[crypto] Log PSA crypto error codes in more places
Log PSA crypto error codes in more places to make it easier
to catch and analyze crypto misconfiguration, such as too
few available key slots.

Signed-off-by: Damian Krolik <[email protected]>
Damian-Nordic committed May 10, 2024
1 parent 0d67568 commit 2ecdb4f
Showing 4 changed files with 27 additions and 17 deletions.
33 changes: 18 additions & 15 deletions src/crypto/CHIPCryptoPALPSA.cpp
Expand Up @@ -48,14 +48,6 @@ namespace Crypto {

namespace {

void logPsaError(psa_status_t status)
{
if (status != 0)
{
ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
}
}

bool isBufferNonEmpty(const uint8_t * data, size_t data_length)
{
return data != nullptr && data_length > 0;
Expand Down Expand Up @@ -281,6 +273,7 @@ CHIP_ERROR PsaKdf::Init(const ByteSpan & secret, const ByteSpan & salt, const By
psa_set_key_usage_flags(&attrs, PSA_KEY_USAGE_DERIVE);

status = psa_import_key(&attrs, secret.data(), secret.size(), &mSecretKeyId);
LogPsaError(status);
psa_reset_key_attributes(&attrs);
VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);

Expand Down Expand Up @@ -312,6 +305,14 @@ CHIP_ERROR PsaKdf::InitOperation(psa_key_id_t hkdfKey, const ByteSpan & salt, co
return CHIP_NO_ERROR;
}

void LogPsaError(psa_status_t status)
{
if (status != PSA_SUCCESS)
{
ChipLogError(Crypto, "PSA error: %d", static_cast<int>(status));
}
}

CHIP_ERROR PsaKdf::DeriveBytes(const MutableByteSpan & output)
{
psa_status_t status = psa_key_derivation_output_bytes(&mOperation, output.data(), output.size());
Expand Down Expand Up @@ -367,6 +368,7 @@ CHIP_ERROR HMAC_sha::HMAC_SHA256(const uint8_t * key, size_t key_length, const u
VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INTERNAL);

exit:
LogPsaError(status);
psa_destroy_key(keyId);
psa_reset_key_attributes(&attrs);

Expand Down Expand Up @@ -476,6 +478,7 @@ CHIP_ERROR PBKDF2_sha256::pbkdf2_sha256(const uint8_t * pass, size_t pass_length
}

exit:
LogPsaError(status);
psa_destroy_key(keyId);
psa_reset_key_attributes(&attrs);

Expand Down Expand Up @@ -519,7 +522,7 @@ CHIP_ERROR P256Keypair::ECDSA_sign_msg(const uint8_t * msg, const size_t msg_len
error = out_signature.SetLength(outputLen);

exit:
logPsaError(status);
LogPsaError(status);
return error;
}

Expand All @@ -544,7 +547,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_msg_signature(const uint8_t * msg, cons
VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);

exit:
logPsaError(status);
LogPsaError(status);
psa_destroy_key(keyId);
psa_reset_key_attributes(&attributes);

Expand Down Expand Up @@ -573,7 +576,7 @@ CHIP_ERROR P256PublicKey::ECDSA_validate_hash_signature(const uint8_t * hash, co
VerifyOrExit(status == PSA_SUCCESS, error = CHIP_ERROR_INVALID_SIGNATURE);

exit:
logPsaError(status);
LogPsaError(status);
psa_destroy_key(keyId);
psa_reset_key_attributes(&attributes);

Expand All @@ -596,7 +599,7 @@ CHIP_ERROR P256Keypair::ECDH_derive_secret(const P256PublicKey & remote_public_k
SuccessOrExit(error = out_secret.SetLength(outputLength));

exit:
logPsaError(status);
LogPsaError(status);

return error;
}
Expand Down Expand Up @@ -671,7 +674,7 @@ CHIP_ERROR P256Keypair::Initialize(ECPKeyTarget key_target)
mInitialized = true;

exit:
logPsaError(status);
LogPsaError(status);
psa_reset_key_attributes(&attributes);

return error;
Expand All @@ -697,7 +700,7 @@ CHIP_ERROR P256Keypair::Serialize(P256SerializedKeypair & output) const
error = output.SetLength(bbuf.Needed());

exit:
logPsaError(status);
LogPsaError(status);

return error;
}
Expand Down Expand Up @@ -728,7 +731,7 @@ CHIP_ERROR P256Keypair::Deserialize(P256SerializedKeypair & input)
mInitialized = true;

exit:
logPsaError(status);
LogPsaError(status);

return error;
}
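Review bot: The `psa_destroy_key(keyId)` calls that follow the newly added `LogPsaError(status)` at the `exit:` labels of `HMAC_SHA256` and `pbkdf2_sha256` still discard their return value, so a key that fails to be destroyed goes unreported even though it keeps a key slot occupied. Since the commit's stated aim is to surface problems such as running out of key slots, the cleanup result is worth logging too, e.g. `LogPsaError(psa_destroy_key(keyId));`. The same applies to the `exit:` paths of `ECDSA_validate_msg_signature` and `ECDSA_validate_hash_signature`. This assumes `keyId` starts out as the null key id, so that a failed import does not cause a spurious error from the destroy call; the declarations are outside the hunks shown and should be checked.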
5 changes: 5 additions & 0 deletions src/crypto/CHIPCryptoPALPSA.h
Expand Up @@ -150,5 +150,10 @@ class PsaKdf
psa_key_derivation_operation_t mOperation = PSA_KEY_DERIVATION_OPERATION_INIT;
};

/**
* @brief Log PSA status code if it indicates an error.
*/
void LogPsaError(psa_status_t status);

} // namespace Crypto
} // namespace chip
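Review bot: The doc comment on `LogPsaError` does not say what is logged, and the message it emits (`"PSA error: %d"` in CHIPCryptoPALPSA.cpp) gives no indication of which operation failed. Now that the function is exported and called from the three `CreateKey` overloads in PSASessionKeystore.cpp, from PSAOperationalKeystore.cpp and from the call sites in CHIPCryptoPALPSA.cpp, identical log lines cannot be told apart when analysing a failure. Consider documenting that only the numeric `psa_status_t` is printed and that `PSA_SUCCESS` produces no output. Alternatively, add an overload that takes a short context string, e.g. `void LogPsaError(psa_status_t status, const char * context);`.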
1 change: 1 addition & 0 deletions src/crypto/PSAOperationalKeystore.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -160,6 +160,7 @@ CHIP_ERROR PSAOperationalKeystore::PersistentP256Keypair::Deserialize(P256Serial
memcpy(mPublicKey.Bytes(), input.ConstBytes(), mPublicKey.Length());

exit:
LogPsaError(status);
psa_reset_key_attributes(&attributes);

return error;
5 changes: 3 additions & 2 deletions src/crypto/PSASessionKeystore.cpp
Expand Up @@ -92,6 +92,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
AesKeyAttributes attrs;
psa_status_t status =
psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());
LogPsaError(status);
VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);

return CHIP_NO_ERROR;
Expand All @@ -105,7 +106,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const Symmetric128BitsKeyByteArray & ke
HmacKeyAttributes attrs;
psa_status_t status =
psa_import_key(&attrs.Get(), keyMaterial, sizeof(Symmetric128BitsKeyByteArray), &key.AsMutable<psa_key_id_t>());

LogPsaError(status);
VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);

return CHIP_NO_ERROR;
Expand All @@ -118,7 +119,7 @@ CHIP_ERROR PSASessionKeystore::CreateKey(const ByteSpan & keyMaterial, HkdfKeyHa

HkdfKeyAttributes attrs;
psa_status_t status = psa_import_key(&attrs.Get(), keyMaterial.data(), keyMaterial.size(), &key.AsMutable<psa_key_id_t>());

LogPsaError(status);
VerifyOrReturnError(status == PSA_SUCCESS, CHIP_ERROR_INTERNAL);

return CHIP_NO_ERROR;
