ext: lib: mbedtls : Upgrading mbedTLS library

Upgrading mbedTLS to version 2.4 from 2.3

Origin: https://tls.mbed.org/download/start/mbedtls-2.4.0-apache.tgz

Jira: ZEP-1292
Jira: ZEP-734

Change-Id: I32d81304f5d568810e271b8e9fc2135def1dda0a
Signed-off-by: Sergio Rodriguez <[email protected]>

Author: srodrig1

ext/lib/crypto/mbedtls/Kbuild

@@ -1,73 +1,74 @@
 
 include $(srctree)/ext/lib/crypto/mbedtls/Makefile.include
 
-obj-y += library/ssl_tls.o
-obj-y += library/ssl_cache.o
-obj-y += library/ssl_ciphersuites.o
-obj-y += library/ssl_cli.o
-obj-y += library/ssl_cookie.o
-obj-y += library/ssl_srv.o
-obj-y += library/ssl_ticket.o
-obj-y += library/debug.o
-obj-y += library/net.o
-obj-y += library/memory_buffer_alloc.o
-obj-y += library/platform.o
-obj-y += library/threading.o
-obj-y += library/timing.o
-obj-y += library/version.o
-obj-y += library/version_features.o
-obj-y += library/entropy.o
-obj-y += library/entropy_poll.o
-obj-y += library/error.o
-obj-y += library/cipher.o
-obj-y += library/cipher_wrap.o
-obj-y += library/bignum.o
 obj-y += library/aes.o
 obj-y += library/aesni.o
-obj-y += library/padlock.o
 obj-y += library/arc4.o
 obj-y += library/asn1parse.o
 obj-y += library/asn1write.o
 obj-y += library/base64.o
+obj-y += library/bignum.o
 obj-y += library/blowfish.o
 obj-y += library/camellia.o
 obj-y += library/ccm.o
+obj-y += library/certs.o
+obj-y += library/cipher.o
+obj-y += library/cipher_wrap.o
+obj-y += library/cmac.o
+obj-y += library/ctr_drbg.o
+obj-y += library/debug.o
 obj-y += library/des.o
 obj-y += library/dhm.o
 obj-y += library/ecdh.o
 obj-y += library/ecdsa.o
 obj-y += library/ecjpake.o
 obj-y += library/ecp.o
 obj-y += library/ecp_curves.o
-obj-y += library/ctr_drbg.o
+obj-y += library/entropy.o
+obj-y += library/entropy_poll.o
+obj-y += library/error.o
 obj-y += library/gcm.o
 obj-y += library/havege.o
 obj-y += library/hmac_drbg.o
+obj-y += library/md.o
 obj-y += library/md2.o
 obj-y += library/md4.o
 obj-y += library/md5.o
-obj-y += library/md.o
 obj-y += library/md_wrap.o
+obj-y += library/memory_buffer_alloc.o
+obj-y += library/net_sockets.o
 obj-y += library/oid.o
+obj-y += library/padlock.o
 obj-y += library/pem.o
 obj-y += library/pk.o
+obj-y += library/pk_wrap.o
+obj-y += library/pkcs11.o
 obj-y += library/pkcs12.o
 obj-y += library/pkcs5.o
 obj-y += library/pkparse.o
-obj-y += library/pk_wrap.o
 obj-y += library/pkwrite.o
+obj-y += library/platform.o
 obj-y += library/ripemd160.o
 obj-y += library/rsa.o
 obj-y += library/sha1.o
 obj-y += library/sha256.o
 obj-y += library/sha512.o
-obj-y += library/xtea.o
-obj-y += library/pkcs11.o
-obj-y += library/certs.o
+obj-y += library/ssl_cache.o
+obj-y += library/ssl_ciphersuites.o
+obj-y += library/ssl_cli.o
+obj-y += library/ssl_cookie.o
+obj-y += library/ssl_srv.o
+obj-y += library/ssl_ticket.o
+obj-y += library/ssl_tls.o
+obj-y += library/threading.o
+obj-y += library/timing.o
+obj-y += library/version.o
+obj-y += library/version_features.o
 obj-y += library/x509.o
 obj-y += library/x509_create.o
 obj-y += library/x509_crl.o
 obj-y += library/x509_crt.o
 obj-y += library/x509_csr.o
 obj-y += library/x509write_crt.o
 obj-y += library/x509write_csr.o
+obj-y += library/xtea.o

ext/lib/crypto/mbedtls/README

@@ -1,9 +1,9 @@
 The mbed TLS library in Zephyr is a downstream of an externally maintained
 open source project.  The original upstream code can be found at:
 
-https://tls.mbed.org/download/start/mbedtls-2.3.0-apache.tgz
+https://tls.mbed.org/download/start/mbedtls-2.4.0-apache.tgz
 
-At version  2.3.0
+At version  2.4.0
 
 The following is the license information for this code:
 

ext/lib/crypto/mbedtls/configs/config-ccm-psk-tls1_2.h

@@ -41,7 +41,6 @@
 #define MBEDTLS_NO_PLATFORM_ENTROPY
 #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
 #define MBEDTLS_PLATFORM_PRINTF_ALT
-#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO int
 
 #if defined(CONFIG_MBEDTLS_TEST)
 #define MBEDTLS_SELF_TEST

ext/lib/crypto/mbedtls/configs/config-threadnet.h

@@ -43,7 +43,6 @@
 #define MBEDTLS_NO_PLATFORM_ENTROPY
 #define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES
 #define MBEDTLS_PLATFORM_PRINTF_ALT
-#define MBEDTLS_PLATFORM_TIME_TYPE_MACRO int
 
 #if !defined(CONFIG_ARM)
 #define MBEDTLS_HAVE_ASM
@@ -77,6 +76,7 @@
 #define MBEDTLS_CCM_C
 #define MBEDTLS_CIPHER_C
 #define MBEDTLS_CTR_DRBG_C
+#define MBEDTLS_CMAC_C
 #define MBEDTLS_ECJPAKE_C
 #define MBEDTLS_ECP_C
 #define MBEDTLS_HMAC_DRBG_C

ext/lib/crypto/mbedtls/include/mbedtls/check_config.h

@@ -77,6 +77,11 @@
 #error "MBEDTLS_DHM_C defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_CMAC_C) && \
+    !defined(MBEDTLS_AES_C) && !defined(MBEDTLS_DES_C)
+#error "MBEDTLS_CMAC_C defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
 #error "MBEDTLS_ECDH_C defined, but not all prerequisites"
 #endif
@@ -256,6 +261,36 @@
 #error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_TIME_ALT) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_ALT defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( !defined(MBEDTLS_PLATFORM_C) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO defined, but not all prerequisites"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
+#if defined(MBEDTLS_PLATFORM_TIME_TYPE_MACRO) &&\
+    ( defined(MBEDTLS_PLATFORM_STD_TIME) ||\
+        defined(MBEDTLS_PLATFORM_TIME_ALT) )
+#error "MBEDTLS_PLATFORM_TIME_TYPE_MACRO and MBEDTLS_PLATFORM_STD_TIME/MBEDTLS_PLATFORM_TIME_ALT cannot be defined simultaneously"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_FPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
 #error "MBEDTLS_PLATFORM_FPRINTF_ALT defined, but not all prerequisites"
 #endif
@@ -352,6 +387,12 @@
 #error "MBEDTLS_PLATFORM_STD_EXIT defined, but not all prerequisites"
 #endif
 
+#if defined(MBEDTLS_PLATFORM_STD_TIME) &&\
+    ( !defined(MBEDTLS_PLATFORM_TIME_ALT) ||\
+        !defined(MBEDTLS_HAVE_TIME) )
+#error "MBEDTLS_PLATFORM_STD_TIME defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_PLATFORM_STD_FPRINTF) &&\
     !defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
 #error "MBEDTLS_PLATFORM_STD_FPRINTF defined, but not all prerequisites"

ext/lib/crypto/mbedtls/include/mbedtls/cipher.h

@@ -176,6 +176,11 @@ enum {
  */
 typedef struct mbedtls_cipher_base_t mbedtls_cipher_base_t;
 
+/**
+ * CMAC context (opaque struct).
+ */
+typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t;
+
 /**
  * Cipher information. Allows cipher functions to be called in a generic way.
  */
@@ -241,6 +246,11 @@ typedef struct {
 
     /** Cipher-specific context */
     void *cipher_ctx;
+
+#if defined(MBEDTLS_CMAC_C)
+    /** CMAC Specific context */
+    mbedtls_cmac_context_t *cmac_ctx;
+#endif
 } mbedtls_cipher_context_t;
 
 /**

ext/lib/crypto/mbedtls/include/mbedtls/cmac.h

@@ -0,0 +1,166 @@
+/**
+ * \file cmac.h
+ *
+ * \brief Cipher-based Message Authentication Code (CMAC) Mode for
+ *        Authentication
+ *
+ *  Copyright (C) 2015-2016, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+#ifndef MBEDTLS_CMAC_H
+#define MBEDTLS_CMAC_H
+
+#include "mbedtls/cipher.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define MBEDTLS_AES_BLOCK_SIZE          16
+#define MBEDTLS_DES3_BLOCK_SIZE         8
+
+#if defined(MBEDTLS_AES_C)
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      16  /* longest used by CMAC is AES */
+#else
+#define MBEDTLS_CIPHER_BLKSIZE_MAX      8   /* longest used by CMAC is 3DES */
+#endif
+
+/**
+ * CMAC context structure - Contains internal state information only
+ */
+struct mbedtls_cmac_context_t
+{
+    /** Internal state of the CMAC algorithm  */
+    unsigned char       state[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** Unprocessed data - either data that was not block aligned and is still
+     *  pending to be processed, or the final block */
+    unsigned char       unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX];
+
+    /** Length of data pending to be processed */
+    size_t              unprocessed_len;
+};
+
+/**
+ * \brief               Set the CMAC key and prepare to authenticate the input
+ *                      data.
+ *                      Should be called with an initialised cipher context.
+ *
+ * \param ctx           Cipher context
+ * \param key           CMAC key
+ * \param keybits       length of the CMAC key in bits
+ *                      (must be acceptable by the cipher)
+ *
+ * \return              0 if successful, or a cipher specific error code
+ */
+int mbedtls_cipher_cmac_starts( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *key, size_t keybits );
+
+/**
+ * \brief               Generic CMAC process buffer.
+ *                      Called between mbedtls_cipher_cmac_starts() or
+ *                      mbedtls_cipher_cmac_reset() and
+ *                      mbedtls_cipher_cmac_finish().
+ *                      May be called repeatedly.
+ *
+ * \param ctx           CMAC context
+ * \param input         buffer holding the  data
+ * \param ilen          length of the input data
+ *
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
+ *                      verification fails.
+ */
+int mbedtls_cipher_cmac_update( mbedtls_cipher_context_t *ctx,
+                                const unsigned char *input, size_t ilen );
+
+/**
+ * \brief               Output CMAC.
+ *                      Called after mbedtls_cipher_cmac_update().
+ *                      Usually followed by mbedtls_cipher_cmac_reset(), then
+ *                      mbedtls_cipher_cmac_starts(), or mbedtls_cipher_free().
+ *
+ * \param ctx           CMAC context
+ * \param output        Generic CMAC checksum result
+ *
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
+ *                      verification fails.
+ */
+int mbedtls_cipher_cmac_finish( mbedtls_cipher_context_t *ctx,
+                                unsigned char *output );
+
+/**
+ * \brief               Prepare to authenticate a new message with the same key.
+ *                      Called after mbedtls_cipher_cmac_finish() and before
+ *                      mbedtls_cipher_cmac_update().
+ *
+ * \param ctx           CMAC context to be reset
+ *
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
+ *                      verification fails.
+ */
+int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
+
+/**
+ * \brief               Output = Generic_CMAC( hmac key, input buffer )
+ *
+ * \param cipher_info   message digest info
+ * \param key           CMAC key
+ * \param keylen        length of the CMAC key in bits
+ * \param input         buffer holding the  data
+ * \param ilen          length of the input data
+ * \param output        Generic CMAC-result
+ *
+ * \returns             0 on success, MBEDTLS_ERR_MD_BAD_INPUT_DATA if parameter
+ *                      verification fails.
+ */
+int mbedtls_cipher_cmac( const mbedtls_cipher_info_t *cipher_info,
+                         const unsigned char *key, size_t keylen,
+                         const unsigned char *input, size_t ilen,
+                         unsigned char *output );
+
+#if defined(MBEDTLS_AES_C)
+/**
+ * \brief           AES-CMAC-128-PRF
+ *                  Implementation of (AES-CMAC-PRF-128), as defined in RFC 4615
+ *
+ * \param key       PRF key
+ * \param key_len   PRF key length in bytes
+ * \param input     buffer holding the input data
+ * \param in_len    length of the input data in bytes
+ * \param output    buffer holding the generated pseudorandom output (16 bytes)
+ *
+ * \return          0 if successful
+ */
+int mbedtls_aes_cmac_prf_128( const unsigned char *key, size_t key_len,
+                              const unsigned char *input, size_t in_len,
+                              unsigned char output[16] );
+#endif /* MBEDTLS_AES_C */
+
+#if defined(MBEDTLS_SELF_TEST) && ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) )
+/**
+ * \brief          Checkup routine
+ *
+ * \return         0 if successful, or 1 if the test failed
+ */
+int mbedtls_cmac_self_test( int verbose );
+#endif /* MBEDTLS_SELF_TEST && ( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CMAC_H */