feat(lwip): migrate to to PSA API interface

Ashish Sharma
2025-03-18 11:37:41 +08:00
parent 77d2a9e627
commit b4fea9cccc
26 changed files with 599 additions and 352 deletions


@@ -14,6 +14,9 @@
#include "psa/crypto.h"
#include <string.h>
#include <sys/param.h>
#include "mbedtls/pk.h"
#include "psa/crypto.h"
#ifdef CONFIG_SECURE_SIGNED_APPS_ECDSA_SCHEME
ESP_LOG_ATTR_TAG(TAG, "secure_boot_v1");
@@ -107,10 +110,11 @@ esp_err_t esp_secure_boot_verify_ecdsa_signature_block(const esp_secure_boot_sig
// Verify the signature
status = psa_verify_hash(key_handle, PSA_ALG_ECDSA(PSA_ALG_SHA_256), image_digest, ESP_SECURE_BOOT_DIGEST_LEN, sig_block->signature, SIGNATURE_VERIFICATION_KEYLEN);
ESP_LOGD(TAG, "Verification result %d", status);
ESP_LOGI(TAG, "Verification result %d", status);
// Destroy the key handle
psa_destroy_key(key_handle);
psa_reset_key_attributes(&key_attributes);
return status == PSA_SUCCESS ? ESP_OK : ESP_ERR_IMAGE_INVALID;
#endif // CONFIG_MBEDTLS_ECDSA_C && CONFIG_MBEDTLS_ECP_DP_SECP256R1_ENABLED
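Review bot: The verification result is logged by both an `ESP_LOGD` and an `ESP_LOGI` line in this listing; the +/- markers are lost, but if the `ESP_LOGI` line is the new side, every image verification now prints the raw PSA status at info level. Keeping the debug log and reporting only failures is quieter and more useful for triage: `if (status != PSA_SUCCESS) { ESP_LOGE(TAG, "Signature verification failed: %d", status); }`. The first hunk also includes `psa/crypto.h` a second time, although it is already included at the top of that hunk, so the added line can be dropped. The function body starts outside the hunk.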


@@ -5,6 +5,7 @@
*/
#include "esp_log.h"
#include "esp_secure_boot.h"
#include "mbedtls/pk.h"
#include "psa/crypto.h"
#include "mbedtls/pk.h"
#include "mbedtls/rsa.h"
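Review bot: `mbedtls/pk.h` is included twice in the new include list, on either side of `psa/crypto.h`; the hunk header counts seven new-side lines and seven are shown, so the duplicate appears to be what this hunk adds. One of the two lines can be removed.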


@@ -10,6 +10,8 @@
#include "sdkconfig.h"
__attribute__((unused)) static const char *TAG = "esp_crypto";
#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
/* Need this for mbedtls_sha1_* APIs */
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "mbedtls/sha1.h"
#include "mbedtls/base64.h"
#include "mbedtls/error.h"
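Review bot: `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` is defined ahead of all three mbedtls includes, so it opens the private declarations of `base64.h` and `error.h` as well as `sha1.h`, and it stays defined for the rest of the file. If the SHA-1 use here is a plain one-shot digest (the function bodies are outside the hunk), `psa_hash_compute(PSA_ALG_SHA_1, ...)` would avoid the private API altogether and match the rest of the migration. If the legacy call has to stay, make the comment name the caller that needs it, e.g. `/* mbedtls_sha1() is a private identifier; used only by <caller> until it moves to psa_hash_compute() */`.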


@@ -124,7 +124,7 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
tls->server_fd.fd = tls->sockfd;
mbedtls_ssl_init(&tls->ssl);
mbedtls_ssl_config_init(&tls->conf);
mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
// mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
#if CONFIG_MBEDTLS_DYNAMIC_BUFFER
tls->esp_tls_dyn_buf_strategy = ((esp_tls_cfg_t *)cfg)->esp_tls_dyn_buf_strategy;
@@ -594,8 +594,7 @@ static esp_err_t set_pki_context(esp_tls_t *tls, const esp_tls_pki_t *pki)
#endif
if (pki->privkey_pem_buf != NULL) {
ret = mbedtls_pk_parse_key(pki->pk_key, pki->privkey_pem_buf, pki->privkey_pem_bytes,
pki->privkey_password, pki->privkey_password_len,
mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
pki->privkey_password, pki->privkey_password_len);
} else {
return ESP_ERR_INVALID_ARG;
}
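Review bot: The `mbedtls_ssl_conf_rng()` call is left in the file as a comment instead of being removed, with no note on where the TLS context now gets its randomness. If the targeted Mbed TLS takes the RNG from PSA, the handshake depends on `psa_crypto_init()` having succeeded before `esp_create_mbedtls_handle()` runs; that is not visible in this hunk and should be checked or stated. I would delete the dead line and put `/* RNG is provided by PSA Crypto; psa_crypto_init() must have run before this point */` in its place. The same reasoning applies to the `mbedtls_pk_parse_key()` call in `set_pki_context()`, which drops its RNG arguments. Both function bodies extend beyond the hunks.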


@@ -17,7 +17,6 @@
#endif
#include "esp_newlib.h"
#include "psa/crypto.h"
#if SOC_SHA_SUPPORT_SHA512
#define SHA_TYPE SHA2_512
#else


@@ -15,6 +15,7 @@
#include "hal/efuse_hal.h"
#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
#include "psa/crypto.h"
#include "esp_random.h"
#endif /* CONFIG_MBEDTLS_PSA_CRYPTO_C */
#if SOC_HUK_MEM_NEEDS_RECHARGE
@@ -139,6 +140,22 @@ ESP_SYSTEM_INIT_FN(esp_security_init, SECONDARY, BIT(0), 103)
return err;
}
#if defined(CONFIG_MBEDTLS_PSA_CRYPTO_C)
int mbedtls_platform_get_entropy(unsigned char *output, size_t output_size,
size_t *output_len, size_t *entropy_content)
{
if (output == NULL || output_size == 0 || output_len == NULL || entropy_content == NULL) {
ESP_EARLY_LOGE(TAG, "Invalid parameters for mbedtls_platform_get_entropy");
return -1; // Invalid parameters
}
esp_fill_random(output, output_size);
*output_len = output_size;
*entropy_content = 8 * output_size;
return 0;
}
#endif // CONFIG_MBEDTLS_PSA_CRYPTO_C
void esp_security_init_include_impl(void)
{
// Linker hook, exists for no other purpose
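Review bot: `mbedtls_platform_get_entropy()` reports full entropy (`*entropy_content = 8 * output_size`) for whatever `esp_fill_random()` returns, without checking that a hardware entropy source is active. On ESP chips the hardware RNG is documented to give true random output only while the RF subsystem is running or the bootloader entropy source is enabled; outside those conditions the output is pseudo-random, and PSA would seed its DRBG from it while being told it is full-strength. Either document the precondition on the function, e.g. `/* Caller contract: RF or bootloader_random_enable() must be active, otherwise the output is not full-entropy */`, or return an error when the condition cannot be established. The error path also returns a bare `-1`; a named mbedtls/PSA error code would be easier for callers to interpret.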


@@ -492,7 +492,6 @@ TEST_GROUP_RUNNER(lwip)
RUN_TEST_CASE(lwip, dhcp_server_dns_options)
RUN_TEST_CASE(lwip, sntp_client_time_2015)
RUN_TEST_CASE(lwip, sntp_client_time_2048)
RUN_TEST_CASE(lwip, dhcp_arp_probe_self_mac_is_ok)
}
void app_main(void)


@@ -147,10 +147,10 @@ set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls})
if(CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1)
get_target_property(src_tls mbedtls SOURCES)
list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c)
list(REMOVE_ITEM src_tls ssl_ciphersuites.c ssl_cli.c ssl_tls.c)
set_property(TARGET mbedtls PROPERTY SOURCES ${src_tls})
get_target_property(src_crypto mbedcrypto SOURCES)
get_target_property(src_crypto tfpsacrypto SOURCES)
list(REMOVE_ITEM src_crypto cipher_wrap.c ecdsa.c ecp.c ecp_curves.c oid.c pk_wrap.c)
set_property(TARGET mbedcrypto PROPERTY SOURCES ${src_crypto})
@@ -160,7 +160,7 @@ set_property(TARGET mbedx509 PROPERTY SOURCES ${src_x509})
endif()
# Core libraries from the mbedTLS project
set(mbedtls_targets mbedtls mbedcrypto mbedx509)
set(mbedtls_targets mbedtls mbedx509 tfpsacrypto)
# 3rd party libraries from the mbedTLS project
list(APPEND mbedtls_targets everest p256m)
@@ -201,9 +201,9 @@ endif()
# Add port files to mbedtls targets
target_sources(mbedtls PRIVATE ${mbedtls_target_sources})
if(NOT ${IDF_TARGET} STREQUAL "linux")
target_link_libraries(mbedcrypto PRIVATE idf::esp_security)
endif()
# if(NOT ${IDF_TARGET} STREQUAL "linux")
# target_link_libraries(mbedcrypto PRIVATE idf::esp_security)
# endif()
# Choose peripheral type
@@ -215,57 +215,68 @@ if(CONFIG_SOC_SHA_SUPPORTED)
endif()
endif()
if(SHA_PERIPHERAL_TYPE STREQUAL "core")
target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include")
if(CONFIG_SOC_SHA_GDMA)
set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_gdma_impl.c")
elseif(CONFIG_SOC_SHA_CRYPTO_DMA)
set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_crypto_dma_impl.c")
endif()
target_sources(mbedcrypto PRIVATE "${SHA_CORE_SRCS}")
endif()
if(CONFIG_SOC_AES_SUPPORT_DMA)
if(NOT CONFIG_SOC_AES_GDMA)
set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_crypto_dma_impl.c")
else()
set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_gdma_impl.c")
endif()
list(APPEND AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include")
target_sources(mbedcrypto PRIVATE "${AES_DMA_SRCS}")
endif()
if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR CONFIG_SOC_AES_SUPPORT_DMA)
target_link_libraries(mbedcrypto PRIVATE idf::esp_mm)
if(CONFIG_SOC_SHA_GDMA OR CONFIG_SOC_AES_GDMA)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c")
endif()
endif()
if(NOT ${IDF_TARGET} STREQUAL "linux")
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c")
endif()
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c"
"${COMPONENT_DIR}/port/esp_timing.c"
)
if(CONFIG_SOC_AES_SUPPORTED)
target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/include")
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c"
"${COMPONENT_DIR}/port/aes/esp_aes_common.c"
"${COMPONENT_DIR}/port/aes/esp_aes.c"
)
if(CONFIG_SOC_AES_SUPPORT_DMA)
set(AES_PERIPHERAL_TYPE "dma")
else()
set(AES_PERIPHERAL_TYPE "block")
endif()
endif()
if(CONFIG_SOC_SHA_SUPPORTED)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/esp_sha.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c"
)
endif()
# if(SHA_PERIPHERAL_TYPE STREQUAL "core")
# target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/core/include")
# if(CONFIG_SOC_SHA_GDMA)
# set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_gdma_impl.c")
# elseif(CONFIG_SOC_SHA_CRYPTO_DMA)
# set(SHA_CORE_SRCS "${COMPONENT_DIR}/port/sha/core/esp_sha_crypto_dma_impl.c")
# endif()
# target_sources(mbedcrypto PRIVATE "${SHA_CORE_SRCS}")
# endif()
# if(AES_PERIPHERAL_TYPE STREQUAL "dma")
# if(NOT CONFIG_SOC_AES_GDMA)
# set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_crypto_dma_impl.c")
# else()
# set(AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_gdma_impl.c")
# endif()
# list(APPEND AES_DMA_SRCS "${COMPONENT_DIR}/port/aes/dma/esp_aes_dma_core.c")
# target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/dma/include")
# target_sources(mbedcrypto PRIVATE "${AES_DMA_SRCS}")
# endif()
# if((SHA_PERIPHERAL_TYPE STREQUAL "core" AND CONFIG_SOC_SHA_SUPPORT_DMA) OR AES_PERIPHERAL_TYPE STREQUAL "dma")
# target_link_libraries(mbedcrypto PRIVATE idf::esp_mm)
# if(CONFIG_SOC_SHA_GDMA OR CONFIG_SOC_AES_GDMA)
# if(CONFIG_SOC_AXI_DMA_EXT_MEM_ENC_ALIGNMENT)
# target_link_libraries(mbedcrypto PRIVATE idf::bootloader_support)
# endif()
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/crypto_shared_gdma/esp_crypto_shared_gdma.c")
# endif()
# endif()
# if(NOT ${IDF_TARGET} STREQUAL "linux")
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hardware.c")
# endif()
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_mem.c"
# "${COMPONENT_DIR}/port/esp_timing.c"
# )
# if(CONFIG_SOC_AES_SUPPORTED)
# target_include_directories(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/include")
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_xts.c"
# "${COMPONENT_DIR}/port/aes/esp_aes_common.c"
# "${COMPONENT_DIR}/port/aes/${AES_PERIPHERAL_TYPE}/esp_aes.c"
# )
# endif()
# if(CONFIG_SOC_SHA_SUPPORTED)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/esp_sha.c"
# "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/sha.c"
# )
# endif()
if(CONFIG_SOC_DIG_SIGN_SUPPORTED)
target_sources(mbedcrypto PRIVATE
@@ -273,6 +284,10 @@ target_sources(mbedcrypto PRIVATE
"${COMPONENT_DIR}/port/esp_ds/esp_rsa_dec_alt.c"
"${COMPONENT_DIR}/port/esp_ds/esp_ds_common.c")
endif()
# # CONFIG_ESP_TLS_USE_DS_PERIPHERAL can be enabled only for the supported targets.
# if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_ds/esp_rsa_sign_alt.c")
# endif()
if(CONFIG_SOC_HMAC_SUPPORTED)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/esp_hmac_pbkdf2.c")
@@ -285,72 +300,73 @@ endif()
#
# The other port-specific files don't override internal mbedTLS functions, they just add new functions.
if(CONFIG_MBEDTLS_HARDWARE_MPI)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c"
"${COMPONENT_DIR}/port/bignum/bignum_alt.c")
endif()
# if(CONFIG_MBEDTLS_HARDWARE_MPI)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/bignum/esp_bignum.c"
# "${COMPONENT_DIR}/port/bignum/bignum_alt.c")
# endif()
if(CONFIG_MBEDTLS_HARDWARE_SHA)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha1.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha256.c"
"${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha512.c"
)
endif()
# if(CONFIG_MBEDTLS_HARDWARE_SHA)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha1.c"
# "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha256.c"
# "${COMPONENT_DIR}/port/sha/${SHA_PERIPHERAL_TYPE}/esp_sha512.c"
# )
# endif()
if(CONFIG_MBEDTLS_HARDWARE_GCM OR CONFIG_MBEDTLS_HARDWARE_AES)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
endif()
# if(CONFIG_MBEDTLS_HARDWARE_GCM OR CONFIG_MBEDTLS_HARDWARE_AES)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/aes/esp_aes_gcm.c")
# endif()
if(CONFIG_MBEDTLS_HARDWARE_ECC)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c"
"${COMPONENT_DIR}/port/ecc/ecc_alt.c")
endif()
# if(CONFIG_MBEDTLS_HARDWARE_ECC)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecc/esp_ecc.c"
# "${COMPONENT_DIR}/port/ecc/ecc_alt.c")
# endif()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c")
# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR
# CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/ecdsa/ecdsa_alt.c")
set(WRAP_FUNCTIONS_SIGN
mbedtls_ecdsa_sign
mbedtls_ecdsa_sign_restartable
mbedtls_ecdsa_write_signature
mbedtls_ecdsa_write_signature_restartable)
# set(WRAP_FUNCTIONS_SIGN
# mbedtls_ecdsa_sign
# mbedtls_ecdsa_sign_restartable
# mbedtls_ecdsa_write_signature
# mbedtls_ecdsa_write_signature_restartable)
set(WRAP_FUNCTIONS_VERIFY
mbedtls_ecdsa_verify
mbedtls_ecdsa_verify_restartable
mbedtls_ecdsa_read_signature
mbedtls_ecdsa_read_signature_restartable)
# set(WRAP_FUNCTIONS_VERIFY
# mbedtls_ecdsa_verify
# mbedtls_ecdsa_verify_restartable
# mbedtls_ecdsa_read_signature
# mbedtls_ecdsa_read_signature_restartable)
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
foreach(wrap ${WRAP_FUNCTIONS_SIGN})
target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}")
endforeach()
# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
# foreach(wrap ${WRAP_FUNCTIONS_SIGN})
# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}")
# endforeach()
if(CONFIG_SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE)
target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_ext")
target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_restartable")
endif()
endif()
# if(CONFIG_SOC_ECDSA_SUPPORT_DETERMINISTIC_MODE)
# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_ext")
# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=mbedtls_ecdsa_sign_det_restartable")
# endif()
# endif()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
foreach(wrap ${WRAP_FUNCTIONS_VERIFY})
target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}")
endforeach()
endif()
# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
# foreach(wrap ${WRAP_FUNCTIONS_VERIFY})
# target_link_libraries(${COMPONENT_LIB} INTERFACE "-Wl,--wrap=${wrap}")
# endforeach()
# endif()
if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage)
endif()
endif()
# if(CONFIG_MBEDTLS_TEE_SEC_STG_ECDSA_SIGN)
# target_link_libraries(mbedcrypto PRIVATE idf::tee_sec_storage)
# endif()
# endif()
if(CONFIG_MBEDTLS_ROM_MD5)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c")
endif()
# if(CONFIG_MBEDTLS_ROM_MD5)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/md/esp_md.c")
# endif()
if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c")
target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init")
endif()
# if(CONFIG_MBEDTLS_USE_CRYPTO_ROM_IMPL)
# target_sources(mbedcrypto PRIVATE "${COMPONENT_DIR}/port/mbedtls_rom/mbedtls_rom_osi.c")
# target_link_libraries(${COMPONENT_LIB} PRIVATE "-u mbedtls_rom_osi_functions_init")
# endif()
foreach(target ${mbedtls_targets})
target_compile_definitions(${target} PUBLIC -DMBEDTLS_CONFIG_FILE="mbedtls/esp_config.h")
@@ -388,37 +404,37 @@ if(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
endforeach()
endif()
set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)
# set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_LIBRARIES mbedtls)
if(CONFIG_PM_ENABLE)
target_link_libraries(mbedcrypto PRIVATE idf::esp_pm)
endif()
# if(CONFIG_PM_ENABLE)
# target_link_libraries(mbedcrypto PRIVATE idf::esp_pm)
# endif()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
target_link_libraries(mbedcrypto PRIVATE idf::efuse)
endif()
# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN OR CONFIG_MBEDTLS_HARDWARE_ECDSA_VERIFY)
# target_link_libraries(mbedcrypto PRIVATE idf::efuse)
# endif()
target_link_libraries(${COMPONENT_LIB} ${linkage_type} ${mbedtls_targets})
if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
# The linker seems to be unable to resolve all the dependencies without increasing this
set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6)
endif()
# if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
# # The linker seems to be unable to resolve all the dependencies without increasing this
# set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6)
# endif()
# Additional optional dependencies for the mbedcrypto library
function(mbedcrypto_optional_deps component_name)
idf_build_get_property(components BUILD_COMPONENTS)
if(${component_name} IN_LIST components)
idf_component_get_property(lib_name ${component_name} COMPONENT_LIB)
target_link_libraries(mbedcrypto PRIVATE ${lib_name})
endif()
endfunction()
# function(mbedcrypto_optional_deps component_name)
# idf_build_get_property(components BUILD_COMPONENTS)
# if(${component_name} IN_LIST components)
# idf_component_get_property(lib_name ${component_name} COMPONENT_LIB)
# target_link_libraries(mbedcrypto PRIVATE ${lib_name})
# endif()
# endfunction()
if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM)
mbedcrypto_optional_deps(esp_timer idf::esp_timer)
endif()
# if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM)
# mbedcrypto_optional_deps(esp_timer idf::esp_timer)
# endif()
# Link esp-cryptoauthlib to mbedtls
if(CONFIG_ATCA_MBEDTLS_ECDSA)
mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib)
endif()
# if(CONFIG_ATCA_MBEDTLS_ECDSA)
# mbedcrypto_optional_deps(espressif__esp-cryptoauthlib esp-cryptoauthlib)
# endif()
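Review bot: In the `CONFIG_MBEDTLS_SSL_PROTO_GMTSSL1_1` block the source list is now read from `tfpsacrypto` but still written back with `set_property(TARGET mbedcrypto PROPERTY SOURCES ${src_crypto})`, so the filtered list never reaches the target it was taken from; the write should be `set_property(TARGET tfpsacrypto PROPERTY SOURCES ${src_crypto})`. `mbedcrypto` is also dropped from `mbedtls_targets` while the uncommented `target_sources(mbedcrypto ...)` calls under `CONFIG_SOC_DIG_SIGN_SUPPORTED` and `CONFIG_SOC_HMAC_SUPPORTED` still name it. Separately, the hardware SHA/AES/MPI/ECC/ECDSA port sources and the `--wrap` link options are commented out rather than retargeted, so the corresponding `CONFIG_MBEDTLS_HARDWARE_*` options appear to become silent no-ops, which for hardware-backed ECDSA may change where the private-key operation runs. Until the ports are restored, a configure-time `message(WARNING ...)` or `message(FATAL_ERROR ...)` when one of those options is set would make the gap visible, and the commented blocks should be deleted or tracked by an issue.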


@@ -162,7 +162,7 @@ static int esp_crt_check_signature(const mbedtls_x509_crt* child, const uint8_t*
goto cleanup;
}
if (unlikely((ret = mbedtls_pk_verify_ext(child->MBEDTLS_PRIVATE(sig_pk), child->MBEDTLS_PRIVATE(sig_opts), &pubkey,
if (unlikely((ret = mbedtls_pk_verify_ext(child->MBEDTLS_PRIVATE(sig_pk), NULL, &pubkey,
child->MBEDTLS_PRIVATE(sig_md), hash, md_size,
child->MBEDTLS_PRIVATE(sig).p, child->MBEDTLS_PRIVATE(sig).len)) != 0)) {
ESP_LOGE(TAG, "PK verify failed with error 0x%x", -ret);
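Review bot: `mbedtls_pk_verify_ext()` now receives `NULL` where it used to receive the certificate's `sig_opts`, which for RSASSA-PSS signatures carried the MGF1 hash and expected salt length parsed from the certificate. Whether a PSS-signed certificate still verifies, and against which parameters, depends on how the targeted Mbed TLS version treats a NULL options pointer; nothing in the hunk shows that. A one-line comment stating why `NULL` is safe here, plus a bundle test with a PSS-signed certificate, would settle it. The function body extends beyond the hunk.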


@@ -25,10 +25,14 @@
#ifndef ESP_CONFIG_H
#define ESP_CONFIG_H
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "sdkconfig.h"
#include "mbedtls/mbedtls_config.h"
#include "soc/soc_caps.h"
/**
* \def MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
*
@@ -149,6 +153,8 @@
/** Override calloc(), free() except for case where memory allocation scheme is not set to custom */
#ifndef CONFIG_MBEDTLS_CUSTOM_MEM_ALLOC
#include "esp_mem.h"
#undef MBEDTLS_PLATFORM_STD_CALLOC
#undef MBEDTLS_PLATFORM_STD_FREE
#define MBEDTLS_PLATFORM_STD_CALLOC esp_mbedtls_mem_calloc
#define MBEDTLS_PLATFORM_STD_FREE esp_mbedtls_mem_free
#endif
@@ -623,11 +629,11 @@
*
* Comment this macro to disable FIXED POINT curves optimisation.
*/
#ifdef CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 1
#else
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
#endif
// #ifdef CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM
// #define MBEDTLS_ECP_FIXED_POINT_OPTIM 1
// #else
// #define MBEDTLS_ECP_FIXED_POINT_OPTIM 0
// #endif
/**
* \def MBEDTLS_ECDSA_DETERMINISTIC
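Review bot: `#define MBEDTLS_ALLOW_PRIVATE_ACCESS` sits in the configuration header ahead of every include (it appears to be added by the first hunk), so it applies to each translation unit built with this config, application code included, and turns `MBEDTLS_PRIVATE()` into a no-op everywhere. If only a few port files need struct internals, define it in those files, as other files in this commit do, and leave the config header clean. The `MBEDTLS_ECP_FIXED_POINT_OPTIM` block is commented out while its doc comment ("Comment this macro to disable ...") stays, so `CONFIG_MBEDTLS_ECP_FIXED_POINT_OPTIM` no longer has any effect here; either remove the option or state the reason in a comment.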


@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2023-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Apache-2.0
*/
@@ -14,65 +14,65 @@ extern "C" {
#if defined(MBEDTLS_GCM_ALT) && defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)
/**
* When the MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK is defined, for non-AES GCM
* operations we need to fallback to the software function definitions of the
* mbedtls GCM layer.
* Thus in this case we need declarations for the software funtions.
* Please refer mbedtls/include/mbedtls/gcm.h for function documentations
*/
// /**
// * When the MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK is defined, for non-AES GCM
// * operations we need to fallback to the software function definitions of the
// * mbedtls GCM layer.
// * Thus in this case we need declarations for the software functions.
// * Please refer mbedtls/include/mbedtls/gcm.h for function documentations
// */
void mbedtls_gcm_init_soft(mbedtls_gcm_context_soft *ctx);
// void mbedtls_gcm_init_soft(mbedtls_gcm_context_soft *ctx);
int mbedtls_gcm_setkey_soft(mbedtls_gcm_context_soft *ctx,
mbedtls_cipher_id_t cipher,
const unsigned char *key,
unsigned int keybits);
// int mbedtls_gcm_setkey_soft(mbedtls_gcm_context_soft *ctx,
// mbedtls_cipher_id_t cipher,
// const unsigned char *key,
// unsigned int keybits);
int mbedtls_gcm_starts_soft(mbedtls_gcm_context_soft *ctx,
int mode,
const unsigned char *iv, size_t iv_len);
// int mbedtls_gcm_starts_soft(mbedtls_gcm_context_soft *ctx,
// int mode,
// const unsigned char *iv, size_t iv_len);
int mbedtls_gcm_update_ad_soft(mbedtls_gcm_context_soft *ctx,
const unsigned char *add, size_t add_len);
// int mbedtls_gcm_update_ad_soft(mbedtls_gcm_context_soft *ctx,
// const unsigned char *add, size_t add_len);
int mbedtls_gcm_update_soft(mbedtls_gcm_context_soft *ctx,
const unsigned char *input, size_t input_length,
unsigned char *output, size_t output_size,
size_t *output_length);
// int mbedtls_gcm_update_soft(mbedtls_gcm_context_soft *ctx,
// const unsigned char *input, size_t input_length,
// unsigned char *output, size_t output_size,
// size_t *output_length);
int mbedtls_gcm_finish_soft(mbedtls_gcm_context_soft *ctx,
unsigned char *output, size_t output_size,
size_t *output_length,
unsigned char *tag, size_t tag_len);
// int mbedtls_gcm_finish_soft(mbedtls_gcm_context_soft *ctx,
// unsigned char *output, size_t output_size,
// size_t *output_length,
// unsigned char *tag, size_t tag_len);
int mbedtls_gcm_crypt_and_tag_soft(mbedtls_gcm_context_soft *ctx,
int mode,
size_t length,
const unsigned char *iv,
size_t iv_len,
const unsigned char *add,
size_t add_len,
const unsigned char *input,
unsigned char *output,
size_t tag_len,
unsigned char *tag);
// int mbedtls_gcm_crypt_and_tag_soft(mbedtls_gcm_context_soft *ctx,
// int mode,
// size_t length,
// const unsigned char *iv,
// size_t iv_len,
// const unsigned char *add,
// size_t add_len,
// const unsigned char *input,
// unsigned char *output,
// size_t tag_len,
// unsigned char *tag);
int mbedtls_gcm_auth_decrypt_soft(mbedtls_gcm_context_soft *ctx,
size_t length,
const unsigned char *iv,
size_t iv_len,
const unsigned char *add,
size_t add_len,
const unsigned char *tag,
size_t tag_len,
const unsigned char *input,
unsigned char *output);
// int mbedtls_gcm_auth_decrypt_soft(mbedtls_gcm_context_soft *ctx,
// size_t length,
// const unsigned char *iv,
// size_t iv_len,
// const unsigned char *add,
// size_t add_len,
// const unsigned char *tag,
// size_t tag_len,
// const unsigned char *input,
// unsigned char *output);
void mbedtls_gcm_free_soft(mbedtls_gcm_context_soft *ctx);
// void mbedtls_gcm_free_soft(mbedtls_gcm_context_soft *ctx);
#endif /* MBEDTLS_GCM_ALT && MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK*/
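Review bot: All `mbedtls_gcm_*_soft` declarations are commented out, leaving the `#if defined(MBEDTLS_GCM_ALT) && defined(MBEDTLS_GCM_NON_AES_CIPHER_SOFT_FALLBACK)` guard around nothing but comments. Any source that still calls these functions under that configuration would now build against missing declarations, so the fallback option and the declarations should be removed together, or the declarations kept. If this is a temporary state, replace the commented block with one line, e.g. `/* TODO: software GCM fallback not yet ported to TF-PSA-Crypto */`.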


@@ -4,7 +4,10 @@ set(TEST_CRTS "crts/server_cert_chain.pem"
"crts/bad_md_crt.pem"
"crts/wrong_sig_crt_esp32_com.pem"
"crts/correct_sig_crt_esp32_com.pem")
idf_component_register(SRC_DIRS "."
idf_component_register(
SRCS "app_main.c"
# SRC_DIRS "."
PRIV_INCLUDE_DIRS "."
PRIV_REQUIRES efuse cmock test_utils mbedtls esp_timer unity spi_flash esp_psram esp_security
EMBED_TXTFILES ${TEST_CRTS}
@@ -13,7 +16,7 @@ idf_component_register(SRC_DIRS "."
idf_component_get_property(mbedtls mbedtls COMPONENT_LIB)
target_compile_definitions(${mbedtls} INTERFACE "-DMBEDTLS_DEPRECATED_WARNING")
target_compile_definitions(mbedtls PUBLIC "-DMBEDTLS_DEPRECATED_WARNING")
target_compile_definitions(mbedcrypto PUBLIC "-DMBEDTLS_DEPRECATED_WARNING")
# target_compile_definitions(mbedcrypto PUBLIC "-DMBEDTLS_DEPRECATED_WARNING")
target_compile_definitions(mbedx509 PUBLIC "-DMBEDTLS_DEPRECATED_WARNING")
# Add linker wrap option to override esp_ds_finish_sign
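Review bot: Replacing `SRC_DIRS "."` with `SRCS "app_main.c"` removes every other test source in this directory from the build, while `EMBED_TXTFILES ${TEST_CRTS}` and the long `PRIV_REQUIRES` list stay. The crypto and certificate tests would then no longer compile or run, so the code paths this commit changes lose their coverage without any visible failure. List the test files that already build against the new API explicitly in `SRCS` and track the rest, rather than leaving `# SRC_DIRS "."` as a comment inside the call. The commented `target_compile_definitions(mbedcrypto ...)` line below likewise drops `MBEDTLS_DEPRECATED_WARNING` for the crypto library; apply it to the replacement target if there is one.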


@@ -1,5 +1,5 @@
/*
* SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
* SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
*
* SPDX-License-Identifier: Unlicense OR CC0-1.0
*/
@@ -10,6 +10,8 @@
#include "memory_checks.h"
#include "soc/soc_caps.h"
#include "esp_newlib.h"
#include "esp_random.h"
#include "mbedtls/entropy.h"
/* setUp runs before every test */
void setUp(void)
@@ -17,8 +19,8 @@ void setUp(void)
// Execute mbedtls_aes_init operation to allocate AES interrupt
// allocation memory which is considered as leak otherwise
#if SOC_AES_SUPPORTED
mbedtls_aes_context ctx;
mbedtls_aes_init(&ctx);
// mbedtls_aes_context ctx;
// mbedtls_aes_init(&ctx);
#endif // SOC_AES_SUPPORTED
test_utils_record_free_mem();
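Review bot: With the `mbedtls_aes_init()` warm-up commented out, the `#if SOC_AES_SUPPORTED` block in `setUp()` is empty and the comment above it describes code that no longer runs. If the AES driver still allocates its interrupt lazily, the first test that touches AES will be charged with that allocation after `test_utils_record_free_mem()`; a PSA-based warm-up or an adjusted leak threshold would be needed. The same commented-out pair appears in the NVS test `setUp()` later on this page. The newly added `esp_random.h` and `mbedtls/entropy.h` includes have no visible user in these hunks. `setUp()` continues beyond the hunk.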


@@ -3,11 +3,19 @@
*
* SPDX-License-Identifier: Apache-2.0
*/
#pragma once
#ifndef NVS_ENCRYPTED_PARTITION_HPP_
#define NVS_ENCRYPTED_PARTITION_HPP_
#include "sdkconfig.h" // For CONFIG_NVS_BDL_STACK
#include "mbedtls/aes.h" // For mbedtls_aes_xts_context
#include "nvs_flash.h" // For nvs_sec_cfg_t
/* NOTE: Using legacy mbedtls XTS API until PSA Crypto adds XTS support
* With TF-PSA-Crypto 1.0, AES headers moved to mbedtls/private/.
* Need MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS to access XTS functions.
*/
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "mbedtls/aes.h"
#include "nvs_flash.h"
#include "nvs_partition.hpp"
namespace nvs {
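Review bot: `MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS` is defined in a header, so every file that includes `nvs_encrypted_partition.hpp` gets the private mbedtls declarations, and it only takes effect if `mbedtls/aes.h` has not already been included earlier in that translation unit. Setting the macro for the component in its build file (for example `target_compile_definitions(${COMPONENT_LIB} PRIVATE MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS)`) or in the one source file that calls the XTS functions avoids both effects. The listing also shows `#pragma once` next to a new `#ifndef`/`#define` guard; if both are on the new side, one is enough, and the matching `#endif` is outside the hunk.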


@@ -63,8 +63,8 @@ void setUp(void)
// Execute mbedtls_aes_init operation to allocate AES interrupt
// allocation memory which is considered as memory leak otherwise
#if defined(CONFIG_NVS_ENCRYPTION) && defined(SOC_AES_SUPPORTED)
mbedtls_aes_context ctx;
mbedtls_aes_init(&ctx);
// mbedtls_aes_context ctx;
// mbedtls_aes_init(&ctx);
#endif
// Calling esp_partition_find_first ensures that the partitions have been loaded


@@ -29,6 +29,7 @@
#include "esp_random.h"
#ifdef CONFIG_NVS_ENCRYPTION
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "mbedtls/aes.h"
#endif


@@ -676,10 +676,12 @@ esp_err_t esp_srp_get_session_key(esp_srp_handle_t *hd, char *bytes_A, int len_A
goto error;
}
psa_hash_operation_t hash_op = PSA_HASH_OPERATION_INIT;
psa_status_t status = psa_hash_setup(&hash_op, PSA_ALG_SHA_512);
ESP_RETURN_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, TAG, "Failed to setup hash operation: %d", status);
psa_status_t status = psa_crypto_init();
ESP_RETURN_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, TAG, "Failed to initialize PSA crypto: %d", status);
psa_hash_operation_t hash_op = PSA_HASH_OPERATION_INIT;
status = psa_hash_setup(&hash_op, PSA_ALG_SHA_512);
ESP_RETURN_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, TAG, "Failed to setup hash operation: %d", status);
psa_hash_update(&hash_op, (unsigned char *)bytes_S, len_S);
size_t hash_len = 0;
status = psa_hash_finish(&hash_op, (unsigned char *)hd->session_key, SHA512_HASH_SZ, &hash_len);
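Review bot: The new `psa_crypto_init()` check uses `ESP_RETURN_ON_FALSE`, which returns straight out of `esp_srp_get_session_key()`, while the code at the top of the hunk leaves through `goto error`. Anything the `error:` label releases is skipped on this path (the label is outside the hunk, so what it frees is not visible); `ESP_GOTO_ON_FALSE(status == PSA_SUCCESS, ESP_FAIL, error, TAG, "Failed to initialize PSA crypto: %d", status);` would keep a single exit, assuming a `ret` variable is in scope. The result of `psa_hash_update()` is also discarded, so a failed update surfaces only later as whatever `psa_hash_finish()` reports. Check it and call `psa_hash_abort(&hash_op)` on failure.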


@@ -3,7 +3,7 @@
*
* SPDX-License-Identifier: Apache-2.0
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#ifdef ESP_PLATFORM
#include "esp_system.h"
#include "mbedtls/bignum.h"


@@ -4,6 +4,8 @@
* SPDX-License-Identifier: Apache-2.0
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#ifdef ESP_PLATFORM
#include "esp_system.h"
#include "mbedtls/bignum.h"
@@ -23,7 +25,7 @@
#include "mbedtls/sha256.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/error.h"
#include "mbedtls/oid.h"
// #include "mbedtls/crypto_oid.h"
#include <mbedtls/psa_util.h>
#include "psa/crypto.h"
@@ -537,6 +539,82 @@ static struct crypto_ec_key *crypto_alloc_key(void)
return (struct crypto_ec_key *)key;
}
static psa_ecc_family_t group_id_to_psa(mbedtls_ecp_group_id grp_id, size_t *bits)
{
switch (grp_id) {
case MBEDTLS_ECP_DP_SECP192R1:
if (bits) {
*bits = 192;
}
return PSA_ECC_FAMILY_SECP_R1;
case MBEDTLS_ECP_DP_SECP224R1:
if (bits) {
*bits = 224;
}
return PSA_ECC_FAMILY_SECP_R1;
case MBEDTLS_ECP_DP_SECP256R1:
if (bits) {
*bits = 256;
}
return PSA_ECC_FAMILY_SECP_R1;
case MBEDTLS_ECP_DP_SECP384R1:
if (bits) {
*bits = 384;
}
return PSA_ECC_FAMILY_SECP_R1;
case MBEDTLS_ECP_DP_SECP521R1:
if (bits) {
*bits = 521;
}
return PSA_ECC_FAMILY_SECP_R1;
case MBEDTLS_ECP_DP_BP256R1:
if (bits) {
*bits = 256;
}
return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
case MBEDTLS_ECP_DP_BP384R1:
if (bits) {
*bits = 384;
}
return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
case MBEDTLS_ECP_DP_BP512R1:
if (bits) {
*bits = 512;
}
return PSA_ECC_FAMILY_BRAINPOOL_P_R1;
case MBEDTLS_ECP_DP_CURVE25519:
if (bits) {
*bits = 255;
}
return PSA_ECC_FAMILY_MONTGOMERY;
case MBEDTLS_ECP_DP_SECP192K1:
if (bits) {
*bits = 192;
}
return PSA_ECC_FAMILY_SECP_K1;
case MBEDTLS_ECP_DP_SECP224K1:
if (bits) {
*bits = 224;
}
return PSA_ECC_FAMILY_SECP_K1;
case MBEDTLS_ECP_DP_SECP256K1:
if (bits) {
*bits = 256;
}
return PSA_ECC_FAMILY_SECP_K1;
case MBEDTLS_ECP_DP_CURVE448:
if (bits) {
*bits = 448;
}
return PSA_ECC_FAMILY_MONTGOMERY;
default:
if (bits) {
*bits = 0;
}
return 0;
}
}
struct crypto_ec_key * crypto_ec_key_set_pub(const struct crypto_ec_group *group,
const u8 *buf, size_t len)
{
@@ -545,16 +623,13 @@ struct crypto_ec_key * crypto_ec_key_set_pub(const struct crypto_ec_group *group
return NULL;
}
mbedtls_ecp_group *ecp_grp = (mbedtls_ecp_group *)group;
mbedtls_ecp_group_id grp_id = ecp_grp->id;
size_t key_bits = 0;
psa_ecc_family_t ecc_family = mbedtls_ecc_group_to_psa(grp_id, &key_bits);
if (ecc_family == 0) {
wpa_printf(MSG_ERROR, "Unsupported ECC group");
mbedtls_ecp_group *grp = (mbedtls_ecp_group *)group;
if (!grp) {
wpa_printf(MSG_ERROR, "Invalid ECC group");
return NULL;
}
size_t key_bits = 0;
psa_ecc_family_t ecc_family = group_id_to_psa(grp->id, &key_bits);
psa_key_id_t *key_id = os_calloc(1, sizeof(psa_key_id_t));
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -593,7 +668,7 @@ struct crypto_ec_key * crypto_ec_key_set_pub(const struct crypto_ec_group *group
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_VERIFY_HASH | PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_EXPORT);
psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDSA(PSA_ALG_SHA_256));
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(ecc_family));
psa_set_key_type(&key_attributes, ecc_family);
status = psa_import_key(&key_attributes, key_buf, key_len, key_id);
if (status != PSA_SUCCESS) {
@@ -692,26 +767,31 @@ struct crypto_ec_group *crypto_ec_get_group_from_key(struct crypto_ec_key *key)
}
psa_ecc_family_t ecc_family = psa_get_key_type(&key_attributes);
size_t bits = psa_get_key_bits(&key_attributes);
int ret = mbedtls_ecc_group_from_psa(ecc_family, bits);
if (ret == 0) {
wpa_printf(MSG_ERROR, "Unsupported ECC group");
}
mbedtls_ecp_group *e = os_zalloc(sizeof(*e));
if (!e) {
psa_ecc_family_t *curve = os_zalloc(sizeof(psa_ecc_family_t));
if (!curve) {
wpa_printf(MSG_ERROR, "memory allocation failed");
return NULL;
}
*curve = PSA_KEY_TYPE_ECC_GET_FAMILY(ecc_family);
// int ret = mbedtls_ecc_group_from_psa(ecc_family, bits);
// if (ret == 0) {
// wpa_printf(MSG_ERROR, "Unsupported ECC group");
// }
mbedtls_ecp_group_init(e);
// mbedtls_ecp_group *e = os_zalloc(sizeof(*e));
// if (!e) {
// return NULL;
// }
if (mbedtls_ecp_group_load(e, ret)) {
mbedtls_ecp_group_free(e);
os_free(e);
e = NULL;
}
// mbedtls_ecp_group_init(e);
return (struct crypto_ec_group *)e;
// if (mbedtls_ecp_group_load(e, ret)) {
// mbedtls_ecp_group_free(e);
// os_free(e);
// e = NULL;
// }
return (struct crypto_ec_group *)curve;
}
int crypto_ec_key_group(struct crypto_ec_key *key)
@@ -730,13 +810,8 @@ int crypto_ec_key_group(struct crypto_ec_key *key)
}
psa_ecc_family_t ecc_family = psa_get_key_type(&key_attributes);
size_t bits = psa_get_key_bits(&key_attributes);
int ret = mbedtls_ecc_group_from_psa(ecc_family, bits);
if (ret == 0) {
wpa_printf(MSG_ERROR, "Unsupported ECC group");
}
int iana_group = (int)crypto_ec_get_mbedtls_to_nist_group_id(ret);
int iana_group = (int)crypto_ec_get_mbedtls_to_nist_group_id(ecc_family);
return iana_group;
}
@@ -904,7 +979,7 @@ struct crypto_ec_key *crypto_ec_key_parse_priv(const u8 *privkey, size_t privkey
wpa_printf(MSG_ERROR, "memory allocation failed");
return NULL;
}
ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
ret = mbedtls_pk_parse_key(kctx, privkey, privkey_len, NULL, 0);
if (ret < 0) {
//crypto_print_error_string(ret);
@@ -942,6 +1017,12 @@ fail:
unsigned int crypto_ec_get_mbedtls_to_nist_group_id(int id)
{
unsigned int nist_grpid = 0;
size_t bits = 0;
psa_ecc_family_t family = PSA_KEY_TYPE_ECC_GET_FAMILY(id);
if (family == PSA_ECC_FAMILY_MONTGOMERY) {
// Montgomery curves are not supported in NIST
return 0;
}
switch (id) {
case MBEDTLS_ECP_DP_SECP256R1:
nist_grpid = 19;
@@ -961,6 +1042,24 @@ unsigned int crypto_ec_get_mbedtls_to_nist_group_id(int id)
case MBEDTLS_ECP_DP_BP512R1:
nist_grpid = 30;
break;
case PSA_ECC_FAMILY_SECP_R1:
if (bits == 256) {
nist_grpid = 19; // NIST P-256
} else if (bits == 384) {
nist_grpid = 20; // NIST P-384
} else if (bits == 521) {
nist_grpid = 21; // NIST P-521
}
break;
case PSA_ECC_FAMILY_BRAINPOOL_P_R1:
if (bits == 256) {
nist_grpid = 28; // Brainpool P-256
} else if (bits == 384) {
nist_grpid = 29; // Brainpool P-384
} else if (bits == 512) {
nist_grpid = 30; // Brainpool P-512
}
break;
default:
break;
}
@@ -1009,8 +1108,6 @@ int crypto_ecdh(struct crypto_ec_key *key_own, struct crypto_ec_key *key_peer,
goto fail;
}
// psa_algorithm_t alg = psa_get_key_algorithm(&peer_key_attributes);
*secret_len = 0;
size_t secret_length = 0;
status = psa_raw_key_agreement(PSA_ALG_ECDH, *own, peer_key_buf, peer_key_len, secret, 66, &secret_length);
@@ -1150,7 +1247,7 @@ struct crypto_ec_key * crypto_ec_key_gen(u16 ike_group)
}
size_t key_bit_length = 0;
psa_ecc_family_t ecc_family = mbedtls_ecc_group_to_psa(ike_group, &key_bit_length);
psa_ecc_family_t ecc_family = group_id_to_psa(ike_group, &key_bit_length);
if (ecc_family == 0) {
printf("mbedtls_ecc_group_to_psa failed\n");
return NULL;
@@ -1174,28 +1271,6 @@ struct crypto_ec_key * crypto_ec_key_gen(u16 ike_group)
return (struct crypto_ec_key *)key_id;
}
/*
* ECParameters ::= CHOICE {
* namedCurve OBJECT IDENTIFIER
* }
*/
static int pk_write_ec_param(unsigned char **p, unsigned char *start,
mbedtls_ecp_keypair *ec)
{
int ret;
size_t len = 0;
const char *oid;
size_t oid_len;
if ((ret = mbedtls_oid_get_oid_by_ec_grp(ec->MBEDTLS_PRIVATE(grp).id, &oid, &oid_len)) != 0) {
return (ret);
}
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_oid(p, start, oid, oid_len));
return ((int) len);
}
static int pk_write_ec_pubkey_formatted(unsigned char **p, unsigned char *start,
mbedtls_ecp_keypair *ec, int format)
{
@@ -1238,8 +1313,6 @@ int crypto_pk_write_formatted_pubkey_der(mbedtls_pk_context *key, unsigned char
{
int ret;
unsigned char *c;
size_t len = 0, par_len = 0, oid_len;
const char *oid;
if (size == 0) {
return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
@@ -1247,45 +1320,13 @@ int crypto_pk_write_formatted_pubkey_der(mbedtls_pk_context *key, unsigned char
c = buf + size;
ret = mbedtls_pk_write_pubkey_formatted(&c, buf, key, format);
ret = mbedtls_pk_write_pubkey_der(key, c, size);
if (ret < 0) {
wpa_printf(MSG_ERROR, "mbedtls_pk_write_pubkey_der failed with %d", ret);
return ret;
}
MBEDTLS_ASN1_CHK_ADD(len, ret);
if (c - buf < 1) {
return (MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
}
/*
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
* subjectPublicKey BIT STRING }
*/
*--c = 0;
len += 1;
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_BIT_STRING));
if ((ret = mbedtls_oid_get_oid_by_pk_alg(mbedtls_pk_get_type(key),
&oid, &oid_len)) != 0) {
return (ret);
}
if (mbedtls_pk_get_type(key) == MBEDTLS_PK_ECKEY) {
MBEDTLS_ASN1_CHK_ADD(par_len, pk_write_ec_param(&c, buf, mbedtls_pk_ec(*key)));
}
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_algorithm_identifier(&c, buf, oid, oid_len,
par_len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_len(&c, buf, len));
MBEDTLS_ASN1_CHK_ADD(len, mbedtls_asn1_write_tag(&c, buf, MBEDTLS_ASN1_CONSTRUCTED |
MBEDTLS_ASN1_SEQUENCE));
return ((int) len);
return ((int) ret);
}
int crypto_ec_write_pub_key(struct crypto_ec_key *key, unsigned char **key_buf)
@@ -1378,7 +1419,7 @@ struct crypto_ecdh * crypto_ecdh_init(int group)
psa_key_id_t key_id;
size_t key_size = 0;
psa_ecc_family_t ecc_family = mbedtls_ecc_group_to_psa(crypto_mbedtls_get_grp_id(group), &key_size);
psa_ecc_family_t ecc_family = group_id_to_psa(crypto_mbedtls_get_grp_id(group), &key_size);
psa_set_key_type(&key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(ecc_family));
psa_set_key_bits(&key_attributes, key_size);
@@ -1405,6 +1446,8 @@ struct wpabuf * crypto_ecdh_get_pubkey(struct crypto_ecdh *ecdh, int y)
return NULL;
}
uint8_t raw_key[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE] = {0};
status = psa_export_public_key(*key_id, raw_key, sizeof(raw_key), &key_size);
if (status != PSA_SUCCESS) {
return NULL;


@@ -121,7 +121,7 @@ struct crypto_private_key * crypto_private_key_import(const u8 *key,
mbedtls_pk_init(pkey);
ret = mbedtls_pk_parse_key(pkey, key, len, (const unsigned char *)passwd,
passwd ? os_strlen(passwd) : 0, mbedtls_esp_random, NULL);
passwd ? os_strlen(passwd) : 0);
if (ret < 0) {
wpa_printf(MSG_ERROR, "failed to parse private key");
@@ -189,8 +189,7 @@ int crypto_public_key_encrypt_pkcs1_v15(struct crypto_public_key *key,
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "Failed to initialize PSA crypto, returned %d", (int) status);
ret = -1;
goto cleanup;
return -1;
}
mbedtls_pk_context *pkey = (mbedtls_pk_context *)key;


@@ -3,6 +3,9 @@
*
* SPDX-License-Identifier: Apache-2.0
*/
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#ifdef ESP_PLATFORM
#include "esp_system.h"
#endif
@@ -455,9 +458,9 @@ static void *aes_crypt_init(int mode, const u8 *key, size_t len)
return NULL;
}
if (mode == MBEDTLS_AES_ENCRYPT) {
if (mode == MBEDTLS_ENCRYPT) {
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
} else if (mode == MBEDTLS_AES_DECRYPT) {
} else if (mode == MBEDTLS_DECRYPT) {
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
}
@@ -490,9 +493,9 @@ static int aes_crypt(void *ctx, int mode, const u8 *in, u8 *out)
return -1;
}
if (mode == MBEDTLS_AES_ENCRYPT) {
if (mode == MBEDTLS_ENCRYPT) {
status = psa_cipher_encrypt_setup(&operation, *key_id, PSA_ALG_ECB_NO_PADDING);
} else if (mode == MBEDTLS_AES_DECRYPT) {
} else if (mode == MBEDTLS_DECRYPT) {
status = psa_cipher_decrypt_setup(&operation, *key_id, PSA_ALG_ECB_NO_PADDING);
} else {
wpa_printf(MSG_ERROR, "%s: invalid mode", __func__);
@@ -537,12 +540,12 @@ static void aes_crypt_deinit(void *ctx)
void *aes_encrypt_init(const u8 *key, size_t len)
{
return aes_crypt_init(MBEDTLS_AES_ENCRYPT, key, len);
return aes_crypt_init(MBEDTLS_ENCRYPT, key, len);
}
int aes_encrypt(void *ctx, const u8 *plain, u8 *crypt)
{
return aes_crypt(ctx, MBEDTLS_AES_ENCRYPT, plain, crypt);
return aes_crypt(ctx, MBEDTLS_ENCRYPT, plain, crypt);
}
void aes_encrypt_deinit(void *ctx)
@@ -552,12 +555,12 @@ void aes_encrypt_deinit(void *ctx)
void * aes_decrypt_init(const u8 *key, size_t len)
{
return aes_crypt_init(MBEDTLS_AES_DECRYPT, key, len);
return aes_crypt_init(MBEDTLS_DECRYPT, key, len);
}
int aes_decrypt(void *ctx, const u8 *crypt, u8 *plain)
{
return aes_crypt(ctx, MBEDTLS_AES_DECRYPT, crypt, plain);
return aes_crypt(ctx, MBEDTLS_DECRYPT, crypt, plain);
}
void aes_decrypt_deinit(void *ctx)
@@ -735,8 +738,10 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg,
}
psa_status_t status;
psa_key_attributes attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key_id;
psa_cipher_operation_t *enc_operation = NULL;
psa_cipher_operation_t *dec_operation = NULL;
status = psa_crypto_init();
if (status != PSA_SUCCESS) {
@@ -768,10 +773,10 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg,
psa_reset_key_attributes(&attributes);
psa_cipher_operation_t *enc_operation = os_zalloc(sizeof(psa_cipher_operation_t));
enc_operation = os_zalloc(sizeof(psa_cipher_operation_t));
if (!enc_operation) {
wpa_printf(MSG_ERROR, "%s: os_zalloc failed", __func__);
return NULL;
goto cleanup;
}
ctx->ctx_enc = (void *)enc_operation;
@@ -779,24 +784,50 @@ struct crypto_cipher *crypto_cipher_init(enum crypto_cipher_alg alg,
status = psa_cipher_encrypt_setup(enc_operation, key_id, psa_alg);
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "%s: psa_cipher_encrypt_setup failed", __func__);
return NULL;
goto cleanup;
}
status = psa_cipher_set_iv(enc_operation, iv, 16);
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "%s: psa_cipher_set_iv failed", __func__);
return NULL;
goto cleanup;
}
psa_cipher_operation_t *dec_operation = os_zalloc(sizeof(psa_cipher_operation_t));
dec_operation = os_zalloc(sizeof(psa_cipher_operation_t));
if (!dec_operation) {
wpa_printf(MSG_ERROR, "%s: os_zalloc failed", __func__);
return NULL;
goto cleanup;
}
#endif /* CONFIG_MBEDTLS_CIPHER_MODE_WITH_PADDING */
ctx->ctx_dec = (void *)dec_operation;
status = psa_cipher_decrypt_setup(dec_operation, key_id, psa_alg);
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "%s: psa_cipher_decrypt_setup failed", __func__);
goto cleanup;
}
status = psa_cipher_set_iv(dec_operation, iv, 16);
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "%s: psa_cipher_set_iv failed", __func__);
goto cleanup;
}
ctx->key_id = key_id;
return ctx;
cleanup:
if (key_id) {
psa_destroy_key(key_id);
}
if (enc_operation) {
os_free(enc_operation);
}
if (dec_operation) {
os_free(dec_operation);
}
psa_reset_key_attributes(&attributes);
os_free(ctx);
return NULL;
}
@@ -856,6 +887,8 @@ void crypto_cipher_deinit(struct crypto_cipher *ctx)
if (status != PSA_SUCCESS) {
wpa_printf(MSG_ERROR, "%s: psa_destroy_key failed", __func__);
}
os_free(ctx->ctx_enc);
os_free(ctx->ctx_dec);
os_free(ctx);
}
#endif
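Review bot: The new `cleanup:` path in crypto_cipher_init releases `enc_operation` and `dec_operation` with `os_free()` without calling `psa_cipher_abort()` first, even though `psa_cipher_encrypt_setup()` or `psa_cipher_decrypt_setup()` may already have succeeded by the time of the jump. Any state the PSA implementation holds for an active operation is then dropped instead of released, and the key is destroyed while an operation may still be bound to it. I would abort before freeing, e.g. `if (enc_operation) { psa_cipher_abort(enc_operation); os_free(enc_operation); }`, with the same for `dec_operation` and the aborts placed ahead of `psa_destroy_key(key_id)`. `key_id` is also declared without an initializer while `cleanup:` tests `if (key_id)`; `psa_key_id_t key_id = 0;` would make that test well defined on every path. The function starts outside these hunks, and whether crypto_cipher_deinit aborts the operations before the two added `os_free()` calls is not visible either.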


@@ -25,10 +25,11 @@
#if defined(__GNUC__)
#include <endian.h>
#endif
#include <mbedtls/sha1.h>
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "mbedtls/sha1.h"
#include "mbedtls/esp_config.h"
#include "utils/wpa_debug.h"
#include "psa/crypto.h"
/* --- MSVC doesn't support C99 --- */
#ifdef _MSC_VER
@@ -40,7 +41,7 @@
#ifndef MIN
#define MIN(a, b) ((a) > (b)) ? (b) : (a)
#endif
#if 0
static inline void write32_be(uint32_t n, uint8_t out[4])
{
#if defined(__GNUC__) && __GNUC__ >= 4 && __BYTE_ORDER == __LITTLE_ENDIAN
@@ -378,11 +379,66 @@ DECL_PBKDF2(sha1, // _name
sha1_cpy, // _xcpy
sha1_extract, // _xtract
sha1_xor) // _xxor
#endif /* 0 */
#define USE_PSA 1
void fastpbkdf2_hmac_sha1(const uint8_t *pw, size_t npw,
const uint8_t *salt, size_t nsalt,
uint32_t iterations,
uint8_t *out, size_t nout)
{
#ifdef USE_PSA
psa_status_t status;
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_id_t key_id = 0;
// Set up key attributes for password
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
psa_set_key_algorithm(&attributes, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1));
psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
// Import password as key
status = psa_import_key(&attributes, pw, npw, &key_id);
if (status != PSA_SUCCESS) {
return;
}
// Set up key derivation
status = psa_key_derivation_setup(&operation, PSA_ALG_PBKDF2_HMAC(PSA_ALG_SHA_1));
if (status != PSA_SUCCESS) {
goto cleanup;
}
// Add salt
status = psa_key_derivation_input_bytes(&operation, PSA_KEY_DERIVATION_INPUT_SALT,
salt, nsalt);
if (status != PSA_SUCCESS) {
goto cleanup;
}
// Add password
status = psa_key_derivation_input_key(&operation, PSA_KEY_DERIVATION_INPUT_PASSWORD, key_id);
if (status != PSA_SUCCESS) {
goto cleanup;
}
// Set iteration count
status = psa_key_derivation_input_integer(&operation, PSA_KEY_DERIVATION_INPUT_COST,
iterations);
if (status != PSA_SUCCESS) {
goto cleanup;
}
// Generate output
status = psa_key_derivation_output_bytes(&operation, out, nout);
cleanup:
psa_key_derivation_abort(&operation);
psa_destroy_key(key_id);
psa_reset_key_attributes(&attributes);
#else
PBKDF2(sha1)(pw, npw, salt, nsalt, iterations, out, nout);
#endif // USE_PSA
}
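Review bot: fastpbkdf2_hmac_sha1 now has failure paths but no way to report them: the early `return;` after `psa_import_key` and every `goto cleanup` leave `out` unwritten, and the status of the final `psa_key_derivation_output_bytes` is assigned but never read. A caller that goes on to use `out` as key material would be working with whatever the buffer held before the call. Because the function returns void, I would at least change the early `return;` to `goto cleanup;` and log at the label with `if (status != PSA_SUCCESS) { wpa_printf(MSG_ERROR, "%s: PBKDF2 failed: %d", __func__, (int) status); }`, then consider a follow-up that returns the status to callers. Separately, the `#else` branch calls `PBKDF2(sha1)`, which appears to be generated by the `DECL_PBKDF2` block now wrapped in `#if 0`, so that branch looks uncompilable if `USE_PSA` is ever undefined.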


@@ -63,6 +63,7 @@
#include "sha/sha_core.h"
#endif
#include "esp_log.h"
#include "psa/crypto.h"
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n, b, i) \
@@ -100,24 +101,24 @@ struct fast_psk_context {
};
/* Acquire SHA1 hardware for exclusive use */
static inline void sha1_setup(void)
{
#if SOC_SHA_SUPPORT_PARALLEL_ENG
esp_sha_lock_engine(SHA1);
#else
esp_sha_acquire_hardware();
#endif
}
// static inline void sha1_setup(void)
// {
// #if SOC_SHA_SUPPORT_PARALLEL_ENG
// esp_sha_lock_engine(SHA1);
// #else
// esp_sha_acquire_hardware();
// #endif
// }
/* Release SHA1 hardware */
static inline void sha1_teardown(void)
{
#if SOC_SHA_SUPPORT_PARALLEL_ENG
esp_sha_unlock_engine(SHA1);
#else
esp_sha_release_hardware();
#endif
}
// static inline void sha1_teardown(void)
// {
// #if SOC_SHA_SUPPORT_PARALLEL_ENG
// esp_sha_unlock_engine(SHA1);
// #else
// esp_sha_release_hardware();
// #endif
// }
/*
* Pads the given HMAC block context with the appropriate SHA1 padding.
@@ -160,13 +161,62 @@ static inline void write32_be(uint32_t n, uint8_t out[4])
void sha1_op(uint32_t blocks[FAST_PSK_SHA1_BLOCKS_BUF_WORDS], uint32_t output[SHA1_OUTPUT_SZ_WORDS])
{
esp_sha_set_mode(SHA1);
/* First block */
esp_sha_block(SHA1, blocks, true);
/* Second block */
esp_sha_block(SHA1, &blocks[SHA1_BLOCK_SZ_WORDS], false);
/* Read the final digest */
esp_sha_read_digest_state(SHA1, output);
// esp_sha_set_mode(SHA1);
// /* First block */
// esp_sha_block(SHA1, blocks, true);
// /* Second block */
// esp_sha_block(SHA1, &blocks[SHA1_BLOCK_SZ_WORDS], false);
// /* Read the final digest */
// esp_sha_read_digest_state(SHA1, output);
// Convert to PSA API
psa_status_t status;
psa_hash_operation_t operation = PSA_HASH_OPERATION_INIT;
status = psa_hash_setup(&operation, PSA_ALG_SHA_1);
if (status != PSA_SUCCESS) {
ESP_LOGE("fastpsk", "psa_hash_setup failed: %d", status);
return;
}
// Update with the first block
status = psa_hash_update(&operation, (const uint8_t *)blocks, SHA1_BLOCK_SZ);
if (status != PSA_SUCCESS) {
ESP_LOGE("fastpsk", "psa_hash_update failed: %d", status);
psa_hash_abort(&operation);
return;
}
// Update with the second block
status = psa_hash_update(&operation, (const uint8_t *)&blocks[SHA1_BLOCK_SZ_WORDS], SHA1_BLOCK_SZ);
if (status != PSA_SUCCESS) {
ESP_LOGE("fastpsk", "psa_hash_update failed: %d", status);
psa_hash_abort(&operation);
return;
}
// Finish the hash operation
size_t mac_len;
status = psa_hash_finish(&operation, (uint8_t *)output, SHA1_OUTPUT_SZ, &mac_len);
if (status != PSA_SUCCESS) {
ESP_LOGE("fastpsk", "psa_hash_finish failed: %d", status);
psa_hash_abort(&operation);
return;
}
// Ensure the output length is correct
if (mac_len != SHA1_OUTPUT_SZ) {
ESP_LOGE("fastpsk", "Unexpected hash length: %zu, expected: %d", mac_len, SHA1_OUTPUT_SZ);
psa_hash_abort(&operation);
return;
}
// Clean up the operation
status = psa_hash_abort(&operation);
if (status != PSA_SUCCESS) {
ESP_LOGE("fastpsk", "psa_hash_abort failed: %d", status);
return;
}
#if CONFIG_IDF_TARGET_ESP32
for (int i = 0; i < SHA1_OUTPUT_SZ_WORDS; i++) {
@@ -210,7 +260,7 @@ void fast_psk_f(const char *password, size_t password_len, const uint8_t *ssid,
/* Pad the block */
pad_blocks(&ctx->inner, SHA1_BLOCK_SZ + ssid_len + 4);
sha1_setup();
// sha1_setup();
uint32_t *pi, *po;
pi = ctx->inner.whole_words;
@@ -245,7 +295,7 @@ void fast_psk_f(const char *password, size_t password_len, const uint8_t *ssid,
}
}
sha1_teardown();
// sha1_teardown();
/* Copy the final result to the output digest */
memcpy(digest, sum, SHA1_OUTPUT_SZ);
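Review bot: sha1_op may no longer produce the same digest as before, because `psa_hash_update()` over two `SHA1_BLOCK_SZ` blocks followed by `psa_hash_finish()` appends SHA-1 padding of its own. The removed code passed the two blocks straight to `esp_sha_block()` and read back the state, and the retained comment "Pads the given HMAC block context with the appropriate SHA1 padding" suggests those blocks are already padded. If that reading is right, the PSK computed by fast_psk_f would differ from the standard PBKDF2-HMAC-SHA1 value; pad_blocks and the callers are outside the hunks, so this should be confirmed with a known-answer test on a fixed passphrase/SSID pair. The error paths also `return` with `output` unwritten from a void function, so fast_psk_f cannot tell a failed hash from a good one. The commented-out `sha1_setup`/`sha1_teardown` definitions and `esp_sha_*` calls should be deleted rather than kept as comments.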


@@ -179,7 +179,7 @@ static int set_pki_context(tls_context_t *tls, const struct tls_connection_param
ret = mbedtls_pk_parse_key(&tls->clientkey, cfg->private_key_blob, cfg->private_key_blob_len,
(const unsigned char *)cfg->private_key_passwd,
cfg->private_key_passwd ? os_strlen(cfg->private_key_passwd) : 0, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
cfg->private_key_passwd ? os_strlen(cfg->private_key_passwd) : 0);
if (ret < 0) {
wpa_printf(MSG_ERROR, "mbedtls_pk_parse_keyfile returned -0x%x", -ret);
return ret;
@@ -611,7 +611,7 @@ static int tls_create_mbedtls_handle(struct tls_connection *conn,
goto exit;
}
mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
// mbedtls_ssl_conf_rng(&tls->conf, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE);
#if defined(CONFIG_MBEDTLS_SSL_PROTO_TLS1_3) && !defined(CONFIG_TLSV13)
/* Disable TLSv1.3 even when enabled in MbedTLS and not enabled in WiFi config.
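Review bot: The `mbedtls_ssl_conf_rng(...)` call in tls_create_mbedtls_handle is commented out rather than removed, which leaves no record of where the TLS configuration now gets its randomness. If the intent is that the RNG comes from PSA, delete the line and state it in a comment such as `/* RNG is supplied by PSA; psa_crypto_init() must have succeeded before the handshake */`. The initialisation itself is not visible in the hunk, so it is worth confirming that it happens on this path. In set_pki_context the error text still names `mbedtls_pk_parse_keyfile` although the call is `mbedtls_pk_parse_key`. Both functions begin and end outside the hunks shown.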


@@ -44,6 +44,7 @@
#include "esp_crt_bundle.h"
#endif
#include "time_sync.h"
#include "esp_random.h"
/* Constants that aren't configurable in menuconfig */
#ifdef CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT
@@ -95,7 +96,7 @@ extern const uint8_t local_server_cert_pem_end[] asm("_binary_local_server_cer
static const int server_supported_ciphersuites[] = {MBEDTLS_TLS1_3_AES_256_GCM_SHA384, MBEDTLS_TLS1_3_AES_128_CCM_SHA256, 0};
static const int server_unsupported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 0};
#else
static const int server_supported_ciphersuites[] = {MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 0};
static const int server_supported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 0};
static const int server_unsupported_ciphersuites[] = {MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256, 0};
#endif // CONFIG_EXAMPLE_SSL_PROTO_TLS1_3_CLIENT
#endif // CONFIG_EXAMPLE_USING_ESP_TLS_MBEDTLS


@@ -473,6 +473,12 @@ components/mbedtls/port/include/sha1_alt.h
components/mbedtls/port/include/sha256_alt.h
components/mbedtls/port/include/sha512_alt.h
components/mbedtls/port/sha/parallel_engine/sha.c
components/nvs_flash/include/nvs_handle.hpp
components/nvs_flash/src/nvs_item_hash_list.cpp
components/nvs_flash/src/nvs_pagemanager.hpp
components/nvs_flash/src/nvs_partition_lookup.cpp
components/nvs_flash/src/nvs_partition_lookup.hpp
components/nvs_flash/src/nvs_test_api.h
components/protocomm/include/transports/protocomm_console.h
components/protocomm/include/transports/protocomm_httpd.h
components/riscv/include/riscv/csr.h