crypto/mbedtls: Add support for mbedtls 3.x

vikramdattu · vikramdattu · commit 38fbb72087f7 · 2025-04-15T09:51:39.000+05:30
- Also clone mbedtls 3.6.x instead of 2.8.x to match with rainmaker's
   version
diff --git a/CMake/Dependencies/libmbedtls-CMakeLists.txt b/CMake/Dependencies/libmbedtls-CMakeLists.txt
@@ -21,7 +21,7 @@ message(STATUS "C flags here are ${CMAKE_C_FLAGS}")
 ExternalProject_Add(
   project_libmbedtls
   GIT_REPOSITORY  https://github.com/ARMmbed/mbedtls.git
-  GIT_TAG         v2.28.8
+  GIT_TAG         v3.6.0
   PREFIX          ${CMAKE_CURRENT_BINARY_DIR}/build
   CMAKE_ARGS
     -DCMAKE_INSTALL_PREFIX=${OPEN_SRC_INSTALL_PREFIX}
diff --git a/src/source/Crypto/Crypto.h b/src/source/Crypto/Crypto.h
@@ -35,7 +35,11 @@ typedef enum {
 #define KVS_RSA_F4                  0x10001L
 #define KVS_MD5_DIGEST_LENGTH       16
 #define KVS_SHA1_DIGEST_LENGTH      20
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+#define KVS_MD5_DIGEST(m, mlen, ob) mbedtls_md5((m), (mlen), (ob));
+#else
 #define KVS_MD5_DIGEST(m, mlen, ob) mbedtls_md5_ret((m), (mlen), (ob));
+#endif
 #define KVS_SHA1_HMAC(k, klen, m, mlen, ob, plen)                                                                                                    \
     CHK(0 == mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), (k), (klen), (m), (mlen), (ob)), STATUS_HMAC_GENERATION_ERROR);             \
     *(plen) = mbedtls_md_get_size(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1));
diff --git a/src/source/Crypto/Dtls.h b/src/source/Crypto/Dtls.h
@@ -208,9 +208,21 @@ INT32 dtlsSessionSendCallback(PVOID, const unsigned char*, ULONG);
 INT32 dtlsSessionReceiveCallback(PVOID, unsigned char*, ULONG);
 VOID dtlsSessionSetTimerCallback(PVOID, UINT32, UINT32);
 INT32 dtlsSessionGetTimerCallback(PVOID);
+
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+void dtlsSessionKeyDerivationCallback(void *customData,
+                                    mbedtls_ssl_key_export_type secret_type,
+                                    const unsigned char *pMasterSecret,
+                                    size_t pMasterSecretLen,
+                                    const unsigned char clientRandom[MAX_DTLS_RANDOM_BYTES_LEN],
+                                    const unsigned char serverRandom[MAX_DTLS_RANDOM_BYTES_LEN],
+                                    mbedtls_tls_prf_types tlsProfile);
+#else
 INT32 dtlsSessionKeyDerivationCallback(PVOID, const unsigned char*, const unsigned char*, ULONG, ULONG, ULONG,
                                        const unsigned char[MAX_DTLS_RANDOM_BYTES_LEN], const unsigned char[MAX_DTLS_RANDOM_BYTES_LEN],
                                        mbedtls_tls_prf_types);
+#endif
+
 #else
 #error "A Crypto implementation is required."
 #endif
diff --git a/src/source/Crypto/Dtls_mbedtls.c b/src/source/Crypto/Dtls_mbedtls.c
@@ -8,6 +8,11 @@ mbedtls_ssl_srtp_profile DTLS_SRTP_SUPPORTED_PROFILES[] = {
     MBEDTLS_TLS_SRTP_UNSET,
 };
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+static mbedtls_ctr_drbg_context ctr_drbg;
+static mbedtls_entropy_context entropy;
+#endif
+
 STATUS createDtlsSession(PDtlsSessionCallbacks pDtlsSessionCallbacks, TIMER_QUEUE_HANDLE timerQueueHandle, INT32 certificateBits,
                          BOOL generateRSACertificate, PRtcCertificate pRtcCertificates, PDtlsSession* ppDtlsSession)
 {
@@ -229,6 +234,37 @@ STATUS dtlsTransmissionTimerCallback(UINT32 timerID, UINT64 currentTime, UINT64
     return retStatus;
 }
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+void dtlsSessionKeyDerivationCallback(void *customData,
+                                    mbedtls_ssl_key_export_type secret_type,
+                                    const unsigned char *pMasterSecret,
+                                    size_t pMasterSecretLen,
+                                    const unsigned char clientRandom[MAX_DTLS_RANDOM_BYTES_LEN],
+                                    const unsigned char serverRandom[MAX_DTLS_RANDOM_BYTES_LEN],
+                                    mbedtls_tls_prf_types tlsProfile)
+{
+    ENTERS();
+
+    /* We're only interested in the TLS 1.2 master secret */
+    if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
+        printf("Secret type is not matching...\n");
+    }
+
+    PDtlsSession pDtlsSession = (PDtlsSession) customData;
+    PTlsKeys pKeys = &pDtlsSession->tlsKeys;
+
+    if (pMasterSecretLen != sizeof(pKeys->masterSecret)) {
+        printf("Length check failed, pMasterSecretLen = %d, sizeof(pKeys->masterSecret) = %d\n",
+               pMasterSecretLen,  sizeof(pKeys->masterSecret));
+    }
+
+    MEMCPY(pKeys->masterSecret, pMasterSecret, pMasterSecretLen);
+    MEMCPY(pKeys->randBytes, clientRandom, MAX_DTLS_RANDOM_BYTES_LEN);
+    MEMCPY(pKeys->randBytes + MAX_DTLS_RANDOM_BYTES_LEN, serverRandom, MAX_DTLS_RANDOM_BYTES_LEN);
+    pKeys->tlsProfile = tlsProfile;
+    LEAVES();
+}
+#else
 INT32 dtlsSessionKeyDerivationCallback(PVOID customData, const unsigned char* pMasterSecret, const unsigned char* pKeyBlock, ULONG maclen,
                                        ULONG keylen, ULONG ivlen, const unsigned char clientRandom[MAX_DTLS_RANDOM_BYTES_LEN],
                                        const unsigned char serverRandom[MAX_DTLS_RANDOM_BYTES_LEN], mbedtls_tls_prf_types tlsProfile)
@@ -247,6 +283,7 @@ INT32 dtlsSessionKeyDerivationCallback(PVOID customData, const unsigned char* pM
     LEAVES();
     return 0;
 }
+#endif
 
 STATUS dtlsSessionHandshakeInThread(PDtlsSession pDtlsSession, BOOL isServer)
 {
@@ -287,11 +324,18 @@ STATUS dtlsSessionStart(PDtlsSession pDtlsSession, BOOL isServer)
     }
     mbedtls_ssl_conf_dtls_cookies(&pDtlsSession->sslCtxConfig, NULL, NULL, NULL);
     CHK(mbedtls_ssl_conf_dtls_srtp_protection_profiles(&pDtlsSession->sslCtxConfig, DTLS_SRTP_SUPPORTED_PROFILES) == 0, STATUS_CREATE_SSL_FAILED);
+
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
     mbedtls_ssl_conf_export_keys_ext_cb(&pDtlsSession->sslCtxConfig, dtlsSessionKeyDerivationCallback, pDtlsSession);
+#endif
 
     CHK(mbedtls_ssl_setup(&pDtlsSession->sslCtx, &pDtlsSession->sslCtxConfig) == 0, STATUS_SSL_CTX_CREATION_FAILED);
     mbedtls_ssl_set_mtu(&pDtlsSession->sslCtx, DEFAULT_MTU_SIZE_BYTES);
     mbedtls_ssl_set_bio(&pDtlsSession->sslCtx, pDtlsSession, dtlsSessionSendCallback, dtlsSessionReceiveCallback, NULL);
+
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    mbedtls_ssl_set_export_keys_cb(&pDtlsSession->sslCtx, dtlsSessionKeyDerivationCallback, pDtlsSession);
+#endif
     mbedtls_ssl_set_timer_cb(&pDtlsSession->sslCtx, &pDtlsSession->transmissionTimer, dtlsSessionSetTimerCallback, dtlsSessionGetTimerCallback);
 
     // Start non-blocking handshaking
@@ -363,7 +407,11 @@ STATUS dtlsSessionProcessPacket(PDtlsSession pDtlsSession, PBYTE pData, PINT32 p
         }
     }
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    if (pDtlsSession->sslCtx.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER) {
+#else
     if (pDtlsSession->sslCtx.state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+#endif
         CHK_STATUS(dtlsSessionChangeState(pDtlsSession, RTC_DTLS_TRANSPORT_STATE_CONNECTED));
     }
 
@@ -504,8 +552,14 @@ STATUS dtlsSessionPopulateKeyingMaterial(PDtlsSession pDtlsSession, PDtlsKeyingM
 
     MEMCPY(pDtlsKeyingMaterial->serverWriteKey + MAX_SRTP_MASTER_KEY_LEN, &keyingMaterialBuffer[offset], MAX_SRTP_SALT_KEY_LEN);
 
+    DLOGI("calling mbedtls_ssl_get_dtls_srtp_negotiation_result");
+
     mbedtls_ssl_get_dtls_srtp_negotiation_result(&pDtlsSession->sslCtx, &negotiatedSRTPProfile);
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    switch (negotiatedSRTPProfile.MBEDTLS_PRIVATE(chosen_dtls_srtp_profile)) {
+#else
     switch (negotiatedSRTPProfile.chosen_dtls_srtp_profile) {
+#endif
         case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
             pDtlsKeyingMaterial->srtpProfile = KVS_SRTP_PROFILE_AES128_CM_HMAC_SHA1_80;
             break;
@@ -520,6 +574,7 @@ STATUS dtlsSessionPopulateKeyingMaterial(PDtlsSession pDtlsSession, PDtlsKeyingM
     if (locked) {
         MUTEX_UNLOCK(pDtlsSession->sslLock);
     }
+    CHK_LOG_ERR(retStatus);
 
     LEAVES();
     return retStatus;
@@ -561,15 +616,35 @@ STATUS copyCertificateAndKey(mbedtls_x509_crt* pCert, mbedtls_pk_context* pKey,
     BOOL initialized = FALSE;
     mbedtls_ecp_keypair *pSrcECP, *pDstECP;
 
+    int ret = 0;
+#if (MBEDTLS_VERSION_NUMBER >= 0x03000000)
+    mbedtls_entropy_init(&entropy);
+    mbedtls_ctr_drbg_init(&ctr_drbg);
+    int mbedtls_ctr_ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
+    if (mbedtls_ctr_ret != 0) {
+        printf("mbedtls_ctr_drbg_seed failed\n");
+        goto CleanUp;
+    }
+#endif
+
     CHK(pCert != NULL && pKey != NULL && pDst != NULL, STATUS_NULL_ARG);
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
     CHK(mbedtls_pk_check_pair(&pCert->pk, pKey) == 0, STATUS_CERTIFICATE_GENERATION_FAILED);
+#else
+    ret = mbedtls_pk_check_pair(&pCert->pk, pKey, mbedtls_ctr_drbg_random, &ctr_drbg);
+    CHK(ret == 0, STATUS_CERTIFICATE_GENERATION_FAILED);
+#endif
 
     mbedtls_x509_crt_init(&pDst->cert);
     mbedtls_pk_init(&pDst->privateKey);
     initialized = TRUE;
 
     CHK(mbedtls_x509_crt_parse_der(&pDst->cert, pCert->raw.p, pCert->raw.len) == 0, STATUS_CERTIFICATE_GENERATION_FAILED);
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
     CHK(mbedtls_pk_setup(&pDst->privateKey, pKey->pk_info) == 0, STATUS_CERTIFICATE_GENERATION_FAILED);
+#else
+    CHK(mbedtls_pk_setup(&pDst->privateKey, pKey->MBEDTLS_PRIVATE(pk_info)) == 0, STATUS_CERTIFICATE_GENERATION_FAILED);
+#endif
 
     switch (mbedtls_pk_get_type(pKey)) {
         case MBEDTLS_PK_RSA:
@@ -579,9 +654,16 @@ STATUS copyCertificateAndKey(mbedtls_x509_crt* pCert, mbedtls_pk_context* pKey,
         case MBEDTLS_PK_ECDSA:
             pSrcECP = mbedtls_pk_ec(*pKey);
             pDstECP = mbedtls_pk_ec(pDst->privateKey);
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
             CHK(mbedtls_ecp_group_copy(&pDstECP->grp, &pSrcECP->grp) == 0 && mbedtls_ecp_copy(&pDstECP->Q, &pSrcECP->Q) == 0 &&
                     mbedtls_mpi_copy(&pDstECP->d, &pSrcECP->d) == 0,
                 STATUS_CERTIFICATE_GENERATION_FAILED);
+#else
+            CHK(mbedtls_ecp_group_copy(&pDstECP->MBEDTLS_PRIVATE(grp), &pSrcECP->MBEDTLS_PRIVATE(grp)) == 0 &&
+                    mbedtls_ecp_copy(&pDstECP->MBEDTLS_PRIVATE(Q), &pSrcECP->MBEDTLS_PRIVATE(Q)) == 0 &&
+                    mbedtls_mpi_copy(&pDstECP->MBEDTLS_PRIVATE(d), &pSrcECP->MBEDTLS_PRIVATE(d)) == 0,
+                STATUS_CERTIFICATE_GENERATION_FAILED);
+#endif
             break;
         default:
             CHK(FALSE, STATUS_CERTIFICATE_GENERATION_FAILED);
@@ -598,6 +680,30 @@ STATUS copyCertificateAndKey(mbedtls_x509_crt* pCert, mbedtls_pk_context* pKey,
     return retStatus;
 }
 
+#if !(defined(MBEDTLS_BIGNUM_C) && !defined(MBEDTLS_DEPRECATED_REMOVED))
+int mbedtls_x509write_crt_set_serial(mbedtls_x509write_cert *ctx,
+                                     const mbedtls_mpi *serial)
+{
+    int ret;
+    size_t tmp_len;
+
+    /* Ensure that the MPI value fits into the buffer */
+    tmp_len = mbedtls_mpi_size(serial);
+    if (tmp_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) {
+        return MBEDTLS_ERR_X509_BAD_INPUT_DATA;
+    }
+
+    ctx->MBEDTLS_PRIVATE(serial_len) = tmp_len;
+
+    ret = mbedtls_mpi_write_binary(serial, ctx->MBEDTLS_PRIVATE(serial), tmp_len);
+    if (ret < 0) {
+        return ret;
+    }
+
+    return 0;
+}
+#endif // MBEDTLS_BIGNUM_C && !MBEDTLS_DEPRECATED_REMOVED
+
 /**
  * createCertificateAndKey generates a new certificate and a key
  * If generateRSACertificate is true, RSA is going to be used for the key generation. Otherwise, ECDSA is going to be used.
@@ -732,7 +838,11 @@ STATUS dtlsCertificateFingerprint(mbedtls_x509_crt* pCert, PCHAR pBuff)
     pMdInfo = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
     CHK(pMdInfo != NULL, STATUS_INTERNAL_ERROR);
 
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    sslRet = mbedtls_sha256(pCert->raw.p, pCert->raw.len, fingerprint, 0);
+#else
     sslRet = mbedtls_sha256_ret(pCert->raw.p, pCert->raw.len, fingerprint, 0);
+#endif
     CHK(sslRet == 0, STATUS_INTERNAL_ERROR);
 
     size = mbedtls_md_get_size(pMdInfo);
diff --git a/src/source/Crypto/Tls_mbedtls.c b/src/source/Crypto/Tls_mbedtls.c
@@ -171,8 +171,11 @@ STATUS tlsSessionProcessPacket(PTlsSession pTlsSession, PBYTE pData, UINT32 buff
             iterate = FALSE;
         }
     }
-
+#if MBEDTLS_VERSION_NUMBER >= 0x03000000
+    if (pTlsSession->sslCtx.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER) {
+#else
     if (pTlsSession->sslCtx.state == MBEDTLS_SSL_HANDSHAKE_OVER) {
+#endif
         tlsSessionChangeState(pTlsSession, TLS_SESSION_STATE_CONNECTED);
     }
 
diff --git a/src/source/Include_i.h b/src/source/Include_i.h
@@ -39,7 +39,9 @@ extern "C" {
 #include <mbedtls/entropy.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/error.h>
+#if MBEDTLS_VERSION_NUMBER < 0x03000000
 #include <mbedtls/certs.h>
+#endif
 #include <mbedtls/sha256.h>
 #include <mbedtls/md5.h>
 #endif

Original file line number	Diff line number	Diff line change
`@@ -171,8 +171,11 @@ STATUS tlsSessionProcessPacket(PTlsSession pTlsSession, PBYTE pData, UINT32 buff`
`171`	`171`	`iterate = FALSE;`
`172`	`172`	`}`
`173`	`173`	`}`
`174`		`-`
	`174`	`+#if MBEDTLS_VERSION_NUMBER >= 0x03000000`
	`175`	`+ if (pTlsSession->sslCtx.MBEDTLS_PRIVATE(state) == MBEDTLS_SSL_HANDSHAKE_OVER) {`
	`176`	`+#else`
`175`	`177`	`if (pTlsSession->sslCtx.state == MBEDTLS_SSL_HANDSHAKE_OVER) {`
	`178`	`+#endif`
`176`	`179`	`tlsSessionChangeState(pTlsSession, TLS_SESSION_STATE_CONNECTED);`
`177`	`180`	`}`
`178`	`181`