From 0995ea9df3c01fbe3869b34005103d76dc07df83 Mon Sep 17 00:00:00 2001
From: Rohan Sahay <103027015+rosahay-silabs@users.noreply.github.com>
Date: Tue, 26 Nov 2024 18:59:24 +0530
Subject: [PATCH] Adds mbedTLS 3.x support with tinycrypt uECC APIs

---
 src/platform/silabs/SiWx917/BUILD.gn          |  1 -
 .../silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp | 98 +++++++------------
 .../SiWx917/siwx917-chip-mbedtls-config.h     |  1 +
 third_party/silabs/SiWx917_sdk.gni            | 32 +++---
 4 files changed, 58 insertions(+), 74 deletions(-)

diff --git a/src/platform/silabs/SiWx917/BUILD.gn b/src/platform/silabs/SiWx917/BUILD.gn
index 826d8accd9..3f7adf8269 100644
--- a/src/platform/silabs/SiWx917/BUILD.gn
+++ b/src/platform/silabs/SiWx917/BUILD.gn
@@ -101,7 +101,6 @@ static_library("SiWx917") {
 
     public_deps += [
       "${chip_root}/src/crypto",
-      "${mbedtls_root}:mbedtls",
       "${silabs_platform_dir}/wifi:wifi-platform",
     ]
   }
diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
index 52f2cb74b9..124de16f41 100644
--- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
+++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp
@@ -17,9 +17,11 @@
 
 /**
  *    @file
- *      mbedTLS based implementation of CHIP crypto primitives
+ *      mbedTLS and Tinycrypt based implementation of CHIP crypto primitives
  */
+#include <string.h>
 
+#define MBEDTLS_ALLOW_PRIVATE_ACCESS
 #include <crypto/CHIPCryptoPAL.h>
 
 #include <type_traits>
@@ -34,6 +36,7 @@
 #include <mbedtls/error.h>
 #include <mbedtls/hkdf.h>
 #include <mbedtls/md.h>
+#include <mbedtls/pk.h>
 #include <mbedtls/pkcs5.h>
 #include <mbedtls/sha1.h>
 #include <mbedtls/sha256.h>
@@ -44,7 +47,6 @@
 #include <mbedtls/x509.h>
 #include <mbedtls/x509_csr.h>
 
-#include <mbedtls/pk.h>
 #include <tinycrypt/ecc.h>
 #include <tinycrypt/ecc_dh.h>
 #include <tinycrypt/ecc_dsa.h>
@@ -58,14 +60,18 @@
 #include <lib/support/SafePointerCast.h>
 #include <lib/support/logging/CHIPLogging.h>
 
-#include <string.h>
-
-#ifdef SLI_SI91X_MCU_INTERFACE
+#ifdef __cplusplus
 extern "C" {
-#include "sl_si91x_trng.h"
-}
+#endif
+
+#if defined(SLI_SI91X_MCU_INTERFACE)
+#include <sl_si91x_trng.h>
 #endif // SLI_SI91X_MCU_INTERFACE
 
+#ifdef __cplusplus
+}
+#endif
+
 namespace chip {
 namespace Crypto {
 
@@ -85,6 +91,8 @@ namespace Crypto {
 #define CHIP_CRYPTO_PAL_PRIVATE_X509(x) x
 #endif
 
+namespace {
+
 typedef struct
 {
     bool mInitialized;
@@ -93,9 +101,15 @@ typedef struct
     mbedtls_entropy_context mEntropy;
 } EntropyContext;
 
+typedef struct
+{
+    uint8_t private_key[NUM_ECC_BYTES];
+    uint8_t public_key[2 * NUM_ECC_BYTES];
+} mbedtls_uecc_keypair;
+
 static EntropyContext gsEntropyContext;
 
-static void _log_mbedTLS_error(int error_code)
+void _log_mbedTLS_error(int error_code)
 {
     if (error_code != 0 && error_code != UECC_SUCCESS)
     {
@@ -110,7 +124,7 @@ static void _log_mbedTLS_error(int error_code)
     }
 }
 
-static bool _isValidTagLength(size_t tag_length)
+bool _isValidTagLength(size_t tag_length)
 {
     if (tag_length == 8 || tag_length == 12 || tag_length == 16)
     {
@@ -119,6 +133,13 @@ static bool _isValidTagLength(size_t tag_length)
     return false;
 }
 
+inline mbedtls_uecc_keypair * mbedtls_pk_uecc(const mbedtls_pk_context pk)
+{
+    return ((mbedtls_uecc_keypair *) (pk).pk_ctx);
+}
+
+} // namespace
+
 CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length,
                            const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext,
                            uint8_t * tag, size_t tag_length)
@@ -494,11 +515,6 @@ CHIP_ERROR DRBG_get_bytes(uint8_t * out_buffer, const size_t out_length)
     return CHIP_NO_ERROR;
 }
 
-static int CryptoRNG(void * ctxt, uint8_t * out_buffer, size_t out_length)
-{
-    return (chip::Crypto::DRBG_get_bytes(out_buffer, out_length) == CHIP_NO_ERROR) ? 0 : 1;
-}
-
 mbedtls_ecp_group_id MapECPGroupId(SupportedECPKeyTypes keyType)
 {
     switch (keyType)
@@ -734,53 +750,11 @@ P256Keypair::~P256Keypair()
 
 CHIP_ERROR P256Keypair::NewCertificateSigningRequest(uint8_t * out_csr, size_t & csr_length) const
 {
-    CHIP_ERROR error = CHIP_NO_ERROR;
-    int result       = 0;
-    size_t out_length;
-
-    mbedtls_x509write_csr csr;
-    mbedtls_x509write_csr_init(&csr);
-
-    mbedtls_pk_context pk;
-    pk.CHIP_CRYPTO_PAL_PRIVATE(pk_info) = mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY);
-    pk.CHIP_CRYPTO_PAL_PRIVATE(pk_ctx)  = to_keypair(&mKeypair);
-    VerifyOrExit(pk.CHIP_CRYPTO_PAL_PRIVATE(pk_info) != nullptr, error = CHIP_ERROR_INTERNAL);
-
-    VerifyOrExit(mInitialized, error = CHIP_ERROR_UNINITIALIZED);
-
-    mbedtls_x509write_csr_set_key(&csr, &pk);
-
-    mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256);
-
-    // TODO: mbedTLS CSR parser fails if the subject name is not set (or if empty).
-    //       CHIP Spec doesn't specify the subject name that can be used.
-    //       Figure out the correct value and update this code.
-    result = mbedtls_x509write_csr_set_subject_name(&csr, "O=CSR");
-    VerifyOrExit(result == 0, error = CHIP_ERROR_INTERNAL);
-
-    result = mbedtls_x509write_csr_der(&csr, out_csr, csr_length, CryptoRNG, nullptr);
-    VerifyOrExit(result > 0, error = CHIP_ERROR_INTERNAL);
-    VerifyOrExit(CanCastTo<size_t>(result), error = CHIP_ERROR_INTERNAL);
-
-    out_length = static_cast<size_t>(result);
-    result     = 0;
-    VerifyOrExit(out_length <= csr_length, error = CHIP_ERROR_INTERNAL);
-
-    if (csr_length != out_length)
-    {
-        // mbedTLS API writes the CSR at the end of the provided buffer.
-        // Let's move it to the start of the buffer.
-        size_t offset = csr_length - out_length;
-        memmove(out_csr, &out_csr[offset], out_length);
-    }
-
-    csr_length = out_length;
-
-exit:
-    mbedtls_x509write_csr_free(&csr);
-
-    _log_mbedTLS_error(result);
-    return error;
+    MutableByteSpan csr(out_csr, csr_length);
+    CHIP_ERROR err = GenerateCertificateSigningRequest(this, csr);
+    csr_length     = (CHIP_NO_ERROR == err) ? csr.size() : 0;
+    ChipLogByteSpan(Crypto, csr);
+    return err;
 }
 
 CHIP_ERROR VerifyCertificateSigningRequest(const uint8_t * csr_buf, size_t csr_length, P256PublicKey & pubkey)
@@ -1523,7 +1497,7 @@ CHIP_ERROR ExtractPubkeyFromX509Cert(const ByteSpan & certificate, Crypto::P256P
     VerifyOrExit(mbedtls_pk_get_type(&(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk))) == MBEDTLS_PK_ECKEY,
                  error = CHIP_ERROR_INVALID_ARGUMENT);
 
-    keypair                    = mbedtls_pk_uecc(mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk));
+    keypair                    = (mbedtls_uecc_keypair *) (mbed_cert.CHIP_CRYPTO_PAL_PRIVATE_X509(pk)).pk_ctx;
     Uint8::to_uchar(pubkey)[0] = 0x04; // uncompressed type
     memcpy(Uint8::to_uchar(pubkey) + 1, keypair->public_key, 2 * NUM_ECC_BYTES);
 
diff --git a/src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h b/src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h
index de0298957c..fd4d7c45df 100644
--- a/src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h
+++ b/src/platform/silabs/SiWx917/siwx917-chip-mbedtls-config.h
@@ -81,6 +81,7 @@
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
+#define MBEDTLS_PK_HAVE_ECC_KEYS
 #define MBEDTLS_SHA256_SMALLER
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_SSL_CLI_C
diff --git a/third_party/silabs/SiWx917_sdk.gni b/third_party/silabs/SiWx917_sdk.gni
index a579032c9a..57bd045965 100644
--- a/third_party/silabs/SiWx917_sdk.gni
+++ b/third_party/silabs/SiWx917_sdk.gni
@@ -533,7 +533,7 @@ template("siwx917_sdk") {
     }
 
     if (sl_si91x_crypto_flavor == "tinycrypt") {
-      _mbedtls_root = "${mbedtls_root}/repo"
+      _mbedtls_root = "${efr32_sdk_root}/util/third_party/mbedtls"
 
       config("siwx917_tinycrypt_config") {
         defines = [
@@ -542,7 +542,7 @@ template("siwx917_sdk") {
         ]
 
         include_dirs = [
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/inc",
+          # mbedTLS headers
           "${_mbedtls_root}/include",
           "${_mbedtls_root}/library",
 
@@ -550,6 +550,11 @@ template("siwx917_sdk") {
           "${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/config",
           "${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/config/preset",
           "${efr32_sdk_root}/platform/security/sl_component/sl_mbedtls_support/inc",
+          "${sdk_support_root}/matter/si91x/siwx917/BRD4338A/autogen/config",
+          "${sdk_support_root}/matter/si91x/siwx917/BRD4338A/autogen/autogen",
+
+          # tinycrypt specific headers
+          "${sdk_support_root}/matter/mbedtls/tinycrypt/inc",
         ]
       }
 
@@ -566,6 +571,7 @@ template("siwx917_sdk") {
           "${_mbedtls_root}/library/asn1write.c",
           "${_mbedtls_root}/library/base64.c",
           "${_mbedtls_root}/library/bignum.c",
+          "${_mbedtls_root}/library/bignum_core.c",
           "${_mbedtls_root}/library/ccm.c",
           "${_mbedtls_root}/library/cipher.c",
           "${_mbedtls_root}/library/cipher_wrap.c",
@@ -576,30 +582,34 @@ template("siwx917_sdk") {
           "${_mbedtls_root}/library/ecp.c",
           "${_mbedtls_root}/library/ecp_curves.c",
           "${_mbedtls_root}/library/entropy.c",
+          "${_mbedtls_root}/library/error.c",
           "${_mbedtls_root}/library/hkdf.c",
           "${_mbedtls_root}/library/hmac_drbg.c",
           "${_mbedtls_root}/library/md.c",
           "${_mbedtls_root}/library/pem.c",
           "${_mbedtls_root}/library/pkcs5.c",
           "${_mbedtls_root}/library/platform.c",
+          "${_mbedtls_root}/library/platform_util.c",
           "${_mbedtls_root}/library/sha256.c",
           "${_mbedtls_root}/library/sha512.c",
           "${_mbedtls_root}/library/version.c",
           "${_mbedtls_root}/library/x509_create.c",
 
+          # mbedtls + tinycrypt integration
+          "${_mbedtls_root}/library/oid.c",
+          "${_mbedtls_root}/library/pk.c",
+          "${_mbedtls_root}/library/pk_wrap.c",
+          "${_mbedtls_root}/library/pk_wrap.h",
+          "${_mbedtls_root}/library/pkparse.c",
+          "${_mbedtls_root}/library/pkwrite.c",
+          "${_mbedtls_root}/library/x509_crt.c",
+          "${_mbedtls_root}/library/x509write_csr.c",
+
           # tinycrypt
           "${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc.c",
           "${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc_dh.c",
           "${sdk_support_root}/matter/mbedtls/tinycrypt/src/ecc_dsa.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/error.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/oid.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/pk.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/pk_wrap.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/pkparse.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/pkwrite.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/platform_util.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/x509_crt.c",
-          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/x509write_csr.c",
+          "${sdk_support_root}/matter/mbedtls/tinycrypt/src/tinycrypt_util.c",
         ]
 
         public_deps = [ "${chip_root}/src/crypto:crypto_buildconfig" ]