Google Git
Sign in
pigweed / third_party / github / project-chip / connectedhomeip / 8122739289cf85a50fe63b5b66635bd9d407b141^! / .
commit8122739289cf85a50fe63b5b66635bd9d407b141[log] [tgz]
authorDamian Królik <66667989+Damian-Nordic@users.noreply.github.com>Fri May 10 18:40:05 2024 +0200
committerGitHub <noreply@github.com>Fri May 10 16:40:05 2024 +0000
treeca52c91135cff95992ade632a6e4fc59e8ced953
parentcfbcf1e69715a585b02bea80dd14823375566afc [diff]
[crypto] Log PSA crypto error codes in more places (#33403)

Log PSA crypto error codes in more places to make it easier
to catch and analyze crypto misconfiguration, such as too
low number of available key slots.

Signed-off-by: Damian Krolik <damian.krolik@nordicsemi.no>
diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp
index 554feb0..6eccb1d 100644
--- a/src/crypto/CHIPCryptoPALPSA.cpp
+++ b/src/crypto/CHIPCryptoPALPSA.cpp

@@ -48,14 +48,6 @@
 
 namespace {
 
-void logPsaError(psa_status_t status)
-{
-    if (status != 0)
-    {
-        ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
-    }
-}
-
 bool isBufferNonEmpty(const uint8_t * data, size_t data_length)
 {
     return data != nullptr && data_length > 0;
@@ -281,6 +273,7 @@
     psa_set_key_usage_flags(&attrs, PSA_KEY_USAGE_DERIVE);
 
     status = psa_import_key(&attrs, secret.data(), secret.size(), &mSecretKeyId);
+    LogPsaError(status);
     psa_reset_key_attributes(&attrs);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
@@ -312,9 +305,18 @@
     return CHIP_NO_ERROR;
 }
 
+void LogPsaError(psa_status_t status)
+{
+    if (status != PSA_SUCCESS)
+    {
+        ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
+    }
+}
+
 CHIP_ERROR PsaKdf::DeriveBytes(const MutableByteSpan & output)
 {
     psa_status_t status = psa_key_derivation_output_bytes(&mOperation, output.data(), output.size());
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;
@@ -323,6 +325,7 @@
 CHIP_ERROR PsaKdf::DeriveKey(const psa_key_attributes_t & attributes, psa_key_id_t & keyId)
 {
     psa_status_t status = psa_key_derivation_output_key(&attributes, &mOperation, &keyId);
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;
@@ -367,6 +370,7 @@
     VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INTERNAL);
 
 exit:
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attrs);
 
@@ -476,6 +480,7 @@
     }
 
 exit:
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attrs);
 
@@ -519,7 +524,7 @@
     error = out_signature.SetLength(outputLen);
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     return error;
 }
 
@@ -544,7 +549,7 @@
     VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attributes);
 
@@ -573,7 +578,7 @@
     VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     psa_destroy_key(keyId);
     psa_reset_key_attributes(&attributes);
 
@@ -596,7 +601,7 @@
     SuccessOrExit(error = out_secret.SetLength(outputLength));
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
 
     return error;
 }
@@ -671,7 +676,7 @@
     mInitialized = true;
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
     psa_reset_key_attributes(&attributes);
 
     return error;
@@ -697,7 +702,7 @@
     error = output.SetLength(bbuf.Needed());
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
 
     return error;
 }
@@ -728,7 +733,7 @@
     mInitialized = true;
 
 exit:
-    logPsaError(status);
+    LogPsaError(status);
 
     return error;
 }

diff --git a/src/crypto/CHIPCryptoPALPSA.h b/src/crypto/CHIPCryptoPALPSA.h
index 2f91b3b..8fa3dc5 100644
--- a/src/crypto/CHIPCryptoPALPSA.h
+++ b/src/crypto/CHIPCryptoPALPSA.h

@@ -150,5 +150,10 @@
     psa_key_derivation_operation_t mOperation = PSA_KEY_DERIVATION_OPERATION_INIT;
 };
 
+/**
+ * @brief Log PSA status code if it indicates an error.
+ */
+void LogPsaError(psa_status_t status);
+
 } // namespace Crypto
 } // namespace chip

diff --git a/src/crypto/PSAOperationalKeystore.cpp b/src/crypto/PSAOperationalKeystore.cpp
index b6ba44e..09e00bc 100644
--- a/src/crypto/PSAOperationalKeystore.cpp
+++ b/src/crypto/PSAOperationalKeystore.cpp

@@ -160,6 +160,7 @@
     memcpy(mPublicKey.Bytes(), input.ConstBytes(), mPublicKey.Length());
 
 exit:
+    LogPsaError(status);
     psa_reset_key_attributes(&attributes);
 
     return error;

diff --git a/src/crypto/PSASessionKeystore.cpp b/src/crypto/PSASessionKeystore.cpp
index 0ae3ed5..304fa10 100644
--- a/src/crypto/PSASessionKeystore.cpp
+++ b/src/crypto/PSASessionKeystore.cpp

@@ -92,6 +92,7 @@
     AesKeyAttributes attrs;
     psa_status_t status =
         psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;
@@ -105,7 +106,7 @@
     HmacKeyAttributes attrs;
     psa_status_t status =
         psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
-
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;
@@ -118,7 +119,7 @@
 
     HkdfKeyAttributes attrs;
     psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial.data(), keyMaterial.size(), &key.AsMutable<psa_key_id_t>());
-
+    LogPsaError(status);
     VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
 
     return CHIP_NO_ERROR;