Refactoring external/mbedtls

external/include/mbedtls/mbedtls_config.h

@@ -3962,5 +3962,3 @@
 //#define MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED
 
 /** \} name SECTION: Module configuration options */
-
-// #define MBEDTLS_SSL_CONF_EKU_PATCH

external/include/mbedtls/mbedtls_tizenrt_config.h

@@ -18,10 +18,6 @@
 /**
  * \file mbedtls_tizenrt_config.h
  */
-#undef MBEDTLS_NO_PLATFORM_ENTROPY
-#if !defined(CONFIG_DEV_URANDOM)
-#define MBEDTLS_NO_PLATFORM_ENTROPY
-#endif
 
 /*
  * Tizenrt mbedtls 2.7.8 uses below option. need to check whether it is really requires 
@@ -162,6 +158,7 @@
  * Uncomment to use your own hardware entropy collector.
  */
 #if defined(CONFIG_TLS_HW_RNG)
+#define MBEDTLS_NO_PLATFORM_ENTROPY
 #define MBEDTLS_ENTROPY_HARDWARE_ALT
 #endif
 
@@ -205,8 +202,3 @@
 #endif /* CONFIG_TLS_HW_AES_ENC */
 
 #endif /* CONFIG_SE */
-
-#if defined(CONFIG_MBEDTLS_PKCS5_C)
-/* MBEDTLS_PKCS5_C should be enabled to encrypt TASH password with PBKDF2 */
-#define MBEDTLS_PKCS5_C
-#endif /* CONFIG_MBEDTLS_PKCS5_C */

external/include/mbedtls/ssl.h

@@ -1483,12 +1483,6 @@ struct mbedtls_ssl_config {
     mbedtls_ssl_key_cert *MBEDTLS_PRIVATE(key_cert); /*!< own certificate/key pair(s)        */
     mbedtls_x509_crt *MBEDTLS_PRIVATE(ca_chain);     /*!< trusted CAs                        */
     mbedtls_x509_crl *MBEDTLS_PRIVATE(ca_crl);       /*!< trusted CAs CRLs                   */
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)    
-    const char *MBEDTLS_PRIVATE(client_oid);         /*!< OID to check on client certs       */
-    size_t MBEDTLS_PRIVATE(client_oid_len);          /*!< length of client OID               */
-    const char *MBEDTLS_PRIVATE(server_oid);         /*!< OID to check on server certs       */
-    size_t MBEDTLS_PRIVATE(server_oid_len);          /*!< length of server OID               */
-#endif
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
     mbedtls_x509_crt_ca_cb_t MBEDTLS_PRIVATE(f_ca_cb);
     void *MBEDTLS_PRIVATE(p_ca_cb);
@@ -3439,79 +3433,7 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
  */
 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
                               mbedtls_x509_crt *own_cert,
-                              mbedtls_pk_context *pk_key);
-#if defined(MBEDTLS_OCF_PATCH)
-/**
- * \brief          The type of certificate chain and private key callback.
- *
- * \note           The callback will be invoked by \c mbedtls_ssl_conf_iterate_own_certs for
- *                 each certificate chain and private key pair added to configuration
- *                 by \c mbedtls_ssl_conf_own_cert.
- *
- * \param ctx      An opaque context passed to the callback.
- * \param own_cert own public certificate chain
- * \param pk_key   own private key
- *
- * \return         \c 0 to continue iteration.
- * \return         A non-zero value to stop iteration.
- */
-typedef int (*mbedtls_ssl_conf_iterate_own_certs_cb_t)( void *ctx,
-                                                        const mbedtls_x509_crt *own_cert,
-                                                        const mbedtls_pk_context *pk_key );
-
-/**
- * \brief          Iterate over configured certificate and key pairs and invoke provided
- *                 callback with each pair.
- *
- * \param conf     SSL configuration
- * \param cert_cb  The callback to use with each certificate key pair
- * \param ctx      The context to be passed to \p cert_cb
-*/
-void mbedtls_ssl_conf_iterate_own_certs( const mbedtls_ssl_config *conf,
-                                        mbedtls_ssl_conf_iterate_own_certs_cb_t cert_cb,
-                                        void *ctx );
-
-#if defined(MBEDTLS_SSL_CONF_EKU_PATCH)
-/**
- * \brief                  Set custom EKU OIDs to be checked on certificates during TLS negotiation,
- *                         and for selecting suitable certificates for TLS negotation.
- *
- * \note                   By default, if this function is not called, clients will
- *                         check for the server authentication EKU (1.3.6.1.5.5.7.3.1) in
- *                         a server's certificate, and servers will check for the
- *                         client authentication EKU (1.3.6.1.5.5.7.3.2) if a client
- *                         presents a certificate.
- *
- * \param conf             SSL configuration
- * \param client_oid       OID to check for when verifying client certificates as a server.
- *                         This must be an MBEDTLS_OID_* constant from oid.h, or a custom OID
- *                         supplied by the caller. If a custom OID is used, it must be provided in
- *                         its ASN.1 encoding; human-readable dotted numeric strings are not supported.
- *                         Additionally, callers using custom OID buffers must ensure those buffers remain
- *                         live while this SSL configuration is live. Passing NULL will
- *                         disable EKU checking of client certificates.
- * \param client_oid_len   The length of client_oid, not counting a terminating NULL if present; for constants
- *                         from oid.h, this can be obtained with MBEDTLS_OID_SIZE(x) where x is the OID constant.
- *                         If client_oid is NULL, this must be zero.
- * \param server_oid       OID to check for when verifying server certificates as a client.
- *                         This must be an MBEDTLS_OID_* constant from oid.h, or a custom OID
- *                         supplied by the caller. If a custom OID is used, it must be provided in
- *                         its ASN.1 encoding; human-readable dotted numeric strings are not supported.
- *                         Additionally, callers using custom OID buffers must ensure those buffers remain
- *                         live while this SSL configuration is live. Passing NULL will
- *                         disable EKU checking of server certificates.
- * \param server_oid_len   The length of server_oid not counting a terminating NULL if present; for constants
- *                         from oid.h, this can be obtained with MBEDTLS_OID_SIZE(x) where x is the OID constant.
- *                         If client_oid is NULL, this must be zero.
- *
- * \return                 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA for invalid arguments.
- *                         On failure, existing behavior is unchanged.
- */
-int mbedtls_ssl_conf_ekus( mbedtls_ssl_config *conf,
-                           const char *client_oid, size_t client_oid_len,
-                           const char *server_oid, size_t server_oid_len );
-#endif /* MBEDTLS_SSL_CONF_EKU_PATCH */
-#endif /* MBEDTLS_OCF_PATCH */                                                         
+                              mbedtls_pk_context *pk_key);                                                     
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)

external/include/mbedtls/ssl_misc.h

@@ -1685,11 +1685,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
 MBEDTLS_CHECK_RETURN_CRITICAL
 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
                                  const mbedtls_ssl_ciphersuite_t *ciphersuite,
-                                 int cert_endpoint,
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)                                 
-                                 const char *client_oid, size_t client_oid_len,
-                                 const char *server_oid, size_t server_oid_len,
-#endif                                 
+                                 int cert_endpoint,                               
                                  uint32_t *flags);
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 

external/include/mbedtls/x509_crt.h

@@ -1151,21 +1151,6 @@ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx,
 int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx,
                                            unsigned char ns_cert_type);
 
-
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT)
-/**
- * \brief           Set the subject alternative name extension
- *
- * \param ctx       CRT context to use
- * \param names     subject alternative names. For each dNSName element, the tag field of the dns_name
- *                  member does not need to be set and will be ignored.
- *
- * \return          0 if successful, or a specific error code
- */
-int mbedtls_x509write_crt_set_subject_alt_names( mbedtls_x509write_cert *ctx,
-                                                 const mbedtls_x509_general_names *names );
-#endif /* MBEDTLS_X509_EXPANDED_SUBJECT_ALT_NAME_SUPPORT */
-
 /**
  * \brief           Free the contents of a CRT write context
  *

external/mbedtls/entropy_poll.c

@@ -56,68 +56,41 @@
 
 #if !defined(MBEDTLS_NO_PLATFORM_ENTROPY)
 
-#if defined(MBED_TIZENRT)
-#else
 #if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
     !defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
     !defined(__HAIKU__) && !defined(__midipix__)
 #error \
     "Platform entropy sources only work on Unix and Windows, see MBEDTLS_NO_PLATFORM_ENTROPY in mbedtls_config.h"
 #endif
-#endif
 
 #if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
 
 #if !defined(_WIN32_WINNT)
 #define _WIN32_WINNT 0x0400
 #endif
 #include <windows.h>
-
-#if defined(MBEDTLS_OCF_PATCH)
-#include <bcrypt.h>
-#else
 #include <wincrypt.h>
-#endif
 
 int mbedtls_platform_entropy_poll(void *data, unsigned char *output, size_t len,
                                   size_t *olen)
 {
-#if !defined(MBEDTLS_OCF_PATCH)
     HCRYPTPROV provider;
-#endif
     ((void) data);
     *olen = 0;
 
-#if defined(MBEDTLS_OCF_PATCH)
-    /*
-     * size_t may be 64 bits, but ULONG is always 32.
-     * If len is larger than the maximum for ULONG, just fail.
-     * It's unlikely anything ever will want to ask for this much randomness.
-     */
-    if ( len > 0xFFFFFFFFULL )
-#else
     if (CryptAcquireContext(&provider, NULL, NULL,
-                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE)
-#endif                            
+                            PROV_RSA_FULL, CRYPT_VERIFYCONTEXT) == FALSE)                            
     {
         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
     }
 
-#if defined(MBEDTLS_OCF_PATCH)
-	if( !BCRYPT_SUCCESS(BCryptGenRandom(NULL, output, (ULONG) len, BCRYPT_USE_SYSTEM_PREFERRED_RNG)) )
-#else
     if( CryptGenRandom( provider, (DWORD) len, output ) == FALSE )
-#endif
     {
-#if !defined(MBEDTLS_OCF_PATCH)
         CryptReleaseContext( provider, 0 );
-#endif
         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
     }
 
-#if !defined(MBEDTLS_OCF_PATCH)
     CryptReleaseContext( provider, 0 );
-#endif
     *olen = len;
 
     return 0;

external/mbedtls/ssl_tls.c

@@ -1895,43 +1895,6 @@ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
     return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
 }
 
-#if defined(MBEDTLS_OCF_PATCH)
-void mbedtls_ssl_conf_iterate_own_certs( const mbedtls_ssl_config *conf,
-                                        mbedtls_ssl_conf_iterate_own_certs_cb_t cert_cb,
-                                        void *ctx )
-{
-    mbedtls_ssl_key_cert *key_cert = conf->key_cert;
-    while(key_cert != NULL)
-    {
-        if (cert_cb(ctx, key_cert->cert, key_cert->key) != 0)
-            break;
-        key_cert = key_cert->next;
-    }
-}
-
-#if defined(MBEDTLS_SSL_CONF_EKU_PATCH)
-int mbedtls_ssl_conf_ekus( mbedtls_ssl_config *conf,
-                           const char *client_oid, size_t client_oid_len,
-                           const char *server_oid, size_t server_oid_len )
-{
-    if( ( client_oid_len == 0 && client_oid )  ||
-        ( client_oid_len != 0 && !client_oid ) ||
-        ( server_oid_len == 0 && server_oid )  ||
-        ( server_oid_len != 0 && !server_oid ) )
-    {
-        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    }
-
-    conf->client_oid = client_oid;
-    conf->client_oid_len = client_oid_len;
-    conf->server_oid = server_oid;
-    conf->server_oid_len = server_oid_len;
-
-    return( 0 );
-}
-
-#endif /*defined(MBEDTLS_SSL_CONF_EKU_PATCH)*/
-#endif /*defined(MBEDTLS_OCF_PATCH)*/
 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
                                mbedtls_x509_crt *ca_chain,
                                mbedtls_x509_crl *ca_crl)
@@ -5321,15 +5284,6 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
     mbedtls_ssl_conf_endpoint(conf, endpoint);
     mbedtls_ssl_conf_transport(conf, transport);
 
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH) 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
-    conf->client_oid = MBEDTLS_OID_CLIENT_AUTH;
-    conf->client_oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
-    conf->server_oid = MBEDTLS_OID_SERVER_AUTH;
-    conf->server_oid_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
-#endif
-#endif /*defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)*/
-
     /*
      * Things that are common to all presets
      */
@@ -5810,11 +5764,7 @@ const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
                                  const mbedtls_ssl_ciphersuite_t *ciphersuite,
-                                 int cert_endpoint,
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)                                 
-                                 const char *client_oid, size_t client_oid_len,
-                                 const char *server_oid, size_t server_oid_len,
-#endif                                 
+                                 int cert_endpoint,                                 
                                  uint32_t *flags)
 {
     int ret = 0;
@@ -5859,23 +5809,14 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
         *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
         ret = -1;
     }
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)
-    if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
-        ext_oid = server_oid;
-        ext_len = server_oid_len;
-    } else {
-        ext_oid = client_oid;
-        ext_len = client_oid_len;
-    }
-#else
+
     if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
         ext_oid = MBEDTLS_OID_SERVER_AUTH;
         ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
     } else {
         ext_oid = MBEDTLS_OID_CLIENT_AUTH;
         ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
     }
-#endif /*defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)*/
 
     if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
         *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
@@ -7610,11 +7551,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
 
     if (mbedtls_ssl_check_cert_usage(chain,
                                      ciphersuite_info,
-                                     !ssl->conf->endpoint,
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)
-                                     ssl->conf->client_oid, ssl->conf->client_oid_len,
-                                     ssl->conf->server_oid, ssl->conf->server_oid_len,
-#endif                                     
+                                     !ssl->conf->endpoint,                                  
                                      &ssl->session_negotiate->verify_result) != 0) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
         if (ret == 0) {

external/mbedtls/ssl_tls12_server.c

@@ -868,11 +868,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
          * and decrypting with the same RSA key.
          */
         if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info,
-                                         MBEDTLS_SSL_IS_SERVER,
-#if defined(MBEDTLS_OCF_PATCH) && defined(MBEDTLS_SSL_CONF_EKU_PATCH)                                          
-                                         ssl->conf->client_oid, ssl->conf->client_oid_len,
-                                         ssl->conf->server_oid, ssl->conf->server_oid_len,
-#endif                                         
+                                         MBEDTLS_SSL_IS_SERVER,                                        
                                          &flags) != 0) {
             MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: "
                                       "(extended) key usage extension"));