From b4fea9ccccfe59c93b354a3fe4261e2259e4be8b Mon Sep 17 00:00:00 2001
From: Ashish Sharma
Date: Tue, 18 Mar 2025 11:37:41 +0800
Subject: [PATCH] feat(lwip): migrate to to PSA API interface
---
.../secure_boot_signatures_app.c | 6 +-
.../secure_boot_rsa_signature.c | 1 +
.../esp-tls/esp-tls-crypto/esp_tls_crypto.c | 2 +
components/esp-tls/esp_tls_mbedtls.c | 5 +-
components/esp-tls/test_apps/main/app_main.c | 1 -
components/esp_security/src/init.c | 17 ++
components/lwip/test_apps/main/lwip_test.c | 1 -
components/mbedtls/CMakeLists.txt | 280 +++++++++---------
.../mbedtls/esp_crt_bundle/esp_crt_bundle.c | 2 +-
.../mbedtls/port/include/mbedtls/esp_config.h | 16 +-
components/mbedtls/port/include/mbedtls/gcm.h | 96 +++---
.../mbedtls/test_apps/main/CMakeLists.txt | 7 +-
components/mbedtls/test_apps/main/app_main.c | 8 +-
.../nvs_flash/src/nvs_encrypted_partition.hpp | 14 +-
.../nvs_flash/test_apps/main/app_main.c | 4 +-
.../nvs_flash/test_apps/main/test_nvs.c | 1 +
.../protocomm/src/crypto/srp6a/esp_srp.c | 8 +-
.../src/crypto/crypto_mbedtls-bignum.c | 2 +-
.../src/crypto/crypto_mbedtls-ec.c | 235 +++++++++------
.../src/crypto/crypto_mbedtls-rsa.c | 5 +-
.../src/crypto/crypto_mbedtls.c | 65 +++-
.../esp_supplicant/src/crypto/fastpbkdf2.c | 62 +++-
.../esp_supplicant/src/crypto/fastpsk.c | 100 +++++--
.../esp_supplicant/src/crypto/tls_mbedtls.c | 4 +-
.../main/https_request_example_main.c | 3 +-
tools/ci/check_copyright_ignore.txt | 6 +
26 files changed, 599 insertions(+), 352 deletions(-)
diff --git a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
index 7f8fbe3720..fdf2ae4e30 100644
--- a/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c
+++ b/components/bootloader_support/src/secure_boot_v1/secure_boot_signatures_app.c 
@@ -14,6 +14,9 @@ #include "psa/crypto.h" #include #include +#include "mbedtls/pk.h" +#include "psa/crypto.h" + #ifdef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME ESP_LOG_ATTR_TAG(TAG, "secure_boot_v1"); @@ -107,10 +110,11 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig // Verify the signature status = psa_verify_hash(key_handle, PSA_ALG_ECDSA(PSA_ALG_SHA_256), image_digest, ESP_SECURE_BOOT_DIGEST_LEN, sig_block->signature, SIGNATURE_VERIFICATION_KEYLEN); - ESP_LOGD(TAG, "Verification result %d", status); + ESP_LOGI(TAG, "Verification result %d", status); // Destroy the key handle psa_destroy_key(key_handle); + psa_reset_key_attributes(&key_attributes); return status == PSA_SUCCESS ? ESP_OK : ESP_ERR_IMAGE_INVALID; #endif // CONFIG_MBEDTLS_ECDSA_C && CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED diff --git a/components/bootloader_support/src/secure_boot_v2/secure_boot_rsa_signature.c b/components/bootloader_support/src/secure_boot_v2/secure_boot_rsa_signature.c index 1f4c9e5bca..ebe3bb4138 100644 --- a/components/bootloader_support/src/secure_boot_v2/secure_boot_rsa_signature.c +++ b/components/bootloader_support/src/secure_boot_v2/secure_boot_rsa_signature.c @@ -5,6 +5,7 @@ */ #include "esp_log.h" #include "esp_secure_boot.h" +#include "mbedtls/pk.h" #include "psa/crypto.h" #include "mbedtls/pk.h" #include "mbedtls/rsa.h" diff --git a/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c b/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c index 64e8246288..77fd02cf54 100644 --- a/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c +++ b/components/esp-tls/esp-tls-crypto/esp_tls_crypto.c @@ -10,6 +10,8 @@ #include "sdkconfig.h" __attribute__((unused)) static const char *TAG = "esp_crypto"; #ifdef CONFIG_ESP_TLS_USING_MBEDTLS +/* Need this for mbedtls_sha1_* APIs */ +#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS #include "mbedtls/sha1.h" #include "mbedtls/base64.h" #include "mbedtls/error.h" 
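Review bot: The include added in the `@@ -14,6 +14,9 @@` hunk of secure_boot_signatures_app.c duplicates one the file already has: `#include "psa/crypto.h"` is the first context line of that same hunk. The same pattern appears in secure_boot_rsa_signature.c (`@@ -5,6 +5,7 @@`), where the added `#include "mbedtls/pk.h"` sits two lines above an existing identical include. Drop the duplicates so the include list shows what the PSA migration actually needs.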
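Review bot: In esp_secure_boot_verify_ecdsa_signature_block the result log is raised from ESP_LOGD to ESP_LOGI, so every app-signature check now prints the raw psa_status_t at the default log level; this looks like debugging output left in. Keep the generic line at debug level and report failures explicitly, e.g. `if (status != PSA_SUCCESS) { ESP_LOGE(TAG, "Signature verification failed: %d", status); }`. The added `psa_reset_key_attributes(&key_attributes);` only covers this final path; if there are earlier returns after the attributes are set up (the function starts outside the hunk), they should reset them as well.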
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c index b7a2214ea0..497afc0c3a 100644 --- a/components/esp-tls/esp_tls_mbedtls.c +++ b/components/esp-tls/esp_tls_mbedtls.c @@ -124,7 +124,7 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const tls->server_fd.fd = tls->sockfd; mbedtls_ssl_init(&tls->ssl); mbedtls_ssl_config_init(&tls->conf); - mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); + // mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); #if CONFIG_MBEDTLS_DYNAMIC_BUFFER tls->esp_tls_dyn_buf_strategy = ((esp_tls_cfg_t *)cfg)->esp_tls_dyn_buf_strategy; @@ -594,8 +594,7 @@ static esp_err_t set_pki_context(esp_tls_t *tls, const esp_tls_pki_t *pki) #endif if (pki->privkey_pem_buf != NULL) { ret = mbedtls_pk_parse_key(pki->pk_key, pki->privkey_pem_buf, pki->privkey_pem_bytes, - pki->privkey_password, pki->privkey_password_len, - mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); + pki->privkey_password, pki->privkey_password_len); } else { return ESP_ERR_INVALID_ARG; } diff --git a/components/esp-tls/test_apps/main/app_main.c b/components/esp-tls/test_apps/main/app_main.c index 09f7f9d947..397525073e 100644 --- a/components/esp-tls/test_apps/main/app_main.c +++ b/components/esp-tls/test_apps/main/app_main.c @@ -17,7 +17,6 @@ #endif #include "esp_newlib.h" #include "psa/crypto.h" - #if SOC_SHA_SUPPORT_SHA512 #define SHA_TYPE SHA2_512 #else diff --git a/components/esp_security/src/init.c b/components/esp_security/src/init.c index f9993914a1..3bb2694070 100644 --- a/components/esp_security/src/init.c +++ b/components/esp_security/src/init.c @@ -15,6 +15,7 @@ #include "hal/efuse_hal.h" #if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C) #include "psa/crypto.h" +#include "esp_random.h" #endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */ #if SOC_HUK_MEM_NEEDS_RECHARGE 
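Review bot: In esp_create_mbedtls_handle the `mbedtls_ssl_conf_rng(...)` call is commented out rather than removed, which leaves no record of where the TLS configuration now gets its randomness. If the new Mbed TLS takes it from the PSA RNG internally (the dropped RNG arguments of `mbedtls_pk_parse_key` in the `@@ -594,8 +594,7 @@` hunk suggest so), delete the line and state the dependency instead, e.g. `/* RNG comes from PSA Crypto; psa_crypto_init() must have succeeded before the handshake */`. Nothing visible in this hunk establishes that psa_crypto_init() has run on this path, so that precondition is worth confirming. The function continues outside the hunk.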
@@ -139,6 +140,22 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103) return err; } +#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C) +int mbedtls_platform_get_entropy(unsigned char *output, size_t output_size, + size_t *output_len, size_t *entropy_content) +{ + if (output == NULL || output_size == 0 || output_len == NULL || entropy_content == NULL) { + ESP_EARLY_LOGE(TAG, "Invalid parameters for mbedtls_platform_get_entropy"); + return -1; // Invalid parameters + } + + esp_fill_random(output, output_size); + *output_len = output_size; + *entropy_content = 8 * output_size; + return 0; +} +#endif // CONFIG_MBEDTLS_PSA_CRYPTO_C + void esp_security_init_include_impl(void) { // Linker hook, exists for no other purpose diff --git a/components/lwip/test_apps/main/lwip_test.c b/components/lwip/test_apps/main/lwip_test.c index 1f83ecee94..c3a4942eb3 100644 --- a/components/lwip/test_apps/main/lwip_test.c +++ b/components/lwip/test_apps/main/lwip_test.c @@ -492,7 +492,6 @@ TEST_GROUP_RUNNER(lwip) RUN_TEST_CASE(lwip, dhcp_server_dns_options) RUN_TEST_CASE(lwip, sntp_client_time_2015) RUN_TEST_CASE(lwip, sntp_client_time_2048) - RUN_TEST_CASE(lwip, dhcp_arp_probe_self_mac_is_ok) } void app_main(void) diff --git a/components/mbedtls/CMakeLists.txt b/components/mbedtls/CMakeLists.txt index bcda4d69ae..cdf7c65418 100644 --- a/components/mbedtls/CMakeLists.txt +++ b/components/mbedtls/CMakeLists.txt 
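Review bot: mbedtls_platform_get_entropy reports `*entropy_content = 8 * output_size`, i.e. full entropy, for whatever esp_fill_random() returns. ESP-IDF documents that the hardware RNG is only truly random while an entropy source is active (RF subsystem enabled, or the bootloader's SAR-ADC source); otherwise the output is pseudo-random, and this callback may be reached before Wi-Fi/BT is up. Either guarantee an entropy source before PSA seeds from here or document the precondition above the function, e.g. `/* Caller must ensure an RNG entropy source is active (RF enabled or bootloader_random_enable()) */`. The bare `return -1;` would also read better as a named Mbed TLS/PSA entropy error code, if the new API defines one for this callback.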
@@ -147,10 +147,10 @@ set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls}) if(CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1) get_target_property(src_tls mbedtls SOURCES) -list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c) + list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c) set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls}) -get_target_property(src_crypto mbedcrypto SOURCES) +get_target_property(src_crypto tfpsacrypto SOURCES) list(REMOVE_ITEM src_crypto cipher_wrap.c ecdsa.c ecp.c ecp_curves.c oid.c pk_wrap.c) set_property(TARGET mbedcrypto PROPERTY SOURCES ${src_crypto}) @@ -160,7 +160,7 @@ set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509}) endif() # Core libraries from the mbedTLS project -set(mbedtls_targets mbedtls mbedcrypto mbedx509) +set(mbedtls_targets mbedtls mbedx509 tfpsacrypto) # 3rd party libraries from the mbedTLS project list(APPEND mbedtls_targets everest p256m) @@ -201,9 +201,9 @@ endif() # Add port files to mbedtls targets target_sources(mbedtls PRIVATE ${mbedtls_target_sources}) -if(NOT ${IDF_TARGET} STREQUAL "linux") - target_link_libraries(mbedcrypto PRIVATE idf::esp_security) -endif() +# if(NOT ${IDF_TARGET} STREQUAL "linux") +# target_link_libraries(mbedcrypto PRIVATE idf::esp_security) +# endif() # Choose peripheral type 
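Review bot: Inside the `CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1` block the crypto source list is now read from `tfpsacrypto` but still written back to `mbedcrypto` on the unchanged line `set_property(TARGET mbedcrypto PROPERTY SOURCES ${src_crypto})`. With `mbedtls_targets` switched to `mbedtls mbedx509 tfpsacrypto` in the next hunk, that either fails at configure time (if `mbedcrypto` no longer exists) or edits a different target than the one read; it should be `set_property(TARGET tfpsacrypto PROPERTY SOURCES ${src_crypto})`. The same leftover target name is visible in the `target_sources(mbedcrypto PRIVATE ...)` context lines around the `@@ -273,6 +284,10 @@` hunk (DS and HMAC port files). The re-indented `list(REMOVE_ITEM src_tls ...)` line is also now inconsistent with its neighbours.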
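Review bot: The port wiring is disabled by commenting it out instead of being moved to the new target, starting with the `idf::esp_security` link in the `@@ -201,9 +201,9 @@` hunk and continuing through the `@@ -215,57 +215,68 @@`, `@@ -285,72 +300,73 @@` and `@@ -388,37 +404,37 @@` hunks. That drops the hardware AES/SHA/MPI/ECC port sources and the `-Wl,--wrap=mbedtls_ecdsa_*` link options while options such as `CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN` and `CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN` remain selectable, so a build that selects hardware- or TEE-backed signing would silently get no such backend. Until the port is done, fail loudly under those options, e.g. `message(FATAL_ERROR "Hardware ECDSA is not yet supported with TF-PSA-Crypto")`, and delete the dead blocks rather than keeping them as comments. The new `AES_PERIPHERAL_TYPE` variable is only referenced from commented-out code.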
@@ -215,57 +215,68 @@ if(CONFIG_SOC_SHA_SUPPORTED) endif() endif() -if(SHA_PERIPHERAL_TYPE STREQUAL "core") - target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include") - - if(CONFIG_SOC_SHA_GDMA) - set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_gdma_impl.c") - elseif(CONFIG_SOC_SHA_CRYPTO_DMA) - set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_crypto_dma_impl.c") - endif() - target_sources(mbedcrypto PRIVATE "${SHA_CORE_SRCS}") -endif() - -if(CONFIG_SOC_AES_SUPPORT_DMA) - if(NOT CONFIG_SOC_AES_GDMA) - set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_crypto_dma_impl.c") - else() - set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_gdma_impl.c") - endif() - - list(APPEND AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c") - - target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include") - target_sources(mbedcrypto PRIVATE "${AES_DMA_SRCS}") -endif() - -if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR CONFIG_SOC_AES_SUPPORT_DMA) - target_link_libraries(mbedcrypto PRIVATE idf::esp_mm) - if(CONFIG_SOC_SHA_GDMA OR CONFIG_SOC_AES_GDMA) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c") - endif() -endif() - -if(NOT ${IDF_TARGET} STREQUAL "linux") - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c") -endif() -target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c" - "${COMPONENT_DIR}/port/esp_timing.c" -) - if(CONFIG_SOC_AES_SUPPORTED) - target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/include") - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c" - "${COMPONENT_DIR}/port/aes/esp_aes_common.c" - "${COMPONENT_DIR}/port/aes/esp_aes.c" - ) + if(CONFIG_SOC_AES_SUPPORT_DMA) + set(AES_PERIPHERAL_TYPE "dma") + else() + set(AES_PERIPHERAL_TYPE "block") + endif() endif() -if(CONFIG_SOC_SHA_SUPPORTED) - 
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/esp_sha.c" - "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c" - ) -endif() +# if(SHA_PERIPHERAL_TYPE STREQUAL "core") +# target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include") + +# if(CONFIG_SOC_SHA_GDMA) +# set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_gdma_impl.c") +# elseif(CONFIG_SOC_SHA_CRYPTO_DMA) +# set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_crypto_dma_impl.c") +# endif() +# target_sources(mbedcrypto PRIVATE "${SHA_CORE_SRCS}") +# endif() + +# if(AES_PERIPHERAL_TYPE STREQUAL "dma") +# if(NOT CONFIG_SOC_AES_GDMA) +# set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_crypto_dma_impl.c") +# else() +# set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_gdma_impl.c") +# endif() + +# list(APPEND AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c") + +# target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include") +# target_sources(mbedcrypto PRIVATE "${AES_DMA_SRCS}") +# endif() + +# if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR AES_PERIPHERAL_TYPE STREQUAL "dma") +# target_link_libraries(mbedcrypto PRIVATE idf::esp_mm) +# if(CONFIG_SOC_SHA_GDMA OR CONFIG_SOC_AES_GDMA) +# if(CONFIG_SOC_AXI_DMA_EXT_MEM_ENC_ALIGNMENT) +# target_link_libraries(mbedcrypto PRIVATE idf::bootloader_support) +# endif() +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c") +# endif() +# endif() + +# if(NOT ${IDF_TARGET} STREQUAL "linux") +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c") +# endif() +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c" +# "${COMPONENT_DIR}/port/esp_timing.c" +# ) + +# if(CONFIG_SOC_AES_SUPPORTED) +# target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/include") +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c" +# 
"${COMPONENT_DIR}/port/aes/esp_aes_common.c" +# "${COMPONENT_DIR}/port/aes/${AES_PERIPHERAL_TYPE}/esp_aes.c" +# ) +# endif() + +# if(CONFIG_SOC_SHA_SUPPORTED) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/esp_sha.c" +# "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c" +# ) +# endif() if(CONFIG_SOC_DIG_SIGN_SUPPORTED) target_sources(mbedcrypto PRIVATE @@ -273,6 +284,10 @@ target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_ds/esp_rsa_dec_alt.c" "${COMPONENT_DIR}/port/esp_ds/esp_ds_common.c") endif() +# # CONFIG_ESP_TLS_USE_DS_PERIPHERAL can be enabled only for the supported targets. +# if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_ds/esp_rsa_sign_alt.c") +# endif() if(CONFIG_SOC_HMAC_SUPPORTED) target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c") 
@@ -285,72 +300,73 @@ endif() # # The other port-specific files don't override internal mbedTLS functions, they just add new functions. -if(CONFIG_MBEDTLS_HARDWARE_MPI) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c" - "${COMPONENT_DIR}/port/bignum/bignum_alt.c") -endif() +# if(CONFIG_MBEDTLS_HARDWARE_MPI) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c" +# "${COMPONENT_DIR}/port/bignum/bignum_alt.c") +# endif() -if(CONFIG_MBEDTLS_HARDWARE_SHA) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha1.c" - "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha256.c" - "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha512.c" - ) -endif() +# if(CONFIG_MBEDTLS_HARDWARE_SHA) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha1.c" +# "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha256.c" +# "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha512.c" +# ) +# endif() -if(CONFIG_MBEDTLS_HARDWARE_GCM OR CONFIG_MBEDTLS_HARDWARE_AES) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c") -endif() +# if(CONFIG_MBEDTLS_HARDWARE_GCM OR CONFIG_MBEDTLS_HARDWARE_AES) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c") +# endif() -if(CONFIG_MBEDTLS_HARDWARE_ECC) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c" - "${COMPONENT_DIR}/port/ecc/ecc_alt.c") -endif() +# if(CONFIG_MBEDTLS_HARDWARE_ECC) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c" +# "${COMPONENT_DIR}/port/ecc/ecc_alt.c") +# endif() -if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c") +# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR +# CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) +# 
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c") - set(WRAP_FUNCTIONS_SIGN - mbedtls_ecdsa_sign - mbedtls_ecdsa_sign_restartable - mbedtls_ecdsa_write_signature - mbedtls_ecdsa_write_signature_restartable) +# set(WRAP_FUNCTIONS_SIGN +# mbedtls_ecdsa_sign +# mbedtls_ecdsa_sign_restartable +# mbedtls_ecdsa_write_signature +# mbedtls_ecdsa_write_signature_restartable) - set(WRAP_FUNCTIONS_VERIFY - mbedtls_ecdsa_verify - mbedtls_ecdsa_verify_restartable - mbedtls_ecdsa_read_signature - mbedtls_ecdsa_read_signature_restartable) +# set(WRAP_FUNCTIONS_VERIFY +# mbedtls_ecdsa_verify +# mbedtls_ecdsa_verify_restartable +# mbedtls_ecdsa_read_signature +# mbedtls_ecdsa_read_signature_restartable) - if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) - foreach(wrap ${WRAP_FUNCTIONS_SIGN}) - target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}") - endforeach() +# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) +# foreach(wrap ${WRAP_FUNCTIONS_SIGN}) +# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}") +# endforeach() - if(CONFIG_SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE) - target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_ext") - target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_restartable") - endif() - endif() +# if(CONFIG_SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE) +# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_ext") +# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_restartable") +# endif() +# endif() - if(CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY) - foreach(wrap ${WRAP_FUNCTIONS_VERIFY}) - target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}") - endforeach() - endif() +# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY) +# foreach(wrap ${WRAP_FUNCTIONS_VERIFY}) +# target_link_libraries(${COMPONENT_LIB} INTERFACE 
"-Wl,--wrap=${wrap}") +# endforeach() +# endif() - if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) - target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage) - endif() -endif() +# if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN) +# target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage) +# endif() +# endif() -if(CONFIG_MBEDTLS_ROM_MD5) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c") -endif() +# if(CONFIG_MBEDTLS_ROM_MD5) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c") +# endif() -if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) - target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c") - target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init") -endif() +# if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL) +# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c") +# target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init") +# endif() foreach(target ${mbedtls_targets}) target_compile_definitions(${target} PUBLIC -DMBEDTLS_CONFIG_FILE="mbedtls/esp_config.h") 
@@ -388,37 +404,37 @@ if(CONFIG_MBEDTLS_DYNAMIC_BUFFER) endforeach() endif() -set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls) +# set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls) -if(CONFIG_PM_ENABLE) - target_link_libraries(mbedcrypto PRIVATE idf::esp_pm) -endif() +# if(CONFIG_PM_ENABLE) +# target_link_libraries(mbedcrypto PRIVATE idf::esp_pm) +# endif() -if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY) - target_link_libraries(mbedcrypto PRIVATE idf::efuse) -endif() +# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY) +# target_link_libraries(mbedcrypto PRIVATE idf::efuse) +# endif() target_link_libraries(${COMPONENT_LIB} ${linkage_type} ${mbedtls_targets}) -if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL) - # The linker seems to be unable to resolve all the dependencies without increasing this - set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6) -endif() +# if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL) +# # The linker seems to be unable to resolve all the dependencies without increasing this +# set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6) +# endif() # Additional optional dependencies for the mbedcrypto library -function(mbedcrypto_optional_deps component_name) - idf_build_get_property(components BUILD_COMPONENTS) - if(${component_name} IN_LIST components) - idf_component_get_property(lib_name ${component_name} COMPONENT_LIB) - target_link_libraries(mbedcrypto PRIVATE ${lib_name}) - endif() -endfunction() +# function(mbedcrypto_optional_deps component_name) +# idf_build_get_property(components BUILD_COMPONENTS) +# if(${component_name} IN_LIST components) +# idf_component_get_property(lib_name ${component_name} COMPONENT_LIB) +# target_link_libraries(mbedcrypto PRIVATE ${lib_name}) +# endif() +# endfunction() -if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM) - mbedcrypto_optional_deps(esp_timer 
idf::esp_timer) -endif() +# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM) +# mbedcrypto_optional_deps(esp_timer idf::esp_timer) +# endif() # Link esp-cryptoauthlib to mbedtls -if(CONFIG_ATCA_MBEDTLS_ECDSA) - mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib) -endif() +# if(CONFIG_ATCA_MBEDTLS_ECDSA) +# mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib) +# endif() diff --git a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c index 3e68dcccfb..e7417821b4 100644 --- a/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c +++ b/components/mbedtls/esp_crt_bundle/esp_crt_bundle.c @@ -162,7 +162,7 @@ static int esp_crt_check_signature(const mbedtls_x509_crt* child, const uint8_t* goto cleanup; } - if (unlikely((ret = mbedtls_pk_verify_ext(child->MBEDTLS_PRIVATE(sig_pk), child->MBEDTLS_PRIVATE(sig_opts), &pubkey, + if (unlikely((ret = mbedtls_pk_verify_ext(child->MBEDTLS_PRIVATE(sig_pk), NULL, &pubkey, child->MBEDTLS_PRIVATE(sig_md), hash, md_size, child->MBEDTLS_PRIVATE(sig).p, child->MBEDTLS_PRIVATE(sig).len)) != 0)) { ESP_LOGE(TAG, "PK verify failed with error 0x%x", -ret); diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h index 1ae5cf2366..beb269ef67 100644 --- a/components/mbedtls/port/include/mbedtls/esp_config.h +++ b/components/mbedtls/port/include/mbedtls/esp_config.h @@ -25,10 +25,14 @@ #ifndef ESP_CONFIG_H #define ESP_CONFIG_H +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #include "sdkconfig.h" #include "mbedtls/mbedtls_config.h" #include "soc/soc_caps.h" + + /** * \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS * 
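Review bot: esp_crt_check_signature now passes `NULL` as the options argument of mbedtls_pk_verify_ext() instead of `child->MBEDTLS_PRIVATE(sig_opts)`. For RSASSA-PSS certificates that argument carried the parsed PSS parameters, so unless the new API derives them itself, PSS-signed chains will either be rejected or be checked without the parameters the certificate declares; please confirm which and cover it with a bundle test using a PSS-signed certificate. A comment at the call site should say why NULL is correct, e.g. `/* sig_opts is no longer part of mbedtls_x509_crt; PSS parameters are handled by <mechanism> */`. The function body extends beyond the hunk.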
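Review bot: Defining `MBEDTLS_ALLOW_PRIVATE_ACCESS` at the top of esp_config.h switches off the `MBEDTLS_PRIVATE()` encapsulation for every translation unit that picks up the Mbed TLS config, application code included. crypto_mbedtls-bignum.c and crypto_mbedtls-ec.c in this same patch define it per file, which is the narrower approach; prefer that and drop the global define, or add a comment explaining why it has to be global. The hunk also adds two stray blank lines after `#include "soc/soc_caps.h"`.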
@@ -149,6 +153,8 @@ /** Override calloc(), free() except for case where memory allocation scheme is not set to custom */ #ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC #include "esp_mem.h" +#undef MBEDTLS_PLATFORM_STD_CALLOC +#undef MBEDTLS_PLATFORM_STD_FREE #define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc #define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free #endif @@ -623,11 +629,11 @@ * * Comment this macro to disable FIXED POINT curves optimisation. */ -#ifdef CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM -#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 -#else -#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 -#endif +// #ifdef CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM +// #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1 +// #else +// #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 +// #endif /** * \def MBEDTLS_ECDSA_DETERMINISTIC diff --git a/components/mbedtls/port/include/mbedtls/gcm.h b/components/mbedtls/port/include/mbedtls/gcm.h index d50527d4df..2d5e7516a6 100644 --- a/components/mbedtls/port/include/mbedtls/gcm.h +++ b/components/mbedtls/port/include/mbedtls/gcm.h @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Apache-2.0 */ 
@@ -14,65 +14,65 @@ extern "C" { #if defined(MBEDTLS_GCM_ALT) && defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK) -/** - * When the MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK is defined, for non-AES GCM - * operations we need to fallback to the software function definitions of the - * mbedtls GCM layer. - * Thus in this case we need declarations for the software funtions. - * Please refer mbedtls/include/mbedtls/gcm.h for function documentations - */ +// /** +// * When the MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK is defined, for non-AES GCM +// * operations we need to fallback to the software function definitions of the +// * mbedtls GCM layer. +// * Thus in this case we need declarations for the software functions. +// * Please refer mbedtls/include/mbedtls/gcm.h for function documentations +// */ -void mbedtls_gcm_init_soft(mbedtls_gcm_context_soft *ctx); +// void mbedtls_gcm_init_soft(mbedtls_gcm_context_soft *ctx); -int mbedtls_gcm_setkey_soft(mbedtls_gcm_context_soft *ctx, - mbedtls_cipher_id_t cipher, - const unsigned char *key, - unsigned int keybits); +// int mbedtls_gcm_setkey_soft(mbedtls_gcm_context_soft *ctx, +// mbedtls_cipher_id_t cipher, +// const unsigned char *key, +// unsigned int keybits); -int mbedtls_gcm_starts_soft(mbedtls_gcm_context_soft *ctx, - int mode, - const unsigned char *iv, size_t iv_len); +// int mbedtls_gcm_starts_soft(mbedtls_gcm_context_soft *ctx, +// int mode, +// const unsigned char *iv, size_t iv_len); -int mbedtls_gcm_update_ad_soft(mbedtls_gcm_context_soft *ctx, - const unsigned char *add, size_t add_len); +// int mbedtls_gcm_update_ad_soft(mbedtls_gcm_context_soft *ctx, +// const unsigned char *add, size_t add_len); -int mbedtls_gcm_update_soft(mbedtls_gcm_context_soft *ctx, - const unsigned char *input, size_t input_length, - unsigned char *output, size_t output_size, - size_t *output_length); +// int mbedtls_gcm_update_soft(mbedtls_gcm_context_soft *ctx, +// const unsigned char *input, size_t input_length, +// unsigned 
char *output, size_t output_size, +// size_t *output_length); -int mbedtls_gcm_finish_soft(mbedtls_gcm_context_soft *ctx, - unsigned char *output, size_t output_size, - size_t *output_length, - unsigned char *tag, size_t tag_len); +// int mbedtls_gcm_finish_soft(mbedtls_gcm_context_soft *ctx, +// unsigned char *output, size_t output_size, +// size_t *output_length, +// unsigned char *tag, size_t tag_len); -int mbedtls_gcm_crypt_and_tag_soft(mbedtls_gcm_context_soft *ctx, - int mode, - size_t length, - const unsigned char *iv, - size_t iv_len, - const unsigned char *add, - size_t add_len, - const unsigned char *input, - unsigned char *output, - size_t tag_len, - unsigned char *tag); +// int mbedtls_gcm_crypt_and_tag_soft(mbedtls_gcm_context_soft *ctx, +// int mode, +// size_t length, +// const unsigned char *iv, +// size_t iv_len, +// const unsigned char *add, +// size_t add_len, +// const unsigned char *input, +// unsigned char *output, +// size_t tag_len, +// unsigned char *tag); -int mbedtls_gcm_auth_decrypt_soft(mbedtls_gcm_context_soft *ctx, - size_t length, - const unsigned char *iv, - size_t iv_len, - const unsigned char *add, - size_t add_len, - const unsigned char *tag, - size_t tag_len, - const unsigned char *input, - unsigned char *output); +// int mbedtls_gcm_auth_decrypt_soft(mbedtls_gcm_context_soft *ctx, +// size_t length, +// const unsigned char *iv, +// size_t iv_len, +// const unsigned char *add, +// size_t add_len, +// const unsigned char *tag, +// size_t tag_len, +// const unsigned char *input, +// unsigned char *output); -void mbedtls_gcm_free_soft(mbedtls_gcm_context_soft *ctx); +// void mbedtls_gcm_free_soft(mbedtls_gcm_context_soft *ctx); #endif /* MBEDTLS_GCM_ALT && MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK*/ diff --git a/components/mbedtls/test_apps/main/CMakeLists.txt b/components/mbedtls/test_apps/main/CMakeLists.txt index c70fe8198d..29f3439abd 100644 --- a/components/mbedtls/test_apps/main/CMakeLists.txt 
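Review bot: All `mbedtls_gcm_*_soft` prototypes in gcm.h are commented out while the surrounding `#if defined(MBEDTLS_GCM_ALT) && defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)` guard is kept, so the header now declares nothing under that configuration. Any source that still calls the software fallback would build against missing declarations. If the fallback is gone, remove the block (and the option that enables it) instead of commenting it; otherwise restore the declarations against the new context type.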
+++ b/components/mbedtls/test_apps/main/CMakeLists.txt @@ -4,7 +4,10 @@ set(TEST_CRTS "crts/server_cert_chain.pem" "crts/bad_md_crt.pem" "crts/wrong_sig_crt_esp32_com.pem" "crts/correct_sig_crt_esp32_com.pem") -idf_component_register(SRC_DIRS "." + +idf_component_register( + SRCS "app_main.c" + # SRC_DIRS "." PRIV_INCLUDE_DIRS "." PRIV_REQUIRES efuse cmock test_utils mbedtls esp_timer unity spi_flash esp_psram esp_security EMBED_TXTFILES ${TEST_CRTS} @@ -13,7 +16,7 @@ idf_component_register(SRC_DIRS "." idf_component_get_property(mbedtls mbedtls COMPONENT_LIB) target_compile_definitions(${mbedtls} INTERFACE "-DMBEDTLS_DEPRECATED_WARNING") target_compile_definitions(mbedtls PUBLIC "-DMBEDTLS_DEPRECATED_WARNING") -target_compile_definitions(mbedcrypto PUBLIC "-DMBEDTLS_DEPRECATED_WARNING") +# target_compile_definitions(mbedcrypto PUBLIC "-DMBEDTLS_DEPRECATED_WARNING") target_compile_definitions(mbedx509 PUBLIC "-DMBEDTLS_DEPRECATED_WARNING") # Add linker wrap option to override esp_ds_finish_sign diff --git a/components/mbedtls/test_apps/main/app_main.c b/components/mbedtls/test_apps/main/app_main.c index 20792fb592..717843ea56 100644 --- a/components/mbedtls/test_apps/main/app_main.c +++ b/components/mbedtls/test_apps/main/app_main.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ @@ -10,6 +10,8 @@ #include "memory_checks.h" #include "soc/soc_caps.h" #include "esp_newlib.h" +#include "esp_random.h" +#include "mbedtls/entropy.h" /* setUp runs before every test */ void setUp(void) 
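Review bot: Replacing `SRC_DIRS "."` with `SRCS "app_main.c"` removes every test source in this directory from the build, so the mbedtls test app can compile and pass while running none of the crypto tests. For a change that swaps the crypto backend this is the coverage most needed. If some tests cannot build yet, keep `SRC_DIRS "."` and exclude only those by name with `EXCLUDE_SRCS`, with a tracking reference, and drop the commented `# SRC_DIRS "."` line.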
@@ -17,8 +19,8 @@ void setUp(void) // Execute mbedtls_aes_init operation to allocate AES interrupt // allocation memory which is considered as leak otherwise #if SOC_AES_SUPPORTED - mbedtls_aes_context ctx; - mbedtls_aes_init(&ctx); + // mbedtls_aes_context ctx; + // mbedtls_aes_init(&ctx); #endif // SOC_AES_SUPPORTED test_utils_record_free_mem(); diff --git a/components/nvs_flash/src/nvs_encrypted_partition.hpp b/components/nvs_flash/src/nvs_encrypted_partition.hpp index 6cf128203d..ec846b6875 100644 --- a/components/nvs_flash/src/nvs_encrypted_partition.hpp +++ b/components/nvs_flash/src/nvs_encrypted_partition.hpp @@ -3,11 +3,19 @@ * * SPDX-License-Identifier: Apache-2.0 */ -#pragma once + +#ifndef NVS_ENCRYPTED_PARTITION_HPP_ +#define NVS_ENCRYPTED_PARTITION_HPP_ #include "sdkconfig.h" // For CONFIG_NVS_BDL_STACK -#include "mbedtls/aes.h" // For mbedtls_aes_xts_context -#include "nvs_flash.h" // For nvs_sec_cfg_t + +/* NOTE: Using legacy mbedtls XTS API until PSA Crypto adds XTS support +* With TF-PSA-Crypto 1.0, AES headers moved to mbedtls/private/. +* Need MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS to access XTS functions. +*/ +#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS +#include "mbedtls/aes.h" +#include "nvs_flash.h" #include "nvs_partition.hpp" namespace nvs { diff --git a/components/nvs_flash/test_apps/main/app_main.c b/components/nvs_flash/test_apps/main/app_main.c index 17601f77a1..da1d694c77 100644 --- a/components/nvs_flash/test_apps/main/app_main.c +++ b/components/nvs_flash/test_apps/main/app_main.c @@ -63,8 +63,8 @@ void setUp(void) // Execute mbedtls_aes_init operation to allocate AES interrupt // allocation memory which is considered as memory leak otherwise #if defined(CONFIG_NVS_ENCRYPTION) && defined(SOC_AES_SUPPORTED) - mbedtls_aes_context ctx; - mbedtls_aes_init(&ctx); + // mbedtls_aes_context ctx; + // mbedtls_aes_init(&ctx); #endif // Calling esp_partition_find_first ensures that the partitions have been loaded 
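Review bot: The AES warm-up in setUp is commented out, yet the comment directly above still says `mbedtls_aes_init` must run so the AES interrupt allocation is not counted as a leak; the same edit is made in the nvs_flash test app (`@@ -63,8 +63,8 @@`). Either the allocation no longer happens, in which case remove the comment and the empty `#if SOC_AES_SUPPORTED` block, or it still happens on first use and the leak check needs an equivalent PSA warm-up. As written the code and its comment contradict each other.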
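Review bot: `#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` inside nvs_encrypted_partition.hpp is order-dependent and leaks into every file that includes this header. If `mbedtls/aes.h` was already included earlier in a translation unit without the macro, its include guard will presumably keep the XTS declarations hidden here, and includers silently gain private-identifier access they did not ask for. Consider defining it in the component's build flags for nvs_flash only, or at least add `// must precede the first include of mbedtls/aes.h in this TU` next to the define. The switch from `#pragma once` to an include guard is unrelated to the PSA migration and would be easier to review separately.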
diff --git a/components/nvs_flash/test_apps/main/test_nvs.c b/components/nvs_flash/test_apps/main/test_nvs.c index 04e4efc061..2a3f013411 100644 --- a/components/nvs_flash/test_apps/main/test_nvs.c +++ b/components/nvs_flash/test_apps/main/test_nvs.c @@ -29,6 +29,7 @@ #include "esp_random.h" #ifdef CONFIG_NVS_ENCRYPTION +#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS #include "mbedtls/aes.h" #endif diff --git a/components/protocomm/src/crypto/srp6a/esp_srp.c b/components/protocomm/src/crypto/srp6a/esp_srp.c index 675ca34b08..906df77eb2 100644 --- a/components/protocomm/src/crypto/srp6a/esp_srp.c +++ b/components/protocomm/src/crypto/srp6a/esp_srp.c @@ -676,10 +676,12 @@ esp_err_t esp_srp_get_session_key(esp_srp_handle_t *hd, char *bytes_A, int len_A goto error; } - psa_hash_operation_t hash_op = PSA_HASH_OPERATION_INIT; - psa_status_t status = psa_hash_setup(&hash_op, PSA_ALG_SHA_512); - ESP_RETURN_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, TAG, "Failed to setup hash operation: %d", status); + psa_status_t status = psa_crypto_init(); + ESP_RETURN_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, TAG, "Failed to initialize PSA crypto: %d", status); + psa_hash_operation_t hash_op = PSA_HASH_OPERATION_INIT; + status = psa_hash_setup(&hash_op, PSA_ALG_SHA_512); + ESP_RETURN_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, TAG, "Failed to setup hash operation: %d", status); psa_hash_update(&hash_op, (unsigned char *)bytes_S, len_S); size_t hash_len = 0; status = psa_hash_finish(&hash_op, (unsigned char *)hd->session_key, SHA512_HASH_SZ, &hash_len); diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c index 6328136a91..46d42db737 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-bignum.c 
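Review bot: The new `psa_crypto_init()` check in esp_srp_get_session_key uses ESP_RETURN_ON_FALSE, which returns immediately, while the error path just above it in the same hunk uses `goto error`. If the `error` label releases state allocated earlier in the function (outside this hunk), these early returns skip that cleanup; use `if (status != PSA_SUCCESS) { goto error; }` or the ESP_GOTO_ON_FALSE form for both checks. The return value of `psa_hash_update(&hash_op, ...)` is still ignored, and a failure after `psa_hash_setup` should end with `psa_hash_abort(&hash_op);`. What happens after `psa_hash_finish` is outside the hunk.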
@@ -3,7 +3,7 @@ * * SPDX-License-Identifier: Apache-2.0 */ - +#define MBEDTLS_ALLOW_PRIVATE_ACCESS #ifdef ESP_PLATFORM #include "esp_system.h" #include "mbedtls/bignum.h" diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c index c731257ca2..12d0cd803b 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-ec.c @@ -4,6 +4,8 @@ * SPDX-License-Identifier: Apache-2.0 */ +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #ifdef ESP_PLATFORM #include "esp_system.h" #include "mbedtls/bignum.h" @@ -23,7 +25,7 @@ #include "mbedtls/sha256.h" #include "mbedtls/asn1write.h" #include "mbedtls/error.h" -#include "mbedtls/oid.h" +// #include "mbedtls/crypto_oid.h" #include #include "psa/crypto.h" 
@@ -537,6 +539,82 @@ static struct crypto_ec_key *crypto_alloc_key(void) return (struct crypto_ec_key *)key; } +static psa_ecc_family_t group_id_to_psa(mbedtls_ecp_group_id grp_id, size_t *bits) +{ + switch (grp_id) { + case MBEDTLS_ECP_DP_SECP192R1: + if (bits) { + *bits = 192; + } + return PSA_ECC_FAMILY_SECP_R1; + case MBEDTLS_ECP_DP_SECP224R1: + if (bits) { + *bits = 224; + } + return PSA_ECC_FAMILY_SECP_R1; + case MBEDTLS_ECP_DP_SECP256R1: + if (bits) { + *bits = 256; + } + return PSA_ECC_FAMILY_SECP_R1; + case MBEDTLS_ECP_DP_SECP384R1: + if (bits) { + *bits = 384; + } + return PSA_ECC_FAMILY_SECP_R1; + case MBEDTLS_ECP_DP_SECP521R1: + if (bits) { + *bits = 521; + } + return PSA_ECC_FAMILY_SECP_R1; + case MBEDTLS_ECP_DP_BP256R1: + if (bits) { + *bits = 256; + } + return PSA_ECC_FAMILY_BRAINPOOL_P_R1; + case MBEDTLS_ECP_DP_BP384R1: + if (bits) { + *bits = 384; + } + return PSA_ECC_FAMILY_BRAINPOOL_P_R1; + case MBEDTLS_ECP_DP_BP512R1: + if (bits) { + *bits = 512; + } + return PSA_ECC_FAMILY_BRAINPOOL_P_R1; + case MBEDTLS_ECP_DP_CURVE25519: + if (bits) { + *bits = 255; + } + return PSA_ECC_FAMILY_MONTGOMERY; + case MBEDTLS_ECP_DP_SECP192K1: + if (bits) { + *bits = 192; + } + return PSA_ECC_FAMILY_SECP_K1; + case MBEDTLS_ECP_DP_SECP224K1: + if (bits) { + *bits = 224; + } + return PSA_ECC_FAMILY_SECP_K1; + case MBEDTLS_ECP_DP_SECP256K1: + if (bits) { + *bits = 256; + } + return PSA_ECC_FAMILY_SECP_K1; + case MBEDTLS_ECP_DP_CURVE448: + if (bits) { + *bits = 448; + } + return PSA_ECC_FAMILY_MONTGOMERY; + default: + if (bits) { + *bits = 0; + } + return 0; + } +} + struct crypto_ec_key * crypto_ec_key_set_pub(const struct crypto_ec_group *group, const u8 *buf, size_t len) { 
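Review bot: `group_id_to_psa` has no comment saying that a return value of 0 (with `*bits` set to 0) means "unsupported curve", and callers in this patch rely on knowing that. The thirteen near-identical `case` bodies are also easy to get wrong when a curve is added, and a lookup table states the same mapping in one row per curve. Suggested header comment: `/* Map an mbedtls group id to its PSA ECC family; stores the curve size in *bits when bits is non-NULL. Returns 0 and stores 0 for an unsupported id. */`.

```c
static psa_ecc_family_t group_id_to_psa(mbedtls_ecp_group_id grp_id, size_t *bits)
{
    /* One row per supported curve; an id that is not listed maps to family 0 / 0 bits. */
    static const struct {
        mbedtls_ecp_group_id id;
        psa_ecc_family_t family;
        size_t bits;
    } curves[] = {
        { MBEDTLS_ECP_DP_SECP192R1,  PSA_ECC_FAMILY_SECP_R1,        192 },
        { MBEDTLS_ECP_DP_SECP224R1,  PSA_ECC_FAMILY_SECP_R1,        224 },
        { MBEDTLS_ECP_DP_SECP256R1,  PSA_ECC_FAMILY_SECP_R1,        256 },
        { MBEDTLS_ECP_DP_SECP384R1,  PSA_ECC_FAMILY_SECP_R1,        384 },
        { MBEDTLS_ECP_DP_SECP521R1,  PSA_ECC_FAMILY_SECP_R1,        521 },
        { MBEDTLS_ECP_DP_BP256R1,    PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
        { MBEDTLS_ECP_DP_BP384R1,    PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
        { MBEDTLS_ECP_DP_BP512R1,    PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
        { MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY,     255 },
        { MBEDTLS_ECP_DP_SECP192K1,  PSA_ECC_FAMILY_SECP_K1,        192 },
        { MBEDTLS_ECP_DP_SECP224K1,  PSA_ECC_FAMILY_SECP_K1,        224 },
        { MBEDTLS_ECP_DP_SECP256K1,  PSA_ECC_FAMILY_SECP_K1,        256 },
        { MBEDTLS_ECP_DP_CURVE448,   PSA_ECC_FAMILY_MONTGOMERY,     448 },
    };
    psa_ecc_family_t family = 0;
    size_t curve_bits = 0;

    for (size_t i = 0; i < sizeof(curves) / sizeof(curves[0]); i++) {
        if (curves[i].id == grp_id) {
            family = curves[i].family;
            curve_bits = curves[i].bits;
            break;
        }
    }
    if (bits) {
        *bits = curve_bits;
    }
    return family;
}
```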
@@ -545,16 +623,13 @@ struct crypto_ec_key * crypto_ec_key_set_pub(const struct crypto_ec_group *group return NULL; } - mbedtls_ecp_group *ecp_grp = (mbedtls_ecp_group *)group; - mbedtls_ecp_group_id grp_id = ecp_grp->id; - - size_t key_bits = 0; - psa_ecc_family_t ecc_family = mbedtls_ecc_group_to_psa(grp_id, &key_bits); - - if (ecc_family == 0) { - wpa_printf(MSG_ERROR, "Unsupported ECC group"); + mbedtls_ecp_group *grp = (mbedtls_ecp_group *)group; + if (!grp) { + wpa_printf(MSG_ERROR, "Invalid ECC group"); + return NULL; } - + size_t key_bits = 0; + psa_ecc_family_t ecc_family = group_id_to_psa(grp->id, &key_bits); psa_key_id_t *key_id = os_calloc(1, sizeof(psa_key_id_t)); psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -593,7 +668,7 @@ struct crypto_ec_key * crypto_ec_key_set_pub(const struct crypto_ec_group *group psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT); psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); - psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(ecc_family)); + psa_set_key_type(&key_attributes, ecc_family); status = psa_import_key(&key_attributes, key_buf, key_len, key_id); if (status != PSA_SUCCESS) { 
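Review bot: `crypto_ec_key_set_pub` no longer checks the result of the curve lookup: the old `if (ecc_family == 0)` branch is removed and nothing replaces it, so an unsupported `grp->id` flows on into the key attributes with `key_bits == 0`. Add `if (ecc_family == 0) { wpa_printf(MSG_ERROR, "Unsupported ECC group"); return NULL; }` directly after the `group_id_to_psa()` call, before the `os_calloc`, so that nothing is allocated on the failure path. `crypto_ecdh_init` (hunk -1378,7) calls `group_id_to_psa()` the same way and also uses the result unchecked. The function body continues outside the hunk.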
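Review bot: `psa_set_key_type(&key_attributes, ecc_family)` passes a bare `psa_ecc_family_t` where a `psa_key_type_t` is expected. `group_id_to_psa()` returns only the curve family (for example `PSA_ECC_FAMILY_SECP_R1`), which is not a key type on its own, so the `psa_import_key` call that follows would be expected to reject the attributes. Keep the wrapper the removed line had: `psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(ecc_family));`.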
@@ -692,26 +767,31 @@ struct crypto_ec_group *crypto_ec_get_group_from_key(struct crypto_ec_key *key) } psa_ecc_family_t ecc_family = psa_get_key_type(&key_attributes); - size_t bits = psa_get_key_bits(&key_attributes); - int ret = mbedtls_ecc_group_from_psa(ecc_family, bits); - if (ret == 0) { - wpa_printf(MSG_ERROR, "Unsupported ECC group"); - } - - mbedtls_ecp_group *e = os_zalloc(sizeof(*e)); - if (!e) { + psa_ecc_family_t *curve = os_zalloc(sizeof(psa_ecc_family_t)); + if (!curve) { + wpa_printf(MSG_ERROR, "memory allocation failed"); return NULL; } + *curve = PSA_KEY_TYPE_ECC_GET_FAMILY(ecc_family); + // int ret = mbedtls_ecc_group_from_psa(ecc_family, bits); + // if (ret == 0) { + // wpa_printf(MSG_ERROR, "Unsupported ECC group"); + // } - mbedtls_ecp_group_init(e); + // mbedtls_ecp_group *e = os_zalloc(sizeof(*e)); + // if (!e) { + // return NULL; + // } - if (mbedtls_ecp_group_load(e, ret)) { - mbedtls_ecp_group_free(e); - os_free(e); - e = NULL; - } + // mbedtls_ecp_group_init(e); - return (struct crypto_ec_group *)e; + // if (mbedtls_ecp_group_load(e, ret)) { + // mbedtls_ecp_group_free(e); + // os_free(e); + // e = NULL; + // } + + return (struct crypto_ec_group *)curve; } int crypto_ec_key_group(struct crypto_ec_key *key) @@ -730,13 +810,8 @@ int crypto_ec_key_group(struct crypto_ec_key *key) } psa_ecc_family_t ecc_family = psa_get_key_type(&key_attributes); - size_t bits = psa_get_key_bits(&key_attributes); - int ret = mbedtls_ecc_group_from_psa(ecc_family, bits); - if (ret == 0) { - wpa_printf(MSG_ERROR, "Unsupported ECC group"); - } - int iana_group = (int)crypto_ec_get_mbedtls_to_nist_group_id(ret); + int iana_group = (int)crypto_ec_get_mbedtls_to_nist_group_id(ecc_family); return iana_group; } 
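Review bot: `crypto_ec_get_group_from_key` now returns a heap object the size of one `psa_ecc_family_t` cast to `struct crypto_ec_group *`, but `crypto_ec_key_set_pub` in this same patch still casts that type to `mbedtls_ecp_group *` and reads `grp->id`. A group obtained here and handed to such a consumer is read beyond its allocation, and written beyond it if it is released through the mbedtls group free routine; the representation behind `crypto_ec_group` has to be the same for every producer and consumer in the file. The context line also stores `psa_get_key_type()` (a `psa_key_type_t`) in a `psa_ecc_family_t`, so the value given to `PSA_KEY_TYPE_ECC_GET_FAMILY()` has probably lost the bits that mark it as an ECC key; read it into a `psa_key_type_t` first. The block of commented-out mbedtls code should be deleted rather than kept.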
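Review bot: The key size is dropped in `crypto_ec_key_group`: `psa_get_key_bits()` is removed and only `ecc_family` is passed to `crypto_ec_get_mbedtls_to_nist_group_id()`, whose new PSA cases (hunks -942,6 and -961,6 below) compare a local `bits` that is initialised to 0 and never assigned. As written every `bits == 256`, `384`, `521` or `512` test is false, so a PSA-backed key maps to group 0. Either convert family and bits back to an mbedtls group id before the call, or give the lookup an explicit bits argument. Mixing `MBEDTLS_ECP_DP_*` and `PSA_ECC_FAMILY_*` labels in one `switch` also depends on the two numbering schemes never overlapping, which deserves a comment if it is kept.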
@@ -904,7 +979,7 @@ struct crypto_ec_key *crypto_ec_key_parse_priv(const u8 *privkey, size_t privkey wpa_printf(MSG_ERROR, "memory allocation failed"); return NULL; } - ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); + ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0); if (ret < 0) { //crypto_print_error_string(ret); @@ -942,6 +1017,12 @@ fail: unsigned int crypto_ec_get_mbedtls_to_nist_group_id(int id) { unsigned int nist_grpid = 0; + size_t bits = 0; + psa_ecc_family_t family = PSA_KEY_TYPE_ECC_GET_FAMILY(id); + if (family == PSA_ECC_FAMILY_MONTGOMERY) { + // Montgomery curves are not supported in NIST + return 0; + } switch (id) { case MBEDTLS_ECP_DP_SECP256R1: nist_grpid = 19; @@ -961,6 +1042,24 @@ unsigned int crypto_ec_get_mbedtls_to_nist_group_id(int id) case MBEDTLS_ECP_DP_BP512R1: nist_grpid = 30; break; + case PSA_ECC_FAMILY_SECP_R1: + if (bits == 256) { + nist_grpid = 19; // NIST P-256 + } else if (bits == 384) { + nist_grpid = 20; // NIST P-384 + } else if (bits == 521) { + nist_grpid = 21; // NIST P-521 + } + break; + case PSA_ECC_FAMILY_BRAINPOOL_P_R1: + if (bits == 256) { + nist_grpid = 28; // Brainpool P-256 + } else if (bits == 384) { + nist_grpid = 29; // Brainpool P-384 + } else if (bits == 512) { + nist_grpid = 30; // Brainpool P-512 + } + break; default: break; } @@ -1009,8 +1108,6 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer, goto fail; } - // psa_algorithm_t alg = psa_get_key_algorithm(&peer_key_attributes); - *secret_len = 0; size_t secret_length = 0; status = psa_raw_key_agreement(PSA_ALG_ECDH, *own, peer_key_buf, peer_key_len, secret, 66, &secret_length); 
@@ -1150,7 +1247,7 @@ struct crypto_ec_key * crypto_ec_key_gen(u16 ike_group) } size_t key_bit_length = 0; - psa_ecc_family_t ecc_family = mbedtls_ecc_group_to_psa(ike_group, &key_bit_length); + psa_ecc_family_t ecc_family = group_id_to_psa(ike_group, &key_bit_length); if (ecc_family == 0) { printf("mbedtls_ecc_group_to_psa failed\n"); return NULL; @@ -1174,28 +1271,6 @@ struct crypto_ec_key * crypto_ec_key_gen(u16 ike_group) return (struct crypto_ec_key *)key_id; } -/* - * ECParameters ::= CHOICE { - * namedCurve OBJECT IDENTIFIER - * } - */ -static int pk_write_ec_param(unsigned char **p, unsigned char *start, - mbedtls_ecp_keypair *ec) -{ - int ret; - size_t len = 0; - const char *oid; - size_t oid_len; - - if ((ret = mbedtls_oid_get_oid_by_ec_grp(ec->MBEDTLS_PRIVATE(grp).id, &oid, &oid_len)) != 0) { - return (ret); - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len)); - - return ((int) len); -} - static int pk_write_ec_pubkey_formatted(unsigned char **p, unsigned char *start, mbedtls_ecp_keypair *ec, int format) { @@ -1238,8 +1313,6 @@ int crypto_pk_write_formatted_pubkey_der(mbedtls_pk_context *key, unsigned char { int ret; unsigned char *c; - size_t len = 0, par_len = 0, oid_len; - const char *oid; if (size == 0) { return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); 
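Review bot: `group_id_to_psa()` switches on `MBEDTLS_ECP_DP_*` ids, but `crypto_ec_key_gen` hands it `ike_group` directly, whereas `crypto_ecdh_init` converts its group number with `crypto_mbedtls_get_grp_id()` first. If `ike_group` carries IANA/IKE numbers as its name suggests, the lookup will not find the intended curve; use `group_id_to_psa(crypto_mbedtls_get_grp_id(ike_group), &key_bit_length)`. The failure message still names the old helper and goes to `printf`; `wpa_printf(MSG_ERROR, "Unsupported ECC group %u", ike_group);` would match the rest of the file.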
@@ -1247,45 +1320,13 @@ int crypto_pk_write_formatted_pubkey_der(mbedtls_pk_context *key, unsigned char c = buf + size; - ret = mbedtls_pk_write_pubkey_formatted(&c, buf, key, format); - + ret = mbedtls_pk_write_pubkey_der(key, c, size); if (ret < 0) { + wpa_printf(MSG_ERROR, "mbedtls_pk_write_pubkey_der failed with %d", ret); return ret; } - MBEDTLS_ASN1_CHK_ADD(len, ret); - if (c - buf < 1) { - return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); - } - - /* - * SubjectPublicKeyInfo ::= SEQUENCE { - * algorithm AlgorithmIdentifier, - * subjectPublicKey BIT STRING } - */ - *--c = 0; - len += 1; - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING)); - - if ((ret = mbedtls_oid_get_oid_by_pk_alg(mbedtls_pk_get_type(key), - &oid, &oid_len)) != 0) { - return (ret); - } - - if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) { - MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, mbedtls_pk_ec(*key))); - } - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier(&c, buf, oid, oid_len, - par_len)); - - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len)); - MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED | - MBEDTLS_ASN1_SEQUENCE)); - - return ((int) len); + return ((int) ret); } int crypto_ec_write_pub_key(struct crypto_ec_key *key, unsigned char **key_buf) @@ -1378,7 +1419,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group) psa_key_id_t key_id; size_t key_size = 0; - psa_ecc_family_t ecc_family = mbedtls_ecc_group_to_psa(crypto_mbedtls_get_grp_id(group), &key_size); + psa_ecc_family_t ecc_family = group_id_to_psa(crypto_mbedtls_get_grp_id(group), &key_size); psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family)); psa_set_key_bits(&key_attributes, key_size); 
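Review bot: `mbedtls_pk_write_pubkey_der(key, c, size)` is called with `c = buf + size`, one past the end of the caller's buffer, so the encoder is told it owns `size` bytes starting where `buf` ends. Pass the buffer start instead, `ret = mbedtls_pk_write_pubkey_der(key, buf, size);`, and drop `c`. That function places the DER at the end of the buffer it is given, so callers still have to read from `buf + size - ret`. The `format` argument is no longer used, so a caller asking for a compressed point now gets whatever encoding `mbedtls_pk_write_pubkey_der` emits; if that is intended, say so in a comment. The function starts outside the hunk.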
@@ -1405,6 +1446,8 @@ struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int y) return NULL; } + uint8_t raw_key[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE] = {0}; + status = psa_export_public_key(*key_id, raw_key, sizeof(raw_key), &key_size); if (status != PSA_SUCCESS) { return NULL; diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c index f82ca0bc33..476876c605 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls-rsa.c @@ -121,7 +121,7 @@ struct crypto_private_key * crypto_private_key_import(const u8 *key, mbedtls_pk_init(pkey); ret = mbedtls_pk_parse_key(pkey, key, len, (const unsigned char *)passwd, - passwd ? os_strlen(passwd) : 0, mbedtls_esp_random, NULL); + passwd ? os_strlen(passwd) : 0); if (ret < 0) { wpa_printf(MSG_ERROR, "failed to parse private key"); @@ -189,8 +189,7 @@ int crypto_public_key_encrypt_pkcs1_v15(struct crypto_public_key *key, psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { wpa_printf(MSG_ERROR, "Failed to initialize PSA crypto, returned %d", (int) status); - ret = -1; - goto cleanup; + return -1; } mbedtls_pk_context *pkey = (mbedtls_pk_context *)key; diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c index 702b12ee3b..74f3f1f100 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/crypto_mbedtls.c @@ -3,6 +3,9 @@ * * SPDX-License-Identifier: Apache-2.0 */ + +#define MBEDTLS_ALLOW_PRIVATE_ACCESS + #ifdef ESP_PLATFORM #include "esp_system.h" #endif 
@@ -455,9 +458,9 @@ static void *aes_crypt_init(int mode, const u8 *key, size_t len) return NULL; } - if (mode == MBEDTLS_AES_ENCRYPT) { + if (mode == MBEDTLS_ENCRYPT) { psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - } else if (mode == MBEDTLS_AES_DECRYPT) { + } else if (mode == MBEDTLS_DECRYPT) { psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); } @@ -490,9 +493,9 @@ static int aes_crypt(void *ctx, int mode, const u8 *in, u8 *out) return -1; } - if (mode == MBEDTLS_AES_ENCRYPT) { + if (mode == MBEDTLS_ENCRYPT) { status = psa_cipher_encrypt_setup(&operation, *key_id, PSA_ALG_ECB_NO_PADDING); - } else if (mode == MBEDTLS_AES_DECRYPT) { + } else if (mode == MBEDTLS_DECRYPT) { status = psa_cipher_decrypt_setup(&operation, *key_id, PSA_ALG_ECB_NO_PADDING); } else { wpa_printf(MSG_ERROR, "%s: invalid mode", __func__); @@ -537,12 +540,12 @@ static void aes_crypt_deinit(void *ctx) void *aes_encrypt_init(const u8 *key, size_t len) { - return aes_crypt_init(MBEDTLS_AES_ENCRYPT, key, len); + return aes_crypt_init(MBEDTLS_ENCRYPT, key, len); } int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt) { - return aes_crypt(ctx, MBEDTLS_AES_ENCRYPT, plain, crypt); + return aes_crypt(ctx, MBEDTLS_ENCRYPT, plain, crypt); } void aes_encrypt_deinit(void *ctx) @@ -552,12 +555,12 @@ void aes_encrypt_deinit(void *ctx) void * aes_decrypt_init(const u8 *key, size_t len) { - return aes_crypt_init(MBEDTLS_AES_DECRYPT, key, len); + return aes_crypt_init(MBEDTLS_DECRYPT, key, len); } int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain) { - return aes_crypt(ctx, MBEDTLS_AES_DECRYPT, crypt, plain); + return aes_crypt(ctx, MBEDTLS_DECRYPT, crypt, plain); } void aes_decrypt_deinit(void *ctx) 
@@ -735,8 +738,10 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg, } psa_status_t status; - psa_key_attributes attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_id_t key_id; + psa_cipher_operation_t *enc_operation = NULL; + psa_cipher_operation_t *dec_operation = NULL; status = psa_crypto_init(); if (status != PSA_SUCCESS) { @@ -768,10 +773,10 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg, psa_reset_key_attributes(&attributes); - psa_cipher_operation_t *enc_operation = os_zalloc(sizeof(psa_cipher_operation_t)); + enc_operation = os_zalloc(sizeof(psa_cipher_operation_t)); if (!enc_operation) { wpa_printf(MSG_ERROR, "%s: os_zalloc failed", __func__); - return NULL; + goto cleanup; } ctx->ctx_enc = (void *)enc_operation; 
@@ -779,24 +784,50 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg, status = psa_cipher_encrypt_setup(enc_operation, key_id, psa_alg); if (status != PSA_SUCCESS) { wpa_printf(MSG_ERROR, "%s: psa_cipher_encrypt_setup failed", __func__); - return NULL; + goto cleanup; } status = psa_cipher_set_iv(enc_operation, iv, 16); if (status != PSA_SUCCESS) { wpa_printf(MSG_ERROR, "%s: psa_cipher_set_iv failed", __func__); - return NULL; + goto cleanup; } - psa_cipher_operation_t *dec_operation = os_zalloc(sizeof(psa_cipher_operation_t)); + dec_operation = os_zalloc(sizeof(psa_cipher_operation_t)); if (!dec_operation) { wpa_printf(MSG_ERROR, "%s: os_zalloc failed", __func__); - return NULL; + goto cleanup; } -#endif /* CONFIG_MBEDTLS_CIPHER_MODE_WITH_PADDING */ + + ctx->ctx_dec = (void *)dec_operation; + + status = psa_cipher_decrypt_setup(dec_operation, key_id, psa_alg); + if (status != PSA_SUCCESS) { + wpa_printf(MSG_ERROR, "%s: psa_cipher_decrypt_setup failed", __func__); + goto cleanup; + } + + status = psa_cipher_set_iv(dec_operation, iv, 16); + if (status != PSA_SUCCESS) { + wpa_printf(MSG_ERROR, "%s: psa_cipher_set_iv failed", __func__); + goto cleanup; + } + + ctx->key_id = key_id; + return ctx; cleanup: + if (key_id) { + psa_destroy_key(key_id); + } + if (enc_operation) { + os_free(enc_operation); + } + if (dec_operation) { + os_free(dec_operation); + } + psa_reset_key_attributes(&attributes); os_free(ctx); return NULL; } @@ -856,6 +887,8 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx) if (status != PSA_SUCCESS) { wpa_printf(MSG_ERROR, "%s: psa_destroy_key failed", __func__); } + os_free(ctx->ctx_enc); + os_free(ctx->ctx_dec); os_free(ctx); } #endif diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c b/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c index c938506e94..3d08d86cfe 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c 
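Review bot: The new `cleanup:` path in `crypto_cipher_init` frees `enc_operation` and `dec_operation` with `os_free()` without first calling `psa_cipher_abort()` on them, and it destroys `key_id` before the operations that were set up with it are torn down. Abort each operation before freeing it, e.g. `if (enc_operation) { psa_cipher_abort(enc_operation); os_free(enc_operation); }`, and destroy the key afterwards. `key_id` is declared without an initialiser in the earlier hunk (-735,8), so `if (key_id)` reads an indeterminate value on any jump to `cleanup` that precedes the import; declare it as `psa_key_id_t key_id = 0;`. The `crypto_cipher_deinit` hunk below has the same gap: `os_free(ctx->ctx_enc)` and `os_free(ctx->ctx_dec)` should be preceded by `psa_cipher_abort()`.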
+++ b/components/wpa_supplicant/esp_supplicant/src/crypto/fastpbkdf2.c @@ -25,10 +25,11 @@ #if defined(__GNUC__) #include #endif - -#include +#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS +#include "mbedtls/sha1.h" #include "mbedtls/esp_config.h" #include "utils/wpa_debug.h" +#include "psa/crypto.h" /* --- MSVC doesn't support C99 --- */ #ifdef _MSC_VER @@ -40,7 +41,7 @@ #ifndef MIN #define MIN(a, b) ((a) > (b)) ? (b) : (a) #endif - +#if 0 static inline void write32_be(uint32_t n, uint8_t out[4]) { #if defined(__GNUC__) && __GNUC__ >= 4 && __BYTE_ORDER == __LITTLE_ENDIAN 
@@ -378,11 +379,66 @@ DECL_PBKDF2(sha1, // _name sha1_cpy, // _xcpy sha1_extract, // _xtract sha1_xor) // _xxor +#endif /* 0 */ +#define USE_PSA 1 void fastpbkdf2_hmac_sha1(const uint8_t *pw, size_t npw, const uint8_t *salt, size_t nsalt, uint32_t iterations, uint8_t *out, size_t nout) { +#ifdef USE_PSA + psa_status_t status; + psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + + // Set up key attributes for password + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&attributes, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1)); + psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); + + // Import password as key + status = psa_import_key(&attributes, pw, npw, &key_id); + if (status != PSA_SUCCESS) { + return; + } + + // Set up key derivation + status = psa_key_derivation_setup(&operation, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1)); + if (status != PSA_SUCCESS) { + goto cleanup; + } + + // Add salt + status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_SALT, + salt, nsalt); + if (status != PSA_SUCCESS) { + goto cleanup; + } + + // Add password + status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_PASSWORD, key_id); + if (status != PSA_SUCCESS) { + goto cleanup; + } + + // Set iteration count + status = psa_key_derivation_input_integer(&operation, PSA_KEY_DERIVATION_INPUT_COST, + iterations); + if (status != PSA_SUCCESS) { + goto cleanup; + } + + // Generate output + status = psa_key_derivation_output_bytes(&operation, out, nout); + +cleanup: + psa_key_derivation_abort(&operation); + psa_destroy_key(key_id); + psa_reset_key_attributes(&attributes); + +#else PBKDF2(sha1)(pw, npw, salt, nsalt, iterations, out, nout); +#endif // USE_PSA } 
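Review bot: The derivation inputs in `fastpbkdf2_hmac_sha1` are supplied as salt, password, cost, whereas the PSA Crypto API documents the PBKDF2 inputs in the order cost, salt, password, so the salt step is likely to fail with a bad-state error. Because the function returns `void` and every failure path is silent, the caller would then use whatever was already in `out` as the derived key. Reorder the inputs and log the failure at `cleanup`; the `void` signature cannot report it, which is worth a comment. `#define USE_PSA 1` together with the `#if 0` around the old implementation leaves an `#else` branch that can no longer compile, so one of the two should go.

```c
    // … unchanged: key attributes and psa_import_key() of the password …

    status = psa_key_derivation_setup(&operation, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1));
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    /* PBKDF2 inputs in the documented order: cost, then salt, then password */
    status = psa_key_derivation_input_integer(&operation, PSA_KEY_DERIVATION_INPUT_COST,
                                              iterations);
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_SALT,
                                            salt, nsalt);
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_PASSWORD, key_id);
    if (status != PSA_SUCCESS) {
        goto cleanup;
    }

    status = psa_key_derivation_output_bytes(&operation, out, nout);

cleanup:
    if (status != PSA_SUCCESS) {
        /* void return: the caller cannot see this, so make it visible in the log */
        wpa_printf(MSG_ERROR, "%s: PBKDF2-HMAC-SHA1 failed: %d", __func__, (int) status);
    }
    // … unchanged: abort operation, destroy key, reset attributes …
```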
diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/fastpsk.c b/components/wpa_supplicant/esp_supplicant/src/crypto/fastpsk.c index 3ec8a6a9cc..c14dc7a601 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/fastpsk.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/fastpsk.c @@ -63,6 +63,7 @@ #include "sha/sha_core.h" #endif #include "esp_log.h" +#include "psa/crypto.h" #ifndef PUT_UINT32_BE #define PUT_UINT32_BE(n, b, i) \ @@ -100,24 +101,24 @@ struct fast_psk_context { }; /* Acquire SHA1 hardware for exclusive use */ -static inline void sha1_setup(void) -{ -#if SOC_SHA_SUPPORT_PARALLEL_ENG - esp_sha_lock_engine(SHA1); -#else - esp_sha_acquire_hardware(); -#endif -} +// static inline void sha1_setup(void) +// { +// #if SOC_SHA_SUPPORT_PARALLEL_ENG +// esp_sha_lock_engine(SHA1); +// #else +// esp_sha_acquire_hardware(); +// #endif +// } /* Release SHA1 hardware */ -static inline void sha1_teardown(void) -{ -#if SOC_SHA_SUPPORT_PARALLEL_ENG - esp_sha_unlock_engine(SHA1); -#else - esp_sha_release_hardware(); -#endif -} +// static inline void sha1_teardown(void) +// { +// #if SOC_SHA_SUPPORT_PARALLEL_ENG +// esp_sha_unlock_engine(SHA1); +// #else +// esp_sha_release_hardware(); +// #endif +// } /* * Pads the given HMAC block context with the appropriate SHA1 padding. 
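Review bot: `sha1_setup()` and `sha1_teardown()` are commented out line by line instead of being deleted, and their two call sites in `fast_psk_f` (hunks -210,7 and -245,7) are commented out the same way. The version history keeps the old code, so delete the helpers, the calls and the now orphaned `/* Acquire SHA1 hardware for exclusive use */` and `/* Release SHA1 hardware */` comments. If exclusive access to the SHA engine is now handled inside the PSA driver, a one-line comment in `fast_psk_f` saying so would answer the obvious question.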
@@ -160,13 +161,62 @@ static inline void write32_be(uint32_t n, uint8_t out[4]) void sha1_op(uint32_t blocks[FAST_PSK_SHA1_BLOCKS_BUF_WORDS], uint32_t output[SHA1_OUTPUT_SZ_WORDS]) { - esp_sha_set_mode(SHA1); - /* First block */ - esp_sha_block(SHA1, blocks, true); - /* Second block */ - esp_sha_block(SHA1, &blocks[SHA1_BLOCK_SZ_WORDS], false); - /* Read the final digest */ - esp_sha_read_digest_state(SHA1, output); + // esp_sha_set_mode(SHA1); + // /* First block */ + // esp_sha_block(SHA1, blocks, true); + // /* Second block */ + // esp_sha_block(SHA1, &blocks[SHA1_BLOCK_SZ_WORDS], false); + // /* Read the final digest */ + // esp_sha_read_digest_state(SHA1, output); + + // Convert to PSA API + psa_status_t status; + psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT; + + status = psa_hash_setup(&operation, PSA_ALG_SHA_1); + if (status != PSA_SUCCESS) { + ESP_LOGE("fastpsk", "psa_hash_setup failed: %d", status); + return; + } + + // Update with the first block + status = psa_hash_update(&operation, (const uint8_t *)blocks, SHA1_BLOCK_SZ); + if (status != PSA_SUCCESS) { + ESP_LOGE("fastpsk", "psa_hash_update failed: %d", status); + psa_hash_abort(&operation); + return; + } + + // Update with the second block + status = psa_hash_update(&operation, (const uint8_t *)&blocks[SHA1_BLOCK_SZ_WORDS], SHA1_BLOCK_SZ); + if (status != PSA_SUCCESS) { + ESP_LOGE("fastpsk", "psa_hash_update failed: %d", status); + psa_hash_abort(&operation); + return; + } + + // Finish the hash operation + size_t mac_len; + status = psa_hash_finish(&operation, (uint8_t *)output, SHA1_OUTPUT_SZ, &mac_len); + if (status != PSA_SUCCESS) { + ESP_LOGE("fastpsk", "psa_hash_finish failed: %d", status); + psa_hash_abort(&operation); + return; + } + + // Ensure the output length is correct + if (mac_len != SHA1_OUTPUT_SZ) { + ESP_LOGE("fastpsk", "Unexpected hash length: %zu, expected: %d", mac_len, SHA1_OUTPUT_SZ); + psa_hash_abort(&operation); + return; + } + + // Clean up the operation + status 
= psa_hash_abort(&operation); + if (status != PSA_SUCCESS) { + ESP_LOGE("fastpsk", "psa_hash_abort failed: %d", status); + return; + } #if CONFIG_IDF_TARGET_ESP32 for (int i = 0; i < SHA1_OUTPUT_SZ_WORDS; i++) { @@ -210,7 +260,7 @@ void fast_psk_f(const char *password, size_t password_len, const uint8_t *ssid, /* Pad the block */ pad_blocks(&ctx->inner, SHA1_BLOCK_SZ + ssid_len + 4); - sha1_setup(); + // sha1_setup(); uint32_t *pi, *po; pi = ctx->inner.whole_words; @@ -245,7 +295,7 @@ void fast_psk_f(const char *password, size_t password_len, const uint8_t *ssid, } } - sha1_teardown(); + // sha1_teardown(); /* Copy the final result to the output digest */ memcpy(digest, sum, SHA1_OUTPUT_SZ); diff --git a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c index 00826054ed..dd8d09b088 100644 --- a/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c +++ b/components/wpa_supplicant/esp_supplicant/src/crypto/tls_mbedtls.c @@ -179,7 +179,7 @@ static int set_pki_context(tls_context_t *tls, const struct tls_connection_param ret = mbedtls_pk_parse_key(&tls->clientkey, cfg->private_key_blob, cfg->private_key_blob_len, (const unsigned char *)cfg->private_key_passwd, - cfg->private_key_passwd ? os_strlen(cfg->private_key_passwd) : 0, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); + cfg->private_key_passwd ? os_strlen(cfg->private_key_passwd) : 0); if (ret < 0) { wpa_printf(MSG_ERROR, "mbedtls_pk_parse_keyfile returned -0x%x", -ret); return ret; @@ -611,7 +611,7 @@ static int tls_create_mbedtls_handle(struct tls_connection *conn, goto exit; } - mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); + // mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE); #if defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_3) && !defined(CONFIG_TLSV13) /* Disable TLSv1.3 even when enabled in MbedTLS and not enabled in WiFi config. 
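Review bot: `sha1_op` used to run the raw SHA-1 block function over two blocks that the caller has already padded (see `pad_blocks`), but `psa_hash_update` followed by `psa_hash_finish` treats those 128 bytes as message data and appends SHA-1 padding again. If the blocks still carry the manual padding, the digest is of a different message than before and the derived PSK changes; only the unpadded message bytes should be hashed, which means the length has to reach this function. Every error branch returns from a `void` function with `output` unwritten, and the caller presumably goes on to use it. The `psa_hash_abort()` after a successful `psa_hash_finish()` and the commented-out `esp_sha_*` calls can be removed. The function continues outside the hunk.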
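Review bot: `mbedtls_ssl_conf_rng()` is commented out in `tls_create_mbedtls_handle` with no explanation of where the TLS stack now gets its random source. If the targeted Mbed TLS version always draws from the PSA RNG and no longer offers this call, delete the line and leave a comment such as `/* RNG is supplied by PSA Crypto; psa_crypto_init() must have succeeded before this point */`. Whether `psa_crypto_init()` is guaranteed to have run on this path is not visible in the hunk and should be confirmed.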
diff --git a/examples/protocols/https_request/main/https_request_example_main.c b/examples/protocols/https_request/main/https_request_example_main.c index abbb050ac7..6985f6ea8b 100644 --- a/examples/protocols/https_request/main/https_request_example_main.c +++ b/examples/protocols/https_request/main/https_request_example_main.c @@ -44,6 +44,7 @@ #include "esp_crt_bundle.h" #endif #include "time_sync.h" +#include "esp_random.h" /* Constants that aren't configurable in menuconfig */ #ifdef CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT @@ -95,7 +96,7 @@ extern const uint8_t local_server_cert_pem_end[] asm("_binary_local_server_cer static const int server_supported_ciphersuites[] = {MBEDTLS_TLS1_3_AES_256_GCM_SHA384, MBEDTLS_TLS1_3_AES_128_CCM_SHA256, 0}; static const int server_unsupported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 0}; #else -static const int server_supported_ciphersuites[] = {MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0}; +static const int server_supported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 0}; static const int server_unsupported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 0}; #endif // CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT #endif // CONFIG_EXAMPLE_USING_ESP_TLS_MBEDTLS diff --git a/tools/ci/check_copyright_ignore.txt b/tools/ci/check_copyright_ignore.txt index c910871218..f6ff4824e3 100644 --- a/tools/ci/check_copyright_ignore.txt +++ b/tools/ci/check_copyright_ignore.txt 
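Review bot: The non-TLS-1.3 `server_supported_ciphersuites` list changes from two RSA-certificate suites to one ECDHE-RSA and one ECDHE-ECDSA suite, with no comment on why. An ECDSA suite can only be negotiated with a server that presents an ECDSA certificate, so whether the example's test server still accepts this list should be confirmed. A comment naming the reason for the new selection (for instance that the previous suites are unavailable in the new library configuration, if that is the case) would help. The `#include "esp_random.h"` added in the previous hunk has no visible user in this patch.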
@@ -473,6 +473,12 @@ components/mbedtls/port/include/sha1_alt.h components/mbedtls/port/include/sha256_alt.h components/mbedtls/port/include/sha512_alt.h components/mbedtls/port/sha/parallel_engine/sha.c +components/nvs_flash/include/nvs_handle.hpp +components/nvs_flash/src/nvs_item_hash_list.cpp +components/nvs_flash/src/nvs_pagemanager.hpp +components/nvs_flash/src/nvs_partition_lookup.cpp +components/nvs_flash/src/nvs_partition_lookup.hpp +components/nvs_flash/src/nvs_test_api.h components/protocomm/include/transports/protocomm_console.h components/protocomm/include/transports/protocomm_httpd.h components/riscv/include/riscv/csr.h