Update session parameters to be inline with matter 1.3 spec (#30405)
tehampson authored and pull[bot] committed Nov 30, 2023
1 parent d3ee627 commit 2756415
Showing 10 changed files with 311 additions and 97 deletions.
10 changes: 9 additions & 1 deletion src/app/BUILD.gn
@@ -64,6 +64,14 @@ buildconfig_header("app_buildconfig") {
]
}

source_set("revision_info") {
sources = [
"DataModelRevision.h",
"InteractionModelRevision.h",
"SpecificationVersion.h",
]
}

source_set("app_config") {
sources = [ "AppConfig.h" ]

@@ -101,7 +109,6 @@ static_library("app") {
"FailSafeContext.h",
"GlobalAttributes.h",
"InteractionModelEngine.cpp",
"InteractionModelRevision.h",
"InteractionModelTimeout.h",
"MessageDef/ArrayBuilder.cpp",
"MessageDef/ArrayParser.cpp",
@@ -237,6 +244,7 @@ static_library("app") {

public_deps = [
":app_config",
":revision_info",
"${chip_root}/src/access",
"${chip_root}/src/app/icd:notifier",
"${chip_root}/src/app/icd:observer",
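--- a/src/app/SpecificationVersion.h
+++ b/src/app/SpecificationVersion.h
@@ -0,0 +1,31 @@
+/*
+*
+* Copyright (c) 2023 Project CHIP Authors
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+
+#pragma once
+
+/**
+* CHIP_DEVICE_SPECIFICATION_VERSION
+*
+* A number identifying the specification version against which the
+* Node is certified.
+*
+* See section 11.1.5.22. "SpecificationVersion Attribute" in "Service and
+* Device Management" chapter of the core Matter specification.
+*/
+#ifndef CHIP_DEVICE_SPECIFICATION_VERSION
+#define CHIP_DEVICE_SPECIFICATION_VERSION 0x01030000
+#endif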
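Review bot: The comment on `CHIP_DEVICE_SPECIFICATION_VERSION` cites the spec section but never says how `0x01030000` maps to a version, so anyone overriding the macro through the `#ifndef` guard has to look the layout up. Going by the commit title the literal presumably carries major 1 and minor 3 in its top two bytes; a line such as `* Encoded as 0xMMmmpp00 (major, minor, patch, reserved) - confirm against the cited section.` would make that explicit. Since the guard accepts any replacement value, the comment could also state that the number should match what the firmware was actually certified against.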
13 changes: 13 additions & 0 deletions src/lib/core/CHIPConfig.h
@@ -1600,6 +1600,19 @@ extern const char CHIP_NON_PRODUCTION_MARKER[];
#define CHIP_CONFIG_SYNCHRONOUS_REPORTS_ENABLED 0
#endif

/**
* @def CHIP_CONFIG_MAX_PATHS_PER_INVOKE
*
* @brief The maximum number of elements in the InvokeRequests list that the Node is able to process.
*/
#ifndef CHIP_CONFIG_MAX_PATHS_PER_INVOKE
#define CHIP_CONFIG_MAX_PATHS_PER_INVOKE 1
#endif

#if CHIP_CONFIG_MAX_PATHS_PER_INVOKE < 1 || CHIP_CONFIG_MAX_PATHS_PER_INVOKE > 65535
#error "CHIP_CONFIG_MAX_PATHS_PER_INVOKE is not allowed to be a number less than 1 or greater than 65535"
#endif

/**
* @def CHIP_CONFIG_ICD_OBSERVERS_POOL_SIZE
*
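Review bot: The doc comment for `CHIP_CONFIG_MAX_PATHS_PER_INVOKE` says what the node "is able to process", but nothing in this section ties the macro to the code that handles InvokeRequests, so raising it may only change what is announced. If, as the commit title suggests, the value is sent to peers as a session parameter, a build that sets it above the handler's real batch capacity would invite requests it then has to reject. I would extend the comment with `* Only raise this when the invoke handling path supports that many paths per request; the value is advertised to peers.` and keep the default of 1. The `#if` range guard below the definition is a good addition and needs no change.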
2 changes: 2 additions & 0 deletions src/protocols/secure_channel/BUILD.gn
@@ -61,4 +61,6 @@ static_library("secure_channel") {
"${chip_root}/src/tracing:macros",
"${chip_root}/src/transport",
]

deps = [ "${chip_root}/src/app:revision_info" ]
}
54 changes: 21 additions & 33 deletions src/protocols/secure_channel/CASESession.cpp
@@ -41,6 +41,7 @@
#include <protocols/Protocols.h>
#include <protocols/secure_channel/CASEDestinationId.h>
#include <protocols/secure_channel/PairingSession.h>
#include <protocols/secure_channel/SessionParameters.h>
#include <protocols/secure_channel/SessionResumptionStorage.h>
#include <protocols/secure_channel/StatusReport.h>
#include <system/SystemClock.h>
@@ -640,13 +641,11 @@ CHIP_ERROR CASESession::RecoverInitiatorIpk()
CHIP_ERROR CASESession::SendSigma1()
{
MATTER_TRACE_SCOPE("SendSigma1", "CASESession");
const size_t mrpParamsSize =
mLocalMRPConfig.HasValue() ? TLV::EstimateStructOverhead(sizeof(uint16_t), sizeof(uint16_t), sizeof(uint16_t)) : 0;
size_t data_len = TLV::EstimateStructOverhead(kSigmaParamRandomNumberSize, // initiatorRandom
sizeof(uint16_t), // initiatorSessionId,
kSHA256_Hash_Length, // destinationId
kP256_PublicKey_Length, // InitiatorEphPubKey,
mrpParamsSize, // initiatorMRPParams
size_t data_len = TLV::EstimateStructOverhead(kSigmaParamRandomNumberSize, // initiatorRandom
sizeof(uint16_t), // initiatorSessionId,
kSHA256_Hash_Length, // destinationId
kP256_PublicKey_Length, // InitiatorEphPubKey,
SessionParameters::kEstimatedTLVSize, // initiatorSessionParams
SessionResumptionStorage::kResumptionIdSize, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES);

System::PacketBufferTLVWriter tlvWriter;
@@ -699,11 +698,7 @@ CHIP_ERROR CASESession::SendSigma1()
ReturnErrorOnFailure(
tlvWriter.PutBytes(TLV::ContextTag(4), mEphemeralKey->Pubkey(), static_cast<uint32_t>(mEphemeralKey->Pubkey().Length())));

if (mLocalMRPConfig.HasValue())
{
ChipLogDetail(SecureChannel, "Including MRP parameters");
ReturnErrorOnFailure(EncodeMRPParameters(TLV::ContextTag(5), mLocalMRPConfig.Value(), tlvWriter));
}
ReturnErrorOnFailure(EncodeSessionParameters(TLV::ContextTag(5), mLocalMRPConfig, tlvWriter));

// Try to find persistent session, and resume it.
bool resuming = false;
@@ -916,10 +911,9 @@ CHIP_ERROR CASESession::HandleSigma1(System::PacketBufferHandle && msg)
CHIP_ERROR CASESession::SendSigma2Resume()
{
MATTER_TRACE_SCOPE("SendSigma2Resume", "CASESession");
const size_t mrpParamsSize =
mLocalMRPConfig.HasValue() ? TLV::EstimateStructOverhead(sizeof(uint16_t), sizeof(uint16_t), sizeof(uint16_t)) : 0;
size_t max_sigma2_resume_data_len = TLV::EstimateStructOverhead(
SessionResumptionStorage::kResumptionIdSize, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES, sizeof(uint16_t), mrpParamsSize);
size_t max_sigma2_resume_data_len =
TLV::EstimateStructOverhead(SessionResumptionStorage::kResumptionIdSize, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES,
sizeof(uint16_t), SessionParameters::kEstimatedTLVSize);

System::PacketBufferTLVWriter tlvWriter;
System::PacketBufferHandle msg_R2_resume;
@@ -948,11 +942,7 @@ CHIP_ERROR CASESession::SendSigma2Resume()

ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(3), GetLocalSessionId().Value()));

if (mLocalMRPConfig.HasValue())
{
ChipLogDetail(SecureChannel, "Including MRP parameters");
ReturnErrorOnFailure(EncodeMRPParameters(TLV::ContextTag(4), mLocalMRPConfig.Value(), tlvWriter));
}
ReturnErrorOnFailure(EncodeSessionParameters(TLV::ContextTag(4), mLocalMRPConfig, tlvWriter));

ReturnErrorOnFailure(tlvWriter.EndContainer(outerContainerType));
ReturnErrorOnFailure(tlvWriter.Finalize(&msg_R2_resume));
@@ -1067,10 +1057,10 @@ CHIP_ERROR CASESession::SendSigma2()
msg_R2_Encrypted.Get() + msg_r2_signed_enc_len, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES));

// Construct Sigma2 Msg
const size_t mrpParamsSize =
mLocalMRPConfig.HasValue() ? TLV::EstimateStructOverhead(sizeof(uint16_t), sizeof(uint16_t), sizeof(uint16_t)) : 0;
size_t data_len = TLV::EstimateStructOverhead(kSigmaParamRandomNumberSize, sizeof(uint16_t), kP256_PublicKey_Length,
msg_r2_signed_enc_len, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES, mrpParamsSize);
size_t size_of_local_session_id = sizeof(uint16_t);
size_t data_len =
TLV::EstimateStructOverhead(kSigmaParamRandomNumberSize, size_of_local_session_id, kP256_PublicKey_Length,
msg_r2_signed_enc_len, CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES, SessionParameters::kEstimatedTLVSize);

System::PacketBufferHandle msg_R2 = System::PacketBufferHandle::New(data_len);
VerifyOrReturnError(!msg_R2.IsNull(), CHIP_ERROR_NO_MEMORY);
@@ -1086,11 +1076,9 @@ CHIP_ERROR CASESession::SendSigma2()
static_cast<uint32_t>(mEphemeralKey->Pubkey().Length())));
ReturnErrorOnFailure(tlvWriterMsg2.PutBytes(TLV::ContextTag(4), msg_R2_Encrypted.Get(),
static_cast<uint32_t>(msg_r2_signed_enc_len + CHIP_CRYPTO_AEAD_MIC_LENGTH_BYTES)));
if (mLocalMRPConfig.HasValue())
{
ChipLogDetail(SecureChannel, "Including MRP parameters");
ReturnErrorOnFailure(EncodeMRPParameters(TLV::ContextTag(5), mLocalMRPConfig.Value(), tlvWriterMsg2));
}

ReturnErrorOnFailure(EncodeSessionParameters(TLV::ContextTag(5), mLocalMRPConfig, tlvWriterMsg2));

ReturnErrorOnFailure(tlvWriterMsg2.EndContainer(outerContainerType));
ReturnErrorOnFailure(tlvWriterMsg2.Finalize(&msg_R2));

@@ -1147,7 +1135,7 @@ CHIP_ERROR CASESession::HandleSigma2Resume(System::PacketBufferHandle && msg)
if (tlvReader.Next() != CHIP_END_OF_TLV)
{
SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(4), tlvReader));
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(mRemoteMRPConfig);
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig());
}

ChipLogDetail(SecureChannel, "Peer assigned session session ID %d", responderSessionId);
@@ -1340,7 +1328,7 @@ CHIP_ERROR CASESession::HandleSigma2(System::PacketBufferHandle && msg)
if (tlvReader.Next() != CHIP_END_OF_TLV)
{
SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(kTag_Sigma2_ResponderMRPParams), tlvReader));
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(mRemoteMRPConfig);
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig());
}

exit:
@@ -2029,7 +2017,7 @@ CHIP_ERROR CASESession::ParseSigma1(TLV::ContiguousBufferTLVReader & tlvReader,
if (err == CHIP_NO_ERROR && tlvReader.GetTag() == ContextTag(kInitiatorMRPParamsTag))
{
ReturnErrorOnFailure(DecodeMRPParametersIfPresent(TLV::ContextTag(kInitiatorMRPParamsTag), tlvReader));
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(mRemoteMRPConfig);
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig());
err = tlvReader.Next();
}

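Review bot: The receive paths in `HandleSigma2Resume`, `HandleSigma2` and `ParseSigma1` still go through `DecodeMRPParametersIfPresent`, while every send path in this file now writes the wider structure with `EncodeSessionParameters`. The decoder's body is not on this page, so please confirm it consumes the new fields, skips tags it does not recognise, and range-checks what it stores. That matters most for Sigma1, whose contents are applied via `AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig())` before the peer has proven anything. A comment at each call site such as `// Peer-supplied and not yet authenticated; the decoder must bound these values.`, plus renaming the decoder to match the encoder, would make the pairing obvious. The same calls appear in `PASESession.cpp` (`HandlePBKDFParamRequest`, `HandlePBKDFParamResponse`), and all of these functions start and end outside the hunks shown.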
37 changes: 15 additions & 22 deletions src/protocols/secure_channel/PASESession.cpp
@@ -41,6 +41,7 @@
#include <lib/support/TypeTraits.h>
#include <protocols/Protocols.h>
#include <protocols/secure_channel/Constants.h>
#include <protocols/secure_channel/SessionParameters.h>
#include <protocols/secure_channel/StatusReport.h>
#include <setup_payload/SetupPayload.h>
#include <system/TLVPacketBufferBackingStore.h>
@@ -270,13 +271,12 @@ CHIP_ERROR PASESession::SendPBKDFParamRequest()

ReturnErrorOnFailure(DRBG_get_bytes(mPBKDFLocalRandomData, sizeof(mPBKDFLocalRandomData)));

const size_t mrpParamsSize = mLocalMRPConfig.HasValue() ? TLV::EstimateStructOverhead(sizeof(uint16_t), sizeof(uint16_t)) : 0;
const size_t max_msg_len = TLV::EstimateStructOverhead(kPBKDFParamRandomNumberSize, // initiatorRandom,
sizeof(uint16_t), // initiatorSessionId
sizeof(PasscodeId), // passcodeId,
sizeof(uint8_t), // hasPBKDFParameters
mrpParamsSize // MRP Parameters
);
const size_t max_msg_len = TLV::EstimateStructOverhead(kPBKDFParamRandomNumberSize, // initiatorRandom,
sizeof(uint16_t), // initiatorSessionId
sizeof(PasscodeId), // passcodeId,
sizeof(uint8_t), // hasPBKDFParameters
SessionParameters::kEstimatedTLVSize // Session Parameters
);

System::PacketBufferHandle req = System::PacketBufferHandle::New(max_msg_len);
VerifyOrReturnError(!req.IsNull(), CHIP_ERROR_NO_MEMORY);
@@ -290,11 +290,9 @@ CHIP_ERROR PASESession::SendPBKDFParamRequest()
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(2), GetLocalSessionId().Value()));
ReturnErrorOnFailure(tlvWriter.Put(TLV::ContextTag(3), kDefaultCommissioningPasscodeId));
ReturnErrorOnFailure(tlvWriter.PutBoolean(TLV::ContextTag(4), mHavePBKDFParameters));
if (mLocalMRPConfig.HasValue())
{
ChipLogDetail(SecureChannel, "Including MRP parameters in PBKDF param request");
ReturnErrorOnFailure(EncodeMRPParameters(TLV::ContextTag(5), mLocalMRPConfig.Value(), tlvWriter));
}

ReturnErrorOnFailure(EncodeSessionParameters(TLV::ContextTag(5), mLocalMRPConfig, tlvWriter));

ReturnErrorOnFailure(tlvWriter.EndContainer(outerContainerType));
ReturnErrorOnFailure(tlvWriter.Finalize(&req));

@@ -357,7 +355,7 @@ CHIP_ERROR PASESession::HandlePBKDFParamRequest(System::PacketBufferHandle && ms
if (tlvReader.Next() != CHIP_END_OF_TLV)
{
SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(5), tlvReader));
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(mRemoteMRPConfig);
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig());
}

err = SendPBKDFParamResponse(ByteSpan(initiatorRandom), hasPBKDFParameters);
@@ -382,13 +380,12 @@ CHIP_ERROR PASESession::SendPBKDFParamResponse(ByteSpan initiatorRandom, bool in

ReturnErrorOnFailure(DRBG_get_bytes(mPBKDFLocalRandomData, sizeof(mPBKDFLocalRandomData)));

const size_t mrpParamsSize = mLocalMRPConfig.HasValue() ? TLV::EstimateStructOverhead(sizeof(uint16_t), sizeof(uint16_t)) : 0;
const size_t max_msg_len =
TLV::EstimateStructOverhead(kPBKDFParamRandomNumberSize, // initiatorRandom
kPBKDFParamRandomNumberSize, // responderRandom
sizeof(uint16_t), // responderSessionId
TLV::EstimateStructOverhead(sizeof(uint32_t), mSaltLength), // pbkdf_parameters
mrpParamsSize // MRP Parameters
SessionParameters::kEstimatedTLVSize // Session Parameters
);

System::PacketBufferHandle resp = System::PacketBufferHandle::New(max_msg_len);
@@ -413,11 +410,7 @@ CHIP_ERROR PASESession::SendPBKDFParamResponse(ByteSpan initiatorRandom, bool in
ReturnErrorOnFailure(tlvWriter.EndContainer(pbkdfParamContainer));
}

if (mLocalMRPConfig.HasValue())
{
ChipLogDetail(SecureChannel, "Including MRP parameters in PBKDF param response");
ReturnErrorOnFailure(EncodeMRPParameters(TLV::ContextTag(5), mLocalMRPConfig.Value(), tlvWriter));
}
ReturnErrorOnFailure(EncodeSessionParameters(TLV::ContextTag(5), mLocalMRPConfig, tlvWriter));

ReturnErrorOnFailure(tlvWriter.EndContainer(outerContainerType));
ReturnErrorOnFailure(tlvWriter.Finalize(&resp));
@@ -481,7 +474,7 @@ CHIP_ERROR PASESession::HandlePBKDFParamResponse(System::PacketBufferHandle && m
if (tlvReader.Next() != CHIP_END_OF_TLV)
{
SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(5), tlvReader));
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(mRemoteMRPConfig);
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig());
}

// TODO - Add a unit test that exercises mHavePBKDFParameters path
@@ -506,7 +499,7 @@ CHIP_ERROR PASESession::HandlePBKDFParamResponse(System::PacketBufferHandle && m
if (tlvReader.Next() != CHIP_END_OF_TLV)
{
SuccessOrExit(err = DecodeMRPParametersIfPresent(TLV::ContextTag(5), tlvReader));
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(mRemoteMRPConfig);
mExchangeCtxt->GetSessionHandle()->AsUnauthenticatedSession()->SetRemoteMRPConfig(GetRemoteMRPConfig());
}
}

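Review bot: Nothing visible keeps `SessionParameters::kEstimatedTLVSize` in step with what `EncodeSessionParameters` writes, yet `max_msg_len` in `SendPBKDFParamRequest` and `SendPBKDFParamResponse` sizes the buffer from `PacketBufferHandle::New(max_msg_len)` on that estimate. Both the constant and the encoder are defined outside this page. If a field is later added to the encoder without updating the constant, the TLV writer would presumably return an error, so the handshake would fail at runtime rather than at build time. A unit test that encodes a fully populated parameter set and asserts the written length is at most `kEstimatedTLVSize` would pin this down; the same applies to `data_len` in `CASESession::SendSigma1`, `SendSigma2` and `SendSigma2Resume`. Consider also keeping one `ChipLogDetail` for the encoded parameters, since the removed "Including MRP parameters" lines were the only trace of what was sent.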

0 comments on commit 2756415
