From b7fbd4ae8f7e2a6d0d2c220aa3606f654785d5b4 Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Tue, 7 Apr 2020 12:12:43 -0700 Subject: [PATCH 1/8] Missing crypto PAL layer #287 https://github.com/project-chip/connectedhomeip/issues/287 --- src/crypto/CHIPCryptoPAL.h | 34 ++++++++++++++++++++++++++++ src/crypto/CHIPCryptoPALOpenSSL.c | 37 +++++++++++++++++++++++++++++++ src/crypto/CHIPCryptoPALmbedTLS.c | 37 +++++++++++++++++++++++++++++++ src/crypto/Makefile.am | 1 + 4 files changed, 109 insertions(+) create mode 100644 src/crypto/CHIPCryptoPAL.h create mode 100644 src/crypto/CHIPCryptoPALOpenSSL.c create mode 100644 src/crypto/CHIPCryptoPALmbedTLS.c diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h new file mode 100644 index 00000000000000..4672a8237a5064 --- /dev/null +++ b/src/crypto/CHIPCryptoPAL.h 
@@ -0,0 +1,34 @@
+/*
+ *
+ * Copyright (c) 2020 Project CHIP Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file
+ * Header that exposes the platform agnostic CHIP crypto primitives
+ */
+
+#ifndef _CHIP_CRYPTO_PAL_H_
+#define _CHIP_CRYPTO_PAL_H_
+
+#include
+
+CHIP_ERROR CHIP_aes_ccm_encrypt(unsigned char * plaintext, int plaintext_len, unsigned char * aad, int aad_len, unsigned char * key,
+ unsigned char * iv, unsigned char * ciphertext, unsigned char * tag);
+
+CHIP_ERROR CHIP_aes_ccm_decrypt(unsigned char * ciphertext, int ciphertext_len, unsigned char * aad, int aad_len,
+ unsigned char * tag, unsigned char * key, unsigned char * iv, unsigned char * plaintext);
+
+#endif
diff --git a/src/crypto/CHIPCryptoPALOpenSSL.c b/src/crypto/CHIPCryptoPALOpenSSL.c
new file mode 100644
index 00000000000000..b1c7f14edc7281
--- /dev/null
+++ b/src/crypto/CHIPCryptoPALOpenSSL.c
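Review bot: Neither prototype carries a length for `key`, `iv` or `tag`, so a backend written against this header cannot bound its reads and writes of those buffers or reject a wrong-sized key; I would add explicit length parameters, or state in a comment the fixed sizes the caller must supply. The lengths that are present are `int`, which admits negative values, where `size_t` is the usual type for a buffer length. The guard macro `_CHIP_CRYPTO_PAL_H_` starts with an underscore followed by an uppercase letter, a form C reserves for the implementation; `CHIP_CRYPTO_PAL_H_` avoids that.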
@@ -0,0 +1,37 @@
+/*
+ *
+ * Copyright (c) 2020 Project CHIP Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * @file
+ * openSSL based implementation of CHIP crypto primitives
+ */
+
+#include "CHIPCryptoPAL.h"
+
+int CHIP_aes_ccm_encrypt(unsigned char * plaintext, int plaintext_len, unsigned char * aad, int aad_len, unsigned char * key,
+ unsigned char * iv, unsigned char * ciphertext, unsigned char * tag)
+{
+ // TODO: Need to implement openSSL based AES-CCM #256
+ return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE;
+}
+
+int CHIP_aes_ccm_decrypt(unsigned char * ciphertext, int ciphertext_len, unsigned char * aad, int aad_len, unsigned char * tag,
+ unsigned char * key, unsigned char * iv, unsigned char * plaintext);
+{
+ // TODO: Need to implement openSSL based AES-CCM #256
+ return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE;
+}
\ No newline at end of file
diff --git a/src/crypto/CHIPCryptoPALmbedTLS.c b/src/crypto/CHIPCryptoPALmbedTLS.c
new file mode 100644
index 00000000000000..48f1d567571d06
--- /dev/null
+++ b/src/crypto/CHIPCryptoPALmbedTLS.c
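Review bot: The definition of `CHIP_aes_ccm_decrypt` closes its parameter list with `unsigned char * plaintext);` before the opening brace, so it parses as a prototype followed by a stray block and the file will not compile; drop the semicolon. Both functions are also defined as returning `int` while the header declares them as `CHIP_ERROR`; using `CHIP_ERROR` in the definitions keeps them from drifting from the declarations. The same two problems are in the CHIPCryptoPALmbedTLS.c hunk of this commit. The diffstat shows a single added line in Makefile.am, and the visible hunk adds only the header, so these sources may not be part of the build yet, which would explain why the error was not caught.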
@@ -0,0 +1,37 @@ +/* + * + * Copyright (c) 2020 Project CHIP Authors + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +/** + * @file + * mbedTLS based implementation of CHIP crypto primitives + */ + +#include "CHIPCryptoPAL.h" + +int CHIP_aes_ccm_encrypt(unsigned char * plaintext, int plaintext_len, unsigned char * aad, int aad_len, unsigned char * key, + unsigned char * iv, unsigned char * ciphertext, unsigned char * tag) +{ + // TODO: Need mbedTLS based implementation for AES-CCM #264 + return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; +} + +int CHIP_aes_ccm_decrypt(unsigned char * ciphertext, int ciphertext_len, unsigned char * aad, int aad_len, unsigned char * tag, + unsigned char * key, unsigned char * iv, unsigned char * plaintext); +{ + // TODO: Need mbedTLS based implementation for AES-CCM #264 + return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; +} \ No newline at end of file diff --git a/src/crypto/Makefile.am b/src/crypto/Makefile.am index ab16dfdaf577a2..3e4a09ce82a517 100644 --- a/src/crypto/Makefile.am +++ b/src/crypto/Makefile.am @@ -42,6 +42,7 @@ libChipCrypto_a_SOURCES = \ dist_libChipCrypto_a_HEADERS = \ CHIPCrypto.h \ CHIPBase+CompilerAbstraction.h \ + CHIPCryptoPAL.h \ $(NULL) $(RECURSIVE_TARGETS): $(lib_LIBRARIES) From b9c3400dabf02f3151ceb8dca0c92a25d5619dca Mon Sep 17 00:00:00 2001 
From: Bhaskar Sarma Date: Tue, 7 Apr 2020 14:36:37 -0700 Subject: [PATCH 2/8] PR Feedback - Add doxygen, make params const, update sizes to be size_t --- src/crypto/CHIPCryptoPAL.h | 37 +++++++++++++++++++++++++++---- src/crypto/CHIPCryptoPALOpenSSL.c | 10 +++++---- src/crypto/CHIPCryptoPALmbedTLS.c | 10 +++++---- 3 files changed, 45 insertions(+), 12 deletions(-) diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index 4672a8237a5064..1f593e482b7e36 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h 
@@ -24,11 +24,40 @@ #define _CHIP_CRYPTO_PAL_H_ #include +#include -CHIP_ERROR CHIP_aes_ccm_encrypt(unsigned char * plaintext, int plaintext_len, unsigned char * aad, int aad_len, unsigned char * key, - unsigned char * iv, unsigned char * ciphertext, unsigned char * tag); +/** + * @brief A function that implements 256-bit AES-CCM encryption + * @param plaintext Plaintext to encrypt + * @param plaintext_length Length of plain_text + * @param aad Additional authentication data + * @param aad_length Length of additional authentication data + * @param key Encryption key + * @param iv Initial vector + * @param iv_length Length of initial vector + * @param ciphertext Buffer to write ciphertext into. Caller must ensure this is large enough to hold the ciphertext + * @param tag Buffer to write tag into. Caller must ensure this is large enough to hold the tag + * */ +CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, + size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, + unsigned char * ciphertext, unsigned char * tag); + +/** + * @brief A function that implements 256-bit AES-CCM decryption + * @param ciphertext Ciphertext to decrypt + * @param ciphertext_length Length of ciphertext + * @param aad Additional authentical data. 
+ * @param aad_length Length of additional authentication data + * @param tag Tag to use to decrypt + * @param tag_length Length of tag + * @param key Decryption key + * @param iv Initial vector + * @param iv_length Length of initial vector + * @param plaintext Buffer to write plaintext into + **/ -CHIP_ERROR CHIP_aes_ccm_decrypt(unsigned char * ciphertext, int ciphertext_len, unsigned char * aad, int aad_len, - unsigned char * tag, unsigned char * key, unsigned char * iv, unsigned char * plaintext); +CHIP_ERROR CHIP_aes_ccm_256_decrypt(const unsigned char * ciphertext, size_t ciphertext_length, const unsigned char * aad, + size_t aad_length, const unsigned char * tag, size_t tag_length, const unsigned char * key, + const unsigned char * iv, size_t iv_length, unsigned char * plaintext); #endif diff --git a/src/crypto/CHIPCryptoPALOpenSSL.c b/src/crypto/CHIPCryptoPALOpenSSL.c index b1c7f14edc7281..55e3c4539711f7 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.c +++ b/src/crypto/CHIPCryptoPALOpenSSL.c 
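Review bot: The doxygen block added for `CHIP_aes_ccm_256_decrypt` does not tell the caller how large `plaintext` must be or that its contents are not to be used when the tag does not verify; I would extend that entry to `Buffer to write plaintext into. Caller must ensure it holds at least ciphertext_length bytes; contents are valid only when CHIP_NO_ERROR is returned`. No key length is passed to either function, so the `key` entries should state the required size, for example `Encryption key, 32 bytes`. The `iv` entries should say that the value is a CCM nonce and must not be reused with the same key, since the parameter name alone does not convey that. Two wording fixes in the same block: `Length of plain_text` should read `Length of plaintext`, and `authentical` should read `authentication`.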
@@ -22,15 +22,17 @@ #include "CHIPCryptoPAL.h" -int CHIP_aes_ccm_encrypt(unsigned char * plaintext, int plaintext_len, unsigned char * aad, int aad_len, unsigned char * key, - unsigned char * iv, unsigned char * ciphertext, unsigned char * tag) +CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_len, const unsigned char * aad, + size_t aad_len, const unsigned char * key, const unsigned char * iv, size_t iv_length, + unsigned char * ciphertext, unsigned char * tag) { // TODO: Need to implement openSSL based AES-CCM #256 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; } -int CHIP_aes_ccm_decrypt(unsigned char * ciphertext, int ciphertext_len, unsigned char * aad, int aad_len, unsigned char * tag, - unsigned char * key, unsigned char * iv, unsigned char * plaintext); +CHIP_ERROR CHIP_aes_ccm_256_decrypt(const unsigned char * ciphertext, size_t ciphertext_len, const unsigned char * aad, + size_t aad_len, const unsigned char * tag, size_t tag_length, const unsigned char * key, + const unsigned char * iv, size_t iv_length, unsigned char * plaintext) { // TODO: Need to implement openSSL based AES-CCM #256 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; diff --git a/src/crypto/CHIPCryptoPALmbedTLS.c b/src/crypto/CHIPCryptoPALmbedTLS.c index 48f1d567571d06..a2f6bd8d2b1ccc 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.c +++ b/src/crypto/CHIPCryptoPALmbedTLS.c 
@@ -22,15 +22,17 @@ #include "CHIPCryptoPAL.h" -int CHIP_aes_ccm_encrypt(unsigned char * plaintext, int plaintext_len, unsigned char * aad, int aad_len, unsigned char * key, - unsigned char * iv, unsigned char * ciphertext, unsigned char * tag) +CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_len, const unsigned char * aad, + size_t aad_len, const unsigned char * key, const unsigned char * iv, size_t iv_length, + unsigned char * ciphertext, unsigned char * tag) { // TODO: Need mbedTLS based implementation for AES-CCM #264 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; } -int CHIP_aes_ccm_decrypt(unsigned char * ciphertext, int ciphertext_len, unsigned char * aad, int aad_len, unsigned char * tag, - unsigned char * key, unsigned char * iv, unsigned char * plaintext); +CHIP_ERROR CHIP_aes_ccm_256_decrypt(const unsigned char * ciphertext, size_t ciphertext_len, const unsigned char * aad, + size_t aad_len, const unsigned char * tag, size_t tag_length, const unsigned char * key, + const unsigned char * iv, size_t iv_length, unsigned char * plaintext) { // TODO: Need mbedTLS based implementation for AES-CCM #264 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; From a08cc46c2ceeff38cf420b1be55ef19b356c7501 Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Tue, 7 Apr 2020 14:38:44 -0700 Subject: [PATCH 3/8] Add @return to doxygen comment --- src/crypto/CHIPCryptoPAL.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index 1f593e482b7e36..e3a4792b4af344 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h 
@@ -37,6 +37,7 @@ * @param iv_length Length of initial vector * @param ciphertext Buffer to write ciphertext into. Caller must ensure this is large enough to hold the ciphertext * @param tag Buffer to write tag into. Caller must ensure this is large enough to hold the tag + * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise * */ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, @@ -54,6 +55,7 @@ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plai * @param iv Initial vector * @param iv_length Length of initial vector * @param plaintext Buffer to write plaintext into + * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise **/ CHIP_ERROR CHIP_aes_ccm_256_decrypt(const unsigned char * ciphertext, size_t ciphertext_length, const unsigned char * aad, From c783e82df70ff2e9a24698db891d7768add46c30 Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Tue, 7 Apr 2020 15:43:20 -0700 Subject: [PATCH 4/8] Add tag_length to the encrypt API --- src/crypto/CHIPCryptoPAL.h | 3 ++- src/crypto/CHIPCryptoPALOpenSSL.c | 6 +++--- src/crypto/CHIPCryptoPALmbedTLS.c | 6 +++--- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index e3a4792b4af344..e12dd4605894fb 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h 
@@ -37,11 +37,12 @@ * @param iv_length Length of initial vector * @param ciphertext Buffer to write ciphertext into. Caller must ensure this is large enough to hold the ciphertext * @param tag Buffer to write tag into. Caller must ensure this is large enough to hold the tag + * @param tag_length Expected length of tag * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise * */ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, - unsigned char * ciphertext, unsigned char * tag); + unsigned char * ciphertext, unsigned char * tag, size_t tag_length); /** * @brief A function that implements 256-bit AES-CCM decryption diff --git a/src/crypto/CHIPCryptoPALOpenSSL.c b/src/crypto/CHIPCryptoPALOpenSSL.c index 55e3c4539711f7..0a386403a30389 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.c +++ b/src/crypto/CHIPCryptoPALOpenSSL.c @@ -22,9 +22,9 @@ #include "CHIPCryptoPAL.h" -CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_len, const unsigned char * aad, - size_t aad_len, const unsigned char * key, const unsigned char * iv, size_t iv_length, - unsigned char * ciphertext, unsigned char * tag) +CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, + size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, + unsigned char * ciphertext, unsigned char * tag, size_t tag_length) { // TODO: Need to implement openSSL based AES-CCM #256 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; diff --git a/src/crypto/CHIPCryptoPALmbedTLS.c b/src/crypto/CHIPCryptoPALmbedTLS.c index a2f6bd8d2b1ccc..168b07c0f7e716 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.c +++ b/src/crypto/CHIPCryptoPALmbedTLS.c 
@@ -22,9 +22,9 @@ #include "CHIPCryptoPAL.h" -CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_len, const unsigned char * aad, - size_t aad_len, const unsigned char * key, const unsigned char * iv, size_t iv_length, - unsigned char * ciphertext, unsigned char * tag) +CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, + size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, + unsigned char * ciphertext, unsigned char * tag, size_t tag_length) { // TODO: Need mbedTLS based implementation for AES-CCM #264 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; From 9817553eb4a5ef5829f06e6e7b76f37ea7c6ad14 Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Tue, 7 Apr 2020 16:22:51 -0700 Subject: [PATCH 5/8] Add ciphertext_length as an out param --- src/crypto/CHIPCryptoPAL.h | 3 ++- src/crypto/CHIPCryptoPALOpenSSL.c | 2 +- src/crypto/CHIPCryptoPALmbedTLS.c | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index e12dd4605894fb..9a28f62416b65f 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h 
@@ -36,13 +36,14 @@ * @param iv Initial vector * @param iv_length Length of initial vector * @param ciphertext Buffer to write ciphertext into. Caller must ensure this is large enough to hold the ciphertext + * @param ciphertext_length Length of generated ciphertext * @param tag Buffer to write tag into. Caller must ensure this is large enough to hold the tag * @param tag_length Expected length of tag * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise * */ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, - unsigned char * ciphertext, unsigned char * tag, size_t tag_length); + unsigned char * ciphertext, size_t &ciphertext_length, unsigned char * tag, size_t tag_length); /** * @brief A function that implements 256-bit AES-CCM decryption diff --git a/src/crypto/CHIPCryptoPALOpenSSL.c b/src/crypto/CHIPCryptoPALOpenSSL.c index 0a386403a30389..c399467fa31204 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.c +++ b/src/crypto/CHIPCryptoPALOpenSSL.c @@ -24,7 +24,7 @@ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, - unsigned char * ciphertext, unsigned char * tag, size_t tag_length) + unsigned char * ciphertext, size_t & ciphertext_length, unsigned char * tag, size_t tag_length) { // TODO: Need to implement openSSL based AES-CCM #256 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; diff --git a/src/crypto/CHIPCryptoPALmbedTLS.c b/src/crypto/CHIPCryptoPALmbedTLS.c index 168b07c0f7e716..fe0f224e725b6b 100644 --- a/src/crypto/CHIPCryptoPALmbedTLS.c +++ b/src/crypto/CHIPCryptoPALmbedTLS.c 
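Review bot: `size_t &ciphertext_length` is a C++ reference, and this prototype sits in a header that the two `.c` backends include, so unless those files are built as C++ the compiler will reject it; pass a pointer instead, `unsigned char * ciphertext, size_t * ciphertext_length, unsigned char * tag, size_t tag_length);`, and have the implementation check it for NULL before writing through it. The same parameter is added to the definitions in the CHIPCryptoPALOpenSSL.c and CHIPCryptoPALmbedTLS.c hunks of this commit. The new `@param ciphertext_length` line should mark it as an output, for example `[out] Number of bytes written to ciphertext`.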
@@ -24,7 +24,7 @@ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, - unsigned char * ciphertext, unsigned char * tag, size_t tag_length) + unsigned char * ciphertext, size_t & ciphertext_length, unsigned char * tag, size_t tag_length) { // TODO: Need mbedTLS based implementation for AES-CCM #264 return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; From be85374e50e097ec24105e3c6d1ffc45925a481d Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Tue, 7 Apr 2020 14:03:28 -0700 Subject: [PATCH 6/8] Implement AES 256 bit --- src/crypto/CHIPCryptoPAL.h | 1 - src/crypto/CHIPCryptoPALOpenSSL.c | 80 ++++++++++++++++++++++++++++++- src/lib/core/CHIPError.h | 8 ++++ 3 files changed, 86 insertions(+), 3 deletions(-) diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index 9a28f62416b65f..867f0c12df58e7 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h @@ -59,7 +59,6 @@ CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plai * @param plaintext Buffer to write plaintext into * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise **/ - CHIP_ERROR CHIP_aes_ccm_256_decrypt(const unsigned char * ciphertext, size_t ciphertext_length, const unsigned char * aad, size_t aad_length, const unsigned char * tag, size_t tag_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, unsigned char * plaintext); diff --git a/src/crypto/CHIPCryptoPALOpenSSL.c b/src/crypto/CHIPCryptoPALOpenSSL.c index c399467fa31204..0032d318082d1a 100644 --- a/src/crypto/CHIPCryptoPALOpenSSL.c +++ b/src/crypto/CHIPCryptoPALOpenSSL.c 
@@ -22,12 +22,88 @@ #include "CHIPCryptoPAL.h" +#include +#include +#include +#include + +#define kKeyLengthInBits 256 + +bool _isValidTagLength(size_t tag_length) +{ + if (tag_length == 8 || tag_length == 12 || tag_length == 16) { + return true; + } + return false; +} + CHIP_ERROR CHIP_aes_ccm_256_encrypt(const unsigned char * plaintext, size_t plaintext_length, const unsigned char * aad, size_t aad_length, const unsigned char * key, const unsigned char * iv, size_t iv_length, unsigned char * ciphertext, size_t & ciphertext_length, unsigned char * tag, size_t tag_length) { - // TODO: Need to implement openSSL based AES-CCM #256 - return CHIP_ERROR_UNSUPPORTED_ENCRYPTION_TYPE; + EVP_CIPHER_CTX * context = NULL; + size_t bytesWritten = 0; + size_t ciphertext_length = 0; + CHIP_ERROR error = CHIP_NO_ERROR; + + VerifyOrExit((plaintext != NULL && plaintext_len > 0), error = CHIP_ERROR_INVALID_ARGUMENT); + if (aad) + { + VerifyOrExit(aad_length > 0, error = CHIP_ERROR_INVALID_ARGUMENT); + } + + VerifyOrExit(key != NULL, error = CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrExit(strlen(key) * sizeof(unsigned char) == kKeyLengthInBits, error == CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrExit(iv != NULL && iv_length > 0, error = CHIP_ERROR_INVALID_ARGUMENT); + VerifyOrExit(_isValidTagLength(tag_length), error = CHIP_ERROR_INVALID_ARGUMENT); + + + context = EVP_CIPHER_CTX_new(); + VerifyOrExit(context != NULL, error = CHIP_ERROR_INTERNAL); + + // Pass in cipher + int result = EVP_EncryptInit_ex(context, EVP_aes_256_ccm(), NULL, NULL, NULL); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + + // Pass in IV length + result = EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_CCM_SET_IVLEN, iv_length, NULL); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + + // Pass in tag length + result = EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, tag_length, NULL); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + + // Pass in key + iv + result = EVP_EncryptInit_ex(ctx, NULL, 
NULL, key, iv); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + + // Pass in plain text length + result = EVP_EncryptUpdate(ctx, NULL, &bytesWritten, NULL, plaintext_len); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + + // Pass in AAD + if (aad) { + result = EVP_EncryptUpdate(ctx, NULL, &bytesWritten, aad, aad_length); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + } + + // Encrypt + result = EVP_EncryptUpdate(ctx, ciphertext, &bytesWritten, plaintext, plaintext_length); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + ciphertext_length = bytesWritten; + + // Finalize encryption + result = EVP_EncryptFinal_ex(ctx, ciphertext + ciphertext_length, &bytesWritten); + VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL); + ciphertext_length += bytesWritten; + + exit : if (context != NULL) + { + EVP_CIPHER_CTX_free(context); + context = null; + } + + return error; } CHIP_ERROR CHIP_aes_ccm_256_decrypt(const unsigned char * ciphertext, size_t ciphertext_len, const unsigned char * aad, diff --git a/src/lib/core/CHIPError.h b/src/lib/core/CHIPError.h index 5c38d7ac657092..76588482bb831b 100644 --- a/src/lib/core/CHIPError.h +++ b/src/lib/core/CHIPError.h @@ -1729,6 +1729,14 @@ typedef CHIP_CONFIG_ERROR_TYPE CHIP_ERROR; */ #define CHIP_EVENT_ID_FOUND _CHIP_ERROR(182) +/** + * @def CHIP_ERROR_UNKNOWN + * + * @brief + * Error unknown + */ +#define CHIP_ERROR_UNKNOWN _CHIP_ERROR(183) + /** * @} */ From feb05348d8150007c92753b686c58bbafbc5e967 Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Thu, 9 Apr 2020 16:29:53 -0700 Subject: [PATCH 7/8] Fix a comment --- src/crypto/CHIPCryptoPAL.h | 1 - 1 file changed, 1 deletion(-) diff --git a/src/crypto/CHIPCryptoPAL.h b/src/crypto/CHIPCryptoPAL.h index a41e5e919a2b6b..5bc47a7fddb74a 100644 --- a/src/crypto/CHIPCryptoPAL.h +++ b/src/crypto/CHIPCryptoPAL.h 
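Review bot: The key-length check in the new `CHIP_aes_ccm_256_encrypt` body is unsafe and ineffective: `strlen(key)` walks a binary key until it meets a zero byte, the result is compared with 256 (a bit count) rather than 32 bytes, and the failure action `error == CHIP_ERROR_INVALID_ARGUMENT` is a comparison, so, assuming `VerifyOrExit` runs the action and jumps to `exit`, the function returns `CHIP_NO_ERROR` without having encrypted anything. The authentication tag is never copied out either: the body sets the tag length with `EVP_CTRL_CCM_SET_TAG` but has no `EVP_CTRL_CCM_GET_TAG` call, so the caller's `tag` buffer is left unwritten on the success path. As shown the body also cannot compile, because it redeclares the `ciphertext_length` parameter as a local, refers to `plaintext_len`, `ctx` and `null`, none of which is declared, and passes a `size_t *` where `EVP_EncryptUpdate` and `EVP_EncryptFinal_ex` take an `int *`. The fence gives the declarations, argument checks and tag retrieval I would use; the call sequence in between stays as written with `context` and `plaintext_length` substituted, and `ciphertext_length` assigned through the out parameter.

```c
    EVP_CIPHER_CTX * context = NULL;
    int bytesWritten         = 0; // the EVP update/final calls report their output length through an int *
    int result               = 1;
    CHIP_ERROR error         = CHIP_NO_ERROR;

    // ... unchanged: plaintext and aad argument checks (using plaintext_length) ...

    // key is raw binary and the API passes no key length, so only NULL can be rejected here;
    // the 32-byte requirement has to be stated in the header.
    VerifyOrExit(key != NULL, error = CHIP_ERROR_INVALID_ARGUMENT);
    VerifyOrExit(ciphertext != NULL && tag != NULL, error = CHIP_ERROR_INVALID_ARGUMENT);
    // the EVP calls take int lengths; refuse values that would be truncated
    VerifyOrExit(plaintext_length <= INT_MAX && aad_length <= INT_MAX, error = CHIP_ERROR_INVALID_ARGUMENT);

    // ... unchanged: iv and tag_length checks, cipher setup through EVP_EncryptFinal_ex ...

    // Copy the computed tag into the caller's buffer
    result = EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_CCM_GET_TAG, (int) tag_length, tag);
    VerifyOrExit(result == 1, error = CHIP_ERROR_INTERNAL);
```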
@@ -36,7 +36,6 @@ * @param iv Initial vector * @param iv_length Length of initial vector * @param ciphertext Buffer to write ciphertext into. Caller must ensure this is large enough to hold the ciphertext - * @param ciphertext_length Length of generated ciphertext * @param tag Buffer to write tag into. Caller must ensure this is large enough to hold the tag * @param tag_length Expected length of tag * @return Returns a CHIP_ERROR on error, CHIP_NO_ERROR otherwise From 1de9e64690db9f09f31db0d6031a26b82ec8e152 Mon Sep 17 00:00:00 2001 From: Bhaskar Sarma Date: Thu, 9 Apr 2020 17:09:24 -0700 Subject: [PATCH 8/8] Fix formatting --- src/crypto/tests/CHIPCryptoPALOpenSSLTest.cpp | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/src/crypto/tests/CHIPCryptoPALOpenSSLTest.cpp b/src/crypto/tests/CHIPCryptoPALOpenSSLTest.cpp index 06fb5476d920da..46bb1004e21ce1 100644 --- a/src/crypto/tests/CHIPCryptoPALOpenSSLTest.cpp +++ b/src/crypto/tests/CHIPCryptoPALOpenSSLTest.cpp @@ -25,8 +25,8 @@ static void TestAES_CCM_256EncryptTestVectors(nlTestSuite * inSuite, void * inContext) { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); - int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + int numOfTestsRan = 0; + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) @@ -60,7 +60,7 @@ static void TestAES_CCM_256DecryptTestVectors(nlTestSuite * inSuite, void * inCo { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) 
@@ -86,7 +86,7 @@ static void TestAES_CCM_256EncryptInvalidPlainText(nlTestSuite * inSuite, void * { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) @@ -95,8 +95,8 @@ static void TestAES_CCM_256EncryptInvalidPlainText(nlTestSuite * inSuite, void * unsigned char out_ct[vector->ct_len]; unsigned char out_tag[vector->tag_len]; - CHIP_ERROR err = CHIP_aes_ccm_256_encrypt(vector->pt, 0, vector->aad, vector->aad_len, vector->key, - vector->iv, vector->iv_len, out_ct, out_tag, vector->tag_len); + CHIP_ERROR err = CHIP_aes_ccm_256_encrypt(vector->pt, 0, vector->aad, vector->aad_len, vector->key, vector->iv, + vector->iv_len, out_ct, out_tag, vector->tag_len); NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_INVALID_ARGUMENT); break; } @@ -108,7 +108,7 @@ static void TestAES_CCM_256EncryptNilKey(nlTestSuite * inSuite, void * inContext { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) 
@@ -130,7 +130,7 @@ static void TestAES_CCM_256EncryptInvalidIVLen(nlTestSuite * inSuite, void * inC { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) @@ -152,7 +152,7 @@ static void TestAES_CCM_256EncryptInvalidTagLen(nlTestSuite * inSuite, void * in { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) @@ -174,15 +174,15 @@ static void TestAES_CCM_256DecryptInvalidCipherText(nlTestSuite * inSuite, void { int numOfTestVectors = sizeof(ccm_test_vectors) / sizeof(ccm_test_vectors[0]); int numOfTestsRan = 0; - for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) + for (numOfTestsRan = 0; numOfTestsRan < numOfTestVectors; numOfTestsRan++) { const ccm_test_vector * vector = ccm_test_vectors[numOfTestsRan]; if (vector->key_len == 32 && vector->pt_len > 0) { unsigned char out_pt[vector->pt_len]; - CHIP_ERROR err = CHIP_aes_ccm_256_decrypt(vector->ct, 0, vector->aad, vector->aad_len, vector->tag, - vector->tag_len, vector->key, vector->iv, vector->iv_len, out_pt); + CHIP_ERROR err = CHIP_aes_ccm_256_decrypt(vector->ct, 0, vector->aad, vector->aad_len, vector->tag, vector->tag_len, + vector->key, vector->iv, vector->iv_len, out_pt); NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_INVALID_ARGUMENT); break; } 
@@ -201,8 +201,8 @@ static void TestAES_CCM_256DecryptInvalidKey(nlTestSuite * inSuite, void * inCon { unsigned char out_pt[vector->pt_len]; - CHIP_ERROR err = CHIP_aes_ccm_256_decrypt(vector->ct, vector->ct_len, vector->aad, vector->aad_len, vector->tag, vector->tag_len, - NULL, vector->iv, vector->iv_len, out_pt); + CHIP_ERROR err = CHIP_aes_ccm_256_decrypt(vector->ct, vector->ct_len, vector->aad, vector->aad_len, vector->tag, + vector->tag_len, NULL, vector->iv, vector->iv_len, out_pt); NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_INVALID_ARGUMENT); break; }