* [PATCH 0/4] Bluetooth: Fix initiator/responder addresses for SMP
From: johan.hedberg @ 2014-02-27 12:05 UTC
To: linux-bluetooth
Hi,

I'm presenting this patch set as an alternative to the two patches from
Marcel. The main difference is that we trade some more complexity during
the connection creation phase with less complexity in looking up the
values in SMP when the time comes for calling the smp_c1 function.

One source of extra complexity is the attempt to handle the case of
whitelist initiated connections. Since we do not use those I'm not
completely sure it's worth to have code for it. If the handling is not
needed patch 3/4 gets a bit simpler and patch 2/4 can potentially be
dropped (I added that new function mainly to make 3/4 actually readable
with this extra whitelist handling logic).

Johan
----------------------------------------------------------------
Johan Hedberg (4):
Bluetooth: Add tracking of advertising address type
Bluetooth: Add hci_copy_identity_address convenience function
Bluetooth: Track LE initiator and responder address information
Bluetooth: Use hdev->init/resp_addr values for smp_c1 function
include/net/bluetooth/hci_core.h | 7 +++
net/bluetooth/hci_core.c | 35 ++++++++---
net/bluetooth/hci_event.c | 114 ++++++++++++++++++++++++++++++-----
net/bluetooth/smp.c | 22 ++-----
4 files changed, 136 insertions(+), 42 deletions(-)
* [PATCH 1/4] Bluetooth: Add tracking of advertising address type
From: johan.hedberg @ 2014-02-27 12:05 UTC
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
To know the real source address for incoming connections (needed e.g.
for SMP) we should store the own_address_type parameter that was used
for the last HCI_LE_Write_Advertising_Parameters command. This patch
adds a proper command complete handler for the command and stores the
address type in a new adv_addr_type variable in the hci_dev struct.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
include/net/bluetooth/hci_core.h | 1 +
net/bluetooth/hci_event.c | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 79a75edc62d0..853376df4f99 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -156,6 +156,7 @@ struct hci_dev {
bdaddr_t bdaddr;
bdaddr_t random_addr;
bdaddr_t static_addr;
+ __u8 adv_addr_type;
__u8 dev_name[HCI_MAX_NAME_LENGTH];
__u8 short_name[HCI_MAX_SHORT_NAME_LENGTH];
__u8 eir[HCI_MAX_EIR_LENGTH];
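Review bot: the new adv_addr_type field in struct hci_dev has no comment and no visible initialisation. Nothing in this patch sets it until an HCI_OP_LE_SET_ADV_PARAM command completes successfully, so a reader cannot tell what value it is meant to hold before that. Suggest a one-line comment on the field saying that it mirrors own_address_type from the last successful LE Set Advertising Parameters command, and what the intended default is.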
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index cda92db2a9fc..f26e91f72930 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1078,6 +1078,25 @@ static void hci_cc_write_le_host_supported(struct hci_dev *hdev,
}
}
+static void hci_cc_set_adv_param(struct hci_dev *hdev, struct sk_buff *skb)
+{
+ struct hci_cp_le_set_adv_param *cp;
+ u8 status = *((u8 *) skb->data);
+
+ BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+ if (status)
+ return;
+
+ cp = hci_sent_cmd_data(hdev, HCI_OP_LE_SET_ADV_PARAM);
+ if (!cp)
+ return;
+
+ hci_dev_lock(hdev);
+ hdev->adv_addr_type = cp->own_address_type;
+ hci_dev_unlock(hdev);
+}
+
static void hci_cc_write_remote_amp_assoc(struct hci_dev *hdev,
struct sk_buff *skb)
{
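Review bot: in hci_cc_set_adv_param the status byte is read with *((u8 *) skb->data) before anything checks that the event carries a payload byte. If this handler is meant to be safe against a short Command Complete event from the controller, test skb->len first and return early, the same way the function already returns early on a non-zero status or a NULL cp.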
@@ -2367,6 +2386,10 @@ static void hci_cmd_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
hci_cc_write_le_host_supported(hdev, skb);
break;
+ case HCI_OP_LE_SET_ADV_PARAM:
+ hci_cc_set_adv_param(hdev, skb);
+ break;
+
case HCI_OP_WRITE_REMOTE_AMP_ASSOC:
hci_cc_write_remote_amp_assoc(hdev, skb);
break;
--
1.8.5.3
* [PATCH 2/4] Bluetooth: Add hci_copy_identity_address convenience function
From: johan.hedberg @ 2014-02-27 12:05 UTC
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
The number of places needing the local Identity Address is starting to
grow so it's better to have a single place for the logic of determining
it. This patch adds a convenience function for getting the Identity
Address and updates the two current places needing this to use it.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
include/net/bluetooth/hci_core.h | 2 ++
net/bluetooth/hci_core.c | 35 +++++++++++++++++++++++++----------
net/bluetooth/hci_event.c | 17 +----------------
3 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 853376df4f99..093d05eeb3fa 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1292,6 +1292,8 @@ void hci_le_start_enc(struct hci_conn *conn, __le16 ediv, __u8 rand[8],
int hci_update_random_address(struct hci_request *req, bool require_privacy,
u8 *own_addr_type);
+void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ u8 *bdaddr_type);
#define SCO_AIRMODE_MASK 0x0003
#define SCO_AIRMODE_CVSD 0x0000
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index bbd085d32d78..7113d4cc085f 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -582,21 +582,14 @@ DEFINE_SIMPLE_ATTRIBUTE(sniff_max_interval_fops, sniff_max_interval_get,
static int identity_show(struct seq_file *f, void *p)
{
struct hci_dev *hdev = f->private;
- bdaddr_t *addr;
+ bdaddr_t addr;
u8 addr_type;
hci_dev_lock(hdev);
- if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
- !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
- addr = &hdev->static_addr;
- addr_type = ADDR_LE_DEV_RANDOM;
- } else {
- addr = &hdev->bdaddr;
- addr_type = ADDR_LE_DEV_PUBLIC;
- }
+ hci_copy_identity_address(hdev, &addr, &addr_type);
- seq_printf(f, "%pMR (type %u) %*phN %pMR\n", addr, addr_type,
+ seq_printf(f, "%pMR (type %u) %*phN %pMR\n", &addr, addr_type,
16, hdev->irk, &hdev->rpa);
hci_dev_unlock(hdev);
@@ -3636,6 +3629,28 @@ int hci_update_random_address(struct hci_request *req, bool require_privacy,
return 0;
}
+/* Copy the Identity Address of the controller.
+ *
+ * If the controller has a public BD_ADDR, then by default use that one.
+ * If this is a LE only controller without a public address, default to
+ * the static random address.
+ *
+ * For debugging purposes it is possible to force controllers with a
+ * public address to use the static random address instead.
+ */
+void hci_copy_identity_address(struct hci_dev *hdev, bdaddr_t *bdaddr,
+ u8 *bdaddr_type)
+{
+ if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
+ !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
+ bacpy(bdaddr, &hdev->static_addr);
+ *bdaddr_type = ADDR_LE_DEV_RANDOM;
+ } else {
+ bacpy(bdaddr, &hdev->bdaddr);
+ *bdaddr_type = ADDR_LE_DEV_PUBLIC;
+ }
+}
+
/* Alloc HCI device */
struct hci_dev *hci_alloc_dev(void)
{
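Review bot: the comment on hci_copy_identity_address does not say what locking the caller must hold, although the function reads hdev->dev_flags, hdev->bdaddr and hdev->static_addr. identity_show calls it between hci_dev_lock and hci_dev_unlock; if that is the rule, state it in the comment so later callers follow it. It is also worth saying what the caller gets when hdev->bdaddr is BDADDR_ANY and no static address has been configured, since the first branch copies hdev->static_addr unconditionally.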
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index f26e91f72930..162235633bf5 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3665,23 +3665,8 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
/* Ensure that the hci_conn contains the identity address type
* regardless of which address the connection was made with.
- *
- * If the controller has a public BD_ADDR, then by default
- * use that one. If this is a LE only controller without
- * a public address, default to the static random address.
- *
- * For debugging purposes it is possible to force
- * controllers with a public address to use the static
- * random address instead.
*/
- if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dev_flags) ||
- !bacmp(&hdev->bdaddr, BDADDR_ANY)) {
- bacpy(&conn->src, &hdev->static_addr);
- conn->src_type = ADDR_LE_DEV_RANDOM;
- } else {
- bacpy(&conn->src, &hdev->bdaddr);
- conn->src_type = ADDR_LE_DEV_PUBLIC;
- }
+ hci_copy_identity_address(hdev, &conn->src, &conn->src_type);
/* Lookup the identity address from the stored connection
* address and address type.
--
1.8.5.3
* [PATCH 3/4] Bluetooth: Track LE initiator and responder address information
From: johan.hedberg @ 2014-02-27 12:05 UTC
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
For SMP we need the local and remote addresses (and their types) that
were used to establish the connection. These may be different from the
Identity Addresses or even the current RPA. To guarantee that we have
this information available and it is correct, track these values
separately from the very beginning of the connection.

For outgoing connections we set the values as soon as we get a
successful command status for HCI_LE_Create_Connection (for which the
patch adds a command status handler function) and for incoming
connections as soon as we get a LE Connection Complete HCI event.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
include/net/bluetooth/hci_core.h | 4 +++
net/bluetooth/hci_event.c | 74 ++++++++++++++++++++++++++++++++++++++++
2 files changed, 78 insertions(+)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 093d05eeb3fa..f18f342bb120 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -331,6 +331,10 @@ struct hci_conn {
__u8 dst_type;
bdaddr_t src;
__u8 src_type;
+ bdaddr_t init_addr;
+ __u8 init_addr_type;
+ bdaddr_t resp_addr;
+ __u8 resp_addr_type;
__u16 handle;
__u16 state;
__u8 mode;
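Review bot: the four new hci_conn fields sit directly below src/src_type with no comment explaining how they differ. The commit message says init_addr/resp_addr are the addresses used to establish the connection and may differ from the Identity Addresses; put that in a short comment above init_addr so the new fields are not later mistaken for identity addresses, and src/dst are not passed to SMP again.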
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 162235633bf5..203a4f1c32b1 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -1598,6 +1598,47 @@ static void hci_cs_accept_phylink(struct hci_dev *hdev, u8 status)
amp_write_remote_assoc(hdev, cp->phy_handle);
}
+static void hci_cs_le_create_conn(struct hci_dev *hdev, u8 status)
+{
+ struct hci_cp_le_create_conn *cp;
+ struct hci_conn *conn;
+
+ BT_DBG("%s status 0x%2.2x", hdev->name, status);
+
+ /* All connection failure handling is taken care of by the
+ * hci_le_conn_failed function which is triggered by the HCI
+ * request completion callbacks used for connecting.
+ */
+ if (status)
+ return;
+
+ cp = hci_sent_cmd_data(hdev, HCI_OP_LE_CREATE_CONN);
+ if (!cp)
+ return;
+
+ hci_dev_lock(hdev);
+
+ conn = hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr);
+ if (!conn)
+ goto unlock;
+
+ /* Store the initiator and responder address information which
+ * is needed for SMP. These values will not change during the
+ * lifetime of the connection.
+ */
+ conn->init_addr_type = cp->own_address_type;
+ if (cp->own_address_type == ADDR_LE_DEV_RANDOM)
+ bacpy(&conn->init_addr, &hdev->random_addr);
+ else
+ bacpy(&conn->init_addr, &hdev->bdaddr);
+
+ conn->resp_addr_type = cp->peer_addr_type;
+ bacpy(&conn->resp_addr, &cp->peer_addr);
+
+unlock:
+ hci_dev_unlock(hdev);
+}
+
static void hci_inquiry_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
{
__u8 status = *((__u8 *) skb->data);
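Review bot: the lookup in hci_cs_le_create_conn is keyed on cp->peer_addr alone (hci_conn_hash_lookup_ba(hdev, LE_LINK, &cp->peer_addr)); cp->peer_addr_type is copied into resp_addr_type afterwards but never compared against the connection that was found. If the hci_conn returned is expected to be the one this command was sent for, consider also checking its destination address type, or add a comment saying why matching on the address bytes is sufficient here.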
@@ -2477,6 +2518,10 @@ static void hci_cmd_status_evt(struct hci_dev *hdev, struct sk_buff *skb)
hci_cs_accept_phylink(hdev, ev->status);
break;
+ case HCI_OP_LE_CREATE_CONN:
+ hci_cs_le_create_conn(hdev, ev->status);
+ break;
+
default:
BT_DBG("%s opcode 0x%4.4x", hdev->name, opcode);
break;
@@ -3661,6 +3706,35 @@ static void hci_le_conn_complete_evt(struct hci_dev *hdev, struct sk_buff *skb)
conn->out = true;
conn->link_mode |= HCI_LM_MASTER;
}
+
+ /* If we didn't have a hci_conn object previously
+ * but we're in master role this must be something
+ * initiated using a white list.
+ */
+ if (conn->out) {
+ conn->resp_addr_type = ev->bdaddr_type;
+ bacpy(&conn->resp_addr, &ev->bdaddr);
+ if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) {
+ conn->init_addr_type = ADDR_LE_DEV_RANDOM;
+ bacpy(&conn->init_addr, &hdev->rpa);
+ } else {
+ hci_copy_identity_address(hdev,
+ &conn->init_addr,
+ &conn->init_addr_type);
+ }
+ } else {
+ /* Set the responder (our side) address type based on
+ * the advertising address type.
+ */
+ conn->resp_addr_type = hdev->adv_addr_type;
+ if (hdev->adv_addr_type == ADDR_LE_DEV_RANDOM)
+ bacpy(&conn->resp_addr, &hdev->random_addr);
+ else
+ bacpy(&conn->resp_addr, &hdev->bdaddr);
+
+ conn->init_addr_type = ev->bdaddr_type;
+ bacpy(&conn->init_addr, &ev->bdaddr);
+ }
}
/* Ensure that the hci_conn contains the identity address type
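Review bot: the white list branch (if (conn->out)) takes the initiator address from hdev->rpa when HCI_PRIVACY is set, while hci_cs_le_create_conn and the responder branch just below it both read hdev->random_addr. Since these values are what patch 4/4 feeds into smp_c1, all three paths should agree on which variable holds the random address that was actually used on the air; either use hdev->random_addr here as well or add a comment on why hdev->rpa is the right source. This branch also infers the own address type from flags rather than from a command that was sent, which is the extra complexity the cover letter questions.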
--
1.8.5.3
* [PATCH 4/4] Bluetooth: Use hdev->init/resp_addr values for smp_c1 function
From: johan.hedberg @ 2014-02-27 12:05 UTC
To: linux-bluetooth
From: Johan Hedberg <johan.hedberg@intel.com>
Now that we have nicely tracked values of the initiator and responder
address information we can pass that directly to the smp_c1 function
without worrying e.g. about who initiated the connection. This patch
updates the two places in smp.c to use the new variables.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
---
net/bluetooth/smp.c | 22 ++++++----------------
1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 52708f79545f..c7ba30dcb907 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -445,14 +445,9 @@ static void confirm_work(struct work_struct *work)
/* Prevent mutual access to hdev->tfm_aes */
hci_dev_lock(hdev);
- if (conn->hcon->out)
- ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
- conn->hcon->src_type, &conn->hcon->src,
- conn->hcon->dst_type, &conn->hcon->dst, res);
- else
- ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
- conn->hcon->dst_type, &conn->hcon->dst,
- conn->hcon->src_type, &conn->hcon->src, res);
+ ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
+ conn->hcon->init_addr_type, &conn->hcon->init_addr,
+ conn->hcon->resp_addr_type, &conn->hcon->resp_addr, res);
hci_dev_unlock(hdev);
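Review bot: confirm_work now passes conn->hcon->init_addr and conn->hcon->resp_addr to smp_c1 unconditionally, so the confirm value depends on patch 3/4 having filled them in on every path. hci_cs_le_create_conn returns early without touching them when hci_sent_cmd_data returns NULL, and nothing at this call site detects that. Suggest a BT_DBG of the two address/type pairs before the call, or a check that they were set, so that an unpopulated pair shows up as something more specific than a failed pairing.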
@@ -492,14 +487,9 @@ static void random_work(struct work_struct *work)
/* Prevent mutual access to hdev->tfm_aes */
hci_dev_lock(hdev);
- if (hcon->out)
- ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
- hcon->src_type, &hcon->src,
- hcon->dst_type, &hcon->dst, res);
- else
- ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
- hcon->dst_type, &hcon->dst,
- hcon->src_type, &hcon->src, res);
+ ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
+ hcon->init_addr_type, &hcon->init_addr,
+ hcon->resp_addr_type, &hcon->resp_addr, res);
hci_dev_unlock(hdev);
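Review bot: the call in random_work reads hcon->init_addr and hcon->resp_addr, which patch 3/4 added to struct hci_conn, but the subject line of this patch says hdev->init/resp_addr. Fix the subject to name hcon (or hci_conn) so the log matches what the code does.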
--
1.8.5.3
* Re: [PATCH 0/4] Bluetooth: Fix initiator/responder addresses for SMP
From: Marcel Holtmann @ 2014-02-27 16:51 UTC
To: Johan Hedberg; +Cc: linux-bluetooth
Hi Johan,
> I'm presenting this patch set as an alternative to the two patches from
> Marcel. The main difference is that we trade some more complexity during
> the connection creation phase with less complexity in looking up the
> values in SMP when the time comes for calling the smp_c1 function.
>
> One source of extra complexity is the attempt to handle the case of
> whitelist initiated connections. Since we do not use those I'm not
> completely sure it's worth to have code for it. If the handling is not
> needed patch 3/4 gets a bit simpler and patch 2/4 can potentially be
> dropped (I added that new function mainly to make 3/4 actually readable
> with this extra whitelist handling logic).
>
> Johan
>
> ----------------------------------------------------------------
> Johan Hedberg (4):
> Bluetooth: Add tracking of advertising address type
> Bluetooth: Add hci_copy_identity_address convenience function
> Bluetooth: Track LE initiator and responder address information
> Bluetooth: Use hdev->init/resp_addr values for smp_c1 function
>
> include/net/bluetooth/hci_core.h | 7 +++
> net/bluetooth/hci_core.c | 35 ++++++++---
> net/bluetooth/hci_event.c | 114 ++++++++++++++++++++++++++++++-----
> net/bluetooth/smp.c | 22 ++-----
> 4 files changed, 136 insertions(+), 42 deletions(-)
I applied patch 1 and patch 2 to bluetooth-next tree.
Regards
Marcel