Loading...
Note: File does not exist in v6.13.7.
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 Copyright (c) 2011,2012 Intel Corp.
4
5*/
6
7#include <net/bluetooth/bluetooth.h>
8#include <net/bluetooth/hci.h>
9#include <net/bluetooth/hci_core.h>
10#include <crypto/hash.h>
11
12#include "hci_request.h"
13#include "a2mp.h"
14#include "amp.h"
15
16/* Remote AMP Controllers interface */
17void amp_ctrl_get(struct amp_ctrl *ctrl)
18{
19 BT_DBG("ctrl %p orig refcnt %d", ctrl,
20 kref_read(&ctrl->kref));
21
22 kref_get(&ctrl->kref);
23}
24
25static void amp_ctrl_destroy(struct kref *kref)
26{
27 struct amp_ctrl *ctrl = container_of(kref, struct amp_ctrl, kref);
28
29 BT_DBG("ctrl %p", ctrl);
30
31 kfree(ctrl->assoc);
32 kfree(ctrl);
33}
34
35int amp_ctrl_put(struct amp_ctrl *ctrl)
36{
37 BT_DBG("ctrl %p orig refcnt %d", ctrl,
38 kref_read(&ctrl->kref));
39
40 return kref_put(&ctrl->kref, &_ctrl_destroy);
41}
42
43struct amp_ctrl *amp_ctrl_add(struct amp_mgr *mgr, u8 id)
44{
45 struct amp_ctrl *ctrl;
46
47 ctrl = kzalloc(sizeof(*ctrl), GFP_KERNEL);
48 if (!ctrl)
49 return NULL;
50
51 kref_init(&ctrl->kref);
52 ctrl->id = id;
53
54 mutex_lock(&mgr->amp_ctrls_lock);
55 list_add(&ctrl->list, &mgr->amp_ctrls);
56 mutex_unlock(&mgr->amp_ctrls_lock);
57
58 BT_DBG("mgr %p ctrl %p", mgr, ctrl);
59
60 return ctrl;
61}
62
63void amp_ctrl_list_flush(struct amp_mgr *mgr)
64{
65 struct amp_ctrl *ctrl, *n;
66
67 BT_DBG("mgr %p", mgr);
68
69 mutex_lock(&mgr->amp_ctrls_lock);
70 list_for_each_entry_safe(ctrl, n, &mgr->amp_ctrls, list) {
71 list_del(&ctrl->list);
72 amp_ctrl_put(ctrl);
73 }
74 mutex_unlock(&mgr->amp_ctrls_lock);
75}
76
77struct amp_ctrl *amp_ctrl_lookup(struct amp_mgr *mgr, u8 id)
78{
79 struct amp_ctrl *ctrl;
80
81 BT_DBG("mgr %p id %u", mgr, id);
82
83 mutex_lock(&mgr->amp_ctrls_lock);
84 list_for_each_entry(ctrl, &mgr->amp_ctrls, list) {
85 if (ctrl->id == id) {
86 amp_ctrl_get(ctrl);
87 mutex_unlock(&mgr->amp_ctrls_lock);
88 return ctrl;
89 }
90 }
91 mutex_unlock(&mgr->amp_ctrls_lock);
92
93 return NULL;
94}
95
96/* Physical Link interface */
97static u8 __next_handle(struct amp_mgr *mgr)
98{
99 if (++mgr->handle == 0)
100 mgr->handle = 1;
101
102 return mgr->handle;
103}
104
105struct hci_conn *phylink_add(struct hci_dev *hdev, struct amp_mgr *mgr,
106 u8 remote_id, bool out)
107{
108 bdaddr_t *dst = &mgr->l2cap_conn->hcon->dst;
109 struct hci_conn *hcon;
110 u8 role = out ? HCI_ROLE_MASTER : HCI_ROLE_SLAVE;
111
112 hcon = hci_conn_add(hdev, AMP_LINK, dst, role, __next_handle(mgr));
113 if (!hcon)
114 return NULL;
115
116 BT_DBG("hcon %p dst %pMR", hcon, dst);
117
118 hcon->state = BT_CONNECT;
119 hcon->attempt++;
120 hcon->remote_id = remote_id;
121 hcon->amp_mgr = amp_mgr_get(mgr);
122
123 return hcon;
124}
125
126/* AMP crypto key generation interface */
127static int hmac_sha256(u8 *key, u8 ksize, char *plaintext, u8 psize, u8 *output)
128{
129 struct crypto_shash *tfm;
130 struct shash_desc *shash;
131 int ret;
132
133 if (!ksize)
134 return -EINVAL;
135
136 tfm = crypto_alloc_shash("hmac(sha256)", 0, 0);
137 if (IS_ERR(tfm)) {
138 BT_DBG("crypto_alloc_ahash failed: err %ld", PTR_ERR(tfm));
139 return PTR_ERR(tfm);
140 }
141
142 ret = crypto_shash_setkey(tfm, key, ksize);
143 if (ret) {
144 BT_DBG("crypto_ahash_setkey failed: err %d", ret);
145 goto failed;
146 }
147
148 shash = kzalloc(sizeof(*shash) + crypto_shash_descsize(tfm),
149 GFP_KERNEL);
150 if (!shash) {
151 ret = -ENOMEM;
152 goto failed;
153 }
154
155 shash->tfm = tfm;
156
157 ret = crypto_shash_digest(shash, plaintext, psize, output);
158
159 kfree(shash);
160
161failed:
162 crypto_free_shash(tfm);
163 return ret;
164}
165
166int phylink_gen_key(struct hci_conn *conn, u8 *data, u8 *len, u8 *type)
167{
168 struct hci_dev *hdev = conn->hdev;
169 struct link_key *key;
170 u8 keybuf[HCI_AMP_LINK_KEY_SIZE];
171 u8 gamp_key[HCI_AMP_LINK_KEY_SIZE];
172 int err;
173
174 if (!hci_conn_check_link_mode(conn))
175 return -EACCES;
176
177 BT_DBG("conn %p key_type %d", conn, conn->key_type);
178
179 /* Legacy key */
180 if (conn->key_type < 3) {
181 bt_dev_err(hdev, "legacy key type %u", conn->key_type);
182 return -EACCES;
183 }
184
185 *type = conn->key_type;
186 *len = HCI_AMP_LINK_KEY_SIZE;
187
188 key = hci_find_link_key(hdev, &conn->dst);
189 if (!key) {
190 BT_DBG("No Link key for conn %p dst %pMR", conn, &conn->dst);
191 return -EACCES;
192 }
193
194 /* BR/EDR Link Key concatenated together with itself */
195 memcpy(&keybuf[0], key->val, HCI_LINK_KEY_SIZE);
196 memcpy(&keybuf[HCI_LINK_KEY_SIZE], key->val, HCI_LINK_KEY_SIZE);
197
198 /* Derive Generic AMP Link Key (gamp) */
199 err = hmac_sha256(keybuf, HCI_AMP_LINK_KEY_SIZE, "gamp", 4, gamp_key);
200 if (err) {
201 bt_dev_err(hdev, "could not derive Generic AMP Key: err %d", err);
202 return err;
203 }
204
205 if (conn->key_type == HCI_LK_DEBUG_COMBINATION) {
206 BT_DBG("Use Generic AMP Key (gamp)");
207 memcpy(data, gamp_key, HCI_AMP_LINK_KEY_SIZE);
208 return err;
209 }
210
211 /* Derive Dedicated AMP Link Key: "802b" is 802.11 PAL keyID */
212 return hmac_sha256(gamp_key, HCI_AMP_LINK_KEY_SIZE, "802b", 4, data);
213}
214
215static void read_local_amp_assoc_complete(struct hci_dev *hdev, u8 status,
216 u16 opcode, struct sk_buff *skb)
217{
218 struct hci_rp_read_local_amp_assoc *rp = (void *)skb->data;
219 struct amp_assoc *assoc = &hdev->loc_assoc;
220 size_t rem_len, frag_len;
221
222 BT_DBG("%s status 0x%2.2x", hdev->name, rp->status);
223
224 if (rp->status)
225 goto send_rsp;
226
227 frag_len = skb->len - sizeof(*rp);
228 rem_len = __le16_to_cpu(rp->rem_len);
229
230 if (rem_len > frag_len) {
231 BT_DBG("frag_len %zu rem_len %zu", frag_len, rem_len);
232
233 memcpy(assoc->data + assoc->offset, rp->frag, frag_len);
234 assoc->offset += frag_len;
235
236 /* Read other fragments */
237 amp_read_loc_assoc_frag(hdev, rp->phy_handle);
238
239 return;
240 }
241
242 memcpy(assoc->data + assoc->offset, rp->frag, rem_len);
243 assoc->len = assoc->offset + rem_len;
244 assoc->offset = 0;
245
246send_rsp:
247 /* Send A2MP Rsp when all fragments are received */
248 a2mp_send_getampassoc_rsp(hdev, rp->status);
249 a2mp_send_create_phy_link_req(hdev, rp->status);
250}
251
252void amp_read_loc_assoc_frag(struct hci_dev *hdev, u8 phy_handle)
253{
254 struct hci_cp_read_local_amp_assoc cp;
255 struct amp_assoc *loc_assoc = &hdev->loc_assoc;
256 struct hci_request req;
257 int err;
258
259 BT_DBG("%s handle %u", hdev->name, phy_handle);
260
261 cp.phy_handle = phy_handle;
262 cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
263 cp.len_so_far = cpu_to_le16(loc_assoc->offset);
264
265 hci_req_init(&req, hdev);
266 hci_req_add(&req, HCI_OP_READ_LOCAL_AMP_ASSOC, sizeof(cp), &cp);
267 err = hci_req_run_skb(&req, read_local_amp_assoc_complete);
268 if (err < 0)
269 a2mp_send_getampassoc_rsp(hdev, A2MP_STATUS_INVALID_CTRL_ID);
270}
271
272void amp_read_loc_assoc(struct hci_dev *hdev, struct amp_mgr *mgr)
273{
274 struct hci_cp_read_local_amp_assoc cp;
275 struct hci_request req;
276 int err;
277
278 memset(&hdev->loc_assoc, 0, sizeof(struct amp_assoc));
279 memset(&cp, 0, sizeof(cp));
280
281 cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
282
283 set_bit(READ_LOC_AMP_ASSOC, &mgr->state);
284 hci_req_init(&req, hdev);
285 hci_req_add(&req, HCI_OP_READ_LOCAL_AMP_ASSOC, sizeof(cp), &cp);
286 err = hci_req_run_skb(&req, read_local_amp_assoc_complete);
287 if (err < 0)
288 a2mp_send_getampassoc_rsp(hdev, A2MP_STATUS_INVALID_CTRL_ID);
289}
290
291void amp_read_loc_assoc_final_data(struct hci_dev *hdev,
292 struct hci_conn *hcon)
293{
294 struct hci_cp_read_local_amp_assoc cp;
295 struct amp_mgr *mgr = hcon->amp_mgr;
296 struct hci_request req;
297 int err;
298
299 if (!mgr)
300 return;
301
302 cp.phy_handle = hcon->handle;
303 cp.len_so_far = cpu_to_le16(0);
304 cp.max_len = cpu_to_le16(hdev->amp_assoc_size);
305
306 set_bit(READ_LOC_AMP_ASSOC_FINAL, &mgr->state);
307
308 /* Read Local AMP Assoc final link information data */
309 hci_req_init(&req, hdev);
310 hci_req_add(&req, HCI_OP_READ_LOCAL_AMP_ASSOC, sizeof(cp), &cp);
311 err = hci_req_run_skb(&req, read_local_amp_assoc_complete);
312 if (err < 0)
313 a2mp_send_getampassoc_rsp(hdev, A2MP_STATUS_INVALID_CTRL_ID);
314}
315
316static void write_remote_amp_assoc_complete(struct hci_dev *hdev, u8 status,
317 u16 opcode, struct sk_buff *skb)
318{
319 struct hci_rp_write_remote_amp_assoc *rp = (void *)skb->data;
320
321 BT_DBG("%s status 0x%2.2x phy_handle 0x%2.2x",
322 hdev->name, rp->status, rp->phy_handle);
323
324 if (rp->status)
325 return;
326
327 amp_write_rem_assoc_continue(hdev, rp->phy_handle);
328}
329
330/* Write AMP Assoc data fragments, returns true with last fragment written*/
331static bool amp_write_rem_assoc_frag(struct hci_dev *hdev,
332 struct hci_conn *hcon)
333{
334 struct hci_cp_write_remote_amp_assoc *cp;
335 struct amp_mgr *mgr = hcon->amp_mgr;
336 struct amp_ctrl *ctrl;
337 struct hci_request req;
338 u16 frag_len, len;
339
340 ctrl = amp_ctrl_lookup(mgr, hcon->remote_id);
341 if (!ctrl)
342 return false;
343
344 if (!ctrl->assoc_rem_len) {
345 BT_DBG("all fragments are written");
346 ctrl->assoc_rem_len = ctrl->assoc_len;
347 ctrl->assoc_len_so_far = 0;
348
349 amp_ctrl_put(ctrl);
350 return true;
351 }
352
353 frag_len = min_t(u16, 248, ctrl->assoc_rem_len);
354 len = frag_len + sizeof(*cp);
355
356 cp = kzalloc(len, GFP_KERNEL);
357 if (!cp) {
358 amp_ctrl_put(ctrl);
359 return false;
360 }
361
362 BT_DBG("hcon %p ctrl %p frag_len %u assoc_len %u rem_len %u",
363 hcon, ctrl, frag_len, ctrl->assoc_len, ctrl->assoc_rem_len);
364
365 cp->phy_handle = hcon->handle;
366 cp->len_so_far = cpu_to_le16(ctrl->assoc_len_so_far);
367 cp->rem_len = cpu_to_le16(ctrl->assoc_rem_len);
368 memcpy(cp->frag, ctrl->assoc, frag_len);
369
370 ctrl->assoc_len_so_far += frag_len;
371 ctrl->assoc_rem_len -= frag_len;
372
373 amp_ctrl_put(ctrl);
374
375 hci_req_init(&req, hdev);
376 hci_req_add(&req, HCI_OP_WRITE_REMOTE_AMP_ASSOC, len, cp);
377 hci_req_run_skb(&req, write_remote_amp_assoc_complete);
378
379 kfree(cp);
380
381 return false;
382}
383
384void amp_write_rem_assoc_continue(struct hci_dev *hdev, u8 handle)
385{
386 struct hci_conn *hcon;
387
388 BT_DBG("%s phy handle 0x%2.2x", hdev->name, handle);
389
390 hcon = hci_conn_hash_lookup_handle(hdev, handle);
391 if (!hcon)
392 return;
393
394 /* Send A2MP create phylink rsp when all fragments are written */
395 if (amp_write_rem_assoc_frag(hdev, hcon))
396 a2mp_send_create_phy_link_rsp(hdev, 0);
397}
398
399void amp_write_remote_assoc(struct hci_dev *hdev, u8 handle)
400{
401 struct hci_conn *hcon;
402
403 BT_DBG("%s phy handle 0x%2.2x", hdev->name, handle);
404
405 hcon = hci_conn_hash_lookup_handle(hdev, handle);
406 if (!hcon)
407 return;
408
409 BT_DBG("%s phy handle 0x%2.2x hcon %p", hdev->name, handle, hcon);
410
411 amp_write_rem_assoc_frag(hdev, hcon);
412}
413
414static void create_phylink_complete(struct hci_dev *hdev, u8 status,
415 u16 opcode)
416{
417 struct hci_cp_create_phy_link *cp;
418
419 BT_DBG("%s status 0x%2.2x", hdev->name, status);
420
421 cp = hci_sent_cmd_data(hdev, HCI_OP_CREATE_PHY_LINK);
422 if (!cp)
423 return;
424
425 hci_dev_lock(hdev);
426
427 if (status) {
428 struct hci_conn *hcon;
429
430 hcon = hci_conn_hash_lookup_handle(hdev, cp->phy_handle);
431 if (hcon)
432 hci_conn_del(hcon);
433 } else {
434 amp_write_remote_assoc(hdev, cp->phy_handle);
435 }
436
437 hci_dev_unlock(hdev);
438}
439
440void amp_create_phylink(struct hci_dev *hdev, struct amp_mgr *mgr,
441 struct hci_conn *hcon)
442{
443 struct hci_cp_create_phy_link cp;
444 struct hci_request req;
445
446 cp.phy_handle = hcon->handle;
447
448 BT_DBG("%s hcon %p phy handle 0x%2.2x", hdev->name, hcon,
449 hcon->handle);
450
451 if (phylink_gen_key(mgr->l2cap_conn->hcon, cp.key, &cp.key_len,
452 &cp.key_type)) {
453 BT_DBG("Cannot create link key");
454 return;
455 }
456
457 hci_req_init(&req, hdev);
458 hci_req_add(&req, HCI_OP_CREATE_PHY_LINK, sizeof(cp), &cp);
459 hci_req_run(&req, create_phylink_complete);
460}
461
462static void accept_phylink_complete(struct hci_dev *hdev, u8 status,
463 u16 opcode)
464{
465 struct hci_cp_accept_phy_link *cp;
466
467 BT_DBG("%s status 0x%2.2x", hdev->name, status);
468
469 if (status)
470 return;
471
472 cp = hci_sent_cmd_data(hdev, HCI_OP_ACCEPT_PHY_LINK);
473 if (!cp)
474 return;
475
476 amp_write_remote_assoc(hdev, cp->phy_handle);
477}
478
479void amp_accept_phylink(struct hci_dev *hdev, struct amp_mgr *mgr,
480 struct hci_conn *hcon)
481{
482 struct hci_cp_accept_phy_link cp;
483 struct hci_request req;
484
485 cp.phy_handle = hcon->handle;
486
487 BT_DBG("%s hcon %p phy handle 0x%2.2x", hdev->name, hcon,
488 hcon->handle);
489
490 if (phylink_gen_key(mgr->l2cap_conn->hcon, cp.key, &cp.key_len,
491 &cp.key_type)) {
492 BT_DBG("Cannot create link key");
493 return;
494 }
495
496 hci_req_init(&req, hdev);
497 hci_req_add(&req, HCI_OP_ACCEPT_PHY_LINK, sizeof(cp), &cp);
498 hci_req_run(&req, accept_phylink_complete);
499}
500
501void amp_physical_cfm(struct hci_conn *bredr_hcon, struct hci_conn *hs_hcon)
502{
503 struct hci_dev *bredr_hdev = hci_dev_hold(bredr_hcon->hdev);
504 struct amp_mgr *mgr = hs_hcon->amp_mgr;
505 struct l2cap_chan *bredr_chan;
506
507 BT_DBG("bredr_hcon %p hs_hcon %p mgr %p", bredr_hcon, hs_hcon, mgr);
508
509 if (!bredr_hdev || !mgr || !mgr->bredr_chan)
510 return;
511
512 bredr_chan = mgr->bredr_chan;
513
514 l2cap_chan_lock(bredr_chan);
515
516 set_bit(FLAG_EFS_ENABLE, &bredr_chan->flags);
517 bredr_chan->remote_amp_id = hs_hcon->remote_id;
518 bredr_chan->local_amp_id = hs_hcon->hdev->id;
519 bredr_chan->hs_hcon = hs_hcon;
520 bredr_chan->conn->mtu = hs_hcon->hdev->block_mtu;
521
522 __l2cap_physical_cfm(bredr_chan, 0);
523
524 l2cap_chan_unlock(bredr_chan);
525
526 hci_dev_put(bredr_hdev);
527}
528
529void amp_create_logical_link(struct l2cap_chan *chan)
530{
531 struct hci_conn *hs_hcon = chan->hs_hcon;
532 struct hci_cp_create_accept_logical_link cp;
533 struct hci_dev *hdev;
534
535 BT_DBG("chan %p hs_hcon %p dst %pMR", chan, hs_hcon,
536 &chan->conn->hcon->dst);
537
538 if (!hs_hcon)
539 return;
540
541 hdev = hci_dev_hold(chan->hs_hcon->hdev);
542 if (!hdev)
543 return;
544
545 cp.phy_handle = hs_hcon->handle;
546
547 cp.tx_flow_spec.id = chan->local_id;
548 cp.tx_flow_spec.stype = chan->local_stype;
549 cp.tx_flow_spec.msdu = cpu_to_le16(chan->local_msdu);
550 cp.tx_flow_spec.sdu_itime = cpu_to_le32(chan->local_sdu_itime);
551 cp.tx_flow_spec.acc_lat = cpu_to_le32(chan->local_acc_lat);
552 cp.tx_flow_spec.flush_to = cpu_to_le32(chan->local_flush_to);
553
554 cp.rx_flow_spec.id = chan->remote_id;
555 cp.rx_flow_spec.stype = chan->remote_stype;
556 cp.rx_flow_spec.msdu = cpu_to_le16(chan->remote_msdu);
557 cp.rx_flow_spec.sdu_itime = cpu_to_le32(chan->remote_sdu_itime);
558 cp.rx_flow_spec.acc_lat = cpu_to_le32(chan->remote_acc_lat);
559 cp.rx_flow_spec.flush_to = cpu_to_le32(chan->remote_flush_to);
560
561 if (hs_hcon->out)
562 hci_send_cmd(hdev, HCI_OP_CREATE_LOGICAL_LINK, sizeof(cp),
563 &cp);
564 else
565 hci_send_cmd(hdev, HCI_OP_ACCEPT_LOGICAL_LINK, sizeof(cp),
566 &cp);
567
568 hci_dev_put(hdev);
569}
570
571void amp_disconnect_logical_link(struct hci_chan *hchan)
572{
573 struct hci_conn *hcon = hchan->conn;
574 struct hci_cp_disconn_logical_link cp;
575
576 if (hcon->state != BT_CONNECTED) {
577 BT_DBG("hchan %p not connected", hchan);
578 return;
579 }
580
581 cp.log_handle = cpu_to_le16(hchan->handle);
582 hci_send_cmd(hcon->hdev, HCI_OP_DISCONN_LOGICAL_LINK, sizeof(cp), &cp);
583}
584
585void amp_destroy_logical_link(struct hci_chan *hchan, u8 reason)
586{
587 BT_DBG("hchan %p", hchan);
588
589 hci_chan_del(hchan);
590}