blob: 6b39af59696028bcd34afc57a2b0e35ae98618be [file] [log] [blame]
/*
*
* Copyright (c) 2020-2021 Project CHIP Authors
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @file
* This file implements the CHIP Secure Session object.
*
*/
#include <crypto/CHIPCryptoPAL.h>
#include <crypto/SessionKeystore.h>
#include <lib/core/CHIPEncoding.h>
#include <lib/support/BufferWriter.h>
#include <lib/support/CodeUtils.h>
#include <transport/CryptoContext.h>
#include <transport/raw/MessageHeader.h>
#include <lib/support/BytesToHex.h>
#include <string.h>
namespace chip {
namespace {
constexpr size_t kMaxAADLen = 128;
/* Session Establish Key Info */
constexpr uint8_t SEKeysInfo[] = { 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x73 };
/* Session Resumption Key Info */
constexpr uint8_t RSEKeysInfo[] = { 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x73, 0x75,
0x6d, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x4b, 0x65, 0x79, 0x73 };
} // namespace
using namespace Crypto;
CryptoContext::CryptoContext() : mKeyAvailable(false) {}
CryptoContext::~CryptoContext()
{
if (mKeystore)
{
mKeystore->DestroyKey(mEncryptionKey);
mKeystore->DestroyKey(mDecryptionKey);
}
mKeystore = nullptr;
mKeyContext = nullptr;
}
CHIP_ERROR CryptoContext::InitFromSecret(SessionKeystore & keystore, const ByteSpan & secret, const ByteSpan & salt,
SessionInfoType infoType, SessionRole role)
{
VerifyOrReturnError(mKeyAvailable == false, CHIP_ERROR_INCORRECT_STATE);
VerifyOrReturnError(secret.data() != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(secret.size() > 0, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError((salt.size() == 0) || (salt.data() != nullptr), CHIP_ERROR_INVALID_ARGUMENT);
ByteSpan info = (infoType == SessionInfoType::kSessionResumption) ? ByteSpan(RSEKeysInfo) : ByteSpan(SEKeysInfo);
// If the secure session is created by session initiator, use the I2R key to encrypt
// messages being transmitted. Otherwise, use the R2I key.
auto & i2rKey = (role == SessionRole::kInitiator) ? mEncryptionKey : mDecryptionKey;
auto & r2iKey = (role == SessionRole::kInitiator) ? mDecryptionKey : mEncryptionKey;
#if CHIP_CONFIG_SECURITY_TEST_MODE
// If enabled, override the generated session key with a known key pair
// to allow man-in-the-middle session key recovery for testing purposes.
constexpr uint8_t kTestSharedSecret[CHIP_CONFIG_TEST_SHARED_SECRET_LENGTH] = CHIP_CONFIG_TEST_SHARED_SECRET_VALUE;
static_assert(sizeof(CHIP_CONFIG_TEST_SHARED_SECRET_VALUE) == CHIP_CONFIG_TEST_SHARED_SECRET_LENGTH,
"CHIP_CONFIG_TEST_SHARED_SECRET_VALUE must be 32 bytes");
const ByteSpan & testSalt = ByteSpan(nullptr, 0);
(void) info;
#warning \
"Warning: CHIP_CONFIG_SECURITY_TEST_MODE=1 bypassing key negotiation... All sessions will use known, fixed test key, and NodeID=0 in NONCE. Node can only communicate with other nodes built with this flag set. Requires build flag 'treat_warnings_as_errors=false'."
ChipLogError(
SecureChannel,
"Warning: CHIP_CONFIG_SECURITY_TEST_MODE=1 bypassing key negotiation... All sessions will use known, fixed test key, "
"and NodeID=0 in NONCE. "
"Node can only communicate with other nodes built with this flag set.");
ReturnErrorOnFailure(keystore.DeriveSessionKeys(ByteSpan(kTestSharedSecret), testSalt, ByteSpan(SEKeysInfo), i2rKey, r2iKey,
mAttestationChallenge));
#else
ReturnErrorOnFailure(keystore.DeriveSessionKeys(secret, salt, info, i2rKey, r2iKey, mAttestationChallenge));
#endif
mKeyAvailable = true;
mSessionRole = role;
mKeystore = &keystore;
return CHIP_NO_ERROR;
}
CHIP_ERROR CryptoContext::InitFromKeyPair(SessionKeystore & keystore, const Crypto::P256Keypair & local_keypair,
const Crypto::P256PublicKey & remote_public_key, const ByteSpan & salt,
SessionInfoType infoType, SessionRole role)
{
VerifyOrReturnError(mKeyAvailable == false, CHIP_ERROR_INCORRECT_STATE);
P256ECDHDerivedSecret secret;
ReturnErrorOnFailure(local_keypair.ECDH_derive_secret(remote_public_key, secret));
return InitFromSecret(keystore, secret.Span(), salt, infoType, role);
}
CHIP_ERROR CryptoContext::BuildNonce(NonceView nonce, uint8_t securityFlags, uint32_t messageCounter, NodeId nodeId)
{
Encoding::LittleEndian::BufferWriter bbuf(nonce.data(), nonce.size());
bbuf.Put8(securityFlags);
bbuf.Put32(messageCounter);
#if CHIP_CONFIG_SECURITY_TEST_MODE
bbuf.Put64(0); // Simplifies decryption of CASE sessions when in TEST_MODE.
#else
bbuf.Put64(nodeId);
#endif
return bbuf.Fit() ? CHIP_NO_ERROR : CHIP_ERROR_NO_MEMORY;
}
CHIP_ERROR CryptoContext::BuildPrivacyNonce(NonceView nonce, uint16_t sessionId, const MessageAuthenticationCode & mac)
{
const uint8_t * micFragment = &mac.GetTag()[kPrivacyNonceMicFragmentOffset];
Encoding::BigEndian::BufferWriter bbuf(nonce.data(), nonce.size());
bbuf.Put16(sessionId);
bbuf.Put(micFragment, kPrivacyNonceMicFragmentLength);
return bbuf.Fit() ? CHIP_NO_ERROR : CHIP_ERROR_NO_MEMORY;
}
CHIP_ERROR CryptoContext::GetAdditionalAuthData(const PacketHeader & header, uint8_t * aad, uint16_t & len)
{
VerifyOrReturnError(len >= header.EncodeSizeBytes(), CHIP_ERROR_INVALID_ARGUMENT);
// Use unencrypted part of header as AAD. This will help
// integrity protect the whole message
uint16_t actualEncodedHeaderSize;
ReturnErrorOnFailure(header.Encode(aad, len, &actualEncodedHeaderSize));
VerifyOrReturnError(len >= actualEncodedHeaderSize, CHIP_ERROR_INVALID_ARGUMENT);
len = actualEncodedHeaderSize;
return CHIP_NO_ERROR;
}
CHIP_ERROR CryptoContext::Encrypt(const uint8_t * input, size_t input_length, uint8_t * output, ConstNonceView nonce,
PacketHeader & header, MessageAuthenticationCode & mac) const
{
const size_t taglen = header.MICTagLength();
VerifyOrDie(taglen <= kMaxTagLen);
VerifyOrReturnError(input != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(input_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(output != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
uint8_t AAD[kMaxAADLen];
uint16_t aadLen = sizeof(AAD);
uint8_t tag[kMaxTagLen];
ReturnErrorOnFailure(GetAdditionalAuthData(header, AAD, aadLen));
if (mKeyContext)
{
ByteSpan plaintext(input, input_length);
MutableByteSpan ciphertext(output, input_length);
MutableByteSpan mic(tag, taglen);
ReturnErrorOnFailure(mKeyContext->MessageEncrypt(plaintext, ByteSpan(AAD, aadLen), nonce, mic, ciphertext));
}
else
{
VerifyOrReturnError(mKeyAvailable, CHIP_ERROR_INVALID_USE_OF_SESSION_KEY);
ReturnErrorOnFailure(
AES_CCM_encrypt(input, input_length, AAD, aadLen, mEncryptionKey, nonce.data(), nonce.size(), output, tag, taglen));
}
mac.SetTag(&header, tag, taglen);
return CHIP_NO_ERROR;
}
CHIP_ERROR CryptoContext::Decrypt(const uint8_t * input, size_t input_length, uint8_t * output, ConstNonceView nonce,
const PacketHeader & header, const MessageAuthenticationCode & mac) const
{
const size_t taglen = header.MICTagLength();
const uint8_t * tag = mac.GetTag();
uint8_t AAD[kMaxAADLen];
uint16_t aadLen = sizeof(AAD);
VerifyOrReturnError(input != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(input_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(output != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
ReturnErrorOnFailure(GetAdditionalAuthData(header, AAD, aadLen));
if (nullptr != mKeyContext)
{
ByteSpan ciphertext(input, input_length);
MutableByteSpan plaintext(output, input_length);
ByteSpan mic(tag, taglen);
CHIP_ERROR err = mKeyContext->MessageDecrypt(ciphertext, ByteSpan(AAD, aadLen), nonce, mic, plaintext);
ReturnErrorOnFailure(err);
}
else
{
VerifyOrReturnError(mKeyAvailable, CHIP_ERROR_INVALID_USE_OF_SESSION_KEY);
ReturnErrorOnFailure(
AES_CCM_decrypt(input, input_length, AAD, aadLen, tag, taglen, mDecryptionKey, nonce.data(), nonce.size(), output));
}
return CHIP_NO_ERROR;
}
CHIP_ERROR CryptoContext::PrivacyEncrypt(const uint8_t * input, size_t input_length, uint8_t * output, PacketHeader & header,
MessageAuthenticationCode & mac) const
{
VerifyOrReturnError(input != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(input_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(output != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
// Confirm group key is available. Privacy obfuscation is not supported on unicast session keys.
VerifyOrReturnError(mKeyContext != nullptr, CHIP_ERROR_INVALID_USE_OF_SESSION_KEY);
ByteSpan plaintext(input, input_length);
MutableByteSpan privacytext(output, input_length);
CryptoContext::NonceStorage privacyNonce;
CryptoContext::BuildPrivacyNonce(privacyNonce, header.GetSessionId(), mac);
return mKeyContext->PrivacyEncrypt(plaintext, privacyNonce, privacytext);
}
CHIP_ERROR CryptoContext::PrivacyDecrypt(const uint8_t * input, size_t input_length, uint8_t * output, const PacketHeader & header,
const MessageAuthenticationCode & mac) const
{
VerifyOrReturnError(input != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(input_length > 0, CHIP_ERROR_INVALID_ARGUMENT);
VerifyOrReturnError(output != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
// Confirm group key is available. Privacy obfuscation is not supported on session keys.
VerifyOrReturnError(mKeyContext != nullptr, CHIP_ERROR_INVALID_USE_OF_SESSION_KEY);
const ByteSpan privacytext(input, input_length);
MutableByteSpan plaintext(output, input_length);
CryptoContext::NonceStorage privacyNonce;
CryptoContext::BuildPrivacyNonce(privacyNonce, header.GetSessionId(), mac);
return mKeyContext->PrivacyDecrypt(privacytext, privacyNonce, plaintext);
}
} // namespace chip