From f22006e2f0338441738d3772ca3ddca5f923ee3b Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Tue, 23 Dec 2025 10:27:26 +0800 Subject: [PATCH] feat: migrates bt/ble to PSA APIs --- .../btc/profile/esp/blufi/include/blufi_int.h | 2 +- components/bt/controller/esp32c2/bt.c | 159 +++++++--------- components/bt/controller/esp32c5/bt.c | 161 +++++++--------- components/bt/controller/esp32c6/bt.c | 162 +++++++--------- components/bt/controller/esp32h2/bt.c | 155 ++++++--------- .../core/bluedroid_host/adapter.c | 87 ++++++--- .../esp_ble_mesh/core/nimble_host/adapter.c | 126 ++++++++----- .../main/src/heart_rate_mock.c | 1 - .../Bluedroid_GATT_Server/main/src/led.c | 1 - .../bluetooth/blufi/main/blufi_security.c | 178 +++++++++++------- examples/bluetooth/blufi/sdkconfig.defaults | 1 - .../blufi/sdkconfig.defaults.esp32c2 | 1 - .../blufi/sdkconfig.defaults.esp32c5 | 1 - .../blufi/sdkconfig.defaults.esp32c6 | 1 - .../blufi/sdkconfig.defaults.esp32c61 | 1 - .../bluetooth/blufi/sdkconfig.defaults.mini | 1 - .../aligenie_demo/main/aligenie_demo.c | 11 +- .../bluetooth/nimble/bleprph/main/gatt_svr.c | 2 + .../sdkconfig.ci.esp32c5 | 1 + 19 files changed, 524 insertions(+), 528 deletions(-) create mode 100644 examples/mesh/internal_communication/sdkconfig.ci.esp32c5 diff --git a/components/bt/common/btc/profile/esp/blufi/include/blufi_int.h b/components/bt/common/btc/profile/esp/blufi/include/blufi_int.h index a7f4f29288..248b97adec 100644 --- a/components/bt/common/btc/profile/esp/blufi/include/blufi_int.h +++ b/components/bt/common/btc/profile/esp/blufi/include/blufi_int.h @@ -17,7 +17,7 @@ extern "C" { #if (BLUFI_INCLUDED == TRUE) #define BTC_BLUFI_GREAT_VER 0x01 //Version + Subversion -#define BTC_BLUFI_SUB_VER 0x03 //Version + Subversion +#define BTC_BLUFI_SUB_VER 0x04 //Version + Subversion #define BTC_BLUFI_VERSION ((BTC_BLUFI_GREAT_VER<<8)|BTC_BLUFI_SUB_VER) //Version + Subversion typedef UINT8 tGATT_IF; diff --git a/components/bt/controller/esp32c2/bt.c b/components/bt/controller/esp32c2/bt.c index 506dc13cd1..1daade25f8 100644 --- a/components/bt/controller/esp32c2/bt.c +++ b/components/bt/controller/esp32c2/bt.c @@ -1443,19 +1443,12 @@ uint8_t esp_ble_get_chip_rev_version(void) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 +#define BLE_PUB_KEY_LEN 65 #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS -#include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC -#include "mbedtls/cipher.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecp.h" - -static mbedtls_ecp_keypair keypair; +#include "psa/crypto.h" +static const char *TAG_SM_ALG = "ble_sm_alg"; #endif // CONFIG_BT_LE_SM_SC - #else #include "tinycrypt/aes.h" #include "tinycrypt/constants.h" @@ -1499,84 +1492,56 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ const uint8_t *our_priv_key, uint8_t *out_dhkey) { uint8_t dh[32]; - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; uint8_t priv[32]; int rc = BLE_SM_KEY_ERR; - swap_buf(pk, peer_pub_key_x, 32); - swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS - struct mbedtls_ecp_point pt = {0}, Q = {0}; - mbedtls_mpi z = {0}, d = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; - mbedtls_entropy_context entropy = {0}; + // PSA expects 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + pk[0] = 0x04; // Uncompressed format for public key + swap_buf(&pk[1], peer_pub_key_x, 32); + swap_buf(&pk[33], peer_pub_key_y, 32); - uint8_t pub[65] = {0}; - /* Hardcoded first byte of pub key for MBEDTLS_ECP_PF_UNCOMPRESSED */ - pub[0] = 0x04; - memcpy(&pub[1], pk, 64); + psa_key_id_t key_id = 0; + psa_status_t status; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); - /* Initialize the required structures here */ - mbedtls_ecp_point_init(&pt); - mbedtls_ecp_point_init(&Q); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_entropy_init(&entropy); - mbedtls_mpi_init(&d); - mbedtls_mpi_init(&z); - - /* Below 3 steps are to validate public key on curve secp256r1 */ - if (mbedtls_ecp_group_load(&keypair.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP256R1) != 0) { + status = psa_import_key(&key_attributes, priv, 32, &key_id); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG_SM_ALG, "Failed to import key: %d", status); + goto exit; + } + psa_reset_key_attributes(&key_attributes); + size_t output_len = 0; + status = psa_raw_key_agreement(PSA_ALG_ECDH, key_id, pk, BLE_PUB_KEY_LEN, dh, sizeof(dh), &output_len); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG_SM_ALG, "Failed to perform raw key agreement: %d", status); goto exit; } - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &pt, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_ecp_check_pubkey(&keypair.MBEDTLS_PRIVATE(grp), &pt) != 0) { - goto exit; - } - - /* Set PRNG */ - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) { - goto exit; - } - - /* Prepare point Q from pub key */ - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &Q, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_mpi_read_binary(&d, priv, 32) != 0) { - goto exit; - } - - rc = mbedtls_ecdh_compute_shared(&keypair.MBEDTLS_PRIVATE(grp), &z, &Q, &d, - mbedtls_ctr_drbg_random, &ctr_drbg); - if (rc != 0) { - goto exit; - } - - rc = mbedtls_mpi_write_binary(&z, dh, 32); - if (rc != 0) { + if (output_len != 32) { + ESP_LOGE(TAG_SM_ALG, "Unexpected output length: %zu", output_len); goto exit; } + rc = 0; exit: - mbedtls_ecp_point_free(&pt); - mbedtls_mpi_free(&z); - mbedtls_mpi_free(&d); - mbedtls_ecp_point_free(&Q); - mbedtls_entropy_free(&entropy); - mbedtls_ctr_drbg_free(&ctr_drbg); if (rc != 0) { return BLE_SM_KEY_ERR; } #else - if (uECC_valid_public_key(pk, uECC_secp256r1()) < 0) { + // tinycrypt expects 64 bytes: X (32 bytes) + Y (32 bytes), no prefix + swap_buf(pk, peer_pub_key_x, 32); + swap_buf(&pk[32], peer_pub_key_y, 32); + + if (uECC_valid_public_key(pk, &curve_secp256r1) < 0) { return BLE_SM_KEY_ERR; } @@ -1594,42 +1559,38 @@ exit: static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; - mbedtls_entropy_context entropy = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; + psa_status_t status; + psa_key_id_t key_id = 0; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t alg = PSA_ALG_ECDH; + psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); + psa_key_usage_t key_usage = PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT; - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_ecp_keypair_init(&keypair); - - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - NULL, 0)) != 0) { - goto exit; - } - - if ((rc = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, &keypair, - mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { - goto exit; - } - - if ((rc = mbedtls_mpi_write_binary(&keypair.MBEDTLS_PRIVATE(d), private_key, 32)) != 0) { + psa_set_key_type(&key_attributes, key_type); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, alg); + psa_set_key_usage_flags(&key_attributes, key_usage); + status = psa_generate_key(&key_attributes, &key_id); + if (status != PSA_SUCCESS) { goto exit; } + psa_reset_key_attributes(&key_attributes); size_t olen = 0; - uint8_t pub[65] = {0}; - - if ((rc = mbedtls_ecp_point_write_binary(&keypair.MBEDTLS_PRIVATE(grp), &keypair.MBEDTLS_PRIVATE(Q), MBEDTLS_ECP_PF_UNCOMPRESSED, - &olen, pub, 65)) != 0) { + status = psa_export_public_key(key_id, public_key, BLE_PUB_KEY_LEN, &olen); + if (status != PSA_SUCCESS || olen != BLE_PUB_KEY_LEN) { goto exit; } - memcpy(public_key, &pub[1], 64); + status = psa_export_key(key_id, private_key, 32, &olen); + if (status != PSA_SUCCESS || olen != 32) { + goto exit; + } + psa_destroy_key(key_id); + rc = 0; exit: - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); if (rc != 0) { - mbedtls_ecp_keypair_free(&keypair); return BLE_SM_KEY_ERR; } @@ -1638,7 +1599,7 @@ exit: #endif // CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS /** - * pub: 64 bytes + * pub: BLE_PUB_KEY_LEN bytes * priv: 32 bytes */ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) @@ -1648,7 +1609,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) swap_buf(&pub[32], &ble_sm_alg_dbg_pub_key[32], 32); swap_buf(priv, ble_sm_alg_dbg_priv_key, 32); #else - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; do { #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS @@ -1663,8 +1624,16 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); +#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS + // PSA returns 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + // Skip the 0x04 prefix when copying to pub + swap_buf(pub, &pk[1], 32); + swap_buf(&pub[32], &pk[33], 32); +#else + // tinycrypt returns 64 bytes: X (32 bytes) + Y (32 bytes), no prefix swap_buf(pub, pk, 32); swap_buf(&pub[32], &pk[32], 32); +#endif swap_in_place(priv, 32); #endif // CONFIG_BT_LE_SM_SC_DEBUG_KEYS return 0; diff --git a/components/bt/controller/esp32c5/bt.c b/components/bt/controller/esp32c5/bt.c index 6354eb9928..56334374a0 100644 --- a/components/bt/controller/esp32c5/bt.c +++ b/components/bt/controller/esp32c5/bt.c @@ -1585,19 +1585,12 @@ void esp_ble_controller_log_dump_all(bool output) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 +#define BLE_PUB_KEY_LEN 65 #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS -#include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC -#include "mbedtls/cipher.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecp.h" - -static mbedtls_ecp_keypair keypair; +#include "psa/crypto.h" +static const char *TAG_SM_ALG = "ble_sm_alg"; #endif // CONFIG_BT_LE_SM_SC - #else #include "tinycrypt/aes.h" #include "tinycrypt/constants.h" @@ -1640,84 +1633,58 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ const uint8_t *our_priv_key, uint8_t *out_dhkey) { uint8_t dh[32]; - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; uint8_t priv[32]; int rc = BLE_SM_KEY_ERR; - swap_buf(pk, peer_pub_key_x, 32); - swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS - struct mbedtls_ecp_point pt = {0}, Q = {0}; - mbedtls_mpi z = {0}, d = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; - mbedtls_entropy_context entropy = {0}; + // PSA/mbedTLS expects 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + pk[0] = 0x04; // Uncompressed format for public key + swap_buf(&pk[1], peer_pub_key_x, 32); + swap_buf(&pk[33], peer_pub_key_y, 32); - uint8_t pub[65] = {0}; - /* Hardcoded first byte of pub key for MBEDTLS_ECP_PF_UNCOMPRESSED */ - pub[0] = 0x04; - memcpy(&pub[1], pk, 64); - - /* Initialize the required structures here */ - mbedtls_ecp_point_init(&pt); - mbedtls_ecp_point_init(&Q); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_entropy_init(&entropy); - mbedtls_mpi_init(&d); - mbedtls_mpi_init(&z); - - /* Below 3 steps are to validate public key on curve secp256r1 */ - if (mbedtls_ecp_group_load(&keypair.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP256R1) != 0) { + psa_key_id_t key_id = 0; + psa_status_t status; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); + status = psa_import_key(&key_attributes, priv, 32, &key_id); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG_SM_ALG, "Failed to import key: %d", status); + goto exit; + } + psa_reset_key_attributes(&key_attributes); + size_t output_len = 0; + status = psa_raw_key_agreement(PSA_ALG_ECDH, key_id, pk, BLE_PUB_KEY_LEN, dh, sizeof(dh), &output_len); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG_SM_ALG, "Failed to perform raw key agreement: %d", status); goto exit; } - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &pt, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_ecp_check_pubkey(&keypair.MBEDTLS_PRIVATE(grp), &pt) != 0) { - goto exit; - } - - /* Set PRNG */ - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) { - goto exit; - } - - /* Prepare point Q from pub key */ - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &Q, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_mpi_read_binary(&d, priv, 32) != 0) { - goto exit; - } - - rc = mbedtls_ecdh_compute_shared(&keypair.MBEDTLS_PRIVATE(grp), &z, &Q, &d, - mbedtls_ctr_drbg_random, &ctr_drbg); - if (rc != 0) { - goto exit; - } - - rc = mbedtls_mpi_write_binary(&z, dh, 32); - if (rc != 0) { + if (output_len != 32) { + ESP_LOGE(TAG_SM_ALG, "Unexpected output length: %zu", output_len); goto exit; } + rc = 0; exit: - mbedtls_ecp_point_free(&pt); - mbedtls_mpi_free(&z); - mbedtls_mpi_free(&d); - mbedtls_ecp_point_free(&Q); - mbedtls_entropy_free(&entropy); - mbedtls_ctr_drbg_free(&ctr_drbg); + if (key_id != 0) { + psa_destroy_key(key_id); + } if (rc != 0) { return BLE_SM_KEY_ERR; } #else - if (uECC_valid_public_key(pk, uECC_secp256r1()) < 0) { + // TinyCrypt/uECC expects 64 bytes: X (32 bytes) + Y (32 bytes), no prefix + swap_buf(pk, peer_pub_key_x, 32); + swap_buf(&pk[32], peer_pub_key_y, 32); + + if (uECC_valid_public_key(pk, &curve_secp256r1) < 0) { return BLE_SM_KEY_ERR; } @@ -1735,42 +1702,38 @@ exit: static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; - mbedtls_entropy_context entropy = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; + psa_status_t status; + psa_key_id_t key_id = 0; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t alg = PSA_ALG_ECDH; + psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); + psa_key_usage_t key_usage = PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT; - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_ecp_keypair_init(&keypair); - - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - NULL, 0)) != 0) { - goto exit; - } - - if ((rc = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, &keypair, - mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { - goto exit; - } - - if ((rc = mbedtls_mpi_write_binary(&keypair.MBEDTLS_PRIVATE(d), private_key, 32)) != 0) { + psa_set_key_type(&key_attributes, key_type); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, alg); + psa_set_key_usage_flags(&key_attributes, key_usage); + status = psa_generate_key(&key_attributes, &key_id); + if (status != PSA_SUCCESS) { goto exit; } + psa_reset_key_attributes(&key_attributes); size_t olen = 0; - uint8_t pub[65] = {0}; - - if ((rc = mbedtls_ecp_point_write_binary(&keypair.MBEDTLS_PRIVATE(grp), &keypair.MBEDTLS_PRIVATE(Q), MBEDTLS_ECP_PF_UNCOMPRESSED, - &olen, pub, 65)) != 0) { + status = psa_export_public_key(key_id, public_key, BLE_PUB_KEY_LEN, &olen); + if (status != PSA_SUCCESS || olen != BLE_PUB_KEY_LEN) { goto exit; } - memcpy(public_key, &pub[1], 64); + status = psa_export_key(key_id, private_key, 32, &olen); + if (status != PSA_SUCCESS || olen != 32) { + goto exit; + } + psa_destroy_key(key_id); + rc = 0; exit: - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); if (rc != 0) { - mbedtls_ecp_keypair_free(&keypair); return BLE_SM_KEY_ERR; } @@ -1789,7 +1752,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) swap_buf(&pub[32], &ble_sm_alg_dbg_pub_key[32], 32); swap_buf(priv, ble_sm_alg_dbg_priv_key, 32); #else - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; do { #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS @@ -1804,8 +1767,16 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); +#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS + // PSA returns 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + // Skip the 0x04 prefix when copying to pub + swap_buf(pub, &pk[1], 32); + swap_buf(&pub[32], &pk[33], 32); +#else + // tinycrypt returns 64 bytes: X (32 bytes) + Y (32 bytes), no prefix swap_buf(pub, pk, 32); swap_buf(&pub[32], &pk[32], 32); +#endif swap_in_place(priv, 32); #endif // CONFIG_BT_LE_SM_SC_DEBUG_KEYS return 0; diff --git a/components/bt/controller/esp32c6/bt.c b/components/bt/controller/esp32c6/bt.c index de8d8f51fc..5eb26edc60 100644 --- a/components/bt/controller/esp32c6/bt.c +++ b/components/bt/controller/esp32c6/bt.c @@ -1655,24 +1655,16 @@ void esp_ble_controller_log_dump_all(bool output) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 +#define BLE_PUB_KEY_LEN 65 #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS -#include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC -#include "mbedtls/cipher.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecp.h" - -static mbedtls_ecp_keypair keypair; +#include "psa/crypto.h" +static const char *TAG_SM_ALG = "ble_sm_alg"; #endif // CONFIG_BT_LE_SM_SC - #else #include "tinycrypt/aes.h" #include "tinycrypt/constants.h" #include "tinycrypt/utils.h" - #if CONFIG_BT_LE_SM_SC #include "tinycrypt/cmac_mode.h" #include "tinycrypt/ecc_dh.h" @@ -1709,84 +1701,58 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ const uint8_t *our_priv_key, uint8_t *out_dhkey) { uint8_t dh[32]; - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; uint8_t priv[32]; int rc = BLE_SM_KEY_ERR; - swap_buf(pk, peer_pub_key_x, 32); - swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS - struct mbedtls_ecp_point pt = {0}, Q = {0}; - mbedtls_mpi z = {0}, d = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; - mbedtls_entropy_context entropy = {0}; + // PSA/mbedTLS expects 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + pk[0] = 0x04; // Uncompressed format for public key + swap_buf(&pk[1], peer_pub_key_x, 32); + swap_buf(&pk[33], peer_pub_key_y, 32); - uint8_t pub[65] = {0}; - /* Hardcoded first byte of pub key for MBEDTLS_ECP_PF_UNCOMPRESSED */ - pub[0] = 0x04; - memcpy(&pub[1], pk, 64); - - /* Initialize the required structures here */ - mbedtls_ecp_point_init(&pt); - mbedtls_ecp_point_init(&Q); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_entropy_init(&entropy); - mbedtls_mpi_init(&d); - mbedtls_mpi_init(&z); - - /* Below 3 steps are to validate public key on curve secp256r1 */ - if (mbedtls_ecp_group_load(&keypair.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP256R1) != 0) { + psa_key_id_t key_id = 0; + psa_status_t status; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); + status = psa_import_key(&key_attributes, priv, 32, &key_id); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG_SM_ALG, "Failed to import key: %d", status); + goto exit; + } + psa_reset_key_attributes(&key_attributes); + size_t output_len = 0; + status = psa_raw_key_agreement(PSA_ALG_ECDH, key_id, pk, BLE_PUB_KEY_LEN, dh, sizeof(dh), &output_len); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG_SM_ALG, "Failed to perform raw key agreement: %d", status); goto exit; } - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &pt, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_ecp_check_pubkey(&keypair.MBEDTLS_PRIVATE(grp), &pt) != 0) { - goto exit; - } - - /* Set PRNG */ - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) { - goto exit; - } - - /* Prepare point Q from pub key */ - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &Q, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_mpi_read_binary(&d, priv, 32) != 0) { - goto exit; - } - - rc = mbedtls_ecdh_compute_shared(&keypair.MBEDTLS_PRIVATE(grp), &z, &Q, &d, - mbedtls_ctr_drbg_random, &ctr_drbg); - if (rc != 0) { - goto exit; - } - - rc = mbedtls_mpi_write_binary(&z, dh, 32); - if (rc != 0) { + if (output_len != 32) { + ESP_LOGE(TAG_SM_ALG, "Unexpected output length: %zu", output_len); goto exit; } + rc = 0; exit: - mbedtls_ecp_point_free(&pt); - mbedtls_mpi_free(&z); - mbedtls_mpi_free(&d); - mbedtls_ecp_point_free(&Q); - mbedtls_entropy_free(&entropy); - mbedtls_ctr_drbg_free(&ctr_drbg); + if (key_id != 0) { + psa_destroy_key(key_id); + } if (rc != 0) { return BLE_SM_KEY_ERR; } #else - if (uECC_valid_public_key(pk, uECC_secp256r1()) < 0) { + // TinyCrypt/uECC expects 64 bytes: X (32 bytes) + Y (32 bytes), no prefix + swap_buf(pk, peer_pub_key_x, 32); + swap_buf(&pk[32], peer_pub_key_y, 32); + + if (uECC_valid_public_key(pk, &curve_secp256r1) < 0) { return BLE_SM_KEY_ERR; } @@ -1804,42 +1770,38 @@ exit: static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; - mbedtls_entropy_context entropy = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; + psa_status_t status; + psa_key_id_t key_id = 0; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t alg = PSA_ALG_ECDH; + psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); + psa_key_usage_t key_usage = PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT; - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_ecp_keypair_init(&keypair); - - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - NULL, 0)) != 0) { - goto exit; - } - - if ((rc = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, &keypair, - mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { - goto exit; - } - - if ((rc = mbedtls_mpi_write_binary(&keypair.MBEDTLS_PRIVATE(d), private_key, 32)) != 0) { + psa_set_key_type(&key_attributes, key_type); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, alg); + psa_set_key_usage_flags(&key_attributes, key_usage); + status = psa_generate_key(&key_attributes, &key_id); + if (status != PSA_SUCCESS) { goto exit; } + psa_reset_key_attributes(&key_attributes); size_t olen = 0; - uint8_t pub[65] = {0}; - - if ((rc = mbedtls_ecp_point_write_binary(&keypair.MBEDTLS_PRIVATE(grp), &keypair.MBEDTLS_PRIVATE(Q), MBEDTLS_ECP_PF_UNCOMPRESSED, - &olen, pub, 65)) != 0) { + status = psa_export_public_key(key_id, public_key, BLE_PUB_KEY_LEN, &olen); + if (status != PSA_SUCCESS || olen != BLE_PUB_KEY_LEN) { goto exit; } - memcpy(public_key, &pub[1], 64); + status = psa_export_key(key_id, private_key, 32, &olen); + if (status != PSA_SUCCESS || olen != 32) { + goto exit; + } + psa_destroy_key(key_id); + rc = 0; exit: - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); if (rc != 0) { - mbedtls_ecp_keypair_free(&keypair); return BLE_SM_KEY_ERR; } @@ -1858,7 +1820,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) swap_buf(&pub[32], &ble_sm_alg_dbg_pub_key[32], 32); swap_buf(priv, ble_sm_alg_dbg_priv_key, 32); #else - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; do { #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS @@ -1873,8 +1835,16 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); +#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS + // PSA returns 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + // Skip the 0x04 prefix when copying to pub + swap_buf(pub, &pk[1], 32); + swap_buf(&pub[32], &pk[33], 32); +#else + // tinycrypt returns 64 bytes: X (32 bytes) + Y (32 bytes), no prefix swap_buf(pub, pk, 32); swap_buf(&pub[32], &pk[32], 32); +#endif swap_in_place(priv, 32); #endif // CONFIG_BT_LE_SM_SC_DEBUG_KEYS return 0; diff --git a/components/bt/controller/esp32h2/bt.c b/components/bt/controller/esp32h2/bt.c index ffa419c6e0..3b7c5be011 100644 --- a/components/bt/controller/esp32h2/bt.c +++ b/components/bt/controller/esp32h2/bt.c @@ -1605,19 +1605,11 @@ void esp_ble_controller_log_dump_all(bool output) #if (!CONFIG_BT_NIMBLE_ENABLED) && (CONFIG_BT_CONTROLLER_ENABLED) #if CONFIG_BT_LE_SM_LEGACY || CONFIG_BT_LE_SM_SC #define BLE_SM_KEY_ERR 0x17 +#define BLE_PUB_KEY_LEN 65 #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS -#include "mbedtls/aes.h" #if CONFIG_BT_LE_SM_SC -#include "mbedtls/cipher.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecp.h" - -static mbedtls_ecp_keypair keypair; +#include "psa/crypto.h" #endif // CONFIG_BT_LE_SM_SC - #else #include "tinycrypt/aes.h" #include "tinycrypt/constants.h" @@ -1659,84 +1651,52 @@ int ble_sm_alg_gen_dhkey(const uint8_t *peer_pub_key_x, const uint8_t *peer_pub_ const uint8_t *our_priv_key, uint8_t *out_dhkey) { uint8_t dh[32]; - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; uint8_t priv[32]; int rc = BLE_SM_KEY_ERR; - swap_buf(pk, peer_pub_key_x, 32); - swap_buf(&pk[32], peer_pub_key_y, 32); swap_buf(priv, our_priv_key, 32); #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS - struct mbedtls_ecp_point pt = {0}, Q = {0}; - mbedtls_mpi z = {0}, d = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; - mbedtls_entropy_context entropy = {0}; + // PSA/mbedTLS expects 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + pk[0] = 0x04; // Uncompressed format for public key + swap_buf(&pk[1], peer_pub_key_x, 32); + swap_buf(&pk[33], peer_pub_key_y, 32); - uint8_t pub[65] = {0}; - /* Hardcoded first byte of pub key for MBEDTLS_ECP_PF_UNCOMPRESSED */ - pub[0] = 0x04; - memcpy(&pub[1], pk, 64); - - /* Initialize the required structures here */ - mbedtls_ecp_point_init(&pt); - mbedtls_ecp_point_init(&Q); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_entropy_init(&entropy); - mbedtls_mpi_init(&d); - mbedtls_mpi_init(&z); - - /* Below 3 steps are to validate public key on curve secp256r1 */ - if (mbedtls_ecp_group_load(&keypair.MBEDTLS_PRIVATE(grp), MBEDTLS_ECP_DP_SECP256R1) != 0) { + psa_key_id_t key_id = 0; + psa_status_t status; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); + psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); + status = psa_import_key(&key_attributes, priv, 32, &key_id); + if (status != PSA_SUCCESS) { + goto exit; + } + psa_reset_key_attributes(&key_attributes); + size_t output_len = 0; + status = psa_raw_key_agreement(PSA_ALG_ECDH, key_id, pk, BLE_PUB_KEY_LEN, dh, sizeof(dh), &output_len); + if (status != PSA_SUCCESS) { goto exit; } - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &pt, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_ecp_check_pubkey(&keypair.MBEDTLS_PRIVATE(grp), &pt) != 0) { - goto exit; - } - - /* Set PRNG */ - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0)) != 0) { - goto exit; - } - - /* Prepare point Q from pub key */ - if (mbedtls_ecp_point_read_binary(&keypair.MBEDTLS_PRIVATE(grp), &Q, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_mpi_read_binary(&d, priv, 32) != 0) { - goto exit; - } - - rc = mbedtls_ecdh_compute_shared(&keypair.MBEDTLS_PRIVATE(grp), &z, &Q, &d, - mbedtls_ctr_drbg_random, &ctr_drbg); - if (rc != 0) { - goto exit; - } - - rc = mbedtls_mpi_write_binary(&z, dh, 32); - if (rc != 0) { + if (output_len != 32) { goto exit; } + rc = 0; exit: - mbedtls_ecp_point_free(&pt); - mbedtls_mpi_free(&z); - mbedtls_mpi_free(&d); - mbedtls_ecp_point_free(&Q); - mbedtls_entropy_free(&entropy); - mbedtls_ctr_drbg_free(&ctr_drbg); if (rc != 0) { return BLE_SM_KEY_ERR; } #else - if (uECC_valid_public_key(pk, uECC_secp256r1()) < 0) { + // TinyCrypt/uECC expects 64 bytes: X (32 bytes) + Y (32 bytes), no prefix + swap_buf(pk, peer_pub_key_x, 32); + swap_buf(&pk[32], peer_pub_key_y, 32); + + if (uECC_valid_public_key(pk, &curve_secp256r1) < 0) { return BLE_SM_KEY_ERR; } @@ -1754,42 +1714,39 @@ exit: static int mbedtls_gen_keypair(uint8_t *public_key, uint8_t *private_key) { int rc = BLE_SM_KEY_ERR; - mbedtls_entropy_context entropy = {0}; - mbedtls_ctr_drbg_context ctr_drbg = {0}; + psa_status_t status; + psa_key_id_t key_id = 0; + psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_algorithm_t alg = PSA_ALG_ECDH; + psa_key_type_t key_type = PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1); + psa_key_usage_t key_usage = PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT; - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_ecp_keypair_init(&keypair); - - if ((rc = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - NULL, 0)) != 0) { - goto exit; - } - - if ((rc = mbedtls_ecp_gen_key(MBEDTLS_ECP_DP_SECP256R1, &keypair, - mbedtls_ctr_drbg_random, &ctr_drbg)) != 0) { - goto exit; - } - - if ((rc = mbedtls_mpi_write_binary(&keypair.MBEDTLS_PRIVATE(d), private_key, 32)) != 0) { + psa_set_key_type(&key_attributes, key_type); + psa_set_key_bits(&key_attributes, 256); + psa_set_key_algorithm(&key_attributes, alg); + psa_set_key_usage_flags(&key_attributes, key_usage); + status = psa_generate_key(&key_attributes, &key_id); + if (status != PSA_SUCCESS) { goto exit; } + psa_reset_key_attributes(&key_attributes); size_t olen = 0; - uint8_t pub[65] = {0}; - - if ((rc = mbedtls_ecp_point_write_binary(&keypair.MBEDTLS_PRIVATE(grp), &keypair.MBEDTLS_PRIVATE(Q), MBEDTLS_ECP_PF_UNCOMPRESSED, - &olen, pub, 65)) != 0) { + status = psa_export_public_key(key_id, public_key, BLE_PUB_KEY_LEN, &olen); + if (status != PSA_SUCCESS || olen != BLE_PUB_KEY_LEN) { goto exit; } - memcpy(public_key, &pub[1], 64); + status = psa_export_key(key_id, private_key, 32, &olen); + if (status != PSA_SUCCESS || olen != 32) { + goto exit; + } + + psa_destroy_key(key_id); + rc = 0; exit: - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); if (rc != 0) { - mbedtls_ecp_keypair_free(&keypair); return BLE_SM_KEY_ERR; } @@ -1808,7 +1765,7 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) swap_buf(&pub[32], &ble_sm_alg_dbg_pub_key[32], 32); swap_buf(priv, ble_sm_alg_dbg_priv_key, 32); #else - uint8_t pk[64]; + uint8_t pk[BLE_PUB_KEY_LEN]; do { #if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS @@ -1823,8 +1780,16 @@ int ble_sm_alg_gen_key_pair(uint8_t *pub, uint8_t *priv) /* Make sure generated key isn't debug key. */ } while (memcmp(priv, ble_sm_alg_dbg_priv_key, 32) == 0); +#if CONFIG_BT_LE_CRYPTO_STACK_MBEDTLS + // PSA returns 65 bytes: 0x04 prefix + X (32 bytes) + Y (32 bytes) + // Skip the 0x04 prefix when copying to pub + swap_buf(pub, &pk[1], 32); + swap_buf(&pub[32], &pk[33], 32); +#else + // tinycrypt returns 64 bytes: X (32 bytes) + Y (32 bytes), no prefix swap_buf(pub, pk, 32); swap_buf(&pub[32], &pk[32], 32); +#endif swap_in_place(priv, 32); #endif // CONFIG_BT_LE_SM_SC_DEBUG_KEYS return 0; diff --git a/components/bt/esp_ble_mesh/core/bluedroid_host/adapter.c b/components/bt/esp_ble_mesh/core/bluedroid_host/adapter.c index a322c0ab86..ec584b8933 100644 --- a/components/bt/esp_ble_mesh/core/bluedroid_host/adapter.c +++ b/components/bt/esp_ble_mesh/core/bluedroid_host/adapter.c @@ -19,7 +19,7 @@ #include "device/controller.h" #if CONFIG_MBEDTLS_HARDWARE_AES -#include "mbedtls/aes.h" +#include "psa/crypto.h" #endif #include @@ -2580,26 +2580,47 @@ int bt_mesh_encrypt_le(const uint8_t key[16], const uint8_t plaintext[16], BT_DBG("key %s plaintext %s", bt_hex(key, 16), bt_hex(plaintext, 16)); #if CONFIG_MBEDTLS_HARDWARE_AES - mbedtls_aes_context ctx = {0}; - - mbedtls_aes_init(&ctx); - sys_memcpy_swap(tmp, key, 16); + psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_algorithm_t alg = PSA_ALG_ECB_NO_PADDING; + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, 128); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - if (mbedtls_aes_setkey_enc(&ctx, tmp, 128) != 0) { - mbedtls_aes_free(&ctx); + status = psa_import_key(&attributes, tmp, 16, &key_id); + if (status != PSA_SUCCESS) { + BT_ERR("psa_import_key failed with status %d", status); + return -EINVAL; + } + psa_reset_key_attributes(&attributes); + + status = psa_cipher_encrypt_setup(&operation, key_id, alg); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_encrypt_setup failed with status %d", status); + psa_destroy_key(key_id); + return -EINVAL; + } + size_t output_length = 0; + status = psa_cipher_update(&operation, plaintext, 16, enc_data, 16, &output_length); + if (status != PSA_SUCCESS || output_length != 16) { + BT_ERR("psa_cipher_update failed with status %d", status); + psa_cipher_abort(&operation); + psa_destroy_key(key_id); return -EINVAL; } - sys_memcpy_swap(tmp, plaintext, 16); - - if (mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_ENCRYPT, - tmp, enc_data) != 0) { - mbedtls_aes_free(&ctx); + status = psa_cipher_finish(&operation, enc_data + output_length, 16 - output_length, &output_length); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_finish failed with status %d", status); return -EINVAL; } - mbedtls_aes_free(&ctx); + psa_destroy_key(key_id); + #else /* CONFIG_MBEDTLS_HARDWARE_AES */ struct tc_aes_key_sched_struct s = {0}; @@ -2629,22 +2650,44 @@ int bt_mesh_encrypt_be(const uint8_t key[16], const uint8_t plaintext[16], BT_DBG("key %s plaintext %s", bt_hex(key, 16), bt_hex(plaintext, 16)); #if CONFIG_MBEDTLS_HARDWARE_AES - mbedtls_aes_context ctx = {0}; + psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_algorithm_t alg = PSA_ALG_ECB_NO_PADDING; + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, 128); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - mbedtls_aes_init(&ctx); - - if (mbedtls_aes_setkey_enc(&ctx, key, 128) != 0) { - mbedtls_aes_free(&ctx); + status = psa_import_key(&attributes, key, 16, &key_id); + if (status != PSA_SUCCESS) { + BT_ERR("psa_import_key failed with status %d", status); return -EINVAL; } - if (mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_ENCRYPT, - plaintext, enc_data) != 0) { - mbedtls_aes_free(&ctx); + status = psa_cipher_encrypt_setup(&operation, key_id, alg); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_encrypt_setup failed with status %d", status); + psa_destroy_key(key_id); + return -EINVAL; + } + size_t output_length = 0; + status = psa_cipher_update(&operation, plaintext, 16, enc_data, 16, &output_length); + if (status != PSA_SUCCESS || output_length != 16) { + BT_ERR("psa_cipher_update failed with status %d", status); + psa_cipher_abort(&operation); + psa_destroy_key(key_id); return -EINVAL; } - mbedtls_aes_free(&ctx); + status = psa_cipher_finish(&operation, enc_data + output_length, 16 - output_length, &output_length); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_finish failed with status %d", status); + return -EINVAL; + } + + psa_destroy_key(key_id); #else /* CONFIG_MBEDTLS_HARDWARE_AES */ struct tc_aes_key_sched_struct s = {0}; diff --git a/components/bt/esp_ble_mesh/core/nimble_host/adapter.c b/components/bt/esp_ble_mesh/core/nimble_host/adapter.c index 1992fb87b3..18613b36fe 100644 --- a/components/bt/esp_ble_mesh/core/nimble_host/adapter.c +++ b/components/bt/esp_ble_mesh/core/nimble_host/adapter.c @@ -11,8 +11,7 @@ #include "btc/btc_task.h" #include "osi/alarm.h" -#include "mbedtls/aes.h" -#include "mbedtls/ecp.h" +#include "psa/crypto.h" #include "host/ble_hs.h" #include "host/ble_uuid.h" @@ -2665,39 +2664,29 @@ const uint8_t *bt_mesh_pub_key_get(void) bool bt_mesh_check_public_key(const uint8_t key[64]) { - struct mbedtls_ecp_point pt = {0}; - mbedtls_ecp_group grp = {0}; - bool rc = false; + psa_status_t status = PSA_SUCCESS; uint8_t pub[65] = {0}; /* Hardcoded first byte of pub key for MBEDTLS_ECP_PF_UNCOMPRESSED */ pub[0] = 0x04; memcpy(&pub[1], key, 64); - /* Initialize the required structures here */ - mbedtls_ecp_point_init(&pt); - mbedtls_ecp_group_init(&grp); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); + psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256)); + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1)); + psa_set_key_bits(&attributes, 256); - /* Below 3 steps are to validate public key on curve secp256r1 */ - if (mbedtls_ecp_group_load(&grp, MBEDTLS_ECP_DP_SECP256R1) != 0) { - goto exit; + status = psa_import_key(&attributes, pub, sizeof(pub), &key_id); + if (status != PSA_SUCCESS) { + BT_ERR("Failed to import public key, status: %d", status); + return false; } + psa_reset_key_attributes(&attributes); + psa_destroy_key(key_id); - if (mbedtls_ecp_point_read_binary(&grp, &pt, pub, 65) != 0) { - goto exit; - } - - if (mbedtls_ecp_check_pubkey(&grp, &pt) != 0) { - goto exit; - } - - rc = true; - -exit: - mbedtls_ecp_point_free(&pt); - mbedtls_ecp_group_free(&grp); - return rc; - + return true; } int ble_sm_alg_gen_dhkey(uint8_t *peer_pub_key_x, uint8_t *peer_pub_key_y, @@ -2719,26 +2708,46 @@ int bt_mesh_encrypt_le(const uint8_t key[16], const uint8_t plaintext[16], BT_DBG("key %s plaintext %s", bt_hex(key, 16), bt_hex(plaintext, 16)); #if CONFIG_MBEDTLS_HARDWARE_AES - mbedtls_aes_context ctx = {0}; - - mbedtls_aes_init(&ctx); - sys_memcpy_swap(tmp, key, 16); + psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_algorithm_t alg = PSA_ALG_ECB_NO_PADDING; + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, 128); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - if (mbedtls_aes_setkey_enc(&ctx, tmp, 128) != 0) { - mbedtls_aes_free(&ctx); + status = psa_import_key(&attributes, tmp, 16, &key_id); + if (status != PSA_SUCCESS) { + BT_ERR("psa_import_key failed with status %d", status); + return -EINVAL; + } + psa_reset_key_attributes(&attributes); + + status = psa_cipher_encrypt_setup(&operation, key_id, alg); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_encrypt_setup failed with status %d", status); + psa_destroy_key(key_id); + return -EINVAL; + } + size_t output_length = 0; + status = psa_cipher_update(&operation, plaintext, 16, enc_data, 16, &output_length); + if (status != PSA_SUCCESS || output_length != 16) { + BT_ERR("psa_cipher_update failed with status %d", status); + psa_cipher_abort(&operation); + psa_destroy_key(key_id); return -EINVAL; } - sys_memcpy_swap(tmp, plaintext, 16); - - if (mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_ENCRYPT, - tmp, enc_data) != 0) { - mbedtls_aes_free(&ctx); + status = psa_cipher_finish(&operation, enc_data + output_length, 16 - output_length, &output_length); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_finish failed with status %d", status); return -EINVAL; } - mbedtls_aes_free(&ctx); + psa_destroy_key(key_id); #else /* CONFIG_MBEDTLS_HARDWARE_AES */ struct tc_aes_key_sched_struct s = {0}; @@ -2768,22 +2777,45 @@ int bt_mesh_encrypt_be(const uint8_t key[16], const uint8_t plaintext[16], BT_DBG("key %s plaintext %s", bt_hex(key, 16), bt_hex(plaintext, 16)); #if CONFIG_MBEDTLS_HARDWARE_AES - mbedtls_aes_context ctx = {0}; + psa_status_t status; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_key_id_t key_id = 0; + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_algorithm_t alg = PSA_ALG_ECB_NO_PADDING; + psa_set_key_algorithm(&attributes, alg); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, 128); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); - mbedtls_aes_init(&ctx); - - if (mbedtls_aes_setkey_enc(&ctx, key, 128) != 0) { - mbedtls_aes_free(&ctx); + status = psa_import_key(&attributes, key, 16, &key_id); + if (status != PSA_SUCCESS) { + BT_ERR("psa_import_key failed with status %d", status); return -EINVAL; } - if (mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_ENCRYPT, - plaintext, enc_data) != 0) { - mbedtls_aes_free(&ctx); + status = psa_cipher_encrypt_setup(&operation, key_id, alg); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_encrypt_setup failed with status %d", status); + psa_destroy_key(key_id); + return -EINVAL; + } + size_t output_length = 0; + status = psa_cipher_update(&operation, plaintext, 16, enc_data, 16, &output_length); + if (status != PSA_SUCCESS || output_length != 16) { + BT_ERR("psa_cipher_update failed with status %d", status); + psa_cipher_abort(&operation); + psa_destroy_key(key_id); return -EINVAL; } - mbedtls_aes_free(&ctx); + status = psa_cipher_finish(&operation, enc_data + output_length, 16 - output_length, &output_length); + if (status != PSA_SUCCESS) { + BT_ERR("psa_cipher_finish failed with status %d", status); + psa_destroy_key(key_id); + return -EINVAL; + } + + psa_destroy_key(key_id); #else /* CONFIG_MBEDTLS_HARDWARE_AES */ struct tc_aes_key_sched_struct s = {0}; diff --git a/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/heart_rate_mock.c b/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/heart_rate_mock.c index fe8aaf8c89..21516435e5 100644 --- a/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/heart_rate_mock.c +++ b/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/heart_rate_mock.c @@ -4,7 +4,6 @@ * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ /* Includes */ -#include "common.h" #include "heart_rate.h" #include "esp_random.h" diff --git a/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/led.c b/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/led.c index 8a11d00b02..a00d5459ed 100644 --- a/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/led.c +++ b/examples/bluetooth/ble_get_started/bluedroid/Bluedroid_GATT_Server/main/src/led.c @@ -5,7 +5,6 @@ */ /* Includes */ #include "led.h" -#include "common.h" /* Private variables */ static uint8_t led_state; diff --git a/examples/bluetooth/blufi/main/blufi_security.c b/examples/bluetooth/blufi/main/blufi_security.c index 123f506336..065be15352 100644 --- a/examples/bluetooth/blufi/main/blufi_security.c +++ b/examples/bluetooth/blufi/main/blufi_security.c @@ -23,9 +23,7 @@ #include "esp_blufi_api.h" #include "blufi_example.h" -#include "mbedtls/aes.h" -#include "mbedtls/dhm.h" -#include "mbedtls/md5.h" +#include "psa/crypto.h" #include "esp_crc.h" /* @@ -40,10 +38,10 @@ struct blufi_security { -#define DH_SELF_PUB_KEY_LEN 128 #define DH_PARAM_LEN_MAX 1024 +#define DH_SELF_PUB_KEY_LEN 256 uint8_t self_public_key[DH_SELF_PUB_KEY_LEN]; -#define SHARE_KEY_LEN 128 +#define SHARE_KEY_LEN 256 uint8_t share_key[SHARE_KEY_LEN]; size_t share_len; #define PSK_LEN 16 @@ -51,17 +49,10 @@ struct blufi_security { uint8_t *dh_param; int dh_param_len; uint8_t iv[16]; - mbedtls_dhm_context dhm; - mbedtls_aes_context aes; + psa_key_id_t aes_key; }; static struct blufi_security *blufi_sec; -static int myrand( void *rng_state, unsigned char *output, size_t len ) -{ - esp_fill_random(output, len); - return( 0 ); -} - extern void btc_blufi_report_error(esp_blufi_error_state_t state); void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free) @@ -72,7 +63,6 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da return; } - int ret; uint8_t type = data[0]; if (blufi_sec == NULL) { @@ -116,56 +106,78 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da return; } + uint8_t *param = blufi_sec->dh_param; memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len); - ret = mbedtls_dhm_read_params(&blufi_sec->dhm, ¶m, ¶m[blufi_sec->dh_param_len]); - if (ret) { - BLUFI_ERROR("%s read param failed %d\n", __func__, ret); - btc_blufi_report_error(ESP_BLUFI_READ_PARAM_ERROR); + size_t p_len = (param[0] << 8) | param[1]; + param += 2 + p_len; + + size_t g_len = (param[0] << 8) | param[1]; + param += 2 + g_len; + + size_t pub_len = (param[0] << 8) | param[1]; + param += 2; + ESP_LOGD("blfi", "P len %d, G len %d, pub len %d", p_len, g_len, pub_len); + + psa_key_type_t key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); + size_t key_bits = 3072; + ESP_LOGI("blfi", "DH param len %d, bits %d", blufi_sec->dh_param_len, key_bits); + psa_algorithm_t alg = PSA_ALG_FFDH; + psa_key_attributes_t attributes = psa_key_attributes_init(); + psa_set_key_type(&attributes, key_type); + psa_set_key_bits(&attributes, key_bits); + psa_set_key_algorithm(&attributes, alg); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_key_id_t private_key = 0; + psa_status_t status = psa_generate_key(&attributes, &private_key); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s psa_generate_key failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + return; + } + psa_reset_key_attributes(&attributes); + size_t public_key_len = 0; + status = psa_export_public_key(private_key, blufi_sec->self_public_key, DH_SELF_PUB_KEY_LEN, &public_key_len); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s psa_export_public_key failed %d\n", __func__, status); + psa_destroy_key(private_key); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); return; } - free(blufi_sec->dh_param); - blufi_sec->dh_param = NULL; - const int dhm_len = mbedtls_dhm_get_len(&blufi_sec->dhm); - - if (dhm_len > DH_SELF_PUB_KEY_LEN) { - BLUFI_ERROR("%s dhm len not support %d\n", __func__, dhm_len); + status = psa_raw_key_agreement(alg, private_key, param, pub_len, blufi_sec->share_key, SHARE_KEY_LEN, &blufi_sec->share_len); + psa_destroy_key(private_key); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s psa_raw_key_agreement failed %d\n", __func__, status); + free(blufi_sec->dh_param); + blufi_sec->dh_param = NULL; btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } - ret = mbedtls_dhm_make_public(&blufi_sec->dhm, dhm_len, blufi_sec->self_public_key, DH_SELF_PUB_KEY_LEN, myrand, NULL); - if (ret) { - BLUFI_ERROR("%s make public failed %d\n", __func__, ret); - btc_blufi_report_error(ESP_BLUFI_MAKE_PUBLIC_ERROR); - return; - } - - ret = mbedtls_dhm_calc_secret( &blufi_sec->dhm, - blufi_sec->share_key, - SHARE_KEY_LEN, - &blufi_sec->share_len, - myrand, NULL); - if (ret) { - BLUFI_ERROR("%s mbedtls_dhm_calc_secret failed %d\n", __func__, ret); - btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); - return; - } - - ret = mbedtls_md5(blufi_sec->share_key, blufi_sec->share_len, blufi_sec->psk); - - if (ret) { - BLUFI_ERROR("%s mbedtls_md5 failed %d\n", __func__, ret); + size_t hash_length = 0; + status = psa_hash_compute(PSA_ALG_MD5, blufi_sec->share_key, blufi_sec->share_len, blufi_sec->psk, PSK_LEN, &hash_length); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s psa_hash_compute failed %d\n", __func__, status); btc_blufi_report_error(ESP_BLUFI_CALC_MD5_ERROR); return; } - mbedtls_aes_setkey_enc(&blufi_sec->aes, blufi_sec->psk, PSK_LEN * 8); + // mbedtls_aes_setkey_enc(&blufi_sec->aes, blufi_sec->psk, PSK_LEN * 8); + attributes = psa_key_attributes_init(); + psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); + psa_set_key_bits(&attributes, PSK_LEN * 8); + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); + status = psa_import_key(&attributes, blufi_sec->psk, PSK_LEN, &blufi_sec->aes_key); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s psa_import_key failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + return; + } /* alloc output data */ *output_data = &blufi_sec->self_public_key[0]; - *output_len = dhm_len; + *output_len = public_key_len; *need_free = false; } @@ -181,40 +193,76 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da int blufi_aes_encrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) { - int ret; - size_t iv_offset = 0; uint8_t iv0[16]; if (!blufi_sec) { return -1; } - memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv)); - iv0[0] = iv8; /* set iv8 as the iv0[0] */ - - ret = mbedtls_aes_crypt_cfb128(&blufi_sec->aes, MBEDTLS_AES_ENCRYPT, crypt_len, &iv_offset, iv0, crypt_data, crypt_data); - if (ret) { + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_status_t status = psa_cipher_encrypt_setup(&operation, blufi_sec->aes_key, PSA_ALG_CFB); + if (status != PSA_SUCCESS) { return -1; } - return crypt_len; + memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv)); + iv0[0] = iv8; + + status = psa_cipher_set_iv(&operation, iv0, sizeof(iv0)); + if (status != PSA_SUCCESS) { + psa_cipher_abort(&operation); + return -1; + } + + size_t encrypt_out_len = 0; + status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &encrypt_out_len); + if (status != PSA_SUCCESS) { + psa_cipher_abort(&operation); + return -1; + } + + status = psa_cipher_finish(&operation, crypt_data, crypt_len, &encrypt_out_len); + if (status != PSA_SUCCESS) { + psa_cipher_abort(&operation); + return -1; + } + + return encrypt_out_len; } int blufi_aes_decrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) { - int ret; - size_t iv_offset = 0; uint8_t iv0[16]; if (!blufi_sec) { return -1; } - memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv)); - iv0[0] = iv8; /* set iv8 as the iv0[0] */ + psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; + psa_status_t status = psa_cipher_decrypt_setup(&operation, blufi_sec->aes_key, PSA_ALG_CFB); + if (status != PSA_SUCCESS) { + return -1; + } - ret = mbedtls_aes_crypt_cfb128(&blufi_sec->aes, MBEDTLS_AES_DECRYPT, crypt_len, &iv_offset, iv0, crypt_data, crypt_data); - if (ret) { + memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv)); + iv0[0] = iv8; + + status = psa_cipher_set_iv(&operation, iv0, sizeof(iv0)); + if (status != PSA_SUCCESS) { + psa_cipher_abort(&operation); + return -1; + } + + size_t encrypt_out_len = 0; + status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &encrypt_out_len); + if (status != PSA_SUCCESS) { + psa_cipher_abort(&operation); + return -1; + } + + status = psa_cipher_finish(&operation, crypt_data, crypt_len, &encrypt_out_len); + if (status != PSA_SUCCESS) { + psa_cipher_abort(&operation); return -1; } @@ -236,9 +284,6 @@ esp_err_t blufi_security_init(void) memset(blufi_sec, 0x0, sizeof(struct blufi_security)); - mbedtls_dhm_init(&blufi_sec->dhm); - mbedtls_aes_init(&blufi_sec->aes); - memset(blufi_sec->iv, 0x0, sizeof(blufi_sec->iv)); return 0; } @@ -252,8 +297,7 @@ void blufi_security_deinit(void) free(blufi_sec->dh_param); blufi_sec->dh_param = NULL; } - mbedtls_dhm_free(&blufi_sec->dhm); - mbedtls_aes_free(&blufi_sec->aes); + psa_destroy_key(blufi_sec->aes_key); memset(blufi_sec, 0x0, sizeof(struct blufi_security)); diff --git a/examples/bluetooth/blufi/sdkconfig.defaults b/examples/bluetooth/blufi/sdkconfig.defaults index a68c42e84a..797047814d 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults +++ b/examples/bluetooth/blufi/sdkconfig.defaults @@ -15,4 +15,3 @@ CONFIG_BT_GATTC_ENABLE=n CONFIG_BT_BLE_SMP_ENABLE=n CONFIG_BT_BLE_BLUFI_ENABLE=y CONFIG_MBEDTLS_HARDWARE_MPI=n -CONFIG_MBEDTLS_DHM_C=y diff --git a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c2 b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c2 index 128be8ddd8..9e6420f770 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c2 +++ b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c2 @@ -8,7 +8,6 @@ CONFIG_BT_NIMBLE_BLUFI_ENABLE=y # CONFIG_BT_BLE_SMP_ENABLE is not set # CONFIG_BT_BLE_50_FEATURES_SUPPORTED is not set CONFIG_BT_BLE_42_FEATURES_SUPPORTED=y -CONFIG_MBEDTLS_DHM_C=y # The config items for NIMBLE HOST CONFIG_BT_NIMBLE_ENABLED=y CONFIG_BT_NIMBLE_ROLE_CENTRAL=n diff --git a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c5 b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c5 index 128be8ddd8..9e6420f770 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c5 +++ b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c5 @@ -8,7 +8,6 @@ CONFIG_BT_NIMBLE_BLUFI_ENABLE=y # CONFIG_BT_BLE_SMP_ENABLE is not set # CONFIG_BT_BLE_50_FEATURES_SUPPORTED is not set CONFIG_BT_BLE_42_FEATURES_SUPPORTED=y -CONFIG_MBEDTLS_DHM_C=y # The config items for NIMBLE HOST CONFIG_BT_NIMBLE_ENABLED=y CONFIG_BT_NIMBLE_ROLE_CENTRAL=n diff --git a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c6 b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c6 index 128be8ddd8..9e6420f770 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c6 +++ b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c6 @@ -8,7 +8,6 @@ CONFIG_BT_NIMBLE_BLUFI_ENABLE=y # CONFIG_BT_BLE_SMP_ENABLE is not set # CONFIG_BT_BLE_50_FEATURES_SUPPORTED is not set CONFIG_BT_BLE_42_FEATURES_SUPPORTED=y -CONFIG_MBEDTLS_DHM_C=y # The config items for NIMBLE HOST CONFIG_BT_NIMBLE_ENABLED=y CONFIG_BT_NIMBLE_ROLE_CENTRAL=n diff --git a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c61 b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c61 index 128be8ddd8..9e6420f770 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults.esp32c61 +++ b/examples/bluetooth/blufi/sdkconfig.defaults.esp32c61 @@ -8,7 +8,6 @@ CONFIG_BT_NIMBLE_BLUFI_ENABLE=y # CONFIG_BT_BLE_SMP_ENABLE is not set # CONFIG_BT_BLE_50_FEATURES_SUPPORTED is not set CONFIG_BT_BLE_42_FEATURES_SUPPORTED=y -CONFIG_MBEDTLS_DHM_C=y # The config items for NIMBLE HOST CONFIG_BT_NIMBLE_ENABLED=y CONFIG_BT_NIMBLE_ROLE_CENTRAL=n diff --git a/examples/bluetooth/blufi/sdkconfig.defaults.mini b/examples/bluetooth/blufi/sdkconfig.defaults.mini index ae88731ccd..2f81ae696a 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults.mini +++ b/examples/bluetooth/blufi/sdkconfig.defaults.mini @@ -47,7 +47,6 @@ CONFIG_BT_NIMBLE_DIS_SERVICE=n CONFIG_BT_ALARM_MAX_NUM=15 CONFIG_MBEDTLS_HARDWARE_MPI=n -CONFIG_MBEDTLS_DHM_C=y CONFIG_BT_NIMBLE_BLUFI_ENABLE=y diff --git a/examples/bluetooth/esp_ble_mesh/aligenie_demo/main/aligenie_demo.c b/examples/bluetooth/esp_ble_mesh/aligenie_demo/main/aligenie_demo.c index 2bfd9397ab..1858bc0946 100644 --- a/examples/bluetooth/esp_ble_mesh/aligenie_demo/main/aligenie_demo.c +++ b/examples/bluetooth/esp_ble_mesh/aligenie_demo/main/aligenie_demo.c @@ -16,7 +16,7 @@ #include "esp_mac.h" #include "nvs_flash.h" -#include "mbedtls/sha256.h" +#include "psa/crypto.h" #include "esp_ble_mesh_common_api.h" #include "esp_ble_mesh_networking_api.h" @@ -32,6 +32,8 @@ #include "genie_mesh.h" #include "ble_mesh_example_init.h" #include "ble_mesh_example_nvs.h" +#include "psa/crypto_struct.h" +#include "psa/crypto_values.h" static const char *TAG = "genie_demo"; @@ -1335,7 +1337,12 @@ void config_triples(void) ESP_LOGI(TAG, "authvalue_string: %s", authvalue_string); uint8_t sha256_out[32] = {0}; - mbedtls_sha256((const unsigned char *)authvalue_string, strlen(authvalue_string), sha256_out, 0); + size_t hash_length = 0; + psa_status_t status = psa_hash_compute(PSA_ALG_SHA_256, (const uint8_t *)authvalue_string, strlen(authvalue_string), sha256_out, sizeof(sha256_out), &hash_length); + if (status != PSA_SUCCESS) { + ESP_LOGE(TAG, "Failed to compute hash, status: %ld", status); + return; + } memcpy(static_val, sha256_out, 16); provision.static_val = static_val; diff --git a/examples/bluetooth/nimble/bleprph/main/gatt_svr.c b/examples/bluetooth/nimble/bleprph/main/gatt_svr.c index d48a35f0ab..eb45537f4f 100644 --- a/examples/bluetooth/nimble/bleprph/main/gatt_svr.c +++ b/examples/bluetooth/nimble/bleprph/main/gatt_svr.c @@ -240,7 +240,9 @@ gatt_svr_init(void) { int rc; +#if CONFIG_BT_NIMBLE_GAP_SERVICE ble_svc_gap_init(); +#endif /* CONFIG_BT_NIMBLE_GAP_SERVICE */ ble_svc_gatt_init(); ble_svc_ans_init(); diff --git a/examples/mesh/internal_communication/sdkconfig.ci.esp32c5 b/examples/mesh/internal_communication/sdkconfig.ci.esp32c5 new file mode 100644 index 0000000000..1686559de4 --- /dev/null +++ b/examples/mesh/internal_communication/sdkconfig.ci.esp32c5 @@ -0,0 +1 @@ +CONFIG_PARTITION_TABLE_SINGLE_APP_LARGE=y