nimble/mesh: Use Mbed-TLS for crypto

sjanc · sjanc · commit 46ead0d252dc · 2026-05-27T11:54:50.000+02:00
So far TinyCRYPT library was used but it is no longer being
maintained. This converts code to use Mbed TLS instead.
diff --git a/nimble/host/mesh/include/mesh/glue.h b/nimble/host/mesh/include/mesh/glue.h
@@ -35,12 +35,6 @@
 #include "../src/ble_sm_priv.h"
 #include "../src/ble_hs_hci_priv.h"
 
-#include "tinycrypt/aes.h"
-#include "tinycrypt/constants.h"
-#include "tinycrypt/utils.h"
-#include "tinycrypt/cmac_mode.h"
-#include "tinycrypt/ecc_dh.h"
-
 #if MYNEWT_VAL(BLE_MESH_SETTINGS)
 #include "config/config.h"
 #endif
diff --git a/nimble/host/mesh/pkg.yml b/nimble/host/mesh/pkg.yml
@@ -29,7 +29,7 @@ pkg.keywords:
 pkg.deps:
     - "@apache-mynewt-core/kernel/os"
     - "@apache-mynewt-core/util/mem"
-    - "@apache-mynewt-core/crypto/tinycrypt"
+    - "@apache-mynewt-core/crypto/mbedtls"
     - nimble
     - nimble/host
 
diff --git a/nimble/host/mesh/src/crypto.c b/nimble/host/mesh/src/crypto.c
@@ -15,11 +15,7 @@
 #include <stdbool.h>
 #include <errno.h>
 
-#include <tinycrypt/constants.h>
-#include <tinycrypt/utils.h>
-#include <tinycrypt/aes.h>
-#include <tinycrypt/cmac_mode.h>
-#include <tinycrypt/ccm_mode.h>
+#include <mbedtls/cmac.h>
 
 #include "crypto.h"
 
@@ -29,25 +25,35 @@
 int bt_mesh_aes_cmac(const uint8_t key[16], struct bt_mesh_sg *sg,
 		     size_t sg_len, uint8_t mac[16])
 {
-	struct tc_aes_key_sched_struct sched;
-	struct tc_cmac_struct state;
+	mbedtls_cipher_context_t ctx;
+	int err = -EIO;
 
-	if (tc_cmac_setup(&state, key, &sched) == TC_CRYPTO_FAIL) {
-		return -EIO;
+	mbedtls_cipher_init(&ctx);
+
+	if (mbedtls_cipher_setup(&ctx,
+				 mbedtls_cipher_info_from_type(MBEDTLS_CIPHER_AES_128_ECB))) {
+		goto done;
+	}
+
+	if (mbedtls_cipher_cmac_starts(&ctx, key, 128)) {
+		goto done;
 	}
 
 	for (; sg_len; sg_len--, sg++) {
-		if (tc_cmac_update(&state, sg->data,
-				   sg->len) == TC_CRYPTO_FAIL) {
-			return -EIO;
+		if (mbedtls_cipher_cmac_update(&ctx, sg->data, sg->len)) {
+			goto done;
 		}
 	}
 
-	if (tc_cmac_final(mac, &state) == TC_CRYPTO_FAIL) {
-		return -EIO;
+	if (mbedtls_cipher_cmac_finish(&ctx, mac)) {
+		goto done;
 	}
 
-	return 0;
+	err = 0;
+
+done:
+	mbedtls_cipher_free(&ctx);
+	return err;
 }
 
 int bt_mesh_k1(const uint8_t *ikm, size_t ikm_len, const uint8_t salt[16],
diff --git a/nimble/host/mesh/src/glue.c b/nimble/host/mesh/src/glue.c
@@ -33,6 +33,8 @@
 #include "base64/base64.h"
 #endif
 
+#include <mbedtls/aes.h>
+
 extern uint8_t g_mesh_addr_type;
 
 #if MYNEWT_VAL(BLE_EXT_ADV)
@@ -130,17 +132,21 @@ void net_buf_simple_clone(const struct os_mbuf *original,
 int
 bt_encrypt_be(const uint8_t *key, const uint8_t *plaintext, uint8_t *enc_data)
 {
-    struct tc_aes_key_sched_struct s;
+	mbedtls_aes_context ctx;
+	int err;
 
-    if (tc_aes128_set_encrypt_key(&s, key) == TC_CRYPTO_FAIL) {
-        return BLE_HS_EUNKNOWN;
-    }
+	mbedtls_aes_init(&ctx);
+	mbedtls_aes_setkey_enc(&ctx, key, 128);
 
-    if (tc_aes_encrypt(enc_data, plaintext, &s) == TC_CRYPTO_FAIL) {
-        return BLE_HS_EUNKNOWN;
-    }
+	err = mbedtls_aes_crypt_ecb(&ctx, MBEDTLS_AES_ENCRYPT, plaintext, enc_data);
 
-    return 0;
+	mbedtls_aes_free(&ctx);
+
+	if (err) {
+		return BLE_HS_EUNKNOWN;
+	}
+
+	return 0;
 }
 
 uint16_t
diff --git a/nimble/host/mesh/src/prov_device.c b/nimble/host/mesh/src/prov_device.c
@@ -24,6 +24,8 @@
 #include "settings.h"
 #include "pb_gatt_srv.h"
 
+#include "mbedtls/ecdh.h"
+
 static void send_pub_key(void);
 static void pub_key_ready(const uint8_t *pkey);
 
@@ -295,6 +297,63 @@ static void prov_dh_key_cb(const uint8_t dhkey[BT_DH_KEY_LEN])
 	dh_key_gen_complete();
 }
 
+
+static int
+mbedtls_rand(void *arg, unsigned char *buf, size_t size)
+{
+	return bt_rand(arg, size);
+}
+
+int bt_mesh_dhkey_gen(const uint8_t *remote_pk, const uint8_t *private_key_be,
+		      uint8_t *dhkey)
+{
+	int ret;
+	mbedtls_ecp_group group;
+	mbedtls_ecp_point pub_key;
+	mbedtls_mpi priv_key;
+	mbedtls_mpi z;
+	uint8_t uncompressed_pk[65];
+
+	mbedtls_ecp_group_init(&group);
+	mbedtls_ecp_point_init(&pub_key);
+	mbedtls_mpi_init(&priv_key);
+	mbedtls_mpi_init(&z);
+
+	ret = mbedtls_ecp_group_load(&group, MBEDTLS_ECP_DP_SECP256R1);
+	if (ret != 0) {
+		goto done;
+	}
+
+	uncompressed_pk[0] = 0x04;
+	memcpy(&uncompressed_pk[1], remote_pk, 64);
+
+	ret = mbedtls_ecp_point_read_binary(&group, &pub_key, uncompressed_pk, 65);
+	if (ret != 0) {
+		goto done;
+	}
+
+	ret = mbedtls_mpi_read_binary(&priv_key, private_key_be, 32);
+	if (ret != 0) {
+		goto done;
+	}
+
+	ret = mbedtls_ecdh_compute_shared(&group, &z, &pub_key, &priv_key,
+	mbedtls_rand, NULL);
+	if (ret != 0) {
+		goto done;
+	}
+
+	ret = mbedtls_mpi_write_binary(&z, dhkey, 32);
+
+done:
+	mbedtls_mpi_free(&z);
+	mbedtls_mpi_free(&priv_key);
+	mbedtls_ecp_point_free(&pub_key);
+	mbedtls_ecp_group_free(&group);
+
+	return ret;
+}
+
 static void prov_dh_key_gen(void)
 {
 	const uint8_t *remote_pk;
@@ -303,11 +362,9 @@ static void prov_dh_key_gen(void)
 	remote_pk = bt_mesh_prov_link.conf_inputs.pub_key_provisioner;
 	if (MYNEWT_VAL(BLE_MESH_PROV_OOB_PUBLIC_KEY) &&
 	    atomic_test_bit(bt_mesh_prov_link.flags, OOB_PUB_KEY)) {
-		if (uECC_valid_public_key(remote_pk, &curve_secp256r1)) {
-			BT_ERR("Public key is not valid");
-		} else if (uECC_shared_secret(remote_pk, bt_mesh_prov->private_key_be,
-					      bt_mesh_prov_link.dhkey,
-					      &curve_secp256r1) != TC_CRYPTO_SUCCESS) {
+
+		if (bt_mesh_dhkey_gen(remote_pk, bt_mesh_prov->private_key_be,
+				      bt_mesh_prov_link.dhkey)) {
 			BT_ERR("DHKey generation failed");
 		} else {
 			dh_key_gen_complete();
