diff --git a/nanostack/ns_sha256.h b/nanostack/ns_sha256.h index fccded2cfa94..f550430e6613 100644 --- a/nanostack/ns_sha256.h +++ b/nanostack/ns_sha256.h @@ -61,23 +61,39 @@ static inline void ns_sha256_clone(ns_sha256_context *dst, static inline void ns_sha256_starts(ns_sha256_context *ctx) { +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256_starts(ctx, 0); +#else (void)mbedtls_sha256_starts_ret(ctx, 0); +#endif } static inline void ns_sha256_update(ns_sha256_context *ctx, const void *input, size_t ilen) { +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256_update(ctx, input, ilen); +#else (void)mbedtls_sha256_update_ret(ctx, input, ilen); +#endif } static inline void ns_sha256_finish(ns_sha256_context *ctx, void *output) { +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256_finish(ctx, output); +#else (void)mbedtls_sha256_finish_ret(ctx, output); +#endif } static inline void ns_sha256(const void *input, size_t ilen, void *output) { +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256(input, ilen, output, 0); +#else (void)mbedtls_sha256_ret(input, ilen, output, 0); +#endif } /* Extensions to standard mbed TLS - output the first bits of a hash only */ @@ -85,10 +101,18 @@ static inline void ns_sha256(const void *input, size_t ilen, void *output) static inline void ns_sha256_finish_nbits(ns_sha256_context *ctx, void *output, unsigned obits) { if (obits == 256) { +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256_finish(ctx, output); +#else (void)mbedtls_sha256_finish_ret(ctx, output); +#endif } else { uint8_t sha256[32]; +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256_finish(ctx, sha256); +#else (void)mbedtls_sha256_finish_ret(ctx, sha256); +#endif memcpy(output, sha256, obits / 8); } } @@ -96,10 +120,18 @@ static inline void ns_sha256_finish_nbits(ns_sha256_context *ctx, void *output, static inline void ns_sha256_nbits(const void *input, size_t ilen, void *output, unsigned obits) { if (obits == 256) { +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256(input, ilen, output, 0); +#else (void)mbedtls_sha256_ret(input, ilen, output, 0); +#endif } else { uint8_t sha256[32]; +#if (MBEDTLS_VERSION_MAJOR >= 3) + (void)mbedtls_sha256(input, ilen, sha256, 0); +#else (void)mbedtls_sha256_ret(input, ilen, sha256, 0); +#endif memcpy(output, sha256, obits / 8); } } diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c index 504aadcedf3c..a7778db54a41 100644 --- a/source/6LoWPAN/ws/ws_pae_controller.c +++ b/source/6LoWPAN/ws/ws_pae_controller.c @@ -546,19 +546,31 @@ static int8_t ws_pae_controller_gak_from_gtk(uint8_t *gak, uint8_t *gtk, char *n mbedtls_sha256_init(&ctx); +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_starts(&ctx, 0) != 0) { +#else if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) { +#endif ret_val = -1; goto error; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_update(&ctx, input, network_name_len + GTK_LEN) != 0) { +#else if (mbedtls_sha256_update_ret(&ctx, input, network_name_len + GTK_LEN) != 0) { +#endif ret_val = -1; goto error; } uint8_t output[32]; +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_finish(&ctx, output) != 0) { +#else if (mbedtls_sha256_finish_ret(&ctx, output) != 0) { +#endif ret_val = -1; goto error; } diff --git a/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c b/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c index 21dc0bf7e0bd..8f3371f62115 100644 --- a/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c +++ b/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c @@ -786,19 +786,31 @@ static int8_t radius_client_sec_prot_eui_64_hash_generate(uint8_t *eui_64, uint8 mbedtls_sha256_init(&ctx); +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_starts(&ctx, 0) != 0) { +#else if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) { +#endif ret_val = -1; goto error; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_update(&ctx, hashed_string, 24) != 0) { +#else if (mbedtls_sha256_update_ret(&ctx, hashed_string, 24) != 0) { +#endif ret_val = -1; goto error; } uint8_t output[32]; +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_finish(&ctx, output) != 0) { +#else if (mbedtls_sha256_finish_ret(&ctx, output) != 0) { +#endif ret_val = -1; goto error; } @@ -872,19 +884,35 @@ static int8_t radius_client_sec_prot_response_authenticator_calc(sec_prot_t *pro mbedtls_md5_init(&ctx); +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_starts(&ctx) != 0) { +#else if (mbedtls_md5_starts_ret(&ctx) != 0) { +#endif goto end; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_update(&ctx, msg_ptr, msg_len) != 0) { +#else if (mbedtls_md5_update_ret(&ctx, msg_ptr, msg_len) != 0) { +#endif goto end; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_update(&ctx, key, key_len) != 0) { +#else if (mbedtls_md5_update_ret(&ctx, key, key_len) != 0) { +#endif goto end; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_finish(&ctx, auth_ptr) != 0) { +#else if (mbedtls_md5_finish_ret(&ctx, auth_ptr) != 0) { +#endif goto end; } @@ -940,35 +968,59 @@ static int8_t radius_client_sec_prot_ms_mppe_recv_key_pmk_decrypt(sec_prot_t *pr while (cipher_text_len >= MS_MPPE_RECV_KEY_BLOCK_LEN) { mbedtls_md5_init(&ctx); +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_starts(&ctx) != 0) { +#else if (mbedtls_md5_starts_ret(&ctx) != 0) { +#endif md5_failed = true; break; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_update(&ctx, key, key_len) != 0) { +#else if (mbedtls_md5_update_ret(&ctx, key, key_len) != 0) { +#endif md5_failed = true; break; } if (first_interm_b_value) { // b(1) = MD5(secret + request-authenticator + salt) +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_update(&ctx, request_authenticator, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) { +#else if (mbedtls_md5_update_ret(&ctx, request_authenticator, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) { +#endif md5_failed = true; break; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_update(&ctx, salt_ptr, MS_MPPE_RECV_KEY_SALT_LEN) != 0) { +#else if (mbedtls_md5_update_ret(&ctx, salt_ptr, MS_MPPE_RECV_KEY_SALT_LEN) != 0) { +#endif md5_failed = true; break; } } else { // b(i) = MD5(secret + cipher_text(i - 1)) +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_update(&ctx, cipher_text_ptr - MS_MPPE_RECV_KEY_BLOCK_LEN, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) { +#else if (mbedtls_md5_update_ret(&ctx, cipher_text_ptr - MS_MPPE_RECV_KEY_BLOCK_LEN, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) { +#endif md5_failed = true; break; } } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_md5_finish(&ctx, interm_b_val) != 0) { +#else if (mbedtls_md5_finish_ret(&ctx, interm_b_val) != 0) { +#endif md5_failed = true; break; } diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c index 7789020660c0..88577b3157a2 100644 --- a/source/Security/protocols/sec_prot_lib.c +++ b/source/Security/protocols/sec_prot_lib.c @@ -514,19 +514,31 @@ int8_t sec_prot_lib_gtkhash_generate(uint8_t *gtk, uint8_t *gtk_hash) mbedtls_sha256_init(&ctx); +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_starts(&ctx, 0) != 0) { +#else if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) { +#endif ret_val = -1; goto error; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_update(&ctx, gtk, 16) != 0) { +#else if (mbedtls_sha256_update_ret(&ctx, gtk, 16) != 0) { +#endif ret_val = -1; goto error; } uint8_t output[32]; +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_sha256_finish(&ctx, output) != 0) { +#else if (mbedtls_sha256_finish_ret(&ctx, output) != 0) { +#endif ret_val = -1; goto error; } diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c index 36f50a8b098e..fa3df55593b3 100644 --- a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c +++ b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c @@ -18,12 +18,8 @@ #include "nsconfig.h" #ifdef HAVE_WS -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include "mbedtls/version.h" #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_SSL_EXPORT_KEYS) /* EXPORT_KEYS not supported by mbedtls baremetal yet */ #define WS_MBEDTLS_SECURITY_ENABLED #endif @@ -49,7 +45,6 @@ #include "mbedtls/platform.h" #include "mbedtls/ssl_cookie.h" #include "mbedtls/entropy.h" -#include "mbedtls/entropy_poll.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/ssl_ciphersuites.h" #include "mbedtls/debug.h" @@ -77,7 +72,9 @@ struct tls_security_s { mbedtls_pk_context pkey; /**< Private key for own certificate */ void *handle; /**< Handle provided in callbacks (defined by library user) */ bool ext_cert_valid : 1; /**< Extended certificate validation enabled */ +#if (MBEDTLS_VERSION_MAJOR < 3) tls_sec_prot_lib_crt_verify_cb *crt_verify; /**< Verify function for client/server certificate */ +#endif tls_sec_prot_lib_send *send; /**< Send callback */ tls_sec_prot_lib_receive *receive; /**< Receive callback */ tls_sec_prot_lib_export_keys *export_keys; /**< Export keys callback */ @@ -90,12 +87,22 @@ static int tls_sec_prot_lib_ssl_get_timer(void *ctx); static int tls_sec_lib_entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen); static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len); static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len); -static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms, +#if (MBEDTLS_VERSION_MAJOR >= 3) +static void tls_sec_prot_lib_ssl_export_keys(void *p_expkey, mbedtls_ssl_key_export_type type, + const unsigned char *secret, + size_t secret_len, + const unsigned char client_random[32], + const unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type); +#else +static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *secret, const unsigned char *kb, size_t maclen, size_t keylen, size_t ivlen, const unsigned char client_random[32], const unsigned char server_random[32], mbedtls_tls_prf_types tls_prf_type); +#endif +#if (MBEDTLS_VERSION_MAJOR < 3) static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags); static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt); static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt); @@ -105,6 +112,7 @@ static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(tls_security_t *sec, m #ifdef HAVE_PAE_SUPP static int tls_sec_prot_lib_x509_crt_server_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags); #endif +#endif #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string); #endif @@ -234,7 +242,11 @@ static int tls_sec_prot_lib_configure_certificates(tls_security_t *sec, const se return -1; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (mbedtls_pk_parse_key(&sec->pkey, key, key_len, NULL, 0, mbedtls_ctr_drbg_random, &sec->ctr_drbg) < 0) { +#else if (mbedtls_pk_parse_key(&sec->pkey, key, key_len, NULL, 0) < 0) { +#endif tr_error("Private key parse error"); return -1; } @@ -310,6 +322,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p return -1; } +#if (MBEDTLS_VERSION_MAJOR < 3) #ifdef HAVE_PAE_SUPP if (is_server_is_not_set) { sec->crt_verify = tls_sec_prot_lib_x509_crt_server_verify; @@ -320,7 +333,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p sec->crt_verify = tls_sec_prot_lib_x509_crt_idevid_ldevid_verify; } #endif - +#endif if ((mbedtls_ssl_config_defaults(&sec->conf, is_server_is_set ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, @@ -384,7 +397,11 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p #endif // Export keys callback +#if (MBEDTLS_VERSION_MAJOR >= 3) + mbedtls_ssl_set_export_keys_cb(&sec->ssl, tls_sec_prot_lib_ssl_export_keys, sec); +#else mbedtls_ssl_conf_export_keys_ext_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec); +#endif #if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3); @@ -395,7 +412,9 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p #endif /* !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) */ // Set certificate verify callback +#if (MBEDTLS_VERSION_MAJOR < 3) mbedtls_ssl_set_verify(&sec->ssl, tls_sec_prot_lib_x509_crt_verify, sec); +#endif /* Currently assuming we are running fast enough HW that ECC calculations are not blocking any normal operation. * @@ -432,7 +451,11 @@ int8_t tls_sec_prot_lib_process(tls_security_t *sec) return TLS_SEC_PROT_LIB_ERROR; } +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (sec->ssl.private_state == MBEDTLS_SSL_HANDSHAKE_OVER) { +#else if (sec->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER) { +#endif return TLS_SEC_PROT_LIB_HANDSHAKE_OVER; } } @@ -469,16 +492,31 @@ static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len) return ret; } -static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms, +#if (MBEDTLS_VERSION_MAJOR >= 3) +static void tls_sec_prot_lib_ssl_export_keys(void *p_expkey, mbedtls_ssl_key_export_type type, + const unsigned char *secret, + size_t secret_len, + const unsigned char client_random[32], + const unsigned char server_random[32], + mbedtls_tls_prf_types tls_prf_type) +#else +static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *secret, const unsigned char *kb, size_t maclen, size_t keylen, size_t ivlen, const unsigned char client_random[32], const unsigned char server_random[32], mbedtls_tls_prf_types tls_prf_type) +#endif { +#if (MBEDTLS_VERSION_MAJOR >= 3) + if (type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET || secret_len < 48) { + return; + } +#else (void) kb; (void) maclen; (void) keylen; (void) ivlen; +#endif tls_security_t *sec = (tls_security_t *)p_expkey; @@ -487,18 +525,24 @@ static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char memcpy(random, client_random, 32); memcpy(&random[32], server_random, 32); - int ret = mbedtls_ssl_tls_prf(tls_prf_type, ms, 48, "client EAP encryption", + int ret = mbedtls_ssl_tls_prf(tls_prf_type, secret, 48, "client EAP encryption", random, 64, eap_tls_key_material, 128); if (ret != 0) { tr_error("key material PRF error"); +#if (MBEDTLS_VERSION_MAJOR < 3) return 0; +#endif } - sec->export_keys(sec->handle, ms, eap_tls_key_material); + sec->export_keys(sec->handle, secret, eap_tls_key_material); + +#if (MBEDTLS_VERSION_MAJOR < 3) return 0; +#endif } +#if (MBEDTLS_VERSION_MAJOR < 3) static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) { tls_security_t *sec = (tls_security_t *) ctx; @@ -605,6 +649,7 @@ static int tls_sec_prot_lib_x509_crt_server_verify(tls_security_t *sec, mbedtls_ return 0; } #endif +#endif static int tls_sec_lib_entropy_poll(void *ctx, unsigned char *output, size_t len, size_t *olen) { diff --git a/source/Service_Libs/nist_aes_kw/nist_aes_kw.c b/source/Service_Libs/nist_aes_kw/nist_aes_kw.c index 98f6a6981282..09addbc70faf 100644 --- a/source/Service_Libs/nist_aes_kw/nist_aes_kw.c +++ b/source/Service_Libs/nist_aes_kw/nist_aes_kw.c @@ -21,11 +21,7 @@ #include "ns_list.h" #include "ns_trace.h" -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include "mbedtls/version.h" #if defined(MBEDTLS_NIST_KW_C) && defined(HAVE_WS) && (defined(HAVE_PAE_SUPP) || defined(HAVE_PAE_AUTH)) #include "mbedtls/nist_kw.h"