apply ClearSecretData and SensitiveDataFixedBuffer consistently (#71994) (#72358)

* testing

* [pre-commit.ci] auto fixes from pre-commit.com hooks

for more information, see https://pre-commit.ci

* integrating comments

---------


(cherry picked from commit fa18120)

Co-authored-by: Amine Alami <43780877+Alami-Amine@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>

Author: 3 people

src/credentials/GroupDataProviderImpl.cpp

@@ -659,7 +659,7 @@ struct KeySetData : PersistableData<kPersistentBufferMax>
     {
         policy     = GroupDataProvider::SecurityPolicy::kCacheAndSync;
         keys_count = 0;
-        memset(operational_keys, 0x00, sizeof(operational_keys));
+        Crypto::ClearSecretData(reinterpret_cast<uint8_t *>(operational_keys), sizeof(operational_keys));
         next = kInvalidKeysetId;
     }
 

src/crypto/CHIPCryptoPAL.cpp

@@ -574,8 +574,8 @@ CHIP_ERROR Spake2pVerifier::Deserialize(const ByteSpan & inSerialized)
 
 CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t setupPin)
 {
-    uint8_t serializedWS[kSpake2p_WS_Length * 2] = { 0 };
-    ReturnErrorOnFailure(ComputeWS(pbkdf2IterCount, salt, setupPin, serializedWS, sizeof(serializedWS)));
+    SensitiveDataFixedBuffer<kSpake2p_WS_Length * 2> serializedWS;
+    ReturnErrorOnFailure(ComputeWS(pbkdf2IterCount, salt, setupPin, serializedWS.Bytes(), serializedWS.Capacity()));
 
     CHIP_ERROR err = CHIP_NO_ERROR;
     size_t len;
@@ -587,12 +587,12 @@ CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan &
 
     // Compute w0
     len = sizeof(mW0);
-    SuccessOrExit(err = spake2p.ComputeW0(mW0, &len, &serializedWS[0], kSpake2p_WS_Length));
+    SuccessOrExit(err = spake2p.ComputeW0(mW0, &len, serializedWS.Bytes(), kSpake2p_WS_Length));
     VerifyOrExit(len == sizeof(mW0), err = CHIP_ERROR_INTERNAL);
 
     // Compute L
     len = sizeof(mL);
-    SuccessOrExit(err = spake2p.ComputeL(mL, &len, &serializedWS[kSpake2p_WS_Length], kSpake2p_WS_Length));
+    SuccessOrExit(err = spake2p.ComputeL(mL, &len, serializedWS.Bytes() + kSpake2p_WS_Length, kSpake2p_WS_Length));
     VerifyOrExit(len == sizeof(mL), err = CHIP_ERROR_INTERNAL);
 
 exit:
@@ -604,15 +604,15 @@ CHIP_ERROR Spake2pVerifier::ComputeWS(uint32_t pbkdf2IterCount, const ByteSpan &
                                       uint32_t ws_len)
 {
     PBKDF2_sha256 pbkdf2;
-    uint8_t littleEndianSetupPINCode[sizeof(uint32_t)];
-    Encoding::LittleEndian::Put32(littleEndianSetupPINCode, setupPin);
+    SensitiveDataFixedBuffer<sizeof(uint32_t)> littleEndianSetupPINCode;
+    Encoding::LittleEndian::Put32(littleEndianSetupPINCode.Bytes(), setupPin);
 
     VerifyOrReturnError(salt.size() >= kSpake2p_Min_PBKDF_Salt_Length && salt.size() <= kSpake2p_Max_PBKDF_Salt_Length,
                         CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(pbkdf2IterCount >= kSpake2p_Min_PBKDF_Iterations && pbkdf2IterCount <= kSpake2p_Max_PBKDF_Iterations,
                         CHIP_ERROR_INVALID_ARGUMENT);
 
-    return pbkdf2.pbkdf2_sha256(littleEndianSetupPINCode, sizeof(littleEndianSetupPINCode), salt.data(), salt.size(),
+    return pbkdf2.pbkdf2_sha256(littleEndianSetupPINCode.Bytes(), littleEndianSetupPINCode.Capacity(), salt.data(), salt.size(),
                                 pbkdf2IterCount, ws_len, ws);
 }
 

src/crypto/CHIPCryptoPALOpenSSL.cpp

@@ -1033,6 +1033,9 @@ void Spake2p_P256_SHA256_HKDF_HMAC::Clear()
     free_bn(tempbn);
     free_bn(order);
 
+    ClearSecretData(Kcab);
+    ClearSecretData(Kae);
+
     state = CHIP_SPAKE2P_STATE::PREINIT;
 }
 

src/crypto/CHIPCryptoPALPSA.cpp

@@ -909,7 +909,7 @@ void P256Keypair::Clear()
     {
         PsaP256KeypairContext & context = ToPsaContext(mKeypair);
         psa_destroy_key(context.key_id);
-        memset(&context, 0, sizeof(context));
+        ClearSecretData(reinterpret_cast<uint8_t *>(&context), sizeof(context));
         mInitialized = false;
     }
 }
@@ -1025,6 +1025,10 @@ void Spake2p_P256_SHA256_HKDF_HMAC::Clear()
     mbedtls_mpi_free(&context->tempbn);
 
     mbedtls_ecp_group_free(&context->curve);
+
+    ClearSecretData(Kcab);
+    ClearSecretData(Kae);
+
     state = CHIP_SPAKE2P_STATE::PREINIT;
 }
 

src/crypto/CHIPCryptoPALmbedTLS.cpp

@@ -929,6 +929,10 @@ void Spake2p_P256_SHA256_HKDF_HMAC::Clear()
     mbedtls_mpi_free(&context->tempbn);
 
     mbedtls_ecp_group_free(&context->curve);
+
+    ClearSecretData(Kcab);
+    ClearSecretData(Kae);
+
     state = CHIP_SPAKE2P_STATE::PREINIT;
 }
 

src/crypto/RawKeySessionKeystore.cpp

@@ -73,12 +73,12 @@ CHIP_ERROR RawKeySessionKeystore::DeriveSessionKeys(const ByteSpan & secret, con
                                                     AttestationChallenge & attestationChallenge)
 {
     HKDF_sha hkdf;
-    uint8_t keyMaterial[2 * sizeof(Symmetric128BitsKeyByteArray) + AttestationChallenge::Capacity()];
+    SensitiveDataFixedBuffer<2 * sizeof(Symmetric128BitsKeyByteArray) + AttestationChallenge::Capacity()> keyMaterial;
 
     ReturnErrorOnFailure(hkdf.HKDF_SHA256(secret.data(), secret.size(), salt.data(), salt.size(), info.data(), info.size(),
-                                          keyMaterial, sizeof(keyMaterial)));
+                                          keyMaterial.Bytes(), keyMaterial.Capacity()));
 
-    Encoding::LittleEndian::Reader reader(keyMaterial, sizeof(keyMaterial));
+    Encoding::LittleEndian::Reader reader(keyMaterial.Bytes(), keyMaterial.Capacity());
 
     return reader.ReadBytes(i2rKey.AsMutable<Symmetric128BitsKeyByteArray>(), sizeof(Symmetric128BitsKeyByteArray))
         .ReadBytes(r2iKey.AsMutable<Symmetric128BitsKeyByteArray>(), sizeof(Symmetric128BitsKeyByteArray))

src/lib/support/ThreadOperationalDataset.cpp

@@ -497,5 +497,11 @@ CHIP_ERROR OperationalDataset::SetDelayTimer(uint32_t aDelayMillis)
     return CHIP_NO_ERROR;
 }
 
+void OperationalDataset::Clear()
+{
+    memset(mBuffer, 0, sizeof(mBuffer));
+    mData = ByteSpan(mBuffer, 0);
+}
+
 } // namespace Thread
 } // namespace chip

src/lib/support/ThreadOperationalDataset.h

@@ -394,7 +394,7 @@ class OperationalDataset : public OperationalDatasetView
     /**
      * This method clears all data stored in the dataset.
      */
-    void Clear() { mData = ByteSpan(mBuffer, 0); }
+    void Clear();
 
     /**
      * Returns a ByteSpan view of the current state of the dataset.

src/protocols/secure_channel/CASESession.cpp

@@ -602,35 +602,36 @@ CHIP_ERROR CASESession::DeriveSecureSession(CryptoContext & session)
     switch (mState)
     {
     case State::kFinished: {
-        std::array<uint8_t, sizeof(mIPK) + kSHA256_Hash_Length> msg_salt;
+        SensitiveDataFixedBuffer<sizeof(mIPK) + kSHA256_Hash_Length> msg_salt;
 
         {
-            Encoding::LittleEndian::BufferWriter bbuf(msg_salt);
+            Encoding::LittleEndian::BufferWriter bbuf(msg_salt.Bytes(), msg_salt.Capacity());
             bbuf.Put(mIPK, sizeof(mIPK));
             bbuf.Put(mMessageDigest, sizeof(mMessageDigest));
 
             VerifyOrReturnError(bbuf.Fit(), CHIP_ERROR_BUFFER_TOO_SMALL);
         }
 
         ReturnErrorOnFailure(session.InitFromSecret(*mSessionManager->GetSessionKeystore(), mSharedSecret.Span(),
-                                                    ByteSpan(msg_salt), CryptoContext::SessionInfoType::kSessionEstablishment,
-                                                    mRole));
+                                                    ByteSpan(msg_salt.ConstBytes(), msg_salt.Capacity()),
+                                                    CryptoContext::SessionInfoType::kSessionEstablishment, mRole));
 
         return CHIP_NO_ERROR;
     }
     case State::kFinishedViaResume: {
-        std::array<uint8_t, sizeof(mInitiatorRandom) + decltype(mResumeResumptionId)().size()> msg_salt;
+        SensitiveDataFixedBuffer<sizeof(mInitiatorRandom) + decltype(mResumeResumptionId)().size()> msg_salt;
 
         {
-            Encoding::LittleEndian::BufferWriter bbuf(msg_salt);
+            Encoding::LittleEndian::BufferWriter bbuf(msg_salt.Bytes(), msg_salt.Capacity());
             bbuf.Put(mInitiatorRandom, sizeof(mInitiatorRandom));
             bbuf.Put(mResumeResumptionId.data(), mResumeResumptionId.size());
 
             VerifyOrReturnError(bbuf.Fit(), CHIP_ERROR_BUFFER_TOO_SMALL);
         }
 
         ReturnErrorOnFailure(session.InitFromSecret(*mSessionManager->GetSessionKeystore(), mSharedSecret.Span(),
-                                                    ByteSpan(msg_salt), CryptoContext::SessionInfoType::kSessionResumption, mRole));
+                                                    ByteSpan(msg_salt.ConstBytes(), msg_salt.Capacity()),
+                                                    CryptoContext::SessionInfoType::kSessionResumption, mRole));
 
         return CHIP_NO_ERROR;
     }
@@ -642,6 +643,7 @@ CHIP_ERROR CASESession::DeriveSecureSession(CryptoContext & session)
 CHIP_ERROR CASESession::RecoverInitiatorIpk()
 {
     Credentials::GroupDataProvider::KeySet ipkKeySet;
+    auto ipkKeySetWiperOnScopeExit = ScopeExit([&] { ipkKeySet.ClearKeys(); });
 
     CHIP_ERROR err = mGroupDataProvider->GetIpkKeySet(mFabricIndex, ipkKeySet);
 
@@ -960,7 +962,8 @@ CHIP_ERROR CASESession::FindLocalNodeFromDestinationId(const ByteSpan & destinat
 
         // Get IPK operational group key set for current candidate fabric
         GroupDataProvider::KeySet ipkKeySet;
-        CHIP_ERROR err = mGroupDataProvider->GetIpkKeySet(fabricInfo.GetFabricIndex(), ipkKeySet);
+        auto ipkKeySetWiperOnScopeExit = ScopeExit([&] { ipkKeySet.ClearKeys(); });
+        CHIP_ERROR err                 = mGroupDataProvider->GetIpkKeySet(fabricInfo.GetFabricIndex(), ipkKeySet);
         if ((err != CHIP_NO_ERROR) ||
             ((ipkKeySet.num_keys_used == 0) || (ipkKeySet.num_keys_used > Credentials::GroupDataProvider::KeySet::kEpochKeysMax)))
         {
@@ -1197,9 +1200,9 @@ CHIP_ERROR CASESession::PrepareSigma2(EncodeSigma2Inputs & outSigma2Data)
     // Generate a Shared Secret
     ReturnErrorOnFailure(mEphemeralKey->ECDH_derive_secret(mRemotePubKey, mSharedSecret));
 
-    uint8_t msgSalt[kIPKSize + kSigmaParamRandomNumberSize + kP256_PublicKey_Length + kSHA256_Hash_Length];
+    SensitiveDataFixedBuffer<kIPKSize + kSigmaParamRandomNumberSize + kP256_PublicKey_Length + kSHA256_Hash_Length> msgSalt;
 
-    MutableByteSpan saltSpan(msgSalt);
+    MutableByteSpan saltSpan(msgSalt.Bytes(), msgSalt.Capacity());
     ReturnErrorOnFailure(
         ConstructSaltSigma2(ByteSpan(outSigma2Data.responderRandom), mEphemeralKey->Pubkey(), ByteSpan(mIPK), saltSpan));
 
@@ -1498,8 +1501,8 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg)
     // Generate the S2K key
     AutoReleaseSessionKey sr2k(*mSessionManager->GetSessionKeystore());
     {
-        uint8_t msg_salt[kIPKSize + kSigmaParamRandomNumberSize + kP256_PublicKey_Length + kSHA256_Hash_Length];
-        MutableByteSpan saltSpan(msg_salt);
+        SensitiveDataFixedBuffer<kIPKSize + kSigmaParamRandomNumberSize + kP256_PublicKey_Length + kSHA256_Hash_Length> msg_salt;
+        MutableByteSpan saltSpan(msg_salt.Bytes(), msg_salt.Capacity());
         ReturnErrorOnFailure(ConstructSaltSigma2(parsedSigma2.responderRandom, mRemotePubKey, ByteSpan(mIPK), saltSpan));
         ReturnErrorOnFailure(DeriveSigmaKey(saltSpan, ByteSpan(kKDFSR2Info), sr2k));
     }
@@ -1825,7 +1828,7 @@ CHIP_ERROR CASESession::SendSigma3c(SendSigma3Data & data, CHIP_ERROR status)
     System::PacketBufferHandle msg_R3;
     size_t data_len;
 
-    uint8_t msg_salt[kIPKSize + kSHA256_Hash_Length];
+    SensitiveDataFixedBuffer<kIPKSize + kSHA256_Hash_Length> msg_salt;
 
     AutoReleaseSessionKey sr3k(*mSessionManager->GetSessionKeystore());
 
@@ -1835,7 +1838,7 @@ CHIP_ERROR CASESession::SendSigma3c(SendSigma3Data & data, CHIP_ERROR status)
 
     // Generate S3K key
     {
-        MutableByteSpan saltSpan(msg_salt);
+        MutableByteSpan saltSpan(msg_salt.Bytes(), msg_salt.Capacity());
         SuccessOrExit(err = ConstructSaltSigma3(ByteSpan(mIPK), saltSpan));
         SuccessOrExit(err = DeriveSigmaKey(saltSpan, ByteSpan(kKDFSR3Info), sr3k));
     }
@@ -1914,7 +1917,7 @@ CHIP_ERROR CASESession::HandleSigma3a(System::PacketBufferHandle && msg)
 
     AutoReleaseSessionKey sr3k(*mSessionManager->GetSessionKeystore());
 
-    uint8_t msg_salt[kIPKSize + kSHA256_Hash_Length];
+    SensitiveDataFixedBuffer<kIPKSize + kSHA256_Hash_Length> msg_salt;
 
     ChipLogProgress(SecureChannel, "Received Sigma3 msg");
     MATTER_TRACE_COUNTER("Sigma3");
@@ -1946,7 +1949,7 @@ CHIP_ERROR CASESession::HandleSigma3a(System::PacketBufferHandle && msg)
             SuccessOrExit(err = ParseSigma3(tlvReader, msgR3Encrypted, msgR3EncryptedPayload, msgR3MIC));
 
             // Generate the S3K key
-            MutableByteSpan saltSpan(msg_salt);
+            MutableByteSpan saltSpan(msg_salt.Bytes(), msg_salt.Capacity());
             SuccessOrExit(err = ConstructSaltSigma3(ByteSpan(mIPK), saltSpan));
             SuccessOrExit(err = DeriveSigmaKey(saltSpan, ByteSpan(kKDFSR3Info), sr3k));
 

src/protocols/secure_channel/CheckinMessage.cpp

@@ -138,18 +138,18 @@ CHIP_ERROR CheckinMessage::GenerateCheckInMessageNonce(const Crypto::Hmac128KeyH
 {
     VerifyOrReturnError(writer.Available() >= CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES, CHIP_ERROR_BUFFER_TOO_SMALL);
 
-    uint8_t hashWorkBuffer[CHIP_CRYPTO_HASH_LEN_BYTES] = { 0 };
+    Crypto::SensitiveDataFixedBuffer<CHIP_CRYPTO_HASH_LEN_BYTES> hashWorkBuffer;
     uint8_t counterBuffer[sizeof(CounterType)];
 
     // validate that Check-In counter is a uint32_t
     static_assert(sizeof(CounterType) == sizeof(uint32_t), "Expect counter to be 32 bits for correct encoding");
     Encoding::LittleEndian::Put32(counterBuffer, counter);
 
     chip::Crypto::HMAC_sha shaHandler;
-    ReturnErrorOnFailure(
-        shaHandler.HMAC_SHA256(hmacKeyHandle, counterBuffer, sizeof(CounterType), hashWorkBuffer, CHIP_CRYPTO_HASH_LEN_BYTES));
+    ReturnErrorOnFailure(shaHandler.HMAC_SHA256(hmacKeyHandle, counterBuffer, sizeof(CounterType), hashWorkBuffer.Bytes(),
+                                                hashWorkBuffer.Capacity()));
 
-    writer.Put(hashWorkBuffer, CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES);
+    writer.Put(hashWorkBuffer.Bytes(), CHIP_CRYPTO_AEAD_NONCE_LENGTH_BYTES);
     VerifyOrReturnError(writer.Fit(), CHIP_ERROR_BUFFER_TOO_SMALL);
 
     return CHIP_NO_ERROR;