[hmac_sha256] Migrate to PSA Crypto MAC API for ESP-IDF 6.0 (#14814)

esphome/components/hmac_sha256/hmac_sha256.cpp

@@ -7,7 +7,55 @@ namespace esphome::hmac_sha256 {
 
 constexpr size_t SHA256_DIGEST_SIZE = 32;
 
-#if defined(USE_ESP32) || defined(USE_LIBRETINY)
+#if defined(USE_HMAC_SHA256_PSA)
+
+// ESP-IDF 6.0 ships mbedtls 4.0 which removed the legacy mbedtls_md HMAC API.
+// Use the PSA Crypto MAC API instead.
+
+HmacSHA256::~HmacSHA256() {
+  psa_mac_abort(&this->op_);
+  psa_destroy_key(this->key_id_);
+}
+
+void HmacSHA256::init(const uint8_t *key, size_t len) {
+  psa_mac_abort(&this->op_);
+  psa_destroy_key(this->key_id_);
+
+  psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+  psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
+  psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
+  psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+  psa_import_key(&attributes, key, len, &this->key_id_);
+
+  this->op_ = PSA_MAC_OPERATION_INIT;
+  psa_mac_sign_setup(&this->op_, this->key_id_, PSA_ALG_HMAC(PSA_ALG_SHA_256));
+}
+
+void HmacSHA256::add(const uint8_t *data, size_t len) { psa_mac_update(&this->op_, data, len); }
+
+void HmacSHA256::calculate() {
+  size_t mac_length;
+  psa_mac_sign_finish(&this->op_, this->digest_, sizeof(this->digest_), &mac_length);
+}
+
+void HmacSHA256::get_bytes(uint8_t *output) { memcpy(output, this->digest_, SHA256_DIGEST_SIZE); }
+
+void HmacSHA256::get_hex(char *output) {
+  format_hex_to(output, SHA256_DIGEST_SIZE * 2 + 1, this->digest_, SHA256_DIGEST_SIZE);
+}
+
+bool HmacSHA256::equals_bytes(const uint8_t *expected) {
+  return memcmp(this->digest_, expected, SHA256_DIGEST_SIZE) == 0;
+}
+
+bool HmacSHA256::equals_hex(const char *expected) {
+  char hex_output[SHA256_DIGEST_SIZE * 2 + 1];
+  this->get_hex(hex_output);
+  hex_output[SHA256_DIGEST_SIZE * 2] = '\0';
+  return strncmp(hex_output, expected, SHA256_DIGEST_SIZE * 2) == 0;
+}
+
+#elif defined(USE_HMAC_SHA256_MBEDTLS)
 
 HmacSHA256::~HmacSHA256() { mbedtls_md_free(&this->ctx_); }
 
@@ -93,7 +141,7 @@ bool HmacSHA256::equals_bytes(const uint8_t *expected) { return this->ohash_.equ
 
 bool HmacSHA256::equals_hex(const char *expected) { return this->ohash_.equals_hex(expected); }
 
-#endif  // USE_ESP32 || USE_LIBRETINY
+#endif  // USE_HMAC_SHA256_PSA / USE_HMAC_SHA256_MBEDTLS
 
 }  // namespace esphome::hmac_sha256
 #endif

esphome/components/hmac_sha256/hmac_sha256.h

@@ -5,7 +5,19 @@
 
 #include <string>
 
-#if defined(USE_ESP32) || defined(USE_LIBRETINY)
+#if defined(USE_ESP32)
+#include <esp_idf_version.h>
+#if ESP_IDF_VERSION >= ESP_IDF_VERSION_VAL(6, 0, 0)
+// mbedtls 4.0 (IDF 6.0) removed the legacy mbedtls_md HMAC API.
+// Use the PSA Crypto MAC API instead.
+#define USE_HMAC_SHA256_PSA
+#include <psa/crypto.h>
+#else
+#define USE_HMAC_SHA256_MBEDTLS
+#include "mbedtls/md.h"
+#endif
+#elif defined(USE_LIBRETINY)
+#define USE_HMAC_SHA256_MBEDTLS
 #include "mbedtls/md.h"
 #else
 #include "esphome/components/sha256/sha256.h"
@@ -45,7 +57,12 @@ class HmacSHA256 {
   bool equals_hex(const char *expected);
 
  protected:
-#if defined(USE_ESP32) || defined(USE_LIBRETINY)
+#if defined(USE_HMAC_SHA256_PSA)
+  static constexpr size_t SHA256_DIGEST_SIZE = 32;
+  psa_mac_operation_t op_ = PSA_MAC_OPERATION_INIT;
+  mbedtls_svc_key_id_t key_id_ = MBEDTLS_SVC_KEY_ID_INIT;
+  uint8_t digest_[SHA256_DIGEST_SIZE]{};
+#elif defined(USE_HMAC_SHA256_MBEDTLS)
   static constexpr size_t SHA256_DIGEST_SIZE = 32;
   mbedtls_md_context_t ctx_{};
   uint8_t digest_[SHA256_DIGEST_SIZE]{};