16bd8a82a6
Adds an internal credential_digest for generating a string digest of credentials. Such digests would allow users of a prospective TLS credentials shell to verify the contents of a given credential without directly accessing those contents. Offloading the digest process to the underlying backend allows backends for which private portions are not directly accessible to be eventually supported. Signed-off-by: Georges Oates_Larsen <georges.larsen@nordicsemi.no>
93 lines
2.3 KiB
C
93 lines
2.3 KiB
C
/*
|
|
* Copyright (c) 2023 Nordic Semiconductor ASA
|
|
*
|
|
* SPDX-License-Identifier: Apache-2.0
|
|
*/
|
|
|
|
|
|
/* This file provides an (internal-use-only) credential digest function that backends storing
|
|
* raw credentials can use.
|
|
*/
|
|
|
|
#include <string.h>
|
|
|
|
#include <zephyr/init.h>
|
|
#include <zephyr/kernel.h>
|
|
#include "tls_internal.h"
|
|
#include "tls_credentials_digest_raw.h"
|
|
|
|
/* Grab mbedTLS headers if they are available so that we can check whether SHA256 is supported */
|
|
|
|
#if defined(CONFIG_MBEDTLS)
|
|
#if !defined(CONFIG_MBEDTLS_CFG_FILE)
|
|
#include "mbedtls/config.h"
|
|
#else
|
|
#include CONFIG_MBEDTLS_CFG_FILE
|
|
#endif /* CONFIG_MBEDTLS_CFG_FILE */
|
|
#endif /* CONFIG_MBEDTLS */
|
|
|
|
#if defined(CONFIG_TINYCRYPT_SHA256) && defined(CONFIG_BASE64)
|
|
|
|
#include <tinycrypt/sha256.h>
|
|
#include <zephyr/sys/base64.h>
|
|
|
|
int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len)
|
|
{
|
|
int err = 0;
|
|
size_t written = 0;
|
|
struct tc_sha256_state_struct sha_state;
|
|
uint8_t digest_buf[TC_SHA256_DIGEST_SIZE];
|
|
|
|
/* Compute digest. */
|
|
(void)tc_sha256_init(&sha_state);
|
|
(void)tc_sha256_update(&sha_state, credential->buf, credential->len);
|
|
(void)tc_sha256_final(digest_buf, &sha_state);
|
|
|
|
/* Attempt to encode digest to destination.
|
|
* Will return -ENOMEM if there is not enough space in the destination buffer.
|
|
*/
|
|
err = base64_encode(dest, *len, &written, digest_buf, sizeof(digest_buf));
|
|
*len = err ? 0 : written;
|
|
|
|
/* Clean up. */
|
|
memset(&sha_state, 0, sizeof(sha_state));
|
|
memset(digest_buf, 0, sizeof(digest_buf));
|
|
return err;
|
|
}
|
|
|
|
#elif defined(MBEDTLS_SHA256_C) && defined(CONFIG_BASE64)
|
|
|
|
#include <mbedtls/sha256.h>
|
|
#include <zephyr/sys/base64.h>
|
|
|
|
int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len)
|
|
{
|
|
int err = 0;
|
|
size_t written = 0;
|
|
uint8_t digest_buf[32];
|
|
|
|
/* Compute digest. The '0' indicates to mbedtls to use SHA256 instead of 224. */
|
|
mbedtls_sha256(credential->buf, credential->len, digest_buf, 0);
|
|
|
|
/* Attempt to encode digest to destination.
|
|
* Will return -ENOMEM if there is not enough space in the destination buffer.
|
|
*/
|
|
err = base64_encode(dest, *len, &written, digest_buf, sizeof(digest_buf));
|
|
*len = err ? 0 : written;
|
|
|
|
/* Clean up. */
|
|
memset(digest_buf, 0, sizeof(digest_buf));
|
|
|
|
return err;
|
|
}
|
|
|
|
#else
|
|
|
|
int credential_digest_raw(struct tls_credential *credential, void *dest, size_t *len)
|
|
{
|
|
*len = 0;
|
|
return -ENOTSUP;
|
|
}
|
|
|
|
#endif
|