Hkdf integration #383
Hkdf integration #383
Conversation
…e array (#30802) * Rename aes key byte array to symmetric key byte array * Restyled by clang-format --------- Co-authored-by: Restyled.io <commits@restyled.io>
…829) * Rename Aes128KeyHandle to Aes128BitsKeyHandle * create foundation for HMAC algo * Restyled by clang-format * add missing getter * Fix set algo for handle * Apply suggestions from code review Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> --------- Co-authored-by: Restyled.io <commits@restyled.io> Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>
* Add new API for HMAC with key handle * Rename Aes128BitsKeyHandle to Aes128KeyHandle * Rename Hmac128BitsKeyHandle to Hmac128KeyHandle * Replace virtual destructor with a protected one * key algo creation --------- Co-authored-by: Mathieu Kardous <mathieu.kardous@silabs.com>
…1311) * [crypto] Add HKDF key handle and use it during PASE Current SPAKE2+ interface assumes that raw shared secret is extracted and used by the application to derive session keys. This prevents using secure crypto APIs, such as PSA, to perform SPAKE2+ and do the key derivation in a secure environment, and isolate the application from key material. 1. Add Hkdf128KeyHandle type and add methods for deriving session keys from an HKDF key. 2. Change SPAKE2+ interface to return HKDF key handle instead of raw key secret. A similar approach can be taken to improve CASE security in the future though we would need 256-bit HKDF key support in such a case. * Change HKDF key handle to hold key of any length * Code review
github-actions
bot
added
platform
nrf connect
app
lib
core
crypto
transport
protocols
silabs
icd
labels
kkasperczyk-no
requested review from
Damian-Nordic,
ArekBalysNordic,
LuDuda and
markaj-nordic
and removed request for
Damian-Nordic
|
As discussed F2F, this PR could come without the requested optimization. So for a time being, removing request change. |
kkasperczyk-no
force-pushed
the
hkdf_integration
branch
from
ee88af1 to
efcdfd7
Compare
|
@LuDuda I pushed an updated version that does not require using oberon context. Please take a look once again. |
kkasperczyk-no
force-pushed
the
hkdf_integration
branch
from
efcdfd7 to
2e3ca4c
Compare
| @@ -40,7 +40,8 @@ | |||
|
|
|||
| #ifdef CONFIG_CHIP_CRYPTO_PSA | |||
| #define CHIP_CONFIG_SHA256_CONTEXT_SIZE sizeof(psa_hash_operation_t) | |||
| #define CHIP_CONFIG_HKDF_KEY_HANDLE_CONTEXT_SIZE sizeof(psa_key_id_t) | |||
| // Alignment to sizeof(PsaHkdfKeyHandle) from crypto/CHIPCryptoPALPSA.h. | |||
| #define CHIP_CONFIG_HKDF_KEY_HANDLE_CONTEXT_SIZE (sizeof(psa_key_id_t) + sizeof(bool)) | |||
There was a problem hiding this comment.
It will effectively be 8 due to padding
There was a problem hiding this comment.
Right, but is it a problem? Or you mean updating the comment to be more precise?
There was a problem hiding this comment.
A bit confusing because CHIP_CONFIG_HKDF_KEY_HANDLE_CONTEXT_SIZE is 5 and we cast the handle to a structure that is 8 bytes. But maybe I'm too paranoid so let's leave it as it is :). After all, the cast is statically verified so it should be safe.
There was a problem hiding this comment.
Ah, now I see what you mean. Yeah, indeed it looks incorrect. The best option would be to use the sizeof(PsaHkdfKeyHandle), but include is not possible. Another option could be to declare the structure of the same content, as PsaHkdfKeyHandle, but I'm not sure. Maybe for now it's ok to leave it, as we are going to revert it soon.
There was a problem hiding this comment.
If it works, then fine! But don't we have any macro or util to align to 8-bytes in Matter?
There was a problem hiding this comment.
There are cpp macros to generally align the data structure, or return the aligned size of specific type, but to be honest I don't know the macro that would return aligned size from the numerical unaligned size.
kkasperczyk-no
force-pushed
the
hkdf_integration
branch
2 times, most recently
from
3a8936a to
2a4fb92
Compare
kkasperczyk-no
force-pushed
the
hkdf_integration
branch
from
2a4fb92 to
50b0fd7
Compare
kkasperczyk-no
force-pushed
the
hkdf_integration
branch
from
50b0fd7 to
4cd2da5
Compare
|
|
||
| memcpy(out, oberonCtx.shared, oberonCtx.hash_len / 2); | ||
| *out_len = oberonCtx.hash_len / 2; | ||
| kdfPtr.release(); |
There was a problem hiding this comment.
I guess it's fine and more clean.. but do we need to release it explicitly?
There was a problem hiding this comment.
Could you clarify? We have to release it to inform the UniquePtr that the memory will be deleted in some other place (by the DestroyKey method). If we won't do that, the UniquePtr will delete key just after we leave the scope, which is ok only if we faced an error.
| @@ -40,7 +40,8 @@ | |||
|
|
|||
| #ifdef CONFIG_CHIP_CRYPTO_PSA | |||
| #define CHIP_CONFIG_SHA256_CONTEXT_SIZE sizeof(psa_hash_operation_t) | |||
| #define CHIP_CONFIG_HKDF_KEY_HANDLE_CONTEXT_SIZE sizeof(psa_key_id_t) | |||
| // Alignment to sizeof(PsaHkdfKeyHandle) from crypto/CHIPCryptoPALPSA.h. | |||
| #define CHIP_CONFIG_HKDF_KEY_HANDLE_CONTEXT_SIZE (sizeof(psa_key_id_t) + sizeof(bool)) | |||
There was a problem hiding this comment.
If it works, then fine! But don't we have any macro or util to align to 8-bytes in Matter?
* Aligned Spake2+ implementation with the new CHIPCryptoPAL API using HKDF key handle instead of raw data. * Removed workaround extracting raw key data from oberon context. * Removed const from GetKeys and DeriveSecureSession methods, as PSA API requires access to non-const members to obtains shared secret. Signed-off-by: Kamil Kasperczyk <kamil.kasperczyk@nordicsemi.no>
kkasperczyk-no
force-pushed
the
hkdf_integration
branch
from
4cd2da5 to
4bbfbfe
Compare
Pulled the most recent changes in CHIPCryptoPAL to integrate usage of HKDF key handle instead of raw data.