Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a8c0d175 authored by Brian Delwiche's avatar Brian Delwiche Committed by Automerger Merge Worker
Browse files

Merge "Fix an authentication bypass bug in SMP" into tm-dev am: 4e5be429 am:... 

Merge "Fix an authentication bypass bug in SMP" into tm-dev am: 4e5be429 am: d9fdb879 am: bb3648f0 am: 43a77861

Original change: https://googleplex-android-review.googlesource.com/c/platform/packages/modules/Bluetooth/+/27059478



Change-Id: Ia510785cd66aa953f08bbda3ad665f72d07a38d4
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents c7bc09df 43a77861

system/stack/smp/smp_act.cc

+12 −0
Original line number Original line Diff line number Diff line
@@ -315,6 +315,7 @@ void smp_send_pair_rsp(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 
void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {

void smp_send_confirm(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) {

  SMP_TRACE_DEBUG("%s", __func__);

  SMP_TRACE_DEBUG("%s", __func__);

  smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);

  smp_send_cmd(SMP_OPCODE_CONFIRM, p_cb);

  p_cb->flags |= SMP_PAIR_FLAGS_CMD_CONFIRM_SENT;

}

}





/*******************************************************************************

/*******************************************************************************
@@ -689,6 +690,17 @@ void smp_proc_init(tSMP_CB* p_cb, tSMP_INT_DATA* p_data) { 
    return;

    return;

  }

  }





  if (!((p_cb->loc_auth_req & SMP_SC_SUPPORT_BIT) &&

        (p_cb->peer_auth_req & SMP_SC_SUPPORT_BIT)) &&

      !(p_cb->flags & SMP_PAIR_FLAGS_CMD_CONFIRM_SENT)) {

    // in legacy pairing, the peer should send its rand after

    // we send our confirm

    tSMP_INT_DATA smp_int_data{};

    smp_int_data.status = SMP_INVALID_PARAMETERS;

    smp_sm_event(p_cb, SMP_AUTH_CMPL_EVT, &smp_int_data);

    return;

  }



  /* save the SRand for comparison */

  /* save the SRand for comparison */

  STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);

  STREAM_TO_ARRAY(p_cb->rrand.data(), p, OCTET16_LEN);

}

}

system/stack/smp/smp_int.h

+1 −0
Original line number Original line Diff line number Diff line
@@ -222,6 +222,7 @@ typedef union { 
  (1 << 7) /* used to resolve race condition */

  (1 << 7) /* used to resolve race condition */

#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \

#define SMP_PAIR_FLAG_HAVE_LOCAL_PUBL_KEY \

  (1 << 8) /* used on peripheral to resolve race condition */

  (1 << 8) /* used on peripheral to resolve race condition */

#define SMP_PAIR_FLAGS_CMD_CONFIRM_SENT (1 << 9)





/* check if authentication requirement need MITM protection */

/* check if authentication requirement need MITM protection */

#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)

#define SMP_NO_MITM_REQUIRED(x) (((x)&SMP_AUTH_YN_BIT) == 0)