Bluedroid: Authentication fixes in Legacy and Secure Connection.

Prevent a remote device from doing a Bluetooth Impersonation Attack (BIAS) by: - Preventing remote device to downgrade secure connection feature mask. Secure connection feature mask should remain same or increase to enabled in link key generation and authentication. - Doing a mutual authentication during Legacy Authentication. Signed-off-by: Chinmay Chhajed <chinmay.chhajed@espressif.com>
2025-10-02 11:44:52 +00:00 · 2020-04-28 15:54:31 +05:30
parent 26272af3b4
commit e3350e7861
16 changed files with 271 additions and 50 deletions
--- a/components/bt/host/bluedroid/stack/include/stack/btm_api.h
+++ b/components/bt/host/bluedroid/stack/include/stack/btm_api.h
@@ -844,14 +844,15 @@ typedef UINT16 tBTM_BL_EVENT_MASK;

 /* the data type associated with BTM_BL_CONN_EVT */
 typedef struct {
-    tBTM_BL_EVENT   event;      /* The event reported. */
-    BD_ADDR_PTR     p_bda;      /* The address of the newly connected device */
-    DEV_CLASS_PTR   p_dc;       /* The device class */
-    BD_NAME_PTR     p_bdn;      /* The device name */
-    UINT8          *p_features; /* pointer to the remote device's features page[0] (supported features page) */
+    tBTM_BL_EVENT   event;          /* The event reported. */
+    BD_ADDR_PTR     p_bda;          /* The address of the newly connected device */
+    DEV_CLASS_PTR   p_dc;           /* The device class */
+    BD_NAME_PTR     p_bdn;          /* The device name */
+    UINT8          *p_features;     /* pointer to the remote device's features page[0] (supported features page) */
+    BOOLEAN         sc_downgrade;   /* Secure connection downgrade state. */
 #if BLE_INCLUDED == TRUE
-    UINT16          handle;     /* connection handle */
-    tBT_TRANSPORT   transport; /* link is LE or not */
+    UINT16          handle;         /* connection handle */
+    tBT_TRANSPORT   transport;      /* link is LE or not */
 #endif
 } tBTM_BL_CONN_DATA;

@@ -1372,7 +1373,7 @@ typedef UINT8 (tBTM_PIN_CALLBACK) (BD_ADDR bd_addr, DEV_CLASS dev_class,
 */
 typedef UINT8 (tBTM_LINK_KEY_CALLBACK) (BD_ADDR bd_addr, DEV_CLASS dev_class,
                                        tBTM_BD_NAME bd_name, UINT8 *key,
-                                        UINT8 key_type);
+                                        UINT8 key_type, BOOLEAN sc_support);


 /* Remote Name Resolved.  Parameters are
@@ -3426,7 +3427,8 @@ UINT8 BTM_SecClrService (UINT8 service_id);
 BOOLEAN BTM_SecAddDevice (BD_ADDR bd_addr, DEV_CLASS dev_class,
                          BD_NAME bd_name, UINT8 *features,
                          UINT32 trusted_mask[], LINK_KEY link_key,
-                          UINT8 key_type, tBTM_IO_CAP io_cap, UINT8 pin_length);
+                          UINT8 key_type, tBTM_IO_CAP io_cap, UINT8 pin_length,
+                          UINT8 sc_support);


 /*******************************************************************************