When encrypted connections are configured, verify that the encryption
key length has a minimum size when the adaptor supports that.

This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506

https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/

branches: 1.25.4;

Result of audit to check that mbuf length is checked before m_copydata()
and that any data supposedly copied out is valid before use.

prompted by maxv@, I have checked every usage of m_copydata() and made
the following corrections

hci_event.c:
hci_event_command_compl()
check that the packet does contain enough data for there to
be a status code before noting possible failures.

hci_event_num_compl_pkts()
check that the packet does contain data to cover the
stated number of handle/num pairs

l2cap_signal.c:
l2cap_recv_signal()
just ignore packets with not enough data rather than
trying to reject them (may not have cmd.ident)

l2cap_recv_command_rej()
check we have a valid reason and/or data before use

branches: 1.24.10; 1.24.16; 1.24.18;
add version and extended feature flags defined in 4.2 specification,
add cache for page 2 of extended features and return this in
the SIOCGBTFEAT ioctl (no change in size)

branches: 1.23.12; 1.23.28; 1.23.30; 1.23.32; 1.23.36;

cleanup some DIAGNOSTIC and KASSERT code

- remove #ifdef DIAGNOSTIC, so that we won't act
differently

- handle the cases where a Bluetooth adapter
sends invalid packet data (I've not seen this,
but it is not impossible)

- use KASSERT for actual impossible situations
(to catch bad future development)

upon device initialisation, query and cache the device features,
and cache the maximum ACL/SCO packet buffers.

provide an additional SIOCGBTFEAT ioctl to retrieve the cached
features, and add the max values to the SIOC?BTINFO results.

(btreq does not change size)

branches: 1.21.4;
slight reordering, plus only deal with ACL links

add devices seen in "Extended Inquiry Result" to the cache

add a per-unit master setting, to control requesting the master role
when accepting connections.

branches: 1.18.2;
Merge the socket locking patch:

- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.

branches: 1.17.2;
move the updating of num_cmd_pkts to its own function, mostly so that
pending commands will be output on the device in the order that they
were queued.

insert new links at the tail of the queue so that if a create_connection
command fails to start we can find the relevant link, since it will be
the first one with the pending flag set.

a "Create Connection" command can sometimes fail to start for whatever
reason and the command_status event returns failure but we get no
indication of which connection failed (for instance in the case where
we tried to open too many connections all at once)

So, keep a flag on the link to indicate pending status until the
command_status event is returned to help us decide which should
be failed.

branches: 1.14.2; 1.14.6;
add HCI definitions from the Bluetooth 2.1 spec

request and keep a mask of supported commands per unit in order
to block unsupported HCI commands sent by unprivileged users
reaching the device.

branches: 1.12.6;
[experimentally] report failing commands

this does happen sometimes and I would like to see if it happens
more often than I know of.

Clean up the way that bluetooth drivers attach to the bluetooth stack,
to remove the frobbing that drivers must do in the hci_unit structure.

- driver provides a static const interface descriptor
- hci_unit is allocated by hci_attach() rather than part of softc
- statistics are compiled by driver and provided on request
- driver provides output methods and is responsible for output queue
- stack provides input methods and is responsible for input queue
- mutex is used to arbitrate device queue access

use more device_t and device_xxx() accessors

make bluetooth stack keep device_t instead of softc pointer as
device is not necessarily part of softc, and pass device_t to
driver callbacks. hci_devname is no longer required.

branches: 1.9.4; 1.9.6;
improve memo taking of known bluetooth devices

- centralise creation of new memo into function
hci_memo_new(), when a memo exists for that address,
just update the timestamp.

- all results of inquiry/rssi result are processed; even
if no memo can be allocated, we may update a timestamp.

- for new connections, query the clock offset of the remote
device, in order that we can use it to facilitate future
reconnections

- as a connection is removed, make a memo of the clock offset

add event processing for "Inquiry result with RSSI", and modify the memo
contents so that this will fit.

branches: 1.7.4; 1.7.6; 1.7.8;
not necessary to cast to (void *) (from caddr_t removal)

branches: 1.6.2;
Add 'service level' security for L2CAP and RFCOMM connections, following
the Linux (BlueZ) API.

- L2CAP or RFCOMM connections can require the baseband radio link
mode be any of:
authenticated (devices are paired)
encrypted (implies authentication)
secured (encryption, plus generate new link key)

- for sockets, the mode is set using setsockopt(2) and the socket
connection will be aborted if the mode change fails.

- mode settings will be applied during connection establishment, and
for safety, we enter a wait state and will only proceed when the mode
settings are successfuly set.

- It is possible to change the mode on already open connections, but
not possible to guarantee that data already queued (from either end)
will not be delivered. (this is a feature, not a bug)

- bthidev(4) and rfcomm_sppd(1) support "auth", "encrypt" and
"secure" options

- btdevctl(8) by default enables "auth" for HIDs, and "encrypt" for
keyboards (which are required to support it)

remove default setting of bluetooth_debug, since 'options BLUETOOTH_DEBUG'
causes it to fail

remove C++ style comments

branches: 1.3.2; 1.3.4; 1.3.6;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.2.4; 1.2.6; 1.2.10;
Endian issues:

hci_event.c:
- Convert memo->response.clock_offset to host-endian.

hci_ioctl.c:
- printf format tweak (size_t)

hci_link.c:
- Convert memo->response.clock_offset from host-endian.
- Tweak a DIAGNOSTIC message.

l2cap_signal.c:
- In l2cap_recv_config_req(), rp->scid is little-endian so make sure
we convert from host-endian.

from scw@

branches: 1.1.2; 1.1.4; 1.1.6; 1.1.8; 1.1.10; 1.1.12; 1.1.14;
Initial import of bluetooth stack on behalf of Iain Hibbert. (plunky@,
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.

The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.

Drivers for both PCMCIA and USB bluetooth controllers are included.

Result of audit to check that mbuf length is checked before m_copydata()
and that any data supposedly copied out is valid before use.

prompted by maxv@, I have checked every usage of m_copydata() and made
the following corrections

hci_event.c:
hci_event_command_compl()
check that the packet does contain enough data for there to
be a status code before noting possible failures.

hci_event_num_compl_pkts()
check that the packet does contain data to cover the
stated number of handle/num pairs

l2cap_signal.c:
l2cap_recv_signal()
just ignore packets with not enough data rather than
trying to reject them (may not have cmd.ident)

l2cap_recv_command_rej()
check we have a valid reason and/or data before use

branches: 1.24.16;
add version and extended feature flags defined in 4.2 specification,
add cache for page 2 of extended features and return this in
the SIOCGBTFEAT ioctl (no change in size)

branches: 1.23.12; 1.23.30;

cleanup some DIAGNOSTIC and KASSERT code

- remove #ifdef DIAGNOSTIC, so that we won't act
differently

- handle the cases where a Bluetooth adapter
sends invalid packet data (I've not seen this,
but it is not impossible)

- use KASSERT for actual impossible situations
(to catch bad future development)

upon device initialisation, query and cache the device features,
and cache the maximum ACL/SCO packet buffers.

provide an additional SIOCGBTFEAT ioctl to retrieve the cached
features, and add the max values to the SIOC?BTINFO results.

(btreq does not change size)

branches: 1.21.4;
slight reordering, plus only deal with ACL links

add devices seen in "Extended Inquiry Result" to the cache

add a per-unit master setting, to control requesting the master role
when accepting connections.

branches: 1.18.2;
Merge the socket locking patch:

- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.

branches: 1.17.2;
move the updating of num_cmd_pkts to its own function, mostly so that
pending commands will be output on the device in the order that they
were queued.

insert new links at the tail of the queue so that if a create_connection
command fails to start we can find the relevant link, since it will be
the first one with the pending flag set.

a "Create Connection" command can sometimes fail to start for whatever
reason and the command_status event returns failure but we get no
indication of which connection failed (for instance in the case where
we tried to open too many connections all at once)

So, keep a flag on the link to indicate pending status until the
command_status event is returned to help us decide which should
be failed.

branches: 1.14.2; 1.14.6;
add HCI definitions from the Bluetooth 2.1 spec

request and keep a mask of supported commands per unit in order
to block unsupported HCI commands sent by unprivileged users
reaching the device.

branches: 1.12.6;
[experimentally] report failing commands

this does happen sometimes and I would like to see if it happens
more often than I know of.

Clean up the way that bluetooth drivers attach to the bluetooth stack,
to remove the frobbing that drivers must do in the hci_unit structure.

- driver provides a static const interface descriptor
- hci_unit is allocated by hci_attach() rather than part of softc
- statistics are compiled by driver and provided on request
- driver provides output methods and is responsible for output queue
- stack provides input methods and is responsible for input queue
- mutex is used to arbitrate device queue access

use more device_t and device_xxx() accessors

make bluetooth stack keep device_t instead of softc pointer as
device is not necessarily part of softc, and pass device_t to
driver callbacks. hci_devname is no longer required.

branches: 1.9.4; 1.9.6;
improve memo taking of known bluetooth devices

- centralise creation of new memo into function
hci_memo_new(), when a memo exists for that address,
just update the timestamp.

- all results of inquiry/rssi result are processed; even
if no memo can be allocated, we may update a timestamp.

- for new connections, query the clock offset of the remote
device, in order that we can use it to facilitate future
reconnections

- as a connection is removed, make a memo of the clock offset

add event processing for "Inquiry result with RSSI", and modify the memo
contents so that this will fit.

branches: 1.7.4; 1.7.6; 1.7.8;
not necessary to cast to (void *) (from caddr_t removal)

branches: 1.6.2;
Add 'service level' security for L2CAP and RFCOMM connections, following
the Linux (BlueZ) API.

- L2CAP or RFCOMM connections can require the baseband radio link
mode be any of:
authenticated (devices are paired)
encrypted (implies authentication)
secured (encryption, plus generate new link key)

- for sockets, the mode is set using setsockopt(2) and the socket
connection will be aborted if the mode change fails.

- mode settings will be applied during connection establishment, and
for safety, we enter a wait state and will only proceed when the mode
settings are successfuly set.

- It is possible to change the mode on already open connections, but
not possible to guarantee that data already queued (from either end)
will not be delivered. (this is a feature, not a bug)

- bthidev(4) and rfcomm_sppd(1) support "auth", "encrypt" and
"secure" options

- btdevctl(8) by default enables "auth" for HIDs, and "encrypt" for
keyboards (which are required to support it)

remove default setting of bluetooth_debug, since 'options BLUETOOTH_DEBUG'
causes it to fail

remove C++ style comments

branches: 1.3.2; 1.3.4; 1.3.6;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.2.4; 1.2.6; 1.2.10;
Endian issues:

hci_event.c:
- Convert memo->response.clock_offset to host-endian.

hci_ioctl.c:
- printf format tweak (size_t)

hci_link.c:
- Convert memo->response.clock_offset from host-endian.
- Tweak a DIAGNOSTIC message.

l2cap_signal.c:
- In l2cap_recv_config_req(), rp->scid is little-endian so make sure
we convert from host-endian.

from scw@

branches: 1.1.2; 1.1.4; 1.1.6; 1.1.8; 1.1.10; 1.1.12; 1.1.14;
Initial import of bluetooth stack on behalf of Iain Hibbert. (plunky@,
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.

The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.

Drivers for both PCMCIA and USB bluetooth controllers are included.

add version and extended feature flags defined in 4.2 specification,
add cache for page 2 of extended features and return this in
the SIOCGBTFEAT ioctl (no change in size)

branches: 1.23.30;

cleanup some DIAGNOSTIC and KASSERT code

- remove #ifdef DIAGNOSTIC, so that we won't act
differently

- handle the cases where a Bluetooth adapter
sends invalid packet data (I've not seen this,
but it is not impossible)

- use KASSERT for actual impossible situations
(to catch bad future development)

upon device initialisation, query and cache the device features,
and cache the maximum ACL/SCO packet buffers.

provide an additional SIOCGBTFEAT ioctl to retrieve the cached
features, and add the max values to the SIOC?BTINFO results.

(btreq does not change size)

branches: 1.21.4;
slight reordering, plus only deal with ACL links

add devices seen in "Extended Inquiry Result" to the cache

add a per-unit master setting, to control requesting the master role
when accepting connections.

branches: 1.18.2;
Merge the socket locking patch:

- Socket layer becomes MP safe.
- Unix protocols become MP safe.
- Allows protocol processing interrupts to safely block on locks.
- Fixes a number of race conditions.

With much feedback from matt@ and plunky@.

branches: 1.17.2;
move the updating of num_cmd_pkts to its own function, mostly so that
pending commands will be output on the device in the order that they
were queued.

insert new links at the tail of the queue so that if a create_connection
command fails to start we can find the relevant link, since it will be
the first one with the pending flag set.

a "Create Connection" command can sometimes fail to start for whatever
reason and the command_status event returns failure but we get no
indication of which connection failed (for instance in the case where
we tried to open too many connections all at once)

So, keep a flag on the link to indicate pending status until the
command_status event is returned to help us decide which should
be failed.

branches: 1.14.2; 1.14.6;
add HCI definitions from the Bluetooth 2.1 spec

request and keep a mask of supported commands per unit in order
to block unsupported HCI commands sent by unprivileged users
reaching the device.

branches: 1.12.6;
[experimentally] report failing commands

this does happen sometimes and I would like to see if it happens
more often than I know of.

Clean up the way that bluetooth drivers attach to the bluetooth stack,
to remove the frobbing that drivers must do in the hci_unit structure.

- driver provides a static const interface descriptor
- hci_unit is allocated by hci_attach() rather than part of softc
- statistics are compiled by driver and provided on request
- driver provides output methods and is responsible for output queue
- stack provides input methods and is responsible for input queue
- mutex is used to arbitrate device queue access

use more device_t and device_xxx() accessors

make bluetooth stack keep device_t instead of softc pointer as
device is not necessarily part of softc, and pass device_t to
driver callbacks. hci_devname is no longer required.

branches: 1.9.4; 1.9.6;
improve memo taking of known bluetooth devices

- centralise creation of new memo into function
hci_memo_new(), when a memo exists for that address,
just update the timestamp.

- all results of inquiry/rssi result are processed; even
if no memo can be allocated, we may update a timestamp.

- for new connections, query the clock offset of the remote
device, in order that we can use it to facilitate future
reconnections

- as a connection is removed, make a memo of the clock offset

add event processing for "Inquiry result with RSSI", and modify the memo
contents so that this will fit.

branches: 1.7.4; 1.7.6; 1.7.8;
not necessary to cast to (void *) (from caddr_t removal)

branches: 1.6.2;
Add 'service level' security for L2CAP and RFCOMM connections, following
the Linux (BlueZ) API.

- L2CAP or RFCOMM connections can require the baseband radio link
mode be any of:
authenticated (devices are paired)
encrypted (implies authentication)
secured (encryption, plus generate new link key)

- for sockets, the mode is set using setsockopt(2) and the socket
connection will be aborted if the mode change fails.

- mode settings will be applied during connection establishment, and
for safety, we enter a wait state and will only proceed when the mode
settings are successfuly set.

- It is possible to change the mode on already open connections, but
not possible to guarantee that data already queued (from either end)
will not be delivered. (this is a feature, not a bug)

- bthidev(4) and rfcomm_sppd(1) support "auth", "encrypt" and
"secure" options

- btdevctl(8) by default enables "auth" for HIDs, and "encrypt" for
keyboards (which are required to support it)

remove default setting of bluetooth_debug, since 'options BLUETOOTH_DEBUG'
causes it to fail

remove C++ style comments

branches: 1.3.2; 1.3.4; 1.3.6;
Kill caddr_t; there will be some MI fallout, but it will be fixed shortly.

branches: 1.2.4; 1.2.6; 1.2.10;
Endian issues:

hci_event.c:
- Convert memo->response.clock_offset to host-endian.

hci_ioctl.c:
- printf format tweak (size_t)

hci_link.c:
- Convert memo->response.clock_offset from host-endian.
- Tweak a DIAGNOSTIC message.

l2cap_signal.c:
- In l2cap_recv_config_req(), rp->scid is little-endian so make sure
we convert from host-endian.

from scw@

branches: 1.1.2; 1.1.4; 1.1.6; 1.1.8; 1.1.10; 1.1.12; 1.1.14;
Initial import of bluetooth stack on behalf of Iain Hibbert. (plunky@,
NetBSD Foundation Membership still pending.) This stack was written by
Iain under sponsorship from Itronix Inc.

The stack includes support for rfcomm networking (networking via your
bluetooth enabled cell phone), hid devices (keyboards/mice), and headsets.

Drivers for both PCMCIA and USB bluetooth controllers are included.