- Update SessionID allocator to use freed session IDs #7835

todo · 2021-06-23T02:53:40Z

connectedhomeip/src/protocols/secure_channel/SessionIDAllocator.cpp

Lines 29 to 39 in 6c1f43a

 // TODO - Update SessionID allocator to use freed session IDs 

 mNextAvailable++; 

 return CHIP_NO_ERROR; 

 } 

 void SessionIDAllocator::Free(uint16_t id) 

 { 

 if (mNextAvailable > 0 && (mNextAvailable - 1) == id) 

 { 

 mNextAvailable--;

This issue was generated by todo based on a `TODO` comment in `6c1f43a` when #7666 was merged. cc @pan-apple.

The text was updated successfully, but these errors were encountered:

msandstedt · 2021-12-02T14:33:03Z

This may not be well known. Until we implement this, a node can be DOSed with this pattern:

nodeA;
nodeB;
victimNode;
nodeA::EstablishCASE(victimNode); // occupy initial key ID
nodeB::EstablishCASE(victimNode); // occupy key ID + 1
while (true) // repeat until we can occupy key ID 65535
{
    nodeA::DisconnectCASE(victimNode); // release initial key ID
    nodeA::EstablishCASE(victimNode); // occupy key ID + 2
    nodeB::DisconnectCASE(victimNode); // release key ID + 1
    nodeB::EstablishCASE(victimNode); // occupy key ID + 3
}
// Now the node is deaf

CC @cecille , @kpschoedel

msandstedt · 2022-02-04T15:42:16Z

I think this may have been closed inadvertently.

msandstedt · 2022-02-04T16:22:53Z

Taking this as it's related to #12821 and we can have a pretty straight forward solution by addressing both together.

If the session manager can assign session IDs itself, all of these problems go away. Session manager has complete visibility of occupied and available session IDs, so can easily assign new ones. With this approach, there need be no session ID exhaustion problem as we currently have.

And this can fix #12821 as well, because then session manager can make sure there aren't session ID collisions between fabrics.

Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outsanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate sesion table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass

Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass

* Fix Session ID Allocation Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: #7835, #12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass * fix Werror=conversion * fix VerifyOrExit lint error * fix Werror=unused-but-set-variable with detail logging disabled * fix tv-casting-app build * pass SessionHolder by reference to reduce stack size * bypass -Wstack-usage= in TestPASESession to fix spurious stack warning * Update src/transport/SecureSession.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * Update src/transport/SecureSessionTable.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * per bzbarsky-apple, document that allocation of sessions to caller-specified IDs is for testing * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * per mrjerryjohns, delegate allocation of secure sessions to base PairingSession object * remove use of Optional<uint16_t> session IDs Overloads make this superfluous. * init session ID randomly; add more checks for invalid 0 session ID * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * per bzbarsky-apple, pass reference type to SessionHolderWithDelegate * restyle * per kghost, pass SessionHandle, not SessionHolder * make sure to grab the session in NewPairing * fixup doxy params * fix up comments * add a test case to verify the session ID allocator does not have collisions * reduce number of session ID allocator collision test iterations to fix CI timeout * fix loop sentinel in TestSessionManager * increase gcc_debug test phase timeout * increase gcc-debug total timeout to 65 minutes Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>

* Fix Session ID Allocation Secure session ID allocation currently suffers the following problems: * fragmentation has worst case behavior where there may be as few as 2 outstanding sessions, but the allocator will become full * there is no formal coupling to the session manager object, but yet there can only be one allocator per session manager; the current solution is for the allocator to share static state * IDs are proposed *to* the session manager, which means the session manager can only prevent collisions by failing on session creation or by evicting sessions; it currently does the latter * session ID allocation is manual, so leaks are likely This commit solves these problems by moving ID allocation into the session manager and by leveraging the session table itself as the source of truth for available IDs. Whereas the old flow was: * allocate session ID * initiate PASE or CASE * (on success) allocate session table entry The new flow is: * allocate session table entry with non-colliding ID * initiate PASE or CASE * activate the session in the table Allocation uses a next-session-ID clue, which is 1 more than the most recent allocation, and also searches the session table to make sure a non-colliding value is returned. Allocation time complexity is O(kMaxSessionCount^2/64) in the current implementation. Lifecycle of the pending session table entries also leverages the SessionHolder object to alleviate our need to manually free resources. Fixes: project-chip#7835, project-chip#12821 Testing: * Added an allocation test to TestSessionManager * All other code paths are heavily integrated into existing tests * All existing unit tests pass * fix Werror=conversion * fix VerifyOrExit lint error * fix Werror=unused-but-set-variable with detail logging disabled * fix tv-casting-app build * pass SessionHolder by reference to reduce stack size * bypass -Wstack-usage= in TestPASESession to fix spurious stack warning * Update src/transport/SecureSession.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * Update src/transport/SecureSessionTable.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * per bzbarsky-apple, document that allocation of sessions to caller-specified IDs is for testing * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * per mrjerryjohns, delegate allocation of secure sessions to base PairingSession object * remove use of Optional<uint16_t> session IDs Overloads make this superfluous. * init session ID randomly; add more checks for invalid 0 session ID * Update src/transport/PairingSession.h Co-authored-by: Boris Zbarsky <bzbarsky@apple.com> * per bzbarsky-apple, pass reference type to SessionHolderWithDelegate * restyle * per kghost, pass SessionHandle, not SessionHolder * make sure to grab the session in NewPairing * fixup doxy params * fix up comments * add a test case to verify the session ID allocator does not have collisions * reduce number of session ID allocator collision test iterations to fix CI timeout * fix loop sentinel in TestSessionManager * increase gcc_debug test phase timeout * increase gcc-debug total timeout to 65 minutes Co-authored-by: Boris Zbarsky <bzbarsky@apple.com>

todo bot added the todo label Jun 23, 2021

todo bot assigned pan-apple Jun 23, 2021

franck-apple added the V1.0 label Jan 25, 2022

woody-apple closed this as completed Jan 25, 2022

msandstedt reopened this Feb 4, 2022

msandstedt assigned msandstedt and unassigned pan-apple Feb 4, 2022

msandstedt mentioned this issue Feb 10, 2022

Enable server interactions on Controllers #14998

Merged

msandstedt mentioned this issue Mar 31, 2022

Fix Session ID Allocation #16895

Merged

kghost closed this as completed in #16895 Apr 4, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

- Update SessionID allocator to use freed session IDs #7835

- Update SessionID allocator to use freed session IDs #7835

todo bot commented Jun 23, 2021

msandstedt commented Dec 2, 2021

msandstedt commented Feb 4, 2022

msandstedt commented Feb 4, 2022

- Update SessionID allocator to use freed session IDs #7835

- Update SessionID allocator to use freed session IDs #7835

Comments

todo bot commented Jun 23, 2021

This issue was generated by todo based on a TODO comment in 6c1f43a when #7666 was merged. cc @pan-apple.

msandstedt commented Dec 2, 2021

msandstedt commented Feb 4, 2022

msandstedt commented Feb 4, 2022

This issue was generated by todo based on a `TODO` comment in `6c1f43a` when #7666 was merged. cc @pan-apple.