smp.c 51.6 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

23 24 25 26
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/b128ops.h>

27 28 29
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
30
#include <net/bluetooth/mgmt.h>
31

32
#include "ecc.h"
33
#include "smp.h"
34

35 36
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)

37 38 39
/* Keys which are not distributed with Secure Connections */
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);

40
#define SMP_TIMEOUT	msecs_to_jiffies(30000)
41

42 43 44
#define AUTH_REQ_MASK(dev)	(test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
				 0x1f : 0x07)
#define KEY_DIST_MASK		0x07
45

46 47 48
/* Maximum message length that can be passed to aes_cmac */
#define CMAC_MSG_MAX	80

49 50 51 52 53 54
enum {
	SMP_FLAG_TK_VALID,
	SMP_FLAG_CFM_PENDING,
	SMP_FLAG_MITM_AUTH,
	SMP_FLAG_COMPLETE,
	SMP_FLAG_INITIATOR,
55
	SMP_FLAG_SC,
56
	SMP_FLAG_REMOTE_PK,
57
};
58 59

struct smp_chan {
60 61
	struct l2cap_conn	*conn;
	struct delayed_work	security_timer;
62
	unsigned long           allow_cmd; /* Bitmask of allowed commands */
63

64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79
	u8		preq[7]; /* SMP Pairing Request */
	u8		prsp[7]; /* SMP Pairing Response */
	u8		prnd[16]; /* SMP Pairing Random (local) */
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
	u8		pcnf[16]; /* SMP Pairing Confirm */
	u8		tk[16]; /* SMP Temporary Key */
	u8		enc_key_size;
	u8		remote_key_dist;
	bdaddr_t	id_addr;
	u8		id_addr_type;
	u8		irk[16];
	struct smp_csrk	*csrk;
	struct smp_csrk	*slave_csrk;
	struct smp_ltk	*ltk;
	struct smp_ltk	*slave_ltk;
	struct smp_irk	*remote_irk;
80
	unsigned long	flags;
81

82 83 84
	/* Secure Connections variables */
	u8			local_pk[64];
	u8			local_sk[32];
85 86
	u8			remote_pk[64];
	u8			dhkey[32];
87
	u8			mackey[16];
88

89
	struct crypto_blkcipher	*tfm_aes;
90
	struct crypto_hash	*tfm_cmac;
91 92
};

93
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
94
{
95
	size_t i;
96

97 98
	for (i = 0; i < len; i++)
		dst[len - 1 - i] = src[i];
99 100
}

101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178
static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
		    size_t len, u8 mac[16])
{
	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
	struct hash_desc desc;
	struct scatterlist sg;
	int err;

	if (len > CMAC_MSG_MAX)
		return -EFBIG;

	if (!tfm) {
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

	crypto_hash_init(&desc);

	/* Swap key and message from LSB to MSB */
	swap_buf(k, tmp, 16);
	swap_buf(m, msg_msb, len);

	BT_DBG("msg (len %zu) %*phN", len, (int) len, m);
	BT_DBG("key %16phN", k);

	err = crypto_hash_setkey(tfm, tmp, 16);
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

	sg_init_one(&sg, msg_msb, len);

	err = crypto_hash_update(&desc, &sg, len);
	if (err) {
		BT_ERR("Hash update error %d", err);
		return err;
	}

	err = crypto_hash_final(&desc, mac_msb);
	if (err) {
		BT_ERR("Hash final error %d", err);
		return err;
	}

	swap_buf(mac_msb, mac, 16);

	BT_DBG("mac %16phN", mac);

	return 0;
}

static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], u8 z, u8 res[16])
{
	u8 m[65];
	int err;

	BT_DBG("u %32phN", u);
	BT_DBG("v %32phN", v);
	BT_DBG("x %16phN z %02x", x, z);

	m[0] = z;
	memcpy(m + 1, v, 32);
	memcpy(m + 33, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
	if (err)
		return err;

	BT_DBG("res %16phN", res);

	return err;
}

179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258
static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
		  u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
{
	/* The btle, salt and length "magic" values are as defined in
	 * the SMP section of the Bluetooth core specification. In ASCII
	 * the btle value ends up being 'btle'. The salt is just a
	 * random number whereas length is the value 256 in little
	 * endian format.
	 */
	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
	const u8 length[2] = { 0x00, 0x01 };
	u8 m[53], t[16];
	int err;

	BT_DBG("w %32phN", w);
	BT_DBG("n1 %16phN n2 %16phN", n1, n2);
	BT_DBG("a1 %7phN a2 %7phN", a1, a2);

	err = aes_cmac(tfm_cmac, salt, w, 32, t);
	if (err)
		return err;

	BT_DBG("t %16phN", t);

	memcpy(m, length, 2);
	memcpy(m + 2, a2, 7);
	memcpy(m + 9, a1, 7);
	memcpy(m + 16, n2, 16);
	memcpy(m + 32, n1, 16);
	memcpy(m + 48, btle, 4);

	m[52] = 0; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
	if (err)
		return err;

	BT_DBG("mackey %16phN", mackey);

	m[52] = 1; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
	if (err)
		return err;

	BT_DBG("ltk %16phN", ltk);

	return 0;
}

static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
		  const u8 n1[16], u8 n2[16], const u8 r[16],
		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
		  u8 res[16])
{
	u8 m[65];
	int err;

	BT_DBG("w %16phN", w);
	BT_DBG("n1 %16phN n2 %16phN", n1, n2);
	BT_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);

	memcpy(m, a2, 7);
	memcpy(m + 7, a1, 7);
	memcpy(m + 14, io_cap, 3);
	memcpy(m + 17, r, 16);
	memcpy(m + 33, n2, 16);
	memcpy(m + 49, n1, 16);

	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
	if (err)
		return err;

	BT_DBG("res %16phN", res);

	return err;
}

259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284
static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], const u8 y[16], u32 *val)
{
	u8 m[80], tmp[16];
	int err;

	BT_DBG("u %32phN", u);
	BT_DBG("v %32phN", v);
	BT_DBG("x %16phN y %16phN", x, y);

	memcpy(m, y, 16);
	memcpy(m + 16, v, 32);
	memcpy(m + 48, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
	if (err)
		return err;

	*val = get_unaligned_le32(tmp);
	*val %= 1000000;

	BT_DBG("val %06u", *val);

	return 0;
}

285 286 287 288
static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
{
	struct blkcipher_desc desc;
	struct scatterlist sg;
289
	uint8_t tmp[16], data[16];
290
	int err;
291 292 293 294 295 296 297 298 299

	if (tfm == NULL) {
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

300
	/* The most significant octet of key corresponds to k[0] */
301
	swap_buf(k, tmp, 16);
302 303

	err = crypto_blkcipher_setkey(tfm, tmp, 16);
304 305 306 307 308
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

309
	/* Most significant octet of plaintextData corresponds to data[0] */
310
	swap_buf(r, data, 16);
311 312

	sg_init_one(&sg, data, 16);
313 314 315 316 317

	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
	if (err)
		BT_ERR("Encrypt data error %d", err);

318
	/* Most significant octet of encryptedData corresponds to data[0] */
319
	swap_buf(data, r, 16);
320

321 322 323
	return err;
}

324 325
static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
{
326
	u8 _res[16];
327 328 329
	int err;

	/* r' = padding || r */
330 331
	memcpy(_res, r, 3);
	memset(_res + 3, 0, 13);
332

333
	err = smp_e(tfm, irk, _res);
334 335 336 337 338 339 340 341 342 343 344
	if (err) {
		BT_ERR("Encrypt error");
		return err;
	}

	/* The output of the random address function ah is:
	 *	ah(h, r) = e(k, r') mod 2^24
	 * The output of the security function e is then truncated to 24 bits
	 * by taking the least significant 24 bits of the output of e as the
	 * result of ah.
	 */
345
	memcpy(res, _res, 3);
346 347 348 349

	return 0;
}

350
bool smp_irk_matches(struct hci_dev *hdev, u8 irk[16], bdaddr_t *bdaddr)
351
{
352 353
	struct l2cap_chan *chan = hdev->smp_data;
	struct crypto_blkcipher *tfm;
354 355 356
	u8 hash[3];
	int err;

357 358 359 360 361
	if (!chan || !chan->data)
		return false;

	tfm = chan->data;

362 363 364 365 366 367 368 369 370
	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);

	err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
	if (err)
		return false;

	return !memcmp(bdaddr->b, hash, 3);
}

371
int smp_generate_rpa(struct hci_dev *hdev, u8 irk[16], bdaddr_t *rpa)
372
{
373 374
	struct l2cap_chan *chan = hdev->smp_data;
	struct crypto_blkcipher *tfm;
375 376
	int err;

377 378 379 380 381
	if (!chan || !chan->data)
		return -EOPNOTSUPP;

	tfm = chan->data;

382 383 384 385 386 387 388 389 390 391 392 393 394 395
	get_random_bytes(&rpa->b[3], 3);

	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
	rpa->b[5] |= 0x40;	/* Set second most significant bit */

	err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
	if (err < 0)
		return err;

	BT_DBG("RPA %pMR", rpa);

	return 0;
}

396 397 398
static int smp_c1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r[16],
		  u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat,
		  bdaddr_t *ra, u8 res[16])
399 400 401 402 403 404 405
{
	u8 p1[16], p2[16];
	int err;

	memset(p1, 0, 16);

	/* p1 = pres || preq || _rat || _iat */
406 407 408 409
	p1[0] = _iat;
	p1[1] = _rat;
	memcpy(p1 + 2, preq, 7);
	memcpy(p1 + 9, pres, 7);
410 411

	/* p2 = padding || ia || ra */
412 413 414
	memcpy(p2, ra, 6);
	memcpy(p2 + 6, ia, 6);
	memset(p2 + 12, 0, 4);
415 416 417 418 419

	/* res = r XOR p1 */
	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);

	/* res = e(k, res) */
420
	err = smp_e(tfm_aes, k, res);
421 422 423 424 425 426 427 428 429
	if (err) {
		BT_ERR("Encrypt data error");
		return err;
	}

	/* res = res XOR p2 */
	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);

	/* res = e(k, res) */
430
	err = smp_e(tfm_aes, k, res);
431 432 433 434 435 436
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

437 438
static int smp_s1(struct crypto_blkcipher *tfm_aes, u8 k[16], u8 r1[16],
		  u8 r2[16], u8 _r[16])
439 440 441 442
{
	int err;

	/* Just least significant octets from r1 and r2 are considered */
443 444
	memcpy(_r, r2, 8);
	memcpy(_r + 8, r1, 8);
445

446
	err = smp_e(tfm_aes, k, _r);
447 448 449 450 451 452
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

453
static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
454
{
455
	struct l2cap_chan *chan = conn->smp;
456
	struct smp_chan *smp;
457 458
	struct kvec iv[2];
	struct msghdr msg;
459

460 461
	if (!chan)
		return;
462

463
	BT_DBG("code 0x%2.2x", code);
464

465 466
	iv[0].iov_base = &code;
	iv[0].iov_len = 1;
467

468 469
	iv[1].iov_base = data;
	iv[1].iov_len = len;
470

471
	memset(&msg, 0, sizeof(msg));
472

473 474
	msg.msg_iov = (struct iovec *) &iv;
	msg.msg_iovlen = 2;
475

476
	l2cap_chan_send(chan, &msg, 1 + len);
477

478 479 480 481 482 483
	if (!chan->data)
		return;

	smp = chan->data;

	cancel_delayed_work_sync(&smp->security_timer);
484
	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
485 486
}

487
static u8 authreq_to_seclevel(u8 authreq)
488
{
489 490 491 492 493 494
	if (authreq & SMP_AUTH_MITM) {
		if (authreq & SMP_AUTH_SC)
			return BT_SECURITY_FIPS;
		else
			return BT_SECURITY_HIGH;
	} else {
495
		return BT_SECURITY_MEDIUM;
496
	}
497 498 499 500 501
}

static __u8 seclevel_to_authreq(__u8 sec_level)
{
	switch (sec_level) {
502
	case BT_SECURITY_FIPS:
503 504 505 506 507 508 509 510 511
	case BT_SECURITY_HIGH:
		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
	case BT_SECURITY_MEDIUM:
		return SMP_AUTH_BONDING;
	default:
		return SMP_AUTH_NONE;
	}
}

512
static void build_pairing_cmd(struct l2cap_conn *conn,
513 514
			      struct smp_cmd_pairing *req,
			      struct smp_cmd_pairing *rsp, __u8 authreq)
515
{
516 517
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
518 519 520
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	u8 local_dist = 0, remote_dist = 0;
521

522
	if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
523 524
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
525
		authreq |= SMP_AUTH_BONDING;
526 527
	} else {
		authreq &= ~SMP_AUTH_BONDING;
528 529
	}

530 531 532
	if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
		remote_dist |= SMP_DIST_ID_KEY;

533 534 535
	if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
		local_dist |= SMP_DIST_ID_KEY;

536 537 538 539 540 541 542 543 544 545
	if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) {
		if ((authreq & SMP_AUTH_SC) &&
		    test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
			local_dist |= SMP_DIST_LINK_KEY;
			remote_dist |= SMP_DIST_LINK_KEY;
		}
	} else {
		authreq &= ~SMP_AUTH_SC;
	}

546 547 548 549
	if (rsp == NULL) {
		req->io_capability = conn->hcon->io_capability;
		req->oob_flag = SMP_OOB_NOT_PRESENT;
		req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
550 551
		req->init_key_dist = local_dist;
		req->resp_key_dist = remote_dist;
552
		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
553 554

		smp->remote_key_dist = remote_dist;
555 556 557 558 559 560
		return;
	}

	rsp->io_capability = conn->hcon->io_capability;
	rsp->oob_flag = SMP_OOB_NOT_PRESENT;
	rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
561 562
	rsp->init_key_dist = req->init_key_dist & remote_dist;
	rsp->resp_key_dist = req->resp_key_dist & local_dist;
563
	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
564 565

	smp->remote_key_dist = rsp->init_key_dist;
566 567
}

568 569
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
{
570 571
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
572

573
	if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
574
	    (max_key_size < SMP_MIN_ENC_KEY_SIZE))
575 576
		return SMP_ENC_KEY_SIZE;

577
	smp->enc_key_size = max_key_size;
578 579 580 581

	return 0;
}

582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598
static void smp_chan_destroy(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	bool complete;

	BUG_ON(!smp);

	cancel_delayed_work_sync(&smp->security_timer);

	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
	mgmt_smp_complete(conn->hcon, complete);

	kfree(smp->csrk);
	kfree(smp->slave_csrk);

	crypto_free_blkcipher(smp->tfm_aes);
599
	crypto_free_hash(smp->tfm_cmac);
600 601 602 603

	/* If pairing failed clean up any keys we might have */
	if (!complete) {
		if (smp->ltk) {
J
Johan Hedberg 已提交
604 605
			list_del_rcu(&smp->ltk->list);
			kfree_rcu(smp->ltk, rcu);
606 607 608
		}

		if (smp->slave_ltk) {
J
Johan Hedberg 已提交
609 610
			list_del_rcu(&smp->slave_ltk->list);
			kfree_rcu(smp->slave_ltk, rcu);
611 612 613
		}

		if (smp->remote_irk) {
J
Johan Hedberg 已提交
614 615
			list_del_rcu(&smp->remote_irk->list);
			kfree_rcu(smp->remote_irk, rcu);
616 617 618 619 620 621 622 623
		}
	}

	chan->data = NULL;
	kfree(smp);
	hci_conn_drop(conn->hcon);
}

624
static void smp_failure(struct l2cap_conn *conn, u8 reason)
625
{
626
	struct hci_conn *hcon = conn->hcon;
627
	struct l2cap_chan *chan = conn->smp;
628

629
	if (reason)
630
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
631
			     &reason);
632

633
	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
634
	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
635

636
	if (chan->data)
637
		smp_chan_destroy(conn);
638 639
}

640 641 642 643 644 645 646 647 648 649 650 651 652 653 654
#define JUST_WORKS	0x00
#define JUST_CFM	0x01
#define REQ_PASSKEY	0x02
#define CFM_PASSKEY	0x03
#define REQ_OOB		0x04
#define OVERLAP		0xFF

static const u8 gen_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
};

655 656
static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
{
657 658 659
	/* If either side has unknown io_caps, use JUST_CFM (which gets
	 * converted later to JUST_WORKS if we're initiators.
	 */
660 661
	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
662
		return JUST_CFM;
663 664 665 666

	return gen_method[remote_io][local_io];
}

667 668 669 670
static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
						u8 local_io, u8 remote_io)
{
	struct hci_conn *hcon = conn->hcon;
671 672
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
673 674 675 676 677 678
	u8 method;
	u32 passkey = 0;
	int ret = 0;

	/* Initialize key for JUST WORKS */
	memset(smp->tk, 0, sizeof(smp->tk));
679
	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
680 681 682

	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);

683 684 685 686 687 688
	/* If neither side wants MITM, either "just" confirm an incoming
	 * request or use just-works for outgoing ones. The JUST_CFM
	 * will be converted to JUST_WORKS if necessary later in this
	 * function. If either side has MITM look up the method from the
	 * table.
	 */
689
	if (!(auth & SMP_AUTH_MITM))
690
		method = JUST_CFM;
691
	else
692
		method = get_auth_method(smp, local_io, remote_io);
693

694
	/* Don't confirm locally initiated pairing attempts */
695
	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
696 697
		method = JUST_WORKS;

698 699 700 701
	/* Don't bother user space with no IO capabilities */
	if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
		method = JUST_WORKS;

702 703
	/* If Just Works, Continue with Zero TK */
	if (method == JUST_WORKS) {
704
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
705 706 707 708
		return 0;
	}

	/* Not Just Works/Confirm results in MITM Authentication */
709
	if (method != JUST_CFM) {
710
		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
711 712 713
		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
			hcon->pending_sec_level = BT_SECURITY_HIGH;
	}
714 715 716 717 718

	/* If both devices have Keyoard-Display I/O, the master
	 * Confirms and the slave Enters the passkey.
	 */
	if (method == OVERLAP) {
719
		if (hcon->role == HCI_ROLE_MASTER)
720 721 722 723 724
			method = CFM_PASSKEY;
		else
			method = REQ_PASSKEY;
	}

725
	/* Generate random passkey. */
726
	if (method == CFM_PASSKEY) {
727
		memset(smp->tk, 0, sizeof(smp->tk));
728 729
		get_random_bytes(&passkey, sizeof(passkey));
		passkey %= 1000000;
730
		put_unaligned_le32(passkey, smp->tk);
731
		BT_DBG("PassKey: %d", passkey);
732
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
733 734 735
	}

	if (method == REQ_PASSKEY)
736
		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
737
						hcon->type, hcon->dst_type);
738 739 740 741
	else if (method == JUST_CFM)
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
						hcon->type, hcon->dst_type,
						passkey, 1);
742
	else
743
		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
744
						hcon->type, hcon->dst_type,
745
						passkey, 0);
746 747 748 749

	return ret;
}

750
static u8 smp_confirm(struct smp_chan *smp)
751 752 753 754 755 756 757
{
	struct l2cap_conn *conn = smp->conn;
	struct smp_cmd_pairing_confirm cp;
	int ret;

	BT_DBG("conn %p", conn);

758
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
759
		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
760 761
		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
		     cp.confirm_val);
762 763
	if (ret)
		return SMP_UNSPECIFIED;
764

765
	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
766

767 768
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);

769 770 771 772 773
	if (conn->hcon->out)
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
	else
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

774
	return 0;
775 776
}

777
static u8 smp_random(struct smp_chan *smp)
778 779 780
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
781
	u8 confirm[16];
782 783
	int ret;

784
	if (IS_ERR_OR_NULL(smp->tfm_aes))
785
		return SMP_UNSPECIFIED;
786 787 788

	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

789
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
790
		     hcon->init_addr_type, &hcon->init_addr,
791
		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
792 793
	if (ret)
		return SMP_UNSPECIFIED;
794 795 796

	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
		BT_ERR("Pairing failed (confirmation values mismatch)");
797
		return SMP_CONFIRM_FAILED;
798 799 800
	}

	if (hcon->out) {
801 802 803
		u8 stk[16];
		__le64 rand = 0;
		__le16 ediv = 0;
804

805
		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
806

807
		memset(stk + smp->enc_key_size, 0,
808
		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
809

810 811
		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
			return SMP_UNSPECIFIED;
812 813

		hci_le_start_enc(hcon, ediv, rand, stk);
814
		hcon->enc_key_size = smp->enc_key_size;
815
		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
816
	} else {
817
		u8 stk[16], auth;
818 819
		__le64 rand = 0;
		__le16 ediv = 0;
820

821 822
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
823

824
		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
825

826
		memset(stk + smp->enc_key_size, 0,
827
		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
828

829 830 831 832 833
		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
			auth = 1;
		else
			auth = 0;

834 835 836 837
		/* Even though there's no _SLAVE suffix this is the
		 * slave STK we're adding for later lookup (the master
		 * STK never needs to be stored).
		 */
838
		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
839
			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
840 841
	}

842
	return 0;
843 844
}

845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862
static void smp_notify_keys(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
	bool persistent;

	if (smp->remote_irk) {
		mgmt_new_irk(hdev, smp->remote_irk);
		/* Now that user space can be considered to know the
		 * identity address track the connection based on it
		 * from now on.
		 */
		bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
		hcon->dst_type = smp->remote_irk->addr_type;
863
		queue_work(hdev->workqueue, &conn->id_addr_update_work);
864 865 866 867 868 869 870 871 872 873 874 875

		/* When receiving an indentity resolving key for
		 * a remote device that does not use a resolvable
		 * private address, just remove the key so that
		 * it is possible to use the controller white
		 * list for scanning.
		 *
		 * Userspace will have been told to not store
		 * this key at this point. So it is safe to
		 * just remove it.
		 */
		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
J
Johan Hedberg 已提交
876 877
			list_del_rcu(&smp->remote_irk->list);
			kfree_rcu(smp->remote_irk, rcu);
878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911
			smp->remote_irk = NULL;
		}
	}

	/* The LTKs and CSRKs should be persistent only if both sides
	 * had the bonding bit set in their authentication requests.
	 */
	persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);

	if (smp->csrk) {
		smp->csrk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->csrk->bdaddr, &hcon->dst);
		mgmt_new_csrk(hdev, smp->csrk, persistent);
	}

	if (smp->slave_csrk) {
		smp->slave_csrk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
	}

	if (smp->ltk) {
		smp->ltk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->ltk->bdaddr, &hcon->dst);
		mgmt_new_ltk(hdev, smp->ltk, persistent);
	}

	if (smp->slave_ltk) {
		smp->slave_ltk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
	}
}

912 913 914 915 916 917 918 919 920 921 922 923 924 925
static void smp_allow_key_dist(struct smp_chan *smp)
{
	/* Allow the first expected phase 3 PDU. The rest of the PDUs
	 * will be allowed in each PDU handler to ensure we receive
	 * them in the correct order.
	 */
	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
}

926
static void smp_distribute_keys(struct smp_chan *smp)
927 928
{
	struct smp_cmd_pairing *req, *rsp;
929
	struct l2cap_conn *conn = smp->conn;
930 931 932 933 934 935 936 937 938
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	__u8 *keydist;

	BT_DBG("conn %p", conn);

	rsp = (void *) &smp->prsp[1];

	/* The responder sends its keys first */
939 940
	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
		smp_allow_key_dist(smp);
941
		return;
942
	}
943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026

	req = (void *) &smp->preq[1];

	if (hcon->out) {
		keydist = &rsp->init_key_dist;
		*keydist &= req->init_key_dist;
	} else {
		keydist = &rsp->resp_key_dist;
		*keydist &= req->resp_key_dist;
	}

	BT_DBG("keydist 0x%x", *keydist);

	if (*keydist & SMP_DIST_ENC_KEY) {
		struct smp_cmd_encrypt_info enc;
		struct smp_cmd_master_ident ident;
		struct smp_ltk *ltk;
		u8 authenticated;
		__le16 ediv;
		__le64 rand;

		get_random_bytes(enc.ltk, sizeof(enc.ltk));
		get_random_bytes(&ediv, sizeof(ediv));
		get_random_bytes(&rand, sizeof(rand));

		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);

		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
				  SMP_LTK_SLAVE, authenticated, enc.ltk,
				  smp->enc_key_size, ediv, rand);
		smp->slave_ltk = ltk;

		ident.ediv = ediv;
		ident.rand = rand;

		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);

		*keydist &= ~SMP_DIST_ENC_KEY;
	}

	if (*keydist & SMP_DIST_ID_KEY) {
		struct smp_cmd_ident_addr_info addrinfo;
		struct smp_cmd_ident_info idinfo;

		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));

		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);

		/* The hci_conn contains the local identity address
		 * after the connection has been established.
		 *
		 * This is true even when the connection has been
		 * established using a resolvable random address.
		 */
		bacpy(&addrinfo.bdaddr, &hcon->src);
		addrinfo.addr_type = hcon->src_type;

		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
			     &addrinfo);

		*keydist &= ~SMP_DIST_ID_KEY;
	}

	if (*keydist & SMP_DIST_SIGN) {
		struct smp_cmd_sign_info sign;
		struct smp_csrk *csrk;

		/* Generate a new random key */
		get_random_bytes(sign.csrk, sizeof(sign.csrk));

		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
		if (csrk) {
			csrk->master = 0x00;
			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
		}
		smp->slave_csrk = csrk;

		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);

		*keydist &= ~SMP_DIST_SIGN;
	}

	/* If there are still keys to be received wait for them */
1027 1028
	if (smp->remote_key_dist & KEY_DIST_MASK) {
		smp_allow_key_dist(smp);
1029
		return;
1030
	}
1031 1032 1033 1034 1035 1036 1037

	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
	smp_notify_keys(conn);

	smp_chan_destroy(conn);
}

1038 1039 1040 1041 1042 1043 1044 1045
static void smp_timeout(struct work_struct *work)
{
	struct smp_chan *smp = container_of(work, struct smp_chan,
					    security_timer.work);
	struct l2cap_conn *conn = smp->conn;

	BT_DBG("conn %p", conn);

1046
	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1047 1048
}

1049 1050
static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
{
1051
	struct l2cap_chan *chan = conn->smp;
1052 1053
	struct smp_chan *smp;

1054
	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1055
	if (!smp)
1056 1057
		return NULL;

1058 1059 1060 1061 1062 1063 1064
	smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(smp->tfm_aes)) {
		BT_ERR("Unable to create ECB crypto context");
		kfree(smp);
		return NULL;
	}

1065 1066 1067 1068 1069 1070 1071 1072
	smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(smp->tfm_cmac)) {
		BT_ERR("Unable to create CMAC crypto context");
		crypto_free_blkcipher(smp->tfm_aes);
		kfree(smp);
		return NULL;
	}

1073
	smp->conn = conn;
1074
	chan->data = smp;
1075

1076 1077
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);

1078 1079
	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);

1080 1081 1082 1083 1084
	hci_conn_hold(conn->hcon);

	return smp;
}

1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147
static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
{
	struct hci_conn *hcon = smp->conn->hcon;
	u8 *na, *nb, a[7], b[7];

	if (hcon->out) {
		na   = smp->prnd;
		nb   = smp->rrnd;
	} else {
		na   = smp->rrnd;
		nb   = smp->prnd;
	}

	memcpy(a, &hcon->init_addr, 6);
	memcpy(b, &hcon->resp_addr, 6);
	a[6] = hcon->init_addr_type;
	b[6] = hcon->resp_addr_type;

	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
}

static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
{
	struct hci_conn *hcon = smp->conn->hcon;
	struct smp_cmd_dhkey_check check;
	u8 a[7], b[7], *local_addr, *remote_addr;
	u8 io_cap[3], r[16];

	switch (mgmt_op) {
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
		return 0;
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
		return 0;
	}

	memcpy(a, &hcon->init_addr, 6);
	memcpy(b, &hcon->resp_addr, 6);
	a[6] = hcon->init_addr_type;
	b[6] = hcon->resp_addr_type;

	if (hcon->out) {
		local_addr = a;
		remote_addr = b;
		memcpy(io_cap, &smp->preq[1], 3);
	} else {
		local_addr = b;
		remote_addr = a;
		memcpy(io_cap, &smp->prsp[1], 3);
	}

	memcpy(r, &passkey, sizeof(passkey));
	memset(r + sizeof(passkey), 0, sizeof(r) - sizeof(passkey));

	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
	       local_addr, remote_addr, check.e);

	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);

	return 0;
}

1148 1149
int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
{
1150
	struct l2cap_conn *conn = hcon->l2cap_data;
1151
	struct l2cap_chan *chan;
1152 1153
	struct smp_chan *smp;
	u32 value;
1154
	int err;
1155 1156 1157

	BT_DBG("");

1158
	if (!conn)
1159 1160
		return -ENOTCONN;

1161 1162 1163 1164
	chan = conn->smp;
	if (!chan)
		return -ENOTCONN;

1165 1166 1167 1168 1169 1170
	l2cap_chan_lock(chan);
	if (!chan->data) {
		err = -ENOTCONN;
		goto unlock;
	}

1171
	smp = chan->data;
1172

1173 1174 1175 1176 1177
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		err = sc_user_reply(smp, mgmt_op, passkey);
		goto unlock;
	}

1178 1179 1180
	switch (mgmt_op) {
	case MGMT_OP_USER_PASSKEY_REPLY:
		value = le32_to_cpu(passkey);
1181
		memset(smp->tk, 0, sizeof(smp->tk));
1182
		BT_DBG("PassKey: %d", value);
1183
		put_unaligned_le32(value, smp->tk);
1184 1185
		/* Fall Through */
	case MGMT_OP_USER_CONFIRM_REPLY:
1186
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1187 1188 1189
		break;
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1190
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1191 1192
		err = 0;
		goto unlock;
1193
	default:
1194
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1195 1196
		err = -EOPNOTSUPP;
		goto unlock;
1197 1198
	}

1199 1200
	err = 0;

1201
	/* If it is our turn to send Pairing Confirm, do so now */
1202 1203 1204 1205 1206
	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
		u8 rsp = smp_confirm(smp);
		if (rsp)
			smp_failure(conn, rsp);
	}
1207

1208 1209 1210
unlock:
	l2cap_chan_unlock(chan);
	return err;
1211 1212
}

1213
static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1214
{
1215
	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1216
	struct l2cap_chan *chan = conn->smp;
1217
	struct hci_dev *hdev = conn->hcon->hdev;
1218
	struct smp_chan *smp;
1219
	u8 key_size, auth, sec_level;
1220
	int ret;
1221 1222 1223

	BT_DBG("conn %p", conn);

1224
	if (skb->len < sizeof(*req))
1225
		return SMP_INVALID_PARAMS;
1226

1227
	if (conn->hcon->role != HCI_ROLE_SLAVE)
1228 1229
		return SMP_CMD_NOTSUPP;

1230
	if (!chan->data)
1231
		smp = smp_chan_create(conn);
1232
	else
1233
		smp = chan->data;
1234

1235 1236
	if (!smp)
		return SMP_UNSPECIFIED;
1237

1238
	/* We didn't start the pairing, so match remote */
1239
	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1240

1241
	if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1242
	    (auth & SMP_AUTH_BONDING))
1243 1244
		return SMP_PAIRING_NOTSUPP;

1245 1246
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
	memcpy(&smp->preq[1], req, sizeof(*req));
1247
	skb_pull(skb, sizeof(*req));
1248

1249
	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1250 1251 1252 1253
		sec_level = BT_SECURITY_MEDIUM;
	else
		sec_level = authreq_to_seclevel(auth);

1254 1255
	if (sec_level > conn->hcon->pending_sec_level)
		conn->hcon->pending_sec_level = sec_level;
1256

S
Stephen Hemminger 已提交
1257
	/* If we need MITM check that it can be achieved */
1258 1259 1260 1261 1262 1263 1264 1265 1266
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
		u8 method;

		method = get_auth_method(smp, conn->hcon->io_capability,
					 req->io_capability);
		if (method == JUST_WORKS || method == JUST_CFM)
			return SMP_AUTH_REQUIREMENTS;
	}

1267
	build_pairing_cmd(conn, req, &rsp, auth);
1268

1269 1270 1271
	if (rsp.auth_req & SMP_AUTH_SC)
		set_bit(SMP_FLAG_SC, &smp->flags);

1272 1273 1274
	key_size = min(req->max_key_size, rsp.max_key_size);
	if (check_enc_key_size(conn, key_size))
		return SMP_ENC_KEY_SIZE;
1275

1276
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1277

1278 1279
	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1280

1281
	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1282 1283 1284 1285 1286 1287 1288 1289 1290 1291 1292 1293

	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);

	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
		/* Clear bits which are generated but not distributed */
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
		/* Wait for Public Key from Initiating Device */
		return 0;
	} else {
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
	}
1294

1295 1296 1297 1298 1299
	/* Request setup of TK */
	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
	if (ret)
		return SMP_UNSPECIFIED;

1300
	return 0;
1301 1302
}

1303 1304 1305 1306 1307 1308 1309 1310 1311 1312 1313 1314 1315 1316 1317 1318 1319
static u8 sc_send_public_key(struct smp_chan *smp)
{
	BT_DBG("");

	/* Generate local key pair for Secure Connections */
	if (!ecc_make_key(smp->local_pk, smp->local_sk))
		return SMP_UNSPECIFIED;

	BT_DBG("Local Public Key X: %32phN", smp->local_pk);
	BT_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
	BT_DBG("Local Private Key:  %32phN", smp->local_sk);

	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);

	return 0;
}

1320
static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1321
{
1322
	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1323 1324
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1325
	struct hci_dev *hdev = conn->hcon->hdev;
1326
	u8 key_size, auth;
1327
	int ret;
1328 1329 1330

	BT_DBG("conn %p", conn);

1331
	if (skb->len < sizeof(*rsp))
1332
		return SMP_INVALID_PARAMS;
1333

1334
	if (conn->hcon->role != HCI_ROLE_MASTER)
1335 1336
		return SMP_CMD_NOTSUPP;

1337 1338
	skb_pull(skb, sizeof(*rsp));

1339
	req = (void *) &smp->preq[1];
1340

1341 1342 1343 1344
	key_size = min(req->max_key_size, rsp->max_key_size);
	if (check_enc_key_size(conn, key_size))
		return SMP_ENC_KEY_SIZE;

1345
	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1346

1347 1348
	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
		set_bit(SMP_FLAG_SC, &smp->flags);
1349 1350
	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1351

S
Stephen Hemminger 已提交
1352
	/* If we need MITM check that it can be achieved */
1353 1354 1355 1356 1357 1358 1359 1360 1361
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
		u8 method;

		method = get_auth_method(smp, req->io_capability,
					 rsp->io_capability);
		if (method == JUST_WORKS || method == JUST_CFM)
			return SMP_AUTH_REQUIREMENTS;
	}

1362
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1363

1364 1365
	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1366

1367 1368 1369 1370 1371
	/* Update remote key distribution in case the remote cleared
	 * some bits that we had enabled in our request.
	 */
	smp->remote_key_dist &= rsp->resp_key_dist;

1372 1373 1374 1375 1376 1377 1378
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		/* Clear bits which are generated but not distributed */
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
		return sc_send_public_key(smp);
	}

1379
	auth |= req->auth_req;
1380

1381
	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1382 1383 1384
	if (ret)
		return SMP_UNSPECIFIED;

1385
	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1386 1387

	/* Can't compose response until we have been confirmed */
1388
	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1389
		return smp_confirm(smp);
1390 1391

	return 0;
1392 1393
}

1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412
static u8 sc_check_confirm(struct smp_chan *smp)
{
	struct l2cap_conn *conn = smp->conn;

	BT_DBG("");

	/* Public Key exchange must happen before any other steps */
	if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
		return SMP_UNSPECIFIED;

	if (conn->hcon->out) {
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
	}

	return 0;
}

1413
static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1414
{
1415 1416
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1417

1418 1419
	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

1420
	if (skb->len < sizeof(smp->pcnf))
1421
		return SMP_INVALID_PARAMS;
1422

1423 1424
	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
	skb_pull(skb, sizeof(smp->pcnf));
1425

1426 1427 1428
	if (test_bit(SMP_FLAG_SC, &smp->flags))
		return sc_check_confirm(smp);

1429
	if (conn->hcon->out) {
1430 1431
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
1432 1433 1434 1435 1436
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
		return 0;
	}

	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1437
		return smp_confirm(smp);
1438
	else
1439
		set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1440 1441

	return 0;
1442 1443
}

1444
static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1445
{
1446 1447
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1448 1449 1450 1451
	struct hci_conn *hcon = conn->hcon;
	u8 *pkax, *pkbx, *na, *nb;
	u32 passkey;
	int err;
1452

1453
	BT_DBG("conn %p", conn);
1454

1455
	if (skb->len < sizeof(smp->rrnd))
1456
		return SMP_INVALID_PARAMS;
1457

1458
	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1459
	skb_pull(skb, sizeof(smp->rrnd));
1460

1461 1462 1463 1464 1465 1466 1467 1468 1469 1470 1471 1472 1473 1474 1475 1476 1477 1478 1479 1480 1481 1482 1483 1484 1485 1486 1487 1488 1489
	if (!test_bit(SMP_FLAG_SC, &smp->flags))
		return smp_random(smp);

	if (hcon->out) {
		u8 cfm[16];

		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
			     smp->rrnd, 0, cfm);
		if (err)
			return SMP_UNSPECIFIED;

		if (memcmp(smp->pcnf, cfm, 16))
			return SMP_CONFIRM_FAILED;

		pkax = smp->local_pk;
		pkbx = smp->remote_pk;
		na   = smp->prnd;
		nb   = smp->rrnd;
	} else {
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);

		pkax = smp->remote_pk;
		pkbx = smp->local_pk;
		na   = smp->rrnd;
		nb   = smp->prnd;
	}

1490 1491 1492 1493 1494
	/* Generate MacKey and LTK */
	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
	if (err)
		return SMP_UNSPECIFIED;

1495 1496 1497 1498 1499 1500 1501 1502 1503 1504 1505
	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
	if (err)
		return SMP_UNSPECIFIED;

	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
					hcon->type, hcon->dst_type,
					passkey, 0);
	if (err)
		return SMP_UNSPECIFIED;

	return 0;
1506 1507
}

1508
static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
1509
{
1510
	struct smp_ltk *key;
1511 1512
	struct hci_conn *hcon = conn->hcon;

1513
	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
1514
	if (!key)
1515
		return false;
1516

1517
	if (smp_ltk_sec_level(key) < sec_level)
1518
		return false;
1519

1520
	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1521
		return true;
1522

1523 1524
	hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
	hcon->enc_key_size = key->enc_size;
1525

1526 1527 1528
	/* We never store STKs for master role, so clear this flag */
	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);

1529
	return true;
1530
}
1531

1532 1533
bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
			     enum smp_key_pref key_pref)
1534 1535 1536 1537
{
	if (sec_level == BT_SECURITY_LOW)
		return true;

1538 1539 1540 1541 1542
	/* If we're encrypted with an STK but the caller prefers using
	 * LTK claim insufficient security. This way we allow the
	 * connection to be re-encrypted with an LTK, even if the LTK
	 * provides the same level of security. Only exception is if we
	 * don't have an LTK (e.g. because of key distribution bits).
1543
	 */
1544 1545
	if (key_pref == SMP_USE_LTK &&
	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
1546
	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
1547 1548
		return false;

1549 1550 1551 1552 1553 1554
	if (hcon->sec_level >= sec_level)
		return true;

	return false;
}

1555
static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
1556 1557 1558
{
	struct smp_cmd_security_req *rp = (void *) skb->data;
	struct smp_cmd_pairing cp;
1559
	struct hci_conn *hcon = conn->hcon;
1560
	struct hci_dev *hdev = hcon->hdev;
1561
	struct smp_chan *smp;
1562
	u8 sec_level, auth;
1563 1564 1565

	BT_DBG("conn %p", conn);

1566
	if (skb->len < sizeof(*rp))
1567
		return SMP_INVALID_PARAMS;
1568

1569
	if (hcon->role != HCI_ROLE_MASTER)
1570 1571
		return SMP_CMD_NOTSUPP;

1572
	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
1573

1574
	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1575 1576 1577 1578
		sec_level = BT_SECURITY_MEDIUM;
	else
		sec_level = authreq_to_seclevel(auth);

1579
	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1580 1581
		return 0;

1582 1583
	if (sec_level > hcon->pending_sec_level)
		hcon->pending_sec_level = sec_level;
1584

1585
	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
1586 1587
		return 0;

1588
	smp = smp_chan_create(conn);
1589 1590
	if (!smp)
		return SMP_UNSPECIFIED;
1591

1592
	if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
1593
	    (auth & SMP_AUTH_BONDING))
1594 1595
		return SMP_PAIRING_NOTSUPP;

1596 1597
	skb_pull(skb, sizeof(*rp));

1598
	memset(&cp, 0, sizeof(cp));
1599
	build_pairing_cmd(conn, &cp, NULL, auth);
1600

1601 1602
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
	memcpy(&smp->preq[1], &cp, sizeof(cp));
1603

1604
	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1605
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1606

1607
	return 0;
1608 1609
}

1610
int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
1611
{
1612
	struct l2cap_conn *conn = hcon->l2cap_data;
1613
	struct l2cap_chan *chan;
1614
	struct smp_chan *smp;
1615
	__u8 authreq;
1616
	int ret;
1617

1618 1619
	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);

1620 1621 1622 1623
	/* This may be NULL if there's an unexpected disconnection */
	if (!conn)
		return 1;

1624 1625
	chan = conn->smp;

1626
	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
1627 1628
		return 1;

1629
	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
1630
		return 1;
1631

1632 1633 1634
	if (sec_level > hcon->pending_sec_level)
		hcon->pending_sec_level = sec_level;

1635
	if (hcon->role == HCI_ROLE_MASTER)
1636 1637
		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
			return 0;
1638

1639 1640 1641 1642 1643 1644 1645
	l2cap_chan_lock(chan);

	/* If SMP is already in progress ignore this request */
	if (chan->data) {
		ret = 0;
		goto unlock;
	}
1646

1647
	smp = smp_chan_create(conn);
1648 1649 1650 1651
	if (!smp) {
		ret = 1;
		goto unlock;
	}
1652 1653

	authreq = seclevel_to_authreq(sec_level);
1654

1655 1656 1657
	if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
		authreq |= SMP_AUTH_SC;

1658 1659
	/* Require MITM if IO Capability allows or the security level
	 * requires it.
1660
	 */
1661
	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
1662
	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
1663 1664
		authreq |= SMP_AUTH_MITM;

1665
	if (hcon->role == HCI_ROLE_MASTER) {
1666
		struct smp_cmd_pairing cp;
1667

1668
		build_pairing_cmd(conn, &cp, NULL, authreq);
1669 1670
		smp->preq[0] = SMP_CMD_PAIRING_REQ;
		memcpy(&smp->preq[1], &cp, sizeof(cp));
1671

1672
		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1673
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
1674 1675
	} else {
		struct smp_cmd_security_req cp;
1676
		cp.auth_req = authreq;
1677
		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1678
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
1679 1680
	}

1681
	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
1682
	ret = 0;
1683

1684 1685 1686
unlock:
	l2cap_chan_unlock(chan);
	return ret;
1687 1688
}

1689 1690
static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
1691
	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1692 1693
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1694

1695 1696 1697
	BT_DBG("conn %p", conn);

	if (skb->len < sizeof(*rp))
1698
		return SMP_INVALID_PARAMS;
1699

1700
	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
1701

1702 1703
	skb_pull(skb, sizeof(*rp));

1704
	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1705

1706 1707 1708 1709 1710
	return 0;
}

static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
{
1711
	struct smp_cmd_master_ident *rp = (void *) skb->data;
1712 1713
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1714 1715
	struct hci_dev *hdev = conn->hcon->hdev;
	struct hci_conn *hcon = conn->hcon;
1716
	struct smp_ltk *ltk;
1717
	u8 authenticated;
1718

1719 1720 1721
	BT_DBG("conn %p", conn);

	if (skb->len < sizeof(*rp))
1722
		return SMP_INVALID_PARAMS;
1723

1724 1725 1726
	/* Mark the information as received */
	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;

1727 1728
	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1729 1730
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1731

1732
	skb_pull(skb, sizeof(*rp));
1733

1734
	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
1735
	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
1736 1737 1738
			  authenticated, smp->tk, smp->enc_key_size,
			  rp->ediv, rp->rand);
	smp->ltk = ltk;
1739
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
1740
		smp_distribute_keys(smp);
1741 1742 1743 1744

	return 0;
}

1745 1746 1747
static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_ident_info *info = (void *) skb->data;
1748 1749
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1750 1751 1752 1753

	BT_DBG("");

	if (skb->len < sizeof(*info))
1754
		return SMP_INVALID_PARAMS;
1755

1756
	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
1757

1758 1759 1760 1761 1762 1763 1764 1765 1766 1767 1768
	skb_pull(skb, sizeof(*info));

	memcpy(smp->irk, info->irk, 16);

	return 0;
}

static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
				   struct sk_buff *skb)
{
	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1769 1770
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1771 1772 1773 1774 1775 1776
	struct hci_conn *hcon = conn->hcon;
	bdaddr_t rpa;

	BT_DBG("");

	if (skb->len < sizeof(*info))
1777
		return SMP_INVALID_PARAMS;
1778

1779 1780 1781
	/* Mark the information as received */
	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;

1782 1783 1784
	if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);

1785 1786
	skb_pull(skb, sizeof(*info));

1787 1788 1789 1790 1791 1792 1793 1794 1795
	/* Strictly speaking the Core Specification (4.1) allows sending
	 * an empty address which would force us to rely on just the IRK
	 * as "identity information". However, since such
	 * implementations are not known of and in order to not over
	 * complicate our implementation, simply pretend that we never
	 * received an IRK for such a device.
	 */
	if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
		BT_ERR("Ignoring IRK with no identity address");
1796
		goto distribute;
1797 1798
	}

1799 1800 1801 1802 1803 1804 1805 1806
	bacpy(&smp->id_addr, &info->bdaddr);
	smp->id_addr_type = info->addr_type;

	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
		bacpy(&rpa, &hcon->dst);
	else
		bacpy(&rpa, BDADDR_ANY);

1807 1808
	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
				      smp->id_addr_type, smp->irk, &rpa);
1809

1810
distribute:
1811 1812
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
		smp_distribute_keys(smp);
1813 1814 1815 1816

	return 0;
}

1817 1818 1819
static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_sign_info *rp = (void *) skb->data;
1820 1821
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1822 1823 1824 1825 1826
	struct smp_csrk *csrk;

	BT_DBG("conn %p", conn);

	if (skb->len < sizeof(*rp))
1827
		return SMP_INVALID_PARAMS;
1828 1829 1830 1831 1832 1833 1834 1835 1836 1837 1838 1839

	/* Mark the information as received */
	smp->remote_key_dist &= ~SMP_DIST_SIGN;

	skb_pull(skb, sizeof(*rp));

	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
	if (csrk) {
		csrk->master = 0x01;
		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
	}
	smp->csrk = csrk;
1840
	smp_distribute_keys(smp);
1841 1842 1843 1844

	return 0;
}

1845 1846 1847 1848 1849 1850
static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_public_key *key = (void *) skb->data;
	struct hci_conn *hcon = conn->hcon;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
1851
	struct smp_cmd_pairing_confirm cfm;
1852 1853 1854 1855 1856 1857 1858 1859 1860 1861 1862 1863 1864 1865 1866 1867 1868 1869 1870 1871 1872 1873 1874 1875 1876 1877 1878 1879
	int err;

	BT_DBG("conn %p", conn);

	if (skb->len < sizeof(*key))
		return SMP_INVALID_PARAMS;

	memcpy(smp->remote_pk, key, 64);

	/* Non-initiating device sends its public key after receiving
	 * the key from the initiating device.
	 */
	if (!hcon->out) {
		err = sc_send_public_key(smp);
		if (err)
			return err;
	}

	BT_DBG("Remote Public Key X: %32phN", smp->remote_pk);
	BT_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);

	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
		return SMP_UNSPECIFIED;

	BT_DBG("DHKey %32phN", smp->dhkey);

	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);

1880 1881 1882 1883 1884 1885 1886 1887 1888 1889 1890 1891 1892 1893
	/* The Initiating device waits for the non-initiating device to
	 * send the confirm value.
	 */
	if (conn->hcon->out)
		return 0;

	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
		     0, cfm.confirm_val);
	if (err)
		return SMP_UNSPECIFIED;

	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

1894 1895 1896
	return 0;
}

1897
static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
1898
{
1899
	struct l2cap_conn *conn = chan->conn;
1900
	struct hci_conn *hcon = conn->hcon;
1901
	struct smp_chan *smp;
1902
	__u8 code, reason;
1903 1904
	int err = 0;

1905 1906
	if (hcon->type != LE_LINK) {
		kfree_skb(skb);
1907
		return 0;
1908 1909
	}

1910
	if (skb->len < 1)
1911 1912
		return -EILSEQ;

1913
	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1914 1915 1916 1917
		reason = SMP_PAIRING_NOTSUPP;
		goto done;
	}

1918
	code = skb->data[0];
1919 1920
	skb_pull(skb, sizeof(code));

1921 1922 1923 1924 1925
	smp = chan->data;

	if (code > SMP_CMD_MAX)
		goto drop;

1926
	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
1927 1928 1929 1930
		goto drop;

	/* If we don't have a context the only allowed commands are
	 * pairing request and security request.
1931
	 */
1932 1933
	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
		goto drop;
1934

1935 1936
	switch (code) {
	case SMP_CMD_PAIRING_REQ:
1937
		reason = smp_cmd_pairing_req(conn, skb);
1938 1939 1940
		break;

	case SMP_CMD_PAIRING_FAIL:
1941
		smp_failure(conn, 0);
1942
		err = -EPERM;
1943 1944 1945
		break;

	case SMP_CMD_PAIRING_RSP:
1946
		reason = smp_cmd_pairing_rsp(conn, skb);
1947 1948 1949
		break;

	case SMP_CMD_SECURITY_REQ:
1950
		reason = smp_cmd_security_req(conn, skb);
1951 1952
		break;

1953
	case SMP_CMD_PAIRING_CONFIRM:
1954
		reason = smp_cmd_pairing_confirm(conn, skb);
1955 1956
		break;

1957
	case SMP_CMD_PAIRING_RANDOM:
1958
		reason = smp_cmd_pairing_random(conn, skb);
1959 1960
		break;

1961
	case SMP_CMD_ENCRYPT_INFO:
1962 1963 1964
		reason = smp_cmd_encrypt_info(conn, skb);
		break;

1965
	case SMP_CMD_MASTER_IDENT:
1966 1967 1968
		reason = smp_cmd_master_ident(conn, skb);
		break;

1969
	case SMP_CMD_IDENT_INFO:
1970 1971 1972
		reason = smp_cmd_ident_info(conn, skb);
		break;

1973
	case SMP_CMD_IDENT_ADDR_INFO:
1974 1975 1976
		reason = smp_cmd_ident_addr_info(conn, skb);
		break;

1977
	case SMP_CMD_SIGN_INFO:
1978
		reason = smp_cmd_sign_info(conn, skb);
1979 1980
		break;

1981 1982 1983 1984
	case SMP_CMD_PUBLIC_KEY:
		reason = smp_cmd_public_key(conn, skb);
		break;

1985 1986 1987
	default:
		BT_DBG("Unknown command code 0x%2.2x", code);
		reason = SMP_CMD_NOTSUPP;
1988
		goto done;
1989 1990
	}

1991
done:
1992 1993 1994
	if (!err) {
		if (reason)
			smp_failure(conn, reason);
1995
		kfree_skb(skb);
1996 1997
	}

1998
	return err;
1999 2000 2001 2002 2003 2004

drop:
	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
	       code, &hcon->dst);
	kfree_skb(skb);
	return 0;
2005
}
2006

2007 2008 2009 2010 2011 2012
static void smp_teardown_cb(struct l2cap_chan *chan, int err)
{
	struct l2cap_conn *conn = chan->conn;

	BT_DBG("chan %p", chan);

2013
	if (chan->data)
2014 2015
		smp_chan_destroy(conn);

2016 2017 2018 2019
	conn->smp = NULL;
	l2cap_chan_put(chan);
}

2020 2021
static void smp_resume_cb(struct l2cap_chan *chan)
{
2022
	struct smp_chan *smp = chan->data;
2023 2024 2025 2026 2027
	struct l2cap_conn *conn = chan->conn;
	struct hci_conn *hcon = conn->hcon;

	BT_DBG("chan %p", chan);

2028 2029
	if (!smp)
		return;
2030

2031 2032 2033
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
		return;

2034 2035
	cancel_delayed_work(&smp->security_timer);

2036
	smp_distribute_keys(smp);
2037 2038
}

2039 2040 2041 2042 2043 2044 2045 2046 2047 2048
static void smp_ready_cb(struct l2cap_chan *chan)
{
	struct l2cap_conn *conn = chan->conn;

	BT_DBG("chan %p", chan);

	conn->smp = chan;
	l2cap_chan_hold(chan);
}

2049 2050 2051 2052 2053 2054 2055 2056
static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
{
	int err;

	BT_DBG("chan %p", chan);

	err = smp_sig_channel(chan, skb);
	if (err) {
2057
		struct smp_chan *smp = chan->data;
2058

2059 2060
		if (smp)
			cancel_delayed_work_sync(&smp->security_timer);
2061

2062
		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2063 2064 2065 2066 2067
	}

	return err;
}

2068 2069 2070 2071 2072 2073 2074 2075 2076 2077 2078 2079 2080 2081 2082 2083 2084 2085 2086
static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
					unsigned long hdr_len,
					unsigned long len, int nb)
{
	struct sk_buff *skb;

	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
	if (!skb)
		return ERR_PTR(-ENOMEM);

	skb->priority = HCI_PRIO_MAX;
	bt_cb(skb)->chan = chan;

	return skb;
}

static const struct l2cap_ops smp_chan_ops = {
	.name			= "Security Manager",
	.ready			= smp_ready_cb,
2087
	.recv			= smp_recv_cb,
2088 2089
	.alloc_skb		= smp_alloc_skb_cb,
	.teardown		= smp_teardown_cb,
2090
	.resume			= smp_resume_cb,
2091 2092 2093 2094 2095 2096 2097 2098 2099 2100 2101 2102 2103 2104 2105 2106 2107 2108 2109 2110 2111 2112 2113 2114 2115 2116 2117 2118 2119

	.new_connection		= l2cap_chan_no_new_connection,
	.state_change		= l2cap_chan_no_state_change,
	.close			= l2cap_chan_no_close,
	.defer			= l2cap_chan_no_defer,
	.suspend		= l2cap_chan_no_suspend,
	.set_shutdown		= l2cap_chan_no_set_shutdown,
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
	.memcpy_fromiovec	= l2cap_chan_no_memcpy_fromiovec,
};

static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
{
	struct l2cap_chan *chan;

	BT_DBG("pchan %p", pchan);

	chan = l2cap_chan_create();
	if (!chan)
		return NULL;

	chan->chan_type	= pchan->chan_type;
	chan->ops	= &smp_chan_ops;
	chan->scid	= pchan->scid;
	chan->dcid	= chan->scid;
	chan->imtu	= pchan->imtu;
	chan->omtu	= pchan->omtu;
	chan->mode	= pchan->mode;

2120 2121 2122 2123 2124 2125 2126
	/* Other L2CAP channels may request SMP routines in order to
	 * change the security level. This means that the SMP channel
	 * lock must be considered in its own category to avoid lockdep
	 * warnings.
	 */
	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);

2127 2128 2129 2130 2131 2132 2133 2134 2135 2136 2137 2138 2139 2140 2141 2142 2143 2144 2145 2146 2147 2148 2149 2150
	BT_DBG("created chan %p", chan);

	return chan;
}

static const struct l2cap_ops smp_root_chan_ops = {
	.name			= "Security Manager Root",
	.new_connection		= smp_new_conn_cb,

	/* None of these are implemented for the root channel */
	.close			= l2cap_chan_no_close,
	.alloc_skb		= l2cap_chan_no_alloc_skb,
	.recv			= l2cap_chan_no_recv,
	.state_change		= l2cap_chan_no_state_change,
	.teardown		= l2cap_chan_no_teardown,
	.ready			= l2cap_chan_no_ready,
	.defer			= l2cap_chan_no_defer,
	.suspend		= l2cap_chan_no_suspend,
	.resume			= l2cap_chan_no_resume,
	.set_shutdown		= l2cap_chan_no_set_shutdown,
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
	.memcpy_fromiovec	= l2cap_chan_no_memcpy_fromiovec,
};

2151 2152
int smp_register(struct hci_dev *hdev)
{
2153
	struct l2cap_chan *chan;
2154
	struct crypto_blkcipher	*tfm_aes;
2155

2156 2157
	BT_DBG("%s", hdev->name);

J
Johan Hedberg 已提交
2158
	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2159 2160
	if (IS_ERR(tfm_aes)) {
		int err = PTR_ERR(tfm_aes);
2161 2162 2163 2164
		BT_ERR("Unable to create crypto context");
		return err;
	}

2165 2166
	chan = l2cap_chan_create();
	if (!chan) {
2167
		crypto_free_blkcipher(tfm_aes);
2168 2169 2170
		return -ENOMEM;
	}

2171 2172
	chan->data = tfm_aes;

2173
	l2cap_add_scid(chan, L2CAP_CID_SMP);
2174 2175 2176 2177 2178 2179 2180 2181 2182 2183

	l2cap_chan_set_defaults(chan);

	bacpy(&chan->src, &hdev->bdaddr);
	chan->src_type = BDADDR_LE_PUBLIC;
	chan->state = BT_LISTEN;
	chan->mode = L2CAP_MODE_BASIC;
	chan->imtu = L2CAP_DEFAULT_MTU;
	chan->ops = &smp_root_chan_ops;

2184 2185 2186
	/* Set correct nesting level for a parent/listening channel */
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);

2187 2188
	hdev->smp_data = chan;

2189 2190 2191 2192 2193
	return 0;
}

void smp_unregister(struct hci_dev *hdev)
{
2194
	struct l2cap_chan *chan = hdev->smp_data;
2195
	struct crypto_blkcipher *tfm_aes;
2196 2197 2198 2199 2200

	if (!chan)
		return;

	BT_DBG("%s chan %p", hdev->name, chan);
2201

2202 2203 2204 2205
	tfm_aes = chan->data;
	if (tfm_aes) {
		chan->data = NULL;
		crypto_free_blkcipher(tfm_aes);
2206
	}
2207 2208 2209

	hdev->smp_data = NULL;
	l2cap_chan_put(chan);
2210
}