lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 22 Sep 2020 15:56:11 +0800 From: Archie Pusaka <apusaka@...gle.com> To: linux-bluetooth <linux-bluetooth@...r.kernel.org>, Marcel Holtmann <marcel@...tmann.org> Cc: CrosBT Upstreaming <chromeos-bluetooth-upstreaming@...omium.org>, Archie Pusaka <apusaka@...omium.org>, "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, Johan Hedberg <johan.hedberg@...il.com>, linux-kernel@...r.kernel.org, netdev@...r.kernel.org Subject: [PATCH v3] Bluetooth: Check for encryption key size on connect From: Archie Pusaka <apusaka@...omium.org> When receiving connection, we only check whether the link has been encrypted, but not the encryption key size of the link. This patch adds check for encryption key size, and reject L2CAP connection which size is below the specified threshold (default 7) with security block. Here is some btmon trace. @ MGMT Event: New Link Key (0x0009) plen 26 {0x0001} [hci0] 5.847722 Store hint: No (0x00) BR/EDR Address: 38:00:25:F7:F1:B0 (OUI 38-00-25) Key type: Unauthenticated Combination key from P-192 (0x04) Link key: 7bf2f68c81305d63a6b0ee2c5a7a34bc PIN length: 0 > HCI Event: Encryption Change (0x08) plen 4 #29 [hci0] 5.871537 Status: Success (0x00) Handle: 256 Encryption: Enabled with E0 (0x01) < HCI Command: Read Encryp... (0x05|0x0008) plen 2 #30 [hci0] 5.871609 Handle: 256 > HCI Event: Command Complete (0x0e) plen 7 #31 [hci0] 5.872524 Read Encryption Key Size (0x05|0x0008) ncmd 1 Status: Success (0x00) Handle: 256 Key size: 3 ////// WITHOUT PATCH ////// > ACL Data RX: Handle 256 flags 0x02 dlen 12 #42 [hci0] 5.895023 L2CAP: Connection Request (0x02) ident 3 len 4 PSM: 4097 (0x1001) Source CID: 64 < ACL Data TX: Handle 256 flags 0x00 dlen 16 #43 [hci0] 5.895213 L2CAP: Connection Response (0x03) ident 3 len 8 Destination CID: 64 Source CID: 64 Result: Connection successful (0x0000) Status: No further information available (0x0000) ////// WITH PATCH ////// > ACL Data RX: Handle 256 flags 0x02 dlen 12 #42 [hci0] 4.887024 L2CAP: Connection Request (0x02) ident 3 len 4 PSM: 4097 (0x1001) Source CID: 64 < ACL Data TX: Handle 256 flags 0x00 dlen 16 #43 [hci0] 4.887127 L2CAP: Connection Response (0x03) ident 3 len 8 Destination CID: 0 Source CID: 64 Result: Connection refused - security block (0x0003) Status: No further information available (0x0000) Signed-off-by: Archie Pusaka <apusaka@...omium.org> --- Changes in v3: * Move the check to hci_conn_check_link_mode() Changes in v2: * Add btmon trace to the commit message net/bluetooth/hci_conn.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c index 9832f8445d43..89085fac797c 100644 --- a/net/bluetooth/hci_conn.c +++ b/net/bluetooth/hci_conn.c @@ -1348,6 +1348,10 @@ int hci_conn_check_link_mode(struct hci_conn *conn) !test_bit(HCI_CONN_ENCRYPT, &conn->flags)) return 0; + if (test_bit(HCI_CONN_ENCRYPT, &conn->flags) && + conn->enc_key_size < conn->hdev->min_enc_key_size) + return 0; + return 1; } -- 2.28.0.681.g6f77f65b4e-goog
Powered by blists - more mailing lists