Line data Source code
1 : /*
2 : *
3 : * Copyright (c) 2021 Project CHIP Authors
4 : *
5 : * Licensed under the Apache License, Version 2.0 (the "License");
6 : * you may not use this file except in compliance with the License.
7 : * You may obtain a copy of the License at
8 : *
9 : * http://www.apache.org/licenses/LICENSE-2.0
10 : *
11 : * Unless required by applicable law or agreed to in writing, software
12 : * distributed under the License is distributed on an "AS IS" BASIS,
13 : * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 : * See the License for the specific language governing permissions and
15 : * limitations under the License.
16 : */
17 : #pragma once
18 :
19 : #include <credentials/GroupDataProvider.h>
20 : #include <crypto/SessionKeystore.h>
21 : #include <lib/core/CHIPPersistentStorageDelegate.h>
22 : #include <lib/support/Pool.h>
23 :
24 : namespace chip {
25 : namespace Credentials {
26 :
27 : class GroupDataProviderImpl : public GroupDataProvider
28 : {
29 : public:
30 : static constexpr size_t kIteratorsMax = CHIP_CONFIG_MAX_GROUP_CONCURRENT_ITERATORS;
31 : static constexpr uint16_t kMaxMembershipCount = CHIP_CONFIG_MAX_GROUPCAST_MEMBERSHIP_COUNT;
32 : // Per spec, a single fabric cannot use more than half of the total memberships
33 : static constexpr uint16_t kMaxMembershipPerFabric = kMaxMembershipCount / 2;
34 : static constexpr uint16_t kMaxGroupKeysPerFabric = CHIP_CONFIG_MAX_GROUP_KEYS_PER_FABRIC;
35 :
36 : // TODO Make this configurable. Note: if PGA feature is enabled it SHALL be >= 4. else it SHALL = 1.
37 : static constexpr uint16_t kMaxMcastAddrCount = 4;
38 :
39 : // TODO(#72056): When groupcast is enabled by default, maxGroupsPerFabric passed in should be kMaxMembershipPerFabric
40 54 : GroupDataProviderImpl() : GroupDataProvider(CHIP_CONFIG_MAX_GROUPS_PER_FABRIC, kMaxGroupKeysPerFabric) {}
41 5 : GroupDataProviderImpl(uint16_t maxGroupsPerFabric, uint16_t maxGroupKeysPerFabric) :
42 5 : GroupDataProvider(maxGroupsPerFabric, maxGroupKeysPerFabric)
43 5 : {}
44 59 : ~GroupDataProviderImpl() override {}
45 :
46 : /**
47 : * @brief Set the storage implementation used for non-volatile storage of configuration data.
48 : * This method MUST be called before Init().
49 : *
50 : * @param storage Pointer to storage instance to set. Cannot be nullptr, will assert.
51 : */
52 : void SetStorageDelegate(PersistentStorageDelegate * storage);
53 :
54 117 : void SetSessionKeystore(Crypto::SessionKeystore * keystore) { mSessionKeystore = keystore; }
55 42 : Crypto::SessionKeystore * GetSessionKeystore() const { return mSessionKeystore; }
56 :
57 : CHIP_ERROR Init() override;
58 : void Finish() override;
59 6083 : bool IsInitialized() { return (mStorage != nullptr); }
60 :
61 : //
62 : // Group Info
63 : //
64 :
65 : // By id
66 : CHIP_ERROR SetGroupInfo(FabricIndex fabric_index, const GroupInfo & info) override;
67 : CHIP_ERROR GetGroupInfo(FabricIndex fabric_index, GroupId group_id, GroupInfo & info) override;
68 : CHIP_ERROR RemoveGroupInfo(FabricIndex fabric_index, GroupId group_id) override;
69 : // By index
70 : CHIP_ERROR SetGroupInfoAt(FabricIndex fabric_index, size_t index, const GroupInfo & info) override;
71 : CHIP_ERROR GetGroupInfoAt(FabricIndex fabric_index, size_t index, GroupInfo & info) override;
72 : CHIP_ERROR RemoveGroupInfoAt(FabricIndex fabric_index, size_t index) override;
73 : // Endpoints
74 : bool HasEndpoint(FabricIndex fabric_index, GroupId group_id, EndpointId endpoint_id) override;
75 : CHIP_ERROR AddEndpoint(FabricIndex fabric_index, GroupId group_id, EndpointId endpoint_id) override;
76 : CHIP_ERROR RemoveEndpoint(FabricIndex fabric_index, GroupId group_id, EndpointId endpoint_id,
77 : GroupCleanupPolicy cleanupPolicy) override;
78 : CHIP_ERROR RemoveEndpointAllGroups(FabricIndex fabric_index, EndpointId endpoint_id, GroupCleanupPolicy cleanupPolicy) override;
79 : CHIP_ERROR RemoveEndpoint(FabricIndex fabric_index, GroupId group_id, EndpointId endpoint_id) override;
80 : CHIP_ERROR RemoveEndpoint(FabricIndex fabric_index, EndpointId endpoint_id) override;
81 : CHIP_ERROR RemoveEndpoints(FabricIndex fabric_index, GroupId group_id) override;
82 : // Iterators
83 : GroupInfoIterator * IterateGroupInfo(FabricIndex fabric_index) override;
84 : EndpointIterator * IterateEndpoints(FabricIndex fabric_index, std::optional<GroupId> group_id = std::nullopt) override;
85 :
86 : //
87 : // Group-Key map
88 : //
89 :
90 : CHIP_ERROR SetGroupKey(FabricIndex fabric_index, GroupId group_id, KeysetId keyset_id) override;
91 : CHIP_ERROR SetGroupKeyAt(FabricIndex fabric_index, size_t index, const GroupKey & info) override;
92 : CHIP_ERROR GetGroupKeyAt(FabricIndex fabric_index, size_t index, GroupKey & info) override;
93 : CHIP_ERROR RemoveGroupKeyAt(FabricIndex fabric_index, size_t index) override;
94 : CHIP_ERROR RemoveGroupKeys(FabricIndex fabric_index) override;
95 : GroupKeyIterator * IterateGroupKeys(FabricIndex fabric_index) override;
96 :
97 : //
98 : // Key Sets
99 : //
100 :
101 : CHIP_ERROR SetKeySet(FabricIndex fabric_index, const ByteSpan & compressed_fabric_id, const KeySet & keys) override;
102 : CHIP_ERROR GetKeySet(FabricIndex fabric_index, chip::KeysetId keyset_id, KeySet & keys) override;
103 : CHIP_ERROR RemoveKeySet(FabricIndex fabric_index, chip::KeysetId keyset_id) override;
104 : CHIP_ERROR GetGroupKey(FabricIndex fabric_index, GroupId group_id, KeysetId & keyset_id) override;
105 : CHIP_ERROR GetIpkKeySet(FabricIndex fabric_index, KeySet & out_keyset) override;
106 : KeySetIterator * IterateKeySets(FabricIndex fabric_index) override;
107 :
108 : // Fabrics
109 : CHIP_ERROR RemoveFabric(FabricIndex fabric_index) override;
110 :
111 : // Decryption
112 : Crypto::SymmetricKeyContext * GetKeyContext(FabricIndex fabric_index, GroupId group_id) override;
113 : GroupSessionIterator * IterateGroupSessions(uint16_t session_id) override;
114 :
115 : // Groupcast configurations
116 260 : uint16_t getMaxMembershipCount() const override { return kMaxMembershipCount; }
117 30 : uint16_t getMaxMcastAddrCount() const override { return kMaxMcastAddrCount; }
118 :
119 119 : bool ConsumeAuxAclNotificationNeeded() override
120 : {
121 119 : if (IsGroupcastEnabled())
122 : {
123 119 : bool needed = mAuxAclNotificationNeeded;
124 119 : mAuxAclNotificationNeeded = false;
125 119 : return needed;
126 : }
127 0 : return false;
128 : }
129 :
130 : protected:
131 : class GroupInfoIteratorImpl : public GroupInfoIterator
132 : {
133 : public:
134 : GroupInfoIteratorImpl(GroupDataProviderImpl & provider, FabricIndex fabric_index);
135 : size_t Count() override;
136 : bool Next(GroupInfo & output) override;
137 : void Release() override;
138 :
139 : protected:
140 : GroupDataProviderImpl & mProvider;
141 : FabricIndex mFabric = kUndefinedFabricIndex;
142 : uint16_t mNextId = 0;
143 : size_t mCount = 0;
144 : size_t mTotal = 0;
145 : };
146 :
147 : class GroupKeyIteratorImpl : public GroupKeyIterator
148 : {
149 : public:
150 : GroupKeyIteratorImpl(GroupDataProviderImpl & provider, FabricIndex fabric_index);
151 : size_t Count() override;
152 : bool Next(GroupKey & output) override;
153 : void Release() override;
154 :
155 : protected:
156 : GroupDataProviderImpl & mProvider;
157 : FabricIndex mFabric = kUndefinedFabricIndex;
158 : uint16_t mNextId = 0;
159 : size_t mCount = 0;
160 : size_t mTotal = 0;
161 : };
162 :
163 : class EndpointIteratorImpl : public EndpointIterator
164 : {
165 : public:
166 : EndpointIteratorImpl(GroupDataProviderImpl & provider, FabricIndex fabric_index, std::optional<GroupId> group_id);
167 : size_t Count() override;
168 : bool Next(GroupEndpoint & output) override;
169 : void Release() override;
170 :
171 : protected:
172 : GroupDataProviderImpl & mProvider;
173 : FabricIndex mFabric = kUndefinedFabricIndex;
174 : GroupId mFirstGroup = kUndefinedGroupId;
175 : uint16_t mGroup = 0;
176 : size_t mGroupIndex = 0;
177 : size_t mGroupCount = 0;
178 : uint16_t mEndpoint = 0;
179 : size_t mEndpointIndex = 0;
180 : size_t mEndpointCount = 0;
181 : bool mFirstEndpoint = true;
182 : };
183 :
184 : class GroupKeyContext : public Crypto::SymmetricKeyContext
185 : {
186 : public:
187 10 : GroupKeyContext(GroupDataProviderImpl & provider) : mProvider(provider) {}
188 :
189 4 : GroupKeyContext(GroupDataProviderImpl & provider, const Crypto::Symmetric128BitsKeyByteArray & encryptionKey, uint16_t hash,
190 4 : const Crypto::Symmetric128BitsKeyByteArray & privacyKey) :
191 4 : mProvider(provider)
192 :
193 : {
194 4 : TEMPORARY_RETURN_IGNORED Initialize(encryptionKey, hash, privacyKey);
195 4 : }
196 :
197 14 : CHIP_ERROR Initialize(const Crypto::Symmetric128BitsKeyByteArray & encryptionKey, uint16_t hash,
198 : const Crypto::Symmetric128BitsKeyByteArray & privacyKey)
199 : {
200 14 : ReleaseKeys();
201 14 : mKeyHash = hash;
202 : // TODO: Load group keys to the session keystore upon loading from persistent storage
203 : //
204 : // Group keys should be transformed into a key handle as soon as possible or even
205 : // the key storage should be taken over by SessionKeystore interface, but this looks
206 : // like more work, so let's use the transitional code below for now.
207 :
208 14 : Crypto::SessionKeystore * keystore = mProvider.GetSessionKeystore();
209 14 : ReturnErrorOnFailure(keystore->CreateKey(encryptionKey, mEncryptionKey));
210 14 : return keystore->CreateKey(privacyKey, mPrivacyKey);
211 : }
212 :
213 28 : void ReleaseKeys()
214 : {
215 28 : Crypto::SessionKeystore * keystore = mProvider.GetSessionKeystore();
216 28 : keystore->DestroyKey(mEncryptionKey);
217 28 : keystore->DestroyKey(mPrivacyKey);
218 28 : }
219 :
220 4 : uint16_t GetKeyHash() override { return mKeyHash; }
221 :
222 : CHIP_ERROR MessageEncrypt(const ByteSpan & plaintext, const ByteSpan & aad, const ByteSpan & nonce, MutableByteSpan & mic,
223 : MutableByteSpan & ciphertext) const override;
224 : CHIP_ERROR MessageDecrypt(const ByteSpan & ciphertext, const ByteSpan & aad, const ByteSpan & nonce, const ByteSpan & mic,
225 : MutableByteSpan & plaintext) const override;
226 : CHIP_ERROR PrivacyEncrypt(const ByteSpan & input, const ByteSpan & nonce, MutableByteSpan & output) const override;
227 : CHIP_ERROR PrivacyDecrypt(const ByteSpan & input, const ByteSpan & nonce, MutableByteSpan & output) const override;
228 :
229 : void Release() override;
230 :
231 : protected:
232 : GroupDataProviderImpl & mProvider;
233 : uint16_t mKeyHash = 0;
234 : Crypto::Aes128KeyHandle mEncryptionKey;
235 : Crypto::Aes128KeyHandle mPrivacyKey;
236 : };
237 :
238 : class KeySetIteratorImpl : public KeySetIterator
239 : {
240 : public:
241 : KeySetIteratorImpl(GroupDataProviderImpl & provider, FabricIndex fabric_index);
242 : size_t Count() override;
243 : bool Next(KeySet & output) override;
244 : void Release() override;
245 :
246 : protected:
247 : GroupDataProviderImpl & mProvider;
248 : FabricIndex mFabric = kUndefinedFabricIndex;
249 : uint16_t mNextId = 0;
250 : size_t mCount = 0;
251 : size_t mTotal = 0;
252 : };
253 :
254 : class GroupSessionIteratorImpl : public GroupSessionIterator
255 : {
256 : public:
257 : GroupSessionIteratorImpl(GroupDataProviderImpl & provider, uint16_t session_id);
258 : size_t Count() override;
259 : bool Next(GroupSession & output) override;
260 : void Release() override;
261 :
262 : protected:
263 : GroupDataProviderImpl & mProvider;
264 : uint16_t mSessionId = 0;
265 : FabricIndex mFirstFabric = kUndefinedFabricIndex;
266 : FabricIndex mFabric = kUndefinedFabricIndex;
267 : uint16_t mFabricCount = 0;
268 : uint16_t mFabricTotal = 0;
269 : uint16_t mMapping = 0;
270 : uint16_t mMapCount = 0;
271 : uint16_t mKeyIndex = 0;
272 : uint16_t mKeyCount = 0;
273 : bool mFirstMap = true;
274 : GroupKeyContext mGroupKeyContext;
275 : };
276 :
277 : PersistentStorageDelegate * mStorage = nullptr;
278 : Crypto::SessionKeystore * mSessionKeystore = nullptr;
279 : ObjectPool<GroupInfoIteratorImpl, kIteratorsMax> mGroupInfoIterators;
280 : ObjectPool<GroupKeyIteratorImpl, kIteratorsMax> mGroupKeyIterators;
281 : ObjectPool<EndpointIteratorImpl, kIteratorsMax> mEndpointIterators;
282 : ObjectPool<KeySetIteratorImpl, kIteratorsMax> mKeySetIterators;
283 : ObjectPool<GroupSessionIteratorImpl, kIteratorsMax> mGroupSessionsIterator;
284 : ObjectPool<GroupKeyContext, kIteratorsMax> mGroupKeyContexPool;
285 : bool mAuxAclNotificationNeeded = false;
286 : };
287 :
288 : } // namespace Credentials
289 : } // namespace chip
|
