ARMmbed
/
mbed-os
mirror of https://github.com/ARMmbed/mbed-os.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

security mode split into encryption and signing key

pull/6188/head
paul-szczepanek-arm 2018-01-19 15:56:18 +00:00
parent ebe2439ff7
commit 3074d12ff1
4 changed files with 74 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
features/FEATURE_BLE/ble/BLETypes.h
View File

@ -118,6 +118,22 @@ static inline attribute_handle_range_t attribute_handle_range(
return result; return result;
} }
/**
* Type that describes link's encryption state..
*/
struct link_encryption_t : SafeEnum<link_encryption_t, uint8_t> {
enum type {
NOT_ENCRYPTED, /**< The link is not secured. */
ENCRYPTION_IN_PROGRESS, /**< Link security is being established. */
ENCRYPTED, /**< The link is secure. */
ENCRYPTED_WITH_MITM /**< The link is secure and authenticated. */
};
/**
* Construct a new instance of pairing_failure_t.
*/
link_encryption_t(type value) : SafeEnum<link_encryption_t, uint8_t>(value) { }
};
/** /**
* Type that describe a pairing failure. * Type that describe a pairing failure.

58
features/FEATURE_BLE/ble/SecurityManager.h
View File

@ -28,6 +28,8 @@ class LegacySecurityManagerEventHandler;
using ble::connection_handle_t; using ble::connection_handle_t;
using ble::pairing_failure_t; using ble::pairing_failure_t;
using ble::link_encryption_t;
typedef uint8_t csrk_t[16];
class SecurityManager { class SecurityManager {
public: public:
@ -60,11 +62,11 @@ public:
}; };
enum SecurityIOCapabilities_t { enum SecurityIOCapabilities_t {
IO_CAPS_DISPLAY_ONLY = 0x00, /**< Display only. */ IO_CAPS_DISPLAY_ONLY = 0x00, /**< Display only. */
IO_CAPS_DISPLAY_YESNO = 0x01, /**< Display and yes/no entry. */ IO_CAPS_DISPLAY_YESNO = 0x01, /**< Display and yes/no entry. */
IO_CAPS_KEYBOARD_ONLY = 0x02, /**< Keyboard only. */ IO_CAPS_KEYBOARD_ONLY = 0x02, /**< Keyboard only. */
IO_CAPS_NONE = 0x03, /**< No I/O capabilities. */ IO_CAPS_NONE = 0x03, /**< No I/O capabilities. */
IO_CAPS_KEYBOARD_DISPLAY = 0x04, /**< Keyboard and display. */ IO_CAPS_KEYBOARD_DISPLAY = 0x04, /**< Keyboard and display. */
}; };
enum SecurityCompletionStatus_t { enum SecurityCompletionStatus_t {
@ -137,11 +139,15 @@ public:
} }
} }
virtual void signingKey(const csrk_t csrk, bool authenticated) {
(void)csrk;
}
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Encryption // Encryption
// //
void linkEncryptionResult(connection_handle_t handle, bool encrypted) { void linkEncryptionResult(connection_handle_t handle, link_encryption_t encrypted) {
(void)handle; (void)handle;
(void)encrypted; (void)encrypted;
} }
@ -202,7 +208,7 @@ private:
// Encryption // Encryption
// //
void linkEncryptionResult(connection_handle_t handle, bool encrypted) { void linkEncryptionResult(connection_handle_t handle, LinkSecurityStatus_t encrypted) {
if (linkSecuredCallback) { if (linkSecuredCallback) {
SecurityManager::SecurityMode_t securityMode; SecurityManager::SecurityMode_t securityMode;
if (encrypted) { if (encrypted) {
@ -406,6 +412,22 @@ public:
return BLE_ERROR_NOT_IMPLEMENTED; return BLE_ERROR_NOT_IMPLEMENTED;
} }
/**
* Retrieves a signing key through a signingKey event.
* If a signing key is not present, pairing/authentication will be attempted.
*
* @param[in] connectionHandle Handle to identify the connection.
* @param[in] authenticated Whether the signing key needs to be authenticated
* (provide MITM protection).
*
* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
*/
virtual ble_error_t getSigningKey(Gap::Handle_t connectionHandle, bool authenticated) {
(void)connectionHandle;
(void)authenticated;
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
}
/** /**
* Set whether or not we want to send and receive keypress notifications * Set whether or not we want to send and receive keypress notifications
* during passkey entry. * during passkey entry.
@ -424,7 +446,7 @@ public:
// Encryption // Encryption
// //
virtual ble_error_t getLinkEncryption(Gap::Handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) { virtual ble_error_t getLinkEncryption(Gap::Handle_t connectionHandle, link_encryption_t *securityStatus) {
(void)connectionHandle; (void)connectionHandle;
(void)securityStatus; (void)securityStatus;
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
@ -577,11 +599,17 @@ public:
* *
* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason. * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
*/ */
virtual ble_error_t getLinkSecurity(Gap::Handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) { ble_error_t getLinkSecurity(Gap::Handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
/* Avoid compiler warnings about unused variables. */ link_encryption_t encryption(link_encryption_t::NOT_ENCRYPTED);
(void)connectionHandle; ble_error_t status = getLinkEncryption(connectionHandle, &encryption);
(void)securityStatus; /* legacy support limits the return values */
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */ if (encryption.value() == link_encryption_t::ENCRYPTED_WITH_MITM) {
*securityStatus = ENCRYPTED;
} else {
*securityStatus = (LinkSecurityStatus_t)encryption.value();
}
return status;
} }
/** /**
@ -646,9 +674,9 @@ public:
/** @deprecated */ /** @deprecated */
void processLinkSecuredEvent(Gap::Handle_t handle, SecurityMode_t securityMode) { void processLinkSecuredEvent(Gap::Handle_t handle, SecurityMode_t securityMode) {
if (securityMode == SECURITY_MODE_ENCRYPTION_NO_MITM) { if (securityMode == SECURITY_MODE_ENCRYPTION_NO_MITM) {
eventHandler->linkEncryptionResult(handle, true); eventHandler->linkEncryptionResult(handle, link_encryption_t::ENCRYPTED);
} else { } else {
eventHandler->linkEncryptionResult(handle, false); eventHandler->linkEncryptionResult(handle, link_encryption_t::NOT_ENCRYPTED);
} }
} }
/** @deprecated */ /** @deprecated */

2
features/FEATURE_BLE/ble/pal/PalSecurityManager.h
View File

@ -295,7 +295,7 @@ public:
*/ */
virtual void on_link_encryption_result( virtual void on_link_encryption_result(
connection_handle_t connection, connection_handle_t connection,
bool encrypted link_encryption_t result
) = 0; ) = 0;
/** /**

30
features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
View File

@ -294,8 +294,6 @@ public:
// //
/** /**
* @deprecated
*
* Get the security status of a connection. * Get the security status of a connection.
* *
* @param[in] connection Handle to identify the connection. * @param[in] connection Handle to identify the connection.
@ -303,24 +301,24 @@ public:
* *
* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason. * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
*/ */
ble_error_t getLinkSecurity(connection_handle_t connection, LinkSecurityStatus_t *securityStatus) { ble_error_t getLinkEncryption(connection_handle_t connection, link_encryption_t *securityStatus) {
return getLinkEncryption(connection, securityStatus);
}
ble_error_t getLinkEncryption(connection_handle_t connection, LinkSecurityStatus_t *securityStatus) {
SecurityEntry_t *entry = db.get_entry(connection); SecurityEntry_t *entry = db.get_entry(connection);
if (entry) { if (entry) {
if (entry->encrypted) { if (entry->encrypted) {
*securityStatus = ENCRYPTED; if (entry->mitm) {
*securityStatus = link_encryption_t::ENCRYPTED_WITH_MITM;
} else {
*securityStatus = link_encryption_t::ENCRYPTED;
}
} else if (entry->encryption_requested) { } else if (entry->encryption_requested) {
*securityStatus = ENCRYPTION_IN_PROGRESS; *securityStatus = link_encryption_t::ENCRYPTION_IN_PROGRESS;
} else { } else {
*securityStatus = NOT_ENCRYPTED; *securityStatus = link_encryption_t::NOT_ENCRYPTED;
} }
return BLE_ERROR_NONE; return BLE_ERROR_NONE;
} else { } else {
return BLE_ERROR_INVALID_PARAM; return BLE_ERROR_INVALID_PARAM;
} }
} }
ble_error_t getEncryptionKeySize(connection_handle_t connection, uint8_t *size) { ble_error_t getEncryptionKeySize(connection_handle_t connection, uint8_t *size) {
@ -519,15 +517,15 @@ public:
// //
void on_link_encryption_result(connection_handle_t connection, void on_link_encryption_result(connection_handle_t connection,
bool encrypted) { link_encryption_t result) {
if (_app_event_handler) { if (_app_event_handler) {
_app_event_handler->linkEncryptionResult(connection, encrypted); _app_event_handler->linkEncryptionResult(connection, result);
} }
} }
void on_link_encryption_request_timed_out(connection_handle_t connection) { void on_link_encryption_request_timed_out(connection_handle_t connection) {
if (_app_event_handler) { if (_app_event_handler) {
_app_event_handler->linkEncryptionResult(connection, false); _app_event_handler->linkEncryptionResult(connection, link_encryption_t::NOT_ENCRYPTED);
} }
} }