1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/scatterlist.h> 25 #include <linux/crypto.h> 26 #include <crypto/algapi.h> 27 #include <crypto/b128ops.h> 28 #include <crypto/hash.h> 29 #include <crypto/kpp.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "ecdh_helper.h" 37 #include "smp.h" 38 39 #define SMP_DEV(hdev) \ 40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 41 42 /* Low-level debug macros to be used for stuff that we don't want 43 * accidentially in dmesg, i.e. the values of the various crypto keys 44 * and the inputs & outputs of crypto functions. 45 */ 46 #ifdef DEBUG 47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 48 ##__VA_ARGS__) 49 #else 50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 51 ##__VA_ARGS__) 52 #endif 53 54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 55 56 /* Keys which are not distributed with Secure Connections */ 57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY); 58 59 #define SMP_TIMEOUT msecs_to_jiffies(30000) 60 61 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 62 0x3f : 0x07) 63 #define KEY_DIST_MASK 0x07 64 65 /* Maximum message length that can be passed to aes_cmac */ 66 #define CMAC_MSG_MAX 80 67 68 enum { 69 SMP_FLAG_TK_VALID, 70 SMP_FLAG_CFM_PENDING, 71 SMP_FLAG_MITM_AUTH, 72 SMP_FLAG_COMPLETE, 73 SMP_FLAG_INITIATOR, 74 SMP_FLAG_SC, 75 SMP_FLAG_REMOTE_PK, 76 SMP_FLAG_DEBUG_KEY, 77 SMP_FLAG_WAIT_USER, 78 SMP_FLAG_DHKEY_PENDING, 79 SMP_FLAG_REMOTE_OOB, 80 SMP_FLAG_LOCAL_OOB, 81 SMP_FLAG_CT2, 82 }; 83 84 struct smp_dev { 85 /* Secure Connections OOB data */ 86 u8 local_pk[64]; 87 u8 local_sk[32]; 88 u8 local_rand[16]; 89 bool debug_key; 90 91 u8 min_key_size; 92 u8 max_key_size; 93 94 struct crypto_cipher *tfm_aes; 95 struct crypto_shash *tfm_cmac; 96 struct crypto_kpp *tfm_ecdh; 97 }; 98 99 struct smp_chan { 100 struct l2cap_conn *conn; 101 struct delayed_work security_timer; 102 unsigned long allow_cmd; /* Bitmask of allowed commands */ 103 104 u8 preq[7]; /* SMP Pairing Request */ 105 u8 prsp[7]; /* SMP Pairing Response */ 106 u8 prnd[16]; /* SMP Pairing Random (local) */ 107 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 108 u8 pcnf[16]; /* SMP Pairing Confirm */ 109 u8 tk[16]; /* SMP Temporary Key */ 110 u8 rr[16]; /* Remote OOB ra/rb value */ 111 u8 lr[16]; /* Local OOB ra/rb value */ 112 u8 enc_key_size; 113 u8 remote_key_dist; 114 bdaddr_t id_addr; 115 u8 id_addr_type; 116 u8 irk[16]; 117 struct smp_csrk *csrk; 118 struct smp_csrk *slave_csrk; 119 struct smp_ltk *ltk; 120 struct smp_ltk *slave_ltk; 121 struct smp_irk *remote_irk; 122 u8 *link_key; 123 unsigned long flags; 124 u8 method; 125 u8 passkey_round; 126 127 /* Secure Connections variables */ 128 u8 local_pk[64]; 129 u8 local_sk[32]; 130 u8 remote_pk[64]; 131 u8 dhkey[32]; 132 u8 mackey[16]; 133 134 struct crypto_cipher *tfm_aes; 135 struct crypto_shash *tfm_cmac; 136 struct crypto_kpp *tfm_ecdh; 137 }; 138 139 /* These debug key values are defined in the SMP section of the core 140 * specification. debug_pk is the public debug key and debug_sk the 141 * private debug key. 142 */ 143 static const u8 debug_pk[64] = { 144 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 145 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 146 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 147 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 148 149 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 150 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 151 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 152 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 153 }; 154 155 static const u8 debug_sk[32] = { 156 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 157 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 158 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 159 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 160 }; 161 162 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 163 { 164 size_t i; 165 166 for (i = 0; i < len; i++) 167 dst[len - 1 - i] = src[i]; 168 } 169 170 /* The following functions map to the LE SC SMP crypto functions 171 * AES-CMAC, f4, f5, f6, g2 and h6. 172 */ 173 174 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m, 175 size_t len, u8 mac[16]) 176 { 177 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 178 SHASH_DESC_ON_STACK(desc, tfm); 179 int err; 180 181 if (len > CMAC_MSG_MAX) 182 return -EFBIG; 183 184 if (!tfm) { 185 BT_ERR("tfm %p", tfm); 186 return -EINVAL; 187 } 188 189 desc->tfm = tfm; 190 desc->flags = 0; 191 192 /* Swap key and message from LSB to MSB */ 193 swap_buf(k, tmp, 16); 194 swap_buf(m, msg_msb, len); 195 196 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 197 SMP_DBG("key %16phN", k); 198 199 err = crypto_shash_setkey(tfm, tmp, 16); 200 if (err) { 201 BT_ERR("cipher setkey failed: %d", err); 202 return err; 203 } 204 205 err = crypto_shash_digest(desc, msg_msb, len, mac_msb); 206 shash_desc_zero(desc); 207 if (err) { 208 BT_ERR("Hash computation error %d", err); 209 return err; 210 } 211 212 swap_buf(mac_msb, mac, 16); 213 214 SMP_DBG("mac %16phN", mac); 215 216 return 0; 217 } 218 219 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32], 220 const u8 v[32], const u8 x[16], u8 z, u8 res[16]) 221 { 222 u8 m[65]; 223 int err; 224 225 SMP_DBG("u %32phN", u); 226 SMP_DBG("v %32phN", v); 227 SMP_DBG("x %16phN z %02x", x, z); 228 229 m[0] = z; 230 memcpy(m + 1, v, 32); 231 memcpy(m + 33, u, 32); 232 233 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 234 if (err) 235 return err; 236 237 SMP_DBG("res %16phN", res); 238 239 return err; 240 } 241 242 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32], 243 const u8 n1[16], const u8 n2[16], const u8 a1[7], 244 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 245 { 246 /* The btle, salt and length "magic" values are as defined in 247 * the SMP section of the Bluetooth core specification. In ASCII 248 * the btle value ends up being 'btle'. The salt is just a 249 * random number whereas length is the value 256 in little 250 * endian format. 251 */ 252 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 253 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 254 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 255 const u8 length[2] = { 0x00, 0x01 }; 256 u8 m[53], t[16]; 257 int err; 258 259 SMP_DBG("w %32phN", w); 260 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 261 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 262 263 err = aes_cmac(tfm_cmac, salt, w, 32, t); 264 if (err) 265 return err; 266 267 SMP_DBG("t %16phN", t); 268 269 memcpy(m, length, 2); 270 memcpy(m + 2, a2, 7); 271 memcpy(m + 9, a1, 7); 272 memcpy(m + 16, n2, 16); 273 memcpy(m + 32, n1, 16); 274 memcpy(m + 48, btle, 4); 275 276 m[52] = 0; /* Counter */ 277 278 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 279 if (err) 280 return err; 281 282 SMP_DBG("mackey %16phN", mackey); 283 284 m[52] = 1; /* Counter */ 285 286 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 287 if (err) 288 return err; 289 290 SMP_DBG("ltk %16phN", ltk); 291 292 return 0; 293 } 294 295 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16], 296 const u8 n1[16], const u8 n2[16], const u8 r[16], 297 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 298 u8 res[16]) 299 { 300 u8 m[65]; 301 int err; 302 303 SMP_DBG("w %16phN", w); 304 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 305 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 306 307 memcpy(m, a2, 7); 308 memcpy(m + 7, a1, 7); 309 memcpy(m + 14, io_cap, 3); 310 memcpy(m + 17, r, 16); 311 memcpy(m + 33, n2, 16); 312 memcpy(m + 49, n1, 16); 313 314 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 315 if (err) 316 return err; 317 318 SMP_DBG("res %16phN", res); 319 320 return err; 321 } 322 323 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32], 324 const u8 x[16], const u8 y[16], u32 *val) 325 { 326 u8 m[80], tmp[16]; 327 int err; 328 329 SMP_DBG("u %32phN", u); 330 SMP_DBG("v %32phN", v); 331 SMP_DBG("x %16phN y %16phN", x, y); 332 333 memcpy(m, y, 16); 334 memcpy(m + 16, v, 32); 335 memcpy(m + 48, u, 32); 336 337 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 338 if (err) 339 return err; 340 341 *val = get_unaligned_le32(tmp); 342 *val %= 1000000; 343 344 SMP_DBG("val %06u", *val); 345 346 return 0; 347 } 348 349 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16], 350 const u8 key_id[4], u8 res[16]) 351 { 352 int err; 353 354 SMP_DBG("w %16phN key_id %4phN", w, key_id); 355 356 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 357 if (err) 358 return err; 359 360 SMP_DBG("res %16phN", res); 361 362 return err; 363 } 364 365 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16], 366 const u8 salt[16], u8 res[16]) 367 { 368 int err; 369 370 SMP_DBG("w %16phN salt %16phN", w, salt); 371 372 err = aes_cmac(tfm_cmac, salt, w, 16, res); 373 if (err) 374 return err; 375 376 SMP_DBG("res %16phN", res); 377 378 return err; 379 } 380 381 /* The following functions map to the legacy SMP crypto functions e, c1, 382 * s1 and ah. 383 */ 384 385 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r) 386 { 387 uint8_t tmp[16], data[16]; 388 int err; 389 390 SMP_DBG("k %16phN r %16phN", k, r); 391 392 if (!tfm) { 393 BT_ERR("tfm %p", tfm); 394 return -EINVAL; 395 } 396 397 /* The most significant octet of key corresponds to k[0] */ 398 swap_buf(k, tmp, 16); 399 400 err = crypto_cipher_setkey(tfm, tmp, 16); 401 if (err) { 402 BT_ERR("cipher setkey failed: %d", err); 403 return err; 404 } 405 406 /* Most significant octet of plaintextData corresponds to data[0] */ 407 swap_buf(r, data, 16); 408 409 crypto_cipher_encrypt_one(tfm, data, data); 410 411 /* Most significant octet of encryptedData corresponds to data[0] */ 412 swap_buf(data, r, 16); 413 414 SMP_DBG("r %16phN", r); 415 416 return err; 417 } 418 419 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16], 420 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 421 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 422 { 423 u8 p1[16], p2[16]; 424 int err; 425 426 SMP_DBG("k %16phN r %16phN", k, r); 427 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 428 SMP_DBG("preq %7phN pres %7phN", preq, pres); 429 430 memset(p1, 0, 16); 431 432 /* p1 = pres || preq || _rat || _iat */ 433 p1[0] = _iat; 434 p1[1] = _rat; 435 memcpy(p1 + 2, preq, 7); 436 memcpy(p1 + 9, pres, 7); 437 438 SMP_DBG("p1 %16phN", p1); 439 440 /* res = r XOR p1 */ 441 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 442 443 /* res = e(k, res) */ 444 err = smp_e(tfm_aes, k, res); 445 if (err) { 446 BT_ERR("Encrypt data error"); 447 return err; 448 } 449 450 /* p2 = padding || ia || ra */ 451 memcpy(p2, ra, 6); 452 memcpy(p2 + 6, ia, 6); 453 memset(p2 + 12, 0, 4); 454 455 SMP_DBG("p2 %16phN", p2); 456 457 /* res = res XOR p2 */ 458 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 459 460 /* res = e(k, res) */ 461 err = smp_e(tfm_aes, k, res); 462 if (err) 463 BT_ERR("Encrypt data error"); 464 465 return err; 466 } 467 468 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16], 469 const u8 r1[16], const u8 r2[16], u8 _r[16]) 470 { 471 int err; 472 473 /* Just least significant octets from r1 and r2 are considered */ 474 memcpy(_r, r2, 8); 475 memcpy(_r + 8, r1, 8); 476 477 err = smp_e(tfm_aes, k, _r); 478 if (err) 479 BT_ERR("Encrypt data error"); 480 481 return err; 482 } 483 484 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16], 485 const u8 r[3], u8 res[3]) 486 { 487 u8 _res[16]; 488 int err; 489 490 /* r' = padding || r */ 491 memcpy(_res, r, 3); 492 memset(_res + 3, 0, 13); 493 494 err = smp_e(tfm, irk, _res); 495 if (err) { 496 BT_ERR("Encrypt error"); 497 return err; 498 } 499 500 /* The output of the random address function ah is: 501 * ah(k, r) = e(k, r') mod 2^24 502 * The output of the security function e is then truncated to 24 bits 503 * by taking the least significant 24 bits of the output of e as the 504 * result of ah. 505 */ 506 memcpy(res, _res, 3); 507 508 return 0; 509 } 510 511 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 512 const bdaddr_t *bdaddr) 513 { 514 struct l2cap_chan *chan = hdev->smp_data; 515 struct smp_dev *smp; 516 u8 hash[3]; 517 int err; 518 519 if (!chan || !chan->data) 520 return false; 521 522 smp = chan->data; 523 524 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 525 526 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash); 527 if (err) 528 return false; 529 530 return !crypto_memneq(bdaddr->b, hash, 3); 531 } 532 533 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 534 { 535 struct l2cap_chan *chan = hdev->smp_data; 536 struct smp_dev *smp; 537 int err; 538 539 if (!chan || !chan->data) 540 return -EOPNOTSUPP; 541 542 smp = chan->data; 543 544 get_random_bytes(&rpa->b[3], 3); 545 546 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 547 rpa->b[5] |= 0x40; /* Set second most significant bit */ 548 549 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b); 550 if (err < 0) 551 return err; 552 553 BT_DBG("RPA %pMR", rpa); 554 555 return 0; 556 } 557 558 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 559 { 560 struct l2cap_chan *chan = hdev->smp_data; 561 struct smp_dev *smp; 562 int err; 563 564 if (!chan || !chan->data) 565 return -EOPNOTSUPP; 566 567 smp = chan->data; 568 569 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 570 BT_DBG("Using debug keys"); 571 memcpy(smp->local_pk, debug_pk, 64); 572 memcpy(smp->local_sk, debug_sk, 32); 573 smp->debug_key = true; 574 } else { 575 while (true) { 576 /* Seed private key with random number */ 577 get_random_bytes(smp->local_sk, 32); 578 579 /* Generate local key pair for Secure Connections */ 580 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk, 581 smp->local_sk); 582 if (err) 583 return err; 584 585 /* This is unlikely, but we need to check that 586 * we didn't accidentially generate a debug key. 587 */ 588 if (crypto_memneq(smp->local_sk, debug_sk, 32)) 589 break; 590 } 591 smp->debug_key = false; 592 } 593 594 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 595 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 596 SMP_DBG("OOB Private Key: %32phN", smp->local_sk); 597 598 get_random_bytes(smp->local_rand, 16); 599 600 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 601 smp->local_rand, 0, hash); 602 if (err < 0) 603 return err; 604 605 memcpy(rand, smp->local_rand, 16); 606 607 return 0; 608 } 609 610 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 611 { 612 struct l2cap_chan *chan = conn->smp; 613 struct smp_chan *smp; 614 struct kvec iv[2]; 615 struct msghdr msg; 616 617 if (!chan) 618 return; 619 620 BT_DBG("code 0x%2.2x", code); 621 622 iv[0].iov_base = &code; 623 iv[0].iov_len = 1; 624 625 iv[1].iov_base = data; 626 iv[1].iov_len = len; 627 628 memset(&msg, 0, sizeof(msg)); 629 630 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len); 631 632 l2cap_chan_send(chan, &msg, 1 + len); 633 634 if (!chan->data) 635 return; 636 637 smp = chan->data; 638 639 cancel_delayed_work_sync(&smp->security_timer); 640 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 641 } 642 643 static u8 authreq_to_seclevel(u8 authreq) 644 { 645 if (authreq & SMP_AUTH_MITM) { 646 if (authreq & SMP_AUTH_SC) 647 return BT_SECURITY_FIPS; 648 else 649 return BT_SECURITY_HIGH; 650 } else { 651 return BT_SECURITY_MEDIUM; 652 } 653 } 654 655 static __u8 seclevel_to_authreq(__u8 sec_level) 656 { 657 switch (sec_level) { 658 case BT_SECURITY_FIPS: 659 case BT_SECURITY_HIGH: 660 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 661 case BT_SECURITY_MEDIUM: 662 return SMP_AUTH_BONDING; 663 default: 664 return SMP_AUTH_NONE; 665 } 666 } 667 668 static void build_pairing_cmd(struct l2cap_conn *conn, 669 struct smp_cmd_pairing *req, 670 struct smp_cmd_pairing *rsp, __u8 authreq) 671 { 672 struct l2cap_chan *chan = conn->smp; 673 struct smp_chan *smp = chan->data; 674 struct hci_conn *hcon = conn->hcon; 675 struct hci_dev *hdev = hcon->hdev; 676 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 677 678 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 679 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 680 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 681 authreq |= SMP_AUTH_BONDING; 682 } else { 683 authreq &= ~SMP_AUTH_BONDING; 684 } 685 686 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 687 remote_dist |= SMP_DIST_ID_KEY; 688 689 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 690 local_dist |= SMP_DIST_ID_KEY; 691 692 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 693 (authreq & SMP_AUTH_SC)) { 694 struct oob_data *oob_data; 695 u8 bdaddr_type; 696 697 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 698 local_dist |= SMP_DIST_LINK_KEY; 699 remote_dist |= SMP_DIST_LINK_KEY; 700 } 701 702 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 703 bdaddr_type = BDADDR_LE_PUBLIC; 704 else 705 bdaddr_type = BDADDR_LE_RANDOM; 706 707 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 708 bdaddr_type); 709 if (oob_data && oob_data->present) { 710 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 711 oob_flag = SMP_OOB_PRESENT; 712 memcpy(smp->rr, oob_data->rand256, 16); 713 memcpy(smp->pcnf, oob_data->hash256, 16); 714 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 715 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 716 } 717 718 } else { 719 authreq &= ~SMP_AUTH_SC; 720 } 721 722 if (rsp == NULL) { 723 req->io_capability = conn->hcon->io_capability; 724 req->oob_flag = oob_flag; 725 req->max_key_size = SMP_DEV(hdev)->max_key_size; 726 req->init_key_dist = local_dist; 727 req->resp_key_dist = remote_dist; 728 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 729 730 smp->remote_key_dist = remote_dist; 731 return; 732 } 733 734 rsp->io_capability = conn->hcon->io_capability; 735 rsp->oob_flag = oob_flag; 736 rsp->max_key_size = SMP_DEV(hdev)->max_key_size; 737 rsp->init_key_dist = req->init_key_dist & remote_dist; 738 rsp->resp_key_dist = req->resp_key_dist & local_dist; 739 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 740 741 smp->remote_key_dist = rsp->init_key_dist; 742 } 743 744 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 745 { 746 struct l2cap_chan *chan = conn->smp; 747 struct hci_dev *hdev = conn->hcon->hdev; 748 struct smp_chan *smp = chan->data; 749 750 if (max_key_size > SMP_DEV(hdev)->max_key_size || 751 max_key_size < SMP_MIN_ENC_KEY_SIZE) 752 return SMP_ENC_KEY_SIZE; 753 754 smp->enc_key_size = max_key_size; 755 756 return 0; 757 } 758 759 static void smp_chan_destroy(struct l2cap_conn *conn) 760 { 761 struct l2cap_chan *chan = conn->smp; 762 struct smp_chan *smp = chan->data; 763 struct hci_conn *hcon = conn->hcon; 764 bool complete; 765 766 BUG_ON(!smp); 767 768 cancel_delayed_work_sync(&smp->security_timer); 769 770 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 771 mgmt_smp_complete(hcon, complete); 772 773 kzfree(smp->csrk); 774 kzfree(smp->slave_csrk); 775 kzfree(smp->link_key); 776 777 crypto_free_cipher(smp->tfm_aes); 778 crypto_free_shash(smp->tfm_cmac); 779 crypto_free_kpp(smp->tfm_ecdh); 780 781 /* Ensure that we don't leave any debug key around if debug key 782 * support hasn't been explicitly enabled. 783 */ 784 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 785 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 786 list_del_rcu(&smp->ltk->list); 787 kfree_rcu(smp->ltk, rcu); 788 smp->ltk = NULL; 789 } 790 791 /* If pairing failed clean up any keys we might have */ 792 if (!complete) { 793 if (smp->ltk) { 794 list_del_rcu(&smp->ltk->list); 795 kfree_rcu(smp->ltk, rcu); 796 } 797 798 if (smp->slave_ltk) { 799 list_del_rcu(&smp->slave_ltk->list); 800 kfree_rcu(smp->slave_ltk, rcu); 801 } 802 803 if (smp->remote_irk) { 804 list_del_rcu(&smp->remote_irk->list); 805 kfree_rcu(smp->remote_irk, rcu); 806 } 807 } 808 809 chan->data = NULL; 810 kzfree(smp); 811 hci_conn_drop(hcon); 812 } 813 814 static void smp_failure(struct l2cap_conn *conn, u8 reason) 815 { 816 struct hci_conn *hcon = conn->hcon; 817 struct l2cap_chan *chan = conn->smp; 818 819 if (reason) 820 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 821 &reason); 822 823 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 824 825 if (chan->data) 826 smp_chan_destroy(conn); 827 } 828 829 #define JUST_WORKS 0x00 830 #define JUST_CFM 0x01 831 #define REQ_PASSKEY 0x02 832 #define CFM_PASSKEY 0x03 833 #define REQ_OOB 0x04 834 #define DSP_PASSKEY 0x05 835 #define OVERLAP 0xFF 836 837 static const u8 gen_method[5][5] = { 838 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 839 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 840 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 841 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 842 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 843 }; 844 845 static const u8 sc_method[5][5] = { 846 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 847 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 848 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 849 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 850 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 851 }; 852 853 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 854 { 855 /* If either side has unknown io_caps, use JUST_CFM (which gets 856 * converted later to JUST_WORKS if we're initiators. 857 */ 858 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 859 remote_io > SMP_IO_KEYBOARD_DISPLAY) 860 return JUST_CFM; 861 862 if (test_bit(SMP_FLAG_SC, &smp->flags)) 863 return sc_method[remote_io][local_io]; 864 865 return gen_method[remote_io][local_io]; 866 } 867 868 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 869 u8 local_io, u8 remote_io) 870 { 871 struct hci_conn *hcon = conn->hcon; 872 struct l2cap_chan *chan = conn->smp; 873 struct smp_chan *smp = chan->data; 874 u32 passkey = 0; 875 int ret = 0; 876 877 /* Initialize key for JUST WORKS */ 878 memset(smp->tk, 0, sizeof(smp->tk)); 879 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 880 881 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 882 883 /* If neither side wants MITM, either "just" confirm an incoming 884 * request or use just-works for outgoing ones. The JUST_CFM 885 * will be converted to JUST_WORKS if necessary later in this 886 * function. If either side has MITM look up the method from the 887 * table. 888 */ 889 if (!(auth & SMP_AUTH_MITM)) 890 smp->method = JUST_CFM; 891 else 892 smp->method = get_auth_method(smp, local_io, remote_io); 893 894 /* Don't confirm locally initiated pairing attempts */ 895 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 896 &smp->flags)) 897 smp->method = JUST_WORKS; 898 899 /* Don't bother user space with no IO capabilities */ 900 if (smp->method == JUST_CFM && 901 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 902 smp->method = JUST_WORKS; 903 904 /* If Just Works, Continue with Zero TK */ 905 if (smp->method == JUST_WORKS) { 906 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 907 return 0; 908 } 909 910 /* If this function is used for SC -> legacy fallback we 911 * can only recover the just-works case. 912 */ 913 if (test_bit(SMP_FLAG_SC, &smp->flags)) 914 return -EINVAL; 915 916 /* Not Just Works/Confirm results in MITM Authentication */ 917 if (smp->method != JUST_CFM) { 918 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 919 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 920 hcon->pending_sec_level = BT_SECURITY_HIGH; 921 } 922 923 /* If both devices have Keyoard-Display I/O, the master 924 * Confirms and the slave Enters the passkey. 925 */ 926 if (smp->method == OVERLAP) { 927 if (hcon->role == HCI_ROLE_MASTER) 928 smp->method = CFM_PASSKEY; 929 else 930 smp->method = REQ_PASSKEY; 931 } 932 933 /* Generate random passkey. */ 934 if (smp->method == CFM_PASSKEY) { 935 memset(smp->tk, 0, sizeof(smp->tk)); 936 get_random_bytes(&passkey, sizeof(passkey)); 937 passkey %= 1000000; 938 put_unaligned_le32(passkey, smp->tk); 939 BT_DBG("PassKey: %d", passkey); 940 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 941 } 942 943 if (smp->method == REQ_PASSKEY) 944 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 945 hcon->type, hcon->dst_type); 946 else if (smp->method == JUST_CFM) 947 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 948 hcon->type, hcon->dst_type, 949 passkey, 1); 950 else 951 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 952 hcon->type, hcon->dst_type, 953 passkey, 0); 954 955 return ret; 956 } 957 958 static u8 smp_confirm(struct smp_chan *smp) 959 { 960 struct l2cap_conn *conn = smp->conn; 961 struct smp_cmd_pairing_confirm cp; 962 int ret; 963 964 BT_DBG("conn %p", conn); 965 966 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp, 967 conn->hcon->init_addr_type, &conn->hcon->init_addr, 968 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 969 cp.confirm_val); 970 if (ret) 971 return SMP_UNSPECIFIED; 972 973 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 974 975 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 976 977 if (conn->hcon->out) 978 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 979 else 980 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 981 982 return 0; 983 } 984 985 static u8 smp_random(struct smp_chan *smp) 986 { 987 struct l2cap_conn *conn = smp->conn; 988 struct hci_conn *hcon = conn->hcon; 989 u8 confirm[16]; 990 int ret; 991 992 if (IS_ERR_OR_NULL(smp->tfm_aes)) 993 return SMP_UNSPECIFIED; 994 995 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 996 997 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp, 998 hcon->init_addr_type, &hcon->init_addr, 999 hcon->resp_addr_type, &hcon->resp_addr, confirm); 1000 if (ret) 1001 return SMP_UNSPECIFIED; 1002 1003 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 1004 BT_ERR("Pairing failed (confirmation values mismatch)"); 1005 return SMP_CONFIRM_FAILED; 1006 } 1007 1008 if (hcon->out) { 1009 u8 stk[16]; 1010 __le64 rand = 0; 1011 __le16 ediv = 0; 1012 1013 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk); 1014 1015 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1016 return SMP_UNSPECIFIED; 1017 1018 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 1019 hcon->enc_key_size = smp->enc_key_size; 1020 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 1021 } else { 1022 u8 stk[16], auth; 1023 __le64 rand = 0; 1024 __le16 ediv = 0; 1025 1026 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1027 smp->prnd); 1028 1029 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk); 1030 1031 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1032 auth = 1; 1033 else 1034 auth = 0; 1035 1036 /* Even though there's no _SLAVE suffix this is the 1037 * slave STK we're adding for later lookup (the master 1038 * STK never needs to be stored). 1039 */ 1040 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1041 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1042 } 1043 1044 return 0; 1045 } 1046 1047 static void smp_notify_keys(struct l2cap_conn *conn) 1048 { 1049 struct l2cap_chan *chan = conn->smp; 1050 struct smp_chan *smp = chan->data; 1051 struct hci_conn *hcon = conn->hcon; 1052 struct hci_dev *hdev = hcon->hdev; 1053 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1054 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1055 bool persistent; 1056 1057 if (hcon->type == ACL_LINK) { 1058 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1059 persistent = false; 1060 else 1061 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1062 &hcon->flags); 1063 } else { 1064 /* The LTKs, IRKs and CSRKs should be persistent only if 1065 * both sides had the bonding bit set in their 1066 * authentication requests. 1067 */ 1068 persistent = !!((req->auth_req & rsp->auth_req) & 1069 SMP_AUTH_BONDING); 1070 } 1071 1072 if (smp->remote_irk) { 1073 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1074 1075 /* Now that user space can be considered to know the 1076 * identity address track the connection based on it 1077 * from now on (assuming this is an LE link). 1078 */ 1079 if (hcon->type == LE_LINK) { 1080 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1081 hcon->dst_type = smp->remote_irk->addr_type; 1082 queue_work(hdev->workqueue, &conn->id_addr_update_work); 1083 } 1084 } 1085 1086 if (smp->csrk) { 1087 smp->csrk->bdaddr_type = hcon->dst_type; 1088 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1089 mgmt_new_csrk(hdev, smp->csrk, persistent); 1090 } 1091 1092 if (smp->slave_csrk) { 1093 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1094 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1095 mgmt_new_csrk(hdev, smp->slave_csrk, persistent); 1096 } 1097 1098 if (smp->ltk) { 1099 smp->ltk->bdaddr_type = hcon->dst_type; 1100 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1101 mgmt_new_ltk(hdev, smp->ltk, persistent); 1102 } 1103 1104 if (smp->slave_ltk) { 1105 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1106 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1107 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1108 } 1109 1110 if (smp->link_key) { 1111 struct link_key *key; 1112 u8 type; 1113 1114 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1115 type = HCI_LK_DEBUG_COMBINATION; 1116 else if (hcon->sec_level == BT_SECURITY_FIPS) 1117 type = HCI_LK_AUTH_COMBINATION_P256; 1118 else 1119 type = HCI_LK_UNAUTH_COMBINATION_P256; 1120 1121 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1122 smp->link_key, type, 0, &persistent); 1123 if (key) { 1124 mgmt_new_link_key(hdev, key, persistent); 1125 1126 /* Don't keep debug keys around if the relevant 1127 * flag is not set. 1128 */ 1129 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1130 key->type == HCI_LK_DEBUG_COMBINATION) { 1131 list_del_rcu(&key->list); 1132 kfree_rcu(key, rcu); 1133 } 1134 } 1135 } 1136 } 1137 1138 static void sc_add_ltk(struct smp_chan *smp) 1139 { 1140 struct hci_conn *hcon = smp->conn->hcon; 1141 u8 key_type, auth; 1142 1143 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1144 key_type = SMP_LTK_P256_DEBUG; 1145 else 1146 key_type = SMP_LTK_P256; 1147 1148 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1149 auth = 1; 1150 else 1151 auth = 0; 1152 1153 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1154 key_type, auth, smp->tk, smp->enc_key_size, 1155 0, 0); 1156 } 1157 1158 static void sc_generate_link_key(struct smp_chan *smp) 1159 { 1160 /* From core spec. Spells out in ASCII as 'lebr'. */ 1161 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1162 1163 smp->link_key = kzalloc(16, GFP_KERNEL); 1164 if (!smp->link_key) 1165 return; 1166 1167 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1168 /* SALT = 0x00000000000000000000000000000000746D7031 */ 1169 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1170 1171 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) { 1172 kzfree(smp->link_key); 1173 smp->link_key = NULL; 1174 return; 1175 } 1176 } else { 1177 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1178 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1179 1180 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1181 kzfree(smp->link_key); 1182 smp->link_key = NULL; 1183 return; 1184 } 1185 } 1186 1187 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1188 kzfree(smp->link_key); 1189 smp->link_key = NULL; 1190 return; 1191 } 1192 } 1193 1194 static void smp_allow_key_dist(struct smp_chan *smp) 1195 { 1196 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1197 * will be allowed in each PDU handler to ensure we receive 1198 * them in the correct order. 1199 */ 1200 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1201 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1202 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1203 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1204 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1205 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1206 } 1207 1208 static void sc_generate_ltk(struct smp_chan *smp) 1209 { 1210 /* From core spec. Spells out in ASCII as 'brle'. */ 1211 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1212 struct hci_conn *hcon = smp->conn->hcon; 1213 struct hci_dev *hdev = hcon->hdev; 1214 struct link_key *key; 1215 1216 key = hci_find_link_key(hdev, &hcon->dst); 1217 if (!key) { 1218 BT_ERR("%s No Link Key found to generate LTK", hdev->name); 1219 return; 1220 } 1221 1222 if (key->type == HCI_LK_DEBUG_COMBINATION) 1223 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1224 1225 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1226 /* SALT = 0x00000000000000000000000000000000746D7032 */ 1227 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 }; 1228 1229 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk)) 1230 return; 1231 } else { 1232 /* From core spec. Spells out in ASCII as 'tmp2'. */ 1233 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1234 1235 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1236 return; 1237 } 1238 1239 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1240 return; 1241 1242 sc_add_ltk(smp); 1243 } 1244 1245 static void smp_distribute_keys(struct smp_chan *smp) 1246 { 1247 struct smp_cmd_pairing *req, *rsp; 1248 struct l2cap_conn *conn = smp->conn; 1249 struct hci_conn *hcon = conn->hcon; 1250 struct hci_dev *hdev = hcon->hdev; 1251 __u8 *keydist; 1252 1253 BT_DBG("conn %p", conn); 1254 1255 rsp = (void *) &smp->prsp[1]; 1256 1257 /* The responder sends its keys first */ 1258 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1259 smp_allow_key_dist(smp); 1260 return; 1261 } 1262 1263 req = (void *) &smp->preq[1]; 1264 1265 if (hcon->out) { 1266 keydist = &rsp->init_key_dist; 1267 *keydist &= req->init_key_dist; 1268 } else { 1269 keydist = &rsp->resp_key_dist; 1270 *keydist &= req->resp_key_dist; 1271 } 1272 1273 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1274 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1275 sc_generate_link_key(smp); 1276 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1277 sc_generate_ltk(smp); 1278 1279 /* Clear the keys which are generated but not distributed */ 1280 *keydist &= ~SMP_SC_NO_DIST; 1281 } 1282 1283 BT_DBG("keydist 0x%x", *keydist); 1284 1285 if (*keydist & SMP_DIST_ENC_KEY) { 1286 struct smp_cmd_encrypt_info enc; 1287 struct smp_cmd_master_ident ident; 1288 struct smp_ltk *ltk; 1289 u8 authenticated; 1290 __le16 ediv; 1291 __le64 rand; 1292 1293 /* Make sure we generate only the significant amount of 1294 * bytes based on the encryption key size, and set the rest 1295 * of the value to zeroes. 1296 */ 1297 get_random_bytes(enc.ltk, smp->enc_key_size); 1298 memset(enc.ltk + smp->enc_key_size, 0, 1299 sizeof(enc.ltk) - smp->enc_key_size); 1300 1301 get_random_bytes(&ediv, sizeof(ediv)); 1302 get_random_bytes(&rand, sizeof(rand)); 1303 1304 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1305 1306 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1307 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1308 SMP_LTK_SLAVE, authenticated, enc.ltk, 1309 smp->enc_key_size, ediv, rand); 1310 smp->slave_ltk = ltk; 1311 1312 ident.ediv = ediv; 1313 ident.rand = rand; 1314 1315 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1316 1317 *keydist &= ~SMP_DIST_ENC_KEY; 1318 } 1319 1320 if (*keydist & SMP_DIST_ID_KEY) { 1321 struct smp_cmd_ident_addr_info addrinfo; 1322 struct smp_cmd_ident_info idinfo; 1323 1324 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1325 1326 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1327 1328 /* The hci_conn contains the local identity address 1329 * after the connection has been established. 1330 * 1331 * This is true even when the connection has been 1332 * established using a resolvable random address. 1333 */ 1334 bacpy(&addrinfo.bdaddr, &hcon->src); 1335 addrinfo.addr_type = hcon->src_type; 1336 1337 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1338 &addrinfo); 1339 1340 *keydist &= ~SMP_DIST_ID_KEY; 1341 } 1342 1343 if (*keydist & SMP_DIST_SIGN) { 1344 struct smp_cmd_sign_info sign; 1345 struct smp_csrk *csrk; 1346 1347 /* Generate a new random key */ 1348 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1349 1350 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1351 if (csrk) { 1352 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1353 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1354 else 1355 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1356 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1357 } 1358 smp->slave_csrk = csrk; 1359 1360 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1361 1362 *keydist &= ~SMP_DIST_SIGN; 1363 } 1364 1365 /* If there are still keys to be received wait for them */ 1366 if (smp->remote_key_dist & KEY_DIST_MASK) { 1367 smp_allow_key_dist(smp); 1368 return; 1369 } 1370 1371 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1372 smp_notify_keys(conn); 1373 1374 smp_chan_destroy(conn); 1375 } 1376 1377 static void smp_timeout(struct work_struct *work) 1378 { 1379 struct smp_chan *smp = container_of(work, struct smp_chan, 1380 security_timer.work); 1381 struct l2cap_conn *conn = smp->conn; 1382 1383 BT_DBG("conn %p", conn); 1384 1385 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1386 } 1387 1388 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1389 { 1390 struct l2cap_chan *chan = conn->smp; 1391 struct smp_chan *smp; 1392 1393 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1394 if (!smp) 1395 return NULL; 1396 1397 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 1398 if (IS_ERR(smp->tfm_aes)) { 1399 BT_ERR("Unable to create AES crypto context"); 1400 goto zfree_smp; 1401 } 1402 1403 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1404 if (IS_ERR(smp->tfm_cmac)) { 1405 BT_ERR("Unable to create CMAC crypto context"); 1406 goto free_cipher; 1407 } 1408 1409 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 1410 if (IS_ERR(smp->tfm_ecdh)) { 1411 BT_ERR("Unable to create ECDH crypto context"); 1412 goto free_shash; 1413 } 1414 1415 smp->conn = conn; 1416 chan->data = smp; 1417 1418 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1419 1420 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1421 1422 hci_conn_hold(conn->hcon); 1423 1424 return smp; 1425 1426 free_shash: 1427 crypto_free_shash(smp->tfm_cmac); 1428 free_cipher: 1429 crypto_free_cipher(smp->tfm_aes); 1430 zfree_smp: 1431 kzfree(smp); 1432 return NULL; 1433 } 1434 1435 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1436 { 1437 struct hci_conn *hcon = smp->conn->hcon; 1438 u8 *na, *nb, a[7], b[7]; 1439 1440 if (hcon->out) { 1441 na = smp->prnd; 1442 nb = smp->rrnd; 1443 } else { 1444 na = smp->rrnd; 1445 nb = smp->prnd; 1446 } 1447 1448 memcpy(a, &hcon->init_addr, 6); 1449 memcpy(b, &hcon->resp_addr, 6); 1450 a[6] = hcon->init_addr_type; 1451 b[6] = hcon->resp_addr_type; 1452 1453 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1454 } 1455 1456 static void sc_dhkey_check(struct smp_chan *smp) 1457 { 1458 struct hci_conn *hcon = smp->conn->hcon; 1459 struct smp_cmd_dhkey_check check; 1460 u8 a[7], b[7], *local_addr, *remote_addr; 1461 u8 io_cap[3], r[16]; 1462 1463 memcpy(a, &hcon->init_addr, 6); 1464 memcpy(b, &hcon->resp_addr, 6); 1465 a[6] = hcon->init_addr_type; 1466 b[6] = hcon->resp_addr_type; 1467 1468 if (hcon->out) { 1469 local_addr = a; 1470 remote_addr = b; 1471 memcpy(io_cap, &smp->preq[1], 3); 1472 } else { 1473 local_addr = b; 1474 remote_addr = a; 1475 memcpy(io_cap, &smp->prsp[1], 3); 1476 } 1477 1478 memset(r, 0, sizeof(r)); 1479 1480 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1481 put_unaligned_le32(hcon->passkey_notify, r); 1482 1483 if (smp->method == REQ_OOB) 1484 memcpy(r, smp->rr, 16); 1485 1486 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1487 local_addr, remote_addr, check.e); 1488 1489 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1490 } 1491 1492 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1493 { 1494 struct l2cap_conn *conn = smp->conn; 1495 struct hci_conn *hcon = conn->hcon; 1496 struct smp_cmd_pairing_confirm cfm; 1497 u8 r; 1498 1499 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1500 r |= 0x80; 1501 1502 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1503 1504 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1505 cfm.confirm_val)) 1506 return SMP_UNSPECIFIED; 1507 1508 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1509 1510 return 0; 1511 } 1512 1513 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1514 { 1515 struct l2cap_conn *conn = smp->conn; 1516 struct hci_conn *hcon = conn->hcon; 1517 struct hci_dev *hdev = hcon->hdev; 1518 u8 cfm[16], r; 1519 1520 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1521 if (smp->passkey_round >= 20) 1522 return 0; 1523 1524 switch (smp_op) { 1525 case SMP_CMD_PAIRING_RANDOM: 1526 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1527 r |= 0x80; 1528 1529 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1530 smp->rrnd, r, cfm)) 1531 return SMP_UNSPECIFIED; 1532 1533 if (crypto_memneq(smp->pcnf, cfm, 16)) 1534 return SMP_CONFIRM_FAILED; 1535 1536 smp->passkey_round++; 1537 1538 if (smp->passkey_round == 20) { 1539 /* Generate MacKey and LTK */ 1540 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1541 return SMP_UNSPECIFIED; 1542 } 1543 1544 /* The round is only complete when the initiator 1545 * receives pairing random. 1546 */ 1547 if (!hcon->out) { 1548 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1549 sizeof(smp->prnd), smp->prnd); 1550 if (smp->passkey_round == 20) 1551 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1552 else 1553 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1554 return 0; 1555 } 1556 1557 /* Start the next round */ 1558 if (smp->passkey_round != 20) 1559 return sc_passkey_round(smp, 0); 1560 1561 /* Passkey rounds are complete - start DHKey Check */ 1562 sc_dhkey_check(smp); 1563 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1564 1565 break; 1566 1567 case SMP_CMD_PAIRING_CONFIRM: 1568 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1569 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1570 return 0; 1571 } 1572 1573 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1574 1575 if (hcon->out) { 1576 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1577 sizeof(smp->prnd), smp->prnd); 1578 return 0; 1579 } 1580 1581 return sc_passkey_send_confirm(smp); 1582 1583 case SMP_CMD_PUBLIC_KEY: 1584 default: 1585 /* Initiating device starts the round */ 1586 if (!hcon->out) 1587 return 0; 1588 1589 BT_DBG("%s Starting passkey round %u", hdev->name, 1590 smp->passkey_round + 1); 1591 1592 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1593 1594 return sc_passkey_send_confirm(smp); 1595 } 1596 1597 return 0; 1598 } 1599 1600 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1601 { 1602 struct l2cap_conn *conn = smp->conn; 1603 struct hci_conn *hcon = conn->hcon; 1604 u8 smp_op; 1605 1606 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1607 1608 switch (mgmt_op) { 1609 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1610 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1611 return 0; 1612 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1613 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1614 return 0; 1615 case MGMT_OP_USER_PASSKEY_REPLY: 1616 hcon->passkey_notify = le32_to_cpu(passkey); 1617 smp->passkey_round = 0; 1618 1619 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1620 smp_op = SMP_CMD_PAIRING_CONFIRM; 1621 else 1622 smp_op = 0; 1623 1624 if (sc_passkey_round(smp, smp_op)) 1625 return -EIO; 1626 1627 return 0; 1628 } 1629 1630 /* Initiator sends DHKey check first */ 1631 if (hcon->out) { 1632 sc_dhkey_check(smp); 1633 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1634 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1635 sc_dhkey_check(smp); 1636 sc_add_ltk(smp); 1637 } 1638 1639 return 0; 1640 } 1641 1642 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1643 { 1644 struct l2cap_conn *conn = hcon->l2cap_data; 1645 struct l2cap_chan *chan; 1646 struct smp_chan *smp; 1647 u32 value; 1648 int err; 1649 1650 BT_DBG(""); 1651 1652 if (!conn) 1653 return -ENOTCONN; 1654 1655 chan = conn->smp; 1656 if (!chan) 1657 return -ENOTCONN; 1658 1659 l2cap_chan_lock(chan); 1660 if (!chan->data) { 1661 err = -ENOTCONN; 1662 goto unlock; 1663 } 1664 1665 smp = chan->data; 1666 1667 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1668 err = sc_user_reply(smp, mgmt_op, passkey); 1669 goto unlock; 1670 } 1671 1672 switch (mgmt_op) { 1673 case MGMT_OP_USER_PASSKEY_REPLY: 1674 value = le32_to_cpu(passkey); 1675 memset(smp->tk, 0, sizeof(smp->tk)); 1676 BT_DBG("PassKey: %d", value); 1677 put_unaligned_le32(value, smp->tk); 1678 /* Fall Through */ 1679 case MGMT_OP_USER_CONFIRM_REPLY: 1680 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1681 break; 1682 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1683 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1684 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1685 err = 0; 1686 goto unlock; 1687 default: 1688 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1689 err = -EOPNOTSUPP; 1690 goto unlock; 1691 } 1692 1693 err = 0; 1694 1695 /* If it is our turn to send Pairing Confirm, do so now */ 1696 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1697 u8 rsp = smp_confirm(smp); 1698 if (rsp) 1699 smp_failure(conn, rsp); 1700 } 1701 1702 unlock: 1703 l2cap_chan_unlock(chan); 1704 return err; 1705 } 1706 1707 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1708 struct smp_cmd_pairing *req, 1709 struct smp_cmd_pairing *rsp) 1710 { 1711 struct l2cap_conn *conn = smp->conn; 1712 struct hci_dev *hdev = conn->hcon->hdev; 1713 u8 local_dist = 0, remote_dist = 0; 1714 1715 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1716 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1717 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1718 } 1719 1720 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1721 remote_dist |= SMP_DIST_ID_KEY; 1722 1723 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1724 local_dist |= SMP_DIST_ID_KEY; 1725 1726 if (!rsp) { 1727 memset(req, 0, sizeof(*req)); 1728 1729 req->auth_req = SMP_AUTH_CT2; 1730 req->init_key_dist = local_dist; 1731 req->resp_key_dist = remote_dist; 1732 req->max_key_size = conn->hcon->enc_key_size; 1733 1734 smp->remote_key_dist = remote_dist; 1735 1736 return; 1737 } 1738 1739 memset(rsp, 0, sizeof(*rsp)); 1740 1741 rsp->auth_req = SMP_AUTH_CT2; 1742 rsp->max_key_size = conn->hcon->enc_key_size; 1743 rsp->init_key_dist = req->init_key_dist & remote_dist; 1744 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1745 1746 smp->remote_key_dist = rsp->init_key_dist; 1747 } 1748 1749 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1750 { 1751 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1752 struct l2cap_chan *chan = conn->smp; 1753 struct hci_dev *hdev = conn->hcon->hdev; 1754 struct smp_chan *smp; 1755 u8 key_size, auth, sec_level; 1756 int ret; 1757 1758 BT_DBG("conn %p", conn); 1759 1760 if (skb->len < sizeof(*req)) 1761 return SMP_INVALID_PARAMS; 1762 1763 if (conn->hcon->role != HCI_ROLE_SLAVE) 1764 return SMP_CMD_NOTSUPP; 1765 1766 if (!chan->data) 1767 smp = smp_chan_create(conn); 1768 else 1769 smp = chan->data; 1770 1771 if (!smp) 1772 return SMP_UNSPECIFIED; 1773 1774 /* We didn't start the pairing, so match remote */ 1775 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1776 1777 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1778 (auth & SMP_AUTH_BONDING)) 1779 return SMP_PAIRING_NOTSUPP; 1780 1781 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1782 return SMP_AUTH_REQUIREMENTS; 1783 1784 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1785 memcpy(&smp->preq[1], req, sizeof(*req)); 1786 skb_pull(skb, sizeof(*req)); 1787 1788 /* If the remote side's OOB flag is set it means it has 1789 * successfully received our local OOB data - therefore set the 1790 * flag to indicate that local OOB is in use. 1791 */ 1792 if (req->oob_flag == SMP_OOB_PRESENT) 1793 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1794 1795 /* SMP over BR/EDR requires special treatment */ 1796 if (conn->hcon->type == ACL_LINK) { 1797 /* We must have a BR/EDR SC link */ 1798 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1799 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1800 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1801 1802 set_bit(SMP_FLAG_SC, &smp->flags); 1803 1804 build_bredr_pairing_cmd(smp, req, &rsp); 1805 1806 if (req->auth_req & SMP_AUTH_CT2) 1807 set_bit(SMP_FLAG_CT2, &smp->flags); 1808 1809 key_size = min(req->max_key_size, rsp.max_key_size); 1810 if (check_enc_key_size(conn, key_size)) 1811 return SMP_ENC_KEY_SIZE; 1812 1813 /* Clear bits which are generated but not distributed */ 1814 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1815 1816 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1817 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1818 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1819 1820 smp_distribute_keys(smp); 1821 return 0; 1822 } 1823 1824 build_pairing_cmd(conn, req, &rsp, auth); 1825 1826 if (rsp.auth_req & SMP_AUTH_SC) { 1827 set_bit(SMP_FLAG_SC, &smp->flags); 1828 1829 if (rsp.auth_req & SMP_AUTH_CT2) 1830 set_bit(SMP_FLAG_CT2, &smp->flags); 1831 } 1832 1833 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1834 sec_level = BT_SECURITY_MEDIUM; 1835 else 1836 sec_level = authreq_to_seclevel(auth); 1837 1838 if (sec_level > conn->hcon->pending_sec_level) 1839 conn->hcon->pending_sec_level = sec_level; 1840 1841 /* If we need MITM check that it can be achieved */ 1842 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1843 u8 method; 1844 1845 method = get_auth_method(smp, conn->hcon->io_capability, 1846 req->io_capability); 1847 if (method == JUST_WORKS || method == JUST_CFM) 1848 return SMP_AUTH_REQUIREMENTS; 1849 } 1850 1851 key_size = min(req->max_key_size, rsp.max_key_size); 1852 if (check_enc_key_size(conn, key_size)) 1853 return SMP_ENC_KEY_SIZE; 1854 1855 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1856 1857 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1858 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1859 1860 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1861 1862 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1863 1864 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1865 * SC case, however some implementations incorrectly copy RFU auth 1866 * req bits from our security request, which may create a false 1867 * positive SC enablement. 1868 */ 1869 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1870 1871 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1872 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1873 /* Clear bits which are generated but not distributed */ 1874 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1875 /* Wait for Public Key from Initiating Device */ 1876 return 0; 1877 } 1878 1879 /* Request setup of TK */ 1880 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1881 if (ret) 1882 return SMP_UNSPECIFIED; 1883 1884 return 0; 1885 } 1886 1887 static u8 sc_send_public_key(struct smp_chan *smp) 1888 { 1889 struct hci_dev *hdev = smp->conn->hcon->hdev; 1890 1891 BT_DBG(""); 1892 1893 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1894 struct l2cap_chan *chan = hdev->smp_data; 1895 struct smp_dev *smp_dev; 1896 1897 if (!chan || !chan->data) 1898 return SMP_UNSPECIFIED; 1899 1900 smp_dev = chan->data; 1901 1902 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1903 memcpy(smp->local_sk, smp_dev->local_sk, 32); 1904 memcpy(smp->lr, smp_dev->local_rand, 16); 1905 1906 if (smp_dev->debug_key) 1907 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1908 1909 goto done; 1910 } 1911 1912 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1913 BT_DBG("Using debug keys"); 1914 memcpy(smp->local_pk, debug_pk, 64); 1915 memcpy(smp->local_sk, debug_sk, 32); 1916 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1917 } else { 1918 while (true) { 1919 /* Seed private key with random number */ 1920 get_random_bytes(smp->local_sk, 32); 1921 1922 /* Generate local key pair for Secure Connections */ 1923 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk, 1924 smp->local_sk)) 1925 return SMP_UNSPECIFIED; 1926 1927 /* This is unlikely, but we need to check that 1928 * we didn't accidentially generate a debug key. 1929 */ 1930 if (crypto_memneq(smp->local_sk, debug_sk, 32)) 1931 break; 1932 } 1933 } 1934 1935 done: 1936 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1937 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1938 SMP_DBG("Local Private Key: %32phN", smp->local_sk); 1939 1940 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1941 1942 return 0; 1943 } 1944 1945 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1946 { 1947 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1948 struct l2cap_chan *chan = conn->smp; 1949 struct smp_chan *smp = chan->data; 1950 struct hci_dev *hdev = conn->hcon->hdev; 1951 u8 key_size, auth; 1952 int ret; 1953 1954 BT_DBG("conn %p", conn); 1955 1956 if (skb->len < sizeof(*rsp)) 1957 return SMP_INVALID_PARAMS; 1958 1959 if (conn->hcon->role != HCI_ROLE_MASTER) 1960 return SMP_CMD_NOTSUPP; 1961 1962 skb_pull(skb, sizeof(*rsp)); 1963 1964 req = (void *) &smp->preq[1]; 1965 1966 key_size = min(req->max_key_size, rsp->max_key_size); 1967 if (check_enc_key_size(conn, key_size)) 1968 return SMP_ENC_KEY_SIZE; 1969 1970 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1971 1972 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1973 return SMP_AUTH_REQUIREMENTS; 1974 1975 /* If the remote side's OOB flag is set it means it has 1976 * successfully received our local OOB data - therefore set the 1977 * flag to indicate that local OOB is in use. 1978 */ 1979 if (rsp->oob_flag == SMP_OOB_PRESENT) 1980 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1981 1982 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1983 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1984 1985 /* Update remote key distribution in case the remote cleared 1986 * some bits that we had enabled in our request. 1987 */ 1988 smp->remote_key_dist &= rsp->resp_key_dist; 1989 1990 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2)) 1991 set_bit(SMP_FLAG_CT2, &smp->flags); 1992 1993 /* For BR/EDR this means we're done and can start phase 3 */ 1994 if (conn->hcon->type == ACL_LINK) { 1995 /* Clear bits which are generated but not distributed */ 1996 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1997 smp_distribute_keys(smp); 1998 return 0; 1999 } 2000 2001 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 2002 set_bit(SMP_FLAG_SC, &smp->flags); 2003 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 2004 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 2005 2006 /* If we need MITM check that it can be achieved */ 2007 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 2008 u8 method; 2009 2010 method = get_auth_method(smp, req->io_capability, 2011 rsp->io_capability); 2012 if (method == JUST_WORKS || method == JUST_CFM) 2013 return SMP_AUTH_REQUIREMENTS; 2014 } 2015 2016 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 2017 2018 /* Update remote key distribution in case the remote cleared 2019 * some bits that we had enabled in our request. 2020 */ 2021 smp->remote_key_dist &= rsp->resp_key_dist; 2022 2023 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2024 /* Clear bits which are generated but not distributed */ 2025 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 2026 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 2027 return sc_send_public_key(smp); 2028 } 2029 2030 auth |= req->auth_req; 2031 2032 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 2033 if (ret) 2034 return SMP_UNSPECIFIED; 2035 2036 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2037 2038 /* Can't compose response until we have been confirmed */ 2039 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2040 return smp_confirm(smp); 2041 2042 return 0; 2043 } 2044 2045 static u8 sc_check_confirm(struct smp_chan *smp) 2046 { 2047 struct l2cap_conn *conn = smp->conn; 2048 2049 BT_DBG(""); 2050 2051 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2052 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 2053 2054 if (conn->hcon->out) { 2055 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2056 smp->prnd); 2057 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2058 } 2059 2060 return 0; 2061 } 2062 2063 /* Work-around for some implementations that incorrectly copy RFU bits 2064 * from our security request and thereby create the impression that 2065 * we're doing SC when in fact the remote doesn't support it. 2066 */ 2067 static int fixup_sc_false_positive(struct smp_chan *smp) 2068 { 2069 struct l2cap_conn *conn = smp->conn; 2070 struct hci_conn *hcon = conn->hcon; 2071 struct hci_dev *hdev = hcon->hdev; 2072 struct smp_cmd_pairing *req, *rsp; 2073 u8 auth; 2074 2075 /* The issue is only observed when we're in slave role */ 2076 if (hcon->out) 2077 return SMP_UNSPECIFIED; 2078 2079 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2080 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode"); 2081 return SMP_UNSPECIFIED; 2082 } 2083 2084 BT_ERR("Trying to fall back to legacy SMP"); 2085 2086 req = (void *) &smp->preq[1]; 2087 rsp = (void *) &smp->prsp[1]; 2088 2089 /* Rebuild key dist flags which may have been cleared for SC */ 2090 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2091 2092 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2093 2094 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2095 BT_ERR("Failed to fall back to legacy SMP"); 2096 return SMP_UNSPECIFIED; 2097 } 2098 2099 clear_bit(SMP_FLAG_SC, &smp->flags); 2100 2101 return 0; 2102 } 2103 2104 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2105 { 2106 struct l2cap_chan *chan = conn->smp; 2107 struct smp_chan *smp = chan->data; 2108 2109 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 2110 2111 if (skb->len < sizeof(smp->pcnf)) 2112 return SMP_INVALID_PARAMS; 2113 2114 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2115 skb_pull(skb, sizeof(smp->pcnf)); 2116 2117 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2118 int ret; 2119 2120 /* Public Key exchange must happen before any other steps */ 2121 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2122 return sc_check_confirm(smp); 2123 2124 BT_ERR("Unexpected SMP Pairing Confirm"); 2125 2126 ret = fixup_sc_false_positive(smp); 2127 if (ret) 2128 return ret; 2129 } 2130 2131 if (conn->hcon->out) { 2132 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2133 smp->prnd); 2134 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2135 return 0; 2136 } 2137 2138 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2139 return smp_confirm(smp); 2140 2141 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2142 2143 return 0; 2144 } 2145 2146 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2147 { 2148 struct l2cap_chan *chan = conn->smp; 2149 struct smp_chan *smp = chan->data; 2150 struct hci_conn *hcon = conn->hcon; 2151 u8 *pkax, *pkbx, *na, *nb; 2152 u32 passkey; 2153 int err; 2154 2155 BT_DBG("conn %p", conn); 2156 2157 if (skb->len < sizeof(smp->rrnd)) 2158 return SMP_INVALID_PARAMS; 2159 2160 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2161 skb_pull(skb, sizeof(smp->rrnd)); 2162 2163 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2164 return smp_random(smp); 2165 2166 if (hcon->out) { 2167 pkax = smp->local_pk; 2168 pkbx = smp->remote_pk; 2169 na = smp->prnd; 2170 nb = smp->rrnd; 2171 } else { 2172 pkax = smp->remote_pk; 2173 pkbx = smp->local_pk; 2174 na = smp->rrnd; 2175 nb = smp->prnd; 2176 } 2177 2178 if (smp->method == REQ_OOB) { 2179 if (!hcon->out) 2180 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2181 sizeof(smp->prnd), smp->prnd); 2182 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2183 goto mackey_and_ltk; 2184 } 2185 2186 /* Passkey entry has special treatment */ 2187 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2188 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2189 2190 if (hcon->out) { 2191 u8 cfm[16]; 2192 2193 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2194 smp->rrnd, 0, cfm); 2195 if (err) 2196 return SMP_UNSPECIFIED; 2197 2198 if (crypto_memneq(smp->pcnf, cfm, 16)) 2199 return SMP_CONFIRM_FAILED; 2200 } else { 2201 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2202 smp->prnd); 2203 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2204 } 2205 2206 mackey_and_ltk: 2207 /* Generate MacKey and LTK */ 2208 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2209 if (err) 2210 return SMP_UNSPECIFIED; 2211 2212 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) { 2213 if (hcon->out) { 2214 sc_dhkey_check(smp); 2215 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2216 } 2217 return 0; 2218 } 2219 2220 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2221 if (err) 2222 return SMP_UNSPECIFIED; 2223 2224 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2225 hcon->dst_type, passkey, 0); 2226 if (err) 2227 return SMP_UNSPECIFIED; 2228 2229 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2230 2231 return 0; 2232 } 2233 2234 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2235 { 2236 struct smp_ltk *key; 2237 struct hci_conn *hcon = conn->hcon; 2238 2239 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2240 if (!key) 2241 return false; 2242 2243 if (smp_ltk_sec_level(key) < sec_level) 2244 return false; 2245 2246 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2247 return true; 2248 2249 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2250 hcon->enc_key_size = key->enc_size; 2251 2252 /* We never store STKs for master role, so clear this flag */ 2253 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2254 2255 return true; 2256 } 2257 2258 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2259 enum smp_key_pref key_pref) 2260 { 2261 if (sec_level == BT_SECURITY_LOW) 2262 return true; 2263 2264 /* If we're encrypted with an STK but the caller prefers using 2265 * LTK claim insufficient security. This way we allow the 2266 * connection to be re-encrypted with an LTK, even if the LTK 2267 * provides the same level of security. Only exception is if we 2268 * don't have an LTK (e.g. because of key distribution bits). 2269 */ 2270 if (key_pref == SMP_USE_LTK && 2271 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2272 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2273 return false; 2274 2275 if (hcon->sec_level >= sec_level) 2276 return true; 2277 2278 return false; 2279 } 2280 2281 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2282 { 2283 struct smp_cmd_security_req *rp = (void *) skb->data; 2284 struct smp_cmd_pairing cp; 2285 struct hci_conn *hcon = conn->hcon; 2286 struct hci_dev *hdev = hcon->hdev; 2287 struct smp_chan *smp; 2288 u8 sec_level, auth; 2289 2290 BT_DBG("conn %p", conn); 2291 2292 if (skb->len < sizeof(*rp)) 2293 return SMP_INVALID_PARAMS; 2294 2295 if (hcon->role != HCI_ROLE_MASTER) 2296 return SMP_CMD_NOTSUPP; 2297 2298 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2299 2300 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2301 return SMP_AUTH_REQUIREMENTS; 2302 2303 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2304 sec_level = BT_SECURITY_MEDIUM; 2305 else 2306 sec_level = authreq_to_seclevel(auth); 2307 2308 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2309 return 0; 2310 2311 if (sec_level > hcon->pending_sec_level) 2312 hcon->pending_sec_level = sec_level; 2313 2314 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2315 return 0; 2316 2317 smp = smp_chan_create(conn); 2318 if (!smp) 2319 return SMP_UNSPECIFIED; 2320 2321 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2322 (auth & SMP_AUTH_BONDING)) 2323 return SMP_PAIRING_NOTSUPP; 2324 2325 skb_pull(skb, sizeof(*rp)); 2326 2327 memset(&cp, 0, sizeof(cp)); 2328 build_pairing_cmd(conn, &cp, NULL, auth); 2329 2330 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2331 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2332 2333 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2334 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2335 2336 return 0; 2337 } 2338 2339 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2340 { 2341 struct l2cap_conn *conn = hcon->l2cap_data; 2342 struct l2cap_chan *chan; 2343 struct smp_chan *smp; 2344 __u8 authreq; 2345 int ret; 2346 2347 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 2348 2349 /* This may be NULL if there's an unexpected disconnection */ 2350 if (!conn) 2351 return 1; 2352 2353 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2354 return 1; 2355 2356 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2357 return 1; 2358 2359 if (sec_level > hcon->pending_sec_level) 2360 hcon->pending_sec_level = sec_level; 2361 2362 if (hcon->role == HCI_ROLE_MASTER) 2363 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2364 return 0; 2365 2366 chan = conn->smp; 2367 if (!chan) { 2368 BT_ERR("SMP security requested but not available"); 2369 return 1; 2370 } 2371 2372 l2cap_chan_lock(chan); 2373 2374 /* If SMP is already in progress ignore this request */ 2375 if (chan->data) { 2376 ret = 0; 2377 goto unlock; 2378 } 2379 2380 smp = smp_chan_create(conn); 2381 if (!smp) { 2382 ret = 1; 2383 goto unlock; 2384 } 2385 2386 authreq = seclevel_to_authreq(sec_level); 2387 2388 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) { 2389 authreq |= SMP_AUTH_SC; 2390 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED)) 2391 authreq |= SMP_AUTH_CT2; 2392 } 2393 2394 /* Require MITM if IO Capability allows or the security level 2395 * requires it. 2396 */ 2397 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2398 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2399 authreq |= SMP_AUTH_MITM; 2400 2401 if (hcon->role == HCI_ROLE_MASTER) { 2402 struct smp_cmd_pairing cp; 2403 2404 build_pairing_cmd(conn, &cp, NULL, authreq); 2405 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2406 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2407 2408 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2409 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2410 } else { 2411 struct smp_cmd_security_req cp; 2412 cp.auth_req = authreq; 2413 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2414 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2415 } 2416 2417 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2418 ret = 0; 2419 2420 unlock: 2421 l2cap_chan_unlock(chan); 2422 return ret; 2423 } 2424 2425 void smp_cancel_pairing(struct hci_conn *hcon) 2426 { 2427 struct l2cap_conn *conn = hcon->l2cap_data; 2428 struct l2cap_chan *chan; 2429 struct smp_chan *smp; 2430 2431 if (!conn) 2432 return; 2433 2434 chan = conn->smp; 2435 if (!chan) 2436 return; 2437 2438 l2cap_chan_lock(chan); 2439 2440 smp = chan->data; 2441 if (smp) { 2442 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2443 smp_failure(conn, 0); 2444 else 2445 smp_failure(conn, SMP_UNSPECIFIED); 2446 } 2447 2448 l2cap_chan_unlock(chan); 2449 } 2450 2451 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2452 { 2453 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2454 struct l2cap_chan *chan = conn->smp; 2455 struct smp_chan *smp = chan->data; 2456 2457 BT_DBG("conn %p", conn); 2458 2459 if (skb->len < sizeof(*rp)) 2460 return SMP_INVALID_PARAMS; 2461 2462 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT); 2463 2464 skb_pull(skb, sizeof(*rp)); 2465 2466 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2467 2468 return 0; 2469 } 2470 2471 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2472 { 2473 struct smp_cmd_master_ident *rp = (void *) skb->data; 2474 struct l2cap_chan *chan = conn->smp; 2475 struct smp_chan *smp = chan->data; 2476 struct hci_dev *hdev = conn->hcon->hdev; 2477 struct hci_conn *hcon = conn->hcon; 2478 struct smp_ltk *ltk; 2479 u8 authenticated; 2480 2481 BT_DBG("conn %p", conn); 2482 2483 if (skb->len < sizeof(*rp)) 2484 return SMP_INVALID_PARAMS; 2485 2486 /* Mark the information as received */ 2487 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2488 2489 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2490 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2491 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2492 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2493 2494 skb_pull(skb, sizeof(*rp)); 2495 2496 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2497 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2498 authenticated, smp->tk, smp->enc_key_size, 2499 rp->ediv, rp->rand); 2500 smp->ltk = ltk; 2501 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2502 smp_distribute_keys(smp); 2503 2504 return 0; 2505 } 2506 2507 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2508 { 2509 struct smp_cmd_ident_info *info = (void *) skb->data; 2510 struct l2cap_chan *chan = conn->smp; 2511 struct smp_chan *smp = chan->data; 2512 2513 BT_DBG(""); 2514 2515 if (skb->len < sizeof(*info)) 2516 return SMP_INVALID_PARAMS; 2517 2518 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2519 2520 skb_pull(skb, sizeof(*info)); 2521 2522 memcpy(smp->irk, info->irk, 16); 2523 2524 return 0; 2525 } 2526 2527 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2528 struct sk_buff *skb) 2529 { 2530 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2531 struct l2cap_chan *chan = conn->smp; 2532 struct smp_chan *smp = chan->data; 2533 struct hci_conn *hcon = conn->hcon; 2534 bdaddr_t rpa; 2535 2536 BT_DBG(""); 2537 2538 if (skb->len < sizeof(*info)) 2539 return SMP_INVALID_PARAMS; 2540 2541 /* Mark the information as received */ 2542 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2543 2544 if (smp->remote_key_dist & SMP_DIST_SIGN) 2545 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2546 2547 skb_pull(skb, sizeof(*info)); 2548 2549 /* Strictly speaking the Core Specification (4.1) allows sending 2550 * an empty address which would force us to rely on just the IRK 2551 * as "identity information". However, since such 2552 * implementations are not known of and in order to not over 2553 * complicate our implementation, simply pretend that we never 2554 * received an IRK for such a device. 2555 * 2556 * The Identity Address must also be a Static Random or Public 2557 * Address, which hci_is_identity_address() checks for. 2558 */ 2559 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2560 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2561 BT_ERR("Ignoring IRK with no identity address"); 2562 goto distribute; 2563 } 2564 2565 bacpy(&smp->id_addr, &info->bdaddr); 2566 smp->id_addr_type = info->addr_type; 2567 2568 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2569 bacpy(&rpa, &hcon->dst); 2570 else 2571 bacpy(&rpa, BDADDR_ANY); 2572 2573 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2574 smp->id_addr_type, smp->irk, &rpa); 2575 2576 distribute: 2577 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2578 smp_distribute_keys(smp); 2579 2580 return 0; 2581 } 2582 2583 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2584 { 2585 struct smp_cmd_sign_info *rp = (void *) skb->data; 2586 struct l2cap_chan *chan = conn->smp; 2587 struct smp_chan *smp = chan->data; 2588 struct smp_csrk *csrk; 2589 2590 BT_DBG("conn %p", conn); 2591 2592 if (skb->len < sizeof(*rp)) 2593 return SMP_INVALID_PARAMS; 2594 2595 /* Mark the information as received */ 2596 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2597 2598 skb_pull(skb, sizeof(*rp)); 2599 2600 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2601 if (csrk) { 2602 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2603 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2604 else 2605 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2606 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2607 } 2608 smp->csrk = csrk; 2609 smp_distribute_keys(smp); 2610 2611 return 0; 2612 } 2613 2614 static u8 sc_select_method(struct smp_chan *smp) 2615 { 2616 struct l2cap_conn *conn = smp->conn; 2617 struct hci_conn *hcon = conn->hcon; 2618 struct smp_cmd_pairing *local, *remote; 2619 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2620 2621 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2622 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2623 return REQ_OOB; 2624 2625 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2626 * which are needed as inputs to some crypto functions. To get 2627 * the "struct smp_cmd_pairing" from them we need to skip the 2628 * first byte which contains the opcode. 2629 */ 2630 if (hcon->out) { 2631 local = (void *) &smp->preq[1]; 2632 remote = (void *) &smp->prsp[1]; 2633 } else { 2634 local = (void *) &smp->prsp[1]; 2635 remote = (void *) &smp->preq[1]; 2636 } 2637 2638 local_io = local->io_capability; 2639 remote_io = remote->io_capability; 2640 2641 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2642 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2643 2644 /* If either side wants MITM, look up the method from the table, 2645 * otherwise use JUST WORKS. 2646 */ 2647 if (local_mitm || remote_mitm) 2648 method = get_auth_method(smp, local_io, remote_io); 2649 else 2650 method = JUST_WORKS; 2651 2652 /* Don't confirm locally initiated pairing attempts */ 2653 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2654 method = JUST_WORKS; 2655 2656 return method; 2657 } 2658 2659 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2660 { 2661 struct smp_cmd_public_key *key = (void *) skb->data; 2662 struct hci_conn *hcon = conn->hcon; 2663 struct l2cap_chan *chan = conn->smp; 2664 struct smp_chan *smp = chan->data; 2665 struct hci_dev *hdev = hcon->hdev; 2666 struct smp_cmd_pairing_confirm cfm; 2667 int err; 2668 2669 BT_DBG("conn %p", conn); 2670 2671 if (skb->len < sizeof(*key)) 2672 return SMP_INVALID_PARAMS; 2673 2674 memcpy(smp->remote_pk, key, 64); 2675 2676 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2677 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2678 smp->rr, 0, cfm.confirm_val); 2679 if (err) 2680 return SMP_UNSPECIFIED; 2681 2682 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16)) 2683 return SMP_CONFIRM_FAILED; 2684 } 2685 2686 /* Non-initiating device sends its public key after receiving 2687 * the key from the initiating device. 2688 */ 2689 if (!hcon->out) { 2690 err = sc_send_public_key(smp); 2691 if (err) 2692 return err; 2693 } 2694 2695 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2696 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2697 2698 if (!compute_ecdh_secret(smp->tfm_ecdh, smp->remote_pk, smp->local_sk, 2699 smp->dhkey)) 2700 return SMP_UNSPECIFIED; 2701 2702 SMP_DBG("DHKey %32phN", smp->dhkey); 2703 2704 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2705 2706 smp->method = sc_select_method(smp); 2707 2708 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method); 2709 2710 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2711 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2712 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2713 else 2714 hcon->pending_sec_level = BT_SECURITY_FIPS; 2715 2716 if (!crypto_memneq(debug_pk, smp->remote_pk, 64)) 2717 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2718 2719 if (smp->method == DSP_PASSKEY) { 2720 get_random_bytes(&hcon->passkey_notify, 2721 sizeof(hcon->passkey_notify)); 2722 hcon->passkey_notify %= 1000000; 2723 hcon->passkey_entered = 0; 2724 smp->passkey_round = 0; 2725 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2726 hcon->dst_type, 2727 hcon->passkey_notify, 2728 hcon->passkey_entered)) 2729 return SMP_UNSPECIFIED; 2730 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2731 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2732 } 2733 2734 if (smp->method == REQ_OOB) { 2735 if (hcon->out) 2736 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2737 sizeof(smp->prnd), smp->prnd); 2738 2739 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2740 2741 return 0; 2742 } 2743 2744 if (hcon->out) 2745 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2746 2747 if (smp->method == REQ_PASSKEY) { 2748 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2749 hcon->dst_type)) 2750 return SMP_UNSPECIFIED; 2751 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2752 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2753 return 0; 2754 } 2755 2756 /* The Initiating device waits for the non-initiating device to 2757 * send the confirm value. 2758 */ 2759 if (conn->hcon->out) 2760 return 0; 2761 2762 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2763 0, cfm.confirm_val); 2764 if (err) 2765 return SMP_UNSPECIFIED; 2766 2767 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2768 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2769 2770 return 0; 2771 } 2772 2773 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2774 { 2775 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2776 struct l2cap_chan *chan = conn->smp; 2777 struct hci_conn *hcon = conn->hcon; 2778 struct smp_chan *smp = chan->data; 2779 u8 a[7], b[7], *local_addr, *remote_addr; 2780 u8 io_cap[3], r[16], e[16]; 2781 int err; 2782 2783 BT_DBG("conn %p", conn); 2784 2785 if (skb->len < sizeof(*check)) 2786 return SMP_INVALID_PARAMS; 2787 2788 memcpy(a, &hcon->init_addr, 6); 2789 memcpy(b, &hcon->resp_addr, 6); 2790 a[6] = hcon->init_addr_type; 2791 b[6] = hcon->resp_addr_type; 2792 2793 if (hcon->out) { 2794 local_addr = a; 2795 remote_addr = b; 2796 memcpy(io_cap, &smp->prsp[1], 3); 2797 } else { 2798 local_addr = b; 2799 remote_addr = a; 2800 memcpy(io_cap, &smp->preq[1], 3); 2801 } 2802 2803 memset(r, 0, sizeof(r)); 2804 2805 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2806 put_unaligned_le32(hcon->passkey_notify, r); 2807 else if (smp->method == REQ_OOB) 2808 memcpy(r, smp->lr, 16); 2809 2810 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2811 io_cap, remote_addr, local_addr, e); 2812 if (err) 2813 return SMP_UNSPECIFIED; 2814 2815 if (crypto_memneq(check->e, e, 16)) 2816 return SMP_DHKEY_CHECK_FAILED; 2817 2818 if (!hcon->out) { 2819 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2820 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2821 return 0; 2822 } 2823 2824 /* Slave sends DHKey check as response to master */ 2825 sc_dhkey_check(smp); 2826 } 2827 2828 sc_add_ltk(smp); 2829 2830 if (hcon->out) { 2831 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2832 hcon->enc_key_size = smp->enc_key_size; 2833 } 2834 2835 return 0; 2836 } 2837 2838 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2839 struct sk_buff *skb) 2840 { 2841 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2842 2843 BT_DBG("value 0x%02x", kp->value); 2844 2845 return 0; 2846 } 2847 2848 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2849 { 2850 struct l2cap_conn *conn = chan->conn; 2851 struct hci_conn *hcon = conn->hcon; 2852 struct smp_chan *smp; 2853 __u8 code, reason; 2854 int err = 0; 2855 2856 if (skb->len < 1) 2857 return -EILSEQ; 2858 2859 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2860 reason = SMP_PAIRING_NOTSUPP; 2861 goto done; 2862 } 2863 2864 code = skb->data[0]; 2865 skb_pull(skb, sizeof(code)); 2866 2867 smp = chan->data; 2868 2869 if (code > SMP_CMD_MAX) 2870 goto drop; 2871 2872 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2873 goto drop; 2874 2875 /* If we don't have a context the only allowed commands are 2876 * pairing request and security request. 2877 */ 2878 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2879 goto drop; 2880 2881 switch (code) { 2882 case SMP_CMD_PAIRING_REQ: 2883 reason = smp_cmd_pairing_req(conn, skb); 2884 break; 2885 2886 case SMP_CMD_PAIRING_FAIL: 2887 smp_failure(conn, 0); 2888 err = -EPERM; 2889 break; 2890 2891 case SMP_CMD_PAIRING_RSP: 2892 reason = smp_cmd_pairing_rsp(conn, skb); 2893 break; 2894 2895 case SMP_CMD_SECURITY_REQ: 2896 reason = smp_cmd_security_req(conn, skb); 2897 break; 2898 2899 case SMP_CMD_PAIRING_CONFIRM: 2900 reason = smp_cmd_pairing_confirm(conn, skb); 2901 break; 2902 2903 case SMP_CMD_PAIRING_RANDOM: 2904 reason = smp_cmd_pairing_random(conn, skb); 2905 break; 2906 2907 case SMP_CMD_ENCRYPT_INFO: 2908 reason = smp_cmd_encrypt_info(conn, skb); 2909 break; 2910 2911 case SMP_CMD_MASTER_IDENT: 2912 reason = smp_cmd_master_ident(conn, skb); 2913 break; 2914 2915 case SMP_CMD_IDENT_INFO: 2916 reason = smp_cmd_ident_info(conn, skb); 2917 break; 2918 2919 case SMP_CMD_IDENT_ADDR_INFO: 2920 reason = smp_cmd_ident_addr_info(conn, skb); 2921 break; 2922 2923 case SMP_CMD_SIGN_INFO: 2924 reason = smp_cmd_sign_info(conn, skb); 2925 break; 2926 2927 case SMP_CMD_PUBLIC_KEY: 2928 reason = smp_cmd_public_key(conn, skb); 2929 break; 2930 2931 case SMP_CMD_DHKEY_CHECK: 2932 reason = smp_cmd_dhkey_check(conn, skb); 2933 break; 2934 2935 case SMP_CMD_KEYPRESS_NOTIFY: 2936 reason = smp_cmd_keypress_notify(conn, skb); 2937 break; 2938 2939 default: 2940 BT_DBG("Unknown command code 0x%2.2x", code); 2941 reason = SMP_CMD_NOTSUPP; 2942 goto done; 2943 } 2944 2945 done: 2946 if (!err) { 2947 if (reason) 2948 smp_failure(conn, reason); 2949 kfree_skb(skb); 2950 } 2951 2952 return err; 2953 2954 drop: 2955 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name, 2956 code, &hcon->dst); 2957 kfree_skb(skb); 2958 return 0; 2959 } 2960 2961 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 2962 { 2963 struct l2cap_conn *conn = chan->conn; 2964 2965 BT_DBG("chan %p", chan); 2966 2967 if (chan->data) 2968 smp_chan_destroy(conn); 2969 2970 conn->smp = NULL; 2971 l2cap_chan_put(chan); 2972 } 2973 2974 static void bredr_pairing(struct l2cap_chan *chan) 2975 { 2976 struct l2cap_conn *conn = chan->conn; 2977 struct hci_conn *hcon = conn->hcon; 2978 struct hci_dev *hdev = hcon->hdev; 2979 struct smp_cmd_pairing req; 2980 struct smp_chan *smp; 2981 2982 BT_DBG("chan %p", chan); 2983 2984 /* Only new pairings are interesting */ 2985 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 2986 return; 2987 2988 /* Don't bother if we're not encrypted */ 2989 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2990 return; 2991 2992 /* Only master may initiate SMP over BR/EDR */ 2993 if (hcon->role != HCI_ROLE_MASTER) 2994 return; 2995 2996 /* Secure Connections support must be enabled */ 2997 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 2998 return; 2999 3000 /* BR/EDR must use Secure Connections for SMP */ 3001 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 3002 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3003 return; 3004 3005 /* If our LE support is not enabled don't do anything */ 3006 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 3007 return; 3008 3009 /* Don't bother if remote LE support is not enabled */ 3010 if (!lmp_host_le_capable(hcon)) 3011 return; 3012 3013 /* Remote must support SMP fixed chan for BR/EDR */ 3014 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 3015 return; 3016 3017 /* Don't bother if SMP is already ongoing */ 3018 if (chan->data) 3019 return; 3020 3021 smp = smp_chan_create(conn); 3022 if (!smp) { 3023 BT_ERR("%s unable to create SMP context for BR/EDR", 3024 hdev->name); 3025 return; 3026 } 3027 3028 set_bit(SMP_FLAG_SC, &smp->flags); 3029 3030 BT_DBG("%s starting SMP over BR/EDR", hdev->name); 3031 3032 /* Prepare and send the BR/EDR SMP Pairing Request */ 3033 build_bredr_pairing_cmd(smp, &req, NULL); 3034 3035 smp->preq[0] = SMP_CMD_PAIRING_REQ; 3036 memcpy(&smp->preq[1], &req, sizeof(req)); 3037 3038 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 3039 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 3040 } 3041 3042 static void smp_resume_cb(struct l2cap_chan *chan) 3043 { 3044 struct smp_chan *smp = chan->data; 3045 struct l2cap_conn *conn = chan->conn; 3046 struct hci_conn *hcon = conn->hcon; 3047 3048 BT_DBG("chan %p", chan); 3049 3050 if (hcon->type == ACL_LINK) { 3051 bredr_pairing(chan); 3052 return; 3053 } 3054 3055 if (!smp) 3056 return; 3057 3058 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3059 return; 3060 3061 cancel_delayed_work(&smp->security_timer); 3062 3063 smp_distribute_keys(smp); 3064 } 3065 3066 static void smp_ready_cb(struct l2cap_chan *chan) 3067 { 3068 struct l2cap_conn *conn = chan->conn; 3069 struct hci_conn *hcon = conn->hcon; 3070 3071 BT_DBG("chan %p", chan); 3072 3073 /* No need to call l2cap_chan_hold() here since we already own 3074 * the reference taken in smp_new_conn_cb(). This is just the 3075 * first time that we tie it to a specific pointer. The code in 3076 * l2cap_core.c ensures that there's no risk this function wont 3077 * get called if smp_new_conn_cb was previously called. 3078 */ 3079 conn->smp = chan; 3080 3081 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3082 bredr_pairing(chan); 3083 } 3084 3085 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3086 { 3087 int err; 3088 3089 BT_DBG("chan %p", chan); 3090 3091 err = smp_sig_channel(chan, skb); 3092 if (err) { 3093 struct smp_chan *smp = chan->data; 3094 3095 if (smp) 3096 cancel_delayed_work_sync(&smp->security_timer); 3097 3098 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3099 } 3100 3101 return err; 3102 } 3103 3104 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3105 unsigned long hdr_len, 3106 unsigned long len, int nb) 3107 { 3108 struct sk_buff *skb; 3109 3110 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3111 if (!skb) 3112 return ERR_PTR(-ENOMEM); 3113 3114 skb->priority = HCI_PRIO_MAX; 3115 bt_cb(skb)->l2cap.chan = chan; 3116 3117 return skb; 3118 } 3119 3120 static const struct l2cap_ops smp_chan_ops = { 3121 .name = "Security Manager", 3122 .ready = smp_ready_cb, 3123 .recv = smp_recv_cb, 3124 .alloc_skb = smp_alloc_skb_cb, 3125 .teardown = smp_teardown_cb, 3126 .resume = smp_resume_cb, 3127 3128 .new_connection = l2cap_chan_no_new_connection, 3129 .state_change = l2cap_chan_no_state_change, 3130 .close = l2cap_chan_no_close, 3131 .defer = l2cap_chan_no_defer, 3132 .suspend = l2cap_chan_no_suspend, 3133 .set_shutdown = l2cap_chan_no_set_shutdown, 3134 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3135 }; 3136 3137 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3138 { 3139 struct l2cap_chan *chan; 3140 3141 BT_DBG("pchan %p", pchan); 3142 3143 chan = l2cap_chan_create(); 3144 if (!chan) 3145 return NULL; 3146 3147 chan->chan_type = pchan->chan_type; 3148 chan->ops = &smp_chan_ops; 3149 chan->scid = pchan->scid; 3150 chan->dcid = chan->scid; 3151 chan->imtu = pchan->imtu; 3152 chan->omtu = pchan->omtu; 3153 chan->mode = pchan->mode; 3154 3155 /* Other L2CAP channels may request SMP routines in order to 3156 * change the security level. This means that the SMP channel 3157 * lock must be considered in its own category to avoid lockdep 3158 * warnings. 3159 */ 3160 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3161 3162 BT_DBG("created chan %p", chan); 3163 3164 return chan; 3165 } 3166 3167 static const struct l2cap_ops smp_root_chan_ops = { 3168 .name = "Security Manager Root", 3169 .new_connection = smp_new_conn_cb, 3170 3171 /* None of these are implemented for the root channel */ 3172 .close = l2cap_chan_no_close, 3173 .alloc_skb = l2cap_chan_no_alloc_skb, 3174 .recv = l2cap_chan_no_recv, 3175 .state_change = l2cap_chan_no_state_change, 3176 .teardown = l2cap_chan_no_teardown, 3177 .ready = l2cap_chan_no_ready, 3178 .defer = l2cap_chan_no_defer, 3179 .suspend = l2cap_chan_no_suspend, 3180 .resume = l2cap_chan_no_resume, 3181 .set_shutdown = l2cap_chan_no_set_shutdown, 3182 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3183 }; 3184 3185 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3186 { 3187 struct l2cap_chan *chan; 3188 struct smp_dev *smp; 3189 struct crypto_cipher *tfm_aes; 3190 struct crypto_shash *tfm_cmac; 3191 struct crypto_kpp *tfm_ecdh; 3192 3193 if (cid == L2CAP_CID_SMP_BREDR) { 3194 smp = NULL; 3195 goto create_chan; 3196 } 3197 3198 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3199 if (!smp) 3200 return ERR_PTR(-ENOMEM); 3201 3202 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 3203 if (IS_ERR(tfm_aes)) { 3204 BT_ERR("Unable to create AES crypto context"); 3205 kzfree(smp); 3206 return ERR_CAST(tfm_aes); 3207 } 3208 3209 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3210 if (IS_ERR(tfm_cmac)) { 3211 BT_ERR("Unable to create CMAC crypto context"); 3212 crypto_free_cipher(tfm_aes); 3213 kzfree(smp); 3214 return ERR_CAST(tfm_cmac); 3215 } 3216 3217 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 3218 if (IS_ERR(tfm_ecdh)) { 3219 BT_ERR("Unable to create ECDH crypto context"); 3220 crypto_free_shash(tfm_cmac); 3221 crypto_free_cipher(tfm_aes); 3222 kzfree(smp); 3223 return ERR_CAST(tfm_ecdh); 3224 } 3225 3226 smp->tfm_aes = tfm_aes; 3227 smp->tfm_cmac = tfm_cmac; 3228 smp->tfm_ecdh = tfm_ecdh; 3229 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE; 3230 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 3231 3232 create_chan: 3233 chan = l2cap_chan_create(); 3234 if (!chan) { 3235 if (smp) { 3236 crypto_free_cipher(smp->tfm_aes); 3237 crypto_free_shash(smp->tfm_cmac); 3238 crypto_free_kpp(smp->tfm_ecdh); 3239 kzfree(smp); 3240 } 3241 return ERR_PTR(-ENOMEM); 3242 } 3243 3244 chan->data = smp; 3245 3246 l2cap_add_scid(chan, cid); 3247 3248 l2cap_chan_set_defaults(chan); 3249 3250 if (cid == L2CAP_CID_SMP) { 3251 u8 bdaddr_type; 3252 3253 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3254 3255 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3256 chan->src_type = BDADDR_LE_PUBLIC; 3257 else 3258 chan->src_type = BDADDR_LE_RANDOM; 3259 } else { 3260 bacpy(&chan->src, &hdev->bdaddr); 3261 chan->src_type = BDADDR_BREDR; 3262 } 3263 3264 chan->state = BT_LISTEN; 3265 chan->mode = L2CAP_MODE_BASIC; 3266 chan->imtu = L2CAP_DEFAULT_MTU; 3267 chan->ops = &smp_root_chan_ops; 3268 3269 /* Set correct nesting level for a parent/listening channel */ 3270 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3271 3272 return chan; 3273 } 3274 3275 static void smp_del_chan(struct l2cap_chan *chan) 3276 { 3277 struct smp_dev *smp; 3278 3279 BT_DBG("chan %p", chan); 3280 3281 smp = chan->data; 3282 if (smp) { 3283 chan->data = NULL; 3284 crypto_free_cipher(smp->tfm_aes); 3285 crypto_free_shash(smp->tfm_cmac); 3286 crypto_free_kpp(smp->tfm_ecdh); 3287 kzfree(smp); 3288 } 3289 3290 l2cap_chan_put(chan); 3291 } 3292 3293 static ssize_t force_bredr_smp_read(struct file *file, 3294 char __user *user_buf, 3295 size_t count, loff_t *ppos) 3296 { 3297 struct hci_dev *hdev = file->private_data; 3298 char buf[3]; 3299 3300 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N'; 3301 buf[1] = '\n'; 3302 buf[2] = '\0'; 3303 return simple_read_from_buffer(user_buf, count, ppos, buf, 2); 3304 } 3305 3306 static ssize_t force_bredr_smp_write(struct file *file, 3307 const char __user *user_buf, 3308 size_t count, loff_t *ppos) 3309 { 3310 struct hci_dev *hdev = file->private_data; 3311 char buf[32]; 3312 size_t buf_size = min(count, (sizeof(buf)-1)); 3313 bool enable; 3314 3315 if (copy_from_user(buf, user_buf, buf_size)) 3316 return -EFAULT; 3317 3318 buf[buf_size] = '\0'; 3319 if (strtobool(buf, &enable)) 3320 return -EINVAL; 3321 3322 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3323 return -EALREADY; 3324 3325 if (enable) { 3326 struct l2cap_chan *chan; 3327 3328 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3329 if (IS_ERR(chan)) 3330 return PTR_ERR(chan); 3331 3332 hdev->smp_bredr_data = chan; 3333 } else { 3334 struct l2cap_chan *chan; 3335 3336 chan = hdev->smp_bredr_data; 3337 hdev->smp_bredr_data = NULL; 3338 smp_del_chan(chan); 3339 } 3340 3341 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3342 3343 return count; 3344 } 3345 3346 static const struct file_operations force_bredr_smp_fops = { 3347 .open = simple_open, 3348 .read = force_bredr_smp_read, 3349 .write = force_bredr_smp_write, 3350 .llseek = default_llseek, 3351 }; 3352 3353 static ssize_t le_min_key_size_read(struct file *file, 3354 char __user *user_buf, 3355 size_t count, loff_t *ppos) 3356 { 3357 struct hci_dev *hdev = file->private_data; 3358 char buf[4]; 3359 3360 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size); 3361 3362 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3363 } 3364 3365 static ssize_t le_min_key_size_write(struct file *file, 3366 const char __user *user_buf, 3367 size_t count, loff_t *ppos) 3368 { 3369 struct hci_dev *hdev = file->private_data; 3370 char buf[32]; 3371 size_t buf_size = min(count, (sizeof(buf) - 1)); 3372 u8 key_size; 3373 3374 if (copy_from_user(buf, user_buf, buf_size)) 3375 return -EFAULT; 3376 3377 buf[buf_size] = '\0'; 3378 3379 sscanf(buf, "%hhu", &key_size); 3380 3381 if (key_size > SMP_DEV(hdev)->max_key_size || 3382 key_size < SMP_MIN_ENC_KEY_SIZE) 3383 return -EINVAL; 3384 3385 SMP_DEV(hdev)->min_key_size = key_size; 3386 3387 return count; 3388 } 3389 3390 static const struct file_operations le_min_key_size_fops = { 3391 .open = simple_open, 3392 .read = le_min_key_size_read, 3393 .write = le_min_key_size_write, 3394 .llseek = default_llseek, 3395 }; 3396 3397 static ssize_t le_max_key_size_read(struct file *file, 3398 char __user *user_buf, 3399 size_t count, loff_t *ppos) 3400 { 3401 struct hci_dev *hdev = file->private_data; 3402 char buf[4]; 3403 3404 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size); 3405 3406 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3407 } 3408 3409 static ssize_t le_max_key_size_write(struct file *file, 3410 const char __user *user_buf, 3411 size_t count, loff_t *ppos) 3412 { 3413 struct hci_dev *hdev = file->private_data; 3414 char buf[32]; 3415 size_t buf_size = min(count, (sizeof(buf) - 1)); 3416 u8 key_size; 3417 3418 if (copy_from_user(buf, user_buf, buf_size)) 3419 return -EFAULT; 3420 3421 buf[buf_size] = '\0'; 3422 3423 sscanf(buf, "%hhu", &key_size); 3424 3425 if (key_size > SMP_MAX_ENC_KEY_SIZE || 3426 key_size < SMP_DEV(hdev)->min_key_size) 3427 return -EINVAL; 3428 3429 SMP_DEV(hdev)->max_key_size = key_size; 3430 3431 return count; 3432 } 3433 3434 static const struct file_operations le_max_key_size_fops = { 3435 .open = simple_open, 3436 .read = le_max_key_size_read, 3437 .write = le_max_key_size_write, 3438 .llseek = default_llseek, 3439 }; 3440 3441 int smp_register(struct hci_dev *hdev) 3442 { 3443 struct l2cap_chan *chan; 3444 3445 BT_DBG("%s", hdev->name); 3446 3447 /* If the controller does not support Low Energy operation, then 3448 * there is also no need to register any SMP channel. 3449 */ 3450 if (!lmp_le_capable(hdev)) 3451 return 0; 3452 3453 if (WARN_ON(hdev->smp_data)) { 3454 chan = hdev->smp_data; 3455 hdev->smp_data = NULL; 3456 smp_del_chan(chan); 3457 } 3458 3459 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3460 if (IS_ERR(chan)) 3461 return PTR_ERR(chan); 3462 3463 hdev->smp_data = chan; 3464 3465 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev, 3466 &le_min_key_size_fops); 3467 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev, 3468 &le_max_key_size_fops); 3469 3470 /* If the controller does not support BR/EDR Secure Connections 3471 * feature, then the BR/EDR SMP channel shall not be present. 3472 * 3473 * To test this with Bluetooth 4.0 controllers, create a debugfs 3474 * switch that allows forcing BR/EDR SMP support and accepting 3475 * cross-transport pairing on non-AES encrypted connections. 3476 */ 3477 if (!lmp_sc_capable(hdev)) { 3478 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs, 3479 hdev, &force_bredr_smp_fops); 3480 3481 /* Flag can be already set here (due to power toggle) */ 3482 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3483 return 0; 3484 } 3485 3486 if (WARN_ON(hdev->smp_bredr_data)) { 3487 chan = hdev->smp_bredr_data; 3488 hdev->smp_bredr_data = NULL; 3489 smp_del_chan(chan); 3490 } 3491 3492 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3493 if (IS_ERR(chan)) { 3494 int err = PTR_ERR(chan); 3495 chan = hdev->smp_data; 3496 hdev->smp_data = NULL; 3497 smp_del_chan(chan); 3498 return err; 3499 } 3500 3501 hdev->smp_bredr_data = chan; 3502 3503 return 0; 3504 } 3505 3506 void smp_unregister(struct hci_dev *hdev) 3507 { 3508 struct l2cap_chan *chan; 3509 3510 if (hdev->smp_bredr_data) { 3511 chan = hdev->smp_bredr_data; 3512 hdev->smp_bredr_data = NULL; 3513 smp_del_chan(chan); 3514 } 3515 3516 if (hdev->smp_data) { 3517 chan = hdev->smp_data; 3518 hdev->smp_data = NULL; 3519 smp_del_chan(chan); 3520 } 3521 } 3522 3523 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3524 3525 static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits) 3526 { 3527 int i; 3528 3529 for (i = 0; i < ndigits; i++) 3530 out[i] = __swab64(in[ndigits - 1 - i]); 3531 } 3532 3533 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh) 3534 { 3535 u8 pk[64], sk[32]; 3536 int err; 3537 3538 swap_digits((u64 *)debug_sk, (u64 *)sk, 4); 3539 3540 err = generate_ecdh_keys(tfm_ecdh, pk, sk); 3541 if (err) 3542 return err; 3543 3544 if (crypto_memneq(sk, debug_sk, 32)) 3545 return -EINVAL; 3546 3547 if (crypto_memneq(pk, debug_pk, 64)) 3548 return -EINVAL; 3549 3550 return 0; 3551 } 3552 3553 static int __init test_ah(struct crypto_cipher *tfm_aes) 3554 { 3555 const u8 irk[16] = { 3556 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3557 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3558 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3559 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3560 u8 res[3]; 3561 int err; 3562 3563 err = smp_ah(tfm_aes, irk, r, res); 3564 if (err) 3565 return err; 3566 3567 if (crypto_memneq(res, exp, 3)) 3568 return -EINVAL; 3569 3570 return 0; 3571 } 3572 3573 static int __init test_c1(struct crypto_cipher *tfm_aes) 3574 { 3575 const u8 k[16] = { 3576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3578 const u8 r[16] = { 3579 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3580 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3581 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3582 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3583 const u8 _iat = 0x01; 3584 const u8 _rat = 0x00; 3585 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3586 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3587 const u8 exp[16] = { 3588 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3589 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3590 u8 res[16]; 3591 int err; 3592 3593 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3594 if (err) 3595 return err; 3596 3597 if (crypto_memneq(res, exp, 16)) 3598 return -EINVAL; 3599 3600 return 0; 3601 } 3602 3603 static int __init test_s1(struct crypto_cipher *tfm_aes) 3604 { 3605 const u8 k[16] = { 3606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3607 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3608 const u8 r1[16] = { 3609 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3610 const u8 r2[16] = { 3611 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3612 const u8 exp[16] = { 3613 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3614 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3615 u8 res[16]; 3616 int err; 3617 3618 err = smp_s1(tfm_aes, k, r1, r2, res); 3619 if (err) 3620 return err; 3621 3622 if (crypto_memneq(res, exp, 16)) 3623 return -EINVAL; 3624 3625 return 0; 3626 } 3627 3628 static int __init test_f4(struct crypto_shash *tfm_cmac) 3629 { 3630 const u8 u[32] = { 3631 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3632 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3633 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3634 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3635 const u8 v[32] = { 3636 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3637 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3638 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3639 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3640 const u8 x[16] = { 3641 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3642 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3643 const u8 z = 0x00; 3644 const u8 exp[16] = { 3645 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3646 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3647 u8 res[16]; 3648 int err; 3649 3650 err = smp_f4(tfm_cmac, u, v, x, z, res); 3651 if (err) 3652 return err; 3653 3654 if (crypto_memneq(res, exp, 16)) 3655 return -EINVAL; 3656 3657 return 0; 3658 } 3659 3660 static int __init test_f5(struct crypto_shash *tfm_cmac) 3661 { 3662 const u8 w[32] = { 3663 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3664 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3665 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3666 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3667 const u8 n1[16] = { 3668 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3669 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3670 const u8 n2[16] = { 3671 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3672 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3673 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3674 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3675 const u8 exp_ltk[16] = { 3676 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3677 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3678 const u8 exp_mackey[16] = { 3679 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3680 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3681 u8 mackey[16], ltk[16]; 3682 int err; 3683 3684 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3685 if (err) 3686 return err; 3687 3688 if (crypto_memneq(mackey, exp_mackey, 16)) 3689 return -EINVAL; 3690 3691 if (crypto_memneq(ltk, exp_ltk, 16)) 3692 return -EINVAL; 3693 3694 return 0; 3695 } 3696 3697 static int __init test_f6(struct crypto_shash *tfm_cmac) 3698 { 3699 const u8 w[16] = { 3700 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3701 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3702 const u8 n1[16] = { 3703 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3704 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3705 const u8 n2[16] = { 3706 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3707 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3708 const u8 r[16] = { 3709 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3710 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3711 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3712 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3713 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3714 const u8 exp[16] = { 3715 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3716 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3717 u8 res[16]; 3718 int err; 3719 3720 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3721 if (err) 3722 return err; 3723 3724 if (crypto_memneq(res, exp, 16)) 3725 return -EINVAL; 3726 3727 return 0; 3728 } 3729 3730 static int __init test_g2(struct crypto_shash *tfm_cmac) 3731 { 3732 const u8 u[32] = { 3733 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3734 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3735 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3736 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3737 const u8 v[32] = { 3738 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3739 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3740 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3741 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3742 const u8 x[16] = { 3743 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3744 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3745 const u8 y[16] = { 3746 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3747 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3748 const u32 exp_val = 0x2f9ed5ba % 1000000; 3749 u32 val; 3750 int err; 3751 3752 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3753 if (err) 3754 return err; 3755 3756 if (val != exp_val) 3757 return -EINVAL; 3758 3759 return 0; 3760 } 3761 3762 static int __init test_h6(struct crypto_shash *tfm_cmac) 3763 { 3764 const u8 w[16] = { 3765 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3766 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3767 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3768 const u8 exp[16] = { 3769 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3770 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3771 u8 res[16]; 3772 int err; 3773 3774 err = smp_h6(tfm_cmac, w, key_id, res); 3775 if (err) 3776 return err; 3777 3778 if (crypto_memneq(res, exp, 16)) 3779 return -EINVAL; 3780 3781 return 0; 3782 } 3783 3784 static char test_smp_buffer[32]; 3785 3786 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3787 size_t count, loff_t *ppos) 3788 { 3789 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3790 strlen(test_smp_buffer)); 3791 } 3792 3793 static const struct file_operations test_smp_fops = { 3794 .open = simple_open, 3795 .read = test_smp_read, 3796 .llseek = default_llseek, 3797 }; 3798 3799 static int __init run_selftests(struct crypto_cipher *tfm_aes, 3800 struct crypto_shash *tfm_cmac, 3801 struct crypto_kpp *tfm_ecdh) 3802 { 3803 ktime_t calltime, delta, rettime; 3804 unsigned long long duration; 3805 int err; 3806 3807 calltime = ktime_get(); 3808 3809 err = test_debug_key(tfm_ecdh); 3810 if (err) { 3811 BT_ERR("debug_key test failed"); 3812 goto done; 3813 } 3814 3815 err = test_ah(tfm_aes); 3816 if (err) { 3817 BT_ERR("smp_ah test failed"); 3818 goto done; 3819 } 3820 3821 err = test_c1(tfm_aes); 3822 if (err) { 3823 BT_ERR("smp_c1 test failed"); 3824 goto done; 3825 } 3826 3827 err = test_s1(tfm_aes); 3828 if (err) { 3829 BT_ERR("smp_s1 test failed"); 3830 goto done; 3831 } 3832 3833 err = test_f4(tfm_cmac); 3834 if (err) { 3835 BT_ERR("smp_f4 test failed"); 3836 goto done; 3837 } 3838 3839 err = test_f5(tfm_cmac); 3840 if (err) { 3841 BT_ERR("smp_f5 test failed"); 3842 goto done; 3843 } 3844 3845 err = test_f6(tfm_cmac); 3846 if (err) { 3847 BT_ERR("smp_f6 test failed"); 3848 goto done; 3849 } 3850 3851 err = test_g2(tfm_cmac); 3852 if (err) { 3853 BT_ERR("smp_g2 test failed"); 3854 goto done; 3855 } 3856 3857 err = test_h6(tfm_cmac); 3858 if (err) { 3859 BT_ERR("smp_h6 test failed"); 3860 goto done; 3861 } 3862 3863 rettime = ktime_get(); 3864 delta = ktime_sub(rettime, calltime); 3865 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3866 3867 BT_INFO("SMP test passed in %llu usecs", duration); 3868 3869 done: 3870 if (!err) 3871 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3872 "PASS (%llu usecs)\n", duration); 3873 else 3874 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3875 3876 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3877 &test_smp_fops); 3878 3879 return err; 3880 } 3881 3882 int __init bt_selftest_smp(void) 3883 { 3884 struct crypto_cipher *tfm_aes; 3885 struct crypto_shash *tfm_cmac; 3886 struct crypto_kpp *tfm_ecdh; 3887 int err; 3888 3889 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 3890 if (IS_ERR(tfm_aes)) { 3891 BT_ERR("Unable to create AES crypto context"); 3892 return PTR_ERR(tfm_aes); 3893 } 3894 3895 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 3896 if (IS_ERR(tfm_cmac)) { 3897 BT_ERR("Unable to create CMAC crypto context"); 3898 crypto_free_cipher(tfm_aes); 3899 return PTR_ERR(tfm_cmac); 3900 } 3901 3902 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 3903 if (IS_ERR(tfm_ecdh)) { 3904 BT_ERR("Unable to create ECDH crypto context"); 3905 crypto_free_shash(tfm_cmac); 3906 crypto_free_cipher(tfm_aes); 3907 return PTR_ERR(tfm_ecdh); 3908 } 3909 3910 err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh); 3911 3912 crypto_free_shash(tfm_cmac); 3913 crypto_free_cipher(tfm_aes); 3914 crypto_free_kpp(tfm_ecdh); 3915 3916 return err; 3917 } 3918 3919 #endif 3920