From 9cb63ab0e4b525c8d067ea94d7e4302203ba835a Mon Sep 17 00:00:00 2001
From: Arto Kinnunen <arto.kinnunen@arm.com>
Date: Fri, 3 Apr 2020 14:51:33 +0300
Subject: [PATCH] Squashed 'features/nanostack/coap-service/' changes from
 e5e0c138e6..5aa54b8e62

5aa54b8e62 Merge pull request #127 from ARMmbed/sync_with_mbedos
6fe78412d2 Follow Mbed OS coding style
2b708be451 trace group defiined for shared_rng
d4c2caca41 more error handling added for ctr and hmac
cace1e9c22 Added missing optimizations based on mbedtls/baremetal.h config
2cc7442ba5 Added new global rng, needed for MbedTLS optimisations
f861157576 Prepare for upcoming MbedTLS changes

git-subtree-dir: features/nanostack/coap-service
git-subtree-split: 5aa54b8e622ec2b44bdf323cc02bd1cfc5ffd904
---
 source/coap_security_handler.c                | 65 +++++++++++++++++--
 .../coap-service/unittest/stub/mbedtls_stub.c | 32 +++++++++
 .../coap-service/unittest/stub/mbedtls_stub.h |  2 +
 3 files changed, 93 insertions(+), 6 deletions(-)

diff --git a/source/coap_security_handler.c b/source/coap_security_handler.c
index 1fbe3ffc86..5afd2abf02 100644
--- a/source/coap_security_handler.c
+++ b/source/coap_security_handler.c
@@ -30,6 +30,7 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/entropy_poll.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/ssl_ciphersuites.h"
 
 #include "ns_trace.h"
@@ -41,7 +42,20 @@ struct coap_security_s {
     mbedtls_ssl_config          _conf;
     mbedtls_ssl_context         _ssl;
 
-    mbedtls_ctr_drbg_context    _ctr_drbg;
+#if defined(MBEDTLS_CTR_DRBG_C)
+    mbedtls_ctr_drbg_context    _drbg;
+#define DRBG_INIT mbedtls_ctr_drbg_init
+#define DRBG_RANDOM mbedtls_ctr_drbg_random
+#define DRBG_FREE mbedtls_ctr_drbg_free
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    mbedtls_hmac_drbg_context   _drbg;
+#define DRBG_INIT mbedtls_hmac_drbg_init
+#define DRBG_RANDOM mbedtls_hmac_drbg_random
+#define DRBG_FREE mbedtls_hmac_drbg_free
+#else
+#error "CTR or HMAC must be defined for coap_security_handler!"
+#endif
+
     mbedtls_entropy_context     _entropy;
     bool                        _is_started;
     simple_cookie_t             _cookie;
@@ -68,6 +82,7 @@ struct coap_security_s {
 
 };
 
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 const int ECJPAKE_SUITES[] = {
     MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8,
@@ -75,12 +90,15 @@ const int ECJPAKE_SUITES[] = {
 };
 #endif
 
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 static const int PSK_SUITES[] = {
     MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256,
     MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8,
     MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8,
     0
 };
+#endif /* defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) */
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 
 #define TRACE_GROUP "CsSh"
 
@@ -110,7 +128,7 @@ static int coap_security_handler_init(coap_security_t *sec)
 
     mbedtls_ssl_init(&sec->_ssl);
     mbedtls_ssl_config_init(&sec->_conf);
-    mbedtls_ctr_drbg_init(&sec->_ctr_drbg);
+    DRBG_INIT(&sec->_drbg);
     mbedtls_entropy_init(&sec->_entropy);
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
@@ -128,12 +146,22 @@ static int coap_security_handler_init(coap_security_t *sec)
                                    128, entropy_source_type) < 0) {
         return -1;
     }
-
-    if ((mbedtls_ctr_drbg_seed(&sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
+#if defined(MBEDTLS_CTR_DRBG_C)
+    if ((mbedtls_ctr_drbg_seed(&sec->_drbg, mbedtls_entropy_func, &sec->_entropy,
                                (const unsigned char *) pers,
                                strlen(pers))) != 0) {
         return -1;
     }
+#elif defined(MBEDTLS_HMAC_DRBG_C)
+    if ((mbedtls_hmac_drbg_seed(&sec->_drbg, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
+                                mbedtls_entropy_func, &sec->_entropy,
+                                (const unsigned char *) pers,
+                                strlen(pers))) != 0) {
+        return -1;
+    }
+#else
+#error "CTR or HMAC must be defined for coap_security_handler!"
+#endif
     return 0;
 }
 
@@ -156,7 +184,9 @@ static void coap_security_handler_reset(coap_security_t *sec)
 #endif
 
     mbedtls_entropy_free(&sec->_entropy);
-    mbedtls_ctr_drbg_free(&sec->_ctr_drbg);
+
+    DRBG_FREE(&sec->_drbg);
+
     mbedtls_ssl_config_free(&sec->_conf);
     mbedtls_ssl_free(&sec->_ssl);
 #if defined(MBEDTLS_PLATFORM_C)
@@ -332,7 +362,9 @@ static int coap_security_handler_configure_keys(coap_security_t *sec, coap_secur
             if (0 != mbedtls_ssl_conf_psk(&sec->_conf, keys._priv_key, keys._priv_key_len, keys._cert, keys._cert_len)) {
                 break;
             }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             mbedtls_ssl_conf_ciphersuites(&sec->_conf, PSK_SUITES);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
             ret = 0;
 #endif
             break;
@@ -342,7 +374,9 @@ static int coap_security_handler_configure_keys(coap_security_t *sec, coap_secur
             if (mbedtls_ssl_set_hs_ecjpake_password(&sec->_ssl, keys._key, keys._key_len) != 0) {
                 return -1;
             }
+#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
             mbedtls_ssl_conf_ciphersuites(&sec->_conf, ECJPAKE_SUITES);
+#endif /* !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE) */
 
             //NOTE: If thread starts supporting PSK in other modes, then this will be needed!
             mbedtls_ssl_conf_export_keys_cb(&sec->_conf,
@@ -388,17 +422,31 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
         mbedtls_ssl_conf_handshake_timeout(&sec->_conf, timeout_min, timeout_max);
     }
 
-    mbedtls_ssl_conf_rng(&sec->_conf, mbedtls_ctr_drbg_random, &sec->_ctr_drbg);
+#if !defined(MBEDTLS_SSL_CONF_RNG)
+    mbedtls_ssl_conf_rng(&sec->_conf, DRBG_RANDOM, &sec->_drbg);
+#endif
 
     if ((mbedtls_ssl_setup(&sec->_ssl, &sec->_conf)) != 0) {
         return -1;
     }
 
+    // Defines MBEDTLS_SSL_CONF_RECV/SEND/RECV_TIMEOUT define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_bio_ctx and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT)
     mbedtls_ssl_set_bio(&sec->_ssl, sec,
                         f_send, f_recv, NULL);
+#else
+    mbedtls_ssl_set_bio_ctx(&sec->_ssl, sec);
+#endif /* !defined(MBEDTLS_SSL_CONF_RECV) && !defined(MBEDTLS_SSL_CONF_SEND) && !defined(MBEDTLS_SSL_CONF_RECV_TIMEOUT) */
 
+    // Defines MBEDTLS_SSL_CONF_SET_TIMER/GET_TIMER define global functions which should be the same for all
+    // callers of mbedtls_ssl_set_timer_cb and there should be only one ssl context. If these rules don't apply,
+    // these defines can't be used.
+#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER)
     mbedtls_ssl_set_timer_cb(&sec->_ssl, sec, set_timer,
                              get_timer);
+#endif /* !defined(MBEDTLS_SSL_CONF_SET_TIMER) && !defined(MBEDTLS_SSL_CONF_GET_TIMER) */
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
     //TODO: Figure out better way!!!
@@ -420,8 +468,13 @@ int coap_security_handler_connect_non_blocking(coap_security_t *sec, bool is_ser
                                   &sec->_cookie);
 #endif
 
+#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
     mbedtls_ssl_conf_min_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) */
+
+#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
     mbedtls_ssl_conf_max_version(&sec->_conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
+#endif /* !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) */
 
     sec->_is_started = true;
 
diff --git a/test/coap-service/unittest/stub/mbedtls_stub.c b/test/coap-service/unittest/stub/mbedtls_stub.c
index e607acd4d3..403ae9a57a 100644
--- a/test/coap-service/unittest/stub/mbedtls_stub.c
+++ b/test/coap-service/unittest/stub/mbedtls_stub.c
@@ -248,6 +248,38 @@ int mbedtls_ctr_drbg_random(void *p_rng,
     return mbedtls_stub.crt_expected_int;
 }
 
+// from hmac_drbg.h
+void mbedtls_hmac_drbg_init(mbedtls_hmac_drbg_context *ctx)
+{
+
+}
+
+void mbedtls_hmac_drbg_free(mbedtls_hmac_drbg_context *ctx)
+{
+
+}
+
+int mbedtls_hmac_drbg_seed(mbedtls_hmac_drbg_context *ctx,
+                           const mbedtls_md_info_t *md_info,
+                           int (*f_entropy)(void *, unsigned char *, size_t),
+                           void *p_entropy,
+                           const unsigned char *custom,
+                           size_t len)
+{
+    return mbedtls_stub.crt_expected_int;
+}
+
+int mbedtls_hmac_drbg_random(void *p_rng, unsigned char *output, size_t out_len)
+{
+    return mbedtls_stub.crt_expected_int;
+}
+
+// from md.h
+const mbedtls_md_info_t *mbedtls_md_info_from_type(mbedtls_md_type_t md_type)
+{
+    return 0;
+}
+
 //From x509_crt.h
 void mbedtls_x509_crt_init(mbedtls_x509_crt *a)
 {
diff --git a/test/coap-service/unittest/stub/mbedtls_stub.h b/test/coap-service/unittest/stub/mbedtls_stub.h
index 2ad72cb939..1910f9c5f2 100644
--- a/test/coap-service/unittest/stub/mbedtls_stub.h
+++ b/test/coap-service/unittest/stub/mbedtls_stub.h
@@ -24,11 +24,13 @@
 #include "mbedtls/platform.h"
 #include "mbedtls/ssl.h"
 #include "mbedtls/ctr_drbg.h"
+#include "mbedtls/hmac_drbg.h"
 #include "mbedtls/x509_crt.h"
 #include "mbedtls/sha256.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/pk.h"
 #include "mbedtls/platform.h"
+#include "mbedtls/md.h"
 
 
 #define HANDSHAKE_FINISHED_VALUE 8888