2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
34 #define SMP_TIMEOUT msecs_to_jiffies(30000)
36 #define AUTH_REQ_MASK 0x07
47 struct l2cap_conn
*conn
;
48 u8 preq
[7]; /* SMP Pairing Request */
49 u8 prsp
[7]; /* SMP Pairing Response */
50 u8 prnd
[16]; /* SMP Pairing Random (local) */
51 u8 rrnd
[16]; /* SMP Pairing Random (remote) */
52 u8 pcnf
[16]; /* SMP Pairing Confirm */
53 u8 tk
[16]; /* SMP Temporary Key */
59 struct smp_csrk
*csrk
;
60 struct smp_csrk
*slave_csrk
;
62 struct smp_ltk
*slave_ltk
;
63 struct smp_irk
*remote_irk
;
66 struct crypto_blkcipher
*tfm_aes
;
69 static inline void swap_buf(const u8
*src
, u8
*dst
, size_t len
)
73 for (i
= 0; i
< len
; i
++)
74 dst
[len
- 1 - i
] = src
[i
];
77 static int smp_e(struct crypto_blkcipher
*tfm
, const u8
*k
, u8
*r
)
79 struct blkcipher_desc desc
;
80 struct scatterlist sg
;
81 uint8_t tmp
[16], data
[16];
85 BT_ERR("tfm %p", tfm
);
92 /* The most significant octet of key corresponds to k[0] */
95 err
= crypto_blkcipher_setkey(tfm
, tmp
, 16);
97 BT_ERR("cipher setkey failed: %d", err
);
101 /* Most significant octet of plaintextData corresponds to data[0] */
102 swap_buf(r
, data
, 16);
104 sg_init_one(&sg
, data
, 16);
106 err
= crypto_blkcipher_encrypt(&desc
, &sg
, &sg
, 16);
108 BT_ERR("Encrypt data error %d", err
);
110 /* Most significant octet of encryptedData corresponds to data[0] */
111 swap_buf(data
, r
, 16);
116 static int smp_ah(struct crypto_blkcipher
*tfm
, u8 irk
[16], u8 r
[3], u8 res
[3])
121 /* r' = padding || r */
123 memset(_res
+ 3, 0, 13);
125 err
= smp_e(tfm
, irk
, _res
);
127 BT_ERR("Encrypt error");
131 /* The output of the random address function ah is:
132 * ah(h, r) = e(k, r') mod 2^24
133 * The output of the security function e is then truncated to 24 bits
134 * by taking the least significant 24 bits of the output of e as the
137 memcpy(res
, _res
, 3);
142 bool smp_irk_matches(struct crypto_blkcipher
*tfm
, u8 irk
[16],
148 BT_DBG("RPA %pMR IRK %*phN", bdaddr
, 16, irk
);
150 err
= smp_ah(tfm
, irk
, &bdaddr
->b
[3], hash
);
154 return !memcmp(bdaddr
->b
, hash
, 3);
157 int smp_generate_rpa(struct crypto_blkcipher
*tfm
, u8 irk
[16], bdaddr_t
*rpa
)
161 get_random_bytes(&rpa
->b
[3], 3);
163 rpa
->b
[5] &= 0x3f; /* Clear two most significant bits */
164 rpa
->b
[5] |= 0x40; /* Set second most significant bit */
166 err
= smp_ah(tfm
, irk
, &rpa
->b
[3], rpa
->b
);
170 BT_DBG("RPA %pMR", rpa
);
175 static int smp_c1(struct smp_chan
*smp
, u8 k
[16], u8 r
[16], u8 preq
[7],
176 u8 pres
[7], u8 _iat
, bdaddr_t
*ia
, u8 _rat
, bdaddr_t
*ra
,
179 struct hci_dev
*hdev
= smp
->conn
->hcon
->hdev
;
183 BT_DBG("%s", hdev
->name
);
187 /* p1 = pres || preq || _rat || _iat */
190 memcpy(p1
+ 2, preq
, 7);
191 memcpy(p1
+ 9, pres
, 7);
193 /* p2 = padding || ia || ra */
195 memcpy(p2
+ 6, ia
, 6);
196 memset(p2
+ 12, 0, 4);
199 u128_xor((u128
*) res
, (u128
*) r
, (u128
*) p1
);
201 /* res = e(k, res) */
202 err
= smp_e(smp
->tfm_aes
, k
, res
);
204 BT_ERR("Encrypt data error");
208 /* res = res XOR p2 */
209 u128_xor((u128
*) res
, (u128
*) res
, (u128
*) p2
);
211 /* res = e(k, res) */
212 err
= smp_e(smp
->tfm_aes
, k
, res
);
214 BT_ERR("Encrypt data error");
219 static int smp_s1(struct smp_chan
*smp
, u8 k
[16], u8 r1
[16], u8 r2
[16],
222 struct hci_dev
*hdev
= smp
->conn
->hcon
->hdev
;
225 BT_DBG("%s", hdev
->name
);
227 /* Just least significant octets from r1 and r2 are considered */
229 memcpy(_r
+ 8, r1
, 8);
231 err
= smp_e(smp
->tfm_aes
, k
, _r
);
233 BT_ERR("Encrypt data error");
238 static struct sk_buff
*smp_build_cmd(struct l2cap_conn
*conn
, u8 code
,
239 u16 dlen
, void *data
)
242 struct l2cap_hdr
*lh
;
245 len
= L2CAP_HDR_SIZE
+ sizeof(code
) + dlen
;
250 skb
= bt_skb_alloc(len
, GFP_ATOMIC
);
254 lh
= (struct l2cap_hdr
*) skb_put(skb
, L2CAP_HDR_SIZE
);
255 lh
->len
= cpu_to_le16(sizeof(code
) + dlen
);
256 lh
->cid
= cpu_to_le16(L2CAP_CID_SMP
);
258 memcpy(skb_put(skb
, sizeof(code
)), &code
, sizeof(code
));
260 memcpy(skb_put(skb
, dlen
), data
, dlen
);
265 static void smp_send_cmd(struct l2cap_conn
*conn
, u8 code
, u16 len
, void *data
)
267 struct sk_buff
*skb
= smp_build_cmd(conn
, code
, len
, data
);
269 BT_DBG("code 0x%2.2x", code
);
274 skb
->priority
= HCI_PRIO_MAX
;
275 hci_send_acl(conn
->hchan
, skb
, 0);
277 cancel_delayed_work_sync(&conn
->security_timer
);
278 schedule_delayed_work(&conn
->security_timer
, SMP_TIMEOUT
);
281 static __u8
authreq_to_seclevel(__u8 authreq
)
283 if (authreq
& SMP_AUTH_MITM
)
284 return BT_SECURITY_HIGH
;
286 return BT_SECURITY_MEDIUM
;
289 static __u8
seclevel_to_authreq(__u8 sec_level
)
292 case BT_SECURITY_HIGH
:
293 return SMP_AUTH_MITM
| SMP_AUTH_BONDING
;
294 case BT_SECURITY_MEDIUM
:
295 return SMP_AUTH_BONDING
;
297 return SMP_AUTH_NONE
;
301 static void build_pairing_cmd(struct l2cap_conn
*conn
,
302 struct smp_cmd_pairing
*req
,
303 struct smp_cmd_pairing
*rsp
, __u8 authreq
)
305 struct smp_chan
*smp
= conn
->smp_chan
;
306 struct hci_conn
*hcon
= conn
->hcon
;
307 struct hci_dev
*hdev
= hcon
->hdev
;
308 u8 local_dist
= 0, remote_dist
= 0;
310 if (test_bit(HCI_PAIRABLE
, &conn
->hcon
->hdev
->dev_flags
)) {
311 local_dist
= SMP_DIST_ENC_KEY
| SMP_DIST_SIGN
;
312 remote_dist
= SMP_DIST_ENC_KEY
| SMP_DIST_SIGN
;
313 authreq
|= SMP_AUTH_BONDING
;
315 authreq
&= ~SMP_AUTH_BONDING
;
318 if (test_bit(HCI_RPA_RESOLVING
, &hdev
->dev_flags
))
319 remote_dist
|= SMP_DIST_ID_KEY
;
321 if (test_bit(HCI_PRIVACY
, &hdev
->dev_flags
))
322 local_dist
|= SMP_DIST_ID_KEY
;
325 req
->io_capability
= conn
->hcon
->io_capability
;
326 req
->oob_flag
= SMP_OOB_NOT_PRESENT
;
327 req
->max_key_size
= SMP_MAX_ENC_KEY_SIZE
;
328 req
->init_key_dist
= local_dist
;
329 req
->resp_key_dist
= remote_dist
;
330 req
->auth_req
= (authreq
& AUTH_REQ_MASK
);
332 smp
->remote_key_dist
= remote_dist
;
336 rsp
->io_capability
= conn
->hcon
->io_capability
;
337 rsp
->oob_flag
= SMP_OOB_NOT_PRESENT
;
338 rsp
->max_key_size
= SMP_MAX_ENC_KEY_SIZE
;
339 rsp
->init_key_dist
= req
->init_key_dist
& remote_dist
;
340 rsp
->resp_key_dist
= req
->resp_key_dist
& local_dist
;
341 rsp
->auth_req
= (authreq
& AUTH_REQ_MASK
);
343 smp
->remote_key_dist
= rsp
->init_key_dist
;
346 static u8
check_enc_key_size(struct l2cap_conn
*conn
, __u8 max_key_size
)
348 struct smp_chan
*smp
= conn
->smp_chan
;
350 if ((max_key_size
> SMP_MAX_ENC_KEY_SIZE
) ||
351 (max_key_size
< SMP_MIN_ENC_KEY_SIZE
))
352 return SMP_ENC_KEY_SIZE
;
354 smp
->enc_key_size
= max_key_size
;
359 static void smp_failure(struct l2cap_conn
*conn
, u8 reason
)
361 struct hci_conn
*hcon
= conn
->hcon
;
364 smp_send_cmd(conn
, SMP_CMD_PAIRING_FAIL
, sizeof(reason
),
367 clear_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
);
368 mgmt_auth_failed(hcon
->hdev
, &hcon
->dst
, hcon
->type
, hcon
->dst_type
,
369 HCI_ERROR_AUTH_FAILURE
);
371 cancel_delayed_work_sync(&conn
->security_timer
);
373 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND
, &hcon
->flags
))
374 smp_chan_destroy(conn
);
377 #define JUST_WORKS 0x00
378 #define JUST_CFM 0x01
379 #define REQ_PASSKEY 0x02
380 #define CFM_PASSKEY 0x03
384 static const u8 gen_method
[5][5] = {
385 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
386 { JUST_WORKS
, JUST_CFM
, REQ_PASSKEY
, JUST_WORKS
, REQ_PASSKEY
},
387 { CFM_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, CFM_PASSKEY
},
388 { JUST_WORKS
, JUST_CFM
, JUST_WORKS
, JUST_WORKS
, JUST_CFM
},
389 { CFM_PASSKEY
, CFM_PASSKEY
, REQ_PASSKEY
, JUST_WORKS
, OVERLAP
},
392 static u8
get_auth_method(struct smp_chan
*smp
, u8 local_io
, u8 remote_io
)
394 /* If either side has unknown io_caps, use JUST WORKS */
395 if (local_io
> SMP_IO_KEYBOARD_DISPLAY
||
396 remote_io
> SMP_IO_KEYBOARD_DISPLAY
)
399 return gen_method
[remote_io
][local_io
];
402 static int tk_request(struct l2cap_conn
*conn
, u8 remote_oob
, u8 auth
,
403 u8 local_io
, u8 remote_io
)
405 struct hci_conn
*hcon
= conn
->hcon
;
406 struct smp_chan
*smp
= conn
->smp_chan
;
411 /* Initialize key for JUST WORKS */
412 memset(smp
->tk
, 0, sizeof(smp
->tk
));
413 clear_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
415 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth
, local_io
, remote_io
);
417 /* If neither side wants MITM, use JUST WORKS */
418 /* Otherwise, look up method from the table */
419 if (!(auth
& SMP_AUTH_MITM
))
422 method
= get_auth_method(smp
, local_io
, remote_io
);
424 /* If not bonding, don't ask user to confirm a Zero TK */
425 if (!(auth
& SMP_AUTH_BONDING
) && method
== JUST_CFM
)
428 /* Don't confirm locally initiated pairing attempts */
429 if (method
== JUST_CFM
&& test_bit(SMP_FLAG_INITIATOR
, &smp
->flags
))
432 /* If Just Works, Continue with Zero TK */
433 if (method
== JUST_WORKS
) {
434 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
438 /* Not Just Works/Confirm results in MITM Authentication */
439 if (method
!= JUST_CFM
)
440 set_bit(SMP_FLAG_MITM_AUTH
, &smp
->flags
);
442 /* If both devices have Keyoard-Display I/O, the master
443 * Confirms and the slave Enters the passkey.
445 if (method
== OVERLAP
) {
446 if (test_bit(HCI_CONN_MASTER
, &hcon
->flags
))
447 method
= CFM_PASSKEY
;
449 method
= REQ_PASSKEY
;
452 /* Generate random passkey. */
453 if (method
== CFM_PASSKEY
) {
454 memset(smp
->tk
, 0, sizeof(smp
->tk
));
455 get_random_bytes(&passkey
, sizeof(passkey
));
457 put_unaligned_le32(passkey
, smp
->tk
);
458 BT_DBG("PassKey: %d", passkey
);
459 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
462 hci_dev_lock(hcon
->hdev
);
464 if (method
== REQ_PASSKEY
)
465 ret
= mgmt_user_passkey_request(hcon
->hdev
, &hcon
->dst
,
466 hcon
->type
, hcon
->dst_type
);
467 else if (method
== JUST_CFM
)
468 ret
= mgmt_user_confirm_request(hcon
->hdev
, &hcon
->dst
,
469 hcon
->type
, hcon
->dst_type
,
472 ret
= mgmt_user_passkey_notify(hcon
->hdev
, &hcon
->dst
,
473 hcon
->type
, hcon
->dst_type
,
476 hci_dev_unlock(hcon
->hdev
);
481 static u8
smp_confirm(struct smp_chan
*smp
)
483 struct l2cap_conn
*conn
= smp
->conn
;
484 struct smp_cmd_pairing_confirm cp
;
487 BT_DBG("conn %p", conn
);
489 ret
= smp_c1(smp
, smp
->tk
, smp
->prnd
, smp
->preq
, smp
->prsp
,
490 conn
->hcon
->init_addr_type
, &conn
->hcon
->init_addr
,
491 conn
->hcon
->resp_addr_type
, &conn
->hcon
->resp_addr
,
494 return SMP_UNSPECIFIED
;
496 clear_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
498 smp_send_cmd(smp
->conn
, SMP_CMD_PAIRING_CONFIRM
, sizeof(cp
), &cp
);
503 static u8
smp_random(struct smp_chan
*smp
)
505 struct l2cap_conn
*conn
= smp
->conn
;
506 struct hci_conn
*hcon
= conn
->hcon
;
510 if (IS_ERR_OR_NULL(smp
->tfm_aes
))
511 return SMP_UNSPECIFIED
;
513 BT_DBG("conn %p %s", conn
, conn
->hcon
->out
? "master" : "slave");
515 ret
= smp_c1(smp
, smp
->tk
, smp
->rrnd
, smp
->preq
, smp
->prsp
,
516 hcon
->init_addr_type
, &hcon
->init_addr
,
517 hcon
->resp_addr_type
, &hcon
->resp_addr
, confirm
);
519 return SMP_UNSPECIFIED
;
521 if (memcmp(smp
->pcnf
, confirm
, sizeof(smp
->pcnf
)) != 0) {
522 BT_ERR("Pairing failed (confirmation values mismatch)");
523 return SMP_CONFIRM_FAILED
;
531 smp_s1(smp
, smp
->tk
, smp
->rrnd
, smp
->prnd
, stk
);
533 memset(stk
+ smp
->enc_key_size
, 0,
534 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
536 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
))
537 return SMP_UNSPECIFIED
;
539 hci_le_start_enc(hcon
, ediv
, rand
, stk
);
540 hcon
->enc_key_size
= smp
->enc_key_size
;
541 set_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
);
547 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
550 smp_s1(smp
, smp
->tk
, smp
->prnd
, smp
->rrnd
, stk
);
552 memset(stk
+ smp
->enc_key_size
, 0,
553 SMP_MAX_ENC_KEY_SIZE
- smp
->enc_key_size
);
555 if (hcon
->pending_sec_level
== BT_SECURITY_HIGH
)
560 /* Even though there's no _SLAVE suffix this is the
561 * slave STK we're adding for later lookup (the master
562 * STK never needs to be stored).
564 hci_add_ltk(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
,
565 SMP_STK
, auth
, stk
, smp
->enc_key_size
, ediv
, rand
);
571 static struct smp_chan
*smp_chan_create(struct l2cap_conn
*conn
)
573 struct smp_chan
*smp
;
575 smp
= kzalloc(sizeof(*smp
), GFP_ATOMIC
);
579 smp
->tfm_aes
= crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC
);
580 if (IS_ERR(smp
->tfm_aes
)) {
581 BT_ERR("Unable to create ECB crypto context");
587 conn
->smp_chan
= smp
;
589 hci_conn_hold(conn
->hcon
);
594 void smp_chan_destroy(struct l2cap_conn
*conn
)
596 struct smp_chan
*smp
= conn
->smp_chan
;
601 complete
= test_bit(SMP_FLAG_COMPLETE
, &smp
->flags
);
602 mgmt_smp_complete(conn
->hcon
, complete
);
605 kfree(smp
->slave_csrk
);
607 crypto_free_blkcipher(smp
->tfm_aes
);
609 /* If pairing failed clean up any keys we might have */
612 list_del(&smp
->ltk
->list
);
616 if (smp
->slave_ltk
) {
617 list_del(&smp
->slave_ltk
->list
);
618 kfree(smp
->slave_ltk
);
621 if (smp
->remote_irk
) {
622 list_del(&smp
->remote_irk
->list
);
623 kfree(smp
->remote_irk
);
628 conn
->smp_chan
= NULL
;
629 hci_conn_drop(conn
->hcon
);
632 int smp_user_confirm_reply(struct hci_conn
*hcon
, u16 mgmt_op
, __le32 passkey
)
634 struct l2cap_conn
*conn
= hcon
->l2cap_data
;
635 struct smp_chan
*smp
;
640 if (!conn
|| !test_bit(HCI_CONN_LE_SMP_PEND
, &hcon
->flags
))
643 smp
= conn
->smp_chan
;
646 case MGMT_OP_USER_PASSKEY_REPLY
:
647 value
= le32_to_cpu(passkey
);
648 memset(smp
->tk
, 0, sizeof(smp
->tk
));
649 BT_DBG("PassKey: %d", value
);
650 put_unaligned_le32(value
, smp
->tk
);
652 case MGMT_OP_USER_CONFIRM_REPLY
:
653 set_bit(SMP_FLAG_TK_VALID
, &smp
->flags
);
655 case MGMT_OP_USER_PASSKEY_NEG_REPLY
:
656 case MGMT_OP_USER_CONFIRM_NEG_REPLY
:
657 smp_failure(conn
, SMP_PASSKEY_ENTRY_FAILED
);
660 smp_failure(conn
, SMP_PASSKEY_ENTRY_FAILED
);
664 /* If it is our turn to send Pairing Confirm, do so now */
665 if (test_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
)) {
666 u8 rsp
= smp_confirm(smp
);
668 smp_failure(conn
, rsp
);
674 static u8
smp_cmd_pairing_req(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
676 struct smp_cmd_pairing rsp
, *req
= (void *) skb
->data
;
677 struct smp_chan
*smp
;
678 u8 key_size
, auth
, sec_level
;
681 BT_DBG("conn %p", conn
);
683 if (skb
->len
< sizeof(*req
))
684 return SMP_INVALID_PARAMS
;
686 if (test_bit(HCI_CONN_MASTER
, &conn
->hcon
->flags
))
687 return SMP_CMD_NOTSUPP
;
689 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND
, &conn
->hcon
->flags
))
690 smp
= smp_chan_create(conn
);
692 smp
= conn
->smp_chan
;
695 return SMP_UNSPECIFIED
;
697 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
698 memcpy(&smp
->preq
[1], req
, sizeof(*req
));
699 skb_pull(skb
, sizeof(*req
));
701 /* We didn't start the pairing, so match remote */
702 auth
= req
->auth_req
;
704 sec_level
= authreq_to_seclevel(auth
);
705 if (sec_level
> conn
->hcon
->pending_sec_level
)
706 conn
->hcon
->pending_sec_level
= sec_level
;
708 /* If we need MITM check that it can be acheived */
709 if (conn
->hcon
->pending_sec_level
>= BT_SECURITY_HIGH
) {
712 method
= get_auth_method(smp
, conn
->hcon
->io_capability
,
714 if (method
== JUST_WORKS
|| method
== JUST_CFM
)
715 return SMP_AUTH_REQUIREMENTS
;
718 build_pairing_cmd(conn
, req
, &rsp
, auth
);
720 key_size
= min(req
->max_key_size
, rsp
.max_key_size
);
721 if (check_enc_key_size(conn
, key_size
))
722 return SMP_ENC_KEY_SIZE
;
724 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
726 smp
->prsp
[0] = SMP_CMD_PAIRING_RSP
;
727 memcpy(&smp
->prsp
[1], &rsp
, sizeof(rsp
));
729 smp_send_cmd(conn
, SMP_CMD_PAIRING_RSP
, sizeof(rsp
), &rsp
);
731 /* Request setup of TK */
732 ret
= tk_request(conn
, 0, auth
, rsp
.io_capability
, req
->io_capability
);
734 return SMP_UNSPECIFIED
;
736 clear_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
741 static u8
smp_cmd_pairing_rsp(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
743 struct smp_cmd_pairing
*req
, *rsp
= (void *) skb
->data
;
744 struct smp_chan
*smp
= conn
->smp_chan
;
745 u8 key_size
, auth
= SMP_AUTH_NONE
;
748 BT_DBG("conn %p", conn
);
750 if (skb
->len
< sizeof(*rsp
))
751 return SMP_INVALID_PARAMS
;
753 if (!test_bit(HCI_CONN_MASTER
, &conn
->hcon
->flags
))
754 return SMP_CMD_NOTSUPP
;
756 skb_pull(skb
, sizeof(*rsp
));
758 req
= (void *) &smp
->preq
[1];
760 key_size
= min(req
->max_key_size
, rsp
->max_key_size
);
761 if (check_enc_key_size(conn
, key_size
))
762 return SMP_ENC_KEY_SIZE
;
764 /* If we need MITM check that it can be acheived */
765 if (conn
->hcon
->pending_sec_level
>= BT_SECURITY_HIGH
) {
768 method
= get_auth_method(smp
, req
->io_capability
,
770 if (method
== JUST_WORKS
|| method
== JUST_CFM
)
771 return SMP_AUTH_REQUIREMENTS
;
774 get_random_bytes(smp
->prnd
, sizeof(smp
->prnd
));
776 smp
->prsp
[0] = SMP_CMD_PAIRING_RSP
;
777 memcpy(&smp
->prsp
[1], rsp
, sizeof(*rsp
));
779 /* Update remote key distribution in case the remote cleared
780 * some bits that we had enabled in our request.
782 smp
->remote_key_dist
&= rsp
->resp_key_dist
;
784 if ((req
->auth_req
& SMP_AUTH_BONDING
) &&
785 (rsp
->auth_req
& SMP_AUTH_BONDING
))
786 auth
= SMP_AUTH_BONDING
;
788 auth
|= (req
->auth_req
| rsp
->auth_req
) & SMP_AUTH_MITM
;
790 ret
= tk_request(conn
, 0, auth
, req
->io_capability
, rsp
->io_capability
);
792 return SMP_UNSPECIFIED
;
794 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
796 /* Can't compose response until we have been confirmed */
797 if (test_bit(SMP_FLAG_TK_VALID
, &smp
->flags
))
798 return smp_confirm(smp
);
803 static u8
smp_cmd_pairing_confirm(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
805 struct smp_chan
*smp
= conn
->smp_chan
;
807 BT_DBG("conn %p %s", conn
, conn
->hcon
->out
? "master" : "slave");
809 if (skb
->len
< sizeof(smp
->pcnf
))
810 return SMP_INVALID_PARAMS
;
812 memcpy(smp
->pcnf
, skb
->data
, sizeof(smp
->pcnf
));
813 skb_pull(skb
, sizeof(smp
->pcnf
));
816 smp_send_cmd(conn
, SMP_CMD_PAIRING_RANDOM
, sizeof(smp
->prnd
),
818 else if (test_bit(SMP_FLAG_TK_VALID
, &smp
->flags
))
819 return smp_confirm(smp
);
821 set_bit(SMP_FLAG_CFM_PENDING
, &smp
->flags
);
826 static u8
smp_cmd_pairing_random(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
828 struct smp_chan
*smp
= conn
->smp_chan
;
830 BT_DBG("conn %p", conn
);
832 if (skb
->len
< sizeof(smp
->rrnd
))
833 return SMP_INVALID_PARAMS
;
835 memcpy(smp
->rrnd
, skb
->data
, sizeof(smp
->rrnd
));
836 skb_pull(skb
, sizeof(smp
->rrnd
));
838 return smp_random(smp
);
841 static bool smp_ltk_encrypt(struct l2cap_conn
*conn
, u8 sec_level
)
844 struct hci_conn
*hcon
= conn
->hcon
;
846 key
= hci_find_ltk_by_addr(hcon
->hdev
, &hcon
->dst
, hcon
->dst_type
,
851 if (sec_level
> BT_SECURITY_MEDIUM
&& !key
->authenticated
)
854 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND
, &hcon
->flags
))
857 hci_le_start_enc(hcon
, key
->ediv
, key
->rand
, key
->val
);
858 hcon
->enc_key_size
= key
->enc_size
;
860 /* We never store STKs for master role, so clear this flag */
861 clear_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
);
866 bool smp_sufficient_security(struct hci_conn
*hcon
, u8 sec_level
)
868 if (sec_level
== BT_SECURITY_LOW
)
871 /* If we're encrypted with an STK always claim insufficient
872 * security. This way we allow the connection to be re-encrypted
873 * with an LTK, even if the LTK provides the same level of
876 if (test_bit(HCI_CONN_STK_ENCRYPT
, &hcon
->flags
))
879 if (hcon
->sec_level
>= sec_level
)
885 static u8
smp_cmd_security_req(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
887 struct smp_cmd_security_req
*rp
= (void *) skb
->data
;
888 struct smp_cmd_pairing cp
;
889 struct hci_conn
*hcon
= conn
->hcon
;
890 struct smp_chan
*smp
;
893 BT_DBG("conn %p", conn
);
895 if (skb
->len
< sizeof(*rp
))
896 return SMP_INVALID_PARAMS
;
898 if (!test_bit(HCI_CONN_MASTER
, &conn
->hcon
->flags
))
899 return SMP_CMD_NOTSUPP
;
901 sec_level
= authreq_to_seclevel(rp
->auth_req
);
902 if (smp_sufficient_security(hcon
, sec_level
))
905 if (sec_level
> hcon
->pending_sec_level
)
906 hcon
->pending_sec_level
= sec_level
;
908 if (smp_ltk_encrypt(conn
, hcon
->pending_sec_level
))
911 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND
, &hcon
->flags
))
914 smp
= smp_chan_create(conn
);
916 return SMP_UNSPECIFIED
;
918 skb_pull(skb
, sizeof(*rp
));
920 memset(&cp
, 0, sizeof(cp
));
921 build_pairing_cmd(conn
, &cp
, NULL
, rp
->auth_req
);
923 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
924 memcpy(&smp
->preq
[1], &cp
, sizeof(cp
));
926 smp_send_cmd(conn
, SMP_CMD_PAIRING_REQ
, sizeof(cp
), &cp
);
928 clear_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
933 int smp_conn_security(struct hci_conn
*hcon
, __u8 sec_level
)
935 struct l2cap_conn
*conn
= hcon
->l2cap_data
;
936 struct smp_chan
*smp
;
939 BT_DBG("conn %p hcon %p level 0x%2.2x", conn
, hcon
, sec_level
);
941 /* This may be NULL if there's an unexpected disconnection */
945 if (!test_bit(HCI_LE_ENABLED
, &hcon
->hdev
->dev_flags
))
948 if (smp_sufficient_security(hcon
, sec_level
))
951 if (sec_level
> hcon
->pending_sec_level
)
952 hcon
->pending_sec_level
= sec_level
;
954 if (test_bit(HCI_CONN_MASTER
, &hcon
->flags
))
955 if (smp_ltk_encrypt(conn
, hcon
->pending_sec_level
))
958 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND
, &hcon
->flags
))
961 smp
= smp_chan_create(conn
);
965 authreq
= seclevel_to_authreq(sec_level
);
967 /* Require MITM if IO Capability allows or the security level
970 if (hcon
->io_capability
!= HCI_IO_NO_INPUT_OUTPUT
||
971 hcon
->pending_sec_level
> BT_SECURITY_MEDIUM
)
972 authreq
|= SMP_AUTH_MITM
;
974 if (test_bit(HCI_CONN_MASTER
, &hcon
->flags
)) {
975 struct smp_cmd_pairing cp
;
977 build_pairing_cmd(conn
, &cp
, NULL
, authreq
);
978 smp
->preq
[0] = SMP_CMD_PAIRING_REQ
;
979 memcpy(&smp
->preq
[1], &cp
, sizeof(cp
));
981 smp_send_cmd(conn
, SMP_CMD_PAIRING_REQ
, sizeof(cp
), &cp
);
983 struct smp_cmd_security_req cp
;
984 cp
.auth_req
= authreq
;
985 smp_send_cmd(conn
, SMP_CMD_SECURITY_REQ
, sizeof(cp
), &cp
);
988 set_bit(SMP_FLAG_INITIATOR
, &smp
->flags
);
993 static int smp_cmd_encrypt_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
995 struct smp_cmd_encrypt_info
*rp
= (void *) skb
->data
;
996 struct smp_chan
*smp
= conn
->smp_chan
;
998 BT_DBG("conn %p", conn
);
1000 if (skb
->len
< sizeof(*rp
))
1001 return SMP_INVALID_PARAMS
;
1003 /* Ignore this PDU if it wasn't requested */
1004 if (!(smp
->remote_key_dist
& SMP_DIST_ENC_KEY
))
1007 skb_pull(skb
, sizeof(*rp
));
1009 memcpy(smp
->tk
, rp
->ltk
, sizeof(smp
->tk
));
1014 static int smp_cmd_master_ident(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1016 struct smp_cmd_master_ident
*rp
= (void *) skb
->data
;
1017 struct smp_chan
*smp
= conn
->smp_chan
;
1018 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1019 struct hci_conn
*hcon
= conn
->hcon
;
1020 struct smp_ltk
*ltk
;
1023 BT_DBG("conn %p", conn
);
1025 if (skb
->len
< sizeof(*rp
))
1026 return SMP_INVALID_PARAMS
;
1028 /* Ignore this PDU if it wasn't requested */
1029 if (!(smp
->remote_key_dist
& SMP_DIST_ENC_KEY
))
1032 /* Mark the information as received */
1033 smp
->remote_key_dist
&= ~SMP_DIST_ENC_KEY
;
1035 skb_pull(skb
, sizeof(*rp
));
1038 authenticated
= (hcon
->sec_level
== BT_SECURITY_HIGH
);
1039 ltk
= hci_add_ltk(hdev
, &hcon
->dst
, hcon
->dst_type
, SMP_LTK
,
1040 authenticated
, smp
->tk
, smp
->enc_key_size
,
1041 rp
->ediv
, rp
->rand
);
1043 if (!(smp
->remote_key_dist
& SMP_DIST_ID_KEY
))
1044 smp_distribute_keys(conn
);
1045 hci_dev_unlock(hdev
);
1050 static int smp_cmd_ident_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1052 struct smp_cmd_ident_info
*info
= (void *) skb
->data
;
1053 struct smp_chan
*smp
= conn
->smp_chan
;
1057 if (skb
->len
< sizeof(*info
))
1058 return SMP_INVALID_PARAMS
;
1060 /* Ignore this PDU if it wasn't requested */
1061 if (!(smp
->remote_key_dist
& SMP_DIST_ID_KEY
))
1064 skb_pull(skb
, sizeof(*info
));
1066 memcpy(smp
->irk
, info
->irk
, 16);
1071 static int smp_cmd_ident_addr_info(struct l2cap_conn
*conn
,
1072 struct sk_buff
*skb
)
1074 struct smp_cmd_ident_addr_info
*info
= (void *) skb
->data
;
1075 struct smp_chan
*smp
= conn
->smp_chan
;
1076 struct hci_conn
*hcon
= conn
->hcon
;
1081 if (skb
->len
< sizeof(*info
))
1082 return SMP_INVALID_PARAMS
;
1084 /* Ignore this PDU if it wasn't requested */
1085 if (!(smp
->remote_key_dist
& SMP_DIST_ID_KEY
))
1088 /* Mark the information as received */
1089 smp
->remote_key_dist
&= ~SMP_DIST_ID_KEY
;
1091 skb_pull(skb
, sizeof(*info
));
1093 hci_dev_lock(hcon
->hdev
);
1095 /* Strictly speaking the Core Specification (4.1) allows sending
1096 * an empty address which would force us to rely on just the IRK
1097 * as "identity information". However, since such
1098 * implementations are not known of and in order to not over
1099 * complicate our implementation, simply pretend that we never
1100 * received an IRK for such a device.
1102 if (!bacmp(&info
->bdaddr
, BDADDR_ANY
)) {
1103 BT_ERR("Ignoring IRK with no identity address");
1107 bacpy(&smp
->id_addr
, &info
->bdaddr
);
1108 smp
->id_addr_type
= info
->addr_type
;
1110 if (hci_bdaddr_is_rpa(&hcon
->dst
, hcon
->dst_type
))
1111 bacpy(&rpa
, &hcon
->dst
);
1113 bacpy(&rpa
, BDADDR_ANY
);
1115 smp
->remote_irk
= hci_add_irk(conn
->hcon
->hdev
, &smp
->id_addr
,
1116 smp
->id_addr_type
, smp
->irk
, &rpa
);
1119 smp_distribute_keys(conn
);
1121 hci_dev_unlock(hcon
->hdev
);
1126 static int smp_cmd_sign_info(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1128 struct smp_cmd_sign_info
*rp
= (void *) skb
->data
;
1129 struct smp_chan
*smp
= conn
->smp_chan
;
1130 struct hci_dev
*hdev
= conn
->hcon
->hdev
;
1131 struct smp_csrk
*csrk
;
1133 BT_DBG("conn %p", conn
);
1135 if (skb
->len
< sizeof(*rp
))
1136 return SMP_INVALID_PARAMS
;
1138 /* Ignore this PDU if it wasn't requested */
1139 if (!(smp
->remote_key_dist
& SMP_DIST_SIGN
))
1142 /* Mark the information as received */
1143 smp
->remote_key_dist
&= ~SMP_DIST_SIGN
;
1145 skb_pull(skb
, sizeof(*rp
));
1148 csrk
= kzalloc(sizeof(*csrk
), GFP_KERNEL
);
1150 csrk
->master
= 0x01;
1151 memcpy(csrk
->val
, rp
->csrk
, sizeof(csrk
->val
));
1154 if (!(smp
->remote_key_dist
& SMP_DIST_SIGN
))
1155 smp_distribute_keys(conn
);
1156 hci_dev_unlock(hdev
);
1161 int smp_sig_channel(struct l2cap_conn
*conn
, struct sk_buff
*skb
)
1163 struct hci_conn
*hcon
= conn
->hcon
;
1167 if (hcon
->type
!= LE_LINK
) {
1177 if (!test_bit(HCI_LE_ENABLED
, &hcon
->hdev
->dev_flags
)) {
1179 reason
= SMP_PAIRING_NOTSUPP
;
1183 code
= skb
->data
[0];
1184 skb_pull(skb
, sizeof(code
));
1187 * The SMP context must be initialized for all other PDUs except
1188 * pairing and security requests. If we get any other PDU when
1189 * not initialized simply disconnect (done if this function
1190 * returns an error).
1192 if (code
!= SMP_CMD_PAIRING_REQ
&& code
!= SMP_CMD_SECURITY_REQ
&&
1194 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code
);
1200 case SMP_CMD_PAIRING_REQ
:
1201 reason
= smp_cmd_pairing_req(conn
, skb
);
1204 case SMP_CMD_PAIRING_FAIL
:
1205 smp_failure(conn
, 0);
1210 case SMP_CMD_PAIRING_RSP
:
1211 reason
= smp_cmd_pairing_rsp(conn
, skb
);
1214 case SMP_CMD_SECURITY_REQ
:
1215 reason
= smp_cmd_security_req(conn
, skb
);
1218 case SMP_CMD_PAIRING_CONFIRM
:
1219 reason
= smp_cmd_pairing_confirm(conn
, skb
);
1222 case SMP_CMD_PAIRING_RANDOM
:
1223 reason
= smp_cmd_pairing_random(conn
, skb
);
1226 case SMP_CMD_ENCRYPT_INFO
:
1227 reason
= smp_cmd_encrypt_info(conn
, skb
);
1230 case SMP_CMD_MASTER_IDENT
:
1231 reason
= smp_cmd_master_ident(conn
, skb
);
1234 case SMP_CMD_IDENT_INFO
:
1235 reason
= smp_cmd_ident_info(conn
, skb
);
1238 case SMP_CMD_IDENT_ADDR_INFO
:
1239 reason
= smp_cmd_ident_addr_info(conn
, skb
);
1242 case SMP_CMD_SIGN_INFO
:
1243 reason
= smp_cmd_sign_info(conn
, skb
);
1247 BT_DBG("Unknown command code 0x%2.2x", code
);
1249 reason
= SMP_CMD_NOTSUPP
;
1256 smp_failure(conn
, reason
);
1262 static void smp_notify_keys(struct l2cap_conn
*conn
)
1264 struct smp_chan
*smp
= conn
->smp_chan
;
1265 struct hci_conn
*hcon
= conn
->hcon
;
1266 struct hci_dev
*hdev
= hcon
->hdev
;
1267 struct smp_cmd_pairing
*req
= (void *) &smp
->preq
[1];
1268 struct smp_cmd_pairing
*rsp
= (void *) &smp
->prsp
[1];
1271 if (smp
->remote_irk
) {
1272 mgmt_new_irk(hdev
, smp
->remote_irk
);
1273 /* Now that user space can be considered to know the
1274 * identity address track the connection based on it
1277 bacpy(&hcon
->dst
, &smp
->remote_irk
->bdaddr
);
1278 hcon
->dst_type
= smp
->remote_irk
->addr_type
;
1279 l2cap_conn_update_id_addr(hcon
);
1282 /* The LTKs and CSRKs should be persistent only if both sides
1283 * had the bonding bit set in their authentication requests.
1285 persistent
= !!((req
->auth_req
& rsp
->auth_req
) & SMP_AUTH_BONDING
);
1288 smp
->csrk
->bdaddr_type
= hcon
->dst_type
;
1289 bacpy(&smp
->csrk
->bdaddr
, &hcon
->dst
);
1290 mgmt_new_csrk(hdev
, smp
->csrk
, persistent
);
1293 if (smp
->slave_csrk
) {
1294 smp
->slave_csrk
->bdaddr_type
= hcon
->dst_type
;
1295 bacpy(&smp
->slave_csrk
->bdaddr
, &hcon
->dst
);
1296 mgmt_new_csrk(hdev
, smp
->slave_csrk
, persistent
);
1300 smp
->ltk
->bdaddr_type
= hcon
->dst_type
;
1301 bacpy(&smp
->ltk
->bdaddr
, &hcon
->dst
);
1302 mgmt_new_ltk(hdev
, smp
->ltk
, persistent
);
1305 if (smp
->slave_ltk
) {
1306 smp
->slave_ltk
->bdaddr_type
= hcon
->dst_type
;
1307 bacpy(&smp
->slave_ltk
->bdaddr
, &hcon
->dst
);
1308 mgmt_new_ltk(hdev
, smp
->slave_ltk
, persistent
);
1312 int smp_distribute_keys(struct l2cap_conn
*conn
)
1314 struct smp_cmd_pairing
*req
, *rsp
;
1315 struct smp_chan
*smp
= conn
->smp_chan
;
1316 struct hci_conn
*hcon
= conn
->hcon
;
1317 struct hci_dev
*hdev
= hcon
->hdev
;
1320 BT_DBG("conn %p", conn
);
1322 if (!test_bit(HCI_CONN_LE_SMP_PEND
, &hcon
->flags
))
1325 rsp
= (void *) &smp
->prsp
[1];
1327 /* The responder sends its keys first */
1328 if (hcon
->out
&& (smp
->remote_key_dist
& 0x07))
1331 req
= (void *) &smp
->preq
[1];
1334 keydist
= &rsp
->init_key_dist
;
1335 *keydist
&= req
->init_key_dist
;
1337 keydist
= &rsp
->resp_key_dist
;
1338 *keydist
&= req
->resp_key_dist
;
1341 BT_DBG("keydist 0x%x", *keydist
);
1343 if (*keydist
& SMP_DIST_ENC_KEY
) {
1344 struct smp_cmd_encrypt_info enc
;
1345 struct smp_cmd_master_ident ident
;
1346 struct smp_ltk
*ltk
;
1351 get_random_bytes(enc
.ltk
, sizeof(enc
.ltk
));
1352 get_random_bytes(&ediv
, sizeof(ediv
));
1353 get_random_bytes(&rand
, sizeof(rand
));
1355 smp_send_cmd(conn
, SMP_CMD_ENCRYPT_INFO
, sizeof(enc
), &enc
);
1357 authenticated
= hcon
->sec_level
== BT_SECURITY_HIGH
;
1358 ltk
= hci_add_ltk(hdev
, &hcon
->dst
, hcon
->dst_type
,
1359 SMP_LTK_SLAVE
, authenticated
, enc
.ltk
,
1360 smp
->enc_key_size
, ediv
, rand
);
1361 smp
->slave_ltk
= ltk
;
1366 smp_send_cmd(conn
, SMP_CMD_MASTER_IDENT
, sizeof(ident
), &ident
);
1368 *keydist
&= ~SMP_DIST_ENC_KEY
;
1371 if (*keydist
& SMP_DIST_ID_KEY
) {
1372 struct smp_cmd_ident_addr_info addrinfo
;
1373 struct smp_cmd_ident_info idinfo
;
1375 memcpy(idinfo
.irk
, hdev
->irk
, sizeof(idinfo
.irk
));
1377 smp_send_cmd(conn
, SMP_CMD_IDENT_INFO
, sizeof(idinfo
), &idinfo
);
1379 /* The hci_conn contains the local identity address
1380 * after the connection has been established.
1382 * This is true even when the connection has been
1383 * established using a resolvable random address.
1385 bacpy(&addrinfo
.bdaddr
, &hcon
->src
);
1386 addrinfo
.addr_type
= hcon
->src_type
;
1388 smp_send_cmd(conn
, SMP_CMD_IDENT_ADDR_INFO
, sizeof(addrinfo
),
1391 *keydist
&= ~SMP_DIST_ID_KEY
;
1394 if (*keydist
& SMP_DIST_SIGN
) {
1395 struct smp_cmd_sign_info sign
;
1396 struct smp_csrk
*csrk
;
1398 /* Generate a new random key */
1399 get_random_bytes(sign
.csrk
, sizeof(sign
.csrk
));
1401 csrk
= kzalloc(sizeof(*csrk
), GFP_KERNEL
);
1403 csrk
->master
= 0x00;
1404 memcpy(csrk
->val
, sign
.csrk
, sizeof(csrk
->val
));
1406 smp
->slave_csrk
= csrk
;
1408 smp_send_cmd(conn
, SMP_CMD_SIGN_INFO
, sizeof(sign
), &sign
);
1410 *keydist
&= ~SMP_DIST_SIGN
;
1413 /* If there are still keys to be received wait for them */
1414 if ((smp
->remote_key_dist
& 0x07))
1417 clear_bit(HCI_CONN_LE_SMP_PEND
, &hcon
->flags
);
1418 cancel_delayed_work_sync(&conn
->security_timer
);
1419 set_bit(SMP_FLAG_COMPLETE
, &smp
->flags
);
1420 smp_notify_keys(conn
);
1422 smp_chan_destroy(conn
);