projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Add basic LE SC OOB support for remote OOB data
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "ecc.h"
33 #include "smp.h"
34
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
36
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
39
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
41
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
43 0x1f : 0x07)
44 #define KEY_DIST_MASK 0x07
45
46 /* Maximum message length that can be passed to aes_cmac */
47 #define CMAC_MSG_MAX 80
48
49 enum {
50 SMP_FLAG_TK_VALID,
51 SMP_FLAG_CFM_PENDING,
52 SMP_FLAG_MITM_AUTH,
53 SMP_FLAG_COMPLETE,
54 SMP_FLAG_INITIATOR,
55 SMP_FLAG_SC,
56 SMP_FLAG_REMOTE_PK,
57 SMP_FLAG_DEBUG_KEY,
58 SMP_FLAG_WAIT_USER,
59 SMP_FLAG_DHKEY_PENDING,
60 SMP_FLAG_OOB,
61 };
62
63 struct smp_chan {
64 struct l2cap_conn *conn;
65 struct delayed_work security_timer;
66 unsigned long allow_cmd; /* Bitmask of allowed commands */
67
68 u8 preq[7]; /* SMP Pairing Request */
69 u8 prsp[7]; /* SMP Pairing Response */
70 u8 prnd[16]; /* SMP Pairing Random (local) */
71 u8 rrnd[16]; /* SMP Pairing Random (remote) */
72 u8 pcnf[16]; /* SMP Pairing Confirm */
73 u8 tk[16]; /* SMP Temporary Key */
74 u8 rr[16];
75 u8 enc_key_size;
76 u8 remote_key_dist;
77 bdaddr_t id_addr;
78 u8 id_addr_type;
79 u8 irk[16];
80 struct smp_csrk *csrk;
81 struct smp_csrk *slave_csrk;
82 struct smp_ltk *ltk;
83 struct smp_ltk *slave_ltk;
84 struct smp_irk *remote_irk;
85 u8 *link_key;
86 unsigned long flags;
87 u8 method;
88 u8 passkey_round;
89
90 /* Secure Connections variables */
91 u8 local_pk[64];
92 u8 local_sk[32];
93 u8 remote_pk[64];
94 u8 dhkey[32];
95 u8 mackey[16];
96
97 struct crypto_blkcipher *tfm_aes;
98 struct crypto_hash *tfm_cmac;
99 };
100
101 /* These debug key values are defined in the SMP section of the core
102 * specification. debug_pk is the public debug key and debug_sk the
103 * private debug key.
104 */
105 static const u8 debug_pk[64] = {
106 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
107 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
108 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
109 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
110
111 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
112 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
113 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
114 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
115 };
116
117 static const u8 debug_sk[32] = {
118 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
119 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
120 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
121 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
122 };
123
124 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
125 {
126 size_t i;
127
128 for (i = 0; i < len; i++)
129 dst[len - 1 - i] = src[i];
130 }
131
132 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
133 size_t len, u8 mac[16])
134 {
135 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
136 struct hash_desc desc;
137 struct scatterlist sg;
138 int err;
139
140 if (len > CMAC_MSG_MAX)
141 return -EFBIG;
142
143 if (!tfm) {
144 BT_ERR("tfm %p", tfm);
145 return -EINVAL;
146 }
147
148 desc.tfm = tfm;
149 desc.flags = 0;
150
151 crypto_hash_init(&desc);
152
153 /* Swap key and message from LSB to MSB */
154 swap_buf(k, tmp, 16);
155 swap_buf(m, msg_msb, len);
156
157 BT_DBG("msg (len %zu) %*phN", len, (int) len, m);
158 BT_DBG("key %16phN", k);
159
160 err = crypto_hash_setkey(tfm, tmp, 16);
161 if (err) {
162 BT_ERR("cipher setkey failed: %d", err);
163 return err;
164 }
165
166 sg_init_one(&sg, msg_msb, len);
167
168 err = crypto_hash_update(&desc, &sg, len);
169 if (err) {
170 BT_ERR("Hash update error %d", err);
171 return err;
172 }
173
174 err = crypto_hash_final(&desc, mac_msb);
175 if (err) {
176 BT_ERR("Hash final error %d", err);
177 return err;
178 }
179
180 swap_buf(mac_msb, mac, 16);
181
182 BT_DBG("mac %16phN", mac);
183
184 return 0;
185 }
186
187 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
188 const u8 x[16], u8 z, u8 res[16])
189 {
190 u8 m[65];
191 int err;
192
193 BT_DBG("u %32phN", u);
194 BT_DBG("v %32phN", v);
195 BT_DBG("x %16phN z %02x", x, z);
196
197 m[0] = z;
198 memcpy(m + 1, v, 32);
199 memcpy(m + 33, u, 32);
200
201 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
202 if (err)
203 return err;
204
205 BT_DBG("res %16phN", res);
206
207 return err;
208 }
209
210 static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
211 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
212 {
213 /* The btle, salt and length "magic" values are as defined in
214 * the SMP section of the Bluetooth core specification. In ASCII
215 * the btle value ends up being 'btle'. The salt is just a
216 * random number whereas length is the value 256 in little
217 * endian format.
218 */
219 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
220 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
221 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
222 const u8 length[2] = { 0x00, 0x01 };
223 u8 m[53], t[16];
224 int err;
225
226 BT_DBG("w %32phN", w);
227 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
228 BT_DBG("a1 %7phN a2 %7phN", a1, a2);
229
230 err = aes_cmac(tfm_cmac, salt, w, 32, t);
231 if (err)
232 return err;
233
234 BT_DBG("t %16phN", t);
235
236 memcpy(m, length, 2);
237 memcpy(m + 2, a2, 7);
238 memcpy(m + 9, a1, 7);
239 memcpy(m + 16, n2, 16);
240 memcpy(m + 32, n1, 16);
241 memcpy(m + 48, btle, 4);
242
243 m[52] = 0; /* Counter */
244
245 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
246 if (err)
247 return err;
248
249 BT_DBG("mackey %16phN", mackey);
250
251 m[52] = 1; /* Counter */
252
253 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
254 if (err)
255 return err;
256
257 BT_DBG("ltk %16phN", ltk);
258
259 return 0;
260 }
261
262 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
263 const u8 n1[16], u8 n2[16], const u8 r[16],
264 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
265 u8 res[16])
266 {
267 u8 m[65];
268 int err;
269
270 BT_DBG("w %16phN", w);
271 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
272 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
273
274 memcpy(m, a2, 7);
275 memcpy(m + 7, a1, 7);
276 memcpy(m + 14, io_cap, 3);
277 memcpy(m + 17, r, 16);
278 memcpy(m + 33, n2, 16);
279 memcpy(m + 49, n1, 16);
280
281 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
282 if (err)
283 return err;
284
285 BT_DBG("res %16phN", res);
286
287 return err;
288 }
289
290 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
291 const u8 x[16], const u8 y[16], u32 *val)
292 {
293 u8 m[80], tmp[16];
294 int err;
295
296 BT_DBG("u %32phN", u);
297 BT_DBG("v %32phN", v);
298 BT_DBG("x %16phN y %16phN", x, y);
299
300 memcpy(m, y, 16);
301 memcpy(m + 16, v, 32);
302 memcpy(m + 48, u, 32);
303
304 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
305 if (err)
306 return err;
307
308 *val = get_unaligned_le32(tmp);
309 *val %= 1000000;
310
311 BT_DBG("val %06u", *val);
312
313 return 0;
314 }
315
316 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
317 {
318 struct blkcipher_desc desc;
319 struct scatterlist sg;
320 uint8_t tmp[16], data[16];
321 int err;
322
323 if (tfm == NULL) {
324 BT_ERR("tfm %p", tfm);
325 return -EINVAL;
326 }
327
328 desc.tfm = tfm;
329 desc.flags = 0;
330
331 /* The most significant octet of key corresponds to k[0] */
332 swap_buf(k, tmp, 16);
333
334 err = crypto_blkcipher_setkey(tfm, tmp, 16);
335 if (err) {
336 BT_ERR("cipher setkey failed: %d", err);
337 return err;
338 }
339
340 /* Most significant octet of plaintextData corresponds to data[0] */
341 swap_buf(r, data, 16);
342
343 sg_init_one(&sg, data, 16);
344
345 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
346 if (err)
347 BT_ERR("Encrypt data error %d", err);
348
349 /* Most significant octet of encryptedData corresponds to data[0] */
350 swap_buf(data, r, 16);
351
352 return err;
353 }
354
355 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
356 const u8 key_id[4], u8 res[16])
357 {
358 int err;
359
360 BT_DBG("w %16phN key_id %4phN", w, key_id);
361
362 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
363 if (err)
364 return err;
365
366 BT_DBG("res %16phN", res);
367
368 return err;
369 }
370
371 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
372 {
373 u8 _res[16];
374 int err;
375
376 /* r' = padding || r */
377 memcpy(_res, r, 3);
378 memset(_res + 3, 0, 13);
379
380 err = smp_e(tfm, irk, _res);
381 if (err) {
382 BT_ERR("Encrypt error");
383 return err;
384 }
385
386 /* The output of the random address function ah is:
387 * ah(h, r) = e(k, r') mod 2^24
388 * The output of the security function e is then truncated to 24 bits
389 * by taking the least significant 24 bits of the output of e as the
390 * result of ah.
391 */
392 memcpy(res, _res, 3);
393
394 return 0;
395 }
396
397 bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
398 {
399 struct l2cap_chan *chan = hdev->smp_data;
400 struct crypto_blkcipher *tfm;
401 u8 hash[3];
402 int err;
403
404 if (!chan || !chan->data)
405 return false;
406
407 tfm = chan->data;
408
409 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
410
411 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
412 if (err)
413 return false;
414
415 return !memcmp(bdaddr->b, hash, 3);
416 }
417
418 int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
419 {
420 struct l2cap_chan *chan = hdev->smp_data;
421 struct crypto_blkcipher *tfm;
422 int err;
423
424 if (!chan || !chan->data)
425 return -EOPNOTSUPP;
426
427 tfm = chan->data;
428
429 get_random_bytes(&rpa->b[3], 3);
430
431 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
432 rpa->b[5] |= 0x40; /* Set second most significant bit */
433
434 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
435 if (err < 0)
436 return err;
437
438 BT_DBG("RPA %pMR", rpa);
439
440 return 0;
441 }
442
443 static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
444 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
445 bdaddr_t *ra, u8 res[16])
446 {
447 u8 p1[16], p2[16];
448 int err;
449
450 memset(p1, 0, 16);
451
452 /* p1 = pres || preq || _rat || _iat */
453 p1[0] = _iat;
454 p1[1] = _rat;
455 memcpy(p1 + 2, preq, 7);
456 memcpy(p1 + 9, pres, 7);
457
458 /* p2 = padding || ia || ra */
459 memcpy(p2, ra, 6);
460 memcpy(p2 + 6, ia, 6);
461 memset(p2 + 12, 0, 4);
462
463 /* res = r XOR p1 */
464 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
465
466 /* res = e(k, res) */
467 err = smp_e(tfm_aes, k, res);
468 if (err) {
469 BT_ERR("Encrypt data error");
470 return err;
471 }
472
473 /* res = res XOR p2 */
474 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
475
476 /* res = e(k, res) */
477 err = smp_e(tfm_aes, k, res);
478 if (err)
479 BT_ERR("Encrypt data error");
480
481 return err;
482 }
483
484 static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
485 u8 r2[16], u8 _r[16])
486 {
487 int err;
488
489 /* Just least significant octets from r1 and r2 are considered */
490 memcpy(_r, r2, 8);
491 memcpy(_r + 8, r1, 8);
492
493 err = smp_e(tfm_aes, k, _r);
494 if (err)
495 BT_ERR("Encrypt data error");
496
497 return err;
498 }
499
500 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
501 {
502 struct l2cap_chan *chan = conn->smp;
503 struct smp_chan *smp;
504 struct kvec iv[2];
505 struct msghdr msg;
506
507 if (!chan)
508 return;
509
510 BT_DBG("code 0x%2.2x", code);
511
512 iv[0].iov_base = &code;
513 iv[0].iov_len = 1;
514
515 iv[1].iov_base = data;
516 iv[1].iov_len = len;
517
518 memset(&msg, 0, sizeof(msg));
519
520 msg.msg_iov = (struct iovec *) &iv;
521 msg.msg_iovlen = 2;
522
523 l2cap_chan_send(chan, &msg, 1 + len);
524
525 if (!chan->data)
526 return;
527
528 smp = chan->data;
529
530 cancel_delayed_work_sync(&smp->security_timer);
531 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
532 }
533
534 static u8 authreq_to_seclevel(u8 authreq)
535 {
536 if (authreq & SMP_AUTH_MITM) {
537 if (authreq & SMP_AUTH_SC)
538 return BT_SECURITY_FIPS;
539 else
540 return BT_SECURITY_HIGH;
541 } else {
542 return BT_SECURITY_MEDIUM;
543 }
544 }
545
546 static __u8 seclevel_to_authreq(__u8 sec_level)
547 {
548 switch (sec_level) {
549 case BT_SECURITY_FIPS:
550 case BT_SECURITY_HIGH:
551 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
552 case BT_SECURITY_MEDIUM:
553 return SMP_AUTH_BONDING;
554 default:
555 return SMP_AUTH_NONE;
556 }
557 }
558
559 static void build_pairing_cmd(struct l2cap_conn *conn,
560 struct smp_cmd_pairing *req,
561 struct smp_cmd_pairing *rsp, __u8 authreq)
562 {
563 struct l2cap_chan *chan = conn->smp;
564 struct smp_chan *smp = chan->data;
565 struct hci_conn *hcon = conn->hcon;
566 struct hci_dev *hdev = hcon->hdev;
567 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
568
569 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
570 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
571 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
572 authreq |= SMP_AUTH_BONDING;
573 } else {
574 authreq &= ~SMP_AUTH_BONDING;
575 }
576
577 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
578 remote_dist |= SMP_DIST_ID_KEY;
579
580 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
581 local_dist |= SMP_DIST_ID_KEY;
582
583 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
584 (authreq & SMP_AUTH_SC)) {
585 struct oob_data *oob_data;
586 u8 bdaddr_type;
587
588 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
589 local_dist |= SMP_DIST_LINK_KEY;
590 remote_dist |= SMP_DIST_LINK_KEY;
591 }
592
593 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
594 bdaddr_type = BDADDR_LE_PUBLIC;
595 else
596 bdaddr_type = BDADDR_LE_RANDOM;
597
598 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
599 bdaddr_type);
600 if (oob_data) {
601 set_bit(SMP_FLAG_OOB, &smp->flags);
602 oob_flag = SMP_OOB_PRESENT;
603 memcpy(smp->rr, oob_data->rand256, 16);
604 memcpy(smp->pcnf, oob_data->hash256, 16);
605 }
606
607 } else {
608 authreq &= ~SMP_AUTH_SC;
609 }
610
611 if (rsp == NULL) {
612 req->io_capability = conn->hcon->io_capability;
613 req->oob_flag = oob_flag;
614 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
615 req->init_key_dist = local_dist;
616 req->resp_key_dist = remote_dist;
617 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
618
619 smp->remote_key_dist = remote_dist;
620 return;
621 }
622
623 rsp->io_capability = conn->hcon->io_capability;
624 rsp->oob_flag = oob_flag;
625 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
626 rsp->init_key_dist = req->init_key_dist & remote_dist;
627 rsp->resp_key_dist = req->resp_key_dist & local_dist;
628 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
629
630 smp->remote_key_dist = rsp->init_key_dist;
631 }
632
633 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
634 {
635 struct l2cap_chan *chan = conn->smp;
636 struct smp_chan *smp = chan->data;
637
638 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
639 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
640 return SMP_ENC_KEY_SIZE;
641
642 smp->enc_key_size = max_key_size;
643
644 return 0;
645 }
646
647 static void smp_chan_destroy(struct l2cap_conn *conn)
648 {
649 struct l2cap_chan *chan = conn->smp;
650 struct smp_chan *smp = chan->data;
651 bool complete;
652
653 BUG_ON(!smp);
654
655 cancel_delayed_work_sync(&smp->security_timer);
656
657 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
658 mgmt_smp_complete(conn->hcon, complete);
659
660 kfree(smp->csrk);
661 kfree(smp->slave_csrk);
662 kfree(smp->link_key);
663
664 crypto_free_blkcipher(smp->tfm_aes);
665 crypto_free_hash(smp->tfm_cmac);
666
667 /* If pairing failed clean up any keys we might have */
668 if (!complete) {
669 if (smp->ltk) {
670 list_del_rcu(&smp->ltk->list);
671 kfree_rcu(smp->ltk, rcu);
672 }
673
674 if (smp->slave_ltk) {
675 list_del_rcu(&smp->slave_ltk->list);
676 kfree_rcu(smp->slave_ltk, rcu);
677 }
678
679 if (smp->remote_irk) {
680 list_del_rcu(&smp->remote_irk->list);
681 kfree_rcu(smp->remote_irk, rcu);
682 }
683 }
684
685 chan->data = NULL;
686 kfree(smp);
687 hci_conn_drop(conn->hcon);
688 }
689
690 static void smp_failure(struct l2cap_conn *conn, u8 reason)
691 {
692 struct hci_conn *hcon = conn->hcon;
693 struct l2cap_chan *chan = conn->smp;
694
695 if (reason)
696 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
697 &reason);
698
699 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
700 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
701
702 if (chan->data)
703 smp_chan_destroy(conn);
704 }
705
706 #define JUST_WORKS 0x00
707 #define JUST_CFM 0x01
708 #define REQ_PASSKEY 0x02
709 #define CFM_PASSKEY 0x03
710 #define REQ_OOB 0x04
711 #define DSP_PASSKEY 0x05
712 #define OVERLAP 0xFF
713
714 static const u8 gen_method[5][5] = {
715 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
716 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
717 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
718 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
719 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
720 };
721
722 static const u8 sc_method[5][5] = {
723 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
724 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
725 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
726 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
727 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
728 };
729
730 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
731 {
732 /* If either side has unknown io_caps, use JUST_CFM (which gets
733 * converted later to JUST_WORKS if we're initiators.
734 */
735 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
736 remote_io > SMP_IO_KEYBOARD_DISPLAY)
737 return JUST_CFM;
738
739 if (test_bit(SMP_FLAG_SC, &smp->flags))
740 return sc_method[remote_io][local_io];
741
742 return gen_method[remote_io][local_io];
743 }
744
745 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
746 u8 local_io, u8 remote_io)
747 {
748 struct hci_conn *hcon = conn->hcon;
749 struct l2cap_chan *chan = conn->smp;
750 struct smp_chan *smp = chan->data;
751 u32 passkey = 0;
752 int ret = 0;
753
754 /* Initialize key for JUST WORKS */
755 memset(smp->tk, 0, sizeof(smp->tk));
756 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
757
758 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
759
760 /* If neither side wants MITM, either "just" confirm an incoming
761 * request or use just-works for outgoing ones. The JUST_CFM
762 * will be converted to JUST_WORKS if necessary later in this
763 * function. If either side has MITM look up the method from the
764 * table.
765 */
766 if (!(auth & SMP_AUTH_MITM))
767 smp->method = JUST_CFM;
768 else
769 smp->method = get_auth_method(smp, local_io, remote_io);
770
771 /* Don't confirm locally initiated pairing attempts */
772 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
773 &smp->flags))
774 smp->method = JUST_WORKS;
775
776 /* Don't bother user space with no IO capabilities */
777 if (smp->method == JUST_CFM &&
778 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
779 smp->method = JUST_WORKS;
780
781 /* If Just Works, Continue with Zero TK */
782 if (smp->method == JUST_WORKS) {
783 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
784 return 0;
785 }
786
787 /* Not Just Works/Confirm results in MITM Authentication */
788 if (smp->method != JUST_CFM) {
789 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
790 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
791 hcon->pending_sec_level = BT_SECURITY_HIGH;
792 }
793
794 /* If both devices have Keyoard-Display I/O, the master
795 * Confirms and the slave Enters the passkey.
796 */
797 if (smp->method == OVERLAP) {
798 if (hcon->role == HCI_ROLE_MASTER)
799 smp->method = CFM_PASSKEY;
800 else
801 smp->method = REQ_PASSKEY;
802 }
803
804 /* Generate random passkey. */
805 if (smp->method == CFM_PASSKEY) {
806 memset(smp->tk, 0, sizeof(smp->tk));
807 get_random_bytes(&passkey, sizeof(passkey));
808 passkey %= 1000000;
809 put_unaligned_le32(passkey, smp->tk);
810 BT_DBG("PassKey: %d", passkey);
811 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
812 }
813
814 if (smp->method == REQ_PASSKEY)
815 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
816 hcon->type, hcon->dst_type);
817 else if (smp->method == JUST_CFM)
818 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
819 hcon->type, hcon->dst_type,
820 passkey, 1);
821 else
822 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
823 hcon->type, hcon->dst_type,
824 passkey, 0);
825
826 return ret;
827 }
828
829 static u8 smp_confirm(struct smp_chan *smp)
830 {
831 struct l2cap_conn *conn = smp->conn;
832 struct smp_cmd_pairing_confirm cp;
833 int ret;
834
835 BT_DBG("conn %p", conn);
836
837 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
838 conn->hcon->init_addr_type, &conn->hcon->init_addr,
839 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
840 cp.confirm_val);
841 if (ret)
842 return SMP_UNSPECIFIED;
843
844 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
845
846 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
847
848 if (conn->hcon->out)
849 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
850 else
851 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
852
853 return 0;
854 }
855
856 static u8 smp_random(struct smp_chan *smp)
857 {
858 struct l2cap_conn *conn = smp->conn;
859 struct hci_conn *hcon = conn->hcon;
860 u8 confirm[16];
861 int ret;
862
863 if (IS_ERR_OR_NULL(smp->tfm_aes))
864 return SMP_UNSPECIFIED;
865
866 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
867
868 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
869 hcon->init_addr_type, &hcon->init_addr,
870 hcon->resp_addr_type, &hcon->resp_addr, confirm);
871 if (ret)
872 return SMP_UNSPECIFIED;
873
874 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
875 BT_ERR("Pairing failed (confirmation values mismatch)");
876 return SMP_CONFIRM_FAILED;
877 }
878
879 if (hcon->out) {
880 u8 stk[16];
881 __le64 rand = 0;
882 __le16 ediv = 0;
883
884 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
885
886 memset(stk + smp->enc_key_size, 0,
887 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
888
889 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
890 return SMP_UNSPECIFIED;
891
892 hci_le_start_enc(hcon, ediv, rand, stk);
893 hcon->enc_key_size = smp->enc_key_size;
894 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
895 } else {
896 u8 stk[16], auth;
897 __le64 rand = 0;
898 __le16 ediv = 0;
899
900 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
901 smp->prnd);
902
903 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
904
905 memset(stk + smp->enc_key_size, 0,
906 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
907
908 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
909 auth = 1;
910 else
911 auth = 0;
912
913 /* Even though there's no _SLAVE suffix this is the
914 * slave STK we're adding for later lookup (the master
915 * STK never needs to be stored).
916 */
917 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
918 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
919 }
920
921 return 0;
922 }
923
924 static void smp_notify_keys(struct l2cap_conn *conn)
925 {
926 struct l2cap_chan *chan = conn->smp;
927 struct smp_chan *smp = chan->data;
928 struct hci_conn *hcon = conn->hcon;
929 struct hci_dev *hdev = hcon->hdev;
930 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
931 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
932 bool persistent;
933
934 if (smp->remote_irk) {
935 mgmt_new_irk(hdev, smp->remote_irk);
936 /* Now that user space can be considered to know the
937 * identity address track the connection based on it
938 * from now on (assuming this is an LE link).
939 */
940 if (hcon->type == LE_LINK) {
941 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
942 hcon->dst_type = smp->remote_irk->addr_type;
943 queue_work(hdev->workqueue, &conn->id_addr_update_work);
944 }
945
946 /* When receiving an indentity resolving key for
947 * a remote device that does not use a resolvable
948 * private address, just remove the key so that
949 * it is possible to use the controller white
950 * list for scanning.
951 *
952 * Userspace will have been told to not store
953 * this key at this point. So it is safe to
954 * just remove it.
955 */
956 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
957 list_del_rcu(&smp->remote_irk->list);
958 kfree_rcu(smp->remote_irk, rcu);
959 smp->remote_irk = NULL;
960 }
961 }
962
963 if (hcon->type == ACL_LINK) {
964 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
965 persistent = false;
966 else
967 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
968 &hcon->flags);
969 } else {
970 /* The LTKs and CSRKs should be persistent only if both sides
971 * had the bonding bit set in their authentication requests.
972 */
973 persistent = !!((req->auth_req & rsp->auth_req) &
974 SMP_AUTH_BONDING);
975 }
976
977
978 if (smp->csrk) {
979 smp->csrk->bdaddr_type = hcon->dst_type;
980 bacpy(&smp->csrk->bdaddr, &hcon->dst);
981 mgmt_new_csrk(hdev, smp->csrk, persistent);
982 }
983
984 if (smp->slave_csrk) {
985 smp->slave_csrk->bdaddr_type = hcon->dst_type;
986 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
987 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
988 }
989
990 if (smp->ltk) {
991 smp->ltk->bdaddr_type = hcon->dst_type;
992 bacpy(&smp->ltk->bdaddr, &hcon->dst);
993 mgmt_new_ltk(hdev, smp->ltk, persistent);
994 }
995
996 if (smp->slave_ltk) {
997 smp->slave_ltk->bdaddr_type = hcon->dst_type;
998 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
999 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1000 }
1001
1002 if (smp->link_key) {
1003 struct link_key *key;
1004 u8 type;
1005
1006 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1007 type = HCI_LK_DEBUG_COMBINATION;
1008 else if (hcon->sec_level == BT_SECURITY_FIPS)
1009 type = HCI_LK_AUTH_COMBINATION_P256;
1010 else
1011 type = HCI_LK_UNAUTH_COMBINATION_P256;
1012
1013 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1014 smp->link_key, type, 0, &persistent);
1015 if (key) {
1016 mgmt_new_link_key(hdev, key, persistent);
1017
1018 /* Don't keep debug keys around if the relevant
1019 * flag is not set.
1020 */
1021 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1022 key->type == HCI_LK_DEBUG_COMBINATION) {
1023 list_del_rcu(&key->list);
1024 kfree_rcu(key, rcu);
1025 }
1026 }
1027 }
1028 }
1029
1030 static void sc_add_ltk(struct smp_chan *smp)
1031 {
1032 struct hci_conn *hcon = smp->conn->hcon;
1033 u8 key_type, auth;
1034
1035 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1036 key_type = SMP_LTK_P256_DEBUG;
1037 else
1038 key_type = SMP_LTK_P256;
1039
1040 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1041 auth = 1;
1042 else
1043 auth = 0;
1044
1045 memset(smp->tk + smp->enc_key_size, 0,
1046 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1047
1048 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1049 key_type, auth, smp->tk, smp->enc_key_size,
1050 0, 0);
1051 }
1052
1053 static void sc_generate_link_key(struct smp_chan *smp)
1054 {
1055 /* These constants are as specified in the core specification.
1056 * In ASCII they spell out to 'tmp1' and 'lebr'.
1057 */
1058 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1059 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1060
1061 smp->link_key = kzalloc(16, GFP_KERNEL);
1062 if (!smp->link_key)
1063 return;
1064
1065 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1066 kfree(smp->link_key);
1067 smp->link_key = NULL;
1068 return;
1069 }
1070
1071 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1072 kfree(smp->link_key);
1073 smp->link_key = NULL;
1074 return;
1075 }
1076 }
1077
1078 static void smp_allow_key_dist(struct smp_chan *smp)
1079 {
1080 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1081 * will be allowed in each PDU handler to ensure we receive
1082 * them in the correct order.
1083 */
1084 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1085 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1086 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1087 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1088 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1089 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1090 }
1091
1092 static void sc_generate_ltk(struct smp_chan *smp)
1093 {
1094 /* These constants are as specified in the core specification.
1095 * In ASCII they spell out to 'tmp2' and 'brle'.
1096 */
1097 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1098 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1099 struct hci_conn *hcon = smp->conn->hcon;
1100 struct hci_dev *hdev = hcon->hdev;
1101 struct link_key *key;
1102
1103 key = hci_find_link_key(hdev, &hcon->dst);
1104 if (!key) {
1105 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1106 return;
1107 }
1108
1109 if (key->type == HCI_LK_DEBUG_COMBINATION)
1110 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1111
1112 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1113 return;
1114
1115 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1116 return;
1117
1118 sc_add_ltk(smp);
1119 }
1120
1121 static void smp_distribute_keys(struct smp_chan *smp)
1122 {
1123 struct smp_cmd_pairing *req, *rsp;
1124 struct l2cap_conn *conn = smp->conn;
1125 struct hci_conn *hcon = conn->hcon;
1126 struct hci_dev *hdev = hcon->hdev;
1127 __u8 *keydist;
1128
1129 BT_DBG("conn %p", conn);
1130
1131 rsp = (void *) &smp->prsp[1];
1132
1133 /* The responder sends its keys first */
1134 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1135 smp_allow_key_dist(smp);
1136 return;
1137 }
1138
1139 req = (void *) &smp->preq[1];
1140
1141 if (hcon->out) {
1142 keydist = &rsp->init_key_dist;
1143 *keydist &= req->init_key_dist;
1144 } else {
1145 keydist = &rsp->resp_key_dist;
1146 *keydist &= req->resp_key_dist;
1147 }
1148
1149 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1150 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1151 sc_generate_link_key(smp);
1152 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1153 sc_generate_ltk(smp);
1154
1155 /* Clear the keys which are generated but not distributed */
1156 *keydist &= ~SMP_SC_NO_DIST;
1157 }
1158
1159 BT_DBG("keydist 0x%x", *keydist);
1160
1161 if (*keydist & SMP_DIST_ENC_KEY) {
1162 struct smp_cmd_encrypt_info enc;
1163 struct smp_cmd_master_ident ident;
1164 struct smp_ltk *ltk;
1165 u8 authenticated;
1166 __le16 ediv;
1167 __le64 rand;
1168
1169 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1170 get_random_bytes(&ediv, sizeof(ediv));
1171 get_random_bytes(&rand, sizeof(rand));
1172
1173 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1174
1175 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1176 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1177 SMP_LTK_SLAVE, authenticated, enc.ltk,
1178 smp->enc_key_size, ediv, rand);
1179 smp->slave_ltk = ltk;
1180
1181 ident.ediv = ediv;
1182 ident.rand = rand;
1183
1184 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1185
1186 *keydist &= ~SMP_DIST_ENC_KEY;
1187 }
1188
1189 if (*keydist & SMP_DIST_ID_KEY) {
1190 struct smp_cmd_ident_addr_info addrinfo;
1191 struct smp_cmd_ident_info idinfo;
1192
1193 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1194
1195 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1196
1197 /* The hci_conn contains the local identity address
1198 * after the connection has been established.
1199 *
1200 * This is true even when the connection has been
1201 * established using a resolvable random address.
1202 */
1203 bacpy(&addrinfo.bdaddr, &hcon->src);
1204 addrinfo.addr_type = hcon->src_type;
1205
1206 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1207 &addrinfo);
1208
1209 *keydist &= ~SMP_DIST_ID_KEY;
1210 }
1211
1212 if (*keydist & SMP_DIST_SIGN) {
1213 struct smp_cmd_sign_info sign;
1214 struct smp_csrk *csrk;
1215
1216 /* Generate a new random key */
1217 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1218
1219 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1220 if (csrk) {
1221 csrk->master = 0x00;
1222 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1223 }
1224 smp->slave_csrk = csrk;
1225
1226 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1227
1228 *keydist &= ~SMP_DIST_SIGN;
1229 }
1230
1231 /* If there are still keys to be received wait for them */
1232 if (smp->remote_key_dist & KEY_DIST_MASK) {
1233 smp_allow_key_dist(smp);
1234 return;
1235 }
1236
1237 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1238 smp_notify_keys(conn);
1239
1240 smp_chan_destroy(conn);
1241 }
1242
1243 static void smp_timeout(struct work_struct *work)
1244 {
1245 struct smp_chan *smp = container_of(work, struct smp_chan,
1246 security_timer.work);
1247 struct l2cap_conn *conn = smp->conn;
1248
1249 BT_DBG("conn %p", conn);
1250
1251 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1252 }
1253
1254 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1255 {
1256 struct l2cap_chan *chan = conn->smp;
1257 struct smp_chan *smp;
1258
1259 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1260 if (!smp)
1261 return NULL;
1262
1263 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1264 if (IS_ERR(smp->tfm_aes)) {
1265 BT_ERR("Unable to create ECB crypto context");
1266 kfree(smp);
1267 return NULL;
1268 }
1269
1270 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1271 if (IS_ERR(smp->tfm_cmac)) {
1272 BT_ERR("Unable to create CMAC crypto context");
1273 crypto_free_blkcipher(smp->tfm_aes);
1274 kfree(smp);
1275 return NULL;
1276 }
1277
1278 smp->conn = conn;
1279 chan->data = smp;
1280
1281 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1282
1283 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1284
1285 hci_conn_hold(conn->hcon);
1286
1287 return smp;
1288 }
1289
1290 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1291 {
1292 struct hci_conn *hcon = smp->conn->hcon;
1293 u8 *na, *nb, a[7], b[7];
1294
1295 if (hcon->out) {
1296 na = smp->prnd;
1297 nb = smp->rrnd;
1298 } else {
1299 na = smp->rrnd;
1300 nb = smp->prnd;
1301 }
1302
1303 memcpy(a, &hcon->init_addr, 6);
1304 memcpy(b, &hcon->resp_addr, 6);
1305 a[6] = hcon->init_addr_type;
1306 b[6] = hcon->resp_addr_type;
1307
1308 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1309 }
1310
1311 static void sc_dhkey_check(struct smp_chan *smp)
1312 {
1313 struct hci_conn *hcon = smp->conn->hcon;
1314 struct smp_cmd_dhkey_check check;
1315 u8 a[7], b[7], *local_addr, *remote_addr;
1316 u8 io_cap[3], r[16];
1317
1318 memcpy(a, &hcon->init_addr, 6);
1319 memcpy(b, &hcon->resp_addr, 6);
1320 a[6] = hcon->init_addr_type;
1321 b[6] = hcon->resp_addr_type;
1322
1323 if (hcon->out) {
1324 local_addr = a;
1325 remote_addr = b;
1326 memcpy(io_cap, &smp->preq[1], 3);
1327 } else {
1328 local_addr = b;
1329 remote_addr = a;
1330 memcpy(io_cap, &smp->prsp[1], 3);
1331 }
1332
1333 memset(r, 0, sizeof(r));
1334
1335 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1336 put_unaligned_le32(hcon->passkey_notify, r);
1337
1338 if (smp->method == REQ_OOB)
1339 memcpy(r, smp->rr, 16);
1340
1341 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1342 local_addr, remote_addr, check.e);
1343
1344 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1345 }
1346
1347 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1348 {
1349 struct l2cap_conn *conn = smp->conn;
1350 struct hci_conn *hcon = conn->hcon;
1351 struct smp_cmd_pairing_confirm cfm;
1352 u8 r;
1353
1354 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1355 r |= 0x80;
1356
1357 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1358
1359 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1360 cfm.confirm_val))
1361 return SMP_UNSPECIFIED;
1362
1363 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1364
1365 return 0;
1366 }
1367
1368 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1369 {
1370 struct l2cap_conn *conn = smp->conn;
1371 struct hci_conn *hcon = conn->hcon;
1372 struct hci_dev *hdev = hcon->hdev;
1373 u8 cfm[16], r;
1374
1375 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1376 if (smp->passkey_round >= 20)
1377 return 0;
1378
1379 switch (smp_op) {
1380 case SMP_CMD_PAIRING_RANDOM:
1381 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1382 r |= 0x80;
1383
1384 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1385 smp->rrnd, r, cfm))
1386 return SMP_UNSPECIFIED;
1387
1388 if (memcmp(smp->pcnf, cfm, 16))
1389 return SMP_CONFIRM_FAILED;
1390
1391 smp->passkey_round++;
1392
1393 if (smp->passkey_round == 20) {
1394 /* Generate MacKey and LTK */
1395 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1396 return SMP_UNSPECIFIED;
1397 }
1398
1399 /* The round is only complete when the initiator
1400 * receives pairing random.
1401 */
1402 if (!hcon->out) {
1403 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1404 sizeof(smp->prnd), smp->prnd);
1405 if (smp->passkey_round == 20)
1406 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1407 else
1408 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1409 return 0;
1410 }
1411
1412 /* Start the next round */
1413 if (smp->passkey_round != 20)
1414 return sc_passkey_round(smp, 0);
1415
1416 /* Passkey rounds are complete - start DHKey Check */
1417 sc_dhkey_check(smp);
1418 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1419
1420 break;
1421
1422 case SMP_CMD_PAIRING_CONFIRM:
1423 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1424 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1425 return 0;
1426 }
1427
1428 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1429
1430 if (hcon->out) {
1431 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1432 sizeof(smp->prnd), smp->prnd);
1433 return 0;
1434 }
1435
1436 return sc_passkey_send_confirm(smp);
1437
1438 case SMP_CMD_PUBLIC_KEY:
1439 default:
1440 /* Initiating device starts the round */
1441 if (!hcon->out)
1442 return 0;
1443
1444 BT_DBG("%s Starting passkey round %u", hdev->name,
1445 smp->passkey_round + 1);
1446
1447 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1448
1449 return sc_passkey_send_confirm(smp);
1450 }
1451
1452 return 0;
1453 }
1454
1455 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1456 {
1457 struct l2cap_conn *conn = smp->conn;
1458 struct hci_conn *hcon = conn->hcon;
1459 u8 smp_op;
1460
1461 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1462
1463 switch (mgmt_op) {
1464 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1465 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1466 return 0;
1467 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1468 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1469 return 0;
1470 case MGMT_OP_USER_PASSKEY_REPLY:
1471 hcon->passkey_notify = le32_to_cpu(passkey);
1472 smp->passkey_round = 0;
1473
1474 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1475 smp_op = SMP_CMD_PAIRING_CONFIRM;
1476 else
1477 smp_op = 0;
1478
1479 if (sc_passkey_round(smp, smp_op))
1480 return -EIO;
1481
1482 return 0;
1483 }
1484
1485 /* Initiator sends DHKey check first */
1486 if (hcon->out) {
1487 sc_dhkey_check(smp);
1488 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1489 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1490 sc_dhkey_check(smp);
1491 sc_add_ltk(smp);
1492 }
1493
1494 return 0;
1495 }
1496
1497 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1498 {
1499 struct l2cap_conn *conn = hcon->l2cap_data;
1500 struct l2cap_chan *chan;
1501 struct smp_chan *smp;
1502 u32 value;
1503 int err;
1504
1505 BT_DBG("");
1506
1507 if (!conn)
1508 return -ENOTCONN;
1509
1510 chan = conn->smp;
1511 if (!chan)
1512 return -ENOTCONN;
1513
1514 l2cap_chan_lock(chan);
1515 if (!chan->data) {
1516 err = -ENOTCONN;
1517 goto unlock;
1518 }
1519
1520 smp = chan->data;
1521
1522 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1523 err = sc_user_reply(smp, mgmt_op, passkey);
1524 goto unlock;
1525 }
1526
1527 switch (mgmt_op) {
1528 case MGMT_OP_USER_PASSKEY_REPLY:
1529 value = le32_to_cpu(passkey);
1530 memset(smp->tk, 0, sizeof(smp->tk));
1531 BT_DBG("PassKey: %d", value);
1532 put_unaligned_le32(value, smp->tk);
1533 /* Fall Through */
1534 case MGMT_OP_USER_CONFIRM_REPLY:
1535 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1536 break;
1537 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1538 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1539 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1540 err = 0;
1541 goto unlock;
1542 default:
1543 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1544 err = -EOPNOTSUPP;
1545 goto unlock;
1546 }
1547
1548 err = 0;
1549
1550 /* If it is our turn to send Pairing Confirm, do so now */
1551 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1552 u8 rsp = smp_confirm(smp);
1553 if (rsp)
1554 smp_failure(conn, rsp);
1555 }
1556
1557 unlock:
1558 l2cap_chan_unlock(chan);
1559 return err;
1560 }
1561
1562 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1563 struct smp_cmd_pairing *req,
1564 struct smp_cmd_pairing *rsp)
1565 {
1566 struct l2cap_conn *conn = smp->conn;
1567 struct hci_dev *hdev = conn->hcon->hdev;
1568 u8 local_dist = 0, remote_dist = 0;
1569
1570 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1571 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1572 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1573 }
1574
1575 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1576 remote_dist |= SMP_DIST_ID_KEY;
1577
1578 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1579 local_dist |= SMP_DIST_ID_KEY;
1580
1581 if (!rsp) {
1582 memset(req, 0, sizeof(*req));
1583
1584 req->init_key_dist = local_dist;
1585 req->resp_key_dist = remote_dist;
1586 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1587
1588 smp->remote_key_dist = remote_dist;
1589
1590 return;
1591 }
1592
1593 memset(rsp, 0, sizeof(*rsp));
1594
1595 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1596 rsp->init_key_dist = req->init_key_dist & remote_dist;
1597 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1598
1599 smp->remote_key_dist = rsp->init_key_dist;
1600 }
1601
1602 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1603 {
1604 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1605 struct l2cap_chan *chan = conn->smp;
1606 struct hci_dev *hdev = conn->hcon->hdev;
1607 struct smp_chan *smp;
1608 u8 key_size, auth, sec_level;
1609 int ret;
1610
1611 BT_DBG("conn %p", conn);
1612
1613 if (skb->len < sizeof(*req))
1614 return SMP_INVALID_PARAMS;
1615
1616 if (conn->hcon->role != HCI_ROLE_SLAVE)
1617 return SMP_CMD_NOTSUPP;
1618
1619 if (!chan->data)
1620 smp = smp_chan_create(conn);
1621 else
1622 smp = chan->data;
1623
1624 if (!smp)
1625 return SMP_UNSPECIFIED;
1626
1627 /* We didn't start the pairing, so match remote */
1628 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1629
1630 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1631 (auth & SMP_AUTH_BONDING))
1632 return SMP_PAIRING_NOTSUPP;
1633
1634 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1635 return SMP_AUTH_REQUIREMENTS;
1636
1637 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1638 memcpy(&smp->preq[1], req, sizeof(*req));
1639 skb_pull(skb, sizeof(*req));
1640
1641 /* SMP over BR/EDR requires special treatment */
1642 if (conn->hcon->type == ACL_LINK) {
1643 /* We must have a BR/EDR SC link */
1644 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags))
1645 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1646
1647 set_bit(SMP_FLAG_SC, &smp->flags);
1648
1649 build_bredr_pairing_cmd(smp, req, &rsp);
1650
1651 key_size = min(req->max_key_size, rsp.max_key_size);
1652 if (check_enc_key_size(conn, key_size))
1653 return SMP_ENC_KEY_SIZE;
1654
1655 /* Clear bits which are generated but not distributed */
1656 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1657
1658 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1659 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1660 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1661
1662 smp_distribute_keys(smp);
1663 return 0;
1664 }
1665
1666 build_pairing_cmd(conn, req, &rsp, auth);
1667
1668 if (rsp.auth_req & SMP_AUTH_SC)
1669 set_bit(SMP_FLAG_SC, &smp->flags);
1670
1671 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1672 sec_level = BT_SECURITY_MEDIUM;
1673 else
1674 sec_level = authreq_to_seclevel(auth);
1675
1676 if (sec_level > conn->hcon->pending_sec_level)
1677 conn->hcon->pending_sec_level = sec_level;
1678
1679 /* If we need MITM check that it can be achieved */
1680 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1681 u8 method;
1682
1683 method = get_auth_method(smp, conn->hcon->io_capability,
1684 req->io_capability);
1685 if (method == JUST_WORKS || method == JUST_CFM)
1686 return SMP_AUTH_REQUIREMENTS;
1687 }
1688
1689 key_size = min(req->max_key_size, rsp.max_key_size);
1690 if (check_enc_key_size(conn, key_size))
1691 return SMP_ENC_KEY_SIZE;
1692
1693 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1694
1695 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1696 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1697
1698 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1699
1700 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1701
1702 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1703 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1704 /* Clear bits which are generated but not distributed */
1705 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1706 /* Wait for Public Key from Initiating Device */
1707 return 0;
1708 } else {
1709 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1710 }
1711
1712 /* Request setup of TK */
1713 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1714 if (ret)
1715 return SMP_UNSPECIFIED;
1716
1717 return 0;
1718 }
1719
1720 static u8 sc_send_public_key(struct smp_chan *smp)
1721 {
1722 struct hci_dev *hdev = smp->conn->hcon->hdev;
1723
1724 BT_DBG("");
1725
1726 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1727 BT_DBG("Using debug keys");
1728 memcpy(smp->local_pk, debug_pk, 64);
1729 memcpy(smp->local_sk, debug_sk, 32);
1730 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1731 } else {
1732 while (true) {
1733 /* Generate local key pair for Secure Connections */
1734 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1735 return SMP_UNSPECIFIED;
1736
1737 /* This is unlikely, but we need to check that
1738 * we didn't accidentially generate a debug key.
1739 */
1740 if (memcmp(smp->local_sk, debug_sk, 32))
1741 break;
1742 }
1743 }
1744
1745 BT_DBG("Local Public Key X: %32phN", smp->local_pk);
1746 BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1747 BT_DBG("Local Private Key: %32phN", smp->local_sk);
1748
1749 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1750
1751 return 0;
1752 }
1753
1754 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1755 {
1756 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1757 struct l2cap_chan *chan = conn->smp;
1758 struct smp_chan *smp = chan->data;
1759 struct hci_dev *hdev = conn->hcon->hdev;
1760 u8 key_size, auth;
1761 int ret;
1762
1763 BT_DBG("conn %p", conn);
1764
1765 if (skb->len < sizeof(*rsp))
1766 return SMP_INVALID_PARAMS;
1767
1768 if (conn->hcon->role != HCI_ROLE_MASTER)
1769 return SMP_CMD_NOTSUPP;
1770
1771 skb_pull(skb, sizeof(*rsp));
1772
1773 req = (void *) &smp->preq[1];
1774
1775 key_size = min(req->max_key_size, rsp->max_key_size);
1776 if (check_enc_key_size(conn, key_size))
1777 return SMP_ENC_KEY_SIZE;
1778
1779 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1780
1781 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1782 return SMP_AUTH_REQUIREMENTS;
1783
1784 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1785 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1786
1787 /* Update remote key distribution in case the remote cleared
1788 * some bits that we had enabled in our request.
1789 */
1790 smp->remote_key_dist &= rsp->resp_key_dist;
1791
1792 /* For BR/EDR this means we're done and can start phase 3 */
1793 if (conn->hcon->type == ACL_LINK) {
1794 /* Clear bits which are generated but not distributed */
1795 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1796 smp_distribute_keys(smp);
1797 return 0;
1798 }
1799
1800 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1801 set_bit(SMP_FLAG_SC, &smp->flags);
1802 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1803 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1804
1805 /* If we need MITM check that it can be achieved */
1806 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1807 u8 method;
1808
1809 method = get_auth_method(smp, req->io_capability,
1810 rsp->io_capability);
1811 if (method == JUST_WORKS || method == JUST_CFM)
1812 return SMP_AUTH_REQUIREMENTS;
1813 }
1814
1815 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1816
1817 /* Update remote key distribution in case the remote cleared
1818 * some bits that we had enabled in our request.
1819 */
1820 smp->remote_key_dist &= rsp->resp_key_dist;
1821
1822 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1823 /* Clear bits which are generated but not distributed */
1824 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1825 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1826 return sc_send_public_key(smp);
1827 }
1828
1829 auth |= req->auth_req;
1830
1831 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1832 if (ret)
1833 return SMP_UNSPECIFIED;
1834
1835 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1836
1837 /* Can't compose response until we have been confirmed */
1838 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1839 return smp_confirm(smp);
1840
1841 return 0;
1842 }
1843
1844 static u8 sc_check_confirm(struct smp_chan *smp)
1845 {
1846 struct l2cap_conn *conn = smp->conn;
1847
1848 BT_DBG("");
1849
1850 /* Public Key exchange must happen before any other steps */
1851 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1852 return SMP_UNSPECIFIED;
1853
1854 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1855 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1856
1857 if (conn->hcon->out) {
1858 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1859 smp->prnd);
1860 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1861 }
1862
1863 return 0;
1864 }
1865
1866 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1867 {
1868 struct l2cap_chan *chan = conn->smp;
1869 struct smp_chan *smp = chan->data;
1870
1871 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1872
1873 if (skb->len < sizeof(smp->pcnf))
1874 return SMP_INVALID_PARAMS;
1875
1876 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1877 skb_pull(skb, sizeof(smp->pcnf));
1878
1879 if (test_bit(SMP_FLAG_SC, &smp->flags))
1880 return sc_check_confirm(smp);
1881
1882 if (conn->hcon->out) {
1883 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1884 smp->prnd);
1885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1886 return 0;
1887 }
1888
1889 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1890 return smp_confirm(smp);
1891 else
1892 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1893
1894 return 0;
1895 }
1896
1897 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1898 {
1899 struct l2cap_chan *chan = conn->smp;
1900 struct smp_chan *smp = chan->data;
1901 struct hci_conn *hcon = conn->hcon;
1902 u8 *pkax, *pkbx, *na, *nb;
1903 u32 passkey;
1904 int err;
1905
1906 BT_DBG("conn %p", conn);
1907
1908 if (skb->len < sizeof(smp->rrnd))
1909 return SMP_INVALID_PARAMS;
1910
1911 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1912 skb_pull(skb, sizeof(smp->rrnd));
1913
1914 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1915 return smp_random(smp);
1916
1917 if (smp->method == REQ_OOB) {
1918 if (!hcon->out)
1919 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1920 sizeof(smp->prnd), smp->prnd);
1921 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1922 goto mackey_and_ltk;
1923 }
1924
1925 /* Passkey entry has special treatment */
1926 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1927 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1928
1929 if (hcon->out) {
1930 u8 cfm[16];
1931
1932 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1933 smp->rrnd, 0, cfm);
1934 if (err)
1935 return SMP_UNSPECIFIED;
1936
1937 if (memcmp(smp->pcnf, cfm, 16))
1938 return SMP_CONFIRM_FAILED;
1939
1940 pkax = smp->local_pk;
1941 pkbx = smp->remote_pk;
1942 na = smp->prnd;
1943 nb = smp->rrnd;
1944 } else {
1945 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1946 smp->prnd);
1947 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1948
1949 pkax = smp->remote_pk;
1950 pkbx = smp->local_pk;
1951 na = smp->rrnd;
1952 nb = smp->prnd;
1953 }
1954
1955 mackey_and_ltk:
1956 /* Generate MacKey and LTK */
1957 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1958 if (err)
1959 return SMP_UNSPECIFIED;
1960
1961 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1962 if (hcon->out) {
1963 sc_dhkey_check(smp);
1964 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1965 }
1966 return 0;
1967 }
1968
1969 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
1970 if (err)
1971 return SMP_UNSPECIFIED;
1972
1973 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
1974 hcon->dst_type, passkey, 0);
1975 if (err)
1976 return SMP_UNSPECIFIED;
1977
1978 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1979
1980 return 0;
1981 }
1982
1983 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1984 {
1985 struct smp_ltk *key;
1986 struct hci_conn *hcon = conn->hcon;
1987
1988 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1989 if (!key)
1990 return false;
1991
1992 if (smp_ltk_sec_level(key) < sec_level)
1993 return false;
1994
1995 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1996 return true;
1997
1998 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1999 hcon->enc_key_size = key->enc_size;
2000
2001 /* We never store STKs for master role, so clear this flag */
2002 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2003
2004 return true;
2005 }
2006
2007 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2008 enum smp_key_pref key_pref)
2009 {
2010 if (sec_level == BT_SECURITY_LOW)
2011 return true;
2012
2013 /* If we're encrypted with an STK but the caller prefers using
2014 * LTK claim insufficient security. This way we allow the
2015 * connection to be re-encrypted with an LTK, even if the LTK
2016 * provides the same level of security. Only exception is if we
2017 * don't have an LTK (e.g. because of key distribution bits).
2018 */
2019 if (key_pref == SMP_USE_LTK &&
2020 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2021 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2022 return false;
2023
2024 if (hcon->sec_level >= sec_level)
2025 return true;
2026
2027 return false;
2028 }
2029
2030 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2031 {
2032 struct smp_cmd_security_req *rp = (void *) skb->data;
2033 struct smp_cmd_pairing cp;
2034 struct hci_conn *hcon = conn->hcon;
2035 struct hci_dev *hdev = hcon->hdev;
2036 struct smp_chan *smp;
2037 u8 sec_level, auth;
2038
2039 BT_DBG("conn %p", conn);
2040
2041 if (skb->len < sizeof(*rp))
2042 return SMP_INVALID_PARAMS;
2043
2044 if (hcon->role != HCI_ROLE_MASTER)
2045 return SMP_CMD_NOTSUPP;
2046
2047 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2048
2049 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2050 return SMP_AUTH_REQUIREMENTS;
2051
2052 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2053 sec_level = BT_SECURITY_MEDIUM;
2054 else
2055 sec_level = authreq_to_seclevel(auth);
2056
2057 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2058 return 0;
2059
2060 if (sec_level > hcon->pending_sec_level)
2061 hcon->pending_sec_level = sec_level;
2062
2063 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2064 return 0;
2065
2066 smp = smp_chan_create(conn);
2067 if (!smp)
2068 return SMP_UNSPECIFIED;
2069
2070 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2071 (auth & SMP_AUTH_BONDING))
2072 return SMP_PAIRING_NOTSUPP;
2073
2074 skb_pull(skb, sizeof(*rp));
2075
2076 memset(&cp, 0, sizeof(cp));
2077 build_pairing_cmd(conn, &cp, NULL, auth);
2078
2079 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2080 memcpy(&smp->preq[1], &cp, sizeof(cp));
2081
2082 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2083 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2084
2085 return 0;
2086 }
2087
2088 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2089 {
2090 struct l2cap_conn *conn = hcon->l2cap_data;
2091 struct l2cap_chan *chan;
2092 struct smp_chan *smp;
2093 __u8 authreq;
2094 int ret;
2095
2096 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2097
2098 /* This may be NULL if there's an unexpected disconnection */
2099 if (!conn)
2100 return 1;
2101
2102 chan = conn->smp;
2103
2104 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2105 return 1;
2106
2107 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2108 return 1;
2109
2110 if (sec_level > hcon->pending_sec_level)
2111 hcon->pending_sec_level = sec_level;
2112
2113 if (hcon->role == HCI_ROLE_MASTER)
2114 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2115 return 0;
2116
2117 l2cap_chan_lock(chan);
2118
2119 /* If SMP is already in progress ignore this request */
2120 if (chan->data) {
2121 ret = 0;
2122 goto unlock;
2123 }
2124
2125 smp = smp_chan_create(conn);
2126 if (!smp) {
2127 ret = 1;
2128 goto unlock;
2129 }
2130
2131 authreq = seclevel_to_authreq(sec_level);
2132
2133 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2134 authreq |= SMP_AUTH_SC;
2135
2136 /* Require MITM if IO Capability allows or the security level
2137 * requires it.
2138 */
2139 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2140 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2141 authreq |= SMP_AUTH_MITM;
2142
2143 if (hcon->role == HCI_ROLE_MASTER) {
2144 struct smp_cmd_pairing cp;
2145
2146 build_pairing_cmd(conn, &cp, NULL, authreq);
2147 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2148 memcpy(&smp->preq[1], &cp, sizeof(cp));
2149
2150 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2151 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2152 } else {
2153 struct smp_cmd_security_req cp;
2154 cp.auth_req = authreq;
2155 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2156 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2157 }
2158
2159 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2160 ret = 0;
2161
2162 unlock:
2163 l2cap_chan_unlock(chan);
2164 return ret;
2165 }
2166
2167 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2168 {
2169 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2170 struct l2cap_chan *chan = conn->smp;
2171 struct smp_chan *smp = chan->data;
2172
2173 BT_DBG("conn %p", conn);
2174
2175 if (skb->len < sizeof(*rp))
2176 return SMP_INVALID_PARAMS;
2177
2178 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2179
2180 skb_pull(skb, sizeof(*rp));
2181
2182 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2183
2184 return 0;
2185 }
2186
2187 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2188 {
2189 struct smp_cmd_master_ident *rp = (void *) skb->data;
2190 struct l2cap_chan *chan = conn->smp;
2191 struct smp_chan *smp = chan->data;
2192 struct hci_dev *hdev = conn->hcon->hdev;
2193 struct hci_conn *hcon = conn->hcon;
2194 struct smp_ltk *ltk;
2195 u8 authenticated;
2196
2197 BT_DBG("conn %p", conn);
2198
2199 if (skb->len < sizeof(*rp))
2200 return SMP_INVALID_PARAMS;
2201
2202 /* Mark the information as received */
2203 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2204
2205 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2206 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2207 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2208 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2209
2210 skb_pull(skb, sizeof(*rp));
2211
2212 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2213 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2214 authenticated, smp->tk, smp->enc_key_size,
2215 rp->ediv, rp->rand);
2216 smp->ltk = ltk;
2217 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2218 smp_distribute_keys(smp);
2219
2220 return 0;
2221 }
2222
2223 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2224 {
2225 struct smp_cmd_ident_info *info = (void *) skb->data;
2226 struct l2cap_chan *chan = conn->smp;
2227 struct smp_chan *smp = chan->data;
2228
2229 BT_DBG("");
2230
2231 if (skb->len < sizeof(*info))
2232 return SMP_INVALID_PARAMS;
2233
2234 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2235
2236 skb_pull(skb, sizeof(*info));
2237
2238 memcpy(smp->irk, info->irk, 16);
2239
2240 return 0;
2241 }
2242
2243 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2244 struct sk_buff *skb)
2245 {
2246 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2247 struct l2cap_chan *chan = conn->smp;
2248 struct smp_chan *smp = chan->data;
2249 struct hci_conn *hcon = conn->hcon;
2250 bdaddr_t rpa;
2251
2252 BT_DBG("");
2253
2254 if (skb->len < sizeof(*info))
2255 return SMP_INVALID_PARAMS;
2256
2257 /* Mark the information as received */
2258 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2259
2260 if (smp->remote_key_dist & SMP_DIST_SIGN)
2261 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2262
2263 skb_pull(skb, sizeof(*info));
2264
2265 /* Strictly speaking the Core Specification (4.1) allows sending
2266 * an empty address which would force us to rely on just the IRK
2267 * as "identity information". However, since such
2268 * implementations are not known of and in order to not over
2269 * complicate our implementation, simply pretend that we never
2270 * received an IRK for such a device.
2271 */
2272 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2273 BT_ERR("Ignoring IRK with no identity address");
2274 goto distribute;
2275 }
2276
2277 bacpy(&smp->id_addr, &info->bdaddr);
2278 smp->id_addr_type = info->addr_type;
2279
2280 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2281 bacpy(&rpa, &hcon->dst);
2282 else
2283 bacpy(&rpa, BDADDR_ANY);
2284
2285 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2286 smp->id_addr_type, smp->irk, &rpa);
2287
2288 distribute:
2289 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2290 smp_distribute_keys(smp);
2291
2292 return 0;
2293 }
2294
2295 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2296 {
2297 struct smp_cmd_sign_info *rp = (void *) skb->data;
2298 struct l2cap_chan *chan = conn->smp;
2299 struct smp_chan *smp = chan->data;
2300 struct smp_csrk *csrk;
2301
2302 BT_DBG("conn %p", conn);
2303
2304 if (skb->len < sizeof(*rp))
2305 return SMP_INVALID_PARAMS;
2306
2307 /* Mark the information as received */
2308 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2309
2310 skb_pull(skb, sizeof(*rp));
2311
2312 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2313 if (csrk) {
2314 csrk->master = 0x01;
2315 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2316 }
2317 smp->csrk = csrk;
2318 smp_distribute_keys(smp);
2319
2320 return 0;
2321 }
2322
2323 static u8 sc_select_method(struct smp_chan *smp)
2324 {
2325 struct l2cap_conn *conn = smp->conn;
2326 struct hci_conn *hcon = conn->hcon;
2327 struct smp_cmd_pairing *local, *remote;
2328 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2329
2330 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2331 return REQ_OOB;
2332
2333 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2334 * which are needed as inputs to some crypto functions. To get
2335 * the "struct smp_cmd_pairing" from them we need to skip the
2336 * first byte which contains the opcode.
2337 */
2338 if (hcon->out) {
2339 local = (void *) &smp->preq[1];
2340 remote = (void *) &smp->prsp[1];
2341 } else {
2342 local = (void *) &smp->prsp[1];
2343 remote = (void *) &smp->preq[1];
2344 }
2345
2346 local_io = local->io_capability;
2347 remote_io = remote->io_capability;
2348
2349 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2350 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2351
2352 /* If either side wants MITM, look up the method from the table,
2353 * otherwise use JUST WORKS.
2354 */
2355 if (local_mitm || remote_mitm)
2356 method = get_auth_method(smp, local_io, remote_io);
2357 else
2358 method = JUST_WORKS;
2359
2360 /* Don't confirm locally initiated pairing attempts */
2361 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2362 method = JUST_WORKS;
2363
2364 return method;
2365 }
2366
2367 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2368 {
2369 struct smp_cmd_public_key *key = (void *) skb->data;
2370 struct hci_conn *hcon = conn->hcon;
2371 struct l2cap_chan *chan = conn->smp;
2372 struct smp_chan *smp = chan->data;
2373 struct hci_dev *hdev = hcon->hdev;
2374 struct smp_cmd_pairing_confirm cfm;
2375 int err;
2376
2377 BT_DBG("conn %p", conn);
2378
2379 if (skb->len < sizeof(*key))
2380 return SMP_INVALID_PARAMS;
2381
2382 memcpy(smp->remote_pk, key, 64);
2383
2384 /* Non-initiating device sends its public key after receiving
2385 * the key from the initiating device.
2386 */
2387 if (!hcon->out) {
2388 err = sc_send_public_key(smp);
2389 if (err)
2390 return err;
2391 }
2392
2393 BT_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2394 BT_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2395
2396 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2397 return SMP_UNSPECIFIED;
2398
2399 BT_DBG("DHKey %32phN", smp->dhkey);
2400
2401 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2402
2403 smp->method = sc_select_method(smp);
2404
2405 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2406
2407 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2408 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2409 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2410 else
2411 hcon->pending_sec_level = BT_SECURITY_FIPS;
2412
2413 if (!memcmp(debug_pk, smp->remote_pk, 64))
2414 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2415
2416 if (smp->method == DSP_PASSKEY) {
2417 get_random_bytes(&hcon->passkey_notify,
2418 sizeof(hcon->passkey_notify));
2419 hcon->passkey_notify %= 1000000;
2420 hcon->passkey_entered = 0;
2421 smp->passkey_round = 0;
2422 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2423 hcon->dst_type,
2424 hcon->passkey_notify,
2425 hcon->passkey_entered))
2426 return SMP_UNSPECIFIED;
2427 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2428 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2429 }
2430
2431 if (smp->method == REQ_OOB) {
2432 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2433 smp->rr, 0, cfm.confirm_val);
2434 if (err)
2435 return SMP_UNSPECIFIED;
2436
2437 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2438 return SMP_CONFIRM_FAILED;
2439
2440 if (hcon->out)
2441 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2442 sizeof(smp->prnd), smp->prnd);
2443
2444 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2445
2446 return 0;
2447 }
2448
2449 if (hcon->out)
2450 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2451
2452 if (smp->method == REQ_PASSKEY) {
2453 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2454 hcon->dst_type))
2455 return SMP_UNSPECIFIED;
2456 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2457 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2458 return 0;
2459 }
2460
2461 /* The Initiating device waits for the non-initiating device to
2462 * send the confirm value.
2463 */
2464 if (conn->hcon->out)
2465 return 0;
2466
2467 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2468 0, cfm.confirm_val);
2469 if (err)
2470 return SMP_UNSPECIFIED;
2471
2472 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2473 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2474
2475 return 0;
2476 }
2477
2478 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2479 {
2480 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2481 struct l2cap_chan *chan = conn->smp;
2482 struct hci_conn *hcon = conn->hcon;
2483 struct smp_chan *smp = chan->data;
2484 u8 a[7], b[7], *local_addr, *remote_addr;
2485 u8 io_cap[3], r[16], e[16];
2486 int err;
2487
2488 BT_DBG("conn %p", conn);
2489
2490 if (skb->len < sizeof(*check))
2491 return SMP_INVALID_PARAMS;
2492
2493 memcpy(a, &hcon->init_addr, 6);
2494 memcpy(b, &hcon->resp_addr, 6);
2495 a[6] = hcon->init_addr_type;
2496 b[6] = hcon->resp_addr_type;
2497
2498 if (hcon->out) {
2499 local_addr = a;
2500 remote_addr = b;
2501 memcpy(io_cap, &smp->prsp[1], 3);
2502 } else {
2503 local_addr = b;
2504 remote_addr = a;
2505 memcpy(io_cap, &smp->preq[1], 3);
2506 }
2507
2508 memset(r, 0, sizeof(r));
2509
2510 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2511 put_unaligned_le32(hcon->passkey_notify, r);
2512
2513 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2514 io_cap, remote_addr, local_addr, e);
2515 if (err)
2516 return SMP_UNSPECIFIED;
2517
2518 if (memcmp(check->e, e, 16))
2519 return SMP_DHKEY_CHECK_FAILED;
2520
2521 if (!hcon->out) {
2522 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2523 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2524 return 0;
2525 }
2526
2527 /* Slave sends DHKey check as response to master */
2528 sc_dhkey_check(smp);
2529 }
2530
2531 sc_add_ltk(smp);
2532
2533 if (hcon->out) {
2534 hci_le_start_enc(hcon, 0, 0, smp->tk);
2535 hcon->enc_key_size = smp->enc_key_size;
2536 }
2537
2538 return 0;
2539 }
2540
2541 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2542 struct sk_buff *skb)
2543 {
2544 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2545
2546 BT_DBG("value 0x%02x", kp->value);
2547
2548 return 0;
2549 }
2550
2551 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2552 {
2553 struct l2cap_conn *conn = chan->conn;
2554 struct hci_conn *hcon = conn->hcon;
2555 struct smp_chan *smp;
2556 __u8 code, reason;
2557 int err = 0;
2558
2559 if (skb->len < 1)
2560 return -EILSEQ;
2561
2562 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2563 reason = SMP_PAIRING_NOTSUPP;
2564 goto done;
2565 }
2566
2567 code = skb->data[0];
2568 skb_pull(skb, sizeof(code));
2569
2570 smp = chan->data;
2571
2572 if (code > SMP_CMD_MAX)
2573 goto drop;
2574
2575 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2576 goto drop;
2577
2578 /* If we don't have a context the only allowed commands are
2579 * pairing request and security request.
2580 */
2581 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2582 goto drop;
2583
2584 switch (code) {
2585 case SMP_CMD_PAIRING_REQ:
2586 reason = smp_cmd_pairing_req(conn, skb);
2587 break;
2588
2589 case SMP_CMD_PAIRING_FAIL:
2590 smp_failure(conn, 0);
2591 err = -EPERM;
2592 break;
2593
2594 case SMP_CMD_PAIRING_RSP:
2595 reason = smp_cmd_pairing_rsp(conn, skb);
2596 break;
2597
2598 case SMP_CMD_SECURITY_REQ:
2599 reason = smp_cmd_security_req(conn, skb);
2600 break;
2601
2602 case SMP_CMD_PAIRING_CONFIRM:
2603 reason = smp_cmd_pairing_confirm(conn, skb);
2604 break;
2605
2606 case SMP_CMD_PAIRING_RANDOM:
2607 reason = smp_cmd_pairing_random(conn, skb);
2608 break;
2609
2610 case SMP_CMD_ENCRYPT_INFO:
2611 reason = smp_cmd_encrypt_info(conn, skb);
2612 break;
2613
2614 case SMP_CMD_MASTER_IDENT:
2615 reason = smp_cmd_master_ident(conn, skb);
2616 break;
2617
2618 case SMP_CMD_IDENT_INFO:
2619 reason = smp_cmd_ident_info(conn, skb);
2620 break;
2621
2622 case SMP_CMD_IDENT_ADDR_INFO:
2623 reason = smp_cmd_ident_addr_info(conn, skb);
2624 break;
2625
2626 case SMP_CMD_SIGN_INFO:
2627 reason = smp_cmd_sign_info(conn, skb);
2628 break;
2629
2630 case SMP_CMD_PUBLIC_KEY:
2631 reason = smp_cmd_public_key(conn, skb);
2632 break;
2633
2634 case SMP_CMD_DHKEY_CHECK:
2635 reason = smp_cmd_dhkey_check(conn, skb);
2636 break;
2637
2638 case SMP_CMD_KEYPRESS_NOTIFY:
2639 reason = smp_cmd_keypress_notify(conn, skb);
2640 break;
2641
2642 default:
2643 BT_DBG("Unknown command code 0x%2.2x", code);
2644 reason = SMP_CMD_NOTSUPP;
2645 goto done;
2646 }
2647
2648 done:
2649 if (!err) {
2650 if (reason)
2651 smp_failure(conn, reason);
2652 kfree_skb(skb);
2653 }
2654
2655 return err;
2656
2657 drop:
2658 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2659 code, &hcon->dst);
2660 kfree_skb(skb);
2661 return 0;
2662 }
2663
2664 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2665 {
2666 struct l2cap_conn *conn = chan->conn;
2667
2668 BT_DBG("chan %p", chan);
2669
2670 if (chan->data)
2671 smp_chan_destroy(conn);
2672
2673 conn->smp = NULL;
2674 l2cap_chan_put(chan);
2675 }
2676
2677 static void bredr_pairing(struct l2cap_chan *chan)
2678 {
2679 struct l2cap_conn *conn = chan->conn;
2680 struct hci_conn *hcon = conn->hcon;
2681 struct hci_dev *hdev = hcon->hdev;
2682 struct smp_cmd_pairing req;
2683 struct smp_chan *smp;
2684
2685 BT_DBG("chan %p", chan);
2686
2687 /* Only new pairings are interesting */
2688 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2689 return;
2690
2691 /* Don't bother if we're not encrypted */
2692 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2693 return;
2694
2695 /* Only master may initiate SMP over BR/EDR */
2696 if (hcon->role != HCI_ROLE_MASTER)
2697 return;
2698
2699 /* Secure Connections support must be enabled */
2700 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2701 return;
2702
2703 /* BR/EDR must use Secure Connections for SMP */
2704 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2705 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2706 return;
2707
2708 /* If our LE support is not enabled don't do anything */
2709 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2710 return;
2711
2712 /* Don't bother if remote LE support is not enabled */
2713 if (!lmp_host_le_capable(hcon))
2714 return;
2715
2716 /* Remote must support SMP fixed chan for BR/EDR */
2717 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2718 return;
2719
2720 /* Don't bother if SMP is already ongoing */
2721 if (chan->data)
2722 return;
2723
2724 smp = smp_chan_create(conn);
2725 if (!smp) {
2726 BT_ERR("%s unable to create SMP context for BR/EDR",
2727 hdev->name);
2728 return;
2729 }
2730
2731 set_bit(SMP_FLAG_SC, &smp->flags);
2732
2733 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2734
2735 /* Prepare and send the BR/EDR SMP Pairing Request */
2736 build_bredr_pairing_cmd(smp, &req, NULL);
2737
2738 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2739 memcpy(&smp->preq[1], &req, sizeof(req));
2740
2741 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2742 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2743 }
2744
2745 static void smp_resume_cb(struct l2cap_chan *chan)
2746 {
2747 struct smp_chan *smp = chan->data;
2748 struct l2cap_conn *conn = chan->conn;
2749 struct hci_conn *hcon = conn->hcon;
2750
2751 BT_DBG("chan %p", chan);
2752
2753 if (hcon->type == ACL_LINK) {
2754 bredr_pairing(chan);
2755 return;
2756 }
2757
2758 if (!smp)
2759 return;
2760
2761 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2762 return;
2763
2764 cancel_delayed_work(&smp->security_timer);
2765
2766 smp_distribute_keys(smp);
2767 }
2768
2769 static void smp_ready_cb(struct l2cap_chan *chan)
2770 {
2771 struct l2cap_conn *conn = chan->conn;
2772 struct hci_conn *hcon = conn->hcon;
2773
2774 BT_DBG("chan %p", chan);
2775
2776 conn->smp = chan;
2777 l2cap_chan_hold(chan);
2778
2779 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2780 bredr_pairing(chan);
2781 }
2782
2783 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2784 {
2785 int err;
2786
2787 BT_DBG("chan %p", chan);
2788
2789 err = smp_sig_channel(chan, skb);
2790 if (err) {
2791 struct smp_chan *smp = chan->data;
2792
2793 if (smp)
2794 cancel_delayed_work_sync(&smp->security_timer);
2795
2796 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2797 }
2798
2799 return err;
2800 }
2801
2802 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2803 unsigned long hdr_len,
2804 unsigned long len, int nb)
2805 {
2806 struct sk_buff *skb;
2807
2808 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2809 if (!skb)
2810 return ERR_PTR(-ENOMEM);
2811
2812 skb->priority = HCI_PRIO_MAX;
2813 bt_cb(skb)->chan = chan;
2814
2815 return skb;
2816 }
2817
2818 static const struct l2cap_ops smp_chan_ops = {
2819 .name = "Security Manager",
2820 .ready = smp_ready_cb,
2821 .recv = smp_recv_cb,
2822 .alloc_skb = smp_alloc_skb_cb,
2823 .teardown = smp_teardown_cb,
2824 .resume = smp_resume_cb,
2825
2826 .new_connection = l2cap_chan_no_new_connection,
2827 .state_change = l2cap_chan_no_state_change,
2828 .close = l2cap_chan_no_close,
2829 .defer = l2cap_chan_no_defer,
2830 .suspend = l2cap_chan_no_suspend,
2831 .set_shutdown = l2cap_chan_no_set_shutdown,
2832 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2833 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2834 };
2835
2836 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2837 {
2838 struct l2cap_chan *chan;
2839
2840 BT_DBG("pchan %p", pchan);
2841
2842 chan = l2cap_chan_create();
2843 if (!chan)
2844 return NULL;
2845
2846 chan->chan_type = pchan->chan_type;
2847 chan->ops = &smp_chan_ops;
2848 chan->scid = pchan->scid;
2849 chan->dcid = chan->scid;
2850 chan->imtu = pchan->imtu;
2851 chan->omtu = pchan->omtu;
2852 chan->mode = pchan->mode;
2853
2854 /* Other L2CAP channels may request SMP routines in order to
2855 * change the security level. This means that the SMP channel
2856 * lock must be considered in its own category to avoid lockdep
2857 * warnings.
2858 */
2859 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2860
2861 BT_DBG("created chan %p", chan);
2862
2863 return chan;
2864 }
2865
2866 static const struct l2cap_ops smp_root_chan_ops = {
2867 .name = "Security Manager Root",
2868 .new_connection = smp_new_conn_cb,
2869
2870 /* None of these are implemented for the root channel */
2871 .close = l2cap_chan_no_close,
2872 .alloc_skb = l2cap_chan_no_alloc_skb,
2873 .recv = l2cap_chan_no_recv,
2874 .state_change = l2cap_chan_no_state_change,
2875 .teardown = l2cap_chan_no_teardown,
2876 .ready = l2cap_chan_no_ready,
2877 .defer = l2cap_chan_no_defer,
2878 .suspend = l2cap_chan_no_suspend,
2879 .resume = l2cap_chan_no_resume,
2880 .set_shutdown = l2cap_chan_no_set_shutdown,
2881 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2882 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2883 };
2884
2885 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2886 {
2887 struct l2cap_chan *chan;
2888 struct crypto_blkcipher *tfm_aes;
2889
2890 if (cid == L2CAP_CID_SMP_BREDR) {
2891 tfm_aes = NULL;
2892 goto create_chan;
2893 }
2894
2895 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2896 if (IS_ERR(tfm_aes)) {
2897 BT_ERR("Unable to create crypto context");
2898 return ERR_PTR(PTR_ERR(tfm_aes));
2899 }
2900
2901 create_chan:
2902 chan = l2cap_chan_create();
2903 if (!chan) {
2904 crypto_free_blkcipher(tfm_aes);
2905 return ERR_PTR(-ENOMEM);
2906 }
2907
2908 chan->data = tfm_aes;
2909
2910 l2cap_add_scid(chan, cid);
2911
2912 l2cap_chan_set_defaults(chan);
2913
2914 bacpy(&chan->src, &hdev->bdaddr);
2915 if (cid == L2CAP_CID_SMP)
2916 chan->src_type = BDADDR_LE_PUBLIC;
2917 else
2918 chan->src_type = BDADDR_BREDR;
2919 chan->state = BT_LISTEN;
2920 chan->mode = L2CAP_MODE_BASIC;
2921 chan->imtu = L2CAP_DEFAULT_MTU;
2922 chan->ops = &smp_root_chan_ops;
2923
2924 /* Set correct nesting level for a parent/listening channel */
2925 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2926
2927 return chan;
2928 }
2929
2930 static void smp_del_chan(struct l2cap_chan *chan)
2931 {
2932 struct crypto_blkcipher *tfm_aes;
2933
2934 BT_DBG("chan %p", chan);
2935
2936 tfm_aes = chan->data;
2937 if (tfm_aes) {
2938 chan->data = NULL;
2939 crypto_free_blkcipher(tfm_aes);
2940 }
2941
2942 l2cap_chan_put(chan);
2943 }
2944
2945 int smp_register(struct hci_dev *hdev)
2946 {
2947 struct l2cap_chan *chan;
2948
2949 BT_DBG("%s", hdev->name);
2950
2951 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
2952 if (IS_ERR(chan))
2953 return PTR_ERR(chan);
2954
2955 hdev->smp_data = chan;
2956
2957 if (!lmp_sc_capable(hdev) &&
2958 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2959 return 0;
2960
2961 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
2962 if (IS_ERR(chan)) {
2963 int err = PTR_ERR(chan);
2964 chan = hdev->smp_data;
2965 hdev->smp_data = NULL;
2966 smp_del_chan(chan);
2967 return err;
2968 }
2969
2970 hdev->smp_bredr_data = chan;
2971
2972 return 0;
2973 }
2974
2975 void smp_unregister(struct hci_dev *hdev)
2976 {
2977 struct l2cap_chan *chan;
2978
2979 if (hdev->smp_bredr_data) {
2980 chan = hdev->smp_bredr_data;
2981 hdev->smp_bredr_data = NULL;
2982 smp_del_chan(chan);
2983 }
2984
2985 if (hdev->smp_data) {
2986 chan = hdev->smp_data;
2987 hdev->smp_data = NULL;
2988 smp_del_chan(chan);
2989 }
2990 }
Linux kernel - Deliverables
This page took 0.222163 seconds and 5 git commands to generate.