[crypto] move Pskc generation to platform API (#8468)

Android.mk

@@ -257,7 +257,6 @@ LOCAL_SRC_FILES                                                  := \
     src/core/crypto/hkdf_sha256.cpp                                 \
     src/core/crypto/hmac_sha256.cpp                                 \
     src/core/crypto/mbedtls.cpp                                     \
-    src/core/crypto/pbkdf2_cmac.cpp                                 \
     src/core/crypto/sha256.cpp                                      \
     src/core/crypto/storage.cpp                                     \
     src/core/diags/factory_diags.cpp                                \

include/openthread/instance.h

@@ -53,7 +53,7 @@ extern "C" {
  * @note This number versions both OpenThread platform and user APIs.
  *
  */
-#define OPENTHREAD_API_VERSION (266)
+#define OPENTHREAD_API_VERSION (267)
 
 /**
  * @addtogroup api-instance

include/openthread/platform/crypto.h

@@ -219,6 +219,12 @@ struct otPlatCryptoEcdsaSignature
 
 typedef struct otPlatCryptoEcdsaSignature otPlatCryptoEcdsaSignature;
 
+/**
+ * Max PBKDF2 SALT length: salt prefix (6) + extended panid (8) + network name (16)
+ *
+ */
+#define OT_CRYPTO_PBDKF2_MAX_SALT_SIZE 30
+
 /**
  * Initialize the Crypto module.
  *
@@ -644,6 +650,26 @@ otError otPlatCryptoEcdsaVerify(const otPlatCryptoEcdsaPublicKey *aPublicKey,
                                 const otPlatCryptoSha256Hash     *aHash,
                                 const otPlatCryptoEcdsaSignature *aSignature);
 
+/**
+ * Perform PKCS#5 PBKDF2 using CMAC (AES-CMAC-PRF-128).
+ *
+ * @param[in]     aPassword          Password to use when generating key.
+ * @param[in]     aPasswordLen       Length of password.
+ * @param[in]     aSalt              Salt to use when generating key.
+ * @param[in]     aSaltLen           Length of salt.
+ * @param[in]     aIterationCounter  Iteration count.
+ * @param[in]     aKeyLen            Length of generated key in bytes.
+ * @param[out]    aKey               A pointer to the generated key.
+ *
+ */
+void otPlatCryptoPbkdf2GenerateKey(const uint8_t *aPassword,
+                                   uint16_t       aPasswordLen,
+                                   const uint8_t *aSalt,
+                                   uint16_t       aSaltLen,
+                                   uint32_t       aIterationCounter,
+                                   uint16_t       aKeyLen,
+                                   uint8_t       *aKey);
+
 /**
  * @}
  *

src/core/BUILD.gn

@@ -469,8 +469,6 @@ openthread_core_files = [
   "crypto/hmac_sha256.hpp",
   "crypto/mbedtls.cpp",
   "crypto/mbedtls.hpp",
-  "crypto/pbkdf2_cmac.cpp",
-  "crypto/pbkdf2_cmac.hpp",
   "crypto/sha256.cpp",
   "crypto/sha256.hpp",
   "crypto/storage.cpp",

src/core/CMakeLists.txt

@@ -124,7 +124,6 @@ set(COMMON_SOURCES
     crypto/hkdf_sha256.cpp
     crypto/hmac_sha256.cpp
     crypto/mbedtls.cpp
-    crypto/pbkdf2_cmac.cpp
     crypto/sha256.cpp
     crypto/storage.cpp
     diags/factory_diags.cpp

src/core/Makefile.am

@@ -214,7 +214,6 @@ SOURCES_COMMON                                  = \
     crypto/hkdf_sha256.cpp                        \
     crypto/hmac_sha256.cpp                        \
     crypto/mbedtls.cpp                            \
-    crypto/pbkdf2_cmac.cpp                        \
     crypto/sha256.cpp                             \
     crypto/storage.cpp                            \
     diags/factory_diags.cpp                       \
@@ -529,7 +528,6 @@ HEADERS_COMMON                                  = \
     crypto/hkdf_sha256.hpp                        \
     crypto/hmac_sha256.hpp                        \
     crypto/mbedtls.hpp                            \
-    crypto/pbkdf2_cmac.hpp                        \
     crypto/sha256.hpp                             \
     crypto/storage.hpp                            \
     diags/factory_diags.hpp                       \

src/core/crypto/crypto_platform.cpp

@@ -32,7 +32,10 @@
 
 #include "openthread-core-config.h"
 
+#include <string.h>
+
 #include <mbedtls/aes.h>
+#include <mbedtls/cmac.h>
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/ecdsa.h>
 #include <mbedtls/entropy.h>
@@ -660,3 +663,81 @@ OT_TOOL_WEAK otError otPlatCryptoEcdsaVerify(const otPlatCryptoEcdsaPublicKey *a
 #endif // #if !OPENTHREAD_RADIO
 
 #endif // #if OPENTHREAD_CONFIG_CRYPTO_LIB == OPENTHREAD_CONFIG_CRYPTO_LIB_MBEDTLS
+
+//---------------------------------------------------------------------------------------------------------------------
+// APIs to be used in "hybrid" mode by every OPENTHREAD_CONFIG_CRYPTO_LIB variant until full PSA support is ready
+
+#if OPENTHREAD_FTD
+
+OT_TOOL_WEAK void otPlatCryptoPbkdf2GenerateKey(const uint8_t *aPassword,
+                                                uint16_t       aPasswordLen,
+                                                const uint8_t *aSalt,
+                                                uint16_t       aSaltLen,
+                                                uint32_t       aIterationCounter,
+                                                uint16_t       aKeyLen,
+                                                uint8_t       *aKey)
+{
+    const size_t kBlockSize = MBEDTLS_CIPHER_BLKSIZE_MAX;
+    uint8_t      prfInput[OT_CRYPTO_PBDKF2_MAX_SALT_SIZE + 4]; // Salt || INT(), for U1 calculation
+    long         prfOne[kBlockSize / sizeof(long)];
+    long         prfTwo[kBlockSize / sizeof(long)];
+    long         keyBlock[kBlockSize / sizeof(long)];
+    uint32_t     blockCounter = 0;
+    uint8_t     *key          = aKey;
+    uint16_t     keyLen       = aKeyLen;
+    uint16_t     useLen       = 0;
+
+    OT_ASSERT(aSaltLen <= sizeof(prfInput));
+    memcpy(prfInput, aSalt, aSaltLen);
+    OT_ASSERT(aIterationCounter % 2 == 0);
+    aIterationCounter /= 2;
+
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+    // limit iterations to avoid OSS-Fuzz timeouts
+    aIterationCounter = 2;
+#endif
+
+    while (keyLen)
+    {
+        ++blockCounter;
+        prfInput[aSaltLen + 0] = static_cast<uint8_t>(blockCounter >> 24);
+        prfInput[aSaltLen + 1] = static_cast<uint8_t>(blockCounter >> 16);
+        prfInput[aSaltLen + 2] = static_cast<uint8_t>(blockCounter >> 8);
+        prfInput[aSaltLen + 3] = static_cast<uint8_t>(blockCounter);
+
+        // Calculate U_1
+        mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, prfInput, aSaltLen + 4,
+                                 reinterpret_cast<uint8_t *>(keyBlock));
+
+        // Calculate U_2
+        mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, reinterpret_cast<const uint8_t *>(keyBlock), kBlockSize,
+                                 reinterpret_cast<uint8_t *>(prfOne));
+
+        for (uint32_t j = 0; j < kBlockSize / sizeof(long); ++j)
+        {
+            keyBlock[j] ^= prfOne[j];
+        }
+
+        for (uint32_t i = 1; i < aIterationCounter; ++i)
+        {
+            // Calculate U_{2 * i - 1}
+            mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, reinterpret_cast<const uint8_t *>(prfOne), kBlockSize,
+                                     reinterpret_cast<uint8_t *>(prfTwo));
+            // Calculate U_{2 * i}
+            mbedtls_aes_cmac_prf_128(aPassword, aPasswordLen, reinterpret_cast<const uint8_t *>(prfTwo), kBlockSize,
+                                     reinterpret_cast<uint8_t *>(prfOne));
+
+            for (uint32_t j = 0; j < kBlockSize / sizeof(long); ++j)
+            {
+                keyBlock[j] ^= prfOne[j] ^ prfTwo[j];
+            }
+        }
+
+        useLen = (keyLen < kBlockSize) ? keyLen : kBlockSize;
+        memcpy(key, keyBlock, useLen);
+        key += useLen;
+        keyLen -= useLen;
+    }
+}
+
+#endif // #if OPENTHREAD_FTD