1 /*
2 * Copyright (c) 2017 Intel Corporation.
3 *
4 * SPDX-License-Identifier: Apache-2.0
5 */
6
7 /**
8 * @file Shim layer for mbedTLS, crypto API compliant.
9 */
10
11
12 #include <zephyr/kernel.h>
13 #include <zephyr/init.h>
14 #include <errno.h>
15 #include <zephyr/crypto/crypto.h>
16
17 #if !defined(CONFIG_MBEDTLS_CFG_FILE)
18 #include "mbedtls/config.h"
19 #else
20 #include CONFIG_MBEDTLS_CFG_FILE
21 #endif /* CONFIG_MBEDTLS_CFG_FILE */
22
23 #include <mbedtls/ccm.h>
24 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
25 #include <mbedtls/gcm.h>
26 #endif
27 #include <mbedtls/aes.h>
28
29 #include <mbedtls/sha256.h>
30 #include <mbedtls/sha512.h>
31
32 #define MTLS_SUPPORT (CAP_RAW_KEY | CAP_SEPARATE_IO_BUFS | CAP_SYNC_OPS | \
33 CAP_NO_IV_PREFIX)
34
35 #define LOG_LEVEL CONFIG_CRYPTO_LOG_LEVEL
36 #include <zephyr/logging/log.h>
37 LOG_MODULE_REGISTER(mbedtls);
38
39 struct mtls_shim_session {
40 union {
41 mbedtls_ccm_context mtls_ccm;
42 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
43 mbedtls_gcm_context mtls_gcm;
44 #endif
45 mbedtls_aes_context mtls_aes;
46 mbedtls_sha256_context mtls_sha256;
47 mbedtls_sha512_context mtls_sha512;
48 };
49 bool in_use;
50 union {
51 enum cipher_mode mode;
52 enum hash_algo algo;
53 };
54 };
55
56 #define CRYPTO_MAX_SESSION CONFIG_CRYPTO_MBEDTLS_SHIM_MAX_SESSION
57
58 struct mtls_shim_session mtls_sessions[CRYPTO_MAX_SESSION];
59
60 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
61 #include "mbedtls/memory_buffer_alloc.h"
62 #else
63 #error "You need to define MBEDTLS_MEMORY_BUFFER_ALLOC_C"
64 #endif /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
65
66 #define MTLS_GET_CTX(c, m) \
67 (&((struct mtls_shim_session *)c->drv_sessn_state)->mtls_ ## m)
68
69 #define MTLS_GET_ALGO(c) \
70 (((struct mtls_shim_session *)c->drv_sessn_state)->algo)
71
mtls_ecb_encrypt(struct cipher_ctx * ctx,struct cipher_pkt * pkt)72 int mtls_ecb_encrypt(struct cipher_ctx *ctx, struct cipher_pkt *pkt)
73 {
74 int ret;
75 mbedtls_aes_context *ecb_ctx = MTLS_GET_CTX(ctx, aes);
76
77 /* For security reasons, ECB mode should not be used to encrypt
78 * more than one block. Use CBC mode instead.
79 */
80 if (pkt->in_len > 16) {
81 LOG_ERR("Cannot encrypt more than 1 block");
82 return -EINVAL;
83 }
84
85 ret = mbedtls_aes_crypt_ecb(ecb_ctx, MBEDTLS_AES_ENCRYPT,
86 pkt->in_buf, pkt->out_buf);
87 if (ret) {
88 LOG_ERR("Could not encrypt (%d)", ret);
89 return -EINVAL;
90 }
91
92 pkt->out_len = 16;
93
94 return 0;
95 }
96
mtls_ecb_decrypt(struct cipher_ctx * ctx,struct cipher_pkt * pkt)97 int mtls_ecb_decrypt(struct cipher_ctx *ctx, struct cipher_pkt *pkt)
98 {
99 int ret;
100 mbedtls_aes_context *ecb_ctx = MTLS_GET_CTX(ctx, aes);
101
102 /* For security reasons, ECB mode should not be used to decrypt
103 * more than one block. Use CBC mode instead.
104 */
105 if (pkt->in_len > 16) {
106 LOG_ERR("Cannot decrypt more than 1 block");
107 return -EINVAL;
108 }
109
110 ret = mbedtls_aes_crypt_ecb(ecb_ctx, MBEDTLS_AES_DECRYPT,
111 pkt->in_buf, pkt->out_buf);
112 if (ret) {
113 LOG_ERR("Could not encrypt (%d)", ret);
114 return -EINVAL;
115 }
116
117 pkt->out_len = 16;
118
119 return 0;
120 }
121
mtls_cbc_encrypt(struct cipher_ctx * ctx,struct cipher_pkt * pkt,uint8_t * iv)122 int mtls_cbc_encrypt(struct cipher_ctx *ctx, struct cipher_pkt *pkt, uint8_t *iv)
123 {
124 int ret, iv_bytes;
125 uint8_t *p_iv, iv_loc[16];
126 mbedtls_aes_context *cbc_ctx = MTLS_GET_CTX(ctx, aes);
127
128 if ((ctx->flags & CAP_NO_IV_PREFIX) == 0U) {
129 /* Prefix IV to ciphertext, which is default behavior of Zephyr
130 * crypto API, unless CAP_NO_IV_PREFIX is requested.
131 */
132 iv_bytes = 16;
133 memcpy(pkt->out_buf, iv, 16);
134 p_iv = iv;
135 } else {
136 iv_bytes = 0;
137 memcpy(iv_loc, iv, 16);
138 p_iv = iv_loc;
139 }
140
141 ret = mbedtls_aes_crypt_cbc(cbc_ctx, MBEDTLS_AES_ENCRYPT, pkt->in_len,
142 p_iv, pkt->in_buf, pkt->out_buf + iv_bytes);
143 if (ret) {
144 LOG_ERR("Could not encrypt (%d)", ret);
145 return -EINVAL;
146 }
147
148 pkt->out_len = pkt->in_len + iv_bytes;
149
150 return 0;
151 }
152
mtls_cbc_decrypt(struct cipher_ctx * ctx,struct cipher_pkt * pkt,uint8_t * iv)153 int mtls_cbc_decrypt(struct cipher_ctx *ctx, struct cipher_pkt *pkt, uint8_t *iv)
154 {
155 int ret, iv_bytes;
156 uint8_t *p_iv, iv_loc[16];
157 mbedtls_aes_context *cbc_ctx = MTLS_GET_CTX(ctx, aes);
158
159 if ((ctx->flags & CAP_NO_IV_PREFIX) == 0U) {
160 iv_bytes = 16;
161 p_iv = iv;
162 } else {
163 iv_bytes = 0;
164 memcpy(iv_loc, iv, 16);
165 p_iv = iv_loc;
166 }
167
168 ret = mbedtls_aes_crypt_cbc(cbc_ctx, MBEDTLS_AES_DECRYPT, pkt->in_len,
169 p_iv, pkt->in_buf + iv_bytes, pkt->out_buf);
170 if (ret) {
171 LOG_ERR("Could not encrypt (%d)", ret);
172 return -EINVAL;
173 }
174
175 pkt->out_len = pkt->in_len - iv_bytes;
176
177 return 0;
178 }
179
mtls_ccm_encrypt_auth(struct cipher_ctx * ctx,struct cipher_aead_pkt * apkt,uint8_t * nonce)180 static int mtls_ccm_encrypt_auth(struct cipher_ctx *ctx,
181 struct cipher_aead_pkt *apkt,
182 uint8_t *nonce)
183 {
184 mbedtls_ccm_context *mtls_ctx = MTLS_GET_CTX(ctx, ccm);
185 int ret;
186
187 ret = mbedtls_ccm_encrypt_and_tag(mtls_ctx, apkt->pkt->in_len, nonce,
188 ctx->mode_params.ccm_info.nonce_len,
189 apkt->ad, apkt->ad_len,
190 apkt->pkt->in_buf,
191 apkt->pkt->out_buf, apkt->tag,
192 ctx->mode_params.ccm_info.tag_len);
193 if (ret) {
194 LOG_ERR("Could not encrypt/auth (%d)", ret);
195
196 /*ToDo: try to return relevant code depending on ret? */
197 return -EINVAL;
198 }
199
200 /* This is equivalent to what the TinyCrypt shim does in
201 * do_ccm_encrypt_mac().
202 */
203 apkt->pkt->out_len = apkt->pkt->in_len;
204 apkt->pkt->out_len += ctx->mode_params.ccm_info.tag_len;
205
206 return 0;
207 }
208
mtls_ccm_decrypt_auth(struct cipher_ctx * ctx,struct cipher_aead_pkt * apkt,uint8_t * nonce)209 static int mtls_ccm_decrypt_auth(struct cipher_ctx *ctx,
210 struct cipher_aead_pkt *apkt,
211 uint8_t *nonce)
212 {
213 mbedtls_ccm_context *mtls_ctx = MTLS_GET_CTX(ctx, ccm);
214 int ret;
215
216 ret = mbedtls_ccm_auth_decrypt(mtls_ctx, apkt->pkt->in_len, nonce,
217 ctx->mode_params.ccm_info.nonce_len,
218 apkt->ad, apkt->ad_len,
219 apkt->pkt->in_buf,
220 apkt->pkt->out_buf, apkt->tag,
221 ctx->mode_params.ccm_info.tag_len);
222 if (ret) {
223 if (ret == MBEDTLS_ERR_CCM_AUTH_FAILED) {
224 LOG_ERR("Message authentication failed");
225 return -EFAULT;
226 }
227
228 LOG_ERR("Could not decrypt/auth (%d)", ret);
229
230 /*ToDo: try to return relevant code depending on ret? */
231 return -EINVAL;
232 }
233
234 apkt->pkt->out_len = apkt->pkt->in_len;
235 apkt->pkt->out_len += ctx->mode_params.ccm_info.tag_len;
236
237 return 0;
238 }
239
240 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
mtls_gcm_encrypt_auth(struct cipher_ctx * ctx,struct cipher_aead_pkt * apkt,uint8_t * nonce)241 static int mtls_gcm_encrypt_auth(struct cipher_ctx *ctx,
242 struct cipher_aead_pkt *apkt,
243 uint8_t *nonce)
244 {
245 mbedtls_gcm_context *mtls_ctx = MTLS_GET_CTX(ctx, gcm);
246 int ret;
247
248 ret = mbedtls_gcm_crypt_and_tag(mtls_ctx, MBEDTLS_GCM_ENCRYPT,
249 apkt->pkt->in_len, nonce,
250 ctx->mode_params.gcm_info.nonce_len,
251 apkt->ad, apkt->ad_len,
252 apkt->pkt->in_buf,
253 apkt->pkt->out_buf,
254 ctx->mode_params.gcm_info.tag_len,
255 apkt->tag);
256 if (ret) {
257 LOG_ERR("Could not encrypt/auth (%d)", ret);
258
259 return -EINVAL;
260 }
261
262 /* This is equivalent to what is done in mtls_ccm_encrypt_auth(). */
263 apkt->pkt->out_len = apkt->pkt->in_len;
264 apkt->pkt->out_len += ctx->mode_params.gcm_info.tag_len;
265
266 return 0;
267 }
268
mtls_gcm_decrypt_auth(struct cipher_ctx * ctx,struct cipher_aead_pkt * apkt,uint8_t * nonce)269 static int mtls_gcm_decrypt_auth(struct cipher_ctx *ctx,
270 struct cipher_aead_pkt *apkt,
271 uint8_t *nonce)
272 {
273 mbedtls_gcm_context *mtls_ctx = MTLS_GET_CTX(ctx, gcm);
274 int ret;
275
276 ret = mbedtls_gcm_auth_decrypt(mtls_ctx, apkt->pkt->in_len, nonce,
277 ctx->mode_params.gcm_info.nonce_len,
278 apkt->ad, apkt->ad_len,
279 apkt->tag,
280 ctx->mode_params.gcm_info.tag_len,
281 apkt->pkt->in_buf,
282 apkt->pkt->out_buf);
283 if (ret) {
284 if (ret == MBEDTLS_ERR_GCM_AUTH_FAILED) {
285 LOG_ERR("Message authentication failed");
286 return -EFAULT;
287 }
288
289 LOG_ERR("Could not decrypt/auth (%d)", ret);
290 return -EINVAL;
291 }
292
293 apkt->pkt->out_len = apkt->pkt->in_len;
294 apkt->pkt->out_len += ctx->mode_params.gcm_info.tag_len;
295
296 return 0;
297 }
298 #endif /* CONFIG_MBEDTLS_CIPHER_GCM_ENABLED */
299
mtls_get_unused_session_index(void)300 static int mtls_get_unused_session_index(void)
301 {
302 int i;
303
304 for (i = 0; i < CRYPTO_MAX_SESSION; i++) {
305 if (!mtls_sessions[i].in_use) {
306 mtls_sessions[i].in_use = true;
307 return i;
308 }
309 }
310
311 return -1;
312 }
313
mtls_session_setup(const struct device * dev,struct cipher_ctx * ctx,enum cipher_algo algo,enum cipher_mode mode,enum cipher_op op_type)314 static int mtls_session_setup(const struct device *dev,
315 struct cipher_ctx *ctx,
316 enum cipher_algo algo, enum cipher_mode mode,
317 enum cipher_op op_type)
318 {
319 mbedtls_aes_context *aes_ctx;
320 mbedtls_ccm_context *ccm_ctx;
321 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
322 mbedtls_gcm_context *gcm_ctx;
323 #endif
324 int ctx_idx;
325 int ret;
326
327 if (ctx->flags & ~(MTLS_SUPPORT)) {
328 LOG_ERR("Unsupported flag");
329 return -EINVAL;
330 }
331
332 if (algo != CRYPTO_CIPHER_ALGO_AES) {
333 LOG_ERR("Unsupported algo");
334 return -EINVAL;
335 }
336
337 if (mode != CRYPTO_CIPHER_MODE_CCM &&
338 mode != CRYPTO_CIPHER_MODE_CBC &&
339 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
340 mode != CRYPTO_CIPHER_MODE_GCM &&
341 #endif
342 mode != CRYPTO_CIPHER_MODE_ECB) {
343 LOG_ERR("Unsupported mode");
344 return -EINVAL;
345 }
346
347 if (ctx->keylen != 16U) {
348 LOG_ERR("%u key size is not supported", ctx->keylen);
349 return -EINVAL;
350 }
351
352 ctx_idx = mtls_get_unused_session_index();
353 if (ctx_idx < 0) {
354 LOG_ERR("No free session for now");
355 return -ENOSPC;
356 }
357
358
359 switch (mode) {
360 case CRYPTO_CIPHER_MODE_ECB:
361 aes_ctx = &mtls_sessions[ctx_idx].mtls_aes;
362 mbedtls_aes_init(aes_ctx);
363 if (op_type == CRYPTO_CIPHER_OP_ENCRYPT) {
364 ret = mbedtls_aes_setkey_enc(aes_ctx,
365 ctx->key.bit_stream, ctx->keylen * 8U);
366 ctx->ops.block_crypt_hndlr = mtls_ecb_encrypt;
367 } else {
368 ret = mbedtls_aes_setkey_dec(aes_ctx,
369 ctx->key.bit_stream, ctx->keylen * 8U);
370 ctx->ops.block_crypt_hndlr = mtls_ecb_decrypt;
371 }
372 if (ret) {
373 LOG_ERR("AES_ECB: failed at setkey (%d)", ret);
374 ctx->ops.block_crypt_hndlr = NULL;
375 mtls_sessions[ctx_idx].in_use = false;
376 return -EINVAL;
377 }
378 break;
379 case CRYPTO_CIPHER_MODE_CBC:
380 aes_ctx = &mtls_sessions[ctx_idx].mtls_aes;
381 mbedtls_aes_init(aes_ctx);
382 if (op_type == CRYPTO_CIPHER_OP_ENCRYPT) {
383 ret = mbedtls_aes_setkey_enc(aes_ctx,
384 ctx->key.bit_stream, ctx->keylen * 8U);
385 ctx->ops.cbc_crypt_hndlr = mtls_cbc_encrypt;
386 } else {
387 ret = mbedtls_aes_setkey_dec(aes_ctx,
388 ctx->key.bit_stream, ctx->keylen * 8U);
389 ctx->ops.cbc_crypt_hndlr = mtls_cbc_decrypt;
390 }
391 if (ret) {
392 LOG_ERR("AES_CBC: failed at setkey (%d)", ret);
393 ctx->ops.cbc_crypt_hndlr = NULL;
394 mtls_sessions[ctx_idx].in_use = false;
395 return -EINVAL;
396 }
397 break;
398 case CRYPTO_CIPHER_MODE_CCM:
399 ccm_ctx = &mtls_sessions[ctx_idx].mtls_ccm;
400 mbedtls_ccm_init(ccm_ctx);
401 ret = mbedtls_ccm_setkey(ccm_ctx, MBEDTLS_CIPHER_ID_AES,
402 ctx->key.bit_stream, ctx->keylen * 8U);
403 if (ret) {
404 LOG_ERR("AES_CCM: failed at setkey (%d)", ret);
405 mtls_sessions[ctx_idx].in_use = false;
406
407 return -EINVAL;
408 }
409 if (op_type == CRYPTO_CIPHER_OP_ENCRYPT) {
410 ctx->ops.ccm_crypt_hndlr = mtls_ccm_encrypt_auth;
411 } else {
412 ctx->ops.ccm_crypt_hndlr = mtls_ccm_decrypt_auth;
413 }
414 break;
415 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
416 case CRYPTO_CIPHER_MODE_GCM:
417 gcm_ctx = &mtls_sessions[ctx_idx].mtls_gcm;
418 mbedtls_gcm_init(gcm_ctx);
419 ret = mbedtls_gcm_setkey(gcm_ctx, MBEDTLS_CIPHER_ID_AES,
420 ctx->key.bit_stream, ctx->keylen * 8U);
421 if (ret) {
422 LOG_ERR("AES_GCM: failed at setkey (%d)", ret);
423 mtls_sessions[ctx_idx].in_use = false;
424
425 return -EINVAL;
426 }
427 if (op_type == CRYPTO_CIPHER_OP_ENCRYPT) {
428 ctx->ops.gcm_crypt_hndlr = mtls_gcm_encrypt_auth;
429 } else {
430 ctx->ops.gcm_crypt_hndlr = mtls_gcm_decrypt_auth;
431 }
432 break;
433 #endif /* CONFIG_MBEDTLS_CIPHER_GCM_ENABLED */
434 default:
435 LOG_ERR("Unhandled mode");
436 mtls_sessions[ctx_idx].in_use = false;
437 return -EINVAL;
438 }
439
440 mtls_sessions[ctx_idx].mode = mode;
441 ctx->drv_sessn_state = &mtls_sessions[ctx_idx];
442
443 return ret;
444 }
445
mtls_session_free(const struct device * dev,struct cipher_ctx * ctx)446 static int mtls_session_free(const struct device *dev, struct cipher_ctx *ctx)
447 {
448 struct mtls_shim_session *mtls_session =
449 (struct mtls_shim_session *)ctx->drv_sessn_state;
450
451 if (mtls_session->mode == CRYPTO_CIPHER_MODE_CCM) {
452 mbedtls_ccm_free(&mtls_session->mtls_ccm);
453 #ifdef CONFIG_MBEDTLS_CIPHER_GCM_ENABLED
454 } else if (mtls_session->mode == CRYPTO_CIPHER_MODE_GCM) {
455 mbedtls_gcm_free(&mtls_session->mtls_gcm);
456 #endif
457 } else {
458 mbedtls_aes_free(&mtls_session->mtls_aes);
459 }
460 mtls_session->in_use = false;
461
462 return 0;
463 }
464
mtls_sha256_compute(struct hash_ctx * ctx,struct hash_pkt * pkt,bool finish)465 static int mtls_sha256_compute(struct hash_ctx *ctx, struct hash_pkt *pkt,
466 bool finish)
467 {
468 int ret;
469 mbedtls_sha256_context *sha256_ctx = MTLS_GET_CTX(ctx, sha256);
470
471
472 if (!ctx->started) {
473 ret = mbedtls_sha256_starts(sha256_ctx,
474 MTLS_GET_ALGO(ctx) == CRYPTO_HASH_ALGO_SHA224);
475 if (ret != 0) {
476 LOG_ERR("Could not compute the hash");
477 return -EINVAL;
478 }
479 ctx->started = true;
480 }
481
482 ret = mbedtls_sha256_update(sha256_ctx, pkt->in_buf, pkt->in_len);
483 if (ret != 0) {
484 LOG_ERR("Could not update the hash");
485 ctx->started = false;
486 return -EINVAL;
487 }
488
489 if (finish) {
490 ctx->started = false;
491 ret = mbedtls_sha256_finish(sha256_ctx, pkt->out_buf);
492 if (ret != 0) {
493 LOG_ERR("Could not compute the hash");
494 return -EINVAL;
495 }
496 }
497
498 return 0;
499 }
500
mtls_sha512_compute(struct hash_ctx * ctx,struct hash_pkt * pkt,bool finish)501 static int mtls_sha512_compute(struct hash_ctx *ctx, struct hash_pkt *pkt,
502 bool finish)
503 {
504 int ret;
505 mbedtls_sha512_context *sha512_ctx = MTLS_GET_CTX(ctx, sha512);
506
507 if (!ctx->started) {
508 ret = mbedtls_sha512_starts(sha512_ctx,
509 MTLS_GET_ALGO(ctx) == CRYPTO_HASH_ALGO_SHA384);
510 if (ret != 0) {
511 LOG_ERR("Could not compute the hash");
512 return -EINVAL;
513 }
514 ctx->started = true;
515 }
516
517 ret = mbedtls_sha512_update(sha512_ctx, pkt->in_buf, pkt->in_len);
518 if (ret != 0) {
519 LOG_ERR("Could not update the hash");
520 ctx->started = false;
521 return -EINVAL;
522 }
523
524 if (finish) {
525 ctx->started = false;
526 ret = mbedtls_sha512_finish(sha512_ctx, pkt->out_buf);
527 if (ret != 0) {
528 LOG_ERR("Could not compute the hash");
529 return -EINVAL;
530 }
531 }
532
533 return 0;
534 }
535
mtls_hash_session_setup(const struct device * dev,struct hash_ctx * ctx,enum hash_algo algo)536 static int mtls_hash_session_setup(const struct device *dev,
537 struct hash_ctx *ctx,
538 enum hash_algo algo)
539 {
540 int ctx_idx;
541
542 if (ctx->flags & ~(MTLS_SUPPORT)) {
543 LOG_ERR("Unsupported flag");
544 return -EINVAL;
545 }
546
547 if ((algo != CRYPTO_HASH_ALGO_SHA224) &&
548 (algo != CRYPTO_HASH_ALGO_SHA256) &&
549 (algo != CRYPTO_HASH_ALGO_SHA384) &&
550 (algo != CRYPTO_HASH_ALGO_SHA512)) {
551 LOG_ERR("Unsupported algo: %d", algo);
552 return -EINVAL;
553 }
554
555 ctx_idx = mtls_get_unused_session_index();
556 if (ctx_idx < 0) {
557 LOG_ERR("No free session for now");
558 return -ENOSPC;
559 }
560
561 mtls_sessions[ctx_idx].algo = algo;
562 ctx->drv_sessn_state = &mtls_sessions[ctx_idx];
563 ctx->started = false;
564
565 if ((algo == CRYPTO_HASH_ALGO_SHA224) ||
566 (algo == CRYPTO_HASH_ALGO_SHA256)) {
567 mbedtls_sha256_context *sha256_ctx =
568 &mtls_sessions[ctx_idx].mtls_sha256;
569 mbedtls_sha256_init(sha256_ctx);
570 ctx->hash_hndlr = mtls_sha256_compute;
571 } else {
572 mbedtls_sha512_context *sha512_ctx =
573 &mtls_sessions[ctx_idx].mtls_sha512;
574 mbedtls_sha512_init(sha512_ctx);
575 ctx->hash_hndlr = mtls_sha512_compute;
576 }
577
578 return 0;
579 }
580
mtls_hash_session_free(const struct device * dev,struct hash_ctx * ctx)581 static int mtls_hash_session_free(const struct device *dev, struct hash_ctx *ctx)
582 {
583 struct mtls_shim_session *mtls_session =
584 (struct mtls_shim_session *)ctx->drv_sessn_state;
585
586 if (mtls_session->algo == CRYPTO_HASH_ALGO_SHA256) {
587 mbedtls_sha256_free(&mtls_session->mtls_sha256);
588 } else {
589 mbedtls_sha512_free(&mtls_session->mtls_sha512);
590 }
591 mtls_session->in_use = false;
592
593 return 0;
594 }
595
596
mtls_query_caps(const struct device * dev)597 static int mtls_query_caps(const struct device *dev)
598 {
599 return MTLS_SUPPORT;
600 }
601
602 static struct crypto_driver_api mtls_crypto_funcs = {
603 .cipher_begin_session = mtls_session_setup,
604 .cipher_free_session = mtls_session_free,
605 .cipher_async_callback_set = NULL,
606 .hash_begin_session = mtls_hash_session_setup,
607 .hash_free_session = mtls_hash_session_free,
608 .query_hw_caps = mtls_query_caps,
609 };
610
611 DEVICE_DEFINE(crypto_mtls, CONFIG_CRYPTO_MBEDTLS_SHIM_DRV_NAME,
612 NULL, NULL, NULL, NULL, POST_KERNEL, CONFIG_CRYPTO_INIT_PRIORITY,
613 (void *)&mtls_crypto_funcs);
614
