Add group object security handling

2025-07-01 01:17:26 +02:00 · 2020-07-02 11:51:43 +02:00 · 2020-07-02 11:51:43 +02:00 · f8252097c8
commit f8252097c8
parent 0f794ab2ea
5 changed files with 65 additions and 20 deletions
--- a/src/knx/bau_systemB.cpp
+++ b/src/knx/bau_systemB.cpp
@ -79,25 +79,25 @@ void BauSystemB::sendNextGroupTelegram()
            continue;
        SecurityControl goSecurity;
-        // TODO: what do we do with it?
+        goSecurity.toolAccess = false;
        goSecurity.toolAccess;
 #ifdef USE_DATASECURE
        // Get security flags from Security Interface Object for this group object
        goSecurity.dataSecurity = _appLayer.getGoSecurityFlags(asap);
 #else
        goSecurity.dataSecurity = DataSecurity::none;
 #endif
        if (flag == WriteRequest && go.transmitEnable())
        {
 #ifdef USE_DATASECURE
            // Get security flags from Security Interface Object for this group object
            goSecurity.dataSecurity = _secIfObj.getGroupObjectSecurity(asap, true);
 #endif
            uint8_t* data = go.valueRef();
            _appLayer.groupValueWriteRequest(AckRequested, asap, go.priority(), NetworkLayerParameter, goSecurity, data,
                go.sizeInTelegram());
        }
        else if (flag == ReadRequest)
        {
 #ifdef USE_DATASECURE
            // Get security flags from Security Interface Object for this group object
            goSecurity.dataSecurity = _secIfObj.getGroupObjectSecurity(asap, false);
 #endif
            _appLayer.groupValueReadRequest(AckRequested, asap, go.priority(), NetworkLayerParameter, goSecurity);
        }
@ -584,6 +584,19 @@ void BauSystemB::groupValueReadLocalConfirm(AckType ack, uint16_t asap, Priority
 void BauSystemB::groupValueReadIndication(uint16_t asap, Priority priority, HopCountType hopType, const SecurityControl &secCtrl)
 {
 #ifdef USE_DATASECURE
    DataSecurity requiredGoSecurity;
    // Get security flags from Security Interface Object for this group object
    requiredGoSecurity = _secIfObj.getGroupObjectSecurity(asap, false);
    if (secCtrl.dataSecurity != requiredGoSecurity)
    {
        println("GroupValueRead: access denied due to wrong security flags");
        return;
    }
 #endif
    GroupObject& go = _groupObjTable.get(asap);
    if (!go.communicationEnable() || !go.readEnable())
@ -606,6 +619,18 @@ void BauSystemB::groupValueReadAppLayerConfirm(uint16_t asap, Priority priority,
 void BauSystemB::groupValueWriteIndication(uint16_t asap, Priority priority, HopCountType hopType, const SecurityControl &secCtrl, uint8_t * data, uint8_t dataLength)
 {
 #ifdef USE_DATASECURE
    DataSecurity requiredGoSecurity;
    // Get security flags from Security Interface Object for this group object
    requiredGoSecurity = _secIfObj.getGroupObjectSecurity(asap, true);
    if (secCtrl.dataSecurity != requiredGoSecurity)
    {
        println("GroupValueWrite: access denied due to wrong security flags");
        return;
    }
 #endif
    GroupObject& go = _groupObjTable.get(asap);
    if (!go.communicationEnable() || !go.writeEnable())
--- a/src/knx/secure_application_layer.cpp
+++ b/src/knx/secure_application_layer.cpp
@ -294,6 +294,10 @@ void SecureApplicationLayer::dataGroupRequest(AckType ack, HopCountType hopType,
    if (secCtrl.dataSecurity != DataSecurity::none)
    {
        apdu.frame().sourceAddress(_deviceObj.induvidualAddress());
        apdu.frame().destinationAddress(_addrTab.getGroupAddress(tsap));
        apdu.frame().addressType(GroupAddress);
        uint16_t secureApduLength = apdu.length() + 3 + 6 + 4; // 3(TPCI,APCI,SCF) + sizeof(seqNum) + apdu.length() + 4
        CemiFrame secureFrame(secureApduLength);
        // create secure APDU
@ -1275,8 +1279,3 @@ bool SecureApplicationLayer::isSyncService(APDU& secureApdu)
    return false;
 }
 DataSecurity SecureApplicationLayer::getGoSecurityFlags(uint16_t index)
 {
    return _secIfObj.getGoSecurityFlags(index);
 }
--- a/src/knx/secure_application_layer.h
+++ b/src/knx/secure_application_layer.h
@ -35,8 +35,6 @@ class SecureApplicationLayer :  public ApplicationLayer
    void getFailureCounters(uint8_t* data);
    uint8_t getFromFailureLogByIndex(uint8_t index, uint8_t* data, uint8_t maxDataLen);
    DataSecurity getGoSecurityFlags(uint16_t index);
    // from transport layer
    virtual void dataGroupIndication(HopCountType hopType, Priority priority, uint16_t tsap, APDU& apdu) override;
    virtual void dataGroupConfirm(AckType ack, HopCountType hopType, Priority priority, uint16_t tsap,
--- a/src/knx/security_interface_object.cpp
+++ b/src/knx/security_interface_object.cpp
@ -491,10 +491,33 @@ void SecurityInterfaceObject::setLastValidSequenceNumber(uint16_t deviceAddr, ui
    }
 }
-DataSecurity SecurityInterfaceObject::getGoSecurityFlags(uint16_t index)
+DataSecurity SecurityInterfaceObject::getGroupObjectSecurity(uint16_t index, bool isWrite)
 {
-    // TODO
+    // security table uses same index as group object table
-    // PID_GO_SECURITY_FLAGS
+
    uint8_t data[propertySize(PID_GO_SECURITY_FLAGS)];
    uint8_t count = property(PID_GO_SECURITY_FLAGS)->read(index, 1, data);
    if (count > 0)
    {
        bool conf;
        bool auth;
        if (isWrite)
        {
            // write access flags, draft spec. p.68
            conf = (data[0] & 2) == 2;
            auth = (data[0] & 1) == 1;
        }
        else
        {
            // Read access flags, draft spec. p.68
            conf = (data[0] & 8) == 8;
            auth = (data[0] & 4) == 4;
        }
        return conf ? DataSecurity::authConf : auth ? DataSecurity::auth : DataSecurity::none;
    }
    return DataSecurity::none;
 }
--- a/src/knx/security_interface_object.h
+++ b/src/knx/security_interface_object.h
@ -33,7 +33,7 @@ public:
  uint64_t getLastValidSequenceNumber(uint16_t deviceAddr);
  void setLastValidSequenceNumber(uint16_t deviceAddr, uint64_t seqNum);
-  DataSecurity getGoSecurityFlags(uint16_t index);
+  DataSecurity getGroupObjectSecurity(uint16_t index, bool isWrite);
 private:
  SecureApplicationLayer* _secAppLayer = nullptr;