projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Add support for LE SC key generation
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "ecc.h"
33 #include "smp.h"
34
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
36
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
39
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
41
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
43 0x1f : 0x07)
44 #define KEY_DIST_MASK 0x07
45
46 /* Maximum message length that can be passed to aes_cmac */
47 #define CMAC_MSG_MAX 80
48
49 enum {
50 SMP_FLAG_TK_VALID,
51 SMP_FLAG_CFM_PENDING,
52 SMP_FLAG_MITM_AUTH,
53 SMP_FLAG_COMPLETE,
54 SMP_FLAG_INITIATOR,
55 SMP_FLAG_SC,
56 SMP_FLAG_REMOTE_PK,
57 };
58
59 struct smp_chan {
60 struct l2cap_conn *conn;
61 struct delayed_work security_timer;
62 unsigned long allow_cmd; /* Bitmask of allowed commands */
63
64 u8 preq[7]; /* SMP Pairing Request */
65 u8 prsp[7]; /* SMP Pairing Response */
66 u8 prnd[16]; /* SMP Pairing Random (local) */
67 u8 rrnd[16]; /* SMP Pairing Random (remote) */
68 u8 pcnf[16]; /* SMP Pairing Confirm */
69 u8 tk[16]; /* SMP Temporary Key */
70 u8 enc_key_size;
71 u8 remote_key_dist;
72 bdaddr_t id_addr;
73 u8 id_addr_type;
74 u8 irk[16];
75 struct smp_csrk *csrk;
76 struct smp_csrk *slave_csrk;
77 struct smp_ltk *ltk;
78 struct smp_ltk *slave_ltk;
79 struct smp_irk *remote_irk;
80 u8 *link_key;
81 unsigned long flags;
82
83 /* Secure Connections variables */
84 u8 local_pk[64];
85 u8 local_sk[32];
86 u8 remote_pk[64];
87 u8 dhkey[32];
88 u8 mackey[16];
89
90 struct crypto_blkcipher *tfm_aes;
91 struct crypto_hash *tfm_cmac;
92 };
93
94 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
95 {
96 size_t i;
97
98 for (i = 0; i < len; i++)
99 dst[len - 1 - i] = src[i];
100 }
101
102 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
103 size_t len, u8 mac[16])
104 {
105 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
106 struct hash_desc desc;
107 struct scatterlist sg;
108 int err;
109
110 if (len > CMAC_MSG_MAX)
111 return -EFBIG;
112
113 if (!tfm) {
114 BT_ERR("tfm %p", tfm);
115 return -EINVAL;
116 }
117
118 desc.tfm = tfm;
119 desc.flags = 0;
120
121 crypto_hash_init(&desc);
122
123 /* Swap key and message from LSB to MSB */
124 swap_buf(k, tmp, 16);
125 swap_buf(m, msg_msb, len);
126
127 BT_DBG("msg (len %zu) %*phN", len, (int) len, m);
128 BT_DBG("key %16phN", k);
129
130 err = crypto_hash_setkey(tfm, tmp, 16);
131 if (err) {
132 BT_ERR("cipher setkey failed: %d", err);
133 return err;
134 }
135
136 sg_init_one(&sg, msg_msb, len);
137
138 err = crypto_hash_update(&desc, &sg, len);
139 if (err) {
140 BT_ERR("Hash update error %d", err);
141 return err;
142 }
143
144 err = crypto_hash_final(&desc, mac_msb);
145 if (err) {
146 BT_ERR("Hash final error %d", err);
147 return err;
148 }
149
150 swap_buf(mac_msb, mac, 16);
151
152 BT_DBG("mac %16phN", mac);
153
154 return 0;
155 }
156
157 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
158 const u8 x[16], u8 z, u8 res[16])
159 {
160 u8 m[65];
161 int err;
162
163 BT_DBG("u %32phN", u);
164 BT_DBG("v %32phN", v);
165 BT_DBG("x %16phN z %02x", x, z);
166
167 m[0] = z;
168 memcpy(m + 1, v, 32);
169 memcpy(m + 33, u, 32);
170
171 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
172 if (err)
173 return err;
174
175 BT_DBG("res %16phN", res);
176
177 return err;
178 }
179
180 static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
181 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
182 {
183 /* The btle, salt and length "magic" values are as defined in
184 * the SMP section of the Bluetooth core specification. In ASCII
185 * the btle value ends up being 'btle'. The salt is just a
186 * random number whereas length is the value 256 in little
187 * endian format.
188 */
189 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
190 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
191 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
192 const u8 length[2] = { 0x00, 0x01 };
193 u8 m[53], t[16];
194 int err;
195
196 BT_DBG("w %32phN", w);
197 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
198 BT_DBG("a1 %7phN a2 %7phN", a1, a2);
199
200 err = aes_cmac(tfm_cmac, salt, w, 32, t);
201 if (err)
202 return err;
203
204 BT_DBG("t %16phN", t);
205
206 memcpy(m, length, 2);
207 memcpy(m + 2, a2, 7);
208 memcpy(m + 9, a1, 7);
209 memcpy(m + 16, n2, 16);
210 memcpy(m + 32, n1, 16);
211 memcpy(m + 48, btle, 4);
212
213 m[52] = 0; /* Counter */
214
215 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
216 if (err)
217 return err;
218
219 BT_DBG("mackey %16phN", mackey);
220
221 m[52] = 1; /* Counter */
222
223 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
224 if (err)
225 return err;
226
227 BT_DBG("ltk %16phN", ltk);
228
229 return 0;
230 }
231
232 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
233 const u8 n1[16], u8 n2[16], const u8 r[16],
234 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
235 u8 res[16])
236 {
237 u8 m[65];
238 int err;
239
240 BT_DBG("w %16phN", w);
241 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
242 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
243
244 memcpy(m, a2, 7);
245 memcpy(m + 7, a1, 7);
246 memcpy(m + 14, io_cap, 3);
247 memcpy(m + 17, r, 16);
248 memcpy(m + 33, n2, 16);
249 memcpy(m + 49, n1, 16);
250
251 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
252 if (err)
253 return err;
254
255 BT_DBG("res %16phN", res);
256
257 return err;
258 }
259
260 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
261 const u8 x[16], const u8 y[16], u32 *val)
262 {
263 u8 m[80], tmp[16];
264 int err;
265
266 BT_DBG("u %32phN", u);
267 BT_DBG("v %32phN", v);
268 BT_DBG("x %16phN y %16phN", x, y);
269
270 memcpy(m, y, 16);
271 memcpy(m + 16, v, 32);
272 memcpy(m + 48, u, 32);
273
274 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
275 if (err)
276 return err;
277
278 *val = get_unaligned_le32(tmp);
279 *val %= 1000000;
280
281 BT_DBG("val %06u", *val);
282
283 return 0;
284 }
285
286 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
287 {
288 struct blkcipher_desc desc;
289 struct scatterlist sg;
290 uint8_t tmp[16], data[16];
291 int err;
292
293 if (tfm == NULL) {
294 BT_ERR("tfm %p", tfm);
295 return -EINVAL;
296 }
297
298 desc.tfm = tfm;
299 desc.flags = 0;
300
301 /* The most significant octet of key corresponds to k[0] */
302 swap_buf(k, tmp, 16);
303
304 err = crypto_blkcipher_setkey(tfm, tmp, 16);
305 if (err) {
306 BT_ERR("cipher setkey failed: %d", err);
307 return err;
308 }
309
310 /* Most significant octet of plaintextData corresponds to data[0] */
311 swap_buf(r, data, 16);
312
313 sg_init_one(&sg, data, 16);
314
315 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
316 if (err)
317 BT_ERR("Encrypt data error %d", err);
318
319 /* Most significant octet of encryptedData corresponds to data[0] */
320 swap_buf(data, r, 16);
321
322 return err;
323 }
324
325 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
326 const u8 key_id[4], u8 res[16])
327 {
328 int err;
329
330 BT_DBG("w %16phN key_id %4phN", w, key_id);
331
332 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
333 if (err)
334 return err;
335
336 BT_DBG("res %16phN", res);
337
338 return err;
339 }
340
341 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
342 {
343 u8 _res[16];
344 int err;
345
346 /* r' = padding || r */
347 memcpy(_res, r, 3);
348 memset(_res + 3, 0, 13);
349
350 err = smp_e(tfm, irk, _res);
351 if (err) {
352 BT_ERR("Encrypt error");
353 return err;
354 }
355
356 /* The output of the random address function ah is:
357 * ah(h, r) = e(k, r') mod 2^24
358 * The output of the security function e is then truncated to 24 bits
359 * by taking the least significant 24 bits of the output of e as the
360 * result of ah.
361 */
362 memcpy(res, _res, 3);
363
364 return 0;
365 }
366
367 bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
368 {
369 struct l2cap_chan *chan = hdev->smp_data;
370 struct crypto_blkcipher *tfm;
371 u8 hash[3];
372 int err;
373
374 if (!chan || !chan->data)
375 return false;
376
377 tfm = chan->data;
378
379 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
380
381 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
382 if (err)
383 return false;
384
385 return !memcmp(bdaddr->b, hash, 3);
386 }
387
388 int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
389 {
390 struct l2cap_chan *chan = hdev->smp_data;
391 struct crypto_blkcipher *tfm;
392 int err;
393
394 if (!chan || !chan->data)
395 return -EOPNOTSUPP;
396
397 tfm = chan->data;
398
399 get_random_bytes(&rpa->b[3], 3);
400
401 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
402 rpa->b[5] |= 0x40; /* Set second most significant bit */
403
404 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
405 if (err < 0)
406 return err;
407
408 BT_DBG("RPA %pMR", rpa);
409
410 return 0;
411 }
412
413 static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
414 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
415 bdaddr_t *ra, u8 res[16])
416 {
417 u8 p1[16], p2[16];
418 int err;
419
420 memset(p1, 0, 16);
421
422 /* p1 = pres || preq || _rat || _iat */
423 p1[0] = _iat;
424 p1[1] = _rat;
425 memcpy(p1 + 2, preq, 7);
426 memcpy(p1 + 9, pres, 7);
427
428 /* p2 = padding || ia || ra */
429 memcpy(p2, ra, 6);
430 memcpy(p2 + 6, ia, 6);
431 memset(p2 + 12, 0, 4);
432
433 /* res = r XOR p1 */
434 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
435
436 /* res = e(k, res) */
437 err = smp_e(tfm_aes, k, res);
438 if (err) {
439 BT_ERR("Encrypt data error");
440 return err;
441 }
442
443 /* res = res XOR p2 */
444 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
445
446 /* res = e(k, res) */
447 err = smp_e(tfm_aes, k, res);
448 if (err)
449 BT_ERR("Encrypt data error");
450
451 return err;
452 }
453
454 static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
455 u8 r2[16], u8 _r[16])
456 {
457 int err;
458
459 /* Just least significant octets from r1 and r2 are considered */
460 memcpy(_r, r2, 8);
461 memcpy(_r + 8, r1, 8);
462
463 err = smp_e(tfm_aes, k, _r);
464 if (err)
465 BT_ERR("Encrypt data error");
466
467 return err;
468 }
469
470 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
471 {
472 struct l2cap_chan *chan = conn->smp;
473 struct smp_chan *smp;
474 struct kvec iv[2];
475 struct msghdr msg;
476
477 if (!chan)
478 return;
479
480 BT_DBG("code 0x%2.2x", code);
481
482 iv[0].iov_base = &code;
483 iv[0].iov_len = 1;
484
485 iv[1].iov_base = data;
486 iv[1].iov_len = len;
487
488 memset(&msg, 0, sizeof(msg));
489
490 msg.msg_iov = (struct iovec *) &iv;
491 msg.msg_iovlen = 2;
492
493 l2cap_chan_send(chan, &msg, 1 + len);
494
495 if (!chan->data)
496 return;
497
498 smp = chan->data;
499
500 cancel_delayed_work_sync(&smp->security_timer);
501 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
502 }
503
504 static u8 authreq_to_seclevel(u8 authreq)
505 {
506 if (authreq & SMP_AUTH_MITM) {
507 if (authreq & SMP_AUTH_SC)
508 return BT_SECURITY_FIPS;
509 else
510 return BT_SECURITY_HIGH;
511 } else {
512 return BT_SECURITY_MEDIUM;
513 }
514 }
515
516 static __u8 seclevel_to_authreq(__u8 sec_level)
517 {
518 switch (sec_level) {
519 case BT_SECURITY_FIPS:
520 case BT_SECURITY_HIGH:
521 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
522 case BT_SECURITY_MEDIUM:
523 return SMP_AUTH_BONDING;
524 default:
525 return SMP_AUTH_NONE;
526 }
527 }
528
529 static void build_pairing_cmd(struct l2cap_conn *conn,
530 struct smp_cmd_pairing *req,
531 struct smp_cmd_pairing *rsp, __u8 authreq)
532 {
533 struct l2cap_chan *chan = conn->smp;
534 struct smp_chan *smp = chan->data;
535 struct hci_conn *hcon = conn->hcon;
536 struct hci_dev *hdev = hcon->hdev;
537 u8 local_dist = 0, remote_dist = 0;
538
539 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
540 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
541 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
542 authreq |= SMP_AUTH_BONDING;
543 } else {
544 authreq &= ~SMP_AUTH_BONDING;
545 }
546
547 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
548 remote_dist |= SMP_DIST_ID_KEY;
549
550 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
551 local_dist |= SMP_DIST_ID_KEY;
552
553 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
554 if ((authreq & SMP_AUTH_SC) &&
555 test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
556 local_dist |= SMP_DIST_LINK_KEY;
557 remote_dist |= SMP_DIST_LINK_KEY;
558 }
559 } else {
560 authreq &= ~SMP_AUTH_SC;
561 }
562
563 if (rsp == NULL) {
564 req->io_capability = conn->hcon->io_capability;
565 req->oob_flag = SMP_OOB_NOT_PRESENT;
566 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
567 req->init_key_dist = local_dist;
568 req->resp_key_dist = remote_dist;
569 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
570
571 smp->remote_key_dist = remote_dist;
572 return;
573 }
574
575 rsp->io_capability = conn->hcon->io_capability;
576 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
577 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
578 rsp->init_key_dist = req->init_key_dist & remote_dist;
579 rsp->resp_key_dist = req->resp_key_dist & local_dist;
580 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
581
582 smp->remote_key_dist = rsp->init_key_dist;
583 }
584
585 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
586 {
587 struct l2cap_chan *chan = conn->smp;
588 struct smp_chan *smp = chan->data;
589
590 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
591 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
592 return SMP_ENC_KEY_SIZE;
593
594 smp->enc_key_size = max_key_size;
595
596 return 0;
597 }
598
599 static void smp_chan_destroy(struct l2cap_conn *conn)
600 {
601 struct l2cap_chan *chan = conn->smp;
602 struct smp_chan *smp = chan->data;
603 bool complete;
604
605 BUG_ON(!smp);
606
607 cancel_delayed_work_sync(&smp->security_timer);
608
609 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
610 mgmt_smp_complete(conn->hcon, complete);
611
612 kfree(smp->csrk);
613 kfree(smp->slave_csrk);
614 kfree(smp->link_key);
615
616 crypto_free_blkcipher(smp->tfm_aes);
617 crypto_free_hash(smp->tfm_cmac);
618
619 /* If pairing failed clean up any keys we might have */
620 if (!complete) {
621 if (smp->ltk) {
622 list_del_rcu(&smp->ltk->list);
623 kfree_rcu(smp->ltk, rcu);
624 }
625
626 if (smp->slave_ltk) {
627 list_del_rcu(&smp->slave_ltk->list);
628 kfree_rcu(smp->slave_ltk, rcu);
629 }
630
631 if (smp->remote_irk) {
632 list_del_rcu(&smp->remote_irk->list);
633 kfree_rcu(smp->remote_irk, rcu);
634 }
635 }
636
637 chan->data = NULL;
638 kfree(smp);
639 hci_conn_drop(conn->hcon);
640 }
641
642 static void smp_failure(struct l2cap_conn *conn, u8 reason)
643 {
644 struct hci_conn *hcon = conn->hcon;
645 struct l2cap_chan *chan = conn->smp;
646
647 if (reason)
648 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
649 &reason);
650
651 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
652 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
653
654 if (chan->data)
655 smp_chan_destroy(conn);
656 }
657
658 #define JUST_WORKS 0x00
659 #define JUST_CFM 0x01
660 #define REQ_PASSKEY 0x02
661 #define CFM_PASSKEY 0x03
662 #define REQ_OOB 0x04
663 #define OVERLAP 0xFF
664
665 static const u8 gen_method[5][5] = {
666 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
667 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
668 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
669 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
670 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
671 };
672
673 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
674 {
675 /* If either side has unknown io_caps, use JUST_CFM (which gets
676 * converted later to JUST_WORKS if we're initiators.
677 */
678 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
679 remote_io > SMP_IO_KEYBOARD_DISPLAY)
680 return JUST_CFM;
681
682 return gen_method[remote_io][local_io];
683 }
684
685 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
686 u8 local_io, u8 remote_io)
687 {
688 struct hci_conn *hcon = conn->hcon;
689 struct l2cap_chan *chan = conn->smp;
690 struct smp_chan *smp = chan->data;
691 u8 method;
692 u32 passkey = 0;
693 int ret = 0;
694
695 /* Initialize key for JUST WORKS */
696 memset(smp->tk, 0, sizeof(smp->tk));
697 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
698
699 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
700
701 /* If neither side wants MITM, either "just" confirm an incoming
702 * request or use just-works for outgoing ones. The JUST_CFM
703 * will be converted to JUST_WORKS if necessary later in this
704 * function. If either side has MITM look up the method from the
705 * table.
706 */
707 if (!(auth & SMP_AUTH_MITM))
708 method = JUST_CFM;
709 else
710 method = get_auth_method(smp, local_io, remote_io);
711
712 /* Don't confirm locally initiated pairing attempts */
713 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
714 method = JUST_WORKS;
715
716 /* Don't bother user space with no IO capabilities */
717 if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
718 method = JUST_WORKS;
719
720 /* If Just Works, Continue with Zero TK */
721 if (method == JUST_WORKS) {
722 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
723 return 0;
724 }
725
726 /* Not Just Works/Confirm results in MITM Authentication */
727 if (method != JUST_CFM) {
728 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
729 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
730 hcon->pending_sec_level = BT_SECURITY_HIGH;
731 }
732
733 /* If both devices have Keyoard-Display I/O, the master
734 * Confirms and the slave Enters the passkey.
735 */
736 if (method == OVERLAP) {
737 if (hcon->role == HCI_ROLE_MASTER)
738 method = CFM_PASSKEY;
739 else
740 method = REQ_PASSKEY;
741 }
742
743 /* Generate random passkey. */
744 if (method == CFM_PASSKEY) {
745 memset(smp->tk, 0, sizeof(smp->tk));
746 get_random_bytes(&passkey, sizeof(passkey));
747 passkey %= 1000000;
748 put_unaligned_le32(passkey, smp->tk);
749 BT_DBG("PassKey: %d", passkey);
750 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
751 }
752
753 if (method == REQ_PASSKEY)
754 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
755 hcon->type, hcon->dst_type);
756 else if (method == JUST_CFM)
757 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
758 hcon->type, hcon->dst_type,
759 passkey, 1);
760 else
761 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
762 hcon->type, hcon->dst_type,
763 passkey, 0);
764
765 return ret;
766 }
767
768 static u8 smp_confirm(struct smp_chan *smp)
769 {
770 struct l2cap_conn *conn = smp->conn;
771 struct smp_cmd_pairing_confirm cp;
772 int ret;
773
774 BT_DBG("conn %p", conn);
775
776 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
777 conn->hcon->init_addr_type, &conn->hcon->init_addr,
778 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
779 cp.confirm_val);
780 if (ret)
781 return SMP_UNSPECIFIED;
782
783 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
784
785 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
786
787 if (conn->hcon->out)
788 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
789 else
790 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
791
792 return 0;
793 }
794
795 static u8 smp_random(struct smp_chan *smp)
796 {
797 struct l2cap_conn *conn = smp->conn;
798 struct hci_conn *hcon = conn->hcon;
799 u8 confirm[16];
800 int ret;
801
802 if (IS_ERR_OR_NULL(smp->tfm_aes))
803 return SMP_UNSPECIFIED;
804
805 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
806
807 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
808 hcon->init_addr_type, &hcon->init_addr,
809 hcon->resp_addr_type, &hcon->resp_addr, confirm);
810 if (ret)
811 return SMP_UNSPECIFIED;
812
813 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
814 BT_ERR("Pairing failed (confirmation values mismatch)");
815 return SMP_CONFIRM_FAILED;
816 }
817
818 if (hcon->out) {
819 u8 stk[16];
820 __le64 rand = 0;
821 __le16 ediv = 0;
822
823 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
824
825 memset(stk + smp->enc_key_size, 0,
826 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
827
828 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
829 return SMP_UNSPECIFIED;
830
831 hci_le_start_enc(hcon, ediv, rand, stk);
832 hcon->enc_key_size = smp->enc_key_size;
833 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
834 } else {
835 u8 stk[16], auth;
836 __le64 rand = 0;
837 __le16 ediv = 0;
838
839 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
840 smp->prnd);
841
842 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
843
844 memset(stk + smp->enc_key_size, 0,
845 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
846
847 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
848 auth = 1;
849 else
850 auth = 0;
851
852 /* Even though there's no _SLAVE suffix this is the
853 * slave STK we're adding for later lookup (the master
854 * STK never needs to be stored).
855 */
856 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
857 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
858 }
859
860 return 0;
861 }
862
863 static void smp_notify_keys(struct l2cap_conn *conn)
864 {
865 struct l2cap_chan *chan = conn->smp;
866 struct smp_chan *smp = chan->data;
867 struct hci_conn *hcon = conn->hcon;
868 struct hci_dev *hdev = hcon->hdev;
869 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
870 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
871 bool persistent;
872
873 if (smp->remote_irk) {
874 mgmt_new_irk(hdev, smp->remote_irk);
875 /* Now that user space can be considered to know the
876 * identity address track the connection based on it
877 * from now on.
878 */
879 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
880 hcon->dst_type = smp->remote_irk->addr_type;
881 queue_work(hdev->workqueue, &conn->id_addr_update_work);
882
883 /* When receiving an indentity resolving key for
884 * a remote device that does not use a resolvable
885 * private address, just remove the key so that
886 * it is possible to use the controller white
887 * list for scanning.
888 *
889 * Userspace will have been told to not store
890 * this key at this point. So it is safe to
891 * just remove it.
892 */
893 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
894 list_del_rcu(&smp->remote_irk->list);
895 kfree_rcu(smp->remote_irk, rcu);
896 smp->remote_irk = NULL;
897 }
898 }
899
900 /* The LTKs and CSRKs should be persistent only if both sides
901 * had the bonding bit set in their authentication requests.
902 */
903 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
904
905 if (smp->csrk) {
906 smp->csrk->bdaddr_type = hcon->dst_type;
907 bacpy(&smp->csrk->bdaddr, &hcon->dst);
908 mgmt_new_csrk(hdev, smp->csrk, persistent);
909 }
910
911 if (smp->slave_csrk) {
912 smp->slave_csrk->bdaddr_type = hcon->dst_type;
913 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
914 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
915 }
916
917 if (smp->ltk) {
918 smp->ltk->bdaddr_type = hcon->dst_type;
919 bacpy(&smp->ltk->bdaddr, &hcon->dst);
920 mgmt_new_ltk(hdev, smp->ltk, persistent);
921 }
922
923 if (smp->slave_ltk) {
924 smp->slave_ltk->bdaddr_type = hcon->dst_type;
925 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
926 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
927 }
928
929 if (smp->link_key) {
930 hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
931 smp->link_key, HCI_LK_AUTH_COMBINATION_P256,
932 0, NULL);
933 }
934 }
935
936 static void sc_generate_link_key(struct smp_chan *smp)
937 {
938 /* These constants are as specified in the core specification.
939 * In ASCII they spell out to 'tmp1' and 'lebr'.
940 */
941 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
942 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
943
944 smp->link_key = kzalloc(16, GFP_KERNEL);
945 if (!smp->link_key)
946 return;
947
948 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
949 kfree(smp->link_key);
950 smp->link_key = NULL;
951 return;
952 }
953
954 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
955 kfree(smp->link_key);
956 smp->link_key = NULL;
957 return;
958 }
959 }
960
961 static void smp_allow_key_dist(struct smp_chan *smp)
962 {
963 /* Allow the first expected phase 3 PDU. The rest of the PDUs
964 * will be allowed in each PDU handler to ensure we receive
965 * them in the correct order.
966 */
967 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
968 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
969 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
970 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
971 else if (smp->remote_key_dist & SMP_DIST_SIGN)
972 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
973 }
974
975 static void smp_distribute_keys(struct smp_chan *smp)
976 {
977 struct smp_cmd_pairing *req, *rsp;
978 struct l2cap_conn *conn = smp->conn;
979 struct hci_conn *hcon = conn->hcon;
980 struct hci_dev *hdev = hcon->hdev;
981 __u8 *keydist;
982
983 BT_DBG("conn %p", conn);
984
985 rsp = (void *) &smp->prsp[1];
986
987 /* The responder sends its keys first */
988 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
989 smp_allow_key_dist(smp);
990 return;
991 }
992
993 req = (void *) &smp->preq[1];
994
995 if (hcon->out) {
996 keydist = &rsp->init_key_dist;
997 *keydist &= req->init_key_dist;
998 } else {
999 keydist = &rsp->resp_key_dist;
1000 *keydist &= req->resp_key_dist;
1001 }
1002
1003 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1004 if (*keydist & SMP_DIST_LINK_KEY)
1005 sc_generate_link_key(smp);
1006
1007 /* Clear the keys which are generated but not distributed */
1008 *keydist &= ~SMP_SC_NO_DIST;
1009 }
1010
1011 BT_DBG("keydist 0x%x", *keydist);
1012
1013 if (*keydist & SMP_DIST_ENC_KEY) {
1014 struct smp_cmd_encrypt_info enc;
1015 struct smp_cmd_master_ident ident;
1016 struct smp_ltk *ltk;
1017 u8 authenticated;
1018 __le16 ediv;
1019 __le64 rand;
1020
1021 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1022 get_random_bytes(&ediv, sizeof(ediv));
1023 get_random_bytes(&rand, sizeof(rand));
1024
1025 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1026
1027 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1028 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1029 SMP_LTK_SLAVE, authenticated, enc.ltk,
1030 smp->enc_key_size, ediv, rand);
1031 smp->slave_ltk = ltk;
1032
1033 ident.ediv = ediv;
1034 ident.rand = rand;
1035
1036 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1037
1038 *keydist &= ~SMP_DIST_ENC_KEY;
1039 }
1040
1041 if (*keydist & SMP_DIST_ID_KEY) {
1042 struct smp_cmd_ident_addr_info addrinfo;
1043 struct smp_cmd_ident_info idinfo;
1044
1045 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1046
1047 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1048
1049 /* The hci_conn contains the local identity address
1050 * after the connection has been established.
1051 *
1052 * This is true even when the connection has been
1053 * established using a resolvable random address.
1054 */
1055 bacpy(&addrinfo.bdaddr, &hcon->src);
1056 addrinfo.addr_type = hcon->src_type;
1057
1058 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1059 &addrinfo);
1060
1061 *keydist &= ~SMP_DIST_ID_KEY;
1062 }
1063
1064 if (*keydist & SMP_DIST_SIGN) {
1065 struct smp_cmd_sign_info sign;
1066 struct smp_csrk *csrk;
1067
1068 /* Generate a new random key */
1069 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1070
1071 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1072 if (csrk) {
1073 csrk->master = 0x00;
1074 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1075 }
1076 smp->slave_csrk = csrk;
1077
1078 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1079
1080 *keydist &= ~SMP_DIST_SIGN;
1081 }
1082
1083 /* If there are still keys to be received wait for them */
1084 if (smp->remote_key_dist & KEY_DIST_MASK) {
1085 smp_allow_key_dist(smp);
1086 return;
1087 }
1088
1089 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1090 smp_notify_keys(conn);
1091
1092 smp_chan_destroy(conn);
1093 }
1094
1095 static void smp_timeout(struct work_struct *work)
1096 {
1097 struct smp_chan *smp = container_of(work, struct smp_chan,
1098 security_timer.work);
1099 struct l2cap_conn *conn = smp->conn;
1100
1101 BT_DBG("conn %p", conn);
1102
1103 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1104 }
1105
1106 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1107 {
1108 struct l2cap_chan *chan = conn->smp;
1109 struct smp_chan *smp;
1110
1111 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1112 if (!smp)
1113 return NULL;
1114
1115 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1116 if (IS_ERR(smp->tfm_aes)) {
1117 BT_ERR("Unable to create ECB crypto context");
1118 kfree(smp);
1119 return NULL;
1120 }
1121
1122 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1123 if (IS_ERR(smp->tfm_cmac)) {
1124 BT_ERR("Unable to create CMAC crypto context");
1125 crypto_free_blkcipher(smp->tfm_aes);
1126 kfree(smp);
1127 return NULL;
1128 }
1129
1130 smp->conn = conn;
1131 chan->data = smp;
1132
1133 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1134
1135 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1136
1137 hci_conn_hold(conn->hcon);
1138
1139 return smp;
1140 }
1141
1142 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1143 {
1144 struct hci_conn *hcon = smp->conn->hcon;
1145 u8 *na, *nb, a[7], b[7];
1146
1147 if (hcon->out) {
1148 na = smp->prnd;
1149 nb = smp->rrnd;
1150 } else {
1151 na = smp->rrnd;
1152 nb = smp->prnd;
1153 }
1154
1155 memcpy(a, &hcon->init_addr, 6);
1156 memcpy(b, &hcon->resp_addr, 6);
1157 a[6] = hcon->init_addr_type;
1158 b[6] = hcon->resp_addr_type;
1159
1160 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1161 }
1162
1163 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1164 {
1165 struct hci_conn *hcon = smp->conn->hcon;
1166 struct smp_cmd_dhkey_check check;
1167 u8 a[7], b[7], *local_addr, *remote_addr;
1168 u8 io_cap[3], r[16];
1169
1170 switch (mgmt_op) {
1171 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1172 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1173 return 0;
1174 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1175 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1176 return 0;
1177 }
1178
1179 memcpy(a, &hcon->init_addr, 6);
1180 memcpy(b, &hcon->resp_addr, 6);
1181 a[6] = hcon->init_addr_type;
1182 b[6] = hcon->resp_addr_type;
1183
1184 if (hcon->out) {
1185 local_addr = a;
1186 remote_addr = b;
1187 memcpy(io_cap, &smp->preq[1], 3);
1188 } else {
1189 local_addr = b;
1190 remote_addr = a;
1191 memcpy(io_cap, &smp->prsp[1], 3);
1192 }
1193
1194 memcpy(r, &passkey, sizeof(passkey));
1195 memset(r + sizeof(passkey), 0, sizeof(r) - sizeof(passkey));
1196
1197 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1198 local_addr, remote_addr, check.e);
1199
1200 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1201
1202 return 0;
1203 }
1204
1205 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1206 {
1207 struct l2cap_conn *conn = hcon->l2cap_data;
1208 struct l2cap_chan *chan;
1209 struct smp_chan *smp;
1210 u32 value;
1211 int err;
1212
1213 BT_DBG("");
1214
1215 if (!conn)
1216 return -ENOTCONN;
1217
1218 chan = conn->smp;
1219 if (!chan)
1220 return -ENOTCONN;
1221
1222 l2cap_chan_lock(chan);
1223 if (!chan->data) {
1224 err = -ENOTCONN;
1225 goto unlock;
1226 }
1227
1228 smp = chan->data;
1229
1230 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1231 err = sc_user_reply(smp, mgmt_op, passkey);
1232 goto unlock;
1233 }
1234
1235 switch (mgmt_op) {
1236 case MGMT_OP_USER_PASSKEY_REPLY:
1237 value = le32_to_cpu(passkey);
1238 memset(smp->tk, 0, sizeof(smp->tk));
1239 BT_DBG("PassKey: %d", value);
1240 put_unaligned_le32(value, smp->tk);
1241 /* Fall Through */
1242 case MGMT_OP_USER_CONFIRM_REPLY:
1243 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1244 break;
1245 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1246 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1247 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1248 err = 0;
1249 goto unlock;
1250 default:
1251 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1252 err = -EOPNOTSUPP;
1253 goto unlock;
1254 }
1255
1256 err = 0;
1257
1258 /* If it is our turn to send Pairing Confirm, do so now */
1259 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1260 u8 rsp = smp_confirm(smp);
1261 if (rsp)
1262 smp_failure(conn, rsp);
1263 }
1264
1265 unlock:
1266 l2cap_chan_unlock(chan);
1267 return err;
1268 }
1269
1270 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1271 {
1272 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1273 struct l2cap_chan *chan = conn->smp;
1274 struct hci_dev *hdev = conn->hcon->hdev;
1275 struct smp_chan *smp;
1276 u8 key_size, auth, sec_level;
1277 int ret;
1278
1279 BT_DBG("conn %p", conn);
1280
1281 if (skb->len < sizeof(*req))
1282 return SMP_INVALID_PARAMS;
1283
1284 if (conn->hcon->role != HCI_ROLE_SLAVE)
1285 return SMP_CMD_NOTSUPP;
1286
1287 if (!chan->data)
1288 smp = smp_chan_create(conn);
1289 else
1290 smp = chan->data;
1291
1292 if (!smp)
1293 return SMP_UNSPECIFIED;
1294
1295 /* We didn't start the pairing, so match remote */
1296 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1297
1298 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1299 (auth & SMP_AUTH_BONDING))
1300 return SMP_PAIRING_NOTSUPP;
1301
1302 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1303 memcpy(&smp->preq[1], req, sizeof(*req));
1304 skb_pull(skb, sizeof(*req));
1305
1306 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1307 sec_level = BT_SECURITY_MEDIUM;
1308 else
1309 sec_level = authreq_to_seclevel(auth);
1310
1311 if (sec_level > conn->hcon->pending_sec_level)
1312 conn->hcon->pending_sec_level = sec_level;
1313
1314 /* If we need MITM check that it can be achieved */
1315 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1316 u8 method;
1317
1318 method = get_auth_method(smp, conn->hcon->io_capability,
1319 req->io_capability);
1320 if (method == JUST_WORKS || method == JUST_CFM)
1321 return SMP_AUTH_REQUIREMENTS;
1322 }
1323
1324 build_pairing_cmd(conn, req, &rsp, auth);
1325
1326 if (rsp.auth_req & SMP_AUTH_SC)
1327 set_bit(SMP_FLAG_SC, &smp->flags);
1328
1329 key_size = min(req->max_key_size, rsp.max_key_size);
1330 if (check_enc_key_size(conn, key_size))
1331 return SMP_ENC_KEY_SIZE;
1332
1333 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1334
1335 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1336 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1337
1338 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1339
1340 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1341
1342 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1343 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1344 /* Clear bits which are generated but not distributed */
1345 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1346 /* Wait for Public Key from Initiating Device */
1347 return 0;
1348 } else {
1349 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1350 }
1351
1352 /* Request setup of TK */
1353 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1354 if (ret)
1355 return SMP_UNSPECIFIED;
1356
1357 return 0;
1358 }
1359
1360 static u8 sc_send_public_key(struct smp_chan *smp)
1361 {
1362 BT_DBG("");
1363
1364 /* Generate local key pair for Secure Connections */
1365 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1366 return SMP_UNSPECIFIED;
1367
1368 BT_DBG("Local Public Key X: %32phN", smp->local_pk);
1369 BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1370 BT_DBG("Local Private Key: %32phN", smp->local_sk);
1371
1372 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1373
1374 return 0;
1375 }
1376
1377 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1378 {
1379 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1380 struct l2cap_chan *chan = conn->smp;
1381 struct smp_chan *smp = chan->data;
1382 struct hci_dev *hdev = conn->hcon->hdev;
1383 u8 key_size, auth;
1384 int ret;
1385
1386 BT_DBG("conn %p", conn);
1387
1388 if (skb->len < sizeof(*rsp))
1389 return SMP_INVALID_PARAMS;
1390
1391 if (conn->hcon->role != HCI_ROLE_MASTER)
1392 return SMP_CMD_NOTSUPP;
1393
1394 skb_pull(skb, sizeof(*rsp));
1395
1396 req = (void *) &smp->preq[1];
1397
1398 key_size = min(req->max_key_size, rsp->max_key_size);
1399 if (check_enc_key_size(conn, key_size))
1400 return SMP_ENC_KEY_SIZE;
1401
1402 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1403
1404 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1405 set_bit(SMP_FLAG_SC, &smp->flags);
1406 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1407 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1408
1409 /* If we need MITM check that it can be achieved */
1410 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1411 u8 method;
1412
1413 method = get_auth_method(smp, req->io_capability,
1414 rsp->io_capability);
1415 if (method == JUST_WORKS || method == JUST_CFM)
1416 return SMP_AUTH_REQUIREMENTS;
1417 }
1418
1419 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1420
1421 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1422 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1423
1424 /* Update remote key distribution in case the remote cleared
1425 * some bits that we had enabled in our request.
1426 */
1427 smp->remote_key_dist &= rsp->resp_key_dist;
1428
1429 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1430 /* Clear bits which are generated but not distributed */
1431 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1432 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1433 return sc_send_public_key(smp);
1434 }
1435
1436 auth |= req->auth_req;
1437
1438 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1439 if (ret)
1440 return SMP_UNSPECIFIED;
1441
1442 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1443
1444 /* Can't compose response until we have been confirmed */
1445 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1446 return smp_confirm(smp);
1447
1448 return 0;
1449 }
1450
1451 static u8 sc_check_confirm(struct smp_chan *smp)
1452 {
1453 struct l2cap_conn *conn = smp->conn;
1454
1455 BT_DBG("");
1456
1457 /* Public Key exchange must happen before any other steps */
1458 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1459 return SMP_UNSPECIFIED;
1460
1461 if (conn->hcon->out) {
1462 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1463 smp->prnd);
1464 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1465 }
1466
1467 return 0;
1468 }
1469
1470 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1471 {
1472 struct l2cap_chan *chan = conn->smp;
1473 struct smp_chan *smp = chan->data;
1474
1475 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1476
1477 if (skb->len < sizeof(smp->pcnf))
1478 return SMP_INVALID_PARAMS;
1479
1480 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1481 skb_pull(skb, sizeof(smp->pcnf));
1482
1483 if (test_bit(SMP_FLAG_SC, &smp->flags))
1484 return sc_check_confirm(smp);
1485
1486 if (conn->hcon->out) {
1487 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1488 smp->prnd);
1489 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1490 return 0;
1491 }
1492
1493 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1494 return smp_confirm(smp);
1495 else
1496 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1497
1498 return 0;
1499 }
1500
1501 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1502 {
1503 struct l2cap_chan *chan = conn->smp;
1504 struct smp_chan *smp = chan->data;
1505 struct hci_conn *hcon = conn->hcon;
1506 u8 *pkax, *pkbx, *na, *nb;
1507 u32 passkey;
1508 int err;
1509
1510 BT_DBG("conn %p", conn);
1511
1512 if (skb->len < sizeof(smp->rrnd))
1513 return SMP_INVALID_PARAMS;
1514
1515 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1516 skb_pull(skb, sizeof(smp->rrnd));
1517
1518 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1519 return smp_random(smp);
1520
1521 if (hcon->out) {
1522 u8 cfm[16];
1523
1524 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1525 smp->rrnd, 0, cfm);
1526 if (err)
1527 return SMP_UNSPECIFIED;
1528
1529 if (memcmp(smp->pcnf, cfm, 16))
1530 return SMP_CONFIRM_FAILED;
1531
1532 pkax = smp->local_pk;
1533 pkbx = smp->remote_pk;
1534 na = smp->prnd;
1535 nb = smp->rrnd;
1536 } else {
1537 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1538 smp->prnd);
1539 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1540
1541 pkax = smp->remote_pk;
1542 pkbx = smp->local_pk;
1543 na = smp->rrnd;
1544 nb = smp->prnd;
1545 }
1546
1547 /* Generate MacKey and LTK */
1548 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1549 if (err)
1550 return SMP_UNSPECIFIED;
1551
1552 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
1553 if (err)
1554 return SMP_UNSPECIFIED;
1555
1556 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
1557 hcon->type, hcon->dst_type,
1558 passkey, 0);
1559 if (err)
1560 return SMP_UNSPECIFIED;
1561
1562 return 0;
1563 }
1564
1565 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1566 {
1567 struct smp_ltk *key;
1568 struct hci_conn *hcon = conn->hcon;
1569
1570 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1571 if (!key)
1572 return false;
1573
1574 if (smp_ltk_sec_level(key) < sec_level)
1575 return false;
1576
1577 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1578 return true;
1579
1580 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1581 hcon->enc_key_size = key->enc_size;
1582
1583 /* We never store STKs for master role, so clear this flag */
1584 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1585
1586 return true;
1587 }
1588
1589 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1590 enum smp_key_pref key_pref)
1591 {
1592 if (sec_level == BT_SECURITY_LOW)
1593 return true;
1594
1595 /* If we're encrypted with an STK but the caller prefers using
1596 * LTK claim insufficient security. This way we allow the
1597 * connection to be re-encrypted with an LTK, even if the LTK
1598 * provides the same level of security. Only exception is if we
1599 * don't have an LTK (e.g. because of key distribution bits).
1600 */
1601 if (key_pref == SMP_USE_LTK &&
1602 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1603 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1604 return false;
1605
1606 if (hcon->sec_level >= sec_level)
1607 return true;
1608
1609 return false;
1610 }
1611
1612 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1613 {
1614 struct smp_cmd_security_req *rp = (void *) skb->data;
1615 struct smp_cmd_pairing cp;
1616 struct hci_conn *hcon = conn->hcon;
1617 struct hci_dev *hdev = hcon->hdev;
1618 struct smp_chan *smp;
1619 u8 sec_level, auth;
1620
1621 BT_DBG("conn %p", conn);
1622
1623 if (skb->len < sizeof(*rp))
1624 return SMP_INVALID_PARAMS;
1625
1626 if (hcon->role != HCI_ROLE_MASTER)
1627 return SMP_CMD_NOTSUPP;
1628
1629 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
1630
1631 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1632 sec_level = BT_SECURITY_MEDIUM;
1633 else
1634 sec_level = authreq_to_seclevel(auth);
1635
1636 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1637 return 0;
1638
1639 if (sec_level > hcon->pending_sec_level)
1640 hcon->pending_sec_level = sec_level;
1641
1642 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1643 return 0;
1644
1645 smp = smp_chan_create(conn);
1646 if (!smp)
1647 return SMP_UNSPECIFIED;
1648
1649 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
1650 (auth & SMP_AUTH_BONDING))
1651 return SMP_PAIRING_NOTSUPP;
1652
1653 skb_pull(skb, sizeof(*rp));
1654
1655 memset(&cp, 0, sizeof(cp));
1656 build_pairing_cmd(conn, &cp, NULL, auth);
1657
1658 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1659 memcpy(&smp->preq[1], &cp, sizeof(cp));
1660
1661 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1662 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1663
1664 return 0;
1665 }
1666
1667 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1668 {
1669 struct l2cap_conn *conn = hcon->l2cap_data;
1670 struct l2cap_chan *chan;
1671 struct smp_chan *smp;
1672 __u8 authreq;
1673 int ret;
1674
1675 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
1676
1677 /* This may be NULL if there's an unexpected disconnection */
1678 if (!conn)
1679 return 1;
1680
1681 chan = conn->smp;
1682
1683 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
1684 return 1;
1685
1686 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1687 return 1;
1688
1689 if (sec_level > hcon->pending_sec_level)
1690 hcon->pending_sec_level = sec_level;
1691
1692 if (hcon->role == HCI_ROLE_MASTER)
1693 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1694 return 0;
1695
1696 l2cap_chan_lock(chan);
1697
1698 /* If SMP is already in progress ignore this request */
1699 if (chan->data) {
1700 ret = 0;
1701 goto unlock;
1702 }
1703
1704 smp = smp_chan_create(conn);
1705 if (!smp) {
1706 ret = 1;
1707 goto unlock;
1708 }
1709
1710 authreq = seclevel_to_authreq(sec_level);
1711
1712 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
1713 authreq |= SMP_AUTH_SC;
1714
1715 /* Require MITM if IO Capability allows or the security level
1716 * requires it.
1717 */
1718 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
1719 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
1720 authreq |= SMP_AUTH_MITM;
1721
1722 if (hcon->role == HCI_ROLE_MASTER) {
1723 struct smp_cmd_pairing cp;
1724
1725 build_pairing_cmd(conn, &cp, NULL, authreq);
1726 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1727 memcpy(&smp->preq[1], &cp, sizeof(cp));
1728
1729 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1730 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1731 } else {
1732 struct smp_cmd_security_req cp;
1733 cp.auth_req = authreq;
1734 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1735 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
1736 }
1737
1738 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
1739 ret = 0;
1740
1741 unlock:
1742 l2cap_chan_unlock(chan);
1743 return ret;
1744 }
1745
1746 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1747 {
1748 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1749 struct l2cap_chan *chan = conn->smp;
1750 struct smp_chan *smp = chan->data;
1751
1752 BT_DBG("conn %p", conn);
1753
1754 if (skb->len < sizeof(*rp))
1755 return SMP_INVALID_PARAMS;
1756
1757 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
1758
1759 skb_pull(skb, sizeof(*rp));
1760
1761 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1762
1763 return 0;
1764 }
1765
1766 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1767 {
1768 struct smp_cmd_master_ident *rp = (void *) skb->data;
1769 struct l2cap_chan *chan = conn->smp;
1770 struct smp_chan *smp = chan->data;
1771 struct hci_dev *hdev = conn->hcon->hdev;
1772 struct hci_conn *hcon = conn->hcon;
1773 struct smp_ltk *ltk;
1774 u8 authenticated;
1775
1776 BT_DBG("conn %p", conn);
1777
1778 if (skb->len < sizeof(*rp))
1779 return SMP_INVALID_PARAMS;
1780
1781 /* Mark the information as received */
1782 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1783
1784 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1785 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1786 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1787 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1788
1789 skb_pull(skb, sizeof(*rp));
1790
1791 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
1792 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
1793 authenticated, smp->tk, smp->enc_key_size,
1794 rp->ediv, rp->rand);
1795 smp->ltk = ltk;
1796 if (!(smp->remote_key_dist & KEY_DIST_MASK))
1797 smp_distribute_keys(smp);
1798
1799 return 0;
1800 }
1801
1802 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1803 {
1804 struct smp_cmd_ident_info *info = (void *) skb->data;
1805 struct l2cap_chan *chan = conn->smp;
1806 struct smp_chan *smp = chan->data;
1807
1808 BT_DBG("");
1809
1810 if (skb->len < sizeof(*info))
1811 return SMP_INVALID_PARAMS;
1812
1813 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
1814
1815 skb_pull(skb, sizeof(*info));
1816
1817 memcpy(smp->irk, info->irk, 16);
1818
1819 return 0;
1820 }
1821
1822 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1823 struct sk_buff *skb)
1824 {
1825 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1826 struct l2cap_chan *chan = conn->smp;
1827 struct smp_chan *smp = chan->data;
1828 struct hci_conn *hcon = conn->hcon;
1829 bdaddr_t rpa;
1830
1831 BT_DBG("");
1832
1833 if (skb->len < sizeof(*info))
1834 return SMP_INVALID_PARAMS;
1835
1836 /* Mark the information as received */
1837 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1838
1839 if (smp->remote_key_dist & SMP_DIST_SIGN)
1840 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1841
1842 skb_pull(skb, sizeof(*info));
1843
1844 /* Strictly speaking the Core Specification (4.1) allows sending
1845 * an empty address which would force us to rely on just the IRK
1846 * as "identity information". However, since such
1847 * implementations are not known of and in order to not over
1848 * complicate our implementation, simply pretend that we never
1849 * received an IRK for such a device.
1850 */
1851 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1852 BT_ERR("Ignoring IRK with no identity address");
1853 goto distribute;
1854 }
1855
1856 bacpy(&smp->id_addr, &info->bdaddr);
1857 smp->id_addr_type = info->addr_type;
1858
1859 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1860 bacpy(&rpa, &hcon->dst);
1861 else
1862 bacpy(&rpa, BDADDR_ANY);
1863
1864 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1865 smp->id_addr_type, smp->irk, &rpa);
1866
1867 distribute:
1868 if (!(smp->remote_key_dist & KEY_DIST_MASK))
1869 smp_distribute_keys(smp);
1870
1871 return 0;
1872 }
1873
1874 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1875 {
1876 struct smp_cmd_sign_info *rp = (void *) skb->data;
1877 struct l2cap_chan *chan = conn->smp;
1878 struct smp_chan *smp = chan->data;
1879 struct smp_csrk *csrk;
1880
1881 BT_DBG("conn %p", conn);
1882
1883 if (skb->len < sizeof(*rp))
1884 return SMP_INVALID_PARAMS;
1885
1886 /* Mark the information as received */
1887 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1888
1889 skb_pull(skb, sizeof(*rp));
1890
1891 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1892 if (csrk) {
1893 csrk->master = 0x01;
1894 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1895 }
1896 smp->csrk = csrk;
1897 smp_distribute_keys(smp);
1898
1899 return 0;
1900 }
1901
1902 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
1903 {
1904 struct smp_cmd_public_key *key = (void *) skb->data;
1905 struct hci_conn *hcon = conn->hcon;
1906 struct l2cap_chan *chan = conn->smp;
1907 struct smp_chan *smp = chan->data;
1908 struct smp_cmd_pairing_confirm cfm;
1909 int err;
1910
1911 BT_DBG("conn %p", conn);
1912
1913 if (skb->len < sizeof(*key))
1914 return SMP_INVALID_PARAMS;
1915
1916 memcpy(smp->remote_pk, key, 64);
1917
1918 /* Non-initiating device sends its public key after receiving
1919 * the key from the initiating device.
1920 */
1921 if (!hcon->out) {
1922 err = sc_send_public_key(smp);
1923 if (err)
1924 return err;
1925 }
1926
1927 BT_DBG("Remote Public Key X: %32phN", smp->remote_pk);
1928 BT_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
1929
1930 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
1931 return SMP_UNSPECIFIED;
1932
1933 BT_DBG("DHKey %32phN", smp->dhkey);
1934
1935 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
1936
1937 /* The Initiating device waits for the non-initiating device to
1938 * send the confirm value.
1939 */
1940 if (conn->hcon->out)
1941 return 0;
1942
1943 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
1944 0, cfm.confirm_val);
1945 if (err)
1946 return SMP_UNSPECIFIED;
1947
1948 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1949 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1950
1951 return 0;
1952 }
1953
1954 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
1955 {
1956 struct smp_cmd_dhkey_check *check = (void *) skb->data;
1957 struct l2cap_chan *chan = conn->smp;
1958 struct hci_conn *hcon = conn->hcon;
1959 struct smp_chan *smp = chan->data;
1960 u8 a[7], b[7], *local_addr, *remote_addr;
1961 u8 io_cap[3], r[16], e[16];
1962 int err;
1963
1964 BT_DBG("conn %p", conn);
1965
1966 if (skb->len < sizeof(*check))
1967 return SMP_INVALID_PARAMS;
1968
1969 memcpy(a, &hcon->init_addr, 6);
1970 memcpy(b, &hcon->resp_addr, 6);
1971 a[6] = hcon->init_addr_type;
1972 b[6] = hcon->resp_addr_type;
1973
1974 if (hcon->out) {
1975 local_addr = a;
1976 remote_addr = b;
1977 memcpy(io_cap, &smp->prsp[1], 3);
1978 } else {
1979 local_addr = b;
1980 remote_addr = a;
1981 memcpy(io_cap, &smp->preq[1], 3);
1982 }
1983
1984 memset(r, 0, sizeof(r));
1985
1986 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
1987 io_cap, remote_addr, local_addr, e);
1988 if (err)
1989 return SMP_UNSPECIFIED;
1990
1991 if (memcmp(check->e, e, 16))
1992 return SMP_DHKEY_CHECK_FAILED;
1993
1994 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1995 SMP_LTK_P256, 0, smp->tk, smp->enc_key_size,
1996 0, 0);
1997
1998 if (hcon->out) {
1999 hci_le_start_enc(hcon, 0, 0, smp->tk);
2000 hcon->enc_key_size = smp->enc_key_size;
2001 }
2002
2003 return 0;
2004 }
2005
2006 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2007 {
2008 struct l2cap_conn *conn = chan->conn;
2009 struct hci_conn *hcon = conn->hcon;
2010 struct smp_chan *smp;
2011 __u8 code, reason;
2012 int err = 0;
2013
2014 if (hcon->type != LE_LINK) {
2015 kfree_skb(skb);
2016 return 0;
2017 }
2018
2019 if (skb->len < 1)
2020 return -EILSEQ;
2021
2022 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2023 reason = SMP_PAIRING_NOTSUPP;
2024 goto done;
2025 }
2026
2027 code = skb->data[0];
2028 skb_pull(skb, sizeof(code));
2029
2030 smp = chan->data;
2031
2032 if (code > SMP_CMD_MAX)
2033 goto drop;
2034
2035 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2036 goto drop;
2037
2038 /* If we don't have a context the only allowed commands are
2039 * pairing request and security request.
2040 */
2041 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2042 goto drop;
2043
2044 switch (code) {
2045 case SMP_CMD_PAIRING_REQ:
2046 reason = smp_cmd_pairing_req(conn, skb);
2047 break;
2048
2049 case SMP_CMD_PAIRING_FAIL:
2050 smp_failure(conn, 0);
2051 err = -EPERM;
2052 break;
2053
2054 case SMP_CMD_PAIRING_RSP:
2055 reason = smp_cmd_pairing_rsp(conn, skb);
2056 break;
2057
2058 case SMP_CMD_SECURITY_REQ:
2059 reason = smp_cmd_security_req(conn, skb);
2060 break;
2061
2062 case SMP_CMD_PAIRING_CONFIRM:
2063 reason = smp_cmd_pairing_confirm(conn, skb);
2064 break;
2065
2066 case SMP_CMD_PAIRING_RANDOM:
2067 reason = smp_cmd_pairing_random(conn, skb);
2068 break;
2069
2070 case SMP_CMD_ENCRYPT_INFO:
2071 reason = smp_cmd_encrypt_info(conn, skb);
2072 break;
2073
2074 case SMP_CMD_MASTER_IDENT:
2075 reason = smp_cmd_master_ident(conn, skb);
2076 break;
2077
2078 case SMP_CMD_IDENT_INFO:
2079 reason = smp_cmd_ident_info(conn, skb);
2080 break;
2081
2082 case SMP_CMD_IDENT_ADDR_INFO:
2083 reason = smp_cmd_ident_addr_info(conn, skb);
2084 break;
2085
2086 case SMP_CMD_SIGN_INFO:
2087 reason = smp_cmd_sign_info(conn, skb);
2088 break;
2089
2090 case SMP_CMD_PUBLIC_KEY:
2091 reason = smp_cmd_public_key(conn, skb);
2092 break;
2093
2094 case SMP_CMD_DHKEY_CHECK:
2095 reason = smp_cmd_dhkey_check(conn, skb);
2096 break;
2097
2098 default:
2099 BT_DBG("Unknown command code 0x%2.2x", code);
2100 reason = SMP_CMD_NOTSUPP;
2101 goto done;
2102 }
2103
2104 done:
2105 if (!err) {
2106 if (reason)
2107 smp_failure(conn, reason);
2108 kfree_skb(skb);
2109 }
2110
2111 return err;
2112
2113 drop:
2114 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2115 code, &hcon->dst);
2116 kfree_skb(skb);
2117 return 0;
2118 }
2119
2120 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2121 {
2122 struct l2cap_conn *conn = chan->conn;
2123
2124 BT_DBG("chan %p", chan);
2125
2126 if (chan->data)
2127 smp_chan_destroy(conn);
2128
2129 conn->smp = NULL;
2130 l2cap_chan_put(chan);
2131 }
2132
2133 static void smp_resume_cb(struct l2cap_chan *chan)
2134 {
2135 struct smp_chan *smp = chan->data;
2136 struct l2cap_conn *conn = chan->conn;
2137 struct hci_conn *hcon = conn->hcon;
2138
2139 BT_DBG("chan %p", chan);
2140
2141 if (!smp)
2142 return;
2143
2144 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2145 return;
2146
2147 cancel_delayed_work(&smp->security_timer);
2148
2149 smp_distribute_keys(smp);
2150 }
2151
2152 static void smp_ready_cb(struct l2cap_chan *chan)
2153 {
2154 struct l2cap_conn *conn = chan->conn;
2155
2156 BT_DBG("chan %p", chan);
2157
2158 conn->smp = chan;
2159 l2cap_chan_hold(chan);
2160 }
2161
2162 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2163 {
2164 int err;
2165
2166 BT_DBG("chan %p", chan);
2167
2168 err = smp_sig_channel(chan, skb);
2169 if (err) {
2170 struct smp_chan *smp = chan->data;
2171
2172 if (smp)
2173 cancel_delayed_work_sync(&smp->security_timer);
2174
2175 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2176 }
2177
2178 return err;
2179 }
2180
2181 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2182 unsigned long hdr_len,
2183 unsigned long len, int nb)
2184 {
2185 struct sk_buff *skb;
2186
2187 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2188 if (!skb)
2189 return ERR_PTR(-ENOMEM);
2190
2191 skb->priority = HCI_PRIO_MAX;
2192 bt_cb(skb)->chan = chan;
2193
2194 return skb;
2195 }
2196
2197 static const struct l2cap_ops smp_chan_ops = {
2198 .name = "Security Manager",
2199 .ready = smp_ready_cb,
2200 .recv = smp_recv_cb,
2201 .alloc_skb = smp_alloc_skb_cb,
2202 .teardown = smp_teardown_cb,
2203 .resume = smp_resume_cb,
2204
2205 .new_connection = l2cap_chan_no_new_connection,
2206 .state_change = l2cap_chan_no_state_change,
2207 .close = l2cap_chan_no_close,
2208 .defer = l2cap_chan_no_defer,
2209 .suspend = l2cap_chan_no_suspend,
2210 .set_shutdown = l2cap_chan_no_set_shutdown,
2211 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2212 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2213 };
2214
2215 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2216 {
2217 struct l2cap_chan *chan;
2218
2219 BT_DBG("pchan %p", pchan);
2220
2221 chan = l2cap_chan_create();
2222 if (!chan)
2223 return NULL;
2224
2225 chan->chan_type = pchan->chan_type;
2226 chan->ops = &smp_chan_ops;
2227 chan->scid = pchan->scid;
2228 chan->dcid = chan->scid;
2229 chan->imtu = pchan->imtu;
2230 chan->omtu = pchan->omtu;
2231 chan->mode = pchan->mode;
2232
2233 /* Other L2CAP channels may request SMP routines in order to
2234 * change the security level. This means that the SMP channel
2235 * lock must be considered in its own category to avoid lockdep
2236 * warnings.
2237 */
2238 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2239
2240 BT_DBG("created chan %p", chan);
2241
2242 return chan;
2243 }
2244
2245 static const struct l2cap_ops smp_root_chan_ops = {
2246 .name = "Security Manager Root",
2247 .new_connection = smp_new_conn_cb,
2248
2249 /* None of these are implemented for the root channel */
2250 .close = l2cap_chan_no_close,
2251 .alloc_skb = l2cap_chan_no_alloc_skb,
2252 .recv = l2cap_chan_no_recv,
2253 .state_change = l2cap_chan_no_state_change,
2254 .teardown = l2cap_chan_no_teardown,
2255 .ready = l2cap_chan_no_ready,
2256 .defer = l2cap_chan_no_defer,
2257 .suspend = l2cap_chan_no_suspend,
2258 .resume = l2cap_chan_no_resume,
2259 .set_shutdown = l2cap_chan_no_set_shutdown,
2260 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2261 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2262 };
2263
2264 int smp_register(struct hci_dev *hdev)
2265 {
2266 struct l2cap_chan *chan;
2267 struct crypto_blkcipher *tfm_aes;
2268
2269 BT_DBG("%s", hdev->name);
2270
2271 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2272 if (IS_ERR(tfm_aes)) {
2273 int err = PTR_ERR(tfm_aes);
2274 BT_ERR("Unable to create crypto context");
2275 return err;
2276 }
2277
2278 chan = l2cap_chan_create();
2279 if (!chan) {
2280 crypto_free_blkcipher(tfm_aes);
2281 return -ENOMEM;
2282 }
2283
2284 chan->data = tfm_aes;
2285
2286 l2cap_add_scid(chan, L2CAP_CID_SMP);
2287
2288 l2cap_chan_set_defaults(chan);
2289
2290 bacpy(&chan->src, &hdev->bdaddr);
2291 chan->src_type = BDADDR_LE_PUBLIC;
2292 chan->state = BT_LISTEN;
2293 chan->mode = L2CAP_MODE_BASIC;
2294 chan->imtu = L2CAP_DEFAULT_MTU;
2295 chan->ops = &smp_root_chan_ops;
2296
2297 /* Set correct nesting level for a parent/listening channel */
2298 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2299
2300 hdev->smp_data = chan;
2301
2302 return 0;
2303 }
2304
2305 void smp_unregister(struct hci_dev *hdev)
2306 {
2307 struct l2cap_chan *chan = hdev->smp_data;
2308 struct crypto_blkcipher *tfm_aes;
2309
2310 if (!chan)
2311 return;
2312
2313 BT_DBG("%s chan %p", hdev->name, chan);
2314
2315 tfm_aes = chan->data;
2316 if (tfm_aes) {
2317 chan->data = NULL;
2318 crypto_free_blkcipher(tfm_aes);
2319 }
2320
2321 hdev->smp_data = NULL;
2322 l2cap_chan_put(chan);
2323 }
Linux kernel - Deliverables
This page took 0.079553 seconds and 5 git commands to generate.