Prepare for upcoming MbedTLS changes

Author: Teppo Järvelin

features/nanostack/coap-service/source/coap_security_handler.c

@@ -68,19 +68,23 @@ struct coap_security_s {
 
 };
 
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 const int ECJPAKE_SUITES[] = {
     MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
     0
 };
 #endif
 
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 static const int PSK_SUITES[] = {
     MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
     MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
     0
 };
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) */
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 
 #define TRACE_GROUP "CsSh"
 
@@ -332,7 +336,9 @@ static int coap_security_handler_configure_keys(coap_security_t *sec, coap_secur
             if (0 != mbedtls_ssl_conf_psk(&sec->_conf, keys._priv_key, keys._priv_key_len, keys._cert, keys._cert_len)) {
                 break;
             }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             mbedtls_ssl_conf_ciphersuites(&sec->_conf, PSK_SUITES);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
             ret = 0;
 #endif
             break;
@@ -342,7 +348,9 @@ static int coap_security_handler_configure_keys(coap_security_t *sec, coap_secur
             if (mbedtls_ssl_set_hs_ecjpake_password(&sec->_ssl, keys._key, keys._key_len) != 0) {
                 return -1;
             }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             mbedtls_ssl_conf_ciphersuites(&sec->_conf, ECJPAKE_SUITES);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 
             //NOTE: If thread starts supporting PSK in other modes, then this will be needed!
             mbedtls_ssl_conf_export_keys_cb(&sec->_conf,
@@ -394,11 +402,23 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
         return -1;
     }
 
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
     mbedtls_ssl_set_bio(&sec->_ssl, sec,
                         f_send, f_recv, NULL);
+#else
+    mbedtls_ssl_set_bio_ctx(&sec->_ssl, sec);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
 
+    // Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(&sec->_ssl, sec, set_timer,
                              get_timer);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     //TODO: Figure out better way!!!
@@ -420,8 +440,13 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
                                   &sec->_cookie);
 #endif
 
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     mbedtls_ssl_conf_min_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     mbedtls_ssl_conf_max_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) */
 
     sec->_is_started = true;
 

features/nanostack/sal-stack-nanostack/source/Security/protocols/tls_sec_prot/tls_sec_prot_lib.c

@@ -340,16 +340,30 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
         return -1;
     }
 
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
     // Set calbacks
     mbedtls_ssl_set_bio(&sec->ssl, sec, tls_sec_prot_lib_ssl_send, tls_sec_prot_lib_ssl_recv, NULL);
+#else
+    mbedtls_ssl_set_bio_ctx(&sec->ssl, sec);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
+
+// Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+// callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+// these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(&sec->ssl, sec, tls_sec_prot_lib_ssl_set_timer, tls_sec_prot_lib_ssl_get_timer);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
 
     // Configure certificates, keys and certificate revocation list
     if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) {
         tr_error("cert conf fail");
         return -1;
     }
 
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
     // Configure ciphersuites
     static const int sec_suites[] = {
         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
@@ -358,6 +372,7 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
         0
     };
     mbedtls_ssl_conf_ciphersuites(&sec->conf, sec_suites);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 
 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
     mbedtls_ssl_conf_dbg(&sec->conf, tls_sec_prot_lib_debug, sec);
@@ -367,8 +382,13 @@ int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_p
     // Export keys callback
     mbedtls_ssl_conf_export_keys_ext_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec);
 
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     mbedtls_ssl_conf_max_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) */
 
     // Set certificate verify callback
     mbedtls_ssl_set_verify(&sec->ssl, tls_sec_prot_lib_x509_crt_verify, sec);

features/netsocket/DTLSSocketWrapper.cpp

@@ -30,7 +30,13 @@ DTLSSocketWrapper::DTLSSocketWrapper(Socket *transport, const char *hostname, co
     _timer_expired(false)
 {
     mbedtls_ssl_conf_transport(get_ssl_config(), MBEDTLS_SSL_TRANSPORT_DATAGRAM);
+
+    // Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(get_ssl_context(), this, timing_set_delay, timing_get_delay);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
 }
 
 void DTLSSocketWrapper::timing_set_delay(void *ctx, uint32_t int_ms, uint32_t fin_ms)

features/netsocket/TLSSocketWrapper.cpp

@@ -85,7 +85,7 @@ TLSSocketWrapper::~TLSSocketWrapper()
 
 void TLSSocketWrapper::set_hostname(const char *hostname)
 {
-#ifdef MBEDTLS_X509_CRT_PARSE_C
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
     mbedtls_ssl_set_hostname(&_ssl, hostname);
 #endif
 }
@@ -207,7 +207,15 @@ nsapi_error_t TLSSocketWrapper::start_handshake(bool first_call)
 
     _transport->set_blocking(false);
     _transport->sigio(mbed::callback(this, &TLSSocketWrapper::event));
-    mbedtls_ssl_set_bio(&_ssl, this, ssl_send, ssl_recv, NULL);
+
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
+    mbedtls_ssl_set_bio(&_ssl, this, ssl_send, ssl_recv, nullptr);
+#else
+    mbedtls_ssl_set_bio_ctx(&_ssl, this);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
 
     _tls_initialized = true;
 

features/netsocket/TLSSocketWrapper.h

@@ -66,6 +66,9 @@ class TLSSocketWrapper : public Socket {
     virtual ~TLSSocketWrapper();
 
     /** Set hostname.
+     *
+     * @note Implementation is inside following defines:
+     * #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
      *
      * TLSSocket requires hostname used to verify the certificate.
      * If hostname is not given in constructor, this function must be used before