Integrate secure pairing with example app and device controller (proj…

…ect-chip#2230) * Fixes and cleanup in Secure Pairing class * Integrate secure pairing with example app and device controller * Fix override warning * Remove manual keys from Android wrapper * Remove pairing logs * Restyled by clang-format * Fix LGTM warning * Fix controller logs * const nodeID Co-authored-by: Restyled.io <commits@restyled.io>
mspang · Aug 20, 2020 · ade4ad6 · ade4ad6
1 parent b14e3e3
commit ade4ad6
Show file tree

Hide file tree

Showing 19 changed files with 333 additions and 314 deletions.
diff --git a/examples/chip-tool/main.cpp b/examples/chip-tool/main.cpp
@@ -60,16 +60,6 @@ constexpr NodeId kLocalDeviceId = 112233;
 constexpr NodeId kRemoteDeviceId = 12344321;
 constexpr std::chrono::seconds kWaitingForResponseTimeout(1);
 
-static const unsigned char local_private_key[] = { 0x00, 0xd1, 0x90, 0xd9, 0xb3, 0x95, 0x1c, 0x5f, 0xa4, 0xe7, 0x47,
- 0x92, 0x5b, 0x0a, 0xa9, 0xa7, 0xc1, 0x1c, 0xe7, 0x06, 0x10, 0xe2,
- 0xdd, 0x16, 0x41, 0x52, 0x55, 0xb7, 0xb8, 0x80, 0x8d, 0x87, 0xa1 };
-
-static const unsigned char remote_public_key[] = { 0x04, 0xe2, 0x07, 0x64, 0xff, 0x6f, 0x6a, 0x91, 0xd9, 0xc2, 0xc3, 0x0a, 0xc4,
- 0x3c, 0x56, 0x4b, 0x42, 0x8a, 0xf3, 0xb4, 0x49, 0x29, 0x39, 0x95, 0xa2, 0xf7,
- 0x02, 0x8c, 0xa5, 0xce, 0xf3, 0xc9, 0xca, 0x24, 0xc5, 0xd4, 0x5c, 0x60, 0x79,
- 0x48, 0x30, 0x3c, 0x53, 0x86, 0xd9, 0x23, 0xe6, 0x61, 0x1f, 0x5a, 0x3d, 0xdf,
- 0x9f, 0xdc, 0x35, 0xea, 0xd0, 0xde, 0x16, 0x7e, 0x64, 0xde, 0x7f, 0x3c, 0xa6 };
-
 static const char * PAYLOAD = "Message from Standalone CHIP echo client!";
 bool isDeviceConnected = false;
 static bool waitingForResponse = true;
@@ -79,17 +69,6 @@ static void OnConnect(DeviceController::ChipDeviceController * controller, Trans
  void * appReqState)
 {
  isDeviceConnected = true;
-
- if (state != NULL)
- {
- CHIP_ERROR err = controller->ManualKeyExchange(state, remote_public_key, sizeof(remote_public_key), local_private_key,
- sizeof(local_private_key));
-
- if (err != CHIP_NO_ERROR)
- {
- fprintf(stderr, "Failed to exchange keys\n");
- }
- }
 }
 
 static bool ContentMayBeADataModelMessage(System::PacketBuffer * buffer)

diff --git a/examples/lock-app/nrfconnect/main/Server.cpp b/examples/lock-app/nrfconnect/main/Server.cpp
@@ -50,16 +50,6 @@ namespace {
 #define EXAMPLE_SERVER_NODEID 0x3546526e
 #endif // EXAMPLE_SERVER_NODEID
 
-const uint8_t local_private_key[] = { 0xc6, 0x1a, 0x2f, 0x89, 0x36, 0x67, 0x2b, 0x26, 0x12, 0x47, 0x4f,
- 0x11, 0x0e, 0x34, 0x15, 0x81, 0x81, 0x12, 0xfc, 0x36, 0xeb, 0x65,
- 0x61, 0x07, 0xaa, 0x63, 0xe8, 0xc5, 0x22, 0xac, 0x52, 0xa1 };
-
-const uint8_t remote_public_key[] = { 0x04, 0x30, 0x77, 0x2c, 0xe7, 0xd4, 0x0a, 0xf2, 0xf3, 0x19, 0xbd, 0xfb, 0x1f,
- 0xcc, 0x88, 0xd9, 0x83, 0x25, 0x89, 0xf2, 0x09, 0xf3, 0xab, 0xe4, 0x33, 0xb6,
- 0x7a, 0xff, 0x73, 0x3b, 0x01, 0x35, 0x34, 0x92, 0x73, 0x14, 0x59, 0x0b, 0xbd,
- 0x44, 0x72, 0x1b, 0xcd, 0xb9, 0x02, 0x53, 0xd9, 0xaf, 0xcc, 0x1a, 0xcd, 0xae,
- 0xe8, 0x87, 0x2e, 0x52, 0x3b, 0x98, 0xf0, 0xa1, 0x88, 0x4a, 0xe3, 0x03, 0x75 };
-
 class ServerCallback : public SecureSessionMgrCallback
 {
 public:
@@ -93,15 +83,7 @@ class ServerCallback : public SecureSessionMgrCallback
 
  void OnNewConnection(Transport::PeerConnectionState * state, SecureSessionMgrBase * mgr) override
  {
- CHIP_ERROR err;
-
  LOG_INF("Received a new connection.");
-
- err = state->GetSecureSession().TemporaryManualKeyExchange(remote_public_key, sizeof(remote_public_key), local_private_key,
- sizeof(local_private_key));
-
- if (err != CHIP_NO_ERROR)
- LOG_INF("Failed to setup encryption");
  }
 
 private:

diff --git a/examples/platform/nrf528xx/app/Server.cpp b/examples/platform/nrf528xx/app/Server.cpp
@@ -68,16 +68,6 @@ namespace {
 char deviceName[128];
 constexpr uint16_t kUDPBroadcastPort = 23367;
 
-const uint8_t local_private_key[] = { 0xc6, 0x1a, 0x2f, 0x89, 0x36, 0x67, 0x2b, 0x26, 0x12, 0x47, 0x4f,
- 0x11, 0x0e, 0x34, 0x15, 0x81, 0x81, 0x12, 0xfc, 0x36, 0xeb, 0x65,
- 0x61, 0x07, 0xaa, 0x63, 0xe8, 0xc5, 0x22, 0xac, 0x52, 0xa1 };
-
-const uint8_t remote_public_key[] = { 0x04, 0x30, 0x77, 0x2c, 0xe7, 0xd4, 0x0a, 0xf2, 0xf3, 0x19, 0xbd, 0xfb, 0x1f,
- 0xcc, 0x88, 0xd9, 0x83, 0x25, 0x89, 0xf2, 0x09, 0xf3, 0xab, 0xe4, 0x33, 0xb6,
- 0x7a, 0xff, 0x73, 0x3b, 0x01, 0x35, 0x34, 0x92, 0x73, 0x14, 0x59, 0x0b, 0xbd,
- 0x44, 0x72, 0x1b, 0xcd, 0xb9, 0x02, 0x53, 0xd9, 0xaf, 0xcc, 0x1a, 0xcd, 0xae,
- 0xe8, 0x87, 0x2e, 0x52, 0x3b, 0x98, 0xf0, 0xa1, 0x88, 0x4a, 0xe3, 0x03, 0x75 };
-
 class ServerCallback : public SecureSessionMgrCallback
 {
 public:
@@ -110,16 +100,7 @@ class ServerCallback : public SecureSessionMgrCallback
 
  virtual void OnNewConnection(Transport::PeerConnectionState * state, SecureSessionMgrBase * mgr)
  {
- CHIP_ERROR err;
-
  NRF_LOG_INFO("Received a new connection.");
-
- err = state->GetSecureSession().TemporaryManualKeyExchange(remote_public_key, sizeof(remote_public_key), local_private_key,
- sizeof(local_private_key));
- VerifyOrExit(err == CHIP_NO_ERROR, NRF_LOG_INFO("Failed to setup encryption"));
-
- exit:
- return;
  }
 
 private:

diff --git a/examples/wifi-echo/server/esp32/main/EchoServer.cpp b/examples/wifi-echo/server/esp32/main/EchoServer.cpp
@@ -55,7 +55,7 @@ using namespace ::chip;
 using namespace ::chip::Inet;
 using namespace ::chip::Transport;
 
-constexpr NodeId kLocalNodeId = 12344321;
+extern const NodeId kLocalNodeId = 12344321;
 extern LEDWidget statusLED; // In wifi-echo.cpp
 
 namespace {
@@ -200,16 +200,7 @@ class EchoServerCallback : public SecureSessionMgrCallback
 
  void OnNewConnection(Transport::PeerConnectionState * state, SecureSessionMgrBase * mgr) override
  {
- CHIP_ERROR err;
-
  ESP_LOGI(TAG, "Received a new connection.");
-
- err = state->GetSecureSession().TemporaryManualKeyExchange(remote_public_key, sizeof(remote_public_key), local_private_key,
- sizeof(local_private_key));
- VerifyOrExit(err == CHIP_NO_ERROR, ESP_LOGE(TAG, "Failed to setup encryption"));
-
- exit:
- return;
  }
 
 private:
@@ -247,6 +238,12 @@ SecureSessionMgr<Transport::UDP, // IPV6
 
 } // namespace
 
+void PairingComplete(Optional<NodeId> peerNodeId, uint16_t peerKeyId, uint16_t localKeyId, SecurePairingSession * pairing)
+{
+ Optional<Transport::PeerAddress> peer(Transport::Type::kUndefined);
+ sessions.NewPairing(peerNodeId, peer, peerKeyId, localKeyId, pairing);
+}
+
 // The echo server assumes the platform's networking has been setup already
 void startServer()
 {

diff --git a/examples/wifi-echo/server/esp32/main/RendezvousSession.cpp b/examples/wifi-echo/server/esp32/main/RendezvousSession.cpp
@@ -29,11 +29,55 @@ BluetoothWidget * RendezvousSession::mVirtualLed;
 
 Ble::BLEEndPoint * RendezvousSession::mEndPoint = nullptr;
 
-RendezvousSession::RendezvousSession(BluetoothWidget * virtualLed)
+bool RendezvousSession::mPairingInProgress = false;
+SecurePairingSession RendezvousSession::mPairing;
+
+static constexpr uint32_t kSpake2p_Iteration_Count = 50000;
+static const char * kSpake2pKeyExchangeSalt = "SPAKE2P Key Exchange Salt";
+
+extern void PairingComplete(Optional<NodeId> peerNodeId, uint16_t peerKeyId, uint16_t localKeyId, SecurePairingSession * pairing);
+
+RendezvousSession::RendezvousSession(BluetoothWidget * virtualLed, uint32_t setUpPINCode, NodeId myNodeId)
 {
  mVirtualLed = virtualLed;
 
  DeviceLayer::ConnectivityMgr().AddCHIPoBLEConnectionHandler(HandleConnectionOpened);
+
+ RendezvousSession::mPairing.WaitForPairing(setUpPINCode, kSpake2p_Iteration_Count,
+ (const unsigned char *) kSpake2pKeyExchangeSalt, strlen(kSpake2pKeyExchangeSalt),
+ Optional<NodeId>::Value(myNodeId), 0, this);
+ RendezvousSession::mPairingInProgress = true;
+ mSetUpPINCode = setUpPINCode;
+ mNodeId = myNodeId;
+}
+
+CHIP_ERROR RendezvousSession::OnNewMessageForPeer(System::PacketBuffer * buffer)
+{
+ CHIP_ERROR err = CHIP_NO_ERROR;
+
+ VerifyOrExit(mEndPoint, err = CHIP_ERROR_INCORRECT_STATE);
+ err = mEndPoint->Send(buffer);
+
+exit:
+ return err;
+}
+
+void RendezvousSession::OnPairingError(CHIP_ERROR error)
+{
+ ChipLogError(Ble, "RendezvousSession: failed in pairing");
+ mPaired = false;
+ RendezvousSession::mPairing.WaitForPairing(mSetUpPINCode, kSpake2p_Iteration_Count,
+ (const unsigned char *) kSpake2pKeyExchangeSalt, strlen(kSpake2pKeyExchangeSalt),
+ Optional<NodeId>::Value(mNodeId), 0, this);
+ RendezvousSession::mPairingInProgress = true;
+}
+
+void RendezvousSession::OnPairingComplete(Optional<NodeId> peerNodeId, uint16_t peerKeyId, uint16_t localKeyId)
+{
+ ChipLogProgress(Ble, "RendezvousSession: pairing complete");
+ mPaired = true;
+ RendezvousSession::mPairingInProgress = false;
+ PairingComplete(peerNodeId, peerKeyId, localKeyId, &RendezvousSession::mPairing);
 }
 
 CHIP_ERROR RendezvousSession::Send(const char * msg)
@@ -74,32 +118,49 @@ void RendezvousSession::HandleConnectionClosed(Ble::BLEEndPoint * endPoint, BLE_
 
 void RendezvousSession::HandleMessageReceived(Ble::BLEEndPoint * endPoint, PacketBuffer * buffer)
 {
- const size_t bufferLen = buffer->DataLength();
- char msg[bufferLen];
- msg[bufferLen] = 0;
- memcpy(msg, buffer->Start(), bufferLen);
+ if (RendezvousSession::mPairingInProgress)
+ {
+  MessageHeader header;
+  size_t headerSize = 0;
 
- ChipLogProgress(Ble, "RendezvousSession: Receive message: %s", msg);
+ CHIP_ERROR err = header.Decode(buffer->Start(), buffer->DataLength(), &headerSize);
+ SuccessOrExit(err);
 
- if ((bufferLen > 3) && (msg[0] == msg[1]) && (msg[0] == msg[bufferLen - 1]))
+ buffer->ConsumeHead(headerSize);
+ RendezvousSession::mPairing.HandlePeerMessage(header, buffer);
+ }
+ else
  {
- // WiFi credentials, of the form ‘::SSID:password:’, where ‘:’ can be any single ASCII character.
- msg[1] = 0;
- char * ssid = strtok(&msg[2], msg);
- char * key = strtok(NULL, msg);
- if (ssid && key)
+ const size_t bufferLen = buffer->DataLength();
+ char msg[bufferLen];
+ msg[bufferLen] = 0;
+ memcpy(msg, buffer->Start(), bufferLen);
+
+ ChipLogProgress(Ble, "RendezvousSession: Receive message: %s", msg);
+
+ if ((bufferLen > 3) && (msg[0] == msg[1]) && (msg[0] == msg[bufferLen - 1]))
  {
- ChipLogProgress(Ble, "RendezvousSession: SSID: %s, key: %s", ssid, key);
- SetWiFiStationProvisioning(ssid, key);
+ // WiFi credentials, of the form ‘::SSID:password:’, where ‘:’ can be any single ASCII character.
+ msg[1] = 0;
+ char * ssid = strtok(&msg[2], msg);
+ char * key = strtok(NULL, msg);
+ if (ssid && key)
+ {
+ ChipLogProgress(Ble, "RendezvousSession: SSID: %s, key: %s", ssid, key);
+ SetWiFiStationProvisioning(ssid, key);
+ }
+ else
+ {
+ ChipLogError(Ble, "RendezvousSession: SSID: %p, key: %p", ssid, key);
+ }
  }
  else
  {
- ChipLogError(Ble, "RendezvousSession: SSID: %p, key: %p", ssid, key);
+ // Echo.
+ mEndPoint->Send(buffer);
  }
  }
- else
- {
- // Echo.
- mEndPoint->Send(buffer);
- }
+
+exit:
+ return;
 }
diff --git a/examples/wifi-echo/server/esp32/main/include/RendezvousSession.h b/examples/wifi-echo/server/esp32/main/include/RendezvousSession.h
@@ -18,20 +18,32 @@
 #include "BluetoothWidget.h"
 
 #include <platform/CHIPDeviceLayer.h>
+#include <transport/SecurePairingSession.h>
 
 using namespace ::chip;
 
-class RendezvousSession
+class RendezvousSession : public SecurePairingSessionDelegate
 {
 public:
- RendezvousSession(BluetoothWidget * virtualLed);
+ RendezvousSession(BluetoothWidget * virtualLed, uint32_t setUpPINCode, NodeId myNodeId);
  CHIP_ERROR Send(const char * msg);
 
 private:
  static void HandleConnectionOpened(Ble::BLEEndPoint * endPoint);
  static void HandleConnectionClosed(Ble::BLEEndPoint * endPoint, BLE_ERROR err);
  static void HandleMessageReceived(Ble::BLEEndPoint * endPoint, System::PacketBuffer * buffer);
 
+ virtual CHIP_ERROR OnNewMessageForPeer(System::PacketBuffer * msgBuf);
+ virtual void OnPairingError(CHIP_ERROR error);
+ virtual void OnPairingComplete(Optional<NodeId> peerNodeId, uint16_t peerKeyId, uint16_t localKeyId);
+
  static BluetoothWidget * mVirtualLed;
  static Ble::BLEEndPoint * mEndPoint;
+
+ static SecurePairingSession mPairing;
+ static bool mPairingInProgress;
+
+ bool mPaired = false;
+ uint32_t mSetUpPINCode = 0;
+ NodeId mNodeId;
 };
diff --git a/examples/wifi-echo/server/esp32/main/wifi-echo.cpp b/examples/wifi-echo/server/esp32/main/wifi-echo.cpp
@@ -102,6 +102,8 @@ LEDWidget statusLED;
 BluetoothWidget bluetoothLED;
 WiFiWidget wifiLED;
 
+extern NodeId kLocalNodeId;
+
 const char * TAG = "wifi-echo-demo";
 
 static EchoDeviceCallbacks EchoCallbacks;
@@ -463,7 +465,14 @@ extern "C" void app_main()
 
  if (isRendezvousBLE())
  {
- rendezvousSession = new RendezvousSession(&bluetoothLED);
+ uint32_t setupPINCode;
+ err = ConfigurationMgr().GetSetupPinCode(setupPINCode);
+ if (err != CHIP_NO_ERROR)
+ {
+ ESP_LOGE(TAG, "GetSetupPinCode() failed: %s", ErrorStr(err));
+ return;
+ }
+ rendezvousSession = new RendezvousSession(&bluetoothLED, setupPINCode, kLocalNodeId);
  }
 
 #if CONFIG_USE_ECHO_CLIENT