From e813bbc6805d24f3d9e7cb9abe5375e39cf4300a Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Fri, 6 Oct 2023 10:21:19 +0530 Subject: [PATCH 1/3] feat(mbedtls): update to 3.5.0 release Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.5.0 --- components/mbedtls/CMakeLists.txt | 6 ++++- components/mbedtls/mbedtls | 2 +- components/mbedtls/port/ecdsa/ecdsa_alt.c | 2 +- components/mbedtls/port/esp_platform_time.c | 25 +++++++++++++++++++ .../mbedtls/port/include/mbedtls/esp_config.h | 7 ++++++ 5 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 components/mbedtls/port/esp_platform_time.c diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt index 692d9d6d21..fcc47ebe72 100644 --- a/components/mbedtls/CMakeLists.txt +++ b/components/mbedtls/CMakeLists.txt @@ -110,9 +110,13 @@ list(REMOVE_ITEM src_x509 x509_crt.c) set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509}) endif() +# Core libraries from the mbedTLS project set(mbedtls_targets mbedtls mbedcrypto mbedx509) +# 3rd party libraries from the mbedTLS project +list(APPEND mbedtls_targets everest p256m) -set(mbedtls_target_sources "${COMPONENT_DIR}/port/mbedtls_debug.c") +set(mbedtls_target_sources "${COMPONENT_DIR}/port/mbedtls_debug.c" + "${COMPONENT_DIR}/port/esp_platform_time.c") if(CONFIG_MBEDTLS_DYNAMIC_BUFFER) set(mbedtls_target_sources ${mbedtls_target_sources} diff --git a/components/mbedtls/mbedtls b/components/mbedtls/mbedtls index 727a037da6..dd91f30058 160000 --- a/components/mbedtls/mbedtls +++ b/components/mbedtls/mbedtls @@ -1 +1 @@ -Subproject commit 727a037da6f9a62a9d3d5def5bd21a2bc9c621c6 +Subproject commit dd91f30058dfad68d80267cc82cd8472c4aa54b5 diff --git a/components/mbedtls/port/ecdsa/ecdsa_alt.c b/components/mbedtls/port/ecdsa/ecdsa_alt.c index 1cc1445159..f53237f78a 100644 --- a/components/mbedtls/port/ecdsa/ecdsa_alt.c +++ b/components/mbedtls/port/ecdsa/ecdsa_alt.c @@ -13,7 +13,7 @@ #include "esp_private/periph_ctrl.h" #include "ecdsa/ecdsa_alt.h" -#define ECDSA_KEY_MAGIC 0xECD5A +#define ECDSA_KEY_MAGIC (short) 0xECD5A #define ECDSA_SHA_LEN 32 #define MAX_ECDSA_COMPONENT_LEN 32 diff --git a/components/mbedtls/port/esp_platform_time.c b/components/mbedtls/port/esp_platform_time.c new file mode 100644 index 0000000000..541b664ab9 --- /dev/null +++ b/components/mbedtls/port/esp_platform_time.c @@ -0,0 +1,25 @@ +/* + * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD + * + * SPDX-License-Identifier: Apache-2.0 + */ + +#include "mbedtls/build_info.h" +#include "mbedtls/platform_time.h" + +#ifdef MBEDTLS_PLATFORM_MS_TIME_ALT +mbedtls_ms_time_t mbedtls_ms_time() +{ + int ret; + struct timespec tv = {}; + mbedtls_ms_time_t current_ms; + + ret = clock_gettime(CLOCK_MONOTONIC, &tv); + if (ret) { + return time(NULL) * 1000L; + } + + current_ms = tv.tv_sec; + return current_ms * 1000L + tv.tv_nsec / 1000000L; +} +#endif // MBEDTLS_PLATFORM_MS_TIME_ALT diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 8e9b48edf2..a9dcf5b02f 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -56,8 +56,15 @@ */ #ifdef CONFIG_MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME +/** + * \def MBEDTLS_PLATFORM_MS_TIME_ALT + * + * Define platform specific function to get time since bootup in milliseconds. + */ +#define MBEDTLS_PLATFORM_MS_TIME_ALT #else #undef MBEDTLS_HAVE_TIME +#undef MBEDTLS_PLATFORM_MS_TIME_ALT #endif /** From bf59005fe180b6ad954606a6eee4dc9b1072ce43 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Sat, 7 Oct 2023 21:50:01 +0530 Subject: [PATCH 2/3] fix(mbedtls): dynamic buffer feature issue with mbedtls 3.5.0 Set max TLS version in the SSL context during setup phase. Dynamic buffer feature overrides the `mbedtls_ssl_setup` API and hence this change is required per upstream 3.5.0 codebase change. --- components/mbedtls/port/dynamic/esp_ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/components/mbedtls/port/dynamic/esp_ssl_tls.c b/components/mbedtls/port/dynamic/esp_ssl_tls.c index e242b2ced6..f12bc2bf7e 100644 --- a/components/mbedtls/port/dynamic/esp_ssl_tls.c +++ b/components/mbedtls/port/dynamic/esp_ssl_tls.c @@ -283,6 +283,8 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl ) int __wrap_mbedtls_ssl_setup(mbedtls_ssl_context *ssl, const mbedtls_ssl_config *conf) { ssl->conf = conf; + ssl->tls_version = ssl->conf->max_tls_version; + CHECK_OK(ssl_handshake_init(ssl)); mbedtls_free(ssl->MBEDTLS_PRIVATE(out_buf)); From 82d2cdcf5a8aff5cf2be9b80f8123e5f2c25ffc5 Mon Sep 17 00:00:00 2001 From: Mahavir Jain Date: Mon, 9 Oct 2023 11:14:10 +0530 Subject: [PATCH 3/3] fix(mbedtls): remove deprecated MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION This config has been removed in the upstream mbedTLS starting 3.0 release. Please see mbedTLS changelog for more details. --- components/mbedtls/Kconfig | 12 ------------ .../mbedtls/port/include/mbedtls/esp_config.h | 19 ------------------- 2 files changed, 31 deletions(-) diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig index 34d5f79013..46bd134937 100644 --- a/components/mbedtls/Kconfig +++ b/components/mbedtls/Kconfig @@ -1052,16 +1052,4 @@ menu "mbedTLS" then the ESP will be unable to process keys greater than SOC_RSA_MAX_BIT_LEN. - menuconfig MBEDTLS_SECURITY_RISKS - bool "Show configurations with potential security risks" - default n - - config MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT - bool "X.509 CRT parsing with unsupported critical extensions" - depends on MBEDTLS_SECURITY_RISKS - default n - help - Allow the X.509 certificate parser to load certificates - with unsupported critical extensions - endmenu # mbedTLS diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index a9dcf5b02f..cde39e540c 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -2738,25 +2738,6 @@ */ #define MBEDTLS_X509_CRT_WRITE_C -/** - * \def MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION - * - * Alow the X509 parser to not break-off when parsing an X509 certificate - * and encountering an unknown critical extension. - * - * Module: library/x509_crt.c - * - * Requires: MBEDTLS_X509_CRT_PARSE_C - * - * This module is supports loading of certificates with extensions that - * may not be supported by mbedtls. - */ -#ifdef CONFIG_MBEDTLS_ALLOW_UNSUPPORTED_CRITICAL_EXT -#define MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION -#else -#undef MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION -#endif - /** * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK *