From: Marcel Holtmann <marcel@holtmann.org>
To: Archie Pusaka <apusaka@google.com>
Cc: linux-bluetooth <linux-bluetooth@vger.kernel.org>,
CrosBT Upstreaming <chromeos-bluetooth-upstreaming@chromium.org>,
Archie Pusaka <apusaka@chromium.org>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
open list <linux-kernel@vger.kernel.org>,
netdev@vger.kernel.org
Subject: Re: [PATCH v3] Bluetooth: Check for encryption key size on connect
Date: Fri, 25 Sep 2020 18:37:29 +0200 [thread overview]
Message-ID: <BC59363A-B32A-4DAA-BAF5-F7FBA01752E6@holtmann.org> (raw)
In-Reply-To: <20200922155548.v3.1.I67a8b8cd4def8166970ca37109db46d731b62bb6@changeid>
Hi Archie,
> When receiving connection, we only check whether the link has been
> encrypted, but not the encryption key size of the link.
>
> This patch adds check for encryption key size, and reject L2CAP
> connection which size is below the specified threshold (default 7)
> with security block.
>
> Here is some btmon trace.
> @ MGMT Event: New Link Key (0x0009) plen 26 {0x0001} [hci0] 5.847722
> Store hint: No (0x00)
> BR/EDR Address: 38:00:25:F7:F1:B0 (OUI 38-00-25)
> Key type: Unauthenticated Combination key from P-192 (0x04)
> Link key: 7bf2f68c81305d63a6b0ee2c5a7a34bc
> PIN length: 0
>> HCI Event: Encryption Change (0x08) plen 4 #29 [hci0] 5.871537
> Status: Success (0x00)
> Handle: 256
> Encryption: Enabled with E0 (0x01)
> < HCI Command: Read Encryp... (0x05|0x0008) plen 2 #30 [hci0] 5.871609
> Handle: 256
>> HCI Event: Command Complete (0x0e) plen 7 #31 [hci0] 5.872524
> Read Encryption Key Size (0x05|0x0008) ncmd 1
> Status: Success (0x00)
> Handle: 256
> Key size: 3
>
> ////// WITHOUT PATCH //////
>> ACL Data RX: Handle 256 flags 0x02 dlen 12 #42 [hci0] 5.895023
> L2CAP: Connection Request (0x02) ident 3 len 4
> PSM: 4097 (0x1001)
> Source CID: 64
> < ACL Data TX: Handle 256 flags 0x00 dlen 16 #43 [hci0] 5.895213
> L2CAP: Connection Response (0x03) ident 3 len 8
> Destination CID: 64
> Source CID: 64
> Result: Connection successful (0x0000)
> Status: No further information available (0x0000)
>
> ////// WITH PATCH //////
>> ACL Data RX: Handle 256 flags 0x02 dlen 12 #42 [hci0] 4.887024
> L2CAP: Connection Request (0x02) ident 3 len 4
> PSM: 4097 (0x1001)
> Source CID: 64
> < ACL Data TX: Handle 256 flags 0x00 dlen 16 #43 [hci0] 4.887127
> L2CAP: Connection Response (0x03) ident 3 len 8
> Destination CID: 0
> Source CID: 64
> Result: Connection refused - security block (0x0003)
> Status: No further information available (0x0000)
>
> Signed-off-by: Archie Pusaka <apusaka@chromium.org>
>
> ---
>
> Changes in v3:
> * Move the check to hci_conn_check_link_mode()
>
> Changes in v2:
> * Add btmon trace to the commit message
>
> net/bluetooth/hci_conn.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
> index 9832f8445d43..89085fac797c 100644
> --- a/net/bluetooth/hci_conn.c
> +++ b/net/bluetooth/hci_conn.c
> @@ -1348,6 +1348,10 @@ int hci_conn_check_link_mode(struct hci_conn *conn)
> !test_bit(HCI_CONN_ENCRYPT, &conn->flags))
> return 0;
>
> + if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) &&
> + conn->enc_key_size < conn->hdev->min_enc_key_size)
> + return 0;
> +
> return 1;
> }
I am a bit concerned since we had that check and I on purpose moved it. See commit 693cd8ce3f88 for the change where I removed and commit d5bb334a8e17 where I initially added it.
Naively adding the check in that location caused a major regression with Bluetooth 2.0 devices. This makes me a bit reluctant to re-add it here since I restructured the whole change to check the key size a different location.
Now I have to ask, are you running an upstream kernel with both commits above that address KNOB vulnerability?
Regards
Marcel
next prev parent reply other threads:[~2020-09-25 16:37 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-22 7:56 [PATCH v3] Bluetooth: Check for encryption key size on connect Archie Pusaka
2020-09-25 16:37 ` Marcel Holtmann [this message]
2020-09-26 18:41 ` Archie Pusaka
2020-09-27 12:08 ` Marcel Holtmann
2020-09-28 6:09 ` Archie Pusaka
2020-09-28 16:43 ` Marcel Holtmann
2020-09-29 4:48 ` Archie Pusaka
2020-09-29 6:21 ` Marcel Holtmann
2020-09-29 6:53 ` Archie Pusaka
2020-10-01 7:14 ` Marcel Holtmann
2020-10-05 4:07 ` Archie Pusaka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BC59363A-B32A-4DAA-BAF5-F7FBA01752E6@holtmann.org \
--to=marcel@holtmann.org \
--cc=apusaka@chromium.org \
--cc=apusaka@google.com \
--cc=chromeos-bluetooth-upstreaming@chromium.org \
--cc=davem@davemloft.net \
--cc=johan.hedberg@gmail.com \
--cc=kuba@kernel.org \
--cc=linux-bluetooth@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.