| Commit message | Author | Age | Files | Lines |
| |
This handles a case when a Key Refresh procedure is in place with
no application keys stored in the keyring. When KR procedure is
finalized, the check for the presence of AppKeys storage directory
does not return failure if the directory does not exist.
Also, remove duplicate include.
| |
This enables proxying ISO packets.
| |
This adds the initial command/event decoding for 5.2.
| |
Enhanced Credit Based Flow Control Mode is used for L2CAP
connection-oriented channels on LE and BR/EDR with flow control using
a credit-based scheme for L2CAP data.
| |
This enables decoding of ISO packets.
| |
This adds the decoding of ISO related Link Layer PDUs
| |
This adds parsing of ISO related commands.
| |
This patch removes node_set_device_key() function,
because it is unused.
| |
There is no need to use the pointer to the node_comp data.
This patch uses static node_comp instead.
| |
Re-arranged for efficiency. Replay Protection was set up as an atomic
check-and-add operation. Now we check the message early so we can
discard it without taking further action, and only add it to the RPL
once fully verified that it was authorized and addressed to us.
| |
Mesh specification requires that Replay Protection be preserved
across node restarts. This adds that storage in
<node_uuid>/rpl/<iv_index>/<src>
Realtime access remains in an l_queue structure, and stored as
messages are processed.
| |
Replay Protection was only being applied against Application Keys,
but messages with Device Keys are just as vulnerable, and need to be
checked as well.
| |
Scrub of Sequence Number handling of OB messages to account for in-node
delivery of segmented messages, so that each discrete message has a
unique sequence number for the RPL.
| |
The specification calls for a flatter Replay Protection List that
applies to all processed messages, regardless of which credentials
were used to secure them. So storage and checking is now centralized
in mesh/net.c
| |
Packet Too Long (0x45) status code was missing.
| |
In Public Key OOB case, when provisioner receives public key via
OOB, provisioner has to send its public key to remote node and
then proceed for authentication.
Handle invalid keys case.
| |
Provisioning agent interface methods PublicKey, PrivateKey and
Cancel do not accept any parameters. So, while invoking them
explicitly set the parameters to "".
| |
Remove mentioning of ImportLocalNode() method, use Import() instead.
| |
This adds implementation for:
Config Model Subscription Delete
Config Model Subscription Delete All
Config Model Subscription Overwrite
and adds handling vendor model IDs for
Config Model Subscription Add
Config Model Subscription Get
| |
This adds implementation for sending Config Vendor App Get message
and receiving Config Vendor App List response.
| |
This adds missing validation of received responses.
If the length of a received message does not pass the
validation, it's not processed.
| |
Common code for populating message buffer with Model ID
(either SIG or vendor defined) for misc commands is refactored
into a single function.
| |
Change rl_handler to append duplicate history, as long as it isn't
identical to the last line. It prevents consecutive duplicates while
still having an accurate overview of the most recent commands used,
mimicking most modern shells.
This addresses my only major gripe with bluetoothctl: pressing UP does
not retrieve the last typed command when it is a duplicate of something
else written (much) earlier in the history. It is especially noticeable
when needing the same command repeatedly.
| |
Any packet that may be handled internally by the daemon must be sent in
its own idle_oneshot context, to prevent multiple nodes from handling
and responding in the same context, eventually corrupting memory.
This addresses the following crash:
Program terminated with signal SIGSEGV, Segmentation fault.
0 tcache_get (tc_idx=0) at malloc.c:2951
2951 tcache->entries[tc_idx] = e->next;
(gdb) bt
0 tcache_get (tc_idx=0) at malloc.c:2951
1 __GI___libc_malloc (bytes=bytes@entry=16) at malloc.c:3058
2 0x0000564cff9bc1de in l_malloc (size=size@entry=16) at ell/util.c:62
3 0x0000564cff9bd46b in l_queue_push_tail (queue=0x564d000c9710, data=data@entry=0x564d000d0d60) at ell/queue.c:136
4 0x0000564cff9beabd in idle_add (callback=callback@entry=0x564cff9be4e0 <oneshot_callback>, user_data=user_data@entry=0x564d000d4700,
flags=flags@entry=268435456, destroy=destroy@entry=0x564cff9be4c0 <idle_destroy>) at ell/main.c:292
5 0x0000564cff9be5f7 in l_idle_oneshot (callback=callback@entry=0x564cff998bc0 <tx_worker>, user_data=user_data@entry=0x564d000d83f0,
destroy=destroy@entry=0x0) at ell/idle.c:144
6 0x0000564cff998326 in send_tx (io=<optimized out>, info=0x7ffd035503f4, data=<optimized out>, len=<optimized out>)
at mesh/mesh-io-generic.c:637
7 0x0000564cff99675a in send_network_beacon (key=0x564d000cfee0) at mesh/net-keys.c:355
8 snb_timeout (timeout=0x564d000dd730, user_data=0x564d000cfee0) at mesh/net-keys.c:364
9 0x0000564cff9bdca2 in timeout_callback (fd=<optimized out>, events=<optimized out>, user_data=0x564d000dd730) at ell/timeout.c:81
10 timeout_callback (fd=<optimized out>, events=<optimized out>, user_data=0x564d000dd730) at ell/timeout.c:70
11 0x0000564cff9bedcd in l_main_iterate (timeout=<optimized out>) at ell/main.c:473
12 0x0000564cff9bee7c in l_main_run () at ell/main.c:520
13 l_main_run () at ell/main.c:502
14 0x0000564cff9bf08c in l_main_run_with_signal (callback=<optimized out>, user_data=0x0) at ell/main.c:642
15 0x0000564cff994b64 in main (argc=<optimized out>, argv=0x7ffd03550668) at mesh/main.c:268
| |
This changes the value of OP_VEND_MODEL_APP_GET to 0x804D (it was
incorrectly set to 0x804C)
| |
Adding the missing string conversion for MGMT_OP_SET_BLOCKED_KEYS.
| |
This change accomplishes 2 things:
1. Drop device security data from previously paired devices
using blocked keys.
2. Send the list of known bad keys that should be blocked to the kernel
if supported.
In particular keys from the Google Titan Security key are being
blocked.
For additional background information, please see
https://security.googleblog.com/2019/05/titan-keys-update.html
| |
This will allow other implementations within src/ to use a single
definition of the ARRAY_SIZE macro.
| |
Adding the required definitions for the MGMT_OP_SET_BLOCKED_KEYS API.
| |
This allows specifying io type and options when invoking the daemon.
When no "-i" is passed, meshd still runs with MESH_IO_TYPE_GENERIC and
tries to attach to the first available HCI interface.
Options "-i <n>" and "-i hci<n>" are just shortcuts for
"--io=generic:<n>" and "--io=generic:hci<n>", respectively.
| |
When responding with NetKey List Status, pack NetKey indices into
3 octets per pair. If number of NetKeys is odd, append the last key
index as a 2-octet value.
| |
When a netkey is deleted from a remote node, all the appkeys bound
to this netkey are expected to be deleted as well.
This fixes app_key queue manipulation to avoid issues caused by modifying
the queue while iterating over it: instead of iteration over all the
entries, find a first bound key, delete it, find next... and so on,
until there are no bound keys left in the app_keys queue.
| |
Use the value of VENDOR_ID_MASK to set/check vendor model
and SIG model IDs
| |
This implements commands to send AppKey Get and NetKey Get messages and
to process AppKey List and NetKey List responses
| |
First valid SNB received from the network should cause the node to
switch into IV_UPD_NORMAL state.
Otherwise, it will never try to enter IV Update procedure when sequence
number approaches the IV_UPDATE_SEQ_TRIGGER, because that's only allowed
in IV_UPD_NORMAL.
| |
After introducing "remote" flag for DevKeyMessageReceived in
c8cd5b04ccd865deeb90b70ea649c0b6cc0385e6, we can now allow applications
to receive DevKey messages from external addresses as well as from
local ones.
This enables applications to properly implement models using DevKey
security, by accepting only requests with "remote" flag set to false.
| |
When a netkey is deleted all the appkeys bound to this key have
to be deleted as well. This fixes app_key queue manipulation to
avoid issues caused by modifying the queue while iterating over it:
instead of iteration over all the entries, find a first bound key,
delete it, find next... and so on, until there are no bound keys
left in the app_keys queue.
| |
When deleting an AppKey from a node, call mesh_config_app_key_del()
only from appkey level (i.e., keep it contained in appkey.c and
remove the duplicate call in node.c)
Also, simplify the node_app_key_delete() argument list.
| |
The struct uinput_dev variable is on stack, so clear its content to
avoid accidentally writing garbage values to kernel. This fixes "Can't
create uinput device: Invalid argument (22)" in some cases.
| |
This allows one App using the mesh daemon to provision another.
| |
The crash with stack trace:
(libc-2.27.so -raise.c:51 ) raise
(libc-2.27.so -abort.c:79 ) abort
(libc-2.27.so -libc_fatal.c:181 ) __libc_message
(libc-2.27.so -malloc.c:5350 ) malloc_printerr
(libc-2.27.so -malloc.c:4157 ) _int_free
(libglib-2.0.so.0.5200.3 -gslist.c:878 ) g_slist_free_full
(bluetoothd -a2dp.c:165 ) setup_unref
(bluetoothd -a2dp.c:2184 ) a2dp_cancel
(bluetoothd -sink.c:317 ) sink_unregister
(bluetoothd -service.c:176 ) service_remove
(bluetoothd -device.c:4678 ) device_remove
(bluetoothd -adapter.c:6573 ) adapter_remove
(bluetoothd -adapter.c:8832 ) index_removed
(bluetoothd -queue.c:220 ) queue_foreach
(bluetoothd -mgmt.c:304 ) can_read_data
(bluetoothd -io-glib.c:170 ) watch_callback
(libglib-2.0.so.0.5200.3 -gmain.c:3234 ) g_main_context_dispatch
(libglib-2.0.so.0.5200.3 -gmain.c:3972 ) g_main_context_iterate
(libglib-2.0.so.0.5200.3 -gmain.c:4168 ) g_main_loop_run
(bluetoothd -main.c:798 ) main
(libc-2.27.so -libc-start.c:308 ) __libc_start_main
(bluetoothd + 0x0000b089 ) _start
(bluetoothd + 0x0000b05f ) _init
triggered when 'usb disconnect' happened after an AVDTP_SET_CONFIGURATION
request was sent but before the response was received.
In this situation, the recovering process goes into sink.c:sink_free and
then a2dp.c:a2dp_cancel, avdtp.c:cancel_request, avdtp.c:connection_lost,
avdtp.c:release_stream.
During recovering, the reference counts of setup and avdtp decrease more
than they increase, which ends up causing the crash.
The reference count of setup decreases one more time since
a2dp.c:setconf_cfm(called by cfm->set_configuration in
avdtp.c:cancel_request) was called in the 'error mode', which didn't
reference the setup, but in a2dp.c:abort_cfm(called by cfm->abort in
avdtp.c:release_stream), the reference count decreased by 1.
In this case, abort_cfm shouldn't be called as we already know
setconf_cfm didn't send any request. Setting avdtp_sep_state to
AVDTP_STATE_ABORTING should avoid this issue.
The reference count of avdtp decreases one more time since
both sink.c:sink_free and sink.c:sink_set_state(called from
avdtp.c:connection_lost -> avdtp.c:avdtp_set_state) unreference avdtp
for the session. The changes in sink.c should avoid the issue.
| |
< HCI Command: LE Set Default Periodic Advertisng Sync Transfer Parameters (0x08|0x005d) plen 6
Mode: Enabled with report events disabled (0x01)
Skip: 0x00
Sync timeout: 0 msec (0x0000)
Sync CTE type: 0x0000
> HCI Event: Command Status (0x0f) plen 4
LE Set Default Periodic Advertisng Sync Transfer Parameters (0x08|0x005d) ncmd 1
Status: Unknown HCI Command (0x01)
| |
< HCI Command: LE Periodic Advertising Sync Transfer Parameters (0x08|0x005c) plen 8
Connection handle: 1
Mode: Disabled (0x00)
Skip: 0x00
Sync timeout: 0 msec (0x0000)
Sync CTE type: 0x0000
> HCI Event: Command Status (0x0f) plen 4
LE Periodic Advertising Sync Transfer Parameters (0x08|0x005c) ncmd 1
Status: Unknown HCI Command (0x01)
| |
< HCI Command: LE Periodic Advertising Set Info Transfer (0x08|0x005b) plen 5
Connection handle: 1
Service data: 0x0000
Advertising handle: 0
> HCI Event: Command Status (0x0f) plen 4
LE Periodic Advertising Set Info Transfer (0x08|0x005b) ncmd 1
Status: Unknown HCI Command (0x01)