diff --git a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp index d02a994e9b3498..a56056d9b69d46 100644 --- a/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp +++ b/src/app/clusters/operational-credentials-server/operational-credentials-server.cpp @@ -50,9 +50,6 @@ #include #include #include -#if CHIP_CRYPTO_HSM -#include -#endif using namespace chip; using namespace ::chip::Transport; diff --git a/src/credentials/FabricTable.cpp b/src/credentials/FabricTable.cpp index a91feb68bdcbfb..257caa0526175a 100644 --- a/src/credentials/FabricTable.cpp +++ b/src/credentials/FabricTable.cpp @@ -1334,6 +1334,28 @@ CHIP_ERROR FabricTable::ReadFabricInfo(TLV::ContiguousBufferTLVReader & reader) return CHIP_NO_ERROR; } +Crypto::P256Keypair * FabricTable::AllocateEphemeralKeypairForCASE() +{ + if (mOperationalKeystore != nullptr) + { + return mOperationalKeystore->AllocateEphemeralKeypairForCASE(); + } + + return Platform::New(); +} + +void FabricTable::ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) +{ + if (mOperationalKeystore != nullptr) + { + mOperationalKeystore->ReleaseEphemeralKeypair(keypair); + } + else + { + Platform::Delete(keypair); + } +} + CHIP_ERROR FabricTable::StoreCommitMarker(const CommitMarker & commitMarker) { DefaultStorageKeyAllocator keyAlloc; diff --git a/src/credentials/FabricTable.h b/src/credentials/FabricTable.h index b7cffb12dcf114..dfca651d6f9cc1 100644 --- a/src/credentials/FabricTable.h +++ b/src/credentials/FabricTable.h @@ -582,6 +582,26 @@ class DLL_EXPORT FabricTable */ CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, ByteSpan message, Crypto::P256ECDSASignature & outSignature) const; + /** + * @brief Create an ephemeral keypair for use in session establishment. + * + * WARNING: The return value MUST be released by `ReleaseEphemeralKeypair`. This is because + * Matter CHIPMem.h does not properly support UniquePtr in a way that would + * safely allow classes derived from Crypto::P256Keypair to be released properly. + * + * This delegates to the OperationalKeystore if one exists, otherwise it directly allocates a base + * Crypto::P256Keypair instance + * + * @return a pointer to a dynamically P256Keypair (or derived class thereof), which may evaluate to nullptr + * if running out of memory. + */ + Crypto::P256Keypair * AllocateEphemeralKeypairForCASE(); + + /** + * @brief Release an ephemeral keypair previously created by `AllocateEphemeralKeypairForCASE()` + */ + void ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair); + /** * This initializes a new keypair for the given fabric and generates a CSR for it, * so that it can be passed in a CSRResponse. diff --git a/src/credentials/tests/TestFabricTable.cpp b/src/credentials/tests/TestFabricTable.cpp index b652dfbfd120a3..a8d38219e42e60 100644 --- a/src/credentials/tests/TestFabricTable.cpp +++ b/src/credentials/tests/TestFabricTable.cpp @@ -1742,6 +1742,61 @@ void TestInvalidChaining(nlTestSuite * inSuite, void * inContext) // TODO: Write test } +void TestEphemeralKeys(nlTestSuite * inSuite, void * inContext) +{ + // Initialize a fabric table with operational keystore + { + chip::TestPersistentStorageDelegate storage; + + // Initialize a FabricTable + ScopedFabricTable fabricTableHolder; + NL_TEST_ASSERT(inSuite, fabricTableHolder.Init(&storage) == CHIP_NO_ERROR); + FabricTable & fabricTable = fabricTableHolder.GetFabricTable(); + + Crypto::P256ECDSASignature sig; + uint8_t message[] = { 'm', 's', 'g' }; + + Crypto::P256Keypair * ephemeralKeypair = fabricTable.AllocateEphemeralKeypairForCASE(); + NL_TEST_ASSERT(inSuite, ephemeralKeypair != nullptr); + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize()); + + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->ECDSA_sign_msg(message, sizeof(message), sig)); + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Pubkey().ECDSA_validate_msg_signature(message, sizeof(message), sig)); + + fabricTable.ReleaseEphemeralKeypair(ephemeralKeypair); + } + + // Use a fabric table without an operational keystore: should still work + { + chip::TestPersistentStorageDelegate storage; + + chip::Credentials::PersistentStorageOpCertStore opCertStore; + NL_TEST_ASSERT_SUCCESS(inSuite, opCertStore.Init(&storage)); + + FabricTable fabricTable; + FabricTable::InitParams initParams; + initParams.storage = &storage; + initParams.opCertStore = &opCertStore; + + NL_TEST_ASSERT_SUCCESS(inSuite, fabricTable.Init(initParams)); + + Crypto::P256ECDSASignature sig; + uint8_t message[] = { 'm', 's', 'g' }; + + Crypto::P256Keypair * ephemeralKeypair = fabricTable.AllocateEphemeralKeypairForCASE(); + NL_TEST_ASSERT(inSuite, ephemeralKeypair != nullptr); + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize()); + + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->ECDSA_sign_msg(message, sizeof(message), sig)); + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Pubkey().ECDSA_validate_msg_signature(message, sizeof(message), sig)); + + fabricTable.ReleaseEphemeralKeypair(ephemeralKeypair); + + fabricTable.Shutdown(); + opCertStore.Finish(); + } +} + void TestCommitMarker(nlTestSuite * inSuite, void * inContext) { Crypto::P256PublicKey fIdx1PublicKey; @@ -1765,7 +1820,7 @@ void TestCommitMarker(nlTestSuite * inSuite, void * inContext) // - FabricID 2222, Node ID 66 // - Abort commit on second fabric { - // Initialize a FabricTable + // Initialize a fabric table ScopedFabricTable fabricTableHolder; NL_TEST_ASSERT(inSuite, fabricTableHolder.Init(&storage) == CHIP_NO_ERROR); FabricTable & fabricTable = fabricTableHolder.GetFabricTable(); @@ -1976,6 +2031,7 @@ static const nlTest sTests[] = NL_TEST_DEF("Test compressed fabric ID is properly generated", TestCompressedFabricId), NL_TEST_DEF("Test AddNOC root collision", TestAddNocRootCollision), NL_TEST_DEF("Test invalid chaining in AddNOC and UpdateNOC", TestInvalidChaining), + NL_TEST_DEF("Test ephemeral keys allocation", TestEphemeralKeys), NL_TEST_DEF("Test proper detection of Commit Marker on init", TestCommitMarker), NL_TEST_SENTINEL() diff --git a/src/crypto/OperationalKeystore.h b/src/crypto/OperationalKeystore.h index 443542bf8b7bfe..bfa846b9d1a8be 100644 --- a/src/crypto/OperationalKeystore.h +++ b/src/crypto/OperationalKeystore.h @@ -168,6 +168,32 @@ class OperationalKeystore */ virtual CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message, Crypto::P256ECDSASignature & outSignature) const = 0; + + /** + * @brief Create an ephemeral keypair for use in session establishment. + * + * The caller must Initialize() the P256Keypair if needed. It is not done by this method. + * + * This method MUST ONLY be used for CASESession ephemeral keys. + * + * NOTE: The stack will allocate as many of these as there are CASE sessions which + * can be concurrently in the process of establishment. Implementations must + * support more than one such keypair, or be implemented to match the limitations + * enforced by a given product on its concurrent CASE session establishment limits. + * + * WARNING: The return value MUST be released by `ReleaseEphemeralKeypair`. This is because + * Matter CHIPMem.h does not properly support UniquePtr in a way that would + * safely allow classes derived from Crypto::P256Keypair to be released properly. + * + * @return a pointer to a P256Keypair (or derived class thereof), which may evaluate to nullptr + * if running out of memory. + */ + virtual Crypto::P256Keypair * AllocateEphemeralKeypairForCASE() = 0; + + /** + * @brief Release an ephemeral keypair previously provided by `AllocateEphemeralKeypairForCASE()` + */ + virtual void ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) = 0; }; } // namespace Crypto diff --git a/src/crypto/PersistentStorageOperationalKeystore.cpp b/src/crypto/PersistentStorageOperationalKeystore.cpp index 96350ba4972d91..94c19888dc93b0 100644 --- a/src/crypto/PersistentStorageOperationalKeystore.cpp +++ b/src/crypto/PersistentStorageOperationalKeystore.cpp @@ -296,4 +296,19 @@ CHIP_ERROR PersistentStorageOperationalKeystore::SignWithOpKeypair(FabricIndex f return SignWithStoredOpKey(fabricIndex, mStorage, message, outSignature); } +Crypto::P256Keypair * PersistentStorageOperationalKeystore::AllocateEphemeralKeypairForCASE() +{ + // DO NOT CUT AND PASTE without considering the ReleaseEphemeralKeypair(). + // If allocating a derived class, then `ReleaseEphemeralKeypair` MUST + // de-allocate the derived class after up-casting the base class pointer. + return Platform::New(); +} + +void PersistentStorageOperationalKeystore::ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) +{ + // DO NOT CUT AND PASTE without considering the AllocateEphemeralKeypairForCASE(). + // This must delete the same concrete class as allocated in `AllocateEphemeralKeypairForCASE` + Platform::Delete(keypair); +} + } // namespace chip diff --git a/src/crypto/PersistentStorageOperationalKeystore.h b/src/crypto/PersistentStorageOperationalKeystore.h index 1073147175dd9b..1a6c08c4f8fb6e 100644 --- a/src/crypto/PersistentStorageOperationalKeystore.h +++ b/src/crypto/PersistentStorageOperationalKeystore.h @@ -85,6 +85,8 @@ class PersistentStorageOperationalKeystore : public Crypto::OperationalKeystore void RevertPendingKeypair() override; CHIP_ERROR SignWithOpKeypair(FabricIndex fabricIndex, const ByteSpan & message, Crypto::P256ECDSASignature & outSignature) const override; + Crypto::P256Keypair * AllocateEphemeralKeypairForCASE() override; + void ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) override; protected: void ResetPendingKey() diff --git a/src/crypto/tests/TestPersistentStorageOpKeyStore.cpp b/src/crypto/tests/TestPersistentStorageOpKeyStore.cpp index 34d10d3971d507..b962626b59d4d1 100644 --- a/src/crypto/tests/TestPersistentStorageOpKeyStore.cpp +++ b/src/crypto/tests/TestPersistentStorageOpKeyStore.cpp @@ -24,6 +24,7 @@ #include #include #include +#include #include #include @@ -194,12 +195,33 @@ void TestBasicLifeCycle(nlTestSuite * inSuite, void * inContext) opKeystore.Finish(); } +void TestEphemeralKeys(nlTestSuite * inSuite, void * inContext) +{ + chip::TestPersistentStorageDelegate storage; + + PersistentStorageOperationalKeystore opKeyStore; + NL_TEST_ASSERT_SUCCESS(inSuite, opKeyStore.Init(&storage)); + + Crypto::P256ECDSASignature sig; + uint8_t message[] = { 'm', 's', 'g' }; + + Crypto::P256Keypair * ephemeralKeypair = opKeyStore.AllocateEphemeralKeypairForCASE(); + NL_TEST_ASSERT(inSuite, ephemeralKeypair != nullptr); + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Initialize()); + + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->ECDSA_sign_msg(message, sizeof(message), sig)); + NL_TEST_ASSERT_SUCCESS(inSuite, ephemeralKeypair->Pubkey().ECDSA_validate_msg_signature(message, sizeof(message), sig)); + + opKeyStore.ReleaseEphemeralKeypair(ephemeralKeypair); + + opKeyStore.Finish(); +} + /** * Test Suite. It lists all the test functions. */ static const nlTest sTests[] = { NL_TEST_DEF("Test Basic Lifecycle of PersistentStorageOperationalKeystore", TestBasicLifeCycle), - - NL_TEST_SENTINEL() }; + NL_TEST_DEF("Test ephemeral key management", TestEphemeralKeys), NL_TEST_SENTINEL() }; /** * Set up the test suite. diff --git a/src/lib/support/CHIPMem.h b/src/lib/support/CHIPMem.h index 3bd852210de5a4..a1e27c20b73ce3 100644 --- a/src/lib/support/CHIPMem.h +++ b/src/lib/support/CHIPMem.h @@ -160,6 +160,11 @@ inline T * New(Args &&... args) template inline void Delete(T * p) { + if (p == nullptr) + { + return; + } + p->~T(); MemoryFree(p); } diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp index d7b18d003daf86..5699513d9ccb01 100644 --- a/src/protocols/secure_channel/CASESession.cpp +++ b/src/protocols/secure_channel/CASESession.cpp @@ -144,9 +144,12 @@ void CASESession::Clear() mState = State::kInitialized; Crypto::ClearSecretData(mIPK); - if (mFabricsTable) + if (mFabricsTable != nullptr) { mFabricsTable->RemoveFabricDelegate(this); + + mFabricsTable->ReleaseEphemeralKeypair(mEphemeralKey); + mEphemeralKey = nullptr; } mLocalNodeId = kUndefinedNodeId; @@ -394,7 +397,9 @@ CHIP_ERROR CASESession::SendSigma1() VerifyOrReturnError(GetLocalSessionId().HasValue(), CHIP_ERROR_INCORRECT_STATE); // Generate an ephemeral keypair - ReturnErrorOnFailure(mEphemeralKey.Initialize()); + mEphemeralKey = mFabricsTable->AllocateEphemeralKeypairForCASE(); + VerifyOrReturnError(mEphemeralKey != nullptr, CHIP_ERROR_NO_MEMORY); + ReturnErrorOnFailure(mEphemeralKey->Initialize()); // Fill in the random value ReturnErrorOnFailure(DRBG_get_bytes(mInitiatorRandom, sizeof(mInitiatorRandom))); @@ -427,7 +432,7 @@ CHIP_ERROR CASESession::SendSigma1() ReturnErrorOnFailure(tlvWriter.PutBytes(TLV::ContextTag(3), destinationIdentifier, sizeof(destinationIdentifier))); ReturnErrorOnFailure( - tlvWriter.PutBytes(TLV::ContextTag(4), mEphemeralKey.Pubkey(), static_cast(mEphemeralKey.Pubkey().Length()))); + tlvWriter.PutBytes(TLV::ContextTag(4), mEphemeralKey->Pubkey(), static_cast(mEphemeralKey->Pubkey().Length()))); if (mLocalMRPConfig.HasValue()) { @@ -720,18 +725,17 @@ CHIP_ERROR CASESession::SendSigma2() ReturnErrorOnFailure(DRBG_get_bytes(&msg_rand[0], sizeof(msg_rand))); // Generate an ephemeral keypair -#ifdef ENABLE_HSM_CASE_EPHEMERAL_KEY - mEphemeralKey.SetKeyId(CASE_EPHEMERAL_KEY); -#endif - ReturnErrorOnFailure(mEphemeralKey.Initialize()); + mEphemeralKey = mFabricsTable->AllocateEphemeralKeypairForCASE(); + VerifyOrReturnError(mEphemeralKey != nullptr, CHIP_ERROR_NO_MEMORY); + ReturnErrorOnFailure(mEphemeralKey->Initialize()); // Generate a Shared Secret - ReturnErrorOnFailure(mEphemeralKey.ECDH_derive_secret(mRemotePubKey, mSharedSecret)); + ReturnErrorOnFailure(mEphemeralKey->ECDH_derive_secret(mRemotePubKey, mSharedSecret)); uint8_t msg_salt[kIPKSize + kSigmaParamRandomNumberSize + kP256_PublicKey_Length + kSHA256_Hash_Length]; MutableByteSpan saltSpan(msg_salt); - ReturnErrorOnFailure(ConstructSaltSigma2(ByteSpan(msg_rand), mEphemeralKey.Pubkey(), ByteSpan(mIPK), saltSpan)); + ReturnErrorOnFailure(ConstructSaltSigma2(ByteSpan(msg_rand), mEphemeralKey->Pubkey(), ByteSpan(mIPK), saltSpan)); HKDF_sha_crypto mHKDF; uint8_t sr2k[CHIP_CRYPTO_SYMMETRIC_KEY_LENGTH_BYTES]; @@ -745,7 +749,7 @@ CHIP_ERROR CASESession::SendSigma2() chip::Platform::ScopedMemoryBuffer msg_R2_Signed; VerifyOrReturnError(msg_R2_Signed.Alloc(msg_r2_signed_len), CHIP_ERROR_NO_MEMORY); - ReturnErrorOnFailure(ConstructTBSData(nocCert, icaCert, ByteSpan(mEphemeralKey.Pubkey(), mEphemeralKey.Pubkey().Length()), + ReturnErrorOnFailure(ConstructTBSData(nocCert, icaCert, ByteSpan(mEphemeralKey->Pubkey(), mEphemeralKey->Pubkey().Length()), ByteSpan(mRemotePubKey, mRemotePubKey.Length()), msg_R2_Signed.Get(), msg_r2_signed_len)); // Generate a Signature @@ -813,8 +817,8 @@ CHIP_ERROR CASESession::SendSigma2() ReturnErrorOnFailure(tlvWriterMsg2.StartContainer(TLV::AnonymousTag(), TLV::kTLVType_Structure, outerContainerType)); ReturnErrorOnFailure(tlvWriterMsg2.PutBytes(TLV::ContextTag(1), &msg_rand[0], sizeof(msg_rand))); ReturnErrorOnFailure(tlvWriterMsg2.Put(TLV::ContextTag(2), GetLocalSessionId().Value())); - ReturnErrorOnFailure( - tlvWriterMsg2.PutBytes(TLV::ContextTag(3), mEphemeralKey.Pubkey(), static_cast(mEphemeralKey.Pubkey().Length()))); + ReturnErrorOnFailure(tlvWriterMsg2.PutBytes(TLV::ContextTag(3), mEphemeralKey->Pubkey(), + static_cast(mEphemeralKey->Pubkey().Length()))); ReturnErrorOnFailure(tlvWriterMsg2.PutBytes(TLV::ContextTag(4), msg_R2_Encrypted.Get(), static_cast(msg_r2_signed_enc_len + CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES))); if (mLocalMRPConfig.HasValue()) @@ -947,6 +951,7 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg) uint16_t responderSessionId; + VerifyOrExit(mEphemeralKey != nullptr, err = CHIP_ERROR_INTERNAL); VerifyOrExit(buf != nullptr, err = CHIP_ERROR_MESSAGE_INCOMPLETE); ChipLogProgress(SecureChannel, "Received Sigma2 msg"); @@ -971,7 +976,7 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg) SuccessOrExit(err = tlvReader.GetBytes(mRemotePubKey, static_cast(mRemotePubKey.Length()))); // Generate a Shared Secret - SuccessOrExit(err = mEphemeralKey.ECDH_derive_secret(mRemotePubKey, mSharedSecret)); + SuccessOrExit(err = mEphemeralKey->ECDH_derive_secret(mRemotePubKey, mSharedSecret)); // Generate the S2K key { @@ -1039,7 +1044,7 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg) VerifyOrExit(msg_R2_Signed.Alloc(msg_r2_signed_len), err = CHIP_ERROR_NO_MEMORY); SuccessOrExit(err = ConstructTBSData(responderNOC, responderICAC, ByteSpan(mRemotePubKey, mRemotePubKey.Length()), - ByteSpan(mEphemeralKey.Pubkey(), mEphemeralKey.Pubkey().Length()), msg_R2_Signed.Get(), + ByteSpan(mEphemeralKey->Pubkey(), mEphemeralKey->Pubkey().Length()), msg_R2_Signed.Get(), msg_r2_signed_len)); VerifyOrExit(TLV::TagNumFromTag(decryptedDataTlvReader.GetTag()) == kTag_TBEData_Signature, err = CHIP_ERROR_INVALID_TLV_TAG); @@ -1100,6 +1105,7 @@ CHIP_ERROR CASESession::SendSigma3() ChipLogDetail(SecureChannel, "Sending Sigma3"); + VerifyOrExit(mEphemeralKey != nullptr, err = CHIP_ERROR_INTERNAL); VerifyOrExit(icacBuf.Alloc(kMaxCHIPCertLength), err = CHIP_ERROR_NO_MEMORY); icaCert = MutableByteSpan{ icacBuf.Get(), kMaxCHIPCertLength }; @@ -1116,7 +1122,7 @@ CHIP_ERROR CASESession::SendSigma3() VerifyOrExit(msg_R3_Signed.Alloc(msg_r3_signed_len), err = CHIP_ERROR_NO_MEMORY); - SuccessOrExit(err = ConstructTBSData(nocCert, icaCert, ByteSpan(mEphemeralKey.Pubkey(), mEphemeralKey.Pubkey().Length()), + SuccessOrExit(err = ConstructTBSData(nocCert, icaCert, ByteSpan(mEphemeralKey->Pubkey(), mEphemeralKey->Pubkey().Length()), ByteSpan(mRemotePubKey, mRemotePubKey.Length()), msg_R3_Signed.Get(), msg_r3_signed_len)); // Generate a signature @@ -1256,6 +1262,8 @@ CHIP_ERROR CASESession::HandleSigma3(System::PacketBufferHandle && msg) ChipLogProgress(SecureChannel, "Received Sigma3 msg"); + VerifyOrExit(mEphemeralKey != nullptr, err = CHIP_ERROR_INTERNAL); + tlvReader.Init(std::move(msg)); SuccessOrExit(err = tlvReader.Next(containerType, TLV::AnonymousTag())); SuccessOrExit(err = tlvReader.EnterContainer(containerType)); @@ -1325,7 +1333,7 @@ CHIP_ERROR CASESession::HandleSigma3(System::PacketBufferHandle && msg) VerifyOrExit(msg_R3_Signed.Alloc(msg_r3_signed_len), err = CHIP_ERROR_NO_MEMORY); SuccessOrExit(err = ConstructTBSData(initiatorNOC, initiatorICAC, ByteSpan(mRemotePubKey, mRemotePubKey.Length()), - ByteSpan(mEphemeralKey.Pubkey(), mEphemeralKey.Pubkey().Length()), msg_R3_Signed.Get(), + ByteSpan(mEphemeralKey->Pubkey(), mEphemeralKey->Pubkey().Length()), msg_R3_Signed.Get(), msg_r3_signed_len)); VerifyOrExit(TLV::TagNumFromTag(decryptedDataTlvReader.GetTag()) == kTag_TBEData_Signature, err = CHIP_ERROR_INVALID_TLV_TAG); diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h index 35aa8ba2dd3b0d..e48f48bc6e946b 100644 --- a/src/protocols/secure_channel/CASESession.h +++ b/src/protocols/secure_channel/CASESession.h @@ -26,13 +26,10 @@ #pragma once #include -#include -#if CHIP_CRYPTO_HSM -#include -#endif #include #include #include +#include #include #include #include @@ -50,10 +47,6 @@ namespace chip { -#ifdef ENABLE_HSM_CASE_EPHEMERAL_KEY -#define CASE_EPHEMERAL_KEY 0xCA5EECD0 -#endif - // TODO: temporary derive from Messaging::UnsolicitedMessageHandler, actually the CASEServer should be the umh, it will be fixed // when implementing concurrent CASE session. class DLL_EXPORT CASESession : public Messaging::UnsolicitedMessageHandler, @@ -269,11 +262,7 @@ class DLL_EXPORT CASESession : public Messaging::UnsolicitedMessageHandler, Crypto::Hash_SHA256_stream mCommissioningHash; Crypto::P256PublicKey mRemotePubKey; -#ifdef ENABLE_HSM_CASE_EPHEMERAL_KEY - Crypto::P256KeypairHSM mEphemeralKey; -#else - Crypto::P256Keypair mEphemeralKey; -#endif + Crypto::P256Keypair * mEphemeralKey = nullptr; Crypto::P256ECDHDerivedSecret mSharedSecret; Credentials::ValidationContext mValidContext; Credentials::GroupDataProvider * mGroupDataProvider = nullptr; diff --git a/src/protocols/secure_channel/tests/TestCASESession.cpp b/src/protocols/secure_channel/tests/TestCASESession.cpp index 029d24307a8d2a..a9ad062f532edf 100644 --- a/src/protocols/secure_channel/tests/TestCASESession.cpp +++ b/src/protocols/secure_channel/tests/TestCASESession.cpp @@ -135,6 +135,10 @@ class TestOperationalKeystore : public chip::Crypto::OperationalKeystore return mKeypair->ECDSA_sign_msg(message.data(), message.size(), outSignature); } + Crypto::P256Keypair * AllocateEphemeralKeypairForCASE() override { return Platform::New(); } + + void ReleaseEphemeralKeypair(Crypto::P256Keypair * keypair) override { Platform::Delete(keypair); } + protected: Platform::UniquePtr mKeypair; FabricIndex mSingleFabricIndex = kUndefinedFabricIndex;