From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Claudio Takahasi <claudio.takahasi@openbossa.org>,
Johan Hedberg <johan.hedberg@intel.com>
Subject: [PATCH 3.4 22/27] Bluetooth: Fix removing Long Term Key
Date: Thu, 24 Apr 2014 14:55:56 -0700 [thread overview]
Message-ID: <20140424215552.635422825@linuxfoundation.org> (raw)
In-Reply-To: <20140424215551.942390050@linuxfoundation.org>
3.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Claudio Takahasi <claudio.takahasi@openbossa.org>
commit 5981a8821b774ada0be512fd9bad7c241e17657e upstream.
This patch fixes authentication failure on LE link re-connection when
BlueZ acts as slave (peripheral). LTK is removed from the internal list
after its first use causing PIN or Key missing reply when re-connecting
the link. The LE Long Term Key Request event indicates that the master
is attempting to encrypt or re-encrypt the link.
Pre-condition: BlueZ host paired and running as slave.
How to reproduce(master):
1) Establish an ACL LE encrypted link
2) Disconnect the link
3) Try to re-establish the ACL LE encrypted link (fails)
> HCI Event: LE Meta Event (0x3e) plen 19
LE Connection Complete (0x01)
Status: Success (0x00)
Handle: 64
Role: Slave (0x01)
...
@ Device Connected: 00:02:72:DC:29:C9 (1) flags 0x0000
> HCI Event: LE Meta Event (0x3e) plen 13
LE Long Term Key Request (0x05)
Handle: 64
Random number: 875be18439d9aa37
Encryption diversifier: 0x76ed
< HCI Command: LE Long Term Key Request Reply (0x08|0x001a) plen 18
Handle: 64
Long term key: 2aa531db2fce9f00a0569c7d23d17409
> HCI Event: Command Complete (0x0e) plen 6
LE Long Term Key Request Reply (0x08|0x001a) ncmd 1
Status: Success (0x00)
Handle: 64
> HCI Event: Encryption Change (0x08) plen 4
Status: Success (0x00)
Handle: 64
Encryption: Enabled with AES-CCM (0x01)
...
@ Device Disconnected: 00:02:72:DC:29:C9 (1) reason 3
< HCI Command: LE Set Advertise Enable (0x08|0x000a) plen 1
Advertising: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4
LE Set Advertise Enable (0x08|0x000a) ncmd 1
Status: Success (0x00)
> HCI Event: LE Meta Event (0x3e) plen 19
LE Connection Complete (0x01)
Status: Success (0x00)
Handle: 64
Role: Slave (0x01)
...
@ Device Connected: 00:02:72:DC:29:C9 (1) flags 0x0000
> HCI Event: LE Meta Event (0x3e) plen 13
LE Long Term Key Request (0x05)
Handle: 64
Random number: 875be18439d9aa37
Encryption diversifier: 0x76ed
< HCI Command: LE Long Term Key Request Neg Reply (0x08|0x001b) plen 2
Handle: 64
> HCI Event: Command Complete (0x0e) plen 6
LE Long Term Key Request Neg Reply (0x08|0x001b) ncmd 1
Status: Success (0x00)
Handle: 64
> HCI Event: Disconnect Complete (0x05) plen 4
Status: Success (0x00)
Handle: 64
Reason: Authentication Failure (0x05)
@ Device Disconnected: 00:02:72:DC:29:C9 (1) reason 0
Signed-off-by: Claudio Takahasi <claudio.takahasi@openbossa.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3383,7 +3383,13 @@ static inline void hci_le_ltk_request_ev
hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp);
- if (ltk->type & HCI_SMP_STK) {
+ /* Ref. Bluetooth Core SPEC pages 1975 and 2004. STK is a
+ * temporary key used to encrypt a connection following
+ * pairing. It is used during the Encrypted Session Setup to
+ * distribute the keys. Later, security can be re-established
+ * using a distributed LTK.
+ */
+ if (ltk->type == HCI_SMP_STK_SLAVE) {
list_del(<k->list);
kfree(ltk);
}
next prev parent reply other threads:[~2014-04-24 22:00 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-04-24 21:55 [PATCH 3.4 00/27] 3.4.88-stable review Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 01/27] net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 03/27] net: unix: non blocking recvmsg() should not return -EINTR Greg Kroah-Hartman
2014-04-24 22:01 ` Rainer Weikusat
2014-04-24 22:19 ` Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 04/27] ipv6: dont set DST_NOCOUNT for remotely added routes Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 06/27] net: socket: error on a negative msg_namelen Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 07/27] ipv6: Avoid unnecessary temporary addresses being generated Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 08/27] ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment properly Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 09/27] vhost: fix total length when packets are too short Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 10/27] vhost: validate vhost_get_vq_desc return value Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 11/27] xen-netback: remove pointless clause from if statement Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 12/27] ipv6: some ipv6 statistic counters failed to disable bh Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 13/27] netlink: dont compare the nul-termination in nla_strcmp Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 14/27] isdnloop: Validate NUL-terminated strings from user Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 15/27] isdnloop: several buffer overflows Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 16/27] rds: prevent dereference of a NULL device in rds_iw_laddr_check Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 17/27] sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on Simba-bridges Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 18/27] Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines." Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 19/27] sparc32: fix build failure for arch_jump_label_transform Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 20/27] sparc64: dont treat 64-bit syscall return codes as 32-bit Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 21/27] Char: ipmi_bt_sm, fix infinite loop Greg Kroah-Hartman
2014-04-24 21:55 ` Greg Kroah-Hartman [this message]
2014-04-24 21:55 ` [PATCH 3.4 23/27] jffs2: Fix segmentation fault found in stress test Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 24/27] jffs2: Fix crash due to truncation of csize Greg Kroah-Hartman
2014-04-24 21:55 ` [PATCH 3.4 25/27] jffs2: avoid soft-lockup in jffs2_reserve_space_gc() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 26/27] jffs2: remove from wait queue after schedule() Greg Kroah-Hartman
2014-04-24 21:56 ` [PATCH 3.4 27/27] wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race Greg Kroah-Hartman
2014-04-25 0:12 ` [PATCH 3.4 00/27] 3.4.88-stable review Guenter Roeck
2014-04-25 17:21 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140424215552.635422825@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=claudio.takahasi@openbossa.org \
--cc=johan.hedberg@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox