From f38c10628c9bf7923642c0ed5738b3619594185b Mon Sep 17 00:00:00 2001 From: "matthias.ringwald" Date: Thu, 12 Jun 2014 12:57:24 +0000 Subject: [PATCH] fixed unsafe use in HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST --- ble/sm.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/ble/sm.c b/ble/sm.c index f464b4835..915924cce 100644 --- a/ble/sm.c +++ b/ble/sm.c @@ -954,9 +954,9 @@ static void sm_run(void){ hci_send_cmd(&hci_le_rand); sm_state_responding_next_state(); return; + case SM_STATE_PH2_C1_GET_ENC_B: case SM_STATE_PH2_C1_GET_ENC_D: - case SM_STATE_PH2_CALC_STK: case SM_STATE_PH3_LTK_GET_ENC: case SM_STATE_PH4_Y_GET_ENC: case SM_STATE_PH4_LTK_GET_ENC: @@ -983,6 +983,15 @@ static void sm_run(void){ sm_aes128_start(sm_aes128_key, sm_aes128_plaintext); sm_state_responding_next_state(); break; + case SM_STATE_PH2_CALC_STK: + // already busy? + if (sm_aes128_active) break; + // calculate STK + sm_aes128_set_key(sm_tk); + sm_s1_r_prime(sm_s_random, sm_m_random, sm_aes128_plaintext); + sm_aes128_start(sm_aes128_key, sm_aes128_plaintext); + sm_state_responding_next_state(); + break; case SM_STATE_PH3_Y_GET_ENC: // already busy? if (sm_aes128_active) break; @@ -1357,13 +1366,6 @@ static void sm_event_packet_handler (uint8_t packet_type, uint16_t channel, uint case HCI_SUBEVENT_LE_LONG_TERM_KEY_REQUEST: log_info("LTK Request: state %u", sm_state_responding); if (sm_state_responding == SM_STATE_PH2_W4_LTK_REQUEST){ - - // SM_AES128_PLAINTEXT_USED_WIHTOUT_CHECK - - // calculate STK - log_info("LTK Request: calculating STK"); - sm_aes128_set_key(sm_tk); - sm_s1_r_prime(sm_s_random, sm_m_random, sm_aes128_plaintext); sm_state_responding = SM_STATE_PH2_CALC_STK; break; }