Skip to content

Commit

Permalink
Adds mbedTLS 3.x support with tinycrypt uECC APIs
Browse files Browse the repository at this point in the history
  • Loading branch information
rosahay-silabs committed Nov 26, 2024
1 parent 67f03dd commit 0995ea9
Show file tree
Hide file tree
Showing 4 changed files with 58 additions and 74 deletions.
1 change: 0 additions & 1 deletion src/platform/silabs/SiWx917/BUILD.gn
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,6 @@ static_library("SiWx917") {

public_deps += [
"${chip_root}/src/crypto",
"${mbedtls_root}:mbedtls",
"${silabs_platform_dir}/wifi:wifi-platform",
]
}
Expand Down
98 changes: 36 additions & 62 deletions src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,11 @@

/**
* @file
* mbedTLS based implementation of CHIP crypto primitives
* mbedTLS and Tinycrypt based implementation of CHIP crypto primitives
*/
#include <string.h>

#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include <crypto/CHIPCryptoPAL.h>

#include <type_traits>
Expand All @@ -34,6 +36,7 @@
#include <mbedtls/error.h>
#include <mbedtls/hkdf.h>
#include <mbedtls/md.h>
#include <mbedtls/pk.h>
#include <mbedtls/pkcs5.h>
#include <mbedtls/sha1.h>
#include <mbedtls/sha256.h>
Expand All @@ -44,7 +47,6 @@
#include <mbedtls/x509.h>
#include <mbedtls/x509_csr.h>

#include <mbedtls/pk.h>
#include <tinycrypt/ecc.h>
#include <tinycrypt/ecc_dh.h>
#include <tinycrypt/ecc_dsa.h>
Expand All @@ -58,14 +60,18 @@
#include <lib/support/SafePointerCast.h>
#include <lib/support/logging/CHIPLogging.h>

#include <string.h>

#ifdef SLI_SI91X_MCU_INTERFACE
#ifdef __cplusplus
extern "C" {
#include "sl_si91x_trng.h"
}
#endif

#if defined(SLI_SI91X_MCU_INTERFACE)
#include <sl_si91x_trng.h>
#endif // SLI_SI91X_MCU_INTERFACE

#ifdef __cplusplus
}
#endif

namespace chip {
namespace Crypto {

Expand All @@ -85,6 +91,8 @@ namespace Crypto {
#define CHIP_CRYPTO_PAL_PRIVATE_X509(x) x
#endif

namespace {

typedef struct
{
bool mInitialized;
Expand All @@ -93,9 +101,15 @@ typedef struct
mbedtls_entropy_context mEntropy;
} EntropyContext;

typedef struct
{
uint8_t private_key[NUM_ECC_BYTES];
uint8_t public_key[2 * NUM_ECC_BYTES];
} mbedtls_uecc_keypair;

static EntropyContext gsEntropyContext;

static void _log_mbedTLS_error(int error_code)
void _log_mbedTLS_error(int error_code)
{
if (error_code != 0 && error_code != UECC_SUCCESS)
{
Expand All @@ -110,7 +124,7 @@ static void _log_mbedTLS_error(int error_code)
}
}

static bool _isValidTagLength(size_t tag_length)
bool _isValidTagLength(size_t tag_length)
{
if (tag_length == 8 || tag_length == 12 || tag_length == 16)
{
Expand All @@ -119,6 +133,13 @@ static bool _isValidTagLength(size_t tag_length)
return false;
}

inline mbedtls_uecc_keypair * mbedtls_pk_uecc(const mbedtls_pk_context pk)
{
return ((mbedtls_uecc_keypair *) (pk).pk_ctx);
}

} // namespace

CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length,
const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext,
uint8_t * tag, size_t tag_length)
Expand Down Expand Up @@ -494,11 +515,6 @@ CHIP_ERROR DRBG_get_bytes(uint8_t * out_buffer, const size_t out_length)
return CHIP_NO_ERROR;
}

static int CryptoRNG(void * ctxt, uint8_t * out_buffer, size_t out_length)
{
return (chip::Crypto::DRBG_get_bytes(out_buffer, out_length) == CHIP_NO_ERROR) ? 0 : 1;
}

mbedtls_ecp_group_id MapECPGroupId(SupportedECPKeyTypes keyType)
{
switch (keyType)
Expand Down Expand Up @@ -734,53 +750,11 @@ P256Keypair::~P256Keypair()

CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
{
CHIP_ERROR error = CHIP_NO_ERROR;
int result = 0;
size_t out_length;

mbedtls_x509write_csr csr;
mbedtls_x509write_csr_init(&csr);

mbedtls_pk_context pk;
pk.CHIP_CRYPTO_PAL_PRIVATE(pk_info) = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
pk.CHIP_CRYPTO_PAL_PRIVATE(pk_ctx) = to_keypair(&mKeypair);
VerifyOrExit(pk.CHIP_CRYPTO_PAL_PRIVATE(pk_info) != nullptr, error = CHIP_ERROR_INTERNAL);

VerifyOrExit(mInitialized, error = CHIP_ERROR_UNINITIALIZED);

mbedtls_x509write_csr_set_key(&csr, &pk);

mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256);

// TODO: mbedTLS CSR parser fails if the subject name is not set (or if empty).
// CHIP Spec doesn't specify the subject name that can be used.
// Figure out the correct value and update this code.
result = mbedtls_x509write_csr_set_subject_name(&csr, "O=CSR");
VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);

result = mbedtls_x509write_csr_der(&csr, out_csr, csr_length, CryptoRNG, nullptr);
VerifyOrExit(result > 0, error = CHIP_ERROR_INTERNAL);
VerifyOrExit(CanCastTo<size_t>(result), error = CHIP_ERROR_INTERNAL);

out_length = static_cast<size_t>(result);
result = 0;
VerifyOrExit(out_length <= csr_length, error = CHIP_ERROR_INTERNAL);

if (csr_length != out_length)
{
// mbedTLS API writes the CSR at the end of the provided buffer.
// Let's move it to the start of the buffer.
size_t offset = csr_length - out_length;
memmove(out_csr, &out_csr[offset], out_length);
}

csr_length = out_length;

exit:
mbedtls_x509write_csr_free(&csr);

_log_mbedTLS_error(result);
return error;
MutableByteSpan csr(out_csr, csr_length);
CHIP_ERROR err = GenerateCertificateSigningRequest(this, csr);
csr_length = (CHIP_NO_ERROR == err) ? csr.size() : 0;
ChipLogByteSpan(Crypto, csr);
return err;
}

CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_length, P256PublicKey & pubkey)
Expand Down Expand Up @@ -1523,7 +1497,7 @@ CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256P
VerifyOrExit(mbedtls_pk_get_type(&(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk))) == MBEDTLS_PK_ECKEY,
error = CHIP_ERROR_INVALID_ARGUMENT);

keypair = mbedtls_pk_uecc(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk));
keypair = (mbedtls_uecc_keypair *) (mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk)).pk_ctx;
Uint8::to_uchar(pubkey)[0] = 0x04; // uncompressed type
memcpy(Uint8::to_uchar(pubkey) + 1, keypair->public_key, 2 * NUM_ECC_BYTES);

Expand Down
1 change: 1 addition & 0 deletions src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
#define MBEDTLS_PK_HAVE_ECC_KEYS
#define MBEDTLS_SHA256_SMALLER
#define MBEDTLS_SHA512_C
#define MBEDTLS_SSL_CLI_C
Expand Down
32 changes: 21 additions & 11 deletions third_party/silabs/SiWx917_sdk.gni
Original file line number Diff line number Diff line change
Expand Up @@ -533,7 +533,7 @@ template("siwx917_sdk") {
}

if (sl_si91x_crypto_flavor == "tinycrypt") {
_mbedtls_root = "${mbedtls_root}/repo"
_mbedtls_root = "${efr32_sdk_root}/util/third_party/mbedtls"

config("siwx917_tinycrypt_config") {
defines = [
Expand All @@ -542,14 +542,19 @@ template("siwx917_sdk") {
]

include_dirs = [
"${sdk_support_root}/matter/mbedtls/tinycrypt/inc",
# mbedTLS headers
"${_mbedtls_root}/include",
"${_mbedtls_root}/library",

# GECKO SDK configuration included to be used in autogenerated files
"${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/config",
"${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/config/preset",
"${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/inc",
"${sdk_support_root}/matter/si91x/siwx917/BRD4338A/autogen/config",
"${sdk_support_root}/matter/si91x/siwx917/BRD4338A/autogen/autogen",

# tinycrypt specific headers
"${sdk_support_root}/matter/mbedtls/tinycrypt/inc",
]
}

Expand All @@ -566,6 +571,7 @@ template("siwx917_sdk") {
"${_mbedtls_root}/library/asn1write.c",
"${_mbedtls_root}/library/base64.c",
"${_mbedtls_root}/library/bignum.c",
"${_mbedtls_root}/library/bignum_core.c",
"${_mbedtls_root}/library/ccm.c",
"${_mbedtls_root}/library/cipher.c",
"${_mbedtls_root}/library/cipher_wrap.c",
Expand All @@ -576,30 +582,34 @@ template("siwx917_sdk") {
"${_mbedtls_root}/library/ecp.c",
"${_mbedtls_root}/library/ecp_curves.c",
"${_mbedtls_root}/library/entropy.c",
"${_mbedtls_root}/library/error.c",
"${_mbedtls_root}/library/hkdf.c",
"${_mbedtls_root}/library/hmac_drbg.c",
"${_mbedtls_root}/library/md.c",
"${_mbedtls_root}/library/pem.c",
"${_mbedtls_root}/library/pkcs5.c",
"${_mbedtls_root}/library/platform.c",
"${_mbedtls_root}/library/platform_util.c",
"${_mbedtls_root}/library/sha256.c",
"${_mbedtls_root}/library/sha512.c",
"${_mbedtls_root}/library/version.c",
"${_mbedtls_root}/library/x509_create.c",

# mbedtls + tinycrypt integration
"${_mbedtls_root}/library/oid.c",
"${_mbedtls_root}/library/pk.c",
"${_mbedtls_root}/library/pk_wrap.c",
"${_mbedtls_root}/library/pk_wrap.h",
"${_mbedtls_root}/library/pkparse.c",
"${_mbedtls_root}/library/pkwrite.c",
"${_mbedtls_root}/library/x509_crt.c",
"${_mbedtls_root}/library/x509write_csr.c",

# tinycrypt
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc_dh.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc_dsa.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/error.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/oid.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pk.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pk_wrap.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pkparse.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/pkwrite.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/platform_util.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/x509_crt.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/x509write_csr.c",
"${sdk_support_root}/matter/mbedtls/tinycrypt/src/tinycrypt_util.c",
]

public_deps = [ "${chip_root}/src/crypto:crypto_buildconfig" ]
Expand Down

0 comments on commit 0995ea9

Please sign in to comment.