CASESession does not make use of real IPK #15583
Assignees
Labels
Comments
tcarmelveilleux
added
secure channel
V1.0
security
spec
tcarmelveilleux
added a commit
to tcarmelveilleux/connectedhomeip
that referenced
this issue
Mar 28, 2022
Problem: - IPK processing used placeholder IPK at innermost levels of CASE and never used the values set in GroupDataProvider as set by Commissioner with AddNOC or KeySetWrite cluster commands. - IPK Processing requires significant state keeping by controllers and commissioners to work, and none of the plumbing existed Changes: - Fixed NOC Cluster setting of IPK in AddNOC that was using the wrong compressed fabric ID. - Properly use GroupDataProvider to get IPK for controllers sending Sigma1 - Properly iterate through all IPK on receiving Sigma1, from GroupDataProvider - Add plumbing to properly initialize GroupDataProvider at CHIPDeviceControllerFactory and Server - Added a central point for a default IPK, that is at the very outermost level, rather than innermost level. A follow-up PR will allow reconfiguration of it for CHIP-tool. Code paths will properly use the OperationalCredentialsDelegate's IPK value passed in Callback, if you it's provided. Controllers and commissioners can setup their GroupDataProvider context to properly use the right group keys even without the follow-up to allow non-default IPK in chip-tool. - Cleaned-up the loose ends around all the injection points Testing done: - Updated all necessary Unit tests - Added IPK and Destination ID unit test cases from spec - All cert tests still pass - All unit tests still pass Fixes project-chip#15583
tcarmelveilleux
added a commit
that referenced
this issue
Mar 30, 2022
* Implement CASE processing of IPK Problem: - IPK processing used placeholder IPK at innermost levels of CASE and never used the values set in GroupDataProvider as set by Commissioner with AddNOC or KeySetWrite cluster commands. - IPK Processing requires significant state keeping by controllers and commissioners to work, and none of the plumbing existed Changes: - Fixed NOC Cluster setting of IPK in AddNOC that was using the wrong compressed fabric ID. - Properly use GroupDataProvider to get IPK for controllers sending Sigma1 - Properly iterate through all IPK on receiving Sigma1, from GroupDataProvider - Add plumbing to properly initialize GroupDataProvider at CHIPDeviceControllerFactory and Server - Added a central point for a default IPK, that is at the very outermost level, rather than innermost level. A follow-up PR will allow reconfiguration of it for CHIP-tool. Code paths will properly use the OperationalCredentialsDelegate's IPK value passed in Callback, if you it's provided. Controllers and commissioners can setup their GroupDataProvider context to properly use the right group keys even without the follow-up to allow non-default IPK in chip-tool. - Cleaned-up the loose ends around all the injection points Testing done: - Updated all necessary Unit tests - Added IPK and Destination ID unit test cases from spec - All cert tests still pass - All unit tests still pass Fixes #15583 * Restyled by clang-format * Fix a few remaining TODOs * First pass of fixing leftover CI * Restyled by clang-format * More CI fixes * Restyled by clang-format * Apply suggestions from code review Co-authored-by: Michael Sandstedt <[email protected]> * Restyled by clang-format * Revert pHYRate change * Hook up IPKs on Darwin. * Fix more CI on Python, Android, TV app * Restyled by clang-format * Apply review comment * Fix Python repl * Restyled by clang-format * Fix shutdown of group data provider * Fix Darwin and Android CI * More fixing of Android CI Co-authored-by: Restyled.io <[email protected]> Co-authored-by: Michael Sandstedt <[email protected]> Co-authored-by: Boris Zbarsky <[email protected]>
rochaferraz
pushed a commit
to rochaferraz/connectedhomeip
that referenced
this issue
Mar 31, 2022
* Implement CASE processing of IPK Problem: - IPK processing used placeholder IPK at innermost levels of CASE and never used the values set in GroupDataProvider as set by Commissioner with AddNOC or KeySetWrite cluster commands. - IPK Processing requires significant state keeping by controllers and commissioners to work, and none of the plumbing existed Changes: - Fixed NOC Cluster setting of IPK in AddNOC that was using the wrong compressed fabric ID. - Properly use GroupDataProvider to get IPK for controllers sending Sigma1 - Properly iterate through all IPK on receiving Sigma1, from GroupDataProvider - Add plumbing to properly initialize GroupDataProvider at CHIPDeviceControllerFactory and Server - Added a central point for a default IPK, that is at the very outermost level, rather than innermost level. A follow-up PR will allow reconfiguration of it for CHIP-tool. Code paths will properly use the OperationalCredentialsDelegate's IPK value passed in Callback, if you it's provided. Controllers and commissioners can setup their GroupDataProvider context to properly use the right group keys even without the follow-up to allow non-default IPK in chip-tool. - Cleaned-up the loose ends around all the injection points Testing done: - Updated all necessary Unit tests - Added IPK and Destination ID unit test cases from spec - All cert tests still pass - All unit tests still pass Fixes project-chip#15583 * Restyled by clang-format * Fix a few remaining TODOs * First pass of fixing leftover CI * Restyled by clang-format * More CI fixes * Restyled by clang-format * Apply suggestions from code review Co-authored-by: Michael Sandstedt <[email protected]> * Restyled by clang-format * Revert pHYRate change * Hook up IPKs on Darwin. * Fix more CI on Python, Android, TV app * Restyled by clang-format * Apply review comment * Fix Python repl * Restyled by clang-format * Fix shutdown of group data provider * Fix Darwin and Android CI * More fixing of Android CI Co-authored-by: Restyled.io <[email protected]> Co-authored-by: Michael Sandstedt <[email protected]> Co-authored-by: Boris Zbarsky <[email protected]>
andrei-menzopol
pushed a commit
to andrei-menzopol/connectedhomeip
that referenced
this issue
Apr 14, 2022
* Implement CASE processing of IPK Problem: - IPK processing used placeholder IPK at innermost levels of CASE and never used the values set in GroupDataProvider as set by Commissioner with AddNOC or KeySetWrite cluster commands. - IPK Processing requires significant state keeping by controllers and commissioners to work, and none of the plumbing existed Changes: - Fixed NOC Cluster setting of IPK in AddNOC that was using the wrong compressed fabric ID. - Properly use GroupDataProvider to get IPK for controllers sending Sigma1 - Properly iterate through all IPK on receiving Sigma1, from GroupDataProvider - Add plumbing to properly initialize GroupDataProvider at CHIPDeviceControllerFactory and Server - Added a central point for a default IPK, that is at the very outermost level, rather than innermost level. A follow-up PR will allow reconfiguration of it for CHIP-tool. Code paths will properly use the OperationalCredentialsDelegate's IPK value passed in Callback, if you it's provided. Controllers and commissioners can setup their GroupDataProvider context to properly use the right group keys even without the follow-up to allow non-default IPK in chip-tool. - Cleaned-up the loose ends around all the injection points Testing done: - Updated all necessary Unit tests - Added IPK and Destination ID unit test cases from spec - All cert tests still pass - All unit tests still pass Fixes project-chip#15583 * Restyled by clang-format * Fix a few remaining TODOs * First pass of fixing leftover CI * Restyled by clang-format * More CI fixes * Restyled by clang-format * Apply suggestions from code review Co-authored-by: Michael Sandstedt <[email protected]> * Restyled by clang-format * Revert pHYRate change * Hook up IPKs on Darwin. * Fix more CI on Python, Android, TV app * Restyled by clang-format * Apply review comment * Fix Python repl * Restyled by clang-format * Fix shutdown of group data provider * Fix Darwin and Android CI * More fixing of Android CI Co-authored-by: Restyled.io <[email protected]> Co-authored-by: Michael Sandstedt <[email protected]> Co-authored-by: Boris Zbarsky <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Problem
The Identity Protection Key (IPK) is a critical component of CASE security in Matter. SDK currently uses a fixed value of all zeros, rather than using the IPK logic from the spec
Proposed Solution
Implement IPK processing by:
The text was updated successfully, but these errors were encountered: