| Message ID | 20200212212729.Bluez.v2.1.I333a90ad3c75882c6f008c94a28ca7d3e8f6c76e@changeid (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Luiz Von Dentz |
| Headers | show |
| Series | [Bluez,v2] core: Add new policy for Just-Works repairing | expand |
Hi, Den ons 12 feb. 2020 kl 14:30 skrev Howard Chung <howardchung@google.com>: > > From: "howardchung@google.com" <howardchung@google.com> > > When kernel find out that the incoming Just-Works pairing is > initiated by a paired device, it is user space's responsibility to > decide the next action. > > This patch includes the following: > - add JustWorksRepairing policy as an option in main.conf > - handle the confirmation request from kernel > > --- > The Just-Works repairing policy could be one of the following: > - never: default; reject the repairing immediately. > - confirm: prompt a confirmation dialog to user. > - always: always accept the repairing. > > Changes in v2: > - let RequestAuthorization handle the situation > - remove the changes in client/ > > src/agent.c | 16 ++++++++++++++++ > src/hcid.h | 8 ++++++++ > src/main.c | 27 +++++++++++++++++++++++++++ > src/main.conf | 5 +++++ > 4 files changed, 56 insertions(+) > > diff --git a/src/agent.c b/src/agent.c > index e0ffcd22f..e013ec85f 100644 > --- a/src/agent.c > +++ b/src/agent.c > @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device, > GDestroyNotify destroy) > { > struct agent_request *req; > + DBusError dbus_err; > int err; > > err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION); > if (err) > return err; > > + /* Just-Works repairing policy */ > + if (device_is_paired(device, BDADDR_BREDR) || > + device_is_paired(device, BDADDR_LE_PUBLIC)) { > + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) { > + dbus_error_init(&dbus_err); > + dbus_set_error_const(&dbus_err, > + ERROR_INTERFACE ".Rejected", NULL); > + cb(agent, &dbus_err, user_data); > + return 0; > + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) { > + cb(agent, NULL, user_data); > + return 0; > + } > + } > + > DBG("Calling Agent.RequestAuthorization: name=%s, path=%s", > agent->owner, agent->path); > > diff --git a/src/hcid.h b/src/hcid.h > index adea85ce2..bcd2b9fa1 100644 > --- a/src/hcid.h > +++ b/src/hcid.h > @@ -35,6 +35,12 @@ typedef enum { > BT_GATT_CACHE_NO, > } bt_gatt_cache_t; > > +enum { > + JW_REPAIRING_NEVER, > + JW_REPAIRING_CONFIRM, > + JW_REPAIRING_ALWAYS, > +} jw_repairing_t; > + > struct main_opts { > char *name; > uint32_t class; > @@ -58,6 +64,8 @@ struct main_opts { > uint16_t gatt_mtu; > > uint8_t key_size; > + > + jw_repairing_t jw_repairing; > }; > > extern struct main_opts main_opts; > diff --git a/src/main.c b/src/main.c > index 1a6ab36a3..d67f469f1 100644 > --- a/src/main.c > +++ b/src/main.c > @@ -93,6 +93,7 @@ static const char *supported_options[] = { > "MultiProfile", > "FastConnectable", > "Privacy", > + "JustWorksRepairing", > NULL > }; > > @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache) > } > } > > +static jw_repairing_t parse_jw_repairing(const char *jw_repairing) > +{ > + if (!strcmp(jw_repairing, "never")) { > + return JW_REPAIRING_NEVER; > + } else if (!strcmp(jw_repairing, "confirm")) { > + return JW_REPAIRING_CONFIRM; > + } else if (!strcmp(jw_repairing, "always")) { > + return JW_REPAIRING_ALWAYS; > + } else { > + return JW_REPAIRING_NEVER; > + } > +} > + > + > static void check_options(GKeyFile *config, const char *group, > const char **options) > { > @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config) > g_free(str); > } > > + str = g_key_file_get_string(config, "General", > + "JustWorksRepairing", &err); > + if (err) { > + DBG("%s", err->message); > + g_clear_error(&err); > + main_opts.jw_repairing = JW_REPAIRING_NEVER; > + } else { > + DBG("just_works_repairing=%s", str); > + main_opts.jw_repairing = parse_jw_repairing(str); > + g_free(str); > + } > + > str = g_key_file_get_string(config, "General", "Name", &err); > if (err) { > DBG("%s", err->message); > diff --git a/src/main.conf b/src/main.conf > index 40687a755..bb5ff5b15 100644 > --- a/src/main.conf > +++ b/src/main.conf > @@ -72,6 +72,11 @@ > # Defaults to "off" > # Privacy = off > > +# Specify the policy to the JUST-WORKS repairing initiated by peer > +# Possible values: "never", "confirm", "always" > +# Defaults to "never" > +#JustWorksRepairing = never > + > [GATT] > # GATT attribute cache. > # Possible values: > -- > 2.25.0.225.g125e21ebc7-goog > I haven't looked much into this, but have a question. What happens by default currently when we have an already bonded device previously paired using some MITM-protected mechanism, and suddenly wants to re-bond using a less secure mechanism (Just Works)? In my opinion denying this should obviously be the default in case no agent is available, compared to if pairing a new device then the default should be accept. /Emil
Hi Howard, On Wed, Feb 12, 2020 at 5:30 AM Howard Chung <howardchung@google.com> wrote: > > From: "howardchung@google.com" <howardchung@google.com> > > When kernel find out that the incoming Just-Works pairing is > initiated by a paired device, it is user space's responsibility to > decide the next action. > > This patch includes the following: > - add JustWorksRepairing policy as an option in main.conf > - handle the confirmation request from kernel > > --- > The Just-Works repairing policy could be one of the following: > - never: default; reject the repairing immediately. > - confirm: prompt a confirmation dialog to user. > - always: always accept the repairing. > > Changes in v2: > - let RequestAuthorization handle the situation > - remove the changes in client/ > > src/agent.c | 16 ++++++++++++++++ > src/hcid.h | 8 ++++++++ > src/main.c | 27 +++++++++++++++++++++++++++ > src/main.conf | 5 +++++ > 4 files changed, 56 insertions(+) > > diff --git a/src/agent.c b/src/agent.c > index e0ffcd22f..e013ec85f 100644 > --- a/src/agent.c > +++ b/src/agent.c > @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device, > GDestroyNotify destroy) > { > struct agent_request *req; > + DBusError dbus_err; > int err; > > err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION); > if (err) > return err; > > + /* Just-Works repairing policy */ > + if (device_is_paired(device, BDADDR_BREDR) || > + device_is_paired(device, BDADDR_LE_PUBLIC)) { > + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) { > + dbus_error_init(&dbus_err); > + dbus_set_error_const(&dbus_err, > + ERROR_INTERFACE ".Rejected", NULL); > + cb(agent, &dbus_err, user_data); > + return 0; Can't we just return an error here instead of creating a D-Bus error just to call the callback? > + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) { > + cb(agent, NULL, user_data); > + return 0; > + } > + } > + > DBG("Calling Agent.RequestAuthorization: name=%s, path=%s", > agent->owner, agent->path); > > diff --git a/src/hcid.h b/src/hcid.h > index adea85ce2..bcd2b9fa1 100644 > --- a/src/hcid.h > +++ b/src/hcid.h > @@ -35,6 +35,12 @@ typedef enum { > BT_GATT_CACHE_NO, > } bt_gatt_cache_t; > > +enum { > + JW_REPAIRING_NEVER, > + JW_REPAIRING_CONFIRM, > + JW_REPAIRING_ALWAYS, > +} jw_repairing_t; > + > struct main_opts { > char *name; > uint32_t class; > @@ -58,6 +64,8 @@ struct main_opts { > uint16_t gatt_mtu; > > uint8_t key_size; > + > + jw_repairing_t jw_repairing; > }; > > extern struct main_opts main_opts; > diff --git a/src/main.c b/src/main.c > index 1a6ab36a3..d67f469f1 100644 > --- a/src/main.c > +++ b/src/main.c > @@ -93,6 +93,7 @@ static const char *supported_options[] = { > "MultiProfile", > "FastConnectable", > "Privacy", > + "JustWorksRepairing", > NULL > }; > > @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache) > } > } > > +static jw_repairing_t parse_jw_repairing(const char *jw_repairing) > +{ > + if (!strcmp(jw_repairing, "never")) { > + return JW_REPAIRING_NEVER; > + } else if (!strcmp(jw_repairing, "confirm")) { > + return JW_REPAIRING_CONFIRM; > + } else if (!strcmp(jw_repairing, "always")) { > + return JW_REPAIRING_ALWAYS; > + } else { > + return JW_REPAIRING_NEVER; > + } > +} > + > + > static void check_options(GKeyFile *config, const char *group, > const char **options) > { > @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config) > g_free(str); > } > > + str = g_key_file_get_string(config, "General", > + "JustWorksRepairing", &err); > + if (err) { > + DBG("%s", err->message); > + g_clear_error(&err); > + main_opts.jw_repairing = JW_REPAIRING_NEVER; > + } else { > + DBG("just_works_repairing=%s", str); > + main_opts.jw_repairing = parse_jw_repairing(str); > + g_free(str); > + } > + > str = g_key_file_get_string(config, "General", "Name", &err); > if (err) { > DBG("%s", err->message); > diff --git a/src/main.conf b/src/main.conf > index 40687a755..bb5ff5b15 100644 > --- a/src/main.conf > +++ b/src/main.conf > @@ -72,6 +72,11 @@ > # Defaults to "off" > # Privacy = off > > +# Specify the policy to the JUST-WORKS repairing initiated by peer > +# Possible values: "never", "confirm", "always" > +# Defaults to "never" > +#JustWorksRepairing = never > + > [GATT] > # GATT attribute cache. > # Possible values: > -- > 2.25.0.225.g125e21ebc7-goog >
Hi Emil, On Wed, Feb 12, 2020 at 6:00 AM Emil Lenngren <emil.lenngren@gmail.com> wrote: > > Hi, > > Den ons 12 feb. 2020 kl 14:30 skrev Howard Chung <howardchung@google.com>: > > > > From: "howardchung@google.com" <howardchung@google.com> > > > > When kernel find out that the incoming Just-Works pairing is > > initiated by a paired device, it is user space's responsibility to > > decide the next action. > > > > This patch includes the following: > > - add JustWorksRepairing policy as an option in main.conf > > - handle the confirmation request from kernel > > > > --- > > The Just-Works repairing policy could be one of the following: > > - never: default; reject the repairing immediately. > > - confirm: prompt a confirmation dialog to user. > > - always: always accept the repairing. > > > > Changes in v2: > > - let RequestAuthorization handle the situation > > - remove the changes in client/ > > > > src/agent.c | 16 ++++++++++++++++ > > src/hcid.h | 8 ++++++++ > > src/main.c | 27 +++++++++++++++++++++++++++ > > src/main.conf | 5 +++++ > > 4 files changed, 56 insertions(+) > > > > diff --git a/src/agent.c b/src/agent.c > > index e0ffcd22f..e013ec85f 100644 > > --- a/src/agent.c > > +++ b/src/agent.c > > @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device, > > GDestroyNotify destroy) > > { > > struct agent_request *req; > > + DBusError dbus_err; > > int err; > > > > err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION); > > if (err) > > return err; > > > > + /* Just-Works repairing policy */ > > + if (device_is_paired(device, BDADDR_BREDR) || > > + device_is_paired(device, BDADDR_LE_PUBLIC)) { > > + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) { > > + dbus_error_init(&dbus_err); > > + dbus_set_error_const(&dbus_err, > > + ERROR_INTERFACE ".Rejected", NULL); > > + cb(agent, &dbus_err, user_data); > > + return 0; > > + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) { > > + cb(agent, NULL, user_data); > > + return 0; > > + } > > + } > > + > > DBG("Calling Agent.RequestAuthorization: name=%s, path=%s", > > agent->owner, agent->path); > > > > diff --git a/src/hcid.h b/src/hcid.h > > index adea85ce2..bcd2b9fa1 100644 > > --- a/src/hcid.h > > +++ b/src/hcid.h > > @@ -35,6 +35,12 @@ typedef enum { > > BT_GATT_CACHE_NO, > > } bt_gatt_cache_t; > > > > +enum { > > + JW_REPAIRING_NEVER, > > + JW_REPAIRING_CONFIRM, > > + JW_REPAIRING_ALWAYS, > > +} jw_repairing_t; > > + > > struct main_opts { > > char *name; > > uint32_t class; > > @@ -58,6 +64,8 @@ struct main_opts { > > uint16_t gatt_mtu; > > > > uint8_t key_size; > > + > > + jw_repairing_t jw_repairing; > > }; > > > > extern struct main_opts main_opts; > > diff --git a/src/main.c b/src/main.c > > index 1a6ab36a3..d67f469f1 100644 > > --- a/src/main.c > > +++ b/src/main.c > > @@ -93,6 +93,7 @@ static const char *supported_options[] = { > > "MultiProfile", > > "FastConnectable", > > "Privacy", > > + "JustWorksRepairing", > > NULL > > }; > > > > @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache) > > } > > } > > > > +static jw_repairing_t parse_jw_repairing(const char *jw_repairing) > > +{ > > + if (!strcmp(jw_repairing, "never")) { > > + return JW_REPAIRING_NEVER; > > + } else if (!strcmp(jw_repairing, "confirm")) { > > + return JW_REPAIRING_CONFIRM; > > + } else if (!strcmp(jw_repairing, "always")) { > > + return JW_REPAIRING_ALWAYS; > > + } else { > > + return JW_REPAIRING_NEVER; > > + } > > +} > > + > > + > > static void check_options(GKeyFile *config, const char *group, > > const char **options) > > { > > @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config) > > g_free(str); > > } > > > > + str = g_key_file_get_string(config, "General", > > + "JustWorksRepairing", &err); > > + if (err) { > > + DBG("%s", err->message); > > + g_clear_error(&err); > > + main_opts.jw_repairing = JW_REPAIRING_NEVER; > > + } else { > > + DBG("just_works_repairing=%s", str); > > + main_opts.jw_repairing = parse_jw_repairing(str); > > + g_free(str); > > + } > > + > > str = g_key_file_get_string(config, "General", "Name", &err); > > if (err) { > > DBG("%s", err->message); > > diff --git a/src/main.conf b/src/main.conf > > index 40687a755..bb5ff5b15 100644 > > --- a/src/main.conf > > +++ b/src/main.conf > > @@ -72,6 +72,11 @@ > > # Defaults to "off" > > # Privacy = off > > > > +# Specify the policy to the JUST-WORKS repairing initiated by peer > > +# Possible values: "never", "confirm", "always" > > +# Defaults to "never" > > +#JustWorksRepairing = never > > + > > [GATT] > > # GATT attribute cache. > > # Possible values: > > -- > > 2.25.0.225.g125e21ebc7-goog > > > > I haven't looked much into this, but have a question. What happens by > default currently when we have an already bonded device previously > paired using some MITM-protected mechanism, and suddenly wants to > re-bond using a less secure mechanism (Just Works)? In my opinion > denying this should obviously be the default in case no agent is > available, compared to if pairing a new device then the default should > be accept. When no agent is registered we don't set the pairable flag, so it shouldn't even be able do trigger a new pairing without an agent.
diff --git a/src/agent.c b/src/agent.c index e0ffcd22f..e013ec85f 100644 --- a/src/agent.c +++ b/src/agent.c @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device, GDestroyNotify destroy) { struct agent_request *req; + DBusError dbus_err; int err; err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION); if (err) return err; + /* Just-Works repairing policy */ + if (device_is_paired(device, BDADDR_BREDR) || + device_is_paired(device, BDADDR_LE_PUBLIC)) { + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) { + dbus_error_init(&dbus_err); + dbus_set_error_const(&dbus_err, + ERROR_INTERFACE ".Rejected", NULL); + cb(agent, &dbus_err, user_data); + return 0; + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) { + cb(agent, NULL, user_data); + return 0; + } + } + DBG("Calling Agent.RequestAuthorization: name=%s, path=%s", agent->owner, agent->path); diff --git a/src/hcid.h b/src/hcid.h index adea85ce2..bcd2b9fa1 100644 --- a/src/hcid.h +++ b/src/hcid.h @@ -35,6 +35,12 @@ typedef enum { BT_GATT_CACHE_NO, } bt_gatt_cache_t; +enum { + JW_REPAIRING_NEVER, + JW_REPAIRING_CONFIRM, + JW_REPAIRING_ALWAYS, +} jw_repairing_t; + struct main_opts { char *name; uint32_t class; @@ -58,6 +64,8 @@ struct main_opts { uint16_t gatt_mtu; uint8_t key_size; + + jw_repairing_t jw_repairing; }; extern struct main_opts main_opts; diff --git a/src/main.c b/src/main.c index 1a6ab36a3..d67f469f1 100644 --- a/src/main.c +++ b/src/main.c @@ -93,6 +93,7 @@ static const char *supported_options[] = { "MultiProfile", "FastConnectable", "Privacy", + "JustWorksRepairing", NULL }; @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache) } } +static jw_repairing_t parse_jw_repairing(const char *jw_repairing) +{ + if (!strcmp(jw_repairing, "never")) { + return JW_REPAIRING_NEVER; + } else if (!strcmp(jw_repairing, "confirm")) { + return JW_REPAIRING_CONFIRM; + } else if (!strcmp(jw_repairing, "always")) { + return JW_REPAIRING_ALWAYS; + } else { + return JW_REPAIRING_NEVER; + } +} + + static void check_options(GKeyFile *config, const char *group, const char **options) { @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config) g_free(str); } + str = g_key_file_get_string(config, "General", + "JustWorksRepairing", &err); + if (err) { + DBG("%s", err->message); + g_clear_error(&err); + main_opts.jw_repairing = JW_REPAIRING_NEVER; + } else { + DBG("just_works_repairing=%s", str); + main_opts.jw_repairing = parse_jw_repairing(str); + g_free(str); + } + str = g_key_file_get_string(config, "General", "Name", &err); if (err) { DBG("%s", err->message); diff --git a/src/main.conf b/src/main.conf index 40687a755..bb5ff5b15 100644 --- a/src/main.conf +++ b/src/main.conf @@ -72,6 +72,11 @@ # Defaults to "off" # Privacy = off +# Specify the policy to the JUST-WORKS repairing initiated by peer +# Possible values: "never", "confirm", "always" +# Defaults to "never" +#JustWorksRepairing = never + [GATT] # GATT attribute cache. # Possible values:
From: "howardchung@google.com" <howardchung@google.com> When kernel find out that the incoming Just-Works pairing is initiated by a paired device, it is user space's responsibility to decide the next action. This patch includes the following: - add JustWorksRepairing policy as an option in main.conf - handle the confirmation request from kernel --- The Just-Works repairing policy could be one of the following: - never: default; reject the repairing immediately. - confirm: prompt a confirmation dialog to user. - always: always accept the repairing. Changes in v2: - let RequestAuthorization handle the situation - remove the changes in client/ src/agent.c | 16 ++++++++++++++++ src/hcid.h | 8 ++++++++ src/main.c | 27 +++++++++++++++++++++++++++ src/main.conf | 5 +++++ 4 files changed, 56 insertions(+)