Protect Against Key Error Denial-Of-Service Vulnerability.

The following mitigation mechanisms were implemented:
 -- Verify that the Key Error message was received over the same
    transport mechanism as was used to establish the security session.
 -- Verify that the message Id value presented in the Key Error
    message is equal to the last used message id.
 -- Randomize the initial 32-bit message counter on session establishment.

This change addresses CVE security vulnerability: CVE-2019-5036

Author: emargolis

src/lib/core/WeaveFabricState.cpp

@@ -332,17 +332,27 @@ WEAVE_ERROR WeaveFabricState::SetSessionKey(uint16_t keyId, uint64_t peerNodeId,
     err = FindSessionKey(keyId, peerNodeId, false, sessionKey);
     SuccessOrExit(err);
 
-    SetSessionKey(sessionKey, encType, authMode, encKey);
+    err = SetSessionKey(sessionKey, encType, authMode, encKey);
+    SuccessOrExit(err);
 
 exit:
     return err;
 }
 
-void WeaveFabricState::SetSessionKey(WeaveSessionKey *sessionKey, uint8_t encType, WeaveAuthMode authMode, const WeaveEncryptionKey *encKey)
+WEAVE_ERROR WeaveFabricState::SetSessionKey(WeaveSessionKey *sessionKey, uint8_t encType, WeaveAuthMode authMode, const WeaveEncryptionKey *encKey)
 {
+    WEAVE_ERROR err;
+    uint32_t msgId;
+
+    // Randomize the initial 32-bit message counter on session establishment.
+    // This value should be secure random to prevent man-in-the-middle adversary
+    // guessing this number.
+    err = nl::Weave::Platform::Security::GetSecureRandomData(reinterpret_cast<uint8_t *>(&msgId), sizeof(msgId));
+    SuccessOrExit(err);
+
     sessionKey->MsgEncKey.EncType = encType;
     sessionKey->MsgEncKey.EncKey = *encKey;
-    sessionKey->NextMsgId.Init(0);
+    sessionKey->NextMsgId.Init(msgId);
     sessionKey->MaxRcvdMsgId = 0;
     sessionKey->RcvFlags = 0;
     sessionKey->AuthMode = authMode;
@@ -356,6 +366,9 @@ void WeaveFabricState::SetSessionKey(WeaveSessionKey *sessionKey, uint8_t encTyp
                 sessionKey->MsgEncKey.KeyId, sessionKey->NodeId, encType, keyString);
     }
 #endif // WEAVE_CONFIG_SECURITY_TEST_MODE
+
+exit:
+    return err;
 }
 
 WEAVE_ERROR WeaveFabricState::RemoveSessionKey(uint16_t keyId, uint64_t peerNodeId)

src/lib/core/WeaveFabricState.h

@@ -509,7 +509,7 @@ class NL_DLL_EXPORT WeaveFabricState
 
     WEAVE_ERROR AllocSessionKey(uint64_t peerNodeId, uint16_t keyId, WeaveConnection *boundCon, WeaveSessionKey *& sessionKey);
     WEAVE_ERROR SetSessionKey(uint16_t keyId, uint64_t peerNodeId, uint8_t encType, WeaveAuthMode authMode, const WeaveEncryptionKey *encKey);
-    void SetSessionKey(WeaveSessionKey *sessionKey, uint8_t encType, WeaveAuthMode authMode, const WeaveEncryptionKey *encKey);
+    WEAVE_ERROR SetSessionKey(WeaveSessionKey *sessionKey, uint8_t encType, WeaveAuthMode authMode, const WeaveEncryptionKey *encKey);
     WEAVE_ERROR GetSessionKey(uint16_t keyId, uint64_t peerNodeId, WeaveSessionKey *& outSessionKey);
     WEAVE_ERROR FindSessionKey(uint16_t keyId, uint64_t peerNodeId, bool create, WeaveSessionKey *& retRec);
     WEAVE_ERROR RemoveSessionKey(uint16_t keyId, uint64_t peerNodeId);

src/lib/core/WeaveSecurityMgr.cpp

@@ -2567,6 +2567,7 @@ void WeaveSecurityManager::HandleKeyErrorMsg(ExchangeContext *ec, PacketBuffer*
     WeaveSessionKey *sessionKey;
     uint8_t *p = msgBuf->Start();
     uint64_t srcNodeId = ec->PeerNodeId;
+    WeaveConnection *msgCon = ec->Con;
     uint16_t keyId;
     uint8_t encType;
     uint16_t keyErrCode;
@@ -2623,6 +2624,16 @@ void WeaveSecurityManager::HandleKeyErrorMsg(ExchangeContext *ec, PacketBuffer*
         err = FabricState->FindSessionKey(keyId, srcNodeId, false, sessionKey);
         if (err == WEAVE_NO_ERROR)
         {
+            // Ignore KeyError if it wasn't received over the same transport mechanism
+            // as was used to establish the security session.
+            if (msgCon != sessionKey->BoundCon)
+                ExitNow();
+
+            // Ignore KeyError if the message Id value presented in the Key Error message
+            // doesn't correspond to the last used message id.
+            if (messageId != sessionKey->NextMsgId.GetValue() - 1)
+                ExitNow();
+
             // If the key refers to a shared session, add the shared session end nodes to the list
             // of peer nodes associated with the key.
             if (sessionKey->IsSharedSession())