diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c index 956a84662c..c458320bb7 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c @@ -4,8 +4,6 @@ * SPDX-License-Identifier: Apache-2.0 */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #ifdef ESP_PLATFORM #include "esp_system.h" #include "mbedtls/bignum.h" @@ -31,9 +29,9 @@ #define ECP_PRV_DER_MAX_BYTES 29 + 3 * MBEDTLS_ECP_MAX_BYTES #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT -#define ACCESS_ECDH(S, var) S->var +#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(var) #else -#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var +#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var) #endif #ifdef CONFIG_ECC @@ -1053,7 +1051,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group) } mbedtls_ecdh_init(ctx); #ifndef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT - ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0; + ctx->MBEDTLS_PRIVATE(var) = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0; #endif if ((mbedtls_ecp_group_load(ACCESS_ECDH(&ctx, grp), crypto_mbedtls_get_grp_id(group))) != 0) { @@ -1105,7 +1103,7 @@ struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int y) } /* Export an MPI into unsigned big endian binary data of fixed size */ - mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx, Q).X, buf, prime_len); + mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx, Q).MBEDTLS_PRIVATE(X), buf, prime_len); public_key = wpabuf_alloc_copy(buf, 32); os_free(buf); return public_key; @@ -1179,9 +1177,9 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y, /* Setup ECDH context from EC key */ /* Call to mbedtls_ecdh_get_params() will initialize the context when not LEGACY context */ if (ctx != NULL && peer != NULL) { - mbedtls_ecp_copy( ACCESS_ECDH(&ctx, Qp), &(mbedtls_pk_ec(*peer))->Q ); + mbedtls_ecp_copy( ACCESS_ECDH(&ctx, Qp), &(mbedtls_pk_ec(*peer))->MBEDTLS_PRIVATE(Q) ); #ifndef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT - ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0; + ctx->MBEDTLS_PRIVATE(var) = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0; #endif } else { wpa_printf(MSG_ERROR, "Failed to set peer's ECDH context"); diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c index 450f78b8fe..21f8f5956b 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c @@ -217,7 +217,7 @@ int crypto_public_key_encrypt_pkcs1_v15(struct crypto_public_key *key, wpa_printf(MSG_ERROR, " failed ! mbedtls_rsa_pkcs1_encrypt returned -0x%04x", -ret); goto cleanup; } - *outlen = mbedtls_pk_rsa(*pkey)->MBEDTLS_PRIVATE(len); + *outlen = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey)); cleanup: mbedtls_ctr_drbg_free( ctr_drbg ); @@ -256,7 +256,7 @@ int crypto_private_key_decrypt_pkcs1_v15(struct crypto_private_key *key, if (ret < 0) goto cleanup; - i = mbedtls_pk_rsa(*pkey)->MBEDTLS_PRIVATE(len); + i = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey)); ret = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_pk_rsa(*pkey), mbedtls_ctr_drbg_random, ctr_drbg, &i, in, out, *outlen); @@ -301,7 +301,8 @@ int crypto_private_key_sign_pkcs1(struct crypto_private_key *key, wpa_printf(MSG_ERROR, " failed ! mbedtls_rsa_pkcs1_sign returned %d", ret ); goto cleanup; } - *outlen = mbedtls_pk_rsa(*pkey)->MBEDTLS_PRIVATE(len); + *outlen = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey)); + cleanup: mbedtls_ctr_drbg_free( ctr_drbg ); mbedtls_entropy_free( entropy ); diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c index fe14f1d77c..f11103d99b 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c @@ -220,7 +220,8 @@ int crypto_hash_finish(struct crypto_hash *crypto_ctx, u8 *mac, size_t *len) if (mac == NULL || len == NULL) { goto err; } - md_type = mbedtls_md_get_type(ctx->MBEDTLS_PRIVATE(md_info)); + + md_type = mbedtls_md_get_type(mbedtls_md_info_from_ctx(ctx)); switch(md_type) { case MBEDTLS_MD_MD5: if (*len < MD5_MAC_LEN) { diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c index 6c518eec22..17ce87e36b 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c @@ -13,14 +13,17 @@ #include "crypto/sha256.h" #include "crypto/sha384.h" -/* ToDo - Remove this once appropriate solution is available. -We need to define this for the file as ssl_misc.h uses private structures from mbedtls, -which are undefined if the following flag is not defined */ -/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */ -/* ToDo - Replace them with proper getter-setter once they are added */ +/* TODO: Remove this once the appropriate solution is found + * + * ssl_misc.h header uses private elements from + * mbedtls, which become undefined if the following flag + * is not defined + */ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +// located at mbedtls/library/ssl_misc.h #include "ssl_misc.h" + #include "mbedtls/ctr_drbg.h" #include "mbedtls/entropy.h" #include "mbedtls/debug.h" @@ -659,11 +662,7 @@ int tls_connection_established(void *tls_ctx, struct tls_connection *conn) { mbedtls_ssl_context *ssl = &conn->tls->ssl; - if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER) { - return 1; - } - - return 0; + return mbedtls_ssl_is_handshake_over(ssl); } int tls_global_set_verify(void *tls_ctx, int check_crl, int strict) @@ -696,13 +695,13 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx, } /* Multiple reads */ - while (tls->ssl.MBEDTLS_PRIVATE(state) != MBEDTLS_SSL_HANDSHAKE_OVER) { + while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) { if (tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_CLIENT_CERTIFICATE) { /* Read random data before session completes, not present after handshake */ if (tls->ssl.MBEDTLS_PRIVATE(handshake)) { os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes, TLS_RANDOM_LEN * 2); - conn->mac = tls->ssl.handshake->ciphersuite_info->mac; + conn->mac = tls->ssl.MBEDTLS_PRIVATE(handshake)->ciphersuite_info->mac; } } ret = mbedtls_ssl_handshake_step(&tls->ssl); @@ -944,7 +943,7 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn, wpa_printf(MSG_ERROR, "TLS: %s, session ingo is null", __func__); return -1; } - if (ssl->MBEDTLS_PRIVATE(state) != MBEDTLS_SSL_HANDSHAKE_OVER) { + if (!mbedtls_ssl_is_handshake_over(ssl)) { wpa_printf(MSG_ERROR, "TLS: %s, incorrect tls state=%d", __func__, ssl->MBEDTLS_PRIVATE(state)); return -1; } @@ -957,7 +956,7 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn, } wpa_hexdump_key(MSG_MSGDUMP, "random", seed, 2 * TLS_RANDOM_LEN); - wpa_hexdump_key(MSG_MSGDUMP, "master", ssl->MBEDTLS_PRIVATE(session)->MBEDTLS_PRIVATE(master), TLS_MASTER_SECRET_LEN); + wpa_hexdump_key(MSG_MSGDUMP, "master", ssl->MBEDTLS_PRIVATE(session)->MBEDTLS_PRIVATE(master), TLS_MASTER_SECRET_LEN); ret = mbedtls_ssl_tls_prf(conn->tls_prf_type, conn->master_secret, TLS_MASTER_SECRET_LEN, label, seed, 2 * TLS_RANDOM_LEN, out, out_len);