As a guard against the BLUFFS attack, we will need to check the security
parameters of incoming connections against cached values and disallow
connection if these parameters are downgraded or changed from their
cached values.

Future CLs will add checks during connection.  This CL adds the
functions that will be needed to perform those checks and the necessary
mocks.
Currently supported checks are : IO capabilities (must be an exact match),
Secure Connections capability (must not be a downgrade), and session key
length (must not be a downgrade).  Maximum session key length, which was
previously not cached, has been added to the device security manager
cache.

To QA: This CL is a logical no-op by itself.  Tests should be performed as described in ag/25815924 and ag/25815925/

Bug: 314331379
Test: m libbluetooth
Tag: #security
Ignore-AOSP-First: Security
Merged-In: I3cd1db300be68d15cb09bdabea711199fcf748da
Merged-In: I972fd4a3a4d4566968d097df9f27396a821fb24f
Change-Id: I972fd4a3a4d4566968d097df9f27396a821fb24f

* changes:
  Relax the validation on sdp attr size
  Add validation on attr type and size in a2dp_api.cc
  Add tests for the following change

* changes:
  Add validation in sdp attr type and size in connection_handler.cc
  Add type and len field in sdp attr in SetUpSdp

* changes:
  Fix an OOB bug in parse_gap_data
  Factor out duplicate code for parsing gap data

BTM_BleVerifySignature uses a stock memcmp, allowing signature contents
to be deduced through a side-channel attack.

Change to CRYPTO_memcmp, which is hardened against this attack, to
eliminate this attack.

Bug: 274478807
Test: atest bluetooth_test_gd_unit
Tag: #security
Ignore-AOSP-First: Security
Merged-In: I7f5646b683209bc6a6fbce8d4702ec311adc9cfc
Change-Id: Iddeff055d9064f51a1e0cfb851d8b74135a714c2

Fuzz testing reveals that the transcodeQ*ToFloat family of functions are
not bounds checked, causing a potential OOB write.

Check these functions against bounds of the destination array.

Bug: 275895309
Test: atest bluetooth_test_gd_unit, net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Merged-In: I7a13261429797769cf5b913912a30e249668ac93
Change-Id: I7a13261429797769cf5b913912a30e249668ac93

Changing from exact size match to greater than or equal
to make the fix less prone to regression.

Bug: 263958603
Test: atest net_test_stack_a2dp_native
Ignore-AOSP-First: security
Tag: #security

Merged-In: I03522897e93af59508efa2f536dd217d48f78110
Change-Id: I03522897e93af59508efa2f536dd217d48f78110
(cherry picked from commit b608afa0)

Bug: 263958603
Test: atest net_test_stack_a2dp_native
Ignore-AOSP-First: security
Tag: #security

Merged-In: I938467ca4f4b130cd8b4c544096127e679391c06
Change-Id: I938467ca4f4b130cd8b4c544096127e679391c06
(cherry picked from commit 4832e302)

CL: I59b208d403d6f16a8515b351f4c296f9affdf37b

Bug: 263958603
Test: atest net_test_bta
Ignore-AOSP-First: security
Tag: #security
Merged-In: Ia587191901112d9e3ab15faefb1ca0f914e127ef
Change-Id: Ia587191901112d9e3ab15faefb1ca0f914e127ef
(cherry picked from commit a6b4a43d)

Bug: 263958603
Test: atest net_test_avrcp
Ignore-AOSP-First: security
Tag: #security
Merged-In: I3f999d405fb3a0be2df32b05f54b9cef98d10f19
Change-Id: I3f999d405fb3a0be2df32b05f54b9cef98d10f19
(cherry picked from commit 65605ce3)

Bug: 263958603
Test: atest bt_host_test_bta
Ignore-AOSP-First: security
Tag: #security
Merged-In: I5286fabf49f14cba5ef65a79d6e1eadb40bbb514
Change-Id: I5286fabf49f14cba5ef65a79d6e1eadb40bbb514
(cherry picked from commit 590aa47f)

This is a regression introduced in ag/24529645
(one of the fixes of b/263958603)
and detected and reported in bugs below by WearOS team.

Origninal bug
Bug: 263958603

Regressions:
Bug: 297438857
Bug: 297458852
Bug: 297461435
Bug: 297831980

Test: atest net_test_stack_sdp
Ignore-AOSP-First: security
Merged-In: Ie7210673d65656ef9dbb2a4759a3636025b67b44
Change-Id: Ie7210673d65656ef9dbb2a4759a3636025b67b44
(cherry picked from commit d7d87efa)

Original bug
Bug: 294854926

regressions:
Bug: 299570702
Bug: 299561281

Test: m com.android.btservices
Test: QA validation
Ignore-AOSP-First: security

Merged-In: I0370ed2e3166d56f708e1981c2126526e1db9eaa
Change-Id: I0370ed2e3166d56f708e1981c2126526e1db9eaa

Original bug
Bug: 294854926

regressions:
Bug: 299570702

Test: Test: m com.android.btservices
Test: QA validation
Merged-In: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4
Change-Id: I976a5a6d7bb819fd6accdc71eb1501b9606f3ae4

Allow access to rfcomm PSM by default

Original bug
Bug: 294854926

Nearby regressions:
Bug: 298539299

Test: m com.android.btservices
Ignore-AOSP-First: security
Merged-In: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66
Change-Id: If1f7c9278a9e877f64ae78b6f067c597fb5d0e66

Reject access to service running on rfcomm

this is a backport of
I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security
Merged-In: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166
Change-Id: I10fcc2dcd78fc22ffbe3c425669fc9889b94a166

Rejecct access to services running on l2cap

Backport of
Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 294854926
Test: m com.android.btservices
Ignore-AOSP-First: security

Merged-In: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3
Change-Id: Idef4ea28eb3d17b0807ab7dc6849433ddc5581b3

Bug: 263958603
Test: atest net_test_stack_hid
Ignore-AOSP-First: security
Tag: #security

Merged-In: Ia2e8e588ad890b531b94e2fca84279de603dcc05
Change-Id: Ia2e8e588ad890b531b94e2fca84279de603dcc05
(cherry picked from commit 5715e465)

Bug: 263958603
Test: atest net_test_bta
Ignore-AOSP-First: security
Tag: #security

Merged-In: I59b208d403d6f16a8515b351f4c296f9affdf37b
Change-Id: I59b208d403d6f16a8515b351f4c296f9affdf37b
(cherry picked from commit 66ce4a04)

Bug: 263958603
Test: atest bt_host_test_bta
Ignore-AOSP-First: security
Tag: #security
Change-Id: I51c0215125808102b6cff880357d19012ffc37b9
Merged-In: I51c0215125808102b6cff880357d19012ffc37b9
(cherry picked from commit 509feb84)

Bug: 263958603
Test: atest net_test_bta
Ignore-AOSP-First: security
Tag: #security

Merged-In: I70a15be0409d9368e1d5984b1719f9a917c8cb7e
Change-Id: I70a15be0409d9368e1d5984b1719f9a917c8cb7e
(cherry picked from commit 3bd9e5b1)

Bug: 263958603
Test: atest net_test_avrcp
Ignore-AOSP-First: security
Tag: #security
Change-Id: Ic807df3bce25fdcd83061d24ac185ba3c4bab328
(cherry picked from commit 2d5672a6)

Bug: 277590580
bug: 275553827
Test: atest net_test_main_shim
Ignore-AOSP-First: security
Tag: #security
Merged-In: I7fcb7c46f668f48560a72399a3c5087c6da3827f
Change-Id: I7fcb7c46f668f48560a72399a3c5087c6da3827f

This change is intended to be used to factor out
dup code for parsing GapData in StartAdvertisingSet
and make it easier to be tested.

Backport of Ia39886c415218353b6f9d59d7d3f6d1160477d6c

Bug: 296291440
Test: atest net_test_main_shim
Merged-In: Ia39886c415218353b6f9d59d7d3f6d1160477d6c
Change-Id: Ia39886c415218353b6f9d59d7d3f6d1160477d6c

com_android_bluetooth_btservice_AdapterService does not null its local
JNI environment variable after detaching the thread (which frees the
environment context), allowing UAF under certain conditions.

Null the variable in this case.

Testing here was done through a custom unit test; see patchsets 4-6 for
contents.  However, unit testing of the JNI layer is problematic in
production, so that part of the patch is omitted for final merge.

Bug: 291500341
Test: atest bluetooth_test_gd_unit, atest net_test_stack_btm
Tag: #security
Ignore-AOSP-First: Security
Change-Id: I3e5e3c51412640aa19f0981caaa809313d6ad030

This reverts commit bbd88e88.

Reason for revert: b/281788858

Merged-In: Id5f74a0f9c27f67050ffef497bb42580f30bfe38
Merged-In: If6fb57064b5b2da40842e2c1cf95aadc6f0351b6
Merged-In: I608fd8b8838a2476bf0b1d9dbb86c75032eec2f3

Change-Id: I0f45c87ba5f0b2c84843e568ca117439b42d1ed3

Bug: 275057843
Bug: 275057678
Test: manual
Tag: #security
Ignore-AOSP-First: security
Merged-In: I4c8ec50c15e2727839a49da0e582164557bcd38a
Change-Id: I4c8ec50c15e2727839a49da0e582164557bcd38a