sm: ENABLE_LE_CENTRAL_AUTO_ENCRYPTION triggers automatic encryption on connect to bonded devices

This commit is contained in:
Matthias Ringwald 2018-11-27 11:25:13 +01:00
parent 6ecd409b9d
commit c245ca32b5
2 changed files with 31 additions and 1 deletions

View File

@ -80,6 +80,7 @@ ENABLE_HFP_WIDE_BAND_SPEECH | Enable support for mSBC codec used in HFP pro
ENBALE_LE_PERIPHERAL | Enable support for LE Peripheral Role in HCI and Security Manager ENBALE_LE_PERIPHERAL | Enable support for LE Peripheral Role in HCI and Security Manager
ENBALE_LE_CENTRAL | Enable support for LE Central Role in HCI and Security Manager ENBALE_LE_CENTRAL | Enable support for LE Central Role in HCI and Security Manager
ENABLE_LE_SECURE_CONNECTIONS | Enable LE Secure Connections ENABLE_LE_SECURE_CONNECTIONS | Enable LE Secure Connections
ENABLE_LE_CENTRAL_AUTO_ENCRYPTION | Enable automatic encryption for bonded devices on re-connect
ENABLE_GATT_CLIENT_PAIRING | Enable GATT Client to start pairing and retry operation on security error ENABLE_GATT_CLIENT_PAIRING | Enable GATT Client to start pairing and retry operation on security error
ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS | Use [micro-ecc library](https://github.com/kmackay/micro-ecc) for ECC operations ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS | Use [micro-ecc library](https://github.com/kmackay/micro-ecc) for ECC operations
ENABLE_LE_DATA_CHANNELS | Enable LE Data Channels in credit-based flow control mode ENABLE_LE_DATA_CHANNELS | Enable LE Data Channels in credit-based flow control mode
@ -91,7 +92,7 @@ ENABLE_HCI_CONTROLLER_TO_HOST_FLOW_CONTROL | Enable HCI Controller to Host Flow
ENABLE_CC256X_BAUDRATE_CHANGE_FLOWCONTROL_BUG_WORKAROUND | Enable workaround for bug in CC256x Flow Control during baud rate change, see chipset docs. ENABLE_CC256X_BAUDRATE_CHANGE_FLOWCONTROL_BUG_WORKAROUND | Enable workaround for bug in CC256x Flow Control during baud rate change, see chipset docs.
Notes: Notes:
- ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS: Only some Bluetooth 4.2+ controllers (e.g., EM9304, ESP32) support the necessary HCI commands. Others reasons to enable the ECC software implementations are if the Host is much faster or if the micro-ecc library is already provided (e.g., ESP32, WICED) - ENABLE_MICRO_ECC_FOR_LE_SECURE_CONNECTIONS: Only some Bluetooth 4.2+ controllers (e.g., EM9304, ESP32) support the necessary HCI commands for ECC. Other reason to enable the ECC software implementations are if the Host is much faster or if the micro-ecc library is already provided (e.g., ESP32, WICED, or if the ECC HCI Commands are unreliable.
### HCI Controller to Host Flow Control ### HCI Controller to Host Flow Control
In general, BTstack relies on flow control of the HCI transport, either via Hardware CTS/RTS flow control for UART or regular USB flow control. If this is not possible, e.g on an SoC, BTstack can use HCI Controller to Host Flow Control by defining ENABLE_HCI_CONTROLLER_TO_HOST_FLOW_CONTROL. If enabled, the HCI Transport implementation must be able to buffer the specified packets. In addition, it also need to be able to buffer a few HCI Events. Using a low number of host buffers might result in less throughput. In general, BTstack relies on flow control of the HCI transport, either via Hardware CTS/RTS flow control for UART or regular USB flow control. If this is not possible, e.g on an SoC, BTstack can use HCI Controller to Host Flow Control by defining ENABLE_HCI_CONTROLLER_TO_HOST_FLOW_CONTROL. If enabled, the HCI Transport implementation must be able to buffer the specified packets. In addition, it also need to be able to buffer a few HCI Events. Using a low number of host buffers might result in less throughput.

View File

@ -1151,10 +1151,18 @@ static void sm_address_resolution_handle_event(address_resolution_event_t event)
// reset requests // reset requests
sm_connection->sm_security_request_received = 0; sm_connection->sm_security_request_received = 0;
sm_connection->sm_pairing_requested = 0; sm_connection->sm_pairing_requested = 0;
// have ltk -> start encryption // have ltk -> start encryption
// Core 5, Vol 3, Part C, 10.3.2 Initiating a Service Request
// "When a bond has been created between two devices, any reconnection should result in the local device
// enabling or requesting encryption with the remote device before initiating any service request."
if (have_ltk){ if (have_ltk){
#ifdef ENABLE_LE_CENTRAL_AUTO_ENCRYPTION
sm_connection->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK; sm_connection->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK;
break; break;
#else
log_info("central: defer enabling encryption for bonded device");
#endif
} }
// pairint_request -> send pairing request // pairint_request -> send pairing request
if (pairing_need){ if (pairing_need){
@ -3021,6 +3029,15 @@ static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint
// encryption change event concludes re-encryption for bonded devices (even if it fails) // encryption change event concludes re-encryption for bonded devices (even if it fails)
if (sm_conn->sm_engine_state == SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED){ if (sm_conn->sm_engine_state == SM_INITIATOR_PH0_W4_CONNECTION_ENCRYPTED){
sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED; sm_conn->sm_engine_state = SM_INITIATOR_CONNECTED;
// notify client, if pairing was requested before
if (sm_conn->sm_pairing_requested){
sm_conn->sm_pairing_requested = 0;
if (sm_conn->sm_connection_encrypted){
sm_notify_client_status_reason(sm_conn, ERROR_CODE_SUCCESS, 0);
} else {
sm_notify_client_status_reason(sm_conn, ERROR_CODE_AUTHENTICATION_FAILURE, 0);
}
}
sm_done_for_handle(sm_conn->sm_handle); sm_done_for_handle(sm_conn->sm_handle);
break; break;
} }
@ -3849,8 +3866,20 @@ void sm_request_pairing(hci_con_handle_t con_handle){
} else { } else {
// used as a trigger to start central/master/initiator security procedures // used as a trigger to start central/master/initiator security procedures
if (sm_conn->sm_engine_state == SM_INITIATOR_CONNECTED){ if (sm_conn->sm_engine_state == SM_INITIATOR_CONNECTED){
uint8_t ltk[16];
switch (sm_conn->sm_irk_lookup_state){ switch (sm_conn->sm_irk_lookup_state){
case IRK_LOOKUP_SUCCEEDED: case IRK_LOOKUP_SUCCEEDED:
#ifndef ENABLE_LE_CENTRAL_AUTO_ENCRYPTION
le_device_db_encryption_get(sm_conn->sm_le_db_index, NULL, NULL, ltk, NULL, NULL, NULL);
int have_ltk = !sm_is_null_key(ltk);
log_info("have ltk %u", have_ltk);
// trigger 'pairing complete' event on encryption change
sm_conn->sm_pairing_requested = 1;
sm_conn->sm_engine_state = SM_INITIATOR_PH0_HAS_LTK;
break;
#endif
/* explicit fall-through */
case IRK_LOOKUP_FAILED: case IRK_LOOKUP_FAILED:
sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST; sm_conn->sm_engine_state = SM_INITIATOR_PH1_W2_SEND_PAIRING_REQUEST;
break; break;