projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Organize SMP crypto functions to logical sections
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "ecc.h"
33 #include "smp.h"
34
35 /* Low-level debug macros to be used for stuff that we don't want
36 * accidentially in dmesg, i.e. the values of the various crypto keys
37 * and the inputs & outputs of crypto functions.
38 */
39 #ifdef DEBUG
40 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
41 ##__VA_ARGS__)
42 #else
43 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
44 ##__VA_ARGS__)
45 #endif
46
47 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
48
49 /* Keys which are not distributed with Secure Connections */
50 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
51
52 #define SMP_TIMEOUT msecs_to_jiffies(30000)
53
54 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
55 0x1f : 0x07)
56 #define KEY_DIST_MASK 0x07
57
58 /* Maximum message length that can be passed to aes_cmac */
59 #define CMAC_MSG_MAX 80
60
61 enum {
62 SMP_FLAG_TK_VALID,
63 SMP_FLAG_CFM_PENDING,
64 SMP_FLAG_MITM_AUTH,
65 SMP_FLAG_COMPLETE,
66 SMP_FLAG_INITIATOR,
67 SMP_FLAG_SC,
68 SMP_FLAG_REMOTE_PK,
69 SMP_FLAG_DEBUG_KEY,
70 SMP_FLAG_WAIT_USER,
71 SMP_FLAG_DHKEY_PENDING,
72 SMP_FLAG_OOB,
73 };
74
75 struct smp_chan {
76 struct l2cap_conn *conn;
77 struct delayed_work security_timer;
78 unsigned long allow_cmd; /* Bitmask of allowed commands */
79
80 u8 preq[7]; /* SMP Pairing Request */
81 u8 prsp[7]; /* SMP Pairing Response */
82 u8 prnd[16]; /* SMP Pairing Random (local) */
83 u8 rrnd[16]; /* SMP Pairing Random (remote) */
84 u8 pcnf[16]; /* SMP Pairing Confirm */
85 u8 tk[16]; /* SMP Temporary Key */
86 u8 rr[16];
87 u8 enc_key_size;
88 u8 remote_key_dist;
89 bdaddr_t id_addr;
90 u8 id_addr_type;
91 u8 irk[16];
92 struct smp_csrk *csrk;
93 struct smp_csrk *slave_csrk;
94 struct smp_ltk *ltk;
95 struct smp_ltk *slave_ltk;
96 struct smp_irk *remote_irk;
97 u8 *link_key;
98 unsigned long flags;
99 u8 method;
100 u8 passkey_round;
101
102 /* Secure Connections variables */
103 u8 local_pk[64];
104 u8 local_sk[32];
105 u8 remote_pk[64];
106 u8 dhkey[32];
107 u8 mackey[16];
108
109 struct crypto_blkcipher *tfm_aes;
110 struct crypto_hash *tfm_cmac;
111 };
112
113 /* These debug key values are defined in the SMP section of the core
114 * specification. debug_pk is the public debug key and debug_sk the
115 * private debug key.
116 */
117 static const u8 debug_pk[64] = {
118 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
119 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
120 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
121 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
122
123 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
124 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
125 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
126 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
127 };
128
129 static const u8 debug_sk[32] = {
130 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
131 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
132 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
133 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
134 };
135
136 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
137 {
138 size_t i;
139
140 for (i = 0; i < len; i++)
141 dst[len - 1 - i] = src[i];
142 }
143
144 /* The following functions map to the LE SC SMP crypto functions
145 * AES-CMAC, f4, f5, f6, g2 and h6.
146 */
147
148 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
149 size_t len, u8 mac[16])
150 {
151 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
152 struct hash_desc desc;
153 struct scatterlist sg;
154 int err;
155
156 if (len > CMAC_MSG_MAX)
157 return -EFBIG;
158
159 if (!tfm) {
160 BT_ERR("tfm %p", tfm);
161 return -EINVAL;
162 }
163
164 desc.tfm = tfm;
165 desc.flags = 0;
166
167 crypto_hash_init(&desc);
168
169 /* Swap key and message from LSB to MSB */
170 swap_buf(k, tmp, 16);
171 swap_buf(m, msg_msb, len);
172
173 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
174 SMP_DBG("key %16phN", k);
175
176 err = crypto_hash_setkey(tfm, tmp, 16);
177 if (err) {
178 BT_ERR("cipher setkey failed: %d", err);
179 return err;
180 }
181
182 sg_init_one(&sg, msg_msb, len);
183
184 err = crypto_hash_update(&desc, &sg, len);
185 if (err) {
186 BT_ERR("Hash update error %d", err);
187 return err;
188 }
189
190 err = crypto_hash_final(&desc, mac_msb);
191 if (err) {
192 BT_ERR("Hash final error %d", err);
193 return err;
194 }
195
196 swap_buf(mac_msb, mac, 16);
197
198 SMP_DBG("mac %16phN", mac);
199
200 return 0;
201 }
202
203 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
204 const u8 x[16], u8 z, u8 res[16])
205 {
206 u8 m[65];
207 int err;
208
209 SMP_DBG("u %32phN", u);
210 SMP_DBG("v %32phN", v);
211 SMP_DBG("x %16phN z %02x", x, z);
212
213 m[0] = z;
214 memcpy(m + 1, v, 32);
215 memcpy(m + 33, u, 32);
216
217 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
218 if (err)
219 return err;
220
221 SMP_DBG("res %16phN", res);
222
223 return err;
224 }
225
226 static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
227 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
228 {
229 /* The btle, salt and length "magic" values are as defined in
230 * the SMP section of the Bluetooth core specification. In ASCII
231 * the btle value ends up being 'btle'. The salt is just a
232 * random number whereas length is the value 256 in little
233 * endian format.
234 */
235 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
236 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
237 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
238 const u8 length[2] = { 0x00, 0x01 };
239 u8 m[53], t[16];
240 int err;
241
242 SMP_DBG("w %32phN", w);
243 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
244 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
245
246 err = aes_cmac(tfm_cmac, salt, w, 32, t);
247 if (err)
248 return err;
249
250 SMP_DBG("t %16phN", t);
251
252 memcpy(m, length, 2);
253 memcpy(m + 2, a2, 7);
254 memcpy(m + 9, a1, 7);
255 memcpy(m + 16, n2, 16);
256 memcpy(m + 32, n1, 16);
257 memcpy(m + 48, btle, 4);
258
259 m[52] = 0; /* Counter */
260
261 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
262 if (err)
263 return err;
264
265 SMP_DBG("mackey %16phN", mackey);
266
267 m[52] = 1; /* Counter */
268
269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
270 if (err)
271 return err;
272
273 SMP_DBG("ltk %16phN", ltk);
274
275 return 0;
276 }
277
278 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
279 const u8 n1[16], u8 n2[16], const u8 r[16],
280 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
281 u8 res[16])
282 {
283 u8 m[65];
284 int err;
285
286 SMP_DBG("w %16phN", w);
287 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
288 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
289
290 memcpy(m, a2, 7);
291 memcpy(m + 7, a1, 7);
292 memcpy(m + 14, io_cap, 3);
293 memcpy(m + 17, r, 16);
294 memcpy(m + 33, n2, 16);
295 memcpy(m + 49, n1, 16);
296
297 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
298 if (err)
299 return err;
300
301 BT_DBG("res %16phN", res);
302
303 return err;
304 }
305
306 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
307 const u8 x[16], const u8 y[16], u32 *val)
308 {
309 u8 m[80], tmp[16];
310 int err;
311
312 SMP_DBG("u %32phN", u);
313 SMP_DBG("v %32phN", v);
314 SMP_DBG("x %16phN y %16phN", x, y);
315
316 memcpy(m, y, 16);
317 memcpy(m + 16, v, 32);
318 memcpy(m + 48, u, 32);
319
320 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
321 if (err)
322 return err;
323
324 *val = get_unaligned_le32(tmp);
325 *val %= 1000000;
326
327 SMP_DBG("val %06u", *val);
328
329 return 0;
330 }
331
332 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
333 const u8 key_id[4], u8 res[16])
334 {
335 int err;
336
337 SMP_DBG("w %16phN key_id %4phN", w, key_id);
338
339 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
340 if (err)
341 return err;
342
343 SMP_DBG("res %16phN", res);
344
345 return err;
346 }
347
348 /* The following functions map to the legacy SMP crypto functions e, c1,
349 * s1 and ah.
350 */
351
352 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
353 {
354 struct blkcipher_desc desc;
355 struct scatterlist sg;
356 uint8_t tmp[16], data[16];
357 int err;
358
359 if (tfm == NULL) {
360 BT_ERR("tfm %p", tfm);
361 return -EINVAL;
362 }
363
364 desc.tfm = tfm;
365 desc.flags = 0;
366
367 /* The most significant octet of key corresponds to k[0] */
368 swap_buf(k, tmp, 16);
369
370 err = crypto_blkcipher_setkey(tfm, tmp, 16);
371 if (err) {
372 BT_ERR("cipher setkey failed: %d", err);
373 return err;
374 }
375
376 /* Most significant octet of plaintextData corresponds to data[0] */
377 swap_buf(r, data, 16);
378
379 sg_init_one(&sg, data, 16);
380
381 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
382 if (err)
383 BT_ERR("Encrypt data error %d", err);
384
385 /* Most significant octet of encryptedData corresponds to data[0] */
386 swap_buf(data, r, 16);
387
388 return err;
389 }
390
391 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
392 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
393 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
394 {
395 u8 p1[16], p2[16];
396 int err;
397
398 memset(p1, 0, 16);
399
400 /* p1 = pres || preq || _rat || _iat */
401 p1[0] = _iat;
402 p1[1] = _rat;
403 memcpy(p1 + 2, preq, 7);
404 memcpy(p1 + 9, pres, 7);
405
406 /* p2 = padding || ia || ra */
407 memcpy(p2, ra, 6);
408 memcpy(p2 + 6, ia, 6);
409 memset(p2 + 12, 0, 4);
410
411 /* res = r XOR p1 */
412 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
413
414 /* res = e(k, res) */
415 err = smp_e(tfm_aes, k, res);
416 if (err) {
417 BT_ERR("Encrypt data error");
418 return err;
419 }
420
421 /* res = res XOR p2 */
422 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
423
424 /* res = e(k, res) */
425 err = smp_e(tfm_aes, k, res);
426 if (err)
427 BT_ERR("Encrypt data error");
428
429 return err;
430 }
431
432 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
433 const u8 r1[16], const u8 r2[16], u8 _r[16])
434 {
435 int err;
436
437 /* Just least significant octets from r1 and r2 are considered */
438 memcpy(_r, r2, 8);
439 memcpy(_r + 8, r1, 8);
440
441 err = smp_e(tfm_aes, k, _r);
442 if (err)
443 BT_ERR("Encrypt data error");
444
445 return err;
446 }
447
448 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
449 const u8 r[3], u8 res[3])
450 {
451 u8 _res[16];
452 int err;
453
454 /* r' = padding || r */
455 memcpy(_res, r, 3);
456 memset(_res + 3, 0, 13);
457
458 err = smp_e(tfm, irk, _res);
459 if (err) {
460 BT_ERR("Encrypt error");
461 return err;
462 }
463
464 /* The output of the random address function ah is:
465 * ah(h, r) = e(k, r') mod 2^24
466 * The output of the security function e is then truncated to 24 bits
467 * by taking the least significant 24 bits of the output of e as the
468 * result of ah.
469 */
470 memcpy(res, _res, 3);
471
472 return 0;
473 }
474
475 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
476 const bdaddr_t *bdaddr)
477 {
478 struct l2cap_chan *chan = hdev->smp_data;
479 struct crypto_blkcipher *tfm;
480 u8 hash[3];
481 int err;
482
483 if (!chan || !chan->data)
484 return false;
485
486 tfm = chan->data;
487
488 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
489
490 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
491 if (err)
492 return false;
493
494 return !memcmp(bdaddr->b, hash, 3);
495 }
496
497 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
498 {
499 struct l2cap_chan *chan = hdev->smp_data;
500 struct crypto_blkcipher *tfm;
501 int err;
502
503 if (!chan || !chan->data)
504 return -EOPNOTSUPP;
505
506 tfm = chan->data;
507
508 get_random_bytes(&rpa->b[3], 3);
509
510 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
511 rpa->b[5] |= 0x40; /* Set second most significant bit */
512
513 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
514 if (err < 0)
515 return err;
516
517 BT_DBG("RPA %pMR", rpa);
518
519 return 0;
520 }
521
522 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
523 {
524 struct l2cap_chan *chan = conn->smp;
525 struct smp_chan *smp;
526 struct kvec iv[2];
527 struct msghdr msg;
528
529 if (!chan)
530 return;
531
532 BT_DBG("code 0x%2.2x", code);
533
534 iv[0].iov_base = &code;
535 iv[0].iov_len = 1;
536
537 iv[1].iov_base = data;
538 iv[1].iov_len = len;
539
540 memset(&msg, 0, sizeof(msg));
541
542 msg.msg_iov = (struct iovec *) &iv;
543 msg.msg_iovlen = 2;
544
545 l2cap_chan_send(chan, &msg, 1 + len);
546
547 if (!chan->data)
548 return;
549
550 smp = chan->data;
551
552 cancel_delayed_work_sync(&smp->security_timer);
553 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
554 }
555
556 static u8 authreq_to_seclevel(u8 authreq)
557 {
558 if (authreq & SMP_AUTH_MITM) {
559 if (authreq & SMP_AUTH_SC)
560 return BT_SECURITY_FIPS;
561 else
562 return BT_SECURITY_HIGH;
563 } else {
564 return BT_SECURITY_MEDIUM;
565 }
566 }
567
568 static __u8 seclevel_to_authreq(__u8 sec_level)
569 {
570 switch (sec_level) {
571 case BT_SECURITY_FIPS:
572 case BT_SECURITY_HIGH:
573 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
574 case BT_SECURITY_MEDIUM:
575 return SMP_AUTH_BONDING;
576 default:
577 return SMP_AUTH_NONE;
578 }
579 }
580
581 static void build_pairing_cmd(struct l2cap_conn *conn,
582 struct smp_cmd_pairing *req,
583 struct smp_cmd_pairing *rsp, __u8 authreq)
584 {
585 struct l2cap_chan *chan = conn->smp;
586 struct smp_chan *smp = chan->data;
587 struct hci_conn *hcon = conn->hcon;
588 struct hci_dev *hdev = hcon->hdev;
589 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
590
591 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
592 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
593 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 authreq |= SMP_AUTH_BONDING;
595 } else {
596 authreq &= ~SMP_AUTH_BONDING;
597 }
598
599 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
600 remote_dist |= SMP_DIST_ID_KEY;
601
602 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
603 local_dist |= SMP_DIST_ID_KEY;
604
605 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
606 (authreq & SMP_AUTH_SC)) {
607 struct oob_data *oob_data;
608 u8 bdaddr_type;
609
610 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
611 local_dist |= SMP_DIST_LINK_KEY;
612 remote_dist |= SMP_DIST_LINK_KEY;
613 }
614
615 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
616 bdaddr_type = BDADDR_LE_PUBLIC;
617 else
618 bdaddr_type = BDADDR_LE_RANDOM;
619
620 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
621 bdaddr_type);
622 if (oob_data) {
623 set_bit(SMP_FLAG_OOB, &smp->flags);
624 oob_flag = SMP_OOB_PRESENT;
625 memcpy(smp->rr, oob_data->rand256, 16);
626 memcpy(smp->pcnf, oob_data->hash256, 16);
627 }
628
629 } else {
630 authreq &= ~SMP_AUTH_SC;
631 }
632
633 if (rsp == NULL) {
634 req->io_capability = conn->hcon->io_capability;
635 req->oob_flag = oob_flag;
636 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
637 req->init_key_dist = local_dist;
638 req->resp_key_dist = remote_dist;
639 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
640
641 smp->remote_key_dist = remote_dist;
642 return;
643 }
644
645 rsp->io_capability = conn->hcon->io_capability;
646 rsp->oob_flag = oob_flag;
647 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
648 rsp->init_key_dist = req->init_key_dist & remote_dist;
649 rsp->resp_key_dist = req->resp_key_dist & local_dist;
650 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
651
652 smp->remote_key_dist = rsp->init_key_dist;
653 }
654
655 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
656 {
657 struct l2cap_chan *chan = conn->smp;
658 struct smp_chan *smp = chan->data;
659
660 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
661 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
662 return SMP_ENC_KEY_SIZE;
663
664 smp->enc_key_size = max_key_size;
665
666 return 0;
667 }
668
669 static void smp_chan_destroy(struct l2cap_conn *conn)
670 {
671 struct l2cap_chan *chan = conn->smp;
672 struct smp_chan *smp = chan->data;
673 bool complete;
674
675 BUG_ON(!smp);
676
677 cancel_delayed_work_sync(&smp->security_timer);
678
679 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
680 mgmt_smp_complete(conn->hcon, complete);
681
682 kfree(smp->csrk);
683 kfree(smp->slave_csrk);
684 kfree(smp->link_key);
685
686 crypto_free_blkcipher(smp->tfm_aes);
687 crypto_free_hash(smp->tfm_cmac);
688
689 /* If pairing failed clean up any keys we might have */
690 if (!complete) {
691 if (smp->ltk) {
692 list_del_rcu(&smp->ltk->list);
693 kfree_rcu(smp->ltk, rcu);
694 }
695
696 if (smp->slave_ltk) {
697 list_del_rcu(&smp->slave_ltk->list);
698 kfree_rcu(smp->slave_ltk, rcu);
699 }
700
701 if (smp->remote_irk) {
702 list_del_rcu(&smp->remote_irk->list);
703 kfree_rcu(smp->remote_irk, rcu);
704 }
705 }
706
707 chan->data = NULL;
708 kfree(smp);
709 hci_conn_drop(conn->hcon);
710 }
711
712 static void smp_failure(struct l2cap_conn *conn, u8 reason)
713 {
714 struct hci_conn *hcon = conn->hcon;
715 struct l2cap_chan *chan = conn->smp;
716
717 if (reason)
718 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
719 &reason);
720
721 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
722 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
723
724 if (chan->data)
725 smp_chan_destroy(conn);
726 }
727
728 #define JUST_WORKS 0x00
729 #define JUST_CFM 0x01
730 #define REQ_PASSKEY 0x02
731 #define CFM_PASSKEY 0x03
732 #define REQ_OOB 0x04
733 #define DSP_PASSKEY 0x05
734 #define OVERLAP 0xFF
735
736 static const u8 gen_method[5][5] = {
737 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
738 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
739 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
740 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
741 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
742 };
743
744 static const u8 sc_method[5][5] = {
745 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
746 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
747 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
748 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
749 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
750 };
751
752 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
753 {
754 /* If either side has unknown io_caps, use JUST_CFM (which gets
755 * converted later to JUST_WORKS if we're initiators.
756 */
757 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
758 remote_io > SMP_IO_KEYBOARD_DISPLAY)
759 return JUST_CFM;
760
761 if (test_bit(SMP_FLAG_SC, &smp->flags))
762 return sc_method[remote_io][local_io];
763
764 return gen_method[remote_io][local_io];
765 }
766
767 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
768 u8 local_io, u8 remote_io)
769 {
770 struct hci_conn *hcon = conn->hcon;
771 struct l2cap_chan *chan = conn->smp;
772 struct smp_chan *smp = chan->data;
773 u32 passkey = 0;
774 int ret = 0;
775
776 /* Initialize key for JUST WORKS */
777 memset(smp->tk, 0, sizeof(smp->tk));
778 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
779
780 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
781
782 /* If neither side wants MITM, either "just" confirm an incoming
783 * request or use just-works for outgoing ones. The JUST_CFM
784 * will be converted to JUST_WORKS if necessary later in this
785 * function. If either side has MITM look up the method from the
786 * table.
787 */
788 if (!(auth & SMP_AUTH_MITM))
789 smp->method = JUST_CFM;
790 else
791 smp->method = get_auth_method(smp, local_io, remote_io);
792
793 /* Don't confirm locally initiated pairing attempts */
794 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
795 &smp->flags))
796 smp->method = JUST_WORKS;
797
798 /* Don't bother user space with no IO capabilities */
799 if (smp->method == JUST_CFM &&
800 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
801 smp->method = JUST_WORKS;
802
803 /* If Just Works, Continue with Zero TK */
804 if (smp->method == JUST_WORKS) {
805 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
806 return 0;
807 }
808
809 /* Not Just Works/Confirm results in MITM Authentication */
810 if (smp->method != JUST_CFM) {
811 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
812 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
813 hcon->pending_sec_level = BT_SECURITY_HIGH;
814 }
815
816 /* If both devices have Keyoard-Display I/O, the master
817 * Confirms and the slave Enters the passkey.
818 */
819 if (smp->method == OVERLAP) {
820 if (hcon->role == HCI_ROLE_MASTER)
821 smp->method = CFM_PASSKEY;
822 else
823 smp->method = REQ_PASSKEY;
824 }
825
826 /* Generate random passkey. */
827 if (smp->method == CFM_PASSKEY) {
828 memset(smp->tk, 0, sizeof(smp->tk));
829 get_random_bytes(&passkey, sizeof(passkey));
830 passkey %= 1000000;
831 put_unaligned_le32(passkey, smp->tk);
832 BT_DBG("PassKey: %d", passkey);
833 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
834 }
835
836 if (smp->method == REQ_PASSKEY)
837 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
838 hcon->type, hcon->dst_type);
839 else if (smp->method == JUST_CFM)
840 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
841 hcon->type, hcon->dst_type,
842 passkey, 1);
843 else
844 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
845 hcon->type, hcon->dst_type,
846 passkey, 0);
847
848 return ret;
849 }
850
851 static u8 smp_confirm(struct smp_chan *smp)
852 {
853 struct l2cap_conn *conn = smp->conn;
854 struct smp_cmd_pairing_confirm cp;
855 int ret;
856
857 BT_DBG("conn %p", conn);
858
859 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
860 conn->hcon->init_addr_type, &conn->hcon->init_addr,
861 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
862 cp.confirm_val);
863 if (ret)
864 return SMP_UNSPECIFIED;
865
866 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
867
868 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
869
870 if (conn->hcon->out)
871 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
872 else
873 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
874
875 return 0;
876 }
877
878 static u8 smp_random(struct smp_chan *smp)
879 {
880 struct l2cap_conn *conn = smp->conn;
881 struct hci_conn *hcon = conn->hcon;
882 u8 confirm[16];
883 int ret;
884
885 if (IS_ERR_OR_NULL(smp->tfm_aes))
886 return SMP_UNSPECIFIED;
887
888 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
889
890 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
891 hcon->init_addr_type, &hcon->init_addr,
892 hcon->resp_addr_type, &hcon->resp_addr, confirm);
893 if (ret)
894 return SMP_UNSPECIFIED;
895
896 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
897 BT_ERR("Pairing failed (confirmation values mismatch)");
898 return SMP_CONFIRM_FAILED;
899 }
900
901 if (hcon->out) {
902 u8 stk[16];
903 __le64 rand = 0;
904 __le16 ediv = 0;
905
906 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
907
908 memset(stk + smp->enc_key_size, 0,
909 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
910
911 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
912 return SMP_UNSPECIFIED;
913
914 hci_le_start_enc(hcon, ediv, rand, stk);
915 hcon->enc_key_size = smp->enc_key_size;
916 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
917 } else {
918 u8 stk[16], auth;
919 __le64 rand = 0;
920 __le16 ediv = 0;
921
922 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
923 smp->prnd);
924
925 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
926
927 memset(stk + smp->enc_key_size, 0,
928 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
929
930 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
931 auth = 1;
932 else
933 auth = 0;
934
935 /* Even though there's no _SLAVE suffix this is the
936 * slave STK we're adding for later lookup (the master
937 * STK never needs to be stored).
938 */
939 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
940 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
941 }
942
943 return 0;
944 }
945
946 static void smp_notify_keys(struct l2cap_conn *conn)
947 {
948 struct l2cap_chan *chan = conn->smp;
949 struct smp_chan *smp = chan->data;
950 struct hci_conn *hcon = conn->hcon;
951 struct hci_dev *hdev = hcon->hdev;
952 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
953 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
954 bool persistent;
955
956 if (smp->remote_irk) {
957 mgmt_new_irk(hdev, smp->remote_irk);
958 /* Now that user space can be considered to know the
959 * identity address track the connection based on it
960 * from now on (assuming this is an LE link).
961 */
962 if (hcon->type == LE_LINK) {
963 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
964 hcon->dst_type = smp->remote_irk->addr_type;
965 queue_work(hdev->workqueue, &conn->id_addr_update_work);
966 }
967
968 /* When receiving an indentity resolving key for
969 * a remote device that does not use a resolvable
970 * private address, just remove the key so that
971 * it is possible to use the controller white
972 * list for scanning.
973 *
974 * Userspace will have been told to not store
975 * this key at this point. So it is safe to
976 * just remove it.
977 */
978 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
979 list_del_rcu(&smp->remote_irk->list);
980 kfree_rcu(smp->remote_irk, rcu);
981 smp->remote_irk = NULL;
982 }
983 }
984
985 if (hcon->type == ACL_LINK) {
986 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
987 persistent = false;
988 else
989 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
990 &hcon->flags);
991 } else {
992 /* The LTKs and CSRKs should be persistent only if both sides
993 * had the bonding bit set in their authentication requests.
994 */
995 persistent = !!((req->auth_req & rsp->auth_req) &
996 SMP_AUTH_BONDING);
997 }
998
999
1000 if (smp->csrk) {
1001 smp->csrk->bdaddr_type = hcon->dst_type;
1002 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1003 mgmt_new_csrk(hdev, smp->csrk, persistent);
1004 }
1005
1006 if (smp->slave_csrk) {
1007 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1008 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1009 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1010 }
1011
1012 if (smp->ltk) {
1013 smp->ltk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1015 mgmt_new_ltk(hdev, smp->ltk, persistent);
1016 }
1017
1018 if (smp->slave_ltk) {
1019 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1021 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1022 }
1023
1024 if (smp->link_key) {
1025 struct link_key *key;
1026 u8 type;
1027
1028 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1029 type = HCI_LK_DEBUG_COMBINATION;
1030 else if (hcon->sec_level == BT_SECURITY_FIPS)
1031 type = HCI_LK_AUTH_COMBINATION_P256;
1032 else
1033 type = HCI_LK_UNAUTH_COMBINATION_P256;
1034
1035 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1036 smp->link_key, type, 0, &persistent);
1037 if (key) {
1038 mgmt_new_link_key(hdev, key, persistent);
1039
1040 /* Don't keep debug keys around if the relevant
1041 * flag is not set.
1042 */
1043 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1044 key->type == HCI_LK_DEBUG_COMBINATION) {
1045 list_del_rcu(&key->list);
1046 kfree_rcu(key, rcu);
1047 }
1048 }
1049 }
1050 }
1051
1052 static void sc_add_ltk(struct smp_chan *smp)
1053 {
1054 struct hci_conn *hcon = smp->conn->hcon;
1055 u8 key_type, auth;
1056
1057 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1058 key_type = SMP_LTK_P256_DEBUG;
1059 else
1060 key_type = SMP_LTK_P256;
1061
1062 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1063 auth = 1;
1064 else
1065 auth = 0;
1066
1067 memset(smp->tk + smp->enc_key_size, 0,
1068 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1069
1070 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1071 key_type, auth, smp->tk, smp->enc_key_size,
1072 0, 0);
1073 }
1074
1075 static void sc_generate_link_key(struct smp_chan *smp)
1076 {
1077 /* These constants are as specified in the core specification.
1078 * In ASCII they spell out to 'tmp1' and 'lebr'.
1079 */
1080 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1081 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1082
1083 smp->link_key = kzalloc(16, GFP_KERNEL);
1084 if (!smp->link_key)
1085 return;
1086
1087 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1088 kfree(smp->link_key);
1089 smp->link_key = NULL;
1090 return;
1091 }
1092
1093 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1094 kfree(smp->link_key);
1095 smp->link_key = NULL;
1096 return;
1097 }
1098 }
1099
1100 static void smp_allow_key_dist(struct smp_chan *smp)
1101 {
1102 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1103 * will be allowed in each PDU handler to ensure we receive
1104 * them in the correct order.
1105 */
1106 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1107 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1108 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1109 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1110 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1111 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1112 }
1113
1114 static void sc_generate_ltk(struct smp_chan *smp)
1115 {
1116 /* These constants are as specified in the core specification.
1117 * In ASCII they spell out to 'tmp2' and 'brle'.
1118 */
1119 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1120 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1121 struct hci_conn *hcon = smp->conn->hcon;
1122 struct hci_dev *hdev = hcon->hdev;
1123 struct link_key *key;
1124
1125 key = hci_find_link_key(hdev, &hcon->dst);
1126 if (!key) {
1127 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1128 return;
1129 }
1130
1131 if (key->type == HCI_LK_DEBUG_COMBINATION)
1132 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1133
1134 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1135 return;
1136
1137 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1138 return;
1139
1140 sc_add_ltk(smp);
1141 }
1142
1143 static void smp_distribute_keys(struct smp_chan *smp)
1144 {
1145 struct smp_cmd_pairing *req, *rsp;
1146 struct l2cap_conn *conn = smp->conn;
1147 struct hci_conn *hcon = conn->hcon;
1148 struct hci_dev *hdev = hcon->hdev;
1149 __u8 *keydist;
1150
1151 BT_DBG("conn %p", conn);
1152
1153 rsp = (void *) &smp->prsp[1];
1154
1155 /* The responder sends its keys first */
1156 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1157 smp_allow_key_dist(smp);
1158 return;
1159 }
1160
1161 req = (void *) &smp->preq[1];
1162
1163 if (hcon->out) {
1164 keydist = &rsp->init_key_dist;
1165 *keydist &= req->init_key_dist;
1166 } else {
1167 keydist = &rsp->resp_key_dist;
1168 *keydist &= req->resp_key_dist;
1169 }
1170
1171 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1172 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1173 sc_generate_link_key(smp);
1174 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1175 sc_generate_ltk(smp);
1176
1177 /* Clear the keys which are generated but not distributed */
1178 *keydist &= ~SMP_SC_NO_DIST;
1179 }
1180
1181 BT_DBG("keydist 0x%x", *keydist);
1182
1183 if (*keydist & SMP_DIST_ENC_KEY) {
1184 struct smp_cmd_encrypt_info enc;
1185 struct smp_cmd_master_ident ident;
1186 struct smp_ltk *ltk;
1187 u8 authenticated;
1188 __le16 ediv;
1189 __le64 rand;
1190
1191 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1192 get_random_bytes(&ediv, sizeof(ediv));
1193 get_random_bytes(&rand, sizeof(rand));
1194
1195 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1196
1197 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1198 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1199 SMP_LTK_SLAVE, authenticated, enc.ltk,
1200 smp->enc_key_size, ediv, rand);
1201 smp->slave_ltk = ltk;
1202
1203 ident.ediv = ediv;
1204 ident.rand = rand;
1205
1206 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1207
1208 *keydist &= ~SMP_DIST_ENC_KEY;
1209 }
1210
1211 if (*keydist & SMP_DIST_ID_KEY) {
1212 struct smp_cmd_ident_addr_info addrinfo;
1213 struct smp_cmd_ident_info idinfo;
1214
1215 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1216
1217 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1218
1219 /* The hci_conn contains the local identity address
1220 * after the connection has been established.
1221 *
1222 * This is true even when the connection has been
1223 * established using a resolvable random address.
1224 */
1225 bacpy(&addrinfo.bdaddr, &hcon->src);
1226 addrinfo.addr_type = hcon->src_type;
1227
1228 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1229 &addrinfo);
1230
1231 *keydist &= ~SMP_DIST_ID_KEY;
1232 }
1233
1234 if (*keydist & SMP_DIST_SIGN) {
1235 struct smp_cmd_sign_info sign;
1236 struct smp_csrk *csrk;
1237
1238 /* Generate a new random key */
1239 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1240
1241 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1242 if (csrk) {
1243 csrk->master = 0x00;
1244 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1245 }
1246 smp->slave_csrk = csrk;
1247
1248 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1249
1250 *keydist &= ~SMP_DIST_SIGN;
1251 }
1252
1253 /* If there are still keys to be received wait for them */
1254 if (smp->remote_key_dist & KEY_DIST_MASK) {
1255 smp_allow_key_dist(smp);
1256 return;
1257 }
1258
1259 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1260 smp_notify_keys(conn);
1261
1262 smp_chan_destroy(conn);
1263 }
1264
1265 static void smp_timeout(struct work_struct *work)
1266 {
1267 struct smp_chan *smp = container_of(work, struct smp_chan,
1268 security_timer.work);
1269 struct l2cap_conn *conn = smp->conn;
1270
1271 BT_DBG("conn %p", conn);
1272
1273 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1274 }
1275
1276 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1277 {
1278 struct l2cap_chan *chan = conn->smp;
1279 struct smp_chan *smp;
1280
1281 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1282 if (!smp)
1283 return NULL;
1284
1285 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1286 if (IS_ERR(smp->tfm_aes)) {
1287 BT_ERR("Unable to create ECB crypto context");
1288 kfree(smp);
1289 return NULL;
1290 }
1291
1292 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1293 if (IS_ERR(smp->tfm_cmac)) {
1294 BT_ERR("Unable to create CMAC crypto context");
1295 crypto_free_blkcipher(smp->tfm_aes);
1296 kfree(smp);
1297 return NULL;
1298 }
1299
1300 smp->conn = conn;
1301 chan->data = smp;
1302
1303 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1304
1305 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1306
1307 hci_conn_hold(conn->hcon);
1308
1309 return smp;
1310 }
1311
1312 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1313 {
1314 struct hci_conn *hcon = smp->conn->hcon;
1315 u8 *na, *nb, a[7], b[7];
1316
1317 if (hcon->out) {
1318 na = smp->prnd;
1319 nb = smp->rrnd;
1320 } else {
1321 na = smp->rrnd;
1322 nb = smp->prnd;
1323 }
1324
1325 memcpy(a, &hcon->init_addr, 6);
1326 memcpy(b, &hcon->resp_addr, 6);
1327 a[6] = hcon->init_addr_type;
1328 b[6] = hcon->resp_addr_type;
1329
1330 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1331 }
1332
1333 static void sc_dhkey_check(struct smp_chan *smp)
1334 {
1335 struct hci_conn *hcon = smp->conn->hcon;
1336 struct smp_cmd_dhkey_check check;
1337 u8 a[7], b[7], *local_addr, *remote_addr;
1338 u8 io_cap[3], r[16];
1339
1340 memcpy(a, &hcon->init_addr, 6);
1341 memcpy(b, &hcon->resp_addr, 6);
1342 a[6] = hcon->init_addr_type;
1343 b[6] = hcon->resp_addr_type;
1344
1345 if (hcon->out) {
1346 local_addr = a;
1347 remote_addr = b;
1348 memcpy(io_cap, &smp->preq[1], 3);
1349 } else {
1350 local_addr = b;
1351 remote_addr = a;
1352 memcpy(io_cap, &smp->prsp[1], 3);
1353 }
1354
1355 memset(r, 0, sizeof(r));
1356
1357 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1358 put_unaligned_le32(hcon->passkey_notify, r);
1359
1360 if (smp->method == REQ_OOB)
1361 memcpy(r, smp->rr, 16);
1362
1363 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1364 local_addr, remote_addr, check.e);
1365
1366 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1367 }
1368
1369 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1370 {
1371 struct l2cap_conn *conn = smp->conn;
1372 struct hci_conn *hcon = conn->hcon;
1373 struct smp_cmd_pairing_confirm cfm;
1374 u8 r;
1375
1376 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1377 r |= 0x80;
1378
1379 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1380
1381 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1382 cfm.confirm_val))
1383 return SMP_UNSPECIFIED;
1384
1385 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1386
1387 return 0;
1388 }
1389
1390 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1391 {
1392 struct l2cap_conn *conn = smp->conn;
1393 struct hci_conn *hcon = conn->hcon;
1394 struct hci_dev *hdev = hcon->hdev;
1395 u8 cfm[16], r;
1396
1397 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1398 if (smp->passkey_round >= 20)
1399 return 0;
1400
1401 switch (smp_op) {
1402 case SMP_CMD_PAIRING_RANDOM:
1403 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1404 r |= 0x80;
1405
1406 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1407 smp->rrnd, r, cfm))
1408 return SMP_UNSPECIFIED;
1409
1410 if (memcmp(smp->pcnf, cfm, 16))
1411 return SMP_CONFIRM_FAILED;
1412
1413 smp->passkey_round++;
1414
1415 if (smp->passkey_round == 20) {
1416 /* Generate MacKey and LTK */
1417 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1418 return SMP_UNSPECIFIED;
1419 }
1420
1421 /* The round is only complete when the initiator
1422 * receives pairing random.
1423 */
1424 if (!hcon->out) {
1425 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1426 sizeof(smp->prnd), smp->prnd);
1427 if (smp->passkey_round == 20)
1428 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1429 else
1430 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1431 return 0;
1432 }
1433
1434 /* Start the next round */
1435 if (smp->passkey_round != 20)
1436 return sc_passkey_round(smp, 0);
1437
1438 /* Passkey rounds are complete - start DHKey Check */
1439 sc_dhkey_check(smp);
1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1441
1442 break;
1443
1444 case SMP_CMD_PAIRING_CONFIRM:
1445 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1446 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1447 return 0;
1448 }
1449
1450 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1451
1452 if (hcon->out) {
1453 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1454 sizeof(smp->prnd), smp->prnd);
1455 return 0;
1456 }
1457
1458 return sc_passkey_send_confirm(smp);
1459
1460 case SMP_CMD_PUBLIC_KEY:
1461 default:
1462 /* Initiating device starts the round */
1463 if (!hcon->out)
1464 return 0;
1465
1466 BT_DBG("%s Starting passkey round %u", hdev->name,
1467 smp->passkey_round + 1);
1468
1469 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1470
1471 return sc_passkey_send_confirm(smp);
1472 }
1473
1474 return 0;
1475 }
1476
1477 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1478 {
1479 struct l2cap_conn *conn = smp->conn;
1480 struct hci_conn *hcon = conn->hcon;
1481 u8 smp_op;
1482
1483 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1484
1485 switch (mgmt_op) {
1486 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1487 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1488 return 0;
1489 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1490 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1491 return 0;
1492 case MGMT_OP_USER_PASSKEY_REPLY:
1493 hcon->passkey_notify = le32_to_cpu(passkey);
1494 smp->passkey_round = 0;
1495
1496 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1497 smp_op = SMP_CMD_PAIRING_CONFIRM;
1498 else
1499 smp_op = 0;
1500
1501 if (sc_passkey_round(smp, smp_op))
1502 return -EIO;
1503
1504 return 0;
1505 }
1506
1507 /* Initiator sends DHKey check first */
1508 if (hcon->out) {
1509 sc_dhkey_check(smp);
1510 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1511 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1512 sc_dhkey_check(smp);
1513 sc_add_ltk(smp);
1514 }
1515
1516 return 0;
1517 }
1518
1519 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1520 {
1521 struct l2cap_conn *conn = hcon->l2cap_data;
1522 struct l2cap_chan *chan;
1523 struct smp_chan *smp;
1524 u32 value;
1525 int err;
1526
1527 BT_DBG("");
1528
1529 if (!conn)
1530 return -ENOTCONN;
1531
1532 chan = conn->smp;
1533 if (!chan)
1534 return -ENOTCONN;
1535
1536 l2cap_chan_lock(chan);
1537 if (!chan->data) {
1538 err = -ENOTCONN;
1539 goto unlock;
1540 }
1541
1542 smp = chan->data;
1543
1544 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1545 err = sc_user_reply(smp, mgmt_op, passkey);
1546 goto unlock;
1547 }
1548
1549 switch (mgmt_op) {
1550 case MGMT_OP_USER_PASSKEY_REPLY:
1551 value = le32_to_cpu(passkey);
1552 memset(smp->tk, 0, sizeof(smp->tk));
1553 BT_DBG("PassKey: %d", value);
1554 put_unaligned_le32(value, smp->tk);
1555 /* Fall Through */
1556 case MGMT_OP_USER_CONFIRM_REPLY:
1557 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1558 break;
1559 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1560 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1561 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1562 err = 0;
1563 goto unlock;
1564 default:
1565 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1566 err = -EOPNOTSUPP;
1567 goto unlock;
1568 }
1569
1570 err = 0;
1571
1572 /* If it is our turn to send Pairing Confirm, do so now */
1573 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1574 u8 rsp = smp_confirm(smp);
1575 if (rsp)
1576 smp_failure(conn, rsp);
1577 }
1578
1579 unlock:
1580 l2cap_chan_unlock(chan);
1581 return err;
1582 }
1583
1584 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1585 struct smp_cmd_pairing *req,
1586 struct smp_cmd_pairing *rsp)
1587 {
1588 struct l2cap_conn *conn = smp->conn;
1589 struct hci_dev *hdev = conn->hcon->hdev;
1590 u8 local_dist = 0, remote_dist = 0;
1591
1592 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1595 }
1596
1597 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1598 remote_dist |= SMP_DIST_ID_KEY;
1599
1600 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1601 local_dist |= SMP_DIST_ID_KEY;
1602
1603 if (!rsp) {
1604 memset(req, 0, sizeof(*req));
1605
1606 req->init_key_dist = local_dist;
1607 req->resp_key_dist = remote_dist;
1608 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1609
1610 smp->remote_key_dist = remote_dist;
1611
1612 return;
1613 }
1614
1615 memset(rsp, 0, sizeof(*rsp));
1616
1617 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1618 rsp->init_key_dist = req->init_key_dist & remote_dist;
1619 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1620
1621 smp->remote_key_dist = rsp->init_key_dist;
1622 }
1623
1624 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1625 {
1626 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1627 struct l2cap_chan *chan = conn->smp;
1628 struct hci_dev *hdev = conn->hcon->hdev;
1629 struct smp_chan *smp;
1630 u8 key_size, auth, sec_level;
1631 int ret;
1632
1633 BT_DBG("conn %p", conn);
1634
1635 if (skb->len < sizeof(*req))
1636 return SMP_INVALID_PARAMS;
1637
1638 if (conn->hcon->role != HCI_ROLE_SLAVE)
1639 return SMP_CMD_NOTSUPP;
1640
1641 if (!chan->data)
1642 smp = smp_chan_create(conn);
1643 else
1644 smp = chan->data;
1645
1646 if (!smp)
1647 return SMP_UNSPECIFIED;
1648
1649 /* We didn't start the pairing, so match remote */
1650 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1651
1652 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1653 (auth & SMP_AUTH_BONDING))
1654 return SMP_PAIRING_NOTSUPP;
1655
1656 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1657 return SMP_AUTH_REQUIREMENTS;
1658
1659 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1660 memcpy(&smp->preq[1], req, sizeof(*req));
1661 skb_pull(skb, sizeof(*req));
1662
1663 /* SMP over BR/EDR requires special treatment */
1664 if (conn->hcon->type == ACL_LINK) {
1665 /* We must have a BR/EDR SC link */
1666 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags))
1667 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1668
1669 set_bit(SMP_FLAG_SC, &smp->flags);
1670
1671 build_bredr_pairing_cmd(smp, req, &rsp);
1672
1673 key_size = min(req->max_key_size, rsp.max_key_size);
1674 if (check_enc_key_size(conn, key_size))
1675 return SMP_ENC_KEY_SIZE;
1676
1677 /* Clear bits which are generated but not distributed */
1678 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1679
1680 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1681 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1682 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1683
1684 smp_distribute_keys(smp);
1685 return 0;
1686 }
1687
1688 build_pairing_cmd(conn, req, &rsp, auth);
1689
1690 if (rsp.auth_req & SMP_AUTH_SC)
1691 set_bit(SMP_FLAG_SC, &smp->flags);
1692
1693 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1694 sec_level = BT_SECURITY_MEDIUM;
1695 else
1696 sec_level = authreq_to_seclevel(auth);
1697
1698 if (sec_level > conn->hcon->pending_sec_level)
1699 conn->hcon->pending_sec_level = sec_level;
1700
1701 /* If we need MITM check that it can be achieved */
1702 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1703 u8 method;
1704
1705 method = get_auth_method(smp, conn->hcon->io_capability,
1706 req->io_capability);
1707 if (method == JUST_WORKS || method == JUST_CFM)
1708 return SMP_AUTH_REQUIREMENTS;
1709 }
1710
1711 key_size = min(req->max_key_size, rsp.max_key_size);
1712 if (check_enc_key_size(conn, key_size))
1713 return SMP_ENC_KEY_SIZE;
1714
1715 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1716
1717 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1718 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1719
1720 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1721
1722 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1723
1724 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1725 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1726 /* Clear bits which are generated but not distributed */
1727 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1728 /* Wait for Public Key from Initiating Device */
1729 return 0;
1730 } else {
1731 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1732 }
1733
1734 /* Request setup of TK */
1735 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1736 if (ret)
1737 return SMP_UNSPECIFIED;
1738
1739 return 0;
1740 }
1741
1742 static u8 sc_send_public_key(struct smp_chan *smp)
1743 {
1744 struct hci_dev *hdev = smp->conn->hcon->hdev;
1745
1746 BT_DBG("");
1747
1748 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1749 BT_DBG("Using debug keys");
1750 memcpy(smp->local_pk, debug_pk, 64);
1751 memcpy(smp->local_sk, debug_sk, 32);
1752 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1753 } else {
1754 while (true) {
1755 /* Generate local key pair for Secure Connections */
1756 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1757 return SMP_UNSPECIFIED;
1758
1759 /* This is unlikely, but we need to check that
1760 * we didn't accidentially generate a debug key.
1761 */
1762 if (memcmp(smp->local_sk, debug_sk, 32))
1763 break;
1764 }
1765 }
1766
1767 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1768 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1769 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1770
1771 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1772
1773 return 0;
1774 }
1775
1776 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1777 {
1778 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1779 struct l2cap_chan *chan = conn->smp;
1780 struct smp_chan *smp = chan->data;
1781 struct hci_dev *hdev = conn->hcon->hdev;
1782 u8 key_size, auth;
1783 int ret;
1784
1785 BT_DBG("conn %p", conn);
1786
1787 if (skb->len < sizeof(*rsp))
1788 return SMP_INVALID_PARAMS;
1789
1790 if (conn->hcon->role != HCI_ROLE_MASTER)
1791 return SMP_CMD_NOTSUPP;
1792
1793 skb_pull(skb, sizeof(*rsp));
1794
1795 req = (void *) &smp->preq[1];
1796
1797 key_size = min(req->max_key_size, rsp->max_key_size);
1798 if (check_enc_key_size(conn, key_size))
1799 return SMP_ENC_KEY_SIZE;
1800
1801 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1802
1803 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1804 return SMP_AUTH_REQUIREMENTS;
1805
1806 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1807 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1808
1809 /* Update remote key distribution in case the remote cleared
1810 * some bits that we had enabled in our request.
1811 */
1812 smp->remote_key_dist &= rsp->resp_key_dist;
1813
1814 /* For BR/EDR this means we're done and can start phase 3 */
1815 if (conn->hcon->type == ACL_LINK) {
1816 /* Clear bits which are generated but not distributed */
1817 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1818 smp_distribute_keys(smp);
1819 return 0;
1820 }
1821
1822 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1823 set_bit(SMP_FLAG_SC, &smp->flags);
1824 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1825 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1826
1827 /* If we need MITM check that it can be achieved */
1828 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1829 u8 method;
1830
1831 method = get_auth_method(smp, req->io_capability,
1832 rsp->io_capability);
1833 if (method == JUST_WORKS || method == JUST_CFM)
1834 return SMP_AUTH_REQUIREMENTS;
1835 }
1836
1837 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1838
1839 /* Update remote key distribution in case the remote cleared
1840 * some bits that we had enabled in our request.
1841 */
1842 smp->remote_key_dist &= rsp->resp_key_dist;
1843
1844 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1845 /* Clear bits which are generated but not distributed */
1846 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1847 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1848 return sc_send_public_key(smp);
1849 }
1850
1851 auth |= req->auth_req;
1852
1853 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1854 if (ret)
1855 return SMP_UNSPECIFIED;
1856
1857 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1858
1859 /* Can't compose response until we have been confirmed */
1860 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1861 return smp_confirm(smp);
1862
1863 return 0;
1864 }
1865
1866 static u8 sc_check_confirm(struct smp_chan *smp)
1867 {
1868 struct l2cap_conn *conn = smp->conn;
1869
1870 BT_DBG("");
1871
1872 /* Public Key exchange must happen before any other steps */
1873 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1874 return SMP_UNSPECIFIED;
1875
1876 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1877 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1878
1879 if (conn->hcon->out) {
1880 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1881 smp->prnd);
1882 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1883 }
1884
1885 return 0;
1886 }
1887
1888 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1889 {
1890 struct l2cap_chan *chan = conn->smp;
1891 struct smp_chan *smp = chan->data;
1892
1893 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1894
1895 if (skb->len < sizeof(smp->pcnf))
1896 return SMP_INVALID_PARAMS;
1897
1898 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1899 skb_pull(skb, sizeof(smp->pcnf));
1900
1901 if (test_bit(SMP_FLAG_SC, &smp->flags))
1902 return sc_check_confirm(smp);
1903
1904 if (conn->hcon->out) {
1905 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1906 smp->prnd);
1907 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1908 return 0;
1909 }
1910
1911 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1912 return smp_confirm(smp);
1913 else
1914 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1915
1916 return 0;
1917 }
1918
1919 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1920 {
1921 struct l2cap_chan *chan = conn->smp;
1922 struct smp_chan *smp = chan->data;
1923 struct hci_conn *hcon = conn->hcon;
1924 u8 *pkax, *pkbx, *na, *nb;
1925 u32 passkey;
1926 int err;
1927
1928 BT_DBG("conn %p", conn);
1929
1930 if (skb->len < sizeof(smp->rrnd))
1931 return SMP_INVALID_PARAMS;
1932
1933 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1934 skb_pull(skb, sizeof(smp->rrnd));
1935
1936 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1937 return smp_random(smp);
1938
1939 if (smp->method == REQ_OOB) {
1940 if (!hcon->out)
1941 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1942 sizeof(smp->prnd), smp->prnd);
1943 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1944 goto mackey_and_ltk;
1945 }
1946
1947 /* Passkey entry has special treatment */
1948 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1949 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1950
1951 if (hcon->out) {
1952 u8 cfm[16];
1953
1954 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1955 smp->rrnd, 0, cfm);
1956 if (err)
1957 return SMP_UNSPECIFIED;
1958
1959 if (memcmp(smp->pcnf, cfm, 16))
1960 return SMP_CONFIRM_FAILED;
1961
1962 pkax = smp->local_pk;
1963 pkbx = smp->remote_pk;
1964 na = smp->prnd;
1965 nb = smp->rrnd;
1966 } else {
1967 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1968 smp->prnd);
1969 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1970
1971 pkax = smp->remote_pk;
1972 pkbx = smp->local_pk;
1973 na = smp->rrnd;
1974 nb = smp->prnd;
1975 }
1976
1977 mackey_and_ltk:
1978 /* Generate MacKey and LTK */
1979 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1980 if (err)
1981 return SMP_UNSPECIFIED;
1982
1983 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1984 if (hcon->out) {
1985 sc_dhkey_check(smp);
1986 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1987 }
1988 return 0;
1989 }
1990
1991 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
1992 if (err)
1993 return SMP_UNSPECIFIED;
1994
1995 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
1996 hcon->dst_type, passkey, 0);
1997 if (err)
1998 return SMP_UNSPECIFIED;
1999
2000 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2001
2002 return 0;
2003 }
2004
2005 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2006 {
2007 struct smp_ltk *key;
2008 struct hci_conn *hcon = conn->hcon;
2009
2010 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2011 if (!key)
2012 return false;
2013
2014 if (smp_ltk_sec_level(key) < sec_level)
2015 return false;
2016
2017 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2018 return true;
2019
2020 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2021 hcon->enc_key_size = key->enc_size;
2022
2023 /* We never store STKs for master role, so clear this flag */
2024 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2025
2026 return true;
2027 }
2028
2029 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2030 enum smp_key_pref key_pref)
2031 {
2032 if (sec_level == BT_SECURITY_LOW)
2033 return true;
2034
2035 /* If we're encrypted with an STK but the caller prefers using
2036 * LTK claim insufficient security. This way we allow the
2037 * connection to be re-encrypted with an LTK, even if the LTK
2038 * provides the same level of security. Only exception is if we
2039 * don't have an LTK (e.g. because of key distribution bits).
2040 */
2041 if (key_pref == SMP_USE_LTK &&
2042 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2043 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2044 return false;
2045
2046 if (hcon->sec_level >= sec_level)
2047 return true;
2048
2049 return false;
2050 }
2051
2052 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2053 {
2054 struct smp_cmd_security_req *rp = (void *) skb->data;
2055 struct smp_cmd_pairing cp;
2056 struct hci_conn *hcon = conn->hcon;
2057 struct hci_dev *hdev = hcon->hdev;
2058 struct smp_chan *smp;
2059 u8 sec_level, auth;
2060
2061 BT_DBG("conn %p", conn);
2062
2063 if (skb->len < sizeof(*rp))
2064 return SMP_INVALID_PARAMS;
2065
2066 if (hcon->role != HCI_ROLE_MASTER)
2067 return SMP_CMD_NOTSUPP;
2068
2069 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2070
2071 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2072 return SMP_AUTH_REQUIREMENTS;
2073
2074 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2075 sec_level = BT_SECURITY_MEDIUM;
2076 else
2077 sec_level = authreq_to_seclevel(auth);
2078
2079 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2080 return 0;
2081
2082 if (sec_level > hcon->pending_sec_level)
2083 hcon->pending_sec_level = sec_level;
2084
2085 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2086 return 0;
2087
2088 smp = smp_chan_create(conn);
2089 if (!smp)
2090 return SMP_UNSPECIFIED;
2091
2092 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2093 (auth & SMP_AUTH_BONDING))
2094 return SMP_PAIRING_NOTSUPP;
2095
2096 skb_pull(skb, sizeof(*rp));
2097
2098 memset(&cp, 0, sizeof(cp));
2099 build_pairing_cmd(conn, &cp, NULL, auth);
2100
2101 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2102 memcpy(&smp->preq[1], &cp, sizeof(cp));
2103
2104 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2105 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2106
2107 return 0;
2108 }
2109
2110 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2111 {
2112 struct l2cap_conn *conn = hcon->l2cap_data;
2113 struct l2cap_chan *chan;
2114 struct smp_chan *smp;
2115 __u8 authreq;
2116 int ret;
2117
2118 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2119
2120 /* This may be NULL if there's an unexpected disconnection */
2121 if (!conn)
2122 return 1;
2123
2124 chan = conn->smp;
2125
2126 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2127 return 1;
2128
2129 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2130 return 1;
2131
2132 if (sec_level > hcon->pending_sec_level)
2133 hcon->pending_sec_level = sec_level;
2134
2135 if (hcon->role == HCI_ROLE_MASTER)
2136 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2137 return 0;
2138
2139 l2cap_chan_lock(chan);
2140
2141 /* If SMP is already in progress ignore this request */
2142 if (chan->data) {
2143 ret = 0;
2144 goto unlock;
2145 }
2146
2147 smp = smp_chan_create(conn);
2148 if (!smp) {
2149 ret = 1;
2150 goto unlock;
2151 }
2152
2153 authreq = seclevel_to_authreq(sec_level);
2154
2155 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2156 authreq |= SMP_AUTH_SC;
2157
2158 /* Require MITM if IO Capability allows or the security level
2159 * requires it.
2160 */
2161 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2162 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2163 authreq |= SMP_AUTH_MITM;
2164
2165 if (hcon->role == HCI_ROLE_MASTER) {
2166 struct smp_cmd_pairing cp;
2167
2168 build_pairing_cmd(conn, &cp, NULL, authreq);
2169 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2170 memcpy(&smp->preq[1], &cp, sizeof(cp));
2171
2172 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2173 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2174 } else {
2175 struct smp_cmd_security_req cp;
2176 cp.auth_req = authreq;
2177 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2178 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2179 }
2180
2181 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2182 ret = 0;
2183
2184 unlock:
2185 l2cap_chan_unlock(chan);
2186 return ret;
2187 }
2188
2189 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2190 {
2191 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2192 struct l2cap_chan *chan = conn->smp;
2193 struct smp_chan *smp = chan->data;
2194
2195 BT_DBG("conn %p", conn);
2196
2197 if (skb->len < sizeof(*rp))
2198 return SMP_INVALID_PARAMS;
2199
2200 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2201
2202 skb_pull(skb, sizeof(*rp));
2203
2204 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2205
2206 return 0;
2207 }
2208
2209 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2210 {
2211 struct smp_cmd_master_ident *rp = (void *) skb->data;
2212 struct l2cap_chan *chan = conn->smp;
2213 struct smp_chan *smp = chan->data;
2214 struct hci_dev *hdev = conn->hcon->hdev;
2215 struct hci_conn *hcon = conn->hcon;
2216 struct smp_ltk *ltk;
2217 u8 authenticated;
2218
2219 BT_DBG("conn %p", conn);
2220
2221 if (skb->len < sizeof(*rp))
2222 return SMP_INVALID_PARAMS;
2223
2224 /* Mark the information as received */
2225 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2226
2227 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2228 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2229 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2230 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2231
2232 skb_pull(skb, sizeof(*rp));
2233
2234 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2235 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2236 authenticated, smp->tk, smp->enc_key_size,
2237 rp->ediv, rp->rand);
2238 smp->ltk = ltk;
2239 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2240 smp_distribute_keys(smp);
2241
2242 return 0;
2243 }
2244
2245 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2246 {
2247 struct smp_cmd_ident_info *info = (void *) skb->data;
2248 struct l2cap_chan *chan = conn->smp;
2249 struct smp_chan *smp = chan->data;
2250
2251 BT_DBG("");
2252
2253 if (skb->len < sizeof(*info))
2254 return SMP_INVALID_PARAMS;
2255
2256 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2257
2258 skb_pull(skb, sizeof(*info));
2259
2260 memcpy(smp->irk, info->irk, 16);
2261
2262 return 0;
2263 }
2264
2265 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2266 struct sk_buff *skb)
2267 {
2268 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2269 struct l2cap_chan *chan = conn->smp;
2270 struct smp_chan *smp = chan->data;
2271 struct hci_conn *hcon = conn->hcon;
2272 bdaddr_t rpa;
2273
2274 BT_DBG("");
2275
2276 if (skb->len < sizeof(*info))
2277 return SMP_INVALID_PARAMS;
2278
2279 /* Mark the information as received */
2280 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2281
2282 if (smp->remote_key_dist & SMP_DIST_SIGN)
2283 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2284
2285 skb_pull(skb, sizeof(*info));
2286
2287 /* Strictly speaking the Core Specification (4.1) allows sending
2288 * an empty address which would force us to rely on just the IRK
2289 * as "identity information". However, since such
2290 * implementations are not known of and in order to not over
2291 * complicate our implementation, simply pretend that we never
2292 * received an IRK for such a device.
2293 */
2294 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2295 BT_ERR("Ignoring IRK with no identity address");
2296 goto distribute;
2297 }
2298
2299 bacpy(&smp->id_addr, &info->bdaddr);
2300 smp->id_addr_type = info->addr_type;
2301
2302 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2303 bacpy(&rpa, &hcon->dst);
2304 else
2305 bacpy(&rpa, BDADDR_ANY);
2306
2307 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2308 smp->id_addr_type, smp->irk, &rpa);
2309
2310 distribute:
2311 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2312 smp_distribute_keys(smp);
2313
2314 return 0;
2315 }
2316
2317 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2318 {
2319 struct smp_cmd_sign_info *rp = (void *) skb->data;
2320 struct l2cap_chan *chan = conn->smp;
2321 struct smp_chan *smp = chan->data;
2322 struct smp_csrk *csrk;
2323
2324 BT_DBG("conn %p", conn);
2325
2326 if (skb->len < sizeof(*rp))
2327 return SMP_INVALID_PARAMS;
2328
2329 /* Mark the information as received */
2330 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2331
2332 skb_pull(skb, sizeof(*rp));
2333
2334 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2335 if (csrk) {
2336 csrk->master = 0x01;
2337 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2338 }
2339 smp->csrk = csrk;
2340 smp_distribute_keys(smp);
2341
2342 return 0;
2343 }
2344
2345 static u8 sc_select_method(struct smp_chan *smp)
2346 {
2347 struct l2cap_conn *conn = smp->conn;
2348 struct hci_conn *hcon = conn->hcon;
2349 struct smp_cmd_pairing *local, *remote;
2350 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2351
2352 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2353 return REQ_OOB;
2354
2355 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2356 * which are needed as inputs to some crypto functions. To get
2357 * the "struct smp_cmd_pairing" from them we need to skip the
2358 * first byte which contains the opcode.
2359 */
2360 if (hcon->out) {
2361 local = (void *) &smp->preq[1];
2362 remote = (void *) &smp->prsp[1];
2363 } else {
2364 local = (void *) &smp->prsp[1];
2365 remote = (void *) &smp->preq[1];
2366 }
2367
2368 local_io = local->io_capability;
2369 remote_io = remote->io_capability;
2370
2371 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2372 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2373
2374 /* If either side wants MITM, look up the method from the table,
2375 * otherwise use JUST WORKS.
2376 */
2377 if (local_mitm || remote_mitm)
2378 method = get_auth_method(smp, local_io, remote_io);
2379 else
2380 method = JUST_WORKS;
2381
2382 /* Don't confirm locally initiated pairing attempts */
2383 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2384 method = JUST_WORKS;
2385
2386 return method;
2387 }
2388
2389 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2390 {
2391 struct smp_cmd_public_key *key = (void *) skb->data;
2392 struct hci_conn *hcon = conn->hcon;
2393 struct l2cap_chan *chan = conn->smp;
2394 struct smp_chan *smp = chan->data;
2395 struct hci_dev *hdev = hcon->hdev;
2396 struct smp_cmd_pairing_confirm cfm;
2397 int err;
2398
2399 BT_DBG("conn %p", conn);
2400
2401 if (skb->len < sizeof(*key))
2402 return SMP_INVALID_PARAMS;
2403
2404 memcpy(smp->remote_pk, key, 64);
2405
2406 /* Non-initiating device sends its public key after receiving
2407 * the key from the initiating device.
2408 */
2409 if (!hcon->out) {
2410 err = sc_send_public_key(smp);
2411 if (err)
2412 return err;
2413 }
2414
2415 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2416 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2417
2418 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2419 return SMP_UNSPECIFIED;
2420
2421 SMP_DBG("DHKey %32phN", smp->dhkey);
2422
2423 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2424
2425 smp->method = sc_select_method(smp);
2426
2427 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2428
2429 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2430 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2431 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2432 else
2433 hcon->pending_sec_level = BT_SECURITY_FIPS;
2434
2435 if (!memcmp(debug_pk, smp->remote_pk, 64))
2436 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2437
2438 if (smp->method == DSP_PASSKEY) {
2439 get_random_bytes(&hcon->passkey_notify,
2440 sizeof(hcon->passkey_notify));
2441 hcon->passkey_notify %= 1000000;
2442 hcon->passkey_entered = 0;
2443 smp->passkey_round = 0;
2444 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2445 hcon->dst_type,
2446 hcon->passkey_notify,
2447 hcon->passkey_entered))
2448 return SMP_UNSPECIFIED;
2449 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2450 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2451 }
2452
2453 if (smp->method == REQ_OOB) {
2454 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2455 smp->rr, 0, cfm.confirm_val);
2456 if (err)
2457 return SMP_UNSPECIFIED;
2458
2459 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2460 return SMP_CONFIRM_FAILED;
2461
2462 if (hcon->out)
2463 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2464 sizeof(smp->prnd), smp->prnd);
2465
2466 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2467
2468 return 0;
2469 }
2470
2471 if (hcon->out)
2472 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2473
2474 if (smp->method == REQ_PASSKEY) {
2475 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2476 hcon->dst_type))
2477 return SMP_UNSPECIFIED;
2478 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2479 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2480 return 0;
2481 }
2482
2483 /* The Initiating device waits for the non-initiating device to
2484 * send the confirm value.
2485 */
2486 if (conn->hcon->out)
2487 return 0;
2488
2489 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2490 0, cfm.confirm_val);
2491 if (err)
2492 return SMP_UNSPECIFIED;
2493
2494 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2495 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2496
2497 return 0;
2498 }
2499
2500 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2501 {
2502 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2503 struct l2cap_chan *chan = conn->smp;
2504 struct hci_conn *hcon = conn->hcon;
2505 struct smp_chan *smp = chan->data;
2506 u8 a[7], b[7], *local_addr, *remote_addr;
2507 u8 io_cap[3], r[16], e[16];
2508 int err;
2509
2510 BT_DBG("conn %p", conn);
2511
2512 if (skb->len < sizeof(*check))
2513 return SMP_INVALID_PARAMS;
2514
2515 memcpy(a, &hcon->init_addr, 6);
2516 memcpy(b, &hcon->resp_addr, 6);
2517 a[6] = hcon->init_addr_type;
2518 b[6] = hcon->resp_addr_type;
2519
2520 if (hcon->out) {
2521 local_addr = a;
2522 remote_addr = b;
2523 memcpy(io_cap, &smp->prsp[1], 3);
2524 } else {
2525 local_addr = b;
2526 remote_addr = a;
2527 memcpy(io_cap, &smp->preq[1], 3);
2528 }
2529
2530 memset(r, 0, sizeof(r));
2531
2532 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2533 put_unaligned_le32(hcon->passkey_notify, r);
2534
2535 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2536 io_cap, remote_addr, local_addr, e);
2537 if (err)
2538 return SMP_UNSPECIFIED;
2539
2540 if (memcmp(check->e, e, 16))
2541 return SMP_DHKEY_CHECK_FAILED;
2542
2543 if (!hcon->out) {
2544 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2545 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2546 return 0;
2547 }
2548
2549 /* Slave sends DHKey check as response to master */
2550 sc_dhkey_check(smp);
2551 }
2552
2553 sc_add_ltk(smp);
2554
2555 if (hcon->out) {
2556 hci_le_start_enc(hcon, 0, 0, smp->tk);
2557 hcon->enc_key_size = smp->enc_key_size;
2558 }
2559
2560 return 0;
2561 }
2562
2563 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2564 struct sk_buff *skb)
2565 {
2566 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2567
2568 BT_DBG("value 0x%02x", kp->value);
2569
2570 return 0;
2571 }
2572
2573 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2574 {
2575 struct l2cap_conn *conn = chan->conn;
2576 struct hci_conn *hcon = conn->hcon;
2577 struct smp_chan *smp;
2578 __u8 code, reason;
2579 int err = 0;
2580
2581 if (skb->len < 1)
2582 return -EILSEQ;
2583
2584 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2585 reason = SMP_PAIRING_NOTSUPP;
2586 goto done;
2587 }
2588
2589 code = skb->data[0];
2590 skb_pull(skb, sizeof(code));
2591
2592 smp = chan->data;
2593
2594 if (code > SMP_CMD_MAX)
2595 goto drop;
2596
2597 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2598 goto drop;
2599
2600 /* If we don't have a context the only allowed commands are
2601 * pairing request and security request.
2602 */
2603 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2604 goto drop;
2605
2606 switch (code) {
2607 case SMP_CMD_PAIRING_REQ:
2608 reason = smp_cmd_pairing_req(conn, skb);
2609 break;
2610
2611 case SMP_CMD_PAIRING_FAIL:
2612 smp_failure(conn, 0);
2613 err = -EPERM;
2614 break;
2615
2616 case SMP_CMD_PAIRING_RSP:
2617 reason = smp_cmd_pairing_rsp(conn, skb);
2618 break;
2619
2620 case SMP_CMD_SECURITY_REQ:
2621 reason = smp_cmd_security_req(conn, skb);
2622 break;
2623
2624 case SMP_CMD_PAIRING_CONFIRM:
2625 reason = smp_cmd_pairing_confirm(conn, skb);
2626 break;
2627
2628 case SMP_CMD_PAIRING_RANDOM:
2629 reason = smp_cmd_pairing_random(conn, skb);
2630 break;
2631
2632 case SMP_CMD_ENCRYPT_INFO:
2633 reason = smp_cmd_encrypt_info(conn, skb);
2634 break;
2635
2636 case SMP_CMD_MASTER_IDENT:
2637 reason = smp_cmd_master_ident(conn, skb);
2638 break;
2639
2640 case SMP_CMD_IDENT_INFO:
2641 reason = smp_cmd_ident_info(conn, skb);
2642 break;
2643
2644 case SMP_CMD_IDENT_ADDR_INFO:
2645 reason = smp_cmd_ident_addr_info(conn, skb);
2646 break;
2647
2648 case SMP_CMD_SIGN_INFO:
2649 reason = smp_cmd_sign_info(conn, skb);
2650 break;
2651
2652 case SMP_CMD_PUBLIC_KEY:
2653 reason = smp_cmd_public_key(conn, skb);
2654 break;
2655
2656 case SMP_CMD_DHKEY_CHECK:
2657 reason = smp_cmd_dhkey_check(conn, skb);
2658 break;
2659
2660 case SMP_CMD_KEYPRESS_NOTIFY:
2661 reason = smp_cmd_keypress_notify(conn, skb);
2662 break;
2663
2664 default:
2665 BT_DBG("Unknown command code 0x%2.2x", code);
2666 reason = SMP_CMD_NOTSUPP;
2667 goto done;
2668 }
2669
2670 done:
2671 if (!err) {
2672 if (reason)
2673 smp_failure(conn, reason);
2674 kfree_skb(skb);
2675 }
2676
2677 return err;
2678
2679 drop:
2680 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2681 code, &hcon->dst);
2682 kfree_skb(skb);
2683 return 0;
2684 }
2685
2686 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2687 {
2688 struct l2cap_conn *conn = chan->conn;
2689
2690 BT_DBG("chan %p", chan);
2691
2692 if (chan->data)
2693 smp_chan_destroy(conn);
2694
2695 conn->smp = NULL;
2696 l2cap_chan_put(chan);
2697 }
2698
2699 static void bredr_pairing(struct l2cap_chan *chan)
2700 {
2701 struct l2cap_conn *conn = chan->conn;
2702 struct hci_conn *hcon = conn->hcon;
2703 struct hci_dev *hdev = hcon->hdev;
2704 struct smp_cmd_pairing req;
2705 struct smp_chan *smp;
2706
2707 BT_DBG("chan %p", chan);
2708
2709 /* Only new pairings are interesting */
2710 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2711 return;
2712
2713 /* Don't bother if we're not encrypted */
2714 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2715 return;
2716
2717 /* Only master may initiate SMP over BR/EDR */
2718 if (hcon->role != HCI_ROLE_MASTER)
2719 return;
2720
2721 /* Secure Connections support must be enabled */
2722 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2723 return;
2724
2725 /* BR/EDR must use Secure Connections for SMP */
2726 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2727 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2728 return;
2729
2730 /* If our LE support is not enabled don't do anything */
2731 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2732 return;
2733
2734 /* Don't bother if remote LE support is not enabled */
2735 if (!lmp_host_le_capable(hcon))
2736 return;
2737
2738 /* Remote must support SMP fixed chan for BR/EDR */
2739 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2740 return;
2741
2742 /* Don't bother if SMP is already ongoing */
2743 if (chan->data)
2744 return;
2745
2746 smp = smp_chan_create(conn);
2747 if (!smp) {
2748 BT_ERR("%s unable to create SMP context for BR/EDR",
2749 hdev->name);
2750 return;
2751 }
2752
2753 set_bit(SMP_FLAG_SC, &smp->flags);
2754
2755 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2756
2757 /* Prepare and send the BR/EDR SMP Pairing Request */
2758 build_bredr_pairing_cmd(smp, &req, NULL);
2759
2760 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2761 memcpy(&smp->preq[1], &req, sizeof(req));
2762
2763 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2764 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2765 }
2766
2767 static void smp_resume_cb(struct l2cap_chan *chan)
2768 {
2769 struct smp_chan *smp = chan->data;
2770 struct l2cap_conn *conn = chan->conn;
2771 struct hci_conn *hcon = conn->hcon;
2772
2773 BT_DBG("chan %p", chan);
2774
2775 if (hcon->type == ACL_LINK) {
2776 bredr_pairing(chan);
2777 return;
2778 }
2779
2780 if (!smp)
2781 return;
2782
2783 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2784 return;
2785
2786 cancel_delayed_work(&smp->security_timer);
2787
2788 smp_distribute_keys(smp);
2789 }
2790
2791 static void smp_ready_cb(struct l2cap_chan *chan)
2792 {
2793 struct l2cap_conn *conn = chan->conn;
2794 struct hci_conn *hcon = conn->hcon;
2795
2796 BT_DBG("chan %p", chan);
2797
2798 conn->smp = chan;
2799 l2cap_chan_hold(chan);
2800
2801 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2802 bredr_pairing(chan);
2803 }
2804
2805 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2806 {
2807 int err;
2808
2809 BT_DBG("chan %p", chan);
2810
2811 err = smp_sig_channel(chan, skb);
2812 if (err) {
2813 struct smp_chan *smp = chan->data;
2814
2815 if (smp)
2816 cancel_delayed_work_sync(&smp->security_timer);
2817
2818 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2819 }
2820
2821 return err;
2822 }
2823
2824 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2825 unsigned long hdr_len,
2826 unsigned long len, int nb)
2827 {
2828 struct sk_buff *skb;
2829
2830 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2831 if (!skb)
2832 return ERR_PTR(-ENOMEM);
2833
2834 skb->priority = HCI_PRIO_MAX;
2835 bt_cb(skb)->chan = chan;
2836
2837 return skb;
2838 }
2839
2840 static const struct l2cap_ops smp_chan_ops = {
2841 .name = "Security Manager",
2842 .ready = smp_ready_cb,
2843 .recv = smp_recv_cb,
2844 .alloc_skb = smp_alloc_skb_cb,
2845 .teardown = smp_teardown_cb,
2846 .resume = smp_resume_cb,
2847
2848 .new_connection = l2cap_chan_no_new_connection,
2849 .state_change = l2cap_chan_no_state_change,
2850 .close = l2cap_chan_no_close,
2851 .defer = l2cap_chan_no_defer,
2852 .suspend = l2cap_chan_no_suspend,
2853 .set_shutdown = l2cap_chan_no_set_shutdown,
2854 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2855 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2856 };
2857
2858 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2859 {
2860 struct l2cap_chan *chan;
2861
2862 BT_DBG("pchan %p", pchan);
2863
2864 chan = l2cap_chan_create();
2865 if (!chan)
2866 return NULL;
2867
2868 chan->chan_type = pchan->chan_type;
2869 chan->ops = &smp_chan_ops;
2870 chan->scid = pchan->scid;
2871 chan->dcid = chan->scid;
2872 chan->imtu = pchan->imtu;
2873 chan->omtu = pchan->omtu;
2874 chan->mode = pchan->mode;
2875
2876 /* Other L2CAP channels may request SMP routines in order to
2877 * change the security level. This means that the SMP channel
2878 * lock must be considered in its own category to avoid lockdep
2879 * warnings.
2880 */
2881 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2882
2883 BT_DBG("created chan %p", chan);
2884
2885 return chan;
2886 }
2887
2888 static const struct l2cap_ops smp_root_chan_ops = {
2889 .name = "Security Manager Root",
2890 .new_connection = smp_new_conn_cb,
2891
2892 /* None of these are implemented for the root channel */
2893 .close = l2cap_chan_no_close,
2894 .alloc_skb = l2cap_chan_no_alloc_skb,
2895 .recv = l2cap_chan_no_recv,
2896 .state_change = l2cap_chan_no_state_change,
2897 .teardown = l2cap_chan_no_teardown,
2898 .ready = l2cap_chan_no_ready,
2899 .defer = l2cap_chan_no_defer,
2900 .suspend = l2cap_chan_no_suspend,
2901 .resume = l2cap_chan_no_resume,
2902 .set_shutdown = l2cap_chan_no_set_shutdown,
2903 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2904 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2905 };
2906
2907 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2908 {
2909 struct l2cap_chan *chan;
2910 struct crypto_blkcipher *tfm_aes;
2911
2912 if (cid == L2CAP_CID_SMP_BREDR) {
2913 tfm_aes = NULL;
2914 goto create_chan;
2915 }
2916
2917 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2918 if (IS_ERR(tfm_aes)) {
2919 BT_ERR("Unable to create crypto context");
2920 return ERR_PTR(PTR_ERR(tfm_aes));
2921 }
2922
2923 create_chan:
2924 chan = l2cap_chan_create();
2925 if (!chan) {
2926 crypto_free_blkcipher(tfm_aes);
2927 return ERR_PTR(-ENOMEM);
2928 }
2929
2930 chan->data = tfm_aes;
2931
2932 l2cap_add_scid(chan, cid);
2933
2934 l2cap_chan_set_defaults(chan);
2935
2936 bacpy(&chan->src, &hdev->bdaddr);
2937 if (cid == L2CAP_CID_SMP)
2938 chan->src_type = BDADDR_LE_PUBLIC;
2939 else
2940 chan->src_type = BDADDR_BREDR;
2941 chan->state = BT_LISTEN;
2942 chan->mode = L2CAP_MODE_BASIC;
2943 chan->imtu = L2CAP_DEFAULT_MTU;
2944 chan->ops = &smp_root_chan_ops;
2945
2946 /* Set correct nesting level for a parent/listening channel */
2947 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2948
2949 return chan;
2950 }
2951
2952 static void smp_del_chan(struct l2cap_chan *chan)
2953 {
2954 struct crypto_blkcipher *tfm_aes;
2955
2956 BT_DBG("chan %p", chan);
2957
2958 tfm_aes = chan->data;
2959 if (tfm_aes) {
2960 chan->data = NULL;
2961 crypto_free_blkcipher(tfm_aes);
2962 }
2963
2964 l2cap_chan_put(chan);
2965 }
2966
2967 int smp_register(struct hci_dev *hdev)
2968 {
2969 struct l2cap_chan *chan;
2970
2971 BT_DBG("%s", hdev->name);
2972
2973 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
2974 if (IS_ERR(chan))
2975 return PTR_ERR(chan);
2976
2977 hdev->smp_data = chan;
2978
2979 if (!lmp_sc_capable(hdev) &&
2980 !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2981 return 0;
2982
2983 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
2984 if (IS_ERR(chan)) {
2985 int err = PTR_ERR(chan);
2986 chan = hdev->smp_data;
2987 hdev->smp_data = NULL;
2988 smp_del_chan(chan);
2989 return err;
2990 }
2991
2992 hdev->smp_bredr_data = chan;
2993
2994 return 0;
2995 }
2996
2997 void smp_unregister(struct hci_dev *hdev)
2998 {
2999 struct l2cap_chan *chan;
3000
3001 if (hdev->smp_bredr_data) {
3002 chan = hdev->smp_bredr_data;
3003 hdev->smp_bredr_data = NULL;
3004 smp_del_chan(chan);
3005 }
3006
3007 if (hdev->smp_data) {
3008 chan = hdev->smp_data;
3009 hdev->smp_data = NULL;
3010 smp_del_chan(chan);
3011 }
3012 }
Linux kernel - Deliverables
This page took 0.097256 seconds and 5 git commands to generate.