
bluetooth: smp: CTKD issue when cross br and ble connections and security

The peer uses an RPA address.
A BR connection is created first, then a BLE connection is created, and
then the BR SMP CTKD occurs (the BLE LTK is derived from BR, and the BR SMP
distributes the peer's IRK and identity address here). The derived BLE LTK
is saved to the key pool with the identity address, while the BLE connection
uses the RPA, so the saved key does not match the previous BLE connection.
Fix it by resolving the BLE connections' RPA with the derived IRK to find
the previous BLE connections and matching those connections with the
derived LTK key.

Signed-off-by: Mark Wang <yichang.wang@nxp.com>
pull/92708/head
Mark Wang 1 month ago committed by Daniel DeGrasse
parent
commit
81d938606d
  1. 30
      subsys/bluetooth/host/smp.c

30
subsys/bluetooth/host/smp.c

@ -39,6 +39,7 @@ @@ -39,6 +39,7 @@
#include "conn_internal.h"
#include "common/bt_str.h"
#include "common/rpa.h"
#include "crypto/bt_crypto.h"
#include "ecc.h"
#include "hci_core.h"
@ -1515,12 +1516,33 @@ static uint8_t smp_br_ident_info(struct bt_smp_br *smp, struct net_buf *buf) @@ -1515,12 +1516,33 @@ static uint8_t smp_br_ident_info(struct bt_smp_br *smp, struct net_buf *buf)
return 0;
}
static void convert_to_id_on_irk_match(struct bt_conn *conn, void *data)
{
struct bt_keys *keys = data;
if (!bt_addr_le_is_rpa(&conn->le.dst)) {
return;
}
if (bt_rpa_irk_matches(keys->irk.val, &conn->le.dst.a)) {
if (conn->le.keys != NULL && conn->le.keys != keys) {
bt_keys_clear(conn->le.keys);
}
conn->le.keys = keys;
/* always update last use RPA */
bt_addr_copy(&keys->irk.rpa, &conn->le.dst.a);
bt_addr_le_copy(&conn->le.dst, &keys->addr);
}
}
static uint8_t smp_br_ident_addr_info(struct bt_smp_br *smp,
struct net_buf *buf)
{
struct bt_conn *conn = smp->chan.chan.conn;
struct bt_smp_ident_addr_info *req = (void *)buf->data;
bt_addr_le_t addr;
struct bt_keys *keys;
LOG_DBG("identity %s", bt_addr_le_str(&req->addr));
@ -1543,6 +1565,14 @@ static uint8_t smp_br_ident_addr_info(struct bt_smp_br *smp, @@ -1543,6 +1565,14 @@ static uint8_t smp_br_ident_addr_info(struct bt_smp_br *smp,
atomic_set_bit(smp->allowed_cmds, BT_SMP_CMD_SIGNING_INFO);
}
/* Check the BLE connections that has RPA matched with this IRK */
keys = bt_keys_get_type(BT_KEYS_IRK, conn->id, &addr);
if (keys) {
bt_conn_foreach(BT_CONN_TYPE_LE, convert_to_id_on_irk_match, keys);
} else {
LOG_ERR("Unable to get keys for %s", bt_addr_le_str(&addr));
}
if (conn->role == BT_CONN_ROLE_CENTRAL && !smp->remote_dist) {
smp_br_distribute_keys(smp);
}
