
system/bt


コミットメタ情報

リビジョンfc2ca9ee6908cf6dcc7e4c6ea142354c99168d03 (tree)
日時2019-08-08 00:09:23
作者Jakub Pawlowski <jpawlowski@goog...>
コミッターVasyl Gello

ログメッセージ

DO NOT MERGE Drop Bluetooth connection with weak encryption key

This patch requires Bluetooth chip to support HCI Read Encryption Key Size
command and will cause Bluetooth to crash if this command is not supported
on a device. Such device should not take this patch and should look for
alternative solution to drop Bluetooth connection with weak encryption key.

Bug: 124301137
Change-Id: Id4b6b4e765628397a79e6806f45c2cd27acebd5b
(cherry picked from commit 027532b3678e3d50ed41270d747df5eb06bc6a8d)

変更サマリ

差分

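--- a/device/src/controller.c
+++ b/device/src/controller.c
@@ -294,6 +294,8 @@ static future_t *start_up(void) {
 &number_of_local_supported_codecs, local_supported_codecs);
 }
 
+ assert(HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands));
+
 readable = true;
 return future_new_immediate(FUTURE_SUCCESS);
 }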
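Review bot: The added `assert(HCI_READ_ENCR_KEY_SIZE_SUPPORTED(supported_commands))` is the only enforcement of the controller capability, and `assert` compiles to nothing when the file is built with `NDEBUG`. In such a build the check disappears silently, and every BR/EDR encryption change would then depend on a command the controller may reject. An explicit runtime test that logs the missing capability and fails start-up would behave the same in debug and release builds. A one-line comment above it, such as `/* Read Encryption Key Size is required by the key-size enforcement in btu_hcif.c */`, would explain why start-up depends on this command. `start_up` begins above this hunk, so how its other failure paths report errors is not visible here.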
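--- a/stack/btu/btu_hcif.c
+++ b/stack/btu/btu_hcif.c
@@ -28,6 +28,7 @@
 #define LOG_TAG "bt_btu_hcif"
 
 #include <assert.h>
+#include <log/log.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -605,6 +606,55 @@ static void btu_hcif_rmt_name_request_comp_evt (UINT8 *p, UINT16 evt_len)
 btm_sec_rmt_name_request_complete (bd_addr, p, status);
 }
 
+const uint8_t MIN_KEY_SIZE = 7;
+bool read_key_send_from_key_refresh = false;
+
+static void read_encryption_key_size_complete_after_key_refresh(
+ uint8_t status, uint16_t handle, uint8_t key_size) {
+ if (status != HCI_SUCCESS) {
+ HCI_TRACE_WARNING("%s: disconnecting, status: 0x%02x", __func__, status);
+ btsnd_hcic_disconnect(handle, HCI_ERR_PEER_USER);
+ return;
+ }
+
+ if (key_size < MIN_KEY_SIZE) {
+ android_errorWriteLog(0x534e4554, "124301137");
+ HCI_TRACE_ERROR(
+ "%s encryption key too short, disconnecting. handle: 0x%02x, key_size: "
+ "%d",
+ __func__, handle, key_size);
+
+ btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY);
+ return;
+ }
+
+ btm_sec_encrypt_change(handle, status, 1 /* enc_enable */);
+}
+
+static void read_encryption_key_size_complete_after_encryption_change(
+ uint8_t status, uint16_t handle, uint8_t key_size) {
+ if (status != HCI_SUCCESS) {
+ HCI_TRACE_WARNING("%s: disconnecting, status: 0x%02x", __func__, status);
+ btsnd_hcic_disconnect(handle, HCI_ERR_PEER_USER);
+ return;
+ }
+
+ if (key_size < MIN_KEY_SIZE) {
+ android_errorWriteLog(0x534e4554, "124301137");
+ HCI_TRACE_ERROR(
+ "%s encryption key too short, disconnecting. handle: 0x%02x, key_size: "
+ "%d",
+ __func__, handle, key_size);
+
+ btsnd_hcic_disconnect(handle, HCI_ERR_HOST_REJECT_SECURITY);
+ return;
+ }
+
+ // good key size - succeed
+ btm_acl_encrypt_change(handle, status, 1 /* enable */);
+ btm_sec_encrypt_change(handle, status, 1 /* enable */);
+}
+
 /*******************************************************************************
 **
 ** Function btu_hcif_encryption_change_evt
@@ -624,8 +674,14 @@ static void btu_hcif_encryption_change_evt (UINT8 *p)
 STREAM_TO_UINT16 (handle, p);
 STREAM_TO_UINT8 (encr_enable, p);
 
- btm_acl_encrypt_change (handle, status, encr_enable);
- btm_sec_encrypt_change (handle, status, encr_enable);
+ if (status != HCI_SUCCESS || encr_enable == 0 ||
+ BTM_IsBleConnection(handle)) {
+ btm_acl_encrypt_change (handle, status, encr_enable);
+ btm_sec_encrypt_change (handle, status, encr_enable);
+ } else {
+ read_key_send_from_key_refresh = false;
+ btsnd_hcic_read_encryption_key_size(handle);
+ }
 }
 
 /*******************************************************************************
@@ -828,6 +884,26 @@ static void btu_hcif_hdl_command_complete (UINT16 opcode, UINT8 *p, UINT16 evt_l
 btm_read_inq_tx_power_complete(p);
 break;
 
+ case HCI_READ_ENCR_KEY_SIZE: {
+ UINT8 *pp = p;
+
+ UINT8 status;
+ UINT16 handle;
+ UINT8 key_size;
+
+ STREAM_TO_UINT8 (status, pp);
+ STREAM_TO_UINT16 (handle, pp);
+ STREAM_TO_UINT8 (key_size, pp);
+
+ if (read_key_send_from_key_refresh) {
+ read_encryption_key_size_complete_after_encryption_change(status, handle, key_size);
+ } else {
+ read_encryption_key_size_complete_after_key_refresh(status, handle, key_size);
+ }
+
+ }
+ break;
+
 #if (BLE_INCLUDED == TRUE)
 /* BLE Commands sComplete*/
 case HCI_BLE_ADD_WHITE_LIST:
@@ -1617,6 +1693,7 @@ static void btu_hcif_enhanced_flush_complete_evt (void)
 ** BLE Events
 ***********************************************/
 #if (defined BLE_INCLUDED) && (BLE_INCLUDED == TRUE)
+
 static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p)
 {
 UINT8 status;
@@ -1628,7 +1705,12 @@ static void btu_hcif_encryption_key_refresh_cmpl_evt (UINT8 *p)
 
 if (status == HCI_SUCCESS) enc_enable = 1;
 
- btm_sec_encrypt_change (handle, status, enc_enable);
+ if (status != HCI_SUCCESS || BTM_IsBleConnection(handle)) {
+ btm_sec_encrypt_change (handle, status, enc_enable);
+ } else {
+ read_key_send_from_key_refresh = true;
+ btsnd_hcic_read_encryption_key_size(handle);
+ }
 }
 
 static void btu_ble_process_adv_pkt (UINT8 *p)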
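Review bot: The dispatch in the new `case HCI_READ_ENCR_KEY_SIZE:` of `btu_hcif_hdl_command_complete` looks inverted. `read_key_send_from_key_refresh` is set to `true` in `btu_hcif_encryption_key_refresh_cmpl_evt` and to `false` in `btu_hcif_encryption_change_evt`, yet a `true` flag calls `read_encryption_key_size_complete_after_encryption_change` and a `false` flag calls the `_after_key_refresh` variant. As written, a link that passes the key-size check after an Encryption Change event reaches only `btm_sec_encrypt_change`, so the `btm_acl_encrypt_change` call the pre-patch code made on that path is skipped; changing the condition to `if (!read_key_send_from_key_refresh) {` restores it. The flag is also a single file-wide `bool` shared by all connections, so if reads for two handles can be outstanding at once, the first completion is classified by the state the second request left behind. Tracking the origin per `handle` would avoid that, and both `MIN_KEY_SIZE` and the flag could be `static`. The two completion handlers do fail closed, disconnecting on a failed read or a key shorter than `MIN_KEY_SIZE`, which is the right default and worth a short header comment on each.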
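--- a/stack/hcic/hcicmds.c
+++ b/stack/hcic/hcicmds.c
@@ -1371,6 +1371,19 @@ BOOLEAN btsnd_hcic_read_rssi (UINT16 handle)
 return (TRUE);
 }
 
+BOOLEAN btsnd_hcic_read_encryption_key_size(UINT16 handle) {
+ BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE);
+ UINT8 *pp = (UINT8 *)(p + 1);
+
+ p->len = HCIC_PREAMBLE_SIZE + 2;
+ p->offset = 0;
+
+ UINT16_TO_STREAM (pp, handle);
+
+ btu_hcif_send_cmd (LOCAL_BR_EDR_CONTROLLER_ID, p);
+ return (TRUE);
+}
+
 BOOLEAN btsnd_hcic_enable_test_mode (void)
 {
 BT_HDR *p = (BT_HDR *)osi_malloc(HCI_CMD_BUF_SIZE);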
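Review bot: `btsnd_hcic_read_encryption_key_size` sets `p->len = HCIC_PREAMBLE_SIZE + 2`, but the only write into the buffer in the visible lines is `UINT16_TO_STREAM (pp, handle)`. The handle therefore lands where the command preamble belongs, and the remaining bytes of the declared length are uninitialised heap from `osi_malloc`. Unless `btu_hcif_send_cmd` fills in the opcode itself (not visible here), the controller never receives a Read Encryption Key Size command, and the key-size check this commit adds cannot complete. Writing the preamble first, `UINT16_TO_STREAM (pp, HCI_READ_ENCR_KEY_SIZE);` then `UINT8_TO_STREAM (pp, 2);` ahead of the handle, would fix both the opcode and the stray bytes. The literal `2` would read better as a named parameter-size constant if the header already defines one for a bare connection handle.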
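--- a/stack/include/btm_ble_api.h
+++ b/stack/include/btm_ble_api.h
@@ -1304,7 +1304,17 @@ extern BOOLEAN BTM_BleVerifySignature (BD_ADDR bd_addr, UINT8 *p_orig,
 extern void BTM_ReadConnectionAddr (BD_ADDR remote_bda, BD_ADDR local_conn_addr,
 tBLE_ADDR_TYPE *p_addr_type);
 
-
+/*******************************************************************************
+ *
+ * Function BTM_IsBleConnection
+ *
+ * Description This function is called to check if the connection handle
+ * for an LE link
+ *
+ * Returns true if connection is LE link, otherwise false.
+ *
+ ******************************************************************************/
+extern bool BTM_IsBleConnection(uint16_t conn_handle);
 
 /*******************************************************************************
 **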
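Review bot: The new prototype `extern bool BTM_IsBleConnection(uint16_t conn_handle);` uses `bool`/`uint16_t`, while the neighbouring declarations in this header use the stack's `BOOLEAN`/`UINT8` typedefs; declaring it with the same types as its definition avoids a conflicting-declaration surprise if those typedefs ever differ. The description is missing a verb and would read better as `This function is called to check if the connection handle is for an LE link`. The definition is not part of the visible sections, and the new caller in `btu_hcif_encryption_change_evt` appears to sit outside the `BLE_INCLUDED` block in `btu_hcif.c`. It is worth confirming the symbol is still built when BLE is disabled, since the key-size gate depends on it to separate LE links from BR/EDR ones.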
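--- a/stack/include/hcimsgs.h
+++ b/stack/include/hcimsgs.h
@@ -607,6 +607,7 @@ extern BOOLEAN btsnd_hcic_write_cur_iac_lap (UINT8 num_cur_iac,
 
 extern BOOLEAN btsnd_hcic_get_link_quality (UINT16 handle); /* Get Link Quality */
 extern BOOLEAN btsnd_hcic_read_rssi (UINT16 handle); /* Read RSSI */
+extern BOOLEAN btsnd_hcic_read_encryption_key_size (UINT16 handle); /* Read encryption key size */
 extern BOOLEAN btsnd_hcic_enable_test_mode (void); /* Enable Device Under Test Mode */
 extern BOOLEAN btsnd_hcic_write_pagescan_type(UINT8 type); /* Write Page Scan Type */
 extern BOOLEAN btsnd_hcic_write_inqscan_type(UINT8 type); /* Write Inquiry Scan Type */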