Upgrade mbedTLS to v3.5.0

.github/workflows/build.yml

@@ -32,6 +32,8 @@ jobs:
           - args: "CLOUD=1"
           # cloud on (tcp on, ipv4 on), debug on
           - args: "CLOUD=1 DEBUG=1"
+          # cloud on (tcp on, ipv4 on), debug on, mbedTLS v3.5.0
+          - args: "CLOUD=1 DEBUG=1 MBEDTLS_FORCE_3_5_0=1"
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
@@ -104,7 +106,7 @@ jobs:
           ./esp-idf/install.sh
           . ./esp-idf/export.sh
           idf.py ${{ matrix.args }} set-target esp32
-          ( cd esp-idf/components/mbedtls/mbedtls && patch -p1 < ../../../../../../patches/01-ocf-x509san-anon-psk.patch)
-          ( cd esp-idf/components/mbedtls/mbedtls && patch -p1 < ../../../../patches/mbedtls/02-ocf-mbedtls-config.patch)
+          ( cd esp-idf/components/mbedtls/mbedtls && patch -p1 < ../../../../../../patches/mbedtls/3.1/01-ocf-x509san-anon-psk.patch)
+          ( cd esp-idf/components/mbedtls/mbedtls && patch -p1 < ../../../../patches/mbedtls/3.1/02-ocf-mbedtls-config.patch)
           ( cd esp-idf/components/lwip/lwip && find ../../../../patches/lwip/ -type f -name '*.patch' -exec patch -p1 -i {} \; )
           idf.py build

.github/workflows/cmake-linux.yml

@@ -63,7 +63,7 @@ jobs:
           # debug on
           - args: "-DOC_DEBUG_ENABLED=ON"
           # debug on, cloud on (ipv4+tcp on)
-          - args: "-DOC_CLOUD_ENABLED=ON -DOC_DEBUG_ENABLED=ON "
+          - args: "-DOC_CLOUD_ENABLED=ON -DOC_DEBUG_ENABLED=ON"
           # secure off, tcp on
           - args: "-DOC_SECURITY_ENABLED=OFF -DOC_TCP_ENABLED=ON"
           # secure off, ipv4 on, tcp on
@@ -81,6 +81,22 @@ jobs:
       install_mbedtls: ${{ github.event_name == 'workflow_dispatch' && inputs.install_mbedtls }}
       install_tinycbor: ${{ github.event_name == 'workflow_dispatch' && inputs.install_tinycbor }}
 
+  cmake_linux_mbedtls3_5_0:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          # debug on, cloud on (ipv4+tcp on), collections create on
+          - args: "-DOC_DEBUG_ENABLED=ON -DOC_CLOUD_ENABLED=ON -DOC_COLLECTIONS_IF_CREATE_ENABLED=ON"
+    uses: ./.github/workflows/unit-test-with-cfg.yml
+    with:
+      build_args: -DOC_LOG_MAXIMUM_LOG_LEVEL=INFO -DOC_WKCORE_ENABLED=ON -DOC_SOFTWARE_UPDATE_ENABLED=ON -DOC_MNT_ENABLED=ON -DOC_DISCOVERY_RESOURCE_OBSERVABLE_ENABLED=ON -DOC_PUSH_ENABLED=ON -DPLGD_DEV_TIME_ENABLED=ON -DOC_ETAG_ENABLED=ON -DBUILD_MBEDTLS_FORCE_3_5_0=ON ${{ matrix.args }}
+      build_type: ${{ (github.event_name == 'workflow_dispatch' && inputs.build_type) || 'Debug' }}
+      clang: ${{ github.event_name == 'workflow_dispatch' && inputs.clang }}
+      coverage: false
+      install_mbedtls: ${{ github.event_name == 'workflow_dispatch' && inputs.install_mbedtls }}
+      install_tinycbor: ${{ github.event_name == 'workflow_dispatch' && inputs.install_tinycbor }}
+
   cmake_linux_preinstalled:
     uses: ./.github/workflows/unit-test-with-cfg.yml
     with:

CMakeLists.txt

@@ -21,10 +21,15 @@ endif()
 ######## Build configuration options ########
 set(BUILD_EXAMPLE_APPLICATIONS ON CACHE BOOL "Build example applications.")
 set(BUILD_MBEDTLS ON CACHE BOOL "Build Mbed TLS library. When set to OFF, the Mbed TLS library with the OCF patches has to be provided.")
+set(BUILD_MBEDTLS_FORCE_3_5_0 OFF CACHE BOOL "Force v3.5.0 of the MbedTLS library to be used (by default v3.1.0 is used by master)")
 set(OC_INSTALL_MBEDTLS ON CACHE BOOL "Include Mbed TLS in installation")
 set(BUILD_TINYCBOR ON CACHE BOOL "Build TinyCBOR library. When set to OFF, the TinyCBOR library has to be provided.")
 set(OC_INSTALL_TINYCBOR ON CACHE BOOL "Include TinyCBOR in installation")
 
+if(NOT BUILD_MBEDTLS_FORCE_3_5_0)
+    message(WARNING "MbedTLS v3.1.0 is deprecated and support will be removed in a future release")
+endif()
+
 set(OC_DYNAMIC_ALLOCATION_ENABLED ON CACHE BOOL "Enable dynamic memory allocation within the OCF stack and Mbed TLS.")
 set(OC_SECURITY_ENABLED ON CACHE BOOL "Enable security.")
 if (OC_SECURITY_ENABLED)
@@ -222,6 +227,14 @@ elseif(OC_COMPILER_IS_GCC OR OC_COMPILER_IS_CLANG)
         CFLAGS -Wmissing-prototypes -Wstrict-prototypes
     )
 
+    # ignore issues in mbedTLS test and utility code
+    if(BUILD_MBEDTLS AND (ENABLE_TESTING OR ENABLE_PROGRAMS))
+        oc_add_compile_options(GLOBAL
+            FLAGS -Wno-error=missing-declarations
+            CFLAGS -Wno-error=missing-prototypes
+        )
+    endif()
+
     if(NOT OC_CLANG_TIDY_ENABLED)
         oc_add_compile_options(GLOBAL
             CXXFLAGS -Wuseless-cast -Wno-error=useless-cast
@@ -261,34 +274,33 @@ if(BUILD_MBEDTLS)
     set(MBEDTLS_COMPILE_DEFINITIONS "__OC_PLATFORM")
 endif()
 
-set(OC_LOG_MAXIMUM_LEVEL)
+set(OC_LOG_MAXIMUM_LOG_LEVEL_INT)
 if(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "DISABLED")
-    set(OC_LOG_MAXIMUM_LEVEL -1)
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=-1")
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT -1)
 elseif(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "ERROR")
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=3")
-    set(OC_LOG_MAXIMUM_LEVEL 3)
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT 3)
 elseif(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "WARNING")
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=4")
-    set(OC_LOG_MAXIMUM_LEVEL 4)
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT 4)
 elseif(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "NOTICE")
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=5")
-    set(OC_LOG_MAXIMUM_LEVEL 5)
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT 5)
 elseif(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "INFO")
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=6")
-    set(OC_LOG_MAXIMUM_LEVEL 6)
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT 6)
 elseif(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "DEBUG")
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=7")
-    set(OC_LOG_MAXIMUM_LEVEL 7)
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT 7)
 elseif(OC_LOG_MAXIMUM_LOG_LEVEL STREQUAL "TRACE")
-    # list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=8")
-    set(OC_LOG_MAXIMUM_LEVEL 8)
+    set(OC_LOG_MAXIMUM_LOG_LEVEL_INT 8)
 else()
     message(FATAL_ERROR "Invalid OC_LOG_MAXIMUM_LOG_LEVEL: ${OC_LOG_MAXIMUM_LOG_LEVEL}")
 endif()
+
+set(OC_LOG_MAXIMUM_LEVEL ${OC_LOG_MAXIMUM_LOG_LEVEL_INT} CACHE INTERNAL "Maximum supported log level in compile time as integer.")
+
 # clang-tidy triggers bugprone-macro-parentheses if the value is not in ()
 list(APPEND PRIVATE_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=(${OC_LOG_MAXIMUM_LEVEL})")
 list(APPEND TEST_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=(${OC_LOG_MAXIMUM_LEVEL})")
+if(BUILD_MBEDTLS)
+    list(APPEND MBEDTLS_COMPILE_DEFINITIONS "OC_LOG_MAXIMUM_LEVEL=(${OC_LOG_MAXIMUM_LEVEL})")
+endif()
 
 if(OC_PUSH_ENABLED)
     list(APPEND PUBLIC_COMPILE_DEFINITIONS "OC_PUSH")

api/oc_rep.c

@@ -93,9 +93,6 @@ oc_rep_t *
 oc_alloc_rep(void)
 {
   oc_rep_t *rep = (oc_rep_t *)oc_memb_alloc(g_rep_objects);
-#ifdef OC_DEBUG
-  oc_assert(rep != NULL);
-#endif
   if (rep == NULL) {
     return NULL;
   }

api/oc_storage.c

@@ -168,7 +168,7 @@ storage_print_data(const uint8_t *buf, size_t size)
   oc_rep_to_json(result.rep, json, json_size + 1, true);
 #else  /* !OC_DYNAMIC_ALLOCATION */
   char json[4096] = { 0 };
-  oc_rep_to_json(rep, json, OC_ARRAY_SIZE(json), true);
+  oc_rep_to_json(result.rep, json, OC_ARRAY_SIZE(json), true);
 #endif /* OC_DYNAMIC_ALLOCATION */
   OC_DBG("payload %s", json);
 #ifdef OC_DYNAMIC_ALLOCATION

api/oc_tcp.c

@@ -90,6 +90,11 @@ bool
 oc_tcp_is_valid_header(const uint8_t *data, size_t data_size, bool is_tls)
 {
 #ifdef OC_SECURITY
+#define SSL_MAJOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_1 (1)
+#define SSL_MINOR_VERSION_2 (2)
+#define SSL_MINOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_4 (4)
   if (is_tls) {
     if (data_size < 3) {
       OC_ERR("TLS header too short: %zu", data_size);
@@ -114,20 +119,20 @@ oc_tcp_is_valid_header(const uint8_t *data, size_t data_size, bool is_tls)
       OC_ERR("invalid record type: %d", type);
       return false;
     }
-    if (major_version != MBEDTLS_SSL_MAJOR_VERSION_3) {
+    if (major_version != SSL_MAJOR_VERSION_3) {
       OC_ERR("invalid major version: %d", major_version);
       return false;
     }
     if (
       // TLS 1.0 - some implementations doesn't set the minor version (eg
       // golang)
-      minor_version != 1 &&
+      minor_version != SSL_MINOR_VERSION_1 &&
       // TLS 1.1
-      minor_version != 2 &&
+      minor_version != SSL_MINOR_VERSION_2 &&
       // TLS 1.2
-      minor_version != MBEDTLS_SSL_MINOR_VERSION_3 &&
+      minor_version != SSL_MINOR_VERSION_3 &&
       // TLS 1.3
-      minor_version != MBEDTLS_SSL_MINOR_VERSION_4) {
+      minor_version != SSL_MINOR_VERSION_4) {
       OC_ERR("invalid minor version: %d", minor_version);
       return false;
     }

api/oc_udp.c

@@ -34,6 +34,11 @@ oc_udp_is_valid_message(oc_message_t *message)
 {
   assert(message != NULL);
 #ifdef OC_SECURITY
+#define SSL_MAJOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_1 (1)
+#define SSL_MINOR_VERSION_2 (2)
+#define SSL_MINOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_4 (4)
   if ((message->endpoint.flags & SECURED) != 0) {
     if (message->length < 3) {
       OC_ERR("invalid DTLS header length: %lu", (long unsigned)message->length);
@@ -47,21 +52,21 @@ oc_udp_is_valid_message(oc_message_t *message)
     uint8_t minor_version = 255 - message->data[2] + 1;
     OC_DBG("TLS header: record type: %d, major %d(%d), minor %d(%d)", type,
            major_version, message->data[1], minor_version, message->data[2]);
-    if (major_version != MBEDTLS_SSL_MAJOR_VERSION_3) {
+    if (major_version != SSL_MAJOR_VERSION_3) {
       OC_ERR("invalid major version: %d", major_version);
       // Invalid major version
       return false;
     }
     if (
       // TLS 1.0 - some implementations doesn't set the minor version (eg
       // golang)
-      minor_version != 1 &&
+      minor_version != SSL_MINOR_VERSION_1 &&
       // TLS 1.1
-      minor_version != 2 &&
+      minor_version != SSL_MINOR_VERSION_2 &&
       // TLS 1.2
-      minor_version != MBEDTLS_SSL_MINOR_VERSION_3 &&
+      minor_version != SSL_MINOR_VERSION_3 &&
       // TLS 1.3
-      minor_version != MBEDTLS_SSL_MINOR_VERSION_4) {
+      minor_version != SSL_MINOR_VERSION_4) {
       OC_ERR("invalid minor version: %d", minor_version);
       return false;
     }

api/unittest/tcptest.cpp

@@ -193,28 +193,32 @@ TEST_F(TCPMessage, ValidateHeader)
   ValidateHeader(false, false, { 0xff, 2, 3, 4 });
 
 #ifdef OC_SECURITY
+#define SSL_MAJOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_1 (1)
+#define SSL_MINOR_VERSION_2 (2)
+#define SSL_MINOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_4 (4)
   ValidateHeader(false, true, nullptr, 0);
-  ValidateHeader(true, true,
-                 { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3, 1 });
-  ValidateHeader(true, true,
-                 { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3, 2 });
-  ValidateHeader(true, true,
-                 { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3,
-                   MBEDTLS_SSL_MINOR_VERSION_3 });
-  ValidateHeader(true, true,
-                 { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3,
-                   MBEDTLS_SSL_MINOR_VERSION_4 });
   ValidateHeader(
-    false, true,
-    { MBEDTLS_SSL_MSG_HANDSHAKE, 0xff, MBEDTLS_SSL_MINOR_VERSION_3 });
+    true, true,
+    { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 });
   ValidateHeader(
-    false, true,
-    { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3, 0xff });
-  ValidateHeader(false, true,
-                 { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3 });
+    true, true,
+    { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2 });
+  ValidateHeader(
+    true, true,
+    { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3 });
   ValidateHeader(
-    false, true,
-    { 0xff, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3 });
+    true, true,
+    { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_4 });
+  ValidateHeader(false, true,
+                 { MBEDTLS_SSL_MSG_HANDSHAKE, 0xff, SSL_MINOR_VERSION_3 });
+  ValidateHeader(false, true,
+                 { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3, 0xff });
+  ValidateHeader(false, true,
+                 { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3 });
+  ValidateHeader(false, true,
+                 { 0xff, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3 });
 #endif /* OC_SECURITY */
 }
 
@@ -258,9 +262,10 @@ TEST_F(TCPMessage, GetTotalLength)
   ASSERT_EQ(0, mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT,
                                            MBEDTLS_SSL_TRANSPORT_STREAM,
                                            MBEDTLS_SSL_PRESET_DEFAULT));
+#if MBEDTLS_VERSION_NUMBER <= 0x03010000
   mbedtls_ssl_conf_min_version(&conf, MBEDTLS_SSL_MAJOR_VERSION_3,
                                MBEDTLS_SSL_MINOR_VERSION_3);
-
+#endif /* MBEDTLS_VERSION_NUMBER <= 0x03010000 */
   mbedtls_ssl_context ssl;
   mbedtls_ssl_init(&ssl);
   ASSERT_EQ(0, mbedtls_ssl_setup(&ssl, &conf));
@@ -277,8 +282,12 @@ TEST_F(TCPMessage, GetTotalLength)
     },
     nullptr, nullptr);
 
+#if MBEDTLS_VERSION_NUMBER <= 0x03010000
   ssl.major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
   ssl.minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
+#else  /* MBEDTLS_VERSION_NUMBER > 0x03010000 */
+  ssl.tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#endif /* MBEDTLS_VERSION_NUMBER <= 0x03010000 */
   ssl.state = MBEDTLS_SSL_HANDSHAKE_OVER;
   std::vector<uint8_t> data{ 0x01, 0x02, 0x03, 0x04 };
   ASSERT_EQ(data.size(), mbedtls_ssl_write(&ssl, &data[0], data.size()));
@@ -288,9 +297,11 @@ TEST_F(TCPMessage, GetTotalLength)
   mbedtls_ssl_free(&ssl);
   mbedtls_ssl_config_free(&conf);
 
-  ValidateHeaderLength(-1, true,
-                       { MBEDTLS_SSL_MSG_HANDSHAKE, MBEDTLS_SSL_MAJOR_VERSION_3,
-                         MBEDTLS_SSL_MINOR_VERSION_3 });
+#define SSL_MAJOR_VERSION_3 (3)
+#define SSL_MINOR_VERSION_3 (3)
+  ValidateHeaderLength(
+    -1, true,
+    { MBEDTLS_SSL_MSG_HANDSHAKE, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3 });
 #endif /* OC_SECURITY */
 }