mbedtls-3.1 update: Removed the MBEDTLS_PRIVATE from multiple files

after they have been again made public in mbedtls-3.1 *Added `MBEDTLS_ALLOW_PRIVATE_ACCESS` in some files.
2025-09-30 19:19:21 +00:00 · 2022-01-05 10:00:35 +05:30
parent 6a164cc5bc
commit 60b167f2d6
13 changed files with 2165 additions and 81 deletions
--- a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
+++ b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c
@@ -1,18 +1,8 @@
-// Copyright 2018-2019 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-
+/*
+ * SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 #include <string.h>
 #include <esp_system.h>
 #include "esp_crt_bundle.h"
@@ -53,28 +43,28 @@ static int esp_crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_k

    mbedtls_x509_crt_init(&parent);

-    if ( (ret = mbedtls_pk_parse_public_key(&parent.MBEDTLS_PRIVATE(pk), pub_key_buf, pub_key_len) ) != 0) {
+    if ( (ret = mbedtls_pk_parse_public_key(&parent.pk, pub_key_buf, pub_key_len) ) != 0) {
        ESP_LOGE(TAG, "PK parse failed with error %X", ret);
        goto cleanup;
    }


    // Fast check to avoid expensive computations when not necessary
-    if (!mbedtls_pk_can_do(&parent.MBEDTLS_PRIVATE(pk), child->MBEDTLS_PRIVATE(sig_pk))) {
+    if (!mbedtls_pk_can_do(&parent.pk, child->MBEDTLS_PRIVATE(sig_pk))) {
        ESP_LOGE(TAG, "Simple compare failed");
        ret = -1;
        goto cleanup;
    }

    md_info = mbedtls_md_info_from_type(child->MBEDTLS_PRIVATE(sig_md));
-    if ( (ret = mbedtls_md( md_info, child->MBEDTLS_PRIVATE(tbs).MBEDTLS_PRIVATE(p), child->MBEDTLS_PRIVATE(tbs).MBEDTLS_PRIVATE(len), hash )) != 0 ) {
+    if ( (ret = mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash )) != 0 ) {
        ESP_LOGE(TAG, "Internal mbedTLS error %X", ret);
        goto cleanup;
    }

-    if ( (ret = mbedtls_pk_verify_ext( child->MBEDTLS_PRIVATE(sig_pk), child->MBEDTLS_PRIVATE(sig_opts), &parent.MBEDTLS_PRIVATE(pk),
+    if ( (ret = mbedtls_pk_verify_ext( child->MBEDTLS_PRIVATE(sig_pk), child->MBEDTLS_PRIVATE(sig_opts), &parent.pk,
                                       child->MBEDTLS_PRIVATE(sig_md), hash, mbedtls_md_get_size( md_info ),
-                                       child->MBEDTLS_PRIVATE(sig).MBEDTLS_PRIVATE(p), child->MBEDTLS_PRIVATE(sig).MBEDTLS_PRIVATE(len) )) != 0 ) {
+                                       child->MBEDTLS_PRIVATE(sig).p, child->MBEDTLS_PRIVATE(sig).len )) != 0 ) {

        ESP_LOGE(TAG, "PK verify failed with error %X", ret);
        goto cleanup;
@@ -125,7 +115,7 @@ int esp_crt_verify_callback(void *buf, mbedtls_x509_crt *crt, int depth, uint32_
        name_len = s_crt_bundle.crts[middle][0] << 8 | s_crt_bundle.crts[middle][1];
        crt_name = s_crt_bundle.crts[middle] + CRT_HEADER_OFFSET;

-        int cmp_res = memcmp(child->MBEDTLS_PRIVATE(issuer_raw).MBEDTLS_PRIVATE(p), crt_name, name_len );
+        int cmp_res = memcmp(child->issuer_raw.p, crt_name, name_len );
        if (cmp_res == 0) {
            crt_found = true;
            break;
--- a/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
+++ b/components/mbedtls/port/dynamic/esp_mbedtls_dynamic_impl.h
@@ -9,6 +9,13 @@

 #include <stddef.h>
 #include <string.h>
+/* ToDo - Remove this once appropriate solution is available.
+We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
+which are undefined if the following flag is not defined */
+/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
+/* ToDo - Replace them with proper getter-setter once they are added */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
 #include "mbedtls/ssl.h"
 #include "ssl_misc.h" // located at mbedtls/library/ssl_misc.h
 #include "mbedtls/platform.h"
--- a/components/mbedtls/port/net_sockets.c
+++ b/components/mbedtls/port/net_sockets.c
@@ -62,7 +62,7 @@ static int net_prepare( void )
 */
 void mbedtls_net_init( mbedtls_net_context *ctx )
 {
-    ctx->MBEDTLS_PRIVATE(fd) = -1;
+    ctx->fd = -1;
 }

 /*
@@ -98,7 +98,7 @@ int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char
        }

        if ( connect( fd, cur->ai_addr, cur->ai_addrlen ) == 0 ) {
-            ctx->MBEDTLS_PRIVATE(fd) = fd; // connected!
+            ctx->fd = fd; // connected!
            ret = 0;
            break;
        }
@@ -175,7 +175,7 @@ int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char
        }

        /* I we ever get there, it's a success */
-        ctx->MBEDTLS_PRIVATE(fd) = fd;
+        ctx->fd = fd;
        ret = 0;
        break;
    }
@@ -224,7 +224,7 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
    socklen_t type_len = (socklen_t) sizeof( type );

    /* Is this a TCP or UDP socket? */
-    if ( getsockopt( bind_ctx->MBEDTLS_PRIVATE(fd), SOL_SOCKET, SO_TYPE,
+    if ( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
                     (void *) &type, (socklen_t *) &type_len ) != 0 ||
            ( type != SOCK_STREAM && type != SOCK_DGRAM ) ) {
        return ( MBEDTLS_ERR_NET_ACCEPT_FAILED );
@@ -232,13 +232,13 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,

    if ( type == SOCK_STREAM ) {
        /* TCP: actual accept() */
-        ret = client_ctx->MBEDTLS_PRIVATE(fd) = (int) accept( bind_ctx->MBEDTLS_PRIVATE(fd),
+        ret = client_ctx->fd = (int) accept( bind_ctx->fd,
                                             (struct sockaddr *) &client_addr, &n );
    } else {
        /* UDP: wait for a message, but keep it in the queue */
        char buf[1] = { 0 };

-        ret = recvfrom( bind_ctx->MBEDTLS_PRIVATE(fd), buf, sizeof( buf ), MSG_PEEK,
+        ret = recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
                        (struct sockaddr *) &client_addr, &n );

    }
@@ -257,24 +257,24 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
        struct sockaddr_in local_addr;
        int one = 1;

-        if ( connect( bind_ctx->MBEDTLS_PRIVATE(fd), (struct sockaddr *) &client_addr, n ) != 0 ) {
+        if ( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 ) {
            return ( MBEDTLS_ERR_NET_ACCEPT_FAILED );
        }

-        client_ctx->MBEDTLS_PRIVATE(fd) = bind_ctx->MBEDTLS_PRIVATE(fd);
-        bind_ctx->MBEDTLS_PRIVATE(fd)   = -1; /* In case we exit early */
+        client_ctx->fd = bind_ctx->fd;
+        bind_ctx->fd   = -1; /* In case we exit early */

        n = sizeof( struct sockaddr_in );
-        if ( getsockname( client_ctx->MBEDTLS_PRIVATE(fd),
+        if ( getsockname( client_ctx->fd,
                          (struct sockaddr *) &local_addr, &n ) != 0 ||
-                ( bind_ctx->MBEDTLS_PRIVATE(fd) = (int) socket( AF_INET,
+                ( bind_ctx->fd = (int) socket( AF_INET,
                                               SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
-                setsockopt( bind_ctx->MBEDTLS_PRIVATE(fd), SOL_SOCKET, SO_REUSEADDR,
+                setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
                            (const char *) &one, sizeof( one ) ) != 0 ) {
            return ( MBEDTLS_ERR_NET_SOCKET_FAILED );
        }

-        if ( bind( bind_ctx->MBEDTLS_PRIVATE(fd), (struct sockaddr *) &local_addr, n ) != 0 ) {
+        if ( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 ) {
            return ( MBEDTLS_ERR_NET_BIND_FAILED );
        }
    }
@@ -298,12 +298,12 @@ int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
 */
 int mbedtls_net_set_block( mbedtls_net_context *ctx )
 {
-    return ( fcntl( ctx->MBEDTLS_PRIVATE(fd), F_SETFL, fcntl( ctx->MBEDTLS_PRIVATE(fd), F_GETFL, 0 ) & ~O_NONBLOCK ) );
+    return ( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL, 0 ) & ~O_NONBLOCK ) );
 }

 int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
 {
-    return ( fcntl( ctx->MBEDTLS_PRIVATE(fd), F_SETFL, fcntl( ctx->MBEDTLS_PRIVATE(fd), F_GETFL, 0 ) | O_NONBLOCK ) );
+    return ( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL, 0 ) | O_NONBLOCK ) );
 }

 /*
@@ -323,7 +323,7 @@ void mbedtls_net_usleep( unsigned long usec )
 int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
 {
    int ret;
-    int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE(fd);
+    int fd = ((mbedtls_net_context *) ctx)->fd;

    if ( fd < 0 ) {
        return ( MBEDTLS_ERR_NET_INVALID_CONTEXT );
@@ -359,7 +359,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
    int ret;
    struct timeval tv;
    fd_set read_fds;
-    int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE(fd);
+    int fd = ((mbedtls_net_context *) ctx)->fd;

    if ( fd < 0 ) {
        return ( MBEDTLS_ERR_NET_INVALID_CONTEXT );
@@ -396,7 +396,7 @@ int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
 int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
 {
    int ret;
-    int fd = ((mbedtls_net_context *) ctx)->MBEDTLS_PRIVATE(fd);
+    int fd = ((mbedtls_net_context *) ctx)->fd;

    if ( fd < 0 ) {
        return ( MBEDTLS_ERR_NET_INVALID_CONTEXT );
@@ -428,14 +428,14 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
 */
 void mbedtls_net_free( mbedtls_net_context *ctx )
 {
-    if ( ctx->MBEDTLS_PRIVATE(fd) == -1 ) {
+    if ( ctx->fd == -1) {
        return;
    }

-    shutdown( ctx->MBEDTLS_PRIVATE(fd), 2 );
-    close( ctx->MBEDTLS_PRIVATE(fd) );
+    shutdown( ctx->fd, 2);
+    close(ctx->fd);

-    ctx->MBEDTLS_PRIVATE(fd) = -1;
+    ctx->fd = -1;
 }

 #endif /* MBEDTLS_NET_C */
--- a/components/mbedtls/test/test_ecp.c
+++ b/components/mbedtls/test/test_ecp.c
@@ -3,7 +3,7 @@
 * Focus on testing functionality where we use ESP32 hardware
 * accelerated crypto features.
 *
- * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -12,6 +12,13 @@
 #include <stdbool.h>
 #include <esp_system.h>

+/* ToDo - Remove this once appropriate solution is available.
+We need to define this for the file as ssl_misc.h uses private structures from mbedtls,
+which are undefined if the following flag is not defined */
+/* Many APIs in the file make use of this flag instead of `MBEDTLS_PRIVATE` */
+/* ToDo - Replace them with proper getter-setter once they are added */
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
+
 #include <mbedtls/entropy.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/ecdh.h>
@@ -36,9 +43,9 @@ TEST_CASE("mbedtls ECDH Generate Key", "[mbedtls]")
    mbedtls_entropy_init(&entropy);
    TEST_ASSERT_MBEDTLS_OK( mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0) );

-    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(&ctx.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_CURVE25519) );
+    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecp_group_load(&ctx.ctx.mbed_ecdh.grp, MBEDTLS_ECP_DP_CURVE25519) );

-    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(&ctx.MBEDTLS_PRIVATE(grp), &ctx.MBEDTLS_PRIVATE(d), &ctx.MBEDTLS_PRIVATE(Q),
+    TEST_ASSERT_MBEDTLS_OK( mbedtls_ecdh_gen_public(&ctx.ctx.mbed_ecdh.grp, &ctx.ctx.mbed_ecdh.d, &ctx.ctx.mbed_ecdh.Q,
                                                    mbedtls_ctr_drbg_random, &ctr_drbg ) );

    mbedtls_ecdh_free(&ctx);
@@ -70,7 +77,7 @@ TEST_CASE("mbedtls ECP mul w/ koblitz", "[mbedtls]")
                                                 mbedtls_ctr_drbg_random, &ctxRandom) );


-    TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.MBEDTLS_PRIVATE(grp), &ctxECDSA.MBEDTLS_PRIVATE(Q), &ctxECDSA.MBEDTLS_PRIVATE(d), &ctxECDSA.MBEDTLS_PRIVATE(grp).G,
+    TEST_ASSERT_MBEDTLS_OK(mbedtls_ecp_mul(&ctxECDSA.grp, &ctxECDSA.Q, &ctxECDSA.d, &ctxECDSA.grp.G,
                                           mbedtls_ctr_drbg_random, &ctxRandom) );

    mbedtls_ecdsa_free(&ctxECDSA);
--- a/components/mbedtls/test/test_rsa.c
+++ b/components/mbedtls/test/test_rsa.c
@@ -3,7 +3,7 @@
 * Focus on testing functionality where we use ESP32 hardware
 * accelerated crypto features
 *
- * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -361,7 +361,7 @@ static void test_cert(const char *cert, const uint8_t *expected_output, size_t o
                                                            strlen(cert)+1),
                                    "parse cert");

-    rsa = mbedtls_pk_rsa(crt.MBEDTLS_PRIVATE(pk));
+    rsa = mbedtls_pk_rsa(crt.pk);
    TEST_ASSERT_NOT_NULL(rsa);

    res = mbedtls_rsa_check_pubkey(rsa);
@@ -542,7 +542,7 @@ TEST_CASE("mbedtls RSA Generate Key", "[mbedtls][timeout=60]")
    esp_task_wdt_add(xTaskGetIdleTaskHandleForCPU(0));
 #endif //CONFIG_MBEDTLS_MPI_USE_INTERRUPT

-    mbedtls_rsa_init(&ctx, MBEDTLS_RSA_PKCS_V15, 0);
+    mbedtls_rsa_init(&ctx);
    mbedtls_ctr_drbg_init(&ctr_drbg);

    mbedtls_entropy_init(&entropy);
--- a/components/mbedtls/test/test_sha_perf.c
+++ b/components/mbedtls/test/test_sha_perf.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -10,6 +10,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdbool.h>
+#include <string.h>
 #include "mbedtls/sha256.h"
 #include "unity.h"
 #include "sdkconfig.h"