diff --git a/subsys/net/ip/Kconfig.ipv6 b/subsys/net/ip/Kconfig.ipv6
index 945438dbc0feb..2d05087d956c5 100644
--- a/subsys/net/ip/Kconfig.ipv6
+++ b/subsys/net/ip/Kconfig.ipv6
@@ -224,7 +224,10 @@ config NET_IPV6_IID_EUI_64
 config NET_IPV6_IID_STABLE
 bool "Generate stable IID [EXPERIMENTAL]"
 select MBEDTLS
- select MBEDTLS_MD
+ select MBEDTLS_PSA_CRYPTO_C
+ select PSA_WANT_KEY_TYPE_HMAC
+ select PSA_WANT_ALG_HMAC
+ select PSA_WANT_ALG_SHA_256
 select EXPERIMENTAL
 depends on !NET_6LO
 help
@@ -246,7 +249,10 @@ endchoice
 config NET_IPV6_PE
 bool "Privacy extension (RFC 8981) support [EXPERIMENTAL]"
 select MBEDTLS
- select MBEDTLS_MD
+ select MBEDTLS_PSA_CRYPTO_C
+ select PSA_WANT_KEY_TYPE_HMAC
+ select PSA_WANT_ALG_HMAC
+ select PSA_WANT_ALG_SHA_256
 select EXPERIMENTAL
 select NET_MGMT
 select NET_MGMT_EVENT
diff --git a/subsys/net/ip/ipv6.c b/subsys/net/ip/ipv6.c
index e481f2ed84208..079835d944cdb 100644
--- a/subsys/net/ip/ipv6.c
+++ b/subsys/net/ip/ipv6.c
@@ -21,7 +21,7 @@ LOG_MODULE_REGISTER(net_ipv6, CONFIG_NET_IPV6_LOG_LEVEL);
 #if defined(CONFIG_NET_IPV6_IID_STABLE)
 #include
-#include
+#include
 #endif /* CONFIG_NET_IPV6_IID_STABLE */
 #include
@@ -875,10 +875,12 @@ static int gen_stable_iid(uint8_t if_index,
 size_t stable_iid_len)
 {
 #if defined(CONFIG_NET_IPV6_IID_STABLE)
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
- mbedtls_md_context_t ctx;
+ psa_key_id_t key_id;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_mac_operation_t mac_op = PSA_MAC_OPERATION_INIT;
+ psa_status_t status;
 uint8_t digest[32];
- int ret;
+ size_t digest_len;
 static bool once;
 static uint8_t secret_key[16]; /* Min 128 bits, RFC 7217 ch 5 */
 struct {
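Review bot: The four new `select` lines under NET_IPV6_IID_STABLE are repeated verbatim under NET_IPV6_PE in the second hunk; since both options exist to drive the same HMAC-SHA-256 primitive, a hidden intermediate symbol that each of them selects (carrying MBEDTLS, MBEDTLS_PSA_CRYPTO_C and the three PSA_WANT_* lines) would keep the crypto requirements in one place and make the next backend change a one-hunk edit. Selecting MBEDTLS_PSA_CRYPTO_C outright also forces Mbed TLS's own PSA implementation into every build that enables either option; whether that is wanted on targets that obtain PSA crypto from another provider is not something the hunk shows, so it is worth confirming.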
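Review bot: `psa_key_id_t key_id;` is declared without an initializer, yet the `err:` path of this function (in the @@ -940 hunk) calls `psa_destroy_key(key_id)` unconditionally; on the first `goto err`, taken when psa_import_key fails, the id is indeterminate, which is undefined behaviour to read and, if the stale value happens to match a live key, destroys a key that belongs to someone else. Initialize it: `psa_key_id_t key_id = PSA_KEY_ID_NULL;` — psa_destroy_key() does nothing and returns PSA_SUCCESS for the null id, so the cleanup path stays branch-free. The identical declaration in ipv6_pe.c's @@ -223 hunk needs the same initializer. gen_stable_iid begins and ends outside this hunk.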
@@ -909,28 +911,30 @@ static int gen_stable_iid(uint8_t if_index,
 once = true;
 }
- mbedtls_md_init(&ctx);
- ret = mbedtls_md_setup(&ctx, md_info, true);
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "setup", ret);
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_HMAC);
+ psa_set_key_algorithm(&key_attr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_MESSAGE);
+ status = psa_import_key(&key_attr, secret_key, sizeof(secret_key), &key_id);
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "import key", status);
 goto err;
 }
- ret = mbedtls_md_hmac_starts(&ctx, secret_key, sizeof(secret_key));
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "start", ret);
+ status = psa_mac_sign_setup(&mac_op, key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "setup", status);
 goto err;
 }
- ret = mbedtls_md_hmac_update(&ctx, (uint8_t *)&buf, sizeof(buf));
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "update", ret);
+ status = psa_mac_update(&mac_op, (uint8_t *)&buf, sizeof(buf));
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "update", status);
 goto err;
 }
- ret = mbedtls_md_hmac_finish(&ctx, digest);
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "finish", ret);
+ status = psa_mac_sign_finish(&mac_op, digest, sizeof(digest), &digest_len);
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "finish", status);
 goto err;
 }
@@ -940,14 +944,14 @@ static int gen_stable_iid(uint8_t if_index,
 if (unlikely(check_reserved(stable_iid, stable_iid_len))) {
 LOG_HEXDUMP_DBG(stable_iid, stable_iid_len, "Generated IID is reserved");
- ret = -EINVAL;
 goto err;
 }
 err:
- mbedtls_md_free(&ctx);
+ psa_mac_abort(&mac_op);
+ psa_destroy_key(key_id);
- return ret;
+ return (status == PSA_SUCCESS) ? 0 : -EIO;
 #else
 return -ENOTSUP;
 #endif
diff --git a/subsys/net/ip/ipv6_pe.c b/subsys/net/ip/ipv6_pe.c
index bb03683db39f9..e982ce5baa1c9 100644
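Review bot: The sequence from psa_set_key_type() through psa_mac_sign_finish() is duplicated verbatim in ipv6_pe.c's @@ -255 hunk; a single static helper that takes the key, the message and the output buffer would leave one HMAC path to audit and one place to fix when it changes. Importing `secret_key` on every call also means the plaintext copy has to stay in the static buffer for the life of the system; importing it once where it is generated (the `if (!once)` block that ends just above this hunk) and keeping the volatile key id would allow the buffer to be zeroized after import, provided nothing else reads it. Every psa_* call here further assumes psa_crypto_init() has already run — presumably the Mbed TLS module's init hook does that, but it is not visible in this change, and without it the first call fails with PSA_ERROR_BAD_STATE. The enclosing function starts and ends outside this hunk.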
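Review bot: The reserved-IID branch no longer reports failure: `ret = -EINVAL;` was removed without a replacement, so after its `goto err` the function returns `(status == PSA_SUCCESS) ? 0 : -EIO` with `status` still PSA_SUCCESS from psa_mac_sign_finish, and the caller receives 0 together with an IID that check_reserved() just rejected. Set an error before the jump, e.g. `status = PSA_ERROR_INVALID_ARGUMENT;` ahead of `goto err;` (callers then see -EIO instead of the previous -EINVAL), or keep a separate `int ret` and derive it from `status` at `err:` so the -EINVAL result survives. The `#else` branch still returns -ENOTSUP and is unaffected. The function's start is outside this hunk.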
--- a/subsys/net/ip/ipv6_pe.c
+++ b/subsys/net/ip/ipv6_pe.c
@@ -18,7 +18,7 @@ LOG_MODULE_REGISTER(net_ipv6_pe, CONFIG_NET_IPV6_PE_LOG_LEVEL);
 #include
 #include
-#include
+#include
 #include
 #include
@@ -223,10 +223,12 @@ static int gen_temporary_iid(struct net_if *iface,
 uint8_t *temporary_iid,
 size_t temporary_iid_len)
 {
- const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
- mbedtls_md_context_t ctx;
+ psa_key_id_t key_id;
+ psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
+ psa_mac_operation_t mac_op = PSA_MAC_OPERATION_INIT;
+ psa_status_t status;
 uint8_t digest[32];
- int ret;
+ size_t digest_len;
 static bool once;
 static uint8_t secret_key[16]; /* Min 128 bits, RFC 8981 ch 3.3.2 */
 struct {
@@ -255,37 +257,40 @@ static int gen_temporary_iid(struct net_if *iface,
 once = true;
 }
- mbedtls_md_init(&ctx);
- ret = mbedtls_md_setup(&ctx, md_info, true);
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "setup", ret);
+ psa_set_key_type(&key_attr, PSA_KEY_TYPE_HMAC);
+ psa_set_key_algorithm(&key_attr, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+ psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_SIGN_MESSAGE);
+ status = psa_import_key(&key_attr, secret_key, sizeof(secret_key), &key_id);
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "import key", status);
 goto err;
 }
- ret = mbedtls_md_hmac_starts(&ctx, secret_key, sizeof(secret_key));
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "start", ret);
+ status = psa_mac_sign_setup(&mac_op, key_id, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "setup", status);
 goto err;
 }
- ret = mbedtls_md_hmac_update(&ctx, (uint8_t *)&buf, sizeof(buf));
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "update", ret);
+ status = psa_mac_update(&mac_op, (uint8_t *)&buf, sizeof(buf));
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "update", status);
 goto err;
 }
- ret = mbedtls_md_hmac_finish(&ctx, digest);
- if (ret != 0) {
- NET_DBG("Cannot %s hmac (%d)", "finish", ret);
+ status = psa_mac_sign_finish(&mac_op, digest, sizeof(digest), &digest_len);
+ if (status != PSA_SUCCESS) {
+ NET_DBG("Cannot %s hmac (%d)", "finish", status);
 goto err;
 }
 memcpy(temporary_iid, digest, MIN(sizeof(digest), temporary_iid_len));
 err:
- mbedtls_md_free(&ctx);
+ psa_mac_abort(&mac_op);
+ psa_destroy_key(key_id);
- return ret;
+ return (status == PSA_SUCCESS) ? 0 : -EIO;
 }
 void net_ipv6_pe_start(struct net_if *iface, const struct in6_addr *prefix,
diff --git a/tests/net/iface/prj.conf b/tests/net/iface/prj.conf
index 71b3f4dfcf8a0..b1a70540435d2 100644
--- a/tests/net/iface/prj.conf
+++ b/tests/net/iface/prj.conf
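Review bot: `digest_len` is filled in by psa_mac_sign_finish but never read, and the following `memcpy` copies `sizeof(digest)` bytes regardless; adding `if (digest_len != sizeof(digest)) { status = PSA_ERROR_GENERIC_ERROR; goto err; }` (or sizing the buffer with `PSA_HASH_LENGTH(PSA_ALG_SHA_256)` and checking against that) would make the copy depend on what the backend actually produced rather than on the assumption that HMAC-SHA-256 always yields 32 bytes. The `psa_mac_abort(&mac_op)` at `err:` is harmless on the success path, because a successful psa_mac_sign_finish already leaves the operation inactive, but a one-line comment such as `/* no-op after a successful finish; needed on the error paths */` would save the next reader a trip to the PSA spec. gen_temporary_iid's start is outside this hunk.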
@@ -28,3 +28,4 @@ CONFIG_ZTEST=y
 CONFIG_NET_IF_MAX_IPV4_COUNT=4
 CONFIG_NET_IF_MAX_IPV6_COUNT=4
 CONFIG_TEST_USERSPACE=y
+CONFIG_MAIN_STACK_SIZE=2048
diff --git a/west.yml b/west.yml
index 2f1e36bb74f65..c24d97d599a58 100644
--- a/west.yml
+++ b/west.yml
@@ -316,7 +316,7 @@ manifest:
 revision: b03edc8e6282a963cd312cd0b409eb5ce263ea75
 path: modules/lib/gui/lvgl
 - name: mbedtls
- revision: 85440ef5fffa95d0e9971e9163719189cf34d979
+ revision: pull/76/head
 path: modules/crypto/mbedtls
 groups:
 - crypto
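Review bot: `revision: pull/76/head` swaps a pinned full SHA for a mutable ref, so the manifest no longer identifies a fixed mbedtls tree: the build is not reproducible, and whatever is pushed to that pull request later is what `west update` will check out, without further review. This reads as a temporary pointer for testing against the dependent module change rather than the intended final state; it needs to become the merge commit's full SHA before this lands, matching the form of the lvgl entry just above it.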