blob: 7a295d7edc44210ddb4396255da0f97e1f1d62e1 [file] [log] [blame]
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
Gustavo Padovan8c520a52012-05-23 04:04:22 -030023#include <linux/crypto.h>
24#include <linux/scatterlist.h>
25#include <crypto/b128ops.h>
26
Anderson Brigliaeb492e02011-06-09 18:50:40 -030027#include <net/bluetooth/bluetooth.h>
28#include <net/bluetooth/hci_core.h>
29#include <net/bluetooth/l2cap.h>
Brian Gix2b64d152011-12-21 16:12:12 -080030#include <net/bluetooth/mgmt.h>
Marcel Holtmannac4b7232013-10-10 14:54:16 -070031
32#include "smp.h"
Anderson Brigliad22ef0b2011-06-09 18:50:44 -030033
Marcel Holtmann17b02e62012-03-01 14:32:37 -080034#define SMP_TIMEOUT msecs_to_jiffies(30000)
Vinicius Costa Gomes5d3de7d2011-06-14 13:37:41 -030035
Johan Hedberg065a13e2012-10-11 16:26:06 +020036#define AUTH_REQ_MASK 0x07
37
Johan Hedberg533e35d2014-06-16 19:25:18 +030038enum {
39 SMP_FLAG_TK_VALID,
40 SMP_FLAG_CFM_PENDING,
41 SMP_FLAG_MITM_AUTH,
42 SMP_FLAG_COMPLETE,
43 SMP_FLAG_INITIATOR,
44};
Johan Hedberg4bc58f52014-05-20 09:45:47 +030045
46struct smp_chan {
47 struct l2cap_conn *conn;
48 u8 preq[7]; /* SMP Pairing Request */
49 u8 prsp[7]; /* SMP Pairing Response */
50 u8 prnd[16]; /* SMP Pairing Random (local) */
51 u8 rrnd[16]; /* SMP Pairing Random (remote) */
52 u8 pcnf[16]; /* SMP Pairing Confirm */
53 u8 tk[16]; /* SMP Temporary Key */
54 u8 enc_key_size;
55 u8 remote_key_dist;
56 bdaddr_t id_addr;
57 u8 id_addr_type;
58 u8 irk[16];
59 struct smp_csrk *csrk;
60 struct smp_csrk *slave_csrk;
61 struct smp_ltk *ltk;
62 struct smp_ltk *slave_ltk;
63 struct smp_irk *remote_irk;
Johan Hedberg4a74d652014-05-20 09:45:50 +030064 unsigned long flags;
Johan Hedberg6a7bd102014-06-27 14:23:03 +030065
66 struct crypto_blkcipher *tfm_aes;
Johan Hedberg4bc58f52014-05-20 09:45:47 +030067};
68
Johan Hedberg8a2936f2014-06-16 19:25:19 +030069static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
Anderson Brigliad22ef0b2011-06-09 18:50:44 -030070{
Johan Hedberg8a2936f2014-06-16 19:25:19 +030071 size_t i;
Anderson Brigliad22ef0b2011-06-09 18:50:44 -030072
Johan Hedberg8a2936f2014-06-16 19:25:19 +030073 for (i = 0; i < len; i++)
74 dst[len - 1 - i] = src[i];
Anderson Brigliad22ef0b2011-06-09 18:50:44 -030075}
76
77static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
78{
79 struct blkcipher_desc desc;
80 struct scatterlist sg;
Johan Hedberg943a7322014-03-18 12:58:24 +020081 uint8_t tmp[16], data[16];
Johan Hedberg201a5922013-12-02 10:49:04 +020082 int err;
Anderson Brigliad22ef0b2011-06-09 18:50:44 -030083
84 if (tfm == NULL) {
85 BT_ERR("tfm %p", tfm);
86 return -EINVAL;
87 }
88
89 desc.tfm = tfm;
90 desc.flags = 0;
91
Johan Hedberg943a7322014-03-18 12:58:24 +020092 /* The most significant octet of key corresponds to k[0] */
Johan Hedberg8a2936f2014-06-16 19:25:19 +030093 swap_buf(k, tmp, 16);
Johan Hedberg943a7322014-03-18 12:58:24 +020094
95 err = crypto_blkcipher_setkey(tfm, tmp, 16);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -030096 if (err) {
97 BT_ERR("cipher setkey failed: %d", err);
98 return err;
99 }
100
Johan Hedberg943a7322014-03-18 12:58:24 +0200101 /* Most significant octet of plaintextData corresponds to data[0] */
Johan Hedberg8a2936f2014-06-16 19:25:19 +0300102 swap_buf(r, data, 16);
Johan Hedberg943a7322014-03-18 12:58:24 +0200103
104 sg_init_one(&sg, data, 16);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300105
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300106 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
107 if (err)
108 BT_ERR("Encrypt data error %d", err);
109
Johan Hedberg943a7322014-03-18 12:58:24 +0200110 /* Most significant octet of encryptedData corresponds to data[0] */
Johan Hedberg8a2936f2014-06-16 19:25:19 +0300111 swap_buf(data, r, 16);
Johan Hedberg943a7322014-03-18 12:58:24 +0200112
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300113 return err;
114}
115
Johan Hedberg60478052014-02-18 10:19:31 +0200116static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
117{
Johan Hedberg943a7322014-03-18 12:58:24 +0200118 u8 _res[16];
Johan Hedberg60478052014-02-18 10:19:31 +0200119 int err;
120
121 /* r' = padding || r */
Johan Hedberg943a7322014-03-18 12:58:24 +0200122 memcpy(_res, r, 3);
123 memset(_res + 3, 0, 13);
Johan Hedberg60478052014-02-18 10:19:31 +0200124
Johan Hedberg943a7322014-03-18 12:58:24 +0200125 err = smp_e(tfm, irk, _res);
Johan Hedberg60478052014-02-18 10:19:31 +0200126 if (err) {
127 BT_ERR("Encrypt error");
128 return err;
129 }
130
131 /* The output of the random address function ah is:
132 * ah(h, r) = e(k, r') mod 2^24
133 * The output of the security function e is then truncated to 24 bits
134 * by taking the least significant 24 bits of the output of e as the
135 * result of ah.
136 */
Johan Hedberg943a7322014-03-18 12:58:24 +0200137 memcpy(res, _res, 3);
Johan Hedberg60478052014-02-18 10:19:31 +0200138
139 return 0;
140}
141
Johan Hedbergdefce9e2014-08-08 09:37:17 +0300142bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
Johan Hedberg60478052014-02-18 10:19:31 +0200143{
Johan Hedbergdefce9e2014-08-08 09:37:17 +0300144 struct l2cap_chan *chan = hdev->smp_data;
145 struct crypto_blkcipher *tfm;
Johan Hedberg60478052014-02-18 10:19:31 +0200146 u8 hash[3];
147 int err;
148
Johan Hedbergdefce9e2014-08-08 09:37:17 +0300149 if (!chan || !chan->data)
150 return false;
151
152 tfm = chan->data;
153
Johan Hedberg60478052014-02-18 10:19:31 +0200154 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
155
156 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
157 if (err)
158 return false;
159
160 return !memcmp(bdaddr->b, hash, 3);
161}
162
Johan Hedbergdefce9e2014-08-08 09:37:17 +0300163int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
Johan Hedbergb1e2b3a2014-02-23 19:42:19 +0200164{
Johan Hedbergdefce9e2014-08-08 09:37:17 +0300165 struct l2cap_chan *chan = hdev->smp_data;
166 struct crypto_blkcipher *tfm;
Johan Hedbergb1e2b3a2014-02-23 19:42:19 +0200167 int err;
168
Johan Hedbergdefce9e2014-08-08 09:37:17 +0300169 if (!chan || !chan->data)
170 return -EOPNOTSUPP;
171
172 tfm = chan->data;
173
Johan Hedbergb1e2b3a2014-02-23 19:42:19 +0200174 get_random_bytes(&rpa->b[3], 3);
175
176 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
177 rpa->b[5] |= 0x40; /* Set second most significant bit */
178
179 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
180 if (err < 0)
181 return err;
182
183 BT_DBG("RPA %pMR", rpa);
184
185 return 0;
186}
187
Johan Hedbergec70f362014-06-27 14:23:04 +0300188static int smp_c1(struct smp_chan *smp, u8 k[16], u8 r[16], u8 preq[7],
189 u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat, bdaddr_t *ra,
190 u8 res[16])
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300191{
Johan Hedbergec70f362014-06-27 14:23:04 +0300192 struct hci_dev *hdev = smp->conn->hcon->hdev;
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300193 u8 p1[16], p2[16];
194 int err;
195
Johan Hedbergec70f362014-06-27 14:23:04 +0300196 BT_DBG("%s", hdev->name);
197
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300198 memset(p1, 0, 16);
199
200 /* p1 = pres || preq || _rat || _iat */
Johan Hedberg943a7322014-03-18 12:58:24 +0200201 p1[0] = _iat;
202 p1[1] = _rat;
203 memcpy(p1 + 2, preq, 7);
204 memcpy(p1 + 9, pres, 7);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300205
206 /* p2 = padding || ia || ra */
Johan Hedberg943a7322014-03-18 12:58:24 +0200207 memcpy(p2, ra, 6);
208 memcpy(p2 + 6, ia, 6);
209 memset(p2 + 12, 0, 4);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300210
211 /* res = r XOR p1 */
212 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
213
214 /* res = e(k, res) */
Johan Hedbergec70f362014-06-27 14:23:04 +0300215 err = smp_e(smp->tfm_aes, k, res);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300216 if (err) {
217 BT_ERR("Encrypt data error");
218 return err;
219 }
220
221 /* res = res XOR p2 */
222 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
223
224 /* res = e(k, res) */
Johan Hedbergec70f362014-06-27 14:23:04 +0300225 err = smp_e(smp->tfm_aes, k, res);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300226 if (err)
227 BT_ERR("Encrypt data error");
228
229 return err;
230}
231
Johan Hedbergec70f362014-06-27 14:23:04 +0300232static int smp_s1(struct smp_chan *smp, u8 k[16], u8 r1[16], u8 r2[16],
233 u8 _r[16])
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300234{
Johan Hedbergec70f362014-06-27 14:23:04 +0300235 struct hci_dev *hdev = smp->conn->hcon->hdev;
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300236 int err;
237
Johan Hedbergec70f362014-06-27 14:23:04 +0300238 BT_DBG("%s", hdev->name);
239
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300240 /* Just least significant octets from r1 and r2 are considered */
Johan Hedberg943a7322014-03-18 12:58:24 +0200241 memcpy(_r, r2, 8);
242 memcpy(_r + 8, r1, 8);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300243
Johan Hedbergec70f362014-06-27 14:23:04 +0300244 err = smp_e(smp->tfm_aes, k, _r);
Anderson Brigliad22ef0b2011-06-09 18:50:44 -0300245 if (err)
246 BT_ERR("Encrypt data error");
247
248 return err;
249}
250
Anderson Brigliaeb492e02011-06-09 18:50:40 -0300251static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
252{
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300253 struct l2cap_chan *chan = conn->smp;
254 struct kvec iv[2];
255 struct msghdr msg;
256
257 if (!chan)
258 return;
Anderson Brigliaeb492e02011-06-09 18:50:40 -0300259
260 BT_DBG("code 0x%2.2x", code);
261
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300262 iv[0].iov_base = &code;
263 iv[0].iov_len = 1;
Anderson Brigliaeb492e02011-06-09 18:50:40 -0300264
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300265 iv[1].iov_base = data;
266 iv[1].iov_len = len;
267
268 memset(&msg, 0, sizeof(msg));
269
270 msg.msg_iov = (struct iovec *) &iv;
271 msg.msg_iovlen = 2;
272
273 l2cap_chan_send(chan, &msg, 1 + len);
Vinicius Costa Gomese2dcd112011-08-19 21:06:50 -0300274
Gustavo F. Padovan6c9d42a2011-12-20 10:57:27 -0200275 cancel_delayed_work_sync(&conn->security_timer);
Marcel Holtmann17b02e62012-03-01 14:32:37 -0800276 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT);
Anderson Brigliaeb492e02011-06-09 18:50:40 -0300277}
278
Brian Gix2b64d152011-12-21 16:12:12 -0800279static __u8 authreq_to_seclevel(__u8 authreq)
280{
281 if (authreq & SMP_AUTH_MITM)
282 return BT_SECURITY_HIGH;
283 else
284 return BT_SECURITY_MEDIUM;
285}
286
287static __u8 seclevel_to_authreq(__u8 sec_level)
288{
289 switch (sec_level) {
290 case BT_SECURITY_HIGH:
291 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
292 case BT_SECURITY_MEDIUM:
293 return SMP_AUTH_BONDING;
294 default:
295 return SMP_AUTH_NONE;
296 }
297}
298
Vinicius Costa Gomesb8e66ea2011-06-09 18:50:52 -0300299static void build_pairing_cmd(struct l2cap_conn *conn,
Marcel Holtmannf1560462013-10-13 05:43:25 -0700300 struct smp_cmd_pairing *req,
301 struct smp_cmd_pairing *rsp, __u8 authreq)
Vinicius Costa Gomesb8e66ea2011-06-09 18:50:52 -0300302{
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300303 struct l2cap_chan *chan = conn->smp;
304 struct smp_chan *smp = chan->data;
Johan Hedbergfd349c02014-02-18 10:19:36 +0200305 struct hci_conn *hcon = conn->hcon;
306 struct hci_dev *hdev = hcon->hdev;
307 u8 local_dist = 0, remote_dist = 0;
Vinicius Costa Gomes54790f72011-07-07 18:59:38 -0300308
Johan Hedbergb6ae8452014-07-30 09:22:22 +0300309 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -0700310 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
311 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
Vinicius Costa Gomes54790f72011-07-07 18:59:38 -0300312 authreq |= SMP_AUTH_BONDING;
Brian Gix2b64d152011-12-21 16:12:12 -0800313 } else {
314 authreq &= ~SMP_AUTH_BONDING;
Vinicius Costa Gomes54790f72011-07-07 18:59:38 -0300315 }
316
Johan Hedbergfd349c02014-02-18 10:19:36 +0200317 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
318 remote_dist |= SMP_DIST_ID_KEY;
319
Johan Hedberg863efaf2014-02-22 19:06:32 +0200320 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
321 local_dist |= SMP_DIST_ID_KEY;
322
Vinicius Costa Gomes54790f72011-07-07 18:59:38 -0300323 if (rsp == NULL) {
324 req->io_capability = conn->hcon->io_capability;
325 req->oob_flag = SMP_OOB_NOT_PRESENT;
326 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
Johan Hedbergfd349c02014-02-18 10:19:36 +0200327 req->init_key_dist = local_dist;
328 req->resp_key_dist = remote_dist;
Johan Hedberg065a13e2012-10-11 16:26:06 +0200329 req->auth_req = (authreq & AUTH_REQ_MASK);
Johan Hedbergfd349c02014-02-18 10:19:36 +0200330
331 smp->remote_key_dist = remote_dist;
Vinicius Costa Gomes54790f72011-07-07 18:59:38 -0300332 return;
333 }
334
335 rsp->io_capability = conn->hcon->io_capability;
336 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
337 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
Johan Hedbergfd349c02014-02-18 10:19:36 +0200338 rsp->init_key_dist = req->init_key_dist & remote_dist;
339 rsp->resp_key_dist = req->resp_key_dist & local_dist;
Johan Hedberg065a13e2012-10-11 16:26:06 +0200340 rsp->auth_req = (authreq & AUTH_REQ_MASK);
Johan Hedbergfd349c02014-02-18 10:19:36 +0200341
342 smp->remote_key_dist = rsp->init_key_dist;
Vinicius Costa Gomesb8e66ea2011-06-09 18:50:52 -0300343}
344
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300345static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
346{
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300347 struct l2cap_chan *chan = conn->smp;
348 struct smp_chan *smp = chan->data;
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -0300349
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300350 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
Marcel Holtmannf1560462013-10-13 05:43:25 -0700351 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300352 return SMP_ENC_KEY_SIZE;
353
Vinicius Costa Gomesf7aa6112012-01-30 19:29:12 -0300354 smp->enc_key_size = max_key_size;
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300355
356 return 0;
357}
358
Johan Hedberg84794e12013-11-06 11:24:57 +0200359static void smp_failure(struct l2cap_conn *conn, u8 reason)
Brian Gix4f957a72011-11-23 08:28:36 -0800360{
Johan Hedbergbab73cb2012-02-09 16:07:29 +0200361 struct hci_conn *hcon = conn->hcon;
362
Johan Hedberg84794e12013-11-06 11:24:57 +0200363 if (reason)
Brian Gix4f957a72011-11-23 08:28:36 -0800364 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
Marcel Holtmannf1560462013-10-13 05:43:25 -0700365 &reason);
Brian Gix4f957a72011-11-23 08:28:36 -0800366
Marcel Holtmannce39fb42013-10-13 02:23:39 -0700367 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
368 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
369 HCI_ERROR_AUTH_FAILURE);
Vinicius Costa Gomesf1c09c02012-02-01 18:27:56 -0300370
Andre Guedes61a0cfb2012-08-01 20:34:15 -0300371 cancel_delayed_work_sync(&conn->security_timer);
372
Marcel Holtmannce39fb42013-10-13 02:23:39 -0700373 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
Vinicius Costa Gomesf1c09c02012-02-01 18:27:56 -0300374 smp_chan_destroy(conn);
Brian Gix4f957a72011-11-23 08:28:36 -0800375}
376
Brian Gix2b64d152011-12-21 16:12:12 -0800377#define JUST_WORKS 0x00
378#define JUST_CFM 0x01
379#define REQ_PASSKEY 0x02
380#define CFM_PASSKEY 0x03
381#define REQ_OOB 0x04
382#define OVERLAP 0xFF
383
384static const u8 gen_method[5][5] = {
385 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
386 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
387 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
388 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
389 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
390};
391
Johan Hedberg581370c2014-06-17 13:07:38 +0300392static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
393{
Johan Hedberg2bcd4002014-07-09 19:18:09 +0300394 /* If either side has unknown io_caps, use JUST_CFM (which gets
395 * converted later to JUST_WORKS if we're initiators.
396 */
Johan Hedberg581370c2014-06-17 13:07:38 +0300397 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
398 remote_io > SMP_IO_KEYBOARD_DISPLAY)
Johan Hedberg2bcd4002014-07-09 19:18:09 +0300399 return JUST_CFM;
Johan Hedberg581370c2014-06-17 13:07:38 +0300400
401 return gen_method[remote_io][local_io];
402}
403
Brian Gix2b64d152011-12-21 16:12:12 -0800404static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
405 u8 local_io, u8 remote_io)
406{
407 struct hci_conn *hcon = conn->hcon;
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300408 struct l2cap_chan *chan = conn->smp;
409 struct smp_chan *smp = chan->data;
Brian Gix2b64d152011-12-21 16:12:12 -0800410 u8 method;
411 u32 passkey = 0;
412 int ret = 0;
413
414 /* Initialize key for JUST WORKS */
415 memset(smp->tk, 0, sizeof(smp->tk));
Johan Hedberg4a74d652014-05-20 09:45:50 +0300416 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -0800417
418 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
419
Johan Hedberg2bcd4002014-07-09 19:18:09 +0300420 /* If neither side wants MITM, either "just" confirm an incoming
421 * request or use just-works for outgoing ones. The JUST_CFM
422 * will be converted to JUST_WORKS if necessary later in this
423 * function. If either side has MITM look up the method from the
424 * table.
425 */
Johan Hedberg581370c2014-06-17 13:07:38 +0300426 if (!(auth & SMP_AUTH_MITM))
Johan Hedberg2bcd4002014-07-09 19:18:09 +0300427 method = JUST_CFM;
Brian Gix2b64d152011-12-21 16:12:12 -0800428 else
Johan Hedberg581370c2014-06-17 13:07:38 +0300429 method = get_auth_method(smp, local_io, remote_io);
Brian Gix2b64d152011-12-21 16:12:12 -0800430
Johan Hedberga82505c2014-03-24 14:39:07 +0200431 /* Don't confirm locally initiated pairing attempts */
Johan Hedberg4a74d652014-05-20 09:45:50 +0300432 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
Johan Hedberga82505c2014-03-24 14:39:07 +0200433 method = JUST_WORKS;
434
Johan Hedberg02f3e252014-07-16 15:09:13 +0300435 /* Don't bother user space with no IO capabilities */
436 if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
437 method = JUST_WORKS;
438
Brian Gix2b64d152011-12-21 16:12:12 -0800439 /* If Just Works, Continue with Zero TK */
440 if (method == JUST_WORKS) {
Johan Hedberg4a74d652014-05-20 09:45:50 +0300441 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -0800442 return 0;
443 }
444
445 /* Not Just Works/Confirm results in MITM Authentication */
446 if (method != JUST_CFM)
Johan Hedberg4a74d652014-05-20 09:45:50 +0300447 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -0800448
449 /* If both devices have Keyoard-Display I/O, the master
450 * Confirms and the slave Enters the passkey.
451 */
452 if (method == OVERLAP) {
Johan Hedberg40bef302014-07-16 11:42:27 +0300453 if (hcon->role == HCI_ROLE_MASTER)
Brian Gix2b64d152011-12-21 16:12:12 -0800454 method = CFM_PASSKEY;
455 else
456 method = REQ_PASSKEY;
457 }
458
Johan Hedberg01ad34d2014-03-19 14:14:53 +0200459 /* Generate random passkey. */
Brian Gix2b64d152011-12-21 16:12:12 -0800460 if (method == CFM_PASSKEY) {
Johan Hedberg943a7322014-03-18 12:58:24 +0200461 memset(smp->tk, 0, sizeof(smp->tk));
Brian Gix2b64d152011-12-21 16:12:12 -0800462 get_random_bytes(&passkey, sizeof(passkey));
463 passkey %= 1000000;
Johan Hedberg943a7322014-03-18 12:58:24 +0200464 put_unaligned_le32(passkey, smp->tk);
Brian Gix2b64d152011-12-21 16:12:12 -0800465 BT_DBG("PassKey: %d", passkey);
Johan Hedberg4a74d652014-05-20 09:45:50 +0300466 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -0800467 }
468
469 hci_dev_lock(hcon->hdev);
470
471 if (method == REQ_PASSKEY)
Marcel Holtmannce39fb42013-10-13 02:23:39 -0700472 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
Johan Hedberg272d90d2012-02-09 15:26:12 +0200473 hcon->type, hcon->dst_type);
Johan Hedberg4eb65e62014-03-24 14:39:05 +0200474 else if (method == JUST_CFM)
475 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
476 hcon->type, hcon->dst_type,
477 passkey, 1);
Brian Gix2b64d152011-12-21 16:12:12 -0800478 else
Johan Hedberg01ad34d2014-03-19 14:14:53 +0200479 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
Johan Hedberg272d90d2012-02-09 15:26:12 +0200480 hcon->type, hcon->dst_type,
Johan Hedberg39adbff2014-03-20 08:18:14 +0200481 passkey, 0);
Brian Gix2b64d152011-12-21 16:12:12 -0800482
483 hci_dev_unlock(hcon->hdev);
484
485 return ret;
486}
487
Johan Hedberg1cc61142014-05-20 09:45:52 +0300488static u8 smp_confirm(struct smp_chan *smp)
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300489{
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300490 struct l2cap_conn *conn = smp->conn;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300491 struct smp_cmd_pairing_confirm cp;
492 int ret;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300493
494 BT_DBG("conn %p", conn);
495
Johan Hedbergec70f362014-06-27 14:23:04 +0300496 ret = smp_c1(smp, smp->tk, smp->prnd, smp->preq, smp->prsp,
Johan Hedbergb1cd5fd2014-02-28 12:54:17 +0200497 conn->hcon->init_addr_type, &conn->hcon->init_addr,
Johan Hedberg943a7322014-03-18 12:58:24 +0200498 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
499 cp.confirm_val);
Johan Hedberg1cc61142014-05-20 09:45:52 +0300500 if (ret)
501 return SMP_UNSPECIFIED;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300502
Johan Hedberg4a74d652014-05-20 09:45:50 +0300503 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -0800504
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300505 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
506
Johan Hedberg1cc61142014-05-20 09:45:52 +0300507 return 0;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300508}
509
Johan Hedberg861580a2014-05-20 09:45:51 +0300510static u8 smp_random(struct smp_chan *smp)
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300511{
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300512 struct l2cap_conn *conn = smp->conn;
513 struct hci_conn *hcon = conn->hcon;
Johan Hedberg861580a2014-05-20 09:45:51 +0300514 u8 confirm[16];
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300515 int ret;
516
Johan Hedbergec70f362014-06-27 14:23:04 +0300517 if (IS_ERR_OR_NULL(smp->tfm_aes))
Johan Hedberg861580a2014-05-20 09:45:51 +0300518 return SMP_UNSPECIFIED;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300519
520 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
521
Johan Hedbergec70f362014-06-27 14:23:04 +0300522 ret = smp_c1(smp, smp->tk, smp->rrnd, smp->preq, smp->prsp,
Johan Hedbergb1cd5fd2014-02-28 12:54:17 +0200523 hcon->init_addr_type, &hcon->init_addr,
Johan Hedberg943a7322014-03-18 12:58:24 +0200524 hcon->resp_addr_type, &hcon->resp_addr, confirm);
Johan Hedberg861580a2014-05-20 09:45:51 +0300525 if (ret)
526 return SMP_UNSPECIFIED;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300527
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300528 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
529 BT_ERR("Pairing failed (confirmation values mismatch)");
Johan Hedberg861580a2014-05-20 09:45:51 +0300530 return SMP_CONFIRM_FAILED;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300531 }
532
533 if (hcon->out) {
Marcel Holtmannfe39c7b2014-02-27 16:00:28 -0800534 u8 stk[16];
535 __le64 rand = 0;
536 __le16 ediv = 0;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300537
Johan Hedbergec70f362014-06-27 14:23:04 +0300538 smp_s1(smp, smp->tk, smp->rrnd, smp->prnd, stk);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300539
Vinicius Costa Gomesf7aa6112012-01-30 19:29:12 -0300540 memset(stk + smp->enc_key_size, 0,
Gustavo F. Padovan04124682012-03-08 01:25:00 -0300541 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300542
Johan Hedberg861580a2014-05-20 09:45:51 +0300543 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
544 return SMP_UNSPECIFIED;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300545
546 hci_le_start_enc(hcon, ediv, rand, stk);
Vinicius Costa Gomesf7aa6112012-01-30 19:29:12 -0300547 hcon->enc_key_size = smp->enc_key_size;
Johan Hedbergfe59a052014-07-01 19:14:12 +0300548 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300549 } else {
Johan Hedbergfff34902014-06-10 15:19:50 +0300550 u8 stk[16], auth;
Marcel Holtmannfe39c7b2014-02-27 16:00:28 -0800551 __le64 rand = 0;
552 __le16 ediv = 0;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300553
Johan Hedberg943a7322014-03-18 12:58:24 +0200554 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
555 smp->prnd);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300556
Johan Hedbergec70f362014-06-27 14:23:04 +0300557 smp_s1(smp, smp->tk, smp->prnd, smp->rrnd, stk);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300558
Vinicius Costa Gomesf7aa6112012-01-30 19:29:12 -0300559 memset(stk + smp->enc_key_size, 0,
Marcel Holtmannf1560462013-10-13 05:43:25 -0700560 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300561
Johan Hedbergfff34902014-06-10 15:19:50 +0300562 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
563 auth = 1;
564 else
565 auth = 0;
566
Johan Hedberg7d5843b2014-06-16 19:25:15 +0300567 /* Even though there's no _SLAVE suffix this is the
568 * slave STK we're adding for later lookup (the master
569 * STK never needs to be stored).
570 */
Marcel Holtmannce39fb42013-10-13 02:23:39 -0700571 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
Johan Hedberg2ceba532014-06-16 19:25:16 +0300572 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300573 }
574
Johan Hedberg861580a2014-05-20 09:45:51 +0300575 return 0;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300576}
577
Johan Hedberg44f1a7a2014-08-11 22:06:36 +0300578static void smp_notify_keys(struct l2cap_conn *conn)
579{
580 struct l2cap_chan *chan = conn->smp;
581 struct smp_chan *smp = chan->data;
582 struct hci_conn *hcon = conn->hcon;
583 struct hci_dev *hdev = hcon->hdev;
584 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
585 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
586 bool persistent;
587
588 if (smp->remote_irk) {
589 mgmt_new_irk(hdev, smp->remote_irk);
590 /* Now that user space can be considered to know the
591 * identity address track the connection based on it
592 * from now on.
593 */
594 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
595 hcon->dst_type = smp->remote_irk->addr_type;
596 l2cap_conn_update_id_addr(hcon);
597
598 /* When receiving an indentity resolving key for
599 * a remote device that does not use a resolvable
600 * private address, just remove the key so that
601 * it is possible to use the controller white
602 * list for scanning.
603 *
604 * Userspace will have been told to not store
605 * this key at this point. So it is safe to
606 * just remove it.
607 */
608 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
609 list_del(&smp->remote_irk->list);
610 kfree(smp->remote_irk);
611 smp->remote_irk = NULL;
612 }
613 }
614
615 /* The LTKs and CSRKs should be persistent only if both sides
616 * had the bonding bit set in their authentication requests.
617 */
618 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
619
620 if (smp->csrk) {
621 smp->csrk->bdaddr_type = hcon->dst_type;
622 bacpy(&smp->csrk->bdaddr, &hcon->dst);
623 mgmt_new_csrk(hdev, smp->csrk, persistent);
624 }
625
626 if (smp->slave_csrk) {
627 smp->slave_csrk->bdaddr_type = hcon->dst_type;
628 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
629 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
630 }
631
632 if (smp->ltk) {
633 smp->ltk->bdaddr_type = hcon->dst_type;
634 bacpy(&smp->ltk->bdaddr, &hcon->dst);
635 mgmt_new_ltk(hdev, smp->ltk, persistent);
636 }
637
638 if (smp->slave_ltk) {
639 smp->slave_ltk->bdaddr_type = hcon->dst_type;
640 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
641 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
642 }
643}
644
645static int smp_distribute_keys(struct l2cap_conn *conn)
646{
647 struct smp_cmd_pairing *req, *rsp;
648 struct l2cap_chan *chan = conn->smp;
649 struct smp_chan *smp = chan->data;
650 struct hci_conn *hcon = conn->hcon;
651 struct hci_dev *hdev = hcon->hdev;
652 __u8 *keydist;
653
654 BT_DBG("conn %p", conn);
655
656 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
657 return 0;
658
659 rsp = (void *) &smp->prsp[1];
660
661 /* The responder sends its keys first */
662 if (hcon->out && (smp->remote_key_dist & 0x07))
663 return 0;
664
665 req = (void *) &smp->preq[1];
666
667 if (hcon->out) {
668 keydist = &rsp->init_key_dist;
669 *keydist &= req->init_key_dist;
670 } else {
671 keydist = &rsp->resp_key_dist;
672 *keydist &= req->resp_key_dist;
673 }
674
675 BT_DBG("keydist 0x%x", *keydist);
676
677 if (*keydist & SMP_DIST_ENC_KEY) {
678 struct smp_cmd_encrypt_info enc;
679 struct smp_cmd_master_ident ident;
680 struct smp_ltk *ltk;
681 u8 authenticated;
682 __le16 ediv;
683 __le64 rand;
684
685 get_random_bytes(enc.ltk, sizeof(enc.ltk));
686 get_random_bytes(&ediv, sizeof(ediv));
687 get_random_bytes(&rand, sizeof(rand));
688
689 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
690
691 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
692 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
693 SMP_LTK_SLAVE, authenticated, enc.ltk,
694 smp->enc_key_size, ediv, rand);
695 smp->slave_ltk = ltk;
696
697 ident.ediv = ediv;
698 ident.rand = rand;
699
700 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
701
702 *keydist &= ~SMP_DIST_ENC_KEY;
703 }
704
705 if (*keydist & SMP_DIST_ID_KEY) {
706 struct smp_cmd_ident_addr_info addrinfo;
707 struct smp_cmd_ident_info idinfo;
708
709 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
710
711 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
712
713 /* The hci_conn contains the local identity address
714 * after the connection has been established.
715 *
716 * This is true even when the connection has been
717 * established using a resolvable random address.
718 */
719 bacpy(&addrinfo.bdaddr, &hcon->src);
720 addrinfo.addr_type = hcon->src_type;
721
722 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
723 &addrinfo);
724
725 *keydist &= ~SMP_DIST_ID_KEY;
726 }
727
728 if (*keydist & SMP_DIST_SIGN) {
729 struct smp_cmd_sign_info sign;
730 struct smp_csrk *csrk;
731
732 /* Generate a new random key */
733 get_random_bytes(sign.csrk, sizeof(sign.csrk));
734
735 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
736 if (csrk) {
737 csrk->master = 0x00;
738 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
739 }
740 smp->slave_csrk = csrk;
741
742 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
743
744 *keydist &= ~SMP_DIST_SIGN;
745 }
746
747 /* If there are still keys to be received wait for them */
748 if ((smp->remote_key_dist & 0x07))
749 return 0;
750
751 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
752 cancel_delayed_work_sync(&conn->security_timer);
753 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 smp_notify_keys(conn);
755
756 smp_chan_destroy(conn);
757
758 return 0;
759}
760
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300761static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
762{
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300763 struct l2cap_chan *chan = conn->smp;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300764 struct smp_chan *smp;
765
Marcel Holtmannf1560462013-10-13 05:43:25 -0700766 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
Johan Hedberg616d55b2014-07-29 14:18:48 +0300767 if (!smp) {
768 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300769 return NULL;
Johan Hedberg616d55b2014-07-29 14:18:48 +0300770 }
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300771
Johan Hedberg6a7bd102014-06-27 14:23:03 +0300772 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
773 if (IS_ERR(smp->tfm_aes)) {
774 BT_ERR("Unable to create ECB crypto context");
775 kfree(smp);
Johan Hedberg616d55b2014-07-29 14:18:48 +0300776 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
Johan Hedberg6a7bd102014-06-27 14:23:03 +0300777 return NULL;
778 }
779
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300780 smp->conn = conn;
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300781 chan->data = smp;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300782
783 hci_conn_hold(conn->hcon);
784
785 return smp;
786}
787
788void smp_chan_destroy(struct l2cap_conn *conn)
789{
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300790 struct l2cap_chan *chan = conn->smp;
791 struct smp_chan *smp = chan->data;
Johan Hedbergf4a407b2014-02-18 21:41:34 +0200792 bool complete;
Brian Gixc8eb9692011-11-23 08:28:35 -0800793
Vinicius Costa Gomesf1c09c02012-02-01 18:27:56 -0300794 BUG_ON(!smp);
Brian Gixc8eb9692011-11-23 08:28:35 -0800795
Johan Hedberg4a74d652014-05-20 09:45:50 +0300796 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
Johan Hedbergf4a407b2014-02-18 21:41:34 +0200797 mgmt_smp_complete(conn->hcon, complete);
798
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -0700799 kfree(smp->csrk);
800 kfree(smp->slave_csrk);
801
Johan Hedberg6a7bd102014-06-27 14:23:03 +0300802 crypto_free_blkcipher(smp->tfm_aes);
803
Johan Hedberg759331d2014-02-28 10:10:16 +0200804 /* If pairing failed clean up any keys we might have */
805 if (!complete) {
806 if (smp->ltk) {
807 list_del(&smp->ltk->list);
808 kfree(smp->ltk);
809 }
810
811 if (smp->slave_ltk) {
812 list_del(&smp->slave_ltk->list);
813 kfree(smp->slave_ltk);
814 }
815
816 if (smp->remote_irk) {
817 list_del(&smp->remote_irk->list);
818 kfree(smp->remote_irk);
819 }
820 }
821
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300822 chan->data = NULL;
Brian Gixc8eb9692011-11-23 08:28:35 -0800823 kfree(smp);
David Herrmann76a68ba2013-04-06 20:28:37 +0200824 hci_conn_drop(conn->hcon);
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300825}
826
Brian Gix2b64d152011-12-21 16:12:12 -0800827int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
828{
Johan Hedbergb10e8012014-06-27 14:23:07 +0300829 struct l2cap_conn *conn = hcon->l2cap_data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300830 struct l2cap_chan *chan;
Brian Gix2b64d152011-12-21 16:12:12 -0800831 struct smp_chan *smp;
832 u32 value;
Brian Gix2b64d152011-12-21 16:12:12 -0800833
834 BT_DBG("");
835
Johan Hedberg642ac772014-06-27 14:23:06 +0300836 if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
Brian Gix2b64d152011-12-21 16:12:12 -0800837 return -ENOTCONN;
838
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300839 chan = conn->smp;
840 if (!chan)
841 return -ENOTCONN;
842
843 smp = chan->data;
Brian Gix2b64d152011-12-21 16:12:12 -0800844
845 switch (mgmt_op) {
846 case MGMT_OP_USER_PASSKEY_REPLY:
847 value = le32_to_cpu(passkey);
Johan Hedberg943a7322014-03-18 12:58:24 +0200848 memset(smp->tk, 0, sizeof(smp->tk));
Brian Gix2b64d152011-12-21 16:12:12 -0800849 BT_DBG("PassKey: %d", value);
Johan Hedberg943a7322014-03-18 12:58:24 +0200850 put_unaligned_le32(value, smp->tk);
Brian Gix2b64d152011-12-21 16:12:12 -0800851 /* Fall Through */
852 case MGMT_OP_USER_CONFIRM_REPLY:
Johan Hedberg4a74d652014-05-20 09:45:50 +0300853 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -0800854 break;
855 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
856 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
Johan Hedberg84794e12013-11-06 11:24:57 +0200857 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
Brian Gix2b64d152011-12-21 16:12:12 -0800858 return 0;
859 default:
Johan Hedberg84794e12013-11-06 11:24:57 +0200860 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
Brian Gix2b64d152011-12-21 16:12:12 -0800861 return -EOPNOTSUPP;
862 }
863
864 /* If it is our turn to send Pairing Confirm, do so now */
Johan Hedberg1cc61142014-05-20 09:45:52 +0300865 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
866 u8 rsp = smp_confirm(smp);
867 if (rsp)
868 smp_failure(conn, rsp);
869 }
Brian Gix2b64d152011-12-21 16:12:12 -0800870
871 return 0;
872}
873
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -0300874static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300875{
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300876 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
Johan Hedbergb3c64102014-07-10 11:02:07 +0300877 struct hci_dev *hdev = conn->hcon->hdev;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300878 struct smp_chan *smp;
Johan Hedbergc7262e72014-06-17 13:07:37 +0300879 u8 key_size, auth, sec_level;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300880 int ret;
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300881
882 BT_DBG("conn %p", conn);
883
Johan Hedbergc46b98b2014-02-18 10:19:29 +0200884 if (skb->len < sizeof(*req))
Johan Hedberg38e4a912014-05-08 14:19:11 +0300885 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +0200886
Johan Hedberg40bef302014-07-16 11:42:27 +0300887 if (conn->hcon->role != HCI_ROLE_SLAVE)
Brian Gix2b64d152011-12-21 16:12:12 -0800888 return SMP_CMD_NOTSUPP;
889
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300890 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300891 smp = smp_chan_create(conn);
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300892 } else {
893 struct l2cap_chan *chan = conn->smp;
894 smp = chan->data;
895 }
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300896
Andrei Emeltchenkod08fd0e2012-07-19 17:03:43 +0300897 if (!smp)
898 return SMP_UNSPECIFIED;
Vinicius Costa Gomesd26a2342011-08-19 21:06:51 -0300899
Johan Hedbergb6ae8452014-07-30 09:22:22 +0300900 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
Johan Hedbergb3c64102014-07-10 11:02:07 +0300901 (req->auth_req & SMP_AUTH_BONDING))
902 return SMP_PAIRING_NOTSUPP;
903
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -0300904 smp->preq[0] = SMP_CMD_PAIRING_REQ;
905 memcpy(&smp->preq[1], req, sizeof(*req));
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300906 skb_pull(skb, sizeof(*req));
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300907
Brian Gix2b64d152011-12-21 16:12:12 -0800908 /* We didn't start the pairing, so match remote */
Johan Hedberg1ef35822014-05-20 09:45:48 +0300909 auth = req->auth_req;
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -0300910
Johan Hedbergc7262e72014-06-17 13:07:37 +0300911 sec_level = authreq_to_seclevel(auth);
912 if (sec_level > conn->hcon->pending_sec_level)
913 conn->hcon->pending_sec_level = sec_level;
Ido Yarivfdde0a22012-03-05 20:09:38 +0200914
Johan Hedberg2ed8f652014-06-17 13:07:39 +0300915 /* If we need MITM check that it can be acheived */
916 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
917 u8 method;
918
919 method = get_auth_method(smp, conn->hcon->io_capability,
920 req->io_capability);
921 if (method == JUST_WORKS || method == JUST_CFM)
922 return SMP_AUTH_REQUIREMENTS;
923 }
924
Brian Gix2b64d152011-12-21 16:12:12 -0800925 build_pairing_cmd(conn, req, &rsp, auth);
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300926
927 key_size = min(req->max_key_size, rsp.max_key_size);
928 if (check_enc_key_size(conn, key_size))
929 return SMP_ENC_KEY_SIZE;
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300930
Johan Hedberge84a6b12013-12-02 10:49:03 +0200931 get_random_bytes(smp->prnd, sizeof(smp->prnd));
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300932
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -0300933 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
934 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
Anderson Brigliaf01ead32011-06-09 18:50:45 -0300935
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300936 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -0300937
Brian Gix2b64d152011-12-21 16:12:12 -0800938 /* Request setup of TK */
939 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
940 if (ret)
941 return SMP_UNSPECIFIED;
942
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -0300943 return 0;
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300944}
945
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -0300946static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300947{
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300948 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +0300949 struct l2cap_chan *chan = conn->smp;
950 struct smp_chan *smp = chan->data;
Brian Gix2b64d152011-12-21 16:12:12 -0800951 u8 key_size, auth = SMP_AUTH_NONE;
Anderson Briglia7d24ddc2011-06-09 18:50:46 -0300952 int ret;
Anderson Briglia88ba43b2011-06-09 18:50:42 -0300953
954 BT_DBG("conn %p", conn);
955
Johan Hedbergc46b98b2014-02-18 10:19:29 +0200956 if (skb->len < sizeof(*rsp))
Johan Hedberg38e4a912014-05-08 14:19:11 +0300957 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +0200958
Johan Hedberg40bef302014-07-16 11:42:27 +0300959 if (conn->hcon->role != HCI_ROLE_MASTER)
Brian Gix2b64d152011-12-21 16:12:12 -0800960 return SMP_CMD_NOTSUPP;
961
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300962 skb_pull(skb, sizeof(*rsp));
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -0300963
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -0300964 req = (void *) &smp->preq[1];
Vinicius Costa Gomes3158c502011-06-14 13:37:42 -0300965
966 key_size = min(req->max_key_size, rsp->max_key_size);
967 if (check_enc_key_size(conn, key_size))
968 return SMP_ENC_KEY_SIZE;
969
Johan Hedberg2ed8f652014-06-17 13:07:39 +0300970 /* If we need MITM check that it can be acheived */
971 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
972 u8 method;
973
974 method = get_auth_method(smp, req->io_capability,
975 rsp->io_capability);
976 if (method == JUST_WORKS || method == JUST_CFM)
977 return SMP_AUTH_REQUIREMENTS;
978 }
979
Johan Hedberge84a6b12013-12-02 10:49:03 +0200980 get_random_bytes(smp->prnd, sizeof(smp->prnd));
Anderson Briglia7d24ddc2011-06-09 18:50:46 -0300981
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -0300982 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
983 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
Anderson Briglia7d24ddc2011-06-09 18:50:46 -0300984
Johan Hedbergfdcc4be2014-03-14 10:53:50 +0200985 /* Update remote key distribution in case the remote cleared
986 * some bits that we had enabled in our request.
987 */
988 smp->remote_key_dist &= rsp->resp_key_dist;
989
Brian Gix2b64d152011-12-21 16:12:12 -0800990 if ((req->auth_req & SMP_AUTH_BONDING) &&
Marcel Holtmannf1560462013-10-13 05:43:25 -0700991 (rsp->auth_req & SMP_AUTH_BONDING))
Brian Gix2b64d152011-12-21 16:12:12 -0800992 auth = SMP_AUTH_BONDING;
993
994 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
995
Johan Hedberg476585e2012-06-06 18:54:15 +0800996 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
Brian Gix2b64d152011-12-21 16:12:12 -0800997 if (ret)
998 return SMP_UNSPECIFIED;
999
Johan Hedberg4a74d652014-05-20 09:45:50 +03001000 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
Brian Gix2b64d152011-12-21 16:12:12 -08001001
1002 /* Can't compose response until we have been confirmed */
Johan Hedberg4a74d652014-05-20 09:45:50 +03001003 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
Johan Hedberg1cc61142014-05-20 09:45:52 +03001004 return smp_confirm(smp);
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001005
1006 return 0;
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001007}
1008
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001009static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001010{
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001011 struct l2cap_chan *chan = conn->smp;
1012 struct smp_chan *smp = chan->data;
Anderson Briglia7d24ddc2011-06-09 18:50:46 -03001013
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001014 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1015
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001016 if (skb->len < sizeof(smp->pcnf))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001017 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001018
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -03001019 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1020 skb_pull(skb, sizeof(smp->pcnf));
Anderson Briglia7d24ddc2011-06-09 18:50:46 -03001021
Johan Hedberg943a7322014-03-18 12:58:24 +02001022 if (conn->hcon->out)
1023 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1024 smp->prnd);
Johan Hedberg4a74d652014-05-20 09:45:50 +03001025 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
Johan Hedberg1cc61142014-05-20 09:45:52 +03001026 return smp_confirm(smp);
Johan Hedberg943a7322014-03-18 12:58:24 +02001027 else
Johan Hedberg4a74d652014-05-20 09:45:50 +03001028 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001029
1030 return 0;
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001031}
1032
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001033static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001034{
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001035 struct l2cap_chan *chan = conn->smp;
1036 struct smp_chan *smp = chan->data;
Anderson Briglia7d24ddc2011-06-09 18:50:46 -03001037
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -03001038 BT_DBG("conn %p", conn);
Anderson Briglia7d24ddc2011-06-09 18:50:46 -03001039
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001040 if (skb->len < sizeof(smp->rrnd))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001041 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001042
Johan Hedberg943a7322014-03-18 12:58:24 +02001043 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -03001044 skb_pull(skb, sizeof(smp->rrnd));
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001045
Johan Hedberg861580a2014-05-20 09:45:51 +03001046 return smp_random(smp);
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001047}
1048
Marcel Holtmannf81cd822014-07-01 10:59:24 +02001049static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001050{
Vinicius Costa Gomesc9839a12012-02-02 21:08:01 -03001051 struct smp_ltk *key;
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001052 struct hci_conn *hcon = conn->hcon;
1053
Johan Hedberg98a0b842014-01-30 19:40:00 -08001054 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
Johan Hedberge804d252014-07-16 11:42:28 +03001055 hcon->role);
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001056 if (!key)
Marcel Holtmannf81cd822014-07-01 10:59:24 +02001057 return false;
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001058
Johan Hedberg4dab7862012-06-07 14:58:37 +08001059 if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
Marcel Holtmannf81cd822014-07-01 10:59:24 +02001060 return false;
Johan Hedberg4dab7862012-06-07 14:58:37 +08001061
Johan Hedberg51a8efd2012-01-16 06:10:31 +02001062 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
Marcel Holtmannf81cd822014-07-01 10:59:24 +02001063 return true;
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001064
Vinicius Costa Gomesc9839a12012-02-02 21:08:01 -03001065 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
1066 hcon->enc_key_size = key->enc_size;
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001067
Johan Hedbergfe59a052014-07-01 19:14:12 +03001068 /* We never store STKs for master role, so clear this flag */
1069 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1070
Marcel Holtmannf81cd822014-07-01 10:59:24 +02001071 return true;
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001072}
Marcel Holtmannf1560462013-10-13 05:43:25 -07001073
Johan Hedberg854f4722014-07-01 18:40:20 +03001074bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
1075{
1076 if (sec_level == BT_SECURITY_LOW)
1077 return true;
1078
Johan Hedberg9ab65d602014-07-01 19:14:13 +03001079 /* If we're encrypted with an STK always claim insufficient
1080 * security. This way we allow the connection to be re-encrypted
1081 * with an LTK, even if the LTK provides the same level of
Johan Hedbergb2d5e252014-07-14 14:34:55 +03001082 * security. Only exception is if we don't have an LTK (e.g.
1083 * because of key distribution bits).
Johan Hedberg9ab65d602014-07-01 19:14:13 +03001084 */
Johan Hedbergb2d5e252014-07-14 14:34:55 +03001085 if (test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1086 hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
Johan Hedberge804d252014-07-16 11:42:28 +03001087 hcon->role))
Johan Hedberg9ab65d602014-07-01 19:14:13 +03001088 return false;
1089
Johan Hedberg854f4722014-07-01 18:40:20 +03001090 if (hcon->sec_level >= sec_level)
1091 return true;
1092
1093 return false;
1094}
1095
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001096static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001097{
1098 struct smp_cmd_security_req *rp = (void *) skb->data;
1099 struct smp_cmd_pairing cp;
Vinicius Costa Gomesf1cb9af2011-01-26 21:42:57 -03001100 struct hci_conn *hcon = conn->hcon;
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -03001101 struct smp_chan *smp;
Johan Hedbergc7262e72014-06-17 13:07:37 +03001102 u8 sec_level;
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001103
1104 BT_DBG("conn %p", conn);
1105
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001106 if (skb->len < sizeof(*rp))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001107 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001108
Johan Hedberg40bef302014-07-16 11:42:27 +03001109 if (hcon->role != HCI_ROLE_MASTER)
Johan Hedberg86ca9ea2013-11-05 11:30:39 +02001110 return SMP_CMD_NOTSUPP;
1111
Johan Hedbergc7262e72014-06-17 13:07:37 +03001112 sec_level = authreq_to_seclevel(rp->auth_req);
Johan Hedberg854f4722014-07-01 18:40:20 +03001113 if (smp_sufficient_security(hcon, sec_level))
1114 return 0;
1115
Johan Hedbergc7262e72014-06-17 13:07:37 +03001116 if (sec_level > hcon->pending_sec_level)
1117 hcon->pending_sec_level = sec_level;
Vinicius Costa Gomesfeb45eb2011-08-25 20:02:35 -03001118
Johan Hedberg4dab7862012-06-07 14:58:37 +08001119 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
Vinicius Costa Gomes988c5992011-08-25 20:02:28 -03001120 return 0;
1121
Johan Hedberg51a8efd2012-01-16 06:10:31 +02001122 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001123 return 0;
Vinicius Costa Gomesf1cb9af2011-01-26 21:42:57 -03001124
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -03001125 smp = smp_chan_create(conn);
Johan Hedbergc29d2442014-06-16 19:25:14 +03001126 if (!smp)
1127 return SMP_UNSPECIFIED;
Vinicius Costa Gomesd26a2342011-08-19 21:06:51 -03001128
Johan Hedbergb6ae8452014-07-30 09:22:22 +03001129 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
Johan Hedberg616d55b2014-07-29 14:18:48 +03001130 (rp->auth_req & SMP_AUTH_BONDING))
1131 return SMP_PAIRING_NOTSUPP;
1132
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001133 skb_pull(skb, sizeof(*rp));
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001134
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001135 memset(&cp, 0, sizeof(cp));
Vinicius Costa Gomes54790f72011-07-07 18:59:38 -03001136 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001137
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -03001138 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1139 memcpy(&smp->preq[1], &cp, sizeof(cp));
Anderson Brigliaf01ead32011-06-09 18:50:45 -03001140
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001141 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
Vinicius Costa Gomesf1cb9af2011-01-26 21:42:57 -03001142
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001143 return 0;
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001144}
1145
Vinicius Costa Gomescc110922012-08-23 21:32:43 -03001146int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001147{
Vinicius Costa Gomescc110922012-08-23 21:32:43 -03001148 struct l2cap_conn *conn = hcon->l2cap_data;
Johan Hedberg0a66cf22014-03-24 14:39:03 +02001149 struct smp_chan *smp;
Brian Gix2b64d152011-12-21 16:12:12 -08001150 __u8 authreq;
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001151
Vinicius Costa Gomes3a0259b2011-06-09 18:50:43 -03001152 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
1153
Johan Hedberg0a66cf22014-03-24 14:39:03 +02001154 /* This may be NULL if there's an unexpected disconnection */
1155 if (!conn)
1156 return 1;
1157
Johan Hedberg757aee02013-04-24 13:05:32 +03001158 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
Andre Guedes2e65c9d2011-06-30 19:20:56 -03001159 return 1;
1160
Johan Hedbergad32a2f2013-05-14 18:05:12 +03001161 if (smp_sufficient_security(hcon, sec_level))
Vinicius Costa Gomesf1cb9af2011-01-26 21:42:57 -03001162 return 1;
1163
Johan Hedbergc7262e72014-06-17 13:07:37 +03001164 if (sec_level > hcon->pending_sec_level)
1165 hcon->pending_sec_level = sec_level;
1166
Johan Hedberg40bef302014-07-16 11:42:27 +03001167 if (hcon->role == HCI_ROLE_MASTER)
Johan Hedbergc7262e72014-06-17 13:07:37 +03001168 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1169 return 0;
Vinicius Costa Gomesd26a2342011-08-19 21:06:51 -03001170
Johan Hedberg51a8efd2012-01-16 06:10:31 +02001171 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
Vinicius Costa Gomesd26a2342011-08-19 21:06:51 -03001172 return 0;
1173
Vinicius Costa Gomes8aab4752011-09-05 14:31:31 -03001174 smp = smp_chan_create(conn);
Brian Gix2b64d152011-12-21 16:12:12 -08001175 if (!smp)
1176 return 1;
1177
1178 authreq = seclevel_to_authreq(sec_level);
Vinicius Costa Gomesd26a2342011-08-19 21:06:51 -03001179
Johan Hedberg79897d22014-06-01 09:45:24 +03001180 /* Require MITM if IO Capability allows or the security level
1181 * requires it.
Johan Hedberg2e233642014-03-18 15:42:30 +02001182 */
Johan Hedberg79897d22014-06-01 09:45:24 +03001183 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
Johan Hedbergc7262e72014-06-17 13:07:37 +03001184 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
Johan Hedberg2e233642014-03-18 15:42:30 +02001185 authreq |= SMP_AUTH_MITM;
1186
Johan Hedberg40bef302014-07-16 11:42:27 +03001187 if (hcon->role == HCI_ROLE_MASTER) {
Vinicius Costa Gomesd26a2342011-08-19 21:06:51 -03001188 struct smp_cmd_pairing cp;
Anderson Brigliaf01ead32011-06-09 18:50:45 -03001189
Brian Gix2b64d152011-12-21 16:12:12 -08001190 build_pairing_cmd(conn, &cp, NULL, authreq);
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -03001191 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1192 memcpy(&smp->preq[1], &cp, sizeof(cp));
Anderson Brigliaf01ead32011-06-09 18:50:45 -03001193
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001194 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1195 } else {
1196 struct smp_cmd_security_req cp;
Brian Gix2b64d152011-12-21 16:12:12 -08001197 cp.auth_req = authreq;
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001198 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1199 }
1200
Johan Hedberg4a74d652014-05-20 09:45:50 +03001201 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
Johan Hedbergedca7922014-03-24 15:54:11 +02001202
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001203 return 0;
1204}
1205
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001206static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1207{
Vinicius Costa Gomes16b90832011-07-07 18:59:39 -03001208 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001209 struct l2cap_chan *chan = conn->smp;
1210 struct smp_chan *smp = chan->data;
Vinicius Costa Gomes16b90832011-07-07 18:59:39 -03001211
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001212 BT_DBG("conn %p", conn);
1213
1214 if (skb->len < sizeof(*rp))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001215 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001216
Johan Hedberg6131ddc2014-02-18 10:19:37 +02001217 /* Ignore this PDU if it wasn't requested */
1218 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
1219 return 0;
1220
Vinicius Costa Gomes16b90832011-07-07 18:59:39 -03001221 skb_pull(skb, sizeof(*rp));
1222
Vinicius Costa Gomes1c1def02011-09-05 14:31:30 -03001223 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
Vinicius Costa Gomes16b90832011-07-07 18:59:39 -03001224
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001225 return 0;
1226}
1227
1228static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1229{
Vinicius Costa Gomes16b90832011-07-07 18:59:39 -03001230 struct smp_cmd_master_ident *rp = (void *) skb->data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001231 struct l2cap_chan *chan = conn->smp;
1232 struct smp_chan *smp = chan->data;
Vinicius Costa Gomesc9839a12012-02-02 21:08:01 -03001233 struct hci_dev *hdev = conn->hcon->hdev;
1234 struct hci_conn *hcon = conn->hcon;
Johan Hedberg23d0e122014-02-19 14:57:46 +02001235 struct smp_ltk *ltk;
Vinicius Costa Gomesc9839a12012-02-02 21:08:01 -03001236 u8 authenticated;
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001237
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001238 BT_DBG("conn %p", conn);
1239
1240 if (skb->len < sizeof(*rp))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001241 return SMP_INVALID_PARAMS;
Johan Hedbergc46b98b2014-02-18 10:19:29 +02001242
Johan Hedberg6131ddc2014-02-18 10:19:37 +02001243 /* Ignore this PDU if it wasn't requested */
1244 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
1245 return 0;
1246
Johan Hedberg9747a9f2014-02-26 23:33:43 +02001247 /* Mark the information as received */
1248 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1249
Vinicius Costa Gomes16b90832011-07-07 18:59:39 -03001250 skb_pull(skb, sizeof(*rp));
1251
Vinicius Costa Gomesc9839a12012-02-02 21:08:01 -03001252 hci_dev_lock(hdev);
Marcel Holtmannce39fb42013-10-13 02:23:39 -07001253 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
Johan Hedberg2ceba532014-06-16 19:25:16 +03001254 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
Johan Hedberg23d0e122014-02-19 14:57:46 +02001255 authenticated, smp->tk, smp->enc_key_size,
1256 rp->ediv, rp->rand);
1257 smp->ltk = ltk;
Johan Hedbergfd349c02014-02-18 10:19:36 +02001258 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
Johan Hedberg4bd6d382014-02-26 23:33:45 +02001259 smp_distribute_keys(conn);
Vinicius Costa Gomesc9839a12012-02-02 21:08:01 -03001260 hci_dev_unlock(hdev);
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001261
1262 return 0;
1263}
1264
Johan Hedbergfd349c02014-02-18 10:19:36 +02001265static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1266{
1267 struct smp_cmd_ident_info *info = (void *) skb->data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001268 struct l2cap_chan *chan = conn->smp;
1269 struct smp_chan *smp = chan->data;
Johan Hedbergfd349c02014-02-18 10:19:36 +02001270
1271 BT_DBG("");
1272
1273 if (skb->len < sizeof(*info))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001274 return SMP_INVALID_PARAMS;
Johan Hedbergfd349c02014-02-18 10:19:36 +02001275
Johan Hedberg6131ddc2014-02-18 10:19:37 +02001276 /* Ignore this PDU if it wasn't requested */
1277 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1278 return 0;
1279
Johan Hedbergfd349c02014-02-18 10:19:36 +02001280 skb_pull(skb, sizeof(*info));
1281
1282 memcpy(smp->irk, info->irk, 16);
1283
1284 return 0;
1285}
1286
1287static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1288 struct sk_buff *skb)
1289{
1290 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001291 struct l2cap_chan *chan = conn->smp;
1292 struct smp_chan *smp = chan->data;
Johan Hedbergfd349c02014-02-18 10:19:36 +02001293 struct hci_conn *hcon = conn->hcon;
1294 bdaddr_t rpa;
1295
1296 BT_DBG("");
1297
1298 if (skb->len < sizeof(*info))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001299 return SMP_INVALID_PARAMS;
Johan Hedbergfd349c02014-02-18 10:19:36 +02001300
Johan Hedberg6131ddc2014-02-18 10:19:37 +02001301 /* Ignore this PDU if it wasn't requested */
1302 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1303 return 0;
1304
Johan Hedberg9747a9f2014-02-26 23:33:43 +02001305 /* Mark the information as received */
1306 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1307
Johan Hedbergfd349c02014-02-18 10:19:36 +02001308 skb_pull(skb, sizeof(*info));
1309
Johan Hedberg31dd6242014-06-27 14:23:02 +03001310 hci_dev_lock(hcon->hdev);
1311
Johan Hedberga9a58f82014-02-25 22:24:37 +02001312 /* Strictly speaking the Core Specification (4.1) allows sending
1313 * an empty address which would force us to rely on just the IRK
1314 * as "identity information". However, since such
1315 * implementations are not known of and in order to not over
1316 * complicate our implementation, simply pretend that we never
1317 * received an IRK for such a device.
1318 */
1319 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1320 BT_ERR("Ignoring IRK with no identity address");
Johan Hedberg31dd6242014-06-27 14:23:02 +03001321 goto distribute;
Johan Hedberga9a58f82014-02-25 22:24:37 +02001322 }
1323
Johan Hedbergfd349c02014-02-18 10:19:36 +02001324 bacpy(&smp->id_addr, &info->bdaddr);
1325 smp->id_addr_type = info->addr_type;
1326
1327 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1328 bacpy(&rpa, &hcon->dst);
1329 else
1330 bacpy(&rpa, BDADDR_ANY);
1331
Johan Hedberg23d0e122014-02-19 14:57:46 +02001332 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1333 smp->id_addr_type, smp->irk, &rpa);
Johan Hedbergfd349c02014-02-18 10:19:36 +02001334
Johan Hedberg31dd6242014-06-27 14:23:02 +03001335distribute:
Johan Hedberg4bd6d382014-02-26 23:33:45 +02001336 smp_distribute_keys(conn);
Johan Hedbergfd349c02014-02-18 10:19:36 +02001337
Johan Hedberg31dd6242014-06-27 14:23:02 +03001338 hci_dev_unlock(hcon->hdev);
1339
Johan Hedbergfd349c02014-02-18 10:19:36 +02001340 return 0;
1341}
1342
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -07001343static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1344{
1345 struct smp_cmd_sign_info *rp = (void *) skb->data;
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001346 struct l2cap_chan *chan = conn->smp;
1347 struct smp_chan *smp = chan->data;
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -07001348 struct hci_dev *hdev = conn->hcon->hdev;
1349 struct smp_csrk *csrk;
1350
1351 BT_DBG("conn %p", conn);
1352
1353 if (skb->len < sizeof(*rp))
Johan Hedberg38e4a912014-05-08 14:19:11 +03001354 return SMP_INVALID_PARAMS;
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -07001355
1356 /* Ignore this PDU if it wasn't requested */
1357 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1358 return 0;
1359
1360 /* Mark the information as received */
1361 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1362
1363 skb_pull(skb, sizeof(*rp));
1364
1365 hci_dev_lock(hdev);
1366 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1367 if (csrk) {
1368 csrk->master = 0x01;
1369 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1370 }
1371 smp->csrk = csrk;
Johan Hedberg5fcb9342014-08-07 10:03:31 +03001372 smp_distribute_keys(conn);
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -07001373 hci_dev_unlock(hdev);
1374
1375 return 0;
1376}
1377
Johan Hedberg4befb862014-08-11 22:06:38 +03001378static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001379{
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001380 struct l2cap_conn *conn = chan->conn;
Marcel Holtmann7b9899d2013-10-03 00:00:57 -07001381 struct hci_conn *hcon = conn->hcon;
Marcel Holtmann92381f52013-10-03 01:23:08 -07001382 __u8 code, reason;
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001383 int err = 0;
1384
Marcel Holtmann7b9899d2013-10-03 00:00:57 -07001385 if (hcon->type != LE_LINK) {
1386 kfree_skb(skb);
Johan Hedberg3432711f2013-10-16 11:37:01 +03001387 return 0;
Marcel Holtmann7b9899d2013-10-03 00:00:57 -07001388 }
1389
Marcel Holtmann92381f52013-10-03 01:23:08 -07001390 if (skb->len < 1) {
1391 kfree_skb(skb);
1392 return -EILSEQ;
1393 }
1394
Marcel Holtmann06ae3312013-10-18 03:43:00 -07001395 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
Johan Hedbergbeb19e42014-07-18 11:15:26 +03001396 err = -EOPNOTSUPP;
Andre Guedes2e65c9d2011-06-30 19:20:56 -03001397 reason = SMP_PAIRING_NOTSUPP;
1398 goto done;
1399 }
1400
Marcel Holtmann92381f52013-10-03 01:23:08 -07001401 code = skb->data[0];
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001402 skb_pull(skb, sizeof(code));
1403
Johan Hedberg8cf9fa12013-01-29 10:44:23 -06001404 /*
1405 * The SMP context must be initialized for all other PDUs except
1406 * pairing and security requests. If we get any other PDU when
1407 * not initialized simply disconnect (done if this function
1408 * returns an error).
1409 */
1410 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
Johan Hedbergd3368602014-08-08 09:28:05 +03001411 !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags)) {
Johan Hedberg8cf9fa12013-01-29 10:44:23 -06001412 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1413 kfree_skb(skb);
Johan Hedbergbeb19e42014-07-18 11:15:26 +03001414 return -EOPNOTSUPP;
Johan Hedberg8cf9fa12013-01-29 10:44:23 -06001415 }
1416
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001417 switch (code) {
1418 case SMP_CMD_PAIRING_REQ:
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001419 reason = smp_cmd_pairing_req(conn, skb);
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001420 break;
1421
1422 case SMP_CMD_PAIRING_FAIL:
Johan Hedberg84794e12013-11-06 11:24:57 +02001423 smp_failure(conn, 0);
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001424 reason = 0;
1425 err = -EPERM;
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001426 break;
1427
1428 case SMP_CMD_PAIRING_RSP:
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001429 reason = smp_cmd_pairing_rsp(conn, skb);
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001430 break;
1431
1432 case SMP_CMD_SECURITY_REQ:
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001433 reason = smp_cmd_security_req(conn, skb);
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001434 break;
1435
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001436 case SMP_CMD_PAIRING_CONFIRM:
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001437 reason = smp_cmd_pairing_confirm(conn, skb);
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001438 break;
1439
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001440 case SMP_CMD_PAIRING_RANDOM:
Vinicius Costa Gomesda85e5e2011-06-09 18:50:53 -03001441 reason = smp_cmd_pairing_random(conn, skb);
Anderson Briglia88ba43b2011-06-09 18:50:42 -03001442 break;
1443
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001444 case SMP_CMD_ENCRYPT_INFO:
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001445 reason = smp_cmd_encrypt_info(conn, skb);
1446 break;
1447
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001448 case SMP_CMD_MASTER_IDENT:
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001449 reason = smp_cmd_master_ident(conn, skb);
1450 break;
1451
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001452 case SMP_CMD_IDENT_INFO:
Johan Hedbergfd349c02014-02-18 10:19:36 +02001453 reason = smp_cmd_ident_info(conn, skb);
1454 break;
1455
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001456 case SMP_CMD_IDENT_ADDR_INFO:
Johan Hedbergfd349c02014-02-18 10:19:36 +02001457 reason = smp_cmd_ident_addr_info(conn, skb);
1458 break;
1459
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001460 case SMP_CMD_SIGN_INFO:
Marcel Holtmann7ee4ea32014-03-09 12:19:17 -07001461 reason = smp_cmd_sign_info(conn, skb);
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001462 break;
1463
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001464 default:
1465 BT_DBG("Unknown command code 0x%2.2x", code);
1466
1467 reason = SMP_CMD_NOTSUPP;
Vinicius Costa Gomes3a0259b2011-06-09 18:50:43 -03001468 err = -EOPNOTSUPP;
1469 goto done;
1470 }
1471
1472done:
1473 if (reason)
Johan Hedberg84794e12013-11-06 11:24:57 +02001474 smp_failure(conn, reason);
Anderson Brigliaeb492e02011-06-09 18:50:40 -03001475
1476 kfree_skb(skb);
1477 return err;
1478}
Vinicius Costa Gomes7034b912011-07-07 18:59:34 -03001479
Johan Hedberg70db83c2014-08-08 09:37:16 +03001480static void smp_teardown_cb(struct l2cap_chan *chan, int err)
1481{
1482 struct l2cap_conn *conn = chan->conn;
1483
1484 BT_DBG("chan %p", chan);
1485
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001486 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags)) {
1487 cancel_delayed_work_sync(&conn->security_timer);
1488 smp_chan_destroy(conn);
1489 }
1490
Johan Hedberg70db83c2014-08-08 09:37:16 +03001491 conn->smp = NULL;
1492 l2cap_chan_put(chan);
1493}
1494
Johan Hedberg44f1a7a2014-08-11 22:06:36 +03001495static void smp_resume_cb(struct l2cap_chan *chan)
1496{
1497 struct l2cap_conn *conn = chan->conn;
1498 struct hci_conn *hcon = conn->hcon;
1499
1500 BT_DBG("chan %p", chan);
1501
1502 if (test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
1503 smp_distribute_keys(conn);
1504 cancel_delayed_work(&conn->security_timer);
1505}
1506
Johan Hedberg70db83c2014-08-08 09:37:16 +03001507static void smp_ready_cb(struct l2cap_chan *chan)
1508{
1509 struct l2cap_conn *conn = chan->conn;
1510
1511 BT_DBG("chan %p", chan);
1512
1513 conn->smp = chan;
1514 l2cap_chan_hold(chan);
1515}
1516
Johan Hedberg4befb862014-08-11 22:06:38 +03001517static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
1518{
1519 int err;
1520
1521 BT_DBG("chan %p", chan);
1522
1523 err = smp_sig_channel(chan, skb);
1524 if (err) {
1525 struct l2cap_conn *conn = chan->conn;
1526
1527 cancel_delayed_work_sync(&conn->security_timer);
1528
1529 l2cap_conn_shutdown(chan->conn, -err);
1530 }
1531
1532 return err;
1533}
1534
Johan Hedberg70db83c2014-08-08 09:37:16 +03001535static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
1536 unsigned long hdr_len,
1537 unsigned long len, int nb)
1538{
1539 struct sk_buff *skb;
1540
1541 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
1542 if (!skb)
1543 return ERR_PTR(-ENOMEM);
1544
1545 skb->priority = HCI_PRIO_MAX;
1546 bt_cb(skb)->chan = chan;
1547
1548 return skb;
1549}
1550
1551static const struct l2cap_ops smp_chan_ops = {
1552 .name = "Security Manager",
1553 .ready = smp_ready_cb,
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001554 .recv = smp_recv_cb,
Johan Hedberg70db83c2014-08-08 09:37:16 +03001555 .alloc_skb = smp_alloc_skb_cb,
1556 .teardown = smp_teardown_cb,
Johan Hedberg44f1a7a2014-08-11 22:06:36 +03001557 .resume = smp_resume_cb,
Johan Hedberg70db83c2014-08-08 09:37:16 +03001558
1559 .new_connection = l2cap_chan_no_new_connection,
Johan Hedberg70db83c2014-08-08 09:37:16 +03001560 .state_change = l2cap_chan_no_state_change,
1561 .close = l2cap_chan_no_close,
1562 .defer = l2cap_chan_no_defer,
1563 .suspend = l2cap_chan_no_suspend,
Johan Hedberg70db83c2014-08-08 09:37:16 +03001564 .set_shutdown = l2cap_chan_no_set_shutdown,
1565 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1566 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1567};
1568
1569static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
1570{
1571 struct l2cap_chan *chan;
1572
1573 BT_DBG("pchan %p", pchan);
1574
1575 chan = l2cap_chan_create();
1576 if (!chan)
1577 return NULL;
1578
1579 chan->chan_type = pchan->chan_type;
1580 chan->ops = &smp_chan_ops;
1581 chan->scid = pchan->scid;
1582 chan->dcid = chan->scid;
1583 chan->imtu = pchan->imtu;
1584 chan->omtu = pchan->omtu;
1585 chan->mode = pchan->mode;
1586
1587 BT_DBG("created chan %p", chan);
1588
1589 return chan;
1590}
1591
1592static const struct l2cap_ops smp_root_chan_ops = {
1593 .name = "Security Manager Root",
1594 .new_connection = smp_new_conn_cb,
1595
1596 /* None of these are implemented for the root channel */
1597 .close = l2cap_chan_no_close,
1598 .alloc_skb = l2cap_chan_no_alloc_skb,
1599 .recv = l2cap_chan_no_recv,
1600 .state_change = l2cap_chan_no_state_change,
1601 .teardown = l2cap_chan_no_teardown,
1602 .ready = l2cap_chan_no_ready,
1603 .defer = l2cap_chan_no_defer,
1604 .suspend = l2cap_chan_no_suspend,
1605 .resume = l2cap_chan_no_resume,
1606 .set_shutdown = l2cap_chan_no_set_shutdown,
1607 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
1608 .memcpy_fromiovec = l2cap_chan_no_memcpy_fromiovec,
1609};
1610
Johan Hedberg711eafe2014-08-08 09:32:52 +03001611int smp_register(struct hci_dev *hdev)
1612{
Johan Hedberg70db83c2014-08-08 09:37:16 +03001613 struct l2cap_chan *chan;
Johan Hedbergdefce9e2014-08-08 09:37:17 +03001614 struct crypto_blkcipher *tfm_aes;
Johan Hedberg70db83c2014-08-08 09:37:16 +03001615
Johan Hedberg711eafe2014-08-08 09:32:52 +03001616 BT_DBG("%s", hdev->name);
1617
Johan Hedbergdefce9e2014-08-08 09:37:17 +03001618 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1619 if (IS_ERR(tfm_aes)) {
1620 int err = PTR_ERR(tfm_aes);
Johan Hedberg711eafe2014-08-08 09:32:52 +03001621 BT_ERR("Unable to create crypto context");
Johan Hedberg711eafe2014-08-08 09:32:52 +03001622 return err;
1623 }
1624
Johan Hedberg70db83c2014-08-08 09:37:16 +03001625 chan = l2cap_chan_create();
1626 if (!chan) {
Johan Hedbergdefce9e2014-08-08 09:37:17 +03001627 crypto_free_blkcipher(tfm_aes);
Johan Hedberg70db83c2014-08-08 09:37:16 +03001628 return -ENOMEM;
1629 }
1630
Johan Hedbergdefce9e2014-08-08 09:37:17 +03001631 chan->data = tfm_aes;
1632
Johan Hedberg5d88cc72014-08-08 09:37:18 +03001633 l2cap_add_scid(chan, L2CAP_CID_SMP);
Johan Hedberg70db83c2014-08-08 09:37:16 +03001634
1635 l2cap_chan_set_defaults(chan);
1636
1637 bacpy(&chan->src, &hdev->bdaddr);
1638 chan->src_type = BDADDR_LE_PUBLIC;
1639 chan->state = BT_LISTEN;
1640 chan->mode = L2CAP_MODE_BASIC;
1641 chan->imtu = L2CAP_DEFAULT_MTU;
1642 chan->ops = &smp_root_chan_ops;
1643
1644 hdev->smp_data = chan;
1645
Johan Hedberg711eafe2014-08-08 09:32:52 +03001646 return 0;
1647}
1648
1649void smp_unregister(struct hci_dev *hdev)
1650{
Johan Hedberg70db83c2014-08-08 09:37:16 +03001651 struct l2cap_chan *chan = hdev->smp_data;
Johan Hedbergdefce9e2014-08-08 09:37:17 +03001652 struct crypto_blkcipher *tfm_aes;
Johan Hedberg70db83c2014-08-08 09:37:16 +03001653
1654 if (!chan)
1655 return;
1656
1657 BT_DBG("%s chan %p", hdev->name, chan);
Johan Hedberg711eafe2014-08-08 09:32:52 +03001658
Johan Hedbergdefce9e2014-08-08 09:37:17 +03001659 tfm_aes = chan->data;
1660 if (tfm_aes) {
1661 chan->data = NULL;
1662 crypto_free_blkcipher(tfm_aes);
Johan Hedberg711eafe2014-08-08 09:32:52 +03001663 }
Johan Hedberg70db83c2014-08-08 09:37:16 +03001664
1665 hdev->smp_data = NULL;
1666 l2cap_chan_put(chan);
Johan Hedberg711eafe2014-08-08 09:32:52 +03001667}