projects / deliverable / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Convert RFCOMM spinlocks into mutexes
[deliverable/linux.git] / net / bluetooth / smp.c
CommitLineData
eb492e01
AB		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
8c520a59
GP		 23#include <linux/crypto.h>
24#include <linux/scatterlist.h>
25#include <crypto/b128ops.h>
26
eb492e01
AB		 27#include <net/bluetooth/bluetooth.h>
28#include <net/bluetooth/hci_core.h>
29#include <net/bluetooth/l2cap.h>
2b64d153 30#include <net/bluetooth/mgmt.h>
ac4b7236
MH		 31
32#include "smp.h"
d22ef0bc 33
17b02e62 34#define SMP_TIMEOUT msecs_to_jiffies(30000)
5d3de7df 35
065a13e2
JH		 36#define AUTH_REQ_MASK 0x07
37
66bed1a2 38static inline void swap128(const u8 src[16], u8 dst[16])
d22ef0bc
AB		 39{
40 int i;
41 for (i = 0; i < 16; i++)
42 dst[15 - i] = src[i];
43}
44
66bed1a2 45static inline void swap56(const u8 src[7], u8 dst[7])
d22ef0bc
AB		 46{
47 int i;
48 for (i = 0; i < 7; i++)
49 dst[6 - i] = src[i];
50}
51
52static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
53{
54 struct blkcipher_desc desc;
55 struct scatterlist sg;
943a732a 56 uint8_t tmp[16], data[16];
201a5929 57 int err;
d22ef0bc
AB		 58
59 if (tfm == NULL) {
60 BT_ERR("tfm %p", tfm);
61 return -EINVAL;
62 }
63
64 desc.tfm = tfm;
65 desc.flags = 0;
66
943a732a
JH		 67 /* The most significant octet of key corresponds to k[0] */
68 swap128(k, tmp);
69
70 err = crypto_blkcipher_setkey(tfm, tmp, 16);
d22ef0bc
AB		 71 if (err) {
72 BT_ERR("cipher setkey failed: %d", err);
73 return err;
74 }
75
943a732a
JH		 76 /* Most significant octet of plaintextData corresponds to data[0] */
77 swap128(r, data);
78
79 sg_init_one(&sg, data, 16);
d22ef0bc 80
d22ef0bc
AB		 81 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
82 if (err)
83 BT_ERR("Encrypt data error %d", err);
84
943a732a
JH		 85 /* Most significant octet of encryptedData corresponds to data[0] */
86 swap128(data, r);
87
d22ef0bc
AB		 88 return err;
89}
90
60478054
JH		 91static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
92{
943a732a 93 u8 _res[16];
60478054
JH		 94 int err;
95
96 /* r' = padding || r */
943a732a
JH		 97 memcpy(_res, r, 3);
98 memset(_res + 3, 0, 13);
60478054 99
943a732a 100 err = smp_e(tfm, irk, _res);
60478054
JH		 101 if (err) {
102 BT_ERR("Encrypt error");
103 return err;
104 }
105
106 /* The output of the random address function ah is:
107 * ah(h, r) = e(k, r') mod 2^24
108 * The output of the security function e is then truncated to 24 bits
109 * by taking the least significant 24 bits of the output of e as the
110 * result of ah.
111 */
943a732a 112 memcpy(res, _res, 3);
60478054
JH		 113
114 return 0;
115}
116
117bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
118 bdaddr_t *bdaddr)
119{
120 u8 hash[3];
121 int err;
122
123 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
124
125 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
126 if (err)
127 return false;
128
129 return !memcmp(bdaddr->b, hash, 3);
130}
131
b1e2b3ae
JH		 132int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
133{
134 int err;
135
136 get_random_bytes(&rpa->b[3], 3);
137
138 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
139 rpa->b[5] |= 0x40; /* Set second most significant bit */
140
141 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
142 if (err < 0)
143 return err;
144
145 BT_DBG("RPA %pMR", rpa);
146
147 return 0;
148}
149
d22ef0bc 150static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
f1560463
MH		 151 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
152 u8 _rat, bdaddr_t *ra, u8 res[16])
d22ef0bc
AB		 153{
154 u8 p1[16], p2[16];
155 int err;
156
157 memset(p1, 0, 16);
158
159 /* p1 = pres || preq || _rat || _iat */
943a732a
JH		 160 p1[0] = _iat;
161 p1[1] = _rat;
162 memcpy(p1 + 2, preq, 7);
163 memcpy(p1 + 9, pres, 7);
d22ef0bc
AB		 164
165 /* p2 = padding || ia || ra */
943a732a
JH		 166 memcpy(p2, ra, 6);
167 memcpy(p2 + 6, ia, 6);
168 memset(p2 + 12, 0, 4);
d22ef0bc
AB		 169
170 /* res = r XOR p1 */
171 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
172
173 /* res = e(k, res) */
174 err = smp_e(tfm, k, res);
175 if (err) {
176 BT_ERR("Encrypt data error");
177 return err;
178 }
179
180 /* res = res XOR p2 */
181 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
182
183 /* res = e(k, res) */
184 err = smp_e(tfm, k, res);
185 if (err)
186 BT_ERR("Encrypt data error");
187
188 return err;
189}
190
f1560463
MH		 191static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16], u8 r1[16],
192 u8 r2[16], u8 _r[16])
d22ef0bc
AB		 193{
194 int err;
195
196 /* Just least significant octets from r1 and r2 are considered */
943a732a
JH		 197 memcpy(_r, r2, 8);
198 memcpy(_r + 8, r1, 8);
d22ef0bc
AB		 199
200 err = smp_e(tfm, k, _r);
201 if (err)
202 BT_ERR("Encrypt data error");
203
204 return err;
205}
206
eb492e01 207static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
f1560463 208 u16 dlen, void *data)
eb492e01
AB		 209{
210 struct sk_buff *skb;
211 struct l2cap_hdr *lh;
212 int len;
213
214 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
215
216 if (len > conn->mtu)
217 return NULL;
218
219 skb = bt_skb_alloc(len, GFP_ATOMIC);
220 if (!skb)
221 return NULL;
222
223 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
224 lh->len = cpu_to_le16(sizeof(code) + dlen);
dcf4adbf 225 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
eb492e01
AB		 226
227 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
228
229 memcpy(skb_put(skb, dlen), data, dlen);
230
231 return skb;
232}
233
234static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
235{
236 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
237
238 BT_DBG("code 0x%2.2x", code);
239
240 if (!skb)
241 return;
242
73d80deb
LAD		 243 skb->priority = HCI_PRIO_MAX;
244 hci_send_acl(conn->hchan, skb, 0);
e2dcd113 245
6c9d42a1 246 cancel_delayed_work_sync(&conn->security_timer);
17b02e62 247 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT);
eb492e01
AB		 248}
249
2b64d153
BG		 250static __u8 authreq_to_seclevel(__u8 authreq)
251{
252 if (authreq & SMP_AUTH_MITM)
253 return BT_SECURITY_HIGH;
254 else
255 return BT_SECURITY_MEDIUM;
256}
257
258static __u8 seclevel_to_authreq(__u8 sec_level)
259{
260 switch (sec_level) {
261 case BT_SECURITY_HIGH:
262 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
263 case BT_SECURITY_MEDIUM:
264 return SMP_AUTH_BONDING;
265 default:
266 return SMP_AUTH_NONE;
267 }
268}
269
b8e66eac 270static void build_pairing_cmd(struct l2cap_conn *conn,
f1560463
MH		 271 struct smp_cmd_pairing *req,
272 struct smp_cmd_pairing *rsp, __u8 authreq)
b8e66eac 273{
fd349c02
JH		 274 struct smp_chan *smp = conn->smp_chan;
275 struct hci_conn *hcon = conn->hcon;
276 struct hci_dev *hdev = hcon->hdev;
277 u8 local_dist = 0, remote_dist = 0;
54790f73 278
a8b2d5c2 279 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) {
7ee4ea36
MH		 280 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
281 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
54790f73 282 authreq |= SMP_AUTH_BONDING;
2b64d153
BG		 283 } else {
284 authreq &= ~SMP_AUTH_BONDING;
54790f73
VCG		 285 }
286
fd349c02
JH		 287 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
288 remote_dist |= SMP_DIST_ID_KEY;
289
863efaf2
JH		 290 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
291 local_dist |= SMP_DIST_ID_KEY;
292
54790f73
VCG		 293 if (rsp == NULL) {
294 req->io_capability = conn->hcon->io_capability;
295 req->oob_flag = SMP_OOB_NOT_PRESENT;
296 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
fd349c02
JH		 297 req->init_key_dist = local_dist;
298 req->resp_key_dist = remote_dist;
065a13e2 299 req->auth_req = (authreq & AUTH_REQ_MASK);
fd349c02
JH		 300
301 smp->remote_key_dist = remote_dist;
54790f73
VCG		 302 return;
303 }
304
305 rsp->io_capability = conn->hcon->io_capability;
306 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
307 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
fd349c02
JH		 308 rsp->init_key_dist = req->init_key_dist & remote_dist;
309 rsp->resp_key_dist = req->resp_key_dist & local_dist;
065a13e2 310 rsp->auth_req = (authreq & AUTH_REQ_MASK);
fd349c02
JH		 311
312 smp->remote_key_dist = rsp->init_key_dist;
b8e66eac
VCG		 313}
314
3158c50c
VCG		 315static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
316{
1c1def09
VCG		 317 struct smp_chan *smp = conn->smp_chan;
318
3158c50c 319 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
f1560463 320 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
3158c50c
VCG		 321 return SMP_ENC_KEY_SIZE;
322
f7aa611a 323 smp->enc_key_size = max_key_size;
3158c50c
VCG		 324
325 return 0;
326}
327
84794e11 328static void smp_failure(struct l2cap_conn *conn, u8 reason)
4f957a76 329{
bab73cb6
JH		 330 struct hci_conn *hcon = conn->hcon;
331
84794e11 332 if (reason)
4f957a76 333 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
f1560463 334 &reason);
4f957a76 335
ce39fb4e
MH		 336 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
337 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
338 HCI_ERROR_AUTH_FAILURE);
f1c09c07 339
61a0cfb0
AG		 340 cancel_delayed_work_sync(&conn->security_timer);
341
ce39fb4e 342 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
f1c09c07 343 smp_chan_destroy(conn);
4f957a76
BG		 344}
345
2b64d153
BG		 346#define JUST_WORKS 0x00
347#define JUST_CFM 0x01
348#define REQ_PASSKEY 0x02
349#define CFM_PASSKEY 0x03
350#define REQ_OOB 0x04
351#define OVERLAP 0xFF
352
353static const u8 gen_method[5][5] = {
354 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
355 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
356 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
357 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
358 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
359};
360
361static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
362 u8 local_io, u8 remote_io)
363{
364 struct hci_conn *hcon = conn->hcon;
365 struct smp_chan *smp = conn->smp_chan;
366 u8 method;
367 u32 passkey = 0;
368 int ret = 0;
369
370 /* Initialize key for JUST WORKS */
371 memset(smp->tk, 0, sizeof(smp->tk));
372 clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
373
374 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
375
376 /* If neither side wants MITM, use JUST WORKS */
377 /* If either side has unknown io_caps, use JUST WORKS */
378 /* Otherwise, look up method from the table */
379 if (!(auth & SMP_AUTH_MITM) ||
f1560463
MH		 380 local_io > SMP_IO_KEYBOARD_DISPLAY ||
381 remote_io > SMP_IO_KEYBOARD_DISPLAY)
2b64d153
BG		 382 method = JUST_WORKS;
383 else
b3ff53ff 384 method = gen_method[remote_io][local_io];
2b64d153
BG		 385
386 /* If not bonding, don't ask user to confirm a Zero TK */
387 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
388 method = JUST_WORKS;
389
a82505c7
JH		 390 /* Don't confirm locally initiated pairing attempts */
391 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
392 &smp->smp_flags))
393 method = JUST_WORKS;
394
2b64d153
BG		 395 /* If Just Works, Continue with Zero TK */
396 if (method == JUST_WORKS) {
397 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
398 return 0;
399 }
400
401 /* Not Just Works/Confirm results in MITM Authentication */
402 if (method != JUST_CFM)
403 set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags);
404
405 /* If both devices have Keyoard-Display I/O, the master
406 * Confirms and the slave Enters the passkey.
407 */
408 if (method == OVERLAP) {
409 if (hcon->link_mode & HCI_LM_MASTER)
410 method = CFM_PASSKEY;
411 else
412 method = REQ_PASSKEY;
413 }
414
01ad34d2 415 /* Generate random passkey. */
2b64d153 416 if (method == CFM_PASSKEY) {
943a732a 417 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153
BG		 418 get_random_bytes(&passkey, sizeof(passkey));
419 passkey %= 1000000;
943a732a 420 put_unaligned_le32(passkey, smp->tk);
2b64d153 421 BT_DBG("PassKey: %d", passkey);
01ad34d2 422 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
2b64d153
BG		 423 }
424
425 hci_dev_lock(hcon->hdev);
426
427 if (method == REQ_PASSKEY)
ce39fb4e 428 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
272d90df 429 hcon->type, hcon->dst_type);
4eb65e66
JH		 430 else if (method == JUST_CFM)
431 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
432 hcon->type, hcon->dst_type,
433 passkey, 1);
2b64d153 434 else
01ad34d2 435 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
272d90df 436 hcon->type, hcon->dst_type,
39adbffe 437 passkey, 0);
2b64d153
BG		 438
439 hci_dev_unlock(hcon->hdev);
440
441 return ret;
442}
443
8aab4757
VCG		 444static void confirm_work(struct work_struct *work)
445{
446 struct smp_chan *smp = container_of(work, struct smp_chan, confirm);
447 struct l2cap_conn *conn = smp->conn;
893ce8b1
JH		 448 struct hci_dev *hdev = conn->hcon->hdev;
449 struct crypto_blkcipher *tfm = hdev->tfm_aes;
8aab4757
VCG		 450 struct smp_cmd_pairing_confirm cp;
451 int ret;
943a732a 452 u8 reason;
8aab4757
VCG		 453
454 BT_DBG("conn %p", conn);
455
893ce8b1
JH		 456 /* Prevent mutual access to hdev->tfm_aes */
457 hci_dev_lock(hdev);
8aab4757 458
b1cd5fd9
JH		 459 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
460 conn->hcon->init_addr_type, &conn->hcon->init_addr,
943a732a
JH		 461 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
462 cp.confirm_val);
893ce8b1
JH		 463
464 hci_dev_unlock(hdev);
465
8aab4757
VCG		 466 if (ret) {
467 reason = SMP_UNSPECIFIED;
468 goto error;
469 }
470
2b64d153
BG		 471 clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
472
8aab4757
VCG		 473 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
474
475 return;
476
477error:
84794e11 478 smp_failure(conn, reason);
8aab4757
VCG		 479}
480
481static void random_work(struct work_struct *work)
482{
483 struct smp_chan *smp = container_of(work, struct smp_chan, random);
484 struct l2cap_conn *conn = smp->conn;
485 struct hci_conn *hcon = conn->hcon;
893ce8b1
JH		 486 struct hci_dev *hdev = hcon->hdev;
487 struct crypto_blkcipher *tfm = hdev->tfm_aes;
943a732a 488 u8 reason, confirm[16];
8aab4757
VCG		 489 int ret;
490
491 if (IS_ERR_OR_NULL(tfm)) {
492 reason = SMP_UNSPECIFIED;
493 goto error;
494 }
495
496 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
497
893ce8b1
JH		 498 /* Prevent mutual access to hdev->tfm_aes */
499 hci_dev_lock(hdev);
500
b1cd5fd9
JH		 501 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
502 hcon->init_addr_type, &hcon->init_addr,
943a732a 503 hcon->resp_addr_type, &hcon->resp_addr, confirm);
893ce8b1
JH		 504
505 hci_dev_unlock(hdev);
506
8aab4757
VCG		 507 if (ret) {
508 reason = SMP_UNSPECIFIED;
509 goto error;
510 }
511
8aab4757
VCG		 512 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
513 BT_ERR("Pairing failed (confirmation values mismatch)");
514 reason = SMP_CONFIRM_FAILED;
515 goto error;
516 }
517
518 if (hcon->out) {
fe39c7b2
MH		 519 u8 stk[16];
520 __le64 rand = 0;
521 __le16 ediv = 0;
8aab4757 522
943a732a 523 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, stk);
8aab4757 524
f7aa611a 525 memset(stk + smp->enc_key_size, 0,
04124681 526 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
8aab4757 527
51a8efd7 528 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) {
8aab4757
VCG		 529 reason = SMP_UNSPECIFIED;
530 goto error;
531 }
532
533 hci_le_start_enc(hcon, ediv, rand, stk);
f7aa611a 534 hcon->enc_key_size = smp->enc_key_size;
8aab4757 535 } else {
943a732a 536 u8 stk[16];
fe39c7b2
MH		 537 __le64 rand = 0;
538 __le16 ediv = 0;
8aab4757 539
943a732a
JH		 540 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
541 smp->prnd);
8aab4757 542
943a732a 543 smp_s1(tfm, smp->tk, smp->prnd, smp->rrnd, stk);
8aab4757 544
f7aa611a 545 memset(stk + smp->enc_key_size, 0,
f1560463 546 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
8aab4757 547
ce39fb4e 548 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
35d70271 549 HCI_SMP_STK_SLAVE, 0, stk, smp->enc_key_size,
04124681 550 ediv, rand);
8aab4757
VCG		 551 }
552
553 return;
554
555error:
84794e11 556 smp_failure(conn, reason);
8aab4757
VCG		 557}
558
559static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
560{
561 struct smp_chan *smp;
562
f1560463 563 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
8aab4757
VCG		 564 if (!smp)
565 return NULL;
566
567 INIT_WORK(&smp->confirm, confirm_work);
568 INIT_WORK(&smp->random, random_work);
569
570 smp->conn = conn;
571 conn->smp_chan = smp;
2b64d153 572 conn->hcon->smp_conn = conn;
8aab4757
VCG		 573
574 hci_conn_hold(conn->hcon);
575
576 return smp;
577}
578
579void smp_chan_destroy(struct l2cap_conn *conn)
580{
c8eb9690 581 struct smp_chan *smp = conn->smp_chan;
f4a407be 582 bool complete;
c8eb9690 583
f1c09c07 584 BUG_ON(!smp);
c8eb9690 585
f4a407be
JH		 586 complete = test_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
587 mgmt_smp_complete(conn->hcon, complete);
588
7ee4ea36
MH		 589 kfree(smp->csrk);
590 kfree(smp->slave_csrk);
591
759331d7
JH		 592 /* If pairing failed clean up any keys we might have */
593 if (!complete) {
594 if (smp->ltk) {
595 list_del(&smp->ltk->list);
596 kfree(smp->ltk);
597 }
598
599 if (smp->slave_ltk) {
600 list_del(&smp->slave_ltk->list);
601 kfree(smp->slave_ltk);
602 }
603
604 if (smp->remote_irk) {
605 list_del(&smp->remote_irk->list);
606 kfree(smp->remote_irk);
607 }
608 }
609
c8eb9690
BG		 610 kfree(smp);
611 conn->smp_chan = NULL;
2b64d153 612 conn->hcon->smp_conn = NULL;
76a68ba0 613 hci_conn_drop(conn->hcon);
8aab4757
VCG		 614}
615
2b64d153
BG		 616int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
617{
618 struct l2cap_conn *conn = hcon->smp_conn;
619 struct smp_chan *smp;
620 u32 value;
2b64d153
BG		 621
622 BT_DBG("");
623
624 if (!conn)
625 return -ENOTCONN;
626
627 smp = conn->smp_chan;
628
629 switch (mgmt_op) {
630 case MGMT_OP_USER_PASSKEY_REPLY:
631 value = le32_to_cpu(passkey);
943a732a 632 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153 633 BT_DBG("PassKey: %d", value);
943a732a 634 put_unaligned_le32(value, smp->tk);
2b64d153
BG		 635 /* Fall Through */
636 case MGMT_OP_USER_CONFIRM_REPLY:
637 set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags);
638 break;
639 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
640 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e11 641 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
2b64d153
BG		 642 return 0;
643 default:
84794e11 644 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
2b64d153
BG		 645 return -EOPNOTSUPP;
646 }
647
648 /* If it is our turn to send Pairing Confirm, do so now */
649 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags))
650 queue_work(hcon->hdev->workqueue, &smp->confirm);
651
652 return 0;
653}
654
da85e5e5 655static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 656{
3158c50c 657 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
8aab4757 658 struct smp_chan *smp;
3158c50c 659 u8 key_size;
2b64d153 660 u8 auth = SMP_AUTH_NONE;
8aab4757 661 int ret;
88ba43b6
AB		 662
663 BT_DBG("conn %p", conn);
664
c46b98be
JH		 665 if (skb->len < sizeof(*req))
666 return SMP_UNSPECIFIED;
667
2b64d153
BG		 668 if (conn->hcon->link_mode & HCI_LM_MASTER)
669 return SMP_CMD_NOTSUPP;
670
51a8efd7 671 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
8aab4757 672 smp = smp_chan_create(conn);
d08fd0e7
AE		 673 else
674 smp = conn->smp_chan;
8aab4757 675
d08fd0e7
AE		 676 if (!smp)
677 return SMP_UNSPECIFIED;
d26a2345 678
1c1def09
VCG		 679 smp->preq[0] = SMP_CMD_PAIRING_REQ;
680 memcpy(&smp->preq[1], req, sizeof(*req));
3158c50c 681 skb_pull(skb, sizeof(*req));
88ba43b6 682
2b64d153
BG		 683 /* We didn't start the pairing, so match remote */
684 if (req->auth_req & SMP_AUTH_BONDING)
685 auth = req->auth_req;
da85e5e5 686
fdde0a26
IY		 687 conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
688
2b64d153 689 build_pairing_cmd(conn, req, &rsp, auth);
3158c50c
VCG		 690
691 key_size = min(req->max_key_size, rsp.max_key_size);
692 if (check_enc_key_size(conn, key_size))
693 return SMP_ENC_KEY_SIZE;
88ba43b6 694
e84a6b13 695 get_random_bytes(smp->prnd, sizeof(smp->prnd));
8aab4757 696
1c1def09
VCG		 697 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
698 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
f01ead31 699
3158c50c 700 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
da85e5e5 701
2b64d153
BG		 702 /* Request setup of TK */
703 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
704 if (ret)
705 return SMP_UNSPECIFIED;
706
edca792c
JH		 707 clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
708
da85e5e5 709 return 0;
88ba43b6
AB		 710}
711
da85e5e5 712static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 713{
3158c50c 714 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1c1def09 715 struct smp_chan *smp = conn->smp_chan;
8aab4757 716 struct hci_dev *hdev = conn->hcon->hdev;
2b64d153 717 u8 key_size, auth = SMP_AUTH_NONE;
7d24ddcc 718 int ret;
88ba43b6
AB		 719
720 BT_DBG("conn %p", conn);
721
c46b98be
JH		 722 if (skb->len < sizeof(*rsp))
723 return SMP_UNSPECIFIED;
724
2b64d153
BG		 725 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
726 return SMP_CMD_NOTSUPP;
727
3158c50c
VCG		 728 skb_pull(skb, sizeof(*rsp));
729
1c1def09 730 req = (void *) &smp->preq[1];
da85e5e5 731
3158c50c
VCG		 732 key_size = min(req->max_key_size, rsp->max_key_size);
733 if (check_enc_key_size(conn, key_size))
734 return SMP_ENC_KEY_SIZE;
735
e84a6b13 736 get_random_bytes(smp->prnd, sizeof(smp->prnd));
7d24ddcc 737
8aab4757
VCG		 738 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
739 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
7d24ddcc 740
fdcc4bec
JH		 741 /* Update remote key distribution in case the remote cleared
742 * some bits that we had enabled in our request.
743 */
744 smp->remote_key_dist &= rsp->resp_key_dist;
745
2b64d153 746 if ((req->auth_req & SMP_AUTH_BONDING) &&
f1560463 747 (rsp->auth_req & SMP_AUTH_BONDING))
2b64d153
BG		 748 auth = SMP_AUTH_BONDING;
749
750 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
751
476585ec 752 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2b64d153
BG		 753 if (ret)
754 return SMP_UNSPECIFIED;
755
756 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
757
758 /* Can't compose response until we have been confirmed */
18e4aeb9
JH		 759 if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
760 queue_work(hdev->workqueue, &smp->confirm);
da85e5e5
VCG		 761
762 return 0;
88ba43b6
AB		 763}
764
da85e5e5 765static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 766{
1c1def09 767 struct smp_chan *smp = conn->smp_chan;
8aab4757 768 struct hci_dev *hdev = conn->hcon->hdev;
7d24ddcc 769
88ba43b6
AB		 770 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
771
c46b98be
JH		 772 if (skb->len < sizeof(smp->pcnf))
773 return SMP_UNSPECIFIED;
774
1c1def09
VCG		 775 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
776 skb_pull(skb, sizeof(smp->pcnf));
88ba43b6 777
943a732a
JH		 778 if (conn->hcon->out)
779 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
780 smp->prnd);
781 else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags))
8aab4757 782 queue_work(hdev->workqueue, &smp->confirm);
943a732a 783 else
2b64d153 784 set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags);
da85e5e5
VCG		 785
786 return 0;
88ba43b6
AB		 787}
788
da85e5e5 789static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 790{
1c1def09 791 struct smp_chan *smp = conn->smp_chan;
8aab4757 792 struct hci_dev *hdev = conn->hcon->hdev;
7d24ddcc 793
8aab4757 794 BT_DBG("conn %p", conn);
3158c50c 795
c46b98be
JH		 796 if (skb->len < sizeof(smp->rrnd))
797 return SMP_UNSPECIFIED;
798
943a732a 799 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
8aab4757 800 skb_pull(skb, sizeof(smp->rrnd));
e7e62c85 801
8aab4757 802 queue_work(hdev->workqueue, &smp->random);
da85e5e5
VCG		 803
804 return 0;
88ba43b6
AB		 805}
806
4dab7864 807static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
988c5997 808{
c9839a11 809 struct smp_ltk *key;
988c5997
VCG		 810 struct hci_conn *hcon = conn->hcon;
811
98a0b845
JH		 812 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
813 hcon->out);
988c5997
VCG		 814 if (!key)
815 return 0;
816
4dab7864
JH		 817 if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
818 return 0;
819
51a8efd7 820 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
988c5997
VCG		 821 return 1;
822
c9839a11
VCG		 823 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
824 hcon->enc_key_size = key->enc_size;
988c5997
VCG		 825
826 return 1;
988c5997 827}
f1560463 828
da85e5e5 829static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6
AB		 830{
831 struct smp_cmd_security_req *rp = (void *) skb->data;
832 struct smp_cmd_pairing cp;
f1cb9af5 833 struct hci_conn *hcon = conn->hcon;
8aab4757 834 struct smp_chan *smp;
88ba43b6
AB		 835
836 BT_DBG("conn %p", conn);
837
c46b98be
JH		 838 if (skb->len < sizeof(*rp))
839 return SMP_UNSPECIFIED;
840
86ca9eac
JH		 841 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
842 return SMP_CMD_NOTSUPP;
843
2b64d153 844 hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
feb45eb5 845
4dab7864 846 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
988c5997
VCG		 847 return 0;
848
51a8efd7 849 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
da85e5e5 850 return 0;
f1cb9af5 851
8aab4757 852 smp = smp_chan_create(conn);
d26a2345 853
88ba43b6 854 skb_pull(skb, sizeof(*rp));
88ba43b6 855
da85e5e5 856 memset(&cp, 0, sizeof(cp));
54790f73 857 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
88ba43b6 858
1c1def09
VCG		 859 smp->preq[0] = SMP_CMD_PAIRING_REQ;
860 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 861
88ba43b6 862 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
f1cb9af5 863
edca792c
JH		 864 clear_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
865
da85e5e5 866 return 0;
88ba43b6
AB		 867}
868
ad32a2f5
JH		 869bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
870{
871 if (sec_level == BT_SECURITY_LOW)
872 return true;
873
874 if (hcon->sec_level >= sec_level)
875 return true;
876
877 return false;
878}
879
cc110922 880int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
eb492e01 881{
cc110922 882 struct l2cap_conn *conn = hcon->l2cap_data;
0a66cf20 883 struct smp_chan *smp;
2b64d153 884 __u8 authreq;
eb492e01 885
3a0259bb
VCG		 886 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
887
0a66cf20
JH		 888 /* This may be NULL if there's an unexpected disconnection */
889 if (!conn)
890 return 1;
891
757aee0f 892 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2e65c9d2
AG		 893 return 1;
894
ad32a2f5 895 if (smp_sufficient_security(hcon, sec_level))
eb492e01 896 return 1;
f1cb9af5 897
988c5997 898 if (hcon->link_mode & HCI_LM_MASTER)
4dab7864 899 if (smp_ltk_encrypt(conn, sec_level))
02bc7455 900 goto done;
d26a2345 901
51a8efd7 902 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
d26a2345
VCG		 903 return 0;
904
8aab4757 905 smp = smp_chan_create(conn);
2b64d153
BG		 906 if (!smp)
907 return 1;
908
909 authreq = seclevel_to_authreq(sec_level);
d26a2345 910
2e233644
JH		 911 /* hcon->auth_type is set by pair_device in mgmt.c. If the MITM
912 * flag is set we should also set it for the SMP request.
913 */
914 if ((hcon->auth_type & 0x01))
915 authreq |= SMP_AUTH_MITM;
916
d26a2345
VCG		 917 if (hcon->link_mode & HCI_LM_MASTER) {
918 struct smp_cmd_pairing cp;
f01ead31 919
2b64d153 920 build_pairing_cmd(conn, &cp, NULL, authreq);
1c1def09
VCG		 921 smp->preq[0] = SMP_CMD_PAIRING_REQ;
922 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 923
eb492e01
AB		 924 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
925 } else {
926 struct smp_cmd_security_req cp;
2b64d153 927 cp.auth_req = authreq;
eb492e01
AB		 928 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
929 }
930
edca792c
JH		 931 set_bit(SMP_FLAG_INITIATOR, &smp->smp_flags);
932
61b3b2b6 933done:
f1cb9af5 934 hcon->pending_sec_level = sec_level;
f1cb9af5 935
eb492e01
AB		 936 return 0;
937}
938
7034b911
VCG		 939static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
940{
16b90839 941 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1c1def09 942 struct smp_chan *smp = conn->smp_chan;
16b90839 943
c46b98be
JH		 944 BT_DBG("conn %p", conn);
945
946 if (skb->len < sizeof(*rp))
947 return SMP_UNSPECIFIED;
948
6131ddc8
JH		 949 /* Ignore this PDU if it wasn't requested */
950 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
951 return 0;
952
16b90839
VCG		 953 skb_pull(skb, sizeof(*rp));
954
1c1def09 955 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
16b90839 956
7034b911
VCG		 957 return 0;
958}
959
960static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
961{
16b90839 962 struct smp_cmd_master_ident *rp = (void *) skb->data;
1c1def09 963 struct smp_chan *smp = conn->smp_chan;
c9839a11
VCG		 964 struct hci_dev *hdev = conn->hcon->hdev;
965 struct hci_conn *hcon = conn->hcon;
23d0e128 966 struct smp_ltk *ltk;
c9839a11 967 u8 authenticated;
16b90839 968
c46b98be
JH		 969 BT_DBG("conn %p", conn);
970
971 if (skb->len < sizeof(*rp))
972 return SMP_UNSPECIFIED;
973
6131ddc8
JH		 974 /* Ignore this PDU if it wasn't requested */
975 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
976 return 0;
977
9747a9f3
JH		 978 /* Mark the information as received */
979 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
980
16b90839 981 skb_pull(skb, sizeof(*rp));
7034b911 982
c9839a11 983 hci_dev_lock(hdev);
ce39fb4e 984 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
35d70271 985 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK,
23d0e128
JH		 986 authenticated, smp->tk, smp->enc_key_size,
987 rp->ediv, rp->rand);
988 smp->ltk = ltk;
fd349c02 989 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
4bd6d38e 990 smp_distribute_keys(conn);
c9839a11 991 hci_dev_unlock(hdev);
7034b911
VCG		 992
993 return 0;
994}
995
fd349c02
JH		 996static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
997{
998 struct smp_cmd_ident_info *info = (void *) skb->data;
999 struct smp_chan *smp = conn->smp_chan;
1000
1001 BT_DBG("");
1002
1003 if (skb->len < sizeof(*info))
1004 return SMP_UNSPECIFIED;
1005
6131ddc8
JH		 1006 /* Ignore this PDU if it wasn't requested */
1007 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1008 return 0;
1009
fd349c02
JH		 1010 skb_pull(skb, sizeof(*info));
1011
1012 memcpy(smp->irk, info->irk, 16);
1013
1014 return 0;
1015}
1016
1017static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1018 struct sk_buff *skb)
1019{
1020 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1021 struct smp_chan *smp = conn->smp_chan;
1022 struct hci_conn *hcon = conn->hcon;
1023 bdaddr_t rpa;
1024
1025 BT_DBG("");
1026
1027 if (skb->len < sizeof(*info))
1028 return SMP_UNSPECIFIED;
1029
6131ddc8
JH		 1030 /* Ignore this PDU if it wasn't requested */
1031 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1032 return 0;
1033
9747a9f3
JH		 1034 /* Mark the information as received */
1035 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1036
fd349c02
JH		 1037 skb_pull(skb, sizeof(*info));
1038
a9a58f86
JH		 1039 /* Strictly speaking the Core Specification (4.1) allows sending
1040 * an empty address which would force us to rely on just the IRK
1041 * as "identity information". However, since such
1042 * implementations are not known of and in order to not over
1043 * complicate our implementation, simply pretend that we never
1044 * received an IRK for such a device.
1045 */
1046 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1047 BT_ERR("Ignoring IRK with no identity address");
4bd6d38e 1048 smp_distribute_keys(conn);
a9a58f86
JH		 1049 return 0;
1050 }
1051
fd349c02
JH		 1052 bacpy(&smp->id_addr, &info->bdaddr);
1053 smp->id_addr_type = info->addr_type;
1054
1055 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1056 bacpy(&rpa, &hcon->dst);
1057 else
1058 bacpy(&rpa, BDADDR_ANY);
1059
23d0e128
JH		 1060 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1061 smp->id_addr_type, smp->irk, &rpa);
fd349c02 1062
4bd6d38e 1063 smp_distribute_keys(conn);
fd349c02
JH		 1064
1065 return 0;
1066}
1067
7ee4ea36
MH		 1068static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1069{
1070 struct smp_cmd_sign_info *rp = (void *) skb->data;
1071 struct smp_chan *smp = conn->smp_chan;
1072 struct hci_dev *hdev = conn->hcon->hdev;
1073 struct smp_csrk *csrk;
1074
1075 BT_DBG("conn %p", conn);
1076
1077 if (skb->len < sizeof(*rp))
1078 return SMP_UNSPECIFIED;
1079
1080 /* Ignore this PDU if it wasn't requested */
1081 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1082 return 0;
1083
1084 /* Mark the information as received */
1085 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1086
1087 skb_pull(skb, sizeof(*rp));
1088
1089 hci_dev_lock(hdev);
1090 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1091 if (csrk) {
1092 csrk->master = 0x01;
1093 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1094 }
1095 smp->csrk = csrk;
1096 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1097 smp_distribute_keys(conn);
1098 hci_dev_unlock(hdev);
1099
1100 return 0;
1101}
1102
eb492e01
AB		 1103int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1104{
7b9899db 1105 struct hci_conn *hcon = conn->hcon;
92381f5c 1106 __u8 code, reason;
eb492e01
AB		 1107 int err = 0;
1108
7b9899db
MH		 1109 if (hcon->type != LE_LINK) {
1110 kfree_skb(skb);
3432711f 1111 return 0;
7b9899db
MH		 1112 }
1113
92381f5c
MH		 1114 if (skb->len < 1) {
1115 kfree_skb(skb);
1116 return -EILSEQ;
1117 }
1118
06ae3314 1119 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2e65c9d2
AG		 1120 err = -ENOTSUPP;
1121 reason = SMP_PAIRING_NOTSUPP;
1122 goto done;
1123 }
1124
92381f5c 1125 code = skb->data[0];
eb492e01
AB		 1126 skb_pull(skb, sizeof(code));
1127
8cf9fa12
JH		 1128 /*
1129 * The SMP context must be initialized for all other PDUs except
1130 * pairing and security requests. If we get any other PDU when
1131 * not initialized simply disconnect (done if this function
1132 * returns an error).
1133 */
1134 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1135 !conn->smp_chan) {
1136 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1137 kfree_skb(skb);
1138 return -ENOTSUPP;
1139 }
1140
eb492e01
AB		 1141 switch (code) {
1142 case SMP_CMD_PAIRING_REQ:
da85e5e5 1143 reason = smp_cmd_pairing_req(conn, skb);
eb492e01
AB		 1144 break;
1145
1146 case SMP_CMD_PAIRING_FAIL:
84794e11 1147 smp_failure(conn, 0);
da85e5e5
VCG		 1148 reason = 0;
1149 err = -EPERM;
eb492e01
AB		 1150 break;
1151
1152 case SMP_CMD_PAIRING_RSP:
da85e5e5 1153 reason = smp_cmd_pairing_rsp(conn, skb);
88ba43b6
AB		 1154 break;
1155
1156 case SMP_CMD_SECURITY_REQ:
da85e5e5 1157 reason = smp_cmd_security_req(conn, skb);
88ba43b6
AB		 1158 break;
1159
eb492e01 1160 case SMP_CMD_PAIRING_CONFIRM:
da85e5e5 1161 reason = smp_cmd_pairing_confirm(conn, skb);
88ba43b6
AB		 1162 break;
1163
eb492e01 1164 case SMP_CMD_PAIRING_RANDOM:
da85e5e5 1165 reason = smp_cmd_pairing_random(conn, skb);
88ba43b6
AB		 1166 break;
1167
eb492e01 1168 case SMP_CMD_ENCRYPT_INFO:
7034b911
VCG		 1169 reason = smp_cmd_encrypt_info(conn, skb);
1170 break;
1171
eb492e01 1172 case SMP_CMD_MASTER_IDENT:
7034b911
VCG		 1173 reason = smp_cmd_master_ident(conn, skb);
1174 break;
1175
eb492e01 1176 case SMP_CMD_IDENT_INFO:
fd349c02
JH		 1177 reason = smp_cmd_ident_info(conn, skb);
1178 break;
1179
eb492e01 1180 case SMP_CMD_IDENT_ADDR_INFO:
fd349c02
JH		 1181 reason = smp_cmd_ident_addr_info(conn, skb);
1182 break;
1183
eb492e01 1184 case SMP_CMD_SIGN_INFO:
7ee4ea36 1185 reason = smp_cmd_sign_info(conn, skb);
7034b911
VCG		 1186 break;
1187
eb492e01
AB		 1188 default:
1189 BT_DBG("Unknown command code 0x%2.2x", code);
1190
1191 reason = SMP_CMD_NOTSUPP;
eb492e01 1192 err = -EOPNOTSUPP;
3a0259bb 1193 goto done;
eb492e01
AB		 1194 }
1195
3a0259bb
VCG		 1196done:
1197 if (reason)
84794e11 1198 smp_failure(conn, reason);
3a0259bb 1199
eb492e01
AB		 1200 kfree_skb(skb);
1201 return err;
1202}
7034b911 1203
35d70271
JH		 1204static void smp_notify_keys(struct l2cap_conn *conn)
1205{
1206 struct smp_chan *smp = conn->smp_chan;
1207 struct hci_conn *hcon = conn->hcon;
1208 struct hci_dev *hdev = hcon->hdev;
53ac6ab6
MH		 1209 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1210 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1211 bool persistent;
35d70271 1212
61b1a7fb 1213 if (smp->remote_irk) {
95fbac8a 1214 mgmt_new_irk(hdev, smp->remote_irk);
61b1a7fb
JH		 1215 /* Now that user space can be considered to know the
1216 * identity address track the connection based on it
1217 * from now on.
1218 */
1219 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1220 hcon->dst_type = smp->remote_irk->addr_type;
1221 l2cap_conn_update_id_addr(hcon);
1222 }
95fbac8a 1223
53ac6ab6
MH		 1224 /* The LTKs and CSRKs should be persistent only if both sides
1225 * had the bonding bit set in their authentication requests.
1226 */
1227 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1228
7ee4ea36
MH		 1229 if (smp->csrk) {
1230 smp->csrk->bdaddr_type = hcon->dst_type;
1231 bacpy(&smp->csrk->bdaddr, &hcon->dst);
53ac6ab6 1232 mgmt_new_csrk(hdev, smp->csrk, persistent);
7ee4ea36
MH		 1233 }
1234
1235 if (smp->slave_csrk) {
1236 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1237 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
53ac6ab6 1238 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
7ee4ea36
MH		 1239 }
1240
35d70271
JH		 1241 if (smp->ltk) {
1242 smp->ltk->bdaddr_type = hcon->dst_type;
1243 bacpy(&smp->ltk->bdaddr, &hcon->dst);
53ac6ab6 1244 mgmt_new_ltk(hdev, smp->ltk, persistent);
35d70271
JH		 1245 }
1246
1247 if (smp->slave_ltk) {
1248 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1249 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
53ac6ab6 1250 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
35d70271
JH		 1251 }
1252}
1253
4bd6d38e 1254int smp_distribute_keys(struct l2cap_conn *conn)
7034b911
VCG		 1255{
1256 struct smp_cmd_pairing *req, *rsp;
1c1def09 1257 struct smp_chan *smp = conn->smp_chan;
524237cb
JH		 1258 struct hci_conn *hcon = conn->hcon;
1259 struct hci_dev *hdev = hcon->hdev;
7034b911
VCG		 1260 __u8 *keydist;
1261
4bd6d38e 1262 BT_DBG("conn %p", conn);
7034b911 1263
524237cb 1264 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
d26a2345
VCG		 1265 return 0;
1266
1c1def09 1267 rsp = (void *) &smp->prsp[1];
7034b911
VCG		 1268
1269 /* The responder sends its keys first */
efabba37 1270 if (hcon->out && (smp->remote_key_dist & 0x07))
7034b911
VCG		 1271 return 0;
1272
1c1def09 1273 req = (void *) &smp->preq[1];
7034b911 1274
524237cb 1275 if (hcon->out) {
7034b911
VCG		 1276 keydist = &rsp->init_key_dist;
1277 *keydist &= req->init_key_dist;
1278 } else {
1279 keydist = &rsp->resp_key_dist;
1280 *keydist &= req->resp_key_dist;
1281 }
1282
7034b911
VCG		 1283 BT_DBG("keydist 0x%x", *keydist);
1284
1285 if (*keydist & SMP_DIST_ENC_KEY) {
1286 struct smp_cmd_encrypt_info enc;
1287 struct smp_cmd_master_ident ident;
23d0e128 1288 struct smp_ltk *ltk;
c9839a11 1289 u8 authenticated;
7034b911 1290 __le16 ediv;
fe39c7b2 1291 __le64 rand;
7034b911
VCG		 1292
1293 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1294 get_random_bytes(&ediv, sizeof(ediv));
fe39c7b2 1295 get_random_bytes(&rand, sizeof(rand));
7034b911
VCG		 1296
1297 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1298
c9839a11 1299 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
524237cb 1300 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
35d70271 1301 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk,
fe39c7b2 1302 smp->enc_key_size, ediv, rand);
23d0e128 1303 smp->slave_ltk = ltk;
16b90839 1304
58115373 1305 ident.ediv = ediv;
fe39c7b2 1306 ident.rand = rand;
7034b911
VCG		 1307
1308 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1309
1310 *keydist &= ~SMP_DIST_ENC_KEY;
1311 }
1312
1313 if (*keydist & SMP_DIST_ID_KEY) {
1314 struct smp_cmd_ident_addr_info addrinfo;
1315 struct smp_cmd_ident_info idinfo;
1316
863efaf2 1317 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
7034b911
VCG		 1318
1319 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1320
82d4b359
JH		 1321 /* The hci_conn contains the local identity address
1322 * after the connection has been established.
1323 *
1324 * This is true even when the connection has been
1325 * established using a resolvable random address.
1326 */
524237cb 1327 bacpy(&addrinfo.bdaddr, &hcon->src);
82d4b359 1328 addrinfo.addr_type = hcon->src_type;
7034b911
VCG		 1329
1330 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
f1560463 1331 &addrinfo);
7034b911
VCG		 1332
1333 *keydist &= ~SMP_DIST_ID_KEY;
1334 }
1335
1336 if (*keydist & SMP_DIST_SIGN) {
1337 struct smp_cmd_sign_info sign;
7ee4ea36 1338 struct smp_csrk *csrk;
7034b911 1339
7ee4ea36 1340 /* Generate a new random key */
7034b911
VCG		 1341 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1342
7ee4ea36
MH		 1343 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1344 if (csrk) {
1345 csrk->master = 0x00;
1346 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1347 }
1348 smp->slave_csrk = csrk;
1349
7034b911
VCG		 1350 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1351
1352 *keydist &= ~SMP_DIST_SIGN;
1353 }
1354
efabba37
JH		 1355 /* If there are still keys to be received wait for them */
1356 if ((smp->remote_key_dist & 0x07))
1357 return 0;
1358
1d98bf4f
JH		 1359 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1360 cancel_delayed_work_sync(&conn->security_timer);
1361 set_bit(SMP_FLAG_COMPLETE, &smp->smp_flags);
1362 smp_notify_keys(conn);
efabba37 1363
1d98bf4f 1364 smp_chan_destroy(conn);
d26a2345 1365
7034b911
VCG		 1366 return 0;
1367}
Linux kernel - Deliverables
This page took 0.426112 seconds and 5 git commands to generate.