Draft: Bluetooth: Add more enc key size check

Bluetooth: Add more enc key size check

JIRA: https://issues.redhat.com/browse/RHEL-19668

CVE: CVE-2023-24023

    commit 04a342cc49a8522e99c9b3346371c329d841dcd2
    Author: Alex Lu <alex_lu@realsil.com.cn>
    Date:   Tue Dec 12 10:30:34 2023 +0800
    
        Bluetooth: Add more enc key size check
    
        When we are slave role and receives l2cap conn req when encryption has
        started, we should check the enc key size to avoid KNOB attack or BLUFFS
        attack.
        From SIG recommendation, implementations are advised to reject
        service-level connections on an encrypted baseband link with key
        strengths below 7 octets.
        A simple and clear way to achieve this is to place the enc key size
        check in hci_cc_read_enc_key_size()
    
        The btmon log below shows the case that lacks enc key size check.
    
        > HCI Event: Connect Request (0x04) plen 10
                Address: BB:22:33:44:55:99 (OUI BB-22-33)
                Class: 0x480104
                  Major class: Computer (desktop, notebook, PDA, organizers)
                  Minor class: Desktop workstation
                  Capturing (Scanner, Microphone)
                  Telephony (Cordless telephony, Modem, Headset)
                Link type: ACL (0x01)
        < HCI Command: Accept Connection Request (0x01|0x0009) plen 7
                Address: BB:22:33:44:55:99 (OUI BB-22-33)
                Role: Peripheral (0x01)
        > HCI Event: Command Status (0x0f) plen 4
              Accept Connection Request (0x01|0x0009) ncmd 2
                Status: Success (0x00)
        > HCI Event: Connect Complete (0x03) plen 11
                Status: Success (0x00)
                Handle: 1
                Address: BB:22:33:44:55:99 (OUI BB-22-33)
                Link type: ACL (0x01)
                Encryption: Disabled (0x00)
        ...
    
        > HCI Event: Encryption Change (0x08) plen 4
                Status: Success (0x00)
                Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
                Encryption: Enabled with E0 (0x01)
        < HCI Command: Read Encryption Key Size (0x05|0x0008) plen 2
                Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
        > HCI Event: Command Complete (0x0e) plen 7
              Read Encryption Key Size (0x05|0x0008) ncmd 2
                Status: Success (0x00)
                Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
                Key size: 6
        // We should check the enc key size
        ...
    
        > ACL Data RX: Handle 1 flags 0x02 dlen 12
              L2CAP: Connection Request (0x02) ident 3 len 4
                PSM: 25 (0x0019)
                Source CID: 64
        < ACL Data TX: Handle 1 flags 0x00 dlen 16
              L2CAP: Connection Response (0x03) ident 3 len 8
                Destination CID: 64
                Source CID: 64
                Result: Connection pending (0x0001)
                Status: Authorization pending (0x0002)
        > HCI Event: Number of Completed Packets (0x13) plen 5
                Num handles: 1
                Handle: 1 Address: BB:22:33:44:55:99 (OUI BB-22-33)
                Count: 1
                #35: len 16 (25 Kb/s)
                Latency: 5 msec (2-7 msec ~4 msec)
        < ACL Data TX: Handle 1 flags 0x00 dlen 16
              L2CAP: Connection Response (0x03) ident 3 len 8
                Destination CID: 64
                Source CID: 64
                Result: Connection successful (0x0000)
                Status: No further information available (0x0000)
    
        Cc: stable@vger.kernel.org
        Signed-off-by: Alex Lu <alex_lu@realsil.com.cn>
        Signed-off-by: Max Chou <max.chou@realtek.com>
        Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
    

Signed-off-by: David Marlin dmarlin@redhat.com