-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[ICD] Add Check-In payload generation (#27615)
* Add Check-In payload generation * Applied PR comments * Fix last comment * address comments * address comments * fix comments * fix payload representation type * Fix OpenIotSDK failure * fix last test issue
- Loading branch information
1 parent
14f98c3
commit 555d03c
Showing
6 changed files
with
471 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,102 @@ | ||
/* | ||
* Copyright (c) 2020 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* This file implements the Matter Checkin protocol. | ||
*/ | ||
|
||
#include "CheckinMessage.h" | ||
#include <lib/core/CHIPCore.h> | ||
|
||
#include <lib/core/CHIPEncoding.h> | ||
#include <protocols/secure_channel/Constants.h> | ||
|
||
namespace chip { | ||
namespace Protocols { | ||
namespace SecureChannel { | ||
|
||
CHIP_ERROR CheckinMessage::GenerateCheckinMessagePayload(Crypto::Aes128KeyHandle & key, CounterType counter, | ||
const ByteSpan & appData, MutableByteSpan & output) | ||
{ | ||
VerifyOrReturnError(appData.size() <= sMaxAppDataSize, CHIP_ERROR_INVALID_ARGUMENT); | ||
VerifyOrReturnError(output.size() >= (appData.size() + sMinPayloadSize), CHIP_ERROR_INVALID_ARGUMENT); | ||
|
||
CHIP_ERROR err = CHIP_NO_ERROR; | ||
uint8_t * appDataStartPtr = output.data() + CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES; | ||
Encoding::LittleEndian::Put32(appDataStartPtr, counter); | ||
|
||
chip::Crypto::HMAC_sha shaHandler; | ||
uint8_t nonceWorkBuffer[CHIP_CRYPTO_HASH_LEN_BYTES] = { 0 }; | ||
|
||
ReturnErrorOnFailure(shaHandler.HMAC_SHA256(key.As<Aes128KeyByteArray>(), sizeof(Aes128KeyByteArray), appDataStartPtr, | ||
sizeof(CounterType), nonceWorkBuffer, CHIP_CRYPTO_HASH_LEN_BYTES)); | ||
|
||
static_assert(sizeof(nonceWorkBuffer) >= CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES, "We're reading off the end of our buffer."); | ||
memcpy(output.data(), nonceWorkBuffer, CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES); | ||
|
||
// In place encryption to save some RAM | ||
memcpy(appDataStartPtr + sizeof(CounterType), appData.data(), appData.size()); | ||
|
||
uint8_t * micPtr = appDataStartPtr + sizeof(CounterType) + appData.size(); | ||
ReturnErrorOnFailure(Crypto::AES_CCM_encrypt(appDataStartPtr, sizeof(CounterType) + appData.size(), nullptr, 0, key, | ||
output.data(), CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES, appDataStartPtr, micPtr, | ||
CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES)); | ||
|
||
output.reduce_size(appData.size() + sMinPayloadSize); | ||
|
||
return err; | ||
} | ||
|
||
CHIP_ERROR CheckinMessage::ParseCheckinMessagePayload(Crypto::Aes128KeyHandle & key, ByteSpan & payload, CounterType & counter, | ||
MutableByteSpan & appData) | ||
{ | ||
VerifyOrReturnError(payload.size() >= sMinPayloadSize, CHIP_ERROR_INVALID_ARGUMENT); | ||
VerifyOrReturnError(payload.size() <= (sMinPayloadSize + sMaxAppDataSize), CHIP_ERROR_INVALID_ARGUMENT); | ||
|
||
CHIP_ERROR err = CHIP_NO_ERROR; | ||
size_t appDataSize = GetAppDataSize(payload); | ||
|
||
// To prevent workbuffer usage, appData size needs to be large enough to hold both the appData and the counter | ||
VerifyOrReturnError(appData.size() >= sizeof(CounterType) + appDataSize, CHIP_ERROR_INVALID_ARGUMENT); | ||
|
||
ByteSpan nonce = payload.SubSpan(0, CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES); | ||
ByteSpan encryptedData = payload.SubSpan(CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES, sizeof(CounterType) + appDataSize); | ||
ByteSpan mic = | ||
payload.SubSpan(CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES + sizeof(CounterType) + appDataSize, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES); | ||
|
||
err = Crypto::AES_CCM_decrypt(encryptedData.data(), encryptedData.size(), nullptr, 0, mic.data(), mic.size(), key, nonce.data(), | ||
nonce.size(), appData.data()); | ||
|
||
ReturnErrorOnFailure(err); | ||
|
||
counter = Encoding::LittleEndian::Get32(appData.data()); | ||
// Shift to remove the counter from the appData | ||
memmove(appData.data(), sizeof(CounterType) + appData.data(), appDataSize); | ||
|
||
appData.reduce_size(appDataSize); | ||
return err; | ||
} | ||
|
||
size_t CheckinMessage::GetAppDataSize(ByteSpan & payload) | ||
{ | ||
return (payload.size() <= sMinPayloadSize) ? 0 : payload.size() - sMinPayloadSize; | ||
} | ||
|
||
} // namespace SecureChannel | ||
} // namespace Protocols | ||
} // namespace chip |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
/* | ||
* Copyright (c) 2020 Project CHIP Authors | ||
* All rights reserved. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
|
||
/** | ||
* @file | ||
* This file implements the Matter Checkin protocol. | ||
*/ | ||
|
||
#pragma once | ||
|
||
#include <crypto/CHIPCryptoPAL.h> | ||
#include <lib/support/Span.h> | ||
#include <stdint.h> | ||
|
||
namespace chip { | ||
namespace Protocols { | ||
namespace SecureChannel { | ||
using namespace Crypto; | ||
|
||
using CounterType = uint32_t; | ||
|
||
/** | ||
* @brief Implement section 4.18.2 of the spec regarding | ||
* Check-in message payload | ||
* | ||
*/ | ||
class DLL_EXPORT CheckinMessage | ||
{ | ||
public: | ||
~CheckinMessage(); | ||
/** | ||
* @brief Generate Check-in Message payload | ||
* | ||
* @param key Key with which to encrypt the check-in payload | ||
* @param counter Check-in counter | ||
* @param appData Application Data to incorporate within the Check-in message. Allowed to be empty. | ||
* @param output Buffer in Which to store the generated payload. SUFFICIENT SPACE MUST BE ALLOCATED by the caller | ||
* Required Buffer Size is : GetCheckinPayloadSize(appData.size()) | ||
* @return CHIP_ERROR | ||
*/ | ||
static CHIP_ERROR GenerateCheckinMessagePayload(Crypto::Aes128KeyHandle & key, CounterType counter, const ByteSpan & appData, | ||
MutableByteSpan & output); | ||
|
||
/** | ||
* @brief Parse Check-in Message payload | ||
* | ||
* @param key Key with which to decrypt the check-in payload | ||
* @param payload The received payload to decrypt and parse | ||
* @param counter The counter value retrieved from the payload | ||
* @param appData The optional application data decrypted. The size of appData must be at least the size of | ||
* GetAppDataSize(payload) + sizeof(CounterType) | ||
* @return CHIP_ERROR | ||
*/ | ||
static CHIP_ERROR ParseCheckinMessagePayload(Crypto::Aes128KeyHandle & key, ByteSpan & payload, CounterType & counter, | ||
MutableByteSpan & appData); | ||
|
||
static inline size_t GetCheckinPayloadSize(size_t appDataSize) { return appDataSize + sMinPayloadSize; } | ||
|
||
/** | ||
* @brief Get the App Data Size | ||
* | ||
* @param payload The undecrypted payload | ||
* @return size_t size in byte of the application data from the payload | ||
*/ | ||
static size_t GetAppDataSize(ByteSpan & payload); | ||
|
||
static constexpr uint16_t sMinPayloadSize = | ||
CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES + sizeof(CounterType) + CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES; | ||
|
||
// Issue #28603 | ||
static constexpr uint16_t sMaxAppDataSize = 1024; | ||
}; | ||
|
||
} // namespace SecureChannel | ||
} // namespace Protocols | ||
} // namespace chip |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.