From 75d467d6b6ab7f0cdd68481745b97c68555f5953 Mon Sep 17 00:00:00 2001 From: Mason Tran Date: Fri, 8 Dec 2023 09:56:02 -0500 Subject: [PATCH] [crypto] implement PBKDF2 key generation using PSA This commit adds support for PBKDF2 operation using PSA crypto. We import the salt and password into PSA and generate the key. The generated key is then exported into a flat buffer and all the transient keys are destroyed. Remove dependency on psa_crypto_pbkdf2 component, psa_crypto_pbkdf2_cmac should be enough for our usecase Co-authored-by: Hemanth Rao --- ot-efr32.slce | 2 +- slc/component/ot_psa_crypto.slcc | 30 ++++++++ ...32-soc-with-buttons-power-manager-csl.slcp | 8 ++ ...-efr32-soc-with-buttons-power-manager.slcp | 8 ++ .../openthread-efr32-soc-with-buttons.slcp | 8 ++ .../openthread-efr32-soc.slcp | 8 ++ src/src/crypto.c | 77 +++++++++++++++++++ 7 files changed, 140 insertions(+), 1 deletion(-) create mode 100644 slc/component/ot_psa_crypto.slcc diff --git a/ot-efr32.slce b/ot-efr32.slce index 93734ad5..192796fe 100644 --- a/ot-efr32.slce +++ b/ot-efr32.slce @@ -4,6 +4,6 @@ description: "ot-efr32 extension for Gecko SDK Suite" label: "Silicon Labs Matter" sdk: id: gecko_sdk - version: 4.2.1 + version: 4.3.2 component_path: - path: slc/component diff --git a/slc/component/ot_psa_crypto.slcc b/slc/component/ot_psa_crypto.slcc new file mode 100644 index 00000000..7317de9a --- /dev/null +++ b/slc/component/ot_psa_crypto.slcc @@ -0,0 +1,30 @@ +id: ot_psa_crypto +label: PSA Crypto +package: OpenThread +category: OpenThread +quality: production +description: This component references to all the third party support needed by the OpenThread stack +ui_hints: + visibility: never +provides: + - name: ot_psa_crypto +requires: + - name: psa_crypto + - name: psa_its + - name: psa_crypto_hkdf + - name: psa_crypto_cmac + - name: psa_crypto_hmac + - name: psa_crypto_tls12_prf + - name: psa_crypto_tls12_psk_to_ms + - name: psa_crypto_sha256 + - name: psa_crypto_ecdh + - name: psa_crypto_ecdsa + - name: psa_crypto_ecc_secp256r1 + - name: psa_crypto_pbkdf2_cmac +template_contribution: + - name: mbedtls_config + value: MBEDTLS_USE_PSA_CRYPTO + - name: psa_key_slots + value: + name: psa_key_slots_openthread + count: 15 diff --git a/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager-csl.slcp b/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager-csl.slcp index 9c9d4aa2..18bac711 100644 --- a/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager-csl.slcp +++ b/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager-csl.slcp @@ -9,6 +9,7 @@ quality: production component: - id: ot_platform_abstraction_core - id: ot_psa_crypto + from: ot-efr32 - id: ot_thirdparty - id: uartdrv_usart instance: @@ -53,3 +54,10 @@ configuration: define: - name: OPENTHREAD_CONFIG_MAC_CSL_RECEIVER_ENABLE value: 1 + +sdk: + id: gecko_sdk + version: 4.3.2 +sdk_extension: + - id: ot-efr32 + version: 0.0.1 diff --git a/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager.slcp b/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager.slcp index dbbfae3b..9ee067f8 100644 --- a/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager.slcp +++ b/src/platform_projects/openthread-efr32-soc-with-buttons-power-manager.slcp @@ -9,6 +9,7 @@ quality: production component: - id: ot_platform_abstraction_core - id: ot_psa_crypto + from: ot-efr32 - id: ot_thirdparty - id: uartdrv_usart instance: @@ -49,3 +50,10 @@ configuration: condition: [freertos] - name: SL_STACK_SIZE value: 4608 + +sdk: + id: gecko_sdk + version: 4.3.2 +sdk_extension: + - id: ot-efr32 + version: 0.0.1 diff --git a/src/platform_projects/openthread-efr32-soc-with-buttons.slcp b/src/platform_projects/openthread-efr32-soc-with-buttons.slcp index f834e078..3ed290cf 100644 --- a/src/platform_projects/openthread-efr32-soc-with-buttons.slcp +++ b/src/platform_projects/openthread-efr32-soc-with-buttons.slcp @@ -9,6 +9,7 @@ quality: production component: - id: ot_platform_abstraction_core - id: ot_psa_crypto + from: ot-efr32 - id: ot_thirdparty - id: uartdrv_usart instance: @@ -48,3 +49,10 @@ configuration: condition: [freertos] - name: SL_STACK_SIZE value: 4608 + +sdk: + id: gecko_sdk + version: 4.3.2 +sdk_extension: + - id: ot-efr32 + version: 0.0.1 diff --git a/src/platform_projects/openthread-efr32-soc.slcp b/src/platform_projects/openthread-efr32-soc.slcp index 2fdd99c0..194b488d 100644 --- a/src/platform_projects/openthread-efr32-soc.slcp +++ b/src/platform_projects/openthread-efr32-soc.slcp @@ -8,6 +8,7 @@ quality: production component: - id: ot_platform_abstraction_core - id: ot_psa_crypto + from: ot-efr32 - id: ot_thirdparty - id: uartdrv_usart instance: @@ -35,3 +36,10 @@ configuration: condition: [freertos] - name: SL_STACK_SIZE value: 4608 + +sdk: + id: gecko_sdk + version: 4.3.2 +sdk_extension: + - id: ot-efr32 + version: 0.0.1 diff --git a/src/src/crypto.c b/src/src/crypto.c index dd6b0ca6..d755f5c4 100644 --- a/src/src/crypto.c +++ b/src/src/crypto.c @@ -555,4 +555,81 @@ otError otPlatCryptoEcdsaVerifyUsingKeyRef(otCryptoKeyRef aKe return error; } +otError otPlatCryptoPbkdf2GenerateKey(const uint8_t *aPassword, + uint16_t aPasswordLen, + const uint8_t *aSalt, + uint16_t aSaltLen, + uint32_t aIterationCounter, + uint16_t aKeyLen, + uint8_t *aKey) +{ + psa_status_t status; + size_t outSize; + psa_key_id_t passwordKeyId = 0; + psa_key_id_t saltKeyId = 0; + psa_key_id_t keyId = 0; + + // Algorithm is PBKDF2-AES-CMAC-PRF-128 + psa_algorithm_t algo = PSA_ALG_PBKDF2_AES_CMAC_PRF_128; + + // Initialize key derivation + psa_key_derivation_operation_t operation = psa_key_derivation_operation_init(); + status = psa_key_derivation_setup(&operation, algo); + assert(status == PSA_SUCCESS); + + // Set capacity + status = psa_key_derivation_set_capacity(&operation, aKeyLen); + assert(status == PSA_SUCCESS); + + // Set iteration count as cost + status = psa_key_derivation_input_integer(&operation, PSA_KEY_DERIVATION_INPUT_COST, aIterationCounter); + assert(status == PSA_SUCCESS); + + // Create salt as a key + psa_key_attributes_t saltKeyAttr = psa_key_attributes_init(); + psa_set_key_usage_flags(&saltKeyAttr, PSA_KEY_USAGE_DERIVE); + psa_set_key_type(&saltKeyAttr, PSA_KEY_TYPE_RAW_DATA); + psa_set_key_algorithm(&saltKeyAttr, algo); + assert(status == PSA_SUCCESS); + + status = psa_import_key(&saltKeyAttr, aSalt, aSaltLen, &saltKeyId); + assert(status == PSA_SUCCESS); + + // Provide salt + status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_SALT, saltKeyId); + assert(status == PSA_SUCCESS); + + // Create key for password (key) + psa_key_attributes_t passwordKeyAttr = psa_key_attributes_init(); + psa_set_key_usage_flags(&passwordKeyAttr, PSA_KEY_USAGE_DERIVE); + psa_set_key_type(&passwordKeyAttr, PSA_KEY_TYPE_PASSWORD); + psa_set_key_algorithm(&passwordKeyAttr, algo); + + status = psa_import_key(&passwordKeyAttr, aPassword, aPasswordLen, &passwordKeyId); + assert(status == PSA_SUCCESS); + + // Provide password (key) + status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_PASSWORD, passwordKeyId); + assert(status == PSA_SUCCESS); + + // Configure output as a key + psa_key_attributes_t keyAttrResult = psa_key_attributes_init(); + psa_set_key_bits(&keyAttrResult, (8 * aKeyLen)); + psa_set_key_usage_flags(&keyAttrResult, PSA_KEY_USAGE_EXPORT); + psa_set_key_type(&keyAttrResult, PSA_KEY_TYPE_RAW_DATA); + psa_set_key_algorithm(&keyAttrResult, PSA_ALG_CTR); + + status = psa_key_derivation_output_key(&keyAttrResult, &operation, &keyId); + assert(status == PSA_SUCCESS); + + // Export output key + status = psa_export_key(keyId, aKey, aKeyLen, &outSize); + assert(status == PSA_SUCCESS); + + // Release keys used + psa_destroy_key(keyId); + psa_destroy_key(saltKeyId); + psa_destroy_key(passwordKeyId); +} + #endif // OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE