2013-05-14 21:23:13

by Szymon Janc

Subject: [RFC 0/2] Reauthentication support

Hi,

The following patches are an initial proposal for introducing reauthentication
support to BlueZ. This allows setting a system-wide property to change the default
action when the remote is missing the link key from 'disconnect' to 'user consent' or
'auto-reauthentication' (the latter is what e.g. Android does).

Since reauthentication is not something that happens all the time, the first draft
proposal is for a single system-wide policy.

It is also possible to prepare a more fine-grained API like a per-adapter or
per-device property. Not sure if that would give some real benefit over a system-wide
property... I have some draft proposal for such an API as well but wanted to get
feedback for the simpler variant first.

Some open points include pairing failure after reauthentication or a weaker key
being created... should the old key be restored in such case? Or just handle those
as a regular pairing failure/success (there was user consent after all) and don't
restore the old link key?

Last but not least :) Is 'reauthentication' a good name? The other option would be
'repairing' but that might be confused with fixing..


Comments are welcome.

--
BR
Szymon Janc

Szymon Janc (2):
doc: Add reauthentication commands and event to Management API
doc: Add reauthentication support to Agent API

doc/agent-api.txt | 43 +++++++++++++++++++++-
doc/mgmt-api.txt | 105 +++++++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 147 insertions(+), 1 deletion(-)

--
1.7.10.4



2013-05-30 22:10:50

by Szymon Janc

Subject: Re: [RFC 1/2] doc: Add reauthentication commands and event to Management API

On Tuesday 28 May 2013 03:57:24 Marcel Holtmann wrote:
> Hi Szymon,

Hi Marcel,

>
> >>> Those will be used to allow/disallow performing remote device
> >>> reauthentication.
> >>
> >> I guess you could expand this explaining why you need this in the MGMT
> >> API,
> >> i.e. why this can't be implemented on userspace only.
> >
> > This will allow avoiding an ACL disconnect in case of auth failure and should
> > also allow reauth for incoming connections, e.g. this is what Android
> > does.
> > I couldn't figure out how this could be achieved in userspace only but if
> > it is possible I'm totally for a userspace-only implementation.
>
> can someone send around some btmon traces that would demonstrate this. I am
> not really following on what the issue here is and what we are trying to solve.

Yeah... I was confused about how authentication works. After more reading and
testing I see that a remote device with no link key will initiate pairing before
connecting, so this patch was trying to address a non-existing issue and can be
ignored. Sorry for the noise.

I'll follow with agent api extension only.

--
Szymon K. Janc
[email protected]

2013-05-27 18:57:24

by Marcel Holtmann

Subject: Re: [RFC 1/2] doc: Add reauthentication commands and event to Management API

Hi Szymon,

>>> Those will be used to allow/disallow performing remote device
>>> reauthentication.
>>
>> I guess you could expand this explaining why you need this in the MGMT API,
>> i.e. why this can't be implemented on userspace only.
>
> This will allow avoiding an ACL disconnect in case of auth failure and should
> also allow reauth for incoming connections, e.g. this is what Android does.
> I couldn't figure out how this could be achieved in userspace only but if it
> is possible I'm totally for a userspace-only implementation.

can someone send around some btmon traces that would demonstrate this. I am not really following on what the issue here is and what we are trying to solve.

Regards

Marcel


2013-05-27 18:50:52

by Szymon Janc

Subject: Re: [RFC 1/2] doc: Add reauthentication commands and event to Management API

On Tuesday 14 May 2013 20:15:38 Vinicius Costa Gomes wrote:
> Hi Szymon,

Hi Vinicius,

>
> On 23:23 Tue 14 May, Szymon Janc wrote:
> > Those will be used to allow/disallow performing remote device
> > reauthentication.
>
> I guess you could expand this explaining why you need this in the MGMT API,
> i.e. why this can't be implemented on userspace only.

This will allow avoiding an ACL disconnect in case of auth failure and should
also allow reauth for incoming connections, e.g. this is what Android does.
I couldn't figure out how this could be achieved in userspace only but if it
is possible I'm totally for a userspace-only implementation.

> > ---
> >
> > doc/mgmt-api.txt | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > 1 file changed, 105 insertions(+)
> >
> > diff --git a/doc/mgmt-api.txt b/doc/mgmt-api.txt
> > index 1e450e4..96603cd 100644
> > --- a/doc/mgmt-api.txt
> > +++ b/doc/mgmt-api.txt
> > @@ -1223,6 +1223,82 @@ Set Device ID Command
> >
> > Possible errors: Invalid Parameters
> >
> > Invalid Index
> >
> > +Set Reauthentication Policy Command
> > +===================================
> > +
> > + Command Code: 0x0029
> > + Controller Index: <non-controller>
> > + Command Parameters: Policy (1 Octet)
> > + Return Parameters:
> > +
> > + This command is used to change kernel policy regarding remote device
> > + reauthentication. When remote device reports no link key presence
while
> > + kernel holds link key for this device action taken by kernel depends
on
> > + selected policy.
> > +
> > + The Policy parameter selects desired policy:
> > +
> > + 0x00 Disallow
> > + 0x01 Ask for consent
> > + 0x02 Reauthenticate without asking for consent
> > +
> > + By default 'Disconnect' policy is used. Selecting 'Ask for consent'
>
> Minor nitpick, here "Disconnect" should read "Disallow".

Will fix in next version.

>
> > + policy will result in emmiting 'Reauthentication Consent Event' if
> > + circumstance described above occurs.
> > +
> > + This command generates a Command Complete event on success or
> > + a Command Status event on failure.
> > +
> > + Possible errors: Invalid Parameters
> > +
> > +Reauthentication Consent Reply Command
> > +======================================
> > +
> > + Command Code: 0x002A
> > + Controller Index: <controller id>
> > + Command Parameters: Address (6 Octets)
> > + Address_Type (1 Octet)
> > + Return Parameters: Address (6 Octets)
> > + Address_Type (1 Octet)
> > +
> > + This command is used to respond to a Reauthentication Consent event.
> > + This will result in current link key being removed by kernel and new
> > + authentication process will start.
> > +
> > + This command can only be used when the controller is powered.
> > +
> > + This command generates a Command Complete event on success
> > + or failure.
> > +
> > + Possible errors: Not Connected
> > + Invalid Parameters
> > + Not Powered
> > + Invalid Index
> > + Failed
> > +
> > +Reauthentication Consent Negative Reply Command
> > +===============================================
> > +
> > + Command Code: 0x002B
> > + Controller Index: <controller id>
> > + Command Parameters: Address (6 Octets)
> > + Address_Type (1 Octet)
> > + Return Parameters: Address (6 Octets)
> > + Address_Type (1 Octet)
> > +
> > + This command is used to return a negative response to a
Reauthentication
> > + Consent event.
> > +
> > + This command can only be used when the controller is powered.
> > +
> > + This command generates a Command Complete event on success
> > + or failure.
> > +
> > + Possible errors: Not Connected
> > + Invalid Parameters
> > + Not Powered
> > + Invalid Index
> > + Failed
> >
> > Command Complete Event
> > ======================
> >
> > @@ -1621,3 +1697,32 @@ Event Parameters Address (6 Octets)
> >
> > The Passkey parameter indicates the passkey to be shown to the
> > user whereas the Entered parameter indicates how many characters
> > the user has entered on the remote side.
> >
> > +
> > +Reauthentication Consent Event
> > +==============================
> > +
> > +Event Code 0x0018
> > +Controller Index <controller id>
> > +Event Parameters Address (6 Octets)
> > + Address_Type (1 Octet)
> > +
> > + This event is used to request a consent for reauthentication. It is
> > + emmited when remote device reports no link key presence while kernel
> > + holds link key and reuthentication policy for this device is set to
> > + 'Ask for consent'.
> > +
> > + User space should respond to this command either using the
> > + Reauthentication Consent Reply or the Reauthentication Consent
Negative
> > + Reply command.
> > +
> > +Reauthentication Policy Changed Event
> > +=====================================
> > +
> > +Event Code 0x0019
> > +Controller Index <non-controller>
> > +Event Parameters Policy (1 Octet)
> > +
> > + This event indicates that reauthentication policy has been changed
> > + using Set Reauthentication Policy command. The event will only be sent
> > + to Management sockets other than the one through which the command was
> > + sent.
>
> I still can't see the reason for this. Is it because this policy is global
> (not per-controller)?

This is pretty much the same as for the device blocked/unblocked/unpaired events.
There is no point in informing the user that set the policy about the policy change.

--
Szymon K. Janc
[email protected]

2013-05-14 23:15:38

by Vinicius Costa Gomes

Subject: Re: [RFC 1/2] doc: Add reauthentication commands and event to Management API

Hi Szymon,

On 23:23 Tue 14 May, Szymon Janc wrote:
> Those will be used to allow/disallow performing remote device
> reauthentication.

I guess you could expand this explaining why you need this in the MGMT API,
i.e. why this can't be implemented on userspace only.

> ---
> doc/mgmt-api.txt | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 105 insertions(+)
>
> diff --git a/doc/mgmt-api.txt b/doc/mgmt-api.txt
> index 1e450e4..96603cd 100644
> --- a/doc/mgmt-api.txt
> +++ b/doc/mgmt-api.txt
> @@ -1223,6 +1223,82 @@ Set Device ID Command
> Possible errors: Invalid Parameters
> Invalid Index
>
> +Set Reauthentication Policy Command
> +===================================
> +
> + Command Code: 0x0029
> + Controller Index: <non-controller>
> + Command Parameters: Policy (1 Octet)
> + Return Parameters:
> +
> + This command is used to change kernel policy regarding remote device
> + reauthentication. When remote device reports no link key presence while
> + kernel holds link key for this device action taken by kernel depends on
> + selected policy.
> +
> + The Policy parameter selects desired policy:
> +
> + 0x00 Disallow
> + 0x01 Ask for consent
> + 0x02 Reauthenticate without asking for consent
> +
> + By default 'Disconnect' policy is used. Selecting 'Ask for consent'

Minor nitpick, here "Disconnect" should read "Disallow".

> + policy will result in emmiting 'Reauthentication Consent Event' if
> + circumstance described above occurs.
> +
> + This command generates a Command Complete event on success or
> + a Command Status event on failure.
> +
> + Possible errors: Invalid Parameters
> +
> +Reauthentication Consent Reply Command
> +======================================
> +
> + Command Code: 0x002A
> + Controller Index: <controller id>
> + Command Parameters: Address (6 Octets)
> + Address_Type (1 Octet)
> + Return Parameters: Address (6 Octets)
> + Address_Type (1 Octet)
> +
> + This command is used to respond to a Reauthentication Consent event.
> + This will result in current link key being removed by kernel and new
> + authentication process will start.
> +
> + This command can only be used when the controller is powered.
> +
> + This command generates a Command Complete event on success
> + or failure.
> +
> + Possible errors: Not Connected
> + Invalid Parameters
> + Not Powered
> + Invalid Index
> + Failed
> +
> +Reauthentication Consent Negative Reply Command
> +===============================================
> +
> + Command Code: 0x002B
> + Controller Index: <controller id>
> + Command Parameters: Address (6 Octets)
> + Address_Type (1 Octet)
> + Return Parameters: Address (6 Octets)
> + Address_Type (1 Octet)
> +
> + This command is used to return a negative response to a Reauthentication
> + Consent event.
> +
> + This command can only be used when the controller is powered.
> +
> + This command generates a Command Complete event on success
> + or failure.
> +
> + Possible errors: Not Connected
> + Invalid Parameters
> + Not Powered
> + Invalid Index
> + Failed
>
> Command Complete Event
> ======================
> @@ -1621,3 +1697,32 @@ Event Parameters Address (6 Octets)
> The Passkey parameter indicates the passkey to be shown to the
> user whereas the Entered parameter indicates how many characters
> the user has entered on the remote side.
> +
> +Reauthentication Consent Event
> +==============================
> +
> +Event Code 0x0018
> +Controller Index <controller id>
> +Event Parameters Address (6 Octets)
> + Address_Type (1 Octet)
> +
> + This event is used to request a consent for reauthentication. It is
> + emmited when remote device reports no link key presence while kernel
> + holds link key and reuthentication policy for this device is set to
> + 'Ask for consent'.
> +
> + User space should respond to this command either using the
> + Reauthentication Consent Reply or the Reauthentication Consent Negative
> + Reply command.
> +
> +Reauthentication Policy Changed Event
> +=====================================
> +
> +Event Code 0x0019
> +Controller Index <non-controller>
> +Event Parameters Policy (1 Octet)
> +
> + This event indicates that reauthentication policy has been changed
> + using Set Reauthentication Policy command. The event will only be sent
> + to Management sockets other than the one through which the command was
> + sent.

I still can't see the reason for this. Is it because this policy is global
(not per-controller)?


> --
> 1.7.10.4
>


Cheers,
--
Vinicius

2013-05-14 21:23:15

by Szymon Janc

Subject: [RFC 2/2] doc: Add reauthentication support to Agent API

Add ReauthenticationPolicy property to AgentManager1 interface.
This will allow changing the default reauthentication policy.

Add RequestReauthentication method to Agent API. This method will
be used to request user consent for remote device reauthentication.
---
doc/agent-api.txt | 43 ++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 42 insertions(+), 1 deletion(-)

diff --git a/doc/agent-api.txt b/doc/agent-api.txt
index 2e70931..0074259 100644
--- a/doc/agent-api.txt
+++ b/doc/agent-api.txt
@@ -9,7 +9,7 @@ Service org.bluez
Interface org.bluez.AgentManager1
Object path /org/bluez

- void RegisterAgent(object agent, string capability)
+Methods void RegisterAgent(object agent, string capability)

This registers an agent handler.

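Review bot: the "Methods" label added to the RegisterAgent line corrects an omission in the existing AgentManager1 section that has nothing to do with reauthentication; split it into its own one-line patch so this RFC diff carries only the new property and method.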
@@ -61,6 +61,32 @@ Object path /org/bluez

Possible errors: org.bluez.Error.DoesNotExist

+Properties string ReauthenticationPolicy [readwrite]
+
+ Default policy for reauthentication of already paired
+ devices. UI entity should clearly inform user about
+ possible cause and possible security consideration of
+ reauthentication before changing value of this
+ property.
+
+ Following policies are possible:
+ - disallow reauthentication
+ - ask for user consent before reauthentication
+ (see RequestReauthentication from Agent API)
+ - allow reauthentication without user consent
+
+ Some of possible causes of already paired remote device
+ missing linkkey:
+ - unpair performed by user on remote device only
+ - reset of a remote device e.g. due to user action or
+ power source depletion
+ - lost of linkkey on remote device due to pairing with
+ secondary OS or other host
+ - bogus device is imitating user's legitimate device
+ (security issue if reauthentication occurs!)
+
+ Possible values: "ask", "allow" or "disallow"
+

Agent hierarchy
===============
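Review bot: the property description never states its default value; the mgmt-api counterpart in 1/2 defaults to the disallow policy, so add a "Default value: "disallow"" line here, otherwise a UI cannot tell whether an unset property is the safe setting. In the list of causes, "lost of linkkey on remote device" should read "loss of link key on the remote device". The last bullet is the one that matters: with "allow", a device that merely spoofs the bdaddr of a paired peer and claims to have no key is granted a fresh pairing with no user involvement, so state next to the "allow" value itself that the host cannot distinguish that case from a genuine reset, rather than leaving the warning in a parenthetical at the end of the list.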
@@ -176,6 +202,21 @@ Methods void Release()
Possible errors: org.bluez.Error.Rejected
org.bluez.Error.Canceled

+ void RequestReauthentication(object device)
+
+ This method gets called to request the user for consent
+ to perform reauthentication of already paired device.
+
+ Agent should inform user about possible cause and
+ security considerations related to this request. Please
+ see ReauthenticationPolicy property description in
+ Adapter API for details.
+
+ If this method is not implemented consent is rejected.
+
+ Possible errors: org.bluez.Error.Rejected
+ org.bluez.Error.Canceled
+
void Cancel()

This method gets called to indicate that the agent
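Review bot: "see ReauthenticationPolicy property description in Adapter API" points at the wrong interface; the property is added to AgentManager1 in this same patch, so reference that section. Rejecting consent when the method is not implemented is the right fail-closed default and is consistent with the disallow policy; it would also help to say whether Cancel() is delivered for a pending RequestReauthentication in the same way as for the other Request* methods, since the UI has to dismiss its prompt when the link drops before the user answers.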
--
1.7.10.4
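The host-side decision that the ReauthenticationPolicy property and the RequestReauthentication method describe, as an added example in Python that is not part of the RFC or of BlueZ. It models the three policy values, the fail-closed rule that an agent without RequestReauthentication counts as a rejection, and one possible answer to the cover letter's open question (an assumption made for this example, not something the RFC decides): the stored key is replaced only once the new pairing has succeeded. The Agent and Host classes are stand-ins, not the D-Bus objects.

```python
from enum import Enum


class Policy(Enum):
    """The three values of the proposed ReauthenticationPolicy property."""
    DISALLOW = "disallow"
    ASK = "ask"
    ALLOW = "allow"


class Rejected(Exception):
    """Stand-in for org.bluez.Error.Rejected raised by the agent."""


class Agent:
    """Stand-in for an Agent1 object (hypothetical, not the D-Bus API).
    consent=None models an agent that does not implement the method."""

    def __init__(self, consent=None):
        self._consent = consent

    def request_reauthentication(self, device):
        if self._consent is None:
            raise NotImplementedError("RequestReauthentication")
        if not self._consent(device):
            raise Rejected(device)


class Host:
    """Decides what to do when a remote reports that it has no link key."""

    def __init__(self, policy, link_keys, agent=None):
        self.policy = Policy(policy)
        self.link_keys = dict(link_keys)   # bdaddr -> stored link key
        self.agent = agent
        self.pending = set()               # devices whose re-pairing is in progress

    def on_remote_reports_no_link_key(self, bdaddr):
        """Returns 'pair', 'reauth' or 'disconnect'."""
        if bdaddr not in self.link_keys:
            return "pair"                  # never paired: ordinary pairing, policy not involved
        # Stored key plus a 'no key' claim: a reset, an unpair on the other side, or an
        # impostor spoofing the bdaddr. The host cannot tell these apart at this point,
        # which is why 'allow' is the dangerous setting.
        if self.policy is Policy.DISALLOW:
            return "disconnect"
        if self.policy is Policy.ASK:
            if self.agent is None:
                return "disconnect"
            try:
                self.agent.request_reauthentication(bdaddr)
            except (NotImplementedError, Rejected):
                return "disconnect"        # fail closed, as the RFC text requires
        self.pending.add(bdaddr)
        return "reauth"

    def on_pairing_complete(self, bdaddr, new_key, success):
        """Assumption for this example: the old key is dropped only when the new
        pairing succeeded, so a failed re-pairing leaves the old pairing in place."""
        self.pending.discard(bdaddr)
        if success:
            self.link_keys[bdaddr] = new_key
        return self.link_keys.get(bdaddr)
```

Note that under "ask" the three ways the agent can fail to say yes (no agent registered, method not implemented, explicit rejection) all collapse to a disconnect; only an explicit consent opens the re-pairing window.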


2013-05-14 21:23:14

by Szymon Janc

Subject: [RFC 1/2] doc: Add reauthentication commands and event to Management API

Those will be used to allow/disallow performing remote device
reauthentication.
---
doc/mgmt-api.txt | 105 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 105 insertions(+)

diff --git a/doc/mgmt-api.txt b/doc/mgmt-api.txt
index 1e450e4..96603cd 100644
--- a/doc/mgmt-api.txt
+++ b/doc/mgmt-api.txt
@@ -1223,6 +1223,82 @@ Set Device ID Command
Possible errors: Invalid Parameters
Invalid Index

+Set Reauthentication Policy Command
+===================================
+
+ Command Code: 0x0029
+ Controller Index: <non-controller>
+ Command Parameters: Policy (1 Octet)
+ Return Parameters:
+
+ This command is used to change kernel policy regarding remote device
+ reauthentication. When remote device reports no link key presence while
+ kernel holds link key for this device action taken by kernel depends on
+ selected policy.
+
+ The Policy parameter selects desired policy:
+
+ 0x00 Disallow
+ 0x01 Ask for consent
+ 0x02 Reauthenticate without asking for consent
+
+ By default 'Disconnect' policy is used. Selecting 'Ask for consent'
+ policy will result in emmiting 'Reauthentication Consent Event' if
+ circumstance described above occurs.
+
+ This command generates a Command Complete event on success or
+ a Command Status event on failure.
+
+ Possible errors: Invalid Parameters
+
+Reauthentication Consent Reply Command
+======================================
+
+ Command Code: 0x002A
+ Controller Index: <controller id>
+ Command Parameters: Address (6 Octets)
+ Address_Type (1 Octet)
+ Return Parameters: Address (6 Octets)
+ Address_Type (1 Octet)
+
+ This command is used to respond to a Reauthentication Consent event.
+ This will result in current link key being removed by kernel and new
+ authentication process will start.
+
+ This command can only be used when the controller is powered.
+
+ This command generates a Command Complete event on success
+ or failure.
+
+ Possible errors: Not Connected
+ Invalid Parameters
+ Not Powered
+ Invalid Index
+ Failed
+
+Reauthentication Consent Negative Reply Command
+===============================================
+
+ Command Code: 0x002B
+ Controller Index: <controller id>
+ Command Parameters: Address (6 Octets)
+ Address_Type (1 Octet)
+ Return Parameters: Address (6 Octets)
+ Address_Type (1 Octet)
+
+ This command is used to return a negative response to a Reauthentication
+ Consent event.
+
+ This command can only be used when the controller is powered.
+
+ This command generates a Command Complete event on success
+ or failure.
+
+ Possible errors: Not Connected
+ Invalid Parameters
+ Not Powered
+ Invalid Index
+ Failed

Command Complete Event
======================
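Review bot: "By default 'Disconnect' policy is used" does not match the table, which calls 0x00 "Disallow"; pick one name, and spell out what each value does, since the hunk only names them: presumably Disallow keeps today's behaviour of dropping the ACL, and 0x02 deletes the stored key and lets the new pairing proceed without any event. The Reauthentication Consent Reply text says the current link key is removed before the new authentication starts, which means a pairing that then fails, or that yields a weaker key, leaves the device unpaired or downgraded; document whether the old key is kept until the new pairing succeeds (this is the open question from the cover letter, and the API text is where it has to be settled). Minor: "emmiting" should read "emitting", and "if circumstance described above occurs" should read "if the circumstance described above occurs".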
@@ -1621,3 +1697,32 @@ Event Parameters Address (6 Octets)
The Passkey parameter indicates the passkey to be shown to the
user whereas the Entered parameter indicates how many characters
the user has entered on the remote side.
+
+Reauthentication Consent Event
+==============================
+
+Event Code 0x0018
+Controller Index <controller id>
+Event Parameters Address (6 Octets)
+ Address_Type (1 Octet)
+
+ This event is used to request a consent for reauthentication. It is
+ emmited when remote device reports no link key presence while kernel
+ holds link key and reuthentication policy for this device is set to
+ 'Ask for consent'.
+
+ User space should respond to this command either using the
+ Reauthentication Consent Reply or the Reauthentication Consent Negative
+ Reply command.
+
+Reauthentication Policy Changed Event
+=====================================
+
+Event Code 0x0019
+Controller Index <non-controller>
+Event Parameters Policy (1 Octet)
+
+ This event indicates that reauthentication policy has been changed
+ using Set Reauthentication Policy command. The event will only be sent
+ to Management sockets other than the one through which the command was
+ sent.
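Review bot: "User space should respond to this command" should read "this event". "reauthentication policy for this device" contradicts the Set Reauthentication Policy command, which is <non-controller> and system-wide; either the policy is global, in which case drop "for this device", or it is per device, in which case the Set command needs an address. Nothing says what the kernel does while waiting for the reply: the connection is held with authentication pending, so state the timeout and that expiry is treated as a negative reply. Typos: "emmited" should read "emitted", "reuthentication" should read "reauthentication".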
--
1.7.10.4
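The mgmt frames these commands and events would travel in, as an added example that is not part of the RFC or of BlueZ. It assumes the standard mgmt header (opcode or event code, controller index and parameter length, each a little-endian 16-bit value, with 0xFFFF as the non-controller index) and that BD_ADDR is sent least-significant octet first; the opcodes and event codes are the ones proposed in the hunks above, which were never merged, so they are hypothetical values. The sample consent event is constructed inline.

```python
import struct

# Opcodes and event codes exactly as proposed in the RFC hunks above.
# They were never merged, so treat them as hypothetical values.
MGMT_OP_SET_REAUTH_POLICY = 0x0029
MGMT_OP_REAUTH_CONSENT_REPLY = 0x002A
MGMT_OP_REAUTH_CONSENT_NEG_REPLY = 0x002B
MGMT_EV_REAUTH_CONSENT = 0x0018
MGMT_EV_REAUTH_POLICY_CHANGED = 0x0019

MGMT_INDEX_NONE = 0xFFFF          # the <non-controller> index
POLICY_DISALLOW, POLICY_ASK, POLICY_AUTO = 0x00, 0x01, 0x02
BDADDR_BREDR = 0x00               # Address_Type for a classic link key

# mgmt header: code, controller index, parameter length; all little-endian u16
HDR = struct.Struct("<HHH")


def bdaddr_to_wire(addr: str) -> bytes:
    """'AA:BB:CC:DD:EE:FF' -> 6 bytes, least-significant octet first."""
    octets = bytes.fromhex(addr.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("bad BD_ADDR")
    return octets[::-1]


def wire_to_bdaddr(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw[::-1])


def build_cmd(opcode: int, index: int, params: bytes = b"") -> bytes:
    return HDR.pack(opcode, index, len(params)) + params


def set_reauth_policy(policy: int) -> bytes:
    """Set Reauthentication Policy: non-controller index, one octet."""
    if policy not in (POLICY_DISALLOW, POLICY_ASK, POLICY_AUTO):
        raise ValueError("Invalid Parameters")
    return build_cmd(MGMT_OP_SET_REAUTH_POLICY, MGMT_INDEX_NONE, bytes([policy]))


def consent_reply(index: int, addr: str, addr_type: int = BDADDR_BREDR,
                  accept: bool = False) -> bytes:
    """Positive or negative reply to a Reauthentication Consent Event.
    Defaults to the negative reply so a caller has to opt in to re-pairing."""
    op = MGMT_OP_REAUTH_CONSENT_REPLY if accept else MGMT_OP_REAUTH_CONSENT_NEG_REPLY
    return build_cmd(op, index, bdaddr_to_wire(addr) + bytes([addr_type]))


def parse_event(frame: bytes) -> dict:
    """Decode the two events from the hunk; reject malformed frames."""
    if len(frame) < HDR.size:
        raise ValueError("short frame")
    code, index, plen = HDR.unpack_from(frame)
    params = frame[HDR.size:]
    if len(params) != plen:
        raise ValueError("length field does not match payload")
    if code == MGMT_EV_REAUTH_CONSENT:
        if plen != 7 or index == MGMT_INDEX_NONE:
            raise ValueError("malformed Reauthentication Consent Event")
        return {"event": "consent", "index": index,
                "addr": wire_to_bdaddr(params[:6]), "addr_type": params[6]}
    if code == MGMT_EV_REAUTH_POLICY_CHANGED:
        if plen != 1 or index != MGMT_INDEX_NONE:
            raise ValueError("malformed Reauthentication Policy Changed Event")
        return {"event": "policy_changed", "policy": params[0]}
    return {"event": "other", "code": code, "index": index}


def answer_consent(frame: bytes, user_said_yes: bool) -> bytes:
    """Turn a consent event into the matching reply, echoing address and type."""
    ev = parse_event(frame)
    if ev["event"] != "consent":
        raise ValueError("not a consent event")
    return consent_reply(ev["index"], ev["addr"], ev["addr_type"], accept=user_said_yes)


# Constructed sample: the kernel, on controller index 0, asks for consent
# about the paired device 00:11:22:33:44:55.
SAMPLE_CONSENT_EVENT = (HDR.pack(MGMT_EV_REAUTH_CONSENT, 0, 7)
                        + bdaddr_to_wire("00:11:22:33:44:55") + bytes([BDADDR_BREDR]))

if __name__ == "__main__":
    print(set_reauth_policy(POLICY_ASK).hex())
    print(parse_event(SAMPLE_CONSENT_EVENT))
    print(answer_consent(SAMPLE_CONSENT_EVENT, user_said_yes=False).hex())
```

The decoder checks the controller index against what each event's "Controller Index" line in the hunk requires, so a consent event arriving with the non-controller index, or a policy-changed event tied to a controller, is rejected rather than acted on.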