From: Brian Gix
To: linux-bluetooth@vger.kernel.org
Cc: brian.gix@intel.com, inga.stotland@intel.com, rafal.gajda@silvair.com
Subject: [PATCH BlueZ v4 4/5] mesh: Apply Replay Protection to all incoming packets
Date: Tue, 28 Jan 2020 18:32:57 -0800
Message-Id: <20200129023258.10004-5-brian.gix@intel.com>
In-Reply-To: <20200129023258.10004-1-brian.gix@intel.com>
References: <20200129023258.10004-1-brian.gix@intel.com>

Replay Protection was only being applied against Application Keys, but messages with Device Keys are just as vulnerable, and need to be checked as well.

--- mesh/model.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/mesh/model.c b/mesh/model.c index 0018c7cff..92a00496c 100644 --- a/mesh/model.c +++ b/mesh/model.c @@ -608,7 +608,7 @@ static bool msg_send(struct mesh_node *node, bool credential, uint16_t src, iv_index = mesh_net_get_iv_index(net); - seq_num = mesh_net_get_seq_num(net); + seq_num = mesh_net_next_seq_num(net); if (!mesh_crypto_payload_encrypt(label, msg, out, msg_len, src, dst, key_aid, seq_num, iv_index, szmic, key)) { l_error("Failed to Encrypt Payload"); @@ -949,7 +949,7 @@ bool mesh_model_rx(struct mesh_node *node, bool szmict, uint32_t seq0, struct mesh_net *net = node_get_net(node); uint8_t num_ele; int decrypt_idx, i, ele_idx; - uint16_t addr; + uint16_t addr, crpl; struct mesh_virtual *decrypt_virt = NULL; bool result = false; bool is_subscription; 
@@ -997,14 +997,12 @@ bool mesh_model_rx(struct mesh_node *node, bool szmict, uint32_t seq0, /* print_packet("Clr Rx (pre-cache-check)", clear_text, size - 4); */ - if (key_aid != APP_AID_DEV) { - uint16_t crpl = node_get_crpl(node); + crpl = node_get_crpl(node); - if (net_msg_in_replay_cache(net, (uint16_t) decrypt_idx, src, - crpl, seq, iv_index)) { - result = true; - goto done; - } + if (net_msg_in_replay_cache(net, (uint16_t) decrypt_idx, src, + crpl, seq, iv_index)) { + result = true; + goto done; } print_packet("Clr Rx", clear_text, size - (szmict ? 8 : 4)); -- 2.21.1
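
Review bot: The msg_send() hunk at -608 is not covered by the commit message, which describes only replay checks on incoming packets; replacing mesh_net_get_seq_num(net) with mesh_net_next_seq_num(net) changes how the transmit path obtains its sequence number and deserves its own sentence in the log or its own patch. If, as the name suggests, mesh_net_next_seq_num() advances the counter, the value is also consumed when mesh_crypto_payload_encrypt() fails on the lines that follow; please state whether skipping a sequence number on that error path is intended.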
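
Review bot: In the mesh_model_rx() hunk at -997, net_msg_in_replay_cache() now receives (uint16_t) decrypt_idx for device-key messages as well, a path that never reached this call while the key_aid != APP_AID_DEV guard was in place. decrypt_idx is declared as int, so please confirm what it holds after a device-key decrypt and that casting it to uint16_t gives the cache an index it expects, or add a comment saying so. Since crpl is now used in a single call, passing node_get_crpl(node) directly would also avoid the function-scope variable added in the -949 hunk.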