/*
 *
 *    Copyright (c) 2013-2017 Nest Labs, Inc.
 *    All rights reserved.
 *
 *    Licensed under the Apache License, Version 2.0 (the "License");
 *    you may not use this file except in compliance with the License.
 *    You may obtain a copy of the License at
 *
 *        http://www.apache.org/licenses/LICENSE-2.0
 *
 *    Unless required by applicable law or agreed to in writing, software
 *    distributed under the License is distributed on an "AS IS" BASIS,
 *    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 *    See the License for the specific language governing permissions and
 *    limitations under the License.
 */

/**
 *    @file
 *      This file defines types and objects for managing Weave session
 *      security state.
 *
 */

#ifndef WEAVESECURITYMANAGER_H_
#define WEAVESECURITYMANAGER_H_

#include <Weave/Support/NLDLLUtil.h>
#include <Weave/Core/WeaveCore.h>
#include <Weave/Profiles/security/WeaveSecurity.h>
#include <Weave/Profiles/security/WeavePASE.h>
#include <Weave/Profiles/security/WeaveCASE.h>
#include <Weave/Profiles/security/WeaveTAKE.h>
#include <Weave/Profiles/security/WeaveKeyExport.h>
#include <Weave/Profiles/common/WeaveMessage.h>
#include <Weave/Profiles/status-report/StatusReportProfile.h>

/**
 *   @namespace nl::Weave::Platform::Security
 *
 *   @brief
 *     This namespace includes all interfaces within Weave for the
 *     Weave Security Monitor memory manager. Functions in this
 *     namespace are to be implemented by platforms that use Weave,
 *     according to the needs/constraints of the particular environment.
 *
 */

namespace nl {
namespace Weave {

namespace Platform {
namespace Security {

/**
 * This function is called by the Weave layer to initialize memory and resources
 * required for proper functionality of the Weave Security Manager memory allocator.
 * This function is platform specific and might be empty in certain cases.
 * For example, this function is doing nothing when the C Standard Library malloc()
 * and free() functions are used for memory allocation.
 *
 * @param[in]  buf      A pointer to a dedicated memory buffer, which should be used as
 *                      a memory pool for Weave Security Manager memory allocation.
 *                      This input is optional (defaults to NULL) and shouldn't be used
 *                      if a dedicated memory buffer is not used.
 *
 * @param[in]  bufSize  Size of a dedicated memory buffer. This input is optional (defaults to 0)
 *                      and shouldn't be used if dedicated memory buffer is not used.
 *                      When a dedicated memory buffer is used the function checks and
 *                      generates an error if buffer size is not big enough to support
 *                      Weave Security Manager use cases.
 *
 * @retval  An error generated by platform-specific memory initialization function.
 * @retval  #WEAVE_ERROR_BUFFER_TOO_SMALL  If dedicated input buffer size is not sufficient
 *                                         to support Weave Security Manager use cases.
 * @retval  #WEAVE_NO_ERROR                On success.
 *
 */
extern WEAVE_ERROR MemoryInit(void *buf = NULL, size_t bufSize = 0);

/**
 * This function is called by the Weave layer to releases all resources that were allocated
 * by MemoryInit() function.
 * This function can be an empty call if there is no need to release resources. For example,
 * this is the case when the C Standard Library malloc() and free() functions are used
 * for memory allocation.
 *
 */
extern void MemoryShutdown(void);

/**
 * This function is called by the Weave layer to allocate a block of memory of "size" bytes.
 *
 * @param[in]  size             Specifies requested memory size in bytes.
 *
 * @param[in]  isLongTermAlloc  A Boolean indicating whether (true) or not (false) the
 *                              requested memory block is for long term use. A long term
 *                              allocation is memory that should stay allocated until secure
 *                              session/handshake is complete. Examples of a long term
 *                              allocation include blocks allocated for CASE/PASE objects
 *                              and their context data. A short term allocation is a memory
 *                              needed to perform specific operation and can be released
 *                              immediately after that. This input helps to optimize memory
 *                              utilization in a memory constrained system. Use of this parameter
 *                              is arbitrary and depends on function implementer. For example,
 *                              this parameter is ignored when the C Standard Library malloc()
 *                              is used.
 *
 * @retval  Pointer to a memory block in case of success.
 * @retval  NULL-pointer if memory allocation fails.
 *
 */
extern void *MemoryAlloc(size_t size, bool isLongTermAlloc);

/**
 * This function is called by the Weave layer to allocate a block of memory of "size" bytes.
 * This function is equivalent to MemoryAlloc(size, false).
 *
 * @param[in]  size             Specifies requested memory size in bytes.
 *
 * @retval  Pointer to a memory block in case of success.
 * @retval  NULL-pointer if memory allocation fails.
 *
 */
extern void *MemoryAlloc(size_t size);

/**
 * This function is called by the Weave layer to release a memory block allocated by
 * the MemeoryAlloc() function.
 *
 * @param[in]  p                Pointer to a memory block that should be released.
 *
 */
extern void MemoryFree(void *p);

#if WEAVE_CONFIG_SECURITY_MGR_TIME_ALERTS_PLATFORM

/**
 * This function is called to notify the application when a time-consuming
 * cryptographic operation is about to start.
 *
 * @note If application wants to receive these alerts and adjust platform settings
 *       accordingly then it should provide it's own implementation of these functions
 *       and enable (1) #WEAVE_CONFIG_SECURITY_MGR_TIME_ALERTS_PLATFORM option.
 *
 */
extern void OnTimeConsumingCryptoStart(void);

/**
 * This function is called to notify the application when a time-consuming
 * cryptographic operation has just finished.
 *
 * @note If application wants to receive these alerts and adjust platform settings
 *       accordingly then it should provide it's own implementation of these functions
 *       and enable (1) #WEAVE_CONFIG_SECURITY_MGR_TIME_ALERTS_PLATFORM option.
 *
 */
extern void OnTimeConsumingCryptoDone(void);

#endif // WEAVE_CONFIG_SECURITY_MGR_TIME_ALERTS_PLATFORM

} // namespace Platform
} // namespace Security


using nl::Weave::Profiles::StatusReporting::StatusReport;
using nl::Weave::Profiles::Security::PASE::WeavePASEEngine;
using nl::Weave::Profiles::Security::CASE::WeaveCASEEngine;
using nl::Weave::Profiles::Security::CASE::WeaveCASEAuthDelegate;
using nl::Weave::Profiles::Security::TAKE::WeaveTAKEEngine;
using nl::Weave::Profiles::Security::TAKE::WeaveTAKEChallengerAuthDelegate;
using nl::Weave::Profiles::Security::TAKE::WeaveTAKETokenAuthDelegate;
using nl::Weave::Profiles::Security::KeyExport::WeaveKeyExport;
using nl::Weave::Profiles::Security::KeyExport::WeaveKeyExportDelegate;

class NL_DLL_EXPORT WeaveSecurityManager
{
public:
    enum State
    {
        kState_NotInitialized = 0,
        kState_Idle,
        kState_CASEInProgress,
        kState_PASEInProgress,
        kState_TAKEInProgress,
        kState_KeyExportInProgress
    };

    WeaveFabricState *FabricState;                      // [READ ONLY] Associated Fabric State object.
    WeaveExchangeManager *ExchangeManager;              // [READ ONLY] Associated Exchange Manager object.
    uint8_t State;                                      // [READ ONLY] State of the Weave Message Layer object
#if WEAVE_CONFIG_ENABLE_CASE_INITIATOR
    uint32_t InitiatorCASEConfig;                       // CASE configuration proposed when initiating a CASE session
    uint32_t InitiatorCASECurveId;                      // ECDH curve proposed when initiating a CASE session
    uint8_t InitiatorAllowedCASEConfigs;                // Set of allowed CASE configurations when initiating a CASE session
    uint8_t InitiatorAllowedCASECurves;                 // Set of allowed ECDH curves when initiating a CASE session
#endif
#if WEAVE_CONFIG_ENABLE_CASE_RESPONDER
    uint8_t ResponderAllowedCASEConfigs;                // Set of allowed CASE configurations when responding to CASE session
    uint8_t ResponderAllowedCASECurves;                 // Set of allowed ECDH curves when responding to CASE session
#endif
#if WEAVE_CONFIG_ENABLE_KEY_EXPORT_INITIATOR
    uint8_t InitiatorKeyExportConfig;                   // Key export configuration proposed when initiating key export request
    uint8_t InitiatorAllowedKeyExportConfigs;           // Set of allowed configurations when initiating key export request
#endif
#if WEAVE_CONFIG_ENABLE_KEY_EXPORT_RESPONDER
    uint8_t ResponderAllowedKeyExportConfigs;           // Set of allowed configurations when responding to key export request
#endif
#if WEAVE_CONFIG_SECURITY_TEST_MODE
    bool CASEUseKnownECDHKey;                           // Enable the use of a known ECDH key pair in CASE to allow man-in-the-middle
                                                        // key recovery for testing purposes.
#endif
    uint32_t SessionEstablishTimeout;                   // The amount of time after which an in-progress session establishment will timeout.
    uint32_t IdleSessionTimeout;                        // The amount of time after which an idle session will be removed.

    WeaveSecurityManager(void);

    WEAVE_ERROR Init(WeaveExchangeManager& aExchangeMgr, System::Layer& aSystemLayer);
    WEAVE_ERROR Shutdown(void);

#if WEAVE_CONFIG_PROVIDE_OBSOLESCENT_INTERFACES
    WEAVE_ERROR Init(WeaveExchangeManager* aExchangeMgr, InetLayer* aInetLayer);
#endif // WEAVE_CONFIG_PROVIDE_OBSOLESCENT_INTERFACES

    typedef void (*SessionEstablishedFunct)(WeaveSecurityManager *sm, WeaveConnection *con, void *reqState, uint16_t sessionKeyId, uint64_t peerNodeId, uint8_t encType);
    typedef void (*SessionErrorFunct)(WeaveSecurityManager *sm, WeaveConnection *con, void *reqState, WEAVE_ERROR localErr, uint64_t peerNodeId, StatusReport *statusReport);

    /**
     * Type of key error message handling function.
     *
     * @param[in] keyId         Encryption key caused the key error message response from the peer.
     * @param[in] encType       Encryption type associated with @a keyId.
     * @param[in] messageId     The identifier of the Weave message resulted in the key error response from the peer.
     * @param[in] peerNodeId    The identifier of the Weave node that sent key error message.
     * @param[in] keyErr        The error code received from the peer.
     *
     */
    typedef void (*KeyErrorMsgRcvdFunct)(uint16_t keyId, uint8_t encType, uint32_t messageId, uint64_t peerNodeId, WEAVE_ERROR keyErr);

    /**
     * Type of key export protocol complete handling function.
     *
     * @param[in] sm             A pointer to WeaveSecurityManager object.
     * @param[in] con            A pointer to WeaveConnection object.
     * @param[in] reqState       A pointer to the key export requester state.
     * @param[in] keyId          Exported key ID.
     * @param[in] exportedKey    A pointer to the exported secret key.
     * @param[in] exportedKeyLen A reference to the exported secret key length.
     *
     */
    typedef void (*KeyExportCompleteFunct)(WeaveSecurityManager *sm, WeaveConnection *con, void *reqState, uint32_t exportedKeyId, const uint8_t *exportedKey, uint16_t exportedKeyLen);

    /**
     * Type of key export protocol error handling function.
     *
     * @param[in] sm             A pointer to WeaveSecurityManager object.
     * @param[in] con            A pointer to WeaveConnection object.
     * @param[in] reqState       A pointer to the key export requester state.
     * @param[in] localErr       The WEAVE_ERROR encountered during key export protocol.
     * @param[in] statusReport   A pointer to StatusReport object if error status received from peer.
     *
     */
    typedef void (*KeyExportErrorFunct)(WeaveSecurityManager *sm, WeaveConnection *con, void *reqState, WEAVE_ERROR localErr, StatusReport *statusReport);

    // Initiate a secure PASE session, optionally providing a password.
    // Session establishment is done over connection that was specified.
    WEAVE_ERROR StartPASESession(WeaveConnection *con, WeaveAuthMode requestedAuthMode, void *reqState,
                                 SessionEstablishedFunct onComplete, SessionErrorFunct onError,
                                 const uint8_t *pw = NULL, uint16_t pwLen = 0);

    // Initiate a secure CASE session, optionally providing a CASE auth delegate.
    // Session establishment is done over specified connection or over UDP using WRM Protocol.
    WEAVE_ERROR StartCASESession(WeaveConnection *con, uint64_t peerNodeId, const IPAddress &peerAddr,
                                 uint16_t peerPort, WeaveAuthMode requestedAuthMode, void *reqState,
                                 SessionEstablishedFunct onComplete, SessionErrorFunct onError,
                                 WeaveCASEAuthDelegate *authDelegate = NULL, uint64_t terminatingNodeId = kNodeIdNotSpecified);

    // Initiate a secure TAKE session, optionally providing a TAKE auth delegate.
    // Session establishment is done over connection that was specified.
    WEAVE_ERROR StartTAKESession(WeaveConnection *con, WeaveAuthMode requestedAuthMode, void *reqState,
                                 SessionEstablishedFunct onComplete, SessionErrorFunct onError,
                                 bool encryptAuthPhase, bool encryptCommPhase,
                                 bool timeLimitedIK, bool sendChallengerId,
                                 WeaveTAKEChallengerAuthDelegate *authDelegate = NULL);

    // Initiate key export protocol.
    WEAVE_ERROR StartKeyExport(WeaveConnection *con, uint64_t peerNodeId, const IPAddress &peerAddr,
                               uint16_t peerPort, uint32_t keyId, bool signMessage, void *reqState,
                               KeyExportCompleteFunct onComplete, KeyExportErrorFunct onError,
                               WeaveKeyExportDelegate *keyExportDelegate = NULL);

    // General callback functions. These will be called when a secure session is established or fails.
    SessionEstablishedFunct OnSessionEstablished;
    SessionErrorFunct OnSessionError;

    /**
     * The key error callback function. This function is called when
     * a key error message is received.
     */
    KeyErrorMsgRcvdFunct OnKeyErrorMsgRcvd;

    void SetCASEAuthDelegate(WeaveCASEAuthDelegate *delegate)
    {
#if WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER
        mDefaultAuthDelegate = delegate;
#endif
    }

    void SetTAKEAuthDelegate(WeaveTAKEChallengerAuthDelegate *delegate)
    {
#if WEAVE_CONFIG_ENABLE_TAKE_INITIATOR
        mDefaultTAKEChallengerAuthDelegate = delegate;
#endif
    }

    void SetTAKETokenAuthDelegate(WeaveTAKETokenAuthDelegate *delegate)
    {
#if WEAVE_CONFIG_ENABLE_TAKE_RESPONDER
        mDefaultTAKETokenAuthDelegate = delegate;
#endif
    }

    void SetKeyExportDelegate(WeaveKeyExportDelegate *delegate)
    {
#if WEAVE_CONFIG_ENABLE_KEY_EXPORT_INITIATOR || WEAVE_CONFIG_ENABLE_KEY_EXPORT_RESPONDER
        mDefaultKeyExportDelegate = delegate;
#endif
    }

    // Determine whether Weave error code is a key error.
    bool IsKeyError(WEAVE_ERROR err);

    // Send key error message when correct key has not been found and the message cannot be decrypted.
    WEAVE_ERROR SendKeyErrorMsg(WeaveMessageInfo *rcvdMsgInfo, const IPPacketInfo *rcvdMsgPacketInfo, WeaveConnection *con, WEAVE_ERROR keyErr);

    void OnEncryptedMsgRcvd(uint16_t sessionKeyId, uint64_t peerNodeId, uint8_t encType);

#if WEAVE_CONFIG_USE_APP_GROUP_KEYS_FOR_MSG_ENC
    // Send message counter synchronization message.
    WEAVE_ERROR SendMsgCounterSyncResp(const WeaveMessageInfo *rcvdMsgInfo, const IPPacketInfo *rcvdMsgPacketInfo);

    // Send peer message counter synchronization request.
    WEAVE_ERROR SendSolitaryMsgCounterSyncReq(const WeaveMessageInfo *rcvdMsgInfo, const IPPacketInfo *rcvdMsgPacketInfo);

    // Handle message counter synchronization response message.
    void HandleMsgCounterSyncRespMsg(WeaveMessageInfo *msgInfo, PacketBuffer *msgBuf);
#endif

    WEAVE_ERROR CancelSessionEstablishment(void *reqState);

    void ReserveKey(uint64_t peerNodeId, uint16_t keyId);
    void ReleaseKey(uint64_t peerNodeId, uint16_t keyId);

private:
    enum Flags
    {
        kFlag_IdleSessionTimerRunning   = 0x01
    };

    ExchangeContext *mEC;
    WeaveConnection *mCon;
    union
    {
#if WEAVE_CONFIG_ENABLE_PASE_INITIATOR || WEAVE_CONFIG_ENABLE_PASE_RESPONDER
        WeavePASEEngine *mPASEEngine;
#endif
#if WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER
        WeaveCASEEngine *mCASEEngine;
#endif
#if WEAVE_CONFIG_ENABLE_TAKE_INITIATOR || WEAVE_CONFIG_ENABLE_TAKE_RESPONDER
        WeaveTAKEEngine *mTAKEEngine;
#endif
#if WEAVE_CONFIG_ENABLE_KEY_EXPORT_INITIATOR
        WeaveKeyExport *mKeyExport;
#endif
    };
    union
    {
        SessionEstablishedFunct mStartSecureSession_OnComplete;

        /**
         * The key export protocol complete callback function. This function is
         * called when the secret key export process is complete.
         */
        KeyExportCompleteFunct mStartKeyExport_OnComplete;
    };
    union
    {
        SessionErrorFunct mStartSecureSession_OnError;

        /**
         * The key export protocol error callback function. This function is
         * called when an error is encountered during key export process.
         */
        KeyExportErrorFunct mStartKeyExport_OnError;
    };
    union
    {
        void *mStartSecureSession_ReqState;
        void *mStartKeyExport_ReqState;
    };
#if WEAVE_CONFIG_ENABLE_CASE_INITIATOR || WEAVE_CONFIG_ENABLE_CASE_RESPONDER
    WeaveCASEAuthDelegate *mDefaultAuthDelegate;
#endif
#if WEAVE_CONFIG_ENABLE_TAKE_INITIATOR
    WeaveTAKEChallengerAuthDelegate *mDefaultTAKEChallengerAuthDelegate;
#endif
#if WEAVE_CONFIG_ENABLE_TAKE_RESPONDER
    WeaveTAKETokenAuthDelegate *mDefaultTAKETokenAuthDelegate;
#endif
#if WEAVE_CONFIG_ENABLE_KEY_EXPORT_INITIATOR || WEAVE_CONFIG_ENABLE_KEY_EXPORT_RESPONDER
    WeaveKeyExportDelegate *mDefaultKeyExportDelegate;
#endif

    uint16_t        mSessionKeyId;
    WeaveAuthMode   mRequestedAuthMode;
    uint8_t         mEncType;
    System::Layer*  mSystemLayer;
    uint8_t         mFlags;

    void StartSessionTimer(void);
    void CancelSessionTimer(void);
    static void HandleSessionTimeout(System::Layer* aSystemLayer, void* aAppState, System::Error aError);

    void StartIdleSessionTimer(void);
    void StopIdleSessionTimer(void);
    static void HandleIdleSessionTimeout(System::Layer* aLayer, void* aAppState, System::Error aError);

    static void HandleUnsolicitedMessage(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);

    void StartPASESession(void);
    void HandlePASESessionStart(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, PacketBuffer *msgBuf);
    WEAVE_ERROR ProcessPASEInitiatorStep1(ExchangeContext *ec, PacketBuffer *msgBuf);
    WEAVE_ERROR SendPASEResponderReconfigure(void);
    WEAVE_ERROR SendPASEResponderStep1(void);
    WEAVE_ERROR SendPASEResponderStep2(void);
    WEAVE_ERROR SendPASEInitiatorStep1(uint32_t paseConfig);
    WEAVE_ERROR ProcessPASEResponderReconfigure(PacketBuffer *msgBuf, uint32_t &newConfig);
    WEAVE_ERROR ProcessPASEResponderStep1(PacketBuffer *msgBuf);
    WEAVE_ERROR ProcessPASEResponderStep2(PacketBuffer *msgBuf);
    WEAVE_ERROR SendPASEInitiatorStep2(void);
    WEAVE_ERROR ProcessPASEInitiatorStep2(PacketBuffer *msgBuf);
    WEAVE_ERROR SendPASEResponderKeyConfirm(void);
    WEAVE_ERROR ProcessPASEResponderKeyConfirm(PacketBuffer *msgBuf);
    WEAVE_ERROR HandlePASESessionEstablished(void);
    static void HandlePASEMessageInitiator(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);
    static void HandlePASEMessageResponder(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);
    static void HandlePASEConnectionClosed(ExchangeContext *ec, WeaveConnection *con, WEAVE_ERROR conErr);

    void StartCASESession(uint32_t config, uint32_t curveId);
    void HandleCASESessionStart(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, PacketBuffer *msgBuf);
    static void HandleCASEMessageInitiator(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);
    static void HandleCASEMessageResponder(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);

    void StartTAKESession(bool encryptAuthPhase, bool encryptCommPhase, bool timeLimitedIK, bool sendChallengerId);
    void HandleTAKESessionStart(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, PacketBuffer *msgBuf);
    WEAVE_ERROR SendTAKEIdentifyToken(uint8_t takeConfig, bool encryptAuthPhase, bool encryptCommPhase, bool timeLimitedIK, bool sendChallengerId);
    static void HandleTAKEMessageInitiator(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);
    static void HandleTAKEMessageResponder(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
            uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);
    WEAVE_ERROR ProcessTAKEIdentifyTokenResponse(const PacketBuffer *msgBuf);
    WEAVE_ERROR CreateTAKESecureSession(void);
    WEAVE_ERROR SendTAKEAuthenticateToken(void);
    WEAVE_ERROR ProcessTAKEAuthenticateToken(const PacketBuffer *msgBuf);
    WEAVE_ERROR SendTAKEAuthenticateTokenResponse(void);
    WEAVE_ERROR ProcessTAKEAuthenticateTokenResponse(const PacketBuffer *msgBuf);
    WEAVE_ERROR SendTAKEReAuthenticateToken(void);
    WEAVE_ERROR ProcessTAKEReAuthenticateToken(const PacketBuffer *msgBuf);
    WEAVE_ERROR SendTAKEReAuthenticateTokenResponse(void);
    WEAVE_ERROR ProcessTAKEReAuthenticateTokenResponse(const PacketBuffer *msgBuf);
    WEAVE_ERROR SendTAKETokenReconfigure(void);
    WEAVE_ERROR ProcessTAKETokenReconfigure(uint8_t& config, const PacketBuffer *msgBuf);
    WEAVE_ERROR FinishTAKESetUp(void);

    void HandleKeyErrorMsg(ExchangeContext *ec, PacketBuffer *msgBuf);

#if WEAVE_CONFIG_USE_APP_GROUP_KEYS_FOR_MSG_ENC
    WEAVE_ERROR NewMsgCounterSyncExchange(const WeaveMessageInfo *rcvdMsgInfo, const IPPacketInfo *rcvdMsgPacketInfo, ExchangeContext *& ec);
#endif
    WEAVE_ERROR NewSessionExchange(uint64_t peerNodeId, IPAddress peerAddr, uint16_t peerPort);
    WEAVE_ERROR HandleSessionEstablished(void);
    void HandleSessionComplete(void);
    void HandleSessionError(WEAVE_ERROR err, PacketBuffer *statusReportMsgBuf);
    static void HandleConnectionClosed(ExchangeContext *ec, WeaveConnection *con, WEAVE_ERROR conErr);

    static WEAVE_ERROR SendStatusReport(WEAVE_ERROR localError, ExchangeContext *ec);

    void HandleKeyExportRequest(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo, PacketBuffer *msgBuf);
    WEAVE_ERROR SendKeyExportRequest(uint8_t keyExportConfig, uint32_t keyId, bool signMessage);
    WEAVE_ERROR SendKeyExportResponse(WeaveKeyExport& keyExport, uint8_t msgType);
    static void HandleKeyExportMessageInitiator(ExchangeContext *ec, const IPPacketInfo *pktInfo, const WeaveMessageInfo *msgInfo,
                                                uint32_t profileId, uint8_t msgType, PacketBuffer *msgBuf);
    void HandleKeyExportError(WEAVE_ERROR err, PacketBuffer *statusReportMsgBuf);

#if WEAVE_CONFIG_ENABLE_RELIABLE_MESSAGING
    static void WRMPHandleAckRcvd(ExchangeContext *ec, void *msgCtxt);
    static void WRMPHandleSendError(ExchangeContext *ec, WEAVE_ERROR err, void *msgCtxt);
#endif // WEAVE_CONFIG_ENABLE_RELIABLE_MESSAGING

    void Reset(void);

    void AsyncNotifySecurityManagerAvailable();
    static void DoNotifySecurityManagerAvailable(System::Layer *systemLayer, void *appState, System::Error err);

    void ReserveSessionKey(WeaveSessionKey *sessionKey);
    void ReleaseSessionKey(WeaveSessionKey *sessionKey);
};

} // namespace Weave
} // namespace nl

#endif /* WEAVESECURITYMANAGER_H_ */