From 76a0c10be8b8a612a07991a8754b7a8871b075ca Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 27 Jun 2024 11:13:01 -0600 Subject: [PATCH] boot: Fix ASN.1 for mbedtls >= 3.1 In Mbed TLS 3.1, the private fields in the ASN.1 structure were made private. This breaks code that accesses these private macros. Fix this by changing the ASN.1 specific code to use a new field accessor `ASN1_CONTEXT_MEMBER` that will be conditionally defined based on the version of Mbed TLS that is present. [david.brown: Cherry-picked from upsteam: 1d79ef35ee560e24da981d13c9414de9947b07a2] Signed-off-by: David Brown --- boot/bootutil/include/bootutil/crypto/common.h | 9 +++++++++ boot/bootutil/include/bootutil/crypto/ecdsa.h | 16 ++++++++-------- boot/bootutil/src/encrypted.c | 12 ++++++------ boot/bootutil/src/image_ed25519.c | 4 ++-- 4 files changed, 25 insertions(+), 16 deletions(-) diff --git a/boot/bootutil/include/bootutil/crypto/common.h b/boot/bootutil/include/bootutil/crypto/common.h index c765fe1f3..1fb5c5835 100644 --- a/boot/bootutil/include/bootutil/crypto/common.h +++ b/boot/bootutil/include/bootutil/crypto/common.h @@ -17,4 +17,13 @@ #define MBEDTLS_CONTEXT_MEMBER(X) X #endif +/* Newer versions of Mbed TLS have removed the private accessor requirement for + * the ASN1 fields. + */ +#if (MBEDTLS_VERSION_NUMBER >= 0x03000000) && (MBEDTLS_VERSION_NUMBER < 0x03010000) +#define ASN1_CONTEXT_MEMBER(X) MBEDTLS_PRIVATE(X) +#else +#define ASN1_CONTEXT_MEMBER(X) X +#endif + #endif /* __BOOTUTIL_CRYPTO_COMMON_H__ */ diff --git a/boot/bootutil/include/bootutil/crypto/ecdsa.h b/boot/bootutil/include/bootutil/crypto/ecdsa.h index 5a87f736b..3b0541072 100644 --- a/boot/bootutil/include/bootutil/crypto/ecdsa.h +++ b/boot/bootutil/include/bootutil/crypto/ecdsa.h @@ -102,13 +102,13 @@ static int bootutil_import_key(uint8_t **cp, uint8_t *end) return -2; } /* id-ecPublicKey (RFC5480) */ - if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { + if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || + memcmp(alg.ASN1_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { return -3; } /* namedCurve (RFC5480) */ - if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 || - memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { + if (param.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 || + memcmp(param.ASN1_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { return -4; } /* ECPoint (RFC5480) */ @@ -512,12 +512,12 @@ static int bootutil_parse_eckey(bootutil_ecdsa_context *ctx, uint8_t **p, uint8_ if (mbedtls_asn1_get_alg(p, end, &alg, ¶m)) { return -2; } - if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { + if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || + memcmp(alg.ASN1_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { return -3; } - if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1|| - memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { + if (param.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1|| + memcmp(param.ASN1_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { return -4; } diff --git a/boot/bootutil/src/encrypted.c b/boot/bootutil/src/encrypted.c index 4082611c4..fee30ddee 100644 --- a/boot/bootutil/src/encrypted.c +++ b/boot/bootutil/src/encrypted.c @@ -126,12 +126,12 @@ parse_ec256_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key) return -5; } - if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { + if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || + memcmp(alg.ASN1_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { return -6; } - if (param.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 || - memcmp(param.MBEDTLS_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { + if (param.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_secp256r1_oid) - 1 || + memcmp(param.ASN1_CONTEXT_MEMBER(p), ec_secp256r1_oid, sizeof(ec_secp256r1_oid) - 1)) { return -7; } @@ -203,8 +203,8 @@ parse_x25519_enckey(uint8_t **p, uint8_t *end, uint8_t *private_key) return -4; } - if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || - memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { + if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ec_pubkey_oid) - 1 || + memcmp(alg.ASN1_CONTEXT_MEMBER(p), ec_pubkey_oid, sizeof(ec_pubkey_oid) - 1)) { return -5; } diff --git a/boot/bootutil/src/image_ed25519.c b/boot/bootutil/src/image_ed25519.c index c51fea494..7a597d4c0 100644 --- a/boot/bootutil/src/image_ed25519.c +++ b/boot/bootutil/src/image_ed25519.c @@ -45,8 +45,8 @@ bootutil_import_key(uint8_t **cp, uint8_t *end) return -2; } - if (alg.MBEDTLS_CONTEXT_MEMBER(len) != sizeof(ed25519_pubkey_oid) - 1 || - memcmp(alg.MBEDTLS_CONTEXT_MEMBER(p), ed25519_pubkey_oid, sizeof(ed25519_pubkey_oid) - 1)) { + if (alg.ASN1_CONTEXT_MEMBER(len) != sizeof(ed25519_pubkey_oid) - 1 || + memcmp(alg.ASN1_CONTEXT_MEMBER(p), ed25519_pubkey_oid, sizeof(ed25519_pubkey_oid) - 1)) { return -3; }