
Commit 239605c6 authored by Hansong Zhang's avatar Hansong Zhang

GD Security: Improve link encryption storage

Encryption is a property of the link.  We update it when we receive
an encryption change event, and then continue the L2cap security
Enforce() workflow.

For RFCOMM and OPP, we just need encryption (remote device is paired),
without authenticated link key or MITM.

Tag: #gd-refactor
Bug: 141555841
Test: cert/run --host
Change-Id: I42c7ccd3b8abac1acdef10833da574e4f798ef20
parent dda6b133
+3 −2
@@ -112,8 +112,9 @@ void SecurityManagerChannel::OnAuthenticationComplete(hci::Address remote) {
  }
}

void SecurityManagerChannel::OnEncryptionChange(hci::Address, bool encrypted) {
  // TODO(hsz): Update record and notify L2cap Enforce() complete.
void SecurityManagerChannel::OnEncryptionChange(hci::Address remote, bool encrypted) {
  ASSERT_LOG(listener_ != nullptr, "No listener set!");
  listener_->OnEncryptionChange(remote, encrypted);
}

}  // namespace channel
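Review bot: The `ASSERT_LOG(listener_ != nullptr, ...)` in the new `OnEncryptionChange` aborts the process when an encryption change arrives with no listener registered, and that event is triggered by the controller rather than by local code. Silently returning would be no better, since a dropped event leaves the stored encryption state stale, so the ordering requirement deserves a comment: `// A listener must be registered before HCI events can be delivered; dropping this event would leave stale encryption state.` The signature also carries no HCI status, so it is worth confirming in the caller (not shown here) that a failed encryption change is never reported as `encrypted == true`.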
+1 −0
@@ -40,6 +40,7 @@ class ISecurityManagerChannelListener {
  virtual ~ISecurityManagerChannelListener() = default;
  virtual void OnHciEventReceived(hci::EventPacketView packet) = 0;
  virtual void OnConnectionClosed(hci::Address) = 0;
  virtual void OnEncryptionChange(hci::Address, bool encrypted) = 0;
};

/**
+6 −0
@@ -59,6 +59,10 @@ class FakeSecurityManagerChannel : public SecurityManagerChannel {
  void OnLinkDisconnected(hci::Address address) {
    on_link_disconnected_called = true;
  }

  void OnAuthenticationComplete(hci::Address remote) override {}

  void OnEncryptionChange(hci::Address address, bool encrypted) override {}
};

class SecurityManagerChannelCallback : public ISecurityManagerChannelListener {
@@ -208,6 +212,8 @@ class SecurityManagerChannelCallback : public ISecurityManagerChannelListener {
  void OnConnectionClosed(hci::Address address) override {
    LOG_DEBUG("Called");
  }

  void OnEncryptionChange(hci::Address address, bool encrypted) override {}
};

class SecurityManagerChannelTest : public ::testing::Test {
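Review bot: Both new `OnEncryptionChange` overrides are empty, so nothing in this test file checks that the event reaches the listener or what value it carries. Following the `on_link_disconnected_called` pattern just above, the fake could record the call, e.g. `void OnEncryptionChange(hci::Address address, bool encrypted) override { on_encryption_change_called = true; }` with a matching `bool` member, and a test could assert on it. Since this commit makes the stored encryption state the deciding condition for `ENCRYPTED_TRANSPORT`, a case for `encrypted == false` is the one most worth covering. Both classes start and end outside these hunks.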
+13 −2
@@ -332,6 +332,17 @@ void SecurityManagerImpl::OnConnectionClosed(hci::Address address) {
  }
}

void SecurityManagerImpl::OnEncryptionChange(hci::Address address, bool encrypted) {
  auto remote = hci::AddressWithType(address, hci::AddressType::PUBLIC_DEVICE_ADDRESS);
  auto record = security_database_.FindOrCreate(remote);
  record->SetIsEncrypted(encrypted);
  auto cb_entry = enforce_security_policy_callback_map_.find(remote);
  if (cb_entry != enforce_security_policy_callback_map_.end()) {
    this->InternalEnforceSecurityPolicy(remote, cb_entry->second.first, std::move(cb_entry->second.second), false);
    enforce_security_policy_callback_map_.erase(cb_entry);
  }
}

void SecurityManagerImpl::OnHciLeEvent(hci::LeMetaEventView event) {
  // hci::SubeventCode::LONG_TERM_KEY_REQUEST,
  // hci::SubeventCode::READ_LOCAL_P256_PUBLIC_KEY_COMPLETE,
@@ -713,11 +724,11 @@ void SecurityManagerImpl::InternalEnforceSecurityPolicy(
  switch (policy) {
    case l2cap::classic::SecurityPolicy::BEST:
    case l2cap::classic::SecurityPolicy::AUTHENTICATED_ENCRYPTED_TRANSPORT:
      result = record->IsAuthenticated() && record->RequiresMitmProtection() && record->IsEncryptionRequired();
      result = record->IsAuthenticated() && record->RequiresMitmProtection() && record->IsEncrypted();
      authentication_requirements = hci::AuthenticationRequirements::GENERAL_BONDING_MITM_PROTECTION;
      break;
    case l2cap::classic::SecurityPolicy::ENCRYPTED_TRANSPORT:
      result = record->IsAuthenticated() && record->IsEncryptionRequired();
      result = record->IsEncrypted();
      authentication_requirements = hci::AuthenticationRequirements::NO_BONDING;
      break;
    case l2cap::classic::SecurityPolicy::_SDP_ONLY_NO_SECURITY_WHATSOEVER_PLAINTEXT_TRANSPORT_OK:
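Review bot: `ENCRYPTED_TRANSPORT` is now satisfied by `record->IsEncrypted()` alone, yet that flag is stored on the device record by `OnEncryptionChange` and nothing visible here resets it when the link drops. Unless `OnConnectionClosed` (its body is outside these hunks) clears it, for example with `record->SetIsEncrypted(false);`, a later unencrypted connection from the same address could pass the check on a stale value. In `OnEncryptionChange`, `FindOrCreate` with a hard-coded `PUBLIC_DEVICE_ADDRESS` also creates a record for any address the controller reports, so a comment stating that only classic links reach this path would help. If `InternalEnforceSecurityPolicy` can insert into `enforce_security_policy_callback_map_`, `cb_entry` may be invalid by the time `erase(cb_entry)` runs; moving the entry out and erasing it before the call avoids that. `InternalEnforceSecurityPolicy` continues past the end of the second hunk.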
+6 −0
@@ -153,6 +153,12 @@ class SecurityManagerImpl : public channel::ISecurityManagerChannelListener, pub
   */
  void OnConnectionClosed(hci::Address address) override;

  /**
   * When link encryption status change, we need to update the device record (temporary).
   * @param encrypted
   */
  void OnEncryptionChange(hci::Address remote, bool encrypted) override;

  /**
   * Pairing handler has finished or cancelled
   *
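Review bot: The new doc comment leaves `@param encrypted` without a description, omits the address parameter, and does not say that a pending Enforce callback is re-evaluated, which is what the implementation in this commit does. Something like `@param remote address of the peer whose link changed` and `@param encrypted true if the link is now encrypted, false if encryption was turned off` would cover it, plus a sentence that any pending security-policy callback for that device is re-run. The declaration in `ISecurityManagerChannelListener` still leaves the address parameter unnamed (`hci::Address, bool encrypted`); naming it `remote` there would match this override. The class continues outside the hunk.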