Update feature/mbedtls from mbedtls feature-opaque-keys branch #6176

Merged
merged 10 commits into from
Feb 25, 2018

mazimkhan

This PR updates branch feature-opaque-keys with the mbedtls feature-opaque-keys branch, for demonstrating the mbedtls opaque keys feature with mbed-os. Related PR #6104.

@mazimkhan
Author

@0xc0170 please add @gilles-peskine-arm and @AndrzejKurek as reviewers to confirm that the changes belong to the mbedtls/feature-opaque-keys branch.

@ciarmcom
Member

ARM Internal Ref: IOTSSL-2106

@gilles-peskine-arm

As in #5973, we'll need to update the Mbed TLS code to 2.7.1. Step 1: merge 2.7.1 into the feature branch on the Mbed TLS side (Mbed-TLS/mbedtls#1398).

@mazimkhan
Author

@0xc0170 can you please run morph test on it? Please

@gilles-peskine-arm left a comment

This is a faithful import of the Mbed TLS feature-opaque-keys branch (all files in inc and src are identical except for inc/config.h which is the result of running importer/adjust-config.sh).

@0xc0170
Contributor

0xc0170 commented Feb 23, 2018

/morph build

@mbed-ci

mbed-ci commented Feb 23, 2018

Build : FAILURE

Build number : 1232
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6176/

@mazimkhan
Author

mazimkhan commented Feb 23, 2018

@0xc0170 @cmonr Can you please help with reproducing the following log:
https://jenkins-internal.mbed.com/job/ARMmbed/job/mbed-os-cliapp/job/master/9494/artifact/mbed-os-cliapp/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6.log

Here md_wrap.c is calling mbedtls_internal_md5_process and similar functions, but fails to find them. This is not normally possible since config.h has MBEDTLS_MD5_C and other related flags disabled. It seems like md_wrap.c is compiled with MBEDTLS_MD5_C enabled (some other config) and md5.c, containing the function, is compiled with config.h, hence the function is not present.

We do not understand how the above build environment is configured. There is something unusual causing the error.

```
Link: mbed-os-cliapp
Error: L6218E: Undefined symbol mbedtls_internal_md5_process (referred from .build/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6/mbed-os/features/mbedtls/src/md_wrap.o).
Error: L6218E: Undefined symbol mbedtls_internal_sha1_process (referred from .build/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6/mbed-os/features/mbedtls/src/md_wrap.o).
Error: L6218E: Undefined symbol mbedtls_internal_sha256_process (referred from .build/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6/mbed-os/features/mbedtls/src/md_wrap.o).
Finished: 0 information, 0 warning and 3 error messages.
[ERROR] Error: L6218E: Undefined symbol mbedtls_internal_md5_process (referred from .build/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6/mbed-os/features/mbedtls/src/md_wrap.o).
Error: L6218E: Undefined symbol mbedtls_internal_sha1_process (referred from .build/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6/mbed-os/features/mbedtls/src/md_wrap.o).
Error: L6218E: Undefined symbol mbedtls_internal_sha256_process (referred from .build/UBLOX_EVK_ODIN_W2_armcc_eth0_ipv6/mbed-os/features/mbedtls/src/md_wrap.o).
Finished: 0 information, 0 warning and 3 error messages.
```

@gilles-peskine-arm

@mazimkhan I haven't followed everything, but it looks like the problem is caused by a binary that was built against mbedtls compiled with a different configuration.

```
strings targets/TARGET_STM/TARGET_STM32F4/TARGET_STM32F439xI/TARGET_MODULE_UBLOX_ODIN_W2/sdk/TOOLCHAIN_GCC_ARM/libublox-odin-w2-driver.a |less |grep mbedtls_ |sort -u
mbedtls_aes_crypt_ecb
mbedtls_aes_setkey_enc
mbedtls_arc4_crypt
mbedtls_arc4_setup
mbedtls_des_crypt_ecb
mbedtls_des_setkey_enc
mbedtls_md4
mbedtls_md5_finish
mbedtls_md5_starts
mbedtls_md5_update
mbedtls_md_hmac
mbedtls_md_info_from_type
mbedtls_sha1_finish
mbedtls_sha1_starts
mbedtls_sha1_update
```

Either this binary needs to be rebuilt against the current version of Mbed TLS, with the official Mbed TLS configuration (which doesn't include MD4 (‽), MD5 or SHA-1); or the linker scripts need to be modified so that these symbols aren't exported.
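
The mismatch described in the comment above can be checked mechanically. The following is an added example, not code from this PR or from Mbed TLS: it compares the `mbedtls_*` symbols a prebuilt library references against the module macros a `config.h` leaves enabled. The prefix-to-macro table, the function names and the sample config are assumptions made for illustration.

```python
import re

# Symbol prefix -> module macro, only for the modules in the listing above.
MODULE_MACROS = {name: f"MBEDTLS_{name.upper()}_C"
                 for name in ("aes", "arc4", "des", "md", "md4", "md5", "sha1")}

def enabled_macros(config_text):
    """Return the MBEDTLS_* macros still defined after comments and #undef."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)  # drop block comments
    enabled = set()
    for line in text.splitlines():
        line = line.split("//", 1)[0]  # "//#define X" means X is disabled
        m = re.match(r"\s*#\s*(define|undef)\s+(MBEDTLS_\w+)", line)
        if m and m.group(1) == "define":
            enabled.add(m.group(2))
        elif m:
            enabled.discard(m.group(2))
    return enabled

def audit(symbols, config_text):
    """Return ({disabled macro: [symbols needing it]}, [unmapped symbols])."""
    enabled, missing, unmapped = enabled_macros(config_text), {}, []
    for sym in sorted(set(symbols)):
        m = re.fullmatch(r"mbedtls_([a-z0-9]+)(?:_\w+)?", sym)
        macro = MODULE_MACROS.get(m.group(1)) if m else None
        if macro is None:
            unmapped.append(sym)  # module not in the table: review by hand
        elif macro not in enabled:
            missing.setdefault(macro, []).append(sym)
    return missing, unmapped

# Symbols copied from the strings listing in the comment above.
DRIVER_SYMBOLS = """
mbedtls_aes_crypt_ecb mbedtls_aes_setkey_enc mbedtls_arc4_crypt
mbedtls_arc4_setup mbedtls_des_crypt_ecb mbedtls_des_setkey_enc mbedtls_md4
mbedtls_md5_finish mbedtls_md5_starts mbedtls_md5_update mbedtls_md_hmac
mbedtls_md_info_from_type mbedtls_sha1_finish mbedtls_sha1_starts
mbedtls_sha1_update""".split()

# Constructed config.h excerpt, not the real mbed-os file: MD4, MD5 and SHA-1
# are disabled as the comment says; the remaining settings are assumptions.
SAMPLE_CONFIG = """#define MBEDTLS_AES_C
#define MBEDTLS_ARC4_C
#define MBEDTLS_DES_C
#define MBEDTLS_MD_C
//#define MBEDTLS_MD4_C
//#define MBEDTLS_MD5_C
//#define MBEDTLS_SHA1_C
"""
```

Calling `audit(DRIVER_SYMBOLS, SAMPLE_CONFIG)` returns the disabled modules the driver still depends on (MD4, MD5 and SHA-1 here) together with any symbols whose module is not in the table.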

@mazimkhan
Author

@gilles-peskine-arm the undefined reference complaint comes from md_wrap.c. How does it make a call to one of those functions when the mbedtls config has them disabled?

@mazimkhan
Author

mazimkhan commented Feb 24, 2018

Ok, I see the problem: Ublox inherits TARGET_STM. Its header is here: https://github.com/ARMmbed/mbed-os/blob/master/features/mbedtls/targets/TARGET_STM/TARGET_STM32F4/TARGET_STM32F437xG/mbedtls_device.h

This header defines SHAx_ALT but not _PROCESS_ALT. If it has the definition of `_PROCESS_ALT` it should also define those macros.

```c
#ifndef MBEDTLS_DEVICE_H
#define MBEDTLS_DEVICE_H

#define MBEDTLS_AES_ALT

#define MBEDTLS_SHA256_ALT

#define MBEDTLS_SHA1_ALT

#define MBEDTLS_MD5_ALT

#endif /* MBEDTLS_DEVICE_H */
```

@mazimkhan
Author

Fixed build issues by

  • Providing wrappers for new _process functions to link using old implementation.
  • Defining _PROCESS_ALT in mbedtls/target/.../mbedtls_device.h

@0xc0170 @cmonr mbedtls imported here is not a true copy of mbedtls/feature-opaque-keys. Some extra commits are for resolving breaking API changes done in mbedtls 2.7.0 on which feature-opaque-keys is based.

This does not impact the purpose of testing opaque keys feature. Please merge it.

Once the API incompatibility issue is fixed, a fresh import of mbedtls can be done.

@0xc0170
Contributor

0xc0170 commented Feb 24, 2018

/morph build

@mbed-ci

mbed-ci commented Feb 24, 2018

Build : FAILURE

Build number : 1246
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6176/

@mazimkhan
Author

/morph build

@mbed-ci

mbed-ci commented Feb 24, 2018

Build : FAILURE

Build number : 1247
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6176/

@cmonr
Contributor

cmonr commented Feb 24, 2018

/morph build

@mbed-ci

mbed-ci commented Feb 25, 2018

Build : SUCCESS

Build number : 1249
Build artifacts/logs : http://mbed-os.s3-website-eu-west-1.amazonaws.com/?prefix=builds/6176/

Triggering tests

/morph test
/morph uvisor-test
/morph export-build
/morph mbed2-build

@mazimkhan
Author

AWS-CI uVisor Build & Test — Failed
Failed due to serial issue.

@mbed-ci

mbed-ci commented Feb 25, 2018

@mbed-ci

mbed-ci commented Feb 25, 2018

@0xc0170
Contributor

0xc0170 commented Feb 25, 2018

/morph uvisor-test

@0xc0170 0xc0170 merged commit 2a075bb into ARMmbed:feature-opaque-keys Feb 25, 2018