1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/scatterlist.h> 25 #include <linux/crypto.h> 26 #include <crypto/algapi.h> 27 #include <crypto/b128ops.h> 28 #include <crypto/hash.h> 29 #include <crypto/kpp.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "ecdh_helper.h" 37 #include "smp.h" 38 39 #define SMP_DEV(hdev) \ 40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 41 42 /* Low-level debug macros to be used for stuff that we don't want 43 * accidentially in dmesg, i.e. the values of the various crypto keys 44 * and the inputs & outputs of crypto functions. 45 */ 46 #ifdef DEBUG 47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 48 ##__VA_ARGS__) 49 #else 50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 51 ##__VA_ARGS__) 52 #endif 53 54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 55 56 /* Keys which are not distributed with Secure Connections */ 57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY); 58 59 #define SMP_TIMEOUT msecs_to_jiffies(30000) 60 61 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 62 0x3f : 0x07) 63 #define KEY_DIST_MASK 0x07 64 65 /* Maximum message length that can be passed to aes_cmac */ 66 #define CMAC_MSG_MAX 80 67 68 enum { 69 SMP_FLAG_TK_VALID, 70 SMP_FLAG_CFM_PENDING, 71 SMP_FLAG_MITM_AUTH, 72 SMP_FLAG_COMPLETE, 73 SMP_FLAG_INITIATOR, 74 SMP_FLAG_SC, 75 SMP_FLAG_REMOTE_PK, 76 SMP_FLAG_DEBUG_KEY, 77 SMP_FLAG_WAIT_USER, 78 SMP_FLAG_DHKEY_PENDING, 79 SMP_FLAG_REMOTE_OOB, 80 SMP_FLAG_LOCAL_OOB, 81 SMP_FLAG_CT2, 82 }; 83 84 struct smp_dev { 85 /* Secure Connections OOB data */ 86 u8 local_pk[64]; 87 u8 local_rand[16]; 88 bool debug_key; 89 90 u8 min_key_size; 91 u8 max_key_size; 92 93 struct crypto_cipher *tfm_aes; 94 struct crypto_shash *tfm_cmac; 95 struct crypto_kpp *tfm_ecdh; 96 }; 97 98 struct smp_chan { 99 struct l2cap_conn *conn; 100 struct delayed_work security_timer; 101 unsigned long allow_cmd; /* Bitmask of allowed commands */ 102 103 u8 preq[7]; /* SMP Pairing Request */ 104 u8 prsp[7]; /* SMP Pairing Response */ 105 u8 prnd[16]; /* SMP Pairing Random (local) */ 106 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 107 u8 pcnf[16]; /* SMP Pairing Confirm */ 108 u8 tk[16]; /* SMP Temporary Key */ 109 u8 rr[16]; /* Remote OOB ra/rb value */ 110 u8 lr[16]; /* Local OOB ra/rb value */ 111 u8 enc_key_size; 112 u8 remote_key_dist; 113 bdaddr_t id_addr; 114 u8 id_addr_type; 115 u8 irk[16]; 116 struct smp_csrk *csrk; 117 struct smp_csrk *slave_csrk; 118 struct smp_ltk *ltk; 119 struct smp_ltk *slave_ltk; 120 struct smp_irk *remote_irk; 121 u8 *link_key; 122 unsigned long flags; 123 u8 method; 124 u8 passkey_round; 125 126 /* Secure Connections variables */ 127 u8 local_pk[64]; 128 u8 remote_pk[64]; 129 u8 dhkey[32]; 130 u8 mackey[16]; 131 132 struct crypto_cipher *tfm_aes; 133 struct crypto_shash *tfm_cmac; 134 struct crypto_kpp *tfm_ecdh; 135 }; 136 137 /* These debug key values are defined in the SMP section of the core 138 * specification. debug_pk is the public debug key and debug_sk the 139 * private debug key. 140 */ 141 static const u8 debug_pk[64] = { 142 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 143 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 144 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 145 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 146 147 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 148 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 149 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 150 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 151 }; 152 153 static const u8 debug_sk[32] = { 154 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 155 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 156 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 157 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 158 }; 159 160 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 161 { 162 size_t i; 163 164 for (i = 0; i < len; i++) 165 dst[len - 1 - i] = src[i]; 166 } 167 168 /* The following functions map to the LE SC SMP crypto functions 169 * AES-CMAC, f4, f5, f6, g2 and h6. 170 */ 171 172 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m, 173 size_t len, u8 mac[16]) 174 { 175 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 176 SHASH_DESC_ON_STACK(desc, tfm); 177 int err; 178 179 if (len > CMAC_MSG_MAX) 180 return -EFBIG; 181 182 if (!tfm) { 183 BT_ERR("tfm %p", tfm); 184 return -EINVAL; 185 } 186 187 desc->tfm = tfm; 188 desc->flags = 0; 189 190 /* Swap key and message from LSB to MSB */ 191 swap_buf(k, tmp, 16); 192 swap_buf(m, msg_msb, len); 193 194 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 195 SMP_DBG("key %16phN", k); 196 197 err = crypto_shash_setkey(tfm, tmp, 16); 198 if (err) { 199 BT_ERR("cipher setkey failed: %d", err); 200 return err; 201 } 202 203 err = crypto_shash_digest(desc, msg_msb, len, mac_msb); 204 shash_desc_zero(desc); 205 if (err) { 206 BT_ERR("Hash computation error %d", err); 207 return err; 208 } 209 210 swap_buf(mac_msb, mac, 16); 211 212 SMP_DBG("mac %16phN", mac); 213 214 return 0; 215 } 216 217 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32], 218 const u8 v[32], const u8 x[16], u8 z, u8 res[16]) 219 { 220 u8 m[65]; 221 int err; 222 223 SMP_DBG("u %32phN", u); 224 SMP_DBG("v %32phN", v); 225 SMP_DBG("x %16phN z %02x", x, z); 226 227 m[0] = z; 228 memcpy(m + 1, v, 32); 229 memcpy(m + 33, u, 32); 230 231 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 232 if (err) 233 return err; 234 235 SMP_DBG("res %16phN", res); 236 237 return err; 238 } 239 240 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32], 241 const u8 n1[16], const u8 n2[16], const u8 a1[7], 242 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 243 { 244 /* The btle, salt and length "magic" values are as defined in 245 * the SMP section of the Bluetooth core specification. In ASCII 246 * the btle value ends up being 'btle'. The salt is just a 247 * random number whereas length is the value 256 in little 248 * endian format. 249 */ 250 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 251 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 252 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 253 const u8 length[2] = { 0x00, 0x01 }; 254 u8 m[53], t[16]; 255 int err; 256 257 SMP_DBG("w %32phN", w); 258 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 259 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 260 261 err = aes_cmac(tfm_cmac, salt, w, 32, t); 262 if (err) 263 return err; 264 265 SMP_DBG("t %16phN", t); 266 267 memcpy(m, length, 2); 268 memcpy(m + 2, a2, 7); 269 memcpy(m + 9, a1, 7); 270 memcpy(m + 16, n2, 16); 271 memcpy(m + 32, n1, 16); 272 memcpy(m + 48, btle, 4); 273 274 m[52] = 0; /* Counter */ 275 276 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 277 if (err) 278 return err; 279 280 SMP_DBG("mackey %16phN", mackey); 281 282 m[52] = 1; /* Counter */ 283 284 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 285 if (err) 286 return err; 287 288 SMP_DBG("ltk %16phN", ltk); 289 290 return 0; 291 } 292 293 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16], 294 const u8 n1[16], const u8 n2[16], const u8 r[16], 295 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 296 u8 res[16]) 297 { 298 u8 m[65]; 299 int err; 300 301 SMP_DBG("w %16phN", w); 302 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 303 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 304 305 memcpy(m, a2, 7); 306 memcpy(m + 7, a1, 7); 307 memcpy(m + 14, io_cap, 3); 308 memcpy(m + 17, r, 16); 309 memcpy(m + 33, n2, 16); 310 memcpy(m + 49, n1, 16); 311 312 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 313 if (err) 314 return err; 315 316 SMP_DBG("res %16phN", res); 317 318 return err; 319 } 320 321 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32], 322 const u8 x[16], const u8 y[16], u32 *val) 323 { 324 u8 m[80], tmp[16]; 325 int err; 326 327 SMP_DBG("u %32phN", u); 328 SMP_DBG("v %32phN", v); 329 SMP_DBG("x %16phN y %16phN", x, y); 330 331 memcpy(m, y, 16); 332 memcpy(m + 16, v, 32); 333 memcpy(m + 48, u, 32); 334 335 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 336 if (err) 337 return err; 338 339 *val = get_unaligned_le32(tmp); 340 *val %= 1000000; 341 342 SMP_DBG("val %06u", *val); 343 344 return 0; 345 } 346 347 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16], 348 const u8 key_id[4], u8 res[16]) 349 { 350 int err; 351 352 SMP_DBG("w %16phN key_id %4phN", w, key_id); 353 354 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 355 if (err) 356 return err; 357 358 SMP_DBG("res %16phN", res); 359 360 return err; 361 } 362 363 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16], 364 const u8 salt[16], u8 res[16]) 365 { 366 int err; 367 368 SMP_DBG("w %16phN salt %16phN", w, salt); 369 370 err = aes_cmac(tfm_cmac, salt, w, 16, res); 371 if (err) 372 return err; 373 374 SMP_DBG("res %16phN", res); 375 376 return err; 377 } 378 379 /* The following functions map to the legacy SMP crypto functions e, c1, 380 * s1 and ah. 381 */ 382 383 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r) 384 { 385 uint8_t tmp[16], data[16]; 386 int err; 387 388 SMP_DBG("k %16phN r %16phN", k, r); 389 390 if (!tfm) { 391 BT_ERR("tfm %p", tfm); 392 return -EINVAL; 393 } 394 395 /* The most significant octet of key corresponds to k[0] */ 396 swap_buf(k, tmp, 16); 397 398 err = crypto_cipher_setkey(tfm, tmp, 16); 399 if (err) { 400 BT_ERR("cipher setkey failed: %d", err); 401 return err; 402 } 403 404 /* Most significant octet of plaintextData corresponds to data[0] */ 405 swap_buf(r, data, 16); 406 407 crypto_cipher_encrypt_one(tfm, data, data); 408 409 /* Most significant octet of encryptedData corresponds to data[0] */ 410 swap_buf(data, r, 16); 411 412 SMP_DBG("r %16phN", r); 413 414 return err; 415 } 416 417 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16], 418 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 419 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 420 { 421 u8 p1[16], p2[16]; 422 int err; 423 424 SMP_DBG("k %16phN r %16phN", k, r); 425 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 426 SMP_DBG("preq %7phN pres %7phN", preq, pres); 427 428 memset(p1, 0, 16); 429 430 /* p1 = pres || preq || _rat || _iat */ 431 p1[0] = _iat; 432 p1[1] = _rat; 433 memcpy(p1 + 2, preq, 7); 434 memcpy(p1 + 9, pres, 7); 435 436 SMP_DBG("p1 %16phN", p1); 437 438 /* res = r XOR p1 */ 439 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 440 441 /* res = e(k, res) */ 442 err = smp_e(tfm_aes, k, res); 443 if (err) { 444 BT_ERR("Encrypt data error"); 445 return err; 446 } 447 448 /* p2 = padding || ia || ra */ 449 memcpy(p2, ra, 6); 450 memcpy(p2 + 6, ia, 6); 451 memset(p2 + 12, 0, 4); 452 453 SMP_DBG("p2 %16phN", p2); 454 455 /* res = res XOR p2 */ 456 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 457 458 /* res = e(k, res) */ 459 err = smp_e(tfm_aes, k, res); 460 if (err) 461 BT_ERR("Encrypt data error"); 462 463 return err; 464 } 465 466 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16], 467 const u8 r1[16], const u8 r2[16], u8 _r[16]) 468 { 469 int err; 470 471 /* Just least significant octets from r1 and r2 are considered */ 472 memcpy(_r, r2, 8); 473 memcpy(_r + 8, r1, 8); 474 475 err = smp_e(tfm_aes, k, _r); 476 if (err) 477 BT_ERR("Encrypt data error"); 478 479 return err; 480 } 481 482 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16], 483 const u8 r[3], u8 res[3]) 484 { 485 u8 _res[16]; 486 int err; 487 488 /* r' = padding || r */ 489 memcpy(_res, r, 3); 490 memset(_res + 3, 0, 13); 491 492 err = smp_e(tfm, irk, _res); 493 if (err) { 494 BT_ERR("Encrypt error"); 495 return err; 496 } 497 498 /* The output of the random address function ah is: 499 * ah(k, r) = e(k, r') mod 2^24 500 * The output of the security function e is then truncated to 24 bits 501 * by taking the least significant 24 bits of the output of e as the 502 * result of ah. 503 */ 504 memcpy(res, _res, 3); 505 506 return 0; 507 } 508 509 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 510 const bdaddr_t *bdaddr) 511 { 512 struct l2cap_chan *chan = hdev->smp_data; 513 struct smp_dev *smp; 514 u8 hash[3]; 515 int err; 516 517 if (!chan || !chan->data) 518 return false; 519 520 smp = chan->data; 521 522 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 523 524 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash); 525 if (err) 526 return false; 527 528 return !crypto_memneq(bdaddr->b, hash, 3); 529 } 530 531 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 532 { 533 struct l2cap_chan *chan = hdev->smp_data; 534 struct smp_dev *smp; 535 int err; 536 537 if (!chan || !chan->data) 538 return -EOPNOTSUPP; 539 540 smp = chan->data; 541 542 get_random_bytes(&rpa->b[3], 3); 543 544 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 545 rpa->b[5] |= 0x40; /* Set second most significant bit */ 546 547 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b); 548 if (err < 0) 549 return err; 550 551 BT_DBG("RPA %pMR", rpa); 552 553 return 0; 554 } 555 556 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 557 { 558 struct l2cap_chan *chan = hdev->smp_data; 559 struct smp_dev *smp; 560 int err; 561 562 if (!chan || !chan->data) 563 return -EOPNOTSUPP; 564 565 smp = chan->data; 566 567 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 568 BT_DBG("Using debug keys"); 569 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk); 570 if (err) 571 return err; 572 memcpy(smp->local_pk, debug_pk, 64); 573 smp->debug_key = true; 574 } else { 575 while (true) { 576 /* Generate key pair for Secure Connections */ 577 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk); 578 if (err) 579 return err; 580 581 /* This is unlikely, but we need to check that 582 * we didn't accidentially generate a debug key. 583 */ 584 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 585 break; 586 } 587 smp->debug_key = false; 588 } 589 590 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 591 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 592 593 get_random_bytes(smp->local_rand, 16); 594 595 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 596 smp->local_rand, 0, hash); 597 if (err < 0) 598 return err; 599 600 memcpy(rand, smp->local_rand, 16); 601 602 return 0; 603 } 604 605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 606 { 607 struct l2cap_chan *chan = conn->smp; 608 struct smp_chan *smp; 609 struct kvec iv[2]; 610 struct msghdr msg; 611 612 if (!chan) 613 return; 614 615 BT_DBG("code 0x%2.2x", code); 616 617 iv[0].iov_base = &code; 618 iv[0].iov_len = 1; 619 620 iv[1].iov_base = data; 621 iv[1].iov_len = len; 622 623 memset(&msg, 0, sizeof(msg)); 624 625 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len); 626 627 l2cap_chan_send(chan, &msg, 1 + len); 628 629 if (!chan->data) 630 return; 631 632 smp = chan->data; 633 634 cancel_delayed_work_sync(&smp->security_timer); 635 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 636 } 637 638 static u8 authreq_to_seclevel(u8 authreq) 639 { 640 if (authreq & SMP_AUTH_MITM) { 641 if (authreq & SMP_AUTH_SC) 642 return BT_SECURITY_FIPS; 643 else 644 return BT_SECURITY_HIGH; 645 } else { 646 return BT_SECURITY_MEDIUM; 647 } 648 } 649 650 static __u8 seclevel_to_authreq(__u8 sec_level) 651 { 652 switch (sec_level) { 653 case BT_SECURITY_FIPS: 654 case BT_SECURITY_HIGH: 655 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 656 case BT_SECURITY_MEDIUM: 657 return SMP_AUTH_BONDING; 658 default: 659 return SMP_AUTH_NONE; 660 } 661 } 662 663 static void build_pairing_cmd(struct l2cap_conn *conn, 664 struct smp_cmd_pairing *req, 665 struct smp_cmd_pairing *rsp, __u8 authreq) 666 { 667 struct l2cap_chan *chan = conn->smp; 668 struct smp_chan *smp = chan->data; 669 struct hci_conn *hcon = conn->hcon; 670 struct hci_dev *hdev = hcon->hdev; 671 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 672 673 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 674 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 675 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 676 authreq |= SMP_AUTH_BONDING; 677 } else { 678 authreq &= ~SMP_AUTH_BONDING; 679 } 680 681 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 682 remote_dist |= SMP_DIST_ID_KEY; 683 684 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 685 local_dist |= SMP_DIST_ID_KEY; 686 687 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 688 (authreq & SMP_AUTH_SC)) { 689 struct oob_data *oob_data; 690 u8 bdaddr_type; 691 692 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 693 local_dist |= SMP_DIST_LINK_KEY; 694 remote_dist |= SMP_DIST_LINK_KEY; 695 } 696 697 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 698 bdaddr_type = BDADDR_LE_PUBLIC; 699 else 700 bdaddr_type = BDADDR_LE_RANDOM; 701 702 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 703 bdaddr_type); 704 if (oob_data && oob_data->present) { 705 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 706 oob_flag = SMP_OOB_PRESENT; 707 memcpy(smp->rr, oob_data->rand256, 16); 708 memcpy(smp->pcnf, oob_data->hash256, 16); 709 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 710 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 711 } 712 713 } else { 714 authreq &= ~SMP_AUTH_SC; 715 } 716 717 if (rsp == NULL) { 718 req->io_capability = conn->hcon->io_capability; 719 req->oob_flag = oob_flag; 720 req->max_key_size = SMP_DEV(hdev)->max_key_size; 721 req->init_key_dist = local_dist; 722 req->resp_key_dist = remote_dist; 723 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 724 725 smp->remote_key_dist = remote_dist; 726 return; 727 } 728 729 rsp->io_capability = conn->hcon->io_capability; 730 rsp->oob_flag = oob_flag; 731 rsp->max_key_size = SMP_DEV(hdev)->max_key_size; 732 rsp->init_key_dist = req->init_key_dist & remote_dist; 733 rsp->resp_key_dist = req->resp_key_dist & local_dist; 734 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 735 736 smp->remote_key_dist = rsp->init_key_dist; 737 } 738 739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 740 { 741 struct l2cap_chan *chan = conn->smp; 742 struct hci_dev *hdev = conn->hcon->hdev; 743 struct smp_chan *smp = chan->data; 744 745 if (max_key_size > SMP_DEV(hdev)->max_key_size || 746 max_key_size < SMP_MIN_ENC_KEY_SIZE) 747 return SMP_ENC_KEY_SIZE; 748 749 smp->enc_key_size = max_key_size; 750 751 return 0; 752 } 753 754 static void smp_chan_destroy(struct l2cap_conn *conn) 755 { 756 struct l2cap_chan *chan = conn->smp; 757 struct smp_chan *smp = chan->data; 758 struct hci_conn *hcon = conn->hcon; 759 bool complete; 760 761 BUG_ON(!smp); 762 763 cancel_delayed_work_sync(&smp->security_timer); 764 765 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 766 mgmt_smp_complete(hcon, complete); 767 768 kzfree(smp->csrk); 769 kzfree(smp->slave_csrk); 770 kzfree(smp->link_key); 771 772 crypto_free_cipher(smp->tfm_aes); 773 crypto_free_shash(smp->tfm_cmac); 774 crypto_free_kpp(smp->tfm_ecdh); 775 776 /* Ensure that we don't leave any debug key around if debug key 777 * support hasn't been explicitly enabled. 778 */ 779 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 780 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 781 list_del_rcu(&smp->ltk->list); 782 kfree_rcu(smp->ltk, rcu); 783 smp->ltk = NULL; 784 } 785 786 /* If pairing failed clean up any keys we might have */ 787 if (!complete) { 788 if (smp->ltk) { 789 list_del_rcu(&smp->ltk->list); 790 kfree_rcu(smp->ltk, rcu); 791 } 792 793 if (smp->slave_ltk) { 794 list_del_rcu(&smp->slave_ltk->list); 795 kfree_rcu(smp->slave_ltk, rcu); 796 } 797 798 if (smp->remote_irk) { 799 list_del_rcu(&smp->remote_irk->list); 800 kfree_rcu(smp->remote_irk, rcu); 801 } 802 } 803 804 chan->data = NULL; 805 kzfree(smp); 806 hci_conn_drop(hcon); 807 } 808 809 static void smp_failure(struct l2cap_conn *conn, u8 reason) 810 { 811 struct hci_conn *hcon = conn->hcon; 812 struct l2cap_chan *chan = conn->smp; 813 814 if (reason) 815 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 816 &reason); 817 818 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 819 820 if (chan->data) 821 smp_chan_destroy(conn); 822 } 823 824 #define JUST_WORKS 0x00 825 #define JUST_CFM 0x01 826 #define REQ_PASSKEY 0x02 827 #define CFM_PASSKEY 0x03 828 #define REQ_OOB 0x04 829 #define DSP_PASSKEY 0x05 830 #define OVERLAP 0xFF 831 832 static const u8 gen_method[5][5] = { 833 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 834 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 835 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 836 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 837 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 838 }; 839 840 static const u8 sc_method[5][5] = { 841 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 842 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 843 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 844 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 845 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 846 }; 847 848 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 849 { 850 /* If either side has unknown io_caps, use JUST_CFM (which gets 851 * converted later to JUST_WORKS if we're initiators. 852 */ 853 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 854 remote_io > SMP_IO_KEYBOARD_DISPLAY) 855 return JUST_CFM; 856 857 if (test_bit(SMP_FLAG_SC, &smp->flags)) 858 return sc_method[remote_io][local_io]; 859 860 return gen_method[remote_io][local_io]; 861 } 862 863 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 864 u8 local_io, u8 remote_io) 865 { 866 struct hci_conn *hcon = conn->hcon; 867 struct l2cap_chan *chan = conn->smp; 868 struct smp_chan *smp = chan->data; 869 u32 passkey = 0; 870 int ret = 0; 871 872 /* Initialize key for JUST WORKS */ 873 memset(smp->tk, 0, sizeof(smp->tk)); 874 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 875 876 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 877 878 /* If neither side wants MITM, either "just" confirm an incoming 879 * request or use just-works for outgoing ones. The JUST_CFM 880 * will be converted to JUST_WORKS if necessary later in this 881 * function. If either side has MITM look up the method from the 882 * table. 883 */ 884 if (!(auth & SMP_AUTH_MITM)) 885 smp->method = JUST_CFM; 886 else 887 smp->method = get_auth_method(smp, local_io, remote_io); 888 889 /* Don't confirm locally initiated pairing attempts */ 890 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 891 &smp->flags)) 892 smp->method = JUST_WORKS; 893 894 /* Don't bother user space with no IO capabilities */ 895 if (smp->method == JUST_CFM && 896 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 897 smp->method = JUST_WORKS; 898 899 /* If Just Works, Continue with Zero TK */ 900 if (smp->method == JUST_WORKS) { 901 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 902 return 0; 903 } 904 905 /* If this function is used for SC -> legacy fallback we 906 * can only recover the just-works case. 907 */ 908 if (test_bit(SMP_FLAG_SC, &smp->flags)) 909 return -EINVAL; 910 911 /* Not Just Works/Confirm results in MITM Authentication */ 912 if (smp->method != JUST_CFM) { 913 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 914 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 915 hcon->pending_sec_level = BT_SECURITY_HIGH; 916 } 917 918 /* If both devices have Keyoard-Display I/O, the master 919 * Confirms and the slave Enters the passkey. 920 */ 921 if (smp->method == OVERLAP) { 922 if (hcon->role == HCI_ROLE_MASTER) 923 smp->method = CFM_PASSKEY; 924 else 925 smp->method = REQ_PASSKEY; 926 } 927 928 /* Generate random passkey. */ 929 if (smp->method == CFM_PASSKEY) { 930 memset(smp->tk, 0, sizeof(smp->tk)); 931 get_random_bytes(&passkey, sizeof(passkey)); 932 passkey %= 1000000; 933 put_unaligned_le32(passkey, smp->tk); 934 BT_DBG("PassKey: %d", passkey); 935 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 936 } 937 938 if (smp->method == REQ_PASSKEY) 939 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 940 hcon->type, hcon->dst_type); 941 else if (smp->method == JUST_CFM) 942 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 943 hcon->type, hcon->dst_type, 944 passkey, 1); 945 else 946 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 947 hcon->type, hcon->dst_type, 948 passkey, 0); 949 950 return ret; 951 } 952 953 static u8 smp_confirm(struct smp_chan *smp) 954 { 955 struct l2cap_conn *conn = smp->conn; 956 struct smp_cmd_pairing_confirm cp; 957 int ret; 958 959 BT_DBG("conn %p", conn); 960 961 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp, 962 conn->hcon->init_addr_type, &conn->hcon->init_addr, 963 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 964 cp.confirm_val); 965 if (ret) 966 return SMP_UNSPECIFIED; 967 968 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 969 970 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 971 972 if (conn->hcon->out) 973 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 974 else 975 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 976 977 return 0; 978 } 979 980 static u8 smp_random(struct smp_chan *smp) 981 { 982 struct l2cap_conn *conn = smp->conn; 983 struct hci_conn *hcon = conn->hcon; 984 u8 confirm[16]; 985 int ret; 986 987 if (IS_ERR_OR_NULL(smp->tfm_aes)) 988 return SMP_UNSPECIFIED; 989 990 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 991 992 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp, 993 hcon->init_addr_type, &hcon->init_addr, 994 hcon->resp_addr_type, &hcon->resp_addr, confirm); 995 if (ret) 996 return SMP_UNSPECIFIED; 997 998 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 999 BT_ERR("Pairing failed (confirmation values mismatch)"); 1000 return SMP_CONFIRM_FAILED; 1001 } 1002 1003 if (hcon->out) { 1004 u8 stk[16]; 1005 __le64 rand = 0; 1006 __le16 ediv = 0; 1007 1008 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk); 1009 1010 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1011 return SMP_UNSPECIFIED; 1012 1013 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 1014 hcon->enc_key_size = smp->enc_key_size; 1015 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 1016 } else { 1017 u8 stk[16], auth; 1018 __le64 rand = 0; 1019 __le16 ediv = 0; 1020 1021 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1022 smp->prnd); 1023 1024 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk); 1025 1026 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1027 auth = 1; 1028 else 1029 auth = 0; 1030 1031 /* Even though there's no _SLAVE suffix this is the 1032 * slave STK we're adding for later lookup (the master 1033 * STK never needs to be stored). 1034 */ 1035 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1036 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1037 } 1038 1039 return 0; 1040 } 1041 1042 static void smp_notify_keys(struct l2cap_conn *conn) 1043 { 1044 struct l2cap_chan *chan = conn->smp; 1045 struct smp_chan *smp = chan->data; 1046 struct hci_conn *hcon = conn->hcon; 1047 struct hci_dev *hdev = hcon->hdev; 1048 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1049 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1050 bool persistent; 1051 1052 if (hcon->type == ACL_LINK) { 1053 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1054 persistent = false; 1055 else 1056 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1057 &hcon->flags); 1058 } else { 1059 /* The LTKs, IRKs and CSRKs should be persistent only if 1060 * both sides had the bonding bit set in their 1061 * authentication requests. 1062 */ 1063 persistent = !!((req->auth_req & rsp->auth_req) & 1064 SMP_AUTH_BONDING); 1065 } 1066 1067 if (smp->remote_irk) { 1068 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1069 1070 /* Now that user space can be considered to know the 1071 * identity address track the connection based on it 1072 * from now on (assuming this is an LE link). 1073 */ 1074 if (hcon->type == LE_LINK) { 1075 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1076 hcon->dst_type = smp->remote_irk->addr_type; 1077 queue_work(hdev->workqueue, &conn->id_addr_update_work); 1078 } 1079 } 1080 1081 if (smp->csrk) { 1082 smp->csrk->bdaddr_type = hcon->dst_type; 1083 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1084 mgmt_new_csrk(hdev, smp->csrk, persistent); 1085 } 1086 1087 if (smp->slave_csrk) { 1088 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1089 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1090 mgmt_new_csrk(hdev, smp->slave_csrk, persistent); 1091 } 1092 1093 if (smp->ltk) { 1094 smp->ltk->bdaddr_type = hcon->dst_type; 1095 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1096 mgmt_new_ltk(hdev, smp->ltk, persistent); 1097 } 1098 1099 if (smp->slave_ltk) { 1100 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1101 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1102 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1103 } 1104 1105 if (smp->link_key) { 1106 struct link_key *key; 1107 u8 type; 1108 1109 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1110 type = HCI_LK_DEBUG_COMBINATION; 1111 else if (hcon->sec_level == BT_SECURITY_FIPS) 1112 type = HCI_LK_AUTH_COMBINATION_P256; 1113 else 1114 type = HCI_LK_UNAUTH_COMBINATION_P256; 1115 1116 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1117 smp->link_key, type, 0, &persistent); 1118 if (key) { 1119 mgmt_new_link_key(hdev, key, persistent); 1120 1121 /* Don't keep debug keys around if the relevant 1122 * flag is not set. 1123 */ 1124 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1125 key->type == HCI_LK_DEBUG_COMBINATION) { 1126 list_del_rcu(&key->list); 1127 kfree_rcu(key, rcu); 1128 } 1129 } 1130 } 1131 } 1132 1133 static void sc_add_ltk(struct smp_chan *smp) 1134 { 1135 struct hci_conn *hcon = smp->conn->hcon; 1136 u8 key_type, auth; 1137 1138 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1139 key_type = SMP_LTK_P256_DEBUG; 1140 else 1141 key_type = SMP_LTK_P256; 1142 1143 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1144 auth = 1; 1145 else 1146 auth = 0; 1147 1148 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1149 key_type, auth, smp->tk, smp->enc_key_size, 1150 0, 0); 1151 } 1152 1153 static void sc_generate_link_key(struct smp_chan *smp) 1154 { 1155 /* From core spec. Spells out in ASCII as 'lebr'. */ 1156 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1157 1158 smp->link_key = kzalloc(16, GFP_KERNEL); 1159 if (!smp->link_key) 1160 return; 1161 1162 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1163 /* SALT = 0x00000000000000000000000000000000746D7031 */ 1164 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1165 1166 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) { 1167 kzfree(smp->link_key); 1168 smp->link_key = NULL; 1169 return; 1170 } 1171 } else { 1172 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1173 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1174 1175 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1176 kzfree(smp->link_key); 1177 smp->link_key = NULL; 1178 return; 1179 } 1180 } 1181 1182 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1183 kzfree(smp->link_key); 1184 smp->link_key = NULL; 1185 return; 1186 } 1187 } 1188 1189 static void smp_allow_key_dist(struct smp_chan *smp) 1190 { 1191 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1192 * will be allowed in each PDU handler to ensure we receive 1193 * them in the correct order. 1194 */ 1195 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1196 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1197 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1198 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1199 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1200 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1201 } 1202 1203 static void sc_generate_ltk(struct smp_chan *smp) 1204 { 1205 /* From core spec. Spells out in ASCII as 'brle'. */ 1206 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1207 struct hci_conn *hcon = smp->conn->hcon; 1208 struct hci_dev *hdev = hcon->hdev; 1209 struct link_key *key; 1210 1211 key = hci_find_link_key(hdev, &hcon->dst); 1212 if (!key) { 1213 BT_ERR("%s No Link Key found to generate LTK", hdev->name); 1214 return; 1215 } 1216 1217 if (key->type == HCI_LK_DEBUG_COMBINATION) 1218 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1219 1220 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1221 /* SALT = 0x00000000000000000000000000000000746D7032 */ 1222 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 }; 1223 1224 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk)) 1225 return; 1226 } else { 1227 /* From core spec. Spells out in ASCII as 'tmp2'. */ 1228 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1229 1230 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1231 return; 1232 } 1233 1234 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1235 return; 1236 1237 sc_add_ltk(smp); 1238 } 1239 1240 static void smp_distribute_keys(struct smp_chan *smp) 1241 { 1242 struct smp_cmd_pairing *req, *rsp; 1243 struct l2cap_conn *conn = smp->conn; 1244 struct hci_conn *hcon = conn->hcon; 1245 struct hci_dev *hdev = hcon->hdev; 1246 __u8 *keydist; 1247 1248 BT_DBG("conn %p", conn); 1249 1250 rsp = (void *) &smp->prsp[1]; 1251 1252 /* The responder sends its keys first */ 1253 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1254 smp_allow_key_dist(smp); 1255 return; 1256 } 1257 1258 req = (void *) &smp->preq[1]; 1259 1260 if (hcon->out) { 1261 keydist = &rsp->init_key_dist; 1262 *keydist &= req->init_key_dist; 1263 } else { 1264 keydist = &rsp->resp_key_dist; 1265 *keydist &= req->resp_key_dist; 1266 } 1267 1268 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1269 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1270 sc_generate_link_key(smp); 1271 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1272 sc_generate_ltk(smp); 1273 1274 /* Clear the keys which are generated but not distributed */ 1275 *keydist &= ~SMP_SC_NO_DIST; 1276 } 1277 1278 BT_DBG("keydist 0x%x", *keydist); 1279 1280 if (*keydist & SMP_DIST_ENC_KEY) { 1281 struct smp_cmd_encrypt_info enc; 1282 struct smp_cmd_master_ident ident; 1283 struct smp_ltk *ltk; 1284 u8 authenticated; 1285 __le16 ediv; 1286 __le64 rand; 1287 1288 /* Make sure we generate only the significant amount of 1289 * bytes based on the encryption key size, and set the rest 1290 * of the value to zeroes. 1291 */ 1292 get_random_bytes(enc.ltk, smp->enc_key_size); 1293 memset(enc.ltk + smp->enc_key_size, 0, 1294 sizeof(enc.ltk) - smp->enc_key_size); 1295 1296 get_random_bytes(&ediv, sizeof(ediv)); 1297 get_random_bytes(&rand, sizeof(rand)); 1298 1299 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1300 1301 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1302 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1303 SMP_LTK_SLAVE, authenticated, enc.ltk, 1304 smp->enc_key_size, ediv, rand); 1305 smp->slave_ltk = ltk; 1306 1307 ident.ediv = ediv; 1308 ident.rand = rand; 1309 1310 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1311 1312 *keydist &= ~SMP_DIST_ENC_KEY; 1313 } 1314 1315 if (*keydist & SMP_DIST_ID_KEY) { 1316 struct smp_cmd_ident_addr_info addrinfo; 1317 struct smp_cmd_ident_info idinfo; 1318 1319 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1320 1321 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1322 1323 /* The hci_conn contains the local identity address 1324 * after the connection has been established. 1325 * 1326 * This is true even when the connection has been 1327 * established using a resolvable random address. 1328 */ 1329 bacpy(&addrinfo.bdaddr, &hcon->src); 1330 addrinfo.addr_type = hcon->src_type; 1331 1332 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1333 &addrinfo); 1334 1335 *keydist &= ~SMP_DIST_ID_KEY; 1336 } 1337 1338 if (*keydist & SMP_DIST_SIGN) { 1339 struct smp_cmd_sign_info sign; 1340 struct smp_csrk *csrk; 1341 1342 /* Generate a new random key */ 1343 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1344 1345 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1346 if (csrk) { 1347 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1348 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1349 else 1350 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1351 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1352 } 1353 smp->slave_csrk = csrk; 1354 1355 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1356 1357 *keydist &= ~SMP_DIST_SIGN; 1358 } 1359 1360 /* If there are still keys to be received wait for them */ 1361 if (smp->remote_key_dist & KEY_DIST_MASK) { 1362 smp_allow_key_dist(smp); 1363 return; 1364 } 1365 1366 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1367 smp_notify_keys(conn); 1368 1369 smp_chan_destroy(conn); 1370 } 1371 1372 static void smp_timeout(struct work_struct *work) 1373 { 1374 struct smp_chan *smp = container_of(work, struct smp_chan, 1375 security_timer.work); 1376 struct l2cap_conn *conn = smp->conn; 1377 1378 BT_DBG("conn %p", conn); 1379 1380 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1381 } 1382 1383 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1384 { 1385 struct l2cap_chan *chan = conn->smp; 1386 struct smp_chan *smp; 1387 1388 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1389 if (!smp) 1390 return NULL; 1391 1392 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 1393 if (IS_ERR(smp->tfm_aes)) { 1394 BT_ERR("Unable to create AES crypto context"); 1395 goto zfree_smp; 1396 } 1397 1398 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1399 if (IS_ERR(smp->tfm_cmac)) { 1400 BT_ERR("Unable to create CMAC crypto context"); 1401 goto free_cipher; 1402 } 1403 1404 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 1405 if (IS_ERR(smp->tfm_ecdh)) { 1406 BT_ERR("Unable to create ECDH crypto context"); 1407 goto free_shash; 1408 } 1409 1410 smp->conn = conn; 1411 chan->data = smp; 1412 1413 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1414 1415 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1416 1417 hci_conn_hold(conn->hcon); 1418 1419 return smp; 1420 1421 free_shash: 1422 crypto_free_shash(smp->tfm_cmac); 1423 free_cipher: 1424 crypto_free_cipher(smp->tfm_aes); 1425 zfree_smp: 1426 kzfree(smp); 1427 return NULL; 1428 } 1429 1430 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1431 { 1432 struct hci_conn *hcon = smp->conn->hcon; 1433 u8 *na, *nb, a[7], b[7]; 1434 1435 if (hcon->out) { 1436 na = smp->prnd; 1437 nb = smp->rrnd; 1438 } else { 1439 na = smp->rrnd; 1440 nb = smp->prnd; 1441 } 1442 1443 memcpy(a, &hcon->init_addr, 6); 1444 memcpy(b, &hcon->resp_addr, 6); 1445 a[6] = hcon->init_addr_type; 1446 b[6] = hcon->resp_addr_type; 1447 1448 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1449 } 1450 1451 static void sc_dhkey_check(struct smp_chan *smp) 1452 { 1453 struct hci_conn *hcon = smp->conn->hcon; 1454 struct smp_cmd_dhkey_check check; 1455 u8 a[7], b[7], *local_addr, *remote_addr; 1456 u8 io_cap[3], r[16]; 1457 1458 memcpy(a, &hcon->init_addr, 6); 1459 memcpy(b, &hcon->resp_addr, 6); 1460 a[6] = hcon->init_addr_type; 1461 b[6] = hcon->resp_addr_type; 1462 1463 if (hcon->out) { 1464 local_addr = a; 1465 remote_addr = b; 1466 memcpy(io_cap, &smp->preq[1], 3); 1467 } else { 1468 local_addr = b; 1469 remote_addr = a; 1470 memcpy(io_cap, &smp->prsp[1], 3); 1471 } 1472 1473 memset(r, 0, sizeof(r)); 1474 1475 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1476 put_unaligned_le32(hcon->passkey_notify, r); 1477 1478 if (smp->method == REQ_OOB) 1479 memcpy(r, smp->rr, 16); 1480 1481 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1482 local_addr, remote_addr, check.e); 1483 1484 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1485 } 1486 1487 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1488 { 1489 struct l2cap_conn *conn = smp->conn; 1490 struct hci_conn *hcon = conn->hcon; 1491 struct smp_cmd_pairing_confirm cfm; 1492 u8 r; 1493 1494 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1495 r |= 0x80; 1496 1497 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1498 1499 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1500 cfm.confirm_val)) 1501 return SMP_UNSPECIFIED; 1502 1503 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1504 1505 return 0; 1506 } 1507 1508 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1509 { 1510 struct l2cap_conn *conn = smp->conn; 1511 struct hci_conn *hcon = conn->hcon; 1512 struct hci_dev *hdev = hcon->hdev; 1513 u8 cfm[16], r; 1514 1515 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1516 if (smp->passkey_round >= 20) 1517 return 0; 1518 1519 switch (smp_op) { 1520 case SMP_CMD_PAIRING_RANDOM: 1521 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1522 r |= 0x80; 1523 1524 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1525 smp->rrnd, r, cfm)) 1526 return SMP_UNSPECIFIED; 1527 1528 if (crypto_memneq(smp->pcnf, cfm, 16)) 1529 return SMP_CONFIRM_FAILED; 1530 1531 smp->passkey_round++; 1532 1533 if (smp->passkey_round == 20) { 1534 /* Generate MacKey and LTK */ 1535 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1536 return SMP_UNSPECIFIED; 1537 } 1538 1539 /* The round is only complete when the initiator 1540 * receives pairing random. 1541 */ 1542 if (!hcon->out) { 1543 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1544 sizeof(smp->prnd), smp->prnd); 1545 if (smp->passkey_round == 20) 1546 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1547 else 1548 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1549 return 0; 1550 } 1551 1552 /* Start the next round */ 1553 if (smp->passkey_round != 20) 1554 return sc_passkey_round(smp, 0); 1555 1556 /* Passkey rounds are complete - start DHKey Check */ 1557 sc_dhkey_check(smp); 1558 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1559 1560 break; 1561 1562 case SMP_CMD_PAIRING_CONFIRM: 1563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1564 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1565 return 0; 1566 } 1567 1568 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1569 1570 if (hcon->out) { 1571 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1572 sizeof(smp->prnd), smp->prnd); 1573 return 0; 1574 } 1575 1576 return sc_passkey_send_confirm(smp); 1577 1578 case SMP_CMD_PUBLIC_KEY: 1579 default: 1580 /* Initiating device starts the round */ 1581 if (!hcon->out) 1582 return 0; 1583 1584 BT_DBG("%s Starting passkey round %u", hdev->name, 1585 smp->passkey_round + 1); 1586 1587 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1588 1589 return sc_passkey_send_confirm(smp); 1590 } 1591 1592 return 0; 1593 } 1594 1595 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1596 { 1597 struct l2cap_conn *conn = smp->conn; 1598 struct hci_conn *hcon = conn->hcon; 1599 u8 smp_op; 1600 1601 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1602 1603 switch (mgmt_op) { 1604 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1605 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1606 return 0; 1607 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1608 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1609 return 0; 1610 case MGMT_OP_USER_PASSKEY_REPLY: 1611 hcon->passkey_notify = le32_to_cpu(passkey); 1612 smp->passkey_round = 0; 1613 1614 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1615 smp_op = SMP_CMD_PAIRING_CONFIRM; 1616 else 1617 smp_op = 0; 1618 1619 if (sc_passkey_round(smp, smp_op)) 1620 return -EIO; 1621 1622 return 0; 1623 } 1624 1625 /* Initiator sends DHKey check first */ 1626 if (hcon->out) { 1627 sc_dhkey_check(smp); 1628 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1629 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1630 sc_dhkey_check(smp); 1631 sc_add_ltk(smp); 1632 } 1633 1634 return 0; 1635 } 1636 1637 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1638 { 1639 struct l2cap_conn *conn = hcon->l2cap_data; 1640 struct l2cap_chan *chan; 1641 struct smp_chan *smp; 1642 u32 value; 1643 int err; 1644 1645 BT_DBG(""); 1646 1647 if (!conn) 1648 return -ENOTCONN; 1649 1650 chan = conn->smp; 1651 if (!chan) 1652 return -ENOTCONN; 1653 1654 l2cap_chan_lock(chan); 1655 if (!chan->data) { 1656 err = -ENOTCONN; 1657 goto unlock; 1658 } 1659 1660 smp = chan->data; 1661 1662 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1663 err = sc_user_reply(smp, mgmt_op, passkey); 1664 goto unlock; 1665 } 1666 1667 switch (mgmt_op) { 1668 case MGMT_OP_USER_PASSKEY_REPLY: 1669 value = le32_to_cpu(passkey); 1670 memset(smp->tk, 0, sizeof(smp->tk)); 1671 BT_DBG("PassKey: %d", value); 1672 put_unaligned_le32(value, smp->tk); 1673 /* Fall Through */ 1674 case MGMT_OP_USER_CONFIRM_REPLY: 1675 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1676 break; 1677 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1678 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1679 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1680 err = 0; 1681 goto unlock; 1682 default: 1683 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1684 err = -EOPNOTSUPP; 1685 goto unlock; 1686 } 1687 1688 err = 0; 1689 1690 /* If it is our turn to send Pairing Confirm, do so now */ 1691 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1692 u8 rsp = smp_confirm(smp); 1693 if (rsp) 1694 smp_failure(conn, rsp); 1695 } 1696 1697 unlock: 1698 l2cap_chan_unlock(chan); 1699 return err; 1700 } 1701 1702 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1703 struct smp_cmd_pairing *req, 1704 struct smp_cmd_pairing *rsp) 1705 { 1706 struct l2cap_conn *conn = smp->conn; 1707 struct hci_dev *hdev = conn->hcon->hdev; 1708 u8 local_dist = 0, remote_dist = 0; 1709 1710 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1711 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1712 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1713 } 1714 1715 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1716 remote_dist |= SMP_DIST_ID_KEY; 1717 1718 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1719 local_dist |= SMP_DIST_ID_KEY; 1720 1721 if (!rsp) { 1722 memset(req, 0, sizeof(*req)); 1723 1724 req->auth_req = SMP_AUTH_CT2; 1725 req->init_key_dist = local_dist; 1726 req->resp_key_dist = remote_dist; 1727 req->max_key_size = conn->hcon->enc_key_size; 1728 1729 smp->remote_key_dist = remote_dist; 1730 1731 return; 1732 } 1733 1734 memset(rsp, 0, sizeof(*rsp)); 1735 1736 rsp->auth_req = SMP_AUTH_CT2; 1737 rsp->max_key_size = conn->hcon->enc_key_size; 1738 rsp->init_key_dist = req->init_key_dist & remote_dist; 1739 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1740 1741 smp->remote_key_dist = rsp->init_key_dist; 1742 } 1743 1744 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1745 { 1746 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1747 struct l2cap_chan *chan = conn->smp; 1748 struct hci_dev *hdev = conn->hcon->hdev; 1749 struct smp_chan *smp; 1750 u8 key_size, auth, sec_level; 1751 int ret; 1752 1753 BT_DBG("conn %p", conn); 1754 1755 if (skb->len < sizeof(*req)) 1756 return SMP_INVALID_PARAMS; 1757 1758 if (conn->hcon->role != HCI_ROLE_SLAVE) 1759 return SMP_CMD_NOTSUPP; 1760 1761 if (!chan->data) 1762 smp = smp_chan_create(conn); 1763 else 1764 smp = chan->data; 1765 1766 if (!smp) 1767 return SMP_UNSPECIFIED; 1768 1769 /* We didn't start the pairing, so match remote */ 1770 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1771 1772 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1773 (auth & SMP_AUTH_BONDING)) 1774 return SMP_PAIRING_NOTSUPP; 1775 1776 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1777 return SMP_AUTH_REQUIREMENTS; 1778 1779 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1780 memcpy(&smp->preq[1], req, sizeof(*req)); 1781 skb_pull(skb, sizeof(*req)); 1782 1783 /* If the remote side's OOB flag is set it means it has 1784 * successfully received our local OOB data - therefore set the 1785 * flag to indicate that local OOB is in use. 1786 */ 1787 if (req->oob_flag == SMP_OOB_PRESENT) 1788 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1789 1790 /* SMP over BR/EDR requires special treatment */ 1791 if (conn->hcon->type == ACL_LINK) { 1792 /* We must have a BR/EDR SC link */ 1793 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1794 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1795 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1796 1797 set_bit(SMP_FLAG_SC, &smp->flags); 1798 1799 build_bredr_pairing_cmd(smp, req, &rsp); 1800 1801 if (req->auth_req & SMP_AUTH_CT2) 1802 set_bit(SMP_FLAG_CT2, &smp->flags); 1803 1804 key_size = min(req->max_key_size, rsp.max_key_size); 1805 if (check_enc_key_size(conn, key_size)) 1806 return SMP_ENC_KEY_SIZE; 1807 1808 /* Clear bits which are generated but not distributed */ 1809 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1810 1811 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1812 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1813 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1814 1815 smp_distribute_keys(smp); 1816 return 0; 1817 } 1818 1819 build_pairing_cmd(conn, req, &rsp, auth); 1820 1821 if (rsp.auth_req & SMP_AUTH_SC) { 1822 set_bit(SMP_FLAG_SC, &smp->flags); 1823 1824 if (rsp.auth_req & SMP_AUTH_CT2) 1825 set_bit(SMP_FLAG_CT2, &smp->flags); 1826 } 1827 1828 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1829 sec_level = BT_SECURITY_MEDIUM; 1830 else 1831 sec_level = authreq_to_seclevel(auth); 1832 1833 if (sec_level > conn->hcon->pending_sec_level) 1834 conn->hcon->pending_sec_level = sec_level; 1835 1836 /* If we need MITM check that it can be achieved */ 1837 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1838 u8 method; 1839 1840 method = get_auth_method(smp, conn->hcon->io_capability, 1841 req->io_capability); 1842 if (method == JUST_WORKS || method == JUST_CFM) 1843 return SMP_AUTH_REQUIREMENTS; 1844 } 1845 1846 key_size = min(req->max_key_size, rsp.max_key_size); 1847 if (check_enc_key_size(conn, key_size)) 1848 return SMP_ENC_KEY_SIZE; 1849 1850 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1851 1852 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1853 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1854 1855 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1856 1857 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1858 1859 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1860 * SC case, however some implementations incorrectly copy RFU auth 1861 * req bits from our security request, which may create a false 1862 * positive SC enablement. 1863 */ 1864 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1865 1866 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1867 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1868 /* Clear bits which are generated but not distributed */ 1869 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1870 /* Wait for Public Key from Initiating Device */ 1871 return 0; 1872 } 1873 1874 /* Request setup of TK */ 1875 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1876 if (ret) 1877 return SMP_UNSPECIFIED; 1878 1879 return 0; 1880 } 1881 1882 static u8 sc_send_public_key(struct smp_chan *smp) 1883 { 1884 struct hci_dev *hdev = smp->conn->hcon->hdev; 1885 1886 BT_DBG(""); 1887 1888 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1889 struct l2cap_chan *chan = hdev->smp_data; 1890 struct smp_dev *smp_dev; 1891 1892 if (!chan || !chan->data) 1893 return SMP_UNSPECIFIED; 1894 1895 smp_dev = chan->data; 1896 1897 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1898 memcpy(smp->lr, smp_dev->local_rand, 16); 1899 1900 if (smp_dev->debug_key) 1901 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1902 1903 goto done; 1904 } 1905 1906 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1907 BT_DBG("Using debug keys"); 1908 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk)) 1909 return SMP_UNSPECIFIED; 1910 memcpy(smp->local_pk, debug_pk, 64); 1911 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1912 } else { 1913 while (true) { 1914 /* Generate key pair for Secure Connections */ 1915 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk)) 1916 return SMP_UNSPECIFIED; 1917 1918 /* This is unlikely, but we need to check that 1919 * we didn't accidentially generate a debug key. 1920 */ 1921 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 1922 break; 1923 } 1924 } 1925 1926 done: 1927 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1928 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1929 1930 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1931 1932 return 0; 1933 } 1934 1935 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1936 { 1937 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1938 struct l2cap_chan *chan = conn->smp; 1939 struct smp_chan *smp = chan->data; 1940 struct hci_dev *hdev = conn->hcon->hdev; 1941 u8 key_size, auth; 1942 int ret; 1943 1944 BT_DBG("conn %p", conn); 1945 1946 if (skb->len < sizeof(*rsp)) 1947 return SMP_INVALID_PARAMS; 1948 1949 if (conn->hcon->role != HCI_ROLE_MASTER) 1950 return SMP_CMD_NOTSUPP; 1951 1952 skb_pull(skb, sizeof(*rsp)); 1953 1954 req = (void *) &smp->preq[1]; 1955 1956 key_size = min(req->max_key_size, rsp->max_key_size); 1957 if (check_enc_key_size(conn, key_size)) 1958 return SMP_ENC_KEY_SIZE; 1959 1960 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1961 1962 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1963 return SMP_AUTH_REQUIREMENTS; 1964 1965 /* If the remote side's OOB flag is set it means it has 1966 * successfully received our local OOB data - therefore set the 1967 * flag to indicate that local OOB is in use. 1968 */ 1969 if (rsp->oob_flag == SMP_OOB_PRESENT) 1970 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1971 1972 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1973 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1974 1975 /* Update remote key distribution in case the remote cleared 1976 * some bits that we had enabled in our request. 1977 */ 1978 smp->remote_key_dist &= rsp->resp_key_dist; 1979 1980 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2)) 1981 set_bit(SMP_FLAG_CT2, &smp->flags); 1982 1983 /* For BR/EDR this means we're done and can start phase 3 */ 1984 if (conn->hcon->type == ACL_LINK) { 1985 /* Clear bits which are generated but not distributed */ 1986 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1987 smp_distribute_keys(smp); 1988 return 0; 1989 } 1990 1991 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1992 set_bit(SMP_FLAG_SC, &smp->flags); 1993 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1994 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1995 1996 /* If we need MITM check that it can be achieved */ 1997 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1998 u8 method; 1999 2000 method = get_auth_method(smp, req->io_capability, 2001 rsp->io_capability); 2002 if (method == JUST_WORKS || method == JUST_CFM) 2003 return SMP_AUTH_REQUIREMENTS; 2004 } 2005 2006 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 2007 2008 /* Update remote key distribution in case the remote cleared 2009 * some bits that we had enabled in our request. 2010 */ 2011 smp->remote_key_dist &= rsp->resp_key_dist; 2012 2013 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2014 /* Clear bits which are generated but not distributed */ 2015 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 2016 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 2017 return sc_send_public_key(smp); 2018 } 2019 2020 auth |= req->auth_req; 2021 2022 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 2023 if (ret) 2024 return SMP_UNSPECIFIED; 2025 2026 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2027 2028 /* Can't compose response until we have been confirmed */ 2029 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2030 return smp_confirm(smp); 2031 2032 return 0; 2033 } 2034 2035 static u8 sc_check_confirm(struct smp_chan *smp) 2036 { 2037 struct l2cap_conn *conn = smp->conn; 2038 2039 BT_DBG(""); 2040 2041 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2042 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 2043 2044 if (conn->hcon->out) { 2045 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2046 smp->prnd); 2047 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2048 } 2049 2050 return 0; 2051 } 2052 2053 /* Work-around for some implementations that incorrectly copy RFU bits 2054 * from our security request and thereby create the impression that 2055 * we're doing SC when in fact the remote doesn't support it. 2056 */ 2057 static int fixup_sc_false_positive(struct smp_chan *smp) 2058 { 2059 struct l2cap_conn *conn = smp->conn; 2060 struct hci_conn *hcon = conn->hcon; 2061 struct hci_dev *hdev = hcon->hdev; 2062 struct smp_cmd_pairing *req, *rsp; 2063 u8 auth; 2064 2065 /* The issue is only observed when we're in slave role */ 2066 if (hcon->out) 2067 return SMP_UNSPECIFIED; 2068 2069 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2070 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode"); 2071 return SMP_UNSPECIFIED; 2072 } 2073 2074 BT_ERR("Trying to fall back to legacy SMP"); 2075 2076 req = (void *) &smp->preq[1]; 2077 rsp = (void *) &smp->prsp[1]; 2078 2079 /* Rebuild key dist flags which may have been cleared for SC */ 2080 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2081 2082 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2083 2084 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2085 BT_ERR("Failed to fall back to legacy SMP"); 2086 return SMP_UNSPECIFIED; 2087 } 2088 2089 clear_bit(SMP_FLAG_SC, &smp->flags); 2090 2091 return 0; 2092 } 2093 2094 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2095 { 2096 struct l2cap_chan *chan = conn->smp; 2097 struct smp_chan *smp = chan->data; 2098 2099 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 2100 2101 if (skb->len < sizeof(smp->pcnf)) 2102 return SMP_INVALID_PARAMS; 2103 2104 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2105 skb_pull(skb, sizeof(smp->pcnf)); 2106 2107 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2108 int ret; 2109 2110 /* Public Key exchange must happen before any other steps */ 2111 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2112 return sc_check_confirm(smp); 2113 2114 BT_ERR("Unexpected SMP Pairing Confirm"); 2115 2116 ret = fixup_sc_false_positive(smp); 2117 if (ret) 2118 return ret; 2119 } 2120 2121 if (conn->hcon->out) { 2122 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2123 smp->prnd); 2124 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2125 return 0; 2126 } 2127 2128 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2129 return smp_confirm(smp); 2130 2131 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2132 2133 return 0; 2134 } 2135 2136 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2137 { 2138 struct l2cap_chan *chan = conn->smp; 2139 struct smp_chan *smp = chan->data; 2140 struct hci_conn *hcon = conn->hcon; 2141 u8 *pkax, *pkbx, *na, *nb; 2142 u32 passkey; 2143 int err; 2144 2145 BT_DBG("conn %p", conn); 2146 2147 if (skb->len < sizeof(smp->rrnd)) 2148 return SMP_INVALID_PARAMS; 2149 2150 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2151 skb_pull(skb, sizeof(smp->rrnd)); 2152 2153 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2154 return smp_random(smp); 2155 2156 if (hcon->out) { 2157 pkax = smp->local_pk; 2158 pkbx = smp->remote_pk; 2159 na = smp->prnd; 2160 nb = smp->rrnd; 2161 } else { 2162 pkax = smp->remote_pk; 2163 pkbx = smp->local_pk; 2164 na = smp->rrnd; 2165 nb = smp->prnd; 2166 } 2167 2168 if (smp->method == REQ_OOB) { 2169 if (!hcon->out) 2170 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2171 sizeof(smp->prnd), smp->prnd); 2172 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2173 goto mackey_and_ltk; 2174 } 2175 2176 /* Passkey entry has special treatment */ 2177 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2178 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2179 2180 if (hcon->out) { 2181 u8 cfm[16]; 2182 2183 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2184 smp->rrnd, 0, cfm); 2185 if (err) 2186 return SMP_UNSPECIFIED; 2187 2188 if (crypto_memneq(smp->pcnf, cfm, 16)) 2189 return SMP_CONFIRM_FAILED; 2190 } else { 2191 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2192 smp->prnd); 2193 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2194 } 2195 2196 mackey_and_ltk: 2197 /* Generate MacKey and LTK */ 2198 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2199 if (err) 2200 return SMP_UNSPECIFIED; 2201 2202 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) { 2203 if (hcon->out) { 2204 sc_dhkey_check(smp); 2205 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2206 } 2207 return 0; 2208 } 2209 2210 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2211 if (err) 2212 return SMP_UNSPECIFIED; 2213 2214 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2215 hcon->dst_type, passkey, 0); 2216 if (err) 2217 return SMP_UNSPECIFIED; 2218 2219 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2220 2221 return 0; 2222 } 2223 2224 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2225 { 2226 struct smp_ltk *key; 2227 struct hci_conn *hcon = conn->hcon; 2228 2229 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2230 if (!key) 2231 return false; 2232 2233 if (smp_ltk_sec_level(key) < sec_level) 2234 return false; 2235 2236 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2237 return true; 2238 2239 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2240 hcon->enc_key_size = key->enc_size; 2241 2242 /* We never store STKs for master role, so clear this flag */ 2243 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2244 2245 return true; 2246 } 2247 2248 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2249 enum smp_key_pref key_pref) 2250 { 2251 if (sec_level == BT_SECURITY_LOW) 2252 return true; 2253 2254 /* If we're encrypted with an STK but the caller prefers using 2255 * LTK claim insufficient security. This way we allow the 2256 * connection to be re-encrypted with an LTK, even if the LTK 2257 * provides the same level of security. Only exception is if we 2258 * don't have an LTK (e.g. because of key distribution bits). 2259 */ 2260 if (key_pref == SMP_USE_LTK && 2261 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2262 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2263 return false; 2264 2265 if (hcon->sec_level >= sec_level) 2266 return true; 2267 2268 return false; 2269 } 2270 2271 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2272 { 2273 struct smp_cmd_security_req *rp = (void *) skb->data; 2274 struct smp_cmd_pairing cp; 2275 struct hci_conn *hcon = conn->hcon; 2276 struct hci_dev *hdev = hcon->hdev; 2277 struct smp_chan *smp; 2278 u8 sec_level, auth; 2279 2280 BT_DBG("conn %p", conn); 2281 2282 if (skb->len < sizeof(*rp)) 2283 return SMP_INVALID_PARAMS; 2284 2285 if (hcon->role != HCI_ROLE_MASTER) 2286 return SMP_CMD_NOTSUPP; 2287 2288 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2289 2290 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2291 return SMP_AUTH_REQUIREMENTS; 2292 2293 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2294 sec_level = BT_SECURITY_MEDIUM; 2295 else 2296 sec_level = authreq_to_seclevel(auth); 2297 2298 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2299 return 0; 2300 2301 if (sec_level > hcon->pending_sec_level) 2302 hcon->pending_sec_level = sec_level; 2303 2304 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2305 return 0; 2306 2307 smp = smp_chan_create(conn); 2308 if (!smp) 2309 return SMP_UNSPECIFIED; 2310 2311 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2312 (auth & SMP_AUTH_BONDING)) 2313 return SMP_PAIRING_NOTSUPP; 2314 2315 skb_pull(skb, sizeof(*rp)); 2316 2317 memset(&cp, 0, sizeof(cp)); 2318 build_pairing_cmd(conn, &cp, NULL, auth); 2319 2320 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2321 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2322 2323 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2324 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2325 2326 return 0; 2327 } 2328 2329 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2330 { 2331 struct l2cap_conn *conn = hcon->l2cap_data; 2332 struct l2cap_chan *chan; 2333 struct smp_chan *smp; 2334 __u8 authreq; 2335 int ret; 2336 2337 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 2338 2339 /* This may be NULL if there's an unexpected disconnection */ 2340 if (!conn) 2341 return 1; 2342 2343 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2344 return 1; 2345 2346 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2347 return 1; 2348 2349 if (sec_level > hcon->pending_sec_level) 2350 hcon->pending_sec_level = sec_level; 2351 2352 if (hcon->role == HCI_ROLE_MASTER) 2353 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2354 return 0; 2355 2356 chan = conn->smp; 2357 if (!chan) { 2358 BT_ERR("SMP security requested but not available"); 2359 return 1; 2360 } 2361 2362 l2cap_chan_lock(chan); 2363 2364 /* If SMP is already in progress ignore this request */ 2365 if (chan->data) { 2366 ret = 0; 2367 goto unlock; 2368 } 2369 2370 smp = smp_chan_create(conn); 2371 if (!smp) { 2372 ret = 1; 2373 goto unlock; 2374 } 2375 2376 authreq = seclevel_to_authreq(sec_level); 2377 2378 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) { 2379 authreq |= SMP_AUTH_SC; 2380 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED)) 2381 authreq |= SMP_AUTH_CT2; 2382 } 2383 2384 /* Require MITM if IO Capability allows or the security level 2385 * requires it. 2386 */ 2387 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2388 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2389 authreq |= SMP_AUTH_MITM; 2390 2391 if (hcon->role == HCI_ROLE_MASTER) { 2392 struct smp_cmd_pairing cp; 2393 2394 build_pairing_cmd(conn, &cp, NULL, authreq); 2395 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2396 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2397 2398 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2399 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2400 } else { 2401 struct smp_cmd_security_req cp; 2402 cp.auth_req = authreq; 2403 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2404 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2405 } 2406 2407 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2408 ret = 0; 2409 2410 unlock: 2411 l2cap_chan_unlock(chan); 2412 return ret; 2413 } 2414 2415 void smp_cancel_pairing(struct hci_conn *hcon) 2416 { 2417 struct l2cap_conn *conn = hcon->l2cap_data; 2418 struct l2cap_chan *chan; 2419 struct smp_chan *smp; 2420 2421 if (!conn) 2422 return; 2423 2424 chan = conn->smp; 2425 if (!chan) 2426 return; 2427 2428 l2cap_chan_lock(chan); 2429 2430 smp = chan->data; 2431 if (smp) { 2432 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2433 smp_failure(conn, 0); 2434 else 2435 smp_failure(conn, SMP_UNSPECIFIED); 2436 } 2437 2438 l2cap_chan_unlock(chan); 2439 } 2440 2441 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2442 { 2443 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2444 struct l2cap_chan *chan = conn->smp; 2445 struct smp_chan *smp = chan->data; 2446 2447 BT_DBG("conn %p", conn); 2448 2449 if (skb->len < sizeof(*rp)) 2450 return SMP_INVALID_PARAMS; 2451 2452 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT); 2453 2454 skb_pull(skb, sizeof(*rp)); 2455 2456 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2457 2458 return 0; 2459 } 2460 2461 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2462 { 2463 struct smp_cmd_master_ident *rp = (void *) skb->data; 2464 struct l2cap_chan *chan = conn->smp; 2465 struct smp_chan *smp = chan->data; 2466 struct hci_dev *hdev = conn->hcon->hdev; 2467 struct hci_conn *hcon = conn->hcon; 2468 struct smp_ltk *ltk; 2469 u8 authenticated; 2470 2471 BT_DBG("conn %p", conn); 2472 2473 if (skb->len < sizeof(*rp)) 2474 return SMP_INVALID_PARAMS; 2475 2476 /* Mark the information as received */ 2477 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2478 2479 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2480 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2481 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2482 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2483 2484 skb_pull(skb, sizeof(*rp)); 2485 2486 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2487 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2488 authenticated, smp->tk, smp->enc_key_size, 2489 rp->ediv, rp->rand); 2490 smp->ltk = ltk; 2491 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2492 smp_distribute_keys(smp); 2493 2494 return 0; 2495 } 2496 2497 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2498 { 2499 struct smp_cmd_ident_info *info = (void *) skb->data; 2500 struct l2cap_chan *chan = conn->smp; 2501 struct smp_chan *smp = chan->data; 2502 2503 BT_DBG(""); 2504 2505 if (skb->len < sizeof(*info)) 2506 return SMP_INVALID_PARAMS; 2507 2508 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2509 2510 skb_pull(skb, sizeof(*info)); 2511 2512 memcpy(smp->irk, info->irk, 16); 2513 2514 return 0; 2515 } 2516 2517 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2518 struct sk_buff *skb) 2519 { 2520 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2521 struct l2cap_chan *chan = conn->smp; 2522 struct smp_chan *smp = chan->data; 2523 struct hci_conn *hcon = conn->hcon; 2524 bdaddr_t rpa; 2525 2526 BT_DBG(""); 2527 2528 if (skb->len < sizeof(*info)) 2529 return SMP_INVALID_PARAMS; 2530 2531 /* Mark the information as received */ 2532 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2533 2534 if (smp->remote_key_dist & SMP_DIST_SIGN) 2535 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2536 2537 skb_pull(skb, sizeof(*info)); 2538 2539 /* Strictly speaking the Core Specification (4.1) allows sending 2540 * an empty address which would force us to rely on just the IRK 2541 * as "identity information". However, since such 2542 * implementations are not known of and in order to not over 2543 * complicate our implementation, simply pretend that we never 2544 * received an IRK for such a device. 2545 * 2546 * The Identity Address must also be a Static Random or Public 2547 * Address, which hci_is_identity_address() checks for. 2548 */ 2549 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2550 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2551 BT_ERR("Ignoring IRK with no identity address"); 2552 goto distribute; 2553 } 2554 2555 bacpy(&smp->id_addr, &info->bdaddr); 2556 smp->id_addr_type = info->addr_type; 2557 2558 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2559 bacpy(&rpa, &hcon->dst); 2560 else 2561 bacpy(&rpa, BDADDR_ANY); 2562 2563 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2564 smp->id_addr_type, smp->irk, &rpa); 2565 2566 distribute: 2567 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2568 smp_distribute_keys(smp); 2569 2570 return 0; 2571 } 2572 2573 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2574 { 2575 struct smp_cmd_sign_info *rp = (void *) skb->data; 2576 struct l2cap_chan *chan = conn->smp; 2577 struct smp_chan *smp = chan->data; 2578 struct smp_csrk *csrk; 2579 2580 BT_DBG("conn %p", conn); 2581 2582 if (skb->len < sizeof(*rp)) 2583 return SMP_INVALID_PARAMS; 2584 2585 /* Mark the information as received */ 2586 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2587 2588 skb_pull(skb, sizeof(*rp)); 2589 2590 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2591 if (csrk) { 2592 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2593 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2594 else 2595 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2596 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2597 } 2598 smp->csrk = csrk; 2599 smp_distribute_keys(smp); 2600 2601 return 0; 2602 } 2603 2604 static u8 sc_select_method(struct smp_chan *smp) 2605 { 2606 struct l2cap_conn *conn = smp->conn; 2607 struct hci_conn *hcon = conn->hcon; 2608 struct smp_cmd_pairing *local, *remote; 2609 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2610 2611 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2612 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2613 return REQ_OOB; 2614 2615 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2616 * which are needed as inputs to some crypto functions. To get 2617 * the "struct smp_cmd_pairing" from them we need to skip the 2618 * first byte which contains the opcode. 2619 */ 2620 if (hcon->out) { 2621 local = (void *) &smp->preq[1]; 2622 remote = (void *) &smp->prsp[1]; 2623 } else { 2624 local = (void *) &smp->prsp[1]; 2625 remote = (void *) &smp->preq[1]; 2626 } 2627 2628 local_io = local->io_capability; 2629 remote_io = remote->io_capability; 2630 2631 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2632 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2633 2634 /* If either side wants MITM, look up the method from the table, 2635 * otherwise use JUST WORKS. 2636 */ 2637 if (local_mitm || remote_mitm) 2638 method = get_auth_method(smp, local_io, remote_io); 2639 else 2640 method = JUST_WORKS; 2641 2642 /* Don't confirm locally initiated pairing attempts */ 2643 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2644 method = JUST_WORKS; 2645 2646 return method; 2647 } 2648 2649 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2650 { 2651 struct smp_cmd_public_key *key = (void *) skb->data; 2652 struct hci_conn *hcon = conn->hcon; 2653 struct l2cap_chan *chan = conn->smp; 2654 struct smp_chan *smp = chan->data; 2655 struct hci_dev *hdev = hcon->hdev; 2656 struct crypto_kpp *tfm_ecdh; 2657 struct smp_cmd_pairing_confirm cfm; 2658 int err; 2659 2660 BT_DBG("conn %p", conn); 2661 2662 if (skb->len < sizeof(*key)) 2663 return SMP_INVALID_PARAMS; 2664 2665 memcpy(smp->remote_pk, key, 64); 2666 2667 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2668 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2669 smp->rr, 0, cfm.confirm_val); 2670 if (err) 2671 return SMP_UNSPECIFIED; 2672 2673 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16)) 2674 return SMP_CONFIRM_FAILED; 2675 } 2676 2677 /* Non-initiating device sends its public key after receiving 2678 * the key from the initiating device. 2679 */ 2680 if (!hcon->out) { 2681 err = sc_send_public_key(smp); 2682 if (err) 2683 return err; 2684 } 2685 2686 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2687 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2688 2689 /* Compute the shared secret on the same crypto tfm on which the private 2690 * key was set/generated. 2691 */ 2692 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 2693 struct smp_dev *smp_dev = chan->data; 2694 2695 tfm_ecdh = smp_dev->tfm_ecdh; 2696 } else { 2697 tfm_ecdh = smp->tfm_ecdh; 2698 } 2699 2700 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey)) 2701 return SMP_UNSPECIFIED; 2702 2703 SMP_DBG("DHKey %32phN", smp->dhkey); 2704 2705 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2706 2707 smp->method = sc_select_method(smp); 2708 2709 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method); 2710 2711 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2712 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2713 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2714 else 2715 hcon->pending_sec_level = BT_SECURITY_FIPS; 2716 2717 if (!crypto_memneq(debug_pk, smp->remote_pk, 64)) 2718 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2719 2720 if (smp->method == DSP_PASSKEY) { 2721 get_random_bytes(&hcon->passkey_notify, 2722 sizeof(hcon->passkey_notify)); 2723 hcon->passkey_notify %= 1000000; 2724 hcon->passkey_entered = 0; 2725 smp->passkey_round = 0; 2726 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2727 hcon->dst_type, 2728 hcon->passkey_notify, 2729 hcon->passkey_entered)) 2730 return SMP_UNSPECIFIED; 2731 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2732 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2733 } 2734 2735 if (smp->method == REQ_OOB) { 2736 if (hcon->out) 2737 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2738 sizeof(smp->prnd), smp->prnd); 2739 2740 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2741 2742 return 0; 2743 } 2744 2745 if (hcon->out) 2746 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2747 2748 if (smp->method == REQ_PASSKEY) { 2749 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2750 hcon->dst_type)) 2751 return SMP_UNSPECIFIED; 2752 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2753 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2754 return 0; 2755 } 2756 2757 /* The Initiating device waits for the non-initiating device to 2758 * send the confirm value. 2759 */ 2760 if (conn->hcon->out) 2761 return 0; 2762 2763 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2764 0, cfm.confirm_val); 2765 if (err) 2766 return SMP_UNSPECIFIED; 2767 2768 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2769 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2770 2771 return 0; 2772 } 2773 2774 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2775 { 2776 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2777 struct l2cap_chan *chan = conn->smp; 2778 struct hci_conn *hcon = conn->hcon; 2779 struct smp_chan *smp = chan->data; 2780 u8 a[7], b[7], *local_addr, *remote_addr; 2781 u8 io_cap[3], r[16], e[16]; 2782 int err; 2783 2784 BT_DBG("conn %p", conn); 2785 2786 if (skb->len < sizeof(*check)) 2787 return SMP_INVALID_PARAMS; 2788 2789 memcpy(a, &hcon->init_addr, 6); 2790 memcpy(b, &hcon->resp_addr, 6); 2791 a[6] = hcon->init_addr_type; 2792 b[6] = hcon->resp_addr_type; 2793 2794 if (hcon->out) { 2795 local_addr = a; 2796 remote_addr = b; 2797 memcpy(io_cap, &smp->prsp[1], 3); 2798 } else { 2799 local_addr = b; 2800 remote_addr = a; 2801 memcpy(io_cap, &smp->preq[1], 3); 2802 } 2803 2804 memset(r, 0, sizeof(r)); 2805 2806 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2807 put_unaligned_le32(hcon->passkey_notify, r); 2808 else if (smp->method == REQ_OOB) 2809 memcpy(r, smp->lr, 16); 2810 2811 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2812 io_cap, remote_addr, local_addr, e); 2813 if (err) 2814 return SMP_UNSPECIFIED; 2815 2816 if (crypto_memneq(check->e, e, 16)) 2817 return SMP_DHKEY_CHECK_FAILED; 2818 2819 if (!hcon->out) { 2820 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2821 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2822 return 0; 2823 } 2824 2825 /* Slave sends DHKey check as response to master */ 2826 sc_dhkey_check(smp); 2827 } 2828 2829 sc_add_ltk(smp); 2830 2831 if (hcon->out) { 2832 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2833 hcon->enc_key_size = smp->enc_key_size; 2834 } 2835 2836 return 0; 2837 } 2838 2839 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2840 struct sk_buff *skb) 2841 { 2842 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2843 2844 BT_DBG("value 0x%02x", kp->value); 2845 2846 return 0; 2847 } 2848 2849 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2850 { 2851 struct l2cap_conn *conn = chan->conn; 2852 struct hci_conn *hcon = conn->hcon; 2853 struct smp_chan *smp; 2854 __u8 code, reason; 2855 int err = 0; 2856 2857 if (skb->len < 1) 2858 return -EILSEQ; 2859 2860 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2861 reason = SMP_PAIRING_NOTSUPP; 2862 goto done; 2863 } 2864 2865 code = skb->data[0]; 2866 skb_pull(skb, sizeof(code)); 2867 2868 smp = chan->data; 2869 2870 if (code > SMP_CMD_MAX) 2871 goto drop; 2872 2873 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2874 goto drop; 2875 2876 /* If we don't have a context the only allowed commands are 2877 * pairing request and security request. 2878 */ 2879 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2880 goto drop; 2881 2882 switch (code) { 2883 case SMP_CMD_PAIRING_REQ: 2884 reason = smp_cmd_pairing_req(conn, skb); 2885 break; 2886 2887 case SMP_CMD_PAIRING_FAIL: 2888 smp_failure(conn, 0); 2889 err = -EPERM; 2890 break; 2891 2892 case SMP_CMD_PAIRING_RSP: 2893 reason = smp_cmd_pairing_rsp(conn, skb); 2894 break; 2895 2896 case SMP_CMD_SECURITY_REQ: 2897 reason = smp_cmd_security_req(conn, skb); 2898 break; 2899 2900 case SMP_CMD_PAIRING_CONFIRM: 2901 reason = smp_cmd_pairing_confirm(conn, skb); 2902 break; 2903 2904 case SMP_CMD_PAIRING_RANDOM: 2905 reason = smp_cmd_pairing_random(conn, skb); 2906 break; 2907 2908 case SMP_CMD_ENCRYPT_INFO: 2909 reason = smp_cmd_encrypt_info(conn, skb); 2910 break; 2911 2912 case SMP_CMD_MASTER_IDENT: 2913 reason = smp_cmd_master_ident(conn, skb); 2914 break; 2915 2916 case SMP_CMD_IDENT_INFO: 2917 reason = smp_cmd_ident_info(conn, skb); 2918 break; 2919 2920 case SMP_CMD_IDENT_ADDR_INFO: 2921 reason = smp_cmd_ident_addr_info(conn, skb); 2922 break; 2923 2924 case SMP_CMD_SIGN_INFO: 2925 reason = smp_cmd_sign_info(conn, skb); 2926 break; 2927 2928 case SMP_CMD_PUBLIC_KEY: 2929 reason = smp_cmd_public_key(conn, skb); 2930 break; 2931 2932 case SMP_CMD_DHKEY_CHECK: 2933 reason = smp_cmd_dhkey_check(conn, skb); 2934 break; 2935 2936 case SMP_CMD_KEYPRESS_NOTIFY: 2937 reason = smp_cmd_keypress_notify(conn, skb); 2938 break; 2939 2940 default: 2941 BT_DBG("Unknown command code 0x%2.2x", code); 2942 reason = SMP_CMD_NOTSUPP; 2943 goto done; 2944 } 2945 2946 done: 2947 if (!err) { 2948 if (reason) 2949 smp_failure(conn, reason); 2950 kfree_skb(skb); 2951 } 2952 2953 return err; 2954 2955 drop: 2956 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name, 2957 code, &hcon->dst); 2958 kfree_skb(skb); 2959 return 0; 2960 } 2961 2962 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 2963 { 2964 struct l2cap_conn *conn = chan->conn; 2965 2966 BT_DBG("chan %p", chan); 2967 2968 if (chan->data) 2969 smp_chan_destroy(conn); 2970 2971 conn->smp = NULL; 2972 l2cap_chan_put(chan); 2973 } 2974 2975 static void bredr_pairing(struct l2cap_chan *chan) 2976 { 2977 struct l2cap_conn *conn = chan->conn; 2978 struct hci_conn *hcon = conn->hcon; 2979 struct hci_dev *hdev = hcon->hdev; 2980 struct smp_cmd_pairing req; 2981 struct smp_chan *smp; 2982 2983 BT_DBG("chan %p", chan); 2984 2985 /* Only new pairings are interesting */ 2986 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 2987 return; 2988 2989 /* Don't bother if we're not encrypted */ 2990 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2991 return; 2992 2993 /* Only master may initiate SMP over BR/EDR */ 2994 if (hcon->role != HCI_ROLE_MASTER) 2995 return; 2996 2997 /* Secure Connections support must be enabled */ 2998 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 2999 return; 3000 3001 /* BR/EDR must use Secure Connections for SMP */ 3002 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 3003 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3004 return; 3005 3006 /* If our LE support is not enabled don't do anything */ 3007 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 3008 return; 3009 3010 /* Don't bother if remote LE support is not enabled */ 3011 if (!lmp_host_le_capable(hcon)) 3012 return; 3013 3014 /* Remote must support SMP fixed chan for BR/EDR */ 3015 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 3016 return; 3017 3018 /* Don't bother if SMP is already ongoing */ 3019 if (chan->data) 3020 return; 3021 3022 smp = smp_chan_create(conn); 3023 if (!smp) { 3024 BT_ERR("%s unable to create SMP context for BR/EDR", 3025 hdev->name); 3026 return; 3027 } 3028 3029 set_bit(SMP_FLAG_SC, &smp->flags); 3030 3031 BT_DBG("%s starting SMP over BR/EDR", hdev->name); 3032 3033 /* Prepare and send the BR/EDR SMP Pairing Request */ 3034 build_bredr_pairing_cmd(smp, &req, NULL); 3035 3036 smp->preq[0] = SMP_CMD_PAIRING_REQ; 3037 memcpy(&smp->preq[1], &req, sizeof(req)); 3038 3039 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 3040 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 3041 } 3042 3043 static void smp_resume_cb(struct l2cap_chan *chan) 3044 { 3045 struct smp_chan *smp = chan->data; 3046 struct l2cap_conn *conn = chan->conn; 3047 struct hci_conn *hcon = conn->hcon; 3048 3049 BT_DBG("chan %p", chan); 3050 3051 if (hcon->type == ACL_LINK) { 3052 bredr_pairing(chan); 3053 return; 3054 } 3055 3056 if (!smp) 3057 return; 3058 3059 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3060 return; 3061 3062 cancel_delayed_work(&smp->security_timer); 3063 3064 smp_distribute_keys(smp); 3065 } 3066 3067 static void smp_ready_cb(struct l2cap_chan *chan) 3068 { 3069 struct l2cap_conn *conn = chan->conn; 3070 struct hci_conn *hcon = conn->hcon; 3071 3072 BT_DBG("chan %p", chan); 3073 3074 /* No need to call l2cap_chan_hold() here since we already own 3075 * the reference taken in smp_new_conn_cb(). This is just the 3076 * first time that we tie it to a specific pointer. The code in 3077 * l2cap_core.c ensures that there's no risk this function wont 3078 * get called if smp_new_conn_cb was previously called. 3079 */ 3080 conn->smp = chan; 3081 3082 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3083 bredr_pairing(chan); 3084 } 3085 3086 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3087 { 3088 int err; 3089 3090 BT_DBG("chan %p", chan); 3091 3092 err = smp_sig_channel(chan, skb); 3093 if (err) { 3094 struct smp_chan *smp = chan->data; 3095 3096 if (smp) 3097 cancel_delayed_work_sync(&smp->security_timer); 3098 3099 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3100 } 3101 3102 return err; 3103 } 3104 3105 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3106 unsigned long hdr_len, 3107 unsigned long len, int nb) 3108 { 3109 struct sk_buff *skb; 3110 3111 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3112 if (!skb) 3113 return ERR_PTR(-ENOMEM); 3114 3115 skb->priority = HCI_PRIO_MAX; 3116 bt_cb(skb)->l2cap.chan = chan; 3117 3118 return skb; 3119 } 3120 3121 static const struct l2cap_ops smp_chan_ops = { 3122 .name = "Security Manager", 3123 .ready = smp_ready_cb, 3124 .recv = smp_recv_cb, 3125 .alloc_skb = smp_alloc_skb_cb, 3126 .teardown = smp_teardown_cb, 3127 .resume = smp_resume_cb, 3128 3129 .new_connection = l2cap_chan_no_new_connection, 3130 .state_change = l2cap_chan_no_state_change, 3131 .close = l2cap_chan_no_close, 3132 .defer = l2cap_chan_no_defer, 3133 .suspend = l2cap_chan_no_suspend, 3134 .set_shutdown = l2cap_chan_no_set_shutdown, 3135 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3136 }; 3137 3138 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3139 { 3140 struct l2cap_chan *chan; 3141 3142 BT_DBG("pchan %p", pchan); 3143 3144 chan = l2cap_chan_create(); 3145 if (!chan) 3146 return NULL; 3147 3148 chan->chan_type = pchan->chan_type; 3149 chan->ops = &smp_chan_ops; 3150 chan->scid = pchan->scid; 3151 chan->dcid = chan->scid; 3152 chan->imtu = pchan->imtu; 3153 chan->omtu = pchan->omtu; 3154 chan->mode = pchan->mode; 3155 3156 /* Other L2CAP channels may request SMP routines in order to 3157 * change the security level. This means that the SMP channel 3158 * lock must be considered in its own category to avoid lockdep 3159 * warnings. 3160 */ 3161 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3162 3163 BT_DBG("created chan %p", chan); 3164 3165 return chan; 3166 } 3167 3168 static const struct l2cap_ops smp_root_chan_ops = { 3169 .name = "Security Manager Root", 3170 .new_connection = smp_new_conn_cb, 3171 3172 /* None of these are implemented for the root channel */ 3173 .close = l2cap_chan_no_close, 3174 .alloc_skb = l2cap_chan_no_alloc_skb, 3175 .recv = l2cap_chan_no_recv, 3176 .state_change = l2cap_chan_no_state_change, 3177 .teardown = l2cap_chan_no_teardown, 3178 .ready = l2cap_chan_no_ready, 3179 .defer = l2cap_chan_no_defer, 3180 .suspend = l2cap_chan_no_suspend, 3181 .resume = l2cap_chan_no_resume, 3182 .set_shutdown = l2cap_chan_no_set_shutdown, 3183 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3184 }; 3185 3186 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3187 { 3188 struct l2cap_chan *chan; 3189 struct smp_dev *smp; 3190 struct crypto_cipher *tfm_aes; 3191 struct crypto_shash *tfm_cmac; 3192 struct crypto_kpp *tfm_ecdh; 3193 3194 if (cid == L2CAP_CID_SMP_BREDR) { 3195 smp = NULL; 3196 goto create_chan; 3197 } 3198 3199 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3200 if (!smp) 3201 return ERR_PTR(-ENOMEM); 3202 3203 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 3204 if (IS_ERR(tfm_aes)) { 3205 BT_ERR("Unable to create AES crypto context"); 3206 kzfree(smp); 3207 return ERR_CAST(tfm_aes); 3208 } 3209 3210 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3211 if (IS_ERR(tfm_cmac)) { 3212 BT_ERR("Unable to create CMAC crypto context"); 3213 crypto_free_cipher(tfm_aes); 3214 kzfree(smp); 3215 return ERR_CAST(tfm_cmac); 3216 } 3217 3218 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 3219 if (IS_ERR(tfm_ecdh)) { 3220 BT_ERR("Unable to create ECDH crypto context"); 3221 crypto_free_shash(tfm_cmac); 3222 crypto_free_cipher(tfm_aes); 3223 kzfree(smp); 3224 return ERR_CAST(tfm_ecdh); 3225 } 3226 3227 smp->tfm_aes = tfm_aes; 3228 smp->tfm_cmac = tfm_cmac; 3229 smp->tfm_ecdh = tfm_ecdh; 3230 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE; 3231 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 3232 3233 create_chan: 3234 chan = l2cap_chan_create(); 3235 if (!chan) { 3236 if (smp) { 3237 crypto_free_cipher(smp->tfm_aes); 3238 crypto_free_shash(smp->tfm_cmac); 3239 crypto_free_kpp(smp->tfm_ecdh); 3240 kzfree(smp); 3241 } 3242 return ERR_PTR(-ENOMEM); 3243 } 3244 3245 chan->data = smp; 3246 3247 l2cap_add_scid(chan, cid); 3248 3249 l2cap_chan_set_defaults(chan); 3250 3251 if (cid == L2CAP_CID_SMP) { 3252 u8 bdaddr_type; 3253 3254 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3255 3256 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3257 chan->src_type = BDADDR_LE_PUBLIC; 3258 else 3259 chan->src_type = BDADDR_LE_RANDOM; 3260 } else { 3261 bacpy(&chan->src, &hdev->bdaddr); 3262 chan->src_type = BDADDR_BREDR; 3263 } 3264 3265 chan->state = BT_LISTEN; 3266 chan->mode = L2CAP_MODE_BASIC; 3267 chan->imtu = L2CAP_DEFAULT_MTU; 3268 chan->ops = &smp_root_chan_ops; 3269 3270 /* Set correct nesting level for a parent/listening channel */ 3271 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3272 3273 return chan; 3274 } 3275 3276 static void smp_del_chan(struct l2cap_chan *chan) 3277 { 3278 struct smp_dev *smp; 3279 3280 BT_DBG("chan %p", chan); 3281 3282 smp = chan->data; 3283 if (smp) { 3284 chan->data = NULL; 3285 crypto_free_cipher(smp->tfm_aes); 3286 crypto_free_shash(smp->tfm_cmac); 3287 crypto_free_kpp(smp->tfm_ecdh); 3288 kzfree(smp); 3289 } 3290 3291 l2cap_chan_put(chan); 3292 } 3293 3294 static ssize_t force_bredr_smp_read(struct file *file, 3295 char __user *user_buf, 3296 size_t count, loff_t *ppos) 3297 { 3298 struct hci_dev *hdev = file->private_data; 3299 char buf[3]; 3300 3301 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N'; 3302 buf[1] = '\n'; 3303 buf[2] = '\0'; 3304 return simple_read_from_buffer(user_buf, count, ppos, buf, 2); 3305 } 3306 3307 static ssize_t force_bredr_smp_write(struct file *file, 3308 const char __user *user_buf, 3309 size_t count, loff_t *ppos) 3310 { 3311 struct hci_dev *hdev = file->private_data; 3312 char buf[32]; 3313 size_t buf_size = min(count, (sizeof(buf)-1)); 3314 bool enable; 3315 3316 if (copy_from_user(buf, user_buf, buf_size)) 3317 return -EFAULT; 3318 3319 buf[buf_size] = '\0'; 3320 if (strtobool(buf, &enable)) 3321 return -EINVAL; 3322 3323 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3324 return -EALREADY; 3325 3326 if (enable) { 3327 struct l2cap_chan *chan; 3328 3329 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3330 if (IS_ERR(chan)) 3331 return PTR_ERR(chan); 3332 3333 hdev->smp_bredr_data = chan; 3334 } else { 3335 struct l2cap_chan *chan; 3336 3337 chan = hdev->smp_bredr_data; 3338 hdev->smp_bredr_data = NULL; 3339 smp_del_chan(chan); 3340 } 3341 3342 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3343 3344 return count; 3345 } 3346 3347 static const struct file_operations force_bredr_smp_fops = { 3348 .open = simple_open, 3349 .read = force_bredr_smp_read, 3350 .write = force_bredr_smp_write, 3351 .llseek = default_llseek, 3352 }; 3353 3354 static ssize_t le_min_key_size_read(struct file *file, 3355 char __user *user_buf, 3356 size_t count, loff_t *ppos) 3357 { 3358 struct hci_dev *hdev = file->private_data; 3359 char buf[4]; 3360 3361 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size); 3362 3363 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3364 } 3365 3366 static ssize_t le_min_key_size_write(struct file *file, 3367 const char __user *user_buf, 3368 size_t count, loff_t *ppos) 3369 { 3370 struct hci_dev *hdev = file->private_data; 3371 char buf[32]; 3372 size_t buf_size = min(count, (sizeof(buf) - 1)); 3373 u8 key_size; 3374 3375 if (copy_from_user(buf, user_buf, buf_size)) 3376 return -EFAULT; 3377 3378 buf[buf_size] = '\0'; 3379 3380 sscanf(buf, "%hhu", &key_size); 3381 3382 if (key_size > SMP_DEV(hdev)->max_key_size || 3383 key_size < SMP_MIN_ENC_KEY_SIZE) 3384 return -EINVAL; 3385 3386 SMP_DEV(hdev)->min_key_size = key_size; 3387 3388 return count; 3389 } 3390 3391 static const struct file_operations le_min_key_size_fops = { 3392 .open = simple_open, 3393 .read = le_min_key_size_read, 3394 .write = le_min_key_size_write, 3395 .llseek = default_llseek, 3396 }; 3397 3398 static ssize_t le_max_key_size_read(struct file *file, 3399 char __user *user_buf, 3400 size_t count, loff_t *ppos) 3401 { 3402 struct hci_dev *hdev = file->private_data; 3403 char buf[4]; 3404 3405 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size); 3406 3407 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3408 } 3409 3410 static ssize_t le_max_key_size_write(struct file *file, 3411 const char __user *user_buf, 3412 size_t count, loff_t *ppos) 3413 { 3414 struct hci_dev *hdev = file->private_data; 3415 char buf[32]; 3416 size_t buf_size = min(count, (sizeof(buf) - 1)); 3417 u8 key_size; 3418 3419 if (copy_from_user(buf, user_buf, buf_size)) 3420 return -EFAULT; 3421 3422 buf[buf_size] = '\0'; 3423 3424 sscanf(buf, "%hhu", &key_size); 3425 3426 if (key_size > SMP_MAX_ENC_KEY_SIZE || 3427 key_size < SMP_DEV(hdev)->min_key_size) 3428 return -EINVAL; 3429 3430 SMP_DEV(hdev)->max_key_size = key_size; 3431 3432 return count; 3433 } 3434 3435 static const struct file_operations le_max_key_size_fops = { 3436 .open = simple_open, 3437 .read = le_max_key_size_read, 3438 .write = le_max_key_size_write, 3439 .llseek = default_llseek, 3440 }; 3441 3442 int smp_register(struct hci_dev *hdev) 3443 { 3444 struct l2cap_chan *chan; 3445 3446 BT_DBG("%s", hdev->name); 3447 3448 /* If the controller does not support Low Energy operation, then 3449 * there is also no need to register any SMP channel. 3450 */ 3451 if (!lmp_le_capable(hdev)) 3452 return 0; 3453 3454 if (WARN_ON(hdev->smp_data)) { 3455 chan = hdev->smp_data; 3456 hdev->smp_data = NULL; 3457 smp_del_chan(chan); 3458 } 3459 3460 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3461 if (IS_ERR(chan)) 3462 return PTR_ERR(chan); 3463 3464 hdev->smp_data = chan; 3465 3466 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev, 3467 &le_min_key_size_fops); 3468 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev, 3469 &le_max_key_size_fops); 3470 3471 /* If the controller does not support BR/EDR Secure Connections 3472 * feature, then the BR/EDR SMP channel shall not be present. 3473 * 3474 * To test this with Bluetooth 4.0 controllers, create a debugfs 3475 * switch that allows forcing BR/EDR SMP support and accepting 3476 * cross-transport pairing on non-AES encrypted connections. 3477 */ 3478 if (!lmp_sc_capable(hdev)) { 3479 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs, 3480 hdev, &force_bredr_smp_fops); 3481 3482 /* Flag can be already set here (due to power toggle) */ 3483 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3484 return 0; 3485 } 3486 3487 if (WARN_ON(hdev->smp_bredr_data)) { 3488 chan = hdev->smp_bredr_data; 3489 hdev->smp_bredr_data = NULL; 3490 smp_del_chan(chan); 3491 } 3492 3493 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3494 if (IS_ERR(chan)) { 3495 int err = PTR_ERR(chan); 3496 chan = hdev->smp_data; 3497 hdev->smp_data = NULL; 3498 smp_del_chan(chan); 3499 return err; 3500 } 3501 3502 hdev->smp_bredr_data = chan; 3503 3504 return 0; 3505 } 3506 3507 void smp_unregister(struct hci_dev *hdev) 3508 { 3509 struct l2cap_chan *chan; 3510 3511 if (hdev->smp_bredr_data) { 3512 chan = hdev->smp_bredr_data; 3513 hdev->smp_bredr_data = NULL; 3514 smp_del_chan(chan); 3515 } 3516 3517 if (hdev->smp_data) { 3518 chan = hdev->smp_data; 3519 hdev->smp_data = NULL; 3520 smp_del_chan(chan); 3521 } 3522 } 3523 3524 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3525 3526 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh) 3527 { 3528 u8 pk[64]; 3529 int err; 3530 3531 err = set_ecdh_privkey(tfm_ecdh, debug_sk); 3532 if (err) 3533 return err; 3534 3535 err = generate_ecdh_public_key(tfm_ecdh, pk); 3536 if (err) 3537 return err; 3538 3539 if (crypto_memneq(pk, debug_pk, 64)) 3540 return -EINVAL; 3541 3542 return 0; 3543 } 3544 3545 static int __init test_ah(struct crypto_cipher *tfm_aes) 3546 { 3547 const u8 irk[16] = { 3548 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3549 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3550 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3551 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3552 u8 res[3]; 3553 int err; 3554 3555 err = smp_ah(tfm_aes, irk, r, res); 3556 if (err) 3557 return err; 3558 3559 if (crypto_memneq(res, exp, 3)) 3560 return -EINVAL; 3561 3562 return 0; 3563 } 3564 3565 static int __init test_c1(struct crypto_cipher *tfm_aes) 3566 { 3567 const u8 k[16] = { 3568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3570 const u8 r[16] = { 3571 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3572 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3573 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3574 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3575 const u8 _iat = 0x01; 3576 const u8 _rat = 0x00; 3577 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3578 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3579 const u8 exp[16] = { 3580 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3581 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3582 u8 res[16]; 3583 int err; 3584 3585 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3586 if (err) 3587 return err; 3588 3589 if (crypto_memneq(res, exp, 16)) 3590 return -EINVAL; 3591 3592 return 0; 3593 } 3594 3595 static int __init test_s1(struct crypto_cipher *tfm_aes) 3596 { 3597 const u8 k[16] = { 3598 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3600 const u8 r1[16] = { 3601 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3602 const u8 r2[16] = { 3603 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3604 const u8 exp[16] = { 3605 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3606 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3607 u8 res[16]; 3608 int err; 3609 3610 err = smp_s1(tfm_aes, k, r1, r2, res); 3611 if (err) 3612 return err; 3613 3614 if (crypto_memneq(res, exp, 16)) 3615 return -EINVAL; 3616 3617 return 0; 3618 } 3619 3620 static int __init test_f4(struct crypto_shash *tfm_cmac) 3621 { 3622 const u8 u[32] = { 3623 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3624 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3625 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3626 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3627 const u8 v[32] = { 3628 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3629 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3630 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3631 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3632 const u8 x[16] = { 3633 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3634 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3635 const u8 z = 0x00; 3636 const u8 exp[16] = { 3637 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3638 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3639 u8 res[16]; 3640 int err; 3641 3642 err = smp_f4(tfm_cmac, u, v, x, z, res); 3643 if (err) 3644 return err; 3645 3646 if (crypto_memneq(res, exp, 16)) 3647 return -EINVAL; 3648 3649 return 0; 3650 } 3651 3652 static int __init test_f5(struct crypto_shash *tfm_cmac) 3653 { 3654 const u8 w[32] = { 3655 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3656 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3657 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3658 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3659 const u8 n1[16] = { 3660 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3661 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3662 const u8 n2[16] = { 3663 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3664 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3665 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3666 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3667 const u8 exp_ltk[16] = { 3668 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3669 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3670 const u8 exp_mackey[16] = { 3671 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3672 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3673 u8 mackey[16], ltk[16]; 3674 int err; 3675 3676 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3677 if (err) 3678 return err; 3679 3680 if (crypto_memneq(mackey, exp_mackey, 16)) 3681 return -EINVAL; 3682 3683 if (crypto_memneq(ltk, exp_ltk, 16)) 3684 return -EINVAL; 3685 3686 return 0; 3687 } 3688 3689 static int __init test_f6(struct crypto_shash *tfm_cmac) 3690 { 3691 const u8 w[16] = { 3692 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3693 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3694 const u8 n1[16] = { 3695 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3696 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3697 const u8 n2[16] = { 3698 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3699 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3700 const u8 r[16] = { 3701 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3702 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3703 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3704 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3705 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3706 const u8 exp[16] = { 3707 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3708 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3709 u8 res[16]; 3710 int err; 3711 3712 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3713 if (err) 3714 return err; 3715 3716 if (crypto_memneq(res, exp, 16)) 3717 return -EINVAL; 3718 3719 return 0; 3720 } 3721 3722 static int __init test_g2(struct crypto_shash *tfm_cmac) 3723 { 3724 const u8 u[32] = { 3725 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3726 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3727 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3728 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3729 const u8 v[32] = { 3730 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3731 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3732 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3733 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3734 const u8 x[16] = { 3735 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3736 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3737 const u8 y[16] = { 3738 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3739 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3740 const u32 exp_val = 0x2f9ed5ba % 1000000; 3741 u32 val; 3742 int err; 3743 3744 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3745 if (err) 3746 return err; 3747 3748 if (val != exp_val) 3749 return -EINVAL; 3750 3751 return 0; 3752 } 3753 3754 static int __init test_h6(struct crypto_shash *tfm_cmac) 3755 { 3756 const u8 w[16] = { 3757 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3758 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3759 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3760 const u8 exp[16] = { 3761 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3762 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3763 u8 res[16]; 3764 int err; 3765 3766 err = smp_h6(tfm_cmac, w, key_id, res); 3767 if (err) 3768 return err; 3769 3770 if (crypto_memneq(res, exp, 16)) 3771 return -EINVAL; 3772 3773 return 0; 3774 } 3775 3776 static char test_smp_buffer[32]; 3777 3778 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3779 size_t count, loff_t *ppos) 3780 { 3781 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3782 strlen(test_smp_buffer)); 3783 } 3784 3785 static const struct file_operations test_smp_fops = { 3786 .open = simple_open, 3787 .read = test_smp_read, 3788 .llseek = default_llseek, 3789 }; 3790 3791 static int __init run_selftests(struct crypto_cipher *tfm_aes, 3792 struct crypto_shash *tfm_cmac, 3793 struct crypto_kpp *tfm_ecdh) 3794 { 3795 ktime_t calltime, delta, rettime; 3796 unsigned long long duration; 3797 int err; 3798 3799 calltime = ktime_get(); 3800 3801 err = test_debug_key(tfm_ecdh); 3802 if (err) { 3803 BT_ERR("debug_key test failed"); 3804 goto done; 3805 } 3806 3807 err = test_ah(tfm_aes); 3808 if (err) { 3809 BT_ERR("smp_ah test failed"); 3810 goto done; 3811 } 3812 3813 err = test_c1(tfm_aes); 3814 if (err) { 3815 BT_ERR("smp_c1 test failed"); 3816 goto done; 3817 } 3818 3819 err = test_s1(tfm_aes); 3820 if (err) { 3821 BT_ERR("smp_s1 test failed"); 3822 goto done; 3823 } 3824 3825 err = test_f4(tfm_cmac); 3826 if (err) { 3827 BT_ERR("smp_f4 test failed"); 3828 goto done; 3829 } 3830 3831 err = test_f5(tfm_cmac); 3832 if (err) { 3833 BT_ERR("smp_f5 test failed"); 3834 goto done; 3835 } 3836 3837 err = test_f6(tfm_cmac); 3838 if (err) { 3839 BT_ERR("smp_f6 test failed"); 3840 goto done; 3841 } 3842 3843 err = test_g2(tfm_cmac); 3844 if (err) { 3845 BT_ERR("smp_g2 test failed"); 3846 goto done; 3847 } 3848 3849 err = test_h6(tfm_cmac); 3850 if (err) { 3851 BT_ERR("smp_h6 test failed"); 3852 goto done; 3853 } 3854 3855 rettime = ktime_get(); 3856 delta = ktime_sub(rettime, calltime); 3857 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3858 3859 BT_INFO("SMP test passed in %llu usecs", duration); 3860 3861 done: 3862 if (!err) 3863 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3864 "PASS (%llu usecs)\n", duration); 3865 else 3866 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3867 3868 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3869 &test_smp_fops); 3870 3871 return err; 3872 } 3873 3874 int __init bt_selftest_smp(void) 3875 { 3876 struct crypto_cipher *tfm_aes; 3877 struct crypto_shash *tfm_cmac; 3878 struct crypto_kpp *tfm_ecdh; 3879 int err; 3880 3881 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 3882 if (IS_ERR(tfm_aes)) { 3883 BT_ERR("Unable to create AES crypto context"); 3884 return PTR_ERR(tfm_aes); 3885 } 3886 3887 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 3888 if (IS_ERR(tfm_cmac)) { 3889 BT_ERR("Unable to create CMAC crypto context"); 3890 crypto_free_cipher(tfm_aes); 3891 return PTR_ERR(tfm_cmac); 3892 } 3893 3894 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 3895 if (IS_ERR(tfm_ecdh)) { 3896 BT_ERR("Unable to create ECDH crypto context"); 3897 crypto_free_shash(tfm_cmac); 3898 crypto_free_cipher(tfm_aes); 3899 return PTR_ERR(tfm_ecdh); 3900 } 3901 3902 err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh); 3903 3904 crypto_free_shash(tfm_cmac); 3905 crypto_free_cipher(tfm_aes); 3906 crypto_free_kpp(tfm_ecdh); 3907 3908 return err; 3909 } 3910 3911 #endif 3912