[PSA] Improve PSA crypto PAL (#26741)

Use correct type to refer to key id. Fix AES CCM encrypt/decrypt function - null arguments validation. Remove mbedtls PSA crypto condition - it isn't valid for external PSA crypto source such as TF-M. Signed-off-by: Vincent Coubard <vincent.coubard@arm.com>
project-chip · Feb 8, 2024 · 1633555 · 1633555
1 parent 0ba4e3e
commit 1633555
Showing 1 changed file with 46 additions and 21 deletions.
diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp
@@ -47,10 +47,6 @@
 #include <string.h>
 #include <type_traits>
 
-#if !defined(MBEDTLS_PSA_CRYPTO_C)
-#error "PSA crypto API not enabled in mbedTLS config"
-#endif
-
 constexpr size_t kMaxErrorStrLen = 128;
 
 // In mbedTLS 3.0.0 direct access to structure fields was replaced with using MBEDTLS_PRIVATE macro.
@@ -130,17 +126,31 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c
  status = psa_aead_set_nonce(&operation, nonce, nonce_length);
  VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
- status = psa_aead_update_ad(&operation, aad, aad_length);
- VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
+ if (aad_length != 0)
+ {
+ status = psa_aead_update_ad(&operation, aad, aad_length);
+ VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
+ }
+ else
+ {
+ ChipLogDetail(Crypto, "AES_CCM_encrypt: Using aad == null path");
+ }
 
- status = psa_aead_update(&operation, plaintext, plaintext_length, ciphertext,
- PSA_AEAD_UPDATE_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm, plaintext_length), &out_length);
- VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
+ if (plaintext_length != 0)
+ {
+ status = psa_aead_update(&operation, plaintext, plaintext_length, ciphertext,
+ PSA_AEAD_UPDATE_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm, plaintext_length), &out_length);
+ VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
- ciphertext += out_length;
+  ciphertext += out_length;
 
- status = psa_aead_finish(&operation, ciphertext, PSA_AEAD_FINISH_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm), &out_length, tag,
- tag_length, &tag_out_length);
+ status = psa_aead_finish(&operation, ciphertext, PSA_AEAD_FINISH_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm), &out_length, tag,
+ tag_length, &tag_out_length);
+ }
+ else
+ {
+ status = psa_aead_finish(&operation, nullptr, 0, &out_length, tag, tag_length, &tag_out_length);
+ }
  VerifyOrReturnError(status == PSA_SUCCESS && tag_length == tag_out_length, CHIP_ERROR_INTERNAL);
 
  return CHIP_NO_ERROR;
@@ -169,17 +179,32 @@ CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_length,
  status = psa_aead_set_nonce(&operation, nonce, nonce_length);
  VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
- status = psa_aead_update_ad(&operation, aad, aad_length);
- VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
+ if (aad_length != 0)
+ {
+ status = psa_aead_update_ad(&operation, aad, aad_length);
+ VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
+ }
+ else
+ {
+ ChipLogDetail(Crypto, "AES_CCM_decrypt: Using aad == null path");
+ }
 
- status = psa_aead_update(&operation, ciphertext, ciphertext_length, plaintext,
- PSA_AEAD_UPDATE_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm, ciphertext_length), &outLength);
- VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
+ if (ciphertext_length != 0)
+ {
+ status = psa_aead_update(&operation, ciphertext, ciphertext_length, plaintext,
+ PSA_AEAD_UPDATE_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm, ciphertext_length), &outLength);
+ VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
- plaintext += outLength;
+ plaintext += outLength;
+
+ status = psa_aead_verify(&operation, plaintext, PSA_AEAD_VERIFY_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm), &outLength, tag,
+ tag_length);
+ }
+ else
+ {
+ status = psa_aead_verify(&operation, nullptr, 0, &outLength, tag, tag_length);
+ }
 
- status = psa_aead_verify(&operation, plaintext, PSA_AEAD_VERIFY_OUTPUT_SIZE(PSA_KEY_TYPE_AES, algorithm), &outLength, tag,
- tag_length);
  VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
  return CHIP_NO_ERROR;
@@ -555,7 +580,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, co
 
  CHIP_ERROR error = CHIP_NO_ERROR;
  psa_status_t status = PSA_SUCCESS;
- mbedtls_svc_key_id_t keyId = 0;
+ psa_key_id_t keyId  = 0;
  psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 
  psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1));