system/bt
Revision | a59a37963952d6dcb78ef2b9eb2265d40b14e699 (tree) |
---|---|
Zeit | 2019-05-01 04:53:23 |
Autor | Jakub Pawlowski <jpawlowski@goog...> |
Commiter | Greg Wroblewski |
DO NOT MERGE Drop Bluetooth connection with weak encryption key
This patch requires the Bluetooth chip to support the HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such a device should not take this patch and should look for an
alternative solution to drop Bluetooth connections with a weak encryption key.
Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 027532b3678e3d50ed41270d747df5eb06bc6a8d)
@@ -252,6 +252,8 @@ static future_t *start_up(void) { | ||
252 | 252 | &number_of_local_supported_codecs, local_supported_codecs); |
253 | 253 | } |
254 | 254 | |
255 | + assert(HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands)); | |
256 | + | |
255 | 257 | readable = true; |
256 | 258 | return future_new_immediate(FUTURE_SUCCESS); |
257 | 259 | } |
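Review bot: The added `assert(HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands));` at the end of start_up ties a security precondition to a debug facility, so in any build that defines NDEBUG the check compiles away (whether this build does is not visible here). An explicit test keeps the behaviour the same in every build, for example `if (!HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands)) abort();`, preceded by a message through the file's existing logging macro. A one-line comment such as `/* Encryption key size enforcement needs HCI Read Encryption Key Size. */` would tell the next reader why the stack refuses to start on such controllers. start_up begins outside this hunk.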
@@ -28,6 +28,7 @@ | ||
28 | 28 | #define LOG_TAG "bt_btu_hcif" |
29 | 29 | |
30 | 30 | #include <assert.h> |
31 | +#include <log/log.h> | |
31 | 32 | #include <stdio.h> |
32 | 33 | #include <stdlib.h> |
33 | 34 | #include <string.h> |
@@ -601,6 +602,55 @@ static void btu_hcif_rmt_name_request_comp_evt (UINT8 *p, UINT16 evt_len) | ||
601 | 602 | btm_sec_rmt_name_request_complete (bd_addr, p, status); |
602 | 603 | } |
603 | 604 | |
605 | +const uint8_t MIN_KEY_SIZE = 7; | |
606 | +bool read_key_send_from_key_refresh = false; | |
607 | + | |
608 | +static void read_encryption_key_size_complete_after_key_refresh( | |
609 | + uint8_t status, uint16_t handle, uint8_t key_size) { | |
610 | + if (status != HCI_SUCCESS) { | |
611 | + HCI_TRACE_WARNING("%s: disconnecting, status: 0x%02x", __func__, status); | |
612 | + btsnd_hcic_disconnect(handle, HCI_ERR_PEER_USER); | |
613 | + return; | |
614 | + } | |
615 | + | |
616 | + if (key_size < MIN_KEY_SIZE) { | |
617 | + android_errorWriteLog(0x534e4554, "124301137"); | |
618 | + HCI_TRACE_ERROR( | |
619 | + "%s encryption key too short, disconnecting. handle: 0x%02x, key_size: " | |
620 | + "%d", | |
621 | + __func__, handle, key_size); | |
622 | + | |
623 | + btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY); | |
624 | + return; | |
625 | + } | |
626 | + | |
627 | + btm_sec_encrypt_change(handle, status, 1 /* enc_enable */); | |
628 | +} | |
629 | + | |
630 | +static void read_encryption_key_size_complete_after_encryption_change( | |
631 | + uint8_t status, uint16_t handle, uint8_t key_size) { | |
632 | + if (status != HCI_SUCCESS) { | |
633 | + HCI_TRACE_WARNING("%s: disconnecting, status: 0x%02x", __func__, status); | |
634 | + btsnd_hcic_disconnect(handle, HCI_ERR_PEER_USER); | |
635 | + return; | |
636 | + } | |
637 | + | |
638 | + if (key_size < MIN_KEY_SIZE) { | |
639 | + android_errorWriteLog(0x534e4554, "124301137"); | |
640 | + HCI_TRACE_ERROR( | |
641 | + "%s encryption key too short, disconnecting. handle: 0x%02x, key_size: " | |
642 | + "%d", | |
643 | + __func__, handle, key_size); | |
644 | + | |
645 | + btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY); | |
646 | + return; | |
647 | + } | |
648 | + | |
649 | + // good key size - succeed | |
650 | + btm_acl_encrypt_change(handle, status, 1 /* enable */); | |
651 | + btm_sec_encrypt_change(handle, status, 1 /* enable */); | |
652 | +} | |
653 | + | |
604 | 654 | /******************************************************************************* |
605 | 655 | ** |
606 | 656 | ** Function btu_hcif_encryption_change_evt |
@@ -620,8 +670,14 @@ static void btu_hcif_encryption_change_evt (UINT8 *p) | ||
620 | 670 | STREAM_TO_UINT16 (handle, p); |
621 | 671 | STREAM_TO_UINT8 (encr_enable, p); |
622 | 672 | |
623 | - btm_acl_encrypt_change (handle, status, encr_enable); | |
624 | - btm_sec_encrypt_change (handle, status, encr_enable); | |
673 | + if (status != HCI_SUCCESS || encr_enable == 0 || | |
674 | + BTM_IsBleConnection(handle)) { | |
675 | + btm_acl_encrypt_change (handle, status, encr_enable); | |
676 | + btm_sec_encrypt_change (handle, status, encr_enable); | |
677 | + } else { | |
678 | + read_key_send_from_key_refresh = false; | |
679 | + btsnd_hcic_read_encryption_key_size(handle); | |
680 | + } | |
625 | 681 | } |
626 | 682 | |
627 | 683 | /******************************************************************************* |
@@ -824,6 +880,26 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l | ||
824 | 880 | btm_read_inq_tx_power_complete(p); |
825 | 881 | break; |
826 | 882 | |
883 | + case HCI_READ_ENCR_KEY_SIZE: { | |
884 | + UINT8 *pp = p; | |
885 | + | |
886 | + UINT8 status; | |
887 | + UINT16 handle; | |
888 | + UINT8 key_size; | |
889 | + | |
890 | + STREAM_TO_UINT8 (status, pp); | |
891 | + STREAM_TO_UINT16 (handle, pp); | |
892 | + STREAM_TO_UINT8 (key_size, pp); | |
893 | + | |
894 | + if (read_key_send_from_key_refresh) { | |
895 | + read_encryption_key_size_complete_after_encryption_change(status, handle, key_size); | |
896 | + } else { | |
897 | + read_encryption_key_size_complete_after_key_refresh(status, handle, key_size); | |
898 | + } | |
899 | + | |
900 | + } | |
901 | + break; | |
902 | + | |
827 | 903 | #if (BLE_INCLUDED == TRUE) |
828 | 904 | /* BLE Commands sComplete*/ |
829 | 905 | case HCI_BLE_ADD_WHITE_LIST: |
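Review bot: The dispatch in the new `case HCI_READ_ENCR_KEY_SIZE:` looks inverted: when `read_key_send_from_key_refresh` is true it calls `read_encryption_key_size_complete_after_encryption_change`, and otherwise the `_after_key_refresh` variant, while the flag is set to true in btu_hcif_encryption_key_refresh_cmpl_evt and to false in btu_hcif_encryption_change_evt. As written, a successful encryption change on a non-LE link no longer reaches `btm_acl_encrypt_change`, which the removed lines called unconditionally; swapping the two calls restores that. The flag is also a single file-scope variable, so if two key-size reads can be outstanding on different handles they would share one value, and tracking the origin per handle would avoid that. The three `STREAM_TO_*` reads are not preceded by a check of `evt_len`. The enclosing function starts and ends outside this hunk.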
@@ -1595,6 +1671,7 @@ static void btu_hcif_enhanced_flush_complete_evt (void) | ||
1595 | 1671 | ** BLE Events |
1596 | 1672 | ***********************************************/ |
1597 | 1673 | #if (defined BLE_INCLUDED) && (BLE_INCLUDED == TRUE) |
1674 | + | |
1598 | 1675 | static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p) |
1599 | 1676 | { |
1600 | 1677 | UINT8 status; |
@@ -1606,7 +1683,12 @@ static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p) | ||
1606 | 1683 | |
1607 | 1684 | if (status == HCI_SUCCESS) enc_enable = 1; |
1608 | 1685 | |
1609 | - btm_sec_encrypt_change (handle, status, enc_enable); | |
1686 | + if (status != HCI_SUCCESS || BTM_IsBleConnection(handle)) { | |
1687 | + btm_sec_encrypt_change (handle, status, enc_enable); | |
1688 | + } else { | |
1689 | + read_key_send_from_key_refresh = true; | |
1690 | + btsnd_hcic_read_encryption_key_size(handle); | |
1691 | + } | |
1610 | 1692 | } |
1611 | 1693 | |
1612 | 1694 | static void btu_ble_process_adv_pkt (UINT8 *p) |
@@ -1356,6 +1356,19 @@ BOOLEAN btsnd_hcic_read_rssi (UINT16 handle) | ||
1356 | 1356 | return (TRUE); |
1357 | 1357 | } |
1358 | 1358 | |
1359 | +BOOLEAN btsnd_hcic_read_encryption_key_size(UINT16 handle) { | |
1360 | + BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE); | |
1361 | + UINT8 *pp = (UINT8 *)(p + 1); | |
1362 | + | |
1363 | + p->len = HCIC_PREAMBLE_SIZE + 2; | |
1364 | + p->offset = 0; | |
1365 | + | |
1366 | + UINT16_TO_STREAM (pp, handle); | |
1367 | + | |
1368 | + btu_hcif_send_cmd (LOCAL_BR_EDR_CONTROLLER_ID, p); | |
1369 | + return (TRUE); | |
1370 | +} | |
1371 | + | |
1359 | 1372 | BOOLEAN btsnd_hcic_enable_test_mode (void) |
1360 | 1373 | { |
1361 | 1374 | BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE); |
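Review bot: `btsnd_hcic_read_encryption_key_size` sets `p->len = HCIC_PREAMBLE_SIZE + 2` but only the handle is written to the buffer, so the opcode and parameter-length bytes that the preamble accounts for are never filled in within the visible lines. Unless `btu_hcif_send_cmd` adds them itself (it is not shown on this page), the controller would get a malformed command and the key-size check would never receive an answer. I would expect `UINT16_TO_STREAM (pp, HCI_READ_ENCR_KEY_SIZE);` and `UINT8_TO_STREAM (pp, 2);` ahead of `UINT16_TO_STREAM (pp, handle);`. The function also always returns TRUE, and neither caller shown on this page looks at the result.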
@@ -1304,7 +1304,17 @@ extern BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig, | ||
1304 | 1304 | extern void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr, |
1305 | 1305 | tBLE_ADDR_TYPE *p_addr_type); |
1306 | 1306 | |
1307 | - | |
1307 | +/******************************************************************************* | |
1308 | + * | |
1309 | + * Function BTM_IsBleConnection | |
1310 | + * | |
1311 | + * Description This function is called to check if the connection handle | |
1312 | + * for an LE link | |
1313 | + * | |
1314 | + * Returns true if connection is LE link, otherwise false. | |
1315 | + * | |
1316 | + ******************************************************************************/ | |
1317 | +extern bool BTM_IsBleConnection(uint16_t conn_handle); | |
1308 | 1318 | |
1309 | 1319 | /******************************************************************************* |
1310 | 1320 | ** |
@@ -603,6 +603,7 @@ extern BOOLEAN btsnd_hcic_write_cur_iac_lap (UINT8 num_cur_iac, | ||
603 | 603 | |
604 | 604 | extern BOOLEAN btsnd_hcic_get_link_quality (UINT16 handle); /* Get Link Quality */ |
605 | 605 | extern BOOLEAN btsnd_hcic_read_rssi (UINT16 handle); /* Read RSSI */ |
606 | +extern BOOLEAN btsnd_hcic_read_encryption_key_size (UINT16 handle); /* Read encryption key size */ | |
606 | 607 | extern BOOLEAN btsnd_hcic_enable_test_mode (void); /* Enable Device Under Test Mode */ |
607 | 608 | extern BOOLEAN btsnd_hcic_write_pagescan_type(UINT8 type); /* Write Page Scan Type */ |
608 | 609 | extern BOOLEAN btsnd_hcic_write_inqscan_type(UINT8 type); /* Write Inquiry Scan Type */ |