1 /*
2 * Copyright (c) 2017-2025 Nordic Semiconductor ASA
3 * Copyright (c) 2015 Intel Corporation
4 *
5 * SPDX-License-Identifier: Apache-2.0
6 */
7
8 #include <errno.h>
9 #include <stdint.h>
10
11 #include <zephyr/bluetooth/conn.h>
12 #include <zephyr/sys/byteorder.h>
13
14 #include <zephyr/bluetooth/buf.h>
15 #include <zephyr/bluetooth/hci.h>
16 #include <zephyr/bluetooth/addr.h>
17
18 #include "common/bt_str.h"
19
20 #include "host/keys.h"
21
22 #include "host/hci_core.h"
23 #include "host/conn_internal.h"
24 #include "l2cap_br_internal.h"
25
26 #define LOG_LEVEL CONFIG_BT_HCI_CORE_LOG_LEVEL
27 #include <zephyr/logging/log.h>
28 LOG_MODULE_REGISTER(bt_ssp);
29
30 enum pairing_method {
31 LEGACY, /* Legacy (pre-SSP) pairing */
32 JUST_WORKS, /* JustWorks pairing */
33 PASSKEY_INPUT, /* Passkey Entry input */
34 PASSKEY_DISPLAY, /* Passkey Entry display */
35 PASSKEY_CONFIRM, /* Passkey confirm */
36 };
37
38 /* based on table 5.7, Core Spec 4.2, Vol.3 Part C, 5.2.2.6 */
39 static const uint8_t ssp_method[4 /* remote */][4 /* local */] = {
40 { JUST_WORKS, JUST_WORKS, PASSKEY_INPUT, JUST_WORKS },
41 { JUST_WORKS, PASSKEY_CONFIRM, PASSKEY_INPUT, JUST_WORKS },
42 { PASSKEY_DISPLAY, PASSKEY_DISPLAY, PASSKEY_INPUT, JUST_WORKS },
43 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS },
44 };
45
pin_code_neg_reply(const bt_addr_t * bdaddr)46 static int pin_code_neg_reply(const bt_addr_t *bdaddr)
47 {
48 struct bt_hci_cp_pin_code_neg_reply *cp;
49 struct net_buf *buf;
50
51 LOG_DBG("");
52
53 buf = bt_hci_cmd_create(BT_HCI_OP_PIN_CODE_NEG_REPLY, sizeof(*cp));
54 if (!buf) {
55 return -ENOBUFS;
56 }
57
58 cp = net_buf_add(buf, sizeof(*cp));
59 bt_addr_copy(&cp->bdaddr, bdaddr);
60
61 return bt_hci_cmd_send_sync(BT_HCI_OP_PIN_CODE_NEG_REPLY, buf, NULL);
62 }
63
pin_code_reply(struct bt_conn * conn,const char * pin,uint8_t len)64 static int pin_code_reply(struct bt_conn *conn, const char *pin, uint8_t len)
65 {
66 struct bt_hci_cp_pin_code_reply *cp;
67 struct net_buf *buf;
68
69 LOG_DBG("");
70
71 buf = bt_hci_cmd_create(BT_HCI_OP_PIN_CODE_REPLY, sizeof(*cp));
72 if (!buf) {
73 return -ENOBUFS;
74 }
75
76 cp = net_buf_add(buf, sizeof(*cp));
77
78 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
79 cp->pin_len = len;
80 strncpy((char *)cp->pin_code, pin, sizeof(cp->pin_code));
81
82 return bt_hci_cmd_send_sync(BT_HCI_OP_PIN_CODE_REPLY, buf, NULL);
83 }
84
bt_conn_auth_pincode_entry(struct bt_conn * conn,const char * pin)85 int bt_conn_auth_pincode_entry(struct bt_conn *conn, const char *pin)
86 {
87 size_t len;
88
89 if (!bt_auth) {
90 return -EINVAL;
91 }
92
93 if (!bt_conn_is_type(conn, BT_CONN_TYPE_BR)) {
94 LOG_DBG("Invalid connection type: %u for %p", conn->type, conn);
95 return -EINVAL;
96 }
97
98 len = strlen(pin);
99 if (len > 16) {
100 return -EINVAL;
101 }
102
103 if (conn->required_sec_level == BT_SECURITY_L3 && len < 16) {
104 LOG_WRN("PIN code for %s is not 16 bytes wide", bt_addr_str(&conn->br.dst));
105 return -EPERM;
106 }
107
108 /* Allow user send entered PIN to remote, then reset user state. */
109 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
110 return -EPERM;
111 }
112
113 if (len == 16) {
114 atomic_set_bit(conn->flags, BT_CONN_BR_LEGACY_SECURE);
115 }
116
117 return pin_code_reply(conn, pin, len);
118 }
119
pin_code_req(struct bt_conn * conn)120 static void pin_code_req(struct bt_conn *conn)
121 {
122 if (bt_auth && bt_auth->pincode_entry) {
123 bool secure = false;
124
125 if (conn->required_sec_level == BT_SECURITY_L3) {
126 secure = true;
127 }
128
129 atomic_set_bit(conn->flags, BT_CONN_USER);
130 atomic_set_bit(conn->flags, BT_CONN_BR_PAIRING);
131 bt_auth->pincode_entry(conn, secure);
132 } else {
133 pin_code_neg_reply(&conn->br.dst);
134 }
135 }
136
get_io_capa(void)137 static uint8_t get_io_capa(void)
138 {
139 if (!bt_auth) {
140 return BT_IO_NO_INPUT_OUTPUT;
141 }
142
143 if (bt_auth->passkey_confirm && bt_auth->passkey_display) {
144 return BT_IO_DISPLAY_YESNO;
145 }
146
147 if (bt_auth->passkey_entry) {
148 return BT_IO_KEYBOARD_ONLY;
149 }
150
151 if (bt_auth->passkey_display) {
152 return BT_IO_DISPLAY_ONLY;
153 }
154
155 return BT_IO_NO_INPUT_OUTPUT;
156 }
157
ssp_pair_method(const struct bt_conn * conn)158 static uint8_t ssp_pair_method(const struct bt_conn *conn)
159 {
160 return ssp_method[conn->br.remote_io_capa][get_io_capa()];
161 }
162
ssp_get_auth(const struct bt_conn * conn)163 static uint8_t ssp_get_auth(const struct bt_conn *conn)
164 {
165 bt_security_t max_sec_level;
166 uint8_t mitm = 0;
167
168 /* Check if the MITM is required by service */
169 max_sec_level = bt_l2cap_br_get_max_sec_level();
170 if ((max_sec_level > BT_SECURITY_L2) && (ssp_pair_method(conn) > JUST_WORKS)) {
171 mitm = BT_MITM;
172 }
173
174 /* Validate no bond auth request, and if valid use it. */
175 if ((conn->br.remote_auth == BT_HCI_NO_BONDING) ||
176 ((conn->br.remote_auth == BT_HCI_NO_BONDING_MITM) &&
177 (ssp_pair_method(conn) > JUST_WORKS))) {
178 return conn->br.remote_auth | mitm;
179 }
180
181 /* Local & remote have enough IO capabilities to get MITM protection. */
182 if (ssp_pair_method(conn) > JUST_WORKS) {
183 return conn->br.remote_auth | BT_MITM;
184 }
185
186 /* No MITM protection possible so ignore remote MITM requirement. */
187 return (conn->br.remote_auth & ~BT_MITM);
188 }
189
ssp_confirm_reply(struct bt_conn * conn)190 static int ssp_confirm_reply(struct bt_conn *conn)
191 {
192 struct bt_hci_cp_user_confirm_reply *cp;
193 struct net_buf *buf;
194
195 LOG_DBG("");
196
197 buf = bt_hci_cmd_create(BT_HCI_OP_USER_CONFIRM_REPLY, sizeof(*cp));
198 if (!buf) {
199 return -ENOBUFS;
200 }
201
202 cp = net_buf_add(buf, sizeof(*cp));
203 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
204
205 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_CONFIRM_REPLY, buf, NULL);
206 }
207
ssp_confirm_neg_reply(struct bt_conn * conn)208 static int ssp_confirm_neg_reply(struct bt_conn *conn)
209 {
210 struct bt_hci_cp_user_confirm_reply *cp;
211 struct net_buf *buf;
212
213 LOG_DBG("");
214
215 buf = bt_hci_cmd_create(BT_HCI_OP_USER_CONFIRM_NEG_REPLY, sizeof(*cp));
216 if (!buf) {
217 return -ENOBUFS;
218 }
219
220 cp = net_buf_add(buf, sizeof(*cp));
221 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
222
223 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_CONFIRM_NEG_REPLY, buf,
224 NULL);
225 }
226
ssp_pairing_complete(struct bt_conn * conn,uint8_t status)227 static void ssp_pairing_complete(struct bt_conn *conn, uint8_t status)
228 {
229 /* When the ssp pairing complete event notified,
230 * clear the pairing flag.
231 */
232 atomic_clear_bit(conn->flags, BT_CONN_BR_PAIRING);
233 atomic_set_bit_to(conn->flags, BT_CONN_BR_PAIRED, !status);
234
235 LOG_DBG("Pairing completed status %d", status);
236
237 if (!status) {
238 bool bond = !atomic_test_bit(conn->flags, BT_CONN_BR_NOBOND);
239 struct bt_conn_auth_info_cb *listener, *next;
240
241 SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&bt_auth_info_cbs, listener,
242 next, node) {
243 if (listener->pairing_complete) {
244 listener->pairing_complete(conn, bond);
245 }
246 }
247 } else {
248 struct bt_conn_auth_info_cb *listener, *next;
249
250 SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&bt_auth_info_cbs, listener,
251 next, node) {
252 if (listener->pairing_failed) {
253 listener->pairing_failed(conn, status);
254 }
255 }
256 }
257 }
258
ssp_auth(struct bt_conn * conn,uint32_t passkey)259 static void ssp_auth(struct bt_conn *conn, uint32_t passkey)
260 {
261 conn->br.pairing_method = ssp_pair_method(conn);
262
263 /*
264 * If local required security is HIGH then MITM is mandatory.
265 * MITM protection is no achievable when SSP 'justworks' is applied.
266 */
267 if (conn->required_sec_level > BT_SECURITY_L2 &&
268 conn->br.pairing_method == JUST_WORKS) {
269 LOG_DBG("MITM protection infeasible for required security");
270 ssp_confirm_neg_reply(conn);
271 return;
272 }
273
274 switch (conn->br.pairing_method) {
275 case PASSKEY_CONFIRM:
276 atomic_set_bit(conn->flags, BT_CONN_USER);
277 bt_auth->passkey_confirm(conn, passkey);
278 break;
279 case PASSKEY_DISPLAY:
280 atomic_set_bit(conn->flags, BT_CONN_USER);
281 bt_auth->passkey_display(conn, passkey);
282 break;
283 case PASSKEY_INPUT:
284 atomic_set_bit(conn->flags, BT_CONN_USER);
285 bt_auth->passkey_entry(conn);
286 break;
287 case JUST_WORKS:
288 /*
289 * When local host works as pairing acceptor and 'justworks'
290 * model is applied then notify user about such pairing request.
291 * [BT Core 4.2 table 5.7, Vol 3, Part C, 5.2.2.6]
292 */
293 if (bt_auth && bt_auth->pairing_confirm &&
294 !atomic_test_bit(conn->flags,
295 BT_CONN_BR_PAIRING_INITIATOR)) {
296 atomic_set_bit(conn->flags, BT_CONN_USER);
297 bt_auth->pairing_confirm(conn);
298 break;
299 }
300 ssp_confirm_reply(conn);
301 break;
302 default:
303 break;
304 }
305 }
306
ssp_passkey_reply(struct bt_conn * conn,unsigned int passkey)307 static int ssp_passkey_reply(struct bt_conn *conn, unsigned int passkey)
308 {
309 struct bt_hci_cp_user_passkey_reply *cp;
310 struct net_buf *buf;
311
312 LOG_DBG("");
313
314 buf = bt_hci_cmd_create(BT_HCI_OP_USER_PASSKEY_REPLY, sizeof(*cp));
315 if (!buf) {
316 return -ENOBUFS;
317 }
318
319 cp = net_buf_add(buf, sizeof(*cp));
320 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
321 cp->passkey = sys_cpu_to_le32(passkey);
322
323 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_PASSKEY_REPLY, buf, NULL);
324 }
325
ssp_passkey_neg_reply(struct bt_conn * conn)326 static int ssp_passkey_neg_reply(struct bt_conn *conn)
327 {
328 struct bt_hci_cp_user_passkey_neg_reply *cp;
329 struct net_buf *buf;
330
331 LOG_DBG("");
332
333 buf = bt_hci_cmd_create(BT_HCI_OP_USER_PASSKEY_NEG_REPLY, sizeof(*cp));
334 if (!buf) {
335 return -ENOBUFS;
336 }
337
338 cp = net_buf_add(buf, sizeof(*cp));
339 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
340
341 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_PASSKEY_NEG_REPLY, buf,
342 NULL);
343 }
344
conn_auth(struct bt_conn * conn)345 static int conn_auth(struct bt_conn *conn)
346 {
347 struct bt_hci_cp_auth_requested *auth;
348 struct net_buf *buf;
349
350 LOG_DBG("");
351
352 buf = bt_hci_cmd_create(BT_HCI_OP_AUTH_REQUESTED, sizeof(*auth));
353 if (!buf) {
354 return -ENOBUFS;
355 }
356
357 auth = net_buf_add(buf, sizeof(*auth));
358 auth->handle = sys_cpu_to_le16(conn->handle);
359
360 atomic_set_bit(conn->flags, BT_CONN_BR_PAIRING_INITIATOR);
361
362 return bt_hci_cmd_send_sync(BT_HCI_OP_AUTH_REQUESTED, buf, NULL);
363 }
364
bt_ssp_start_security(struct bt_conn * conn)365 int bt_ssp_start_security(struct bt_conn *conn)
366 {
367 if (atomic_test_bit(conn->flags, BT_CONN_BR_PAIRING)) {
368 return -EBUSY;
369 }
370
371 if (get_io_capa() == BT_IO_NO_INPUT_OUTPUT &&
372 conn->required_sec_level > BT_SECURITY_L2) {
373 return -EINVAL;
374 }
375
376 return conn_auth(conn);
377 }
378
bt_ssp_auth_passkey_entry(struct bt_conn * conn,unsigned int passkey)379 int bt_ssp_auth_passkey_entry(struct bt_conn *conn, unsigned int passkey)
380 {
381 /* User entered passkey, reset user state. */
382 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
383 return -EPERM;
384 }
385
386 if (conn->br.pairing_method == PASSKEY_INPUT) {
387 return ssp_passkey_reply(conn, passkey);
388 }
389
390 return -EINVAL;
391 }
392
bt_ssp_auth_passkey_confirm(struct bt_conn * conn)393 int bt_ssp_auth_passkey_confirm(struct bt_conn *conn)
394 {
395 /* Allow user confirm passkey value, then reset user state. */
396 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
397 return -EPERM;
398 }
399
400 return ssp_confirm_reply(conn);
401 }
402
bt_ssp_auth_pairing_confirm(struct bt_conn * conn)403 int bt_ssp_auth_pairing_confirm(struct bt_conn *conn)
404 {
405 return ssp_confirm_reply(conn);
406 }
407
bt_ssp_auth_cancel(struct bt_conn * conn)408 int bt_ssp_auth_cancel(struct bt_conn *conn)
409 {
410 /* Allow user cancel authentication, then reset user state. */
411 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
412 return -EPERM;
413 }
414
415 switch (conn->br.pairing_method) {
416 case JUST_WORKS:
417 case PASSKEY_CONFIRM:
418 return ssp_confirm_neg_reply(conn);
419 case PASSKEY_INPUT:
420 return ssp_passkey_neg_reply(conn);
421 case PASSKEY_DISPLAY:
422 return bt_conn_disconnect(conn,
423 BT_HCI_ERR_AUTH_FAIL);
424 case LEGACY:
425 return pin_code_neg_reply(&conn->br.dst);
426 default:
427 break;
428 }
429
430 return -EINVAL;
431 }
432
bt_hci_pin_code_req(struct net_buf * buf)433 void bt_hci_pin_code_req(struct net_buf *buf)
434 {
435 struct bt_hci_evt_pin_code_req *evt = (void *)buf->data;
436 struct bt_conn *conn;
437
438 LOG_DBG("");
439
440 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
441 if (!conn) {
442 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
443 return;
444 }
445
446 pin_code_req(conn);
447 bt_conn_unref(conn);
448 }
449
bt_hci_link_key_notify(struct net_buf * buf)450 void bt_hci_link_key_notify(struct net_buf *buf)
451 {
452 struct bt_hci_evt_link_key_notify *evt = (void *)buf->data;
453 struct bt_conn *conn;
454
455 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
456 if (!conn) {
457 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
458 return;
459 }
460
461 LOG_DBG("%s, link type 0x%02x", bt_addr_str(&evt->bdaddr), evt->key_type);
462
463 if (IS_ENABLED(CONFIG_BT_SMP_SC_ONLY) && (evt->key_type != BT_LK_AUTH_COMBINATION_P256)) {
464 /*
465 * When in Secure Connections Only mode, all services
466 * (except those allowed to have Security Mode 4, Level 0)
467 * available on the BR/EDR physical transport require Security
468 * Mode 4, Level 4.
469 * Link key type should be P-256 based Secure Simple Pairing
470 * and Secure Authentication.
471 */
472 LOG_WRN("For SC only mode, link key type should be %d",
473 BT_LK_AUTH_COMBINATION_P256);
474 ssp_pairing_complete(conn, bt_security_err_get(BT_HCI_ERR_AUTH_FAIL));
475 bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
476 bt_conn_unref(conn);
477 return;
478 }
479
480 if (!conn->br.link_key) {
481 conn->br.link_key = bt_keys_get_link_key(&evt->bdaddr);
482 }
483 if (!conn->br.link_key) {
484 LOG_ERR("Can't update keys for %s", bt_addr_str(&evt->bdaddr));
485 bt_conn_unref(conn);
486 return;
487 }
488
489 /* clear any old Link Key flags */
490 conn->br.link_key->flags = 0U;
491
492 switch (evt->key_type) {
493 case BT_LK_COMBINATION:
494 /*
495 * Setting Combination Link Key as AUTHENTICATED means it was
496 * successfully generated by 16 digits wide PIN code.
497 */
498 if (atomic_test_and_clear_bit(conn->flags,
499 BT_CONN_BR_LEGACY_SECURE)) {
500 conn->br.link_key->flags |= BT_LINK_KEY_AUTHENTICATED;
501 }
502 memcpy(conn->br.link_key->val, evt->link_key, 16);
503 break;
504 case BT_LK_AUTH_COMBINATION_P192:
505 conn->br.link_key->flags |= BT_LINK_KEY_AUTHENTICATED;
506 __fallthrough;
507 case BT_LK_UNAUTH_COMBINATION_P192:
508 memcpy(conn->br.link_key->val, evt->link_key, 16);
509 break;
510 case BT_LK_AUTH_COMBINATION_P256:
511 conn->br.link_key->flags |= BT_LINK_KEY_AUTHENTICATED;
512 __fallthrough;
513 case BT_LK_UNAUTH_COMBINATION_P256:
514 conn->br.link_key->flags |= BT_LINK_KEY_SC;
515
516 memcpy(conn->br.link_key->val, evt->link_key, 16);
517 break;
518 default:
519 LOG_WRN("Unsupported Link Key type %u", evt->key_type);
520 (void)memset(conn->br.link_key->val, 0,
521 sizeof(conn->br.link_key->val));
522 break;
523 }
524
525 if (IS_ENABLED(CONFIG_BT_SETTINGS) &&
526 !atomic_test_bit(conn->flags, BT_CONN_BR_NOBOND)) {
527 bt_keys_link_key_store(conn->br.link_key);
528 }
529
530 bt_conn_unref(conn);
531 }
532
link_key_neg_reply(const bt_addr_t * bdaddr)533 void link_key_neg_reply(const bt_addr_t *bdaddr)
534 {
535 struct bt_hci_cp_link_key_neg_reply *cp;
536 struct net_buf *buf;
537
538 LOG_DBG("");
539
540 buf = bt_hci_cmd_create(BT_HCI_OP_LINK_KEY_NEG_REPLY, sizeof(*cp));
541 if (!buf) {
542 LOG_ERR("Out of command buffers");
543 return;
544 }
545
546 cp = net_buf_add(buf, sizeof(*cp));
547 bt_addr_copy(&cp->bdaddr, bdaddr);
548 bt_hci_cmd_send_sync(BT_HCI_OP_LINK_KEY_NEG_REPLY, buf, NULL);
549 }
550
link_key_reply(const bt_addr_t * bdaddr,const uint8_t * lk)551 void link_key_reply(const bt_addr_t *bdaddr, const uint8_t *lk)
552 {
553 struct bt_hci_cp_link_key_reply *cp;
554 struct net_buf *buf;
555
556 LOG_DBG("");
557
558 buf = bt_hci_cmd_create(BT_HCI_OP_LINK_KEY_REPLY, sizeof(*cp));
559 if (!buf) {
560 LOG_ERR("Out of command buffers");
561 return;
562 }
563
564 cp = net_buf_add(buf, sizeof(*cp));
565 bt_addr_copy(&cp->bdaddr, bdaddr);
566 memcpy(cp->link_key, lk, 16);
567 bt_hci_cmd_send_sync(BT_HCI_OP_LINK_KEY_REPLY, buf, NULL);
568 }
569
bt_hci_link_key_req(struct net_buf * buf)570 void bt_hci_link_key_req(struct net_buf *buf)
571 {
572 struct bt_hci_evt_link_key_req *evt = (void *)buf->data;
573 struct bt_conn *conn;
574
575 LOG_DBG("%s", bt_addr_str(&evt->bdaddr));
576
577 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
578 if (!conn) {
579 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
580 link_key_neg_reply(&evt->bdaddr);
581 return;
582 }
583
584 if (!conn->br.link_key) {
585 conn->br.link_key = bt_keys_find_link_key(&evt->bdaddr);
586 }
587
588 if (!conn->br.link_key) {
589 link_key_neg_reply(&evt->bdaddr);
590 bt_conn_unref(conn);
591 return;
592 }
593
594 /*
595 * Enforce regenerate by controller stronger link key since found one
596 * in database not covers requested security level.
597 */
598 if (!(conn->br.link_key->flags & BT_LINK_KEY_AUTHENTICATED) &&
599 conn->required_sec_level > BT_SECURITY_L2) {
600 link_key_neg_reply(&evt->bdaddr);
601 bt_conn_unref(conn);
602 return;
603 }
604
605 link_key_reply(&evt->bdaddr, conn->br.link_key->val);
606 bt_conn_unref(conn);
607 }
608
io_capa_neg_reply(const bt_addr_t * bdaddr,const uint8_t reason)609 void io_capa_neg_reply(const bt_addr_t *bdaddr, const uint8_t reason)
610 {
611 struct bt_hci_cp_io_capability_neg_reply *cp;
612 struct net_buf *resp_buf;
613
614 resp_buf = bt_hci_cmd_create(BT_HCI_OP_IO_CAPABILITY_NEG_REPLY,
615 sizeof(*cp));
616 if (!resp_buf) {
617 LOG_ERR("Out of command buffers");
618 return;
619 }
620
621 cp = net_buf_add(resp_buf, sizeof(*cp));
622 bt_addr_copy(&cp->bdaddr, bdaddr);
623 cp->reason = reason;
624 bt_hci_cmd_send_sync(BT_HCI_OP_IO_CAPABILITY_NEG_REPLY, resp_buf, NULL);
625 }
626
bt_hci_io_capa_resp(struct net_buf * buf)627 void bt_hci_io_capa_resp(struct net_buf *buf)
628 {
629 struct bt_hci_evt_io_capa_resp *evt = (void *)buf->data;
630 struct bt_conn *conn;
631
632 LOG_DBG("remote %s, IOcapa 0x%02x, auth 0x%02x", bt_addr_str(&evt->bdaddr), evt->capability,
633 evt->authentication);
634
635 if (evt->authentication > BT_HCI_GENERAL_BONDING_MITM) {
636 LOG_ERR("Invalid remote authentication requirements");
637 io_capa_neg_reply(&evt->bdaddr,
638 BT_HCI_ERR_UNSUPP_FEATURE_PARAM_VAL);
639 return;
640 }
641
642 if (evt->capability > BT_IO_NO_INPUT_OUTPUT) {
643 LOG_ERR("Invalid remote io capability requirements");
644 io_capa_neg_reply(&evt->bdaddr,
645 BT_HCI_ERR_UNSUPP_FEATURE_PARAM_VAL);
646 return;
647 }
648
649 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
650 if (!conn) {
651 LOG_ERR("Unable to find conn for %s", bt_addr_str(&evt->bdaddr));
652 return;
653 }
654
655 conn->br.remote_io_capa = evt->capability;
656 conn->br.remote_auth = evt->authentication;
657 atomic_set_bit(conn->flags, BT_CONN_BR_PAIRING);
658 bt_conn_unref(conn);
659 }
660
661 /* Clear Bonding flag */
662 #define BT_HCI_SET_NO_BONDING(auth) ((auth) & 0x01)
663
664 /* Clear MITM flag */
665 #define BT_HCI_SET_NO_MITM(auth) ((auth) & (~0x01))
666
bt_hci_io_capa_req(struct net_buf * buf)667 void bt_hci_io_capa_req(struct net_buf *buf)
668 {
669 struct bt_hci_evt_io_capa_req *evt = (void *)buf->data;
670 struct net_buf *resp_buf;
671 struct bt_conn *conn;
672 struct bt_hci_cp_io_capability_reply *cp;
673 uint8_t auth;
674
675 LOG_DBG("");
676
677 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
678 if (!conn) {
679 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
680 return;
681 }
682
683 #if defined(CONFIG_BT_SMP_APP_PAIRING_ACCEPT)
684 if (bt_auth && bt_auth->pairing_accept) {
685 enum bt_security_err err;
686
687 err = bt_auth->pairing_accept(conn, NULL);
688 if (err != BT_SECURITY_ERR_SUCCESS) {
689 io_capa_neg_reply(&evt->bdaddr, BT_HCI_ERR_PAIRING_NOT_ALLOWED);
690 bt_conn_unref(conn);
691 return;
692 }
693 }
694 #endif
695
696 /*
697 * Set authentication requirements when acting as pairing initiator to
698 * 'dedicated bond' with MITM protection set if local IO capa
699 * potentially allows it, and for acceptor, based on local IO capa and
700 * remote's authentication set.
701 */
702 if (atomic_test_bit(conn->flags, BT_CONN_BR_PAIRING_INITIATOR)) {
703 if (get_io_capa() != BT_IO_NO_INPUT_OUTPUT) {
704 if (atomic_test_bit(conn->flags, BT_CONN_BR_GENERAL_BONDING)) {
705 auth = BT_HCI_GENERAL_BONDING_MITM;
706 } else {
707 auth = BT_HCI_DEDICATED_BONDING_MITM;
708 }
709 } else {
710 if (atomic_test_bit(conn->flags, BT_CONN_BR_GENERAL_BONDING)) {
711 auth = BT_HCI_GENERAL_BONDING;
712 } else {
713 auth = BT_HCI_DEDICATED_BONDING;
714 }
715 }
716
717 if (conn->required_sec_level < BT_SECURITY_L3) {
718 /* If security level less than L3, clear MITM flag. */
719 auth = BT_HCI_SET_NO_MITM(auth);
720 }
721 } else {
722 auth = ssp_get_auth(conn);
723
724 /*
725 * Core v6.0, Vol 3, Part C, Section 4.3.1 Non-bondable mode
726 * When a Bluetooth device is in non-bondable mode it shall not accept a
727 * pairing request that results in bonding. Devices in non-bondable mode
728 * may accept connections that do not request or require bonding.
729 *
730 * If the peer supports bonding mode, but the local is in non-bondable
731 * mode, it will send a negative response with error code
732 * `BT_HCI_ERR_PAIRING_NOT_ALLOWED`.
733 */
734 if (!atomic_test_bit(conn->flags, BT_CONN_BR_BONDABLE) &&
735 (conn->br.remote_auth > BT_HCI_NO_BONDING_MITM)) {
736 LOG_WRN("Invalid remote bonding requirements");
737 io_capa_neg_reply(&evt->bdaddr,
738 BT_HCI_ERR_PAIRING_NOT_ALLOWED);
739 bt_conn_unref(conn);
740 return;
741 }
742 }
743
744 if (!atomic_test_bit(conn->flags, BT_CONN_BR_BONDABLE)) {
745 /* If bondable is false, clear bonding flag. */
746 auth = BT_HCI_SET_NO_BONDING(auth);
747 }
748
749 resp_buf = bt_hci_cmd_create(BT_HCI_OP_IO_CAPABILITY_REPLY, sizeof(*cp));
750 if (!resp_buf) {
751 LOG_ERR("Out of command buffers");
752 bt_conn_unref(conn);
753 return;
754 }
755
756 cp = net_buf_add(resp_buf, sizeof(*cp));
757 bt_addr_copy(&cp->bdaddr, &evt->bdaddr);
758 cp->capability = get_io_capa();
759 cp->authentication = auth;
760 cp->oob_data = 0U;
761 bt_hci_cmd_send_sync(BT_HCI_OP_IO_CAPABILITY_REPLY, resp_buf, NULL);
762 bt_conn_unref(conn);
763 }
764
bt_hci_ssp_complete(struct net_buf * buf)765 void bt_hci_ssp_complete(struct net_buf *buf)
766 {
767 struct bt_hci_evt_ssp_complete *evt = (void *)buf->data;
768 struct bt_conn *conn;
769
770 LOG_DBG("status 0x%02x", evt->status);
771
772 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
773 if (!conn) {
774 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
775 return;
776 }
777
778 /* Mark no-bond so that link-key will be removed on disconnection */
779 if (ssp_get_auth(conn) < BT_HCI_DEDICATED_BONDING) {
780 atomic_set_bit(conn->flags, BT_CONN_BR_NOBOND);
781 }
782
783 ssp_pairing_complete(conn, bt_security_err_get(evt->status));
784 if (evt->status) {
785 bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
786 }
787
788 bt_conn_unref(conn);
789 }
790
bt_hci_user_confirm_req(struct net_buf * buf)791 void bt_hci_user_confirm_req(struct net_buf *buf)
792 {
793 struct bt_hci_evt_user_confirm_req *evt = (void *)buf->data;
794 struct bt_conn *conn;
795
796 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
797 if (!conn) {
798 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
799 return;
800 }
801
802 ssp_auth(conn, sys_le32_to_cpu(evt->passkey));
803 bt_conn_unref(conn);
804 }
805
bt_hci_user_passkey_notify(struct net_buf * buf)806 void bt_hci_user_passkey_notify(struct net_buf *buf)
807 {
808 struct bt_hci_evt_user_passkey_notify *evt = (void *)buf->data;
809 struct bt_conn *conn;
810
811 LOG_DBG("");
812
813 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
814 if (!conn) {
815 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
816 return;
817 }
818
819 ssp_auth(conn, sys_le32_to_cpu(evt->passkey));
820 bt_conn_unref(conn);
821 }
822
bt_hci_user_passkey_req(struct net_buf * buf)823 void bt_hci_user_passkey_req(struct net_buf *buf)
824 {
825 struct bt_hci_evt_user_passkey_req *evt = (void *)buf->data;
826 struct bt_conn *conn;
827
828 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
829 if (!conn) {
830 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
831 return;
832 }
833
834 ssp_auth(conn, 0);
835 bt_conn_unref(conn);
836 }
837
link_encr(const uint16_t handle)838 static void link_encr(const uint16_t handle)
839 {
840 struct bt_hci_cp_set_conn_encrypt *encr;
841 struct net_buf *buf;
842
843 LOG_DBG("");
844
845 buf = bt_hci_cmd_create(BT_HCI_OP_SET_CONN_ENCRYPT, sizeof(*encr));
846 if (!buf) {
847 LOG_ERR("Out of command buffers");
848 return;
849 }
850
851 encr = net_buf_add(buf, sizeof(*encr));
852 encr->handle = sys_cpu_to_le16(handle);
853 encr->encrypt = 0x01;
854
855 bt_hci_cmd_send_sync(BT_HCI_OP_SET_CONN_ENCRYPT, buf, NULL);
856 }
857
bt_hci_auth_complete(struct net_buf * buf)858 void bt_hci_auth_complete(struct net_buf *buf)
859 {
860 struct bt_hci_evt_auth_complete *evt = (void *)buf->data;
861 struct bt_conn *conn;
862 uint16_t handle = sys_le16_to_cpu(evt->handle);
863
864 LOG_DBG("status 0x%02x, handle %u", evt->status, handle);
865
866 conn = bt_conn_lookup_handle(handle, BT_CONN_TYPE_BR);
867 if (!conn) {
868 LOG_ERR("Can't find conn for handle %u", handle);
869 return;
870 }
871
872 if (evt->status) {
873 /*
874 * Inform layers above HCI about non-zero authentication
875 * status to make them able cleanup pending jobs.
876 */
877 bt_conn_security_changed(conn, evt->status,
878 bt_security_err_get(evt->status));
879 } else {
880 link_encr(handle);
881 }
882
883 bt_conn_unref(conn);
884 }
885
