Updated nanostack to be compatible with mbed TLS 3.0 (ARMmbed#2657)

Mika Leppänen · web-flow · commit 1af7cfeb24bb · 2021-08-03T10:14:44.000+03:00
Updated functions names for SHA256 and MD5, updated export keys function
for EAP-TLS key material export, disabled extended Wi-SUN certification
field checks (other name, extended key usage) for now, made the SSL state
to refer to private state for now. Do not include config, instead include
version.h that is present in both 2.0 and 3.0 and will include config and
define version macros.
diff --git a/nanostack/ns_sha256.h b/nanostack/ns_sha256.h
@@ -61,45 +61,77 @@ static inline void ns_sha256_clone(ns_sha256_context *dst,
 
 static inline void ns_sha256_starts(ns_sha256_context *ctx)
 {
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    (void)mbedtls_sha256_starts(ctx, 0);
+#else
     (void)mbedtls_sha256_starts_ret(ctx, 0);
+#endif
 }
 
 static inline void ns_sha256_update(ns_sha256_context *ctx, const void *input,
                                     size_t ilen)
 {
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    (void)mbedtls_sha256_update(ctx, input, ilen);
+#else
     (void)mbedtls_sha256_update_ret(ctx, input, ilen);
+#endif
 }
 
 static inline void ns_sha256_finish(ns_sha256_context *ctx, void *output)
 {
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    (void)mbedtls_sha256_finish(ctx, output);
+#else
     (void)mbedtls_sha256_finish_ret(ctx, output);
+#endif
 }
 
 static inline void ns_sha256(const void *input, size_t ilen, void *output)
 {
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    (void)mbedtls_sha256(input, ilen, output, 0);
+#else
     (void)mbedtls_sha256_ret(input, ilen, output, 0);
+#endif
 }
 
 /* Extensions to standard mbed TLS - output the first bits of a hash only */
 /* Number of bits must be a multiple of 32, and <=256 */
 static inline void ns_sha256_finish_nbits(ns_sha256_context *ctx, void *output, unsigned obits)
 {
     if (obits == 256) {
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        (void)mbedtls_sha256_finish(ctx, output);
+#else
         (void)mbedtls_sha256_finish_ret(ctx, output);
+#endif
     } else {
         uint8_t sha256[32];
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        (void)mbedtls_sha256_finish(ctx, sha256);
+#else
         (void)mbedtls_sha256_finish_ret(ctx, sha256);
+#endif
         memcpy(output, sha256, obits / 8);
     }
 }
 
 static inline void ns_sha256_nbits(const void *input, size_t ilen, void *output, unsigned obits)
 {
     if (obits == 256) {
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        (void)mbedtls_sha256(input, ilen, output, 0);
+#else
         (void)mbedtls_sha256_ret(input, ilen, output, 0);
+#endif
     } else {
         uint8_t sha256[32];
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        (void)mbedtls_sha256(input, ilen, sha256, 0);
+#else
         (void)mbedtls_sha256_ret(input, ilen, sha256, 0);
+#endif
         memcpy(output, sha256, obits / 8);
     }
 }
diff --git a/source/6LoWPAN/ws/ws_pae_controller.c b/source/6LoWPAN/ws/ws_pae_controller.c
@@ -546,19 +546,31 @@ static int8_t ws_pae_controller_gak_from_gtk(uint8_t *gak, uint8_t *gtk, char *n
 
     mbedtls_sha256_init(&ctx);
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_starts(&ctx, 0) != 0) {
+#else
     if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_update(&ctx, input, network_name_len + GTK_LEN) != 0) {
+#else
     if (mbedtls_sha256_update_ret(&ctx, input, network_name_len + GTK_LEN) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
 
     uint8_t output[32];
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_finish(&ctx, output) != 0) {
+#else
     if (mbedtls_sha256_finish_ret(&ctx, output) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
diff --git a/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c b/source/Security/protocols/radius_sec_prot/radius_client_sec_prot.c
@@ -786,19 +786,31 @@ static int8_t radius_client_sec_prot_eui_64_hash_generate(uint8_t *eui_64, uint8
 
     mbedtls_sha256_init(&ctx);
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_starts(&ctx, 0) != 0) {
+#else
     if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_update(&ctx, hashed_string, 24) != 0) {
+#else
     if (mbedtls_sha256_update_ret(&ctx, hashed_string, 24) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
 
     uint8_t output[32];
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_finish(&ctx, output) != 0) {
+#else
     if (mbedtls_sha256_finish_ret(&ctx, output) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
@@ -872,19 +884,35 @@ static int8_t radius_client_sec_prot_response_authenticator_calc(sec_prot_t *pro
 
     mbedtls_md5_init(&ctx);
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_md5_starts(&ctx) != 0) {
+#else
     if (mbedtls_md5_starts_ret(&ctx) != 0) {
+#endif
         goto end;
     }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_md5_update(&ctx, msg_ptr, msg_len) != 0) {
+#else
     if (mbedtls_md5_update_ret(&ctx, msg_ptr, msg_len) != 0) {
+#endif
         goto end;
     }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_md5_update(&ctx, key, key_len) != 0) {
+#else
     if (mbedtls_md5_update_ret(&ctx, key, key_len) != 0) {
+#endif
         goto end;
     }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_md5_finish(&ctx, auth_ptr) != 0) {
+#else
     if (mbedtls_md5_finish_ret(&ctx, auth_ptr) != 0) {
+#endif
         goto end;
     }
 
@@ -940,35 +968,59 @@ static int8_t radius_client_sec_prot_ms_mppe_recv_key_pmk_decrypt(sec_prot_t *pr
     while (cipher_text_len >= MS_MPPE_RECV_KEY_BLOCK_LEN) {
         mbedtls_md5_init(&ctx);
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        if (mbedtls_md5_starts(&ctx) != 0) {
+#else
         if (mbedtls_md5_starts_ret(&ctx) != 0) {
+#endif
             md5_failed = true;
             break;
         }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        if (mbedtls_md5_update(&ctx, key, key_len) != 0) {
+#else
         if (mbedtls_md5_update_ret(&ctx, key, key_len) != 0) {
+#endif
             md5_failed = true;
             break;
         }
 
         if (first_interm_b_value) {
             // b(1) = MD5(secret + request-authenticator + salt)
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+            if (mbedtls_md5_update(&ctx, request_authenticator, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) {
+#else
             if (mbedtls_md5_update_ret(&ctx, request_authenticator, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) {
+#endif
                 md5_failed = true;
                 break;
             }
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+            if (mbedtls_md5_update(&ctx, salt_ptr, MS_MPPE_RECV_KEY_SALT_LEN) != 0) {
+#else
             if (mbedtls_md5_update_ret(&ctx, salt_ptr, MS_MPPE_RECV_KEY_SALT_LEN) != 0) {
+#endif
                 md5_failed = true;
                 break;
             }
         } else {
             // b(i) = MD5(secret + cipher_text(i - 1))
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+            if (mbedtls_md5_update(&ctx, cipher_text_ptr - MS_MPPE_RECV_KEY_BLOCK_LEN, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) {
+#else
             if (mbedtls_md5_update_ret(&ctx, cipher_text_ptr - MS_MPPE_RECV_KEY_BLOCK_LEN, MS_MPPE_RECV_KEY_BLOCK_LEN) != 0) {
+#endif
                 md5_failed = true;
                 break;
             }
         }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+        if (mbedtls_md5_finish(&ctx, interm_b_val) != 0) {
+#else
         if (mbedtls_md5_finish_ret(&ctx, interm_b_val) != 0) {
+#endif
             md5_failed = true;
             break;
         }
diff --git a/source/Security/protocols/sec_prot_lib.c b/source/Security/protocols/sec_prot_lib.c
@@ -514,19 +514,31 @@ int8_t sec_prot_lib_gtkhash_generate(uint8_t *gtk, uint8_t *gtk_hash)
 
     mbedtls_sha256_init(&ctx);
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_starts(&ctx, 0) != 0) {
+#else
     if (mbedtls_sha256_starts_ret(&ctx, 0) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_update(&ctx, gtk, 16) != 0) {
+#else
     if (mbedtls_sha256_update_ret(&ctx, gtk, 16) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
 
     uint8_t output[32];
 
+#if (MBEDTLS_VERSION_MAJOR >= 3)
+    if (mbedtls_sha256_finish(&ctx, output) != 0) {
+#else
     if (mbedtls_sha256_finish_ret(&ctx, output) != 0) {
+#endif
         ret_val = -1;
         goto error;
     }
diff --git a/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c b/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c
diff --git a/source/Service_Libs/nist_aes_kw/nist_aes_kw.c b/source/Service_Libs/nist_aes_kw/nist_aes_kw.c

Original file line number	Diff line number	Diff line change
`@@ -61,45 +61,77 @@ static inline void ns_sha256_clone(ns_sha256_context *dst,`
`61`	`61`
`62`	`62`	`static inline void ns_sha256_starts(ns_sha256_context *ctx)`
`63`	`63`	`{`
	`64`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`65`	`+ (void)mbedtls_sha256_starts(ctx, 0);`
	`66`	`+#else`
`64`	`67`	`(void)mbedtls_sha256_starts_ret(ctx, 0);`
	`68`	`+#endif`
`65`	`69`	`}`
`66`	`70`
`67`	`71`	`static inline void ns_sha256_update(ns_sha256_context ctx, const void input,`
`68`	`72`	`size_t ilen)`
`69`	`73`	`{`
	`74`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`75`	`+ (void)mbedtls_sha256_update(ctx, input, ilen);`
	`76`	`+#else`
`70`	`77`	`(void)mbedtls_sha256_update_ret(ctx, input, ilen);`
	`78`	`+#endif`
`71`	`79`	`}`
`72`	`80`
`73`	`81`	`static inline void ns_sha256_finish(ns_sha256_context ctx, void output)`
`74`	`82`	`{`
	`83`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`84`	`+ (void)mbedtls_sha256_finish(ctx, output);`
	`85`	`+#else`
`75`	`86`	`(void)mbedtls_sha256_finish_ret(ctx, output);`
	`87`	`+#endif`
`76`	`88`	`}`
`77`	`89`
`78`	`90`	`static inline void ns_sha256(const void input, size_t ilen, void output)`
`79`	`91`	`{`
	`92`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`93`	`+ (void)mbedtls_sha256(input, ilen, output, 0);`
	`94`	`+#else`
`80`	`95`	`(void)mbedtls_sha256_ret(input, ilen, output, 0);`
	`96`	`+#endif`
`81`	`97`	`}`
`82`	`98`
`83`	`99`	`/* Extensions to standard mbed TLS - output the first bits of a hash only */`
`84`	`100`	`/* Number of bits must be a multiple of 32, and <=256 */`
`85`	`101`	`static inline void ns_sha256_finish_nbits(ns_sha256_context ctx, void output, unsigned obits)`
`86`	`102`	`{`
`87`	`103`	`if (obits == 256) {`
	`104`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`105`	`+ (void)mbedtls_sha256_finish(ctx, output);`
	`106`	`+#else`
`88`	`107`	`(void)mbedtls_sha256_finish_ret(ctx, output);`
	`108`	`+#endif`
`89`	`109`	`} else {`
`90`	`110`	`uint8_t sha256[32];`
	`111`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`112`	`+ (void)mbedtls_sha256_finish(ctx, sha256);`
	`113`	`+#else`
`91`	`114`	`(void)mbedtls_sha256_finish_ret(ctx, sha256);`
	`115`	`+#endif`
`92`	`116`	`memcpy(output, sha256, obits / 8);`
`93`	`117`	`}`
`94`	`118`	`}`
`95`	`119`
`96`	`120`	`static inline void ns_sha256_nbits(const void input, size_t ilen, void output, unsigned obits)`
`97`	`121`	`{`
`98`	`122`	`if (obits == 256) {`
	`123`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`124`	`+ (void)mbedtls_sha256(input, ilen, output, 0);`
	`125`	`+#else`
`99`	`126`	`(void)mbedtls_sha256_ret(input, ilen, output, 0);`
	`127`	`+#endif`
`100`	`128`	`} else {`
`101`	`129`	`uint8_t sha256[32];`
	`130`	`+#if (MBEDTLS_VERSION_MAJOR >= 3)`
	`131`	`+ (void)mbedtls_sha256(input, ilen, sha256, 0);`
	`132`	`+#else`
`102`	`133`	`(void)mbedtls_sha256_ret(input, ilen, sha256, 0);`
	`134`	`+#endif`
`103`	`135`	`memcpy(output, sha256, obits / 8);`
`104`	`136`	`}`
`105`	`137`	`}`