Skip to content

Commit

Permalink
Stop passing passcode by mutable reference to Spake2pVerifier::Generate.
Browse files Browse the repository at this point in the history
The generation bits never modify the passcode.

Fixes project-chip#23511
  • Loading branch information
bzbarsky-apple committed Nov 10, 2022
1 parent 1a8cf55 commit 9193e8e
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 8 deletions.
4 changes: 2 additions & 2 deletions src/crypto/CHIPCryptoPAL.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -540,7 +540,7 @@ CHIP_ERROR Spake2pVerifier::Deserialize(const ByteSpan & inSerialized)
return CHIP_NO_ERROR;
}

CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t & setupPin)
CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t setupPin)
{
uint8_t serializedWS[kSpake2p_WS_Length * 2] = { 0 };
ReturnErrorOnFailure(ComputeWS(pbkdf2IterCount, salt, setupPin, serializedWS, sizeof(serializedWS)));
Expand Down Expand Up @@ -572,7 +572,7 @@ CHIP_ERROR Spake2pVerifier::Generate(uint32_t pbkdf2IterCount, const ByteSpan &
return err;
}

CHIP_ERROR Spake2pVerifier::ComputeWS(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t & setupPin, uint8_t * ws,
CHIP_ERROR Spake2pVerifier::ComputeWS(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t setupPin, uint8_t * ws,
uint32_t ws_len)
{
#ifdef ENABLE_HSM_PBKDF2
Expand Down
5 changes: 2 additions & 3 deletions src/crypto/CHIPCryptoPAL.h
Original file line number Diff line number Diff line change
Expand Up @@ -1351,7 +1351,7 @@ class Spake2pVerifier
*
* @return CHIP_ERROR The result of Spake2+ verifier generation
*/
CHIP_ERROR Generate(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t & setupPin);
CHIP_ERROR Generate(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t setupPin);

/**
* @brief Compute the initiator values (w0, w1) used for PAKE input.
Expand All @@ -1364,8 +1364,7 @@ class Spake2pVerifier
*
* @return CHIP_ERROR The result from running PBKDF2
*/
static CHIP_ERROR ComputeWS(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t & setupPin, uint8_t * ws,
uint32_t ws_len);
static CHIP_ERROR ComputeWS(uint32_t pbkdf2IterCount, const ByteSpan & salt, uint32_t setupPin, uint8_t * ws, uint32_t ws_len);
};

/**
Expand Down
4 changes: 1 addition & 3 deletions src/darwin/Framework/CHIP/MTRDeviceController.mm
Original file line number Diff line number Diff line change
Expand Up @@ -567,10 +567,8 @@ + (nullable NSData *)computePASEVerifierForSetupPasscode:(NSNumber *)setupPassco
salt:(NSData *)salt
error:(NSError * __autoreleasing *)error
{
// Spake2pVerifier::Generate takes the passcode by non-const reference for some reason.
uint32_t unboxedSetupPasscode = [setupPasscode unsignedIntValue];
chip::Spake2pVerifier verifier;
CHIP_ERROR err = verifier.Generate([iterations unsignedIntValue], AsByteSpan(salt), unboxedSetupPasscode);
CHIP_ERROR err = verifier.Generate(iterations.unsignedIntValue, AsByteSpan(salt), setupPasscode.unsignedIntValue);
if ([MTRDeviceController checkForError:err logMsg:kErrorSpake2pVerifierGenerationFailed error:error]) {
return nil;
}
Expand Down

0 comments on commit 9193e8e

Please sign in to comment.