diff options
| author | Brian Gix <bgix@codeaurora.org> | 2011-12-21 19:12:12 -0500 |
|---|---|---|
| committer | Gustavo F. Padovan <padovan@profusion.mobi> | 2011-12-22 11:18:59 -0500 |
| commit | 2b64d153a0cc9d2b60e47be013cde8490f16e0a5 (patch) | |
| tree | ea075313e9f03379ee1313ca230b07dadd937dad /net/bluetooth | |
| parent | 371fd83563252f550ce59476a7366d0b5171d316 (diff) | |
Bluetooth: Add MITM mechanism to LE-SMP
To achive Man-In-The-Middle (MITM) level security with Low Energy,
we have to enable User Passkey Comparison. This commit modifies the
hard-coded JUST-WORKS pairing mechanism to support query via the MGMT
interface of Passkey comparison and User Confirmation.
Signed-off-by: Brian Gix <bgix@codeaurora.org>
Acked-by: Marcel Holtmann<marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Diffstat (limited to 'net/bluetooth')
| -rw-r--r-- | net/bluetooth/smp.c | 226 |
1 files changed, 204 insertions, 22 deletions
diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 0ee2905a6179..9fea4bfd0eb5 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c | |||
| @@ -23,6 +23,7 @@ | |||
| 23 | #include <net/bluetooth/bluetooth.h> | 23 | #include <net/bluetooth/bluetooth.h> |
| 24 | #include <net/bluetooth/hci_core.h> | 24 | #include <net/bluetooth/hci_core.h> |
| 25 | #include <net/bluetooth/l2cap.h> | 25 | #include <net/bluetooth/l2cap.h> |
| 26 | #include <net/bluetooth/mgmt.h> | ||
| 26 | #include <net/bluetooth/smp.h> | 27 | #include <net/bluetooth/smp.h> |
| 27 | #include <linux/crypto.h> | 28 | #include <linux/crypto.h> |
| 28 | #include <linux/scatterlist.h> | 29 | #include <linux/scatterlist.h> |
| @@ -189,24 +190,45 @@ static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) | |||
| 189 | msecs_to_jiffies(SMP_TIMEOUT)); | 190 | msecs_to_jiffies(SMP_TIMEOUT)); |
| 190 | } | 191 | } |
| 191 | 192 | ||
| 193 | static __u8 authreq_to_seclevel(__u8 authreq) | ||
| 194 | { | ||
| 195 | if (authreq & SMP_AUTH_MITM) | ||
| 196 | return BT_SECURITY_HIGH; | ||
| 197 | else | ||
| 198 | return BT_SECURITY_MEDIUM; | ||
| 199 | } | ||
| 200 | |||
| 201 | static __u8 seclevel_to_authreq(__u8 sec_level) | ||
| 202 | { | ||
| 203 | switch (sec_level) { | ||
| 204 | case BT_SECURITY_HIGH: | ||
| 205 | return SMP_AUTH_MITM | SMP_AUTH_BONDING; | ||
| 206 | case BT_SECURITY_MEDIUM: | ||
| 207 | return SMP_AUTH_BONDING; | ||
| 208 | default: | ||
| 209 | return SMP_AUTH_NONE; | ||
| 210 | } | ||
| 211 | } | ||
| 212 | |||
| 192 | static void build_pairing_cmd(struct l2cap_conn *conn, | 213 | static void build_pairing_cmd(struct l2cap_conn *conn, |
| 193 | struct smp_cmd_pairing *req, | 214 | struct smp_cmd_pairing *req, |
| 194 | struct smp_cmd_pairing *rsp, | 215 | struct smp_cmd_pairing *rsp, |
| 195 | __u8 authreq) | 216 | __u8 authreq) |
| 196 | { | 217 | { |
| 197 | u8 dist_keys; | 218 | u8 dist_keys = 0; |
| 198 | 219 | ||
| 199 | dist_keys = 0; | ||
| 200 | if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) { | 220 | if (test_bit(HCI_PAIRABLE, &conn->hcon->hdev->flags)) { |
| 201 | dist_keys = SMP_DIST_ENC_KEY; | 221 | dist_keys = SMP_DIST_ENC_KEY; |
| 202 | authreq |= SMP_AUTH_BONDING; | 222 | authreq |= SMP_AUTH_BONDING; |
| 223 | } else { | ||
| 224 | authreq &= ~SMP_AUTH_BONDING; | ||
| 203 | } | 225 | } |
| 204 | 226 | ||
| 205 | if (rsp == NULL) { | 227 | if (rsp == NULL) { |
| 206 | req->io_capability = conn->hcon->io_capability; | 228 | req->io_capability = conn->hcon->io_capability; |
| 207 | req->oob_flag = SMP_OOB_NOT_PRESENT; | 229 | req->oob_flag = SMP_OOB_NOT_PRESENT; |
| 208 | req->max_key_size = SMP_MAX_ENC_KEY_SIZE; | 230 | req->max_key_size = SMP_MAX_ENC_KEY_SIZE; |
| 209 | req->init_key_dist = dist_keys; | 231 | req->init_key_dist = 0; |
| 210 | req->resp_key_dist = dist_keys; | 232 | req->resp_key_dist = dist_keys; |
| 211 | req->auth_req = authreq; | 233 | req->auth_req = authreq; |
| 212 | return; | 234 | return; |
| @@ -215,7 +237,7 @@ static void build_pairing_cmd(struct l2cap_conn *conn, | |||
| 215 | rsp->io_capability = conn->hcon->io_capability; | 237 | rsp->io_capability = conn->hcon->io_capability; |
| 216 | rsp->oob_flag = SMP_OOB_NOT_PRESENT; | 238 | rsp->oob_flag = SMP_OOB_NOT_PRESENT; |
| 217 | rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; | 239 | rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; |
| 218 | rsp->init_key_dist = req->init_key_dist & dist_keys; | 240 | rsp->init_key_dist = 0; |
| 219 | rsp->resp_key_dist = req->resp_key_dist & dist_keys; | 241 | rsp->resp_key_dist = req->resp_key_dist & dist_keys; |
| 220 | rsp->auth_req = authreq; | 242 | rsp->auth_req = authreq; |
| 221 | } | 243 | } |
| @@ -245,6 +267,95 @@ static void smp_failure(struct l2cap_conn *conn, u8 reason, u8 send) | |||
| 245 | smp_chan_destroy(conn); | 267 | smp_chan_destroy(conn); |
| 246 | } | 268 | } |
| 247 | 269 | ||
| 270 | #define JUST_WORKS 0x00 | ||
| 271 | #define JUST_CFM 0x01 | ||
| 272 | #define REQ_PASSKEY 0x02 | ||
| 273 | #define CFM_PASSKEY 0x03 | ||
| 274 | #define REQ_OOB 0x04 | ||
| 275 | #define OVERLAP 0xFF | ||
| 276 | |||
| 277 | static const u8 gen_method[5][5] = { | ||
| 278 | { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, | ||
| 279 | { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, | ||
| 280 | { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, | ||
| 281 | { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, | ||
| 282 | { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, | ||
| 283 | }; | ||
| 284 | |||
| 285 | static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, | ||
| 286 | u8 local_io, u8 remote_io) | ||
| 287 | { | ||
| 288 | struct hci_conn *hcon = conn->hcon; | ||
| 289 | struct smp_chan *smp = conn->smp_chan; | ||
| 290 | u8 method; | ||
| 291 | u32 passkey = 0; | ||
| 292 | int ret = 0; | ||
| 293 | |||
| 294 | /* Initialize key for JUST WORKS */ | ||
| 295 | memset(smp->tk, 0, sizeof(smp->tk)); | ||
| 296 | clear_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); | ||
| 297 | |||
| 298 | BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); | ||
| 299 | |||
| 300 | /* If neither side wants MITM, use JUST WORKS */ | ||
| 301 | /* If either side has unknown io_caps, use JUST WORKS */ | ||
| 302 | /* Otherwise, look up method from the table */ | ||
| 303 | if (!(auth & SMP_AUTH_MITM) || | ||
| 304 | local_io > SMP_IO_KEYBOARD_DISPLAY || | ||
| 305 | remote_io > SMP_IO_KEYBOARD_DISPLAY) | ||
| 306 | method = JUST_WORKS; | ||
| 307 | else | ||
| 308 | method = gen_method[local_io][remote_io]; | ||
| 309 | |||
| 310 | /* If not bonding, don't ask user to confirm a Zero TK */ | ||
| 311 | if (!(auth & SMP_AUTH_BONDING) && method == JUST_CFM) | ||
| 312 | method = JUST_WORKS; | ||
| 313 | |||
| 314 | /* If Just Works, Continue with Zero TK */ | ||
| 315 | if (method == JUST_WORKS) { | ||
| 316 | set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); | ||
| 317 | return 0; | ||
| 318 | } | ||
| 319 | |||
| 320 | /* Not Just Works/Confirm results in MITM Authentication */ | ||
| 321 | if (method != JUST_CFM) | ||
| 322 | set_bit(SMP_FLAG_MITM_AUTH, &smp->smp_flags); | ||
| 323 | |||
| 324 | /* If both devices have Keyoard-Display I/O, the master | ||
| 325 | * Confirms and the slave Enters the passkey. | ||
| 326 | */ | ||
| 327 | if (method == OVERLAP) { | ||
| 328 | if (hcon->link_mode & HCI_LM_MASTER) | ||
| 329 | method = CFM_PASSKEY; | ||
| 330 | else | ||
| 331 | method = REQ_PASSKEY; | ||
| 332 | } | ||
| 333 | |||
| 334 | /* Generate random passkey. Not valid until confirmed. */ | ||
| 335 | if (method == CFM_PASSKEY) { | ||
| 336 | u8 key[16]; | ||
| 337 | |||
| 338 | memset(key, 0, sizeof(key)); | ||
| 339 | get_random_bytes(&passkey, sizeof(passkey)); | ||
| 340 | passkey %= 1000000; | ||
| 341 | put_unaligned_le32(passkey, key); | ||
| 342 | swap128(key, smp->tk); | ||
| 343 | BT_DBG("PassKey: %d", passkey); | ||
| 344 | } | ||
| 345 | |||
| 346 | hci_dev_lock(hcon->hdev); | ||
| 347 | |||
| 348 | if (method == REQ_PASSKEY) | ||
| 349 | ret = mgmt_user_passkey_request(hcon->hdev, conn->dst); | ||
| 350 | else | ||
| 351 | ret = mgmt_user_confirm_request(hcon->hdev, conn->dst, | ||
| 352 | cpu_to_le32(passkey), 0); | ||
| 353 | |||
| 354 | hci_dev_unlock(hcon->hdev); | ||
| 355 | |||
| 356 | return ret; | ||
| 357 | } | ||
| 358 | |||
| 248 | static void confirm_work(struct work_struct *work) | 359 | static void confirm_work(struct work_struct *work) |
| 249 | { | 360 | { |
| 250 | struct smp_chan *smp = container_of(work, struct smp_chan, confirm); | 361 | struct smp_chan *smp = container_of(work, struct smp_chan, confirm); |
| @@ -277,6 +388,8 @@ static void confirm_work(struct work_struct *work) | |||
| 277 | goto error; | 388 | goto error; |
| 278 | } | 389 | } |
| 279 | 390 | ||
| 391 | clear_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); | ||
| 392 | |||
| 280 | swap128(res, cp.confirm_val); | 393 | swap128(res, cp.confirm_val); |
| 281 | smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); | 394 | smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); |
| 282 | 395 | ||
| @@ -382,6 +495,7 @@ static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) | |||
| 382 | 495 | ||
| 383 | smp->conn = conn; | 496 | smp->conn = conn; |
| 384 | conn->smp_chan = smp; | 497 | conn->smp_chan = smp; |
| 498 | conn->hcon->smp_conn = conn; | ||
| 385 | 499 | ||
| 386 | hci_conn_hold(conn->hcon); | 500 | hci_conn_hold(conn->hcon); |
| 387 | 501 | ||
| @@ -399,18 +513,64 @@ void smp_chan_destroy(struct l2cap_conn *conn) | |||
| 399 | 513 | ||
| 400 | kfree(smp); | 514 | kfree(smp); |
| 401 | conn->smp_chan = NULL; | 515 | conn->smp_chan = NULL; |
| 516 | conn->hcon->smp_conn = NULL; | ||
| 402 | hci_conn_put(conn->hcon); | 517 | hci_conn_put(conn->hcon); |
| 403 | } | 518 | } |
| 404 | 519 | ||
| 520 | int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) | ||
| 521 | { | ||
| 522 | struct l2cap_conn *conn = hcon->smp_conn; | ||
| 523 | struct smp_chan *smp; | ||
| 524 | u32 value; | ||
| 525 | u8 key[16]; | ||
| 526 | |||
| 527 | BT_DBG(""); | ||
| 528 | |||
| 529 | if (!conn) | ||
| 530 | return -ENOTCONN; | ||
| 531 | |||
| 532 | smp = conn->smp_chan; | ||
| 533 | |||
| 534 | switch (mgmt_op) { | ||
| 535 | case MGMT_OP_USER_PASSKEY_REPLY: | ||
| 536 | value = le32_to_cpu(passkey); | ||
| 537 | memset(key, 0, sizeof(key)); | ||
| 538 | BT_DBG("PassKey: %d", value); | ||
| 539 | put_unaligned_le32(value, key); | ||
| 540 | swap128(key, smp->tk); | ||
| 541 | /* Fall Through */ | ||
| 542 | case MGMT_OP_USER_CONFIRM_REPLY: | ||
| 543 | set_bit(SMP_FLAG_TK_VALID, &smp->smp_flags); | ||
| 544 | break; | ||
| 545 | case MGMT_OP_USER_PASSKEY_NEG_REPLY: | ||
| 546 | case MGMT_OP_USER_CONFIRM_NEG_REPLY: | ||
| 547 | smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED, 1); | ||
| 548 | return 0; | ||
| 549 | default: | ||
| 550 | smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED, 1); | ||
| 551 | return -EOPNOTSUPP; | ||
| 552 | } | ||
| 553 | |||
| 554 | /* If it is our turn to send Pairing Confirm, do so now */ | ||
| 555 | if (test_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags)) | ||
| 556 | queue_work(hcon->hdev->workqueue, &smp->confirm); | ||
| 557 | |||
| 558 | return 0; | ||
| 559 | } | ||
| 560 | |||
| 405 | static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) | 561 | static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) |
| 406 | { | 562 | { |
| 407 | struct smp_cmd_pairing rsp, *req = (void *) skb->data; | 563 | struct smp_cmd_pairing rsp, *req = (void *) skb->data; |
| 408 | struct smp_chan *smp; | 564 | struct smp_chan *smp; |
| 409 | u8 key_size; | 565 | u8 key_size; |
| 566 | u8 auth = SMP_AUTH_NONE; | ||
| 410 | int ret; | 567 | int ret; |
| 411 | 568 | ||
| 412 | BT_DBG("conn %p", conn); | 569 | BT_DBG("conn %p", conn); |
| 413 | 570 | ||
| 571 | if (conn->hcon->link_mode & HCI_LM_MASTER) | ||
| 572 | return SMP_CMD_NOTSUPP; | ||
| 573 | |||
| 414 | if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend)) | 574 | if (!test_and_set_bit(HCI_CONN_LE_SMP_PEND, &conn->hcon->pend)) |
| 415 | smp = smp_chan_create(conn); | 575 | smp = smp_chan_create(conn); |
| 416 | 576 | ||
| @@ -420,19 +580,16 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 420 | memcpy(&smp->preq[1], req, sizeof(*req)); | 580 | memcpy(&smp->preq[1], req, sizeof(*req)); |
| 421 | skb_pull(skb, sizeof(*req)); | 581 | skb_pull(skb, sizeof(*req)); |
| 422 | 582 | ||
| 423 | if (req->oob_flag) | 583 | /* We didn't start the pairing, so match remote */ |
| 424 | return SMP_OOB_NOT_AVAIL; | 584 | if (req->auth_req & SMP_AUTH_BONDING) |
| 585 | auth = req->auth_req; | ||
| 425 | 586 | ||
| 426 | /* We didn't start the pairing, so no requirements */ | 587 | build_pairing_cmd(conn, req, &rsp, auth); |
| 427 | build_pairing_cmd(conn, req, &rsp, SMP_AUTH_NONE); | ||
| 428 | 588 | ||
| 429 | key_size = min(req->max_key_size, rsp.max_key_size); | 589 | key_size = min(req->max_key_size, rsp.max_key_size); |
| 430 | if (check_enc_key_size(conn, key_size)) | 590 | if (check_enc_key_size(conn, key_size)) |
| 431 | return SMP_ENC_KEY_SIZE; | 591 | return SMP_ENC_KEY_SIZE; |
| 432 | 592 | ||
| 433 | /* Just works */ | ||
| 434 | memset(smp->tk, 0, sizeof(smp->tk)); | ||
| 435 | |||
| 436 | ret = smp_rand(smp->prnd); | 593 | ret = smp_rand(smp->prnd); |
| 437 | if (ret) | 594 | if (ret) |
| 438 | return SMP_UNSPECIFIED; | 595 | return SMP_UNSPECIFIED; |
| @@ -442,6 +599,11 @@ static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 442 | 599 | ||
| 443 | smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); | 600 | smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); |
| 444 | 601 | ||
| 602 | /* Request setup of TK */ | ||
| 603 | ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); | ||
| 604 | if (ret) | ||
| 605 | return SMP_UNSPECIFIED; | ||
| 606 | |||
| 445 | return 0; | 607 | return 0; |
| 446 | } | 608 | } |
| 447 | 609 | ||
| @@ -450,11 +612,14 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 450 | struct smp_cmd_pairing *req, *rsp = (void *) skb->data; | 612 | struct smp_cmd_pairing *req, *rsp = (void *) skb->data; |
| 451 | struct smp_chan *smp = conn->smp_chan; | 613 | struct smp_chan *smp = conn->smp_chan; |
| 452 | struct hci_dev *hdev = conn->hcon->hdev; | 614 | struct hci_dev *hdev = conn->hcon->hdev; |
| 453 | u8 key_size; | 615 | u8 key_size, auth = SMP_AUTH_NONE; |
| 454 | int ret; | 616 | int ret; |
| 455 | 617 | ||
| 456 | BT_DBG("conn %p", conn); | 618 | BT_DBG("conn %p", conn); |
| 457 | 619 | ||
| 620 | if (!(conn->hcon->link_mode & HCI_LM_MASTER)) | ||
| 621 | return SMP_CMD_NOTSUPP; | ||
| 622 | |||
| 458 | skb_pull(skb, sizeof(*rsp)); | 623 | skb_pull(skb, sizeof(*rsp)); |
| 459 | 624 | ||
| 460 | req = (void *) &smp->preq[1]; | 625 | req = (void *) &smp->preq[1]; |
| @@ -463,12 +628,6 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 463 | if (check_enc_key_size(conn, key_size)) | 628 | if (check_enc_key_size(conn, key_size)) |
| 464 | return SMP_ENC_KEY_SIZE; | 629 | return SMP_ENC_KEY_SIZE; |
| 465 | 630 | ||
| 466 | if (rsp->oob_flag) | ||
| 467 | return SMP_OOB_NOT_AVAIL; | ||
| 468 | |||
| 469 | /* Just works */ | ||
| 470 | memset(smp->tk, 0, sizeof(smp->tk)); | ||
| 471 | |||
| 472 | ret = smp_rand(smp->prnd); | 631 | ret = smp_rand(smp->prnd); |
| 473 | if (ret) | 632 | if (ret) |
| 474 | return SMP_UNSPECIFIED; | 633 | return SMP_UNSPECIFIED; |
| @@ -476,6 +635,22 @@ static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 476 | smp->prsp[0] = SMP_CMD_PAIRING_RSP; | 635 | smp->prsp[0] = SMP_CMD_PAIRING_RSP; |
| 477 | memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); | 636 | memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); |
| 478 | 637 | ||
| 638 | if ((req->auth_req & SMP_AUTH_BONDING) && | ||
| 639 | (rsp->auth_req & SMP_AUTH_BONDING)) | ||
| 640 | auth = SMP_AUTH_BONDING; | ||
| 641 | |||
| 642 | auth |= (req->auth_req | rsp->auth_req) & SMP_AUTH_MITM; | ||
| 643 | |||
| 644 | ret = tk_request(conn, 0, auth, rsp->io_capability, req->io_capability); | ||
| 645 | if (ret) | ||
| 646 | return SMP_UNSPECIFIED; | ||
| 647 | |||
| 648 | set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); | ||
| 649 | |||
| 650 | /* Can't compose response until we have been confirmed */ | ||
| 651 | if (!test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) | ||
| 652 | return 0; | ||
| 653 | |||
| 479 | queue_work(hdev->workqueue, &smp->confirm); | 654 | queue_work(hdev->workqueue, &smp->confirm); |
| 480 | 655 | ||
| 481 | return 0; | 656 | return 0; |
| @@ -497,8 +672,10 @@ static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 497 | swap128(smp->prnd, random); | 672 | swap128(smp->prnd, random); |
| 498 | smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random), | 673 | smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(random), |
| 499 | random); | 674 | random); |
| 500 | } else { | 675 | } else if (test_bit(SMP_FLAG_TK_VALID, &smp->smp_flags)) { |
| 501 | queue_work(hdev->workqueue, &smp->confirm); | 676 | queue_work(hdev->workqueue, &smp->confirm); |
| 677 | } else { | ||
| 678 | set_bit(SMP_FLAG_CFM_PENDING, &smp->smp_flags); | ||
| 502 | } | 679 | } |
| 503 | 680 | ||
| 504 | return 0; | 681 | return 0; |
| @@ -551,7 +728,7 @@ static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) | |||
| 551 | 728 | ||
| 552 | BT_DBG("conn %p", conn); | 729 | BT_DBG("conn %p", conn); |
| 553 | 730 | ||
| 554 | hcon->pending_sec_level = BT_SECURITY_MEDIUM; | 731 | hcon->pending_sec_level = authreq_to_seclevel(rp->auth_req); |
| 555 | 732 | ||
| 556 | if (smp_ltk_encrypt(conn)) | 733 | if (smp_ltk_encrypt(conn)) |
| 557 | return 0; | 734 | return 0; |
| @@ -578,6 +755,7 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level) | |||
| 578 | { | 755 | { |
| 579 | struct hci_conn *hcon = conn->hcon; | 756 | struct hci_conn *hcon = conn->hcon; |
| 580 | struct smp_chan *smp = conn->smp_chan; | 757 | struct smp_chan *smp = conn->smp_chan; |
| 758 | __u8 authreq; | ||
| 581 | 759 | ||
| 582 | BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); | 760 | BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); |
| 583 | 761 | ||
| @@ -598,18 +776,22 @@ int smp_conn_security(struct l2cap_conn *conn, __u8 sec_level) | |||
| 598 | return 0; | 776 | return 0; |
| 599 | 777 | ||
| 600 | smp = smp_chan_create(conn); | 778 | smp = smp_chan_create(conn); |
| 779 | if (!smp) | ||
| 780 | return 1; | ||
| 781 | |||
| 782 | authreq = seclevel_to_authreq(sec_level); | ||
| 601 | 783 | ||
| 602 | if (hcon->link_mode & HCI_LM_MASTER) { | 784 | if (hcon->link_mode & HCI_LM_MASTER) { |
| 603 | struct smp_cmd_pairing cp; | 785 | struct smp_cmd_pairing cp; |
| 604 | 786 | ||
| 605 | build_pairing_cmd(conn, &cp, NULL, SMP_AUTH_NONE); | 787 | build_pairing_cmd(conn, &cp, NULL, authreq); |
| 606 | smp->preq[0] = SMP_CMD_PAIRING_REQ; | 788 | smp->preq[0] = SMP_CMD_PAIRING_REQ; |
| 607 | memcpy(&smp->preq[1], &cp, sizeof(cp)); | 789 | memcpy(&smp->preq[1], &cp, sizeof(cp)); |
| 608 | 790 | ||
| 609 | smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); | 791 | smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); |
| 610 | } else { | 792 | } else { |
| 611 | struct smp_cmd_security_req cp; | 793 | struct smp_cmd_security_req cp; |
| 612 | cp.auth_req = SMP_AUTH_NONE; | 794 | cp.auth_req = authreq; |
| 613 | smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); | 795 | smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); |
| 614 | } | 796 | } |
| 615 | 797 | ||