[PATCH RFC BlueZ 0/1] On demand LE link encryption/authentication

[PATCH RFC BlueZ 0/1] On demand LE link encryption/authentication

[Anderson Lizardo]

Hi,

This patch adds support in BlueZ for only increasing security level of the LE
link when the ATT request fails with "Insufficient Encryption" or "Insufficient
Authentication". This mechanism is described on Core Specification page 1837
("3.2.5 Attribute Permissions") and 1876 ("4 Security Considerations"). This
allows for very low latency connections when encryption is not required.

On a related topic, we would like to propose changing how LE Security
Modes/Levels are mapped to BlueZ/kernel security levels. Currently, for LE the
kernel does the following mapping:

* seclevel SDP (0): not used by LE. Effectively should work like LOW.
* seclevel LOW (1): no authentication and no encryption (LE Security Mode 1
  Level 1)
* seclevel MEDIUM (2): Unauthenticated pairing with encryption (LE Security
  Mode 1 Level 2), uses Just Works pairing algorithm
* seclevel HIGH (3): Authenticated pairing with encryption (LE Security Mode 1
  Level 3), uses Passkey Entry pairing algorithm

There is no support for LE Security Mode 2. Our proposal is to:

1) Rename SDP level to NONE. It will mean "no authentication and no encryption"
   for LE, for BR/EDR it will be unchanged.
2) use LOW for "Unauthenticated pairing with encryption"
3) use MEDIUM for "Authenticated pairing with encryption"
4) HIGH becomes unused for LE (maybe mapping to MEDIUM?)

We believe this would align better with BR/EDR and with the definition of LE
Security Mode 2. Thoughts?

Note: there is currently a bug which makes the socket unavailable for writing
after switching from MEDIUM to HIGH security level. We are currently
investigating the issue. Until it is not fixed, this patch cannot be applied.

Comments/suggestions are welcome.


Bruna Moreira (1):
  attrib: Retry ATT request when link is unencrypted

 attrib/gattrib.c |   32 ++++++++++++++++++++++++++++++++
 src/device.c     |    2 +-
 2 files changed, 33 insertions(+), 1 deletions(-)

-- 
1.7.5.4

[PATCH RFC BlueZ 1/1] attrib: Retry ATT request when link is unencrypted

[Anderson Lizardo]

From: Bruna Moreira <bruna.moreira@openbossa.org>

If the client side receives an Error Response with "Insufficient
Authentication" or "Insufficient Encryption", it will increase the link
security level and send the same request again.
---
 attrib/gattrib.c |   32 ++++++++++++++++++++++++++++++++
 src/device.c     |    2 +-
 2 files changed, 33 insertions(+), 1 deletions(-)

diff --git a/attrib/gattrib.c b/attrib/gattrib.c
index 769be36..e551aef 100644
--- a/attrib/gattrib.c
+++ b/attrib/gattrib.c
@@ -61,6 +61,7 @@ struct command {
 	guint16 len;
 	guint8 expected;
 	gboolean sent;
+	gboolean retry;
 	GAttribResultFunc func;
 	gpointer user_data;
 	GDestroyNotify notify;
@@ -307,6 +308,22 @@ static void wake_up_sender(struct _GAttrib *attrib)
 				can_write_data, attrib, destroy_sender);
 }
 
+static void increase_sec_level(struct _GAttrib *attrib)
+{
+	BtIOSecLevel sec_level;
+
+	bt_io_get(attrib->io, BT_IO_L2CAP, NULL,
+			BT_IO_OPT_SEC_LEVEL, &sec_level,
+			BT_IO_OPT_INVALID);
+
+	if (sec_level < BT_IO_SEC_HIGH) {
+		sec_level++;
+		bt_io_set(attrib->io, BT_IO_L2CAP, NULL,
+					BT_IO_OPT_SEC_LEVEL, sec_level,
+					BT_IO_OPT_INVALID);
+	}
+}
+
 static gboolean received_data(GIOChannel *io, GIOCondition cond, gpointer data)
 {
 	struct _GAttrib *attrib = data;
@@ -368,6 +385,20 @@ static gboolean received_data(GIOChannel *io, GIOCondition cond, gpointer data)
 	status = 0;
 
 done:
+	if ((status == ATT_ECODE_INSUFF_ENC ||
+				status == ATT_ECODE_AUTHENTICATION) &&
+				cmd && cmd->retry) {
+		/* Increase security level */
+		increase_sec_level(attrib);
+
+		/* Retry request once */
+		cmd->sent = FALSE;
+		cmd->retry = FALSE;
+		g_queue_push_head(attrib->queue, cmd);
+		wake_up_sender(attrib);
+		return TRUE;
+	}
+
 	qempty = attrib->queue == NULL || g_queue_is_empty(attrib->queue);
 
 	if (cmd) {
@@ -434,6 +465,7 @@ guint g_attrib_send(GAttrib *attrib, guint id, guint8 opcode,
 	c->func = func;
 	c->user_data = user_data;
 	c->notify = notify;
+	c->retry = TRUE;
 
 	if (id) {
 		c->id = id;
diff --git a/src/device.c b/src/device.c
index 021b200..37b05f4 100644
--- a/src/device.c
+++ b/src/device.c
@@ -2003,7 +2003,7 @@ static gboolean att_connect(gpointer user_data)
 				BT_IO_OPT_DEST_BDADDR, &device->bdaddr,
 				BT_IO_OPT_DEST_TYPE, device->bdaddr_type,
 				BT_IO_OPT_CID, ATT_CID,
-				BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_MEDIUM,
+				BT_IO_OPT_SEC_LEVEL, BT_IO_SEC_LOW,
 				BT_IO_OPT_INVALID);
 	}
 
-- 
1.7.5.4

Re: [PATCH RFC BlueZ 0/1] On demand LE link encryption/authentication

[Johan Hedberg]

Hi Lizardo,

On Fri, Apr 27, 2012, Anderson Lizardo wrote:
> This patch adds support in BlueZ for only increasing security level of the LE
> link when the ATT request fails with "Insufficient Encryption" or "Insufficient
> Authentication". This mechanism is described on Core Specification page 1837
> ("3.2.5 Attribute Permissions") and 1876 ("4 Security Considerations"). This
> allows for very low latency connections when encryption is not required.
> 
> On a related topic, we would like to propose changing how LE Security
> Modes/Levels are mapped to BlueZ/kernel security levels. Currently, for LE the
> kernel does the following mapping:
> 
> * seclevel SDP (0): not used by LE. Effectively should work like LOW.
> * seclevel LOW (1): no authentication and no encryption (LE Security Mode 1
>   Level 1)
> * seclevel MEDIUM (2): Unauthenticated pairing with encryption (LE Security
>   Mode 1 Level 2), uses Just Works pairing algorithm
> * seclevel HIGH (3): Authenticated pairing with encryption (LE Security Mode 1
>   Level 3), uses Passkey Entry pairing algorithm
> 
> There is no support for LE Security Mode 2. Our proposal is to:
> 
> 1) Rename SDP level to NONE. It will mean "no authentication and no encryption"
>    for LE, for BR/EDR it will be unchanged.
> 2) use LOW for "Unauthenticated pairing with encryption"
> 3) use MEDIUM for "Authenticated pairing with encryption"
> 4) HIGH becomes unused for LE (maybe mapping to MEDIUM?)
> 
> We believe this would align better with BR/EDR and with the definition of LE
> Security Mode 2. Thoughts?

MEDIUM for BR/EDR means unauthenticated so your rewritten definition
wouldn't match that anymore. Regarding security level 0 (SDP/NONE) the
specification says:

"Permitted only for SDP and service data sent via either L2CAP fixed
signaling channels or the L2CAP connectionless channel to PSMs that
correspond to service class UUIDs which are allowed to utilize Level 0."

Based on that I do think the s/SDP/NONE/ rename could make sense and
would be applicable to LE which uses a fixed CID. However in that case
there wouldn't really be any practical difference between NONE and LOW
for LE. MEDIUM would still map unauthenticated and HIGH to authenticated.

Johan