[1/3] Reserve SecureSession for CASE establishment on the responder…

… at init time (#19261) * Initial commit. * Review feedback * Review feedback * Minor integer promotion issue in a test * Linux build fix
project-chip · Jul 6, 2022 · 5121715 · 5121715
1 parent 75e2efd
commit 5121715
Show file tree

Hide file tree

Showing 15 changed files with 194 additions and 55 deletions.
diff --git a/src/app/server/Server.cpp b/src/app/server/Server.cpp
@@ -348,6 +348,7 @@ void Server::ScheduleFactoryReset()
 
 void Server::Shutdown()
 {
+ mCASEServer.Shutdown();
  mCASESessionManager.Shutdown();
  app::DnssdServer::Instance().SetCommissioningModeProvider(nullptr);
  chip::Dnssd::ServiceAdvertiser::Instance().Shutdown();

diff --git a/src/controller/CHIPDeviceControllerFactory.cpp b/src/controller/CHIPDeviceControllerFactory.cpp
@@ -339,6 +339,7 @@ CHIP_ERROR DeviceControllerSystemState::Shutdown()
 
  if (mCASEServer != nullptr)
  {
+ mCASEServer->Shutdown();
  chip::Platform::Delete(mCASEServer);
  mCASEServer = nullptr;
  }

diff --git a/src/lib/core/CHIPConfig.h b/src/lib/core/CHIPConfig.h
@@ -644,15 +644,21 @@
 #endif // CHIP_CONFIG_UNAUTHENTICATED_CONNECTION_POOL_SIZE
 
 /**
- * @def CHIP_CONFIG_PEER_CONNECTION_POOL_SIZE
+ * @def CHIP_CONFIG_SECURE_SESSION_POOL_SIZE
+ *
+ * @brief Defines the size of the pool used for tracking the state of
+ * secure sessions. This controls the maximum number of concurrent
+ * established secure sessions across all supported transports.
+ *
+ * This is sized to cover the sum of the following:
+ * - At least 3 CASE sessions / fabric (Spec Ref: 4.13.2.8)
+ * - 1 reserved slot for CASEServer as a responder.
+ * - 1 reserved slot for PASE.
  *
- * @brief Define the size of the pool used for tracking CHIP
- * Peer connections. This defines maximum number of concurrent
- * device connections across all supported transports.
  */
-#ifndef CHIP_CONFIG_PEER_CONNECTION_POOL_SIZE
-#define CHIP_CONFIG_PEER_CONNECTION_POOL_SIZE 16
-#endif // CHIP_CONFIG_PEER_CONNECTION_POOL_SIZE
+#ifndef CHIP_CONFIG_SECURE_SESSION_POOL_SIZE
+#define CHIP_CONFIG_SECURE_SESSION_POOL_SIZE (CHIP_CONFIG_MAX_FABRICS * 3 + 2)
+#endif // CHIP_CONFIG_SECURE_SESSION_POOL_SIZE
 
 /**
  * @def CHIP_CONFIG_SECURE_SESSION_REFCOUNT_LOGGING

diff --git a/src/protocols/secure_channel/CASEServer.cpp b/src/protocols/secure_channel/CASEServer.cpp
@@ -45,20 +45,18 @@ CHIP_ERROR CASEServer::ListenForSessionEstablishment(Messaging::ExchangeManager
  mExchangeManager = exchangeManager;
  mGroupDataProvider = responderGroupDataProvider;
 
- Cleanup();
+ // Set up the group state provider that persists across all handshakes.
+ GetSession().SetGroupDataProvider(mGroupDataProvider);
+
+ PrepareForSessionEstablishment();
+
  return CHIP_NO_ERROR;
 }
 
 CHIP_ERROR CASEServer::InitCASEHandshake(Messaging::ExchangeContext * ec)
 {
  ReturnErrorCodeIf(ec == nullptr, CHIP_ERROR_INVALID_ARGUMENT);
 
- // Setup CASE state machine using the credentials for the current fabric.
- GetSession().SetGroupDataProvider(mGroupDataProvider);
- ReturnErrorOnFailure(GetSession().ListenForSessionEstablishment(
- *mSessionManager, mFabrics, mSessionResumptionStorage, mCertificateValidityPolicy, this,
- Optional<ReliableMessageProtocolConfig>::Value(GetLocalMRPConfig())));
-
  // Hand over the exchange context to the CASE session.
  ec->SetDelegate(&GetSession());
 
@@ -90,31 +88,71 @@ CHIP_ERROR CASEServer::OnMessageReceived(Messaging::ExchangeContext * ec, const
 exit:
  if (err != CHIP_NO_ERROR)
  {
- Cleanup();
+ PrepareForSessionEstablishment();
  }
+
  return err;
 }
 
-void CASEServer::Cleanup()
+void CASEServer::PrepareForSessionEstablishment(const ScopedNodeId & previouslyEstablishedPeer)
 {
  // Let's re-register for CASE Sigma1 message, so that the next CASE session setup request can be processed.
  // https://github.com/project-chip/connectedhomeip/issues/8342
  ChipLogProgress(Inet, "CASE Server enabling CASE session setups");
  mExchangeManager->RegisterUnsolicitedMessageHandlerForType(Protocols::SecureChannel::MsgType::CASE_Sigma1, this);
 
  GetSession().Clear();
+
+ //
+ // Indicate to the underlying CASE session to prepare for session establishment requests coming its way. This will
+ // involve allocating a SecureSession that will be held until it's needed for the next CASE session handshake.
+ //
+ // Logically speaking, we're attempting to evict a session using details of the just-established session (to ensure
+ // we're evicting sessions from the right fabric if needed) and then transferring the just established session into that
+ // slot (and thereby free'ing up the slot for the next session attempt). However, this transfer isn't necessary - just
+ // evicting a session will ensure it is available for the next attempt.
+ //
+ // This call can fail if we have run out memory to allocate SecureSessions. Continuing without taking any action
+ // however will render this node deaf to future handshake requests, so it's better to die here to raise attention to the problem
+ // / facilitate recovery.
+ //
+ // TODO(#17568): Once session eviction is actually in place, this call should NEVER fail and if so, is a logic bug.
+ // Dying here on failure is even more appropriate then.
+ //
+ VerifyOrDie(GetSession().PrepareForSessionEstablishment(*mSessionManager, mFabrics, mSessionResumptionStorage,
+ mCertificateValidityPolicy, this, previouslyEstablishedPeer,
+ Optional<ReliableMessageProtocolConfig>::Value(GetLocalMRPConfig())) ==
+ CHIP_NO_ERROR);
+
+ //
+ // PairingSession::mSecureSessionHolder is a weak-reference. If MarkForRemoval is called on this session, the session is
+ // going to get de-allocated from underneath us. This session that has just been allocated should *never* get evicted, and
+ // remain available till the next hand-shake is received.
+ //
+ // TODO: Converting SessionHolder to a true weak-ref and making PairingSession hold a strong-ref (#18397) would avoid this
+ // headache...
+ //
+ // Let's create a SessionHandle strong-reference to it to keep it resident.
+ //
+ mPinnedSecureSession = GetSession().CopySecureSession();
+
+ //
+ // If we've gotten this far, it means we have successfully allocated a SecureSession to back our next attempt. If we haven't,
+ // there is a bug somewhere and we should raise attention to it by dying.
+ //
+ VerifyOrDie(mPinnedSecureSession.HasValue());
 }
 
 void CASEServer::OnSessionEstablishmentError(CHIP_ERROR err)
 {
  ChipLogError(Inet, "CASE Session establishment failed: %s", ErrorStr(err));
- Cleanup();
+ PrepareForSessionEstablishment();
 }
 
 void CASEServer::OnSessionEstablished(const SessionHandle & session)
 {
  ChipLogProgress(Inet, "CASE Session established to peer: " ChipLogFormatScopedNodeId,
  ChipLogValueScopedNodeId(session->GetPeer()));
- Cleanup();
+ PrepareForSessionEstablishment(session->GetPeer());
 }
 } // namespace chip
diff --git a/src/protocols/secure_channel/CASEServer.h b/src/protocols/secure_channel/CASEServer.h
@@ -31,12 +31,23 @@ class CASEServer : public SessionEstablishmentDelegate,
 {
 public:
  CASEServer() {}
- ~CASEServer() override
+ ~CASEServer() override { Shutdown(); }
+
+ /*
+ * This method will shutdown this object, releasing the strong reference to the pinned SecureSession object.
+ * It will also unregister the unsolicited handler and clear out the session object (which will release the weak
+ * reference through the underlying SessionHolder).
+ *
+ */
+ void Shutdown()
  {
  if (mExchangeManager != nullptr)
  {
  mExchangeManager->UnregisterUnsolicitedMessageHandlerForType(Protocols::SecureChannel::MsgType::CASE_Sigma1);
  }
+
+ GetSession().Clear();
+ mPinnedSecureSession.ClearValue();
  }
 
  CHIP_ERROR ListenForSessionEstablishment(Messaging::ExchangeManager * exchangeManager, SessionManager * sessionManager,
@@ -64,6 +75,19 @@ class CASEServer : public SessionEstablishmentDelegate,
  SessionResumptionStorage * mSessionResumptionStorage = nullptr;
  Credentials::CertificateValidityPolicy * mCertificateValidityPolicy = nullptr;
 
+ //
+ // When we're in the process of establishing a session, this is used
+ // to maintain an additional, strong reference to the underlying SecureSession.
+ // This is because the existing reference in PairingSession is a weak one
+ // (i.e a SessionHolder) and can lose its reference if the session is evicted
+ // for any reason.
+ //
+ // This initially points to a session that is not yet active. Upon activation, it
+ // transfers ownership of the session to the SecureSessionManager and this reference
+ // is released before simultaneously acquiring ownership of a new SecureSession.
+ //
+ Optional<SessionHandle> mPinnedSecureSession;
+
  CASESession mPairingSession;
  SessionManager * mSessionManager = nullptr;
 
@@ -72,7 +96,16 @@ class CASEServer : public SessionEstablishmentDelegate,
 
  CHIP_ERROR InitCASEHandshake(Messaging::ExchangeContext * ec);
 
- void Cleanup();
+ /*
+ * This will clean up any state from a previous session establishment
+ * attempt (if any) and setup the machinery to listen for and handle
+ * any session handshakes there-after.
+ *
+ * If a session had previously been established successfully, previouslyEstablishedPeer
+ * should be set to the scoped node-id of the peer associated with that session.
+ *
+ */
+ void PrepareForSessionEstablishment(const ScopedNodeId & previouslyEstablishedPeer = ScopedNodeId());
 };
 
 } // namespace chip
diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
@@ -151,7 +151,7 @@ void CASESession::Clear()
 }
 
 CHIP_ERROR CASESession::Init(SessionManager & sessionManager, Credentials::CertificateValidityPolicy * policy,
- SessionEstablishmentDelegate * delegate)
+ SessionEstablishmentDelegate * delegate, const ScopedNodeId & sessionEvictionHint)
 {
  VerifyOrReturnError(delegate != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
  VerifyOrReturnError(mGroupDataProvider != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
@@ -161,7 +161,7 @@ CHIP_ERROR CASESession::Init(SessionManager & sessionManager, Credentials::Certi
  ReturnErrorOnFailure(mCommissioningHash.Begin());
 
  mDelegate = delegate;
- ReturnErrorOnFailure(AllocateSecureSession(sessionManager));
+ ReturnErrorOnFailure(AllocateSecureSession(sessionManager, sessionEvictionHint));
 
  mValidContext.Reset();
  mValidContext.mRequiredKeyUsages.Set(KeyUsageFlags::kDigitalSignature);
@@ -172,13 +172,14 @@ CHIP_ERROR CASESession::Init(SessionManager & sessionManager, Credentials::Certi
 }
 
 CHIP_ERROR
-CASESession::ListenForSessionEstablishment(SessionManager & sessionManager, FabricTable * fabrics,
- SessionResumptionStorage * sessionResumptionStorage,
- Credentials::CertificateValidityPolicy * policy, SessionEstablishmentDelegate * delegate,
- Optional<ReliableMessageProtocolConfig> mrpConfig)
+CASESession::PrepareForSessionEstablishment(SessionManager & sessionManager, FabricTable * fabrics,
+ SessionResumptionStorage * sessionResumptionStorage,
+ Credentials::CertificateValidityPolicy * policy,
+ SessionEstablishmentDelegate * delegate, ScopedNodeId previouslyEstablishedPeer,
+ Optional<ReliableMessageProtocolConfig> mrpConfig)
 {
  VerifyOrReturnError(fabrics != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
- ReturnErrorOnFailure(Init(sessionManager, policy, delegate));
+ ReturnErrorOnFailure(Init(sessionManager, policy, delegate, previouslyEstablishedPeer));
 
  mRole = CryptoContext::SessionRole::kResponder;
  mFabricsTable = fabrics;
@@ -207,7 +208,7 @@ CHIP_ERROR CASESession::EstablishSession(SessionManager & sessionManager, Fabric
  ReturnErrorCodeIf(fabricIndex == kUndefinedFabricIndex, CHIP_ERROR_INVALID_ARGUMENT);
  VerifyOrReturnError((fabricInfo = fabricTable->FindFabricWithIndex(fabricIndex)) != nullptr, CHIP_ERROR_INVALID_ARGUMENT);
 
- err = Init(sessionManager, policy, delegate);
+ err = Init(sessionManager, policy, delegate, ScopedNodeId(peerNodeId, fabricIndex));
 
  mRole = CryptoContext::SessionRole::kInitiator;
 

diff --git a/src/protocols/secure_channel/CASESession.h b/src/protocols/secure_channel/CASESession.h
@@ -75,12 +75,17 @@ class DLL_EXPORT CASESession : public Messaging::UnsolicitedMessageHandler,
  * @param fabrics Table of fabrics that are currently configured on the device
  * @param policy Optional application-provided certificate validity policy
  * @param delegate Callback object
+ * @param previouslyEstablishedPeer If a session had previously been established successfully to a peer, this should
+ * be set to its scoped node-id. Else, this should be initialized to a
+ * default-constructed ScopedNodeId().
+ * @param mrpConfig MRP configuration to encode into Sigma2. If not provided, it won't be encoded.
  *
  * @return CHIP_ERROR The result of initialization
  */
- CHIP_ERROR ListenForSessionEstablishment(
+ CHIP_ERROR PrepareForSessionEstablishment(
  SessionManager & sessionManager, FabricTable * fabrics, SessionResumptionStorage * sessionResumptionStorage,
  Credentials::CertificateValidityPolicy * policy, SessionEstablishmentDelegate * delegate,
+ ScopedNodeId previouslyEstablishedPeer,
  Optional<ReliableMessageProtocolConfig> mrpConfig = Optional<ReliableMessageProtocolConfig>::Missing());
 
  /**
@@ -181,8 +186,17 @@ class DLL_EXPORT CASESession : public Messaging::UnsolicitedMessageHandler,
  kFinishedViaResume = 7,
  };
 
+ /*
+ * Initialize the object given a reference to the SessionManager, certificate validity policy and a delegate which will be
+ * notified of any further progress on this session.
+ *
+ * If we're either establishing or finished establishing a session to a peer in either initiator or responder
+ * roles, the node id of that peer should be provided in sessionEvictionHint. Else, it should be initialized
+ * to a default-constructed ScopedNodeId().
+ *
+ */
  CHIP_ERROR Init(SessionManager & sessionManager, Credentials::CertificateValidityPolicy * policy,
- SessionEstablishmentDelegate * delegate);
+ SessionEstablishmentDelegate * delegate, const ScopedNodeId & sessionEvictionHint);
 
  // On success, sets mIpk to the correct value for outgoing Sigma1 based on internal state
  CHIP_ERROR RecoverInitiatorIpk();

diff --git a/src/protocols/secure_channel/PairingSession.cpp b/src/protocols/secure_channel/PairingSession.cpp
@@ -23,9 +23,9 @@
 
 namespace chip {
 
-CHIP_ERROR PairingSession::AllocateSecureSession(SessionManager & sessionManager)
+CHIP_ERROR PairingSession::AllocateSecureSession(SessionManager & sessionManager, const ScopedNodeId & sessionEvictionHint)
 {
- auto handle = sessionManager.AllocateSession(GetSecureSessionType());
+ auto handle = sessionManager.AllocateSession(GetSecureSessionType(), sessionEvictionHint);
  VerifyOrReturnError(handle.HasValue(), CHIP_ERROR_NO_MEMORY);
  VerifyOrReturnError(mSecureSessionHolder.GrabPairingSession(handle.Value()), CHIP_ERROR_INTERNAL);
  mSessionManager = &sessionManager;

diff --git a/src/protocols/secure_channel/PairingSession.h b/src/protocols/secure_channel/PairingSession.h
@@ -63,11 +63,27 @@ class DLL_EXPORT PairingSession : public SessionDelegate
  return localSessionId;
  }
 
+ /**
+ * Copy the underlying session (if present) into a SessionHandle that a caller can use to
+ * obtain a reference to the session.
+ */
+ Optional<SessionHandle> CopySecureSession()
+ {
+ if (mSecureSessionHolder)
+ {
+ VerifyOrDie(mSecureSessionHolder->GetSessionType() == Transport::Session::SessionType::kSecure);
+ return MakeOptional<SessionHandle>(*mSecureSessionHolder->AsSecureSession());
+ }
+
+ return Optional<SessionHandle>::Missing();
+ }
+
  uint16_t GetPeerSessionId() const
  {
  VerifyOrDie(mPeerSessionId.HasValue());
  return mPeerSessionId.Value();
  }
+
  bool IsValidPeerSessionId() const { return mPeerSessionId.HasValue(); }
 
  /**
@@ -93,10 +109,14 @@ class DLL_EXPORT PairingSession : public SessionDelegate
  * Allocate a secure session object from the passed session manager for the
  * pending session establishment operation.
  *
- * @param sessionManager session manager from which to allocate a secure session object
+ * @param sessionManager Session manager from which to allocate a secure session object
+ * @param sessionEvictionHint If we're either establishing or just finished establishing a session to a peer in either
+ * initiator or responder roles, the node id of that peer should be provided in this argument. Else, it should be initialized to
+ * a default-constructed ScopedNodeId().
+ *
  * @return CHIP_ERROR The outcome of the allocation attempt
  */
- CHIP_ERROR AllocateSecureSession(SessionManager & sessionManager);
+ CHIP_ERROR AllocateSecureSession(SessionManager & sessionManager, const ScopedNodeId & sessionEvictionHint = ScopedNodeId());
 
  CHIP_ERROR ActivateSecureSession(const Transport::PeerAddress & peerAddress);
 

diff --git a/src/protocols/secure_channel/tests/TestCASESession.cpp b/src/protocols/secure_channel/tests/TestCASESession.cpp
@@ -198,13 +198,14 @@ void CASE_SecurePairingWaitTest(nlTestSuite * inSuite, void * inContext)
 
  pairing.SetGroupDataProvider(&gDeviceGroupDataProvider);
  NL_TEST_ASSERT(inSuite,
- pairing.ListenForSessionEstablishment(sessionManager, nullptr, nullptr, nullptr, nullptr) ==
+ pairing.PrepareForSessionEstablishment(sessionManager, nullptr, nullptr, nullptr, nullptr, ScopedNodeId()) ==
  CHIP_ERROR_INVALID_ARGUMENT);
  NL_TEST_ASSERT(inSuite,
- pairing.ListenForSessionEstablishment(sessionManager, nullptr, nullptr, nullptr, &delegate) ==
+ pairing.PrepareForSessionEstablishment(sessionManager, nullptr, nullptr, nullptr, &delegate, ScopedNodeId()) ==
  CHIP_ERROR_INVALID_ARGUMENT);
  NL_TEST_ASSERT(inSuite,
- pairing.ListenForSessionEstablishment(sessionManager, &fabrics, nullptr, nullptr, &delegate) == CHIP_NO_ERROR);
+ pairing.PrepareForSessionEstablishment(sessionManager, &fabrics, nullptr, nullptr, &delegate, ScopedNodeId()) ==
+ CHIP_NO_ERROR);
 }
 
 void CASE_SecurePairingStartTest(nlTestSuite * inSuite, void * inContext)
@@ -283,9 +284,9 @@ void CASE_SecurePairingHandshakeTestCommon(nlTestSuite * inSuite, void * inConte
 
  pairingAccessory.SetGroupDataProvider(&gDeviceGroupDataProvider);
  NL_TEST_ASSERT(inSuite,
- pairingAccessory.ListenForSessionEstablishment(sessionManager, &gDeviceFabrics, nullptr, nullptr,
- &delegateAccessory,
- MakeOptional(verySleepyAccessoryRmpConfig)) == CHIP_NO_ERROR);
+ pairingAccessory.PrepareForSessionEstablishment(sessionManager, &gDeviceFabrics, nullptr, nullptr,
+  &delegateAccessory, ScopedNodeId(),
+  MakeOptional(verySleepyAccessoryRmpConfig)) == CHIP_NO_ERROR);
  NL_TEST_ASSERT(inSuite,
  pairingCommissioner.EstablishSession(sessionManager, &gCommissionerFabrics, gCommissionerFabricIndex, Node01_01,
  contextCommissioner, nullptr, nullptr, &delegateCommissioner,
@@ -847,6 +848,7 @@ int CASE_TestSecurePairing_Setup(void * inContext)
  */
 int CASE_TestSecurePairing_Teardown(void * inContext)
 {
+ gPairingServer.Shutdown();
  gCommissionerStorageDelegate.ClearStorage();
  gDeviceStorageDelegate.ClearStorage();
  gCommissionerFabrics.DeleteAllFabrics();

diff --git a/src/transport/SecureSessionTable.h b/src/transport/SecureSessionTable.h
@@ -214,7 +214,7 @@ class SecureSessionTable
  return NullOptional;
  }
 
- BitMapObjectPool<SecureSession, CHIP_CONFIG_PEER_CONNECTION_POOL_SIZE> mEntries;
+ BitMapObjectPool<SecureSession, CHIP_CONFIG_SECURE_SESSION_POOL_SIZE> mEntries;
  uint16_t mNextSessionId = 0;
 };