2020-02-12 13:30:00

by Yun-hao Chung

Subject: [Bluez PATCH v2] core: Add new policy for Just-Works repairing

From: "[email protected]" <[email protected]>

When the kernel finds out that the incoming Just-Works pairing is
initiated by a paired device, it is user space's responsibility to
decide the next action.

This patch includes the following:
- add JustWorksRepairing policy as an option in main.conf
- handle the confirmation request from kernel

---
The Just-Works repairing policy could be one of the following:
- never: default; reject the repairing immediately.
- confirm: prompt a confirmation dialog to user.
- always: always accept the repairing.

Changes in v2:
- let RequestAuthorization handle the situation
- remove the changes in client/

src/agent.c | 16 ++++++++++++++++
src/hcid.h | 8 ++++++++
src/main.c | 27 +++++++++++++++++++++++++++
src/main.conf | 5 +++++
4 files changed, 56 insertions(+)

diff --git a/src/agent.c b/src/agent.c
index e0ffcd22f..e013ec85f 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device,
GDestroyNotify destroy)
{
struct agent_request *req;
+ DBusError dbus_err;
int err;

err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION);
if (err)
return err;

+ /* Just-Works repairing policy */
+ if (device_is_paired(device, BDADDR_BREDR) ||
+ device_is_paired(device, BDADDR_LE_PUBLIC)) {
+ if (main_opts.jw_repairing == JW_REPAIRING_NEVER) {
+ dbus_error_init(&dbus_err);
+ dbus_set_error_const(&dbus_err,
+ ERROR_INTERFACE ".Rejected", NULL);
+ cb(agent, &dbus_err, user_data);
+ return 0;
+ } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) {
+ cb(agent, NULL, user_data);
+ return 0;
+ }
+ }
+
DBG("Calling Agent.RequestAuthorization: name=%s, path=%s",
agent->owner, agent->path);
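Review bot: The new policy block is keyed only on `device_is_paired()`, so nothing visible in this hunk limits it to a Just-Works re-pairing. Any caller that reaches agent_request_authorization() for an already paired device is rejected under `never` (the default) or accepted without the agent being consulted under `always`. If this function also serves authorization requests other than the kernel's Just-Works confirmation, the check belongs at the call site that handles that confirmation, or the function needs a way to tell the cases apart. The two early returns also invoke `cb` before returning and never reference `destroy`, which may differ from the asynchronous path below; a comment such as `/* policy decided locally: cb runs before return, destroy is not invoked */` would make that contract explicit. The function body continues past the end of the hunk.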

diff --git a/src/hcid.h b/src/hcid.h
index adea85ce2..bcd2b9fa1 100644
--- a/src/hcid.h
+++ b/src/hcid.h
@@ -35,6 +35,12 @@ typedef enum {
BT_GATT_CACHE_NO,
} bt_gatt_cache_t;

+enum {
+ JW_REPAIRING_NEVER,
+ JW_REPAIRING_CONFIRM,
+ JW_REPAIRING_ALWAYS,
+} jw_repairing_t;
+
struct main_opts {
char *name;
uint32_t class;
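Review bot: `enum { ... } jw_repairing_t;` is missing the `typedef` keyword, so it defines a variable named jw_repairing_t in the header rather than a type. The field `jw_repairing_t jw_repairing;` added to struct main_opts in the next hunk, and the return type of parse_jw_repairing() in src/main.c, would then not compile. Follow the bt_gatt_cache_t declaration directly above it: `typedef enum {` ... `} jw_repairing_t;`.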
@@ -58,6 +64,8 @@ struct main_opts {
uint16_t gatt_mtu;

uint8_t key_size;
+
+ jw_repairing_t jw_repairing;
};

extern struct main_opts main_opts;
diff --git a/src/main.c b/src/main.c
index 1a6ab36a3..d67f469f1 100644
--- a/src/main.c
+++ b/src/main.c
@@ -93,6 +93,7 @@ static const char *supported_options[] = {
"MultiProfile",
"FastConnectable",
"Privacy",
+ "JustWorksRepairing",
NULL
};

@@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache)
}
}

+static jw_repairing_t parse_jw_repairing(const char *jw_repairing)
+{
+ if (!strcmp(jw_repairing, "never")) {
+ return JW_REPAIRING_NEVER;
+ } else if (!strcmp(jw_repairing, "confirm")) {
+ return JW_REPAIRING_CONFIRM;
+ } else if (!strcmp(jw_repairing, "always")) {
+ return JW_REPAIRING_ALWAYS;
+ } else {
+ return JW_REPAIRING_NEVER;
+ }
+}
+
+
static void check_options(GKeyFile *config, const char *group,
const char **options)
{
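Review bot: An unrecognised value falls through to the final `else` and silently becomes JW_REPAIRING_NEVER, so a typo in main.conf is indistinguishable from an explicit `never`. Failing closed is the right direction for a pairing policy, but the operator should be told; log the rejected string before returning, e.g. `warn("Invalid value for JustWorksRepairing=%s", jw_repairing);`. On style, the braces around the single `return` statements and the double blank line after the function do not match the unbraced form seen in the agent.c context of this patch (`if (err)` followed by `return err;`).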
@@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config)
g_free(str);
}

+ str = g_key_file_get_string(config, "General",
+ "JustWorksRepairing", &err);
+ if (err) {
+ DBG("%s", err->message);
+ g_clear_error(&err);
+ main_opts.jw_repairing = JW_REPAIRING_NEVER;
+ } else {
+ DBG("just_works_repairing=%s", str);
+ main_opts.jw_repairing = parse_jw_repairing(str);
+ g_free(str);
+ }
+
str = g_key_file_get_string(config, "General", "Name", &err);
if (err) {
DBG("%s", err->message);
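Review bot: JW_REPAIRING_NEVER is assigned only on this error path, so the rejecting default exists only when parse_config() actually gets this far. If the function returns early when no configuration file is loaded (its start is outside the hunk), main_opts.jw_repairing keeps whatever it was initialised to, and the secure default then depends on JW_REPAIRING_NEVER being enumerator 0. Setting `main_opts.jw_repairing = JW_REPAIRING_NEVER;` where the other main_opts defaults are initialised would make the default explicit. parse_config() continues beyond the hunk.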
diff --git a/src/main.conf b/src/main.conf
index 40687a755..bb5ff5b15 100644
--- a/src/main.conf
+++ b/src/main.conf
@@ -72,6 +72,11 @@
# Defaults to "off"
# Privacy = off

+# Specify the policy to the JUST-WORKS repairing initiated by peer
+# Possible values: "never", "confirm", "always"
+# Defaults to "never"
+#JustWorksRepairing = never
+
[GATT]
# GATT attribute cache.
# Possible values:
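Review bot: The added comment lists the three values but not what each one does, and `always` is the one that weakens security: per the agent.c change in this patch it accepts the re-pairing without asking the agent. I would spell the values out, e.g. `# never: reject; confirm: ask the agent (user) to authorize; always: accept without asking`. The comment should also say that the setting applies to pairing requests coming from a device that is already paired.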
--
2.25.0.225.g125e21ebc7-goog


2020-02-12 13:58:58

by Emil Lenngren

Subject: Re: [Bluez PATCH v2] core: Add new policy for Just-Works repairing

Hi,

Den ons 12 feb. 2020 kl 14:30 skrev Howard Chung <[email protected]>:
>
> From: "[email protected]" <[email protected]>
>
> When kernel find out that the incoming Just-Works pairing is
> initiated by a paired device, it is user space's responsibility to
> decide the next action.
>
> This patch includes the following:
> - add JustWorksRepairing policy as an option in main.conf
> - handle the confirmation request from kernel
>
> ---
> The Just-Works repairing policy could be one of the following:
> - never: default; reject the repairing immediately.
> - confirm: prompt a confirmation dialog to user.
> - always: always accept the repairing.
>
> Changes in v2:
> - let RequestAuthorization handle the situation
> - remove the changes in client/
>
> src/agent.c | 16 ++++++++++++++++
> src/hcid.h | 8 ++++++++
> src/main.c | 27 +++++++++++++++++++++++++++
> src/main.conf | 5 +++++
> 4 files changed, 56 insertions(+)
>
> diff --git a/src/agent.c b/src/agent.c
> index e0ffcd22f..e013ec85f 100644
> --- a/src/agent.c
> +++ b/src/agent.c
> @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device,
> GDestroyNotify destroy)
> {
> struct agent_request *req;
> + DBusError dbus_err;
> int err;
>
> err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION);
> if (err)
> return err;
>
> + /* Just-Works repairing policy */
> + if (device_is_paired(device, BDADDR_BREDR) ||
> + device_is_paired(device, BDADDR_LE_PUBLIC)) {
> + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) {
> + dbus_error_init(&dbus_err);
> + dbus_set_error_const(&dbus_err,
> + ERROR_INTERFACE ".Rejected", NULL);
> + cb(agent, &dbus_err, user_data);
> + return 0;
> + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) {
> + cb(agent, NULL, user_data);
> + return 0;
> + }
> + }
> +
> DBG("Calling Agent.RequestAuthorization: name=%s, path=%s",
> agent->owner, agent->path);
>
> diff --git a/src/hcid.h b/src/hcid.h
> index adea85ce2..bcd2b9fa1 100644
> --- a/src/hcid.h
> +++ b/src/hcid.h
> @@ -35,6 +35,12 @@ typedef enum {
> BT_GATT_CACHE_NO,
> } bt_gatt_cache_t;
>
> +enum {
> + JW_REPAIRING_NEVER,
> + JW_REPAIRING_CONFIRM,
> + JW_REPAIRING_ALWAYS,
> +} jw_repairing_t;
> +
> struct main_opts {
> char *name;
> uint32_t class;
> @@ -58,6 +64,8 @@ struct main_opts {
> uint16_t gatt_mtu;
>
> uint8_t key_size;
> +
> + jw_repairing_t jw_repairing;
> };
>
> extern struct main_opts main_opts;
> diff --git a/src/main.c b/src/main.c
> index 1a6ab36a3..d67f469f1 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -93,6 +93,7 @@ static const char *supported_options[] = {
> "MultiProfile",
> "FastConnectable",
> "Privacy",
> + "JustWorksRepairing",
> NULL
> };
>
> @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache)
> }
> }
>
> +static jw_repairing_t parse_jw_repairing(const char *jw_repairing)
> +{
> + if (!strcmp(jw_repairing, "never")) {
> + return JW_REPAIRING_NEVER;
> + } else if (!strcmp(jw_repairing, "confirm")) {
> + return JW_REPAIRING_CONFIRM;
> + } else if (!strcmp(jw_repairing, "always")) {
> + return JW_REPAIRING_ALWAYS;
> + } else {
> + return JW_REPAIRING_NEVER;
> + }
> +}
> +
> +
> static void check_options(GKeyFile *config, const char *group,
> const char **options)
> {
> @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config)
> g_free(str);
> }
>
> + str = g_key_file_get_string(config, "General",
> + "JustWorksRepairing", &err);
> + if (err) {
> + DBG("%s", err->message);
> + g_clear_error(&err);
> + main_opts.jw_repairing = JW_REPAIRING_NEVER;
> + } else {
> + DBG("just_works_repairing=%s", str);
> + main_opts.jw_repairing = parse_jw_repairing(str);
> + g_free(str);
> + }
> +
> str = g_key_file_get_string(config, "General", "Name", &err);
> if (err) {
> DBG("%s", err->message);
> diff --git a/src/main.conf b/src/main.conf
> index 40687a755..bb5ff5b15 100644
> --- a/src/main.conf
> +++ b/src/main.conf
> @@ -72,6 +72,11 @@
> # Defaults to "off"
> # Privacy = off
>
> +# Specify the policy to the JUST-WORKS repairing initiated by peer
> +# Possible values: "never", "confirm", "always"
> +# Defaults to "never"
> +#JustWorksRepairing = never
> +
> [GATT]
> # GATT attribute cache.
> # Possible values:
> --
> 2.25.0.225.g125e21ebc7-goog
>

I haven't looked much into this, but have a question. What happens by
default currently when we have an already bonded device previously
paired using some MITM-protected mechanism, and suddenly wants to
re-bond using a less secure mechanism (Just Works)? In my opinion
denying this should obviously be the default in case no agent is
available, compared to if pairing a new device then the default should
be accept.

/Emil

2020-02-12 21:20:08

by Luiz Augusto von Dentz

Subject: Re: [Bluez PATCH v2] core: Add new policy for Just-Works repairing

Hi Howard,

On Wed, Feb 12, 2020 at 5:30 AM Howard Chung <[email protected]> wrote:
>
> From: "[email protected]" <[email protected]>
>
> When kernel find out that the incoming Just-Works pairing is
> initiated by a paired device, it is user space's responsibility to
> decide the next action.
>
> This patch includes the following:
> - add JustWorksRepairing policy as an option in main.conf
> - handle the confirmation request from kernel
>
> ---
> The Just-Works repairing policy could be one of the following:
> - never: default; reject the repairing immediately.
> - confirm: prompt a confirmation dialog to user.
> - always: always accept the repairing.
>
> Changes in v2:
> - let RequestAuthorization handle the situation
> - remove the changes in client/
>
> src/agent.c | 16 ++++++++++++++++
> src/hcid.h | 8 ++++++++
> src/main.c | 27 +++++++++++++++++++++++++++
> src/main.conf | 5 +++++
> 4 files changed, 56 insertions(+)
>
> diff --git a/src/agent.c b/src/agent.c
> index e0ffcd22f..e013ec85f 100644
> --- a/src/agent.c
> +++ b/src/agent.c
> @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device,
> GDestroyNotify destroy)
> {
> struct agent_request *req;
> + DBusError dbus_err;
> int err;
>
> err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION);
> if (err)
> return err;
>
> + /* Just-Works repairing policy */
> + if (device_is_paired(device, BDADDR_BREDR) ||
> + device_is_paired(device, BDADDR_LE_PUBLIC)) {
> + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) {
> + dbus_error_init(&dbus_err);
> + dbus_set_error_const(&dbus_err,
> + ERROR_INTERFACE ".Rejected", NULL);
> + cb(agent, &dbus_err, user_data);
> + return 0;

Can't we just return an error here instead of creating a D-Bus error
just to call the callback?

> + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) {
> + cb(agent, NULL, user_data);
> + return 0;
> + }
> + }
> +
> DBG("Calling Agent.RequestAuthorization: name=%s, path=%s",
> agent->owner, agent->path);
>
> diff --git a/src/hcid.h b/src/hcid.h
> index adea85ce2..bcd2b9fa1 100644
> --- a/src/hcid.h
> +++ b/src/hcid.h
> @@ -35,6 +35,12 @@ typedef enum {
> BT_GATT_CACHE_NO,
> } bt_gatt_cache_t;
>
> +enum {
> + JW_REPAIRING_NEVER,
> + JW_REPAIRING_CONFIRM,
> + JW_REPAIRING_ALWAYS,
> +} jw_repairing_t;
> +
> struct main_opts {
> char *name;
> uint32_t class;
> @@ -58,6 +64,8 @@ struct main_opts {
> uint16_t gatt_mtu;
>
> uint8_t key_size;
> +
> + jw_repairing_t jw_repairing;
> };
>
> extern struct main_opts main_opts;
> diff --git a/src/main.c b/src/main.c
> index 1a6ab36a3..d67f469f1 100644
> --- a/src/main.c
> +++ b/src/main.c
> @@ -93,6 +93,7 @@ static const char *supported_options[] = {
> "MultiProfile",
> "FastConnectable",
> "Privacy",
> + "JustWorksRepairing",
> NULL
> };
>
> @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache)
> }
> }
>
> +static jw_repairing_t parse_jw_repairing(const char *jw_repairing)
> +{
> + if (!strcmp(jw_repairing, "never")) {
> + return JW_REPAIRING_NEVER;
> + } else if (!strcmp(jw_repairing, "confirm")) {
> + return JW_REPAIRING_CONFIRM;
> + } else if (!strcmp(jw_repairing, "always")) {
> + return JW_REPAIRING_ALWAYS;
> + } else {
> + return JW_REPAIRING_NEVER;
> + }
> +}
> +
> +
> static void check_options(GKeyFile *config, const char *group,
> const char **options)
> {
> @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config)
> g_free(str);
> }
>
> + str = g_key_file_get_string(config, "General",
> + "JustWorksRepairing", &err);
> + if (err) {
> + DBG("%s", err->message);
> + g_clear_error(&err);
> + main_opts.jw_repairing = JW_REPAIRING_NEVER;
> + } else {
> + DBG("just_works_repairing=%s", str);
> + main_opts.jw_repairing = parse_jw_repairing(str);
> + g_free(str);
> + }
> +
> str = g_key_file_get_string(config, "General", "Name", &err);
> if (err) {
> DBG("%s", err->message);
> diff --git a/src/main.conf b/src/main.conf
> index 40687a755..bb5ff5b15 100644
> --- a/src/main.conf
> +++ b/src/main.conf
> @@ -72,6 +72,11 @@
> # Defaults to "off"
> # Privacy = off
>
> +# Specify the policy to the JUST-WORKS repairing initiated by peer
> +# Possible values: "never", "confirm", "always"
> +# Defaults to "never"
> +#JustWorksRepairing = never
> +
> [GATT]
> # GATT attribute cache.
> # Possible values:
> --
> 2.25.0.225.g125e21ebc7-goog
>


--
Luiz Augusto von Dentz

2020-02-12 21:22:42

by Luiz Augusto von Dentz

Subject: Re: [Bluez PATCH v2] core: Add new policy for Just-Works repairing

Hi Emil,

On Wed, Feb 12, 2020 at 6:00 AM Emil Lenngren <[email protected]> wrote:
>
> Hi,
>
> Den ons 12 feb. 2020 kl 14:30 skrev Howard Chung <[email protected]>:
> >
> > From: "[email protected]" <[email protected]>
> >
> > When kernel find out that the incoming Just-Works pairing is
> > initiated by a paired device, it is user space's responsibility to
> > decide the next action.
> >
> > This patch includes the following:
> > - add JustWorksRepairing policy as an option in main.conf
> > - handle the confirmation request from kernel
> >
> > ---
> > The Just-Works repairing policy could be one of the following:
> > - never: default; reject the repairing immediately.
> > - confirm: prompt a confirmation dialog to user.
> > - always: always accept the repairing.
> >
> > Changes in v2:
> > - let RequestAuthorization handle the situation
> > - remove the changes in client/
> >
> > src/agent.c | 16 ++++++++++++++++
> > src/hcid.h | 8 ++++++++
> > src/main.c | 27 +++++++++++++++++++++++++++
> > src/main.conf | 5 +++++
> > 4 files changed, 56 insertions(+)
> >
> > diff --git a/src/agent.c b/src/agent.c
> > index e0ffcd22f..e013ec85f 100644
> > --- a/src/agent.c
> > +++ b/src/agent.c
> > @@ -773,12 +773,28 @@ int agent_request_authorization(struct agent *agent, struct btd_device *device,
> > GDestroyNotify destroy)
> > {
> > struct agent_request *req;
> > + DBusError dbus_err;
> > int err;
> >
> > err = agent_has_request(agent, device, AGENT_REQUEST_AUTHORIZATION);
> > if (err)
> > return err;
> >
> > + /* Just-Works repairing policy */
> > + if (device_is_paired(device, BDADDR_BREDR) ||
> > + device_is_paired(device, BDADDR_LE_PUBLIC)) {
> > + if (main_opts.jw_repairing == JW_REPAIRING_NEVER) {
> > + dbus_error_init(&dbus_err);
> > + dbus_set_error_const(&dbus_err,
> > + ERROR_INTERFACE ".Rejected", NULL);
> > + cb(agent, &dbus_err, user_data);
> > + return 0;
> > + } else if (main_opts.jw_repairing == JW_REPAIRING_ALWAYS) {
> > + cb(agent, NULL, user_data);
> > + return 0;
> > + }
> > + }
> > +
> > DBG("Calling Agent.RequestAuthorization: name=%s, path=%s",
> > agent->owner, agent->path);
> >
> > diff --git a/src/hcid.h b/src/hcid.h
> > index adea85ce2..bcd2b9fa1 100644
> > --- a/src/hcid.h
> > +++ b/src/hcid.h
> > @@ -35,6 +35,12 @@ typedef enum {
> > BT_GATT_CACHE_NO,
> > } bt_gatt_cache_t;
> >
> > +enum {
> > + JW_REPAIRING_NEVER,
> > + JW_REPAIRING_CONFIRM,
> > + JW_REPAIRING_ALWAYS,
> > +} jw_repairing_t;
> > +
> > struct main_opts {
> > char *name;
> > uint32_t class;
> > @@ -58,6 +64,8 @@ struct main_opts {
> > uint16_t gatt_mtu;
> >
> > uint8_t key_size;
> > +
> > + jw_repairing_t jw_repairing;
> > };
> >
> > extern struct main_opts main_opts;
> > diff --git a/src/main.c b/src/main.c
> > index 1a6ab36a3..d67f469f1 100644
> > --- a/src/main.c
> > +++ b/src/main.c
> > @@ -93,6 +93,7 @@ static const char *supported_options[] = {
> > "MultiProfile",
> > "FastConnectable",
> > "Privacy",
> > + "JustWorksRepairing",
> > NULL
> > };
> >
> > @@ -193,6 +194,20 @@ static bt_gatt_cache_t parse_gatt_cache(const char *cache)
> > }
> > }
> >
> > +static jw_repairing_t parse_jw_repairing(const char *jw_repairing)
> > +{
> > + if (!strcmp(jw_repairing, "never")) {
> > + return JW_REPAIRING_NEVER;
> > + } else if (!strcmp(jw_repairing, "confirm")) {
> > + return JW_REPAIRING_CONFIRM;
> > + } else if (!strcmp(jw_repairing, "always")) {
> > + return JW_REPAIRING_ALWAYS;
> > + } else {
> > + return JW_REPAIRING_NEVER;
> > + }
> > +}
> > +
> > +
> > static void check_options(GKeyFile *config, const char *group,
> > const char **options)
> > {
> > @@ -331,6 +346,18 @@ static void parse_config(GKeyFile *config)
> > g_free(str);
> > }
> >
> > + str = g_key_file_get_string(config, "General",
> > + "JustWorksRepairing", &err);
> > + if (err) {
> > + DBG("%s", err->message);
> > + g_clear_error(&err);
> > + main_opts.jw_repairing = JW_REPAIRING_NEVER;
> > + } else {
> > + DBG("just_works_repairing=%s", str);
> > + main_opts.jw_repairing = parse_jw_repairing(str);
> > + g_free(str);
> > + }
> > +
> > str = g_key_file_get_string(config, "General", "Name", &err);
> > if (err) {
> > DBG("%s", err->message);
> > diff --git a/src/main.conf b/src/main.conf
> > index 40687a755..bb5ff5b15 100644
> > --- a/src/main.conf
> > +++ b/src/main.conf
> > @@ -72,6 +72,11 @@
> > # Defaults to "off"
> > # Privacy = off
> >
> > +# Specify the policy to the JUST-WORKS repairing initiated by peer
> > +# Possible values: "never", "confirm", "always"
> > +# Defaults to "never"
> > +#JustWorksRepairing = never
> > +
> > [GATT]
> > # GATT attribute cache.
> > # Possible values:
> > --
> > 2.25.0.225.g125e21ebc7-goog
> >
>
> I haven't looked much into this, but have a question. What happens by
> default currently when we have an already bonded device previously
> paired using some MITM-protected mechanism, and suddenly wants to
> re-bond using a less secure mechanism (Just Works)? In my opinion
> denying this should obviously be the default in case no agent is
> available, compared to if pairing a new device then the default should
> be accept.

When no agent is registered we don't set the pairable flag, so it
shouldn't even be able to trigger a new pairing without an agent.

--
Luiz Augusto von Dentz