Port Cordio SMP control block improvements from Packetcraft

LDong-Arm · LDong-Arm · commit 421becce8d51 · 2020-04-22T10:58:05.000+01:00
This change is provided by Packetcraft (which maintains the Cordio BLE stack) to address possible Sweyntooth vulnerabilities. (cherry picked from commit 0402fe4)
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smp_main.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smp_main.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -233,6 +234,7 @@ static void smpDmConnCback(dmEvt_t *pDmEvt)
     pCcb->attempts = SmpDbGetFailureCount((dmConnId_t) pDmEvt->hdr.param);
     pCcb->lastSentKey = 0;
     pCcb->state = 0;
+    pCcb->keyReady = FALSE;
 
     /* Resume the attempts state if necessary */
     smpResumeAttemptsState((dmConnId_t) pDmEvt->hdr.param);
@@ -710,6 +712,11 @@ uint8_t *SmpDmGetStk(dmConnId_t connId, uint8_t *pSecLevel)
   /* get connection control block */
   pCcb = smpCcbByConnId(connId);
 
+  if ((pCcb == NULL) || (pCcb->keyReady == FALSE))
+  {
+    return NULL;
+  }
+
   if (smpCb.lescSupported && pCcb->pScCcb->lescEnabled && (pCcb->pScCcb->pLtk != NULL))
   {
     /* set security level */
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smp_main.h b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smp_main.h
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -314,6 +315,7 @@ typedef struct
   uint8_t         token;                          /* AES transaction token */
   uint8_t         attempts;                       /* Failed pairing attempts */
   uint8_t         lastSentKey;                    /* Command code of last sent key */
+  bool_t          keyReady;                       /* Encryption key is ready */
   smpScCcb_t      *pScCcb;                        /* LE Secure Connection control blocks */
 } smpCcb_t;
 
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpi_act.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpi_act.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -269,6 +270,7 @@ void smpiActStkEncrypt(smpCcb_t *pCcb, smpMsg_t *pMsg)
   /* adjust key based on max key length */
   memcpy(buf, pMsg->aes.pCiphertext, encKeyLen);
   memset((buf + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
+  pCcb->keyReady = TRUE;
 
   secLevel = (pCcb->auth & SMP_AUTH_MITM_FLAG) ? DM_SEC_LEVEL_ENC_AUTH : DM_SEC_LEVEL_ENC;
   DmSmpEncryptReq(pCcb->connId, secLevel, buf);
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpi_sc_act.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpi_sc_act.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -463,6 +464,7 @@ void smpiScActDHKeyCheckVerify(smpCcb_t *pCcb, smpMsg_t *pMsg)
     /* Adjust key based on max key length */
     memcpy(buf, pCcb->pScCcb->pLtk->ltk_t, encKeyLen);
     memset((buf + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
+    pCcb->keyReady = TRUE;
 
     /* Initiate encryption */
     DmSmpEncryptReq(pCcb->connId, smpGetScSecLevel(pCcb), buf);
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpr_act.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpr_act.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -284,6 +285,7 @@ void smprActSendPairRandom(smpCcb_t *pCcb, smpMsg_t *pMsg)
   /* store STK and adjust based on max key length */
   memcpy(pCcb->pScr->buf.b3, pMsg->aes.pCiphertext, encKeyLen);
   memset((pCcb->pScr->buf.b3 + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
+  pCcb->keyReady = TRUE;
 
   /* start smp response timer */
   smpStartRspTimer(pCcb);
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpr_sc_act.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smpr_sc_act.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -524,6 +525,7 @@ void smprScActDHKeyCheckSend(smpCcb_t *pCcb, smpMsg_t *pMsg)
                           pCcb->pairReq[SMP_MAXKEY_POS] : pCcb->pairRsp[SMP_MAXKEY_POS];
 
     memset((pCcb->pScCcb->pLtk->ltk_t + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
+    pCcb->keyReady = TRUE;
 
     /* Send the DH Key check Eb to the initiator */
     smpScSendDHKeyCheck(pCcb, pMsg, pCcb->pScCcb->pScratch->Nb_Eb);
