alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

protocomm: MBEDTLS_PRIVATE & MBEDTLS_ALLOW_PRIVATE_ACCESS-related cleanup

Browse Source
This commit is contained in:
Laukik Hase 2022-09-15 12:40:53 +05:30
parent 6a24f6393e
commit b7ae23856a
No known key found for this signature in database
GPG Key ID: 11C571361F51A199
2 changed files with 37 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
components/protocomm/src/security/security1.c
View File

@ -10,23 +10,18 @@
#include <esp_err.h> #include <esp_err.h>
#include <esp_log.h> #include <esp_log.h>
/* ToDo - Remove this once appropriate solution is available. /* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default
We need to define this for the file as ssl_misc.h uses private structures from mbedtls, * when MBEDTLS_ECP_RESTARTABLE is enabled.
which are undefined if the following flag is not defined */
/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
/* ToDo - Replace them with proper getter-setter once they are added */
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
/* ToDo - Remove this once appropriate solution is available.
* Currently MBEDTLS_LEGACY_CONTEXT is enabled by default for MBEDTLS_ECP_RESTARTABLE
* This is a temporary workaround to allow that. * This is a temporary workaround to allow that.
* The LEGACY option is soon going to be removed in future mbedtls *
* once it is removed we can remove the workaround. * The legacy option is soon going to be removed in future mbedtls
* versions and this workaround will be removed once the appropriate
* solution is available.
*/ */
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
#define ACCESS_ECDH(S, var) S->var #define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(var)
#else #else
#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var #define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
#endif #endif
#include <mbedtls/aes.h> #include <mbedtls/aes.h>
@ -36,7 +31,6 @@ which are undefined if the following flag is not defined */
#include <mbedtls/ecdh.h> #include <mbedtls/ecdh.h>
#include <mbedtls/error.h> #include <mbedtls/error.h>
#include <mbedtls/constant_time.h> #include <mbedtls/constant_time.h>
#include <ssl_misc.h>
#include <protocomm_security.h> #include <protocomm_security.h>
#include <protocomm_security1.h> #include <protocomm_security1.h>
@ -249,7 +243,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
goto exit_cmd0; goto exit_cmd0;
} }
mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).X, mbed_err = mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx_server, Q).MBEDTLS_PRIVATE(X),
cur_session->device_pubkey, cur_session->device_pubkey,
PUBLIC_KEY_LEN); PUBLIC_KEY_LEN);
if (mbed_err != 0) { if (mbed_err != 0) {
@ -266,7 +260,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN); hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN); hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).Z, 1); mbed_err = mbedtls_mpi_lset(ACCESS_ECDH(&ctx_server, Qp).MBEDTLS_PRIVATE(Z), 1);
if (mbed_err != 0) { if (mbed_err != 0) {
ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err); ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : -0x%x", -mbed_err);
ret = ESP_FAIL; ret = ESP_FAIL;
@ -274,7 +268,7 @@ static esp_err_t handle_session_command0(session_t *cur_session,
} }
flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN); flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).X, cli_pubkey, PUBLIC_KEY_LEN); mbed_err = mbedtls_mpi_read_binary(ACCESS_ECDH(&ctx_server, Qp).MBEDTLS_PRIVATE(X), cli_pubkey, PUBLIC_KEY_LEN);
flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN); flip_endian(cur_session->client_pubkey, PUBLIC_KEY_LEN);
if (mbed_err != 0) { if (mbed_err != 0) {
ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err); ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : -0x%x", -mbed_err);

45
components/protocomm/test_apps/main/test_protocomm.c
View File

@ -14,12 +14,19 @@
#include <unistd.h> #include <unistd.h>
#include <unity.h> #include <unity.h>
/* ToDo - Remove this once appropriate solution is available. /* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default
We need to define this for the file as ssl_misc.h uses private structures from mbedtls, * when MBEDTLS_ECP_RESTARTABLE is enabled.
which are undefined if the following flag is not defined */ * This is a temporary workaround to allow that.
/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE()` */ *
/* ToDo - Replace them with proper getter-setter once they are added */ * The legacy option is soon going to be removed in future mbedtls
#define MBEDTLS_ALLOW_PRIVATE_ACCESS * versions and this workaround will be removed once the appropriate
* solution is available.
*/
#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(var)
#else
#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
#endif
#include <mbedtls/aes.h> #include <mbedtls/aes.h>
#include <mbedtls/sha256.h> #include <mbedtls/sha256.h>
@ -155,24 +162,24 @@ static esp_err_t verify_response0(session_t *session, SessionData *resp)
hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN); hexdump("Device pubkey", dev_pubkey, PUBLIC_KEY_LEN);
hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN); hexdump("Client pubkey", cli_pubkey, PUBLIC_KEY_LEN);
ret = mbedtls_mpi_lset(&session->ctx_client.ctx.mbed_ecdh.Qp.Z, 1); ret = mbedtls_mpi_lset(ACCESS_ECDH(&session->ctx_client, Qp).MBEDTLS_PRIVATE(Z), 1);
if (ret != 0) { if (ret != 0) {
ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : %d", ret); ESP_LOGE(TAG, "Failed at mbedtls_mpi_lset with error code : %d", ret);
return ESP_FAIL; return ESP_FAIL;
} }
flip_endian(session->device_pubkey, PUBLIC_KEY_LEN); flip_endian(session->device_pubkey, PUBLIC_KEY_LEN);
ret = mbedtls_mpi_read_binary(&session->ctx_client.ctx.mbed_ecdh.Qp.X, dev_pubkey, PUBLIC_KEY_LEN); ret = mbedtls_mpi_read_binary(ACCESS_ECDH(&session->ctx_client, Qp).MBEDTLS_PRIVATE(X), dev_pubkey, PUBLIC_KEY_LEN);
flip_endian(session->device_pubkey, PUBLIC_KEY_LEN); flip_endian(session->device_pubkey, PUBLIC_KEY_LEN);
if (ret != 0) { if (ret != 0) {
ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : %d", ret); ESP_LOGE(TAG, "Failed at mbedtls_mpi_read_binary with error code : %d", ret);
return ESP_FAIL; return ESP_FAIL;
} }
ret = mbedtls_ecdh_compute_shared(&session->ctx_client.ctx.mbed_ecdh.grp, ret = mbedtls_ecdh_compute_shared(ACCESS_ECDH(&session->ctx_client, grp),
&session->ctx_client.ctx.mbed_ecdh.z, ACCESS_ECDH(&session->ctx_client, z),
&session->ctx_client.ctx.mbed_ecdh.Qp, ACCESS_ECDH(&session->ctx_client, Qp),
&session->ctx_client.ctx.mbed_ecdh.d, ACCESS_ECDH(&session->ctx_client, d),
mbedtls_ctr_drbg_random, mbedtls_ctr_drbg_random,
&session->ctr_drbg); &session->ctr_drbg);
if (ret != 0) { if (ret != 0) {
@ -180,7 +187,7 @@ static esp_err_t verify_response0(session_t *session, SessionData *resp)
return ESP_FAIL; return ESP_FAIL;
} }
ret = mbedtls_mpi_write_binary(&session->ctx_client.ctx.mbed_ecdh.z, session->sym_key, PUBLIC_KEY_LEN); ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&session->ctx_client, z), session->sym_key, PUBLIC_KEY_LEN);
if (ret != 0) { if (ret != 0) {
ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : %d", ret); ESP_LOGE(TAG, "Failed at mbedtls_mpi_write_binary with error code : %d", ret);
return ESP_FAIL; return ESP_FAIL;
@ -382,15 +389,15 @@ static esp_err_t test_sec_endpoint(session_t *session)
goto abort_test_sec_endpoint; goto abort_test_sec_endpoint;
} }
ret = mbedtls_ecp_group_load(&session->ctx_client.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519); ret = mbedtls_ecp_group_load(ACCESS_ECDH(&session->ctx_client, grp), MBEDTLS_ECP_DP_CURVE25519);
if (ret != 0) { if (ret != 0) {
ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : %d", ret); ESP_LOGE(TAG, "Failed at mbedtls_ecp_group_load with error code : %d", ret);
goto abort_test_sec_endpoint; goto abort_test_sec_endpoint;
} }
ret = mbedtls_ecdh_gen_public(&session->ctx_client.ctx.mbed_ecdh.grp, ret = mbedtls_ecdh_gen_public(ACCESS_ECDH(&session->ctx_client, grp),
&session->ctx_client.ctx.mbed_ecdh.d, ACCESS_ECDH(&session->ctx_client, d),
&session->ctx_client.ctx.mbed_ecdh.Q, ACCESS_ECDH(&session->ctx_client, Q),
mbedtls_ctr_drbg_random, mbedtls_ctr_drbg_random,
&session->ctr_drbg); &session->ctr_drbg);
if (ret != 0) { if (ret != 0) {
@ -400,7 +407,7 @@ static esp_err_t test_sec_endpoint(session_t *session)
if (session->weak) { if (session->weak) {
/* Read zero client public key */ /* Read zero client public key */
ret = mbedtls_mpi_read_binary(&session->ctx_client.ctx.mbed_ecdh.Q.X, ret = mbedtls_mpi_read_binary(ACCESS_ECDH(&session->ctx_client, Q).MBEDTLS_PRIVATE(X),
session->client_pubkey, session->client_pubkey,
PUBLIC_KEY_LEN); PUBLIC_KEY_LEN);
if (ret != 0) { if (ret != 0) {
@ -408,7 +415,7 @@ static esp_err_t test_sec_endpoint(session_t *session)
goto abort_test_sec_endpoint; goto abort_test_sec_endpoint;
} }
} }
ret = mbedtls_mpi_write_binary(&session->ctx_client.ctx.mbed_ecdh.Q.X, ret = mbedtls_mpi_write_binary(ACCESS_ECDH(&session->ctx_client, Q).MBEDTLS_PRIVATE(X),
session->client_pubkey, session->client_pubkey,
PUBLIC_KEY_LEN); PUBLIC_KEY_LEN);
if (ret != 0) { if (ret != 0) {