Google Git
Sign in
fuchsia / third_party / openweave-core / refs/heads/upstream/bug/device-descriptor / . / src / lib / profiles / security / WeaveCASE.h
blob: 3113acd0930c1b1ddae7c6d939cd5ccb08156c52 [file] [log] [blame]
/*
*
* Copyright (c) 2013-2017 Nest Labs, Inc.
* All rights reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/**
* @file
* This file defines data types and objects for initiators and
* responders for the Weave Certificate Authenticated Session
* Establishment (CASE) protocol.
*
*/
#ifndef WEAVECASE_H_
#define WEAVECASE_H_
#include <Weave/Support/NLDLLUtil.h>
#include <Weave/Core/WeaveCore.h>
#include <Weave/Core/WeaveVendorIdentifiers.hpp>
#include <Weave/Profiles/security/WeaveSecurity.h>
#include <Weave/Profiles/security/WeaveCert.h>
#include <Weave/Support/ASN1.h>
#include <Weave/Support/CodeUtils.h>
#include <Weave/Support/crypto/EllipticCurve.h>
#include <Weave/Support/crypto/HashAlgos.h>
/**
* @namespace nl::Weave::Profiles::Security::CASE
*
* @brief
* This namespace includes all interfaces within Weave for the
* Certificate Authenticated Session Establishment (CASE)
* protocol within the Weave security profile.
*/
namespace nl {
namespace Weave {
namespace Profiles {
namespace Security {
namespace CASE {
using nl::Weave::ASN1::OID;
using nl::Weave::TLV::TLVWriter;
using nl::Weave::Platform::Security::SHA1;
using nl::Weave::Platform::Security::SHA256;
using nl::Weave::Crypto::EncodedECPublicKey;
using nl::Weave::Crypto::EncodedECPrivateKey;
using nl::Weave::Crypto::EncodedECDSASignature;
class WeaveCASEEngine;
// CASE Protocol Configuration Values
enum
{
kCASEConfig_NotSpecified = 0,
kCASEConfig_Config1 = (kWeaveVendor_NestLabs << 16) | 1,
kCASEConfig_Config2 = (kWeaveVendor_NestLabs << 16) | 2,
};
// Bit-field representing a set of allowed CASE protocol configurations
enum
{
kCASEAllowedConfig_Config1 = 0x01,
kCASEAllowedConfig_Config2 = 0x02,
kCASEAllowedConfig_Mask = 0x03, // NOTE: If you expand this mask, you must reconfigure
// the mFlags field in WeaveCASEEngine.
};
enum
{
kCASEKeyConfirmHashLength_0Bytes = 0x00,
kCASEKeyConfirmHashLength_32Bytes = 0x40,
kCASEKeyConfirmHashLength_20Bytes = 0x80,
kCASEKeyConfirmHashLength_Reserved = 0xC0,
};
// CASE Header Field Definitions
enum
{
// Control Header Fields
kCASEHeader_EncryptionTypeMask = 0x0F,
kCASEHeader_PerformKeyConfirmFlag = 0x80,
kCASEHeader_ControlHeaderUnusedBits = ~(kCASEHeader_EncryptionTypeMask |
kCASEHeader_PerformKeyConfirmFlag),
// Size Header Fields
kCASEHeader_DHPublicKeyLengthMask = 0x000000FF,
kCASEHeader_DHPublicKeyLengthShift = 0,
kCASEHeader_SignatureLengthMask = 0x0000FF00,
kCASEHeader_SignatureLengthShift = 8,
kCASEHeader_AlternateConfigCountMask = 0x00FF0000,
kCASEHeader_AlternateConfigCountShift = 16,
kCASEHeader_AlternateCurveCountMask = 0xFF000000,
kCASEHeader_AlternateCurveCountShift = 24,
// Mask for Key Confirm Hash Length field in CASEBeginSessionResponse
kCASEHeader_KeyConfirmHashLengthMask = 0xC0
};
/**
* Holds context information related to the generation or processing of a CASE begin session messages.
*/
class BeginSessionContext
{
public:
uint64_t PeerNodeId;
EncodedECPublicKey ECDHPublicKey;
const WeaveMessageInfo * MsgInfo;
uint32_t ProtocolConfig;
uint32_t CurveId;
const uint8_t * Payload;
const uint8_t * CertInfo;
const uint8_t * Signature;
uint16_t PayloadLength;
uint16_t CertInfoLength;
uint16_t SignatureLength;
bool IsBeginSessionRequest() const;
void SetIsBeginSessionRequest(bool val);
bool IsInitiator() const;
void SetIsInitiator(bool val);
bool PerformKeyConfirm() const;
void SetPerformKeyConfirm(bool val);
protected:
enum
{
kFlag_IsBeginSessionRequest = 0x01,
kFlag_IsInitiator = 0x02,
kFlag_PerformKeyConfirm = 0x04,
};
uint8_t Flags;
};
/**
* Holds context information related to the generation or processing of a CASE BeginSessionRequest message.
*/
class BeginSessionRequestContext : public BeginSessionContext
{
public:
enum
{
kMaxAlternateProtocolConfigs = 4,
kMaxAlternateCurveIds = 4
};
uint32_t AlternateConfigs[kMaxAlternateProtocolConfigs];
uint32_t AlternateCurveIds[kMaxAlternateCurveIds];
uint16_t SessionKeyId;
uint8_t AlternateConfigCount;
uint8_t AlternateCurveCount;
uint8_t EncryptionType;
WEAVE_ERROR EncodeHead(PacketBuffer * msgBuf);
WEAVE_ERROR DecodeHead(PacketBuffer * msgBuf);
uint16_t HeadLength(void);
void Reset(void);
bool IsAltConfig(uint32_t config) const;
};
/**
* Holds context information related to the generation or processing of a CASE BeginSessionRequest message.
*/
class BeginSessionResponseContext : public BeginSessionContext
{
public:
const uint8_t * KeyConfirmHash;
uint8_t KeyConfirmHashLength;
WEAVE_ERROR EncodeHead(PacketBuffer * msgBuf);
WEAVE_ERROR DecodeHead(PacketBuffer * msgBuf);
uint16_t HeadLength(void);
void Reset(void);
};
/**
* Holds information related to the generation or processing of a CASE Reconfigure message.
*/
class ReconfigureContext
{
public:
uint32_t ProtocolConfig;
uint32_t CurveId;
WEAVE_ERROR Encode(PacketBuffer *buf);
void Reset(void);
static WEAVE_ERROR Decode(PacketBuffer *buf, ReconfigureContext& msg);
};
/**
* Abstract interface to which authentication actions are delegated during CASE
* session establishment.
*/
class WeaveCASEAuthDelegate
{
public:
#if !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
// ===== Abstract Interface methods
/**
* Encode CASE Certificate Information for the local node.
*
* Implementations can use this call to override the default encoding of the CASE
* CertificateInformation structure for the local node. When called, the
* implementation should write a CertificateInformation structure containing, at
* a minimum, the local node's entity certificate. Implementation may optionally
* include a set of related certificates and/or trust anchors.
*/
virtual WEAVE_ERROR EncodeNodeCertInfo(const BeginSessionContext & msgCtx, TLVWriter & writer) = 0;
/** Generate a signature using local node's private key.
*
* When invoked, implementations must compute a signature on the given hash value using the node's
* private key. The generated signature should then be written in the form of a CASE ECDSASignature
* structure to the supplied TLV writing using the specified tag.
*
* In cases where the node's private key is held in a local buffer, the GenerateAndEncodeWeaveECDSASignature()
* utility function can be useful for implementing this method.
*/
virtual WEAVE_ERROR GenerateNodeSignature(const BeginSessionContext & msgCtx,
const uint8_t * msgHash, uint8_t msgHashLen,
TLVWriter & writer, uint64_t tag) = 0;
/**
* Encode an application-specific payload to be included in the CASE message to the peer.
*
* Implementing this method is optional. The default implementation returns a zero-length
* payload.
*/
virtual WEAVE_ERROR EncodeNodePayload(const BeginSessionContext & msgCtx,
uint8_t * payloadBuf, uint16_t payloadBufSize, uint16_t & payloadLen);
/**
* Called at the start of certificate validation.
*
* Implementations must initialize the supplied WeaveCertificateSet object with sufficient
* resources to handle the upcoming certificate validation. At this time Implementations
* may load trusted root or CA certificates into the certificate set, or wait until
* OnPeerCertsLoaded() is called.
*
* Each certificate loaded into the certificate set will be assigned a default certificate
* type by the load function. Implementations should adjust these types as necessary to
* ensure the correct treatment of the certificate during validation, and the correct
* assignment of WeaveAuthMode for CASE interactions.
*
* The supplied validation context will be initialized with a set of default validation
* criteria, which the implementation may alter as necessary. The implementation must
* either set the EffectiveTime field, or set the appropriate validation flags to suppress
* certificate lifetime validation.
*
* If detailed validation results are desired, the implementation may initialize the
* CertValidationResults and CertValidationLen fields.
*
* Implementations are required to maintain any resources allocated during BeginValidation()
* until the corresponding EndValidation() is called is made. Implementations are guaranteed
* that EndValidation() will be called exactly once for each successful call to BeginValidation().
*/
virtual WEAVE_ERROR BeginValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet) = 0;
/**
* Called after the peer's certificates have been loaded.
*
* Implementations may use this call to finalize the input certificates and the validation
* criteria that will be used to perform validation of the peer's certificate. At call time,
* the certificates supplied by the peer will have been loaded into the certificate set
* (including its own certificate, if present). Additionally, the subjectDN and subjectKeyId
* arguments will have been initialized to values that will be used to resolve the peer's
* certificate from the certificate set. If the peer supplied its own certificate (rather
* than a certificate reference) then the EntityCert field within the validCtx argument will
* contain a pointer to that certificate.
*
* During this called, implementations may modify the contents of the certificate set, including
* adding new certificates. They may also alter the subjectDN, subjectKeyId or validCtx
* arguments as necessary. Most importantly, implementations should adjust the certificate type
* fields with the certificate set prior to returning to ensure correct treatment of certificates
* during validation and subsequent access control checks.
*
* NOTE: In the event that the peer supplies a certificate reference for itself, rather than a
* full certificate, the EntityCert field in the validation context will contain a NULL. If an
* implementation wishes to support certificate references, it must add a certificate matching
* the peer's subject DN and key id to the certificate set prior to returning.
*
* Implementing this method is optional. The default implementation does nothing.
*/
virtual WEAVE_ERROR OnPeerCertsLoaded(const BeginSessionContext & msgCtx, WeaveDN & subjectDN,
CertificateKeyId & subjectKeyId, ValidationContext & validCtx, WeaveCertificateSet& certSet);
/**
* Called with the result of certificate validation.
*
* Implementations may use this call to inspect, and possibly alter, the result of validation
* of the peer's certificate. If validation was successful, validRes will be set to WEAVE_NO_ERROR.
* In this case, the validation context will contain details regarding the result. In particular,
* the TrustAnchor field will be set to the trust anchor certificate.
*
* If the implementation initialized the CertValidationResults and CertValidationLen fields within
* the ValidationContext structure during the BeginValidation() called, then these fields will
* contained detailed validation results for each certificate in the certificate set.
*
* Implementations may override this by setting validRes to an error value, thereby causing validation to fail.
*
* If validation failed, validRes will reflect the reason for the failure. Implementations may
* override the result to a different error value, but MUST NOT set the result to WEAVE_NO_ERROR.
*/
virtual WEAVE_ERROR HandleValidationResult(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet, WEAVE_ERROR & validRes) = 0;
/** Called at the end of certificate validation.
*
* Implementations may use this call to perform cleanup after certification validation completes.
* Implementations are guaranteed that EndValidation() will be called exactly once for each
* successful call to BeginValidation().
*/
virtual void EndValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet) = 0;
#else // !WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
// ===== Legacy interface methods
// Get the CASE Certificate Information structure for the local node.
virtual WEAVE_ERROR GetNodeCertInfo(bool isInitiator, uint8_t * buf, uint16_t bufSize, uint16_t & certInfoLen) = 0;
// Get the local node's private key.
virtual WEAVE_ERROR GetNodePrivateKey(bool isInitiator, const uint8_t *& weavePrivKey, uint16_t & weavePrivKeyLen) = 0;
// Called when the CASE engine is done with the buffer returned by GetNodePrivateKey().
virtual WEAVE_ERROR ReleaseNodePrivateKey(const uint8_t * weavePrivKey) = 0;
// Get payload information, if any, to be included in the message to the peer.
virtual WEAVE_ERROR GetNodePayload(bool isInitiator, uint8_t * buf, uint16_t bufSize, uint16_t & payloadLen) = 0;
// Prepare the supplied certificate set and validation context for use in validating the certificate of a peer.
// This method is responsible for loading the trust anchors into the certificate set.
virtual WEAVE_ERROR BeginCertValidation(bool isInitiator, WeaveCertificateSet & certSet, ValidationContext & validCtx) = 0;
// Called with the results of validating the peer's certificate. If basic cert validation was successful, this method can
// cause validation to fail by setting validRes, e.g. in the event that the peer's certificate is somehow unacceptable.
virtual WEAVE_ERROR HandleCertValidationResult(bool isInitiator, WEAVE_ERROR & validRes, WeaveCertificateData * peerCert,
uint64_t peerNodeId, WeaveCertificateSet & certSet, ValidationContext & validCtx) = 0;
// Called when peer certificate validation is complete.
virtual WEAVE_ERROR EndCertValidation(WeaveCertificateSet & certSet, ValidationContext & validCtx) = 0;
private:
// ===== Private members that provide compatibility with the non-legacy interface.
friend class WeaveCASEEngine;
WEAVE_ERROR GenerateNodeSignature(const BeginSessionContext & msgCtx,
const uint8_t * msgHash, uint8_t msgHashLen, TLVWriter & writer, uint64_t tag);
WEAVE_ERROR EncodeNodePayload(const BeginSessionContext & msgCtx,
uint8_t * payloadBuf, uint16_t payloadBufSize, uint16_t & payloadLen);
WEAVE_ERROR BeginValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet);
WEAVE_ERROR OnPeerCertsLoaded(const BeginSessionContext & msgCtx, WeaveDN & subjectDN,
CertificateKeyId & subjectKeyId, ValidationContext & validCtx, WeaveCertificateSet& certSet);
WEAVE_ERROR HandleValidationResult(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet, WEAVE_ERROR & validRes);
void EndValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet);
#endif // WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
};
/**
* Implements the core logic of the Weave CASE protocol.
*/
class NL_DLL_EXPORT WeaveCASEEngine
{
public:
enum EngineState
{
kState_Idle = 0,
kState_BeginRequestGenerated = 1,
kState_BeginResponseProcessed = 2,
kState_BeginRequestProcessed = 3,
kState_BeginResponseGenerated = 4,
kState_Complete = 5,
kState_Failed = 6
};
WeaveCASEAuthDelegate *AuthDelegate; // Authentication delegate object
uint8_t State; // [READ-ONLY] Current protocol state
uint8_t EncryptionType; // [READ-ONLY] Proposed Weave encryption type
uint16_t SessionKeyId; // [READ-ONLY] Proposed session key id
void Init(void);
void Shutdown(void);
void Reset(void);
void SetAlternateConfigs(BeginSessionRequestContext & reqCtx);
void SetAlternateCurves(BeginSessionRequestContext & reqCtx);
WEAVE_ERROR GenerateBeginSessionRequest(BeginSessionRequestContext & reqCtx, PacketBuffer * msgBuf);
WEAVE_ERROR ProcessBeginSessionRequest(PacketBuffer * msgBuf, BeginSessionRequestContext & reqCtx, ReconfigureContext & reconfCtx);
WEAVE_ERROR GenerateBeginSessionResponse(BeginSessionResponseContext & respCtx, PacketBuffer * msgBuf,
BeginSessionRequestContext & reqCtx);
WEAVE_ERROR ProcessBeginSessionResponse(PacketBuffer * msgBuf, BeginSessionResponseContext & respCtx);
WEAVE_ERROR GenerateInitiatorKeyConfirm(PacketBuffer * msgBuf);
WEAVE_ERROR ProcessInitiatorKeyConfirm(PacketBuffer * msgBuf);
WEAVE_ERROR ProcessReconfigure(PacketBuffer * msgBuf, ReconfigureContext & reconfCtx);
WEAVE_ERROR GetSessionKey(const WeaveEncryptionKey *& encKey);
bool IsInitiator() const;
uint32_t SelectedConfig() const;
uint32_t SelectedCurve() const;
bool PerformingKeyConfirm() const;
uint8_t AllowedConfigs() const;
void SetAllowedConfigs(uint8_t allowedConfigs);
bool IsAllowedConfig(uint32_t config) const;
uint8_t AllowedCurves() const;
void SetAllowedCurves(uint8_t allowedCurves);
bool IsAllowedCurve(uint32_t curveId) const;
bool ResponderRequiresKeyConfirm() const;
void SetResponderRequiresKeyConfirm(bool val);
uint8_t CertType() const;
void SetCertType(uint8_t certType);
#if WEAVE_CONFIG_SECURITY_TEST_MODE
bool UseKnownECDHKey() const;
void SetUseKnownECDHKey(bool val);
#endif
private:
enum
{
kMaxHashLength = SHA256::kHashLength,
kMaxECDHPrivateKeySize = ((WEAVE_CONFIG_MAX_EC_BITS + 7) / 8) + 1,
kMaxECDHSharedSecretSize = kMaxECDHPrivateKeySize
};
enum
{
kFlag_IsInitiator = 0x80,
kFlag_PerformingKeyConfirm = 0x40,
kFlag_IsUsingConfig1 = 0x20,
kFlag_ResponderRequiresKeyConfirm = 0x10,
kFlag_HasReconfigured = 0x08,
#if WEAVE_CONFIG_SECURITY_TEST_MODE
kFlag_UseKnownECDHKey = 0x04,
#endif
kFlag_Reserved = kCASEAllowedConfig_Mask // Bottom 2 bits reserved for allowed configs flags
};
union
{
struct
{
uint16_t ECDHPrivateKeyLength;
uint8_t ECDHPrivateKey[kMaxECDHPrivateKeySize];
uint8_t RequestMsgHash[kMaxHashLength];
} BeforeKeyGen;
struct
{
WeaveEncryptionKey EncryptionKey;
uint8_t InitiatorKeyConfirmHash[kMaxHashLength];
} AfterKeyGen;
} mSecureState;
uint32_t mCurveId;
uint8_t mAllowedCurves;
uint8_t mFlags;
uint8_t mCertType;
bool IsUsingConfig1() const;
void SetSelectedConfig(uint32_t config);
void SetIsInitiator(bool val);
bool HasReconfigured() const;
void SetHasReconfigured(bool val);
void SetPerformingKeyConfirm(bool val);
bool IsConfig1Allowed() const;
bool IsConfig2Allowed() const;
uint8_t ConfigHashLength() const;
WEAVE_ERROR VerifyProposedConfig(BeginSessionRequestContext & reqCtx, uint32_t & selectedAltConfig);
WEAVE_ERROR VerifyProposedCurve(BeginSessionRequestContext & reqCtx, uint32_t & selectedAltCurve);
WEAVE_ERROR AppendNewECDHKey(BeginSessionContext & msgCtx, PacketBuffer * msgBuf);
WEAVE_ERROR AppendCertInfo(BeginSessionContext & msgCtx, PacketBuffer * msgBuf);
WEAVE_ERROR AppendPayload(BeginSessionContext & msgCtx, PacketBuffer * msgBuf);
WEAVE_ERROR AppendSignature(BeginSessionContext & msgCtx, PacketBuffer * msgBuf, uint8_t * msgHash);
WEAVE_ERROR VerifySignature(BeginSessionContext & msgCtx, PacketBuffer * msgBuf, uint8_t * msgHash);
static WEAVE_ERROR DecodeCertificateInfo(BeginSessionContext & msgCtx, WeaveCertificateSet & certSet,
WeaveDN & entityCertDN, CertificateKeyId & entityCertSubjectKeyId);
WEAVE_ERROR DeriveSessionKeys(EncodedECPublicKey & pubKey, const uint8_t * respMsgHash, uint8_t * responderKeyConfirmHash);
void GenerateHash(const uint8_t * inData, uint16_t inDataLen, uint8_t * hash);
void GenerateKeyConfirmHashes(const uint8_t * keyConfirmKey, uint8_t * singleHash, uint8_t * doubleHash);
};
// Utility Functions
WEAVE_ERROR EncodeCASECertInfo(uint8_t * buf, uint16_t bufSize, uint16_t& certInfoLen,
const uint8_t * entityCert, uint16_t entityCertLen,
const uint8_t * intermediateCert, uint16_t intermediateCertLen);
WEAVE_ERROR EncodeCASECertInfo(TLVWriter & writer,
const uint8_t * entityCert, uint16_t entityCertLen,
const uint8_t * intermediateCert, uint16_t intermediateCertLen);
// Inline Methods
inline bool BeginSessionContext::IsBeginSessionRequest() const
{
return GetFlag(Flags, kFlag_IsBeginSessionRequest);
}
inline void BeginSessionContext::SetIsBeginSessionRequest(bool val)
{
SetFlag(Flags, kFlag_IsBeginSessionRequest, val);
}
inline bool BeginSessionContext::IsInitiator() const
{
return GetFlag(Flags, kFlag_IsInitiator);
}
inline void BeginSessionContext::SetIsInitiator(bool val)
{
SetFlag(Flags, kFlag_IsInitiator, val);
}
inline bool BeginSessionContext::PerformKeyConfirm() const
{
return GetFlag(Flags, kFlag_PerformKeyConfirm);
}
inline void BeginSessionContext::SetPerformKeyConfirm(bool val)
{
SetFlag(Flags, kFlag_PerformKeyConfirm, val);
}
inline uint16_t BeginSessionRequestContext::HeadLength(void)
{
return (1 + // control header
1 + // alternate config count
1 + // alternate curve count
1 + // DH public key length
2 + // certificate information length
2 + // payload length
4 + // proposed protocol config
4 + // proposed elliptic curve
2 + // session key id
(AlternateConfigCount * 4) + // alternate config list
(AlternateCurveCount * 4)); // alternate curve list
}
inline void BeginSessionRequestContext::Reset(void)
{
memset(this, 0, sizeof(*this));
Flags = kFlag_IsBeginSessionRequest;
}
inline uint16_t BeginSessionResponseContext::HeadLength(void)
{
return (1 + // control header
1 + // DH public key length
2 + // certificate information length
2); // payload length
}
inline void BeginSessionResponseContext::Reset(void)
{
memset(this, 0, sizeof(*this));
}
inline void ReconfigureContext::Reset(void)
{
memset(this, 0, sizeof(*this));
}
#if WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
inline WEAVE_ERROR WeaveCASEAuthDelegate::EncodeNodePayload(const BeginSessionContext & msgCtx,
uint8_t * payloadBuf, uint16_t payloadBufSize, uint16_t & payloadLen)
{
return GetNodePayload(msgCtx.IsInitiator(), payloadBuf, payloadBufSize, payloadLen);
}
inline WEAVE_ERROR WeaveCASEAuthDelegate::BeginValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet)
{
return BeginCertValidation(msgCtx.IsInitiator(), certSet, validCtx);
}
inline WEAVE_ERROR WeaveCASEAuthDelegate::OnPeerCertsLoaded(const BeginSessionContext & msgCtx, WeaveDN & subjectDN,
CertificateKeyId & subjectKeyId, ValidationContext & validCtx, WeaveCertificateSet& certSet)
{
return WEAVE_NO_ERROR;
}
inline WEAVE_ERROR WeaveCASEAuthDelegate::HandleValidationResult(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet, WEAVE_ERROR & validRes)
{
return HandleCertValidationResult(msgCtx.IsInitiator(), validRes, validCtx.SigningCert, msgCtx.PeerNodeId, certSet, validCtx);
}
inline void WeaveCASEAuthDelegate::EndValidation(const BeginSessionContext & msgCtx, ValidationContext & validCtx,
WeaveCertificateSet & certSet)
{
EndCertValidation(certSet, validCtx);
}
#endif // WEAVE_CONFIG_LEGACY_CASE_AUTH_DELEGATE
inline bool WeaveCASEEngine::IsUsingConfig1() const
{
#if WEAVE_CONFIG_SUPPORT_CASE_CONFIG1
return (mFlags & kFlag_IsUsingConfig1) != 0;
#else
return false;
#endif
}
inline void WeaveCASEEngine::SetSelectedConfig(uint32_t config)
{
#if WEAVE_CONFIG_SUPPORT_CASE_CONFIG1
if (config == kCASEConfig_Config1)
mFlags |= kFlag_IsUsingConfig1;
else
mFlags &= ~kFlag_IsUsingConfig1;
#else
IgnoreUnusedVariable(config);
#endif
}
inline uint32_t WeaveCASEEngine::SelectedCurve() const
{
return mCurveId;
}
inline uint8_t WeaveCASEEngine::AllowedConfigs() const
{
return mFlags & kCASEAllowedConfig_Mask;
}
inline void WeaveCASEEngine::SetAllowedConfigs(uint8_t allowedConfigs)
{
mFlags = (mFlags & ~kCASEAllowedConfig_Mask) | (allowedConfigs & kCASEAllowedConfig_Mask);
}
inline bool WeaveCASEEngine::IsConfig1Allowed() const
{
#if WEAVE_CONFIG_SUPPORT_CASE_CONFIG1
return (mFlags & kCASEAllowedConfig_Config1) != 0;
#else
return false;
#endif
}
inline bool WeaveCASEEngine::IsConfig2Allowed() const
{
return (mFlags & kCASEAllowedConfig_Config2) != 0;
}
inline uint8_t WeaveCASEEngine::AllowedCurves() const
{
return mAllowedCurves;
}
inline void WeaveCASEEngine::SetAllowedCurves(uint8_t allowedCurves)
{
mAllowedCurves = allowedCurves;
}
inline bool WeaveCASEEngine::IsAllowedCurve(uint32_t curveId) const
{
return IsCurveInSet(curveId, mAllowedCurves);
}
inline bool WeaveCASEEngine::IsInitiator() const
{
return (mFlags & kFlag_IsInitiator) != 0;
}
inline void WeaveCASEEngine::SetIsInitiator(bool val)
{
if (val)
mFlags |= kFlag_IsInitiator;
else
mFlags &= ~kFlag_IsInitiator;
}
inline bool WeaveCASEEngine::PerformingKeyConfirm() const
{
return (mFlags & kFlag_PerformingKeyConfirm) != 0;
}
inline void WeaveCASEEngine::SetPerformingKeyConfirm(bool val)
{
if (val)
mFlags |= kFlag_PerformingKeyConfirm;
else
mFlags &= ~kFlag_PerformingKeyConfirm;
}
inline bool WeaveCASEEngine::ResponderRequiresKeyConfirm() const
{
return (mFlags & kFlag_ResponderRequiresKeyConfirm) != 0;
}
inline void WeaveCASEEngine::SetResponderRequiresKeyConfirm(bool val)
{
if (val)
mFlags |= kFlag_ResponderRequiresKeyConfirm;
else
mFlags &= ~kFlag_ResponderRequiresKeyConfirm;
}
inline bool WeaveCASEEngine::HasReconfigured() const
{
return (mFlags & kFlag_HasReconfigured) != 0;
}
inline void WeaveCASEEngine::SetHasReconfigured(bool val)
{
if (val)
mFlags |= kFlag_HasReconfigured;
else
mFlags &= ~kFlag_HasReconfigured;
}
inline uint8_t WeaveCASEEngine::ConfigHashLength() const
{
if (IsUsingConfig1())
return SHA1::kHashLength;
else
return SHA256::kHashLength;
}
inline uint8_t WeaveCASEEngine::CertType() const
{
return mCertType;
}
inline void WeaveCASEEngine::SetCertType(uint8_t certType)
{
mCertType = certType;
}
#if WEAVE_CONFIG_SECURITY_TEST_MODE
inline bool WeaveCASEEngine::UseKnownECDHKey() const
{
return (mFlags & kFlag_UseKnownECDHKey) != 0;
}
inline void WeaveCASEEngine::SetUseKnownECDHKey(bool val)
{
if (val)
mFlags |= kFlag_UseKnownECDHKey;
else
mFlags &= ~kFlag_UseKnownECDHKey;
}
#endif // WEAVE_CONFIG_SECURITY_TEST_MODE
} // namespace CASE
} // namespace Security
} // namespace Profiles
} // namespace Weave
} // namespace nl
#endif /* WEAVECASE_H_ */