projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge 3.16-rc5 into char-misc-next
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/crypto.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/b128ops.h>
26
27 #include <net/bluetooth/bluetooth.h>
28 #include <net/bluetooth/hci_core.h>
29 #include <net/bluetooth/l2cap.h>
30 #include <net/bluetooth/mgmt.h>
31
32 #include "smp.h"
33
34 #define SMP_TIMEOUT msecs_to_jiffies(30000)
35
36 #define AUTH_REQ_MASK 0x07
37
38 #define SMP_FLAG_TK_VALID 1
39 #define SMP_FLAG_CFM_PENDING 2
40 #define SMP_FLAG_MITM_AUTH 3
41 #define SMP_FLAG_COMPLETE 4
42 #define SMP_FLAG_INITIATOR 5
43
44 struct smp_chan {
45 struct l2cap_conn *conn;
46 u8 preq[7]; /* SMP Pairing Request */
47 u8 prsp[7]; /* SMP Pairing Response */
48 u8 prnd[16]; /* SMP Pairing Random (local) */
49 u8 rrnd[16]; /* SMP Pairing Random (remote) */
50 u8 pcnf[16]; /* SMP Pairing Confirm */
51 u8 tk[16]; /* SMP Temporary Key */
52 u8 enc_key_size;
53 u8 remote_key_dist;
54 bdaddr_t id_addr;
55 u8 id_addr_type;
56 u8 irk[16];
57 struct smp_csrk *csrk;
58 struct smp_csrk *slave_csrk;
59 struct smp_ltk *ltk;
60 struct smp_ltk *slave_ltk;
61 struct smp_irk *remote_irk;
62 unsigned long flags;
63 };
64
65 static inline void swap128(const u8 src[16], u8 dst[16])
66 {
67 int i;
68 for (i = 0; i < 16; i++)
69 dst[15 - i] = src[i];
70 }
71
72 static inline void swap56(const u8 src[7], u8 dst[7])
73 {
74 int i;
75 for (i = 0; i < 7; i++)
76 dst[6 - i] = src[i];
77 }
78
79 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
80 {
81 struct blkcipher_desc desc;
82 struct scatterlist sg;
83 uint8_t tmp[16], data[16];
84 int err;
85
86 if (tfm == NULL) {
87 BT_ERR("tfm %p", tfm);
88 return -EINVAL;
89 }
90
91 desc.tfm = tfm;
92 desc.flags = 0;
93
94 /* The most significant octet of key corresponds to k[0] */
95 swap128(k, tmp);
96
97 err = crypto_blkcipher_setkey(tfm, tmp, 16);
98 if (err) {
99 BT_ERR("cipher setkey failed: %d", err);
100 return err;
101 }
102
103 /* Most significant octet of plaintextData corresponds to data[0] */
104 swap128(r, data);
105
106 sg_init_one(&sg, data, 16);
107
108 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
109 if (err)
110 BT_ERR("Encrypt data error %d", err);
111
112 /* Most significant octet of encryptedData corresponds to data[0] */
113 swap128(data, r);
114
115 return err;
116 }
117
118 static int smp_ah(struct crypto_blkcipher *tfm, u8 irk[16], u8 r[3], u8 res[3])
119 {
120 u8 _res[16];
121 int err;
122
123 /* r' = padding || r */
124 memcpy(_res, r, 3);
125 memset(_res + 3, 0, 13);
126
127 err = smp_e(tfm, irk, _res);
128 if (err) {
129 BT_ERR("Encrypt error");
130 return err;
131 }
132
133 /* The output of the random address function ah is:
134 * ah(h, r) = e(k, r') mod 2^24
135 * The output of the security function e is then truncated to 24 bits
136 * by taking the least significant 24 bits of the output of e as the
137 * result of ah.
138 */
139 memcpy(res, _res, 3);
140
141 return 0;
142 }
143
144 bool smp_irk_matches(struct crypto_blkcipher *tfm, u8 irk[16],
145 bdaddr_t *bdaddr)
146 {
147 u8 hash[3];
148 int err;
149
150 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
151
152 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
153 if (err)
154 return false;
155
156 return !memcmp(bdaddr->b, hash, 3);
157 }
158
159 int smp_generate_rpa(struct crypto_blkcipher *tfm, u8 irk[16], bdaddr_t *rpa)
160 {
161 int err;
162
163 get_random_bytes(&rpa->b[3], 3);
164
165 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
166 rpa->b[5] |= 0x40; /* Set second most significant bit */
167
168 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
169 if (err < 0)
170 return err;
171
172 BT_DBG("RPA %pMR", rpa);
173
174 return 0;
175 }
176
177 static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
178 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
179 u8 _rat, bdaddr_t *ra, u8 res[16])
180 {
181 u8 p1[16], p2[16];
182 int err;
183
184 memset(p1, 0, 16);
185
186 /* p1 = pres || preq || _rat || _iat */
187 p1[0] = _iat;
188 p1[1] = _rat;
189 memcpy(p1 + 2, preq, 7);
190 memcpy(p1 + 9, pres, 7);
191
192 /* p2 = padding || ia || ra */
193 memcpy(p2, ra, 6);
194 memcpy(p2 + 6, ia, 6);
195 memset(p2 + 12, 0, 4);
196
197 /* res = r XOR p1 */
198 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
199
200 /* res = e(k, res) */
201 err = smp_e(tfm, k, res);
202 if (err) {
203 BT_ERR("Encrypt data error");
204 return err;
205 }
206
207 /* res = res XOR p2 */
208 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
209
210 /* res = e(k, res) */
211 err = smp_e(tfm, k, res);
212 if (err)
213 BT_ERR("Encrypt data error");
214
215 return err;
216 }
217
218 static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16], u8 r1[16],
219 u8 r2[16], u8 _r[16])
220 {
221 int err;
222
223 /* Just least significant octets from r1 and r2 are considered */
224 memcpy(_r, r2, 8);
225 memcpy(_r + 8, r1, 8);
226
227 err = smp_e(tfm, k, _r);
228 if (err)
229 BT_ERR("Encrypt data error");
230
231 return err;
232 }
233
234 static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
235 u16 dlen, void *data)
236 {
237 struct sk_buff *skb;
238 struct l2cap_hdr *lh;
239 int len;
240
241 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
242
243 if (len > conn->mtu)
244 return NULL;
245
246 skb = bt_skb_alloc(len, GFP_ATOMIC);
247 if (!skb)
248 return NULL;
249
250 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
251 lh->len = cpu_to_le16(sizeof(code) + dlen);
252 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
253
254 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
255
256 memcpy(skb_put(skb, dlen), data, dlen);
257
258 return skb;
259 }
260
261 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
262 {
263 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
264
265 BT_DBG("code 0x%2.2x", code);
266
267 if (!skb)
268 return;
269
270 skb->priority = HCI_PRIO_MAX;
271 hci_send_acl(conn->hchan, skb, 0);
272
273 cancel_delayed_work_sync(&conn->security_timer);
274 schedule_delayed_work(&conn->security_timer, SMP_TIMEOUT);
275 }
276
277 static __u8 authreq_to_seclevel(__u8 authreq)
278 {
279 if (authreq & SMP_AUTH_MITM)
280 return BT_SECURITY_HIGH;
281 else
282 return BT_SECURITY_MEDIUM;
283 }
284
285 static __u8 seclevel_to_authreq(__u8 sec_level)
286 {
287 switch (sec_level) {
288 case BT_SECURITY_HIGH:
289 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
290 case BT_SECURITY_MEDIUM:
291 return SMP_AUTH_BONDING;
292 default:
293 return SMP_AUTH_NONE;
294 }
295 }
296
297 static void build_pairing_cmd(struct l2cap_conn *conn,
298 struct smp_cmd_pairing *req,
299 struct smp_cmd_pairing *rsp, __u8 authreq)
300 {
301 struct smp_chan *smp = conn->smp_chan;
302 struct hci_conn *hcon = conn->hcon;
303 struct hci_dev *hdev = hcon->hdev;
304 u8 local_dist = 0, remote_dist = 0;
305
306 if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->dev_flags)) {
307 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
308 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
309 authreq |= SMP_AUTH_BONDING;
310 } else {
311 authreq &= ~SMP_AUTH_BONDING;
312 }
313
314 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
315 remote_dist |= SMP_DIST_ID_KEY;
316
317 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
318 local_dist |= SMP_DIST_ID_KEY;
319
320 if (rsp == NULL) {
321 req->io_capability = conn->hcon->io_capability;
322 req->oob_flag = SMP_OOB_NOT_PRESENT;
323 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
324 req->init_key_dist = local_dist;
325 req->resp_key_dist = remote_dist;
326 req->auth_req = (authreq & AUTH_REQ_MASK);
327
328 smp->remote_key_dist = remote_dist;
329 return;
330 }
331
332 rsp->io_capability = conn->hcon->io_capability;
333 rsp->oob_flag = SMP_OOB_NOT_PRESENT;
334 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
335 rsp->init_key_dist = req->init_key_dist & remote_dist;
336 rsp->resp_key_dist = req->resp_key_dist & local_dist;
337 rsp->auth_req = (authreq & AUTH_REQ_MASK);
338
339 smp->remote_key_dist = rsp->init_key_dist;
340 }
341
342 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
343 {
344 struct smp_chan *smp = conn->smp_chan;
345
346 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
347 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
348 return SMP_ENC_KEY_SIZE;
349
350 smp->enc_key_size = max_key_size;
351
352 return 0;
353 }
354
355 static void smp_failure(struct l2cap_conn *conn, u8 reason)
356 {
357 struct hci_conn *hcon = conn->hcon;
358
359 if (reason)
360 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
361 &reason);
362
363 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
364 mgmt_auth_failed(hcon->hdev, &hcon->dst, hcon->type, hcon->dst_type,
365 HCI_ERROR_AUTH_FAILURE);
366
367 cancel_delayed_work_sync(&conn->security_timer);
368
369 if (test_and_clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
370 smp_chan_destroy(conn);
371 }
372
373 #define JUST_WORKS 0x00
374 #define JUST_CFM 0x01
375 #define REQ_PASSKEY 0x02
376 #define CFM_PASSKEY 0x03
377 #define REQ_OOB 0x04
378 #define OVERLAP 0xFF
379
380 static const u8 gen_method[5][5] = {
381 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
382 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
383 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
384 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
385 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
386 };
387
388 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
389 u8 local_io, u8 remote_io)
390 {
391 struct hci_conn *hcon = conn->hcon;
392 struct smp_chan *smp = conn->smp_chan;
393 u8 method;
394 u32 passkey = 0;
395 int ret = 0;
396
397 /* Initialize key for JUST WORKS */
398 memset(smp->tk, 0, sizeof(smp->tk));
399 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
400
401 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
402
403 /* If neither side wants MITM, use JUST WORKS */
404 /* If either side has unknown io_caps, use JUST WORKS */
405 /* Otherwise, look up method from the table */
406 if (!(auth & SMP_AUTH_MITM) ||
407 local_io > SMP_IO_KEYBOARD_DISPLAY ||
408 remote_io > SMP_IO_KEYBOARD_DISPLAY)
409 method = JUST_WORKS;
410 else
411 method = gen_method[remote_io][local_io];
412
413 /* If not bonding, don't ask user to confirm a Zero TK */
414 if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM)
415 method = JUST_WORKS;
416
417 /* Don't confirm locally initiated pairing attempts */
418 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
419 method = JUST_WORKS;
420
421 /* If Just Works, Continue with Zero TK */
422 if (method == JUST_WORKS) {
423 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
424 return 0;
425 }
426
427 /* Not Just Works/Confirm results in MITM Authentication */
428 if (method != JUST_CFM)
429 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
430
431 /* If both devices have Keyoard-Display I/O, the master
432 * Confirms and the slave Enters the passkey.
433 */
434 if (method == OVERLAP) {
435 if (hcon->link_mode & HCI_LM_MASTER)
436 method = CFM_PASSKEY;
437 else
438 method = REQ_PASSKEY;
439 }
440
441 /* Generate random passkey. */
442 if (method == CFM_PASSKEY) {
443 memset(smp->tk, 0, sizeof(smp->tk));
444 get_random_bytes(&passkey, sizeof(passkey));
445 passkey %= 1000000;
446 put_unaligned_le32(passkey, smp->tk);
447 BT_DBG("PassKey: %d", passkey);
448 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
449 }
450
451 hci_dev_lock(hcon->hdev);
452
453 if (method == REQ_PASSKEY)
454 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
455 hcon->type, hcon->dst_type);
456 else if (method == JUST_CFM)
457 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
458 hcon->type, hcon->dst_type,
459 passkey, 1);
460 else
461 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
462 hcon->type, hcon->dst_type,
463 passkey, 0);
464
465 hci_dev_unlock(hcon->hdev);
466
467 return ret;
468 }
469
470 static u8 smp_confirm(struct smp_chan *smp)
471 {
472 struct l2cap_conn *conn = smp->conn;
473 struct hci_dev *hdev = conn->hcon->hdev;
474 struct crypto_blkcipher *tfm = hdev->tfm_aes;
475 struct smp_cmd_pairing_confirm cp;
476 int ret;
477
478 BT_DBG("conn %p", conn);
479
480 /* Prevent mutual access to hdev->tfm_aes */
481 hci_dev_lock(hdev);
482
483 ret = smp_c1(tfm, smp->tk, smp->prnd, smp->preq, smp->prsp,
484 conn->hcon->init_addr_type, &conn->hcon->init_addr,
485 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
486 cp.confirm_val);
487
488 hci_dev_unlock(hdev);
489
490 if (ret)
491 return SMP_UNSPECIFIED;
492
493 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
494
495 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
496
497 return 0;
498 }
499
500 static u8 smp_random(struct smp_chan *smp)
501 {
502 struct l2cap_conn *conn = smp->conn;
503 struct hci_conn *hcon = conn->hcon;
504 struct hci_dev *hdev = hcon->hdev;
505 struct crypto_blkcipher *tfm = hdev->tfm_aes;
506 u8 confirm[16];
507 int ret;
508
509 if (IS_ERR_OR_NULL(tfm))
510 return SMP_UNSPECIFIED;
511
512 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
513
514 /* Prevent mutual access to hdev->tfm_aes */
515 hci_dev_lock(hdev);
516
517 ret = smp_c1(tfm, smp->tk, smp->rrnd, smp->preq, smp->prsp,
518 hcon->init_addr_type, &hcon->init_addr,
519 hcon->resp_addr_type, &hcon->resp_addr, confirm);
520
521 hci_dev_unlock(hdev);
522
523 if (ret)
524 return SMP_UNSPECIFIED;
525
526 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
527 BT_ERR("Pairing failed (confirmation values mismatch)");
528 return SMP_CONFIRM_FAILED;
529 }
530
531 if (hcon->out) {
532 u8 stk[16];
533 __le64 rand = 0;
534 __le16 ediv = 0;
535
536 smp_s1(tfm, smp->tk, smp->rrnd, smp->prnd, stk);
537
538 memset(stk + smp->enc_key_size, 0,
539 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
540
541 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
542 return SMP_UNSPECIFIED;
543
544 hci_le_start_enc(hcon, ediv, rand, stk);
545 hcon->enc_key_size = smp->enc_key_size;
546 } else {
547 u8 stk[16], auth;
548 __le64 rand = 0;
549 __le16 ediv = 0;
550
551 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
552 smp->prnd);
553
554 smp_s1(tfm, smp->tk, smp->prnd, smp->rrnd, stk);
555
556 memset(stk + smp->enc_key_size, 0,
557 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
558
559 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
560 auth = 1;
561 else
562 auth = 0;
563
564 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
565 HCI_SMP_STK_SLAVE, auth, stk, smp->enc_key_size,
566 ediv, rand);
567 }
568
569 return 0;
570 }
571
572 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
573 {
574 struct smp_chan *smp;
575
576 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
577 if (!smp)
578 return NULL;
579
580 smp->conn = conn;
581 conn->smp_chan = smp;
582 conn->hcon->smp_conn = conn;
583
584 hci_conn_hold(conn->hcon);
585
586 return smp;
587 }
588
589 void smp_chan_destroy(struct l2cap_conn *conn)
590 {
591 struct smp_chan *smp = conn->smp_chan;
592 bool complete;
593
594 BUG_ON(!smp);
595
596 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
597 mgmt_smp_complete(conn->hcon, complete);
598
599 kfree(smp->csrk);
600 kfree(smp->slave_csrk);
601
602 /* If pairing failed clean up any keys we might have */
603 if (!complete) {
604 if (smp->ltk) {
605 list_del(&smp->ltk->list);
606 kfree(smp->ltk);
607 }
608
609 if (smp->slave_ltk) {
610 list_del(&smp->slave_ltk->list);
611 kfree(smp->slave_ltk);
612 }
613
614 if (smp->remote_irk) {
615 list_del(&smp->remote_irk->list);
616 kfree(smp->remote_irk);
617 }
618 }
619
620 kfree(smp);
621 conn->smp_chan = NULL;
622 conn->hcon->smp_conn = NULL;
623 hci_conn_drop(conn->hcon);
624 }
625
626 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
627 {
628 struct l2cap_conn *conn = hcon->smp_conn;
629 struct smp_chan *smp;
630 u32 value;
631
632 BT_DBG("");
633
634 if (!conn)
635 return -ENOTCONN;
636
637 smp = conn->smp_chan;
638
639 switch (mgmt_op) {
640 case MGMT_OP_USER_PASSKEY_REPLY:
641 value = le32_to_cpu(passkey);
642 memset(smp->tk, 0, sizeof(smp->tk));
643 BT_DBG("PassKey: %d", value);
644 put_unaligned_le32(value, smp->tk);
645 /* Fall Through */
646 case MGMT_OP_USER_CONFIRM_REPLY:
647 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
648 break;
649 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
650 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
651 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
652 return 0;
653 default:
654 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
655 return -EOPNOTSUPP;
656 }
657
658 /* If it is our turn to send Pairing Confirm, do so now */
659 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
660 u8 rsp = smp_confirm(smp);
661 if (rsp)
662 smp_failure(conn, rsp);
663 }
664
665 return 0;
666 }
667
668 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
669 {
670 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
671 struct smp_chan *smp;
672 u8 key_size, auth;
673 int ret;
674
675 BT_DBG("conn %p", conn);
676
677 if (skb->len < sizeof(*req))
678 return SMP_INVALID_PARAMS;
679
680 if (conn->hcon->link_mode & HCI_LM_MASTER)
681 return SMP_CMD_NOTSUPP;
682
683 if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->flags))
684 smp = smp_chan_create(conn);
685 else
686 smp = conn->smp_chan;
687
688 if (!smp)
689 return SMP_UNSPECIFIED;
690
691 smp->preq[0] = SMP_CMD_PAIRING_REQ;
692 memcpy(&smp->preq[1], req, sizeof(*req));
693 skb_pull(skb, sizeof(*req));
694
695 /* We didn't start the pairing, so match remote */
696 auth = req->auth_req;
697
698 conn->hcon->pending_sec_level = authreq_to_seclevel(auth);
699
700 build_pairing_cmd(conn, req, &rsp, auth);
701
702 key_size = min(req->max_key_size, rsp.max_key_size);
703 if (check_enc_key_size(conn, key_size))
704 return SMP_ENC_KEY_SIZE;
705
706 get_random_bytes(smp->prnd, sizeof(smp->prnd));
707
708 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
709 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
710
711 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
712
713 /* Request setup of TK */
714 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
715 if (ret)
716 return SMP_UNSPECIFIED;
717
718 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
719
720 return 0;
721 }
722
723 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
724 {
725 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
726 struct smp_chan *smp = conn->smp_chan;
727 u8 key_size, auth = SMP_AUTH_NONE;
728 int ret;
729
730 BT_DBG("conn %p", conn);
731
732 if (skb->len < sizeof(*rsp))
733 return SMP_INVALID_PARAMS;
734
735 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
736 return SMP_CMD_NOTSUPP;
737
738 skb_pull(skb, sizeof(*rsp));
739
740 req = (void *) &smp->preq[1];
741
742 key_size = min(req->max_key_size, rsp->max_key_size);
743 if (check_enc_key_size(conn, key_size))
744 return SMP_ENC_KEY_SIZE;
745
746 get_random_bytes(smp->prnd, sizeof(smp->prnd));
747
748 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
749 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
750
751 /* Update remote key distribution in case the remote cleared
752 * some bits that we had enabled in our request.
753 */
754 smp->remote_key_dist &= rsp->resp_key_dist;
755
756 if ((req->auth_req & SMP_AUTH_BONDING) &&
757 (rsp->auth_req & SMP_AUTH_BONDING))
758 auth = SMP_AUTH_BONDING;
759
760 auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM;
761
762 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
763 if (ret)
764 return SMP_UNSPECIFIED;
765
766 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
767
768 /* Can't compose response until we have been confirmed */
769 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
770 return smp_confirm(smp);
771
772 return 0;
773 }
774
775 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
776 {
777 struct smp_chan *smp = conn->smp_chan;
778
779 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
780
781 if (skb->len < sizeof(smp->pcnf))
782 return SMP_INVALID_PARAMS;
783
784 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
785 skb_pull(skb, sizeof(smp->pcnf));
786
787 if (conn->hcon->out)
788 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
789 smp->prnd);
790 else if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
791 return smp_confirm(smp);
792 else
793 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
794
795 return 0;
796 }
797
798 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
799 {
800 struct smp_chan *smp = conn->smp_chan;
801
802 BT_DBG("conn %p", conn);
803
804 if (skb->len < sizeof(smp->rrnd))
805 return SMP_INVALID_PARAMS;
806
807 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
808 skb_pull(skb, sizeof(smp->rrnd));
809
810 return smp_random(smp);
811 }
812
813 static u8 smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
814 {
815 struct smp_ltk *key;
816 struct hci_conn *hcon = conn->hcon;
817
818 key = hci_find_ltk_by_addr(hcon->hdev, &hcon->dst, hcon->dst_type,
819 hcon->out);
820 if (!key)
821 return 0;
822
823 if (sec_level > BT_SECURITY_MEDIUM && !key->authenticated)
824 return 0;
825
826 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
827 return 1;
828
829 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
830 hcon->enc_key_size = key->enc_size;
831
832 return 1;
833 }
834
835 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
836 {
837 struct smp_cmd_security_req *rp = (void *) skb->data;
838 struct smp_cmd_pairing cp;
839 struct hci_conn *hcon = conn->hcon;
840 struct smp_chan *smp;
841
842 BT_DBG("conn %p", conn);
843
844 if (skb->len < sizeof(*rp))
845 return SMP_INVALID_PARAMS;
846
847 if (!(conn->hcon->link_mode & HCI_LM_MASTER))
848 return SMP_CMD_NOTSUPP;
849
850 hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req);
851
852 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
853 return 0;
854
855 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
856 return 0;
857
858 smp = smp_chan_create(conn);
859
860 skb_pull(skb, sizeof(*rp));
861
862 memset(&cp, 0, sizeof(cp));
863 build_pairing_cmd(conn, &cp, NULL, rp->auth_req);
864
865 smp->preq[0] = SMP_CMD_PAIRING_REQ;
866 memcpy(&smp->preq[1], &cp, sizeof(cp));
867
868 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
869
870 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
871
872 return 0;
873 }
874
875 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level)
876 {
877 if (sec_level == BT_SECURITY_LOW)
878 return true;
879
880 if (hcon->sec_level >= sec_level)
881 return true;
882
883 return false;
884 }
885
886 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
887 {
888 struct l2cap_conn *conn = hcon->l2cap_data;
889 struct smp_chan *smp;
890 __u8 authreq;
891
892 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
893
894 /* This may be NULL if there's an unexpected disconnection */
895 if (!conn)
896 return 1;
897
898 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
899 return 1;
900
901 if (smp_sufficient_security(hcon, sec_level))
902 return 1;
903
904 if (hcon->link_mode & HCI_LM_MASTER)
905 if (smp_ltk_encrypt(conn, sec_level))
906 goto done;
907
908 if (test_and_set_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
909 return 0;
910
911 smp = smp_chan_create(conn);
912 if (!smp)
913 return 1;
914
915 authreq = seclevel_to_authreq(sec_level);
916
917 /* Require MITM if IO Capability allows or the security level
918 * requires it.
919 */
920 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
921 sec_level > BT_SECURITY_MEDIUM)
922 authreq |= SMP_AUTH_MITM;
923
924 if (hcon->link_mode & HCI_LM_MASTER) {
925 struct smp_cmd_pairing cp;
926
927 build_pairing_cmd(conn, &cp, NULL, authreq);
928 smp->preq[0] = SMP_CMD_PAIRING_REQ;
929 memcpy(&smp->preq[1], &cp, sizeof(cp));
930
931 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
932 } else {
933 struct smp_cmd_security_req cp;
934 cp.auth_req = authreq;
935 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
936 }
937
938 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
939
940 done:
941 hcon->pending_sec_level = sec_level;
942
943 return 0;
944 }
945
946 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
947 {
948 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
949 struct smp_chan *smp = conn->smp_chan;
950
951 BT_DBG("conn %p", conn);
952
953 if (skb->len < sizeof(*rp))
954 return SMP_INVALID_PARAMS;
955
956 /* Ignore this PDU if it wasn't requested */
957 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
958 return 0;
959
960 skb_pull(skb, sizeof(*rp));
961
962 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
963
964 return 0;
965 }
966
967 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
968 {
969 struct smp_cmd_master_ident *rp = (void *) skb->data;
970 struct smp_chan *smp = conn->smp_chan;
971 struct hci_dev *hdev = conn->hcon->hdev;
972 struct hci_conn *hcon = conn->hcon;
973 struct smp_ltk *ltk;
974 u8 authenticated;
975
976 BT_DBG("conn %p", conn);
977
978 if (skb->len < sizeof(*rp))
979 return SMP_INVALID_PARAMS;
980
981 /* Ignore this PDU if it wasn't requested */
982 if (!(smp->remote_key_dist & SMP_DIST_ENC_KEY))
983 return 0;
984
985 /* Mark the information as received */
986 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
987
988 skb_pull(skb, sizeof(*rp));
989
990 hci_dev_lock(hdev);
991 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
992 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, HCI_SMP_LTK,
993 authenticated, smp->tk, smp->enc_key_size,
994 rp->ediv, rp->rand);
995 smp->ltk = ltk;
996 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
997 smp_distribute_keys(conn);
998 hci_dev_unlock(hdev);
999
1000 return 0;
1001 }
1002
1003 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
1004 {
1005 struct smp_cmd_ident_info *info = (void *) skb->data;
1006 struct smp_chan *smp = conn->smp_chan;
1007
1008 BT_DBG("");
1009
1010 if (skb->len < sizeof(*info))
1011 return SMP_INVALID_PARAMS;
1012
1013 /* Ignore this PDU if it wasn't requested */
1014 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1015 return 0;
1016
1017 skb_pull(skb, sizeof(*info));
1018
1019 memcpy(smp->irk, info->irk, 16);
1020
1021 return 0;
1022 }
1023
1024 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
1025 struct sk_buff *skb)
1026 {
1027 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
1028 struct smp_chan *smp = conn->smp_chan;
1029 struct hci_conn *hcon = conn->hcon;
1030 bdaddr_t rpa;
1031
1032 BT_DBG("");
1033
1034 if (skb->len < sizeof(*info))
1035 return SMP_INVALID_PARAMS;
1036
1037 /* Ignore this PDU if it wasn't requested */
1038 if (!(smp->remote_key_dist & SMP_DIST_ID_KEY))
1039 return 0;
1040
1041 /* Mark the information as received */
1042 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
1043
1044 skb_pull(skb, sizeof(*info));
1045
1046 /* Strictly speaking the Core Specification (4.1) allows sending
1047 * an empty address which would force us to rely on just the IRK
1048 * as "identity information". However, since such
1049 * implementations are not known of and in order to not over
1050 * complicate our implementation, simply pretend that we never
1051 * received an IRK for such a device.
1052 */
1053 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
1054 BT_ERR("Ignoring IRK with no identity address");
1055 smp_distribute_keys(conn);
1056 return 0;
1057 }
1058
1059 bacpy(&smp->id_addr, &info->bdaddr);
1060 smp->id_addr_type = info->addr_type;
1061
1062 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
1063 bacpy(&rpa, &hcon->dst);
1064 else
1065 bacpy(&rpa, BDADDR_ANY);
1066
1067 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
1068 smp->id_addr_type, smp->irk, &rpa);
1069
1070 smp_distribute_keys(conn);
1071
1072 return 0;
1073 }
1074
1075 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
1076 {
1077 struct smp_cmd_sign_info *rp = (void *) skb->data;
1078 struct smp_chan *smp = conn->smp_chan;
1079 struct hci_dev *hdev = conn->hcon->hdev;
1080 struct smp_csrk *csrk;
1081
1082 BT_DBG("conn %p", conn);
1083
1084 if (skb->len < sizeof(*rp))
1085 return SMP_INVALID_PARAMS;
1086
1087 /* Ignore this PDU if it wasn't requested */
1088 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1089 return 0;
1090
1091 /* Mark the information as received */
1092 smp->remote_key_dist &= ~SMP_DIST_SIGN;
1093
1094 skb_pull(skb, sizeof(*rp));
1095
1096 hci_dev_lock(hdev);
1097 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1098 if (csrk) {
1099 csrk->master = 0x01;
1100 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
1101 }
1102 smp->csrk = csrk;
1103 if (!(smp->remote_key_dist & SMP_DIST_SIGN))
1104 smp_distribute_keys(conn);
1105 hci_dev_unlock(hdev);
1106
1107 return 0;
1108 }
1109
1110 int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
1111 {
1112 struct hci_conn *hcon = conn->hcon;
1113 __u8 code, reason;
1114 int err = 0;
1115
1116 if (hcon->type != LE_LINK) {
1117 kfree_skb(skb);
1118 return 0;
1119 }
1120
1121 if (skb->len < 1) {
1122 kfree_skb(skb);
1123 return -EILSEQ;
1124 }
1125
1126 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
1127 err = -ENOTSUPP;
1128 reason = SMP_PAIRING_NOTSUPP;
1129 goto done;
1130 }
1131
1132 code = skb->data[0];
1133 skb_pull(skb, sizeof(code));
1134
1135 /*
1136 * The SMP context must be initialized for all other PDUs except
1137 * pairing and security requests. If we get any other PDU when
1138 * not initialized simply disconnect (done if this function
1139 * returns an error).
1140 */
1141 if (code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ &&
1142 !conn->smp_chan) {
1143 BT_ERR("Unexpected SMP command 0x%02x. Disconnecting.", code);
1144 kfree_skb(skb);
1145 return -ENOTSUPP;
1146 }
1147
1148 switch (code) {
1149 case SMP_CMD_PAIRING_REQ:
1150 reason = smp_cmd_pairing_req(conn, skb);
1151 break;
1152
1153 case SMP_CMD_PAIRING_FAIL:
1154 smp_failure(conn, 0);
1155 reason = 0;
1156 err = -EPERM;
1157 break;
1158
1159 case SMP_CMD_PAIRING_RSP:
1160 reason = smp_cmd_pairing_rsp(conn, skb);
1161 break;
1162
1163 case SMP_CMD_SECURITY_REQ:
1164 reason = smp_cmd_security_req(conn, skb);
1165 break;
1166
1167 case SMP_CMD_PAIRING_CONFIRM:
1168 reason = smp_cmd_pairing_confirm(conn, skb);
1169 break;
1170
1171 case SMP_CMD_PAIRING_RANDOM:
1172 reason = smp_cmd_pairing_random(conn, skb);
1173 break;
1174
1175 case SMP_CMD_ENCRYPT_INFO:
1176 reason = smp_cmd_encrypt_info(conn, skb);
1177 break;
1178
1179 case SMP_CMD_MASTER_IDENT:
1180 reason = smp_cmd_master_ident(conn, skb);
1181 break;
1182
1183 case SMP_CMD_IDENT_INFO:
1184 reason = smp_cmd_ident_info(conn, skb);
1185 break;
1186
1187 case SMP_CMD_IDENT_ADDR_INFO:
1188 reason = smp_cmd_ident_addr_info(conn, skb);
1189 break;
1190
1191 case SMP_CMD_SIGN_INFO:
1192 reason = smp_cmd_sign_info(conn, skb);
1193 break;
1194
1195 default:
1196 BT_DBG("Unknown command code 0x%2.2x", code);
1197
1198 reason = SMP_CMD_NOTSUPP;
1199 err = -EOPNOTSUPP;
1200 goto done;
1201 }
1202
1203 done:
1204 if (reason)
1205 smp_failure(conn, reason);
1206
1207 kfree_skb(skb);
1208 return err;
1209 }
1210
1211 static void smp_notify_keys(struct l2cap_conn *conn)
1212 {
1213 struct smp_chan *smp = conn->smp_chan;
1214 struct hci_conn *hcon = conn->hcon;
1215 struct hci_dev *hdev = hcon->hdev;
1216 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1217 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1218 bool persistent;
1219
1220 if (smp->remote_irk) {
1221 mgmt_new_irk(hdev, smp->remote_irk);
1222 /* Now that user space can be considered to know the
1223 * identity address track the connection based on it
1224 * from now on.
1225 */
1226 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1227 hcon->dst_type = smp->remote_irk->addr_type;
1228 l2cap_conn_update_id_addr(hcon);
1229 }
1230
1231 /* The LTKs and CSRKs should be persistent only if both sides
1232 * had the bonding bit set in their authentication requests.
1233 */
1234 persistent = !!((req->auth_req & rsp->auth_req) & SMP_AUTH_BONDING);
1235
1236 if (smp->csrk) {
1237 smp->csrk->bdaddr_type = hcon->dst_type;
1238 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1239 mgmt_new_csrk(hdev, smp->csrk, persistent);
1240 }
1241
1242 if (smp->slave_csrk) {
1243 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1244 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1245 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1246 }
1247
1248 if (smp->ltk) {
1249 smp->ltk->bdaddr_type = hcon->dst_type;
1250 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1251 mgmt_new_ltk(hdev, smp->ltk, persistent);
1252 }
1253
1254 if (smp->slave_ltk) {
1255 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1256 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1257 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1258 }
1259 }
1260
1261 int smp_distribute_keys(struct l2cap_conn *conn)
1262 {
1263 struct smp_cmd_pairing *req, *rsp;
1264 struct smp_chan *smp = conn->smp_chan;
1265 struct hci_conn *hcon = conn->hcon;
1266 struct hci_dev *hdev = hcon->hdev;
1267 __u8 *keydist;
1268
1269 BT_DBG("conn %p", conn);
1270
1271 if (!test_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags))
1272 return 0;
1273
1274 rsp = (void *) &smp->prsp[1];
1275
1276 /* The responder sends its keys first */
1277 if (hcon->out && (smp->remote_key_dist & 0x07))
1278 return 0;
1279
1280 req = (void *) &smp->preq[1];
1281
1282 if (hcon->out) {
1283 keydist = &rsp->init_key_dist;
1284 *keydist &= req->init_key_dist;
1285 } else {
1286 keydist = &rsp->resp_key_dist;
1287 *keydist &= req->resp_key_dist;
1288 }
1289
1290 BT_DBG("keydist 0x%x", *keydist);
1291
1292 if (*keydist & SMP_DIST_ENC_KEY) {
1293 struct smp_cmd_encrypt_info enc;
1294 struct smp_cmd_master_ident ident;
1295 struct smp_ltk *ltk;
1296 u8 authenticated;
1297 __le16 ediv;
1298 __le64 rand;
1299
1300 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1301 get_random_bytes(&ediv, sizeof(ediv));
1302 get_random_bytes(&rand, sizeof(rand));
1303
1304 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1305
1306 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1307 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1308 HCI_SMP_LTK_SLAVE, authenticated, enc.ltk,
1309 smp->enc_key_size, ediv, rand);
1310 smp->slave_ltk = ltk;
1311
1312 ident.ediv = ediv;
1313 ident.rand = rand;
1314
1315 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1316
1317 *keydist &= ~SMP_DIST_ENC_KEY;
1318 }
1319
1320 if (*keydist & SMP_DIST_ID_KEY) {
1321 struct smp_cmd_ident_addr_info addrinfo;
1322 struct smp_cmd_ident_info idinfo;
1323
1324 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1325
1326 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1327
1328 /* The hci_conn contains the local identity address
1329 * after the connection has been established.
1330 *
1331 * This is true even when the connection has been
1332 * established using a resolvable random address.
1333 */
1334 bacpy(&addrinfo.bdaddr, &hcon->src);
1335 addrinfo.addr_type = hcon->src_type;
1336
1337 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1338 &addrinfo);
1339
1340 *keydist &= ~SMP_DIST_ID_KEY;
1341 }
1342
1343 if (*keydist & SMP_DIST_SIGN) {
1344 struct smp_cmd_sign_info sign;
1345 struct smp_csrk *csrk;
1346
1347 /* Generate a new random key */
1348 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1349
1350 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1351 if (csrk) {
1352 csrk->master = 0x00;
1353 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1354 }
1355 smp->slave_csrk = csrk;
1356
1357 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1358
1359 *keydist &= ~SMP_DIST_SIGN;
1360 }
1361
1362 /* If there are still keys to be received wait for them */
1363 if ((smp->remote_key_dist & 0x07))
1364 return 0;
1365
1366 clear_bit(HCI_CONN_LE_SMP_PEND, &hcon->flags);
1367 cancel_delayed_work_sync(&conn->security_timer);
1368 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1369 smp_notify_keys(conn);
1370
1371 smp_chan_destroy(conn);
1372
1373 return 0;
1374 }
Linux kernel - Deliverables
This page took 0.068377 seconds and 5 git commands to generate.