net: tls_credentials: credential_digest

Adds an internal credential_digest for generating a string digest of credentials. Such digests would allow users of a prospective TLS credentials shell to verify the contents of a given credential without directly accessing those contents. Offloading the digest process to the underlying backend allows backends for which private portions are not directly accessible to be eventually supported. Signed-off-by: Georges Oates_Larsen <[email protected]>
zephyrproject-rtos · Oct 26, 2023 · 5d4e9a0 · 5d4e9a0
1 parent 88b05b3
commit 5d4e9a0
Show file tree

Hide file tree

Showing 6 changed files with 143 additions and 1 deletion.
diff --git a/subsys/net/lib/tls_credentials/CMakeLists.txt b/subsys/net/lib/tls_credentials/CMakeLists.txt
@@ -1,9 +1,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 zephyr_include_directories(.)
+
 zephyr_sources_ifdef(CONFIG_TLS_CREDENTIALS_BACKEND_VOLATILE
   tls_credentials.c
+  tls_credentials_digest_raw.c
 )
 zephyr_sources_ifdef(CONFIG_TLS_CREDENTIALS_BACKEND_PROTECTED_STORAGE
   tls_credentials_trusted.c
+  tls_credentials_digest_raw.c
 )
diff --git a/subsys/net/lib/tls_credentials/tls_credentials.c b/subsys/net/lib/tls_credentials/tls_credentials.c
@@ -9,6 +9,7 @@
 #include <zephyr/kernel.h>
 
 #include "tls_internal.h"
+#include "tls_credentials_digest_raw.h"
 
 /* Global pool of credentials shared among TLS contexts. */
 static struct tls_credential credentials[CONFIG_TLS_MAX_CREDENTIALS_NUMBER];
@@ -74,6 +75,11 @@ struct tls_credential *credential_next_get(sec_tag_t tag,
 	return NULL;
 }
 
+int credential_digest(struct tls_credential *credential, void *dest, size_t *len)
+{
+	return credential_digest_raw(credential, dest, len);
+}
+
 void credentials_lock(void)
 {
 	k_mutex_lock(&credential_lock, K_FOREVER);

diff --git a/subsys/net/lib/tls_credentials/tls_credentials_digest_raw.c b/subsys/net/lib/tls_credentials/tls_credentials_digest_raw.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 2023 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+
+/* This file provides an (internal-use-only) credential digest function that backends storing
+ * raw credentials can use.
+ */
+
+#include <string.h>
+
+#include <zephyr/init.h>
+#include <zephyr/kernel.h>
+#include "tls_internal.h"
+#include "tls_credentials_digest_raw.h"
+
+/* Grab mbedTLS headers if they are available so that we can check whether SHA256 is supported */
+
+#if defined(CONFIG_MBEDTLS)
+#if !defined(CONFIG_MBEDTLS_CFG_FILE)
+#include "mbedtls/config.h"
+#else
+#include CONFIG_MBEDTLS_CFG_FILE
+#endif /* CONFIG_MBEDTLS_CFG_FILE */
+#endif /* CONFIG_MBEDTLS */
+
+#if defined(CONFIG_TINYCRYPT_SHA256) && defined(CONFIG_BASE64)
+
+#include <tinycrypt/sha256.h>
+#include <zephyr/sys/base64.h>
+
+struct tc_sha256_state_struct sha_state;
+uint8_t digest_buf[TC_SHA256_DIGEST_SIZE];
+
+int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len)
+{
+	int err = 0;
+	size_t written = 0;
+
+	/* Compute digest. */
+	(void)tc_sha256_init(&sha_state);
+	(void)tc_sha256_update(&sha_state, credential->buf, credential->len);
+	(void)tc_sha256_final(digest_buf, &sha_state);
+
+	/* Attempt to encode digest to destination.
+	 * Will return -ENOMEM if there is not enough space in the destination buffer.
+	 */
+	err = base64_encode(dest, *len, &written, digest_buf, sizeof(digest_buf));
+	*len = err ? 0 : written;
+
+	/* Clean up. */
+	memset(&sha_state, 0, sizeof(sha_state));
+	memset(digest_buf, 0, sizeof(digest_buf));
+	return err;
+}
+
+#elif defined(MBEDTLS_SHA256_C) && defined(CONFIG_BASE64)
+
+#include <mbedtls/sha256.h>
+#include <zephyr/sys/base64.h>
+
+uint8_t digest_buf[32];
+
+int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len)
+{
+	int err = 0;
+	size_t written = 0;
+
+	/* Compute digest. The '0' indicates to mbedtls to use SHA256 instead of 224. */
+	mbedtls_sha256(credential->buf, credential->len, digest_buf, 0);
+
+	/* Attempt to encode digest to destination.
+	 * Will return -ENOMEM if there is not enough space in the destination buffer.
+	 */
+	err = base64_encode(dest, *len, &written, digest_buf, sizeof(digest_buf));
+	*len = err ? 0 : written;
+
+	/* Clean up. */
+	memset(digest_buf, 0, sizeof(digest_buf));
+
+	return err;
+}
+
+#else
+
+int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len)
+{
+	*len = 0;
+	return -ENOTSUP;
+}
+
+#endif
diff --git a/subsys/net/lib/tls_credentials/tls_credentials_digest_raw.h b/subsys/net/lib/tls_credentials/tls_credentials_digest_raw.h
@@ -0,0 +1,20 @@
+/*
+ * Copyright (c) 2023 Nordic Semiconductor ASA
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+/** @file
+ * @brief Internal helper function for generating digests for raw credentials.
+ */
+
+#ifndef __TLS_DIGEST_RAW_H
+#define __TLS_DIGEST_RAW_H
+
+#include <zephyr/net/tls_credentials.h>
+#include "tls_internal.h"
+
+/* Common version of credential_digest that raw credentials backends can use. */
+int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len);
+
+#endif /* __TLS_DIGEST_RAW_H */
diff --git a/subsys/net/lib/tls_credentials/tls_credentials_trusted.c b/subsys/net/lib/tls_credentials/tls_credentials_trusted.c
@@ -12,6 +12,7 @@
 #include <psa/protected_storage.h>
 
 #include "tls_internal.h"
+#include "tls_credentials_digest_raw.h"
 
 LOG_MODULE_REGISTER(tls_credentials_trusted,
 		    CONFIG_TLS_CREDENTIALS_LOG_LEVEL);
@@ -262,6 +263,11 @@ struct tls_credential *credential_next_get(sec_tag_t tag,
 	return NULL;
 }
 
+int credential_digest(struct tls_credential *credential, void *dest, size_t *len)
+{
+	return credential_digest_raw(credential, dest, len);
+}
+
 void credentials_lock(void)
 {
 	k_mutex_lock(&credential_lock, K_FOREVER);

diff --git a/subsys/net/lib/tls_credentials/tls_internal.h b/subsys/net/lib/tls_credentials/tls_internal.h
@@ -42,7 +42,6 @@ void credentials_unlock(void);
 struct tls_credential *credential_get(sec_tag_t tag,
 				      enum tls_credential_type type);
 
-
 /* Function for iterating over credentials by tag.
  *
  * Note, that to assure thread safety, credential access should be locked with
@@ -51,4 +50,18 @@ struct tls_credential *credential_get(sec_tag_t tag,
 struct tls_credential *credential_next_get(sec_tag_t tag,
 					   struct tls_credential *iter);
 
+/* Writes a (NULL-terminated, printable) string digest of the contents of the provided credential
+ * to the provided destination buffer.
+ *
+ * Digest format/type is up to the tls_credentials backend in use.
+ *
+ * len pointer should be set to the amount of space available in the destination buffer prior to
+ * calling, and will be set to the amount written to the destination buffer after calling
+ * (excluding the NULL terminator).
+ *
+ * Note, that to assure thread safety, credential access should be locked with
+ * credentials_lock before calling this function.
+ */
+int credential_digest(struct tls_credential *credential, void *dest, size_t *len);
+
 #endif /* __TLS_INTERNAL_H */