From: Brian Gix
To: linux-bluetooth@vger.kernel.org
Cc: brian.gix@intel.com, inga.stotland@intel.com
Subject: [PATCH BlueZ v2 4/5] mesh: Apply Replay Protection to all incoming packets
Date: Fri, 24 Jan 2020 16:43:49 -0800
Message-Id: <20200125004350.4640-5-brian.gix@intel.com>
In-Reply-To: <20200125004350.4640-1-brian.gix@intel.com>
References: <20200125004350.4640-1-brian.gix@intel.com>

Replay Protection was only being applied against Application Keys, but messages with Device Keys are just as vulnerable, and need to be checked as well.
---
 mesh/model.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/mesh/model.c b/mesh/model.c index 0018c7cff..92a00496c 100644 --- a/mesh/model.c +++ b/mesh/model.c @@ -608,7 +608,7 @@ static bool msg_send(struct mesh_node *node, bool credential, uint16_t src, iv_index = mesh_net_get_iv_index(net); - seq_num = mesh_net_get_seq_num(net); + seq_num = mesh_net_next_seq_num(net); if (!mesh_crypto_payload_encrypt(label, msg, out, msg_len, src, dst, key_aid, seq_num, iv_index, szmic, key)) { l_error("Failed to Encrypt Payload"); @@ -949,7 +949,7 @@ bool mesh_model_rx(struct mesh_node *node, bool szmict, uint32_t seq0, struct mesh_net *net = node_get_net(node); uint8_t num_ele; int decrypt_idx, i, ele_idx; - uint16_t addr; + uint16_t addr, crpl; struct mesh_virtual *decrypt_virt = NULL; bool result = false; bool is_subscription; 
@@ -997,14 +997,12 @@ bool mesh_model_rx(struct mesh_node *node, bool szmict, uint32_t seq0, /* print_packet("Clr Rx (pre-cache-check)", clear_text, size - 4); */ - if (key_aid != APP_AID_DEV) { - uint16_t crpl = node_get_crpl(node); + crpl = node_get_crpl(node); - if (net_msg_in_replay_cache(net, (uint16_t) decrypt_idx, src, - crpl, seq, iv_index)) { - result = true; - goto done; - } + if (net_msg_in_replay_cache(net, (uint16_t) decrypt_idx, src, + crpl, seq, iv_index)) { + result = true; + goto done; } print_packet("Clr Rx", clear_text, size - (szmict ? 8 : 4)); -- 2.21.1
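
Review bot: In the msg_send() hunk, the switch from mesh_net_get_seq_num(net) to mesh_net_next_seq_num(net) is a transmit-side change, while the commit message only covers replay checks on incoming packets. Please either explain in the commit message why the sequence number source changes here or move it into its own patch. Also confirm that nothing later in the send path advances the sequence number a second time for the same payload, since this value is passed into mesh_crypto_payload_encrypt() together with iv_index.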
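
Review bot: In the mesh_model_rx() hunk at -997, removing the key_aid != APP_AID_DEV guard means device-key messages now reach net_msg_in_replay_cache() with (uint16_t) decrypt_idx, and decrypt_idx is declared as a signed int at the top of the function. Please confirm what decrypt_idx holds after a device-key decrypt; if it can be negative or a sentinel, the cast turns it into a large index, so pass an explicit, documented value for that case. A short comment on why a replay hit sets result = true before goto done would help readers, and since crpl is used only in this one call, node_get_crpl(node) could be passed directly instead of widening the declaration to "uint16_t addr, crpl;".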