Commit | Line | Data |
---|---|---|
eb492e01 AB |
1 | /* |
2 | BlueZ - Bluetooth protocol stack for Linux | |
3 | Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). | |
4 | ||
5 | This program is free software; you can redistribute it and/or modify | |
6 | it under the terms of the GNU General Public License version 2 as | |
7 | published by the Free Software Foundation; | |
8 | ||
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS | |
10 | OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, | |
11 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. | |
12 | IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY | |
13 | CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES | |
14 | WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |
15 | ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |
16 | OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |
17 | ||
18 | ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, | |
19 | COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS | |
20 | SOFTWARE IS DISCLAIMED. | |
21 | */ | |
22 | ||
23 | #include <net/bluetooth/bluetooth.h> | |
24 | #include <net/bluetooth/hci_core.h> | |
25 | #include <net/bluetooth/l2cap.h> | |
26 | #include <net/bluetooth/smp.h> | |
d22ef0bc | 27 | #include <linux/crypto.h> |
f70490e6 | 28 | #include <linux/scatterlist.h> |
d22ef0bc AB |
29 | #include <crypto/b128ops.h> |
30 | ||
5d3de7df VCG |
31 | #define SMP_TIMEOUT 30000 /* 30 seconds */ |
32 | ||
d22ef0bc AB |
33 | static inline void swap128(u8 src[16], u8 dst[16]) |
34 | { | |
35 | int i; | |
36 | for (i = 0; i < 16; i++) | |
37 | dst[15 - i] = src[i]; | |
38 | } | |
39 | ||
40 | static inline void swap56(u8 src[7], u8 dst[7]) | |
41 | { | |
42 | int i; | |
43 | for (i = 0; i < 7; i++) | |
44 | dst[6 - i] = src[i]; | |
45 | } | |
46 | ||
47 | static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r) | |
48 | { | |
49 | struct blkcipher_desc desc; | |
50 | struct scatterlist sg; | |
51 | int err, iv_len; | |
52 | unsigned char iv[128]; | |
53 | ||
54 | if (tfm == NULL) { | |
55 | BT_ERR("tfm %p", tfm); | |
56 | return -EINVAL; | |
57 | } | |
58 | ||
59 | desc.tfm = tfm; | |
60 | desc.flags = 0; | |
61 | ||
62 | err = crypto_blkcipher_setkey(tfm, k, 16); | |
63 | if (err) { | |
64 | BT_ERR("cipher setkey failed: %d", err); | |
65 | return err; | |
66 | } | |
67 | ||
68 | sg_init_one(&sg, r, 16); | |
69 | ||
70 | iv_len = crypto_blkcipher_ivsize(tfm); | |
71 | if (iv_len) { | |
72 | memset(&iv, 0xff, iv_len); | |
73 | crypto_blkcipher_set_iv(tfm, iv, iv_len); | |
74 | } | |
75 | ||
76 | err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16); | |
77 | if (err) | |
78 | BT_ERR("Encrypt data error %d", err); | |
79 | ||
80 | return err; | |
81 | } | |
82 | ||
83 | static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16], | |
84 | u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, | |
85 | u8 _rat, bdaddr_t *ra, u8 res[16]) | |
86 | { | |
87 | u8 p1[16], p2[16]; | |
88 | int err; | |
89 | ||
90 | memset(p1, 0, 16); | |
91 | ||
92 | /* p1 = pres || preq || _rat || _iat */ | |
93 | swap56(pres, p1); | |
94 | swap56(preq, p1 + 7); | |
95 | p1[14] = _rat; | |
96 | p1[15] = _iat; | |
97 | ||
98 | memset(p2, 0, 16); | |
99 | ||
100 | /* p2 = padding || ia || ra */ | |
101 | baswap((bdaddr_t *) (p2 + 4), ia); | |
102 | baswap((bdaddr_t *) (p2 + 10), ra); | |
103 | ||
104 | /* res = r XOR p1 */ | |
105 | u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); | |
106 | ||
107 | /* res = e(k, res) */ | |
108 | err = smp_e(tfm, k, res); | |
109 | if (err) { | |
110 | BT_ERR("Encrypt data error"); | |
111 | return err; | |
112 | } | |
113 | ||
114 | /* res = res XOR p2 */ | |
115 | u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); | |
116 | ||
117 | /* res = e(k, res) */ | |
118 | err = smp_e(tfm, k, res); | |
119 | if (err) | |
120 | BT_ERR("Encrypt data error"); | |
121 | ||
122 | return err; | |
123 | } | |
124 | ||
125 | static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16], | |
126 | u8 r1[16], u8 r2[16], u8 _r[16]) | |
127 | { | |
128 | int err; | |
129 | ||
130 | /* Just least significant octets from r1 and r2 are considered */ | |
131 | memcpy(_r, r1 + 8, 8); | |
132 | memcpy(_r + 8, r2 + 8, 8); | |
133 | ||
134 | err = smp_e(tfm, k, _r); | |
135 | if (err) | |
136 | BT_ERR("Encrypt data error"); | |
137 | ||
138 | return err; | |
139 | } | |
140 | ||
141 | static int smp_rand(u8 *buf) | |
142 | { | |
143 | get_random_bytes(buf, 16); | |
144 | ||
145 | return 0; | |
146 | } | |
eb492e01 AB |
147 | |
148 | static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code, | |
149 | u16 dlen, void *data) | |
150 | { | |
151 | struct sk_buff *skb; | |
152 | struct l2cap_hdr *lh; | |
153 | int len; | |
154 | ||
155 | len = L2CAP_HDR_SIZE + sizeof(code) + dlen; | |
156 | ||
157 | if (len > conn->mtu) | |
158 | return NULL; | |
159 | ||
160 | skb = bt_skb_alloc(len, GFP_ATOMIC); | |
161 | if (!skb) | |
162 | return NULL; | |
163 | ||
164 | lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE); | |
165 | lh->len = cpu_to_le16(sizeof(code) + dlen); | |
166 | lh->cid = cpu_to_le16(L2CAP_CID_SMP); | |
167 | ||
168 | memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code)); | |
169 | ||
170 | memcpy(skb_put(skb, dlen), data, dlen); | |
171 | ||
172 | return skb; | |
173 | } | |
174 | ||
175 | static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) | |
176 | { | |
177 | struct sk_buff *skb = smp_build_cmd(conn, code, len, data); | |
178 | ||
179 | BT_DBG("code 0x%2.2x", code); | |
180 | ||
181 | if (!skb) | |
182 | return; | |
183 | ||
73d80deb LAD |
184 | skb->priority = HCI_PRIO_MAX; |
185 | hci_send_acl(conn->hchan, skb, 0); | |
e2dcd113 VCG |
186 | |
187 | mod_timer(&conn->security_timer, jiffies + | |
188 | msecs_to_jiffies(SMP_TIMEOUT)); | |
eb492e01 AB |
189 | } |
190 | ||
b8e66eac | 191 | static void build_pairing_cmd(struct l2cap_conn *conn, |
54790f73 VCG |
192 | struct smp_cmd_pairing *req, |
193 | struct smp_cmd_pairing *rsp, | |
194 | __u8 authreq) | |
b8e66eac | 195 | { |
54790f73 VCG |
196 | u8 dist_keys; |
197 | ||
198 | dist_keys = 0; | |
199 | if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) { | |
ca10b5ee | 200 | dist_keys = SMP_DIST_ENC_KEY; |
54790f73 VCG |
201 | authreq |= SMP_AUTH_BONDING; |
202 | } | |
203 | ||
204 | if (rsp == NULL) { | |
205 | req->io_capability = conn->hcon->io_capability; | |
206 | req->oob_flag = SMP_OOB_NOT_PRESENT; | |
207 | req->max_key_size = SMP_MAX_ENC_KEY_SIZE; | |
208 | req->init_key_dist = dist_keys; | |
209 | req->resp_key_dist = dist_keys; | |
210 | req->auth_req = authreq; | |
211 | return; | |
212 | } | |
213 | ||
214 | rsp->io_capability = conn->hcon->io_capability; | |
215 | rsp->oob_flag = SMP_OOB_NOT_PRESENT; | |
216 | rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; | |
217 | rsp->init_key_dist = req->init_key_dist & dist_keys; | |
218 | rsp->resp_key_dist = req->resp_key_dist & dist_keys; | |
219 | rsp->auth_req = authreq; | |
b8e66eac VCG |
220 | } |
221 | ||
3158c50c VCG |
222 | static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) |
223 | { | |
1c1def09 VCG |
224 | struct smp_chan *smp = conn->smp_chan; |
225 | ||
3158c50c VCG |
226 | if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) || |
227 | (max_key_size < SMP_MIN_ENC_KEY_SIZE)) | |
228 | return SMP_ENC_KEY_SIZE; | |
229 | ||
1c1def09 | 230 | smp->smp_key_size = max_key_size; |
3158c50c VCG |
231 | |
232 | return 0; | |
233 | } | |
234 | ||
8aab4757 VCG |
235 | static void confirm_work(struct work_struct *work) |
236 | { | |
237 | struct smp_chan *smp = container_of(work, struct smp_chan, confirm); | |
238 | struct l2cap_conn *conn = smp->conn; | |
239 | struct crypto_blkcipher *tfm; | |
240 | struct smp_cmd_pairing_confirm cp; | |
241 | int ret; | |
242 | u8 res[16], reason; | |
243 | ||
244 | BT_DBG("conn %p", conn); | |
245 | ||
246 | tfm = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); | |
247 | if (IS_ERR(tfm)) { | |
248 | reason = SMP_UNSPECIFIED; | |
249 | goto error; | |
250 | } | |
251 | ||
252 | smp->tfm = tfm; | |
253 | ||
254 | if (conn->hcon->out) | |
255 | ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp, 0, | |
256 | conn->src, conn->hcon->dst_type, conn->dst, | |
257 | res); | |
258 | else | |
259 | ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp, | |
260 | conn->hcon->dst_type, conn->dst, 0, conn->src, | |
261 | res); | |
262 | if (ret) { | |
263 | reason = SMP_UNSPECIFIED; | |
264 | goto error; | |
265 | } | |
266 | ||
267 | swap128(res, cp.confirm_val); | |
268 | smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); | |
269 | ||
270 | return; | |
271 | ||
272 | error: | |
273 | smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), &reason); | |
274 | smp_chan_destroy(conn); | |
275 | } | |
276 | ||
277 | static void random_work(struct work_struct *work) | |
278 | { | |
279 | struct smp_chan *smp = container_of(work, struct smp_chan, random); | |
280 | struct l2cap_conn *conn = smp->conn; | |
281 | struct hci_conn *hcon = conn->hcon; | |
282 | struct crypto_blkcipher *tfm = smp->tfm; | |
283 | u8 reason, confirm[16], res[16], key[16]; | |
284 | int ret; | |
285 | ||
286 | if (IS_ERR_OR_NULL(tfm)) { | |
287 | reason = SMP_UNSPECIFIED; | |
288 | goto error; | |
289 | } | |
290 | ||
291 | BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); | |
292 | ||
293 | if (hcon->out) | |
294 | ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, 0, | |
295 | conn->src, hcon->dst_type, conn->dst, | |
296 | res); | |
297 | else | |
298 | ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp, | |
299 | hcon->dst_type, conn->dst, 0, conn->src, | |
300 | res); | |
301 | if (ret) { | |
302 | reason = SMP_UNSPECIFIED; | |
303 | goto error; | |
304 | } | |
305 | ||
306 | swap128(res, confirm); | |
307 | ||
308 | if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) { | |
309 | BT_ERR("Pairing failed (confirmation values mismatch)"); | |
310 | reason = SMP_CONFIRM_FAILED; | |
311 | goto error; | |
312 | } | |
313 | ||
314 | if (hcon->out) { | |
315 | u8 stk[16], rand[8]; | |
316 | __le16 ediv; | |
317 | ||
318 | memset(rand, 0, sizeof(rand)); | |
319 | ediv = 0; | |
320 | ||
321 | smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, key); | |
322 | swap128(key, stk); | |
323 | ||
324 | memset(stk + smp->smp_key_size, 0, | |
325 | SMP_MAX_ENC_KEY_SIZE - smp->smp_key_size); | |
326 | ||
327 | if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend)) { | |
328 | reason = SMP_UNSPECIFIED; | |
329 | goto error; | |
330 | } | |
331 | ||
332 | hci_le_start_enc(hcon, ediv, rand, stk); | |
333 | hcon->enc_key_size = smp->smp_key_size; | |
334 | } else { | |
335 | u8 stk[16], r[16], rand[8]; | |
336 | __le16 ediv; | |
337 | ||
338 | memset(rand, 0, sizeof(rand)); | |
339 | ediv = 0; | |
340 | ||
341 | swap128(smp->prnd, r); | |
342 | smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r); | |
343 | ||
344 | smp_s1(tfm, smp->tk, smp->prnd, smp->rrnd, key); | |
345 | swap128(key, stk); | |
346 | ||
347 | memset(stk + smp->smp_key_size, 0, | |
348 | SMP_MAX_ENC_KEY_SIZE - smp->smp_key_size); | |
349 | ||
350 | hci_add_ltk(hcon->hdev, 0, conn->dst, smp->smp_key_size, | |
351 | ediv, rand, stk); | |
352 | } | |
353 | ||
354 | return; | |
355 | ||
356 | error: | |
357 | smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), &reason); | |
358 | smp_chan_destroy(conn); | |
359 | } | |
360 | ||
361 | static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) | |
362 | { | |
363 | struct smp_chan *smp; | |
364 | ||
365 | smp = kzalloc(sizeof(struct smp_chan), GFP_ATOMIC); | |
366 | if (!smp) | |
367 | return NULL; | |
368 | ||
369 | INIT_WORK(&smp->confirm, confirm_work); | |
370 | INIT_WORK(&smp->random, random_work); | |
371 | ||
372 | smp->conn = conn; | |
373 | conn->smp_chan = smp; | |
374 | ||
375 | hci_conn_hold(conn->hcon); | |
376 | ||
377 | return smp; | |
378 | } | |
379 | ||
380 | void smp_chan_destroy(struct l2cap_conn *conn) | |
381 | { | |
c8eb9690 BG |
382 | struct smp_chan *smp = conn->smp_chan; |
383 | ||
384 | clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend); | |
385 | ||
386 | if (smp->tfm) | |
387 | crypto_free_blkcipher(smp->tfm); | |
388 | ||
389 | kfree(smp); | |
390 | conn->smp_chan = NULL; | |
8aab4757 VCG |
391 | hci_conn_put(conn->hcon); |
392 | } | |
393 | ||
da85e5e5 | 394 | static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) |
88ba43b6 | 395 | { |
3158c50c | 396 | struct smp_cmd_pairing rsp, *req = (void *) skb->data; |
8aab4757 | 397 | struct smp_chan *smp; |
3158c50c | 398 | u8 key_size; |
8aab4757 | 399 | int ret; |
88ba43b6 AB |
400 | |
401 | BT_DBG("conn %p", conn); | |
402 | ||
d26a2345 | 403 | if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend)) |
8aab4757 VCG |
404 | smp = smp_chan_create(conn); |
405 | ||
406 | smp = conn->smp_chan; | |
d26a2345 | 407 | |
1c1def09 VCG |
408 | smp->preq[0] = SMP_CMD_PAIRING_REQ; |
409 | memcpy(&smp->preq[1], req, sizeof(*req)); | |
3158c50c | 410 | skb_pull(skb, sizeof(*req)); |
88ba43b6 | 411 | |
3158c50c | 412 | if (req->oob_flag) |
da85e5e5 VCG |
413 | return SMP_OOB_NOT_AVAIL; |
414 | ||
415 | /* We didn't start the pairing, so no requirements */ | |
54790f73 | 416 | build_pairing_cmd(conn, req, &rsp, SMP_AUTH_NONE); |
3158c50c VCG |
417 | |
418 | key_size = min(req->max_key_size, rsp.max_key_size); | |
419 | if (check_enc_key_size(conn, key_size)) | |
420 | return SMP_ENC_KEY_SIZE; | |
88ba43b6 | 421 | |
7d24ddcc | 422 | /* Just works */ |
1c1def09 | 423 | memset(smp->tk, 0, sizeof(smp->tk)); |
7d24ddcc | 424 | |
8aab4757 VCG |
425 | ret = smp_rand(smp->prnd); |
426 | if (ret) | |
427 | return SMP_UNSPECIFIED; | |
428 | ||
1c1def09 VCG |
429 | smp->prsp[0] = SMP_CMD_PAIRING_RSP; |
430 | memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); | |
f01ead31 | 431 | |
3158c50c | 432 | smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); |
da85e5e5 VCG |
433 | |
434 | return 0; | |
88ba43b6 AB |
435 | } |
436 | ||
da85e5e5 | 437 | static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) |
88ba43b6 | 438 | { |
3158c50c | 439 | struct smp_cmd_pairing *req, *rsp = (void *) skb->data; |
1c1def09 | 440 | struct smp_chan *smp = conn->smp_chan; |
8aab4757 VCG |
441 | struct hci_dev *hdev = conn->hcon->hdev; |
442 | u8 key_size; | |
7d24ddcc | 443 | int ret; |
88ba43b6 AB |
444 | |
445 | BT_DBG("conn %p", conn); | |
446 | ||
3158c50c VCG |
447 | skb_pull(skb, sizeof(*rsp)); |
448 | ||
1c1def09 | 449 | req = (void *) &smp->preq[1]; |
da85e5e5 | 450 | |
3158c50c VCG |
451 | key_size = min(req->max_key_size, rsp->max_key_size); |
452 | if (check_enc_key_size(conn, key_size)) | |
453 | return SMP_ENC_KEY_SIZE; | |
454 | ||
455 | if (rsp->oob_flag) | |
da85e5e5 VCG |
456 | return SMP_OOB_NOT_AVAIL; |
457 | ||
7d24ddcc | 458 | /* Just works */ |
1c1def09 | 459 | memset(smp->tk, 0, sizeof(smp->tk)); |
88ba43b6 | 460 | |
1c1def09 | 461 | ret = smp_rand(smp->prnd); |
7d24ddcc | 462 | if (ret) |
da85e5e5 | 463 | return SMP_UNSPECIFIED; |
7d24ddcc | 464 | |
8aab4757 VCG |
465 | smp->prsp[0] = SMP_CMD_PAIRING_RSP; |
466 | memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); | |
7d24ddcc | 467 | |
8aab4757 | 468 | queue_work(hdev->workqueue, &smp->confirm); |
da85e5e5 VCG |
469 | |
470 | return 0; | |
88ba43b6 AB |
471 | } |
472 | ||
da85e5e5 | 473 | static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) |
88ba43b6 | 474 | { |
1c1def09 | 475 | struct smp_chan *smp = conn->smp_chan; |
8aab4757 | 476 | struct hci_dev *hdev = conn->hcon->hdev; |
7d24ddcc | 477 | |
88ba43b6 AB |
478 | BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); |
479 | ||
1c1def09 VCG |
480 | memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); |
481 | skb_pull(skb, sizeof(smp->pcnf)); | |
88ba43b6 | 482 | |
7d24ddcc AB |
483 | if (conn->hcon->out) { |
484 | u8 random[16]; | |
88ba43b6 | 485 | |
1c1def09 | 486 | swap128(smp->prnd, random); |
88ba43b6 | 487 | smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random), |
7d24ddcc | 488 | random); |
88ba43b6 | 489 | } else { |
8aab4757 | 490 | queue_work(hdev->workqueue, &smp->confirm); |
88ba43b6 | 491 | } |
da85e5e5 VCG |
492 | |
493 | return 0; | |
88ba43b6 AB |
494 | } |
495 | ||
da85e5e5 | 496 | static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) |
88ba43b6 | 497 | { |
1c1def09 | 498 | struct smp_chan *smp = conn->smp_chan; |
8aab4757 | 499 | struct hci_dev *hdev = conn->hcon->hdev; |
7d24ddcc | 500 | |
8aab4757 | 501 | BT_DBG("conn %p", conn); |
3158c50c | 502 | |
8aab4757 VCG |
503 | swap128(skb->data, smp->rrnd); |
504 | skb_pull(skb, sizeof(smp->rrnd)); | |
e7e62c85 | 505 | |
8aab4757 | 506 | queue_work(hdev->workqueue, &smp->random); |
da85e5e5 VCG |
507 | |
508 | return 0; | |
88ba43b6 AB |
509 | } |
510 | ||
988c5997 VCG |
511 | static u8 smp_ltk_encrypt(struct l2cap_conn *conn) |
512 | { | |
513 | struct link_key *key; | |
514 | struct key_master_id *master; | |
515 | struct hci_conn *hcon = conn->hcon; | |
516 | ||
517 | key = hci_find_link_key_type(hcon->hdev, conn->dst, | |
518 | HCI_LK_SMP_LTK); | |
519 | if (!key) | |
520 | return 0; | |
521 | ||
522 | if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, | |
523 | &hcon->pend)) | |
524 | return 1; | |
525 | ||
526 | master = (void *) key->data; | |
527 | hci_le_start_enc(hcon, master->ediv, master->rand, | |
528 | key->val); | |
529 | hcon->enc_key_size = key->pin_len; | |
530 | ||
531 | return 1; | |
532 | ||
533 | } | |
da85e5e5 | 534 | static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) |
88ba43b6 AB |
535 | { |
536 | struct smp_cmd_security_req *rp = (void *) skb->data; | |
537 | struct smp_cmd_pairing cp; | |
f1cb9af5 | 538 | struct hci_conn *hcon = conn->hcon; |
8aab4757 | 539 | struct smp_chan *smp; |
88ba43b6 AB |
540 | |
541 | BT_DBG("conn %p", conn); | |
542 | ||
feb45eb5 VCG |
543 | hcon->pending_sec_level = BT_SECURITY_MEDIUM; |
544 | ||
988c5997 VCG |
545 | if (smp_ltk_encrypt(conn)) |
546 | return 0; | |
547 | ||
d26a2345 | 548 | if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) |
da85e5e5 | 549 | return 0; |
f1cb9af5 | 550 | |
8aab4757 | 551 | smp = smp_chan_create(conn); |
d26a2345 | 552 | |
88ba43b6 | 553 | skb_pull(skb, sizeof(*rp)); |
88ba43b6 | 554 | |
da85e5e5 | 555 | memset(&cp, 0, sizeof(cp)); |
54790f73 | 556 | build_pairing_cmd(conn, &cp, NULL, rp->auth_req); |
88ba43b6 | 557 | |
1c1def09 VCG |
558 | smp->preq[0] = SMP_CMD_PAIRING_REQ; |
559 | memcpy(&smp->preq[1], &cp, sizeof(cp)); | |
f01ead31 | 560 | |
88ba43b6 | 561 | smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); |
f1cb9af5 | 562 | |
da85e5e5 | 563 | return 0; |
88ba43b6 AB |
564 | } |
565 | ||
eb492e01 AB |
566 | int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level) |
567 | { | |
3a0259bb | 568 | struct hci_conn *hcon = conn->hcon; |
1c1def09 | 569 | struct smp_chan *smp = conn->smp_chan; |
eb492e01 | 570 | |
3a0259bb VCG |
571 | BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); |
572 | ||
2e65c9d2 AG |
573 | if (!lmp_host_le_capable(hcon->hdev)) |
574 | return 1; | |
575 | ||
f1cb9af5 VCG |
576 | if (sec_level == BT_SECURITY_LOW) |
577 | return 1; | |
eb492e01 | 578 | |
f1cb9af5 | 579 | if (hcon->sec_level >= sec_level) |
eb492e01 | 580 | return 1; |
f1cb9af5 | 581 | |
988c5997 VCG |
582 | if (hcon->link_mode & HCI_LM_MASTER) |
583 | if (smp_ltk_encrypt(conn)) | |
02bc7455 | 584 | goto done; |
d26a2345 VCG |
585 | |
586 | if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->pend)) | |
587 | return 0; | |
588 | ||
8aab4757 | 589 | smp = smp_chan_create(conn); |
d26a2345 | 590 | |
d26a2345 VCG |
591 | if (hcon->link_mode & HCI_LM_MASTER) { |
592 | struct smp_cmd_pairing cp; | |
f01ead31 | 593 | |
0fb4eb6f | 594 | build_pairing_cmd(conn, &cp, NULL, SMP_AUTH_NONE); |
1c1def09 VCG |
595 | smp->preq[0] = SMP_CMD_PAIRING_REQ; |
596 | memcpy(&smp->preq[1], &cp, sizeof(cp)); | |
f01ead31 | 597 | |
eb492e01 AB |
598 | smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); |
599 | } else { | |
600 | struct smp_cmd_security_req cp; | |
0fb4eb6f | 601 | cp.auth_req = SMP_AUTH_NONE; |
eb492e01 AB |
602 | smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); |
603 | } | |
604 | ||
02bc7455 | 605 | done: |
f1cb9af5 | 606 | hcon->pending_sec_level = sec_level; |
f1cb9af5 | 607 | |
eb492e01 AB |
608 | return 0; |
609 | } | |
610 | ||
7034b911 VCG |
611 | static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) |
612 | { | |
16b90839 | 613 | struct smp_cmd_encrypt_info *rp = (void *) skb->data; |
1c1def09 | 614 | struct smp_chan *smp = conn->smp_chan; |
16b90839 VCG |
615 | |
616 | skb_pull(skb, sizeof(*rp)); | |
617 | ||
1c1def09 | 618 | memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); |
16b90839 | 619 | |
7034b911 VCG |
620 | return 0; |
621 | } | |
622 | ||
623 | static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) | |
624 | { | |
16b90839 | 625 | struct smp_cmd_master_ident *rp = (void *) skb->data; |
1c1def09 | 626 | struct smp_chan *smp = conn->smp_chan; |
16b90839 VCG |
627 | |
628 | skb_pull(skb, sizeof(*rp)); | |
7034b911 | 629 | |
1c1def09 VCG |
630 | hci_add_ltk(conn->hcon->hdev, 1, conn->src, smp->smp_key_size, |
631 | rp->ediv, rp->rand, smp->tk); | |
7034b911 VCG |
632 | |
633 | smp_distribute_keys(conn, 1); | |
634 | ||
635 | return 0; | |
636 | } | |
637 | ||
eb492e01 AB |
638 | int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb) |
639 | { | |
640 | __u8 code = skb->data[0]; | |
641 | __u8 reason; | |
642 | int err = 0; | |
643 | ||
2e65c9d2 AG |
644 | if (!lmp_host_le_capable(conn->hcon->hdev)) { |
645 | err = -ENOTSUPP; | |
646 | reason = SMP_PAIRING_NOTSUPP; | |
647 | goto done; | |
648 | } | |
649 | ||
eb492e01 AB |
650 | skb_pull(skb, sizeof(code)); |
651 | ||
652 | switch (code) { | |
653 | case SMP_CMD_PAIRING_REQ: | |
da85e5e5 | 654 | reason = smp_cmd_pairing_req(conn, skb); |
eb492e01 AB |
655 | break; |
656 | ||
657 | case SMP_CMD_PAIRING_FAIL: | |
da85e5e5 VCG |
658 | reason = 0; |
659 | err = -EPERM; | |
eb492e01 AB |
660 | break; |
661 | ||
662 | case SMP_CMD_PAIRING_RSP: | |
da85e5e5 | 663 | reason = smp_cmd_pairing_rsp(conn, skb); |
88ba43b6 AB |
664 | break; |
665 | ||
666 | case SMP_CMD_SECURITY_REQ: | |
da85e5e5 | 667 | reason = smp_cmd_security_req(conn, skb); |
88ba43b6 AB |
668 | break; |
669 | ||
eb492e01 | 670 | case SMP_CMD_PAIRING_CONFIRM: |
da85e5e5 | 671 | reason = smp_cmd_pairing_confirm(conn, skb); |
88ba43b6 AB |
672 | break; |
673 | ||
eb492e01 | 674 | case SMP_CMD_PAIRING_RANDOM: |
da85e5e5 | 675 | reason = smp_cmd_pairing_random(conn, skb); |
88ba43b6 AB |
676 | break; |
677 | ||
eb492e01 | 678 | case SMP_CMD_ENCRYPT_INFO: |
7034b911 VCG |
679 | reason = smp_cmd_encrypt_info(conn, skb); |
680 | break; | |
681 | ||
eb492e01 | 682 | case SMP_CMD_MASTER_IDENT: |
7034b911 VCG |
683 | reason = smp_cmd_master_ident(conn, skb); |
684 | break; | |
685 | ||
eb492e01 AB |
686 | case SMP_CMD_IDENT_INFO: |
687 | case SMP_CMD_IDENT_ADDR_INFO: | |
688 | case SMP_CMD_SIGN_INFO: | |
7034b911 VCG |
689 | /* Just ignored */ |
690 | reason = 0; | |
691 | break; | |
692 | ||
eb492e01 AB |
693 | default: |
694 | BT_DBG("Unknown command code 0x%2.2x", code); | |
695 | ||
696 | reason = SMP_CMD_NOTSUPP; | |
eb492e01 | 697 | err = -EOPNOTSUPP; |
3a0259bb | 698 | goto done; |
eb492e01 AB |
699 | } |
700 | ||
3a0259bb VCG |
701 | done: |
702 | if (reason) | |
703 | smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), | |
704 | &reason); | |
705 | ||
eb492e01 AB |
706 | kfree_skb(skb); |
707 | return err; | |
708 | } | |
7034b911 VCG |
709 | |
710 | int smp_distribute_keys(struct l2cap_conn *conn, __u8 force) | |
711 | { | |
712 | struct smp_cmd_pairing *req, *rsp; | |
1c1def09 | 713 | struct smp_chan *smp = conn->smp_chan; |
7034b911 VCG |
714 | __u8 *keydist; |
715 | ||
716 | BT_DBG("conn %p force %d", conn, force); | |
717 | ||
d26a2345 VCG |
718 | if (!test_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend)) |
719 | return 0; | |
720 | ||
1c1def09 | 721 | rsp = (void *) &smp->prsp[1]; |
7034b911 VCG |
722 | |
723 | /* The responder sends its keys first */ | |
724 | if (!force && conn->hcon->out && (rsp->resp_key_dist & 0x07)) | |
725 | return 0; | |
726 | ||
1c1def09 | 727 | req = (void *) &smp->preq[1]; |
7034b911 VCG |
728 | |
729 | if (conn->hcon->out) { | |
730 | keydist = &rsp->init_key_dist; | |
731 | *keydist &= req->init_key_dist; | |
732 | } else { | |
733 | keydist = &rsp->resp_key_dist; | |
734 | *keydist &= req->resp_key_dist; | |
735 | } | |
736 | ||
737 | ||
738 | BT_DBG("keydist 0x%x", *keydist); | |
739 | ||
740 | if (*keydist & SMP_DIST_ENC_KEY) { | |
741 | struct smp_cmd_encrypt_info enc; | |
742 | struct smp_cmd_master_ident ident; | |
743 | __le16 ediv; | |
744 | ||
745 | get_random_bytes(enc.ltk, sizeof(enc.ltk)); | |
746 | get_random_bytes(&ediv, sizeof(ediv)); | |
747 | get_random_bytes(ident.rand, sizeof(ident.rand)); | |
748 | ||
749 | smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); | |
750 | ||
1c1def09 | 751 | hci_add_ltk(conn->hcon->hdev, 1, conn->dst, smp->smp_key_size, |
726b4ffc | 752 | ediv, ident.rand, enc.ltk); |
16b90839 | 753 | |
7034b911 VCG |
754 | ident.ediv = cpu_to_le16(ediv); |
755 | ||
756 | smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); | |
757 | ||
758 | *keydist &= ~SMP_DIST_ENC_KEY; | |
759 | } | |
760 | ||
761 | if (*keydist & SMP_DIST_ID_KEY) { | |
762 | struct smp_cmd_ident_addr_info addrinfo; | |
763 | struct smp_cmd_ident_info idinfo; | |
764 | ||
765 | /* Send a dummy key */ | |
766 | get_random_bytes(idinfo.irk, sizeof(idinfo.irk)); | |
767 | ||
768 | smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); | |
769 | ||
770 | /* Just public address */ | |
771 | memset(&addrinfo, 0, sizeof(addrinfo)); | |
772 | bacpy(&addrinfo.bdaddr, conn->src); | |
773 | ||
774 | smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), | |
775 | &addrinfo); | |
776 | ||
777 | *keydist &= ~SMP_DIST_ID_KEY; | |
778 | } | |
779 | ||
780 | if (*keydist & SMP_DIST_SIGN) { | |
781 | struct smp_cmd_sign_info sign; | |
782 | ||
783 | /* Send a dummy key */ | |
784 | get_random_bytes(sign.csrk, sizeof(sign.csrk)); | |
785 | ||
786 | smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); | |
787 | ||
788 | *keydist &= ~SMP_DIST_SIGN; | |
789 | } | |
790 | ||
d26a2345 VCG |
791 | if (conn->hcon->out || force) { |
792 | clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend); | |
793 | del_timer(&conn->security_timer); | |
8aab4757 | 794 | smp_chan_destroy(conn); |
d26a2345 VCG |
795 | } |
796 | ||
7034b911 VCG |
797 | return 0; |
798 | } |