&point.x, pt->MBEDTLS_PRIVATE(X).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&pt->MBEDTLS_PRIVATE(X)));
|
||||||
memcpy(&point.y, pt->Y.p, mbedtls_mpi_size(&pt->Y));
|
memcpy(&point.y, pt->MBEDTLS_PRIVATE(Y).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&pt->MBEDTLS_PRIVATE(Y)));
|
||||||
|
|
||||||
point.len = grp->pbits / 8;
|
point.len = grp->pbits / 8;
|
||||||
|
|
||||||
|
@@ -83,4 +83,12 @@ int mbedtls_timing_get_delay( void *data )
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get the final delay.
|
||||||
|
*/
|
||||||
|
uint32_t mbedtls_timing_get_final_delay( const mbedtls_timing_delay_context *data )
|
||||||
|
{
|
||||||
|
return( data->MBEDTLS_PRIVATE(fin_ms) );
|
||||||
|
}
|
||||||
|
|
||||||
#endif /* MBEDTLS_ESP_TIMING_C */
|
#endif /* MBEDTLS_ESP_TIMING_C */
|
||||||
|
@@ -12,13 +12,6 @@
|
|||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include <esp_random.h>
|
#include <esp_random.h>
|
||||||
|
|
||||||
/* ToDo - Remove this once appropriate solution is available.
|
|
||||||
We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
|
|
||||||
which are undefined if the following flag is not defined */
|
|
||||||
/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
|
|
||||||
/* ToDo - Replace them with proper getter-setter once they are added */
|
|
||||||
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
|
||||||
|
|
||||||
#include <mbedtls/entropy.h>
|
#include <mbedtls/entropy.h>
|
||||||
#include <mbedtls/ctr_drbg.h>
|
#include <mbedtls/ctr_drbg.h>
|
||||||
#include <mbedtls/ecdh.h>
|
#include <mbedtls/ecdh.h>
|
||||||
@@ -31,6 +24,20 @@ which are undefined if the following flag is not defined */
|
|||||||
error hex value (mbedTLS uses -N for error codes) */
|
error hex value (mbedTLS uses -N for error codes) */
|
||||||
#define TEST_ASSERT_MBEDTLS_OK(X) TEST_ASSERT_EQUAL_HEX32(0, -(X))
|
#define TEST_ASSERT_MBEDTLS_OK(X) TEST_ASSERT_EQUAL_HEX32(0, -(X))
|
||||||
|
|
||||||
|
/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default
|
||||||
|
* when MBEDTLS_ECP_RESTARTABLE is enabled.
|
||||||
|
* This is a temporary workaround to allow that.
|
||||||
|
*
|
||||||
|
* The legacy option is soon going to be removed in future mbedtls
|
||||||
|
* versions and this workaround will be removed once the appropriate
|
||||||
|
* solution is available.
|
||||||
|
*/
|
||||||
|
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||||
|
#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(var)
|
||||||
|
#else
|
||||||
|
#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
|
||||||
|
#endif
|
||||||
|
|
||||||
TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]")
|
TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]")
|
||||||
{
|
{
|
||||||
mbedtls_ecdh_context ctx;
|
mbedtls_ecdh_context ctx;
|
||||||
@@ -43,9 +50,9 @@ TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]")
|
|||||||
mbedtls_entropy_init(&entropy);
|
mbedtls_entropy_init(&entropy);
|
||||||
TEST_ASSERT_MBEDTLS_OK( mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) );
|
TEST_ASSERT_MBEDTLS_OK( mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) );
|
||||||
|
|
||||||
TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(&ctx.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519) );
|
TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(ACCESS_ECDH(&ctx, grp), MBEDTLS_ECP_DP_CURVE25519) );
|
||||||
|
|
||||||
TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(&ctx.ctx.mbed_ecdh.grp, &ctx.ctx.mbed_ecdh.d, &ctx.ctx.mbed_ecdh.Q,
|
TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q),
|
||||||
mbedtls_ctr_drbg_random, &ctr_drbg ) );
|
mbedtls_ctr_drbg_random, &ctr_drbg ) );
|
||||||
|
|
||||||
mbedtls_ecdh_free(&ctx);
|
mbedtls_ecdh_free(&ctx);
|
||||||
@@ -77,7 +84,8 @@ TEST_CASE("mbedtls ECP mul w/ koblitz", "[mbedtls]")
|
|||||||
mbedtls_ctr_drbg_random, &ctxRandom) );
|
mbedtls_ctr_drbg_random, &ctxRandom) );
|
||||||
|
|
||||||
|
|
||||||
TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.grp, &ctxECDSA.Q, &ctxECDSA.d, &ctxECDSA.grp.G,
|
TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.MBEDTLS_PRIVATE(grp), &ctxECDSA.MBEDTLS_PRIVATE(Q),
|
||||||
|
&ctxECDSA.MBEDTLS_PRIVATE(d), &ctxECDSA.MBEDTLS_PRIVATE(grp).G,
|
||||||
mbedtls_ctr_drbg_random, &ctxRandom) );
|
mbedtls_ctr_drbg_random, &ctxRandom) );
|
||||||
|
|
||||||
mbedtls_ecdsa_free(&ctxECDSA);
|
mbedtls_ecdsa_free(&ctxECDSA);
|
||||||
@@ -184,20 +192,20 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const
|
|||||||
|
|
||||||
mbedtls_mpi_read_binary(&m, scalar, size);
|
mbedtls_mpi_read_binary(&m, scalar, size);
|
||||||
|
|
||||||
mbedtls_mpi_read_binary(&P.X, x_coord, size);
|
mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(X), x_coord, size);
|
||||||
mbedtls_mpi_read_binary(&P.Y, y_coord, size);
|
mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(Y), y_coord, size);
|
||||||
|
|
||||||
mbedtls_mpi_lset(&P.Z, 1);
|
mbedtls_mpi_lset(&P.MBEDTLS_PRIVATE(Z), 1);
|
||||||
|
|
||||||
ret = mbedtls_ecp_mul(&grp, &R, &m, &P, rng_wrapper, NULL);
|
ret = mbedtls_ecp_mul(&grp, &R, &m, &P, rng_wrapper, NULL);
|
||||||
|
|
||||||
TEST_ASSERT_EQUAL(0, ret);
|
TEST_ASSERT_EQUAL(0, ret);
|
||||||
|
|
||||||
mbedtls_mpi_write_binary(&R.X, x, mbedtls_mpi_size(&R.X));
|
mbedtls_mpi_write_binary(&R.MBEDTLS_PRIVATE(X), x, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X)));
|
||||||
mbedtls_mpi_write_binary(&R.Y, y, mbedtls_mpi_size(&R.Y));
|
mbedtls_mpi_write_binary(&R.MBEDTLS_PRIVATE(Y), y, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y)));
|
||||||
|
|
||||||
TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.X)));
|
TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X))));
|
||||||
TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.Y)));
|
TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y))));
|
||||||
|
|
||||||
mbedtls_ecp_point_free(&R);
|
mbedtls_ecp_point_free(&R);
|
||||||
mbedtls_ecp_point_free(&P);
|
mbedtls_ecp_point_free(&P);
|
||||||
@@ -232,9 +240,9 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con
|
|||||||
|
|
||||||
size = grp.pbits / 8;
|
size = grp.pbits / 8;
|
||||||
|
|
||||||
mbedtls_mpi_read_binary(&P.X, x_coord, size);
|
mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(X), x_coord, size);
|
||||||
mbedtls_mpi_read_binary(&P.Y, y_coord, size);
|
mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(Y), y_coord, size);
|
||||||
mbedtls_mpi_lset(&P.Z, 1);
|
mbedtls_mpi_lset(&P.MBEDTLS_PRIVATE(Z), 1);
|
||||||
|
|
||||||
ret = mbedtls_ecp_check_pubkey(&grp, &P);
|
ret = mbedtls_ecp_check_pubkey(&grp, &P);
|
||||||
|
|
||||||
|
@@ -10,23 +10,18 @@
|
|||||||
#include <esp_err.h>
|
#include <esp_err.h>
|
||||||
#include <esp_log.h>
|
#include <esp_log.h>
|
||||||
|
|
||||||
/* ToDo - Remove this once appropriate solution is available.
|
/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default
|
||||||
We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
|
* when MBEDTLS_ECP_RESTARTABLE is enabled.
|
||||||
which are undefined if the following flag is not defined */
|
|
||||||
/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
|
|
||||||
/* ToDo - Replace them with proper getter-setter once they are added */
|
|
||||||
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
|
||||||
|
|
||||||
/* ToDo - Remove this once appropriate solution is available.
|
|
||||||
* Currently MBEDTLS_LEGACY_CONTEXT is enabled by default for MBEDTLS_ECP_RESTARTABLE
|
|
||||||
* This is a temporary workaround to allow that.
|
* This is a temporary workaround to allow that.
|
||||||
* The LEGACY option is soon going to be removed in future mbedtls
|
*
|
||||||
* once it is removed we can remove the workaround.
|
* The legacy option is soon going to be removed in future mbedtls
|
||||||
|
* versions and this workaround will be removed once the appropriate
|
||||||
|
* solution is available.
|
||||||
*/
|
*/
|
||||||
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
|
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||||
#define ACCESS_ECDH(S, var) S->var
|
#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(var)
|
||||||
#else
|
#else
|
||||||
#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var
|
#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <mbedtls/aes.h>
|
#include <mbedtls/aes.h>
|
||||||
@@ -36,7 +31,6 @@ which are undefined if the following flag is not defined */
|
|||||||
#include <mbedtls/ecdh.h>
|
#include <mbedtls/ecdh.h>
|
||||||
#include <mbedtls/error.h>
|
#include <mbedtls/error.h>
|
||||||
#include <mbedtls/constant_time.h>
|
#include <mbedtls/constant_time.h>
|
||||||
#include <ssl_misc.h>
|
|
||||||
|
|
||||||
#include <protocomm_security.h>
|
#include <protocomm_security.h>
|
||||||
#include <protocomm_security1.h>
|
#include <protocomm_security1.h>
|
||||||
@@ -249,7 +243,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
|
|||||||
goto exit_cmd0;
|
goto exit_cmd0;
|
||||||
}
|
}
|
||||||
|
|
||||||
mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).X,
|
mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).MBEDTLS_PRIVATE(X),
|
||||||
cur_session->device_pubkey,
|
cur_session->device_pubkey,
|
||||||
PUBLIC_KEY_LEN);
|
PUBLIC_KEY_LEN);
|
||||||
if (mbed_err != 0) {
|
if (mbed_err != 0) {
|
||||||
@@ -266,7 +260,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
|
|||||||
hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
|
hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
|
||||||
hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
|
hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
|
||||||
|
|
||||||
mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).Z, 1);
|
mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).MBEDTLS_PRIVATE(Z), 1);
|
||||||
if (mbed_err != 0) {
|
if (mbed_err != 0) {
|
||||||
ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err);
|
ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err);
|
||||||
ret = ESP_FAIL;
|
ret = ESP_FAIL;
|
||||||
@@ -274,7 +268,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
|
|||||||
}
|
}
|
||||||
|
|
||||||
flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
|
flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
|
||||||
mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).X, cli_pubkey, PUBLIC_KEY_LEN);
|
mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).MBEDTLS_PRIVATE(X), cli_pubkey, PUBLIC_KEY_LEN);
|
||||||
flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
|
flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
|
||||||
if (mbed_err != 0) {
|
if (mbed_err != 0) {
|
||||||
ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err);
|
ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err);
|
||||||
|
@@ -14,12 +14,19 @@
|
|||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
#include <unity.h>
|
#include <unity.h>
|
||||||
|
|
||||||
/* ToDo - Remove this once appropriate solution is available.
|
/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default
|
||||||
We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
|
* when MBEDTLS_ECP_RESTARTABLE is enabled.
|
||||||
which are undefined if the following flag is not defined */
|
* This is a temporary workaround to allow that.
|
||||||
/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE()` */
|
*
|
||||||
/* ToDo - Replace them with proper getter-setter once they are added */
|
* The legacy option is soon going to be removed in future mbedtls
|
||||||
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
|
* versions and this workaround will be removed once the appropriate
|
||||||
|
* solution is available.
|
||||||
|
*/
|
||||||
|
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
|
||||||
|
#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(var)
|
||||||
|
#else
|
||||||
|
#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
|
||||||
|
#endif
|
||||||
|
|
||||||
#include <mbedtls/aes.h>
|
#include <mbedtls/aes.h>
|
||||||
#include <mbedtls/sha256.h>
|
#include <mbedtls/sha256.h>
|
||||||
@@ -155,24 +162,24 @@ static esp_err_t verify_response0(session_t *session, SessionData *resp)
|
|||||||
hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
|
hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
|
||||||
hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
|
hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
|
||||||
|
|
||||||
ret = mbedtls_mpi_lset(&session->ctx_client.ctx.mbed_ecdh.Qp.Z, 1);
|
ret = mbedtls_mpi_lset(ACCESS_ECDH(&session->ctx_client, Qp).MBEDTLS_PRIVATE(Z), 1);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : %d", ret);
|
ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : %d", ret);
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
flip_endian(session->device_pubkey, PUBLIC_KEY_LEN);
|
flip_endian(session->device_pubkey, PUBLIC_KEY_LEN);
|
||||||
ret = mbedtls_mpi_read_binary(&session->ctx_client.ctx.mbed_ecdh.Qp.X, dev_pubkey, PUBLIC_KEY_LEN);
|
ret = mbedtls_mpi_read_binary(ACCESS_ECDH(&session->ctx_client, Qp).MBEDTLS_PRIVATE(X), dev_pubkey, PUBLIC_KEY_LEN);
|
||||||
flip_endian(session->device_pubkey, PUBLIC_KEY_LEN);
|
flip_endian(session->device_pubkey, PUBLIC_KEY_LEN);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : %d", ret);
|
ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : %d", ret);
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_ecdh_compute_shared(&session->ctx_client.ctx.mbed_ecdh.grp,
|
ret = mbedtls_ecdh_compute_shared(ACCESS_ECDH(&session->ctx_client, grp),
|
||||||
&session->ctx_client.ctx.mbed_ecdh.z,
|
ACCESS_ECDH(&session->ctx_client, z),
|
||||||
&session->ctx_client.ctx.mbed_ecdh.Qp,
|
ACCESS_ECDH(&session->ctx_client, Qp),
|
||||||
&session->ctx_client.ctx.mbed_ecdh.d,
|
ACCESS_ECDH(&session->ctx_client, d),
|
||||||
mbedtls_ctr_drbg_random,
|
mbedtls_ctr_drbg_random,
|
||||||
&session->ctr_drbg);
|
&session->ctr_drbg);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
@@ -180,7 +187,7 @@ static esp_err_t verify_response0(session_t *session, SessionData *resp)
|
|||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_mpi_write_binary(&session->ctx_client.ctx.mbed_ecdh.z, session->sym_key, PUBLIC_KEY_LEN);
|
ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&session->ctx_client, z), session->sym_key, PUBLIC_KEY_LEN);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : %d", ret);
|
ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : %d", ret);
|
||||||
return ESP_FAIL;
|
return ESP_FAIL;
|
||||||
@@ -382,15 +389,15 @@ static esp_err_t test_sec_endpoint(session_t *session)
|
|||||||
goto abort_test_sec_endpoint;
|
goto abort_test_sec_endpoint;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_ecp_group_load(&session->ctx_client.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519);
|
ret = mbedtls_ecp_group_load(ACCESS_ECDH(&session->ctx_client, grp), MBEDTLS_ECP_DP_CURVE25519);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : %d", ret);
|
ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : %d", ret);
|
||||||
goto abort_test_sec_endpoint;
|
goto abort_test_sec_endpoint;
|
||||||
}
|
}
|
||||||
|
|
||||||
ret = mbedtls_ecdh_gen_public(&session->ctx_client.ctx.mbed_ecdh.grp,
|
ret = mbedtls_ecdh_gen_public(ACCESS_ECDH(&session->ctx_client, grp),
|
||||||
&session->ctx_client.ctx.mbed_ecdh.d,
|
ACCESS_ECDH(&session->ctx_client, d),
|
||||||
&session->ctx_client.ctx.mbed_ecdh.Q,
|
ACCESS_ECDH(&session->ctx_client, Q),
|
||||||
mbedtls_ctr_drbg_random,
|
mbedtls_ctr_drbg_random,
|
||||||
&session->ctr_drbg);
|
&session->ctr_drbg);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
@@ -400,7 +407,7 @@ static esp_err_t test_sec_endpoint(session_t *session)
|
|||||||
|
|
||||||
if (session->weak) {
|
if (session->weak) {
|
||||||
/* Read zero client public key */
|
/* Read zero client public key */
|
||||||
ret = mbedtls_mpi_read_binary(&session->ctx_client.ctx.mbed_ecdh.Q.X,
|
ret = mbedtls_mpi_read_binary(ACCESS_ECDH(&session->ctx_client, Q).MBEDTLS_PRIVATE(X),
|
||||||
session->client_pubkey,
|
session->client_pubkey,
|
||||||
PUBLIC_KEY_LEN);
|
PUBLIC_KEY_LEN);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
@@ -408,7 +415,7 @@ static esp_err_t test_sec_endpoint(session_t *session)
|
|||||||
goto abort_test_sec_endpoint;
|
goto abort_test_sec_endpoint;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
ret = mbedtls_mpi_write_binary(&session->ctx_client.ctx.mbed_ecdh.Q.X,
|
ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&session->ctx_client, Q).MBEDTLS_PRIVATE(X),
|
||||||
session->client_pubkey,
|
session->client_pubkey,
|
||||||
PUBLIC_KEY_LEN);
|
PUBLIC_KEY_LEN);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
@@ -557,7 +564,7 @@ static esp_err_t test_req_endpoint(session_t *session)
|
|||||||
// Check if the AES key is correctly set before calling the software encryption
|
// Check if the AES key is correctly set before calling the software encryption
|
||||||
// API. Without this check, the code will crash, resulting in a test case failure.
|
// API. Without this check, the code will crash, resulting in a test case failure.
|
||||||
// For hardware AES, portability layer takes care of this.
|
// For hardware AES, portability layer takes care of this.
|
||||||
if (session->ctx_aes.rk != NULL && session->ctx_aes.nr > 0) {
|
if (session->ctx_aes.MBEDTLS_PRIVATE(rk) != NULL && session->ctx_aes.MBEDTLS_PRIVATE(nr) > 0) {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
mbedtls_aes_crypt_ctr(&session->ctx_aes, sizeof(rand_test_data), &session->nc_off,
|
mbedtls_aes_crypt_ctr(&session->ctx_aes, sizeof(rand_test_data), &session->nc_off,
|
||||||
|
Reference in New Issue
Block a user