openweave
diff --git a/‎build/config/standalone/WeaveProjectConfig.h‎
Lines changed: 2 additions & 0 deletions b/‎build/config/standalone/WeaveProjectConfig.h‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/device-manager/WeaveDeviceManager.cpp‎
Lines changed: 87 additions & 8 deletions b/‎src/device-manager/WeaveDeviceManager.cpp‎
Lines changed: 87 additions & 8 deletions
diff --git a/‎src/device-manager/WeaveDeviceManager.h‎
Lines changed: 33 additions & 8 deletions b/‎src/device-manager/WeaveDeviceManager.h‎
Lines changed: 33 additions & 8 deletions
diff --git a/‎src/lib/core/WeaveConfig.h‎
Lines changed: 10 additions & 0 deletions b/‎src/lib/core/WeaveConfig.h‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎src/lib/core/WeaveFabricState.h‎
Lines changed: 1 addition & 1 deletion b/‎src/lib/core/WeaveFabricState.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/lib/core/WeaveSecurityMgr.cpp‎
Lines changed: 62 additions & 50 deletions b/‎src/lib/core/WeaveSecurityMgr.cpp‎
Lines changed: 62 additions & 50 deletions
@@ -57,4 +57,6 @@
 
 #define WEAVE_CONFIG_ENABLE_WDM_UPDATE 1
 
+#define WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE 0
+
 #endif /* WEAVEPROJECTCONFIG_H */
@@ -5169,6 +5169,83 @@ WEAVE_ERROR WeaveDeviceManager::DecodeNetworkInfoList(PacketBuffer *msgBuf, uint
     return err;
 }
 
+
+#if !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+
+WEAVE_ERROR WeaveDeviceManager::EncodeNodeCertInfo(const Security::CASE::BeginSessionContext & msgCtx,
+        TLVWriter & writer)
+{
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+    TLVReader reader;
+
+    // Initialize a reader to read the access token.
+    reader.Init((const uint8_t *)mAuthKey, mAuthKeyLen);
+    reader.ImplicitProfileId = kWeaveProfile_Security;
+
+    // Generate a CASE CertificateInformation structure from the information in the access token.
+    err = CASECertInfoFromAccessToken(reader, writer);
+    SuccessOrExit(err);
+
+exit:
+    if (err != WEAVE_NO_ERROR)
+        err = WEAVE_ERROR_INVALID_ACCESS_TOKEN;
+    return err;
+}
+
+WEAVE_ERROR WeaveDeviceManager::GenerateNodeSignature(const Security::CASE::BeginSessionContext & msgCtx,
+        const uint8_t * msgHash, uint8_t msgHashLen,
+        TLVWriter & writer, uint64_t tag)
+{
+    WEAVE_ERROR err = WEAVE_NO_ERROR;
+    const uint8_t * privKey = NULL;
+    uint16_t privKeyLen;
+
+    // Get the private key from the access token.
+    err = GetNodePrivateKey(msgCtx.IsInitiator(), privKey, privKeyLen);
+    SuccessOrExit(err);
+
+    // Generate a signature using the access token private key.
+    err = GenerateAndEncodeWeaveECDSASignature(writer, tag, msgHash, msgHashLen, privKey, privKeyLen);
+    SuccessOrExit(err);
+
+exit:
+    if (privKey != NULL)
+    {
+        WEAVE_ERROR relErr = ReleaseNodePrivateKey(privKey);
+        err = (err == WEAVE_NO_ERROR) ? relErr : err;
+    }
+    return err;
+}
+
+WEAVE_ERROR WeaveDeviceManager::EncodeNodePayload(const Security::CASE::BeginSessionContext & msgCtx,
+        uint8_t * payloadBuf, uint16_t payloadBufSize, uint16_t & payloadLen)
+{
+    // No payload
+    payloadLen = 0;
+    return WEAVE_NO_ERROR;
+}
+
+WEAVE_ERROR WeaveDeviceManager::BeginValidation(const Security::CASE::BeginSessionContext & msgCtx,
+        Security::ValidationContext & validCtx, Security::WeaveCertificateSet & certSet)
+{
+    return BeginCertValidation(msgCtx.IsInitiator(), certSet, validCtx);
+}
+
+WEAVE_ERROR WeaveDeviceManager::HandleValidationResult(const Security::CASE::BeginSessionContext & msgCtx,
+        Security::ValidationContext & validCtx,
+        Security::WeaveCertificateSet & certSet, WEAVE_ERROR & validRes)
+{
+    return HandleCertValidationResult(msgCtx.IsInitiator(), validRes, validCtx.SigningCert, msgCtx.PeerNodeId, certSet, validCtx);
+}
+
+void WeaveDeviceManager::EndValidation(const Security::CASE::BeginSessionContext & msgCtx,
+        Security::ValidationContext & validCtx, Security::WeaveCertificateSet & certSet)
+{
+    EndCertValidation(certSet, validCtx);
+}
+
+#else // !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+
 WEAVE_ERROR WeaveDeviceManager::GetNodeCertInfo(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen)
 {
     WEAVE_ERROR err;
@@ -5184,6 +5261,16 @@ WEAVE_ERROR WeaveDeviceManager::GetNodeCertInfo(bool isInitiator, uint8_t *buf,
     return err;
 }
 
+// Get payload information, if any, to be included in the message to the peer.
+WEAVE_ERROR WeaveDeviceManager::GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen)
+{
+    // No payload
+    payloadLen = 0;
+    return WEAVE_NO_ERROR;
+}
+
+#endif // WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+
 // Get the local node's private key.
 WEAVE_ERROR WeaveDeviceManager::GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t& weavePrivKeyLen)
 {
@@ -5218,14 +5305,6 @@ WEAVE_ERROR WeaveDeviceManager::ReleaseNodePrivateKey(const uint8_t *weavePrivKe
     return WEAVE_NO_ERROR;
 }
 
-// Get payload information, if any, to be included in the message to the peer.
-WEAVE_ERROR WeaveDeviceManager::GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen)
-{
-    // No payload
-    payloadLen = 0;
-    return WEAVE_NO_ERROR;
-}
-
 // Prepare the supplied certificate set and validation context for use in validating the certificate of a peer.
 // This method is responsible for loading the trust anchors into the certificate set.
 WEAVE_ERROR WeaveDeviceManager::BeginCertValidation(bool isInitiator, WeaveCertificateSet& certSet, ValidationContext& validContext)
 
@@ -42,6 +42,7 @@
 #include <Weave/Profiles/network-provisioning/NetworkInfo.h>
 #include <Weave/Profiles/security/WeaveSecurity.h>
 #include <Weave/Profiles/security/WeaveCASE.h>
+#include <Weave/Profiles/security/WeaveSig.h>
 #include <Weave/Profiles/service-directory/ServiceDirectory.h>
 #include <Weave/Profiles/status-report/StatusReportProfile.h>
 #include <Weave/Profiles/token-pairing/TokenPairing.h>
@@ -620,15 +621,39 @@ class NL_DLL_EXPORT WeaveDeviceManager : private Security::CASE::WeaveCASEAuthDe
     static WEAVE_ERROR DecodeStatusReport(PacketBuffer *msgBuf, DeviceStatus& status);
     static WEAVE_ERROR DecodeNetworkInfoList(PacketBuffer *buf, uint16_t& count, NetworkInfo *& netInfoList);
 
-    // CASE auth delegate methods
-    virtual WEAVE_ERROR GetNodeCertInfo(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen);
-    virtual WEAVE_ERROR GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t& weavePrivKeyLen);
-    virtual WEAVE_ERROR ReleaseNodePrivateKey(const uint8_t *weavePrivKey);
-    virtual WEAVE_ERROR GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen);
-    virtual WEAVE_ERROR BeginCertValidation(bool isInitiator, Security::WeaveCertificateSet& certSet, Security::ValidationContext& validContext);
-    virtual WEAVE_ERROR HandleCertValidationResult(bool isInitiator, WEAVE_ERROR& validRes, Security::WeaveCertificateData *peerCert,
+#if !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+
+    // ===== Methods that implement the WeaveCASEAuthDelegate interface
+
+    WEAVE_ERROR EncodeNodeCertInfo(const Security::CASE::BeginSessionContext & msgCtx, TLVWriter & writer) __OVERRIDE;
+    WEAVE_ERROR GenerateNodeSignature(const Security::CASE::BeginSessionContext & msgCtx,
+            const uint8_t * msgHash, uint8_t msgHashLen,
+            TLVWriter & writer, uint64_t tag) __OVERRIDE;
+    WEAVE_ERROR EncodeNodePayload(const Security::CASE::BeginSessionContext & msgCtx,
+            uint8_t * payloadBuf, uint16_t payloadBufSize, uint16_t & payloadLen) __OVERRIDE;
+    WEAVE_ERROR BeginValidation(const Security::CASE::BeginSessionContext & msgCtx, Security::ValidationContext & validCtx,
+            Security::WeaveCertificateSet & certSet) __OVERRIDE;
+    WEAVE_ERROR HandleValidationResult(const Security::CASE::BeginSessionContext & msgCtx, Security::ValidationContext & validCtx,
+            Security::WeaveCertificateSet & certSet, WEAVE_ERROR & validRes) __OVERRIDE;
+    void EndValidation(const Security::CASE::BeginSessionContext & msgCtx, Security::ValidationContext & validCtx,
+            Security::WeaveCertificateSet & certSet) __OVERRIDE;
+
+#else // !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+
+    // ===== Methods that implement the legacy WeaveCASEAuthDelegate interface
+
+    WEAVE_ERROR GetNodeCertInfo(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& certInfoLen) __OVERRIDE;
+    WEAVE_ERROR GetNodePayload(bool isInitiator, uint8_t *buf, uint16_t bufSize, uint16_t& payloadLen) __OVERRIDE;
+
+#endif // WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+
+    WEAVE_ERROR GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t& weavePrivKeyLen);
+    WEAVE_ERROR ReleaseNodePrivateKey(const uint8_t *weavePrivKey);
+    WEAVE_ERROR BeginCertValidation(bool isInitiator, Security::WeaveCertificateSet& certSet,
+            Security::ValidationContext& validContext);
+    WEAVE_ERROR HandleCertValidationResult(bool isInitiator, WEAVE_ERROR& validRes, Security::WeaveCertificateData *peerCert,
             uint64_t peerNodeId, Security::WeaveCertificateSet& certSet, Security::ValidationContext& validContext);
-    virtual WEAVE_ERROR EndCertValidation(Security::WeaveCertificateSet& certSet, Security::ValidationContext& validContext);
+    WEAVE_ERROR EndCertValidation(Security::WeaveCertificateSet& certSet, Security::ValidationContext& validContext);
 
     // Locale
     static void WriteLocaleRequest(nl::Weave::TLV::TLVWriter &aWriter, void *ctx);
 
@@ -1444,6 +1444,16 @@
 #endif
 #endif // WEAVE_CONFIG_DEFAULT_CASE_ALLOWED_CURVES
 
+/**
+ * @def WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+ *
+ * @brief
+ *   Enable use of the legacy WeaveCASEAuthDelegate interface.
+ */
+#ifndef WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
+#define WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE 1
+#endif
+
 /**
  *  @def WEAVE_CONFIG_MAX_SHARED_SESSIONS_END_NODES
  *
 
@@ -145,7 +145,7 @@ enum
  * WeaveAuthMode includes a set of pre-defined values describing common
  * authentication modes.  These are broken down by the key agreement mechanism
  * (CASE, PASE, GroupKey, etc.).  Developers can extend WeaveAuthMode by defining
- * application-specific mode, which they can attach to specific encryption keys.
+ * application-specific modes, which they can attach to specific encryption keys.
  *
  * @note WeaveAuthMode is an API data type only; it should never be sent over-the-wire.
  */
 
@@ -1055,29 +1055,34 @@ WEAVE_ERROR WeaveSecurityManager::StartCASESession(WeaveConnection *con, uint64_
 
 void WeaveSecurityManager::StartCASESession(uint32_t config, uint32_t curveId)
 {
-    WEAVE_ERROR                         err;
-    CASE::BeginSessionRequestMessage    req;
-    PacketBuffer*                       msgBuf = NULL;
-    uint16_t                            sendFlags = 0;
+    WEAVE_ERROR err;
+    PacketBuffer * msgBuf = NULL;
+    uint16_t sendFlags = 0;
 
     // Allocate a buffer to hold the Begin Session message.
     msgBuf = PacketBuffer::New();
     VerifyOrExit(msgBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
 
     // Generate the CASE Begin Session message.
-    req.Reset();
-    req.PeerNodeId = mEC->PeerNodeId;
-    req.ProtocolConfig = config;
-    mCASEEngine->SetAlternateConfigs(req);
-    req.CurveId = curveId;
-    mCASEEngine->SetAlternateCurves(req);
-    req.PerformKeyConfirm = true;
-    req.SessionKeyId = mSessionKeyId;
-    req.EncryptionType = mEncType;
-    Platform::Security::OnTimeConsumingCryptoStart();
-    err = mCASEEngine->GenerateBeginSessionRequest(req, msgBuf);
-    Platform::Security::OnTimeConsumingCryptoDone();
-    SuccessOrExit(err);
+    {
+        CASE::BeginSessionRequestContext reqCtx;
+
+        reqCtx.Reset();
+        reqCtx.SetIsInitiator(true);
+        reqCtx.PeerNodeId = mEC->PeerNodeId;
+        reqCtx.ProtocolConfig = config;
+        mCASEEngine->SetAlternateConfigs(reqCtx);
+        reqCtx.CurveId = curveId;
+        mCASEEngine->SetAlternateCurves(reqCtx);
+        reqCtx.SetPerformKeyConfirm(true);
+        reqCtx.SessionKeyId = mSessionKeyId;
+        reqCtx.EncryptionType = mEncType;
+
+        Platform::Security::OnTimeConsumingCryptoStart();
+        err = mCASEEngine->GenerateBeginSessionRequest(reqCtx, msgBuf);
+        Platform::Security::OnTimeConsumingCryptoDone();
+        SuccessOrExit(err);
+    }
 
 #if WEAVE_CONFIG_ENABLE_RELIABLE_MESSAGING
     if (mCon == NULL)
@@ -1133,12 +1138,15 @@ void WeaveSecurityManager::HandleCASEMessageInitiator(ExchangeContext *ec, const
 
         // Decode and process the BeginSessionResponse.
         {
-            CASE::BeginSessionResponseMessage resp;
-            resp.Reset();
-            resp.PeerNodeId = ec->PeerNodeId;
+            CASE::BeginSessionResponseContext respCtx;
+
+            respCtx.Reset();
+            respCtx.SetIsInitiator(true);
+            respCtx.PeerNodeId = ec->PeerNodeId;
+            respCtx.MsgInfo = msgInfo;
 
             Platform::Security::OnTimeConsumingCryptoStart();
-            err = secMgr->mCASEEngine->ProcessBeginSessionResponse(msgBuf, resp);
+            err = secMgr->mCASEEngine->ProcessBeginSessionResponse(msgBuf, respCtx);
             Platform::Security::OnTimeConsumingCryptoDone();
             SuccessOrExit(err);
         }
@@ -1193,8 +1201,8 @@ void WeaveSecurityManager::HandleCASEMessageInitiator(ExchangeContext *ec, const
     {
         // Process the reconfigure message.  If this proposed alternate configuration is not acceptable,
         // the call will fail with an error.
-        CASE::ReconfigureMessage reconfMsg;
-        err = secMgr->mCASEEngine->ProcessReconfigure(msgBuf, reconfMsg);
+        CASE::ReconfigureContext reconfCtx;
+        err = secMgr->mCASEEngine->ProcessReconfigure(msgBuf, reconfCtx);
         SuccessOrExit(err);
 
         // Release the buffer containing the response.
@@ -1208,7 +1216,7 @@ void WeaveSecurityManager::HandleCASEMessageInitiator(ExchangeContext *ec, const
         SuccessOrExit(err);
 
         // Restart the CASE session using the peer's propose parameters.
-        secMgr->StartCASESession(reconfMsg.ProtocolConfig, reconfMsg.CurveId);
+        secMgr->StartCASESession(reconfCtx.ProtocolConfig, reconfCtx.CurveId);
     }
 
     // Fail if the message is unrecognized.
@@ -1238,12 +1246,12 @@ WEAVE_ERROR WeaveSecurityManager::StartCASESession(WeaveConnection *con, uint64_
 
 void WeaveSecurityManager::HandleCASESessionStart(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, PacketBuffer* msgBuf)
 {
-    WEAVE_ERROR                         err;
-    WeaveSessionKey                     *sessionKey;
-    CASE::BeginSessionRequestMessage    req;
-    CASE::ReconfigureMessage            reconf;
-    PacketBuffer                        *respMsgBuf = NULL;
-    uint16_t                            sendFlags = 0;
+    WEAVE_ERROR err;
+    WeaveSessionKey * sessionKey;
+    CASE::BeginSessionRequestContext reqCtx;
+    CASE::ReconfigureContext reconfCtx;
+    PacketBuffer * respMsgBuf = NULL;
+    uint16_t sendFlags = 0;
 
     State = kState_CASEInProgress;
     mEC = ec;
@@ -1293,11 +1301,12 @@ void WeaveSecurityManager::HandleCASESessionStart(ExchangeContext *ec, const IPP
 #endif
 
     // Process the BeginSessionRequest
-    req.Reset();
-    req.PeerNodeId = ec->PeerNodeId;
-    reconf.Reset();
+    reqCtx.Reset();
+    reqCtx.PeerNodeId = ec->PeerNodeId;
+    reqCtx.MsgInfo = msgInfo;
+    reconfCtx.Reset();
     Platform::Security::OnTimeConsumingCryptoStart();
-    err = mCASEEngine->ProcessBeginSessionRequest(msgBuf, req, reconf);
+    err = mCASEEngine->ProcessBeginSessionRequest(msgBuf, reqCtx, reconfCtx);
     Platform::Security::OnTimeConsumingCryptoDone();
     if (err != WEAVE_ERROR_CASE_RECONFIG_REQUIRED)
         SuccessOrExit(err);
@@ -1312,7 +1321,7 @@ void WeaveSecurityManager::HandleCASESessionStart(ExchangeContext *ec, const IPP
         // Encode a CASE Reconfigure message into a new buffer.
         respMsgBuf = PacketBuffer::New();
         VerifyOrExit(respMsgBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
-        err = reconf.Encode(respMsgBuf);
+        err = reconfCtx.Encode(respMsgBuf);
         SuccessOrExit(err);
 
         // Send the Reconfigure message to the peer.
@@ -1332,32 +1341,35 @@ void WeaveSecurityManager::HandleCASESessionStart(ExchangeContext *ec, const IPP
         // be bound to the connection, such that when the connection closes, the key is removed.
         // Set the RemoveOnIdle flag so that the session will be automatically removed after a period of
         // inactivity (note that this only applies to sessions that are NOT bound to connections).
-        err = FabricState->AllocSessionKey(ec->PeerNodeId, req.SessionKeyId, ec->Con, sessionKey);
+        err = FabricState->AllocSessionKey(ec->PeerNodeId, reqCtx.SessionKeyId, ec->Con, sessionKey);
         SuccessOrExit(err);
         sessionKey->SetLocallyInitiated(false);
         sessionKey->SetRemoveOnIdle(true);
 
         // Save the proposed session key id and encryption type.
-        mSessionKeyId = req.SessionKeyId;
-        mEncType = req.EncryptionType;
-
-        // Prepare the contents of a BeginSessionResponse message to be sent to the initiator.
-        CASE::BeginSessionResponseMessage resp;
-        resp.Reset();
-        resp.PeerNodeId = ec->PeerNodeId;
-        resp.ProtocolConfig = req.ProtocolConfig;
-        resp.CurveId = req.CurveId;
-        resp.PerformKeyConfirm = true;
+        mSessionKeyId = reqCtx.SessionKeyId;
+        mEncType = reqCtx.EncryptionType;
 
         // Allocate a buffer to hold the encoded BeginSessionResponse message.
         respMsgBuf = PacketBuffer::New();
         VerifyOrExit(respMsgBuf != NULL, err = WEAVE_ERROR_NO_MEMORY);
 
         // Generate the BeginSessionResponse message.
-        Platform::Security::OnTimeConsumingCryptoStart();
-        err = mCASEEngine->GenerateBeginSessionResponse(resp, respMsgBuf, req);
-        Platform::Security::OnTimeConsumingCryptoDone();
-        SuccessOrExit(err);
+        {
+            CASE::BeginSessionResponseContext respCtx;
+
+            respCtx.Reset();
+            respCtx.PeerNodeId = ec->PeerNodeId;
+            respCtx.MsgInfo = msgInfo;
+            respCtx.ProtocolConfig = reqCtx.ProtocolConfig;
+            respCtx.CurveId = reqCtx.CurveId;
+            respCtx.SetPerformKeyConfirm(true);
+
+            Platform::Security::OnTimeConsumingCryptoStart();
+            err = mCASEEngine->GenerateBeginSessionResponse(respCtx, respMsgBuf, reqCtx);
+            Platform::Security::OnTimeConsumingCryptoDone();
+            SuccessOrExit(err);
+        }
 
         // Send the BeginSessionResponse message to the peer.
         err = ec->SendMessage(kWeaveProfile_Security, kMsgType_CASEBeginSessionResponse, respMsgBuf, sendFlags);
Original file line number	Diff line number	Diff line change
`@@ -145,7 +145,7 @@ enum`
`145`	`145`	`* WeaveAuthMode includes a set of pre-defined values describing common`
`146`	`146`	`* authentication modes. These are broken down by the key agreement mechanism`
`147`	`147`	`* (CASE, PASE, GroupKey, etc.). Developers can extend WeaveAuthMode by defining`
`148`		`- * application-specific mode, which they can attach to specific encryption keys.`
	`148`	`+ * application-specific modes, which they can attach to specific encryption keys.`
`149`	`149`	`*`
`150`	`150`	`* @note WeaveAuthMode is an API data type only; it should never be sent over-the-wire.`
`151`	`151`	`*/`