2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
23 #include <net/bluetooth/bluetooth.h>
24 #include <net/bluetooth/hci_core.h>
25 #include <net/bluetooth/l2cap.h>
26 #include <net/bluetooth/smp.h>
27 #include <linux/crypto.h>
28 #include <linux/scatterlist.h>
29 #include <crypto/b128ops.h>
31 #define SMP_TIMEOUT 30000 /* 30 seconds */
33 static inline void swap128(u8 src[16], u8 dst[16])
36 for (i = 0; i < 16; i++)
40 static inline void swap56(u8 src[7], u8 dst[7])
43 for (i = 0; i < 7; i++)
47 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
49 struct blkcipher_desc desc;
50 struct scatterlist sg;
52 unsigned char iv[128];
55 BT_ERR("tfm %p", tfm);
62 err = crypto_blkcipher_setkey(tfm, k, 16);
64 BT_ERR("cipher setkey failed: %d", err);
68 sg_init_one(&sg, r, 16);
70 iv_len = crypto_blkcipher_ivsize(tfm);
72 memset(&iv, 0xff, iv_len);
73 crypto_blkcipher_set_iv(tfm, iv, iv_len);
76 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
78 BT_ERR("Encrypt data error %d", err);
83 static int smp_c1(struct crypto_blkcipher *tfm, u8 k[16], u8 r[16],
84 u8 preq[7], u8 pres[7], u8 _iat, bdaddr_t *ia,
85 u8 _rat, bdaddr_t *ra, u8 res[16])
92 /* p1 = pres || preq || _rat || _iat */
100 /* p2 = padding || ia || ra */
101 baswap((bdaddr_t *) (p2 + 4), ia);
102 baswap((bdaddr_t *) (p2 + 10), ra);
105 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
107 /* res = e(k, res) */
108 err = smp_e(tfm, k, res);
110 BT_ERR("Encrypt data error");
114 /* res = res XOR p2 */
115 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
117 /* res = e(k, res) */
118 err = smp_e(tfm, k, res);
120 BT_ERR("Encrypt data error");
125 static int smp_s1(struct crypto_blkcipher *tfm, u8 k[16],
126 u8 r1[16], u8 r2[16], u8 _r[16])
130 /* Just least significant octets from r1 and r2 are considered */
131 memcpy(_r, r1 + 8, 8);
132 memcpy(_r + 8, r2 + 8, 8);
134 err = smp_e(tfm, k, _r);
136 BT_ERR("Encrypt data error");
141 static int smp_rand(u8 *buf)
143 get_random_bytes(buf, 16);
148 static struct sk_buff *smp_build_cmd(struct l2cap_conn *conn, u8 code,
149 u16 dlen, void *data)
152 struct l2cap_hdr *lh;
155 len = L2CAP_HDR_SIZE + sizeof(code) + dlen;
160 skb = bt_skb_alloc(len, GFP_ATOMIC);
164 lh = (struct l2cap_hdr *) skb_put(skb, L2CAP_HDR_SIZE);
165 lh->len = cpu_to_le16(sizeof(code) + dlen);
166 lh->cid = cpu_to_le16(L2CAP_CID_SMP);
168 memcpy(skb_put(skb, sizeof(code)), &code, sizeof(code));
170 memcpy(skb_put(skb, dlen), data, dlen);
175 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
177 struct sk_buff *skb = smp_build_cmd(conn, code, len, data);
179 BT_DBG("code 0x%2.2x", code);
184 hci_send_acl(conn->hcon, skb, 0);
187 static __u8 seclevel_to_authreq(__u8 level)
190 case BT_SECURITY_HIGH:
191 /* Right now we don't support bonding */
192 return SMP_AUTH_MITM;
195 return SMP_AUTH_NONE;
199 static void build_pairing_cmd(struct l2cap_conn *conn,
200 struct smp_cmd_pairing *cmd, __u8 authreq)
202 cmd->io_capability = conn->hcon->io_capability;
203 cmd->oob_flag = SMP_OOB_NOT_PRESENT;
204 cmd->max_key_size = SMP_MAX_ENC_KEY_SIZE;
205 cmd->init_key_dist = SMP_DIST_ENC_KEY | SMP_DIST_ID_KEY | SMP_DIST_SIGN;
206 cmd->resp_key_dist = SMP_DIST_ENC_KEY | SMP_DIST_ID_KEY | SMP_DIST_SIGN;
207 cmd->auth_req = authreq;
210 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
212 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
213 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
214 return SMP_ENC_KEY_SIZE;
216 conn->smp_key_size = max_key_size;
221 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
223 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
226 BT_DBG("conn %p", conn);
228 conn->preq[0] = SMP_CMD_PAIRING_REQ;
229 memcpy(&conn->preq[1], req, sizeof(*req));
230 skb_pull(skb, sizeof(*req));
233 return SMP_OOB_NOT_AVAIL;
235 /* We didn't start the pairing, so no requirements */
236 build_pairing_cmd(conn, &rsp, SMP_AUTH_NONE);
238 key_size = min(req->max_key_size, rsp.max_key_size);
239 if (check_enc_key_size(conn, key_size))
240 return SMP_ENC_KEY_SIZE;
243 memset(conn->tk, 0, sizeof(conn->tk));
245 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
246 memcpy(&conn->prsp[1], &rsp, sizeof(rsp));
248 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
250 mod_timer(&conn->security_timer, jiffies +
251 msecs_to_jiffies(SMP_TIMEOUT));
256 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
258 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
259 struct smp_cmd_pairing_confirm cp;
260 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
262 u8 res[16], key_size;
264 BT_DBG("conn %p", conn);
266 skb_pull(skb, sizeof(*rsp));
268 req = (void *) &conn->preq[1];
270 key_size = min(req->max_key_size, rsp->max_key_size);
271 if (check_enc_key_size(conn, key_size))
272 return SMP_ENC_KEY_SIZE;
275 return SMP_OOB_NOT_AVAIL;
278 memset(conn->tk, 0, sizeof(conn->tk));
280 conn->prsp[0] = SMP_CMD_PAIRING_RSP;
281 memcpy(&conn->prsp[1], rsp, sizeof(*rsp));
283 ret = smp_rand(conn->prnd);
285 return SMP_UNSPECIFIED;
287 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp, 0,
288 conn->src, conn->hcon->dst_type, conn->dst, res);
290 return SMP_UNSPECIFIED;
292 swap128(res, cp.confirm_val);
294 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
299 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
301 struct crypto_blkcipher *tfm = conn->hcon->hdev->tfm;
303 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
305 memcpy(conn->pcnf, skb->data, sizeof(conn->pcnf));
306 skb_pull(skb, sizeof(conn->pcnf));
308 if (conn->hcon->out) {
311 swap128(conn->prnd, random);
312 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random),
315 struct smp_cmd_pairing_confirm cp;
319 ret = smp_rand(conn->prnd);
321 return SMP_UNSPECIFIED;
323 ret = smp_c1(tfm, conn->tk, conn->prnd, conn->preq, conn->prsp,
324 conn->hcon->dst_type, conn->dst,
327 return SMP_CONFIRM_FAILED;
329 swap128(res, cp.confirm_val);
331 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
334 mod_timer(&conn->security_timer, jiffies +
335 msecs_to_jiffies(SMP_TIMEOUT));
340 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
342 struct hci_conn *hcon = conn->hcon;
343 struct crypto_blkcipher *tfm = hcon->hdev->tfm;
345 u8 key[16], res[16], random[16], confirm[16];
347 swap128(skb->data, random);
348 skb_pull(skb, sizeof(random));
350 memset(hcon->ltk, 0, sizeof(hcon->ltk));
353 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp, 0,
354 conn->src, conn->hcon->dst_type, conn->dst,
357 ret = smp_c1(tfm, conn->tk, random, conn->preq, conn->prsp,
358 conn->hcon->dst_type, conn->dst, 0, conn->src,
361 return SMP_UNSPECIFIED;
363 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
365 swap128(res, confirm);
367 if (memcmp(conn->pcnf, confirm, sizeof(conn->pcnf)) != 0) {
368 BT_ERR("Pairing failed (confirmation values mismatch)");
369 return SMP_CONFIRM_FAILED;
372 if (conn->hcon->out) {
376 smp_s1(tfm, conn->tk, random, conn->prnd, key);
377 swap128(key, hcon->ltk);
379 memset(hcon->ltk + conn->smp_key_size, 0,
380 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
382 memset(rand, 0, sizeof(rand));
384 hci_le_start_enc(hcon, ediv, rand, hcon->ltk);
388 swap128(conn->prnd, r);
389 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(r), r);
391 smp_s1(tfm, conn->tk, conn->prnd, random, key);
392 swap128(key, hcon->ltk);
394 memset(hcon->ltk + conn->smp_key_size, 0,
395 SMP_MAX_ENC_KEY_SIZE - conn->smp_key_size);
401 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
403 struct smp_cmd_security_req *rp = (void *) skb->data;
404 struct smp_cmd_pairing cp;
405 struct hci_conn *hcon = conn->hcon;
407 BT_DBG("conn %p", conn);
409 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
412 skb_pull(skb, sizeof(*rp));
414 memset(&cp, 0, sizeof(cp));
415 build_pairing_cmd(conn, &cp, rp->auth_req);
417 conn->preq[0] = SMP_CMD_PAIRING_REQ;
418 memcpy(&conn->preq[1], &cp, sizeof(cp));
420 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
422 mod_timer(&conn->security_timer, jiffies +
423 msecs_to_jiffies(SMP_TIMEOUT));
425 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
430 int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level)
432 struct hci_conn *hcon = conn->hcon;
435 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
437 if (!lmp_host_le_capable(hcon->hdev))
440 if (IS_ERR(hcon->hdev->tfm))
443 if (test_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend))
446 if (sec_level == BT_SECURITY_LOW)
449 if (hcon->sec_level >= sec_level)
452 authreq = seclevel_to_authreq(sec_level);
454 if (hcon->link_mode & HCI_LM_MASTER) {
455 struct smp_cmd_pairing cp;
457 build_pairing_cmd(conn, &cp, authreq);
458 conn->preq[0] = SMP_CMD_PAIRING_REQ;
459 memcpy(&conn->preq[1], &cp, sizeof(cp));
461 mod_timer(&conn->security_timer, jiffies +
462 msecs_to_jiffies(SMP_TIMEOUT));
464 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
466 struct smp_cmd_security_req cp;
467 cp.auth_req = authreq;
468 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
471 hcon->pending_sec_level = sec_level;
472 set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->pend);
477 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
479 BT_DBG("conn %p", conn);
480 /* FIXME: store the ltk */
484 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
486 struct smp_cmd_pairing *paircmd = (void *) &conn->prsp[1];
487 u8 keydist = paircmd->init_key_dist;
489 BT_DBG("keydist 0x%x", keydist);
490 /* FIXME: store ediv and rand */
492 smp_distribute_keys(conn, 1);
497 int smp_sig_channel(struct l2cap_conn *conn, struct sk_buff *skb)
499 __u8 code = skb->data[0];
503 if (!lmp_host_le_capable(conn->hcon->hdev)) {
505 reason = SMP_PAIRING_NOTSUPP;
509 if (IS_ERR(conn->hcon->hdev->tfm)) {
510 err = PTR_ERR(conn->hcon->hdev->tfm);
511 reason = SMP_PAIRING_NOTSUPP;
515 skb_pull(skb, sizeof(code));
518 case SMP_CMD_PAIRING_REQ:
519 reason = smp_cmd_pairing_req(conn, skb);
522 case SMP_CMD_PAIRING_FAIL:
527 case SMP_CMD_PAIRING_RSP:
528 reason = smp_cmd_pairing_rsp(conn, skb);
531 case SMP_CMD_SECURITY_REQ:
532 reason = smp_cmd_security_req(conn, skb);
535 case SMP_CMD_PAIRING_CONFIRM:
536 reason = smp_cmd_pairing_confirm(conn, skb);
539 case SMP_CMD_PAIRING_RANDOM:
540 reason = smp_cmd_pairing_random(conn, skb);
543 case SMP_CMD_ENCRYPT_INFO:
544 reason = smp_cmd_encrypt_info(conn, skb);
547 case SMP_CMD_MASTER_IDENT:
548 reason = smp_cmd_master_ident(conn, skb);
551 case SMP_CMD_IDENT_INFO:
552 case SMP_CMD_IDENT_ADDR_INFO:
553 case SMP_CMD_SIGN_INFO:
559 BT_DBG("Unknown command code 0x%2.2x", code);
561 reason = SMP_CMD_NOTSUPP;
568 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
575 int smp_distribute_keys(struct l2cap_conn *conn, __u8 force)
577 struct smp_cmd_pairing *req, *rsp;
580 BT_DBG("conn %p force %d", conn, force);
582 if (IS_ERR(conn->hcon->hdev->tfm))
583 return PTR_ERR(conn->hcon->hdev->tfm);
585 rsp = (void *) &conn->prsp[1];
587 /* The responder sends its keys first */
588 if (!force && conn->hcon->out && (rsp->resp_key_dist & 0x07))
591 req = (void *) &conn->preq[1];
593 if (conn->hcon->out) {
594 keydist = &rsp->init_key_dist;
595 *keydist &= req->init_key_dist;
597 keydist = &rsp->resp_key_dist;
598 *keydist &= req->resp_key_dist;
602 BT_DBG("keydist 0x%x", *keydist);
604 if (*keydist & SMP_DIST_ENC_KEY) {
605 struct smp_cmd_encrypt_info enc;
606 struct smp_cmd_master_ident ident;
609 get_random_bytes(enc.ltk, sizeof(enc.ltk));
610 get_random_bytes(&ediv, sizeof(ediv));
611 get_random_bytes(ident.rand, sizeof(ident.rand));
613 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
615 ident.ediv = cpu_to_le16(ediv);
617 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
619 *keydist &= ~SMP_DIST_ENC_KEY;
622 if (*keydist & SMP_DIST_ID_KEY) {
623 struct smp_cmd_ident_addr_info addrinfo;
624 struct smp_cmd_ident_info idinfo;
626 /* Send a dummy key */
627 get_random_bytes(idinfo.irk, sizeof(idinfo.irk));
629 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
631 /* Just public address */
632 memset(&addrinfo, 0, sizeof(addrinfo));
633 bacpy(&addrinfo.bdaddr, conn->src);
635 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
638 *keydist &= ~SMP_DIST_ID_KEY;
641 if (*keydist & SMP_DIST_SIGN) {
642 struct smp_cmd_sign_info sign;
644 /* Send a dummy key */
645 get_random_bytes(sign.csrk, sizeof(sign.csrk));
647 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
649 *keydist &= ~SMP_DIST_SIGN;