diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index e79228c3ae..5e3dc50da5 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -189,7 +189,7 @@ menu "mbedTLS" config MBEDTLS_ECDH_LEGACY_CONTEXT bool "Use a backward compatible ECDH context (Experimental)" - default y + default n depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE help Use the legacy ECDH context format. @@ -327,6 +327,7 @@ menu "mbedTLS" config MBEDTLS_ECP_RESTARTABLE bool "Enable mbedTLS ecp restartable" + select MBEDTLS_ECDH_LEGACY_CONTEXT default n help Enable "non-blocking" ECC operations that can return early and be resumed. diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 4c30cab2fd..90d2d7c211 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -2696,8 +2696,8 @@ #include MBEDTLS_USER_CONFIG_FILE #endif -/* Define this flag for now */ -/* To Do - while updating to v3.0 remove all the code where this flag is used */ +/* This flag makes sure that we are not using + * any functino that is deprecated by mbedtls */ #define MBEDTLS_DEPRECATED_REMOVED #endif /* ESP_CONFIG_H */ diff --git a/components/mbedtls/port/sha/dma/esp_sha256.c b/components/mbedtls/port/sha/dma/esp_sha256.c index 88932c92af..8934913b9f 100644 --- a/components/mbedtls/port/sha/dma/esp_sha256.c +++ b/components/mbedtls/port/sha/dma/esp_sha256.c @@ -100,15 +100,6 @@ int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, - int is224 ) -{ - mbedtls_sha256_starts( ctx, is224 ); -} -#endif - - int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ) { int ret; @@ -119,14 +110,6 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned return ret; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_process( mbedtls_sha256_context *ctx, - const unsigned char data[64] ) -{ - mbedtls_internal_sha256_process( ctx, data ); -} -#endif - /* * SHA-256 process buffer */ @@ -192,15 +175,6 @@ int mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *inp return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_update( mbedtls_sha256_context *ctx, - const unsigned char *input, - size_t ilen ) -{ - mbedtls_sha256_update( ctx, input, ilen ); -} -#endif - static const unsigned char sha256_padding[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -241,12 +215,4 @@ int mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32] return ret; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, - unsigned char output[32] ) -{ - mbedtls_sha256_finish( ctx, output ); -} -#endif - #endif /* MBEDTLS_SHA256_C && MBEDTLS_SHA256_ALT */ diff --git a/components/mbedtls/port/sha/dma/esp_sha512.c b/components/mbedtls/port/sha/dma/esp_sha512.c index 71be824223..197d7e8b31 100644 --- a/components/mbedtls/port/sha/dma/esp_sha512.c +++ b/components/mbedtls/port/sha/dma/esp_sha512.c @@ -122,14 +122,6 @@ int mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ) return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, - int is384 ) -{ - mbedtls_sha512_starts( ctx, is384 ); -} -#endif - static int esp_internal_sha512_dma_process(mbedtls_sha512_context *ctx, const uint8_t *data, size_t len, uint8_t *buf, size_t buf_len) @@ -152,14 +144,6 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, const unsigned } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_process( mbedtls_sha512_context *ctx, - const unsigned char data[128] ) -{ - mbedtls_internal_sha512_process( ctx, data ); -} -#endif - /* * SHA-512 process buffer */ @@ -233,16 +217,6 @@ int mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *inp return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_update( mbedtls_sha512_context *ctx, - const unsigned char *input, - size_t ilen ) -{ - mbedtls_sha512_update( ctx, input, ilen ); -} -#endif - - static const unsigned char sha512_padding[128] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -291,12 +265,4 @@ int mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64] return ret; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, - unsigned char output[64] ) -{ - mbedtls_sha512_finish( ctx, output ); -} -#endif - #endif /* MBEDTLS_SHA512_C && MBEDTLS_SHA512_ALT */ diff --git a/components/mbedtls/port/sha/parallel_engine/esp_sha1.c b/components/mbedtls/port/sha/parallel_engine/esp_sha1.c index 9728657f92..a5061ff933 100644 --- a/components/mbedtls/port/sha/parallel_engine/esp_sha1.c +++ b/components/mbedtls/port/sha/parallel_engine/esp_sha1.c @@ -145,15 +145,6 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, const unsigned cha return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha1_process( mbedtls_sha1_context *ctx, - const unsigned char data[64] ) -{ - mbedtls_internal_sha1_process( ctx, data ); -} -#endif - - static void mbedtls_sha1_software_process( mbedtls_sha1_context *ctx, const unsigned char data[64] ) { uint32_t temp, W[16], A, B, C, D, E; @@ -361,15 +352,6 @@ int mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha1_update( mbedtls_sha1_context *ctx, - const unsigned char *input, - size_t ilen ) -{ - mbedtls_sha1_update( ctx, input, ilen ); -} -#endif - static const unsigned char sha1_padding[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -424,12 +406,4 @@ out: return ret; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, - unsigned char output[20] ) -{ - mbedtls_sha1_finish( ctx, output ); -} -#endif - #endif /* MBEDTLS_SHA1_C && MBEDTLS_SHA1_ALT */ diff --git a/components/mbedtls/port/sha/parallel_engine/esp_sha256.c b/components/mbedtls/port/sha/parallel_engine/esp_sha256.c index c0d8ded187..3efa1113bf 100644 --- a/components/mbedtls/port/sha/parallel_engine/esp_sha256.c +++ b/components/mbedtls/port/sha/parallel_engine/esp_sha256.c @@ -135,14 +135,6 @@ int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 ) return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_starts( mbedtls_sha256_context *ctx, - int is224 ) -{ - mbedtls_sha256_starts( ctx, is224 ); -} -#endif - static const uint32_t K[] = { 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5, 0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5, @@ -212,14 +204,6 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_process( mbedtls_sha256_context *ctx, - const unsigned char data[64] ) -{ - mbedtls_internal_sha256_process( ctx, data ); -} -#endif - static void mbedtls_sha256_software_process( mbedtls_sha256_context *ctx, const unsigned char data[64] ) { uint32_t temp1, temp2, W[64]; @@ -328,15 +312,6 @@ int mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *inp return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_update( mbedtls_sha256_context *ctx, - const unsigned char *input, - size_t ilen ) -{ - mbedtls_sha256_update( ctx, input, ilen ); -} -#endif - static const unsigned char sha256_padding[64] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -398,12 +373,4 @@ out: return ret; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha256_finish( mbedtls_sha256_context *ctx, - unsigned char output[32] ) -{ - mbedtls_sha256_finish( ctx, output ); -} -#endif - #endif /* MBEDTLS_SHA256_C && MBEDTLS_SHA256_ALT */ diff --git a/components/mbedtls/port/sha/parallel_engine/esp_sha512.c b/components/mbedtls/port/sha/parallel_engine/esp_sha512.c index 6bda71a1f0..6b39100c2b 100644 --- a/components/mbedtls/port/sha/parallel_engine/esp_sha512.c +++ b/components/mbedtls/port/sha/parallel_engine/esp_sha512.c @@ -160,14 +160,6 @@ int mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 ) return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_starts( mbedtls_sha512_context *ctx, - int is384 ) -{ - mbedtls_sha512_starts( ctx, is384 ); -} -#endif - /* * Round constants */ @@ -239,15 +231,6 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, const unsigned return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_process( mbedtls_sha512_context *ctx, - const unsigned char data[128] ) -{ - mbedtls_internal_sha512_process( ctx, data ); -} -#endif - - static void mbedtls_sha512_software_process( mbedtls_sha512_context *ctx, const unsigned char data[128] ) { int i; @@ -363,16 +346,6 @@ int mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *inp return 0; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_update( mbedtls_sha512_context *ctx, - const unsigned char *input, - size_t ilen ) -{ - mbedtls_sha512_update( ctx, input, ilen ); -} -#endif - - static const unsigned char sha512_padding[128] = { 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, @@ -438,12 +411,4 @@ out: return ret; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_sha512_finish( mbedtls_sha512_context *ctx, - unsigned char output[64] ) -{ - mbedtls_sha512_finish( ctx, output ); -} -#endif - #endif /* MBEDTLS_SHA512_C && MBEDTLS_SHA512_ALT */ diff --git a/components/protocomm/src/security/security1.c b/components/protocomm/src/security/security1.c index 8192ba8c40..2a5bc0d51c 100644 --- a/components/protocomm/src/security/security1.c +++ b/components/protocomm/src/security/security1.c @@ -17,6 +17,18 @@ which are undefined if the following flag is not defined */ /* ToDo - Replace them with proper getter-setter once they are added */ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +/* ToDo - Remove this once appropriate solution is available. + * Currently MBEDTLS_LEGACY_CONTEXT is enabled by default for MBEDTLS_ECP_RESTARTABLE + * This is a temporary workaround to allow that. + * The LEGACY option is soon going to be removed in future mbedtls + * once it is removed we can remove the workaround. + */ +#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT +#define ACCESS_ECDH(S, var) S->var +#else +#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var +#endif + #include #include #include @@ -222,14 +234,14 @@ static esp_err_t handle_session_command0(session_t *cur_session, goto exit_cmd0; } - mbed_err = mbedtls_ecp_group_load(&ctx_server->ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519); + mbed_err = mbedtls_ecp_group_load(ACCESS_ECDH(&ctx_server, grp), MBEDTLS_ECP_DP_CURVE25519); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : -0x%x", -mbed_err); ret = ESP_FAIL; goto exit_cmd0; } - mbed_err = mbedtls_ecdh_gen_public(&ctx_server->ctx.mbed_ecdh.grp, &ctx_server->ctx.mbed_ecdh.d, &ctx_server->ctx.mbed_ecdh.Q, + mbed_err = mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx_server, grp), ACCESS_ECDH(&ctx_server, d), ACCESS_ECDH(&ctx_server, Q), mbedtls_ctr_drbg_random, ctr_drbg); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_ecdh_gen_public with error code : -0x%x", -mbed_err); @@ -237,7 +249,7 @@ static esp_err_t handle_session_command0(session_t *cur_session, goto exit_cmd0; } - mbed_err = mbedtls_mpi_write_binary(&ctx_server->ctx.mbed_ecdh.Q.X, + mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).X, cur_session->device_pubkey, PUBLIC_KEY_LEN); if (mbed_err != 0) { @@ -254,7 +266,7 @@ static esp_err_t handle_session_command0(session_t *cur_session, hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN); hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN); - mbed_err = mbedtls_mpi_lset(&ctx_server->ctx.mbed_ecdh.Qp.Z, 1); + mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).Z, 1); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err); ret = ESP_FAIL; @@ -262,7 +274,7 @@ static esp_err_t handle_session_command0(session_t *cur_session, } flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN); - mbed_err = mbedtls_mpi_read_binary(&ctx_server->ctx.mbed_ecdh.Qp.X, cli_pubkey, PUBLIC_KEY_LEN); + mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).X, cli_pubkey, PUBLIC_KEY_LEN); flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err); @@ -270,15 +282,15 @@ static esp_err_t handle_session_command0(session_t *cur_session, goto exit_cmd0; } - mbed_err = mbedtls_ecdh_compute_shared(&ctx_server->ctx.mbed_ecdh.grp, &ctx_server->ctx.mbed_ecdh.z, &ctx_server->ctx.mbed_ecdh.Qp, - &ctx_server->ctx.mbed_ecdh.d, mbedtls_ctr_drbg_random, ctr_drbg); + mbed_err = mbedtls_ecdh_compute_shared(ACCESS_ECDH(&ctx_server, grp), ACCESS_ECDH(&ctx_server, z), ACCESS_ECDH(&ctx_server, Qp), + ACCESS_ECDH(&ctx_server, d), mbedtls_ctr_drbg_random, ctr_drbg); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_ecdh_compute_shared with error code : -0x%x", -mbed_err); ret = ESP_FAIL; goto exit_cmd0; } - mbed_err = mbedtls_mpi_write_binary(&ctx_server->ctx.mbed_ecdh.z, cur_session->sym_key, PUBLIC_KEY_LEN); + mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, z), cur_session->sym_key, PUBLIC_KEY_LEN); if (mbed_err != 0) { ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : -0x%x", -mbed_err); ret = ESP_FAIL;