Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3cf3d9d9 authored by Brian Delwiche's avatar Brian Delwiche
Browse files

Add support for checking security downgrade 

As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.

Future CLs will add checks during connection.  This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade).  Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.

To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/

Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
Merged-In: I3cd1db300be68d15cb09bdabea711199fcf748da
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f
parent b9bcb27e

system/btif/src/btif_storage.cc

+31 −0
Original line number Diff line number Diff line
@@ -92,10 +92,13 @@ using bluetooth::groups::DeviceGroups; 
#define BTIF_STORAGE_KEY_ADAPTER_SCANMODE "ScanMode"

#define BTIF_STORAGE_KEY_LOCAL_IO_CAPS "LocalIOCaps"

#define BTIF_STORAGE_KEY_LOCAL_IO_CAPS_BLE "LocalIOCapsBLE"

#define BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE "MaxSessionKeySize"

#define BTIF_STORAGE_KEY_ADAPTER_DISC_TIMEOUT "DiscoveryTimeout"

#define BTIF_STORAGE_KEY_GATT_CLIENT_SUPPORTED "GattClientSupportedFeatures"

#define BTIF_STORAGE_KEY_GATT_CLIENT_DB_HASH "GattClientDatabaseHash"

#define BTIF_STORAGE_KEY_GATT_SERVER_SUPPORTED "GattServerSupportedFeatures"

#define BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED \

  "SecureConnectionsSupported"

#define BTIF_STORAGE_DEVICE_GROUP_BIN "DeviceGroupBin"

#define BTIF_STORAGE_CSIS_AUTOCONNECT "CsisAutoconnect"

#define BTIF_STORAGE_CSIS_SET_INFO_BIN "CsisSetInfoBin"
@@ -281,6 +284,14 @@ static int prop2cfg(const RawAddress* remote_bd_addr, bt_property_t* prop) { 
      btif_config_set_int(bdstr, BT_CONFIG_KEY_REMOTE_VER_SUBVER,

                          info->sub_ver);

    } break;

    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED:

      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED,

                          *(uint8_t*)prop->val);

      break;

    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE:

      btif_config_set_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,

                          *(uint8_t*)prop->val);

      break;



    default:

      BTIF_TRACE_ERROR("Unknown prop type:%d", prop->type);
@@ -407,6 +418,26 @@ static int cfg2prop(const RawAddress* remote_bd_addr, bt_property_t* prop) { 
      }

    } break;



    case BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED: {

      int val;



      if (prop->len >= (int)sizeof(uint8_t)) {

        ret = btif_config_get_int(

            bdstr, BTIF_STORAGE_KEY_SECURE_CONNECTIONS_SUPPORTED, &val);

        *(uint8_t*)prop->val = (uint8_t)val;

      }

    } break;



    case BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE: {

      int val;



      if (prop->len >= (int)sizeof(uint8_t)) {

        ret = btif_config_get_int(bdstr, BTIF_STORAGE_KEY_MAX_SESSION_KEY_SIZE,

                                  &val);

        *(uint8_t*)prop->val = (uint8_t)val;

      }

    } break;



    default:

      BTIF_TRACE_ERROR("Unknow prop type:%d", prop->type);

      return false;

system/include/hardware/bluetooth.h

+14 −0
Original line number Diff line number Diff line
@@ -339,6 +339,20 @@ typedef enum { 
   */

  BT_PROPERTY_REMOTE_IS_COORDINATED_SET_MEMBER,



  /**

   * Description - Whether remote device supports Secure Connections mode

   * Access mode - GET and SET.

   * Data Type - uint8_t.

   */

  BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,



  /**

   * Description - Maximum observed session key for remote device

   * Access mode - GET and SET.

   * Data Type - uint8_t.

   */

  BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,



  BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP = 0xFF,

} bt_property_type_t;

system/service/logging_helpers.cc

+2 −0
Original line number Diff line number Diff line
@@ -118,6 +118,8 @@ const char* BtPropertyText(const bt_property_type_t prop) { 
    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_VERSION_INFO);

    CASE_RETURN_TEXT(BT_PROPERTY_LOCAL_LE_FEATURES);

    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_DEVICE_TIMESTAMP);

    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED);

    CASE_RETURN_TEXT(BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE);

    default:

      return "Invalid property";

  }

system/stack/btm/btm_sec.cc

+103 −0
Original line number Diff line number Diff line
@@ -207,6 +207,109 @@ static bool btm_dev_16_digit_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { 
  return (false);

}



/*******************************************************************************

 *

 * Function         btm_sec_is_device_sc_downgrade

 *

 * Description      Check for a stored device record matching the candidate

 *                  device, and return true if the stored device has reported

 *                  that it supports Secure Connections mode and the candidate

 *                  device reports that it does not.  Otherwise, return false.

 *

 * Returns          bool

 *

 ******************************************************************************/

static bool btm_sec_is_device_sc_downgrade(uint16_t hci_handle,

                                           bool secure_connections_supported) {

  if (secure_connections_supported) return false;



  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);

  if (p_dev_rec == nullptr) return false;



  uint8_t property_val = 0;

  bt_property_t property = {

      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,

      .len = sizeof(uint8_t),

      .val = &property_val};



  bt_status_t cached =

      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);



  if (cached == BT_STATUS_FAIL) return false;



  return (bool)property_val;

}



/*******************************************************************************

 *

 * Function         btm_sec_store_device_sc_support

 *

 * Description      Save Secure Connections support for this device to file

 *

 ******************************************************************************/



static void btm_sec_store_device_sc_support(uint16_t hci_handle,

                                            bool secure_connections_supported) {

  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);

  if (p_dev_rec == nullptr) return;



  uint8_t property_val = (uint8_t)secure_connections_supported;

  bt_property_t property = {

      .type = BT_PROPERTY_REMOTE_SECURE_CONNECTIONS_SUPPORTED,

      .len = sizeof(uint8_t),

      .val = &property_val};



  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);

}



/*******************************************************************************

 *

 * Function         btm_sec_is_session_key_size_downgrade

 *

 * Description      Check if there is a stored device record matching this

 *                  handle, and return true if the stored record has a lower

 *                  session key size than the candidate device.

 *

 * Returns          bool

 *

 ******************************************************************************/

bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,

                                           uint8_t key_size) {

  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);

  if (p_dev_rec == nullptr) return false;



  uint8_t property_val = 0;

  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,

                            .len = sizeof(uint8_t),

                            .val = &property_val};



  bt_status_t cached =

      btif_storage_get_remote_device_property(&p_dev_rec->bd_addr, &property);



  if (cached == BT_STATUS_FAIL) return false;



  return property_val > key_size;

}



/*******************************************************************************

 *

 * Function         btm_sec_update_session_key_size

 *

 * Description      Store the max session key size to disk, if possible.

 *

 ******************************************************************************/

void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size) {

  tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);

  if (p_dev_rec == nullptr) return;



  uint8_t property_val = key_size;

  bt_property_t property = {.type = BT_PROPERTY_REMOTE_MAX_SESSION_KEY_SIZE,

                            .len = sizeof(uint8_t),

                            .val = &property_val};



  btif_storage_set_remote_device_property(&p_dev_rec->bd_addr, &property);

}



/*******************************************************************************

 *

 * Function         access_secure_service_from_temp_bond

system/stack/btm/btm_sec.h

+23 −0
Original line number Diff line number Diff line
@@ -805,5 +805,28 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported, 
void btm_sec_cr_loc_oob_data_cback_event(const RawAddress& address,

                                         tSMP_LOC_OOB_DATA loc_oob_data);



/*******************************************************************************

 *

 * Function         btm_sec_is_session_key_size_downgrade

 *

 * Description      Check if there is a stored device record matching this

 *                  handle, and return true if the stored record has a lower

 *                  session key size than the candidate device.

 *

 * Returns          bool

 *

 ******************************************************************************/

bool btm_sec_is_session_key_size_downgrade(uint16_t hci_handle,

                                           uint8_t key_size);



/*******************************************************************************

 *

 * Function         btm_sec_update_session_key_size

 *

 * Description      Store the max session key size to disk, if possible.

 *

 ******************************************************************************/

void btm_sec_update_session_key_size(uint16_t hci_handle, uint8_t key_size);



// Return DEV_CLASS (uint8_t[3]) of bda. If record doesn't exist, create one.

const uint8_t* btm_get_dev_class(const RawAddress& bda);