projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Add basic support for sending our LE SC public key
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "ecc.h"
33 #include "smp.h"
34
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
36
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
39
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
41
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
43 0x1f : 0x07)
44 #define KEY_DIST_MASK 0x07
45
46 enum {
47 SMP_FLAG_TK_VALID,
48 SMP_FLAG_CFM_PENDING,
49 SMP_FLAG_MITM_AUTH,
50 SMP_FLAG_COMPLETE,
51 SMP_FLAG_INITIATOR,
52 SMP_FLAG_SC,
53 };
54
55 struct smp_chan {
56 struct l2cap_conn *conn;
57 struct delayed_work security_timer;
58 unsigned long allow_cmd; /* Bitmask of allowed commands */
59
60 u8 preq[7]; /* SMP Pairing Request */
61 u8 prsp[7]; /* SMP Pairing Response */
62 u8 prnd[16]; /* SMP Pairing Random (local) */
63 u8 rrnd[16]; /* SMP Pairing Random (remote) */
64 u8 pcnf[16]; /* SMP Pairing Confirm */
65 u8 tk[16]; /* SMP Temporary Key */
66 u8 enc_key_size;
67 u8 remote_key_dist;
68 bdaddr_t id_addr;
69 u8 id_addr_type;
70 u8 irk[16];
71 struct smp_csrk *csrk;
72 struct smp_csrk *slave_csrk;
73 struct smp_ltk *ltk;
74 struct smp_ltk *slave_ltk;
75 struct smp_irk *remote_irk;
76 unsigned long flags;
77
78 /* Secure Connections variables */
79 u8 local_pk[64];
80 u8 local_sk[32];
81
82 struct crypto_blkcipher *tfm_aes;
83 struct crypto_hash *tfm_cmac;
84 };
85
86 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
87 {
88 size_t i;
89
90 for (i = 0; i < len; i++)
91 dst[len - 1 - i] = src[i];
92 }
93
94 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
95 {
96 struct blkcipher_desc desc;
97 struct scatterlist sg;
98 uint8_t tmp[16], data[16];
99 int err;
100
101 if (tfm == NULL) {
102 BT_ERR("tfm %p", tfm);
103 return -EINVAL;
104 }
105
106 desc.tfm = tfm;
107 desc.flags = 0;
108
109 /* The most significant octet of key corresponds to k[0] */
110 swap_buf(k, tmp, 16);
111
112 err = crypto_blkcipher_setkey(tfm, tmp, 16);
113 if (err) {
114 BT_ERR("cipher setkey failed: %d", err);
115 return err;
116 }
117
118 /* Most significant octet of plaintextData corresponds to data[0] */
119 swap_buf(r, data, 16);
120
121 sg_init_one(&sg, data, 16);
122
123 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
124 if (err)
125 BT_ERR("Encrypt data error %d", err);
126
127 /* Most significant octet of encryptedData corresponds to data[0] */
128 swap_buf(data, r, 16);
129
130 return err;
131 }
132
133 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
134 {
135 u8 _res[16];
136 int err;
137
138 /* r' = padding || r */
139 memcpy(_res, r, 3);
140 memset(_res + 3, 0, 13);
141
142 err = smp_e(tfm, irk, _res);
143 if (err) {
144 BT_ERR("Encrypt error");
145 return err;
146 }
147
148 /* The output of the random address function ah is:
149 * ah(h, r) = e(k, r') mod 2^24
150 * The output of the security function e is then truncated to 24 bits
151 * by taking the least significant 24 bits of the output of e as the
152 * result of ah.
153 */
154 memcpy(res, _res, 3);
155
156 return 0;
157 }
158
159 bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
160 {
161 struct l2cap_chan *chan = hdev->smp_data;
162 struct crypto_blkcipher *tfm;
163 u8 hash[3];
164 int err;
165
166 if (!chan || !chan->data)
167 return false;
168
169 tfm = chan->data;
170
171 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
172
173 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
174 if (err)
175 return false;
176
177 return !memcmp(bdaddr->b, hash, 3);
178 }
179
180 int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
181 {
182 struct l2cap_chan *chan = hdev->smp_data;
183 struct crypto_blkcipher *tfm;
184 int err;
185
186 if (!chan || !chan->data)
187 return -EOPNOTSUPP;
188
189 tfm = chan->data;
190
191 get_random_bytes(&rpa->b[3], 3);
192
193 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
194 rpa->b[5] |= 0x40; /* Set second most significant bit */
195
196 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
197 if (err < 0)
198 return err;
199
200 BT_DBG("RPA %pMR", rpa);
201
202 return 0;
203 }
204
205 static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
206 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
207 bdaddr_t *ra, u8 res[16])
208 {
209 u8 p1[16], p2[16];
210 int err;
211
212 memset(p1, 0, 16);
213
214 /* p1 = pres || preq || _rat || _iat */
215 p1[0] = _iat;
216 p1[1] = _rat;
217 memcpy(p1 + 2, preq, 7);
218 memcpy(p1 + 9, pres, 7);
219
220 /* p2 = padding || ia || ra */
221 memcpy(p2, ra, 6);
222 memcpy(p2 + 6, ia, 6);
223 memset(p2 + 12, 0, 4);
224
225 /* res = r XOR p1 */
226 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
227
228 /* res = e(k, res) */
229 err = smp_e(tfm_aes, k, res);
230 if (err) {
231 BT_ERR("Encrypt data error");
232 return err;
233 }
234
235 /* res = res XOR p2 */
236 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
237
238 /* res = e(k, res) */
239 err = smp_e(tfm_aes, k, res);
240 if (err)
241 BT_ERR("Encrypt data error");
242
243 return err;
244 }
245
246 static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
247 u8 r2[16], u8 _r[16])
248 {
249 int err;
250
251 /* Just least significant octets from r1 and r2 are considered */
252 memcpy(_r, r2, 8);
253 memcpy(_r + 8, r1, 8);
254
255 err = smp_e(tfm_aes, k, _r);
256 if (err)
257 BT_ERR("Encrypt data error");
258
259 return err;
260 }
261
262 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
263 {
264 struct l2cap_chan *chan = conn->smp;
265 struct smp_chan *smp;
266 struct kvec iv[2];
267 struct msghdr msg;
268
269 if (!chan)
270 return;
271
272 BT_DBG("code 0x%2.2x", code);
273
274 iv[0].iov_base = &code;
275 iv[0].iov_len = 1;
276
277 iv[1].iov_base = data;
278 iv[1].iov_len = len;
279
280 memset(&msg, 0, sizeof(msg));
281
282 msg.msg_iov = (struct iovec *) &iv;
283 msg.msg_iovlen = 2;
284
285 l2cap_chan_send(chan, &msg, 1 + len);
286
287 if (!chan->data)
288 return;
289
290 smp = chan->data;
291
292 cancel_delayed_work_sync(&smp->security_timer);
293 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
294 }
295
296 static u8 authreq_to_seclevel(u8 authreq)
297 {
298 if (authreq & SMP_AUTH_MITM) {
299 if (authreq & SMP_AUTH_SC)
300 return BT_SECURITY_FIPS;
301 else
302 return BT_SECURITY_HIGH;
303 } else {
304 return BT_SECURITY_MEDIUM;
305 }
306 }
307
308 static __u8 seclevel_to_authreq(__u8 sec_level)
309 {
310 switch (sec_level) {
311 case BT_SECURITY_FIPS:
312 case BT_SECURITY_HIGH:
313 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
314 case BT_SECURITY_MEDIUM:
315 return SMP_AUTH_BONDING;
316 default:
317 return SMP_AUTH_NONE;
318 }
319 }
320
321 static void build_pairing_cmd(struct l2cap_conn *conn,
322 struct smp_cmd_pairing *req,
323 struct smp_cmd_pairing *rsp, __u8 authreq)
324 {
325 struct l2cap_chan *chan = conn->smp;
326 struct smp_chan *smp = chan->data;
327 struct hci_conn *hcon = conn->hcon;
328 struct hci_dev *hdev = hcon->hdev;
329 u8 local_dist = 0, remote_dist = 0;
330
331 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
332 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
333 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
334 authreq |= SMP_AUTH_BONDING;
335 } else {
336 authreq &= ~SMP_AUTH_BONDING;
337 }
338
339 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
340 remote_dist |= SMP_DIST_ID_KEY;
341
342 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
343 local_dist |= SMP_DIST_ID_KEY;
344
345 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
346 if ((authreq & SMP_AUTH_SC) &&
347 test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
348 local_dist |= SMP_DIST_LINK_KEY;
349 remote_dist |= SMP_DIST_LINK_KEY;
350 }
351 } else {
352 authreq &= ~SMP_AUTH_SC;
353 }
354
355 if (rsp == NULL) {
356 req->io_capability = conn->hcon->io_capability;
357 req->oob_flag = SMP_OOB_NOT_PRESENT;
358 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
359 req->init_key_dist = local_dist;
360 req->resp_key_dist = remote_dist;
361 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
362
363 smp->remote_key_dist = remote_dist;
364 return;
365 }
366
367 rsp->io_capability = conn->hcon->io_capability;
368 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
369 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
370 rsp->init_key_dist = req->init_key_dist & remote_dist;
371 rsp->resp_key_dist = req->resp_key_dist & local_dist;
372 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
373
374 smp->remote_key_dist = rsp->init_key_dist;
375 }
376
377 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
378 {
379 struct l2cap_chan *chan = conn->smp;
380 struct smp_chan *smp = chan->data;
381
382 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
383 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
384 return SMP_ENC_KEY_SIZE;
385
386 smp->enc_key_size = max_key_size;
387
388 return 0;
389 }
390
391 static void smp_chan_destroy(struct l2cap_conn *conn)
392 {
393 struct l2cap_chan *chan = conn->smp;
394 struct smp_chan *smp = chan->data;
395 bool complete;
396
397 BUG_ON(!smp);
398
399 cancel_delayed_work_sync(&smp->security_timer);
400
401 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
402 mgmt_smp_complete(conn->hcon, complete);
403
404 kfree(smp->csrk);
405 kfree(smp->slave_csrk);
406
407 crypto_free_blkcipher(smp->tfm_aes);
408 crypto_free_hash(smp->tfm_cmac);
409
410 /* If pairing failed clean up any keys we might have */
411 if (!complete) {
412 if (smp->ltk) {
413 list_del_rcu(&smp->ltk->list);
414 kfree_rcu(smp->ltk, rcu);
415 }
416
417 if (smp->slave_ltk) {
418 list_del_rcu(&smp->slave_ltk->list);
419 kfree_rcu(smp->slave_ltk, rcu);
420 }
421
422 if (smp->remote_irk) {
423 list_del_rcu(&smp->remote_irk->list);
424 kfree_rcu(smp->remote_irk, rcu);
425 }
426 }
427
428 chan->data = NULL;
429 kfree(smp);
430 hci_conn_drop(conn->hcon);
431 }
432
433 static void smp_failure(struct l2cap_conn *conn, u8 reason)
434 {
435 struct hci_conn *hcon = conn->hcon;
436 struct l2cap_chan *chan = conn->smp;
437
438 if (reason)
439 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
440 &reason);
441
442 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
443 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
444
445 if (chan->data)
446 smp_chan_destroy(conn);
447 }
448
449 #define JUST_WORKS 0x00
450 #define JUST_CFM 0x01
451 #define REQ_PASSKEY 0x02
452 #define CFM_PASSKEY 0x03
453 #define REQ_OOB 0x04
454 #define OVERLAP 0xFF
455
456 static const u8 gen_method[5][5] = {
457 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
458 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
459 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
460 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
461 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
462 };
463
464 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
465 {
466 /* If either side has unknown io_caps, use JUST_CFM (which gets
467 * converted later to JUST_WORKS if we're initiators.
468 */
469 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
470 remote_io > SMP_IO_KEYBOARD_DISPLAY)
471 return JUST_CFM;
472
473 return gen_method[remote_io][local_io];
474 }
475
476 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
477 u8 local_io, u8 remote_io)
478 {
479 struct hci_conn *hcon = conn->hcon;
480 struct l2cap_chan *chan = conn->smp;
481 struct smp_chan *smp = chan->data;
482 u8 method;
483 u32 passkey = 0;
484 int ret = 0;
485
486 /* Initialize key for JUST WORKS */
487 memset(smp->tk, 0, sizeof(smp->tk));
488 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
489
490 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
491
492 /* If neither side wants MITM, either "just" confirm an incoming
493 * request or use just-works for outgoing ones. The JUST_CFM
494 * will be converted to JUST_WORKS if necessary later in this
495 * function. If either side has MITM look up the method from the
496 * table.
497 */
498 if (!(auth & SMP_AUTH_MITM))
499 method = JUST_CFM;
500 else
501 method = get_auth_method(smp, local_io, remote_io);
502
503 /* Don't confirm locally initiated pairing attempts */
504 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
505 method = JUST_WORKS;
506
507 /* Don't bother user space with no IO capabilities */
508 if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
509 method = JUST_WORKS;
510
511 /* If Just Works, Continue with Zero TK */
512 if (method == JUST_WORKS) {
513 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
514 return 0;
515 }
516
517 /* Not Just Works/Confirm results in MITM Authentication */
518 if (method != JUST_CFM) {
519 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
520 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
521 hcon->pending_sec_level = BT_SECURITY_HIGH;
522 }
523
524 /* If both devices have Keyoard-Display I/O, the master
525 * Confirms and the slave Enters the passkey.
526 */
527 if (method == OVERLAP) {
528 if (hcon->role == HCI_ROLE_MASTER)
529 method = CFM_PASSKEY;
530 else
531 method = REQ_PASSKEY;
532 }
533
534 /* Generate random passkey. */
535 if (method == CFM_PASSKEY) {
536 memset(smp->tk, 0, sizeof(smp->tk));
537 get_random_bytes(&passkey, sizeof(passkey));
538 passkey %= 1000000;
539 put_unaligned_le32(passkey, smp->tk);
540 BT_DBG("PassKey: %d", passkey);
541 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
542 }
543
544 if (method == REQ_PASSKEY)
545 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
546 hcon->type, hcon->dst_type);
547 else if (method == JUST_CFM)
548 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
549 hcon->type, hcon->dst_type,
550 passkey, 1);
551 else
552 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
553 hcon->type, hcon->dst_type,
554 passkey, 0);
555
556 return ret;
557 }
558
559 static u8 smp_confirm(struct smp_chan *smp)
560 {
561 struct l2cap_conn *conn = smp->conn;
562 struct smp_cmd_pairing_confirm cp;
563 int ret;
564
565 BT_DBG("conn %p", conn);
566
567 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
568 conn->hcon->init_addr_type, &conn->hcon->init_addr,
569 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
570 cp.confirm_val);
571 if (ret)
572 return SMP_UNSPECIFIED;
573
574 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
575
576 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
577
578 if (conn->hcon->out)
579 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
580 else
581 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
582
583 return 0;
584 }
585
586 static u8 smp_random(struct smp_chan *smp)
587 {
588 struct l2cap_conn *conn = smp->conn;
589 struct hci_conn *hcon = conn->hcon;
590 u8 confirm[16];
591 int ret;
592
593 if (IS_ERR_OR_NULL(smp->tfm_aes))
594 return SMP_UNSPECIFIED;
595
596 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
597
598 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
599 hcon->init_addr_type, &hcon->init_addr,
600 hcon->resp_addr_type, &hcon->resp_addr, confirm);
601 if (ret)
602 return SMP_UNSPECIFIED;
603
604 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
605 BT_ERR("Pairing failed (confirmation values mismatch)");
606 return SMP_CONFIRM_FAILED;
607 }
608
609 if (hcon->out) {
610 u8 stk[16];
611 __le64 rand = 0;
612 __le16 ediv = 0;
613
614 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
615
616 memset(stk + smp->enc_key_size, 0,
617 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
618
619 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
620 return SMP_UNSPECIFIED;
621
622 hci_le_start_enc(hcon, ediv, rand, stk);
623 hcon->enc_key_size = smp->enc_key_size;
624 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
625 } else {
626 u8 stk[16], auth;
627 __le64 rand = 0;
628 __le16 ediv = 0;
629
630 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
631 smp->prnd);
632
633 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
634
635 memset(stk + smp->enc_key_size, 0,
636 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
637
638 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
639 auth = 1;
640 else
641 auth = 0;
642
643 /* Even though there's no _SLAVE suffix this is the
644 * slave STK we're adding for later lookup (the master
645 * STK never needs to be stored).
646 */
647 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
648 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
649 }
650
651 return 0;
652 }
653
654 static void smp_notify_keys(struct l2cap_conn *conn)
655 {
656 struct l2cap_chan *chan = conn->smp;
657 struct smp_chan *smp = chan->data;
658 struct hci_conn *hcon = conn->hcon;
659 struct hci_dev *hdev = hcon->hdev;
660 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
661 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
662 bool persistent;
663
664 if (smp->remote_irk) {
665 mgmt_new_irk(hdev, smp->remote_irk);
666 /* Now that user space can be considered to know the
667 * identity address track the connection based on it
668 * from now on.
669 */
670 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
671 hcon->dst_type = smp->remote_irk->addr_type;
672 queue_work(hdev->workqueue, &conn->id_addr_update_work);
673
674 /* When receiving an indentity resolving key for
675 * a remote device that does not use a resolvable
676 * private address, just remove the key so that
677 * it is possible to use the controller white
678 * list for scanning.
679 *
680 * Userspace will have been told to not store
681 * this key at this point. So it is safe to
682 * just remove it.
683 */
684 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
685 list_del_rcu(&smp->remote_irk->list);
686 kfree_rcu(smp->remote_irk, rcu);
687 smp->remote_irk = NULL;
688 }
689 }
690
691 /* The LTKs and CSRKs should be persistent only if both sides
692 * had the bonding bit set in their authentication requests.
693 */
694 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
695
696 if (smp->csrk) {
697 smp->csrk->bdaddr_type = hcon->dst_type;
698 bacpy(&smp->csrk->bdaddr, &hcon->dst);
699 mgmt_new_csrk(hdev, smp->csrk, persistent);
700 }
701
702 if (smp->slave_csrk) {
703 smp->slave_csrk->bdaddr_type = hcon->dst_type;
704 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
705 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
706 }
707
708 if (smp->ltk) {
709 smp->ltk->bdaddr_type = hcon->dst_type;
710 bacpy(&smp->ltk->bdaddr, &hcon->dst);
711 mgmt_new_ltk(hdev, smp->ltk, persistent);
712 }
713
714 if (smp->slave_ltk) {
715 smp->slave_ltk->bdaddr_type = hcon->dst_type;
716 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
717 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
718 }
719 }
720
721 static void smp_allow_key_dist(struct smp_chan *smp)
722 {
723 /* Allow the first expected phase 3 PDU. The rest of the PDUs
724 * will be allowed in each PDU handler to ensure we receive
725 * them in the correct order.
726 */
727 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
728 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
729 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
730 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
731 else if (smp->remote_key_dist & SMP_DIST_SIGN)
732 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
733 }
734
735 static void smp_distribute_keys(struct smp_chan *smp)
736 {
737 struct smp_cmd_pairing *req, *rsp;
738 struct l2cap_conn *conn = smp->conn;
739 struct hci_conn *hcon = conn->hcon;
740 struct hci_dev *hdev = hcon->hdev;
741 __u8 *keydist;
742
743 BT_DBG("conn %p", conn);
744
745 rsp = (void *) &smp->prsp[1];
746
747 /* The responder sends its keys first */
748 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
749 smp_allow_key_dist(smp);
750 return;
751 }
752
753 req = (void *) &smp->preq[1];
754
755 if (hcon->out) {
756 keydist = &rsp->init_key_dist;
757 *keydist &= req->init_key_dist;
758 } else {
759 keydist = &rsp->resp_key_dist;
760 *keydist &= req->resp_key_dist;
761 }
762
763 BT_DBG("keydist 0x%x", *keydist);
764
765 if (*keydist & SMP_DIST_ENC_KEY) {
766 struct smp_cmd_encrypt_info enc;
767 struct smp_cmd_master_ident ident;
768 struct smp_ltk *ltk;
769 u8 authenticated;
770 __le16 ediv;
771 __le64 rand;
772
773 get_random_bytes(enc.ltk, sizeof(enc.ltk));
774 get_random_bytes(&ediv, sizeof(ediv));
775 get_random_bytes(&rand, sizeof(rand));
776
777 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
778
779 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
780 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
781 SMP_LTK_SLAVE, authenticated, enc.ltk,
782 smp->enc_key_size, ediv, rand);
783 smp->slave_ltk = ltk;
784
785 ident.ediv = ediv;
786 ident.rand = rand;
787
788 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
789
790 *keydist &= ~SMP_DIST_ENC_KEY;
791 }
792
793 if (*keydist & SMP_DIST_ID_KEY) {
794 struct smp_cmd_ident_addr_info addrinfo;
795 struct smp_cmd_ident_info idinfo;
796
797 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
798
799 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
800
801 /* The hci_conn contains the local identity address
802 * after the connection has been established.
803 *
804 * This is true even when the connection has been
805 * established using a resolvable random address.
806 */
807 bacpy(&addrinfo.bdaddr, &hcon->src);
808 addrinfo.addr_type = hcon->src_type;
809
810 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
811 &addrinfo);
812
813 *keydist &= ~SMP_DIST_ID_KEY;
814 }
815
816 if (*keydist & SMP_DIST_SIGN) {
817 struct smp_cmd_sign_info sign;
818 struct smp_csrk *csrk;
819
820 /* Generate a new random key */
821 get_random_bytes(sign.csrk, sizeof(sign.csrk));
822
823 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
824 if (csrk) {
825 csrk->master = 0x00;
826 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
827 }
828 smp->slave_csrk = csrk;
829
830 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
831
832 *keydist &= ~SMP_DIST_SIGN;
833 }
834
835 /* If there are still keys to be received wait for them */
836 if (smp->remote_key_dist & KEY_DIST_MASK) {
837 smp_allow_key_dist(smp);
838 return;
839 }
840
841 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
842 smp_notify_keys(conn);
843
844 smp_chan_destroy(conn);
845 }
846
847 static void smp_timeout(struct work_struct *work)
848 {
849 struct smp_chan *smp = container_of(work, struct smp_chan,
850 security_timer.work);
851 struct l2cap_conn *conn = smp->conn;
852
853 BT_DBG("conn %p", conn);
854
855 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
856 }
857
858 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
859 {
860 struct l2cap_chan *chan = conn->smp;
861 struct smp_chan *smp;
862
863 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
864 if (!smp)
865 return NULL;
866
867 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
868 if (IS_ERR(smp->tfm_aes)) {
869 BT_ERR("Unable to create ECB crypto context");
870 kfree(smp);
871 return NULL;
872 }
873
874 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
875 if (IS_ERR(smp->tfm_cmac)) {
876 BT_ERR("Unable to create CMAC crypto context");
877 crypto_free_blkcipher(smp->tfm_aes);
878 kfree(smp);
879 return NULL;
880 }
881
882 smp->conn = conn;
883 chan->data = smp;
884
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
886
887 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
888
889 hci_conn_hold(conn->hcon);
890
891 return smp;
892 }
893
894 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
895 {
896 struct l2cap_conn *conn = hcon->l2cap_data;
897 struct l2cap_chan *chan;
898 struct smp_chan *smp;
899 u32 value;
900 int err;
901
902 BT_DBG("");
903
904 if (!conn)
905 return -ENOTCONN;
906
907 chan = conn->smp;
908 if (!chan)
909 return -ENOTCONN;
910
911 l2cap_chan_lock(chan);
912 if (!chan->data) {
913 err = -ENOTCONN;
914 goto unlock;
915 }
916
917 smp = chan->data;
918
919 switch (mgmt_op) {
920 case MGMT_OP_USER_PASSKEY_REPLY:
921 value = le32_to_cpu(passkey);
922 memset(smp->tk, 0, sizeof(smp->tk));
923 BT_DBG("PassKey: %d", value);
924 put_unaligned_le32(value, smp->tk);
925 /* Fall Through */
926 case MGMT_OP_USER_CONFIRM_REPLY:
927 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
928 break;
929 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
930 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
931 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
932 err = 0;
933 goto unlock;
934 default:
935 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
936 err = -EOPNOTSUPP;
937 goto unlock;
938 }
939
940 err = 0;
941
942 /* If it is our turn to send Pairing Confirm, do so now */
943 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
944 u8 rsp = smp_confirm(smp);
945 if (rsp)
946 smp_failure(conn, rsp);
947 }
948
949 unlock:
950 l2cap_chan_unlock(chan);
951 return err;
952 }
953
954 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
955 {
956 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
957 struct l2cap_chan *chan = conn->smp;
958 struct hci_dev *hdev = conn->hcon->hdev;
959 struct smp_chan *smp;
960 u8 key_size, auth, sec_level;
961 int ret;
962
963 BT_DBG("conn %p", conn);
964
965 if (skb->len < sizeof(*req))
966 return SMP_INVALID_PARAMS;
967
968 if (conn->hcon->role != HCI_ROLE_SLAVE)
969 return SMP_CMD_NOTSUPP;
970
971 if (!chan->data)
972 smp = smp_chan_create(conn);
973 else
974 smp = chan->data;
975
976 if (!smp)
977 return SMP_UNSPECIFIED;
978
979 /* We didn't start the pairing, so match remote */
980 auth = req->auth_req & AUTH_REQ_MASK(hdev);
981
982 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
983 (auth & SMP_AUTH_BONDING))
984 return SMP_PAIRING_NOTSUPP;
985
986 smp->preq[0] = SMP_CMD_PAIRING_REQ;
987 memcpy(&smp->preq[1], req, sizeof(*req));
988 skb_pull(skb, sizeof(*req));
989
990 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
991 sec_level = BT_SECURITY_MEDIUM;
992 else
993 sec_level = authreq_to_seclevel(auth);
994
995 if (sec_level > conn->hcon->pending_sec_level)
996 conn->hcon->pending_sec_level = sec_level;
997
998 /* If we need MITM check that it can be achieved */
999 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1000 u8 method;
1001
1002 method = get_auth_method(smp, conn->hcon->io_capability,
1003 req->io_capability);
1004 if (method == JUST_WORKS || method == JUST_CFM)
1005 return SMP_AUTH_REQUIREMENTS;
1006 }
1007
1008 build_pairing_cmd(conn, req, &rsp, auth);
1009
1010 if (rsp.auth_req & SMP_AUTH_SC)
1011 set_bit(SMP_FLAG_SC, &smp->flags);
1012
1013 key_size = min(req->max_key_size, rsp.max_key_size);
1014 if (check_enc_key_size(conn, key_size))
1015 return SMP_ENC_KEY_SIZE;
1016
1017 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1018
1019 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1020 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1021
1022 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1023
1024 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1025
1026 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1027 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1028 /* Clear bits which are generated but not distributed */
1029 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1030 /* Wait for Public Key from Initiating Device */
1031 return 0;
1032 } else {
1033 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1034 }
1035
1036 /* Request setup of TK */
1037 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1038 if (ret)
1039 return SMP_UNSPECIFIED;
1040
1041 return 0;
1042 }
1043
1044 static u8 sc_send_public_key(struct smp_chan *smp)
1045 {
1046 BT_DBG("");
1047
1048 /* Generate local key pair for Secure Connections */
1049 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1050 return SMP_UNSPECIFIED;
1051
1052 BT_DBG("Local Public Key X: %32phN", smp->local_pk);
1053 BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1054 BT_DBG("Local Private Key: %32phN", smp->local_sk);
1055
1056 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1057
1058 return 0;
1059 }
1060
1061 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1062 {
1063 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1064 struct l2cap_chan *chan = conn->smp;
1065 struct smp_chan *smp = chan->data;
1066 struct hci_dev *hdev = conn->hcon->hdev;
1067 u8 key_size, auth;
1068 int ret;
1069
1070 BT_DBG("conn %p", conn);
1071
1072 if (skb->len < sizeof(*rsp))
1073 return SMP_INVALID_PARAMS;
1074
1075 if (conn->hcon->role != HCI_ROLE_MASTER)
1076 return SMP_CMD_NOTSUPP;
1077
1078 skb_pull(skb, sizeof(*rsp));
1079
1080 req = (void *) &smp->preq[1];
1081
1082 key_size = min(req->max_key_size, rsp->max_key_size);
1083 if (check_enc_key_size(conn, key_size))
1084 return SMP_ENC_KEY_SIZE;
1085
1086 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1087
1088 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1089 set_bit(SMP_FLAG_SC, &smp->flags);
1090 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1091 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1092
1093 /* If we need MITM check that it can be achieved */
1094 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1095 u8 method;
1096
1097 method = get_auth_method(smp, req->io_capability,
1098 rsp->io_capability);
1099 if (method == JUST_WORKS || method == JUST_CFM)
1100 return SMP_AUTH_REQUIREMENTS;
1101 }
1102
1103 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1104
1105 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1106 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1107
1108 /* Update remote key distribution in case the remote cleared
1109 * some bits that we had enabled in our request.
1110 */
1111 smp->remote_key_dist &= rsp->resp_key_dist;
1112
1113 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1114 /* Clear bits which are generated but not distributed */
1115 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1116 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1117 return sc_send_public_key(smp);
1118 }
1119
1120 auth |= req->auth_req;
1121
1122 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1123 if (ret)
1124 return SMP_UNSPECIFIED;
1125
1126 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1127
1128 /* Can't compose response until we have been confirmed */
1129 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1130 return smp_confirm(smp);
1131
1132 return 0;
1133 }
1134
1135 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1136 {
1137 struct l2cap_chan *chan = conn->smp;
1138 struct smp_chan *smp = chan->data;
1139
1140 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1141
1142 if (skb->len < sizeof(smp->pcnf))
1143 return SMP_INVALID_PARAMS;
1144
1145 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1146 skb_pull(skb, sizeof(smp->pcnf));
1147
1148 if (conn->hcon->out) {
1149 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1150 smp->prnd);
1151 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1152 return 0;
1153 }
1154
1155 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1156 return smp_confirm(smp);
1157 else
1158 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1159
1160 return 0;
1161 }
1162
1163 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1164 {
1165 struct l2cap_chan *chan = conn->smp;
1166 struct smp_chan *smp = chan->data;
1167
1168 BT_DBG("conn %p", conn);
1169
1170 if (skb->len < sizeof(smp->rrnd))
1171 return SMP_INVALID_PARAMS;
1172
1173 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1174 skb_pull(skb, sizeof(smp->rrnd));
1175
1176 return smp_random(smp);
1177 }
1178
1179 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1180 {
1181 struct smp_ltk *key;
1182 struct hci_conn *hcon = conn->hcon;
1183
1184 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1185 if (!key)
1186 return false;
1187
1188 if (smp_ltk_sec_level(key) < sec_level)
1189 return false;
1190
1191 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1192 return true;
1193
1194 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1195 hcon->enc_key_size = key->enc_size;
1196
1197 /* We never store STKs for master role, so clear this flag */
1198 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1199
1200 return true;
1201 }
1202
1203 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1204 enum smp_key_pref key_pref)
1205 {
1206 if (sec_level == BT_SECURITY_LOW)
1207 return true;
1208
1209 /* If we're encrypted with an STK but the caller prefers using
1210 * LTK claim insufficient security. This way we allow the
1211 * connection to be re-encrypted with an LTK, even if the LTK
1212 * provides the same level of security. Only exception is if we
1213 * don't have an LTK (e.g. because of key distribution bits).
1214 */
1215 if (key_pref == SMP_USE_LTK &&
1216 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1217 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1218 return false;
1219
1220 if (hcon->sec_level >= sec_level)
1221 return true;
1222
1223 return false;
1224 }
1225
1226 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1227 {
1228 struct smp_cmd_security_req *rp = (void *) skb->data;
1229 struct smp_cmd_pairing cp;
1230 struct hci_conn *hcon = conn->hcon;
1231 struct hci_dev *hdev = hcon->hdev;
1232 struct smp_chan *smp;
1233 u8 sec_level, auth;
1234
1235 BT_DBG("conn %p", conn);
1236
1237 if (skb->len < sizeof(*rp))
1238 return SMP_INVALID_PARAMS;
1239
1240 if (hcon->role != HCI_ROLE_MASTER)
1241 return SMP_CMD_NOTSUPP;
1242
1243 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
1244
1245 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1246 sec_level = BT_SECURITY_MEDIUM;
1247 else
1248 sec_level = authreq_to_seclevel(auth);
1249
1250 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1251 return 0;
1252
1253 if (sec_level > hcon->pending_sec_level)
1254 hcon->pending_sec_level = sec_level;
1255
1256 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1257 return 0;
1258
1259 smp = smp_chan_create(conn);
1260 if (!smp)
1261 return SMP_UNSPECIFIED;
1262
1263 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
1264 (auth & SMP_AUTH_BONDING))
1265 return SMP_PAIRING_NOTSUPP;
1266
1267 skb_pull(skb, sizeof(*rp));
1268
1269 memset(&cp, 0, sizeof(cp));
1270 build_pairing_cmd(conn, &cp, NULL, auth);
1271
1272 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1273 memcpy(&smp->preq[1], &cp, sizeof(cp));
1274
1275 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1276 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1277
1278 return 0;
1279 }
1280
1281 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1282 {
1283 struct l2cap_conn *conn = hcon->l2cap_data;
1284 struct l2cap_chan *chan;
1285 struct smp_chan *smp;
1286 __u8 authreq;
1287 int ret;
1288
1289 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
1290
1291 /* This may be NULL if there's an unexpected disconnection */
1292 if (!conn)
1293 return 1;
1294
1295 chan = conn->smp;
1296
1297 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
1298 return 1;
1299
1300 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1301 return 1;
1302
1303 if (sec_level > hcon->pending_sec_level)
1304 hcon->pending_sec_level = sec_level;
1305
1306 if (hcon->role == HCI_ROLE_MASTER)
1307 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1308 return 0;
1309
1310 l2cap_chan_lock(chan);
1311
1312 /* If SMP is already in progress ignore this request */
1313 if (chan->data) {
1314 ret = 0;
1315 goto unlock;
1316 }
1317
1318 smp = smp_chan_create(conn);
1319 if (!smp) {
1320 ret = 1;
1321 goto unlock;
1322 }
1323
1324 authreq = seclevel_to_authreq(sec_level);
1325
1326 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
1327 authreq |= SMP_AUTH_SC;
1328
1329 /* Require MITM if IO Capability allows or the security level
1330 * requires it.
1331 */
1332 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
1333 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
1334 authreq |= SMP_AUTH_MITM;
1335
1336 if (hcon->role == HCI_ROLE_MASTER) {
1337 struct smp_cmd_pairing cp;
1338
1339 build_pairing_cmd(conn, &cp, NULL, authreq);
1340 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1341 memcpy(&smp->preq[1], &cp, sizeof(cp));
1342
1343 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1344 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1345 } else {
1346 struct smp_cmd_security_req cp;
1347 cp.auth_req = authreq;
1348 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1349 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
1350 }
1351
1352 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
1353 ret = 0;
1354
1355 unlock:
1356 l2cap_chan_unlock(chan);
1357 return ret;
1358 }
1359
1360 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1361 {
1362 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1363 struct l2cap_chan *chan = conn->smp;
1364 struct smp_chan *smp = chan->data;
1365
1366 BT_DBG("conn %p", conn);
1367
1368 if (skb->len < sizeof(*rp))
1369 return SMP_INVALID_PARAMS;
1370
1371 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
1372
1373 skb_pull(skb, sizeof(*rp));
1374
1375 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1376
1377 return 0;
1378 }
1379
1380 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1381 {
1382 struct smp_cmd_master_ident *rp = (void *) skb->data;
1383 struct l2cap_chan *chan = conn->smp;
1384 struct smp_chan *smp = chan->data;
1385 struct hci_dev *hdev = conn->hcon->hdev;
1386 struct hci_conn *hcon = conn->hcon;
1387 struct smp_ltk *ltk;
1388 u8 authenticated;
1389
1390 BT_DBG("conn %p", conn);
1391
1392 if (skb->len < sizeof(*rp))
1393 return SMP_INVALID_PARAMS;
1394
1395 /* Mark the information as received */
1396 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1397
1398 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1399 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1400 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1401 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1402
1403 skb_pull(skb, sizeof(*rp));
1404
1405 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
1406 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
1407 authenticated, smp->tk, smp->enc_key_size,
1408 rp->ediv, rp->rand);
1409 smp->ltk = ltk;
1410 if (!(smp->remote_key_dist & KEY_DIST_MASK))
1411 smp_distribute_keys(smp);
1412
1413 return 0;
1414 }
1415
1416 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1417 {
1418 struct smp_cmd_ident_info *info = (void *) skb->data;
1419 struct l2cap_chan *chan = conn->smp;
1420 struct smp_chan *smp = chan->data;
1421
1422 BT_DBG("");
1423
1424 if (skb->len < sizeof(*info))
1425 return SMP_INVALID_PARAMS;
1426
1427 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
1428
1429 skb_pull(skb, sizeof(*info));
1430
1431 memcpy(smp->irk, info->irk, 16);
1432
1433 return 0;
1434 }
1435
1436 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1437 struct sk_buff *skb)
1438 {
1439 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1440 struct l2cap_chan *chan = conn->smp;
1441 struct smp_chan *smp = chan->data;
1442 struct hci_conn *hcon = conn->hcon;
1443 bdaddr_t rpa;
1444
1445 BT_DBG("");
1446
1447 if (skb->len < sizeof(*info))
1448 return SMP_INVALID_PARAMS;
1449
1450 /* Mark the information as received */
1451 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1452
1453 if (smp->remote_key_dist & SMP_DIST_SIGN)
1454 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1455
1456 skb_pull(skb, sizeof(*info));
1457
1458 /* Strictly speaking the Core Specification (4.1) allows sending
1459 * an empty address which would force us to rely on just the IRK
1460 * as "identity information". However, since such
1461 * implementations are not known of and in order to not over
1462 * complicate our implementation, simply pretend that we never
1463 * received an IRK for such a device.
1464 */
1465 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1466 BT_ERR("Ignoring IRK with no identity address");
1467 goto distribute;
1468 }
1469
1470 bacpy(&smp->id_addr, &info->bdaddr);
1471 smp->id_addr_type = info->addr_type;
1472
1473 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1474 bacpy(&rpa, &hcon->dst);
1475 else
1476 bacpy(&rpa, BDADDR_ANY);
1477
1478 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1479 smp->id_addr_type, smp->irk, &rpa);
1480
1481 distribute:
1482 if (!(smp->remote_key_dist & KEY_DIST_MASK))
1483 smp_distribute_keys(smp);
1484
1485 return 0;
1486 }
1487
1488 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1489 {
1490 struct smp_cmd_sign_info *rp = (void *) skb->data;
1491 struct l2cap_chan *chan = conn->smp;
1492 struct smp_chan *smp = chan->data;
1493 struct smp_csrk *csrk;
1494
1495 BT_DBG("conn %p", conn);
1496
1497 if (skb->len < sizeof(*rp))
1498 return SMP_INVALID_PARAMS;
1499
1500 /* Mark the information as received */
1501 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1502
1503 skb_pull(skb, sizeof(*rp));
1504
1505 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1506 if (csrk) {
1507 csrk->master = 0x01;
1508 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1509 }
1510 smp->csrk = csrk;
1511 smp_distribute_keys(smp);
1512
1513 return 0;
1514 }
1515
1516 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1517 {
1518 struct l2cap_conn *conn = chan->conn;
1519 struct hci_conn *hcon = conn->hcon;
1520 struct smp_chan *smp;
1521 __u8 code, reason;
1522 int err = 0;
1523
1524 if (hcon->type != LE_LINK) {
1525 kfree_skb(skb);
1526 return 0;
1527 }
1528
1529 if (skb->len < 1)
1530 return -EILSEQ;
1531
1532 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1533 reason = SMP_PAIRING_NOTSUPP;
1534 goto done;
1535 }
1536
1537 code = skb->data[0];
1538 skb_pull(skb, sizeof(code));
1539
1540 smp = chan->data;
1541
1542 if (code > SMP_CMD_MAX)
1543 goto drop;
1544
1545 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
1546 goto drop;
1547
1548 /* If we don't have a context the only allowed commands are
1549 * pairing request and security request.
1550 */
1551 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
1552 goto drop;
1553
1554 switch (code) {
1555 case SMP_CMD_PAIRING_REQ:
1556 reason = smp_cmd_pairing_req(conn, skb);
1557 break;
1558
1559 case SMP_CMD_PAIRING_FAIL:
1560 smp_failure(conn, 0);
1561 err = -EPERM;
1562 break;
1563
1564 case SMP_CMD_PAIRING_RSP:
1565 reason = smp_cmd_pairing_rsp(conn, skb);
1566 break;
1567
1568 case SMP_CMD_SECURITY_REQ:
1569 reason = smp_cmd_security_req(conn, skb);
1570 break;
1571
1572 case SMP_CMD_PAIRING_CONFIRM:
1573 reason = smp_cmd_pairing_confirm(conn, skb);
1574 break;
1575
1576 case SMP_CMD_PAIRING_RANDOM:
1577 reason = smp_cmd_pairing_random(conn, skb);
1578 break;
1579
1580 case SMP_CMD_ENCRYPT_INFO:
1581 reason = smp_cmd_encrypt_info(conn, skb);
1582 break;
1583
1584 case SMP_CMD_MASTER_IDENT:
1585 reason = smp_cmd_master_ident(conn, skb);
1586 break;
1587
1588 case SMP_CMD_IDENT_INFO:
1589 reason = smp_cmd_ident_info(conn, skb);
1590 break;
1591
1592 case SMP_CMD_IDENT_ADDR_INFO:
1593 reason = smp_cmd_ident_addr_info(conn, skb);
1594 break;
1595
1596 case SMP_CMD_SIGN_INFO:
1597 reason = smp_cmd_sign_info(conn, skb);
1598 break;
1599
1600 default:
1601 BT_DBG("Unknown command code 0x%2.2x", code);
1602 reason = SMP_CMD_NOTSUPP;
1603 goto done;
1604 }
1605
1606 done:
1607 if (!err) {
1608 if (reason)
1609 smp_failure(conn, reason);
1610 kfree_skb(skb);
1611 }
1612
1613 return err;
1614
1615 drop:
1616 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
1617 code, &hcon->dst);
1618 kfree_skb(skb);
1619 return 0;
1620 }
1621
1622 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
1623 {
1624 struct l2cap_conn *conn = chan->conn;
1625
1626 BT_DBG("chan %p", chan);
1627
1628 if (chan->data)
1629 smp_chan_destroy(conn);
1630
1631 conn->smp = NULL;
1632 l2cap_chan_put(chan);
1633 }
1634
1635 static void smp_resume_cb(struct l2cap_chan *chan)
1636 {
1637 struct smp_chan *smp = chan->data;
1638 struct l2cap_conn *conn = chan->conn;
1639 struct hci_conn *hcon = conn->hcon;
1640
1641 BT_DBG("chan %p", chan);
1642
1643 if (!smp)
1644 return;
1645
1646 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
1647 return;
1648
1649 cancel_delayed_work(&smp->security_timer);
1650
1651 smp_distribute_keys(smp);
1652 }
1653
1654 static void smp_ready_cb(struct l2cap_chan *chan)
1655 {
1656 struct l2cap_conn *conn = chan->conn;
1657
1658 BT_DBG("chan %p", chan);
1659
1660 conn->smp = chan;
1661 l2cap_chan_hold(chan);
1662 }
1663
1664 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1665 {
1666 int err;
1667
1668 BT_DBG("chan %p", chan);
1669
1670 err = smp_sig_channel(chan, skb);
1671 if (err) {
1672 struct smp_chan *smp = chan->data;
1673
1674 if (smp)
1675 cancel_delayed_work_sync(&smp->security_timer);
1676
1677 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
1678 }
1679
1680 return err;
1681 }
1682
1683 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
1684 unsigned long hdr_len,
1685 unsigned long len, int nb)
1686 {
1687 struct sk_buff *skb;
1688
1689 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
1690 if (!skb)
1691 return ERR_PTR(-ENOMEM);
1692
1693 skb->priority = HCI_PRIO_MAX;
1694 bt_cb(skb)->chan = chan;
1695
1696 return skb;
1697 }
1698
1699 static const struct l2cap_ops smp_chan_ops = {
1700 .name = "Security Manager",
1701 .ready = smp_ready_cb,
1702 .recv = smp_recv_cb,
1703 .alloc_skb = smp_alloc_skb_cb,
1704 .teardown = smp_teardown_cb,
1705 .resume = smp_resume_cb,
1706
1707 .new_connection = l2cap_chan_no_new_connection,
1708 .state_change = l2cap_chan_no_state_change,
1709 .close = l2cap_chan_no_close,
1710 .defer = l2cap_chan_no_defer,
1711 .suspend = l2cap_chan_no_suspend,
1712 .set_shutdown = l2cap_chan_no_set_shutdown,
1713 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1714 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1715 };
1716
1717 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
1718 {
1719 struct l2cap_chan *chan;
1720
1721 BT_DBG("pchan %p", pchan);
1722
1723 chan = l2cap_chan_create();
1724 if (!chan)
1725 return NULL;
1726
1727 chan->chan_type = pchan->chan_type;
1728 chan->ops = &smp_chan_ops;
1729 chan->scid = pchan->scid;
1730 chan->dcid = chan->scid;
1731 chan->imtu = pchan->imtu;
1732 chan->omtu = pchan->omtu;
1733 chan->mode = pchan->mode;
1734
1735 /* Other L2CAP channels may request SMP routines in order to
1736 * change the security level. This means that the SMP channel
1737 * lock must be considered in its own category to avoid lockdep
1738 * warnings.
1739 */
1740 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
1741
1742 BT_DBG("created chan %p", chan);
1743
1744 return chan;
1745 }
1746
1747 static const struct l2cap_ops smp_root_chan_ops = {
1748 .name = "Security Manager Root",
1749 .new_connection = smp_new_conn_cb,
1750
1751 /* None of these are implemented for the root channel */
1752 .close = l2cap_chan_no_close,
1753 .alloc_skb = l2cap_chan_no_alloc_skb,
1754 .recv = l2cap_chan_no_recv,
1755 .state_change = l2cap_chan_no_state_change,
1756 .teardown = l2cap_chan_no_teardown,
1757 .ready = l2cap_chan_no_ready,
1758 .defer = l2cap_chan_no_defer,
1759 .suspend = l2cap_chan_no_suspend,
1760 .resume = l2cap_chan_no_resume,
1761 .set_shutdown = l2cap_chan_no_set_shutdown,
1762 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1763 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1764 };
1765
1766 int smp_register(struct hci_dev *hdev)
1767 {
1768 struct l2cap_chan *chan;
1769 struct crypto_blkcipher *tfm_aes;
1770
1771 BT_DBG("%s", hdev->name);
1772
1773 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
1774 if (IS_ERR(tfm_aes)) {
1775 int err = PTR_ERR(tfm_aes);
1776 BT_ERR("Unable to create crypto context");
1777 return err;
1778 }
1779
1780 chan = l2cap_chan_create();
1781 if (!chan) {
1782 crypto_free_blkcipher(tfm_aes);
1783 return -ENOMEM;
1784 }
1785
1786 chan->data = tfm_aes;
1787
1788 l2cap_add_scid(chan, L2CAP_CID_SMP);
1789
1790 l2cap_chan_set_defaults(chan);
1791
1792 bacpy(&chan->src, &hdev->bdaddr);
1793 chan->src_type = BDADDR_LE_PUBLIC;
1794 chan->state = BT_LISTEN;
1795 chan->mode = L2CAP_MODE_BASIC;
1796 chan->imtu = L2CAP_DEFAULT_MTU;
1797 chan->ops = &smp_root_chan_ops;
1798
1799 /* Set correct nesting level for a parent/listening channel */
1800 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
1801
1802 hdev->smp_data = chan;
1803
1804 return 0;
1805 }
1806
1807 void smp_unregister(struct hci_dev *hdev)
1808 {
1809 struct l2cap_chan *chan = hdev->smp_data;
1810 struct crypto_blkcipher *tfm_aes;
1811
1812 if (!chan)
1813 return;
1814
1815 BT_DBG("%s chan %p", hdev->name, chan);
1816
1817 tfm_aes = chan->data;
1818 if (tfm_aes) {
1819 chan->data = NULL;
1820 crypto_free_blkcipher(tfm_aes);
1821 }
1822
1823 hdev->smp_data = NULL;
1824 l2cap_chan_put(chan);
1825 }
Linux kernel - Deliverables
This page took 0.156557 seconds and 6 git commands to generate.