2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
34 #define SMP_TIMEOUT msecs_to_jiffies(30000)
36 #define AUTH_REQ_MASK 0x07
47 struct l2cap_conn *conn;
48 u8 preq[7]; /* SMP Pairing Request */
49 u8 prsp[7]; /* SMP Pairing Response */
50 u8 prnd[16]; /* SMP Pairing Random (local) */
51 u8 rrnd[16]; /* SMP Pairing Random (remote) */
52 u8 pcnf[16]; /* SMP Pairing Confirm */
53 u8 tk[16]; /* SMP Temporary Key */
59 struct smp_csrk *csrk;
60 struct smp_csrk *slave_csrk;
62 struct smp_ltk *slave_ltk;
63 struct smp_irk *remote_irk;
67 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
71 for (i = 0; i < len; i++)
72 dst[len - 1 - i] = src[i];
75 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
77 struct blkcipher_desc desc;
78 struct scatterlist sg;
79 uint8_t tmp[16], data[16];
83 BT_ERR("tfm %p", tfm);
90 /* The most significant octet of key corresponds to k[0] */
93 err = crypto_blkcipher_setkey(tfm, tmp, 16);
95 BT_ERR("cipher setkey failed: %d", err);
99 /* Most significant octet of plaintextData corresponds to data[0] */
100 swap_buf(r, data, 16);
102 sg_init_one(&sg, data, 16);
104 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
106 BT_ERR("Encrypt data error %d", err);
108 /* Most significant octet of encryptedData corresponds to data[0] */
109 swap_buf(data, r, 16);
114 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
119 /* r' = padding || r */
121 memset(_res + 3, 0, 13);
123 err = smp_e(tfm, irk, _res);
125 BT_ERR("Encrypt error");
129 /* The output of the random address function ah is:
130 * ah(h, r) = e(k, r') mod 2^24
131 * The output of the security function e is then truncated to 24 bits
132 * by taking the least significant 24 bits of the output of e as the
135 memcpy(res, _res, 3);
140 bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
146 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
148 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
152 return !memcmp(bdaddr->b, hash, 3);
155 int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
159 get_random_bytes(&rpa->b[3], 3);
161 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
162 rpa->b[5] |= 0x40; /* Set second most significant bit */
164 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
168 BT_DBG("RPA %pMR", rpa);
173 static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
174 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
175 u8 _rat, bdaddr_t *ra, u8 res[16])
182 /* p1 = pres || preq || _rat || _iat */
185 memcpy(p1 + 2, preq, 7);
186 memcpy(p1 + 9, pres, 7);
188 /* p2 = padding || ia || ra */
190 memcpy(p2 + 6, ia, 6);
191 memset(p2 + 12, 0, 4);
194 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
196 /* res = e(k, res) */
197 err = smp_e(tfm, k, res);
199 BT_ERR("Encrypt data error");
203 /* res = res XOR p2 */
204 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
206 /* res = e(k, res) */
207 err = smp_e(tfm, k, res);
209 BT_ERR("Encrypt data error");
214 static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16], u8 r1[16],
215 u8 r2[16], u8 _r[16])
219 /* Just least significant octets from r1 and r2 are considered */
221 memcpy(_r + 8, r1, 8);
223 err = smp_e(tfm, k, _r);
225 BT_ERR("Encrypt data error");
230 static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
231 u16 dlen, void *data)
234 struct l2cap_hdr *lh;
237 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
242 skb = bt_skb_alloc(len, GFP_ATOMIC);
246 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
247 lh->len = cpu_to_le16(sizeof(code) + dlen);
248 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
250 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
252 memcpy(skb_put(skb, dlen), data, dlen);
257 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
259 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
261 BT_DBG("code 0x%2.2x", code);
266 skb->priority = HCI_PRIO_MAX;
267 hci_send_acl(conn->hchan, skb, 0);
269 cancel_delayed_work_sync(&conn->security_timer);
270 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT);
273 static __u8 authreq_to_seclevel(__u8 authreq)
275 if (authreq & SMP_AUTH_MITM)
276 return BT_SECURITY_HIGH;
278 return BT_SECURITY_MEDIUM;
281 static __u8 seclevel_to_authreq(__u8 sec_level)
284 case BT_SECURITY_HIGH:
285 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
286 case BT_SECURITY_MEDIUM:
287 return SMP_AUTH_BONDING;
289 return SMP_AUTH_NONE;
293 static void build_pairing_cmd(struct l2cap_conn *conn,
294 struct smp_cmd_pairing *req,
295 struct smp_cmd_pairing *rsp, __u8 authreq)
297 struct smp_chan *smp = conn->smp_chan;
298 struct hci_conn *hcon = conn->hcon;
299 struct hci_dev *hdev = hcon->hdev;
300 u8 local_dist = 0, remote_dist = 0;
302 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) {
303 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
304 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
305 authreq |= SMP_AUTH_BONDING;
307 authreq &= ~SMP_AUTH_BONDING;
310 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
311 remote_dist |= SMP_DIST_ID_KEY;
313 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
314 local_dist |= SMP_DIST_ID_KEY;
317 req->io_capability = conn->hcon->io_capability;
318 req->oob_flag = SMP_OOB_NOT_PRESENT;
319 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
320 req->init_key_dist = local_dist;
321 req->resp_key_dist = remote_dist;
322 req->auth_req = (authreq & AUTH_REQ_MASK);
324 smp->remote_key_dist = remote_dist;
328 rsp->io_capability = conn->hcon->io_capability;
329 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
330 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
331 rsp->init_key_dist = req->init_key_dist & remote_dist;
332 rsp->resp_key_dist = req->resp_key_dist & local_dist;
333 rsp->auth_req = (authreq & AUTH_REQ_MASK);
335 smp->remote_key_dist = rsp->init_key_dist;
338 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
340 struct smp_chan *smp = conn->smp_chan;
342 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
343 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
344 return SMP_ENC_KEY_SIZE;
346 smp->enc_key_size = max_key_size;
351 static void smp_failure(struct l2cap_conn *conn, u8 reason)
353 struct hci_conn *hcon = conn->hcon;
356 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
359 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
360 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
361 HCI_ERROR_AUTH_FAILURE);
363 cancel_delayed_work_sync(&conn->security_timer);
365 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
366 smp_chan_destroy(conn);
369 #define JUST_WORKS 0x00
370 #define JUST_CFM 0x01
371 #define REQ_PASSKEY 0x02
372 #define CFM_PASSKEY 0x03
376 static const u8 gen_method[5][5] = {
377 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
378 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
379 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
380 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
381 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
384 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
386 /* If either side has unknown io_caps, use JUST WORKS */
387 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
388 remote_io > SMP_IO_KEYBOARD_DISPLAY)
391 return gen_method[remote_io][local_io];
394 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
395 u8 local_io, u8 remote_io)
397 struct hci_conn *hcon = conn->hcon;
398 struct smp_chan *smp = conn->smp_chan;
403 /* Initialize key for JUST WORKS */
404 memset(smp->tk, 0, sizeof(smp->tk));
405 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
407 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
409 /* If neither side wants MITM, use JUST WORKS */
410 /* Otherwise, look up method from the table */
411 if (!(auth & SMP_AUTH_MITM))
414 method = get_auth_method(smp, local_io, remote_io);
416 /* If not bonding, don't ask user to confirm a Zero TK */
417 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
420 /* Don't confirm locally initiated pairing attempts */
421 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
424 /* If Just Works, Continue with Zero TK */
425 if (method == JUST_WORKS) {
426 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
430 /* Not Just Works/Confirm results in MITM Authentication */
431 if (method != JUST_CFM)
432 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
434 /* If both devices have Keyoard-Display I/O, the master
435 * Confirms and the slave Enters the passkey.
437 if (method == OVERLAP) {
438 if (test_bit(HCI_CONN_MASTER, &hcon->flags))
439 method = CFM_PASSKEY;
441 method = REQ_PASSKEY;
444 /* Generate random passkey. */
445 if (method == CFM_PASSKEY) {
446 memset(smp->tk, 0, sizeof(smp->tk));
447 get_random_bytes(&passkey, sizeof(passkey));
449 put_unaligned_le32(passkey, smp->tk);
450 BT_DBG("PassKey: %d", passkey);
451 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
454 hci_dev_lock(hcon->hdev);
456 if (method == REQ_PASSKEY)
457 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
458 hcon->type, hcon->dst_type);
459 else if (method == JUST_CFM)
460 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
461 hcon->type, hcon->dst_type,
464 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
465 hcon->type, hcon->dst_type,
468 hci_dev_unlock(hcon->hdev);
473 static u8 smp_confirm(struct smp_chan *smp)
475 struct l2cap_conn *conn = smp->conn;
476 struct hci_dev *hdev = conn->hcon->hdev;
477 struct crypto_blkcipher *tfm = hdev->tfm_aes;
478 struct smp_cmd_pairing_confirm cp;
481 BT_DBG("conn %p", conn);
483 /* Prevent mutual access to hdev->tfm_aes */
486 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
487 conn->hcon->init_addr_type, &conn->hcon->init_addr,
488 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
491 hci_dev_unlock(hdev);
494 return SMP_UNSPECIFIED;
496 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
498 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
503 static u8 smp_random(struct smp_chan *smp)
505 struct l2cap_conn *conn = smp->conn;
506 struct hci_conn *hcon = conn->hcon;
507 struct hci_dev *hdev = hcon->hdev;
508 struct crypto_blkcipher *tfm = hdev->tfm_aes;
512 if (IS_ERR_OR_NULL(tfm))
513 return SMP_UNSPECIFIED;
515 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
517 /* Prevent mutual access to hdev->tfm_aes */
520 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
521 hcon->init_addr_type, &hcon->init_addr,
522 hcon->resp_addr_type, &hcon->resp_addr, confirm);
524 hci_dev_unlock(hdev);
527 return SMP_UNSPECIFIED;
529 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
530 BT_ERR("Pairing failed (confirmation values mismatch)");
531 return SMP_CONFIRM_FAILED;
539 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, stk);
541 memset(stk + smp->enc_key_size, 0,
542 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
544 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
545 return SMP_UNSPECIFIED;
547 hci_le_start_enc(hcon, ediv, rand, stk);
548 hcon->enc_key_size = smp->enc_key_size;
554 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
557 smp_s1(tfm, smp->tk, smp->prnd, smp->rrnd, stk);
559 memset(stk + smp->enc_key_size, 0,
560 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
562 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
567 /* Even though there's no _SLAVE suffix this is the
568 * slave STK we're adding for later lookup (the master
569 * STK never needs to be stored).
571 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
572 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
578 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
580 struct smp_chan *smp;
582 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
587 conn->smp_chan = smp;
588 conn->hcon->smp_conn = conn;
590 hci_conn_hold(conn->hcon);
595 void smp_chan_destroy(struct l2cap_conn *conn)
597 struct smp_chan *smp = conn->smp_chan;
602 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
603 mgmt_smp_complete(conn->hcon, complete);
606 kfree(smp->slave_csrk);
608 /* If pairing failed clean up any keys we might have */
611 list_del(&smp->ltk->list);
615 if (smp->slave_ltk) {
616 list_del(&smp->slave_ltk->list);
617 kfree(smp->slave_ltk);
620 if (smp->remote_irk) {
621 list_del(&smp->remote_irk->list);
622 kfree(smp->remote_irk);
627 conn->smp_chan = NULL;
628 conn->hcon->smp_conn = NULL;
629 hci_conn_drop(conn->hcon);
632 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
634 struct l2cap_conn *conn = hcon->smp_conn;
635 struct smp_chan *smp;
643 smp = conn->smp_chan;
646 case MGMT_OP_USER_PASSKEY_REPLY:
647 value = le32_to_cpu(passkey);
648 memset(smp->tk, 0, sizeof(smp->tk));
649 BT_DBG("PassKey: %d", value);
650 put_unaligned_le32(value, smp->tk);
652 case MGMT_OP_USER_CONFIRM_REPLY:
653 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
655 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
656 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
657 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
660 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
664 /* If it is our turn to send Pairing Confirm, do so now */
665 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
666 u8 rsp = smp_confirm(smp);
668 smp_failure(conn, rsp);
674 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
676 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
677 struct smp_chan *smp;
678 u8 key_size, auth, sec_level;
681 BT_DBG("conn %p", conn);
683 if (skb->len < sizeof(*req))
684 return SMP_INVALID_PARAMS;
686 if (test_bit(HCI_CONN_MASTER, &conn->hcon->flags))
687 return SMP_CMD_NOTSUPP;
689 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
690 smp = smp_chan_create(conn);
692 smp = conn->smp_chan;
695 return SMP_UNSPECIFIED;
697 smp->preq[0] = SMP_CMD_PAIRING_REQ;
698 memcpy(&smp->preq[1], req, sizeof(*req));
699 skb_pull(skb, sizeof(*req));
701 /* We didn't start the pairing, so match remote */
702 auth = req->auth_req;
704 sec_level = authreq_to_seclevel(auth);
705 if (sec_level > conn->hcon->pending_sec_level)
706 conn->hcon->pending_sec_level = sec_level;
708 /* If we need MITM check that it can be acheived */
709 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
712 method = get_auth_method(smp, conn->hcon->io_capability,
714 if (method == JUST_WORKS || method == JUST_CFM)
715 return SMP_AUTH_REQUIREMENTS;
718 build_pairing_cmd(conn, req, &rsp, auth);
720 key_size = min(req->max_key_size, rsp.max_key_size);
721 if (check_enc_key_size(conn, key_size))
722 return SMP_ENC_KEY_SIZE;
724 get_random_bytes(smp->prnd, sizeof(smp->prnd));
726 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
727 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
729 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
731 /* Request setup of TK */
732 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
734 return SMP_UNSPECIFIED;
736 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
741 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
743 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
744 struct smp_chan *smp = conn->smp_chan;
745 u8 key_size, auth = SMP_AUTH_NONE;
748 BT_DBG("conn %p", conn);
750 if (skb->len < sizeof(*rsp))
751 return SMP_INVALID_PARAMS;
753 if (!test_bit(HCI_CONN_MASTER, &conn->hcon->flags))
754 return SMP_CMD_NOTSUPP;
756 skb_pull(skb, sizeof(*rsp));
758 req = (void *) &smp->preq[1];
760 key_size = min(req->max_key_size, rsp->max_key_size);
761 if (check_enc_key_size(conn, key_size))
762 return SMP_ENC_KEY_SIZE;
764 /* If we need MITM check that it can be acheived */
765 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
768 method = get_auth_method(smp, req->io_capability,
770 if (method == JUST_WORKS || method == JUST_CFM)
771 return SMP_AUTH_REQUIREMENTS;
774 get_random_bytes(smp->prnd, sizeof(smp->prnd));
776 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
777 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
779 /* Update remote key distribution in case the remote cleared
780 * some bits that we had enabled in our request.
782 smp->remote_key_dist &= rsp->resp_key_dist;
784 if ((req->auth_req & SMP_AUTH_BONDING) &&
785 (rsp->auth_req & SMP_AUTH_BONDING))
786 auth = SMP_AUTH_BONDING;
788 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
790 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
792 return SMP_UNSPECIFIED;
794 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
796 /* Can't compose response until we have been confirmed */
797 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
798 return smp_confirm(smp);
803 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
805 struct smp_chan *smp = conn->smp_chan;
807 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
809 if (skb->len < sizeof(smp->pcnf))
810 return SMP_INVALID_PARAMS;
812 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
813 skb_pull(skb, sizeof(smp->pcnf));
816 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
818 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
819 return smp_confirm(smp);
821 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
826 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
828 struct smp_chan *smp = conn->smp_chan;
830 BT_DBG("conn %p", conn);
832 if (skb->len < sizeof(smp->rrnd))
833 return SMP_INVALID_PARAMS;
835 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
836 skb_pull(skb, sizeof(smp->rrnd));
838 return smp_random(smp);
841 static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
844 struct hci_conn *hcon = conn->hcon;
846 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
851 if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
854 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
857 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
858 hcon->enc_key_size = key->enc_size;
863 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
865 struct smp_cmd_security_req *rp = (void *) skb->data;
866 struct smp_cmd_pairing cp;
867 struct hci_conn *hcon = conn->hcon;
868 struct smp_chan *smp;
871 BT_DBG("conn %p", conn);
873 if (skb->len < sizeof(*rp))
874 return SMP_INVALID_PARAMS;
876 if (!test_bit(HCI_CONN_MASTER, &conn->hcon->flags))
877 return SMP_CMD_NOTSUPP;
879 sec_level = authreq_to_seclevel(rp->auth_req);
880 if (sec_level > hcon->pending_sec_level)
881 hcon->pending_sec_level = sec_level;
883 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
886 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
889 smp = smp_chan_create(conn);
891 return SMP_UNSPECIFIED;
893 skb_pull(skb, sizeof(*rp));
895 memset(&cp, 0, sizeof(cp));
896 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
898 smp->preq[0] = SMP_CMD_PAIRING_REQ;
899 memcpy(&smp->preq[1], &cp, sizeof(cp));
901 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
903 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
908 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
910 if (sec_level == BT_SECURITY_LOW)
913 if (hcon->sec_level >= sec_level)
919 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
921 struct l2cap_conn *conn = hcon->l2cap_data;
922 struct smp_chan *smp;
925 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
927 /* This may be NULL if there's an unexpected disconnection */
931 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
934 if (smp_sufficient_security(hcon, sec_level))
937 if (sec_level > hcon->pending_sec_level)
938 hcon->pending_sec_level = sec_level;
940 if (test_bit(HCI_CONN_MASTER, &hcon->flags))
941 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
944 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
947 smp = smp_chan_create(conn);
951 authreq = seclevel_to_authreq(sec_level);
953 /* Require MITM if IO Capability allows or the security level
956 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
957 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
958 authreq |= SMP_AUTH_MITM;
960 if (test_bit(HCI_CONN_MASTER, &hcon->flags)) {
961 struct smp_cmd_pairing cp;
963 build_pairing_cmd(conn, &cp, NULL, authreq);
964 smp->preq[0] = SMP_CMD_PAIRING_REQ;
965 memcpy(&smp->preq[1], &cp, sizeof(cp));
967 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
969 struct smp_cmd_security_req cp;
970 cp.auth_req = authreq;
971 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
974 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
979 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
981 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
982 struct smp_chan *smp = conn->smp_chan;
984 BT_DBG("conn %p", conn);
986 if (skb->len < sizeof(*rp))
987 return SMP_INVALID_PARAMS;
989 /* Ignore this PDU if it wasn't requested */
990 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
993 skb_pull(skb, sizeof(*rp));
995 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1000 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1002 struct smp_cmd_master_ident *rp = (void *) skb->data;
1003 struct smp_chan *smp = conn->smp_chan;
1004 struct hci_dev *hdev = conn->hcon->hdev;
1005 struct hci_conn *hcon = conn->hcon;
1006 struct smp_ltk *ltk;
1009 BT_DBG("conn %p", conn);
1011 if (skb->len < sizeof(*rp))
1012 return SMP_INVALID_PARAMS;
1014 /* Ignore this PDU if it wasn't requested */
1015 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
1018 /* Mark the information as received */
1019 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1021 skb_pull(skb, sizeof(*rp));
1024 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
1025 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
1026 authenticated, smp->tk, smp->enc_key_size,
1027 rp->ediv, rp->rand);
1029 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1030 smp_distribute_keys(conn);
1031 hci_dev_unlock(hdev);
1036 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1038 struct smp_cmd_ident_info *info = (void *) skb->data;
1039 struct smp_chan *smp = conn->smp_chan;
1043 if (skb->len < sizeof(*info))
1044 return SMP_INVALID_PARAMS;
1046 /* Ignore this PDU if it wasn't requested */
1047 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1050 skb_pull(skb, sizeof(*info));
1052 memcpy(smp->irk, info->irk, 16);
1057 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1058 struct sk_buff *skb)
1060 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1061 struct smp_chan *smp = conn->smp_chan;
1062 struct hci_conn *hcon = conn->hcon;
1067 if (skb->len < sizeof(*info))
1068 return SMP_INVALID_PARAMS;
1070 /* Ignore this PDU if it wasn't requested */
1071 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1074 /* Mark the information as received */
1075 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1077 skb_pull(skb, sizeof(*info));
1079 hci_dev_lock(hcon->hdev);
1081 /* Strictly speaking the Core Specification (4.1) allows sending
1082 * an empty address which would force us to rely on just the IRK
1083 * as "identity information". However, since such
1084 * implementations are not known of and in order to not over
1085 * complicate our implementation, simply pretend that we never
1086 * received an IRK for such a device.
1088 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1089 BT_ERR("Ignoring IRK with no identity address");
1093 bacpy(&smp->id_addr, &info->bdaddr);
1094 smp->id_addr_type = info->addr_type;
1096 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1097 bacpy(&rpa, &hcon->dst);
1099 bacpy(&rpa, BDADDR_ANY);
1101 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1102 smp->id_addr_type, smp->irk, &rpa);
1105 smp_distribute_keys(conn);
1107 hci_dev_unlock(hcon->hdev);
1112 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1114 struct smp_cmd_sign_info *rp = (void *) skb->data;
1115 struct smp_chan *smp = conn->smp_chan;
1116 struct hci_dev *hdev = conn->hcon->hdev;
1117 struct smp_csrk *csrk;
1119 BT_DBG("conn %p", conn);
1121 if (skb->len < sizeof(*rp))
1122 return SMP_INVALID_PARAMS;
1124 /* Ignore this PDU if it wasn't requested */
1125 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1128 /* Mark the information as received */
1129 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1131 skb_pull(skb, sizeof(*rp));
1134 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1136 csrk->master = 0x01;
1137 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1140 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1141 smp_distribute_keys(conn);
1142 hci_dev_unlock(hdev);
1147 int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1149 struct hci_conn *hcon = conn->hcon;
1153 if (hcon->type != LE_LINK) {
1163 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1165 reason = SMP_PAIRING_NOTSUPP;
1169 code = skb->data[0];
1170 skb_pull(skb, sizeof(code));
1173 * The SMP context must be initialized for all other PDUs except
1174 * pairing and security requests. If we get any other PDU when
1175 * not initialized simply disconnect (done if this function
1176 * returns an error).
1178 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1180 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1186 case SMP_CMD_PAIRING_REQ:
1187 reason = smp_cmd_pairing_req(conn, skb);
1190 case SMP_CMD_PAIRING_FAIL:
1191 smp_failure(conn, 0);
1196 case SMP_CMD_PAIRING_RSP:
1197 reason = smp_cmd_pairing_rsp(conn, skb);
1200 case SMP_CMD_SECURITY_REQ:
1201 reason = smp_cmd_security_req(conn, skb);
1204 case SMP_CMD_PAIRING_CONFIRM:
1205 reason = smp_cmd_pairing_confirm(conn, skb);
1208 case SMP_CMD_PAIRING_RANDOM:
1209 reason = smp_cmd_pairing_random(conn, skb);
1212 case SMP_CMD_ENCRYPT_INFO:
1213 reason = smp_cmd_encrypt_info(conn, skb);
1216 case SMP_CMD_MASTER_IDENT:
1217 reason = smp_cmd_master_ident(conn, skb);
1220 case SMP_CMD_IDENT_INFO:
1221 reason = smp_cmd_ident_info(conn, skb);
1224 case SMP_CMD_IDENT_ADDR_INFO:
1225 reason = smp_cmd_ident_addr_info(conn, skb);
1228 case SMP_CMD_SIGN_INFO:
1229 reason = smp_cmd_sign_info(conn, skb);
1233 BT_DBG("Unknown command code 0x%2.2x", code);
1235 reason = SMP_CMD_NOTSUPP;
1242 smp_failure(conn, reason);
1248 static void smp_notify_keys(struct l2cap_conn *conn)
1250 struct smp_chan *smp = conn->smp_chan;
1251 struct hci_conn *hcon = conn->hcon;
1252 struct hci_dev *hdev = hcon->hdev;
1253 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1254 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1257 if (smp->remote_irk) {
1258 mgmt_new_irk(hdev, smp->remote_irk);
1259 /* Now that user space can be considered to know the
1260 * identity address track the connection based on it
1263 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1264 hcon->dst_type = smp->remote_irk->addr_type;
1265 l2cap_conn_update_id_addr(hcon);
1268 /* The LTKs and CSRKs should be persistent only if both sides
1269 * had the bonding bit set in their authentication requests.
1271 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1274 smp->csrk->bdaddr_type = hcon->dst_type;
1275 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1276 mgmt_new_csrk(hdev, smp->csrk, persistent);
1279 if (smp->slave_csrk) {
1280 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1281 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1282 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1286 smp->ltk->bdaddr_type = hcon->dst_type;
1287 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1288 mgmt_new_ltk(hdev, smp->ltk, persistent);
1291 if (smp->slave_ltk) {
1292 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1293 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1294 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1298 int smp_distribute_keys(struct l2cap_conn *conn)
1300 struct smp_cmd_pairing *req, *rsp;
1301 struct smp_chan *smp = conn->smp_chan;
1302 struct hci_conn *hcon = conn->hcon;
1303 struct hci_dev *hdev = hcon->hdev;
1306 BT_DBG("conn %p", conn);
1308 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
1311 rsp = (void *) &smp->prsp[1];
1313 /* The responder sends its keys first */
1314 if (hcon->out && (smp->remote_key_dist & 0x07))
1317 req = (void *) &smp->preq[1];
1320 keydist = &rsp->init_key_dist;
1321 *keydist &= req->init_key_dist;
1323 keydist = &rsp->resp_key_dist;
1324 *keydist &= req->resp_key_dist;
1327 BT_DBG("keydist 0x%x", *keydist);
1329 if (*keydist & SMP_DIST_ENC_KEY) {
1330 struct smp_cmd_encrypt_info enc;
1331 struct smp_cmd_master_ident ident;
1332 struct smp_ltk *ltk;
1337 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1338 get_random_bytes(&ediv, sizeof(ediv));
1339 get_random_bytes(&rand, sizeof(rand));
1341 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1343 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1344 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1345 SMP_LTK_SLAVE, authenticated, enc.ltk,
1346 smp->enc_key_size, ediv, rand);
1347 smp->slave_ltk = ltk;
1352 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1354 *keydist &= ~SMP_DIST_ENC_KEY;
1357 if (*keydist & SMP_DIST_ID_KEY) {
1358 struct smp_cmd_ident_addr_info addrinfo;
1359 struct smp_cmd_ident_info idinfo;
1361 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1363 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1365 /* The hci_conn contains the local identity address
1366 * after the connection has been established.
1368 * This is true even when the connection has been
1369 * established using a resolvable random address.
1371 bacpy(&addrinfo.bdaddr, &hcon->src);
1372 addrinfo.addr_type = hcon->src_type;
1374 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1377 *keydist &= ~SMP_DIST_ID_KEY;
1380 if (*keydist & SMP_DIST_SIGN) {
1381 struct smp_cmd_sign_info sign;
1382 struct smp_csrk *csrk;
1384 /* Generate a new random key */
1385 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1387 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1389 csrk->master = 0x00;
1390 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1392 smp->slave_csrk = csrk;
1394 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1396 *keydist &= ~SMP_DIST_SIGN;
1399 /* If there are still keys to be received wait for them */
1400 if ((smp->remote_key_dist & 0x07))
1403 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1404 cancel_delayed_work_sync(&conn->security_timer);
1405 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1406 smp_notify_keys(conn);
1408 smp_chan_destroy(conn);