Merge branch 'feature/mbedtls_using_util_algorithm_v3.3' into 'release/v3.3'

mbedtls: mbedtls using SHA/AES of util component instead of its raw algorithm (backport v3.3)

See merge request sdk/ESP8266_RTOS_SDK!1240

Author: donghengqaz

components/libsodium/Kconfig

@@ -3,7 +3,6 @@ menu "libsodium"
 config LIBSODIUM_USE_MBEDTLS_SHA
     bool "Use mbedTLS SHA256 & SHA512 implementations"
     default y
-    depends on !MBEDTLS_HARDWARE_SHA
     help
         If this option is enabled, libsodium will use thin wrappers
         around mbedTLS for SHA256 & SHA512 operations.

components/libsodium/port/crypto_hash_mbedtls/crypto_hash_sha256_mbedtls.c

@@ -16,15 +16,6 @@
 #include "mbedtls/sha256.h"
 #include <string.h>
 
-#ifdef MBEDTLS_SHA256_ALT
-/* Wrapper only works if the libsodium context structure can be mapped
-   directly to the mbedTLS context structure.
-
-   See extended comments in crypto_hash_sha512_mbedtls.c
-*/
-#error "This wrapper only support standard software mbedTLS SHA"
-#endif
-
 /* Sanity check that all the context fields have identical sizes
    (this should be more or less given from the SHA256 algorithm)
 
@@ -55,7 +46,6 @@ static void sha256_libsodium_to_mbedtls(mbedtls_sha256_context *mb_ctx, crypto_h
     memcpy(mb_ctx->total, &ls_state->count, sizeof(mb_ctx->total));
     memcpy(mb_ctx->state, ls_state->state, sizeof(mb_ctx->state));
     memcpy(mb_ctx->buffer, ls_state->buf, sizeof(mb_ctx->buffer));
-    mb_ctx->is224 = 0;
 }
 
 int

components/libsodium/port/crypto_hash_mbedtls/crypto_hash_sha512_mbedtls.c

@@ -16,18 +16,6 @@
 #include "mbedtls/sha512.h"
 #include <string.h>
 
-#ifdef MBEDTLS_SHA512_ALT
-/* Wrapper only works if the libsodium context structure can be mapped
-   directly to the mbedTLS context structure.
-
-   For ESP8266 hardware SHA, the problems are fitting all the data in
-   the libsodium state structure, and also that libsodium doesn't
-   have mbedtls_sha512_free() or mbedtls_sha512_clone() so we can't
-   manage the hardware state in a clean way.
-*/
-#error "This wrapper only support standard software mbedTLS SHA"
-#endif
-
 /* Sanity check that all the context fields have identical sizes
    (this should be more or less given from the SHA512 algorithm)
 
@@ -59,7 +47,6 @@ static void sha512_libsodium_to_mbedtls(mbedtls_sha512_context *mb_ctx, crypto_h
     memcpy(mb_ctx->total, ls_state->count, sizeof(mb_ctx->total));
     memcpy(mb_ctx->state, ls_state->state, sizeof(mb_ctx->state));
     memcpy(mb_ctx->buffer, ls_state->buf, sizeof(mb_ctx->buffer));
-    mb_ctx->is384 = 0;
 }
 
 int

components/mbedtls/Kconfig

@@ -116,51 +116,6 @@ menu "mbedTLS"
         default 3 if MBEDTLS_DEBUG_LEVEL_DEBUG
         default 4 if MBEDTLS_DEBUG_LEVEL_VERBOSE
 
-    config MBEDTLS_HARDWARE_AES
-        bool "Enable hardware AES acceleration"
-        default y
-        help
-            Enable hardware accelerated AES encryption & decryption.
-
-            Note that if the ESP32 CPU is running at 240MHz, hardware AES does not
-            offer any speed boost over software AES.
-
-    config MBEDTLS_HARDWARE_MPI
-        bool "Enable hardware MPI (bignum) acceleration"
-        default n
-        help
-            Enable hardware accelerated multiple precision integer operations.
-
-            Hardware accelerated multiplication, modulo multiplication,
-            and modular exponentiation for up to 4096 bit results.
-
-            These operations are used by RSA.
-
-    config MBEDTLS_MPI_USE_INTERRUPT
-        bool "Use interrupt for MPI operations"
-        depends on MBEDTLS_HARDWARE_MPI
-        default n
-        help
-            Use an interrupt to coordinate MPI operations.
-
-            This allows other code to run on the CPU while an MPI operation is pending.
-            Otherwise the CPU busy-waits.
-
-    config MBEDTLS_HARDWARE_SHA
-        bool "Enable hardware SHA acceleration"
-        default y
-        help
-            Enable hardware accelerated SHA1, SHA256, SHA384 & SHA512 in mbedTLS.
-
-            Due to a hardware limitation, hardware acceleration is only
-            guaranteed if SHA digests are calculated one at a time. If more
-            than one SHA digest is calculated at the same time, one will
-            be calculated fully in hardware and the rest will be calculated
-            (at least partially calculated) in software. This happens automatically.
-
-            SHA hardware acceleration is faster than software in some situations but
-            slower in others. You should benchmark to find the best setting for you.
-
     config MBEDTLS_HAVE_TIME
         bool "Enable mbedtls time"
         depends on !ESP32_TIME_SYSCALL_USE_NONE

components/mbedtls/port/include/mbedtls/esp_config.h

@@ -108,40 +108,21 @@
  * within the modules that are enabled.
  * \{
  */
-
-/* The following units have ESP32 hardware support,
-   uncommenting each _ALT macro will use the
-   hardware-accelerated implementation. */
-#ifdef CONFIG_MBEDTLS_HARDWARE_AES
 #define MBEDTLS_AES_ALT
-#else
-#undef MBEDTLS_AES_ALT
-#endif
 
 /* MBEDTLS_SHAxx_ALT to enable hardware SHA support
    with software fallback.
 */
-#ifdef CONFIG_MBEDTLS_HARDWARE_SHA
 #define MBEDTLS_SHA1_ALT
 #define MBEDTLS_SHA256_ALT
 #define MBEDTLS_SHA512_ALT
-#else
-#undef MBEDTLS_SHA1_ALT
-#undef MBEDTLS_SHA256_ALT
-#undef MBEDTLS_SHA512_ALT
-#endif
 
 /* The following MPI (bignum) functions have ESP32 hardware support,
    Uncommenting these macros will use the hardware-accelerated
    implementations.
 */
-#ifdef CONFIG_MBEDTLS_HARDWARE_MPI
-#define MBEDTLS_MPI_EXP_MOD_ALT
-#define MBEDTLS_MPI_MUL_MPI_ALT
-#else
 #undef MBEDTLS_MPI_EXP_MOD_ALT
 #undef MBEDTLS_MPI_MUL_MPI_ALT
-#endif
 
 /**
  * \def MBEDTLS_ENTROPY_HARDWARE_ALT

components/util/include/esp_sha.h

@@ -28,10 +28,9 @@ typedef struct {
 } esp_sha1_t;
 
 typedef struct {
-    uint64_t        length;
-    uint32_t        curlen;
+    uint32_t        total[2];
     uint32_t        state[8];
-    uint8_t         buf[64];
+    uint8_t         buffer[64];
 } esp_sha256_t;
 
 typedef struct {

components/util/src/sha256.c

@@ -79,7 +79,7 @@ static const uint32_t K[64] = {
     0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL
 };
 
-static void esp_sha256_transform(esp_sha256_t *ctx, uint8_t *buf)
+static void esp_sha256_transform(esp_sha256_t *ctx, const uint8_t *buf)
 {
     uint32_t S[8], W[64], t0, t1;
     uint32_t t;
@@ -108,8 +108,8 @@ int esp_sha256_init(esp_sha256_t *ctx)
 {
     util_assert(ctx);
 
-    ctx->curlen = 0;
-    ctx->length = 0;
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
 
     ctx->state[0] = 0x6A09E667UL;
     ctx->state[1] = 0xBB67AE85UL;
@@ -127,8 +127,8 @@ int esp_sha224_init(esp_sha224_t *ctx)
 {
     util_assert(ctx);
 
-    ctx->curlen = 0;
-    ctx->length = 0;
+    ctx->total[0] = 0;
+    ctx->total[1] = 0;
 
     ctx->state[0] = 0xC1059ED8;
     ctx->state[1] = 0x367CD507;
@@ -144,39 +144,43 @@ int esp_sha224_init(esp_sha224_t *ctx)
 
 int esp_sha256_update(esp_sha256_t *ctx, const void *src, size_t size)
 {
-    const uint8_t *in = (const uint8_t *)src;
-    uint32_t n;
+    size_t fill;
+    uint32_t left;
+    const uint8_t *input = (const uint8_t *)src;
 
     util_assert(ctx);
     util_assert(src);
     util_assert(size);
 
-    if (ctx->curlen >= sizeof(ctx->buf))
-        return -1;
-
-    while (size > 0) {
-        if (ctx->curlen == 0 && size >= 64) {
-            esp_sha256_transform(ctx, (uint8_t *) in);
-    
-            ctx->length += 64 * 8;
-            in += 64;
-            size -= 64;
-        } else {
-            n = MIN(size, (64 - ctx->curlen));
-            memcpy(ctx->buf + ctx->curlen, in, n);
-            ctx->curlen += n;
-            in += n;
-            size -= n;
-
-            if (ctx->curlen == 64) {
-                esp_sha256_transform(ctx, ctx->buf);
-
-                ctx->length += 8 * 64;
-                ctx->curlen = 0;
-            }
-        }
+    left = ctx->total[0] & 0x3F;
+    fill = 64 - left;
+
+    ctx->total[0] += size;
+    ctx->total[0] &= 0xFFFFFFFF;
+
+    if (ctx->total[0] < size)
+        ctx->total[1]++;
+
+    if (left && size >= fill) {
+        memcpy(ctx->buffer + left, input, fill);
+
+        esp_sha256_transform(ctx, ctx->buffer);
+
+        input += fill;
+        size  -= fill;
+        left = 0;
+    }
+
+    while (size >= 64) {
+        esp_sha256_transform(ctx, input);
+
+        input += 64;
+        size  -= 64;
     }
 
+    if (size > 0)
+        memcpy(ctx->buffer + left, input, size);
+
     return 0;
 }
 
@@ -191,37 +195,42 @@ int esp_sha224_update(esp_sha224_t *ctx, const void *src, size_t size)
 
 int esp_sha224_finish(esp_sha224_t *ctx, void *dest)
 {
-    int i;
+    uint32_t used;
+    uint32_t high, low;
     uint8_t *out = (uint8_t *)dest;
 
     util_assert(ctx);
     util_assert(dest);
 
-    if (ctx->curlen >= sizeof(ctx->buf))
-        return -1;
-
-    ctx->length += ctx->curlen * 8;
+    used = ctx->total[0] & 0x3F;
 
-    ctx->buf[ctx->curlen++] = 0x80;
+    ctx->buffer[used++] = 0x80;
 
-    if (ctx->curlen > 56) {
-        while (ctx->curlen < 64)
-            ctx->buf[ctx->curlen++] = 0;
-
-        esp_sha256_transform(ctx, ctx->buf);
-        ctx->curlen = 0;
+    if (used <= 56) {
+        memset(ctx->buffer + used, 0, 56 - used);
+    } else {
+        memset(ctx->buffer + used, 0, 64 - used);
+        esp_sha256_transform(ctx, ctx->buffer);
+        memset(ctx->buffer, 0, 56);
     }
 
-    while (ctx->curlen < 56)
-        ctx->buf[ctx->curlen++] = 0;
+    high = (ctx->total[0] >> 29) | (ctx->total[1] <<  3);
+    low  = (ctx->total[0] <<  3);
 
-    ESP_PUT_BE64(ctx->buf + 56, ctx->length);
-    esp_sha256_transform(ctx, ctx->buf);
+    ESP_PUT_BE32(ctx->buffer +  56, high);
+    ESP_PUT_BE32(ctx->buffer +  60, low);
 
-    for (i = 0; i < 7; i++)
-        ESP_PUT_BE32(out + (4 * i), ctx->state[i]);
+    esp_sha256_transform(ctx, ctx->buffer);
 
-    return 0;
+    ESP_PUT_BE32(out +  0, ctx->state[0]);
+    ESP_PUT_BE32(out +  4, ctx->state[1]);
+    ESP_PUT_BE32(out +  8, ctx->state[2]);
+    ESP_PUT_BE32(out + 12, ctx->state[3]);
+    ESP_PUT_BE32(out + 16, ctx->state[4]);
+    ESP_PUT_BE32(out + 20, ctx->state[5]);
+    ESP_PUT_BE32(out + 24, ctx->state[6]);
+
+    return( 0 );
 }
 
 int esp_sha256_finish(esp_sha256_t *ctx, void *dest)