From 2ecdb4f39885659b18dd709c6bd8f8f3b6875ff8 Mon Sep 17 00:00:00 2001
From: Damian Krolik
Date: Fri, 10 May 2024 16:29:04 +0200
Subject: [PATCH] [crypto] Log PSA crypto error codes in more places

Log PSA crypto error codes in more places to make it easier to catch and analyze crypto misconfiguration, such as too low number of available key slots.

Signed-off-by: Damian Krolik
---
 src/crypto/CHIPCryptoPALPSA.cpp | 33 +++++++++++++++------------
 src/crypto/CHIPCryptoPALPSA.h | 5 ++++
 src/crypto/PSAOperationalKeystore.cpp | 1 +
 src/crypto/PSASessionKeystore.cpp | 5 ++--
 4 files changed, 27 insertions(+), 17 deletions(-)

diff --git a/src/crypto/CHIPCryptoPALPSA.cpp b/src/crypto/CHIPCryptoPALPSA.cpp
index 554feb0d52fee4..862e3d2179a37c 100644
--- a/src/crypto/CHIPCryptoPALPSA.cpp
+++ b/src/crypto/CHIPCryptoPALPSA.cpp
@@ -48,14 +48,6 @@ namespace Crypto { namespace { -void logPsaError(psa_status_t status) -{ - if (status != 0) - { - ChipLogError(Crypto, "PSA error: %d", static_cast(status)); - } -} - bool isBufferNonEmpty(const uint8_t * data, size_t data_length) { return data != nullptr && data_length > 0;
@@ -281,6 +273,7 @@ CHIP_ERROR PsaKdf::Init(const ByteSpan & secret, const ByteSpan & salt, const By psa_set_key_usage_flags(&attrs, PSA_KEY_USAGE_DERIVE); status = psa_import_key(&attrs, secret.data(), secret.size(), &mSecretKeyId); + LogPsaError(status); psa_reset_key_attributes(&attrs); VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);
@@ -312,6 +305,14 @@ CHIP_ERROR PsaKdf::InitOperation(psa_key_id_t hkdfKey, const ByteSpan & salt, co return CHIP_NO_ERROR; } +void LogPsaError(psa_status_t status) +{ + if (status != PSA_SUCCESS) + { + ChipLogError(Crypto, "PSA error: %d", static_cast(status)); + } +} + CHIP_ERROR PsaKdf::DeriveBytes(const MutableByteSpan & output) { psa_status_t status = psa_key_derivation_output_bytes(&mOperation, output.data(), output.size());
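Review bot: The message written by `LogPsaError` in the `@@ -312,6 +305,14 @@` hunk is only `"PSA error: %d"`, and this patch adds call sites in three source files, so a logged code cannot be tied to the PSA call that produced it. Since the stated goal is diagnosing misconfiguration such as exhausted key slots, consider a caller-supplied tag, i.e. `void LogPsaError(psa_status_t status, const char * context);` with the format string `"PSA error in %s: %d"`. The definition also sits between `PsaKdf::InitOperation` and `PsaKdf::DeriveBytes`, both of which extend outside the hunk; placing it beside the file's other free helpers would make it easier to find.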
@@ -367,6 +368,7 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INTERNAL); exit: + LogPsaError(status); psa_destroy_key(keyId); psa_reset_key_attributes(&attrs);
@@ -476,6 +478,7 @@ CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * pass, size_t pass_length } exit: + LogPsaError(status); psa_destroy_key(keyId); psa_reset_key_attributes(&attrs);
@@ -519,7 +522,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len error = out_signature.SetLength(outputLen); exit: - logPsaError(status); + LogPsaError(status); return error; }
@@ -544,7 +547,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_msg_signature(const uint8_t * msg, cons VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE); exit: - logPsaError(status); + LogPsaError(status); psa_destroy_key(keyId); psa_reset_key_attributes(&attributes);
@@ -573,7 +576,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, co VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE); exit: - logPsaError(status); + LogPsaError(status); psa_destroy_key(keyId); psa_reset_key_attributes(&attributes);
@@ -596,7 +599,7 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k SuccessOrExit(error = out_secret.SetLength(outputLength)); exit: - logPsaError(status); + LogPsaError(status); return error; }
@@ -671,7 +674,7 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target) mInitialized = true; exit: - logPsaError(status); + LogPsaError(status); psa_reset_key_attributes(&attributes); return error;
@@ -697,7 +700,7 @@ CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const error = output.SetLength(bbuf.Needed()); exit: - logPsaError(status); + LogPsaError(status); return error; }
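Review bot: `LogPsaError(status)` now sits directly under `exit:` in `HMAC_sha::HMAC_SHA256`, so it runs on every path that jumps there, including any `VerifyOrExit` that fires before the first PSA call assigns `status`. The declaration of `status` is outside the hunk; if it is not initialised there, the log reads an indeterminate value, so it should be declared as `psa_status_t status = PSA_SUCCESS;`. The same check applies to the `exit:` additions in `PBKDF2_sha256::pbkdf2_sha256` and in `PersistentP256Keypair::Deserialize` in PSAOperationalKeystore.cpp. All three function bodies begin outside their hunks.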
@@ -728,7 +731,7 @@ CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input) mInitialized = true; exit: - logPsaError(status); + LogPsaError(status); return error; }
diff --git a/src/crypto/CHIPCryptoPALPSA.h b/src/crypto/CHIPCryptoPALPSA.h
index 2f91b3b4d49765..8fa3dc57a54024 100644
--- a/src/crypto/CHIPCryptoPALPSA.h
+++ b/src/crypto/CHIPCryptoPALPSA.h
@@ -150,5 +150,10 @@ class PsaKdf psa_key_derivation_operation_t mOperation = PSA_KEY_DERIVATION_OPERATION_INIT; }; +/** + * @brief Log PSA status code if it indicates an error. + */ +void LogPsaError(psa_status_t status); + } // namespace Crypto } // namespace chip
diff --git a/src/crypto/PSAOperationalKeystore.cpp b/src/crypto/PSAOperationalKeystore.cpp
index b6ba44e0aa2995..09e00bc9b581f9 100644
--- a/src/crypto/PSAOperationalKeystore.cpp
+++ b/src/crypto/PSAOperationalKeystore.cpp
@@ -160,6 +160,7 @@ CHIP_ERROR PSAOperationalKeystore::PersistentP256Keypair::Deserialize(P256Serial memcpy(mPublicKey.Bytes(), input.ConstBytes(), mPublicKey.Length()); exit: + LogPsaError(status); psa_reset_key_attributes(&attributes); return error;
diff --git a/src/crypto/PSASessionKeystore.cpp b/src/crypto/PSASessionKeystore.cpp
index 0ae3ed50755495..304fa10086daba 100644
--- a/src/crypto/PSASessionKeystore.cpp
+++ b/src/crypto/PSASessionKeystore.cpp
@@ -92,6 +92,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke AesKeyAttributes attrs; psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable()); + LogPsaError(status); VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL); return CHIP_NO_ERROR;
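Review bot: The doc comment on the new `LogPsaError` declaration in CHIPCryptoPALPSA.h does not say what callers can rely on, now that the helper is visible outside CHIPCryptoPALPSA.cpp. I would extend it to `@brief Log a PSA status code at error level; does nothing when status is PSA_SUCCESS.` and add `Only the numeric status is logged, so call it right after the PSA call it reports on.`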
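Review bot: The `psa_import_key` / `LogPsaError` / `VerifyOrReturnError` sequence added to `PSASessionKeystore::CreateKey` in the `@@ -92,6 +92,7 @@` hunk appears in the same form in the two other overloads patched at `@@ -105,7 +106,7 @@` and `@@ -118,7 +119,7 @@`. A file-local helper taking the key attributes, the key bytes and the output key id would keep the three overloads in step the next time the error handling changes. The overloads begin outside their hunks, so this assumes nothing else differs between them before the import call.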
@@ -105,7 +106,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke HmacKeyAttributes attrs; psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable()); - + LogPsaError(status); VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL); return CHIP_NO_ERROR;
@@ -118,7 +119,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const ByteSpan & keyMaterial, HkdfKeyHa HkdfKeyAttributes attrs; psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial.data(), keyMaterial.size(), &key.AsMutable()); - + LogPsaError(status); VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL); return CHIP_NO_ERROR;