mirror of https://github.com/ARMmbed/mbed-os.git
				
				
				
			partial security pass
							parent
							
								
									a1815e31f0
								
							
						
					
					
						commit
						bc3ff56504
					
				| 
						 | 
				
			
			@ -272,12 +272,20 @@ public:
 | 
			
		|||
 | 
			
		||||
public:
 | 
			
		||||
    GenericSecurityManager(
 | 
			
		||||
        PalSecurityManager &palImpl,
 | 
			
		||||
        pal::ConnectionEventMonitor<GenericSecurityManager> &connMonitorImpl,
 | 
			
		||||
        SigningEventMonitor &signingMonitorImpl
 | 
			
		||||
        PalSecurityManager &palImpl
 | 
			
		||||
#if BLE_FEATURE_CONNECTABLE
 | 
			
		||||
        , pal::ConnectionEventMonitor<GenericSecurityManager> &connMonitorImpl
 | 
			
		||||
#endif
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
        , SigningEventMonitor &signingMonitorImpl
 | 
			
		||||
#endif
 | 
			
		||||
    ) : _pal(palImpl),
 | 
			
		||||
#if BLE_FEATURE_CONNECTABLE
 | 
			
		||||
        _connection_monitor(connMonitorImpl),
 | 
			
		||||
#endif
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
        _signing_monitor(signingMonitorImpl),
 | 
			
		||||
#endif
 | 
			
		||||
        _db(NULL),
 | 
			
		||||
        _default_authentication(0),
 | 
			
		||||
        _default_key_distribution(pal::KeyDistribution::KEY_DISTRIBUTION_ALL),
 | 
			
		||||
| 
						 | 
				
			
			@ -527,8 +535,12 @@ private:
 | 
			
		|||
    };
 | 
			
		||||
 | 
			
		||||
    PalSecurityManager &_pal;
 | 
			
		||||
#if BLE_FEATURE_CONNECTABLE
 | 
			
		||||
    pal::ConnectionEventMonitor<GenericSecurityManager> &_connection_monitor;
 | 
			
		||||
#endif
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    SigningEventMonitor &_signing_monitor;
 | 
			
		||||
#endif
 | 
			
		||||
 | 
			
		||||
    SecurityDb *_db;
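Review bot: The constructor's parameter list now depends on BLE_FEATURE_CONNECTABLE and BLE_FEATURE_SIGNING, and nothing at the declaration says so; every call site has to repeat the same guards in the same order or it will not compile. Add a short doc comment above the constructor that names each parameter and the macro that enables it, for example `@param connMonitorImpl connection event monitor; only present when BLE_FEATURE_CONNECTABLE is enabled`. The guards in this section also close with a bare `#endif`, while the other sections mostly use `#endif // BLE_FEATURE_...`; labelling them here too keeps the interleaved blocks readable. The class body extends beyond both hunks.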
 | 
			
		||||
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -520,18 +520,18 @@ public:
 | 
			
		|||
        impl()->on_keys_distributed_local_ediv_rand_(connection, ediv, rand);
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
    /**
 | 
			
		||||
     * Store the results of key distribution after IRK has been received.
 | 
			
		||||
     *
 | 
			
		||||
     * @param[in] connection connection handle
 | 
			
		||||
     * @param[in] irk identity resolution key
 | 
			
		||||
     */
 | 
			
		||||
    void on_keys_distributed_irk(
 | 
			
		||||
    virtual void on_keys_distributed_irk(
 | 
			
		||||
        connection_handle_t connection,
 | 
			
		||||
        const irk_t &irk
 | 
			
		||||
    ) {
 | 
			
		||||
        impl()->on_keys_distributed_irk_(connection, irk);
 | 
			
		||||
    }
 | 
			
		||||
    ) = 0;
 | 
			
		||||
#endif // BLE_FEATURE_PRIVACY
 | 
			
		||||
 | 
			
		||||
    /**
 | 
			
		||||
     * Store the identity address of the peer after it has been distributed.
 | 
			
		||||
| 
						 | 
				
			
			@ -540,26 +540,24 @@ public:
 | 
			
		|||
     * @param[in] peer_identity_address_type public or private address indication
 | 
			
		||||
     * @param[in] peer_identity_address peer address
 | 
			
		||||
     */
 | 
			
		||||
    void on_keys_distributed_bdaddr(
 | 
			
		||||
    virtual void on_keys_distributed_bdaddr(
 | 
			
		||||
        connection_handle_t connection,
 | 
			
		||||
        advertising_peer_address_type_t peer_identity_address_type,
 | 
			
		||||
        const address_t &peer_identity_address
 | 
			
		||||
    ) {
 | 
			
		||||
        impl()->on_keys_distributed_bdaddr_(connection, peer_identity_address_type, peer_identity_address);
 | 
			
		||||
    }
 | 
			
		||||
    ) = 0;
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    /**
 | 
			
		||||
     * Store the peer's CSRK after it has been distributed.
 | 
			
		||||
     *
 | 
			
		||||
     * @param[in] connection connection handle
 | 
			
		||||
     * @param[in] csrk signing key
 | 
			
		||||
     */
 | 
			
		||||
    void on_keys_distributed_csrk(
 | 
			
		||||
    virtual void on_keys_distributed_csrk(
 | 
			
		||||
        connection_handle_t connection,
 | 
			
		||||
        const csrk_t &csrk
 | 
			
		||||
    ) {
 | 
			
		||||
        impl()->on_keys_distributed_csrk_(connection, csrk);
 | 
			
		||||
    }
 | 
			
		||||
    ) = 0;
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
    /**
 | 
			
		||||
     * Request the LTK since the peer is asking us to encrypt the link. We need to
 | 
			
		||||
| 
						 | 
				
			
			@ -642,7 +640,7 @@ public:
 | 
			
		|||
    ////////////////////////////////////////////////////////////////////////////
 | 
			
		||||
    // Resolving list management
 | 
			
		||||
    //
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
    /**
 | 
			
		||||
     * Return the number of address translation entries that can be stored by the
 | 
			
		||||
     * subsystem.
 | 
			
		||||
| 
						 | 
				
			
			@ -704,6 +702,7 @@ public:
 | 
			
		|||
    ble_error_t clear_resolving_list() {
 | 
			
		||||
        return impl()->clear_resolving_list_();
 | 
			
		||||
    }
 | 
			
		||||
#endif // BLE_FEATURE_PRIVACY
 | 
			
		||||
 | 
			
		||||
    ////////////////////////////////////////////////////////////////////////////
 | 
			
		||||
    // Pairing
 | 
			
		||||
| 
						 | 
				
			
			@ -1004,6 +1003,7 @@ public:
 | 
			
		|||
        return impl()->set_ltk_not_found_(connection);
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
    /**
 | 
			
		||||
     * Set the local IRK.
 | 
			
		||||
     *
 | 
			
		||||
| 
						 | 
				
			
			@ -1015,7 +1015,9 @@ public:
 | 
			
		|||
    ) {
 | 
			
		||||
        return impl()->set_irk_(irk);
 | 
			
		||||
    }
 | 
			
		||||
#endif // BLE_FEATURE_PRIVACY
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    /**
 | 
			
		||||
     * Set the local CSRK.
 | 
			
		||||
     *
 | 
			
		||||
| 
						 | 
				
			
			@ -1056,6 +1058,7 @@ public:
 | 
			
		|||
    ble_error_t remove_peer_csrk(connection_handle_t connection) {
 | 
			
		||||
        return impl()->remove_peer_csrk_(connection);
 | 
			
		||||
    }
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
    ////////////////////////////////////////////////////////////////////////////
 | 
			
		||||
    // Authentication
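Review bot: As rendered, the new side declares `on_keys_distributed_irk`, `on_keys_distributed_bdaddr` and `on_keys_distributed_csrk` as `virtual ... = 0`, while the neighbouring handlers in this class still forward through `impl()`, for example `impl()->on_keys_distributed_local_ediv_rand_(connection, ediv, rand);`. The implementations visible elsewhere in this commit carry the trailing underscore (`on_keys_distributed_irk_`, `on_keys_distributed_bdaddr_`, `on_keys_distributed_csrk_`), so unless matching overrides exist outside the shown hunks, the pure virtuals are never overridden and the handler type cannot be instantiated. Keeping the forwarding form inside the new feature guards, e.g. `) { impl()->on_keys_distributed_irk_(connection, irk); }`, would make these three key-storage callbacks dispatch like the rest. The enclosing class starts and ends outside the hunks.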
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -47,6 +47,11 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_(
 | 
			
		|||
    bool signing,
 | 
			
		||||
    const char* db_path
 | 
			
		||||
) {
 | 
			
		||||
#if !(BLE_FEATURE_SIGNING)
 | 
			
		||||
    if (signing) {
 | 
			
		||||
        return BLE_ERROR_INVALID_PARAM;
 | 
			
		||||
    }
 | 
			
		||||
#endif // !(BLE_FEATURE_SIGNING)
 | 
			
		||||
    ble_error_t result = _pal.initialize();
 | 
			
		||||
 | 
			
		||||
    if (result != BLE_ERROR_NONE) {
 | 
			
		||||
| 
						 | 
				
			
			@ -79,14 +84,20 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_(
 | 
			
		|||
 | 
			
		||||
    // FIXME: depends on BR/EDR support
 | 
			
		||||
    _default_key_distribution.set_link(false);
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    _default_key_distribution.set_signing(signing);
 | 
			
		||||
    if (signing) {
 | 
			
		||||
        init_signing();
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
#else
 | 
			
		||||
    _default_key_distribution.set_signing(false);
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
#if BLE_FEATURE_CONNECTABLE
 | 
			
		||||
    _connection_monitor.set_connection_event_handler(this);
 | 
			
		||||
#endif
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    _signing_monitor.set_signing_event_handler(this);
 | 
			
		||||
#endif
 | 
			
		||||
    _pal.set_event_handler(this);
 | 
			
		||||
 | 
			
		||||
    result = init_resolving_list();
 | 
			
		||||
| 
						 | 
				
			
			@ -388,6 +399,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setKeyp
 | 
			
		|||
    return BLE_ERROR_NONE;
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableSigning_(
 | 
			
		||||
    connection_handle_t connection,
 | 
			
		||||
| 
						 | 
				
			
			@ -429,6 +441,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::enableS
 | 
			
		|||
 | 
			
		||||
    return BLE_ERROR_NONE;
 | 
			
		||||
}
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setHintFutureRoleReversal_(bool enable) {
 | 
			
		||||
| 
						 | 
				
			
			@ -579,7 +592,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setEncr
 | 
			
		|||
////////////////////////////////////////////////////////////////////////////
 | 
			
		||||
// Keys
 | 
			
		||||
//
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSigningKey_(connection_handle_t connection, bool authenticated) {
 | 
			
		||||
    if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
 | 
			
		||||
| 
						 | 
				
			
			@ -614,16 +627,19 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::getSign
 | 
			
		|||
        }
 | 
			
		||||
    }
 | 
			
		||||
}
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
////////////////////////////////////////////////////////////////////////////
 | 
			
		||||
// Privacy
 | 
			
		||||
//
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::setPrivateAddressTimeout_(uint16_t timeout_in_seconds) {
 | 
			
		||||
    if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
 | 
			
		||||
    return _pal.set_private_address_timeout(timeout_in_seconds);
 | 
			
		||||
}
 | 
			
		||||
#endif // BLE_FEATURE_PRIVACY
 | 
			
		||||
 | 
			
		||||
////////////////////////////////////////////////////////////////////////////
 | 
			
		||||
// Authentication
 | 
			
		||||
| 
						 | 
				
			
			@ -839,6 +855,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_da
 | 
			
		|||
    return BLE_ERROR_NONE;
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_resolving_list() {
 | 
			
		||||
    if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
 | 
			
		||||
| 
						 | 
				
			
			@ -864,7 +881,9 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_re
 | 
			
		|||
 | 
			
		||||
    return BLE_ERROR_NONE;
 | 
			
		||||
}
 | 
			
		||||
#endif // BLE_FEATURE_PRIVACY
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_signing() {
 | 
			
		||||
    if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
 | 
			
		||||
| 
						 | 
				
			
			@ -886,6 +905,7 @@ ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::init_si
 | 
			
		|||
 | 
			
		||||
    return _pal.set_csrk(*pcsrk, local_sign_counter);
 | 
			
		||||
}
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
ble_error_t GenericSecurityManager<TPalSecurityManager, SigningMonitor>::get_random_data(uint8_t *buffer, size_t size) {
 | 
			
		||||
| 
						 | 
				
			
			@ -1000,6 +1020,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_ltk_cb(
 | 
			
		|||
    }
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::set_peer_csrk_cb(
 | 
			
		||||
    SecurityDb::entry_handle_t db_entry,
 | 
			
		||||
| 
						 | 
				
			
			@ -1045,6 +1066,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::return_csrk_cb
 | 
			
		|||
        flags->csrk_mitm_protected
 | 
			
		||||
    );
 | 
			
		||||
}
 | 
			
		||||
#endif BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::update_oob_presence(connection_handle_t connection) {
 | 
			
		||||
| 
						 | 
				
			
			@ -1139,8 +1161,9 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_disconnecte
 | 
			
		|||
    if (!cb) {
 | 
			
		||||
        return;
 | 
			
		||||
    }
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    _pal.remove_peer_csrk(connection);
 | 
			
		||||
#endif
 | 
			
		||||
 | 
			
		||||
    _db->close_entry(cb->db_entry);
 | 
			
		||||
    release_control_block(cb);
 | 
			
		||||
| 
						 | 
				
			
			@ -1618,6 +1641,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
 | 
			
		|||
    _db->set_entry_local_ediv_rand(cb->db_entry, ediv, rand);
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_irk_(
 | 
			
		||||
    connection_handle_t connection,
 | 
			
		||||
| 
						 | 
				
			
			@ -1636,6 +1660,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
 | 
			
		|||
 | 
			
		||||
    _db->set_entry_peer_irk(cb->db_entry, irk);
 | 
			
		||||
}
 | 
			
		||||
#endif BLE_FEATURE_PRIVACY
 | 
			
		||||
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_bdaddr_(
 | 
			
		||||
| 
						 | 
				
			
			@ -1656,6 +1681,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
 | 
			
		|||
    );
 | 
			
		||||
}
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distributed_csrk_(
 | 
			
		||||
    connection_handle_t connection,
 | 
			
		||||
| 
						 | 
				
			
			@ -1681,6 +1707,7 @@ void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_keys_distri
 | 
			
		|||
        flags->csrk_mitm_protected
 | 
			
		||||
    );
 | 
			
		||||
}
 | 
			
		||||
#endif // BLE_FEATURE_SIGNING
 | 
			
		||||
 | 
			
		||||
template<template<class> class TPalSecurityManager, template<class> class SigningMonitor>
 | 
			
		||||
void GenericSecurityManager<TPalSecurityManager, SigningMonitor>::on_ltk_request_(
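Review bot: `result = init_resolving_list();` in init_ is still called unconditionally, but this commit wraps the definition of init_resolving_list() in `#if BLE_FEATURE_PRIVACY`, so a build with privacy disabled would reference a member that is never defined (unless the call is guarded outside the lines shown). Put the call, together with whatever check of `result` follows it, under `#if BLE_FEATURE_PRIVACY` as well. In the same hunk the return value of `init_signing()` is dropped, so init_ can report success with signing enabled in the key distribution even though the CSRK was never set; consider `result = init_signing(); if (result != BLE_ERROR_NONE) return result;`. The directives `#endif BLE_FEATURE_SIGNING` (after return_csrk_cb) and `#endif BLE_FEATURE_PRIVACY` (after on_keys_distributed_irk_) are missing the `//` before the label and will draw extra-token warnings. init_ begins and ends outside these hunks.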
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -233,11 +233,17 @@ impl::PalGattClientImpl& BLE::getPalGattClient()
 | 
			
		|||
#if BLE_FEATURE_SECURITY
 | 
			
		||||
SecurityManager& BLE::getSecurityManager()
 | 
			
		||||
{
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
    static vendor::cordio::SigningEventMonitor<impl::GenericSecurityManagerImpl> signing_event_monitor;
 | 
			
		||||
#endif
 | 
			
		||||
    static impl::GenericSecurityManagerImpl m_instance(
 | 
			
		||||
        impl::PalSecurityManagerImpl::get_security_manager(),
 | 
			
		||||
        getGap(),
 | 
			
		||||
        signing_event_monitor
 | 
			
		||||
        impl::PalSecurityManagerImpl::get_security_manager()
 | 
			
		||||
#if BLE_FEATURE_CONNECTABLE
 | 
			
		||||
        , getGap()
 | 
			
		||||
#endif
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
        , signing_event_monitor
 | 
			
		||||
#endif
 | 
			
		||||
    );
 | 
			
		||||
 | 
			
		||||
    return m_instance;
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||
| 
						 | 
				
			
			@ -704,7 +704,7 @@ bool CordioSecurityManager<EventHandler>::sm_handler(const wsfMsgHdr_t* msg) {
 | 
			
		|||
                        evt->keyData.ltk.rand
 | 
			
		||||
                    );
 | 
			
		||||
                    break;
 | 
			
		||||
 | 
			
		||||
#if BLE_FEATURE_PRIVACY
 | 
			
		||||
                case DM_KEY_IRK:
 | 
			
		||||
                    handler->on_keys_distributed_bdaddr(
 | 
			
		||||
                        connection,
 | 
			
		||||
| 
						 | 
				
			
			@ -717,6 +717,7 @@ bool CordioSecurityManager<EventHandler>::sm_handler(const wsfMsgHdr_t* msg) {
 | 
			
		|||
                        irk_t(reinterpret_cast<uint8_t*>(evt->keyData.irk.key))
 | 
			
		||||
                    );
 | 
			
		||||
                    break;
 | 
			
		||||
#endif // BLE_FEATURE_PRIVACY
 | 
			
		||||
#if BLE_FEATURE_SIGNING
 | 
			
		||||
                case DM_KEY_CSRK:
 | 
			
		||||
                    handler->on_keys_distributed_csrk(
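Review bot: Compiling out `case DM_KEY_IRK:` only stops this handler from storing the key; nothing in the shown hunks stops the identity key from being negotiated when BLE_FEATURE_PRIVACY is off. The constructor still starts from `KEY_DISTRIBUTION_ALL` and the visible part of init_ clears only the link and signing bits, so the identity bit appears to stay set. If that is the case, clear the identity bit in `_default_key_distribution` under `#if !(BLE_FEATURE_PRIVACY)`, the same way signing is forced off, and add a comment at this `switch` stating which key types are intentionally left unhandled for each feature flag. sm_handler's body extends beyond these hunks.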
 | 
			
		||||
| 
						 | 
				
			
			
 | 
			
		|||