X.509: use PSA for hashing under USE_PSA_CRYPTO
When MBEDTLS_USE_PSA_CRYPTO is enabled, use psa_hash_xxx rather than
mbedtls_md_xxx.
Signed-off-by: pespacek <peter.spacek@silabs.com>
diff --git a/ChangeLog.d/MD-X.509-hashing.txt b/ChangeLog.d/MD-X.509-hashing.txt
new file mode 100644
index 0000000..2ca989c
--- /dev/null
+++ b/ChangeLog.d/MD-X.509-hashing.txt
@@ -0,0 +1,2 @@
+Features
+ * The X.509 module now uses PSA hash acceleration if present.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index c865444..b7eb617 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -47,7 +47,8 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
-#endif
+#include "psa/crypto_values.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
@@ -2336,8 +2337,14 @@
const mbedtls_x509_crt_profile *profile )
{
int flags = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char hash[PSA_HASH_MAX_SIZE];
+ psa_algorithm_t psa_algorithm;
+#else
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
const mbedtls_md_info_t *md_info;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+ size_t hash_length;
if( ca == NULL )
return( flags );
@@ -2370,8 +2377,21 @@
if( x509_profile_check_pk_alg( profile, crl_list->sig_pk ) != 0 )
flags |= MBEDTLS_X509_BADCRL_BAD_PK;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm = mbedtls_psa_translate_md( crl_list->sig_md );
+ if(psa_hash_compute( psa_algorithm,
+ crl_list->tbs.p,
+ crl_list->tbs.len,
+ hash,PSA_HASH_MAX_SIZE,
+ &hash_length ) != PSA_SUCCESS )
+#else
md_info = mbedtls_md_info_from_type( crl_list->sig_md );
- if( mbedtls_md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ) != 0 )
+ hash_length = mbedtls_md_get_size( md_info );
+ if( mbedtls_md( md_info,
+ crl_list->tbs.p,
+ crl_list->tbs.len,
+ hash ) != 0 )
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
/* Note: this can't happen except after an internal error */
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2382,7 +2402,7 @@
flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
- crl_list->sig_md, hash, mbedtls_md_get_size( md_info ),
+ crl_list->sig_md, hash, hash_length,
crl_list->sig.p, crl_list->sig.len ) != 0 )
{
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@@ -2421,9 +2441,9 @@
mbedtls_x509_crt *parent,
mbedtls_x509_crt_restart_ctx *rs_ctx )
{
- unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t hash_len;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
+ unsigned char hash[MBEDTLS_MD_MAX_SIZE];
const mbedtls_md_info_t *md_info;
md_info = mbedtls_md_info_from_type( child->sig_md );
hash_len = mbedtls_md_get_size( md_info );
@@ -2432,23 +2452,21 @@
if( mbedtls_md( md_info, child->tbs.p, child->tbs.len, hash ) != 0 )
return( -1 );
#else
- psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
+ unsigned char hash[PSA_HASH_MAX_SIZE];
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( child->sig_md );
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
- if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
- return( -1 );
-
- if( psa_hash_update( &hash_operation, child->tbs.p, child->tbs.len )
- != PSA_SUCCESS )
+ status = psa_hash_compute( hash_alg,
+ child->tbs.p,
+ child->tbs.len,
+ hash,
+ PSA_HASH_MAX_SIZE,
+ &hash_len );
+ if( status != PSA_SUCCESS )
{
- return( -1 );
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
}
- if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
- != PSA_SUCCESS )
- {
- return( -1 );
- }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Skip expensive computation on obvious mismatch */
if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
diff --git a/library/x509write_crt.c b/library/x509write_crt.c
index 17b3e79..44a9729 100644
--- a/library/x509write_crt.c
+++ b/library/x509write_crt.c
@@ -40,6 +40,11 @@
#include "mbedtls/pem.h"
#endif /* MBEDTLS_PEM_WRITE_C */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#include "psa/crypto.h"
+#include "mbedtls/psa_util.h"
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
{
memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
@@ -169,6 +174,11 @@
#if defined(MBEDTLS_SHA1_C)
int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t hash_length;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
unsigned char *c = buf + sizeof(buf);
@@ -178,10 +188,24 @@
MBEDTLS_ASN1_CHK_ADD( len,
mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_compute( PSA_ALG_SHA_1,
+ buf + sizeof( buf ) - len,
+ len,
+ buf + sizeof( buf ) - 20 ,
+ PSA_HASH_LENGTH(PSA_ALG_SHA_1),
+ &hash_length );
+ if( status != PSA_SUCCESS )
+ {
+ return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
+ }
+#else
ret = mbedtls_sha1( buf + sizeof( buf ) - len, len,
- buf + sizeof( buf ) - 20 );
+ buf + sizeof( buf ) - 20 );
if( ret != 0 )
return( ret );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
c = buf + sizeof( buf ) - 20;
len = 20;
@@ -197,6 +221,11 @@
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
{
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t hash_length;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
unsigned char *c = buf + sizeof( buf );
@@ -205,11 +234,24 @@
memset( buf, 0, sizeof(buf) );
MBEDTLS_ASN1_CHK_ADD( len,
mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
-
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_compute( PSA_ALG_SHA_1,
+ buf + sizeof( buf ) - len,
+ len,
+ buf + sizeof( buf ) - 20 ,
+ PSA_HASH_LENGTH(PSA_ALG_SHA_1),
+ &hash_length );
+ if( status != PSA_SUCCESS )
+ {
+ return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
+ }
+#else
ret = mbedtls_sha1( buf + sizeof( buf ) - len, len,
- buf + sizeof( buf ) - 20 );
+ buf + sizeof( buf ) - 20 );
if( ret != 0 )
return( ret );
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
c = buf + sizeof( buf ) - 20;
len = 20;
@@ -330,8 +372,16 @@
const char *sig_oid;
size_t sig_oid_len = 0;
unsigned char *c, *c2;
- unsigned char hash[64];
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
+ size_t hash_length = 0;
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_algorithm_t psa_algorithm;
+ unsigned char hash[PSA_HASH_MAX_SIZE];
+#else
+ unsigned char hash[64];
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
size_t len = 0;
mbedtls_pk_type_t pk_alg;
@@ -466,14 +516,30 @@
*/
/* Compute hash of CRT. */
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_algorithm = mbedtls_psa_translate_md( ctx->md_alg );
+
+ status = psa_hash_compute( psa_algorithm,
+ c,
+ len,
+ hash,
+ PSA_HASH_MAX_SIZE,
+ &hash_length );
+ if( status != PSA_SUCCESS )
+ {
+ return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
+ }
+#else
if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
len, hash ) ) != 0 )
{
return( ret );
}
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
+
if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg,
- hash, 0, sig, sizeof( sig ), &sig_len,
+ hash, hash_length, sig, sizeof( sig ), &sig_len,
f_rng, p_rng ) ) != 0 )
{
return( ret );
diff --git a/library/x509write_csr.c b/library/x509write_csr.c
index 555f296..a9fc8ba 100644
--- a/library/x509write_csr.c
+++ b/library/x509write_csr.c
@@ -35,7 +35,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
-#endif
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
#include <string.h>
#include <stdlib.h>
@@ -149,7 +149,6 @@
size_t len = 0;
mbedtls_pk_type_t pk_alg;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
size_t hash_len;
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -219,16 +218,14 @@
* Note: hash errors can happen only after an internal error
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
- return( MBEDTLS_ERR_X509_FATAL_ERROR );
-
- if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
- return( MBEDTLS_ERR_X509_FATAL_ERROR );
-
- if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
- != PSA_SUCCESS )
+ if( psa_hash_compute( hash_alg,
+ c,
+ len,
+ hash,
+ PSA_HASH_MAX_SIZE,
+ &hash_len ) != PSA_SUCCESS )
{
- return( MBEDTLS_ERR_X509_FATAL_ERROR );
+ return ( MBEDTLS_ERR_X509_FATAL_ERROR );
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );