ZGW-3413: Improve keys randomization

ochavezmiranda · rzr · commit 3cf4851d78c3 · 2024-08-14T17:50:22.000+02:00
ZGW-3413: unit test added Forwarded: #12 Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/src/transport/Security_Scheme0.c b/src/transport/Security_Scheme0.c
@@ -8,6 +8,7 @@
 #include "ZW_PRNG.h"
 #include "ZIP_Router_logging.h"
 #include "zip_router_config.h"
+#include "random.h"
 #define NONCE_OPT 0
 
 /**/
@@ -23,6 +24,8 @@
 #define NONCE_BLACKLIST_SIZE 10
 #define RECEIVERS_NONCE_SIZE 8    /* The size of the nonce field in a Nonce Report */
 
+#define S0_KEY_SIZE 16  /* The S0 Key Size */
+
 typedef enum {
   NONCE_GET,
   NONCE_GET_SENT,
@@ -59,7 +62,7 @@ typedef struct _AUTHDATA_ {
 extern u8_t send_data(ts_param_t* p, const u8_t* data, u16_t len,ZW_SendDataAppl_Callback_t cb,void* user);
 
 static sec_tx_session_t tx_sessions[NUM_TX_SESSIONS];
-uint8_t networkKey[16];                 /* The master key */
+uint8_t networkKey[S0_KEY_SIZE] = {0};                 /* The master key */
 
 
 /* Nonce blacklist type*/
@@ -885,10 +888,24 @@ uint8_t sec0_decrypt_message(uint8_t snode, uint8_t dnode, uint8_t* enc_data, ui
 }
 
 
-void sec0_reset_netkey() {
+void sec0_reset_netkey(void) {
+  uint8_t n=0;
+  bool bSuccess=false;
+
   LOG_PRINTF("Reinitializing S0 network key (S2 keys are unchanged)\n");
-  aes_random8( &networkKey[0] );
-  aes_random8( &networkKey[8] );
+  do {
+    bSuccess = dev_urandom(sizeof(networkKey),networkKey);
+    if (bSuccess) {
+      break;
+    }
+  } while (n++ <= 10); 
+
+  if(bSuccess) {
+    nvm_config_set(security_netkey,networkKey);
+  }
+  else {
+    ERR_PRINTF("Failed to generate random S0 key. Security compromised!\n");
+  }
 
-  nvm_config_set(security_netkey,networkKey);
+  ASSERT(bSuccess);
 }
diff --git a/test/S0/test_S0.c b/test/S0/test_S0.c
@@ -93,6 +93,24 @@ void sec0_sd_callback(BYTE txStatus,void* user, TX_STATUS_TYPE *txStatEx) {
     printf("sec0_sd_callback from line %u\n", (unsigned int)user);
 }
 
+int dev_urandom(int len, uint8_t *buf)
+{ FILE * fp;
+  size_t read;
+  int error = 0; 
+
+  printf("-------in my dev_urandom\n");
+  
+  fp = fopen("/dev/urandom", "r");
+  read = fread(buf, 1, len, fp);
+  if (read < len) {
+      printf("Error: Random number generation failed\n");
+      error = 1;
+  }
+
+  fclose(fp);
+
+  return error ? 0 : 1;
+}
 
 /****************************************Test cases*******************************************************/
 
@@ -382,3 +400,13 @@ void test_nonce_blacklist() {
   TEST_ASSERT_TRUE(sec0_is_nonce_blacklisted(1, 2, (const uint8_t*)"AAAAAAAA"));
   TEST_ASSERT_TRUE(sec0_is_nonce_blacklisted(1, 2, (const uint8_t*)"BBBBBBBB"));
 }
+
+void test_sec0_reset_netkey()
+{  uint8_t s0_key[S0_KEY_SIZE]={0};
+
+   sec0_reset_netkey();
+   memcpy(s0_key, networkKey, sizeof(s0_key));
+   sec0_reset_netkey();
+
+   TEST_ASSERT_NOT_EQUAL(memcmp(s0_key, networkKey, sizeof(s0_key)), 0);
+}
