Added missing optimizations based on mbedtls/baremetal.h config

Author: Teppo Järvelin

TESTS/mbedtls/multi/main.cpp

@@ -33,7 +33,7 @@
 using namespace utest::v1;
 
 #if defined(MBEDTLS_SHA256_C)
-/* Tests several call to mbedtls_sha256_update function that are not modulo 64 bytes */
+/* Tests several call to mbedtls_sha256_update_ret function that are not modulo 64 bytes */
 void test_case_sha256_split()
 {
     const unsigned char test_buf[] = {"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopqabcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"};
@@ -50,18 +50,18 @@ void test_case_sha256_split()
     mbedtls_sha256_context ctx;
     printf("test sha256\n");
     mbedtls_sha256_init(&ctx);
-    mbedtls_sha256_starts(&ctx, 0);
+    (void)mbedtls_sha256_starts_ret(&ctx, 0);
 #if 0
     printf("test not splitted\n");
-    mbedtls_sha256_update(&ctx, test_buf, 168);
+    (void)mbedtls_sha256_update_ret(&ctx, test_buf, 168);
 #else
     printf("test splitted into 3 pieces\n");
-    mbedtls_sha256_update(&ctx, test_buf, 2);
-    mbedtls_sha256_update(&ctx, test_buf + 2, 66);
-    mbedtls_sha256_update(&ctx, test_buf + 68, 100);
+    (void)mbedtls_sha256_update_ret(&ctx, test_buf, 2);
+    (void)mbedtls_sha256_update_ret(&ctx, test_buf + 2, 66);
+    (void)mbedtls_sha256_update_ret(&ctx, test_buf + 68, 100);
 #endif
 
-    mbedtls_sha256_finish(&ctx, outsum);
+    (void)mbedtls_sha256_finish_ret(&ctx, outsum);
     mbedtls_sha256_free(&ctx);
 
     printf("\nreceived result : ");
@@ -113,29 +113,29 @@ void test_case_sha256_multi()
     mbedtls_sha256_init(&ctx2);
     mbedtls_sha256_init(&ctx3);
     //Start both contexts
-    mbedtls_sha256_starts(&ctx1, 0);
-    mbedtls_sha256_starts(&ctx2, 0);
+    (void)mbedtls_sha256_starts_ret(&ctx1, 0);
+    (void)mbedtls_sha256_starts_ret(&ctx2, 0);
 
     printf("upd ctx1\n");
-    mbedtls_sha256_update(&ctx1, test_buf, 56);
+    (void)mbedtls_sha256_update_ret(&ctx1, test_buf, 56);
     printf("upd ctx2\n");
-    mbedtls_sha256_update(&ctx2, test_buf, 66);
+    (void)mbedtls_sha256_update_ret(&ctx2, test_buf, 66);
     printf("finish ctx1\n");
-    mbedtls_sha256_finish(&ctx1, outsum1);
+    (void)mbedtls_sha256_finish_ret(&ctx1, outsum1);
     printf("upd ctx2\n");
-    mbedtls_sha256_update(&ctx2, test_buf + 66, 46);
+    (void)mbedtls_sha256_update_ret(&ctx2, test_buf + 66, 46);
     printf("clone ctx2 in ctx3\n");
     mbedtls_sha256_clone(&ctx3, (const mbedtls_sha256_context *)&ctx2);
     printf("free ctx1\n");
     mbedtls_sha256_free(&ctx1);
     printf("upd ctx2\n");
-    mbedtls_sha256_update(&ctx2, test_buf + 112, 56);
+    (void)mbedtls_sha256_update_ret(&ctx2, test_buf + 112, 56);
     printf("upd ctx3 with different values than ctx2\n");
-    mbedtls_sha256_update(&ctx3, test_buf2, 56);
+    (void)mbedtls_sha256_update_ret(&ctx3, test_buf2, 56);
     printf("finish ctx2\n");
-    mbedtls_sha256_finish(&ctx2, outsum2);
+    (void)mbedtls_sha256_finish_ret(&ctx2, outsum2);
     printf("finish ctx3\n");
-    mbedtls_sha256_finish(&ctx3, outsum3);
+    (void)mbedtls_sha256_finish_ret(&ctx3, outsum3);
     printf("free ctx2\n");
     mbedtls_sha256_free(&ctx2);
     printf("free ctx3\n");

features/device_key/TESTS/device_key/functionality/main.cpp

@@ -72,10 +72,12 @@ void generate_derived_key_long_consistency_test()
     generate_derived_key_consistency_16_byte_key_long_consistency_test(key);
     strcpy(key, MSG_KEY_DEVICE_TEST_STEP2);
     generate_derived_key_consistency_16_byte_key_long_consistency_test(key);
+#ifndef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
     strcpy(key, MSG_KEY_DEVICE_TEST_STEP3);
     generate_derived_key_consistency_32_byte_key_long_consistency_test(key);
     strcpy(key, MSG_KEY_DEVICE_TEST_STEP4);
     generate_derived_key_consistency_32_byte_key_long_consistency_test(key);
+#endif
 
 }
 
@@ -476,12 +478,16 @@ Case cases[] = {
     Case("Device Key - long consistency test",               generate_derived_key_long_consistency_test,        greentea_failure_handler),
     Case("Device Key - inject value wrong size",             device_inject_root_of_trust_wrong_size_test,       greentea_failure_handler),
     Case("Device Key - inject value 16 byte size",           device_inject_root_of_trust_16_byte_size_test,     greentea_failure_handler),
+#ifndef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
     Case("Device Key - inject value 32 byte size",           device_inject_root_of_trust_32_byte_size_test,     greentea_failure_handler),
+#endif
     Case("Device Key - inject value several times",          device_inject_root_of_trust_several_times_test,    greentea_failure_handler),
     Case("Device Key - derived key consistency 16 byte key", generate_derived_key_consistency_16_byte_key_test, greentea_failure_handler),
     Case("Device Key - derived key consistency 32 byte key", generate_derived_key_consistency_32_byte_key_test, greentea_failure_handler),
     Case("Device Key - derived key key type 16",             generate_derived_key_key_type_16_test,             greentea_failure_handler),
+#ifndef MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
     Case("Device Key - derived key key type 32",             generate_derived_key_key_type_32_test,             greentea_failure_handler),
+#endif
     Case("Device Key - derived key wrong key type",          generate_derived_key_wrong_key_type_test,          greentea_failure_handler)
 };
 

features/lwipstack/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c

@@ -69,6 +69,7 @@
 /* @todo: which includes are really needed? */
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/certs.h"
 #include "mbedtls/x509.h"
 #include "mbedtls/ssl.h"
@@ -98,7 +99,21 @@ extern const struct altcp_functions altcp_mbedtls_functions;
 struct altcp_tls_config {
   mbedtls_ssl_config conf;
   mbedtls_entropy_context entropy;
-  mbedtls_ctr_drbg_context ctr_drbg;
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_context    _drbg;
+#define DRBG_INIT mbedtls_ctr_drbg_init
+#define DRBG_SEED mbedtls_ctr_drbg_seed
+#define DRBG_SEED_ERROR "mbedtls_ctr_drbg_seed failed: %d\n"
+#define DRBG_RANDOM mbedtls_ctr_drbg_random
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_context   _drbg;
+#define DRBG_INIT mbedtls_hmac_drbg_init
+#define DRBG_SEED mbedtls_hmac_drbg_seed
+#define DRBG_SEED_ERROR "mbedtls_hmac_drbg_seed failed: %d\n"
+#define DRBG_RANDOM mbedtls_hmac_drbg_random
+#else
+#error "CTR or HMAC must be defined for coap_security_handler!"
+#endif
   mbedtls_x509_crt *cert;
   mbedtls_pk_context *pkey;
   mbedtls_x509_crt *ca;
@@ -721,12 +736,15 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
 
   mbedtls_ssl_config_init(&conf->conf);
   mbedtls_entropy_init(&conf->entropy);
-  mbedtls_ctr_drbg_init(&conf->ctr_drbg);
+
+  DRBG_INIT(&conf->_drbg);
 
   /* Seed the RNG */
-  ret = mbedtls_ctr_drbg_seed(&conf->ctr_drbg, ALTCP_MBEDTLS_RNG_FN, &conf->entropy, ALTCP_MBEDTLS_ENTROPY_PTR, ALTCP_MBEDTLS_ENTROPY_LEN);
+  ret = DRBG_SEED(&conf->_drbg, ALTCP_MBEDTLS_RNG_FN, &conf->entropy, ALTCP_MBEDTLS_ENTROPY_PTR, ALTCP_MBEDTLS_ENTROPY_LEN);
+
   if (ret != 0) {
-    LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ctr_drbg_seed failed: %d\n", ret));
+    LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, (DRBG_SEED_ERROR, ret));
+
     altcp_mbedtls_free_config(conf);
     return NULL;
   }
@@ -742,7 +760,7 @@ altcp_tls_create_config(int is_server, int have_cert, int have_pkey, int have_ca
   mbedtls_ssl_conf_authmode(&conf->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 
 #if !defined(MBEDTLS_SSL_CONF_RNG)
-  mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &conf->ctr_drbg);
+  mbedtls_ssl_conf_rng(&conf->conf, DRBG_RANDOM, &conf->ctr_drbg);
 #endif
 
 #if ALTCP_MBEDTLS_DEBUG != LWIP_DBG_OFF

features/mbedtls/platform/src/shared_rng.cpp

@@ -33,8 +33,9 @@ int init_global_rng()
     mbedtls_entropy_init(&global_entropy);
     mbedtls_hmac_drbg_init(&global_hmac_drbg);
 
-    int ret = mbedtls_hmac_drbg_seed(&global_hmac_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
-                                 mbedtls_entropy_func, &global_entropy, NULL, 0);
+    int ret = mbedtls_hmac_drbg_seed(&global_hmac_drbg,
+                                     mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+                                     mbedtls_entropy_func, &global_entropy, NULL, 0);
 
     if (ret != 0) {
         tr_error(" init_global_rng failed! mbedtls_hmac_drbg_seed returned -0x%x", -ret);
@@ -44,7 +45,6 @@ int init_global_rng()
     }
 
     return ret;
-This conversation was marked as resolved by jarvte
 }
 
 void free_global_rng()

features/nanostack/coap-service/source/coap_security_handler.c

@@ -30,6 +30,7 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/ssl_ciphersuites.h"
 
 #include "ns_trace.h"
@@ -41,7 +42,14 @@ struct coap_security_s {
     mbedtls_ssl_config          _conf;
     mbedtls_ssl_context         _ssl;
 
-    mbedtls_ctr_drbg_context    _ctr_drbg;
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_context    _drbg;
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_context   _drbg;
+#else
+#error "CTR or HMAC must be defined for coap_security_handler!"
+#endif
+
     mbedtls_entropy_context     _entropy;
     bool                        _is_started;
     simple_cookie_t             _cookie;
@@ -114,7 +122,11 @@ static int coap_security_handler_init(coap_security_t *sec)
 
     mbedtls_ssl_init(&sec->_ssl);
     mbedtls_ssl_config_init(&sec->_conf);
-    mbedtls_ctr_drbg_init(&sec->_ctr_drbg);
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_init(&sec->_drbg);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_init(&sec->_drbg);
+#endif
     mbedtls_entropy_init(&sec->_entropy);
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -132,12 +144,20 @@ static int coap_security_handler_init(coap_security_t *sec)
                                    128, entropy_source_type) < 0) {
         return -1;
     }
-
-    if ((mbedtls_ctr_drbg_seed(&sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
+#if defined(MBEDTLS_CTR_DRBG_C)
+    if ((mbedtls_ctr_drbg_seed(&sec->_drbg, mbedtls_entropy_func, &sec->_entropy,
+                               (const unsigned char *) pers,
+                               strlen(pers))) != 0) {
+        return -1;
+    }
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    if ((mbedtls_hmac_drbg_seed(&sec->_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+                                mbedtls_entropy_func, &sec->_entropy,
                                (const unsigned char *) pers,
                                strlen(pers))) != 0) {
         return -1;
     }
+#endif
     return 0;
 }
 
@@ -160,7 +180,11 @@ static void coap_security_handler_reset(coap_security_t *sec)
 #endif
 
     mbedtls_entropy_free(&sec->_entropy);
-    mbedtls_ctr_drbg_free(&sec->_ctr_drbg);
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_free(&sec->_drbg);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_free(&sec->_drbg);
+#endif
     mbedtls_ssl_config_free(&sec->_conf);
     mbedtls_ssl_free(&sec->_ssl);
 #if defined(MBEDTLS_PLATFORM_C)
@@ -397,7 +421,11 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
     }
 
 #if !defined(MBEDTLS_SSL_CONF_RNG)
-    mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_ctr_drbg);
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_drbg);
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_hmac_drbg_random, &sec->_drbg);
+#endif
 #endif
 
     if ((mbedtls_ssl_setup(&sec->_ssl, &sec->_conf)) != 0) {

features/nanostack/coap-service/test/coap-service/unittest/stub/mbedtls_stub.c

@@ -248,6 +248,38 @@ int mbedtls_ctr_drbg_random(void *p_rng,
     return mbedtls_stub.crt_expected_int;
 }
 
+// from hmac_drbg.h
+void mbedtls_hmac_drbg_init( mbedtls_hmac_drbg_context *ctx )
+{
+
+}
+
+void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx )
+{
+
+}
+
+int mbedtls_hmac_drbg_seed( mbedtls_hmac_drbg_context *ctx,
+                    mbedtls_md_handle_t md_info,
+                    int (*f_entropy)(void *, unsigned char *, size_t),
+                    void *p_entropy,
+                    const unsigned char *custom,
+                    size_t len )
+{
+    return mbedtls_stub.crt_expected_int;
+}
+
+int mbedtls_hmac_drbg_random( void *p_rng, unsigned char *output, size_t out_len )
+{
+    return mbedtls_stub.crt_expected_int;
+}
+
+// from md.h
+mbedtls_md_handle_t mbedtls_md_info_from_type( mbedtls_md_type_t md_type )
+{
+    return 0;
+}
+
 //From x509_crt.h
 void mbedtls_x509_crt_init(mbedtls_x509_crt *a)
 {

features/nanostack/coap-service/test/coap-service/unittest/stub/mbedtls_stub.h

@@ -24,11 +24,13 @@
 #include "mbedtls/platform.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/sha256.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/pk.h"
 #include "mbedtls/platform.h"
+#include "mbedtls/md.h"
 
 
 #define HANDSHAKE_FINISHED_VALUE 8888

features/nanostack/sal-stack-nanostack/nanostack/ns_sha256.h

@@ -61,45 +61,45 @@ static inline void ns_sha256_clone(ns_sha256_context *dst,
 
 static inline void ns_sha256_starts(ns_sha256_context *ctx)
 {
-    mbedtls_sha256_starts(ctx, 0);
+    (void)mbedtls_sha256_starts_ret(ctx, 0);
 }
 
 static inline void ns_sha256_update(ns_sha256_context *ctx, const void *input,
                                     size_t ilen)
 {
-    mbedtls_sha256_update(ctx, input, ilen);
+    (void)mbedtls_sha256_update_ret(ctx, input, ilen);
 }
 
 static inline void ns_sha256_finish(ns_sha256_context *ctx, void *output)
 {
-    mbedtls_sha256_finish(ctx, output);
+    (void)mbedtls_sha256_finish_ret(ctx, output);
 }
 
 static inline void ns_sha256(const void *input, size_t ilen, void *output)
 {
-    mbedtls_sha256(input, ilen, output, 0);
+    (void)mbedtls_sha256_ret(input, ilen, output, 0);
 }
 
 /* Extensions to standard mbed TLS - output the first bits of a hash only */
 /* Number of bits must be a multiple of 32, and <=256 */
 static inline void ns_sha256_finish_nbits(ns_sha256_context *ctx, void *output, unsigned obits)
 {
     if (obits == 256) {
-        mbedtls_sha256_finish(ctx, output);
+        (void)mbedtls_sha256_finish_ret(ctx, output);
     } else {
         uint8_t sha256[32];
-        mbedtls_sha256_finish(ctx, sha256);
+        (void)mbedtls_sha256_finish_ret(ctx, sha256);
         memcpy(output, sha256, obits / 8);
     }
 }
 
 static inline void ns_sha256_nbits(const void *input, size_t ilen, void *output, unsigned obits)
 {
     if (obits == 256) {
-        mbedtls_sha256(input, ilen, output, 0);
+        (void)mbedtls_sha256_ret(input, ilen, output, 0);
     } else {
         uint8_t sha256[32];
-        mbedtls_sha256(input, ilen, sha256, 0);
+        (void)mbedtls_sha256_ret(input, ilen, sha256, 0);
         memcpy(output, sha256, obits / 8);
     }
 }