diff --git a/components/bt/common/Kconfig.in b/components/bt/common/Kconfig.in
index 4bcfaa79ce..0c0b040ab4 100644
--- a/components/bt/common/Kconfig.in
+++ b/components/bt/common/Kconfig.in
@@ -6,6 +6,43 @@ config BT_ALARM_MAX_NUM
 This option decides the maximum number of alarms which could be used by Bluetooth host.
+choice BT_SMP_CRYPTO_STACK
+ prompt "SMP cryptographic stack"
+ depends on (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE || BT_NIMBLE_SECURITY_ENABLE)
+ default BT_SMP_CRYPTO_STACK_NATIVE
+ help
+ Select the cryptographic library to use for SMP operations (AES, AES-CMAC, ECDH P-256).
+
+ config BT_SMP_CRYPTO_STACK_NATIVE
+ bool "Native Bluedroid implementation"
+ depends on (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE)
+ help
+ Use the built-in Bluedroid cryptographic implementation.
+ This provides compatibility with all features.
+ This option is only available for Bluedroid host.
+
+ config BT_SMP_CRYPTO_STACK_TINYCRYPT
+ bool "TinyCrypt"
+ help
+ Use TinyCrypt library for cryptographic operations.
+ TinyCrypt is a lightweight cryptographic library designed for constrained devices.
+ This can reduce code size compared to the native implementation.
+ This is the default option.
+
+ config BT_SMP_CRYPTO_STACK_MBEDTLS
+ bool "mbedTLS"
+ select MBEDTLS_AES_C
+ select MBEDTLS_CMAC_C
+ select MBEDTLS_ECDH_C
+ select MBEDTLS_ECP_C
+ select MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ help
+ Use mbedTLS library for cryptographic operations.
+ This can provide hardware acceleration on supported platforms and reduce code size
+ by sharing crypto implementations with other components.
+
+endchoice
+
 menu "BLE Log"
 source "$IDF_PATH/components/bt/common/ble_log/Kconfig.in"
 endmenu
diff --git a/components/bt/host/bluedroid/Kconfig.in b/components/bt/host/bluedroid/Kconfig.in
index 6bc115b788..1ea73f2058 100644
--- a/components/bt/host/bluedroid/Kconfig.in
+++ b/components/bt/host/bluedroid/Kconfig.in
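Review bot: The choice's `default BT_SMP_CRYPTO_STACK_NATIVE` names a symbol that is invisible when only BT_NIMBLE_SECURITY_ENABLE is set (its `depends on (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE)`), so NimBLE builds fall through to the first visible entry, TinyCrypt, while the TinyCrypt help text claims "This is the default option." for every host. Making the per-host default explicit avoids relying on fallback order: `default BT_SMP_CRYPTO_STACK_NATIVE if (BT_BLE_SMP_ENABLE || BT_SMP_ENABLE)` followed by `default BT_SMP_CRYPTO_STACK_TINYCRYPT`, with the TinyCrypt help reworded to `This is the default option for the NimBLE host.`. The moved text also drops the old note that this option is not compatible with BLE Mesh because Mesh calls the native Bluedroid ECC implementation directly; if that limitation still holds, the help should keep it, or the choice should express it as a dependency, rather than leaving it undocumented.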
@@ -406,43 +406,6 @@ config BT_BLE_SMP_BOND_NVS_FLASH
 help
 This select can save SMP bonding keys to nvs flash
-choice BT_SMP_CRYPTO_STACK
- prompt "SMP cryptographic stack"
- depends on BT_BLE_SMP_ENABLE
- default BT_SMP_CRYPTO_STACK_NATIVE
- help
- Select the cryptographic library to use for SMP operations (AES, AES-CMAC, ECDH P-256).
-
- Note: This option is not compatible with BLE Mesh, as BLE Mesh
- uses the native Bluedroid ECC implementation directly.
-
- config BT_SMP_CRYPTO_STACK_NATIVE
- bool "Native Bluedroid implementation"
- help
- Use the built-in Bluedroid cryptographic implementation.
- This is the default option and provides compatibility with all features.
-
- config BT_SMP_CRYPTO_STACK_TINYCRYPT
- bool "TinyCrypt"
- help
- Use TinyCrypt library for cryptographic operations.
- TinyCrypt is a lightweight cryptographic library designed for constrained devices.
- This can reduce code size compared to the native implementation.
-
- config BT_SMP_CRYPTO_STACK_MBEDTLS
- bool "mbedTLS"
- select MBEDTLS_AES_C
- select MBEDTLS_CMAC_C
- select MBEDTLS_ECDH_C
- select MBEDTLS_ECP_C
- select MBEDTLS_ECP_DP_SECP256R1_ENABLED
- help
- Use mbedTLS library for cryptographic operations.
- This can provide hardware acceleration on supported platforms and reduce code size
- by sharing crypto implementations with other components.
-
-endchoice
-
 config BT_BLE_RPA_SUPPORTED
 bool "Update RPA to Controller"
 depends on (BT_BLE_SMP_ENABLE && ((BT_CONTROLLER_ENABLED && !SOC_BLE_DEVICE_PRIVACY_SUPPORTED) || BT_CONTROLLER_DISABLED)) # NOERROR
diff --git a/components/bt/host/bluedroid/stack/smp/smp_cmac.c b/components/bt/host/bluedroid/stack/smp/smp_cmac.c
index 9d290af559..fd10e50760 100644
--- a/components/bt/host/bluedroid/stack/smp/smp_cmac.c
+++ b/components/bt/host/bluedroid/stack/smp/smp_cmac.c
@@ -346,12 +346,13 @@ BOOLEAN aes_cipher_msg_auth_code(BT_OCTET16 key, UINT8 *input, UINT16 length,
 psa_set_key_bits(&key_attributes, 128);
 status = psa_import_key(&key_attributes, key_be, BT_OCTET16_LEN, &key_id);
+ psa_reset_key_attributes(&key_attributes);
+
 if (status != PSA_SUCCESS) {
 SMP_TRACE_ERROR("psa_import_key failed: %d", status);
 if (input_be) osi_free(input_be);
 return FALSE;
 }
- psa_reset_key_attributes(&key_attributes);
 /* Setup MAC operation */
 status = psa_mac_sign_setup(&operation, key_id, PSA_ALG_CMAC);
diff --git a/components/bt/host/bluedroid/stack/smp/smp_keys.c b/components/bt/host/bluedroid/stack/smp/smp_keys.c
index 8cb553a782..63fd74b65e 100644
--- a/components/bt/host/bluedroid/stack/smp/smp_keys.c
+++ b/components/bt/host/bluedroid/stack/smp/smp_keys.c
@@ -217,12 +217,13 @@ BOOLEAN smp_encrypt_data (UINT8 *key, UINT8 key_len,
 psa_set_key_bits(&key_attributes, 128);
 status = psa_import_key(&key_attributes, p_rev_key, SMP_ENCRYT_KEY_SIZE, &key_id);
+ psa_reset_key_attributes(&key_attributes);
+
 if (status != PSA_SUCCESS) {
 SMP_TRACE_ERROR("%s psa_import_key failed: %d\n", __func__, status);
 osi_free(p_start);
 return FALSE;
 }
- psa_reset_key_attributes(&key_attributes);
 status = psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING, p_rev_data, SMP_ENCRYT_DATA_SIZE, p_rev_output, SMP_ENCRYT_DATA_SIZE, &output_len);
@@ -1218,11 +1219,12 @@ void smp_process_private_key(tSMP_CB *p_cb)
 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
 status = psa_import_key(&key_attributes, priv_be, BT_OCTET32_LEN, &key_id);
+ psa_reset_key_attributes(&key_attributes);
+
 if (status != PSA_SUCCESS) {
 SMP_TRACE_ERROR("%s psa_import_key failed: %d\n", __FUNCTION__, status);
 goto psa_pubkey_cleanup;
 }
- psa_reset_key_attributes(&key_attributes);
 /* Export public key */
 status = psa_export_public_key(key_id, pub_be, sizeof(pub_be), &pub_len);
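Review bot: The reordering that moves `psa_reset_key_attributes(&key_attributes);` ahead of the status check carries no comment explaining why, so a later cleanup could just as easily move it back below the `if`. A one-line why-comment on the added line, `/* attributes are not needed once psa_import_key returns; reset before the error path so it cannot be skipped */`, would record the intent. The same unexplained two-line pattern is repeated in the smp_encrypt_data, smp_process_private_key and smp_compute_dhkey hunks of smp_keys.c; a small static helper that imports and resets in one place would keep the four copies from drifting apart. aes_cipher_msg_auth_code begins before and continues after this hunk, so I cannot see whether `key_be`, the key material handed to psa_import_key, is wiped before the early `return FALSE`; worth confirming.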
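Review bot: The private key this hunk imports is created with `PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT` (the context line above the import), yet the only operation on it visible here is `psa_export_public_key`, which the PSA Crypto API permits regardless of usage flags. PSA_KEY_USAGE_EXPORT additionally allows the private scalar itself to be read back through psa_export_key, a right the equivalent import in smp_compute_dhkey (the -1330 hunk) does not grant; unless the private key is exported elsewhere in the function, `psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);` keeps the policy minimal and consistent with the DH-key path. smp_process_private_key starts before and continues after the hunk, so the rest of the key's use is not visible here.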
@@ -1330,11 +1332,12 @@ void smp_compute_dhkey (tSMP_CB *p_cb)
 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
 status = psa_import_key(&key_attributes, priv_be, BT_OCTET32_LEN, &key_id);
+ psa_reset_key_attributes(&key_attributes);
+
 if (status != PSA_SUCCESS) {
 SMP_TRACE_ERROR("%s psa_import_key failed: %d\n", __FUNCTION__, status);
 goto psa_dhkey_cleanup;
 }
- psa_reset_key_attributes(&key_attributes);
 /* Construct peer public key in uncompressed format: 0x04 || X || Y */
 peer_pub_be[0] = 0x04;