From e1676dc1ccfad3979886e0ab8aae9037b44bf732 Mon Sep 17 00:00:00 2001
From: paul-szczepanek-arm <33840200+paul-szczepanek-arm@users.noreply.github.com>
Date: Fri, 5 Jan 2018 17:32:49 +0000
Subject: [PATCH] added MITM to user facing security manager api
---
 features/FEATURE_BLE/ble/SecurityManager.h | 69 ++++++++++++++++++-
 features/FEATURE_BLE/ble/pal/PalSm.h | 33 +++++----
 .../source/generic/GenericSecurityManager.cpp | 41 ++++++-----
 3 files changed, 109 insertions(+), 34 deletions(-)
diff --git a/features/FEATURE_BLE/ble/SecurityManager.h b/features/FEATURE_BLE/ble/SecurityManager.h
index 49ca719d6f..e0c09ff178 100644
--- a/features/FEATURE_BLE/ble/SecurityManager.h
+++ b/features/FEATURE_BLE/ble/SecurityManager.h
@@ -86,6 +86,10 @@ public:
 */
 static const unsigned PASSKEY_LEN = 6;
 typedef uint8_t Passkey_t[PASSKEY_LEN]; /**< 6-digit passkey in ASCII ('0'-'9' digits only). */
+ typedef uint8_t c192_t[16];
+ typedef uint8_t r192_t[16];
+ typedef uint8_t c256_t[16];
+ typedef uint8_t r256_t[16];
 typedef void (*HandleSpecificEvent_t)(Gap::Handle_t handle);
 typedef void (*SecuritySetupInitiatedCallback_t)(Gap::Handle_t, bool allowBonding, bool requireMITM, SecurityIOCapabilities_t iocaps);
@@ -195,7 +199,7 @@ public:
 return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
 }
- virtual ble_error_t setOOBDataUsage(Gap::Handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM) {
+ virtual ble_error_t setOOBDataUsage(Gap::Handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM = false) {
 /* Avoid compiler warnings about unused variables */
 (void) connectionHandle;
 (void) useOOB;
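Review bot: The four typedefs added after `Passkey_t` in the `@@ -86,6 +86,10 @@` hunk of SecurityManager.h are undocumented, while `Passkey_t` directly above them carries a Doxygen trailer. The parameter names used later in this patch (`c192_t* hash192, r192_t* rand192`) suggest the `c` types hold OOB hash values and the `r` types OOB random values, so each line could say so, for example `typedef uint8_t c192_t[16]; /**< 16-byte OOB hash value (see setOob). */`. Since all four arrays are 16 bytes, the comment should also make clear that 192 and 256 are not the array size in bits.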
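Review bot: The default `OOBProvidesMITM = false` added to the virtual `setOOBDataUsage` in the `@@ -195,7 +199,7 @@` hunk is chosen from the static type at the call site, so it only stays correct while every override repeats the same value. The override in GenericSecurityManager.cpp does repeat it in this patch; a one-line comment above the declaration, such as `/* default must be identical in every override: it is resolved on the static type */`, would keep later ports from diverging. The function body continues outside the hunk.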
@@ -204,6 +208,69 @@ public:
 return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
 }
+ virtual ble_error_t setPinCode(uint8_t pinLength, uint8_t * pinCode, bool isStatic = false) {
+ (void) pinLength;
+ (void) pinCode;
+ (void) isStatic;
+
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+
+ virtual ble_error_t setPasskey(const Passkey_t passkey) {
+ (void) passkey;
+
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+
+ virtual ble_error_t confirmationEntered(Gap::Handle_t handle, bool confirmation) {
+ (void) handle;
+ (void) confirmation;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+ virtual ble_error_t passkeyEntered(Gap::Handle_t handle, Passkey_t passkey) {
+ (void) handle;
+ (void) passkey;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+ virtual ble_error_t sendKeypressNotification(Gap::Handle_t handle, Keypress_t keypress) {
+ (void) handle;
+ (void) keypress;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+ virtual ble_error_t setOob(Gap::Handle_t handle, c192_t* hash192, r192_t* rand192) {
+ (void) handle;
+ (void) hash192;
+ (void) rand192;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+ virtual ble_error_t setExtendedOob(Gap::Handle_t handle,
+ c192_t* hash192, r192_t* rand192,
+ c256_t* hash256, r256_t* rand256) {
+ (void) handle;
+ (void) hash192;
+ (void) rand192;
+ (void) hash256;
+ (void) rand256;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+ virtual ble_error_t getLocalOobData(Gap::Handle_t handle, c192_t* hash192, r192_t* rand192) {
+ (void) handle;
+ (void) hash192;
+ (void) rand192;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+ virtual ble_error_t getLocalExtendedOobData(Gap::Handle_t handle,
+ c192_t* hash192, r192_t* rand192,
+ c256_t* hash256, r256_t* rand256) {
+ (void) handle;
+ (void) hash192;
+ (void) rand192;
+ (void) hash256;
+ (void) rand256;
+ return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ }
+
+
 /* Event callback handlers. */
 public:
 /**
diff --git a/features/FEATURE_BLE/ble/pal/PalSm.h b/features/FEATURE_BLE/ble/pal/PalSm.h
index 7d964491e7..435b36546a 100644
--- a/features/FEATURE_BLE/ble/pal/PalSm.h
+++ b/features/FEATURE_BLE/ble/pal/PalSm.h
@@ -25,6 +25,11 @@ using SecurityManager::SecurityMode_t;
 using SecurityManager::LinkSecurityStatus_t;
 using SecurityManager::Passkey_t;
 using SecurityManager::Keypress_t;
+using SecurityManager::c192_t;
+using SecurityManager::r192_t;
+using SecurityManager::c256_t;
+using SecurityManager::r256_t;
+using SecurityManager::PasskeyNum_t;
 using BLEProtocol::AddressBytes_t;
 using BLEProtocol::Address_t;
@@ -35,11 +40,7 @@ typedef uint8_t csrk_t[16];
 typedef uint8_t ltk_t[16];
 typedef uint8_t ediv_t[8];
 typedef uint8_t rand_t[2];
-typedef uint8_t passkey_t[4];
-typedef uint8_t c192_t[16];
-typedef uint8_t r192_t[16];
-typedef uint8_t c256_t[16];
-typedef uint8_t r256_t[16];
+typedef uint32_t passkey_num_t;
 struct bonded_list_entry_t {
 Address_t peer_address;
@@ -72,6 +73,7 @@ struct bonded_list_t {
 class SecurityManager : private mbed::NonCopyable {
 public:
 SecurityManager() : _event_handler(NULL) { };
+ virtual ~SecurityManager() { };
 virtual ble_error_t initialize() = 0;
 virtual ble_error_t terminate() = 0;
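Review bot: `setPasskey(const Passkey_t passkey)` in the `@@ -204,6 +208,69 @@` hunk of SecurityManager.h takes one parameter, but the implementation this patch adds in GenericSecurityManager.cpp is declared `setPasskey(const Passkey_t passkeyASCI, bool isStatic = false)`, which hides the virtual instead of overriding it. A call through a `SecurityManager` reference would therefore reach this stub and return `BLE_ERROR_NOT_IMPLEMENTED`. Either give the base the same signature, `virtual ble_error_t setPasskey(const Passkey_t passkey, bool isStatic = false) {` with `(void) isStatic;` in the body, or drop the extra parameter from the derived class. None of the nine functions added here has a documentation block; `isStatic` on `setPinCode` in particular needs a sentence on what a static PIN means for pairing.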
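Review bot: `using SecurityManager::PasskeyNum_t;` in the `@@ -25,6 +25,11 @@` hunk of PalSm.h names a type that no hunk of this patch declares; the SecurityManager.h changes add only `c192_t`, `r192_t`, `c256_t` and `r256_t`. The `@@ -35,11 +40,7 @@` hunk introduces `passkey_num_t` for what looks like the same purpose, and the file then uses both: `set_passkey(passkey_num_t passkey)` and, in the `@@ -127,7 +130,7 @@` hunk, `passkey_entered(connection_handle_t, PasskeyNum_t passkey)`. Unless `PasskeyNum_t` is defined outside this patch, the using-declaration should go and the PAL should use one name, `virtual ble_error_t passkey_entered(connection_handle_t, passkey_num_t passkey) = 0;`.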
@@ -97,7 +99,8 @@ public:
 virtual ble_error_t set_authentication_timeout(connection_handle_t, uint16_t timeout /*x10 ms*/) = 0;
 virtual ble_error_t get_authentication_timeout(connection_handle_t, uint16_t *timeout /*x10 ms*/) = 0;
- virtual ble_error_t set_pin_code(uint8_t pin_length, uint8_t *pin_code, bool variable_pin = true) = 0;
+ virtual ble_error_t set_pin_code(uint8_t pin_length, uint8_t *pin_code, bool static_pin = false) = 0;
+ virtual ble_error_t set_passkey(passkey_num_t passkey) = 0;
 /* feature support */
@@ -111,15 +114,15 @@ public:
 /* security level */
- virtual ble_error_t set_security_settings(connection_handle_t address,
- bool bondable = true,
- SecurityIOCapabilities_t iocaps = IO_CAPS_NONE,
- bool use_oob = false,
- bool send_keypresses = false) = 0;
+ virtual ble_error_t set_security_settings(bool bondable = true,
+ SecurityIOCapabilities_t iocaps = IO_CAPS_NONE,
+ bool send_keypresses = false) = 0;
+
+ virtual ble_error_t set_oob_data_usage(Gap::Handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM) = 0;
 /* triggers pairing if required */
 virtual ble_error_t set_security_mode(connection_handle_t handle,
- SecurityMode_t mode) = 0;
+ SecurityMode_t mode) = 0;
 virtual ble_error_t get_encryption_status(connection_handle_t handle,
 LinkSecurityStatus_t *mode) = 0;
@@ -127,7 +130,7 @@ public:
 /* MITM */
 virtual ble_error_t confirmation_entered(connection_handle_t address, bool confirmation) = 0;
- virtual ble_error_t passkey_entered(connection_handle_t, passkey_t passkey) = 0;
+ virtual ble_error_t passkey_entered(connection_handle_t, PasskeyNum_t passkey) = 0;
 virtual ble_error_t send_keypress_notification(connection_handle_t, Keypress_t keypress) = 0;
 virtual ble_error_t set_oob(connection_handle_t handle, c192_t*, r192_t*) = 0;
@@ -153,7 +156,7 @@ private:
 };
-}
-}
+} /* namespace pal */
+} /* namespace ble */
 #endif /* MBED_OS_FEATURES_FEATURE_BLE_BLE_PAL_PALSM_H_ */
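Review bot: Renaming the third parameter of `set_pin_code` from `variable_pin = true` to `static_pin = false` in the `@@ -97,7 +99,8 @@` hunk inverts its meaning while keeping its type and position, so any caller or port that passes the flag explicitly still compiles and now requests the opposite kind of PIN. The declaration needs a comment that states the new sense, for example `/* static_pin: true keeps the same PIN across pairings; code written against variable_pin must invert the argument */`. `pin_code` is presumably only read and could be `const uint8_t *pin_code`, and `set_passkey` added below it has no comment on the accepted range of `passkey`.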
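Review bot: `set_oob_data_usage(Gap::Handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM)` in the `@@ -111,15 +114,15 @@` hunk brings the public API's camelCase names and `Gap::Handle_t` into an interface whose other visible members use snake_case and `connection_handle_t`. Writing it as `virtual ble_error_t set_oob_data_usage(connection_handle_t handle, bool use_oob, bool oob_provides_mitm) = 0;` keeps the PAL consistent. The same hunk drops the connection handle from `set_security_settings`; if the settings are now meant to apply to every connection, a comment on the declaration should say so.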
diff --git a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
index 87b1a6b8e5..d11c31ad57 100644
--- a/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
+++ b/features/FEATURE_BLE/source/generic/GenericSecurityManager.cpp
@@ -23,22 +23,20 @@
 namespace ble {
 namespace generic {
+static const uint8_t NUMBER_OFFSET = '0';
+
 class GenericSecurityManager : public SecurityManager {
 public:
-
- virtual ble_error_t init(bool enableBonding = true,
- bool requireMITM = true,
- SecurityIOCapabilities_t iocaps = IO_CAPS_NONE,
- const Passkey_t passkey = NULL) {
- /* Avoid compiler warnings about unused variables. */
- (void)enableBonding;
+ virtual ble_error_t init(bool enableBonding = true,
+ bool requireMITM = true,
+ SecurityIOCapabilities_t iocaps = IO_CAPS_NONE,
+ const Passkey_t passkey = NULL) {
 (void)requireMITM;
- (void)iocaps;
- (void)passkey;
 loadState();
+ pal.set_security_settings(enableBonding, iocaps);
+ pal.set_passkey(passkey, true);
- return BLE_ERROR_NOT_IMPLEMENTED; /* Requesting action from porters: override this API if security is supported. */
+ return BLE_ERROR_NONE;
 }
 void saveState() {
@@ -70,13 +68,8 @@ public:
 return pal.get_whitelist(addresses);
 }
- ble_error_t setOOBDataUsage(Gap::Handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM) {
- /*
- [].useOOB = useOOB;
- [].OOBProvidesMITM = OOBProvidesMITM;
- */
-
- return BLE_ERROR_NONE;
+ ble_error_t setOOBDataUsage(Gap::Handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM = false) {
+ return pal.set_oob_data_usage(connectionHandle, useOOB, OOBProvidesMITM);
 }
 ble_error_t preserveBondingStateOnReset(bool enabled) {
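Review bot: `pal.set_passkey(passkey, true);` in the new `init` body (`@@ -23,22 +23,20 @@` hunk) does not match the PAL declaration added by this patch, `set_passkey(passkey_num_t passkey)`: it passes the ASCII `Passkey_t` and a second argument, so the call presumably should go through `setPasskey`, and only when `passkey` is not the default `NULL`. The results of both PAL calls are discarded and `init` returns `BLE_ERROR_NONE` regardless, so a failed configuration is reported as success. `requireMITM` is still cast to void, so a caller asking for MITM protection gets a success code although nothing in this hunk applies the requirement; that deserves at least `/* TODO: requireMITM is not applied yet */`. The fence shows a body that propagates errors and guards the passkey.

```cpp
                         const Passkey_t passkey = NULL) {
    /* … unchanged: (void)requireMITM; loadState(); … */
    ble_error_t err = pal.set_security_settings(enableBonding, iocaps);
    if (err != BLE_ERROR_NONE) {
        return err;
    }
    if (passkey != NULL) {
        err = setPasskey(passkey, true);
    }
    return err;
}
```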
@@ -84,6 +77,18 @@ public:
 return BLE_ERROR_NONE;
 }
+ ble_error_t setPinCode(uint8_t pinLength, uint8_t * pinCode, bool isStatic = false) {
+ return pal.set_pin_code(pinLength, pinCode, isStatic);
+ }
+
+ ble_error_t setPasskey(const Passkey_t passkeyASCI, bool isStatic = false) {
+ uint32_t passkey = 0;
+ for (int i = 0, m = 1; i < 6; ++i, m *= 10) {
+ passkey += (passkeyASCI[i] - NUMBER_OFFSET) * m;
+ }
+ return pal.set_passkey(passkey);
+ }
+
 protected:
 GenericSecurityManager(ble::pal::SecurityManager& palImpl) : pal(palImpl), saveStateEnabled(false) {
 eventHandler = new SecurityManagerEventHandler();
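Review bot: The conversion loop in `setPasskey` (`@@ -84,6 +77,18 @@` hunk) never checks its input: `passkeyASCI` may be `NULL` (the default of `init`'s `passkey` parameter), and a byte outside '0'-'9' yields a term outside 0-9 that is still added into `passkey`, so the PAL can receive a number that is not a 6-digit passkey. The loop also weights `passkeyASCI[0]` with 1, which stores the digits in reverse of their written order; if the PAL expects the passkey as displayed, the first character has to be the most significant digit. The literal `6` duplicates `PASSKEY_LEN`, and `isStatic` is accepted but never used or forwarded. The fence shows a checked, most-significant-first version.

```cpp
ble_error_t setPasskey(const Passkey_t passkeyASCI, bool isStatic = false) {
    (void) isStatic; /* not forwarded: pal.set_passkey() has no static flag */
    if (passkeyASCI == NULL) {
        return BLE_ERROR_INVALID_PARAM;
    }
    uint32_t passkey = 0;
    for (unsigned i = 0; i < PASSKEY_LEN; ++i) {
        if (passkeyASCI[i] < '0' || passkeyASCI[i] > '9') {
            return BLE_ERROR_INVALID_PARAM;
        }
        /* first character is the most significant digit */
        passkey = passkey * 10 + (passkeyASCI[i] - NUMBER_OFFSET);
    }
    return pal.set_passkey(passkey);
}
```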