RE: Meshctl - Modification to agent.c for easier entering static OOB key

Hi Jehudi,

We need to be careful that we do not compromise the security level when operating with HIGH security. 

HIGH Security provisioning is defined as the provisioner getting either the full 64 bytes of the new device's Public Key Out-Of-Band, *or* the full 16 bytes of high quality Static Data Out-Of-Band.

Any "Well Known" keys or static data, or static data that does not use all the bytes available, compromises the security of Mesh.


As I said in another thread here, tweaks to the code to simplify testing can be valuable during the development cycle, but we should not ever release BlueZ Mesh with security crippled, or it could have permanent repercussions with respect to the level of security in any Mesh system. Security is cooperative in Mesh, and one poorly secured node can compromise the entire mesh.

So if you want to make tweaks like this in your local system, you are free to do so, but please don't put security-lowering tweaks into any released system, and please don't upstream those tweaks here.

> -----Original Message-----
> From: linux-bluetooth-owner@xxxxxxxxxxxxxxx [mailto:linux-bluetooth-
> owner@xxxxxxxxxxxxxxx] On Behalf Of Laczen JMS
> Sent: Friday, September 1, 2017 7:34 AM
> To: linux-bluetooth@xxxxxxxxxxxxxxx
> Subject: Meshctl - Modification to agent.c for easier entering static OOB key
> 
> Hi,
> 
> Entering a static OOB key in meshctl requires all 16 bytes. With the following
> change a shorter key can be entered. I have never created a patch, so sorry
> about the format:
> 
> In agent.c @ line 102:
> static bool response_hexadecimal(const char *input) {
>   uint8_t buf[MAX_HEXADECIMAL_OOB_LEN];
> 
>   if (!str2hex(input, strlen(input), buf, pending_request.len) ) {
> rl_printf("Incorrect input: expecting %d hex octets\n",
> pending_request.len); return false; } ...
> 
> changes to:
> 
> static bool response_hexadecimal(const char *input) {
>   uint8_t buf[MAX_HEXADECIMAL_OOB_LEN];
> 
>   memset(buf, 0, pending_request.len);
>   str2hex(input, strlen(input), buf, strlen(input)/2); ...
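
Review bot: In the changed response_hexadecimal(), the return value of str2hex() is no longer checked and the output length is taken from strlen(input)/2 instead of pending_request.len, so malformed hex and odd-length input are accepted silently and the "Incorrect input" message is lost. Nothing visible in the hunk bounds strlen(input)/2 against MAX_HEXADECIMAL_OOB_LEN, the size of buf, and the memset zero-pads a short entry, so the static OOB value can carry fewer than pending_request.len bytes of key material. Suggest keeping the original check, `if (!str2hex(input, strlen(input), buf, pending_request.len))`, and its error path, so that a short or malformed entry is rejected rather than padded.
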
> 
> Kind regards,
> 
> Jehudi