
Commit fb76b30e authored by Brian Delwiche, committed by Android Build Coastguard Worker

Fix timing attack in BTM_BleVerifySignature

BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.

Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.

Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
(cherry picked from commit 7a960ac1)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d011f54d04e7ff732d4dc467079574b4e1c7b72d)
Merged-In: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2
parent 423c0285
+2 −1
@@ -35,6 +35,7 @@
#include "main/shim/btm_api.h"
#include "main/shim/l2c_api.h"
#include "main/shim/shim.h"
#include "openssl/mem.h"
#include "osi/include/allocator.h"
#include "osi/include/properties.h"
#include "stack/btm/btm_dev.h"
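Review bot: The added include "openssl/mem.h" is written with quotes and sorted in among the project-local main/shim and osi headers; since it names a crypto library header rather than a header of this module, consider #include <openssl/mem.h> alongside the file's other library includes so the dependency stands out. The change touches only this file (+2 −1), so also confirm that the build target already links the library providing CRYPTO_memcmp.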
@@ -1988,7 +1989,7 @@ bool BTM_BleVerifySignature(const RawAddress& bd_addr, uint8_t* p_orig,

    crypto_toolbox::aes_cmac(p_rec->ble.keys.pcsrk, p_orig, len,
                             BTM_CMAC_TLEN_SIZE, p_mac);
    if (memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
    if (CRYPTO_memcmp(p_mac, p_comp, BTM_CMAC_TLEN_SIZE) == 0) {
      btm_ble_increment_sign_ctr(bd_addr, false);
      verified = true;
    }
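Review bot: The CRYPTO_memcmp call carries no comment saying why a constant-time comparison is needed here, so a later cleanup could swap it back to memcmp without noticing the regression; a one-line comment above the if would help, for example "// Constant-time compare of the CMAC; do not replace with memcmp." Testing the result only against zero is the right usage, since CRYPTO_memcmp reports equal versus not equal and gives no ordering. The visible lines show p_mac being filled with BTM_CMAC_TLEN_SIZE bytes by aes_cmac but show no check that p_comp holds at least that many bytes, so it is worth confirming that the caller guarantees it.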