2019-11-26 19:15:29

by Alain Michaud

Subject: [PATCH] Blocked key mgmt Api definition

---
doc/mgmt-api.txt | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)

diff --git a/doc/mgmt-api.txt b/doc/mgmt-api.txt
index 0d11aa035..7c77927a2 100644
--- a/doc/mgmt-api.txt
+++ b/doc/mgmt-api.txt
@@ -3013,6 +3013,39 @@ Set PHY Configuration Command
Possible errors: Invalid Parameters
Invalid Index

+Load Blocked Keys Command
+===========================
+
+ Command Code: 0x0046
+ Controller Index: <controller id>
+ Command Parameters: Key_Count (2 Octets)
+ Key1 {
+ Key_Type (1 Octet)
+ Value (16 Octets)
+ }
+ Key2 { }
+ ...
+ Return Parameters:
+
+ This command is used to feed the kernel a list of keys that
+ are known to be vulnerable.
+
+ Currently defined Key_Type values are:
+
+ 0x00 Link Key (BR/EDR)
+ 0x01 Long Term Key (LE)
+ 0x02 Identity Resolving Key (LE)
+
+ This command can be used at anypoint to add to the list of blocked keys. Any connections that
+ are attempting to use the keys will be terminated. If a device tries to distribute the keys during
+ pairing, pairing will fail.
+
+ This command generates a Command Complete event on success or
+ a Command Status event on failure.
+
+ Possible errors: Invalid Parameters
+ Invalid Index
+

Command Complete Event
======================
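
Review bot: The paragraph beginning "This command can be used at anypoint to add to the list of blocked keys" leaves the list semantics undefined: the command is named "Load", which suggests each call replaces the previous list, while the text says it adds to it. Please state which one applies, and what a Key_Count of 0 means, since no other way to clear or shrink the list is described. The text also says connections "attempting to use the keys will be terminated" but does not say whether connections already established with a key that is blocked later are affected. The byte order of the 16-octet Value field should be stated as well. Style: the three lines of that paragraph run past 80 columns, unlike the rest of the added text, and "anypoint" should be "any point".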
--
2.24.0.432.g9d3f5f5b63-goog


2019-11-27 06:01:09

by Marcel Holtmann

Subject: Re: [PATCH] Blocked key mgmt Api definition

Hi Alain,

> ---
> doc/mgmt-api.txt | 33 +++++++++++++++++++++++++++++++++
> 1 file changed, 33 insertions(+)

patch has been applied.

> +
> + This command can be used at anypoint to add to the list of blocked keys. Any connections that
> + are attempting to use the keys will be terminated. If a device tries to distribute the keys during
> + pairing, pairing will fail.
> +

However, I ended up rewording this part since it didn’t sound right to me. We can adjust this once we have the implementation to match against, but for now I kept it simple. Oh, and we need to stay within the rule that it has to be readable in an 80-character-wide terminal. So no long lines.

Regards

Marcel

2019-11-27 15:55:09

by Luiz Augusto von Dentz

Subject: Re: [PATCH] Blocked key mgmt Api definition

Hi Marcel, Alain,

On Wed, Nov 27, 2019 at 8:02 AM Marcel Holtmann <[email protected]> wrote:
>
> Hi Alain,
>
> > ---
> > doc/mgmt-api.txt | 33 +++++++++++++++++++++++++++++++++
> > 1 file changed, 33 insertions(+)
>
> patch has been applied.
>
> > +
> > + This command can be used at anypoint to add to the list of blocked keys. Any connections that
> > + are attempting to use the keys will be terminated. If a device tries to distribute the keys during
> > + pairing, pairing will fail.
> > +
>
> However, I ended up rewording this part since it didn’t sound right to me. We can adjust this once we have the implementation to match against, but for now I kept it simple. Oh, and we need to stay within the rule that it has to be readable in an 80-character-wide terminal. So no long lines.

Will there be a follow-up change to add support for this in the
daemon? I suspect we will need to have it given as a file, or will the
blacklist be just hardcoded?

--
Luiz Augusto von Dentz

2019-11-27 16:45:39

by Alain Michaud

Subject: Re: [PATCH] Blocked key mgmt Api definition

Hi Luiz,

Yes, look for more patches from me on this next week.

Thanks,
Alain


On Wed, Nov 27, 2019 at 10:54 AM Luiz Augusto von Dentz
<[email protected]> wrote:
>
> Hi Marcel, Alain,
>
> On Wed, Nov 27, 2019 at 8:02 AM Marcel Holtmann <[email protected]> wrote:
> >
> > Hi Alain,
> >
> > > ---
> > > doc/mgmt-api.txt | 33 +++++++++++++++++++++++++++++++++
> > > 1 file changed, 33 insertions(+)
> >
> > patch has been applied.
> >
> > > +
> > > + This command can be used at anypoint to add to the list of blocked keys. Any connections that
> > > + are attempting to use the keys will be terminated. If a device tries to distribute the keys during
> > > + pairing, pairing will fail.
> > > +
> >
> > However, I ended up rewording this part since it didn’t sound right to me. We can adjust this once we have the implementation to match against, but for now I kept it simple. Oh, and we need to stay within the rule that it has to be readable in an 80-character-wide terminal. So no long lines.
>
> Will there be a follow-up change to add support for this in the
> daemon? I suspect we will need to have it given as a file, or will the
> blacklist be just hardcoded?
>
> --
> Luiz Augusto von Dentz