Re: [PATCH 1/1] Bluetooth: Fix Just-Works re-pairing

Hi Matias,

> Fix Just-Works pairing responder role in case where LTK already exists.
> Currently when trying to initiate re-pairing from another device
> against Linux using Just-Works, pairing fails due to DHKey check failure
> on Linux side. This happens because mackey calculation is skipped
> totally if LTK already exists due to logic flaw in
> smp_cmd_pairing_random() function.
> 
> With this fix mackey is calculated right before requesting confirmation
> for Just-Works pairing from userspace which in turn fixes the DHKey
> calculation.
> 
> Fixes: eed467b517e8 ("Bluetooth: fix passkey uninitialized when used")
> Signed-off-by: Matias Karhumaa <matias.karhumaa@xxxxxxxxx>
> ---
> net/bluetooth/smp.c | 37 +++++++++----------------------------
> 1 file changed, 9 insertions(+), 28 deletions(-)
> 
> diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
> index b0c1ee110eff..c3ea50fcac6d 100644
> --- a/net/bluetooth/smp.c
> +++ b/net/bluetooth/smp.c
> @@ -2122,7 +2122,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
> 	struct smp_chan *smp = chan->data;
> 	struct hci_conn *hcon = conn->hcon;
> 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
> -	u32 passkey;
> +	u32 passkey = 0;
> 	int err;
> 
> 	BT_DBG("conn %p", conn);
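
Review bot: the `= 0` initialiser on the `u32 passkey` declaration hides the reason the value is safe to leave at zero, because the explicit `passkey = 0;` it stands in for is deleted in the next hunk together with the comment saying the value "can be any number since it'll be ignored anyway". Initialising at the declaration also means the compiler can no longer warn about a later path that requests confirmation without setting a passkey, which is the class of bug the commit named in the Fixes: tag addressed. Suggest assigning the value next to the point where it is used for Just-Works, or at least carrying that comment over to the declaration.
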
> @@ -2174,24 +2174,6 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
> 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
> 			     smp->prnd);
> 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
> -
> -		/* Only Just-Works pairing requires extra checks */
> -		if (smp->method != JUST_WORKS)
> -			goto mackey_and_ltk;
> -
> -		/* If there already exists long term key in local host, leave
> -		 * the decision to user space since the remote device could
> -		 * be legitimate or malicious.
> -		 */
> -		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
> -				 hcon->role)) {
> -			/* Set passkey to 0. The value can be any number since
> -			 * it'll be ignored anyway.
> -			 */
> -			passkey = 0;
> -			confirm_hint = 1;
> -			goto confirm;
> -		}
> 	}
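
Review bot: the deletion after `SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK)` drops the `hci_find_ltk()` check that set `confirm_hint = 1`, together with the only comment explaining why an existing LTK leaves the decision to user space (the remote device could be legitimate or malicious), and nothing in the lines quoted here shows where that check is reinstated. From this hunk alone it cannot be confirmed that Just-Works re-pairing over an existing LTK still asks user space for confirmation once the mackey calculation is moved. Suggest keeping the comment with the relocated check and stating in the commit message whether the confirmation requirement is unchanged.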

I have a concern if we just remove such a comment. I think the commit message needs to be a bit more explanatory and this needs a few more reviews.

Regards

Marcel



