-rw-r--r--flags/security.aconfig7
-rw-r--r--system/stack/btm/btm_sec.cc106
2 files changed, 36 insertions, 77 deletions
diff --git a/flags/security.aconfig b/flags/security.aconfig
index 5793d0c9f2..4799d83988 100644
--- a/flags/security.aconfig
+++ b/flags/security.aconfig
@@ -16,13 +16,6 @@ flag {
}
flag {
- name: "bluffs_mitigation"
- namespace: "bluetooth"
- description: "Cache security values to mitigate BLUFFS"
- bug: "314331379"
-}
-
-flag {
name: "fix_le_pairing_passkey_entry_bypass"
namespace: "bluetooth"
description: "Fix the passkey entry bypassing bug in SMP"
diff --git a/system/stack/btm/btm_sec.cc b/system/stack/btm/btm_sec.cc
index fdeb658a11..da9c6f487f 100644
--- a/system/stack/btm/btm_sec.cc
+++ b/system/stack/btm/btm_sec.cc
@@ -3471,22 +3471,20 @@ static void read_encryption_key_size_complete_after_encryption_change(
return;
}
- if (com::android::bluetooth::flags::bluffs_mitigation()) {
- if (btm_sec_is_session_key_size_downgrade(handle, key_size)) {
- log::error(
- "encryption key size lower than cached value, disconnecting. "
- "handle: 0x{:x} attempted key size: {}",
- handle, key_size);
- acl_disconnect_from_handle(
- handle, HCI_ERR_HOST_REJECT_SECURITY,
- "stack::btu::btu_hcif::read_encryption_key_size_complete_after_"
- "encryption_change Key Size Downgrade");
- return;
- }
-
- btm_sec_update_session_key_size(handle, key_size);
+ if (btm_sec_is_session_key_size_downgrade(handle, key_size)) {
+ log::error(
+ "encryption key size lower than cached value, disconnecting. "
+ "handle: 0x{:x} attempted key size: {}",
+ handle, key_size);
+ acl_disconnect_from_handle(
+ handle, HCI_ERR_HOST_REJECT_SECURITY,
+ "stack::btu::btu_hcif::read_encryption_key_size_complete_after_"
+ "encryption_change Key Size Downgrade");
+ return;
}
+ btm_sec_update_session_key_size(handle, key_size);
+
// good key size - succeed
btm_acl_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
1 /* enable */);
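Review bot: The reason string passed to `acl_disconnect_from_handle` still names `stack::btu::btu_hcif::read_encryption_key_size_complete_after_encryption_change`, although this function is defined in `system/stack/btm/btm_sec.cc`; anyone triaging a key size downgrade disconnect from logs is pointed at the wrong file. Since the flag guard is removed and these lines are re-indented anyway, the tag could be corrected, for example to `"stack::btm::btm_sec::read_encryption_key_size_complete_after_" "encryption_change Key Size Downgrade"`. The function begins outside the hunk, so any earlier validation of `key_size` is not visible here.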
@@ -3508,52 +3506,23 @@ void smp_cancel_start_encryption_attempt();
******************************************************************************/
void btm_sec_encryption_change_evt(uint16_t handle, tHCI_STATUS status,
uint8_t encr_enable) {
- if (com::android::bluetooth::flags::bluffs_mitigation()) {
- if (status != HCI_SUCCESS || encr_enable == 0 ||
- BTM_IsBleConnection(handle) ||
- !bluetooth::shim::GetController()->IsSupported(
- bluetooth::hci::OpCode::READ_ENCRYPTION_KEY_SIZE)) {
- if (status == HCI_ERR_CONNECTION_TOUT) {
- smp_cancel_start_encryption_attempt();
- return;
- }
-
- btm_acl_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
- encr_enable);
- btm_sec_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
- encr_enable);
- } else {
- btsnd_hcic_read_encryption_key_size(
- handle,
- base::Bind(
- &read_encryption_key_size_complete_after_encryption_change));
+ if (status != HCI_SUCCESS || encr_enable == 0 ||
+ BTM_IsBleConnection(handle) ||
+ !bluetooth::shim::GetController()->IsSupported(
+ bluetooth::hci::OpCode::READ_ENCRYPTION_KEY_SIZE)) {
+ if (status == HCI_ERR_CONNECTION_TOUT) {
+ smp_cancel_start_encryption_attempt();
+ return;
}
- } else {
- // This block added to ensure matching code flow with the bluffs_mitigation
- // flag off. The entire block should be removed when the flag is.
- if (status != HCI_SUCCESS || encr_enable == 0 ||
- BTM_IsBleConnection(handle) ||
- !bluetooth::shim::GetController()->IsSupported(
- bluetooth::hci::OpCode::READ_ENCRYPTION_KEY_SIZE) ||
- // Skip encryption key size check when using set_min_encryption_key_size
- (bluetooth::common::init_flags::set_min_encryption_is_enabled() &&
- bluetooth::shim::GetController()->IsSupported(
- bluetooth::hci::OpCode::SET_MIN_ENCRYPTION_KEY_SIZE))) {
- if (status == HCI_ERR_CONNECTION_TOUT) {
- smp_cancel_start_encryption_attempt();
- return;
- }
- btm_acl_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
- encr_enable);
- btm_sec_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
- encr_enable);
- } else {
- btsnd_hcic_read_encryption_key_size(
- handle,
- base::Bind(
- &read_encryption_key_size_complete_after_encryption_change));
- }
+ btm_acl_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
+ encr_enable);
+ btm_sec_encrypt_change(handle, static_cast<tHCI_STATUS>(status),
+ encr_enable);
+ } else {
+ btsnd_hcic_read_encryption_key_size(
+ handle,
+ base::Bind(&read_encryption_key_size_complete_after_encryption_change));
}
}
/*******************************************************************************
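Review bot: The first branch of `btm_sec_encryption_change_evt` accepts the encryption change with no key size check when the controller does not support `READ_ENCRYPTION_KEY_SIZE`, so on such controllers the downgrade check in `read_encryption_key_size_complete_after_encryption_change` never runs, and nothing in the branch records that. Now that the mitigation is unconditional, the gap deserves a comment above the condition, e.g. `// Failure, encryption off, LE link, or no READ_ENCRYPTION_KEY_SIZE support: the key size downgrade check is skipped on this path.` A warning log for the unsupported-opcode case on an encrypted BR/EDR link would also make the skipped check visible in bug reports.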
@@ -4175,8 +4144,7 @@ void btm_sec_link_key_notification(const RawAddress& p_bda,
}
}
- if (com::android::bluetooth::flags::bluffs_mitigation() &&
- p_dev_rec->sec_rec.is_bond_type_persistent() &&
+ if (p_dev_rec->sec_rec.is_bond_type_persistent() &&
(p_dev_rec->is_device_type_br_edr() ||
p_dev_rec->is_device_type_dual_mode())) {
btm_sec_store_device_sc_support(p_dev_rec->get_br_edr_hci_handle(),
@@ -5205,16 +5173,14 @@ void btm_sec_set_peer_sec_caps(uint16_t hci_handle, bool ssp_supported,
tBTM_SEC_DEV_REC* p_dev_rec = btm_find_dev_by_handle(hci_handle);
if (p_dev_rec == nullptr) return;
- if (com::android::bluetooth::flags::bluffs_mitigation()) {
- // Drop the connection here if the remote attempts to downgrade from Secure
- // Connections mode.
- if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
- acl_set_disconnect_reason(HCI_ERR_HOST_REJECT_SECURITY);
- btm_sec_send_hci_disconnect(
- p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle,
- "attempted to downgrade from Secure Connections mode");
- return;
- }
+ // Drop the connection here if the remote attempts to downgrade from Secure
+ // Connections mode.
+ if (btm_sec_is_device_sc_downgrade(hci_handle, sc_supported)) {
+ acl_set_disconnect_reason(HCI_ERR_HOST_REJECT_SECURITY);
+ btm_sec_send_hci_disconnect(
+ p_dev_rec, HCI_ERR_AUTH_FAILURE, hci_handle,
+ "attempted to downgrade from Secure Connections mode");
+ return;
}
p_dev_rec->remote_feature_received = true;
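Review bot: The Secure Connections downgrade branch in `btm_sec_set_peer_sec_caps` disconnects without logging, unlike the key size downgrade path in this file, which emits `log::error` with the handle before disconnecting. Adding `log::error("Secure Connections downgrade attempt, disconnecting. handle: 0x{:x}", hci_handle);` before `acl_set_disconnect_reason` would give the same detection signal for both downgrade checks. The branch also records `HCI_ERR_HOST_REJECT_SECURITY` locally but passes `HCI_ERR_AUTH_FAILURE` to `btm_sec_send_hci_disconnect`; if that difference is intentional, a one-line comment saying so would help. The function continues past the end of the hunk.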