security mode split into encryption and signing key

pull/6188/head
paul-szczepanek-arm 2018-01-19 15:56:18 +00:00
parent ebe2439ff7
commit 3074d12ff1
4 changed files with 74 additions and 32 deletions


@ -118,6 +118,22 @@ static inline attribute_handle_range_t attribute_handle_range(
return result;
}
/**
* Type that describes link's encryption state..
*/
struct link_encryption_t : SafeEnum<link_encryption_t, uint8_t> {
enum type {
NOT_ENCRYPTED, /**< The link is not secured. */
ENCRYPTION_IN_PROGRESS, /**< Link security is being established. */
ENCRYPTED, /**< The link is secure. */
ENCRYPTED_WITH_MITM /**< The link is secure and authenticated. */
};
/**
* Construct a new instance of pairing_failure_t.
*/
link_encryption_t(type value) : SafeEnum<link_encryption_t, uint8_t>(value) { }
};
/**
* Type that describe a pairing failure.
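Review bot: The doc comment on the new constructor reads `Construct a new instance of pairing_failure_t.`, which looks copied from the neighbouring type and should be `Construct a new instance of link_encryption_t.`. The enumerator comments would also be clearer if they separated encryption from authentication: `ENCRYPTED` is documented as "The link is secure." while only `ENCRYPTED_WITH_MITM` is described as authenticated. Something like `/**< The link is encrypted but not authenticated (no MITM protection). */` tells callers which value to require before exposing data that needs an authenticated link. The struct comment also ends in a double period (`state..`).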


@ -28,6 +28,8 @@ class LegacySecurityManagerEventHandler;
using ble::connection_handle_t;
using ble::pairing_failure_t;
using ble::link_encryption_t;
typedef uint8_t csrk_t[16];
class SecurityManager {
public:
@ -60,11 +62,11 @@ public:
};
enum SecurityIOCapabilities_t {
IO_CAPS_DISPLAY_ONLY = 0x00, /**< Display only. */
IO_CAPS_DISPLAY_YESNO = 0x01, /**< Display and yes/no entry. */
IO_CAPS_KEYBOARD_ONLY = 0x02, /**< Keyboard only. */
IO_CAPS_NONE = 0x03, /**< No I/O capabilities. */
IO_CAPS_KEYBOARD_DISPLAY = 0x04, /**< Keyboard and display. */
IO_CAPS_DISPLAY_ONLY = 0x00, /**< Display only. */
IO_CAPS_DISPLAY_YESNO = 0x01, /**< Display and yes/no entry. */
IO_CAPS_KEYBOARD_ONLY = 0x02, /**< Keyboard only. */
IO_CAPS_NONE = 0x03, /**< No I/O capabilities. */
IO_CAPS_KEYBOARD_DISPLAY = 0x04, /**< Keyboard and display. */
};
enum SecurityCompletionStatus_t {
@ -137,11 +139,15 @@ public:
}
}
virtual void signingKey(const csrk_t csrk, bool authenticated) {
(void)csrk;
}
////////////////////////////////////////////////////////////////////////////
// Encryption
//
void linkEncryptionResult(connection_handle_t handle, bool encrypted) {
void linkEncryptionResult(connection_handle_t handle, link_encryption_t encrypted) {
(void)handle;
(void)encrypted;
}
@ -202,7 +208,7 @@ private:
// Encryption
//
void linkEncryptionResult(connection_handle_t handle, bool encrypted) {
void linkEncryptionResult(connection_handle_t handle, LinkSecurityStatus_t encrypted) {
if (linkSecuredCallback) {
SecurityManager::SecurityMode_t securityMode;
if (encrypted) {
@ -406,6 +412,22 @@ public:
return BLE_ERROR_NOT_IMPLEMENTED;
}
/**
* Retrieves a signing key through a signingKey event.
* If a signing key is not present, pairing/authentication will be attempted.
*
* @param[in] connectionHandle Handle to identify the connection.
* @param[in] authenticated Whether the signing key needs to be authenticated
* (provide MITM protection).
*
* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
*/
virtual ble_error_t getSigningKey(Gap::Handle_t connectionHandle, bool authenticated) {
(void)connectionHandle;
(void)authenticated;
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
}
/**
* Set whether or not we want to send and receive keypress notifications
* during passkey entry.
@ -424,7 +446,7 @@ public:
// Encryption
//
virtual ble_error_t getLinkEncryption(Gap::Handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
virtual ble_error_t getLinkEncryption(Gap::Handle_t connectionHandle, link_encryption_t *securityStatus) {
(void)connectionHandle;
(void)securityStatus;
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
@ -577,11 +599,17 @@ public:
*
* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
*/
virtual ble_error_t getLinkSecurity(Gap::Handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
/* Avoid compiler warnings about unused variables. */
(void)connectionHandle;
(void)securityStatus;
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
ble_error_t getLinkSecurity(Gap::Handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
link_encryption_t encryption(link_encryption_t::NOT_ENCRYPTED);
ble_error_t status = getLinkEncryption(connectionHandle, &encryption);
/* legacy support limits the return values */
if (encryption.value() == link_encryption_t::ENCRYPTED_WITH_MITM) {
*securityStatus = ENCRYPTED;
} else {
*securityStatus = (LinkSecurityStatus_t)encryption.value();
}
return status;
}
/**
@ -646,9 +674,9 @@ public:
/** @deprecated */
void processLinkSecuredEvent(Gap::Handle_t handle, SecurityMode_t securityMode) {
if (securityMode == SECURITY_MODE_ENCRYPTION_NO_MITM) {
eventHandler->linkEncryptionResult(handle, true);
eventHandler->linkEncryptionResult(handle, link_encryption_t::ENCRYPTED);
} else {
eventHandler->linkEncryptionResult(handle, false);
eventHandler->linkEncryptionResult(handle, link_encryption_t::NOT_ENCRYPTED);
}
}
/** @deprecated */
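Review bot: In the private `linkEncryptionResult` (the hunk at -202), `if (encrypted)` used to test a bool and now appears to test an enum, so every non-zero state takes the branch. If `LinkSecurityStatus_t` is ordered like `link_encryption_t`, `ENCRYPTION_IN_PROGRESS` would be passed on to `linkSecuredCallback` as a secured link. The parameter is also declared as `LinkSecurityStatus_t` while the handler method earlier in this file takes `link_encryption_t`, so the two signatures no longer match and this one may not act as an override. I would take `link_encryption_t encrypted` and compare explicitly, e.g. `if (encrypted.value() == link_encryption_t::ENCRYPTED || encrypted.value() == link_encryption_t::ENCRYPTED_WITH_MITM) {`. The function body continues past the end of the hunk, so the mapping to `securityMode` is not visible here.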


@ -295,7 +295,7 @@ public:
*/
virtual void on_link_encryption_result(
connection_handle_t connection,
bool encrypted
link_encryption_t result
) = 0;
/**


@ -294,8 +294,6 @@ public:
//
/**
* @deprecated
*
* Get the security status of a connection.
*
* @param[in] connection Handle to identify the connection.
@ -303,24 +301,24 @@ public:
*
* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
*/
ble_error_t getLinkSecurity(connection_handle_t connection, LinkSecurityStatus_t *securityStatus) {
return getLinkEncryption(connection, securityStatus);
}
ble_error_t getLinkEncryption(connection_handle_t connection, LinkSecurityStatus_t *securityStatus) {
ble_error_t getLinkEncryption(connection_handle_t connection, link_encryption_t *securityStatus) {
SecurityEntry_t *entry = db.get_entry(connection);
if (entry) {
if (entry->encrypted) {
*securityStatus = ENCRYPTED;
if (entry->mitm) {
*securityStatus = link_encryption_t::ENCRYPTED_WITH_MITM;
} else {
*securityStatus = link_encryption_t::ENCRYPTED;
}
} else if (entry->encryption_requested) {
*securityStatus = ENCRYPTION_IN_PROGRESS;
*securityStatus = link_encryption_t::ENCRYPTION_IN_PROGRESS;
} else {
*securityStatus = NOT_ENCRYPTED;
*securityStatus = link_encryption_t::NOT_ENCRYPTED;
}
return BLE_ERROR_NONE;
} else {
return BLE_ERROR_INVALID_PARAM;
}
} else {
return BLE_ERROR_INVALID_PARAM;
}
}
ble_error_t getEncryptionKeySize(connection_handle_t connection, uint8_t *size) {
@ -519,15 +517,15 @@ public:
//
void on_link_encryption_result(connection_handle_t connection,
bool encrypted) {
link_encryption_t result) {
if (_app_event_handler) {
_app_event_handler->linkEncryptionResult(connection, encrypted);
_app_event_handler->linkEncryptionResult(connection, result);
}
}
void on_link_encryption_request_timed_out(connection_handle_t connection) {
if (_app_event_handler) {
_app_event_handler->linkEncryptionResult(connection, false);
_app_event_handler->linkEncryptionResult(connection, link_encryption_t::NOT_ENCRYPTED);
}
}
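Review bot: `getLinkEncryption` writes through `securityStatus` on every path where `entry` is found but never checks the pointer. A guard such as `if (!securityStatus) { return BLE_ERROR_INVALID_PARAM; }` before the `db.get_entry` call would match the error already returned for an unknown connection. When no entry is found the out-parameter is left untouched, which is worth stating in the doc comment so callers initialise it before the call. A one-line comment on `entry->mitm` saying whether it reflects the key actually protecting the link or only what was requested would also help, because callers are likely to treat `ENCRYPTED_WITH_MITM` as proof of an authenticated link.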