Port Cordio LE Secure Connections check from PacketCraft

LDong-Arm · LDong-Arm · commit 568c1f915f6e · 2020-04-22T10:58:27.000+01:00
This change is provided by Packetcraft (which maintains the Cordio BLE stack) to address possible Sweyntooth vulnerabilities. (cherry picked from commit c927773)
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/include/smp_api.h b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/include/smp_api.h
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -252,6 +253,17 @@ void SmpDmMsgSend(smpDmMsg_t *pMsg);
 /*************************************************************************************************/
 void SmpDmEncryptInd(wsfMsgHdr_t *pMsg);
 
+/*************************************************************************************************/
+/*!
+ *  \brief  Check if LE Secure Connections is enabled on the connection.
+ *
+ *  \param  connId    Connection identifier.
+ *
+ *  \return TRUE is Secure Connections is enabled, else FALSE
+ */
+/*************************************************************************************************/
+bool_t SmpDmLescEnabled(dmConnId_t connId);
+
 /*************************************************************************************************/
 /*!
  *  \brief  Return the STK for the given connection.
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/dm/dm_sec.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/dm/dm_sec.c
@@ -1,4 +1,5 @@
 /* Copyright (c) 2009-2019 Arm Limited
+ * Copyright (c) 2019-2020 Packetcraft, Inc.
  * SPDX-License-Identifier: Apache-2.0
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -117,6 +118,12 @@ void dmSecHciHandler(hciEvt_t *pEvent)
           return;
         }
       }
+      else if (SmpDmLescEnabled(pCcb->connId) == TRUE)
+      {
+        /* EDIV and Rand must be zero in LE Secure Connections */
+        HciLeLtkReqNegReplCmd(pEvent->hdr.param);
+        return;
+      }
 
       /* call callback to get key from app */
 
diff --git a/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smp_main.c b/features/FEATURE_BLE/targets/TARGET_CORDIO/stack/ble-host/sources/stack/smp/smp_main.c
@@ -695,6 +695,27 @@ uint8_t smpGetScSecLevel(smpCcb_t *pCcb)
   return secLevel;
 }
 
+/*************************************************************************************************/
+/*!
+ *  \brief  Check if LE Secure Connections is enabled on the connection.
+ *
+ *  \param  connId    Connection identifier.
+ *
+ *  \return TRUE is Secure Connections is enabled, else FALSE
+ */
+/*************************************************************************************************/
+bool_t SmpDmLescEnabled(dmConnId_t connId)
+{
+  smpCcb_t *pCcb = smpCcbByConnId(connId);
+
+  if (pCcb == NULL || pCcb->pScCcb == NULL)
+  {
+    return FALSE;
+  }
+
+  return pCcb->pScCcb->lescEnabled;
+}
+
 /*************************************************************************************************/
 /*!
  *  \brief  Return the STK for the given connection.

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`/* Copyright (c) 2009-2019 Arm Limited`
	`2`	`+ * Copyright (c) 2019-2020 Packetcraft, Inc.`
`2`	`3`	`* SPDX-License-Identifier: Apache-2.0`
`3`	`4`	`*`
`4`	`5`	`* Licensed under the Apache License, Version 2.0 (the "License");`
`@@ -117,6 +118,12 @@ void dmSecHciHandler(hciEvt_t *pEvent)`
`117`	`118`	`return;`
`118`	`119`	`}`
`119`	`120`	`}`
	`121`	`+ else if (SmpDmLescEnabled(pCcb->connId) == TRUE)`
	`122`	`+ {`
	`123`	`+ /* EDIV and Rand must be zero in LE Secure Connections */`
	`124`	`+ HciLeLtkReqNegReplCmd(pEvent->hdr.param);`
	`125`	`+ return;`
	`126`	`+ }`
`120`	`127`
`121`	`128`	`/* call callback to get key from app */`
`122`	`129`