Bluedroid: Authentication fixes in Legacy and Secure Connection.

Prevent a remote device from doing a Bluetooth Impersonation Attack
(BIAS) by:

- Preventing remote device to downgrade secure connection
feature mask. Secure connection feature mask should remain same or
increase to enabled in link key generation and authentication.

- Doing a mutual authentication during Legacy Authentication.

Signed-off-by: Chinmay Chhajed <chinmay.chhajed@espressif.com>
This commit is contained in:
Chinmay Chhajed 2020-04-28 15:54:31 +05:30
parent 26272af3b4
commit e3350e7861
16 changed files with 271 additions and 50 deletions

View file

@ -92,6 +92,19 @@ menu "Bluetooth"
default BTDM_CTRL_AUTO_LATENCY if BTDM_CTRL_MODE_BTDM
default n
config BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT
bool "Legacy Authentication Vendor Specific Event Enable"
depends on BTDM_CTRL_MODE_BR_EDR_ONLY || BTDM_CTRL_MODE_BTDM
default y
help
To protect from BIAS attack during Legacy authentication,
Legacy authentication Vendor specific event should be enabled
config BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF
bool
default BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT if BTDM_CTRL_MODE_BR_EDR_ONLY || BTDM_CTRL_MODE_BTDM
default 0
config BTDM_CTRL_BLE_MAX_CONN_EFF
int

@ -1 +1 @@
Subproject commit 17f7ef3432039ccc92ae84855813f832389c6cb6
Subproject commit 8451fa0ed40882ca8e71335daee958c6de0341b3

View file

@ -63,7 +63,7 @@ static UINT8 bta_dm_authorize_cback (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NA
#if (CLASSIC_BT_INCLUDED == TRUE)
static UINT8 bta_dm_pin_cback (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, BOOLEAN min_16_digit);
#endif /// CLASSIC_BT_INCLUDED == TRUE
static UINT8 bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, LINK_KEY key, UINT8 key_type);
static UINT8 bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, LINK_KEY key, UINT8 key_type, BOOLEAN sc_support);
static UINT8 bta_dm_authentication_complete_cback(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, int result);
#endif ///SMP_INCLUDED == TRUE
static void bta_dm_local_name_cback(BD_ADDR bd_addr);
@ -1063,7 +1063,7 @@ void bta_dm_add_device (tBTA_DM_MSG *p_data)
if (!BTM_SecAddDevice (p_dev->bd_addr, p_dc, p_dev->bd_name, p_dev->features,
trusted_services_mask, p_lc, p_dev->key_type, p_dev->io_cap,
p_dev->pin_length)) {
p_dev->pin_length, p_dev->sc_support)) {
APPL_TRACE_ERROR ("BTA_DM: Error adding device %08x%04x",
(p_dev->bd_addr[0] << 24) + (p_dev->bd_addr[1] << 16) + (p_dev->bd_addr[2] << 8) + p_dev->bd_addr[3],
(p_dev->bd_addr[4] << 8) + p_dev->bd_addr[5]);
@ -2988,7 +2988,8 @@ static UINT8 bta_dm_pin_cback (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_
**
*******************************************************************************/
static UINT8 bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
BD_NAME bd_name, LINK_KEY key, UINT8 key_type)
BD_NAME bd_name, LINK_KEY key, UINT8 key_type,
BOOLEAN sc_support)
{
tBTA_DM_SEC sec_event;
tBTA_DM_AUTH_CMPL *p_auth_cmpl;
@ -3010,6 +3011,7 @@ static UINT8 bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
p_auth_cmpl->key_present = TRUE;
p_auth_cmpl->key_type = key_type;
p_auth_cmpl->success = TRUE;
p_auth_cmpl->sc_support = sc_support;
memcpy(p_auth_cmpl->key, key, LINK_KEY_LEN);
sec_event.auth_cmpl.fail_reason = HCI_SUCCESS;
@ -3287,6 +3289,7 @@ static void bta_dm_bl_change_cback (tBTM_BL_EVENT_DATA *p_data)
switch (p_msg->event) {
case BTM_BL_CONN_EVT:
p_msg->sc_downgrade = p_data->conn.sc_downgrade;
p_msg->is_new = TRUE;
bdcpy(p_msg->bd_addr, p_data->conn.p_bda);
#if BLE_INCLUDED == TRUE
@ -3513,6 +3516,7 @@ void bta_dm_acl_change(tBTA_DM_MSG *p_data)
APPL_TRACE_DEBUG("%s info: 0x%x", __func__, bta_dm_cb.device_list.peer_device[i].info);
if (bta_dm_cb.p_sec_cback) {
conn.link_up.sc_downgrade = p_data->acl_change.sc_downgrade;
bta_dm_cb.p_sec_cback(BTA_DM_LINK_UP_EVT, (tBTA_DM_SEC *)&conn);
}
} else {

View file

@ -733,7 +733,8 @@ void BTA_DmPasskeyReqReply(BOOLEAN accept, BD_ADDR bd_addr, UINT32 passkey)
*******************************************************************************/
void BTA_DmAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class, LINK_KEY link_key,
tBTA_SERVICE_MASK trusted_mask, BOOLEAN is_trusted,
UINT8 key_type, tBTA_IO_CAP io_cap, UINT8 pin_length)
UINT8 key_type, tBTA_IO_CAP io_cap, UINT8 pin_length,
UINT8 sc_support)
{
tBTA_DM_API_ADD_DEVICE *p_msg;
@ -746,6 +747,7 @@ void BTA_DmAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class, LINK_KEY link_key,
p_msg->tm = trusted_mask;
p_msg->is_trusted = is_trusted;
p_msg->io_cap = io_cap;
p_msg->sc_support = sc_support;
if (link_key) {
p_msg->link_key_known = TRUE;

View file

@ -433,6 +433,7 @@ typedef struct {
UINT8 new_role;
BD_ADDR bd_addr;
UINT8 hci_status;
BOOLEAN sc_downgrade;
#if BLE_INCLUDED == TRUE
UINT16 handle;
#endif
@ -474,6 +475,7 @@ typedef struct {
BD_NAME bd_name;
UINT8 features[BTA_FEATURE_BYTES_PER_PAGE * (BTA_EXT_FEATURES_PAGE_MAX + 1)];
UINT8 pin_length;
UINT8 sc_support;
} tBTA_DM_API_ADD_DEVICE;
/* data type for BTA_DM_API_REMOVE_ACL_EVT */

View file

@ -784,6 +784,7 @@ typedef struct {
tBLE_ADDR_TYPE addr_type; /* Peer device address type */
tBT_DEVICE_TYPE dev_type;
UINT8 auth_mode;
BOOLEAN sc_support; /* Denotes if peer device supported secure connection while bonding. */
} tBTA_DM_AUTH_CMPL;
@ -799,6 +800,7 @@ typedef struct {
/* Structure associated with BTA_DM_LINK_UP_EVT */
typedef struct {
BOOLEAN sc_downgrade; /* Security downgrade state. */
BD_ADDR bd_addr; /* BD address peer device. */
#if BLE_INCLUDED == TRUE
tBTA_TRANSPORT link_type;
@ -1757,7 +1759,8 @@ extern void BTA_DmPasskeyReqReply(BOOLEAN accept, BD_ADDR bd_addr, UINT32 passke
extern void BTA_DmAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class,
LINK_KEY link_key, tBTA_SERVICE_MASK trusted_mask,
BOOLEAN is_trusted, UINT8 key_type,
tBTA_IO_CAP io_cap, UINT8 pin_length);
tBTA_IO_CAP io_cap, UINT8 pin_length,
UINT8 sc_support);
/*******************************************************************************
**

View file

@ -303,6 +303,27 @@ static void btc_dm_ble_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
#endif ///BLE_INCLUDED == TRUE
#endif ///SMP_INCLUDED == TRUE
static void btc_dm_link_up_evt(tBTA_DM_LINK_UP *p_link_up)
{
BD_ADDR bd_addr;
bt_bdaddr_t bt_bdaddr;
memcpy(bd_addr, p_link_up->bd_addr, sizeof(BD_ADDR));
memcpy(bt_bdaddr.address, p_link_up->bd_addr, sizeof(BD_ADDR));
if (p_link_up->sc_downgrade == 1) {
if (btc_storage_remove_bonded_device(&bt_bdaddr) == BT_STATUS_SUCCESS) {
if (BTA_DmRemoveDevice(bd_addr, BT_TRANSPORT_BR_EDR) == BTA_SUCCESS) {
BTC_TRACE_EVENT(" %s() Bonding information removed.", __FUNCTION__);
} else {
BTC_TRACE_ERROR(" %s() BTA_DmRemoveDevice error", __FUNCTION__);
}
} else {
BTC_TRACE_ERROR(" %s() btc_storage_remove_bonded_device error", __FUNCTION__);
}
}
}
static void btc_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
{
/* Save link key, if not temporary */
@ -326,7 +347,7 @@ static void btc_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
__FUNCTION__, p_auth_cmpl->key_type);
ret = btc_storage_add_bonded_device(&bd_addr,
p_auth_cmpl->key, p_auth_cmpl->key_type,
16);
16, p_auth_cmpl->sc_support);
BTC_ASSERTC(ret == BT_STATUS_SUCCESS, "storing link key failed", ret);
} else {
BTC_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x",
@ -678,6 +699,7 @@ void btc_dm_sec_cb_handler(btc_msg_t *msg)
}
#endif /* BTC_GAP_BT_INCLUDED == TRUE */
case BTA_DM_LINK_UP_EVT:
btc_dm_link_up_evt(&p_data->link_up);
case BTA_DM_LINK_DOWN_EVT:
case BTA_DM_HW_ERROR_EVT:
BTC_TRACE_DEBUG( "btc_dm_sec_cback : unhandled event (%d)\n", msg->act );

View file

@ -37,7 +37,8 @@
bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
LINK_KEY link_key,
uint8_t key_type,
uint8_t pin_length)
uint8_t pin_length,
BOOLEAN sc_support)
{
bdstr_t bdstr;
@ -48,6 +49,7 @@ bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
int ret = btc_config_set_int(bdstr, BTC_STORAGE_LINK_KEY_TYPE_STR, (int)key_type);
ret &= btc_config_set_int(bdstr, BTC_STORAGE_PIN_LENGTH_STR, (int)pin_length);
ret &= btc_config_set_bin(bdstr, BTC_STORAGE_LINK_KEY_STR, link_key, sizeof(LINK_KEY));
ret &= btc_config_set_bin(bdstr, BTC_STORAGE_SC_SUPPORT, (uint8_t *)&sc_support, sizeof(sc_support));
/* write bonded info immediately */
btc_config_flush();
btc_config_unlock();
@ -69,6 +71,7 @@ bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
static bt_status_t btc_in_fetch_bonded_devices(int add)
{
BOOLEAN bt_linkkey_file_found = FALSE;
UINT8 sc_support = 0;
btc_config_lock();
for (const btc_config_section_iter_t *iter = btc_config_section_begin(); iter != btc_config_section_end(); iter = btc_config_section_next(iter)) {
@ -93,9 +96,11 @@ static bt_status_t btc_in_fetch_bonded_devices(int add)
uint2devclass((UINT32)cod, dev_class);
}
btc_config_get_int(name, BTC_STORAGE_PIN_LENGTH_STR, &pin_length);
size = sizeof(sc_support);
btc_config_get_bin(name, BTC_STORAGE_SC_SUPPORT, &sc_support, &size);
#if (SMP_INCLUDED == TRUE)
BTA_DmAddDevice(bd_addr.address, dev_class, link_key, 0, 0,
(UINT8)linkkey_type, 0, pin_length);
(UINT8)linkkey_type, 0, pin_length, (UINT8)sc_support);
#endif ///SMP_INCLUDED == TRUE
}
bt_linkkey_file_found = TRUE;
@ -160,6 +165,9 @@ bt_status_t btc_storage_remove_bonded_device(bt_bdaddr_t *remote_bd_addr)
if (btc_config_exist(bdstr, BTC_STORAGE_LINK_KEY_STR)) {
ret &= btc_config_remove(bdstr, BTC_STORAGE_LINK_KEY_STR);
}
if (btc_config_exist(bdstr, BTC_STORAGE_SC_SUPPORT)) {
ret &= btc_config_remove(bdstr, BTC_STORAGE_SC_SUPPORT);
}
/* write bonded info immediately */
btc_config_flush();
btc_config_unlock();
@ -187,6 +195,7 @@ int btc_storage_get_num_bt_bond_devices(void)
if (string_is_bdaddr(name) &&
btc_config_exist(name, BTC_STORAGE_LINK_KEY_TYPE_STR) &&
btc_config_exist(name, BTC_STORAGE_PIN_LENGTH_STR) &&
btc_config_exist(name, BTC_STORAGE_SC_SUPPORT) &&
btc_config_exist(name, BTC_STORAGE_LINK_KEY_STR)) {
num_dev++;
}
@ -223,6 +232,7 @@ bt_status_t btc_storage_get_bonded_bt_devices_list(bt_bdaddr_t *bond_dev, int de
if (string_is_bdaddr(name) &&
btc_config_exist(name, BTC_STORAGE_LINK_KEY_TYPE_STR) &&
btc_config_exist(name, BTC_STORAGE_PIN_LENGTH_STR) &&
btc_config_exist(name, BTC_STORAGE_SC_SUPPORT) &&
btc_config_exist(name, BTC_STORAGE_LINK_KEY_STR)) {
string_to_bdaddr(name, &bd_addr);
memcpy(bond_dev, &bd_addr, sizeof(bt_bdaddr_t));

View file

@ -25,6 +25,7 @@
#define BTC_STORAGE_LINK_KEY_STR "LinkKey" /* same as the ble */
#define BTC_STORAGE_LINK_KEY_TYPE_STR "LinkKeyType"
#define BTC_STORAGE_PIN_LENGTH_STR "PinLength"
#define BTC_STORAGE_SC_SUPPORT "SCSupport"
/*******************************************************************************
**
@ -40,7 +41,8 @@
bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
LINK_KEY link_key,
uint8_t key_type,
uint8_t pin_length);
uint8_t pin_length,
BOOLEAN sc_support);
/*******************************************************************************
**

View file

@ -276,6 +276,9 @@ void btm_acl_created (BD_ADDR bda, DEV_CLASS dc, BD_NAME bdn,
btm_pm_sm_alloc(xx);
#if (CLASSIC_BT_INCLUDED == TRUE)
btm_sec_update_legacy_auth_state(p, BTM_ACL_LEGACY_AUTH_NONE);
#endif
if (dc) {
memcpy (p->remote_dc, dc, DEV_CLASS_LEN);
@ -299,6 +302,7 @@ void btm_acl_created (BD_ADDR bda, DEV_CLASS dc, BD_NAME bdn,
#endif
if (p_dev_rec && !(transport == BT_TRANSPORT_LE)) {
if (!p_dev_rec->remote_secure_connection_previous_state) {
/* If remote features already known, copy them and continue connection setup */
if ((p_dev_rec->num_read_pages) &&
(p_dev_rec->num_read_pages <= (HCI_EXT_FEATURES_PAGE_MAX + 1))) {
@ -322,6 +326,11 @@ void btm_acl_created (BD_ADDR bda, DEV_CLASS dc, BD_NAME bdn,
btm_establish_continue (p);
return;
}
} else {
/* If remote features indicated secure connection (SC) mode, check the remote feautres again*/
/* this is to prevent from BIAS attack where attacker can downgrade SC mode*/
btm_read_remote_features (p->hci_handle);
}
}
#if (BLE_INCLUDED == TRUE)
@ -791,6 +800,22 @@ void btm_acl_encrypt_change (UINT16 handle, UINT8 status, UINT8 encr_enable)
}
#endif
}
#if (CLASSIC_BT_INCLUDED == TRUE)
/* If authentication is done through legacy authentication and esp32 has
* not authenticated peer deivce yet, do not proceed for encrytion and
* first authenticate it. */
else if ((BTM_BothEndsSupportSecureConnections(p->remote_addr) == 0) &&
((p->legacy_auth_state & BTM_ACL_LEGACY_AUTH_SELF) == 0)) {
if ((p_dev_rec = btm_find_dev (p->remote_addr)) != NULL) {
if (btm_sec_legacy_authentication_mutual(p_dev_rec)) {
btm_sec_update_legacy_auth_state(btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR), BTM_ACL_LEGACY_AUTH_SELF);
} else {
BTM_TRACE_ERROR("%s failed, Resources not available for Authentication procedure", __FUNCTION__);
}
}
}
#endif
}
/*******************************************************************************
**
@ -1212,6 +1237,7 @@ void btm_establish_continue (tACL_CONN *p_acl_cb)
evt_data.conn.p_bdn = p_acl_cb->remote_name;
evt_data.conn.p_dc = p_acl_cb->remote_dc;
evt_data.conn.p_features = p_acl_cb->peer_lmp_features[HCI_EXT_FEATURES_PAGE_0];
evt_data.conn.sc_downgrade = p_acl_cb->sc_downgrade;
#if BLE_INCLUDED == TRUE
evt_data.conn.handle = p_acl_cb->hci_handle;
evt_data.conn.transport = p_acl_cb->transport;

View file

@ -60,7 +60,7 @@ static tBTM_SEC_DEV_REC *btm_find_oldest_dev (void);
BOOLEAN BTM_SecAddDevice (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name,
UINT8 *features, UINT32 trusted_mask[],
LINK_KEY link_key, UINT8 key_type, tBTM_IO_CAP io_cap,
UINT8 pin_length)
UINT8 pin_length, UINT8 sc_support)
{
#if (SMP_INCLUDED == TRUE)
tBTM_SEC_DEV_REC *p_dev_rec;
@ -99,6 +99,7 @@ BOOLEAN BTM_SecAddDevice (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name,
p_dev_rec->bond_type = BOND_TYPE_UNKNOWN; /* Default value */
p_dev_rec->timestamp = btm_cb.dev_rec_count++;
p_dev_rec->remote_secure_connection_previous_state = sc_support;
if (dev_class) {
memcpy (p_dev_rec->dev_class, dev_class, DEV_CLASS_LEN);

View file

@ -792,13 +792,24 @@ void btm_vendor_specific_evt (UINT8 *p, UINT8 evt_len)
{
UINT8 i;
BTM_TRACE_DEBUG ("BTM Event: Vendor Specific event from controller");
#if (CLASSIC_BT_INCLUDED == TRUE)
UINT8 sub_event;
UINT8 *p_evt = p;
STREAM_TO_UINT8(sub_event, p_evt);
/* Check in subevent if authentication is through Legacy Authentication. */
if (sub_event == ESP_VS_REM_LEGACY_AUTH_CMP) {
UINT16 hci_handle;
STREAM_TO_UINT16(hci_handle, p_evt);
btm_sec_handle_remote_legacy_auth_cmp(hci_handle);
}
#endif /// (CLASSIC_BT_INCLUDED == TRUE)
for (i = 0; i < BTM_MAX_VSE_CALLBACKS; i++) {
if (btm_cb.devcb.p_vend_spec_cb[i]) {
(*btm_cb.devcb.p_vend_spec_cb[i])(evt_len, p);
}
}
BTM_TRACE_DEBUG ("BTM Event: Vendor Specific event from controller");
}

View file

@ -3931,10 +3931,11 @@ void btm_sec_auth_complete (UINT16 handle, UINT8 status)
(BTM_SEC_AUTHENTICATED | BTM_SEC_ENCRYPTED))) {
status = HCI_SUCCESS;
}
/* Currently we do not notify user if it is a keyboard which connects */
/* User probably Disabled the keyboard while it was asleap. Let her try */
/* User probably Disabled the keyboard while it was asleep. Let her try */
if (btm_cb.api.p_auth_complete_callback) {
/* report the suthentication status */
/* report the authentication status */
if (old_state != BTM_PAIR_STATE_IDLE) {
(*btm_cb.api.p_auth_complete_callback) (p_dev_rec->bd_addr,
p_dev_rec->dev_class,
@ -3944,6 +3945,9 @@ void btm_sec_auth_complete (UINT16 handle, UINT8 status)
p_dev_rec->sec_state = BTM_SEC_STATE_IDLE;
#if (CLASSIC_BT_INCLUDED == TRUE)
btm_sec_update_legacy_auth_state(btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR), BTM_ACL_LEGACY_AUTH_SELF);
#endif
/* If this is a bonding procedure can disconnect the link now */
if (are_bonding) {
p_dev_rec->security_required &= ~BTM_SEC_OUT_AUTHENTICATE;
@ -4673,12 +4677,24 @@ void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_t
/* If connection was made to do bonding restore link security if changed */
btm_restore_mode();
/* Store the previous state of secure connection as current state. Since
* this is the first encounter with the remote device, whatever the remote
* device's SC state is, it cannot lower the SC level from this. */
p_dev_rec->remote_secure_connection_previous_state = p_dev_rec->remote_supports_secure_connections;
if (p_dev_rec->remote_supports_secure_connections) {
BTM_TRACE_EVENT ("Remote device supports Secure Connection");
} else {
BTM_TRACE_EVENT ("Remote device does not support Secure Connection");
}
if (key_type != BTM_LKEY_TYPE_CHANGED_COMB) {
p_dev_rec->link_key_type = key_type;
}
p_dev_rec->sec_flags |= BTM_SEC_LINK_KEY_KNOWN;
#if (CLASSIC_BT_INCLUDED == TRUE)
btm_sec_update_legacy_auth_state(btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR), BTM_ACL_LEGACY_AUTH_NONE);
#endif
/*
* Until this point in time, we do not know if MITM was enabled, hence we
* add the extended security flag here.
@ -4711,7 +4727,8 @@ void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_t
__FUNCTION__, p_dev_rec->link_key_type);
(*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
p_dev_rec->sec_bd_name,
p_link_key, p_dev_rec->link_key_type);
p_link_key, p_dev_rec->link_key_type,
p_dev_rec->remote_supports_secure_connections);
}
} else {
if ((p_dev_rec->link_key_type == BTM_LKEY_TYPE_UNAUTH_COMB_P_256) ||
@ -4768,7 +4785,8 @@ void btm_sec_link_key_notification (UINT8 *p_bda, UINT8 *p_link_key, UINT8 key_t
} else {
(*btm_cb.api.p_link_key_callback) (p_bda, p_dev_rec->dev_class,
p_dev_rec->sec_bd_name,
p_link_key, p_dev_rec->link_key_type);
p_link_key, p_dev_rec->link_key_type,
p_dev_rec->remote_supports_secure_connections);
}
}
}
@ -5561,7 +5579,9 @@ static void btm_send_link_key_notif (tBTM_SEC_DEV_REC *p_dev_rec)
if (btm_cb.api.p_link_key_callback) {
(*btm_cb.api.p_link_key_callback) (p_dev_rec->bd_addr, p_dev_rec->dev_class,
p_dev_rec->sec_bd_name, p_dev_rec->link_key,
p_dev_rec->link_key_type);
p_dev_rec->link_key_type,
p_dev_rec->remote_supports_secure_connections);
}
}
#endif ///SMP_INCLUDED == TRUE
@ -5919,6 +5939,29 @@ void btm_sec_set_peer_sec_caps(tACL_CONN *p_acl_cb, tBTM_SEC_DEV_REC *p_dev_rec)
BTM_TRACE_API("%s: sm4: 0x%02x, rmt_support_for_secure_connections %d\n", __FUNCTION__,
p_dev_rec->sm4, p_dev_rec->remote_supports_secure_connections);
/* Store previous state of remote device to check if peer device downgraded
* it's secure connection state. */
#if (CLASSIC_BT_INCLUDED == TRUE)
if (p_dev_rec->remote_supports_secure_connections >= p_dev_rec->remote_secure_connection_previous_state) {
p_dev_rec->remote_secure_connection_previous_state = p_dev_rec->remote_supports_secure_connections;
} else {
BTM_TRACE_ERROR("Remote Device downgraded security from SC, deleting Link Key");
/* Mark in ACL packet that secure connection is downgraded. */
p_acl_cb->sc_downgrade = 1;
p_dev_rec->remote_secure_connection_previous_state = 0;
/* As peer device downgraded it's security, peer device is a suspicious
* device. Hence remove pairing information by removing link key
* information. */
memset(p_dev_rec->link_key, 0, LINK_KEY_LEN);
p_dev_rec->sec_flags &= ~(BTM_SEC_AUTHORIZED | BTM_SEC_AUTHENTICATED
| BTM_SEC_ENCRYPTED | BTM_SEC_NAME_KNOWN
| BTM_SEC_LINK_KEY_KNOWN | BTM_SEC_LINK_KEY_AUTHED
| BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
return;
}
#endif
if (p_dev_rec->remote_features_needed) {
BTM_TRACE_EVENT("%s: Now device in SC Only mode, waiting for peer remote features!\n",
@ -6184,5 +6227,62 @@ static BOOLEAN btm_sec_is_master(tBTM_SEC_DEV_REC *p_dev_rec)
tACL_CONN *p = btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
return (p && (p->link_role == BTM_ROLE_MASTER));
}
#endif ///SMP_INCLUDED == TRUE
#if (CLASSIC_BT_INCLUDED == TRUE)
/*******************************************************************************
**
** Function btm_sec_legacy_authentication_mutual
**
** Description This function is called when legacy authentication is used
** and only remote device has completed the authentication
**
** Returns TRUE if aunthentication command sent successfully
**
*******************************************************************************/
BOOLEAN btm_sec_legacy_authentication_mutual (tBTM_SEC_DEV_REC *p_dev_rec)
{
return (btm_sec_start_authentication (p_dev_rec));
}
/*******************************************************************************
**
** Function btm_sec_update_legacy_auth_state
**
** Description This function updates the legacy authentication state
**
** Returns void
**
*******************************************************************************/
void btm_sec_update_legacy_auth_state(tACL_CONN *p_acl_cb, UINT8 legacy_auth_state)
{
if (p_acl_cb) {
tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (p_acl_cb->hci_handle);
if (p_dev_rec) {
if ((BTM_BothEndsSupportSecureConnections(p_dev_rec->bd_addr) == 0) &&
(legacy_auth_state != BTM_ACL_LEGACY_AUTH_NONE)) {
p_acl_cb->legacy_auth_state |= legacy_auth_state;
} else {
p_acl_cb->legacy_auth_state = BTM_ACL_LEGACY_AUTH_NONE;
}
}
}
}
/*******************************************************************************
**
** Function btm_sec_handle_remote_legacy_auth_cmp
**
** Description This function updates the legacy authneticaiton state
** to indicate that remote device has completed the authentication
**
** Returns void
**
*******************************************************************************/
void btm_sec_handle_remote_legacy_auth_cmp(UINT16 handle)
{
tBTM_SEC_DEV_REC *p_dev_rec = btm_find_dev_by_handle (handle);
tACL_CONN *p_acl_cb = btm_bda_to_acl(p_dev_rec->bd_addr, BT_TRANSPORT_BR_EDR);
btm_sec_update_legacy_auth_state(p_acl_cb, BTM_ACL_LEGACY_AUTH_REMOTE);
}
#endif /// (CLASSIC_BT_INCLUDED == TRUE)
#endif ///SMP_INCLUDED == TRUE

View file

@ -41,6 +41,8 @@
#include "stack/smp_api.h"
#endif
#define ESP_VS_REM_LEGACY_AUTH_CMP 0x03
#if BTM_MAX_LOC_BD_NAME_LEN > 0
typedef char tBTM_LOC_BD_NAME[BTM_MAX_LOC_BD_NAME_LEN + 1];
#endif
@ -93,6 +95,13 @@ UINT8 lmp_version;
BOOLEAN in_use;
UINT8 link_role;
BOOLEAN link_up_issued; /* True if busy_level link up has been issued */
BOOLEAN sc_downgrade; /* Store if security is downgraded or not. */
#define BTM_ACL_LEGACY_AUTH_NONE (0)
#define BTM_ACL_LEGACY_AUTH_SELF (1<<0)
#define BTM_ACL_LEGACY_AUTH_REMOTE (1<<1)
#define BTM_ACL_LEGACY_AUTH_MUTUAL (1<<2)
UINT8 legacy_auth_state;
#define BTM_ACL_SWKEY_STATE_IDLE 0
#define BTM_ACL_SWKEY_STATE_MODE_CHANGE 1
@ -606,6 +615,8 @@ typedef struct {
/* "Secure Connections Only" mode and it receives */
/* HCI_IO_CAPABILITY_REQUEST_EVT from the peer before */
/* it knows peer's support for Secure Connections */
BOOLEAN remote_secure_connection_previous_state; /* Stores if peer ever supported
secure connection. This will be helpful to know when peer device downgrades it's security. */
UINT16 ble_hci_handle; /* use in DUMO connection */
UINT8 enc_key_size; /* current link encryption key size */
@ -1166,6 +1177,10 @@ void btm_ble_sem_free(void);
void btm_ble_lock_free(void);
void btm_sec_handle_remote_legacy_auth_cmp(UINT16 handle);
void btm_sec_update_legacy_auth_state(tACL_CONN *p_acl_cb, UINT8 legacy_auth_state);
BOOLEAN btm_sec_legacy_authentication_mutual (tBTM_SEC_DEV_REC *p_dev_rec);
/*
#ifdef __cplusplus
}

View file

@ -849,6 +849,7 @@ typedef struct {
DEV_CLASS_PTR p_dc; /* The device class */
BD_NAME_PTR p_bdn; /* The device name */
UINT8 *p_features; /* pointer to the remote device's features page[0] (supported features page) */
BOOLEAN sc_downgrade; /* Secure connection downgrade state. */
#if BLE_INCLUDED == TRUE
UINT16 handle; /* connection handle */
tBT_TRANSPORT transport; /* link is LE or not */
@ -1372,7 +1373,7 @@ typedef UINT8 (tBTM_PIN_CALLBACK) (BD_ADDR bd_addr, DEV_CLASS dev_class,
*/
typedef UINT8 (tBTM_LINK_KEY_CALLBACK) (BD_ADDR bd_addr, DEV_CLASS dev_class,
tBTM_BD_NAME bd_name, UINT8 *key,
UINT8 key_type);
UINT8 key_type, BOOLEAN sc_support);
/* Remote Name Resolved. Parameters are
@ -3426,7 +3427,8 @@ UINT8 BTM_SecClrService (UINT8 service_id);
BOOLEAN BTM_SecAddDevice (BD_ADDR bd_addr, DEV_CLASS dev_class,
BD_NAME bd_name, UINT8 *features,
UINT32 trusted_mask[], LINK_KEY link_key,
UINT8 key_type, tBTM_IO_CAP io_cap, UINT8 pin_length);
UINT8 key_type, tBTM_IO_CAP io_cap, UINT8 pin_length,
UINT8 sc_support);
/*******************************************************************************

View file

@ -25,7 +25,7 @@
extern "C" {
#endif
#define ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL 0x20200106
#define ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL 0x20200611
/**
* @brief Bluetooth mode for controller enable/disable
@ -117,6 +117,12 @@ the adv packet will be discarded until the memory is restored. */
#define BTDM_CTRL_AUTO_LATENCY_EFF false
#endif
#ifdef CONFIG_BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF
#define BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF CONFIG_BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF
#else
#define BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF false
#endif
#define BTDM_CONTROLLER_BLE_MAX_CONN_LIMIT 9 //Maximum BLE connection limitation
#define BTDM_CONTROLLER_BR_EDR_MAX_ACL_CONN_LIMIT 7 //Maximum ACL connection limitation
#define BTDM_CONTROLLER_BR_EDR_MAX_SYNC_CONN_LIMIT 3 //Maximum SCO/eSCO connection limitation
@ -140,6 +146,7 @@ the adv packet will be discarded until the memory is restored. */
.bt_max_acl_conn = CONFIG_BTDM_CTRL_BR_EDR_MAX_ACL_CONN_EFF, \
.bt_sco_datapath = CONFIG_BTDM_CTRL_BR_EDR_SCO_DATA_PATH_EFF, \
.auto_latency = BTDM_CTRL_AUTO_LATENCY_EFF, \
.bt_legacy_auth_vs_evt = BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF, \
.bt_max_sync_conn = CONFIG_BTDM_CTRL_BR_EDR_MAX_SYNC_CONN_EFF, \
.ble_sca = CONFIG_BTDM_BLE_SLEEP_CLOCK_ACCURACY_INDEX_EFF, \
.magic = ESP_BT_CONTROLLER_CONFIG_MAGIC_VAL, \
@ -173,6 +180,7 @@ typedef struct {
uint8_t bt_max_acl_conn; /*!< BR/EDR maximum ACL connection numbers */
uint8_t bt_sco_datapath; /*!< SCO data path, i.e. HCI or PCM module */
bool auto_latency; /*!< BLE auto latency, used to enhance classic BT performance */
bool bt_legacy_auth_vs_evt; /*!< BR/EDR Legacy auth complete event required to protect from BIAS attack */
/*
* Following parameters can not be configured runtime when call esp_bt_controller_init()
* It will be overwrite with a constant value which in menuconfig or from a macro.