]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - net/bluetooth/smp.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Add support for SC just-works pairing
[mirror_ubuntu-artful-kernel.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "ecc.h"
33 #include "smp.h"
34
35 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
36
37 /* Keys which are not distributed with Secure Connections */
38 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
39
40 #define SMP_TIMEOUT msecs_to_jiffies(30000)
41
42 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
43 0x1f : 0x07)
44 #define KEY_DIST_MASK 0x07
45
46 /* Maximum message length that can be passed to aes_cmac */
47 #define CMAC_MSG_MAX 80
48
49 enum {
50 SMP_FLAG_TK_VALID,
51 SMP_FLAG_CFM_PENDING,
52 SMP_FLAG_MITM_AUTH,
53 SMP_FLAG_COMPLETE,
54 SMP_FLAG_INITIATOR,
55 SMP_FLAG_SC,
56 SMP_FLAG_REMOTE_PK,
57 SMP_FLAG_DEBUG_KEY,
58 };
59
60 struct smp_chan {
61 struct l2cap_conn *conn;
62 struct delayed_work security_timer;
63 unsigned long allow_cmd; /* Bitmask of allowed commands */
64
65 u8 preq[7]; /* SMP Pairing Request */
66 u8 prsp[7]; /* SMP Pairing Response */
67 u8 prnd[16]; /* SMP Pairing Random (local) */
68 u8 rrnd[16]; /* SMP Pairing Random (remote) */
69 u8 pcnf[16]; /* SMP Pairing Confirm */
70 u8 tk[16]; /* SMP Temporary Key */
71 u8 enc_key_size;
72 u8 remote_key_dist;
73 bdaddr_t id_addr;
74 u8 id_addr_type;
75 u8 irk[16];
76 struct smp_csrk *csrk;
77 struct smp_csrk *slave_csrk;
78 struct smp_ltk *ltk;
79 struct smp_ltk *slave_ltk;
80 struct smp_irk *remote_irk;
81 u8 *link_key;
82 unsigned long flags;
83 u8 method;
84
85 /* Secure Connections variables */
86 u8 local_pk[64];
87 u8 local_sk[32];
88 u8 remote_pk[64];
89 u8 dhkey[32];
90 u8 mackey[16];
91
92 struct crypto_blkcipher *tfm_aes;
93 struct crypto_hash *tfm_cmac;
94 };
95
96 /* These debug key values are defined in the SMP section of the core
97 * specification. debug_pk is the public debug key and debug_sk the
98 * private debug key.
99 */
100 static const u8 debug_pk[64] = {
101 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
102 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
103 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
104 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
105
106 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
107 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
108 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
109 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
110 };
111
112 static const u8 debug_sk[32] = {
113 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
114 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
115 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
116 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
117 };
118
119 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
120 {
121 size_t i;
122
123 for (i = 0; i < len; i++)
124 dst[len - 1 - i] = src[i];
125 }
126
127 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
128 size_t len, u8 mac[16])
129 {
130 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
131 struct hash_desc desc;
132 struct scatterlist sg;
133 int err;
134
135 if (len > CMAC_MSG_MAX)
136 return -EFBIG;
137
138 if (!tfm) {
139 BT_ERR("tfm %p", tfm);
140 return -EINVAL;
141 }
142
143 desc.tfm = tfm;
144 desc.flags = 0;
145
146 crypto_hash_init(&desc);
147
148 /* Swap key and message from LSB to MSB */
149 swap_buf(k, tmp, 16);
150 swap_buf(m, msg_msb, len);
151
152 BT_DBG("msg (len %zu) %*phN", len, (int) len, m);
153 BT_DBG("key %16phN", k);
154
155 err = crypto_hash_setkey(tfm, tmp, 16);
156 if (err) {
157 BT_ERR("cipher setkey failed: %d", err);
158 return err;
159 }
160
161 sg_init_one(&sg, msg_msb, len);
162
163 err = crypto_hash_update(&desc, &sg, len);
164 if (err) {
165 BT_ERR("Hash update error %d", err);
166 return err;
167 }
168
169 err = crypto_hash_final(&desc, mac_msb);
170 if (err) {
171 BT_ERR("Hash final error %d", err);
172 return err;
173 }
174
175 swap_buf(mac_msb, mac, 16);
176
177 BT_DBG("mac %16phN", mac);
178
179 return 0;
180 }
181
182 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
183 const u8 x[16], u8 z, u8 res[16])
184 {
185 u8 m[65];
186 int err;
187
188 BT_DBG("u %32phN", u);
189 BT_DBG("v %32phN", v);
190 BT_DBG("x %16phN z %02x", x, z);
191
192 m[0] = z;
193 memcpy(m + 1, v, 32);
194 memcpy(m + 33, u, 32);
195
196 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
197 if (err)
198 return err;
199
200 BT_DBG("res %16phN", res);
201
202 return err;
203 }
204
205 static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
206 u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
207 {
208 /* The btle, salt and length "magic" values are as defined in
209 * the SMP section of the Bluetooth core specification. In ASCII
210 * the btle value ends up being 'btle'. The salt is just a
211 * random number whereas length is the value 256 in little
212 * endian format.
213 */
214 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
215 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
216 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
217 const u8 length[2] = { 0x00, 0x01 };
218 u8 m[53], t[16];
219 int err;
220
221 BT_DBG("w %32phN", w);
222 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
223 BT_DBG("a1 %7phN a2 %7phN", a1, a2);
224
225 err = aes_cmac(tfm_cmac, salt, w, 32, t);
226 if (err)
227 return err;
228
229 BT_DBG("t %16phN", t);
230
231 memcpy(m, length, 2);
232 memcpy(m + 2, a2, 7);
233 memcpy(m + 9, a1, 7);
234 memcpy(m + 16, n2, 16);
235 memcpy(m + 32, n1, 16);
236 memcpy(m + 48, btle, 4);
237
238 m[52] = 0; /* Counter */
239
240 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
241 if (err)
242 return err;
243
244 BT_DBG("mackey %16phN", mackey);
245
246 m[52] = 1; /* Counter */
247
248 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
249 if (err)
250 return err;
251
252 BT_DBG("ltk %16phN", ltk);
253
254 return 0;
255 }
256
257 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
258 const u8 n1[16], u8 n2[16], const u8 r[16],
259 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
260 u8 res[16])
261 {
262 u8 m[65];
263 int err;
264
265 BT_DBG("w %16phN", w);
266 BT_DBG("n1 %16phN n2 %16phN", n1, n2);
267 BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
268
269 memcpy(m, a2, 7);
270 memcpy(m + 7, a1, 7);
271 memcpy(m + 14, io_cap, 3);
272 memcpy(m + 17, r, 16);
273 memcpy(m + 33, n2, 16);
274 memcpy(m + 49, n1, 16);
275
276 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
277 if (err)
278 return err;
279
280 BT_DBG("res %16phN", res);
281
282 return err;
283 }
284
285 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
286 const u8 x[16], const u8 y[16], u32 *val)
287 {
288 u8 m[80], tmp[16];
289 int err;
290
291 BT_DBG("u %32phN", u);
292 BT_DBG("v %32phN", v);
293 BT_DBG("x %16phN y %16phN", x, y);
294
295 memcpy(m, y, 16);
296 memcpy(m + 16, v, 32);
297 memcpy(m + 48, u, 32);
298
299 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
300 if (err)
301 return err;
302
303 *val = get_unaligned_le32(tmp);
304 *val %= 1000000;
305
306 BT_DBG("val %06u", *val);
307
308 return 0;
309 }
310
311 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
312 {
313 struct blkcipher_desc desc;
314 struct scatterlist sg;
315 uint8_t tmp[16], data[16];
316 int err;
317
318 if (tfm == NULL) {
319 BT_ERR("tfm %p", tfm);
320 return -EINVAL;
321 }
322
323 desc.tfm = tfm;
324 desc.flags = 0;
325
326 /* The most significant octet of key corresponds to k[0] */
327 swap_buf(k, tmp, 16);
328
329 err = crypto_blkcipher_setkey(tfm, tmp, 16);
330 if (err) {
331 BT_ERR("cipher setkey failed: %d", err);
332 return err;
333 }
334
335 /* Most significant octet of plaintextData corresponds to data[0] */
336 swap_buf(r, data, 16);
337
338 sg_init_one(&sg, data, 16);
339
340 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
341 if (err)
342 BT_ERR("Encrypt data error %d", err);
343
344 /* Most significant octet of encryptedData corresponds to data[0] */
345 swap_buf(data, r, 16);
346
347 return err;
348 }
349
350 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
351 const u8 key_id[4], u8 res[16])
352 {
353 int err;
354
355 BT_DBG("w %16phN key_id %4phN", w, key_id);
356
357 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
358 if (err)
359 return err;
360
361 BT_DBG("res %16phN", res);
362
363 return err;
364 }
365
366 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
367 {
368 u8 _res[16];
369 int err;
370
371 /* r' = padding || r */
372 memcpy(_res, r, 3);
373 memset(_res + 3, 0, 13);
374
375 err = smp_e(tfm, irk, _res);
376 if (err) {
377 BT_ERR("Encrypt error");
378 return err;
379 }
380
381 /* The output of the random address function ah is:
382 * ah(h, r) = e(k, r') mod 2^24
383 * The output of the security function e is then truncated to 24 bits
384 * by taking the least significant 24 bits of the output of e as the
385 * result of ah.
386 */
387 memcpy(res, _res, 3);
388
389 return 0;
390 }
391
392 bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
393 {
394 struct l2cap_chan *chan = hdev->smp_data;
395 struct crypto_blkcipher *tfm;
396 u8 hash[3];
397 int err;
398
399 if (!chan || !chan->data)
400 return false;
401
402 tfm = chan->data;
403
404 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
405
406 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
407 if (err)
408 return false;
409
410 return !memcmp(bdaddr->b, hash, 3);
411 }
412
413 int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
414 {
415 struct l2cap_chan *chan = hdev->smp_data;
416 struct crypto_blkcipher *tfm;
417 int err;
418
419 if (!chan || !chan->data)
420 return -EOPNOTSUPP;
421
422 tfm = chan->data;
423
424 get_random_bytes(&rpa->b[3], 3);
425
426 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
427 rpa->b[5] |= 0x40; /* Set second most significant bit */
428
429 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
430 if (err < 0)
431 return err;
432
433 BT_DBG("RPA %pMR", rpa);
434
435 return 0;
436 }
437
438 static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
439 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
440 bdaddr_t *ra, u8 res[16])
441 {
442 u8 p1[16], p2[16];
443 int err;
444
445 memset(p1, 0, 16);
446
447 /* p1 = pres || preq || _rat || _iat */
448 p1[0] = _iat;
449 p1[1] = _rat;
450 memcpy(p1 + 2, preq, 7);
451 memcpy(p1 + 9, pres, 7);
452
453 /* p2 = padding || ia || ra */
454 memcpy(p2, ra, 6);
455 memcpy(p2 + 6, ia, 6);
456 memset(p2 + 12, 0, 4);
457
458 /* res = r XOR p1 */
459 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
460
461 /* res = e(k, res) */
462 err = smp_e(tfm_aes, k, res);
463 if (err) {
464 BT_ERR("Encrypt data error");
465 return err;
466 }
467
468 /* res = res XOR p2 */
469 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
470
471 /* res = e(k, res) */
472 err = smp_e(tfm_aes, k, res);
473 if (err)
474 BT_ERR("Encrypt data error");
475
476 return err;
477 }
478
479 static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
480 u8 r2[16], u8 _r[16])
481 {
482 int err;
483
484 /* Just least significant octets from r1 and r2 are considered */
485 memcpy(_r, r2, 8);
486 memcpy(_r + 8, r1, 8);
487
488 err = smp_e(tfm_aes, k, _r);
489 if (err)
490 BT_ERR("Encrypt data error");
491
492 return err;
493 }
494
495 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
496 {
497 struct l2cap_chan *chan = conn->smp;
498 struct smp_chan *smp;
499 struct kvec iv[2];
500 struct msghdr msg;
501
502 if (!chan)
503 return;
504
505 BT_DBG("code 0x%2.2x", code);
506
507 iv[0].iov_base = &code;
508 iv[0].iov_len = 1;
509
510 iv[1].iov_base = data;
511 iv[1].iov_len = len;
512
513 memset(&msg, 0, sizeof(msg));
514
515 msg.msg_iov = (struct iovec *) &iv;
516 msg.msg_iovlen = 2;
517
518 l2cap_chan_send(chan, &msg, 1 + len);
519
520 if (!chan->data)
521 return;
522
523 smp = chan->data;
524
525 cancel_delayed_work_sync(&smp->security_timer);
526 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
527 }
528
529 static u8 authreq_to_seclevel(u8 authreq)
530 {
531 if (authreq & SMP_AUTH_MITM) {
532 if (authreq & SMP_AUTH_SC)
533 return BT_SECURITY_FIPS;
534 else
535 return BT_SECURITY_HIGH;
536 } else {
537 return BT_SECURITY_MEDIUM;
538 }
539 }
540
541 static __u8 seclevel_to_authreq(__u8 sec_level)
542 {
543 switch (sec_level) {
544 case BT_SECURITY_FIPS:
545 case BT_SECURITY_HIGH:
546 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
547 case BT_SECURITY_MEDIUM:
548 return SMP_AUTH_BONDING;
549 default:
550 return SMP_AUTH_NONE;
551 }
552 }
553
554 static void build_pairing_cmd(struct l2cap_conn *conn,
555 struct smp_cmd_pairing *req,
556 struct smp_cmd_pairing *rsp, __u8 authreq)
557 {
558 struct l2cap_chan *chan = conn->smp;
559 struct smp_chan *smp = chan->data;
560 struct hci_conn *hcon = conn->hcon;
561 struct hci_dev *hdev = hcon->hdev;
562 u8 local_dist = 0, remote_dist = 0;
563
564 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
565 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
566 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
567 authreq |= SMP_AUTH_BONDING;
568 } else {
569 authreq &= ~SMP_AUTH_BONDING;
570 }
571
572 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
573 remote_dist |= SMP_DIST_ID_KEY;
574
575 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
576 local_dist |= SMP_DIST_ID_KEY;
577
578 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
579 if ((authreq & SMP_AUTH_SC) &&
580 test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
581 local_dist |= SMP_DIST_LINK_KEY;
582 remote_dist |= SMP_DIST_LINK_KEY;
583 }
584 } else {
585 authreq &= ~SMP_AUTH_SC;
586 }
587
588 if (rsp == NULL) {
589 req->io_capability = conn->hcon->io_capability;
590 req->oob_flag = SMP_OOB_NOT_PRESENT;
591 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
592 req->init_key_dist = local_dist;
593 req->resp_key_dist = remote_dist;
594 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
595
596 smp->remote_key_dist = remote_dist;
597 return;
598 }
599
600 rsp->io_capability = conn->hcon->io_capability;
601 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
602 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
603 rsp->init_key_dist = req->init_key_dist & remote_dist;
604 rsp->resp_key_dist = req->resp_key_dist & local_dist;
605 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
606
607 smp->remote_key_dist = rsp->init_key_dist;
608 }
609
610 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
611 {
612 struct l2cap_chan *chan = conn->smp;
613 struct smp_chan *smp = chan->data;
614
615 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
616 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
617 return SMP_ENC_KEY_SIZE;
618
619 smp->enc_key_size = max_key_size;
620
621 return 0;
622 }
623
624 static void smp_chan_destroy(struct l2cap_conn *conn)
625 {
626 struct l2cap_chan *chan = conn->smp;
627 struct smp_chan *smp = chan->data;
628 bool complete;
629
630 BUG_ON(!smp);
631
632 cancel_delayed_work_sync(&smp->security_timer);
633
634 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
635 mgmt_smp_complete(conn->hcon, complete);
636
637 kfree(smp->csrk);
638 kfree(smp->slave_csrk);
639 kfree(smp->link_key);
640
641 crypto_free_blkcipher(smp->tfm_aes);
642 crypto_free_hash(smp->tfm_cmac);
643
644 /* If pairing failed clean up any keys we might have */
645 if (!complete) {
646 if (smp->ltk) {
647 list_del_rcu(&smp->ltk->list);
648 kfree_rcu(smp->ltk, rcu);
649 }
650
651 if (smp->slave_ltk) {
652 list_del_rcu(&smp->slave_ltk->list);
653 kfree_rcu(smp->slave_ltk, rcu);
654 }
655
656 if (smp->remote_irk) {
657 list_del_rcu(&smp->remote_irk->list);
658 kfree_rcu(smp->remote_irk, rcu);
659 }
660 }
661
662 chan->data = NULL;
663 kfree(smp);
664 hci_conn_drop(conn->hcon);
665 }
666
667 static void smp_failure(struct l2cap_conn *conn, u8 reason)
668 {
669 struct hci_conn *hcon = conn->hcon;
670 struct l2cap_chan *chan = conn->smp;
671
672 if (reason)
673 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
674 &reason);
675
676 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
677 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
678
679 if (chan->data)
680 smp_chan_destroy(conn);
681 }
682
683 #define JUST_WORKS 0x00
684 #define JUST_CFM 0x01
685 #define REQ_PASSKEY 0x02
686 #define CFM_PASSKEY 0x03
687 #define REQ_OOB 0x04
688 #define DSP_PASSKEY 0x05
689 #define OVERLAP 0xFF
690
691 static const u8 gen_method[5][5] = {
692 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
693 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
694 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
695 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
696 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
697 };
698
699 static const u8 sc_method[5][5] = {
700 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
701 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
702 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
703 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
704 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
705 };
706
707 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
708 {
709 /* If either side has unknown io_caps, use JUST_CFM (which gets
710 * converted later to JUST_WORKS if we're initiators.
711 */
712 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
713 remote_io > SMP_IO_KEYBOARD_DISPLAY)
714 return JUST_CFM;
715
716 if (test_bit(SMP_FLAG_SC, &smp->flags))
717 return sc_method[remote_io][local_io];
718
719 return gen_method[remote_io][local_io];
720 }
721
722 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
723 u8 local_io, u8 remote_io)
724 {
725 struct hci_conn *hcon = conn->hcon;
726 struct l2cap_chan *chan = conn->smp;
727 struct smp_chan *smp = chan->data;
728 u32 passkey = 0;
729 int ret = 0;
730
731 /* Initialize key for JUST WORKS */
732 memset(smp->tk, 0, sizeof(smp->tk));
733 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
734
735 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
736
737 /* If neither side wants MITM, either "just" confirm an incoming
738 * request or use just-works for outgoing ones. The JUST_CFM
739 * will be converted to JUST_WORKS if necessary later in this
740 * function. If either side has MITM look up the method from the
741 * table.
742 */
743 if (!(auth & SMP_AUTH_MITM))
744 smp->method = JUST_CFM;
745 else
746 smp->method = get_auth_method(smp, local_io, remote_io);
747
748 /* Don't confirm locally initiated pairing attempts */
749 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
750 &smp->flags))
751 smp->method = JUST_WORKS;
752
753 /* Don't bother user space with no IO capabilities */
754 if (smp->method == JUST_CFM &&
755 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
756 smp->method = JUST_WORKS;
757
758 /* If Just Works, Continue with Zero TK */
759 if (smp->method == JUST_WORKS) {
760 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
761 return 0;
762 }
763
764 /* Not Just Works/Confirm results in MITM Authentication */
765 if (smp->method != JUST_CFM) {
766 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
767 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
768 hcon->pending_sec_level = BT_SECURITY_HIGH;
769 }
770
771 /* If both devices have Keyoard-Display I/O, the master
772 * Confirms and the slave Enters the passkey.
773 */
774 if (smp->method == OVERLAP) {
775 if (hcon->role == HCI_ROLE_MASTER)
776 smp->method = CFM_PASSKEY;
777 else
778 smp->method = REQ_PASSKEY;
779 }
780
781 /* Generate random passkey. */
782 if (smp->method == CFM_PASSKEY) {
783 memset(smp->tk, 0, sizeof(smp->tk));
784 get_random_bytes(&passkey, sizeof(passkey));
785 passkey %= 1000000;
786 put_unaligned_le32(passkey, smp->tk);
787 BT_DBG("PassKey: %d", passkey);
788 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
789 }
790
791 if (smp->method == REQ_PASSKEY)
792 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
793 hcon->type, hcon->dst_type);
794 else if (smp->method == JUST_CFM)
795 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
796 hcon->type, hcon->dst_type,
797 passkey, 1);
798 else
799 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
800 hcon->type, hcon->dst_type,
801 passkey, 0);
802
803 return ret;
804 }
805
806 static u8 smp_confirm(struct smp_chan *smp)
807 {
808 struct l2cap_conn *conn = smp->conn;
809 struct smp_cmd_pairing_confirm cp;
810 int ret;
811
812 BT_DBG("conn %p", conn);
813
814 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
815 conn->hcon->init_addr_type, &conn->hcon->init_addr,
816 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
817 cp.confirm_val);
818 if (ret)
819 return SMP_UNSPECIFIED;
820
821 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
822
823 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
824
825 if (conn->hcon->out)
826 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
827 else
828 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
829
830 return 0;
831 }
832
833 static u8 smp_random(struct smp_chan *smp)
834 {
835 struct l2cap_conn *conn = smp->conn;
836 struct hci_conn *hcon = conn->hcon;
837 u8 confirm[16];
838 int ret;
839
840 if (IS_ERR_OR_NULL(smp->tfm_aes))
841 return SMP_UNSPECIFIED;
842
843 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
844
845 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
846 hcon->init_addr_type, &hcon->init_addr,
847 hcon->resp_addr_type, &hcon->resp_addr, confirm);
848 if (ret)
849 return SMP_UNSPECIFIED;
850
851 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
852 BT_ERR("Pairing failed (confirmation values mismatch)");
853 return SMP_CONFIRM_FAILED;
854 }
855
856 if (hcon->out) {
857 u8 stk[16];
858 __le64 rand = 0;
859 __le16 ediv = 0;
860
861 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
862
863 memset(stk + smp->enc_key_size, 0,
864 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
865
866 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
867 return SMP_UNSPECIFIED;
868
869 hci_le_start_enc(hcon, ediv, rand, stk);
870 hcon->enc_key_size = smp->enc_key_size;
871 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
872 } else {
873 u8 stk[16], auth;
874 __le64 rand = 0;
875 __le16 ediv = 0;
876
877 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
878 smp->prnd);
879
880 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
881
882 memset(stk + smp->enc_key_size, 0,
883 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
884
885 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
886 auth = 1;
887 else
888 auth = 0;
889
890 /* Even though there's no _SLAVE suffix this is the
891 * slave STK we're adding for later lookup (the master
892 * STK never needs to be stored).
893 */
894 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
895 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
896 }
897
898 return 0;
899 }
900
901 static void smp_notify_keys(struct l2cap_conn *conn)
902 {
903 struct l2cap_chan *chan = conn->smp;
904 struct smp_chan *smp = chan->data;
905 struct hci_conn *hcon = conn->hcon;
906 struct hci_dev *hdev = hcon->hdev;
907 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
908 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
909 bool persistent;
910
911 if (smp->remote_irk) {
912 mgmt_new_irk(hdev, smp->remote_irk);
913 /* Now that user space can be considered to know the
914 * identity address track the connection based on it
915 * from now on.
916 */
917 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
918 hcon->dst_type = smp->remote_irk->addr_type;
919 queue_work(hdev->workqueue, &conn->id_addr_update_work);
920
921 /* When receiving an indentity resolving key for
922 * a remote device that does not use a resolvable
923 * private address, just remove the key so that
924 * it is possible to use the controller white
925 * list for scanning.
926 *
927 * Userspace will have been told to not store
928 * this key at this point. So it is safe to
929 * just remove it.
930 */
931 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
932 list_del_rcu(&smp->remote_irk->list);
933 kfree_rcu(smp->remote_irk, rcu);
934 smp->remote_irk = NULL;
935 }
936 }
937
938 /* The LTKs and CSRKs should be persistent only if both sides
939 * had the bonding bit set in their authentication requests.
940 */
941 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
942
943 if (smp->csrk) {
944 smp->csrk->bdaddr_type = hcon->dst_type;
945 bacpy(&smp->csrk->bdaddr, &hcon->dst);
946 mgmt_new_csrk(hdev, smp->csrk, persistent);
947 }
948
949 if (smp->slave_csrk) {
950 smp->slave_csrk->bdaddr_type = hcon->dst_type;
951 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
952 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
953 }
954
955 if (smp->ltk) {
956 smp->ltk->bdaddr_type = hcon->dst_type;
957 bacpy(&smp->ltk->bdaddr, &hcon->dst);
958 mgmt_new_ltk(hdev, smp->ltk, persistent);
959 }
960
961 if (smp->slave_ltk) {
962 smp->slave_ltk->bdaddr_type = hcon->dst_type;
963 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
964 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
965 }
966
967 if (smp->link_key) {
968 hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
969 smp->link_key, HCI_LK_AUTH_COMBINATION_P256,
970 0, NULL);
971 }
972 }
973
974 static void sc_generate_link_key(struct smp_chan *smp)
975 {
976 /* These constants are as specified in the core specification.
977 * In ASCII they spell out to 'tmp1' and 'lebr'.
978 */
979 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
980 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
981
982 smp->link_key = kzalloc(16, GFP_KERNEL);
983 if (!smp->link_key)
984 return;
985
986 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
987 kfree(smp->link_key);
988 smp->link_key = NULL;
989 return;
990 }
991
992 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
993 kfree(smp->link_key);
994 smp->link_key = NULL;
995 return;
996 }
997 }
998
999 static void smp_allow_key_dist(struct smp_chan *smp)
1000 {
1001 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1002 * will be allowed in each PDU handler to ensure we receive
1003 * them in the correct order.
1004 */
1005 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1006 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1007 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1008 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1009 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1010 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1011 }
1012
1013 static void smp_distribute_keys(struct smp_chan *smp)
1014 {
1015 struct smp_cmd_pairing *req, *rsp;
1016 struct l2cap_conn *conn = smp->conn;
1017 struct hci_conn *hcon = conn->hcon;
1018 struct hci_dev *hdev = hcon->hdev;
1019 __u8 *keydist;
1020
1021 BT_DBG("conn %p", conn);
1022
1023 rsp = (void *) &smp->prsp[1];
1024
1025 /* The responder sends its keys first */
1026 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1027 smp_allow_key_dist(smp);
1028 return;
1029 }
1030
1031 req = (void *) &smp->preq[1];
1032
1033 if (hcon->out) {
1034 keydist = &rsp->init_key_dist;
1035 *keydist &= req->init_key_dist;
1036 } else {
1037 keydist = &rsp->resp_key_dist;
1038 *keydist &= req->resp_key_dist;
1039 }
1040
1041 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1042 if (*keydist & SMP_DIST_LINK_KEY)
1043 sc_generate_link_key(smp);
1044
1045 /* Clear the keys which are generated but not distributed */
1046 *keydist &= ~SMP_SC_NO_DIST;
1047 }
1048
1049 BT_DBG("keydist 0x%x", *keydist);
1050
1051 if (*keydist & SMP_DIST_ENC_KEY) {
1052 struct smp_cmd_encrypt_info enc;
1053 struct smp_cmd_master_ident ident;
1054 struct smp_ltk *ltk;
1055 u8 authenticated;
1056 __le16 ediv;
1057 __le64 rand;
1058
1059 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1060 get_random_bytes(&ediv, sizeof(ediv));
1061 get_random_bytes(&rand, sizeof(rand));
1062
1063 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1064
1065 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1066 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1067 SMP_LTK_SLAVE, authenticated, enc.ltk,
1068 smp->enc_key_size, ediv, rand);
1069 smp->slave_ltk = ltk;
1070
1071 ident.ediv = ediv;
1072 ident.rand = rand;
1073
1074 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1075
1076 *keydist &= ~SMP_DIST_ENC_KEY;
1077 }
1078
1079 if (*keydist & SMP_DIST_ID_KEY) {
1080 struct smp_cmd_ident_addr_info addrinfo;
1081 struct smp_cmd_ident_info idinfo;
1082
1083 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1084
1085 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1086
1087 /* The hci_conn contains the local identity address
1088 * after the connection has been established.
1089 *
1090 * This is true even when the connection has been
1091 * established using a resolvable random address.
1092 */
1093 bacpy(&addrinfo.bdaddr, &hcon->src);
1094 addrinfo.addr_type = hcon->src_type;
1095
1096 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1097 &addrinfo);
1098
1099 *keydist &= ~SMP_DIST_ID_KEY;
1100 }
1101
1102 if (*keydist & SMP_DIST_SIGN) {
1103 struct smp_cmd_sign_info sign;
1104 struct smp_csrk *csrk;
1105
1106 /* Generate a new random key */
1107 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1108
1109 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1110 if (csrk) {
1111 csrk->master = 0x00;
1112 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1113 }
1114 smp->slave_csrk = csrk;
1115
1116 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1117
1118 *keydist &= ~SMP_DIST_SIGN;
1119 }
1120
1121 /* If there are still keys to be received wait for them */
1122 if (smp->remote_key_dist & KEY_DIST_MASK) {
1123 smp_allow_key_dist(smp);
1124 return;
1125 }
1126
1127 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1128 smp_notify_keys(conn);
1129
1130 smp_chan_destroy(conn);
1131 }
1132
1133 static void smp_timeout(struct work_struct *work)
1134 {
1135 struct smp_chan *smp = container_of(work, struct smp_chan,
1136 security_timer.work);
1137 struct l2cap_conn *conn = smp->conn;
1138
1139 BT_DBG("conn %p", conn);
1140
1141 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1142 }
1143
1144 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1145 {
1146 struct l2cap_chan *chan = conn->smp;
1147 struct smp_chan *smp;
1148
1149 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1150 if (!smp)
1151 return NULL;
1152
1153 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1154 if (IS_ERR(smp->tfm_aes)) {
1155 BT_ERR("Unable to create ECB crypto context");
1156 kfree(smp);
1157 return NULL;
1158 }
1159
1160 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1161 if (IS_ERR(smp->tfm_cmac)) {
1162 BT_ERR("Unable to create CMAC crypto context");
1163 crypto_free_blkcipher(smp->tfm_aes);
1164 kfree(smp);
1165 return NULL;
1166 }
1167
1168 smp->conn = conn;
1169 chan->data = smp;
1170
1171 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1172
1173 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1174
1175 hci_conn_hold(conn->hcon);
1176
1177 return smp;
1178 }
1179
1180 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1181 {
1182 struct hci_conn *hcon = smp->conn->hcon;
1183 u8 *na, *nb, a[7], b[7];
1184
1185 if (hcon->out) {
1186 na = smp->prnd;
1187 nb = smp->rrnd;
1188 } else {
1189 na = smp->rrnd;
1190 nb = smp->prnd;
1191 }
1192
1193 memcpy(a, &hcon->init_addr, 6);
1194 memcpy(b, &hcon->resp_addr, 6);
1195 a[6] = hcon->init_addr_type;
1196 b[6] = hcon->resp_addr_type;
1197
1198 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1199 }
1200
1201 static void sc_dhkey_check(struct smp_chan *smp, __le32 passkey)
1202 {
1203 struct hci_conn *hcon = smp->conn->hcon;
1204 struct smp_cmd_dhkey_check check;
1205 u8 a[7], b[7], *local_addr, *remote_addr;
1206 u8 io_cap[3], r[16];
1207
1208 memcpy(a, &hcon->init_addr, 6);
1209 memcpy(b, &hcon->resp_addr, 6);
1210 a[6] = hcon->init_addr_type;
1211 b[6] = hcon->resp_addr_type;
1212
1213 if (hcon->out) {
1214 local_addr = a;
1215 remote_addr = b;
1216 memcpy(io_cap, &smp->preq[1], 3);
1217 } else {
1218 local_addr = b;
1219 remote_addr = a;
1220 memcpy(io_cap, &smp->prsp[1], 3);
1221 }
1222
1223 memset(r, 0, sizeof(r));
1224
1225 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1226 memcpy(r, &passkey, sizeof(passkey));
1227
1228 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1229 local_addr, remote_addr, check.e);
1230
1231 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1232 }
1233
1234 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1235 {
1236 switch (mgmt_op) {
1237 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1238 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1239 return 0;
1240 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1241 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1242 return 0;
1243 }
1244
1245 sc_dhkey_check(smp, passkey);
1246
1247 return 0;
1248 }
1249
1250 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1251 {
1252 struct l2cap_conn *conn = hcon->l2cap_data;
1253 struct l2cap_chan *chan;
1254 struct smp_chan *smp;
1255 u32 value;
1256 int err;
1257
1258 BT_DBG("");
1259
1260 if (!conn)
1261 return -ENOTCONN;
1262
1263 chan = conn->smp;
1264 if (!chan)
1265 return -ENOTCONN;
1266
1267 l2cap_chan_lock(chan);
1268 if (!chan->data) {
1269 err = -ENOTCONN;
1270 goto unlock;
1271 }
1272
1273 smp = chan->data;
1274
1275 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1276 err = sc_user_reply(smp, mgmt_op, passkey);
1277 goto unlock;
1278 }
1279
1280 switch (mgmt_op) {
1281 case MGMT_OP_USER_PASSKEY_REPLY:
1282 value = le32_to_cpu(passkey);
1283 memset(smp->tk, 0, sizeof(smp->tk));
1284 BT_DBG("PassKey: %d", value);
1285 put_unaligned_le32(value, smp->tk);
1286 /* Fall Through */
1287 case MGMT_OP_USER_CONFIRM_REPLY:
1288 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1289 break;
1290 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1291 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1292 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1293 err = 0;
1294 goto unlock;
1295 default:
1296 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1297 err = -EOPNOTSUPP;
1298 goto unlock;
1299 }
1300
1301 err = 0;
1302
1303 /* If it is our turn to send Pairing Confirm, do so now */
1304 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1305 u8 rsp = smp_confirm(smp);
1306 if (rsp)
1307 smp_failure(conn, rsp);
1308 }
1309
1310 unlock:
1311 l2cap_chan_unlock(chan);
1312 return err;
1313 }
1314
1315 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1316 {
1317 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1318 struct l2cap_chan *chan = conn->smp;
1319 struct hci_dev *hdev = conn->hcon->hdev;
1320 struct smp_chan *smp;
1321 u8 key_size, auth, sec_level;
1322 int ret;
1323
1324 BT_DBG("conn %p", conn);
1325
1326 if (skb->len < sizeof(*req))
1327 return SMP_INVALID_PARAMS;
1328
1329 if (conn->hcon->role != HCI_ROLE_SLAVE)
1330 return SMP_CMD_NOTSUPP;
1331
1332 if (!chan->data)
1333 smp = smp_chan_create(conn);
1334 else
1335 smp = chan->data;
1336
1337 if (!smp)
1338 return SMP_UNSPECIFIED;
1339
1340 /* We didn't start the pairing, so match remote */
1341 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1342
1343 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1344 (auth & SMP_AUTH_BONDING))
1345 return SMP_PAIRING_NOTSUPP;
1346
1347 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1348 memcpy(&smp->preq[1], req, sizeof(*req));
1349 skb_pull(skb, sizeof(*req));
1350
1351 build_pairing_cmd(conn, req, &rsp, auth);
1352
1353 if (rsp.auth_req & SMP_AUTH_SC)
1354 set_bit(SMP_FLAG_SC, &smp->flags);
1355
1356 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1357 sec_level = BT_SECURITY_MEDIUM;
1358 else
1359 sec_level = authreq_to_seclevel(auth);
1360
1361 if (sec_level > conn->hcon->pending_sec_level)
1362 conn->hcon->pending_sec_level = sec_level;
1363
1364 /* If we need MITM check that it can be achieved */
1365 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1366 u8 method;
1367
1368 method = get_auth_method(smp, conn->hcon->io_capability,
1369 req->io_capability);
1370 if (method == JUST_WORKS || method == JUST_CFM)
1371 return SMP_AUTH_REQUIREMENTS;
1372 }
1373
1374 key_size = min(req->max_key_size, rsp.max_key_size);
1375 if (check_enc_key_size(conn, key_size))
1376 return SMP_ENC_KEY_SIZE;
1377
1378 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1379
1380 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1381 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1382
1383 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1384
1385 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1386
1387 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1388 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1389 /* Clear bits which are generated but not distributed */
1390 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1391 /* Wait for Public Key from Initiating Device */
1392 return 0;
1393 } else {
1394 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1395 }
1396
1397 /* Request setup of TK */
1398 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1399 if (ret)
1400 return SMP_UNSPECIFIED;
1401
1402 return 0;
1403 }
1404
1405 static u8 sc_send_public_key(struct smp_chan *smp)
1406 {
1407 BT_DBG("");
1408
1409 while (true) {
1410 /* Generate local key pair for Secure Connections */
1411 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1412 return SMP_UNSPECIFIED;
1413
1414 /* This is unlikely, but we need to check that we didn't
1415 * accidentially generate a debug key.
1416 */
1417 if (memcmp(smp->local_sk, debug_sk, 32))
1418 break;
1419 }
1420
1421 BT_DBG("Local Public Key X: %32phN", smp->local_pk);
1422 BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1423 BT_DBG("Local Private Key: %32phN", smp->local_sk);
1424
1425 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1426
1427 return 0;
1428 }
1429
1430 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1431 {
1432 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1433 struct l2cap_chan *chan = conn->smp;
1434 struct smp_chan *smp = chan->data;
1435 struct hci_dev *hdev = conn->hcon->hdev;
1436 u8 key_size, auth;
1437 int ret;
1438
1439 BT_DBG("conn %p", conn);
1440
1441 if (skb->len < sizeof(*rsp))
1442 return SMP_INVALID_PARAMS;
1443
1444 if (conn->hcon->role != HCI_ROLE_MASTER)
1445 return SMP_CMD_NOTSUPP;
1446
1447 skb_pull(skb, sizeof(*rsp));
1448
1449 req = (void *) &smp->preq[1];
1450
1451 key_size = min(req->max_key_size, rsp->max_key_size);
1452 if (check_enc_key_size(conn, key_size))
1453 return SMP_ENC_KEY_SIZE;
1454
1455 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1456
1457 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1458 set_bit(SMP_FLAG_SC, &smp->flags);
1459 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1460 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1461
1462 /* If we need MITM check that it can be achieved */
1463 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1464 u8 method;
1465
1466 method = get_auth_method(smp, req->io_capability,
1467 rsp->io_capability);
1468 if (method == JUST_WORKS || method == JUST_CFM)
1469 return SMP_AUTH_REQUIREMENTS;
1470 }
1471
1472 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1473
1474 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1475 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1476
1477 /* Update remote key distribution in case the remote cleared
1478 * some bits that we had enabled in our request.
1479 */
1480 smp->remote_key_dist &= rsp->resp_key_dist;
1481
1482 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1483 /* Clear bits which are generated but not distributed */
1484 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1485 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1486 return sc_send_public_key(smp);
1487 }
1488
1489 auth |= req->auth_req;
1490
1491 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1492 if (ret)
1493 return SMP_UNSPECIFIED;
1494
1495 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1496
1497 /* Can't compose response until we have been confirmed */
1498 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1499 return smp_confirm(smp);
1500
1501 return 0;
1502 }
1503
1504 static u8 sc_check_confirm(struct smp_chan *smp)
1505 {
1506 struct l2cap_conn *conn = smp->conn;
1507
1508 BT_DBG("");
1509
1510 /* Public Key exchange must happen before any other steps */
1511 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1512 return SMP_UNSPECIFIED;
1513
1514 if (conn->hcon->out) {
1515 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1516 smp->prnd);
1517 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1518 }
1519
1520 return 0;
1521 }
1522
1523 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1524 {
1525 struct l2cap_chan *chan = conn->smp;
1526 struct smp_chan *smp = chan->data;
1527
1528 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1529
1530 if (skb->len < sizeof(smp->pcnf))
1531 return SMP_INVALID_PARAMS;
1532
1533 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1534 skb_pull(skb, sizeof(smp->pcnf));
1535
1536 if (test_bit(SMP_FLAG_SC, &smp->flags))
1537 return sc_check_confirm(smp);
1538
1539 if (conn->hcon->out) {
1540 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1541 smp->prnd);
1542 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1543 return 0;
1544 }
1545
1546 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1547 return smp_confirm(smp);
1548 else
1549 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1550
1551 return 0;
1552 }
1553
1554 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1555 {
1556 struct l2cap_chan *chan = conn->smp;
1557 struct smp_chan *smp = chan->data;
1558 struct hci_conn *hcon = conn->hcon;
1559 u8 *pkax, *pkbx, *na, *nb;
1560 u32 passkey;
1561 int err;
1562
1563 BT_DBG("conn %p", conn);
1564
1565 if (skb->len < sizeof(smp->rrnd))
1566 return SMP_INVALID_PARAMS;
1567
1568 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1569 skb_pull(skb, sizeof(smp->rrnd));
1570
1571 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1572 return smp_random(smp);
1573
1574 if (hcon->out) {
1575 u8 cfm[16];
1576
1577 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1578 smp->rrnd, 0, cfm);
1579 if (err)
1580 return SMP_UNSPECIFIED;
1581
1582 if (memcmp(smp->pcnf, cfm, 16))
1583 return SMP_CONFIRM_FAILED;
1584
1585 pkax = smp->local_pk;
1586 pkbx = smp->remote_pk;
1587 na = smp->prnd;
1588 nb = smp->rrnd;
1589 } else {
1590 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1591 smp->prnd);
1592 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1593
1594 pkax = smp->remote_pk;
1595 pkbx = smp->local_pk;
1596 na = smp->rrnd;
1597 nb = smp->prnd;
1598 }
1599
1600 /* Generate MacKey and LTK */
1601 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1602 if (err)
1603 return SMP_UNSPECIFIED;
1604
1605 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
1606 if (err)
1607 return SMP_UNSPECIFIED;
1608
1609 if (smp->method == JUST_WORKS) {
1610 if (hcon->out) {
1611 sc_dhkey_check(smp, passkey);
1612 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1613 }
1614 return 0;
1615 }
1616
1617 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
1618 hcon->type, hcon->dst_type,
1619 passkey, 0);
1620 if (err)
1621 return SMP_UNSPECIFIED;
1622
1623 return 0;
1624 }
1625
1626 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1627 {
1628 struct smp_ltk *key;
1629 struct hci_conn *hcon = conn->hcon;
1630
1631 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1632 if (!key)
1633 return false;
1634
1635 if (smp_ltk_sec_level(key) < sec_level)
1636 return false;
1637
1638 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1639 return true;
1640
1641 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1642 hcon->enc_key_size = key->enc_size;
1643
1644 /* We never store STKs for master role, so clear this flag */
1645 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1646
1647 return true;
1648 }
1649
1650 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
1651 enum smp_key_pref key_pref)
1652 {
1653 if (sec_level == BT_SECURITY_LOW)
1654 return true;
1655
1656 /* If we're encrypted with an STK but the caller prefers using
1657 * LTK claim insufficient security. This way we allow the
1658 * connection to be re-encrypted with an LTK, even if the LTK
1659 * provides the same level of security. Only exception is if we
1660 * don't have an LTK (e.g. because of key distribution bits).
1661 */
1662 if (key_pref == SMP_USE_LTK &&
1663 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1664 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1665 return false;
1666
1667 if (hcon->sec_level >= sec_level)
1668 return true;
1669
1670 return false;
1671 }
1672
1673 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1674 {
1675 struct smp_cmd_security_req *rp = (void *) skb->data;
1676 struct smp_cmd_pairing cp;
1677 struct hci_conn *hcon = conn->hcon;
1678 struct hci_dev *hdev = hcon->hdev;
1679 struct smp_chan *smp;
1680 u8 sec_level, auth;
1681
1682 BT_DBG("conn %p", conn);
1683
1684 if (skb->len < sizeof(*rp))
1685 return SMP_INVALID_PARAMS;
1686
1687 if (hcon->role != HCI_ROLE_MASTER)
1688 return SMP_CMD_NOTSUPP;
1689
1690 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
1691
1692 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1693 sec_level = BT_SECURITY_MEDIUM;
1694 else
1695 sec_level = authreq_to_seclevel(auth);
1696
1697 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1698 return 0;
1699
1700 if (sec_level > hcon->pending_sec_level)
1701 hcon->pending_sec_level = sec_level;
1702
1703 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1704 return 0;
1705
1706 smp = smp_chan_create(conn);
1707 if (!smp)
1708 return SMP_UNSPECIFIED;
1709
1710 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
1711 (auth & SMP_AUTH_BONDING))
1712 return SMP_PAIRING_NOTSUPP;
1713
1714 skb_pull(skb, sizeof(*rp));
1715
1716 memset(&cp, 0, sizeof(cp));
1717 build_pairing_cmd(conn, &cp, NULL, auth);
1718
1719 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1720 memcpy(&smp->preq[1], &cp, sizeof(cp));
1721
1722 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1723 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1724
1725 return 0;
1726 }
1727
1728 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1729 {
1730 struct l2cap_conn *conn = hcon->l2cap_data;
1731 struct l2cap_chan *chan;
1732 struct smp_chan *smp;
1733 __u8 authreq;
1734 int ret;
1735
1736 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
1737
1738 /* This may be NULL if there's an unexpected disconnection */
1739 if (!conn)
1740 return 1;
1741
1742 chan = conn->smp;
1743
1744 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
1745 return 1;
1746
1747 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1748 return 1;
1749
1750 if (sec_level > hcon->pending_sec_level)
1751 hcon->pending_sec_level = sec_level;
1752
1753 if (hcon->role == HCI_ROLE_MASTER)
1754 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1755 return 0;
1756
1757 l2cap_chan_lock(chan);
1758
1759 /* If SMP is already in progress ignore this request */
1760 if (chan->data) {
1761 ret = 0;
1762 goto unlock;
1763 }
1764
1765 smp = smp_chan_create(conn);
1766 if (!smp) {
1767 ret = 1;
1768 goto unlock;
1769 }
1770
1771 authreq = seclevel_to_authreq(sec_level);
1772
1773 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
1774 authreq |= SMP_AUTH_SC;
1775
1776 /* Require MITM if IO Capability allows or the security level
1777 * requires it.
1778 */
1779 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
1780 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
1781 authreq |= SMP_AUTH_MITM;
1782
1783 if (hcon->role == HCI_ROLE_MASTER) {
1784 struct smp_cmd_pairing cp;
1785
1786 build_pairing_cmd(conn, &cp, NULL, authreq);
1787 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1788 memcpy(&smp->preq[1], &cp, sizeof(cp));
1789
1790 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1791 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1792 } else {
1793 struct smp_cmd_security_req cp;
1794 cp.auth_req = authreq;
1795 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1796 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
1797 }
1798
1799 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
1800 ret = 0;
1801
1802 unlock:
1803 l2cap_chan_unlock(chan);
1804 return ret;
1805 }
1806
1807 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1808 {
1809 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1810 struct l2cap_chan *chan = conn->smp;
1811 struct smp_chan *smp = chan->data;
1812
1813 BT_DBG("conn %p", conn);
1814
1815 if (skb->len < sizeof(*rp))
1816 return SMP_INVALID_PARAMS;
1817
1818 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
1819
1820 skb_pull(skb, sizeof(*rp));
1821
1822 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1823
1824 return 0;
1825 }
1826
1827 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1828 {
1829 struct smp_cmd_master_ident *rp = (void *) skb->data;
1830 struct l2cap_chan *chan = conn->smp;
1831 struct smp_chan *smp = chan->data;
1832 struct hci_dev *hdev = conn->hcon->hdev;
1833 struct hci_conn *hcon = conn->hcon;
1834 struct smp_ltk *ltk;
1835 u8 authenticated;
1836
1837 BT_DBG("conn %p", conn);
1838
1839 if (skb->len < sizeof(*rp))
1840 return SMP_INVALID_PARAMS;
1841
1842 /* Mark the information as received */
1843 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1844
1845 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1846 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1847 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1848 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1849
1850 skb_pull(skb, sizeof(*rp));
1851
1852 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
1853 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
1854 authenticated, smp->tk, smp->enc_key_size,
1855 rp->ediv, rp->rand);
1856 smp->ltk = ltk;
1857 if (!(smp->remote_key_dist & KEY_DIST_MASK))
1858 smp_distribute_keys(smp);
1859
1860 return 0;
1861 }
1862
1863 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1864 {
1865 struct smp_cmd_ident_info *info = (void *) skb->data;
1866 struct l2cap_chan *chan = conn->smp;
1867 struct smp_chan *smp = chan->data;
1868
1869 BT_DBG("");
1870
1871 if (skb->len < sizeof(*info))
1872 return SMP_INVALID_PARAMS;
1873
1874 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
1875
1876 skb_pull(skb, sizeof(*info));
1877
1878 memcpy(smp->irk, info->irk, 16);
1879
1880 return 0;
1881 }
1882
1883 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1884 struct sk_buff *skb)
1885 {
1886 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1887 struct l2cap_chan *chan = conn->smp;
1888 struct smp_chan *smp = chan->data;
1889 struct hci_conn *hcon = conn->hcon;
1890 bdaddr_t rpa;
1891
1892 BT_DBG("");
1893
1894 if (skb->len < sizeof(*info))
1895 return SMP_INVALID_PARAMS;
1896
1897 /* Mark the information as received */
1898 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1899
1900 if (smp->remote_key_dist & SMP_DIST_SIGN)
1901 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1902
1903 skb_pull(skb, sizeof(*info));
1904
1905 /* Strictly speaking the Core Specification (4.1) allows sending
1906 * an empty address which would force us to rely on just the IRK
1907 * as "identity information". However, since such
1908 * implementations are not known of and in order to not over
1909 * complicate our implementation, simply pretend that we never
1910 * received an IRK for such a device.
1911 */
1912 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1913 BT_ERR("Ignoring IRK with no identity address");
1914 goto distribute;
1915 }
1916
1917 bacpy(&smp->id_addr, &info->bdaddr);
1918 smp->id_addr_type = info->addr_type;
1919
1920 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1921 bacpy(&rpa, &hcon->dst);
1922 else
1923 bacpy(&rpa, BDADDR_ANY);
1924
1925 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1926 smp->id_addr_type, smp->irk, &rpa);
1927
1928 distribute:
1929 if (!(smp->remote_key_dist & KEY_DIST_MASK))
1930 smp_distribute_keys(smp);
1931
1932 return 0;
1933 }
1934
1935 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1936 {
1937 struct smp_cmd_sign_info *rp = (void *) skb->data;
1938 struct l2cap_chan *chan = conn->smp;
1939 struct smp_chan *smp = chan->data;
1940 struct smp_csrk *csrk;
1941
1942 BT_DBG("conn %p", conn);
1943
1944 if (skb->len < sizeof(*rp))
1945 return SMP_INVALID_PARAMS;
1946
1947 /* Mark the information as received */
1948 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1949
1950 skb_pull(skb, sizeof(*rp));
1951
1952 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1953 if (csrk) {
1954 csrk->master = 0x01;
1955 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1956 }
1957 smp->csrk = csrk;
1958 smp_distribute_keys(smp);
1959
1960 return 0;
1961 }
1962
1963 static u8 sc_select_method(struct smp_chan *smp)
1964 {
1965 struct l2cap_conn *conn = smp->conn;
1966 struct hci_conn *hcon = conn->hcon;
1967 struct smp_cmd_pairing *local, *remote;
1968 u8 local_mitm, remote_mitm, local_io, remote_io, method;
1969
1970 /* The preq/prsp contain the raw Pairing Request/Response PDUs
1971 * which are needed as inputs to some crypto functions. To get
1972 * the "struct smp_cmd_pairing" from them we need to skip the
1973 * first byte which contains the opcode.
1974 */
1975 if (hcon->out) {
1976 local = (void *) &smp->preq[1];
1977 remote = (void *) &smp->prsp[1];
1978 } else {
1979 local = (void *) &smp->prsp[1];
1980 remote = (void *) &smp->preq[1];
1981 }
1982
1983 local_io = local->io_capability;
1984 remote_io = remote->io_capability;
1985
1986 local_mitm = (local->auth_req & SMP_AUTH_MITM);
1987 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
1988
1989 /* If either side wants MITM, look up the method from the table,
1990 * otherwise use JUST WORKS.
1991 */
1992 if (local_mitm || remote_mitm)
1993 method = get_auth_method(smp, local_io, remote_io);
1994 else
1995 method = JUST_WORKS;
1996
1997 /* Don't confirm locally initiated pairing attempts */
1998 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1999 method = JUST_WORKS;
2000
2001 return method;
2002 }
2003
2004 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2005 {
2006 struct smp_cmd_public_key *key = (void *) skb->data;
2007 struct hci_conn *hcon = conn->hcon;
2008 struct l2cap_chan *chan = conn->smp;
2009 struct smp_chan *smp = chan->data;
2010 struct hci_dev *hdev = hcon->hdev;
2011 struct smp_cmd_pairing_confirm cfm;
2012 int err;
2013
2014 BT_DBG("conn %p", conn);
2015
2016 if (skb->len < sizeof(*key))
2017 return SMP_INVALID_PARAMS;
2018
2019 memcpy(smp->remote_pk, key, 64);
2020
2021 /* Non-initiating device sends its public key after receiving
2022 * the key from the initiating device.
2023 */
2024 if (!hcon->out) {
2025 err = sc_send_public_key(smp);
2026 if (err)
2027 return err;
2028 }
2029
2030 BT_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2031 BT_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2032
2033 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2034 return SMP_UNSPECIFIED;
2035
2036 BT_DBG("DHKey %32phN", smp->dhkey);
2037
2038 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2039
2040 smp->method = sc_select_method(smp);
2041
2042 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2043
2044 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2045 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2046 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2047 else
2048 hcon->pending_sec_level = BT_SECURITY_FIPS;
2049
2050 if (!memcmp(debug_pk, smp->remote_pk, 64))
2051 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2052
2053 /* The Initiating device waits for the non-initiating device to
2054 * send the confirm value.
2055 */
2056 if (conn->hcon->out)
2057 return 0;
2058
2059 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2060 0, cfm.confirm_val);
2061 if (err)
2062 return SMP_UNSPECIFIED;
2063
2064 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2065 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2066
2067 return 0;
2068 }
2069
2070 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2071 {
2072 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2073 struct l2cap_chan *chan = conn->smp;
2074 struct hci_conn *hcon = conn->hcon;
2075 struct smp_chan *smp = chan->data;
2076 u8 a[7], b[7], *local_addr, *remote_addr;
2077 u8 io_cap[3], r[16], e[16];
2078 u8 key_type, auth;
2079 int err;
2080
2081 BT_DBG("conn %p", conn);
2082
2083 if (skb->len < sizeof(*check))
2084 return SMP_INVALID_PARAMS;
2085
2086 memcpy(a, &hcon->init_addr, 6);
2087 memcpy(b, &hcon->resp_addr, 6);
2088 a[6] = hcon->init_addr_type;
2089 b[6] = hcon->resp_addr_type;
2090
2091 if (hcon->out) {
2092 local_addr = a;
2093 remote_addr = b;
2094 memcpy(io_cap, &smp->prsp[1], 3);
2095 } else {
2096 local_addr = b;
2097 remote_addr = a;
2098 memcpy(io_cap, &smp->preq[1], 3);
2099 }
2100
2101 memset(r, 0, sizeof(r));
2102
2103 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2104 io_cap, remote_addr, local_addr, e);
2105 if (err)
2106 return SMP_UNSPECIFIED;
2107
2108 if (memcmp(check->e, e, 16))
2109 return SMP_DHKEY_CHECK_FAILED;
2110
2111 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
2112 key_type = SMP_LTK_P256_DEBUG;
2113 else
2114 key_type = SMP_LTK_P256;
2115
2116 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
2117 auth = 1;
2118 else
2119 auth = 0;
2120
2121 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2122 key_type, auth, smp->tk, smp->enc_key_size,
2123 0, 0);
2124
2125 if (hcon->out) {
2126 hci_le_start_enc(hcon, 0, 0, smp->tk);
2127 hcon->enc_key_size = smp->enc_key_size;
2128 }
2129
2130 return 0;
2131 }
2132
2133 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2134 {
2135 struct l2cap_conn *conn = chan->conn;
2136 struct hci_conn *hcon = conn->hcon;
2137 struct smp_chan *smp;
2138 __u8 code, reason;
2139 int err = 0;
2140
2141 if (hcon->type != LE_LINK) {
2142 kfree_skb(skb);
2143 return 0;
2144 }
2145
2146 if (skb->len < 1)
2147 return -EILSEQ;
2148
2149 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2150 reason = SMP_PAIRING_NOTSUPP;
2151 goto done;
2152 }
2153
2154 code = skb->data[0];
2155 skb_pull(skb, sizeof(code));
2156
2157 smp = chan->data;
2158
2159 if (code > SMP_CMD_MAX)
2160 goto drop;
2161
2162 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2163 goto drop;
2164
2165 /* If we don't have a context the only allowed commands are
2166 * pairing request and security request.
2167 */
2168 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2169 goto drop;
2170
2171 switch (code) {
2172 case SMP_CMD_PAIRING_REQ:
2173 reason = smp_cmd_pairing_req(conn, skb);
2174 break;
2175
2176 case SMP_CMD_PAIRING_FAIL:
2177 smp_failure(conn, 0);
2178 err = -EPERM;
2179 break;
2180
2181 case SMP_CMD_PAIRING_RSP:
2182 reason = smp_cmd_pairing_rsp(conn, skb);
2183 break;
2184
2185 case SMP_CMD_SECURITY_REQ:
2186 reason = smp_cmd_security_req(conn, skb);
2187 break;
2188
2189 case SMP_CMD_PAIRING_CONFIRM:
2190 reason = smp_cmd_pairing_confirm(conn, skb);
2191 break;
2192
2193 case SMP_CMD_PAIRING_RANDOM:
2194 reason = smp_cmd_pairing_random(conn, skb);
2195 break;
2196
2197 case SMP_CMD_ENCRYPT_INFO:
2198 reason = smp_cmd_encrypt_info(conn, skb);
2199 break;
2200
2201 case SMP_CMD_MASTER_IDENT:
2202 reason = smp_cmd_master_ident(conn, skb);
2203 break;
2204
2205 case SMP_CMD_IDENT_INFO:
2206 reason = smp_cmd_ident_info(conn, skb);
2207 break;
2208
2209 case SMP_CMD_IDENT_ADDR_INFO:
2210 reason = smp_cmd_ident_addr_info(conn, skb);
2211 break;
2212
2213 case SMP_CMD_SIGN_INFO:
2214 reason = smp_cmd_sign_info(conn, skb);
2215 break;
2216
2217 case SMP_CMD_PUBLIC_KEY:
2218 reason = smp_cmd_public_key(conn, skb);
2219 break;
2220
2221 case SMP_CMD_DHKEY_CHECK:
2222 reason = smp_cmd_dhkey_check(conn, skb);
2223 break;
2224
2225 default:
2226 BT_DBG("Unknown command code 0x%2.2x", code);
2227 reason = SMP_CMD_NOTSUPP;
2228 goto done;
2229 }
2230
2231 done:
2232 if (!err) {
2233 if (reason)
2234 smp_failure(conn, reason);
2235 kfree_skb(skb);
2236 }
2237
2238 return err;
2239
2240 drop:
2241 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2242 code, &hcon->dst);
2243 kfree_skb(skb);
2244 return 0;
2245 }
2246
2247 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2248 {
2249 struct l2cap_conn *conn = chan->conn;
2250
2251 BT_DBG("chan %p", chan);
2252
2253 if (chan->data)
2254 smp_chan_destroy(conn);
2255
2256 conn->smp = NULL;
2257 l2cap_chan_put(chan);
2258 }
2259
2260 static void smp_resume_cb(struct l2cap_chan *chan)
2261 {
2262 struct smp_chan *smp = chan->data;
2263 struct l2cap_conn *conn = chan->conn;
2264 struct hci_conn *hcon = conn->hcon;
2265
2266 BT_DBG("chan %p", chan);
2267
2268 if (!smp)
2269 return;
2270
2271 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2272 return;
2273
2274 cancel_delayed_work(&smp->security_timer);
2275
2276 smp_distribute_keys(smp);
2277 }
2278
2279 static void smp_ready_cb(struct l2cap_chan *chan)
2280 {
2281 struct l2cap_conn *conn = chan->conn;
2282
2283 BT_DBG("chan %p", chan);
2284
2285 conn->smp = chan;
2286 l2cap_chan_hold(chan);
2287 }
2288
2289 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2290 {
2291 int err;
2292
2293 BT_DBG("chan %p", chan);
2294
2295 err = smp_sig_channel(chan, skb);
2296 if (err) {
2297 struct smp_chan *smp = chan->data;
2298
2299 if (smp)
2300 cancel_delayed_work_sync(&smp->security_timer);
2301
2302 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2303 }
2304
2305 return err;
2306 }
2307
2308 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2309 unsigned long hdr_len,
2310 unsigned long len, int nb)
2311 {
2312 struct sk_buff *skb;
2313
2314 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2315 if (!skb)
2316 return ERR_PTR(-ENOMEM);
2317
2318 skb->priority = HCI_PRIO_MAX;
2319 bt_cb(skb)->chan = chan;
2320
2321 return skb;
2322 }
2323
2324 static const struct l2cap_ops smp_chan_ops = {
2325 .name = "Security Manager",
2326 .ready = smp_ready_cb,
2327 .recv = smp_recv_cb,
2328 .alloc_skb = smp_alloc_skb_cb,
2329 .teardown = smp_teardown_cb,
2330 .resume = smp_resume_cb,
2331
2332 .new_connection = l2cap_chan_no_new_connection,
2333 .state_change = l2cap_chan_no_state_change,
2334 .close = l2cap_chan_no_close,
2335 .defer = l2cap_chan_no_defer,
2336 .suspend = l2cap_chan_no_suspend,
2337 .set_shutdown = l2cap_chan_no_set_shutdown,
2338 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2339 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2340 };
2341
2342 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2343 {
2344 struct l2cap_chan *chan;
2345
2346 BT_DBG("pchan %p", pchan);
2347
2348 chan = l2cap_chan_create();
2349 if (!chan)
2350 return NULL;
2351
2352 chan->chan_type = pchan->chan_type;
2353 chan->ops = &smp_chan_ops;
2354 chan->scid = pchan->scid;
2355 chan->dcid = chan->scid;
2356 chan->imtu = pchan->imtu;
2357 chan->omtu = pchan->omtu;
2358 chan->mode = pchan->mode;
2359
2360 /* Other L2CAP channels may request SMP routines in order to
2361 * change the security level. This means that the SMP channel
2362 * lock must be considered in its own category to avoid lockdep
2363 * warnings.
2364 */
2365 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2366
2367 BT_DBG("created chan %p", chan);
2368
2369 return chan;
2370 }
2371
2372 static const struct l2cap_ops smp_root_chan_ops = {
2373 .name = "Security Manager Root",
2374 .new_connection = smp_new_conn_cb,
2375
2376 /* None of these are implemented for the root channel */
2377 .close = l2cap_chan_no_close,
2378 .alloc_skb = l2cap_chan_no_alloc_skb,
2379 .recv = l2cap_chan_no_recv,
2380 .state_change = l2cap_chan_no_state_change,
2381 .teardown = l2cap_chan_no_teardown,
2382 .ready = l2cap_chan_no_ready,
2383 .defer = l2cap_chan_no_defer,
2384 .suspend = l2cap_chan_no_suspend,
2385 .resume = l2cap_chan_no_resume,
2386 .set_shutdown = l2cap_chan_no_set_shutdown,
2387 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2388 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
2389 };
2390
2391 int smp_register(struct hci_dev *hdev)
2392 {
2393 struct l2cap_chan *chan;
2394 struct crypto_blkcipher *tfm_aes;
2395
2396 BT_DBG("%s", hdev->name);
2397
2398 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2399 if (IS_ERR(tfm_aes)) {
2400 int err = PTR_ERR(tfm_aes);
2401 BT_ERR("Unable to create crypto context");
2402 return err;
2403 }
2404
2405 chan = l2cap_chan_create();
2406 if (!chan) {
2407 crypto_free_blkcipher(tfm_aes);
2408 return -ENOMEM;
2409 }
2410
2411 chan->data = tfm_aes;
2412
2413 l2cap_add_scid(chan, L2CAP_CID_SMP);
2414
2415 l2cap_chan_set_defaults(chan);
2416
2417 bacpy(&chan->src, &hdev->bdaddr);
2418 chan->src_type = BDADDR_LE_PUBLIC;
2419 chan->state = BT_LISTEN;
2420 chan->mode = L2CAP_MODE_BASIC;
2421 chan->imtu = L2CAP_DEFAULT_MTU;
2422 chan->ops = &smp_root_chan_ops;
2423
2424 /* Set correct nesting level for a parent/listening channel */
2425 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2426
2427 hdev->smp_data = chan;
2428
2429 return 0;
2430 }
2431
2432 void smp_unregister(struct hci_dev *hdev)
2433 {
2434 struct l2cap_chan *chan = hdev->smp_data;
2435 struct crypto_blkcipher *tfm_aes;
2436
2437 if (!chan)
2438 return;
2439
2440 BT_DBG("%s chan %p", hdev->name, chan);
2441
2442 tfm_aes = chan->data;
2443 if (tfm_aes) {
2444 chan->data = NULL;
2445 crypto_free_blkcipher(tfm_aes);
2446 }
2447
2448 hdev->smp_data = NULL;
2449 l2cap_chan_put(chan);
2450 }
Ubuntu Artful kernel mirror