ARMmbed
/
mbed-os
mirror of https://github.com/ARMmbed/mbed-os.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #26 from paul-szczepanek-arm/signing 

signing integration between gatt and sm
pull/6932/head
Paul Szczepanek 2018-04-03 15:50:18 +01:00 committed by GitHub
parent 381b99bc61 08c9ac5fe6
commit 0833827460
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 215 additions and 72 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
features/FEATURE_BLE/ble/GattClient.h
View File

@ -116,6 +116,15 @@ public:
* The server does not acknowledge the status of the operation.
*/
GATT_OP_WRITE_CMD = 0x02,
/**
* Signed Write command.
*
* It is used to request the server to write the value of an attribute
* using a signed packet. The server does not acknowledge the status
* of the operation.
*/
GATT_OP_SIGNED_WRITE_CMD = 0x03
};
/**

21
features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
View File

@ -322,13 +322,24 @@ private:
* Returns the CSRK for the connection. Called by the security db.
*
* @param[in] connectionHandle Handle to identify the connection.
* @param[in] entryKeys security entry containing keys.
* @param[in] csrk connection signature resolving key.
*/
void return_csrk_cb(
pal::SecurityDb::entry_handle_t connection,
const csrk_t *csrk
);
/**
* Set the peer CSRK for the connection. Called by the security db.
*
* @param[in] connectionHandle Handle to identify the connection.
* @param[in] csrk connection signature resolving key.
*/
void set_peer_csrk_cb(
pal::SecurityDb::entry_handle_t connection,
const csrk_t *csrk
);
/**
* Updates the entry for the connection with OOB data presence.
*
@ -443,6 +454,8 @@ private:
uint8_t oob_mitm_protection:1;
uint8_t oob_present:1;
uint8_t legacy_pairing_oob_request_pending:1;
uint8_t csrk_failures:2;
};
pal::SecurityManager &_pal;
@ -513,6 +526,12 @@ public:
connection_handle_t connection
);
/** @copydoc ble::pal::SecurityManager::on_signature_verification_failure
*/
virtual void on_signature_verification_failure(
connection_handle_t connection
);
/** @copydoc ble::pal::SecurityManager::on_slave_security_request
*/
virtual void on_slave_security_request(

23
features/FEATURE_BLE/ble/pal/PalSecurityManager.h
View File

@ -280,6 +280,16 @@ public:
connection_handle_t connection
) = 0;
/**
* Indicate that signed data was rejected due to verification failure. This could
* be due to an invalid CSRK key.
*
* @param[in] connection connection handle
*/
virtual void on_signature_verification_failure(
connection_handle_t connection
) = 0;
/**
* Ask the stack to evaluate the security request received from the slave.
* This might result in the stack enabling encryption, or pairing/re-pairing.
@ -865,6 +875,19 @@ public:
const csrk_t &csrk
) = 0;
/**
* Set the peer CSRK for particular connection.
*
* @param[in] connection connection handle
* @param[in] csrk signing key
* @retval BLE_ERROR_NONE On success, else an error code indicating reason for failure
*/
virtual ble_error_t set_peer_csrk(
connection_handle_t connection,
const csrk_t &csrk,
bool authenticated
) = 0;
////////////////////////////////////////////////////////////////////////////
// Authentication
//

121
features/FEATURE_BLE/source/generic/GenericGattClient.cpp
View File

@ -21,6 +21,8 @@
#include <ble/DiscoveredCharacteristic.h>
#include "ble/generic/GenericGattClient.h"
#include "ble/blecommon.h"
#include "ble/BLEInstanceBase.h"
#include "ble/generic/GenericSecurityManager.h"
#include <algorithm>
using ble::pal::AttServerMessage;
@ -38,6 +40,11 @@ using ble::pal::AttHandleValueIndication;
using ble::pal::AttHandleValueNotification;
using ble::pal::AttFindInformationResponse;
#define PREPARE_WRITE_HEADER_LENGTH 5
#define WRITE_HEADER_LENGTH 3
#define CMAC_LENGTH 8
#define MAC_COUNTER_LENGTH 4
namespace ble {
namespace generic {
@ -1074,67 +1081,77 @@ ble_error_t GenericGattClient::write(
return BLE_ERROR_INVALID_STATE;
}
uint16_t mtu = get_mtu(connection_handle);
uint16_t mtu = get_mtu(connection_handle);
if (cmd == GattClient::GATT_OP_WRITE_CMD) {
if (length > (uint16_t)(mtu - 3)) {
return BLE_ERROR_PARAM_OUT_OF_RANGE;
}
return _pal_client->write_without_response(
connection_handle,
attribute_handle,
make_const_ArrayView(value, length)
);
} else {
uint8_t* data = NULL;
if (cmd == GattClient::GATT_OP_WRITE_CMD) {
if (length > (uint16_t) (mtu - WRITE_HEADER_LENGTH)) {
return BLE_ERROR_PARAM_OUT_OF_RANGE;
}
return _pal_client->write_without_response(
connection_handle,
attribute_handle,
make_const_ArrayView(value, length)
);
} else if (cmd == GattClient::GATT_OP_SIGNED_WRITE_CMD) {
/*TODO check encryption status */
if (length > (uint16_t) (mtu - WRITE_HEADER_LENGTH - CMAC_LENGTH - MAC_COUNTER_LENGTH)) {
return BLE_ERROR_PARAM_OUT_OF_RANGE;
}
return _pal_client->signed_write_without_response(
connection_handle,
attribute_handle,
make_const_ArrayView(value, length)
);
} else {
uint8_t* data = NULL;
if (length > (uint16_t)(mtu - 3)) {
data = (uint8_t*) malloc(length);
if (data == NULL) {
return BLE_ERROR_NO_MEM;
}
memcpy(data, value, length);
}
if (length > (uint16_t) (mtu - WRITE_HEADER_LENGTH)) {
data = (uint8_t*) malloc(length);
if (data == NULL) {
return BLE_ERROR_NO_MEM;
}
memcpy(data, value, length);
}
WriteControlBlock* write_pcb = new(std::nothrow) WriteControlBlock(
connection_handle,
attribute_handle,
data,
length
);
WriteControlBlock* write_pcb = new (std::nothrow) WriteControlBlock(
connection_handle,
attribute_handle,
data,
length
);
if (write_pcb == NULL) {
free(data);
return BLE_ERROR_NO_MEM;
}
if (write_pcb == NULL) {
free(data);
return BLE_ERROR_NO_MEM;
}
insert_control_block(write_pcb);
insert_control_block(write_pcb);
ble_error_t err = BLE_ERROR_UNSPECIFIED;
if (data) {
err = _pal_client->queue_prepare_write(
connection_handle,
attribute_handle,
make_const_ArrayView(value, mtu - 5),
/* offset */ 0
);
} else {
err = _pal_client->write_attribute(
connection_handle,
attribute_handle,
make_const_ArrayView(value, length)
);
}
ble_error_t err = BLE_ERROR_UNSPECIFIED;
if (data) {
err = _pal_client->queue_prepare_write(
connection_handle,
attribute_handle,
make_const_ArrayView(value, mtu - PREPARE_WRITE_HEADER_LENGTH),
/* offset */0
);
} else {
err = _pal_client->write_attribute(
connection_handle,
attribute_handle,
make_const_ArrayView(value, length)
);
}
if (err) {
remove_control_block(write_pcb);
delete write_pcb;
}
if (err) {
remove_control_block(write_pcb);
delete write_pcb;
}
return err;
}
return err;
}
return BLE_ERROR_NOT_IMPLEMENTED;
return BLE_ERROR_NOT_IMPLEMENTED;
}
void GenericGattClient::onServiceDiscoveryTermination(

95
features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
View File

@ -140,14 +140,10 @@ ble_error_t GenericSecurityManager::requestPairing(connection_handle_t connectio
* use when roles are changed */
if (_master_sends_keys) {
initiator_distribution = _default_key_distribution;
}
/* override default if requested */
if (cb->signing_override_default) {
initiator_distribution.set_signing(cb->signing_requested);
} else {
/* because _master_sends_keys might be false so we need to set this */
initiator_distribution.set_signing(_default_key_distribution.get_signing());
/* override default if requested */
if (cb->signing_override_default) {
initiator_distribution.set_signing(cb->signing_requested);
}
}
KeyDistribution responder_distribution(_default_key_distribution);
@ -312,19 +308,27 @@ ble_error_t GenericSecurityManager::enableSigning(
return BLE_ERROR_INVALID_PARAM;
}
cb->signing_requested = enabled;
cb->signing_override_default = false;
cb->signing_override_default = true;
if (cb->encrypted) {
return BLE_ERROR_INVALID_STATE;
}
if (!cb->csrk_stored && cb->signing_requested) {
init_signing();
if (cb->is_master) {
return requestPairing(connection);
if (enabled && !cb->signing_requested && !_default_key_distribution.get_signing()) {
cb->signing_requested = true;
if (cb->csrk_stored) {
/* used the stored ones when available */
_db.get_entry_peer_csrk(
mbed::callback(this, &GenericSecurityManager::set_peer_csrk_cb),
cb->db_entry
);
} else {
return slave_security_request(connection);
/* create keys if needed and exchange them */
init_signing();
if (cb->is_master) {
return requestPairing(connection);
} else {
return slave_security_request(connection);
}
}
} else {
cb->signing_requested = enabled;
}
return BLE_ERROR_NONE;
@ -729,6 +733,22 @@ void GenericSecurityManager::set_ltk_cb(
}
}
void GenericSecurityManager::set_peer_csrk_cb(
pal::SecurityDb::entry_handle_t db_entry,
const csrk_t *csrk
) {
ControlBlock_t *cb = get_control_block(db_entry);
if (!cb) {
return;
}
_pal.set_peer_csrk(
cb->connection,
*csrk,
cb->csrk_mitm_protected
);
}
void GenericSecurityManager::return_csrk_cb(
pal::SecurityDb::entry_handle_t db_entry,
const csrk_t *csrk
@ -808,6 +828,17 @@ void GenericSecurityManager::on_connected(
if (dist_flags) {
*static_cast<pal::SecurityDistributionFlags_t*>(cb) = *dist_flags;
}
const bool signing = cb->signing_override_default ?
cb->signing_requested :
_default_key_distribution.get_signing();
if (signing && cb->csrk_stored) {
_db.get_entry_peer_csrk(
mbed::callback(this, &GenericSecurityManager::set_peer_csrk_cb),
cb->db_entry
);
}
}
void GenericSecurityManager::on_disconnected(
@ -912,6 +943,31 @@ void GenericSecurityManager::on_valid_mic_timeout(connection_handle_t connection
(void)connection;
}
void GenericSecurityManager::on_signature_verification_failure(
connection_handle_t connection
) {
ControlBlock_t *cb = get_control_block(connection);
if (!cb) {
return;
}
const bool signing = cb->signing_override_default ?
cb->signing_requested :
_default_key_distribution.get_signing();
if (signing) {
cb->csrk_failures++;
if (cb->csrk_failures == 3) {
cb->csrk_failures = 0;
if (cb->is_master) {
requestPairing(connection);
} else {
slave_security_request(connection);
}
}
}
}
void GenericSecurityManager::on_slave_security_request(
connection_handle_t connection,
AuthenticationMask authentication
@ -1228,7 +1284,8 @@ GenericSecurityManager::ControlBlock_t::ControlBlock_t() :
attempt_oob(false),
oob_mitm_protection(false),
oob_present(false),
legacy_pairing_oob_request_pending(false) { }
legacy_pairing_oob_request_pending(false),
csrk_failures(0) { }
void GenericSecurityManager::on_ltk_request(connection_handle_t connection)
{

9
features/FEATURE_BLE/targets/TARGET_CORDIO/CordioPalSecurityManager.h
View File

@ -239,6 +239,15 @@ public:
*/
virtual ble_error_t set_csrk(const csrk_t &csrk);
/**
* @see ::ble::pal::SecurityManager::set_peer_csrk
*/
virtual ble_error_t set_peer_csrk(
connection_handle_t connection,
const csrk_t &csrk,
bool authenticated
);
////////////////////////////////////////////////////////////////////////////
// Authentication
//

9
features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.cpp
View File

@ -272,6 +272,15 @@ ble_error_t CordioSecurityManager::set_csrk(const csrk_t& csrk)
return BLE_ERROR_NONE;
}
ble_error_t CordioSecurityManager::set_peer_csrk(
connection_handle_t connection,
const csrk_t &csrk,
bool authenticated
) {
/* TODO implement */
return BLE_ERROR_NOT_IMPLEMENTED;
}
////////////////////////////////////////////////////////////////////////////
// Global parameters
//