Add group object security handling

2025-01-25 00:06:20 +01:00 · 2020-07-02 11:51:43 +02:00 · 2020-07-02 11:51:43 +02:00 · f8252097c8
commit f8252097c8
parent 0f794ab2ea
5 changed files with 65 additions and 20 deletions
--- a/src/knx/bau_systemB.cpp
+++ b/src/knx/bau_systemB.cpp
@ -79,25 +79,25 @@ void BauSystemB::sendNextGroupTelegram()
            continue;

        SecurityControl goSecurity;
-        // TODO: what do we do with it?
-        goSecurity.toolAccess;
-
-#ifdef USE_DATASECURE
-        // Get security flags from Security Interface Object for this group object
-        goSecurity.dataSecurity = _appLayer.getGoSecurityFlags(asap);
-
-#else
+        goSecurity.toolAccess = false;
        goSecurity.dataSecurity = DataSecurity::none;
-#endif

        if (flag == WriteRequest && go.transmitEnable())
        {
+#ifdef USE_DATASECURE
+            // Get security flags from Security Interface Object for this group object
+            goSecurity.dataSecurity = _secIfObj.getGroupObjectSecurity(asap, true);
+#endif
            uint8_t* data = go.valueRef();
            _appLayer.groupValueWriteRequest(AckRequested, asap, go.priority(), NetworkLayerParameter, goSecurity, data,
                go.sizeInTelegram());
        }
        else if (flag == ReadRequest)
        {
+#ifdef USE_DATASECURE
+            // Get security flags from Security Interface Object for this group object
+            goSecurity.dataSecurity = _secIfObj.getGroupObjectSecurity(asap, false);
+#endif
            _appLayer.groupValueReadRequest(AckRequested, asap, go.priority(), NetworkLayerParameter, goSecurity);
        }

@ -584,6 +584,19 @@ void BauSystemB::groupValueReadLocalConfirm(AckType ack, uint16_t asap, Priority

 void BauSystemB::groupValueReadIndication(uint16_t asap, Priority priority, HopCountType hopType, const SecurityControl &secCtrl)
 {
+#ifdef USE_DATASECURE
+    DataSecurity requiredGoSecurity;
+
+    // Get security flags from Security Interface Object for this group object
+    requiredGoSecurity = _secIfObj.getGroupObjectSecurity(asap, false);
+
+    if (secCtrl.dataSecurity != requiredGoSecurity)
+    {
+        println("GroupValueRead: access denied due to wrong security flags");
+        return;
+    }
+#endif
+
    GroupObject& go = _groupObjTable.get(asap);

    if (!go.communicationEnable() || !go.readEnable())
@ -606,6 +619,18 @@ void BauSystemB::groupValueReadAppLayerConfirm(uint16_t asap, Priority priority,

 void BauSystemB::groupValueWriteIndication(uint16_t asap, Priority priority, HopCountType hopType, const SecurityControl &secCtrl, uint8_t * data, uint8_t dataLength)
 {
+#ifdef USE_DATASECURE
+    DataSecurity requiredGoSecurity;
+
+    // Get security flags from Security Interface Object for this group object
+    requiredGoSecurity = _secIfObj.getGroupObjectSecurity(asap, true);
+
+    if (secCtrl.dataSecurity != requiredGoSecurity)
+    {
+        println("GroupValueWrite: access denied due to wrong security flags");
+        return;
+    }
+#endif
    GroupObject& go = _groupObjTable.get(asap);

    if (!go.communicationEnable() || !go.writeEnable())
--- a/src/knx/secure_application_layer.cpp
+++ b/src/knx/secure_application_layer.cpp
@ -294,6 +294,10 @@ void SecureApplicationLayer::dataGroupRequest(AckType ack, HopCountType hopType,

    if (secCtrl.dataSecurity != DataSecurity::none)
    {
+        apdu.frame().sourceAddress(_deviceObj.induvidualAddress());
+        apdu.frame().destinationAddress(_addrTab.getGroupAddress(tsap));
+        apdu.frame().addressType(GroupAddress);
+
        uint16_t secureApduLength = apdu.length() + 3 + 6 + 4; // 3(TPCI,APCI,SCF) + sizeof(seqNum) + apdu.length() + 4
        CemiFrame secureFrame(secureApduLength);
        // create secure APDU
@ -1275,8 +1279,3 @@ bool SecureApplicationLayer::isSyncService(APDU& secureApdu)

    return false;
 }
-
-DataSecurity SecureApplicationLayer::getGoSecurityFlags(uint16_t index)
-{
-    return _secIfObj.getGoSecurityFlags(index);
-}
--- a/src/knx/secure_application_layer.h
+++ b/src/knx/secure_application_layer.h
@ -35,8 +35,6 @@ class SecureApplicationLayer :  public ApplicationLayer
    void getFailureCounters(uint8_t* data);
    uint8_t getFromFailureLogByIndex(uint8_t index, uint8_t* data, uint8_t maxDataLen);

-    DataSecurity getGoSecurityFlags(uint16_t index);
-
    // from transport layer
    virtual void dataGroupIndication(HopCountType hopType, Priority priority, uint16_t tsap, APDU& apdu) override;
    virtual void dataGroupConfirm(AckType ack, HopCountType hopType, Priority priority, uint16_t tsap,
--- a/src/knx/security_interface_object.cpp
+++ b/src/knx/security_interface_object.cpp
@ -491,10 +491,33 @@ void SecurityInterfaceObject::setLastValidSequenceNumber(uint16_t deviceAddr, ui
    }
 }

-DataSecurity SecurityInterfaceObject::getGoSecurityFlags(uint16_t index)
+DataSecurity SecurityInterfaceObject::getGroupObjectSecurity(uint16_t index, bool isWrite)
 {
-    // TODO
-    // PID_GO_SECURITY_FLAGS
+    // security table uses same index as group object table
+
+    uint8_t data[propertySize(PID_GO_SECURITY_FLAGS)];
+
+    uint8_t count = property(PID_GO_SECURITY_FLAGS)->read(index, 1, data);
+
+    if (count > 0)
+    {
+        bool conf;
+        bool auth;
+        if (isWrite)
+        {
+            // write access flags, draft spec. p.68
+            conf = (data[0] & 2) == 2;
+            auth = (data[0] & 1) == 1;
+        }
+        else
+        {
+            // Read access flags, draft spec. p.68
+            conf = (data[0] & 8) == 8;
+            auth = (data[0] & 4) == 4;
+        }
+        return conf ? DataSecurity::authConf : auth ? DataSecurity::auth : DataSecurity::none;
+    }
+
    return DataSecurity::none;
 }

--- a/src/knx/security_interface_object.h
+++ b/src/knx/security_interface_object.h
@ -33,7 +33,7 @@ public:
  uint64_t getLastValidSequenceNumber(uint16_t deviceAddr);
  void setLastValidSequenceNumber(uint16_t deviceAddr, uint64_t seqNum);

-  DataSecurity getGoSecurityFlags(uint16_t index);
+  DataSecurity getGroupObjectSecurity(uint16_t index, bool isWrite);

 private:
  SecureApplicationLayer* _secAppLayer = nullptr;