From: Greg KH <gregkh@linuxfoundation.org>
To: Hans-Christian Noren Egtvedt <hegtvedt@cisco.com>
Cc: linux-kernel@vger.kernel.org,
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>,
Marcel Holtmann <marcel@holtmann.org>
Subject: Re: [PATCH v4.4/bluetooth 2/2] Bluetooth: Disconnect if E0 is used for Level 4
Date: Thu, 15 Oct 2020 11:58:30 +0200 [thread overview]
Message-ID: <20201015095830.GB3935178@kroah.com> (raw)
In-Reply-To: <20201015074333.445510-2-hegtvedt@cisco.com>
On Thu, Oct 15, 2020 at 09:43:33AM +0200, Hans-Christian Noren Egtvedt wrote:
> From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
>
> E0 is not allowed with Level 4:
>
> BLUETOOTH CORE SPECIFICATION Version 5.2 | Vol 3, Part C page 1319:
>
> '128-bit equivalent strength for link and encryption keys
> required using FIPS approved algorithms (E0 not allowed,
> SAFER+ not allowed, and P-192 not allowed; encryption key
> not shortened'
>
> SC enabled:
>
> > HCI Event: Read Remote Extended Features (0x23) plen 13
> Status: Success (0x00)
> Handle: 256
> Page: 1/2
> Features: 0x0b 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> Secure Simple Pairing (Host Support)
> LE Supported (Host)
> Secure Connections (Host Support)
> > HCI Event: Encryption Change (0x08) plen 4
> Status: Success (0x00)
> Handle: 256
> Encryption: Enabled with AES-CCM (0x02)
>
> SC disabled:
>
> > HCI Event: Read Remote Extended Features (0x23) plen 13
> Status: Success (0x00)
> Handle: 256
> Page: 1/2
> Features: 0x03 0x00 0x00 0x00 0x00 0x00 0x00 0x00
> Secure Simple Pairing (Host Support)
> LE Supported (Host)
> > HCI Event: Encryption Change (0x08) plen 4
> Status: Success (0x00)
> Handle: 256
> Encryption: Enabled with E0 (0x01)
> [May 8 20:23] Bluetooth: hci0: Invalid security: expect AES but E0 was used
> < HCI Command: Disconnect (0x01|0x0006) plen 3
> Handle: 256
> Reason: Authentication Failure (0x05)
>
> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
> (cherry picked from commit 8746f135bb01872ff412d408ea1aa9ebd328c1f5)
> (cherry picked from commit f263237a1709a6dbf1dc9945187f1e64c53a4b73)
I do not see this commit in Linus's tree.
> ---
> AFAICT, fixing CVE 2020-10135 Bluetooth impersonation attacks have been
> left out for the 4.4 stable kernel. I cherry picked what I assume are
> the appropriate two patches missing from the 4.9 stable kernel. Please
> add them to upcoming 4.4 stable releases.
Same thing as before, we need this in all kernels.
thanks,
greg k-h
next prev parent reply other threads:[~2020-10-15 9:58 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-10-15 7:43 [PATCH v4.4/bluetooth 1/2] Bluetooth: Consolidate encryption handling in hci_encrypt_cfm Hans-Christian Noren Egtvedt
2020-10-15 7:43 ` [PATCH v4.4/bluetooth 2/2] Bluetooth: Disconnect if E0 is used for Level 4 Hans-Christian Noren Egtvedt
2020-10-15 9:58 ` Greg KH [this message]
2020-10-15 9:57 ` [PATCH v4.4/bluetooth 1/2] Bluetooth: Consolidate encryption handling in hci_encrypt_cfm Greg KH
2020-10-15 11:18 ` Hans-Christian Egtvedt (hegtvedt)
2020-10-15 12:02 ` Greg KH
2020-10-15 12:44 ` Hans-Christian Egtvedt (hegtvedt)
2020-10-15 21:15 ` Hans-Christian Egtvedt (hegtvedt)
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201015095830.GB3935178@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=hegtvedt@cisco.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luiz.von.dentz@intel.com \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.