Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SL-UP] Adds mbedTLS 3.x support with tinycrypt uECC APIs #132

Merged
merged 5 commits into from
Dec 2, 2024
+50 −75
Merged

[SL-UP] Adds mbedTLS 3.x support with tinycrypt uECC APIs #132

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
44172dd
Adds mbedTLS 3.x support with tinycrypt uECC APIs
rosahay-silabs Nov 26, 2024
a5b24d4
Added comments for the MACRO
rosahay-silabs Nov 27, 2024
fb7efa0
Remove duplicate includes
rosahay-silabs Nov 27, 2024
eaed9c6
Remove MBEDTLS_ALLOW_PRIVATE_ACCESS
rosahay-silabs Nov 27, 2024
0f60b57
Updated Support SDK pointer
rosahay-silabs Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion src/platform/silabs/SiWx917/BUILD.gn
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,6 @@ static_library("SiWx917") {

public_deps += [
"${chip_root}/src/crypto",
"${mbedtls_root}:mbedtls",
"${silabs_platform_dir}/wifi:wifi-platform",
]
}
Expand Down
91 changes: 29 additions & 62 deletions src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,8 +17,9 @@

/**
* @file
* mbedTLS based implementation of CHIP crypto primitives
* mbedTLS and Tinycrypt based implementation of CHIP crypto primitives
*/
#include <string.h>

#include <crypto/CHIPCryptoPAL.h>

Expand All @@ -34,6 +35,7 @@
#include <mbedtls/error.h>
#include <mbedtls/hkdf.h>
#include <mbedtls/md.h>
#include <mbedtls/pk.h>
#include <mbedtls/pkcs5.h>
#include <mbedtls/sha1.h>
#include <mbedtls/sha256.h>
Expand All @@ -44,7 +46,6 @@
#include <mbedtls/x509.h>
#include <mbedtls/x509_csr.h>

#include <mbedtls/pk.h>
#include <tinycrypt/ecc.h>
#include <tinycrypt/ecc_dh.h>
#include <tinycrypt/ecc_dsa.h>
Expand All @@ -58,14 +59,18 @@
#include <lib/support/SafePointerCast.h>
#include <lib/support/logging/CHIPLogging.h>

#include <string.h>

#ifdef SLI_SI91X_MCU_INTERFACE
#ifdef __cplusplus
extern "C" {
#include "sl_si91x_trng.h"
}
#endif

#if defined(SLI_SI91X_MCU_INTERFACE)
#include <sl_si91x_trng.h>
#endif // SLI_SI91X_MCU_INTERFACE

#ifdef __cplusplus
}
#endif

namespace chip {
namespace Crypto {

Expand All @@ -85,6 +90,8 @@ namespace Crypto {
#define CHIP_CRYPTO_PAL_PRIVATE_X509(x) x
#endif

namespace {

typedef struct
{
bool mInitialized;
Expand All @@ -93,9 +100,15 @@ typedef struct
mbedtls_entropy_context mEntropy;
} EntropyContext;

typedef struct
{
uint8_t private_key[NUM_ECC_BYTES];
uint8_t public_key[2 * NUM_ECC_BYTES];
} mbedtls_uecc_keypair;

static EntropyContext gsEntropyContext;

static void _log_mbedTLS_error(int error_code)
void _log_mbedTLS_error(int error_code)
{
if (error_code != 0 && error_code != UECC_SUCCESS)
{
Expand All @@ -110,14 +123,15 @@ static void _log_mbedTLS_error(int error_code)
}
}

static bool _isValidTagLength(size_t tag_length)
bool _isValidTagLength(size_t tag_length)
{
if (tag_length == 8 || tag_length == 12 || tag_length == 16)
{
return true;
}
return false;
}
} // namespace

CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length,
const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext,
Expand Down Expand Up @@ -494,11 +508,6 @@ CHIP_ERROR DRBG_get_bytes(uint8_t * out_buffer, const size_t out_length)
return CHIP_NO_ERROR;
}

static int CryptoRNG(void * ctxt, uint8_t * out_buffer, size_t out_length)
{
return (chip::Crypto::DRBG_get_bytes(out_buffer, out_length) == CHIP_NO_ERROR) ? 0 : 1;
}

mbedtls_ecp_group_id MapECPGroupId(SupportedECPKeyTypes keyType)
{
switch (keyType)
Expand Down Expand Up @@ -734,53 +743,11 @@ P256Keypair::~P256Keypair()

CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
{
CHIP_ERROR error = CHIP_NO_ERROR;
int result = 0;
size_t out_length;

mbedtls_x509write_csr csr;
mbedtls_x509write_csr_init(&csr);

mbedtls_pk_context pk;
pk.CHIP_CRYPTO_PAL_PRIVATE(pk_info) = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
pk.CHIP_CRYPTO_PAL_PRIVATE(pk_ctx) = to_keypair(&mKeypair);
VerifyOrExit(pk.CHIP_CRYPTO_PAL_PRIVATE(pk_info) != nullptr, error = CHIP_ERROR_INTERNAL);

VerifyOrExit(mInitialized, error = CHIP_ERROR_UNINITIALIZED);

mbedtls_x509write_csr_set_key(&csr, &pk);

mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256);

// TODO: mbedTLS CSR parser fails if the subject name is not set (or if empty).
// CHIP Spec doesn't specify the subject name that can be used.
// Figure out the correct value and update this code.
result = mbedtls_x509write_csr_set_subject_name(&csr, "O=CSR");
VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);

result = mbedtls_x509write_csr_der(&csr, out_csr, csr_length, CryptoRNG, nullptr);
VerifyOrExit(result > 0, error = CHIP_ERROR_INTERNAL);
VerifyOrExit(CanCastTo<size_t>(result), error = CHIP_ERROR_INTERNAL);

out_length = static_cast<size_t>(result);
result = 0;
VerifyOrExit(out_length <= csr_length, error = CHIP_ERROR_INTERNAL);

if (csr_length != out_length)
{
// mbedTLS API writes the CSR at the end of the provided buffer.
// Let's move it to the start of the buffer.
size_t offset = csr_length - out_length;
memmove(out_csr, &out_csr[offset], out_length);
}

csr_length = out_length;

exit:
mbedtls_x509write_csr_free(&csr);

_log_mbedTLS_error(result);
return error;
MutableByteSpan csr(out_csr, csr_length);
CHIP_ERROR err = GenerateCertificateSigningRequest(this, csr);
csr_length = (CHIP_NO_ERROR == err) ? csr.size() : 0;
ChipLogByteSpan(Crypto, csr);
return err;
}

CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_length, P256PublicKey & pubkey)
Expand Down Expand Up @@ -1523,7 +1490,7 @@ CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256P
VerifyOrExit(mbedtls_pk_get_type(&(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk))) == MBEDTLS_PK_ECKEY,
error = CHIP_ERROR_INVALID_ARGUMENT);

keypair = mbedtls_pk_uecc(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk));
keypair = (mbedtls_uecc_keypair *) (mbedtls_pk_ec(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk)));
Uint8::to_uchar(pubkey)[0] = 0x04; // uncompressed type
memcpy(Uint8::to_uchar(pubkey) + 1, keypair->public_key, 2 * NUM_ECC_BYTES);

Expand Down
1 change: 1 addition & 0 deletions src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_PK_HAVE_ECC_KEYS
#define MBEDTLS_SHA256_SMALLER
#define MBEDTLS_SHA512_C
#define MBEDTLS_SSL_CLI_C
Expand Down
30 changes: 19 additions & 11 deletions third_party/silabs/SiWx917_sdk.gni
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -534,7 +534,7 @@ template("siwx917_sdk") {
}

if (sl_si91x_crypto_flavor == "tinycrypt") {
_mbedtls_root = "${mbedtls_root}/repo"
_mbedtls_root = "${efr32_sdk_root}/util/third_party/mbedtls"

config("siwx917_tinycrypt_config") {
defines = [
Expand All @@ -543,14 +543,17 @@ template("siwx917_sdk") {
]

include_dirs = [
"${sdk_support_root}/matter/mbedtls/tinycrypt/inc",
# mbedTLS headers
"${_mbedtls_root}/include",
"${_mbedtls_root}/library",

# GECKO SDK configuration included to be used in autogenerated files
"${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/config",
"${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/config/preset",
"${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/inc",

# tinycrypt specific headers
"${sdk_support_root}/matter/mbedtls/tinycrypt/inc",
]
}

Expand All @@ -567,6 +570,7 @@ template("siwx917_sdk") {
"${_mbedtls_root}/library/asn1write.c",
"${_mbedtls_root}/library/base64.c",
"${_mbedtls_root}/library/bignum.c",
"${_mbedtls_root}/library/bignum_core.c",
"${_mbedtls_root}/library/ccm.c",
"${_mbedtls_root}/library/cipher.c",
"${_mbedtls_root}/library/cipher_wrap.c",
Expand All @@ -577,30 +581,34 @@ template("siwx917_sdk") {
"${_mbedtls_root}/library/ecp.c",
"${_mbedtls_root}/library/ecp_curves.c",
"${_mbedtls_root}/library/entropy.c",
"${_mbedtls_root}/library/error.c",
"${_mbedtls_root}/library/hkdf.c",
"${_mbedtls_root}/library/hmac_drbg.c",
"${_mbedtls_root}/library/md.c",
"${_mbedtls_root}/library/pem.c",
"${_mbedtls_root}/library/pkcs5.c",
"${_mbedtls_root}/library/platform.c",
"${_mbedtls_root}/library/platform_util.c",
"${_mbedtls_root}/library/sha256.c",
"${_mbedtls_root}/library/sha512.c",
"${_mbedtls_root}/library/version.c",
"${_mbedtls_root}/library/x509_create.c",

# mbedtls + tinycrypt integration
"${_mbedtls_root}/library/oid.c",
"${_mbedtls_root}/library/pk.c",
"${_mbedtls_root}/library/pk_wrap.c",
"${_mbedtls_root}/library/pk_wrap.h",
"${_mbedtls_root}/library/pkparse.c",
"${_mbedtls_root}/library/pkwrite.c",
"${_mbedtls_root}/library/x509_crt.c",
"${_mbedtls_root}/library/x509write_csr.c",

# tinycrypt
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc_dh.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc_dsa.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/error.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/oid.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pk.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pk_wrap.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pkparse.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pkwrite.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/platform_util.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/x509_crt.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/x509write_csr.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/tinycrypt_util.c",
]

public_deps = [ "${chip_root}/src/crypto:crypto_buildconfig" ]
Expand Down
2 changes: 1 addition & 1 deletion third_party/silabs/matter_support
Open in desktop
Submodule matter_support updated 28 files
+24 −3 components/service/network_manager/src/sl_net_for_lwip.c
+0 −977 matter/mbedtls/tinycrypt/inc/mbedtls/check_config.h
+0 −1,766 matter/mbedtls/tinycrypt/inc/mbedtls/config.h
+0 −927 matter/mbedtls/tinycrypt/inc/mbedtls/oid.h
+0 −936 matter/mbedtls/tinycrypt/inc/mbedtls/pk.h
+0 −139 matter/mbedtls/tinycrypt/inc/mbedtls/pk_internal.h
+0 −448 matter/mbedtls/tinycrypt/inc/mbedtls/platform.h
+0 −462 matter/mbedtls/tinycrypt/inc/mbedtls/platform_util.h
+412 −478 matter/mbedtls/tinycrypt/inc/tinycrypt/ecc.h
+119 −135 matter/mbedtls/tinycrypt/inc/tinycrypt/ecc_dh.h
+134 −144 matter/mbedtls/tinycrypt/inc/tinycrypt/ecc_dsa.h
+13 −0 matter/mbedtls/tinycrypt/inc/tinycrypt/tinycrypt_util.h
+1,869 −1,738 matter/mbedtls/tinycrypt/src/ecc.c
+202 −182 matter/mbedtls/tinycrypt/src/ecc_dh.c
+320 −308 matter/mbedtls/tinycrypt/src/ecc_dsa.c
+0 −1,064 matter/mbedtls/tinycrypt/src/error.c
+0 −884 matter/mbedtls/tinycrypt/src/oid.c
+0 −641 matter/mbedtls/tinycrypt/src/pk.c
+0 −1,344 matter/mbedtls/tinycrypt/src/pk_wrap.c
+0 −1,672 matter/mbedtls/tinycrypt/src/pkparse.c
+0 −716 matter/mbedtls/tinycrypt/src/pkwrite.c
+0 −449 matter/mbedtls/tinycrypt/src/platform_util.c
+209 −0 matter/mbedtls/tinycrypt/src/tinycrypt_util.c
+0 −3,196 matter/mbedtls/tinycrypt/src/x509_crt.c
+0 −355 matter/mbedtls/tinycrypt/src/x509write_csr.c
+1 −1 matter/si91x/siwx917/BRD4338A/autogen/sli_mbedtls_config_autogen.h
+1 −1 matter/si91x/siwx917/BRD4342A/autogen/sli_mbedtls_config_autogen.h
+1 −1 matter/si91x/siwx917/BRD4343A/autogen/sli_mbedtls_config_autogen.h
Loading