SM: Implement API for enforcing security levels (cf33a7e6) · Commits · e / os / android_packages_modules_Bluetooth

system/gd/security/Android.bp

+1 −0

Original line number	Diff line number	Diff line
		@@ -5,6 +5,7 @@ filegroup {
		"ecc/p_256_ecc_pp.cc",
		"ecdh_keys.cc",
		"facade_configuration_api.cc",
		"l2cap_security_module_interface.cc",
		"pairing_handler_le.cc",
		"pairing_handler_le_legacy.cc",
		"pairing_handler_le_secure_connections.cc",

system/gd/security/internal/security_manager_impl.cc

+45 −0

Original line number	Diff line number	Diff line
		@@ -450,6 +450,51 @@ void SecurityManagerImpl::SetOobDataPresent(hci::OobDataPresent data_present) {
		this->local_oob_data_present_ = data_present;
		}

		void SecurityManagerImpl::EnforceSecurityPolicy(
		hci::AddressWithType remote, l2cap::classic::SecurityPolicy policy,
		l2cap::classic::SecurityModuleInterface::ResultCallback result_callback) {
		bool result = false;
		auto record = this->security_database_.FindOrCreate(remote);
		switch (policy) {
		case l2cap::classic::SecurityPolicy::BEST:
		case l2cap::classic::SecurityPolicy::AUTHENTICATED_ENCRYPTED_TRANSPORT:
		result = record.IsAuthenticated() && record.RequiresMitmProtection() && record.IsEncryptionRequired();
		break;
		case l2cap::classic::SecurityPolicy::ENCRYPTED_TRANSPORT:
		result = record.IsAuthenticated() && record.IsEncryptionRequired();
		break;
		case l2cap::classic::SecurityPolicy::_SDP_ONLY_NO_SECURITY_WHATSOEVER_PLAINTEXT_TRANSPORT_OK:
		result = true;
		break;
		}
		if (!result) {
		// TODO(optedoblivion): Start pairing process to meet requirements
		}
		result_callback.Invoke(result);
		}

		void SecurityManagerImpl::EnforceLeSecurityPolicy(hci::AddressWithType remote, l2cap::le::SecurityPolicy policy,
		l2cap::le::SecurityModuleInterface::ResultCallback result_callback) {
		bool result = false;
		// TODO(jpawlowski): Implement for LE
		switch (policy) {
		case l2cap::le::SecurityPolicy::BEST:
		break;
		case l2cap::le::SecurityPolicy::AUTHENTICATED_ENCRYPTED_TRANSPORT:
		break;
		case l2cap::le::SecurityPolicy::ENCRYPTED_TRANSPORT:
		break;
		case l2cap::le::SecurityPolicy::NO_SECURITY_WHATSOEVER_PLAINTEXT_TRANSPORT_OK:
		result = true;
		break;
		case l2cap::le::SecurityPolicy::_NOT_FOR_YOU__AUTHENTICATED_PAIRING_WITH_128_BIT_KEY:
		break;
		case l2cap::le::SecurityPolicy::_NOT_FOR_YOU__AUTHORIZATION:
		break;
		}
		result_callback.Invoke(result);
		}

		} // namespace internal
		} // namespace security
		} // namespace bluetooth

system/gd/security/internal/security_manager_impl.h

+7 −0

Original line number	Diff line number	Diff line
		@@ -21,7 +21,9 @@

		#include "hci/acl_manager.h"
		#include "hci/classic_device.h"
		#include "l2cap/classic/security_module_interface.h"
		#include "l2cap/le/l2cap_le_module.h"
		#include "l2cap/le/security_module_interface.h"
		#include "os/handler.h"
		#include "security/channel/security_manager_channel.h"
		#include "security/initial_informations.h"
		@@ -151,6 +153,11 @@ class SecurityManagerImpl : public channel::ISecurityManagerChannelListener, pub
		void SetAuthenticationRequirements(hci::AuthenticationRequirements authentication_requirements);
		void SetOobDataPresent(hci::OobDataPresent data_present);

		void EnforceSecurityPolicy(hci::AddressWithType remote, l2cap::classic::SecurityPolicy policy,
		l2cap::classic::SecurityModuleInterface::ResultCallback result_callback);
		void EnforceLeSecurityPolicy(hci::AddressWithType remote, l2cap::le::SecurityPolicy policy,
		l2cap::le::SecurityModuleInterface::ResultCallback result_callback);

		protected:
		std::vector<std::pair<ISecurityManagerListener, os::Handler>> listeners_;
		UI* user_interface_ = nullptr;

system/gd/security/l2cap_security_module_interface.cc

0 → 100644

+45 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright 2020 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/
		#include "security/l2cap_security_module_interface.h"
		#include "common/bind.h"

		namespace bluetooth {
		namespace security {

		L2capSecurityModuleInterface::L2capSecurityModuleInterface(internal::SecurityManagerImpl* security_manager_impl,
		os::Handler* security_handler)
		: security_manager_impl_(security_manager_impl), security_handler_(security_handler) {}

		void L2capSecurityModuleInterface::EnforceSecurityPolicy(
		hci::AddressWithType remote, l2cap::classic::SecurityPolicy policy,
		l2cap::classic::SecurityModuleInterface::ResultCallback result_callback) {
		this->security_handler_->Post(common::BindOnce(
		&internal::SecurityManagerImpl::EnforceSecurityPolicy, common::Unretained(security_manager_impl_),
		std::forward<hci::AddressWithType>(remote), std::forward<l2cap::classic::SecurityPolicy>(policy),
		std::forward<l2cap::classic::SecurityModuleInterface::ResultCallback>(result_callback)));
		}

		void L2capSecurityModuleInterface::EnforceSecurityPolicy(
		hci::AddressWithType remote, l2cap::le::SecurityPolicy policy,
		l2cap::le::SecurityModuleInterface::ResultCallback result_callback) {
		this->security_handler_->Post(common::BindOnce(
		&internal::SecurityManagerImpl::EnforceLeSecurityPolicy, common::Unretained(security_manager_impl_),
		std::forward<hci::AddressWithType>(remote), std::forward<l2cap::le::SecurityPolicy>(policy),
		std::forward<l2cap::le::SecurityModuleInterface::ResultCallback>(result_callback)));
		}

		} // namespace security
		} // namespace bluetooth

system/gd/security/l2cap_security_module_interface.h

0 → 100644

+40 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright 2020 The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/
		#pragma once

		#include "l2cap/classic/security_module_interface.h"
		#include "l2cap/le/security_module_interface.h"
		#include "os/handler.h"
		#include "security/internal/security_manager_impl.h"

		namespace bluetooth {
		namespace security {
		class L2capSecurityModuleInterface : public l2cap::classic::SecurityModuleInterface,
		public l2cap::le::SecurityModuleInterface {
		public:
		L2capSecurityModuleInterface(internal::SecurityManagerImpl* security_manager_impl, os::Handler* security_handler);
		void EnforceSecurityPolicy(hci::AddressWithType remote, l2cap::classic::SecurityPolicy policy,
		l2cap::classic::SecurityModuleInterface::ResultCallback result_callback) override;
		void EnforceSecurityPolicy(hci::AddressWithType remote, l2cap::le::SecurityPolicy policy,
		l2cap::le::SecurityModuleInterface::ResultCallback result_callback) override;

		private:
		internal::SecurityManagerImpl* security_manager_impl_;
		os::Handler* security_handler_ = nullptr;
		};

		} // namespace security
		} // namespace bluetooth