mbedtls: `MBEDTLS_PRIVATE` & `MBEDTLS_ALLOW_PRIVATE_ACCESS`-related cleanup

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.c

@@ -458,10 +458,10 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
     size_t bytes = 0;
 
     while (cert) {
-        bytes += cert->MBEDTLS_PRIVATE(raw).MBEDTLS_PRIVATE(len);
+        bytes += cert->raw.len;
         n++;
 
-        cert = cert->MBEDTLS_PRIVATE(next);
+        cert = cert->next;
     }
 
     *num = n;
@@ -473,14 +473,15 @@ size_t esp_mbedtls_get_crt_size(mbedtls_x509_crt *cert, size_t *num)
 void esp_mbedtls_free_dhm(mbedtls_ssl_context *ssl)
 {
 #ifdef CONFIG_MBEDTLS_DHM_C
-    mbedtls_mpi_free((mbedtls_mpi *)&ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(dhm_P));
-    mbedtls_mpi_free((mbedtls_mpi *)&ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(dhm_G));
+    const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+    mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_P));
+    mbedtls_mpi_free((mbedtls_mpi *)conf->MBEDTLS_PRIVATE(dhm_G));
 #endif /* CONFIG_MBEDTLS_DHM_C */
 }
 
 void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
 {
-    mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf);
+    mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
     mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert), *next;
 
     while (keycert) {
@@ -498,7 +499,8 @@ void esp_mbedtls_free_keycert(mbedtls_ssl_context *ssl)
 
 void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
 {
-    mbedtls_ssl_key_cert *keycert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
+    const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+    mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
 
     while (keycert) {
         if (keycert->key) {
@@ -511,7 +513,8 @@ void esp_mbedtls_free_keycert_key(mbedtls_ssl_context *ssl)
 
 void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
 {
-    mbedtls_ssl_key_cert *keycert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
+    const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+    mbedtls_ssl_key_cert *keycert = conf->MBEDTLS_PRIVATE(key_cert);
 
     while (keycert) {
         if (keycert->cert) {
@@ -527,7 +530,7 @@ void esp_mbedtls_free_keycert_cert(mbedtls_ssl_context *ssl)
 void esp_mbedtls_free_cacert(mbedtls_ssl_context *ssl)
 {
     if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ca_chain)) {
-        mbedtls_ssl_config *conf = (mbedtls_ssl_config *)ssl->MBEDTLS_PRIVATE(conf);
+        mbedtls_ssl_config *conf = (mbedtls_ssl_config * )mbedtls_ssl_context_get_config(ssl);
 
         mbedtls_x509_crt_free(conf->MBEDTLS_PRIVATE(ca_chain));
         conf->MBEDTLS_PRIVATE(ca_chain) = NULL;

components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h

@@ -9,15 +9,19 @@
 #include <stddef.h>
 #include <string.h>
 #include <stdbool.h>
-/* ToDo - Remove this once appropriate solution is available.
-We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
-which are undefined if the following flag is not defined */
-/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
-/* ToDo - Replace them with proper getter-setter once they are added */
+
+/* TODO: Remove this once the appropriate solution is found
+ *
+ * ssl_misc.h header uses private elements from
+ * mbedtls, which become undefined if the following flag
+ * is not defined
+ */
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
 
+// located at mbedtls/library/ssl_misc.h
+#include "ssl_misc.h"
+
 #include "mbedtls/ssl.h"
-#include "ssl_misc.h" // located at mbedtls/library/ssl_misc.h
 #include "mbedtls/platform.h"
 #include "esp_log.h"
 

components/mbedtls/port/dynamic/esp_ssl_cli.c

@@ -19,7 +19,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
 {
     int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
 
-    if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
+    if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
         return 0;
     }
 
@@ -103,7 +103,9 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
         case MBEDTLS_SSL_CLIENT_CERTIFICATE:
             if (add) {
                 size_t buffer_len = 3;
-                mbedtls_ssl_key_cert *key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
+
+                const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+                mbedtls_ssl_key_cert *key_cert = conf->MBEDTLS_PRIVATE(key_cert);
 
                 while (key_cert && key_cert->cert) {
                     size_t num;

components/mbedtls/port/dynamic/esp_ssl_srv.c

@@ -18,8 +18,8 @@ static const char *TAG = "SSL Server";
  */
 static bool ssl_ciphersuite_uses_rsa_key_ex(mbedtls_ssl_context *ssl)
 {
-    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
-        ssl->MBEDTLS_PRIVATE(handshake)->ciphersuite_info;
+    int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
 
     if (ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA ||
         ciphersuite_info->MBEDTLS_PRIVATE(key_exchange) == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
@@ -34,7 +34,7 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
 {
     int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
 
-    if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
+    if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
         return 0;
     }
 
@@ -66,7 +66,9 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
         case MBEDTLS_SSL_SERVER_CERTIFICATE:
             if (add) {
                 size_t buffer_len = 3;
-                mbedtls_ssl_key_cert *key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
+
+                const mbedtls_ssl_config *conf = mbedtls_ssl_context_get_config(ssl);
+                mbedtls_ssl_key_cert *key_cert = conf->MBEDTLS_PRIVATE(key_cert);
 
                 while (key_cert && key_cert->cert) {
                     size_t num;

components/mbedtls/port/ecc/ecc_alt.c

@@ -8,11 +8,6 @@
 #include "soc/hwcrypto_periph.h"
 #include "ecc_impl.h"
 
-/* TBD: Remove this and use proper getter/setter methods to access
- * private members of EC data structures once they are available
- * in mbedTLS stack */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
 #include "mbedtls/ecp.h"
 #include "mbedtls/platform_util.h"
 
@@ -37,19 +32,19 @@ static int esp_mbedtls_ecp_point_multiply(const mbedtls_ecp_group *grp, mbedtls_
 
     p_pt.len = grp->pbits / 8;
 
-    memcpy(&p_pt.x, P->X.p, mbedtls_mpi_size(&P->X));
-    memcpy(&p_pt.y, P->Y.p, mbedtls_mpi_size(&P->Y));
+    memcpy(&p_pt.x, P->MBEDTLS_PRIVATE(X).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&P->MBEDTLS_PRIVATE(X)));
+    memcpy(&p_pt.y, P->MBEDTLS_PRIVATE(Y).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&P->MBEDTLS_PRIVATE(Y)));
 
-    ret = esp_ecc_point_multiply(&p_pt, (uint8_t *)m->p, &r_pt, false);
+    ret = esp_ecc_point_multiply(&p_pt, (uint8_t *)m->MBEDTLS_PRIVATE(p), &r_pt, false);
 
     for (int i = 0; i < MAX_SIZE; i++) {
         x_tmp[MAX_SIZE - i - 1] = r_pt.x[i];
         y_tmp[MAX_SIZE - i - 1] = r_pt.y[i];
     }
 
-    mbedtls_mpi_read_binary(&R->X, x_tmp, MAX_SIZE);
-    mbedtls_mpi_read_binary(&R->Y, y_tmp, MAX_SIZE);
-    mbedtls_mpi_lset(&R->Z, 1);
+    mbedtls_mpi_read_binary(&R->MBEDTLS_PRIVATE(X), x_tmp, MAX_SIZE);
+    mbedtls_mpi_read_binary(&R->MBEDTLS_PRIVATE(Y), y_tmp, MAX_SIZE);
+    mbedtls_mpi_lset(&R->MBEDTLS_PRIVATE(Z), 1);
     return ret;
 }
 
@@ -94,13 +89,13 @@ int mbedtls_ecp_check_pubkey( const mbedtls_ecp_group *grp,
     ECP_VALIDATE_RET( pt  != NULL );
 
     /* Must use affine coordinates */
-    if( mbedtls_mpi_cmp_int( &pt->Z, 1 ) != 0 )
+    if( mbedtls_mpi_cmp_int( &pt->MBEDTLS_PRIVATE(Z), 1 ) != 0 )
         return( MBEDTLS_ERR_ECP_INVALID_KEY );
 
     mbedtls_platform_zeroize((void *)&point, sizeof(ecc_point_t));
 
-    memcpy(&point.x, pt->X.p, mbedtls_mpi_size(&pt->X));
-    memcpy(&point.y, pt->Y.p, mbedtls_mpi_size(&pt->Y));
+    memcpy(&point.x, pt->MBEDTLS_PRIVATE(X).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&pt->MBEDTLS_PRIVATE(X)));
+    memcpy(&point.y, pt->MBEDTLS_PRIVATE(Y).MBEDTLS_PRIVATE(p), mbedtls_mpi_size(&pt->MBEDTLS_PRIVATE(Y)));
 
     point.len = grp->pbits / 8;
 

components/mbedtls/port/esp_timing.c

@@ -83,4 +83,12 @@ int mbedtls_timing_get_delay( void *data )
     return( 0 );
 }
 
+/*
+ * Get the final delay.
+ */
+uint32_t mbedtls_timing_get_final_delay( const mbedtls_timing_delay_context *data )
+{
+    return( data->MBEDTLS_PRIVATE(fin_ms) );
+}
+
 #endif /* MBEDTLS_ESP_TIMING_C */

components/mbedtls/test_apps/main/test_ecp.c

@@ -12,13 +12,6 @@
 #include <stdbool.h>
 #include <esp_random.h>
 
-/* ToDo - Remove this once appropriate solution is available.
-We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
-which are undefined if the following flag is not defined */
-/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
-/* ToDo - Replace them with proper getter-setter once they are added */
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
 #include <mbedtls/entropy.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/ecdh.h>
@@ -31,6 +24,20 @@ which are undefined if the following flag is not defined */
    error hex value (mbedTLS uses -N for error codes) */
 #define TEST_ASSERT_MBEDTLS_OK(X) TEST_ASSERT_EQUAL_HEX32(0, -(X))
 
+/* TODO: Currently MBEDTLS_ECDH_LEGACY_CONTEXT is enabled by default
+ * when MBEDTLS_ECP_RESTARTABLE is enabled.
+ * This is a temporary workaround to allow that.
+ *
+ * The legacy option is soon going to be removed in future mbedtls
+ * versions and this workaround will be removed once the appropriate
+ * solution is available.
+ */
+#ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
+#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(var)
+#else
+#define ACCESS_ECDH(S, var) S.MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
+#endif
+
 TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]")
 {
     mbedtls_ecdh_context ctx;
@@ -43,9 +50,9 @@ TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]")
     mbedtls_entropy_init(&entropy);
     TEST_ASSERT_MBEDTLS_OK( mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) );
 
-    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(&ctx.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519) );
+    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(ACCESS_ECDH(&ctx, grp), MBEDTLS_ECP_DP_CURVE25519) );
 
-    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(&ctx.ctx.mbed_ecdh.grp, &ctx.ctx.mbed_ecdh.d, &ctx.ctx.mbed_ecdh.Q,
+    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(ACCESS_ECDH(&ctx, grp), ACCESS_ECDH(&ctx, d), ACCESS_ECDH(&ctx, Q),
                                                     mbedtls_ctr_drbg_random, &ctr_drbg ) );
 
     mbedtls_ecdh_free(&ctx);
@@ -77,7 +84,8 @@ TEST_CASE("mbedtls ECP mul w/ koblitz", "[mbedtls]")
                                                  mbedtls_ctr_drbg_random, &ctxRandom) );
 
 
-    TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.grp, &ctxECDSA.Q, &ctxECDSA.d, &ctxECDSA.grp.G,
+    TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.MBEDTLS_PRIVATE(grp), &ctxECDSA.MBEDTLS_PRIVATE(Q),
+                                           &ctxECDSA.MBEDTLS_PRIVATE(d), &ctxECDSA.MBEDTLS_PRIVATE(grp).G,
                                            mbedtls_ctr_drbg_random, &ctxRandom) );
 
     mbedtls_ecdsa_free(&ctxECDSA);
@@ -184,20 +192,20 @@ static void test_ecp_mul(mbedtls_ecp_group_id id, const uint8_t *x_coord, const
 
     mbedtls_mpi_read_binary(&m, scalar, size);
 
-    mbedtls_mpi_read_binary(&P.X, x_coord, size);
-    mbedtls_mpi_read_binary(&P.Y, y_coord, size);
+    mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(X), x_coord, size);
+    mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(Y), y_coord, size);
 
-    mbedtls_mpi_lset(&P.Z, 1);
+    mbedtls_mpi_lset(&P.MBEDTLS_PRIVATE(Z), 1);
 
     ret = mbedtls_ecp_mul(&grp, &R, &m, &P, rng_wrapper, NULL);
 
     TEST_ASSERT_EQUAL(0, ret);
 
-    mbedtls_mpi_write_binary(&R.X, x, mbedtls_mpi_size(&R.X));
-    mbedtls_mpi_write_binary(&R.Y, y, mbedtls_mpi_size(&R.Y));
+    mbedtls_mpi_write_binary(&R.MBEDTLS_PRIVATE(X), x, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X)));
+    mbedtls_mpi_write_binary(&R.MBEDTLS_PRIVATE(Y), y, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y)));
 
-    TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.X)));
-    TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.Y)));
+    TEST_ASSERT_EQUAL(0, memcmp(x, result_x_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(X))));
+    TEST_ASSERT_EQUAL(0, memcmp(y, result_y_coord, mbedtls_mpi_size(&R.MBEDTLS_PRIVATE(Y))));
 
     mbedtls_ecp_point_free(&R);
     mbedtls_ecp_point_free(&P);
@@ -232,9 +240,9 @@ static void test_ecp_verify(mbedtls_ecp_group_id id, const uint8_t *x_coord, con
 
     size = grp.pbits / 8;
 
-    mbedtls_mpi_read_binary(&P.X, x_coord, size);
-    mbedtls_mpi_read_binary(&P.Y, y_coord, size);
-    mbedtls_mpi_lset(&P.Z, 1);
+    mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(X), x_coord, size);
+    mbedtls_mpi_read_binary(&P.MBEDTLS_PRIVATE(Y), y_coord, size);
+    mbedtls_mpi_lset(&P.MBEDTLS_PRIVATE(Z), 1);
 
     ret = mbedtls_ecp_check_pubkey(&grp, &P);
 

components/protocomm/test_apps/main/test_protocomm.c

@@ -564,7 +564,7 @@ static esp_err_t test_req_endpoint(session_t *session)
         // Check if the AES key is correctly set before calling the software encryption
         // API. Without this check, the code will crash, resulting in a test case failure.
         // For hardware AES, portability layer takes care of this.
-        if (session->ctx_aes.rk != NULL && session->ctx_aes.nr > 0) {
+        if (session->ctx_aes.MBEDTLS_PRIVATE(rk) != NULL && session->ctx_aes.MBEDTLS_PRIVATE(nr) > 0) {
 #endif
 
             mbedtls_aes_crypt_ctr(&session->ctx_aes, sizeof(rand_test_data), &session->nc_off,