From 44ba9bfa68c2712fa53caaeb057cf661fa493aec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C5=81ukasz=20Duda?= Date: Sun, 22 Sep 2024 01:57:39 +0200 Subject: [PATCH] [crypto] enable PSA Crypto API by default --- examples/platforms/simulation/CMakeLists.txt | 2 +- examples/platforms/simulation/crypto.c | 121 ----------------- examples/platforms/simulation/entropy.c | 34 +++++ .../openthread-core-simulation-config.h | 8 ++ src/posix/platform/CMakeLists.txt | 1 + src/posix/platform/entropy.cpp | 34 +++++ tests/unit/CMakeLists.txt | 1 + tests/unit/test_platform.cpp | 34 +++++ third_party/mbedtls/CMakeLists.txt | 31 ++++- third_party/mbedtls/mbedtls-config.h | 126 +++++++++++++----- third_party/mbedtls/psa-crypto-config.h | 86 ++++++++++++ 11 files changed, 318 insertions(+), 160 deletions(-) delete mode 100644 examples/platforms/simulation/crypto.c create mode 100644 third_party/mbedtls/psa-crypto-config.h diff --git a/examples/platforms/simulation/CMakeLists.txt b/examples/platforms/simulation/CMakeLists.txt index 3030de47a260..cfe1b8a7241f 100644 --- a/examples/platforms/simulation/CMakeLists.txt +++ b/examples/platforms/simulation/CMakeLists.txt @@ -67,7 +67,6 @@ set(OT_PLATFORM_DEFINES ${OT_PLATFORM_DEFINES} PARENT_SCOPE) add_library(openthread-simulation alarm.c ble.c - crypto.c diag.c dns.c dnssd.c @@ -99,6 +98,7 @@ target_link_libraries(openthread-simulation PRIVATE openthread-platform ot-simulation-config ot-config + mbedtls ) target_compile_options(openthread-simulation PRIVATE diff --git a/examples/platforms/simulation/crypto.c b/examples/platforms/simulation/crypto.c deleted file mode 100644 index 20c151b46b24..000000000000 --- a/examples/platforms/simulation/crypto.c +++ /dev/null @@ -1,121 +0,0 @@ -/* - * Copyright (c) 2021, The OpenThread Authors. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. Neither the name of the copyright holder nor the - * names of its contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "platform-simulation.h" - -#include -#include - -#include -#include - -#if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE - -// crypto key storage stubs - -otError otPlatCryptoImportKey(otCryptoKeyRef *aKeyRef, - otCryptoKeyType aKeyType, - otCryptoKeyAlgorithm aKeyAlgorithm, - int aKeyUsage, - otCryptoKeyStorage aKeyPersistence, - const uint8_t *aKey, - size_t aKeyLen) -{ - OT_UNUSED_VARIABLE(aKeyRef); - OT_UNUSED_VARIABLE(aKeyType); - OT_UNUSED_VARIABLE(aKeyAlgorithm); - OT_UNUSED_VARIABLE(aKeyUsage); - OT_UNUSED_VARIABLE(aKeyPersistence); - OT_UNUSED_VARIABLE(aKey); - OT_UNUSED_VARIABLE(aKeyLen); - - return OT_ERROR_NOT_IMPLEMENTED; -} - -otError otPlatCryptoExportKey(otCryptoKeyRef aKeyRef, uint8_t *aBuffer, size_t aBufferLen, size_t *aKeyLen) -{ - OT_UNUSED_VARIABLE(aKeyRef); - OT_UNUSED_VARIABLE(aBuffer); - OT_UNUSED_VARIABLE(aBufferLen); - OT_UNUSED_VARIABLE(aKeyLen); - - return OT_ERROR_NOT_IMPLEMENTED; -} - -otError otPlatCryptoDestroyKey(otCryptoKeyRef aKeyRef) -{ - OT_UNUSED_VARIABLE(aKeyRef); - - return OT_ERROR_NOT_IMPLEMENTED; -} - -bool otPlatCryptoHasKey(otCryptoKeyRef aKeyRef) -{ - OT_UNUSED_VARIABLE(aKeyRef); - - return false; -} - -otError otPlatCryptoEcdsaGenerateAndImportKey(otCryptoKeyRef aKeyRef) -{ - OT_UNUSED_VARIABLE(aKeyRef); - - return OT_ERROR_NONE; -} - -otError otPlatCryptoEcdsaExportPublicKey(otCryptoKeyRef aKeyRef, otPlatCryptoEcdsaPublicKey *aPublicKey) -{ - OT_UNUSED_VARIABLE(aKeyRef); - OT_UNUSED_VARIABLE(aPublicKey); - - return OT_ERROR_NONE; -} - -otError otPlatCryptoEcdsaSignUsingKeyRef(otCryptoKeyRef aKeyRef, - const otPlatCryptoSha256Hash *aHash, - otPlatCryptoEcdsaSignature *aSignature) -{ - OT_UNUSED_VARIABLE(aKeyRef); - OT_UNUSED_VARIABLE(aHash); - OT_UNUSED_VARIABLE(aSignature); - - return OT_ERROR_NONE; -} - -otError otPlatCryptoEcdsaVerifyUsingKeyRef(otCryptoKeyRef aKeyRef, - const otPlatCryptoSha256Hash *aHash, - const otPlatCryptoEcdsaSignature *aSignature) -{ - OT_UNUSED_VARIABLE(aKeyRef); - OT_UNUSED_VARIABLE(aHash); - OT_UNUSED_VARIABLE(aSignature); - - return OT_ERROR_NONE; -} - -#endif // OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE diff --git a/examples/platforms/simulation/entropy.c b/examples/platforms/simulation/entropy.c index b567b0b635cf..a7c4906fc08f 100644 --- a/examples/platforms/simulation/entropy.c +++ b/examples/platforms/simulation/entropy.c @@ -39,6 +39,10 @@ #include +#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) +#include +#endif + #include "utils/code_utils.h" #ifndef __SANITIZE_ADDRESS__ @@ -134,3 +138,33 @@ otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength) return error; } + +#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +/** + * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no + * API to configure a dedicated non-default entropy source. It is documented that a future version of + * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources. + * + * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already + * uses CSPRNG, we will call it here as well. + */ +psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context, + uint8_t *output, + size_t output_size, + size_t *output_length) +{ + OT_UNUSED_VARIABLE(context); + + otError error; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + + error = otPlatEntropyGet(output, (uint16_t)output_size); + if (error == OT_ERROR_NONE) + { + *output_length = output_size; + status = PSA_SUCCESS; + } + + return status; +} +#endif diff --git a/examples/platforms/simulation/openthread-core-simulation-config.h b/examples/platforms/simulation/openthread-core-simulation-config.h index 1b702788a0c9..55128288ce38 100644 --- a/examples/platforms/simulation/openthread-core-simulation-config.h +++ b/examples/platforms/simulation/openthread-core-simulation-config.h @@ -39,6 +39,14 @@ #define OPENTHREAD_RADIO 0 #endif +#ifndef OPENTHREAD_CONFIG_CRYPTO_LIB +#define OPENTHREAD_CONFIG_CRYPTO_LIB OPENTHREAD_CONFIG_CRYPTO_LIB_PSA +#endif + +#ifndef OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE +#define OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 1 +#endif + #ifndef OPENTHREAD_CONFIG_PLATFORM_INFO #define OPENTHREAD_CONFIG_PLATFORM_INFO "SIMULATION" #endif diff --git a/src/posix/platform/CMakeLists.txt b/src/posix/platform/CMakeLists.txt index b4ac241f53eb..7b9072d699a1 100644 --- a/src/posix/platform/CMakeLists.txt +++ b/src/posix/platform/CMakeLists.txt @@ -170,6 +170,7 @@ target_link_libraries(openthread-posix ot-config-ftd ot-config ot-posix-config + mbedtls $<$>:util> $<$:rt> ) diff --git a/src/posix/platform/entropy.cpp b/src/posix/platform/entropy.cpp index 79f493886740..458719c6810c 100644 --- a/src/posix/platform/entropy.cpp +++ b/src/posix/platform/entropy.cpp @@ -41,6 +41,10 @@ #include #include +#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) +#include +#endif + #include "common/code_utils.hpp" #ifndef __SANITIZE_ADDRESS__ @@ -136,3 +140,33 @@ otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength) return error; } + +#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +/** + * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no + * API to configure a dedicated non-default entropy source. It is documented that a future version of + * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources. + * + * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already + * uses CSPRNG, we will call it here as well. + */ +extern "C" psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context, + uint8_t *output, + size_t output_size, + size_t *output_length) +{ + OT_UNUSED_VARIABLE(context); + + otError error; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + + error = otPlatEntropyGet(output, (uint16_t)output_size); + if (error == OT_ERROR_NONE) + { + *output_length = output_size; + status = PSA_SUCCESS; + } + + return status; +} +#endif diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt index e936417c1bcb..829e0c2c9f30 100644 --- a/tests/unit/CMakeLists.txt +++ b/tests/unit/CMakeLists.txt @@ -101,6 +101,7 @@ endif() target_link_libraries(ot-test-platform-ftd PRIVATE ot-config + mbedtls ${OT_MBEDTLS} ) diff --git a/tests/unit/test_platform.cpp b/tests/unit/test_platform.cpp index 89dfda775f11..7f8605d760c1 100644 --- a/tests/unit/test_platform.cpp +++ b/tests/unit/test_platform.cpp @@ -40,6 +40,10 @@ #include #endif +#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) +#include +#endif + enum { FLASH_SWAP_SIZE = 2048, @@ -228,6 +232,36 @@ OT_TOOL_WEAK otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength) return error; } +#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +/** + * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no + * API to configure a dedicated non-default entropy source. It is documented that a future version of + * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources. + * + * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already + * uses CSPRNG, we will call it here as well. + */ +extern "C" psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context, + uint8_t *output, + size_t output_size, + size_t *output_length) +{ + OT_UNUSED_VARIABLE(context); + + otError error; + psa_status_t status = PSA_ERROR_GENERIC_ERROR; + + error = otPlatEntropyGet(output, (uint16_t)output_size); + if (error == OT_ERROR_NONE) + { + *output_length = output_size; + status = PSA_SUCCESS; + } + + return status; +} +#endif + static void DiagOutput(const char *aFormat, ...) { va_list args; diff --git a/third_party/mbedtls/CMakeLists.txt b/third_party/mbedtls/CMakeLists.txt index 5fd9c5eb9247..edda48e900af 100644 --- a/third_party/mbedtls/CMakeLists.txt +++ b/third_party/mbedtls/CMakeLists.txt @@ -27,8 +27,10 @@ # set(OT_MBEDTLS_DEFAULT_CONFIG_FILE \"openthread-mbedtls-config.h\") +set(OT_PSA_CRYPTO_DEFAULT_CONFIG_FILE \"openthread-psa-crypto-config.h\") set(OT_MBEDTLS_CONFIG_FILE "" CACHE STRING "The mbedTLS config file") +set(OT_PSA_CRYPTO_CONFIG_FILE "" CACHE STRING "The PCA Crypto config file") set(ENABLE_TESTING OFF CACHE BOOL "Disable mbedtls test" FORCE) set(ENABLE_PROGRAMS OFF CACHE BOOL "Disable mbetls program" FORCE) @@ -42,6 +44,8 @@ if(UNIFDEF_EXE) endif() find_program(SED_EXE sed) +set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-unused-but-set-variable") + string(REPLACE "-Wconversion" "" CMAKE_C_FLAGS "${CMAKE_C_FLAGS}") string(REPLACE "-Wconversion" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}") @@ -63,15 +67,29 @@ if(UNIFDEFALL_EXE AND SED_EXE AND UNIFDEF_VERSION VERSION_GREATER_EQUAL 2.10) COMMAND_EXPAND_LISTS ) + add_custom_command(OUTPUT openthread-psa-crypto-config.h + COMMAND ${UNIFDEFALL_EXE} + "'-D$,';'-D>'" + "-I$,;-I>" + "-I$" + "-I${CMAKE_CURRENT_SOURCE_DIR}/repo/include" + "${CMAKE_CURRENT_SOURCE_DIR}/psa-crypto-config.h" | + ${SED_EXE} '/openthread-core-config\.h/d' > + openthread-psa-crypto-config.h + MAIN_DEPENDENCY psa-crypto-config.h + COMMAND_EXPAND_LISTS + ) + add_custom_target(openthread-mbedtls-config - DEPENDS openthread-mbedtls-config.h) + DEPENDS openthread-mbedtls-config.h openthread-psa-crypto-config.h) - add_dependencies(ot-config openthread-mbedtls-config) - add_dependencies(mbedtls openthread-mbedtls-config) - add_dependencies(mbedx509 openthread-mbedtls-config) - add_dependencies(mbedcrypto openthread-mbedtls-config) + add_dependencies(ot-config openthread-mbedtls-config openthread-psa-crypto-config) + add_dependencies(mbedtls openthread-mbedtls-config openthread-psa-crypto-config) + add_dependencies(mbedx509 openthread-mbedtls-config openthread-psa-crypto-config) + add_dependencies(mbedcrypto openthread-mbedtls-config openthread-psa-crypto-config) else() configure_file(mbedtls-config.h openthread-mbedtls-config.h COPYONLY) + configure_file(psa-crypto-config.h openthread-psa-crypto-config.h COPYONLY) endif() target_include_directories(ot-config SYSTEM @@ -82,6 +100,7 @@ target_include_directories(ot-config SYSTEM target_compile_definitions(mbedtls PUBLIC "MBEDTLS_CONFIG_FILE=$,${OT_MBEDTLS_CONFIG_FILE},${OT_MBEDTLS_DEFAULT_CONFIG_FILE}>" + "MBEDTLS_PSA_CRYPTO_CONFIG_FILE=$,${OT_PSA_CRYPTO_CONFIG_FILE},${OT_PSA_CRYPTO_DEFAULT_CONFIG_FILE}>" PRIVATE $ ) @@ -96,6 +115,7 @@ target_include_directories(mbedtls target_compile_definitions(mbedx509 PUBLIC "MBEDTLS_CONFIG_FILE=$,${OT_MBEDTLS_CONFIG_FILE},${OT_MBEDTLS_DEFAULT_CONFIG_FILE}>" + "MBEDTLS_PSA_CRYPTO_CONFIG_FILE=$,${OT_PSA_CRYPTO_CONFIG_FILE},${OT_PSA_CRYPTO_DEFAULT_CONFIG_FILE}>" PRIVATE $ ) @@ -110,6 +130,7 @@ target_include_directories(mbedx509 target_compile_definitions(mbedcrypto PUBLIC "MBEDTLS_CONFIG_FILE=$,${OT_MBEDTLS_CONFIG_FILE},${OT_MBEDTLS_DEFAULT_CONFIG_FILE}>" + "MBEDTLS_PSA_CRYPTO_CONFIG_FILE=$,${OT_PSA_CRYPTO_CONFIG_FILE},${OT_PSA_CRYPTO_DEFAULT_CONFIG_FILE}>" PRIVATE $ ) diff --git a/third_party/mbedtls/mbedtls-config.h b/third_party/mbedtls/mbedtls-config.h index 32ced0a9e62c..6c9a5a22f35a 100644 --- a/third_party/mbedtls/mbedtls-config.h +++ b/third_party/mbedtls/mbedtls-config.h @@ -40,7 +40,11 @@ #include #include -#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf +// ============================================================================== +// mbedTLS legacy/PSA configuration +// ============================================================================== + +#if OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_MBEDTLS #define MBEDTLS_AES_C #if (MBEDTLS_VERSION_NUMBER >= 0x03050000) @@ -66,19 +70,51 @@ #define MBEDTLS_ENTROPY_C #define MBEDTLS_HAVE_ASM #define MBEDTLS_HMAC_DRBG_C -#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED #define MBEDTLS_MD_C -#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES -#define MBEDTLS_NO_PLATFORM_ENTROPY -#define MBEDTLS_OID_C -#define MBEDTLS_PK_C -#define MBEDTLS_PK_PARSE_C -#define MBEDTLS_PLATFORM_C -#define MBEDTLS_PLATFORM_MEMORY -#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS #define MBEDTLS_SHA224_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA256_SMALLER + +#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE +#define MBEDTLS_BASE64_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#endif + +#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE +#define MBEDTLS_GCM_C +#endif + +#if OPENTHREAD_CONFIG_ECDSA_ENABLE +#define MBEDTLS_BASE64_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_C +#if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE +#define MBEDTLS_ECDSA_DETERMINISTIC +#endif +#endif + +#elif OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA + +#define MBEDTLS_PSA_CRYPTO_C +#define MBEDTLS_PSA_CRYPTO_CLIENT +#define MBEDTLS_PSA_CRYPTO_STORAGE_C +#define MBEDTLS_USE_PSA_CRYPTO + +#define MBEDTLS_PSA_CRYPTO_CONFIG + +// Temporary for ITS.. +#define MBEDTLS_PSA_ITS_FILE_C +#define MBEDTLS_FS_IO + +#define MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG + +#endif + +// ============================================================================== +// SSL configuration +// ============================================================================== + #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_DTLS_ANTI_REPLAY #define MBEDTLS_SSL_DTLS_HELLO_VERIFY @@ -93,6 +129,12 @@ #define MBEDTLS_SSL_SRV_C #endif +#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE +#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE +#endif + +#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + #if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #endif @@ -102,36 +144,59 @@ #endif #if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE -#define MBEDTLS_SSL_KEEP_PEER_CERTIFICATE -#define MBEDTLS_GCM_C +#define MBEDTLS_SSL_MAX_CONTENT_LEN 2000 /**< Maxium fragment length in bytes */ +#elif OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE +#define MBEDTLS_SSL_MAX_CONTENT_LEN 900 /**< Maxium fragment length in bytes */ +#else +#define MBEDTLS_SSL_MAX_CONTENT_LEN 768 /**< Maxium fragment length in bytes */ #endif -#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN +#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN +#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 + +// ============================================================================== +// x509 & PK configuration +// ============================================================================== + +#define MBEDTLS_OID_C +#define MBEDTLS_PK_C +#define MBEDTLS_PK_PARSE_C + +#if OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE || OPENTHREAD_CONFIG_TLS_ENABLE #define MBEDTLS_BASE64_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_X509_USE_C #define MBEDTLS_X509_CRT_PARSE_C #endif #if OPENTHREAD_CONFIG_ECDSA_ENABLE -#define MBEDTLS_BASE64_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C -#if OPENTHREAD_CONFIG_DETERMINISTIC_ECDSA_ENABLE -#define MBEDTLS_ECDSA_DETERMINISTIC -#endif #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PK_WRITE_C #endif +// ============================================================================== +// MPI configuration +// ============================================================================== + #define MBEDTLS_MPI_WINDOW_SIZE 1 /**< Maximum windows size used. */ #define MBEDTLS_MPI_MAX_SIZE 32 /**< Maximum number of bytes for usable MPIs. */ + +// ============================================================================== +// ECP configuration +// ============================================================================== + +#if (MBEDTLS_VERSION_NUMBER < 0x03000000) #define MBEDTLS_ECP_MAX_BITS 256 /**< Maximum bit size of groups */ +#endif #define MBEDTLS_ECP_WINDOW_SIZE 2 /**< Maximum window size used */ #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Enable fixed-point speed-up */ -#define MBEDTLS_ENTROPY_MAX_SOURCES 1 /**< Maximum number of sources supported */ + +// ============================================================================== +// Platform configuration +// ============================================================================== + +#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf #if OPENTHREAD_CONFIG_HEAP_EXTERNAL_ENABLE #define MBEDTLS_PLATFORM_STD_CALLOC otPlatCAlloc /**< Default allocator to use, can be undefined */ @@ -140,17 +205,12 @@ #define MBEDTLS_MEMORY_BUFFER_ALLOC_C #endif -#if OPENTHREAD_CONFIG_BLE_TCAT_ENABLE -#define MBEDTLS_SSL_MAX_CONTENT_LEN 2000 /**< Maxium fragment length in bytes */ -#elif OPENTHREAD_CONFIG_COAP_SECURE_API_ENABLE -#define MBEDTLS_SSL_MAX_CONTENT_LEN 900 /**< Maxium fragment length in bytes */ -#else -#define MBEDTLS_SSL_MAX_CONTENT_LEN 768 /**< Maxium fragment length in bytes */ -#endif - -#define MBEDTLS_SSL_IN_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN -#define MBEDTLS_SSL_OUT_CONTENT_LEN MBEDTLS_SSL_MAX_CONTENT_LEN -#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 +#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_PLATFORM_MEMORY +#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS +#define MBEDTLS_ENTROPY_MAX_SOURCES 1 // Spans multiple lines to avoid being processed by unifdef #if defined(\ diff --git a/third_party/mbedtls/psa-crypto-config.h b/third_party/mbedtls/psa-crypto-config.h new file mode 100644 index 000000000000..906f62938ed2 --- /dev/null +++ b/third_party/mbedtls/psa-crypto-config.h @@ -0,0 +1,86 @@ +/* + * Copyright (c) 2024, The OpenThread Authors. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the copyright holder nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +// Spans multiple lines to avoid being processed by unifdef +#ifndef \ + PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#include "openthread-core-config.h" + +#include + +/* + * CBC-MAC is not yet supported via the PSA API in Mbed TLS. + */ +//#define PSA_WANT_ALG_CBC_MAC 1 +#define PSA_WANT_ALG_CBC_NO_PADDING 1 +#define PSA_WANT_ALG_CBC_PKCS7 1 +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 +#define PSA_WANT_ALG_CMAC 1 +#define PSA_WANT_ALG_CFB 1 +#define PSA_WANT_ALG_CTR 1 +#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_ECDH 1 +#define PSA_WANT_ALG_ECDSA 1 +#define PSA_WANT_ALG_JPAKE 1 +#define PSA_WANT_ALG_GCM 1 +#define PSA_WANT_ALG_HKDF 1 +#define PSA_WANT_ALG_HKDF_EXTRACT 1 +#define PSA_WANT_ALG_HKDF_EXPAND 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_PBKDF2_HMAC 1 +#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1 +#define PSA_WANT_ALG_RIPEMD160 1 +#define PSA_WANT_ALG_SHA_1 1 +#define PSA_WANT_ALG_SHA_224 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 + +#define PSA_WANT_ECC_SECP_K1_256 1 +#define PSA_WANT_ECC_SECP_R1_256 1 + +#define PSA_WANT_KEY_TYPE_DERIVE 1 +#define PSA_WANT_KEY_TYPE_PASSWORD 1 +#define PSA_WANT_KEY_TYPE_PASSWORD_HASH 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 +#define PSA_WANT_KEY_TYPE_RAW_DATA 1 + +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 + +#endif /* PSA_CRYPTO_CONFIG_H */