connectedhomeip icon indicating copy to clipboard operation
connectedhomeip copied to clipboard

Published 20 hours ago verified publisher icon project-chip

Enforce that no PASE sessions that aren't commissioning are possible

Open mlepage-google opened this issue 3 years ago • 1 comments

For v1, we do not support operational PASE, so PASE is only permissible during commissioning.

In access control, for v1 we grant any PASE session the administer privilege, since it's appropriate given commissioning can be taken for granted.

Therefore, we need to enforce in the SDK that in v1 it is not possible to create a non-commissioning PASE session. This may already be the case but we need to double check.

mlepage-google avatar Jan 31 '22 20:01 mlepage-google

PASE session establishment is only allowed once the commissioning window manager calls WaitForPairing. We already expire PASE pairings on commissioning complete, but we should also expire them when the commissioning window closes so that other nodes can't establish a long-running PASE connection and send commands after the commissioning window is closed.

cecille avatar May 16 '22 19:05 cecille

Issue Scrub: We believe in the current implementation of the SDK, PASE can't be easily, or at all used. Closing.

woody-apple avatar Nov 02 '22 17:11 woody-apple