stse_ecc_establish_shared_secret 0x0205 (STSE_CORE_SESSION_ERROR)

[simeonfelis]

I'm trying to implement example 03_ECDH
As middleware we use wolfcrypt.

I get error 0x0205 after stse_ecc_establish_shared_secret(). I digged it down to this location:

https://github.com/STMicroelectronics/STSELib/blob/main/services/stsafea/stsafea_sessions.c#L163

    /* - Perform first AES ECB round on IV */
    ret = stse_platform_aes_ecb_enc(initial_value,
                                    STSAFEA_HOST_AES_BLOCK_SIZE,
                                    pSession->context.host.pHost_cypher_key,
                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
                                    initial_value,
                                    NULL);

Last parameter pEncryptedtext_length is NULL which can't work, so I assume this is a STSELib issue and not a platfrom implementation issue.

For example when cmox is used as middleware, this code would crash (link):

stse_ReturnCode_t stse_platform_aes_ecb_enc(const PLAT_UI8 *pPlaintext,
                                            PLAT_UI16 plaintext_length,
                                            const PLAT_UI8 *pKey,
                                            PLAT_UI16 key_length,
                                            PLAT_UI8 *pEncryptedtext,
                                            PLAT_UI16 *pEncryptedtext_length) {
    cmox_cipher_retval_t retval;
    PLAT_UI8 IV[16] = {0};
    size_t cmox_encryptedtext_len = *pEncryptedtext_length;

For the wolfcrypt middleware there is a sanity check which will return and finally trigger error code 0x0205.

To me this looks like a bug. I'm not sure where to store the length. Maybe just &pCmdFrame->length?

[simeonfelis]

It looks like lengths are already calculated beforehand, so wolf and cmox should treat this OUT parameter as optional and write it when non-NULL.

[nils-cercariolo-st]

Thanks for pointing your problem, I'll check in the following days and come back to you !

[nils-cercariolo-st]

Hello,
I was able to reproduce your error with wolfssl but cmox allows it and I couldn't experience any crash. It indeed seems like a bug (and we can see that a TODO a bit below in stsafea_session_frame_encrypt mentions that NULL might not be ok).

This problem would only happen when performing encrypted transfer because the command or response encryption flag has been set for the ESTABLISH KEY command, which is your current command configuration, right ?

if (cmd_encryption_flag || rsp_encryption_flag) {
        ret = stsafea_session_encrypted_transfer(pSTSE->pActive_host_session,
                                                 pCmdFrame,
                                                 pRspFrame,
                                                 cmd_encryption_flag,
                                                 rsp_encryption_flag,
                                                 cmd_ac_info,
                                                 inter_frame_delay);

I was able to fix this issue with for example this code. Note that we need to modify both encrypt and decrypt functions. As the input length should be same as output length for AES-CBC/ECB, I don't think the way we store it matters a lot as we don't really use it later. I will submit a PR internally, perform few more tests and hopefully this change reflects here soon too.

stse_ReturnCode_t stsafea_session_frame_encrypt(stse_session_t *pSession,
                                                stse_frame_t *pFrame,
                                                stse_frame_element_t *pEnc_payload_element) {
    stse_ReturnCode_t ret;
    PLAT_UI8 initial_value[STSAFEA_HOST_AES_BLOCK_SIZE];
    stse_frame_element_t *pElement;
    PLAT_UI16 i = 0;

    /* - Verify parameters */
    if ((pSession == NULL) ||
        (pFrame == NULL) ||
        (pEnc_payload_element == NULL) ||
        (pEnc_payload_element->length < (pFrame->length - pFrame->first_element->length + (16 - (pFrame->length - pFrame->first_element->length) % 16)))) {
        return (STSE_CORE_INVALID_PARAMETER);
    }

    /* - Prepare specific STSAFE AES IV */
    if (pSession->context.host.pSTSE->device_type == STSAFE_A120) {
        initial_value[0] = UI32_B3(pSession->context.host.MAC_counter + 1);
        initial_value[1] = UI32_B2(pSession->context.host.MAC_counter + 1);
        initial_value[2] = UI32_B1(pSession->context.host.MAC_counter + 1);
        initial_value[3] = UI32_B0(pSession->context.host.MAC_counter + 1);
        initial_value[4] = STSAFEA_AES_SUBJECT_HOST_ENCRYPT;
        initial_value[5] = STSAFEA_AES_FIRST_PADDING_BYTE;
        (void)memset(&initial_value[6], 0x00, (STSAFEA_HOST_AES_BLOCK_SIZE)-6U);
    } else {
        initial_value[0] = UI32_B2(pSession->context.host.MAC_counter + 1);
        initial_value[1] = UI32_B1(pSession->context.host.MAC_counter + 1);
        initial_value[2] = UI32_B0(pSession->context.host.MAC_counter + 1);
        initial_value[3] = STSAFEA_AES_SUBJECT_HOST_ENCRYPT;
        initial_value[4] = STSAFEA_AES_FIRST_PADDING_BYTE;
        (void)memset(&initial_value[5], 0x00, (STSAFEA_HOST_AES_BLOCK_SIZE)-5U);
    }

    PLAT_UI16 encrypted_iv_len = STSAFEA_HOST_AES_BLOCK_SIZE;

    /* - Perform first AES ECB round on IV */
    ret = stse_platform_aes_ecb_enc(initial_value,
                                    STSAFEA_HOST_AES_BLOCK_SIZE,
                                    pSession->context.host.pHost_cypher_key,
                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
                                    initial_value,
									&encrypted_iv_len);
    if (ret != STSE_OK) {
        return (ret);
    }
    /* - Copy Plain text Frame payload content in Ciphered   */
    pElement = pFrame->first_element->next;
    while (pElement != NULL) {
        memcpy(pEnc_payload_element->pData + i,
               pElement->pData,
               pElement->length);

        i += pElement->length;
        pElement = pElement->next;
    }
    /* - Add First padding byte */
    *(pEnc_payload_element->pData + i++) = 0x80;

    /* - Add padding  */
    while (i < pEnc_payload_element->length) {
        *(pEnc_payload_element->pData + i++) = 0x00;
    }

    PLAT_UI16 encrypted_payload_len = pEnc_payload_element->length;

    /* - Encrypt pEncFrame content */
    ret = stse_platform_aes_cbc_enc(
        pEnc_payload_element->pData,
        pEnc_payload_element->length,
        initial_value,
        pSession->context.host.pHost_cypher_key,
        (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
        pEnc_payload_element->pData,
		&encrypted_payload_len);
    if (ret != 0) {
        return (STSE_SESSION_ERROR);
    } else {
        return (STSE_OK);
    }
}

static stse_ReturnCode_t stsafea_session_frame_decrypt(stse_session_t *pSession, stse_frame_t *pFrame) {
    stse_ReturnCode_t ret;
    PLAT_UI8 initial_value[STSAFEA_HOST_AES_BLOCK_SIZE];
    stse_frame_element_t *pElement;
    PLAT_UI16 i = 0;
    PLAT_UI16 encrypted_payload_len;

    pElement = pFrame->first_element->next;
    if (pElement == NULL) {
        return STSE_OK;
    }

    /* Total length of the encrypted part of the frame */
    encrypted_payload_len = pFrame->length - pFrame->first_element->length;

    /* Fill decrypt buffer with encrypted payload content */
    PLAT_UI8 decrypt_buffer[encrypted_payload_len];

    while (pElement != NULL) {
        if (pElement->length != 0) {
            memcpy(decrypt_buffer + i, pElement->pData, pElement->length);
            i += pElement->length;
        }
        pElement = pElement->next;
    }

    /* - Prepare Plain text info for AES IV */
    if (pSession->context.host.pSTSE->device_type == STSAFE_A120) {
        initial_value[0] = UI32_B3(pSession->context.host.MAC_counter);
        initial_value[1] = UI32_B2(pSession->context.host.MAC_counter);
        initial_value[2] = UI32_B1(pSession->context.host.MAC_counter);
        initial_value[3] = UI32_B0(pSession->context.host.MAC_counter);
        initial_value[4] = STSAFEA_AES_SUBJECT_HOST_DECRYPT;
        initial_value[5] = STSAFEA_AES_FIRST_PADDING_BYTE;
        (void)memset(&initial_value[6], 0x00, (STSAFEA_HOST_AES_BLOCK_SIZE)-6U);
    } else {
        initial_value[0] = UI32_B2(pSession->context.host.MAC_counter);
        initial_value[1] = UI32_B1(pSession->context.host.MAC_counter);
        initial_value[2] = UI32_B0(pSession->context.host.MAC_counter);
        initial_value[3] = STSAFEA_AES_SUBJECT_HOST_DECRYPT;
        initial_value[4] = STSAFEA_AES_FIRST_PADDING_BYTE;
        (void)memset(&initial_value[5], 0x00, (STSAFEA_HOST_AES_BLOCK_SIZE)-5U);
    }

    PLAT_UI16 out_len = STSAFEA_HOST_AES_BLOCK_SIZE;

    /* - Transform IV using AES ECB */
    ret = stse_platform_aes_ecb_enc(initial_value,
                                    STSAFEA_HOST_AES_BLOCK_SIZE,
                                    pSession->context.host.pHost_cypher_key,
                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
                                    initial_value,
                                    &out_len);

    if (ret != 0) {
        return STSE_CORE_SESSION_ERROR;
    }

    /* - Decrypt payload using CBC */
    PLAT_UI16 decrypted_payload_len = encrypted_payload_len;

    ret = stse_platform_aes_cbc_dec(decrypt_buffer,
                                    encrypted_payload_len,
                                    initial_value,
                                    pSession->context.host.pHost_cypher_key,
                                    (pSession->context.host.key_type == STSE_AES_128_KT) ? STSE_AES_128_KEY_SIZE : STSE_AES_256_KEY_SIZE,
                                    decrypt_buffer,
                                    &decrypted_payload_len);

    if (ret != 0) {
        return ret;
    }

    /* - Strip the frame (removes 0x80 padding and 0x00s) */
    stse_frame_unstrap(pFrame);

    /* - Copy Decrypted payload content back to the frame elements */
    pElement = pFrame->first_element->next;
    i = 0;
    while (pElement != NULL) {
        memcpy(pElement->pData,
               decrypt_buffer + i,
               pElement->length);
        i += pElement->length;
        pElement = pElement->next;
    }

    return STSE_OK;
}

Have a great day~

[simeonfelis]

This problem would only happen when performing encrypted transfer because the command or response encryption flag has been set for the ESTABLISH KEY command, which is your current command configuration, right ?

Yes, I ran some example tests and ESTABLISH KEY is indeed modified with AC HOST, CMD encryption, RSP encryption. Next time I dump my device configs, too.
I just tried your reworked stsafea_session_frame_*crypt. They seem to work. However I cannot re-generate a blank new key pair in slot 0xff anymore. This has nothing to do with this issue but I cannot walk the same paths again for confirmation atm.

[nils-cercariolo-st]

Thanks for mentioning it, I didn't see the ST forum question. We're currently investigating it as it indeed doesn't sound normal. If using another key type is ok for you, I'd suggest this in the meantime. I'll come back to you asap.

[simeonfelis]

[...] However I cannot re-generate a blank new key pair in slot 0xff anymore. [...]

Sorry I pasted the wrong link. This one is the corresponding forum post. I'm sure it's just a OSI level 7 problem and I don't want to hide support requests as github issues.