BLE: Security Manager

features/FEATURE_BLE/.mbedignore

@@ -0,0 +1 @@
+tests/*

features/FEATURE_BLE/ble/BLE.h

@@ -28,7 +28,7 @@
 #ifdef YOTTA_CFG_MBED_OS
 #include "mbed-drivers/mbed_error.h"
 #else
-#include "mbed_error.h"
+#include "platform/mbed_error.h"
 #endif
 
 #include "platform/mbed_toolchain.h"

features/FEATURE_BLE/ble/BLETypes.h

@@ -19,6 +19,8 @@
 
 #include <stddef.h>
 #include <stdint.h>
+#include <string.h>
+#include "ble/SafeEnum.h"
 
 /**
  * @addtogroup ble
@@ -54,7 +56,7 @@ typedef uint16_t attribute_handle_t;
   */
 struct attribute_handle_range_t {
     /**
-     * Begining of the range.
+     * Beginning of the range.
      */
     attribute_handle_t begin;
 
@@ -96,8 +98,8 @@ struct attribute_handle_range_t {
 /**
  * Construct an attribute_handle_range_t from its first and last attribute handle.
  *
- * @param begin Handle at the begining of the range.
- * @param end Handle at the end of the range.
+ * @param[in] begin Handle at the beginning of the range.
+ * @param[in] end Handle at the end of the range.
  *
  * @return An instance of attribute_handle_range_t where
  * attribute_handle_range_t::begin is equal to begin and
@@ -117,6 +119,266 @@ static inline attribute_handle_range_t attribute_handle_range(
     return result;
 }
 
+/**
+ * Type that describes link's encryption state.
+ */
+struct link_encryption_t : SafeEnum<link_encryption_t, uint8_t> {
+    /** struct scoped enum wrapped by the class */
+    enum type {
+        NOT_ENCRYPTED,          /**< The link is not secured. */
+        ENCRYPTION_IN_PROGRESS, /**< Link security is being established. */
+        ENCRYPTED,              /**< The link is secure. */
+        ENCRYPTED_WITH_MITM     /**< The link is secure and authenticated. */
+    };
+
+    /**
+     * Construct a new instance of link_encryption_t.
+     */
+    link_encryption_t(type value) : SafeEnum<link_encryption_t, uint8_t>(value) { }
+};
+
+/**
+ * Type that describe a pairing failure.
+ */
+struct pairing_failure_t : SafeEnum<pairing_failure_t, uint8_t> {
+    /** struct scoped enum wrapped by the class */
+    enum type {
+        PASSKEY_ENTRY_FAILED = 0x01,
+        OOB_NOT_AVAILABLE = 0x02,
+        AUTHENTICATION_REQUIREMENTS = 0x03,
+        CONFIRM_VALUE_FAILED = 0x04,
+        PAIRING_NOT_SUPPORTED = 0x05,
+        ENCRYPTION_KEY_SIZE = 0x06,
+        COMMAND_NOT_SUPPORTED = 0x07,
+        UNSPECIFIED_REASON = 0x08,
+        REPEATED_ATTEMPTS = 0x09,
+        INVALID_PARAMETERS = 0x0A,
+        DHKEY_CHECK_FAILED = 0x0B,
+        NUMERIC_COMPARISON_FAILED = 0x0c,
+        BR_EDR_PAIRING_IN_PROGRESS = 0x0D,
+        CROSS_TRANSPORT_KEY_DERIVATION_OR_GENERATION_NOT_ALLOWED = 0x0E
+    };
+
+    /**
+     * Construct a new instance of pairing_failure_t.
+     */
+    pairing_failure_t(type value) : SafeEnum<pairing_failure_t, uint8_t>(value) { }
+};
+
+
+/**
+ * Type that describe the IO capability of a device; it is used during Pairing
+ * Feature exchange.
+ */
+struct io_capability_t : SafeEnum<io_capability_t, uint8_t> {
+    enum type {
+        DISPLAY_ONLY = 0x00,
+        DISPLAY_YES_NO = 0x01,
+        KEYBOARD_ONLY = 0x02,
+        NO_INPUT_NO_OUTPUT = 0x03,
+        KEYBOARD_DISPLAY = 0x04
+    };
+
+    /**
+     * Construct a new instance of io_capability_t.
+     */
+    io_capability_t(type value) : SafeEnum<io_capability_t, uint8_t>(value) { }
+};
+
+/**
+ * Passkey stored as a number.
+ */
+typedef uint32_t passkey_num_t;
+
+/**
+ * Passkey stored as a string of digits.
+ */
+class PasskeyAscii {
+public:
+    static const uint8_t PASSKEY_LEN = 6;
+    static const uint8_t NUMBER_OFFSET = '0';
+
+    /**
+     * Default to all zeroes
+     */
+    PasskeyAscii() {
+        memset(ascii, NUMBER_OFFSET, PASSKEY_LEN);
+    }
+
+    /**
+     * Initialize a data from a string.
+     *
+     * @param[in] passkey value of the data.
+     */
+    PasskeyAscii(const uint8_t* passkey) {
+        if (passkey) {
+            memcpy(ascii, passkey, PASSKEY_LEN);
+        } else {
+            memset(ascii, NUMBER_OFFSET, PASSKEY_LEN);
+        }
+    }
+
+    /**
+     * Initialize a data from a number.
+     *
+     * @param[in] passkey value of the data.
+     */
+    PasskeyAscii(passkey_num_t passkey) {
+        for (int i = 5, m = 100000; i >= 0; --i, m /= 10) {
+            uint32_t result = passkey / m;
+            ascii[i] = NUMBER_OFFSET + result;
+            passkey -= result * m;
+        }
+    }
+
+    /**
+     * Cast to number.
+     */
+    operator passkey_num_t() {
+        return to_num(ascii);
+    }
+
+    /**
+     * Convert ASCII string of digits into a number.
+     * @param[in] ascii ASCII string of 6 digits stored as ASCII characters
+     * @return Passkey as a number.
+     */
+    static uint32_t to_num(const uint8_t *ascii) {
+        uint32_t passkey = 0;
+        for (size_t i = 0, m = 1; i < PASSKEY_LEN; ++i, m *= 10) {
+            passkey += (ascii[i] - NUMBER_OFFSET) * m;
+        }
+        return passkey;
+    }
+
+    /**
+     * Return the pointer to the buffer holding the string.
+     */
+    uint8_t* value() {
+        return ascii;
+    }
+private:
+    uint8_t ascii[PASSKEY_LEN];
+};
+
+template <size_t array_size>
+struct byte_array_t {
+    /**
+     * Default to all zeroes
+     */
+    byte_array_t() {
+        memset(_value, 0x00, sizeof(_value));
+    }
+
+    /**
+     * Initialize a data from an array of bytes.
+     *
+     * @param[in] input_value value of the data.
+     */
+    byte_array_t(const uint8_t *input_value) {
+        memcpy(_value, input_value, sizeof(_value));
+    }
+
+    /**
+     * Initialize a data from an buffer of bytes.
+     *
+     * @param[in] input_value pointer to buffer.
+     * @param[in] size buffer size
+     */
+    byte_array_t(const uint8_t* input_value, size_t size) {
+        memcpy(_value, input_value, size);
+    }
+
+    /**
+     * Equal operator between two octet types.
+     */
+    friend bool operator==(const byte_array_t& lhs, const byte_array_t& rhs) {
+        return memcmp(lhs._value, rhs._value, sizeof(lhs._value)) == 0;
+    }
+
+    /**
+     * Non equal operator between two octet types.
+     */
+    friend bool operator!=(const byte_array_t& lhs, const byte_array_t& rhs) {
+        return !(lhs == rhs);
+    }
+
+    /**
+     * Subscript operator to access data content
+     */
+    uint8_t& operator[](uint8_t i) {
+        return _value[i];
+    }
+
+    /**
+     * Return the pointer to the buffer holding data.
+     */
+    const uint8_t* data() const {
+        return _value;
+    }
+
+    /**
+     * Return the pointer to the buffer holding data.
+     */
+    uint8_t* buffer() {
+        return _value;
+    }
+
+    /**
+     * Size in byte of a data.
+     */
+    static size_t size() {
+        return array_size;
+    }
+
+protected:
+    uint8_t _value[array_size];
+};
+
+/** 128 bit keys used by paired devices */
+typedef byte_array_t<16> irk_t;
+typedef byte_array_t<16> csrk_t;
+typedef byte_array_t<16> ltk_t;
+
+/** Used to identify LTK for legacy pairing connections */
+typedef byte_array_t<2> ediv_t;
+typedef byte_array_t<8> rand_t;
+
+/** Out of band data exchanged during pairing */
+typedef byte_array_t<16> oob_tk_t; /**< legacy pairing TK */
+typedef byte_array_t<16> oob_lesc_value_t; /**< secure connections oob random 128 value */
+typedef byte_array_t<16> oob_confirm_t; /**< secure connections oob confirmation value */
+
+/** data to be encrypted */
+typedef byte_array_t<16> encryption_block_t;
+
+/** public key coordinate, two of which define the public key */
+typedef byte_array_t<32> public_key_coord_t;
+
+/** Diffie-Hellman key */
+typedef byte_array_t<32> dhkey_t;
+
+/**
+ * MAC address data type.
+ */
+struct address_t : public byte_array_t<6> {
+    /**
+     * Create an invalid mac address, equal to FF:FF:FF:FF:FF:FF
+     */
+    address_t() {
+        memset(_value, 0xFF, sizeof(_value));
+    }
+
+    /**
+     * Initialize a data from an array of bytes.
+     *
+     * @param[in] input_value value of the data.
+     */
+    address_t(const uint8_t *input_value) {
+        memcpy(_value, input_value, sizeof(_value));
+    }
+};
+
 } // namespace ble
 
 /**

features/FEATURE_BLE/ble/Gap.h

@@ -237,7 +237,7 @@ class GapAdvertisingData;
  *    // Initiate the connection procedure
  *    gap.connect(
  *       packet->peerAddr,
- *       BLEProtocol::RANDOM_STATIC,
+ *       packet->addressType,
  *       &connection_parameters,
  *       &scanning_params
  *    );
@@ -608,6 +608,11 @@ class Gap {
          * Pointer to the advertisement packet's data.
          */
         const uint8_t *advertisingData;
+
+        /**
+         * Type of the address received
+         */
+        AddressType_t addressType;
     };
 
     /**
@@ -2304,6 +2309,7 @@ class Gap {
             ownAddr,
             connectionParams
         );
+
         connectionCallChain.call(&callbackParams);
     }
 
@@ -2342,22 +2348,29 @@ class Gap {
      * @param[in] type Advertising type of the packet.
      * @param[in] advertisingDataLen Length of the advertisement data received.
      * @param[in] advertisingData Pointer to the advertisement packet's data.
+     * @param[in] addressType Type of the address of the peer that has emitted the packet.
      */
     void processAdvertisementReport(
         const BLEProtocol::AddressBytes_t peerAddr,
         int8_t rssi,
         bool isScanResponse,
         GapAdvertisingParams::AdvertisingType_t type,
         uint8_t advertisingDataLen,
-        const uint8_t *advertisingData
+        const uint8_t *advertisingData,
+        BLEProtocol::AddressType_t addressType = BLEProtocol::AddressType::RANDOM_STATIC
     ) {
+       // FIXME: remove default parameter for addressType when ST shield is merged;
+       // this has been added to mitigate the lack of dependency management in
+       // testing jobs ....
+
         AdvertisementCallbackParams_t params;
         memcpy(params.peerAddr, peerAddr, ADDR_LEN);
         params.rssi = rssi;
         params.isScanResponse = isScanResponse;
         params.type = type;
         params.advertisingDataLen = advertisingDataLen;
         params.advertisingData = advertisingData;
+        params.addressType = addressType;
         onAdvertisementReport.call(&params);
     }