system/bt
Revisão | 7561a388a5b560e8feecc13169b830e0fbb86d5e (tree) |
---|---|
Hora | 2019-06-06 22:05:13 |
Autor | Jakub Pawlowski <jpawlowski@goog...> |
Commiter | Kevin F. Haggerty |
DO NOT MERGE Don't persist bonds using sample LTK
Test: compilation, manual testing
Bug: 128843052
Change-Id: I52fd484d42bf87e96dbc9e6456090f231ed48111
(cherry picked from commit c0fb2a25f92848f4d78f72d31e9705e29e6f5ca8)
@@ -35,6 +35,7 @@ | ||
35 | 35 | #include <alloca.h> |
36 | 36 | #include <assert.h> |
37 | 37 | #include <ctype.h> |
38 | +#include <log/log.h> | |
38 | 39 | #include <stdlib.h> |
39 | 40 | #include <string.h> |
40 | 41 | #include <time.h> |
@@ -49,6 +50,7 @@ | ||
49 | 50 | #include "osi/include/allocator.h" |
50 | 51 | #include "osi/include/compat.h" |
51 | 52 | #include "osi/include/config.h" |
53 | +#include "osi/include/list.h" | |
52 | 54 | #include "osi/include/log.h" |
53 | 55 | #include "osi/include/osi.h" |
54 | 56 |
@@ -840,6 +842,47 @@ bt_status_t btif_storage_remove_bonded_device(bt_bdaddr_t *remote_bd_addr) | ||
840 | 842 | |
841 | 843 | } |
842 | 844 | |
845 | +/* Some devices hardcode sample LTK value from spec, instead of generating one. | |
846 | + * Treat such devices as insecure, and remove such bonds when bluetooth restarts. | |
847 | + * Removing them after disconnection is handled separately. | |
848 | + * | |
849 | + * We still allow such devices to bond in order to give the user a chance to update | |
850 | + * firmware. | |
851 | + */ | |
852 | +static void remove_devices_with_sample_ltk() { | |
853 | + list_t *bad_ltk = list_new(osi_free); | |
854 | + | |
855 | + for (const btif_config_section_iter_t *iter = btif_config_section_begin(); iter != btif_config_section_end(); iter = btif_config_section_next(iter)) { | |
856 | + const char *name = btif_config_section_name(iter); | |
857 | + if (!string_is_bdaddr(name)) { | |
858 | + continue; | |
859 | + } | |
860 | + | |
861 | + bt_bdaddr_t *bda = osi_malloc(sizeof(bt_bdaddr_t)); | |
862 | + string_to_bdaddr(name, bda); | |
863 | + | |
864 | + tBTA_LE_KEY_VALUE key; | |
865 | + memset(&key, 0, sizeof(key)); | |
866 | + | |
867 | + if (btif_storage_get_ble_bonding_key(bda, BTIF_DM_LE_KEY_PENC, (char*)&key, sizeof(tBTM_LE_PENC_KEYS)) == | |
868 | + BT_STATUS_SUCCESS) { | |
869 | + if (is_sample_ltk(key.penc_key.ltk)) { | |
870 | + list_append(bad_ltk, (void*)bda); | |
871 | + } | |
872 | + } | |
873 | + } | |
874 | + | |
875 | + for (list_node_t *sn = list_begin(bad_ltk); sn != list_end(bad_ltk); sn = list_next(sn)) { | |
876 | + android_errorWriteLog(0x534e4554, "128437297"); | |
877 | + BTIF_TRACE_ERROR("%s: removing bond to device using test TLK", __func__); | |
878 | + | |
879 | + bt_bdaddr_t *bda = (bt_bdaddr_t*)list_node(sn); | |
880 | + btif_storage_remove_bonded_device(bda); | |
881 | + } | |
882 | + | |
883 | + list_free(bad_ltk); | |
884 | +} | |
885 | + | |
843 | 886 | /******************************************************************************* |
844 | 887 | ** |
845 | 888 | ** Function btif_storage_is_device_bonded |
@@ -887,6 +930,8 @@ bt_status_t btif_storage_load_bonded_devices(void) | ||
887 | 930 | bt_uuid_t local_uuids[BT_MAX_NUM_UUIDS]; |
888 | 931 | bt_uuid_t remote_uuids[BT_MAX_NUM_UUIDS]; |
889 | 932 | |
933 | + remove_devices_with_sample_ltk(); | |
934 | + | |
890 | 935 | btif_in_fetch_bonded_devices(&bonded_devices, 1); |
891 | 936 | |
892 | 937 | /* Now send the adapter_properties_cb with all adapter_properties */ |
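Review bot: In remove_devices_with_sample_ltk(), `bda` is allocated with osi_malloc() for every address-named config section but is handed to the `bad_ltk` list (whose free callback is osi_free) only when the stored key matches, so every bonded device with no PENC key or with an ordinary LTK leaks one bt_bdaddr_t each time bonded devices are loaded. Free it on the non-matching path, e.g. `if (btif_storage_get_ble_bonding_key(...) == BT_STATUS_SUCCESS && is_sample_ltk(key.penc_key.ltk)) list_append(bad_ltk, bda); else osi_free(bda);`, or parse into a stack bt_bdaddr_t and allocate only for matches. The trace string says "test TLK" where the comment and the disconnect-path message say "sample LTK"; using the same wording in both makes the two log lines easier to correlate when triaging the 0x534e4554 events.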
@@ -24,6 +24,7 @@ | ||
24 | 24 | |
25 | 25 | #define LOG_TAG "bt_btm_sec" |
26 | 26 | |
27 | +#include <log/log.h> | |
27 | 28 | #include <stdarg.h> |
28 | 29 | #include <string.h> |
29 | 30 |
@@ -47,6 +48,9 @@ | ||
47 | 48 | #include "gatt_int.h" |
48 | 49 | #endif |
49 | 50 | |
51 | +#include "bta/sys/bta_sys.h" | |
52 | +#include "bta/dm/bta_dm_int.h" | |
53 | + | |
50 | 54 | #define BTM_SEC_MAX_COLLISION_DELAY (5000) |
51 | 55 | |
52 | 56 | extern fixed_queue_t *btu_general_alarm_queue; |
@@ -4898,6 +4902,19 @@ void btm_sec_disconnected (UINT16 handle, UINT8 reason) | ||
4898 | 4902 | | BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED); |
4899 | 4903 | } |
4900 | 4904 | |
4905 | + /* Some devices hardcode sample LTK value from spec, instead of generating | |
4906 | + * one. Treat such devices as insecure, and remove such bonds on | |
4907 | + * disconnection. | |
4908 | + */ | |
4909 | + if (is_sample_ltk(p_dev_rec->ble.keys.pltk)) { | |
4910 | + android_errorWriteLog(0x534e4554, "128437297"); | |
4911 | + BTM_TRACE_ERROR("%s: removing bond to device that used sample LTK", __func__); | |
4912 | + | |
4913 | + tBTA_DM_MSG p_data; | |
4914 | + memcpy(p_data.remove_dev.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN); | |
4915 | + bta_dm_remove_device(&p_data); | |
4916 | + } | |
4917 | + | |
4901 | 4918 | #if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE |
4902 | 4919 | if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH) |
4903 | 4920 | { |
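Review bot: `tBTA_DM_MSG p_data;` in the added block is left uninitialized and only `remove_dev.bd_addr` is filled in before it is passed to bta_dm_remove_device(), so any other field that callee reads (its body is not shown here) would be indeterminate stack data; adding `memset(&p_data, 0, sizeof(p_data));` before the memcpy closes that off. The code following the block keeps dereferencing `p_dev_rec` (`p_dev_rec->sec_state` on the next lines), so it is worth confirming that removing the device at this point cannot clear or release that record before btm_sec_disconnected() is finished with it. The block also reads `p_dev_rec->ble.keys.pltk` just above the `#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE` guard; if the `ble` member is itself conditional on BLE_INCLUDED, the check belongs inside that guard. btm_sec_disconnected() begins and ends outside the hunk.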
@@ -22,6 +22,7 @@ | ||
22 | 22 | #include <stdint.h> |
23 | 23 | #include <stdio.h> |
24 | 24 | #include <stdbool.h> |
25 | +#include <string.h> | |
25 | 26 | |
26 | 27 | #ifndef FALSE |
27 | 28 | # define FALSE false |
@@ -795,4 +796,13 @@ static inline void bdsetany(BD_ADDR a) | ||
795 | 796 | { |
796 | 797 | bdcpy(a, bd_addr_any); |
797 | 798 | } |
799 | + | |
800 | +static inline bool is_sample_ltk(const BT_OCTET16 ltk) { | |
801 | + /* Sample LTK from BT Spec 5.1 | Vol 6, Part C 1 | |
802 | + * 0x4C68384139F574D836BCF34E9DFB01BF */ | |
803 | + const uint8_t SAMPLE_LTK[] = {0xbf, 0x01, 0xfb, 0x9d, 0x4e, 0xf3, 0xbc, 0x36, | |
804 | + 0xd8, 0x74, 0xf5, 0x39, 0x41, 0x38, 0x68, 0x4c}; | |
805 | + return memcmp(ltk, SAMPLE_LTK, BT_OCTET16_LEN) == 0; | |
806 | +} | |
807 | + | |
798 | 808 | #endif |
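Review bot: The comment in is_sample_ltk() quotes the key as 0x4C68...01BF while the array lists the same octets in the reverse order, and nothing explains the reversal. A short comment such as `/* octets reversed relative to the spec text, to match how ltk is stored */` would keep a later reader from "correcting" it, assuming that is indeed the reason. I would also declare the table as `static const uint8_t SAMPLE_LTK[BT_OCTET16_LEN]`, which ties its size to the length given to memcmp() and avoids rebuilding the array on every call from each translation unit that includes this header.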