Merge branch 'feature/wpa_supp_mbedtls_private_cleanup' into 'master'

wpa_supplicant: `MBEDTLS_PRIVATE` & `MBEDTLS_ALLOW_PRIVATE_ACCESS`-related cleanup

Closes IDF-5861

See merge request espressif/esp-idf!20171

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c

@@ -4,8 +4,6 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
-#define MBEDTLS_ALLOW_PRIVATE_ACCESS
-
 #ifdef ESP_PLATFORM
 #include "esp_system.h"
 #include "mbedtls/bignum.h"
@@ -31,9 +29,9 @@
 #define ECP_PRV_DER_MAX_BYTES   29 + 3 * MBEDTLS_ECP_MAX_BYTES
 
 #ifdef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
-#define ACCESS_ECDH(S, var) S->var
+#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(var)
 #else
-#define ACCESS_ECDH(S, var) S->ctx.mbed_ecdh.var
+#define ACCESS_ECDH(S, var) S->MBEDTLS_PRIVATE(ctx).MBEDTLS_PRIVATE(mbed_ecdh).MBEDTLS_PRIVATE(var)
 #endif
 
 #ifdef CONFIG_ECC
@@ -1053,7 +1051,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
 	}
 	mbedtls_ecdh_init(ctx);
 #ifndef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
-	ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+	ctx->MBEDTLS_PRIVATE(var) = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
 #endif
 
 	if ((mbedtls_ecp_group_load(ACCESS_ECDH(&ctx, grp), crypto_mbedtls_get_grp_id(group))) != 0) {
@@ -1105,7 +1103,7 @@ struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int y)
         }
 
 	/* Export an MPI into unsigned big endian binary data of fixed size */
-	mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx, Q).X, buf, prime_len);
+	mbedtls_mpi_write_binary(ACCESS_ECDH(&ctx, Q).MBEDTLS_PRIVATE(X), buf, prime_len);
 	public_key = wpabuf_alloc_copy(buf, 32);
 	os_free(buf);
 	return public_key;
@@ -1179,9 +1177,9 @@ struct wpabuf * crypto_ecdh_set_peerkey(struct crypto_ecdh *ecdh, int inc_y,
 	/* Setup ECDH context from EC key */
 /* Call to mbedtls_ecdh_get_params() will initialize the context when not LEGACY context */
         if (ctx != NULL && peer != NULL) {
-                mbedtls_ecp_copy( ACCESS_ECDH(&ctx, Qp), &(mbedtls_pk_ec(*peer))->Q );
+				mbedtls_ecp_copy( ACCESS_ECDH(&ctx, Qp), &(mbedtls_pk_ec(*peer))->MBEDTLS_PRIVATE(Q) );
 #ifndef CONFIG_MBEDTLS_ECDH_LEGACY_CONTEXT
-                ctx->var = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
+				ctx->MBEDTLS_PRIVATE(var) = MBEDTLS_ECDH_VARIANT_MBEDTLS_2_0;
 #endif
         } else {
                 wpa_printf(MSG_ERROR, "Failed to set peer's ECDH context");

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c

@@ -217,7 +217,7 @@ int crypto_public_key_encrypt_pkcs1_v15(struct crypto_public_key *key,
 		wpa_printf(MSG_ERROR, " failed  !  mbedtls_rsa_pkcs1_encrypt returned -0x%04x", -ret);
 		goto cleanup;
 	}
-	*outlen = mbedtls_pk_rsa(*pkey)->MBEDTLS_PRIVATE(len);
+	*outlen = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey));
 
 cleanup:
 	mbedtls_ctr_drbg_free( ctr_drbg );
@@ -256,7 +256,7 @@ int  crypto_private_key_decrypt_pkcs1_v15(struct crypto_private_key *key,
 	if (ret < 0)
 		goto cleanup;
 
-	i =  mbedtls_pk_rsa(*pkey)->MBEDTLS_PRIVATE(len);
+	i = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey));
 	ret = mbedtls_rsa_rsaes_pkcs1_v15_decrypt(mbedtls_pk_rsa(*pkey), mbedtls_ctr_drbg_random,
 			ctr_drbg, &i, in, out, *outlen);
 
@@ -301,7 +301,8 @@ int crypto_private_key_sign_pkcs1(struct crypto_private_key *key,
 		wpa_printf(MSG_ERROR, " failed  ! mbedtls_rsa_pkcs1_sign returned %d", ret );
 		goto cleanup;
 	}
-	*outlen = mbedtls_pk_rsa(*pkey)->MBEDTLS_PRIVATE(len);
+	*outlen = mbedtls_rsa_get_len(mbedtls_pk_rsa(*pkey));
+
 cleanup:
 	mbedtls_ctr_drbg_free( ctr_drbg );
 	mbedtls_entropy_free( entropy );

components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c

@@ -220,7 +220,8 @@ int crypto_hash_finish(struct crypto_hash *crypto_ctx, u8 *mac, size_t *len)
 	if (mac == NULL || len == NULL) {
 		goto err;
 	}
-	md_type = mbedtls_md_get_type(ctx->MBEDTLS_PRIVATE(md_info));
+
+	md_type = mbedtls_md_get_type(mbedtls_md_info_from_ctx(ctx));
 	switch(md_type) {
 	case MBEDTLS_MD_MD5:
 		if (*len < MD5_MAC_LEN) {

components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c

@@ -13,14 +13,17 @@
 #include "crypto/sha256.h"
 #include "crypto/sha384.h"
 
-/* ToDo - Remove this once appropriate solution is available.
-We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
-which are undefined if the following flag is not defined */
-/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
-/* ToDo - Replace them with proper getter-setter once they are added */
+/* TODO: Remove this once the appropriate solution is found
+ *
+ * ssl_misc.h header uses private elements from
+ * mbedtls, which become undefined if the following flag
+ * is not defined
+ */
 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
 
+// located at mbedtls/library/ssl_misc.h
 #include "ssl_misc.h"
+
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/debug.h"
@@ -659,11 +662,7 @@ int tls_connection_established(void *tls_ctx, struct tls_connection *conn)
 {
 	mbedtls_ssl_context *ssl = &conn->tls->ssl;
 
-	if (ssl->MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER) {
-		return 1;
-	}
-
-	return 0;
+	return mbedtls_ssl_is_handshake_over(ssl);
 }
 
 int tls_global_set_verify(void *tls_ctx, int check_crl, int strict)
@@ -696,13 +695,13 @@ struct wpabuf * tls_connection_handshake(void *tls_ctx,
 	}
 
 	/* Multiple reads */
-	while (tls->ssl.MBEDTLS_PRIVATE(state) != MBEDTLS_SSL_HANDSHAKE_OVER) {
+	while (!mbedtls_ssl_is_handshake_over(&tls->ssl)) {
 		if (tls->ssl.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_CLIENT_CERTIFICATE) {
 			/* Read random data before session completes, not present after handshake */
 			if (tls->ssl.MBEDTLS_PRIVATE(handshake)) {
 				os_memcpy(conn->randbytes, tls->ssl.MBEDTLS_PRIVATE(handshake)->randbytes,
 					  TLS_RANDOM_LEN * 2);
-				conn->mac = tls->ssl.handshake->ciphersuite_info->mac;
+				conn->mac = tls->ssl.MBEDTLS_PRIVATE(handshake)->ciphersuite_info->mac;
 			}
 		}
 		ret = mbedtls_ssl_handshake_step(&tls->ssl);
@@ -944,7 +943,7 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 		wpa_printf(MSG_ERROR, "TLS: %s, session ingo is null", __func__);
 		return -1;
 	}
-	if (ssl->MBEDTLS_PRIVATE(state) != MBEDTLS_SSL_HANDSHAKE_OVER) {
+	if (!mbedtls_ssl_is_handshake_over(ssl)) {
 		wpa_printf(MSG_ERROR, "TLS: %s, incorrect tls state=%d", __func__, ssl->MBEDTLS_PRIVATE(state));
 		return -1;
 	}
@@ -957,7 +956,7 @@ static int tls_connection_prf(void *tls_ctx, struct tls_connection *conn,
 	}
 
 	wpa_hexdump_key(MSG_MSGDUMP, "random", seed, 2 * TLS_RANDOM_LEN);
-	wpa_hexdump_key(MSG_MSGDUMP, "master", ssl->MBEDTLS_PRIVATE(session)->MBEDTLS_PRIVATE(master), TLS_MASTER_SECRET_LEN);
+	wpa_hexdump_key(MSG_MSGDUMP, "master",  ssl->MBEDTLS_PRIVATE(session)->MBEDTLS_PRIVATE(master), TLS_MASTER_SECRET_LEN);
 
 	ret = mbedtls_ssl_tls_prf(conn->tls_prf_type, conn->master_secret, TLS_MASTER_SECRET_LEN,
 				label, seed, 2 * TLS_RANDOM_LEN, out, out_len);