2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
34 #define SMP_TIMEOUT msecs_to_jiffies(30000)
36 #define AUTH_REQ_MASK 0x07
47 struct l2cap_conn *conn;
48 u8 preq[7]; /* SMP Pairing Request */
49 u8 prsp[7]; /* SMP Pairing Response */
50 u8 prnd[16]; /* SMP Pairing Random (local) */
51 u8 rrnd[16]; /* SMP Pairing Random (remote) */
52 u8 pcnf[16]; /* SMP Pairing Confirm */
53 u8 tk[16]; /* SMP Temporary Key */
59 struct smp_csrk *csrk;
60 struct smp_csrk *slave_csrk;
62 struct smp_ltk *slave_ltk;
63 struct smp_irk *remote_irk;
66 struct crypto_blkcipher *tfm_aes;
69 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
73 for (i = 0; i < len; i++)
74 dst[len - 1 - i] = src[i];
77 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
79 struct blkcipher_desc desc;
80 struct scatterlist sg;
81 uint8_t tmp[16], data[16];
85 BT_ERR("tfm %p", tfm);
92 /* The most significant octet of key corresponds to k[0] */
95 err = crypto_blkcipher_setkey(tfm, tmp, 16);
97 BT_ERR("cipher setkey failed: %d", err);
101 /* Most significant octet of plaintextData corresponds to data[0] */
102 swap_buf(r, data, 16);
104 sg_init_one(&sg, data, 16);
106 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
108 BT_ERR("Encrypt data error %d", err);
110 /* Most significant octet of encryptedData corresponds to data[0] */
111 swap_buf(data, r, 16);
116 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
121 /* r' = padding || r */
123 memset(_res + 3, 0, 13);
125 err = smp_e(tfm, irk, _res);
127 BT_ERR("Encrypt error");
131 /* The output of the random address function ah is:
132 * ah(h, r) = e(k, r') mod 2^24
133 * The output of the security function e is then truncated to 24 bits
134 * by taking the least significant 24 bits of the output of e as the
137 memcpy(res, _res, 3);
142 bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
148 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
150 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
154 return !memcmp(bdaddr->b, hash, 3);
157 int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
161 get_random_bytes(&rpa->b[3], 3);
163 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
164 rpa->b[5] |= 0x40; /* Set second most significant bit */
166 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
170 BT_DBG("RPA %pMR", rpa);
175 static int smp_c1(struct smp_chan *smp, u8 k[16], u8 r[16], u8 preq[7],
176 u8 pres[7], u8 _iat, bdaddr_t *ia, u8 _rat, bdaddr_t *ra,
179 struct hci_dev *hdev = smp->conn->hcon->hdev;
183 BT_DBG("%s", hdev->name);
187 /* p1 = pres || preq || _rat || _iat */
190 memcpy(p1 + 2, preq, 7);
191 memcpy(p1 + 9, pres, 7);
193 /* p2 = padding || ia || ra */
195 memcpy(p2 + 6, ia, 6);
196 memset(p2 + 12, 0, 4);
199 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
201 /* res = e(k, res) */
202 err = smp_e(smp->tfm_aes, k, res);
204 BT_ERR("Encrypt data error");
208 /* res = res XOR p2 */
209 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
211 /* res = e(k, res) */
212 err = smp_e(smp->tfm_aes, k, res);
214 BT_ERR("Encrypt data error");
219 static int smp_s1(struct smp_chan *smp, u8 k[16], u8 r1[16], u8 r2[16],
222 struct hci_dev *hdev = smp->conn->hcon->hdev;
225 BT_DBG("%s", hdev->name);
227 /* Just least significant octets from r1 and r2 are considered */
229 memcpy(_r + 8, r1, 8);
231 err = smp_e(smp->tfm_aes, k, _r);
233 BT_ERR("Encrypt data error");
238 static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
239 u16 dlen, void *data)
242 struct l2cap_hdr *lh;
245 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
250 skb = bt_skb_alloc(len, GFP_ATOMIC);
254 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
255 lh->len = cpu_to_le16(sizeof(code) + dlen);
256 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
258 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
260 memcpy(skb_put(skb, dlen), data, dlen);
265 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
267 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
269 BT_DBG("code 0x%2.2x", code);
274 skb->priority = HCI_PRIO_MAX;
275 hci_send_acl(conn->hchan, skb, 0);
277 cancel_delayed_work_sync(&conn->security_timer);
278 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT);
281 static __u8 authreq_to_seclevel(__u8 authreq)
283 if (authreq & SMP_AUTH_MITM)
284 return BT_SECURITY_HIGH;
286 return BT_SECURITY_MEDIUM;
289 static __u8 seclevel_to_authreq(__u8 sec_level)
292 case BT_SECURITY_HIGH:
293 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
294 case BT_SECURITY_MEDIUM:
295 return SMP_AUTH_BONDING;
297 return SMP_AUTH_NONE;
301 static void build_pairing_cmd(struct l2cap_conn *conn,
302 struct smp_cmd_pairing *req,
303 struct smp_cmd_pairing *rsp, __u8 authreq)
305 struct smp_chan *smp = conn->smp_chan;
306 struct hci_conn *hcon = conn->hcon;
307 struct hci_dev *hdev = hcon->hdev;
308 u8 local_dist = 0, remote_dist = 0;
310 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
311 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
312 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
313 authreq |= SMP_AUTH_BONDING;
315 authreq &= ~SMP_AUTH_BONDING;
318 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
319 remote_dist |= SMP_DIST_ID_KEY;
321 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
322 local_dist |= SMP_DIST_ID_KEY;
325 req->io_capability = conn->hcon->io_capability;
326 req->oob_flag = SMP_OOB_NOT_PRESENT;
327 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
328 req->init_key_dist = local_dist;
329 req->resp_key_dist = remote_dist;
330 req->auth_req = (authreq & AUTH_REQ_MASK);
332 smp->remote_key_dist = remote_dist;
336 rsp->io_capability = conn->hcon->io_capability;
337 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
338 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
339 rsp->init_key_dist = req->init_key_dist & remote_dist;
340 rsp->resp_key_dist = req->resp_key_dist & local_dist;
341 rsp->auth_req = (authreq & AUTH_REQ_MASK);
343 smp->remote_key_dist = rsp->init_key_dist;
346 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
348 struct smp_chan *smp = conn->smp_chan;
350 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
351 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
352 return SMP_ENC_KEY_SIZE;
354 smp->enc_key_size = max_key_size;
359 static void smp_failure(struct l2cap_conn *conn, u8 reason)
361 struct hci_conn *hcon = conn->hcon;
364 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
367 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
368 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
369 HCI_ERROR_AUTH_FAILURE);
371 cancel_delayed_work_sync(&conn->security_timer);
373 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
374 smp_chan_destroy(conn);
377 #define JUST_WORKS 0x00
378 #define JUST_CFM 0x01
379 #define REQ_PASSKEY 0x02
380 #define CFM_PASSKEY 0x03
384 static const u8 gen_method[5][5] = {
385 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
386 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
387 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
388 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
389 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
392 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
394 /* If either side has unknown io_caps, use JUST_CFM (which gets
395 * converted later to JUST_WORKS if we're initiators.
397 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
398 remote_io > SMP_IO_KEYBOARD_DISPLAY)
401 return gen_method[remote_io][local_io];
404 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
405 u8 local_io, u8 remote_io)
407 struct hci_conn *hcon = conn->hcon;
408 struct smp_chan *smp = conn->smp_chan;
413 /* Initialize key for JUST WORKS */
414 memset(smp->tk, 0, sizeof(smp->tk));
415 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
417 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
419 /* If neither side wants MITM, either "just" confirm an incoming
420 * request or use just-works for outgoing ones. The JUST_CFM
421 * will be converted to JUST_WORKS if necessary later in this
422 * function. If either side has MITM look up the method from the
425 if (!(auth & SMP_AUTH_MITM))
428 method = get_auth_method(smp, local_io, remote_io);
430 /* Don't confirm locally initiated pairing attempts */
431 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
434 /* Don't bother user space with no IO capabilities */
435 if (method == JUST_CFM && hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
438 /* If Just Works, Continue with Zero TK */
439 if (method == JUST_WORKS) {
440 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
444 /* Not Just Works/Confirm results in MITM Authentication */
445 if (method != JUST_CFM)
446 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
448 /* If both devices have Keyoard-Display I/O, the master
449 * Confirms and the slave Enters the passkey.
451 if (method == OVERLAP) {
452 if (hcon->role == HCI_ROLE_MASTER)
453 method = CFM_PASSKEY;
455 method = REQ_PASSKEY;
458 /* Generate random passkey. */
459 if (method == CFM_PASSKEY) {
460 memset(smp->tk, 0, sizeof(smp->tk));
461 get_random_bytes(&passkey, sizeof(passkey));
463 put_unaligned_le32(passkey, smp->tk);
464 BT_DBG("PassKey: %d", passkey);
465 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
468 hci_dev_lock(hcon->hdev);
470 if (method == REQ_PASSKEY)
471 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
472 hcon->type, hcon->dst_type);
473 else if (method == JUST_CFM)
474 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
475 hcon->type, hcon->dst_type,
478 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
479 hcon->type, hcon->dst_type,
482 hci_dev_unlock(hcon->hdev);
487 static u8 smp_confirm(struct smp_chan *smp)
489 struct l2cap_conn *conn = smp->conn;
490 struct smp_cmd_pairing_confirm cp;
493 BT_DBG("conn %p", conn);
495 ret = smp_c1(smp, smp->tk, smp->prnd, smp->preq, smp->prsp,
496 conn->hcon->init_addr_type, &conn->hcon->init_addr,
497 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
500 return SMP_UNSPECIFIED;
502 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
504 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
509 static u8 smp_random(struct smp_chan *smp)
511 struct l2cap_conn *conn = smp->conn;
512 struct hci_conn *hcon = conn->hcon;
516 if (IS_ERR_OR_NULL(smp->tfm_aes))
517 return SMP_UNSPECIFIED;
519 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
521 ret = smp_c1(smp, smp->tk, smp->rrnd, smp->preq, smp->prsp,
522 hcon->init_addr_type, &hcon->init_addr,
523 hcon->resp_addr_type, &hcon->resp_addr, confirm);
525 return SMP_UNSPECIFIED;
527 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
528 BT_ERR("Pairing failed (confirmation values mismatch)");
529 return SMP_CONFIRM_FAILED;
537 smp_s1(smp, smp->tk, smp->rrnd, smp->prnd, stk);
539 memset(stk + smp->enc_key_size, 0,
540 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
542 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
543 return SMP_UNSPECIFIED;
545 hci_le_start_enc(hcon, ediv, rand, stk);
546 hcon->enc_key_size = smp->enc_key_size;
547 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
553 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
556 smp_s1(smp, smp->tk, smp->prnd, smp->rrnd, stk);
558 memset(stk + smp->enc_key_size, 0,
559 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
561 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
566 /* Even though there's no _SLAVE suffix this is the
567 * slave STK we're adding for later lookup (the master
568 * STK never needs to be stored).
570 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
571 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
577 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
579 struct smp_chan *smp;
581 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
583 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
587 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
588 if (IS_ERR(smp->tfm_aes)) {
589 BT_ERR("Unable to create ECB crypto context");
591 clear_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags);
596 conn->smp_chan = smp;
598 hci_conn_hold(conn->hcon);
603 void smp_chan_destroy(struct l2cap_conn *conn)
605 struct smp_chan *smp = conn->smp_chan;
610 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
611 mgmt_smp_complete(conn->hcon, complete);
614 kfree(smp->slave_csrk);
616 crypto_free_blkcipher(smp->tfm_aes);
618 /* If pairing failed clean up any keys we might have */
621 list_del(&smp->ltk->list);
625 if (smp->slave_ltk) {
626 list_del(&smp->slave_ltk->list);
627 kfree(smp->slave_ltk);
630 if (smp->remote_irk) {
631 list_del(&smp->remote_irk->list);
632 kfree(smp->remote_irk);
637 conn->smp_chan = NULL;
638 hci_conn_drop(conn->hcon);
641 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
643 struct l2cap_conn *conn = hcon->l2cap_data;
644 struct smp_chan *smp;
649 if (!conn || !test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
652 smp = conn->smp_chan;
655 case MGMT_OP_USER_PASSKEY_REPLY:
656 value = le32_to_cpu(passkey);
657 memset(smp->tk, 0, sizeof(smp->tk));
658 BT_DBG("PassKey: %d", value);
659 put_unaligned_le32(value, smp->tk);
661 case MGMT_OP_USER_CONFIRM_REPLY:
662 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
664 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
665 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
666 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
669 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
673 /* If it is our turn to send Pairing Confirm, do so now */
674 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
675 u8 rsp = smp_confirm(smp);
677 smp_failure(conn, rsp);
683 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
685 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
686 struct hci_dev *hdev = conn->hcon->hdev;
687 struct smp_chan *smp;
688 u8 key_size, auth, sec_level;
691 BT_DBG("conn %p", conn);
693 if (skb->len < sizeof(*req))
694 return SMP_INVALID_PARAMS;
696 if (conn->hcon->role != HCI_ROLE_SLAVE)
697 return SMP_CMD_NOTSUPP;
699 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
700 smp = smp_chan_create(conn);
702 smp = conn->smp_chan;
705 return SMP_UNSPECIFIED;
707 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
708 (req->auth_req & SMP_AUTH_BONDING))
709 return SMP_PAIRING_NOTSUPP;
711 smp->preq[0] = SMP_CMD_PAIRING_REQ;
712 memcpy(&smp->preq[1], req, sizeof(*req));
713 skb_pull(skb, sizeof(*req));
715 /* We didn't start the pairing, so match remote */
716 auth = req->auth_req;
718 sec_level = authreq_to_seclevel(auth);
719 if (sec_level > conn->hcon->pending_sec_level)
720 conn->hcon->pending_sec_level = sec_level;
722 /* If we need MITM check that it can be acheived */
723 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
726 method = get_auth_method(smp, conn->hcon->io_capability,
728 if (method == JUST_WORKS || method == JUST_CFM)
729 return SMP_AUTH_REQUIREMENTS;
732 build_pairing_cmd(conn, req, &rsp, auth);
734 key_size = min(req->max_key_size, rsp.max_key_size);
735 if (check_enc_key_size(conn, key_size))
736 return SMP_ENC_KEY_SIZE;
738 get_random_bytes(smp->prnd, sizeof(smp->prnd));
740 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
741 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
743 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
745 /* Request setup of TK */
746 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
748 return SMP_UNSPECIFIED;
753 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
755 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
756 struct smp_chan *smp = conn->smp_chan;
757 u8 key_size, auth = SMP_AUTH_NONE;
760 BT_DBG("conn %p", conn);
762 if (skb->len < sizeof(*rsp))
763 return SMP_INVALID_PARAMS;
765 if (conn->hcon->role != HCI_ROLE_MASTER)
766 return SMP_CMD_NOTSUPP;
768 skb_pull(skb, sizeof(*rsp));
770 req = (void *) &smp->preq[1];
772 key_size = min(req->max_key_size, rsp->max_key_size);
773 if (check_enc_key_size(conn, key_size))
774 return SMP_ENC_KEY_SIZE;
776 /* If we need MITM check that it can be acheived */
777 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
780 method = get_auth_method(smp, req->io_capability,
782 if (method == JUST_WORKS || method == JUST_CFM)
783 return SMP_AUTH_REQUIREMENTS;
786 get_random_bytes(smp->prnd, sizeof(smp->prnd));
788 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
789 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
791 /* Update remote key distribution in case the remote cleared
792 * some bits that we had enabled in our request.
794 smp->remote_key_dist &= rsp->resp_key_dist;
796 if ((req->auth_req & SMP_AUTH_BONDING) &&
797 (rsp->auth_req & SMP_AUTH_BONDING))
798 auth = SMP_AUTH_BONDING;
800 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
802 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
804 return SMP_UNSPECIFIED;
806 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
808 /* Can't compose response until we have been confirmed */
809 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
810 return smp_confirm(smp);
815 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
817 struct smp_chan *smp = conn->smp_chan;
819 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
821 if (skb->len < sizeof(smp->pcnf))
822 return SMP_INVALID_PARAMS;
824 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
825 skb_pull(skb, sizeof(smp->pcnf));
828 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
830 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
831 return smp_confirm(smp);
833 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
838 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
840 struct smp_chan *smp = conn->smp_chan;
842 BT_DBG("conn %p", conn);
844 if (skb->len < sizeof(smp->rrnd))
845 return SMP_INVALID_PARAMS;
847 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
848 skb_pull(skb, sizeof(smp->rrnd));
850 return smp_random(smp);
853 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
856 struct hci_conn *hcon = conn->hcon;
858 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
863 if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
866 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
869 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
870 hcon->enc_key_size = key->enc_size;
872 /* We never store STKs for master role, so clear this flag */
873 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
878 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
880 if (sec_level == BT_SECURITY_LOW)
883 /* If we're encrypted with an STK always claim insufficient
884 * security. This way we allow the connection to be re-encrypted
885 * with an LTK, even if the LTK provides the same level of
886 * security. Only exception is if we don't have an LTK (e.g.
887 * because of key distribution bits).
889 if (test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
890 hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
894 if (hcon->sec_level >= sec_level)
900 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
902 struct smp_cmd_security_req *rp = (void *) skb->data;
903 struct smp_cmd_pairing cp;
904 struct hci_conn *hcon = conn->hcon;
905 struct smp_chan *smp;
908 BT_DBG("conn %p", conn);
910 if (skb->len < sizeof(*rp))
911 return SMP_INVALID_PARAMS;
913 if (hcon->role != HCI_ROLE_MASTER)
914 return SMP_CMD_NOTSUPP;
916 sec_level = authreq_to_seclevel(rp->auth_req);
917 if (smp_sufficient_security(hcon, sec_level))
920 if (sec_level > hcon->pending_sec_level)
921 hcon->pending_sec_level = sec_level;
923 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
926 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
929 smp = smp_chan_create(conn);
931 return SMP_UNSPECIFIED;
933 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
934 (rp->auth_req & SMP_AUTH_BONDING))
935 return SMP_PAIRING_NOTSUPP;
937 skb_pull(skb, sizeof(*rp));
939 memset(&cp, 0, sizeof(cp));
940 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
942 smp->preq[0] = SMP_CMD_PAIRING_REQ;
943 memcpy(&smp->preq[1], &cp, sizeof(cp));
945 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
950 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
952 struct l2cap_conn *conn = hcon->l2cap_data;
953 struct smp_chan *smp;
956 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
958 /* This may be NULL if there's an unexpected disconnection */
962 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
965 if (smp_sufficient_security(hcon, sec_level))
968 if (sec_level > hcon->pending_sec_level)
969 hcon->pending_sec_level = sec_level;
971 if (hcon->role == HCI_ROLE_MASTER)
972 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
975 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
978 smp = smp_chan_create(conn);
982 authreq = seclevel_to_authreq(sec_level);
984 /* Require MITM if IO Capability allows or the security level
987 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
988 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
989 authreq |= SMP_AUTH_MITM;
991 if (hcon->role == HCI_ROLE_MASTER) {
992 struct smp_cmd_pairing cp;
994 build_pairing_cmd(conn, &cp, NULL, authreq);
995 smp->preq[0] = SMP_CMD_PAIRING_REQ;
996 memcpy(&smp->preq[1], &cp, sizeof(cp));
998 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
1000 struct smp_cmd_security_req cp;
1001 cp.auth_req = authreq;
1002 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
1005 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
1010 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
1012 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
1013 struct smp_chan *smp = conn->smp_chan;
1015 BT_DBG("conn %p", conn);
1017 if (skb->len < sizeof(*rp))
1018 return SMP_INVALID_PARAMS;
1020 /* Ignore this PDU if it wasn't requested */
1021 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
1024 skb_pull(skb, sizeof(*rp));
1026 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
1031 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
1033 struct smp_cmd_master_ident *rp = (void *) skb->data;
1034 struct smp_chan *smp = conn->smp_chan;
1035 struct hci_dev *hdev = conn->hcon->hdev;
1036 struct hci_conn *hcon = conn->hcon;
1037 struct smp_ltk *ltk;
1040 BT_DBG("conn %p", conn);
1042 if (skb->len < sizeof(*rp))
1043 return SMP_INVALID_PARAMS;
1045 /* Ignore this PDU if it wasn't requested */
1046 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
1049 /* Mark the information as received */
1050 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
1052 skb_pull(skb, sizeof(*rp));
1055 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
1056 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
1057 authenticated, smp->tk, smp->enc_key_size,
1058 rp->ediv, rp->rand);
1060 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1061 smp_distribute_keys(conn);
1062 hci_dev_unlock(hdev);
1067 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1069 struct smp_cmd_ident_info *info = (void *) skb->data;
1070 struct smp_chan *smp = conn->smp_chan;
1074 if (skb->len < sizeof(*info))
1075 return SMP_INVALID_PARAMS;
1077 /* Ignore this PDU if it wasn't requested */
1078 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1081 skb_pull(skb, sizeof(*info));
1083 memcpy(smp->irk, info->irk, 16);
1088 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1089 struct sk_buff *skb)
1091 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1092 struct smp_chan *smp = conn->smp_chan;
1093 struct hci_conn *hcon = conn->hcon;
1098 if (skb->len < sizeof(*info))
1099 return SMP_INVALID_PARAMS;
1101 /* Ignore this PDU if it wasn't requested */
1102 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1105 /* Mark the information as received */
1106 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1108 skb_pull(skb, sizeof(*info));
1110 hci_dev_lock(hcon->hdev);
1112 /* Strictly speaking the Core Specification (4.1) allows sending
1113 * an empty address which would force us to rely on just the IRK
1114 * as "identity information". However, since such
1115 * implementations are not known of and in order to not over
1116 * complicate our implementation, simply pretend that we never
1117 * received an IRK for such a device.
1119 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1120 BT_ERR("Ignoring IRK with no identity address");
1124 bacpy(&smp->id_addr, &info->bdaddr);
1125 smp->id_addr_type = info->addr_type;
1127 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1128 bacpy(&rpa, &hcon->dst);
1130 bacpy(&rpa, BDADDR_ANY);
1132 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1133 smp->id_addr_type, smp->irk, &rpa);
1136 smp_distribute_keys(conn);
1138 hci_dev_unlock(hcon->hdev);
1143 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1145 struct smp_cmd_sign_info *rp = (void *) skb->data;
1146 struct smp_chan *smp = conn->smp_chan;
1147 struct hci_dev *hdev = conn->hcon->hdev;
1148 struct smp_csrk *csrk;
1150 BT_DBG("conn %p", conn);
1152 if (skb->len < sizeof(*rp))
1153 return SMP_INVALID_PARAMS;
1155 /* Ignore this PDU if it wasn't requested */
1156 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1159 /* Mark the information as received */
1160 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1162 skb_pull(skb, sizeof(*rp));
1165 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1167 csrk->master = 0x01;
1168 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1171 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1172 smp_distribute_keys(conn);
1173 hci_dev_unlock(hdev);
1178 int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1180 struct hci_conn *hcon = conn->hcon;
1184 if (hcon->type != LE_LINK) {
1194 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1196 reason = SMP_PAIRING_NOTSUPP;
1200 code = skb->data[0];
1201 skb_pull(skb, sizeof(code));
1204 * The SMP context must be initialized for all other PDUs except
1205 * pairing and security requests. If we get any other PDU when
1206 * not initialized simply disconnect (done if this function
1207 * returns an error).
1209 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1211 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1217 case SMP_CMD_PAIRING_REQ:
1218 reason = smp_cmd_pairing_req(conn, skb);
1221 case SMP_CMD_PAIRING_FAIL:
1222 smp_failure(conn, 0);
1227 case SMP_CMD_PAIRING_RSP:
1228 reason = smp_cmd_pairing_rsp(conn, skb);
1231 case SMP_CMD_SECURITY_REQ:
1232 reason = smp_cmd_security_req(conn, skb);
1235 case SMP_CMD_PAIRING_CONFIRM:
1236 reason = smp_cmd_pairing_confirm(conn, skb);
1239 case SMP_CMD_PAIRING_RANDOM:
1240 reason = smp_cmd_pairing_random(conn, skb);
1243 case SMP_CMD_ENCRYPT_INFO:
1244 reason = smp_cmd_encrypt_info(conn, skb);
1247 case SMP_CMD_MASTER_IDENT:
1248 reason = smp_cmd_master_ident(conn, skb);
1251 case SMP_CMD_IDENT_INFO:
1252 reason = smp_cmd_ident_info(conn, skb);
1255 case SMP_CMD_IDENT_ADDR_INFO:
1256 reason = smp_cmd_ident_addr_info(conn, skb);
1259 case SMP_CMD_SIGN_INFO:
1260 reason = smp_cmd_sign_info(conn, skb);
1264 BT_DBG("Unknown command code 0x%2.2x", code);
1266 reason = SMP_CMD_NOTSUPP;
1273 smp_failure(conn, reason);
1279 static void smp_notify_keys(struct l2cap_conn *conn)
1281 struct smp_chan *smp = conn->smp_chan;
1282 struct hci_conn *hcon = conn->hcon;
1283 struct hci_dev *hdev = hcon->hdev;
1284 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1285 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1288 if (smp->remote_irk) {
1289 mgmt_new_irk(hdev, smp->remote_irk);
1290 /* Now that user space can be considered to know the
1291 * identity address track the connection based on it
1294 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1295 hcon->dst_type = smp->remote_irk->addr_type;
1296 l2cap_conn_update_id_addr(hcon);
1298 /* When receiving an indentity resolving key for
1299 * a remote device that does not use a resolvable
1300 * private address, just remove the key so that
1301 * it is possible to use the controller white
1302 * list for scanning.
1304 * Userspace will have been told to not store
1305 * this key at this point. So it is safe to
1308 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1309 list_del(&smp->remote_irk->list);
1310 kfree(smp->remote_irk);
1311 smp->remote_irk = NULL;
1315 /* The LTKs and CSRKs should be persistent only if both sides
1316 * had the bonding bit set in their authentication requests.
1318 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1321 smp->csrk->bdaddr_type = hcon->dst_type;
1322 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1323 mgmt_new_csrk(hdev, smp->csrk, persistent);
1326 if (smp->slave_csrk) {
1327 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1328 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1329 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1333 smp->ltk->bdaddr_type = hcon->dst_type;
1334 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1335 mgmt_new_ltk(hdev, smp->ltk, persistent);
1338 if (smp->slave_ltk) {
1339 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1340 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1341 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1345 int smp_distribute_keys(struct l2cap_conn *conn)
1347 struct smp_cmd_pairing *req, *rsp;
1348 struct smp_chan *smp = conn->smp_chan;
1349 struct hci_conn *hcon = conn->hcon;
1350 struct hci_dev *hdev = hcon->hdev;
1353 BT_DBG("conn %p", conn);
1355 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
1358 rsp = (void *) &smp->prsp[1];
1360 /* The responder sends its keys first */
1361 if (hcon->out && (smp->remote_key_dist & 0x07))
1364 req = (void *) &smp->preq[1];
1367 keydist = &rsp->init_key_dist;
1368 *keydist &= req->init_key_dist;
1370 keydist = &rsp->resp_key_dist;
1371 *keydist &= req->resp_key_dist;
1374 BT_DBG("keydist 0x%x", *keydist);
1376 if (*keydist & SMP_DIST_ENC_KEY) {
1377 struct smp_cmd_encrypt_info enc;
1378 struct smp_cmd_master_ident ident;
1379 struct smp_ltk *ltk;
1384 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1385 get_random_bytes(&ediv, sizeof(ediv));
1386 get_random_bytes(&rand, sizeof(rand));
1388 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1390 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1391 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1392 SMP_LTK_SLAVE, authenticated, enc.ltk,
1393 smp->enc_key_size, ediv, rand);
1394 smp->slave_ltk = ltk;
1399 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1401 *keydist &= ~SMP_DIST_ENC_KEY;
1404 if (*keydist & SMP_DIST_ID_KEY) {
1405 struct smp_cmd_ident_addr_info addrinfo;
1406 struct smp_cmd_ident_info idinfo;
1408 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1410 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1412 /* The hci_conn contains the local identity address
1413 * after the connection has been established.
1415 * This is true even when the connection has been
1416 * established using a resolvable random address.
1418 bacpy(&addrinfo.bdaddr, &hcon->src);
1419 addrinfo.addr_type = hcon->src_type;
1421 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1424 *keydist &= ~SMP_DIST_ID_KEY;
1427 if (*keydist & SMP_DIST_SIGN) {
1428 struct smp_cmd_sign_info sign;
1429 struct smp_csrk *csrk;
1431 /* Generate a new random key */
1432 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1434 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1436 csrk->master = 0x00;
1437 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1439 smp->slave_csrk = csrk;
1441 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1443 *keydist &= ~SMP_DIST_SIGN;
1446 /* If there are still keys to be received wait for them */
1447 if ((smp->remote_key_dist & 0x07))
1450 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1451 cancel_delayed_work_sync(&conn->security_timer);
1452 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1453 smp_notify_keys(conn);
1455 smp_chan_destroy(conn);