[nrf fromtree] net: websocket: Allow using PSA APIs to calculate SHA1

The websocket used mbedtls functions to calculate the
SHA1 needed. Update the code to use PSA crypto calls instead
when the configuration CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
is enabled.

This can be useful for applications which use TF-M
since it only provides PSA crypto APIs.

Also check the error code from the mbedtls_sha1
call since it can fail and it was not checked before.

Signed-off-by: Georgios Vasilakis <[email protected]>
(cherry picked from commit 53b2802)

Author: Vge0rge

subsys/net/lib/websocket/websocket.c

@@ -34,7 +34,12 @@ LOG_MODULE_REGISTER(net_websocket, CONFIG_NET_WEBSOCKET_LOG_LEVEL);
 #include <zephyr/random/random.h>
 #include <zephyr/sys/byteorder.h>
 #include <zephyr/sys/base64.h>
+
+#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
+#include <psa/crypto.h>
+#else
 #include <mbedtls/sha1.h>
+#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 #include "net_private.h"
 #include "sockets_internal.h"
@@ -253,6 +258,10 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 		"Sec-WebSocket-Version: 13\r\n",
 		NULL
 	};
+#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
+	psa_status_t psa_status;
+	size_t hash_length;
+#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 	fd = -1;
 
@@ -280,8 +289,23 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 	ctx->http_cb = wreq->http_cb;
 	ctx->is_client = 1;
 
-	mbedtls_sha1((const unsigned char *)&rnd_value, sizeof(rnd_value),
-			 sec_accept_key);
+#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
+	psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)&rnd_value, sizeof(rnd_value),
+				      sec_accept_key, sizeof(sec_accept_key), &hash_length);
+	if (psa_status != PSA_SUCCESS) {
+		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, psa_status);
+		ret = -EPROTO;
+		goto out;
+	}
+#else
+	ret = mbedtls_sha1((const unsigned char *)&rnd_value, sizeof(rnd_value), sec_accept_key);
+	if (ret != 0) {
+		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret);
+		ret = -EPROTO;
+		goto out;
+	}
+#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
+
 
 	ret = base64_encode(sec_ws_key + sizeof("Sec-Websocket-Key: ") - 1,
 			    sizeof(sec_ws_key) -
@@ -344,7 +368,22 @@ int websocket_connect(int sock, struct websocket_request *wreq,
 	strncpy(key_accept + key_len, WS_MAGIC, olen);
 
 	/* This SHA-1 value is then checked when we receive the response */
-	mbedtls_sha1(key_accept, olen + key_len, sec_accept_key);
+#ifdef CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT
+	psa_status = psa_hash_compute(PSA_ALG_SHA_1, (const uint8_t *)key_accept, olen + key_len,
+				      sec_accept_key, sizeof(sec_accept_key), &hash_length);
+	if (psa_status != PSA_SUCCESS) {
+		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, psa_status);
+		ret = -EPROTO;
+		goto out;
+	}
+#else
+	ret = mbedtls_sha1(key_accept, olen + key_len, sec_accept_key);
+	if (ret != 0) {
+		NET_DBG("[%p] Cannot calculate sha1 (%d)", ctx, ret);
+		ret = -EPROTO;
+		goto out;
+	}
+#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_CLIENT */
 
 	ret = http_client_req(sock, &req, timeout, ctx);
 	if (ret < 0) {