#include <alloca.h>
#include <assert.h>
#include <ctype.h>
+#include <log/log.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include "osi/include/allocator.h"
#include "osi/include/compat.h"
#include "osi/include/config.h"
+#include "osi/include/list.h"
#include "osi/include/log.h"
#include "osi/include/osi.h"
}
+/* Some devices hardcode sample LTK value from spec, instead of generating one.
+ * Treat such devices as insecure, and remove such bonds when bluetooth restarts.
+ * Removing them after disconnection is handled separately.
+ *
+ * We still allow such devices to bond in order to give the user a chance to update
+ * firmware.
+ */
+static void remove_devices_with_sample_ltk() {
+ list_t *bad_ltk = list_new(osi_free);
+
+ for (const btif_config_section_iter_t *iter = btif_config_section_begin(); iter != btif_config_section_end(); iter = btif_config_section_next(iter)) {
+ const char *name = btif_config_section_name(iter);
+ if (!string_is_bdaddr(name)) {
+ continue;
+ }
+
+ bt_bdaddr_t *bda = osi_malloc(sizeof(bt_bdaddr_t));
+ string_to_bdaddr(name, bda);
+
+ tBTA_LE_KEY_VALUE key;
+ memset(&key, 0, sizeof(key));
+
+ if (btif_storage_get_ble_bonding_key(bda, BTIF_DM_LE_KEY_PENC, (char*)&key, sizeof(tBTM_LE_PENC_KEYS)) ==
+ BT_STATUS_SUCCESS) {
+ if (is_sample_ltk(key.penc_key.ltk)) {
+ list_append(bad_ltk, (void*)bda);
+ }
+ }
+ }
+
+ for (list_node_t *sn = list_begin(bad_ltk); sn != list_end(bad_ltk); sn = list_next(sn)) {
+ android_errorWriteLog(0x534e4554, "128437297");
+ BTIF_TRACE_ERROR("%s: removing bond to device using test TLK", __func__);
+
+ bt_bdaddr_t *bda = (bt_bdaddr_t*)list_node(sn);
+ btif_storage_remove_bonded_device(bda);
+ }
+
+ list_free(bad_ltk);
+}
+
/*******************************************************************************
**
** Function btif_storage_load_bonded_devices
bt_uuid_t local_uuids[BT_MAX_NUM_UUIDS];
bt_uuid_t remote_uuids[BT_MAX_NUM_UUIDS];
+ remove_devices_with_sample_ltk();
+
btif_in_fetch_bonded_devices(&bonded_devices, 1);
/* Now send the adapter_properties_cb with all adapter_properties */
#define LOG_TAG "bt_btm_sec"
+#include <log/log.h>
#include <stdarg.h>
#include <string.h>
#include "gatt_int.h"
#endif
+#include "bta/sys/bta_sys.h"
+#include "bta/dm/bta_dm_int.h"
+
#define BTM_SEC_MAX_COLLISION_DELAY (5000)
extern fixed_queue_t *btu_general_alarm_queue;
| BTM_SEC_ROLE_SWITCHED | BTM_SEC_16_DIGIT_PIN_AUTHED);
}
+ /* Some devices hardcode sample LTK value from spec, instead of generating
+ * one. Treat such devices as insecure, and remove such bonds on
+ * disconnection.
+ */
+ if (is_sample_ltk(p_dev_rec->ble.keys.pltk)) {
+ android_errorWriteLog(0x534e4554, "128437297");
+ BTM_TRACE_ERROR("%s: removing bond to device that used sample LTK", __func__);
+
+ tBTA_DM_MSG p_data;
+ memcpy(p_data.remove_dev.bd_addr, p_dev_rec->bd_addr, BD_ADDR_LEN);
+ bta_dm_remove_device(&p_data);
+ }
+
#if BLE_INCLUDED == TRUE && SMP_INCLUDED == TRUE
if (p_dev_rec->sec_state == BTM_SEC_STATE_DISCONNECTING_BOTH)
{
#include <stdint.h>
#include <stdbool.h>
+#include <string.h>
#ifndef FALSE
# define FALSE false
{
bdcpy(a, bd_addr_any);
}
+
+static inline bool is_sample_ltk(const BT_OCTET16 ltk) {
+ /* Sample LTK from BT Spec 5.1 | Vol 6, Part C 1
+ * 0x4C68384139F574D836BCF34E9DFB01BF */
+ const uint8_t SAMPLE_LTK[] = {0xbf, 0x01, 0xfb, 0x9d, 0x4e, 0xf3, 0xbc, 0x36,
+ 0xd8, 0x74, 0xf5, 0x39, 0x41, 0x38, 0x68, 0x4c};
+ return memcmp(ltk, SAMPLE_LTK, BT_OCTET16_LEN) == 0;
+}
+
#endif