
mbedtls 3.X update:
*MBEDTLS_ECDH_LEGACY_CONTEXT is now disabled by default.
*Fixed MBEDTLS_ECDH_LEGACY_CONTEXT issue for protocomm component.
*Removed all code under MBEDTLS_DEPRECATED_REMOVED

Aditya Patwardhan 4 лет назад
Родитель
Сommit
66a9243d3b

+ 2 - 1
components/mbedtls/Kconfig

@@ -189,7 +189,7 @@ menu "mbedTLS"
 
         config MBEDTLS_ECDH_LEGACY_CONTEXT
             bool "Use a backward compatible ECDH context (Experimental)"
-            default y
+            default n
             depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE
             help
                 Use the legacy ECDH context format.
@@ -327,6 +327,7 @@ menu "mbedTLS"
 
     config MBEDTLS_ECP_RESTARTABLE
         bool "Enable mbedTLS ecp restartable"
+        select MBEDTLS_ECDH_LEGACY_CONTEXT
         default n
         help
             Enable "non-blocking" ECC operations that can return early and be resumed.
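Review bot: The `select MBEDTLS_ECDH_LEGACY_CONTEXT` added under MBEDTLS_ECP_RESTARTABLE overrides the target's own `depends on MBEDTLS_ECDH_C && MBEDTLS_ECP_RESTARTABLE`, because `select` forces a symbol on without checking its dependencies. If MBEDTLS_ECP_RESTARTABLE can be enabled while MBEDTLS_ECDH_C is off (its own dependencies are not visible in this hunk), the legacy context is forced on with an unmet dependency; `select MBEDTLS_ECDH_LEGACY_CONTEXT if MBEDTLS_ECDH_C` would avoid that. The select also makes the prompt and the `default n` from the first hunk inert, since the option is only visible when MBEDTLS_ECP_RESTARTABLE is set and is then always forced to y. It would be clearer to drop the prompt and state in the help text that the option follows MBEDTLS_ECP_RESTARTABLE.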

+ 2 - 2
components/mbedtls/port/include/mbedtls/esp_config.h

@@ -2696,8 +2696,8 @@
 #include MBEDTLS_USER_CONFIG_FILE
 #endif
 
-/* Define this flag for now */
-/* To Do - while updating to v3.0 remove all the code where this flag is used */
+/* This flag makes sure that we are not using
+ * any functino that is deprecated by mbedtls */
 #define MBEDTLS_DEPRECATED_REMOVED
 
 #endif /* ESP_CONFIG_H */
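Review bot: The new comment above `#define MBEDTLS_DEPRECATED_REMOVED` misspells "function" as "functino". It would also help to state the effect rather than the intent, for example `/* Drop deprecated mbedtls APIs from the build so that any remaining use fails at compile time */`.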

+ 0 - 34
components/mbedtls/port/sha/dma/esp_sha256.c

@@ -100,15 +100,6 @@ int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
-                            int is224 )
-{
-    mbedtls_sha256_starts( ctx, is224 );
-}
-#endif
-
-
 int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
 {
     int ret;
@@ -119,14 +110,6 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned
     return ret;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
-                             const unsigned char data[64] )
-{
-    mbedtls_internal_sha256_process( ctx, data );
-}
-#endif
-
 /*
  * SHA-256 process buffer
  */
@@ -192,15 +175,6 @@ int mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *inp
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
-                            const unsigned char *input,
-                            size_t ilen )
-{
-    mbedtls_sha256_update( ctx, input, ilen );
-}
-#endif
-
 static const unsigned char sha256_padding[64] = {
     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
@@ -241,12 +215,4 @@ int mbedtls_sha256_finish( mbedtls_sha256_context *ctx, unsigned char output[32]
     return ret;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
-                            unsigned char output[32] )
-{
-    mbedtls_sha256_finish( ctx, output );
-}
-#endif
-
 #endif /* MBEDTLS_SHA256_C && MBEDTLS_SHA256_ALT */

+ 0 - 34
components/mbedtls/port/sha/dma/esp_sha512.c

@@ -122,14 +122,6 @@ int mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 )
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
-                            int is384 )
-{
-    mbedtls_sha512_starts( ctx, is384 );
-}
-#endif
-
 static int esp_internal_sha512_dma_process(mbedtls_sha512_context *ctx,
         const uint8_t *data, size_t len,
         uint8_t *buf, size_t buf_len)
@@ -152,14 +144,6 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, const unsigned
 
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_process( mbedtls_sha512_context *ctx,
-                             const unsigned char data[128] )
-{
-    mbedtls_internal_sha512_process( ctx, data );
-}
-#endif
-
 /*
  * SHA-512 process buffer
  */
@@ -233,16 +217,6 @@ int mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *inp
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
-                            const unsigned char *input,
-                            size_t ilen )
-{
-    mbedtls_sha512_update( ctx, input, ilen );
-}
-#endif
-
-
 static const unsigned char sha512_padding[128] = {
     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
@@ -291,12 +265,4 @@ int mbedtls_sha512_finish( mbedtls_sha512_context *ctx, unsigned char output[64]
     return ret;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
-                            unsigned char output[64] )
-{
-    mbedtls_sha512_finish( ctx, output );
-}
-#endif
-
 #endif /* MBEDTLS_SHA512_C && MBEDTLS_SHA512_ALT */

+ 0 - 26
components/mbedtls/port/sha/parallel_engine/esp_sha1.c

@@ -145,15 +145,6 @@ int mbedtls_internal_sha1_process( mbedtls_sha1_context *ctx, const unsigned cha
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha1_process( mbedtls_sha1_context *ctx,
-                           const unsigned char data[64] )
-{
-    mbedtls_internal_sha1_process( ctx, data );
-}
-#endif
-
-
 static void mbedtls_sha1_software_process( mbedtls_sha1_context *ctx, const unsigned char data[64] )
 {
     uint32_t temp, W[16], A, B, C, D, E;
@@ -361,15 +352,6 @@ int mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input,
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha1_update( mbedtls_sha1_context *ctx,
-                          const unsigned char *input,
-                          size_t ilen )
-{
-    mbedtls_sha1_update( ctx, input, ilen );
-}
-#endif
-
 static const unsigned char sha1_padding[64] = {
     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
@@ -424,12 +406,4 @@ out:
     return ret;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha1_finish( mbedtls_sha1_context *ctx,
-                          unsigned char output[20] )
-{
-    mbedtls_sha1_finish( ctx, output );
-}
-#endif
-
 #endif /* MBEDTLS_SHA1_C && MBEDTLS_SHA1_ALT */

+ 0 - 33
components/mbedtls/port/sha/parallel_engine/esp_sha256.c

@@ -135,14 +135,6 @@ int mbedtls_sha256_starts( mbedtls_sha256_context *ctx, int is224 )
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_starts( mbedtls_sha256_context *ctx,
-                            int is224 )
-{
-    mbedtls_sha256_starts( ctx, is224 );
-}
-#endif
-
 static const uint32_t K[] = {
     0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5,
     0x3956C25B, 0x59F111F1, 0x923F82A4, 0xAB1C5ED5,
@@ -212,14 +204,6 @@ int mbedtls_internal_sha256_process( mbedtls_sha256_context *ctx, const unsigned
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_process( mbedtls_sha256_context *ctx,
-                             const unsigned char data[64] )
-{
-    mbedtls_internal_sha256_process( ctx, data );
-}
-#endif
-
 static void mbedtls_sha256_software_process( mbedtls_sha256_context *ctx, const unsigned char data[64] )
 {
     uint32_t temp1, temp2, W[64];
@@ -328,15 +312,6 @@ int mbedtls_sha256_update( mbedtls_sha256_context *ctx, const unsigned char *inp
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_update( mbedtls_sha256_context *ctx,
-                            const unsigned char *input,
-                            size_t ilen )
-{
-    mbedtls_sha256_update( ctx, input, ilen );
-}
-#endif
-
 static const unsigned char sha256_padding[64] = {
     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
@@ -398,12 +373,4 @@ out:
     return ret;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha256_finish( mbedtls_sha256_context *ctx,
-                            unsigned char output[32] )
-{
-    mbedtls_sha256_finish( ctx, output );
-}
-#endif
-
 #endif /* MBEDTLS_SHA256_C && MBEDTLS_SHA256_ALT */

+ 0 - 35
components/mbedtls/port/sha/parallel_engine/esp_sha512.c

@@ -160,14 +160,6 @@ int mbedtls_sha512_starts( mbedtls_sha512_context *ctx, int is384 )
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_starts( mbedtls_sha512_context *ctx,
-                            int is384 )
-{
-    mbedtls_sha512_starts( ctx, is384 );
-}
-#endif
-
 /*
  * Round constants
  */
@@ -239,15 +231,6 @@ int mbedtls_internal_sha512_process( mbedtls_sha512_context *ctx, const unsigned
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_process( mbedtls_sha512_context *ctx,
-                             const unsigned char data[128] )
-{
-    mbedtls_internal_sha512_process( ctx, data );
-}
-#endif
-
-
 static void mbedtls_sha512_software_process( mbedtls_sha512_context *ctx, const unsigned char data[128] )
 {
     int i;
@@ -363,16 +346,6 @@ int mbedtls_sha512_update( mbedtls_sha512_context *ctx, const unsigned char *inp
     return 0;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_update( mbedtls_sha512_context *ctx,
-                            const unsigned char *input,
-                            size_t ilen )
-{
-    mbedtls_sha512_update( ctx, input, ilen );
-}
-#endif
-
-
 static const unsigned char sha512_padding[128] = {
     0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
     0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
@@ -438,12 +411,4 @@ out:
     return ret;
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_sha512_finish( mbedtls_sha512_context *ctx,
-                            unsigned char output[64] )
-{
-    mbedtls_sha512_finish( ctx, output );
-}
-#endif
-
 #endif /* MBEDTLS_SHA512_C && MBEDTLS_SHA512_ALT */

+ 20 - 8
components/protocomm/src/security/security1.c

@@ -17,6 +17,18 @@ which are undefined if the following flag is not defined */
 /* ToDo - Replace them with proper getter-setter once they are added */
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
 
+/* ToDo - Remove this once appropriate solution is available.
+ * Currently MBEDTLS_LEGACY_CONTEXT is enabled by default for MBEDTLS_ECP_RESTARTABLE
+ * This is a temporary workaround to allow that.
+ * The LEGACY option is soon going to be removed in future mbedtls
+ * once it is removed we can remove the workaround.
+ */
+#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
+#define ACCESS_ECDH(S, var) S->var
+#else
+#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var
+#endif
+
 #include <mbedtls/aes.h>
 #include <mbedtls/sha256.h>
 #include <mbedtls/entropy.h>
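Review bot: `ACCESS_ECDH(S, var)` expands to `S->var` with `S` unparenthesized, and every call site in the following hunks passes `&ctx_server`, so the result is only correct because `&ctx_server->grp` parses as `&(ctx_server->grp)`. Parenthesizing `S` the usual way would silently change the meaning, so the macro is safer as `#define ACCESS_ECDH(S, var) ((S)->var)` and `((S)->ctx.mbed_ecdh.var)`, with callers writing `&ACCESS_ECDH(ctx_server, grp)` and `&ACCESS_ECDH(ctx_server, Q).X`. The `#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT` also sits above the mbedtls includes; if sdkconfig.h is not already included earlier in the file (not visible here), the `#else` branch is always taken. Testing mbedtls's own `MBEDTLS_ECDH_LEGACY_CONTEXT` after the includes would tie the macro to the struct layout that is actually compiled. The comment names `MBEDTLS_LEGACY_CONTEXT`, whereas the option is `MBEDTLS_ECDH_LEGACY_CONTEXT`.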
@@ -222,14 +234,14 @@ static esp_err_t handle_session_command0(session_t *cur_session,
         goto exit_cmd0;
     }
 
-    mbed_err = mbedtls_ecp_group_load(&ctx_server->ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519);
+    mbed_err = mbedtls_ecp_group_load(ACCESS_ECDH(&ctx_server, grp), MBEDTLS_ECP_DP_CURVE25519);
     if (mbed_err != 0) {
         ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : -0x%x", -mbed_err);
         ret = ESP_FAIL;
         goto exit_cmd0;
     }
 
-    mbed_err = mbedtls_ecdh_gen_public(&ctx_server->ctx.mbed_ecdh.grp, &ctx_server->ctx.mbed_ecdh.d, &ctx_server->ctx.mbed_ecdh.Q,
+    mbed_err = mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx_server, grp), ACCESS_ECDH(&ctx_server, d), ACCESS_ECDH(&ctx_server, Q),
                                        mbedtls_ctr_drbg_random, ctr_drbg);
     if (mbed_err != 0) {
         ESP_LOGE(TAG, "Failed at mbedtls_ecdh_gen_public with error code : -0x%x", -mbed_err);
@@ -237,7 +249,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
         goto exit_cmd0;
     }
 
-    mbed_err = mbedtls_mpi_write_binary(&ctx_server->ctx.mbed_ecdh.Q.X,
+    mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).X,
                                         cur_session->device_pubkey,
                                         PUBLIC_KEY_LEN);
     if (mbed_err != 0) {
@@ -254,7 +266,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
     hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
     hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
 
-    mbed_err = mbedtls_mpi_lset(&ctx_server->ctx.mbed_ecdh.Qp.Z, 1);
+    mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).Z, 1);
     if (mbed_err != 0) {
         ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err);
         ret = ESP_FAIL;
@@ -262,7 +274,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
     }
 
     flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
-    mbed_err = mbedtls_mpi_read_binary(&ctx_server->ctx.mbed_ecdh.Qp.X, cli_pubkey, PUBLIC_KEY_LEN);
+    mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).X, cli_pubkey, PUBLIC_KEY_LEN);
     flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
     if (mbed_err != 0) {
         ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err);
@@ -270,15 +282,15 @@ static esp_err_t handle_session_command0(session_t *cur_session,
         goto exit_cmd0;
     }
 
-    mbed_err = mbedtls_ecdh_compute_shared(&ctx_server->ctx.mbed_ecdh.grp, &ctx_server->ctx.mbed_ecdh.z, &ctx_server->ctx.mbed_ecdh.Qp,
-                                           &ctx_server->ctx.mbed_ecdh.d, mbedtls_ctr_drbg_random, ctr_drbg);
+    mbed_err = mbedtls_ecdh_compute_shared(ACCESS_ECDH(&ctx_server, grp), ACCESS_ECDH(&ctx_server, z), ACCESS_ECDH(&ctx_server, Qp),
+                                           ACCESS_ECDH(&ctx_server, d), mbedtls_ctr_drbg_random, ctr_drbg);
     if (mbed_err != 0) {
         ESP_LOGE(TAG, "Failed at mbedtls_ecdh_compute_shared with error code : -0x%x", -mbed_err);
         ret = ESP_FAIL;
         goto exit_cmd0;
     }
 
-    mbed_err = mbedtls_mpi_write_binary(&ctx_server->ctx.mbed_ecdh.z, cur_session->sym_key, PUBLIC_KEY_LEN);
+    mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, z), cur_session->sym_key, PUBLIC_KEY_LEN);
     if (mbed_err != 0) {
         ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : -0x%x", -mbed_err);
         ret = ESP_FAIL;