From 229bf1031fd71a3e6fa26bd4b757a91d9bedfada Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 15 May 2023 11:13:55 +0200 Subject: [PATCH 1/4] pk: make mbedtls_pk_ec internal when !ECP_C mbedtls_pk_ec() is not an ideal function because: - it provides direct access to the ecp_keypair structure wrapped by the pk_context and - this bypasses the PK module's control However, since for backward compatibility, it cannot be deprecated immediately, 2 alternative internal functions are proposed. As a consequence: - when ECP_C is defined, then the legacy mbedtls_pk_ec is available - when only ECP_LIGHT is defined, but ECP_C is not, then only the new internal functions will be available Signed-off-by: Valerio Setti --- include/mbedtls/pk.h | 4 +-- library/pk_internal.h | 68 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 2 deletions(-) create mode 100644 library/pk_internal.h diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 8d6d60f87..ec2a2513e 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -778,7 +778,7 @@ static inline mbedtls_rsa_context *mbedtls_pk_rsa(const mbedtls_pk_context pk) } #endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_ECP_LIGHT) +#if defined(MBEDTLS_ECP_C) /** * Quick access to an EC context inside a PK context. * @@ -801,7 +801,7 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec(const mbedtls_pk_context pk) return NULL; } } -#endif /* MBEDTLS_ECP_LIGHT */ +#endif /* MBEDTLS_ECP_C */ #if defined(MBEDTLS_PK_PARSE_C) /** \ingroup pk_module */ diff --git a/library/pk_internal.h b/library/pk_internal.h new file mode 100644 index 000000000..a51482e0e --- /dev/null +++ b/library/pk_internal.h @@ -0,0 +1,68 @@ +/** + * \file pk_internal.h + * + * \brief Public Key abstraction layer: internal (i.e. library only) functions + * and definitions. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#ifndef MBEDTLS_PK_INTERNAL_H +#define MBEDTLS_PK_INTERNAL_H + +#if defined(MBEDTLS_ECP_LIGHT) +#include "mbedtls/ecp.h" +#endif + +#if defined(MBEDTLS_ECP_LIGHT) +/** + * Public function mbedtls_pk_ec() can be used to get direct access to the + * wrapped ecp_keypair strucure pointed to the pk_ctx. However this is not + * ideal because it bypasses the PK module on the control of its internal's + * structure (pk_context) fields. + * For backward compatibility we keep mbedtls_pk_ec() when ECP_C is defined, but + * we provide 2 very similar function when only ECP_LIGHT is enabled and not + * ECP_C. + * These variants embed the "ro" or "rw" keywords in their name to make the + * usage of the returned pointer explicit. Of course the returned value is + * const or non-const accordingly. + */ +static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_context pk) +{ + switch (mbedtls_pk_get_type(&pk)) { + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx); + default: + return NULL; + } +} + +static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk) +{ + switch (mbedtls_pk_get_type(&pk)) { + case MBEDTLS_PK_ECKEY: + case MBEDTLS_PK_ECKEY_DH: + case MBEDTLS_PK_ECDSA: + return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx); + default: + return NULL; + } +} +#endif /* MBEDTLS_ECP_LIGHT */ + +#endif /* MBEDTLS_PK_INTERNAL_H */ From 77a75685ed955ec163230b857dfd4cb5648dd339 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 15 May 2023 11:18:46 +0200 Subject: [PATCH 2/4] pk: align library and tests code to the new internal functions Note = programs are not aligned to this change because: - the original mbedtls_pk_ec is not ufficially deprecated - that function is used in tests when ECP_C is defined, so the legacy version of that function is available in that case Signed-off-by: Valerio Setti --- include/mbedtls/x509.h | 1 + library/pk.c | 2 +- library/pkparse.c | 21 +++++++------- library/pkwrite.c | 9 +++--- library/ssl_tls.c | 4 +-- library/ssl_tls12_client.c | 2 +- library/ssl_tls12_server.c | 6 ++-- library/x509_crt.c | 2 +- tests/suites/test_suite_pk.function | 35 ++++++++++++------------ tests/suites/test_suite_pkparse.function | 9 +++--- 10 files changed, 48 insertions(+), 43 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 7faf176b5..ba2396a5b 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -27,6 +27,7 @@ #include "mbedtls/asn1.h" #include "mbedtls/pk.h" +#include "pk_internal.h" #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" diff --git a/library/pk.c b/library/pk.c index 71ab60d54..d92de6945 100644 --- a/library/pk.c +++ b/library/pk.c @@ -879,7 +879,7 @@ int mbedtls_pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_status_t status; /* export the private key material in the format PSA wants */ - ec = mbedtls_pk_ec(*pk); + ec = mbedtls_pk_ec_rw(*pk); d_len = PSA_BITS_TO_BYTES(ec->grp.nbits); if ((ret = mbedtls_ecp_write_key(ec, d, d_len)) != 0) { return ret; diff --git a/library/pkparse.c b/library/pkparse.c index ade8a04ca..87b707dc8 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -26,6 +26,7 @@ #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "pk_internal.h" #include @@ -795,14 +796,14 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, if (pk_alg == MBEDTLS_PK_ECKEY_DH || pk_alg == MBEDTLS_PK_ECKEY) { #if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) if (mbedtls_pk_is_rfc8410_curve(ec_grp_id)) { - ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, &mbedtls_pk_ec(*pk)->grp); + ret = pk_use_ecparams_rfc8410(&alg_params, ec_grp_id, &mbedtls_pk_ec_rw(*pk)->grp); } else #endif { - ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec(*pk)->grp); + ret = pk_use_ecparams(&alg_params, &mbedtls_pk_ec_rw(*pk)->grp); } if (ret == 0) { - ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec(*pk)); + ret = pk_get_ecpubkey(p, end, mbedtls_pk_ec_rw(*pk)); } } else #endif /* MBEDTLS_ECP_LIGHT */ @@ -1231,10 +1232,10 @@ static int pk_parse_key_pkcs8_unencrypted_der( if (pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) { #if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) if (mbedtls_pk_is_rfc8410_curve(ec_grp_id)) { - if ((ret = - pk_use_ecparams_rfc8410(¶ms, ec_grp_id, &mbedtls_pk_ec(*pk)->grp)) != 0 || + if ((ret = pk_use_ecparams_rfc8410(¶ms, ec_grp_id, + &mbedtls_pk_ec_rw(*pk)->grp)) != 0 || (ret = - pk_parse_key_rfc8410_der(mbedtls_pk_ec(*pk), p, len, end, f_rng, + pk_parse_key_rfc8410_der(mbedtls_pk_ec_rw(*pk), p, len, end, f_rng, p_rng)) != 0) { mbedtls_pk_free(pk); return ret; @@ -1242,8 +1243,8 @@ static int pk_parse_key_pkcs8_unencrypted_der( } else #endif { - if ((ret = pk_use_ecparams(¶ms, &mbedtls_pk_ec(*pk)->grp)) != 0 || - (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), p, len, f_rng, p_rng)) != 0) { + if ((ret = pk_use_ecparams(¶ms, &mbedtls_pk_ec_rw(*pk)->grp)) != 0 || + (ret = pk_parse_key_sec1_der(mbedtls_pk_ec_rw(*pk), p, len, f_rng, p_rng)) != 0) { mbedtls_pk_free(pk); return ret; } @@ -1430,7 +1431,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk, pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY); if ((ret = mbedtls_pk_setup(pk, pk_info)) != 0 || - (ret = pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), + (ret = pk_parse_key_sec1_der(mbedtls_pk_ec_rw(*pk), pem.buf, pem.buflen, f_rng, p_rng)) != 0) { mbedtls_pk_free(pk); @@ -1554,7 +1555,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk, #if defined(MBEDTLS_ECP_LIGHT) pk_info = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY); if (mbedtls_pk_setup(pk, pk_info) == 0 && - pk_parse_key_sec1_der(mbedtls_pk_ec(*pk), + pk_parse_key_sec1_der(mbedtls_pk_ec_rw(*pk), key, keylen, f_rng, p_rng) == 0) { return 0; } diff --git a/library/pkwrite.c b/library/pkwrite.c index 88729534d..1f606a448 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -26,6 +26,7 @@ #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" +#include "pk_internal.h" #include @@ -182,7 +183,7 @@ int mbedtls_pk_write_pubkey(unsigned char **p, unsigned char *start, #endif #if defined(MBEDTLS_ECP_LIGHT) if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) { - MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, mbedtls_pk_ec(*key))); + MBEDTLS_ASN1_CHK_ADD(len, pk_write_ec_pubkey(p, start, mbedtls_pk_ec_rw(*key))); } else #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -246,7 +247,7 @@ int mbedtls_pk_write_pubkey_der(const mbedtls_pk_context *key, unsigned char *bu pk_type = mbedtls_pk_get_type(key); #if defined(MBEDTLS_ECP_LIGHT) if (pk_type == MBEDTLS_PK_ECKEY) { - ec_grp_id = mbedtls_pk_ec(*key)->grp.id; + ec_grp_id = mbedtls_pk_ec_ro(*key)->grp.id; } #endif /* MBEDTLS_ECP_LIGHT */ #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -469,7 +470,7 @@ end_of_export: #endif /* MBEDTLS_RSA_C */ #if defined(MBEDTLS_ECP_LIGHT) if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) { - mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*key); + mbedtls_ecp_keypair *ec = mbedtls_pk_ec_rw(*key); size_t pub_len = 0, par_len = 0; #if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) @@ -591,7 +592,7 @@ int mbedtls_pk_write_key_pem(const mbedtls_pk_context *key, unsigned char *buf, #if defined(MBEDTLS_ECP_LIGHT) if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) { #if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) - if (mbedtls_pk_is_rfc8410_curve(mbedtls_pk_ec(*key)->grp.id)) { + if (mbedtls_pk_is_rfc8410_curve(mbedtls_pk_ec_ro(*key)->grp.id)) { begin = PEM_BEGIN_PRIVATE_KEY_PKCS8; end = PEM_END_PRIVATE_KEY_PKCS8; } else diff --git a/library/ssl_tls.c b/library/ssl_tls.c index cd8716471..fe666e88c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7388,9 +7388,9 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, /* and in the unlikely case the above assumption no longer holds * we are making sure that pk_ec() here does not return a NULL */ - const mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); + const mbedtls_ecp_keypair *ec = mbedtls_pk_ec_ro(*pk); if (ec == NULL) { - MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_pk_ec() returned NULL")); + MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_pk_ec_ro() returned NULL")); return MBEDTLS_ERR_SSL_INTERNAL_ERROR; } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index d94d8295c..0940bdb67 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2007,7 +2007,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; } - peer_key = mbedtls_pk_ec(*peer_pk); + peer_key = mbedtls_pk_ec_ro(*peer_pk); #if defined(MBEDTLS_USE_PSA_CRYPTO) size_t olen = 0; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index ac6c10d41..38a3fc422 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -666,7 +666,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk, uint16_t *curves_tls_id) { uint16_t *curr_tls_id = curves_tls_id; - mbedtls_ecp_group_id grp_id = mbedtls_pk_ec(*pk)->grp.id; + mbedtls_ecp_group_id grp_id = mbedtls_pk_ec_ro(*pk)->grp.id; mbedtls_ecp_group_id curr_grp_id; while (*curr_tls_id != 0) { @@ -2636,7 +2636,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) case MBEDTLS_PK_ECKEY: case MBEDTLS_PK_ECKEY_DH: case MBEDTLS_PK_ECDSA: - key = mbedtls_pk_ec(*pk); + key = mbedtls_pk_ec_ro(*pk); if (key == NULL) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } @@ -2704,7 +2704,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) } if ((ret = mbedtls_ecdh_get_params(&ssl->handshake->ecdh_ctx, - mbedtls_pk_ec(*mbedtls_ssl_own_key(ssl)), + mbedtls_pk_ec_ro(*mbedtls_ssl_own_key(ssl)), MBEDTLS_ECDH_OURS)) != 0) { MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ecdh_get_params"), ret); return ret; diff --git a/library/x509_crt.c b/library/x509_crt.c index 6d62e4494..2f6d9248c 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -237,7 +237,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile, if (pk_alg == MBEDTLS_PK_ECDSA || pk_alg == MBEDTLS_PK_ECKEY || pk_alg == MBEDTLS_PK_ECKEY_DH) { - const mbedtls_ecp_group_id gid = mbedtls_pk_ec(*pk)->grp.id; + const mbedtls_ecp_group_id gid = mbedtls_pk_ec_ro(*pk)->grp.id; if (gid == MBEDTLS_ECP_DP_NONE) { return -1; diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index 059102925..f36c6be3c 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -6,6 +6,7 @@ #include "mbedtls/base64.h" #include "mbedtls/ecp.h" #include "mbedtls/rsa.h" +#include "pk_internal.h" #include "hash_info.h" @@ -101,20 +102,20 @@ static int pk_genkey(mbedtls_pk_context *pk, int parameter) mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECKEY_DH || mbedtls_pk_get_type(pk) == MBEDTLS_PK_ECDSA) { int ret; - if ((ret = mbedtls_ecp_group_load(&mbedtls_pk_ec(*pk)->grp, + if ((ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, parameter)) != 0) { return ret; } #if defined(MBEDTLS_USE_PSA_CRYPTO) - return pk_genkey_ec(&mbedtls_pk_ec(*pk)->grp, - &mbedtls_pk_ec(*pk)->d, - &mbedtls_pk_ec(*pk)->Q); + return pk_genkey_ec(&mbedtls_pk_ec_rw(*pk)->grp, + &mbedtls_pk_ec_rw(*pk)->d, + &mbedtls_pk_ec_rw(*pk)->Q); #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_ECP_C) - return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec(*pk)->grp, - &mbedtls_pk_ec(*pk)->d, - &mbedtls_pk_ec(*pk)->Q, + return mbedtls_ecp_gen_keypair(&mbedtls_pk_ec_rw(*pk)->grp, + &mbedtls_pk_ec_rw(*pk)->d, + &mbedtls_pk_ec_rw(*pk)->Q, mbedtls_test_rnd_std_rand, NULL); #endif /* MBEDTLS_ECP_C */ } @@ -709,7 +710,7 @@ void pk_ec_test_vec(int type, int id, data_t *key, data_t *hash, TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0); TEST_ASSERT(mbedtls_pk_can_do(&pk, MBEDTLS_PK_ECDSA)); - eckey = mbedtls_pk_ec(pk); + eckey = mbedtls_pk_ec_rw(pk); TEST_ASSERT(mbedtls_ecp_group_load(&eckey->grp, id) == 0); TEST_ASSERT(mbedtls_ecp_point_read_binary(&eckey->grp, &eckey->Q, @@ -745,12 +746,12 @@ void pk_sign_verify_restart(int pk_type, int grp_id, char *d_str, memset(sig, 0, sizeof(sig)); TEST_ASSERT(mbedtls_pk_setup(&prv, mbedtls_pk_info_from_type(pk_type)) == 0); - TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec(prv)->grp, grp_id) == 0); - TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec(prv)->d, d_str) == 0); + TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(prv)->grp, grp_id) == 0); + TEST_ASSERT(mbedtls_test_read_mpi(&mbedtls_pk_ec_rw(prv)->d, d_str) == 0); TEST_ASSERT(mbedtls_pk_setup(&pub, mbedtls_pk_info_from_type(pk_type)) == 0); - TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec(pub)->grp, grp_id) == 0); - TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec(pub)->Q, 16, QX_str, QY_str) == 0); + TEST_ASSERT(mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(pub)->grp, grp_id) == 0); + TEST_ASSERT(mbedtls_ecp_point_read_string(&mbedtls_pk_ec_rw(pub)->Q, 16, QX_str, QY_str) == 0); mbedtls_ecp_set_max_ops(max_ops); @@ -1316,8 +1317,8 @@ void pk_psa_sign(int parameter_arg, /* mbedtls_pk_write_pubkey_der() writes backwards in the data buffer. */ pkey_legacy_start = pkey_legacy + sizeof(pkey_legacy) - klen_legacy; #else - ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec(pk)->grp), - &(mbedtls_pk_ec(pk)->Q), + ret = mbedtls_ecp_point_write_binary(&(mbedtls_pk_ec_ro(pk)->grp), + &(mbedtls_pk_ec_ro(pk)->Q), MBEDTLS_ECP_PF_UNCOMPRESSED, &klen_legacy, pkey_legacy, sizeof(pkey_legacy)); @@ -1379,10 +1380,10 @@ void pk_psa_sign(int parameter_arg, TEST_EQUAL(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0); TEST_EQUAL(mbedtls_ecp_group_load( - &(mbedtls_pk_ec(pk)->grp), + &(mbedtls_pk_ec_rw(pk)->grp), (mbedtls_ecp_group_id) parameter_arg), 0); - TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec(pk)->grp), - &(mbedtls_pk_ec(pk)->Q), + TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp), + &(mbedtls_pk_ec_rw(pk)->Q), pkey_legacy_start, klen_legacy), 0); #endif TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function index 838a7dba7..e0e33000d 100644 --- a/tests/suites/test_suite_pkparse.function +++ b/tests/suites/test_suite_pkparse.function @@ -3,6 +3,7 @@ #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "mbedtls/ecp.h" +#include "pk_internal.h" /* END_HEADER */ /* BEGIN_DEPENDENCIES @@ -83,9 +84,9 @@ void pk_parse_public_keyfile_ec(char *key_file, int result) TEST_ASSERT(res == result); if (res == 0) { - mbedtls_ecp_keypair *eckey; + const mbedtls_ecp_keypair *eckey; TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY)); - eckey = mbedtls_pk_ec(ctx); + eckey = mbedtls_pk_ec_ro(ctx); TEST_ASSERT(mbedtls_ecp_check_pubkey(&eckey->grp, &eckey->Q) == 0); } @@ -110,9 +111,9 @@ void pk_parse_keyfile_ec(char *key_file, char *password, int result) TEST_ASSERT(res == result); if (res == 0) { - mbedtls_ecp_keypair *eckey; + const mbedtls_ecp_keypair *eckey; TEST_ASSERT(mbedtls_pk_can_do(&ctx, MBEDTLS_PK_ECKEY)); - eckey = mbedtls_pk_ec(ctx); + eckey = mbedtls_pk_ec_ro(ctx); TEST_ASSERT(mbedtls_ecp_check_privkey(&eckey->grp, &eckey->d) == 0); } From 3f00b84dd1721256501e4b8b4f3fada29cff0e75 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 15 May 2023 12:57:06 +0200 Subject: [PATCH 3/4] pk: fix build issues Signed-off-by: Valerio Setti --- include/mbedtls/x509.h | 1 - library/pk.c | 1 + library/ssl_misc.h | 1 + library/ssl_tls12_server.c | 2 +- library/x509_crt.c | 1 + 5 files changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index ba2396a5b..7faf176b5 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -27,7 +27,6 @@ #include "mbedtls/asn1.h" #include "mbedtls/pk.h" -#include "pk_internal.h" #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" diff --git a/library/pk.c b/library/pk.c index d92de6945..7e772829a 100644 --- a/library/pk.c +++ b/library/pk.c @@ -23,6 +23,7 @@ #include "mbedtls/pk.h" #include "pk_wrap.h" #include "pkwrite.h" +#include "pk_internal.h" #include "hash_info.h" diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d7c47e661..17149c59e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -55,6 +55,7 @@ #endif #include "mbedtls/pk.h" +#include "pk_internal.h" #include "common.h" /* Shorthand for restartable ECC */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 38a3fc422..aa3e306a4 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2636,7 +2636,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) case MBEDTLS_PK_ECKEY: case MBEDTLS_PK_ECKEY_DH: case MBEDTLS_PK_ECDSA: - key = mbedtls_pk_ec_ro(*pk); + key = mbedtls_pk_ec_rw(*pk); if (key == NULL) { return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; } diff --git a/library/x509_crt.c b/library/x509_crt.c index 2f6d9248c..34a561359 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -50,6 +50,7 @@ #endif /* MBEDTLS_USE_PSA_CRYPTO */ #include "hash_info.h" #include "x509_invasive.h" +#include "pk_internal.h" #include "mbedtls/platform.h" From f70b3e08b15cbd84d444861c6f47d8a1ab13d9b8 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 15 May 2023 12:57:40 +0200 Subject: [PATCH 4/4] pk: fix: explicilty set const in casted value in mbedtls_pk_ec_ro Signed-off-by: Valerio Setti --- library/pk_internal.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pk_internal.h b/library/pk_internal.h index a51482e0e..7c4f28571 100644 --- a/library/pk_internal.h +++ b/library/pk_internal.h @@ -46,7 +46,7 @@ static inline const mbedtls_ecp_keypair *mbedtls_pk_ec_ro(const mbedtls_pk_conte case MBEDTLS_PK_ECKEY: case MBEDTLS_PK_ECKEY_DH: case MBEDTLS_PK_ECDSA: - return (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx); + return (const mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx); default: return NULL; }