From dab686d12a06ad5e46eaae88d3b727d28051101f Mon Sep 17 00:00:00 2001 From: Kangping Dong Date: Sun, 31 Mar 2024 21:57:33 +0800 Subject: [PATCH] [build] support mbedtls 3.x Support building with mbedtls 3.x which is required for different platforms. --- include/commissioner/error.hpp | 11 ++ src/library/coap.cpp | 72 +++++++++++- src/library/coap.hpp | 8 ++ src/library/cose.cpp | 1 + src/library/cose_test.cpp | 29 +++-- src/library/dtls.cpp | 74 ++++++++----- src/library/dtls.hpp | 40 ++++--- src/library/openthread/sha256.cpp | 6 +- src/library/token_manager.cpp | 8 +- src/library/token_manager.hpp | 16 +-- third_party/COSE-C/repo | 2 +- third_party/mbedtls/CMakeLists.txt | 6 +- third_party/mbedtls/mbedtls-config.h | 129 ++++++++++++++++++++++ third_party/mbedtls/mbedtls_user_config.h | 17 --- third_party/mbedtls/repo | 2 +- 15 files changed, 331 insertions(+), 90 deletions(-) create mode 100644 third_party/mbedtls/mbedtls-config.h delete mode 100644 third_party/mbedtls/mbedtls_user_config.h diff --git a/include/commissioner/error.hpp b/include/commissioner/error.hpp index 308f69f37..f61719f7f 100644 --- a/include/commissioner/error.hpp +++ b/include/commissioner/error.hpp @@ -35,6 +35,7 @@ #define OT_COMM_ERROR_HPP_ #include +#include #include #include @@ -272,6 +273,16 @@ inline bool operator!=(const ErrorCode &aErrorCode, const Error &aError) return !(aErrorCode == aError); } +/** + * Allows pretty-print in unit tests. + * + * See https://google.github.io/googletest/advanced.html#teaching-googletest-how-to-print-your-values + */ +inline void PrintTo(const Error &error, std::ostream *os) +{ + *os << error.ToString(); +} + } // namespace commissioner } // namespace ot diff --git a/src/library/coap.cpp b/src/library/coap.cpp index 8f574329f..d11785596 100644 --- a/src/library/coap.cpp +++ b/src/library/coap.cpp @@ -195,8 +195,7 @@ Error Message::AppendOption(OptionType aNumber, const OptionValue &aValue) { Error error; - VerifyOrExit(IsValidOption(aNumber, aValue), - error = ERROR_INVALID_ARGS("invalid CoAP option (number={})", aNumber)); + VerifyOrExit(IsValidOption(aNumber, aValue), error = ERROR_INVALID_ARGS("invalid CoAP option {}", aNumber)); if (aNumber == OptionType::kUriPath) { @@ -219,7 +218,7 @@ Error Message::GetOption(std::string &aValue, OptionType aNumber) const Error error; auto option = GetOption(aNumber); - VerifyOrExit(option != nullptr, error = ERROR_NOT_FOUND("CoAP option (number={}) not found", aNumber)); + VerifyOrExit(option != nullptr, error = ERROR_NOT_FOUND("CoAP option {} not found", aNumber)); aValue = option->GetStringValue(); @@ -232,7 +231,7 @@ Error Message::GetOption(uint32_t &aValue, OptionType aNumber) const Error error; auto option = GetOption(aNumber); - VerifyOrExit(option != nullptr, error = ERROR_NOT_FOUND("CoAP option (number={}) not found", aNumber)); + VerifyOrExit(option != nullptr, error = ERROR_NOT_FOUND("CoAP option {} not found", aNumber)); aValue = option->GetUint32Value(); @@ -245,7 +244,7 @@ Error Message::GetOption(ByteArray &aValue, OptionType aNumber) const Error error; auto option = GetOption(aNumber); - VerifyOrExit(option != nullptr, error = ERROR_NOT_FOUND("CoAP option (number={}) not found", aNumber)); + VerifyOrExit(option != nullptr, error = ERROR_NOT_FOUND("CoAP option {} not found", aNumber)); aValue = option->GetOpaqueValue(); @@ -355,7 +354,7 @@ Error Message::Serialize(OptionType aOptionNumber, VerifyOrDie(utils::to_underlying(aOptionNumber) >= aLastOptionNumber); VerifyOrExit(IsValidOption(aOptionNumber, aOptionValue), - error = ERROR_INVALID_ARGS("option (number={}) is not valid", aOptionNumber)); + error = ERROR_INVALID_ARGS("option {} is not valid", aOptionNumber)); length = 1; length += delta < kOption1ByteExtension ? 0 : (delta < kOption2ByteExtension ? 1 : 2); @@ -1287,3 +1286,64 @@ std::string Message::GetRequestUri(void) const } // namespace commissioner } // namespace ot + +auto fmt::formatter::format(ot::commissioner::coap::OptionType optionType, + format_context &ctx) -> decltype(ctx.out()) +{ + using ot::commissioner::coap::OptionType; + string_view name; + switch (optionType) + { + case OptionType::kIfMatch: + name = "kIfMatch"; + break; + case OptionType::kUriHost: + name = "kUriHost"; + break; + case OptionType::kETag: + name = "kETag"; + break; + case OptionType::kIfNonMatch: + name = "kIfNonMatch"; + break; + case OptionType::kObserve: + name = "kObserve"; + break; + case OptionType::kUriPort: + name = "kUriPort"; + break; + case OptionType::kLocationPath: + name = "kLocationPath"; + break; + case OptionType::kUriPath: + name = "kUriPath"; + break; + case OptionType::kContentFormat: + name = "kContentFormat"; + break; + case OptionType::kMaxAge: + name = "kMaxAge"; + break; + case OptionType::kUriQuery: + name = "kUriQuery"; + break; + case OptionType::kAccept: + name = "kAccept"; + break; + case OptionType::kLocationQuery: + name = "kLocationQuery"; + break; + case OptionType::kProxyUri: + name = "kProxyUri"; + break; + case OptionType::kProxyScheme: + name = "kProxyScheme"; + break; + case OptionType::kSize1: + name = "kSize1"; + break; + default: + name = "unknown"; + } + return formatter::format(name, ctx); +} diff --git a/src/library/coap.hpp b/src/library/coap.hpp index f47f5c675..b8f60034d 100644 --- a/src/library/coap.hpp +++ b/src/library/coap.hpp @@ -42,6 +42,8 @@ #include #include +#include + #include #include @@ -781,4 +783,10 @@ class Coap } // namespace ot +/** Makes `OptionType` formattable as a string. */ +template <> struct fmt::formatter : formatter +{ + auto format(ot::commissioner::coap::OptionType optionType, format_context &ctx) -> decltype(ctx.out()); +}; + #endif // OT_COMM_LIBRARY_COAP_HPP_ diff --git a/src/library/cose.cpp b/src/library/cose.cpp index fd091aeae..1a7f448a0 100644 --- a/src/library/cose.cpp +++ b/src/library/cose.cpp @@ -32,6 +32,7 @@ */ #if OT_COMM_CONFIG_CCM_ENABLE +#define MBEDTLS_ALLOW_PRIVATE_ACCESS #include "library/cose.hpp" diff --git a/src/library/cose_test.cpp b/src/library/cose_test.cpp index 5de42cfb7..0415bb42f 100644 --- a/src/library/cose_test.cpp +++ b/src/library/cose_test.cpp @@ -65,6 +65,20 @@ static const char kPrivateKey[] = "-----BEGIN PRIVATE KEY-----\r\n" "Xvr27euqi54WCMXJEMk6IIaPyFBNNw8bJvqXWfZ5g7t4hj7amsvqUST2\r\n" "-----END PRIVATE KEY-----\r\n"; +static Error ParsePublicKey(mbedtls_pk_context &aPublicKey, const ByteArray &aCert) +{ + TokenManager tokenManager{event_base_new()}; + + return tokenManager.ParsePublicKey(aPublicKey, aCert); +} + +static Error ParsePrivateKey(mbedtls_pk_context &aPrivateKey, const ByteArray &aPrivateKeyRaw) +{ + TokenManager tokenManager{event_base_new()}; + + return tokenManager.ParsePrivateKey(aPrivateKey, aPrivateKeyRaw); +} + TEST(CoseTest, CoseSignAndVerify_SignWithoutExternalData) { ByteArray content{1, 2, 3, 4, 5, 6}; @@ -76,10 +90,9 @@ TEST(CoseTest, CoseSignAndVerify_SignWithoutExternalData) mbedtls_pk_init(&publicKey); mbedtls_pk_init(&privateKey); - EXPECT_EQ(TokenManager::ParsePublicKey(publicKey, ByteArray{kCertificate, kCertificate + sizeof(kCertificate)}), - ErrorCode::kNone); - EXPECT_EQ(TokenManager::ParsePrivateKey(privateKey, ByteArray{kPrivateKey, kPrivateKey + sizeof(kPrivateKey)}), + EXPECT_EQ(ParsePublicKey(publicKey, ByteArray{kCertificate, kCertificate + sizeof(kCertificate)}), ErrorCode::kNone); + EXPECT_EQ(ParsePrivateKey(privateKey, ByteArray{kPrivateKey, kPrivateKey + sizeof(kPrivateKey)}), ErrorCode::kNone); ByteArray signature; Sign1Message msg; @@ -107,10 +120,9 @@ TEST(CoseTest, CoseSignAndVerify_SignWithExternalData) mbedtls_pk_init(&publicKey); mbedtls_pk_init(&privateKey); - EXPECT_EQ(TokenManager::ParsePublicKey(publicKey, ByteArray{kCertificate, kCertificate + sizeof(kCertificate)}), - ErrorCode::kNone); - EXPECT_EQ(TokenManager::ParsePrivateKey(privateKey, ByteArray{kPrivateKey, kPrivateKey + sizeof(kPrivateKey)}), + EXPECT_EQ(ParsePublicKey(publicKey, ByteArray{kCertificate, kCertificate + sizeof(kCertificate)}), ErrorCode::kNone); + EXPECT_EQ(ParsePrivateKey(privateKey, ByteArray{kPrivateKey, kPrivateKey + sizeof(kPrivateKey)}), ErrorCode::kNone); ByteArray signature; Sign1Message msg; @@ -140,10 +152,9 @@ TEST(CoseTest, CoseSignAndVerify_KeyConstruction) mbedtls_pk_init(&publicKey); mbedtls_pk_init(&privateKey); - EXPECT_EQ(TokenManager::ParsePublicKey(publicKey, ByteArray{kCertificate, kCertificate + sizeof(kCertificate)}), - ErrorCode::kNone); - EXPECT_EQ(TokenManager::ParsePrivateKey(privateKey, ByteArray{kPrivateKey, kPrivateKey + sizeof(kPrivateKey)}), + EXPECT_EQ(ParsePublicKey(publicKey, ByteArray{kCertificate, kCertificate + sizeof(kCertificate)}), ErrorCode::kNone); + EXPECT_EQ(ParsePrivateKey(privateKey, ByteArray{kPrivateKey, kPrivateKey + sizeof(kPrivateKey)}), ErrorCode::kNone); ByteArray keyId = {}; ByteArray encodedCoseKey; diff --git a/src/library/dtls.cpp b/src/library/dtls.cpp index 04216519a..1432de692 100644 --- a/src/library/dtls.cpp +++ b/src/library/dtls.cpp @@ -31,6 +31,8 @@ * This file implements wrapper of mbedtls. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "library/dtls.hpp" #include @@ -48,7 +50,7 @@ namespace ot { namespace commissioner { static const int kAuthMode = MBEDTLS_SSL_VERIFY_REQUIRED; -static const size_t kMaxContentLength = MBEDTLS_SSL_MAX_CONTENT_LEN; +static const size_t kMaxContentLength = MBEDTLS_SSL_IN_CONTENT_LEN; static const size_t KMaxFragmentLengthCode = MBEDTLS_SSL_MAX_FRAG_LEN_1024; static const size_t kMaxTransmissionUnit = 1280; @@ -110,8 +112,9 @@ void DtlsSession::InitMbedtls() { mbedtls_ssl_config_init(&mConfig); mbedtls_ssl_cookie_init(&mCookie); - mbedtls_ctr_drbg_init(&mCtrDrbg); mbedtls_entropy_init(&mEntropy); + mbedtls_ctr_drbg_init(&mCtrDrbg); + mbedtls_ctr_drbg_seed(&mCtrDrbg, mbedtls_entropy_func, &mEntropy, nullptr, 0); mbedtls_ssl_init(&mSsl); mbedtls_x509_crt_init(&mCaChain); @@ -175,7 +178,8 @@ Error DtlsSession::Init(const DtlsConfig &aConfig) { ExitNow(error = ERROR_INVALID_ARGS("bad certificate; {}", ErrorFromMbedtlsError(fail).GetMessage())); } - if (int fail = mbedtls_pk_parse_key(&mOwnKey, &aConfig.mOwnKey[0], aConfig.mOwnKey.size(), nullptr, 0)) + if (int fail = mbedtls_pk_parse_key(&mOwnKey, &aConfig.mOwnKey[0], aConfig.mOwnKey.size(), nullptr, 0, + mbedtls_ctr_drbg_random, &mCtrDrbg)) { ExitNow(error = ERROR_INVALID_ARGS("bad private key; {}", ErrorFromMbedtlsError(fail).GetMessage())); } @@ -192,13 +196,7 @@ Error DtlsSession::Init(const DtlsConfig &aConfig) mCipherSuites.push_back(0); mbedtls_ssl_conf_ciphersuites(&mConfig, &mCipherSuites[0]); - mbedtls_ssl_conf_export_keys_cb(&mConfig, HandleMbedtlsExportKeys, this); - - // RNG & Entropy - if (int fail = mbedtls_ctr_drbg_seed(&mCtrDrbg, mbedtls_entropy_func, &mEntropy, nullptr, 0)) - { - ExitNow(error = ErrorFromMbedtlsError(fail)); - } + mbedtls_ssl_set_export_keys_cb(&mSsl, HandleMbedtlsExportKeys, this); mbedtls_ssl_conf_rng(&mConfig, mbedtls_ctr_drbg_random, &mCtrDrbg); // Cookie @@ -335,35 +333,59 @@ std::string DtlsSession::GetStateString() const return stateString; } -int DtlsSession::HandleMbedtlsExportKeys(void *aDtlsSession, - const unsigned char *aMasterSecret, - const unsigned char *aKeyBlock, - size_t aMacLength, - size_t aKeyLength, - size_t aIvLength) +#if OT_COMM_CONFIG_CCM_ENABLE +const mbedtls_x509_crt *DtlsSession::GetPeerCertificate() const +{ + return mSsl.session ? mSsl.session->peer_cert : nullptr; +} +#endif + +void DtlsSession::HandleMbedtlsExportKeys(void *aDtlsSession, + mbedtls_ssl_key_export_type aType, + const unsigned char *aMasterSecret, + size_t aMasterSecretLen, + const unsigned char aClientRandom[32], + const unsigned char aServerRandom[32], + mbedtls_tls_prf_types aTlsPrfType) { auto dtlsSession = reinterpret_cast(aDtlsSession); - return dtlsSession->HandleMbedtlsExportKeys(aMasterSecret, aKeyBlock, aMacLength, aKeyLength, aIvLength); + dtlsSession->HandleMbedtlsExportKeys(aType, aMasterSecret, aMasterSecretLen, aClientRandom, aServerRandom, + aTlsPrfType); } -int DtlsSession::HandleMbedtlsExportKeys(const unsigned char *, - const unsigned char *aKeyBlock, - size_t aMacLength, - size_t aKeyLength, - size_t aIvLength) +void DtlsSession::HandleMbedtlsExportKeys(mbedtls_ssl_key_export_type aType, + const unsigned char *aMasterSecret, + size_t aMasterSecretLen, + const unsigned char aClientRandom[32], + const unsigned char aServerRandom[32], + mbedtls_tls_prf_types aTlsPrfType) { - Sha256 sha256; + Sha256 sha256; + unsigned char keyBlock[kKeyBlockSize]; + unsigned char randBytes[2 * kRandomBufferSize]; + + VerifyOrExit(!mPSK.empty()); + VerifyOrExit(aType == MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET); + + memcpy(randBytes, aServerRandom, kRandomBufferSize); + memcpy(randBytes + kRandomBufferSize, aClientRandom, kRandomBufferSize); + + // Retrieve the Key block from Master secret + mbedtls_ssl_tls_prf(aTlsPrfType, aMasterSecret, aMasterSecretLen, "key expansion", randBytes, sizeof(randBytes), + keyBlock, sizeof(keyBlock)); sha256.Start(); - sha256.Update(aKeyBlock, 2 * static_cast(aMacLength + aKeyLength + aIvLength)); + sha256.Update(keyBlock, kKeyBlockSize); mKek.resize(Sha256::kHashSize); - sha256.Finish(&mKek[0]); + sha256.Finish(mKek.data()); static_assert(Sha256::kHashSize >= kJoinerRouterKekLength, "Sha256::kHashSize >= kJoinerRouterKekLength"); mKek.resize(kJoinerRouterKekLength); - return 0; + LOG_DEBUG(LOG_REGION_DTLS, "Generated KEK"); + +exit:; } void DtlsSession::HandleEvent(short aFlags) diff --git a/src/library/dtls.hpp b/src/library/dtls.hpp index f907e1d46..22f3d2ec3 100644 --- a/src/library/dtls.hpp +++ b/src/library/dtls.hpp @@ -111,14 +111,20 @@ class DtlsSession : public Endpoint uint16_t GetPeerPort() const override { return mSocket->GetPeerPort(); } uint16_t GetLocalPort() const { return mSocket->GetLocalPort(); } - - const mbedtls_x509_crt *GetPeerCertificate() const { return mSsl.session ? mSsl.session->peer_cert : nullptr; } - - const ByteArray &GetKek() const { return mKek; } +#if OT_COMM_CONFIG_CCM_ENABLE + const mbedtls_x509_crt *GetPeerCertificate() const; +#endif + const ByteArray &GetKek() const + { + return mKek; + } void HandleEvent(short aFlags); private: + static constexpr size_t kKeyBlockSize = 40; + static constexpr size_t kRandomBufferSize = 32; + class DtlsTimer : public Timer { public: @@ -170,18 +176,20 @@ class DtlsSession : public Endpoint // Decide if we should stop processing this session by given error. static bool ShouldStop(Error aError); - static int HandleMbedtlsExportKeys(void *aDtlsSession, - const unsigned char *aMasterSecret, - const unsigned char *aKeyBlock, - size_t aMacLength, - size_t aKeyLength, - size_t aIvLength); - - int HandleMbedtlsExportKeys(const unsigned char *aMasterSecret, - const unsigned char *aKeyBlock, - size_t aMacLength, - size_t aKeyLength, - size_t aIvLength); + static void HandleMbedtlsExportKeys(void *aDtlsSession, + mbedtls_ssl_key_export_type aType, + const unsigned char *aMasterSecret, + size_t aMasterSecretLen, + const unsigned char aClientRandom[32], + const unsigned char aServerRandom[32], + mbedtls_tls_prf_types aTlsPrfType); + + void HandleMbedtlsExportKeys(mbedtls_ssl_key_export_type aType, + const unsigned char *aMasterSecret, + size_t aMasterSecretLen, + const unsigned char aClientRandom[32], + const unsigned char aServerRandom[32], + mbedtls_tls_prf_types aTlsPrfType); SocketPtr mSocket; DtlsTimer mHandshakeTimer; diff --git a/src/library/openthread/sha256.cpp b/src/library/openthread/sha256.cpp index 81f32e5a5..1db57ec51 100644 --- a/src/library/openthread/sha256.cpp +++ b/src/library/openthread/sha256.cpp @@ -49,17 +49,17 @@ Sha256::~Sha256() void Sha256::Start(void) { - mbedtls_sha256_starts_ret(&mContext, 0); + mbedtls_sha256_starts(&mContext, 0); } void Sha256::Update(const uint8_t *aBuf, uint16_t aBufLength) { - mbedtls_sha256_update_ret(&mContext, aBuf, aBufLength); + mbedtls_sha256_update(&mContext, aBuf, aBufLength); } void Sha256::Finish(uint8_t aHash[kHashSize]) { - mbedtls_sha256_finish_ret(&mContext, aHash); + mbedtls_sha256_finish(&mContext, aHash); } } // namespace commissioner diff --git a/src/library/token_manager.cpp b/src/library/token_manager.cpp index a8344787a..2ee7e6dae 100644 --- a/src/library/token_manager.cpp +++ b/src/library/token_manager.cpp @@ -51,6 +51,9 @@ namespace commissioner { TokenManager::TokenManager(struct event_base *aEventBase) : mRegistrarClient(aEventBase) { + mbedtls_entropy_init(&mEntropy); + mbedtls_ctr_drbg_init(&mCtrDrbg); + mbedtls_ctr_drbg_seed(&mCtrDrbg, mbedtls_entropy_func, &mEntropy, nullptr, 0); mbedtls_pk_init(&mPublicKey); mbedtls_pk_init(&mPrivateKey); mbedtls_pk_init(&mDomainCAPublicKey); @@ -58,6 +61,8 @@ TokenManager::TokenManager(struct event_base *aEventBase) TokenManager::~TokenManager() { + mbedtls_entropy_free(&mEntropy); + mbedtls_ctr_drbg_free(&mCtrDrbg); mbedtls_pk_free(&mPrivateKey); mbedtls_pk_free(&mPublicKey); mbedtls_pk_free(&mDomainCAPublicKey); @@ -513,7 +518,8 @@ Error TokenManager::ParsePrivateKey(mbedtls_pk_context &aPrivateKey, const ByteA Error error; VerifyOrExit(!aPrivateKeyRaw.empty(), error = ERROR_INVALID_ARGS("the raw private key is empty")); - if (int fail = mbedtls_pk_parse_key(&aPrivateKey, aPrivateKeyRaw.data(), aPrivateKeyRaw.size(), nullptr, 0)) + if (int fail = mbedtls_pk_parse_key(&aPrivateKey, aPrivateKeyRaw.data(), aPrivateKeyRaw.size(), nullptr, 0, + mbedtls_ctr_drbg_random, &mCtrDrbg)) { error = ErrorFromMbedtlsError(fail); ExitNow(error = {ErrorCode::kInvalidArgs, error.GetMessage()}); diff --git a/src/library/token_manager.hpp b/src/library/token_manager.hpp index a9a09ef84..cae23793b 100644 --- a/src/library/token_manager.hpp +++ b/src/library/token_manager.hpp @@ -155,7 +155,7 @@ class TokenManager * @retval ... Failed to parse the public key. * */ - static Error ParsePublicKey(mbedtls_pk_context &aPublicKey, const ByteArray &aCert); + Error ParsePublicKey(mbedtls_pk_context &aPublicKey, const ByteArray &aCert); /** * This method parse private key from PEM/DER encoded certificate. @@ -167,7 +167,7 @@ class TokenManager * @retval ... Failed to parse the private key. * */ - static Error ParsePrivateKey(mbedtls_pk_context &aPrivateKey, const ByteArray &aPrivateKeyRaw); + Error ParsePrivateKey(mbedtls_pk_context &aPrivateKey, const ByteArray &aPrivateKeyRaw); private: /* @@ -205,11 +205,13 @@ class TokenManager // The cose signed commissioner token. ByteArray mSignedToken; - std::string mCommissionerId; - std::string mDomainName; - mbedtls_pk_context mPublicKey; - mbedtls_pk_context mPrivateKey; - mbedtls_pk_context mDomainCAPublicKey; + std::string mCommissionerId; + std::string mDomainName; + mbedtls_entropy_context mEntropy; + mbedtls_ctr_drbg_context mCtrDrbg; + mbedtls_pk_context mPublicKey; + mbedtls_pk_context mPrivateKey; + mbedtls_pk_context mDomainCAPublicKey; coap::CoapSecure mRegistrarClient; }; diff --git a/third_party/COSE-C/repo b/third_party/COSE-C/repo index 059e8f4db..9401d5859 160000 --- a/third_party/COSE-C/repo +++ b/third_party/COSE-C/repo @@ -1 +1 @@ -Subproject commit 059e8f4dbe9827ed89f6731e95052a5a1b79ed94 +Subproject commit 9401d5859e049585dd45dd1f689b6caf5bb8cd7f diff --git a/third_party/mbedtls/CMakeLists.txt b/third_party/mbedtls/CMakeLists.txt index e651ec752..e70bac107 100644 --- a/third_party/mbedtls/CMakeLists.txt +++ b/third_party/mbedtls/CMakeLists.txt @@ -39,21 +39,21 @@ add_subdirectory(repo) ## Include the user config file by absolute path to avoid exposing current directory. target_compile_definitions(mbedtls - PUBLIC MBEDTLS_USER_CONFIG_FILE="${CMAKE_CURRENT_SOURCE_DIR}/mbedtls_user_config.h" + PUBLIC MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_SOURCE_DIR}/mbedtls-config.h" ) target_include_directories(mbedtls PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/repo/include ) target_compile_definitions(mbedx509 - PUBLIC MBEDTLS_USER_CONFIG_FILE="${CMAKE_CURRENT_SOURCE_DIR}/mbedtls_user_config.h" + PUBLIC MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_SOURCE_DIR}/mbedtls-config.h" ) target_include_directories(mbedx509 PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/repo/include ) target_compile_definitions(mbedcrypto - PUBLIC MBEDTLS_USER_CONFIG_FILE="${CMAKE_CURRENT_SOURCE_DIR}/mbedtls_user_config.h" + PUBLIC MBEDTLS_CONFIG_FILE="${CMAKE_CURRENT_SOURCE_DIR}/mbedtls-config.h" ) target_include_directories(mbedcrypto PUBLIC ${CMAKE_CURRENT_SOURCE_DIR}/repo/include diff --git a/third_party/mbedtls/mbedtls-config.h b/third_party/mbedtls/mbedtls-config.h new file mode 100644 index 000000000..b9d01aa95 --- /dev/null +++ b/third_party/mbedtls/mbedtls-config.h @@ -0,0 +1,129 @@ +/* + * Copyright (c) 2024, The OpenThread Authors. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef OT_COMM_MBEDTLS_CONFIG_H +#define OT_COMM_MBEDTLS_CONFIG_H + +#include +#include + +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + +#define MBEDTLS_DEBUG_C +#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf + +#define MBEDTLS_AES_C +#define MBEDTLS_AES_ROM_TABLES +#define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_ASN1_WRITE_C +#define MBEDTLS_BIGNUM_C +#define MBEDTLS_CCM_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_CMAC_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_ECJPAKE_C +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_NIST_OPTIM +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_ERROR_C +#define MBEDTLS_HAVE_ASM +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +#define MBEDTLS_MD_C +#define MBEDTLS_NET_C +#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_SHA224_C +#define MBEDTLS_SHA256_C +#define MBEDTLS_SHA256_SMALLER +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +#define MBEDTLS_SSL_EXPORT_KEYS +#define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_TLS_C + +#define MBEDTLS_SSL_COOKIE_C +#define MBEDTLS_SSL_SRV_C + +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED + +#define MBEDTLS_BASE64_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_X509_USE_C +#define MBEDTLS_X509_CRT_PARSE_C +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE + +#define MBEDTLS_BASE64_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_OID_C +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_PK_WRITE_C + +#define MBEDTLS_MPI_WINDOW_SIZE 1 /**< Maximum windows size used. */ +#define MBEDTLS_MPI_MAX_SIZE 32 /**< Maximum number of bytes for usable MPIs. */ +#define MBEDTLS_ECP_MAX_BITS 256 /**< Maximum bit size of groups */ +#define MBEDTLS_ECP_WINDOW_SIZE 2 /**< Maximum window size used */ +#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Enable fixed-point speed-up */ +#define MBEDTLS_ENTROPY_MAX_SOURCES 1 /**< Maximum number of sources supported */ + +#define MBEDTLS_SSL_MAX_CONTENT_LEN 1024 /**< Maxium fragment length in bytes */ + +#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN +#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN +#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 + +#include "mbedtls/version.h" + +#if (MBEDTLS_VERSION_NUMBER >= 0x03050000) + // This is from build_info.h of 3.X mbedtls to workaround building issues +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \ + defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */ + #include "mbedtls/config_psa.h" +#endif + + // Include in the legacy config name adjustment file for mbedtls >= 3.5.0 + #include "mbedtls/config_adjust_legacy_crypto.h" +#endif + +#include "mbedtls/check_config.h" + +#endif /* OT_COMM_MBEDTLS_CONFIG_H */ diff --git a/third_party/mbedtls/mbedtls_user_config.h b/third_party/mbedtls/mbedtls_user_config.h deleted file mode 100644 index 03d0e8bff..000000000 --- a/third_party/mbedtls/mbedtls_user_config.h +++ /dev/null @@ -1,17 +0,0 @@ -#ifndef MBEDTLS_USER_CONFIG_H -#define MBEDTLS_USER_CONFIG_H - -#define MBEDTLS_DEBUG_C - -#define MBEDTLS_CMAC_C -#define MBEDTLS_AES_C -#define MBEDTLS_ECJPAKE_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED - -#define MBEDTLS_SSL_MAX_CONTENT_LEN (1024) - -#undef MBEDTLS_SSL_RENEGOTIATION - -#endif // MBEDTLS_USER_CONFIG_H diff --git a/third_party/mbedtls/repo b/third_party/mbedtls/repo index d81c11b8a..daca7a397 160000 --- a/third_party/mbedtls/repo +++ b/third_party/mbedtls/repo @@ -1 +1 @@ -Subproject commit d81c11b8ab61fd5b2da8133aa73c5fe33a0633eb +Subproject commit daca7a3979c22da155ec9dce49ab1abf3b65d3a9