partial security pass

pull/9790/head
paul-szczepanek-arm 2019-02-22 17:53:44 +00:00 committed by Vincent Coubard
parent a1815e31f0
commit bc3ff56504
5 changed files with 73 additions and 24 deletions


@ -272,12 +272,20 @@ public:
public: public:
GenericSecurityManager( GenericSecurityManager(
PalSecurityManager &palImpl, PalSecurityManager &palImpl
pal::ConnectionEventMonitor<GenericSecurityManager> &connMonitorImpl, #if BLE_FEATURE_CONNECTABLE
SigningEventMonitor &signingMonitorImpl , pal::ConnectionEventMonitor<GenericSecurityManager> &connMonitorImpl
#endif
#if BLE_FEATURE_SIGNING
, SigningEventMonitor &signingMonitorImpl
#endif
) : _pal(palImpl), ) : _pal(palImpl),
#if BLE_FEATURE_CONNECTABLE
_connection_monitor(connMonitorImpl), _connection_monitor(connMonitorImpl),
#endif
#if BLE_FEATURE_SIGNING
_signing_monitor(signingMonitorImpl), _signing_monitor(signingMonitorImpl),
#endif
_db(NULL), _db(NULL),
_default_authentication(0), _default_authentication(0),
_default_key_distribution(pal::KeyDistribution::KEY_DISTRIBUTION_ALL), _default_key_distribution(pal::KeyDistribution::KEY_DISTRIBUTION_ALL),
@ -527,8 +535,12 @@ private:
}; };
PalSecurityManager &_pal; PalSecurityManager &_pal;
#if BLE_FEATURE_CONNECTABLE
pal::ConnectionEventMonitor<GenericSecurityManager> &_connection_monitor; pal::ConnectionEventMonitor<GenericSecurityManager> &_connection_monitor;
#endif
#if BLE_FEATURE_SIGNING
SigningEventMonitor &_signing_monitor; SigningEventMonitor &_signing_monitor;
#endif
SecurityDb *_db; SecurityDb *_db;
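Review bot: The `#endif` lines that close the BLE_FEATURE_CONNECTABLE and BLE_FEATURE_SIGNING guards in the constructor's parameter list, its initializer list and the member declarations carry no trailing comment, while the guards added elsewhere in this commit do (e.g. `#endif // BLE_FEATURE_PRIVACY`). With guards nested inside a parameter list and an initializer list, an unlabelled `#endif` is hard to pair with its `#if` by eye, which is how the stray-token `#endif BLE_FEATURE_SIGNING` style slips in. Suggest `#endif // BLE_FEATURE_CONNECTABLE` and `#endif // BLE_FEATURE_SIGNING` on each of them. The constructor's initializer list continues past the first hunk.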


@ -520,18 +520,18 @@ public:
impl()->on_keys_distributed_local_ediv_rand_(connection, ediv, rand); impl()->on_keys_distributed_local_ediv_rand_(connection, ediv, rand);
} }
#if BLE_FEATURE_PRIVACY
/** /**
* Store the results of key distribution after IRK has been received. * Store the results of key distribution after IRK has been received.
* *
* @param[in] connection connection handle * @param[in] connection connection handle
* @param[in] irk identity resolution key * @param[in] irk identity resolution key
*/ */
void on_keys_distributed_irk( virtual void on_keys_distributed_irk(
connection_handle_t connection, connection_handle_t connection,
const irk_t &irk const irk_t &irk
) { ) = 0;
impl()->on_keys_distributed_irk_(connection, irk); #endif // BLE_FEATURE_PRIVACY
}
/** /**
* Store the identity address of the peer after it has been distributed. * Store the identity address of the peer after it has been distributed.
@ -540,26 +540,24 @@ public:
* @param[in] peer_identity_address_type public or private address indication * @param[in] peer_identity_address_type public or private address indication
* @param[in] peer_identity_address peer address * @param[in] peer_identity_address peer address
*/ */
void on_keys_distributed_bdaddr( virtual void on_keys_distributed_bdaddr(
connection_handle_t connection, connection_handle_t connection,
advertising_peer_address_type_t peer_identity_address_type, advertising_peer_address_type_t peer_identity_address_type,
const address_t &peer_identity_address const address_t &peer_identity_address
) { ) = 0;
impl()->on_keys_distributed_bdaddr_(connection, peer_identity_address_type, peer_identity_address);
}
#if BLE_FEATURE_SIGNING
/** /**
* Store the peer's CSRK after it has been distributed. * Store the peer's CSRK after it has been distributed.
* *
* @param[in] connection connection handle * @param[in] connection connection handle
* @param[in] csrk signing key * @param[in] csrk signing key
*/ */
void on_keys_distributed_csrk( virtual void on_keys_distributed_csrk(
connection_handle_t connection, connection_handle_t connection,
const csrk_t &csrk const csrk_t &csrk
) { ) = 0;
impl()->on_keys_distributed_csrk_(connection, csrk); #endif // BLE_FEATURE_SIGNING
}
/** /**
* Request the LTK since the peer is asking us to encrypt the link. We need to * Request the LTK since the peer is asking us to encrypt the link. We need to
@ -642,7 +640,7 @@ public:
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Resolving list management // Resolving list management
// //
#if BLE_FEATURE_PRIVACY
/** /**
* Return the number of address translation entries that can be stored by the * Return the number of address translation entries that can be stored by the
* subsystem. * subsystem.
@ -704,6 +702,7 @@ public:
ble_error_t clear_resolving_list() { ble_error_t clear_resolving_list() {
return impl()->clear_resolving_list_(); return impl()->clear_resolving_list_();
} }
#endif // BLE_FEATURE_PRIVACY
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Pairing // Pairing
@ -1004,6 +1003,7 @@ public:
return impl()->set_ltk_not_found_(connection); return impl()->set_ltk_not_found_(connection);
} }
#if BLE_FEATURE_PRIVACY
/** /**
* Set the local IRK. * Set the local IRK.
* *
@ -1015,7 +1015,9 @@ public:
) { ) {
return impl()->set_irk_(irk); return impl()->set_irk_(irk);
} }
#endif // BLE_FEATURE_PRIVACY
#if BLE_FEATURE_SIGNING
/** /**
* Set the local CSRK. * Set the local CSRK.
* *
@ -1056,6 +1058,7 @@ public:
ble_error_t remove_peer_csrk(connection_handle_t connection) { ble_error_t remove_peer_csrk(connection_handle_t connection) {
return impl()->remove_peer_csrk_(connection); return impl()->remove_peer_csrk_(connection);
} }
#endif // BLE_FEATURE_SIGNING
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Authentication // Authentication
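Review bot: on_keys_distributed_bdaddr is the only key-distribution callback in the -540,26 hunk left outside a feature guard: on_keys_distributed_irk now sits under BLE_FEATURE_PRIVACY and on_keys_distributed_csrk under BLE_FEATURE_SIGNING, yet the only caller visible in this commit (the Cordio `case DM_KEY_IRK:`) is itself wrapped in BLE_FEATURE_PRIVACY. If keeping the identity-address callback available without privacy is intentional, a one-line comment above its doc block would stop the next pass from "fixing" it, e.g. `// Deliberately not guarded by BLE_FEATURE_PRIVACY: identity address may be used without IRK handling — confirm`; if it is not intentional, the method belongs inside the privacy guard next to on_keys_distributed_irk. The enclosing class starts before and continues after these hunks.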


@ -47,6 +47,11 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_(
bool signing, bool signing,
const char* db_path const char* db_path
) { ) {
#if !(BLE_FEATURE_SIGNING)
if (signing) {
return BLE_ERROR_INVALID_PARAM;
}
#endif // !(BLE_FEATURE_SIGNING)
ble_error_t result = _pal.initialize(); ble_error_t result = _pal.initialize();
if (result != BLE_ERROR_NONE) { if (result != BLE_ERROR_NONE) {
@ -79,14 +84,20 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_(
// FIXME: depends on BR/EDR support // FIXME: depends on BR/EDR support
_default_key_distribution.set_link(false); _default_key_distribution.set_link(false);
#if BLE_FEATURE_SIGNING
_default_key_distribution.set_signing(signing); _default_key_distribution.set_signing(signing);
if (signing) { if (signing) {
init_signing(); init_signing();
} }
#else
_default_key_distribution.set_signing(false);
#endif // BLE_FEATURE_SIGNING
#if BLE_FEATURE_CONNECTABLE
_connection_monitor.set_connection_event_handler(this); _connection_monitor.set_connection_event_handler(this);
#endif
#if BLE_FEATURE_SIGNING
_signing_monitor.set_signing_event_handler(this); _signing_monitor.set_signing_event_handler(this);
#endif
_pal.set_event_handler(this); _pal.set_event_handler(this);
result = init_resolving_list(); result = init_resolving_list();
@ -388,6 +399,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setKeyp
return BLE_ERROR_NONE; return BLE_ERROR_NONE;
} }
#if BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableSigning_( ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableSigning_(
connection_handle_t connection, connection_handle_t connection,
@ -429,6 +441,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableS
return BLE_ERROR_NONE; return BLE_ERROR_NONE;
} }
#endif // BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setHintFutureRoleReversal_(bool enable) { ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setHintFutureRoleReversal_(bool enable) {
@ -579,7 +592,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setEncr
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Keys // Keys
// //
#if BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSigningKey_(connection_handle_t connection, bool authenticated) { ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSigningKey_(connection_handle_t connection, bool authenticated) {
if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE; if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@ -614,16 +627,19 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSign
} }
} }
} }
#endif // BLE_FEATURE_SIGNING
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Privacy // Privacy
// //
#if BLE_FEATURE_PRIVACY
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setPrivateAddressTimeout_(uint16_t timeout_in_seconds) { ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setPrivateAddressTimeout_(uint16_t timeout_in_seconds) {
if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE; if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
return _pal.set_private_address_timeout(timeout_in_seconds); return _pal.set_private_address_timeout(timeout_in_seconds);
} }
#endif // BLE_FEATURE_PRIVACY
//////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////
// Authentication // Authentication
@ -839,6 +855,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_da
return BLE_ERROR_NONE; return BLE_ERROR_NONE;
} }
#if BLE_FEATURE_PRIVACY
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_resolving_list() { ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_resolving_list() {
if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE; if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@ -864,7 +881,9 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_re
return BLE_ERROR_NONE; return BLE_ERROR_NONE;
} }
#endif // BLE_FEATURE_PRIVACY
#if BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_signing() { ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_signing() {
if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE; if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@ -886,6 +905,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_si
return _pal.set_csrk(*pcsrk, local_sign_counter); return _pal.set_csrk(*pcsrk, local_sign_counter);
} }
#endif // BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::get_random_data(uint8_t *buffer, size_t size) { ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::get_random_data(uint8_t *buffer, size_t size) {
@ -1000,6 +1020,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_ltk_cb(
} }
} }
#if BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_peer_csrk_cb( void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_peer_csrk_cb(
SecurityDb::entry_handle_t db_entry, SecurityDb::entry_handle_t db_entry,
@ -1045,6 +1066,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::return_csrk_cb
flags->csrk_mitm_protected flags->csrk_mitm_protected
); );
} }
#endif BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::update_oob_presence(connection_handle_t connection) { void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::update_oob_presence(connection_handle_t connection) {
@ -1139,8 +1161,9 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_disconnecte
if (!cb) { if (!cb) {
return; return;
} }
#if BLE_FEATURE_SIGNING
_pal.remove_peer_csrk(connection); _pal.remove_peer_csrk(connection);
#endif
_db->close_entry(cb->db_entry); _db->close_entry(cb->db_entry);
release_control_block(cb); release_control_block(cb);
@ -1618,6 +1641,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
_db->set_entry_local_ediv_rand(cb->db_entry, ediv, rand); _db->set_entry_local_ediv_rand(cb->db_entry, ediv, rand);
} }
#if BLE_FEATURE_PRIVACY
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_irk_( void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_irk_(
connection_handle_t connection, connection_handle_t connection,
@ -1636,6 +1660,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
_db->set_entry_peer_irk(cb->db_entry, irk); _db->set_entry_peer_irk(cb->db_entry, irk);
} }
#endif BLE_FEATURE_PRIVACY
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_bdaddr_( void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_bdaddr_(
@ -1656,6 +1681,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
); );
} }
#if BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_csrk_( void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_csrk_(
connection_handle_t connection, connection_handle_t connection,
@ -1681,6 +1707,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
flags->csrk_mitm_protected flags->csrk_mitm_protected
); );
} }
#endif // BLE_FEATURE_SIGNING
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor> template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_ltk_request_( void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_ltk_request_(
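Review bot: `#endif BLE_FEATURE_SIGNING` (after return_csrk_cb) and `#endif BLE_FEATURE_PRIVACY` (after on_keys_distributed_irk_) carry a bare token instead of a comment; compilers typically only warn ("extra tokens at end of #endif directive"), but they should read `#endif // BLE_FEATURE_SIGNING` and `#endif // BLE_FEATURE_PRIVACY` like the other guards in this commit. More importantly, init_ still calls `result = init_resolving_list();` unconditionally at the end of the -79,14 hunk, while the definition of init_resolving_list is now compiled only under `#if BLE_FEATURE_PRIVACY`, so a build with privacy disabled appears to be left without a definition for that call unless the header supplies a stub outside this diff; either guard the call the same way or add a no-op `init_resolving_list()` returning BLE_ERROR_NONE in an `#else` branch. The two unlabelled `#endif` lines around set_connection_event_handler and set_signing_event_handler would also benefit from the same trailing comment. init_'s body starts before and continues after that hunk.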


@ -233,11 +233,17 @@ impl::PalGattClientImpl& BLE::getPalGattClient()
#if BLE_FEATURE_SECURITY #if BLE_FEATURE_SECURITY
SecurityManager& BLE::getSecurityManager() SecurityManager& BLE::getSecurityManager()
{ {
#if BLE_FEATURE_SIGNING
static vendor::cordio::SigningEventMonitor<impl::GenericSecurityManagerImpl> signing_event_monitor; static vendor::cordio::SigningEventMonitor<impl::GenericSecurityManagerImpl> signing_event_monitor;
#endif
static impl::GenericSecurityManagerImpl m_instance( static impl::GenericSecurityManagerImpl m_instance(
impl::PalSecurityManagerImpl::get_security_manager(), impl::PalSecurityManagerImpl::get_security_manager()
getGap(), #if BLE_FEATURE_CONNECTABLE
signing_event_monitor , getGap()
#endif
#if BLE_FEATURE_SIGNING
, signing_event_monitor
#endif
); );
return m_instance; return m_instance;


@ -704,7 +704,7 @@ bool CordioSecurityManager<EventHandler>::sm_handler(const wsfMsgHdr_t* msg) {
evt->keyData.ltk.rand evt->keyData.ltk.rand
); );
break; break;
#if BLE_FEATURE_PRIVACY
case DM_KEY_IRK: case DM_KEY_IRK:
handler->on_keys_distributed_bdaddr( handler->on_keys_distributed_bdaddr(
connection, connection,
@ -717,6 +717,7 @@ bool CordioSecurityManager<EventHandler>::sm_handler(const wsfMsgHdr_t* msg) {
irk_t(reinterpret_cast<uint8_t*>(evt->keyData.irk.key)) irk_t(reinterpret_cast<uint8_t*>(evt->keyData.irk.key))
); );
break; break;
#endif // BLE_FEATURE_PRIVACY
#if BLE_FEATURE_SIGNING #if BLE_FEATURE_SIGNING
case DM_KEY_CSRK: case DM_KEY_CSRK:
handler->on_keys_distributed_csrk( handler->on_keys_distributed_csrk(
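Review bot: Wrapping `case DM_KEY_IRK:` in BLE_FEATURE_PRIVACY means that, with privacy compiled out, an IRK the peer still distributes falls through to whatever the switch does by default (not visible here), and because on_keys_distributed_bdaddr is called from the same case, the peer's identity address is dropped with it even though that callback remains unguarded in PalSecurityManager.h. If that is the intended behaviour a comment on the guard makes it explicit, e.g. `// Without BLE_FEATURE_PRIVACY, peer identity information (IRK and identity address) is not stored`; if the identity address should still be recorded, the on_keys_distributed_bdaddr call needs to stay outside the guard. sm_handler's body starts before and continues after both hunks.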