Port Cordio SMP control block improvements from Packetcraft

This change is provided by Packetcraft (which maintains the
Cordio BLE stack) to address possible SweynTooth vulnerabilities.
pull/12785/head
Lingkai Dong 2020-04-09 15:01:45 +01:00
parent 71c9780dfe
commit 0402fe4efb
6 changed files with 17 additions and 0 deletions


@ -1,4 +1,5 @@
/* Copyright (c) 2009-2019 Arm Limited
* Copyright (c) 2019-2020 Packetcraft, Inc.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -233,6 +234,7 @@ static void smpDmConnCback(dmEvt_t *pDmEvt)
pCcb->attempts = SmpDbGetFailureCount((dmConnId_t) pDmEvt->hdr.param);
pCcb->lastSentKey = 0;
pCcb->state = 0;
pCcb->keyReady = FALSE;
/* Resume the attempts state if necessary */
smpResumeAttemptsState((dmConnId_t) pDmEvt->hdr.param);
@ -710,6 +712,11 @@ uint8_t *SmpDmGetStk(dmConnId_t connId, uint8_t *pSecLevel)
/* get connection control block */
pCcb = smpCcbByConnId(connId);
if ((pCcb == NULL) || (pCcb->keyReady == FALSE))
{
return NULL;
}
if (smpCb.lescSupported && pCcb->pScCcb->lescEnabled && (pCcb->pScCcb->pLtk != NULL))
{
/* set security level */
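Review bot: `keyReady` is cleared only in smpDmConnCback, while four pairing actions set it to TRUE, so as far as these hunks show the flag stays TRUE after the first pairing on a connection and the new guard in SmpDmGetStk would not filter a key request that arrives during a later pairing on the same link. Consider also resetting it with `pCcb->keyReady = FALSE;` where a pairing procedure starts and where it fails or is cleaned up; those paths are outside the visible hunks, so this may already be handled. SmpDmGetStk now returns NULL in a case where it previously did not, so its callers should be confirmed to reject the request rather than dereference the result. Both function bodies continue outside the hunks.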


@ -1,4 +1,5 @@
/* Copyright (c) 2009-2019 Arm Limited
* Copyright (c) 2019-2020 Packetcraft, Inc.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -314,6 +315,7 @@ typedef struct
uint8_t token; /* AES transaction token */
uint8_t attempts; /* Failed pairing attempts */
uint8_t lastSentKey; /* Command code of last sent key */
bool_t keyReady; /* Encryption key is ready */
smpScCcb_t *pScCcb; /* LE Secure Connection control blocks */
} smpCcb_t;
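Review bot: The comment on the new `keyReady` field does not say which key it refers to or when the flag is reset, which matters now that SmpDmGetStk gates on it. A more precise comment would be `/* TRUE once the STK/LTK for this pairing has been computed; reset in smpDmConnCback */`. The struct definition starts outside the hunk.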


@ -1,4 +1,5 @@
/* Copyright (c) 2009-2019 Arm Limited
* Copyright (c) 2019-2020 Packetcraft, Inc.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -269,6 +270,7 @@ void smpiActStkEncrypt(smpCcb_t *pCcb, smpMsg_t *pMsg)
/* adjust key based on max key length */
memcpy(buf, pMsg->aes.pCiphertext, encKeyLen);
memset((buf + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
pCcb->keyReady = TRUE;
secLevel = (pCcb->auth & SMP_AUTH_MITM_FLAG) ? DM_SEC_LEVEL_ENC_AUTH : DM_SEC_LEVEL_ENC;
DmSmpEncryptReq(pCcb->connId, secLevel, buf);
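Review bot: The `memset` length `SMP_KEY_LEN - encKeyLen` is only safe when `encKeyLen` is at most SMP_KEY_LEN, and the hunk does not show where that bound is enforced; the same copy-then-pad pattern precedes the new `keyReady = TRUE` in smpiScActDHKeyCheckVerify, smprActSendPairRandom and smprScActDHKeyCheckSend. The value appears to come from the negotiated maximum key size fields (`pairReq[SMP_MAXKEY_POS]` / `pairRsp[SMP_MAXKEY_POS]` in the last of those), which are peer-influenced. If the bound is not already checked when those fields are received, a clamp before the copy such as `if (encKeyLen > SMP_KEY_LEN) { encKeyLen = SMP_KEY_LEN; }` would make the invariant explicit; otherwise a one-line comment naming where it is validated would do. The function starts and ends outside the hunk.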


@ -1,4 +1,5 @@
/* Copyright (c) 2009-2019 Arm Limited
* Copyright (c) 2019-2020 Packetcraft, Inc.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -463,6 +464,7 @@ void smpiScActDHKeyCheckVerify(smpCcb_t *pCcb, smpMsg_t *pMsg)
/* Adjust key based on max key length */
memcpy(buf, pCcb->pScCcb->pLtk->ltk_t, encKeyLen);
memset((buf + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
pCcb->keyReady = TRUE;
/* Initiate encryption */
DmSmpEncryptReq(pCcb->connId, smpGetScSecLevel(pCcb), buf);


@ -1,4 +1,5 @@
/* Copyright (c) 2009-2019 Arm Limited
* Copyright (c) 2019-2020 Packetcraft, Inc.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -284,6 +285,7 @@ void smprActSendPairRandom(smpCcb_t *pCcb, smpMsg_t *pMsg)
/* store STK and adjust based on max key length */
memcpy(pCcb->pScr->buf.b3, pMsg->aes.pCiphertext, encKeyLen);
memset((pCcb->pScr->buf.b3 + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
pCcb->keyReady = TRUE;
/* start smp response timer */
smpStartRspTimer(pCcb);


@ -1,4 +1,5 @@
/* Copyright (c) 2009-2019 Arm Limited
* Copyright (c) 2019-2020 Packetcraft, Inc.
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License");
@ -524,6 +525,7 @@ void smprScActDHKeyCheckSend(smpCcb_t *pCcb, smpMsg_t *pMsg)
pCcb->pairReq[SMP_MAXKEY_POS] : pCcb->pairRsp[SMP_MAXKEY_POS];
memset((pCcb->pScCcb->pLtk->ltk_t + encKeyLen), 0, (SMP_KEY_LEN - encKeyLen));
pCcb->keyReady = TRUE;
/* Send the DH Key check Eb to the initiator */
smpScSendDHKeyCheck(pCcb, pMsg, pCcb->pScCcb->pScratch->Nb_Eb);