Bluetooth: SMP: Fix not generating mackey and ltk when repairing
The change eed467b517 ("Bluetooth: fix passkey uninitialized when used") introduced a goto that bypasses the creation of temporary mackey and ltk which are later used by the likes of DHKey Check step. Later came ffee202a78 ("Bluetooth: Always request for user confirmation for Just Works (LE SC)"), which means confirm_hint is always set in case of JUST_WORKS, so the branch checking for an existing LTK becomes pointless as confirm_hint will always be set, so this just merges both cases of malicious or legitimate devices to be confirmed before continuing with the pairing procedure. Link: https://github.com/bluez/bluez/issues/1622 Fixes: eed467b517 ("Bluetooth: fix passkey uninitialized when used") Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
@@ -2136,7 +2136,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
|
|||||||
struct smp_chan *smp = chan->data;
|
struct smp_chan *smp = chan->data;
|
||||||
struct hci_conn *hcon = conn->hcon;
|
struct hci_conn *hcon = conn->hcon;
|
||||||
u8 *pkax, *pkbx, *na, *nb, confirm_hint;
|
u8 *pkax, *pkbx, *na, *nb, confirm_hint;
|
||||||
u32 passkey;
|
u32 passkey = 0;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
bt_dev_dbg(hcon->hdev, "conn %p", conn);
|
bt_dev_dbg(hcon->hdev, "conn %p", conn);
|
||||||
@@ -2188,24 +2188,6 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
|
|||||||
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
|
smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
|
||||||
smp->prnd);
|
smp->prnd);
|
||||||
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
|
SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
|
||||||
|
|
||||||
/* Only Just-Works pairing requires extra checks */
|
|
||||||
if (smp->method != JUST_WORKS)
|
|
||||||
goto mackey_and_ltk;
|
|
||||||
|
|
||||||
/* If there already exists long term key in local host, leave
|
|
||||||
* the decision to user space since the remote device could
|
|
||||||
* be legitimate or malicious.
|
|
||||||
*/
|
|
||||||
if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
|
|
||||||
hcon->role)) {
|
|
||||||
/* Set passkey to 0. The value can be any number since
|
|
||||||
* it'll be ignored anyway.
|
|
||||||
*/
|
|
||||||
passkey = 0;
|
|
||||||
confirm_hint = 1;
|
|
||||||
goto confirm;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
mackey_and_ltk:
|
mackey_and_ltk:
|
||||||
@@ -2226,11 +2208,12 @@ mackey_and_ltk:
|
|||||||
if (err)
|
if (err)
|
||||||
return SMP_UNSPECIFIED;
|
return SMP_UNSPECIFIED;
|
||||||
|
|
||||||
confirm_hint = 0;
|
/* Always require user confirmation for Just-Works pairing to prevent
|
||||||
|
* impersonation attacks, or in case of a legitimate device that is
|
||||||
confirm:
|
* repairing use the confirmation as acknowledgment to proceed with the
|
||||||
if (smp->method == JUST_WORKS)
|
* creation of new keys.
|
||||||
confirm_hint = 1;
|
*/
|
||||||
|
confirm_hint = smp->method == JUST_WORKS ? 1 : 0;
|
||||||
|
|
||||||
err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
|
err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
|
||||||
hcon->dst_type, passkey, confirm_hint);
|
hcon->dst_type, passkey, confirm_hint);
|
||||||
|
|||||||
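Review bot: The comment added above `confirm_hint = smp->method == JUST_WORKS ? 1 : 0;` does not record that, with the `hci_find_ltk()` branch removed, a peer that already has a stored LTK is no longer told apart from a new one here, so the user-confirmation request is the only gate against a Just-Works re-pairing by an impersonating device. The code under `mackey_and_ltk:` is outside the visible hunks, so this is inferred from the commit description: the temporary mackey and ltk now appear to be derived before the user answers. If the stored key is indeed replaced only after confirmation and the DHKey check, the comment should say so, for example `The existing LTK, if any, must stay in place until the user confirms and the DHKey check passes.` As a style point, the ternary can be dropped, since `smp->method == JUST_WORKS` already yields 0 or 1. smp_cmd_pairing_random() starts and ends outside the hunks shown.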