From 6b1f3c36b30c9dd5463e5ef6e4254ab1a95cc1ae Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 22 Jan 2019 13:10:13 +0000 Subject: [PATCH 1/2] Allow the use of PSA Crypto in TLS client example --- tls-client/main.cpp | 21 +++++++++++++++++++++ tls-client/mbedtls_entropy_config.h | 10 ++++++++++ 2 files changed, 31 insertions(+) diff --git a/tls-client/main.cpp b/tls-client/main.cpp index 5476c692d..bb57437ba 100644 --- a/tls-client/main.cpp +++ b/tls-client/main.cpp @@ -35,6 +35,9 @@ #include "mbed.h" #include "mbedtls/platform.h" +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "psa/crypto.h" +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #include "HelloHttpsClient.h" @@ -52,6 +55,24 @@ int main() { int exit_code = MBEDTLS_EXIT_FAILURE; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + /* + * Initialize underlying PSA Crypto implementation. + * Even if the HTTPS client doesn't make use of + * PSA-specific API, for example for setting opaque PSKs + * or opaque private keys, Mbed TLS will use PSA + * for public and symmetric key operations as well as + * hashing. + */ + psa_status_t status; + status = psa_crypto_init(); + if( status != PSA_SUCCESS ) + { + printf("psa_crypto_init() failed with %d\r\n", status ); + return MBEDTLS_EXIT_FAILURE; + } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ + if((exit_code = mbedtls_platform_setup(NULL)) != 0) { printf("Platform initialization failed with error %d\r\n", exit_code); return MBEDTLS_EXIT_FAILURE; diff --git a/tls-client/mbedtls_entropy_config.h b/tls-client/mbedtls_entropy_config.h index b5dc56fb4..d0b032e2e 100644 --- a/tls-client/mbedtls_entropy_config.h +++ b/tls-client/mbedtls_entropy_config.h 
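Review bot: The failure message in the new `#if defined(MBEDTLS_USE_PSA_CRYPTO)` block prints `status` with `%d`, but `psa_status_t` is, in the PSA Crypto headers, a fixed-width signed type (an `int32_t` typedef), so the format only matches where `int32_t` is `int` — true on the Mbed targets this example is built for, but not a portable guarantee, and a mismatched printf argument is undefined behaviour. A cast makes the call correct everywhere: `printf("psa_crypto_init() failed with %d\r\n", (int) status);`. The block comment also states that Mbed TLS will route public-key, symmetric and hash operations through PSA once the macro is set; how much of that holds depends on the Mbed TLS version vendored in this tree, which the patch does not show, so qualifying it as "where the library supports it" would keep the comment honest. main()'s body continues outside the hunk.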
@@ -36,4 +36,14 @@ #undef MBEDTLS_MPI_MAX_SIZE #define MBEDTLS_MPI_MAX_SIZE 256 +/* This macro determines whether Mbed TLS uses its own legacy crypto library + * or an implementation of the PSA Crypto API such as Mbed Crypto. + * + * To confirm the use of PSA Crypto, you may enable debugging by setting + * HELLO_HTTPS_CLIENT_DEBUG_LEVEL in HelloHttpsClient.h and look for + * PSA-related debugging output on the serial line. + * + * Uncomment this to use the PSA Crypto API. */ +//#define MBEDTLS_USE_PSA_CRYPTO + #define MBEDTLS_MPI_WINDOW_SIZE 1 From 4dc9aeb70234dc59b920c57bb5a2015655c80710 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 25 Jan 2019 12:45:05 +0000 Subject: [PATCH 2/2] Swap initializations of PSA Crypto and Mbed TLS platform As PSA Crypto is independent of Mbed TLS, `psa_crypto_init()` must eventually work standalone, and in particular not require a prior call to `mbedtls_platform_init()`. At the moment, however, it might still rely on HW drivers being initialized by `mbedtls_platform_init()`, and so the latter should be invoked before `psa_crypto_init()`. This commit changes the order of the calls accordingly. In general, the relation between of `psa_crypto_init()` and `mbedtls_platform_init()` still needs to be discussed and documented, and once that's done, the code might need revision. As it stands, however, it should work with current implementations of `psa_crypto_init()` and `mbedtls_platform_init()`. --- tls-client/main.cpp | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tls-client/main.cpp b/tls-client/main.cpp index bb57437ba..77f54fc2b 100644 --- a/tls-client/main.cpp +++ b/tls-client/main.cpp 
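Review bot: The new comment tells the reader to uncomment `MBEDTLS_USE_PSA_CRYPTO` here but does not say that the macro has to reach both the Mbed TLS library build and the application translation unit; the `psa_crypto_init()` call in main.cpp is compiled in under the same macro, so if this header is only seen by one side, either the library runs with PSA never initialized or the application initializes PSA for nothing. The file name suggests it is the project's Mbed TLS user config, but the build wiring is not visible in this patch. I would extend the comment with a line such as `* This header must be the Mbed TLS config seen by both the library and main.cpp, which calls psa_crypto_init() under the same macro.`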
@@ -55,6 +55,11 @@ int main() { int exit_code = MBEDTLS_EXIT_FAILURE; + if((exit_code = mbedtls_platform_setup(NULL)) != 0) { + printf("Platform initialization failed with error %d\r\n", exit_code); + return MBEDTLS_EXIT_FAILURE; + } + #if defined(MBEDTLS_USE_PSA_CRYPTO) /* * Initialize underlying PSA Crypto implementation. @@ -73,10 +78,6 @@ int main() } #endif /* MBEDTLS_USE_PSA_CRYPTO */ - if((exit_code = mbedtls_platform_setup(NULL)) != 0) { - printf("Platform initialization failed with error %d\r\n", exit_code); - return MBEDTLS_EXIT_FAILURE; - } /* * The default 9600 bps is too slow to print full TLS debug info and could * cause the other party to time out.
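Review bot: After this reorder, the `return MBEDTLS_EXIT_FAILURE;` on the `psa_crypto_init()` failure path now runs with `mbedtls_platform_setup()` already completed, so if main() pairs that setup with `mbedtls_platform_teardown()` on its normal exit (not visible here; main()'s body continues beyond the hunk) the teardown is skipped on this path and whatever the platform layer brought up stays initialized. If that is the case, the early return should jump to the common cleanup, or at least call `mbedtls_platform_teardown(NULL);` before returning. The commit message also records that the required order — platform setup before PSA init, because PSA may depend on HW drivers the platform layer initializes — is still undocumented; putting that rationale next to the code would stop a later tidy-up from swapping the calls back, e.g. `/* Must precede psa_crypto_init(): PSA may rely on HW drivers set up here. */` above the `mbedtls_platform_setup()` call.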