From a271e83a7a39f36bb3c9bb5b7186e95be13a506c Mon Sep 17 00:00:00 2001 From: zhiweijian Date: Thu, 15 Jan 2026 20:22:14 +0800 Subject: [PATCH 1/4] fix(ble/blufi): Fixed blufi dh key cal failed --- .../bluetooth/blufi/main/blufi_security.c | 50 ++++++++++++++++--- 1 file changed, 43 insertions(+), 7 deletions(-) diff --git a/examples/bluetooth/blufi/main/blufi_security.c b/examples/bluetooth/blufi/main/blufi_security.c index 065be15352..3444ca3de4 100644 --- a/examples/bluetooth/blufi/main/blufi_security.c +++ b/examples/bluetooth/blufi/main/blufi_security.c @@ -1,5 +1,5 @@ /* - * SPDX-FileCopyrightText: 2021-2025 Espressif Systems (Shanghai) CO LTD + * SPDX-FileCopyrightText: 2021-2026 Espressif Systems (Shanghai) CO LTD * * SPDX-License-Identifier: Unlicense OR CC0-1.0 */ @@ -39,9 +39,9 @@ struct blufi_security { #define DH_PARAM_LEN_MAX 1024 -#define DH_SELF_PUB_KEY_LEN 256 +#define DH_SELF_PUB_KEY_LEN 384 /* Support 3072-bit DH key (3072/8 = 384 bytes) */ uint8_t self_public_key[DH_SELF_PUB_KEY_LEN]; -#define SHARE_KEY_LEN 256 +#define SHARE_KEY_LEN 384 /* Support 3072-bit DH key (3072/8 = 384 bytes) */ uint8_t share_key[SHARE_KEY_LEN]; size_t share_len; #define PSK_LEN 16 @@ -106,28 +106,62 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da return; } - uint8_t *param = blufi_sec->dh_param; memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len); + + /* Parse P length */ size_t p_len = (param[0] << 8) | param[1]; + if (2 + p_len > (size_t)blufi_sec->dh_param_len) { + BLUFI_ERROR("P length %d exceeds dh_param bounds", p_len); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } param += 2 + p_len; + /* Parse G length */ size_t g_len = (param[0] << 8) | param[1]; + if ((param - blufi_sec->dh_param) + 2 + g_len > (size_t)blufi_sec->dh_param_len) { + BLUFI_ERROR("G length %d exceeds dh_param bounds", g_len); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } param += 2 + g_len; + /* Parse public key length */ size_t pub_len = (param[0] << 8) | param[1]; param += 2; - ESP_LOGD("blfi", "P len %d, G len %d, pub len %d", p_len, g_len, pub_len); + if ((param - blufi_sec->dh_param) + pub_len > (size_t)blufi_sec->dh_param_len) { + BLUFI_ERROR("Public key length %d exceeds dh_param bounds", pub_len); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } + + /* Determine key bits based on public key length (RFC7919 key sizes) */ + size_t key_bits; + if (pub_len == 256) { + key_bits = 2048; + } else if (pub_len == 384) { + key_bits = 3072; + } else if (pub_len == 512) { + key_bits = 4096; + } else if (pub_len == 768) { + key_bits = 6144; + } else if (pub_len == 1024) { + key_bits = 8192; + } else { + BLUFI_ERROR("Unsupported DH key length: %d bytes", pub_len); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } psa_key_type_t key_type = PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919); - size_t key_bits = 3072; - ESP_LOGI("blfi", "DH param len %d, bits %d", blufi_sec->dh_param_len, key_bits); psa_algorithm_t alg = PSA_ALG_FFDH; psa_key_attributes_t attributes = psa_key_attributes_init(); psa_set_key_type(&attributes, key_type); psa_set_key_bits(&attributes, key_bits); psa_set_key_algorithm(&attributes, alg); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); + psa_key_id_t private_key = 0; psa_status_t status = psa_generate_key(&attributes, &private_key); if (status != PSA_SUCCESS) { @@ -135,6 +169,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); return; } + psa_reset_key_attributes(&attributes); size_t public_key_len = 0; status = psa_export_public_key(private_key, blufi_sec->self_public_key, DH_SELF_PUB_KEY_LEN, &public_key_len); @@ -147,6 +182,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da status = psa_raw_key_agreement(alg, private_key, param, pub_len, blufi_sec->share_key, SHARE_KEY_LEN, &blufi_sec->share_len); psa_destroy_key(private_key); + if (status != PSA_SUCCESS) { BLUFI_ERROR("%s psa_raw_key_agreement failed %d\n", __func__, status); free(blufi_sec->dh_param); From bd39f141ffe99e898edb06576e8f6cc7917404ca Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Fri, 16 Jan 2026 17:17:34 +0800 Subject: [PATCH 2/4] fix: enable HARDWARE_MPI by default --- .../bt/common/api/include/api/esp_blufi_api.h | 2 +- .../bluetooth/blufi/main/blufi_security.c | 120 +++++++++++++----- .../bluetooth/blufi/sdkconfig.defaults.mini | 2 - 3 files changed, 88 insertions(+), 36 deletions(-) diff --git a/components/bt/common/api/include/api/esp_blufi_api.h b/components/bt/common/api/include/api/esp_blufi_api.h index 8e1807f57d..b6f3fe295c 100644 --- a/components/bt/common/api/include/api/esp_blufi_api.h +++ b/components/bt/common/api/include/api/esp_blufi_api.h @@ -76,7 +76,7 @@ typedef enum { ESP_BLUFI_READ_PARAM_ERROR, ESP_BLUFI_MAKE_PUBLIC_ERROR, ESP_BLUFI_DATA_FORMAT_ERROR, - ESP_BLUFI_CALC_MD5_ERROR, + ESP_BLUFI_CALC_SHA_256_ERROR, ESP_BLUFI_WIFI_SCAN_FAIL, ESP_BLUFI_MSG_STATE_ERROR, } esp_blufi_error_state_t; diff --git a/examples/bluetooth/blufi/main/blufi_security.c b/examples/bluetooth/blufi/main/blufi_security.c index 3444ca3de4..b775643ee5 100644 --- a/examples/bluetooth/blufi/main/blufi_security.c +++ b/examples/bluetooth/blufi/main/blufi_security.c @@ -44,7 +44,7 @@ struct blufi_security { #define SHARE_KEY_LEN 384 /* Support 3072-bit DH key (3072/8 = 384 bytes) */ uint8_t share_key[SHARE_KEY_LEN]; size_t share_len; -#define PSK_LEN 16 +#define PSK_LEN 32 uint8_t psk[PSK_LEN]; uint8_t *dh_param; int dh_param_len; @@ -63,6 +63,13 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da return; } + /* Validate output parameters */ + if (output_data == NULL || output_len == NULL || need_free == NULL) { + BLUFI_ERROR("BLUFI Invalid output parameters"); + btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR); + return; + } + uint8_t type = data[0]; if (blufi_sec == NULL) { @@ -81,10 +88,17 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } + + /* Allow renegotiation - clean up previous state */ if (blufi_sec->dh_param) { free(blufi_sec->dh_param); blufi_sec->dh_param = NULL; } + if (blufi_sec->aes_key != 0) { + psa_destroy_key(blufi_sec->aes_key); + blufi_sec->aes_key = 0; + } + blufi_sec->dh_param = (uint8_t *)malloc(blufi_sec->dh_param_len); if (blufi_sec->dh_param == NULL) { blufi_sec->dh_param_len = 0; /* Reset length to avoid using unallocated memory */ @@ -110,17 +124,29 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da memcpy(blufi_sec->dh_param, &data[1], blufi_sec->dh_param_len); /* Parse P length */ + if (blufi_sec->dh_param_len < 2) { + BLUFI_ERROR("DH param too short for P length"); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } size_t p_len = (param[0] << 8) | param[1]; - if (2 + p_len > (size_t)blufi_sec->dh_param_len) { + size_t p_offset = 2 + p_len; + if (p_offset > (size_t)blufi_sec->dh_param_len) { BLUFI_ERROR("P length %d exceeds dh_param bounds", p_len); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } - param += 2 + p_len; + param += p_offset; /* Parse G length */ + if ((param - blufi_sec->dh_param) + 2 > (size_t)blufi_sec->dh_param_len) { + BLUFI_ERROR("DH param too short for G length"); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } size_t g_len = (param[0] << 8) | param[1]; - if ((param - blufi_sec->dh_param) + 2 + g_len > (size_t)blufi_sec->dh_param_len) { + size_t g_offset = (param - blufi_sec->dh_param) + 2 + g_len; + if (g_offset > (size_t)blufi_sec->dh_param_len) { BLUFI_ERROR("G length %d exceeds dh_param bounds", g_len); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; @@ -128,28 +154,34 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da param += 2 + g_len; /* Parse public key length */ + if ((param - blufi_sec->dh_param) + 2 > (size_t)blufi_sec->dh_param_len) { + BLUFI_ERROR("DH param too short for public key length"); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } size_t pub_len = (param[0] << 8) | param[1]; param += 2; - if ((param - blufi_sec->dh_param) + pub_len > (size_t)blufi_sec->dh_param_len) { + + size_t pub_offset = (param - blufi_sec->dh_param) + pub_len; + if (pub_offset > (size_t)blufi_sec->dh_param_len) { BLUFI_ERROR("Public key length %d exceeds dh_param bounds", pub_len); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } - /* Determine key bits based on public key length (RFC7919 key sizes) */ - size_t key_bits; - if (pub_len == 256) { - key_bits = 2048; - } else if (pub_len == 384) { - key_bits = 3072; - } else if (pub_len == 512) { - key_bits = 4096; - } else if (pub_len == 768) { - key_bits = 6144; - } else if (pub_len == 1024) { - key_bits = 8192; - } else { - BLUFI_ERROR("Unsupported DH key length: %d bytes", pub_len); + /* Determine key bits based on public key length (RFC7919 key sizes) + * Note: Only 2048 and 3072 bit keys are supported due to buffer size constraints + * (DH_SELF_PUB_KEY_LEN = 384 bytes = 3072 bits maximum) */ + size_t key_bits = pub_len * 8; + if (key_bits != 2048 && key_bits != 3072) { + BLUFI_ERROR("Unsupported DH key length: %d bytes (only 2048 and 3072 bit keys supported)", pub_len); + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); + return; + } + + /* Validate public key length fits in output buffer */ + if (pub_len > DH_SELF_PUB_KEY_LEN) { + BLUFI_ERROR("Public key length %d exceeds output buffer size %d", pub_len, DH_SELF_PUB_KEY_LEN); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } @@ -191,18 +223,33 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da return; } - size_t hash_length = 0; - status = psa_hash_compute(PSA_ALG_MD5, blufi_sec->share_key, blufi_sec->share_len, blufi_sec->psk, PSK_LEN, &hash_length); - if (status != PSA_SUCCESS) { - BLUFI_ERROR("%s psa_hash_compute failed %d\n", __func__, status); - btc_blufi_report_error(ESP_BLUFI_CALC_MD5_ERROR); + /* Validate share key length fits in buffer */ + if (blufi_sec->share_len > SHARE_KEY_LEN) { + BLUFI_ERROR("Share key length %d exceeds buffer size %d", blufi_sec->share_len, SHARE_KEY_LEN); + free(blufi_sec->dh_param); + blufi_sec->dh_param = NULL; + btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } - // mbedtls_aes_setkey_enc(&blufi_sec->aes, blufi_sec->psk, PSK_LEN * 8); + size_t hash_length = 0; + status = psa_hash_compute(PSA_ALG_SHA_256, blufi_sec->share_key, blufi_sec->share_len, blufi_sec->psk, PSK_LEN, &hash_length); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s psa_hash_compute failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_CALC_SHA_256_ERROR); + return; + } + + /* Destroy previous AES key if it exists to prevent key slot leak */ + if (blufi_sec->aes_key != 0) { + psa_destroy_key(blufi_sec->aes_key); + blufi_sec->aes_key = 0; + } + attributes = psa_key_attributes_init(); psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); psa_set_key_bits(&attributes, PSK_LEN * 8); + psa_set_key_algorithm(&attributes, PSA_ALG_CFB); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); status = psa_import_key(&attributes, blufi_sec->psk, PSK_LEN, &blufi_sec->aes_key); if (status != PSA_SUCCESS) { @@ -224,6 +271,11 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da break; case SEC_TYPE_DH_PUBLIC: break; + default: + /* Reject unknown packet types */ + BLUFI_ERROR("Unknown packet type: 0x%02x", type); + btc_blufi_report_error(ESP_BLUFI_DATA_FORMAT_ERROR); + break; } } @@ -250,20 +302,21 @@ int blufi_aes_encrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) return -1; } - size_t encrypt_out_len = 0; - status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &encrypt_out_len); + size_t update_out_len = 0; + status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &update_out_len); if (status != PSA_SUCCESS) { psa_cipher_abort(&operation); return -1; } - status = psa_cipher_finish(&operation, crypt_data, crypt_len, &encrypt_out_len); + size_t finish_out_len = 0; + status = psa_cipher_finish(&operation, crypt_data, crypt_len, &finish_out_len); if (status != PSA_SUCCESS) { psa_cipher_abort(&operation); return -1; } - return encrypt_out_len; + return update_out_len + finish_out_len; } int blufi_aes_decrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) @@ -289,20 +342,21 @@ int blufi_aes_decrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) return -1; } - size_t encrypt_out_len = 0; - status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &encrypt_out_len); + size_t update_out_len = 0; + status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &update_out_len); if (status != PSA_SUCCESS) { psa_cipher_abort(&operation); return -1; } - status = psa_cipher_finish(&operation, crypt_data, crypt_len, &encrypt_out_len); + size_t finish_out_len = 0; + status = psa_cipher_finish(&operation, crypt_data, crypt_len, &finish_out_len); if (status != PSA_SUCCESS) { psa_cipher_abort(&operation); return -1; } - return crypt_len; + return update_out_len + finish_out_len; } uint16_t blufi_crc_checksum(uint8_t iv8, uint8_t *data, int len) diff --git a/examples/bluetooth/blufi/sdkconfig.defaults.mini b/examples/bluetooth/blufi/sdkconfig.defaults.mini index 2f81ae696a..d55e51b9b4 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults.mini +++ b/examples/bluetooth/blufi/sdkconfig.defaults.mini @@ -46,8 +46,6 @@ CONFIG_BT_NIMBLE_DIS_SERVICE=n CONFIG_BT_ALARM_MAX_NUM=15 -CONFIG_MBEDTLS_HARDWARE_MPI=n - CONFIG_BT_NIMBLE_BLUFI_ENABLE=y CONFIG_BT_NIMBLE_ATT_PREFERRED_MTU=23 From 2235fd841a94c1984d839b7180e5c9a4d780bc93 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Fri, 30 Jan 2026 12:50:11 +0530 Subject: [PATCH 3/4] fix(bt): Keep older error code for backward comatibility --- components/bt/common/api/include/api/esp_blufi_api.h | 4 +++- examples/bluetooth/blufi/main/blufi_security.c | 8 ++++---- examples/bluetooth/blufi/sdkconfig.defaults | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/components/bt/common/api/include/api/esp_blufi_api.h b/components/bt/common/api/include/api/esp_blufi_api.h index b6f3fe295c..bcec29381b 100644 --- a/components/bt/common/api/include/api/esp_blufi_api.h +++ b/components/bt/common/api/include/api/esp_blufi_api.h @@ -76,9 +76,11 @@ typedef enum { ESP_BLUFI_READ_PARAM_ERROR, ESP_BLUFI_MAKE_PUBLIC_ERROR, ESP_BLUFI_DATA_FORMAT_ERROR, - ESP_BLUFI_CALC_SHA_256_ERROR, + // BLUFI_CALC_MD5 entry kept for backward compatibility + ESP_BLUFI_CALC_MD5_ERROR, ESP_BLUFI_WIFI_SCAN_FAIL, ESP_BLUFI_MSG_STATE_ERROR, + ESP_BLUFI_CALC_SHA_256_ERROR, } esp_blufi_error_state_t; /** diff --git a/examples/bluetooth/blufi/main/blufi_security.c b/examples/bluetooth/blufi/main/blufi_security.c index b775643ee5..bca615a1db 100644 --- a/examples/bluetooth/blufi/main/blufi_security.c +++ b/examples/bluetooth/blufi/main/blufi_security.c @@ -170,11 +170,11 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da } /* Determine key bits based on public key length (RFC7919 key sizes) - * Note: Only 2048 and 3072 bit keys are supported due to buffer size constraints - * (DH_SELF_PUB_KEY_LEN = 384 bytes = 3072 bits maximum) */ + * Note: Only 3072 bit keys are supported due to buffer size constraints + * (DH_SELF_PUB_KEY_LEN = 384 bytes = 3072 bits) */ size_t key_bits = pub_len * 8; - if (key_bits != 2048 && key_bits != 3072) { - BLUFI_ERROR("Unsupported DH key length: %d bytes (only 2048 and 3072 bit keys supported)", pub_len); + if (key_bits != 3072) { + BLUFI_ERROR("Unsupported DH key length: %d bytes (only 3072 bit keys supported)", pub_len); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } diff --git a/examples/bluetooth/blufi/sdkconfig.defaults b/examples/bluetooth/blufi/sdkconfig.defaults index 797047814d..31d7023d8b 100644 --- a/examples/bluetooth/blufi/sdkconfig.defaults +++ b/examples/bluetooth/blufi/sdkconfig.defaults @@ -14,4 +14,4 @@ CONFIG_BT_ENABLED=y CONFIG_BT_GATTC_ENABLE=n CONFIG_BT_BLE_SMP_ENABLE=n CONFIG_BT_BLE_BLUFI_ENABLE=y -CONFIG_MBEDTLS_HARDWARE_MPI=n +CONFIG_MBEDTLS_HARDWARE_MPI=y From de9962fe339b969217c3901a06a78f619623739b Mon Sep 17 00:00:00 2001 From: Ashish Sharma Date: Fri, 13 Feb 2026 15:12:52 +0800 Subject: [PATCH 4/4] feat(blufi): update to AES-CTR --- .../bluetooth/blufi/main/blufi_security.c | 283 +++++++++++++----- 1 file changed, 209 insertions(+), 74 deletions(-) diff --git a/examples/bluetooth/blufi/main/blufi_security.c b/examples/bluetooth/blufi/main/blufi_security.c index bca615a1db..8c44daa190 100644 --- a/examples/bluetooth/blufi/main/blufi_security.c +++ b/examples/bluetooth/blufi/main/blufi_security.c @@ -36,6 +36,12 @@ #define SEC_TYPE_DH_G 0x03 #define SEC_TYPE_DH_PUBLIC 0x04 +#define BLUFI_IV_PREFIX_LEN 9 +#define BLUFI_IV_SIZE 16 +#define BLUFI_HASH_SIZE 32 /* SHA-256 output size */ +#define BLUFI_KEY_SIZE 32 +#define BLUFI_ENC_DOMAIN_STR "blufi_enc" +#define BLUFI_DEC_DOMAIN_STR "blufi_dec" struct blufi_security { #define DH_PARAM_LEN_MAX 1024 @@ -48,13 +54,61 @@ struct blufi_security { uint8_t psk[PSK_LEN]; uint8_t *dh_param; int dh_param_len; - uint8_t iv[16]; psa_key_id_t aes_key; + psa_cipher_operation_t enc_operation; /* Persistent cipher operation for encryption */ + psa_cipher_operation_t dec_operation; /* Persistent cipher operation for decryption */ }; static struct blufi_security *blufi_sec; extern void btc_blufi_report_error(esp_blufi_error_state_t state); +/** + * @brief Clean up DH parameter memory + */ +static void blufi_cleanup_dh_param(void) +{ + if (blufi_sec && blufi_sec->dh_param) { + free(blufi_sec->dh_param); + blufi_sec->dh_param = NULL; + } +} + +/** + * @brief Clean up AES key and cipher operations + * + * @param abort_enc Whether to abort encryption operation + * @param abort_dec Whether to abort decryption operation + */ +static void blufi_cleanup_aes_session(bool abort_enc, bool abort_dec) +{ + if (!blufi_sec) { + return; + } + + if (abort_enc) { + psa_cipher_abort(&blufi_sec->enc_operation); + } + if (abort_dec) { + psa_cipher_abort(&blufi_sec->dec_operation); + } + if (blufi_sec->aes_key != 0) { + psa_destroy_key(blufi_sec->aes_key); + blufi_sec->aes_key = 0; + } +} + +/** + * @brief Clean up entire DH negotiation session (AES key, cipher ops, and DH params) + * + * @param abort_enc Whether to abort encryption operation + * @param abort_dec Whether to abort decryption operation + */ +static void blufi_cleanup_negotiation(bool abort_enc, bool abort_dec) +{ + blufi_cleanup_aes_session(abort_enc, abort_dec); + blufi_cleanup_dh_param(); +} + void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_data, int *output_len, bool *need_free) { if (data == NULL || len < 3) { @@ -90,14 +144,8 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da } /* Allow renegotiation - clean up previous state */ - if (blufi_sec->dh_param) { - free(blufi_sec->dh_param); - blufi_sec->dh_param = NULL; - } - if (blufi_sec->aes_key != 0) { - psa_destroy_key(blufi_sec->aes_key); - blufi_sec->aes_key = 0; - } + blufi_cleanup_dh_param(); + blufi_cleanup_aes_session(true, true); blufi_sec->dh_param = (uint8_t *)malloc(blufi_sec->dh_param_len); if (blufi_sec->dh_param == NULL) { @@ -199,6 +247,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da if (status != PSA_SUCCESS) { BLUFI_ERROR("%s psa_generate_key failed %d\n", __func__, status); btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_dh_param(); return; } @@ -209,16 +258,15 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da BLUFI_ERROR("%s psa_export_public_key failed %d\n", __func__, status); psa_destroy_key(private_key); btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_dh_param(); return; } status = psa_raw_key_agreement(alg, private_key, param, pub_len, blufi_sec->share_key, SHARE_KEY_LEN, &blufi_sec->share_len); psa_destroy_key(private_key); - if (status != PSA_SUCCESS) { BLUFI_ERROR("%s psa_raw_key_agreement failed %d\n", __func__, status); - free(blufi_sec->dh_param); - blufi_sec->dh_param = NULL; + blufi_cleanup_dh_param(); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } @@ -226,8 +274,7 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da /* Validate share key length fits in buffer */ if (blufi_sec->share_len > SHARE_KEY_LEN) { BLUFI_ERROR("Share key length %d exceeds buffer size %d", blufi_sec->share_len, SHARE_KEY_LEN); - free(blufi_sec->dh_param); - blufi_sec->dh_param = NULL; + blufi_cleanup_dh_param(); btc_blufi_report_error(ESP_BLUFI_DH_PARAM_ERROR); return; } @@ -237,26 +284,103 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da if (status != PSA_SUCCESS) { BLUFI_ERROR("%s psa_hash_compute failed %d\n", __func__, status); btc_blufi_report_error(ESP_BLUFI_CALC_SHA_256_ERROR); + blufi_cleanup_dh_param(); return; } - /* Destroy previous AES key if it exists to prevent key slot leak */ - if (blufi_sec->aes_key != 0) { - psa_destroy_key(blufi_sec->aes_key); - blufi_sec->aes_key = 0; - } + /* Destroy previous AES key and cipher operations if they exist */ + blufi_cleanup_aes_session(true, true); + /* Import AES key for CTR mode */ attributes = psa_key_attributes_init(); psa_set_key_type(&attributes, PSA_KEY_TYPE_AES); psa_set_key_bits(&attributes, PSK_LEN * 8); - psa_set_key_algorithm(&attributes, PSA_ALG_CFB); + psa_set_key_algorithm(&attributes, PSA_ALG_CTR); psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT); status = psa_import_key(&attributes, blufi_sec->psk, PSK_LEN, &blufi_sec->aes_key); if (status != PSA_SUCCESS) { BLUFI_ERROR("%s psa_import_key failed %d\n", __func__, status); btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_dh_param(); return; } + psa_reset_key_attributes(&attributes); + + /* Derive domain-separated IVs for encryption and decryption */ + uint8_t enc_material[BLUFI_IV_PREFIX_LEN + SHARE_KEY_LEN]; + memcpy(enc_material, BLUFI_ENC_DOMAIN_STR, BLUFI_IV_PREFIX_LEN); + memcpy(enc_material + BLUFI_IV_PREFIX_LEN, blufi_sec->share_key, blufi_sec->share_len); + + uint8_t enc_hash[BLUFI_HASH_SIZE]; + status = psa_hash_compute(PSA_ALG_SHA_256, enc_material, BLUFI_IV_PREFIX_LEN + blufi_sec->share_len, + enc_hash, BLUFI_HASH_SIZE, &hash_length); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s encryption IV derivation failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_negotiation(false, false); + return; + } + mbedtls_platform_zeroize(enc_material, sizeof(enc_material)); + + uint8_t dec_material[BLUFI_IV_PREFIX_LEN + SHARE_KEY_LEN]; + memcpy(dec_material, BLUFI_DEC_DOMAIN_STR, BLUFI_IV_PREFIX_LEN); + memcpy(dec_material + BLUFI_IV_PREFIX_LEN, blufi_sec->share_key, blufi_sec->share_len); + + uint8_t dec_hash[BLUFI_HASH_SIZE]; + status = psa_hash_compute(PSA_ALG_SHA_256, dec_material, BLUFI_IV_PREFIX_LEN + blufi_sec->share_len, + dec_hash, BLUFI_HASH_SIZE, &hash_length); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s decryption IV derivation failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_negotiation(false, false); + return; + } + mbedtls_platform_zeroize(dec_material, sizeof(dec_material)); + + /* Use first 16 bytes (128 bits) as IV for CTR mode */ + uint8_t iv_enc[BLUFI_IV_SIZE], iv_dec[BLUFI_IV_SIZE]; + memcpy(iv_enc, enc_hash, BLUFI_IV_SIZE); + memcpy(iv_dec, dec_hash, BLUFI_IV_SIZE); + mbedtls_platform_zeroize(enc_hash, sizeof(enc_hash)); + mbedtls_platform_zeroize(dec_hash, sizeof(dec_hash)); + + /* Setup persistent cipher operations */ + blufi_sec->enc_operation = psa_cipher_operation_init(); + status = psa_cipher_encrypt_setup(&blufi_sec->enc_operation, blufi_sec->aes_key, PSA_ALG_CTR); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s encryption setup failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_negotiation(false, false); + return; + } + + status = psa_cipher_set_iv(&blufi_sec->enc_operation, iv_enc, BLUFI_IV_SIZE); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s encryption IV setup failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_negotiation(true, false); + return; + } + mbedtls_platform_zeroize(iv_enc, sizeof(iv_enc)); + + blufi_sec->dec_operation = psa_cipher_operation_init(); + /* Note: CTR mode uses encrypt_setup for both encryption and decryption */ + status = psa_cipher_encrypt_setup(&blufi_sec->dec_operation, blufi_sec->aes_key, PSA_ALG_CTR); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s decryption setup failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_negotiation(true, false); + return; + } + + status = psa_cipher_set_iv(&blufi_sec->dec_operation, iv_dec, BLUFI_IV_SIZE); + if (status != PSA_SUCCESS) { + BLUFI_ERROR("%s decryption IV setup failed %d\n", __func__, status); + btc_blufi_report_error(ESP_BLUFI_DH_MALLOC_ERROR); + blufi_cleanup_negotiation(true, true); + return; + } + mbedtls_platform_zeroize(iv_dec, sizeof(iv_dec)); /* alloc output data */ *output_data = &blufi_sec->self_public_key[0]; @@ -281,82 +405,94 @@ void blufi_dh_negotiate_data_handler(uint8_t *data, int len, uint8_t **output_da int blufi_aes_encrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) { - uint8_t iv0[16]; + (void)iv8; /* iv8 parameter is no longer used with persistent CTR operation */ - if (!blufi_sec) { + if (!blufi_sec || !crypt_data || crypt_len < 0) { return -1; } - psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; - psa_status_t status = psa_cipher_encrypt_setup(&operation, blufi_sec->aes_key, PSA_ALG_CFB); + if (crypt_len == 0) { + return 0; + } + + if (blufi_sec->aes_key == 0) { + BLUFI_ERROR("AES key is not initialized"); + return -1; + } + + /* Use persistent cipher operation - CTR counter is automatically managed */ + size_t output_len = 0; + size_t output_buf_size = PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(PSA_KEY_TYPE_AES, PSA_ALG_CTR, crypt_len); + uint8_t *output_buf = (uint8_t *)malloc(output_buf_size); + if (output_buf == NULL) { + BLUFI_ERROR("Failed to allocate output buffer"); + return -1; + } + + psa_status_t status = psa_cipher_update(&blufi_sec->enc_operation, crypt_data, crypt_len, + output_buf, output_buf_size, &output_len); if (status != PSA_SUCCESS) { + BLUFI_ERROR("Encryption failed with status=%d", status); + free(output_buf); return -1; } - memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv)); - iv0[0] = iv8; - - status = psa_cipher_set_iv(&operation, iv0, sizeof(iv0)); - if (status != PSA_SUCCESS) { - psa_cipher_abort(&operation); + if (output_len > (size_t)crypt_len) { + BLUFI_ERROR("Output length %d exceeds input buffer size %d", output_len, crypt_len); + free(output_buf); return -1; } - size_t update_out_len = 0; - status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &update_out_len); - if (status != PSA_SUCCESS) { - psa_cipher_abort(&operation); - return -1; - } + memcpy(crypt_data, output_buf, output_len); + free(output_buf); - size_t finish_out_len = 0; - status = psa_cipher_finish(&operation, crypt_data, crypt_len, &finish_out_len); - if (status != PSA_SUCCESS) { - psa_cipher_abort(&operation); - return -1; - } - - return update_out_len + finish_out_len; + return output_len; } int blufi_aes_decrypt(uint8_t iv8, uint8_t *crypt_data, int crypt_len) { - uint8_t iv0[16]; + (void)iv8; /* iv8 parameter is no longer used with persistent CTR operation */ - if (!blufi_sec) { + if (!blufi_sec || !crypt_data || crypt_len < 0) { return -1; } - psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; - psa_status_t status = psa_cipher_decrypt_setup(&operation, blufi_sec->aes_key, PSA_ALG_CFB); + if (crypt_len == 0) { + return 0; + } + + if (blufi_sec->aes_key == 0) { + BLUFI_ERROR("AES key is not initialized"); + return -1; + } + + /* Use persistent cipher operation - CTR counter is automatically managed */ + size_t output_len = 0; + size_t output_buf_size = PSA_CIPHER_DECRYPT_OUTPUT_SIZE(PSA_KEY_TYPE_AES, PSA_ALG_CTR, crypt_len); + uint8_t *output_buf = (uint8_t *)malloc(output_buf_size); + if (output_buf == NULL) { + BLUFI_ERROR("Failed to allocate output buffer"); + return -1; + } + + psa_status_t status = psa_cipher_update(&blufi_sec->dec_operation, crypt_data, crypt_len, + output_buf, output_buf_size, &output_len); if (status != PSA_SUCCESS) { + BLUFI_ERROR("Decryption failed with status=%d", status); + free(output_buf); return -1; } - memcpy(iv0, blufi_sec->iv, sizeof(blufi_sec->iv)); - iv0[0] = iv8; - - status = psa_cipher_set_iv(&operation, iv0, sizeof(iv0)); - if (status != PSA_SUCCESS) { - psa_cipher_abort(&operation); + if (output_len > (size_t)crypt_len) { + BLUFI_ERROR("Output length %d exceeds input buffer size %d", output_len, crypt_len); + free(output_buf); return -1; } - size_t update_out_len = 0; - status = psa_cipher_update(&operation, crypt_data, crypt_len, crypt_data, crypt_len, &update_out_len); - if (status != PSA_SUCCESS) { - psa_cipher_abort(&operation); - return -1; - } + memcpy(crypt_data, output_buf, output_len); + free(output_buf); - size_t finish_out_len = 0; - status = psa_cipher_finish(&operation, crypt_data, crypt_len, &finish_out_len); - if (status != PSA_SUCCESS) { - psa_cipher_abort(&operation); - return -1; - } - - return update_out_len + finish_out_len; + return output_len; } uint16_t blufi_crc_checksum(uint8_t iv8, uint8_t *data, int len) @@ -373,8 +509,9 @@ esp_err_t blufi_security_init(void) } memset(blufi_sec, 0x0, sizeof(struct blufi_security)); + blufi_sec->enc_operation = psa_cipher_operation_init(); + blufi_sec->dec_operation = psa_cipher_operation_init(); - memset(blufi_sec->iv, 0x0, sizeof(blufi_sec->iv)); return 0; } @@ -383,11 +520,9 @@ void blufi_security_deinit(void) if (blufi_sec == NULL) { return; } - if (blufi_sec->dh_param){ - free(blufi_sec->dh_param); - blufi_sec->dh_param = NULL; - } - psa_destroy_key(blufi_sec->aes_key); + + /* Clean up all resources */ + blufi_cleanup_negotiation(true, true); memset(blufi_sec, 0x0, sizeof(struct blufi_security));