2024-07-13 14:51:09 -04:00
|
|
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
2024-07-04 09:17:52 -04:00
|
|
|
From: Brian Delwiche <delwiche@google.com>
|
|
|
|
Date: Mon, 22 Apr 2024 21:14:56 +0000
|
2024-07-13 14:51:09 -04:00
|
|
|
Subject: [PATCH] Fix an authentication bypass bug in SMP
|
2024-07-04 09:17:52 -04:00
|
|
|
|
|
|
|
When pairing with BLE legacy pairing initiated
|
|
|
|
from remote, authentication can be bypassed.
|
|
|
|
This change fixes it.
|
|
|
|
|
|
|
|
Bug: 251514170
|
|
|
|
Test: m com.android.btservices
|
|
|
|
Test: manual run against PoC
|
|
|
|
Ignore-AOSP-First: security
|
|
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8a3dbadc71428a30b172a74343be08498c656747)
|
|
|
|
Merged-In: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
|
|
|
|
Change-Id: I66b1f9a80060f48a604001829db8ea7c96c7b7f8
|
|
|
|
---
|
|
|
|
stack/smp/smp_act.c | 11 +++++++++++
|
|
|
|
stack/smp/smp_int.h | 1 +
|
|
|
|
2 files changed, 12 insertions(+)
|
|
|
|
|
|
|
|
diff --git a/stack/smp/smp_act.c b/stack/smp/smp_act.c
|
2024-07-13 14:51:09 -04:00
|
|
|
index 7491d0972..925bcd832 100644
|
2024-07-04 09:17:52 -04:00
|
|
|
--- a/stack/smp/smp_act.c
|
|
|
|
+++ b/stack/smp/smp_act.c
|
|
|
|
@@ -331,6 +331,7 @@ void smp_send_confirm(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
|
|
|
|
{
|
|
|
|
SMP_TRACE_DEBUG("%s", __func__);
|
|
|
|
smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);
|
|
|
|
+ p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*******************************************************************************
|
2024-07-13 14:51:09 -04:00
|
|
|
@@ -720,6 +721,16 @@ void smp_proc_init(tSMP_CB *p_cb, tSMP_INT_DATA *p_data)
|
2024-07-04 09:17:52 -04:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
+ if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&
|
|
|
|
+ (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&
|
|
|
|
+ !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT))
|
|
|
|
+ {
|
|
|
|
+ // in legacy pairing, the peer should send its rand after
|
|
|
|
+ // we send our confirm
|
|
|
|
+ smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &reason);
|
|
|
|
+ return;
|
|
|
|
+ }
|
|
|
|
+
|
|
|
|
/* save the SRand for comparison */
|
|
|
|
STREAM_TO_ARRAY(p_cb->rrand, p, BT_OCTET16_LEN);
|
|
|
|
}
|
|
|
|
diff --git a/stack/smp/smp_int.h b/stack/smp/smp_int.h
|
2024-07-13 14:51:09 -04:00
|
|
|
index bfac772b9..ab7676861 100644
|
2024-07-04 09:17:52 -04:00
|
|
|
--- a/stack/smp/smp_int.h
|
|
|
|
+++ b/stack/smp/smp_int.h
|
|
|
|
@@ -251,6 +251,7 @@ typedef union
|
|
|
|
#define SMP_PAIR_FLAG_HAVE_PEER_PUBL_KEY (1 << 6) /* used on slave to resolve race condition */
|
|
|
|
#define SMP_PAIR_FLAG_HAVE_PEER_COMM (1 << 7) /* used to resolve race condition */
|
|
|
|
#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY (1 << 8) /* used on slave to resolve race condition */
|
|
|
|
+#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)
|
|
|
|
|
|
|
|
/* check if authentication requirement need MITM protection */
|
|
|
|
#define SMP_NO_MITM_REQUIRED(x) (((x) & SMP_AUTH_YN_BIT) == 0)
|