Merge 59f7f8d9fa into 59274ae0d6

fix(esp_wifi): Set PMK len after SAE exchange

See merge request espressif/esp-idf!33853

components/bt/common/btc/profile/esp/blufi/nimble_host/esp_blufi.c

@@ -442,8 +442,10 @@ uint8_t esp_blufi_init(void)
 void esp_blufi_deinit(void)
 {
     blufi_env.enabled = false;
-    btc_msg_t msg;
     esp_blufi_cb_param_t param;
+    btc_msg_t msg;
+    memset (&msg, 0x0, sizeof (msg));
+    msg.sig = BTC_SIG_API_CB;
     msg.pid = BTC_PID_BLUFI;
     msg.act = ESP_BLUFI_EVENT_DEINIT_FINISH;
     param.deinit_finish.state = ESP_BLUFI_DEINIT_OK;

components/bt/controller/lib_esp32c3_family

@@ -1 +1 @@
-Subproject commit b8ef2c474d392a88ea7e6626f89acf1fa5f30e4a
+Subproject commit 061e70c319576bf28b5695f5478dbe01ad18b18d

components/bt/host/bluedroid/stack/btm/btm_ble_addr.c

@@ -384,6 +384,10 @@ static BOOLEAN btm_ble_match_random_bda(tBTM_SEC_DEV_REC *p_dev_rec)
 void btm_ble_resolve_random_addr(BD_ADDR random_bda, tBTM_BLE_RESOLVE_CBACK *p_cback, void *p)
 {
 #if (SMP_INCLUDED == TRUE)
+    if (btm_cb.addr_res_en == FALSE) {
+        return;
+    }
+
     tBTM_LE_RANDOM_CB   *p_mgnt_cb = &btm_cb.ble_ctr_cb.addr_mgnt_cb;
     list_node_t         *p_node    = NULL;
     tBTM_SEC_DEV_REC *p_dev_rec    = NULL;
@@ -458,6 +462,10 @@ tBTM_SEC_DEV_REC *btm_find_dev_by_identity_addr(BD_ADDR bd_addr, UINT8 addr_type
 BOOLEAN btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr, UINT8 *p_addr_type, BOOLEAN refresh)
 {
 #if BLE_PRIVACY_SPT == TRUE
+    if (btm_cb.addr_res_en == FALSE) {
+        return TRUE;
+    }
+
     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev_by_identity_addr(bd_addr, *p_addr_type);
 
     BTM_TRACE_EVENT ("%s", __func__);
@@ -491,6 +499,10 @@ BOOLEAN btm_identity_addr_to_random_pseudo(BD_ADDR bd_addr, UINT8 *p_addr_type,
 BOOLEAN btm_random_pseudo_to_identity_addr(BD_ADDR random_pseudo, UINT8 *p_static_addr_type)
 {
 #if BLE_PRIVACY_SPT == TRUE
+    if (btm_cb.addr_res_en == FALSE) {
+        return TRUE;
+    }
+
     tBTM_SEC_DEV_REC    *p_dev_rec = btm_find_dev (random_pseudo);
 
     if (p_dev_rec != NULL) {

components/bt/host/bluedroid/stack/btm/btm_main.c

@@ -84,6 +84,7 @@ void btm_init (void)
 #if BLE_INCLUDED == TRUE
     btm_ble_lock_init();
     btm_ble_sem_init();
+    btm_cb.addr_res_en = TRUE;
 #endif
     btm_sec_dev_init();
 #if (BLE_50_FEATURE_SUPPORT == TRUE)
@@ -133,3 +134,10 @@ uint8_t btm_acl_active_count(void)
 
     return count;
 }
+
+void btm_ble_addr_resolve_enable(bool enable)
+{
+#if (BLE_INCLUDED == TRUE)
+    btm_cb.addr_res_en = enable;
+#endif
+}

components/bt/host/bluedroid/stack/btm/include/btm_int.h

@@ -876,6 +876,7 @@ typedef struct {
     UINT16                  ediv;       /* received ediv value from LTK request */
     UINT8                   key_size;
     tBTM_BLE_VSC_CB         cmn_ble_vsc_cb;
+    BOOLEAN                 addr_res_en;   /* internal use for test: address resolution enable/disable */
 #endif
 
     /* Packet types supported by the local device */

components/bt/host/nimble/nimble

@@ -1 +1 @@
-Subproject commit 43226b84d1dc9e333b8b3a3c0a69d74612f936ff
+Subproject commit 8b3951670c8f7a69874f64a85562b872c25ba02e

components/bt/porting/npl/freertos/src/npl_os_freertos.c

@@ -21,6 +21,7 @@
 #include "esp_log.h"
 #include "soc/soc_caps.h"
 #include "esp_bt.h"
+#include "bt_osi_mem.h"
 
 portMUX_TYPE ble_port_mutex = portMUX_INITIALIZER_UNLOCKED;
 
@@ -95,7 +96,7 @@ IRAM_ATTR npl_freertos_event_init(struct ble_npl_event *ev, ble_npl_event_fn *fn
     }
 #else
     if(!ev->event) {
-        ev->event = malloc(sizeof(struct ble_npl_event_freertos));
+        ev->event = bt_osi_mem_malloc_internal(sizeof(struct ble_npl_event_freertos));
     }
 #endif
     event = (struct ble_npl_event_freertos *)ev->event;
@@ -113,7 +114,7 @@ IRAM_ATTR npl_freertos_event_deinit(struct ble_npl_event *ev)
 #if OS_MEM_ALLOC
     os_memblock_put(&ble_freertos_ev_pool,ev->event);
 #else
-    free(ev->event);
+    bt_osi_mem_free(ev->event);
 #endif
     ev->event = NULL;
 }
@@ -144,7 +145,7 @@ npl_freertos_eventq_init(struct ble_npl_eventq *evq)
     }
 #else
     if(!evq->eventq) {
-        evq->eventq = malloc(sizeof(struct ble_npl_eventq_freertos));
+        evq->eventq = bt_osi_mem_malloc_internal(sizeof(struct ble_npl_eventq_freertos));
         eventq = (struct ble_npl_eventq_freertos*)evq->eventq;
         BLE_LL_ASSERT(eventq);
         memset(eventq, 0, sizeof(*eventq));
@@ -167,7 +168,7 @@ npl_freertos_eventq_deinit(struct ble_npl_eventq *evq)
 #if OS_MEM_ALLOC
     os_memblock_put(&ble_freertos_evq_pool,eventq);
 #else
-    free((void *)eventq);
+    bt_osi_mem_free((void *)eventq);
 #endif
     evq->eventq = NULL;
 }
@@ -357,7 +358,7 @@ npl_freertos_mutex_init(struct ble_npl_mutex *mu)
     }
 #else
     if(!mu->mutex) {
-        mu->mutex = malloc(sizeof(struct ble_npl_mutex_freertos));
+        mu->mutex = bt_osi_mem_malloc_internal(sizeof(struct ble_npl_mutex_freertos));
         mutex = (struct ble_npl_mutex_freertos *)mu->mutex;
 
         if (!mutex) {
@@ -388,7 +389,7 @@ npl_freertos_mutex_deinit(struct ble_npl_mutex *mu)
 #if OS_MEM_ALLOC
     os_memblock_put(&ble_freertos_mutex_pool,mutex);
 #else
-    free((void *)mutex);
+    bt_osi_mem_free((void *)mutex);
 #endif
     mu->mutex = NULL;
 
@@ -494,7 +495,7 @@ npl_freertos_sem_init(struct ble_npl_sem *sem, uint16_t tokens)
     }
 #else
     if(!sem->sem) {
-        sem->sem = malloc(sizeof(struct ble_npl_sem_freertos));
+        sem->sem = bt_osi_mem_malloc_internal(sizeof(struct ble_npl_sem_freertos));
         semaphore = (struct ble_npl_sem_freertos *)sem->sem;
 
         if (!semaphore) {
@@ -525,7 +526,7 @@ npl_freertos_sem_deinit(struct ble_npl_sem *sem)
 #if OS_MEM_ALLOC
     os_memblock_put(&ble_freertos_sem_pool,semaphore);
 #else
-    free((void *)semaphore);
+    bt_osi_mem_free((void *)semaphore);
 #endif
     sem->sem = NULL;
 
@@ -684,7 +685,7 @@ npl_freertos_callout_init(struct ble_npl_callout *co, struct ble_npl_eventq *evq
 #else
 
     if(!co->co) {
-        co->co = malloc(sizeof(struct ble_npl_callout_freertos));
+        co->co = bt_osi_mem_malloc_internal(sizeof(struct ble_npl_callout_freertos));
         callout = (struct ble_npl_callout_freertos *)co->co;
         if (!callout) {
             return -1;
@@ -704,7 +705,7 @@ npl_freertos_callout_init(struct ble_npl_callout *co, struct ble_npl_eventq *evq
 
         if (esp_timer_create(&create_args, &callout->handle) != ESP_OK) {
             ble_npl_event_deinit(&callout->ev);
-            free((void *)callout);
+            bt_osi_mem_free((void *)callout);
             co->co = NULL;
             return -1;
         }
@@ -713,7 +714,7 @@ npl_freertos_callout_init(struct ble_npl_callout *co, struct ble_npl_eventq *evq
 
         if (!callout->handle) {
             ble_npl_event_deinit(&callout->ev);
-            free((void *)callout);
+            bt_osi_mem_free((void *)callout);
             co->co = NULL;
             return -1;
         }
@@ -761,7 +762,7 @@ npl_freertos_callout_deinit(struct ble_npl_callout *co)
 #if OS_MEM_ALLOC
     os_memblock_put(&ble_freertos_co_pool,callout);
 #else
-    free((void *)callout);
+    bt_osi_mem_free((void *)callout);
 #endif // OS_MEM_ALLOC
     co->co = NULL;
     memset(co, 0, sizeof(struct ble_npl_callout));
@@ -1089,7 +1090,7 @@ struct npl_funcs_t * npl_freertos_funcs_get(void)
 
 void npl_freertos_funcs_init(void)
 {
-    npl_funcs = (struct npl_funcs_t *)malloc(sizeof(struct npl_funcs_t));
+    npl_funcs = (struct npl_funcs_t *)bt_osi_mem_malloc_internal(sizeof(struct npl_funcs_t));
     if(!npl_funcs) {
         printf("npl funcs init failed\n");
         assert(0);
@@ -1123,7 +1124,7 @@ int npl_freertos_mempool_init(void)
     ble_freertos_total_event_cnt = ble_total_evt_count;
 
     if (ble_total_evt_count) {
-        ble_freertos_ev_buf  = malloc(OS_MEMPOOL_SIZE(ble_total_evt_count,
+        ble_freertos_ev_buf  = bt_osi_mem_malloc_internal(OS_MEMPOOL_SIZE(ble_total_evt_count,
                                       sizeof (struct ble_npl_event_freertos)) *
                                       sizeof(os_membuf_t));
         if (!ble_freertos_ev_buf) {
@@ -1138,7 +1139,7 @@ int npl_freertos_mempool_init(void)
     }
 
     if (ble_total_evtq_count) {
-        ble_freertos_evq_buf  = malloc(OS_MEMPOOL_SIZE(ble_total_evtq_count,
+        ble_freertos_evq_buf  = bt_osi_mem_malloc_internal(OS_MEMPOOL_SIZE(ble_total_evtq_count,
                                        sizeof (struct ble_npl_eventq_freertos)) *
                                        sizeof(os_membuf_t));
         if (!ble_freertos_evq_buf) {
@@ -1153,7 +1154,7 @@ int npl_freertos_mempool_init(void)
     }
 
     if (ble_total_co_count) {
-        ble_freertos_co_buf  = malloc(OS_MEMPOOL_SIZE(ble_total_co_count,
+        ble_freertos_co_buf  = bt_osi_mem_malloc_internal(OS_MEMPOOL_SIZE(ble_total_co_count,
                                       sizeof (struct ble_npl_callout_freertos)) *
                                       sizeof(os_membuf_t));
         if (!ble_freertos_co_buf) {
@@ -1168,7 +1169,7 @@ int npl_freertos_mempool_init(void)
     }
 
     if (ble_total_sem_count) {
-        ble_freertos_sem_buf  = malloc(OS_MEMPOOL_SIZE(ble_total_sem_count,
+        ble_freertos_sem_buf  = bt_osi_mem_malloc_internal(OS_MEMPOOL_SIZE(ble_total_sem_count,
                                        sizeof (struct ble_npl_sem_freertos)) *
                                        sizeof(os_membuf_t));
         if (!ble_freertos_sem_buf) {
@@ -1183,7 +1184,7 @@ int npl_freertos_mempool_init(void)
     }
 
     if (ble_total_mutex_count) {
-        ble_freertos_mutex_buf  = malloc(OS_MEMPOOL_SIZE(ble_total_mutex_count,
+        ble_freertos_mutex_buf  = bt_osi_mem_malloc_internal(OS_MEMPOOL_SIZE(ble_total_mutex_count,
                                          sizeof (struct ble_npl_mutex_freertos)) *
                                          sizeof(os_membuf_t));
         if (!ble_freertos_mutex_buf) {
@@ -1200,27 +1201,27 @@ int npl_freertos_mempool_init(void)
     return 0;
 _error:
     if (ble_freertos_ev_buf) {
-        free(ble_freertos_ev_buf);
+        bt_osi_mem_free(ble_freertos_ev_buf);
         ble_freertos_ev_buf = NULL;
     }
 
     if (ble_freertos_evq_buf) {
-        free(ble_freertos_evq_buf);
+        bt_osi_mem_free(ble_freertos_evq_buf);
         ble_freertos_evq_buf = NULL;
     }
 
     if (ble_freertos_co_buf) {
-        free(ble_freertos_co_buf);
+        bt_osi_mem_free(ble_freertos_co_buf);
         ble_freertos_co_buf = NULL;
     }
 
     if (ble_freertos_sem_buf) {
-        free(ble_freertos_sem_buf);
+        bt_osi_mem_free(ble_freertos_sem_buf);
         ble_freertos_sem_buf = NULL;
     }
 
     if (ble_freertos_mutex_buf) {
-        free(ble_freertos_mutex_buf);
+        bt_osi_mem_free(ble_freertos_mutex_buf);
         ble_freertos_mutex_buf = NULL;
     }
     return -1;
@@ -1229,23 +1230,23 @@ _error:
 void npl_freertos_mempool_deinit(void)
 {
     if (ble_freertos_ev_buf) {
-        free(ble_freertos_ev_buf);
+        bt_osi_mem_free(ble_freertos_ev_buf);
         ble_freertos_ev_buf = NULL;
     }
     if (ble_freertos_evq_buf) {
-        free(ble_freertos_evq_buf);
+        bt_osi_mem_free(ble_freertos_evq_buf);
         ble_freertos_evq_buf = NULL;
     }
     if (ble_freertos_co_buf) {
-        free(ble_freertos_co_buf);
+        bt_osi_mem_free(ble_freertos_co_buf);
         ble_freertos_co_buf = NULL;
     }
     if (ble_freertos_sem_buf) {
-        free(ble_freertos_sem_buf);
+        bt_osi_mem_free(ble_freertos_sem_buf);
         ble_freertos_sem_buf = NULL;
     }
     if (ble_freertos_mutex_buf) {
-        free(ble_freertos_mutex_buf);
+        bt_osi_mem_free(ble_freertos_mutex_buf);
         ble_freertos_mutex_buf = NULL;
     }
 }
@@ -1253,7 +1254,7 @@ void npl_freertos_mempool_deinit(void)
 void npl_freertos_funcs_deinit(void)
 {
     if (npl_funcs) {
-        free(npl_funcs);
+        bt_osi_mem_free(npl_funcs);
     }
     npl_funcs = NULL;
 }

components/esp_rom/esp32c2/ld/esp32c2.rom.eco4.ld

@@ -874,7 +874,7 @@ r_ble_phy_get_pyld_time_offset = 0x4000181c;
 r_ble_phy_get_rx_phy_mode = 0x40001820;
 r_ble_phy_get_seq_end_st = 0x40001824;
 r_ble_phy_init = 0x40001828;
-r_ble_phy_isr = 0x4000182c;
+//r_ble_phy_isr = 0x4000182c;
 r_ble_phy_max_data_pdu_pyld = 0x40001830;
 r_ble_phy_mode_config = 0x40001834;
 r_ble_phy_mode_convert = 0x40001838;
@@ -952,7 +952,7 @@ r_get_peer_id_offset = 0x40001954;
 r_get_peer_irk_offset = 0x40001958;
 r_get_peer_rpa_offset = 0x4000195c;
 r_hal_rtc_intr_init = 0x40001960;
-r_hal_rtc_irq_handler = 0x40001964;
+//r_hal_rtc_irq_handler = 0x40001964;
 r_hal_timer_deinit = 0x40001968;
 r_hal_timer_disable_irq = 0x4000196c;
 r_hal_timer_env_init = 0x40001970;

components/esp_wifi/lib

@@ -1 +1 @@
-Subproject commit b6a8a3e02f0b6386916a82d97a3b7bece68d301a
+Subproject commit 5a165aca9498ed054ab7704cd6f89056189600e9

components/hal/Kconfig

@@ -103,4 +103,13 @@ menu "Hardware Abstraction Layer (HAL) and Low Level (LL)"
         help
             Enable this option to place SPI slave hal layer functions into IRAM.
 
+    config HAL_ECDSA_GEN_SIG_CM
+        bool "Enable countermeasure for ECDSA signature generation"
+        default n
+        # ToDo - IDF-11051
+        help
+            Enable this option to apply the countermeasure for ECDSA signature operation
+            This countermeasure masks the real ECDSA sign operation
+            under dummy sign operations to add randomness in the generated power signature.
+
 endmenu

components/hal/ecdsa_hal.c

@@ -9,6 +9,11 @@
 #include "hal/ecdsa_hal.h"
 #include "hal/efuse_hal.h"
 
+#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+#include "esp_fault.h"
+#include "esp_random.h"
+#endif
+
 #define ECDSA_HAL_P192_COMPONENT_LEN        24
 #define ECDSA_HAL_P256_COMPONENT_LEN        32
 
@@ -26,23 +31,9 @@ bool ecdsa_hal_get_operation_result(void)
     return ecdsa_ll_get_operation_result();
 }
 
-void ecdsa_hal_gen_signature(ecdsa_hal_config_t *conf, const uint8_t *hash,
-                            uint8_t *r_out, uint8_t *s_out, uint16_t len)
+static void ecdsa_hal_gen_signature_inner(const uint8_t *hash, uint8_t *r_out,
+                              uint8_t *s_out, uint16_t len)
 {
-    if (len != ECDSA_HAL_P192_COMPONENT_LEN && len != ECDSA_HAL_P256_COMPONENT_LEN) {
-        HAL_ASSERT(false && "Incorrect length");
-    }
-
-    if (conf->sha_mode == ECDSA_Z_USER_PROVIDED && hash == NULL) {
-        HAL_ASSERT(false && "Mismatch in SHA configuration");
-    }
-
-    if (ecdsa_ll_get_state() != ECDSA_STATE_IDLE) {
-        HAL_ASSERT(false && "Incorrect ECDSA state");
-    }
-
-    configure_ecdsa_periph(conf);
-
     ecdsa_ll_set_stage(ECDSA_STAGE_START_CALC);
 
     while(ecdsa_ll_get_state() != ECDSA_STATE_LOAD) {
@@ -67,6 +58,63 @@ void ecdsa_hal_gen_signature(ecdsa_hal_config_t *conf, const uint8_t *hash,
     }
 }
 
+#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+__attribute__((optimize("O0"))) static void ecdsa_hal_gen_signature_with_countermeasure(const uint8_t *hash, uint8_t *r_out,
+                       uint8_t *s_out, uint16_t len)
+{
+    uint8_t tmp_r_out[32] = {};
+    uint8_t tmp_s_out[32] = {};
+    uint8_t tmp_hash[64] = {};
+
+    uint8_t dummy_op_count_prior = esp_random() % ECDSA_SIGN_MAX_DUMMY_OP_COUNT;
+    uint8_t dummy_op_count_later = ECDSA_SIGN_MAX_DUMMY_OP_COUNT - dummy_op_count_prior;
+    ESP_FAULT_ASSERT((dummy_op_count_prior != 0) || (dummy_op_count_later != 0));
+    ESP_FAULT_ASSERT(dummy_op_count_prior + dummy_op_count_later == ECDSA_SIGN_MAX_DUMMY_OP_COUNT);
+
+    esp_fill_random(tmp_hash, 64);
+    /* Dummy ecdsa signature operations prior to the actual one */
+    for (int i = 0; i < dummy_op_count_prior; i++) {
+        ecdsa_hal_gen_signature_inner(tmp_hash + ((6 * i) % 32), (uint8_t *) tmp_r_out, (uint8_t *) tmp_s_out, len);
+    }
+
+    /* Actual ecdsa signature operation */
+    ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len);
+
+    /* Dummy ecdsa signature operations after the actual one */
+    for (int i = 0; i < dummy_op_count_later; i++) {
+        ecdsa_hal_gen_signature_inner(tmp_hash + ((6 * i) % 32), (uint8_t *)tmp_r_out, (uint8_t *)tmp_s_out, len);
+    }
+
+}
+#endif /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
+
+
+
+void ecdsa_hal_gen_signature(ecdsa_hal_config_t *conf, const uint8_t *hash,
+                        uint8_t *r_out, uint8_t *s_out, uint16_t len)
+{
+    if (len != ECDSA_HAL_P192_COMPONENT_LEN && len != ECDSA_HAL_P256_COMPONENT_LEN) {
+        HAL_ASSERT(false && "Incorrect length");
+    }
+
+    if (conf->sha_mode == ECDSA_Z_USER_PROVIDED && hash == NULL) {
+        HAL_ASSERT(false && "Mismatch in SHA configuration");
+    }
+
+    if (ecdsa_ll_get_state() != ECDSA_STATE_IDLE) {
+        HAL_ASSERT(false && "Incorrect ECDSA state");
+    }
+
+    configure_ecdsa_periph(conf);
+
+#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+    ecdsa_hal_gen_signature_with_countermeasure(hash, r_out, s_out, len);
+#else /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
+    ecdsa_hal_gen_signature_inner(hash, r_out, s_out, len);
+#endif /* !CONFIG_HAL_ECDSA_GEN_SIG_CM */
+
+}
+
 int ecdsa_hal_verify_signature(ecdsa_hal_config_t *conf, const uint8_t *hash, const uint8_t *r, const uint8_t *s,
                                const uint8_t *pub_x, const uint8_t *pub_y, uint16_t len)
 {

components/hal/include/hal/ecdsa_hal.h

@@ -15,11 +15,23 @@
 #include <stdbool.h>
 #include <stdint.h>
 #include "hal/ecdsa_types.h"
+#include "sdkconfig.h"
 
 #ifdef __cplusplus
 extern "C" {
 #endif
 
+#if CONFIG_HAL_ECDSA_GEN_SIG_CM
+
+#define ECDSA_SIGN_MAX_DUMMY_OP_COUNT 0x7
+
+/* This value defines the maximum dummy operation count for the ECDSA signature countermeasure.
+   Higher the number, better the countermeasure's effectiveness against attacks.
+   At the same time higher number leads to slower performance.
+   After the countermeasure is enabled, hardware ECDSA signature operation
+   shall take time approximately equal to original time multiplied by this number.
+   If you observe that the reduced performance is affecting your use-case then you may try reducing this time to the minimum. */
+#endif /* CONFIG_HAL_ECDSA_GEN_SIG_CM */
 /*
  * ECDSA peripheral config structure
  */

components/mbedtls/CMakeLists.txt

@@ -317,6 +317,19 @@ if(CONFIG_ESP_TLS_USE_DS_PERIPHERAL)
     set_property(TARGET mbedcrypto APPEND PROPERTY LINK_INTERFACE_MULTIPLICITY 6)
 endif()
 
+# Additional optional dependencies for the mbedcrypto library
+function(mbedcrypto_optional_deps component_name)
+    idf_build_get_property(components BUILD_COMPONENTS)
+    if(${component_name} IN_LIST components)
+        idf_component_get_property(lib_name ${component_name} COMPONENT_LIB)
+        target_link_libraries(mbedcrypto PRIVATE ${lib_name})
+    endif()
+endfunction()
+
+if(CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM)
+    mbedcrypto_optional_deps(esp_timer idf::esp_timer)
+endif()
+
 # Link esp-cryptoauthlib to mbedtls
 if(CONFIG_ATCA_MBEDTLS_ECDSA)
     idf_component_optional_requires(PRIVATE espressif__esp-cryptoauthlib esp-cryptoauthlib)

components/mbedtls/Kconfig

@@ -511,6 +511,37 @@ menu "mbedTLS"
             The key should be burnt in little endian format. espefuse.py utility handles it internally
             but care needs to be taken while burning using esp_efuse APIs
 
+    menu "Enable Software Countermeasure for ECDSA signing using on-chip ECDSA peripheral"
+        depends on MBEDTLS_HARDWARE_ECDSA_SIGN
+        depends on IDF_TARGET_ESP32H2
+        config MBEDTLS_HARDWARE_ECDSA_SIGN_MASKING_CM
+            bool "Mask original ECDSA sign operation under dummy sign operations"
+            select HAL_ECDSA_GEN_SIG_CM
+            # ToDo: IDF-11051
+            default y
+            help
+                The ECDSA peripheral before ECO5 does not offer constant time ECDSA sign operation.
+                This time can be observed through power profiling of the device,
+                making the ECDSA private key vulnerable to side-channel timing attacks.
+                This countermeasure masks the real ECDSA sign operation
+                under dummy sign operations to add randomness in the generated power signature.
+                It is highly recommended to also enable Secure Boot for the device in addition to this countermeasure
+                so that only trusted software can execute on the device.
+
+        config MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
+            bool "Make ECDSA signature operation pseudo constant time for software"
+            default y
+            help
+                This option adds a delay after the actual ECDSA signature operation
+                so that the entire operation appears to be constant time for the software.
+                This fix helps in protecting the device only in case of remote timing attack on the ECDSA private key.
+                For e.g., When an interface is exposed by the device to perform ECDSA signature
+                of an arbitrary message.
+                The signature time would appear to be constant to the external entity after enabling
+                this option.
+
+    endmenu
+
     config MBEDTLS_HARDWARE_ECDSA_VERIFY
         bool "Enable ECDSA signature verification using on-chip ECDSA peripheral"
         default y

components/mbedtls/port/ecdsa/ecdsa_alt.c

@@ -20,6 +20,28 @@
 #define ECDSA_SHA_LEN               32
 #define MAX_ECDSA_COMPONENT_LEN     32
 
+#if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
+#include "esp_timer.h"
+
+#if CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH
+/*
+ * This is the maximum time (in us) required for performing 1 ECDSA signature
+ * in this configuration along some additional margin considerations
+ */
+#define ECDSA_MAX_SIG_TIME 24000
+#else /* CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH */
+#define ECDSA_MAX_SIG_TIME  17500
+#endif /* !CONFIG_ESP_CRYPTO_DPA_PROTECTION_LEVEL_HIGH */
+
+#if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_MASKING_CM
+#define DUMMY_OP_COUNT ECDSA_SIGN_MAX_DUMMY_OP_COUNT
+#else /* CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_MASKING_CM */
+#define DUMMY_OP_COUNT 0
+#endif /* !CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_MASKING_CM */
+#define ECDSA_CM_FIXED_SIG_TIME ECDSA_MAX_SIG_TIME * (DUMMY_OP_COUNT + 1)
+
+#endif /* CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM */
+
 __attribute__((unused)) static const char *TAG = "ecdsa_alt";
 
 static void esp_ecdsa_acquire_hardware(void)
@@ -148,8 +170,16 @@ static int esp_ecdsa_sign(mbedtls_ecp_group *grp, mbedtls_mpi* r, mbedtls_mpi* s
             .efuse_key_blk = d->MBEDTLS_PRIVATE(n),
         };
 
+#if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
+        uint64_t sig_time = esp_timer_get_time();
+#endif
         ecdsa_hal_gen_signature(&conf, sha_le, r_le, s_le, len);
-
+#if CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN_CONSTANT_TIME_CM
+        sig_time = esp_timer_get_time() - sig_time;
+        if (sig_time < ECDSA_CM_FIXED_SIG_TIME) {
+            esp_rom_delay_us(ECDSA_CM_FIXED_SIG_TIME - sig_time);
+        }
+#endif
         process_again = !ecdsa_hal_get_operation_result()
                         || !memcmp(r_le, zeroes, len)
                         || !memcmp(s_le, zeroes, len);

components/wpa_supplicant/src/common/sae.c

@@ -1570,6 +1570,7 @@ static int sae_derive_keys(struct sae_data *sae, const u8 *k)
 	os_memcpy(sae->tmp->kck, keys, hash_len);
 	sae->tmp->kck_len = hash_len;
 	os_memcpy(sae->pmk, keys + hash_len, SAE_PMK_LEN);
+	sae->pmk_len = SAE_PMK_LEN;
 	os_memcpy(sae->pmkid, val, SAE_PMKID_LEN);
 
 #ifdef CONFIG_SAE_PK

examples/bluetooth/blufi/main/blufi_init.c

@@ -227,6 +227,12 @@ esp_err_t esp_blufi_host_deinit(void)
 {
     esp_err_t ret = ESP_OK;
 
+    ret = nimble_port_stop();
+
+    if (ret == 0) {
+        esp_nimble_deinit();
+    }
+
     ret = esp_blufi_profile_deinit();
     if(ret != ESP_OK) {
         return ret;
@@ -234,11 +240,6 @@ esp_err_t esp_blufi_host_deinit(void)
 
     esp_blufi_btc_deinit();
 
-    ret = nimble_port_stop();
-    if (ret == 0) {
-        esp_nimble_deinit();
-    }
-
     return ret;
 }