// SPDX-License-Identifier: GPL-2.0
/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

#include <linux/debugfs.h>
#include <linux/scatterlist.h>
#include <crypto/aes-cbc-macs.h>
#include <crypto/aes.h>
#include <crypto/kpp.h>
#include <crypto/utils.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
#include <net/bluetooth/mgmt.h>

#include "ecdh_helper.h"
#include "smp.h"

/* Per-controller SMP state: hdev->smp_data is treated as an l2cap_chan
 * whose ->data is a struct smp_dev. The macro dereferences both pointers
 * without a NULL check, so it is only safe once the caller knows they are
 * set.
 */
#define SMP_DEV(hdev) \
	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)

/* Low-level debug macros to be used for stuff that we don't want
 * accidentally in dmesg, i.e. the values of the various crypto keys
 * and the inputs & outputs of crypto functions.
 *
 * Without DEBUG the call goes to no_printk(), which keeps the format
 * string and arguments type-checked but prints nothing.
 */
#ifdef DEBUG
#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
				 ##__VA_ARGS__)
#else
#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
				    ##__VA_ARGS__)
#endif

/* Mark SMP command 'code' as acceptable by setting its bit in
 * smp->allow_cmd.
 */
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)

/* Keys which are not distributed with Secure Connections */
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)

/* Delay used when smp_send_cmd() re-arms smp->security_timer */
#define SMP_TIMEOUT	secs_to_jiffies(30)

/* Delay used when smp_notify_keys() queues conn->id_addr_timer */
#define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)

/* AuthReq bits that are kept when building a pairing PDU: 0x3f when the
 * controller has HCI_SC_ENABLED set, otherwise only the low three bits.
 */
#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
				 0x3f : 0x07)
#define KEY_DIST_MASK		0x07

/* Maximum message length that can be passed to smp_aes_cmac */
#define CMAC_MSG_MAX	80

/* Bit numbers in smp_chan->flags, used with set_bit(), clear_bit() and
 * test_bit().
 */
enum {
	SMP_FLAG_TK_VALID,
	SMP_FLAG_CFM_PENDING,
	SMP_FLAG_MITM_AUTH,
	SMP_FLAG_COMPLETE,
	SMP_FLAG_INITIATOR,
	SMP_FLAG_SC,
	SMP_FLAG_REMOTE_PK,
	SMP_FLAG_DEBUG_KEY,
	SMP_FLAG_WAIT_USER,
	SMP_FLAG_DHKEY_PENDING,
	SMP_FLAG_REMOTE_OOB,
	SMP_FLAG_LOCAL_OOB,
	SMP_FLAG_CT2,
};

/* Per-controller state, reached through hdev->smp_data->data. It holds
 * the local OOB key pair and random value produced by smp_generate_oob().
 */
struct smp_dev {
	/* Secure Connections OOB data */
	bool			local_oob;
	u8			local_pk[64];
	u8			local_rand[16];
	bool			debug_key;

	struct crypto_kpp	*tfm_ecdh;
};

/* Per-connection pairing context, reached through conn->smp->data.
 * It contains key material (TK, IRK, DHKey, MacKey, ...), which is why
 * smp_chan_destroy() releases it with kfree_sensitive().
 */
struct smp_chan {
	struct l2cap_conn	*conn;
	struct delayed_work	security_timer;
	unsigned long		allow_cmd; /* Bitmask of allowed commands */

	u8		preq[7]; /* SMP Pairing Request */
	u8		prsp[7]; /* SMP Pairing Response */
	u8		prnd[16]; /* SMP Pairing Random (local) */
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
	u8		pcnf[16]; /* SMP Pairing Confirm */
	u8		tk[16]; /* SMP Temporary Key */
	u8		rr[16]; /* Remote OOB ra/rb value */
	u8		lr[16]; /* Local OOB ra/rb value */
	u8		enc_key_size;
	u8		remote_key_dist;
	bdaddr_t	id_addr;
	u8		id_addr_type;
	u8		irk[16];
	struct smp_csrk	*csrk;
	struct smp_csrk	*responder_csrk;
	struct smp_ltk	*ltk;
	struct smp_ltk	*responder_ltk;
	struct smp_irk	*remote_irk;
	u8		*link_key;
	unsigned long	flags; /* SMP_FLAG_* bits */
	u8		method; /* JUST_WORKS, JUST_CFM, REQ_PASSKEY, ... */
	u8		passkey_round;

	/* Secure Connections variables */
	u8			local_pk[64];
	u8			remote_pk[64];
	u8			dhkey[32];
	u8			mackey[16];

	struct crypto_kpp	*tfm_ecdh;
};

/* These debug key values are defined in the SMP section of the core
 * specification. debug_pk is the public debug key and debug_sk the
 * private debug key.
 *
 * Because the private half is a published constant, a pairing that uses
 * this key pair offers no secrecy. In this file the pair is installed
 * only when HCI_USE_DEBUG_KEYS is set, and smp_generate_oob() regenerates
 * a random key pair that happens to equal debug_pk.
 */
static const u8 debug_pk[64] = {
		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,

		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
};

static const u8 debug_sk[32] = {
		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
};

/* Copy len bytes from src to dst in reverse order (src[0] ends up in
 * dst[len - 1]). This is not an in-place swap: dst is written while src
 * is still being read, so the two buffers must not overlap.
 */
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
{
	size_t i;

	for (i = 0; i < len; i++)
		dst[len - 1 - i] = src[i];
}

/* The following functions map to the LE SC SMP crypto functions
 * AES-CMAC, f4, f5, f6, g2 and h6.
162 */ 163 164 static int smp_aes_cmac(const u8 k[16], const u8 *m, size_t len, u8 mac[16]) 165 { 166 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 167 struct aes_cmac_key key; 168 int err; 169 170 if (len > CMAC_MSG_MAX) 171 return -EFBIG; 172 173 /* Swap key and message from LSB to MSB */ 174 swap_buf(k, tmp, 16); 175 swap_buf(m, msg_msb, len); 176 177 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 178 SMP_DBG("key %16phN", k); 179 180 err = aes_cmac_preparekey(&key, tmp, 16); 181 if (WARN_ON_ONCE(err)) /* Should never happen, as 16 is valid keylen */ 182 return err; 183 aes_cmac(&key, msg_msb, len, mac_msb); 184 185 swap_buf(mac_msb, mac, 16); 186 187 SMP_DBG("mac %16phN", mac); 188 189 return 0; 190 } 191 192 static int smp_f4(const u8 u[32], const u8 v[32], const u8 x[16], u8 z, 193 u8 res[16]) 194 { 195 u8 m[65]; 196 int err; 197 198 SMP_DBG("u %32phN", u); 199 SMP_DBG("v %32phN", v); 200 SMP_DBG("x %16phN z %02x", x, z); 201 202 m[0] = z; 203 memcpy(m + 1, v, 32); 204 memcpy(m + 33, u, 32); 205 206 err = smp_aes_cmac(x, m, sizeof(m), res); 207 if (err) 208 return err; 209 210 SMP_DBG("res %16phN", res); 211 212 return err; 213 } 214 215 static int smp_f5(const u8 w[32], const u8 n1[16], const u8 n2[16], 216 const u8 a1[7], const u8 a2[7], u8 mackey[16], u8 ltk[16]) 217 { 218 /* The btle, salt and length "magic" values are as defined in 219 * the SMP section of the Bluetooth core specification. In ASCII 220 * the btle value ends up being 'btle'. The salt is just a 221 * random number whereas length is the value 256 in little 222 * endian format. 
223 */ 224 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 225 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 226 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 227 const u8 length[2] = { 0x00, 0x01 }; 228 u8 m[53], t[16]; 229 int err; 230 231 SMP_DBG("w %32phN", w); 232 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 233 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 234 235 err = smp_aes_cmac(salt, w, 32, t); 236 if (err) 237 return err; 238 239 SMP_DBG("t %16phN", t); 240 241 memcpy(m, length, 2); 242 memcpy(m + 2, a2, 7); 243 memcpy(m + 9, a1, 7); 244 memcpy(m + 16, n2, 16); 245 memcpy(m + 32, n1, 16); 246 memcpy(m + 48, btle, 4); 247 248 m[52] = 0; /* Counter */ 249 250 err = smp_aes_cmac(t, m, sizeof(m), mackey); 251 if (err) 252 return err; 253 254 SMP_DBG("mackey %16phN", mackey); 255 256 m[52] = 1; /* Counter */ 257 258 err = smp_aes_cmac(t, m, sizeof(m), ltk); 259 if (err) 260 return err; 261 262 SMP_DBG("ltk %16phN", ltk); 263 264 return 0; 265 } 266 267 static int smp_f6(const u8 w[16], const u8 n1[16], const u8 n2[16], 268 const u8 r[16], const u8 io_cap[3], const u8 a1[7], 269 const u8 a2[7], u8 res[16]) 270 { 271 u8 m[65]; 272 int err; 273 274 SMP_DBG("w %16phN", w); 275 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 276 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 277 278 memcpy(m, a2, 7); 279 memcpy(m + 7, a1, 7); 280 memcpy(m + 14, io_cap, 3); 281 memcpy(m + 17, r, 16); 282 memcpy(m + 33, n2, 16); 283 memcpy(m + 49, n1, 16); 284 285 err = smp_aes_cmac(w, m, sizeof(m), res); 286 if (err) 287 return err; 288 289 SMP_DBG("res %16phN", res); 290 291 return err; 292 } 293 294 static int smp_g2(const u8 u[32], const u8 v[32], const u8 x[16], 295 const u8 y[16], u32 *val) 296 { 297 u8 m[80], tmp[16]; 298 int err; 299 300 SMP_DBG("u %32phN", u); 301 SMP_DBG("v %32phN", v); 302 SMP_DBG("x %16phN y %16phN", x, y); 303 304 memcpy(m, y, 16); 305 memcpy(m + 16, v, 32); 306 memcpy(m + 48, u, 32); 307 308 err = smp_aes_cmac(x, m, 
sizeof(m), tmp); 309 if (err) 310 return err; 311 312 *val = get_unaligned_le32(tmp); 313 *val %= 1000000; 314 315 SMP_DBG("val %06u", *val); 316 317 return 0; 318 } 319 320 static int smp_h6(const u8 w[16], const u8 key_id[4], u8 res[16]) 321 { 322 int err; 323 324 SMP_DBG("w %16phN key_id %4phN", w, key_id); 325 326 err = smp_aes_cmac(w, key_id, 4, res); 327 if (err) 328 return err; 329 330 SMP_DBG("res %16phN", res); 331 332 return err; 333 } 334 335 static int smp_h7(const u8 w[16], const u8 salt[16], u8 res[16]) 336 { 337 int err; 338 339 SMP_DBG("w %16phN salt %16phN", w, salt); 340 341 err = smp_aes_cmac(salt, w, 16, res); 342 if (err) 343 return err; 344 345 SMP_DBG("res %16phN", res); 346 347 return err; 348 } 349 350 /* The following functions map to the legacy SMP crypto functions e, c1, 351 * s1 and ah. 352 */ 353 354 static int smp_e(const u8 *k, u8 *r) 355 { 356 struct aes_enckey aes; 357 uint8_t tmp[16], data[16]; 358 int err; 359 360 SMP_DBG("k %16phN r %16phN", k, r); 361 362 /* The most significant octet of key corresponds to k[0] */ 363 swap_buf(k, tmp, 16); 364 365 err = aes_prepareenckey(&aes, tmp, 16); 366 if (err) { 367 BT_ERR("cipher setkey failed: %d", err); 368 return err; 369 } 370 371 /* Most significant octet of plaintextData corresponds to data[0] */ 372 swap_buf(r, data, 16); 373 374 aes_encrypt(&aes, data, data); 375 376 /* Most significant octet of encryptedData corresponds to data[0] */ 377 swap_buf(data, r, 16); 378 379 SMP_DBG("r %16phN", r); 380 381 memzero_explicit(&aes, sizeof(aes)); 382 return err; 383 } 384 385 static int smp_c1(const u8 k[16], 386 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 387 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 388 { 389 u8 p1[16], p2[16]; 390 int err; 391 392 SMP_DBG("k %16phN r %16phN", k, r); 393 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 394 SMP_DBG("preq %7phN pres %7phN", preq, pres); 395 396 memset(p1, 0, 16); 397 398 /* p1 = pres || 
preq || _rat || _iat */ 399 p1[0] = _iat; 400 p1[1] = _rat; 401 memcpy(p1 + 2, preq, 7); 402 memcpy(p1 + 9, pres, 7); 403 404 SMP_DBG("p1 %16phN", p1); 405 406 /* res = r XOR p1 */ 407 crypto_xor_cpy(res, r, p1, sizeof(p1)); 408 409 /* res = e(k, res) */ 410 err = smp_e(k, res); 411 if (err) { 412 BT_ERR("Encrypt data error"); 413 return err; 414 } 415 416 /* p2 = padding || ia || ra */ 417 memcpy(p2, ra, 6); 418 memcpy(p2 + 6, ia, 6); 419 memset(p2 + 12, 0, 4); 420 421 SMP_DBG("p2 %16phN", p2); 422 423 /* res = res XOR p2 */ 424 crypto_xor(res, p2, sizeof(p2)); 425 426 /* res = e(k, res) */ 427 err = smp_e(k, res); 428 if (err) 429 BT_ERR("Encrypt data error"); 430 431 return err; 432 } 433 434 static int smp_s1(const u8 k[16], 435 const u8 r1[16], const u8 r2[16], u8 _r[16]) 436 { 437 int err; 438 439 /* Just least significant octets from r1 and r2 are considered */ 440 memcpy(_r, r2, 8); 441 memcpy(_r + 8, r1, 8); 442 443 err = smp_e(k, _r); 444 if (err) 445 BT_ERR("Encrypt data error"); 446 447 return err; 448 } 449 450 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3]) 451 { 452 u8 _res[16]; 453 int err; 454 455 /* r' = padding || r */ 456 memcpy(_res, r, 3); 457 memset(_res + 3, 0, 13); 458 459 err = smp_e(irk, _res); 460 if (err) { 461 BT_ERR("Encrypt error"); 462 return err; 463 } 464 465 /* The output of the random address function ah is: 466 * ah(k, r) = e(k, r') mod 2^24 467 * The output of the security function e is then truncated to 24 bits 468 * by taking the least significant 24 bits of the output of e as the 469 * result of ah. 
470 */ 471 memcpy(res, _res, 3); 472 473 return 0; 474 } 475 476 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 477 const bdaddr_t *bdaddr) 478 { 479 struct l2cap_chan *chan = hdev->smp_data; 480 u8 hash[3]; 481 int err; 482 483 if (!chan || !chan->data) 484 return false; 485 486 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk); 487 488 err = smp_ah(irk, &bdaddr->b[3], hash); 489 if (err) 490 return false; 491 492 return !crypto_memneq(bdaddr->b, hash, 3); 493 } 494 495 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 496 { 497 struct l2cap_chan *chan = hdev->smp_data; 498 int err; 499 500 if (!chan || !chan->data) 501 return -EOPNOTSUPP; 502 503 get_random_bytes(&rpa->b[3], 3); 504 505 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 506 rpa->b[5] |= 0x40; /* Set second most significant bit */ 507 508 err = smp_ah(irk, &rpa->b[3], rpa->b); 509 if (err < 0) 510 return err; 511 512 bt_dev_dbg(hdev, "RPA %pMR", rpa); 513 514 return 0; 515 } 516 517 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 518 { 519 struct l2cap_chan *chan = hdev->smp_data; 520 struct smp_dev *smp; 521 int err; 522 523 if (!chan || !chan->data) 524 return -EOPNOTSUPP; 525 526 smp = chan->data; 527 528 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 529 bt_dev_dbg(hdev, "Using debug keys"); 530 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk); 531 if (err) 532 return err; 533 memcpy(smp->local_pk, debug_pk, 64); 534 smp->debug_key = true; 535 } else { 536 while (true) { 537 /* Generate key pair for Secure Connections */ 538 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk); 539 if (err) 540 return err; 541 542 /* This is unlikely, but we need to check that 543 * we didn't accidentally generate a debug key. 
544 */ 545 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 546 break; 547 } 548 smp->debug_key = false; 549 } 550 551 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 552 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 553 554 get_random_bytes(smp->local_rand, 16); 555 556 err = smp_f4(smp->local_pk, smp->local_pk, smp->local_rand, 0, hash); 557 if (err < 0) 558 return err; 559 560 memcpy(rand, smp->local_rand, 16); 561 562 smp->local_oob = true; 563 564 return 0; 565 } 566 567 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 568 { 569 struct l2cap_chan *chan = conn->smp; 570 struct smp_chan *smp; 571 struct kvec iv[2]; 572 struct msghdr msg; 573 574 if (!chan) 575 return; 576 577 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code); 578 579 iv[0].iov_base = &code; 580 iv[0].iov_len = 1; 581 582 iv[1].iov_base = data; 583 iv[1].iov_len = len; 584 585 memset(&msg, 0, sizeof(msg)); 586 587 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len); 588 589 l2cap_chan_send(chan, &msg, 1 + len, NULL); 590 591 if (!chan->data) 592 return; 593 594 smp = chan->data; 595 596 cancel_delayed_work_sync(&smp->security_timer); 597 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 598 } 599 600 static u8 authreq_to_seclevel(u8 authreq) 601 { 602 if (authreq & SMP_AUTH_MITM) { 603 if (authreq & SMP_AUTH_SC) 604 return BT_SECURITY_FIPS; 605 else 606 return BT_SECURITY_HIGH; 607 } else { 608 return BT_SECURITY_MEDIUM; 609 } 610 } 611 612 static __u8 seclevel_to_authreq(__u8 sec_level) 613 { 614 switch (sec_level) { 615 case BT_SECURITY_FIPS: 616 case BT_SECURITY_HIGH: 617 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 618 case BT_SECURITY_MEDIUM: 619 return SMP_AUTH_BONDING; 620 default: 621 return SMP_AUTH_NONE; 622 } 623 } 624 625 static void build_pairing_cmd(struct l2cap_conn *conn, 626 struct smp_cmd_pairing *req, 627 struct smp_cmd_pairing *rsp, __u8 authreq) 628 { 629 struct l2cap_chan *chan = conn->smp; 630 struct smp_chan *smp = 
chan->data; 631 struct hci_conn *hcon = conn->hcon; 632 struct hci_dev *hdev = hcon->hdev; 633 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 634 635 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 636 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 637 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 638 authreq |= SMP_AUTH_BONDING; 639 } else { 640 authreq &= ~SMP_AUTH_BONDING; 641 } 642 643 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 644 remote_dist |= SMP_DIST_ID_KEY; 645 646 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 647 local_dist |= SMP_DIST_ID_KEY; 648 649 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 650 (authreq & SMP_AUTH_SC)) { 651 struct oob_data *oob_data; 652 u8 bdaddr_type; 653 654 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 655 local_dist |= SMP_DIST_LINK_KEY; 656 remote_dist |= SMP_DIST_LINK_KEY; 657 } 658 659 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 660 bdaddr_type = BDADDR_LE_PUBLIC; 661 else 662 bdaddr_type = BDADDR_LE_RANDOM; 663 664 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 665 bdaddr_type); 666 if (oob_data && oob_data->present) { 667 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 668 oob_flag = SMP_OOB_PRESENT; 669 memcpy(smp->rr, oob_data->rand256, 16); 670 memcpy(smp->pcnf, oob_data->hash256, 16); 671 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 672 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 673 } 674 675 } else { 676 authreq &= ~SMP_AUTH_SC; 677 } 678 679 if (rsp == NULL) { 680 req->io_capability = conn->hcon->io_capability; 681 req->oob_flag = oob_flag; 682 req->max_key_size = hdev->le_max_key_size; 683 req->init_key_dist = local_dist; 684 req->resp_key_dist = remote_dist; 685 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 686 687 smp->remote_key_dist = remote_dist; 688 return; 689 } 690 691 rsp->io_capability = conn->hcon->io_capability; 692 rsp->oob_flag = oob_flag; 693 rsp->max_key_size = hdev->le_max_key_size; 694 rsp->init_key_dist = req->init_key_dist & remote_dist; 695 
rsp->resp_key_dist = req->resp_key_dist & local_dist; 696 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 697 698 smp->remote_key_dist = rsp->init_key_dist; 699 } 700 701 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 702 { 703 struct l2cap_chan *chan = conn->smp; 704 struct hci_dev *hdev = conn->hcon->hdev; 705 struct smp_chan *smp = chan->data; 706 707 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS && 708 max_key_size != SMP_MAX_ENC_KEY_SIZE) 709 return SMP_ENC_KEY_SIZE; 710 711 if (max_key_size > hdev->le_max_key_size || 712 max_key_size < SMP_MIN_ENC_KEY_SIZE) 713 return SMP_ENC_KEY_SIZE; 714 715 smp->enc_key_size = max_key_size; 716 717 return 0; 718 } 719 720 static void smp_chan_destroy(struct l2cap_conn *conn) 721 { 722 struct l2cap_chan *chan = conn->smp; 723 struct smp_chan *smp = chan->data; 724 struct hci_conn *hcon = conn->hcon; 725 bool complete; 726 727 BUG_ON(!smp); 728 729 cancel_delayed_work_sync(&smp->security_timer); 730 731 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 732 mgmt_smp_complete(hcon, complete); 733 734 kfree_sensitive(smp->csrk); 735 kfree_sensitive(smp->responder_csrk); 736 kfree_sensitive(smp->link_key); 737 738 crypto_free_kpp(smp->tfm_ecdh); 739 740 /* Ensure that we don't leave any debug key around if debug key 741 * support hasn't been explicitly enabled. 
742 */ 743 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 744 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 745 list_del_rcu(&smp->ltk->list); 746 kfree_rcu(smp->ltk, rcu); 747 smp->ltk = NULL; 748 } 749 750 /* If pairing failed clean up any keys we might have */ 751 if (!complete) { 752 if (smp->ltk) { 753 list_del_rcu(&smp->ltk->list); 754 kfree_rcu(smp->ltk, rcu); 755 } 756 757 if (smp->responder_ltk) { 758 list_del_rcu(&smp->responder_ltk->list); 759 kfree_rcu(smp->responder_ltk, rcu); 760 } 761 762 if (smp->remote_irk) { 763 list_del_rcu(&smp->remote_irk->list); 764 kfree_rcu(smp->remote_irk, rcu); 765 } 766 } 767 768 chan->data = NULL; 769 kfree_sensitive(smp); 770 hci_conn_drop(hcon); 771 } 772 773 static void smp_failure(struct l2cap_conn *conn, u8 reason) 774 { 775 struct hci_conn *hcon = conn->hcon; 776 struct l2cap_chan *chan = conn->smp; 777 778 if (reason) 779 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 780 &reason); 781 782 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 783 784 if (chan->data) 785 smp_chan_destroy(conn); 786 } 787 788 #define JUST_WORKS 0x00 789 #define JUST_CFM 0x01 790 #define REQ_PASSKEY 0x02 791 #define CFM_PASSKEY 0x03 792 #define REQ_OOB 0x04 793 #define DSP_PASSKEY 0x05 794 #define OVERLAP 0xFF 795 796 static const u8 gen_method[5][5] = { 797 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 798 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 799 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 800 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 801 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 802 }; 803 804 static const u8 sc_method[5][5] = { 805 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 806 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 807 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 808 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 809 
{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 810 }; 811 812 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 813 { 814 /* If either side has unknown io_caps, use JUST_CFM (which gets 815 * converted later to JUST_WORKS if we're initiators. 816 */ 817 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 818 remote_io > SMP_IO_KEYBOARD_DISPLAY) 819 return JUST_CFM; 820 821 if (test_bit(SMP_FLAG_SC, &smp->flags)) 822 return sc_method[remote_io][local_io]; 823 824 return gen_method[remote_io][local_io]; 825 } 826 827 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 828 u8 local_io, u8 remote_io) 829 { 830 struct hci_conn *hcon = conn->hcon; 831 struct l2cap_chan *chan = conn->smp; 832 struct smp_chan *smp = chan->data; 833 u32 passkey = 0; 834 int ret; 835 836 /* Initialize key for JUST WORKS */ 837 memset(smp->tk, 0, sizeof(smp->tk)); 838 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 839 840 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io, 841 remote_io); 842 843 /* If neither side wants MITM, either "just" confirm an incoming 844 * request or use just-works for outgoing ones. The JUST_CFM 845 * will be converted to JUST_WORKS if necessary later in this 846 * function. If either side has MITM look up the method from the 847 * table. 
848 */ 849 if (!(auth & SMP_AUTH_MITM)) 850 smp->method = JUST_CFM; 851 else 852 smp->method = get_auth_method(smp, local_io, remote_io); 853 854 /* Don't confirm locally initiated pairing attempts */ 855 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 856 &smp->flags)) 857 smp->method = JUST_WORKS; 858 859 /* Don't bother user space with no IO capabilities */ 860 if (smp->method == JUST_CFM && 861 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 862 smp->method = JUST_WORKS; 863 864 /* If Just Works, Continue with Zero TK and ask user-space for 865 * confirmation */ 866 if (smp->method == JUST_WORKS) { 867 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 868 hcon->type, 869 hcon->dst_type, 870 passkey, 1); 871 if (ret) 872 return ret; 873 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 874 return 0; 875 } 876 877 /* If this function is used for SC -> legacy fallback we 878 * can only recover the just-works case. 879 */ 880 if (test_bit(SMP_FLAG_SC, &smp->flags)) 881 return -EINVAL; 882 883 /* Not Just Works/Confirm results in MITM Authentication */ 884 if (smp->method != JUST_CFM) { 885 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 886 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 887 hcon->pending_sec_level = BT_SECURITY_HIGH; 888 } 889 890 /* If both devices have Keyboard-Display I/O, the initiator 891 * Confirms and the responder Enters the passkey. 892 */ 893 if (smp->method == OVERLAP) { 894 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 895 smp->method = CFM_PASSKEY; 896 else 897 smp->method = REQ_PASSKEY; 898 } 899 900 /* Generate random passkey. 
*/ 901 if (smp->method == CFM_PASSKEY) { 902 memset(smp->tk, 0, sizeof(smp->tk)); 903 get_random_bytes(&passkey, sizeof(passkey)); 904 passkey %= 1000000; 905 put_unaligned_le32(passkey, smp->tk); 906 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey); 907 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 908 } 909 910 if (smp->method == REQ_PASSKEY) 911 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 912 hcon->type, hcon->dst_type); 913 else if (smp->method == JUST_CFM) 914 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 915 hcon->type, hcon->dst_type, 916 passkey, 1); 917 else 918 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 919 hcon->type, hcon->dst_type, 920 passkey, 0); 921 922 return ret; 923 } 924 925 static u8 smp_confirm(struct smp_chan *smp) 926 { 927 struct l2cap_conn *conn = smp->conn; 928 struct smp_cmd_pairing_confirm cp; 929 int ret; 930 931 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 932 933 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp, 934 conn->hcon->init_addr_type, &conn->hcon->init_addr, 935 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 936 cp.confirm_val); 937 if (ret) 938 return SMP_UNSPECIFIED; 939 940 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 941 942 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 943 944 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 945 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 946 else 947 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 948 949 return 0; 950 } 951 952 static u8 smp_random(struct smp_chan *smp) 953 { 954 struct l2cap_conn *conn = smp->conn; 955 struct hci_conn *hcon = conn->hcon; 956 u8 confirm[16]; 957 int ret; 958 959 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn, 960 test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? 
"initiator" : 961 "responder"); 962 963 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp, 964 hcon->init_addr_type, &hcon->init_addr, 965 hcon->resp_addr_type, &hcon->resp_addr, confirm); 966 if (ret) 967 return SMP_UNSPECIFIED; 968 969 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 970 bt_dev_err(hcon->hdev, "pairing failed " 971 "(confirmation values mismatch)"); 972 return SMP_CONFIRM_FAILED; 973 } 974 975 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 976 u8 stk[16]; 977 __le64 rand = 0; 978 __le16 ediv = 0; 979 980 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk); 981 982 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 983 return SMP_UNSPECIFIED; 984 985 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 986 hcon->enc_key_size = smp->enc_key_size; 987 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 988 } else { 989 u8 stk[16], auth; 990 __le64 rand = 0; 991 __le16 ediv = 0; 992 993 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 994 smp->prnd); 995 996 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); 997 998 auth = test_bit(SMP_FLAG_MITM_AUTH, &smp->flags) ? 1 : 0; 999 1000 /* Even though there's no _RESPONDER suffix this is the 1001 * responder STK we're adding for later lookup (the initiator 1002 * STK never needs to be stored). 
1003 */ 1004 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1005 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1006 } 1007 1008 return 0; 1009 } 1010 1011 static void smp_notify_keys(struct l2cap_conn *conn) 1012 { 1013 struct l2cap_chan *chan = conn->smp; 1014 struct smp_chan *smp = chan->data; 1015 struct hci_conn *hcon = conn->hcon; 1016 struct hci_dev *hdev = hcon->hdev; 1017 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1018 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1019 bool persistent; 1020 1021 if (hcon->type == ACL_LINK) { 1022 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1023 persistent = false; 1024 else 1025 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1026 &hcon->flags); 1027 } else { 1028 /* The LTKs, IRKs and CSRKs should be persistent only if 1029 * both sides had the bonding bit set in their 1030 * authentication requests. 1031 */ 1032 persistent = !!((req->auth_req & rsp->auth_req) & 1033 SMP_AUTH_BONDING); 1034 } 1035 1036 if (smp->remote_irk) { 1037 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1038 1039 /* Now that user space can be considered to know the 1040 * identity address track the connection based on it 1041 * from now on (assuming this is an LE link). 1042 */ 1043 if (hcon->type == LE_LINK) { 1044 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1045 hcon->dst_type = smp->remote_irk->addr_type; 1046 /* Use a short delay to make sure the new address is 1047 * propagated _before_ the channels. 
1048 */ 1049 queue_delayed_work(hdev->workqueue, 1050 &conn->id_addr_timer, 1051 ID_ADDR_TIMEOUT); 1052 } 1053 } 1054 1055 if (smp->csrk) { 1056 smp->csrk->bdaddr_type = hcon->dst_type; 1057 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1058 mgmt_new_csrk(hdev, smp->csrk, persistent); 1059 } 1060 1061 if (smp->responder_csrk) { 1062 smp->responder_csrk->bdaddr_type = hcon->dst_type; 1063 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst); 1064 mgmt_new_csrk(hdev, smp->responder_csrk, persistent); 1065 } 1066 1067 if (smp->ltk) { 1068 smp->ltk->bdaddr_type = hcon->dst_type; 1069 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1070 mgmt_new_ltk(hdev, smp->ltk, persistent); 1071 } 1072 1073 if (smp->responder_ltk) { 1074 smp->responder_ltk->bdaddr_type = hcon->dst_type; 1075 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst); 1076 mgmt_new_ltk(hdev, smp->responder_ltk, persistent); 1077 } 1078 1079 if (smp->link_key) { 1080 struct link_key *key; 1081 u8 type; 1082 1083 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1084 type = HCI_LK_DEBUG_COMBINATION; 1085 else if (hcon->sec_level == BT_SECURITY_FIPS) 1086 type = HCI_LK_AUTH_COMBINATION_P256; 1087 else 1088 type = HCI_LK_UNAUTH_COMBINATION_P256; 1089 1090 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1091 smp->link_key, type, 0, &persistent); 1092 if (key) { 1093 mgmt_new_link_key(hdev, key, persistent); 1094 1095 /* Don't keep debug keys around if the relevant 1096 * flag is not set. 
1097 */ 1098 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1099 key->type == HCI_LK_DEBUG_COMBINATION) { 1100 list_del_rcu(&key->list); 1101 kfree_rcu(key, rcu); 1102 } 1103 } 1104 } 1105 } 1106 1107 static void sc_add_ltk(struct smp_chan *smp) 1108 { 1109 struct hci_conn *hcon = smp->conn->hcon; 1110 u8 key_type, auth; 1111 1112 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1113 key_type = SMP_LTK_P256_DEBUG; 1114 else 1115 key_type = SMP_LTK_P256; 1116 1117 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1118 auth = 1; 1119 else 1120 auth = 0; 1121 1122 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1123 key_type, auth, smp->tk, smp->enc_key_size, 1124 0, 0); 1125 } 1126 1127 static void sc_generate_link_key(struct smp_chan *smp) 1128 { 1129 /* From core spec. Spells out in ASCII as 'lebr'. */ 1130 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1131 1132 smp->link_key = kzalloc(16, GFP_KERNEL); 1133 if (!smp->link_key) 1134 return; 1135 1136 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1137 /* SALT = 0x000000000000000000000000746D7031 */ 1138 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1139 1140 if (smp_h7(smp->tk, salt, smp->link_key)) { 1141 kfree_sensitive(smp->link_key); 1142 smp->link_key = NULL; 1143 return; 1144 } 1145 } else { 1146 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1147 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1148 1149 if (smp_h6(smp->tk, tmp1, smp->link_key)) { 1150 kfree_sensitive(smp->link_key); 1151 smp->link_key = NULL; 1152 return; 1153 } 1154 } 1155 1156 if (smp_h6(smp->link_key, lebr, smp->link_key)) { 1157 kfree_sensitive(smp->link_key); 1158 smp->link_key = NULL; 1159 return; 1160 } 1161 } 1162 1163 static void smp_allow_key_dist(struct smp_chan *smp) 1164 { 1165 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1166 * will be allowed in each PDU handler to ensure we receive 1167 * them in the correct order. 
	 */
	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
}

/* Derive an LTK from the stored BR/EDR link key of the peer and register
 * it through sc_add_ltk().
 *
 * The link key is looked up with hci_find_link_key(); a debug link key
 * marks the SMP context with SMP_FLAG_DEBUG_KEY, so the derived LTK is
 * stored as a debug key as well. The derivation mirrors the one used for
 * the link key: smp_h7() with the 'tmp2' salt when SMP_FLAG_CT2 is set,
 * smp_h6() with 'tmp2' otherwise, followed by smp_h6() with 'brle'.
 *
 * Any failure returns silently without adding an LTK.
 * NOTE(review): on a failure in the second step smp->tk already holds the
 * intermediate value - confirm that no caller uses smp->tk afterwards.
 */
static void sc_generate_ltk(struct smp_chan *smp)
{
	/* From core spec. Spells out in ASCII as 'brle'. */
	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
	struct hci_conn *hcon = smp->conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct link_key *key;

	key = hci_find_link_key(hdev, &hcon->dst);
	if (!key) {
		bt_dev_err(hdev, "no Link Key found to generate LTK");
		return;
	}

	if (key->type == HCI_LK_DEBUG_COMBINATION)
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);

	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
		/* SALT = 0x000000000000000000000000746D7032 */
		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };

		if (smp_h7(key->val, salt, smp->tk))
			return;
	} else {
		/* From core spec. Spells out in ASCII as 'tmp2'. */
		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };

		if (smp_h6(key->val, tmp2, smp->tk))
			return;
	}

	if (smp_h6(smp->tk, brle, smp->tk))
		return;

	sc_add_ltk(smp);
}

/* Phase 3 of pairing: send the local keys that were negotiated and, once
 * nothing more is expected from the peer, complete the pairing.
 *
 * The set of keys to send is the intersection of the key distribution
 * fields of the stored Pairing Request (smp->preq) and Pairing Response
 * (smp->prsp) for the local role; the result is written back into the
 * stored response. An initiator that still expects keys from the
 * responder only opens the first expected PDU and returns.
 *
 * With Secure Connections the link key (LE link) or the LTK (BR/EDR link)
 * is derived locally instead of being sent, and the SMP_SC_NO_DIST bits
 * are cleared before anything is transmitted.
 *
 * NOTE(review): the on-stack PDUs enc, idinfo and sign carry key material
 * (LTK, IRK, CSRK) and are not wiped before this function returns;
 * consider memzero_explicit() on them once they have been sent.
 */
static void smp_distribute_keys(struct smp_chan *smp)
{
	struct smp_cmd_pairing *req, *rsp;
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	__u8 *keydist;

	bt_dev_dbg(hdev, "conn %p", conn);

	/* Byte 0 of preq/prsp is the opcode, the PDU body starts at 1 */
	rsp = (void *) &smp->prsp[1];

	/* The responder sends its keys first */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
	    (smp->remote_key_dist & KEY_DIST_MASK)) {
		smp_allow_key_dist(smp);
		return;
	}

	req = (void *) &smp->preq[1];

	/* Only distribute what both sides agreed on for the local role */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		keydist = &rsp->init_key_dist;
		*keydist &= req->init_key_dist;
	} else {
		keydist = &rsp->resp_key_dist;
		*keydist &= req->resp_key_dist;
	}

	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
			sc_generate_link_key(smp);
		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
			sc_generate_ltk(smp);

		/* Clear the keys which are generated but not distributed */
		*keydist &= ~SMP_SC_NO_DIST;
	}

	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);

	if (*keydist & SMP_DIST_ENC_KEY) {
		struct smp_cmd_encrypt_info enc;
		struct smp_cmd_initiator_ident ident;
		struct smp_ltk *ltk;
		u8 authenticated;
		__le16 ediv;
		__le64 rand;

		/* Make sure we generate only the significant amount of
		 * bytes based on the encryption key size, and set the rest
		 * of the value to zeroes.
		 */
		get_random_bytes(enc.ltk, smp->enc_key_size);
		memset(enc.ltk + smp->enc_key_size, 0,
		       sizeof(enc.ltk) - smp->enc_key_size);

		get_random_bytes(&ediv, sizeof(ediv));
		get_random_bytes(&rand, sizeof(rand));

		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);

		/* The stored copy is authenticated only at BT_SECURITY_HIGH */
		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
				  smp->enc_key_size, ediv, rand);
		smp->responder_ltk = ltk;

		ident.ediv = ediv;
		ident.rand = rand;

		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
			     &ident);

		*keydist &= ~SMP_DIST_ENC_KEY;
	}

	if (*keydist & SMP_DIST_ID_KEY) {
		struct smp_cmd_ident_addr_info addrinfo;
		struct smp_cmd_ident_info idinfo;

		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));

		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);

		/* The hci_conn contains the local identity address
		 * after the connection has been established.
		 *
		 * This is true even when the connection has been
		 * established using a resolvable random address.
		 */
		bacpy(&addrinfo.bdaddr, &hcon->src);
		addrinfo.addr_type = hcon->src_type;

		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
			     &addrinfo);

		*keydist &= ~SMP_DIST_ID_KEY;
	}

	if (*keydist & SMP_DIST_SIGN) {
		struct smp_cmd_sign_info sign;
		struct smp_csrk *csrk;

		/* Generate a new random key */
		get_random_bytes(sign.csrk, sizeof(sign.csrk));

		/* Allocation failure is tolerated: the CSRK is still sent
		 * to the peer below, it just is not kept locally.
		 */
		csrk = kzalloc_obj(*csrk);
		if (csrk) {
			if (hcon->sec_level > BT_SECURITY_MEDIUM)
				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
			else
				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
		}
		smp->responder_csrk = csrk;

		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);

		*keydist &= ~SMP_DIST_SIGN;
	}

	/* If there are still keys to be received wait for them */
	if (smp->remote_key_dist & KEY_DIST_MASK) {
		smp_allow_key_dist(smp);
		return;
	}

	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
	smp_notify_keys(conn);

	smp_chan_destroy(conn);
}

/* Delayed-work handler of smp->security_timer: a pairing that did not
 * finish in time is ended by disconnecting the link with
 * HCI_ERROR_AUTH_FAILURE.
 */
static void smp_timeout(struct work_struct *work)
{
	struct smp_chan *smp = container_of(work, struct smp_chan,
					    security_timer.work);
	struct l2cap_conn *conn = smp->conn;

	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);

	hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE);
}

/* Allocate the per-pairing SMP context for @conn and attach it to the SMP
 * channel (conn->smp). Returns the new context, or NULL when the
 * allocation or the ECDH transform setup fails.
 *
 * The context is allocated with GFP_ATOMIC.
 */
static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
{
	struct hci_conn *hcon = conn->hcon;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp;

	smp = kzalloc_obj(*smp, GFP_ATOMIC);
	if (!smp)
		return NULL;

	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
	if (IS_ERR(smp->tfm_ecdh)) {
		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
		goto zfree_smp;
	}

	smp->conn = conn;
	chan->data = smp;

	/* Pairing Failed is the only PDU accepted from the start */
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);

	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);

	/* Reference on the connection for the lifetime of the context */
	hci_conn_hold(hcon);

	return smp;

zfree_smp:
	/* kfree_sensitive() wipes the context before releasing it */
	kfree_sensitive(smp);
	return NULL;
}

/* Compute the Secure Connections MacKey and LTK with smp_f5().
 *
 * Inputs are smp->dhkey, the two pairing nonces ordered as initiator
 * nonce (na) then responder nonce (nb), and the initiator and responder
 * addresses, each 6 address bytes followed by the address type.
 * Returns the result of smp_f5().
 */
static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
{
	struct hci_conn *hcon = smp->conn->hcon;
	u8 *na, *nb, a[7], b[7];

	/* prnd is the local nonce, rrnd the remote one */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		na   = smp->prnd;
		nb   = smp->rrnd;
	} else {
		na   = smp->rrnd;
		nb   = smp->prnd;
	}

	memcpy(a, &hcon->init_addr, 6);
	memcpy(b, &hcon->resp_addr, 6);
	a[6] = hcon->init_addr_type;
	b[6] = hcon->resp_addr_type;

	return smp_f5(smp->dhkey, na, nb, a, b, mackey, ltk);
}

/* Build and send the local DHKey Check PDU.
 *
 * The check value is computed by smp_f6() over smp->mackey, both nonces,
 * the value r, the first three bytes of the local pairing PDU (taken as
 * io_cap) and the local and remote addresses. r is zero, except for the
 * passkey methods (the passkey, little endian) and for OOB (smp->rr).
 *
 * NOTE(review): the return value of smp_f6() is ignored. Whether check.e
 * is written on failure is not visible here; if it is not, uninitialised
 * stack bytes would be sent to the peer. Consider zero-initialising
 * `check` or skipping the send when smp_f6() fails.
 */
static void sc_dhkey_check(struct smp_chan *smp)
{
	struct hci_conn *hcon = smp->conn->hcon;
	struct smp_cmd_dhkey_check check;
	u8 a[7], b[7], *local_addr, *remote_addr;
	u8 io_cap[3], r[16];

	memcpy(a, &hcon->init_addr, 6);
	memcpy(b, &hcon->resp_addr, 6);
	a[6] = hcon->init_addr_type;
	b[6] = hcon->resp_addr_type;

	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		local_addr = a;
		remote_addr = b;
		memcpy(io_cap, &smp->preq[1], 3);
	} else {
		local_addr = b;
		remote_addr = a;
		memcpy(io_cap, &smp->prsp[1], 3);
	}

	memset(r, 0, sizeof(r));

	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
		put_unaligned_le32(hcon->passkey_notify, r);

	if (smp->method == REQ_OOB)
		memcpy(r, smp->rr, 16);

	smp_f6(smp->mackey, smp->prnd, smp->rrnd, r, io_cap, local_addr,
	       remote_addr, check.e);

	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
}

/* Send the Pairing Confirm for the current passkey round.
 *
 * r is the passkey bit selected by smp->passkey_round with bit 7 set.
 * A fresh local nonce is drawn for every round. Returns 0 on success or
 * SMP_UNSPECIFIED when smp_f4() fails.
 */
static u8 sc_passkey_send_confirm(struct smp_chan *smp)
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
	struct smp_cmd_pairing_confirm cfm;
	u8 r;

	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
	r |= 0x80;

	/* New nonce per round, so a confirm value is never reused */
	get_random_bytes(smp->prnd, sizeof(smp->prnd));

	if (smp_f4(smp->local_pk, smp->remote_pk, smp->prnd, r,
		   cfm.confirm_val))
		return SMP_UNSPECIFIED;

	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);

	return 0;
}

/* Drive one step of the 20-round Secure Connections passkey exchange.
 *
 * @smp_op is the PDU that triggered the step: SMP_CMD_PAIRING_RANDOM,
 * SMP_CMD_PAIRING_CONFIRM, or anything else (including
 * SMP_CMD_PUBLIC_KEY and 0) to start a round. Returns 0 or an SMP error
 * code.
 */
static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	u8 cfm[16], r;

	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
	if (smp->passkey_round >= 20)
		return 0;

	switch (smp_op) {
	case SMP_CMD_PAIRING_RANDOM:
		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
		r |= 0x80;

		/* Recompute the peer's confirm from the nonce it revealed */
		if (smp_f4(smp->remote_pk, smp->local_pk, smp->rrnd, r, cfm))
			return SMP_UNSPECIFIED;

		/* crypto_memneq() compares in constant time */
		if (crypto_memneq(smp->pcnf, cfm, 16))
			return SMP_CONFIRM_FAILED;

		smp->passkey_round++;

		if (smp->passkey_round == 20) {
			/* Generate MacKey and LTK */
			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
				return SMP_UNSPECIFIED;
		}

		/* The round is only complete when the initiator
		 * receives pairing random.
		 */
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
				     sizeof(smp->prnd), smp->prnd);
			if (smp->passkey_round == 20)
				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
			else
				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
			return 0;
		}

		/* Start the next round */
		if (smp->passkey_round != 20)
			return sc_passkey_round(smp, 0);

		/* Passkey rounds are complete - start DHKey Check */
		sc_dhkey_check(smp);
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);

		break;

	case SMP_CMD_PAIRING_CONFIRM:
		/* The local user has not replied yet: remember that a
		 * confirm is owed and continue from sc_user_reply().
		 */
		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
			return 0;
		}

		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
				     sizeof(smp->prnd), smp->prnd);
			return 0;
		}

		return sc_passkey_send_confirm(smp);

	case SMP_CMD_PUBLIC_KEY:
	default:
		/* Initiating device starts the round */
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
			return 0;

		bt_dev_dbg(hdev, "Starting passkey round %u",
			   smp->passkey_round + 1);

		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);

		return sc_passkey_send_confirm(smp);
	}

	return 0;
}

/* Handle a user reply (mgmt operation @mgmt_op) for a Secure Connections
 * pairing.
 *
 * Negative replies fail the pairing and return 0. A passkey reply stores
 * the passkey, restarts the round counter and resumes the passkey rounds
 * (-EIO if that step reports an SMP error). Any other operation falls
 * through to the DHKey Check step. Returns 0 or -EIO.
 */
static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
	u8 smp_op;

	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);

	switch (mgmt_op) {
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
		return 0;
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
		return 0;
	case MGMT_OP_USER_PASSKEY_REPLY:
		hcon->passkey_notify = le32_to_cpu(passkey);
		smp->passkey_round = 0;

		/* A confirm that arrived while waiting is processed now */
		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
			smp_op = SMP_CMD_PAIRING_CONFIRM;
		else
			smp_op = 0;

		if (sc_passkey_round(smp, smp_op))
			return -EIO;

		return 0;
	}

	/* Initiator sends DHKey check first */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		sc_dhkey_check(smp);
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
		sc_dhkey_check(smp);
		sc_add_ltk(smp);
	}

	return 0;
}

/* Entry point for user confirmation / passkey replies on @hcon.
 *
 * Returns -ENOTCONN when there is no L2CAP connection, no SMP channel or
 * no pairing in progress, -EOPNOTSUPP for an unknown @mgmt_op, otherwise
 * 0 (or the result of sc_user_reply() for Secure Connections). The SMP
 * channel lock is held while the pairing context is used.
 */
int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	struct l2cap_chan *chan;
	struct smp_chan *smp;
	u32 value;
	int err;

	if (!conn)
		return -ENOTCONN;

	bt_dev_dbg(conn->hcon->hdev, "");

	chan = conn->smp;
	if (!chan)
		return -ENOTCONN;

	l2cap_chan_lock(chan);
	if (!chan->data) {
		err = -ENOTCONN;
		goto unlock;
	}

	smp = chan->data;

	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		err = sc_user_reply(smp, mgmt_op, passkey);
		goto unlock;
	}

	switch (mgmt_op) {
	case MGMT_OP_USER_PASSKEY_REPLY:
		value = le32_to_cpu(passkey);
		memset(smp->tk, 0, sizeof(smp->tk));
		/* NOTE(review): this prints the user's passkey through
		 * bt_dev_dbg(). The file's SMP_DBG() macro is described as
		 * the place for values that must not end up in dmesg by
		 * accident - consider whether the passkey belongs there.
		 */
		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
		/* Legacy pairing: the passkey becomes the TK */
		put_unaligned_le32(value, smp->tk);
		fallthrough;
	case MGMT_OP_USER_CONFIRM_REPLY:
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
		break;
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
		err = 0;
		goto unlock;
	default:
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
		err = -EOPNOTSUPP;
		goto unlock;
	}

	err = 0;

	/* If it is our turn to send Pairing Confirm, do so now */
	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
		u8 rsp = smp_confirm(smp);
		if (rsp)
			smp_failure(conn, rsp);
	}

unlock:
	l2cap_chan_unlock(chan);
	return err;
}

/* Fill in the pairing PDU used for SMP over BR/EDR.
 *
 * With @rsp == NULL the request @req is built from the local settings;
 * otherwise @rsp is built as the answer to the received @req, with the
 * key distribution limited to what both sides offer. In both cases
 * smp->remote_key_dist is set to the keys expected from the peer.
 *
 * Key distribution depends on HCI_BONDABLE (encryption and signing
 * keys), HCI_RPA_RESOLVING (ask for the peer's identity key) and
 * HCI_PRIVACY (offer the local identity key).
 */
static void build_bredr_pairing_cmd(struct smp_chan *smp,
				    struct smp_cmd_pairing *req,
				    struct smp_cmd_pairing *rsp)
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_dev *hdev = conn->hcon->hdev;
	u8 local_dist = 0, remote_dist = 0;

	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
	}

	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
		remote_dist |= SMP_DIST_ID_KEY;

	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
		local_dist |= SMP_DIST_ID_KEY;

	if (!rsp) {
		memset(req, 0, sizeof(*req));

		req->auth_req        = SMP_AUTH_CT2;
		req->init_key_dist   = local_dist;
		req->resp_key_dist   = remote_dist;
		/* The key size of the existing BR/EDR link is the limit */
		req->max_key_size    = conn->hcon->enc_key_size;

		smp->remote_key_dist = remote_dist;

		return;
	}

	memset(rsp, 0, sizeof(*rsp));

	rsp->auth_req        = SMP_AUTH_CT2;
	rsp->max_key_size    = conn->hcon->enc_key_size;
	rsp->init_key_dist   = req->init_key_dist & remote_dist;
	rsp->resp_key_dist   = req->resp_key_dist & local_dist;

	smp->remote_key_dist = rsp->init_key_dist;
}

/* Handle a received Pairing Request (local side is the responder).
 *
 * Returns 0 on success or an SMP error code. The PDU length is checked
 * before any field is read, and the auth_req bits of the peer are masked
 * with AUTH_REQ_MASK() before use.
 *
 * Policy checks made here: bonding is refused when the device is not
 * bondable, a request without the SC bit is refused in HCI_SC_ONLY mode,
 * SMP over BR/EDR requires HCI_CONN_AES_CCM on the link (unless
 * HCI_FORCE_BREDR_SMP is set), a pending security level of
 * BT_SECURITY_HIGH or above refuses the JUST_WORKS/JUST_CFM methods, and
 * the negotiated key size must pass check_enc_key_size().
 *
 * NOTE(review): a context created here is not released on the error
 * returns below; presumably the caller tears the pairing down when a
 * non-zero code is returned - verify against the PDU dispatcher.
 */
static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct hci_dev *hdev = conn->hcon->hdev;
	struct smp_chan *smp = chan->data;
	u8 key_size, auth, sec_level;
	int ret;

	bt_dev_dbg(hdev, "conn %p", conn);

	if (skb->len < sizeof(*req))
		return SMP_INVALID_PARAMS;

	/* A Pairing Request is not accepted while we are the initiator */
	if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
		return SMP_CMD_NOTSUPP;

	if (!smp) {
		smp = smp_chan_create(conn);
		if (!smp)
			return SMP_UNSPECIFIED;
	}

	/* We didn't start the pairing, so match remote */
	auth = req->auth_req & AUTH_REQ_MASK(hdev);

	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
	    (auth & SMP_AUTH_BONDING))
		return SMP_PAIRING_NOTSUPP;

	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
		return SMP_AUTH_REQUIREMENTS;

	/* Keep the request as received; later steps read it back */
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
	memcpy(&smp->preq[1], req, sizeof(*req));
	skb_pull(skb, sizeof(*req));

	/* If the remote side's OOB flag is set it means it has
	 * successfully received our local OOB data - therefore set the
	 * flag to indicate that local OOB is in use.
	 */
	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);

	/* SMP over BR/EDR requires special treatment */
	if (conn->hcon->type == ACL_LINK) {
		/* We must have a BR/EDR SC link */
		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
			return SMP_CROSS_TRANSP_NOT_ALLOWED;

		set_bit(SMP_FLAG_SC, &smp->flags);

		build_bredr_pairing_cmd(smp, req, &rsp);

		if (req->auth_req & SMP_AUTH_CT2)
			set_bit(SMP_FLAG_CT2, &smp->flags);

		key_size = min(req->max_key_size, rsp.max_key_size);
		if (check_enc_key_size(conn, key_size))
			return SMP_ENC_KEY_SIZE;

		/* Clear bits which are generated but not distributed */
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;

		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);

		smp_distribute_keys(smp);
		return 0;
	}

	build_pairing_cmd(conn, req, &rsp, auth);

	if (rsp.auth_req & SMP_AUTH_SC) {
		set_bit(SMP_FLAG_SC, &smp->flags);

		if (rsp.auth_req & SMP_AUTH_CT2)
			set_bit(SMP_FLAG_CT2, &smp->flags);
	}

	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
		sec_level = BT_SECURITY_MEDIUM;
	else
		sec_level = authreq_to_seclevel(auth);

	/* The pending level is only ever raised here, never lowered */
	if (sec_level > conn->hcon->pending_sec_level)
		conn->hcon->pending_sec_level = sec_level;

	/* If we need MITM check that it can be achieved. */
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
		u8 method;

		method = get_auth_method(smp, conn->hcon->io_capability,
					 req->io_capability);
		if (method == JUST_WORKS || method == JUST_CFM)
			return SMP_AUTH_REQUIREMENTS;

		/* Force MITM bit if it isn't set by the initiator. */
		auth |= SMP_AUTH_MITM;
		rsp.auth_req |= SMP_AUTH_MITM;
	}

	key_size = min(req->max_key_size, rsp.max_key_size);
	if (check_enc_key_size(conn, key_size))
		return SMP_ENC_KEY_SIZE;

	get_random_bytes(smp->prnd, sizeof(smp->prnd));

	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));

	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);

	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);

	/* Strictly speaking we shouldn't allow Pairing Confirm for the
	 * SC case, however some implementations incorrectly copy RFU auth
	 * req bits from our security request, which may create a false
	 * positive SC enablement.
	 */
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);

	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
		/* Clear bits which are generated but not distributed */
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
		/* Wait for Public Key from Initiating Device */
		return 0;
	}

	/* Request setup of TK */
	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
	if (ret)
		return SMP_UNSPECIFIED;

	return 0;
}

/* Select the local ECDH public key for this pairing and send it in a
 * Public Key PDU. Returns 0 or SMP_UNSPECIFIED.
 *
 * Three sources, in order: the device-wide key and random value that were
 * handed out as local OOB data (SMP_FLAG_LOCAL_OOB), the fixed debug key
 * pair when HCI_USE_DEBUG_KEYS is set, or a freshly generated key pair.
 * Whenever the debug key is in use SMP_FLAG_DEBUG_KEY is set on the
 * context, so that the keys derived from this pairing are typed as debug
 * keys where they are stored (see sc_add_ltk()).
 */
static u8 sc_send_public_key(struct smp_chan *smp)
{
	struct hci_dev *hdev = smp->conn->hcon->hdev;

	bt_dev_dbg(hdev, "");

	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
		struct l2cap_chan *chan = hdev->smp_data;
		struct smp_dev *smp_dev;

		if (!chan || !chan->data)
			return SMP_UNSPECIFIED;

		smp_dev = chan->data;

		/* The peer holds this public key already through OOB */
		memcpy(smp->local_pk, smp_dev->local_pk, 64);
		memcpy(smp->lr, smp_dev->local_rand, 16);

		if (smp_dev->debug_key)
			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);

		goto done;
	}

	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
		bt_dev_dbg(hdev, "Using debug keys");
		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
			return SMP_UNSPECIFIED;
		memcpy(smp->local_pk, debug_pk, 64);
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
	} else {
		while (true) {
			/* Generate key pair for Secure Connections */
			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
				return SMP_UNSPECIFIED;

			/* This is unlikely, but we need to check that
			 * we didn't accidentally generate a debug key.
			 */
			if (crypto_memneq(smp->local_pk, debug_pk, 64))
				break;
		}
	}

done:
	/* Only the public key is printed, and only in DEBUG builds */
	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);

	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);

	return 0;
}

/* Handle a received Pairing Response (local side is the initiator).
 *
 * Returns 0 on success or an SMP error code. The PDU length is checked
 * before any field is read and the response is refused unless this side
 * started the pairing. The response is checked against the stored
 * request (smp->preq): negotiated key size, the SC bit in HCI_SC_ONLY
 * mode, and whether the resulting method can provide MITM protection
 * when the pending security level asks for it.
 *
 * Secure Connections (and CT2) are only enabled when both the stored
 * request and the response carry the bit; without SC a pending level
 * above BT_SECURITY_HIGH is lowered to BT_SECURITY_HIGH.
 *
 * NOTE(review): smp is taken from chan->data without a NULL check;
 * presumably the PDU dispatcher only calls this handler while a pairing
 * context exists - verify against the caller.
 */
static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_dev *hdev = conn->hcon->hdev;
	u8 key_size, auth;
	int ret;

	bt_dev_dbg(hdev, "conn %p", conn);

	if (skb->len < sizeof(*rsp))
		return SMP_INVALID_PARAMS;

	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
		return SMP_CMD_NOTSUPP;

	skb_pull(skb, sizeof(*rsp));

	/* The request we sent earlier, without the opcode byte */
	req = (void *) &smp->preq[1];

	key_size = min(req->max_key_size, rsp->max_key_size);
	if (check_enc_key_size(conn, key_size))
		return SMP_ENC_KEY_SIZE;

	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);

	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
		return SMP_AUTH_REQUIREMENTS;

	/* If the remote side's OOB flag is set it means it has
	 * successfully received our local OOB data - therefore set the
	 * flag to indicate that local OOB is in use.
	 */
	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);

	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));

	/* Update remote key distribution in case the remote cleared
	 * some bits that we had enabled in our request.
	 */
	smp->remote_key_dist &= rsp->resp_key_dist;

	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
		set_bit(SMP_FLAG_CT2, &smp->flags);

	/* For BR/EDR this means we're done and can start phase 3 */
	if (conn->hcon->type == ACL_LINK) {
		/* Clear bits which are generated but not distributed */
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
		smp_distribute_keys(smp);
		return 0;
	}

	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
		set_bit(SMP_FLAG_SC, &smp->flags);
	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;

	/* If we need MITM check that it can be achieved */
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
		u8 method;

		method = get_auth_method(smp, req->io_capability,
					 rsp->io_capability);
		if (method == JUST_WORKS || method == JUST_CFM)
			return SMP_AUTH_REQUIREMENTS;
	}

	get_random_bytes(smp->prnd, sizeof(smp->prnd));

	/* Update remote key distribution in case the remote cleared
	 * some bits that we had enabled in our request.
	 */
	smp->remote_key_dist &= rsp->resp_key_dist;

	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		/* Clear bits which are generated but not distributed */
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
		return sc_send_public_key(smp);
	}

	auth |= req->auth_req;

	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
	if (ret)
		return SMP_UNSPECIFIED;

	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);

	/* Can't compose response until we have been confirmed */
	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
		return smp_confirm(smp);

	return 0;
}

/* Continue a Secure Connections pairing after a Pairing Confirm has been
 * received: the passkey methods go on with their round handling; for the
 * other methods an initiator answers with its Pairing Random and then
 * expects the peer's. Returns 0 or an SMP error code.
 */
static u8 sc_check_confirm(struct smp_chan *smp)
{
	struct l2cap_conn *conn = smp->conn;

	bt_dev_dbg(conn->hcon->hdev, "");

	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);

	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
	}

	return 0;
}

/* Work-around for some implementations that incorrectly copy RFU bits
 * from our security request and thereby create the impression that
 * we're doing SC when in fact the remote doesn't support it.
 */
static int fixup_sc_false_positive(struct smp_chan *smp)
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct smp_cmd_pairing *req, *rsp;
	u8 auth;

	/* The issue is only observed when we're in responder role */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
		return SMP_UNSPECIFIED;

	/* Falling back to legacy pairing is a downgrade, so it must never
	 * happen while the device is restricted to Secure Connections.
	 */
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
		return SMP_UNSPECIFIED;
	}

	bt_dev_err(hdev, "trying to fall back to legacy SMP");

	req = (void *) &smp->preq[1];
	rsp = (void *) &smp->prsp[1];

	/* Rebuild key dist flags which may have been cleared for SC */
	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);

	auth = req->auth_req & AUTH_REQ_MASK(hdev);

	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
		bt_dev_err(hdev, "failed to fall back to legacy SMP");
		return SMP_UNSPECIFIED;
	}

	/* SC is only switched off once the legacy TK setup has started */
	clear_bit(SMP_FLAG_SC, &smp->flags);

	return 0;
}

/* Handle a received Pairing Confirm. Returns 0 or an SMP error code.
 *
 * The confirm value is stored in smp->pcnf after the length check. With
 * Secure Connections the confirm is only valid once the remote public
 * key has been received; a confirm that arrives earlier is treated as a
 * sign of a legacy peer and goes through fixup_sc_false_positive().
 * In legacy pairing the initiator answers with its Pairing Random, the
 * responder with its own confirm once the TK is valid.
 */
static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;

	bt_dev_dbg(hdev, "conn %p %s", conn,
		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
		   "responder");

	if (skb->len < sizeof(smp->pcnf))
		return SMP_INVALID_PARAMS;

	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
	skb_pull(skb, sizeof(smp->pcnf));

	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
		int ret;

		/* Public Key exchange must happen before any other steps */
		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
			return sc_check_confirm(smp);

		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");

		ret = fixup_sc_false_positive(smp);
		if (ret)
			return ret;
	}

	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
		return 0;
	}

	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
		return smp_confirm(smp);

	/* The TK is not known yet: send our confirm when it is */
	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);

	return 0;
}

/* Handle a received Pairing Random. Returns 0 or an SMP error code.
 *
 * The remote nonce is stored in smp->rrnd after the length check. Legacy
 * pairing continues in smp_random(). For Secure Connections:
 *  - OOB skips the confirm check and goes straight to MacKey/LTK;
 *  - the passkey methods go through sc_passkey_round();
 *  - otherwise the initiator verifies the confirm value received earlier
 *    (smp->pcnf) against smp_f4() over the revealed nonce, MacKey and LTK
 *    are derived, and the user is asked to confirm the 6-digit value
 *    computed by smp_g2().
 */
static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_conn *hcon = conn->hcon;
	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
	u32 passkey = 0;
	int err;

	bt_dev_dbg(hcon->hdev, "conn %p", conn);

	if (skb->len < sizeof(smp->rrnd))
		return SMP_INVALID_PARAMS;

	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
	skb_pull(skb, sizeof(smp->rrnd));

	if (!test_bit(SMP_FLAG_SC, &smp->flags))
		return smp_random(smp);

	/* "a" values belong to the initiator, "b" values to the responder */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		pkax = smp->local_pk;
		pkbx = smp->remote_pk;
		na   = smp->prnd;
		nb   = smp->rrnd;
	} else {
		pkax = smp->remote_pk;
		pkbx = smp->local_pk;
		na   = smp->rrnd;
		nb   = smp->prnd;
	}

	if (smp->method == REQ_OOB) {
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
				     sizeof(smp->prnd), smp->prnd);
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
		goto mackey_and_ltk;
	}

	/* Passkey entry has special treatment */
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);

	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		u8 cfm[16];

		err = smp_f4(smp->remote_pk, smp->local_pk, smp->rrnd, 0, cfm);
		if (err)
			return SMP_UNSPECIFIED;

		/* crypto_memneq() compares in constant time */
		if (crypto_memneq(smp->pcnf, cfm, 16))
			return SMP_CONFIRM_FAILED;
	} else {
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
	}

mackey_and_ltk:
	/* Generate MacKey and LTK */
	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
	if (err)
		return SMP_UNSPECIFIED;

	if (smp->method == REQ_OOB) {
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
			sc_dhkey_check(smp);
			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
		}
		return 0;
	}

	err = smp_g2(pkax, pkbx, na, nb, &passkey);
	if (err)
		return SMP_UNSPECIFIED;

	/* Always require user confirmation for Just-Works pairing to prevent
	 * impersonation attacks, or in case of a legitimate device that is
	 * repairing use the confirmation as acknowledgment to proceed with the
	 * creation of new keys.
	 */
	confirm_hint = smp->method == JUST_WORKS ? 1 : 0;

	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
					hcon->dst_type, passkey, confirm_hint);
	if (err)
		return SMP_UNSPECIFIED;

	/* Pairing is paused until the user reply comes in */
	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);

	return 0;
}

/* Try to encrypt the link with a stored LTK.
 *
 * Returns false when no LTK is stored for the peer and role, or when the
 * stored key does not reach @sec_level; in that case the caller has to
 * pair. Returns true when encryption was started here or was already
 * pending (HCI_CONN_ENCRYPT_PEND).
 */
static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
{
	struct smp_ltk *key;
	struct hci_conn *hcon = conn->hcon;

	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
	if (!key)
		return false;

	/* A weaker stored key must not satisfy a stronger request */
	if (smp_ltk_sec_level(key) < sec_level)
		return false;

	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
		return true;

	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
	hcon->enc_key_size = key->enc_size;

	/* We never store STKs for initiator role, so clear this flag */
	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);

	return true;
}

/* Tell whether @hcon already meets @sec_level.
 *
 * BT_SECURITY_LOW is always met. With @key_pref == SMP_USE_LTK a link
 * that is encrypted with an STK counts as insufficient while an LTK is
 * stored for the peer. Otherwise the current security level of the
 * connection decides.
 */
bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
			     enum smp_key_pref key_pref)
{
	if (sec_level == BT_SECURITY_LOW)
		return true;

	/* If we're encrypted with an STK but the caller prefers using
	 * LTK claim insufficient security. This way we allow the
	 * connection to be re-encrypted with an LTK, even if the LTK
	 * provides the same level of security. Only exception is if we
	 * don't have an LTK (e.g. because of key distribution bits).
*/
	if (key_pref == SMP_USE_LTK &&
	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
		return false;

	if (hcon->sec_level >= sec_level)
		return true;

	return false;
}

/* Build and send a Pairing Request and mark this side as initiator.
 *
 * The request is built with the BR/EDR variant for ACL links and the LE
 * variant (using @auth) otherwise. A copy including the opcode byte is
 * kept in smp->preq, and only a Pairing Response is allowed next.
 */
static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
{
	struct smp_cmd_pairing cp;

	if (smp->conn->hcon->type == ACL_LINK)
		build_bredr_pairing_cmd(smp, &cp, NULL);
	else
		build_pairing_cmd(smp->conn, &cp, NULL, auth);

	/* Keep the raw PDU (opcode + payload) for later use */
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
	memcpy(&smp->preq[1], &cp, sizeof(cp));

	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);

	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
}

/* Handle a received Security Request PDU.
 *
 * Only accepted when the local role is HCI_ROLE_MASTER. If a stored LTK
 * can satisfy the requested level the link is (re-)encrypted, otherwise
 * a new SMP context is created and a Pairing Request is sent.
 *
 * Returns 0 on success or an SMP error reason code.
 */
static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_security_req *rp = (void *) skb->data;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct smp_chan *smp;
	u8 sec_level, auth;

	bt_dev_dbg(hdev, "conn %p", conn);

	/* Validate the PDU length before reading any field of *rp */
	if (skb->len < sizeof(*rp))
		return SMP_INVALID_PARAMS;

	if (hcon->role != HCI_ROLE_MASTER)
		return SMP_CMD_NOTSUPP;

	/* Drop AuthReq bits outside the mask for this controller's config */
	auth = rp->auth_req & AUTH_REQ_MASK(hdev);

	/* In SC-only mode a request without the SC bit is refused */
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
		return SMP_AUTH_REQUIREMENTS;

	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
		sec_level = BT_SECURITY_MEDIUM;
	else
		sec_level = authreq_to_seclevel(auth);

	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
		/* If link is already encrypted with sufficient security we
		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
		 * Part H 2.4.6
		 */
		smp_ltk_encrypt(conn, hcon->sec_level);
		return 0;
	}

	/* pending_sec_level is only ever raised here, never lowered */
	if (sec_level > hcon->pending_sec_level)
		hcon->pending_sec_level = sec_level;

	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
		return 0;

	smp = smp_chan_create(conn);
	if (!smp)
		return SMP_UNSPECIFIED;

	/* NOTE(review): the SMP context already exists when this returns;
	 * presumably the caller's smp_failure() on a non-zero reason tears
	 * it down - confirm.
	 */
	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
	    (auth & SMP_AUTH_BONDING))
		return SMP_PAIRING_NOTSUPP;

	skb_pull(skb, sizeof(*rp));

	smp_send_pairing_req(smp, auth);

	return 0;
}

/* Send a Security Request with @auth and mark this side as non-initiator.
 *
 * Only a Pairing Request is allowed as the next command.
 */
static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
{
	struct smp_cmd_security_req cp;

	cp.auth_req = auth;
	smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);

	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
}

/* Raise the security of an LE connection to @sec_level.
 *
 * Returns 1 when nothing was started: no L2CAP connection, LE disabled,
 * security already sufficient, no SMP channel, or the SMP context could
 * not be created. Returns 0 when LTK encryption was started, SMP is
 * already in progress, or a Pairing/Security Request was sent.
 */
int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
{
	struct l2cap_conn *conn = hcon->l2cap_data;
	struct l2cap_chan *chan;
	struct smp_chan *smp;
	__u8 authreq;
	int ret;

	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
		   sec_level);

	/* This may be NULL if there's an unexpected disconnection */
	if (!conn)
		return 1;

	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
		return 1;

	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
		return 1;

	if (sec_level > hcon->pending_sec_level)
		hcon->pending_sec_level = sec_level;

	/* Only the HCI_ROLE_MASTER side tries a stored LTK first */
	if (hcon->role == HCI_ROLE_MASTER)
		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
			return 0;

	chan = conn->smp;
	if (!chan) {
		bt_dev_err(hcon->hdev, "security requested but not available");
		return 1;
	}

	/* chan->data and the SMP context are accessed under the channel lock */
	l2cap_chan_lock(chan);

	/* If SMP is already in progress ignore this request */
	if (chan->data) {
		ret = 0;
		goto unlock;
	}

	smp = smp_chan_create(conn);
	if (!smp) {
		ret = 1;
		goto unlock;
	}

	authreq = seclevel_to_authreq(sec_level);

	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
		authreq |= SMP_AUTH_SC;
		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
			authreq |= SMP_AUTH_CT2;
	}

	/* Don't attempt to set MITM if setting is overridden by debugfs
	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
	 */
	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
		/* Require MITM if IO Capability allows or the security level
		 * requires it.
		 */
		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
			authreq |= SMP_AUTH_MITM;
	}

	if (hcon->role == HCI_ROLE_MASTER)
		smp_send_pairing_req(smp, authreq);
	else
		smp_send_security_req(smp, authreq);

	ret = 0;

unlock:
	l2cap_chan_unlock(chan);
	return ret;
}

/* Remove the stored LTK and IRK for a peer and abort any SMP session
 * that is still attached to its LE connection.
 *
 * Returns the result of hci_remove_ltk(), or 0 when an active SMP
 * context was found and torn down.
 */
int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
				  u8 addr_type)
{
	struct hci_conn *hcon;
	struct l2cap_conn *conn;
	struct l2cap_chan *chan;
	struct smp_chan *smp;
	int err;

	err = hci_remove_ltk(hdev, bdaddr, addr_type);
	hci_remove_irk(hdev, bdaddr, addr_type);

	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
	if (!hcon)
		goto done;

	conn = hcon->l2cap_data;
	if (!conn)
		goto done;

	chan = conn->smp;
	if (!chan)
		goto done;

	l2cap_chan_lock(chan);

	smp = chan->data;
	if (smp) {
		/* Set keys to NULL to make sure smp_failure() does not try to
		 * remove and free already invalidated rcu list entries.
*/
		smp->ltk = NULL;
		smp->responder_ltk = NULL;
		smp->remote_irk = NULL;

		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
			smp_failure(conn, 0);
		else
			smp_failure(conn, SMP_UNSPECIFIED);
		err = 0;
	}

	l2cap_chan_unlock(chan);

done:
	return err;
}

/* Handle an Encryption Information PDU (the peer's distributed LTK).
 *
 * The key is rejected if it is on the blocked-key list; otherwise it is
 * parked in smp->tk until the matching Initiator Identification PDU
 * supplies ediv/rand.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;

	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);

	/* Validate the PDU length before reading rp->ltk */
	if (skb->len < sizeof(*rp))
		return SMP_INVALID_PARAMS;

	/* Pairing is aborted if any blocked keys are distributed */
	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
			       rp->ltk)) {
		bt_dev_warn_ratelimited(conn->hcon->hdev,
					"LTK blocked for %pMR",
					&conn->hcon->dst);
		return SMP_INVALID_PARAMS;
	}

	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);

	skb_pull(skb, sizeof(*rp));

	/* smp->tk is reused as temporary storage for the received LTK */
	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));

	return 0;
}

/* Handle an Initiator Identification PDU (ediv/rand for the peer LTK).
 *
 * Stores the LTK previously saved in smp->tk through hci_add_ltk(),
 * marked authenticated only when the link is at BT_SECURITY_HIGH, and
 * allows the next expected key distribution command.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_dev *hdev = conn->hcon->hdev;
	struct hci_conn *hcon = conn->hcon;
	struct smp_ltk *ltk;
	u8 authenticated;

	bt_dev_dbg(hdev, "conn %p", conn);

	if (skb->len < sizeof(*rp))
		return SMP_INVALID_PARAMS;

	/* Mark the information as received */
	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;

	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);

	skb_pull(skb, sizeof(*rp));

	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
			  authenticated, smp->tk, smp->enc_key_size,
			  rp->ediv, rp->rand);
	/* The result is stored unchecked; it may be NULL if the add failed */
	smp->ltk = ltk;
	/* Start our own distribution once the peer has nothing left to send */
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
		smp_distribute_keys(smp);

	return 0;
}

/* Handle an Identity Information PDU (the peer's IRK).
 *
 * A blocked IRK aborts pairing; otherwise the IRK is saved in smp->irk
 * until the Identity Address Information PDU arrives.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_ident_info *info = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;

	bt_dev_dbg(conn->hcon->hdev, "");

	if (skb->len < sizeof(*info))
		return SMP_INVALID_PARAMS;

	/* Pairing is aborted if any blocked keys are distributed */
	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
			       info->irk)) {
		bt_dev_warn_ratelimited(conn->hcon->hdev,
					"Identity key blocked for %pMR",
					&conn->hcon->dst);
		return SMP_INVALID_PARAMS;
	}

	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);

	skb_pull(skb, sizeof(*info));

	memcpy(smp->irk, info->irk, 16);

	return 0;
}

/* Handle an Identity Address Information PDU.
 *
 * Binds the IRK saved by smp_cmd_ident_info() to the identity address
 * supplied by the peer, unless that address fails the sanity checks
 * below, in which case the IRK is ignored.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
				   struct sk_buff *skb)
{
	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_conn *hcon = conn->hcon;
	bdaddr_t rpa;

	bt_dev_dbg(hcon->hdev, "");

	if (skb->len < sizeof(*info))
		return SMP_INVALID_PARAMS;

	/* Mark the information as received */
	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;

	if (smp->remote_key_dist & SMP_DIST_SIGN)
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);

	skb_pull(skb, sizeof(*info));

	/* Strictly speaking the Core Specification (4.1) allows sending
	 * an empty address which would force us to rely on just the IRK
	 * as "identity information".
However, since such
	 * implementations are not known of and in order to not over
	 * complicate our implementation, simply pretend that we never
	 * received an IRK for such a device.
	 *
	 * The Identity Address must also be a Static Random or Public
	 * Address, which hci_is_identity_address() checks for.
	 */
	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
		goto distribute;
	}

	/* Drop IRK if peer is using identity address during pairing but is
	 * providing different address as identity information.
	 *
	 * Microsoft Surface Precision Mouse is known to have this bug.
	 */
	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
	    (bacmp(&info->bdaddr, &hcon->dst) ||
	     info->addr_type != hcon->dst_type)) {
		bt_dev_err(hcon->hdev,
			   "ignoring IRK with invalid identity address");
		goto distribute;
	}

	bacpy(&smp->id_addr, &info->bdaddr);
	smp->id_addr_type = info->addr_type;

	/* Record the current peer address only if it is an RPA */
	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
		bacpy(&rpa, &hcon->dst);
	else
		bacpy(&rpa, BDADDR_ANY);

	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
				      smp->id_addr_type, smp->irk, &rpa);

distribute:
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
		smp_distribute_keys(smp);

	return 0;
}

/* Handle a Signing Information PDU (the peer's CSRK).
 *
 * The CSRK is copied into a newly allocated smp_csrk and typed as
 * authenticated only when the link is above BT_SECURITY_MEDIUM.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_sign_info *rp = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct smp_csrk *csrk;

	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);

	if (skb->len < sizeof(*rp))
		return SMP_INVALID_PARAMS;

	/* Mark the information as received */
	smp->remote_key_dist &= ~SMP_DIST_SIGN;

	skb_pull(skb, sizeof(*rp));

	/* Allocation failure is not reported: smp->csrk is then left NULL
	 * and key distribution still proceeds.
	 */
	csrk = kzalloc_obj(*csrk);
	if (csrk) {
		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
		else
			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
	}
	smp->csrk = csrk;
	smp_distribute_keys(smp);

	return 0;
}

/* Select the Secure Connections association method for this session.
 *
 * Returns REQ_OOB when either OOB flag is set; otherwise the method
 * from get_auth_method() if either side set the MITM bit, else
 * JUST_WORKS. JUST_CFM is downgraded to JUST_WORKS for the initiator.
 */
static u8 sc_select_method(struct smp_chan *smp)
{
	struct smp_cmd_pairing *local, *remote;
	u8 local_mitm, remote_mitm, local_io, remote_io, method;

	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
		return REQ_OOB;

	/* The preq/prsp contain the raw Pairing Request/Response PDUs
	 * which are needed as inputs to some crypto functions. To get
	 * the "struct smp_cmd_pairing" from them we need to skip the
	 * first byte which contains the opcode.
	 */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		local = (void *) &smp->preq[1];
		remote = (void *) &smp->prsp[1];
	} else {
		local = (void *) &smp->prsp[1];
		remote = (void *) &smp->preq[1];
	}

	local_io = local->io_capability;
	remote_io = remote->io_capability;

	local_mitm = (local->auth_req & SMP_AUTH_MITM);
	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);

	/* If either side wants MITM, look up the method from the table,
	 * otherwise use JUST WORKS.
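*/
	if (local_mitm || remote_mitm)
		method = get_auth_method(smp, local_io, remote_io);
	else
		method = JUST_WORKS;

	/* Don't confirm locally initiated pairing attempts */
	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
		method = JUST_WORKS;

	return method;
}

/* Handle a Pairing Public Key PDU (Secure Connections).
 *
 * Stores the peer's public key, verifies the OOB confirm value when
 * remote OOB data is in use, computes the ECDH shared secret, selects
 * the association method and starts the method-specific next step.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_public_key *key = (void *) skb->data;
	struct hci_conn *hcon = conn->hcon;
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_dev *hdev = hcon->hdev;
	struct crypto_kpp *tfm_ecdh;
	struct smp_cmd_pairing_confirm cfm;
	int err;

	bt_dev_dbg(hdev, "conn %p", conn);

	if (skb->len < sizeof(*key))
		return SMP_INVALID_PARAMS;

	/* Check if remote and local public keys are the same and debug key is
	 * not in use.
	 */
	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
	    !crypto_memneq(key, smp->local_pk, 64)) {
		bt_dev_err(hdev, "Remote and local public keys are identical");
		return SMP_DHKEY_CHECK_FAILED;
	}

	memcpy(smp->remote_pk, key, 64);

	/* With remote OOB data the peer key must match the commitment
	 * received out of band (smp->pcnf); compared with crypto_memneq().
	 */
	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
		err = smp_f4(smp->remote_pk, smp->remote_pk, smp->rr, 0,
			     cfm.confirm_val);
		if (err)
			return SMP_UNSPECIFIED;

		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
			return SMP_CONFIRM_FAILED;
	}

	/* Non-initiating device sends its public key after receiving
	 * the key from the initiating device.
	 */
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		err = sc_send_public_key(smp);
		if (err)
			return err;
	}

	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);

	/* Compute the shared secret on the same crypto tfm on which the private
	 * key was set/generated.
	 */
	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
		struct l2cap_chan *hchan = hdev->smp_data;
		struct smp_dev *smp_dev;

		if (!hchan || !hchan->data)
			return SMP_UNSPECIFIED;

		smp_dev = hchan->data;

		tfm_ecdh = smp_dev->tfm_ecdh;
	} else {
		tfm_ecdh = smp->tfm_ecdh;
	}

	/* NOTE(review): no explicit validation of the peer's curve point is
	 * visible in this function; presumably compute_ecdh_secret() or the
	 * KPP backend rejects invalid points - confirm.
	 */
	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
		return SMP_UNSPECIFIED;

	SMP_DBG("DHKey %32phN", smp->dhkey);

	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);

	smp->method = sc_select_method(smp);

	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);

	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
	else
		hcon->pending_sec_level = BT_SECURITY_FIPS;

	/* Remember when the peer is using the well-known debug key */
	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);

	if (smp->method == DSP_PASSKEY) {
		/* Random passkey reduced to the range 0..999999 */
		get_random_bytes(&hcon->passkey_notify,
				 sizeof(hcon->passkey_notify));
		hcon->passkey_notify %= 1000000;
		hcon->passkey_entered = 0;
		smp->passkey_round = 0;
		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
					     hcon->dst_type,
					     hcon->passkey_notify,
					     hcon->passkey_entered))
			return SMP_UNSPECIFIED;
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
	}

	if (smp->method == REQ_OOB) {
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
				     sizeof(smp->prnd), smp->prnd);

		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

		return 0;
	}

	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);

	if (smp->method == REQ_PASSKEY) {
		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
					      hcon->dst_type))
			return SMP_UNSPECIFIED;
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
		return 0;
	}

	/* The Initiating device waits for the non-initiating device to
	 * send the confirm value.
	 */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
		return 0;

	err = smp_f4(smp->local_pk, smp->remote_pk, smp->prnd, 0,
		     cfm.confirm_val);
	if (err)
		return SMP_UNSPECIFIED;

	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

	return 0;
}

/* Handle a Pairing DHKey Check PDU (Secure Connections).
 *
 * Recomputes the check value the peer should have sent with smp_f6()
 * and compares it with crypto_memneq(). On success the responder sends
 * its own check (unless still waiting for the user), the LTK is added
 * and the initiator starts encryption.
 *
 * Returns 0 or an SMP error reason code.
 */
static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
{
	struct smp_cmd_dhkey_check *check = (void *) skb->data;
	struct l2cap_chan *chan = conn->smp;
	struct hci_conn *hcon = conn->hcon;
	struct smp_chan *smp = chan->data;
	u8 a[7], b[7], *local_addr, *remote_addr;
	u8 io_cap[3], r[16], e[16];
	int err;

	bt_dev_dbg(hcon->hdev, "conn %p", conn);

	if (skb->len < sizeof(*check))
		return SMP_INVALID_PARAMS;

	/* 7-byte address blocks: 6 address bytes followed by the type */
	memcpy(a, &hcon->init_addr, 6);
	memcpy(b, &hcon->resp_addr, 6);
	a[6] = hcon->init_addr_type;
	b[6] = hcon->resp_addr_type;

	/* io_cap is taken from the PDU the remote side sent */
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		local_addr = a;
		remote_addr = b;
		memcpy(io_cap, &smp->prsp[1], 3);
	} else {
		local_addr = b;
		remote_addr = a;
		memcpy(io_cap, &smp->preq[1], 3);
	}

	/* NOTE(review): r and e hold passkey/OOB-derived values and are not
	 * wiped before returning; consider memzero_explicit() if required.
	 */
	memset(r, 0, sizeof(r));

	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
		put_unaligned_le32(hcon->passkey_notify, r);
	else if (smp->method == REQ_OOB)
		memcpy(r, smp->lr, 16);

	err = smp_f6(smp->mackey, smp->rrnd, smp->prnd, r, io_cap, remote_addr,
		     local_addr, e);
	if (err)
		return SMP_UNSPECIFIED;

	if (crypto_memneq(check->e, e, 16))
		return SMP_DHKEY_CHECK_FAILED;

	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		/* Defer our own check until the user has responded */
		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
			return 0;
		}

		/* Responder sends DHKey check as response to initiator */
		sc_dhkey_check(smp);
	}

	sc_add_ltk(smp);

	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
		hcon->enc_key_size = smp->enc_key_size;
	}

	return 0;
}

/* Handle a Keypress Notification PDU.
 *
 * The notification value is only logged. The PDU length is validated
 * first so that kp->value is never read from beyond the received data.
 *
 * Returns 0, or SMP_INVALID_PARAMS for a truncated PDU.
 */
static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
				   struct sk_buff *skb)
{
	struct smp_cmd_keypress_notify *kp = (void *) skb->data;

	/* smp_sig_channel() only guarantees the opcode byte was present,
	 * so check the payload length like the other command handlers do.
	 */
	if (skb->len < sizeof(*kp))
		return SMP_INVALID_PARAMS;

	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);

	return 0;
}

/* Dispatch one received SMP PDU to its command handler.
 *
 * The opcode must be within SMP_CMD_MAX and, when an SMP context
 * exists, must be set in smp->allow_cmd (the bit is consumed). Without
 * a context only Pairing Request and Security Request are accepted.
 *
 * Returns 0 when the PDU was consumed (handled or dropped) and a
 * negative errno otherwise.
 */
static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
{
	struct l2cap_conn *conn = chan->conn;
	struct hci_conn *hcon = conn->hcon;
	struct smp_chan *smp;
	__u8 code, reason;
	int err = 0;

	/* At least the opcode byte must be present */
	if (skb->len < 1)
		return -EILSEQ;

	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
		reason = SMP_PAIRING_NOTSUPP;
		goto done;
	}

	code = skb->data[0];
	skb_pull(skb, sizeof(code));

	smp = chan->data;

	/* Reject out-of-range opcodes before using them as a bit index */
	if (code > SMP_CMD_MAX)
		goto drop;

	if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) {
		/* If there is a context and the command is not allowed consider
		 * it a failure so the session is cleanup properly.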
*/
		switch (code) {
		case SMP_CMD_IDENT_INFO:
		case SMP_CMD_IDENT_ADDR_INFO:
		case SMP_CMD_SIGN_INFO:
			/* 3.6.1. Key distribution and generation
			 *
			 * A device may reject a distributed key by sending the
			 * Pairing Failed command with the reason set to
			 * "Key Rejected".
			 */
			smp_failure(conn, SMP_KEY_REJECTED);
			break;
		}
		goto drop;
	}

	/* If we don't have a context the only allowed commands are
	 * pairing request and security request.
	 */
	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
		goto drop;

	switch (code) {
	case SMP_CMD_PAIRING_REQ:
		reason = smp_cmd_pairing_req(conn, skb);
		break;

	case SMP_CMD_PAIRING_FAIL:
		/* The only case that sets err; reason is left unused */
		smp_failure(conn, 0);
		err = -EPERM;
		break;

	case SMP_CMD_PAIRING_RSP:
		reason = smp_cmd_pairing_rsp(conn, skb);
		break;

	case SMP_CMD_SECURITY_REQ:
		reason = smp_cmd_security_req(conn, skb);
		break;

	case SMP_CMD_PAIRING_CONFIRM:
		reason = smp_cmd_pairing_confirm(conn, skb);
		break;

	case SMP_CMD_PAIRING_RANDOM:
		reason = smp_cmd_pairing_random(conn, skb);
		break;

	case SMP_CMD_ENCRYPT_INFO:
		reason = smp_cmd_encrypt_info(conn, skb);
		break;

	case SMP_CMD_INITIATOR_IDENT:
		reason = smp_cmd_initiator_ident(conn, skb);
		break;

	case SMP_CMD_IDENT_INFO:
		reason = smp_cmd_ident_info(conn, skb);
		break;

	case SMP_CMD_IDENT_ADDR_INFO:
		reason = smp_cmd_ident_addr_info(conn, skb);
		break;

	case SMP_CMD_SIGN_INFO:
		reason = smp_cmd_sign_info(conn, skb);
		break;

	case SMP_CMD_PUBLIC_KEY:
		reason = smp_cmd_public_key(conn, skb);
		break;

	case SMP_CMD_DHKEY_CHECK:
		reason = smp_cmd_dhkey_check(conn, skb);
		break;

	case SMP_CMD_KEYPRESS_NOTIFY:
		reason = smp_cmd_keypress_notify(conn, skb);
		break;

	default:
		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
		reason = SMP_CMD_NOTSUPP;
		goto done;
	}

done:
	/* A non-zero handler reason aborts pairing. The skb is freed here
	 * only when err is 0.
	 * NOTE(review): on err != 0 the skb is presumably released by the
	 * caller - confirm.
	 */
	if (!err) {
		if (reason)
			smp_failure(conn, reason);
		kfree_skb(skb);
	}

	return err;

drop:
	/* NOTE(review): this message is driven by peer-supplied PDUs and is
	 * not rate limited, unlike the blocked-key warnings in this file.
	 */
	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
		   code, &hcon->dst);
	kfree_skb(skb);
	return 0;
}

/* l2cap_ops.teardown: destroy any SMP context, detach the channel from
 * the connection and drop a channel reference. @err is not used.
 */
static void smp_teardown_cb(struct l2cap_chan *chan, int err)
{
	struct l2cap_conn *conn = chan->conn;

	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);

	if (chan->data)
		smp_chan_destroy(conn);

	conn->smp = NULL;
	l2cap_chan_put(chan);
}

/* Start SMP over BR/EDR on @chan if every precondition below holds.
 *
 * Each check returns silently; when all pass, a new SMP context is
 * created with SMP_FLAG_SC set and a Pairing Request is sent.
 */
static void bredr_pairing(struct l2cap_chan *chan)
{
	struct l2cap_conn *conn = chan->conn;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct smp_chan *smp;

	bt_dev_dbg(hdev, "chan %p", chan);

	/* Only new pairings are interesting */
	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
		return;

	/* Don't bother if we're not encrypted */
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
		return;

	/* Only initiator may initiate SMP over BR/EDR */
	if (hcon->role != HCI_ROLE_MASTER)
		return;

	/* Secure Connections support must be enabled */
	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
		return;

	/* BR/EDR must use Secure Connections for SMP */
	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
		return;

	/* If our LE support is not enabled don't do anything */
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
		return;

	/* Don't bother if remote LE support is not enabled */
	if (!lmp_host_le_capable(hcon))
		return;

	/* Remote must support SMP fixed chan for BR/EDR */
	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
		return;

	/* Don't bother if SMP is already ongoing */
	if (chan->data)
		return;

	smp = smp_chan_create(conn);
	if (!smp) {
		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
		return;
	}

	set_bit(SMP_FLAG_SC, &smp->flags);

	bt_dev_dbg(hdev, "starting SMP over BR/EDR");

	smp_send_pairing_req(smp, 0x00);
}

/* l2cap_ops.resume: on ACL links try BR/EDR pairing; otherwise, if an
 * SMP context exists and the link is encrypted, stop the security timer
 * and continue with key distribution.
 */
static void smp_resume_cb(struct l2cap_chan *chan)
{
	struct smp_chan *smp = chan->data;
	struct l2cap_conn *conn = chan->conn;
	struct hci_conn *hcon = conn->hcon;

	bt_dev_dbg(hcon->hdev, "chan %p", chan);

	if (hcon->type == ACL_LINK) {
		bredr_pairing(chan);
		return;
	}

	if (!smp)
		return;

	/* Keys are only distributed once the link is encrypted */
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
		return;

	cancel_delayed_work(&smp->security_timer);

	smp_distribute_keys(smp);
}

/* l2cap_ops.ready: attach the channel to the connection and, for an
 * already encrypted ACL link, try BR/EDR pairing.
 */
static void smp_ready_cb(struct l2cap_chan *chan)
{
	struct l2cap_conn *conn = chan->conn;
	struct hci_conn *hcon = conn->hcon;

	bt_dev_dbg(hcon->hdev, "chan %p", chan);

	/* No need to call l2cap_chan_hold() here since we already own
	 * the reference taken in smp_new_conn_cb(). This is just the
	 * first time that we tie it to a specific pointer. The code in
	 * l2cap_core.c ensures that there's no risk this function won't
	 * get called if smp_new_conn_cb was previously called.
*/
	conn->smp = chan;

	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
		bredr_pairing(chan);
}

/* l2cap_ops.recv: feed a received PDU to smp_sig_channel().
 *
 * When the dispatcher returns an error, the security timer of any
 * active SMP context is cancelled synchronously and the connection is
 * disconnected with HCI_ERROR_AUTH_FAILURE. Returns the dispatcher's
 * result.
 */
static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
{
	int err;

	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);

	err = smp_sig_channel(chan, skb);
	if (err) {
		struct smp_chan *smp = chan->data;

		if (smp)
			cancel_delayed_work_sync(&smp->security_timer);

		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
	}

	return err;
}

/* l2cap_ops.alloc_skb: allocate an skb of @hdr_len + @len bytes for an
 * outgoing SMP PDU, at HCI_PRIO_MAX priority and tagged with @chan.
 * @nb is not used.
 *
 * Returns the skb or ERR_PTR(-ENOMEM).
 */
static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
					unsigned long hdr_len,
					unsigned long len, int nb)
{
	struct sk_buff *skb;

	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
	if (!skb)
		return ERR_PTR(-ENOMEM);

	skb->priority = HCI_PRIO_MAX;
	bt_cb(skb)->l2cap.chan = chan;

	return skb;
}

/* Callbacks for a per-connection SMP channel; operations SMP does not
 * implement are routed to the l2cap_chan_no_* stubs.
 */
static const struct l2cap_ops smp_chan_ops = {
	.name			= "Security Manager",
	.ready			= smp_ready_cb,
	.recv			= smp_recv_cb,
	.alloc_skb		= smp_alloc_skb_cb,
	.teardown		= smp_teardown_cb,
	.resume			= smp_resume_cb,

	.new_connection		= l2cap_chan_no_new_connection,
	.state_change		= l2cap_chan_no_state_change,
	.close			= l2cap_chan_no_close,
	.defer			= l2cap_chan_no_defer,
	.suspend		= l2cap_chan_no_suspend,
	.set_shutdown		= l2cap_chan_no_set_shutdown,
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
};

/* l2cap_ops.new_connection for the root channel: create a per-connection
 * SMP channel that copies type, CID, MTUs and mode from @pchan.
 *
 * Returns the new channel, or NULL if it could not be created.
 */
static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
{
	struct l2cap_chan *chan;

	BT_DBG("pchan %p", pchan);

	chan = l2cap_chan_create();
	if (!chan)
		return NULL;

	chan->chan_type	= pchan->chan_type;
	chan->ops	= &smp_chan_ops;
	chan->scid	= pchan->scid;
	/* Fixed channel: destination CID equals source CID */
	chan->dcid	= chan->scid;
	chan->imtu	= pchan->imtu;
	chan->omtu	= pchan->omtu;
	chan->mode	= pchan->mode;

/* Other L2CAP channels may request SMP routines in order to
	 * change the security level. This means that the SMP channel
	 * lock must be considered in its own category to avoid lockdep
	 * warnings.
	 */
	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);

	BT_DBG("created chan %p", chan);

	return chan;
}

/* Callbacks for the listening ("root") SMP channel; only new_connection
 * is implemented.
 */
static const struct l2cap_ops smp_root_chan_ops = {
	.name			= "Security Manager Root",
	.new_connection		= smp_new_conn_cb,

	/* None of these are implemented for the root channel */
	.close			= l2cap_chan_no_close,
	.alloc_skb		= l2cap_chan_no_alloc_skb,
	.recv			= l2cap_chan_no_recv,
	.state_change		= l2cap_chan_no_state_change,
	.teardown		= l2cap_chan_no_teardown,
	.ready			= l2cap_chan_no_ready,
	.defer			= l2cap_chan_no_defer,
	.suspend		= l2cap_chan_no_suspend,
	.resume			= l2cap_chan_no_resume,
	.set_shutdown		= l2cap_chan_no_set_shutdown,
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
};

/* Create the listening SMP channel for fixed channel @cid on @hdev.
 *
 * For every CID except L2CAP_CID_SMP_BREDR a struct smp_dev with its own
 * "ecdh-nist-p256" KPP transform is allocated and stored in chan->data;
 * for L2CAP_CID_SMP_BREDR chan->data is NULL.
 *
 * Returns the channel or an ERR_PTR(); everything allocated here is
 * released again on failure.
 */
static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
{
	struct l2cap_chan *chan;
	struct smp_dev *smp;
	struct crypto_kpp *tfm_ecdh;

	if (cid == L2CAP_CID_SMP_BREDR) {
		smp = NULL;
		goto create_chan;
	}

	smp = kzalloc_obj(*smp);
	if (!smp)
		return ERR_PTR(-ENOMEM);

	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
	if (IS_ERR(tfm_ecdh)) {
		bt_dev_err(hdev, "Unable to create ECDH crypto context");
		/* kfree_sensitive() zeroes the memory before freeing it */
		kfree_sensitive(smp);
		return ERR_CAST(tfm_ecdh);
	}

	smp->local_oob = false;
	smp->tfm_ecdh = tfm_ecdh;

create_chan:
	chan = l2cap_chan_create();
	if (!chan) {
		if (smp) {
			crypto_free_kpp(smp->tfm_ecdh);
			kfree_sensitive(smp);
		}
		return ERR_PTR(-ENOMEM);
	}

	chan->data = smp;

	l2cap_add_scid(chan, cid);

	l2cap_chan_set_defaults(chan);

	if (cid == L2CAP_CID_SMP) {
		u8 bdaddr_type;

		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);

		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
			chan->src_type = BDADDR_LE_PUBLIC;
		else
			chan->src_type = BDADDR_LE_RANDOM;
	} else {
		bacpy(&chan->src, &hdev->bdaddr);
		chan->src_type = BDADDR_BREDR;
	}

	chan->state = BT_LISTEN;
	chan->mode = L2CAP_MODE_BASIC;
	chan->imtu = L2CAP_DEFAULT_MTU;
	chan->ops = &smp_root_chan_ops;

	/* Set correct nesting level for a parent/listening channel */
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);

	return chan;
}

/* Release a channel created by smp_add_cid(): free its smp_dev (ECDH
 * transform included) if present and drop a channel reference.
 *
 * @chan is dereferenced unconditionally and must not be NULL.
 */
static void smp_del_chan(struct l2cap_chan *chan)
{
	struct smp_dev *smp;

	BT_DBG("chan %p", chan);

	smp = chan->data;
	if (smp) {
		/* Clear the pointer first so nothing keeps a stale reference */
		chan->data = NULL;
		crypto_free_kpp(smp->tfm_ecdh);
		kfree_sensitive(smp);
	}

	l2cap_chan_put(chan);
}

/* Enable or disable the forced BR/EDR SMP channel and toggle
 * HCI_FORCE_BREDR_SMP accordingly.
 *
 * Returns 0 on success, -EALREADY if the flag already has the requested
 * state, or the error from smp_add_cid().
 */
int smp_force_bredr(struct hci_dev *hdev, bool enable)
{
	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
		return -EALREADY;

	if (enable) {
		struct l2cap_chan *chan;

		/* NOTE(review): an existing hdev->smp_bredr_data is overwritten
		 * without being released; smp_register() also creates this
		 * channel when lmp_sc_capable() is true - confirm callers
		 * exclude that case.
		 */
		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
		if (IS_ERR(chan))
			return PTR_ERR(chan);

		hdev->smp_bredr_data = chan;
	} else {
		struct l2cap_chan *chan;

		/* NOTE(review): the pointer is passed to smp_del_chan()
		 * unchecked, while smp_unregister() clears it without touching
		 * HCI_FORCE_BREDR_SMP - confirm this branch cannot run while
		 * the channel is unregistered.
		 */
		chan = hdev->smp_bredr_data;
		hdev->smp_bredr_data = NULL;
		smp_del_chan(chan);
	}

	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);

	return 0;
}

/* Register the SMP root channels for @hdev: the LE channel, and the
 * BR/EDR channel when the controller is SC capable or BR/EDR SMP is
 * forced.
 *
 * Returns 0 on success (including when the controller is not LE
 * capable) or the error from smp_add_cid().
 */
int smp_register(struct hci_dev *hdev)
{
	struct l2cap_chan *chan;

	bt_dev_dbg(hdev, "");

	/* If the controller does not support Low Energy operation, then
	 * there is also no need to register any SMP channel.
*/
	if (!lmp_le_capable(hdev))
		return 0;

	/* A leftover channel is unexpected: warn and release it first */
	if (WARN_ON(hdev->smp_data)) {
		chan = hdev->smp_data;
		hdev->smp_data = NULL;
		smp_del_chan(chan);
	}

	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
	if (IS_ERR(chan))
		return PTR_ERR(chan);

	hdev->smp_data = chan;

	if (!lmp_sc_capable(hdev)) {
		/* Flag can be already set here (due to power toggle) */
		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
			return 0;
	}

	if (WARN_ON(hdev->smp_bredr_data)) {
		chan = hdev->smp_bredr_data;
		hdev->smp_bredr_data = NULL;
		smp_del_chan(chan);
	}

	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
	if (IS_ERR(chan)) {
		/* Undo the LE channel registration so nothing is left behind */
		int err = PTR_ERR(chan);
		chan = hdev->smp_data;
		hdev->smp_data = NULL;
		smp_del_chan(chan);
		return err;
	}

	hdev->smp_bredr_data = chan;

	return 0;
}

/* Release both SMP root channels of @hdev, if registered. The
 * HCI_FORCE_BREDR_SMP flag is not modified here.
 */
void smp_unregister(struct hci_dev *hdev)
{
	struct l2cap_chan *chan;

	if (hdev->smp_bredr_data) {
		chan = hdev->smp_bredr_data;
		hdev->smp_bredr_data = NULL;
		smp_del_chan(chan);
	}

	if (hdev->smp_data) {
		chan = hdev->smp_data;
		hdev->smp_data = NULL;
		smp_del_chan(chan);
	}
}

#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)

/* Self-test: the public key derived from debug_sk on @tfm_ecdh must
 * equal debug_pk. Returns 0, -EINVAL on mismatch, or the helper's error.
 */
static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
{
	u8 pk[64];
	int err;

	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
	if (err)
		return err;

	err = generate_ecdh_public_key(tfm_ecdh, pk);
	if (err)
		return err;

	if (crypto_memneq(pk, debug_pk, 64))
		return -EINVAL;

	return 0;
}

/* Self-test: smp_ah() must reproduce the fixed expected output below.
 * Returns 0, -EINVAL on mismatch, or the error from smp_ah().
 */
static int __init test_ah(void)
{
	const u8 irk[16] = {
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
	const u8 r[3] = { 0x94, 0x81, 0x70 };
	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
	u8 res[3];
int err; 3457 3458 err = smp_ah(irk, r, res); 3459 if (err) 3460 return err; 3461 3462 if (crypto_memneq(res, exp, 3)) 3463 return -EINVAL; 3464 3465 return 0; 3466 } 3467 3468 static int __init test_c1(void) 3469 { 3470 const u8 k[16] = { 3471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3472 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3473 const u8 r[16] = { 3474 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3475 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3476 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3477 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3478 const u8 _iat = 0x01; 3479 const u8 _rat = 0x00; 3480 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3481 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3482 const u8 exp[16] = { 3483 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3484 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3485 u8 res[16]; 3486 int err; 3487 3488 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3489 if (err) 3490 return err; 3491 3492 if (crypto_memneq(res, exp, 16)) 3493 return -EINVAL; 3494 3495 return 0; 3496 } 3497 3498 static int __init test_s1(void) 3499 { 3500 const u8 k[16] = { 3501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3502 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3503 const u8 r1[16] = { 3504 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3505 const u8 r2[16] = { 3506 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3507 const u8 exp[16] = { 3508 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3509 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3510 u8 res[16]; 3511 int err; 3512 3513 err = smp_s1(k, r1, r2, res); 3514 if (err) 3515 return err; 3516 3517 if (crypto_memneq(res, exp, 16)) 3518 return -EINVAL; 3519 3520 return 0; 3521 } 3522 3523 static int __init test_f4(void) 3524 { 3525 const u8 u[32] = { 3526 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3527 0xdb, 0xfd, 0xf4, 0xac, 0x11, 
0x91, 0xf4, 0xef, 3528 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3529 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3530 const u8 v[32] = { 3531 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3532 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3533 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3534 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3535 const u8 x[16] = { 3536 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3537 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3538 const u8 z = 0x00; 3539 const u8 exp[16] = { 3540 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3541 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3542 u8 res[16]; 3543 int err; 3544 3545 err = smp_f4(u, v, x, z, res); 3546 if (err) 3547 return err; 3548 3549 if (crypto_memneq(res, exp, 16)) 3550 return -EINVAL; 3551 3552 return 0; 3553 } 3554 3555 static int __init test_f5(void) 3556 { 3557 const u8 w[32] = { 3558 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3559 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3560 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3561 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3562 const u8 n1[16] = { 3563 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3564 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3565 const u8 n2[16] = { 3566 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3567 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3568 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3569 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3570 const u8 exp_ltk[16] = { 3571 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3572 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3573 const u8 exp_mackey[16] = { 3574 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3575 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3576 u8 mackey[16], ltk[16]; 3577 int err; 3578 3579 err = smp_f5(w, n1, n2, a1, a2, mackey, ltk); 3580 if (err) 3581 return err; 3582 3583 if (crypto_memneq(mackey, exp_mackey, 16)) 
3584 return -EINVAL; 3585 3586 if (crypto_memneq(ltk, exp_ltk, 16)) 3587 return -EINVAL; 3588 3589 return 0; 3590 } 3591 3592 static int __init test_f6(void) 3593 { 3594 const u8 w[16] = { 3595 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3596 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3597 const u8 n1[16] = { 3598 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3599 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3600 const u8 n2[16] = { 3601 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3602 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3603 const u8 r[16] = { 3604 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3605 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3606 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3607 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3608 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3609 const u8 exp[16] = { 3610 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3611 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3612 u8 res[16]; 3613 int err; 3614 3615 err = smp_f6(w, n1, n2, r, io_cap, a1, a2, res); 3616 if (err) 3617 return err; 3618 3619 if (crypto_memneq(res, exp, 16)) 3620 return -EINVAL; 3621 3622 return 0; 3623 } 3624 3625 static int __init test_g2(void) 3626 { 3627 const u8 u[32] = { 3628 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3629 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3630 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3631 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3632 const u8 v[32] = { 3633 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3634 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3635 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3636 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3637 const u8 x[16] = { 3638 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3639 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3640 const u8 y[16] = { 3641 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3642 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 
0xe8, 0xa6 }; 3643 const u32 exp_val = 0x2f9ed5ba % 1000000; 3644 u32 val; 3645 int err; 3646 3647 err = smp_g2(u, v, x, y, &val); 3648 if (err) 3649 return err; 3650 3651 if (val != exp_val) 3652 return -EINVAL; 3653 3654 return 0; 3655 } 3656 3657 static int __init test_h6(void) 3658 { 3659 const u8 w[16] = { 3660 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3661 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3662 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3663 const u8 exp[16] = { 3664 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3665 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3666 u8 res[16]; 3667 int err; 3668 3669 err = smp_h6(w, key_id, res); 3670 if (err) 3671 return err; 3672 3673 if (crypto_memneq(res, exp, 16)) 3674 return -EINVAL; 3675 3676 return 0; 3677 } 3678 3679 static char test_smp_buffer[32]; 3680 3681 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3682 size_t count, loff_t *ppos) 3683 { 3684 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3685 strlen(test_smp_buffer)); 3686 } 3687 3688 static const struct file_operations test_smp_fops = { 3689 .open = simple_open, 3690 .read = test_smp_read, 3691 .llseek = default_llseek, 3692 }; 3693 3694 static int __init run_selftests(struct crypto_kpp *tfm_ecdh) 3695 { 3696 ktime_t calltime, delta, rettime; 3697 unsigned long long duration; 3698 int err; 3699 3700 calltime = ktime_get(); 3701 3702 err = test_debug_key(tfm_ecdh); 3703 if (err) { 3704 BT_ERR("debug_key test failed"); 3705 goto done; 3706 } 3707 3708 err = test_ah(); 3709 if (err) { 3710 BT_ERR("smp_ah test failed"); 3711 goto done; 3712 } 3713 3714 err = test_c1(); 3715 if (err) { 3716 BT_ERR("smp_c1 test failed"); 3717 goto done; 3718 } 3719 3720 err = test_s1(); 3721 if (err) { 3722 BT_ERR("smp_s1 test failed"); 3723 goto done; 3724 } 3725 3726 err = test_f4(); 3727 if (err) { 3728 BT_ERR("smp_f4 test failed"); 3729 goto done; 3730 } 3731 3732 err = test_f5(); 3733 if (err) 
{ 3734 BT_ERR("smp_f5 test failed"); 3735 goto done; 3736 } 3737 3738 err = test_f6(); 3739 if (err) { 3740 BT_ERR("smp_f6 test failed"); 3741 goto done; 3742 } 3743 3744 err = test_g2(); 3745 if (err) { 3746 BT_ERR("smp_g2 test failed"); 3747 goto done; 3748 } 3749 3750 err = test_h6(); 3751 if (err) { 3752 BT_ERR("smp_h6 test failed"); 3753 goto done; 3754 } 3755 3756 rettime = ktime_get(); 3757 delta = ktime_sub(rettime, calltime); 3758 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3759 3760 BT_INFO("SMP test passed in %llu usecs", duration); 3761 3762 done: 3763 if (!err) 3764 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3765 "PASS (%llu usecs)\n", duration); 3766 else 3767 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3768 3769 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3770 &test_smp_fops); 3771 3772 return err; 3773 } 3774 3775 int __init bt_selftest_smp(void) 3776 { 3777 struct crypto_kpp *tfm_ecdh; 3778 int err; 3779 3780 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 3781 if (IS_ERR(tfm_ecdh)) { 3782 BT_ERR("Unable to create ECDH crypto context"); 3783 return PTR_ERR(tfm_ecdh); 3784 } 3785 3786 err = run_selftests(tfm_ecdh); 3787 3788 crypto_free_kpp(tfm_ecdh); 3789 3790 return err; 3791 } 3792 3793 #endif 3794