smp.c 11.9 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/smp.h>
27 28 29
#include <linux/crypto.h>
#include <crypto/b128ops.h>

30 31
#define SMP_TIMEOUT 30000 /* 30 seconds */

32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145
static inline void swap128(u8 src[16], u8 dst[16])
{
	int i;
	for (i = 0; i < 16; i++)
		dst[15 - i] = src[i];
}

static inline void swap56(u8 src[7], u8 dst[7])
{
	int i;
	for (i = 0; i < 7; i++)
		dst[6 - i] = src[i];
}

static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
{
	struct blkcipher_desc desc;
	struct scatterlist sg;
	int err, iv_len;
	unsigned char iv[128];

	if (tfm == NULL) {
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

	err = crypto_blkcipher_setkey(tfm, k, 16);
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

	sg_init_one(&sg, r, 16);

	iv_len = crypto_blkcipher_ivsize(tfm);
	if (iv_len) {
		memset(&iv, 0xff, iv_len);
		crypto_blkcipher_set_iv(tfm, iv, iv_len);
	}

	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
	if (err)
		BT_ERR("Encrypt data error %d", err);

	return err;
}

static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
		u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
		u8 _rat, bdaddr_t *ra, u8 res[16])
{
	u8 p1[16], p2[16];
	int err;

	memset(p1, 0, 16);

	/* p1 = pres || preq || _rat || _iat */
	swap56(pres, p1);
	swap56(preq, p1 + 7);
	p1[14] = _rat;
	p1[15] = _iat;

	memset(p2, 0, 16);

	/* p2 = padding || ia || ra */
	baswap((bdaddr_t *) (p2 + 4), ia);
	baswap((bdaddr_t *) (p2 + 10), ra);

	/* res = r XOR p1 */
	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);

	/* res = e(k, res) */
	err = smp_e(tfm, k, res);
	if (err) {
		BT_ERR("Encrypt data error");
		return err;
	}

	/* res = res XOR p2 */
	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);

	/* res = e(k, res) */
	err = smp_e(tfm, k, res);
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16],
			u8 r1[16], u8 r2[16], u8 _r[16])
{
	int err;

	/* Just least significant octets from r1 and r2 are considered */
	memcpy(_r, r1 + 8, 8);
	memcpy(_r + 8, r2 + 8, 8);

	err = smp_e(tfm, k, _r);
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

static int smp_rand(u8 *buf)
{
	get_random_bytes(buf, 16);

	return 0;
}
146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185

static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
						u16 dlen, void *data)
{
	struct sk_buff *skb;
	struct l2cap_hdr *lh;
	int len;

	len = L2CAP_HDR_SIZE + sizeof(code) + dlen;

	if (len > conn->mtu)
		return NULL;

	skb = bt_skb_alloc(len, GFP_ATOMIC);
	if (!skb)
		return NULL;

	lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
	lh->len = cpu_to_le16(sizeof(code) + dlen);
	lh->cid = cpu_to_le16(L2CAP_CID_SMP);

	memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));

	memcpy(skb_put(skb, dlen), data, dlen);

	return skb;
}

static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
{
	struct sk_buff *skb = smp_build_cmd(conn, code, len, data);

	BT_DBG("code 0x%2.2x", code);

	if (!skb)
		return;

	hci_send_acl(conn->hcon, skb, 0);
}

186 187 188 189 190 191 192 193 194 195 196 197
static __u8 seclevel_to_authreq(__u8 level)
{
	switch (level) {
	case BT_SECURITY_HIGH:
		/* Right now we don't support bonding */
		return SMP_AUTH_MITM;

	default:
		return SMP_AUTH_NONE;
	}
}

198 199 200 201 202
static void build_pairing_cmd(struct l2cap_conn *conn,
				struct smp_cmd_pairing *cmd, __u8 authreq)
{
	cmd->io_capability = conn->hcon->io_capability;
	cmd->oob_flag = SMP_OOB_NOT_PRESENT;
203
	cmd->max_key_size = SMP_MAX_ENC_KEY_SIZE;
204 205 206 207 208
	cmd->init_key_dist = 0x00;
	cmd->resp_key_dist = 0x00;
	cmd->auth_req = authreq;
}

209 210 211 212 213 214 215 216 217 218 219
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
{
	if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
			(max_key_size < SMP_MIN_ENC_KEY_SIZE))
		return SMP_ENC_KEY_SIZE;

	conn->smp_key_size = max_key_size;

	return 0;
}

220
static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
221
{
222 223
	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
	u8 key_size;
224 225 226

	BT_DBG("conn %p", conn);

227
	conn->preq[0] = SMP_CMD_PAIRING_REQ;
228 229
	memcpy(&conn->preq[1], req, sizeof(*req));
	skb_pull(skb, sizeof(*req));
230

231
	if (req->oob_flag)
232 233 234
		return SMP_OOB_NOT_AVAIL;

	/* We didn't start the pairing, so no requirements */
235 236 237 238 239
	build_pairing_cmd(conn, &rsp, SMP_AUTH_NONE);

	key_size = min(req->max_key_size, rsp.max_key_size);
	if (check_enc_key_size(conn, key_size))
		return SMP_ENC_KEY_SIZE;
240

241 242 243
	/* Just works */
	memset(conn->tk, 0, sizeof(conn->tk));

244
	conn->prsp[0] = SMP_CMD_PAIRING_RSP;
245
	memcpy(&conn->prsp[1], &rsp, sizeof(rsp));
246

247
	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
248

249 250 251
	mod_timer(&conn->security_timer, jiffies +
					msecs_to_jiffies(SMP_TIMEOUT));

252
	return 0;
253 254
}

255
static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
256
{
257
	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
258
	struct smp_cmd_pairing_confirm cp;
259 260
	struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
	int ret;
261
	u8 res[16], key_size;
262 263 264

	BT_DBG("conn %p", conn);

265 266 267
	skb_pull(skb, sizeof(*rsp));

	req = (void *) &conn->preq[1];
268

269 270 271 272 273
	key_size = min(req->max_key_size, rsp->max_key_size);
	if (check_enc_key_size(conn, key_size))
		return SMP_ENC_KEY_SIZE;

	if (rsp->oob_flag)
274 275
		return SMP_OOB_NOT_AVAIL;

276 277
	/* Just works */
	memset(conn->tk, 0, sizeof(conn->tk));
278

279
	conn->prsp[0] = SMP_CMD_PAIRING_RSP;
280
	memcpy(&conn->prsp[1], rsp, sizeof(*rsp));
281

282 283
	ret = smp_rand(conn->prnd);
	if (ret)
284
		return SMP_UNSPECIFIED;
285 286 287 288

	ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp, 0,
			conn->src, conn->hcon->dst_type, conn->dst, res);
	if (ret)
289
		return SMP_UNSPECIFIED;
290 291 292

	swap128(res, cp.confirm_val);

293
	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
294 295

	return 0;
296 297
}

298
static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
299
{
300 301
	struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;

302 303
	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

304 305
	memcpy(conn->pcnf, skb->data, sizeof(conn->pcnf));
	skb_pull(skb, sizeof(conn->pcnf));
306

307 308
	if (conn->hcon->out) {
		u8 random[16];
309

310
		swap128(conn->prnd, random);
311
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
312
								random);
313
	} else {
314 315 316
		struct smp_cmd_pairing_confirm cp;
		int ret;
		u8 res[16];
317

318 319
		ret = smp_rand(conn->prnd);
		if (ret)
320
			return SMP_UNSPECIFIED;
321

322 323 324 325
		ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp,
						conn->hcon->dst_type, conn->dst,
						0, conn->src, res);
		if (ret)
326
			return SMP_CONFIRM_FAILED;
327 328 329 330

		swap128(res, cp.confirm_val);

		smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
331
	}
332

333 334 335
	mod_timer(&conn->security_timer, jiffies +
					msecs_to_jiffies(SMP_TIMEOUT));

336
	return 0;
337 338
}

339
static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
340
{
341 342
	struct hci_conn *hcon = conn->hcon;
	struct crypto_blkcipher *tfm = hcon->hdev->tfm;
343
	int ret;
344
	u8 key[16], res[16], random[16], confirm[16];
345 346 347 348

	swap128(skb->data, random);
	skb_pull(skb, sizeof(random));

349 350
	memset(hcon->ltk, 0, sizeof(hcon->ltk));

351 352 353 354 355 356 357 358 359
	if (conn->hcon->out)
		ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp, 0,
				conn->src, conn->hcon->dst_type, conn->dst,
				res);
	else
		ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp,
				conn->hcon->dst_type, conn->dst, 0, conn->src,
				res);
	if (ret)
360
		return SMP_UNSPECIFIED;
361 362 363

	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

364 365 366 367
	swap128(res, confirm);

	if (memcmp(conn->pcnf, confirm, sizeof(conn->pcnf)) != 0) {
		BT_ERR("Pairing failed (confirmation values mismatch)");
368
		return SMP_CONFIRM_FAILED;
369
	}
370 371

	if (conn->hcon->out) {
372 373 374
		__le16 ediv;
		u8 rand[8];

375
		smp_s1(tfm, conn->tk, random, conn->prnd, key);
376
		swap128(key, hcon->ltk);
377

378 379 380
		memset(hcon->ltk + conn->smp_key_size, 0,
				SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);

381 382 383
		memset(rand, 0, sizeof(rand));
		ediv = 0;
		hci_le_start_enc(hcon, ediv, rand, hcon->ltk);
384
	} else {
385 386 387 388 389 390
		u8 r[16];

		swap128(conn->prnd, r);
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);

		smp_s1(tfm, conn->tk, conn->prnd, random, key);
391
		swap128(key, hcon->ltk);
392 393 394

		memset(hcon->ltk + conn->smp_key_size, 0,
				SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
395
	}
396 397

	return 0;
398 399
}

400
static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
401 402 403
{
	struct smp_cmd_security_req *rp = (void *) skb->data;
	struct smp_cmd_pairing cp;
404
	struct hci_conn *hcon = conn->hcon;
405 406 407

	BT_DBG("conn %p", conn);

408
	if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
409
		return 0;
410

411 412
	skb_pull(skb, sizeof(*rp));

413 414
	memset(&cp, 0, sizeof(cp));
	build_pairing_cmd(conn, &cp, rp->auth_req);
415

416 417 418
	conn->preq[0] = SMP_CMD_PAIRING_REQ;
	memcpy(&conn->preq[1], &cp, sizeof(cp));

419
	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
420

421 422 423
	mod_timer(&conn->security_timer, jiffies +
					msecs_to_jiffies(SMP_TIMEOUT));

424 425
	set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);

426
	return 0;
427 428
}

429 430
int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
{
431
	struct hci_conn *hcon = conn->hcon;
432 433
	__u8 authreq;

434 435 436 437
	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);

	if (IS_ERR(hcon->hdev->tfm))
		return 1;
438

439 440
	if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
		return 0;
441

442 443
	if (sec_level == BT_SECURITY_LOW)
		return 1;
444

445
	if (hcon->sec_level >= sec_level)
446
		return 1;
447 448

	authreq = seclevel_to_authreq(sec_level);
449

450
	if (hcon->link_mode & HCI_LM_MASTER) {
451
		struct smp_cmd_pairing cp;
452

453
		build_pairing_cmd(conn, &cp, authreq);
454 455 456
		conn->preq[0] = SMP_CMD_PAIRING_REQ;
		memcpy(&conn->preq[1], &cp, sizeof(cp));

457 458 459
		mod_timer(&conn->security_timer, jiffies +
					msecs_to_jiffies(SMP_TIMEOUT));

460 461 462 463 464 465 466
		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
	} else {
		struct smp_cmd_security_req cp;
		cp.auth_req = authreq;
		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
	}

467 468 469
	hcon->pending_sec_level = sec_level;
	set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);

470 471 472 473 474 475 476 477 478
	return 0;
}

int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
{
	__u8 code = skb->data[0];
	__u8 reason;
	int err = 0;

479 480 481 482 483 484
	if (IS_ERR(conn->hcon->hdev->tfm)) {
		err = PTR_ERR(conn->hcon->hdev->tfm);
		reason = SMP_PAIRING_NOTSUPP;
		goto done;
	}

485 486 487 488
	skb_pull(skb, sizeof(code));

	switch (code) {
	case SMP_CMD_PAIRING_REQ:
489
		reason = smp_cmd_pairing_req(conn, skb);
490 491 492
		break;

	case SMP_CMD_PAIRING_FAIL:
493 494
		reason = 0;
		err = -EPERM;
495 496 497
		break;

	case SMP_CMD_PAIRING_RSP:
498
		reason = smp_cmd_pairing_rsp(conn, skb);
499 500 501
		break;

	case SMP_CMD_SECURITY_REQ:
502
		reason = smp_cmd_security_req(conn, skb);
503 504
		break;

505
	case SMP_CMD_PAIRING_CONFIRM:
506
		reason = smp_cmd_pairing_confirm(conn, skb);
507 508
		break;

509
	case SMP_CMD_PAIRING_RANDOM:
510
		reason = smp_cmd_pairing_random(conn, skb);
511 512
		break;

513 514 515 516 517 518 519 520 521 522
	case SMP_CMD_ENCRYPT_INFO:
	case SMP_CMD_MASTER_IDENT:
	case SMP_CMD_IDENT_INFO:
	case SMP_CMD_IDENT_ADDR_INFO:
	case SMP_CMD_SIGN_INFO:
	default:
		BT_DBG("Unknown command code 0x%2.2x", code);

		reason = SMP_CMD_NOTSUPP;
		err = -EOPNOTSUPP;
523
		goto done;
524 525
	}

526 527 528 529 530
done:
	if (reason)
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
								&reason);

531 532 533
	kfree_skb(skb);
	return err;
}