project-chip · msandstedt · Oct 8, 2021 · Sep 9, 2021 · Sep 10, 2021 · Sep 10, 2021
diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h
@@ -26,6 +26,8 @@
 #include <crypto/CryptoBuildConfig.h>
 #endif
 
+#include <system/SystemConfig.h>
+
 #include <lib/core/CHIPError.h>
 #include <lib/core/CHIPVendorIdentifiers.hpp>
 #include <lib/support/CodeUtils.h>
@@ -73,18 +75,7 @@ constexpr size_t kMAX_P256Keypair_Context_Size = 512;
 constexpr size_t kEmitDerIntegerWithoutTagOverhead = 1; // 1 sign stuffer
 constexpr size_t kEmitDerIntegerOverhead           = 3; // Tag + Length byte + 1 sign stuffer
 
-/*
- * Worst case is OpenSSL, so let's use its worst case and let static assert tell us if
- * we are wrong, since `typedef SHA_LONG unsigned int` is default.
- *   SHA_LONG h[8];
- *   SHA_LONG Nl, Nh;
- *   SHA_LONG data[SHA_LBLOCK]; // SHA_LBLOCK is 16 for SHA256
- *   unsigned int num, md_len;
- *
- * We also have to account for possibly some custom extensions on some targets,
- * especially for mbedTLS, so an extra sizeof(uint64_t) is added to account.
- */
-constexpr size_t kMAX_Hash_SHA256_Context_Size = ((sizeof(unsigned int) * (8 + 2 + 16 + 2)) + sizeof(uint64_t));
+constexpr size_t kMAX_Hash_SHA256_Context_Size = CHIP_CONFIG_SHA256_CONTEXT_SIZE;
 
 /*
  * Overhead to encode a raw ECDSA signature in X9.62 format in ASN.1 DER

diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp
@@ -207,13 +207,6 @@ CHIP_ERROR Hash_SHA1(const uint8_t * data, const size_t data_length, uint8_t * o
     return CHIP_NO_ERROR;
 }
 
-Hash_SHA256_stream::Hash_SHA256_stream(void) {}
-
-Hash_SHA256_stream::~Hash_SHA256_stream(void)
-{
-    Clear();
-}
-
 static_assert(kMAX_Hash_SHA256_Context_Size >= sizeof(mbedtls_sha256_context),
               "kMAX_Hash_SHA256_Context_Size is too small for the size of underlying mbedtls_sha256_context");
 
@@ -222,6 +215,19 @@ static inline mbedtls_sha256_context * to_inner_hash_sha256_context(HashSHA256Op
     return SafePointerCast<mbedtls_sha256_context *>(context);
 }
 
+Hash_SHA256_stream::Hash_SHA256_stream(void)
+{
+    mbedtls_sha256_context * context = to_inner_hash_sha256_context(&mContext);
+    mbedtls_sha256_init(context);
+}
+
+Hash_SHA256_stream::~Hash_SHA256_stream(void)
+{
+    mbedtls_sha256_context * context = to_inner_hash_sha256_context(&mContext);
+    mbedtls_sha256_free(context);
+    Clear();
+}
+
 CHIP_ERROR Hash_SHA256_stream::Begin(void)
 {
     mbedtls_sha256_context * const context = to_inner_hash_sha256_context(&mContext);
@@ -254,7 +260,7 @@ CHIP_ERROR Hash_SHA256_stream::GetDigest(MutableByteSpan & out_buffer)
     CHIP_ERROR result = Finish(out_buffer);
 
     // Restore context prior to finalization.
-    *context = previous_ctx;
+    mbedtls_sha256_clone(context, &previous_ctx);
 
     return result;
 }

diff --git a/src/lib/core/CHIPConfig.h b/src/lib/core/CHIPConfig.h
@@ -863,6 +863,28 @@
 #error "Please assert exactly one CHIP_CONFIG_HASH_IMPLEMENTATION_... option."
 #endif
 
+/**
+ *  @def CHIP_CONFIG_SHA256_CONTEXT_SIZE
+ *
+ *  @brief
+ *    Size of the statically allocated context for SHA256 operations in CryptoPAL
+ *
+ *    The default size is based on the Worst software implementation, OpenSSL. A
+ *    static assert will tell us if we are wrong, since `typedef SHA_LONG unsigned
+ *    int` is default.
+ *      SHA_LONG h[8];
+ *      SHA_LONG Nl, Nh;
+ *      SHA_LONG data[SHA_LBLOCK]; // SHA_LBLOCK is 16 for SHA256
+ *      unsigned int num, md_len;
+ *
+ *    We also have to account for possibly some custom extensions on some targets,
+ *    especially for mbedTLS, so an extra sizeof(uint64_t) is added to account.
+ *
+ */
+#ifndef CHIP_CONFIG_SHA256_CONTEXT_SIZE
+#define CHIP_CONFIG_SHA256_CONTEXT_SIZE ((sizeof(unsigned int) * (8 + 2 + 16 + 2)) + sizeof(uint64_t))
+#endif // CHIP_CONFIG_SHA256_CONTEXT_SIZE
+
 /**
  *  @name chip key export protocol configuration.
  *

diff --git a/src/platform/cc13x2_26x2/BLEManagerImpl.h b/src/platform/cc13x2_26x2/BLEManagerImpl.h
@@ -22,34 +22,31 @@
  * Instruments cc13xx_cc26xx platform.
  */
 
-#ifndef BLEManager_IMPL_H
-#define BLEManager_IMPL_H
-
 #pragma once
 
 #if CHIP_DEVICE_CONFIG_ENABLE_CHIPOBLE
 
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #include "FreeRTOS.h"
 #include <queue.h>
 #include <task.h>
 
+#ifdef __cplusplus
+extern "C" {
+#endif
 #include <icall.h>
 #include <icall_ble_api.h>
 
 #include "hal_types.h"
 
-#include "chipOBleProfile.h"
 #include "ti_ble_config.h"
 #include "ti_drivers_config.h"
 
 #ifdef __cplusplus
 }
 #endif
 
+#include "chipOBleProfile.h"
+
 namespace chip {
 namespace DeviceLayer {
 namespace Internal {
@@ -367,5 +364,3 @@ inline BleLayer * BLEManagerImpl::_GetBleLayer()
 } // namespace chip
 
 #endif // CHIP_DEVICE_CONFIG_ENABLE_CHIPOBLE
-
-#endif // BLEManager_IMPL_H
diff --git a/src/platform/cc13x2_26x2/CHIPPlatformConfig.h b/src/platform/cc13x2_26x2/CHIPPlatformConfig.h
@@ -41,14 +41,17 @@
 
 // ==================== Security Adaptations ====================
 
+// This platform uses mbedtls, but these defines don't seem to be used in source
 #define CHIP_CONFIG_USE_OPENSSL_ECC 0
 #define CHIP_CONFIG_USE_MICRO_ECC 1
 
 #define CHIP_CONFIG_HASH_IMPLEMENTATION_OPENSSL 0
-#define CHIP_CONFIG_HASH_IMPLEMENTATION_MINCRYPT 1
-#define CHIP_CONFIG_HASH_IMPLEMENTATION_MBEDTLS 0
+#define CHIP_CONFIG_HASH_IMPLEMENTATION_MINCRYPT 0
+#define CHIP_CONFIG_HASH_IMPLEMENTATION_MBEDTLS 1
 #define CHIP_CONFIG_HASH_IMPLEMENTATION_PLATFORM 0
 
+#define CHIP_CONFIG_SHA256_CONTEXT_SIZE (sizeof(unsigned int) * 76)
+
 #define CHIP_CONFIG_AES_IMPLEMENTATION_OPENSSL 0
 #define CHIP_CONFIG_AES_IMPLEMENTATION_AESNI 0
 #define CHIP_CONFIG_AES_IMPLEMENTATION_MBEDTLS 1

diff --git a/src/platform/cc13x2_26x2/crypto/aes_alt.c b/src/platform/cc13x2_26x2/crypto/aes_alt.c
@@ -0,0 +1,135 @@
+/*
+ *
+ *    Copyright (c) 2020 Project CHIP Authors
+ *    Copyright (c) 2020 Texas Instruments Incorporated
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#include "aes_alt.h"
+#include "mbedtls/aes.h"
+
+#if defined(MBEDTLS_AES_ALT)
+
+#include <string.h>
+
+#include "ti_drivers_config.h"
+
+#include <ti/devices/DeviceFamily.h>
+#include <ti/drivers/AESECB.h>
+#include <ti/drivers/cryptoutils/cryptokey/CryptoKeyPlaintext.h>
+
+/*
+ * number of active contexts, used for power on/off of the crypto core
+ */
+static unsigned int ref_num = 0;
+
+static AESECB_Handle AESECB_handle = NULL;
+
+void mbedtls_aes_init(mbedtls_aes_context * ctx)
+{
+    AESECB_Params AESECBParams;
+
+    if (ref_num == 0)
+    {
+        AESECB_Params_init(&AESECBParams);
+        AESECBParams.returnBehavior = AESECB_RETURN_BEHAVIOR_POLLING;
+        AESECB_handle               = AESECB_open(CONFIG_AESECB_1, &AESECBParams);
+
+        // handle will be NULL if open failed, subsequent calls will fail with a generic HW error
+    }
+    ref_num++;
+}
+
+void mbedtls_aes_free(mbedtls_aes_context * ctx)
+{
+    if (ref_num > 0)
+    {
+        ref_num--;
+        if (ref_num == 0)
+        {
+            AESECB_close(AESECB_handle);
+
+            AESECB_handle = NULL;
+        }
+    }
+
+    memset((void *) ctx, 0x00, sizeof(ctx));
+}
+
+int mbedtls_aes_setkey_enc(mbedtls_aes_context * ctx, const unsigned char * key, unsigned int keybits)
+{
+    int_fast16_t statusCrypto;
+    size_t keylen = keybits / 8U; // 8 bits in a byte
+
+    if (keylen > sizeof(ctx->keyMaterial))
+    {
+        return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+    }
+
+    /* Initialize AES key */
+    memcpy(ctx->keyMaterial, key, keylen);
+    statusCrypto = CryptoKeyPlaintext_initKey(&ctx->cryptoKey, (uint8_t *) ctx->keyMaterial, keylen);
+
+    if (CryptoKey_STATUS_SUCCESS != statusCrypto)
+    {
+        return MBEDTLS_ERR_AES_HW_ACCEL_FAILED;
+    }
+
+    return 0;
+}
+
+int mbedtls_aes_setkey_dec(mbedtls_aes_context * ctx, const unsigned char * key, unsigned int keybits)
+{
+    int_fast16_t statusCrypto;
+    size_t keylen = keybits / 8U; // 8 bits in a byte
+
+    if (keylen > sizeof(ctx->keyMaterial))
+    {
+        return MBEDTLS_ERR_AES_INVALID_KEY_LENGTH;
+    }
+
+    /* Initialize AES key */
+    statusCrypto = CryptoKeyPlaintext_initKey(&ctx->cryptoKey, (uint8_t *) key, keylen);
+
+    if (CryptoKey_STATUS_SUCCESS != statusCrypto)
+    {
+        return MBEDTLS_ERR_AES_HW_ACCEL_FAILED;
+    }
+
+    return 0;
+}
+
+int mbedtls_aes_crypt_ecb(mbedtls_aes_context * ctx, int mode, const unsigned char input[16], unsigned char output[16])
+{
+    int statusCrypto;
+    AESECB_Operation operationOneStepEncrypt;
+
+    /* run it through the authentication + encryption, pass the ccmLVal = 2 */
+    AESECB_Operation_init(&operationOneStepEncrypt);
+
+    operationOneStepEncrypt.key         = &ctx->cryptoKey;
+    operationOneStepEncrypt.inputLength = 16;
+    operationOneStepEncrypt.input       = (uint8_t *) input;
+    operationOneStepEncrypt.output      = (uint8_t *) output;
+
+    statusCrypto = AESECB_oneStepEncrypt(AESECB_handle, &operationOneStepEncrypt);
+
+    if (CryptoKey_STATUS_SUCCESS != statusCrypto)
+    {
+        return MBEDTLS_ERR_AES_HW_ACCEL_FAILED;
+    }
+
+    return 0;
+}
+#endif
diff --git a/src/platform/cc13x2_26x2/crypto/aes_alt.h b/src/platform/cc13x2_26x2/crypto/aes_alt.h
@@ -0,0 +1,46 @@
+/*
+ *
+ *    Copyright (c) 2020 Project CHIP Authors
+ *    Copyright (c) 2020 Texas Instruments Incorporated
+ *
+ *    Licensed under the Apache License, Version 2.0 (the "License");
+ *    you may not use this file except in compliance with the License.
+ *    You may obtain a copy of the License at
+ *
+ *        http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS,
+ *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *    See the License for the specific language governing permissions and
+ *    limitations under the License.
+ */
+
+#pragma once
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls-config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_AES_ALT)
+
+#include <ti/drivers/AESECB.h>
+#include <ti/drivers/cryptoutils/cryptokey/CryptoKey.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct
+{
+    CryptoKey cryptoKey;      /*!<  structure for the AES driver */
+    uint32_t keyMaterial[16]; /*!<  memory for the key bytes used by cryptoKey */
+} mbedtls_aes_context;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_AES_ALT */
diff --git a/.../cc13x2_26x2/cc13x2_26x2-mbedtls-config.h → ..._26x2/crypto/cc13x2_26x2-mbedtls-config.h b/.../cc13x2_26x2/cc13x2_26x2-mbedtls-config.h → ..._26x2/crypto/cc13x2_26x2-mbedtls-config.h
@@ -42,7 +42,7 @@
 #define MBEDTLS_ECJPAKE_ALT
 #define MBEDTLS_AES_ALT
 #define MBEDTLS_SHA256_ALT
-//#define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_ENTROPY_HARDWARE_ALT
 
 /**
  * Enable Crypto and Entropy modules