From: Brian Gix To: linux-bluetooth@vger.kernel.org Cc: inga.stotland@intel.com, brian.gix@intel.com Subject: [PATCH BlueZ] mesh: Add Provisioning Confirmation validity check Date: Thu, 8 Apr 2021 12:09:28 -0700 Message-Id: <20210408190928.1645427-1-brian.gix@intel.com> X-Mailer: git-send-email 2.25.4 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-bluetooth@vger.kernel.org Validate generated and received confirmation data is unique during provisioning. --- mesh/prov-acceptor.c | 13 +++++++++++-- mesh/prov-initiator.c | 8 ++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/mesh/prov-acceptor.c b/mesh/prov-acceptor.c index 4ec6ea34a..e806b12ef 100644 --- a/mesh/prov-acceptor.c +++ b/mesh/prov-acceptor.c @@ -347,14 +347,20 @@ static void send_pub_key(struct mesh_prov_acceptor *prov) prov->trans_tx(prov->trans_data, &msg, sizeof(msg)); } -static void send_conf(struct mesh_prov_acceptor *prov) +static bool send_conf(struct mesh_prov_acceptor *prov) { struct prov_conf_msg msg; msg.opcode = PROV_CONFIRM; mesh_crypto_aes_cmac(prov->calc_key, prov->rand_auth_workspace, 32, msg.conf); + + /* Fail if confirmations match */ + if (!memcmp(msg.conf, prov->confirm, sizeof(msg.conf))) + return false; + prov->trans_tx(prov->trans_data, &msg, sizeof(msg)); + return true; } static void send_rand(struct mesh_prov_acceptor *prov) @@ -529,7 +535,10 @@ static void acp_prov_rx(void *user_data, const uint8_t *data, uint16_t len) memcpy(prov->confirm, data, 16); prov->expected = PROV_RANDOM; - send_conf(prov); + if (!send_conf(prov)) { + fail.reason = PROV_ERR_INVALID_PDU; + goto failure; + } break; case PROV_RANDOM: /* Random Value */ diff --git a/mesh/prov-initiator.c b/mesh/prov-initiator.c index 4f492a49c..ae9c646de 100644 --- a/mesh/prov-initiator.c +++ b/mesh/prov-initiator.c 
@@ -279,6 +279,7 @@ static void send_confirm(struct mesh_prov_initiator *prov) msg.opcode = PROV_CONFIRM; mesh_crypto_aes_cmac(prov->calc_key, prov->rand_auth_workspace, 32, msg.conf); + memcpy(prov->confirm, msg.conf, sizeof(prov->confirm)); prov->trans_tx(prov->trans_data, &msg, sizeof(msg)); prov->state = INT_PROV_CONF_SENT; prov->expected = PROV_CONFIRM; @@ -732,6 +733,13 @@ static void int_prov_rx(void *user_data, const uint8_t *data, uint16_t len) case PROV_CONFIRM: /* Confirmation */ prov->state = INT_PROV_CONF_ACKED; /* RXed Device Confirmation */ + + /* Disallow echoed values */ + if (!memcmp(prov->confirm, data, 16)) { + fail_code[1] = PROV_ERR_INVALID_PDU; + goto failure; + } + memcpy(prov->confirm, data, 16); print_packet("ConfirmationDevice", prov->confirm, 16); send_random(prov); -- 2.25.4
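Review bot: in the first mesh/prov-acceptor.c hunk, the comment "Fail if confirmations match" in send_conf() does not say which two values are compared or why a match is an error. The check only works because the caller has already copied the received confirmation into prov->confirm, so please state that precondition in the comment, for example that prov->confirm must hold the peer's confirmation and that an identical local value is rejected as an echo. Since the return type changed from void to bool, any caller of send_conf() other than the one updated in acp_prov_rx() needs to check the result as well.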
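Review bot: in the second mesh/prov-acceptor.c hunk (acp_prov_rx), a matching confirmation is reported with fail.reason = PROV_ERR_INVALID_PDU, although the received PDU is well formed and the thing that failed is the confirmation comparison. If the provisioning error codes include a confirmation-specific reason, using it here would let the peer and the logs distinguish this rejection from a malformed packet; otherwise a short comment explaining the choice of INVALID_PDU would help.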
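Review bot: in the first mesh/prov-initiator.c hunk (send_confirm), prov->confirm now holds the initiator's own confirmation until int_prov_rx() overwrites it with the device's value, so one field carries two meanings depending on state and nothing documents it. A separate field for the local confirmation, or at least a comment at the memcpy, would keep later code that reads prov->confirm from silently picking up the wrong side's value. The copy length uses sizeof(prov->confirm) while the source is msg.conf; worth confirming both arrays have the same size.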
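Review bot: in the second mesh/prov-initiator.c hunk (int_prov_rx, case PROV_CONFIRM), prov->state is set to INT_PROV_CONF_ACKED before the echo check runs, so the failure path is entered with the state already advanced as if the device confirmation had been accepted. Moving the memcmp block above the state assignment avoids that. The comparison also uses the literal 16 where the send_confirm hunk uses sizeof(prov->confirm); using the sizeof form in both places keeps the two in step.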