From 7269ecbcd4e7cedb8b7dd72d1caf06b670fa8171 Mon Sep 17 00:00:00 2001 From: William Emfinger Date: Fri, 22 May 2026 22:19:07 -0500 Subject: [PATCH] fix: add support for mbedtls 3.x, migrated from 2.x --- embedded/common/source/mbedtls/gen_secret.c | 60 ++++++++++++ embedded/common/source/mbedtls/mbedtls.c | 103 ++++++++++++++++++++ 2 files changed, 163 insertions(+) diff --git a/embedded/common/source/mbedtls/gen_secret.c b/embedded/common/source/mbedtls/gen_secret.c index 2f90422516..9d19d5fea4 100644 --- a/embedded/common/source/mbedtls/gen_secret.c +++ b/embedded/common/source/mbedtls/gen_secret.c @@ -31,6 +31,16 @@ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +#if defined(__has_include) +#if __has_include() +#define NEARBY_PLATFORM_USE_PSA_CRYPTO 1 +#endif +#endif + +#if defined(NEARBY_PLATFORM_USE_PSA_CRYPTO) +#include +#include +#else #include #include #include @@ -40,11 +50,60 @@ #if (MBEDTLS_VERSION_NUMBER >= 0x03000000) #include #endif +#endif #include #include #ifndef NEARBY_PLATFORM_HAS_SE +#if defined(NEARBY_PLATFORM_USE_PSA_CRYPTO) +static nearby_platform_status nearby_platform_InitCrypto() { + return psa_crypto_init() == PSA_SUCCESS ? kNearbyStatusOK : kNearbyStatusError; +} + +nearby_platform_status nearby_platform_GenSec256r1Secret( + const uint8_t remote_party_public_key[64], uint8_t shared_secret[32]) { + if (nearby_platform_InitCrypto() != kNearbyStatusOK) { + return kNearbyStatusError; + } + + const uint8_t* pkp = nearby_platform_GetAntiSpoofingPrivateKey(); + if (!pkp) { + return kNearbyStatusError; + } + + nearby_platform_status platform_status = kNearbyStatusError; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + size_t shared_secret_length = 0; + uint8_t peer_public_key[65] = {0x04}; + + memcpy(&peer_public_key[1], remote_party_public_key, 64); + + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&attributes, 256); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); + + psa_status_t status = psa_import_key(&attributes, pkp, 32, &key_id); + psa_reset_key_attributes(&attributes); + if (status != PSA_SUCCESS) { + goto exit; + } + + status = psa_raw_key_agreement(PSA_ALG_ECDH, key_id, peer_public_key, sizeof(peer_public_key), + shared_secret, 32, &shared_secret_length); + if (status == PSA_SUCCESS && shared_secret_length == 32) { + platform_status = kNearbyStatusOK; + } + +exit: + if (key_id != 0) { + psa_destroy_key(key_id); + } + return platform_status; +} +#else static int crypto_rand(void* const seed, uint8_t* const out, size_t const size) { (void)seed; @@ -105,4 +164,5 @@ nearby_platform_status nearby_platform_GenSec256r1Secret( return status; } +#endif #endif /* NEARBY_PLATFORM_HAS_SE */ diff --git a/embedded/common/source/mbedtls/mbedtls.c b/embedded/common/source/mbedtls/mbedtls.c index e72b28b94f..207e86516e 100644 --- a/embedded/common/source/mbedtls/mbedtls.c +++ b/embedded/common/source/mbedtls/mbedtls.c @@ -37,6 +37,15 @@ // separate file, gen_secret.c. // +#if defined(__has_include) +#if __has_include() +#define NEARBY_PLATFORM_USE_PSA_CRYPTO 1 +#endif +#endif + +#if defined(NEARBY_PLATFORM_USE_PSA_CRYPTO) +#include +#else #include #include #include @@ -45,9 +54,102 @@ #if (MBEDTLS_VERSION_NUMBER >= 0x03000000) #include #endif +#endif #include +#if defined(NEARBY_PLATFORM_USE_PSA_CRYPTO) +static psa_hash_operation_t sha256_op = PSA_HASH_OPERATION_INIT; + +static nearby_platform_status nearby_platform_InitCrypto() { + return psa_crypto_init() == PSA_SUCCESS ? kNearbyStatusOK : kNearbyStatusError; +} + +nearby_platform_status nearby_platform_Sha256Start() { + if (nearby_platform_InitCrypto() != kNearbyStatusOK) { + return kNearbyStatusError; + } + psa_hash_abort(&sha256_op); + return psa_hash_setup(&sha256_op, PSA_ALG_SHA_256) == PSA_SUCCESS ? kNearbyStatusOK + : kNearbyStatusError; +} + +nearby_platform_status nearby_platform_Sha256Update(const void* data, + size_t length) { + return psa_hash_update(&sha256_op, (const uint8_t*)data, length) == PSA_SUCCESS + ? kNearbyStatusOK + : kNearbyStatusError; +} + +nearby_platform_status nearby_platform_Sha256Finish(uint8_t out[32]) { + size_t out_length = 0; + psa_status_t status = psa_hash_finish(&sha256_op, out, 32, &out_length); + if (status != PSA_SUCCESS || out_length != 32) { + psa_hash_abort(&sha256_op); + return kNearbyStatusError; + } + return kNearbyStatusOK; +} + +static nearby_platform_status nearby_platform_Aes128Crypt( + const uint8_t input[AES_MESSAGE_SIZE_BYTES], + uint8_t output[AES_MESSAGE_SIZE_BYTES], + const uint8_t key[AES_MESSAGE_SIZE_BYTES], psa_key_usage_t usage) { + if (nearby_platform_InitCrypto() != kNearbyStatusOK) { + return kNearbyStatusError; + } + + nearby_platform_status platform_status = kNearbyStatusError; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + size_t output_length = 0; + + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, 128); + psa_set_key_usage_flags(&attributes, usage); + psa_set_key_algorithm(&attributes, PSA_ALG_ECB_NO_PADDING); + + psa_status_t status = psa_import_key(&attributes, key, AES_MESSAGE_SIZE_BYTES, &key_id); + psa_reset_key_attributes(&attributes); + if (status != PSA_SUCCESS) { + goto exit; + } + + if (usage == PSA_KEY_USAGE_ENCRYPT) { + status = psa_cipher_encrypt(key_id, PSA_ALG_ECB_NO_PADDING, input, + AES_MESSAGE_SIZE_BYTES, output, AES_MESSAGE_SIZE_BYTES, + &output_length); + } else { + status = psa_cipher_decrypt(key_id, PSA_ALG_ECB_NO_PADDING, input, + AES_MESSAGE_SIZE_BYTES, output, AES_MESSAGE_SIZE_BYTES, + &output_length); + } + + if (status == PSA_SUCCESS && output_length == AES_MESSAGE_SIZE_BYTES) { + platform_status = kNearbyStatusOK; + } + +exit: + if (key_id != 0) { + psa_destroy_key(key_id); + } + return platform_status; +} + +nearby_platform_status nearby_platform_Aes128Encrypt( + const uint8_t input[AES_MESSAGE_SIZE_BYTES], + uint8_t output[AES_MESSAGE_SIZE_BYTES], + const uint8_t key[AES_MESSAGE_SIZE_BYTES]) { + return nearby_platform_Aes128Crypt(input, output, key, PSA_KEY_USAGE_ENCRYPT); +} + +nearby_platform_status nearby_platform_Aes128Decrypt( + const uint8_t input[AES_MESSAGE_SIZE_BYTES], + uint8_t output[AES_MESSAGE_SIZE_BYTES], + const uint8_t key[AES_MESSAGE_SIZE_BYTES]) { + return nearby_platform_Aes128Crypt(input, output, key, PSA_KEY_USAGE_DECRYPT); +} +#else static mbedtls_sha256_context sha256_ctx; nearby_platform_status nearby_platform_Sha256Start() { @@ -119,3 +221,4 @@ nearby_platform_status nearby_platform_Aes128Decrypt( mbedtls_aes_free(&ctx); return status; } +#endif