From f226b0cc8aefa95f093f0acf4680f3f46a99da25 Mon Sep 17 00:00:00 2001 From: Daniel Adam Date: Sun, 19 Jan 2025 11:11:12 +0100 Subject: [PATCH 1/4] Support for mbedTLS 3.6.2 --- CMakeLists.txt | 5 + api/unittest/tcptest.cpp | 20 + deps/mbedtls-patch.cmake | 46 +- deps/mbedtls.cmake | 2 +- patches/mbedtls/3.6/01-ocf-anon-psk.patch | 690 ++++++++++ .../3.6/cmake/02-ocf-mbedtls-config.patch | 1186 +++++++++++++++++ port/linux/Makefile | 31 + security/oc_certs.c | 4 + security/oc_certs_internal.h | 7 + security/unittest/certsgeneratetest.cpp | 7 + security/unittest/obt_certstest.cpp | 6 + 11 files changed, 1998 insertions(+), 6 deletions(-) create mode 100644 patches/mbedtls/3.6/01-ocf-anon-psk.patch create mode 100644 patches/mbedtls/3.6/cmake/02-ocf-mbedtls-config.patch diff --git a/CMakeLists.txt b/CMakeLists.txt index 4ceca54c0..4159d75f8 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -42,6 +42,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON) set(BUILD_EXAMPLE_APPLICATIONS ON CACHE BOOL "Build example applications.") set(BUILD_MBEDTLS ON CACHE BOOL "Build Mbed TLS library. When set to OFF, the Mbed TLS library with the OCF patches has to be provided.") set(BUILD_MBEDTLS_FORCE_3_5_0 OFF CACHE BOOL "Force v3.5.0 of the MbedTLS library to be used (by default v3.1.0 is used by master)") +set(BUILD_MBEDTLS_FORCE_3_6_2 OFF CACHE BOOL "Force v3.6.2 of the MbedTLS library to be used (by default v3.5.0 is used by master)") set(OC_INSTALL_MBEDTLS ON CACHE BOOL "Include Mbed TLS in installation") set(BUILD_TINYCBOR ON CACHE BOOL "Build TinyCBOR library. When set to OFF, the TinyCBOR library has to be provided.") set(OC_INSTALL_TINYCBOR ON CACHE BOOL "Include TinyCBOR in installation") 
@@ -51,6 +52,10 @@ if(NOT BUILD_MBEDTLS_FORCE_3_5_0) message(WARNING "MbedTLS v3.1.0 is deprecated and support will be removed in a future release") endif() +if(NOT BUILD_MBEDTLS_FORCE_3_6_2) + message(WARNING "MbedTLS v3.5.0 is deprecated and support will be removed in a future release") +endif() + set(OC_DYNAMIC_ALLOCATION_ENABLED ON CACHE BOOL "Enable dynamic memory allocation within the OCF stack and Mbed TLS.") set(OC_SECURITY_ENABLED ON CACHE BOOL "Enable security.") if (OC_SECURITY_ENABLED) diff --git a/api/unittest/tcptest.cpp b/api/unittest/tcptest.cpp index 62336451e..c4d75de8d 100644 --- a/api/unittest/tcptest.cpp +++ b/api/unittest/tcptest.cpp @@ -24,6 +24,7 @@ #include "api/oc_tcp_internal.h" #include "messaging/coap/coap_internal.h" #include "port/oc_allocator_internal.h" +#include "port/oc_random.h" #include "tests/gtest/Endpoint.h" #include "util/oc_features.h" @@ -31,9 +32,15 @@ #include "messaging/coap/oscore_internal.h" #endif /* OC_OSCORE */ +#ifdef OC_SECURITY +#include "security/oc_entropy_internal.h" +#endif /* OC_SECURITY */ + #include "gtest/gtest.h" #ifdef OC_SECURITY +#include "mbedtls/build_info.h" +#include "mbedtls/ctr_drbg.h" #include "mbedtls/ssl.h" #endif /* OC_SECURITY */ @@ -56,10 +63,12 @@ class TCPMessage : public testing::Test { #ifdef OC_HAS_FEATURE_ALLOCATOR_MUTEX oc_allocator_mutex_init(); #endif /* OC_HAS_FEATURE_ALLOCATOR_MUTEX */ + oc_random_init(); } static void TearDownTestCase() { + oc_random_destroy(); #ifdef OC_HAS_FEATURE_ALLOCATOR_MUTEX oc_allocator_mutex_destroy(); #endif /* OC_HAS_FEATURE_ALLOCATOR_MUTEX */ 
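Review bot: The added `if(NOT BUILD_MBEDTLS_FORCE_3_6_2)` warning fires whenever the 3.6.2 option is off, including the default build, where deps/mbedtls-patch.cmake still applies the 3.1 patch set. A default configure therefore reports both v3.1.0 and v3.5.0 as deprecated, and a build with only BUILD_MBEDTLS_FORCE_3_6_2 set still prints the v3.1.0 warning from the context lines above. These messages are how a builder learns which TLS library version ends up in the product, so each condition should name the version actually selected: `if(BUILD_MBEDTLS_FORCE_3_5_0 AND NOT BUILD_MBEDTLS_FORCE_3_6_2)` here, and `if(NOT BUILD_MBEDTLS_FORCE_3_5_0 AND NOT BUILD_MBEDTLS_FORCE_3_6_2)` for the v3.1.0 message. The help string added in the first CMakeLists.txt hunk ("by default v3.5.0 is used by master") also contradicts the neighbouring option, which states v3.1.0 is the default.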
@@ -267,6 +276,15 @@ TEST_F(TCPMessage, GetTotalLength) mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); #endif /* MBEDTLS_VERSION_NUMBER <= 0x03010000 */ + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_ctr_drbg_init(&ctr_drbg); + mbedtls_entropy_context entropy_ctx; + mbedtls_entropy_init(&entropy_ctx); + oc_entropy_add_source(&entropy_ctx); + std::vector pers = { 't', 'e', 's', 't', '\0' }; + ASSERT_EQ(0, mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, + &entropy_ctx, pers.data(), pers.size())); + mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg); mbedtls_ssl_context ssl; mbedtls_ssl_init(&ssl); ASSERT_EQ(0, mbedtls_ssl_setup(&ssl, &conf)); @@ -296,6 +314,8 @@ TEST_F(TCPMessage, GetTotalLength) oc_message_unref(message); mbedtls_ssl_free(&ssl); + mbedtls_entropy_free(&entropy_ctx); + mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); #define SSL_MAJOR_VERSION_3 (3) diff --git a/deps/mbedtls-patch.cmake b/deps/mbedtls-patch.cmake index bd4d7aabb..85d2af995 100644 --- a/deps/mbedtls-patch.cmake +++ b/deps/mbedtls-patch.cmake 
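Review bot: `ASSERT_EQ(0, mbedtls_ctr_drbg_seed(...))` returns from the test body on failure, so the `mbedtls_entropy_free`, `mbedtls_ctr_drbg_free` and `mbedtls_ssl_config_free` calls added and kept in the following hunk never run. Under a leak-checking sanitizer, a seeding failure would then be reported together with unrelated leak noise. Consider storing the result (`const int seeded = mbedtls_ctr_drbg_seed(...);`) and checking it with `EXPECT_EQ(0, seeded)` before a guarded continuation, or owning the three contexts through a small scope guard whose destructor calls the `*_free` functions. The existing `ASSERT_EQ(0, mbedtls_ssl_setup(&ssl, &conf))` has the same shape. The test body starts and ends outside this hunk, so the surrounding `#ifdef` structure could not be checked from here.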
@@ -23,6 +23,24 @@ if(EXISTS "${MBEDTLS_SRC_DIR}/.git") message("mbedtls cleaned") endif() +if(BUILD_MBEDTLS_FORCE_3_6_2) + execute_process( + COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} rev-parse --is-shallow-repository + RESULT_VARIABLE IS_SHALLOW + OUTPUT_QUIET + ) + if(IS_SHALLOW EQUAL 0) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} fetch --unshallow --tags) + else() + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} fetch --tags) + endif() + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} checkout v3.6.2) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} submodule update --init) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${IOTIVITY_SRC_DIR} add -u deps/mbedtls) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${IOTIVITY_SRC_DIR} submodule update --init) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${IOTIVITY_SRC_DIR} reset HEAD deps/mbedtls) +else() + if(BUILD_MBEDTLS_FORCE_3_5_0) execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} fetch --unshallow) execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} checkout v3.5.0) 
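Review bot: `git rev-parse --is-shallow-repository` prints its answer (`true`/`false`) on stdout and exits 0 either way, so with `RESULT_VARIABLE IS_SHALLOW` and `OUTPUT_QUIET` the test `if(IS_SHALLOW EQUAL 0)` is true for any working repository and `fetch --unshallow --tags` is attempted even on a complete clone, where git rejects `--unshallow`. Capture the output instead, with `OUTPUT_VARIABLE IS_SHALLOW OUTPUT_STRIP_TRAILING_WHITESPACE` and `if(IS_SHALLOW STREQUAL "true")`. None of the `execute_process` calls that follow checks a result, so a failed fetch or `checkout v3.6.2` leaves whatever revision the submodule was on to be patched and built as if it were 3.6.2. Add `RESULT_VARIABLE` with a `message(FATAL_ERROR ...)` check (or `COMMAND_ERROR_IS_FATAL ANY`, if the project's minimum CMake version allows it) to the fetch and checkout steps, and to the `checkout -b` calls in the next hunk. Because a tag can be moved upstream, recording the expected commit id next to `v3.6.2` and comparing it with `rev-parse HEAD` after checkout would make the dependency version verifiable.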
@@ -33,14 +51,27 @@ else() execute_process(COMMAND ${GIT_EXECUTABLE} -C ${IOTIVITY_SRC_DIR} submodule update --init) endif() +endif() + message("submodules initialised") -if(BUILD_MBEDTLS_FORCE_3_5_0) - file(GLOB PATCHES_COMMON "${IOTIVITY_PATCH_DIR}/mbedtls/3.5/*.patch") - file(GLOB PATCHES_CMAKE "${IOTIVITY_PATCH_DIR}/mbedtls/3.5/cmake/*.patch") +if(BUILD_MBEDTLS_FORCE_3_6_2) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} branch -D feature/iotivity-lite/v3.6.2 ERROR_QUIET) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} checkout -b feature/iotivity-lite/v3.6.2) + file(GLOB PATCHES_COMMON "${IOTIVITY_PATCH_DIR}/mbedtls/3.6/*.patch") + file(GLOB PATCHES_CMAKE "${IOTIVITY_PATCH_DIR}/mbedtls/3.6/cmake/*.patch") else() - file(GLOB PATCHES_COMMON "${IOTIVITY_PATCH_DIR}/mbedtls/3.1/*.patch") - file(GLOB PATCHES_CMAKE "${IOTIVITY_PATCH_DIR}/mbedtls/3.1/cmake/*.patch") + if(BUILD_MBEDTLS_FORCE_3_5_0) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} branch -D feature/iotivity-lite/v3.5.0 ERROR_QUIET) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} checkout -b feature/iotivity-lite/v3.5.0) + file(GLOB PATCHES_COMMON "${IOTIVITY_PATCH_DIR}/mbedtls/3.5/*.patch") + file(GLOB PATCHES_CMAKE "${IOTIVITY_PATCH_DIR}/mbedtls/3.5/cmake/*.patch") + else() + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} branch -D feature/iotivity-lite/v3.1.0 ERROR_QUIET) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} checkout -b feature/iotivity-lite/v3.1.0) + file(GLOB PATCHES_COMMON "${IOTIVITY_PATCH_DIR}/mbedtls/3.1/*.patch") + file(GLOB PATCHES_CMAKE "${IOTIVITY_PATCH_DIR}/mbedtls/3.1/cmake/*.patch") + endif() endif() foreach(PATCH IN LISTS PATCHES_COMMON PATCHES_CMAKE) 
@@ -51,6 +82,11 @@ foreach(PATCH IN LISTS PATCHES_COMMON PATCHES_CMAKE) ) endforeach() +execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} add -u) +if(BUILD_MBEDTLS_FORCE_3_6_2 OR BUILD_MBEDTLS_FORCE_3_5_0) + execute_process(COMMAND ${GIT_EXECUTABLE} -C ${MBEDTLS_SRC_DIR} add include/mbedtls/mbedtls_oc_platform-standalone.h.in include/mbedtls/mbedtls_oc_platform.h.in) +endif() + set(MBEDTLS_INCLUDE_DIR "${IOTIVITY_SRC_DIR}/deps/mbedtls/include/mbedtls") if(ENABLE_TESTING OR ENABLE_PROGRAMS) diff --git a/deps/mbedtls.cmake b/deps/mbedtls.cmake index e89fc79c2..f8a43b286 100755 --- a/deps/mbedtls.cmake +++ b/deps/mbedtls.cmake @@ -72,7 +72,7 @@ foreach(target ${mbedtls_targets}) target_compile_definitions(${target} PRIVATE ${MBEDTLS_COMPILE_DEFINITIONS}) if(OC_COMPILER_IS_GCC OR OC_COMPILER_IS_CLANG) - if(NOT BUILD_MBEDTLS_FORCE_3_5_0) + if((NOT BUILD_MBEDTLS_FORCE_3_5_0) AND (NOT BUILD_MBEDTLS_FORCE_3_6_2)) target_compile_options(${target} PRIVATE -Wno-error=unused) endif() endif() diff --git a/patches/mbedtls/3.6/01-ocf-anon-psk.patch b/patches/mbedtls/3.6/01-ocf-anon-psk.patch new file mode 100644 index 000000000..0b3b51a80 --- /dev/null +++ b/patches/mbedtls/3.6/01-ocf-anon-psk.patch 
@@ -0,0 +1,690 @@ +diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h +index 67a05f83b8..8445dd8c91 100644 +--- a/include/mbedtls/check_config.h ++++ b/include/mbedtls/check_config.h +@@ -347,6 +347,11 @@ + #error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites" + #endif + ++#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) && \ ++ ( !defined(MBEDTLS_ECDH_C) ) ++#error "MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED defined, but not all prerequisites" ++#endif ++ + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \ + ( !defined(MBEDTLS_CAN_ECDH) || \ + !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) || \ +diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h +index 1dc31c9c24..eabf9248c2 100644 +--- a/include/mbedtls/cipher.h ++++ b/include/mbedtls/cipher.h +@@ -725,8 +725,8 @@ static inline int mbedtls_cipher_get_iv_size( + return (int) ctx->MBEDTLS_PRIVATE(iv_size); + } + +- return (int) (((int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size)) << +- MBEDTLS_IV_SIZE_SHIFT); ++ return (((int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size)) << ++ MBEDTLS_IV_SIZE_SHIFT); + } + + /** +diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h +index 42fffbf860..e14ff25079 100644 +--- a/include/mbedtls/ssl.h ++++ b/include/mbedtls/ssl.h +@@ -663,7 +663,8 @@ union mbedtls_ssl_premaster_secret { + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES]; /* RFC 4492 5.10 */ + #endif + #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) +@@ -1552,6 +1553,10 @@ struct mbedtls_ssl_config { + mbedtls_ssl_key_cert *MBEDTLS_PRIVATE(key_cert); /*!< own certificate/key pair(s) */ + 
mbedtls_x509_crt *MBEDTLS_PRIVATE(ca_chain); /*!< trusted CAs */ + mbedtls_x509_crl *MBEDTLS_PRIVATE(ca_crl); /*!< trusted CAs CRLs */ ++ const char *MBEDTLS_PRIVATE(client_oid); /*!< OID to check on client certs */ ++ size_t MBEDTLS_PRIVATE(client_oid_len); /*!< length of client OID */ ++ const char *MBEDTLS_PRIVATE(server_oid); /*!< OID to check on server certs */ ++ size_t MBEDTLS_PRIVATE(server_oid_len); /*!< length of server OID */ + #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) + mbedtls_x509_crt_ca_cb_t MBEDTLS_PRIVATE(f_ca_cb); + void *MBEDTLS_PRIVATE(p_ca_cb); +@@ -3607,6 +3612,75 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, + int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, + mbedtls_x509_crt *own_cert, + mbedtls_pk_context *pk_key); ++ ++/** ++ * \brief The type of certificate chain and private key callback. ++ * ++ * \note The callback will be invoked by \c mbedtls_ssl_conf_iterate_own_certs for ++ * each certificate chain and private key pair added to configuration ++ * by \c mbedtls_ssl_conf_own_cert. ++ * ++ * \param ctx An opaque context passed to the callback. ++ * \param own_cert own public certificate chain ++ * \param pk_key own private key ++ * ++ * \return \c 0 to continue iteration. ++ * \return A non-zero value to stop iteration. ++ */ ++typedef int (*mbedtls_ssl_conf_iterate_own_certs_cb_t)( void *ctx, ++ const mbedtls_x509_crt *own_cert, ++ const mbedtls_pk_context *pk_key ); ++ ++/** ++ * \brief Iterate over configured certificate and key pairs and invoke provided ++ * callback with each pair. 
++ * ++ * \param conf SSL configuration ++ * \param cert_cb The callback to use with each certificate key pair ++ * \param ctx The context to be passed to \p cert_cb ++*/ ++void mbedtls_ssl_conf_iterate_own_certs( const mbedtls_ssl_config *conf, ++ mbedtls_ssl_conf_iterate_own_certs_cb_t cert_cb, ++ void *ctx ); ++ ++/** ++ * \brief Set custom EKU OIDs to be checked on certificates during TLS negotiation, ++ * and for selecting suitable certificates for TLS negotation. ++ * ++ * \note By default, if this function is not called, clients will ++ * check for the server authentication EKU (1.3.6.1.5.5.7.3.1) in ++ * a server's certificate, and servers will check for the ++ * client authentication EKU (1.3.6.1.5.5.7.3.2) if a client ++ * presents a certificate. ++ * ++ * \param conf SSL configuration ++ * \param client_oid OID to check for when verifying client certificates as a server. ++ * This must be an MBEDTLS_OID_* constant from oid.h, or a custom OID ++ * supplied by the caller. If a custom OID is used, it must be provided in ++ * its ASN.1 encoding; human-readable dotted numeric strings are not supported. ++ * Additionally, callers using custom OID buffers must ensure those buffers remain ++ * live while this SSL configuration is live. Passing NULL will ++ * disable EKU checking of client certificates. ++ * \param client_oid_len The length of client_oid, not counting a terminating NULL if present; for constants ++ * from oid.h, this can be obtained with MBEDTLS_OID_SIZE(x) where x is the OID constant. ++ * If client_oid is NULL, this must be zero. ++ * \param server_oid OID to check for when verifying server certificates as a client. ++ * This must be an MBEDTLS_OID_* constant from oid.h, or a custom OID ++ * supplied by the caller. If a custom OID is used, it must be provided in ++ * its ASN.1 encoding; human-readable dotted numeric strings are not supported. 
++ * Additionally, callers using custom OID buffers must ensure those buffers remain ++ * live while this SSL configuration is live. Passing NULL will ++ * disable EKU checking of server certificates. ++ * \param server_oid_len The length of server_oid not counting a terminating NULL if present; for constants ++ * from oid.h, this can be obtained with MBEDTLS_OID_SIZE(x) where x is the OID constant. ++ * If client_oid is NULL, this must be zero. ++ * ++ * \return 0 on success or MBEDTLS_ERR_SSL_BAD_INPUT_DATA for invalid arguments. ++ * On failure, existing behavior is unchanged. ++ */ ++int mbedtls_ssl_conf_ekus( mbedtls_ssl_config *conf, ++ const char *client_oid, size_t client_oid_len, ++ const char *server_oid, size_t server_oid_len ); + #endif /* MBEDTLS_X509_CRT_PARSE_C */ + + #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) +diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h +index 12d446200f..f039791df3 100644 +--- a/include/mbedtls/ssl_ciphersuites.h ++++ b/include/mbedtls/ssl_ciphersuites.h +@@ -125,6 +125,8 @@ extern "C" { + #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */ + #define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */ + ++#define MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256 0xFF00 /**< TLS 1.2 */ ++ + #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035 + #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036 + #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 +@@ -267,6 +269,7 @@ typedef enum { + MBEDTLS_KEY_EXCHANGE_ECDH_RSA, + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, + MBEDTLS_KEY_EXCHANGE_ECJPAKE, ++ MBEDTLS_KEY_EXCHANGE_ECDH_ANON, + } mbedtls_key_exchange_type_t; + + /* Key exchanges using a certificate */ +@@ -350,7 +353,8 @@ typedef enum { + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ +- 
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ++ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + #define MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED + #endif + +diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h +index 1d678dbfc2..69205c75d7 100644 +--- a/include/psa/crypto_values.h ++++ b/include/psa/crypto_values.h +@@ -2343,7 +2343,7 @@ + ((psa_key_persistence_t) ((lifetime) & 0x000000ff)) + + #define PSA_KEY_LIFETIME_GET_LOCATION(lifetime) \ +- ((psa_key_location_t) ((lifetime) >> 8)) ++ ((lifetime) >> 8) + + /** Whether a key lifetime indicates that the key is volatile. + * +diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c +index b82044eb7d..9a9c68787c 100644 +--- a/library/ctr_drbg.c ++++ b/library/ctr_drbg.c +@@ -206,7 +206,7 @@ static int block_cipher_df(unsigned char *output, + buf_len = MBEDTLS_CTR_DRBG_BLOCKSIZE + 8 + data_len + 1; + + for (i = 0; i < MBEDTLS_CTR_DRBG_KEYSIZE; i++) { +- key[i] = i; ++ key[i] = (unsigned char)i; + } + + #if defined(MBEDTLS_CTR_DRBG_USE_PSA_CRYPTO) +diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c +index 23619a26c8..6f200d6d33 100644 +--- a/library/ssl_ciphersuites.c ++++ b/library/ssl_ciphersuites.c +@@ -99,6 +99,7 @@ static const int ciphersuite_preference[] = + MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, + MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8, ++ MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, + + /* All CAMELLIA-128 ephemeral suites */ + MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, +@@ -490,6 +491,19 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = + #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ + #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ + ++#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) ++#if defined(MBEDTLS_AES_C) ++#if defined(MBEDTLS_MD_CAN_SHA256) ++#if defined(MBEDTLS_CIPHER_MODE_CBC) ++ { MBEDTLS_TLS_ECDH_ANON_WITH_AES_128_CBC_SHA256, 
"TLS-ECDH-ANON-WITH-AES-128-CBC-SHA256", ++ MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ANON, ++ 0, ++ MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, ++#endif /* MBEDTLS_CIPHER_MODE_CBC */ ++#endif /* MBEDTLS_MD_CAN_SHA256 */ ++#endif /* MBEDTLS_AES_C */ ++#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ ++ + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) + #if defined(MBEDTLS_SSL_HAVE_AES) + #if defined(MBEDTLS_MD_CAN_SHA1) +@@ -2021,6 +2035,7 @@ int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info) + case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: ++ case MBEDTLS_KEY_EXCHANGE_ECDH_ANON: + return 1; + + default: +diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h +index 27ff72106e..6d131e2607 100644 +--- a/library/ssl_ciphersuites_internal.h ++++ b/library/ssl_ciphersuites_internal.h +@@ -34,6 +34,7 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_ + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: ++ case MBEDTLS_KEY_EXCHANGE_ECDH_ANON: + return 1; + + default: +@@ -120,13 +121,15 @@ static inline int mbedtls_ssl_ciphersuite_uses_dhe(const mbedtls_ssl_ciphersuite + } + #endif /* MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) */ + +-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) ++#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(const mbedtls_ssl_ciphersuite_t *info) + { + switch (info->MBEDTLS_PRIVATE(key_exchange)) { + case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: ++ case MBEDTLS_KEY_EXCHANGE_ECDH_ANON: + return 1; + + default: +diff --git a/library/ssl_misc.h b/library/ssl_misc.h +index 98668798a8..f5db3f7c19 100644 
+--- a/library/ssl_misc.h ++++ b/library/ssl_misc.h +@@ -1720,6 +1720,8 @@ MBEDTLS_CHECK_RETURN_CRITICAL + int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, + const mbedtls_ssl_ciphersuite_t *ciphersuite, + int recv_endpoint, ++ const char *client_oid, size_t client_oid_len, ++ const char *server_oid, size_t server_oid_len, + mbedtls_ssl_protocol_version tls_version, + uint32_t *flags); + #endif /* MBEDTLS_X509_CRT_PARSE_C */ +diff --git a/library/ssl_tls.c b/library/ssl_tls.c +index c773365bf6..6476c33222 100644 +--- a/library/ssl_tls.c ++++ b/library/ssl_tls.c +@@ -1864,6 +1864,38 @@ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, + return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key); + } + ++void mbedtls_ssl_conf_iterate_own_certs(const mbedtls_ssl_config *conf, ++ mbedtls_ssl_conf_iterate_own_certs_cb_t cert_cb, ++ void *ctx) ++{ ++ mbedtls_ssl_key_cert *key_cert = conf->key_cert; ++ while (key_cert != NULL) { ++ if (cert_cb(ctx, key_cert->cert, key_cert->key) != 0) { ++ break; ++ } ++ key_cert = key_cert->next; ++ } ++} ++ ++int mbedtls_ssl_conf_ekus(mbedtls_ssl_config *conf, ++ const char *client_oid, size_t client_oid_len, ++ const char *server_oid, size_t server_oid_len ) ++{ ++ if ((client_oid_len == 0 && client_oid) || ++ (client_oid_len != 0 && !client_oid)|| ++ (server_oid_len == 0 && server_oid) || ++ (server_oid_len != 0 && !server_oid)) { ++ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; ++ } ++ ++ conf->client_oid = client_oid; ++ conf->client_oid_len = client_oid_len; ++ conf->server_oid = server_oid; ++ conf->server_oid_len = server_oid_len; ++ ++ return 0; ++} ++ + void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl) +@@ -5861,6 +5893,13 @@ int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, + mbedtls_ssl_conf_endpoint(conf, endpoint); + mbedtls_ssl_conf_transport(conf, transport); + ++#if defined(MBEDTLS_X509_CRT_PARSE_C) ++ conf->client_oid = 
MBEDTLS_OID_CLIENT_AUTH; ++ conf->client_oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); ++ conf->server_oid = MBEDTLS_OID_SERVER_AUTH; ++ conf->server_oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); ++#endif ++ + /* + * Things that are common to all presets + */ +@@ -9704,6 +9743,8 @@ int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, + int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, + const mbedtls_ssl_ciphersuite_t *ciphersuite, + int recv_endpoint, ++ const char *client_oid, size_t client_oid_len, ++ const char *server_oid, size_t server_oid_len, + mbedtls_ssl_protocol_version tls_version, + uint32_t *flags) + { +@@ -9746,6 +9787,7 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, + case MBEDTLS_KEY_EXCHANGE_DHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: + case MBEDTLS_KEY_EXCHANGE_ECJPAKE: ++ case MBEDTLS_KEY_EXCHANGE_ECDH_ANON: + usage = 0; + } + } else +@@ -9769,11 +9811,11 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, + */ + + if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { +- ext_oid = MBEDTLS_OID_SERVER_AUTH; +- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); ++ ext_oid = server_oid; ++ ext_len = server_oid_len; + } else { +- ext_oid = MBEDTLS_OID_CLIENT_AUTH; +- ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); ++ ext_oid = client_oid; ++ ext_len = client_oid_len; + } + + if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { +@@ -9893,6 +9935,10 @@ int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, + if (mbedtls_ssl_check_cert_usage(chain, + ciphersuite_info, + ssl->conf->endpoint, ++ ssl->conf->client_oid, ++ ssl->conf->client_oid_len, ++ ssl->conf->server_oid, ++ ssl->conf->server_oid_len, + ssl->tls_version, + &ssl->session_negotiate->verify_result) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); +diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c +index 9b2da5a39d..5aa118e6bb 100644 
+--- a/library/ssl_tls12_client.c ++++ b/library/ssl_tls12_client.c +@@ -1784,7 +1784,8 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + MBEDTLS_CHECK_RETURN_CRITICAL + static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) + { +@@ -1819,11 +1820,13 @@ static int ssl_check_server_ecdh_params(const mbedtls_ssl_context *ssl) + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || +- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ ++ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || ++ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + +-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) ++#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + MBEDTLS_CHECK_RETURN_CRITICAL + static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, + unsigned char **p, +@@ -1858,9 +1861,10 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, + + return ret; + } +-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ +- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ +- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ ++#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || \ ++ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || \ ++ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || \ ++ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + #endif /* !MBEDTLS_USE_PSA_CRYPTO */ + #if 
defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + MBEDTLS_CHECK_RETURN_CRITICAL +@@ -1868,9 +1872,13 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, + unsigned char **p, + unsigned char *end) + { +- int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; +- uint16_t len; +- ((void) ssl); ++ if(ssl->conf->f_psk == NULL && ++ (ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL || ++ ssl->conf->psk_identity_len == 0 || ssl->conf->psk_len == 0)) ++ { ++ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no pre-shared key" ) ); ++ return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); ++ } + + /* + * PSK parameters: +@@ -1882,24 +1890,44 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, + ("bad server key exchange message (psk_identity_hint length)")); + return MBEDTLS_ERR_SSL_DECODE_ERROR; + } +- len = MBEDTLS_GET_UINT16_BE(*p, 0); ++ size_t len = MBEDTLS_GET_UINT16_BE(*p, 0); + *p += 2; + +- if (end - (*p) < len) { ++ if (len == 0 ) { ++ return 0; ++ } ++ ++ if (len < 1 || len > 65535 || *p + len > end) { + MBEDTLS_SSL_DEBUG_MSG(1, + ("bad server key exchange message (psk_identity_hint length)")); + return MBEDTLS_ERR_SSL_DECODE_ERROR; + } + +- /* +- * Note: we currently ignore the PSK identity hint, as we only allow one +- * PSK to be provisioned on the client. This could be changed later if +- * someone needs that feature. 
+- */ +- *p += len; +- ret = 0; ++ int ret = 0; ++ if (ssl->conf->f_psk != NULL) { ++ if (ssl->conf->f_psk(ssl->conf->p_psk, ssl, *p, len) != 0) { ++ ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; ++ } ++ } else { ++ /* Identity is not a big secret since clients send it in the clear, ++ * but treat it carefully anyway, just in case */ ++ if (len != ssl->conf->psk_identity_len || ++ mbedtls_ct_memcmp(ssl->conf->psk_identity, *p, len) != 0) { ++ ret = MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; ++ } ++ } + +- return ret; ++ if (ret == MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) { ++ MBEDTLS_SSL_DEBUG_BUF(3, "Unknown PSK identity", *p, len); ++ if ((ret = mbedtls_ssl_send_alert_message(ssl, ++ MBEDTLS_SSL_ALERT_LEVEL_FATAL, ++ MBEDTLS_SSL_ALERT_MSG_UNKNOWN_PSK_IDENTITY)) != 0) { ++ return ret; ++ } ++ return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY; ++ } ++ *p += len; ++ return 0; + } + #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ + +@@ -2214,12 +2242,14 @@ start_processing: + } else + #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ +-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) +- if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || +- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || +- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { ++#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) ++ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || ++ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || ++ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || ++ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON) { + if 
(ssl_parse_server_ecdh_params(ssl, &p, end) != 0) { + MBEDTLS_SSL_DEBUG_MSG(1, ("bad server key exchange message")); + mbedtls_ssl_send_alert_message( +@@ -2229,9 +2259,10 @@ start_processing: + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } + } else +-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || +- MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || +- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ ++#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || ++ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || ++ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || ++ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { + #if defined(MBEDTLS_USE_PSA_CRYPTO) +@@ -2292,28 +2323,20 @@ start_processing: + + #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) + if (mbedtls_ssl_ciphersuite_uses_server_signature(ciphersuite_info)) { ++#if !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + size_t sig_len, hashlen; + unsigned char hash[MBEDTLS_MD_MAX_SIZE]; + +- mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; +- mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; + unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl); + size_t params_len = (size_t) (p - params); + void *rs_ctx = NULL; +- uint16_t sig_alg; + + mbedtls_pk_context *peer_pk; ++#endif /* !MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + +-#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) +- peer_pk = &ssl->handshake->peer_pubkey; +-#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ +- if (ssl->session_negotiate->peer_cert == NULL) { +- /* Should never happen */ +- MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); +- return MBEDTLS_ERR_SSL_INTERNAL_ERROR; +- } +- peer_pk = &ssl->session_negotiate->peer_cert->pk; +-#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ ++ mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; ++ mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; ++ uint16_t sig_alg; + + /* + * Handle the digitally-signed structure +@@ 
-2332,7 +2355,24 @@ start_processing: + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } ++ ++ // Anonymous cipher suite without sign, ecdh param only ++#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) ++ if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON) { ++ goto exit; ++ } ++#else /* !MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + p += 2; ++#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) ++ peer_pk = &ssl->handshake->peer_pubkey; ++#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ ++ if (ssl->session_negotiate->peer_cert == NULL) { ++ /* Should never happen */ ++ MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); ++ return MBEDTLS_ERR_SSL_INTERNAL_ERROR; ++ } ++ peer_pk = &ssl->session_negotiate->peer_cert->pk; ++#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + + if (!mbedtls_pk_can_do(peer_pk, pk_alg)) { + MBEDTLS_SSL_DEBUG_MSG(1, +@@ -2450,6 +2490,7 @@ start_processing: + * operations like ECDHE. */ + mbedtls_pk_free(peer_pk); + #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ ++#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + } + #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */ + +@@ -2750,11 +2791,13 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || +- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { ++ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA || ++ ciphersuite_info->key_exchange == 
MBEDTLS_KEY_EXCHANGE_ECDH_ANON) { + #if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; + psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; +@@ -2892,7 +2935,8 @@ ecdh_calc_secret: + #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || +- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ ++ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || ++ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { +diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c +index 03722ac33c..fe69560796 100644 +--- a/library/ssl_tls12_server.c ++++ b/library/ssl_tls12_server.c +@@ -757,6 +757,10 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl, + */ + if (mbedtls_ssl_check_cert_usage(cur->cert, ciphersuite_info, + MBEDTLS_SSL_IS_CLIENT, ++ ssl->conf->client_oid, ++ ssl->conf->client_oid_len, ++ ssl->conf->server_oid, ++ ssl->conf->server_oid_len, + MBEDTLS_SSL_VERSION_TLS1_2, + &flags) != 0) { + MBEDTLS_SSL_DEBUG_MSG(3, ("certificate mismatch: " +@@ -2896,8 +2900,14 @@ static int ssl_prepare_server_key_exchange(mbedtls_ssl_context *ssl, + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { +- ssl->out_msg[ssl->out_msglen++] = 0x00; +- ssl->out_msg[ssl->out_msglen++] = 0x00; ++ if (ssl->conf->psk_identity_len > UINT16_MAX) { ++ MBEDTLS_SSL_DEBUG_MSG(1, ("invalid PSK identity")); ++ return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; ++ } ++ ssl->out_msg[ssl->out_msglen++] = (unsigned char)(ssl->conf->psk_identity_len >> 8); ++ ssl->out_msg[ssl->out_msglen++] = (unsigned char)(ssl->conf->psk_identity_len); ++ memcpy(ssl->out_msg+ssl->out_msglen, ssl->conf->psk_identity, 
ssl->conf->psk_identity_len); ++ ssl->out_msglen += ssl->conf->psk_identity_len; + } + #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ +@@ -3728,11 +3738,13 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ + defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ +- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ ++ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || +- ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { ++ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA || ++ ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ANON) { + #if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t data_len = (size_t) (*p++); + size_t buf_len = (size_t) (end - p); +@@ -3820,7 +3832,8 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) + #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || + MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || +- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ ++ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED || ++ MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { + if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { +diff --git a/library/version_features.c b/library/version_features.c +index f542d9808f..2bc658d37e 100644 +--- a/library/version_features.c ++++ b/library/version_features.c +@@ -354,6 +354,9 @@ static const char * const features[] = { + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) + 
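Review bot: The PSK identity hint is copied into `ssl->out_msg` after checking only `psk_identity_len > UINT16_MAX`, so nothing bounds the `memcpy` by the room left in the outgoing buffer, whose size this build can reduce through `MBEDTLS_SSL_OUT_CONTENT_LEN`. The guard should also cover the remaining space, e.g. `if (ssl->conf->psk_identity_len > UINT16_MAX || ssl->conf->psk_identity_len + 2 > MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen)`. When no identity is configured the length is presumably 0 and `psk_identity` may be NULL, so the `memcpy` should be skipped in that case rather than called with a null source. `ssl_prepare_server_key_exchange` continues outside the hunk.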
"KEY_EXCHANGE_ECDHE_RSA_ENABLED", //no-check-names + #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ ++#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED) ++ "KEY_EXCHANGE_ECDH_ANON_ENABLED", //no-check-names ++#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED */ + #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) + "KEY_EXCHANGE_ECDHE_ECDSA_ENABLED", //no-check-names + #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ diff --git a/patches/mbedtls/3.6/cmake/02-ocf-mbedtls-config.patch b/patches/mbedtls/3.6/cmake/02-ocf-mbedtls-config.patch new file mode 100644 index 000000000..3bbc5d55c --- /dev/null +++ b/patches/mbedtls/3.6/cmake/02-ocf-mbedtls-config.patch 
@@ -0,0 +1,1186 @@ +diff --git a/.gitignore b/.gitignore +index 6068cbca76..37c5590b17 100644 +--- a/.gitignore ++++ b/.gitignore +@@ -71,5 +71,8 @@ compile_commands.json + # clangd index files + /.cache/clangd/index/ + ++# Generated by the iotivity-lite build system ++include/mbedtls/mbedtls_oc_platform.h ++ + # VScode folder to store local debug files and configurations + .vscode +diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h +index bd3f71d5bc..77d2fb4418 100644 +--- a/include/mbedtls/mbedtls_config.h ++++ b/include/mbedtls/mbedtls_config.h +@@ -21,6 +21,11 @@ + */ + //#define MBEDTLS_CONFIG_VERSION 0x03000000 + ++#include "mbedtls_oc_platform.h" ++ ++#define MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED ++#define MBEDTLS_ALLOW_PRIVATE_ACCESS ++ + /** + * \name SECTION: System support + * +@@ -49,7 +54,7 @@ + * + * Comment to disable the use of assembly code. + */ +-#define MBEDTLS_HAVE_ASM ++//#define MBEDTLS_HAVE_ASM + + /** + * \def MBEDTLS_NO_UDBL_DIVISION +@@ -110,6 +115,8 @@ + */ + //#define MBEDTLS_HAVE_SSE2 + ++#if defined(OC_PKI) || defined(PLGD_DEV_TIME) ++#if defined(_WIN64) || defined(_WIN32) || defined(__APPLE__) || defined(__linux__) || defined(__ANDROID__) + /** + * \def MBEDTLS_HAVE_TIME + * +@@ -150,6 +157,8 @@ + * MBEDTLS_PLATFORM_GMTIME_R_ALT. + */ + #define MBEDTLS_HAVE_TIME_DATE ++#endif /* _WIN64 || _WIN32 || __APPLE__ || __linux__ || __ANDROID__ */ ++#endif /* OC_PKI || PLGD_DEV_TIME */ + + /** + * \def MBEDTLS_PLATFORM_MEMORY +@@ -205,7 +214,7 @@ + * + * Enable this layer to allow use of alternative memory allocators. + */ +-//#define MBEDTLS_PLATFORM_MEMORY ++#define MBEDTLS_PLATFORM_MEMORY + + /** + * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +@@ -224,7 +233,9 @@ + * Uncomment to prevent default assignment of standard functions in the + * platform layer. 
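Review bot: `MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED` and `MBEDTLS_ALLOW_PRIVATE_ACCESS` are defined unconditionally at the top of `mbedtls_config.h`, with no comment and no build switch, while most other options in this patch are tied to `OC_PKI`, `OC_OSCORE` or `__OC_PLATFORM`. ECDH_anon provides no peer authentication, so every build that applies this patch carries an unauthenticated key exchange, and presumably the only remaining gate is the ciphersuite list chosen at runtime. I would at least document that next to the define, for example `/* ECDH_anon is unauthenticated; it must only be offered where the application explicitly selects it */`, and consider wrapping the define in a project build option so deployments that do not need it can compile it out.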
+ */ +-//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS ++#ifdef __OC_PLATFORM ++#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS ++#endif /* __OC_PLATFORM */ + + /** + * \def MBEDTLS_PLATFORM_EXIT_ALT +@@ -249,16 +260,20 @@ + * Uncomment a macro to enable alternate implementation of specific base + * platform function + */ ++#ifdef __OC_PLATFORM + //#define MBEDTLS_PLATFORM_SETBUF_ALT +-//#define MBEDTLS_PLATFORM_EXIT_ALT +-//#define MBEDTLS_PLATFORM_TIME_ALT ++#define MBEDTLS_PLATFORM_EXIT_ALT ++#ifdef PLGD_DEV_TIME ++#define MBEDTLS_PLATFORM_TIME_ALT ++#endif /* PLGD_DEV_TIME */ + //#define MBEDTLS_PLATFORM_FPRINTF_ALT + //#define MBEDTLS_PLATFORM_PRINTF_ALT +-//#define MBEDTLS_PLATFORM_SNPRINTF_ALT ++#define MBEDTLS_PLATFORM_SNPRINTF_ALT + //#define MBEDTLS_PLATFORM_VSNPRINTF_ALT + //#define MBEDTLS_PLATFORM_NV_SEED_ALT + //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT + //#define MBEDTLS_PLATFORM_MS_TIME_ALT ++#endif /* __OC_PLATFORM */ + + /** + * Uncomment the macro to let Mbed TLS use your alternate implementation of +@@ -315,7 +330,9 @@ + * + * Uncomment to get warnings on using deprecated functions and features. + */ +-//#define MBEDTLS_DEPRECATED_WARNING ++#if defined(__clang__) || defined(__GNUC__) ++#define MBEDTLS_DEPRECATED_WARNING ++#endif /* __clang__ || __GNUC__ */ + + /** + * \def MBEDTLS_DEPRECATED_REMOVED +@@ -327,7 +344,7 @@ + * + * Uncomment to get errors on using deprecated functions and features. + */ +-//#define MBEDTLS_DEPRECATED_REMOVED ++#define MBEDTLS_DEPRECATED_REMOVED + + /** \} name SECTION: System support */ + +@@ -559,7 +576,7 @@ + * + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. + */ +-//#define MBEDTLS_AES_ROM_TABLES ++#define MBEDTLS_AES_ROM_TABLES + + /** + * \def MBEDTLS_AES_FEWER_TABLES +@@ -643,7 +660,7 @@ + * macro is not defined. To completely disable return value check + * warnings, define #MBEDTLS_CHECK_RETURN with an empty expansion. 
+ */ +-//#define MBEDTLS_CHECK_RETURN_WARNING ++#define MBEDTLS_CHECK_RETURN_WARNING + + /** + * \def MBEDTLS_CIPHER_MODE_CBC +@@ -657,28 +674,28 @@ + * + * Enable Cipher Feedback mode (CFB) for symmetric ciphers. + */ +-#define MBEDTLS_CIPHER_MODE_CFB ++//#define MBEDTLS_CIPHER_MODE_CFB + + /** + * \def MBEDTLS_CIPHER_MODE_CTR + * + * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. + */ +-#define MBEDTLS_CIPHER_MODE_CTR ++//#define MBEDTLS_CIPHER_MODE_CTR + + /** + * \def MBEDTLS_CIPHER_MODE_OFB + * + * Enable Output Feedback mode (OFB) for symmetric ciphers. + */ +-#define MBEDTLS_CIPHER_MODE_OFB ++//#define MBEDTLS_CIPHER_MODE_OFB + + /** + * \def MBEDTLS_CIPHER_MODE_XTS + * + * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. + */ +-#define MBEDTLS_CIPHER_MODE_XTS ++//#define MBEDTLS_CIPHER_MODE_XTS + + /** + * \def MBEDTLS_CIPHER_NULL_CIPHER +@@ -723,10 +740,10 @@ + * + * Enable padding modes in the cipher layer. + */ +-#define MBEDTLS_CIPHER_PADDING_PKCS7 +-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +-#define MBEDTLS_CIPHER_PADDING_ZEROS ++//#define MBEDTLS_CIPHER_PADDING_PKCS7 ++//#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS ++//#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN ++//#define MBEDTLS_CIPHER_PADDING_ZEROS + + /** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + * +@@ -757,20 +774,20 @@ + * Comment macros to disable the curve and functions for it + */ + /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ +-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED + #define MBEDTLS_ECP_DP_SECP256R1_ENABLED + #define MBEDTLS_ECP_DP_SECP384R1_ENABLED +-#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +-#define MBEDTLS_ECP_DP_BP256R1_ENABLED 
+-#define MBEDTLS_ECP_DP_BP384R1_ENABLED +-#define MBEDTLS_ECP_DP_BP512R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP224K1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED ++//#define MBEDTLS_ECP_DP_BP256R1_ENABLED ++//#define MBEDTLS_ECP_DP_BP384R1_ENABLED ++//#define MBEDTLS_ECP_DP_BP512R1_ENABLED + /* Montgomery curves (supporting ECP) */ +-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED +-#define MBEDTLS_ECP_DP_CURVE448_ENABLED ++//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED ++//#define MBEDTLS_ECP_DP_CURVE448_ENABLED + + /** + * \def MBEDTLS_ECP_NIST_OPTIM +@@ -781,7 +798,7 @@ + * + * Comment this macro to disable NIST curves optimisation. + */ +-#define MBEDTLS_ECP_NIST_OPTIM ++//#define MBEDTLS_ECP_NIST_OPTIM + + /** + * \def MBEDTLS_ECP_RESTARTABLE +@@ -858,7 +875,7 @@ + * + * Comment this macro to disable deterministic ECDSA. + */ +-#define MBEDTLS_ECDSA_DETERMINISTIC ++//#define MBEDTLS_ECDSA_DETERMINISTIC + + /** + * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +@@ -907,7 +924,7 @@ + * See dhm.h for more details. + * + */ +-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +@@ -948,7 +965,7 @@ + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 + */ +-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +@@ -973,7 +990,7 @@ + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + */ +-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +@@ -1005,7 +1022,7 @@ + * See dhm.h for more details. 
+ * + */ +-#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +@@ -1030,7 +1047,9 @@ + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + */ ++#ifdef OC_PKI + #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ++#endif + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +@@ -1054,7 +1073,9 @@ + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + */ ++#ifdef OC_PKI + #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ++#endif + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +@@ -1078,7 +1099,9 @@ + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + */ ++#ifdef OC_PKI + #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ++#endif + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +@@ -1102,7 +1125,7 @@ + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 + */ +-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +@@ -1139,7 +1162,7 @@ + * + * Disable if you only need to support RFC 5915 + 5480 key formats. + */ +-#define MBEDTLS_PK_PARSE_EC_EXTENDED ++//#define MBEDTLS_PK_PARSE_EC_EXTENDED + + /** + * \def MBEDTLS_PK_PARSE_EC_COMPRESSED +@@ -1152,7 +1175,7 @@ + * the only unsupported curves are MBEDTLS_ECP_DP_SECP224R1 and + * MBEDTLS_ECP_DP_SECP224K1. 
+ */ +-#define MBEDTLS_PK_PARSE_EC_COMPRESSED ++//#define MBEDTLS_PK_PARSE_EC_COMPRESSED + + /** + * \def MBEDTLS_ERROR_STRERROR_DUMMY +@@ -1167,7 +1190,7 @@ + * Disable if you run into name conflicts and want to really remove the + * mbedtls_strerror() + */ +-#define MBEDTLS_ERROR_STRERROR_DUMMY ++//#define MBEDTLS_ERROR_STRERROR_DUMMY + + /** + * \def MBEDTLS_GENPRIME +@@ -1176,14 +1199,14 @@ + * + * Requires: MBEDTLS_BIGNUM_C + */ +-#define MBEDTLS_GENPRIME ++//#define MBEDTLS_GENPRIME + + /** + * \def MBEDTLS_FS_IO + * + * Enable functions that use the filesystem. + */ +-#define MBEDTLS_FS_IO ++//#define MBEDTLS_FS_IO + + /** + * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +@@ -1206,7 +1229,9 @@ + * + * Uncomment this macro to disable the built-in platform entropy functions. + */ +-//#define MBEDTLS_NO_PLATFORM_ENTROPY ++#ifdef __OC_PLATFORM ++#define MBEDTLS_NO_PLATFORM_ENTROPY ++#endif /* __OC_PLATFORM */ + + /** + * \def MBEDTLS_ENTROPY_FORCE_SHA256 +@@ -1296,7 +1321,7 @@ + * + * Comment this macro to disable support for external private RSA keys. + */ +-#define MBEDTLS_PK_RSA_ALT_SUPPORT ++//#define MBEDTLS_PK_RSA_ALT_SUPPORT + + /** + * \def MBEDTLS_PKCS1_V15 +@@ -1321,7 +1346,7 @@ + * + * This enables support for RSAES-OAEP and RSASSA-PSS operations. + */ +-#define MBEDTLS_PKCS1_V21 ++//#define MBEDTLS_PKCS1_V21 + + /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS + * +@@ -1429,7 +1454,7 @@ + * Module: library/psa_crypto.c + * Requires: MBEDTLS_PSA_CRYPTO_C + */ +-#define MBEDTLS_PSA_KEY_STORE_DYNAMIC ++//#define MBEDTLS_PSA_KEY_STORE_DYNAMIC + + /** + * Uncomment to enable p256-m. This is an alternative implementation of +@@ -1521,7 +1546,7 @@ + * + * Enable the checkup functions (*_self_test). + */ +-#define MBEDTLS_SELF_TEST ++//#define MBEDTLS_SELF_TEST + + /** + * \def MBEDTLS_SHA256_SMALLER +@@ -1585,7 +1610,7 @@ + * + * Uncomment to enable the Connection ID extension. 
+ */ +-#define MBEDTLS_SSL_DTLS_CONNECTION_ID ++//#define MBEDTLS_SSL_DTLS_CONNECTION_ID + + + /** +@@ -1608,7 +1633,7 @@ + * + * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID + */ +-#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 ++//#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 + + /** + * \def MBEDTLS_SSL_ASYNC_PRIVATE +@@ -1649,7 +1674,7 @@ + * + * Comment to disable the context serialization APIs. + */ +-#define MBEDTLS_SSL_CONTEXT_SERIALIZATION ++//#define MBEDTLS_SSL_CONTEXT_SERIALIZATION + + /** + * \def MBEDTLS_SSL_DEBUG_ALL +@@ -1681,7 +1706,7 @@ + * + * Comment this macro to disable support for Encrypt-then-MAC + */ +-#define MBEDTLS_SSL_ENCRYPT_THEN_MAC ++//#define MBEDTLS_SSL_ENCRYPT_THEN_MAC + + /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET + * +@@ -1745,7 +1770,7 @@ + * configuration of this extension). + * + */ +-#define MBEDTLS_SSL_RENEGOTIATION ++//#define MBEDTLS_SSL_RENEGOTIATION + + /** + * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +@@ -1809,7 +1834,7 @@ + * + * Uncomment this macro to enable the support for TLS 1.3. + */ +-#define MBEDTLS_SSL_PROTO_TLS1_3 ++//#define MBEDTLS_SSL_PROTO_TLS1_3 + + /** + * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +@@ -1831,7 +1856,7 @@ + * effect on the build. + * + */ +-#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE ++//#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + + /** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +@@ -1843,7 +1868,7 @@ + * effect on the build. + * + */ +-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED ++//#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + + /** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +@@ -1861,7 +1886,7 @@ + * effect on the build. + * + */ +-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED ++//#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + + /** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +@@ -1875,7 +1900,7 @@ + * have any effect on the build. 
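Review bot: Commenting out `MBEDTLS_SSL_ENCRYPT_THEN_MAC` in the `-1681,7` hunk leaves any CBC ciphersuite on MAC-then-encrypt, and no visible hunk disables `MBEDTLS_CIPHER_MODE_CBC`. The extension is negotiated per connection, so keeping `#define MBEDTLS_SSL_ENCRYPT_THEN_MAC` does not break peers that lack it, while peers that support it get the construction that is robust against padding-oracle weaknesses. If it is dropped for code size, a short comment on the line saying so would let a later reader tell a deliberate trade-off from an oversight.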
+ * + */ +-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED ++//#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + + /** + * \def MBEDTLS_SSL_EARLY_DATA +@@ -1915,7 +1940,7 @@ + * + * Comment this macro to disable support for ALPN. + */ +-#define MBEDTLS_SSL_ALPN ++//#define MBEDTLS_SSL_ALPN + + /** + * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY +@@ -1995,7 +2020,7 @@ + * + * Comment this to disable support for clients reusing the source port. + */ +-#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE ++//#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE + + /** + * \def MBEDTLS_SSL_SESSION_TICKETS +@@ -2009,7 +2034,7 @@ + * + * Comment this macro to disable support for SSL session tickets + */ +-#define MBEDTLS_SSL_SESSION_TICKETS ++//#define MBEDTLS_SSL_SESSION_TICKETS + + /** + * \def MBEDTLS_SSL_SERVER_NAME_INDICATION +@@ -2020,7 +2045,7 @@ + * + * Comment this macro to disable support for server name indication in SSL + */ +-#define MBEDTLS_SSL_SERVER_NAME_INDICATION ++//#define MBEDTLS_SSL_SERVER_NAME_INDICATION + + /** + * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +@@ -2183,7 +2208,7 @@ + * + * Comment this to disable run-time checking and save ROM space + */ +-#define MBEDTLS_VERSION_FEATURES ++//#define MBEDTLS_VERSION_FEATURES + + /** + * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +@@ -2227,7 +2252,7 @@ + * + * Comment this macro to disallow using RSASSA-PSS in certificates. + */ +-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT ++//#define MBEDTLS_X509_RSASSA_PSS_SUPPORT + /** \} name SECTION: Mbed TLS feature support */ + + /** +@@ -2267,7 +2292,7 @@ + * + * This modules adds support for the AES-NI instructions on x86. + */ +-#define MBEDTLS_AESNI_C ++//#define MBEDTLS_AESNI_C + + /** + * \def MBEDTLS_AESCE_C +@@ -2293,7 +2318,7 @@ + * + * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems. 
+ */ +-#define MBEDTLS_AESCE_C ++//#define MBEDTLS_AESCE_C + + /** + * \def MBEDTLS_AES_C +@@ -2382,7 +2407,9 @@ + * library/pkcs5.c + * library/pkparse.c + */ ++#ifdef OC_PKI + #define MBEDTLS_ASN1_PARSE_C ++#endif + + /** + * \def MBEDTLS_ASN1_WRITE_C +@@ -2396,7 +2423,9 @@ + * library/x509write_crt.c + * library/x509write_csr.c + */ ++#ifdef OC_PKI + #define MBEDTLS_ASN1_WRITE_C ++#endif + + /** + * \def MBEDTLS_BASE64_C +@@ -2408,7 +2437,9 @@ + * + * This module is required for PEM support (required by X.509). + */ ++#ifdef OC_PKI + #define MBEDTLS_BASE64_C ++#endif + + /** + * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +@@ -2505,7 +2536,7 @@ + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 + */ +-#define MBEDTLS_CAMELLIA_C ++//#define MBEDTLS_CAMELLIA_C + + /** + * \def MBEDTLS_ARIA_C +@@ -2572,7 +2603,9 @@ + * This module enables the AES-CCM ciphersuites, if other requisites are + * enabled as well. + */ ++#if defined(OC_PKI) || defined(OC_OSCORE) + #define MBEDTLS_CCM_C ++#endif + + /** + * \def MBEDTLS_CHACHA20_C +@@ -2581,7 +2614,7 @@ + * + * Module: library/chacha20.c + */ +-#define MBEDTLS_CHACHA20_C ++//#define MBEDTLS_CHACHA20_C + + /** + * \def MBEDTLS_CHACHAPOLY_C +@@ -2592,7 +2625,7 @@ + * + * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C + */ +-#define MBEDTLS_CHACHAPOLY_C ++//#define MBEDTLS_CHACHAPOLY_C + + /** + * \def MBEDTLS_CIPHER_C +@@ -2680,7 +2713,10 @@ + * + * This module provides debugging functions. + */ ++#if defined(OC_LOG_MAXIMUM_LEVEL) && defined(OC_LOG_LEVEL_DEBUG_MACRO) && \ ++ ((OC_LOG_LEVEL_DEBUG_MACRO) <= (OC_LOG_MAXIMUM_LEVEL)) + #define MBEDTLS_DEBUG_C ++#endif + + /** + * \def MBEDTLS_DES_C +@@ -2696,7 +2732,7 @@ + * \warning DES/3DES are considered weak ciphers and their use constitutes a + * security risk. We recommend considering stronger ciphers instead. 
+ */ +-#define MBEDTLS_DES_C ++//#define MBEDTLS_DES_C + + /** + * \def MBEDTLS_DHM_C +@@ -2718,7 +2754,7 @@ + * See dhm.h for more details. + * + */ +-#define MBEDTLS_DHM_C ++//#define MBEDTLS_DHM_C + + /** + * \def MBEDTLS_ECDH_C +@@ -2753,7 +2789,9 @@ + * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a + * short Weierstrass curve. + */ ++#ifdef OC_PKI + #define MBEDTLS_ECDSA_C ++#endif + + /** + * \def MBEDTLS_ECJPAKE_C +@@ -2815,7 +2853,10 @@ + * + * This module enables mbedtls_strerror(). + */ ++#if defined(OC_LOG_MAXIMUM_LEVEL) && defined(OC_LOG_LEVEL_ERROR_MACRO) && \ ++ ((OC_LOG_LEVEL_ERROR_MACRO) <= (OC_LOG_MAXIMUM_LEVEL)) + #define MBEDTLS_ERROR_C ++#endif + + /** + * \def MBEDTLS_GCM_C +@@ -2830,7 +2871,9 @@ + * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other + * requisites are enabled as well. + */ ++#ifdef OC_PKI + #define MBEDTLS_GCM_C ++#endif + + /** + * \def MBEDTLS_GCM_LARGE_TABLE +@@ -2861,7 +2904,7 @@ + * This module adds support for the Hashed Message Authentication Code + * (HMAC)-based key derivation function (HKDF). + */ +-#define MBEDTLS_HKDF_C ++//#define MBEDTLS_HKDF_C + + /** + * \def MBEDTLS_HMAC_DRBG_C +@@ -2875,7 +2918,7 @@ + * + * Uncomment to enable the HMAC_DRBG random number generator. + */ +-#define MBEDTLS_HMAC_DRBG_C ++//#define MBEDTLS_HMAC_DRBG_C + + /** + * \def MBEDTLS_LMS_C +@@ -2889,7 +2932,7 @@ + * + * Uncomment to enable the LMS verification algorithm and public key operations. + */ +-#define MBEDTLS_LMS_C ++//#define MBEDTLS_LMS_C + + /** + * \def MBEDTLS_LMS_PRIVATE +@@ -2968,7 +3011,7 @@ + * it, and considering stronger message digests instead. + * + */ +-#define MBEDTLS_MD5_C ++//#define MBEDTLS_MD5_C + + /** + * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C +@@ -2984,7 +3027,9 @@ + * + * Enable this module to enable the buffer memory allocator. 
+ */ +-//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C ++#ifndef OC_DYNAMIC_ALLOCATION ++#define MBEDTLS_MEMORY_BUFFER_ALLOC_C ++#endif /* !OC_DYNAMIC_ALLOCATION */ + + /** + * \def MBEDTLS_NET_C +@@ -3003,7 +3048,11 @@ + * + * This module provides networking routines. + */ ++#ifdef OC_TEST ++#if defined(_WIN64) || defined(_WIN32) || defined(__APPLE__) || defined(__linux__) || defined(__ANDROID__) + #define MBEDTLS_NET_C ++#endif /* _WIN64 || _WIN32 || __APPLE__ || __linux__ || __ANDROID__ */ ++#endif /* OC_TEST */ + + /** + * \def MBEDTLS_OID_C +@@ -3026,7 +3075,9 @@ + * + * This modules translates between OIDs and internal values. + */ ++#ifdef OC_PKI + #define MBEDTLS_OID_C ++#endif + + /** + * \def MBEDTLS_PADLOCK_C +@@ -3040,7 +3091,7 @@ + * + * This modules adds support for the VIA PadLock on x86. + */ +-#define MBEDTLS_PADLOCK_C ++//#define MBEDTLS_PADLOCK_C + + /** + * \def MBEDTLS_PEM_PARSE_C +@@ -3062,7 +3113,9 @@ + * + * This modules adds support for decoding / parsing PEM files. + */ ++#ifdef OC_PKI + #define MBEDTLS_PEM_PARSE_C ++#endif + + /** + * \def MBEDTLS_PEM_WRITE_C +@@ -3078,7 +3131,9 @@ + * + * This modules adds support for encoding / writing PEM files. + */ ++#ifdef OC_PKI + #define MBEDTLS_PEM_WRITE_C ++#endif + + /** + * \def MBEDTLS_PK_C +@@ -3096,7 +3151,9 @@ + * + * Uncomment to enable generic public key wrappers. + */ ++#ifdef OC_PKI + #define MBEDTLS_PK_C ++#endif + + /** + * \def MBEDTLS_PK_PARSE_C +@@ -3111,7 +3168,9 @@ + * + * Uncomment to enable generic public key parse functions. + */ ++#ifdef OC_PKI + #define MBEDTLS_PK_PARSE_C ++#endif + + /** + * \def MBEDTLS_PK_WRITE_C +@@ -3125,7 +3184,9 @@ + * + * Uncomment to enable generic public key write functions. + */ ++#ifdef OC_PKI + #define MBEDTLS_PK_WRITE_C ++#endif + + /** + * \def MBEDTLS_PKCS5_C +@@ -3157,7 +3218,7 @@ + * + * This module is required for the PKCS #7 parsing modules. 
+ */ +-#define MBEDTLS_PKCS7_C ++//#define MBEDTLS_PKCS7_C + + /** + * \def MBEDTLS_PKCS12_C +@@ -3176,7 +3237,7 @@ + * + * This module enables PKCS#12 functions. + */ +-#define MBEDTLS_PKCS12_C ++//#define MBEDTLS_PKCS12_C + + /** + * \def MBEDTLS_PLATFORM_C +@@ -3206,7 +3267,7 @@ + * Module: library/poly1305.c + * Caller: library/chachapoly.c + */ +-#define MBEDTLS_POLY1305_C ++//#define MBEDTLS_POLY1305_C + + /** + * \def MBEDTLS_PSA_CRYPTO_C +@@ -3222,7 +3283,7 @@ + * is enabled in PSA (unless it's fully accelerated, see + * docs/driver-only-builds.md about that). + */ +-#define MBEDTLS_PSA_CRYPTO_C ++//#define MBEDTLS_PSA_CRYPTO_C + + /** + * \def MBEDTLS_PSA_CRYPTO_SE_C +@@ -3254,7 +3315,7 @@ + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of + * the PSA ITS interface + */ +-#define MBEDTLS_PSA_CRYPTO_STORAGE_C ++//#define MBEDTLS_PSA_CRYPTO_STORAGE_C + + /** + * \def MBEDTLS_PSA_ITS_FILE_C +@@ -3266,7 +3327,7 @@ + * + * Requires: MBEDTLS_FS_IO + */ +-#define MBEDTLS_PSA_ITS_FILE_C ++//#define MBEDTLS_PSA_ITS_FILE_C + + /** + * \def MBEDTLS_RIPEMD160_C +@@ -3277,7 +3338,7 @@ + * Caller: library/md.c + * + */ +-#define MBEDTLS_RIPEMD160_C ++//#define MBEDTLS_RIPEMD160_C + + /** + * \def MBEDTLS_RSA_C +@@ -3297,7 +3358,9 @@ + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C + */ ++#ifdef OC_PKI + #define MBEDTLS_RSA_C ++#endif + + /** + * \def MBEDTLS_SHA1_C +@@ -3316,7 +3379,7 @@ + * on it, and considering stronger message digests instead. + * + */ +-#define MBEDTLS_SHA1_C ++//#define MBEDTLS_SHA1_C + + /** + * \def MBEDTLS_SHA224_C +@@ -3470,7 +3533,7 @@ + * + * This module adds support for SHA3. 
+ */ +-#define MBEDTLS_SHA3_C ++//#define MBEDTLS_SHA3_C + + /** + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +@@ -3538,7 +3601,7 @@ + * + * Requires: MBEDTLS_SSL_CACHE_C + */ +-#define MBEDTLS_SSL_CACHE_C ++//#define MBEDTLS_SSL_CACHE_C + + /** + * \def MBEDTLS_SSL_COOKIE_C +@@ -3561,7 +3624,7 @@ + * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && + * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) + */ +-#define MBEDTLS_SSL_TICKET_C ++//#define MBEDTLS_SSL_TICKET_C + + /** + * \def MBEDTLS_SSL_CLI_C +@@ -3651,7 +3714,11 @@ + * + * Module: library/timing.c + */ ++#ifdef OC_TEST ++#if defined(_WIN64) || defined(_WIN32) || defined(__APPLE__) || defined(__linux__) || defined(__ANDROID__) + #define MBEDTLS_TIMING_C ++#endif /* _WIN64 || _WIN32 || __APPLE__ || __linux__ || __ANDROID__ */ ++#endif /* OC_TEST */ + + /** + * \def MBEDTLS_VERSION_C +@@ -3662,7 +3729,7 @@ + * + * This module provides run-time version information. + */ +-#define MBEDTLS_VERSION_C ++//#define MBEDTLS_VERSION_C + + /** + * \def MBEDTLS_X509_USE_C +@@ -3682,7 +3749,9 @@ + * + * This module is required for the X.509 parsing modules. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_USE_C ++#endif + + /** + * \def MBEDTLS_X509_CRT_PARSE_C +@@ -3698,7 +3767,9 @@ + * + * This module is required for X.509 certificate parsing. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CRT_PARSE_C ++#endif + + /** + * \def MBEDTLS_X509_CRL_PARSE_C +@@ -3712,7 +3783,7 @@ + * + * This module is required for X.509 CRL parsing. + */ +-#define MBEDTLS_X509_CRL_PARSE_C ++//#define MBEDTLS_X509_CRL_PARSE_C + + /** + * \def MBEDTLS_X509_CSR_PARSE_C +@@ -3726,7 +3797,9 @@ + * + * This module is used for reading X.509 certificate request. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CSR_PARSE_C ++#endif + + /** + * \def MBEDTLS_X509_CREATE_C +@@ -3743,7 +3816,9 @@ + * + * This module is the basis for creating X.509 certificates and CSRs. 
+ */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CREATE_C ++#endif + + /** + * \def MBEDTLS_X509_CRT_WRITE_C +@@ -3756,7 +3831,9 @@ + * + * This module is required for X.509 certificate creation. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CRT_WRITE_C ++#endif + + /** + * \def MBEDTLS_X509_CSR_WRITE_C +@@ -3769,7 +3846,9 @@ + * + * This module is required for X.509 certificate request writing. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CSR_WRITE_C ++#endif + + /** \} name SECTION: Mbed TLS modules */ + +@@ -3943,7 +4022,12 @@ + //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ + + /* Entropy options */ +-//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ ++/* ++ * You should adjust this to the exact number of sources you're using: default ++ * is the "platform_entropy_poll" source, but you may want to add other ones ++ * Minimum is 2 for the entropy test suite. ++ */ ++#define MBEDTLS_ENTROPY_MAX_SOURCES 2 /**< Maximum number of sources supported */ + //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ + //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */ + +@@ -3951,8 +4035,10 @@ + //#define MBEDTLS_MEMORY_ALIGN_MULTIPLE 4 /**< Align on multiples of this value */ + + /* Platform options */ ++#ifdef __OC_PLATFORM + //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ + ++#ifdef OC_DYNAMIC_ALLOCATION + /** \def MBEDTLS_PLATFORM_STD_CALLOC + * + * Default allocator to use, can be undefined. +@@ -3964,7 +4050,7 @@ + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details. + * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE. 
+ */ +-//#define MBEDTLS_PLATFORM_STD_CALLOC calloc ++#define MBEDTLS_PLATFORM_STD_CALLOC calloc + + /** \def MBEDTLS_PLATFORM_STD_FREE + * +@@ -3974,19 +4060,23 @@ + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). + */ +-//#define MBEDTLS_PLATFORM_STD_FREE free ++#define MBEDTLS_PLATFORM_STD_FREE free ++#endif /* OC_DYNAMIC_ALLOCATION */ + //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ +-//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ +-//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ ++#define MBEDTLS_PLATFORM_STD_EXIT oc_exit /**< Default exit to use, can be undefined */ ++#ifdef PLGD_DEV_TIME ++#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ ++#endif /* PLGD_DEV_TIME */ + //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ + /* Note: your snprintf must correctly zero-terminate the buffer! 
*/ +-//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ ++#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_NV_SEED_WRITE mbedtls_platform_std_nv_seed_write /**< Default nv_seed_write function to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_NV_SEED_FILE "seedfile" /**< Seed file to read/write with default implementation */ ++#endif /* __OC_PLATFORM */ + + /* To use the following function macros, MBEDTLS_PLATFORM_C must be enabled. */ + /* MBEDTLS_PLATFORM_XXX_MACRO and MBEDTLS_PLATFORM_XXX_ALT cannot both be defined */ +@@ -4019,7 +4109,9 @@ + * If the implementation here is empty, this will effectively disable the + * checking of functions' return values. + */ +-//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) ++#if defined(__clang__) || defined(__GNUC__) ++#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) ++#endif + + /** \def MBEDTLS_IGNORE_RETURN + * +@@ -4098,6 +4190,9 @@ + * Uncomment to set the maximum plaintext size of the incoming I/O buffer. + */ + //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 ++#ifdef __OC_SSL_CONTENT_LEN ++#define MBEDTLS_SSL_IN_CONTENT_LEN (__OC_SSL_CONTENT_LEN) ++#endif /* !__OC_SSL_CONTENT_LEN */ + + /** \def MBEDTLS_SSL_CID_IN_LEN_MAX + * +@@ -4148,6 +4243,9 @@ + * Uncomment to set the maximum plaintext size of the outgoing I/O buffer. 
+ */ + //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 ++#ifdef __OC_SSL_CONTENT_LEN ++#define MBEDTLS_SSL_OUT_CONTENT_LEN (__OC_SSL_CONTENT_LEN) ++#endif /* !__OC_SSL_CONTENT_LEN */ + + /** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING + * +@@ -4166,7 +4264,7 @@ + */ + //#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 + +-//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */ ++#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */ + //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ + + /** +diff --git a/include/mbedtls/mbedtls_oc_platform-standalone.h.in b/include/mbedtls/mbedtls_oc_platform-standalone.h.in +new file mode 100644 +index 0000000000..36206a4f71 +--- /dev/null ++++ b/include/mbedtls/mbedtls_oc_platform-standalone.h.in +@@ -0,0 +1,42 @@ ++#ifdef __OC_PLATFORM ++ ++#include ++#include ++#include ++#include ++ ++#ifndef OC_DYNAMIC_ALLOCATION ++#define __OC_SSL_CONTENT_LEN (OC_PDU_SIZE) ++#endif /* !OC_DYNAMIC_ALLOCATION */ ++ ++#else /* !__OC_PLATFORM */ ++ ++#define OC_LOG_LEVEL_DISABLED_MACRO (-1) ++#define OC_LOG_LEVEL_ERROR_MACRO (3) ++#define OC_LOG_LEVEL_WARNING_MACRO (4) ++#define OC_LOG_LEVEL_NOTICE_MACRO (5) ++#define OC_LOG_LEVEL_INFO_MACRO (6) ++#define OC_LOG_LEVEL_DEBUG_MACRO (7) ++#define OC_LOG_LEVEL_TRACE_MACRO (8) ++ ++#ifndef OC_LOG_MAXIMUM_LEVEL ++@OC_LOG_MAXIMUM_LEVEL_MACRO@ ++#endif /* !OC_LOG_MAXIMUM_LEVEL */ ++ ++#ifndef OC_DYNAMIC_ALLOCATION ++@OC_DYNAMIC_ALLOCATION_MACRO@ ++#endif /* !OC_DYNAMIC_ALLOCATION */ ++ ++#ifndef OC_PKI ++@OC_PKI_MACRO@ ++#endif /* !OC_PKI */ ++ ++#ifndef OC_OSCORE ++@OC_OSCORE_MACRO@ ++#endif /* !OC_OSCORE */ ++ ++#ifndef OC_DYNAMIC_ALLOCATION ++#define __OC_SSL_CONTENT_LEN (16384) ++#endif /* !OC_DYNAMIC_ALLOCATION */ ++ ++#endif /* __OC_PLATFORM */ +diff --git a/include/mbedtls/mbedtls_oc_platform.h.in 
b/include/mbedtls/mbedtls_oc_platform.h.in +new file mode 100644 +index 0000000000..d4ced796f5 +--- /dev/null ++++ b/include/mbedtls/mbedtls_oc_platform.h.in +@@ -0,0 +1,12 @@ ++#ifdef __OC_PLATFORM ++ ++#include ++#include ++#include ++#include ++ ++#ifndef OC_DYNAMIC_ALLOCATION ++#define __OC_SSL_CONTENT_LEN (OC_PDU_SIZE) ++#endif /* !OC_DYNAMIC_ALLOCATION */ ++ ++#endif /* __OC_PLATFORM */ diff --git a/port/linux/Makefile b/port/linux/Makefile index dca32aa2c..bad5e3ccc 100644 --- a/port/linux/Makefile +++ b/port/linux/Makefile @@ -42,6 +42,7 @@ BUILD_SAMPLES ?= 1 TEST ?= 1 # for now use v3.1.0 as default MBEDTLS_FORCE_3_5_0 ?= 0 +MBEDTLS_FORCE_3_6_2 ?= 0 TINYCBOR_DIR := $(ROOT_DIR)/deps/tinycbor MBEDTLS_DIR := $(ROOT_DIR)/deps/mbedtls @@ -117,6 +118,11 @@ DTLS = aes.c aesni.c asn1parse.c asn1write.c base64.c \ x509write_crt.c x509_create.c x509_csr.c ssl_msg.c constant_time.c \ nist_kw.c aria.c rsa_alt_helpers.c +ifeq ($(MBEDTLS_FORCE_3_6_2),1) +DTLS += bignum_core.c \ + ssl_client.c ssl_debug_helpers_generated.c ssl_tls12_client.c ssl_tls12_server.c \ + x509write.c +else ifeq ($(MBEDTLS_FORCE_3_5_0),1) DTLS += bignum_core.c \ ssl_client.c ssl_debug_helpers_generated.c ssl_tls12_client.c ssl_tls12_server.c \ @@ -124,6 +130,7 @@ DTLS += bignum_core.c \ else DTLS += ssl_cli.c ssl_srv.c endif +endif DTLSFLAGS=-I../../deps/mbedtls/include -Wno-error=unused 
@@ -722,6 +729,28 @@ ${MBEDTLS_DIR}/.git: git submodule update --init ${@D} +ifeq ($(MBEDTLS_FORCE_3_6_2),1) + +MBEDTLS_PATCHES := $(sort $(wildcard ../../patches/mbedtls/3.6/*.patch) $(wildcard ../../patches/mbedtls/3.6/make/*.patch)) + +$(MBEDTLS_PATCH_FILE): ${MBEDTLS_DIR}/.git ${MBEDTLS_PATCHES} + if [ -d ${MBEDTLS_DIR} ]; then \ + cd ${MBEDTLS_DIR} && \ + git clean -fdx . && \ + git reset --hard && \ + (git fetch --unshallow --tags || git fetch --all) && \ + git checkout v3.6.2 && \ + cd - && \ + git add -u ${MBEDTLS_DIR} ; \ + fi && \ + git submodule update --init && \ + git reset HEAD ${MBEDTLS_DIR} && \ + cd ${MBEDTLS_DIR} && \ + for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} ; done && \ + echo "Patches applied in $^" > ${@F} + +else + ifeq ($(MBEDTLS_FORCE_3_5_0),1) MBEDTLS_PATCHES := $(sort $(wildcard ../../patches/mbedtls/3.5/*.patch) $(wildcard ../../patches/mbedtls/3.5/make/*.patch)) @@ -761,6 +790,8 @@ endif endif +endif + clean: rm -rf obj $(PC) $(CONSTRAINED_LIBS) $(COMMON_TEST_OBJ_FILES) $(API_TEST_OBJ_FILES) $(SECURITY_TEST_OBJ_FILES) $(PLATFORM_TEST_OBJ_FILES) $(MESSAGING_TEST_OBJ_FILES) $(UNIT_TESTS) $(STORAGE_TEST_DIR) $(CLOUD_TEST_OBJ_FILES) $(CLOUD_TEST_STORAGE_DIR) $(RD_CLIENT_TEST_OBJ_FILES) rm -rf $(COMMON_TEST_OBJ_DIR)/*.gcda $(COMMON_TEST_TLS_OBJ_DIR)/*.gcda $(API_TEST_OBJ_DIR)/*.gcda $(API_TEST_ENCODER_OBJ_DIR)/*.gcda $(SECURITY_TEST_OBJ_DIR)/*.gcda $(PLATFORM_TEST_OBJ_DIR)/*.gcda $(MESSAGING_TEST_OBJ_DIR)/*.gcda diff --git a/security/oc_certs.c b/security/oc_certs.c index d16132f53..3eff029c7 100644 --- a/security/oc_certs.c +++ b/security/oc_certs.c @@ -182,6 +182,8 @@ oc_certs_parse_serial_number(const unsigned char *cert, size_t cert_size, return ret; } +#if MBEDTLS_VERSION_NUMBER < 0x03060200 + static int certs_extract_private_key(size_t device, const mbedtls_x509_crt *cert, unsigned char *buffer, size_t buffer_size) 
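Review bot: In the new 3.6.2 recipe for `$(MBEDTLS_PATCH_FILE)`, the loop `for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} ; done` returns only the status of the last `patch` call. An earlier patch that fails to apply (its rejects are discarded by `-r -`) therefore still lets the recipe write the "Patches applied" stamp. These patches carry the OCF TLS configuration, so a partial application should stop the build: `for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} || exit 1 ; done`. Separately, `git checkout v3.6.2` trusts a tag that can be moved upstream; comparing `git rev-parse HEAD` against a pinned commit id (placeholder: `<pinned-commit-sha>`) after the checkout would make the fetched source verifiable.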
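Review bot: The new guard `#if MBEDTLS_VERSION_NUMBER < 0x03060200` in security/oc_certs.c is silently true if `MBEDTLS_VERSION_NUMBER` is not defined at that point, because an undefined identifier in `#if` evaluates to 0. The hunk does not show the file's includes, so confirm that `mbedtls/build_info.h` is included before the guard. The same guard is repeated in security/oc_certs_internal.h and in certsgeneratetest.cpp and obt_certstest.cpp, where it decides whether `oc_certs_parse_private_key` is declared and tested. A defensive form ahead of the first use is `#ifndef MBEDTLS_VERSION_NUMBER` / `#error "include mbedtls/build_info.h first"` / `#endif`. The guarded function's body continues outside this hunk.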
@@ -217,6 +219,8 @@ oc_certs_parse_private_key(size_t device, const unsigned char *cert, return ret; } +#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ + static int certs_extract_public_key(const mbedtls_x509_crt *cert, unsigned char *buffer, size_t buffer_size) diff --git a/security/oc_certs_internal.h b/security/oc_certs_internal.h index 304beccd4..37f892e84 100644 --- a/security/oc_certs_internal.h +++ b/security/oc_certs_internal.h @@ -57,6 +57,8 @@ int oc_certs_parse_serial_number(const unsigned char *cert, size_t cert_size, char *buffer, size_t buffer_size) OC_NONNULL(3); +#if MBEDTLS_VERSION_NUMBER < 0x03060200 + /** * @brief Extract private key from a x509 certificate. * @@ -68,11 +70,16 @@ int oc_certs_parse_serial_number(const unsigned char *cert, size_t cert_size, * @param buffer_size size of the output buffer * @return <0 on error * @return >=0 on success, length of data written + * + * @note the private key is no longer obtainable from the PEM encoded string + * of a certificate(at least as of mbedTLS v3.6.2) */ int oc_certs_parse_private_key(size_t device, const unsigned char *cert, size_t cert_size, unsigned char *buffer, size_t buffer_size) OC_NONNULL(4); +#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ + /** * @brief Extract public key from a x509 certificate. * diff --git a/security/unittest/certsgeneratetest.cpp b/security/unittest/certsgeneratetest.cpp index 55e3c5331..4bc6319d6 100644 --- a/security/unittest/certsgeneratetest.cpp +++ b/security/unittest/certsgeneratetest.cpp @@ -265,6 +265,7 @@ static oc_certs_generate_t defaultCertificateGenerate(const oc::keypair_t &kp, bool isCA = false) { oc_certs_generate_t generate{}; + generate.serial_number_size = 20; generate.personalization_string.value = kPersonalizationString.data(); generate.personalization_string.size = kPersonalizationString.size(); generate.validity.not_before = oc_certs_timestamp_now(); 
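Review bot: `generate.serial_number_size = 20;` in `defaultCertificateGenerate` (security/unittest/certsgeneratetest.cpp) is an unexplained literal. If it is meant as the 20-octet upper bound that RFC 5280 places on certificate serial numbers, say so on the line, e.g. `generate.serial_number_size = 20; // max serialNumber length allowed by RFC 5280 (octets)`, or give it a named constant next to `kPersonalizationString`. The following ParseSerialNumber hunk overrides it with 0 to build a certificate without a serial number, so the default presumably now applies to every other test that goes through this helper. The helper's body continues outside the hunk.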
@@ -301,6 +302,8 @@ TEST_F(TestParseCerts, ParseSerialNumber) { oc::keypair_t kp{ oc::GetECPKeyPair(MBEDTLS_ECP_DP_SECP256R1) }; oc_certs_generate_t generate{ defaultCertificateGenerate(kp) }; + // certificate without serial number + generate.serial_number_size = 0; auto pem = oc::pki::GenerateCertificate(generate); ASSERT_FALSE(pem.empty()); std::array buffer{}; @@ -316,6 +319,8 @@ TEST_F(TestParseCerts, ParseSerialNumber) buffer.size())); } +#if MBEDTLS_VERSION_NUMBER < 0x03060200 + TEST_F(TestParseCerts, ParsePrivateKey_Fail) { std::array private_key{}; @@ -343,6 +348,8 @@ TEST_F(TestParseCerts, ParsePrivateKey) ASSERT_EQ(generate.issuer.private_key.size, ret); } +#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ + TEST_F(TestParseCerts, ParsePublicKey_Fail) { std::array public_key{}; diff --git a/security/unittest/obt_certstest.cpp b/security/unittest/obt_certstest.cpp index b1b3e60b8..15d912256 100644 --- a/security/unittest/obt_certstest.cpp +++ b/security/unittest/obt_certstest.cpp @@ -154,10 +154,12 @@ TEST_F(TestObtCerts, GenerateValidSelfSignedCertificate) EXPECT_LT(0, ret); OC_DBG("serial: %s", &serial[0]); +#if MBEDTLS_VERSION_NUMBER < 0x03060200 std::array private_key{}; ret = oc_certs_parse_private_key(0, &cert_buf[0], cert_buf.size(), private_key.data(), private_key.size()); EXPECT_EQ(kp256_.private_key_size, ret); +#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ oc_string_t pk{}; ret = @@ -282,10 +284,12 @@ TEST_F(TestObtCerts, GenerateValidIdentityCertificate) EXPECT_NE(std::string::npos, uuid_.find(uuid_cstr.data(), 0)); #endif +#if MBEDTLS_VERSION_NUMBER < 0x03060200 std::array private_key{}; ret = oc_certs_parse_private_key(0, &id_cert[0], id_cert.size(), private_key.data(), private_key.size()); EXPECT_EQ(kp256_.private_key_size, ret); +#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ std::array public_key{}; ret = oc_certs_parse_public_key(&id_cert[0], id_cert.size(), 
@@ -426,10 +430,12 @@ TEST_F(TestObtCerts, GenerateValidRoleCertificate) EXPECT_NE(std::string::npos, uuid_.find(uuid_cstr.data(), 0)); #endif +#if MBEDTLS_VERSION_NUMBER < 0x03060200 std::array private_key{}; ret = oc_certs_parse_private_key(0, &role_cert[0], role_cert.size(), private_key.data(), private_key.size()); ASSERT_EQ(kp256_.private_key_size, ret); +#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ std::array public_key{}; ret = oc_certs_parse_public_key(&role_cert[0], role_cert.size(), From f77390da0e9f55ba55f627580e2a3229d13915b5 Mon Sep 17 00:00:00 2001 From: Daniel Adam Date: Sun, 19 Jan 2025 11:11:53 +0100 Subject: [PATCH 2/4] Force mbedTLS 3.6.2 to be used --- .github/workflows/cmake-linux.yml | 2 +- CMakeLists.txt | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cmake-linux.yml b/.github/workflows/cmake-linux.yml index 2365fd1ee..0dd9de266 100644 --- a/.github/workflows/cmake-linux.yml +++ b/.github/workflows/cmake-linux.yml @@ -90,7 +90,7 @@ jobs: - args: "-DOC_DEBUG_ENABLED=ON -DOC_CLOUD_ENABLED=ON -DOC_COLLECTIONS_IF_CREATE_ENABLED=ON" uses: ./.github/workflows/unit-test-with-cfg.yml with: - build_args: -DOC_LOG_MAXIMUM_LOG_LEVEL=INFO -DOC_WKCORE_ENABLED=ON -DOC_SOFTWARE_UPDATE_ENABLED=ON -DOC_MNT_ENABLED=ON -DOC_DISCOVERY_RESOURCE_OBSERVABLE_ENABLED=ON -DOC_PUSH_ENABLED=ON -DPLGD_DEV_TIME_ENABLED=ON -DOC_ETAG_ENABLED=ON -DBUILD_MBEDTLS_FORCE_3_5_0=ON ${{ matrix.args }} + build_args: -DOC_LOG_MAXIMUM_LOG_LEVEL=INFO -DOC_WKCORE_ENABLED=ON -DOC_SOFTWARE_UPDATE_ENABLED=ON -DOC_MNT_ENABLED=ON -DOC_DISCOVERY_RESOURCE_OBSERVABLE_ENABLED=ON -DOC_PUSH_ENABLED=ON -DPLGD_DEV_TIME_ENABLED=ON -DOC_ETAG_ENABLED=ON -DBUILD_MBEDTLS_FORCE_3_5_0=ON -DBUILD_MBEDTLS_FORCE_3_6_2=OFF ${{ matrix.args }} build_type: ${{ (github.event_name == 'workflow_dispatch' && inputs.build_type) || 'Debug' }} clang: ${{ github.event_name == 'workflow_dispatch' && inputs.clang }} coverage: false 
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4159d75f8..446460be5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -42,7 +42,7 @@ set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(BUILD_EXAMPLE_APPLICATIONS ON CACHE BOOL "Build example applications.")
 set(BUILD_MBEDTLS ON CACHE BOOL "Build Mbed TLS library. When set to OFF, the Mbed TLS library with the OCF patches has to be provided.")
 set(BUILD_MBEDTLS_FORCE_3_5_0 OFF CACHE BOOL "Force v3.5.0 of the MbedTLS library to be used (by default v3.1.0 is used by master)")
-set(BUILD_MBEDTLS_FORCE_3_6_2 OFF CACHE BOOL "Force v3.6.2 of the MbedTLS library to be used (by default v3.5.0 is used by master)")
+set(BUILD_MBEDTLS_FORCE_3_6_2 ON CACHE BOOL "Force v3.6.2 of the MbedTLS library to be used (by default v3.5.0 is used by master)")
 set(OC_INSTALL_MBEDTLS ON CACHE BOOL "Include Mbed TLS in installation")
 set(BUILD_TINYCBOR ON CACHE BOOL "Build TinyCBOR library. When set to OFF, the TinyCBOR library has to be provided.")
 set(OC_INSTALL_TINYCBOR ON CACHE BOOL "Include TinyCBOR in installation")
From 0192a8e3382c24c41d9caf2ed1c561d7a3f7a4c5 Mon Sep 17 00:00:00 2001
From: Daniel Adam
Date: Sun, 19 Jan 2025 13:06:49 +0100
Subject: [PATCH 3/4] Add linux Makefile support
---
 .../3.6/make/02-ocf-mbedtls-config.patch | 1090 +++++++++++++++++
 port/linux/Makefile | 8 +-
 security/oc_certs.c | 2 +-
 security/oc_certs_internal.h | 2 +-
 security/unittest/certsgeneratetest.cpp | 2 +-
 security/unittest/obt_certstest.cpp | 6 +-
 6 files changed, 1100 insertions(+), 10 deletions(-)
 create mode 100644 patches/mbedtls/3.6/make/02-ocf-mbedtls-config.patch
diff --git a/patches/mbedtls/3.6/make/02-ocf-mbedtls-config.patch b/patches/mbedtls/3.6/make/02-ocf-mbedtls-config.patch
new file mode 100644
index 000000000..c6bf3b6f2
--- /dev/null
+++ b/patches/mbedtls/3.6/make/02-ocf-mbedtls-config.patch
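Review bot: The cache description of `BUILD_MBEDTLS_FORCE_3_6_2` in CMakeLists.txt still reads "by default v3.5.0 is used by master" although this hunk turns the option ON, so a default configure now selects 3.6.2. Suggest `set(BUILD_MBEDTLS_FORCE_3_6_2 ON CACHE BOOL "Use v3.6.2 of the MbedTLS library (default); set to OFF to fall back to an older, deprecated version")`. The deprecation checks added in the first patch of this series test each FORCE flag on its own, so with the defaults (`BUILD_MBEDTLS_FORCE_3_5_0` OFF, `BUILD_MBEDTLS_FORCE_3_6_2` ON) the v3.1.0 warning would presumably still print; nesting that check under `if(NOT BUILD_MBEDTLS_FORCE_3_6_2)` would keep the message accurate. A build directory configured before this change keeps its cached OFF value, so the newer TLS library is only picked up on a fresh cache.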
@@ -0,0 +1,1090 @@ +diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h +index bd3f71d5bc..dd7bf5f345 100644 +--- a/include/mbedtls/mbedtls_config.h ++++ b/include/mbedtls/mbedtls_config.h +@@ -21,6 +21,14 @@ + */ + //#define MBEDTLS_CONFIG_VERSION 0x03000000 + ++#include ++#include ++#include ++#include ++ ++#define MBEDTLS_KEY_EXCHANGE_ECDH_ANON_ENABLED ++#define MBEDTLS_ALLOW_PRIVATE_ACCESS ++ + /** + * \name SECTION: System support + * +@@ -49,7 +57,7 @@ + * + * Comment to disable the use of assembly code. + */ +-#define MBEDTLS_HAVE_ASM ++//#define MBEDTLS_HAVE_ASM + + /** + * \def MBEDTLS_NO_UDBL_DIVISION +@@ -110,6 +118,8 @@ + */ + //#define MBEDTLS_HAVE_SSE2 + ++#if defined(OC_PKI) || defined(PLGD_DEV_TIME) ++#if defined(_WIN64) || defined(_WIN32) || defined(__APPLE__) || defined(__linux__) || defined(__ANDROID__) + /** + * \def MBEDTLS_HAVE_TIME + * +@@ -150,6 +160,8 @@ + * MBEDTLS_PLATFORM_GMTIME_R_ALT. + */ + #define MBEDTLS_HAVE_TIME_DATE ++#endif /* _WIN64 || _WIN32 || __APPLE__ || __linux__ || __ANDROID__ */ ++#endif /* OC_PKI || PLGD_DEV_TIME */ + + /** + * \def MBEDTLS_PLATFORM_MEMORY +@@ -205,7 +217,7 @@ + * + * Enable this layer to allow use of alternative memory allocators. + */ +-//#define MBEDTLS_PLATFORM_MEMORY ++#define MBEDTLS_PLATFORM_MEMORY + + /** + * \def MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +@@ -224,7 +236,7 @@ + * Uncomment to prevent default assignment of standard functions in the + * platform layer. 
+ */ +-//#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS ++#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS + + /** + * \def MBEDTLS_PLATFORM_EXIT_ALT +@@ -250,11 +262,13 @@ + * platform function + */ + //#define MBEDTLS_PLATFORM_SETBUF_ALT +-//#define MBEDTLS_PLATFORM_EXIT_ALT +-//#define MBEDTLS_PLATFORM_TIME_ALT ++#define MBEDTLS_PLATFORM_EXIT_ALT ++#ifdef PLGD_DEV_TIME ++#define MBEDTLS_PLATFORM_TIME_ALT ++#endif /* PLGD_DEV_TIME */ + //#define MBEDTLS_PLATFORM_FPRINTF_ALT + //#define MBEDTLS_PLATFORM_PRINTF_ALT +-//#define MBEDTLS_PLATFORM_SNPRINTF_ALT ++#define MBEDTLS_PLATFORM_SNPRINTF_ALT + //#define MBEDTLS_PLATFORM_VSNPRINTF_ALT + //#define MBEDTLS_PLATFORM_NV_SEED_ALT + //#define MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT +@@ -315,7 +329,9 @@ + * + * Uncomment to get warnings on using deprecated functions and features. + */ +-//#define MBEDTLS_DEPRECATED_WARNING ++#if defined(__clang__) || defined(__GNUC__) ++#define MBEDTLS_DEPRECATED_WARNING ++#endif /* __clang__ || __GNUC__ */ + + /** + * \def MBEDTLS_DEPRECATED_REMOVED +@@ -327,7 +343,7 @@ + * + * Uncomment to get errors on using deprecated functions and features. + */ +-//#define MBEDTLS_DEPRECATED_REMOVED ++#define MBEDTLS_DEPRECATED_REMOVED + + /** \} name SECTION: System support */ + +@@ -559,7 +575,7 @@ + * + * This option is independent of \c MBEDTLS_AES_FEWER_TABLES. + */ +-//#define MBEDTLS_AES_ROM_TABLES ++#define MBEDTLS_AES_ROM_TABLES + + /** + * \def MBEDTLS_AES_FEWER_TABLES +@@ -643,7 +659,7 @@ + * macro is not defined. To completely disable return value check + * warnings, define #MBEDTLS_CHECK_RETURN with an empty expansion. + */ +-//#define MBEDTLS_CHECK_RETURN_WARNING ++#define MBEDTLS_CHECK_RETURN_WARNING + + /** + * \def MBEDTLS_CIPHER_MODE_CBC +@@ -657,28 +673,28 @@ + * + * Enable Cipher Feedback mode (CFB) for symmetric ciphers. 
+ */ +-#define MBEDTLS_CIPHER_MODE_CFB ++//#define MBEDTLS_CIPHER_MODE_CFB + + /** + * \def MBEDTLS_CIPHER_MODE_CTR + * + * Enable Counter Block Cipher mode (CTR) for symmetric ciphers. + */ +-#define MBEDTLS_CIPHER_MODE_CTR ++//#define MBEDTLS_CIPHER_MODE_CTR + + /** + * \def MBEDTLS_CIPHER_MODE_OFB + * + * Enable Output Feedback mode (OFB) for symmetric ciphers. + */ +-#define MBEDTLS_CIPHER_MODE_OFB ++//#define MBEDTLS_CIPHER_MODE_OFB + + /** + * \def MBEDTLS_CIPHER_MODE_XTS + * + * Enable Xor-encrypt-xor with ciphertext stealing mode (XTS) for AES. + */ +-#define MBEDTLS_CIPHER_MODE_XTS ++//#define MBEDTLS_CIPHER_MODE_XTS + + /** + * \def MBEDTLS_CIPHER_NULL_CIPHER +@@ -723,10 +739,10 @@ + * + * Enable padding modes in the cipher layer. + */ +-#define MBEDTLS_CIPHER_PADDING_PKCS7 +-#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS +-#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN +-#define MBEDTLS_CIPHER_PADDING_ZEROS ++//#define MBEDTLS_CIPHER_PADDING_PKCS7 ++//#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS ++//#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN ++//#define MBEDTLS_CIPHER_PADDING_ZEROS + + /** \def MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + * +@@ -757,20 +773,20 @@ + * Comment macros to disable the curve and functions for it + */ + /* Short Weierstrass curves (supporting ECP, ECDH, ECDSA) */ +-#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +-#define MBEDTLS_ECP_DP_SECP224R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP192R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP224R1_ENABLED + #define MBEDTLS_ECP_DP_SECP256R1_ENABLED + #define MBEDTLS_ECP_DP_SECP384R1_ENABLED +-#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +-#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +-#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +-#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +-#define MBEDTLS_ECP_DP_BP256R1_ENABLED +-#define MBEDTLS_ECP_DP_BP384R1_ENABLED +-#define MBEDTLS_ECP_DP_BP512R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP521R1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP192K1_ENABLED ++//#define 
MBEDTLS_ECP_DP_SECP224K1_ENABLED ++//#define MBEDTLS_ECP_DP_SECP256K1_ENABLED ++//#define MBEDTLS_ECP_DP_BP256R1_ENABLED ++//#define MBEDTLS_ECP_DP_BP384R1_ENABLED ++//#define MBEDTLS_ECP_DP_BP512R1_ENABLED + /* Montgomery curves (supporting ECP) */ +-#define MBEDTLS_ECP_DP_CURVE25519_ENABLED +-#define MBEDTLS_ECP_DP_CURVE448_ENABLED ++//#define MBEDTLS_ECP_DP_CURVE25519_ENABLED ++//#define MBEDTLS_ECP_DP_CURVE448_ENABLED + + /** + * \def MBEDTLS_ECP_NIST_OPTIM +@@ -781,7 +797,7 @@ + * + * Comment this macro to disable NIST curves optimisation. + */ +-#define MBEDTLS_ECP_NIST_OPTIM ++//#define MBEDTLS_ECP_NIST_OPTIM + + /** + * \def MBEDTLS_ECP_RESTARTABLE +@@ -858,7 +874,7 @@ + * + * Comment this macro to disable deterministic ECDSA. + */ +-#define MBEDTLS_ECDSA_DETERMINISTIC ++//#define MBEDTLS_ECDSA_DETERMINISTIC + + /** + * \def MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +@@ -907,7 +923,7 @@ + * See dhm.h for more details. + * + */ +-#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +@@ -948,7 +964,7 @@ + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 + */ +-#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +@@ -973,7 +989,7 @@ + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 + * MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA + */ +-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED +@@ -1005,7 +1021,7 @@ + * See dhm.h for more details. 
+ * + */ +-#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +@@ -1030,7 +1046,9 @@ + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 + */ ++#ifdef OC_PKI + #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ++#endif + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +@@ -1054,7 +1072,9 @@ + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 + */ ++#ifdef OC_PKI + #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ++#endif + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +@@ -1078,7 +1098,9 @@ + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 + */ ++#ifdef OC_PKI + #define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED ++#endif + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +@@ -1102,7 +1124,7 @@ + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 + */ +-#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ++//#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + + /** + * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED +@@ -1139,7 +1161,7 @@ + * + * Disable if you only need to support RFC 5915 + 5480 key formats. + */ +-#define MBEDTLS_PK_PARSE_EC_EXTENDED ++//#define MBEDTLS_PK_PARSE_EC_EXTENDED + + /** + * \def MBEDTLS_PK_PARSE_EC_COMPRESSED +@@ -1152,7 +1174,7 @@ + * the only unsupported curves are MBEDTLS_ECP_DP_SECP224R1 and + * MBEDTLS_ECP_DP_SECP224K1. 
+ */ +-#define MBEDTLS_PK_PARSE_EC_COMPRESSED ++//#define MBEDTLS_PK_PARSE_EC_COMPRESSED + + /** + * \def MBEDTLS_ERROR_STRERROR_DUMMY +@@ -1167,7 +1189,7 @@ + * Disable if you run into name conflicts and want to really remove the + * mbedtls_strerror() + */ +-#define MBEDTLS_ERROR_STRERROR_DUMMY ++//#define MBEDTLS_ERROR_STRERROR_DUMMY + + /** + * \def MBEDTLS_GENPRIME +@@ -1176,14 +1198,14 @@ + * + * Requires: MBEDTLS_BIGNUM_C + */ +-#define MBEDTLS_GENPRIME ++//#define MBEDTLS_GENPRIME + + /** + * \def MBEDTLS_FS_IO + * + * Enable functions that use the filesystem. + */ +-#define MBEDTLS_FS_IO ++//#define MBEDTLS_FS_IO + + /** + * \def MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +@@ -1206,7 +1228,7 @@ + * + * Uncomment this macro to disable the built-in platform entropy functions. + */ +-//#define MBEDTLS_NO_PLATFORM_ENTROPY ++#define MBEDTLS_NO_PLATFORM_ENTROPY + + /** + * \def MBEDTLS_ENTROPY_FORCE_SHA256 +@@ -1296,7 +1318,7 @@ + * + * Comment this macro to disable support for external private RSA keys. + */ +-#define MBEDTLS_PK_RSA_ALT_SUPPORT ++//#define MBEDTLS_PK_RSA_ALT_SUPPORT + + /** + * \def MBEDTLS_PKCS1_V15 +@@ -1321,7 +1343,7 @@ + * + * This enables support for RSAES-OAEP and RSASSA-PSS operations. + */ +-#define MBEDTLS_PKCS1_V21 ++//#define MBEDTLS_PKCS1_V21 + + /** \def MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS + * +@@ -1429,7 +1451,7 @@ + * Module: library/psa_crypto.c + * Requires: MBEDTLS_PSA_CRYPTO_C + */ +-#define MBEDTLS_PSA_KEY_STORE_DYNAMIC ++//#define MBEDTLS_PSA_KEY_STORE_DYNAMIC + + /** + * Uncomment to enable p256-m. This is an alternative implementation of +@@ -1521,7 +1543,7 @@ + * + * Enable the checkup functions (*_self_test). + */ +-#define MBEDTLS_SELF_TEST ++//#define MBEDTLS_SELF_TEST + + /** + * \def MBEDTLS_SHA256_SMALLER +@@ -1585,7 +1607,7 @@ + * + * Uncomment to enable the Connection ID extension. 
+ */ +-#define MBEDTLS_SSL_DTLS_CONNECTION_ID ++//#define MBEDTLS_SSL_DTLS_CONNECTION_ID + + + /** +@@ -1608,7 +1630,7 @@ + * + * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID + */ +-#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 ++//#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 + + /** + * \def MBEDTLS_SSL_ASYNC_PRIVATE +@@ -1649,7 +1671,7 @@ + * + * Comment to disable the context serialization APIs. + */ +-#define MBEDTLS_SSL_CONTEXT_SERIALIZATION ++//#define MBEDTLS_SSL_CONTEXT_SERIALIZATION + + /** + * \def MBEDTLS_SSL_DEBUG_ALL +@@ -1681,7 +1703,7 @@ + * + * Comment this macro to disable support for Encrypt-then-MAC + */ +-#define MBEDTLS_SSL_ENCRYPT_THEN_MAC ++//#define MBEDTLS_SSL_ENCRYPT_THEN_MAC + + /** \def MBEDTLS_SSL_EXTENDED_MASTER_SECRET + * +@@ -1745,7 +1767,7 @@ + * configuration of this extension). + * + */ +-#define MBEDTLS_SSL_RENEGOTIATION ++//#define MBEDTLS_SSL_RENEGOTIATION + + /** + * \def MBEDTLS_SSL_MAX_FRAGMENT_LENGTH +@@ -1809,7 +1831,7 @@ + * + * Uncomment this macro to enable the support for TLS 1.3. + */ +-#define MBEDTLS_SSL_PROTO_TLS1_3 ++//#define MBEDTLS_SSL_PROTO_TLS1_3 + + /** + * \def MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +@@ -1831,7 +1853,7 @@ + * effect on the build. + * + */ +-#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE ++//#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + + /** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED +@@ -1843,7 +1865,7 @@ + * effect on the build. + * + */ +-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED ++//#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED + + /** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED +@@ -1861,7 +1883,7 @@ + * effect on the build. + * + */ +-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED ++//#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED + + /** + * \def MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +@@ -1875,7 +1897,7 @@ + * have any effect on the build. 
+ * + */ +-#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED ++//#define MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED + + /** + * \def MBEDTLS_SSL_EARLY_DATA +@@ -1915,7 +1937,7 @@ + * + * Comment this macro to disable support for ALPN. + */ +-#define MBEDTLS_SSL_ALPN ++//#define MBEDTLS_SSL_ALPN + + /** + * \def MBEDTLS_SSL_DTLS_ANTI_REPLAY +@@ -1995,7 +2017,7 @@ + * + * Comment this to disable support for clients reusing the source port. + */ +-#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE ++//#define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE + + /** + * \def MBEDTLS_SSL_SESSION_TICKETS +@@ -2009,7 +2031,7 @@ + * + * Comment this macro to disable support for SSL session tickets + */ +-#define MBEDTLS_SSL_SESSION_TICKETS ++//#define MBEDTLS_SSL_SESSION_TICKETS + + /** + * \def MBEDTLS_SSL_SERVER_NAME_INDICATION +@@ -2020,7 +2042,7 @@ + * + * Comment this macro to disable support for server name indication in SSL + */ +-#define MBEDTLS_SSL_SERVER_NAME_INDICATION ++//#define MBEDTLS_SSL_SERVER_NAME_INDICATION + + /** + * \def MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH +@@ -2183,7 +2205,7 @@ + * + * Comment this to disable run-time checking and save ROM space + */ +-#define MBEDTLS_VERSION_FEATURES ++//#define MBEDTLS_VERSION_FEATURES + + /** + * \def MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK +@@ -2227,7 +2249,7 @@ + * + * Comment this macro to disallow using RSASSA-PSS in certificates. + */ +-#define MBEDTLS_X509_RSASSA_PSS_SUPPORT ++//#define MBEDTLS_X509_RSASSA_PSS_SUPPORT + /** \} name SECTION: Mbed TLS feature support */ + + /** +@@ -2267,7 +2289,7 @@ + * + * This modules adds support for the AES-NI instructions on x86. + */ +-#define MBEDTLS_AESNI_C ++//#define MBEDTLS_AESNI_C + + /** + * \def MBEDTLS_AESCE_C +@@ -2293,7 +2315,7 @@ + * + * This module adds support for the AES Armv8-A Cryptographic Extensions on Armv8 systems. 
+ */ +-#define MBEDTLS_AESCE_C ++//#define MBEDTLS_AESCE_C + + /** + * \def MBEDTLS_AES_C +@@ -2382,7 +2404,9 @@ + * library/pkcs5.c + * library/pkparse.c + */ ++#ifdef OC_PKI + #define MBEDTLS_ASN1_PARSE_C ++#endif + + /** + * \def MBEDTLS_ASN1_WRITE_C +@@ -2396,7 +2420,9 @@ + * library/x509write_crt.c + * library/x509write_csr.c + */ ++#ifdef OC_PKI + #define MBEDTLS_ASN1_WRITE_C ++#endif + + /** + * \def MBEDTLS_BASE64_C +@@ -2408,7 +2434,9 @@ + * + * This module is required for PEM support (required by X.509). + */ ++#ifdef OC_PKI + #define MBEDTLS_BASE64_C ++#endif + + /** + * \def MBEDTLS_BLOCK_CIPHER_NO_DECRYPT +@@ -2505,7 +2533,7 @@ + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 + * MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 + */ +-#define MBEDTLS_CAMELLIA_C ++//#define MBEDTLS_CAMELLIA_C + + /** + * \def MBEDTLS_ARIA_C +@@ -2572,7 +2600,9 @@ + * This module enables the AES-CCM ciphersuites, if other requisites are + * enabled as well. + */ ++#if defined(OC_PKI) || defined(OC_OSCORE) + #define MBEDTLS_CCM_C ++#endif + + /** + * \def MBEDTLS_CHACHA20_C +@@ -2581,7 +2611,7 @@ + * + * Module: library/chacha20.c + */ +-#define MBEDTLS_CHACHA20_C ++//#define MBEDTLS_CHACHA20_C + + /** + * \def MBEDTLS_CHACHAPOLY_C +@@ -2592,7 +2622,7 @@ + * + * This module requires: MBEDTLS_CHACHA20_C, MBEDTLS_POLY1305_C + */ +-#define MBEDTLS_CHACHAPOLY_C ++//#define MBEDTLS_CHACHAPOLY_C + + /** + * \def MBEDTLS_CIPHER_C +@@ -2680,7 +2710,10 @@ + * + * This module provides debugging functions. + */ ++#if defined(OC_LOG_MAXIMUM_LEVEL) && defined(OC_LOG_LEVEL_DEBUG_MACRO) && \ ++ ((OC_LOG_LEVEL_DEBUG_MACRO) <= (OC_LOG_MAXIMUM_LEVEL)) + #define MBEDTLS_DEBUG_C ++#endif + + /** + * \def MBEDTLS_DES_C +@@ -2696,7 +2729,7 @@ + * \warning DES/3DES are considered weak ciphers and their use constitutes a + * security risk. We recommend considering stronger ciphers instead. 
+ */ +-#define MBEDTLS_DES_C ++//#define MBEDTLS_DES_C + + /** + * \def MBEDTLS_DHM_C +@@ -2718,7 +2751,7 @@ + * See dhm.h for more details. + * + */ +-#define MBEDTLS_DHM_C ++//#define MBEDTLS_DHM_C + + /** + * \def MBEDTLS_ECDH_C +@@ -2753,7 +2786,9 @@ + * and at least one MBEDTLS_ECP_DP_XXX_ENABLED for a + * short Weierstrass curve. + */ ++#ifdef OC_PKI + #define MBEDTLS_ECDSA_C ++#endif + + /** + * \def MBEDTLS_ECJPAKE_C +@@ -2815,7 +2850,10 @@ + * + * This module enables mbedtls_strerror(). + */ ++#if defined(OC_LOG_MAXIMUM_LEVEL) && defined(OC_LOG_LEVEL_ERROR_MACRO) && \ ++ ((OC_LOG_LEVEL_ERROR_MACRO) <= (OC_LOG_MAXIMUM_LEVEL)) + #define MBEDTLS_ERROR_C ++#endif + + /** + * \def MBEDTLS_GCM_C +@@ -2830,7 +2868,9 @@ + * This module enables the AES-GCM and CAMELLIA-GCM ciphersuites, if other + * requisites are enabled as well. + */ ++#ifdef OC_PKI + #define MBEDTLS_GCM_C ++#endif + + /** + * \def MBEDTLS_GCM_LARGE_TABLE +@@ -2861,7 +2901,7 @@ + * This module adds support for the Hashed Message Authentication Code + * (HMAC)-based key derivation function (HKDF). + */ +-#define MBEDTLS_HKDF_C ++//#define MBEDTLS_HKDF_C + + /** + * \def MBEDTLS_HMAC_DRBG_C +@@ -2875,7 +2915,7 @@ + * + * Uncomment to enable the HMAC_DRBG random number generator. + */ +-#define MBEDTLS_HMAC_DRBG_C ++//#define MBEDTLS_HMAC_DRBG_C + + /** + * \def MBEDTLS_LMS_C +@@ -2889,7 +2929,7 @@ + * + * Uncomment to enable the LMS verification algorithm and public key operations. + */ +-#define MBEDTLS_LMS_C ++//#define MBEDTLS_LMS_C + + /** + * \def MBEDTLS_LMS_PRIVATE +@@ -2968,7 +3008,7 @@ + * it, and considering stronger message digests instead. + * + */ +-#define MBEDTLS_MD5_C ++//#define MBEDTLS_MD5_C + + /** + * \def MBEDTLS_MEMORY_BUFFER_ALLOC_C +@@ -2984,7 +3024,9 @@ + * + * Enable this module to enable the buffer memory allocator. 
+ */ +-//#define MBEDTLS_MEMORY_BUFFER_ALLOC_C ++#ifndef OC_DYNAMIC_ALLOCATION ++#define MBEDTLS_MEMORY_BUFFER_ALLOC_C ++#endif /* !OC_DYNAMIC_ALLOCATION */ + + /** + * \def MBEDTLS_NET_C +@@ -3003,7 +3045,11 @@ + * + * This module provides networking routines. + */ ++#ifdef OC_TEST ++#if defined(_WIN64) || defined(_WIN32) || defined(__APPLE__) || defined(__linux__) || defined(__ANDROID__) + #define MBEDTLS_NET_C ++#endif /* _WIN64 || _WIN32 || __APPLE__ || __linux__ || __ANDROID__ */ ++#endif /* OC_TEST */ + + /** + * \def MBEDTLS_OID_C +@@ -3026,7 +3072,9 @@ + * + * This modules translates between OIDs and internal values. + */ ++#ifdef OC_PKI + #define MBEDTLS_OID_C ++#endif + + /** + * \def MBEDTLS_PADLOCK_C +@@ -3040,7 +3088,7 @@ + * + * This modules adds support for the VIA PadLock on x86. + */ +-#define MBEDTLS_PADLOCK_C ++//#define MBEDTLS_PADLOCK_C + + /** + * \def MBEDTLS_PEM_PARSE_C +@@ -3062,7 +3110,9 @@ + * + * This modules adds support for decoding / parsing PEM files. + */ ++#ifdef OC_PKI + #define MBEDTLS_PEM_PARSE_C ++#endif + + /** + * \def MBEDTLS_PEM_WRITE_C +@@ -3078,7 +3128,9 @@ + * + * This modules adds support for encoding / writing PEM files. + */ ++#ifdef OC_PKI + #define MBEDTLS_PEM_WRITE_C ++#endif + + /** + * \def MBEDTLS_PK_C +@@ -3096,7 +3148,9 @@ + * + * Uncomment to enable generic public key wrappers. + */ ++#ifdef OC_PKI + #define MBEDTLS_PK_C ++#endif + + /** + * \def MBEDTLS_PK_PARSE_C +@@ -3111,7 +3165,9 @@ + * + * Uncomment to enable generic public key parse functions. + */ ++#ifdef OC_PKI + #define MBEDTLS_PK_PARSE_C ++#endif + + /** + * \def MBEDTLS_PK_WRITE_C +@@ -3125,7 +3181,9 @@ + * + * Uncomment to enable generic public key write functions. + */ ++#ifdef OC_PKI + #define MBEDTLS_PK_WRITE_C ++#endif + + /** + * \def MBEDTLS_PKCS5_C +@@ -3157,7 +3215,7 @@ + * + * This module is required for the PKCS #7 parsing modules. 
+ */ +-#define MBEDTLS_PKCS7_C ++//#define MBEDTLS_PKCS7_C + + /** + * \def MBEDTLS_PKCS12_C +@@ -3176,7 +3234,7 @@ + * + * This module enables PKCS#12 functions. + */ +-#define MBEDTLS_PKCS12_C ++//#define MBEDTLS_PKCS12_C + + /** + * \def MBEDTLS_PLATFORM_C +@@ -3206,7 +3264,7 @@ + * Module: library/poly1305.c + * Caller: library/chachapoly.c + */ +-#define MBEDTLS_POLY1305_C ++//#define MBEDTLS_POLY1305_C + + /** + * \def MBEDTLS_PSA_CRYPTO_C +@@ -3222,7 +3280,7 @@ + * is enabled in PSA (unless it's fully accelerated, see + * docs/driver-only-builds.md about that). + */ +-#define MBEDTLS_PSA_CRYPTO_C ++//#define MBEDTLS_PSA_CRYPTO_C + + /** + * \def MBEDTLS_PSA_CRYPTO_SE_C +@@ -3254,7 +3312,7 @@ + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of + * the PSA ITS interface + */ +-#define MBEDTLS_PSA_CRYPTO_STORAGE_C ++//#define MBEDTLS_PSA_CRYPTO_STORAGE_C + + /** + * \def MBEDTLS_PSA_ITS_FILE_C +@@ -3266,7 +3324,7 @@ + * + * Requires: MBEDTLS_FS_IO + */ +-#define MBEDTLS_PSA_ITS_FILE_C ++//#define MBEDTLS_PSA_ITS_FILE_C + + /** + * \def MBEDTLS_RIPEMD160_C +@@ -3277,7 +3335,7 @@ + * Caller: library/md.c + * + */ +-#define MBEDTLS_RIPEMD160_C ++//#define MBEDTLS_RIPEMD160_C + + /** + * \def MBEDTLS_RSA_C +@@ -3297,7 +3355,9 @@ + * + * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C + */ ++#ifdef OC_PKI + #define MBEDTLS_RSA_C ++#endif + + /** + * \def MBEDTLS_SHA1_C +@@ -3316,7 +3376,7 @@ + * on it, and considering stronger message digests instead. + * + */ +-#define MBEDTLS_SHA1_C ++//#define MBEDTLS_SHA1_C + + /** + * \def MBEDTLS_SHA224_C +@@ -3470,7 +3530,7 @@ + * + * This module adds support for SHA3. 
+ */ +-#define MBEDTLS_SHA3_C ++//#define MBEDTLS_SHA3_C + + /** + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +@@ -3538,7 +3598,7 @@ + * + * Requires: MBEDTLS_SSL_CACHE_C + */ +-#define MBEDTLS_SSL_CACHE_C ++//#define MBEDTLS_SSL_CACHE_C + + /** + * \def MBEDTLS_SSL_COOKIE_C +@@ -3561,7 +3621,7 @@ + * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && + * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) + */ +-#define MBEDTLS_SSL_TICKET_C ++//#define MBEDTLS_SSL_TICKET_C + + /** + * \def MBEDTLS_SSL_CLI_C +@@ -3651,7 +3711,11 @@ + * + * Module: library/timing.c + */ ++#ifdef OC_TEST ++#if defined(_WIN64) || defined(_WIN32) || defined(__APPLE__) || defined(__linux__) || defined(__ANDROID__) + #define MBEDTLS_TIMING_C ++#endif /* _WIN64 || _WIN32 || __APPLE__ || __linux__ || __ANDROID__ */ ++#endif /* OC_TEST */ + + /** + * \def MBEDTLS_VERSION_C +@@ -3662,7 +3726,7 @@ + * + * This module provides run-time version information. + */ +-#define MBEDTLS_VERSION_C ++//#define MBEDTLS_VERSION_C + + /** + * \def MBEDTLS_X509_USE_C +@@ -3682,7 +3746,9 @@ + * + * This module is required for the X.509 parsing modules. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_USE_C ++#endif + + /** + * \def MBEDTLS_X509_CRT_PARSE_C +@@ -3698,7 +3764,9 @@ + * + * This module is required for X.509 certificate parsing. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CRT_PARSE_C ++#endif + + /** + * \def MBEDTLS_X509_CRL_PARSE_C +@@ -3712,7 +3780,7 @@ + * + * This module is required for X.509 CRL parsing. + */ +-#define MBEDTLS_X509_CRL_PARSE_C ++//#define MBEDTLS_X509_CRL_PARSE_C + + /** + * \def MBEDTLS_X509_CSR_PARSE_C +@@ -3726,7 +3794,9 @@ + * + * This module is used for reading X.509 certificate request. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CSR_PARSE_C ++#endif + + /** + * \def MBEDTLS_X509_CREATE_C +@@ -3743,7 +3813,9 @@ + * + * This module is the basis for creating X.509 certificates and CSRs. 
+ */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CREATE_C ++#endif + + /** + * \def MBEDTLS_X509_CRT_WRITE_C +@@ -3756,7 +3828,9 @@ + * + * This module is required for X.509 certificate creation. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CRT_WRITE_C ++#endif + + /** + * \def MBEDTLS_X509_CSR_WRITE_C +@@ -3769,7 +3843,9 @@ + * + * This module is required for X.509 certificate request writing. + */ ++#ifdef OC_PKI + #define MBEDTLS_X509_CSR_WRITE_C ++#endif + + /** \} name SECTION: Mbed TLS modules */ + +@@ -3943,7 +4019,12 @@ + //#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 /**< Enable fixed-point speed-up */ + + /* Entropy options */ +-//#define MBEDTLS_ENTROPY_MAX_SOURCES 20 /**< Maximum number of sources supported */ ++/* ++ * You should adjust this to the exact number of sources you're using: default ++ * is the "platform_entropy_poll" source, but you may want to add other ones ++ * Minimum is 2 for the entropy test suite. ++ */ ++#define MBEDTLS_ENTROPY_MAX_SOURCES 2 /**< Maximum number of sources supported */ + //#define MBEDTLS_ENTROPY_MAX_GATHER 128 /**< Maximum amount requested from entropy sources */ + //#define MBEDTLS_ENTROPY_MIN_HARDWARE 32 /**< Default minimum number of bytes required for the hardware entropy source mbedtls_hardware_poll() before entropy is released */ + +@@ -3953,6 +4034,7 @@ + /* Platform options */ + //#define MBEDTLS_PLATFORM_STD_MEM_HDR /**< Header to include if MBEDTLS_PLATFORM_NO_STD_FUNCTIONS is defined. Don't define if no header is needed. */ + ++#ifdef OC_DYNAMIC_ALLOCATION + /** \def MBEDTLS_PLATFORM_STD_CALLOC + * + * Default allocator to use, can be undefined. +@@ -3964,7 +4046,7 @@ + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details. + * The corresponding deallocation function is #MBEDTLS_PLATFORM_STD_FREE. 
+ */ +-//#define MBEDTLS_PLATFORM_STD_CALLOC calloc ++#define MBEDTLS_PLATFORM_STD_CALLOC calloc + + /** \def MBEDTLS_PLATFORM_STD_FREE + * +@@ -3974,14 +4056,17 @@ + * An uninitialized #MBEDTLS_PLATFORM_STD_FREE does not do anything. + * See the description of #MBEDTLS_PLATFORM_MEMORY for more details (same principles as for MBEDTLS_PLATFORM_STD_CALLOC apply). + */ +-//#define MBEDTLS_PLATFORM_STD_FREE free ++#define MBEDTLS_PLATFORM_STD_FREE free ++#endif /* OC_DYNAMIC_ALLOCATION */ + //#define MBEDTLS_PLATFORM_STD_SETBUF setbuf /**< Default setbuf to use, can be undefined */ +-//#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default exit to use, can be undefined */ +-//#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ ++#define MBEDTLS_PLATFORM_STD_EXIT oc_exit /**< Default exit to use, can be undefined */ ++#ifdef PLGD_DEV_TIME ++#define MBEDTLS_PLATFORM_STD_TIME time /**< Default time to use, can be undefined. MBEDTLS_HAVE_TIME must be enabled */ ++#endif /* PLGD_DEV_TIME */ + //#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use, can be undefined */ + /* Note: your snprintf must correctly zero-terminate the buffer! 
*/ +-//#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ ++#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS 0 /**< Default exit value to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE 1 /**< Default exit value to use, can be undefined */ + //#define MBEDTLS_PLATFORM_STD_NV_SEED_READ mbedtls_platform_std_nv_seed_read /**< Default nv_seed_read function to use, can be undefined */ +@@ -4019,7 +4104,9 @@ + * If the implementation here is empty, this will effectively disable the + * checking of functions' return values. + */ +-//#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) ++#if defined(__clang__) || defined(__GNUC__) ++#define MBEDTLS_CHECK_RETURN __attribute__((__warn_unused_result__)) ++#endif + + /** \def MBEDTLS_IGNORE_RETURN + * +@@ -4098,6 +4185,9 @@ + * Uncomment to set the maximum plaintext size of the incoming I/O buffer. + */ + //#define MBEDTLS_SSL_IN_CONTENT_LEN 16384 ++#ifndef OC_DYNAMIC_ALLOCATION ++#define MBEDTLS_SSL_IN_CONTENT_LEN (OC_PDU_SIZE) ++#endif /* !OC_DYNAMIC_ALLOCATION */ + + /** \def MBEDTLS_SSL_CID_IN_LEN_MAX + * +@@ -4148,6 +4238,9 @@ + * Uncomment to set the maximum plaintext size of the outgoing I/O buffer. 
+ */ + //#define MBEDTLS_SSL_OUT_CONTENT_LEN 16384 ++#ifndef OC_DYNAMIC_ALLOCATION ++#define MBEDTLS_SSL_OUT_CONTENT_LEN (OC_PDU_SIZE) ++#endif /* !OC_DYNAMIC_ALLOCATION */ + + /** \def MBEDTLS_SSL_DTLS_MAX_BUFFERING + * +@@ -4166,7 +4259,7 @@ + */ + //#define MBEDTLS_SSL_DTLS_MAX_BUFFERING 32768 + +-//#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */ ++#define MBEDTLS_PSK_MAX_LEN 32 /**< Max size of TLS pre-shared keys, in bytes (default 256 or 384 bits) */ + //#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */ + + /** diff --git a/port/linux/Makefile b/port/linux/Makefile index bad5e3ccc..a9ffe8547 100644 --- a/port/linux/Makefile +++ b/port/linux/Makefile @@ -42,7 +42,7 @@ BUILD_SAMPLES ?= 1 TEST ?= 1 # for now use v3.1.0 as default MBEDTLS_FORCE_3_5_0 ?= 0 -MBEDTLS_FORCE_3_6_2 ?= 0 +MBEDTLS_FORCE_3_6_2 ?= 1 TINYCBOR_DIR := $(ROOT_DIR)/deps/tinycbor MBEDTLS_DIR := $(ROOT_DIR)/deps/mbedtls @@ -120,6 +120,7 @@ DTLS = aes.c aesni.c asn1parse.c asn1write.c base64.c \ ifeq ($(MBEDTLS_FORCE_3_6_2),1) DTLS += bignum_core.c \ + pk_ecc.c \ ssl_client.c ssl_debug_helpers_generated.c ssl_tls12_client.c ssl_tls12_server.c \ x509write.c else 
@@ -198,7 +199,8 @@ HEADERS_TINYCBOR := $(addprefix ../../deps/tinycbor/src/,cbor.h cborjson.h tinyc WARNING_FLAGS=-Wall -Wextra -Werror -Wno-error=deprecated-declarations -pedantic CFLAGS_CLOUD=-I../../api/cloud -DOC_CLIENT -DOC_SERVER CFLAGS=-fPIC -fno-asynchronous-unwind-tables -fno-omit-frame-pointer -ffreestanding -Os -fno-stack-protector -ffunction-sections -fdata-sections -fno-reorder-functions -fno-defer-pop -fno-strict-overflow -I./ -I../../include/ -I../../ -I../../deps/tinycbor/src -I../../api -std=gnu99 $(WARNING_FLAGS) #-Wl,-Map,client.map -CXXFLAGS+=-fPIC -fno-asynchronous-unwind-tables -fno-omit-frame-pointer -ffreestanding -Os -fno-stack-protector -ffunction-sections -fdata-sections -fno-reorder-functions -fno-defer-pop -fno-strict-overflow -I./ -I../../include/ -I../../ -I../../deps/tinycbor/src $(WARNING_FLAGS) #-Wl,-Map,client.map +# TODO: check if it is possible to make -ffreestanding flag work with c++ targets +CXXFLAGS+=-fPIC -fno-asynchronous-unwind-tables -fno-omit-frame-pointer -Os -fno-stack-protector -ffunction-sections -fdata-sections -fno-reorder-functions -fno-defer-pop -fno-strict-overflow -I./ -I../../include/ -I../../ -I../../deps/tinycbor/src $(WARNING_FLAGS) #-Wl,-Map,client.map OBJ_COMMON=$(addprefix obj/,$(notdir $(SRC_COMMON:.c=.o))) OBJ_PORT_COMMON=$(addprefix obj/port/,$(notdir $(SRC_PORT_COMMON:.c=.o))) OBJ_CLIENT=$(addprefix obj/client/,$(notdir $(SRC:.c=.o) $(SRC_CLIENT:.c=.o))) 
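Review bot: The rewritten `CXXFLAGS+=` line still passes `-fno-stack-protector`, so every C++ target built from this Makefile is compiled without stack canaries, even though `-ffreestanding` has just been removed from it. If the flag was only there for the freestanding build (an assumption; the hunk does not say), it can go too: drop `-fno-stack-protector` from the C++ line or replace it with `-fstack-protector-strong`. The TODO would also be more useful if it named what breaks, e.g. `# TODO: -ffreestanding breaks <failing target/error> for C++; re-enable once fixed`.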
@@ -619,8 +621,6 @@ smart_home_server_linux: libiotivity-lite-server.a $(ROOT_DIR)/apps/smart_home_s smart_home_server_with_mock_swupdate: libiotivity-lite-server.a $(ROOT_DIR)/apps/smart_home_server_with_mock_swupdate.cpp @mkdir -p $@_creds - # old implemenation with boost - #${CXX} -o $@ ../../apps/smart_home_server_with_mock_swupdate.cpp libiotivity-lite-server.a -DOC_SERVER ${CXXFLAGS} ${LIBS} -lboost_system -lcppnetlib-uri ${CXX} -o $@ ../../apps/smart_home_server_with_mock_swupdate.cpp libiotivity-lite-server.a -DOC_SERVER ${CXXFLAGS} ${LIBS} multi_device_server: libiotivity-lite-server.a $(ROOT_DIR)/apps/multi_device_server_linux.c diff --git a/security/oc_certs.c b/security/oc_certs.c index 3eff029c7..10406d60f 100644 --- a/security/oc_certs.c +++ b/security/oc_certs.c @@ -219,7 +219,7 @@ oc_certs_parse_private_key(size_t device, const unsigned char *cert, return ret; } -#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ +#endif /* MBEDTLS_VERSION_NUMBER < 0x03060200 */ static int certs_extract_public_key(const mbedtls_x509_crt *cert, unsigned char *buffer, diff --git a/security/oc_certs_internal.h b/security/oc_certs_internal.h index 37f892e84..ca551684e 100644 --- a/security/oc_certs_internal.h +++ b/security/oc_certs_internal.h @@ -78,7 +78,7 @@ int oc_certs_parse_private_key(size_t device, const unsigned char *cert, size_t cert_size, unsigned char *buffer, size_t buffer_size) OC_NONNULL(4); -#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ +#endif /* MBEDTLS_VERSION_NUMBER < 0x03060200 */ /** * @brief Extract public key from a x509 certificate. diff --git a/security/unittest/certsgeneratetest.cpp b/security/unittest/certsgeneratetest.cpp index 4bc6319d6..ae1f6b33f 100644 --- a/security/unittest/certsgeneratetest.cpp +++ b/security/unittest/certsgeneratetest.cpp 
@@ -348,7 +348,7 @@ TEST_F(TestParseCerts, ParsePrivateKey) ASSERT_EQ(generate.issuer.private_key.size, ret); } -#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ +#endif /* MBEDTLS_VERSION_NUMBER < 0x03060200 */ TEST_F(TestParseCerts, ParsePublicKey_Fail) { diff --git a/security/unittest/obt_certstest.cpp b/security/unittest/obt_certstest.cpp index 15d912256..47ae65d5c 100644 --- a/security/unittest/obt_certstest.cpp +++ b/security/unittest/obt_certstest.cpp @@ -159,7 +159,7 @@ TEST_F(TestObtCerts, GenerateValidSelfSignedCertificate) ret = oc_certs_parse_private_key(0, &cert_buf[0], cert_buf.size(), private_key.data(), private_key.size()); EXPECT_EQ(kp256_.private_key_size, ret); -#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ +#endif /* MBEDTLS_VERSION_NUMBER < 0x03060200 */ oc_string_t pk{}; ret = @@ -289,7 +289,7 @@ TEST_F(TestObtCerts, GenerateValidIdentityCertificate) ret = oc_certs_parse_private_key(0, &id_cert[0], id_cert.size(), private_key.data(), private_key.size()); EXPECT_EQ(kp256_.private_key_size, ret); -#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ +#endif /* MBEDTLS_VERSION_NUMBER < 0x03060200 */ std::array public_key{}; ret = oc_certs_parse_public_key(&id_cert[0], id_cert.size(), @@ -435,7 +435,7 @@ TEST_F(TestObtCerts, GenerateValidRoleCertificate) ret = oc_certs_parse_private_key(0, &role_cert[0], role_cert.size(), private_key.data(), private_key.size()); ASSERT_EQ(kp256_.private_key_size, ret); -#endif /* MBEDTLS_VERSION_NUMBER<0x03060200 */ +#endif /* MBEDTLS_VERSION_NUMBER < 0x03060200 */ std::array public_key{}; ret = oc_certs_parse_public_key(&role_cert[0], role_cert.size(), From 0c40061edef9eb5467244999cddc8ff1063d788a Mon Sep 17 00:00:00 2001 From: Daniel Adam Date: Sun, 19 Jan 2025 14:43:23 +0100 Subject: [PATCH 4/4] Add android Makefile support --- patches/mbedtls/3.5/01-ocf-anon-psk.patch | 35 +++++--- port/android/Makefile | 103 ++++++++++++++++++---- port/linux/Makefile | 4 +- 3 files changed, 111 insertions(+), 31 deletions(-) 
diff --git a/patches/mbedtls/3.5/01-ocf-anon-psk.patch b/patches/mbedtls/3.5/01-ocf-anon-psk.patch index fb03a42a3..10101231d 100644 --- a/patches/mbedtls/3.5/01-ocf-anon-psk.patch +++ b/patches/mbedtls/3.5/01-ocf-anon-psk.patch @@ -1,5 +1,5 @@ diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h -index c7aae0ff8..a044543af 100644 +index c7aae0ff87..a044543af6 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -644,10 +644,10 @@ void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name); @@ -16,7 +16,7 @@ index c7aae0ff8..a044543af 100644 - #endif /* asn1.h */ diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h -index e18e9a5fc..6e3b06adf 100644 +index e18e9a5fc6..6e3b06adff 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -430,6 +430,11 @@ @@ -32,7 +32,7 @@ index e18e9a5fc..6e3b06adf 100644 ( !defined(MBEDTLS_CAN_ECDH) || \ !defined(MBEDTLS_PK_CAN_ECDSA_SIGN) || \ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h -index debb1cc2c..d97d4e277 100644 +index debb1cc2c1..d97d4e2770 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -645,7 +645,8 @@ union mbedtls_ssl_premaster_secret { @@ -133,7 +133,7 @@ index debb1cc2c..d97d4e277 100644 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h -index 07f2facef..64b74717f 100644 +index 07f2facef5..64b74717f1 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -137,6 +137,8 @@ extern "C" { 
@@ -188,8 +188,21 @@ index 07f2facef..64b74717f 100644 return 1; default: +diff --git a/library/common.h b/library/common.h +index 3c472c685d..3690a063b1 100644 +--- a/library/common.h ++++ b/library/common.h +@@ -177,7 +177,7 @@ static inline const unsigned char *mbedtls_buffer_offset_const( + * \param b Pointer to input (buffer of at least \p n bytes) + * \param n Number of bytes to process. + */ +-inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n) ++static inline void mbedtls_xor(unsigned char *r, const unsigned char *a, const unsigned char *b, size_t n) + { + size_t i = 0; + #if defined(MBEDTLS_EFFICIENT_UNALIGNED_ACCESS) diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c -index fdd753d1c..ec9e9e94d 100644 +index fdd753d1cd..ec9e9e94db 100644 --- a/library/ctr_drbg.c +++ b/library/ctr_drbg.c @@ -160,7 +160,7 @@ static int block_cipher_df(unsigned char *output, @@ -202,7 +215,7 @@ index fdd753d1c..ec9e9e94d 100644 if ((ret = mbedtls_aes_setkey_enc(&aes_ctx, key, diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c -index 736b1423b..e69dea0e3 100644 +index 736b1423be..e69dea0e30 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -111,6 +111,7 @@ static const int ciphersuite_preference[] = @@ -242,7 +255,7 @@ index 736b1423b..e69dea0e3 100644 default: diff --git a/library/ssl_misc.h b/library/ssl_misc.h -index a99bb3343..648041d9d 100644 +index a99bb33439..648041d9d9 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1666,6 +1666,8 @@ MBEDTLS_CHECK_RETURN_CRITICAL @@ -255,7 +268,7 @@ index a99bb3343..648041d9d 100644 #endif /* MBEDTLS_X509_CRT_PARSE_C */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c -index fc3fb85d7..cc0ff9005 100644 +index fc3fb85d75..cc0ff9005a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1862,6 +1862,39 @@ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, 
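Review bot: The new `library/common.h` section makes `mbedtls_xor` `static inline`, which has no visible connection to the anonymous/PSK ciphersuite changes, yet it is added to `01-ocf-anon-psk.patch`. Local modifications to the TLS library are easier to audit, and to drop on the next upgrade, when each patch file has a single purpose. Consider moving this section into its own file under `patches/mbedtls/3.5/` with a header line stating why it is needed, such as `# build fix: mbedtls_xor must be static inline (reason: <compiler/link error>)`. The commit message does not mention the change either.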
@@ -357,7 +370,7 @@ index fc3fb85d7..cc0ff9005 100644 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); if (ret == 0) { diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c -index 27bbafa06..b84444124 100644 +index 27bbafa06e..b844441241 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1797,7 +1797,8 @@ static int ssl_parse_server_ecdh_params(mbedtls_ssl_context *ssl, @@ -603,7 +616,7 @@ index 27bbafa06..b84444124 100644 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c -index 6ebd5064f..c09485f68 100644 +index 6ebd5064f6..c09485f680 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -768,7 +768,12 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl, @@ -664,7 +677,7 @@ index 6ebd5064f..c09485f68 100644 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { diff --git a/library/version_features.c b/library/version_features.c -index a89cef997..46a216097 100644 +index a89cef997e..46a2160979 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -366,6 +366,9 @@ static const char * const features[] = { diff --git a/port/android/Makefile b/port/android/Makefile index 367a50473..e77668a53 100644 --- a/port/android/Makefile +++ b/port/android/Makefile 
@@ -115,28 +115,45 @@ export IDD ?= 1 export ETAG ?= 0 export JSON_ENCODER ?= 0 +# for now use v3.1.0 as default +MBEDTLS_FORCE_3_5_0 ?= 1 +MBEDTLS_FORCE_3_6_2 ?= 0 + ROOT_DIR = ../.. SWIG_DIR = $(ROOT_DIR)/swig OBJDIR ?= ./${ANDROID_HOST}obj MBEDTLS_DIR := $(ROOT_DIR)/deps/mbedtls -DTLS= \ - aes.c aesni.c asn1parse.c asn1write.c base64.c \ +DTLS = aes.c aesni.c asn1parse.c asn1write.c base64.c \ bignum.c camellia.c ccm.c cipher.c cipher_wrap.c \ - cmac.c ctr_drbg.c des.c dhm.c ecdh.c ecdsa.c \ - ecjpake.c ecp.c ecp_curves.c entropy.c entropy_poll.c \ - error.c gcm.c hmac_drbg.c md.c \ - md5.c oid.c padlock.c pem.c \ - pk.c pk_wrap.c pkcs12.c pkcs5.c pkparse.c pkwrite.c \ - platform.c ripemd160.c rsa.c sha1.c sha256.c sha512.c \ - threading.c timing.c version.c version_features.c \ - x509.c x509_crt.c debug.c net_sockets.c \ - ssl_cache.c ssl_ciphersuites.c ssl_cli.c ssl_cookie.c \ - ssl_srv.c ssl_ticket.c ssl_tls.c \ - x509write_csr.c x509write_crt.c x509_create.c \ - x509_csr.c platform_util.c ssl_msg.c constant_time.c \ + cmac.c ctr_drbg.c des.c dhm.c ecdh.c ecdsa.c \ + ecjpake.c ecp.c ecp_curves.c entropy.c entropy_poll.c error.c \ + gcm.c hmac_drbg.c md.c \ + md5.c oid.c padlock.c \ + pem.c pk.c pk_wrap.c pkcs12.c pkcs5.c pkparse.c \ + pkwrite.c platform.c ripemd160.c rsa.c sha1.c sha256.c \ + sha512.c threading.c timing.c version.c version_features.c \ + x509.c x509_crt.c debug.c net_sockets.c \ + ssl_cache.c ssl_ciphersuites.c ssl_cookie.c platform_util.c \ + ssl_ticket.c ssl_tls.c x509write_csr.c \ + x509write_crt.c x509_create.c x509_csr.c ssl_msg.c constant_time.c \ nist_kw.c aria.c rsa_alt_helpers.c +ifeq ($(MBEDTLS_FORCE_3_6_2),1) +DTLS += bignum_core.c \ + pk_ecc.c \ + ssl_client.c ssl_debug_helpers_generated.c ssl_tls12_client.c ssl_tls12_server.c \ + x509write.c +else +ifeq ($(MBEDTLS_FORCE_3_5_0),1) +DTLS += bignum_core.c \ + ssl_client.c ssl_debug_helpers_generated.c ssl_tls12_client.c ssl_tls12_server.c \ + x509write.c +else +DTLS += ssl_cli.c 
ssl_srv.c +endif +endif + DTLSFLAGS=-I../../deps/mbedtls/include -Wno-error=unused CBOR=../../deps/tinycbor/src/cborencoder.c ../../deps/tinycbor/src/cborencoder_close_container_checked.c ../../deps/tinycbor/src/cborencoder_float.c ../../deps/tinycbor/src/cborparser.c ../../deps/tinycbor/src/cborparser_float.c# ../../deps/tinycbor/src/cbortojson.c ../../deps/tinycbor/src/cborpretty.c ../../deps/tinycbor/src/cborparser_dup_string.c 
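Review bot: The added comment `# for now use v3.1.0 as default` contradicts the line right below it, `MBEDTLS_FORCE_3_5_0 ?= 1`, which makes v3.5.0 the default for Android builds; the later hunk of this Makefile checks out `v3.5.0` and applies `patches/mbedtls/3.5` in that case. port/linux/Makefile in the same series keeps `MBEDTLS_FORCE_3_5_0 ?= 0`, so the two ports build against different TLS library versions by default without saying so. Either set the Android default to 0 to match, or correct the comment to `# use v3.5.0 by default on Android (linux port still defaults to v3.1.0)`. When both variables are 1 the 3.6.2 branch wins; a one-line comment on that precedence would help.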
@@ -420,21 +437,71 @@ swig: $(OBJ_COMMON) $(OBJ_PORT_COMMON) $(OBJ_CLIENT_SERVER) $(OBJ_CLOUD) ${MAKE} -C ${SWIG_DIR} ifneq ($(SECURE),0) -MBEDTLS_PATCHES ?= $(sort $(wildcard ../../patches/mbedtls/3.1/*.patch) $(wildcard ../../patches/mbedtls/3.1/make/*.patch)) + ${MBEDTLS_DIR}/.git: git submodule update --init ${@D} +ifeq ($(MBEDTLS_FORCE_3_6_2),1) + +MBEDTLS_PATCHES := $(sort $(wildcard ../../patches/mbedtls/3.6/*.patch) $(wildcard ../../patches/mbedtls/3.6/make/*.patch)) + $(MBEDTLS_PATCH_FILE): ${MBEDTLS_DIR}/.git ${MBEDTLS_PATCHES} if [ -d ${MBEDTLS_DIR} ]; then \ + cd ${MBEDTLS_DIR} && \ + git clean -fdx . && \ + git reset --hard && \ + (git fetch --unshallow --tags || git fetch --all) && \ + git checkout v3.6.2 && \ + cd - && \ + git add -u ${MBEDTLS_DIR} ; \ + fi && \ + git submodule update --init && \ + git reset HEAD ${MBEDTLS_DIR} && \ cd ${MBEDTLS_DIR} && \ - git clean -fdx . && \ - git reset --hard && \ - cd -; \ + for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} ; done && \ + echo "Patches applied in $^" > ${@F} + +else + +ifeq ($(MBEDTLS_FORCE_3_5_0),1) + +MBEDTLS_PATCHES := $(sort $(wildcard ../../patches/mbedtls/3.5/*.patch) $(wildcard ../../patches/mbedtls/3.5/make/*.patch)) + +$(MBEDTLS_PATCH_FILE): ${MBEDTLS_DIR}/.git ${MBEDTLS_PATCHES} + if [ -d ${MBEDTLS_DIR} ]; then \ + cd ${MBEDTLS_DIR} && \ + git clean -fdx . 
&& \ + git reset --hard && \ + (git fetch --unshallow --tags || git fetch --all) && \ + git checkout v3.5.0 && \ + cd - && \ + git add -u ${MBEDTLS_DIR} ; \ fi && \ git submodule update --init && \ + git reset HEAD ${MBEDTLS_DIR} && \ cd ${MBEDTLS_DIR} && \ for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} ; done && \ echo "Patches applied in $^" > ${@F} + +else + +MBEDTLS_PATCHES := $(sort $(wildcard ../../patches/mbedtls/3.1/*.patch) $(wildcard ../../patches/mbedtls/3.1/make/*.patch)) + +$(MBEDTLS_PATCH_FILE): ${MBEDTLS_DIR}/.git ${MBEDTLS_PATCHES} + if [ -d ${MBEDTLS_DIR} ]; then \ + cd ${MBEDTLS_DIR} && \ + git clean -fdx . && \ + git reset --hard && \ + cd -; \ + fi && \ + git submodule update --init && \ + cd ${MBEDTLS_DIR} && \ + for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} ; done && \ + echo "Patches applied in $^" > ${@F} +endif + +endif + endif clean: diff --git a/port/linux/Makefile b/port/linux/Makefile index a9ffe8547..e682df35e 100644 --- a/port/linux/Makefile +++ b/port/linux/Makefile @@ -42,7 +42,7 @@ BUILD_SAMPLES ?= 1 TEST ?= 1 # for now use v3.1.0 as default MBEDTLS_FORCE_3_5_0 ?= 0 -MBEDTLS_FORCE_3_6_2 ?= 1 +MBEDTLS_FORCE_3_6_2 ?= 0 TINYCBOR_DIR := $(ROOT_DIR)/deps/tinycbor MBEDTLS_DIR := $(ROOT_DIR)/deps/mbedtls @@ -760,7 +760,7 @@ $(MBEDTLS_PATCH_FILE): ${MBEDTLS_DIR}/.git ${MBEDTLS_PATCHES} cd ${MBEDTLS_DIR} && \ git clean -fdx . && \ git reset --hard && \ - (git fetch --unshallow || git fetch --all) && \ + (git fetch --unshallow --tags || git fetch --all) && \ git checkout v3.5.0 && \ cd - && \ git add -u ${MBEDTLS_DIR} ; \
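Review bot: In the three `$(MBEDTLS_PATCH_FILE)` recipes (the 3.6, 3.5 and 3.1 branches) the loop `for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} ; done` only propagates the status of the last patch, so an earlier patch that fails to apply does not stop the build and the `$(MBEDTLS_PATCH_FILE)` marker is still written. These patches change the TLS library's handshake code and configuration, so a half-patched tree should fail the build; the submodule is cleaned and reset just before, so a non-zero status should mean a real failure: `for patch in $(MBEDTLS_PATCHES); do patch -r - -s -N -p1 < $${patch} || exit 1 ; done && \`. Separately, `git checkout v3.6.2` / `git checkout v3.5.0` trusts whatever the tag name resolves to after the fetch; comparing `git rev-parse HEAD` with a pinned commit id (`<expected-commit-sha>`) would make the version pin verifiable.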