CVS commit: src/sys/netbt
Module Name:src Committed By: nat Date: Wed Mar 13 07:22:16 UTC 2024 Added Files: src/sys/netbt: hci_le.h Log Message: Bluetooth low energy - A beginning at least. This was the start of support for low energy bluetooth support that I have not as yet completed. I'm committing this as it gives the hci defines for an impementation in NetBSD. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/sys/netbt/hci_le.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Added files: Index: src/sys/netbt/hci_le.h diff -u /dev/null src/sys/netbt/hci_le.h:1.1 --- /dev/null Wed Mar 13 07:22:16 2024 +++ src/sys/netbt/hci_le.h Wed Mar 13 07:22:16 2024 
@@ -0,0 +1,368 @@
+/* $NetBSD: hci_le.h,v 1.1 2024/03/13 07:22:16 nat Exp $ */
+
+/*-
+ * Copyright (c) 2020 Nathanial Sloss
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#define HCI_ADVERT_DATA_SIZE 31 /* advertising data size */
+#define HCI_SCAN_DATA_SIZE 31 /* scan resp.
data size */
+
+/* LE Event masks */
+#define HCI_LE_EVMSK_ALL 0x001f
+#define HCI_LE_EVMSK_NONE 0x
+#define HCI_LE_EVMSK_CON_COMPL 0x0001
+#define HCI_LE_EVMSK_ADV_REPORT 0x0002
+#define HCI_LE_EVMSK_CON_UPDATE_COMPL 0x0004
+#define HCI_LE_EVMSK_READ_REMOTE_FEATURES_COMPL 0x0008
+#define HCI_LE_EVMSK_LONG_TERM_KEY_REQ 0x0010
+/* 0x0020 - 0x8000 - reserved for future use */
+
+/**
+ **
+ ** OGF 0x08 Bluetooth Low Energy (LE) Link commands
+ **
+ **/
+
+#define HCI_OGF_LE0x08
+
+#define HCI_OCF_LE_SET_EVENT_MASK 0x0001
+#define HCI_CMD_LE_SET_EVENT_MASK 0x2001
+typedef struct {
+ uint8_t event_mask[HCI_EVENT_MASK_SIZE]; /* event_mask */
+} __packed hci_le_set_event_mask_cp;
+
+typedef hci_status_rp hci_le_set_event_mask_rp;
+
+#define HCI_OCF_LE_READ_BUFFER_SIZE 0x0002
+#define HCI_CMD_LE_READ_BUFFER_SIZE 0x2002
+/* No command parameter(s) */
+
+typedef struct {
+ uint8_t status; /* status 0x00 = success */
+ uint16_t le_data_pktlen; /* buffer len*/
+ uint8_t le_num_pkts; /* no. acl data packets */
+} __packed hci_le_read_buffer_size_rp;
+
+#define HCI_OCF_LE_READ_LOCAL_FEATURES 0x0003
+#define HCI_CMD_LE_READ_LOCAL_FEATURES 0x2003
+/* No command parameter(s) */
+
+typedef struct {
+ uint8_t status; /* status 0x00 = success */
+ uint8_t features[HCI_FEATURES_SIZE]; /* le features */
+} __packed hci_le_read_local_features_rp;
+
+#define HCI_OCF_LE_SET_RND_ADDR0x0005
+#define HCI_CMD_LE_SET_RND_ADDR0x2005
+typedef struct {
+ bdaddr_t bdaddr; /* random local address */
+} __packed hci_le_set_rnd_addr_cp;
+
+typedef hci_status_rp hci_le_set_rnd_addr_rp;
+/* XXX NS Finish defines.
*/
+#define HCI_OCF_LE_SET_ADVERT_PARAM 0x0006
+#define HCI_CMD_LE_SET_ADVERT_PARAM 0x2006
+typedef struct {
+ uint16_t min_interval; /* min interval * 0.625ms */
+ uint16_t max_interval; /* max_interval * 0.625ms */
+ uint8_t advert_type;
+ uint8_t own_address_type;
+ uint8_t direct_address_type;
+ bdaddr_t direct_address; /* remote address */
+ uint8_t advert_channel_map;
+ uint8_t advert_filter_policy;
+} __packed hci_le_set_advert_param_cp;
+
+typedef hci_status_rp hci_le_set_advert_param_rp;
+
+#define HCF_OCF_LE_READ_ADVERT_CHAN_TX_PWR 0x0007
+#define HCF_CMD_LE_READ_ADVERT_CHAN_TX_PWR
CVS commit: src/sys/netbt
Module Name:src Committed By: nat Date: Wed Mar 13 07:22:16 UTC 2024 Added Files: src/sys/netbt: hci_le.h Log Message: Bluetooth low energy - A beginning at least. This was the start of support for low energy bluetooth that I have not as yet completed. I'm committing this as it gives the hci defines for an implementation in NetBSD. To generate a diff of this commit: cvs rdiff -u -r0 -r1.1 src/sys/netbt/hci_le.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/netbt
Module Name:src Committed By: riastradh Date: Mon Aug 7 13:31:54 UTC 2023 Modified Files: src/sys/netbt: bt_proto.c Log Message: netbt(4): Initialize bt_lock earlier. Use a driver-class module modcmd init function, instead of a socket domain init function; the socket-domain ones don't run until after configure, but we need this to be initialized before configure so that Bluetooth HCI drivers like ubt(4) can use it. This is suboptimal but it's the least intrusive way I've thought of to get this working, even if it's a little grody to make netbt a `driver-class' (builtin) module. Note that this doesn't mean netbt becomes dynamically loadable or unloadable; we're just using a module for initialization ordering. PR kern/56988 XXX pullup-10 To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/sys/netbt/bt_proto.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netbt/bt_proto.c diff -u src/sys/netbt/bt_proto.c:1.16 src/sys/netbt/bt_proto.c:1.17 --- src/sys/netbt/bt_proto.c:1.16 Thu Jan 21 15:41:30 2016 +++ src/sys/netbt/bt_proto.c Mon Aug 7 13:31:54 2023 @@ -1,4 +1,4 @@ -/* $NetBSD: bt_proto.c,v 1.16 2016/01/21 15:41:30 riastradh Exp $ */ +/* $NetBSD: bt_proto.c,v 1.17 2023/08/07 13:31:54 riastradh Exp $ */ /*- * Copyright (c) 2005 Iain Hibbert. @@ -31,11 +31,12 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: bt_proto.c,v 1.16 2016/01/21 15:41:30 riastradh Exp $"); +__KERNEL_RCSID(0, "$NetBSD: bt_proto.c,v 1.17 2023/08/07 13:31:54 riastradh Exp $"); #include #include #include +#include #include #include #include 
@@ -113,6 +114,21 @@ kmutex_t *bt_lock;
 
 static void
 bt_init(void)
 {
+}
+
+MODULE(MODULE_CLASS_DRIVER, netbt, NULL);
+
+static int
+netbt_modcmd(modcmd_t cmd, void *aux)
+{
- bt_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE);
+ switch (cmd) {
+ case MODULE_CMD_INIT:
+ bt_lock = mutex_obj_alloc(MUTEX_DEFAULT, IPL_NONE);
+ return 0;
+ case MODULE_CMD_FINI:
+ return EBUSY; /* XXX */
+ default:
+ return ENOTTY;
+ }
 }
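Review bot: The `/* XXX */` on the MODULE_CMD_FINI branch of netbt_modcmd leaves the reason for refusing unload undocumented even though the commit message has it; put it in the code, e.g. `return EBUSY; /* builtin-only module, used for init ordering; bt_lock is never destroyed */`. The now-empty bt_init() body likewise deserves a one-line comment saying that the bt_lock allocation moved to netbt_modcmd so that it exists before configure, otherwise the empty domain init reads as an oversight. MODULE_CMD_INIT also assigns bt_lock unconditionally; for a builtin module this presumably runs exactly once, but a `KASSERT(bt_lock == NULL);` before the mutex_obj_alloc() call would make that assumption explicit and catch a double init that would otherwise silently leak the first mutex object.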
CVS commit: src/sys/netbt
Module Name:src Committed By: riastradh Date: Mon Aug 7 13:31:54 UTC 2023 Modified Files: src/sys/netbt: bt_proto.c Log Message: netbt(4): Initialize bt_lock earlier. Use a driver-class module modcmd init function, instead of a socket domain init function; the socket-domain ones don't run until after configure, but we need this to be initialized before configure so that Bluetooth HCI drivers like ubt(4) can use it. This is suboptimal but it's the least intrusive way I've thought of to get this working, even if it's a little grody to make netbt a `driver-class' (builtin) module. Note that this doesn't mean netbt becomes dynamically loadable or unloadable; we're just using a module for initialization ordering. PR kern/56988 XXX pullup-10 To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/sys/netbt/bt_proto.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/netbt
Module Name:src Committed By: christos Date: Tue Sep 21 15:03:08 UTC 2021 Modified Files: src/sys/netbt: hci_ioctl.c Log Message: don't opencode kauth_cred_get() To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/netbt/hci_ioctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netbt/hci_ioctl.c diff -u src/sys/netbt/hci_ioctl.c:1.14 src/sys/netbt/hci_ioctl.c:1.15 --- src/sys/netbt/hci_ioctl.c:1.14 Sat Feb 2 22:19:28 2019 +++ src/sys/netbt/hci_ioctl.c Tue Sep 21 11:03:08 2021 @@ -1,4 +1,4 @@ -/* $NetBSD: hci_ioctl.c,v 1.14 2019/02/03 03:19:28 mrg Exp $ */ +/* $NetBSD: hci_ioctl.c,v 1.15 2021/09/21 15:03:08 christos Exp $ */ /*- * Copyright (c) 2005 Iain Hibbert. @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hci_ioctl.c,v 1.14 2019/02/03 03:19:28 mrg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hci_ioctl.c,v 1.15 2021/09/21 15:03:08 christos Exp $"); #include #include @@ -227,7 +227,7 @@ hci_ioctl_pcb(unsigned long cmd, void *d break; case SIOCSBTFLAGS: /* set unit flags (privileged) */ - err = kauth_authorize_device(curlwp->l_cred, + err = kauth_authorize_device(kauth_cred_get(), KAUTH_DEVICE_BLUETOOTH_SETPRIV, unit, KAUTH_ARG(cmd), btr, NULL); if (err) @@ -255,7 +255,7 @@ hci_ioctl_pcb(unsigned long cmd, void *d break; case SIOCSBTPOLICY: /* set unit link policy (privileged) */ - err = kauth_authorize_device(curlwp->l_cred, + err = kauth_authorize_device(kauth_cred_get(), KAUTH_DEVICE_BLUETOOTH_SETPRIV, unit, KAUTH_ARG(cmd), btr, NULL); if (err) @@ -267,7 +267,7 @@ hci_ioctl_pcb(unsigned long cmd, void *d break; case SIOCSBTPTYPE: /* set unit packet types (privileged) */ - err = kauth_authorize_device(curlwp->l_cred, + err = kauth_authorize_device(kauth_cred_get(), KAUTH_DEVICE_BLUETOOTH_SETPRIV, unit, KAUTH_ARG(cmd), btr, NULL); if (err) 
@@ -283,7 +283,7 @@ hci_ioctl_pcb(unsigned long cmd, void *d break; case SIOCZBTSTATS: /* get & reset unit statistics */ - err = kauth_authorize_device(curlwp->l_cred, + err = kauth_authorize_device(kauth_cred_get(), KAUTH_DEVICE_BLUETOOTH_SETPRIV, unit, KAUTH_ARG(cmd), btr, NULL); if (err) @@ -299,7 +299,7 @@ hci_ioctl_pcb(unsigned long cmd, void *d * sent to USB bluetooth controllers that are not an * integer number of frame sizes, the USB bus locks up. */ - err = kauth_authorize_device(curlwp->l_cred, + err = kauth_authorize_device(kauth_cred_get(), KAUTH_DEVICE_BLUETOOTH_SETPRIV, unit, KAUTH_ARG(cmd), btr, NULL); if (err)
CVS commit: src/sys/netbt
Module Name:src Committed By: christos Date: Tue Sep 21 15:03:08 UTC 2021 Modified Files: src/sys/netbt: hci_ioctl.c Log Message: don't opencode kauth_cred_get() To generate a diff of this commit: cvs rdiff -u -r1.14 -r1.15 src/sys/netbt/hci_ioctl.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/netbt
Module Name:src Committed By: plunky Date: Sat Sep 28 07:10:55 UTC 2019 Modified Files: src/sys/netbt: hci_socket.c Log Message: permit read_encryption_key_size from userland To generate a diff of this commit: cvs rdiff -u -r1.46 -r1.47 src/sys/netbt/hci_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/netbt
Module Name:src Committed By: plunky Date: Sat Sep 28 07:10:55 UTC 2019 Modified Files: src/sys/netbt: hci_socket.c Log Message: permit read_encryption_key_size from userland To generate a diff of this commit: cvs rdiff -u -r1.46 -r1.47 src/sys/netbt/hci_socket.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netbt/hci_socket.c diff -u src/sys/netbt/hci_socket.c:1.46 src/sys/netbt/hci_socket.c:1.47 --- src/sys/netbt/hci_socket.c:1.46 Mon Jan 28 12:53:01 2019 +++ src/sys/netbt/hci_socket.c Sat Sep 28 07:10:55 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: hci_socket.c,v 1.46 2019/01/28 12:53:01 martin Exp $ */ +/* $NetBSD: hci_socket.c,v 1.47 2019/09/28 07:10:55 plunky Exp $ */ /*- * Copyright (c) 2005 Iain Hibbert. @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.46 2019/01/28 12:53:01 martin Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hci_socket.c,v 1.47 2019/09/28 07:10:55 plunky Exp $"); /* load symbolic names */ #ifdef BLUETOOTH_DEBUG @@ -195,6 +195,8 @@ static const struct { 18, 0x01, 0 }, { HCI_CMD_READ_DEFAULT_ERRDATA_REPORTING, 18, 0x04, 0 }, + { HCI_CMD_READ_ENCRYPTION_KEY_SIZE, + 20, 0x10, sizeof(hci_read_encryption_key_size_cp) }, }; /*
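Review bot: The new hci_cmds entry makes HCI_CMD_READ_ENCRYPTION_KEY_SIZE issuable from userland with a caller-chosen con_handle, and the command-complete event it produces presumably also reaches the kernel's own hci_cmd_read_encryption_key_size handler added in the companion hci_event.c change; that handler should tolerate a handle that does not map to an open link, which cannot be confirmed from this hunk. The `20, 0x10` columns appear to be the supported-commands octet and bit the adaptor must advertise before the command is accepted, and the last column the expected parameter length, but none of that is stated near the table, so a comment on the table such as `/* opcode, supported-commands octet, bit, parameter length */` would help the next person adding an entry. The table's declaration starts outside the hunk.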
CVS commit: src/sys/netbt
Module Name:src Committed By: plunky Date: Sat Sep 28 07:06:33 UTC 2019 Modified Files: src/sys/netbt: hci.h hci_event.c Log Message: When encrypted connections are configured, verify that the encryption key length has a minimum size when the adaptor supports that. This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506 https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/ To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 src/sys/netbt/hci.h cvs rdiff -u -r1.25 -r1.26 src/sys/netbt/hci_event.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: src/sys/netbt/hci.h diff -u src/sys/netbt/hci.h:1.45 src/sys/netbt/hci.h:1.46 --- src/sys/netbt/hci.h:1.45 Wed Jul 25 19:09:38 2018 +++ src/sys/netbt/hci.h Sat Sep 28 07:06:33 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: hci.h,v 1.45 2018/07/25 19:09:38 kamil Exp $ */ +/* $NetBSD: hci.h,v 1.46 2019/09/28 07:06:33 plunky Exp $ */ /*- * Copyright (c) 2005 Iain Hibbert. @@ -54,7 +54,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $Id: hci.h,v 1.45 2018/07/25 19:09:38 kamil Exp $ + * $Id: hci.h,v 1.46 2019/09/28 07:06:33 plunky Exp $ * $FreeBSD: src/sys/netgraph/bluetooth/include/ng_hci.h,v 1.6 2005/01/07 01:45:43 imp Exp $ */ 
@@ -1812,6 +1812,17 @@ typedef struct { uint16_t accuracy; /* clock accuracy */ } __packed hci_read_clock_rp; +#define HCI_OCF_READ_ENCRYPTION_KEY_SIZE 0x0008 +#define HCI_CMD_READ_ENCRYPTION_KEY_SIZE 0x1408 +typedef struct { + uint16_t con_handle; /* connection handle */ +} __packed hci_read_encryption_key_size_cp; + +typedef struct { + uint8_t status; /* 0x00 - success */ + uint16_t con_handle; /* connection handle */ + uint8_t size; /* key size */ +} __packed hci_read_encryption_key_size_rp; /** ** Index: src/sys/netbt/hci_event.c diff -u src/sys/netbt/hci_event.c:1.25 src/sys/netbt/hci_event.c:1.26 --- src/sys/netbt/hci_event.c:1.25 Tue Aug 21 14:59:13 2018 +++ src/sys/netbt/hci_event.c Sat Sep 28 07:06:33 2019 @@ -1,4 +1,4 @@ -/* $NetBSD: hci_event.c,v 1.25 2018/08/21 14:59:13 plunky Exp $ */ +/* $NetBSD: hci_event.c,v 1.26 2019/09/28 07:06:33 plunky Exp $ */ /*- * Copyright (c) 2005 Iain Hibbert. @@ -31,7 +31,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: hci_event.c,v 1.25 2018/08/21 14:59:13 plunky Exp $"); +__KERNEL_RCSID(0, "$NetBSD: hci_event.c,v 1.26 2019/09/28 07:06:33 plunky Exp $"); #include #include @@ -63,6 +63,7 @@ static void hci_cmd_read_local_features( static void hci_cmd_read_local_extended_features(struct hci_unit *, struct mbuf *); static void hci_cmd_read_local_ver(struct hci_unit *, struct mbuf *); static void hci_cmd_read_local_commands(struct hci_unit *, struct mbuf *); +static void hci_cmd_read_encryption_key_size(struct hci_unit *, struct mbuf *); static void hci_cmd_reset(struct hci_unit *, struct mbuf *); static void hci_cmd_create_con(struct hci_unit *unit, uint8_t status); @@ -353,6 +354,10 @@ hci_event_command_compl(struct hci_unit hci_cmd_read_local_commands(unit, m); break; + case HCI_CMD_READ_ENCRYPTION_KEY_SIZE: + hci_cmd_read_encryption_key_size(unit, m); + break; + case HCI_CMD_RESET: hci_cmd_reset(unit, m); break; 
@@ -623,10 +628,11 @@ hci_event_con_compl(struct hci_unit *uni return; } - /* XXX could check auth_enable here */ - - if (ep.encryption_mode) - link->hl_flags |= (HCI_LINK_AUTH | HCI_LINK_ENCRYPT); + /* + * We purposefully ignore ep.encryption_mode here - if that is set then + * the link will be authenticated and encrypted, but we still want to + * verify the key size and setmode sets the right flags + */ link->hl_state = HCI_LINK_OPEN; link->hl_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); @@ -777,17 +783,16 @@ hci_event_auth_compl(struct hci_unit *un /* * Encryption Change * - * The encryption status has changed. Basically, we note the change - * then notify the upper layer protocol unless further mode changes - * are pending. - * Note that if encryption gets disabled when it has been requested, - * we will attempt to enable it again.. (its a feature not a bug :) + * The encryption status has changed. Make a note if disabled, or + * check the key size if possible before allowing it is enabled. + * (checking of key size was enabled in 3.0 spec) */ static void hci_event_encryption_change(struct hci_unit *unit, struct mbuf *m) { hci_encryption_change_ep ep; struct hci_link *link; + uint16_t con_handle; int err; if (m->m_pkthdr.len < sizeof(ep)) @@ -796,27 +801,34 @@ hci_event_encryption_change(struct hci_u m_copydata(m, 0, sizeof(ep), &ep); m_adj(m, sizeof(ep)); - ep.con_handle = HCI_CON_HANDLE(le16toh(ep.con_handle)); + con_handle = H
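Review bot: The replacement comment in hci_event_con_compl is hard to parse at `verify the key size and setmode sets the right flags`; since the intent is that HCI_LINK_AUTH and HCI_LINK_ENCRYPT are no longer set here but only once the key size has been checked, something like `* verify the key size first, so hl_flags are left for setmode to set` states it directly. The header comment of hci_event_encryption_change in the next hunk has the same problem at `before allowing it is enabled`, where `before treating it as enabled` reads better. Both functions continue past the end of their hunks, and the key-size check itself is in the hunk that is cut off on this page, so the handling of a too-short key cannot be reviewed here.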
CVS commit: src/sys/netbt
Module Name:src Committed By: plunky Date: Sat Sep 28 07:06:33 UTC 2019 Modified Files: src/sys/netbt: hci.h hci_event.c Log Message: When encrypted connections are configured, verify that the encryption key length has a minimum size when the adaptor supports that. This addresses the 'Key Negotiation of Bluetooth' attack, CVE-2019-9506 https://www.bluetooth.com/security/statement-key-negotiation-of-bluetooth/ To generate a diff of this commit: cvs rdiff -u -r1.45 -r1.46 src/sys/netbt/hci.h cvs rdiff -u -r1.25 -r1.26 src/sys/netbt/hci_event.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/netbt
Module Name:src Committed By: plunky Date: Mon Jan 4 19:20:05 UTC 2010 Modified Files: src/sys/netbt: l2cap_upper.c rfcomm_upper.c sco_upper.c Log Message: prevent local socket address from being changed after socket is in use (connect or listen) To generate a diff of this commit: cvs rdiff -u -r1.10 -r1.11 src/sys/netbt/l2cap_upper.c cvs rdiff -u -r1.12 -r1.13 src/sys/netbt/rfcomm_upper.c cvs rdiff -u -r1.8 -r1.9 src/sys/netbt/sco_upper.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
CVS commit: src/sys/netbt
Module Name:src Committed By: plunky Date: Sun Jan 3 16:38:15 UTC 2010 Modified Files: src/sys/netbt: rfcomm_session.c Log Message: when receiving a MCC PN response, the max frame size that the remote party requests must be less than the one we asked for, which will not be greater than the max acceptable value, so there is no need to test for that; but make sure that it is not smaller than the minimum acceptable value. To generate a diff of this commit: cvs rdiff -u -r1.15 -r1.16 src/sys/netbt/rfcomm_session.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.