]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - net/bluetooth/smp.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix DHKey Check sending order for slave role
[mirror_ubuntu-bionic-kernel.git] / net / bluetooth / smp.c
CommitLineData
eb492e01
AB		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
8c520a59
GP		 23#include <linux/crypto.h>
24#include <linux/scatterlist.h>
25#include <crypto/b128ops.h>
26
eb492e01
AB		 27#include <net/bluetooth/bluetooth.h>
28#include <net/bluetooth/hci_core.h>
29#include <net/bluetooth/l2cap.h>
2b64d153 30#include <net/bluetooth/mgmt.h>
ac4b7236 31
3b19146d 32#include "ecc.h"
ac4b7236 33#include "smp.h"
d22ef0bc 34
b28b4943 35#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
b28b4943 36
3b19146d
JH		 37/* Keys which are not distributed with Secure Connections */
38#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
39
17b02e62 40#define SMP_TIMEOUT msecs_to_jiffies(30000)
5d3de7df 41
0edb14de
JH		 42#define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
43 0x1f : 0x07)
44#define KEY_DIST_MASK 0x07
065a13e2 45
cbbbe3e2
JH		 46/* Maximum message length that can be passed to aes_cmac */
47#define CMAC_MSG_MAX 80
48
533e35d4
JH		 49enum {
50 SMP_FLAG_TK_VALID,
51 SMP_FLAG_CFM_PENDING,
52 SMP_FLAG_MITM_AUTH,
53 SMP_FLAG_COMPLETE,
54 SMP_FLAG_INITIATOR,
65668776 55 SMP_FLAG_SC,
d8f8edbe 56 SMP_FLAG_REMOTE_PK,
aeb7d461 57 SMP_FLAG_DEBUG_KEY,
38606f14 58 SMP_FLAG_WAIT_USER,
d3e54a87 59 SMP_FLAG_DHKEY_PENDING,
533e35d4 60};
4bc58f51
JH		 61
62struct smp_chan {
b68fda68
JH		 63 struct l2cap_conn *conn;
64 struct delayed_work security_timer;
b28b4943 65 unsigned long allow_cmd; /* Bitmask of allowed commands */
b68fda68 66
4bc58f51
JH		 67 u8 preq[7]; /* SMP Pairing Request */
68 u8 prsp[7]; /* SMP Pairing Response */
69 u8 prnd[16]; /* SMP Pairing Random (local) */
70 u8 rrnd[16]; /* SMP Pairing Random (remote) */
71 u8 pcnf[16]; /* SMP Pairing Confirm */
72 u8 tk[16]; /* SMP Temporary Key */
73 u8 enc_key_size;
74 u8 remote_key_dist;
75 bdaddr_t id_addr;
76 u8 id_addr_type;
77 u8 irk[16];
78 struct smp_csrk *csrk;
79 struct smp_csrk *slave_csrk;
80 struct smp_ltk *ltk;
81 struct smp_ltk *slave_ltk;
82 struct smp_irk *remote_irk;
6a77083a 83 u8 *link_key;
4a74d658 84 unsigned long flags;
783e0574 85 u8 method;
38606f14 86 u8 passkey_round;
6a7bd103 87
3b19146d
JH		 88 /* Secure Connections variables */
89 u8 local_pk[64];
90 u8 local_sk[32];
d8f8edbe
JH		 91 u8 remote_pk[64];
92 u8 dhkey[32];
760b018b 93 u8 mackey[16];
3b19146d 94
6a7bd103 95 struct crypto_blkcipher *tfm_aes;
407cecf6 96 struct crypto_hash *tfm_cmac;
4bc58f51
JH		 97};
98
aeb7d461
JH		 99/* These debug key values are defined in the SMP section of the core
100 * specification. debug_pk is the public debug key and debug_sk the
101 * private debug key.
102 */
103static const u8 debug_pk[64] = {
104 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
105 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
106 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
107 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
108
109 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
110 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
111 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
112 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
113};
114
115static const u8 debug_sk[32] = {
116 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
117 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
118 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
119 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
120};
121
8a2936f4 122static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
d22ef0bc 123{
8a2936f4 124 size_t i;
d22ef0bc 125
8a2936f4
JH		 126 for (i = 0; i < len; i++)
127 dst[len - 1 - i] = src[i];
d22ef0bc
AB		 128}
129
cbbbe3e2
JH		 130static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
131 size_t len, u8 mac[16])
132{
133 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
134 struct hash_desc desc;
135 struct scatterlist sg;
136 int err;
137
138 if (len > CMAC_MSG_MAX)
139 return -EFBIG;
140
141 if (!tfm) {
142 BT_ERR("tfm %p", tfm);
143 return -EINVAL;
144 }
145
146 desc.tfm = tfm;
147 desc.flags = 0;
148
149 crypto_hash_init(&desc);
150
151 /* Swap key and message from LSB to MSB */
152 swap_buf(k, tmp, 16);
153 swap_buf(m, msg_msb, len);
154
155 BT_DBG("msg (len %zu) %*phN", len, (int) len, m);
156 BT_DBG("key %16phN", k);
157
158 err = crypto_hash_setkey(tfm, tmp, 16);
159 if (err) {
160 BT_ERR("cipher setkey failed: %d", err);
161 return err;
162 }
163
164 sg_init_one(&sg, msg_msb, len);
165
166 err = crypto_hash_update(&desc, &sg, len);
167 if (err) {
168 BT_ERR("Hash update error %d", err);
169 return err;
170 }
171
172 err = crypto_hash_final(&desc, mac_msb);
173 if (err) {
174 BT_ERR("Hash final error %d", err);
175 return err;
176 }
177
178 swap_buf(mac_msb, mac, 16);
179
180 BT_DBG("mac %16phN", mac);
181
182 return 0;
183}
184
185static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
186 const u8 x[16], u8 z, u8 res[16])
187{
188 u8 m[65];
189 int err;
190
191 BT_DBG("u %32phN", u);
192 BT_DBG("v %32phN", v);
193 BT_DBG("x %16phN z %02x", x, z);
194
195 m[0] = z;
196 memcpy(m + 1, v, 32);
197 memcpy(m + 33, u, 32);
198
199 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
200 if (err)
201 return err;
202
203 BT_DBG("res %16phN", res);
204
205 return err;
206}
207
760b018b
JH		 208static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
209 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
210{
211 /* The btle, salt and length "magic" values are as defined in
212 * the SMP section of the Bluetooth core specification. In ASCII
213 * the btle value ends up being 'btle'. The salt is just a
214 * random number whereas length is the value 256 in little
215 * endian format.
216 */
217 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
218 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
219 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
220 const u8 length[2] = { 0x00, 0x01 };
221 u8 m[53], t[16];
222 int err;
223
224 BT_DBG("w %32phN", w);
225 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
226 BT_DBG("a1 %7phN a2 %7phN", a1, a2);
227
228 err = aes_cmac(tfm_cmac, salt, w, 32, t);
229 if (err)
230 return err;
231
232 BT_DBG("t %16phN", t);
233
234 memcpy(m, length, 2);
235 memcpy(m + 2, a2, 7);
236 memcpy(m + 9, a1, 7);
237 memcpy(m + 16, n2, 16);
238 memcpy(m + 32, n1, 16);
239 memcpy(m + 48, btle, 4);
240
241 m[52] = 0; /* Counter */
242
243 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
244 if (err)
245 return err;
246
247 BT_DBG("mackey %16phN", mackey);
248
249 m[52] = 1; /* Counter */
250
251 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
252 if (err)
253 return err;
254
255 BT_DBG("ltk %16phN", ltk);
256
257 return 0;
258}
259
260static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
261 const u8 n1[16], u8 n2[16], const u8 r[16],
262 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
263 u8 res[16])
264{
265 u8 m[65];
266 int err;
267
268 BT_DBG("w %16phN", w);
269 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
270 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
271
272 memcpy(m, a2, 7);
273 memcpy(m + 7, a1, 7);
274 memcpy(m + 14, io_cap, 3);
275 memcpy(m + 17, r, 16);
276 memcpy(m + 33, n2, 16);
277 memcpy(m + 49, n1, 16);
278
279 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
280 if (err)
281 return err;
282
283 BT_DBG("res %16phN", res);
284
285 return err;
286}
287
191dc7fe
JH		 288static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
289 const u8 x[16], const u8 y[16], u32 *val)
290{
291 u8 m[80], tmp[16];
292 int err;
293
294 BT_DBG("u %32phN", u);
295 BT_DBG("v %32phN", v);
296 BT_DBG("x %16phN y %16phN", x, y);
297
298 memcpy(m, y, 16);
299 memcpy(m + 16, v, 32);
300 memcpy(m + 48, u, 32);
301
302 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
303 if (err)
304 return err;
305
306 *val = get_unaligned_le32(tmp);
307 *val %= 1000000;
308
309 BT_DBG("val %06u", *val);
310
311 return 0;
312}
313
d22ef0bc
AB		 314static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
315{
316 struct blkcipher_desc desc;
317 struct scatterlist sg;
943a732a 318 uint8_t tmp[16], data[16];
201a5929 319 int err;
d22ef0bc
AB		 320
321 if (tfm == NULL) {
322 BT_ERR("tfm %p", tfm);
323 return -EINVAL;
324 }
325
326 desc.tfm = tfm;
327 desc.flags = 0;
328
943a732a 329 /* The most significant octet of key corresponds to k[0] */
8a2936f4 330 swap_buf(k, tmp, 16);
943a732a
JH		 331
332 err = crypto_blkcipher_setkey(tfm, tmp, 16);
d22ef0bc
AB		 333 if (err) {
334 BT_ERR("cipher setkey failed: %d", err);
335 return err;
336 }
337
943a732a 338 /* Most significant octet of plaintextData corresponds to data[0] */
8a2936f4 339 swap_buf(r, data, 16);
943a732a
JH		 340
341 sg_init_one(&sg, data, 16);
d22ef0bc 342
d22ef0bc
AB		 343 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
344 if (err)
345 BT_ERR("Encrypt data error %d", err);
346
943a732a 347 /* Most significant octet of encryptedData corresponds to data[0] */
8a2936f4 348 swap_buf(data, r, 16);
943a732a 349
d22ef0bc
AB		 350 return err;
351}
352
6a77083a
JH		 353static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
354 const u8 key_id[4], u8 res[16])
355{
356 int err;
357
358 BT_DBG("w %16phN key_id %4phN", w, key_id);
359
360 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
361 if (err)
362 return err;
363
364 BT_DBG("res %16phN", res);
365
366 return err;
367}
368
60478054
JH		 369static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
370{
943a732a 371 u8 _res[16];
60478054
JH		 372 int err;
373
374 /* r' = padding || r */
943a732a
JH		 375 memcpy(_res, r, 3);
376 memset(_res + 3, 0, 13);
60478054 377
943a732a 378 err = smp_e(tfm, irk, _res);
60478054
JH		 379 if (err) {
380 BT_ERR("Encrypt error");
381 return err;
382 }
383
384 /* The output of the random address function ah is:
385 * ah(h, r) = e(k, r') mod 2^24
386 * The output of the security function e is then truncated to 24 bits
387 * by taking the least significant 24 bits of the output of e as the
388 * result of ah.
389 */
943a732a 390 memcpy(res, _res, 3);
60478054
JH		 391
392 return 0;
393}
394
defce9e8 395bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
60478054 396{
defce9e8
JH		 397 struct l2cap_chan *chan = hdev->smp_data;
398 struct crypto_blkcipher *tfm;
60478054
JH		 399 u8 hash[3];
400 int err;
401
defce9e8
JH		 402 if (!chan || !chan->data)
403 return false;
404
405 tfm = chan->data;
406
60478054
JH		 407 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
408
409 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
410 if (err)
411 return false;
412
413 return !memcmp(bdaddr->b, hash, 3);
414}
415
defce9e8 416int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
b1e2b3ae 417{
defce9e8
JH		 418 struct l2cap_chan *chan = hdev->smp_data;
419 struct crypto_blkcipher *tfm;
b1e2b3ae
JH		 420 int err;
421
defce9e8
JH		 422 if (!chan || !chan->data)
423 return -EOPNOTSUPP;
424
425 tfm = chan->data;
426
b1e2b3ae
JH		 427 get_random_bytes(&rpa->b[3], 3);
428
429 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
430 rpa->b[5] |= 0x40; /* Set second most significant bit */
431
432 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
433 if (err < 0)
434 return err;
435
436 BT_DBG("RPA %pMR", rpa);
437
438 return 0;
439}
440
e491eaf3
JH		 441static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
442 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
443 bdaddr_t *ra, u8 res[16])
d22ef0bc
AB		 444{
445 u8 p1[16], p2[16];
446 int err;
447
448 memset(p1, 0, 16);
449
450 /* p1 = pres || preq || _rat || _iat */
943a732a
JH		 451 p1[0] = _iat;
452 p1[1] = _rat;
453 memcpy(p1 + 2, preq, 7);
454 memcpy(p1 + 9, pres, 7);
d22ef0bc
AB		 455
456 /* p2 = padding || ia || ra */
943a732a
JH		 457 memcpy(p2, ra, 6);
458 memcpy(p2 + 6, ia, 6);
459 memset(p2 + 12, 0, 4);
d22ef0bc
AB		 460
461 /* res = r XOR p1 */
462 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
463
464 /* res = e(k, res) */
e491eaf3 465 err = smp_e(tfm_aes, k, res);
d22ef0bc
AB		 466 if (err) {
467 BT_ERR("Encrypt data error");
468 return err;
469 }
470
471 /* res = res XOR p2 */
472 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
473
474 /* res = e(k, res) */
e491eaf3 475 err = smp_e(tfm_aes, k, res);
d22ef0bc
AB		 476 if (err)
477 BT_ERR("Encrypt data error");
478
479 return err;
480}
481
e491eaf3
JH		 482static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
483 u8 r2[16], u8 _r[16])
d22ef0bc
AB		 484{
485 int err;
486
487 /* Just least significant octets from r1 and r2 are considered */
943a732a
JH		 488 memcpy(_r, r2, 8);
489 memcpy(_r + 8, r1, 8);
d22ef0bc 490
e491eaf3 491 err = smp_e(tfm_aes, k, _r);
d22ef0bc
AB		 492 if (err)
493 BT_ERR("Encrypt data error");
494
495 return err;
496}
497
5d88cc73 498static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
eb492e01 499{
5d88cc73 500 struct l2cap_chan *chan = conn->smp;
b68fda68 501 struct smp_chan *smp;
5d88cc73
JH		 502 struct kvec iv[2];
503 struct msghdr msg;
eb492e01 504
5d88cc73
JH		 505 if (!chan)
506 return;
eb492e01 507
5d88cc73 508 BT_DBG("code 0x%2.2x", code);
eb492e01 509
5d88cc73
JH		 510 iv[0].iov_base = &code;
511 iv[0].iov_len = 1;
eb492e01 512
5d88cc73
JH		 513 iv[1].iov_base = data;
514 iv[1].iov_len = len;
eb492e01 515
5d88cc73 516 memset(&msg, 0, sizeof(msg));
eb492e01 517
5d88cc73
JH		 518 msg.msg_iov = (struct iovec *) &iv;
519 msg.msg_iovlen = 2;
eb492e01 520
5d88cc73 521 l2cap_chan_send(chan, &msg, 1 + len);
e2dcd113 522
b68fda68
JH		 523 if (!chan->data)
524 return;
525
526 smp = chan->data;
527
528 cancel_delayed_work_sync(&smp->security_timer);
1b0921d6 529 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
eb492e01
AB		 530}
531
d2eb9e10 532static u8 authreq_to_seclevel(u8 authreq)
2b64d153 533{
d2eb9e10
JH		 534 if (authreq & SMP_AUTH_MITM) {
535 if (authreq & SMP_AUTH_SC)
536 return BT_SECURITY_FIPS;
537 else
538 return BT_SECURITY_HIGH;
539 } else {
2b64d153 540 return BT_SECURITY_MEDIUM;
d2eb9e10 541 }
2b64d153
BG		 542}
543
544static __u8 seclevel_to_authreq(__u8 sec_level)
545{
546 switch (sec_level) {
d2eb9e10 547 case BT_SECURITY_FIPS:
2b64d153
BG		 548 case BT_SECURITY_HIGH:
549 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
550 case BT_SECURITY_MEDIUM:
551 return SMP_AUTH_BONDING;
552 default:
553 return SMP_AUTH_NONE;
554 }
555}
556
b8e66eac 557static void build_pairing_cmd(struct l2cap_conn *conn,
f1560463
MH		 558 struct smp_cmd_pairing *req,
559 struct smp_cmd_pairing *rsp, __u8 authreq)
b8e66eac 560{
5d88cc73
JH		 561 struct l2cap_chan *chan = conn->smp;
562 struct smp_chan *smp = chan->data;
fd349c02
JH		 563 struct hci_conn *hcon = conn->hcon;
564 struct hci_dev *hdev = hcon->hdev;
565 u8 local_dist = 0, remote_dist = 0;
54790f73 566
b6ae8457 567 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
7ee4ea36
MH		 568 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
569 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
54790f73 570 authreq |= SMP_AUTH_BONDING;
2b64d153
BG		 571 } else {
572 authreq &= ~SMP_AUTH_BONDING;
54790f73
VCG		 573 }
574
fd349c02
JH		 575 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
576 remote_dist |= SMP_DIST_ID_KEY;
577
863efaf2
JH		 578 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
579 local_dist |= SMP_DIST_ID_KEY;
580
df8e1a4c
JH		 581 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
582 if ((authreq & SMP_AUTH_SC) &&
583 test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
584 local_dist |= SMP_DIST_LINK_KEY;
585 remote_dist |= SMP_DIST_LINK_KEY;
586 }
587 } else {
588 authreq &= ~SMP_AUTH_SC;
589 }
590
54790f73
VCG		 591 if (rsp == NULL) {
592 req->io_capability = conn->hcon->io_capability;
593 req->oob_flag = SMP_OOB_NOT_PRESENT;
594 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
fd349c02
JH		 595 req->init_key_dist = local_dist;
596 req->resp_key_dist = remote_dist;
0edb14de 597 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 598
599 smp->remote_key_dist = remote_dist;
54790f73
VCG		 600 return;
601 }
602
603 rsp->io_capability = conn->hcon->io_capability;
604 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
605 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
fd349c02
JH		 606 rsp->init_key_dist = req->init_key_dist & remote_dist;
607 rsp->resp_key_dist = req->resp_key_dist & local_dist;
0edb14de 608 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 609
610 smp->remote_key_dist = rsp->init_key_dist;
b8e66eac
VCG		 611}
612
3158c50c
VCG		 613static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
614{
5d88cc73
JH		 615 struct l2cap_chan *chan = conn->smp;
616 struct smp_chan *smp = chan->data;
1c1def09 617
3158c50c 618 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
f1560463 619 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
3158c50c
VCG		 620 return SMP_ENC_KEY_SIZE;
621
f7aa611a 622 smp->enc_key_size = max_key_size;
3158c50c
VCG		 623
624 return 0;
625}
626
6f48e260
JH		 627static void smp_chan_destroy(struct l2cap_conn *conn)
628{
629 struct l2cap_chan *chan = conn->smp;
630 struct smp_chan *smp = chan->data;
631 bool complete;
632
633 BUG_ON(!smp);
634
635 cancel_delayed_work_sync(&smp->security_timer);
6f48e260 636
6f48e260
JH		 637 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
638 mgmt_smp_complete(conn->hcon, complete);
639
640 kfree(smp->csrk);
641 kfree(smp->slave_csrk);
6a77083a 642 kfree(smp->link_key);
6f48e260
JH		 643
644 crypto_free_blkcipher(smp->tfm_aes);
407cecf6 645 crypto_free_hash(smp->tfm_cmac);
6f48e260
JH		 646
647 /* If pairing failed clean up any keys we might have */
648 if (!complete) {
649 if (smp->ltk) {
970d0f1b
JH		 650 list_del_rcu(&smp->ltk->list);
651 kfree_rcu(smp->ltk, rcu);
6f48e260
JH		 652 }
653
654 if (smp->slave_ltk) {
970d0f1b
JH		 655 list_del_rcu(&smp->slave_ltk->list);
656 kfree_rcu(smp->slave_ltk, rcu);
6f48e260
JH		 657 }
658
659 if (smp->remote_irk) {
adae20cb
JH		 660 list_del_rcu(&smp->remote_irk->list);
661 kfree_rcu(smp->remote_irk, rcu);
6f48e260
JH		 662 }
663 }
664
665 chan->data = NULL;
666 kfree(smp);
667 hci_conn_drop(conn->hcon);
668}
669
84794e11 670static void smp_failure(struct l2cap_conn *conn, u8 reason)
4f957a76 671{
bab73cb6 672 struct hci_conn *hcon = conn->hcon;
b68fda68 673 struct l2cap_chan *chan = conn->smp;
bab73cb6 674
84794e11 675 if (reason)
4f957a76 676 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
f1560463 677 &reason);
4f957a76 678
ce39fb4e 679 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
e1e930f5 680 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
f1c09c07 681
fc75cc86 682 if (chan->data)
f1c09c07 683 smp_chan_destroy(conn);
4f957a76
BG		 684}
685
2b64d153
BG		 686#define JUST_WORKS 0x00
687#define JUST_CFM 0x01
688#define REQ_PASSKEY 0x02
689#define CFM_PASSKEY 0x03
690#define REQ_OOB 0x04
5e3d3d9b 691#define DSP_PASSKEY 0x05
2b64d153
BG		 692#define OVERLAP 0xFF
693
694static const u8 gen_method[5][5] = {
695 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
696 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
697 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
698 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
699 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
700};
701
5e3d3d9b
JH		 702static const u8 sc_method[5][5] = {
703 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
704 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
705 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
706 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
707 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
708};
709
581370cc
JH		 710static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
711{
2bcd4003
JH		 712 /* If either side has unknown io_caps, use JUST_CFM (which gets
713 * converted later to JUST_WORKS if we're initiators.
714 */
581370cc
JH		 715 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
716 remote_io > SMP_IO_KEYBOARD_DISPLAY)
2bcd4003 717 return JUST_CFM;
581370cc 718
5e3d3d9b
JH		 719 if (test_bit(SMP_FLAG_SC, &smp->flags))
720 return sc_method[remote_io][local_io];
721
581370cc
JH		 722 return gen_method[remote_io][local_io];
723}
724
2b64d153
BG		 725static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
726 u8 local_io, u8 remote_io)
727{
728 struct hci_conn *hcon = conn->hcon;
5d88cc73
JH		 729 struct l2cap_chan *chan = conn->smp;
730 struct smp_chan *smp = chan->data;
2b64d153
BG		 731 u32 passkey = 0;
732 int ret = 0;
733
734 /* Initialize key for JUST WORKS */
735 memset(smp->tk, 0, sizeof(smp->tk));
4a74d658 736 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 737
738 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
739
2bcd4003
JH		 740 /* If neither side wants MITM, either "just" confirm an incoming
741 * request or use just-works for outgoing ones. The JUST_CFM
742 * will be converted to JUST_WORKS if necessary later in this
743 * function. If either side has MITM look up the method from the
744 * table.
745 */
581370cc 746 if (!(auth & SMP_AUTH_MITM))
783e0574 747 smp->method = JUST_CFM;
2b64d153 748 else
783e0574 749 smp->method = get_auth_method(smp, local_io, remote_io);
2b64d153 750
a82505c7 751 /* Don't confirm locally initiated pairing attempts */
783e0574
JH		 752 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
753 &smp->flags))
754 smp->method = JUST_WORKS;
a82505c7 755
02f3e254 756 /* Don't bother user space with no IO capabilities */
783e0574
JH		 757 if (smp->method == JUST_CFM &&
758 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
759 smp->method = JUST_WORKS;
02f3e254 760
2b64d153 761 /* If Just Works, Continue with Zero TK */
783e0574 762 if (smp->method == JUST_WORKS) {
4a74d658 763 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 764 return 0;
765 }
766
767 /* Not Just Works/Confirm results in MITM Authentication */
783e0574 768 if (smp->method != JUST_CFM) {
4a74d658 769 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
5eb596f5
JH		 770 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
771 hcon->pending_sec_level = BT_SECURITY_HIGH;
772 }
2b64d153
BG		 773
774 /* If both devices have Keyoard-Display I/O, the master
775 * Confirms and the slave Enters the passkey.
776 */
783e0574 777 if (smp->method == OVERLAP) {
40bef302 778 if (hcon->role == HCI_ROLE_MASTER)
783e0574 779 smp->method = CFM_PASSKEY;
2b64d153 780 else
783e0574 781 smp->method = REQ_PASSKEY;
2b64d153
BG		 782 }
783
01ad34d2 784 /* Generate random passkey. */
783e0574 785 if (smp->method == CFM_PASSKEY) {
943a732a 786 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153
BG		 787 get_random_bytes(&passkey, sizeof(passkey));
788 passkey %= 1000000;
943a732a 789 put_unaligned_le32(passkey, smp->tk);
2b64d153 790 BT_DBG("PassKey: %d", passkey);
4a74d658 791 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 792 }
793
783e0574 794 if (smp->method == REQ_PASSKEY)
ce39fb4e 795 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
272d90df 796 hcon->type, hcon->dst_type);
783e0574 797 else if (smp->method == JUST_CFM)
4eb65e66
JH		 798 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
799 hcon->type, hcon->dst_type,
800 passkey, 1);
2b64d153 801 else
01ad34d2 802 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
272d90df 803 hcon->type, hcon->dst_type,
39adbffe 804 passkey, 0);
2b64d153 805
2b64d153
BG		 806 return ret;
807}
808
1cc61144 809static u8 smp_confirm(struct smp_chan *smp)
8aab4757 810{
8aab4757 811 struct l2cap_conn *conn = smp->conn;
8aab4757
VCG		 812 struct smp_cmd_pairing_confirm cp;
813 int ret;
8aab4757
VCG		 814
815 BT_DBG("conn %p", conn);
816
e491eaf3 817 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
b1cd5fd9 818 conn->hcon->init_addr_type, &conn->hcon->init_addr,
943a732a
JH		 819 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
820 cp.confirm_val);
1cc61144
JH		 821 if (ret)
822 return SMP_UNSPECIFIED;
8aab4757 823
4a74d658 824 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153 825
8aab4757
VCG		 826 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
827
b28b4943
JH		 828 if (conn->hcon->out)
829 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
830 else
831 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
832
1cc61144 833 return 0;
8aab4757
VCG		 834}
835
861580a9 836static u8 smp_random(struct smp_chan *smp)
8aab4757 837{
8aab4757
VCG		 838 struct l2cap_conn *conn = smp->conn;
839 struct hci_conn *hcon = conn->hcon;
861580a9 840 u8 confirm[16];
8aab4757
VCG		 841 int ret;
842
ec70f36f 843 if (IS_ERR_OR_NULL(smp->tfm_aes))
861580a9 844 return SMP_UNSPECIFIED;
8aab4757
VCG		 845
846 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
847
e491eaf3 848 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
b1cd5fd9 849 hcon->init_addr_type, &hcon->init_addr,
943a732a 850 hcon->resp_addr_type, &hcon->resp_addr, confirm);
861580a9
JH		 851 if (ret)
852 return SMP_UNSPECIFIED;
8aab4757 853
8aab4757
VCG		 854 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
855 BT_ERR("Pairing failed (confirmation values mismatch)");
861580a9 856 return SMP_CONFIRM_FAILED;
8aab4757
VCG		 857 }
858
859 if (hcon->out) {
fe39c7b2
MH		 860 u8 stk[16];
861 __le64 rand = 0;
862 __le16 ediv = 0;
8aab4757 863
e491eaf3 864 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
8aab4757 865
f7aa611a 866 memset(stk + smp->enc_key_size, 0,
04124681 867 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
8aab4757 868
861580a9
JH		 869 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
870 return SMP_UNSPECIFIED;
8aab4757
VCG		 871
872 hci_le_start_enc(hcon, ediv, rand, stk);
f7aa611a 873 hcon->enc_key_size = smp->enc_key_size;
fe59a05f 874 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
8aab4757 875 } else {
fff3490f 876 u8 stk[16], auth;
fe39c7b2
MH		 877 __le64 rand = 0;
878 __le16 ediv = 0;
8aab4757 879
943a732a
JH		 880 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
881 smp->prnd);
8aab4757 882
e491eaf3 883 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
8aab4757 884
f7aa611a 885 memset(stk + smp->enc_key_size, 0,
f1560463 886 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
8aab4757 887
fff3490f
JH		 888 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
889 auth = 1;
890 else
891 auth = 0;
892
7d5843b7
JH		 893 /* Even though there's no _SLAVE suffix this is the
894 * slave STK we're adding for later lookup (the master
895 * STK never needs to be stored).
896 */
ce39fb4e 897 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2ceba539 898 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
8aab4757
VCG		 899 }
900
861580a9 901 return 0;
8aab4757
VCG		 902}
903
44f1a7ab
JH		 904static void smp_notify_keys(struct l2cap_conn *conn)
905{
906 struct l2cap_chan *chan = conn->smp;
907 struct smp_chan *smp = chan->data;
908 struct hci_conn *hcon = conn->hcon;
909 struct hci_dev *hdev = hcon->hdev;
910 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
911 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
912 bool persistent;
913
914 if (smp->remote_irk) {
915 mgmt_new_irk(hdev, smp->remote_irk);
916 /* Now that user space can be considered to know the
917 * identity address track the connection based on it
918 * from now on.
919 */
920 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
921 hcon->dst_type = smp->remote_irk->addr_type;
f3d82d0c 922 queue_work(hdev->workqueue, &conn->id_addr_update_work);
44f1a7ab
JH		 923
924 /* When receiving an indentity resolving key for
925 * a remote device that does not use a resolvable
926 * private address, just remove the key so that
927 * it is possible to use the controller white
928 * list for scanning.
929 *
930 * Userspace will have been told to not store
931 * this key at this point. So it is safe to
932 * just remove it.
933 */
934 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
adae20cb
JH		 935 list_del_rcu(&smp->remote_irk->list);
936 kfree_rcu(smp->remote_irk, rcu);
44f1a7ab
JH		 937 smp->remote_irk = NULL;
938 }
939 }
940
941 /* The LTKs and CSRKs should be persistent only if both sides
942 * had the bonding bit set in their authentication requests.
943 */
944 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
945
946 if (smp->csrk) {
947 smp->csrk->bdaddr_type = hcon->dst_type;
948 bacpy(&smp->csrk->bdaddr, &hcon->dst);
949 mgmt_new_csrk(hdev, smp->csrk, persistent);
950 }
951
952 if (smp->slave_csrk) {
953 smp->slave_csrk->bdaddr_type = hcon->dst_type;
954 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
955 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
956 }
957
958 if (smp->ltk) {
959 smp->ltk->bdaddr_type = hcon->dst_type;
960 bacpy(&smp->ltk->bdaddr, &hcon->dst);
961 mgmt_new_ltk(hdev, smp->ltk, persistent);
962 }
963
964 if (smp->slave_ltk) {
965 smp->slave_ltk->bdaddr_type = hcon->dst_type;
966 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
967 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
968 }
6a77083a
JH		 969
970 if (smp->link_key) {
e3befab9
JH		 971 struct link_key *key;
972 u8 type;
973
974 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
975 type = HCI_LK_DEBUG_COMBINATION;
976 else if (hcon->sec_level == BT_SECURITY_FIPS)
977 type = HCI_LK_AUTH_COMBINATION_P256;
978 else
979 type = HCI_LK_UNAUTH_COMBINATION_P256;
980
981 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
982 smp->link_key, type, 0, &persistent);
983 if (key) {
984 mgmt_new_link_key(hdev, key, persistent);
985
986 /* Don't keep debug keys around if the relevant
987 * flag is not set.
988 */
989 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
990 key->type == HCI_LK_DEBUG_COMBINATION) {
991 list_del_rcu(&key->list);
992 kfree_rcu(key, rcu);
993 }
994 }
6a77083a
JH		 995 }
996}
997
d3e54a87
JH		 998static void sc_add_ltk(struct smp_chan *smp)
999{
1000 struct hci_conn *hcon = smp->conn->hcon;
1001 u8 key_type, auth;
1002
1003 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1004 key_type = SMP_LTK_P256_DEBUG;
1005 else
1006 key_type = SMP_LTK_P256;
1007
1008 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1009 auth = 1;
1010 else
1011 auth = 0;
1012
1013 memset(smp->tk + smp->enc_key_size, 0,
1014 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1015
1016 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1017 key_type, auth, smp->tk, smp->enc_key_size,
1018 0, 0);
1019}
1020
6a77083a
JH		 1021static void sc_generate_link_key(struct smp_chan *smp)
1022{
1023 /* These constants are as specified in the core specification.
1024 * In ASCII they spell out to 'tmp1' and 'lebr'.
1025 */
1026 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1027 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1028
1029 smp->link_key = kzalloc(16, GFP_KERNEL);
1030 if (!smp->link_key)
1031 return;
1032
1033 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1034 kfree(smp->link_key);
1035 smp->link_key = NULL;
1036 return;
1037 }
1038
1039 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1040 kfree(smp->link_key);
1041 smp->link_key = NULL;
1042 return;
1043 }
44f1a7ab
JH		 1044}
1045
b28b4943
JH		 1046static void smp_allow_key_dist(struct smp_chan *smp)
1047{
1048 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1049 * will be allowed in each PDU handler to ensure we receive
1050 * them in the correct order.
1051 */
1052 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1053 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1054 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1055 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1056 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1057 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1058}
1059
d6268e86 1060static void smp_distribute_keys(struct smp_chan *smp)
44f1a7ab
JH		 1061{
1062 struct smp_cmd_pairing *req, *rsp;
86d1407c 1063 struct l2cap_conn *conn = smp->conn;
44f1a7ab
JH		 1064 struct hci_conn *hcon = conn->hcon;
1065 struct hci_dev *hdev = hcon->hdev;
1066 __u8 *keydist;
1067
1068 BT_DBG("conn %p", conn);
1069
44f1a7ab
JH		 1070 rsp = (void *) &smp->prsp[1];
1071
1072 /* The responder sends its keys first */
b28b4943
JH		 1073 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1074 smp_allow_key_dist(smp);
86d1407c 1075 return;
b28b4943 1076 }
44f1a7ab
JH		 1077
1078 req = (void *) &smp->preq[1];
1079
1080 if (hcon->out) {
1081 keydist = &rsp->init_key_dist;
1082 *keydist &= req->init_key_dist;
1083 } else {
1084 keydist = &rsp->resp_key_dist;
1085 *keydist &= req->resp_key_dist;
1086 }
1087
6a77083a
JH		 1088 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1089 if (*keydist & SMP_DIST_LINK_KEY)
1090 sc_generate_link_key(smp);
1091
1092 /* Clear the keys which are generated but not distributed */
1093 *keydist &= ~SMP_SC_NO_DIST;
1094 }
1095
44f1a7ab
JH		 1096 BT_DBG("keydist 0x%x", *keydist);
1097
1098 if (*keydist & SMP_DIST_ENC_KEY) {
1099 struct smp_cmd_encrypt_info enc;
1100 struct smp_cmd_master_ident ident;
1101 struct smp_ltk *ltk;
1102 u8 authenticated;
1103 __le16 ediv;
1104 __le64 rand;
1105
1106 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1107 get_random_bytes(&ediv, sizeof(ediv));
1108 get_random_bytes(&rand, sizeof(rand));
1109
1110 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1111
1112 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1113 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1114 SMP_LTK_SLAVE, authenticated, enc.ltk,
1115 smp->enc_key_size, ediv, rand);
1116 smp->slave_ltk = ltk;
1117
1118 ident.ediv = ediv;
1119 ident.rand = rand;
1120
1121 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1122
1123 *keydist &= ~SMP_DIST_ENC_KEY;
1124 }
1125
1126 if (*keydist & SMP_DIST_ID_KEY) {
1127 struct smp_cmd_ident_addr_info addrinfo;
1128 struct smp_cmd_ident_info idinfo;
1129
1130 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1131
1132 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1133
1134 /* The hci_conn contains the local identity address
1135 * after the connection has been established.
1136 *
1137 * This is true even when the connection has been
1138 * established using a resolvable random address.
1139 */
1140 bacpy(&addrinfo.bdaddr, &hcon->src);
1141 addrinfo.addr_type = hcon->src_type;
1142
1143 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1144 &addrinfo);
1145
1146 *keydist &= ~SMP_DIST_ID_KEY;
1147 }
1148
1149 if (*keydist & SMP_DIST_SIGN) {
1150 struct smp_cmd_sign_info sign;
1151 struct smp_csrk *csrk;
1152
1153 /* Generate a new random key */
1154 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1155
1156 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1157 if (csrk) {
1158 csrk->master = 0x00;
1159 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1160 }
1161 smp->slave_csrk = csrk;
1162
1163 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1164
1165 *keydist &= ~SMP_DIST_SIGN;
1166 }
1167
1168 /* If there are still keys to be received wait for them */
b28b4943
JH		 1169 if (smp->remote_key_dist & KEY_DIST_MASK) {
1170 smp_allow_key_dist(smp);
86d1407c 1171 return;
b28b4943 1172 }
44f1a7ab 1173
44f1a7ab
JH		 1174 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1175 smp_notify_keys(conn);
1176
1177 smp_chan_destroy(conn);
44f1a7ab
JH		 1178}
1179
b68fda68
JH		 1180static void smp_timeout(struct work_struct *work)
1181{
1182 struct smp_chan *smp = container_of(work, struct smp_chan,
1183 security_timer.work);
1184 struct l2cap_conn *conn = smp->conn;
1185
1186 BT_DBG("conn %p", conn);
1187
1e91c29e 1188 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
b68fda68
JH		 1189}
1190
8aab4757
VCG		 1191static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1192{
5d88cc73 1193 struct l2cap_chan *chan = conn->smp;
8aab4757
VCG		 1194 struct smp_chan *smp;
1195
f1560463 1196 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
fc75cc86 1197 if (!smp)
8aab4757
VCG		 1198 return NULL;
1199
6a7bd103
JH		 1200 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1201 if (IS_ERR(smp->tfm_aes)) {
1202 BT_ERR("Unable to create ECB crypto context");
1203 kfree(smp);
1204 return NULL;
1205 }
1206
407cecf6
JH		 1207 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1208 if (IS_ERR(smp->tfm_cmac)) {
1209 BT_ERR("Unable to create CMAC crypto context");
1210 crypto_free_blkcipher(smp->tfm_aes);
1211 kfree(smp);
1212 return NULL;
1213 }
1214
8aab4757 1215 smp->conn = conn;
5d88cc73 1216 chan->data = smp;
8aab4757 1217
b28b4943
JH		 1218 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1219
b68fda68
JH		 1220 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1221
8aab4757
VCG		 1222 hci_conn_hold(conn->hcon);
1223
1224 return smp;
1225}
1226
760b018b
JH		 1227static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1228{
1229 struct hci_conn *hcon = smp->conn->hcon;
1230 u8 *na, *nb, a[7], b[7];
1231
1232 if (hcon->out) {
1233 na = smp->prnd;
1234 nb = smp->rrnd;
1235 } else {
1236 na = smp->rrnd;
1237 nb = smp->prnd;
1238 }
1239
1240 memcpy(a, &hcon->init_addr, 6);
1241 memcpy(b, &hcon->resp_addr, 6);
1242 a[6] = hcon->init_addr_type;
1243 b[6] = hcon->resp_addr_type;
1244
1245 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1246}
1247
38606f14 1248static void sc_dhkey_check(struct smp_chan *smp)
760b018b
JH		 1249{
1250 struct hci_conn *hcon = smp->conn->hcon;
1251 struct smp_cmd_dhkey_check check;
1252 u8 a[7], b[7], *local_addr, *remote_addr;
1253 u8 io_cap[3], r[16];
1254
760b018b
JH		 1255 memcpy(a, &hcon->init_addr, 6);
1256 memcpy(b, &hcon->resp_addr, 6);
1257 a[6] = hcon->init_addr_type;
1258 b[6] = hcon->resp_addr_type;
1259
1260 if (hcon->out) {
1261 local_addr = a;
1262 remote_addr = b;
1263 memcpy(io_cap, &smp->preq[1], 3);
1264 } else {
1265 local_addr = b;
1266 remote_addr = a;
1267 memcpy(io_cap, &smp->prsp[1], 3);
1268 }
1269
dddd3059
JH		 1270 memset(r, 0, sizeof(r));
1271
1272 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
38606f14 1273 put_unaligned_le32(hcon->passkey_notify, r);
760b018b
JH		 1274
1275 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1276 local_addr, remote_addr, check.e);
1277
1278 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
dddd3059
JH		 1279}
1280
38606f14
JH		 1281static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1282{
1283 struct l2cap_conn *conn = smp->conn;
1284 struct hci_conn *hcon = conn->hcon;
1285 struct smp_cmd_pairing_confirm cfm;
1286 u8 r;
1287
1288 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1289 r |= 0x80;
1290
1291 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1292
1293 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1294 cfm.confirm_val))
1295 return SMP_UNSPECIFIED;
1296
1297 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1298
1299 return 0;
1300}
1301
1302static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1303{
1304 struct l2cap_conn *conn = smp->conn;
1305 struct hci_conn *hcon = conn->hcon;
1306 struct hci_dev *hdev = hcon->hdev;
1307 u8 cfm[16], r;
1308
1309 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1310 if (smp->passkey_round >= 20)
1311 return 0;
1312
1313 switch (smp_op) {
1314 case SMP_CMD_PAIRING_RANDOM:
1315 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1316 r |= 0x80;
1317
1318 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1319 smp->rrnd, r, cfm))
1320 return SMP_UNSPECIFIED;
1321
1322 if (memcmp(smp->pcnf, cfm, 16))
1323 return SMP_CONFIRM_FAILED;
1324
1325 smp->passkey_round++;
1326
1327 if (smp->passkey_round == 20) {
1328 /* Generate MacKey and LTK */
1329 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1330 return SMP_UNSPECIFIED;
1331 }
1332
1333 /* The round is only complete when the initiator
1334 * receives pairing random.
1335 */
1336 if (!hcon->out) {
1337 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1338 sizeof(smp->prnd), smp->prnd);
d3e54a87 1339 if (smp->passkey_round == 20)
38606f14 1340 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
d3e54a87 1341 else
38606f14 1342 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
38606f14
JH		 1343 return 0;
1344 }
1345
1346 /* Start the next round */
1347 if (smp->passkey_round != 20)
1348 return sc_passkey_round(smp, 0);
1349
1350 /* Passkey rounds are complete - start DHKey Check */
1351 sc_dhkey_check(smp);
1352 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1353
1354 break;
1355
1356 case SMP_CMD_PAIRING_CONFIRM:
1357 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1358 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1359 return 0;
1360 }
1361
1362 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1363
1364 if (hcon->out) {
1365 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1366 sizeof(smp->prnd), smp->prnd);
1367 return 0;
1368 }
1369
1370 return sc_passkey_send_confirm(smp);
1371
1372 case SMP_CMD_PUBLIC_KEY:
1373 default:
1374 /* Initiating device starts the round */
1375 if (!hcon->out)
1376 return 0;
1377
1378 BT_DBG("%s Starting passkey round %u", hdev->name,
1379 smp->passkey_round + 1);
1380
1381 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1382
1383 return sc_passkey_send_confirm(smp);
1384 }
1385
1386 return 0;
1387}
1388
dddd3059
JH		 1389static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1390{
38606f14
JH		 1391 struct l2cap_conn *conn = smp->conn;
1392 struct hci_conn *hcon = conn->hcon;
1393 u8 smp_op;
1394
1395 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1396
dddd3059
JH		 1397 switch (mgmt_op) {
1398 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1399 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1400 return 0;
1401 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1402 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1403 return 0;
38606f14
JH		 1404 case MGMT_OP_USER_PASSKEY_REPLY:
1405 hcon->passkey_notify = le32_to_cpu(passkey);
1406 smp->passkey_round = 0;
1407
1408 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1409 smp_op = SMP_CMD_PAIRING_CONFIRM;
1410 else
1411 smp_op = 0;
1412
1413 if (sc_passkey_round(smp, smp_op))
1414 return -EIO;
1415
1416 return 0;
dddd3059
JH		 1417 }
1418
d3e54a87
JH		 1419 /* Initiator sends DHKey check first */
1420 if (hcon->out) {
1421 sc_dhkey_check(smp);
1422 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1423 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1424 sc_dhkey_check(smp);
1425 sc_add_ltk(smp);
1426 }
760b018b
JH		 1427
1428 return 0;
1429}
1430
2b64d153
BG		 1431int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1432{
b10e8017 1433 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73 1434 struct l2cap_chan *chan;
2b64d153
BG		 1435 struct smp_chan *smp;
1436 u32 value;
fc75cc86 1437 int err;
2b64d153
BG		 1438
1439 BT_DBG("");
1440
fc75cc86 1441 if (!conn)
2b64d153
BG		 1442 return -ENOTCONN;
1443
5d88cc73
JH		 1444 chan = conn->smp;
1445 if (!chan)
1446 return -ENOTCONN;
1447
fc75cc86
JH		 1448 l2cap_chan_lock(chan);
1449 if (!chan->data) {
1450 err = -ENOTCONN;
1451 goto unlock;
1452 }
1453
5d88cc73 1454 smp = chan->data;
2b64d153 1455
760b018b
JH		 1456 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1457 err = sc_user_reply(smp, mgmt_op, passkey);
1458 goto unlock;
1459 }
1460
2b64d153
BG		 1461 switch (mgmt_op) {
1462 case MGMT_OP_USER_PASSKEY_REPLY:
1463 value = le32_to_cpu(passkey);
943a732a 1464 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153 1465 BT_DBG("PassKey: %d", value);
943a732a 1466 put_unaligned_le32(value, smp->tk);
2b64d153
BG		 1467 /* Fall Through */
1468 case MGMT_OP_USER_CONFIRM_REPLY:
4a74d658 1469 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 1470 break;
1471 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1472 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e11 1473 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1474 err = 0;
1475 goto unlock;
2b64d153 1476 default:
84794e11 1477 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1478 err = -EOPNOTSUPP;
1479 goto unlock;
2b64d153
BG		 1480 }
1481
fc75cc86
JH		 1482 err = 0;
1483
2b64d153 1484 /* If it is our turn to send Pairing Confirm, do so now */
1cc61144
JH		 1485 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1486 u8 rsp = smp_confirm(smp);
1487 if (rsp)
1488 smp_failure(conn, rsp);
1489 }
2b64d153 1490
fc75cc86
JH		 1491unlock:
1492 l2cap_chan_unlock(chan);
1493 return err;
2b64d153
BG		 1494}
1495
da85e5e5 1496static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1497{
3158c50c 1498 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
fc75cc86 1499 struct l2cap_chan *chan = conn->smp;
b3c6410b 1500 struct hci_dev *hdev = conn->hcon->hdev;
8aab4757 1501 struct smp_chan *smp;
c7262e71 1502 u8 key_size, auth, sec_level;
8aab4757 1503 int ret;
88ba43b6
AB		 1504
1505 BT_DBG("conn %p", conn);
1506
c46b98be 1507 if (skb->len < sizeof(*req))
38e4a915 1508 return SMP_INVALID_PARAMS;
c46b98be 1509
40bef302 1510 if (conn->hcon->role != HCI_ROLE_SLAVE)
2b64d153
BG		 1511 return SMP_CMD_NOTSUPP;
1512
fc75cc86 1513 if (!chan->data)
8aab4757 1514 smp = smp_chan_create(conn);
fc75cc86 1515 else
5d88cc73 1516 smp = chan->data;
8aab4757 1517
d08fd0e7
AE		 1518 if (!smp)
1519 return SMP_UNSPECIFIED;
d26a2345 1520
c05b9339 1521 /* We didn't start the pairing, so match remote */
0edb14de 1522 auth = req->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1523
b6ae8457 1524 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
c05b9339 1525 (auth & SMP_AUTH_BONDING))
b3c6410b
JH		 1526 return SMP_PAIRING_NOTSUPP;
1527
1c1def09
VCG		 1528 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1529 memcpy(&smp->preq[1], req, sizeof(*req));
3158c50c 1530 skb_pull(skb, sizeof(*req));
88ba43b6 1531
5e3d3d9b
JH		 1532 build_pairing_cmd(conn, req, &rsp, auth);
1533
1534 if (rsp.auth_req & SMP_AUTH_SC)
1535 set_bit(SMP_FLAG_SC, &smp->flags);
1536
5be5e275 1537 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 1538 sec_level = BT_SECURITY_MEDIUM;
1539 else
1540 sec_level = authreq_to_seclevel(auth);
1541
c7262e71
JH		 1542 if (sec_level > conn->hcon->pending_sec_level)
1543 conn->hcon->pending_sec_level = sec_level;
fdde0a26 1544
49c922bb 1545 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1546 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1547 u8 method;
1548
1549 method = get_auth_method(smp, conn->hcon->io_capability,
1550 req->io_capability);
1551 if (method == JUST_WORKS || method == JUST_CFM)
1552 return SMP_AUTH_REQUIREMENTS;
1553 }
1554
3158c50c
VCG		 1555 key_size = min(req->max_key_size, rsp.max_key_size);
1556 if (check_enc_key_size(conn, key_size))
1557 return SMP_ENC_KEY_SIZE;
88ba43b6 1558
e84a6b13 1559 get_random_bytes(smp->prnd, sizeof(smp->prnd));
8aab4757 1560
1c1def09
VCG		 1561 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1562 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
f01ead31 1563
3158c50c 1564 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
3b19146d
JH		 1565
1566 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1567
1568 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1569 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1570 /* Clear bits which are generated but not distributed */
1571 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1572 /* Wait for Public Key from Initiating Device */
1573 return 0;
1574 } else {
1575 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1576 }
da85e5e5 1577
2b64d153
BG		 1578 /* Request setup of TK */
1579 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1580 if (ret)
1581 return SMP_UNSPECIFIED;
1582
da85e5e5 1583 return 0;
88ba43b6
AB		 1584}
1585
3b19146d
JH		 1586static u8 sc_send_public_key(struct smp_chan *smp)
1587{
1588 BT_DBG("");
1589
6c0dcc50
JH		 1590 while (true) {
1591 /* Generate local key pair for Secure Connections */
1592 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1593 return SMP_UNSPECIFIED;
1594
1595 /* This is unlikely, but we need to check that we didn't
1596 * accidentially generate a debug key.
1597 */
1598 if (memcmp(smp->local_sk, debug_sk, 32))
1599 break;
1600 }
3b19146d
JH		 1601
1602 BT_DBG("Local Public Key X: %32phN", smp->local_pk);
1603 BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1604 BT_DBG("Local Private Key: %32phN", smp->local_sk);
1605
1606 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1607
1608 return 0;
1609}
1610
da85e5e5 1611static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1612{
3158c50c 1613 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
5d88cc73
JH		 1614 struct l2cap_chan *chan = conn->smp;
1615 struct smp_chan *smp = chan->data;
0edb14de 1616 struct hci_dev *hdev = conn->hcon->hdev;
3a7dbfb8 1617 u8 key_size, auth;
7d24ddcc 1618 int ret;
88ba43b6
AB		 1619
1620 BT_DBG("conn %p", conn);
1621
c46b98be 1622 if (skb->len < sizeof(*rsp))
38e4a915 1623 return SMP_INVALID_PARAMS;
c46b98be 1624
40bef302 1625 if (conn->hcon->role != HCI_ROLE_MASTER)
2b64d153
BG		 1626 return SMP_CMD_NOTSUPP;
1627
3158c50c
VCG		 1628 skb_pull(skb, sizeof(*rsp));
1629
1c1def09 1630 req = (void *) &smp->preq[1];
da85e5e5 1631
3158c50c
VCG		 1632 key_size = min(req->max_key_size, rsp->max_key_size);
1633 if (check_enc_key_size(conn, key_size))
1634 return SMP_ENC_KEY_SIZE;
1635
0edb14de 1636 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1637
65668776
JH		 1638 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1639 set_bit(SMP_FLAG_SC, &smp->flags);
d2eb9e10
JH		 1640 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1641 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
65668776 1642
49c922bb 1643 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1644 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1645 u8 method;
1646
1647 method = get_auth_method(smp, req->io_capability,
1648 rsp->io_capability);
1649 if (method == JUST_WORKS || method == JUST_CFM)
1650 return SMP_AUTH_REQUIREMENTS;
1651 }
1652
e84a6b13 1653 get_random_bytes(smp->prnd, sizeof(smp->prnd));
7d24ddcc 1654
8aab4757
VCG		 1655 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1656 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
7d24ddcc 1657
fdcc4bec
JH		 1658 /* Update remote key distribution in case the remote cleared
1659 * some bits that we had enabled in our request.
1660 */
1661 smp->remote_key_dist &= rsp->resp_key_dist;
1662
3b19146d
JH		 1663 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664 /* Clear bits which are generated but not distributed */
1665 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1666 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1667 return sc_send_public_key(smp);
1668 }
1669
c05b9339 1670 auth |= req->auth_req;
2b64d153 1671
476585ec 1672 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2b64d153
BG		 1673 if (ret)
1674 return SMP_UNSPECIFIED;
1675
4a74d658 1676 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153
BG		 1677
1678 /* Can't compose response until we have been confirmed */
4a74d658 1679 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 1680 return smp_confirm(smp);
da85e5e5
VCG		 1681
1682 return 0;
88ba43b6
AB		 1683}
1684
dcee2b32
JH		 1685static u8 sc_check_confirm(struct smp_chan *smp)
1686{
1687 struct l2cap_conn *conn = smp->conn;
1688
1689 BT_DBG("");
1690
1691 /* Public Key exchange must happen before any other steps */
1692 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1693 return SMP_UNSPECIFIED;
1694
38606f14
JH		 1695 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1696 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1697
dcee2b32
JH		 1698 if (conn->hcon->out) {
1699 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1700 smp->prnd);
1701 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1702 }
1703
1704 return 0;
1705}
1706
da85e5e5 1707static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1708{
5d88cc73
JH		 1709 struct l2cap_chan *chan = conn->smp;
1710 struct smp_chan *smp = chan->data;
7d24ddcc 1711
88ba43b6
AB		 1712 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1713
c46b98be 1714 if (skb->len < sizeof(smp->pcnf))
38e4a915 1715 return SMP_INVALID_PARAMS;
c46b98be 1716
1c1def09
VCG		 1717 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1718 skb_pull(skb, sizeof(smp->pcnf));
88ba43b6 1719
dcee2b32
JH		 1720 if (test_bit(SMP_FLAG_SC, &smp->flags))
1721 return sc_check_confirm(smp);
1722
b28b4943 1723 if (conn->hcon->out) {
943a732a
JH		 1724 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1725 smp->prnd);
b28b4943
JH		 1726 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1727 return 0;
1728 }
1729
1730 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 1731 return smp_confirm(smp);
943a732a 1732 else
4a74d658 1733 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
da85e5e5
VCG		 1734
1735 return 0;
88ba43b6
AB		 1736}
1737
da85e5e5 1738static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1739{
5d88cc73
JH		 1740 struct l2cap_chan *chan = conn->smp;
1741 struct smp_chan *smp = chan->data;
191dc7fe
JH		 1742 struct hci_conn *hcon = conn->hcon;
1743 u8 *pkax, *pkbx, *na, *nb;
1744 u32 passkey;
1745 int err;
7d24ddcc 1746
8aab4757 1747 BT_DBG("conn %p", conn);
3158c50c 1748
c46b98be 1749 if (skb->len < sizeof(smp->rrnd))
38e4a915 1750 return SMP_INVALID_PARAMS;
c46b98be 1751
943a732a 1752 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
8aab4757 1753 skb_pull(skb, sizeof(smp->rrnd));
e7e62c85 1754
191dc7fe
JH		 1755 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1756 return smp_random(smp);
1757
38606f14
JH		 1758 /* Passkey entry has special treatment */
1759 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1760 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1761
191dc7fe
JH		 1762 if (hcon->out) {
1763 u8 cfm[16];
1764
1765 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1766 smp->rrnd, 0, cfm);
1767 if (err)
1768 return SMP_UNSPECIFIED;
1769
1770 if (memcmp(smp->pcnf, cfm, 16))
1771 return SMP_CONFIRM_FAILED;
1772
1773 pkax = smp->local_pk;
1774 pkbx = smp->remote_pk;
1775 na = smp->prnd;
1776 nb = smp->rrnd;
1777 } else {
1778 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1779 smp->prnd);
1780 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1781
1782 pkax = smp->remote_pk;
1783 pkbx = smp->local_pk;
1784 na = smp->rrnd;
1785 nb = smp->prnd;
1786 }
1787
760b018b
JH		 1788 /* Generate MacKey and LTK */
1789 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1790 if (err)
1791 return SMP_UNSPECIFIED;
1792
dddd3059
JH		 1793 if (smp->method == JUST_WORKS) {
1794 if (hcon->out) {
38606f14 1795 sc_dhkey_check(smp);
dddd3059
JH		 1796 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1797 }
1798 return 0;
1799 }
1800
38606f14
JH		 1801 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
1802 if (err)
1803 return SMP_UNSPECIFIED;
1804
1805 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
1806 hcon->dst_type, passkey, 0);
191dc7fe
JH		 1807 if (err)
1808 return SMP_UNSPECIFIED;
1809
38606f14
JH		 1810 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1811
191dc7fe 1812 return 0;
88ba43b6
AB		 1813}
1814
f81cd823 1815static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
988c5997 1816{
c9839a11 1817 struct smp_ltk *key;
988c5997
VCG		 1818 struct hci_conn *hcon = conn->hcon;
1819
f3a73d97 1820 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
988c5997 1821 if (!key)
f81cd823 1822 return false;
988c5997 1823
a6f7833c 1824 if (smp_ltk_sec_level(key) < sec_level)
f81cd823 1825 return false;
4dab7864 1826
51a8efd7 1827 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
f81cd823 1828 return true;
988c5997 1829
c9839a11
VCG		 1830 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1831 hcon->enc_key_size = key->enc_size;
988c5997 1832
fe59a05f
JH		 1833 /* We never store STKs for master role, so clear this flag */
1834 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1835
f81cd823 1836 return true;
988c5997 1837}
f1560463 1838
35dc6f83
JH		 1839bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1840 enum smp_key_pref key_pref)
854f4727
JH		 1841{
1842 if (sec_level == BT_SECURITY_LOW)
1843 return true;
1844
35dc6f83
JH		 1845 /* If we're encrypted with an STK but the caller prefers using
1846 * LTK claim insufficient security. This way we allow the
1847 * connection to be re-encrypted with an LTK, even if the LTK
1848 * provides the same level of security. Only exception is if we
1849 * don't have an LTK (e.g. because of key distribution bits).
9ab65d60 1850 */
35dc6f83
JH		 1851 if (key_pref == SMP_USE_LTK &&
1852 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
f3a73d97 1853 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
9ab65d60
JH		 1854 return false;
1855
854f4727
JH		 1856 if (hcon->sec_level >= sec_level)
1857 return true;
1858
1859 return false;
1860}
1861
da85e5e5 1862static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6
AB		 1863{
1864 struct smp_cmd_security_req *rp = (void *) skb->data;
1865 struct smp_cmd_pairing cp;
f1cb9af5 1866 struct hci_conn *hcon = conn->hcon;
0edb14de 1867 struct hci_dev *hdev = hcon->hdev;
8aab4757 1868 struct smp_chan *smp;
c05b9339 1869 u8 sec_level, auth;
88ba43b6
AB		 1870
1871 BT_DBG("conn %p", conn);
1872
c46b98be 1873 if (skb->len < sizeof(*rp))
38e4a915 1874 return SMP_INVALID_PARAMS;
c46b98be 1875
40bef302 1876 if (hcon->role != HCI_ROLE_MASTER)
86ca9eac
JH		 1877 return SMP_CMD_NOTSUPP;
1878
0edb14de 1879 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1880
5be5e275 1881 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 1882 sec_level = BT_SECURITY_MEDIUM;
1883 else
1884 sec_level = authreq_to_seclevel(auth);
1885
35dc6f83 1886 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
854f4727
JH		 1887 return 0;
1888
c7262e71
JH		 1889 if (sec_level > hcon->pending_sec_level)
1890 hcon->pending_sec_level = sec_level;
feb45eb5 1891
4dab7864 1892 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
988c5997
VCG		 1893 return 0;
1894
8aab4757 1895 smp = smp_chan_create(conn);
c29d2444
JH		 1896 if (!smp)
1897 return SMP_UNSPECIFIED;
d26a2345 1898
b6ae8457 1899 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
c05b9339 1900 (auth & SMP_AUTH_BONDING))
616d55be
JH		 1901 return SMP_PAIRING_NOTSUPP;
1902
88ba43b6 1903 skb_pull(skb, sizeof(*rp));
88ba43b6 1904
da85e5e5 1905 memset(&cp, 0, sizeof(cp));
c05b9339 1906 build_pairing_cmd(conn, &cp, NULL, auth);
88ba43b6 1907
1c1def09
VCG		 1908 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1909 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 1910
88ba43b6 1911 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 1912 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
f1cb9af5 1913
da85e5e5 1914 return 0;
88ba43b6
AB		 1915}
1916
cc110922 1917int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
eb492e01 1918{
cc110922 1919 struct l2cap_conn *conn = hcon->l2cap_data;
c68b7f12 1920 struct l2cap_chan *chan;
0a66cf20 1921 struct smp_chan *smp;
2b64d153 1922 __u8 authreq;
fc75cc86 1923 int ret;
eb492e01 1924
3a0259bb
VCG		 1925 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
1926
0a66cf20
JH		 1927 /* This may be NULL if there's an unexpected disconnection */
1928 if (!conn)
1929 return 1;
1930
c68b7f12
JH		 1931 chan = conn->smp;
1932
757aee0f 1933 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2e65c9d2
AG		 1934 return 1;
1935
35dc6f83 1936 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
eb492e01 1937 return 1;
f1cb9af5 1938
c7262e71
JH		 1939 if (sec_level > hcon->pending_sec_level)
1940 hcon->pending_sec_level = sec_level;
1941
40bef302 1942 if (hcon->role == HCI_ROLE_MASTER)
c7262e71
JH		 1943 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1944 return 0;
d26a2345 1945
fc75cc86
JH		 1946 l2cap_chan_lock(chan);
1947
1948 /* If SMP is already in progress ignore this request */
1949 if (chan->data) {
1950 ret = 0;
1951 goto unlock;
1952 }
d26a2345 1953
8aab4757 1954 smp = smp_chan_create(conn);
fc75cc86
JH		 1955 if (!smp) {
1956 ret = 1;
1957 goto unlock;
1958 }
2b64d153
BG		 1959
1960 authreq = seclevel_to_authreq(sec_level);
d26a2345 1961
d2eb9e10
JH		 1962 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
1963 authreq |= SMP_AUTH_SC;
1964
79897d20
JH		 1965 /* Require MITM if IO Capability allows or the security level
1966 * requires it.
2e233644 1967 */
79897d20 1968 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
c7262e71 1969 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2e233644
JH		 1970 authreq |= SMP_AUTH_MITM;
1971
40bef302 1972 if (hcon->role == HCI_ROLE_MASTER) {
d26a2345 1973 struct smp_cmd_pairing cp;
f01ead31 1974
2b64d153 1975 build_pairing_cmd(conn, &cp, NULL, authreq);
1c1def09
VCG		 1976 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1977 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 1978
eb492e01 1979 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 1980 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
eb492e01
AB		 1981 } else {
1982 struct smp_cmd_security_req cp;
2b64d153 1983 cp.auth_req = authreq;
eb492e01 1984 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
b28b4943 1985 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
eb492e01
AB		 1986 }
1987
4a74d658 1988 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
fc75cc86 1989 ret = 0;
edca792c 1990
fc75cc86
JH		 1991unlock:
1992 l2cap_chan_unlock(chan);
1993 return ret;
eb492e01
AB		 1994}
1995
7034b911
VCG		 1996static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1997{
16b90839 1998 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
5d88cc73
JH		 1999 struct l2cap_chan *chan = conn->smp;
2000 struct smp_chan *smp = chan->data;
16b90839 2001
c46b98be
JH		 2002 BT_DBG("conn %p", conn);
2003
2004 if (skb->len < sizeof(*rp))
38e4a915 2005 return SMP_INVALID_PARAMS;
c46b98be 2006
b28b4943 2007 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
6131ddc8 2008
16b90839
VCG		 2009 skb_pull(skb, sizeof(*rp));
2010
1c1def09 2011 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
16b90839 2012
7034b911
VCG		 2013 return 0;
2014}
2015
2016static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2017{
16b90839 2018 struct smp_cmd_master_ident *rp = (void *) skb->data;
5d88cc73
JH		 2019 struct l2cap_chan *chan = conn->smp;
2020 struct smp_chan *smp = chan->data;
c9839a11
VCG		 2021 struct hci_dev *hdev = conn->hcon->hdev;
2022 struct hci_conn *hcon = conn->hcon;
23d0e128 2023 struct smp_ltk *ltk;
c9839a11 2024 u8 authenticated;
16b90839 2025
c46b98be
JH		 2026 BT_DBG("conn %p", conn);
2027
2028 if (skb->len < sizeof(*rp))
38e4a915 2029 return SMP_INVALID_PARAMS;
c46b98be 2030
9747a9f3
JH		 2031 /* Mark the information as received */
2032 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2033
b28b4943
JH		 2034 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2035 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
196332f5
JH		 2036 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2037 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
b28b4943 2038
16b90839 2039 skb_pull(skb, sizeof(*rp));
7034b911 2040
ce39fb4e 2041 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2ceba539 2042 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
23d0e128
JH		 2043 authenticated, smp->tk, smp->enc_key_size,
2044 rp->ediv, rp->rand);
2045 smp->ltk = ltk;
c6e81e9a 2046 if (!(smp->remote_key_dist & KEY_DIST_MASK))
d6268e86 2047 smp_distribute_keys(smp);
7034b911
VCG		 2048
2049 return 0;
2050}
2051
fd349c02
JH		 2052static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2053{
2054 struct smp_cmd_ident_info *info = (void *) skb->data;
5d88cc73
JH		 2055 struct l2cap_chan *chan = conn->smp;
2056 struct smp_chan *smp = chan->data;
fd349c02
JH		 2057
2058 BT_DBG("");
2059
2060 if (skb->len < sizeof(*info))
38e4a915 2061 return SMP_INVALID_PARAMS;
fd349c02 2062
b28b4943 2063 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
6131ddc8 2064
fd349c02
JH		 2065 skb_pull(skb, sizeof(*info));
2066
2067 memcpy(smp->irk, info->irk, 16);
2068
2069 return 0;
2070}
2071
2072static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2073 struct sk_buff *skb)
2074{
2075 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
5d88cc73
JH		 2076 struct l2cap_chan *chan = conn->smp;
2077 struct smp_chan *smp = chan->data;
fd349c02
JH		 2078 struct hci_conn *hcon = conn->hcon;
2079 bdaddr_t rpa;
2080
2081 BT_DBG("");
2082
2083 if (skb->len < sizeof(*info))
38e4a915 2084 return SMP_INVALID_PARAMS;
fd349c02 2085
9747a9f3
JH		 2086 /* Mark the information as received */
2087 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2088
b28b4943
JH		 2089 if (smp->remote_key_dist & SMP_DIST_SIGN)
2090 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2091
fd349c02
JH		 2092 skb_pull(skb, sizeof(*info));
2093
a9a58f86
JH		 2094 /* Strictly speaking the Core Specification (4.1) allows sending
2095 * an empty address which would force us to rely on just the IRK
2096 * as "identity information". However, since such
2097 * implementations are not known of and in order to not over
2098 * complicate our implementation, simply pretend that we never
2099 * received an IRK for such a device.
2100 */
2101 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2102 BT_ERR("Ignoring IRK with no identity address");
31dd624e 2103 goto distribute;
a9a58f86
JH		 2104 }
2105
fd349c02
JH		 2106 bacpy(&smp->id_addr, &info->bdaddr);
2107 smp->id_addr_type = info->addr_type;
2108
2109 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2110 bacpy(&rpa, &hcon->dst);
2111 else
2112 bacpy(&rpa, BDADDR_ANY);
2113
23d0e128
JH		 2114 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2115 smp->id_addr_type, smp->irk, &rpa);
fd349c02 2116
31dd624e 2117distribute:
c6e81e9a
JH		 2118 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2119 smp_distribute_keys(smp);
fd349c02
JH		 2120
2121 return 0;
2122}
2123
7ee4ea36
MH		 2124static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2125{
2126 struct smp_cmd_sign_info *rp = (void *) skb->data;
5d88cc73
JH		 2127 struct l2cap_chan *chan = conn->smp;
2128 struct smp_chan *smp = chan->data;
7ee4ea36
MH		 2129 struct smp_csrk *csrk;
2130
2131 BT_DBG("conn %p", conn);
2132
2133 if (skb->len < sizeof(*rp))
38e4a915 2134 return SMP_INVALID_PARAMS;
7ee4ea36 2135
7ee4ea36
MH		 2136 /* Mark the information as received */
2137 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2138
2139 skb_pull(skb, sizeof(*rp));
2140
7ee4ea36
MH		 2141 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2142 if (csrk) {
2143 csrk->master = 0x01;
2144 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2145 }
2146 smp->csrk = csrk;
d6268e86 2147 smp_distribute_keys(smp);
7ee4ea36
MH		 2148
2149 return 0;
2150}
2151
5e3d3d9b
JH		 2152static u8 sc_select_method(struct smp_chan *smp)
2153{
2154 struct l2cap_conn *conn = smp->conn;
2155 struct hci_conn *hcon = conn->hcon;
2156 struct smp_cmd_pairing *local, *remote;
2157 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2158
2159 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2160 * which are needed as inputs to some crypto functions. To get
2161 * the "struct smp_cmd_pairing" from them we need to skip the
2162 * first byte which contains the opcode.
2163 */
2164 if (hcon->out) {
2165 local = (void *) &smp->preq[1];
2166 remote = (void *) &smp->prsp[1];
2167 } else {
2168 local = (void *) &smp->prsp[1];
2169 remote = (void *) &smp->preq[1];
2170 }
2171
2172 local_io = local->io_capability;
2173 remote_io = remote->io_capability;
2174
2175 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2176 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2177
2178 /* If either side wants MITM, look up the method from the table,
2179 * otherwise use JUST WORKS.
2180 */
2181 if (local_mitm || remote_mitm)
2182 method = get_auth_method(smp, local_io, remote_io);
2183 else
2184 method = JUST_WORKS;
2185
2186 /* Don't confirm locally initiated pairing attempts */
2187 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2188 method = JUST_WORKS;
2189
2190 return method;
2191}
2192
d8f8edbe
JH		 2193static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2194{
2195 struct smp_cmd_public_key *key = (void *) skb->data;
2196 struct hci_conn *hcon = conn->hcon;
2197 struct l2cap_chan *chan = conn->smp;
2198 struct smp_chan *smp = chan->data;
5e3d3d9b 2199 struct hci_dev *hdev = hcon->hdev;
cbbbe3e2 2200 struct smp_cmd_pairing_confirm cfm;
d8f8edbe
JH		 2201 int err;
2202
2203 BT_DBG("conn %p", conn);
2204
2205 if (skb->len < sizeof(*key))
2206 return SMP_INVALID_PARAMS;
2207
2208 memcpy(smp->remote_pk, key, 64);
2209
2210 /* Non-initiating device sends its public key after receiving
2211 * the key from the initiating device.
2212 */
2213 if (!hcon->out) {
2214 err = sc_send_public_key(smp);
2215 if (err)
2216 return err;
2217 }
2218
2219 BT_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2220 BT_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2221
2222 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2223 return SMP_UNSPECIFIED;
2224
2225 BT_DBG("DHKey %32phN", smp->dhkey);
2226
2227 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2228
5e3d3d9b
JH		 2229 smp->method = sc_select_method(smp);
2230
2231 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2232
2233 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2234 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2235 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2236 else
2237 hcon->pending_sec_level = BT_SECURITY_FIPS;
2238
aeb7d461
JH		 2239 if (!memcmp(debug_pk, smp->remote_pk, 64))
2240 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2241
38606f14
JH		 2242 if (smp->method == DSP_PASSKEY) {
2243 get_random_bytes(&hcon->passkey_notify,
2244 sizeof(hcon->passkey_notify));
2245 hcon->passkey_notify %= 1000000;
2246 hcon->passkey_entered = 0;
2247 smp->passkey_round = 0;
2248 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2249 hcon->dst_type,
2250 hcon->passkey_notify,
2251 hcon->passkey_entered))
2252 return SMP_UNSPECIFIED;
2253 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2254 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2255 }
2256
2257 if (hcon->out)
2258 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2259
2260 if (smp->method == REQ_PASSKEY) {
2261 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2262 hcon->dst_type))
2263 return SMP_UNSPECIFIED;
2264 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2265 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2266 return 0;
2267 }
2268
cbbbe3e2
JH		 2269 /* The Initiating device waits for the non-initiating device to
2270 * send the confirm value.
2271 */
2272 if (conn->hcon->out)
2273 return 0;
2274
2275 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2276 0, cfm.confirm_val);
2277 if (err)
2278 return SMP_UNSPECIFIED;
2279
2280 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2281 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2282
d8f8edbe
JH		 2283 return 0;
2284}
2285
6433a9a2
JH		 2286static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2287{
2288 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2289 struct l2cap_chan *chan = conn->smp;
2290 struct hci_conn *hcon = conn->hcon;
2291 struct smp_chan *smp = chan->data;
2292 u8 a[7], b[7], *local_addr, *remote_addr;
2293 u8 io_cap[3], r[16], e[16];
2294 int err;
2295
2296 BT_DBG("conn %p", conn);
2297
2298 if (skb->len < sizeof(*check))
2299 return SMP_INVALID_PARAMS;
2300
2301 memcpy(a, &hcon->init_addr, 6);
2302 memcpy(b, &hcon->resp_addr, 6);
2303 a[6] = hcon->init_addr_type;
2304 b[6] = hcon->resp_addr_type;
2305
2306 if (hcon->out) {
2307 local_addr = a;
2308 remote_addr = b;
2309 memcpy(io_cap, &smp->prsp[1], 3);
2310 } else {
2311 local_addr = b;
2312 remote_addr = a;
2313 memcpy(io_cap, &smp->preq[1], 3);
2314 }
2315
2316 memset(r, 0, sizeof(r));
2317
38606f14
JH		 2318 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2319 put_unaligned_le32(hcon->passkey_notify, r);
2320
6433a9a2
JH		 2321 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2322 io_cap, remote_addr, local_addr, e);
2323 if (err)
2324 return SMP_UNSPECIFIED;
2325
2326 if (memcmp(check->e, e, 16))
2327 return SMP_DHKEY_CHECK_FAILED;
2328
d3e54a87
JH		 2329 if (!hcon->out) {
2330 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2331 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2332 return 0;
2333 }
d378a2d7 2334
d3e54a87
JH		 2335 /* Slave sends DHKey check as response to master */
2336 sc_dhkey_check(smp);
2337 }
d378a2d7 2338
d3e54a87 2339 sc_add_ltk(smp);
6433a9a2
JH		 2340
2341 if (hcon->out) {
2342 hci_le_start_enc(hcon, 0, 0, smp->tk);
2343 hcon->enc_key_size = smp->enc_key_size;
2344 }
2345
2346 return 0;
2347}
2348
4befb867 2349static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
eb492e01 2350{
5d88cc73 2351 struct l2cap_conn *conn = chan->conn;
7b9899db 2352 struct hci_conn *hcon = conn->hcon;
b28b4943 2353 struct smp_chan *smp;
92381f5c 2354 __u8 code, reason;
eb492e01
AB		 2355 int err = 0;
2356
7b9899db
MH		 2357 if (hcon->type != LE_LINK) {
2358 kfree_skb(skb);
3432711f 2359 return 0;
7b9899db
MH		 2360 }
2361
8ae9b984 2362 if (skb->len < 1)
92381f5c 2363 return -EILSEQ;
92381f5c 2364
06ae3314 2365 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2e65c9d2
AG		 2366 reason = SMP_PAIRING_NOTSUPP;
2367 goto done;
2368 }
2369
92381f5c 2370 code = skb->data[0];
eb492e01
AB		 2371 skb_pull(skb, sizeof(code));
2372
b28b4943
JH		 2373 smp = chan->data;
2374
2375 if (code > SMP_CMD_MAX)
2376 goto drop;
2377
24bd0bd9 2378 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
b28b4943
JH		 2379 goto drop;
2380
2381 /* If we don't have a context the only allowed commands are
2382 * pairing request and security request.
8cf9fa12 2383 */
b28b4943
JH		 2384 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2385 goto drop;
8cf9fa12 2386
eb492e01
AB		 2387 switch (code) {
2388 case SMP_CMD_PAIRING_REQ:
da85e5e5 2389 reason = smp_cmd_pairing_req(conn, skb);
eb492e01
AB		 2390 break;
2391
2392 case SMP_CMD_PAIRING_FAIL:
84794e11 2393 smp_failure(conn, 0);
da85e5e5 2394 err = -EPERM;
eb492e01
AB		 2395 break;
2396
2397 case SMP_CMD_PAIRING_RSP:
da85e5e5 2398 reason = smp_cmd_pairing_rsp(conn, skb);
88ba43b6
AB		 2399 break;
2400
2401 case SMP_CMD_SECURITY_REQ:
da85e5e5 2402 reason = smp_cmd_security_req(conn, skb);
88ba43b6
AB		 2403 break;
2404
eb492e01 2405 case SMP_CMD_PAIRING_CONFIRM:
da85e5e5 2406 reason = smp_cmd_pairing_confirm(conn, skb);
88ba43b6
AB		 2407 break;
2408
eb492e01 2409 case SMP_CMD_PAIRING_RANDOM:
da85e5e5 2410 reason = smp_cmd_pairing_random(conn, skb);
88ba43b6
AB		 2411 break;
2412
eb492e01 2413 case SMP_CMD_ENCRYPT_INFO:
7034b911
VCG		 2414 reason = smp_cmd_encrypt_info(conn, skb);
2415 break;
2416
eb492e01 2417 case SMP_CMD_MASTER_IDENT:
7034b911
VCG		 2418 reason = smp_cmd_master_ident(conn, skb);
2419 break;
2420
eb492e01 2421 case SMP_CMD_IDENT_INFO:
fd349c02
JH		 2422 reason = smp_cmd_ident_info(conn, skb);
2423 break;
2424
eb492e01 2425 case SMP_CMD_IDENT_ADDR_INFO:
fd349c02
JH		 2426 reason = smp_cmd_ident_addr_info(conn, skb);
2427 break;
2428
eb492e01 2429 case SMP_CMD_SIGN_INFO:
7ee4ea36 2430 reason = smp_cmd_sign_info(conn, skb);
7034b911
VCG		 2431 break;
2432
d8f8edbe
JH		 2433 case SMP_CMD_PUBLIC_KEY:
2434 reason = smp_cmd_public_key(conn, skb);
2435 break;
2436
6433a9a2
JH		 2437 case SMP_CMD_DHKEY_CHECK:
2438 reason = smp_cmd_dhkey_check(conn, skb);
2439 break;
2440
eb492e01
AB		 2441 default:
2442 BT_DBG("Unknown command code 0x%2.2x", code);
eb492e01 2443 reason = SMP_CMD_NOTSUPP;
3a0259bb 2444 goto done;
eb492e01
AB		 2445 }
2446
3a0259bb 2447done:
9b7b18ef
JH		 2448 if (!err) {
2449 if (reason)
2450 smp_failure(conn, reason);
8ae9b984 2451 kfree_skb(skb);
9b7b18ef
JH		 2452 }
2453
eb492e01 2454 return err;
b28b4943
JH		 2455
2456drop:
2457 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2458 code, &hcon->dst);
2459 kfree_skb(skb);
2460 return 0;
eb492e01 2461}
7034b911 2462
70db83c4
JH		 2463static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2464{
2465 struct l2cap_conn *conn = chan->conn;
2466
2467 BT_DBG("chan %p", chan);
2468
fc75cc86 2469 if (chan->data)
5d88cc73 2470 smp_chan_destroy(conn);
5d88cc73 2471
70db83c4
JH		 2472 conn->smp = NULL;
2473 l2cap_chan_put(chan);
2474}
2475
44f1a7ab
JH		 2476static void smp_resume_cb(struct l2cap_chan *chan)
2477{
b68fda68 2478 struct smp_chan *smp = chan->data;
44f1a7ab
JH		 2479 struct l2cap_conn *conn = chan->conn;
2480 struct hci_conn *hcon = conn->hcon;
2481
2482 BT_DBG("chan %p", chan);
2483
86d1407c
JH		 2484 if (!smp)
2485 return;
b68fda68 2486
84bc0db5
JH		 2487 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2488 return;
2489
86d1407c
JH		 2490 cancel_delayed_work(&smp->security_timer);
2491
d6268e86 2492 smp_distribute_keys(smp);
44f1a7ab
JH		 2493}
2494
70db83c4
JH		 2495static void smp_ready_cb(struct l2cap_chan *chan)
2496{
2497 struct l2cap_conn *conn = chan->conn;
2498
2499 BT_DBG("chan %p", chan);
2500
2501 conn->smp = chan;
2502 l2cap_chan_hold(chan);
2503}
2504
4befb867
JH		 2505static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2506{
2507 int err;
2508
2509 BT_DBG("chan %p", chan);
2510
2511 err = smp_sig_channel(chan, skb);
2512 if (err) {
b68fda68 2513 struct smp_chan *smp = chan->data;
4befb867 2514
b68fda68
JH		 2515 if (smp)
2516 cancel_delayed_work_sync(&smp->security_timer);
4befb867 2517
1e91c29e 2518 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
4befb867
JH		 2519 }
2520
2521 return err;
2522}
2523
70db83c4
JH		 2524static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2525 unsigned long hdr_len,
2526 unsigned long len, int nb)
2527{
2528 struct sk_buff *skb;
2529
2530 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2531 if (!skb)
2532 return ERR_PTR(-ENOMEM);
2533
2534 skb->priority = HCI_PRIO_MAX;
2535 bt_cb(skb)->chan = chan;
2536
2537 return skb;
2538}
2539
2540static const struct l2cap_ops smp_chan_ops = {
2541 .name = "Security Manager",
2542 .ready = smp_ready_cb,
5d88cc73 2543 .recv = smp_recv_cb,
70db83c4
JH		 2544 .alloc_skb = smp_alloc_skb_cb,
2545 .teardown = smp_teardown_cb,
44f1a7ab 2546 .resume = smp_resume_cb,
70db83c4
JH		 2547
2548 .new_connection = l2cap_chan_no_new_connection,
70db83c4
JH		 2549 .state_change = l2cap_chan_no_state_change,
2550 .close = l2cap_chan_no_close,
2551 .defer = l2cap_chan_no_defer,
2552 .suspend = l2cap_chan_no_suspend,
70db83c4
JH		 2553 .set_shutdown = l2cap_chan_no_set_shutdown,
2554 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2555 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2556};
2557
2558static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2559{
2560 struct l2cap_chan *chan;
2561
2562 BT_DBG("pchan %p", pchan);
2563
2564 chan = l2cap_chan_create();
2565 if (!chan)
2566 return NULL;
2567
2568 chan->chan_type = pchan->chan_type;
2569 chan->ops = &smp_chan_ops;
2570 chan->scid = pchan->scid;
2571 chan->dcid = chan->scid;
2572 chan->imtu = pchan->imtu;
2573 chan->omtu = pchan->omtu;
2574 chan->mode = pchan->mode;
2575
abe84903
JH		 2576 /* Other L2CAP channels may request SMP routines in order to
2577 * change the security level. This means that the SMP channel
2578 * lock must be considered in its own category to avoid lockdep
2579 * warnings.
2580 */
2581 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2582
70db83c4
JH		 2583 BT_DBG("created chan %p", chan);
2584
2585 return chan;
2586}
2587
2588static const struct l2cap_ops smp_root_chan_ops = {
2589 .name = "Security Manager Root",
2590 .new_connection = smp_new_conn_cb,
2591
2592 /* None of these are implemented for the root channel */
2593 .close = l2cap_chan_no_close,
2594 .alloc_skb = l2cap_chan_no_alloc_skb,
2595 .recv = l2cap_chan_no_recv,
2596 .state_change = l2cap_chan_no_state_change,
2597 .teardown = l2cap_chan_no_teardown,
2598 .ready = l2cap_chan_no_ready,
2599 .defer = l2cap_chan_no_defer,
2600 .suspend = l2cap_chan_no_suspend,
2601 .resume = l2cap_chan_no_resume,
2602 .set_shutdown = l2cap_chan_no_set_shutdown,
2603 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2604 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2605};
2606
711eafe3
JH		 2607int smp_register(struct hci_dev *hdev)
2608{
70db83c4 2609 struct l2cap_chan *chan;
defce9e8 2610 struct crypto_blkcipher *tfm_aes;
70db83c4 2611
711eafe3
JH		 2612 BT_DBG("%s", hdev->name);
2613
adae20cb 2614 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
defce9e8
JH		 2615 if (IS_ERR(tfm_aes)) {
2616 int err = PTR_ERR(tfm_aes);
711eafe3 2617 BT_ERR("Unable to create crypto context");
711eafe3
JH		 2618 return err;
2619 }
2620
70db83c4
JH		 2621 chan = l2cap_chan_create();
2622 if (!chan) {
defce9e8 2623 crypto_free_blkcipher(tfm_aes);
70db83c4
JH		 2624 return -ENOMEM;
2625 }
2626
defce9e8
JH		 2627 chan->data = tfm_aes;
2628
5d88cc73 2629 l2cap_add_scid(chan, L2CAP_CID_SMP);
70db83c4
JH		 2630
2631 l2cap_chan_set_defaults(chan);
2632
2633 bacpy(&chan->src, &hdev->bdaddr);
2634 chan->src_type = BDADDR_LE_PUBLIC;
2635 chan->state = BT_LISTEN;
2636 chan->mode = L2CAP_MODE_BASIC;
2637 chan->imtu = L2CAP_DEFAULT_MTU;
2638 chan->ops = &smp_root_chan_ops;
2639
abe84903
JH		 2640 /* Set correct nesting level for a parent/listening channel */
2641 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2642
70db83c4
JH		 2643 hdev->smp_data = chan;
2644
711eafe3
JH		 2645 return 0;
2646}
2647
2648void smp_unregister(struct hci_dev *hdev)
2649{
70db83c4 2650 struct l2cap_chan *chan = hdev->smp_data;
defce9e8 2651 struct crypto_blkcipher *tfm_aes;
70db83c4
JH		 2652
2653 if (!chan)
2654 return;
2655
2656 BT_DBG("%s chan %p", hdev->name, chan);
711eafe3 2657
defce9e8
JH		 2658 tfm_aes = chan->data;
2659 if (tfm_aes) {
2660 chan->data = NULL;
2661 crypto_free_blkcipher(tfm_aes);
711eafe3 2662 }
70db83c4
JH		 2663
2664 hdev->smp_data = NULL;
2665 l2cap_chan_put(chan);
711eafe3 2666}
ubuntu-bionic-kernel mirror