fix: for mbedtls update

project-chip · Jul 1, 2023 · b95e864 · b95e864
1 parent aa6aa47
commit b95e864
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 17 deletions.
diff --git a/matter/src/crypto/crypto_mbedtls.rs b/matter/src/crypto/crypto_mbedtls.rs
@@ -74,10 +74,15 @@ impl KeyPair {
  }
 
  pub fn new_from_components(_pub_key: &[u8], priv_key: &[u8]) -> Result<Self, Error> {
+ let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
  // No rust-mbedtls API yet for creating keypair from both public and private key
  let priv_key = Mpi::from_binary(priv_key)?;
  Ok(Self {
- key: Pk::private_from_ec_components(EcGroup::new(EcGroupId::SecP256R1)?, priv_key)?,
+ key: Pk::private_from_ec_components(
+ &mut ctr_drbg,
+ EcGroup::new(EcGroupId::SecP256R1)?,
+ priv_key,
+ )?,
  })
  }
 
@@ -91,9 +96,13 @@ impl KeyPair {
  }
 
  pub fn get_csr<'a>(&self, out_csr: &'a mut [u8]) -> Result<&'a [u8], Error> {
+ let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
  let tmp_priv = self.key.ec_private()?;
- let mut tmp_key =
- Pk::private_from_ec_components(EcGroup::new(EcGroupId::SecP256R1)?, tmp_priv)?;
+ let mut tmp_key = Pk::private_from_ec_components(
+ &mut ctr_drbg,
+ EcGroup::new(EcGroupId::SecP256R1)?,
+ tmp_priv,
+ )?;
 
  let mut builder = x509::csr::Builder::new();
  builder.key(&mut tmp_key);
@@ -134,29 +143,36 @@ impl KeyPair {
  }
 
  pub fn derive_secret(self, peer_pub_key: &[u8], secret: &mut [u8]) -> Result<usize, Error> {
+ let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
  // mbedtls requires a 'mut' key. Instead of making a change in our Trait,
  // we just clone the key this way
 
  let tmp_key = self.key.ec_private()?;
- let mut tmp_key =
- Pk::private_from_ec_components(EcGroup::new(EcGroupId::SecP256R1)?, tmp_key)?;
+ let mut tmp_key = Pk::private_from_ec_components(
+ &mut ctr_drbg,
+ EcGroup::new(EcGroupId::SecP256R1)?,
+ tmp_key,
+ )?;
 
  let group = EcGroup::new(EcGroupId::SecP256R1)?;
  let other = EcPoint::from_binary(&group, peer_pub_key)?;
  let other = Pk::public_from_ec_components(group, other)?;
 
  let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
-
  let len = tmp_key.agree(&other, secret, &mut ctr_drbg)?;
  Ok(len)
  }
 
  pub fn sign_msg(&self, msg: &[u8], signature: &mut [u8]) -> Result<usize, Error> {
+ let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
  // mbedtls requires a 'mut' key. Instead of making a change in our Trait,
  // we just clone the key this way
  let tmp_key = self.key.ec_private()?;
- let mut tmp_key =
- Pk::private_from_ec_components(EcGroup::new(EcGroupId::SecP256R1)?, tmp_key)?;
+ let mut tmp_key = Pk::private_from_ec_components(
+ &mut ctr_drbg,
+ EcGroup::new(EcGroupId::SecP256R1)?,
+ tmp_key,
+ )?;
 
  // First get the SHA256 of the message
  let mut msg_hash = [0_u8; super::SHA256_HASH_LEN_BYTES];
@@ -294,18 +310,16 @@ pub fn encrypt_in_place(
  nonce: &[u8],
  ad: &[u8],
  data: &mut [u8],
- data_len: usize,
+ _: usize,
 ) -> Result<usize, Error> {
  let cipher = Cipher::<_, Authenticated, _>::new(
  mbedtls::cipher::raw::CipherId::Aes,
  mbedtls::cipher::raw::CipherMode::CCM,
  (key.len() * 8) as u32,
  )?;
  let cipher = cipher.set_key_iv(key, nonce)?;
- let (data, tag) = data.split_at_mut(data_len);
- let tag = &mut tag[..super::AEAD_MIC_LEN_BYTES];
  cipher
- .encrypt_auth_inplace(ad, data, tag)
+ .encrypt_auth_inplace(ad, data, super::AEAD_MIC_LEN_BYTES)
  .map(|(len, _)| len)
  .map_err(|_e| ErrorCode::TLSStack.into())
 }
@@ -322,10 +336,8 @@ pub fn decrypt_in_place(
  (key.len() * 8) as u32,
  )?;
  let cipher = cipher.set_key_iv(key, nonce)?;
- let data_len = data.len() - super::AEAD_MIC_LEN_BYTES;
- let (data, tag) = data.split_at_mut(data_len);
  cipher
- .decrypt_auth_inplace(ad, data, tag)
+ .decrypt_auth_inplace(ad, data, super::AEAD_MIC_LEN_BYTES)
  .map(|(len, _)| len)
  .map_err(|e| {
  error!("Error during decryption: {:?}", e);

diff --git a/matter/src/secure_channel/crypto_mbedtls.rs b/matter/src/secure_channel/crypto_mbedtls.rs
@@ -130,7 +130,11 @@ impl CryptoSpake2 {
  // where P is the generator of the underlying elliptic curve
  self.set_w1_from_w1s(w1s)?;
  // TODO: rust-mbedtls doesn't yet accept the DRBG parameter
- self.L = self.group.generator()?.mul(&mut self.group, &self.w1)?;
+ let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
+ self.L = self
+ .group
+ .generator()?
+ .mul(&mut self.group, &self.w1, &mut ctr_drbg)?;
  Ok(())
  }
 
@@ -288,7 +292,8 @@ impl CryptoSpake2 {
  let Z = EcPoint::muladd(group, X, y, &inverted_M, &tmp)?;
  // Cofactor for P256 is 1, so that is a No-Op
 
- let V = L.mul(group, y)?;
+ let mut ctr_drbg = CtrDrbg::new(Arc::new(OsEntropy::new()), None)?;
+ let V = L.mul(group, y, &mut ctr_drbg)?;
  Ok((Z, V))
  }