
Commit


system/bt


Commit MetaInfo

Revisiona59a37963952d6dcb78ef2b9eb2265d40b14e699 (tree)
Zeit2019-05-01 04:53:23
AutorJakub Pawlowski <jpawlowski@goog...>
CommiterGreg Wroblewski

Log Message

DO NOT MERGE Drop Bluetooth connection with weak encryption key

This patch requires the Bluetooth chip to support the HCI Read Encryption Key
Size command and will cause Bluetooth to crash if this command is not supported
on a device. Such devices should not take this patch and should look for an
alternative solution to drop Bluetooth connections with a weak encryption key.

Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 027532b3678e3d50ed41270d747df5eb06bc6a8d)

Ändern Zusammenfassung

Diff

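--- a/device/src/controller.c
+++ b/device/src/controller.c
@@ -252,6 +252,8 @@ static future_t *start_up(void) {
 &number_of_local_supported_codecs, local_supported_codecs);
 }
 
+ assert(HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands));
+
 readable = true;
 return future_new_immediate(FUTURE_SUCCESS);
 }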
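Review bot: The added `assert(HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands));` in `start_up` is the only guard for the new key-size enforcement, and `assert` compiles to nothing when `NDEBUG` is defined. In such a build a controller without the command would pass start-up, and every encrypted BR/EDR link would presumably then be dropped through the `status != HCI_SUCCESS` branch of the new completion handlers in stack/btu/btu_hcif.c. An explicit runtime check that logs the missing command before failing would give the same outcome in every build; at minimum add a comment such as `// Read Encryption Key Size is mandatory: btu_hcif.c rejects links whose key size it cannot read`. The body of `start_up` begins outside the hunk.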
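--- a/stack/btu/btu_hcif.c
+++ b/stack/btu/btu_hcif.c
@@ -28,6 +28,7 @@
 #define LOG_TAG "bt_btu_hcif"
 
 #include <assert.h>
+#include <log/log.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -601,6 +602,55 @@ static void btu_hcif_rmt_name_request_comp_evt (UINT8 *p, UINT16 evt_len)
 btm_sec_rmt_name_request_complete (bd_addr, p, status);
 }
 
+const uint8_t MIN_KEY_SIZE = 7;
+bool read_key_send_from_key_refresh = false;
+
+static void read_encryption_key_size_complete_after_key_refresh(
+ uint8_t status, uint16_t handle, uint8_t key_size) {
+ if (status != HCI_SUCCESS) {
+ HCI_TRACE_WARNING("%s: disconnecting, status: 0x%02x", __func__, status);
+ btsnd_hcic_disconnect(handle, HCI_ERR_PEER_USER);
+ return;
+ }
+
+ if (key_size < MIN_KEY_SIZE) {
+ android_errorWriteLog(0x534e4554, "124301137");
+ HCI_TRACE_ERROR(
+ "%s encryption key too short, disconnecting. handle: 0x%02x, key_size: "
+ "%d",
+ __func__, handle, key_size);
+
+ btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY);
+ return;
+ }
+
+ btm_sec_encrypt_change(handle, status, 1 /* enc_enable */);
+}
+
+static void read_encryption_key_size_complete_after_encryption_change(
+ uint8_t status, uint16_t handle, uint8_t key_size) {
+ if (status != HCI_SUCCESS) {
+ HCI_TRACE_WARNING("%s: disconnecting, status: 0x%02x", __func__, status);
+ btsnd_hcic_disconnect(handle, HCI_ERR_PEER_USER);
+ return;
+ }
+
+ if (key_size < MIN_KEY_SIZE) {
+ android_errorWriteLog(0x534e4554, "124301137");
+ HCI_TRACE_ERROR(
+ "%s encryption key too short, disconnecting. handle: 0x%02x, key_size: "
+ "%d",
+ __func__, handle, key_size);
+
+ btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY);
+ return;
+ }
+
+ // good key size - succeed
+ btm_acl_encrypt_change(handle, status, 1 /* enable */);
+ btm_sec_encrypt_change(handle, status, 1 /* enable */);
+}
+
 /*******************************************************************************
 **
 ** Function btu_hcif_encryption_change_evt
@@ -620,8 +670,14 @@ static void btu_hcif_encryption_change_evt (UINT8 *p)
 STREAM_TO_UINT16 (handle, p);
 STREAM_TO_UINT8 (encr_enable, p);
 
- btm_acl_encrypt_change (handle, status, encr_enable);
- btm_sec_encrypt_change (handle, status, encr_enable);
+ if (status != HCI_SUCCESS || encr_enable == 0 ||
+ BTM_IsBleConnection(handle)) {
+ btm_acl_encrypt_change (handle, status, encr_enable);
+ btm_sec_encrypt_change (handle, status, encr_enable);
+ } else {
+ read_key_send_from_key_refresh = false;
+ btsnd_hcic_read_encryption_key_size(handle);
+ }
 }
 
 /*******************************************************************************
@@ -824,6 +880,26 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
 btm_read_inq_tx_power_complete(p);
 break;
 
+ case HCI_READ_ENCR_KEY_SIZE: {
+ UINT8 *pp = p;
+
+ UINT8 status;
+ UINT16 handle;
+ UINT8 key_size;
+
+ STREAM_TO_UINT8 (status, pp);
+ STREAM_TO_UINT16 (handle, pp);
+ STREAM_TO_UINT8 (key_size, pp);
+
+ if (read_key_send_from_key_refresh) {
+ read_encryption_key_size_complete_after_encryption_change(status, handle, key_size);
+ } else {
+ read_encryption_key_size_complete_after_key_refresh(status, handle, key_size);
+ }
+
+ }
+ break;
+
 #if (BLE_INCLUDED == TRUE)
 /* BLE Commands sComplete*/
 case HCI_BLE_ADD_WHITE_LIST:
@@ -1595,6 +1671,7 @@ static void btu_hcif_enhanced_flush_complete_evt (void)
 ** BLE Events
 ***********************************************/
 #if (defined BLE_INCLUDED) && (BLE_INCLUDED == TRUE)
+
 static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p)
 {
 UINT8 status;
@@ -1606,7 +1683,12 @@ static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p)
 
 if (status == HCI_SUCCESS) enc_enable = 1;
 
- btm_sec_encrypt_change (handle, status, enc_enable);
+ if (status != HCI_SUCCESS || BTM_IsBleConnection(handle)) {
+ btm_sec_encrypt_change (handle, status, enc_enable);
+ } else {
+ read_key_send_from_key_refresh = true;
+ btsnd_hcic_read_encryption_key_size(handle);
+ }
 }
 
 static void btu_ble_process_adv_pkt (UINT8 *p)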
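Review bot: The dispatch in the `HCI_READ_ENCR_KEY_SIZE` case of `btu_hcif_hdl_command_complete` looks inverted: a true `read_key_send_from_key_refresh` selects `read_encryption_key_size_complete_after_encryption_change` and a false one selects the `_after_key_refresh` variant. The minimum key size is still enforced on both paths, but a BR/EDR encryption-change event with an acceptable key now reaches only `btm_sec_encrypt_change` and skips the `btm_acl_encrypt_change` call the old code made, while a key refresh gains one; the fix is to swap the two calls so that the `if (read_key_send_from_key_refresh)` branch calls `read_encryption_key_size_complete_after_key_refresh(status, handle, key_size);`. The single file-scope flag is also shared by all links, so two reads outstanding on different handles can complete through the wrong handler; recording the origin per `handle` would avoid that, and both `MIN_KEY_SIZE` and the flag should be `static`. The new case also reads four bytes from `p` without consulting `evt_len`, and the enclosing function starts and ends outside the hunk.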
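--- a/stack/hcic/hcicmds.c
+++ b/stack/hcic/hcicmds.c
@@ -1356,6 +1356,19 @@ BOOLEAN btsnd_hcic_read_rssi (UINT16 handle)
 return (TRUE);
 }
 
+BOOLEAN btsnd_hcic_read_encryption_key_size(UINT16 handle) {
+ BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE);
+ UINT8 *pp = (UINT8 *)(p + 1);
+
+ p->len = HCIC_PREAMBLE_SIZE + 2;
+ p->offset = 0;
+
+ UINT16_TO_STREAM (pp, handle);
+
+ btu_hcif_send_cmd (LOCAL_BR_EDR_CONTROLLER_ID, p);
+ return (TRUE);
+}
+
 BOOLEAN btsnd_hcic_enable_test_mode (void)
 {
 BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE);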
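Review bot: `btsnd_hcic_read_encryption_key_size` sets `p->len = HCIC_PREAMBLE_SIZE + 2` but, as shown, writes only the connection handle into the buffer, so the opcode and parameter-length bytes of the command preamble are never filled in. The handle should be preceded by `UINT16_TO_STREAM (pp, HCI_READ_ENCR_KEY_SIZE);` and `UINT8_TO_STREAM (pp, 2);`. Without them the controller would presumably receive a malformed command, and because stack/btu/btu_hcif.c now defers the encryption-change notification until this command completes, the link could be left waiting or be dropped instead of having its key size checked. A named constant for the two-byte parameter size would also read better than the literal `2`.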
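--- a/stack/include/btm_ble_api.h
+++ b/stack/include/btm_ble_api.h
@@ -1304,7 +1304,17 @@ extern BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig,
 extern void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr,
 tBLE_ADDR_TYPE *p_addr_type);
 
-
+/*******************************************************************************
+ *
+ * Function BTM_IsBleConnection
+ *
+ * Description This function is called to check if the connection handle
+ * for an LE link
+ *
+ * Returns true if connection is LE link, otherwise false.
+ *
+ ******************************************************************************/
+extern bool BTM_IsBleConnection(uint16_t conn_handle);
 
 /*******************************************************************************
 **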
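Review bot: The description of `BTM_IsBleConnection` is missing a verb and should read `This function is called to check if the connection handle is for an LE link`. The prototype uses `bool` and `uint16_t` while the neighbouring declarations in this header use `BOOLEAN` and `UINT16`, and its banner uses ` *` where the next block uses `**`; matching the file's conventions would keep the header consistent. One of the new callers, `btu_hcif_encryption_change_evt` in stack/btu/btu_hcif.c, does not appear to sit inside a `BLE_INCLUDED` guard, so it is worth confirming that the definition, which is not part of this change, is built when BLE is disabled.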
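--- a/stack/include/hcimsgs.h
+++ b/stack/include/hcimsgs.h
@@ -603,6 +603,7 @@ extern BOOLEAN btsnd_hcic_write_cur_iac_lap (UINT8 num_cur_iac,
 
 extern BOOLEAN btsnd_hcic_get_link_quality (UINT16 handle); /* Get Link Quality */
 extern BOOLEAN btsnd_hcic_read_rssi (UINT16 handle); /* Read RSSI */
+extern BOOLEAN btsnd_hcic_read_encryption_key_size (UINT16 handle); /* Read encryption key size */
 extern BOOLEAN btsnd_hcic_enable_test_mode (void); /* Enable Device Under Test Mode */
 extern BOOLEAN btsnd_hcic_write_pagescan_type(UINT8 type); /* Write Page Scan Type */
 extern BOOLEAN btsnd_hcic_write_inqscan_type(UINT8 type); /* Write Inquiry Scan Type */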