move securitydb into generic

pull/6932/head
paul-szczepanek-arm 2018-05-10 11:08:31 +01:00
parent b95da8d8c4
commit 473482d204
9 changed files with 75 additions and 73 deletions

@ -417,6 +417,9 @@ public:
* support out-of-band exchanges of security data.
* @param[in] passkey To specify a static passkey.
* @param[in] signing Generate and distribute signing key during pairing
* @param[in] dbPath Path to the folder used to store keys in the filesystem,
* if NULL keys will be only stored in memory
*
*
* @return BLE_ERROR_NONE on success.
*/
@ -424,12 +427,14 @@ public:
bool requireMITM = true,
SecurityIOCapabilities_t iocaps = IO_CAPS_NONE,
const Passkey_t passkey = NULL,
bool signing = true) {
bool signing = true,
const uint8_t *dbPath = NULL) {
/* Avoid compiler warnings about unused variables. */
(void)enableBonding;
(void)requireMITM;
(void)iocaps;
(void)passkey;
(void)dbPath;
return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
}
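Review bot: The added `dbPath` parameter is typed `const uint8_t *` although its doc comment describes a filesystem folder path, and the comment leaves the contract open: it does not say that the string must be NUL-terminated, nor how long the pointer must stay valid after init() returns. Because that folder would hold bonding key material, the `@param[in] dbPath` text should also say that the caller is responsible for choosing storage with suitable access protection. I would reword it along the lines of `@param[in] dbPath NUL-terminated path to the folder used to persist bonding keys; if NULL, keys are kept in memory only` and consider `const char *` for the type if the API can still change. The doc block also gains a doubled empty ` *` line that can be dropped.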

@ -19,7 +19,7 @@
#include "ble/pal/GapTypes.h"
#include "ble/BLETypes.h"
#include "ble/pal/SecurityDb.h"
#include "ble/generic/SecurityDb.h"
#include "platform/Callback.h"
#include "ble/pal/ConnectionEventMonitor.h"
#include "ble/pal/SigningEventMonitor.h"
@ -37,8 +37,6 @@ class GenericSecurityManager : public SecurityManager,
public pal::ConnectionEventMonitor::EventHandler,
public pal::SigningEventMonitor::EventHandler {
public:
typedef ble::pal::SecurityDistributionFlags_t SecurityDistributionFlags_t;
typedef ble::pal::SecurityEntryKeys_t SecurityEntryKeys_t;
/* implements SecurityManager */
@ -51,7 +49,8 @@ public:
bool mitm = true,
SecurityIOCapabilities_t iocaps = IO_CAPS_NONE,
const Passkey_t passkey = NULL,
bool signing = true
bool signing = true,
const uint8_t* db_path = NULL
);
virtual ble_error_t reset();
@ -236,11 +235,9 @@ public:
public:
GenericSecurityManager(
pal::SecurityManager &palImpl,
pal::SecurityDb &dbImpl,
pal::ConnectionEventMonitor &connMonitorImpl,
pal::SigningEventMonitor &signingMonitorImpl
) : _pal(palImpl),
_db(dbImpl),
_connection_monitor(connMonitorImpl),
_signing_monitor(signingMonitorImpl),
_default_authentication(0),
@ -308,7 +305,7 @@ private:
* @param[in] entryKeys security entry containing keys.
*/
void enable_encryption_cb(
pal::SecurityDb::entry_handle_t entry,
SecurityDb::entry_handle_t entry,
const SecurityEntryKeys_t* entryKeys
);
@ -319,7 +316,7 @@ private:
* @param[in] entryKeys security entry containing keys.
*/
void set_ltk_cb(
pal::SecurityDb::entry_handle_t entry,
SecurityDb::entry_handle_t entry,
const SecurityEntryKeys_t* entryKeys
);
@ -330,7 +327,7 @@ private:
* @param[in] csrk connection signature resolving key.
*/
void return_csrk_cb(
pal::SecurityDb::entry_handle_t connection,
SecurityDb::entry_handle_t connection,
const csrk_t *csrk,
sign_count_t sign_counter
);
@ -342,7 +339,7 @@ private:
* @param[in] csrk connection signature resolving key.
*/
void set_peer_csrk_cb(
pal::SecurityDb::entry_handle_t connection,
SecurityDb::entry_handle_t connection,
const csrk_t *csrk,
sign_count_t sign_counter
);
@ -407,8 +404,8 @@ private:
* @param identity The identity associated with the entry; may be NULL.
*/
void on_security_entry_retrieved(
pal::SecurityDb::entry_handle_t entry,
const pal::SecurityEntryIdentity_t* identity
SecurityDb::entry_handle_t entry,
const SecurityEntryIdentity_t* identity
);
/**
@ -421,12 +418,12 @@ private:
* @param count Number of identities entries retrieved.
*/
void on_identity_list_retrieved(
ble::ArrayView<pal::SecurityEntryIdentity_t*>& identity_list,
ble::ArrayView<SecurityEntryIdentity_t*>& identity_list,
size_t count
);
private:
struct ControlBlock_t : public pal::SecurityDistributionFlags_t {
struct ControlBlock_t : public SecurityDistributionFlags_t {
ControlBlock_t();
pal::KeyDistribution get_initiator_key_distribution() {
@ -443,7 +440,7 @@ private:
};
connection_handle_t connection;
pal::SecurityDb::entry_handle_t db_entry;
SecurityDb::entry_handle_t db_entry;
address_t local_address; /**< address used for connection, possibly different from identity */
@ -473,10 +470,11 @@ private:
};
pal::SecurityManager &_pal;
pal::SecurityDb &_db;
pal::ConnectionEventMonitor &_connection_monitor;
pal::SigningEventMonitor &_signing_monitor;
SecurityDb *_db;
/* OOB data */
address_t _oob_local_address;
address_t _oob_peer_address;
@ -718,7 +716,7 @@ public:
ControlBlock_t* get_control_block(const address_t &peer_address);
ControlBlock_t* get_control_block(pal::SecurityDb::entry_handle_t db_entry);
ControlBlock_t* get_control_block(SecurityDb::entry_handle_t db_entry);
void release_control_block(ControlBlock_t* entry);
};
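Review bot: `_db` changes from a reference bound in the constructor to a raw `SecurityDb *_db;`, and the visible part of the constructor's initializer list no longer mentions it. The list continues past the hunk, so this needs confirming, but if `_db` is not initialised there then reset(), preserveBondingStateOnReset() and purgeAllBondingState() would dereference an indeterminate pointer when called before init(). I would add `_db(NULL),` after `_signing_monitor(signingMonitorImpl),` to match the new declaration order. The member should also carry a comment stating ownership, e.g. `/* owned by this object; allocated in init() */`, since no release of it is visible in this section.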

@ -20,7 +20,7 @@
#include "SecurityDb.h"
namespace ble {
namespace pal {
namespace generic {
/** Naive memory implementation for verification. */
class MemorySecurityDb : public SecurityDb {

@ -24,7 +24,7 @@
#include <stdlib.h>
namespace ble {
namespace pal {
namespace generic {
/**

@ -17,6 +17,8 @@
#include "ble/SecurityManager.h"
#include "ble/pal/PalSecurityManager.h"
#include "ble/generic/GenericSecurityManager.h"
#include "ble/generic/MemorySecurityDb.h"
#include "ble/generic/FileSecurityDb.h"
using ble::pal::advertising_peer_address_type_t;
using ble::pal::AuthenticationMask;
@ -37,14 +39,17 @@ ble_error_t GenericSecurityManager::init(
bool mitm,
SecurityIOCapabilities_t iocaps,
const Passkey_t passkey,
bool signing
bool signing,
const uint8_t* db_path
) {
ble_error_t err = _pal.initialize();
if (err) {
return err;
}
_db.restore();
_db = new (std::nothrow) MemorySecurityDb();
_db->restore();
_pal.set_io_capability((io_capability_t::type) iocaps);
if (passkey) {
@ -75,16 +80,16 @@ ble_error_t GenericSecurityManager::init(
_pal.set_event_handler(this);
uint8_t resolving_list_capacity = _pal.read_resolving_list_capacity();
pal::SecurityEntryIdentity_t** identity_list_p =
new (std::nothrow) pal::SecurityEntryIdentity_t*[resolving_list_capacity];
SecurityEntryIdentity_t** identity_list_p =
new (std::nothrow) SecurityEntryIdentity_t*[resolving_list_capacity];
if (identity_list_p) {
ArrayView<pal::SecurityEntryIdentity_t*> identity_list(
ArrayView<SecurityEntryIdentity_t*> identity_list(
identity_list_p,
resolving_list_capacity
);
_db.get_identity_list(
_db->get_identity_list(
mbed::callback(this, &GenericSecurityManager::on_identity_list_retrieved),
identity_list
);
@ -94,7 +99,7 @@ ble_error_t GenericSecurityManager::init(
}
ble_error_t GenericSecurityManager::reset(void) {
_db.sync();
_db->sync();
_pal.reset();
SecurityManager::reset();
@ -102,7 +107,7 @@ ble_error_t GenericSecurityManager::reset(void) {
}
ble_error_t GenericSecurityManager::preserveBondingStateOnReset(bool enabled) {
_db.set_restore(enabled);
_db->set_restore(enabled);
return BLE_ERROR_NONE;
}
@ -111,13 +116,13 @@ ble_error_t GenericSecurityManager::preserveBondingStateOnReset(bool enabled) {
//
ble_error_t GenericSecurityManager::purgeAllBondingState(void) {
_db.clear_entries();
_db->clear_entries();
return BLE_ERROR_NONE;
}
ble_error_t GenericSecurityManager::generateWhitelistFromBondTable(Gap::Whitelist_t *whitelist) const {
if (eventHandler) {
_db.generate_whitelist_from_bond_table(
_db->generate_whitelist_from_bond_table(
mbed::callback(eventHandler, &::SecurityManager::EventHandler::whitelistFromBondTable),
whitelist
);
@ -333,7 +338,7 @@ ble_error_t GenericSecurityManager::enableSigning(
cb->signing_requested = true;
if (cb->csrk_stored) {
/* used the stored ones when available */
_db.get_entry_peer_csrk(
_db->get_entry_peer_csrk(
mbed::callback(this, &GenericSecurityManager::set_peer_csrk_cb),
cb->db_entry
);
@ -471,7 +476,7 @@ ble_error_t GenericSecurityManager::getSigningKey(connection_handle_t connection
if (cb->csrk_stored && (cb->csrk_mitm_protected || !authenticated)) {
/* we have a key that is either authenticated or we don't care if it is
* so retrieve it from the db now */
_db.get_entry_peer_csrk(
_db->get_entry_peer_csrk(
mbed::callback(this, &GenericSecurityManager::return_csrk_cb),
cb->db_entry
);
@ -658,8 +663,8 @@ ble_error_t GenericSecurityManager::oobReceived(
//
ble_error_t GenericSecurityManager::init_signing() {
const csrk_t *pcsrk = _db.get_local_csrk();
sign_count_t local_sign_counter = _db.get_local_sign_counter();
const csrk_t *pcsrk = _db->get_local_csrk();
sign_count_t local_sign_counter = _db->get_local_sign_counter();
if (!pcsrk) {
csrk_t csrk;
@ -670,8 +675,8 @@ ble_error_t GenericSecurityManager::init_signing() {
}
pcsrk = &csrk;
_db.set_local_csrk(csrk);
_db.set_local_sign_counter(local_sign_counter);
_db->set_local_csrk(csrk);
_db->set_local_sign_counter(local_sign_counter);
}
return _pal.set_csrk(*pcsrk, local_sign_counter);
@ -713,7 +718,7 @@ ble_error_t GenericSecurityManager::enable_encryption(connection_handle_t connec
}
if (cb->is_master) {
if (cb->ltk_stored) {
_db.get_entry_peer_keys(
_db->get_entry_peer_keys(
mbed::callback(this, &GenericSecurityManager::enable_encryption_cb),
cb->db_entry
);
@ -727,7 +732,7 @@ ble_error_t GenericSecurityManager::enable_encryption(connection_handle_t connec
}
void GenericSecurityManager::enable_encryption_cb(
pal::SecurityDb::entry_handle_t db_entry,
SecurityDb::entry_handle_t db_entry,
const SecurityEntryKeys_t* entryKeys
) {
ControlBlock_t *cb = get_control_block(db_entry);
@ -742,7 +747,7 @@ void GenericSecurityManager::enable_encryption_cb(
}
void GenericSecurityManager::set_ltk_cb(
pal::SecurityDb::entry_handle_t db_entry,
SecurityDb::entry_handle_t db_entry,
const SecurityEntryKeys_t* entryKeys
) {
ControlBlock_t *cb = get_control_block(db_entry);
@ -757,7 +762,7 @@ void GenericSecurityManager::set_ltk_cb(
}
void GenericSecurityManager::set_peer_csrk_cb(
pal::SecurityDb::entry_handle_t db_entry,
SecurityDb::entry_handle_t db_entry,
const csrk_t *csrk,
sign_count_t sign_counter
) {
@ -775,7 +780,7 @@ void GenericSecurityManager::set_peer_csrk_cb(
}
void GenericSecurityManager::return_csrk_cb(
pal::SecurityDb::entry_handle_t db_entry,
SecurityDb::entry_handle_t db_entry,
const csrk_t *csrk,
sign_count_t sign_counter
) {
@ -846,13 +851,13 @@ void GenericSecurityManager::on_connected(
cb->is_master = (role == Gap::CENTRAL);
// get the associated db handle and the distribution flags if any
cb->db_entry = _db.open_entry(peer_address_type, peer_address);
cb->db_entry = _db->open_entry(peer_address_type, peer_address);
const pal::SecurityDistributionFlags_t* dist_flags =
_db.get_distribution_flags(cb->db_entry);
const SecurityDistributionFlags_t* dist_flags =
_db->get_distribution_flags(cb->db_entry);
if (dist_flags) {
*static_cast<pal::SecurityDistributionFlags_t*>(cb) = *dist_flags;
*static_cast<SecurityDistributionFlags_t*>(cb) = *dist_flags;
}
const bool signing = cb->signing_override_default ?
@ -860,7 +865,7 @@ void GenericSecurityManager::on_connected(
_default_key_distribution.get_signing();
if (signing && cb->csrk_stored) {
_db.get_entry_peer_csrk(
_db->get_entry_peer_csrk(
mbed::callback(this, &GenericSecurityManager::set_peer_csrk_cb),
cb->db_entry
);
@ -876,15 +881,15 @@ void GenericSecurityManager::on_disconnected(
return;
}
_db.close_entry(cb->db_entry);
_db->close_entry(cb->db_entry);
release_control_block(cb);
_db.sync();
_db->sync();
}
void GenericSecurityManager::on_security_entry_retrieved(
pal::SecurityDb::entry_handle_t entry,
const pal::SecurityEntryIdentity_t* identity
SecurityDb::entry_handle_t entry,
const SecurityEntryIdentity_t* identity
) {
if (!identity) {
return;
@ -902,7 +907,7 @@ void GenericSecurityManager::on_security_entry_retrieved(
}
void GenericSecurityManager::on_identity_list_retrieved(
ble::ArrayView<pal::SecurityEntryIdentity_t*>& identity_list,
ble::ArrayView<SecurityEntryIdentity_t*>& identity_list,
size_t count
) {
typedef advertising_peer_address_type_t address_type_t;
@ -992,8 +997,8 @@ void GenericSecurityManager::on_pairing_completed(connection_handle_t connection
ControlBlock_t *cb = get_control_block(connection);
if (cb) {
// set the distribution flags in the db
_db.set_distribution_flags(cb->db_entry, *cb);
_db.get_entry_identity(
_db->set_distribution_flags(cb->db_entry, *cb);
_db->get_entry_identity(
mbed::callback(this, &GenericSecurityManager::on_security_entry_retrieved),
cb->db_entry
);
@ -1021,7 +1026,7 @@ void GenericSecurityManager::on_signed_write_received(
if (!cb) {
return;
}
_db.set_entry_peer_sign_counter(cb->db_entry, sign_counter);
_db->set_entry_peer_sign_counter(cb->db_entry, sign_counter);
}
void GenericSecurityManager::on_signed_write_verification_failure(
@ -1050,7 +1055,7 @@ void GenericSecurityManager::on_signed_write_verification_failure(
}
void GenericSecurityManager::on_signed_write() {
_db.set_local_sign_counter(_db.get_local_sign_counter() + 1);
_db->set_local_sign_counter(_db->get_local_sign_counter() + 1);
}
void GenericSecurityManager::on_slave_security_request(
@ -1229,7 +1234,7 @@ void GenericSecurityManager::on_secure_connections_ltk_generated(
cb->ltk_mitm_protected = cb->mitm_performed;
cb->secure_connections_paired = true;
_db.set_entry_peer_ltk(cb->db_entry, ltk);
_db->set_entry_peer_ltk(cb->db_entry, ltk);
}
void GenericSecurityManager::on_keys_distributed_ltk(
@ -1241,7 +1246,7 @@ void GenericSecurityManager::on_keys_distributed_ltk(
return;
}
cb->ltk_mitm_protected = cb->mitm_performed;
_db.set_entry_peer_ltk(cb->db_entry, ltk);
_db->set_entry_peer_ltk(cb->db_entry, ltk);
}
void GenericSecurityManager::on_keys_distributed_ediv_rand(
@ -1254,7 +1259,7 @@ void GenericSecurityManager::on_keys_distributed_ediv_rand(
return;
}
_db.set_entry_peer_ediv_rand(cb->db_entry, ediv, rand);
_db->set_entry_peer_ediv_rand(cb->db_entry, ediv, rand);
}
void GenericSecurityManager::on_keys_distributed_local_ltk(
@ -1266,7 +1271,7 @@ void GenericSecurityManager::on_keys_distributed_local_ltk(
return;
}
_db.set_entry_local_ltk(cb->db_entry, ltk);
_db->set_entry_local_ltk(cb->db_entry, ltk);
}
void GenericSecurityManager::on_keys_distributed_local_ediv_rand(
@ -1279,7 +1284,7 @@ void GenericSecurityManager::on_keys_distributed_local_ediv_rand(
return;
}
_db.set_entry_local_ediv_rand(cb->db_entry, ediv, rand);
_db->set_entry_local_ediv_rand(cb->db_entry, ediv, rand);
}
void GenericSecurityManager::on_keys_distributed_irk(
@ -1291,7 +1296,7 @@ void GenericSecurityManager::on_keys_distributed_irk(
return;
}
_db.set_entry_peer_irk(cb->db_entry, irk);
_db->set_entry_peer_irk(cb->db_entry, irk);
}
void GenericSecurityManager::on_keys_distributed_bdaddr(
@ -1304,7 +1309,7 @@ void GenericSecurityManager::on_keys_distributed_bdaddr(
return;
}
_db.set_entry_peer_bdaddr(
_db->set_entry_peer_bdaddr(
cb->db_entry,
(peer_address_type == advertising_peer_address_type_t::PUBLIC_ADDRESS),
peer_identity_address
@ -1322,7 +1327,7 @@ void GenericSecurityManager::on_keys_distributed_csrk(
cb->csrk_mitm_protected = cb->mitm_performed;
_db.set_entry_peer_csrk(cb->db_entry, csrk);
_db->set_entry_peer_csrk(cb->db_entry, csrk);
eventHandler->signingKey(
connection,
@ -1341,7 +1346,7 @@ void GenericSecurityManager::on_ltk_request(
return;
}
_db.get_entry_local_keys(
_db->get_entry_local_keys(
mbed::callback(this, &GenericSecurityManager::set_ltk_cb),
cb->db_entry,
ediv,
@ -1352,7 +1357,7 @@ void GenericSecurityManager::on_ltk_request(
/* control blocks list management */
GenericSecurityManager::ControlBlock_t::ControlBlock_t() :
pal::SecurityDistributionFlags_t(),
SecurityDistributionFlags_t(),
connection(0),
db_entry(0),
local_address(),
@ -1379,7 +1384,7 @@ void GenericSecurityManager::on_ltk_request(connection_handle_t connection)
return;
}
_db.get_entry_local_keys(
_db->get_entry_local_keys(
mbed::callback(this, &GenericSecurityManager::set_ltk_cb),
cb->db_entry
);
@ -1428,7 +1433,7 @@ GenericSecurityManager::ControlBlock_t* GenericSecurityManager::get_control_bloc
}
GenericSecurityManager::ControlBlock_t* GenericSecurityManager::get_control_block(
pal::SecurityDb::entry_handle_t db_entry
SecurityDb::entry_handle_t db_entry
) {
for (size_t i = 0; i < MAX_CONTROL_BLOCKS; i++) {
if (!_control_blocks[i].connected) {
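Review bot: In the init() hunk the result of `new (std::nothrow) MemorySecurityDb()` is dereferenced on the very next line by `_db->restore()` with no null check, so an allocation failure becomes a null-pointer access; a guard such as `if (!_db) { return BLE_ERROR_NO_MEM; }` belongs between the two lines. Every later `_db->` call in this file relies on that allocation having succeeded. Calling init() a second time also overwrites `_db` without releasing the previous object, which leaks it and discards any keys it held in memory. Finally, `db_path` is accepted but never read in the visible lines, and `FileSecurityDb.h` is included but unused, so a caller that passes a path still gets memory-only storage; a comment or TODO in init() should say so until the file-backed database is wired in.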

@ -30,7 +30,6 @@
#include "CordioPalGenericAccessService.h"
#include "ble/generic/GenericGap.h"
#include "ble/generic/GenericSecurityManager.h"
#include "ble/pal/MemorySecurityDb.h"
#include "ble/pal/SimpleEventQueue.h"
namespace ble {

@ -204,11 +204,9 @@ generic::GenericGattClient& BLE::getGattClient()
SecurityManager& BLE::getSecurityManager()
{
static pal::MemorySecurityDb m_db;
static SigningEventMonitorProxy signing_event_monitor(*this);
static generic::GenericSecurityManager m_instance(
pal::vendor::cordio::CordioSecurityManager::get_security_manager(),
m_db,
getGap(),
signing_event_monitor
);

@ -208,7 +208,6 @@ SecurityManager& nRF5xn::getSecurityManager()
const SecurityManager& nRF5xn::getSecurityManager() const
{
static ble::pal::MemorySecurityDb m_db;
ble::pal::vendor::nordic::nRF5xSecurityManager &m_pal =
ble::pal::vendor::nordic::nRF5xSecurityManager::get_security_manager();
static struct : ble::pal::SigningEventMonitor {
@ -217,7 +216,6 @@ const SecurityManager& nRF5xn::getSecurityManager() const
static ble::generic::GenericSecurityManager m_instance(
m_pal,
m_db,
const_cast<nRF5xGap&>(getGap()),
dummy_signing_event_monitor
);

@ -22,7 +22,6 @@
#include "ble/BLEInstanceBase.h"
#include "ble/generic/GenericGattClient.h"
#include "ble/generic/GenericSecurityManager.h"
#include "ble/pal/MemorySecurityDb.h"
#include "ble/pal/SimpleEventQueue.h"
#include "nRF5xPalSecurityManager.h"