diff --git a/src/app/icd/ICDMonitoringTable.h b/src/app/icd/ICDMonitoringTable.h index cf5fa28b4f1138..2e072981984f2a 100644 --- a/src/app/icd/ICDMonitoringTable.h +++ b/src/app/icd/ICDMonitoringTable.h @@ -98,7 +98,7 @@ struct ICDMonitoringEntry : public PersistentData chip::FabricIndex fabricIndex = kUndefinedFabricIndex; chip::NodeId checkInNodeID = kUndefinedNodeId; uint64_t monitoredSubject = static_cast(0); - Crypto::Aes128KeyHandle key = Crypto::Aes128KeyHandle(); + Crypto::Aes128BitsKeyHandle key = Crypto::Aes128BitsKeyHandle(); bool keyHandleValid = false; uint16_t index = 0; Crypto::SymmetricKeystore * symmetricKeystore = nullptr; diff --git a/src/credentials/GroupDataProviderImpl.h b/src/credentials/GroupDataProviderImpl.h index c06165b59ea6a3..500e63b8fcda45 100644 --- a/src/credentials/GroupDataProviderImpl.h +++ b/src/credentials/GroupDataProviderImpl.h @@ -201,8 +201,8 @@ class GroupDataProviderImpl : public GroupDataProvider protected: GroupDataProviderImpl & mProvider; uint16_t mKeyHash = 0; - Crypto::Aes128KeyHandle mEncryptionKey; - Crypto::Aes128KeyHandle mPrivacyKey; + Crypto::Aes128BitsKeyHandle mEncryptionKey; + Crypto::Aes128BitsKeyHandle mPrivacyKey; }; class KeySetIteratorImpl : public KeySetIterator diff --git a/src/crypto/CHIPCryptoPAL.cpp b/src/crypto/CHIPCryptoPAL.cpp index 1154d25a6b5d2a..ae0943ce7c120b 100644 --- a/src/crypto/CHIPCryptoPAL.cpp +++ b/src/crypto/CHIPCryptoPAL.cpp @@ -233,6 +233,11 @@ CHIP_ERROR Find16BitUpperCaseHexAfterPrefix(const ByteSpan & buffer, const char } // namespace +Symmetric128BitsKeyHandle::~Symmetric128BitsKeyHandle() +{ + ClearSecretData(mContext.mOpaque); +} + using HKDF_sha_crypto = HKDF_sha; CHIP_ERROR Spake2p::InternalHash(const uint8_t * in, size_t in_len) @@ -779,7 +784,7 @@ CHIP_ERROR EcdsaAsn1SignatureToRaw(size_t fe_length_bytes, const ByteSpan & asn1 return CHIP_NO_ERROR; } -CHIP_ERROR AES_CTR_crypt(const uint8_t * input, size_t input_length, const Aes128KeyHandle & key, const uint8_t * nonce, +CHIP_ERROR AES_CTR_crypt(const uint8_t * input, size_t input_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * output) { // Discard tag portion of CCM to apply only CTR mode encryption/decryption. diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index 924b1f768d7ef0..5bac2b54377788 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h @@ -574,11 +574,15 @@ using Symmetric128BitsKeyByteArray = uint8_t[CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BY * * @note Symmetric128BitsKeyHandle is an abstract class to force child classes for each key handle type. * Symmetric128BitsKeyHandle class implements all the necessary components for handles. - * Child classes only need to implement a constructor and delete all the copy operators. + * Child classes only need to implement a constructor, implement a destructor and delete all the copy operators. */ class Symmetric128BitsKeyHandle { public: + Symmetric128BitsKeyHandle() = default; + // Destructor is implemented in the .cpp. It is pure virtual only to force the class to be abstract. + virtual ~Symmetric128BitsKeyHandle() = 0; + Symmetric128BitsKeyHandle(const Symmetric128BitsKeyHandle &) = delete; Symmetric128BitsKeyHandle(Symmetric128BitsKeyHandle &&) = delete; void operator=(const Symmetric128BitsKeyHandle &) = delete; @@ -602,10 +606,6 @@ class Symmetric128BitsKeyHandle return *SafePointerCast(&mContext); } -protected: - Symmetric128BitsKeyHandle() = default; - ~Symmetric128BitsKeyHandle() { ClearSecretData(mContext.mOpaque); } - private: static constexpr size_t kContextSize = CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES; @@ -618,29 +618,31 @@ class Symmetric128BitsKeyHandle /** * @brief Platform-specific AES key handle */ -class Aes128KeyHandle final : public Symmetric128BitsKeyHandle +class Aes128BitsKeyHandle : public Symmetric128BitsKeyHandle { public: - Aes128KeyHandle() = default; + Aes128BitsKeyHandle() = default; + virtual ~Aes128BitsKeyHandle() {} - Aes128KeyHandle(const Aes128KeyHandle &) = delete; - Aes128KeyHandle(Aes128KeyHandle &&) = delete; - void operator=(const Aes128KeyHandle &) = delete; - void operator=(Aes128KeyHandle &&) = delete; + Aes128BitsKeyHandle(const Aes128BitsKeyHandle &) = delete; + Aes128BitsKeyHandle(Aes128BitsKeyHandle &&) = delete; + void operator=(const Aes128BitsKeyHandle &) = delete; + void operator=(Aes128BitsKeyHandle &&) = delete; }; /** * @brief Platform-specific HMAC key handle */ -class Hmac128KeyHandle final : public Symmetric128BitsKeyHandle +class Hmac128BitsKeyHandle : public Symmetric128BitsKeyHandle { public: - Hmac128KeyHandle() = default; + Hmac128BitsKeyHandle() = default; + virtual ~Hmac128BitsKeyHandle() {} - Hmac128KeyHandle(const Hmac128KeyHandle &) = delete; - Hmac128KeyHandle(Hmac128KeyHandle &&) = delete; - void operator=(const Hmac128KeyHandle &) = delete; - void operator=(Hmac128KeyHandle &&) = delete; + Hmac128BitsKeyHandle(const Hmac128BitsKeyHandle &) = delete; + Hmac128BitsKeyHandle(Hmac128BitsKeyHandle &&) = delete; + void operator=(const Hmac128BitsKeyHandle &) = delete; + void operator=(Hmac128BitsKeyHandle &&) = delete; }; /** @@ -730,7 +732,7 @@ CHIP_ERROR ConvertIntegerRawToDerWithoutTag(const ByteSpan & raw_integer, Mutabl * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise * */ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length); /** @@ -754,7 +756,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise **/ CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_length, const uint8_t * aad, size_t aad_length, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext); /** @@ -773,7 +775,7 @@ CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_length, * @param output Buffer to write output into * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise **/ -CHIP_ERROR AES_CTR_crypt(const uint8_t * input, size_t input_length, const Aes128KeyHandle & key, const uint8_t * nonce, +CHIP_ERROR AES_CTR_crypt(const uint8_t * input, size_t input_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * output); /** @@ -980,31 +982,6 @@ class HMAC_sha virtual CHIP_ERROR HMAC_SHA256(const uint8_t * key, size_t key_length, const uint8_t * message, size_t message_length, uint8_t * out_buffer, size_t out_length); - - /** - * @brief A function that implements SHA-256 based HMAC per FIPS1981. - * - * This implements the CHIP_Crypto_HMAC() cryptographic primitive - * in the the specification. - * - * The `out_length` must be at least kSHA256_Hash_Length, and only - * kSHA256_Hash_Length bytes are written to out_buffer. - * - * Error values are: - * - CHIP_ERROR_INVALID_ARGUMENT: for any bad arguments or nullptr input on - * any pointer. - * - CHIP_ERROR_INTERNAL: for any unexpected error arising in the underlying - * cryptographic layers. - * - * @param key The HMAC Key handle to use for the HMAC operation - * @param message Message over which to compute the HMAC - * @param message_length Length of the message over which to compute the HMAC - * @param out_buffer Pointer to buffer into which to write the output. - * @param out_length Underlying size of the `out_buffer`. - * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise - **/ - virtual CHIP_ERROR HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, - uint8_t * out_buffer, size_t out_length); }; /** diff --git a/src/crypto/CHIPCryptoPALOpenSSL.cpp b/src/crypto/CHIPCryptoPALOpenSSL.cpp index f9751d5cd2f24b..51e2f0ddb8eec3 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.cpp +++ b/src/crypto/CHIPCryptoPALOpenSSL.cpp @@ -147,7 +147,7 @@ static int _compareDaysAndSeconds(const int days, const int seconds) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { #if CHIP_CRYPTO_BORINGSSL @@ -282,7 +282,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_length, const uint8_t * aad, size_t aad_length, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { #if CHIP_CRYPTO_BORINGSSL @@ -598,13 +598,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return error; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp index 8a72e4ba356eb1..04d8d248935d8b 100644 --- a/src/crypto/CHIPCryptoPALPSA.cpp +++ b/src/crypto/CHIPCryptoPALPSA.cpp @@ -69,7 +69,7 @@ bool isValidTag(const uint8_t * tag, size_t tag_length) } // namespace CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { VerifyOrReturnError(isBufferNonEmpty(nonce, nonce_length), CHIP_ERROR_INVALID_ARGUMENT); @@ -123,7 +123,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_length, const uint8_t * aad, size_t aad_length, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { VerifyOrReturnError(isBufferNonEmpty(nonce, nonce_length), CHIP_ERROR_INVALID_ARGUMENT); @@ -364,21 +364,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return CHIP_NO_ERROR; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - VerifyOrReturnError(isBufferNonEmpty(message, message_length), CHIP_ERROR_INVALID_ARGUMENT); - VerifyOrReturnError(out_buffer != nullptr && out_length == PSA_HASH_LENGTH(PSA_ALG_SHA_256), CHIP_ERROR_INVALID_ARGUMENT); - - const psa_algorithm_t algorithm = PSA_ALG_HMAC(PSA_ALG_SHA_256); - psa_status_t status = PSA_SUCCESS; - - status = psa_mac_compute(key.As(), algorithm, message, message_length, out_buffer, out_length, &out_length); - VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL); - - return CHIP_NO_ERROR; -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * pass, size_t pass_length, const uint8_t * salt, size_t salt_length, unsigned int iteration_count, uint32_t key_length, uint8_t * key) { diff --git a/src/crypto/CHIPCryptoPALmbedTLS.cpp b/src/crypto/CHIPCryptoPALmbedTLS.cpp index ede17ac208a97a..f325995384fd5d 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.cpp +++ b/src/crypto/CHIPCryptoPALmbedTLS.cpp @@ -75,7 +75,7 @@ static bool _isValidTagLength(size_t tag_length) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -113,7 +113,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -325,13 +325,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return CHIP_NO_ERROR; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/crypto/PSASessionKeystore.cpp b/src/crypto/PSASessionKeystore.cpp index 28f8f002e16a1c..515ef83bf1ffd9 100644 --- a/src/crypto/PSASessionKeystore.cpp +++ b/src/crypto/PSASessionKeystore.cpp @@ -53,7 +53,7 @@ class HmacKeyAttributes HmacKeyAttributes() { psa_set_key_type(&mAttrs, PSA_KEY_TYPE_HMAC); - psa_set_key_algorithm(&mAttrs, PSA_ALG_HMAC(PSA_ALG_SHA_256)); + psa_set_key_algorithm(&mAttrs, PSA_ALG_HMAC(PSA_ALG_ANY_HASH)); psa_set_key_usage_flags(&mAttrs, PSA_KEY_USAGE_SIGN_MESSAGE); psa_set_key_bits(&mAttrs, CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES * 8); } @@ -68,7 +68,7 @@ class HmacKeyAttributes } // namespace -CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128KeyHandle & key) +CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128BitsKeyHandle & key) { // Destroy the old key if already allocated psa_destroy_key(key.As()); @@ -81,7 +81,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke return CHIP_NO_ERROR; } -CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128KeyHandle & key) +CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128BitsKeyHandle & key) { // Destroy the old key if already allocated psa_destroy_key(key.As()); @@ -96,7 +96,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke } CHIP_ERROR PSASessionKeystore::DeriveKey(const P256ECDHDerivedSecret & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & key) + Aes128BitsKeyHandle & key) { PsaKdf kdf; ReturnErrorOnFailure(kdf.Init(PSA_ALG_HKDF(PSA_ALG_SHA_256), secret.Span(), salt, info)); @@ -107,7 +107,7 @@ CHIP_ERROR PSASessionKeystore::DeriveKey(const P256ECDHDerivedSecret & secret, c } CHIP_ERROR PSASessionKeystore::DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & i2rKey, Aes128KeyHandle & r2iKey, + Aes128BitsKeyHandle & i2rKey, Aes128BitsKeyHandle & r2iKey, AttestationChallenge & attestationChallenge) { PsaKdf kdf; diff --git a/src/crypto/PSASessionKeystore.h b/src/crypto/PSASessionKeystore.h index 690194fcd4314d..92190b2e4a883c 100644 --- a/src/crypto/PSASessionKeystore.h +++ b/src/crypto/PSASessionKeystore.h @@ -25,12 +25,13 @@ namespace Crypto { class PSASessionKeystore : public SessionKeystore { public: - CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128KeyHandle & key) override; - CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128KeyHandle & key) override; + CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128BitsKeyHandle & key) override; + CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128BitsKeyHandle & key) override; CHIP_ERROR DeriveKey(const P256ECDHDerivedSecret & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & key) override; - CHIP_ERROR DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, Aes128KeyHandle & i2rKey, - Aes128KeyHandle & r2iKey, AttestationChallenge & attestationChallenge) override; + Aes128BitsKeyHandle & key) override; + CHIP_ERROR DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, + Aes128BitsKeyHandle & i2rKey, Aes128BitsKeyHandle & r2iKey, + AttestationChallenge & attestationChallenge) override; void DestroyKey(Symmetric128BitsKeyHandle & key) override; }; diff --git a/src/crypto/RawKeySessionKeystore.cpp b/src/crypto/RawKeySessionKeystore.cpp index 949d30a857ee53..266a6e63c00559 100644 --- a/src/crypto/RawKeySessionKeystore.cpp +++ b/src/crypto/RawKeySessionKeystore.cpp @@ -24,20 +24,20 @@ namespace Crypto { using HKDF_sha_crypto = HKDF_sha; -CHIP_ERROR RawKeySessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128KeyHandle & key) +CHIP_ERROR RawKeySessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128BitsKeyHandle & key) { memcpy(key.AsMutable(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray)); return CHIP_NO_ERROR; } -CHIP_ERROR RawKeySessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128KeyHandle & key) +CHIP_ERROR RawKeySessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128BitsKeyHandle & key) { memcpy(key.AsMutable(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray)); return CHIP_NO_ERROR; } CHIP_ERROR RawKeySessionKeystore::DeriveKey(const P256ECDHDerivedSecret & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & key) + Aes128BitsKeyHandle & key) { HKDF_sha_crypto hkdf; @@ -46,7 +46,7 @@ CHIP_ERROR RawKeySessionKeystore::DeriveKey(const P256ECDHDerivedSecret & secret } CHIP_ERROR RawKeySessionKeystore::DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & i2rKey, Aes128KeyHandle & r2iKey, + Aes128BitsKeyHandle & i2rKey, Aes128BitsKeyHandle & r2iKey, AttestationChallenge & attestationChallenge) { HKDF_sha_crypto hkdf; diff --git a/src/crypto/RawKeySessionKeystore.h b/src/crypto/RawKeySessionKeystore.h index 51f6c927500b7c..4e7930bed4b233 100644 --- a/src/crypto/RawKeySessionKeystore.h +++ b/src/crypto/RawKeySessionKeystore.h @@ -25,12 +25,13 @@ namespace Crypto { class RawKeySessionKeystore : public SessionKeystore { public: - CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128KeyHandle & key) override; - CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128KeyHandle & key) override; + CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128BitsKeyHandle & key) override; + CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128BitsKeyHandle & key) override; CHIP_ERROR DeriveKey(const P256ECDHDerivedSecret & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & key) override; - CHIP_ERROR DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, Aes128KeyHandle & i2rKey, - Aes128KeyHandle & r2iKey, AttestationChallenge & attestationChallenge) override; + Aes128BitsKeyHandle & key) override; + CHIP_ERROR DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, + Aes128BitsKeyHandle & i2rKey, Aes128BitsKeyHandle & r2iKey, + AttestationChallenge & attestationChallenge) override; void DestroyKey(Symmetric128BitsKeyHandle & key) override; }; diff --git a/src/crypto/SessionKeystore.h b/src/crypto/SessionKeystore.h index dbf0ea3996bfe2..425db857a39149 100644 --- a/src/crypto/SessionKeystore.h +++ b/src/crypto/SessionKeystore.h @@ -45,7 +45,7 @@ class SessionKeystore * If the method returns no error, the application is responsible for destroying the handle * using the DestroyKey() method when the key is no longer needed. */ - virtual CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128KeyHandle & key) = 0; + virtual CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Aes128BitsKeyHandle & key) = 0; /** * @brief Import raw key material and return a key handle for a key that can be used to do 128-bit HMAC. @@ -57,7 +57,7 @@ class SessionKeystore * If the method returns no error, the application is responsible for destroying the handle * using the DestroyKey() method when the key is no longer needed. */ - virtual CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128KeyHandle & key) = 0; + virtual CHIP_ERROR CreateKey(const Symmetric128BitsKeyByteArray & keyMaterial, Hmac128BitsKeyHandle & key) = 0; /** * @brief Derive key from a shared secret. @@ -68,7 +68,7 @@ class SessionKeystore * using DestroyKey() method when the key is no longer needed. */ virtual CHIP_ERROR DeriveKey(const P256ECDHDerivedSecret & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & key) = 0; + Aes128BitsKeyHandle & key) = 0; /** * @brief Derive session keys from a shared secret. @@ -81,7 +81,7 @@ class SessionKeystore * release all handles that it allocated so far. */ virtual CHIP_ERROR DeriveSessionKeys(const ByteSpan & secret, const ByteSpan & salt, const ByteSpan & info, - Aes128KeyHandle & i2rKey, Aes128KeyHandle & r2iKey, + Aes128BitsKeyHandle & i2rKey, Aes128BitsKeyHandle & r2iKey, AttestationChallenge & attestationChallenge) = 0; /** @@ -102,11 +102,11 @@ class AutoReleaseSessionKey explicit AutoReleaseSessionKey(SessionKeystore & keystore) : mKeystore(keystore) {} ~AutoReleaseSessionKey() { mKeystore.DestroyKey(mKeyHandle); } - Aes128KeyHandle & KeyHandle() { return mKeyHandle; } + Aes128BitsKeyHandle & KeyHandle() { return mKeyHandle; } private: SessionKeystore & mKeystore; - Aes128KeyHandle mKeyHandle; + Aes128BitsKeyHandle mKeyHandle; }; } // namespace Crypto diff --git a/src/crypto/tests/CHIPCryptoPALTest.cpp b/src/crypto/tests/CHIPCryptoPALTest.cpp index 59ce99ad6dac84..6c7537e3820e4f 100644 --- a/src/crypto/tests/CHIPCryptoPALTest.cpp +++ b/src/crypto/tests/CHIPCryptoPALTest.cpp @@ -193,7 +193,7 @@ struct TestAesKey ~TestAesKey() { keystore.DestroyKey(key); } DefaultSessionKeystore keystore; - Aes128KeyHandle key; + Aes128BitsKeyHandle key; }; struct TestHmacKey @@ -211,7 +211,7 @@ struct TestHmacKey ~TestHmacKey() { keystore.DestroyKey(key); } DefaultSessionKeystore keystore; - Hmac128KeyHandle key; + Hmac128BitsKeyHandle key; }; static void TestAES_CTR_128_Encrypt(nlTestSuite * inSuite, const AesCtrTestEntry * vector) @@ -899,16 +899,16 @@ static void TestHash_SHA256_Stream(nlTestSuite * inSuite, void * inContext) } } -static void TestHMAC_SHA256_RawKey(nlTestSuite * inSuite, void * inContext) +static void TestHMAC_SHA256(nlTestSuite * inSuite, void * inContext) { HeapChecker heapChecker(inSuite); - int numOfTestCases = ArraySize(hmac_sha256_test_vectors_raw_key); + int numOfTestCases = ArraySize(hmac_sha256_test_vectors); int numOfTestsExecuted = 0; TestHMAC_sha mHMAC; for (numOfTestsExecuted = 0; numOfTestsExecuted < numOfTestCases; numOfTestsExecuted++) { - hmac_sha256_vector v = hmac_sha256_test_vectors_raw_key[numOfTestsExecuted]; + hmac_sha256_vector v = hmac_sha256_test_vectors[numOfTestsExecuted]; size_t out_length = v.output_hash_length; chip::Platform::ScopedMemoryBuffer out_buffer; out_buffer.Alloc(out_length); @@ -920,37 +920,6 @@ static void TestHMAC_SHA256_RawKey(nlTestSuite * inSuite, void * inContext) NL_TEST_ASSERT(inSuite, numOfTestsExecuted == numOfTestCases); } -static void TestHMAC_SHA256_KeyHandle(nlTestSuite * inSuite, void * inContext) -{ - HeapChecker heapChecker(inSuite); - int numOfTestCases = ArraySize(hmac_sha256_test_vectors_key_handle); - int numOfTestsExecuted = 0; - TestHMAC_sha mHMAC; - - for (numOfTestsExecuted = 0; numOfTestsExecuted < numOfTestCases; numOfTestsExecuted++) - { - hmac_sha256_vector v = hmac_sha256_test_vectors_key_handle[numOfTestsExecuted]; - size_t out_length = v.output_hash_length; - chip::Platform::ScopedMemoryBuffer out_buffer; - out_buffer.Alloc(out_length); - NL_TEST_ASSERT(inSuite, out_buffer); - Crypto::DefaultSessionKeystore keystore; - - Symmetric128BitsKeyByteArray keyMaterial; - memcpy(keyMaterial, v.key, v.key_length); - - Hmac128KeyHandle keyHandle; - NL_TEST_ASSERT_SUCCESS(inSuite, keystore.CreateKey(keyMaterial, keyHandle)); - - mHMAC.HMAC_SHA256(keyHandle, v.message, v.message_length, out_buffer.Get(), v.output_hash_length); - bool success = memcmp(v.output_hash, out_buffer.Get(), out_length) == 0; - NL_TEST_ASSERT(inSuite, success); - - keystore.DestroyKey(keyHandle); - } - NL_TEST_ASSERT(inSuite, numOfTestsExecuted == numOfTestCases); -} - static void TestHKDF_SHA256(nlTestSuite * inSuite, void * inContext) { HeapChecker heapChecker(inSuite); @@ -2987,8 +2956,7 @@ static const nlTest sTests[] = { NL_TEST_DEF("Test Hash SHA 256", TestHash_SHA256), NL_TEST_DEF("Test Hash SHA 256 Stream", TestHash_SHA256_Stream), NL_TEST_DEF("Test HKDF SHA 256", TestHKDF_SHA256), - NL_TEST_DEF("Test HMAC SHA 256 - Raw Key", TestHMAC_SHA256_RawKey), - NL_TEST_DEF("Test HMAC SHA 256 - Key Handle", TestHMAC_SHA256_KeyHandle), + NL_TEST_DEF("Test HMAC SHA 256", TestHMAC_SHA256), NL_TEST_DEF("Test DRBG invalid inputs", TestDRBG_InvalidInputs), NL_TEST_DEF("Test DRBG output", TestDRBG_Output), NL_TEST_DEF("Test ECDH derive shared secret", TestECDH_EstablishSecret), diff --git a/src/crypto/tests/HMAC_SHA256_test_vectors.h b/src/crypto/tests/HMAC_SHA256_test_vectors.h index c6aee729a8bfbc..ae6005ccf66cc9 100644 --- a/src/crypto/tests/HMAC_SHA256_test_vectors.h +++ b/src/crypto/tests/HMAC_SHA256_test_vectors.h @@ -36,15 +36,8 @@ typedef struct hmac_sha256_vector const size_t output_hash_length; } hmac_sha256_vector; -// Common Test case messages -const uint8_t kHmacTestCase1Message[] = { - 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, - 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a, 0x65, 0x20, 0x4b, 0x65, - 0x79, 0x20, 0x2d, 0x20, 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x46, 0x69, 0x72, 0x73, 0x74, -}; - // Basic test case -const uint8_t kHmacRawKeyTestCase1Key[] = { +const uint8_t kHmacTestCase1Key[] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, @@ -54,33 +47,22 @@ const uint8_t kHmacRawKeyTestCase1Key[] = { 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, }; -const uint8_t kHmacRawKeyTestCase1Expected[] = { +const uint8_t kHmacTestCase1Message[] = { + 0x54, 0x65, 0x73, 0x74, 0x20, 0x55, 0x73, 0x69, 0x6e, 0x67, 0x20, 0x4c, 0x61, 0x72, 0x67, 0x65, 0x72, 0x20, + 0x54, 0x68, 0x61, 0x6e, 0x20, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x2d, 0x53, 0x69, 0x7a, 0x65, 0x20, 0x4b, 0x65, + 0x79, 0x20, 0x2d, 0x20, 0x48, 0x61, 0x73, 0x68, 0x20, 0x4b, 0x65, 0x79, 0x20, 0x46, 0x69, 0x72, 0x73, 0x74, +}; + +const uint8_t kHmacTestCase1Expected[] = { 0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54, }; -hmac_sha256_vector kHmacSha256TestCase1 = { .key = kHmacRawKeyTestCase1Key, - .key_length = sizeof(kHmacRawKeyTestCase1Key), +hmac_sha256_vector kHmacSha256TestCase1 = { .key = kHmacTestCase1Key, + .key_length = sizeof(kHmacTestCase1Key), .message = kHmacTestCase1Message, .message_length = sizeof(kHmacTestCase1Message), - .output_hash = kHmacRawKeyTestCase1Expected, - .output_hash_length = sizeof(kHmacRawKeyTestCase1Expected) }; - -hmac_sha256_vector hmac_sha256_test_vectors_raw_key[] = { kHmacSha256TestCase1 }; - -// KeyHandle Test Case - Symmetric 128 Bits key -const uint8_t kHmacKeyHandleTestCase1Key[] = { 0xba, 0xba, 0xba, 0xba, 0xba, 0xba, 0xba, 0xba, - 0xba, 0xba, 0xba, 0xba, 0xba, 0xba, 0xba, 0xba }; - -const uint8_t kHmacKeyHandleTestCase1Expected[] = { 0xc0, 0xcd, 0x77, 0x23, 0xdc, 0xf1, 0x57, 0xa5, 0xfe, 0x53, 0xc5, - 0x6b, 0x2d, 0x86, 0xd4, 0x1c, 0x78, 0x61, 0xb4, 0x20, 0x67, 0xca, - 0x7c, 0xae, 0x44, 0x13, 0x57, 0x4d, 0x25, 0xda, 0x84, 0x1e }; - -hmac_sha256_vector kHmacKeyHandleSha256TestCase1 = { .key = kHmacKeyHandleTestCase1Key, - .key_length = sizeof(kHmacKeyHandleTestCase1Key), - .message = kHmacTestCase1Message, - .message_length = sizeof(kHmacTestCase1Message), - .output_hash = kHmacKeyHandleTestCase1Expected, - .output_hash_length = sizeof(kHmacKeyHandleTestCase1Expected) }; + .output_hash = kHmacTestCase1Expected, + .output_hash_length = sizeof(kHmacTestCase1Expected) }; -hmac_sha256_vector hmac_sha256_test_vectors_key_handle[] = { kHmacKeyHandleSha256TestCase1 }; +hmac_sha256_vector hmac_sha256_test_vectors[] = { kHmacSha256TestCase1 }; diff --git a/src/crypto/tests/TestSessionKeystore.cpp b/src/crypto/tests/TestSessionKeystore.cpp index 025cd5c9233cbe..01a506382302a8 100644 --- a/src/crypto/tests/TestSessionKeystore.cpp +++ b/src/crypto/tests/TestSessionKeystore.cpp @@ -113,7 +113,7 @@ void TestBasicImport(nlTestSuite * inSuite, void * inContext) Symmetric128BitsKeyByteArray keyMaterial; memcpy(keyMaterial, test.key, test.key_len); - Aes128KeyHandle keyHandle; + Aes128BitsKeyHandle keyHandle; NL_TEST_ASSERT_SUCCESS(inSuite, keystore.CreateKey(keyMaterial, keyHandle)); Platform::ScopedMemoryBuffer ciphertext; @@ -140,7 +140,7 @@ void TestDeriveKey(nlTestSuite * inSuite, void * inContext) memcpy(secret.Bytes(), test.secret, strlen(test.secret)); secret.SetLength(strlen(test.secret)); - Aes128KeyHandle keyHandle; + Aes128BitsKeyHandle keyHandle; NL_TEST_ASSERT_SUCCESS(inSuite, keystore.DeriveKey(secret, ToSpan(test.salt), ToSpan(test.info), keyHandle)); uint8_t ciphertext[sizeof(test.ciphertext)]; @@ -162,8 +162,8 @@ void TestDeriveSessionKeys(nlTestSuite * inSuite, void * inContext) memcpy(secret.Bytes(), test.secret, strlen(test.secret)); secret.SetLength(strlen(test.secret)); - Aes128KeyHandle i2r; - Aes128KeyHandle r2i; + Aes128BitsKeyHandle i2r; + Aes128BitsKeyHandle r2i; AttestationChallenge challenge; NL_TEST_ASSERT_SUCCESS( inSuite, keystore.DeriveSessionKeys(ToSpan(test.secret), ToSpan(test.salt), ToSpan(test.info), i2r, r2i, challenge)); diff --git a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp index fbb462381975f3..ae434d990bcc60 100644 --- a/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/nxp/common/crypto/CHIPCryptoPALTinyCrypt.cpp @@ -124,7 +124,7 @@ static bool _isValidTagLength(size_t tag_length) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -162,7 +162,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -380,13 +380,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return CHIP_NO_ERROR; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/platform/nxp/crypto/se05x/CHIPCryptoPALHost.cpp b/src/platform/nxp/crypto/se05x/CHIPCryptoPALHost.cpp index ffc626c201d373..f69696229ad493 100644 --- a/src/platform/nxp/crypto/se05x/CHIPCryptoPALHost.cpp +++ b/src/platform/nxp/crypto/se05x/CHIPCryptoPALHost.cpp @@ -109,7 +109,7 @@ static bool _isValidTagLength(size_t tag_length) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -147,7 +147,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; diff --git a/src/platform/nxp/crypto/se05x/CHIPCryptoPALHsm_se05x_hmac.cpp b/src/platform/nxp/crypto/se05x/CHIPCryptoPALHsm_se05x_hmac.cpp index 6590915ebcf98f..ca1fb0111e4a9a 100644 --- a/src/platform/nxp/crypto/se05x/CHIPCryptoPALHsm_se05x_hmac.cpp +++ b/src/platform/nxp/crypto/se05x/CHIPCryptoPALHsm_se05x_hmac.cpp @@ -120,12 +120,5 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u #endif } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - } // namespace Crypto } // namespace chip diff --git a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp index f5237ee5211a4b..cc8fd2f389f88f 100644 --- a/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp +++ b/src/platform/nxp/k32w/k32w0/crypto/CHIPCryptoPALNXPUltrafastP256.cpp @@ -115,7 +115,7 @@ static bool _isValidTagLength(size_t tag_length) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -153,7 +153,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -371,13 +371,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return CHIP_NO_ERROR; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/platform/nxp/k32w/k32w1/CHIPCryptoPalK32W1.cpp b/src/platform/nxp/k32w/k32w1/CHIPCryptoPalK32W1.cpp index fd998f36522eca..af478c34f1c598 100644 --- a/src/platform/nxp/k32w/k32w1/CHIPCryptoPalK32W1.cpp +++ b/src/platform/nxp/k32w/k32w1/CHIPCryptoPalK32W1.cpp @@ -122,7 +122,7 @@ static bool _isValidKeyLength(size_t length) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -160,7 +160,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -372,13 +372,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return CHIP_NO_ERROR; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp index 2b8664d2f44efd..324978f9e1dcd8 100644 --- a/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp +++ b/src/platform/silabs/SiWx917/CHIPCryptoPALTinyCrypt.cpp @@ -114,7 +114,7 @@ static bool _isValidTagLength(size_t tag_length) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -152,7 +152,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -364,13 +364,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return CHIP_NO_ERROR; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp index d541fc17da517a..2ee09be0cc132d 100644 --- a/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp +++ b/src/platform/silabs/efr32/CHIPCryptoPALPsaEfr32.cpp @@ -158,7 +158,7 @@ static int timeCompare(mbedtls_x509_time * t1, mbedtls_x509_time * t2) } CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, const uint8_t * aad, size_t aad_length, - const Aes128KeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, + const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * ciphertext, uint8_t * tag, size_t tag_length) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -215,7 +215,7 @@ CHIP_ERROR AES_CCM_encrypt(const uint8_t * plaintext, size_t plaintext_length, c } CHIP_ERROR AES_CCM_decrypt(const uint8_t * ciphertext, size_t ciphertext_len, const uint8_t * aad, size_t aad_len, - const uint8_t * tag, size_t tag_length, const Aes128KeyHandle & key, const uint8_t * nonce, + const uint8_t * tag, size_t tag_length, const Aes128BitsKeyHandle & key, const uint8_t * nonce, size_t nonce_length, uint8_t * plaintext) { CHIP_ERROR error = CHIP_NO_ERROR; @@ -476,13 +476,6 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u return error; } -CHIP_ERROR HMAC_sha::HMAC_SHA256(const Hmac128KeyHandle & key, const uint8_t * message, size_t message_length, uint8_t * out_buffer, - size_t out_length) -{ - return HMAC_SHA256(key.As(), sizeof(Symmetric128BitsKeyByteArray), message, message_length, - out_buffer, out_length); -} - CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * password, size_t plen, const uint8_t * salt, size_t slen, unsigned int iteration_count, uint32_t key_length, uint8_t * output) { diff --git a/src/protocols/secure_channel/CheckinMessage.cpp b/src/protocols/secure_channel/CheckinMessage.cpp index 5e63feb3428aa0..43351de492113a 100644 --- a/src/protocols/secure_channel/CheckinMessage.cpp +++ b/src/protocols/secure_channel/CheckinMessage.cpp @@ -30,7 +30,7 @@ namespace chip { namespace Protocols { namespace SecureChannel { -CHIP_ERROR CheckinMessage::GenerateCheckinMessagePayload(Crypto::Aes128KeyHandle & key, CounterType counter, +CHIP_ERROR CheckinMessage::GenerateCheckinMessagePayload(Crypto::Aes128BitsKeyHandle & key, CounterType counter, const ByteSpan & appData, MutableByteSpan & output) { VerifyOrReturnError(appData.size() <= sMaxAppDataSize, CHIP_ERROR_INVALID_ARGUMENT); @@ -62,7 +62,7 @@ CHIP_ERROR CheckinMessage::GenerateCheckinMessagePayload(Crypto::Aes128KeyHandle return err; } -CHIP_ERROR CheckinMessage::ParseCheckinMessagePayload(Crypto::Aes128KeyHandle & key, ByteSpan & payload, CounterType & counter, +CHIP_ERROR CheckinMessage::ParseCheckinMessagePayload(Crypto::Aes128BitsKeyHandle & key, ByteSpan & payload, CounterType & counter, MutableByteSpan & appData) { VerifyOrReturnError(payload.size() >= sMinPayloadSize, CHIP_ERROR_INVALID_ARGUMENT); diff --git a/src/protocols/secure_channel/CheckinMessage.h b/src/protocols/secure_channel/CheckinMessage.h index aa494c3689b5c8..534e66f52ca6b5 100644 --- a/src/protocols/secure_channel/CheckinMessage.h +++ b/src/protocols/secure_channel/CheckinMessage.h @@ -52,8 +52,8 @@ class DLL_EXPORT CheckinMessage * Required Buffer Size is : GetCheckinPayloadSize(appData.size()) * @return CHIP_ERROR */ - static CHIP_ERROR GenerateCheckinMessagePayload(Crypto::Aes128KeyHandle & key, CounterType counter, const ByteSpan & appData, - MutableByteSpan & output); + static CHIP_ERROR GenerateCheckinMessagePayload(Crypto::Aes128BitsKeyHandle & key, CounterType counter, + const ByteSpan & appData, MutableByteSpan & output); /** * @brief Parse Check-in Message payload @@ -65,7 +65,7 @@ class DLL_EXPORT CheckinMessage * GetAppDataSize(payload) + sizeof(CounterType) * @return CHIP_ERROR */ - static CHIP_ERROR ParseCheckinMessagePayload(Crypto::Aes128KeyHandle & key, ByteSpan & payload, CounterType & counter, + static CHIP_ERROR ParseCheckinMessagePayload(Crypto::Aes128BitsKeyHandle & key, ByteSpan & payload, CounterType & counter, MutableByteSpan & appData); static inline size_t GetCheckinPayloadSize(size_t appDataSize) { return appDataSize + sMinPayloadSize; } diff --git a/src/protocols/secure_channel/tests/TestCheckinMsg.cpp b/src/protocols/secure_channel/tests/TestCheckinMsg.cpp index 6310cf38c05494..730f6c7184f6fb 100644 --- a/src/protocols/secure_channel/tests/TestCheckinMsg.cpp +++ b/src/protocols/secure_channel/tests/TestCheckinMsg.cpp @@ -59,7 +59,7 @@ void TestCheckin_Generate(nlTestSuite * inSuite, void * inContext) Symmetric128BitsKeyByteArray keyMaterial; memcpy(keyMaterial, test.key, test.key_len); - Aes128KeyHandle keyHandle; + Aes128BitsKeyHandle keyHandle; NL_TEST_ASSERT_SUCCESS(inSuite, keystore.CreateKey(keyMaterial, keyHandle)); // Validate that counter change, indeed changes the output buffer content @@ -90,14 +90,14 @@ void TestCheckin_Generate(nlTestSuite * inSuite, void * inContext) Symmetric128BitsKeyByteArray keyMaterial; memcpy(keyMaterial, test.key, test.key_len); - Aes128KeyHandle keyHandle; + Aes128BitsKeyHandle keyHandle; NL_TEST_ASSERT_SUCCESS(inSuite, keystore.CreateKey(keyMaterial, keyHandle)); // As of now passing an empty key handle while using PSA crypto will result in a failure. // However when using OpenSSL this same test result in a success. // Issue #28986 - // Aes128KeyHandle emptyKeyHandle; + // Aes128BitsKeyHandle emptyKeyHandle; // err = CheckinMessage::GenerateCheckinMessagePayload(emptyKeyHandle, counter, userData, outputBuffer); // ChipLogError(Inet, "%s", err.AsString()); // NL_TEST_ASSERT(inSuite, (CHIP_NO_ERROR == err)); @@ -140,7 +140,7 @@ void TestCheckin_Parse(nlTestSuite * inSuite, void * inContext) Symmetric128BitsKeyByteArray keyMaterial; memcpy(keyMaterial, test.key, test.key_len); - Aes128KeyHandle keyHandle; + Aes128BitsKeyHandle keyHandle; NL_TEST_ASSERT_SUCCESS(inSuite, keystore.CreateKey(keyMaterial, keyHandle)); //=================Encrypt======================= @@ -183,7 +183,7 @@ void TestCheckin_GenerateParse(nlTestSuite * inSuite, void * inContext) Symmetric128BitsKeyByteArray keyMaterial; memcpy(keyMaterial, test.key, test.key_len); - Aes128KeyHandle keyHandle; + Aes128BitsKeyHandle keyHandle; NL_TEST_ASSERT_SUCCESS(inSuite, keystore.CreateKey(keyMaterial, keyHandle)); //=================Encrypt======================= diff --git a/src/transport/CryptoContext.h b/src/transport/CryptoContext.h index b08efdabbc9dcd..f5717a3abf7926 100644 --- a/src/transport/CryptoContext.h +++ b/src/transport/CryptoContext.h @@ -160,8 +160,8 @@ class DLL_EXPORT CryptoContext SessionRole mSessionRole; bool mKeyAvailable; - Crypto::Aes128KeyHandle mEncryptionKey; - Crypto::Aes128KeyHandle mDecryptionKey; + Crypto::Aes128BitsKeyHandle mEncryptionKey; + Crypto::Aes128BitsKeyHandle mDecryptionKey; Crypto::AttestationChallenge mAttestationChallenge; Crypto::SessionKeystore * mKeystore = nullptr; Crypto::SymmetricKeyContext * mKeyContext = nullptr;