From a088a0f7cd542230d92970b7f0915867a29db7aa Mon Sep 17 00:00:00 2001 From: LizzieDE Date: Mon, 4 Mar 2024 14:36:49 +0100 Subject: [PATCH 1/4] Add work about atecc608a --- .gitignore | 6 +++ CMakeLists.txt | 27 ++++++++++++- crypto.c | 103 ++++++++++++++++++++++++++++++++++++++++++++++++- crypto.h | 31 +++++++++++++++ dtls.c | 41 +++++++++++++++----- dtls.h | 19 +++++++++ 6 files changed, 214 insertions(+), 13 deletions(-) diff --git a/.gitignore b/.gitignore index 3a2c53e5..b520491f 100644 --- a/.gitignore +++ b/.gitignore @@ -91,3 +91,9 @@ CMakeFiles tinydtls.dir Debug Release + +compile_commands.json + +.cache/ + +libtinydtls.so* diff --git a/CMakeLists.txt b/CMakeLists.txt index 551282f1..03023577 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -25,8 +25,25 @@ project(tinydtls) include (AutoConf.cmake) +set(CMAKE_EXPORT_COMPILE_COMMANDS ON) + +# Include the toolchain file +if (CMAKE_SYSTEM_NAME STREQUAL "Generic" AND CMAKE_SYSTEM_PROCESSOR STREQUAL "arm") + set(CMAKE_SYSTEM_NAME Generic) + set(CMAKE_SYSTEM_PROCESSOR arm) + + set(CMAKE_C_COMPILER arm-none-eabi-gcc) + set(CMAKE_CXX_COMPILER arm-none-eabi-g++) + set(CMAKE_ASM_COMPILER arm-none-eabi-gcc) + set(CMAKE_OBJCOPY arm-none-eabi-objcopy) + + set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER) + set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY) + set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY) +endif() + if(NOT ZEPHYR_BASE) - option(BUILD_SHARED_LIBS "Link using shared libs" OFF) + option(BUILD_SHARED_LIBS "Link using shared libs" ON) else() # provided by the zephyr build system endif() @@ -72,8 +89,14 @@ target_sources(tinydtls PRIVATE sha2/sha2.c ecc/ecc.c) -target_include_directories(tinydtls PUBLIC ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR}) +set(CMAKE_CRYPTOAUTHLIB_PATH "/usr/include/cryptoauthlib") + +# Link cryptoauthlib to your project +target_link_libraries(tinydtls cryptoauth) +target_include_directories(tinydtls PUBLIC ${CMAKE_CURRENT_SOURCE_DIR} ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CRYPTOAUTHLIB_PATH} ${CMAKE_PLATFORM_SPE}) target_compile_definitions(tinydtls PUBLIC DTLSv12 WITH_SHA256 SHA2_USE_INTTYPES_H DTLS_CHECK_CONTENTTYPE) +# Add the preprocessor definition +target_compile_definitions(tinydtls PRIVATE DTLS_ATECC608A) if(CMAKE_GENERATOR MATCHES "Visual Studio") option(CMAKE_WINDOWS_EXPORT_ALL_SYMBOLS "Export all symbols when compiling to a .dll" ON) diff --git a/crypto.c b/crypto.c index 1937681d..41222196 100644 --- a/crypto.c +++ b/crypto.c @@ -15,10 +15,13 @@ * *******************************************************************************/ +#include #include #include "tinydtls.h" - +#ifdef DTLS_ATECC608A +#include "cryptoauthlib.h" +#endif #ifdef HAVE_ASSERT_H #include #else @@ -74,9 +77,11 @@ static void dtls_cipher_context_release(void) } #if !(defined (WITH_CONTIKI)) && !(defined (RIOT_VERSION)) +#ifndef DTLS_ATECC608A void crypto_init(void) { } +#endif static dtls_handshake_parameters_t *dtls_handshake_malloc(void) { return malloc(sizeof(dtls_handshake_parameters_t)); @@ -121,11 +126,32 @@ static void dtls_security_dealloc(dtls_security_parameters_t *security) { } #elif defined (RIOT_VERSION) - +#ifndef DTLS_ATECC608A void crypto_init(void) { memarray_init(&handshake_storage, handshake_storage_data, sizeof(dtls_handshake_parameters_t), DTLS_HANDSHAKE_MAX); memarray_init(&security_storage, security_storage_data, sizeof(dtls_security_parameters_t), DTLS_SECURITY_MAX); } +#else +static ATCAIfaceCfg atecc608a; + +void crypto_init(ATCAIfaceCfg *config) +{ + printf("Using ATECC608A\n"); + memarray_init(&handshake_storage, handshake_storage_data, sizeof(dtls_handshake_parameters_t), DTLS_HANDSHAKE_MAX); + memarray_init(&security_storage, security_storage_data, sizeof(dtls_security_parameters_t), DTLS_SECURITY_MAX); + atecc608a = *config; + ATCA_STATUS status = atcab_init(config); + if (status != ATCA_SUCCESS) + { + dtls_alert("atcab_init failed with ret=0x%08x\n", status); + return; + } + else + { + dtls_alert("atcab_init success\n"); + } +} +#endif /* DTLS_ATECC608A */ static dtls_handshake_parameters_t *dtls_handshake_malloc(void) { return memarray_alloc(&handshake_storage); @@ -438,6 +464,18 @@ int dtls_ecdh_pre_master_secret(unsigned char *priv_key, size_t key_size, unsigned char *result, size_t result_len) { +#if defined (DTLS_ATECC608A) + (void)result_len; + (void)priv_key; + unsigned char pub_key[2 * ATCA_KEY_SIZE]; + memcpy(pub_key, pub_key_x, ATCA_KEY_SIZE); + memcpy(pub_key + ATCA_KEY_SIZE, pub_key_y, ATCA_KEY_SIZE); + ATCA_STATUS status = atcab_ecdh(ecdhe_slot_id, pub_key, result); + if (status != ATCA_SUCCESS) { + dtls_alert("Failed to generate pre-master secret\n"); + return -1; + } +#else uint32_t priv[8]; uint32_t pub_x[8]; uint32_t pub_y[8]; @@ -456,6 +494,7 @@ int dtls_ecdh_pre_master_secret(unsigned char *priv_key, ecc_ecdh(pub_x, pub_y, priv, result_x, result_y); dtls_ec_key_from_uint32(result_x, key_size, result); +#endif /* DTLS_ATECC608A */ return key_size; } @@ -464,6 +503,22 @@ dtls_ecdsa_generate_key(unsigned char *priv_key, unsigned char *pub_key_x, unsigned char *pub_key_y, size_t key_size) { +#if defined (DTLS_ATECC608A) + // priv_key et key_size are not used in ATECC608A + (void)priv_key; + (void)key_size; + + unsigned char pub_key[2 * key_size]; + ATCA_STATUS status = atcab_genkey(ecdhe_slot_id, pub_key); + if (status != ATCA_SUCCESS) { + dtls_crit("Failed to generate key\n"); + } + else + { + memcpy(pub_key_x, pub_key, key_size); + memcpy(pub_key_y, pub_key + key_size, key_size); + } +#else uint32_t priv[8]; uint32_t pub_x[8]; uint32_t pub_y[8]; @@ -477,6 +532,7 @@ dtls_ecdsa_generate_key(unsigned char *priv_key, dtls_ec_key_from_uint32(priv, key_size, priv_key); dtls_ec_key_from_uint32(pub_x, key_size, pub_key_x); dtls_ec_key_from_uint32(pub_y, key_size, pub_key_y); +#endif /* DTLS_ATECC608A */ } /* rfc4492#section-5.4 */ @@ -484,6 +540,22 @@ void dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size, const unsigned char *sign_hash, size_t sign_hash_size, uint32_t point_r[9], uint32_t point_s[9]) { +#if defined (DTLS_ATECC608A) + (void)sign_hash_size; + (void)priv_key; + ATCA_STATUS status; + unsigned char signature[2*key_size]; + + status = atcab_sign(ecc_slot_id, sign_hash, signature); + if (status != ATCA_SUCCESS) { + dtls_crit("Failed to sign hash\n"); + } + else + { + dtls_ec_key_to_uint32(signature, key_size, point_r); + dtls_ec_key_to_uint32(signature + key_size, key_size, point_s); + } +#else int ret; uint32_t priv[8]; uint32_t hash[8]; @@ -495,6 +567,7 @@ dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size, dtls_prng((unsigned char *)randv, key_size); ret = ecc_ecdsa_sign(priv, hash, randv, point_r, point_s); } while (ret); +#endif /* DTLS_ATECC608A */ } void @@ -522,6 +595,31 @@ dtls_ecdsa_verify_sig_hash(const unsigned char *pub_key_x, const unsigned char *pub_key_y, size_t key_size, const unsigned char *sign_hash, size_t sign_hash_size, unsigned char *result_r, unsigned char *result_s) { +#if defined (DTLS_ATECC608A) + (void)sign_hash_size; + unsigned char pub_key[2 * key_size]; + memcpy(pub_key, pub_key_x, key_size); + memcpy(pub_key + key_size, pub_key_y, key_size); + unsigned char signature[2 * key_size]; + memcpy(signature, result_r, key_size); + memcpy(signature + key_size, result_s, key_size); + + int is_verified = 0; + + ATCA_STATUS status = atcab_verify_extern(sign_hash, signature, pub_key, (bool*)&is_verified); + if (status != ATCA_SUCCESS) { + dtls_alert("Failed to verify signature : %x\n", status); + is_verified = -1; + } + else + { + if (is_verified == 0) { + dtls_alert("Signature is not verified\n"); + is_verified = -1; + } + } + return is_verified; +#else uint32_t pub_x[8]; uint32_t pub_y[8]; uint32_t hash[8]; @@ -535,6 +633,7 @@ dtls_ecdsa_verify_sig_hash(const unsigned char *pub_key_x, dtls_ec_key_to_uint32(sign_hash, sign_hash_size, hash); return ecc_ecdsa_validate(pub_x, pub_y, hash, point_r, point_s); +#endif /* DTLS_ATECC608A */ } int diff --git a/crypto.h b/crypto.h index 53547589..7d6c72e5 100644 --- a/crypto.h +++ b/crypto.h @@ -30,6 +30,10 @@ #include "hmac.h" #include "ccm.h" +#ifdef DTLS_ATECC608A +#include "cryptoauthlib.h" +#endif /* ATECC608A */ + /* TLS_PSK_WITH_AES_128_CCM_8 */ #define DTLS_MAC_KEY_LENGTH 0 #define DTLS_KEY_LENGTH 16 /* AES-128 */ @@ -220,6 +224,28 @@ typedef struct { /* just for consistency */ #define dtls_kb_digest_size(Param, Role) DTLS_MAC_LENGTH +#ifdef DTLS_ATECC608A +/** + * @brief Slot id used to perform ECDHE operation. + * Due to the last 'E', the operation is performed with + * ephemeral keys that must be generated and stored in the + * the current slot. + * I advise to use slot configured as follows: + * - SlotConfig[slot_id] = 0x2087 + * - KeyConfig[slot_id] = 0x0013 + * @warning Slot ID must be different from ecc_slot_id. + */ +static uint8_t ecdhe_slot_id; + +/** + * @brief Slot id used to perform ECDSA operation. + * This slot must contains the private key used to sign the + * message. The associated public key is used to verify the signature. + * @warning Slot ID must be different from ecdhe_slot_id. + */ +static uint8_t ecc_slot_id; +#endif + /** * Expands the secret and key to a block of DTLS_HMAC_MAX * size according to the algorithm specified in section 5 of @@ -467,7 +493,12 @@ void dtls_handshake_free(dtls_handshake_parameters_t *handshake); dtls_security_parameters_t *dtls_security_new(void); void dtls_security_free(dtls_security_parameters_t *security); + +#ifndef DTLS_ATECC608A void crypto_init(void); +#else +void crypto_init(ATCAIfaceCfg *config); +#endif /* ATECC608A */ #endif /* _DTLS_CRYPTO_H_ */ diff --git a/dtls.c b/dtls.c index 33b352f4..12dadaef 100644 --- a/dtls.c +++ b/dtls.c @@ -324,6 +324,7 @@ free_context(dtls_context_t *context) { #endif /* WITH_POSIX */ +#ifndef DTLS_ATECC608A void dtls_init(void) { dtls_clock_init(); @@ -331,12 +332,32 @@ dtls_init(void) { netq_init(); peer_init(); +#ifdef RIOT_VERSION +memarray_init(&dtlscontext_storage, dtlscontext_storage_data, + sizeof(dtls_context_t), DTLS_CONTEXT_MAX); +#endif /* RIOT_VERSION */ +} +#else +void dtls_init(ATCAIfaceCfg *cfg) +{ + dtls_clock_init(); + crypto_init(cfg); + netq_init(); + peer_init(); + #ifdef RIOT_VERSION memarray_init(&dtlscontext_storage, dtlscontext_storage_data, sizeof(dtls_context_t), DTLS_CONTEXT_MAX); #endif /* RIOT_VERSION */ } +void dtls_set_slot_id(uint8_t ecc_slot, uint8_t ecdhe_slot) +{ + ecdhe_slot_id = ecdhe_slot; + ecc_slot_id = ecc_slot; +} +#endif /* DTLS_ATECC608A */ + /* Calls cb_alert() with given arguments if defined, otherwise an * error message is logged and the result is -1. This is just an * internal helper. @@ -653,7 +674,6 @@ static const dtls_user_parameters_t default_user_parameters = { { #ifdef DTLS_ECC TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, - TLS_ECDHE_ECDSA_WITH_AES_128_CCM, #endif /* DTLS_ECC */ #ifdef DTLS_PSK TLS_PSK_WITH_AES_128_CCM_8, @@ -695,7 +715,6 @@ static const struct cipher_suite_param_t cipher_suite_params[] = { #endif /* DTLS_PSK */ #ifdef DTLS_ECC { TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, 8, DTLS_KEY_EXCHANGE_ECDHE_ECDSA }, - { TLS_ECDHE_ECDSA_WITH_AES_128_CCM, 16, DTLS_KEY_EXCHANGE_ECDHE_ECDSA }, #endif /* DTLS_ECC */ }; @@ -2432,15 +2451,15 @@ check_client_certificate_verify(dtls_context_t *ctx, copy_hs_hash(peer, &hs_hash); dtls_hash_finalize(sha256hash, &hs_hash); - + ret = dtls_ecdsa_verify_sig_hash(config->keyx.ecdsa.other_pub_x, config->keyx.ecdsa.other_pub_y, sizeof(config->keyx.ecdsa.other_pub_x), sha256hash, sizeof(sha256hash), result_r, result_s); - + if (ret < 0) { - dtls_alert("wrong signature err: %i\n", ret); + dtls_alert("check_client_certificate_verify : wrong signature err: %i\n", ret); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } return 0; @@ -2962,7 +2981,7 @@ dtls_send_client_key_exchange(dtls_context_t *ctx, dtls_peer_t *peer) p += DTLS_EC_KEY_SIZE; ephemeral_pub_y = p; p += DTLS_EC_KEY_SIZE; - + dtls_ecdsa_generate_key(peer->handshake_params->keyx.ecdsa.own_eph_priv, ephemeral_pub_x, ephemeral_pub_y, DTLS_EC_KEY_SIZE); @@ -3419,10 +3438,14 @@ check_server_certificate(dtls_context_t *ctx, config->keyx.ecdsa.other_pub_x, config->keyx.ecdsa.other_pub_y, sizeof(config->keyx.ecdsa.other_pub_x)); + if (err < 0) { dtls_warn("The certificate was not accepted\n"); return err; } + else { + dtls_debug("The certificate was accepted\n"); + } return 0; } @@ -3458,14 +3481,14 @@ check_server_key_exchange_ecdsa(dtls_context_t *ctx, key_params = data; if (dtls_uint8_to_int(data) != TLS_EC_CURVE_TYPE_NAMED_CURVE) { - dtls_alert("Only named curves supported\n"); + dtls_alert("Only named curves supported : %d\n", dtls_uint8_to_int(data)); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } data += sizeof(uint8); data_length -= sizeof(uint8); if (dtls_uint16_to_int(data) != TLS_EXT_ELLIPTIC_CURVES_SECP256R1) { - dtls_alert("secp256r1 supported\n"); + dtls_alert("secp256r1 supported : %d\n", dtls_uint16_to_int(data)); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } data += sizeof(uint16); @@ -3509,7 +3532,7 @@ check_server_key_exchange_ecdsa(dtls_context_t *ctx, result_r, result_s); if (ret < 0) { - dtls_alert("wrong signature\n"); + dtls_alert("check_server_key_exchange_ecdsa : wrong signature\n"); return dtls_alert_fatal_create(DTLS_ALERT_HANDSHAKE_FAILURE); } return 0; diff --git a/dtls.h b/dtls.h index 05f3385c..344f0dbb 100644 --- a/dtls.h +++ b/dtls.h @@ -40,6 +40,10 @@ #include "global.h" #include "dtls_time.h" +#ifdef DTLS_ATECC608A +#include "cryptoauthlib.h" +#endif /* ATECC608A */ + #ifndef DTLSv12 #define DTLS_VERSION 0xfeff /* DTLS v1.1 */ #else @@ -244,8 +248,23 @@ typedef struct dtls_context_t { * This function initializes the tinyDTLS memory management and must * be called first. */ +#ifndef DTLS_ATECC608A void dtls_init(void); +#else +void dtls_init(ATCAIfaceCfg *cfg); + +/** + * @brief Set the slot id used to perform ECDHE operation. + * @warning Slot ID must be different. + * @param ecc_slot Slot ID used to perform ECDSA operation. + * @param ecdhe_slot Slot ID used to perform ECDHE operation. + */ +void dtls_set_slot_id(uint8_t ecc_slot, uint8_t ecdhe_slot); + +void dtls_test_ATECC608A(void); +#endif /* ATECC608A */ + /** * Creates a new context object. The storage allocated for the new * object must be released with dtls_free_context(). */ From 6200a192ad0e0c190337268424b1580c76080f57 Mon Sep 17 00:00:00 2001 From: LizzieDE Date: Mon, 4 Mar 2024 16:48:49 +0100 Subject: [PATCH 2/4] Change slot id declaration (handshake working) --- crypto.c | 5 +++++ crypto.h | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/crypto.c b/crypto.c index 41222196..17601999 100644 --- a/crypto.c +++ b/crypto.c @@ -59,6 +59,11 @@ memarray_t security_storage; #endif /* RIOT_VERSION */ +#ifdef DTLS_ATECC608A +uint8_t ecdhe_slot_id; +uint8_t ecc_slot_id; +#endif + #define HMAC_UPDATE_SEED(Context,Seed,Length) \ if (Seed) dtls_hmac_update(Context, (Seed), (Length)) diff --git a/crypto.h b/crypto.h index 7d6c72e5..a00be0fd 100644 --- a/crypto.h +++ b/crypto.h @@ -235,7 +235,7 @@ typedef struct { * - KeyConfig[slot_id] = 0x0013 * @warning Slot ID must be different from ecc_slot_id. */ -static uint8_t ecdhe_slot_id; +extern uint8_t ecdhe_slot_id; /** * @brief Slot id used to perform ECDSA operation. @@ -243,7 +243,7 @@ static uint8_t ecdhe_slot_id; * message. The associated public key is used to verify the signature. * @warning Slot ID must be different from ecdhe_slot_id. */ -static uint8_t ecc_slot_id; +extern uint8_t ecc_slot_id; #endif /** From bf44103dc19e12ba3c2271e3c4cd003813c85427 Mon Sep 17 00:00:00 2001 From: LizzieDE Date: Tue, 5 Mar 2024 08:46:51 +0100 Subject: [PATCH 3/4] Update comment of slot id variables --- crypto.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/crypto.h b/crypto.h index a00be0fd..6c48c9f6 100644 --- a/crypto.h +++ b/crypto.h @@ -233,6 +233,8 @@ typedef struct { * I advise to use slot configured as follows: * - SlotConfig[slot_id] = 0x2087 * - KeyConfig[slot_id] = 0x0013 + * When using test_ecc608_configdata of cryptoauthlib tests, + * it corresponds to slot 2. * @warning Slot ID must be different from ecc_slot_id. */ extern uint8_t ecdhe_slot_id; @@ -241,6 +243,8 @@ extern uint8_t ecdhe_slot_id; * @brief Slot id used to perform ECDSA operation. * This slot must contains the private key used to sign the * message. The associated public key is used to verify the signature. + * When using test_ecc608_configdata of cryptoauthlib tests, + * you can use slot 7. * @warning Slot ID must be different from ecdhe_slot_id. */ extern uint8_t ecc_slot_id; From fce833e2ec9b09c92ce3a70c78b4f28790903b5f Mon Sep 17 00:00:00 2001 From: LizzieDE Date: Mon, 18 Mar 2024 17:07:35 +0100 Subject: [PATCH 4/4] Change storage of slot ID and add possibility to use many many slot for ecdhe key generation --- crypto.c | 38 +++++++++++++++++++++++++++++++------- crypto.h | 34 ++++++++++++++++------------------ dtls.c | 12 +++++++++--- dtls.h | 7 +++---- 4 files changed, 59 insertions(+), 32 deletions(-) diff --git a/crypto.c b/crypto.c index 17601999..a614651c 100644 --- a/crypto.c +++ b/crypto.c @@ -60,8 +60,8 @@ memarray_t security_storage; #endif /* RIOT_VERSION */ #ifdef DTLS_ATECC608A -uint8_t ecdhe_slot_id; -uint8_t ecc_slot_id; +ecdhe_slot_id_t *ecdhe_slots_id; +uint8_t ecdhe_nb_slots; #endif #define HMAC_UPDATE_SEED(Context,Seed,Length) \ @@ -475,7 +475,7 @@ int dtls_ecdh_pre_master_secret(unsigned char *priv_key, unsigned char pub_key[2 * ATCA_KEY_SIZE]; memcpy(pub_key, pub_key_x, ATCA_KEY_SIZE); memcpy(pub_key + ATCA_KEY_SIZE, pub_key_y, ATCA_KEY_SIZE); - ATCA_STATUS status = atcab_ecdh(ecdhe_slot_id, pub_key, result); + ATCA_STATUS status = atcab_ecdh(priv_key[1], pub_key, result); if (status != ATCA_SUCCESS) { dtls_alert("Failed to generate pre-master secret\n"); return -1; @@ -503,23 +503,47 @@ int dtls_ecdh_pre_master_secret(unsigned char *priv_key, return key_size; } +#ifdef DTLS_ATECC608A +static ecdhe_slot_id_t get_ecdhe_slot_id(void) +{ + for (int i = 0 ; i < ecdhe_nb_slots ; i++) + { + if (!(ecdhe_slots_id[i].usage)) + { + ecdhe_slots_id[i].usage = 1; + return ecdhe_slots_id[i]; + } + } + // No slot available + dtls_crit("No slot available\n"); + ecdhe_slot_id_t slot_id = {0, 0}; + return slot_id; +} +#endif + void dtls_ecdsa_generate_key(unsigned char *priv_key, unsigned char *pub_key_x, unsigned char *pub_key_y, size_t key_size) { #if defined (DTLS_ATECC608A) - // priv_key et key_size are not used in ATECC608A - (void)priv_key; + // We fill the private key with the slot id (void)key_size; + ecdhe_slot_id_t slot_id = get_ecdhe_slot_id(); + if (!slot_id.usage) + { + dtls_crit("No slot available\n"); + return; + } unsigned char pub_key[2 * key_size]; - ATCA_STATUS status = atcab_genkey(ecdhe_slot_id, pub_key); + ATCA_STATUS status = atcab_genkey(slot_id.slot, pub_key); if (status != ATCA_SUCCESS) { dtls_crit("Failed to generate key\n"); } else { + memcpy(priv_key + 1, &(slot_id.slot), 1); memcpy(pub_key_x, pub_key, key_size); memcpy(pub_key_y, pub_key + key_size, key_size); } @@ -551,7 +575,7 @@ dtls_ecdsa_create_sig_hash(const unsigned char *priv_key, size_t key_size, ATCA_STATUS status; unsigned char signature[2*key_size]; - status = atcab_sign(ecc_slot_id, sign_hash, signature); + status = atcab_sign(priv_key[1], sign_hash, signature); if (status != ATCA_SUCCESS) { dtls_crit("Failed to sign hash\n"); } diff --git a/crypto.h b/crypto.h index 6c48c9f6..1179e944 100644 --- a/crypto.h +++ b/crypto.h @@ -226,28 +226,26 @@ typedef struct { #ifdef DTLS_ATECC608A /** - * @brief Slot id used to perform ECDHE operation. - * Due to the last 'E', the operation is performed with - * ephemeral keys that must be generated and stored in the - * the current slot. - * I advise to use slot configured as follows: - * - SlotConfig[slot_id] = 0x2087 - * - KeyConfig[slot_id] = 0x0013 - * When using test_ecc608_configdata of cryptoauthlib tests, - * it corresponds to slot 2. - * @warning Slot ID must be different from ecc_slot_id. + * @brief Structure used to store if a slot is already used by ECDHE operation or not. + * + */ +typedef struct +{ + bool usage; + uint8_t slot; +} ecdhe_slot_id_t; + +/** + * @brief List of slots used to perform ECDHE operation. + * */ -extern uint8_t ecdhe_slot_id; +extern ecdhe_slot_id_t *ecdhe_slots_id; /** - * @brief Slot id used to perform ECDSA operation. - * This slot must contains the private key used to sign the - * message. The associated public key is used to verify the signature. - * When using test_ecc608_configdata of cryptoauthlib tests, - * you can use slot 7. - * @warning Slot ID must be different from ecdhe_slot_id. + * @brief Number of slots capable to perform ECDHE operation. + * */ -extern uint8_t ecc_slot_id; +extern uint8_t ecdhe_nb_slots; #endif /** diff --git a/dtls.c b/dtls.c index 12dadaef..76ecdc5f 100644 --- a/dtls.c +++ b/dtls.c @@ -22,6 +22,7 @@ #include #include +#include #ifdef HAVE_ASSERT_H #include #endif @@ -351,10 +352,15 @@ memarray_init(&dtlscontext_storage, dtlscontext_storage_data, #endif /* RIOT_VERSION */ } -void dtls_set_slot_id(uint8_t ecc_slot, uint8_t ecdhe_slot) +void dtls_set_ecdhe_slots_id(uint8_t *ecdhe_slot, uint8_t nb_slots) { - ecdhe_slot_id = ecdhe_slot; - ecc_slot_id = ecc_slot; + ecdhe_slots_id = (ecdhe_slot_id_t*)malloc(nb_slots * sizeof(ecdhe_slot_id_t)); + for (int i = 0; i < nb_slots; i++) + { + ecdhe_slots_id[i].slot = ecdhe_slot[i]; + ecdhe_slots_id[i].usage = false; + } + ecdhe_nb_slots = nb_slots; } #endif /* DTLS_ATECC608A */ diff --git a/dtls.h b/dtls.h index 344f0dbb..e2e54b68 100644 --- a/dtls.h +++ b/dtls.h @@ -256,11 +256,10 @@ void dtls_init(ATCAIfaceCfg *cfg); /** * @brief Set the slot id used to perform ECDHE operation. - * @warning Slot ID must be different. - * @param ecc_slot Slot ID used to perform ECDSA operation. - * @param ecdhe_slot Slot ID used to perform ECDHE operation. + * @param ecdhe_slot List of slot ID used to perform ECDSA operation. + * @param nb_slots Number of available slots. */ -void dtls_set_slot_id(uint8_t ecc_slot, uint8_t ecdhe_slot); +void dtls_set_ecdhe_slots_id(uint8_t *ecdhe_slot, uint8_t nb_slots); void dtls_test_ATECC608A(void); #endif /* ATECC608A */