modules: mbedtls: deprecate legacy hash algorithms

MAINTAINERS.yml

@@ -5857,7 +5857,8 @@ West:
     - ithinuel
   files:
     - modules/mbedtls/
-    - tests/crypto/mbedtls/
+    - tests/crypto/mbedtls_psa/
+    - tests/crypto/secp256r1/
     - tests/benchmarks/mbedtls/
   labels:
     - "area: mbedTLS / PSA Crypto"

doc/releases/migration-guide-4.3.rst

@@ -72,6 +72,11 @@ Comparator
   and :c:macro:`NRF_COMP_AIN_VDDH_DIV5` represents VDDH/5.
   The old ``string`` properties type is deprecated.
 
+Crypto
+======
+
+* Mbed TLS shim driver now uses PSA API as backend for hash operations.
+
 MFD
 ===
 
@@ -256,6 +261,19 @@ Cellular
  * :c:enum:`cellular_access_technology` values have been redefined to align with 3GPP TS 27.007.
  * :c:enum:`cellular_registration_status` values have been extended to align with 3GPP TS 27.007.
 
+Flash Map
+=========
+
+* ``CONFIG_FLASH_AREA_CHECK_INTEGRITY_MBEDTLS`` is removed. PSA API is used as default backend
+  for hash computations.
+* :kconfig:option:`CONFIG_FLASH_AREA_CHECK_INTEGRITY_PSA` is now promptless as it's automatically
+  enabled as soon as :kconfig:option:`CONFIG_FLASH_AREA_CHECK_INTEGRITY` is set.
+
+JWT
+===
+
+* Kconfig option ``CONFIG_JWT_SIGN_RSA_LEGACY`` is removed.
+
 Logging
 =======
 
@@ -274,6 +292,8 @@ MCUmgr
   but can still be used by enabling
   :kconfig:option:`CONFIG_MCUMGR_GRP_OS_INFO_HARDWARE_INFO_SHORT_HARDWARE_PLATFORM`.
 
+* PSA API are now used by default to perform hash hash computations.
+
 RTIO
 ====
 
@@ -303,6 +323,11 @@ Shell
   compatibility.
   (:github:`92677`).
 
+Update Hub
+==========
+
+* PSA API are now used by default to perform hash hash computations.
+
 .. zephyr-keep-sorted-stop
 
 Modules
@@ -311,6 +336,24 @@ Modules
 * The TinyCrypt library was removed as the upstream version is no longer maintained.
   PSA Crypto API is now the recommended cryptographic library for Zephyr.
 
+* In order to prepare for the next Mbed TLS release where all legacy cryptographic
+  support was removed in favor of PSA API, following Kconfig symbols are
+  deprecated:
+    * :kconfig:option:`CONFIG_MBEDTLS_MD5`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_MD5`.
+    * :kconfig:option:`CONFIG_MBEDTLS_SHA1`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_1`.
+    * :kconfig:option:`CONFIG_MBEDTLS_SHA224`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_224`.
+    * :kconfig:option:`CONFIG_MBEDTLS_SHA256`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_256`.
+    * :kconfig:option:`CONFIG_MBEDTLS_SHA384`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_384`.
+    * :kconfig:option:`CONFIG_MBEDTLS_SHA512`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_SHA_512`.
+    * :kconfig:option:`CONFIG_MBEDTLS_HASH_ALL_ENABLED`. Switch to
+      :kconfig:option:`CONFIG_PSA_WANT_ALG_HASH_ALL`.
+
 Silabs
 ======
 

drivers/crypto/Kconfig

@@ -24,8 +24,9 @@ source "subsys/logging/Kconfig.template.log_config"
 config CRYPTO_MBEDTLS_SHIM
 	bool "MbedTLS shim driver [EXPERIMENTAL]"
 	select MBEDTLS
+	select MBEDTLS_PSA_CRYPTO_C
+	select PSA_WANT_ALG_SHA_256
 	select MBEDTLS_ENABLE_HEAP
-	select MBEDTLS_SHA512
 	select MBEDTLS_CIPHER_AES_ENABLED
 	select EXPERIMENTAL
 	help

drivers/crypto/crypto_mtls_shim.c

@@ -26,8 +26,7 @@
 #endif
 #include <mbedtls/aes.h>
 
-#include <mbedtls/sha256.h>
-#include <mbedtls/sha512.h>
+#include <psa/crypto.h>
 
 #define MTLS_SUPPORT (CAP_RAW_KEY | CAP_SEPARATE_IO_BUFS | CAP_SYNC_OPS | \
 		      CAP_NO_IV_PREFIX)
@@ -43,13 +42,12 @@ struct mtls_shim_session {
 		mbedtls_gcm_context mtls_gcm;
 #endif
 		mbedtls_aes_context mtls_aes;
-		mbedtls_sha256_context mtls_sha256;
-		mbedtls_sha512_context mtls_sha512;
+		psa_hash_operation_t hash_op;
 	};
 	bool in_use;
 	union {
 		enum cipher_mode mode;
-		enum hash_algo algo;
+		psa_algorithm_t psa_alg;
 	};
 };
 
@@ -462,69 +460,31 @@ static int mtls_session_free(const struct device *dev, struct cipher_ctx *ctx)
 	return 0;
 }
 
-static int mtls_sha256_compute(struct hash_ctx *ctx, struct hash_pkt *pkt,
-			       bool finish)
+static int mtls_hash_compute(struct hash_ctx *ctx, struct hash_pkt *pkt, bool finish)
 {
-	int ret;
-	mbedtls_sha256_context *sha256_ctx = MTLS_GET_CTX(ctx, sha256);
-
-
-	if (!ctx->started) {
-		ret = mbedtls_sha256_starts(sha256_ctx,
-					    MTLS_GET_ALGO(ctx) == CRYPTO_HASH_ALGO_SHA224);
-		if (ret != 0) {
-			LOG_ERR("Could not compute the hash");
-			return -EINVAL;
-		}
-		ctx->started = true;
-	}
-
-	ret = mbedtls_sha256_update(sha256_ctx, pkt->in_buf, pkt->in_len);
-	if (ret != 0) {
-		LOG_ERR("Could not update the hash");
-		ctx->started = false;
-		return -EINVAL;
-	}
-
-	if (finish) {
-		ctx->started = false;
-		ret = mbedtls_sha256_finish(sha256_ctx, pkt->out_buf);
-		if (ret != 0) {
-			LOG_ERR("Could not compute the hash");
-			return -EINVAL;
-		}
-	}
-
-	return 0;
-}
-
-static int mtls_sha512_compute(struct hash_ctx *ctx, struct hash_pkt *pkt,
-			       bool finish)
-{
-	int ret;
-	mbedtls_sha512_context *sha512_ctx = MTLS_GET_CTX(ctx, sha512);
+	struct mtls_shim_session *mtls_session =
+		(struct mtls_shim_session *)ctx->drv_sessn_state;
+	size_t hash_out_len;
 
 	if (!ctx->started) {
-		ret = mbedtls_sha512_starts(sha512_ctx,
-					    MTLS_GET_ALGO(ctx) == CRYPTO_HASH_ALGO_SHA384);
-		if (ret != 0) {
-			LOG_ERR("Could not compute the hash");
-			return -EINVAL;
-		}
 		ctx->started = true;
 	}
 
-	ret = mbedtls_sha512_update(sha512_ctx, pkt->in_buf, pkt->in_len);
-	if (ret != 0) {
+	if (psa_hash_update(&mtls_session->hash_op, pkt->in_buf, pkt->in_len) != PSA_SUCCESS) {
 		LOG_ERR("Could not update the hash");
 		ctx->started = false;
 		return -EINVAL;
 	}
 
 	if (finish) {
 		ctx->started = false;
-		ret = mbedtls_sha512_finish(sha512_ctx, pkt->out_buf);
-		if (ret != 0) {
+		/* Here Zephyr API assume that the output buffer is large enough to
+		 * contain all data, but there's no way to check this. This may lead
+		 * to buffer overrun...
+		 */
+		if (psa_hash_finish(&mtls_session->hash_op, pkt->out_buf,
+				    PSA_HASH_LENGTH(mtls_session->psa_alg),
+				    &hash_out_len) != PSA_SUCCESS) {
 			LOG_ERR("Could not compute the hash");
 			return -EINVAL;
 		}
@@ -537,43 +497,49 @@ static int mtls_hash_session_setup(const struct device *dev,
 				   struct hash_ctx *ctx,
 				   enum hash_algo algo)
 {
+	struct mtls_shim_session *mtls_session;
 	int ctx_idx;
 
 	if (ctx->flags & ~(MTLS_SUPPORT)) {
 		LOG_ERR("Unsupported flag");
 		return -EINVAL;
 	}
 
-	if ((algo != CRYPTO_HASH_ALGO_SHA224) &&
-	    (algo != CRYPTO_HASH_ALGO_SHA256) &&
-	    (algo != CRYPTO_HASH_ALGO_SHA384) &&
-	    (algo != CRYPTO_HASH_ALGO_SHA512)) {
-		LOG_ERR("Unsupported algo: %d", algo);
-		return -EINVAL;
-	}
-
 	ctx_idx = mtls_get_unused_session_index();
 	if (ctx_idx < 0) {
 		LOG_ERR("No free session for now");
 		return -ENOSPC;
 	}
 
-	mtls_sessions[ctx_idx].algo = algo;
-	ctx->drv_sessn_state = &mtls_sessions[ctx_idx];
-	ctx->started = false;
+	mtls_session = &mtls_sessions[ctx_idx];
+	mtls_session->hash_op = psa_hash_operation_init();
+	switch (algo) {
+	case CRYPTO_HASH_ALGO_SHA224:
+		mtls_session->psa_alg = PSA_ALG_SHA_224;
+		break;
+	case CRYPTO_HASH_ALGO_SHA256:
+		mtls_session->psa_alg = PSA_ALG_SHA_256;
+		break;
+	case CRYPTO_HASH_ALGO_SHA384:
+		mtls_session->psa_alg = PSA_ALG_SHA_384;
+		break;
+	case CRYPTO_HASH_ALGO_SHA512:
+		mtls_session->psa_alg = PSA_ALG_SHA_512;
+		break;
+	default:
+		LOG_ERR("Unsupported algo: %d", algo);
+		return -EINVAL;
+	}
 
-	if ((algo == CRYPTO_HASH_ALGO_SHA224) ||
-	    (algo == CRYPTO_HASH_ALGO_SHA256)) {
-		mbedtls_sha256_context *sha256_ctx =
-			&mtls_sessions[ctx_idx].mtls_sha256;
-		mbedtls_sha256_init(sha256_ctx);
-		ctx->hash_hndlr = mtls_sha256_compute;
-	} else {
-		mbedtls_sha512_context *sha512_ctx =
-			&mtls_sessions[ctx_idx].mtls_sha512;
-		mbedtls_sha512_init(sha512_ctx);
-		ctx->hash_hndlr = mtls_sha512_compute;
+	if (psa_hash_setup(mtls_session->hash_op, mtls_session->psa_alg) != PSA_SUCCESS) {
+		LOG_ERR("PSA hash operation setup failed");
+		return -EIO;
 	}
+	mtls_session->in_use = true;
+
+	ctx->hash_hndlr = mtls_hash_compute;
+	ctx->drv_sessn_state = mtls_session;
+	ctx->started = false;
 
 	return 0;
 }
@@ -583,10 +549,9 @@ static int mtls_hash_session_free(const struct device *dev, struct hash_ctx *ctx
 	struct mtls_shim_session *mtls_session =
 		(struct mtls_shim_session *)ctx->drv_sessn_state;
 
-	if (mtls_session->algo == CRYPTO_HASH_ALGO_SHA256) {
-		mbedtls_sha256_free(&mtls_session->mtls_sha256);
-	} else {
-		mbedtls_sha512_free(&mtls_session->mtls_sha512);
+	if (psa_hash_abort(mtls_session->hash_op) != PSA_SUCCESS) {
+		LOG_ERR("PSA hash abort failed");
+		return -EIO;
 	}
 	mtls_session->in_use = false;
 

lib/uuid/Kconfig

@@ -23,8 +23,8 @@ config UUID_V5
 	select EXPERIMENTAL
 	depends on UUID
 	depends on MBEDTLS
-	depends on MBEDTLS_MD
-	depends on MBEDTLS_SHA1
+	depends on MBEDTLS_PSA_CRYPTO_C
+	depends on PSA_WANT_ALG_SHA_1
 	# When TF-M is enabled, Mbed TLS's MD module (which is used to generate
 	# v5 UUIDs) will dispacth hash operations to TF-M. Unfortunately TF-M
 	# does not support SHA-1 (because it's a weak algorithm) so the

lib/uuid/uuid.c

@@ -15,7 +15,7 @@
 #endif
 
 #if defined(CONFIG_UUID_V5)
-#include <mbedtls/md.h>
+#include <psa/crypto.h>
 #endif
 
 #if defined(CONFIG_UUID_BASE64)
@@ -82,54 +82,34 @@ int uuid_generate_v4(struct uuid *out)
 int uuid_generate_v5(const struct uuid *ns, const void *data, size_t data_size,
 		     struct uuid *out)
 {
+	uint8_t sha_result[PSA_HASH_LENGTH(PSA_ALG_SHA_1)];
+	size_t sha_len = 0;
+	psa_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+	psa_status_t status;
+	int ret = 0;
+
 	if (out == NULL) {
 		return -EINVAL;
 	}
-	int ret = 0;
-	int mbedtls_err = 0;
-	mbedtls_md_context_t ctx = {0};
-	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
-	const size_t sha_1_bytes = 20;
-	uint8_t sha_result[sha_1_bytes];
-
-	mbedtls_md_init(&ctx);
-	mbedtls_err = mbedtls_md_setup(&ctx, md_info, 0);
-	/* Might return: MBEDTLS_ERR_MD_BAD_INPUT_DATA or MBEDTLS_ERR_MD_ALLOC_FAILED */
-	switch (mbedtls_err) {
-	case 0:
-		break;
-	case MBEDTLS_ERR_MD_BAD_INPUT_DATA:
-		ret = -EINVAL;
-		goto exit;
-	case MBEDTLS_ERR_MD_ALLOC_FAILED:
-		ret = -ENOMEM;
-		goto exit;
-	default:
-		ret = -ENOTSUP;
-		goto exit;
-	}
-	mbedtls_err = mbedtls_md_starts(&ctx);
-	if (mbedtls_err != 0) {
-		/* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */
-		ret = -EINVAL;
+
+	status = psa_hash_operation_setup(&hash_operation, PSA_ALG_SHA1);
+	if (status != PSA_SUCCESS) {
 		goto exit;
 	}
-	mbedtls_err = mbedtls_md_update(&ctx, ns->val, UUID_SIZE);
-	if (mbedtls_err != 0) {
-		/* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */
-		ret = -EINVAL;
+
+	status = psa_hash_operation_update(&hash_operation, ns->val, UUID_SIZE);
+	if (status != PSA_SUCCESS) {
 		goto exit;
 	}
-	mbedtls_err = mbedtls_md_update(&ctx, data, data_size);
-	if (mbedtls_err != 0) {
-		/* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */
-		ret = -EINVAL;
+
+	status = psa_hash_operation_update(&hash_operation, data, data_size);
+	if (status != PSA_SUCCESS) {
 		goto exit;
 	}
-	mbedtls_err = mbedtls_md_finish(&ctx, sha_result);
-	if (mbedtls_err != 0) {
-		/* Might return MBEDTLS_ERR_MD_BAD_INPUT_DATA */
-		ret = -EINVAL;
+
+	status = psa_hash_operation_finish(&hash_operation, sha_result,
+					   sizeof(sha_result), &sha_len);
+	if (status != PSA_SUCCESS) {
 		goto exit;
 	}
 
@@ -141,8 +121,9 @@ int uuid_generate_v5(const struct uuid *ns, const void *data, size_t data_size,
 	overwrite_uuid_version_and_variant(UUID_V5_VERSION, UUID_V5_VARIANT, out);
 
 exit:
-	mbedtls_md_free(&ctx);
-	return ret;
+	psa_hash_abort(&hash_operation);
+
+	return -EINVAL;
 }
 #endif