@matter/thread-br-client 0.0.1 → 0.17.5-alpha.0-20260706-fd4c49e2e
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +201 -0
- package/README.md +5 -5
- package/dist/cjs/coap/CoapClient.d.ts +2 -2
- package/dist/cjs/coap/CoapClient.d.ts.map +1 -1
- package/dist/cjs/coap/CoapClient.js +9 -16
- package/dist/cjs/coap/CoapClient.js.map +1 -1
- package/dist/cjs/coap/CoapMessage.d.ts +11 -6
- package/dist/cjs/coap/CoapMessage.d.ts.map +1 -1
- package/dist/cjs/coap/CoapMessage.js +8 -5
- package/dist/cjs/coap/CoapMessage.js.map +1 -1
- package/dist/cjs/commissioner/Commissioner.d.ts.map +1 -1
- package/dist/cjs/commissioner/Commissioner.js +5 -2
- package/dist/cjs/commissioner/Commissioner.js.map +1 -1
- package/dist/cjs/commissioner/LeadKa.d.ts +3 -3
- package/dist/cjs/commissioner/LeadKa.d.ts.map +1 -1
- package/dist/cjs/commissioner/LeadKa.js +1 -1
- package/dist/cjs/commissioner/LeadKa.js.map +1 -1
- package/dist/cjs/commissioner/LeadPet.d.ts +3 -2
- package/dist/cjs/commissioner/LeadPet.d.ts.map +1 -1
- package/dist/cjs/commissioner/LeadPet.js +4 -3
- package/dist/cjs/commissioner/LeadPet.js.map +1 -1
- package/dist/cjs/credentials/ThreadCredentialsRegistry.d.ts +5 -5
- package/dist/cjs/credentials/ThreadCredentialsRegistry.d.ts.map +1 -1
- package/dist/cjs/credentials/ThreadCredentialsRegistry.js +10 -9
- package/dist/cjs/credentials/ThreadCredentialsRegistry.js.map +1 -1
- package/dist/cjs/credentials/ThreadNetworkCredentials.d.ts +4 -3
- package/dist/cjs/credentials/ThreadNetworkCredentials.d.ts.map +1 -1
- package/dist/cjs/crypto/AesCmacPrf128.d.ts +4 -14
- package/dist/cjs/crypto/AesCmacPrf128.d.ts.map +1 -1
- package/dist/cjs/crypto/AesCmacPrf128.js +7 -71
- package/dist/cjs/crypto/AesCmacPrf128.js.map +2 -2
- package/dist/cjs/crypto/Pbkdf2AesCmac.d.ts +5 -4
- package/dist/cjs/crypto/Pbkdf2AesCmac.d.ts.map +1 -1
- package/dist/cjs/crypto/Pbkdf2AesCmac.js +5 -4
- package/dist/cjs/crypto/Pbkdf2AesCmac.js.map +1 -1
- package/dist/cjs/crypto/Pskc.d.ts +4 -3
- package/dist/cjs/crypto/Pskc.d.ts.map +1 -1
- package/dist/cjs/crypto/Pskc.js +6 -5
- package/dist/cjs/crypto/Pskc.js.map +1 -1
- package/dist/cjs/crypto/index.d.ts +1 -1
- package/dist/cjs/crypto/index.d.ts.map +1 -1
- package/dist/cjs/crypto/index.js +0 -1
- package/dist/cjs/crypto/index.js.map +1 -1
- package/dist/cjs/dataset/OperationalDataset.d.ts +10 -10
- package/dist/cjs/dataset/OperationalDataset.d.ts.map +1 -1
- package/dist/cjs/dataset/OperationalDataset.js +32 -31
- package/dist/cjs/dataset/OperationalDataset.js.map +1 -1
- package/dist/cjs/dataset/SecurityPolicy.d.ts +3 -2
- package/dist/cjs/dataset/SecurityPolicy.d.ts.map +1 -1
- package/dist/cjs/dataset/SecurityPolicy.js +5 -4
- package/dist/cjs/dataset/SecurityPolicy.js.map +1 -1
- package/dist/cjs/diagnostic/DiagnosticResponse.d.ts +5 -4
- package/dist/cjs/diagnostic/DiagnosticResponse.d.ts.map +1 -1
- package/dist/cjs/diagnostic/DiagnosticSource.d.ts +2 -2
- package/dist/cjs/diagnostic/DiagnosticSource.d.ts.map +1 -1
- package/dist/cjs/diagnostic/MeshCopDiagnosticSource.d.ts +7 -3
- package/dist/cjs/diagnostic/MeshCopDiagnosticSource.d.ts.map +1 -1
- package/dist/cjs/diagnostic/MeshCopDiagnosticSource.js +48 -43
- package/dist/cjs/diagnostic/MeshCopDiagnosticSource.js.map +1 -1
- package/dist/cjs/diagnostic/connectMeshcop.d.ts.map +1 -1
- package/dist/cjs/diagnostic/connectMeshcop.js +5 -12
- package/dist/cjs/diagnostic/connectMeshcop.js.map +1 -1
- package/dist/cjs/diagnostic/errors.d.ts +1 -1
- package/dist/cjs/diagnostic/errors.d.ts.map +1 -1
- package/dist/cjs/discovery/BorderRouterRegistry.d.ts.map +1 -1
- package/dist/cjs/discovery/BorderRouterRegistry.js +2 -4
- package/dist/cjs/discovery/BorderRouterRegistry.js.map +1 -1
- package/dist/cjs/dtls/channel/DtlsConnectOpts.d.ts +3 -3
- package/dist/cjs/dtls/channel/DtlsConnectOpts.d.ts.map +1 -1
- package/dist/cjs/dtls/channel/NobleDtlsChannel.d.ts.map +1 -1
- package/dist/cjs/dtls/channel/NobleDtlsChannel.js +89 -58
- package/dist/cjs/dtls/channel/NobleDtlsChannel.js.map +1 -1
- package/dist/cjs/dtls/ecjpake/EcJpakePms.d.ts +5 -4
- package/dist/cjs/dtls/ecjpake/EcJpakePms.d.ts.map +1 -1
- package/dist/cjs/dtls/ecjpake/EcJpakePms.js +4 -5
- package/dist/cjs/dtls/ecjpake/EcJpakePms.js.map +1 -1
- package/dist/cjs/dtls/ecjpake/EcJpakeRound.d.ts +16 -15
- package/dist/cjs/dtls/ecjpake/EcJpakeRound.d.ts.map +1 -1
- package/dist/cjs/dtls/ecjpake/EcJpakeRound.js +40 -29
- package/dist/cjs/dtls/ecjpake/EcJpakeRound.js.map +1 -1
- package/dist/cjs/dtls/ecjpake/SchnorrZkp.d.ts +10 -9
- package/dist/cjs/dtls/ecjpake/SchnorrZkp.d.ts.map +1 -1
- package/dist/cjs/dtls/ecjpake/SchnorrZkp.js +17 -13
- package/dist/cjs/dtls/ecjpake/SchnorrZkp.js.map +1 -1
- package/dist/cjs/dtls/handshake/ChangeCipherSpec.d.ts +2 -1
- package/dist/cjs/dtls/handshake/ChangeCipherSpec.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/ChangeCipherSpec.js +3 -1
- package/dist/cjs/dtls/handshake/ChangeCipherSpec.js.map +1 -1
- package/dist/cjs/dtls/handshake/ClientHelloMessage.d.ts +27 -4
- package/dist/cjs/dtls/handshake/ClientHelloMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/ClientHelloMessage.js +3 -1
- package/dist/cjs/dtls/handshake/ClientHelloMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/ClientKeyExchangeMessage.d.ts +2 -1
- package/dist/cjs/dtls/handshake/ClientKeyExchangeMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/ClientKeyExchangeMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/DtlsClient.d.ts +9 -6
- package/dist/cjs/dtls/handshake/DtlsClient.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/DtlsClient.js +99 -77
- package/dist/cjs/dtls/handshake/DtlsClient.js.map +1 -1
- package/dist/cjs/dtls/handshake/FinishedMessage.d.ts +10 -3
- package/dist/cjs/dtls/handshake/FinishedMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/FinishedMessage.js +4 -2
- package/dist/cjs/dtls/handshake/FinishedMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/HandshakeMessage.d.ts +5 -4
- package/dist/cjs/dtls/handshake/HandshakeMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/HandshakeMessage.js +13 -11
- package/dist/cjs/dtls/handshake/HandshakeMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/HelloVerifyRequestMessage.d.ts +19 -2
- package/dist/cjs/dtls/handshake/HelloVerifyRequestMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/HelloVerifyRequestMessage.js +3 -1
- package/dist/cjs/dtls/handshake/HelloVerifyRequestMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/ServerHelloDoneMessage.d.ts +2 -1
- package/dist/cjs/dtls/handshake/ServerHelloDoneMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/ServerHelloDoneMessage.js +3 -2
- package/dist/cjs/dtls/handshake/ServerHelloDoneMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/ServerHelloMessage.d.ts +4 -3
- package/dist/cjs/dtls/handshake/ServerHelloMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/ServerHelloMessage.js +3 -1
- package/dist/cjs/dtls/handshake/ServerHelloMessage.js.map +1 -1
- package/dist/cjs/dtls/handshake/ServerKeyExchangeMessage.d.ts +2 -1
- package/dist/cjs/dtls/handshake/ServerKeyExchangeMessage.d.ts.map +1 -1
- package/dist/cjs/dtls/handshake/ServerKeyExchangeMessage.js.map +1 -1
- package/dist/cjs/dtls/prf/HandshakeTranscript.d.ts +7 -5
- package/dist/cjs/dtls/prf/HandshakeTranscript.d.ts.map +1 -1
- package/dist/cjs/dtls/prf/HandshakeTranscript.js +14 -9
- package/dist/cjs/dtls/prf/HandshakeTranscript.js.map +1 -1
- package/dist/cjs/dtls/prf/TlsPrf.d.ts +23 -22
- package/dist/cjs/dtls/prf/TlsPrf.d.ts.map +1 -1
- package/dist/cjs/dtls/prf/TlsPrf.js +33 -30
- package/dist/cjs/dtls/prf/TlsPrf.js.map +1 -1
- package/dist/cjs/dtls/record/AesCcm8.d.ts +13 -12
- package/dist/cjs/dtls/record/AesCcm8.d.ts.map +1 -1
- package/dist/cjs/dtls/record/AesCcm8.js +12 -34
- package/dist/cjs/dtls/record/AesCcm8.js.map +1 -1
- package/dist/cjs/dtls/record/DtlsCipherState.d.ts +11 -10
- package/dist/cjs/dtls/record/DtlsCipherState.d.ts.map +1 -1
- package/dist/cjs/dtls/record/DtlsCipherState.js +10 -6
- package/dist/cjs/dtls/record/DtlsCipherState.js.map +1 -1
- package/dist/cjs/dtls/record/DtlsRecord.d.ts +10 -10
- package/dist/cjs/dtls/record/DtlsRecord.d.ts.map +1 -1
- package/dist/cjs/dtls/record/DtlsRecord.js +10 -8
- package/dist/cjs/dtls/record/DtlsRecord.js.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestCapability.d.ts +3 -4
- package/dist/cjs/otbr-rest/OtbrRestCapability.d.ts.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestClient.d.ts +27 -8
- package/dist/cjs/otbr-rest/OtbrRestClient.d.ts.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestClient.js +50 -20
- package/dist/cjs/otbr-rest/OtbrRestClient.js.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestDiagnosticSource.d.ts +2 -1
- package/dist/cjs/otbr-rest/OtbrRestDiagnosticSource.d.ts.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestDiagnosticSource.js +3 -3
- package/dist/cjs/otbr-rest/OtbrRestDiagnosticSource.js.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestProbe.d.ts +6 -4
- package/dist/cjs/otbr-rest/OtbrRestProbe.d.ts.map +1 -1
- package/dist/cjs/otbr-rest/OtbrRestProbe.js +11 -43
- package/dist/cjs/otbr-rest/OtbrRestProbe.js.map +1 -1
- package/dist/cjs/otbr-rest/caseNormalizer.d.ts +7 -0
- package/dist/cjs/otbr-rest/caseNormalizer.d.ts.map +1 -1
- package/dist/cjs/otbr-rest/caseNormalizer.js +11 -0
- package/dist/cjs/otbr-rest/caseNormalizer.js.map +1 -1
- package/dist/cjs/otbr-rest/parseHexBytes.d.ts +22 -0
- package/dist/cjs/otbr-rest/parseHexBytes.d.ts.map +1 -0
- package/dist/cjs/otbr-rest/parseHexBytes.js +50 -0
- package/dist/cjs/otbr-rest/parseHexBytes.js.map +6 -0
- package/dist/cjs/otbr-rest/translation.d.ts +2 -1
- package/dist/cjs/otbr-rest/translation.d.ts.map +1 -1
- package/dist/cjs/otbr-rest/translation.js +20 -22
- package/dist/cjs/otbr-rest/translation.js.map +1 -1
- package/dist/cjs/selection/selectBr.d.ts +8 -4
- package/dist/cjs/selection/selectBr.d.ts.map +1 -1
- package/dist/cjs/selection/selectBr.js +6 -5
- package/dist/cjs/selection/selectBr.js.map +1 -1
- package/dist/cjs/selection/withExtPanIdLock.d.ts +2 -1
- package/dist/cjs/selection/withExtPanIdLock.d.ts.map +1 -1
- package/dist/cjs/selection/withExtPanIdLock.js.map +1 -1
- package/dist/cjs/tlv/BasicTlvCodec.d.ts +4 -4
- package/dist/cjs/tlv/BasicTlvCodec.d.ts.map +1 -1
- package/dist/cjs/tlv/BasicTlvCodec.js +13 -11
- package/dist/cjs/tlv/BasicTlvCodec.js.map +1 -1
- package/dist/cjs/tlv/NetworkDiagnosticTlv.d.ts +3 -2
- package/dist/cjs/tlv/NetworkDiagnosticTlv.d.ts.map +1 -1
- package/dist/cjs/tlv/NetworkDiagnosticTlv.js.map +1 -1
- package/dist/cjs/tlv/TypeListTlv.d.ts +3 -2
- package/dist/cjs/tlv/TypeListTlv.d.ts.map +1 -1
- package/dist/cjs/tlv/TypeListTlv.js +1 -1
- package/dist/cjs/tlv/TypeListTlv.js.map +1 -1
- package/dist/cjs/tlv/diag/ChildIpv6AddressList.d.ts +3 -2
- package/dist/cjs/tlv/diag/ChildIpv6AddressList.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/ChildIpv6AddressList.js +5 -3
- package/dist/cjs/tlv/diag/ChildIpv6AddressList.js.map +1 -1
- package/dist/cjs/tlv/diag/ChildTable.d.ts +3 -2
- package/dist/cjs/tlv/diag/ChildTable.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/ChildTable.js +7 -6
- package/dist/cjs/tlv/diag/ChildTable.js.map +1 -1
- package/dist/cjs/tlv/diag/Connectivity.d.ts +3 -2
- package/dist/cjs/tlv/diag/Connectivity.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/Connectivity.js +14 -14
- package/dist/cjs/tlv/diag/Connectivity.js.map +1 -1
- package/dist/cjs/tlv/diag/Ipv6AddressList.d.ts +3 -2
- package/dist/cjs/tlv/diag/Ipv6AddressList.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/Ipv6AddressList.js +6 -5
- package/dist/cjs/tlv/diag/Ipv6AddressList.js.map +1 -1
- package/dist/cjs/tlv/diag/LeaderData.d.ts +3 -2
- package/dist/cjs/tlv/diag/LeaderData.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/LeaderData.js +8 -7
- package/dist/cjs/tlv/diag/LeaderData.js.map +1 -1
- package/dist/cjs/tlv/diag/MacCounters.d.ts +3 -2
- package/dist/cjs/tlv/diag/MacCounters.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/MacCounters.js +12 -11
- package/dist/cjs/tlv/diag/MacCounters.js.map +1 -1
- package/dist/cjs/tlv/diag/MleCounters.d.ts +3 -2
- package/dist/cjs/tlv/diag/MleCounters.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/MleCounters.js +18 -17
- package/dist/cjs/tlv/diag/MleCounters.js.map +1 -1
- package/dist/cjs/tlv/diag/Mode.d.ts +3 -2
- package/dist/cjs/tlv/diag/Mode.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/Mode.js +5 -3
- package/dist/cjs/tlv/diag/Mode.js.map +1 -1
- package/dist/cjs/tlv/diag/NetworkData.d.ts +7 -6
- package/dist/cjs/tlv/diag/NetworkData.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/NetworkData.js +23 -18
- package/dist/cjs/tlv/diag/NetworkData.js.map +1 -1
- package/dist/cjs/tlv/diag/Primitives.d.ts +15 -14
- package/dist/cjs/tlv/diag/Primitives.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/Primitives.js +25 -19
- package/dist/cjs/tlv/diag/Primitives.js.map +1 -1
- package/dist/cjs/tlv/diag/Route64.d.ts +3 -2
- package/dist/cjs/tlv/diag/Route64.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/Route64.js +8 -7
- package/dist/cjs/tlv/diag/Route64.js.map +1 -1
- package/dist/cjs/tlv/diag/RouterNeighbor.d.ts +3 -2
- package/dist/cjs/tlv/diag/RouterNeighbor.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/RouterNeighbor.js +13 -11
- package/dist/cjs/tlv/diag/RouterNeighbor.js.map +1 -1
- package/dist/cjs/tlv/diag/Timeout.d.ts +3 -2
- package/dist/cjs/tlv/diag/Timeout.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/Timeout.js +4 -3
- package/dist/cjs/tlv/diag/Timeout.js.map +1 -1
- package/dist/cjs/tlv/diag/VendorInfo.d.ts +13 -12
- package/dist/cjs/tlv/diag/VendorInfo.d.ts.map +1 -1
- package/dist/cjs/tlv/diag/VendorInfo.js +4 -3
- package/dist/cjs/tlv/diag/VendorInfo.js.map +1 -1
- package/dist/cjs/tlv/meshcop/Ip6AddressTlv.d.ts +3 -2
- package/dist/cjs/tlv/meshcop/Ip6AddressTlv.d.ts.map +1 -1
- package/dist/cjs/tlv/meshcop/Ip6AddressTlv.js +7 -4
- package/dist/cjs/tlv/meshcop/Ip6AddressTlv.js.map +1 -1
- package/dist/cjs/tlv/meshcop/UdpEncapsulationTlv.d.ts +4 -3
- package/dist/cjs/tlv/meshcop/UdpEncapsulationTlv.d.ts.map +1 -1
- package/dist/cjs/tlv/meshcop/UdpEncapsulationTlv.js +9 -7
- package/dist/cjs/tlv/meshcop/UdpEncapsulationTlv.js.map +1 -1
- package/dist/cjs/util/meshLocalAddr.d.ts +5 -4
- package/dist/cjs/util/meshLocalAddr.d.ts.map +1 -1
- package/dist/cjs/util/meshLocalAddr.js +6 -4
- package/dist/cjs/util/meshLocalAddr.js.map +1 -1
- package/dist/esm/coap/CoapClient.d.ts +2 -2
- package/dist/esm/coap/CoapClient.d.ts.map +1 -1
- package/dist/esm/coap/CoapClient.js +11 -17
- package/dist/esm/coap/CoapClient.js.map +1 -1
- package/dist/esm/coap/CoapMessage.d.ts +11 -6
- package/dist/esm/coap/CoapMessage.d.ts.map +1 -1
- package/dist/esm/coap/CoapMessage.js +8 -5
- package/dist/esm/coap/CoapMessage.js.map +1 -1
- package/dist/esm/commissioner/Commissioner.d.ts.map +1 -1
- package/dist/esm/commissioner/Commissioner.js +5 -2
- package/dist/esm/commissioner/Commissioner.js.map +1 -1
- package/dist/esm/commissioner/LeadKa.d.ts +3 -3
- package/dist/esm/commissioner/LeadKa.d.ts.map +1 -1
- package/dist/esm/commissioner/LeadKa.js +2 -2
- package/dist/esm/commissioner/LeadKa.js.map +1 -1
- package/dist/esm/commissioner/LeadPet.d.ts +3 -2
- package/dist/esm/commissioner/LeadPet.d.ts.map +1 -1
- package/dist/esm/commissioner/LeadPet.js +4 -3
- package/dist/esm/commissioner/LeadPet.js.map +1 -1
- package/dist/esm/credentials/ThreadCredentialsRegistry.d.ts +5 -5
- package/dist/esm/credentials/ThreadCredentialsRegistry.d.ts.map +1 -1
- package/dist/esm/credentials/ThreadCredentialsRegistry.js +10 -9
- package/dist/esm/credentials/ThreadCredentialsRegistry.js.map +1 -1
- package/dist/esm/credentials/ThreadNetworkCredentials.d.ts +4 -3
- package/dist/esm/credentials/ThreadNetworkCredentials.d.ts.map +1 -1
- package/dist/esm/crypto/AesCmacPrf128.d.ts +4 -14
- package/dist/esm/crypto/AesCmacPrf128.d.ts.map +1 -1
- package/dist/esm/crypto/AesCmacPrf128.js +8 -72
- package/dist/esm/crypto/AesCmacPrf128.js.map +2 -2
- package/dist/esm/crypto/Pbkdf2AesCmac.d.ts +5 -4
- package/dist/esm/crypto/Pbkdf2AesCmac.d.ts.map +1 -1
- package/dist/esm/crypto/Pbkdf2AesCmac.js +6 -5
- package/dist/esm/crypto/Pbkdf2AesCmac.js.map +1 -1
- package/dist/esm/crypto/Pskc.d.ts +4 -3
- package/dist/esm/crypto/Pskc.d.ts.map +1 -1
- package/dist/esm/crypto/Pskc.js +7 -6
- package/dist/esm/crypto/Pskc.js.map +1 -1
- package/dist/esm/crypto/index.d.ts +1 -1
- package/dist/esm/crypto/index.d.ts.map +1 -1
- package/dist/esm/crypto/index.js +1 -2
- package/dist/esm/crypto/index.js.map +1 -1
- package/dist/esm/dataset/OperationalDataset.d.ts +10 -10
- package/dist/esm/dataset/OperationalDataset.d.ts.map +1 -1
- package/dist/esm/dataset/OperationalDataset.js +32 -31
- package/dist/esm/dataset/OperationalDataset.js.map +1 -1
- package/dist/esm/dataset/SecurityPolicy.d.ts +3 -2
- package/dist/esm/dataset/SecurityPolicy.d.ts.map +1 -1
- package/dist/esm/dataset/SecurityPolicy.js +6 -5
- package/dist/esm/dataset/SecurityPolicy.js.map +1 -1
- package/dist/esm/diagnostic/DiagnosticResponse.d.ts +5 -4
- package/dist/esm/diagnostic/DiagnosticResponse.d.ts.map +1 -1
- package/dist/esm/diagnostic/DiagnosticSource.d.ts +2 -2
- package/dist/esm/diagnostic/DiagnosticSource.d.ts.map +1 -1
- package/dist/esm/diagnostic/MeshCopDiagnosticSource.d.ts +7 -3
- package/dist/esm/diagnostic/MeshCopDiagnosticSource.d.ts.map +1 -1
- package/dist/esm/diagnostic/MeshCopDiagnosticSource.js +49 -43
- package/dist/esm/diagnostic/MeshCopDiagnosticSource.js.map +1 -1
- package/dist/esm/diagnostic/connectMeshcop.d.ts.map +1 -1
- package/dist/esm/diagnostic/connectMeshcop.js +6 -13
- package/dist/esm/diagnostic/connectMeshcop.js.map +1 -1
- package/dist/esm/diagnostic/errors.d.ts +1 -1
- package/dist/esm/diagnostic/errors.d.ts.map +1 -1
- package/dist/esm/discovery/BorderRouterRegistry.d.ts.map +1 -1
- package/dist/esm/discovery/BorderRouterRegistry.js +2 -4
- package/dist/esm/discovery/BorderRouterRegistry.js.map +1 -1
- package/dist/esm/dtls/channel/DtlsConnectOpts.d.ts +3 -3
- package/dist/esm/dtls/channel/DtlsConnectOpts.d.ts.map +1 -1
- package/dist/esm/dtls/channel/NobleDtlsChannel.d.ts.map +1 -1
- package/dist/esm/dtls/channel/NobleDtlsChannel.js +90 -58
- package/dist/esm/dtls/channel/NobleDtlsChannel.js.map +1 -1
- package/dist/esm/dtls/ecjpake/EcJpakePms.d.ts +5 -4
- package/dist/esm/dtls/ecjpake/EcJpakePms.d.ts.map +1 -1
- package/dist/esm/dtls/ecjpake/EcJpakePms.js +5 -6
- package/dist/esm/dtls/ecjpake/EcJpakePms.js.map +1 -1
- package/dist/esm/dtls/ecjpake/EcJpakeRound.d.ts +16 -15
- package/dist/esm/dtls/ecjpake/EcJpakeRound.d.ts.map +1 -1
- package/dist/esm/dtls/ecjpake/EcJpakeRound.js +41 -30
- package/dist/esm/dtls/ecjpake/EcJpakeRound.js.map +1 -1
- package/dist/esm/dtls/ecjpake/SchnorrZkp.d.ts +10 -9
- package/dist/esm/dtls/ecjpake/SchnorrZkp.d.ts.map +1 -1
- package/dist/esm/dtls/ecjpake/SchnorrZkp.js +18 -14
- package/dist/esm/dtls/ecjpake/SchnorrZkp.js.map +1 -1
- package/dist/esm/dtls/handshake/ChangeCipherSpec.d.ts +2 -1
- package/dist/esm/dtls/handshake/ChangeCipherSpec.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/ChangeCipherSpec.js +3 -1
- package/dist/esm/dtls/handshake/ChangeCipherSpec.js.map +1 -1
- package/dist/esm/dtls/handshake/ClientHelloMessage.d.ts +27 -4
- package/dist/esm/dtls/handshake/ClientHelloMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/ClientHelloMessage.js +4 -2
- package/dist/esm/dtls/handshake/ClientHelloMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/ClientKeyExchangeMessage.d.ts +2 -1
- package/dist/esm/dtls/handshake/ClientKeyExchangeMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/ClientKeyExchangeMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/DtlsClient.d.ts +9 -6
- package/dist/esm/dtls/handshake/DtlsClient.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/DtlsClient.js +100 -78
- package/dist/esm/dtls/handshake/DtlsClient.js.map +1 -1
- package/dist/esm/dtls/handshake/FinishedMessage.d.ts +10 -3
- package/dist/esm/dtls/handshake/FinishedMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/FinishedMessage.js +5 -3
- package/dist/esm/dtls/handshake/FinishedMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/HandshakeMessage.d.ts +5 -4
- package/dist/esm/dtls/handshake/HandshakeMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/HandshakeMessage.js +14 -12
- package/dist/esm/dtls/handshake/HandshakeMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/HelloVerifyRequestMessage.d.ts +19 -2
- package/dist/esm/dtls/handshake/HelloVerifyRequestMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/HelloVerifyRequestMessage.js +3 -1
- package/dist/esm/dtls/handshake/HelloVerifyRequestMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/ServerHelloDoneMessage.d.ts +2 -1
- package/dist/esm/dtls/handshake/ServerHelloDoneMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/ServerHelloDoneMessage.js +3 -2
- package/dist/esm/dtls/handshake/ServerHelloDoneMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/ServerHelloMessage.d.ts +4 -3
- package/dist/esm/dtls/handshake/ServerHelloMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/ServerHelloMessage.js +3 -1
- package/dist/esm/dtls/handshake/ServerHelloMessage.js.map +1 -1
- package/dist/esm/dtls/handshake/ServerKeyExchangeMessage.d.ts +2 -1
- package/dist/esm/dtls/handshake/ServerKeyExchangeMessage.d.ts.map +1 -1
- package/dist/esm/dtls/handshake/ServerKeyExchangeMessage.js.map +1 -1
- package/dist/esm/dtls/prf/HandshakeTranscript.d.ts +7 -5
- package/dist/esm/dtls/prf/HandshakeTranscript.d.ts.map +1 -1
- package/dist/esm/dtls/prf/HandshakeTranscript.js +15 -10
- package/dist/esm/dtls/prf/HandshakeTranscript.js.map +1 -1
- package/dist/esm/dtls/prf/TlsPrf.d.ts +23 -22
- package/dist/esm/dtls/prf/TlsPrf.d.ts.map +1 -1
- package/dist/esm/dtls/prf/TlsPrf.js +34 -31
- package/dist/esm/dtls/prf/TlsPrf.js.map +1 -1
- package/dist/esm/dtls/record/AesCcm8.d.ts +13 -12
- package/dist/esm/dtls/record/AesCcm8.d.ts.map +1 -1
- package/dist/esm/dtls/record/AesCcm8.js +13 -35
- package/dist/esm/dtls/record/AesCcm8.js.map +1 -1
- package/dist/esm/dtls/record/DtlsCipherState.d.ts +11 -10
- package/dist/esm/dtls/record/DtlsCipherState.d.ts.map +1 -1
- package/dist/esm/dtls/record/DtlsCipherState.js +11 -7
- package/dist/esm/dtls/record/DtlsCipherState.js.map +1 -1
- package/dist/esm/dtls/record/DtlsRecord.d.ts +10 -10
- package/dist/esm/dtls/record/DtlsRecord.d.ts.map +1 -1
- package/dist/esm/dtls/record/DtlsRecord.js +11 -9
- package/dist/esm/dtls/record/DtlsRecord.js.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestCapability.d.ts +3 -4
- package/dist/esm/otbr-rest/OtbrRestCapability.d.ts.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestClient.d.ts +27 -8
- package/dist/esm/otbr-rest/OtbrRestClient.d.ts.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestClient.js +51 -21
- package/dist/esm/otbr-rest/OtbrRestClient.js.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestDiagnosticSource.d.ts +2 -1
- package/dist/esm/otbr-rest/OtbrRestDiagnosticSource.d.ts.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestDiagnosticSource.js +4 -4
- package/dist/esm/otbr-rest/OtbrRestDiagnosticSource.js.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestProbe.d.ts +6 -4
- package/dist/esm/otbr-rest/OtbrRestProbe.d.ts.map +1 -1
- package/dist/esm/otbr-rest/OtbrRestProbe.js +12 -44
- package/dist/esm/otbr-rest/OtbrRestProbe.js.map +1 -1
- package/dist/esm/otbr-rest/caseNormalizer.d.ts +7 -0
- package/dist/esm/otbr-rest/caseNormalizer.d.ts.map +1 -1
- package/dist/esm/otbr-rest/caseNormalizer.js +11 -0
- package/dist/esm/otbr-rest/caseNormalizer.js.map +1 -1
- package/dist/esm/otbr-rest/parseHexBytes.d.ts +22 -0
- package/dist/esm/otbr-rest/parseHexBytes.d.ts.map +1 -0
- package/dist/esm/otbr-rest/parseHexBytes.js +30 -0
- package/dist/esm/otbr-rest/parseHexBytes.js.map +6 -0
- package/dist/esm/otbr-rest/translation.d.ts +2 -1
- package/dist/esm/otbr-rest/translation.d.ts.map +1 -1
- package/dist/esm/otbr-rest/translation.js +16 -18
- package/dist/esm/otbr-rest/translation.js.map +1 -1
- package/dist/esm/selection/selectBr.d.ts +8 -4
- package/dist/esm/selection/selectBr.d.ts.map +1 -1
- package/dist/esm/selection/selectBr.js +6 -5
- package/dist/esm/selection/selectBr.js.map +1 -1
- package/dist/esm/selection/withExtPanIdLock.d.ts +2 -1
- package/dist/esm/selection/withExtPanIdLock.d.ts.map +1 -1
- package/dist/esm/selection/withExtPanIdLock.js.map +1 -1
- package/dist/esm/tlv/BasicTlvCodec.d.ts +4 -4
- package/dist/esm/tlv/BasicTlvCodec.d.ts.map +1 -1
- package/dist/esm/tlv/BasicTlvCodec.js +14 -12
- package/dist/esm/tlv/BasicTlvCodec.js.map +1 -1
- package/dist/esm/tlv/NetworkDiagnosticTlv.d.ts +3 -2
- package/dist/esm/tlv/NetworkDiagnosticTlv.d.ts.map +1 -1
- package/dist/esm/tlv/NetworkDiagnosticTlv.js.map +1 -1
- package/dist/esm/tlv/TypeListTlv.d.ts +3 -2
- package/dist/esm/tlv/TypeListTlv.d.ts.map +1 -1
- package/dist/esm/tlv/TypeListTlv.js +2 -2
- package/dist/esm/tlv/TypeListTlv.js.map +1 -1
- package/dist/esm/tlv/diag/ChildIpv6AddressList.d.ts +3 -2
- package/dist/esm/tlv/diag/ChildIpv6AddressList.d.ts.map +1 -1
- package/dist/esm/tlv/diag/ChildIpv6AddressList.js +5 -3
- package/dist/esm/tlv/diag/ChildIpv6AddressList.js.map +1 -1
- package/dist/esm/tlv/diag/ChildTable.d.ts +3 -2
- package/dist/esm/tlv/diag/ChildTable.d.ts.map +1 -1
- package/dist/esm/tlv/diag/ChildTable.js +8 -7
- package/dist/esm/tlv/diag/ChildTable.js.map +1 -1
- package/dist/esm/tlv/diag/Connectivity.d.ts +3 -2
- package/dist/esm/tlv/diag/Connectivity.d.ts.map +1 -1
- package/dist/esm/tlv/diag/Connectivity.js +14 -14
- package/dist/esm/tlv/diag/Connectivity.js.map +1 -1
- package/dist/esm/tlv/diag/Ipv6AddressList.d.ts +3 -2
- package/dist/esm/tlv/diag/Ipv6AddressList.d.ts.map +1 -1
- package/dist/esm/tlv/diag/Ipv6AddressList.js +7 -6
- package/dist/esm/tlv/diag/Ipv6AddressList.js.map +1 -1
- package/dist/esm/tlv/diag/LeaderData.d.ts +3 -2
- package/dist/esm/tlv/diag/LeaderData.d.ts.map +1 -1
- package/dist/esm/tlv/diag/LeaderData.js +9 -8
- package/dist/esm/tlv/diag/LeaderData.js.map +1 -1
- package/dist/esm/tlv/diag/MacCounters.d.ts +3 -2
- package/dist/esm/tlv/diag/MacCounters.d.ts.map +1 -1
- package/dist/esm/tlv/diag/MacCounters.js +13 -12
- package/dist/esm/tlv/diag/MacCounters.js.map +1 -1
- package/dist/esm/tlv/diag/MleCounters.d.ts +3 -2
- package/dist/esm/tlv/diag/MleCounters.d.ts.map +1 -1
- package/dist/esm/tlv/diag/MleCounters.js +19 -18
- package/dist/esm/tlv/diag/MleCounters.js.map +1 -1
- package/dist/esm/tlv/diag/Mode.d.ts +3 -2
- package/dist/esm/tlv/diag/Mode.d.ts.map +1 -1
- package/dist/esm/tlv/diag/Mode.js +5 -3
- package/dist/esm/tlv/diag/Mode.js.map +1 -1
- package/dist/esm/tlv/diag/NetworkData.d.ts +7 -6
- package/dist/esm/tlv/diag/NetworkData.d.ts.map +1 -1
- package/dist/esm/tlv/diag/NetworkData.js +23 -18
- package/dist/esm/tlv/diag/NetworkData.js.map +1 -1
- package/dist/esm/tlv/diag/Primitives.d.ts +15 -14
- package/dist/esm/tlv/diag/Primitives.d.ts.map +1 -1
- package/dist/esm/tlv/diag/Primitives.js +26 -20
- package/dist/esm/tlv/diag/Primitives.js.map +1 -1
- package/dist/esm/tlv/diag/Route64.d.ts +3 -2
- package/dist/esm/tlv/diag/Route64.d.ts.map +1 -1
- package/dist/esm/tlv/diag/Route64.js +9 -8
- package/dist/esm/tlv/diag/Route64.js.map +1 -1
- package/dist/esm/tlv/diag/RouterNeighbor.d.ts +3 -2
- package/dist/esm/tlv/diag/RouterNeighbor.d.ts.map +1 -1
- package/dist/esm/tlv/diag/RouterNeighbor.js +13 -11
- package/dist/esm/tlv/diag/RouterNeighbor.js.map +1 -1
- package/dist/esm/tlv/diag/Timeout.d.ts +3 -2
- package/dist/esm/tlv/diag/Timeout.d.ts.map +1 -1
- package/dist/esm/tlv/diag/Timeout.js +5 -4
- package/dist/esm/tlv/diag/Timeout.js.map +1 -1
- package/dist/esm/tlv/diag/VendorInfo.d.ts +13 -12
- package/dist/esm/tlv/diag/VendorInfo.d.ts.map +1 -1
- package/dist/esm/tlv/diag/VendorInfo.js +5 -4
- package/dist/esm/tlv/diag/VendorInfo.js.map +1 -1
- package/dist/esm/tlv/meshcop/Ip6AddressTlv.d.ts +3 -2
- package/dist/esm/tlv/meshcop/Ip6AddressTlv.d.ts.map +1 -1
- package/dist/esm/tlv/meshcop/Ip6AddressTlv.js +7 -4
- package/dist/esm/tlv/meshcop/Ip6AddressTlv.js.map +1 -1
- package/dist/esm/tlv/meshcop/UdpEncapsulationTlv.d.ts +4 -3
- package/dist/esm/tlv/meshcop/UdpEncapsulationTlv.d.ts.map +1 -1
- package/dist/esm/tlv/meshcop/UdpEncapsulationTlv.js +10 -8
- package/dist/esm/tlv/meshcop/UdpEncapsulationTlv.js.map +1 -1
- package/dist/esm/util/meshLocalAddr.d.ts +5 -4
- package/dist/esm/util/meshLocalAddr.d.ts.map +1 -1
- package/dist/esm/util/meshLocalAddr.js +7 -5
- package/dist/esm/util/meshLocalAddr.js.map +1 -1
- package/package.json +5 -5
- package/src/coap/CoapClient.ts +13 -20
- package/src/coap/CoapMessage.ts +17 -9
- package/src/commissioner/Commissioner.ts +5 -2
- package/src/commissioner/LeadKa.ts +4 -4
- package/src/commissioner/LeadPet.ts +6 -5
- package/src/credentials/ThreadCredentialsRegistry.ts +14 -13
- package/src/credentials/ThreadNetworkCredentials.ts +5 -3
- package/src/crypto/AesCmacPrf128.ts +10 -87
- package/src/crypto/Pbkdf2AesCmac.ts +14 -10
- package/src/crypto/Pskc.ts +7 -6
- package/src/crypto/index.ts +1 -1
- package/src/dataset/OperationalDataset.ts +48 -47
- package/src/dataset/SecurityPolicy.ts +8 -7
- package/src/diagnostic/DiagnosticResponse.ts +5 -4
- package/src/diagnostic/DiagnosticSource.ts +2 -2
- package/src/diagnostic/MeshCopDiagnosticSource.ts +80 -64
- package/src/diagnostic/connectMeshcop.ts +6 -14
- package/src/diagnostic/errors.ts +1 -1
- package/src/discovery/BorderRouterRegistry.ts +2 -4
- package/src/dtls/channel/DtlsConnectOpts.ts +3 -3
- package/src/dtls/channel/NobleDtlsChannel.ts +96 -60
- package/src/dtls/ecjpake/EcJpakePms.ts +5 -6
- package/src/dtls/ecjpake/EcJpakeRound.ts +57 -37
- package/src/dtls/ecjpake/SchnorrZkp.ts +43 -30
- package/src/dtls/handshake/ChangeCipherSpec.ts +3 -1
- package/src/dtls/handshake/ClientHelloMessage.ts +8 -6
- package/src/dtls/handshake/ClientKeyExchangeMessage.ts +2 -1
- package/src/dtls/handshake/DtlsClient.ts +119 -95
- package/src/dtls/handshake/FinishedMessage.ts +5 -3
- package/src/dtls/handshake/HandshakeMessage.ts +18 -16
- package/src/dtls/handshake/HelloVerifyRequestMessage.ts +3 -1
- package/src/dtls/handshake/ServerHelloDoneMessage.ts +5 -3
- package/src/dtls/handshake/ServerHelloMessage.ts +5 -3
- package/src/dtls/handshake/ServerKeyExchangeMessage.ts +2 -1
- package/src/dtls/prf/HandshakeTranscript.ts +18 -11
- package/src/dtls/prf/TlsPrf.ts +68 -54
- package/src/dtls/record/AesCcm8.ts +23 -49
- package/src/dtls/record/DtlsCipherState.ts +20 -16
- package/src/dtls/record/DtlsRecord.ts +17 -15
- package/src/otbr-rest/OtbrRestCapability.ts +4 -4
- package/src/otbr-rest/OtbrRestClient.ts +64 -29
- package/src/otbr-rest/OtbrRestDiagnosticSource.ts +5 -5
- package/src/otbr-rest/OtbrRestProbe.ts +12 -47
- package/src/otbr-rest/caseNormalizer.ts +17 -0
- package/src/otbr-rest/parseHexBytes.ts +47 -0
- package/src/otbr-rest/translation.ts +24 -22
- package/src/selection/selectBr.ts +26 -13
- package/src/selection/withExtPanIdLock.ts +1 -1
- package/src/tlv/BasicTlvCodec.ts +17 -15
- package/src/tlv/NetworkDiagnosticTlv.ts +3 -2
- package/src/tlv/TypeListTlv.ts +4 -4
- package/src/tlv/diag/ChildIpv6AddressList.ts +8 -5
- package/src/tlv/diag/ChildTable.ts +10 -9
- package/src/tlv/diag/Connectivity.ts +16 -16
- package/src/tlv/diag/Ipv6AddressList.ts +9 -8
- package/src/tlv/diag/LeaderData.ts +11 -10
- package/src/tlv/diag/MacCounters.ts +15 -14
- package/src/tlv/diag/MleCounters.ts +21 -20
- package/src/tlv/diag/Mode.ts +7 -5
- package/src/tlv/diag/NetworkData.ts +31 -26
- package/src/tlv/diag/Primitives.ts +42 -36
- package/src/tlv/diag/Route64.ts +11 -10
- package/src/tlv/diag/RouterNeighbor.ts +16 -13
- package/src/tlv/diag/Timeout.ts +7 -6
- package/src/tlv/diag/VendorInfo.ts +19 -18
- package/src/tlv/meshcop/Ip6AddressTlv.ts +9 -6
- package/src/tlv/meshcop/UdpEncapsulationTlv.ts +13 -11
- package/src/util/meshLocalAddr.ts +10 -8
|
@@ -4,6 +4,7 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
+
import type { Bytes } from "@matter/general";
|
|
7
8
|
import { type EcJpakeKeyKP, EcJpakeRound } from "../ecjpake/EcJpakeRound.js";
|
|
8
9
|
|
|
9
10
|
/**
|
|
@@ -22,7 +23,7 @@ import { type EcJpakeKeyKP, EcJpakeRound } from "../ecjpake/EcJpakeRound.js";
|
|
|
22
23
|
*/
|
|
23
24
|
|
|
24
25
|
export const ServerKeyExchangeMessage = {
|
|
25
|
-
parse(body:
|
|
26
|
+
parse(body: Bytes): EcJpakeKeyKP {
|
|
26
27
|
// EcJpakeRound.parseRound2 already validates the 3-byte ECParameters prefix
|
|
27
28
|
// and the ECJPAKEKeyKP body when `expectEcParameters` is true; deferring keeps
|
|
28
29
|
// both error paths (bad prefix, bad body) consistent with round-1 parsers.
|
|
@@ -4,8 +4,7 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
-
import { InternalError } from "@matter/general";
|
|
8
|
-
import { createHash, type Hash } from "node:crypto";
|
|
7
|
+
import { Bytes, Crypto, InternalError } from "@matter/general";
|
|
9
8
|
|
|
10
9
|
const SHA256_LEN = 32;
|
|
11
10
|
|
|
@@ -26,24 +25,32 @@ const SHA256_LEN = 32;
|
|
|
26
25
|
* Internal to `dtls/`; not re-exported from the package public API surface.
|
|
27
26
|
*/
|
|
28
27
|
export class HandshakeTranscript {
|
|
29
|
-
#
|
|
28
|
+
readonly #crypto: Crypto;
|
|
29
|
+
readonly #chunks = new Array<Uint8Array>();
|
|
30
|
+
|
|
31
|
+
constructor(crypto: Crypto) {
|
|
32
|
+
this.#crypto = crypto;
|
|
33
|
+
}
|
|
30
34
|
|
|
31
35
|
/**
|
|
32
36
|
* Append a handshake message in DTLS 1.2 form
|
|
33
37
|
* (`type(1) || length(3) || message_seq(2) || fragment_offset(3) || fragment_length(3) || body`).
|
|
34
38
|
*/
|
|
35
|
-
appendHandshakeMessage(messageBytes:
|
|
36
|
-
|
|
39
|
+
appendHandshakeMessage(messageBytes: Bytes): void {
|
|
40
|
+
const bytes = Bytes.of(messageBytes);
|
|
41
|
+
if (bytes.length > 0) {
|
|
42
|
+
// Copy: the deferred digest() must not observe caller mutations after append.
|
|
43
|
+
this.#chunks.push(new Uint8Array(bytes));
|
|
44
|
+
}
|
|
37
45
|
}
|
|
38
46
|
|
|
39
47
|
/**
|
|
40
|
-
*
|
|
41
|
-
* the same
|
|
42
|
-
* absorbing later messages.
|
|
48
|
+
* SHA-256 over the messages appended so far. Non-mutating: the buffer keeps
|
|
49
|
+
* growing, so the same transcript yields Finished for both peers and keeps
|
|
50
|
+
* absorbing later messages.
|
|
43
51
|
*/
|
|
44
|
-
digest():
|
|
45
|
-
const
|
|
46
|
-
const out = new Uint8Array(snapshot.digest());
|
|
52
|
+
async digest(): Promise<Bytes> {
|
|
53
|
+
const out = Bytes.of(await this.#crypto.computeHash(this.#chunks));
|
|
47
54
|
if (out.length !== SHA256_LEN) {
|
|
48
55
|
throw new InternalError(`HandshakeTranscript digest length ${out.length} != ${SHA256_LEN}`);
|
|
49
56
|
}
|
package/src/dtls/prf/TlsPrf.ts
CHANGED
|
@@ -4,8 +4,7 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
-
import { InternalError } from "@matter/general";
|
|
8
|
-
import { createHmac } from "node:crypto";
|
|
7
|
+
import { Bytes, Crypto, InternalError } from "@matter/general";
|
|
9
8
|
|
|
10
9
|
const SHA256_LEN = 32;
|
|
11
10
|
const MASTER_SECRET_LEN = 48;
|
|
@@ -17,19 +16,14 @@ const VERIFY_DATA_LEN = 12;
|
|
|
17
16
|
|
|
18
17
|
const ASCII_ENCODER = new TextEncoder();
|
|
19
18
|
|
|
20
|
-
function
|
|
21
|
-
const
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
}
|
|
25
|
-
|
|
26
|
-
function expectLength(name: string, value: Uint8Array, expected: number): void {
|
|
27
|
-
if (value.length !== expected) {
|
|
28
|
-
throw new InternalError(`TlsPrf ${name} must be ${expected} bytes, got ${value.length}`);
|
|
19
|
+
function expectLength(name: string, value: Bytes, expected: number): void {
|
|
20
|
+
const length = value.byteLength;
|
|
21
|
+
if (length !== expected) {
|
|
22
|
+
throw new InternalError(`TlsPrf ${name} must be ${expected} bytes, got ${length}`);
|
|
29
23
|
}
|
|
30
24
|
}
|
|
31
25
|
|
|
32
|
-
function pSha256(secret:
|
|
26
|
+
async function pSha256(crypto: Crypto, secret: Bytes, seed: Bytes, outputLength: number): Promise<Uint8Array> {
|
|
33
27
|
if (outputLength < 0) {
|
|
34
28
|
throw new InternalError(`TlsPrf outputLength must be non-negative, got ${outputLength}`);
|
|
35
29
|
}
|
|
@@ -37,19 +31,19 @@ function pSha256(secret: Uint8Array, seed: Uint8Array, outputLength: number): Ui
|
|
|
37
31
|
if (outputLength === 0) {
|
|
38
32
|
return out;
|
|
39
33
|
}
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
block
|
|
34
|
+
const seedBytes = Bytes.of(seed);
|
|
35
|
+
let a = Bytes.of(await crypto.signHmac(secret, seedBytes));
|
|
36
|
+
const block = new Uint8Array(SHA256_LEN + seedBytes.length);
|
|
37
|
+
block.set(seedBytes, SHA256_LEN);
|
|
43
38
|
let written = 0;
|
|
44
39
|
while (written < outputLength) {
|
|
45
40
|
block.set(a, 0);
|
|
46
|
-
const next =
|
|
47
|
-
const
|
|
48
|
-
const copyLen = Math.min(SHA256_LEN, remaining);
|
|
41
|
+
const next = Bytes.of(await crypto.signHmac(secret, block));
|
|
42
|
+
const copyLen = Math.min(SHA256_LEN, outputLength - written);
|
|
49
43
|
out.set(next.subarray(0, copyLen), written);
|
|
50
44
|
written += copyLen;
|
|
51
45
|
if (written < outputLength) {
|
|
52
|
-
a =
|
|
46
|
+
a = Bytes.of(await crypto.signHmac(secret, a));
|
|
53
47
|
}
|
|
54
48
|
}
|
|
55
49
|
return out;
|
|
@@ -74,18 +68,22 @@ export namespace TlsPrf {
|
|
|
74
68
|
* concatenated with the seed (no length prefix). The label is ASCII per
|
|
75
69
|
* RFC 5246; we encode it as UTF-8 which coincides for ASCII-only input.
|
|
76
70
|
*/
|
|
77
|
-
export function compute(
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
71
|
+
export async function compute(
|
|
72
|
+
crypto: Crypto,
|
|
73
|
+
args: {
|
|
74
|
+
secret: Bytes;
|
|
75
|
+
label: string;
|
|
76
|
+
seed: Bytes;
|
|
77
|
+
outputLength: number;
|
|
78
|
+
},
|
|
79
|
+
): Promise<Bytes> {
|
|
83
80
|
const { secret, label, seed, outputLength } = args;
|
|
84
81
|
const labelBytes = ASCII_ENCODER.encode(label);
|
|
85
|
-
const
|
|
82
|
+
const seedBytes = Bytes.of(seed);
|
|
83
|
+
const combined = new Uint8Array(labelBytes.length + seedBytes.length);
|
|
86
84
|
combined.set(labelBytes, 0);
|
|
87
|
-
combined.set(
|
|
88
|
-
return pSha256(secret, combined, outputLength);
|
|
85
|
+
combined.set(seedBytes, labelBytes.length);
|
|
86
|
+
return pSha256(crypto, secret, combined, outputLength);
|
|
89
87
|
}
|
|
90
88
|
|
|
91
89
|
/**
|
|
@@ -93,18 +91,26 @@ export namespace TlsPrf {
|
|
|
93
91
|
* ClientHello.random || ServerHello.random)[0..47]`
|
|
94
92
|
* (RFC 5246 §8.1).
|
|
95
93
|
*/
|
|
96
|
-
export function masterSecret(
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
94
|
+
export async function masterSecret(
|
|
95
|
+
crypto: Crypto,
|
|
96
|
+
args: {
|
|
97
|
+
premasterSecret: Bytes;
|
|
98
|
+
clientRandom: Bytes;
|
|
99
|
+
serverRandom: Bytes;
|
|
100
|
+
},
|
|
101
|
+
): Promise<Bytes> {
|
|
101
102
|
const { premasterSecret, clientRandom, serverRandom } = args;
|
|
102
103
|
expectLength("clientRandom", clientRandom, RANDOM_LEN);
|
|
103
104
|
expectLength("serverRandom", serverRandom, RANDOM_LEN);
|
|
104
105
|
const seed = new Uint8Array(RANDOM_LEN * 2);
|
|
105
|
-
seed.set(clientRandom, 0);
|
|
106
|
-
seed.set(serverRandom, RANDOM_LEN);
|
|
107
|
-
return compute(
|
|
106
|
+
seed.set(Bytes.of(clientRandom), 0);
|
|
107
|
+
seed.set(Bytes.of(serverRandom), RANDOM_LEN);
|
|
108
|
+
return compute(crypto, {
|
|
109
|
+
secret: premasterSecret,
|
|
110
|
+
label: "master secret",
|
|
111
|
+
seed,
|
|
112
|
+
outputLength: MASTER_SECRET_LEN,
|
|
113
|
+
});
|
|
108
114
|
}
|
|
109
115
|
|
|
110
116
|
/**
|
|
@@ -112,10 +118,10 @@ export namespace TlsPrf {
|
|
|
112
118
|
* (AEAD, no MAC keys; RFC 6655 §3, RFC 5246 §6.3).
|
|
113
119
|
*/
|
|
114
120
|
export interface KeyBlock {
|
|
115
|
-
clientWriteKey:
|
|
116
|
-
serverWriteKey:
|
|
117
|
-
clientWriteIv:
|
|
118
|
-
serverWriteIv:
|
|
121
|
+
clientWriteKey: Bytes;
|
|
122
|
+
serverWriteKey: Bytes;
|
|
123
|
+
clientWriteIv: Bytes;
|
|
124
|
+
serverWriteIv: Bytes;
|
|
119
125
|
}
|
|
120
126
|
|
|
121
127
|
/**
|
|
@@ -129,19 +135,24 @@ export namespace TlsPrf {
|
|
|
129
135
|
* `client_write_key (16) || server_write_key (16) ||
|
|
130
136
|
* client_write_IV (4) || server_write_IV (4)`.
|
|
131
137
|
*/
|
|
132
|
-
export function keyBlock(
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
138
|
+
export async function keyBlock(
|
|
139
|
+
crypto: Crypto,
|
|
140
|
+
args: {
|
|
141
|
+
masterSecret: Bytes;
|
|
142
|
+
clientRandom: Bytes;
|
|
143
|
+
serverRandom: Bytes;
|
|
144
|
+
},
|
|
145
|
+
): Promise<KeyBlock> {
|
|
137
146
|
const { masterSecret: ms, clientRandom, serverRandom } = args;
|
|
138
147
|
expectLength("masterSecret", ms, MASTER_SECRET_LEN);
|
|
139
148
|
expectLength("clientRandom", clientRandom, RANDOM_LEN);
|
|
140
149
|
expectLength("serverRandom", serverRandom, RANDOM_LEN);
|
|
141
150
|
const seed = new Uint8Array(RANDOM_LEN * 2);
|
|
142
|
-
seed.set(serverRandom, 0);
|
|
143
|
-
seed.set(clientRandom, RANDOM_LEN);
|
|
144
|
-
const block =
|
|
151
|
+
seed.set(Bytes.of(serverRandom), 0);
|
|
152
|
+
seed.set(Bytes.of(clientRandom), RANDOM_LEN);
|
|
153
|
+
const block = Bytes.of(
|
|
154
|
+
await compute(crypto, { secret: ms, label: "key expansion", seed, outputLength: KEY_BLOCK_LEN }),
|
|
155
|
+
);
|
|
145
156
|
return {
|
|
146
157
|
clientWriteKey: block.slice(0, KEY_LEN),
|
|
147
158
|
serverWriteKey: block.slice(KEY_LEN, KEY_LEN * 2),
|
|
@@ -159,15 +170,18 @@ export namespace TlsPrf {
|
|
|
159
170
|
* with `finished_label = "client finished"` for the client-sent Finished
|
|
160
171
|
* and `"server finished"` for the server-sent one.
|
|
161
172
|
*/
|
|
162
|
-
export function verifyData(
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
173
|
+
export async function verifyData(
|
|
174
|
+
crypto: Crypto,
|
|
175
|
+
args: {
|
|
176
|
+
masterSecret: Bytes;
|
|
177
|
+
role: "client" | "server";
|
|
178
|
+
transcriptDigest: Bytes;
|
|
179
|
+
},
|
|
180
|
+
): Promise<Bytes> {
|
|
167
181
|
const { masterSecret: ms, role, transcriptDigest } = args;
|
|
168
182
|
expectLength("masterSecret", ms, MASTER_SECRET_LEN);
|
|
169
183
|
expectLength("transcriptDigest", transcriptDigest, SHA256_LEN);
|
|
170
184
|
const label = role === "client" ? "client finished" : "server finished";
|
|
171
|
-
return compute({ secret: ms, label, seed: transcriptDigest, outputLength: VERIFY_DATA_LEN });
|
|
185
|
+
return compute(crypto, { secret: ms, label, seed: transcriptDigest, outputLength: VERIFY_DATA_LEN });
|
|
172
186
|
}
|
|
173
187
|
}
|
|
@@ -4,8 +4,7 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
-
import { InternalError } from "@matter/general";
|
|
8
|
-
import { createCipheriv, createDecipheriv } from "node:crypto";
|
|
7
|
+
import { Bytes, Crypto, InternalError } from "@matter/general";
|
|
9
8
|
import { DtlsError } from "../channel/DtlsChannel.js";
|
|
10
9
|
|
|
11
10
|
const KEY_LEN = 16;
|
|
@@ -15,69 +14,44 @@ const TAG_LEN = 8;
|
|
|
15
14
|
* AES-128-CCM with an 8-octet authentication tag, the AEAD primitive used by the
|
|
16
15
|
* `TLS_ECJPAKE_WITH_AES_128_CCM_8` cipher suite (RFC 6655 §3, RFC 3610).
|
|
17
16
|
*
|
|
18
|
-
*
|
|
19
|
-
* `ciphertext || tag` to match the wire layout expected by the DTLS record layer.
|
|
17
|
+
* Delegates to the matter.js {@link Crypto} abstraction with a fixed 8-byte tag length
|
|
18
|
+
* and returns `ciphertext || tag` to match the wire layout expected by the DTLS record layer.
|
|
20
19
|
*
|
|
21
20
|
* The 12-byte nonce length implies CCM L=3 (15 - 12), giving a 2^24 byte payload
|
|
22
21
|
* limit per record — well above the DTLS 16 KiB record cap.
|
|
23
22
|
*/
|
|
24
23
|
export namespace AesCcm8 {
|
|
25
24
|
export interface EncryptArgs {
|
|
26
|
-
key:
|
|
27
|
-
nonce:
|
|
28
|
-
aad:
|
|
29
|
-
plaintext:
|
|
25
|
+
key: Bytes;
|
|
26
|
+
nonce: Bytes;
|
|
27
|
+
aad: Bytes;
|
|
28
|
+
plaintext: Bytes;
|
|
30
29
|
}
|
|
31
30
|
|
|
32
31
|
export interface DecryptArgs {
|
|
33
|
-
key:
|
|
34
|
-
nonce:
|
|
35
|
-
aad:
|
|
36
|
-
ciphertextWithTag:
|
|
32
|
+
key: Bytes;
|
|
33
|
+
nonce: Bytes;
|
|
34
|
+
aad: Bytes;
|
|
35
|
+
ciphertextWithTag: Bytes;
|
|
37
36
|
}
|
|
38
37
|
|
|
39
|
-
export function encrypt({ key, nonce, aad, plaintext }: EncryptArgs):
|
|
40
|
-
|
|
41
|
-
|
|
38
|
+
export async function encrypt(crypto: Crypto, { key, nonce, aad, plaintext }: EncryptArgs): Promise<Bytes> {
|
|
39
|
+
const keyBytes = Bytes.of(key);
|
|
40
|
+
if (keyBytes.length !== KEY_LEN) {
|
|
41
|
+
throw new InternalError(`AES-128-CCM-8 key must be ${KEY_LEN} bytes, got ${keyBytes.length}`);
|
|
42
42
|
}
|
|
43
|
-
|
|
44
|
-
cipher.setAAD(aad, { plaintextLength: plaintext.length });
|
|
45
|
-
const body = cipher.update(plaintext);
|
|
46
|
-
const tail = cipher.final();
|
|
47
|
-
const tag = cipher.getAuthTag();
|
|
48
|
-
|
|
49
|
-
const out = new Uint8Array(plaintext.length + TAG_LEN);
|
|
50
|
-
out.set(body, 0);
|
|
51
|
-
if (tail.length > 0) {
|
|
52
|
-
out.set(tail, body.length);
|
|
53
|
-
}
|
|
54
|
-
out.set(tag, plaintext.length);
|
|
55
|
-
return out;
|
|
43
|
+
return crypto.encrypt(keyBytes, plaintext, nonce, aad, TAG_LEN);
|
|
56
44
|
}
|
|
57
45
|
|
|
58
|
-
export function decrypt({ key, nonce, aad, ciphertextWithTag }: DecryptArgs):
|
|
59
|
-
|
|
60
|
-
|
|
46
|
+
export async function decrypt(crypto: Crypto, { key, nonce, aad, ciphertextWithTag }: DecryptArgs): Promise<Bytes> {
|
|
47
|
+
const keyBytes = Bytes.of(key);
|
|
48
|
+
if (keyBytes.length !== KEY_LEN) {
|
|
49
|
+
throw new InternalError(`AES-128-CCM-8 key must be ${KEY_LEN} bytes, got ${keyBytes.length}`);
|
|
61
50
|
}
|
|
62
|
-
|
|
51
|
+
const ciphertextBytes = Bytes.of(ciphertextWithTag);
|
|
52
|
+
if (ciphertextBytes.length < TAG_LEN) {
|
|
63
53
|
throw new DtlsError(`AES-128-CCM-8 input shorter than ${TAG_LEN}-byte tag`);
|
|
64
54
|
}
|
|
65
|
-
|
|
66
|
-
const ct = ciphertextWithTag.subarray(0, ctLen);
|
|
67
|
-
const tag = ciphertextWithTag.subarray(ctLen);
|
|
68
|
-
|
|
69
|
-
const decipher = createDecipheriv("aes-128-ccm", key, nonce, { authTagLength: TAG_LEN });
|
|
70
|
-
decipher.setAAD(aad, { plaintextLength: ctLen });
|
|
71
|
-
decipher.setAuthTag(tag);
|
|
72
|
-
const body = decipher.update(ct);
|
|
73
|
-
// CCM .final() throws on tag mismatch; bubble up unchanged.
|
|
74
|
-
const tail = decipher.final();
|
|
75
|
-
|
|
76
|
-
const out = new Uint8Array(ctLen);
|
|
77
|
-
out.set(body, 0);
|
|
78
|
-
if (tail.length > 0) {
|
|
79
|
-
out.set(tail, body.length);
|
|
80
|
-
}
|
|
81
|
-
return out;
|
|
55
|
+
return crypto.decrypt(keyBytes, ciphertextBytes, nonce, aad, TAG_LEN);
|
|
82
56
|
}
|
|
83
57
|
}
|
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
-
import { InternalError } from "@matter/general";
|
|
7
|
+
import { Bytes, InternalError } from "@matter/general";
|
|
8
8
|
import { AntiReplayWindow } from "./AntiReplayWindow.js";
|
|
9
9
|
import { ContentType } from "./ContentType.js";
|
|
10
10
|
import { DTLS_1_2_VERSION, type DtlsRecordCipherState } from "./DtlsRecord.js";
|
|
@@ -17,13 +17,13 @@ import { DTLS_1_2_VERSION, type DtlsRecordCipherState } from "./DtlsRecord.js";
|
|
|
17
17
|
*/
|
|
18
18
|
export interface DtlsCipherStateInputs {
|
|
19
19
|
/** 16-byte AES key the client uses to encrypt outbound records. */
|
|
20
|
-
clientWriteKey:
|
|
20
|
+
clientWriteKey: Bytes;
|
|
21
21
|
/** 16-byte AES key the server uses to encrypt outbound records. */
|
|
22
|
-
serverWriteKey:
|
|
22
|
+
serverWriteKey: Bytes;
|
|
23
23
|
/** 4-byte client implicit-IV salt (`client_write_IV`). */
|
|
24
|
-
clientWriteSalt:
|
|
24
|
+
clientWriteSalt: Bytes;
|
|
25
25
|
/** 4-byte server implicit-IV salt (`server_write_IV`). */
|
|
26
|
-
serverWriteSalt:
|
|
26
|
+
serverWriteSalt: Bytes;
|
|
27
27
|
}
|
|
28
28
|
|
|
29
29
|
const KEY_LEN = 16;
|
|
@@ -33,11 +33,12 @@ const AAD_LEN = 13;
|
|
|
33
33
|
const MAX_EPOCH = 0xffff;
|
|
34
34
|
const MAX_SEQ = (1n << 48n) - 1n;
|
|
35
35
|
|
|
36
|
-
function copyExpect(name: string, value:
|
|
37
|
-
|
|
38
|
-
|
|
36
|
+
function copyExpect(name: string, value: Bytes, expectedLen: number): Uint8Array {
|
|
37
|
+
const bytes = Bytes.of(value);
|
|
38
|
+
if (bytes.length !== expectedLen) {
|
|
39
|
+
throw new InternalError(`DtlsCipherState ${name} must be ${expectedLen} bytes, got ${bytes.length}`);
|
|
39
40
|
}
|
|
40
|
-
return new Uint8Array(
|
|
41
|
+
return new Uint8Array(bytes);
|
|
41
42
|
}
|
|
42
43
|
|
|
43
44
|
/**
|
|
@@ -144,21 +145,24 @@ export class DtlsCipherState implements DtlsRecordCipherState {
|
|
|
144
145
|
return this.#readWindow.check(seqNum);
|
|
145
146
|
}
|
|
146
147
|
|
|
147
|
-
encryptParams(): { key:
|
|
148
|
+
encryptParams(): { key: Bytes; salt: Bytes } {
|
|
148
149
|
return this.role === "client"
|
|
149
150
|
? { key: this.#clientWriteKey, salt: this.#clientWriteSalt }
|
|
150
151
|
: { key: this.#serverWriteKey, salt: this.#serverWriteSalt };
|
|
151
152
|
}
|
|
152
153
|
|
|
153
|
-
decryptParams(): { key:
|
|
154
|
+
decryptParams(): { key: Bytes; salt: Bytes } {
|
|
154
155
|
return this.role === "client"
|
|
155
156
|
? { key: this.#serverWriteKey, salt: this.#serverWriteSalt }
|
|
156
157
|
: { key: this.#clientWriteKey, salt: this.#clientWriteSalt };
|
|
157
158
|
}
|
|
158
159
|
|
|
159
|
-
nonceFor(salt:
|
|
160
|
-
|
|
161
|
-
|
|
160
|
+
nonceFor(salt: Bytes, epoch: number, seqNum: bigint): Bytes {
|
|
161
|
+
const saltBytes = Bytes.of(salt);
|
|
162
|
+
if (saltBytes.length !== SALT_LEN) {
|
|
163
|
+
throw new InternalError(
|
|
164
|
+
`DtlsCipherState nonceFor: salt must be ${SALT_LEN} bytes, got ${saltBytes.length}`,
|
|
165
|
+
);
|
|
162
166
|
}
|
|
163
167
|
if (epoch < 0 || epoch > MAX_EPOCH) {
|
|
164
168
|
throw new InternalError(`DtlsCipherState nonceFor: epoch ${epoch} out of range`);
|
|
@@ -167,7 +171,7 @@ export class DtlsCipherState implements DtlsRecordCipherState {
|
|
|
167
171
|
throw new InternalError(`DtlsCipherState nonceFor: seqNum ${seqNum} out of range`);
|
|
168
172
|
}
|
|
169
173
|
const out = new Uint8Array(NONCE_LEN);
|
|
170
|
-
out.set(
|
|
174
|
+
out.set(saltBytes, 0);
|
|
171
175
|
out[4] = (epoch >>> 8) & 0xff;
|
|
172
176
|
out[5] = epoch & 0xff;
|
|
173
177
|
for (let i = 0; i < 6; i++) {
|
|
@@ -176,7 +180,7 @@ export class DtlsCipherState implements DtlsRecordCipherState {
|
|
|
176
180
|
return out;
|
|
177
181
|
}
|
|
178
182
|
|
|
179
|
-
aadFor(type: ContentType, epoch: number, seqNum: bigint, plaintextLen: number):
|
|
183
|
+
aadFor(type: ContentType, epoch: number, seqNum: bigint, plaintextLen: number): Bytes {
|
|
180
184
|
if (epoch < 0 || epoch > MAX_EPOCH) {
|
|
181
185
|
throw new InternalError(`DtlsCipherState aadFor: epoch ${epoch} out of range`);
|
|
182
186
|
}
|
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
-
import { InternalError, MatterError } from "@matter/general";
|
|
7
|
+
import { Bytes, Crypto, InternalError, MatterError } from "@matter/general";
|
|
8
8
|
import { DtlsError } from "../channel/DtlsChannel.js";
|
|
9
9
|
import { AesCcm8 } from "./AesCcm8.js";
|
|
10
10
|
import { ContentType, isContentType } from "./ContentType.js";
|
|
@@ -35,13 +35,13 @@ export const DTLS_HEADER_LEN = 13;
|
|
|
35
35
|
*/
|
|
36
36
|
export interface DtlsRecordCipherState {
|
|
37
37
|
/** AES key + 4-byte salt to use for outbound (encrypt) records. */
|
|
38
|
-
encryptParams(): { key:
|
|
38
|
+
encryptParams(): { key: Bytes; salt: Bytes };
|
|
39
39
|
/** AES key + 4-byte salt to use for inbound (decrypt) records. */
|
|
40
|
-
decryptParams(): { key:
|
|
40
|
+
decryptParams(): { key: Bytes; salt: Bytes };
|
|
41
41
|
/** Build the 12-byte CCM nonce: salt(4) || epoch(2) || seq(6). */
|
|
42
|
-
nonceFor(salt:
|
|
42
|
+
nonceFor(salt: Bytes, epoch: number, seqNum: bigint): Bytes;
|
|
43
43
|
/** Build the 13-byte DTLS AAD: epoch||seq(8) || type(1) || version(2) || plaintextLen(2). */
|
|
44
|
-
aadFor(type: ContentType, epoch: number, seqNum: bigint, plaintextLen: number):
|
|
44
|
+
aadFor(type: ContentType, epoch: number, seqNum: bigint, plaintextLen: number): Bytes;
|
|
45
45
|
/** Optional read-side replay-window check; absent on test doubles or pre-handshake states. */
|
|
46
46
|
acceptIncoming?(epoch: number, seqNum: bigint): boolean;
|
|
47
47
|
}
|
|
@@ -72,7 +72,7 @@ export interface DtlsRecord {
|
|
|
72
72
|
type: ContentType;
|
|
73
73
|
epoch: number;
|
|
74
74
|
sequenceNumber: bigint;
|
|
75
|
-
fragment:
|
|
75
|
+
fragment: Bytes;
|
|
76
76
|
}
|
|
77
77
|
|
|
78
78
|
const MAX_EPOCH = 0xffff;
|
|
@@ -119,7 +119,7 @@ function readUint48BE(buf: Uint8Array, offset: number): bigint {
|
|
|
119
119
|
* decode invokes it after AEAD success and throws {@link DtlsReplayError} on rejection.
|
|
120
120
|
*/
|
|
121
121
|
export namespace DtlsRecord {
|
|
122
|
-
export function encode(record: DtlsRecord, state?: DtlsRecordCipherState):
|
|
122
|
+
export async function encode(crypto: Crypto, record: DtlsRecord, state?: DtlsRecordCipherState): Promise<Bytes> {
|
|
123
123
|
if (record.epoch < 0 || record.epoch > MAX_EPOCH) {
|
|
124
124
|
throw new InternalError(`DTLS epoch out of range: ${record.epoch}`);
|
|
125
125
|
}
|
|
@@ -129,20 +129,21 @@ export namespace DtlsRecord {
|
|
|
129
129
|
if (!isContentType(record.type)) {
|
|
130
130
|
throw new InternalError(`DTLS unknown ContentType: ${record.type}`);
|
|
131
131
|
}
|
|
132
|
+
const fragmentIn = Bytes.of(record.fragment);
|
|
132
133
|
|
|
133
134
|
let fragment: Uint8Array;
|
|
134
135
|
if (record.epoch === 0) {
|
|
135
|
-
if (
|
|
136
|
+
if (fragmentIn.length > DTLS_MAX_FRAGMENT_LEN) {
|
|
136
137
|
throw new InternalError(
|
|
137
|
-
`DTLS plaintext fragment too large: ${
|
|
138
|
+
`DTLS plaintext fragment too large: ${fragmentIn.length} > ${DTLS_MAX_FRAGMENT_LEN}`,
|
|
138
139
|
);
|
|
139
140
|
}
|
|
140
|
-
fragment =
|
|
141
|
+
fragment = fragmentIn;
|
|
141
142
|
} else {
|
|
142
143
|
if (state === undefined) {
|
|
143
144
|
throw new InternalError(`DTLS encode at epoch ${record.epoch} requires cipher state`);
|
|
144
145
|
}
|
|
145
|
-
const plaintextLen =
|
|
146
|
+
const plaintextLen = fragmentIn.length;
|
|
146
147
|
if (plaintextLen + DTLS_AEAD_OVERHEAD > DTLS_MAX_FRAGMENT_LEN) {
|
|
147
148
|
throw new InternalError(
|
|
148
149
|
`DTLS encrypted fragment too large: ${plaintextLen + DTLS_AEAD_OVERHEAD} > ${DTLS_MAX_FRAGMENT_LEN}`,
|
|
@@ -151,7 +152,7 @@ export namespace DtlsRecord {
|
|
|
151
152
|
const { key, salt } = state.encryptParams();
|
|
152
153
|
const nonce = state.nonceFor(salt, record.epoch, record.sequenceNumber);
|
|
153
154
|
const aad = state.aadFor(record.type, record.epoch, record.sequenceNumber, plaintextLen);
|
|
154
|
-
const cipherWithTag = AesCcm8.encrypt({ key, nonce, aad, plaintext:
|
|
155
|
+
const cipherWithTag = Bytes.of(await AesCcm8.encrypt(crypto, { key, nonce, aad, plaintext: fragmentIn }));
|
|
155
156
|
|
|
156
157
|
fragment = new Uint8Array(8 + cipherWithTag.length);
|
|
157
158
|
// Explicit nonce on the wire mirrors the (epoch || seq) bytes of the AAD/nonce.
|
|
@@ -177,7 +178,8 @@ export namespace DtlsRecord {
|
|
|
177
178
|
consumed: number;
|
|
178
179
|
}
|
|
179
180
|
|
|
180
|
-
export function decode(
|
|
181
|
+
export async function decode(crypto: Crypto, input: Bytes, state?: DtlsRecordCipherState): Promise<DecodeResult> {
|
|
182
|
+
const bytes = Bytes.of(input);
|
|
181
183
|
if (bytes.length < DTLS_HEADER_LEN) {
|
|
182
184
|
throw new DtlsError(`DTLS record header truncated: have ${bytes.length}, need ${DTLS_HEADER_LEN}`);
|
|
183
185
|
}
|
|
@@ -203,7 +205,7 @@ export namespace DtlsRecord {
|
|
|
203
205
|
throw new DtlsError(`DTLS record truncated: header says ${length}, have ${bytes.length - DTLS_HEADER_LEN}`);
|
|
204
206
|
}
|
|
205
207
|
|
|
206
|
-
let fragment:
|
|
208
|
+
let fragment: Bytes;
|
|
207
209
|
if (epoch === 0) {
|
|
208
210
|
fragment = bytes.slice(DTLS_HEADER_LEN, total);
|
|
209
211
|
} else {
|
|
@@ -233,7 +235,7 @@ export namespace DtlsRecord {
|
|
|
233
235
|
}
|
|
234
236
|
const nonce = state.nonceFor(salt, epoch, sequenceNumber);
|
|
235
237
|
const aad = state.aadFor(type, epoch, sequenceNumber, plaintextLen);
|
|
236
|
-
fragment = AesCcm8.decrypt({ key, nonce, aad, ciphertextWithTag: cipherWithTag });
|
|
238
|
+
fragment = await AesCcm8.decrypt(crypto, { key, nonce, aad, ciphertextWithTag: cipherWithTag });
|
|
237
239
|
// Anti-replay applies only to AEAD-protected records; epoch=0 plaintext has
|
|
238
240
|
// no integrity check that a replay tracker could meaningfully gate.
|
|
239
241
|
if (state.acceptIncoming !== undefined && !state.acceptIncoming(epoch, sequenceNumber)) {
|
|
@@ -4,19 +4,19 @@
|
|
|
4
4
|
* SPDX-License-Identifier: Apache-2.0
|
|
5
5
|
*/
|
|
6
6
|
|
|
7
|
+
import type { Bytes } from "@matter/general";
|
|
8
|
+
|
|
7
9
|
/**
|
|
8
10
|
* Snapshot of an OTBR REST endpoint as observed by {@link OtbrRestProbe}.
|
|
9
11
|
*
|
|
10
12
|
* `keyFormat` reflects the case convention the BR's REST surface uses on the
|
|
11
13
|
* wire (older OTBR builds = pascal, post-2024 builds = camel). The probe
|
|
12
|
-
* detects this from the
|
|
13
|
-
* python-otbr-api `_async_detect_case`.
|
|
14
|
+
* detects this from the key casing of the `/node` response.
|
|
14
15
|
*/
|
|
15
16
|
export interface OtbrRestCapability {
|
|
16
17
|
baseUrl: string;
|
|
17
18
|
keyFormat: "camel" | "pascal";
|
|
18
|
-
apiVersion?: string;
|
|
19
19
|
probedAt: number;
|
|
20
20
|
networkName: string;
|
|
21
|
-
extPanId:
|
|
21
|
+
extPanId: Bytes;
|
|
22
22
|
}
|