More security flag hiding (4f67dc7c) · Commits · e / os / android_packages_modules_Bluetooth

system/stack/gatt/gatt_db.cc

+16 −24

Original line number	Original line	Diff line number	Diff line
	@@ -98,27 +98,24 @@ static tGATT_STATUS gatts_check_attr_readability(const tGATT_ATTR& attr,
	return GATT_READ_NOT_PERMIT;		return GATT_READ_NOT_PERMIT;
	}		}

	if ((perm & GATT_READ_AUTH_REQUIRED) &&		if ((perm & GATT_READ_AUTH_REQUIRED) && !sec_flag.is_link_key_known &&
	!(sec_flag & GATT_SEC_FLAG_LKEY_UNAUTHED) &&		!sec_flag.is_encrypted) {
	!(sec_flag & BTM_SEC_FLAG_ENCRYPTED)) {
	LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION";		LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION";
	return GATT_INSUF_AUTHENTICATION;		return GATT_INSUF_AUTHENTICATION;
	}		}

	if ((perm & GATT_READ_MITM_REQUIRED) &&		if ((perm & GATT_READ_MITM_REQUIRED) && !sec_flag.is_link_key_authed) {
	!(sec_flag & GATT_SEC_FLAG_LKEY_AUTHED)) {
	LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION: MITM Required";		LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION: MITM Required";
	return GATT_INSUF_AUTHENTICATION;		return GATT_INSUF_AUTHENTICATION;
	}		}

	if ((perm & GATT_READ_ENCRYPTED_REQUIRED) &&		if ((perm & GATT_READ_ENCRYPTED_REQUIRED) && !sec_flag.is_encrypted) {
	!(sec_flag & GATT_SEC_FLAG_ENCRYPTED)) {
	LOG(ERROR) << __func__ << ": GATT_INSUF_ENCRYPTION";		LOG(ERROR) << __func__ << ": GATT_INSUF_ENCRYPTION";
	return GATT_INSUF_ENCRYPTION;		return GATT_INSUF_ENCRYPTION;
	}		}

	if ((perm & GATT_READ_ENCRYPTED_REQUIRED) &&		if ((perm & GATT_READ_ENCRYPTED_REQUIRED) && sec_flag.is_encrypted &&
	(sec_flag & GATT_SEC_FLAG_ENCRYPTED) && (key_size < min_key_size)) {		(key_size < min_key_size)) {
	LOG(ERROR) << __func__ << ": GATT_INSUF_KEY_SIZE";		LOG(ERROR) << __func__ << ": GATT_INSUF_KEY_SIZE";
	return GATT_INSUF_KEY_SIZE;		return GATT_INSUF_KEY_SIZE;
	}		}
	@@ -169,8 +166,8 @@ static tGATT_STATUS read_attr_value(tGATT_ATTR& attr16, uint16_t offset,
	uint8_t* p = *p_data;		uint8_t* p = *p_data;

	VLOG(1) << __func__ << " uuid=" << attr16.uuid		VLOG(1) << __func__ << " uuid=" << attr16.uuid
	<< StringPrintf(" perm=0x%02x sec_flag=0x%x offset=%d read_long=%d",		<< StringPrintf(" perm=0x%02x offset=%d read_long=%d",
	attr16.permission, sec_flag, offset, read_long);		attr16.permission, offset, read_long);

	tGATT_STATUS status = gatts_check_attr_readability(attr16, offset, read_long,		tGATT_STATUS status = gatts_check_attr_readability(attr16, offset, read_long,
	sec_flag, key_size);		sec_flag, key_size);
	@@ -539,9 +536,9 @@ tGATT_STATUS gatts_write_attr_perm_check(tGATT_SVC_DB* p_db, uint8_t op_code,
	tGATT_SEC_FLAG sec_flag,		tGATT_SEC_FLAG sec_flag,
	uint8_t key_size) {		uint8_t key_size) {
	VLOG(1) << StringPrintf(		VLOG(1) << StringPrintf(
	"%s: op_code=0x%0x handle=0x%04x offset=%d len=%d sec_flag=0x%0x "		"%s: op_code=0x%0x handle=0x%04x offset=%d len=%d "
	"key_size=%d",		"key_size=%d",
	__func__, op_code, handle, offset, len, sec_flag, key_size);		__func__, op_code, handle, offset, len, key_size);

	tGATT_ATTR* p_attr = find_attr_by_handle(p_db, handle);		tGATT_ATTR* p_attr = find_attr_by_handle(p_db, handle);
	if (!p_attr) return GATT_NOT_FOUND;		if (!p_attr) return GATT_NOT_FOUND;
	@@ -578,8 +575,7 @@ tGATT_STATUS gatts_write_attr_perm_check(tGATT_SVC_DB* p_db, uint8_t op_code,
	status = GATT_WRITE_NOT_PERMIT;		status = GATT_WRITE_NOT_PERMIT;
	VLOG(1) << __func__ << ": sign cmd write not allowed";		VLOG(1) << __func__ << ": sign cmd write not allowed";
	}		}
	if ((op_code == GATT_SIGN_CMD_WRITE) &&		if ((op_code == GATT_SIGN_CMD_WRITE) && sec_flag.is_encrypted) {
	(sec_flag & GATT_SEC_FLAG_ENCRYPTED)) {
	status = GATT_INVALID_PDU;		status = GATT_INVALID_PDU;
	LOG(ERROR) << __func__		LOG(ERROR) << __func__
	<< ": Error!! sign cmd write sent on a encypted link";		<< ": Error!! sign cmd write sent on a encypted link";
	@@ -588,28 +584,24 @@ tGATT_STATUS gatts_write_attr_perm_check(tGATT_SVC_DB* p_db, uint8_t op_code,
	LOG(ERROR) << __func__ << ": GATT_WRITE_NOT_PERMIT";		LOG(ERROR) << __func__ << ": GATT_WRITE_NOT_PERMIT";
	}		}
	/* require authentication, but not been authenticated */		/* require authentication, but not been authenticated */
	else if ((perm & GATT_WRITE_AUTH_REQUIRED) &&		else if ((perm & GATT_WRITE_AUTH_REQUIRED) && !sec_flag.is_link_key_known) {
	!(sec_flag & GATT_SEC_FLAG_LKEY_UNAUTHED)) {
	status = GATT_INSUF_AUTHENTICATION;		status = GATT_INSUF_AUTHENTICATION;
	LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION";		LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION";
	} else if ((perm & GATT_WRITE_MITM_REQUIRED) &&		} else if ((perm & GATT_WRITE_MITM_REQUIRED) &&
	!(sec_flag & GATT_SEC_FLAG_LKEY_AUTHED)) {		!sec_flag.is_link_key_authed) {
	status = GATT_INSUF_AUTHENTICATION;		status = GATT_INSUF_AUTHENTICATION;
	LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION: MITM required";		LOG(ERROR) << __func__ << ": GATT_INSUF_AUTHENTICATION: MITM required";
	} else if ((perm & GATT_WRITE_ENCRYPTED_PERM) &&		} else if ((perm & GATT_WRITE_ENCRYPTED_PERM) && !sec_flag.is_encrypted) {
	!(sec_flag & GATT_SEC_FLAG_ENCRYPTED)) {
	status = GATT_INSUF_ENCRYPTION;		status = GATT_INSUF_ENCRYPTION;
	LOG(ERROR) << __func__ << ": GATT_INSUF_ENCRYPTION";		LOG(ERROR) << __func__ << ": GATT_INSUF_ENCRYPTION";
	} else if ((perm & GATT_WRITE_ENCRYPTED_PERM) &&		} else if ((perm & GATT_WRITE_ENCRYPTED_PERM) && sec_flag.is_encrypted &&
	(sec_flag & GATT_SEC_FLAG_ENCRYPTED) &&
	(key_size < min_key_size)) {		(key_size < min_key_size)) {
	status = GATT_INSUF_KEY_SIZE;		status = GATT_INSUF_KEY_SIZE;
	LOG(ERROR) << __func__ << ": GATT_INSUF_KEY_SIZE";		LOG(ERROR) << __func__ << ": GATT_INSUF_KEY_SIZE";
	}		}
	/* LE security mode 2 attribute */		/* LE security mode 2 attribute */
	else if (perm & GATT_WRITE_SIGNED_PERM && op_code != GATT_SIGN_CMD_WRITE &&		else if (perm & GATT_WRITE_SIGNED_PERM && op_code != GATT_SIGN_CMD_WRITE &&
	!(sec_flag & GATT_SEC_FLAG_ENCRYPTED) &&		!sec_flag.is_encrypted && (perm & GATT_WRITE_ALLOWED) == 0) {
	(perm & GATT_WRITE_ALLOWED) == 0) {
	status = GATT_INSUF_AUTHENTICATION;		status = GATT_INSUF_AUTHENTICATION;
	LOG(ERROR) << __func__		LOG(ERROR) << __func__
	<< ": GATT_INSUF_AUTHENTICATION: LE security mode 2 required";		<< ": GATT_INSUF_AUTHENTICATION: LE security mode 2 required";

system/stack/gatt/gatt_int.h

+7 −5

Original line number	Original line	Diff line number	Diff line
	@@ -84,10 +84,11 @@ inline std::string gatt_security_action_text(const tGATT_SEC_ACTION& action) {
	#define GATT_WAIT_FOR_DISC_RSP_TIMEOUT_MS (5 * 1000)		#define GATT_WAIT_FOR_DISC_RSP_TIMEOUT_MS (5 * 1000)
	#define GATT_REQ_RETRY_LIMIT 2		#define GATT_REQ_RETRY_LIMIT 2

	#define GATT_SEC_FLAG_LKEY_UNAUTHED BTM_SEC_FLAG_LKEY_KNOWN		typedef struct {
	#define GATT_SEC_FLAG_LKEY_AUTHED BTM_SEC_FLAG_LKEY_AUTHED		bool is_link_key_known;
	#define GATT_SEC_FLAG_ENCRYPTED BTM_SEC_FLAG_ENCRYPTED		bool is_link_key_authed;
	typedef uint8_t tGATT_SEC_FLAG;		bool is_encrypted;
			} tGATT_SEC_FLAG;

	/* Find Information Response Type		/* Find Information Response Type
	*/		*/
	@@ -492,7 +493,8 @@ extern uint8_t gatt_build_uuid_to_stream_len(const bluetooth::Uuid& uuid);
	extern uint8_t gatt_build_uuid_to_stream(uint8_t** p_dst,		extern uint8_t gatt_build_uuid_to_stream(uint8_t** p_dst,
	const bluetooth::Uuid& uuid);		const bluetooth::Uuid& uuid);
	extern void gatt_sr_get_sec_info(const RawAddress& rem_bda,		extern void gatt_sr_get_sec_info(const RawAddress& rem_bda,
	tBT_TRANSPORT transport, uint8_t* p_sec_flag,		tBT_TRANSPORT transport,
			tGATT_SEC_FLAG* p_sec_flag,
	uint8_t* p_key_size);		uint8_t* p_key_size);
	extern void gatt_start_rsp_timer(tGATT_CLCB* p_clcb);		extern void gatt_start_rsp_timer(tGATT_CLCB* p_clcb);
	extern void gatt_stop_rsp_timer(tGATT_CLCB* p_clcb);		extern void gatt_stop_rsp_timer(tGATT_CLCB* p_clcb);

system/stack/gatt/gatt_sr.cc

+8 −4

Original line number	Original line	Diff line number	Diff line
	@@ -405,7 +405,8 @@ void gatt_process_read_multi_req(tGATT_TCB& tcb, uint16_t cid, uint8_t op_code,
	uint16_t handle = 0, ll = len;		uint16_t handle = 0, ll = len;
	uint8_t* p = p_data;		uint8_t* p = p_data;
	tGATT_STATUS err = GATT_SUCCESS;		tGATT_STATUS err = GATT_SUCCESS;
	uint8_t sec_flag, key_size;		tGATT_SEC_FLAG sec_flag;
			uint8_t key_size;

	VLOG(1) << __func__;		VLOG(1) << __func__;

	@@ -888,7 +889,8 @@ static void gatts_process_read_by_type_req(tGATT_TCB& tcb, uint16_t cid,
	reason = GATT_NOT_FOUND;		reason = GATT_NOT_FOUND;
	for (tGATT_SRV_LIST_ELEM& el : *gatt_cb.srv_list_info) {		for (tGATT_SRV_LIST_ELEM& el : *gatt_cb.srv_list_info) {
	if (el.s_hdl <= e_hdl && el.e_hdl >= s_hdl) {		if (el.s_hdl <= e_hdl && el.e_hdl >= s_hdl) {
	uint8_t sec_flag, key_size;		tGATT_SEC_FLAG sec_flag;
			uint8_t key_size;
	gatt_sr_get_sec_info(tcb.peer_bda, tcb.transport, &sec_flag, &key_size);		gatt_sr_get_sec_info(tcb.peer_bda, tcb.transport, &sec_flag, &key_size);

	tGATT_STATUS ret = gatts_db_read_attr_value_by_type(		tGATT_STATUS ret = gatts_db_read_attr_value_by_type(
	@@ -933,7 +935,8 @@ static void gatts_process_write_req(tGATT_TCB& tcb, uint16_t cid,
	tGATTS_DATA sr_data;		tGATTS_DATA sr_data;
	uint32_t trans_id;		uint32_t trans_id;
	tGATT_STATUS status;		tGATT_STATUS status;
	uint8_t sec_flag, key_size, *p = p_data;		tGATT_SEC_FLAG sec_flag;
			uint8_t key_size, *p = p_data;
	uint16_t conn_id;		uint16_t conn_id;

	memset(&sr_data, 0, sizeof(tGATTS_DATA));		memset(&sr_data, 0, sizeof(tGATTS_DATA));
	@@ -1042,7 +1045,8 @@ static void gatts_process_read_req(tGATT_TCB& tcb, uint16_t cid,
	p_msg->len = 1;		p_msg->len = 1;
	buf_len = payload_size - 1;		buf_len = payload_size - 1;

	uint8_t sec_flag, key_size;		tGATT_SEC_FLAG sec_flag;
			uint8_t key_size;
	gatt_sr_get_sec_info(tcb.peer_bda, tcb.transport, &sec_flag, &key_size);		gatt_sr_get_sec_info(tcb.peer_bda, tcb.transport, &sec_flag, &key_size);

	uint16_t value_len = 0;		uint16_t value_len = 0;

system/stack/gatt/gatt_utils.cc

+6 −8

Original line number	Original line	Diff line number	Diff line
	@@ -753,16 +753,14 @@ std::list<tGATT_SRV_LIST_ELEM>::iterator gatt_sr_find_i_rcb_by_handle(
	*		*
	******************************************************************************/		******************************************************************************/
	void gatt_sr_get_sec_info(const RawAddress& rem_bda, tBT_TRANSPORT transport,		void gatt_sr_get_sec_info(const RawAddress& rem_bda, tBT_TRANSPORT transport,
	uint8_t* p_sec_flag, uint8_t* p_key_size) {		tGATT_SEC_FLAG* p_sec_flag, uint8_t* p_key_size) {
	uint8_t sec_flag = 0;		tGATT_SEC_FLAG flags = {};
			flags.is_link_key_known = BTM_IsLinkKeyKnown(rem_bda, transport);
	BTM_GetSecurityFlagsByTransport(rem_bda, &sec_flag, transport);		flags.is_link_key_authed = BTM_IsLinkKeyAuthed(rem_bda, transport);
			flags.is_encrypted = BTM_IsEncrypted(rem_bda, transport);
	sec_flag &= (GATT_SEC_FLAG_LKEY_UNAUTHED \| GATT_SEC_FLAG_LKEY_AUTHED \|
	GATT_SEC_FLAG_ENCRYPTED);

	*p_key_size = btm_ble_read_sec_key_size(rem_bda);		*p_key_size = btm_ble_read_sec_key_size(rem_bda);
	*p_sec_flag = sec_flag;		*p_sec_flag = flags;
	}		}
	/*******************************************************************************		/*******************************************************************************
	*		*