mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-13 18:04:35 -05:00
2e83c91a81
Signed-off-by: Tavi <tavi@divested.dev>
61 lines
2.7 KiB
Diff
61 lines
2.7 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Brian Delwiche <delwiche@google.com>
|
|
Date: Fri, 31 May 2024 21:46:17 +0000
|
|
Subject: [PATCH] Disallow connect with Secure Connections downgrade
|
|
|
|
As a guard against the BLUFFS attack, check security parameters of
|
|
incoming connections against cached values and disallow connection if
|
|
these parameters are downgraded or changed from their cached values.
|
|
|
|
This CL adds the connection-time check for Secure Connections mode.
|
|
|
|
Bug: 314331379
|
|
Test: m libbluetooth
|
|
Test: manual
|
|
|
|
To test this CL, please ensure that BR/EDR initial connections and reconnections (after cycling remote devices, cycling Bluetooth, restarting the phone, etc.) work against remote devices which both support and do not support Secure Connections mode, and with all supported bonding types. Basic validation of LE bonding functionality should be done as well.
|
|
|
|
Tag: #security
|
|
Ignore-AOSP-First: Security
|
|
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:4da47591b9530849123c238b2747f5304058db2d)
|
|
Merged-In: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
|
|
Change-Id: I7b9dd1a18f1c04df88aabe89d4790fef9112da7e
|
|
---
|
|
stack/btm/btm_sec.cc | 16 ++++++++++++++++
|
|
1 file changed, 16 insertions(+)
|
|
|
|
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc
|
|
index 835a5d7c5..d5d698c27 100644
|
|
--- a/stack/btm/btm_sec.cc
|
|
+++ b/stack/btm/btm_sec.cc
|
|
@@ -4751,6 +4751,13 @@ void btm_sec_link_key_notification(const RawAddress& p_bda,
|
|
}
|
|
}
|
|
|
|
+ if (p_dev_rec->is_bond_type_persistent() &&
|
|
+ (p_dev_rec->is_device_type_br_edr() ||
|
|
+ p_dev_rec->is_device_type_dual_mode())) {
|
|
+ btm_sec_store_device_sc_support(p_dev_rec->get_br_edr_hci_handle(),
|
|
+ p_dev_rec->SupportsSecureConnections());
|
|
+ }
|
|
+
|
|
/* If name is not known at this point delay calling callback until the name is
|
|
*/
|
|
/* resolved. Unless it is a HID Device and we really need to send all link
|
|
@@ -5878,6 +5885,15 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
|
|
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
|
|
if (p_dev_rec == nullptr) return;
|
|
|
|
+ // Drop the connection here if the remote attempts to downgrade from Secure
|
|
+ // Connections mode.
|
|
+ if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
|
|
+ btm_cb.acl_disc_reason = HCI_ERR_HOST_REJECT_SECURITY;
|
|
+ btm_sec_send_hci_disconnect(p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle);
|
|
+ LOG_WARN(LOG_TAG, "Remote attempted to downgrade from Secure Connections mode");
|
|
+ return;
|
|
+ }
|
|
+
|
|
/* Store the Peer Security Capabilites (in SM4 and rmt_sec_caps) */
|
|
if ((btm_cb.security_mode == BTM_SEC_MODE_SP ||
|
|
btm_cb.security_mode == BTM_SEC_MODE_SC) &&
|