diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index f45fc1751..4746c1cb4 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -152,9 +152,9 @@ extern "C" { */ typedef struct mbedtls_asn1_buf { - int MBEDTLS_PRIVATE(tag); /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */ - size_t MBEDTLS_PRIVATE(len); /**< ASN1 length, in octets. */ - unsigned char *MBEDTLS_PRIVATE(p); /**< ASN1 data, e.g. in ASCII. */ + int tag; /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */ + size_t len; /**< ASN1 length, in octets. */ + unsigned char *p; /**< ASN1 data, e.g. in ASCII. */ } mbedtls_asn1_buf; @@ -163,9 +163,9 @@ mbedtls_asn1_buf; */ typedef struct mbedtls_asn1_bitstring { - size_t MBEDTLS_PRIVATE(len); /**< ASN1 length, in octets. */ - unsigned char MBEDTLS_PRIVATE(unused_bits); /**< Number of unused bits at the end of the string */ - unsigned char *MBEDTLS_PRIVATE(p); /**< Raw ASN1 data for the bit string */ + size_t len; /**< ASN1 length, in octets. */ + unsigned char unused_bits; /**< Number of unused bits at the end of the string */ + unsigned char *p; /**< Raw ASN1 data for the bit string */ } mbedtls_asn1_bitstring; @@ -174,8 +174,16 @@ mbedtls_asn1_bitstring; */ typedef struct mbedtls_asn1_sequence { - mbedtls_asn1_buf MBEDTLS_PRIVATE(buf); /**< Buffer containing the given ASN.1 item. */ - struct mbedtls_asn1_sequence *MBEDTLS_PRIVATE(next); /**< The next entry in the sequence. */ + mbedtls_asn1_buf buf; /**< Buffer containing the given ASN.1 item. */ + + /** The next entry in the sequence. + * + * The details of memory management for sequences are not documented and + * may change in future versions. Set this field to \p NULL when + * initializing a structure, and do not modify it except via Mbed TLS + * library functions. + */ + struct mbedtls_asn1_sequence *next; } mbedtls_asn1_sequence; 
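Review bot: In the mbedtls_asn1_buf hunk, `p` becomes directly readable by applications while its comment still reads `ASN1 data, e.g. in ASCII`, which suggests a C string. The structure carries an explicit `len` and nothing here says the data is NUL-terminated, so callers that pass `p` to string functions risk reading past the item. I would reword the comment to `/**< ASN1 data, e.g. in ASCII. Not NUL-terminated; use len. */`, assuming no terminator is stored, as the separate length field implies; this is worth confirming against the parser. The same applies to `p` in mbedtls_asn1_bitstring in the next hunk.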
@@ -184,10 +192,24 @@ mbedtls_asn1_sequence; */ typedef struct mbedtls_asn1_named_data { - mbedtls_asn1_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */ - mbedtls_asn1_buf MBEDTLS_PRIVATE(val); /**< The named value. */ - struct mbedtls_asn1_named_data *MBEDTLS_PRIVATE(next); /**< The next entry in the sequence. */ - unsigned char MBEDTLS_PRIVATE(next_merged); /**< Merge next item into the current one? */ + mbedtls_asn1_buf oid; /**< The object identifier. */ + mbedtls_asn1_buf val; /**< The named value. */ + + /** The next entry in the sequence. + * + * The details of memory management for named data sequences are not + * documented and may change in future versions. Set this field to \p NULL + * when initializing a structure, and do not modify it except via Mbed TLS + * library functions. + */ + struct mbedtls_asn1_named_data *next; + + /** Merge next item into the current one? + * + * This field exists for the sake of Mbed TLS's X.509 certificate parsing + * code and may change in future versions of the library. + */ + unsigned char MBEDTLS_PRIVATE(next_merged); } mbedtls_asn1_named_data; diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index 9c9a2e88c..b4630f63c 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -258,6 +258,13 @@ typedef struct mbedtls_cmac_context_t mbedtls_cmac_context_t; /** * Cipher information. Allows calling cipher functions * in a generic way. + * + * \note The library does not support custom cipher info structures, + * only built-in structures returned by the functions + * mbedtls_cipher_info_from_string(), + * mbedtls_cipher_info_from_type(), + * mbedtls_cipher_info_from_values(), + * mbedtls_cipher_info_from_psa(). */ typedef struct mbedtls_cipher_info_t { 
@@ -414,6 +421,82 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_values( const mbedtls_ciph int key_bitlen, const mbedtls_cipher_mode_t mode ); +/** + * \brief Retrieve the identifier for a cipher info structure. + * + * \param[in] info The cipher info structure to query. + * This may be \c NULL. + * + * \return The full cipher identifier (\c MBEDTLS_CIPHER_xxx). + * \return #MBEDTLS_CIPHER_NONE if \p info is \c NULL. + */ +static inline mbedtls_cipher_type_t mbedtls_cipher_info_get_type( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( MBEDTLS_CIPHER_NONE ); + else + return( info->MBEDTLS_PRIVATE(type) ); +} + +/** + * \brief Retrieve the operation mode for a cipher info structure. + * + * \param[in] info The cipher info structure to query. + * This may be \c NULL. + * + * \return The cipher mode (\c MBEDTLS_MODE_xxx). + * \return #MBEDTLS_MODE_NONE if \p info is \c NULL. + */ +static inline mbedtls_cipher_mode_t mbedtls_cipher_info_get_mode( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( MBEDTLS_MODE_NONE ); + else + return( info->MBEDTLS_PRIVATE(mode) ); +} + +/** + * \brief Retrieve the key size for a cipher info structure. + * + * \param[in] info The cipher info structure to query. + * This may be \c NULL. + * + * \return The key length in bits. + * For variable-sized ciphers, this is the default length. + * For DES, this includes the parity bits. + * \return \c 0 if \p info is \c NULL. + */ +static inline size_t mbedtls_cipher_info_get_key_bitlen( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( 0 ); + else + return( info->MBEDTLS_PRIVATE(key_bitlen) ); +} + +/** + * \brief Retrieve the human-readable name for a + * cipher info structure. + * + * \param[in] info The cipher info structure to query. + * This may be \c NULL. + * + * \return The cipher name, which is a human readable string, + * with static storage duration. + * \return \c NULL if \c info is \p NULL. 
+ */ +static inline const char *mbedtls_cipher_info_get_name( + const mbedtls_cipher_info_t *info ) +{ + if( info == NULL ) + return( NULL ); + else + return( info->MBEDTLS_PRIVATE(name) ); +} + /** * \brief This function initializes a \p cipher_context as NONE. * diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 384d0608a..b2a2e3256 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -147,13 +147,17 @@ typedef enum /** * Curve information, for use by other modules. + * + * The fields of this structure are part of the public API and can be + * accessed directly by applications. Future versions of the library may + * add extra fields or reorder existing fields. */ typedef struct mbedtls_ecp_curve_info { - mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id); /*!< An internal identifier. */ - uint16_t MBEDTLS_PRIVATE(tls_id); /*!< The TLS NamedCurve identifier. */ - uint16_t MBEDTLS_PRIVATE(bit_size); /*!< The curve size in bits. */ - const char *MBEDTLS_PRIVATE(name); /*!< A human-friendly name. */ + mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */ + uint16_t tls_id; /*!< The TLS NamedCurve identifier. */ + uint16_t bit_size; /*!< The curve size in bits. */ + const char *name; /*!< A human-friendly name. */ } mbedtls_ecp_curve_info; /** diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index c8214a233..0c754b122 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h @@ -94,7 +94,13 @@ extern "C" { */ typedef struct mbedtls_net_context { - int MBEDTLS_PRIVATE(fd); /**< The underlying file descriptor */ + /** The underlying file descriptor. + * + * This field is only guaranteed to be present on POSIX/Unix-like platforms. + * On other platforms, it may have a different type, have a different + * meaning, or be absent altogether. + */ + int fd; } mbedtls_net_context; diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index ded52225f..5f9f29ff6 100644 --- a/include/mbedtls/pk.h 
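Review bot: The last `\return` line of mbedtls_cipher_info_get_name() has its Doxygen markers swapped: it reads `\c NULL if \c info is \p NULL`, while the three accessors above it use `\p info` and `\c NULL`. Change it to `\return \c NULL if \p info is \c NULL.` so the parameter reference renders consistently. It would also help to say on mbedtls_cipher_info_get_key_bitlen() that the `size_t` result has to be narrowed for mbedtls_cipher_setkey(), since every caller in this commit adds an `(int)` cast.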
+++ b/include/mbedtls/pk.h @@ -186,6 +186,10 @@ typedef struct mbedtls_pk_debug_item /** * \brief Public key information and operations + * + * \note The library does not support custom pk info structures, + * only built-in structures returned by + * mbedtls_cipher_info_from_type(). */ typedef struct mbedtls_pk_info_t mbedtls_pk_info_t; diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index f6f2e5805..6f6354591 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -369,7 +369,7 @@ static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group( if( curve_info == NULL ) return( 0 ); return( PSA_KEY_TYPE_ECC_KEY_PAIR( - mbedtls_ecc_group_to_psa( curve_info->MBEDTLS_PRIVATE(grp_id), bits ) ) ); + mbedtls_ecc_group_to_psa( curve_info->grp_id, bits ) ) ); } #endif /* MBEDTLS_ECP_C */ diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index df187cb09..9a4be95a3 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -246,8 +246,8 @@ typedef mbedtls_asn1_sequence mbedtls_x509_sequence; /** Container for date and time (precision in seconds). */ typedef struct mbedtls_x509_time { - int MBEDTLS_PRIVATE(year), MBEDTLS_PRIVATE(mon), MBEDTLS_PRIVATE(day); /**< Date. */ - int MBEDTLS_PRIVATE(hour), MBEDTLS_PRIVATE(min), MBEDTLS_PRIVATE(sec); /**< Time. */ + int year, mon, day; /**< Date. */ + int hour, min, sec; /**< Time. */ } mbedtls_x509_time; diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h index 9331827bb..52bd43cd3 100644 --- a/include/mbedtls/x509_crl.h +++ b/include/mbedtls/x509_crl.h 
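Review bot: The `\note` added to mbedtls_pk_info_t names `mbedtls_cipher_info_from_type()` as the source of built-in structures, which looks copied from the cipher.h note; that function returns a cipher info, not a pk info. The note should name the pk lookup function instead, presumably `mbedtls_pk_info_from_type()`. As written it sends readers to the wrong module to obtain a valid structure.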
@@ -43,18 +43,30 @@ extern "C" { /** * Certificate revocation list entry. * Contains the CA-specific serial numbers and revocation dates. + * + * Some fields of this structure are publicly readable. Do not modify + * them except via Mbed TLS library functions: the effect of modifying + * those fields or the data that those fields points to is unspecified. */ typedef struct mbedtls_x509_crl_entry { - mbedtls_x509_buf MBEDTLS_PRIVATE(raw); + /** Direct access to the whole entry inside the containing buffer. */ + mbedtls_x509_buf raw; + /** The serial number of the revoked certificate. */ + mbedtls_x509_buf serial; + /** The revocation date of this entry. */ + mbedtls_x509_time revocation_date; + /** Direct access to the list of CRL entry extensions + * (an ASN.1 constructed sequence). + * + * If there are no extensions, `entry_ext.len == 0` and + * `entry_ext.p == NULL`. */ + mbedtls_x509_buf entry_ext; - mbedtls_x509_buf MBEDTLS_PRIVATE(serial); - - mbedtls_x509_time MBEDTLS_PRIVATE(revocation_date); - - mbedtls_x509_buf MBEDTLS_PRIVATE(entry_ext); - - struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next); + /** Next element in the linked list of entries. + * \p NULL indicates the end of the list. + * Do not modify this field directly. */ + struct mbedtls_x509_crl_entry *next; } mbedtls_x509_crl_entry; 
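Review bot: The sentence added to the mbedtls_x509_crl_entry comment has a subject-verb slip: `the data that those fields points to` should read `the data that those fields point to`. The same sentence is added with the same slip to mbedtls_x509_crt in x509_crt.h, while the x509_csr.h copy already has `point to`. This text is the only statement of the read-only contract for the newly public fields, so the three copies are worth keeping identical.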
@@ -64,22 +76,22 @@ mbedtls_x509_crl_entry; */ typedef struct mbedtls_x509_crl { - mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */ - mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */ + mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ + mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ - int MBEDTLS_PRIVATE(version); /**< CRL version (1=v1, 2=v2) */ - mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< CRL signature type identifier */ + int version; /**< CRL version (1=v1, 2=v2) */ + mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */ - mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). */ + mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */ - mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */ + mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ - mbedtls_x509_time MBEDTLS_PRIVATE(this_update); - mbedtls_x509_time MBEDTLS_PRIVATE(next_update); + mbedtls_x509_time this_update; + mbedtls_x509_time next_update; - mbedtls_x509_crl_entry MBEDTLS_PRIVATE(entry); /**< The CRL entries containing the certificate revocation times for this CA. */ + mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(crl_ext); + mbedtls_x509_buf crl_ext; mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2); mbedtls_x509_buf MBEDTLS_PRIVATE(sig); 
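Review bot: `raw` and `tbs` in mbedtls_x509_crl become public here with comments that still describe certificate data (`The raw certificate data (DER)`, `The raw certificate body (DER)`), although the structure holds a CRL. Suggest `/**< The raw CRL data (DER). */` and `/**< The raw CRL body (DER). The part that is To Be Signed. */`. `this_update`, `next_update` and `crl_ext` also become public with no field comment at all; a one-line description of each would help callers that read `next_update` to judge CRL freshness.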
@@ -87,7 +99,10 @@ typedef struct mbedtls_x509_crl mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ - struct mbedtls_x509_crl *MBEDTLS_PRIVATE(next); + /** Next element in the linked list of CRL. + * \p NULL indicates the end of the list. + * Do not modify this field directly. */ + struct mbedtls_x509_crl *next; } mbedtls_x509_crl; diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 49211a948..3c11a9989 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h 
@@ -45,36 +45,40 @@ extern "C" { /** * Container for an X.509 certificate. The certificate may be chained. + * + * Some fields of this structure are publicly readable. Do not modify + * them except via Mbed TLS library functions: the effect of modifying + * those fields or the data that those fields points to is unspecified. */ typedef struct mbedtls_x509_crt { int MBEDTLS_PRIVATE(own_buffer); /**< Indicates if \c raw is owned * by the structure or not. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */ - mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */ + mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ + mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ - int MBEDTLS_PRIVATE(version); /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ - mbedtls_x509_buf MBEDTLS_PRIVATE(serial); /**< Unique id for certificate issued by a specific CA. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< Signature algorithm, e.g. sha1RSA */ + int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ + mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ + mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ - mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). Used for quick comparison. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). Used for quick comparison. */ + mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ + mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ - mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */ - mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). 
*/ + mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ + mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ - mbedtls_x509_time MBEDTLS_PRIVATE(valid_from); /**< Start time of certificate validity. */ - mbedtls_x509_time MBEDTLS_PRIVATE(valid_to); /**< End time of certificate validity. */ + mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ + mbedtls_x509_time valid_to; /**< End time of certificate validity. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(pk_raw); - mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */ + mbedtls_x509_buf pk_raw; + mbedtls_pk_context pk; /**< Container for the public key context. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_id); /**< Optional X.509 v2/v3 issuer unique identifier. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(subject_id); /**< Optional X.509 v2/v3 subject unique identifier. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(v3_ext); /**< Optional X.509 v3 extensions. */ - mbedtls_x509_sequence MBEDTLS_PRIVATE(subject_alt_names); /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ + mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ + mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ + mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ + mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ - mbedtls_x509_sequence MBEDTLS_PRIVATE(certificate_policies); /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). 
*/ + mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */ int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */ int MBEDTLS_PRIVATE(ca_istrue); /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ @@ -82,7 +86,7 @@ typedef struct mbedtls_x509_crt unsigned int MBEDTLS_PRIVATE(key_usage); /**< Optional key usage extension value: See the values in x509.h */ - mbedtls_x509_sequence MBEDTLS_PRIVATE(ext_key_usage); /**< Optional list of extended key usage OIDs. */ + mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */ @@ -91,7 +95,10 @@ typedef struct mbedtls_x509_crt mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ - struct mbedtls_x509_crt *MBEDTLS_PRIVATE(next); /**< Next certificate in the CA-chain. */ + /** Next certificate in the linked list that constitutes the CA chain. + * \p NULL indicates the end of the list. + * Do not modify this field directly. */ + struct mbedtls_x509_crt *next; } mbedtls_x509_crt; @@ -100,6 +107,9 @@ mbedtls_x509_crt; * OtherName ::= SEQUENCE { * type-id OBJECT IDENTIFIER, * value [0] EXPLICIT ANY DEFINED BY type-id } + * + * Future versions of the library may add new fields to this structure or + * to its embedded union and structure. */ typedef struct mbedtls_x509_san_other_name { 
@@ -108,7 +118,7 @@ typedef struct mbedtls_x509_san_other_name * To check the value of the type id, you should use * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(type_id); /**< The type id. */ + mbedtls_x509_buf type_id; /**< The type id. */ union { /** @@ -119,26 +129,30 @@ typedef struct mbedtls_x509_san_other_name */ struct { - mbedtls_x509_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(val); /**< The named value. */ + mbedtls_x509_buf oid; /**< The object identifier. */ + mbedtls_x509_buf val; /**< The named value. */ } - MBEDTLS_PRIVATE(hardware_module_name); + hardware_module_name; } - MBEDTLS_PRIVATE(value); + value; } mbedtls_x509_san_other_name; /** - * A structure for holding the parsed Subject Alternative Name, according to type + * A structure for holding the parsed Subject Alternative Name, + * according to type. + * + * Future versions of the library may add new fields to this structure or + * to its embedded union and structure. */ typedef struct mbedtls_x509_subject_alternative_name { - int MBEDTLS_PRIVATE(type); /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ + int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { - mbedtls_x509_san_other_name MBEDTLS_PRIVATE(other_name); /**< The otherName supported type. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(unstructured_name); /**< The buffer for the un constructed types. Only dnsName currently supported */ + mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ + mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ } - MBEDTLS_PRIVATE(san); /**< A union of the supported SAN types */ + san; /**< A union of the supported SAN types */ } mbedtls_x509_subject_alternative_name; diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 674f9ce79..f80a1a130 100644 --- a/include/mbedtls/x509_csr.h 
+++ b/include/mbedtls/x509_csr.h @@ -42,20 +42,24 @@ extern "C" { /** * Certificate Signing Request (CSR) structure. + * + * Some fields of this structure are publicly readable. Do not modify + * them except via Mbed TLS library functions: the effect of modifying + * those fields or the data that those fields point to is unspecified. */ typedef struct mbedtls_x509_csr { - mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw CSR data (DER). */ - mbedtls_x509_buf MBEDTLS_PRIVATE(cri); /**< The raw CertificateRequestInfo body (DER). */ + mbedtls_x509_buf raw; /**< The raw CSR data (DER). */ + mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */ - int MBEDTLS_PRIVATE(version); /**< CSR version (1=v1). */ + int version; /**< CSR version (1=v1). */ - mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). */ - mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */ + mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */ + mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ - mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */ + mbedtls_pk_context pk; /**< Container for the public key context. */ - mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); + mbedtls_x509_buf sig_oid; mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index bce9a1cd7..e998111d9 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c 
@@ -138,16 +138,14 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, ctx->ticket_lifetime = lifetime; cipher_info = mbedtls_cipher_info_from_type( cipher); - if( cipher_info == NULL ) - return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( cipher_info->mode != MBEDTLS_MODE_GCM && - cipher_info->mode != MBEDTLS_MODE_CCM ) + if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM && + mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_CCM ) { return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES ) + if( mbedtls_cipher_info_get_key_bitlen( cipher_info ) > 8 * MAX_KEY_BYTES ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 21a058dd5..f33f106ce 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -689,7 +689,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, unsigned char *mac_dec; size_t mac_key_len = 0; size_t iv_copy_len; - unsigned keylen; + size_t keylen; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; @@ -789,14 +789,14 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * Determine the appropriate key, IV and MAC length. */ - keylen = cipher_info->key_bitlen / 8; + keylen = mbedtls_cipher_info_get_key_bitlen( cipher_info ) / 8; #if defined(MBEDTLS_GCM_C) || \ defined(MBEDTLS_CCM_C) || \ defined(MBEDTLS_CHACHAPOLY_C) - if( cipher_info->mode == MBEDTLS_MODE_GCM || - cipher_info->mode == MBEDTLS_MODE_CCM || - cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) + if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_GCM || + mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CCM || + mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY ) { size_t explicit_ivlen; 
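Review bot: In mbedtls_ssl_ticket_setup() the explicit `cipher_info == NULL` check is dropped, so rejecting an unknown cipher now depends on mbedtls_cipher_info_get_mode() returning MBEDTLS_MODE_NONE for NULL and on that value never passing the mode test. That holds for the lines shown, but any later dereference of `cipher_info` in this function (its body continues outside the hunk) is safe only because of this indirect guard. I would record that next to the check: `/* A NULL cipher_info yields MBEDTLS_MODE_NONE and is rejected here. */`. Keeping the original `if( cipher_info == NULL )` test would cost nothing and would stay correct if the set of accepted modes is ever extended.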
@@ -814,7 +814,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, * sequence number). */ transform->ivlen = 12; - if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY ) + if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY ) transform->fixed_ivlen = 12; else transform->fixed_ivlen = 4; @@ -826,8 +826,8 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, else #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) - if( cipher_info->mode == MBEDTLS_MODE_STREAM || - cipher_info->mode == MBEDTLS_MODE_CBC ) + if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM || + mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC ) { /* Initialize HMAC contexts */ if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 || @@ -845,7 +845,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, transform->ivlen = cipher_info->iv_size; /* Minimum length */ - if( cipher_info->mode == MBEDTLS_MODE_STREAM ) + if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ) transform->minlen = transform->maclen; else { @@ -1060,7 +1060,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, } if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1, - cipher_info->key_bitlen, + (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ), MBEDTLS_ENCRYPT ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); @@ -1068,7 +1068,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, } if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2, - cipher_info->key_bitlen, + (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ), MBEDTLS_DECRYPT ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret ); 
@@ -1076,7 +1076,7 @@ static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform, } #if defined(MBEDTLS_CIPHER_MODE_CBC) - if( cipher_info->mode == MBEDTLS_MODE_CBC ) + if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC ) { if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc, MBEDTLS_PADDING_NONE ) ) != 0 ) diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c index a8026a335..5ed2ece70 100644 --- a/programs/aes/crypt_and_hash.c +++ b/programs/aes/crypt_and_hash.c @@ -124,7 +124,7 @@ int main( int argc, char *argv[] ) while( *list ) { cipher_info = mbedtls_cipher_info_from_type( *list ); - mbedtls_printf( " %s\n", cipher_info->MBEDTLS_PRIVATE(name) ); + mbedtls_printf( " %s\n", mbedtls_cipher_info_get_name( cipher_info ) ); list++; } @@ -309,7 +309,9 @@ int main( int argc, char *argv[] ) } - if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->MBEDTLS_PRIVATE(key_bitlen), + if( mbedtls_cipher_setkey( &cipher_ctx, + digest, + (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ), MBEDTLS_ENCRYPT ) != 0 ) { mbedtls_fprintf( stderr, "mbedtls_cipher_setkey() returned error\n"); @@ -408,7 +410,7 @@ int main( int argc, char *argv[] ) /* * Check the file size. */ - if( cipher_info->MBEDTLS_PRIVATE(mode) != MBEDTLS_MODE_GCM && + if( mbedtls_cipher_info_get_mode( cipher_info ) != MBEDTLS_MODE_GCM && ( ( filesize - mbedtls_md_get_size( md_info ) ) % mbedtls_cipher_get_block_size( &cipher_ctx ) ) != 0 ) { @@ -448,7 +450,9 @@ int main( int argc, char *argv[] ) mbedtls_md_finish( &md_ctx, digest ); } - if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->MBEDTLS_PRIVATE(key_bitlen), + if( mbedtls_cipher_setkey( &cipher_ctx, + digest, + (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ), MBEDTLS_DECRYPT ) != 0 ) { mbedtls_fprintf( stderr, "mbedtls_cipher_setkey() returned error\n" ); diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c index 6b6e9517d..550a230e8 100644 
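Review bot: In the cipher listing loop (first crypt_and_hash.c hunk), mbedtls_cipher_info_get_name() returns NULL when `cipher_info` is NULL, and that NULL would be passed straight to `%s`, which is undefined behaviour. The list presumably holds only types the lookup recognises, so this may be unreachable, but the old code made the same unchecked assumption and the accessor does not remove it. A guard such as `if( cipher_info != NULL )` before the mbedtls_printf() call would make the sample safe to copy.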
--- a/programs/pkey/ecdsa.c +++ b/programs/pkey/ecdsa.c @@ -51,7 +51,7 @@ #define ECPARAMS MBEDTLS_ECP_DP_SECP192R1 #if !defined(ECPARAMS) -#define ECPARAMS mbedtls_ecp_curve_list()->MBEDTLS_PRIVATE(grp_id) +#define ECPARAMS mbedtls_ecp_curve_list()->grp_id #endif #if !defined(MBEDTLS_ECDSA_C) || !defined(MBEDTLS_SHA256_C) || \ diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 4043dfa6e..7535eee3f 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -86,7 +86,7 @@ int dev_random_entropy_poll( void *data, unsigned char *output, #endif #if defined(MBEDTLS_ECP_C) -#define DFL_EC_CURVE mbedtls_ecp_curve_list()->MBEDTLS_PRIVATE(grp_id) +#define DFL_EC_CURVE mbedtls_ecp_curve_list()->grp_id #else #define DFL_EC_CURVE 0 #endif @@ -219,9 +219,9 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_ECP_C) mbedtls_printf( " available ec_curve values:\n" ); curve_info = mbedtls_ecp_curve_list(); - mbedtls_printf( " %s (default)\n", curve_info->MBEDTLS_PRIVATE(name) ); - while( ( ++curve_info )->MBEDTLS_PRIVATE(name) != NULL ) - mbedtls_printf( " %s\n", curve_info->MBEDTLS_PRIVATE(name) ); + mbedtls_printf( " %s (default)\n", curve_info->name ); + while( ( ++curve_info )->name != NULL ) + mbedtls_printf( " %s\n", curve_info->name ); #endif /* MBEDTLS_ECP_C */ goto exit; } @@ -270,7 +270,7 @@ int main( int argc, char *argv[] ) { if( ( curve_info = mbedtls_ecp_curve_info_from_name( q ) ) == NULL ) goto usage; - opt.ec_curve = curve_info->MBEDTLS_PRIVATE(grp_id); + opt.ec_curve = curve_info->grp_id; } #endif else if( strcmp( p, "filename" ) == 0 ) 
@@ -391,7 +391,7 @@ int main( int argc, char *argv[] ) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( key ); mbedtls_printf( "curve: %s\n", - mbedtls_ecp_curve_info_from_grp_id( ecp->MBEDTLS_PRIVATE(grp).id )->MBEDTLS_PRIVATE(name) ); + mbedtls_ecp_curve_info_from_grp_id( ecp->MBEDTLS_PRIVATE(grp).id )->name ); mbedtls_mpi_write_file( "X_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL ); mbedtls_mpi_write_file( "Y_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL ); mbedtls_mpi_write_file( "D: ", &ecp->MBEDTLS_PRIVATE(d) , 16, NULL ); diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index f2570490f..5d1cccbe6 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -226,7 +226,7 @@ int main( void ) mbedtls_ssl_cache_set ); #endif - mbedtls_ssl_conf_ca_chain( &conf, srvcert.MBEDTLS_PRIVATE(next), NULL ); + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 1e0bef6b1..97bfe6806 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -246,13 +246,13 @@ int main( void ) addr.sin_addr.s_addr = *((char *) &ret) == ret ? ADDR_LE : ADDR_BE; ret = 0; - if( ( server_fd.MBEDTLS_PRIVATE(fd) = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) + if( ( server_fd.fd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { ret = socket_failed; goto exit; } - if( connect( server_fd.MBEDTLS_PRIVATE(fd), + if( connect( server_fd.fd, (const struct sockaddr *) &addr, sizeof( addr ) ) < 0 ) { ret = connect_failed; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 542a33460..694fc3b7a 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c 
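Review bot: The `curve:` line in the gen_key.c hunk at line 391 dereferences the result of mbedtls_ecp_curve_info_from_grp_id() with `->name` without checking it. Other lookups on this page are checked for NULL, for example mbedtls_ecp_curve_info_from_name() earlier in the same file, so this one should be too, assuming it can fail the same way for an unrecognised group. Something like `const mbedtls_ecp_curve_info *ci = mbedtls_ecp_curve_info_from_grp_id( ecp->MBEDTLS_PRIVATE(grp).id );` followed by `mbedtls_printf( "curve: %s\n", ci != NULL ? ci->name : "unknown" );` would do. The enclosing block of main() continues outside the hunk.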
@@ -190,7 +190,7 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_conf_ca_chain( &conf, srvcert.MBEDTLS_PRIVATE(next), NULL ); + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index ace657ceb..95557fb05 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -212,7 +212,7 @@ int main( void ) mbedtls_ssl_cache_set ); #endif - mbedtls_ssl_conf_ca_chain( &conf, srvcert.MBEDTLS_PRIVATE(next), NULL ); + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index aab15db2b..3d8f37b64 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -331,7 +331,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( "%s\n", buf ); - cur = cur->MBEDTLS_PRIVATE(next); + cur = cur->next; } /* diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 9a20d6341..763f8684f 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -514,7 +514,7 @@ int main( int argc, char *argv[] ) } ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name), - &issuer_crt.MBEDTLS_PRIVATE(subject) ); + &issuer_crt.subject ); if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); @@ -548,7 +548,7 @@ int main( int argc, char *argv[] ) } ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name), - &csr.MBEDTLS_PRIVATE(subject) ); + &csr.subject ); if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); 
@@ -558,7 +558,7 @@ int main( int argc, char *argv[] )
 }
 opt.subject_name = subject_name;
- subject_key = &csr.MBEDTLS_PRIVATE(pk);
+ subject_key = &csr.pk;
 mbedtls_printf( " ok\n" );
 }
@@ -602,7 +602,7 @@ int main( int argc, char *argv[] )
 //
 if( strlen( opt.issuer_crt ) )
 {
- if( mbedtls_pk_check_pair( &issuer_crt.MBEDTLS_PRIVATE(pk), issuer_key,
+ if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key,
 mbedtls_ctr_drbg_random, &ctr_drbg ) != 0 )
 {
 mbedtls_printf( " failed\n ! issuer_key does not match "
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 674349f76..c809d9a28 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -13,6 +13,59 @@
 #define MBEDTLS_CIPHER_AUTH_CRYPT
 #endif
+/* Check the internal consistency of a cipher info structure, and
+ * check it against mbedtls_cipher_info_from_xxx(). */
+static int check_cipher_info( mbedtls_cipher_type_t type,
+ const mbedtls_cipher_info_t *info )
+{
+ size_t key_bitlen;
+
+ TEST_ASSERT( info != NULL );
+ TEST_EQUAL( type, mbedtls_cipher_info_get_type( info ) );
+ TEST_EQUAL( type, info->type );
+ TEST_ASSERT( mbedtls_cipher_info_from_type( type ) == info );
+
+ TEST_EQUAL( info->mode, mbedtls_cipher_info_get_mode( info ) );
+
+ /* Insist that get_name() return the string from the structure and
+ * not a copy. A copy would have an unknown storage duration. */
+ TEST_ASSERT( mbedtls_cipher_info_get_name( info ) == info->name );
+ TEST_ASSERT( mbedtls_cipher_info_from_string( info->name ) == info );
+
+ key_bitlen = mbedtls_cipher_info_get_key_bitlen( info );
+ if( info->type == MBEDTLS_CIPHER_NULL )
+ TEST_ASSERT( key_bitlen == 0 );
+ else if( info->mode == MBEDTLS_MODE_XTS )
+ {
+ TEST_ASSERT( key_bitlen == 256 ||
+ key_bitlen == 384 ||
+ key_bitlen == 512 );
+ }
+ else if( ! strncmp( info->name, "DES-EDE3-", 9 ) )
+ {
+ TEST_ASSERT( key_bitlen == 192 );
+ }
+ else if( ! strncmp( info->name, "DES-EDE-", 8 ) )
+ {
+ TEST_ASSERT( key_bitlen == 128 );
+ }
+ else if( ! strncmp( info->name, "DES-", 4 ) )
+ {
+ TEST_ASSERT( key_bitlen == 64 );
+ }
+ else
+ {
+ TEST_ASSERT( key_bitlen == 128 ||
+ key_bitlen == 192 ||
+ key_bitlen == 256 );
+ }
+
+ return( 1 );
+
+exit:
+ return( 0 );
+}
+
 #if defined(MBEDTLS_CIPHER_AUTH_CRYPT)
 /* Helper for resetting key/direction
 *
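Review bot: The XTS branch of `check_cipher_info` accepts a 384-bit key length, which looks looser than what the library can use: as far as I know the AES-XTS key setup in Mbed TLS only accepts 256- and 512-bit combined keys, so a cipher info entry advertising 384 bits would pass this consistency check and only fail later at key setup. I would tighten it to `TEST_ASSERT( key_bitlen == 256 || key_bitlen == 512 );`. The final `else` is similarly permissive, since it lets every remaining cipher claim 128, 192 or 256 bits regardless of its type; if that is deliberate, a comment saying the check is only a sanity bound would help the next reader. The DES prefix lengths 9, 8 and 4 are hand-counted, and `sizeof( "DES-EDE3-" ) - 1` would keep each one tied to its literal.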
@@ -81,7 +134,13 @@ void mbedtls_cipher_list( )
 const int *cipher_type;
 for( cipher_type = mbedtls_cipher_list(); *cipher_type != 0; cipher_type++ )
- TEST_ASSERT( mbedtls_cipher_info_from_type( *cipher_type ) != NULL );
+ {
+ const mbedtls_cipher_info_t *info =
+ mbedtls_cipher_info_from_type( *cipher_type );
+ mbedtls_test_set_step( *cipher_type );
+ if( ! check_cipher_info( *cipher_type, info ) )
+ goto exit;
+ }
 }
 /* END_CASE */
@@ -309,6 +368,8 @@ void enc_dec_buf( int cipher_id, char * cipher_string, int key_len,
 cipher_info = mbedtls_cipher_info_from_type( cipher_id );
 TEST_ASSERT( NULL != cipher_info );
 TEST_ASSERT( mbedtls_cipher_info_from_string( cipher_string ) == cipher_info );
+ TEST_ASSERT( strcmp( mbedtls_cipher_info_get_name( cipher_info ),
+ cipher_string ) == 0 );
 /* Initialise enc and dec contexts */
 TEST_ASSERT( 0 == mbedtls_cipher_setup( &ctx_dec, cipher_info ) );