mbedtls: add nuttx crypto alternative implementation in mbedtls

(1)add dev_alt to manage /dev/crypto
(2)add sha_alt to alternate sha1 algorithm
(3)use new mbedtls_config.h to admin configs of mbedtls
Signed-off-by: makejian <makejian@xiaomi.com>

crypto/mbedtls/Kconfig

@@ -15,6 +15,142 @@ config MBEDTLS_VERSION
 	string "Mbed TLS Version"
 	default "3.4.0"
 
+config MBEDTLS_DEBUG_C
+	bool "This module provides debugging functions."
+	default n
+	help
+		This module provides debugging functions.
+
+config MBEDTLS_SSL_MAX_CONTENT_LEN
+	int "Maximum length (in bytes) of incoming and outgoing plaintext fragments."
+	default 16384
+	help
+		Maximum length (in bytes) of incoming and outgoing plaintext fragments.
+
+config MBEDTLS_SSL_SRV_C
+	bool "This module is required for SSL/TLS server support."
+	default y
+	help
+		This module is required for SSL/TLS server support.
+
+config MBEDTLS_PLATFORM_MEMORY
+	bool "Enable the memory allocation layer."
+	default n
+
+config MBEDTLS_ENTROPY_HARDWARE_ALT
+	bool "Uncomment this macro to let mbed TLS use your own implementation of a hardware entropy collector."
+	default n
+	depends on DEV_RANDOM
+	select MBEDTLS_NO_PLATFORM_ENTROPY
+
+config MBEDTLS_AES_ROM_TABLES
+	bool "Store the AES tables in ROM."
+	default n
+
+config MBEDTLS_REMOVE_ARC4_CIPHERSUITES
+	bool "Remove RC4 ciphersuites by default in SSL / TLS."
+	default n
+
+config MBEDTLS_NO_PLATFORM_ENTROPY
+	bool "Do not use built-in platform entropy functions."
+	default n
+
+config MBEDTLS_ECP_RESTARTABLE
+	bool "Enable the restartable ECC."
+	default n
+
+config MBEDTLS_SELF_TEST
+	bool "Enable the checkup functions (*_self_test)."
+	default y
+
+config MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
+	bool "Enable server-side support for clients that reconnect from the same port."
+	default n
+
+config MBEDTLS_BLOWFISH_C
+	bool "Enable the Blowfish block cipher."
+	default n
+
+config MBEDTLS_CAMELLIA_C
+	bool "Enable the Camellia block cipher."
+	default n
+
+config MBEDTLS_CERTS_C
+	bool "Enable the test certificates."
+	default n
+
+config MBEDTLS_PADLOCK_C
+	bool "Enable VIA Padlock support on x86."
+	default n
+
+config MBEDTLS_TIMING_C
+	bool "Enable the semi-portable timing interface."
+	default y
+
+config MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
+	bool "Enable the availability of the API mbedtls_ssl_get_peer_cert() giving access to the peer's certificate after completion of the handshake."
+	default n
+
+config MBEDTLS_SSL_PROTO_DTLS
+	bool "Enable support for DTLS (all available versions)."
+	default n
+
+if MBEDTLS_SSL_PROTO_DTLS
+
+config MBEDTLS_SSL_DTLS_ANTI_REPLAY
+	bool "Enable support for the anti-replay mechanism in DTLS."
+	default n
+
+config MBEDTLS_SSL_DTLS_HELLO_VERIFY
+	bool "Enable support for HelloVerifyRequest on DTLS servers."
+	default n
+
+config MBEDTLS_SSL_DTLS_BADMAC_LIMIT
+	bool "Enable support for a limit of records with bad MAC."
+	default n
+
+endif
+
+config MBEDTLS_SSL_ALPN
+	bool "Enable support for RFC 7301 Application Layer Protocol Negotiation."
+	default n
+
+config MBEDTLS_AESNI_C
+	bool "Enable AES-NI support on x86-64."
+	default n
+
+config MBEDTLS_ECP_WINDOW_SIZE
+	int "Maximum window size used"
+	default 6
+
+config MBEDTLS_ECP_FIXED_POINT_OPTIM
+	bool "Enable fixed-point speed-up"
+	default n
+
+config MBEDTLS_CMAC_C
+	bool "Enable the CMAC (Cipher-based Message Authentication Code) mode for block"
+	default n
+
+config MBEDTLS_NET_C
+	bool "Enable the TCP and UDP over IPv6/IPv4 networking routines"
+	default y if LIBC_NETDB
+	default n if !LIBC_NETDB
+
+if CRYPTO_CRYPTODEV
+
+config MBEDTLS_ALT
+	bool
+	default n
+	---help---
+		Enable Mbed TLS alted by nuttx crypto via /dev/crypto
+
+config MBEDTLS_SHA1_ALT
+	bool "Enable Mbedt TLS SHA1 module alted by nuttx crypto"
+	select MBEDTLS_ALT
+	default n
+
+endif
+
 menuconfig MBEDTLS_APPS
 	tristate "Mbed TLS Applications"
 	default n

crypto/mbedtls/Make.defs

@@ -23,10 +23,12 @@ CONFIGURED_APPS += $(APPDIR)/crypto/mbedtls
 
 # Allows `<mbedtls/<>.h>` import.
 
+CFLAGS += ${INCDIR_PREFIX}$(APPDIR)/crypto/mbedtls/include
 CFLAGS += ${INCDIR_PREFIX}$(APPDIR)/crypto/mbedtls/mbedtls/include
-CXXFLAGS += ${INCDIR_PREFIX}$(APPDIR)/crypto/mbedtls/mbedtls/include
+CFLAGS += ${DEFINE_PREFIX}MBEDTLS_CONFIG_FILE="<mbedtls/mbedtls_config.h>"
 
-CFLAGS += ${DEFINE_PREFIX}MBEDTLS_CONFIG_FILE="<crypto/mbedtls_config.h>"
-CXXFLAGS += ${DEFINE_PREFIX}MBEDTLS_CONFIG_FILE="<crypto/mbedtls_config.h>"
+CXXFLAGS += ${INCDIR_PREFIX}$(APPDIR)/crypto/mbedtls/include
+CXXFLAGS += ${INCDIR_PREFIX}$(APPDIR)/crypto/mbedtls/mbedtls/include
+CXXFLAGS += ${DEFINE_PREFIX}MBEDTLS_CONFIG_FILE="<mbedtls/mbedtls_config.h>"
 
 endif

crypto/mbedtls/Makefile

@@ -91,4 +91,16 @@ endif
 
 endif
 
+# Configuration alternative implementation
+
+ifeq ($(CONFIG_MBEDTLS_ALT),y)
+
+CSRCS += $(APPDIR)/crypto/mbedtls/source/dev_alt.c
+
+ifeq ($(CONFIG_MBEDTLS_SHA1_ALT),y)
+CSRCS += $(APPDIR)/crypto/mbedtls/source/sha1_alt.c
+endif
+
+endif
+
 include $(APPDIR)/Application.mk

crypto/mbedtls/include/dev_alt.h

@@ -0,0 +1,45 @@
+/****************************************************************************
+ * apps/crypto/mbedtls/include/dev_alt.h
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.  The
+ * ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the
+ * License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ ****************************************************************************/
+
+#ifndef __APPS_CRYPTO_MBEDTLS_INCLUDE_DEV_ALT_H
+#define __APPS_CRYPTO_MBEDTLS_INCLUDE_DEV_ALT_H
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include <crypto/cryptodev.h>
+
+typedef struct cryptodev_context_s
+{
+  int fd;
+  struct session_op session;
+  struct crypt_op crypt;
+}
+cryptodev_context_t;
+
+int cryptodev_init(FAR cryptodev_context_t *ctx);
+int cryptodev_clone(FAR cryptodev_context_t *dst,
+                    FAR const cryptodev_context_t *src);
+void cryptodev_free(FAR cryptodev_context_t *ctx);
+int cryptodev_get_session(FAR cryptodev_context_t *ctx);
+void cryptodev_free_session(FAR cryptodev_context_t *ctx);
+int cryptodev_crypt(FAR cryptodev_context_t *ctx);
+
+#endif /* __APPS_CRYPTO_MBEDTLS_INCLUDE_DEV_ALT_H */

crypto/mbedtls/include/sha1_alt.h

@@ -0,0 +1,31 @@
+/****************************************************************************
+ * apps/crypto/mbedtls/include/sha1_alt.h
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.  The
+ * ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the
+ * License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ ****************************************************************************/
+
+#ifndef __APPS_CRYPTO_MBEDTLS_INCLUDE_SHA1_ALT_H
+#define __APPS_CRYPTO_MBEDTLS_INCLUDE_SHA1_ALT_H
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include "dev_alt.h"
+
+#define mbedtls_sha1_context cryptodev_context_t
+
+#endif /* __APPS_CRYPTO_MBEDTLS_INCLUDE_SHA1_ALT_H */

crypto/mbedtls/source/dev_alt.c

@@ -0,0 +1,98 @@
+/****************************************************************************
+ * apps/crypto/mbedtls/source/dev_alt.c
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.  The
+ * ASF licenses this file to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance with the
+ * License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
+ * License for the specific language governing permissions and limitations
+ * under the License.
+ ****************************************************************************/
+
+/****************************************************************************
+ * Included Files
+ ****************************************************************************/
+
+#include <errno.h>
+#include <fcntl.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/ioctl.h>
+
+#include "dev_alt.h"
+
+/****************************************************************************
+ * Public Functions
+ ****************************************************************************/
+
+int cryptodev_init(FAR cryptodev_context_t *ctx)
+{
+  int ret;
+  int fd;
+
+  memset(ctx, 0, sizeof(cryptodev_context_t));
+  fd = open("/dev/crypto", O_RDWR, 0);
+  if (fd < 0)
+    {
+      return -errno;
+    }
+
+  ret = ioctl(fd, CRIOGET, &ctx->fd);
+  close(fd);
+  if (ret < 0)
+    {
+      ret = -errno;
+    }
+
+  return ret;
+}
+
+void cryptodev_free(FAR cryptodev_context_t *ctx)
+{
+  close(ctx->fd);
+  memset(ctx, 0, sizeof(cryptodev_context_t));
+}
+
+int cryptodev_get_session(FAR cryptodev_context_t *ctx)
+{
+  int ret;
+
+  ret = ioctl(ctx->fd, CIOCGSESSION, &ctx->session);
+  if (ret < 0)
+    {
+      return -errno;
+    }
+
+  ctx->crypt.ses = ctx->session.ses;
+  return ret;
+}
+
+void cryptodev_free_session(FAR cryptodev_context_t *ctx)
+{
+  ioctl(ctx->fd, CIOCFSESSION, &ctx->session.ses);
+  ctx->crypt.ses = 0;
+}
+
+int cryptodev_crypt(FAR cryptodev_context_t *ctx)
+{
+  int ret;
+
+  ret = ioctl(ctx->fd, CIOCCRYPT, &ctx->crypt);
+  return ret < 0 ? -errno : ret;
+}
+
+int cryptodev_clone(FAR cryptodev_context_t *dst,
+                    FAR const cryptodev_context_t *src)
+{
+  dst->session = src->session;
+  dst->crypt = src->crypt;
+  return cryptodev_get_session(dst);
+}

crypto/mbedtls/source/sha1_alt.c

@@ -1,5 +1,5 @@
 /****************************************************************************
- * apps/include/crypto/mbedtls_config.h
+ * apps/crypto/mbedtls/source/sha1_alt.c
  *
  * Licensed to the Apache Software Foundation (ASF) under one or more
  * contributor license agreements.  See the NOTICE file distributed with
@@ -15,68 +15,60 @@
  * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the
  * License for the specific language governing permissions and limitations
  * under the License.
- *
  ****************************************************************************/
 
-#ifndef __APPS_INCLUDE_CRYPTO_MBEDTLS_CONFIG_H
-#define __APPS_INCLUDE_CRYPTO_MBEDTLS_CONFIG_H
-
 /****************************************************************************
  * Included Files
  ****************************************************************************/
 
-#include <nuttx/config.h>
+#include "mbedtls/sha1.h"
 
 /****************************************************************************
- * Pre-processor Definitions
+ * Public Functions
  ****************************************************************************/
 
-/* System support */
-#define MBEDTLS_HAVE_TIME
+void mbedtls_sha1_clone(FAR mbedtls_sha1_context *dst,
+                        FAR const mbedtls_sha1_context *src)
+{
+  cryptodev_clone(dst, src);
+}
 
-/* Debug */
-#define MBEDTLS_SELF_TEST
-#define MBEDTLS_TIMING_C
+void mbedtls_sha1_init(FAR mbedtls_sha1_context *ctx)
+{
+  cryptodev_init(ctx);
+}
 
-/* Feature support */
-#define MBEDTLS_CIPHER_MODE_CBC
-#define MBEDTLS_PKCS1_V15
-#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-#define MBEDTLS_SSL_PROTO_TLS1_2
+void mbedtls_sha1_free(FAR mbedtls_sha1_context *ctx)
+{
+  cryptodev_free(ctx);
+}
 
-/* Modules */
-#define MBEDTLS_AES_C
-#define MBEDTLS_ASN1_PARSE_C
-#define MBEDTLS_ASN1_WRITE_C
-#define MBEDTLS_BIGNUM_C
-#define MBEDTLS_CIPHER_C
-#define MBEDTLS_CTR_DRBG_C
-#define MBEDTLS_DES_C
-#define MBEDTLS_ENTROPY_C
-#define MBEDTLS_MD_C
-#define MBEDTLS_MD5_C
+int mbedtls_sha1_starts(FAR mbedtls_sha1_context *ctx)
+{
+  ctx->session.mac = CRYPTO_SHA1;
+  return cryptodev_get_session(ctx);
+}
 
-#ifdef CONFIG_NET
-#define MBEDTLS_NET_C
-#endif
+int mbedtls_sha1_update(FAR mbedtls_sha1_context *ctx,
+                        FAR const unsigned char *input,
+                        size_t ilen)
+{
+  ctx->crypt.op = COP_ENCRYPT;
+  ctx->crypt.flags |= COP_FLAG_UPDATE;
+  ctx->crypt.src = (caddr_t)input;
+  ctx->crypt.len = ilen;
+  return cryptodev_crypt(ctx);
+}
 
-#define MBEDTLS_OID_C
-#define MBEDTLS_PK_C
-#define MBEDTLS_PK_PARSE_C
-#define MBEDTLS_RSA_C
-#define MBEDTLS_SHA1_C
-#define MBEDTLS_SHA224_C
-#define MBEDTLS_SHA256_C
-#define MBEDTLS_SSL_CLI_C
-#define MBEDTLS_SSL_SRV_C
-#define MBEDTLS_SSL_TLS_C
-#define MBEDTLS_X509_CRT_PARSE_C
-#define MBEDTLS_X509_USE_C
+int mbedtls_sha1_finish(FAR mbedtls_sha1_context *ctx,
+                        unsigned char output[20])
+{
+  int ret;
 
-#define MBEDTLS_BASE64_C
-#define MBEDTLS_CERTS_C
-#define MBEDTLS_PEM_PARSE_C
-
-#define MBEDTLS_FS_IO
-
-#endif /* __APPS_INCLUDE_CRYPTO_MBEDTLS_CONFIG_H */
+  ctx->crypt.op = COP_ENCRYPT;
+  ctx->crypt.flags = 0;
+  ctx->crypt.mac = (caddr_t)output;
+  ret = cryptodev_crypt(ctx);
+  cryptodev_free_session(ctx);
+  return ret;
+}