diff options
| author | Hui Peng <phui@google.com> | 2023-09-02 04:20:10 +0000 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-10-11 22:47:50 +0000 |
| commit | 5a770730bda686816f1905cd0ff3b1b33287992e (patch) | |
| tree | ab11a8445329664082a5b29a3f8bffc6693a6d74 | |
| parent | 9b80a6e7a92e3f8db825e91951408440d31ddbfe (diff) | |
| download | bt-5a770730bda686816f1905cd0ff3b1b33287992e.tar.gz | |
Reject access to secure service authenticated from a temp bonding [1]
Rejecct access to services running on l2cap
Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:a36757e967ab6d956127cac298134f28ce8f0d6d)
Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
| -rw-r--r-- | stack/btm/btm_sec.cc | 38 |
1 files changed, 34 insertions, 4 deletions
diff --git a/stack/btm/btm_sec.cc b/stack/btm/btm_sec.cc index ec120f68b..759615c6d 100644 --- a/stack/btm/btm_sec.cc +++ b/stack/btm/btm_sec.cc @@ -106,7 +106,7 @@ static bool btm_sec_set_security_level(CONNECTION_TYPE conn_type, uint32_t mx_proto_id, uint32_t mx_chan_id); -static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec); +static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec); static bool btm_dev_encrypted(tBTM_SEC_DEV_REC* p_dev_rec); static bool btm_dev_authorized(tBTM_SEC_DEV_REC* p_dev_rec); static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, @@ -148,7 +148,7 @@ static const bool btm_sec_io_map[BTM_IO_CAP_MAX][BTM_IO_CAP_MAX] = { * Returns bool true or false * ******************************************************************************/ -static bool btm_dev_authenticated(tBTM_SEC_DEV_REC* p_dev_rec) { +static bool btm_dev_authenticated(const tBTM_SEC_DEV_REC* p_dev_rec) { if (p_dev_rec->sec_flags & BTM_SEC_AUTHENTICATED) { return (true); } @@ -224,6 +224,25 @@ static bool btm_serv_trusted(tBTM_SEC_DEV_REC* p_dev_rec, /******************************************************************************* * + * Function access_secure_service_from_temp_bond + * + * Description a utility function to test whether an access to + * secure service from temp bonding is happening + * + * Returns true if the aforementioned condition holds, + * false otherwise + * + ******************************************************************************/ +static bool access_secure_service_from_temp_bond(const tBTM_SEC_DEV_REC* p_dev_rec, + bool locally_initiated, + uint16_t security_req) { + return !locally_initiated && (security_req & BTM_SEC_IN_AUTHENTICATE) && + btm_dev_authenticated(p_dev_rec) && + p_dev_rec->bond_type == BOND_TYPE_TEMPORARY; +} + +/******************************************************************************* + * * Function BTM_SecRegister * * Description Application manager calls this function to register for @@ -1863,9 +1882,13 @@ tBTM_STATUS btm_sec_l2cap_access_req(const RawAddress& bd_addr, uint16_t psm, } if (rc == BTM_SUCCESS) { + if (access_secure_service_from_temp_bond(p_dev_rec, is_originator, security_required)) { + LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); + rc = BTM_FAILED_ON_SECURITY; + } if (p_callback) - (*p_callback)(&bd_addr, transport, (void*)p_ref_data, BTM_SUCCESS); - return (BTM_SUCCESS); + (*p_callback)(&bd_addr, transport, (void*)p_ref_data, rc); + return (rc); } } @@ -4930,6 +4953,13 @@ tBTM_STATUS btm_sec_execute_procedure(tBTM_SEC_DEV_REC* p_dev_rec) { } } + if (access_secure_service_from_temp_bond(p_dev_rec, + p_dev_rec->is_originator, + p_dev_rec->security_required)) { + LOG_ERROR(LOG_TAG, "Trying to access a secure service from a temp bonding, rejecting"); + return (BTM_FAILED_ON_SECURITY); + } + /* All required security procedures already established */ p_dev_rec->security_required &= ~(BTM_SEC_OUT_AUTHORIZE | BTM_SEC_IN_AUTHORIZE | |