mirror of https://github.com/ARMmbed/mbed-os.git
BLE: Support encryption with secure connection key.
parent
f79eeb0173
commit
4e5639f5ca
|
@ -967,15 +967,31 @@ public:
|
||||||
*/
|
*/
|
||||||
ble_error_t getLinkSecurity(ble::connection_handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
|
ble_error_t getLinkSecurity(ble::connection_handle_t connectionHandle, LinkSecurityStatus_t *securityStatus) {
|
||||||
ble::link_encryption_t encryption(ble::link_encryption_t::NOT_ENCRYPTED);
|
ble::link_encryption_t encryption(ble::link_encryption_t::NOT_ENCRYPTED);
|
||||||
ble_error_t status = getLinkEncryption(connectionHandle, &encryption);
|
ble_error_t err = getLinkEncryption(connectionHandle, &encryption);
|
||||||
/* legacy support limits the return values */
|
if (err) {
|
||||||
if (encryption.value() == ble::link_encryption_t::ENCRYPTED_WITH_MITM) {
|
return err;
|
||||||
*securityStatus = ENCRYPTED;
|
|
||||||
} else {
|
|
||||||
*securityStatus = (LinkSecurityStatus_t)encryption.value();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return status;
|
switch (encryption.value()) {
|
||||||
|
case ble::link_encryption_t::NOT_ENCRYPTED:
|
||||||
|
*securityStatus = NOT_ENCRYPTED;
|
||||||
|
break;
|
||||||
|
case ble::link_encryption_t::ENCRYPTION_IN_PROGRESS:
|
||||||
|
*securityStatus = ENCRYPTION_IN_PROGRESS;
|
||||||
|
break;
|
||||||
|
case ble::link_encryption_t::ENCRYPTED:
|
||||||
|
case ble::link_encryption_t::ENCRYPTED_WITH_MITM:
|
||||||
|
case ble::link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM:
|
||||||
|
*securityStatus = ENCRYPTED;
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
// should never happen
|
||||||
|
MBED_ASSERT(false);
|
||||||
|
*securityStatus = NOT_ENCRYPTED;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
return BLE_ERROR_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
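Review bot: The `default:` arm of the new switch in getLinkSecurity reports an unrecognised encryption value as a successful NOT_ENCRYPTED answer: MBED_ASSERT(false) compiles to nothing in non-debug builds, so the caller receives `*securityStatus = NOT_ENCRYPTED` together with `BLE_ERROR_NONE` and has no way to tell "unencrypted" from "state unknown". Returning a failure code from ble_error_t there instead of `return BLE_ERROR_NONE;` (keeping the NOT_ENCRYPTED write as the conservative value) would let callers notice the inconsistency rather than silently proceed. Separately, the old `/* legacy support limits the return values */` comment was dropped even though the new switch still folds ENCRYPTED, ENCRYPTED_WITH_MITM and ENCRYPTED_WITH_SC_AND_MITM into the single legacy ENCRYPTED; a comment on that group of cases such as `/* legacy status cannot express MITM or Secure Connections protection; use getLinkEncryption() to distinguish them */` would stop a caller from reading ENCRYPTED as "authenticated".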
@ -1079,7 +1095,10 @@ private:
|
||||||
SecurityManager::SecurityMode_t securityMode;
|
SecurityManager::SecurityMode_t securityMode;
|
||||||
if (result == ble::link_encryption_t::ENCRYPTED) {
|
if (result == ble::link_encryption_t::ENCRYPTED) {
|
||||||
securityMode = SECURITY_MODE_ENCRYPTION_NO_MITM;
|
securityMode = SECURITY_MODE_ENCRYPTION_NO_MITM;
|
||||||
} else if (result == ble::link_encryption_t::ENCRYPTED_WITH_MITM) {
|
} else if (
|
||||||
|
result == ble::link_encryption_t::ENCRYPTED_WITH_MITM ||
|
||||||
|
result == ble::link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM
|
||||||
|
) {
|
||||||
securityMode = SECURITY_MODE_ENCRYPTION_WITH_MITM;
|
securityMode = SECURITY_MODE_ENCRYPTION_WITH_MITM;
|
||||||
} else {
|
} else {
|
||||||
securityMode = SECURITY_MODE_ENCRYPTION_OPEN_LINK;
|
securityMode = SECURITY_MODE_ENCRYPTION_OPEN_LINK;
|
||||||
|
|
|
@ -369,7 +369,11 @@ ble_error_t GenericSecurityManager::getLinkEncryption(
|
||||||
|
|
||||||
if (cb->encrypted) {
|
if (cb->encrypted) {
|
||||||
if (cb->ltk_mitm_protected || cb->mitm_performed) {
|
if (cb->ltk_mitm_protected || cb->mitm_performed) {
|
||||||
*encryption = link_encryption_t::ENCRYPTED_WITH_MITM;
|
if (cb->secure_connections_paired) {
|
||||||
|
*encryption = link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM;
|
||||||
|
} else {
|
||||||
|
*encryption = link_encryption_t::ENCRYPTED_WITH_MITM;
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
*encryption = link_encryption_t::ENCRYPTED;
|
*encryption = link_encryption_t::ENCRYPTED;
|
||||||
}
|
}
|
||||||
|
@ -408,7 +412,9 @@ ble_error_t GenericSecurityManager::setLinkEncryption(
|
||||||
} else if (encryption == link_encryption_t::ENCRYPTED) {
|
} else if (encryption == link_encryption_t::ENCRYPTED) {
|
||||||
|
|
||||||
/* only change if we're not already encrypted with mitm */
|
/* only change if we're not already encrypted with mitm */
|
||||||
if (current_encryption != link_encryption_t::ENCRYPTED_WITH_MITM) {
|
if (current_encryption != link_encryption_t::ENCRYPTED_WITH_MITM ||
|
||||||
|
current_encryption != link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM
|
||||||
|
) {
|
||||||
cb->encryption_requested = true;
|
cb->encryption_requested = true;
|
||||||
return enable_encryption(connection);
|
return enable_encryption(connection);
|
||||||
}
|
}
|
||||||
|
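Review bot: The widened guard in setLinkEncryption's ENCRYPTED branch is a tautology: `current_encryption` cannot equal both ENCRYPTED_WITH_MITM and ENCRYPTED_WITH_SC_AND_MITM, so `!= A || != B` is always true and the "only change if we're not already encrypted with mitm" comment above it no longer holds — a request for plain ENCRYPTED on a link that is already MITM- or Secure-Connections-protected now unconditionally sets `cb->encryption_requested` and re-runs enable_encryption(). The operator should be `&&`: `if (current_encryption != link_encryption_t::ENCRYPTED_WITH_MITM &&` / `current_encryption != link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM) {`. The enclosing function starts and ends outside the hunk, so whether an earlier same-level check happens to mask this in practice cannot be confirmed from here.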
@ -423,6 +429,19 @@ ble_error_t GenericSecurityManager::setLinkEncryption(
|
||||||
return requestAuthentication(connection);
|
return requestAuthentication(connection);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
} else if (encryption == link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM) {
|
||||||
|
|
||||||
|
if (cb->ltk_mitm_protected &&
|
||||||
|
cb->secure_connections_paired && !
|
||||||
|
cb->encrypted
|
||||||
|
) {
|
||||||
|
cb->encryption_requested = true;
|
||||||
|
return enable_encryption(connection);
|
||||||
|
} else {
|
||||||
|
cb->encryption_requested = true;
|
||||||
|
return requestAuthentication(connection);
|
||||||
|
}
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
return BLE_ERROR_INVALID_PARAM;
|
return BLE_ERROR_INVALID_PARAM;
|
||||||
}
|
}
|
||||||
|
@ -1059,7 +1078,10 @@ void GenericSecurityManager::on_link_encryption_result(
|
||||||
cb->encryption_failed = false;
|
cb->encryption_failed = false;
|
||||||
cb->encrypted = true;
|
cb->encrypted = true;
|
||||||
|
|
||||||
} else if (result == link_encryption_t::ENCRYPTED_WITH_MITM) {
|
} else if (
|
||||||
|
result == link_encryption_t::ENCRYPTED_WITH_MITM ||
|
||||||
|
result == link_encryption_t::ENCRYPTED_WITH_SC_AND_MITM
|
||||||
|
) {
|
||||||
|
|
||||||
cb->encryption_requested = false;
|
cb->encryption_requested = false;
|
||||||
cb->encryption_failed = false;
|
cb->encryption_failed = false;
|
||||||
|
|