michaelh/zephyr
1
0
Fork 0
Code Releases Activity

bluetooth: host: Add workaround for USB HCI controllers

Browse source 
This commit adds a new option CONFIG_BT_SMP_USB_HCI_CTLR_WORKAROUND
to support USB HCI controllers that sometimes send out-of-order HCI
events and ACL Data due to using different USB endpoints.

Enabling this option will make the master role not require the
encryption-change event to be received before accepting
key-distribution data.

It opens up for a potential vulnerability as the master cannot detect
if the keys are distributed over an encrypted link.

Fixes: #22086

Signed-off-by: François Delawarde <fnde@oticon.com>
This commit is contained in:
François Delawarde 2020-01-30 08:23:00 +01:00 committed by Johan Hedberg
commit 9d2e34e9c8
2 changed files with 42 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
subsys/bluetooth/host/Kconfig
View file

@ -360,6 +360,19 @@ config BT_SMP_ALLOW_UNAUTH_OVERWRITE
to create a new bond the old bond has to be explicitly deleted with to create a new bond the old bond has to be explicitly deleted with
bt_unpair. bt_unpair.
config BT_SMP_USB_HCI_CTLR_WORKAROUND
bool "Workaround for USB HCI controller out-of-order events"
depends on BT_TESTING
help
This option enables support for USB HCI controllers that sometimes
send out-of-order HCI events and ACL Data due to using different USB
endpoints.
Enabling this option will make the master role not require the
encryption-change event to be received before accepting key-distribution
data.
It opens up for a potential vulnerability as the master cannot detect
if the keys are distributed over an encrypted link.
config BT_FIXED_PASSKEY config BT_FIXED_PASSKEY
bool "Use a fixed passkey for pairing" bool "Use a fixed passkey for pairing"
help help

29
subsys/bluetooth/host/smp.c
View file

@ -2358,6 +2358,19 @@ static u8_t legacy_pairing_random(struct bt_smp *smp)
atomic_set_bit(smp->flags, SMP_FLAG_ENC_PENDING); atomic_set_bit(smp->flags, SMP_FLAG_ENC_PENDING);
if (IS_ENABLED(CONFIG_BT_SMP_USB_HCI_CTLR_WORKAROUND)) {
if (smp->remote_dist & BT_SMP_DIST_ENC_KEY) {
atomic_set_bit(&smp->allowed_cmds,
BT_SMP_CMD_ENCRYPT_INFO);
} else if (smp->remote_dist & BT_SMP_DIST_ID_KEY) {
atomic_set_bit(&smp->allowed_cmds,
BT_SMP_CMD_IDENT_INFO);
} else if (smp->remote_dist & BT_SMP_DIST_SIGN) {
atomic_set_bit(&smp->allowed_cmds,
BT_SMP_CMD_SIGNING_INFO);
}
}
return 0; return 0;
} }
@ -4084,6 +4097,17 @@ static u8_t smp_dhkey_check(struct bt_smp *smp, struct net_buf *buf)
} }
atomic_set_bit(smp->flags, SMP_FLAG_ENC_PENDING); atomic_set_bit(smp->flags, SMP_FLAG_ENC_PENDING);
if (IS_ENABLED(CONFIG_BT_SMP_USB_HCI_CTLR_WORKAROUND)) {
if (smp->remote_dist & BT_SMP_DIST_ID_KEY) {
atomic_set_bit(&smp->allowed_cmds,
BT_SMP_CMD_IDENT_INFO);
} else if (smp->remote_dist & BT_SMP_DIST_SIGN) {
atomic_set_bit(&smp->allowed_cmds,
BT_SMP_CMD_SIGNING_INFO);
}
}
return 0; return 0;
} }
@ -5404,6 +5428,11 @@ int bt_smp_init(void)
return -ENOENT; return -ENOENT;
} }
if (IS_ENABLED(CONFIG_BT_SMP_USB_HCI_CTLR_WORKAROUND)) {
BT_WARN("BT_SMP_USB_HCI_CTLR_WORKAROUND is enabled, which "
"exposes a security vulnerability!");
}
BT_DBG("LE SC %s", sc_supported ? "enabled" : "disabled"); BT_DBG("LE SC %s", sc_supported ? "enabled" : "disabled");
bt_pub_key_gen(&pub_key_cb); bt_pub_key_gen(&pub_key_cb);