[crypto] enable PSA Crypto API by default

LuDuda · Sep 22, 2024 · 0e2ae57 · 0e2ae57
1 parent 993e06f
commit 0e2ae57
Show file tree

Hide file tree

Showing 11 changed files with 322 additions and 245 deletions.
diff --git a/examples/platforms/simulation/CMakeLists.txt b/examples/platforms/simulation/CMakeLists.txt
@@ -67,7 +67,6 @@ set(OT_PLATFORM_DEFINES ${OT_PLATFORM_DEFINES} PARENT_SCOPE)
 add_library(openthread-simulation
     alarm.c
     ble.c
-    crypto.c
     diag.c
     dns.c
     dnssd.c
@@ -99,6 +98,7 @@ target_link_libraries(openthread-simulation PRIVATE
     openthread-platform
     ot-simulation-config
     ot-config
+    mbedtls
 )
 
 target_compile_options(openthread-simulation PRIVATE

diff --git a/examples/platforms/simulation/crypto.c b/examples/platforms/simulation/crypto.c
diff --git a/examples/platforms/simulation/entropy.c b/examples/platforms/simulation/entropy.c
@@ -39,6 +39,10 @@
 
 #include <openthread/platform/entropy.h>
 
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+#include <psa/crypto.h>
+#endif
+
 #include "utils/code_utils.h"
 
 #ifndef __SANITIZE_ADDRESS__
@@ -134,3 +138,33 @@ otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength)
 
     return error;
 }
+
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/**
+ * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no
+ * API to configure a dedicated non-default entropy source. It is documented that a future version of
+ * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources.
+ *
+ * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already
+ * uses CSPRNG, we will call it here as well.
+ */
+psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context,
+                                             uint8_t                               *output,
+                                             size_t                                 output_size,
+                                             size_t                                *output_length)
+{
+    OT_UNUSED_VARIABLE(context);
+
+    otError      error;
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+    error = otPlatEntropyGet(output, (uint16_t)output_size);
+    if (error == OT_ERROR_NONE)
+    {
+        *output_length = output_size;
+        status         = PSA_SUCCESS;
+    }
+
+    return status;
+}
+#endif
diff --git a/examples/platforms/simulation/openthread-core-simulation-config.h b/examples/platforms/simulation/openthread-core-simulation-config.h
@@ -39,6 +39,18 @@
 #define OPENTHREAD_RADIO 0
 #endif
 
+#if !OPENTHREAD_RADIO
+
+#ifndef OPENTHREAD_CONFIG_CRYPTO_LIB
+#define OPENTHREAD_CONFIG_CRYPTO_LIB OPENTHREAD_CONFIG_CRYPTO_LIB_PSA
+#endif
+
+#ifndef OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE
+#define OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE 1
+#endif
+
+#endif
+
 #ifndef OPENTHREAD_CONFIG_PLATFORM_INFO
 #define OPENTHREAD_CONFIG_PLATFORM_INFO "SIMULATION"
 #endif

diff --git a/src/posix/platform/CMakeLists.txt b/src/posix/platform/CMakeLists.txt
@@ -170,6 +170,7 @@ target_link_libraries(openthread-posix
         ot-config-ftd
         ot-config
         ot-posix-config
+        mbedtls
         $<$<NOT:$<BOOL:${OT_ANDROID_NDK}>>:util>
         $<$<STREQUAL:${CMAKE_SYSTEM_NAME},Linux>:rt>
 )

diff --git a/src/posix/platform/entropy.cpp b/src/posix/platform/entropy.cpp
@@ -41,6 +41,10 @@
 #include <openthread/error.h>
 #include <openthread/platform/entropy.h>
 
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA)
+#include <psa/crypto.h>
+#endif
+
 #include "common/code_utils.hpp"
 
 #ifndef __SANITIZE_ADDRESS__
@@ -136,3 +140,33 @@ otError otPlatEntropyGet(uint8_t *aOutput, uint16_t aOutputLength)
 
     return error;
 }
+
+#if (OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_PSA) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
+/**
+ * When OpenThread is compiled with the PSA Crypto backend using Mbed TLS 3.x, there is no
+ * API to configure a dedicated non-default entropy source. It is documented that a future version of
+ * Mbed TLS (likely 4.x) will include a PSA interface for configuring entropy sources.
+ *
+ * For now, we need to define the external RNG. Since the implementation of `otPlatEntropyGet` already
+ * uses CSPRNG, we will call it here as well.
+ */
+extern "C" psa_status_t mbedtls_psa_external_get_random(mbedtls_psa_external_random_context_t *context,
+                                                        uint8_t                               *output,
+                                                        size_t                                 output_size,
+                                                        size_t                                *output_length)
+{
+    OT_UNUSED_VARIABLE(context);
+
+    otError      error;
+    psa_status_t status = PSA_ERROR_GENERIC_ERROR;
+
+    error = otPlatEntropyGet(output, (uint16_t)output_size);
+    if (error == OT_ERROR_NONE)
+    {
+        *output_length = output_size;
+        status         = PSA_SUCCESS;
+    }
+
+    return status;
+}
+#endif
diff --git a/tests/unit/CMakeLists.txt b/tests/unit/CMakeLists.txt
@@ -101,6 +101,7 @@ endif()
 target_link_libraries(ot-test-platform-ftd
     PRIVATE
         ot-config
+        mbedtls
         ${OT_MBEDTLS}
 )
-Original file line number
+Diff line change
@@ Expand Up / @@ -101,6 +101,7 @@ endif() @@
     target_link_libraries(ot-test-platform-ftd
         PRIVATE
             ot-config
+            mbedtls
             ${OT_MBEDTLS}
     )
@@ Expand Down @@