ICD: Checking counter check moved from CheckInHandler to CheckinMessage.#71643
ICD: Checking counter check moved from CheckInHandler to CheckinMessage.#71643rcasallas-silabs wants to merge 1 commit intoproject-chip:masterfrom
Conversation
github-actions
bot
added
app
tests
icd
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors the ICD check-in message processing by moving duplicate message detection logic from CheckInHandler into CheckinMessage::ParseCheckinMessagePayload. The ProcessCheckInPayload interface has been updated to handle counter offsets directly. A significant issue was identified in DefaultICDClientStorage::ProcessCheckInPayload where the lastErr variable is initialized but never updated within the loop, which prevents the function from returning specific error codes such as CHIP_ERROR_DUPLICATE_MESSAGE_RECEIVED when a duplicate message is correctly identified during decryption.
| CHIP_ERROR lastErr = CHIP_ERROR_NOT_FOUND; | ||
|
|
||
| while (iterator->Next(clientInfo)) | ||
| { | ||
| CHIP_ERROR err = chip::Protocols::SecureChannel::CheckinMessage::ParseCheckinMessagePayload( | ||
| clientInfo.aes_key_handle, clientInfo.hmac_key_handle, payload, counter, appData); | ||
| clientInfo.aes_key_handle, clientInfo.hmac_key_handle, clientInfo.start_icd_counter, clientInfo.offset, payload, offset, | ||
| appData); | ||
| if (CHIP_NO_ERROR == err) | ||
| { | ||
| clientInfo.offset = offset; | ||
| iterator->Release(); | ||
| return CHIP_NO_ERROR; | ||
| } | ||
| } | ||
| iterator->Release(); | ||
| return CHIP_ERROR_NOT_FOUND; | ||
| return lastErr; |
There was a problem hiding this comment.
The lastErr variable is initialized to CHIP_ERROR_NOT_FOUND but is never updated within the loop. This results in the function always returning CHIP_ERROR_NOT_FOUND if no successful match is found, masking more specific errors like CHIP_ERROR_DUPLICATE_MESSAGE_RECEIVED.
Since check-in message keys are unique per client, if ParseCheckinMessagePayload returns CHIP_ERROR_DUPLICATE_MESSAGE_RECEIVED, it confirms that the correct client was found (as decryption succeeded) but the message is a duplicate. The loop should terminate and return this specific error to allow the caller to log or handle the duplicate correctly.
CHIP_ERROR lastErr = CHIP_ERROR_NOT_FOUND;
while (iterator->Next(clientInfo))
{
CHIP_ERROR err = chip::Protocols::SecureChannel::CheckinMessage::ParseCheckinMessagePayload(
clientInfo.aes_key_handle, clientInfo.hmac_key_handle, clientInfo.start_icd_counter, clientInfo.offset, payload, offset,
appData);
if (CHIP_NO_ERROR == err)
{
clientInfo.offset = offset;
iterator->Release();
return CHIP_NO_ERROR;
}
if (err == CHIP_ERROR_DUPLICATE_MESSAGE_RECEIVED)
{
lastErr = err;
break;
}
}
iterator->Release();
return lastErr;1 participant
Summary
ICD: Checking counter check moved from CheckInHandler to CheckinMessage.
Related issues
MATTER-2246.
Testing
UNTESTED.
Readability checklist
The checklist below will help the reviewer finish PR review in time and keep the
code readable:
descriptive
“When in Rome…”
rule (coding style)
See: Pull Request Guidelines