mbedtls: Update to v3.5.2

* Declaring MBEDTLS_ALLOW_PRIVATE_ACCESS allows access to mbedtls "private" fields. * Migration guide: https://github.com/Mbed-TLS/mbedtls/blob/development/docs/3.0-migration-guide.md Signed-off-by: Dávid Házi <[email protected]>
FreeRTOS · Feb 6, 2024 · d7beac7 · d7beac7
1 parent 465e9e9
commit d7beac7
Show file tree

Hide file tree

Showing 15 changed files with 217 additions and 57 deletions.
diff --git a/applications/aws_iot_example/configs/mbedtls_config/aws_mbedtls_config.h b/applications/aws_iot_example/configs/mbedtls_config/aws_mbedtls_config.h
@@ -3271,6 +3271,4 @@ void mbedtls_platform_free( void * ptr );
 
 /*#define MBEDTLS_PSA_CRYPTO_C */
 
-#include "mbedtls/check_config.h"
-
 /*#undef MBEDTLS_PSA_CRYPTO_C */
diff --git a/applications/aws_iot_example/main.c b/applications/aws_iot_example/main.c
@@ -102,29 +102,6 @@ void vAssertCalled( const char * pcFile,
     taskEXIT_CRITICAL();
 }
 
-/**
- * TODO: This function is only used in the PKCS#11 test case. In the PKCS#11 test,
- * it calls the mbedtls steps to generate the random number, so this function
- * is needed. But in the PKCS#11 library, we call the C_GenerateRandom to
- * generate a random number and do not need to call this function.
- */
-int mbedtls_hardware_poll( void * data,
-                           unsigned char * output,
-                           size_t len,
-                           size_t * olen )
-{
-    ( void ) ( data );
-    ( void ) ( len );
-
-    static uint32_t random_number = 0;
-
-    random_number += 8;
-    memcpy( output, &random_number, sizeof( uint32_t ) );
-    *olen = sizeof( uint32_t );
-
-    return 0;
-}
-
 BaseType_t xApplicationGetRandomNumber( uint32_t * pulNumber )
 {
     psa_status_t xPsaStatus = PSA_ERROR_PROGRAMMER_ERROR;
@@ -205,6 +182,11 @@ int main()
     /* Configure Mbed TLS memory APIs to use FreeRTOS heap APIs */
     mbedtls_platform_set_calloc_free( mbedtls_platform_calloc, mbedtls_platform_free );
 
+    mbedtls_threading_set_alt( mbedtls_platform_mutex_init,
+                               mbedtls_platform_mutex_free,
+                               mbedtls_platform_mutex_lock,
+                               mbedtls_platform_mutex_unlock );
+
     xRetVal = vDevModeKeyProvisioning();
 
     if( xRetVal != CKR_OK )
@@ -230,11 +212,6 @@ int main()
 
     if( status == 0 )
     {
-        mbedtls_threading_set_alt( mbedtls_platform_mutex_init,
-                                   mbedtls_platform_mutex_free,
-                                   mbedtls_platform_mutex_lock,
-                                   mbedtls_platform_mutex_unlock );
-
         #ifdef INTEGRATION_TESTS
             xTaskCreate( qual_task,
                          "qual",

diff --git a/applications/helpers/provisioning/dev_mode_key_provisioning.c b/applications/helpers/provisioning/dev_mode_key_provisioning.c
@@ -38,6 +38,11 @@
 #include <stdio.h>
 #include <string.h>
 
+/**
+ *  @brief Declaring MBEDTLS_ALLOW_PRIVATE_ACCESS allows access to mbedtls "private" fields.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
 /* FreeRTOS includes. */
 #include "FreeRTOS.h"
 
@@ -59,6 +64,8 @@
 /* mbedTLS includes. */
 #include "mbedtls/pk.h"
 #include "mbedtls/oid.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
 
 /* Default FreeRTOS API for console logging. */
 #define DEV_MODE_KEY_PROVISIONING_PRINT( X )    printf
@@ -137,7 +144,7 @@ static CK_RV prvProvisionPrivateECKey( CK_SESSION_HANDLE xSession,
     CK_BBOOL xTrue = CK_TRUE;
     CK_KEY_TYPE xPrivateKeyType = CKK_EC;
     CK_OBJECT_CLASS xPrivateKeyClass = CKO_PRIVATE_KEY;
-    mbedtls_ecp_keypair * pxKeyPair = ( mbedtls_ecp_keypair * ) pxMbedPkContext->pk_ctx;
+    const mbedtls_ecp_keypair * pxKeyPair = mbedtls_pk_ec( *pxMbedPkContext );
 
     xResult = C_GetFunctionList( &pxFunctionList );
 
@@ -221,7 +228,7 @@ static CK_RV prvProvisionPrivateRSAKey( CK_SESSION_HANDLE xSession,
     CK_RV xResult = CKR_OK;
     CK_FUNCTION_LIST_PTR pxFunctionList = NULL;
     CK_KEY_TYPE xPrivateKeyType = CKK_RSA;
-    mbedtls_rsa_context * xRsaContext = pxMbedPkContext->pk_ctx;
+    const mbedtls_rsa_context * xRsaContext = mbedtls_pk_rsa( *pxMbedPkContext );
     CK_OBJECT_CLASS xPrivateKeyClass = CKO_PRIVATE_KEY;
     RsaParams_t * pxRsaParams = NULL;
     CK_BBOOL xTrue = CK_TRUE;
@@ -321,9 +328,22 @@ CK_RV xProvisionPrivateKey( CK_SESSION_HANDLE xSession,
     mbedtls_pk_type_t xMbedKeyType;
     int lMbedResult = 0;
     mbedtls_pk_context xMbedPkContext = { 0 };
+    mbedtls_entropy_context entropyCtx;
+    mbedtls_ctr_drbg_context drbgCtx;
+
+    mbedtls_entropy_init( &entropyCtx );
+    mbedtls_ctr_drbg_init( &drbgCtx );
+    lMbedResult = mbedtls_ctr_drbg_seed( &drbgCtx, mbedtls_entropy_func, &entropyCtx, NULL, 0 );
 
     mbedtls_pk_init( &xMbedPkContext );
-    lMbedResult = mbedtls_pk_parse_key( &xMbedPkContext, pucPrivateKey, xPrivateKeyLength, NULL, 0 );
+
+    if( lMbedResult == 0 )
+    {
+        lMbedResult = mbedtls_pk_parse_key( &xMbedPkContext, pucPrivateKey, xPrivateKeyLength, NULL, 0, mbedtls_ctr_drbg_random, &drbgCtx );
+    }
+
+    mbedtls_ctr_drbg_free( &drbgCtx );
+    mbedtls_entropy_free( &entropyCtx );
 
     if( lMbedResult != 0 )
     {
@@ -381,10 +401,22 @@ CK_RV xProvisionPublicKey( CK_SESSION_HANDLE xSession,
 
     xResult = C_GetFunctionList( &pxFunctionList );
 
+    mbedtls_entropy_context entropyCtx;
+    mbedtls_ctr_drbg_context drbgCtx;
+    mbedtls_entropy_init( &entropyCtx );
+    mbedtls_ctr_drbg_init( &drbgCtx );
+    lMbedResult = mbedtls_ctr_drbg_seed( &drbgCtx, mbedtls_entropy_func, &entropyCtx, NULL, 0 );
+
     mbedtls_pk_init( &xMbedPkContext );
 
-    /* Try parsing the private key using mbedtls_pk_parse_key. */
-    lMbedResult = mbedtls_pk_parse_key( &xMbedPkContext, pucKey, xKeyLength, NULL, 0 );
+    if( lMbedResult == 0 )
+    {
+        /* Try parsing the private key using mbedtls_pk_parse_key. */
+        lMbedResult = mbedtls_pk_parse_key( &xMbedPkContext, pucKey, xKeyLength, NULL, 0, mbedtls_ctr_drbg_random, &drbgCtx );
+    }
+
+    mbedtls_ctr_drbg_free( &drbgCtx );
+    mbedtls_entropy_free( &entropyCtx );
 
     /* If mbedtls_pk_parse_key didn't work, maybe the private key is not included in the input passed in.
      * Try to parse just the public key. */
@@ -404,7 +436,7 @@ CK_RV xProvisionPublicKey( CK_SESSION_HANDLE xSession,
         CK_BYTE xPublicExponent[] = { 0x01, 0x00, 0x01 };
         CK_BYTE xModulus[ MODULUS_LENGTH + 1 ] = { 0 };
 
-        ( void ) mbedtls_rsa_export_raw( ( mbedtls_rsa_context * ) xMbedPkContext.pk_ctx,
+        ( void ) mbedtls_rsa_export_raw( mbedtls_pk_rsa( xMbedPkContext ),
                                          ( unsigned char * ) &xModulus, MODULUS_LENGTH + 1,
                                          NULL, 0,
                                          NULL, 0,
@@ -441,7 +473,7 @@ CK_RV xProvisionPublicKey( CK_SESSION_HANDLE xSession,
         size_t xLength;
         CK_BYTE xEcPoint[ 256 ] = { 0 };
 
-        mbedtls_ecdsa_context * pxEcdsaContext = ( mbedtls_ecdsa_context * ) xMbedPkContext.pk_ctx;
+        const mbedtls_ecdsa_context * pxEcdsaContext = mbedtls_pk_ec( xMbedPkContext );
 
         /* DER encoded EC point. Leave 2 bytes for the tag and length. */
         ( void ) mbedtls_ecp_point_write_binary( &pxEcdsaContext->grp,

diff --git a/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h b/applications/keyword_detection/configs/mbedtls_config/aws_mbedtls_config.h
@@ -3271,6 +3271,4 @@ void mbedtls_platform_free( void * ptr );
 
 /*#define MBEDTLS_PSA_CRYPTO_C */
 
-#include "mbedtls/check_config.h"
-
 /*#undef MBEDTLS_PSA_CRYPTO_C */
diff --git a/applications/keyword_detection/main.c b/applications/keyword_detection/main.c
@@ -162,6 +162,11 @@ int main( void )
 
     ( void ) mbedtls_platform_set_calloc_free( mbedtls_platform_calloc, mbedtls_platform_free );
 
+    mbedtls_threading_set_alt( mbedtls_platform_mutex_init,
+                               mbedtls_platform_mutex_free,
+                               mbedtls_platform_mutex_lock,
+                               mbedtls_platform_mutex_unlock );
+
     UBaseType_t xRetVal = vDevModeKeyProvisioning();
 
     if( xRetVal != CKR_OK )
@@ -195,11 +200,6 @@ int main( void )
         return EXIT_FAILURE;
     }
 
-    mbedtls_threading_set_alt( mbedtls_platform_mutex_init,
-                               mbedtls_platform_mutex_free,
-                               mbedtls_platform_mutex_lock,
-                               mbedtls_platform_mutex_unlock );
-
     if( prvAreAwsCredentialsValid() == true )
     {
         if( network_startup() != 0 )

diff --git a/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h b/applications/speech_recognition/configs/mbedtls_config/aws_mbedtls_config.h
@@ -3271,6 +3271,4 @@ void mbedtls_platform_free( void * ptr );
 
 /*#define MBEDTLS_PSA_CRYPTO_C */
 
-#include "mbedtls/check_config.h"
-
 /*#undef MBEDTLS_PSA_CRYPTO_C */
diff --git a/applications/speech_recognition/main.c b/applications/speech_recognition/main.c
@@ -168,6 +168,11 @@ int main( void )
 
     ( void ) mbedtls_platform_set_calloc_free( mbedtls_platform_calloc, mbedtls_platform_free );
 
+    mbedtls_threading_set_alt( mbedtls_platform_mutex_init,
+                               mbedtls_platform_mutex_free,
+                               mbedtls_platform_mutex_lock,
+                               mbedtls_platform_mutex_unlock );
+
     UBaseType_t xRetVal = vDevModeKeyProvisioning();
 
     if( xRetVal != CKR_OK )
@@ -200,11 +205,6 @@ int main( void )
         return EXIT_FAILURE;
     }
 
-    mbedtls_threading_set_alt( mbedtls_platform_mutex_init,
-                               mbedtls_platform_mutex_free,
-                               mbedtls_platform_mutex_lock,
-                               mbedtls_platform_mutex_unlock );
-
     bool are_credentials_valid = prvAreAwsCredentialsValid();
 
     if( are_credentials_valid )

diff --git a/components/connectivity/freertos_plus_tcp/integration/src/transport_mbedtls.c b/components/connectivity/freertos_plus_tcp/integration/src/transport_mbedtls.c
@@ -1,6 +1,8 @@
 /*
  * FreeRTOS V202212.00
  * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+ * Copyright 2024 Arm Limited and/or its affiliates
+ * <[email protected]>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy of
  * this software and associated documentation files (the "Software"), to deal in

diff --git a/components/security/freertos_pkcs11_psa/CMakeLists.txt b/components/security/freertos_pkcs11_psa/CMakeLists.txt
@@ -8,4 +8,11 @@ set(freertos_pkcs11_psa_SOURCE_DIR
     "Path to FreeRTOS PKCS#11 to PSA shim layer source code"
 )
 
+execute_process(COMMAND git am --abort
+    COMMAND git am ${CMAKE_CURRENT_LIST_DIR}/integration/patches/0001-build-Update-mbedtls-version.patch
+    WORKING_DIRECTORY ${freertos_pkcs11_psa_SOURCE_DIR}
+    OUTPUT_QUIET
+    ERROR_QUIET
+)
+
 add_subdirectory(integration)
diff --git a/.../security/freertos_pkcs11_psa/integration/patches/0001-build-Update-mbedtls-version.patch b/.../security/freertos_pkcs11_psa/integration/patches/0001-build-Update-mbedtls-version.patch
@@ -0,0 +1,107 @@
+From a0345f268535e2150a4a347f6723081a6630ed0b Mon Sep 17 00:00:00 2001
+From: Dávid Házi <[email protected]>
+Date: Thu, 18 Jan 2024 16:24:20 +0100
+Subject: [PATCH] build: Update mbedtls to v3.5.2
+
+* Add #define MBEDTLS_ALLOW_PRIVATE_ACCESS to every file that
+  access private struct members.
+* Remove mbedtls/pk_internal.h header file inclusion,
+  because it no longer exists in the latest mbedtls version.
+* Direct access to pk_info structs has been removed,
+  mbedtls_pk_info_from_type function should be used.
+* mbedtls_rsa_init function prototype has been changed,
+  newer prototype should be used.
+
+Signed-off-by: Dávid Házi <[email protected]>
+---
+ iot_pkcs11_psa.c                   | 11 ++++++-----
+ iot_pkcs11_psa_input_format.h      |  1 -
+ iot_pkcs11_psa_object_management.c |  3 +++
+ 3 files changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/iot_pkcs11_psa.c b/iot_pkcs11_psa.c
+index 54a0669..abe2e75 100644
+--- a/iot_pkcs11_psa.c
++++ b/iot_pkcs11_psa.c
+@@ -38,6 +38,8 @@
+ /* FreeRTOS includes. */
+ #include "FreeRTOS.h"
+
++#define MBEDTLS_ALLOW_PRIVATE_ACCESS
++
+ /* PKCS#11 includes. */
+ #include "core_pkcs11_config.h"
+ #include "core_pkcs11.h"
+@@ -46,7 +48,6 @@
+
+ /* mbedTLS includes. */
+ #include "mbedtls/pk.h"
+-#include "mbedtls/pk_internal.h"
+
+ #define PKCS11_PRINT( X )            vLoggingPrintf X
+ #define PKCS11_WARNING_PRINT( X )    /* vLoggingPrintf  X */
+@@ -646,7 +647,7 @@ CK_RV prvCreateRsaPrivateKey( mbedtls_pk_context * pxMbedContext,
+     *ppxLabel = NULL;
+     *ppxClass = NULL;
+     pxRsaContext = pxMbedContext->pk_ctx;
+-    mbedtls_rsa_init( pxRsaContext, MBEDTLS_RSA_PKCS_V15, 0 /*ignored.*/ );
++    mbedtls_rsa_init( pxRsaContext );
+
+     /* Parse template and collect the relevant parts. */
+     for( ulIndex = 0; ulIndex < ulCount; ulIndex++ )
+@@ -819,7 +820,7 @@ CK_RV prvCreatePrivateKey( CK_ATTRIBUTE_PTR pxTemplate,
+         if( pxRsaCtx != NULL )
+         {
+             xMbedContext.pk_ctx = pxRsaCtx;
+-            xMbedContext.pk_info = &mbedtls_rsa_info;
++            xMbedContext.pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_RSA);
+             xResult = prvCreateRsaPrivateKey( &xMbedContext,
+                                               &pxLabel,
+                                               &pxClass,
+@@ -851,7 +852,7 @@ CK_RV prvCreatePrivateKey( CK_ATTRIBUTE_PTR pxTemplate,
+             if( pxKeyPair != NULL )
+             {
+                 /* Initialize the info. */
+-                xMbedContext.pk_info = &mbedtls_eckey_info;
++                xMbedContext.pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
+
+                 /* Initialize the context. */
+                 xMbedContext.pk_ctx = pxKeyPair;
+@@ -1082,7 +1083,7 @@ CK_RV prvCreatePublicKey( CK_ATTRIBUTE_PTR pxTemplate,
+             if( pxKeyPair != NULL )
+             {
+                 /* Initialize the info. */
+-                xMbedContext.pk_info = &mbedtls_eckey_info;
++                xMbedContext.pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);;
+
+                 /* Initialize the context. */
+                 xMbedContext.pk_ctx = pxKeyPair;
+diff --git a/iot_pkcs11_psa_input_format.h b/iot_pkcs11_psa_input_format.h
+index 3bf18b3..b8cdfda 100644
+--- a/iot_pkcs11_psa_input_format.h
++++ b/iot_pkcs11_psa_input_format.h
+@@ -27,7 +27,6 @@
+ /* mbedTLS includes. */
+ #include "mbedtls/pk.h"
+ #include "mbedtls/asn1.h"
+-#include "mbedtls/pk_internal.h"
+ #include "mbedtls/oid.h"
+
+ #define pkcs11DER_ENCODED_OID_P256_LEGNTH    19
+diff --git a/iot_pkcs11_psa_object_management.c b/iot_pkcs11_psa_object_management.c
+index 6e6a969..ace6dc6 100644
+--- a/iot_pkcs11_psa_object_management.c
++++ b/iot_pkcs11_psa_object_management.c
+@@ -32,6 +32,9 @@
+  */
+
+ #include <string.h>
++
++#define MBEDTLS_ALLOW_PRIVATE_ACCESS
++
+ #include "iot_pkcs11_psa_object_management.h"
+ #include "iot_pkcs11_psa_input_format.h"
+
+--
+2.40.1
+
diff --git a/components/security/mbedtls/integration/inc/iot_tls.h b/components/security/mbedtls/integration/inc/iot_tls.h
@@ -1,6 +1,8 @@
 /*
  * FreeRTOS TLS V1.3.1
  * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+ * Copyright 2024 Arm Limited and/or its affiliates
+ * <[email protected]>
  *
  * Permission is hereby granted, free of charge, to any person obtaining a copy of
  * this software and associated documentation files (the "Software"), to deal in
@@ -26,11 +28,22 @@
 #ifndef IOT_TLS_H
 #define IOT_TLS_H
 
+/**
+ *  @brief Declaring MBEDTLS_ALLOW_PRIVATE_ACCESS allows access to mbedtls "private" fields.
+ */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/sha256.h"
 #include "mbedtls/pk.h"
-#include "mbedtls/pk_internal.h"
+
+/**
+ *  @brief Custom pk_info struct is not supported by mbedtls v3,
+ *         but the current solution should define one. With this
+ *         private include we can access to mbedtls_pk_info_t.
+ */
+#include "../library/pk_wrap.h"
 #include "mbedtls/debug.h"
 #include "core_pkcs11.h"
Original file line number	Diff line number	Diff line change
Expand Up		@@ -3271,6 +3271,4 @@ void mbedtls_platform_free( void * ptr );

		/#define MBEDTLS_PSA_CRYPTO_C /

		#include "mbedtls/check_config.h"

		/#undef MBEDTLS_PSA_CRYPTO_C /