Bluedroid: Authentication fixes in Legacy and Secure Connection.

Prevent a remote device from doing a Bluetooth Impersonation Attack
(BIAS) by:

- Preventing remote device to downgrade secure connection
feature mask. Secure connection feature mask should remain same or
increase to enabled in link key generation and authentication.

- Doing a mutual authentication during Legacy Authentication.

Signed-off-by: Chinmay Chhajed <[email protected]>

Author: chhajedji

components/bt/Kconfig

@@ -92,6 +92,19 @@ menu "Bluetooth"
             default BTDM_CTRL_AUTO_LATENCY if BTDM_CTRL_MODE_BTDM
             default n
 
+        config BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT
+            bool "Legacy Authentication Vendor Specific Event Enable"
+            depends on BTDM_CTRL_MODE_BR_EDR_ONLY || BTDM_CTRL_MODE_BTDM
+            default y
+            help
+                To protect from BIAS attack during Legacy authentication,
+                Legacy authentication Vendor specific event should be enabled
+
+        config BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT_EFF
+            bool
+            default BTDM_CTRL_LEGACY_AUTH_VENDOR_EVT if BTDM_CTRL_MODE_BR_EDR_ONLY || BTDM_CTRL_MODE_BTDM
+            default 0
+
 
         config BTDM_CTRL_BLE_MAX_CONN_EFF
             int

components/bt/controller/lib

@@ -63,7 +63,7 @@ static UINT8 bta_dm_authorize_cback (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NA
 #if (CLASSIC_BT_INCLUDED == TRUE)
 static UINT8 bta_dm_pin_cback (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, BOOLEAN min_16_digit);
 #endif /// CLASSIC_BT_INCLUDED == TRUE
-static UINT8 bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, LINK_KEY key, UINT8 key_type);
+static UINT8 bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, LINK_KEY key, UINT8 key_type, BOOLEAN sc_support);
 static UINT8 bta_dm_authentication_complete_cback(BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_name, int result);
 #endif  ///SMP_INCLUDED == TRUE
 static void bta_dm_local_name_cback(BD_ADDR bd_addr);
@@ -1063,7 +1063,7 @@ void bta_dm_add_device (tBTA_DM_MSG *p_data)
 
     if (!BTM_SecAddDevice (p_dev->bd_addr, p_dc, p_dev->bd_name, p_dev->features,
                            trusted_services_mask, p_lc, p_dev->key_type, p_dev->io_cap,
-                           p_dev->pin_length)) {
+                           p_dev->pin_length, p_dev->sc_support)) {
         APPL_TRACE_ERROR ("BTA_DM: Error adding device %08x%04x",
                           (p_dev->bd_addr[0] << 24) + (p_dev->bd_addr[1] << 16) + (p_dev->bd_addr[2] << 8) + p_dev->bd_addr[3],
                           (p_dev->bd_addr[4] << 8) + p_dev->bd_addr[5]);
@@ -2988,7 +2988,8 @@ static UINT8 bta_dm_pin_cback (BD_ADDR bd_addr, DEV_CLASS dev_class, BD_NAME bd_
 **
 *******************************************************************************/
 static UINT8  bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
-                                        BD_NAME bd_name, LINK_KEY key, UINT8 key_type)
+                                        BD_NAME bd_name, LINK_KEY key, UINT8 key_type,
+                                        BOOLEAN sc_support)
 {
     tBTA_DM_SEC sec_event;
     tBTA_DM_AUTH_CMPL *p_auth_cmpl;
@@ -3010,6 +3011,7 @@ static UINT8  bta_dm_new_link_key_cback(BD_ADDR bd_addr, DEV_CLASS dev_class,
         p_auth_cmpl->key_present = TRUE;
         p_auth_cmpl->key_type = key_type;
         p_auth_cmpl->success = TRUE;
+        p_auth_cmpl->sc_support = sc_support;
 
         memcpy(p_auth_cmpl->key, key, LINK_KEY_LEN);
         sec_event.auth_cmpl.fail_reason = HCI_SUCCESS;
@@ -3287,6 +3289,7 @@ static void bta_dm_bl_change_cback (tBTM_BL_EVENT_DATA *p_data)
 
         switch (p_msg->event) {
         case BTM_BL_CONN_EVT:
+            p_msg->sc_downgrade = p_data->conn.sc_downgrade;
             p_msg->is_new = TRUE;
             bdcpy(p_msg->bd_addr, p_data->conn.p_bda);
 #if BLE_INCLUDED == TRUE
@@ -3513,6 +3516,7 @@ void bta_dm_acl_change(tBTA_DM_MSG *p_data)
         APPL_TRACE_DEBUG("%s info: 0x%x", __func__, bta_dm_cb.device_list.peer_device[i].info);
 
         if (bta_dm_cb.p_sec_cback) {
+            conn.link_up.sc_downgrade = p_data->acl_change.sc_downgrade;
             bta_dm_cb.p_sec_cback(BTA_DM_LINK_UP_EVT, (tBTA_DM_SEC *)&conn);
         }
     } else {

components/bt/host/bluedroid/bta/dm/bta_dm_act.c

@@ -733,7 +733,8 @@ void BTA_DmPasskeyReqReply(BOOLEAN accept, BD_ADDR bd_addr, UINT32 passkey)
 *******************************************************************************/
 void BTA_DmAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class, LINK_KEY link_key,
                      tBTA_SERVICE_MASK trusted_mask, BOOLEAN is_trusted,
-                     UINT8 key_type, tBTA_IO_CAP io_cap, UINT8 pin_length)
+                     UINT8 key_type, tBTA_IO_CAP io_cap, UINT8 pin_length,
+                     UINT8 sc_support)
 {
 
     tBTA_DM_API_ADD_DEVICE *p_msg;
@@ -746,6 +747,7 @@ void BTA_DmAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class, LINK_KEY link_key,
         p_msg->tm = trusted_mask;
         p_msg->is_trusted = is_trusted;
         p_msg->io_cap = io_cap;
+        p_msg->sc_support = sc_support;
 
         if (link_key) {
             p_msg->link_key_known = TRUE;

components/bt/host/bluedroid/bta/dm/bta_dm_api.c

@@ -433,6 +433,7 @@ typedef struct {
     UINT8           new_role;
     BD_ADDR         bd_addr;
     UINT8           hci_status;
+    BOOLEAN         sc_downgrade;
 #if BLE_INCLUDED == TRUE
     UINT16          handle;
 #endif
@@ -474,6 +475,7 @@ typedef struct {
     BD_NAME             bd_name;
     UINT8               features[BTA_FEATURE_BYTES_PER_PAGE * (BTA_EXT_FEATURES_PAGE_MAX + 1)];
     UINT8               pin_length;
+    UINT8               sc_support;
 } tBTA_DM_API_ADD_DEVICE;
 
 /* data type for BTA_DM_API_REMOVE_ACL_EVT */

components/bt/host/bluedroid/bta/dm/include/bta_dm_int.h

@@ -784,6 +784,7 @@ typedef struct {
     tBLE_ADDR_TYPE  addr_type;          /* Peer device address type */
     tBT_DEVICE_TYPE dev_type;
     UINT8           auth_mode;
+    BOOLEAN           sc_support;         /* Denotes if peer device supported secure connection while bonding. */
 } tBTA_DM_AUTH_CMPL;
 
 
@@ -799,6 +800,7 @@ typedef struct {
 
 /* Structure associated with BTA_DM_LINK_UP_EVT */
 typedef struct {
+    BOOLEAN         sc_downgrade;       /* Security downgrade state. */
     BD_ADDR         bd_addr;            /* BD address peer device. */
 #if BLE_INCLUDED == TRUE
     tBTA_TRANSPORT  link_type;
@@ -1757,7 +1759,8 @@ extern void BTA_DmPasskeyReqReply(BOOLEAN accept, BD_ADDR bd_addr, UINT32 passke
 extern void BTA_DmAddDevice(BD_ADDR bd_addr, DEV_CLASS dev_class,
                             LINK_KEY link_key, tBTA_SERVICE_MASK trusted_mask,
                             BOOLEAN is_trusted, UINT8 key_type,
-                            tBTA_IO_CAP io_cap, UINT8 pin_length);
+                            tBTA_IO_CAP io_cap, UINT8 pin_length,
+                            UINT8 sc_support);
 
 /*******************************************************************************
 **

components/bt/host/bluedroid/bta/include/bta/bta_api.h

@@ -303,6 +303,27 @@ static void btc_dm_ble_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
 #endif  ///BLE_INCLUDED == TRUE
 #endif ///SMP_INCLUDED == TRUE
 
+static void btc_dm_link_up_evt(tBTA_DM_LINK_UP *p_link_up)
+{
+    BD_ADDR bd_addr;
+    bt_bdaddr_t bt_bdaddr;
+
+    memcpy(bd_addr, p_link_up->bd_addr, sizeof(BD_ADDR));
+    memcpy(bt_bdaddr.address, p_link_up->bd_addr, sizeof(BD_ADDR));
+
+    if (p_link_up->sc_downgrade == 1) {
+        if (btc_storage_remove_bonded_device(&bt_bdaddr) == BT_STATUS_SUCCESS) {
+            if (BTA_DmRemoveDevice(bd_addr, BT_TRANSPORT_BR_EDR) == BTA_SUCCESS) {
+                BTC_TRACE_EVENT(" %s() Bonding information removed.", __FUNCTION__);
+            } else {
+                BTC_TRACE_ERROR(" %s() BTA_DmRemoveDevice error", __FUNCTION__);
+            }
+        } else {
+            BTC_TRACE_ERROR(" %s() btc_storage_remove_bonded_device error", __FUNCTION__);
+        }
+    }
+}
+
 static void btc_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
 {
     /* Save link key, if not temporary */
@@ -326,7 +347,7 @@ static void btc_dm_auth_cmpl_evt (tBTA_DM_AUTH_CMPL *p_auth_cmpl)
                           __FUNCTION__, p_auth_cmpl->key_type);
                 ret = btc_storage_add_bonded_device(&bd_addr,
                                                     p_auth_cmpl->key, p_auth_cmpl->key_type,
-                                                    16);
+                                                    16, p_auth_cmpl->sc_support);
                 BTC_ASSERTC(ret == BT_STATUS_SUCCESS, "storing link key failed", ret);
             } else {
                 BTC_TRACE_DEBUG("%s: Temporary key. Not storing. key_type=0x%x",
@@ -678,6 +699,7 @@ void btc_dm_sec_cb_handler(btc_msg_t *msg)
         }
 #endif /* BTC_GAP_BT_INCLUDED  == TRUE */
     case BTA_DM_LINK_UP_EVT:
+        btc_dm_link_up_evt(&p_data->link_up);
     case BTA_DM_LINK_DOWN_EVT:
     case BTA_DM_HW_ERROR_EVT:
         BTC_TRACE_DEBUG( "btc_dm_sec_cback : unhandled event (%d)\n", msg->act );

components/bt/host/bluedroid/btc/core/btc_dm.c

@@ -37,7 +37,8 @@
 bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
         LINK_KEY link_key,
         uint8_t key_type,
-        uint8_t pin_length)
+        uint8_t pin_length,
+        BOOLEAN sc_support)
 {
     bdstr_t bdstr;
 
@@ -48,6 +49,7 @@ bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
     int ret = btc_config_set_int(bdstr, BTC_STORAGE_LINK_KEY_TYPE_STR, (int)key_type);
     ret &= btc_config_set_int(bdstr, BTC_STORAGE_PIN_LENGTH_STR, (int)pin_length);
     ret &= btc_config_set_bin(bdstr, BTC_STORAGE_LINK_KEY_STR, link_key, sizeof(LINK_KEY));
+    ret &= btc_config_set_bin(bdstr, BTC_STORAGE_SC_SUPPORT, (uint8_t *)&sc_support, sizeof(sc_support));
     /* write bonded info immediately */
     btc_config_flush();
     btc_config_unlock();
@@ -69,6 +71,7 @@ bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
 static bt_status_t btc_in_fetch_bonded_devices(int add)
 {
     BOOLEAN bt_linkkey_file_found = FALSE;
+    UINT8 sc_support = 0;
 
     btc_config_lock();
     for (const btc_config_section_iter_t *iter = btc_config_section_begin(); iter != btc_config_section_end(); iter = btc_config_section_next(iter)) {
@@ -93,9 +96,11 @@ static bt_status_t btc_in_fetch_bonded_devices(int add)
                         uint2devclass((UINT32)cod, dev_class);
                     }
                     btc_config_get_int(name, BTC_STORAGE_PIN_LENGTH_STR, &pin_length);
+                    size = sizeof(sc_support);
+                    btc_config_get_bin(name, BTC_STORAGE_SC_SUPPORT, &sc_support, &size);
 #if (SMP_INCLUDED == TRUE)
                     BTA_DmAddDevice(bd_addr.address, dev_class, link_key, 0, 0,
-                                    (UINT8)linkkey_type, 0, pin_length);
+                                    (UINT8)linkkey_type, 0, pin_length, (UINT8)sc_support);
 #endif  ///SMP_INCLUDED == TRUE
                 }
                 bt_linkkey_file_found = TRUE;
@@ -160,6 +165,9 @@ bt_status_t btc_storage_remove_bonded_device(bt_bdaddr_t *remote_bd_addr)
     if (btc_config_exist(bdstr, BTC_STORAGE_LINK_KEY_STR)) {
         ret &= btc_config_remove(bdstr, BTC_STORAGE_LINK_KEY_STR);
     }
+    if (btc_config_exist(bdstr, BTC_STORAGE_SC_SUPPORT)) {
+        ret &= btc_config_remove(bdstr, BTC_STORAGE_SC_SUPPORT);
+    }
     /* write bonded info immediately */
     btc_config_flush();
     btc_config_unlock();
@@ -187,6 +195,7 @@ int btc_storage_get_num_bt_bond_devices(void)
         if (string_is_bdaddr(name) &&
             btc_config_exist(name, BTC_STORAGE_LINK_KEY_TYPE_STR) &&
             btc_config_exist(name, BTC_STORAGE_PIN_LENGTH_STR) &&
+            btc_config_exist(name, BTC_STORAGE_SC_SUPPORT) &&
             btc_config_exist(name, BTC_STORAGE_LINK_KEY_STR)) {
             num_dev++;
         }
@@ -223,6 +232,7 @@ bt_status_t btc_storage_get_bonded_bt_devices_list(bt_bdaddr_t *bond_dev, int de
         if (string_is_bdaddr(name) &&
             btc_config_exist(name, BTC_STORAGE_LINK_KEY_TYPE_STR) &&
             btc_config_exist(name, BTC_STORAGE_PIN_LENGTH_STR) &&
+            btc_config_exist(name, BTC_STORAGE_SC_SUPPORT) &&
             btc_config_exist(name, BTC_STORAGE_LINK_KEY_STR)) {
             string_to_bdaddr(name, &bd_addr);
             memcpy(bond_dev, &bd_addr, sizeof(bt_bdaddr_t));
@@ -232,4 +242,4 @@ bt_status_t btc_storage_get_bonded_bt_devices_list(bt_bdaddr_t *bond_dev, int de
     btc_config_unlock();
 
     return BT_STATUS_SUCCESS;
-}
+}

components/bt/host/bluedroid/btc/core/btc_storage.c

@@ -25,6 +25,7 @@
 #define BTC_STORAGE_LINK_KEY_STR        "LinkKey"    /* same as the ble */
 #define BTC_STORAGE_LINK_KEY_TYPE_STR   "LinkKeyType"
 #define BTC_STORAGE_PIN_LENGTH_STR      "PinLength"
+#define BTC_STORAGE_SC_SUPPORT          "SCSupport"
 
 /*******************************************************************************
 **
@@ -40,7 +41,8 @@
 bt_status_t btc_storage_add_bonded_device(bt_bdaddr_t *remote_bd_addr,
         LINK_KEY link_key,
         uint8_t key_type,
-        uint8_t pin_length);
+        uint8_t pin_length,
+        BOOLEAN sc_support);
 
 /*******************************************************************************
 **