Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Bluetooth: Fix regression with minimum encryption key size alignment

When trying to align the minimum encryption key size requirement for
Bluetooth connections, it turns out doing this in a central location in
the HCI connection handling code is not possible.

Original Bluetooth versions up to 2.0 used a security model where the
L2CAP service would enforce authentication and encryption. Starting
with Bluetooth 2.1 and Secure Simple Pairing that model has changed so
that the connection initiator is responsible for providing an encrypted
ACL link before any L2CAP communication can happen.

Now connecting Bluetooth 2.1 or later devices with Bluetooth 2.0 and
before devices are causing a regression. The encryption key size check
needs to be moved out of the HCI connection handling into the L2CAP
channel setup.

To achieve this, the current check inside hci_conn_security() has been
moved into the l2cap_check_enc_key_size() helper function and is then called
from four decision points inside L2CAP to cover all combinations of
Secure Simple Pairing enabled devices and devices using legacy pairing
and the legacy service security model.

Fixes: d5bb334a8e17 ("Bluetooth: Align minimum encryption key size for LE and BR/EDR connections")
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203643
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Marcel Holtmann and committed by Linus Torvalds
693cd8ce c356dc4b

+37 -14
+9 -9
net/bluetooth/hci_conn.c
··· 1276 1276 !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 1277 1277 return 0; 1278 1278 1279 - /* The minimum encryption key size needs to be enforced by the 1280 - * host stack before establishing any L2CAP connections. The 1281 - * specification in theory allows a minimum of 1, but to align 1282 - * BR/EDR and LE transports, a minimum of 7 is chosen. 1283 - */ 1284 - if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE) 1285 - return 0; 1286 - 1287 1279 return 1; 1288 1280 } 1289 1281 ··· 1392 1400 return 0; 1393 1401 1394 1402 encrypt: 1395 - if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) 1403 + if (test_bit(HCI_CONN_ENCRYPT, &conn->flags)) { 1404 + /* Ensure that the encryption key size has been read, 1405 + * otherwise stall the upper layer responses. 1406 + */ 1407 + if (!conn->enc_key_size) 1408 + return 0; 1409 + 1410 + /* Nothing else needed, all requirements are met */ 1396 1411 return 1; 1412 + } 1397 1413 1398 1414 hci_conn_encrypt(conn); 1399 1415 return 0;
+28 -5
net/bluetooth/l2cap_core.c
··· 1341 1341 sizeof(req), &req); 1342 1342 } 1343 1343 1344 + static bool l2cap_check_enc_key_size(struct hci_conn *hcon) 1345 + { 1346 + /* The minimum encryption key size needs to be enforced by the 1347 + * host stack before establishing any L2CAP connections. The 1348 + * specification in theory allows a minimum of 1, but to align 1349 + * BR/EDR and LE transports, a minimum of 7 is chosen. 1350 + * 1351 + * This check might also be called for unencrypted connections 1352 + * that have no key size requirements. Ensure that the link is 1353 + * actually encrypted before enforcing a key size. 1354 + */ 1355 + return (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags) || 1356 + hcon->enc_key_size > HCI_MIN_ENC_KEY_SIZE); 1357 + } 1358 + 1344 1359 static void l2cap_do_start(struct l2cap_chan *chan) 1345 1360 { 1346 1361 struct l2cap_conn *conn = chan->conn; ··· 1373 1358 if (!(conn->info_state & L2CAP_INFO_FEAT_MASK_REQ_DONE)) 1374 1359 return; 1375 1360 1376 - if (l2cap_chan_check_security(chan, true) && 1377 - __l2cap_no_conn_pending(chan)) 1361 + if (!l2cap_chan_check_security(chan, true) || 1362 + !__l2cap_no_conn_pending(chan)) 1363 + return; 1364 + 1365 + if (l2cap_check_enc_key_size(conn->hcon)) 1378 1366 l2cap_start_connection(chan); 1367 + else 1368 + __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); 1379 1369 } 1380 1370 1381 1371 static inline int l2cap_mode_supported(__u8 mode, __u32 feat_mask) ··· 1459 1439 continue; 1460 1440 } 1461 1441 1462 - l2cap_start_connection(chan); 1442 + if (l2cap_check_enc_key_size(conn->hcon)) 1443 + l2cap_start_connection(chan); 1444 + else 1445 + l2cap_chan_close(chan, ECONNREFUSED); 1463 1446 1464 1447 } else if (chan->state == BT_CONNECT2) { 1465 1448 struct l2cap_conn_rsp rsp; ··· 7513 7490 } 7514 7491 7515 7492 if (chan->state == BT_CONNECT) { 7516 - if (!status) 7493 + if (!status && l2cap_check_enc_key_size(hcon)) 7517 7494 l2cap_start_connection(chan); 7518 7495 else 7519 7496 __set_chan_timer(chan, L2CAP_DISC_TIMEOUT); ··· 
7522 7499 struct l2cap_conn_rsp rsp; 7523 7500 __u16 res, stat; 7524 7501 7525 - if (!status) { 7502 + if (!status && l2cap_check_enc_key_size(hcon)) { 7526 7503 if (test_bit(FLAG_DEFER_SETUP, &chan->flags)) { 7527 7504 res = L2CAP_CR_PEND; 7528 7505 stat = L2CAP_CS_AUTHOR_PEND;
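Review bot: Removing the key size check from hci_conn_security() (first hci_conn.c hunk) means the HCI layer no longer enforces any minimum for callers other than the four L2CAP call sites this patch adds; the commit message explains why, but a one-line comment at the removed location, or on hci_conn_security() itself, saying that the minimum key size is now enforced by l2cap_check_enc_key_size() would stop a future change from relying on this function for that guarantee.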
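Review bot: The new `if (!conn->enc_key_size) return 0;` in the encrypt: path of hci_conn_security() (second hci_conn.c hunk) makes L2CAP setup wait until the key size has been read, but nothing in the hunk covers the case where the key size is never learned, for example when the controller cannot report it or the read fails; enc_key_size then stays 0 and the channel only goes away when its L2CAP_DISC_TIMEOUT timer fires. Please confirm that the key-size read failure path either sets enc_key_size or tears the connection down, and state that expectation in the comment next to the check.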
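Review bot: In the new l2cap_check_enc_key_size() helper (first l2cap_core.c hunk) the expression `hcon->enc_key_size > HCI_MIN_ENC_KEY_SIZE` rejects a key size that is exactly HCI_MIN_ENC_KEY_SIZE, whereas the check removed from hci_conn_security() (`if (conn->enc_key_size < HCI_MIN_ENC_KEY_SIZE) return 0;`) accepted it, and the helper's own comment says "a minimum of 7 is chosen". Unless the intent is to raise the effective minimum by one, this should be `hcon->enc_key_size >= HCI_MIN_ENC_KEY_SIZE`; otherwise a peer that negotiates exactly the minimum key size has every L2CAP channel refused or timed out.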
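Review bot: In l2cap_do_start() (second l2cap_core.c hunk) a failed key size check only arms `__set_chan_timer(chan, L2CAP_DISC_TIMEOUT)` and leaves the channel in BT_CONNECT until the timer expires, while the same check added in l2cap_conn_start() closes the channel immediately with `l2cap_chan_close(chan, ECONNREFUSED)`. Consider failing fast here as well, or add a comment explaining why the deferred timeout is preferred, so both paths report a rejected link to the socket owner in the same way.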
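Review bot: In the BT_CONNECT2 branch of the security confirmation handler (last l2cap_core.c hunk) the condition becomes `if (!status && l2cap_check_enc_key_size(hcon)) {`, so a too-short key now takes the same else path as an authentication failure; that else branch lies outside the shown context, so please double-check that it answers the pending connection request with a security block result rather than leaving the peer waiting, since the peer will see a successful authentication on its side and expect a response.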