From 2c09c9bca97dcbe42e0b8f2d6f5c00f1c94099c4 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 14 May 2021 22:20:10 +0200 Subject: [PATCH 01/22] Introduce MBEDTLS_PRIVATE macro. Public structs members are considered private and should not be used by users application. MBEDTLS_PRIVATE(member) macro is intended to clearly indicate which members are private. Signed-off-by: Mateusz Starzyk --- include/mbedtls/private_access.h | 32 +++++++++++++++++++++++ library/common.h | 7 +++++ library/psa_crypto_driver_wrappers.c | 1 + tests/include/test/helpers.h | 2 ++ tests/src/drivers/test_driver_aead.c | 2 ++ tests/src/drivers/test_driver_cipher.c | 2 ++ tests/src/drivers/test_driver_signature.c | 2 ++ tests/suites/helpers.function | 2 ++ tests/suites/main_test.function | 8 ------ 9 files changed, 50 insertions(+), 8 deletions(-) create mode 100644 include/mbedtls/private_access.h diff --git a/include/mbedtls/private_access.h b/include/mbedtls/private_access.h new file mode 100644 index 000000000..98d3419f6 --- /dev/null +++ b/include/mbedtls/private_access.h @@ -0,0 +1,32 @@ + /** + * \file private_access.h + * + * \brief Macro wrapper for struct's memebrs. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_PRIVATE_ACCESS_H +#define MBEDTLS_PRIVATE_ACCESS_H + +#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS +#define MBEDTLS_PRIVATE(member) private_##member +#else +#define MBEDTLS_PRIVATE(member) member +#endif + +#endif /* MBEDTLS_PRIVATE_ACCESS_H */ diff --git a/library/common.h b/library/common.h index 5845766ac..c31ac1e1c 100644 --- a/library/common.h +++ b/library/common.h @@ -50,4 +50,11 @@ #define MBEDTLS_STATIC_TESTABLE static #endif +/** Allow library to access it's structs' private members. + * + * Although structs defined in header files are publicly available, + * their members are private and should not be accessed by the user. + */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #endif /* MBEDTLS_LIBRARY_COMMON_H */ diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index f61e5ebbe..19260c45e 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -19,6 +19,7 @@ * limitations under the License. */ +#include "common.h" #include "psa_crypto_aead.h" #include "psa_crypto_cipher.h" #include "psa_crypto_core.h" diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 9bfe08547..0f82a9040 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -25,6 +25,8 @@ #ifndef TEST_HELPERS_H #define TEST_HELPERS_H +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c index 25396c92f..a14716324 100644 --- a/tests/src/drivers/test_driver_aead.c +++ b/tests/src/drivers/test_driver_aead.c @@ -23,6 +23,8 @@ #include MBEDTLS_CONFIG_FILE #endif +#include + #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_aead.h" diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index a415dd812..4827946b0 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -24,6 +24,8 @@ #include MBEDTLS_CONFIG_FILE #endif +#include + #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "psa_crypto_cipher.h" diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c index 14de8318e..fdfba165f 100644 --- a/tests/src/drivers/test_driver_signature.c +++ b/tests/src/drivers/test_driver_signature.c @@ -25,6 +25,8 @@ #include MBEDTLS_CONFIG_FILE #endif +#include + #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "psa_crypto_core.h" diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index 2ef07fa62..ca03532ba 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -2,6 +2,8 @@ /*----------------------------------------------------------------------------*/ /* Headers */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include #include diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index ac00f45e5..62a667821 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -29,14 +29,6 @@ #include MBEDTLS_CONFIG_FILE #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#include "psa/crypto.h" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -#if defined(MBEDTLS_TEST_HOOKS) -#include "mbedtls/error.h" -#endif - /* Test code may use deprecated identifiers only if the preprocessor symbol * MBEDTLS_TEST_DEPRECATED is defined. When building tests, set * MBEDTLS_TEST_DEPRECATED explicitly if MBEDTLS_DEPRECATED_WARNING is From 0d41abbde61e40ab00ac512f16340262640ba6fb Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 12 May 2021 14:48:40 +0200 Subject: [PATCH 02/22] Introduce scripts automating wrapping structs members with MBEDTLS_PRIVATE. Usage: run setup_and_run_MBEDTLS_PRIVATE.sh Signed-off-by: Mateusz Starzyk --- apply_MBEDTLS_PRIVATE.py | 84 ++++++++++++++++++++++++++++++++ setup_and_run_MBEDTLS_PRIVATE.sh | 10 ++++ 2 files changed, 94 insertions(+) create mode 100644 apply_MBEDTLS_PRIVATE.py create mode 100755 setup_and_run_MBEDTLS_PRIVATE.sh diff --git a/apply_MBEDTLS_PRIVATE.py b/apply_MBEDTLS_PRIVATE.py new file mode 100644 index 000000000..4160287f2 --- /dev/null +++ b/apply_MBEDTLS_PRIVATE.py @@ -0,0 +1,84 @@ +import re +import fileinput +import glob +import pprint +import os +import xml.etree.ElementTree as ET + + +files_to_visit = {} + +struct_files = glob.glob("apidoc/xml/structmbedtls*.xml") + glob.glob("apidoc/xml/structpsa*.xml") + +for struct_file in struct_files: + struct_file_tree = ET.parse(struct_file) + all_struct_members_definitions = struct_file_tree.getroot().findall(".//memberdef[@kind='variable']") + + # Create dictionary with following structre + # "filepath" : { "variable_name1": (1, 2, 40, 61), # line numbers + # "variable_name2": (60, 64), + # } + for struct_member_def in all_struct_members_definitions: + # find file path for this variable + member_id = struct_member_def.attrib["id"] + location = struct_member_def.find("location") + file_path = location.attrib["file"] + variable_name = struct_member_def.find("name").text + # if path not yet in dictionary, create empty record to initialize + if file_path not in files_to_visit: + files_to_visit[file_path] = {} + # if variable is not yet in this file's dictionary, create empty set to initialize + if variable_name not in files_to_visit[file_path]: + files_to_visit[file_path][variable_name] = set() + + # add variable definition + files_to_visit[file_path][variable_name].add(int(location.attrib["line"])) + + # check where the variable was referenced + references = struct_member_def.findall("referencedby") + for reference in references: + refid = reference.attrib["refid"] + # assuming that compound name is related to header's xml file + header_file = "apidoc/xml/" + reference.attrib["compoundref"] + ".xml" + header_file_tree = ET.parse(header_file) + # check if this reference is created by static inline function + static_inline_function_definition = header_file_tree.getroot().find(f".//memberdef[@id='{refid}'][@kind='function'][@static='yes'][@inline='yes']") + if static_inline_function_definition: + static_inline_function_file_path = static_inline_function_definition.find("location").attrib["file"] + # if path not yet in dictionary, create empty record to initialize. + # This could happen if reference is inside header file which was not yet processed in search for variable definitions + if static_inline_function_file_path not in files_to_visit: + files_to_visit[static_inline_function_file_path] = {} + # if variable is not yet in this file's dictionary, create empty set to initialize + if variable_name not in files_to_visit[static_inline_function_file_path]: + files_to_visit[static_inline_function_file_path][variable_name] = set() + # function block scope + function_lines_from = int(reference.attrib["startline"]) + function_lines_to = int(reference.attrib["endline"]) + # find codelines referencing struct's variable + codelines_xml = header_file_tree.getroot().findall(f".//ref[@refid='{member_id}']/../..") + # filter by function's scope + codelines = [int(line.attrib["lineno"]) for line in codelines_xml if int(line.attrib["lineno"]) >= function_lines_from and int(line.attrib["lineno"]) <= function_lines_to] + # add variable reference + files_to_visit[static_inline_function_file_path][variable_name].update(codelines) + +pp = pprint.PrettyPrinter(indent=4) +pp.pprint(files_to_visit) + +for file_path, variables in files_to_visit.items(): + with fileinput.FileInput(file_path, inplace=True) as file: + output_line_number = 1 + re_include_guard = re.compile(r"^#define.*{name}$".format(name=os.path.basename(file_path).replace('.','_').upper())) + for line in file: + insert_allow_private_include = False + if re_include_guard.match(line): + insert_allow_private_include = True + for variable, var_lines in variables.items(): + for var_line in var_lines: + if output_line_number == var_line: + line = re.sub(r"(^.*?\W+)({var})(\W+.*$)".format(var=variable), r"\1MBEDTLS_PRIVATE(\2)\3", line) + output_line_number += 1 + print(line, end='') # fileinput redirects stdout to the target file + if insert_allow_private_include: + insert_allow_private_include = False + print("#include \"mbedtls/private_access.h\"") diff --git a/setup_and_run_MBEDTLS_PRIVATE.sh b/setup_and_run_MBEDTLS_PRIVATE.sh new file mode 100755 index 000000000..9a0e59979 --- /dev/null +++ b/setup_and_run_MBEDTLS_PRIVATE.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +make clean +sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile +scripts/config.py full +cd doxygen +doxygen mbedtls.doxyfile +cd .. +python3 apply_MBEDTLS_PRIVATE.py +git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile From 846f021de291c105c18031fa5d5c466917cb3cad Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 19 May 2021 19:44:07 +0200 Subject: [PATCH 03/22] Run MBEDTLS_PRIVATE wrapping script on the library. Signed-off-by: Mateusz Starzyk --- include/mbedtls/aes.h | 11 +- include/mbedtls/arc4.h | 7 +- include/mbedtls/aria.h | 5 +- include/mbedtls/asn1.h | 25 +- include/mbedtls/bignum.h | 7 +- include/mbedtls/blowfish.h | 5 +- include/mbedtls/camellia.h | 5 +- include/mbedtls/ccm.h | 3 +- include/mbedtls/chacha20.h | 7 +- include/mbedtls/chachapoly.h | 13 +- include/mbedtls/cipher.h | 73 +++--- include/mbedtls/cmac.h | 7 +- include/mbedtls/ctr_drbg.h | 19 +- include/mbedtls/des.h | 5 +- include/mbedtls/dhm.h | 23 +- include/mbedtls/ecdh.h | 19 +- include/mbedtls/ecjpake.h | 25 +- include/mbedtls/ecp.h | 51 ++-- include/mbedtls/entropy.h | 23 +- include/mbedtls/gcm.h | 19 +- include/mbedtls/hmac_drbg.h | 19 +- include/mbedtls/md.h | 7 +- include/mbedtls/md2.h | 9 +- include/mbedtls/md4.h | 7 +- include/mbedtls/md5.h | 7 +- include/mbedtls/net_sockets.h | 3 +- include/mbedtls/nist_kw.h | 3 +- include/mbedtls/oid.h | 9 +- include/mbedtls/pem.h | 7 +- include/mbedtls/pk.h | 15 +- include/mbedtls/platform.h | 3 +- include/mbedtls/poly1305.h | 11 +- include/mbedtls/psa_util.h | 3 +- include/mbedtls/ripemd160.h | 7 +- include/mbedtls/rsa.h | 37 +-- include/mbedtls/sha1.h | 7 +- include/mbedtls/sha256.h | 9 +- include/mbedtls/sha512.h | 11 +- include/mbedtls/ssl.h | 327 ++++++++++++------------ include/mbedtls/ssl_cache.h | 21 +- include/mbedtls/ssl_ciphersuites.h | 17 +- include/mbedtls/ssl_cookie.h | 7 +- include/mbedtls/ssl_ticket.h | 19 +- include/mbedtls/threading.h | 5 +- include/mbedtls/timing.h | 7 +- include/mbedtls/x509.h | 5 +- include/mbedtls/x509_crl.h | 43 ++-- include/mbedtls/x509_crt.h | 117 ++++----- include/mbedtls/x509_csr.h | 31 +-- include/mbedtls/xtea.h | 3 +- include/psa/crypto_builtin_composites.h | 15 +- include/psa/crypto_builtin_primitives.h | 29 ++- include/psa/crypto_extra.h | 29 ++- include/psa/crypto_se_driver.h | 91 +++---- include/psa/crypto_struct.h | 155 +++++------ 55 files changed, 751 insertions(+), 696 deletions(-) diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h index da741c8e8..e23b9ca94 100644 --- a/include/mbedtls/aes.h +++ b/include/mbedtls/aes.h @@ -39,6 +39,7 @@ #ifndef MBEDTLS_AES_H #define MBEDTLS_AES_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -78,9 +79,9 @@ extern "C" { */ typedef struct mbedtls_aes_context { - int nr; /*!< The number of rounds. */ - uint32_t *rk; /*!< AES round keys. */ - uint32_t buf[68]; /*!< Unaligned data buffer. This buffer can + int MBEDTLS_PRIVATE(nr); /*!< The number of rounds. */ + uint32_t *MBEDTLS_PRIVATE(rk); /*!< AES round keys. */ + uint32_t MBEDTLS_PRIVATE(buf)[68]; /*!< Unaligned data buffer. This buffer can hold 32 extra Bytes, which can be used for one of the following purposes:
  • Alignment if VIA padlock is @@ -97,9 +98,9 @@ mbedtls_aes_context; */ typedef struct mbedtls_aes_xts_context { - mbedtls_aes_context crypt; /*!< The AES context to use for AES block + mbedtls_aes_context MBEDTLS_PRIVATE(crypt); /*!< The AES context to use for AES block encryption or decryption. */ - mbedtls_aes_context tweak; /*!< The AES context used for tweak + mbedtls_aes_context MBEDTLS_PRIVATE(tweak); /*!< The AES context used for tweak computation. */ } mbedtls_aes_xts_context; #endif /* MBEDTLS_CIPHER_MODE_XTS */ diff --git a/include/mbedtls/arc4.h b/include/mbedtls/arc4.h index ada6083e0..631365120 100644 --- a/include/mbedtls/arc4.h +++ b/include/mbedtls/arc4.h @@ -25,6 +25,7 @@ */ #ifndef MBEDTLS_ARC4_H #define MBEDTLS_ARC4_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -51,9 +52,9 @@ extern "C" { */ typedef struct mbedtls_arc4_context { - int x; /*!< permutation index */ - int y; /*!< permutation index */ - unsigned char m[256]; /*!< permutation table */ + int MBEDTLS_PRIVATE(x); /*!< permutation index */ + int MBEDTLS_PRIVATE(y); /*!< permutation index */ + unsigned char MBEDTLS_PRIVATE(m)[256]; /*!< permutation table */ } mbedtls_arc4_context; diff --git a/include/mbedtls/aria.h b/include/mbedtls/aria.h index 7dd960f29..cd15c706f 100644 --- a/include/mbedtls/aria.h +++ b/include/mbedtls/aria.h @@ -28,6 +28,7 @@ #ifndef MBEDTLS_ARIA_H #define MBEDTLS_ARIA_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -64,9 +65,9 @@ extern "C" { */ typedef struct mbedtls_aria_context { - unsigned char nr; /*!< The number of rounds (12, 14 or 16) */ + unsigned char MBEDTLS_PRIVATE(nr); /*!< The number of rounds (12, 14 or 16) */ /*! The ARIA round keys. */ - uint32_t rk[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4]; + uint32_t MBEDTLS_PRIVATE(rk)[MBEDTLS_ARIA_MAX_ROUNDS + 1][MBEDTLS_ARIA_BLOCKSIZE / 4]; } mbedtls_aria_context; diff --git a/include/mbedtls/asn1.h b/include/mbedtls/asn1.h index d2162fe12..66119810f 100644 --- a/include/mbedtls/asn1.h +++ b/include/mbedtls/asn1.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_ASN1_H #define MBEDTLS_ASN1_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -148,9 +149,9 @@ extern "C" { */ typedef struct mbedtls_asn1_buf { - int tag; /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */ - size_t len; /**< ASN1 length, in octets. */ - unsigned char *p; /**< ASN1 data, e.g. in ASCII. */ + int MBEDTLS_PRIVATE(tag); /**< ASN1 type, e.g. MBEDTLS_ASN1_UTF8_STRING. */ + size_t MBEDTLS_PRIVATE(len); /**< ASN1 length, in octets. */ + unsigned char *MBEDTLS_PRIVATE(p); /**< ASN1 data, e.g. in ASCII. */ } mbedtls_asn1_buf; @@ -159,9 +160,9 @@ mbedtls_asn1_buf; */ typedef struct mbedtls_asn1_bitstring { - size_t len; /**< ASN1 length, in octets. */ - unsigned char unused_bits; /**< Number of unused bits at the end of the string */ - unsigned char *p; /**< Raw ASN1 data for the bit string */ + size_t MBEDTLS_PRIVATE(len); /**< ASN1 length, in octets. */ + unsigned char MBEDTLS_PRIVATE(unused_bits); /**< Number of unused bits at the end of the string */ + unsigned char *MBEDTLS_PRIVATE(p); /**< Raw ASN1 data for the bit string */ } mbedtls_asn1_bitstring; @@ -170,8 +171,8 @@ mbedtls_asn1_bitstring; */ typedef struct mbedtls_asn1_sequence { - mbedtls_asn1_buf buf; /**< Buffer containing the given ASN.1 item. */ - struct mbedtls_asn1_sequence *next; /**< The next entry in the sequence. */ + mbedtls_asn1_buf MBEDTLS_PRIVATE(buf); /**< Buffer containing the given ASN.1 item. */ + struct mbedtls_asn1_sequence *MBEDTLS_PRIVATE(next); /**< The next entry in the sequence. */ } mbedtls_asn1_sequence; @@ -180,10 +181,10 @@ mbedtls_asn1_sequence; */ typedef struct mbedtls_asn1_named_data { - mbedtls_asn1_buf oid; /**< The object identifier. */ - mbedtls_asn1_buf val; /**< The named value. */ - struct mbedtls_asn1_named_data *next; /**< The next entry in the sequence. */ - unsigned char next_merged; /**< Merge next item into the current one? */ + mbedtls_asn1_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */ + mbedtls_asn1_buf MBEDTLS_PRIVATE(val); /**< The named value. */ + struct mbedtls_asn1_named_data *MBEDTLS_PRIVATE(next); /**< The next entry in the sequence. */ + unsigned char MBEDTLS_PRIVATE(next_merged); /**< Merge next item into the current one? */ } mbedtls_asn1_named_data; diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index 073b4a40c..47768fc6f 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_BIGNUM_H #define MBEDTLS_BIGNUM_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -183,9 +184,9 @@ extern "C" { */ typedef struct mbedtls_mpi { - int s; /*!< Sign: -1 if the mpi is negative, 1 otherwise */ - size_t n; /*!< total # of limbs */ - mbedtls_mpi_uint *p; /*!< pointer to limbs */ + int MBEDTLS_PRIVATE(s); /*!< Sign: -1 if the mpi is negative, 1 otherwise */ + size_t MBEDTLS_PRIVATE(n); /*!< total # of limbs */ + mbedtls_mpi_uint *MBEDTLS_PRIVATE(p); /*!< pointer to limbs */ } mbedtls_mpi; diff --git a/include/mbedtls/blowfish.h b/include/mbedtls/blowfish.h index 1ade1fc7e..e54d4914d 100644 --- a/include/mbedtls/blowfish.h +++ b/include/mbedtls/blowfish.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_BLOWFISH_H #define MBEDTLS_BLOWFISH_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -57,8 +58,8 @@ extern "C" { */ typedef struct mbedtls_blowfish_context { - uint32_t P[MBEDTLS_BLOWFISH_ROUNDS + 2]; /*!< Blowfish round keys */ - uint32_t S[4][256]; /*!< key dependent S-boxes */ + uint32_t MBEDTLS_PRIVATE(P)[MBEDTLS_BLOWFISH_ROUNDS + 2]; /*!< Blowfish round keys */ + uint32_t MBEDTLS_PRIVATE(S)[4][256]; /*!< key dependent S-boxes */ } mbedtls_blowfish_context; diff --git a/include/mbedtls/camellia.h b/include/mbedtls/camellia.h index dee5c3e2c..d2d4f61b1 100644 --- a/include/mbedtls/camellia.h +++ b/include/mbedtls/camellia.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_CAMELLIA_H #define MBEDTLS_CAMELLIA_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -53,8 +54,8 @@ extern "C" { */ typedef struct mbedtls_camellia_context { - int nr; /*!< number of rounds */ - uint32_t rk[68]; /*!< CAMELLIA round keys */ + int MBEDTLS_PRIVATE(nr); /*!< number of rounds */ + uint32_t MBEDTLS_PRIVATE(rk)[68]; /*!< CAMELLIA round keys */ } mbedtls_camellia_context; diff --git a/include/mbedtls/ccm.h b/include/mbedtls/ccm.h index f63e61be5..2fa4b5b14 100644 --- a/include/mbedtls/ccm.h +++ b/include/mbedtls/ccm.h @@ -46,6 +46,7 @@ #ifndef MBEDTLS_CCM_H #define MBEDTLS_CCM_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -72,7 +73,7 @@ extern "C" { */ typedef struct mbedtls_ccm_context { - mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */ + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ } mbedtls_ccm_context; diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h index a6a8cda74..441aaa4c8 100644 --- a/include/mbedtls/chacha20.h +++ b/include/mbedtls/chacha20.h @@ -31,6 +31,7 @@ #ifndef MBEDTLS_CHACHA20_H #define MBEDTLS_CHACHA20_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -51,9 +52,9 @@ extern "C" { typedef struct mbedtls_chacha20_context { - uint32_t state[16]; /*! The state (before round operations). */ - uint8_t keystream8[64]; /*! Leftover keystream bytes. */ - size_t keystream_bytes_used; /*! Number of keystream bytes already used. */ + uint32_t MBEDTLS_PRIVATE(state)[16]; /*! The state (before round operations). */ + uint8_t MBEDTLS_PRIVATE(keystream8)[64]; /*! Leftover keystream bytes. */ + size_t MBEDTLS_PRIVATE(keystream_bytes_used); /*! Number of keystream bytes already used. */ } mbedtls_chacha20_context; diff --git a/include/mbedtls/chachapoly.h b/include/mbedtls/chachapoly.h index 1007f95bb..7c3673985 100644 --- a/include/mbedtls/chachapoly.h +++ b/include/mbedtls/chachapoly.h @@ -31,6 +31,7 @@ #ifndef MBEDTLS_CHACHAPOLY_H #define MBEDTLS_CHACHAPOLY_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -61,12 +62,12 @@ mbedtls_chachapoly_mode_t; typedef struct mbedtls_chachapoly_context { - mbedtls_chacha20_context chacha20_ctx; /**< The ChaCha20 context. */ - mbedtls_poly1305_context poly1305_ctx; /**< The Poly1305 context. */ - uint64_t aad_len; /**< The length (bytes) of the Additional Authenticated Data. */ - uint64_t ciphertext_len; /**< The length (bytes) of the ciphertext. */ - int state; /**< The current state of the context. */ - mbedtls_chachapoly_mode_t mode; /**< Cipher mode (encrypt or decrypt). */ + mbedtls_chacha20_context MBEDTLS_PRIVATE(chacha20_ctx); /**< The ChaCha20 context. */ + mbedtls_poly1305_context MBEDTLS_PRIVATE(poly1305_ctx); /**< The Poly1305 context. */ + uint64_t MBEDTLS_PRIVATE(aad_len); /**< The length (bytes) of the Additional Authenticated Data. */ + uint64_t MBEDTLS_PRIVATE(ciphertext_len); /**< The length (bytes) of the ciphertext. */ + int MBEDTLS_PRIVATE(state); /**< The current state of the context. */ + mbedtls_chachapoly_mode_t MBEDTLS_PRIVATE(mode); /**< Cipher mode (encrypt or decrypt). */ } mbedtls_chachapoly_context; diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h index ffb20a676..97aa16c83 100644 --- a/include/mbedtls/cipher.h +++ b/include/mbedtls/cipher.h @@ -26,6 +26,7 @@ #ifndef MBEDTLS_CIPHER_H #define MBEDTLS_CIPHER_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -267,37 +268,37 @@ typedef struct mbedtls_cipher_info_t /** Full cipher identifier. For example, * MBEDTLS_CIPHER_AES_256_CBC. */ - mbedtls_cipher_type_t type; + mbedtls_cipher_type_t MBEDTLS_PRIVATE(type); /** The cipher mode. For example, MBEDTLS_MODE_CBC. */ - mbedtls_cipher_mode_t mode; + mbedtls_cipher_mode_t MBEDTLS_PRIVATE(mode); /** The cipher key length, in bits. This is the * default length for variable sized ciphers. * Includes parity bits for ciphers like DES. */ - unsigned int key_bitlen; + unsigned int MBEDTLS_PRIVATE(key_bitlen); /** Name of the cipher. */ - const char * name; + const char * MBEDTLS_PRIVATE(name); /** IV or nonce size, in Bytes. * For ciphers that accept variable IV sizes, * this is the recommended size. */ - unsigned int iv_size; + unsigned int MBEDTLS_PRIVATE(iv_size); /** Bitflag comprised of MBEDTLS_CIPHER_VARIABLE_IV_LEN and * MBEDTLS_CIPHER_VARIABLE_KEY_LEN indicating whether the * cipher supports variable IV or variable key sizes, respectively. */ - int flags; + int MBEDTLS_PRIVATE(flags); /** The block size, in Bytes. */ - unsigned int block_size; + unsigned int MBEDTLS_PRIVATE(block_size); /** Struct for base cipher information and functions. */ - const mbedtls_cipher_base_t *base; + const mbedtls_cipher_base_t *MBEDTLS_PRIVATE(base); } mbedtls_cipher_info_t; @@ -307,43 +308,43 @@ typedef struct mbedtls_cipher_info_t typedef struct mbedtls_cipher_context_t { /** Information about the associated cipher. */ - const mbedtls_cipher_info_t *cipher_info; + const mbedtls_cipher_info_t *MBEDTLS_PRIVATE(cipher_info); /** Key length to use. */ - int key_bitlen; + int MBEDTLS_PRIVATE(key_bitlen); /** Operation that the key of the context has been * initialized for. */ - mbedtls_operation_t operation; + mbedtls_operation_t MBEDTLS_PRIVATE(operation); #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) /** Padding functions to use, if relevant for * the specific cipher mode. */ - void (*add_padding)( unsigned char *output, size_t olen, size_t data_len ); - int (*get_padding)( unsigned char *input, size_t ilen, size_t *data_len ); + void (*MBEDTLS_PRIVATE(add_padding))( unsigned char *output, size_t olen, size_t data_len ); + int (*MBEDTLS_PRIVATE(get_padding))( unsigned char *input, size_t ilen, size_t *data_len ); #endif /** Buffer for input that has not been processed yet. */ - unsigned char unprocessed_data[MBEDTLS_MAX_BLOCK_LENGTH]; + unsigned char MBEDTLS_PRIVATE(unprocessed_data)[MBEDTLS_MAX_BLOCK_LENGTH]; /** Number of Bytes that have not been processed yet. */ - size_t unprocessed_len; + size_t MBEDTLS_PRIVATE(unprocessed_len); /** Current IV or NONCE_COUNTER for CTR-mode, data unit (or sector) number * for XTS-mode. */ - unsigned char iv[MBEDTLS_MAX_IV_LENGTH]; + unsigned char MBEDTLS_PRIVATE(iv)[MBEDTLS_MAX_IV_LENGTH]; /** IV size in Bytes, for ciphers with variable-length IVs. */ - size_t iv_size; + size_t MBEDTLS_PRIVATE(iv_size); /** The cipher-specific context. */ - void *cipher_ctx; + void *MBEDTLS_PRIVATE(cipher_ctx); #if defined(MBEDTLS_CMAC_C) /** CMAC-specific context. */ - mbedtls_cmac_context_t *cmac_ctx; + mbedtls_cmac_context_t *MBEDTLS_PRIVATE(cmac_ctx); #endif #if defined(MBEDTLS_USE_PSA_CRYPTO) @@ -354,7 +355,7 @@ typedef struct mbedtls_cipher_context_t * mbedtls_cipher_setup(), and set if it was established through * mbedtls_cipher_setup_psa(). */ - unsigned char psa_enabled; + unsigned char MBEDTLS_PRIVATE(psa_enabled); #endif /* MBEDTLS_USE_PSA_CRYPTO */ } mbedtls_cipher_context_t; @@ -495,10 +496,10 @@ static inline unsigned int mbedtls_cipher_get_block_size( const mbedtls_cipher_context_t *ctx ) { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return 0; - return ctx->cipher_info->block_size; + return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(block_size); } /** @@ -514,10 +515,10 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode( const mbedtls_cipher_context_t *ctx ) { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_MODE_NONE ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return MBEDTLS_MODE_NONE; - return ctx->cipher_info->mode; + return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(mode); } /** @@ -534,13 +535,13 @@ static inline int mbedtls_cipher_get_iv_size( const mbedtls_cipher_context_t *ctx ) { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return 0; - if( ctx->iv_size != 0 ) - return (int) ctx->iv_size; + if( ctx->MBEDTLS_PRIVATE(iv_size) != 0 ) + return (int) ctx->MBEDTLS_PRIVATE(iv_size); - return (int) ctx->cipher_info->iv_size; + return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(iv_size); } /** @@ -556,10 +557,10 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type( { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_CIPHER_NONE ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return MBEDTLS_CIPHER_NONE; - return ctx->cipher_info->type; + return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(type); } /** @@ -575,10 +576,10 @@ static inline const char *mbedtls_cipher_get_name( const mbedtls_cipher_context_t *ctx ) { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, 0 ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return 0; - return ctx->cipher_info->name; + return ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(name); } /** @@ -595,10 +596,10 @@ static inline int mbedtls_cipher_get_key_bitlen( { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_KEY_LENGTH_NONE ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return MBEDTLS_KEY_LENGTH_NONE; - return (int) ctx->cipher_info->key_bitlen; + return (int) ctx->MBEDTLS_PRIVATE(cipher_info)->MBEDTLS_PRIVATE(key_bitlen); } /** @@ -614,10 +615,10 @@ static inline mbedtls_operation_t mbedtls_cipher_get_operation( { MBEDTLS_INTERNAL_VALIDATE_RET( ctx != NULL, MBEDTLS_OPERATION_NONE ); - if( ctx->cipher_info == NULL ) + if( ctx->MBEDTLS_PRIVATE(cipher_info) == NULL ) return MBEDTLS_OPERATION_NONE; - return ctx->operation; + return ctx->MBEDTLS_PRIVATE(operation); } /** diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h index a0563b1ef..65c831c87 100644 --- a/include/mbedtls/cmac.h +++ b/include/mbedtls/cmac.h @@ -25,6 +25,7 @@ #ifndef MBEDTLS_CMAC_H #define MBEDTLS_CMAC_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -55,14 +56,14 @@ extern "C" { struct mbedtls_cmac_context_t { /** The internal state of the CMAC algorithm. */ - unsigned char state[MBEDTLS_CIPHER_BLKSIZE_MAX]; + unsigned char MBEDTLS_PRIVATE(state)[MBEDTLS_CIPHER_BLKSIZE_MAX]; /** Unprocessed data - either data that was not block aligned and is still * pending processing, or the final block. */ - unsigned char unprocessed_block[MBEDTLS_CIPHER_BLKSIZE_MAX]; + unsigned char MBEDTLS_PRIVATE(unprocessed_block)[MBEDTLS_CIPHER_BLKSIZE_MAX]; /** The length of data pending processing. */ - size_t unprocessed_len; + size_t MBEDTLS_PRIVATE(unprocessed_len); }; #else /* !MBEDTLS_CMAC_ALT */ diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h index 0f2c5510f..6a8d5c688 100644 --- a/include/mbedtls/ctr_drbg.h +++ b/include/mbedtls/ctr_drbg.h @@ -40,6 +40,7 @@ #ifndef MBEDTLS_CTR_DRBG_H #define MBEDTLS_CTR_DRBG_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -168,8 +169,8 @@ extern "C" { */ typedef struct mbedtls_ctr_drbg_context { - unsigned char counter[16]; /*!< The counter (V). */ - int reseed_counter; /*!< The reseed counter. + unsigned char MBEDTLS_PRIVATE(counter)[16]; /*!< The counter (V). */ + int MBEDTLS_PRIVATE(reseed_counter); /*!< The reseed counter. * This is the number of requests that have * been made since the last (re)seeding, * minus one. @@ -179,25 +180,25 @@ typedef struct mbedtls_ctr_drbg_context * or -1 if no nonce length has been explicitly * set (see mbedtls_ctr_drbg_set_nonce_len()). */ - int prediction_resistance; /*!< This determines whether prediction + int MBEDTLS_PRIVATE(prediction_resistance); /*!< This determines whether prediction resistance is enabled, that is whether to systematically reseed before each random generation. */ - size_t entropy_len; /*!< The amount of entropy grabbed on each + size_t MBEDTLS_PRIVATE(entropy_len); /*!< The amount of entropy grabbed on each seed or reseed operation, in bytes. */ - int reseed_interval; /*!< The reseed interval. + int MBEDTLS_PRIVATE(reseed_interval); /*!< The reseed interval. * This is the maximum number of requests * that can be made between reseedings. */ - mbedtls_aes_context aes_ctx; /*!< The AES context. */ + mbedtls_aes_context MBEDTLS_PRIVATE(aes_ctx); /*!< The AES context. */ /* * Callbacks (Entropy) */ - int (*f_entropy)(void *, unsigned char *, size_t); + int (*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< The entropy callback function. */ - void *p_entropy; /*!< The context for the entropy function. */ + void *MBEDTLS_PRIVATE(p_entropy); /*!< The context for the entropy function. */ #if defined(MBEDTLS_THREADING_C) /* Invariant: the mutex is initialized if and only if f_entropy != NULL. @@ -207,7 +208,7 @@ typedef struct mbedtls_ctr_drbg_context * Note that this invariant may change without notice. Do not rely on it * and do not access the mutex directly in application code. */ - mbedtls_threading_mutex_t mutex; + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); #endif } mbedtls_ctr_drbg_context; diff --git a/include/mbedtls/des.h b/include/mbedtls/des.h index 92da73f08..24d240283 100644 --- a/include/mbedtls/des.h +++ b/include/mbedtls/des.h @@ -26,6 +26,7 @@ */ #ifndef MBEDTLS_DES_H #define MBEDTLS_DES_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -60,7 +61,7 @@ extern "C" { */ typedef struct mbedtls_des_context { - uint32_t sk[32]; /*!< DES subkeys */ + uint32_t MBEDTLS_PRIVATE(sk)[32]; /*!< DES subkeys */ } mbedtls_des_context; @@ -69,7 +70,7 @@ mbedtls_des_context; */ typedef struct mbedtls_des3_context { - uint32_t sk[96]; /*!< 3DES subkeys */ + uint32_t MBEDTLS_PRIVATE(sk)[96]; /*!< 3DES subkeys */ } mbedtls_des3_context; diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h index 0e8892e0f..6c8ca037c 100644 --- a/include/mbedtls/dhm.h +++ b/include/mbedtls/dhm.h @@ -62,6 +62,7 @@ #ifndef MBEDTLS_DHM_H #define MBEDTLS_DHM_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -95,17 +96,17 @@ extern "C" { */ typedef struct mbedtls_dhm_context { - size_t len; /*!< The size of \p P in Bytes. */ - mbedtls_mpi P; /*!< The prime modulus. */ - mbedtls_mpi G; /*!< The generator. */ - mbedtls_mpi X; /*!< Our secret value. */ - mbedtls_mpi GX; /*!< Our public key = \c G^X mod \c P. */ - mbedtls_mpi GY; /*!< The public key of the peer = \c G^Y mod \c P. */ - mbedtls_mpi K; /*!< The shared secret = \c G^(XY) mod \c P. */ - mbedtls_mpi RP; /*!< The cached value = \c R^2 mod \c P. */ - mbedtls_mpi Vi; /*!< The blinding value. */ - mbedtls_mpi Vf; /*!< The unblinding value. */ - mbedtls_mpi pX; /*!< The previous \c X. */ + size_t MBEDTLS_PRIVATE(len); /*!< The size of \p P in Bytes. */ + mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The prime modulus. */ + mbedtls_mpi MBEDTLS_PRIVATE(G); /*!< The generator. */ + mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< Our secret value. */ + mbedtls_mpi MBEDTLS_PRIVATE(GX); /*!< Our public key = \c G^X mod \c P. */ + mbedtls_mpi MBEDTLS_PRIVATE(GY); /*!< The public key of the peer = \c G^Y mod \c P. */ + mbedtls_mpi MBEDTLS_PRIVATE(K); /*!< The shared secret = \c G^(XY) mod \c P. */ + mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< The cached value = \c R^2 mod \c P. */ + mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */ + mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */ + mbedtls_mpi MBEDTLS_PRIVATE(pX); /*!< The previous \c X. */ } mbedtls_dhm_context; diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 05855cdf1..874b4ee12 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -31,6 +31,7 @@ #ifndef MBEDTLS_ECDH_H #define MBEDTLS_ECDH_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -104,15 +105,15 @@ typedef struct mbedtls_ecdh_context_mbed typedef struct mbedtls_ecdh_context { #if defined(MBEDTLS_ECDH_LEGACY_CONTEXT) - mbedtls_ecp_group grp; /*!< The elliptic curve used. */ - mbedtls_mpi d; /*!< The private key. */ - mbedtls_ecp_point Q; /*!< The public key. */ - mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ - mbedtls_mpi z; /*!< The shared secret. */ - int point_format; /*!< The format of point export in TLS messages. */ - mbedtls_ecp_point Vi; /*!< The blinding value. */ - mbedtls_ecp_point Vf; /*!< The unblinding value. */ - mbedtls_mpi _d; /*!< The previous \p d. */ + mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */ + mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */ + mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */ + int MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages. */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Vi); /*!< The blinding value. */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */ + mbedtls_mpi MBEDTLS_PRIVATE(_d); /*!< The previous \p d. */ #if defined(MBEDTLS_ECP_RESTARTABLE) int restart_enabled; /*!< The flag for restartable mode. */ mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index 891705d8c..0c8e8c927 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_ECJPAKE_H #define MBEDTLS_ECJPAKE_H +#include "mbedtls/private_access.h" /* * J-PAKE is a password-authenticated key exchange that allows deriving a @@ -73,21 +74,21 @@ typedef enum { */ typedef struct mbedtls_ecjpake_context { - const mbedtls_md_info_t *md_info; /**< Hash to use */ - mbedtls_ecp_group grp; /**< Elliptic curve */ - mbedtls_ecjpake_role role; /**< Are we client or server? */ - int point_format; /**< Format for point export */ + const mbedtls_md_info_t *MBEDTLS_PRIVATE(md_info); /**< Hash to use */ + mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /**< Elliptic curve */ + mbedtls_ecjpake_role MBEDTLS_PRIVATE(role); /**< Are we client or server? */ + int MBEDTLS_PRIVATE(point_format); /**< Format for point export */ - mbedtls_ecp_point Xm1; /**< My public key 1 C: X1, S: X3 */ - mbedtls_ecp_point Xm2; /**< My public key 2 C: X2, S: X4 */ - mbedtls_ecp_point Xp1; /**< Peer public key 1 C: X3, S: X1 */ - mbedtls_ecp_point Xp2; /**< Peer public key 2 C: X4, S: X2 */ - mbedtls_ecp_point Xp; /**< Peer public key C: Xs, S: Xc */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Xm1); /**< My public key 1 C: X1, S: X3 */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Xm2); /**< My public key 2 C: X2, S: X4 */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Xp1); /**< Peer public key 1 C: X3, S: X1 */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Xp2); /**< Peer public key 2 C: X4, S: X2 */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Xp); /**< Peer public key C: Xs, S: Xc */ - mbedtls_mpi xm1; /**< My private key 1 C: x1, S: x3 */ - mbedtls_mpi xm2; /**< My private key 2 C: x2, S: x4 */ + mbedtls_mpi MBEDTLS_PRIVATE(xm1); /**< My private key 1 C: x1, S: x3 */ + mbedtls_mpi MBEDTLS_PRIVATE(xm2); /**< My private key 2 C: x2, S: x4 */ - mbedtls_mpi s; /**< Pre-shared secret (passphrase) */ + mbedtls_mpi MBEDTLS_PRIVATE(s); /**< Pre-shared secret (passphrase) */ } mbedtls_ecjpake_context; #else /* MBEDTLS_ECJPAKE_ALT */ diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index dd400a018..913e323f1 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -33,6 +33,7 @@ #ifndef MBEDTLS_ECP_H #define MBEDTLS_ECP_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -142,10 +143,10 @@ typedef enum */ typedef struct mbedtls_ecp_curve_info { - mbedtls_ecp_group_id grp_id; /*!< An internal identifier. */ - uint16_t tls_id; /*!< The TLS NamedCurve identifier. */ - uint16_t bit_size; /*!< The curve size in bits. */ - const char *name; /*!< A human-friendly name. */ + mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id); /*!< An internal identifier. */ + uint16_t MBEDTLS_PRIVATE(tls_id); /*!< The TLS NamedCurve identifier. */ + uint16_t MBEDTLS_PRIVATE(bit_size); /*!< The curve size in bits. */ + const char *MBEDTLS_PRIVATE(name); /*!< A human-friendly name. */ } mbedtls_ecp_curve_info; /** @@ -161,9 +162,9 @@ typedef struct mbedtls_ecp_curve_info */ typedef struct mbedtls_ecp_point { - mbedtls_mpi X; /*!< The X coordinate of the ECP point. */ - mbedtls_mpi Y; /*!< The Y coordinate of the ECP point. */ - mbedtls_mpi Z; /*!< The Z coordinate of the ECP point. */ + mbedtls_mpi MBEDTLS_PRIVATE(X); /*!< The X coordinate of the ECP point. */ + mbedtls_mpi MBEDTLS_PRIVATE(Y); /*!< The Y coordinate of the ECP point. */ + mbedtls_mpi MBEDTLS_PRIVATE(Z); /*!< The Z coordinate of the ECP point. */ } mbedtls_ecp_point; @@ -210,26 +211,26 @@ mbedtls_ecp_point; */ typedef struct mbedtls_ecp_group { - mbedtls_ecp_group_id id; /*!< An internal group identifier. */ - mbedtls_mpi P; /*!< The prime modulus of the base field. */ - mbedtls_mpi A; /*!< For Short Weierstrass: \p A in the equation. For + mbedtls_ecp_group_id MBEDTLS_PRIVATE(id); /*!< An internal group identifier. */ + mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The prime modulus of the base field. */ + mbedtls_mpi MBEDTLS_PRIVATE(A); /*!< For Short Weierstrass: \p A in the equation. For Montgomery curves: (A + 2) / 4. */ - mbedtls_mpi B; /*!< For Short Weierstrass: \p B in the equation. + mbedtls_mpi MBEDTLS_PRIVATE(B); /*!< For Short Weierstrass: \p B in the equation. For Montgomery curves: unused. */ - mbedtls_ecp_point G; /*!< The generator of the subgroup used. */ - mbedtls_mpi N; /*!< The order of \p G. */ - size_t pbits; /*!< The number of bits in \p P.*/ - size_t nbits; /*!< For Short Weierstrass: The number of bits in \p P. + mbedtls_ecp_point MBEDTLS_PRIVATE(G); /*!< The generator of the subgroup used. */ + mbedtls_mpi MBEDTLS_PRIVATE(N); /*!< The order of \p G. */ + size_t MBEDTLS_PRIVATE(pbits); /*!< The number of bits in \p P.*/ + size_t MBEDTLS_PRIVATE(nbits); /*!< For Short Weierstrass: The number of bits in \p P. For Montgomery curves: the number of bits in the private keys. */ - unsigned int h; /*!< \internal 1 if the constants are static. */ - int (*modp)(mbedtls_mpi *); /*!< The function for fast pseudo-reduction + unsigned int MBEDTLS_PRIVATE(h); /*!< \internal 1 if the constants are static. */ + int (*MBEDTLS_PRIVATE(modp))(mbedtls_mpi *); /*!< The function for fast pseudo-reduction mod \p P (see above).*/ - int (*t_pre)(mbedtls_ecp_point *, void *); /*!< Unused. */ - int (*t_post)(mbedtls_ecp_point *, void *); /*!< Unused. */ - void *t_data; /*!< Unused. */ - mbedtls_ecp_point *T; /*!< Pre-computed points for ecp_mul_comb(). */ - size_t T_size; /*!< The number of pre-computed points. */ + int (*MBEDTLS_PRIVATE(t_pre))(mbedtls_ecp_point *, void *); /*!< Unused. */ + int (*MBEDTLS_PRIVATE(t_post))(mbedtls_ecp_point *, void *); /*!< Unused. */ + void *MBEDTLS_PRIVATE(t_data); /*!< Unused. */ + mbedtls_ecp_point *MBEDTLS_PRIVATE(T); /*!< Pre-computed points for ecp_mul_comb(). */ + size_t MBEDTLS_PRIVATE(T_size); /*!< The number of pre-computed points. */ } mbedtls_ecp_group; @@ -369,9 +370,9 @@ typedef void mbedtls_ecp_restart_ctx; */ typedef struct mbedtls_ecp_keypair { - mbedtls_ecp_group grp; /*!< Elliptic curve and base point */ - mbedtls_mpi d; /*!< our secret value */ - mbedtls_ecp_point Q; /*!< our public value */ + mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< Elliptic curve and base point */ + mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< our secret value */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< our public value */ } mbedtls_ecp_keypair; diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index c51e64164..d707bddf0 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_ENTROPY_H #define MBEDTLS_ENTROPY_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -104,11 +105,11 @@ typedef int (*mbedtls_entropy_f_source_ptr)(void *data, unsigned char *output, s */ typedef struct mbedtls_entropy_source_state { - mbedtls_entropy_f_source_ptr f_source; /**< The entropy source callback */ - void * p_source; /**< The callback data pointer */ - size_t size; /**< Amount received in bytes */ - size_t threshold; /**< Minimum bytes required before release */ - int strong; /**< Is the source strong? */ + mbedtls_entropy_f_source_ptr MBEDTLS_PRIVATE(f_source); /**< The entropy source callback */ + void * MBEDTLS_PRIVATE(p_source); /**< The callback data pointer */ + size_t MBEDTLS_PRIVATE(size); /**< Amount received in bytes */ + size_t MBEDTLS_PRIVATE(threshold); /**< Minimum bytes required before release */ + int MBEDTLS_PRIVATE(strong); /**< Is the source strong? */ } mbedtls_entropy_source_state; @@ -117,21 +118,21 @@ mbedtls_entropy_source_state; */ typedef struct mbedtls_entropy_context { - int accumulator_started; /* 0 after init. + int MBEDTLS_PRIVATE(accumulator_started); /* 0 after init. * 1 after the first update. * -1 after free. */ #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) - mbedtls_sha512_context accumulator; + mbedtls_sha512_context MBEDTLS_PRIVATE(accumulator); #else mbedtls_sha256_context accumulator; #endif - int source_count; /* Number of entries used in source. */ - mbedtls_entropy_source_state source[MBEDTLS_ENTROPY_MAX_SOURCES]; + int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */ + mbedtls_entropy_source_state MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES]; #if defined(MBEDTLS_THREADING_C) - mbedtls_threading_mutex_t mutex; /*!< mutex */ + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< mutex */ #endif #if defined(MBEDTLS_ENTROPY_NV_SEED) - int initial_entropy_run; + int MBEDTLS_PRIVATE(initial_entropy_run); #endif } mbedtls_entropy_context; diff --git a/include/mbedtls/gcm.h b/include/mbedtls/gcm.h index a2fc2ab4a..c8e384ad8 100644 --- a/include/mbedtls/gcm.h +++ b/include/mbedtls/gcm.h @@ -30,6 +30,7 @@ #ifndef MBEDTLS_GCM_H #define MBEDTLS_GCM_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -58,15 +59,15 @@ extern "C" { */ typedef struct mbedtls_gcm_context { - mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */ - uint64_t HL[16]; /*!< Precalculated HTable low. */ - uint64_t HH[16]; /*!< Precalculated HTable high. */ - uint64_t len; /*!< The total length of the encrypted data. */ - uint64_t add_len; /*!< The total length of the additional data. */ - unsigned char base_ectr[16]; /*!< The first ECTR for tag. */ - unsigned char y[16]; /*!< The Y working value. */ - unsigned char buf[16]; /*!< The buf working value. */ - int mode; /*!< The operation to perform: + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ + uint64_t MBEDTLS_PRIVATE(HL)[16]; /*!< Precalculated HTable low. */ + uint64_t MBEDTLS_PRIVATE(HH)[16]; /*!< Precalculated HTable high. */ + uint64_t MBEDTLS_PRIVATE(len); /*!< The total length of the encrypted data. */ + uint64_t MBEDTLS_PRIVATE(add_len); /*!< The total length of the additional data. */ + unsigned char MBEDTLS_PRIVATE(base_ectr)[16]; /*!< The first ECTR for tag. */ + unsigned char MBEDTLS_PRIVATE(y)[16]; /*!< The Y working value. */ + unsigned char MBEDTLS_PRIVATE(buf)[16]; /*!< The buf working value. */ + int MBEDTLS_PRIVATE(mode); /*!< The operation to perform: #MBEDTLS_GCM_ENCRYPT or #MBEDTLS_GCM_DECRYPT. */ } diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h index 1ab342252..2f81158b0 100644 --- a/include/mbedtls/hmac_drbg.h +++ b/include/mbedtls/hmac_drbg.h @@ -25,6 +25,7 @@ */ #ifndef MBEDTLS_HMAC_DRBG_H #define MBEDTLS_HMAC_DRBG_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -86,19 +87,19 @@ typedef struct mbedtls_hmac_drbg_context { /* Working state: the key K is not stored explicitly, * but is implied by the HMAC context */ - mbedtls_md_context_t md_ctx; /*!< HMAC context (inc. K) */ - unsigned char V[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ - int reseed_counter; /*!< reseed counter */ + mbedtls_md_context_t MBEDTLS_PRIVATE(md_ctx); /*!< HMAC context (inc. K) */ + unsigned char MBEDTLS_PRIVATE(V)[MBEDTLS_MD_MAX_SIZE]; /*!< V in the spec */ + int MBEDTLS_PRIVATE(reseed_counter); /*!< reseed counter */ /* Administrative state */ - size_t entropy_len; /*!< entropy bytes grabbed on each (re)seed */ - int prediction_resistance; /*!< enable prediction resistance (Automatic + size_t MBEDTLS_PRIVATE(entropy_len); /*!< entropy bytes grabbed on each (re)seed */ + int MBEDTLS_PRIVATE(prediction_resistance); /*!< enable prediction resistance (Automatic reseed before every random generation) */ - int reseed_interval; /*!< reseed interval */ + int MBEDTLS_PRIVATE(reseed_interval); /*!< reseed interval */ /* Callbacks */ - int (*f_entropy)(void *, unsigned char *, size_t); /*!< entropy function */ - void *p_entropy; /*!< context for the entropy function */ + int (*MBEDTLS_PRIVATE(f_entropy))(void *, unsigned char *, size_t); /*!< entropy function */ + void *MBEDTLS_PRIVATE(p_entropy); /*!< context for the entropy function */ #if defined(MBEDTLS_THREADING_C) /* Invariant: the mutex is initialized if and only if @@ -109,7 +110,7 @@ typedef struct mbedtls_hmac_drbg_context * Note that this invariant may change without notice. Do not rely on it * and do not access the mutex directly in application code. */ - mbedtls_threading_mutex_t mutex; + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); #endif } mbedtls_hmac_drbg_context; diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h index fbc3b4785..21dc7c4aa 100644 --- a/include/mbedtls/md.h +++ b/include/mbedtls/md.h @@ -24,6 +24,7 @@ #ifndef MBEDTLS_MD_H #define MBEDTLS_MD_H +#include "mbedtls/private_access.h" #include @@ -93,13 +94,13 @@ typedef struct mbedtls_md_info_t mbedtls_md_info_t; typedef struct mbedtls_md_context_t { /** Information about the associated message digest. */ - const mbedtls_md_info_t *md_info; + const mbedtls_md_info_t *MBEDTLS_PRIVATE(md_info); /** The digest-specific context. */ - void *md_ctx; + void *MBEDTLS_PRIVATE(md_ctx); /** The HMAC part of the context. */ - void *hmac_ctx; + void *MBEDTLS_PRIVATE(hmac_ctx); } mbedtls_md_context_t; /** diff --git a/include/mbedtls/md2.h b/include/mbedtls/md2.h index 950afa241..8d8d1e538 100644 --- a/include/mbedtls/md2.h +++ b/include/mbedtls/md2.h @@ -26,6 +26,7 @@ */ #ifndef MBEDTLS_MD2_H #define MBEDTLS_MD2_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -53,10 +54,10 @@ extern "C" { */ typedef struct mbedtls_md2_context { - unsigned char cksum[16]; /*!< checksum of the data block */ - unsigned char state[48]; /*!< intermediate digest state */ - unsigned char buffer[16]; /*!< data block being processed */ - size_t left; /*!< amount of data in buffer */ + unsigned char MBEDTLS_PRIVATE(cksum)[16]; /*!< checksum of the data block */ + unsigned char MBEDTLS_PRIVATE(state)[48]; /*!< intermediate digest state */ + unsigned char MBEDTLS_PRIVATE(buffer)[16]; /*!< data block being processed */ + size_t MBEDTLS_PRIVATE(left); /*!< amount of data in buffer */ } mbedtls_md2_context; diff --git a/include/mbedtls/md4.h b/include/mbedtls/md4.h index f9e398749..ac28d2904 100644 --- a/include/mbedtls/md4.h +++ b/include/mbedtls/md4.h @@ -26,6 +26,7 @@ */ #ifndef MBEDTLS_MD4_H #define MBEDTLS_MD4_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -54,9 +55,9 @@ extern "C" { */ typedef struct mbedtls_md4_context { - uint32_t total[2]; /*!< number of bytes processed */ - uint32_t state[4]; /*!< intermediate digest state */ - unsigned char buffer[64]; /*!< data block being processed */ + uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */ + uint32_t MBEDTLS_PRIVATE(state)[4]; /*!< intermediate digest state */ + unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */ } mbedtls_md4_context; diff --git a/include/mbedtls/md5.h b/include/mbedtls/md5.h index 71a41dc0e..27bc40971 100644 --- a/include/mbedtls/md5.h +++ b/include/mbedtls/md5.h @@ -25,6 +25,7 @@ */ #ifndef MBEDTLS_MD5_H #define MBEDTLS_MD5_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -53,9 +54,9 @@ extern "C" { */ typedef struct mbedtls_md5_context { - uint32_t total[2]; /*!< number of bytes processed */ - uint32_t state[4]; /*!< intermediate digest state */ - unsigned char buffer[64]; /*!< data block being processed */ + uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */ + uint32_t MBEDTLS_PRIVATE(state)[4]; /*!< intermediate digest state */ + unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */ } mbedtls_md5_context; diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index 319f4be53..502b9f453 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h @@ -37,6 +37,7 @@ */ #ifndef MBEDTLS_NET_SOCKETS_H #define MBEDTLS_NET_SOCKETS_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -84,7 +85,7 @@ extern "C" { */ typedef struct mbedtls_net_context { - int fd; /**< The underlying file descriptor */ + int MBEDTLS_PRIVATE(fd); /**< The underlying file descriptor */ } mbedtls_net_context; diff --git a/include/mbedtls/nist_kw.h b/include/mbedtls/nist_kw.h index 7f3e64a52..c537b589a 100644 --- a/include/mbedtls/nist_kw.h +++ b/include/mbedtls/nist_kw.h @@ -34,6 +34,7 @@ #ifndef MBEDTLS_NIST_KW_H #define MBEDTLS_NIST_KW_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -65,7 +66,7 @@ typedef enum * Don't make any assumptions on this context! */ typedef struct { - mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */ + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */ } mbedtls_nist_kw_context; #else /* MBEDTLS_NIST_key wrapping_ALT */ diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 4198eb107..dd3ade6b1 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_OID_H #define MBEDTLS_OID_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -439,11 +440,11 @@ extern "C" { */ typedef struct mbedtls_oid_descriptor_t { - const char *asn1; /*!< OID ASN.1 representation */ - size_t asn1_len; /*!< length of asn1 */ + const char *MBEDTLS_PRIVATE(asn1); /*!< OID ASN.1 representation */ + size_t MBEDTLS_PRIVATE(asn1_len); /*!< length of asn1 */ #if !defined(MBEDTLS_X509_REMOVE_INFO) - const char *name; /*!< official name (e.g. from RFC) */ - const char *description; /*!< human friendly description */ + const char *MBEDTLS_PRIVATE(name); /*!< official name (e.g. from RFC) */ + const char *MBEDTLS_PRIVATE(description); /*!< human friendly description */ #endif } mbedtls_oid_descriptor_t; diff --git a/include/mbedtls/pem.h b/include/mbedtls/pem.h index 4769bec5f..9242da6b1 100644 --- a/include/mbedtls/pem.h +++ b/include/mbedtls/pem.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_PEM_H #define MBEDTLS_PEM_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -57,9 +58,9 @@ extern "C" { */ typedef struct mbedtls_pem_context { - unsigned char *buf; /*!< buffer for decoded data */ - size_t buflen; /*!< length of the buffer */ - unsigned char *info; /*!< buffer for extra header information */ + unsigned char *MBEDTLS_PRIVATE(buf); /*!< buffer for decoded data */ + size_t MBEDTLS_PRIVATE(buflen); /*!< length of the buffer */ + unsigned char *MBEDTLS_PRIVATE(info); /*!< buffer for extra header information */ } mbedtls_pem_context; diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 093b3bc6d..06da076fb 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -22,6 +22,7 @@ #ifndef MBEDTLS_PK_H #define MBEDTLS_PK_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -91,8 +92,8 @@ typedef enum { */ typedef struct mbedtls_pk_rsassa_pss_options { - mbedtls_md_type_t mgf1_hash_id; - int expected_salt_len; + mbedtls_md_type_t MBEDTLS_PRIVATE(mgf1_hash_id); + int MBEDTLS_PRIVATE(expected_salt_len); } mbedtls_pk_rsassa_pss_options; @@ -163,9 +164,9 @@ typedef enum */ typedef struct mbedtls_pk_debug_item { - mbedtls_pk_debug_type type; - const char *name; - void *value; + mbedtls_pk_debug_type MBEDTLS_PRIVATE(type); + const char *MBEDTLS_PRIVATE(name); + void *MBEDTLS_PRIVATE(value); } mbedtls_pk_debug_item; /** Maximum number of item send for debugging, plus 1 */ @@ -181,8 +182,8 @@ typedef struct mbedtls_pk_info_t mbedtls_pk_info_t; */ typedef struct mbedtls_pk_context { - const mbedtls_pk_info_t * pk_info; /**< Public key information */ - void * pk_ctx; /**< Underlying public key context */ + const mbedtls_pk_info_t * MBEDTLS_PRIVATE(pk_info); /**< Public key information */ + void * MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */ } mbedtls_pk_context; #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h index c944732fb..c50d7d211 100644 --- a/include/mbedtls/platform.h +++ b/include/mbedtls/platform.h @@ -30,6 +30,7 @@ */ #ifndef MBEDTLS_PLATFORM_H #define MBEDTLS_PLATFORM_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -367,7 +368,7 @@ int mbedtls_platform_set_nv_seed( */ typedef struct mbedtls_platform_context { - char dummy; /**< A placeholder member, as empty structs are not portable. */ + char MBEDTLS_PRIVATE(dummy); /**< A placeholder member, as empty structs are not portable. */ } mbedtls_platform_context; diff --git a/include/mbedtls/poly1305.h b/include/mbedtls/poly1305.h index 1767f5863..4d253858e 100644 --- a/include/mbedtls/poly1305.h +++ b/include/mbedtls/poly1305.h @@ -31,6 +31,7 @@ #ifndef MBEDTLS_POLY1305_H #define MBEDTLS_POLY1305_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -51,11 +52,11 @@ extern "C" { typedef struct mbedtls_poly1305_context { - uint32_t r[4]; /** The value for 'r' (low 128 bits of the key). */ - uint32_t s[4]; /** The value for 's' (high 128 bits of the key). */ - uint32_t acc[5]; /** The accumulator number. */ - uint8_t queue[16]; /** The current partial block of data. */ - size_t queue_len; /** The number of bytes stored in 'queue'. */ + uint32_t MBEDTLS_PRIVATE(r)[4]; /** The value for 'r' (low 128 bits of the key). */ + uint32_t MBEDTLS_PRIVATE(s)[4]; /** The value for 's' (high 128 bits of the key). */ + uint32_t MBEDTLS_PRIVATE(acc)[5]; /** The accumulator number. */ + uint8_t MBEDTLS_PRIVATE(queue)[16]; /** The current partial block of data. */ + size_t MBEDTLS_PRIVATE(queue_len); /** The number of bytes stored in 'queue'. */ } mbedtls_poly1305_context; diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h index 75fcdac93..d5feecb9b 100644 --- a/include/mbedtls/psa_util.h +++ b/include/mbedtls/psa_util.h @@ -25,6 +25,7 @@ #ifndef MBEDTLS_PSA_UTIL_H #define MBEDTLS_PSA_UTIL_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -380,7 +381,7 @@ static inline psa_key_type_t mbedtls_psa_parse_tls_ecc_group( if( curve_info == NULL ) return( 0 ); return( PSA_KEY_TYPE_ECC_KEY_PAIR( - mbedtls_ecc_group_to_psa( curve_info->grp_id, bits ) ) ); + mbedtls_ecc_group_to_psa( curve_info->MBEDTLS_PRIVATE(grp_id), bits ) ) ); } #endif /* MBEDTLS_ECP_C */ diff --git a/include/mbedtls/ripemd160.h b/include/mbedtls/ripemd160.h index 1c72d60fc..62570c2a2 100644 --- a/include/mbedtls/ripemd160.h +++ b/include/mbedtls/ripemd160.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_RIPEMD160_H #define MBEDTLS_RIPEMD160_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -44,9 +45,9 @@ extern "C" { */ typedef struct mbedtls_ripemd160_context { - uint32_t total[2]; /*!< number of bytes processed */ - uint32_t state[5]; /*!< intermediate digest state */ - unsigned char buffer[64]; /*!< data block being processed */ + uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< number of bytes processed */ + uint32_t MBEDTLS_PRIVATE(state)[5]; /*!< intermediate digest state */ + unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< data block being processed */ } mbedtls_ripemd160_context; diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index a54ac4dd0..945050c3c 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -27,6 +27,7 @@ */ #ifndef MBEDTLS_RSA_H #define MBEDTLS_RSA_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -90,41 +91,41 @@ extern "C" { */ typedef struct mbedtls_rsa_context { - int ver; /*!< Reserved for internal purposes. + int MBEDTLS_PRIVATE(ver); /*!< Reserved for internal purposes. * Do not set this field in application * code. Its meaning might change without * notice. */ - size_t len; /*!< The size of \p N in Bytes. */ + size_t MBEDTLS_PRIVATE(len); /*!< The size of \p N in Bytes. */ - mbedtls_mpi N; /*!< The public modulus. */ - mbedtls_mpi E; /*!< The public exponent. */ + mbedtls_mpi MBEDTLS_PRIVATE(N); /*!< The public modulus. */ + mbedtls_mpi MBEDTLS_PRIVATE(E); /*!< The public exponent. */ - mbedtls_mpi D; /*!< The private exponent. */ - mbedtls_mpi P; /*!< The first prime factor. */ - mbedtls_mpi Q; /*!< The second prime factor. */ + mbedtls_mpi MBEDTLS_PRIVATE(D); /*!< The private exponent. */ + mbedtls_mpi MBEDTLS_PRIVATE(P); /*!< The first prime factor. */ + mbedtls_mpi MBEDTLS_PRIVATE(Q); /*!< The second prime factor. */ - mbedtls_mpi DP; /*!< D % (P - 1). */ - mbedtls_mpi DQ; /*!< D % (Q - 1). */ - mbedtls_mpi QP; /*!< 1 / (Q % P). */ + mbedtls_mpi MBEDTLS_PRIVATE(DP); /*!< D % (P - 1). */ + mbedtls_mpi MBEDTLS_PRIVATE(DQ); /*!< D % (Q - 1). */ + mbedtls_mpi MBEDTLS_PRIVATE(QP); /*!< 1 / (Q % P). */ - mbedtls_mpi RN; /*!< cached R^2 mod N. */ + mbedtls_mpi MBEDTLS_PRIVATE(RN); /*!< cached R^2 mod N. */ - mbedtls_mpi RP; /*!< cached R^2 mod P. */ - mbedtls_mpi RQ; /*!< cached R^2 mod Q. */ + mbedtls_mpi MBEDTLS_PRIVATE(RP); /*!< cached R^2 mod P. */ + mbedtls_mpi MBEDTLS_PRIVATE(RQ); /*!< cached R^2 mod Q. */ - mbedtls_mpi Vi; /*!< The cached blinding value. */ - mbedtls_mpi Vf; /*!< The cached un-blinding value. */ + mbedtls_mpi MBEDTLS_PRIVATE(Vi); /*!< The cached blinding value. */ + mbedtls_mpi MBEDTLS_PRIVATE(Vf); /*!< The cached un-blinding value. */ - int padding; /*!< Selects padding mode: + int MBEDTLS_PRIVATE(padding); /*!< Selects padding mode: #MBEDTLS_RSA_PKCS_V15 for 1.5 padding and #MBEDTLS_RSA_PKCS_V21 for OAEP or PSS. */ - int hash_id; /*!< Hash identifier of mbedtls_md_type_t type, + int MBEDTLS_PRIVATE(hash_id); /*!< Hash identifier of mbedtls_md_type_t type, as specified in md.h for use in the MGF mask generating function used in the EME-OAEP and EMSA-PSS encodings. */ #if defined(MBEDTLS_THREADING_C) /* Invariant: the mutex is initialized iff ver != 0. */ - mbedtls_threading_mutex_t mutex; /*!< Thread-safety mutex. */ + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< Thread-safety mutex. */ #endif } mbedtls_rsa_context; diff --git a/include/mbedtls/sha1.h b/include/mbedtls/sha1.h index 56ff9487e..5a42e5c23 100644 --- a/include/mbedtls/sha1.h +++ b/include/mbedtls/sha1.h @@ -28,6 +28,7 @@ */ #ifndef MBEDTLS_SHA1_H #define MBEDTLS_SHA1_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -58,9 +59,9 @@ extern "C" { */ typedef struct mbedtls_sha1_context { - uint32_t total[2]; /*!< The number of Bytes processed. */ - uint32_t state[5]; /*!< The intermediate digest state. */ - unsigned char buffer[64]; /*!< The data block being processed. */ + uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */ + uint32_t MBEDTLS_PRIVATE(state)[5]; /*!< The intermediate digest state. */ + unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */ } mbedtls_sha1_context; diff --git a/include/mbedtls/sha256.h b/include/mbedtls/sha256.h index 22c2c7d7e..2b982ff9b 100644 --- a/include/mbedtls/sha256.h +++ b/include/mbedtls/sha256.h @@ -24,6 +24,7 @@ */ #ifndef MBEDTLS_SHA256_H #define MBEDTLS_SHA256_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -53,10 +54,10 @@ extern "C" { */ typedef struct mbedtls_sha256_context { - uint32_t total[2]; /*!< The number of Bytes processed. */ - uint32_t state[8]; /*!< The intermediate digest state. */ - unsigned char buffer[64]; /*!< The data block being processed. */ - int is224; /*!< Determines which function to use: + uint32_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */ + uint32_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */ + unsigned char MBEDTLS_PRIVATE(buffer)[64]; /*!< The data block being processed. */ + int MBEDTLS_PRIVATE(is224); /*!< Determines which function to use: 0: Use SHA-256, or 1: Use SHA-224. */ } mbedtls_sha256_context; diff --git a/include/mbedtls/sha512.h b/include/mbedtls/sha512.h index 04222f4a4..3f1af17b1 100644 --- a/include/mbedtls/sha512.h +++ b/include/mbedtls/sha512.h @@ -23,6 +23,7 @@ */ #ifndef MBEDTLS_SHA512_H #define MBEDTLS_SHA512_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -52,12 +53,12 @@ extern "C" { */ typedef struct mbedtls_sha512_context { - uint64_t total[2]; /*!< The number of Bytes processed. */ - uint64_t state[8]; /*!< The intermediate digest state. */ - unsigned char buffer[128]; /*!< The data block being processed. */ + uint64_t MBEDTLS_PRIVATE(total)[2]; /*!< The number of Bytes processed. */ + uint64_t MBEDTLS_PRIVATE(state)[8]; /*!< The intermediate digest state. */ + unsigned char MBEDTLS_PRIVATE(buffer)[128]; /*!< The data block being processed. */ #if defined(MBEDTLS_SHA384_C) - int is384; /*!< Determines which function to use: - 0: Use SHA-512, or 1: Use SHA-384. */ + int MBEDTLS_PRIVATE(is384); /*!< Determines which function to use: + 0: Use SHA-512, or 1: Use SHA-384. */ #endif } mbedtls_sha512_context; diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 88a599c18..e6a3ff581 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_SSL_H #define MBEDTLS_SSL_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -912,11 +913,11 @@ typedef uint16_t mbedtls_ssl_srtp_profile; typedef struct mbedtls_dtls_srtp_info_t { /*! The SRTP profile that was negotiated. */ - mbedtls_ssl_srtp_profile chosen_dtls_srtp_profile; + mbedtls_ssl_srtp_profile MBEDTLS_PRIVATE(chosen_dtls_srtp_profile); /*! The length of mki_value. */ - uint16_t mki_len; + uint16_t MBEDTLS_PRIVATE(mki_len); /*! The mki_value used, with max size of 256 bytes. */ - unsigned char mki_value[MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH]; + unsigned char MBEDTLS_PRIVATE(mki_value)[MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH]; } mbedtls_dtls_srtp_info; @@ -936,17 +937,17 @@ mbedtls_dtls_srtp_info; struct mbedtls_ssl_session { #if defined(MBEDTLS_HAVE_TIME) - mbedtls_time_t start; /*!< starting time */ + mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ #endif - int ciphersuite; /*!< chosen ciphersuite */ - int compression; /*!< chosen compression */ - size_t id_len; /*!< session id length */ - unsigned char id[32]; /*!< session identifier */ - unsigned char master[48]; /*!< the master secret */ + int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ + int MBEDTLS_PRIVATE(compression); /*!< chosen compression */ + size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ + unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ + unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ #if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */ + mbedtls_x509_crt *MBEDTLS_PRIVATE(peer_cert); /*!< peer X.509 cert chain */ #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /*! The digest of the peer's end-CRT. This must be kept to detect CRT * changes during renegotiation, mitigating the triple handshake attack. */ @@ -955,24 +956,24 @@ struct mbedtls_ssl_session mbedtls_md_type_t peer_cert_digest_type; #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ - uint32_t verify_result; /*!< verification result */ + uint32_t MBEDTLS_PRIVATE(verify_result); /*!< verification result */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) - unsigned char *ticket; /*!< RFC 5077 session ticket */ - size_t ticket_len; /*!< session ticket length */ - uint32_t ticket_lifetime; /*!< ticket lifetime hint */ + unsigned char *MBEDTLS_PRIVATE(ticket); /*!< RFC 5077 session ticket */ + size_t MBEDTLS_PRIVATE(ticket_len); /*!< session ticket length */ + uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< ticket lifetime hint */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */ + unsigned char MBEDTLS_PRIVATE(mfl_code); /*!< MaxFragmentLength negotiated by peer */ #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - int trunc_hmac; /*!< flag for truncated hmac activation */ + int MBEDTLS_PRIVATE(trunc_hmac); /*!< flag for truncated hmac activation */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - int encrypt_then_mac; /*!< flag for EtM activation */ + int MBEDTLS_PRIVATE(encrypt_then_mac); /*!< flag for EtM activation */ #endif }; @@ -990,114 +991,114 @@ struct mbedtls_ssl_config /** Allowed ciphersuites per version. To access list's elements, please use * \c mbedtls_ssl_get_protocol_version_ciphersuites */ - const int *ciphersuite_list[3]; + const int *MBEDTLS_PRIVATE(ciphersuite_list)[3]; /** Callback for printing debug output */ - void (*f_dbg)(void *, int, const char *, int, const char *); - void *p_dbg; /*!< context for the debug function */ + void (*MBEDTLS_PRIVATE(f_dbg))(void *, int, const char *, int, const char *); + void *MBEDTLS_PRIVATE(p_dbg); /*!< context for the debug function */ /** Callback for getting (pseudo-)random numbers */ - int (*f_rng)(void *, unsigned char *, size_t); - void *p_rng; /*!< context for the RNG function */ + int (*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t); + void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */ /** Callback to retrieve a session from the cache */ - mbedtls_ssl_cache_get_t *f_get_cache; + mbedtls_ssl_cache_get_t *MBEDTLS_PRIVATE(f_get_cache); /** Callback to store a session into the cache */ - mbedtls_ssl_cache_set_t *f_set_cache; - void *p_cache; /*!< context for cache callbacks */ + mbedtls_ssl_cache_set_t *MBEDTLS_PRIVATE(f_set_cache); + void *MBEDTLS_PRIVATE(p_cache); /*!< context for cache callbacks */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** Callback for setting cert according to SNI extension */ - int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); - void *p_sni; /*!< context for SNI callback */ + int (*MBEDTLS_PRIVATE(f_sni))(void *, mbedtls_ssl_context *, const unsigned char *, size_t); + void *MBEDTLS_PRIVATE(p_sni); /*!< context for SNI callback */ #endif #if defined(MBEDTLS_X509_CRT_PARSE_C) /** Callback to customize X.509 certificate chain verification */ - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); - void *p_vrfy; /*!< context for X.509 verify calllback */ + int (*MBEDTLS_PRIVATE(f_vrfy))(void *, mbedtls_x509_crt *, int, uint32_t *); + void *MBEDTLS_PRIVATE(p_vrfy); /*!< context for X.509 verify calllback */ #endif #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) /** Callback to retrieve PSK key from identity */ - int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, size_t); - void *p_psk; /*!< context for PSK callback */ + int (*MBEDTLS_PRIVATE(f_psk))(void *, mbedtls_ssl_context *, const unsigned char *, size_t); + void *MBEDTLS_PRIVATE(p_psk); /*!< context for PSK callback */ #endif #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) /** Callback to create & write a cookie for ClientHello veirifcation */ - int (*f_cookie_write)( void *, unsigned char **, unsigned char *, + int (*MBEDTLS_PRIVATE(f_cookie_write))( void *, unsigned char **, unsigned char *, const unsigned char *, size_t ); /** Callback to verify validity of a ClientHello cookie */ - int (*f_cookie_check)( void *, const unsigned char *, size_t, + int (*MBEDTLS_PRIVATE(f_cookie_check))( void *, const unsigned char *, size_t, const unsigned char *, size_t ); - void *p_cookie; /*!< context for the cookie callbacks */ + void *MBEDTLS_PRIVATE(p_cookie); /*!< context for the cookie callbacks */ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_SRV_C) /** Callback to create & write a session ticket */ - int (*f_ticket_write)( void *, const mbedtls_ssl_session *, + int (*MBEDTLS_PRIVATE(f_ticket_write))( void *, const mbedtls_ssl_session *, unsigned char *, const unsigned char *, size_t *, uint32_t * ); /** Callback to parse a session ticket into a session structure */ - int (*f_ticket_parse)( void *, mbedtls_ssl_session *, unsigned char *, size_t); - void *p_ticket; /*!< context for the ticket callbacks */ + int (*MBEDTLS_PRIVATE(f_ticket_parse))( void *, mbedtls_ssl_session *, unsigned char *, size_t); + void *MBEDTLS_PRIVATE(p_ticket); /*!< context for the ticket callbacks */ #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_EXPORT_KEYS) /** Callback to export key block and master secret */ - int (*f_export_keys)( void *, const unsigned char *, + int (*MBEDTLS_PRIVATE(f_export_keys))( void *, const unsigned char *, const unsigned char *, size_t, size_t, size_t ); /** Callback to export key block, master secret, * tls_prf and random bytes. Should replace f_export_keys */ - int (*f_export_keys_ext)( void *, const unsigned char *, + int (*MBEDTLS_PRIVATE(f_export_keys_ext))( void *, const unsigned char *, const unsigned char *, size_t, size_t, size_t, const unsigned char[32], const unsigned char[32], mbedtls_tls_prf_types ); - void *p_export_keys; /*!< context for key export callback */ + void *MBEDTLS_PRIVATE(p_export_keys); /*!< context for key export callback */ #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - size_t cid_len; /*!< The length of CIDs for incoming DTLS records. */ + size_t MBEDTLS_PRIVATE(cid_len); /*!< The length of CIDs for incoming DTLS records. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - const mbedtls_x509_crt_profile *cert_profile; /*!< verification profile */ - mbedtls_ssl_key_cert *key_cert; /*!< own certificate/key pair(s) */ - mbedtls_x509_crt *ca_chain; /*!< trusted CAs */ - mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ + const mbedtls_x509_crt_profile *MBEDTLS_PRIVATE(cert_profile); /*!< verification profile */ + mbedtls_ssl_key_cert *MBEDTLS_PRIVATE(key_cert); /*!< own certificate/key pair(s) */ + mbedtls_x509_crt *MBEDTLS_PRIVATE(ca_chain); /*!< trusted CAs */ + mbedtls_x509_crl *MBEDTLS_PRIVATE(ca_crl); /*!< trusted CAs CRLs */ #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) - mbedtls_x509_crt_ca_cb_t f_ca_cb; - void *p_ca_cb; + mbedtls_x509_crt_ca_cb_t MBEDTLS_PRIVATE(f_ca_cb); + void *MBEDTLS_PRIVATE(p_ca_cb); #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) #if defined(MBEDTLS_X509_CRT_PARSE_C) - mbedtls_ssl_async_sign_t *f_async_sign_start; /*!< start asynchronous signature operation */ - mbedtls_ssl_async_decrypt_t *f_async_decrypt_start; /*!< start asynchronous decryption operation */ + mbedtls_ssl_async_sign_t *MBEDTLS_PRIVATE(f_async_sign_start); /*!< start asynchronous signature operation */ + mbedtls_ssl_async_decrypt_t *MBEDTLS_PRIVATE(f_async_decrypt_start); /*!< start asynchronous decryption operation */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ - mbedtls_ssl_async_resume_t *f_async_resume; /*!< resume asynchronous operation */ - mbedtls_ssl_async_cancel_t *f_async_cancel; /*!< cancel asynchronous operation */ - void *p_async_config_data; /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */ + mbedtls_ssl_async_resume_t *MBEDTLS_PRIVATE(f_async_resume); /*!< resume asynchronous operation */ + mbedtls_ssl_async_cancel_t *MBEDTLS_PRIVATE(f_async_cancel); /*!< cancel asynchronous operation */ + void *MBEDTLS_PRIVATE(p_async_config_data); /*!< Configuration data set by mbedtls_ssl_conf_async_private_cb(). */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - const int *sig_hashes; /*!< allowed signature hashes */ + const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */ #endif #if defined(MBEDTLS_ECP_C) - const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ + const mbedtls_ecp_group_id *MBEDTLS_PRIVATE(curve_list); /*!< allowed curves */ #endif #if defined(MBEDTLS_DHM_C) - mbedtls_mpi dhm_P; /*!< prime modulus for DHM */ - mbedtls_mpi dhm_G; /*!< generator for DHM */ + mbedtls_mpi MBEDTLS_PRIVATE(dhm_P); /*!< prime modulus for DHM */ + mbedtls_mpi MBEDTLS_PRIVATE(dhm_G); /*!< generator for DHM */ #endif #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t psk_opaque; /*!< PSA key slot holding opaque PSK. This field + psa_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field * should only be set via * mbedtls_ssl_conf_psk_opaque(). * If either no PSK or a raw PSK have been @@ -1105,22 +1106,22 @@ struct mbedtls_ssl_config */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ - unsigned char *psk; /*!< The raw pre-shared key. This field should + unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should * only be set via mbedtls_ssl_conf_psk(). * If either no PSK or an opaque PSK * have been configured, this has value NULL. */ - size_t psk_len; /*!< The length of the raw pre-shared key. + size_t MBEDTLS_PRIVATE(psk_len); /*!< The length of the raw pre-shared key. * This field should only be set via * mbedtls_ssl_conf_psk(). * Its value is non-zero if and only if * \c psk is not \c NULL. */ - unsigned char *psk_identity; /*!< The PSK identity for PSK negotiation. + unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation. * This field should only be set via * mbedtls_ssl_conf_psk(). * This is set if and only if either * \c psk or \c psk_opaque are set. */ - size_t psk_identity_len;/*!< The length of PSK identity. + size_t MBEDTLS_PRIVATE(psk_identity_len);/*!< The length of PSK identity. * This field should only be set via * mbedtls_ssl_conf_psk(). * Its value is non-zero if and only if @@ -1129,279 +1130,279 @@ struct mbedtls_ssl_config #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #if defined(MBEDTLS_SSL_ALPN) - const char **alpn_list; /*!< ordered list of protocols */ + const char **MBEDTLS_PRIVATE(alpn_list); /*!< ordered list of protocols */ #endif #if defined(MBEDTLS_SSL_DTLS_SRTP) /*! ordered list of supported srtp profile */ - const mbedtls_ssl_srtp_profile *dtls_srtp_profile_list; + const mbedtls_ssl_srtp_profile *MBEDTLS_PRIVATE(dtls_srtp_profile_list); /*! number of supported profiles */ - size_t dtls_srtp_profile_list_len; + size_t MBEDTLS_PRIVATE(dtls_srtp_profile_list_len); #endif /* MBEDTLS_SSL_DTLS_SRTP */ /* * Numerical settings (int then char) */ - uint32_t read_timeout; /*!< timeout for mbedtls_ssl_read (ms) */ + uint32_t MBEDTLS_PRIVATE(read_timeout); /*!< timeout for mbedtls_ssl_read (ms) */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - uint32_t hs_timeout_min; /*!< initial value of the handshake + uint32_t MBEDTLS_PRIVATE(hs_timeout_min); /*!< initial value of the handshake retransmission timeout (ms) */ - uint32_t hs_timeout_max; /*!< maximum value of the handshake + uint32_t MBEDTLS_PRIVATE(hs_timeout_max); /*!< maximum value of the handshake retransmission timeout (ms) */ #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) - int renego_max_records; /*!< grace period for renegotiation */ - unsigned char renego_period[8]; /*!< value of the record counters + int MBEDTLS_PRIVATE(renego_max_records); /*!< grace period for renegotiation */ + unsigned char MBEDTLS_PRIVATE(renego_period)[8]; /*!< value of the record counters that triggers renegotiation */ #endif #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - unsigned int badmac_limit; /*!< limit of records with a bad MAC */ + unsigned int MBEDTLS_PRIVATE(badmac_limit); /*!< limit of records with a bad MAC */ #endif #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) - unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */ + unsigned int MBEDTLS_PRIVATE(dhm_min_bitlen); /*!< min. bit length of the DHM prime */ #endif - unsigned char max_major_ver; /*!< max. major version used */ - unsigned char max_minor_ver; /*!< max. minor version used */ - unsigned char min_major_ver; /*!< min. major version used */ - unsigned char min_minor_ver; /*!< min. minor version used */ + unsigned char MBEDTLS_PRIVATE(max_major_ver); /*!< max. major version used */ + unsigned char MBEDTLS_PRIVATE(max_minor_ver); /*!< max. minor version used */ + unsigned char MBEDTLS_PRIVATE(min_major_ver); /*!< min. major version used */ + unsigned char MBEDTLS_PRIVATE(min_minor_ver); /*!< min. minor version used */ /* * Flags (bitfields) */ - unsigned int endpoint : 1; /*!< 0: client, 1: server */ - unsigned int transport : 1; /*!< stream (TLS) or datagram (DTLS) */ - unsigned int authmode : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ + unsigned int MBEDTLS_PRIVATE(endpoint) : 1; /*!< 0: client, 1: server */ + unsigned int MBEDTLS_PRIVATE(transport) : 1; /*!< stream (TLS) or datagram (DTLS) */ + unsigned int MBEDTLS_PRIVATE(authmode) : 2; /*!< MBEDTLS_SSL_VERIFY_XXX */ /* needed even with renego disabled for LEGACY_BREAK_HANDSHAKE */ - unsigned int allow_legacy_renegotiation : 2 ; /*!< MBEDTLS_LEGACY_XXX */ + unsigned int MBEDTLS_PRIVATE(allow_legacy_renegotiation) : 2 ; /*!< MBEDTLS_LEGACY_XXX */ #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) - unsigned int mfl_code : 3; /*!< desired fragment length */ + unsigned int MBEDTLS_PRIVATE(mfl_code) : 3; /*!< desired fragment length */ #endif #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) - unsigned int encrypt_then_mac : 1 ; /*!< negotiate encrypt-then-mac? */ + unsigned int MBEDTLS_PRIVATE(encrypt_then_mac) : 1 ; /*!< negotiate encrypt-then-mac? */ #endif #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) - unsigned int extended_ms : 1; /*!< negotiate extended master secret? */ + unsigned int MBEDTLS_PRIVATE(extended_ms) : 1; /*!< negotiate extended master secret? */ #endif #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - unsigned int anti_replay : 1; /*!< detect and prevent replay? */ + unsigned int MBEDTLS_PRIVATE(anti_replay) : 1; /*!< detect and prevent replay? */ #endif #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - unsigned int cbc_record_splitting : 1; /*!< do cbc record splitting */ + unsigned int MBEDTLS_PRIVATE(cbc_record_splitting) : 1; /*!< do cbc record splitting */ #endif #if defined(MBEDTLS_SSL_RENEGOTIATION) - unsigned int disable_renegotiation : 1; /*!< disable renegotiation? */ + unsigned int MBEDTLS_PRIVATE(disable_renegotiation) : 1; /*!< disable renegotiation? */ #endif #if defined(MBEDTLS_SSL_TRUNCATED_HMAC) - unsigned int trunc_hmac : 1; /*!< negotiate truncated hmac? */ + unsigned int MBEDTLS_PRIVATE(trunc_hmac) : 1; /*!< negotiate truncated hmac? */ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) - unsigned int session_tickets : 1; /*!< use session tickets? */ + unsigned int MBEDTLS_PRIVATE(session_tickets) : 1; /*!< use session tickets? */ #endif #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C) - unsigned int fallback : 1; /*!< is this a fallback? */ + unsigned int MBEDTLS_PRIVATE(fallback) : 1; /*!< is this a fallback? */ #endif #if defined(MBEDTLS_SSL_SRV_C) - unsigned int cert_req_ca_list : 1; /*!< enable sending CA list in + unsigned int MBEDTLS_PRIVATE(cert_req_ca_list) : 1; /*!< enable sending CA list in Certificate Request messages? */ #endif #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - unsigned int ignore_unexpected_cid : 1; /*!< Determines whether DTLS + unsigned int MBEDTLS_PRIVATE(ignore_unexpected_cid) : 1; /*!< Determines whether DTLS * record with unexpected CID * should lead to failure. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ #if defined(MBEDTLS_SSL_DTLS_SRTP) - unsigned int dtls_srtp_mki_support : 1; /* support having mki_value + unsigned int MBEDTLS_PRIVATE(dtls_srtp_mki_support) : 1; /* support having mki_value in the use_srtp extension */ #endif }; struct mbedtls_ssl_context { - const mbedtls_ssl_config *conf; /*!< configuration information */ + const mbedtls_ssl_config *MBEDTLS_PRIVATE(conf); /*!< configuration information */ /* * Miscellaneous */ - int state; /*!< SSL handshake: current state */ + int MBEDTLS_PRIVATE(state); /*!< SSL handshake: current state */ #if defined(MBEDTLS_SSL_RENEGOTIATION) - int renego_status; /*!< Initial, in progress, pending? */ - int renego_records_seen; /*!< Records since renego request, or with DTLS, + int MBEDTLS_PRIVATE(renego_status); /*!< Initial, in progress, pending? */ + int MBEDTLS_PRIVATE(renego_records_seen); /*!< Records since renego request, or with DTLS, number of retransmissions of request if renego_max_records is < 0 */ #endif /* MBEDTLS_SSL_RENEGOTIATION */ - int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */ - int minor_ver; /*!< one of MBEDTLS_SSL_MINOR_VERSION_x macros */ + int MBEDTLS_PRIVATE(major_ver); /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */ + int MBEDTLS_PRIVATE(minor_ver); /*!< one of MBEDTLS_SSL_MINOR_VERSION_x macros */ #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) - unsigned badmac_seen; /*!< records with a bad MAC received */ + unsigned MBEDTLS_PRIVATE(badmac_seen); /*!< records with a bad MAC received */ #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) /** Callback to customize X.509 certificate chain verification */ - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); - void *p_vrfy; /*!< context for X.509 verify callback */ + int (*MBEDTLS_PRIVATE(f_vrfy))(void *, mbedtls_x509_crt *, int, uint32_t *); + void *MBEDTLS_PRIVATE(p_vrfy); /*!< context for X.509 verify callback */ #endif - mbedtls_ssl_send_t *f_send; /*!< Callback for network send */ - mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */ - mbedtls_ssl_recv_timeout_t *f_recv_timeout; + mbedtls_ssl_send_t *MBEDTLS_PRIVATE(f_send); /*!< Callback for network send */ + mbedtls_ssl_recv_t *MBEDTLS_PRIVATE(f_recv); /*!< Callback for network receive */ + mbedtls_ssl_recv_timeout_t *MBEDTLS_PRIVATE(f_recv_timeout); /*!< Callback for network receive with timeout */ - void *p_bio; /*!< context for I/O operations */ + void *MBEDTLS_PRIVATE(p_bio); /*!< context for I/O operations */ /* * Session layer */ - mbedtls_ssl_session *session_in; /*!< current session data (in) */ - mbedtls_ssl_session *session_out; /*!< current session data (out) */ - mbedtls_ssl_session *session; /*!< negotiated session data */ - mbedtls_ssl_session *session_negotiate; /*!< session data in negotiation */ + mbedtls_ssl_session *MBEDTLS_PRIVATE(session_in); /*!< current session data (in) */ + mbedtls_ssl_session *MBEDTLS_PRIVATE(session_out); /*!< current session data (out) */ + mbedtls_ssl_session *MBEDTLS_PRIVATE(session); /*!< negotiated session data */ + mbedtls_ssl_session *MBEDTLS_PRIVATE(session_negotiate); /*!< session data in negotiation */ - mbedtls_ssl_handshake_params *handshake; /*!< params required only during + mbedtls_ssl_handshake_params *MBEDTLS_PRIVATE(handshake); /*!< params required only during the handshake process */ /* * Record layer transformations */ - mbedtls_ssl_transform *transform_in; /*!< current transform params (in) */ - mbedtls_ssl_transform *transform_out; /*!< current transform params (in) */ - mbedtls_ssl_transform *transform; /*!< negotiated transform params */ - mbedtls_ssl_transform *transform_negotiate; /*!< transform params in negotiation */ + mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_in); /*!< current transform params (in) */ + mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_out); /*!< current transform params (in) */ + mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params */ + mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation */ /* * Timers */ - void *p_timer; /*!< context for the timer callbacks */ + void *MBEDTLS_PRIVATE(p_timer); /*!< context for the timer callbacks */ - mbedtls_ssl_set_timer_t *f_set_timer; /*!< set timer callback */ - mbedtls_ssl_get_timer_t *f_get_timer; /*!< get timer callback */ + mbedtls_ssl_set_timer_t *MBEDTLS_PRIVATE(f_set_timer); /*!< set timer callback */ + mbedtls_ssl_get_timer_t *MBEDTLS_PRIVATE(f_get_timer); /*!< get timer callback */ /* * Record layer (incoming data) */ - unsigned char *in_buf; /*!< input buffer */ - unsigned char *in_ctr; /*!< 64-bit incoming message counter + unsigned char *MBEDTLS_PRIVATE(in_buf); /*!< input buffer */ + unsigned char *MBEDTLS_PRIVATE(in_ctr); /*!< 64-bit incoming message counter TLS: maintained by us DTLS: read from peer */ - unsigned char *in_hdr; /*!< start of record header */ + unsigned char *MBEDTLS_PRIVATE(in_hdr); /*!< start of record header */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - unsigned char *in_cid; /*!< The start of the CID; + unsigned char *MBEDTLS_PRIVATE(in_cid); /*!< The start of the CID; * (the end is marked by in_len). */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - unsigned char *in_len; /*!< two-bytes message length field */ - unsigned char *in_iv; /*!< ivlen-byte IV */ - unsigned char *in_msg; /*!< message contents (in_iv+ivlen) */ - unsigned char *in_offt; /*!< read offset in application data */ + unsigned char *MBEDTLS_PRIVATE(in_len); /*!< two-bytes message length field */ + unsigned char *MBEDTLS_PRIVATE(in_iv); /*!< ivlen-byte IV */ + unsigned char *MBEDTLS_PRIVATE(in_msg); /*!< message contents (in_iv+ivlen) */ + unsigned char *MBEDTLS_PRIVATE(in_offt); /*!< read offset in application data */ - int in_msgtype; /*!< record header: message type */ - size_t in_msglen; /*!< record header: message length */ - size_t in_left; /*!< amount of data read so far */ + int MBEDTLS_PRIVATE(in_msgtype); /*!< record header: message type */ + size_t MBEDTLS_PRIVATE(in_msglen); /*!< record header: message length */ + size_t MBEDTLS_PRIVATE(in_left); /*!< amount of data read so far */ #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) - size_t in_buf_len; /*!< length of input buffer */ + size_t MBEDTLS_PRIVATE(in_buf_len); /*!< length of input buffer */ #endif #if defined(MBEDTLS_SSL_PROTO_DTLS) - uint16_t in_epoch; /*!< DTLS epoch for incoming records */ - size_t next_record_offset; /*!< offset of the next record in datagram + uint16_t MBEDTLS_PRIVATE(in_epoch); /*!< DTLS epoch for incoming records */ + size_t MBEDTLS_PRIVATE(next_record_offset); /*!< offset of the next record in datagram (equal to in_left if none) */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) - uint64_t in_window_top; /*!< last validated record seq_num */ - uint64_t in_window; /*!< bitmask for replay detection */ + uint64_t MBEDTLS_PRIVATE(in_window_top); /*!< last validated record seq_num */ + uint64_t MBEDTLS_PRIVATE(in_window); /*!< bitmask for replay detection */ #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ - size_t in_hslen; /*!< current handshake message length, + size_t MBEDTLS_PRIVATE(in_hslen); /*!< current handshake message length, including the handshake header */ - int nb_zero; /*!< # of 0-length encrypted messages */ + int MBEDTLS_PRIVATE(nb_zero); /*!< # of 0-length encrypted messages */ - int keep_current_message; /*!< drop or reuse current message + int MBEDTLS_PRIVATE(keep_current_message); /*!< drop or reuse current message on next call to record layer? */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - uint8_t disable_datagram_packing; /*!< Disable packing multiple records + uint8_t MBEDTLS_PRIVATE(disable_datagram_packing); /*!< Disable packing multiple records * within a single datagram. */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ /* * Record layer (outgoing data) */ - unsigned char *out_buf; /*!< output buffer */ - unsigned char *out_ctr; /*!< 64-bit outgoing message counter */ - unsigned char *out_hdr; /*!< start of record header */ + unsigned char *MBEDTLS_PRIVATE(out_buf); /*!< output buffer */ + unsigned char *MBEDTLS_PRIVATE(out_ctr); /*!< 64-bit outgoing message counter */ + unsigned char *MBEDTLS_PRIVATE(out_hdr); /*!< start of record header */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) - unsigned char *out_cid; /*!< The start of the CID; + unsigned char *MBEDTLS_PRIVATE(out_cid); /*!< The start of the CID; * (the end is marked by in_len). */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ - unsigned char *out_len; /*!< two-bytes message length field */ - unsigned char *out_iv; /*!< ivlen-byte IV */ - unsigned char *out_msg; /*!< message contents (out_iv+ivlen) */ + unsigned char *MBEDTLS_PRIVATE(out_len); /*!< two-bytes message length field */ + unsigned char *MBEDTLS_PRIVATE(out_iv); /*!< ivlen-byte IV */ + unsigned char *MBEDTLS_PRIVATE(out_msg); /*!< message contents (out_iv+ivlen) */ - int out_msgtype; /*!< record header: message type */ - size_t out_msglen; /*!< record header: message length */ - size_t out_left; /*!< amount of data not yet written */ + int MBEDTLS_PRIVATE(out_msgtype); /*!< record header: message type */ + size_t MBEDTLS_PRIVATE(out_msglen); /*!< record header: message length */ + size_t MBEDTLS_PRIVATE(out_left); /*!< amount of data not yet written */ #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) - size_t out_buf_len; /*!< length of output buffer */ + size_t MBEDTLS_PRIVATE(out_buf_len); /*!< length of output buffer */ #endif - unsigned char cur_out_ctr[8]; /*!< Outgoing record sequence number. */ + unsigned char MBEDTLS_PRIVATE(cur_out_ctr)[8]; /*!< Outgoing record sequence number. */ #if defined(MBEDTLS_SSL_PROTO_DTLS) - uint16_t mtu; /*!< path mtu, used to fragment outgoing messages */ + uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */ #endif /* MBEDTLS_SSL_PROTO_DTLS */ #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) - signed char split_done; /*!< current record already splitted? */ + signed char MBEDTLS_PRIVATE(split_done); /*!< current record already splitted? */ #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ /* * PKI layer */ - int client_auth; /*!< flag for client auth. */ + int MBEDTLS_PRIVATE(client_auth); /*!< flag for client auth. */ /* * User settings */ #if defined(MBEDTLS_X509_CRT_PARSE_C) - char *hostname; /*!< expected peer CN for verification + char *MBEDTLS_PRIVATE(hostname); /*!< expected peer CN for verification (and SNI if available) */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_ALPN) - const char *alpn_chosen; /*!< negotiated protocol */ + const char *MBEDTLS_PRIVATE(alpn_chosen); /*!< negotiated protocol */ #endif /* MBEDTLS_SSL_ALPN */ #if defined(MBEDTLS_SSL_DTLS_SRTP) /* * use_srtp extension */ - mbedtls_dtls_srtp_info dtls_srtp_info; + mbedtls_dtls_srtp_info MBEDTLS_PRIVATE(dtls_srtp_info); #endif /* MBEDTLS_SSL_DTLS_SRTP */ /* * Information for DTLS hello verify */ #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) - unsigned char *cli_id; /*!< transport-level ID of the client */ - size_t cli_id_len; /*!< length of cli_id */ + unsigned char *MBEDTLS_PRIVATE(cli_id); /*!< transport-level ID of the client */ + size_t MBEDTLS_PRIVATE(cli_id_len); /*!< length of cli_id */ #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ /* * Secure renegotiation */ /* needed to know when to send extension on server */ - int secure_renegotiation; /*!< does peer support legacy or + int MBEDTLS_PRIVATE(secure_renegotiation); /*!< does peer support legacy or secure renegotiation */ #if defined(MBEDTLS_SSL_RENEGOTIATION) - size_t verify_data_len; /*!< length of verify data stored */ - char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ - char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ + size_t MBEDTLS_PRIVATE(verify_data_len); /*!< length of verify data stored */ + char MBEDTLS_PRIVATE(own_verify_data)[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ + char MBEDTLS_PRIVATE(peer_verify_data)[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]; /*!< previous handshake verify data */ #endif /* MBEDTLS_SSL_RENEGOTIATION */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -1411,9 +1412,9 @@ struct mbedtls_ssl_context * all subsequent handshakes. This may be different from the * CID currently used in case the user has re-configured the CID * after an initial handshake. */ - unsigned char own_cid[ MBEDTLS_SSL_CID_IN_LEN_MAX ]; - uint8_t own_cid_len; /*!< The length of \c own_cid. */ - uint8_t negotiate_cid; /*!< This indicates whether the CID extension should + unsigned char MBEDTLS_PRIVATE(own_cid)[ MBEDTLS_SSL_CID_IN_LEN_MAX ]; + uint8_t MBEDTLS_PRIVATE(own_cid_len); /*!< The length of \c own_cid. */ + uint8_t MBEDTLS_PRIVATE(negotiate_cid); /*!< This indicates whether the CID extension should * be negotiated in the next handshake or not. * Possible values are #MBEDTLS_SSL_CID_ENABLED * and #MBEDTLS_SSL_CID_DISABLED. */ diff --git a/include/mbedtls/ssl_cache.h b/include/mbedtls/ssl_cache.h index ac7b77cfb..d995f8f6d 100644 --- a/include/mbedtls/ssl_cache.h +++ b/include/mbedtls/ssl_cache.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_SSL_CACHE_H #define MBEDTLS_SSL_CACHE_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -65,16 +66,16 @@ typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry; struct mbedtls_ssl_cache_entry { #if defined(MBEDTLS_HAVE_TIME) - mbedtls_time_t timestamp; /*!< entry timestamp */ + mbedtls_time_t MBEDTLS_PRIVATE(timestamp); /*!< entry timestamp */ #endif - unsigned char session_id[32]; /*!< session ID */ - size_t session_id_len; + unsigned char MBEDTLS_PRIVATE(session_id)[32]; /*!< session ID */ + size_t MBEDTLS_PRIVATE(session_id_len); - unsigned char *session; /*!< serialized session */ - size_t session_len; + unsigned char *MBEDTLS_PRIVATE(session); /*!< serialized session */ + size_t MBEDTLS_PRIVATE(session_len); - mbedtls_ssl_cache_entry *next; /*!< chain pointer */ + mbedtls_ssl_cache_entry *MBEDTLS_PRIVATE(next); /*!< chain pointer */ }; /** @@ -82,11 +83,11 @@ struct mbedtls_ssl_cache_entry */ struct mbedtls_ssl_cache_context { - mbedtls_ssl_cache_entry *chain; /*!< start of the chain */ - int timeout; /*!< cache entry timeout */ - int max_entries; /*!< maximum entries */ + mbedtls_ssl_cache_entry *MBEDTLS_PRIVATE(chain); /*!< start of the chain */ + int MBEDTLS_PRIVATE(timeout); /*!< cache entry timeout */ + int MBEDTLS_PRIVATE(max_entries); /*!< maximum entries */ #if defined(MBEDTLS_THREADING_C) - mbedtls_threading_mutex_t mutex; /*!< mutex */ + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); /*!< mutex */ #endif }; diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 3eacfb5a3..093238c0b 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_SSL_CIPHERSUITES_H #define MBEDTLS_SSL_CIPHERSUITES_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -405,7 +406,7 @@ int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info ); #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_PSK: @@ -424,7 +425,7 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite #if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: @@ -442,7 +443,7 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: @@ -456,7 +457,7 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersui static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_RSA: @@ -473,7 +474,7 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ci static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_RSA_PSK: @@ -492,7 +493,7 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphe #if defined(MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED) static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_PSK: @@ -507,7 +508,7 @@ static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuit #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: @@ -523,7 +524,7 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersu #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info ) { - switch( info->key_exchange ) + switch( info->MBEDTLS_PRIVATE(key_exchange) ) { case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h index 0a238708e..6806dbddd 100644 --- a/include/mbedtls/ssl_cookie.h +++ b/include/mbedtls/ssl_cookie.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_SSL_COOKIE_H #define MBEDTLS_SSL_COOKIE_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -56,15 +57,15 @@ extern "C" { */ typedef struct mbedtls_ssl_cookie_ctx { - mbedtls_md_context_t hmac_ctx; /*!< context for the HMAC portion */ + mbedtls_md_context_t MBEDTLS_PRIVATE(hmac_ctx); /*!< context for the HMAC portion */ #if !defined(MBEDTLS_HAVE_TIME) unsigned long serial; /*!< serial number for expiration */ #endif - unsigned long timeout; /*!< timeout delay, in seconds if HAVE_TIME, + unsigned long MBEDTLS_PRIVATE(timeout); /*!< timeout delay, in seconds if HAVE_TIME, or in number of tickets issued */ #if defined(MBEDTLS_THREADING_C) - mbedtls_threading_mutex_t mutex; + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); #endif } mbedtls_ssl_cookie_ctx; diff --git a/include/mbedtls/ssl_ticket.h b/include/mbedtls/ssl_ticket.h index a882eed23..871eec379 100644 --- a/include/mbedtls/ssl_ticket.h +++ b/include/mbedtls/ssl_ticket.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_SSL_TICKET_H #define MBEDTLS_SSL_TICKET_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -50,9 +51,9 @@ extern "C" { */ typedef struct mbedtls_ssl_ticket_key { - unsigned char name[4]; /*!< random key identifier */ - uint32_t generation_time; /*!< key generation timestamp (seconds) */ - mbedtls_cipher_context_t ctx; /*!< context for auth enc/decryption */ + unsigned char MBEDTLS_PRIVATE(name)[4]; /*!< random key identifier */ + uint32_t MBEDTLS_PRIVATE(generation_time); /*!< key generation timestamp (seconds) */ + mbedtls_cipher_context_t MBEDTLS_PRIVATE(ctx); /*!< context for auth enc/decryption */ } mbedtls_ssl_ticket_key; @@ -61,17 +62,17 @@ mbedtls_ssl_ticket_key; */ typedef struct mbedtls_ssl_ticket_context { - mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys */ - unsigned char active; /*!< index of the currently active key */ + mbedtls_ssl_ticket_key MBEDTLS_PRIVATE(keys)[2]; /*!< ticket protection keys */ + unsigned char MBEDTLS_PRIVATE(active); /*!< index of the currently active key */ - uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */ + uint32_t MBEDTLS_PRIVATE(ticket_lifetime); /*!< lifetime of tickets in seconds */ /** Callback for getting (pseudo-)random numbers */ - int (*f_rng)(void *, unsigned char *, size_t); - void *p_rng; /*!< context for the RNG function */ + int (*MBEDTLS_PRIVATE(f_rng))(void *, unsigned char *, size_t); + void *MBEDTLS_PRIVATE(p_rng); /*!< context for the RNG function */ #if defined(MBEDTLS_THREADING_C) - mbedtls_threading_mutex_t mutex; + mbedtls_threading_mutex_t MBEDTLS_PRIVATE(mutex); #endif } mbedtls_ssl_ticket_context; diff --git a/include/mbedtls/threading.h b/include/mbedtls/threading.h index 1047f8f35..fae96c2d0 100644 --- a/include/mbedtls/threading.h +++ b/include/mbedtls/threading.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_THREADING_H #define MBEDTLS_THREADING_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -41,11 +42,11 @@ extern "C" { #include typedef struct mbedtls_threading_mutex_t { - pthread_mutex_t mutex; + pthread_mutex_t MBEDTLS_PRIVATE(mutex); /* is_valid is 0 after a failed init or a free, and nonzero after a * successful init. This field is not considered part of the public * API of Mbed TLS and may change without notice. */ - char is_valid; + char MBEDTLS_PRIVATE(is_valid); } mbedtls_threading_mutex_t; #endif diff --git a/include/mbedtls/timing.h b/include/mbedtls/timing.h index b7290cfca..9a8b1e011 100644 --- a/include/mbedtls/timing.h +++ b/include/mbedtls/timing.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_TIMING_H #define MBEDTLS_TIMING_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -43,7 +44,7 @@ extern "C" { */ struct mbedtls_timing_hr_time { - unsigned char opaque[32]; + unsigned char MBEDTLS_PRIVATE(opaque)[32]; }; /** @@ -52,8 +53,8 @@ struct mbedtls_timing_hr_time typedef struct mbedtls_timing_delay_context { struct mbedtls_timing_hr_time timer; - uint32_t int_ms; - uint32_t fin_ms; + uint32_t MBEDTLS_PRIVATE(int_ms); + uint32_t MBEDTLS_PRIVATE(fin_ms); } mbedtls_timing_delay_context; #else /* MBEDTLS_TIMING_ALT */ diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index 3091de1d1..b7a969a3b 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_X509_H #define MBEDTLS_X509_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -229,8 +230,8 @@ typedef mbedtls_asn1_sequence mbedtls_x509_sequence; /** Container for date and time (precision in seconds). */ typedef struct mbedtls_x509_time { - int year, mon, day; /**< Date. */ - int hour, min, sec; /**< Time. */ + int MBEDTLS_PRIVATE(year), MBEDTLS_PRIVATE(mon), MBEDTLS_PRIVATE(day); /**< Date. */ + int MBEDTLS_PRIVATE(hour), MBEDTLS_PRIVATE(min), MBEDTLS_PRIVATE(sec); /**< Time. */ } mbedtls_x509_time; diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h index fcaa1495d..440da1216 100644 --- a/include/mbedtls/x509_crl.h +++ b/include/mbedtls/x509_crl.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_X509_CRL_H #define MBEDTLS_X509_CRL_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -49,15 +50,15 @@ extern "C" { */ typedef struct mbedtls_x509_crl_entry { - mbedtls_x509_buf raw; + mbedtls_x509_buf MBEDTLS_PRIVATE(raw); - mbedtls_x509_buf serial; + mbedtls_x509_buf MBEDTLS_PRIVATE(serial); - mbedtls_x509_time revocation_date; + mbedtls_x509_time MBEDTLS_PRIVATE(revocation_date); - mbedtls_x509_buf entry_ext; + mbedtls_x509_buf MBEDTLS_PRIVATE(entry_ext); - struct mbedtls_x509_crl_entry *next; + struct mbedtls_x509_crl_entry *MBEDTLS_PRIVATE(next); } mbedtls_x509_crl_entry; @@ -67,30 +68,30 @@ mbedtls_x509_crl_entry; */ typedef struct mbedtls_x509_crl { - mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ - mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */ - int version; /**< CRL version (1=v1, 2=v2) */ - mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */ + int MBEDTLS_PRIVATE(version); /**< CRL version (1=v1, 2=v2) */ + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< CRL signature type identifier */ - mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). */ - mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ + mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */ - mbedtls_x509_time this_update; - mbedtls_x509_time next_update; + mbedtls_x509_time MBEDTLS_PRIVATE(this_update); + mbedtls_x509_time MBEDTLS_PRIVATE(next_update); - mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */ + mbedtls_x509_crl_entry MBEDTLS_PRIVATE(entry); /**< The CRL entries containing the certificate revocation times for this CA. */ - mbedtls_x509_buf crl_ext; + mbedtls_x509_buf MBEDTLS_PRIVATE(crl_ext); - mbedtls_x509_buf sig_oid2; - mbedtls_x509_buf sig; - mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ - void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ + mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ - struct mbedtls_x509_crl *next; + struct mbedtls_x509_crl *MBEDTLS_PRIVATE(next); } mbedtls_x509_crl; diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 23a20d10b..015962c7c 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_X509_CRT_H #define MBEDTLS_X509_CRT_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -51,50 +52,50 @@ extern "C" { */ typedef struct mbedtls_x509_crt { - int own_buffer; /**< Indicates if \c raw is owned + int MBEDTLS_PRIVATE(own_buffer); /**< Indicates if \c raw is owned * by the structure or not. */ - mbedtls_x509_buf raw; /**< The raw certificate data (DER). */ - mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw certificate data (DER). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(tbs); /**< The raw certificate body (DER). The part that is To Be Signed. */ - int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ - mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */ - mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */ + int MBEDTLS_PRIVATE(version); /**< The X.509 version. (1=v1, 2=v2, 3=v3) */ + mbedtls_x509_buf MBEDTLS_PRIVATE(serial); /**< Unique id for certificate issued by a specific CA. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); /**< Signature algorithm, e.g. sha1RSA */ - mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */ - mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_raw); /**< The raw issuer data (DER). Used for quick comparison. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). Used for quick comparison. */ - mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */ - mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ + mbedtls_x509_name MBEDTLS_PRIVATE(issuer); /**< The parsed issuer data (named information object). */ + mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */ - mbedtls_x509_time valid_from; /**< Start time of certificate validity. */ - mbedtls_x509_time valid_to; /**< End time of certificate validity. */ + mbedtls_x509_time MBEDTLS_PRIVATE(valid_from); /**< Start time of certificate validity. */ + mbedtls_x509_time MBEDTLS_PRIVATE(valid_to); /**< End time of certificate validity. */ - mbedtls_x509_buf pk_raw; - mbedtls_pk_context pk; /**< Container for the public key context. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(pk_raw); + mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */ - mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */ - mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ - mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ - mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(issuer_id); /**< Optional X.509 v2/v3 issuer unique identifier. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(subject_id); /**< Optional X.509 v2/v3 subject unique identifier. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(v3_ext); /**< Optional X.509 v3 extensions. */ + mbedtls_x509_sequence MBEDTLS_PRIVATE(subject_alt_names); /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */ - mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */ + mbedtls_x509_sequence MBEDTLS_PRIVATE(certificate_policies); /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */ - int ext_types; /**< Bit string containing detected and parsed extensions */ - int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ - int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ + int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */ + int MBEDTLS_PRIVATE(ca_istrue); /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ + int MBEDTLS_PRIVATE(max_pathlen); /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */ - unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */ + unsigned int MBEDTLS_PRIVATE(key_usage); /**< Optional key usage extension value: See the values in x509.h */ - mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */ + mbedtls_x509_sequence MBEDTLS_PRIVATE(ext_key_usage); /**< Optional list of extended key usage OIDs. */ - unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */ + unsigned char MBEDTLS_PRIVATE(ns_cert_type); /**< Optional Netscape certificate type extension value: See the values in x509.h */ - mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */ - mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ - void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ + mbedtls_x509_buf MBEDTLS_PRIVATE(sig); /**< Signature: hash of the tbs part signed with the private key. */ + mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ + mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ - struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */ + struct mbedtls_x509_crt *MBEDTLS_PRIVATE(next); /**< Next certificate in the CA-chain. */ } mbedtls_x509_crt; @@ -111,7 +112,7 @@ typedef struct mbedtls_x509_san_other_name * To check the value of the type id, you should use * \p MBEDTLS_OID_CMP with a known OID mbedtls_x509_buf. */ - mbedtls_x509_buf type_id; /**< The type id. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(type_id); /**< The type id. */ union { /** @@ -122,12 +123,12 @@ typedef struct mbedtls_x509_san_other_name */ struct { - mbedtls_x509_buf oid; /**< The object identifier. */ - mbedtls_x509_buf val; /**< The named value. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(oid); /**< The object identifier. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(val); /**< The named value. */ } - hardware_module_name; + MBEDTLS_PRIVATE(hardware_module_name); } - value; + MBEDTLS_PRIVATE(value); } mbedtls_x509_san_other_name; @@ -136,12 +137,12 @@ mbedtls_x509_san_other_name; */ typedef struct mbedtls_x509_subject_alternative_name { - int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ + int MBEDTLS_PRIVATE(type); /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */ union { - mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */ - mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */ + mbedtls_x509_san_other_name MBEDTLS_PRIVATE(other_name); /**< The otherName supported type. */ + mbedtls_x509_buf MBEDTLS_PRIVATE(unstructured_name); /**< The buffer for the un constructed types. Only dnsName currently supported */ } - san; /**< A union of the supported SAN types */ + MBEDTLS_PRIVATE(san); /**< A union of the supported SAN types */ } mbedtls_x509_subject_alternative_name; @@ -158,10 +159,10 @@ mbedtls_x509_subject_alternative_name; */ typedef struct mbedtls_x509_crt_profile { - uint32_t allowed_mds; /**< MDs for signatures */ - uint32_t allowed_pks; /**< PK algs for signatures */ - uint32_t allowed_curves; /**< Elliptic curves for ECDSA */ - uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */ + uint32_t MBEDTLS_PRIVATE(allowed_mds); /**< MDs for signatures */ + uint32_t MBEDTLS_PRIVATE(allowed_pks); /**< PK algs for signatures */ + uint32_t MBEDTLS_PRIVATE(allowed_curves); /**< Elliptic curves for ECDSA */ + uint32_t MBEDTLS_PRIVATE(rsa_min_bitlen); /**< Minimum size for RSA keys */ } mbedtls_x509_crt_profile; @@ -249,16 +250,16 @@ mbedtls_x509_crt_profile; */ typedef struct mbedtls_x509write_cert { - int version; - mbedtls_mpi serial; - mbedtls_pk_context *subject_key; - mbedtls_pk_context *issuer_key; - mbedtls_asn1_named_data *subject; - mbedtls_asn1_named_data *issuer; - mbedtls_md_type_t md_alg; - char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; - char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; - mbedtls_asn1_named_data *extensions; + int MBEDTLS_PRIVATE(version); + mbedtls_mpi MBEDTLS_PRIVATE(serial); + mbedtls_pk_context *MBEDTLS_PRIVATE(subject_key); + mbedtls_pk_context *MBEDTLS_PRIVATE(issuer_key); + mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject); + mbedtls_asn1_named_data *MBEDTLS_PRIVATE(issuer); + mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); + char MBEDTLS_PRIVATE(not_before)[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; + char MBEDTLS_PRIVATE(not_after)[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1]; + mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions); } mbedtls_x509write_cert; @@ -266,8 +267,8 @@ mbedtls_x509write_cert; * Item in a verification chain: cert and flags for it */ typedef struct { - mbedtls_x509_crt *crt; - uint32_t flags; + mbedtls_x509_crt *MBEDTLS_PRIVATE(crt); + uint32_t MBEDTLS_PRIVATE(flags); } mbedtls_x509_crt_verify_chain_item; /** @@ -280,15 +281,15 @@ typedef struct { */ typedef struct { - mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE]; - unsigned len; + mbedtls_x509_crt_verify_chain_item MBEDTLS_PRIVATE(items)[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE]; + unsigned MBEDTLS_PRIVATE(len); #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) /* This stores the list of potential trusted signers obtained from * the CA callback used for the CRT verification, if configured. * We must track it somewhere because the callback passes its * ownership to the caller. */ - mbedtls_x509_crt *trust_ca_cb_result; + mbedtls_x509_crt *MBEDTLS_PRIVATE(trust_ca_cb_result); #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ } mbedtls_x509_crt_verify_chain; diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index 07a371729..fa98394e8 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_X509_CSR_H #define MBEDTLS_X509_CSR_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -48,21 +49,21 @@ extern "C" { */ typedef struct mbedtls_x509_csr { - mbedtls_x509_buf raw; /**< The raw CSR data (DER). */ - mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(raw); /**< The raw CSR data (DER). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(cri); /**< The raw CertificateRequestInfo body (DER). */ - int version; /**< CSR version (1=v1). */ + int MBEDTLS_PRIVATE(version); /**< CSR version (1=v1). */ - mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */ - mbedtls_x509_name subject; /**< The parsed subject data (named information object). */ + mbedtls_x509_buf MBEDTLS_PRIVATE(subject_raw); /**< The raw subject data (DER). */ + mbedtls_x509_name MBEDTLS_PRIVATE(subject); /**< The parsed subject data (named information object). */ - mbedtls_pk_context pk; /**< Container for the public key context. */ + mbedtls_pk_context MBEDTLS_PRIVATE(pk); /**< Container for the public key context. */ - mbedtls_x509_buf sig_oid; - mbedtls_x509_buf sig; - mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ - void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ + mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid); + mbedtls_x509_buf MBEDTLS_PRIVATE(sig); + mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ + mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + void *MBEDTLS_PRIVATE(sig_opts); /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */ } mbedtls_x509_csr; @@ -71,10 +72,10 @@ mbedtls_x509_csr; */ typedef struct mbedtls_x509write_csr { - mbedtls_pk_context *key; - mbedtls_asn1_named_data *subject; - mbedtls_md_type_t md_alg; - mbedtls_asn1_named_data *extensions; + mbedtls_pk_context *MBEDTLS_PRIVATE(key); + mbedtls_asn1_named_data *MBEDTLS_PRIVATE(subject); + mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg); + mbedtls_asn1_named_data *MBEDTLS_PRIVATE(extensions); } mbedtls_x509write_csr; diff --git a/include/mbedtls/xtea.h b/include/mbedtls/xtea.h index 5ce2fe48c..72c998edf 100644 --- a/include/mbedtls/xtea.h +++ b/include/mbedtls/xtea.h @@ -21,6 +21,7 @@ */ #ifndef MBEDTLS_XTEA_H #define MBEDTLS_XTEA_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" @@ -49,7 +50,7 @@ extern "C" { */ typedef struct mbedtls_xtea_context { - uint32_t k[4]; /*!< key */ + uint32_t MBEDTLS_PRIVATE(k)[4]; /*!< key */ } mbedtls_xtea_context; diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 1d11b003e..b05660f7e 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -32,6 +32,7 @@ #ifndef PSA_CRYPTO_BUILTIN_COMPOSITES_H #define PSA_CRYPTO_BUILTIN_COMPOSITES_H +#include "mbedtls/private_access.h" #include @@ -47,11 +48,11 @@ typedef struct { /** The HMAC algorithm in use */ - psa_algorithm_t alg; + psa_algorithm_t MBEDTLS_PRIVATE(alg); /** The hash context. */ struct psa_hash_operation_s hash_ctx; /** The HMAC part of the context. */ - uint8_t opad[PSA_HMAC_MAX_HASH_BLOCK_SIZE]; + uint8_t MBEDTLS_PRIVATE(opad)[PSA_HMAC_MAX_HASH_BLOCK_SIZE]; } mbedtls_psa_hmac_operation_t; #define MBEDTLS_PSA_HMAC_OPERATION_INIT {0, PSA_HASH_OPERATION_INIT, {0}} @@ -61,17 +62,17 @@ typedef struct typedef struct { - psa_algorithm_t alg; + psa_algorithm_t MBEDTLS_PRIVATE(alg); union { - unsigned dummy; /* Make the union non-empty even with no supported algorithms. */ + unsigned MBEDTLS_PRIVATE(dummy); /* Make the union non-empty even with no supported algorithms. */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(PSA_CRYPTO_DRIVER_TEST) - mbedtls_psa_hmac_operation_t hmac; + mbedtls_psa_hmac_operation_t MBEDTLS_PRIVATE(hmac); #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_CMAC) || defined(PSA_CRYPTO_DRIVER_TEST) - mbedtls_cipher_context_t cmac; + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cmac); #endif /* MBEDTLS_PSA_BUILTIN_ALG_CMAC */ - } ctx; + } MBEDTLS_PRIVATE(ctx); } mbedtls_psa_mac_operation_t; #define MBEDTLS_PSA_MAC_OPERATION_INIT {0, {0}} diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index 75801a178..674c7d060 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -32,6 +32,7 @@ #ifndef PSA_CRYPTO_BUILTIN_PRIMITIVES_H #define PSA_CRYPTO_BUILTIN_PRIMITIVES_H +#include "mbedtls/private_access.h" #include @@ -61,32 +62,32 @@ typedef struct { - psa_algorithm_t alg; + psa_algorithm_t MBEDTLS_PRIVATE(alg); union { - unsigned dummy; /* Make the union non-empty even with no supported algorithms. */ + unsigned MBEDTLS_PRIVATE(dummy); /* Make the union non-empty even with no supported algorithms. */ #if defined(MBEDTLS_MD2_C) - mbedtls_md2_context md2; + mbedtls_md2_context MBEDTLS_PRIVATE(md2); #endif #if defined(MBEDTLS_MD4_C) - mbedtls_md4_context md4; + mbedtls_md4_context MBEDTLS_PRIVATE(md4); #endif #if defined(MBEDTLS_MD5_C) - mbedtls_md5_context md5; + mbedtls_md5_context MBEDTLS_PRIVATE(md5); #endif #if defined(MBEDTLS_RIPEMD160_C) - mbedtls_ripemd160_context ripemd160; + mbedtls_ripemd160_context MBEDTLS_PRIVATE(ripemd160); #endif #if defined(MBEDTLS_SHA1_C) - mbedtls_sha1_context sha1; + mbedtls_sha1_context MBEDTLS_PRIVATE(sha1); #endif #if defined(MBEDTLS_SHA256_C) - mbedtls_sha256_context sha256; + mbedtls_sha256_context MBEDTLS_PRIVATE(sha256); #endif #if defined(MBEDTLS_SHA512_C) - mbedtls_sha512_context sha512; + mbedtls_sha512_context MBEDTLS_PRIVATE(sha512); #endif - } ctx; + } MBEDTLS_PRIVATE(ctx); } mbedtls_psa_hash_operation_t; #define MBEDTLS_PSA_HASH_OPERATION_INIT {0, {0}} @@ -110,10 +111,10 @@ typedef struct typedef struct { /* Context structure for the Mbed TLS cipher implementation. */ - psa_algorithm_t alg; - uint8_t iv_length; - uint8_t block_length; - mbedtls_cipher_context_t cipher; + psa_algorithm_t MBEDTLS_PRIVATE(alg); + uint8_t MBEDTLS_PRIVATE(iv_length); + uint8_t MBEDTLS_PRIVATE(block_length); + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher); } mbedtls_psa_cipher_operation_t; #define MBEDTLS_PSA_CIPHER_OPERATION_INIT {0, 0, 0, {0}} diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index a7b4ab599..3611c4136 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -27,6 +27,7 @@ #ifndef PSA_CRYPTO_EXTRA_H #define PSA_CRYPTO_EXTRA_H +#include "mbedtls/private_access.h" #include "mbedtls/platform_util.h" @@ -71,7 +72,7 @@ static inline void psa_set_key_enrollment_algorithm( psa_key_attributes_t *attributes, psa_algorithm_t alg2) { - attributes->core.policy.alg2 = alg2; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) = alg2; } /** Retrieve the enrollment algorithm policy from key attributes. @@ -83,7 +84,7 @@ static inline void psa_set_key_enrollment_algorithm( static inline psa_algorithm_t psa_get_key_enrollment_algorithm( const psa_key_attributes_t *attributes) { - return( attributes->core.policy.alg2 ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg2) ); } #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -141,8 +142,8 @@ static inline void psa_set_key_slot_number( psa_key_attributes_t *attributes, psa_key_slot_number_t slot_number ) { - attributes->core.flags |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; - attributes->slot_number = slot_number; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) |= MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; + attributes->MBEDTLS_PRIVATE(slot_number) = slot_number; } /** Remove the slot number attribute from a key attribute structure. @@ -154,7 +155,7 @@ static inline void psa_set_key_slot_number( static inline void psa_clear_key_slot_number( psa_key_attributes_t *attributes ) { - attributes->core.flags &= ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(flags) &= ~MBEDTLS_PSA_KA_FLAG_HAS_SLOT_NUMBER; } /** Register a key that is already present in a secure element. @@ -226,26 +227,26 @@ void mbedtls_psa_crypto_free( void ); typedef struct mbedtls_psa_stats_s { /** Number of slots containing key material for a volatile key. */ - size_t volatile_slots; + size_t MBEDTLS_PRIVATE(volatile_slots); /** Number of slots containing key material for a key which is in * internal persistent storage. */ - size_t persistent_slots; + size_t MBEDTLS_PRIVATE(persistent_slots); /** Number of slots containing a reference to a key in a * secure element. */ - size_t external_slots; + size_t MBEDTLS_PRIVATE(external_slots); /** Number of slots which are occupied, but do not contain * key material yet. */ - size_t half_filled_slots; + size_t MBEDTLS_PRIVATE(half_filled_slots); /** Number of slots that contain cache data. */ - size_t cache_slots; + size_t MBEDTLS_PRIVATE(cache_slots); /** Number of slots that are not used for anything. */ - size_t empty_slots; + size_t MBEDTLS_PRIVATE(empty_slots); /** Number of slots that are locked. */ - size_t locked_slots; + size_t MBEDTLS_PRIVATE(locked_slots); /** Largest key id value among open keys in internal persistent storage. */ - psa_key_id_t max_open_internal_key_id; + psa_key_id_t MBEDTLS_PRIVATE(max_open_internal_key_id); /** Largest key id value among open keys in secure elements. */ - psa_key_id_t max_open_external_key_id; + psa_key_id_t MBEDTLS_PRIVATE(max_open_external_key_id); } mbedtls_psa_stats_t; /** \brief Get statistics about diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h index 1dc8f9b5c..91a6d0bee 100644 --- a/include/psa/crypto_se_driver.h +++ b/include/psa/crypto_se_driver.h @@ -33,6 +33,7 @@ */ #ifndef PSA_CRYPTO_SE_DRIVER_H #define PSA_CRYPTO_SE_DRIVER_H +#include "mbedtls/private_access.h" #include "crypto_driver_common.h" @@ -97,21 +98,21 @@ typedef struct { * - psa_destroy_key() causes a call to * psa_drv_se_key_management_t::p_destroy. */ - const void *const persistent_data; + const void *const MBEDTLS_PRIVATE(persistent_data); /** The size of \c persistent_data in bytes. * * This is always equal to the value of the `persistent_data_size` field * of the ::psa_drv_se_t structure when the driver is registered. */ - const size_t persistent_data_size; + const size_t MBEDTLS_PRIVATE(persistent_data_size); /** Driver transient data. * * The core initializes this value to 0 and does not read or modify it * afterwards. The driver may store whatever it wants in this field. */ - uintptr_t transient_data; + uintptr_t MBEDTLS_PRIVATE(transient_data); } psa_drv_se_context_t; /** \brief A driver initialization function. @@ -323,28 +324,28 @@ typedef struct { /**The size in bytes of the hardware-specific secure element MAC context * structure */ - size_t context_size; + size_t MBEDTLS_PRIVATE(context_size); /** Function that performs a MAC setup operation */ - psa_drv_se_mac_setup_t p_setup; + psa_drv_se_mac_setup_t MBEDTLS_PRIVATE(p_setup); /** Function that performs a MAC update operation */ - psa_drv_se_mac_update_t p_update; + psa_drv_se_mac_update_t MBEDTLS_PRIVATE(p_update); /** Function that completes a MAC operation */ - psa_drv_se_mac_finish_t p_finish; + psa_drv_se_mac_finish_t MBEDTLS_PRIVATE(p_finish); /** Function that completes a MAC operation with a verify check */ - psa_drv_se_mac_finish_verify_t p_finish_verify; + psa_drv_se_mac_finish_verify_t MBEDTLS_PRIVATE(p_finish_verify); /** Function that aborts a previoustly started MAC operation */ - psa_drv_se_mac_abort_t p_abort; + psa_drv_se_mac_abort_t MBEDTLS_PRIVATE(p_abort); /** Function that performs a MAC operation in one call */ - psa_drv_se_mac_generate_t p_mac; + psa_drv_se_mac_generate_t MBEDTLS_PRIVATE(p_mac); /** Function that performs a MAC and verify operation in one call */ - psa_drv_se_mac_verify_t p_mac_verify; + psa_drv_se_mac_verify_t MBEDTLS_PRIVATE(p_mac_verify); } psa_drv_se_mac_t; /**@}*/ @@ -510,22 +511,22 @@ typedef struct { /** The size in bytes of the hardware-specific secure element cipher * context structure */ - size_t context_size; + size_t MBEDTLS_PRIVATE(context_size); /** Function that performs a cipher setup operation */ - psa_drv_se_cipher_setup_t p_setup; + psa_drv_se_cipher_setup_t MBEDTLS_PRIVATE(p_setup); /** Function that sets a cipher IV (if necessary) */ - psa_drv_se_cipher_set_iv_t p_set_iv; + psa_drv_se_cipher_set_iv_t MBEDTLS_PRIVATE(p_set_iv); /** Function that performs a cipher update operation */ - psa_drv_se_cipher_update_t p_update; + psa_drv_se_cipher_update_t MBEDTLS_PRIVATE(p_update); /** Function that completes a cipher operation */ - psa_drv_se_cipher_finish_t p_finish; + psa_drv_se_cipher_finish_t MBEDTLS_PRIVATE(p_finish); /** Function that aborts a cipher operation */ - psa_drv_se_cipher_abort_t p_abort; + psa_drv_se_cipher_abort_t MBEDTLS_PRIVATE(p_abort); /** Function that performs ECB mode for a cipher operation * (Danger: ECB mode should not be used directly by clients of the PSA * Crypto Client API) */ - psa_drv_se_cipher_ecb_t p_ecb; + psa_drv_se_cipher_ecb_t MBEDTLS_PRIVATE(p_ecb); } psa_drv_se_cipher_t; /**@}*/ @@ -681,13 +682,13 @@ typedef psa_status_t (*psa_drv_se_asymmetric_decrypt_t)(psa_drv_se_context_t *dr */ typedef struct { /** Function that performs an asymmetric sign operation */ - psa_drv_se_asymmetric_sign_t p_sign; + psa_drv_se_asymmetric_sign_t MBEDTLS_PRIVATE(p_sign); /** Function that performs an asymmetric verify operation */ - psa_drv_se_asymmetric_verify_t p_verify; + psa_drv_se_asymmetric_verify_t MBEDTLS_PRIVATE(p_verify); /** Function that performs an asymmetric encrypt operation */ - psa_drv_se_asymmetric_encrypt_t p_encrypt; + psa_drv_se_asymmetric_encrypt_t MBEDTLS_PRIVATE(p_encrypt); /** Function that performs an asymmetric decrypt operation */ - psa_drv_se_asymmetric_decrypt_t p_decrypt; + psa_drv_se_asymmetric_decrypt_t MBEDTLS_PRIVATE(p_decrypt); } psa_drv_se_asymmetric_t; /**@}*/ @@ -798,9 +799,9 @@ typedef psa_status_t (*psa_drv_se_aead_decrypt_t)(psa_drv_se_context_t *drv_cont */ typedef struct { /** Function that performs the AEAD encrypt operation */ - psa_drv_se_aead_encrypt_t p_encrypt; + psa_drv_se_aead_encrypt_t MBEDTLS_PRIVATE(p_encrypt); /** Function that performs the AEAD decrypt operation */ - psa_drv_se_aead_decrypt_t p_decrypt; + psa_drv_se_aead_decrypt_t MBEDTLS_PRIVATE(p_decrypt); } psa_drv_se_aead_t; /**@}*/ @@ -1120,19 +1121,19 @@ typedef psa_status_t (*psa_drv_se_generate_key_t)( */ typedef struct { /** Function that allocates a slot for a key. */ - psa_drv_se_allocate_key_t p_allocate; + psa_drv_se_allocate_key_t MBEDTLS_PRIVATE(p_allocate); /** Function that checks the validity of a slot for a key. */ - psa_drv_se_validate_slot_number_t p_validate_slot_number; + psa_drv_se_validate_slot_number_t MBEDTLS_PRIVATE(p_validate_slot_number); /** Function that performs a key import operation */ - psa_drv_se_import_key_t p_import; + psa_drv_se_import_key_t MBEDTLS_PRIVATE(p_import); /** Function that performs a generation */ - psa_drv_se_generate_key_t p_generate; + psa_drv_se_generate_key_t MBEDTLS_PRIVATE(p_generate); /** Function that performs a key destroy operation */ - psa_drv_se_destroy_key_t p_destroy; + psa_drv_se_destroy_key_t MBEDTLS_PRIVATE(p_destroy); /** Function that performs a key export operation */ - psa_drv_se_export_key_t p_export; + psa_drv_se_export_key_t MBEDTLS_PRIVATE(p_export); /** Function that performs a public key export operation */ - psa_drv_se_export_key_t p_export_public; + psa_drv_se_export_key_t MBEDTLS_PRIVATE(p_export_public); } psa_drv_se_key_management_t; /**@}*/ @@ -1263,16 +1264,16 @@ typedef psa_status_t (*psa_drv_se_key_derivation_export_t)(void *op_context, */ typedef struct { /** The driver-specific size of the key derivation context */ - size_t context_size; + size_t MBEDTLS_PRIVATE(context_size); /** Function that performs a key derivation setup */ - psa_drv_se_key_derivation_setup_t p_setup; + psa_drv_se_key_derivation_setup_t MBEDTLS_PRIVATE(p_setup); /** Function that sets key derivation collateral */ - psa_drv_se_key_derivation_collateral_t p_collateral; + psa_drv_se_key_derivation_collateral_t MBEDTLS_PRIVATE(p_collateral); /** Function that performs a final key derivation step */ - psa_drv_se_key_derivation_derive_t p_derive; + psa_drv_se_key_derivation_derive_t MBEDTLS_PRIVATE(p_derive); /** Function that perforsm a final key derivation or agreement and * exports the key */ - psa_drv_se_key_derivation_export_t p_export; + psa_drv_se_key_derivation_export_t MBEDTLS_PRIVATE(p_export); } psa_drv_se_key_derivation_t; /**@}*/ @@ -1293,7 +1294,7 @@ typedef struct { * a different version of this specification. * Use #PSA_DRV_SE_HAL_VERSION. */ - uint32_t hal_version; + uint32_t MBEDTLS_PRIVATE(hal_version); /** The size of the driver's persistent data in bytes. * @@ -1303,7 +1304,7 @@ typedef struct { * for more information about why and how a driver can use * persistent data. */ - size_t persistent_data_size; + size_t MBEDTLS_PRIVATE(persistent_data_size); /** The driver initialization function. * @@ -1315,14 +1316,14 @@ typedef struct { * If this field is \c NULL, it is equivalent to a function that does * nothing and returns #PSA_SUCCESS. */ - psa_drv_se_init_t p_init; + psa_drv_se_init_t MBEDTLS_PRIVATE(p_init); - const psa_drv_se_key_management_t *key_management; - const psa_drv_se_mac_t *mac; - const psa_drv_se_cipher_t *cipher; - const psa_drv_se_aead_t *aead; - const psa_drv_se_asymmetric_t *asymmetric; - const psa_drv_se_key_derivation_t *derivation; + const psa_drv_se_key_management_t *MBEDTLS_PRIVATE(key_management); + const psa_drv_se_mac_t *MBEDTLS_PRIVATE(mac); + const psa_drv_se_cipher_t *MBEDTLS_PRIVATE(cipher); + const psa_drv_se_aead_t *MBEDTLS_PRIVATE(aead); + const psa_drv_se_asymmetric_t *MBEDTLS_PRIVATE(asymmetric); + const psa_drv_se_key_derivation_t *MBEDTLS_PRIVATE(derivation); } psa_drv_se_t; /** The current version of the secure element driver HAL. diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 47012fdd0..b07ced8bd 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -60,6 +60,7 @@ #ifndef PSA_CRYPTO_STRUCT_H #define PSA_CRYPTO_STRUCT_H +#include "mbedtls/private_access.h" #ifdef __cplusplus extern "C" { @@ -88,8 +89,8 @@ struct psa_hash_operation_s * ID values are auto-generated in psa_driver_wrappers.h. * ID value zero means the context is not valid or not assigned to * any driver (i.e. the driver context is not active, in use). */ - unsigned int id; - psa_driver_hash_context_t ctx; + unsigned int MBEDTLS_PRIVATE(id); + psa_driver_hash_context_t MBEDTLS_PRIVATE(ctx); }; #define PSA_HASH_OPERATION_INIT {0, {0}} @@ -107,14 +108,14 @@ struct psa_cipher_operation_s * ID values are auto-generated in psa_crypto_driver_wrappers.h * ID value zero means the context is not valid or not assigned to * any driver (i.e. none of the driver contexts are active). */ - unsigned int id; + unsigned int MBEDTLS_PRIVATE(id); - unsigned int iv_required : 1; - unsigned int iv_set : 1; + unsigned int MBEDTLS_PRIVATE(iv_required) : 1; + unsigned int MBEDTLS_PRIVATE(iv_set) : 1; - uint8_t default_iv_length; + uint8_t MBEDTLS_PRIVATE(default_iv_length); - psa_driver_cipher_context_t ctx; + psa_driver_cipher_context_t MBEDTLS_PRIVATE(ctx); }; #define PSA_CIPHER_OPERATION_INIT {0, 0, 0, 0, {0}} @@ -136,10 +137,10 @@ struct psa_mac_operation_s * ID values are auto-generated in psa_driver_wrappers.h * ID value zero means the context is not valid or not assigned to * any driver (i.e. none of the driver contexts are active). */ - unsigned int id; - uint8_t mac_size; - unsigned int is_sign : 1; - psa_driver_mac_context_t ctx; + unsigned int MBEDTLS_PRIVATE(id); + uint8_t MBEDTLS_PRIVATE(mac_size); + unsigned int MBEDTLS_PRIVATE(is_sign) : 1; + psa_driver_mac_context_t MBEDTLS_PRIVATE(ctx); }; #define PSA_MAC_OPERATION_INIT {0, 0, 0, {0}} @@ -151,16 +152,16 @@ static inline struct psa_mac_operation_s psa_mac_operation_init( void ) struct psa_aead_operation_s { - psa_algorithm_t alg; - unsigned int key_set : 1; - unsigned int iv_set : 1; - uint8_t iv_size; - uint8_t block_size; + psa_algorithm_t MBEDTLS_PRIVATE(alg); + unsigned int MBEDTLS_PRIVATE(key_set) : 1; + unsigned int MBEDTLS_PRIVATE(iv_set) : 1; + uint8_t MBEDTLS_PRIVATE(iv_size); + uint8_t MBEDTLS_PRIVATE(block_size); union { - unsigned dummy; /* Enable easier initializing of the union. */ - mbedtls_cipher_context_t cipher; - } ctx; + unsigned MBEDTLS_PRIVATE(dummy); /* Enable easier initializing of the union. */ + mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher); + } MBEDTLS_PRIVATE(ctx); }; #define PSA_AEAD_OPERATION_INIT {0, 0, 0, 0, 0, {0}} @@ -173,18 +174,18 @@ static inline struct psa_aead_operation_s psa_aead_operation_init( void ) #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) typedef struct { - uint8_t *info; - size_t info_length; - psa_mac_operation_t hmac; - uint8_t prk[PSA_HASH_MAX_SIZE]; - uint8_t output_block[PSA_HASH_MAX_SIZE]; + uint8_t *MBEDTLS_PRIVATE(info); + size_t MBEDTLS_PRIVATE(info_length); + psa_mac_operation_t MBEDTLS_PRIVATE(hmac); + uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE]; + uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; #if PSA_HASH_MAX_SIZE > 0xff #error "PSA_HASH_MAX_SIZE does not fit in uint8_t" #endif - uint8_t offset_in_block; - uint8_t block_number; - unsigned int state : 2; - unsigned int info_set : 1; + uint8_t MBEDTLS_PRIVATE(offset_in_block); + uint8_t MBEDTLS_PRIVATE(block_number); + unsigned int MBEDTLS_PRIVATE(state) : 2; + unsigned int MBEDTLS_PRIVATE(info_set) : 1; } psa_hkdf_key_derivation_t; #endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */ @@ -207,45 +208,45 @@ typedef struct psa_tls12_prf_key_derivation_s /* Indicates how many bytes in the current HMAC block have * not yet been read by the user. */ - uint8_t left_in_block; + uint8_t MBEDTLS_PRIVATE(left_in_block); /* The 1-based number of the block. */ - uint8_t block_number; + uint8_t MBEDTLS_PRIVATE(block_number); - psa_tls12_prf_key_derivation_state_t state; + psa_tls12_prf_key_derivation_state_t MBEDTLS_PRIVATE(state); - uint8_t *secret; - size_t secret_length; - uint8_t *seed; - size_t seed_length; - uint8_t *label; - size_t label_length; + uint8_t *MBEDTLS_PRIVATE(secret); + size_t MBEDTLS_PRIVATE(secret_length); + uint8_t *MBEDTLS_PRIVATE(seed); + size_t MBEDTLS_PRIVATE(seed_length); + uint8_t *MBEDTLS_PRIVATE(label); + size_t MBEDTLS_PRIVATE(label_length); - uint8_t Ai[PSA_HASH_MAX_SIZE]; + uint8_t MBEDTLS_PRIVATE(Ai)[PSA_HASH_MAX_SIZE]; /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */ - uint8_t output_block[PSA_HASH_MAX_SIZE]; + uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; } psa_tls12_prf_key_derivation_t; #endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ struct psa_key_derivation_s { - psa_algorithm_t alg; - unsigned int can_output_key : 1; - size_t capacity; + psa_algorithm_t MBEDTLS_PRIVATE(alg); + unsigned int MBEDTLS_PRIVATE(can_output_key) : 1; + size_t MBEDTLS_PRIVATE(capacity); union { /* Make the union non-empty even with no supported algorithms. */ - uint8_t dummy; + uint8_t MBEDTLS_PRIVATE(dummy); #if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) - psa_hkdf_key_derivation_t hkdf; + psa_hkdf_key_derivation_t MBEDTLS_PRIVATE(hkdf); #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) - psa_tls12_prf_key_derivation_t tls12_prf; + psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf); #endif - } ctx; + } MBEDTLS_PRIVATE(ctx); }; /* This only zeroes out the first byte in the union, the rest is unspecified. */ @@ -258,9 +259,9 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init( voi struct psa_key_policy_s { - psa_key_usage_t usage; - psa_algorithm_t alg; - psa_algorithm_t alg2; + psa_key_usage_t MBEDTLS_PRIVATE(usage); + psa_algorithm_t MBEDTLS_PRIVATE(alg); + psa_algorithm_t MBEDTLS_PRIVATE(alg2); }; typedef struct psa_key_policy_s psa_key_policy_t; @@ -309,24 +310,24 @@ typedef uint16_t psa_key_attributes_flag_t; typedef struct { - psa_key_type_t type; - psa_key_bits_t bits; - psa_key_lifetime_t lifetime; - mbedtls_svc_key_id_t id; - psa_key_policy_t policy; - psa_key_attributes_flag_t flags; + psa_key_type_t MBEDTLS_PRIVATE(type); + psa_key_bits_t MBEDTLS_PRIVATE(bits); + psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime); + mbedtls_svc_key_id_t MBEDTLS_PRIVATE(id); + psa_key_policy_t MBEDTLS_PRIVATE(policy); + psa_key_attributes_flag_t MBEDTLS_PRIVATE(flags); } psa_core_key_attributes_t; #define PSA_CORE_KEY_ATTRIBUTES_INIT {PSA_KEY_TYPE_NONE, 0, PSA_KEY_LIFETIME_VOLATILE, MBEDTLS_SVC_KEY_ID_INIT, PSA_KEY_POLICY_INIT, 0} struct psa_key_attributes_s { - psa_core_key_attributes_t core; + psa_core_key_attributes_t MBEDTLS_PRIVATE(core); #if defined(MBEDTLS_PSA_CRYPTO_SE_C) - psa_key_slot_number_t slot_number; + psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number); #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - void *domain_parameters; - size_t domain_parameters_size; + void *MBEDTLS_PRIVATE(domain_parameters); + size_t MBEDTLS_PRIVATE(domain_parameters_size); }; #if defined(MBEDTLS_PSA_CRYPTO_SE_C) @@ -344,13 +345,13 @@ static inline struct psa_key_attributes_s psa_key_attributes_init( void ) static inline void psa_set_key_id( psa_key_attributes_t *attributes, mbedtls_svc_key_id_t key ) { - psa_key_lifetime_t lifetime = attributes->core.lifetime; + psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime) = attributes->MBEDTLS_PRIVATE(core).lifetime; - attributes->core.id = key; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = key; if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) { - attributes->core.lifetime = + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) = PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_LIFETIME_PERSISTENT, PSA_KEY_LIFETIME_GET_LOCATION( lifetime ) ); @@ -360,7 +361,7 @@ static inline void psa_set_key_id( psa_key_attributes_t *attributes, static inline mbedtls_svc_key_id_t psa_get_key_id( const psa_key_attributes_t *attributes) { - return( attributes->core.id ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) ); } #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER @@ -374,13 +375,13 @@ static inline void mbedtls_set_key_owner_id( psa_key_attributes_t *attributes, static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, psa_key_lifetime_t lifetime) { - attributes->core.lifetime = lifetime; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) = lifetime; if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) { #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - attributes->core.id.key_id = 0; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).key_id = 0; #else - attributes->core.id = 0; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = 0; #endif } } @@ -388,31 +389,31 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, static inline psa_key_lifetime_t psa_get_key_lifetime( const psa_key_attributes_t *attributes) { - return( attributes->core.lifetime ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime) ); } static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes, psa_key_usage_t usage_flags) { - attributes->core.policy.usage = usage_flags; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) = usage_flags; } static inline psa_key_usage_t psa_get_key_usage_flags( const psa_key_attributes_t *attributes) { - return( attributes->core.policy.usage ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(usage) ); } static inline void psa_set_key_algorithm(psa_key_attributes_t *attributes, psa_algorithm_t alg) { - attributes->core.policy.alg = alg; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) = alg; } static inline psa_algorithm_t psa_get_key_algorithm( const psa_key_attributes_t *attributes) { - return( attributes->core.policy.alg ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(policy).MBEDTLS_PRIVATE(alg) ); } /* This function is declared in crypto_extra.h, which comes after this @@ -425,10 +426,10 @@ psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes, static inline void psa_set_key_type(psa_key_attributes_t *attributes, psa_key_type_t type) { - if( attributes->domain_parameters == NULL ) + if( attributes->MBEDTLS_PRIVATE(domain_parameters) == NULL ) { /* Common case: quick path */ - attributes->core.type = type; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) = type; } else { @@ -443,22 +444,22 @@ static inline void psa_set_key_type(psa_key_attributes_t *attributes, static inline psa_key_type_t psa_get_key_type( const psa_key_attributes_t *attributes) { - return( attributes->core.type ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(type) ); } static inline void psa_set_key_bits(psa_key_attributes_t *attributes, size_t bits) { if( bits > PSA_MAX_KEY_BITS ) - attributes->core.bits = PSA_KEY_BITS_TOO_LARGE; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = PSA_KEY_BITS_TOO_LARGE; else - attributes->core.bits = (psa_key_bits_t) bits; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) = (psa_key_bits_t) bits; } static inline size_t psa_get_key_bits( const psa_key_attributes_t *attributes) { - return( attributes->core.bits ); + return( attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits) ); } #ifdef __cplusplus From 88fa17d1e9fc312d848aad38f2411413a288f722 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 19 May 2021 17:32:14 +0200 Subject: [PATCH 04/22] Add missing 'common.h' include. Signed-off-by: Mateusz Starzyk --- library/psa_crypto_storage.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index 773d3aaaf..0ef041d18 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c @@ -18,6 +18,8 @@ * limitations under the License. */ +#include "common.h" + #if defined(MBEDTLS_CONFIG_FILE) #include MBEDTLS_CONFIG_FILE #else From 363eb29d4b94c000c0215dc1bdcf89c85ab89627 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 19 May 2021 17:32:44 +0200 Subject: [PATCH 05/22] Fix MBEDTLS_PRIVATE wrapping in the library's headers. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ecdh.h | 26 +++++++++++++------------- include/mbedtls/ecdsa.h | 8 ++++---- include/mbedtls/ecp.h | 8 ++++---- include/mbedtls/pk.h | 8 ++++---- include/mbedtls/ssl_ciphersuites.h | 20 ++++++++++---------- include/mbedtls/x509_crt.h | 16 ++++++++-------- include/psa/crypto_struct.h | 6 +++--- include/psa/crypto_types.h | 5 +++-- include/psa/crypto_values.h | 11 ++++++----- 9 files changed, 55 insertions(+), 53 deletions(-) diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 874b4ee12..af4b273bf 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -84,13 +84,13 @@ typedef enum */ typedef struct mbedtls_ecdh_context_mbed { - mbedtls_ecp_group grp; /*!< The elliptic curve used. */ - mbedtls_mpi d; /*!< The private key. */ - mbedtls_ecp_point Q; /*!< The public key. */ - mbedtls_ecp_point Qp; /*!< The value of the public key of the peer. */ - mbedtls_mpi z; /*!< The shared secret. */ + mbedtls_ecp_group MBEDTLS_PRIVATE(grp); /*!< The elliptic curve used. */ + mbedtls_mpi MBEDTLS_PRIVATE(d); /*!< The private key. */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Q); /*!< The public key. */ + mbedtls_ecp_point MBEDTLS_PRIVATE(Qp); /*!< The value of the public key of the peer. */ + mbedtls_mpi MBEDTLS_PRIVATE(z); /*!< The shared secret. */ #if defined(MBEDTLS_ECP_RESTARTABLE) - mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ + mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */ #endif } mbedtls_ecdh_context_mbed; #endif @@ -119,21 +119,21 @@ typedef struct mbedtls_ecdh_context mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ #endif /* MBEDTLS_ECP_RESTARTABLE */ #else - uint8_t point_format; /*!< The format of point export in TLS messages + uint8_t MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages as defined in RFC 4492. */ - mbedtls_ecp_group_id grp_id;/*!< The elliptic curve used. */ - mbedtls_ecdh_variant var; /*!< The ECDH implementation/structure used. */ + mbedtls_ecp_group_id MBEDTLS_PRIVATE(grp_id);/*!< The elliptic curve used. */ + mbedtls_ecdh_variant MBEDTLS_PRIVATE(var); /*!< The ECDH implementation/structure used. */ union { - mbedtls_ecdh_context_mbed mbed_ecdh; + mbedtls_ecdh_context_mbed MBEDTLS_PRIVATE(mbed_ecdh); #if defined(MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED) - mbedtls_ecdh_context_everest everest_ecdh; + mbedtls_ecdh_context_everest MBEDTLS_PRIVATE(everest_ecdh); #endif - } ctx; /*!< Implementation-specific context. The + } MBEDTLS_PRIVATE(ctx); /*!< Implementation-specific context. The context in use is specified by the \c var field. */ #if defined(MBEDTLS_ECP_RESTARTABLE) - uint8_t restart_enabled; /*!< The flag for restartable mode. Functions of + uint8_t MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. Functions of an alternative implementation not supporting restartable mode must return MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED error diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index 525de5da1..cf063a0b5 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -107,12 +107,12 @@ typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx; */ typedef struct { - mbedtls_ecp_restart_ctx ecp; /*!< base context for ECP restart and + mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(ecp); /*!< base context for ECP restart and shared administrative info */ - mbedtls_ecdsa_restart_ver_ctx *ver; /*!< ecdsa_verify() sub-context */ - mbedtls_ecdsa_restart_sig_ctx *sig; /*!< ecdsa_sign() sub-context */ + mbedtls_ecdsa_restart_ver_ctx *MBEDTLS_PRIVATE(ver); /*!< ecdsa_verify() sub-context */ + mbedtls_ecdsa_restart_sig_ctx *MBEDTLS_PRIVATE(sig); /*!< ecdsa_sign() sub-context */ #if defined(MBEDTLS_ECDSA_DETERMINISTIC) - mbedtls_ecdsa_restart_det_ctx *det; /*!< ecdsa_sign_det() sub-context */ + mbedtls_ecdsa_restart_det_ctx *MBEDTLS_PRIVATE(det); /*!< ecdsa_sign_det() sub-context */ #endif } mbedtls_ecdsa_restart_ctx; diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h index 913e323f1..a3b442478 100644 --- a/include/mbedtls/ecp.h +++ b/include/mbedtls/ecp.h @@ -317,10 +317,10 @@ typedef struct mbedtls_ecp_restart_muladd mbedtls_ecp_restart_muladd_ctx; */ typedef struct { - unsigned ops_done; /*!< current ops count */ - unsigned depth; /*!< call depth (0 = top-level) */ - mbedtls_ecp_restart_mul_ctx *rsm; /*!< ecp_mul_comb() sub-context */ - mbedtls_ecp_restart_muladd_ctx *ma; /*!< ecp_muladd() sub-context */ + unsigned MBEDTLS_PRIVATE(ops_done); /*!< current ops count */ + unsigned MBEDTLS_PRIVATE(depth); /*!< call depth (0 = top-level) */ + mbedtls_ecp_restart_mul_ctx *MBEDTLS_PRIVATE(rsm); /*!< ecp_mul_comb() sub-context */ + mbedtls_ecp_restart_muladd_ctx *MBEDTLS_PRIVATE(ma); /*!< ecp_muladd() sub-context */ } mbedtls_ecp_restart_ctx; /* diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 06da076fb..6f88db43a 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -192,8 +192,8 @@ typedef struct mbedtls_pk_context */ typedef struct { - const mbedtls_pk_info_t * pk_info; /**< Public key information */ - void * rs_ctx; /**< Underlying restart context */ + const mbedtls_pk_info_t * MBEDTLS_PRIVATE(pk_info); /**< Public key information */ + void * MBEDTLS_PRIVATE(rs_ctx); /**< Underlying restart context */ } mbedtls_pk_restart_ctx; #else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */ /* Now we can declare functions that take a pointer to that */ @@ -209,7 +209,7 @@ typedef void mbedtls_pk_restart_ctx; */ static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk ) { - return( (mbedtls_rsa_context *) (pk).pk_ctx ); + return( (mbedtls_rsa_context *) (pk).MBEDTLS_PRIVATE(pk_ctx) ); } #endif /* MBEDTLS_RSA_C */ @@ -222,7 +222,7 @@ static inline mbedtls_rsa_context *mbedtls_pk_rsa( const mbedtls_pk_context pk ) */ static inline mbedtls_ecp_keypair *mbedtls_pk_ec( const mbedtls_pk_context pk ) { - return( (mbedtls_ecp_keypair *) (pk).pk_ctx ); + return( (mbedtls_ecp_keypair *) (pk).MBEDTLS_PRIVATE(pk_ctx) ); } #endif /* MBEDTLS_ECP_C */ diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index 093238c0b..00a1aaec9 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -375,19 +375,19 @@ typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t; */ struct mbedtls_ssl_ciphersuite_t { - int id; - const char * name; + int MBEDTLS_PRIVATE(id); + const char * MBEDTLS_PRIVATE(name); - mbedtls_cipher_type_t cipher; - mbedtls_md_type_t mac; - mbedtls_key_exchange_type_t key_exchange; + mbedtls_cipher_type_t MBEDTLS_PRIVATE(cipher); + mbedtls_md_type_t MBEDTLS_PRIVATE(mac); + mbedtls_key_exchange_type_t MBEDTLS_PRIVATE(key_exchange); - int min_major_ver; - int min_minor_ver; - int max_major_ver; - int max_minor_ver; + int MBEDTLS_PRIVATE(min_major_ver); + int MBEDTLS_PRIVATE(min_minor_ver); + int MBEDTLS_PRIVATE(max_major_ver); + int MBEDTLS_PRIVATE(max_minor_ver); - unsigned char flags; + unsigned char MBEDTLS_PRIVATE(flags); }; const int *mbedtls_ssl_list_ciphersuites( void ); diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 015962c7c..f25db4455 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -301,23 +301,23 @@ typedef struct typedef struct { /* for check_signature() */ - mbedtls_pk_restart_ctx pk; + mbedtls_pk_restart_ctx MBEDTLS_PRIVATE(pk); /* for find_parent_in() */ - mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */ - mbedtls_x509_crt *fallback_parent; - int fallback_signature_is_good; + mbedtls_x509_crt *MBEDTLS_PRIVATE(parent); /* non-null iff parent_in in progress */ + mbedtls_x509_crt *MBEDTLS_PRIVATE(fallback_parent); + int MBEDTLS_PRIVATE(fallback_signature_is_good); /* for find_parent() */ - int parent_is_trusted; /* -1 if find_parent is not in progress */ + int MBEDTLS_PRIVATE(parent_is_trusted); /* -1 if find_parent is not in progress */ /* for verify_chain() */ enum { x509_crt_rs_none, x509_crt_rs_find_parent, - } in_progress; /* none if no operation is in progress */ - int self_cnt; - mbedtls_x509_crt_verify_chain ver_chain; + } MBEDTLS_PRIVATE(in_progress); /* none if no operation is in progress */ + int MBEDTLS_PRIVATE(self_cnt); + mbedtls_x509_crt_verify_chain MBEDTLS_PRIVATE(ver_chain); } mbedtls_x509_crt_restart_ctx; diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index b07ced8bd..598a9a774 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -345,7 +345,7 @@ static inline struct psa_key_attributes_s psa_key_attributes_init( void ) static inline void psa_set_key_id( psa_key_attributes_t *attributes, mbedtls_svc_key_id_t key ) { - psa_key_lifetime_t MBEDTLS_PRIVATE(lifetime) = attributes->MBEDTLS_PRIVATE(core).lifetime; + psa_key_lifetime_t lifetime = attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(lifetime); attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = key; @@ -368,7 +368,7 @@ static inline mbedtls_svc_key_id_t psa_get_key_id( static inline void mbedtls_set_key_owner_id( psa_key_attributes_t *attributes, mbedtls_key_owner_id_t owner ) { - attributes->core.id.owner = owner; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(owner) = owner; } #endif @@ -379,7 +379,7 @@ static inline void psa_set_key_lifetime(psa_key_attributes_t *attributes, if( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) { #ifdef MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER - attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).key_id = 0; + attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id).MBEDTLS_PRIVATE(key_id) = 0; #else attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(id) = 0; #endif diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 386c7d794..2cf965d81 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -32,6 +32,7 @@ #ifndef PSA_CRYPTO_TYPES_H #define PSA_CRYPTO_TYPES_H +#include "mbedtls/private_access.h" #include "crypto_platform.h" @@ -234,8 +235,8 @@ typedef psa_key_id_t mbedtls_svc_key_id_t; */ typedef struct { - psa_key_id_t key_id; - mbedtls_key_owner_id_t owner; + psa_key_id_t MBEDTLS_PRIVATE(key_id); + mbedtls_key_owner_id_t MBEDTLS_PRIVATE(owner); } mbedtls_svc_key_id_t; #endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h index 497bd8f01..31a64647e 100644 --- a/include/psa/crypto_values.h +++ b/include/psa/crypto_values.h @@ -33,6 +33,7 @@ #ifndef PSA_CRYPTO_VALUES_H #define PSA_CRYPTO_VALUES_H +#include "mbedtls/private_access.h" /** \defgroup error Error codes * @{ @@ -2124,8 +2125,8 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( mbedtls_key_owner_id_t owner_id, psa_key_id_t key_id ) { - return( (mbedtls_svc_key_id_t){ .key_id = key_id, - .owner = owner_id } ); + return( (mbedtls_svc_key_id_t){ .MBEDTLS_PRIVATE(key_id) = key_id, + .MBEDTLS_PRIVATE(owner) = owner_id } ); } /** Compare two key identifiers. @@ -2138,8 +2139,8 @@ static inline mbedtls_svc_key_id_t mbedtls_svc_key_id_make( static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1, mbedtls_svc_key_id_t id2 ) { - return( ( id1.key_id == id2.key_id ) && - mbedtls_key_owner_id_equal( id1.owner, id2.owner ) ); + return( ( id1.MBEDTLS_PRIVATE(key_id) == id2.MBEDTLS_PRIVATE(key_id) ) && + mbedtls_key_owner_id_equal( id1.MBEDTLS_PRIVATE(owner), id2.MBEDTLS_PRIVATE(owner) ) ); } /** Check whether a key identifier is null. @@ -2150,7 +2151,7 @@ static inline int mbedtls_svc_key_id_equal( mbedtls_svc_key_id_t id1, */ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key ) { - return( ( key.key_id == 0 ) && ( key.owner == 0 ) ); + return( ( key.MBEDTLS_PRIVATE(key_id) == 0 ) && ( key.MBEDTLS_PRIVATE(owner) == 0 ) ); } #endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */ From 6c2e9b6048cc688b33bd59c5ae5472e4838021a5 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 19 May 2021 17:54:54 +0200 Subject: [PATCH 06/22] Add MBEDTLS_ALLOW_PRIVATE_ACCESS to test programs Signed-off-by: Mateusz Starzyk --- programs/fuzz/fuzz_client.c | 2 ++ programs/fuzz/fuzz_dtlsclient.c | 2 ++ programs/fuzz/fuzz_dtlsserver.c | 2 ++ programs/fuzz/fuzz_privkey.c | 2 ++ programs/fuzz/fuzz_pubkey.c | 2 ++ programs/fuzz/fuzz_server.c | 2 ++ programs/fuzz/fuzz_x509crl.c | 2 ++ programs/fuzz/fuzz_x509crt.c | 2 ++ programs/fuzz/fuzz_x509csr.c | 2 ++ programs/ssl/ssl_client2.c | 2 ++ programs/ssl/ssl_context_info.c | 2 ++ programs/ssl/ssl_server2.c | 2 ++ programs/ssl/ssl_test_lib.c | 2 ++ programs/test/benchmark.c | 2 ++ programs/test/selftest.c | 2 ++ programs/test/udp_proxy.c | 2 ++ 16 files changed, 32 insertions(+) diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 618eda265..40ca90a91 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index 29c8672f7..16f601470 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include #include diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index b6dc52ed6..34ff63ede 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include #include diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c index 6c968fd54..f76afd1c5 100644 --- a/programs/fuzz/fuzz_privkey.c +++ b/programs/fuzz/fuzz_privkey.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include #include "mbedtls/pk.h" diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c index 9e8035045..655d5d615 100644 --- a/programs/fuzz/fuzz_pubkey.c +++ b/programs/fuzz/fuzz_pubkey.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include #include "mbedtls/pk.h" diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 16b800c99..5480e3e87 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "mbedtls/ssl.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 15affb59b..65fc37fb3 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include "mbedtls/x509_crl.h" diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index dbc153c49..bd8bdffdb 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include "mbedtls/x509_crt.h" diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index a270742a9..a9205be53 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -1,3 +1,5 @@ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include "mbedtls/x509_csr.h" diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 2ce858837..80b0ce0ee 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "ssl_test_lib.h" #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) diff --git a/programs/ssl/ssl_context_info.c b/programs/ssl/ssl_context_info.c index ec24fa8e0..bc9c6bd52 100644 --- a/programs/ssl/ssl_context_info.c +++ b/programs/ssl/ssl_context_info.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1ff27fb8b..f7a424a5a 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "ssl_test_lib.h" #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index 1bb9d6162..04e127a85 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -20,6 +20,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "ssl_test_lib.h" #if defined(MBEDTLS_TEST_HOOKS) diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c index 3e4ac8b61..3320bbf7d 100644 --- a/programs/test/benchmark.c +++ b/programs/test/benchmark.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/test/selftest.c b/programs/test/selftest.c index e160febe1..a3e306ce9 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index afe0118d0..91c231f9b 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -23,6 +23,8 @@ * example of good general usage. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else From 5dd4f6e9ceaa5d7f1af77db770d1108ca208b81d Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Wed, 19 May 2021 19:35:35 +0200 Subject: [PATCH 07/22] Add MBEDTLS_PRIVATE wrapping to sample programs. Signed-off-by: Mateusz Starzyk --- programs/aes/crypt_and_hash.c | 8 ++++---- programs/pkey/dh_client.c | 14 +++++++------- programs/pkey/dh_server.c | 16 ++++++++-------- programs/pkey/ecdh_curve25519.c | 30 +++++++++++++++--------------- programs/pkey/ecdsa.c | 10 +++++----- programs/pkey/gen_key.c | 18 +++++++++--------- programs/pkey/key_app.c | 14 +++++++------- programs/pkey/key_app_writer.c | 14 +++++++------- programs/pkey/rsa_decrypt.c | 2 +- programs/pkey/rsa_encrypt.c | 2 +- programs/pkey/rsa_sign.c | 2 +- programs/pkey/rsa_verify.c | 8 ++++---- programs/ssl/dtls_client.c | 2 ++ programs/ssl/dtls_server.c | 2 ++ programs/ssl/mini_client.c | 2 ++ programs/ssl/ssl_client1.c | 2 ++ programs/ssl/ssl_fork_server.c | 2 ++ programs/ssl/ssl_mail_client.c | 3 +++ programs/ssl/ssl_server.c | 2 ++ programs/ssl/ssl_server2.c | 4 ++-- programs/x509/cert_app.c | 2 +- programs/x509/cert_write.c | 8 ++++---- 22 files changed, 91 insertions(+), 76 deletions(-) diff --git a/programs/aes/crypt_and_hash.c b/programs/aes/crypt_and_hash.c index 63a12480f..0f97867fa 100644 --- a/programs/aes/crypt_and_hash.c +++ b/programs/aes/crypt_and_hash.c @@ -128,7 +128,7 @@ int main( int argc, char *argv[] ) while( *list ) { cipher_info = mbedtls_cipher_info_from_type( *list ); - mbedtls_printf( " %s\n", cipher_info->name ); + mbedtls_printf( " %s\n", cipher_info->MBEDTLS_PRIVATE(name) ); list++; } @@ -313,7 +313,7 @@ int main( int argc, char *argv[] ) } - if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->key_bitlen, + if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->MBEDTLS_PRIVATE(key_bitlen), MBEDTLS_ENCRYPT ) != 0 ) { mbedtls_fprintf( stderr, "mbedtls_cipher_setkey() returned error\n"); @@ -412,7 +412,7 @@ int main( int argc, char *argv[] ) /* * Check the file size. */ - if( cipher_info->mode != MBEDTLS_MODE_GCM && + if( cipher_info->MBEDTLS_PRIVATE(mode) != MBEDTLS_MODE_GCM && ( ( filesize - mbedtls_md_get_size( md_info ) ) % mbedtls_cipher_get_block_size( &cipher_ctx ) ) != 0 ) { @@ -452,7 +452,7 @@ int main( int argc, char *argv[] ) mbedtls_md_finish( &md_ctx, digest ); } - if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->key_bitlen, + if( mbedtls_cipher_setkey( &cipher_ctx, digest, cipher_info->MBEDTLS_PRIVATE(key_bitlen), MBEDTLS_DECRYPT ) != 0 ) { mbedtls_fprintf( stderr, "mbedtls_cipher_setkey() returned error\n" ); diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c index d6e4990a9..f37df4a9f 100644 --- a/programs/pkey/dh_client.c +++ b/programs/pkey/dh_client.c @@ -127,15 +127,15 @@ int main( void ) mbedtls_rsa_init( &rsa, MBEDTLS_RSA_PKCS_V15, 0 ); - if( ( ret = mbedtls_mpi_read_file( &rsa.N, 16, f ) ) != 0 || - ( ret = mbedtls_mpi_read_file( &rsa.E, 16, f ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_file( &rsa.MBEDTLS_PRIVATE(N), 16, f ) ) != 0 || + ( ret = mbedtls_mpi_read_file( &rsa.MBEDTLS_PRIVATE(E), 16, f ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret ); fclose( f ); goto exit; } - rsa.len = ( mbedtls_mpi_bitlen( &rsa.N ) + 7 ) >> 3; + rsa.MBEDTLS_PRIVATE(len) = ( mbedtls_mpi_bitlen( &rsa.MBEDTLS_PRIVATE(N) ) + 7 ) >> 3; fclose( f ); @@ -193,7 +193,7 @@ int main( void ) goto exit; } - if( dhm.len < 64 || dhm.len > 512 ) + if( dhm.MBEDTLS_PRIVATE(len) < 64 || dhm.MBEDTLS_PRIVATE(len) > 512 ) { mbedtls_printf( " failed\n ! Invalid DHM modulus size\n\n" ); goto exit; @@ -208,7 +208,7 @@ int main( void ) p += 2; - if( ( n = (size_t) ( end - p ) ) != rsa.len ) + if( ( n = (size_t) ( end - p ) ) != rsa.MBEDTLS_PRIVATE(len) ) { mbedtls_printf( " failed\n ! Invalid RSA signature size\n\n" ); goto exit; @@ -233,8 +233,8 @@ int main( void ) mbedtls_printf( "\n . Sending own public value to server" ); fflush( stdout ); - n = dhm.len; - if( ( ret = mbedtls_dhm_make_public( &dhm, (int) dhm.len, buf, n, + n = dhm.MBEDTLS_PRIVATE(len); + if( ( ret = mbedtls_dhm_make_public( &dhm, (int) dhm.MBEDTLS_PRIVATE(len), buf, n, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_dhm_make_public returned %d\n\n", ret ); diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c index dccf0951c..d19ddad25 100644 --- a/programs/pkey/dh_server.c +++ b/programs/pkey/dh_server.c @@ -173,8 +173,8 @@ int main( void ) goto exit; } - if( mbedtls_mpi_read_file( &dhm.P, 16, f ) != 0 || - mbedtls_mpi_read_file( &dhm.G, 16, f ) != 0 ) + if( mbedtls_mpi_read_file( &dhm.MBEDTLS_PRIVATE(P), 16, f ) != 0 || + mbedtls_mpi_read_file( &dhm.MBEDTLS_PRIVATE(G), 16, f ) != 0 ) { mbedtls_printf( " failed\n ! Invalid DH parameter file\n\n" ); fclose( f ); @@ -210,7 +210,7 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); - if( ( ret = mbedtls_dhm_make_params( &dhm, (int) mbedtls_mpi_size( &dhm.P ), buf, &n, + if( ( ret = mbedtls_dhm_make_params( &dhm, (int) mbedtls_mpi_size( &dhm.MBEDTLS_PRIVATE(P) ), buf, &n, mbedtls_ctr_drbg_random, &ctr_drbg ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_dhm_make_params returned %d\n\n", ret ); @@ -226,8 +226,8 @@ int main( void ) goto exit; } - buf[n ] = (unsigned char)( rsa.len >> 8 ); - buf[n + 1] = (unsigned char)( rsa.len ); + buf[n ] = (unsigned char)( rsa.MBEDTLS_PRIVATE(len) >> 8 ); + buf[n + 1] = (unsigned char)( rsa.MBEDTLS_PRIVATE(len) ); if( ( ret = mbedtls_rsa_pkcs1_sign( &rsa, NULL, NULL, MBEDTLS_RSA_PRIVATE, MBEDTLS_MD_SHA256, 0, hash, buf + n + 2 ) ) != 0 ) @@ -236,7 +236,7 @@ int main( void ) goto exit; } - buflen = n + 2 + rsa.len; + buflen = n + 2 + rsa.MBEDTLS_PRIVATE(len); buf2[0] = (unsigned char)( buflen >> 8 ); buf2[1] = (unsigned char)( buflen ); @@ -255,14 +255,14 @@ int main( void ) memset( buf, 0, sizeof( buf ) ); - n = dhm.len; + n = dhm.MBEDTLS_PRIVATE(len); if( ( ret = mbedtls_net_recv( &client_fd, buf, n ) ) != (int) n ) { mbedtls_printf( " failed\n ! mbedtls_net_recv returned %d\n\n", ret ); goto exit; } - if( ( ret = mbedtls_dhm_read_public( &dhm, buf, dhm.len ) ) != 0 ) + if( ( ret = mbedtls_dhm_read_public( &dhm, buf, dhm.MBEDTLS_PRIVATE(len) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_dhm_read_public returned %d\n\n", ret ); goto exit; diff --git a/programs/pkey/ecdh_curve25519.c b/programs/pkey/ecdh_curve25519.c index 67f136360..1f4b8bc3f 100644 --- a/programs/pkey/ecdh_curve25519.c +++ b/programs/pkey/ecdh_curve25519.c @@ -91,14 +91,14 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up client context..." ); fflush( stdout ); - ret = mbedtls_ecp_group_load( &ctx_cli.grp, MBEDTLS_ECP_DP_CURVE25519 ); + ret = mbedtls_ecp_group_load( &ctx_cli.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_CURVE25519 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret ); goto exit; } - ret = mbedtls_ecdh_gen_public( &ctx_cli.grp, &ctx_cli.d, &ctx_cli.Q, + ret = mbedtls_ecdh_gen_public( &ctx_cli.MBEDTLS_PRIVATE(grp), &ctx_cli.MBEDTLS_PRIVATE(d), &ctx_cli.MBEDTLS_PRIVATE(Q), mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { @@ -106,7 +106,7 @@ int main( int argc, char *argv[] ) goto exit; } - ret = mbedtls_mpi_write_binary( &ctx_cli.Q.X, cli_to_srv, 32 ); + ret = mbedtls_mpi_write_binary( &ctx_cli.MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), cli_to_srv, 32 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret ); @@ -121,14 +121,14 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Setting up server context..." ); fflush( stdout ); - ret = mbedtls_ecp_group_load( &ctx_srv.grp, MBEDTLS_ECP_DP_CURVE25519 ); + ret = mbedtls_ecp_group_load( &ctx_srv.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_CURVE25519 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ecp_group_load returned %d\n", ret ); goto exit; } - ret = mbedtls_ecdh_gen_public( &ctx_srv.grp, &ctx_srv.d, &ctx_srv.Q, + ret = mbedtls_ecdh_gen_public( &ctx_srv.MBEDTLS_PRIVATE(grp), &ctx_srv.MBEDTLS_PRIVATE(d), &ctx_srv.MBEDTLS_PRIVATE(Q), mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { @@ -136,7 +136,7 @@ int main( int argc, char *argv[] ) goto exit; } - ret = mbedtls_mpi_write_binary( &ctx_srv.Q.X, srv_to_cli, 32 ); + ret = mbedtls_mpi_write_binary( &ctx_srv.MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), srv_to_cli, 32 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_write_binary returned %d\n", ret ); @@ -151,22 +151,22 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Server reading client key and computing secret..." ); fflush( stdout ); - ret = mbedtls_mpi_lset( &ctx_srv.Qp.Z, 1 ); + ret = mbedtls_mpi_lset( &ctx_srv.MBEDTLS_PRIVATE(Qp).MBEDTLS_PRIVATE(Z), 1 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret ); goto exit; } - ret = mbedtls_mpi_read_binary( &ctx_srv.Qp.X, cli_to_srv, 32 ); + ret = mbedtls_mpi_read_binary( &ctx_srv.MBEDTLS_PRIVATE(Qp).MBEDTLS_PRIVATE(X), cli_to_srv, 32 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret ); goto exit; } - ret = mbedtls_ecdh_compute_shared( &ctx_srv.grp, &ctx_srv.z, - &ctx_srv.Qp, &ctx_srv.d, + ret = mbedtls_ecdh_compute_shared( &ctx_srv.MBEDTLS_PRIVATE(grp), &ctx_srv.MBEDTLS_PRIVATE(z), + &ctx_srv.MBEDTLS_PRIVATE(Qp), &ctx_srv.MBEDTLS_PRIVATE(d), mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { @@ -182,22 +182,22 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Client reading server key and computing secret..." ); fflush( stdout ); - ret = mbedtls_mpi_lset( &ctx_cli.Qp.Z, 1 ); + ret = mbedtls_mpi_lset( &ctx_cli.MBEDTLS_PRIVATE(Qp).MBEDTLS_PRIVATE(Z), 1 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_lset returned %d\n", ret ); goto exit; } - ret = mbedtls_mpi_read_binary( &ctx_cli.Qp.X, srv_to_cli, 32 ); + ret = mbedtls_mpi_read_binary( &ctx_cli.MBEDTLS_PRIVATE(Qp).MBEDTLS_PRIVATE(X), srv_to_cli, 32 ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_read_binary returned %d\n", ret ); goto exit; } - ret = mbedtls_ecdh_compute_shared( &ctx_cli.grp, &ctx_cli.z, - &ctx_cli.Qp, &ctx_cli.d, + ret = mbedtls_ecdh_compute_shared( &ctx_cli.MBEDTLS_PRIVATE(grp), &ctx_cli.MBEDTLS_PRIVATE(z), + &ctx_cli.MBEDTLS_PRIVATE(Qp), &ctx_cli.MBEDTLS_PRIVATE(d), mbedtls_ctr_drbg_random, &ctr_drbg ); if( ret != 0 ) { @@ -213,7 +213,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Checking if both computed secrets are equal..." ); fflush( stdout ); - ret = mbedtls_mpi_cmp_mpi( &ctx_cli.z, &ctx_srv.z ); + ret = mbedtls_mpi_cmp_mpi( &ctx_cli.MBEDTLS_PRIVATE(z), &ctx_srv.MBEDTLS_PRIVATE(z) ); if( ret != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ecdh_compute_shared returned %d\n", ret ); diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c index 1bbf8268c..3dacd75d3 100644 --- a/programs/pkey/ecdsa.c +++ b/programs/pkey/ecdsa.c @@ -55,7 +55,7 @@ #define ECPARAMS MBEDTLS_ECP_DP_SECP192R1 #if !defined(ECPARAMS) -#define ECPARAMS mbedtls_ecp_curve_list()->grp_id +#define ECPARAMS mbedtls_ecp_curve_list()->MBEDTLS_PRIVATE(grp_id) #endif #if !defined(MBEDTLS_ECDSA_C) || !defined(MBEDTLS_SHA256_C) || \ @@ -84,7 +84,7 @@ static void dump_pubkey( const char *title, mbedtls_ecdsa_context *key ) unsigned char buf[300]; size_t len; - if( mbedtls_ecp_point_write_binary( &key->grp, &key->Q, + if( mbedtls_ecp_point_write_binary( &key->MBEDTLS_PRIVATE(grp), &key->MBEDTLS_PRIVATE(Q), MBEDTLS_ECP_PF_UNCOMPRESSED, &len, buf, sizeof buf ) != 0 ) { mbedtls_printf("internal error\n"); @@ -156,7 +156,7 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( " ok (key size: %d bits)\n", (int) ctx_sign.grp.pbits ); + mbedtls_printf( " ok (key size: %d bits)\n", (int) ctx_sign.MBEDTLS_PRIVATE(grp).MBEDTLS_PRIVATE(pbits) ); dump_pubkey( " + Public key: ", &ctx_sign ); @@ -204,13 +204,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Preparing verification context..." ); fflush( stdout ); - if( ( ret = mbedtls_ecp_group_copy( &ctx_verify.grp, &ctx_sign.grp ) ) != 0 ) + if( ( ret = mbedtls_ecp_group_copy( &ctx_verify.MBEDTLS_PRIVATE(grp), &ctx_sign.MBEDTLS_PRIVATE(grp) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ecp_group_copy returned %d\n", ret ); goto exit; } - if( ( ret = mbedtls_ecp_copy( &ctx_verify.Q, &ctx_sign.Q ) ) != 0 ) + if( ( ret = mbedtls_ecp_copy( &ctx_verify.MBEDTLS_PRIVATE(Q), &ctx_sign.MBEDTLS_PRIVATE(Q) ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ecp_copy returned %d\n", ret ); goto exit; diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c index 63cc11ed5..9ad1190fc 100644 --- a/programs/pkey/gen_key.c +++ b/programs/pkey/gen_key.c @@ -90,7 +90,7 @@ int dev_random_entropy_poll( void *data, unsigned char *output, #endif #if defined(MBEDTLS_ECP_C) -#define DFL_EC_CURVE mbedtls_ecp_curve_list()->grp_id +#define DFL_EC_CURVE mbedtls_ecp_curve_list()->MBEDTLS_PRIVATE(grp_id) #else #define DFL_EC_CURVE 0 #endif @@ -223,9 +223,9 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_ECP_C) mbedtls_printf( " available ec_curve values:\n" ); curve_info = mbedtls_ecp_curve_list(); - mbedtls_printf( " %s (default)\n", curve_info->name ); - while( ( ++curve_info )->name != NULL ) - mbedtls_printf( " %s\n", curve_info->name ); + mbedtls_printf( " %s (default)\n", curve_info->MBEDTLS_PRIVATE(name) ); + while( ( ++curve_info )->MBEDTLS_PRIVATE(name) != NULL ) + mbedtls_printf( " %s\n", curve_info->MBEDTLS_PRIVATE(name) ); #endif /* MBEDTLS_ECP_C */ goto exit; } @@ -274,7 +274,7 @@ int main( int argc, char *argv[] ) { if( ( curve_info = mbedtls_ecp_curve_info_from_name( q ) ) == NULL ) goto usage; - opt.ec_curve = curve_info->grp_id; + opt.ec_curve = curve_info->MBEDTLS_PRIVATE(grp_id); } #endif else if( strcmp( p, "filename" ) == 0 ) @@ -395,10 +395,10 @@ int main( int argc, char *argv[] ) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( key ); mbedtls_printf( "curve: %s\n", - mbedtls_ecp_curve_info_from_grp_id( ecp->grp.id )->name ); - mbedtls_mpi_write_file( "X_Q: ", &ecp->Q.X, 16, NULL ); - mbedtls_mpi_write_file( "Y_Q: ", &ecp->Q.Y, 16, NULL ); - mbedtls_mpi_write_file( "D: ", &ecp->d , 16, NULL ); + mbedtls_ecp_curve_info_from_grp_id( ecp->MBEDTLS_PRIVATE(grp).MBEDTLS_PRIVATE(id) )->MBEDTLS_PRIVATE(name) ); + mbedtls_mpi_write_file( "X_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL ); + mbedtls_mpi_write_file( "Y_Q: ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL ); + mbedtls_mpi_write_file( "D: ", &ecp->MBEDTLS_PRIVATE(d) , 16, NULL ); } else #endif diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c index 7f39e5ce3..7bd93c72b 100644 --- a/programs/pkey/key_app.c +++ b/programs/pkey/key_app.c @@ -222,10 +222,10 @@ int main( int argc, char *argv[] ) if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY ) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( pk ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "D : ", &ecp->d , 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "D : ", &ecp->MBEDTLS_PRIVATE(d) , 16, NULL ) ); } else #endif @@ -273,9 +273,9 @@ int main( int argc, char *argv[] ) if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY ) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( pk ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL ) ); - MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL ) ); + MBEDTLS_MPI_CHK( mbedtls_mpi_write_file( "Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL ) ); } else #endif diff --git a/programs/pkey/key_app_writer.c b/programs/pkey/key_app_writer.c index 6a4d0e4ce..4b65262d0 100644 --- a/programs/pkey/key_app_writer.c +++ b/programs/pkey/key_app_writer.c @@ -335,10 +335,10 @@ int main( int argc, char *argv[] ) if( mbedtls_pk_get_type( &key ) == MBEDTLS_PK_ECKEY ) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( key ); - mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL ); - mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL ); - mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL ); - mbedtls_mpi_write_file( "D : ", &ecp->d , 16, NULL ); + mbedtls_mpi_write_file( "Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL ); + mbedtls_mpi_write_file( "Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL ); + mbedtls_mpi_write_file( "Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL ); + mbedtls_mpi_write_file( "D : ", &ecp->MBEDTLS_PRIVATE(d) , 16, NULL ); } else #endif @@ -389,9 +389,9 @@ int main( int argc, char *argv[] ) if( mbedtls_pk_get_type( &key ) == MBEDTLS_PK_ECKEY ) { mbedtls_ecp_keypair *ecp = mbedtls_pk_ec( key ); - mbedtls_mpi_write_file( "Q(X): ", &ecp->Q.X, 16, NULL ); - mbedtls_mpi_write_file( "Q(Y): ", &ecp->Q.Y, 16, NULL ); - mbedtls_mpi_write_file( "Q(Z): ", &ecp->Q.Z, 16, NULL ); + mbedtls_mpi_write_file( "Q(X): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(X), 16, NULL ); + mbedtls_mpi_write_file( "Q(Y): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Y), 16, NULL ); + mbedtls_mpi_write_file( "Q(Z): ", &ecp->MBEDTLS_PRIVATE(Q).MBEDTLS_PRIVATE(Z), 16, NULL ); } else #endif diff --git a/programs/pkey/rsa_decrypt.c b/programs/pkey/rsa_decrypt.c index 1ba8c735d..b13bb310e 100644 --- a/programs/pkey/rsa_decrypt.c +++ b/programs/pkey/rsa_decrypt.c @@ -164,7 +164,7 @@ int main( int argc, char *argv[] ) fclose( f ); - if( i != rsa.len ) + if( i != rsa.MBEDTLS_PRIVATE(len) ) { mbedtls_printf( "\n ! Invalid RSA signature format\n\n" ); goto exit; diff --git a/programs/pkey/rsa_encrypt.c b/programs/pkey/rsa_encrypt.c index ba0120172..03a6e894f 100644 --- a/programs/pkey/rsa_encrypt.c +++ b/programs/pkey/rsa_encrypt.c @@ -161,7 +161,7 @@ int main( int argc, char *argv[] ) goto exit; } - for( i = 0; i < rsa.len; i++ ) + for( i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++ ) mbedtls_fprintf( f, "%02X%s", buf[i], ( i + 1 ) % 16 == 0 ? "\r\n" : " " ); diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c index c9522c8c2..8e657a792 100644 --- a/programs/pkey/rsa_sign.c +++ b/programs/pkey/rsa_sign.c @@ -164,7 +164,7 @@ int main( int argc, char *argv[] ) goto exit; } - for( i = 0; i < rsa.len; i++ ) + for( i = 0; i < rsa.MBEDTLS_PRIVATE(len); i++ ) mbedtls_fprintf( f, "%02X%s", buf[i], ( i + 1 ) % 16 == 0 ? "\r\n" : " " ); diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c index fbc0779b2..e7e347c70 100644 --- a/programs/pkey/rsa_verify.c +++ b/programs/pkey/rsa_verify.c @@ -89,15 +89,15 @@ int main( int argc, char *argv[] ) goto exit; } - if( ( ret = mbedtls_mpi_read_file( &rsa.N, 16, f ) ) != 0 || - ( ret = mbedtls_mpi_read_file( &rsa.E, 16, f ) ) != 0 ) + if( ( ret = mbedtls_mpi_read_file( &rsa.MBEDTLS_PRIVATE(N), 16, f ) ) != 0 || + ( ret = mbedtls_mpi_read_file( &rsa.MBEDTLS_PRIVATE(E), 16, f ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_mpi_read_file returned %d\n\n", ret ); fclose( f ); goto exit; } - rsa.len = ( mbedtls_mpi_bitlen( &rsa.N ) + 7 ) >> 3; + rsa.MBEDTLS_PRIVATE(len) = ( mbedtls_mpi_bitlen( &rsa.MBEDTLS_PRIVATE(N) ) + 7 ) >> 3; fclose( f ); @@ -119,7 +119,7 @@ int main( int argc, char *argv[] ) fclose( f ); - if( i != rsa.len ) + if( i != rsa.MBEDTLS_PRIVATE(len) ) { mbedtls_printf( "\n ! Invalid RSA signature format\n\n" ); goto exit; diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 1e9779533..c3c73bb14 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index bd2dc12de..34419db7c 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 0a9cc284d..a067a8fd5 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -18,6 +18,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 6624224af..3e479d00a 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index d181c01da..38a68831e 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 428c64362..5d395c25f 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -20,6 +20,9 @@ /* Enable definition of gethostname() even when compiling with -std=c99. Must * be set before config.h, which pulls in glibc's features.h indirectly. * Harmless on other platforms. */ + +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #define _POSIX_C_SOURCE 200112L #define _XOPEN_SOURCE 600 diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 11147b092..8458a22b4 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index f7a424a5a..da145a92c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -805,7 +805,7 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl, return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) ); } - cur = cur->next; + cur = cur->MBEDTLS_PRIVATE(next); } return( -1 ); @@ -921,7 +921,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl, return( mbedtls_ssl_set_hs_psk( ssl, cur->key, cur->key_len ) ); } - cur = cur->next; + cur = cur->MBEDTLS_PRIVATE(next); } return( -1 ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index fb2484337..2adef3904 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -335,7 +335,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( "%s\n", buf ); - cur = cur->next; + cur = cur->MBEDTLS_PRIVATE(next); } /* diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 18174d804..ff7cf9807 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -518,7 +518,7 @@ int main( int argc, char *argv[] ) } ret = mbedtls_x509_dn_gets( issuer_name, sizeof(issuer_name), - &issuer_crt.subject ); + &issuer_crt.MBEDTLS_PRIVATE(subject) ); if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); @@ -552,7 +552,7 @@ int main( int argc, char *argv[] ) } ret = mbedtls_x509_dn_gets( subject_name, sizeof(subject_name), - &csr.subject ); + &csr.MBEDTLS_PRIVATE(subject) ); if( ret < 0 ) { mbedtls_strerror( ret, buf, 1024 ); @@ -562,7 +562,7 @@ int main( int argc, char *argv[] ) } opt.subject_name = subject_name; - subject_key = &csr.pk; + subject_key = &csr.MBEDTLS_PRIVATE(pk); mbedtls_printf( " ok\n" ); } @@ -606,7 +606,7 @@ int main( int argc, char *argv[] ) // if( strlen( opt.issuer_crt ) ) { - if( mbedtls_pk_check_pair( &issuer_crt.pk, issuer_key ) != 0 ) + if( mbedtls_pk_check_pair( &issuer_crt.MBEDTLS_PRIVATE(pk), issuer_key ) != 0 ) { mbedtls_printf( " failed\n ! issuer_key does not match " "issuer certificate\n\n" ); From beb95b4d251f2072b2f4f15357f7b85f831f05f9 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 20 May 2021 14:41:22 +0200 Subject: [PATCH 08/22] Adjust doxyfile to expand MBEDTLS_PRIVATE macro. Signed-off-by: Mateusz Starzyk --- doxygen/mbedtls.doxyfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 0205dcfef..dd84c2871 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -1577,13 +1577,13 @@ ENABLE_PREPROCESSING = YES # compilation will be performed. Macro expansion can be done in a controlled # way by setting EXPAND_ONLY_PREDEF to YES. -MACRO_EXPANSION = NO +MACRO_EXPANSION = YES # If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES # then the macro expansion is limited to the macros specified with the # PREDEFINED and EXPAND_AS_DEFINED tags. -EXPAND_ONLY_PREDEF = NO +EXPAND_ONLY_PREDEF = YES # If the SEARCH_INCLUDES tag is set to YES (the default) the includes files # pointed to by INCLUDE_PATH will be searched when a #include is found. @@ -1630,7 +1630,7 @@ PREDEFINED = WIN32 \ # Use the PREDEFINED tag if you want to use a different macro definition that # overrules the definition found in the source code. -EXPAND_AS_DEFINED = +EXPAND_AS_DEFINED = MBEDTLS_PRIVATE # If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then # doxygen's preprocessor will remove all references to function-like macros From f2b11a9a77ca2b80952890e72ebe38de7169a441 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 21 May 2021 09:33:46 +0200 Subject: [PATCH 09/22] Add MBEDTLS_ALLOW_PRIVATE_ACCESS to tests drivers Signed-off-by: Mateusz Starzyk --- tests/src/drivers/hash.c | 2 ++ tests/src/drivers/platform_builtin_keys.c | 2 ++ tests/src/drivers/test_driver_aead.c | 2 ++ tests/src/drivers/test_driver_cipher.c | 2 ++ tests/src/drivers/test_driver_key_management.c | 2 ++ tests/src/drivers/test_driver_mac.c | 2 ++ tests/src/drivers/test_driver_signature.c | 2 ++ tests/src/drivers/test_driver_size.c | 2 ++ 8 files changed, 16 insertions(+) diff --git a/tests/src/drivers/hash.c b/tests/src/drivers/hash.c index f95aa6b61..a9c475a82 100644 --- a/tests/src/drivers/hash.c +++ b/tests/src/drivers/hash.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/platform_builtin_keys.c b/tests/src/drivers/platform_builtin_keys.c index 759fa7830..a3c5796da 100644 --- a/tests/src/drivers/platform_builtin_keys.c +++ b/tests/src/drivers/platform_builtin_keys.c @@ -20,6 +20,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include #include diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c index a14716324..c247bab08 100644 --- a/tests/src/drivers/test_driver_aead.c +++ b/tests/src/drivers/test_driver_aead.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index 4827946b0..51c1abc1a 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -18,6 +18,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c index 19e103331..b1096cb6f 100644 --- a/tests/src/drivers/test_driver_key_management.c +++ b/tests/src/drivers/test_driver_key_management.c @@ -18,6 +18,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/test_driver_mac.c b/tests/src/drivers/test_driver_mac.c index 69af10780..439943cca 100644 --- a/tests/src/drivers/test_driver_mac.c +++ b/tests/src/drivers/test_driver_mac.c @@ -17,6 +17,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c index fdfba165f..e48670415 100644 --- a/tests/src/drivers/test_driver_signature.c +++ b/tests/src/drivers/test_driver_signature.c @@ -19,6 +19,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/tests/src/drivers/test_driver_size.c b/tests/src/drivers/test_driver_size.c index d8bcaee38..af899c689 100644 --- a/tests/src/drivers/test_driver_size.c +++ b/tests/src/drivers/test_driver_size.c @@ -18,6 +18,8 @@ * limitations under the License. */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else From 28c8cce051fc90141453a85d16f84527926ffbf5 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Fri, 21 May 2021 09:48:03 +0200 Subject: [PATCH 10/22] Add conditional error.h include to test helpers function. `mbedtls_test_hook_error_add` is referenced inside main_test.function. Including the `error.h` is necessary to build suites which define both MBEDTLS_TEST_HOOKS and MBEDTLS_ERROR_C, such as: build_psa_accel_alg_ecdh Signed-off-by: Mateusz Starzyk --- tests/suites/helpers.function | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index ca03532ba..ae1bc888d 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -11,6 +11,9 @@ #include +#if defined (MBEDTLS_ERROR_C) +#include "mbedtls/error.h" +#endif #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else From 284471c236f3edce4e2ccab6e77ad0e4893e5d6c Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 12:42:32 +0200 Subject: [PATCH 11/22] Clarify python script's comments Signed-off-by: Mateusz Starzyk --- apply_MBEDTLS_PRIVATE.py | 37 +++++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/apply_MBEDTLS_PRIVATE.py b/apply_MBEDTLS_PRIVATE.py index 4160287f2..4d87384ff 100644 --- a/apply_MBEDTLS_PRIVATE.py +++ b/apply_MBEDTLS_PRIVATE.py @@ -6,32 +6,41 @@ import os import xml.etree.ElementTree as ET +# Create dictionary with following structre +# files_to_visit = { +# "filepath1" : { "variable_name1": (1, 2, 40, 61), # line numbers +# "variable_name2": (60, 64), +# }, +# "filepath2" : { "variable_name1": (1, 2, 40, 61), # line numbers +# "variable_name2": (60, 64), +# }, ... +# } files_to_visit = {} +# find xml models for structs parsed by doxygen struct_files = glob.glob("apidoc/xml/structmbedtls*.xml") + glob.glob("apidoc/xml/structpsa*.xml") for struct_file in struct_files: + # get all variables from currently processed struct struct_file_tree = ET.parse(struct_file) all_struct_members_definitions = struct_file_tree.getroot().findall(".//memberdef[@kind='variable']") - # Create dictionary with following structre - # "filepath" : { "variable_name1": (1, 2, 40, 61), # line numbers - # "variable_name2": (60, 64), - # } for struct_member_def in all_struct_members_definitions: - # find file path for this variable + # get unique id by which this variable is referenced member_id = struct_member_def.attrib["id"] + # find file path for this variable's definition location = struct_member_def.find("location") file_path = location.attrib["file"] + # get variable name variable_name = struct_member_def.find("name").text - # if path not yet in dictionary, create empty record to initialize + # if file path is not yet in dictionary, create empty sub-dictionary to initialize if file_path not in files_to_visit: files_to_visit[file_path] = {} # if variable is not yet in this file's dictionary, create empty set to initialize if variable_name not in files_to_visit[file_path]: files_to_visit[file_path][variable_name] = set() - # add variable definition + # add variable's definition line number files_to_visit[file_path][variable_name].add(int(location.attrib["line"])) # check where the variable was referenced @@ -39,13 +48,13 @@ for struct_file in struct_files: for reference in references: refid = reference.attrib["refid"] # assuming that compound name is related to header's xml file - header_file = "apidoc/xml/" + reference.attrib["compoundref"] + ".xml" - header_file_tree = ET.parse(header_file) + header_file_xml = "apidoc/xml/" + reference.attrib["compoundref"] + ".xml" + header_file_tree = ET.parse(header_file_xml) # check if this reference is created by static inline function static_inline_function_definition = header_file_tree.getroot().find(f".//memberdef[@id='{refid}'][@kind='function'][@static='yes'][@inline='yes']") if static_inline_function_definition: static_inline_function_file_path = static_inline_function_definition.find("location").attrib["file"] - # if path not yet in dictionary, create empty record to initialize. + # if file path not yet in dictionary, create empty sub-dictionary to initialize. # This could happen if reference is inside header file which was not yet processed in search for variable definitions if static_inline_function_file_path not in files_to_visit: files_to_visit[static_inline_function_file_path] = {} @@ -55,26 +64,30 @@ for struct_file in struct_files: # function block scope function_lines_from = int(reference.attrib["startline"]) function_lines_to = int(reference.attrib["endline"]) - # find codelines referencing struct's variable + # find codelines referencing currently processed variable. This is using the code listing inside header's xml model. codelines_xml = header_file_tree.getroot().findall(f".//ref[@refid='{member_id}']/../..") # filter by function's scope codelines = [int(line.attrib["lineno"]) for line in codelines_xml if int(line.attrib["lineno"]) >= function_lines_from and int(line.attrib["lineno"]) <= function_lines_to] - # add variable reference + # add lines referencing currently processed variable files_to_visit[static_inline_function_file_path][variable_name].update(codelines) pp = pprint.PrettyPrinter(indent=4) pp.pprint(files_to_visit) for file_path, variables in files_to_visit.items(): + # FileInput redirects stdout to to 'file', so every print in this block will be put inside 'file' with fileinput.FileInput(file_path, inplace=True) as file: output_line_number = 1 + # compile regex matching the header's include guard. re_include_guard = re.compile(r"^#define.*{name}$".format(name=os.path.basename(file_path).replace('.','_').upper())) for line in file: insert_allow_private_include = False if re_include_guard.match(line): insert_allow_private_include = True + # every line in file is checked against variables and lines in which they occur for variable, var_lines in variables.items(): for var_line in var_lines: + # wrap variable with MBEDTLS_PRIVATE(...) macro if output_line_number == var_line: line = re.sub(r"(^.*?\W+)({var})(\W+.*$)".format(var=variable), r"\1MBEDTLS_PRIVATE(\2)\3", line) output_line_number += 1 From cad24bb5d84ee842b58d9529fd918ede25f3debb Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 13:50:40 +0200 Subject: [PATCH 12/22] Make python script idempotent. Signed-off-by: Mateusz Starzyk --- apply_MBEDTLS_PRIVATE.py | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/apply_MBEDTLS_PRIVATE.py b/apply_MBEDTLS_PRIVATE.py index 4d87384ff..d2bc7c06a 100644 --- a/apply_MBEDTLS_PRIVATE.py +++ b/apply_MBEDTLS_PRIVATE.py @@ -74,24 +74,33 @@ for struct_file in struct_files: pp = pprint.PrettyPrinter(indent=4) pp.pprint(files_to_visit) +mbedtls_private_access_include = "#include \"mbedtls/private_access.h\"" + for file_path, variables in files_to_visit.items(): + # check if this file has "mbedtls/private_access.h" include + file_has_private_access_include = False + with open(file_path, 'r') as file: + for line in file: + if mbedtls_private_access_include in line: + file_has_private_access_include = True + break + # FileInput redirects stdout to to 'file', so every print in this block will be put inside 'file' with fileinput.FileInput(file_path, inplace=True) as file: output_line_number = 1 # compile regex matching the header's include guard. re_include_guard = re.compile(r"^#define.*{name}$".format(name=os.path.basename(file_path).replace('.','_').upper())) for line in file: - insert_allow_private_include = False + insert_private_access_include = False if re_include_guard.match(line): - insert_allow_private_include = True + insert_private_access_include = not file_has_private_access_include # every line in file is checked against variables and lines in which they occur for variable, var_lines in variables.items(): for var_line in var_lines: # wrap variable with MBEDTLS_PRIVATE(...) macro if output_line_number == var_line: - line = re.sub(r"(^.*?\W+)({var})(\W+.*$)".format(var=variable), r"\1MBEDTLS_PRIVATE(\2)\3", line) + line = re.sub(r"(^.*?\W+)((?!MBEDTLS_PRIVATE\(){var})(\W+.*$)".format(var=variable), r"\1MBEDTLS_PRIVATE(\2)\3", line) output_line_number += 1 print(line, end='') # fileinput redirects stdout to the target file - if insert_allow_private_include: - insert_allow_private_include = False + if insert_private_access_include: print("#include \"mbedtls/private_access.h\"") From 57d1d198ef5d4468ec555ef6c35542ed1d79cf86 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 14:39:53 +0200 Subject: [PATCH 13/22] Fix typo Signed-off-by: Mateusz Starzyk --- library/common.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/common.h b/library/common.h index c31ac1e1c..0f61f9452 100644 --- a/library/common.h +++ b/library/common.h @@ -50,7 +50,7 @@ #define MBEDTLS_STATIC_TESTABLE static #endif -/** Allow library to access it's structs' private members. +/** Allow library to access its structs' private members. * * Although structs defined in header files are publicly available, * their members are private and should not be accessed by the user. From 03f00307a28efdd2cd40f9193180bf5b5d7aa623 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 14:40:40 +0200 Subject: [PATCH 14/22] Add missing common.h include. Remove obsolete config.h include when common.h is included. Signed-off-by: Mateusz Starzyk --- library/psa_crypto_storage.c | 6 ------ library/psa_its_file.c | 6 +----- 2 files changed, 1 insertion(+), 11 deletions(-) diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index 0ef041d18..575e9925a 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c @@ -20,12 +20,6 @@ #include "common.h" -#if defined(MBEDTLS_CONFIG_FILE) -#include MBEDTLS_CONFIG_FILE -#else -#include "mbedtls/config.h" -#endif - #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) #include diff --git a/library/psa_its_file.c b/library/psa_its_file.c index 7798da615..492be1c71 100644 --- a/library/psa_its_file.c +++ b/library/psa_its_file.c @@ -18,11 +18,7 @@ * limitations under the License. */ -#if defined(MBEDTLS_CONFIG_FILE) -#include MBEDTLS_CONFIG_FILE -#else -#include "mbedtls/config.h" -#endif +#include "common.h" #if defined(MBEDTLS_PSA_ITS_FILE_C) From 3911e70eaaf63d12aeb6e314598742507a07e64b Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 14:44:31 +0200 Subject: [PATCH 15/22] Remove obsolete MBEDTLS_ALLOW_PRIVATE_ACCESS from helpers function. MBEDTLS_ALLOW_PRIVATE_ACCESS is already defined inside test/helpers.h Signed-off-by: Mateusz Starzyk --- tests/suites/helpers.function | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/suites/helpers.function b/tests/suites/helpers.function index ae1bc888d..2a7575217 100644 --- a/tests/suites/helpers.function +++ b/tests/suites/helpers.function @@ -2,10 +2,8 @@ /*----------------------------------------------------------------------------*/ /* Headers */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#include #include +#include #include #include From b1982728a51fbaa7b912834d1bfc01b5efd1bc18 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 14:46:48 +0200 Subject: [PATCH 16/22] Document MBEDTLS_ALLOW_PRIVATE_ACCESS inside test/helpers.h. Signed-off-by: Mateusz Starzyk --- tests/include/test/helpers.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index 0f82a9040..a1098c555 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -25,6 +25,9 @@ #ifndef TEST_HELPERS_H #define TEST_HELPERS_H +/* Most fields of publicly available structs are private and are wrapped with + * MBEDTLS_PRIVATE macro. This define allows tests to access the private fields + * directly (without using the MBEDTLS_PRIVATE wrapper). */ #define MBEDTLS_ALLOW_PRIVATE_ACCESS #if !defined(MBEDTLS_CONFIG_FILE) From b4a012929da8a3119caefa82fe25d673fefab2de Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 14:49:25 +0200 Subject: [PATCH 17/22] Add test/helpers include to test drivers. Remove config.h include. "test/helpers.h" defines MBEDTLS_ALLOW_PRIVATE_ACCESS. Drivers can include that header instead of defining the MBEDTLS_ALLOW_PRIVATE_ACCESS themselves. "test/helpers.h" includes config header as well. Remove obsolete config includes from src/drivers. Signed-off-by: Mateusz Starzyk --- tests/src/drivers/hash.c | 8 +------- tests/src/drivers/platform_builtin_keys.c | 2 +- tests/src/drivers/test_driver_aead.c | 8 -------- tests/src/drivers/test_driver_cipher.c | 8 -------- tests/src/drivers/test_driver_key_management.c | 8 +------- tests/src/drivers/test_driver_mac.c | 8 +------- tests/src/drivers/test_driver_signature.c | 8 -------- tests/src/drivers/test_driver_size.c | 8 +------- 8 files changed, 5 insertions(+), 53 deletions(-) diff --git a/tests/src/drivers/hash.c b/tests/src/drivers/hash.c index a9c475a82..b1880f778 100644 --- a/tests/src/drivers/hash.c +++ b/tests/src/drivers/hash.c @@ -17,13 +17,7 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_hash.h" diff --git a/tests/src/drivers/platform_builtin_keys.c b/tests/src/drivers/platform_builtin_keys.c index a3c5796da..da5865d86 100644 --- a/tests/src/drivers/platform_builtin_keys.c +++ b/tests/src/drivers/platform_builtin_keys.c @@ -20,7 +20,7 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS +#include #include #include diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c index c247bab08..ce9ce3779 100644 --- a/tests/src/drivers/test_driver_aead.c +++ b/tests/src/drivers/test_driver_aead.c @@ -17,14 +17,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif - #include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index 51c1abc1a..9c95cc8f8 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -18,14 +18,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif - #include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c index b1096cb6f..afa1fc261 100644 --- a/tests/src/drivers/test_driver_key_management.c +++ b/tests/src/drivers/test_driver_key_management.c @@ -18,13 +18,7 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" diff --git a/tests/src/drivers/test_driver_mac.c b/tests/src/drivers/test_driver_mac.c index 439943cca..3b766dcb5 100644 --- a/tests/src/drivers/test_driver_mac.c +++ b/tests/src/drivers/test_driver_mac.c @@ -17,13 +17,7 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_mac.h" diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c index e48670415..2d58756aa 100644 --- a/tests/src/drivers/test_driver_signature.c +++ b/tests/src/drivers/test_driver_signature.c @@ -19,14 +19,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif - #include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) diff --git a/tests/src/drivers/test_driver_size.c b/tests/src/drivers/test_driver_size.c index af899c689..033cf32de 100644 --- a/tests/src/drivers/test_driver_size.c +++ b/tests/src/drivers/test_driver_size.c @@ -18,13 +18,7 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - -#if !defined(MBEDTLS_CONFIG_FILE) -#include "mbedtls/config.h" -#else -#include MBEDTLS_CONFIG_FILE -#endif +#include #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) From 55768f26fc999b560efc2b13b0d33faa43b24bbf Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Thu, 27 May 2021 14:57:03 +0200 Subject: [PATCH 18/22] Fix MBEDTLS_PRIVATE wrapping in tests and sample programs. Signed-off-by: Mateusz Starzyk --- programs/ssl/dtls_client.c | 2 -- programs/ssl/dtls_server.c | 4 +--- programs/ssl/mini_client.c | 6 ++---- programs/ssl/ssl_client1.c | 2 -- programs/ssl/ssl_fork_server.c | 4 +--- programs/ssl/ssl_mail_client.c | 2 -- programs/ssl/ssl_server.c | 4 +--- programs/ssl/ssl_server2.c | 4 ++-- 8 files changed, 7 insertions(+), 21 deletions(-) diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index c3c73bb14..1e9779533 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -17,8 +17,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 34419db7c..de47aab25 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -17,8 +17,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else @@ -231,7 +229,7 @@ int main( void ) mbedtls_ssl_cache_set ); #endif - mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, srvcert.MBEDTLS_PRIVATE(next), NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index a067a8fd5..42dbeac9e 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -18,8 +18,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else @@ -252,13 +250,13 @@ int main( void ) addr.sin_addr.s_addr = *((char *) &ret) == ret ? ADDR_LE : ADDR_BE; ret = 0; - if( ( server_fd.fd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) + if( ( server_fd.MBEDTLS_PRIVATE(fd) = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { ret = socket_failed; goto exit; } - if( connect( server_fd.fd, + if( connect( server_fd.MBEDTLS_PRIVATE(fd), (const struct sockaddr *) &addr, sizeof( addr ) ) < 0 ) { ret = connect_failed; diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 3e479d00a..6624224af 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -17,8 +17,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 38a68831e..573210870 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -17,8 +17,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else @@ -195,7 +193,7 @@ int main( void ) mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_conf_dbg( &conf, my_debug, stdout ); - mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, srvcert.MBEDTLS_PRIVATE(next), NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 5d395c25f..09bbc3d69 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -21,8 +21,6 @@ * be set before config.h, which pulls in glibc's features.h indirectly. * Harmless on other platforms. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #define _POSIX_C_SOURCE 200112L #define _XOPEN_SOURCE 600 diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 8458a22b4..42196ffc0 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -17,8 +17,6 @@ * limitations under the License. */ -#define MBEDTLS_ALLOW_PRIVATE_ACCESS - #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" #else @@ -217,7 +215,7 @@ int main( void ) mbedtls_ssl_cache_set ); #endif - mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + mbedtls_ssl_conf_ca_chain( &conf, srvcert.MBEDTLS_PRIVATE(next), NULL ); if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index da145a92c..f7a424a5a 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -805,7 +805,7 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl, return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) ); } - cur = cur->MBEDTLS_PRIVATE(next); + cur = cur->next; } return( -1 ); @@ -921,7 +921,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl, return( mbedtls_ssl_set_hs_psk( ssl, cur->key, cur->key_len ) ); } - cur = cur->MBEDTLS_PRIVATE(next); + cur = cur->next; } return( -1 ); From 2abe51cc751c16b618dfa55219e91172254bb463 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 11:08:01 +0200 Subject: [PATCH 19/22] Extend setup_and_run script to cover remaining configurations. Signed-off-by: Mateusz Starzyk --- include/mbedtls/ecdh.h | 4 ++-- include/mbedtls/ecdsa.h | 1 + include/mbedtls/entropy.h | 2 +- include/mbedtls/ssl.h | 6 +++--- include/mbedtls/ssl_cookie.h | 2 +- include/psa/crypto_platform.h | 3 ++- setup_and_run_MBEDTLS_PRIVATE.sh | 21 +++++++++++++++++++++ 7 files changed, 31 insertions(+), 8 deletions(-) diff --git a/include/mbedtls/ecdh.h b/include/mbedtls/ecdh.h index 807c88420..2a0980b39 100644 --- a/include/mbedtls/ecdh.h +++ b/include/mbedtls/ecdh.h @@ -134,8 +134,8 @@ typedef struct mbedtls_ecdh_context mbedtls_ecp_point MBEDTLS_PRIVATE(Vf); /*!< The unblinding value. */ mbedtls_mpi MBEDTLS_PRIVATE(_d); /*!< The previous \p d. */ #if defined(MBEDTLS_ECP_RESTARTABLE) - int restart_enabled; /*!< The flag for restartable mode. */ - mbedtls_ecp_restart_ctx rs; /*!< The restart context for EC computations. */ + int MBEDTLS_PRIVATE(restart_enabled); /*!< The flag for restartable mode. */ + mbedtls_ecp_restart_ctx MBEDTLS_PRIVATE(rs); /*!< The restart context for EC computations. */ #endif /* MBEDTLS_ECP_RESTARTABLE */ #else uint8_t MBEDTLS_PRIVATE(point_format); /*!< The format of point export in TLS messages diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h index cf063a0b5..735d37764 100644 --- a/include/mbedtls/ecdsa.h +++ b/include/mbedtls/ecdsa.h @@ -29,6 +29,7 @@ #ifndef MBEDTLS_ECDSA_H #define MBEDTLS_ECDSA_H +#include "mbedtls/private_access.h" #if !defined(MBEDTLS_CONFIG_FILE) #include "mbedtls/config.h" diff --git a/include/mbedtls/entropy.h b/include/mbedtls/entropy.h index d707bddf0..78591e765 100644 --- a/include/mbedtls/entropy.h +++ b/include/mbedtls/entropy.h @@ -124,7 +124,7 @@ typedef struct mbedtls_entropy_context #if defined(MBEDTLS_ENTROPY_SHA512_ACCUMULATOR) mbedtls_sha512_context MBEDTLS_PRIVATE(accumulator); #else - mbedtls_sha256_context accumulator; + mbedtls_sha256_context MBEDTLS_PRIVATE(accumulator); #endif int MBEDTLS_PRIVATE(source_count); /* Number of entries used in source. */ mbedtls_entropy_source_state MBEDTLS_PRIVATE(source)[MBEDTLS_ENTROPY_MAX_SOURCES]; diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2dda6ad45..b6b9c8ca1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -940,9 +940,9 @@ struct mbedtls_ssl_session #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ /*! The digest of the peer's end-CRT. This must be kept to detect CRT * changes during renegotiation, mitigating the triple handshake attack. */ - unsigned char *peer_cert_digest; - size_t peer_cert_digest_len; - mbedtls_md_type_t peer_cert_digest_type; + unsigned char *MBEDTLS_PRIVATE(peer_cert_digest); + size_t MBEDTLS_PRIVATE(peer_cert_digest_len); + mbedtls_md_type_t MBEDTLS_PRIVATE(peer_cert_digest_type); #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ uint32_t MBEDTLS_PRIVATE(verify_result); /*!< verification result */ diff --git a/include/mbedtls/ssl_cookie.h b/include/mbedtls/ssl_cookie.h index 6806dbddd..c4f042c80 100644 --- a/include/mbedtls/ssl_cookie.h +++ b/include/mbedtls/ssl_cookie.h @@ -59,7 +59,7 @@ typedef struct mbedtls_ssl_cookie_ctx { mbedtls_md_context_t MBEDTLS_PRIVATE(hmac_ctx); /*!< context for the HMAC portion */ #if !defined(MBEDTLS_HAVE_TIME) - unsigned long serial; /*!< serial number for expiration */ + unsigned long MBEDTLS_PRIVATE(serial); /*!< serial number for expiration */ #endif unsigned long MBEDTLS_PRIVATE(timeout); /*!< timeout delay, in seconds if HAVE_TIME, or in number of tickets issued */ diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 8acf22c7f..d60b7732f 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -32,6 +32,7 @@ #ifndef PSA_CRYPTO_PLATFORM_H #define PSA_CRYPTO_PLATFORM_H +#include "mbedtls/private_access.h" /* Include the Mbed TLS configuration file, the way Mbed TLS does it * in each of its header files. */ @@ -92,7 +93,7 @@ static inline int mbedtls_key_owner_id_equal( mbedtls_key_owner_id_t id1, * are expected to replace it with a custom definition. */ typedef struct { - uintptr_t opaque[2]; + uintptr_t MBEDTLS_PRIVATE(opaque)[2]; } mbedtls_psa_external_random_context_t; #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ diff --git a/setup_and_run_MBEDTLS_PRIVATE.sh b/setup_and_run_MBEDTLS_PRIVATE.sh index 9a0e59979..aaf0a1cf5 100755 --- a/setup_and_run_MBEDTLS_PRIVATE.sh +++ b/setup_and_run_MBEDTLS_PRIVATE.sh @@ -8,3 +8,24 @@ doxygen mbedtls.doxyfile cd .. python3 apply_MBEDTLS_PRIVATE.py git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile + +make clean +sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile +scripts/config.py set MBEDTLS_ECP_RESTARTABLE +scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +scripts/config.py unset MBEDTLS_HAVE_TIME +cd doxygen +doxygen mbedtls.doxyfile +cd .. +python3 apply_MBEDTLS_PRIVATE.py +git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile + +make clean +sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile +scripts/config.py realfull +cd doxygen +doxygen mbedtls.doxyfile +cd .. +python3 apply_MBEDTLS_PRIVATE.py +git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile + From 8fc95a06a6b7695f1e2e04cacff49643ee109f63 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 11:28:24 +0200 Subject: [PATCH 20/22] Wrap variable missed by the python script. Signed-off-by: Mateusz Starzyk --- include/mbedtls/timing.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/timing.h b/include/mbedtls/timing.h index 9a8b1e011..7669bb9b3 100644 --- a/include/mbedtls/timing.h +++ b/include/mbedtls/timing.h @@ -52,7 +52,7 @@ struct mbedtls_timing_hr_time */ typedef struct mbedtls_timing_delay_context { - struct mbedtls_timing_hr_time timer; + struct mbedtls_timing_hr_time MBEDTLS_PRIVATE(timer); uint32_t MBEDTLS_PRIVATE(int_ms); uint32_t MBEDTLS_PRIVATE(fin_ms); } mbedtls_timing_delay_context; From a74295fb526f3d6ac1468e6ef46212200db80418 Mon Sep 17 00:00:00 2001 From: Mateusz Starzyk Date: Mon, 7 Jun 2021 11:30:55 +0200 Subject: [PATCH 21/22] Remove outdated note about direct manipulation of private members. Signed-off-by: Mateusz Starzyk --- include/mbedtls/rsa.h | 4 ---- 1 file changed, 4 deletions(-) diff --git a/include/mbedtls/rsa.h b/include/mbedtls/rsa.h index 08db213f4..d3b695ea1 100644 --- a/include/mbedtls/rsa.h +++ b/include/mbedtls/rsa.h @@ -82,10 +82,6 @@ extern "C" { /** * \brief The RSA context structure. - * - * \note Direct manipulation of the members of this structure - * is deprecated. All manipulation should instead be done through - * the public interface functions. */ typedef struct mbedtls_rsa_context { From a90e0907c51241556e07c83b581903302b617c13 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 14 Jun 2021 15:46:35 +0200 Subject: [PATCH 22/22] Remove scripts automating wrapping structs members with MBEDTLS_PRIVATE. Signed-off-by: Ronald Cron --- apply_MBEDTLS_PRIVATE.py | 106 ------------------------------- setup_and_run_MBEDTLS_PRIVATE.sh | 31 --------- 2 files changed, 137 deletions(-) delete mode 100644 apply_MBEDTLS_PRIVATE.py delete mode 100755 setup_and_run_MBEDTLS_PRIVATE.sh diff --git a/apply_MBEDTLS_PRIVATE.py b/apply_MBEDTLS_PRIVATE.py deleted file mode 100644 index d2bc7c06a..000000000 --- a/apply_MBEDTLS_PRIVATE.py +++ /dev/null @@ -1,106 +0,0 @@ -import re -import fileinput -import glob -import pprint -import os -import xml.etree.ElementTree as ET - - -# Create dictionary with following structre -# files_to_visit = { -# "filepath1" : { "variable_name1": (1, 2, 40, 61), # line numbers -# "variable_name2": (60, 64), -# }, -# "filepath2" : { "variable_name1": (1, 2, 40, 61), # line numbers -# "variable_name2": (60, 64), -# }, ... -# } -files_to_visit = {} - -# find xml models for structs parsed by doxygen -struct_files = glob.glob("apidoc/xml/structmbedtls*.xml") + glob.glob("apidoc/xml/structpsa*.xml") - -for struct_file in struct_files: - # get all variables from currently processed struct - struct_file_tree = ET.parse(struct_file) - all_struct_members_definitions = struct_file_tree.getroot().findall(".//memberdef[@kind='variable']") - - for struct_member_def in all_struct_members_definitions: - # get unique id by which this variable is referenced - member_id = struct_member_def.attrib["id"] - # find file path for this variable's definition - location = struct_member_def.find("location") - file_path = location.attrib["file"] - # get variable name - variable_name = struct_member_def.find("name").text - # if file path is not yet in dictionary, create empty sub-dictionary to initialize - if file_path not in files_to_visit: - files_to_visit[file_path] = {} - # if variable is not yet in this file's dictionary, create empty set to initialize - if variable_name not in files_to_visit[file_path]: - files_to_visit[file_path][variable_name] = set() - - # add variable's definition line number - files_to_visit[file_path][variable_name].add(int(location.attrib["line"])) - - # check where the variable was referenced - references = struct_member_def.findall("referencedby") - for reference in references: - refid = reference.attrib["refid"] - # assuming that compound name is related to header's xml file - header_file_xml = "apidoc/xml/" + reference.attrib["compoundref"] + ".xml" - header_file_tree = ET.parse(header_file_xml) - # check if this reference is created by static inline function - static_inline_function_definition = header_file_tree.getroot().find(f".//memberdef[@id='{refid}'][@kind='function'][@static='yes'][@inline='yes']") - if static_inline_function_definition: - static_inline_function_file_path = static_inline_function_definition.find("location").attrib["file"] - # if file path not yet in dictionary, create empty sub-dictionary to initialize. - # This could happen if reference is inside header file which was not yet processed in search for variable definitions - if static_inline_function_file_path not in files_to_visit: - files_to_visit[static_inline_function_file_path] = {} - # if variable is not yet in this file's dictionary, create empty set to initialize - if variable_name not in files_to_visit[static_inline_function_file_path]: - files_to_visit[static_inline_function_file_path][variable_name] = set() - # function block scope - function_lines_from = int(reference.attrib["startline"]) - function_lines_to = int(reference.attrib["endline"]) - # find codelines referencing currently processed variable. This is using the code listing inside header's xml model. - codelines_xml = header_file_tree.getroot().findall(f".//ref[@refid='{member_id}']/../..") - # filter by function's scope - codelines = [int(line.attrib["lineno"]) for line in codelines_xml if int(line.attrib["lineno"]) >= function_lines_from and int(line.attrib["lineno"]) <= function_lines_to] - # add lines referencing currently processed variable - files_to_visit[static_inline_function_file_path][variable_name].update(codelines) - -pp = pprint.PrettyPrinter(indent=4) -pp.pprint(files_to_visit) - -mbedtls_private_access_include = "#include \"mbedtls/private_access.h\"" - -for file_path, variables in files_to_visit.items(): - # check if this file has "mbedtls/private_access.h" include - file_has_private_access_include = False - with open(file_path, 'r') as file: - for line in file: - if mbedtls_private_access_include in line: - file_has_private_access_include = True - break - - # FileInput redirects stdout to to 'file', so every print in this block will be put inside 'file' - with fileinput.FileInput(file_path, inplace=True) as file: - output_line_number = 1 - # compile regex matching the header's include guard. - re_include_guard = re.compile(r"^#define.*{name}$".format(name=os.path.basename(file_path).replace('.','_').upper())) - for line in file: - insert_private_access_include = False - if re_include_guard.match(line): - insert_private_access_include = not file_has_private_access_include - # every line in file is checked against variables and lines in which they occur - for variable, var_lines in variables.items(): - for var_line in var_lines: - # wrap variable with MBEDTLS_PRIVATE(...) macro - if output_line_number == var_line: - line = re.sub(r"(^.*?\W+)((?!MBEDTLS_PRIVATE\(){var})(\W+.*$)".format(var=variable), r"\1MBEDTLS_PRIVATE(\2)\3", line) - output_line_number += 1 - print(line, end='') # fileinput redirects stdout to the target file - if insert_private_access_include: - print("#include \"mbedtls/private_access.h\"") diff --git a/setup_and_run_MBEDTLS_PRIVATE.sh b/setup_and_run_MBEDTLS_PRIVATE.sh deleted file mode 100755 index aaf0a1cf5..000000000 --- a/setup_and_run_MBEDTLS_PRIVATE.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/sh - -make clean -sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile -scripts/config.py full -cd doxygen -doxygen mbedtls.doxyfile -cd .. -python3 apply_MBEDTLS_PRIVATE.py -git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile - -make clean -sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile -scripts/config.py set MBEDTLS_ECP_RESTARTABLE -scripts/config.py unset MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -scripts/config.py unset MBEDTLS_HAVE_TIME -cd doxygen -doxygen mbedtls.doxyfile -cd .. -python3 apply_MBEDTLS_PRIVATE.py -git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile - -make clean -sed -i 's/GENERATE_XML = NO/GENERATE_XML = YES/g' doxygen/mbedtls.doxyfile -scripts/config.py realfull -cd doxygen -doxygen mbedtls.doxyfile -cd .. -python3 apply_MBEDTLS_PRIVATE.py -git checkout include/mbedtls/config.h doxygen/mbedtls.doxyfile -