From 9842f4bd25cc291c7b871a2b6342b8aeee4b13ca Mon Sep 17 00:00:00 2001 From: Esko Dijk Date: Mon, 10 Nov 2025 17:54:19 -0500 Subject: [PATCH] [tcat] surface hash calculation internal errors to TCAT Commissioner (#12136) Small change to surface any internal errors in the hash calculations to the TCAT Commissioner as general error. If not done, such errors are silently ignored and hard to diagnose in products. --- src/core/meshcop/tcat_agent.cpp | 19 ++++++++++--------- src/core/meshcop/tcat_agent.hpp | 2 +- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/src/core/meshcop/tcat_agent.cpp b/src/core/meshcop/tcat_agent.cpp index bcc184530..3064d8b2c 100644 --- a/src/core/meshcop/tcat_agent.cpp +++ b/src/core/meshcop/tcat_agent.cpp @@ -907,8 +907,8 @@ Error TcatAgent::HandleRequestPskdHash(const Message &aIncomingMessage, SuccessOrExit(error = aIncomingMessage.Read(aOffset, &providedChallenge, aLength)); - CalculateHash(providedChallenge, mVendorInfo->mPskdString, StringLength(mVendorInfo->mPskdString, kMaxPskdLength), - hash); + SuccessOrExit(error = CalculateHash(providedChallenge, mVendorInfo->mPskdString, + StringLength(mVendorInfo->mPskdString, kMaxPskdLength), hash)); SuccessOrExit(error = Tlv::AppendTlv(aOutgoingMessage, kTlvResponseWithPayload, hash.GetBytes(), Crypto::HmacSha256::Hash::kSize)); @@ -930,7 +930,7 @@ Error TcatAgent::VerifyHash(const Message &aIncomingMessage, VerifyOrExit(aLength == Crypto::HmacSha256::Hash::kSize, error = kErrorSecurity); VerifyOrExit(mRandomChallenge != 0, error = kErrorSecurity); - CalculateHash(mRandomChallenge, reinterpret_cast(aBuf), aBufLen, hash); + SuccessOrExit(error = CalculateHash(mRandomChallenge, reinterpret_cast(aBuf), aBufLen, hash)); DumpDebg("Hash", &hash, sizeof(hash)); VerifyOrExit(aIncomingMessage.Compare(aOffset, hash), error = kErrorSecurity); @@ -939,18 +939,19 @@ exit: return error; } -void TcatAgent::CalculateHash(uint64_t aChallenge, const char *aBuf, size_t aBufLen, Crypto::HmacSha256::Hash &aHash) +Error TcatAgent::CalculateHash(uint64_t aChallenge, const char *aBuf, size_t aBufLen, Crypto::HmacSha256::Hash &aHash) { const mbedtls_asn1_buf &rawKey = Get().GetOwnPublicKey(); Crypto::Key cryptoKey; Crypto::HmacSha256 hmac; + Error error = kErrorNone; #if OPENTHREAD_CONFIG_PLATFORM_KEY_REFERENCES_ENABLE Crypto::Storage::KeyRef keyRef; - SuccessOrExit(Crypto::Storage::ImportKey(keyRef, Crypto::Storage::kKeyTypeHmac, - Crypto::Storage::kKeyAlgorithmHmacSha256, Crypto::Storage::kUsageSignHash, - Crypto::Storage::kTypeVolatile, reinterpret_cast(aBuf), - aBufLen)); + SuccessOrExit(error = Crypto::Storage::ImportKey(keyRef, Crypto::Storage::kKeyTypeHmac, + Crypto::Storage::kKeyAlgorithmHmacSha256, + Crypto::Storage::kUsageSignHash, Crypto::Storage::kTypeVolatile, + reinterpret_cast(aBuf), aBufLen)); cryptoKey.SetAsKeyRef(keyRef); #else cryptoKey.Set(reinterpret_cast(aBuf), static_cast(aBufLen)); @@ -965,7 +966,7 @@ void TcatAgent::CalculateHash(uint64_t aChallenge, const char *aBuf, size_t aBuf Crypto::Storage::DestroyKey(keyRef); exit: #endif - return; + return error; } Error TcatAgent::HandleGetApplicationLayers(Message &aOutgoingMessage, bool &aResponse) diff --git a/src/core/meshcop/tcat_agent.hpp b/src/core/meshcop/tcat_agent.hpp index 4533f57f3..9734ef625 100644 --- a/src/core/meshcop/tcat_agent.hpp +++ b/src/core/meshcop/tcat_agent.hpp @@ -465,7 +465,7 @@ private: uint16_t aLength, const void *aBuf, size_t aBufLen); - void CalculateHash(uint64_t aChallenge, const char *aBuf, size_t aBufLen, Crypto::HmacSha256::Hash &aHash); + Error CalculateHash(uint64_t aChallenge, const char *aBuf, size_t aBufLen, Crypto::HmacSha256::Hash &aHash); bool CheckCommandClassAuthorizationFlags(CommandClassFlags aCommissionerCommandClassFlags, CommandClassFlags aDeviceCommandClassFlags,