Bluetooth: SMP: Fix not generating mackey and ltk when repairing
authorLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Mon, 17 Nov 2025 18:45:13 +0000 (13:45 -0500)
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Thu, 20 Nov 2025 22:02:07 +0000 (17:02 -0500)
The change eed467b517e8 ("Bluetooth: fix passkey uninitialized when used")
introduced a goto that bypasses the creation of temporary mackey and ltk
which are later used by the likes of DHKey Check step.

Later, ffee202a78c2 ("Bluetooth: Always request for user confirmation for
Just Works (LE SC)") means confirm_hint is always set in the JUST_WORKS
case, so the branch checking for an existing LTK becomes pointless as
confirm_hint will always be set; this just merges both cases (malicious or
legitimate device) into one where the user is asked to confirm before
continuing with the pairing procedure.

Link: https://github.com/bluez/bluez/issues/1622
Fixes: eed467b517e8 ("Bluetooth: fix passkey uninitialized when used")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
net/bluetooth/smp.c

index 45512b2ba951cc66026709f0874407d5827f178f..3a1ce04a7a5361d863a845172ad6e0efdabfd0ce 100644 (file)
@@ -2136,7 +2136,7 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
        struct smp_chan *smp = chan->data;
        struct hci_conn *hcon = conn->hcon;
        u8 *pkax, *pkbx, *na, *nb, confirm_hint;
-       u32 passkey;
+       u32 passkey = 0;
        int err;
 
        bt_dev_dbg(hcon->hdev, "conn %p", conn);
@@ -2188,24 +2188,6 @@ static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
                             smp->prnd);
                SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
-
-               /* Only Just-Works pairing requires extra checks */
-               if (smp->method != JUST_WORKS)
-                       goto mackey_and_ltk;
-
-               /* If there already exists long term key in local host, leave
-                * the decision to user space since the remote device could
-                * be legitimate or malicious.
-                */
-               if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
-                                hcon->role)) {
-                       /* Set passkey to 0. The value can be any number since
-                        * it'll be ignored anyway.
-                        */
-                       passkey = 0;
-                       confirm_hint = 1;
-                       goto confirm;
-               }
        }
 
 mackey_and_ltk:
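Review bot: The `mackey_and_ltk:` label at the end of this hunk loses its only visible user, the `goto mackey_and_ltk` removed from the responder branch just above it; unless another `goto mackey_and_ltk` survives elsewhere in smp_cmd_pairing_random (the rest of the function is outside this hunk), the label is now dead and `-Wunused-label` will warn on it. If no other jump remains, delete the `mackey_and_ltk:` line as part of this change rather than leaving an orphan label. The responder branch now falls straight through to key generation for every method, so no behaviour depends on the label either way.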
@@ -2226,11 +2208,12 @@ mackey_and_ltk:
        if (err)
                return SMP_UNSPECIFIED;
 
-       confirm_hint = 0;
-
-confirm:
-       if (smp->method == JUST_WORKS)
-               confirm_hint = 1;
+       /* Always require user confirmation for Just-Works pairing to prevent
+        * impersonation attacks, or in case of a legitimate device that is
+        * repairing use the confirmation as acknowledgment to proceed with the
+        * creation of new keys.
+        */
+       confirm_hint = smp->method == JUST_WORKS ? 1 : 0;
 
        err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
                                        hcon->dst_type, passkey, confirm_hint);
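Review bot: The deleted block documented that the passkey value is ignored once confirm_hint is set, and that information disappears with it; the new comment should carry it forward so a reader does not wonder what passkey means for Just-Works, e.g. append `* The passkey passed to mgmt_user_confirm_request() is ignored by user space when confirm_hint is set.` to the comment above the assignment. As a point of style, `confirm_hint = smp->method == JUST_WORKS ? 1 : 0;` spells out what the comparison already yields; with confirm_hint being a u8, `confirm_hint = (smp->method == JUST_WORKS);` reads more directly. The enclosing function continues past this hunk.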