Implement CASE session resumption (#16741)

* Implement CASE session resumption

* Fix span usage

* Introduce SimpleSessionResumptionStorage as an example implementation.

* Allow inject session resumption storage for server

examples/pump-app/cc13x2x7_26x2x7/args.gni

@@ -35,6 +35,9 @@ chip_enable_ota_requestor = true
 # BLE options
 chip_config_network_layer_ble = true
 
+# Disable session resumption due to lack of code space
+chip_enable_session_resumption = false
+
 # Disable lock tracking, since our FreeRTOS configuration does not set
 # INCLUDE_xSemaphoreGetMutexHolder
 chip_stack_lock_tracking = "none"

examples/tv-casting-app/linux/main.cpp

@@ -322,10 +322,11 @@ class TargetVideoPlayerInfo
         }
 
         chip::DeviceProxyInitParams initParams = {
-            .sessionManager = &(server->GetSecureSessionManager()),
-            .exchangeMgr    = &(server->GetExchangeManager()),
-            .fabricTable    = &(server->GetFabricTable()),
-            .clientPool     = &gCASEClientPool,
+            .sessionManager           = &(server->GetSecureSessionManager()),
+            .sessionResumptionStorage = server->GetSessionResumptionStorage(),
+            .exchangeMgr              = &(server->GetExchangeManager()),
+            .fabricTable              = &(server->GetFabricTable()),
+            .clientPool               = &gCASEClientPool,
         };
 
         PeerId peerID           = fabric->GetPeerIdForNode(nodeId);

src/app/BUILD.gn

@@ -22,13 +22,17 @@ declare_args() {
   # Enable strict schema checks.
   chip_enable_schema_check =
       is_debug && (current_os == "linux" || current_os == "mac")
+  chip_enable_session_resumption = true
 }
 
 buildconfig_header("app_buildconfig") {
   header = "AppBuildConfig.h"
   header_dir = "app"
 
-  defines = [ "CHIP_CONFIG_IM_ENABLE_SCHEMA_CHECK=${chip_enable_schema_check}" ]
+  defines = [
+    "CHIP_CONFIG_IM_ENABLE_SCHEMA_CHECK=${chip_enable_schema_check}",
+    "CHIP_CONFIG_ENABLE_SESSION_RESUMPTION=${chip_enable_session_resumption}",
+  ]
 }
 
 static_library("app") {

src/app/CASEClient.cpp

@@ -46,7 +46,8 @@ CHIP_ERROR CASEClient::EstablishSession(PeerId peer, const Transport::PeerAddres
 
     mCASESession.SetGroupDataProvider(mInitParams.groupDataProvider);
     ReturnErrorOnFailure(mCASESession.EstablishSession(*mInitParams.sessionManager, peerAddress, mInitParams.fabricInfo,
-                                                       peer.GetNodeId(), exchange, this, mInitParams.mrpLocalConfig));
+                                                       peer.GetNodeId(), exchange, mInitParams.sessionResumptionStorage, this,
+                                                       mInitParams.mrpLocalConfig));
     mConnectionSuccessCallback = onConnection;
     mConnectionFailureCallback = onFailure;
     mConectionContext          = context;

src/app/CASEClient.h

@@ -31,10 +31,11 @@ typedef void (*OnCASEConnectionFailure)(void * context, CASEClient * client, CHI
 
 struct CASEClientInitParams
 {
-    SessionManager * sessionManager                    = nullptr;
-    Messaging::ExchangeManager * exchangeMgr           = nullptr;
-    FabricInfo * fabricInfo                            = nullptr;
-    Credentials::GroupDataProvider * groupDataProvider = nullptr;
+    SessionManager * sessionManager                     = nullptr;
+    SessionResumptionStorage * sessionResumptionStorage = nullptr;
+    Messaging::ExchangeManager * exchangeMgr            = nullptr;
+    FabricInfo * fabricInfo                             = nullptr;
+    Credentials::GroupDataProvider * groupDataProvider  = nullptr;
 
     Optional<ReliableMessageProtocolConfig> mrpLocalConfig = Optional<ReliableMessageProtocolConfig>::Missing();
 };

src/app/OperationalDeviceProxy.cpp

@@ -167,9 +167,9 @@ bool OperationalDeviceProxy::GetAddress(Inet::IPAddress & addr, uint16_t & port)
 
 CHIP_ERROR OperationalDeviceProxy::EstablishConnection()
 {
-    mCASEClient =
-        mInitParams.clientPool->Allocate(CASEClientInitParams{ mInitParams.sessionManager, mInitParams.exchangeMgr, mFabricInfo,
-                                                               mInitParams.groupDataProvider, mInitParams.mrpLocalConfig });
+    mCASEClient = mInitParams.clientPool->Allocate(
+        CASEClientInitParams{ mInitParams.sessionManager, mInitParams.sessionResumptionStorage, mInitParams.exchangeMgr,
+                              mFabricInfo, mInitParams.groupDataProvider, mInitParams.mrpLocalConfig });
     ReturnErrorCodeIf(mCASEClient == nullptr, CHIP_ERROR_NO_MEMORY);
     CHIP_ERROR err =
         mCASEClient->EstablishSession(mPeerId, mDeviceAddress, mMRPConfig, HandleCASEConnected, HandleCASEConnectionFailure, this);

src/app/OperationalDeviceProxy.h

@@ -48,17 +48,19 @@ namespace chip {
 
 struct DeviceProxyInitParams
 {
-    SessionManager * sessionManager                    = nullptr;
-    Messaging::ExchangeManager * exchangeMgr           = nullptr;
-    FabricTable * fabricTable                          = nullptr;
-    CASEClientPoolDelegate * clientPool                = nullptr;
-    Credentials::GroupDataProvider * groupDataProvider = nullptr;
+    SessionManager * sessionManager                     = nullptr;
+    SessionResumptionStorage * sessionResumptionStorage = nullptr;
+    Messaging::ExchangeManager * exchangeMgr            = nullptr;
+    FabricTable * fabricTable                           = nullptr;
+    CASEClientPoolDelegate * clientPool                 = nullptr;
+    Credentials::GroupDataProvider * groupDataProvider  = nullptr;
 
     Optional<ReliableMessageProtocolConfig> mrpLocalConfig = Optional<ReliableMessageProtocolConfig>::Missing();
 
     CHIP_ERROR Validate() const
     {
         ReturnErrorCodeIf(sessionManager == nullptr, CHIP_ERROR_INCORRECT_STATE);
+        // sessionResumptionStorage can be nullptr when resumption is disabled
         ReturnErrorCodeIf(exchangeMgr == nullptr, CHIP_ERROR_INCORRECT_STATE);
         ReturnErrorCodeIf(fabricTable == nullptr, CHIP_ERROR_INCORRECT_STATE);
         ReturnErrorCodeIf(groupDataProvider == nullptr, CHIP_ERROR_INCORRECT_STATE);

src/app/server/Server.cpp

@@ -115,7 +115,8 @@ CHIP_ERROR Server::Init(const ServerInitParams & initParams)
     mCommissioningWindowManager.SetAppDelegate(initParams.appDelegate);
 
     // Initialize PersistentStorageDelegate-based storage
-    mDeviceStorage = initParams.persistentStorageDelegate;
+    mDeviceStorage            = initParams.persistentStorageDelegate;
+    mSessionResumptionStorage = initParams.sessionResumptionStorage;
 
     // Set up attribute persistence before we try to bring up the data model
     // handler.
@@ -237,6 +238,7 @@ CHIP_ERROR Server::Init(const ServerInitParams & initParams)
     caseSessionManagerConfig = {
         .sessionInitParams =  {
             .sessionManager    = &mSessions,
+            .sessionResumptionStorage = mSessionResumptionStorage,
             .exchangeMgr       = &mExchangeMgr,
             .fabricTable       = &mFabrics,
             .clientPool        = &mCASEClientPool,
@@ -255,7 +257,7 @@ CHIP_ERROR Server::Init(const ServerInitParams & initParams)
 #if CONFIG_NETWORK_LAYER_BLE
                                                     chip::DeviceLayer::ConnectivityMgr().GetBleLayer(),
 #endif
-                                                    &mSessions, &mFabrics, mGroupsProvider);
+                                                    &mSessions, &mFabrics, mSessionResumptionStorage, mGroupsProvider);
     SuccessOrExit(err);
 
     // This code is necessary to restart listening to existing groups after a reboot

src/app/server/Server.h

@@ -17,6 +17,8 @@
 
 #pragma once
 
+#include <app/AppBuildConfig.h>
+
 #include <access/AccessControl.h>
 #include <access/examples/ExampleAccessControlDelegate.h>
 #include <app/CASEClientPool.h>
@@ -38,6 +40,9 @@
 #include <protocols/secure_channel/MessageCounterManager.h>
 #include <protocols/secure_channel/PASESession.h>
 #include <protocols/secure_channel/RendezvousParameters.h>
+#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
+#include <protocols/secure_channel/SimpleSessionResumptionStorage.h>
+#endif
 #include <protocols/user_directed_commissioning/UserDirectedCommissioning.h>
 #include <transport/SessionManager.h>
 #include <transport/TransportMgr.h>
@@ -83,6 +88,9 @@ struct ServerInitParams
     // Persistent storage delegate: MUST be injected. Used to maintain storage by much common code.
     // Must be initialized before being provided.
     PersistentStorageDelegate * persistentStorageDelegate = nullptr;
+    // Session resumption storage: Optional. Support session resumption when provided.
+    // Must be initialized before being provided.
+    SessionResumptionStorage * sessionResumptionStorage = nullptr;
     // Group data provider: MUST be injected. Used to maintain critical keys such as the Identity
     // Protection Key (IPK) for CASE. Must be initialized before being provided.
     Credentials::GroupDataProvider * groupDataProvider = nullptr;
@@ -139,6 +147,9 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
     {
         static chip::KvsPersistentStorageDelegate sKvsPersistenStorageDelegate;
         static chip::Credentials::GroupDataProviderImpl sGroupDataProvider;
+#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
+        static chip::SimpleSessionResumptionStorage sSessionResumptionStorage;
+#endif
 
         // KVS-based persistent storage delegate injection
         chip::DeviceLayer::PersistedStorage::KeyValueStoreManager & kvsManager = DeviceLayer::PersistedStorage::KeyValueStoreMgr();
@@ -150,6 +161,13 @@ struct CommonCaseDeviceServerInitParams : public ServerInitParams
         ReturnErrorOnFailure(sGroupDataProvider.Init());
         this->groupDataProvider = &sGroupDataProvider;
 
+#if CHIP_CONFIG_ENABLE_SESSION_RESUMPTION
+        ReturnErrorOnFailure(sSessionResumptionStorage.Init(&sKvsPersistenStorageDelegate));
+        this->sessionResumptionStorage = &sSessionResumptionStorage;
+#else
+        this->sessionResumptionStorage = nullptr;
+#endif
+
         // Inject access control delegate
         this->accessDelegate = Access::Examples::GetAccessControlDelegate(&sKvsPersistenStorageDelegate);
 
@@ -198,6 +216,8 @@ class Server
 
     SessionManager & GetSecureSessionManager() { return mSessions; }
 
+    SessionResumptionStorage * GetSessionResumptionStorage() { return mSessionResumptionStorage; }
+
     TransportMgrBase & GetTransportManager() { return mTransports; }
 
     Credentials::GroupDataProvider * GetGroupDataProvider() { return mGroupsProvider; }
@@ -313,6 +333,7 @@ class Server
     CommissioningWindowManager mCommissioningWindowManager;
 
     PersistentStorageDelegate * mDeviceStorage;
+    SessionResumptionStorage * mSessionResumptionStorage;
     Credentials::GroupDataProvider * mGroupsProvider;
     app::DefaultAttributePersistenceProvider mAttributePersister;
     GroupDataProviderListener mListener;

src/app/tests/TestOperationalDeviceProxy.cpp

@@ -45,6 +45,7 @@ void TestOperationalDeviceProxy_EstablishSessionDirectly(nlTestSuite * inSuite,
     Platform::MemoryInit();
     TestTransportMgr transportMgr;
     SessionManager sessionManager;
+    SessionResumptionStorage sessionResumptionStorage;
     ExchangeManager exchangeMgr;
     Inet::UDPEndPointManagerImpl udpEndPointManager;
     System::LayerImpl systemLayer;
@@ -61,17 +62,19 @@ void TestOperationalDeviceProxy_EstablishSessionDirectly(nlTestSuite * inSuite,
     udpEndPointManager.Init(systemLayer);
     transportMgr.Init(UdpListenParameters(udpEndPointManager).SetAddressType(Inet::IPAddressType::kIPv4).SetListenPort(CHIP_PORT));
     sessionManager.Init(&systemLayer, &transportMgr, &messageCounterManager, &deviceStorage);
+    sessionResumptionStorage.Init(&deviceStorage);
     exchangeMgr.Init(&sessionManager);
     messageCounterManager.Init(&exchangeMgr);
     groupDataProvider.SetPersistentStorage(&deviceStorage);
     VerifyOrDie(groupDataProvider.Init() == CHIP_NO_ERROR);
     // TODO: Set IPK in groupDataProvider
 
     DeviceProxyInitParams params = {
-        .sessionManager    = &sessionManager,
-        .exchangeMgr       = &exchangeMgr,
-        .fabricInfo        = fabric,
-        .groupDataProvider = &groupDataProvider,
+        .sessionManager           = &sessionManager,
+        .sessionResumptionStorage = &sessionResumptionStorage,
+        .exchangeMgr              = &exchangeMgr,
+        .fabricInfo               = fabric,
+        .groupDataProvider        = &groupDataProvider,
     };
     NodeId mockNodeId = 1;
     OperationalDeviceProxy device(params, PeerId().SetNodeId(mockNodeId));

src/controller/CHIPDeviceControllerFactory.cpp

@@ -36,6 +36,7 @@
 
 #include <app/server/Dnssd.h>
 #include <protocols/secure_channel/CASEServer.h>
+#include <protocols/secure_channel/SimpleSessionResumptionStorage.h>
 
 using namespace chip::Inet;
 using namespace chip::System;
@@ -146,13 +147,16 @@ CHIP_ERROR DeviceControllerFactory::InitSystemState(FactoryInitParams params)
 #endif
                                                             ));
 
-    stateParams.fabricTable           = chip::Platform::New<FabricTable>();
-    stateParams.sessionMgr            = chip::Platform::New<SessionManager>();
-    stateParams.exchangeMgr           = chip::Platform::New<Messaging::ExchangeManager>();
-    stateParams.messageCounterManager = chip::Platform::New<secure_channel::MessageCounterManager>();
-    stateParams.groupDataProvider     = params.groupDataProvider;
+    stateParams.fabricTable                                   = chip::Platform::New<FabricTable>();
+    stateParams.sessionMgr                                    = chip::Platform::New<SessionManager>();
+    SimpleSessionResumptionStorage * sessionResumptionStorage = chip::Platform::New<SimpleSessionResumptionStorage>();
+    stateParams.sessionResumptionStorage                      = sessionResumptionStorage;
+    stateParams.exchangeMgr                                   = chip::Platform::New<Messaging::ExchangeManager>();
+    stateParams.messageCounterManager                         = chip::Platform::New<secure_channel::MessageCounterManager>();
+    stateParams.groupDataProvider                             = params.groupDataProvider;
 
     ReturnErrorOnFailure(stateParams.fabricTable->Init(params.fabricIndependentStorage));
+    ReturnErrorOnFailure(sessionResumptionStorage->Init(params.fabricIndependentStorage));
 
     auto delegate = chip::Platform::MakeUnique<ControllerFabricDelegate>();
     ReturnErrorOnFailure(delegate->Init(stateParams.sessionMgr, stateParams.groupDataProvider));
@@ -186,7 +190,7 @@ CHIP_ERROR DeviceControllerFactory::InitSystemState(FactoryInitParams params)
 #if CONFIG_NETWORK_LAYER_BLE
             nullptr,
 #endif
-            stateParams.sessionMgr, stateParams.fabricTable, stateParams.groupDataProvider));
+            stateParams.sessionMgr, stateParams.fabricTable, stateParams.sessionResumptionStorage, stateParams.groupDataProvider));
 
         //
         // We need to advertise the port that we're listening to for unsolicited messages over UDP. However, we have both a IPv4
@@ -218,12 +222,13 @@ CHIP_ERROR DeviceControllerFactory::InitSystemState(FactoryInitParams params)
     stateParams.caseClientPool        = Platform::New<DeviceControllerSystemStateParams::CASEClientPool>();
 
     DeviceProxyInitParams deviceInitParams = {
-        .sessionManager    = stateParams.sessionMgr,
-        .exchangeMgr       = stateParams.exchangeMgr,
-        .fabricTable       = stateParams.fabricTable,
-        .clientPool        = stateParams.caseClientPool,
-        .groupDataProvider = stateParams.groupDataProvider,
-        .mrpLocalConfig    = Optional<ReliableMessageProtocolConfig>::Value(GetLocalMRPConfig()),
+        .sessionManager           = stateParams.sessionMgr,
+        .sessionResumptionStorage = stateParams.sessionResumptionStorage,
+        .exchangeMgr              = stateParams.exchangeMgr,
+        .fabricTable              = stateParams.fabricTable,
+        .clientPool               = stateParams.caseClientPool,
+        .groupDataProvider        = stateParams.groupDataProvider,
+        .mrpLocalConfig           = Optional<ReliableMessageProtocolConfig>::Value(GetLocalMRPConfig()),
     };
 
     CASESessionManagerConfig sessionManagerConfig = {

src/controller/CHIPDeviceControllerSystemState.h

@@ -81,6 +81,7 @@ struct DeviceControllerSystemStateParams
     // Params that will be deallocated via Platform::Delete in
     // DeviceControllerSystemState::Shutdown.
     DeviceTransportMgr * transportMgr                             = nullptr;
+    SessionResumptionStorage * sessionResumptionStorage           = nullptr;
     SessionManager * sessionMgr                                   = nullptr;
     Messaging::ExchangeManager * exchangeMgr                      = nullptr;
     secure_channel::MessageCounterManager * messageCounterManager = nullptr;

src/credentials/FabricTable.h

@@ -34,6 +34,7 @@
 #include <lib/core/CHIPSafeCasts.h>
 #include <lib/core/CHIPTLV.h>
 #include <lib/core/Optional.h>
+#include <lib/core/ScopedNodeId.h>
 #include <lib/support/CHIPMem.h>
 #include <lib/support/DLLUtil.h>
 #include <lib/support/Span.h>
@@ -85,6 +86,8 @@ class DLL_EXPORT FabricInfo
     }
 
     NodeId GetNodeId() const { return mOperationalId.GetNodeId(); }
+    ScopedNodeId GetScopedNodeId() const { return ScopedNodeId(mOperationalId.GetNodeId(), mFabricIndex); }
+    ScopedNodeId GetScopedNodeIdForNode(const NodeId node) const { return ScopedNodeId(node, mFabricIndex); }
     // TODO(#15049): Refactor/rename PeerId to OperationalId or OpId throughout source
     PeerId GetPeerId() const { return mOperationalId; }
     PeerId GetPeerIdForNode(const NodeId node) const

src/crypto/CHIPCryptoPAL.h

@@ -206,6 +206,18 @@ class CapacityBoundBuffer
         ClearSecretData(&bytes[0], Cap);
     }
 
+    CapacityBoundBuffer & operator=(const CapacityBoundBuffer & other)
+    {
+        // Guard self assignment
+        if (this == &other)
+            return *this;
+
+        ClearSecretData(&bytes[0], Cap);
+        SetLength(other.Length());
+        ::memcpy(Bytes(), other.Bytes(), other.Length());
+        return *this;
+    }
+
     /** @brief Set current length of the buffer that's being used
      * @return Returns error if new length is > capacity
      **/

src/lib/core/CHIPConfig.h

@@ -1669,7 +1669,7 @@ extern const char CHIP_NON_PRODUCTION_MARKER[];
  *   Maximum number of CASE sessions that a device caches, that can be resumed
  */
 #ifndef CHIP_CONFIG_CASE_SESSION_RESUME_CACHE_SIZE
-#define CHIP_CONFIG_CASE_SESSION_RESUME_CACHE_SIZE 4
+#define CHIP_CONFIG_CASE_SESSION_RESUME_CACHE_SIZE 64
 #endif
 
 /**

src/lib/support/DefaultStorageKeyAllocator.h

@@ -52,6 +52,14 @@ class DefaultStorageKeyAllocator
     // FailSafeContext
     const char * FailSafeContextKey() { return Format("g/fsc"); }
 
+    // Session resumption
+    const char * FabricSession(FabricIndex fabric, NodeId nodeId)
+    {
+        return Format("f/%x/s/%08" PRIX32 "%08" PRIX32, fabric, static_cast<uint32_t>(nodeId >> 32), static_cast<uint32_t>(nodeId));
+    }
+    const char * SessionResumptionIndex() { return Format("f/sri"); }
+    const char * SessionResumption(const char * resumptionIdBase64) { return Format("s/%s", resumptionIdBase64); }
+
     // Access Control
     const char * AccessControlExtensionEntry(FabricIndex fabric) { return Format("f/%x/ac/1", fabric); }