1 /*
2 * Copyright (c) 2017 Nordic Semiconductor ASA
3 * Copyright (c) 2015 Intel Corporation
4 *
5 * SPDX-License-Identifier: Apache-2.0
6 */
7
8 #include <stdint.h>
9
10 #include <zephyr/sys/byteorder.h>
11
12 #include <zephyr/bluetooth/buf.h>
13 #include <zephyr/bluetooth/hci.h>
14 #include <zephyr/bluetooth/addr.h>
15
16 #include "common/bt_str.h"
17
18 #include "host/keys.h"
19
20 #include "host/hci_core.h"
21 #include "host/conn_internal.h"
22
23 #define LOG_LEVEL CONFIG_BT_HCI_CORE_LOG_LEVEL
24 #include <zephyr/logging/log.h>
25 LOG_MODULE_REGISTER(bt_ssp);
26
27 enum pairing_method {
28 LEGACY, /* Legacy (pre-SSP) pairing */
29 JUST_WORKS, /* JustWorks pairing */
30 PASSKEY_INPUT, /* Passkey Entry input */
31 PASSKEY_DISPLAY, /* Passkey Entry display */
32 PASSKEY_CONFIRM, /* Passkey confirm */
33 };
34
35 /* based on table 5.7, Core Spec 4.2, Vol.3 Part C, 5.2.2.6 */
36 static const uint8_t ssp_method[4 /* remote */][4 /* local */] = {
37 { JUST_WORKS, JUST_WORKS, PASSKEY_INPUT, JUST_WORKS },
38 { JUST_WORKS, PASSKEY_CONFIRM, PASSKEY_INPUT, JUST_WORKS },
39 { PASSKEY_DISPLAY, PASSKEY_DISPLAY, PASSKEY_INPUT, JUST_WORKS },
40 { JUST_WORKS, JUST_WORKS, JUST_WORKS, JUST_WORKS },
41 };
42
pin_code_neg_reply(const bt_addr_t * bdaddr)43 static int pin_code_neg_reply(const bt_addr_t *bdaddr)
44 {
45 struct bt_hci_cp_pin_code_neg_reply *cp;
46 struct net_buf *buf;
47
48 LOG_DBG("");
49
50 buf = bt_hci_cmd_create(BT_HCI_OP_PIN_CODE_NEG_REPLY, sizeof(*cp));
51 if (!buf) {
52 return -ENOBUFS;
53 }
54
55 cp = net_buf_add(buf, sizeof(*cp));
56 bt_addr_copy(&cp->bdaddr, bdaddr);
57
58 return bt_hci_cmd_send_sync(BT_HCI_OP_PIN_CODE_NEG_REPLY, buf, NULL);
59 }
60
pin_code_reply(struct bt_conn * conn,const char * pin,uint8_t len)61 static int pin_code_reply(struct bt_conn *conn, const char *pin, uint8_t len)
62 {
63 struct bt_hci_cp_pin_code_reply *cp;
64 struct net_buf *buf;
65
66 LOG_DBG("");
67
68 buf = bt_hci_cmd_create(BT_HCI_OP_PIN_CODE_REPLY, sizeof(*cp));
69 if (!buf) {
70 return -ENOBUFS;
71 }
72
73 cp = net_buf_add(buf, sizeof(*cp));
74
75 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
76 cp->pin_len = len;
77 strncpy((char *)cp->pin_code, pin, sizeof(cp->pin_code));
78
79 return bt_hci_cmd_send_sync(BT_HCI_OP_PIN_CODE_REPLY, buf, NULL);
80 }
81
bt_conn_auth_pincode_entry(struct bt_conn * conn,const char * pin)82 int bt_conn_auth_pincode_entry(struct bt_conn *conn, const char *pin)
83 {
84 size_t len;
85
86 if (!bt_auth) {
87 return -EINVAL;
88 }
89
90 if (conn->type != BT_CONN_TYPE_BR) {
91 return -EINVAL;
92 }
93
94 len = strlen(pin);
95 if (len > 16) {
96 return -EINVAL;
97 }
98
99 if (conn->required_sec_level == BT_SECURITY_L3 && len < 16) {
100 LOG_WRN("PIN code for %s is not 16 bytes wide", bt_addr_str(&conn->br.dst));
101 return -EPERM;
102 }
103
104 /* Allow user send entered PIN to remote, then reset user state. */
105 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
106 return -EPERM;
107 }
108
109 if (len == 16) {
110 atomic_set_bit(conn->flags, BT_CONN_BR_LEGACY_SECURE);
111 }
112
113 return pin_code_reply(conn, pin, len);
114 }
115
pin_code_req(struct bt_conn * conn)116 static void pin_code_req(struct bt_conn *conn)
117 {
118 if (bt_auth && bt_auth->pincode_entry) {
119 bool secure = false;
120
121 if (conn->required_sec_level == BT_SECURITY_L3) {
122 secure = true;
123 }
124
125 atomic_set_bit(conn->flags, BT_CONN_USER);
126 atomic_set_bit(conn->flags, BT_CONN_BR_PAIRING);
127 bt_auth->pincode_entry(conn, secure);
128 } else {
129 pin_code_neg_reply(&conn->br.dst);
130 }
131 }
132
get_io_capa(void)133 static uint8_t get_io_capa(void)
134 {
135 if (!bt_auth) {
136 return BT_IO_NO_INPUT_OUTPUT;
137 }
138
139 if (bt_auth->passkey_confirm && bt_auth->passkey_display) {
140 return BT_IO_DISPLAY_YESNO;
141 }
142
143 if (bt_auth->passkey_entry) {
144 return BT_IO_KEYBOARD_ONLY;
145 }
146
147 if (bt_auth->passkey_display) {
148 return BT_IO_DISPLAY_ONLY;
149 }
150
151 return BT_IO_NO_INPUT_OUTPUT;
152 }
153
ssp_pair_method(const struct bt_conn * conn)154 static uint8_t ssp_pair_method(const struct bt_conn *conn)
155 {
156 return ssp_method[conn->br.remote_io_capa][get_io_capa()];
157 }
158
ssp_get_auth(const struct bt_conn * conn)159 static uint8_t ssp_get_auth(const struct bt_conn *conn)
160 {
161 /* Validate no bond auth request, and if valid use it. */
162 if ((conn->br.remote_auth == BT_HCI_NO_BONDING) ||
163 ((conn->br.remote_auth == BT_HCI_NO_BONDING_MITM) &&
164 (ssp_pair_method(conn) > JUST_WORKS))) {
165 return conn->br.remote_auth;
166 }
167
168 /* Local & remote have enough IO capabilities to get MITM protection. */
169 if (ssp_pair_method(conn) > JUST_WORKS) {
170 return conn->br.remote_auth | BT_MITM;
171 }
172
173 /* No MITM protection possible so ignore remote MITM requirement. */
174 return (conn->br.remote_auth & ~BT_MITM);
175 }
176
ssp_confirm_reply(struct bt_conn * conn)177 static int ssp_confirm_reply(struct bt_conn *conn)
178 {
179 struct bt_hci_cp_user_confirm_reply *cp;
180 struct net_buf *buf;
181
182 LOG_DBG("");
183
184 buf = bt_hci_cmd_create(BT_HCI_OP_USER_CONFIRM_REPLY, sizeof(*cp));
185 if (!buf) {
186 return -ENOBUFS;
187 }
188
189 cp = net_buf_add(buf, sizeof(*cp));
190 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
191
192 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_CONFIRM_REPLY, buf, NULL);
193 }
194
ssp_confirm_neg_reply(struct bt_conn * conn)195 static int ssp_confirm_neg_reply(struct bt_conn *conn)
196 {
197 struct bt_hci_cp_user_confirm_reply *cp;
198 struct net_buf *buf;
199
200 LOG_DBG("");
201
202 buf = bt_hci_cmd_create(BT_HCI_OP_USER_CONFIRM_NEG_REPLY, sizeof(*cp));
203 if (!buf) {
204 return -ENOBUFS;
205 }
206
207 cp = net_buf_add(buf, sizeof(*cp));
208 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
209
210 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_CONFIRM_NEG_REPLY, buf,
211 NULL);
212 }
213
ssp_pairing_complete(struct bt_conn * conn,uint8_t status)214 static void ssp_pairing_complete(struct bt_conn *conn, uint8_t status)
215 {
216 /* When the ssp pairing complete event notified,
217 * clear the pairing flag.
218 */
219 atomic_clear_bit(conn->flags, BT_CONN_BR_PAIRING);
220 atomic_set_bit_to(conn->flags, BT_CONN_BR_PAIRED, !status);
221
222 LOG_DBG("Pairing completed status %d", status);
223
224 if (!status) {
225 bool bond = !atomic_test_bit(conn->flags, BT_CONN_BR_NOBOND);
226 struct bt_conn_auth_info_cb *listener, *next;
227
228 SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&bt_auth_info_cbs, listener,
229 next, node) {
230 if (listener->pairing_complete) {
231 listener->pairing_complete(conn, bond);
232 }
233 }
234 } else {
235 struct bt_conn_auth_info_cb *listener, *next;
236
237 SYS_SLIST_FOR_EACH_CONTAINER_SAFE(&bt_auth_info_cbs, listener,
238 next, node) {
239 if (listener->pairing_failed) {
240 listener->pairing_failed(conn, status);
241 }
242 }
243 }
244 }
245
ssp_auth(struct bt_conn * conn,uint32_t passkey)246 static void ssp_auth(struct bt_conn *conn, uint32_t passkey)
247 {
248 conn->br.pairing_method = ssp_pair_method(conn);
249
250 /*
251 * If local required security is HIGH then MITM is mandatory.
252 * MITM protection is no achievable when SSP 'justworks' is applied.
253 */
254 if (conn->required_sec_level > BT_SECURITY_L2 &&
255 conn->br.pairing_method == JUST_WORKS) {
256 LOG_DBG("MITM protection infeasible for required security");
257 ssp_confirm_neg_reply(conn);
258 return;
259 }
260
261 switch (conn->br.pairing_method) {
262 case PASSKEY_CONFIRM:
263 atomic_set_bit(conn->flags, BT_CONN_USER);
264 bt_auth->passkey_confirm(conn, passkey);
265 break;
266 case PASSKEY_DISPLAY:
267 atomic_set_bit(conn->flags, BT_CONN_USER);
268 bt_auth->passkey_display(conn, passkey);
269 break;
270 case PASSKEY_INPUT:
271 atomic_set_bit(conn->flags, BT_CONN_USER);
272 bt_auth->passkey_entry(conn);
273 break;
274 case JUST_WORKS:
275 /*
276 * When local host works as pairing acceptor and 'justworks'
277 * model is applied then notify user about such pairing request.
278 * [BT Core 4.2 table 5.7, Vol 3, Part C, 5.2.2.6]
279 */
280 if (bt_auth && bt_auth->pairing_confirm &&
281 !atomic_test_bit(conn->flags,
282 BT_CONN_BR_PAIRING_INITIATOR)) {
283 atomic_set_bit(conn->flags, BT_CONN_USER);
284 bt_auth->pairing_confirm(conn);
285 break;
286 }
287 ssp_confirm_reply(conn);
288 break;
289 default:
290 break;
291 }
292 }
293
ssp_passkey_reply(struct bt_conn * conn,unsigned int passkey)294 static int ssp_passkey_reply(struct bt_conn *conn, unsigned int passkey)
295 {
296 struct bt_hci_cp_user_passkey_reply *cp;
297 struct net_buf *buf;
298
299 LOG_DBG("");
300
301 buf = bt_hci_cmd_create(BT_HCI_OP_USER_PASSKEY_REPLY, sizeof(*cp));
302 if (!buf) {
303 return -ENOBUFS;
304 }
305
306 cp = net_buf_add(buf, sizeof(*cp));
307 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
308 cp->passkey = sys_cpu_to_le32(passkey);
309
310 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_PASSKEY_REPLY, buf, NULL);
311 }
312
ssp_passkey_neg_reply(struct bt_conn * conn)313 static int ssp_passkey_neg_reply(struct bt_conn *conn)
314 {
315 struct bt_hci_cp_user_passkey_neg_reply *cp;
316 struct net_buf *buf;
317
318 LOG_DBG("");
319
320 buf = bt_hci_cmd_create(BT_HCI_OP_USER_PASSKEY_NEG_REPLY, sizeof(*cp));
321 if (!buf) {
322 return -ENOBUFS;
323 }
324
325 cp = net_buf_add(buf, sizeof(*cp));
326 bt_addr_copy(&cp->bdaddr, &conn->br.dst);
327
328 return bt_hci_cmd_send_sync(BT_HCI_OP_USER_PASSKEY_NEG_REPLY, buf,
329 NULL);
330 }
331
conn_auth(struct bt_conn * conn)332 static int conn_auth(struct bt_conn *conn)
333 {
334 struct bt_hci_cp_auth_requested *auth;
335 struct net_buf *buf;
336
337 LOG_DBG("");
338
339 buf = bt_hci_cmd_create(BT_HCI_OP_AUTH_REQUESTED, sizeof(*auth));
340 if (!buf) {
341 return -ENOBUFS;
342 }
343
344 auth = net_buf_add(buf, sizeof(*auth));
345 auth->handle = sys_cpu_to_le16(conn->handle);
346
347 atomic_set_bit(conn->flags, BT_CONN_BR_PAIRING_INITIATOR);
348
349 return bt_hci_cmd_send_sync(BT_HCI_OP_AUTH_REQUESTED, buf, NULL);
350 }
351
bt_ssp_start_security(struct bt_conn * conn)352 int bt_ssp_start_security(struct bt_conn *conn)
353 {
354 if (atomic_test_bit(conn->flags, BT_CONN_BR_PAIRING)) {
355 return -EBUSY;
356 }
357
358 if (get_io_capa() == BT_IO_NO_INPUT_OUTPUT &&
359 conn->required_sec_level > BT_SECURITY_L2) {
360 return -EINVAL;
361 }
362
363 return conn_auth(conn);
364 }
365
bt_ssp_auth_passkey_entry(struct bt_conn * conn,unsigned int passkey)366 int bt_ssp_auth_passkey_entry(struct bt_conn *conn, unsigned int passkey)
367 {
368 /* User entered passkey, reset user state. */
369 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
370 return -EPERM;
371 }
372
373 if (conn->br.pairing_method == PASSKEY_INPUT) {
374 return ssp_passkey_reply(conn, passkey);
375 }
376
377 return -EINVAL;
378 }
379
bt_ssp_auth_passkey_confirm(struct bt_conn * conn)380 int bt_ssp_auth_passkey_confirm(struct bt_conn *conn)
381 {
382 /* Allow user confirm passkey value, then reset user state. */
383 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
384 return -EPERM;
385 }
386
387 return ssp_confirm_reply(conn);
388 }
389
bt_ssp_auth_pairing_confirm(struct bt_conn * conn)390 int bt_ssp_auth_pairing_confirm(struct bt_conn *conn)
391 {
392 return ssp_confirm_reply(conn);
393 }
394
bt_ssp_auth_cancel(struct bt_conn * conn)395 int bt_ssp_auth_cancel(struct bt_conn *conn)
396 {
397 /* Allow user cancel authentication, then reset user state. */
398 if (!atomic_test_and_clear_bit(conn->flags, BT_CONN_USER)) {
399 return -EPERM;
400 }
401
402 switch (conn->br.pairing_method) {
403 case JUST_WORKS:
404 case PASSKEY_CONFIRM:
405 return ssp_confirm_neg_reply(conn);
406 case PASSKEY_INPUT:
407 return ssp_passkey_neg_reply(conn);
408 case PASSKEY_DISPLAY:
409 return bt_conn_disconnect(conn,
410 BT_HCI_ERR_AUTH_FAIL);
411 case LEGACY:
412 return pin_code_neg_reply(&conn->br.dst);
413 default:
414 break;
415 }
416
417 return -EINVAL;
418 }
419
bt_hci_pin_code_req(struct net_buf * buf)420 void bt_hci_pin_code_req(struct net_buf *buf)
421 {
422 struct bt_hci_evt_pin_code_req *evt = (void *)buf->data;
423 struct bt_conn *conn;
424
425 LOG_DBG("");
426
427 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
428 if (!conn) {
429 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
430 return;
431 }
432
433 pin_code_req(conn);
434 bt_conn_unref(conn);
435 }
436
bt_hci_link_key_notify(struct net_buf * buf)437 void bt_hci_link_key_notify(struct net_buf *buf)
438 {
439 struct bt_hci_evt_link_key_notify *evt = (void *)buf->data;
440 struct bt_conn *conn;
441
442 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
443 if (!conn) {
444 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
445 return;
446 }
447
448 LOG_DBG("%s, link type 0x%02x", bt_addr_str(&evt->bdaddr), evt->key_type);
449
450 if (IS_ENABLED(CONFIG_BT_SMP_SC_ONLY) && (evt->key_type != BT_LK_AUTH_COMBINATION_P256)) {
451 /*
452 * When in Secure Connections Only mode, all services
453 * (except those allowed to have Security Mode 4, Level 0)
454 * available on the BR/EDR physical transport require Security
455 * Mode 4, Level 4.
456 * Link key type should be P-256 based Secure Simple Pairing
457 * and Secure Authentication.
458 */
459 LOG_WRN("For SC only mode, link key type should be %d",
460 BT_LK_AUTH_COMBINATION_P256);
461 ssp_pairing_complete(conn, bt_security_err_get(BT_HCI_ERR_AUTH_FAIL));
462 bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
463 bt_conn_unref(conn);
464 return;
465 }
466
467 if (!conn->br.link_key) {
468 conn->br.link_key = bt_keys_get_link_key(&evt->bdaddr);
469 }
470 if (!conn->br.link_key) {
471 LOG_ERR("Can't update keys for %s", bt_addr_str(&evt->bdaddr));
472 bt_conn_unref(conn);
473 return;
474 }
475
476 /* clear any old Link Key flags */
477 conn->br.link_key->flags = 0U;
478
479 switch (evt->key_type) {
480 case BT_LK_COMBINATION:
481 /*
482 * Setting Combination Link Key as AUTHENTICATED means it was
483 * successfully generated by 16 digits wide PIN code.
484 */
485 if (atomic_test_and_clear_bit(conn->flags,
486 BT_CONN_BR_LEGACY_SECURE)) {
487 conn->br.link_key->flags |= BT_LINK_KEY_AUTHENTICATED;
488 }
489 memcpy(conn->br.link_key->val, evt->link_key, 16);
490 break;
491 case BT_LK_AUTH_COMBINATION_P192:
492 conn->br.link_key->flags |= BT_LINK_KEY_AUTHENTICATED;
493 __fallthrough;
494 case BT_LK_UNAUTH_COMBINATION_P192:
495 memcpy(conn->br.link_key->val, evt->link_key, 16);
496 break;
497 case BT_LK_AUTH_COMBINATION_P256:
498 conn->br.link_key->flags |= BT_LINK_KEY_AUTHENTICATED;
499 __fallthrough;
500 case BT_LK_UNAUTH_COMBINATION_P256:
501 conn->br.link_key->flags |= BT_LINK_KEY_SC;
502
503 memcpy(conn->br.link_key->val, evt->link_key, 16);
504 break;
505 default:
506 LOG_WRN("Unsupported Link Key type %u", evt->key_type);
507 (void)memset(conn->br.link_key->val, 0,
508 sizeof(conn->br.link_key->val));
509 break;
510 }
511
512 if (IS_ENABLED(CONFIG_BT_SETTINGS) &&
513 !atomic_test_bit(conn->flags, BT_CONN_BR_NOBOND)) {
514 bt_keys_link_key_store(conn->br.link_key);
515 }
516
517 bt_conn_unref(conn);
518 }
519
link_key_neg_reply(const bt_addr_t * bdaddr)520 void link_key_neg_reply(const bt_addr_t *bdaddr)
521 {
522 struct bt_hci_cp_link_key_neg_reply *cp;
523 struct net_buf *buf;
524
525 LOG_DBG("");
526
527 buf = bt_hci_cmd_create(BT_HCI_OP_LINK_KEY_NEG_REPLY, sizeof(*cp));
528 if (!buf) {
529 LOG_ERR("Out of command buffers");
530 return;
531 }
532
533 cp = net_buf_add(buf, sizeof(*cp));
534 bt_addr_copy(&cp->bdaddr, bdaddr);
535 bt_hci_cmd_send_sync(BT_HCI_OP_LINK_KEY_NEG_REPLY, buf, NULL);
536 }
537
link_key_reply(const bt_addr_t * bdaddr,const uint8_t * lk)538 void link_key_reply(const bt_addr_t *bdaddr, const uint8_t *lk)
539 {
540 struct bt_hci_cp_link_key_reply *cp;
541 struct net_buf *buf;
542
543 LOG_DBG("");
544
545 buf = bt_hci_cmd_create(BT_HCI_OP_LINK_KEY_REPLY, sizeof(*cp));
546 if (!buf) {
547 LOG_ERR("Out of command buffers");
548 return;
549 }
550
551 cp = net_buf_add(buf, sizeof(*cp));
552 bt_addr_copy(&cp->bdaddr, bdaddr);
553 memcpy(cp->link_key, lk, 16);
554 bt_hci_cmd_send_sync(BT_HCI_OP_LINK_KEY_REPLY, buf, NULL);
555 }
556
bt_hci_link_key_req(struct net_buf * buf)557 void bt_hci_link_key_req(struct net_buf *buf)
558 {
559 struct bt_hci_evt_link_key_req *evt = (void *)buf->data;
560 struct bt_conn *conn;
561
562 LOG_DBG("%s", bt_addr_str(&evt->bdaddr));
563
564 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
565 if (!conn) {
566 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
567 link_key_neg_reply(&evt->bdaddr);
568 return;
569 }
570
571 if (!conn->br.link_key) {
572 conn->br.link_key = bt_keys_find_link_key(&evt->bdaddr);
573 }
574
575 if (!conn->br.link_key) {
576 link_key_neg_reply(&evt->bdaddr);
577 bt_conn_unref(conn);
578 return;
579 }
580
581 /*
582 * Enforce regenerate by controller stronger link key since found one
583 * in database not covers requested security level.
584 */
585 if (!(conn->br.link_key->flags & BT_LINK_KEY_AUTHENTICATED) &&
586 conn->required_sec_level > BT_SECURITY_L2) {
587 link_key_neg_reply(&evt->bdaddr);
588 bt_conn_unref(conn);
589 return;
590 }
591
592 link_key_reply(&evt->bdaddr, conn->br.link_key->val);
593 bt_conn_unref(conn);
594 }
595
io_capa_neg_reply(const bt_addr_t * bdaddr,const uint8_t reason)596 void io_capa_neg_reply(const bt_addr_t *bdaddr, const uint8_t reason)
597 {
598 struct bt_hci_cp_io_capability_neg_reply *cp;
599 struct net_buf *resp_buf;
600
601 resp_buf = bt_hci_cmd_create(BT_HCI_OP_IO_CAPABILITY_NEG_REPLY,
602 sizeof(*cp));
603 if (!resp_buf) {
604 LOG_ERR("Out of command buffers");
605 return;
606 }
607
608 cp = net_buf_add(resp_buf, sizeof(*cp));
609 bt_addr_copy(&cp->bdaddr, bdaddr);
610 cp->reason = reason;
611 bt_hci_cmd_send_sync(BT_HCI_OP_IO_CAPABILITY_NEG_REPLY, resp_buf, NULL);
612 }
613
bt_hci_io_capa_resp(struct net_buf * buf)614 void bt_hci_io_capa_resp(struct net_buf *buf)
615 {
616 struct bt_hci_evt_io_capa_resp *evt = (void *)buf->data;
617 struct bt_conn *conn;
618
619 LOG_DBG("remote %s, IOcapa 0x%02x, auth 0x%02x", bt_addr_str(&evt->bdaddr), evt->capability,
620 evt->authentication);
621
622 if (evt->authentication > BT_HCI_GENERAL_BONDING_MITM) {
623 LOG_ERR("Invalid remote authentication requirements");
624 io_capa_neg_reply(&evt->bdaddr,
625 BT_HCI_ERR_UNSUPP_FEATURE_PARAM_VAL);
626 return;
627 }
628
629 if (evt->capability > BT_IO_NO_INPUT_OUTPUT) {
630 LOG_ERR("Invalid remote io capability requirements");
631 io_capa_neg_reply(&evt->bdaddr,
632 BT_HCI_ERR_UNSUPP_FEATURE_PARAM_VAL);
633 return;
634 }
635
636 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
637 if (!conn) {
638 LOG_ERR("Unable to find conn for %s", bt_addr_str(&evt->bdaddr));
639 return;
640 }
641
642 conn->br.remote_io_capa = evt->capability;
643 conn->br.remote_auth = evt->authentication;
644 atomic_set_bit(conn->flags, BT_CONN_BR_PAIRING);
645 bt_conn_unref(conn);
646 }
647
648 /* Clear Bonding flag */
649 #define BT_HCI_SET_NO_BONDING(auth) ((auth) & 0x01)
650
651 /* Clear MITM flag */
652 #define BT_HCI_SET_NO_MITM(auth) ((auth) & (~0x01))
653
bt_hci_io_capa_req(struct net_buf * buf)654 void bt_hci_io_capa_req(struct net_buf *buf)
655 {
656 struct bt_hci_evt_io_capa_req *evt = (void *)buf->data;
657 struct net_buf *resp_buf;
658 struct bt_conn *conn;
659 struct bt_hci_cp_io_capability_reply *cp;
660 uint8_t auth;
661
662 LOG_DBG("");
663
664 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
665 if (!conn) {
666 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
667 return;
668 }
669
670 #if defined(CONFIG_BT_SMP_APP_PAIRING_ACCEPT)
671 if (bt_auth && bt_auth->pairing_accept) {
672 enum bt_security_err err;
673
674 err = bt_auth->pairing_accept(conn, NULL);
675 if (err != BT_SECURITY_ERR_SUCCESS) {
676 io_capa_neg_reply(&evt->bdaddr,
677 BT_HCI_ERR_PAIRING_NOT_ALLOWED);
678 return;
679 }
680 }
681 #endif
682
683 resp_buf = bt_hci_cmd_create(BT_HCI_OP_IO_CAPABILITY_REPLY,
684 sizeof(*cp));
685 if (!resp_buf) {
686 LOG_ERR("Out of command buffers");
687 bt_conn_unref(conn);
688 return;
689 }
690
691 /*
692 * Set authentication requirements when acting as pairing initiator to
693 * 'dedicated bond' with MITM protection set if local IO capa
694 * potentially allows it, and for acceptor, based on local IO capa and
695 * remote's authentication set.
696 */
697 if (atomic_test_bit(conn->flags, BT_CONN_BR_PAIRING_INITIATOR)) {
698 if (get_io_capa() != BT_IO_NO_INPUT_OUTPUT) {
699 if (atomic_test_bit(conn->flags, BT_CONN_BR_GENERAL_BONDING)) {
700 auth = BT_HCI_GENERAL_BONDING_MITM;
701 } else {
702 auth = BT_HCI_DEDICATED_BONDING_MITM;
703 }
704 } else {
705 if (atomic_test_bit(conn->flags, BT_CONN_BR_GENERAL_BONDING)) {
706 auth = BT_HCI_GENERAL_BONDING;
707 } else {
708 auth = BT_HCI_DEDICATED_BONDING;
709 }
710 }
711
712 if (conn->required_sec_level < BT_SECURITY_L3) {
713 /* If security level less than L3, clear MITM flag. */
714 auth = BT_HCI_SET_NO_MITM(auth);
715 }
716 } else {
717 auth = ssp_get_auth(conn);
718 }
719
720 if (!atomic_test_bit(conn->flags, BT_CONN_BR_BONDABLE)) {
721 /* If bondable is false, clear bonding flag. */
722 auth = BT_HCI_SET_NO_BONDING(auth);
723 }
724
725 cp = net_buf_add(resp_buf, sizeof(*cp));
726 bt_addr_copy(&cp->bdaddr, &evt->bdaddr);
727 cp->capability = get_io_capa();
728 cp->authentication = auth;
729 cp->oob_data = 0U;
730 bt_hci_cmd_send_sync(BT_HCI_OP_IO_CAPABILITY_REPLY, resp_buf, NULL);
731 bt_conn_unref(conn);
732 }
733
bt_hci_ssp_complete(struct net_buf * buf)734 void bt_hci_ssp_complete(struct net_buf *buf)
735 {
736 struct bt_hci_evt_ssp_complete *evt = (void *)buf->data;
737 struct bt_conn *conn;
738
739 LOG_DBG("status 0x%02x", evt->status);
740
741 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
742 if (!conn) {
743 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
744 return;
745 }
746
747 /* Mark no-bond so that link-key will be removed on disconnection */
748 if (ssp_get_auth(conn) < BT_HCI_DEDICATED_BONDING) {
749 atomic_set_bit(conn->flags, BT_CONN_BR_NOBOND);
750 }
751
752 ssp_pairing_complete(conn, bt_security_err_get(evt->status));
753 if (evt->status) {
754 bt_conn_disconnect(conn, BT_HCI_ERR_AUTH_FAIL);
755 }
756
757 bt_conn_unref(conn);
758 }
759
bt_hci_user_confirm_req(struct net_buf * buf)760 void bt_hci_user_confirm_req(struct net_buf *buf)
761 {
762 struct bt_hci_evt_user_confirm_req *evt = (void *)buf->data;
763 struct bt_conn *conn;
764
765 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
766 if (!conn) {
767 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
768 return;
769 }
770
771 ssp_auth(conn, sys_le32_to_cpu(evt->passkey));
772 bt_conn_unref(conn);
773 }
774
bt_hci_user_passkey_notify(struct net_buf * buf)775 void bt_hci_user_passkey_notify(struct net_buf *buf)
776 {
777 struct bt_hci_evt_user_passkey_notify *evt = (void *)buf->data;
778 struct bt_conn *conn;
779
780 LOG_DBG("");
781
782 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
783 if (!conn) {
784 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
785 return;
786 }
787
788 ssp_auth(conn, sys_le32_to_cpu(evt->passkey));
789 bt_conn_unref(conn);
790 }
791
bt_hci_user_passkey_req(struct net_buf * buf)792 void bt_hci_user_passkey_req(struct net_buf *buf)
793 {
794 struct bt_hci_evt_user_passkey_req *evt = (void *)buf->data;
795 struct bt_conn *conn;
796
797 conn = bt_conn_lookup_addr_br(&evt->bdaddr);
798 if (!conn) {
799 LOG_ERR("Can't find conn for %s", bt_addr_str(&evt->bdaddr));
800 return;
801 }
802
803 ssp_auth(conn, 0);
804 bt_conn_unref(conn);
805 }
806
link_encr(const uint16_t handle)807 static void link_encr(const uint16_t handle)
808 {
809 struct bt_hci_cp_set_conn_encrypt *encr;
810 struct net_buf *buf;
811
812 LOG_DBG("");
813
814 buf = bt_hci_cmd_create(BT_HCI_OP_SET_CONN_ENCRYPT, sizeof(*encr));
815 if (!buf) {
816 LOG_ERR("Out of command buffers");
817 return;
818 }
819
820 encr = net_buf_add(buf, sizeof(*encr));
821 encr->handle = sys_cpu_to_le16(handle);
822 encr->encrypt = 0x01;
823
824 bt_hci_cmd_send_sync(BT_HCI_OP_SET_CONN_ENCRYPT, buf, NULL);
825 }
826
bt_hci_auth_complete(struct net_buf * buf)827 void bt_hci_auth_complete(struct net_buf *buf)
828 {
829 struct bt_hci_evt_auth_complete *evt = (void *)buf->data;
830 struct bt_conn *conn;
831 uint16_t handle = sys_le16_to_cpu(evt->handle);
832
833 LOG_DBG("status 0x%02x, handle %u", evt->status, handle);
834
835 conn = bt_conn_lookup_handle(handle, BT_CONN_TYPE_BR);
836 if (!conn) {
837 LOG_ERR("Can't find conn for handle %u", handle);
838 return;
839 }
840
841 if (evt->status) {
842 /*
843 * Inform layers above HCI about non-zero authentication
844 * status to make them able cleanup pending jobs.
845 */
846 bt_conn_security_changed(conn, evt->status,
847 bt_security_err_get(evt->status));
848 } else {
849 link_encr(handle);
850 }
851
852 bt_conn_unref(conn);
853 }
854
