diff --git a/features/FEATURE_BLE/ble/SecurityManager.h b/features/FEATURE_BLE/ble/SecurityManager.h
index 43a83e7fe7..9bf6ea26bc 100644
--- a/features/FEATURE_BLE/ble/SecurityManager.h
+++ b/features/FEATURE_BLE/ble/SecurityManager.h
@@ -735,9 +735,23 @@ public: // MITM // + /** + * Generate OOB data with the given address. If Secure Connections is supported this will + * also generate Secure Connections OOB data on top of legacy pairing OOB data. This can be used + * to generate such data before any connections take place. + * + * @param[in] address The local address you will use in the connection using this OOB data. + * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason. + */ + virtual ble_error_t generateOOB(const ble::address_t *address) { + /* Avoid compiler warnings about unused variables */ + (void) address; + return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */ + } + /** * Enable OOB data usage during paring. If Secure Connections is supported enabling useOOB will - * generate Secure Connections OOB data through oobGenerated(). + * generate Secure Connections OOB data through oobGenerated() on top of legacy pairing OOB data. * * @param[in] connectionHandle Handle to identify the connection. * @param[in] useOOB If set to true, authenticate using OOB data.
diff --git a/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h b/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
index 583097fa76..b01020b19e 100644
--- a/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
+++ b/features/FEATURE_BLE/ble/generic/GenericSecurityManager.h
@@ -192,6 +192,10 @@ public: // MITM // + virtual ble_error_t generateOOB( + const address_t *address + ); + virtual ble_error_t setOOBDataUsage( connection_handle_t connection, bool useOOB,
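Review bot: The new generateOOB() documentation does not say how the result reaches the caller or what a null `address` does, yet the GenericSecurityManager implementation added in this same change dereferences the pointer unchecked and delivers the data asynchronously through EventHandler::legacyPairingOobGenerated() and EventHandler::oobGenerated(). Porters overriding the default stub need that contract spelled out here rather than in the generic implementation. I would extend the block with `* The generated data is delivered asynchronously through EventHandler::legacyPairingOobGenerated() and, when Secure Connections is supported, EventHandler::oobGenerated().` and change the parameter line to `* @param[in] address The local address you will use in the connection using this OOB data. Must not be NULL.`. The stub body itself is fine for a default.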
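Review bot: The new generateOOB declaration in GenericSecurityManager.h carries no comment, while the same header documents its other overrides with `/** @copydoc ... */` (on_secure_connections_oob_generated further down in this file does). Adding `/** @copydoc SecurityManager::generateOOB */` above the declaration keeps the header consistent and carries the base-class contract over to the generic implementation.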
@@ -441,6 +445,7 @@ private: pal::ConnectionEventMonitor &_connection_monitor; /* OOB data */ + address_t _oob_local_address; address_t _oob_peer_address; oob_lesc_value_t _oob_peer_random; oob_confirm_t _oob_peer_confirm;
@@ -572,7 +577,6 @@ public: /** @copydoc ble::pal::SecurityManager::on_secure_connections_oob_generated */ virtual void on_secure_connections_oob_generated( - connection_handle_t connection, const oob_lesc_value_t &random, const oob_confirm_t &confirm );
diff --git a/features/FEATURE_BLE/ble/pal/PalSecurityManager.h b/features/FEATURE_BLE/ble/pal/PalSecurityManager.h
index e452f6fe4c..d8b0dcf986 100644
--- a/features/FEATURE_BLE/ble/pal/PalSecurityManager.h
+++ b/features/FEATURE_BLE/ble/pal/PalSecurityManager.h
@@ -399,7 +399,6 @@ public: * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason. */ virtual void on_secure_connections_oob_generated( - connection_handle_t connection, const oob_lesc_value_t &random, const oob_confirm_t &confirm ) = 0;
@@ -975,13 +974,9 @@ public: ) = 0; /** - * Generate local OOB data to be sent to the application which sends it to the peer. - * - * @param[in] connectionHandle Handle to identify the connection. + * Generate local OOB data to be sent to the application which sends it to the peer.p */ - virtual ble_error_t generate_secure_connections_oob( - connection_handle_t connection - ) = 0; + virtual ble_error_t generate_secure_connections_oob() = 0; /* Entry points for the underlying stack to report events back to the user. */ public:
diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
index 7c210cc17a..dcb83331f7 100644
--- a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
+++ b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
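Review bot: `_oob_local_address` is added to the OOB member group without a comment although it carries a lifetime invariant: the .cpp hunks in this change assign it in generateOOB() and setOOBDataUsage() immediately before `_pal.generate_secure_connections_oob()` is called and read it back when on_secure_connections_oob_generated() fires, so it is only meaningful for the most recent request. A comment such as `/* local address the pending secure connections OOB request was made for; overwritten by every generateOOB()/setOOBDataUsage() call */` would make that visible to the next person who adds a second caller.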
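Review bot: With `connection_handle_t connection` removed from on_secure_connections_oob_generated(), the documentation above it still ends with `* @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.` although the callback is `void`, and it now no longer says which request the random/confirm pair belongs to. I would replace that line with `* The data belongs to the most recent generate_secure_connections_oob() request; no connection is identified.` so implementers know they must track the association themselves. The start of that doc comment lies outside the hunk.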
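Review bot: The rewritten doc line for generate_secure_connections_oob() ends with a stray character: `* Generate local OOB data to be sent to the application which sends it to the peer.p` should read `* Generate local OOB data to be sent to the application which sends it to the peer.`. While touching it, state that the result is reported asynchronously through on_secure_connections_oob_generated() and that, since no handle is passed any more, the caller has to record which local address the request was made for (GenericSecurityManager does this in `_oob_local_address` in this change), e.g. `* The result is reported through on_secure_connections_oob_generated(); the caller records the local address the data is for.`.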
@@ -500,6 +500,25 @@ ble_error_t GenericSecurityManager::requestAuthentication(connection_handle_t co // MITM // +ble_error_t GenericSecurityManager::generateOOB( + const address_t *address +) { + /* legacy pairing */ + _oob_temporary_key_creator_address = *address; + get_random_data(_oob_temporary_key.buffer(), 16); + + eventHandler->legacyPairingOobGenerated( + &_oob_temporary_key_creator_address, + &_oob_temporary_key + ); + + /* secure connections */ + _oob_local_address = *address; + _pal.generate_secure_connections_oob(); + + return BLE_ERROR_NONE; +} + ble_error_t GenericSecurityManager::setOOBDataUsage( connection_handle_t connection, bool useOOB,
@@ -513,6 +532,7 @@ ble_error_t GenericSecurityManager::setOOBDataUsage( cb->attempt_oob = useOOB; cb->oob_mitm_protection = OOBProvidesMITM; + /* legacy pairing */ _oob_temporary_key_creator_address = cb->local_address; get_random_data(_oob_temporary_key.buffer(), 16);
@@ -521,7 +541,9 @@ ble_error_t GenericSecurityManager::setOOBDataUsage( &_oob_temporary_key ); - _pal.generate_secure_connections_oob(connection); + /* secure connections */ + _oob_local_address = cb->local_address; + _pal.generate_secure_connections_oob(); return BLE_ERROR_NONE; }
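Review bot: generateOOB() dereferences `address` without a null check and discards the return value of `_pal.generate_secure_connections_oob()`, returning BLE_ERROR_NONE unconditionally; the Cordio PAL in this same change returns BLE_ERROR_NOT_IMPLEMENTED from that call and does nothing else, so on that target the caller is told the request succeeded while oobGenerated() will never fire. The same discarded PAL status appears in the rewritten call in the @@ -521 hunk of setOOBDataUsage(). I would reject a null pointer with BLE_ERROR_INVALID_PARAM and propagate the PAL status; if stacks without Secure Connections are expected to use only the legacy data, gate the call on `_default_authentication.get_secure_connections()` as update_oob_presence() does and return BLE_ERROR_NONE in that case instead. The header comment also promises Secure Connections data only "if supported", which this body never checks.

```cpp
ble_error_t GenericSecurityManager::generateOOB(
    const address_t *address
) {
    if (!address) {
        return BLE_ERROR_INVALID_PARAM;
    }

    /* … unchanged: legacy pairing key generation and legacyPairingOobGenerated() callback … */

    _oob_local_address = *address;
    /* the PAL status is the only signal the caller gets that SC OOB data is coming */
    return _pal.generate_secure_connections_oob();
}
```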
@@ -714,13 +736,18 @@ void GenericSecurityManager::update_oob_presence(connection_handle_t connection) return; } - /* only update the oob state if we support secure connections, * otherwise follow the user set preference for providing legacy * pairing oob data */ - cb->oob_present = cb->attempt_oob; - + /* if we support secure connection we only care about secure connections oob data */ if (_default_authentication.get_secure_connections()) { cb->oob_present = (cb->peer_address == _oob_peer_address); + } else { + /* otherwise for legacy pairing we first set the oob based on set preference */ + cb->oob_present = cb->attempt_oob; + + /* and also turn it on if we have oob data for legacy pairing */ + if (cb->peer_address == _oob_temporary_key_creator_address + || cb->local_address == _oob_temporary_key_creator_address) { + cb->oob_present = true; + } } }
@@ -1016,15 +1043,10 @@ void GenericSecurityManager::on_legacy_pairing_oob_request(connection_handle_t c } void GenericSecurityManager::on_secure_connections_oob_generated( - connection_handle_t connection, const oob_lesc_value_t &random, const oob_confirm_t &confirm ) { - ControlBlock_t *cb = get_control_block(connection); - if (!cb) { - return; - } - eventHandler->oobGenerated(&cb->local_address, &random, &confirm); + eventHandler->oobGenerated(&_oob_local_address, &random, &confirm); _oob_local_random = random; }
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/CordioPalSecurityManager.h b/features/FEATURE_BLE/targets/TARGET_CORDIO/CordioPalSecurityManager.h
index 1181abb273..0461beaec6 100644
--- a/features/FEATURE_BLE/targets/TARGET_CORDIO/CordioPalSecurityManager.h
+++ b/features/FEATURE_BLE/targets/TARGET_CORDIO/CordioPalSecurityManager.h
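Review bot: The new legacy branch sets `cb->oob_present = true` whenever `cb->local_address == _oob_temporary_key_creator_address`, so once generateOOB() has been called for a local address every connection on that address advertises OOB in the pairing feature exchange, regardless of whether this particular peer was ever given the temporary key. Nothing in this change clears `_oob_temporary_key_creator_address` or `_oob_temporary_key` after a pairing has consumed them, so as far as the diff shows one generated TK stays in force for every later legacy pairing on that address for the lifetime of the object. If that reuse is intended it should be documented on the members; otherwise consider clearing both once the key has been handed to the stack (presumably in on_legacy_pairing_oob_request(), whose body is outside this hunk), so that one generated TK backs one pairing. The head of update_oob_presence() is outside the hunk.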
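Review bot: on_secure_connections_oob_generated() now reports `_oob_local_address`, a single member overwritten by every generateOOB() and setOOBDataUsage() call, so if a second request is issued before the PAL answers the first, the random/confirm pair is attributed to the wrong local address in oobGenerated(); the per-connection `get_control_block()` lookup that previously bound the data to a specific connection is gone. Either refuse a new request while one is outstanding or document the one-outstanding-request assumption where the member is declared, and say so here too: `/* reports the address recorded by the most recent generateOOB()/setOOBDataUsage() call */`. The unsolicited case (PAL emitting this event with no prior request) would report whatever stale address is in the member; I cannot tell from the diff whether the PAL can do that.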
@@ -297,9 +297,7 @@ public: /** * @see ::ble::pal::SecurityManager::generate_secure_connections_oob */ - virtual ble_error_t generate_secure_connections_oob( - connection_handle_t connection - ); + virtual ble_error_t generate_secure_connections_oob(); /** * @see ::ble::pal::SecurityManager::secure_connections_oob_request_reply
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.cpp b/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.cpp
index 7764bbd09c..1948c0560e 100644
--- a/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.cpp
+++ b/features/FEATURE_BLE/targets/TARGET_CORDIO/source/CordioPalSecurityManager.cpp
@@ -394,9 +394,7 @@ ble_error_t CordioSecurityManager::send_keypress_notification( return BLE_ERROR_NONE; } -ble_error_t CordioSecurityManager::generate_secure_connections_oob( - connection_handle_t connection -) { +ble_error_t CordioSecurityManager::generate_secure_connections_oob() { return BLE_ERROR_NOT_IMPLEMENTED; }