From 9c6e867ea60e26979e8ba80bb3e93f18d65239e2 Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Fri, 19 Jan 2018 16:08:14 +0100
Subject: [PATCH] sm: moved sm_encryption_key_size, sm_authenticated, sm_authorization_state into gap.h
---
 src/ble/att_server.c | 6 +++---
 src/ble/sm.c | 23 -----------------------
 src/ble/sm.h | 22 ----------------------
 src/gap.h | 33 ++++++++++++++++++++++++++++++++-
 src/hci.c | 34 ++++++++++++++++++++++++++++++++++
 src/hci.h | 8 --------
 src/l2cap.c | 12 ++++--------
 7 files changed, 73 insertions(+), 65 deletions(-)
diff --git a/src/ble/att_server.c b/src/ble/att_server.c
index f96cbd157..16b2693ec 100644
--- a/src/ble/att_server.c
+++ b/src/ble/att_server.c
@@ -216,8 +216,8 @@ static void att_event_packet_handler (uint8_t packet_type, uint16_t channel, uin
 con_handle = little_endian_read_16(packet, 3);
 att_server = att_server_for_handle(con_handle);
 if (!att_server) break;
- att_server->connection.encryption_key_size = sm_encryption_key_size(con_handle);
- att_server->connection.authenticated = sm_authenticated(con_handle);
+ att_server->connection.encryption_key_size = gap_encryption_key_size(con_handle);
+ att_server->connection.authenticated = gap_authenticated(con_handle);
 if (hci_event_packet_get_type(packet) == HCI_EVENT_ENCRYPTION_CHANGE){
 // restore CCC values when encrypted
 if (hci_event_encryption_change_get_encryption_enabled(packet)){
@@ -345,7 +345,7 @@ static int att_server_process_validated_request(att_server_t * att_server){
 && (att_response_buffer[4] == ATT_ERROR_INSUFFICIENT_AUTHORIZATION)
 && (att_server->connection.authenticated)){
- switch (sm_authorization_state(att_server->connection.con_handle)){
+ switch (gap_authorization_state(att_server->connection.con_handle)){
 case AUTHORIZATION_UNKNOWN:
 l2cap_release_packet_buffer();
 sm_request_pairing(att_server->connection.con_handle);
diff --git a/src/ble/sm.c b/src/ble/sm.c
index 95e162cd9..cfb910776 100644
--- a/src/ble/sm.c
+++ b/src/ble/sm.c
@@ -4063,29 +4063,6 @@ static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handl
 return &hci_con->sm_connection;
 }
-// @returns 0 if not encrypted, 7-16 otherwise
-int sm_encryption_key_size(hci_con_handle_t con_handle){
- sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle);
- if (!sm_conn) return 0; // wrong connection
- if (!sm_conn->sm_connection_encrypted) return 0;
- return sm_conn->sm_actual_encryption_key_size;
-}
-
-int sm_authenticated(hci_con_handle_t con_handle){
- sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle);
- if (!sm_conn) return 0; // wrong connection
- if (!sm_conn->sm_connection_encrypted) return 0; // unencrypted connection cannot be authenticated
- return sm_conn->sm_connection_authenticated;
-}
-
-authorization_state_t sm_authorization_state(hci_con_handle_t con_handle){
- sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle);
- if (!sm_conn) return AUTHORIZATION_UNKNOWN; // wrong connection
- if (!sm_conn->sm_connection_encrypted) return AUTHORIZATION_UNKNOWN; // unencrypted connection cannot be authorized
- if (!sm_conn->sm_connection_authenticated) return AUTHORIZATION_UNKNOWN; // unauthenticatd connection cannot be authorized
- return sm_conn->sm_connection_authorization_state;
-}
-
 static void sm_send_security_request_for_connection(sm_connection_t * sm_conn){
 switch (sm_conn->sm_engine_state){
 case SM_GENERAL_IDLE:
diff --git a/src/ble/sm.h b/src/ble/sm.h
index eca5fd3fd..955c0a92c 100644
--- a/src/ble/sm.h
+++ b/src/ble/sm.h
@@ -152,28 +152,6 @@ void sm_passkey_input(hci_con_handle_t con_handle, uint32_t passkey);
 */
 void sm_keypress_notification(hci_con_handle_t con_handle, uint8_t action);
-/**
- *
- * @brief Get encryption key size.
- * @param con_handle
- * @return 0 if not encrypted, 7-16 otherwise
- */
-int sm_encryption_key_size(hci_con_handle_t con_handle);
-
-/**
- * @brief Get authentication property.
- * @param con_handle
- * @return 1 if bonded with OOB/Passkey (AND MITM protection)
- */
-int sm_authenticated(hci_con_handle_t con_handle);
-
-/**
- * @brief Queries authorization state.
- * @param con_handle
- * @return authorization_state for the current session
- */
-authorization_state_t sm_authorization_state(hci_con_handle_t con_handle);
-
 /**
 * @brief Used by att_server.c to request user authorization.
 * @param con_handle
diff --git a/src/gap.h b/src/gap.h
index 70d1a8fc3..989c47c95 100644
--- a/src/gap.h
+++ b/src/gap.h
@@ -44,7 +44,7 @@ extern "C" {
 #include "btstack_defines.h"
 #include "btstack_util.h"
-
+
 typedef enum {
 // MITM protection not required
@@ -103,6 +103,15 @@ typedef enum {
 GAP_RANDOM_ADDRESS_RESOLVABLE,
 } gap_random_address_type_t;
+// Authorization state
+typedef enum {
+ AUTHORIZATION_UNKNOWN,
+ AUTHORIZATION_PENDING,
+ AUTHORIZATION_DECLINED,
+ AUTHORIZATION_GRANTED
+} authorization_state_t;
+
+
 /* API_START */
 // Classic + LE
@@ -359,6 +368,28 @@ int gap_auto_connection_stop(bd_addr_type_t address_typ, bd_addr_t address);
 */
 void gap_auto_connection_stop_all(void);
+/**
+ *
+ * @brief Get encryption key size.
+ * @param con_handle
+ * @return 0 if not encrypted, 7-16 otherwise
+ */
+int gap_encryption_key_size(hci_con_handle_t con_handle);
+
+/**
+ * @brief Get authentication property.
+ * @param con_handle
+ * @return 1 if bonded with OOB/Passkey (AND MITM protection)
+ */
+int gap_authenticated(hci_con_handle_t con_handle);
+
+/**
+ * @brief Queries authorization state.
+ * @param con_handle
+ * @return authorization_state for the current session
+ */
+authorization_state_t gap_authorization_state(hci_con_handle_t con_handle);
+
 // Classic
 /**
diff --git a/src/hci.c b/src/hci.c
index 6596f9233..fef3cfde9 100644
--- a/src/hci.c
+++ b/src/hci.c
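Review bot: The doc comments on the three new `gap_*` getters do not state their fail-closed results, which is what att_server.c and l2cap.c depend on when they use these calls as access checks. Per the definitions added in src/hci.c, `gap_authenticated()` returns 0 and `gap_authorization_state()` returns AUTHORIZATION_UNKNOWN for an unknown handle or an unencrypted link, so I would extend the `@return` lines, e.g. `@return 1 if bonded with OOB/Passkey (AND MITM protection), 0 if the handle is unknown or the link is not encrypted`. The `@param con_handle` lines carry no description and the first block opens with a stray empty ` *` line. The prototypes are unconditional here while the definitions sit inside `#ifdef ENABLE_BLE`, so a line such as `// only available with ENABLE_BLE` above them would spare a Classic-only build a link error.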
@@ -4525,3 +4525,37 @@ void hci_disconnect_all(void){
 uint16_t hci_get_manufacturer(void){
 return hci_stack->manufacturer;
 }
+
+static sm_connection_t * sm_get_connection_for_handle(hci_con_handle_t con_handle){
+ hci_connection_t * hci_con = hci_connection_for_handle(con_handle);
+ if (!hci_con) return NULL;
+ return &hci_con->sm_connection;
+}
+
+#ifdef ENABLE_BLE
+
+// extracted from sm.c to allow enabling of l2cap le data channels without adding sm.c to the build
+// without sm.c default values from create_connection_for_bd_addr_and_type() resulg in non-encrypted, not-authenticated
+
+int gap_encryption_key_size(hci_con_handle_t con_handle){
+ sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle);
+ if (!sm_conn) return 0; // wrong connection
+ if (!sm_conn->sm_connection_encrypted) return 0;
+ return sm_conn->sm_actual_encryption_key_size;
+}
+
+int gap_authenticated(hci_con_handle_t con_handle){
+ sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle);
+ if (!sm_conn) return 0; // wrong connection
+ if (!sm_conn->sm_connection_encrypted) return 0; // unencrypted connection cannot be authenticated
+ return sm_conn->sm_connection_authenticated;
+}
+
+authorization_state_t gap_authorization_state(hci_con_handle_t con_handle){
+ sm_connection_t * sm_conn = sm_get_connection_for_handle(con_handle);
+ if (!sm_conn) return AUTHORIZATION_UNKNOWN; // wrong connection
+ if (!sm_conn->sm_connection_encrypted) return AUTHORIZATION_UNKNOWN; // unencrypted connection cannot be authorized
+ if (!sm_conn->sm_connection_authenticated) return AUTHORIZATION_UNKNOWN; // unauthenticatd connection cannot be authorized
+ return sm_conn->sm_connection_authorization_state;
+}
+#endif
diff --git a/src/hci.h b/src/hci.h
index d27fe2de8..9e5f81e70 100644
--- a/src/hci.h
+++ b/src/hci.h
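Review bot: `sm_get_connection_for_handle()` is added above `#ifdef ENABLE_BLE` although all three of its callers are inside the guard, so a build without ENABLE_BLE gets an unused static function and, if `sm_connection_t` or the `sm_connection` member is itself BLE-only (not visible in this hunk), may fail to compile. Moving the `#ifdef ENABLE_BLE` line above the helper covers both cases. The new comment also makes the fail-closed result of these getters without sm.c depend on the defaults set in `create_connection_for_bd_addr_and_type()`, which is outside this diff. I would state that dependency next to the getters, e.g. `// security: relies on new connections starting with sm_connection_encrypted == 0 and sm_connection_authenticated == 0`, and fix the typos `resulg` and `unauthenticatd` while there.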
@@ -381,14 +381,6 @@ typedef enum {
 IRK_LOOKUP_FAILED
 } irk_lookup_state_t;
-// Authorization state
-typedef enum {
- AUTHORIZATION_UNKNOWN,
- AUTHORIZATION_PENDING,
- AUTHORIZATION_DECLINED,
- AUTHORIZATION_GRANTED
-} authorization_state_t;
-
 typedef uint8_t sm_pairing_packet_t[7];
 // connection info available as long as connection exists
diff --git a/src/l2cap.c b/src/l2cap.c
index 195d54d62..cad807e69 100644
--- a/src/l2cap.c
+++ b/src/l2cap.c
@@ -53,10 +53,6 @@
 #include "btstack_event.h"
 #include "btstack_memory.h"
-#ifdef ENABLE_LE_DATA_CHANNELS
-#include "ble/sm.h"
-#endif
-
 #include
 #include
@@ -2868,13 +2864,13 @@ static int l2cap_le_signaling_handler_dispatch(hci_con_handle_t handle, uint8_t
 // security: check encryption
 if (service->required_security_level >= LEVEL_2){
- if (sm_encryption_key_size(handle) == 0){
+ if (gap_encryption_key_size(handle) == 0){
 // 0x0008 Connection refused - insufficient encryption
 l2cap_register_signaling_response(handle, LE_CREDIT_BASED_CONNECTION_REQUEST, sig_id, source_cid, 0x0008);
 return 1;
 }
 // anything less than 16 byte key size is insufficient
- if (sm_encryption_key_size(handle) < 16){
+ if (gap_encryption_key_size(handle) < 16){
 // 0x0007 Connection refused – insufficient encryption key size
 l2cap_register_signaling_response(handle, LE_CREDIT_BASED_CONNECTION_REQUEST, sig_id, source_cid, 0x0007);
 return 1;
@@ -2883,7 +2879,7 @@ static int l2cap_le_signaling_handler_dispatch(hci_con_handle_t handle, uint8_t
 // security: check authencation
 if (service->required_security_level >= LEVEL_3){
- if (!sm_authenticated(handle)){
+ if (!gap_authenticated(handle)){
 // 0x0005 Connection refused – insufficient authentication
 l2cap_register_signaling_response(handle, LE_CREDIT_BASED_CONNECTION_REQUEST, sig_id, source_cid, 0x0005);
 return 1;
@@ -2892,7 +2888,7 @@ static int l2cap_le_signaling_handler_dispatch(hci_con_handle_t handle, uint8_t
 // security: check authorization
 if (service->required_security_level >= LEVEL_4){
- if (sm_authorization_state(handle) != AUTHORIZATION_GRANTED){
+ if (gap_authorization_state(handle) != AUTHORIZATION_GRANTED){
 // 0x0006 Connection refused – insufficient authorization
 l2cap_register_signaling_response(handle, LE_CREDIT_BASED_CONNECTION_REQUEST, sig_id, source_cid, 0x0006);
 return 1;