• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/b128ops.h>
29 #include <crypto/hash.h>
30 #include <crypto/kpp.h>
31 
32 #include <net/bluetooth/bluetooth.h>
33 #include <net/bluetooth/hci_core.h>
34 #include <net/bluetooth/l2cap.h>
35 #include <net/bluetooth/mgmt.h>
36 
37 #include "ecdh_helper.h"
38 #include "smp.h"
39 
40 #define SMP_DEV(hdev) \
41 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42 
43 /* Low-level debug macros to be used for stuff that we don't want
44  * accidentially in dmesg, i.e. the values of the various crypto keys
45  * and the inputs & outputs of crypto functions.
46  */
47 #ifdef DEBUG
48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 				 ##__VA_ARGS__)
50 #else
51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 				    ##__VA_ARGS__)
53 #endif
54 
55 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
56 
57 /* Keys which are not distributed with Secure Connections */
58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59 
60 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*slave_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*slave_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
swap_buf(const u8 * src,u8 * dst,size_t len)157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
aes_cmac(struct crypto_shash * tfm,const u8 k[16],const u8 * m,size_t len,u8 mac[16])169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	int err;
174 
175 	if (len > CMAC_MSG_MAX)
176 		return -EFBIG;
177 
178 	if (!tfm) {
179 		BT_ERR("tfm %p", tfm);
180 		return -EINVAL;
181 	}
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_shash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 	if (err) {
198 		BT_ERR("Hash computation error %d", err);
199 		return err;
200 	}
201 
202 	swap_buf(mac_msb, mac, 16);
203 
204 	SMP_DBG("mac %16phN", mac);
205 
206 	return 0;
207 }
208 
smp_f4(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],u8 z,u8 res[16])209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211 {
212 	u8 m[65];
213 	int err;
214 
215 	SMP_DBG("u %32phN", u);
216 	SMP_DBG("v %32phN", v);
217 	SMP_DBG("x %16phN z %02x", x, z);
218 
219 	m[0] = z;
220 	memcpy(m + 1, v, 32);
221 	memcpy(m + 33, u, 32);
222 
223 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 	if (err)
225 		return err;
226 
227 	SMP_DBG("res %16phN", res);
228 
229 	return err;
230 }
231 
smp_f5(struct crypto_shash * tfm_cmac,const u8 w[32],const u8 n1[16],const u8 n2[16],const u8 a1[7],const u8 a2[7],u8 mackey[16],u8 ltk[16])232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 {
236 	/* The btle, salt and length "magic" values are as defined in
237 	 * the SMP section of the Bluetooth core specification. In ASCII
238 	 * the btle value ends up being 'btle'. The salt is just a
239 	 * random number whereas length is the value 256 in little
240 	 * endian format.
241 	 */
242 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 	const u8 length[2] = { 0x00, 0x01 };
246 	u8 m[53], t[16];
247 	int err;
248 
249 	SMP_DBG("w %32phN", w);
250 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 
253 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 	if (err)
255 		return err;
256 
257 	SMP_DBG("t %16phN", t);
258 
259 	memcpy(m, length, 2);
260 	memcpy(m + 2, a2, 7);
261 	memcpy(m + 9, a1, 7);
262 	memcpy(m + 16, n2, 16);
263 	memcpy(m + 32, n1, 16);
264 	memcpy(m + 48, btle, 4);
265 
266 	m[52] = 0; /* Counter */
267 
268 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 	if (err)
270 		return err;
271 
272 	SMP_DBG("mackey %16phN", mackey);
273 
274 	m[52] = 1; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("ltk %16phN", ltk);
281 
282 	return 0;
283 }
284 
smp_f6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 n1[16],const u8 n2[16],const u8 r[16],const u8 io_cap[3],const u8 a1[7],const u8 a2[7],u8 res[16])285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 		  u8 res[16])
289 {
290 	u8 m[65];
291 	int err;
292 
293 	SMP_DBG("w %16phN", w);
294 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296 
297 	memcpy(m, a2, 7);
298 	memcpy(m + 7, a1, 7);
299 	memcpy(m + 14, io_cap, 3);
300 	memcpy(m + 17, r, 16);
301 	memcpy(m + 33, n2, 16);
302 	memcpy(m + 49, n1, 16);
303 
304 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 	if (err)
306 		return err;
307 
308 	SMP_DBG("res %16phN", res);
309 
310 	return err;
311 }
312 
smp_g2(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],const u8 y[16],u32 * val)313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 		  const u8 x[16], const u8 y[16], u32 *val)
315 {
316 	u8 m[80], tmp[16];
317 	int err;
318 
319 	SMP_DBG("u %32phN", u);
320 	SMP_DBG("v %32phN", v);
321 	SMP_DBG("x %16phN y %16phN", x, y);
322 
323 	memcpy(m, y, 16);
324 	memcpy(m + 16, v, 32);
325 	memcpy(m + 48, u, 32);
326 
327 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 	if (err)
329 		return err;
330 
331 	*val = get_unaligned_le32(tmp);
332 	*val %= 1000000;
333 
334 	SMP_DBG("val %06u", *val);
335 
336 	return 0;
337 }
338 
smp_h6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 key_id[4],u8 res[16])339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 		  const u8 key_id[4], u8 res[16])
341 {
342 	int err;
343 
344 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 
346 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 	if (err)
348 		return err;
349 
350 	SMP_DBG("res %16phN", res);
351 
352 	return err;
353 }
354 
smp_h7(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 salt[16],u8 res[16])355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 		  const u8 salt[16], u8 res[16])
357 {
358 	int err;
359 
360 	SMP_DBG("w %16phN salt %16phN", w, salt);
361 
362 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 	if (err)
364 		return err;
365 
366 	SMP_DBG("res %16phN", res);
367 
368 	return err;
369 }
370 
371 /* The following functions map to the legacy SMP crypto functions e, c1,
372  * s1 and ah.
373  */
374 
smp_e(const u8 * k,u8 * r)375 static int smp_e(const u8 *k, u8 *r)
376 {
377 	struct crypto_aes_ctx ctx;
378 	uint8_t tmp[16], data[16];
379 	int err;
380 
381 	SMP_DBG("k %16phN r %16phN", k, r);
382 
383 	/* The most significant octet of key corresponds to k[0] */
384 	swap_buf(k, tmp, 16);
385 
386 	err = aes_expandkey(&ctx, tmp, 16);
387 	if (err) {
388 		BT_ERR("cipher setkey failed: %d", err);
389 		return err;
390 	}
391 
392 	/* Most significant octet of plaintextData corresponds to data[0] */
393 	swap_buf(r, data, 16);
394 
395 	aes_encrypt(&ctx, data, data);
396 
397 	/* Most significant octet of encryptedData corresponds to data[0] */
398 	swap_buf(data, r, 16);
399 
400 	SMP_DBG("r %16phN", r);
401 
402 	memzero_explicit(&ctx, sizeof (ctx));
403 	return err;
404 }
405 
smp_c1(const u8 k[16],const u8 r[16],const u8 preq[7],const u8 pres[7],u8 _iat,const bdaddr_t * ia,u8 _rat,const bdaddr_t * ra,u8 res[16])406 static int smp_c1(const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	SMP_DBG("k %16phN r %16phN", k, r);
414 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416 
417 	memset(p1, 0, 16);
418 
419 	/* p1 = pres || preq || _rat || _iat */
420 	p1[0] = _iat;
421 	p1[1] = _rat;
422 	memcpy(p1 + 2, preq, 7);
423 	memcpy(p1 + 9, pres, 7);
424 
425 	SMP_DBG("p1 %16phN", p1);
426 
427 	/* res = r XOR p1 */
428 	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
429 
430 	/* res = e(k, res) */
431 	err = smp_e(k, res);
432 	if (err) {
433 		BT_ERR("Encrypt data error");
434 		return err;
435 	}
436 
437 	/* p2 = padding || ia || ra */
438 	memcpy(p2, ra, 6);
439 	memcpy(p2 + 6, ia, 6);
440 	memset(p2 + 12, 0, 4);
441 
442 	SMP_DBG("p2 %16phN", p2);
443 
444 	/* res = res XOR p2 */
445 	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
446 
447 	/* res = e(k, res) */
448 	err = smp_e(k, res);
449 	if (err)
450 		BT_ERR("Encrypt data error");
451 
452 	return err;
453 }
454 
smp_s1(const u8 k[16],const u8 r1[16],const u8 r2[16],u8 _r[16])455 static int smp_s1(const u8 k[16],
456 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457 {
458 	int err;
459 
460 	/* Just least significant octets from r1 and r2 are considered */
461 	memcpy(_r, r2, 8);
462 	memcpy(_r + 8, r1, 8);
463 
464 	err = smp_e(k, _r);
465 	if (err)
466 		BT_ERR("Encrypt data error");
467 
468 	return err;
469 }
470 
smp_ah(const u8 irk[16],const u8 r[3],u8 res[3])471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472 {
473 	u8 _res[16];
474 	int err;
475 
476 	/* r' = padding || r */
477 	memcpy(_res, r, 3);
478 	memset(_res + 3, 0, 13);
479 
480 	err = smp_e(irk, _res);
481 	if (err) {
482 		BT_ERR("Encrypt error");
483 		return err;
484 	}
485 
486 	/* The output of the random address function ah is:
487 	 *	ah(k, r) = e(k, r') mod 2^24
488 	 * The output of the security function e is then truncated to 24 bits
489 	 * by taking the least significant 24 bits of the output of e as the
490 	 * result of ah.
491 	 */
492 	memcpy(res, _res, 3);
493 
494 	return 0;
495 }
496 
smp_irk_matches(struct hci_dev * hdev,const u8 irk[16],const bdaddr_t * bdaddr)497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 		     const bdaddr_t *bdaddr)
499 {
500 	struct l2cap_chan *chan = hdev->smp_data;
501 	u8 hash[3];
502 	int err;
503 
504 	if (!chan || !chan->data)
505 		return false;
506 
507 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 
509 	err = smp_ah(irk, &bdaddr->b[3], hash);
510 	if (err)
511 		return false;
512 
513 	return !crypto_memneq(bdaddr->b, hash, 3);
514 }
515 
smp_generate_rpa(struct hci_dev * hdev,const u8 irk[16],bdaddr_t * rpa)516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 {
518 	struct l2cap_chan *chan = hdev->smp_data;
519 	int err;
520 
521 	if (!chan || !chan->data)
522 		return -EOPNOTSUPP;
523 
524 	get_random_bytes(&rpa->b[3], 3);
525 
526 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528 
529 	err = smp_ah(irk, &rpa->b[3], rpa->b);
530 	if (err < 0)
531 		return err;
532 
533 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534 
535 	return 0;
536 }
537 
smp_generate_oob(struct hci_dev * hdev,u8 hash[16],u8 rand[16])538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 	struct l2cap_chan *chan = hdev->smp_data;
541 	struct smp_dev *smp;
542 	int err;
543 
544 	if (!chan || !chan->data)
545 		return -EOPNOTSUPP;
546 
547 	smp = chan->data;
548 
549 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 		bt_dev_dbg(hdev, "Using debug keys");
551 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 		if (err)
553 			return err;
554 		memcpy(smp->local_pk, debug_pk, 64);
555 		smp->debug_key = true;
556 	} else {
557 		while (true) {
558 			/* Generate key pair for Secure Connections */
559 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560 			if (err)
561 				return err;
562 
563 			/* This is unlikely, but we need to check that
564 			 * we didn't accidentially generate a debug key.
565 			 */
566 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567 				break;
568 		}
569 		smp->debug_key = false;
570 	}
571 
572 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 
575 	get_random_bytes(smp->local_rand, 16);
576 
577 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 		     smp->local_rand, 0, hash);
579 	if (err < 0)
580 		return err;
581 
582 	memcpy(rand, smp->local_rand, 16);
583 
584 	smp->local_oob = true;
585 
586 	return 0;
587 }
588 
smp_send_cmd(struct l2cap_conn * conn,u8 code,u16 len,void * data)589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 {
591 	struct l2cap_chan *chan = conn->smp;
592 	struct smp_chan *smp;
593 	struct kvec iv[2];
594 	struct msghdr msg;
595 
596 	if (!chan)
597 		return;
598 
599 	BT_DBG("code 0x%2.2x", code);
600 
601 	iv[0].iov_base = &code;
602 	iv[0].iov_len = 1;
603 
604 	iv[1].iov_base = data;
605 	iv[1].iov_len = len;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
610 
611 	l2cap_chan_send(chan, &msg, 1 + len);
612 
613 	if (!chan->data)
614 		return;
615 
616 	smp = chan->data;
617 
618 	cancel_delayed_work_sync(&smp->security_timer);
619 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620 }
621 
authreq_to_seclevel(u8 authreq)622 static u8 authreq_to_seclevel(u8 authreq)
623 {
624 	if (authreq & SMP_AUTH_MITM) {
625 		if (authreq & SMP_AUTH_SC)
626 			return BT_SECURITY_FIPS;
627 		else
628 			return BT_SECURITY_HIGH;
629 	} else {
630 		return BT_SECURITY_MEDIUM;
631 	}
632 }
633 
seclevel_to_authreq(__u8 sec_level)634 static __u8 seclevel_to_authreq(__u8 sec_level)
635 {
636 	switch (sec_level) {
637 	case BT_SECURITY_FIPS:
638 	case BT_SECURITY_HIGH:
639 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 	case BT_SECURITY_MEDIUM:
641 		return SMP_AUTH_BONDING;
642 	default:
643 		return SMP_AUTH_NONE;
644 	}
645 }
646 
build_pairing_cmd(struct l2cap_conn * conn,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp,__u8 authreq)647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 			      struct smp_cmd_pairing *req,
649 			      struct smp_cmd_pairing *rsp, __u8 authreq)
650 {
651 	struct l2cap_chan *chan = conn->smp;
652 	struct smp_chan *smp = chan->data;
653 	struct hci_conn *hcon = conn->hcon;
654 	struct hci_dev *hdev = hcon->hdev;
655 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 
657 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		authreq |= SMP_AUTH_BONDING;
661 	} else {
662 		authreq &= ~SMP_AUTH_BONDING;
663 	}
664 
665 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 		remote_dist |= SMP_DIST_ID_KEY;
667 
668 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 		local_dist |= SMP_DIST_ID_KEY;
670 
671 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 	    (authreq & SMP_AUTH_SC)) {
673 		struct oob_data *oob_data;
674 		u8 bdaddr_type;
675 
676 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 			local_dist |= SMP_DIST_LINK_KEY;
678 			remote_dist |= SMP_DIST_LINK_KEY;
679 		}
680 
681 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 			bdaddr_type = BDADDR_LE_PUBLIC;
683 		else
684 			bdaddr_type = BDADDR_LE_RANDOM;
685 
686 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 						    bdaddr_type);
688 		if (oob_data && oob_data->present) {
689 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 			oob_flag = SMP_OOB_PRESENT;
691 			memcpy(smp->rr, oob_data->rand256, 16);
692 			memcpy(smp->pcnf, oob_data->hash256, 16);
693 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695 		}
696 
697 	} else {
698 		authreq &= ~SMP_AUTH_SC;
699 	}
700 
701 	if (rsp == NULL) {
702 		req->io_capability = conn->hcon->io_capability;
703 		req->oob_flag = oob_flag;
704 		req->max_key_size = hdev->le_max_key_size;
705 		req->init_key_dist = local_dist;
706 		req->resp_key_dist = remote_dist;
707 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 
709 		smp->remote_key_dist = remote_dist;
710 		return;
711 	}
712 
713 	rsp->io_capability = conn->hcon->io_capability;
714 	rsp->oob_flag = oob_flag;
715 	rsp->max_key_size = hdev->le_max_key_size;
716 	rsp->init_key_dist = req->init_key_dist & remote_dist;
717 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 
720 	smp->remote_key_dist = rsp->init_key_dist;
721 }
722 
check_enc_key_size(struct l2cap_conn * conn,__u8 max_key_size)723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 {
725 	struct l2cap_chan *chan = conn->smp;
726 	struct hci_dev *hdev = conn->hcon->hdev;
727 	struct smp_chan *smp = chan->data;
728 
729 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 		return SMP_ENC_KEY_SIZE;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
smp_chan_destroy(struct l2cap_conn * conn)742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kfree_sensitive(smp->csrk);
757 	kfree_sensitive(smp->slave_csrk);
758 	kfree_sensitive(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->slave_ltk) {
781 			list_del_rcu(&smp->slave_ltk->list);
782 			kfree_rcu(smp->slave_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kfree_sensitive(smp);
793 	hci_conn_drop(hcon);
794 }
795 
smp_failure(struct l2cap_conn * conn,u8 reason)796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
get_auth_method(struct smp_chan * smp,u8 local_io,u8 remote_io)835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
tk_request(struct l2cap_conn * conn,u8 remote_oob,u8 auth,u8 local_io,u8 remote_io)850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
864 
865 	/* If neither side wants MITM, either "just" confirm an incoming
866 	 * request or use just-works for outgoing ones. The JUST_CFM
867 	 * will be converted to JUST_WORKS if necessary later in this
868 	 * function. If either side has MITM look up the method from the
869 	 * table.
870 	 */
871 	if (!(auth & SMP_AUTH_MITM))
872 		smp->method = JUST_CFM;
873 	else
874 		smp->method = get_auth_method(smp, local_io, remote_io);
875 
876 	/* Don't confirm locally initiated pairing attempts */
877 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 						&smp->flags))
879 		smp->method = JUST_WORKS;
880 
881 	/* Don't bother user space with no IO capabilities */
882 	if (smp->method == JUST_CFM &&
883 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 		smp->method = JUST_WORKS;
885 
886 	/* If Just Works, Continue with Zero TK and ask user-space for
887 	 * confirmation */
888 	if (smp->method == JUST_WORKS) {
889 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
890 						hcon->type,
891 						hcon->dst_type,
892 						passkey, 1);
893 		if (ret)
894 			return ret;
895 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
896 		return 0;
897 	}
898 
899 	/* If this function is used for SC -> legacy fallback we
900 	 * can only recover the just-works case.
901 	 */
902 	if (test_bit(SMP_FLAG_SC, &smp->flags))
903 		return -EINVAL;
904 
905 	/* Not Just Works/Confirm results in MITM Authentication */
906 	if (smp->method != JUST_CFM) {
907 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
908 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
909 			hcon->pending_sec_level = BT_SECURITY_HIGH;
910 	}
911 
912 	/* If both devices have Keyboard-Display I/O, the initiator
913 	 * Confirms and the responder Enters the passkey.
914 	 */
915 	if (smp->method == OVERLAP) {
916 		if (hcon->role == HCI_ROLE_MASTER)
917 			smp->method = CFM_PASSKEY;
918 		else
919 			smp->method = REQ_PASSKEY;
920 	}
921 
922 	/* Generate random passkey. */
923 	if (smp->method == CFM_PASSKEY) {
924 		memset(smp->tk, 0, sizeof(smp->tk));
925 		get_random_bytes(&passkey, sizeof(passkey));
926 		passkey %= 1000000;
927 		put_unaligned_le32(passkey, smp->tk);
928 		BT_DBG("PassKey: %d", passkey);
929 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
930 	}
931 
932 	if (smp->method == REQ_PASSKEY)
933 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
934 						hcon->type, hcon->dst_type);
935 	else if (smp->method == JUST_CFM)
936 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
937 						hcon->type, hcon->dst_type,
938 						passkey, 1);
939 	else
940 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
941 						hcon->type, hcon->dst_type,
942 						passkey, 0);
943 
944 	return ret;
945 }
946 
smp_confirm(struct smp_chan * smp)947 static u8 smp_confirm(struct smp_chan *smp)
948 {
949 	struct l2cap_conn *conn = smp->conn;
950 	struct smp_cmd_pairing_confirm cp;
951 	int ret;
952 
953 	BT_DBG("conn %p", conn);
954 
955 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
956 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
957 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
958 		     cp.confirm_val);
959 	if (ret)
960 		return SMP_UNSPECIFIED;
961 
962 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
963 
964 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
965 
966 	if (conn->hcon->out)
967 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
968 	else
969 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
970 
971 	return 0;
972 }
973 
smp_random(struct smp_chan * smp)974 static u8 smp_random(struct smp_chan *smp)
975 {
976 	struct l2cap_conn *conn = smp->conn;
977 	struct hci_conn *hcon = conn->hcon;
978 	u8 confirm[16];
979 	int ret;
980 
981 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
982 
983 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
984 		     hcon->init_addr_type, &hcon->init_addr,
985 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
986 	if (ret)
987 		return SMP_UNSPECIFIED;
988 
989 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
990 		bt_dev_err(hcon->hdev, "pairing failed "
991 			   "(confirmation values mismatch)");
992 		return SMP_CONFIRM_FAILED;
993 	}
994 
995 	if (hcon->out) {
996 		u8 stk[16];
997 		__le64 rand = 0;
998 		__le16 ediv = 0;
999 
1000 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1001 
1002 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1003 			return SMP_UNSPECIFIED;
1004 
1005 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1006 		hcon->enc_key_size = smp->enc_key_size;
1007 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1008 	} else {
1009 		u8 stk[16], auth;
1010 		__le64 rand = 0;
1011 		__le16 ediv = 0;
1012 
1013 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1014 			     smp->prnd);
1015 
1016 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1017 
1018 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1019 			auth = 1;
1020 		else
1021 			auth = 0;
1022 
1023 		/* Even though there's no _SLAVE suffix this is the
1024 		 * slave STK we're adding for later lookup (the master
1025 		 * STK never needs to be stored).
1026 		 */
1027 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1028 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1029 	}
1030 
1031 	return 0;
1032 }
1033 
smp_notify_keys(struct l2cap_conn * conn)1034 static void smp_notify_keys(struct l2cap_conn *conn)
1035 {
1036 	struct l2cap_chan *chan = conn->smp;
1037 	struct smp_chan *smp = chan->data;
1038 	struct hci_conn *hcon = conn->hcon;
1039 	struct hci_dev *hdev = hcon->hdev;
1040 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1041 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1042 	bool persistent;
1043 
1044 	if (hcon->type == ACL_LINK) {
1045 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1046 			persistent = false;
1047 		else
1048 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1049 					       &hcon->flags);
1050 	} else {
1051 		/* The LTKs, IRKs and CSRKs should be persistent only if
1052 		 * both sides had the bonding bit set in their
1053 		 * authentication requests.
1054 		 */
1055 		persistent = !!((req->auth_req & rsp->auth_req) &
1056 				SMP_AUTH_BONDING);
1057 	}
1058 
1059 	if (smp->remote_irk) {
1060 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1061 
1062 		/* Now that user space can be considered to know the
1063 		 * identity address track the connection based on it
1064 		 * from now on (assuming this is an LE link).
1065 		 */
1066 		if (hcon->type == LE_LINK) {
1067 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1068 			hcon->dst_type = smp->remote_irk->addr_type;
1069 			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1070 		}
1071 	}
1072 
1073 	if (smp->csrk) {
1074 		smp->csrk->bdaddr_type = hcon->dst_type;
1075 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1076 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1077 	}
1078 
1079 	if (smp->slave_csrk) {
1080 		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1081 		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1082 		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1083 	}
1084 
1085 	if (smp->ltk) {
1086 		smp->ltk->bdaddr_type = hcon->dst_type;
1087 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1088 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1089 	}
1090 
1091 	if (smp->slave_ltk) {
1092 		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1093 		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1094 		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1095 	}
1096 
1097 	if (smp->link_key) {
1098 		struct link_key *key;
1099 		u8 type;
1100 
1101 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1102 			type = HCI_LK_DEBUG_COMBINATION;
1103 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1104 			type = HCI_LK_AUTH_COMBINATION_P256;
1105 		else
1106 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1107 
1108 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1109 				       smp->link_key, type, 0, &persistent);
1110 		if (key) {
1111 			mgmt_new_link_key(hdev, key, persistent);
1112 
1113 			/* Don't keep debug keys around if the relevant
1114 			 * flag is not set.
1115 			 */
1116 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1117 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1118 				list_del_rcu(&key->list);
1119 				kfree_rcu(key, rcu);
1120 			}
1121 		}
1122 	}
1123 }
1124 
sc_add_ltk(struct smp_chan * smp)1125 static void sc_add_ltk(struct smp_chan *smp)
1126 {
1127 	struct hci_conn *hcon = smp->conn->hcon;
1128 	u8 key_type, auth;
1129 
1130 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1131 		key_type = SMP_LTK_P256_DEBUG;
1132 	else
1133 		key_type = SMP_LTK_P256;
1134 
1135 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1136 		auth = 1;
1137 	else
1138 		auth = 0;
1139 
1140 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1141 			       key_type, auth, smp->tk, smp->enc_key_size,
1142 			       0, 0);
1143 }
1144 
sc_generate_link_key(struct smp_chan * smp)1145 static void sc_generate_link_key(struct smp_chan *smp)
1146 {
1147 	/* From core spec. Spells out in ASCII as 'lebr'. */
1148 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1149 
1150 	smp->link_key = kzalloc(16, GFP_KERNEL);
1151 	if (!smp->link_key)
1152 		return;
1153 
1154 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1155 		/* SALT = 0x000000000000000000000000746D7031 */
1156 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1157 
1158 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1159 			kfree_sensitive(smp->link_key);
1160 			smp->link_key = NULL;
1161 			return;
1162 		}
1163 	} else {
1164 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1165 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1166 
1167 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1168 			kfree_sensitive(smp->link_key);
1169 			smp->link_key = NULL;
1170 			return;
1171 		}
1172 	}
1173 
1174 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1175 		kfree_sensitive(smp->link_key);
1176 		smp->link_key = NULL;
1177 		return;
1178 	}
1179 }
1180 
smp_allow_key_dist(struct smp_chan * smp)1181 static void smp_allow_key_dist(struct smp_chan *smp)
1182 {
1183 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1184 	 * will be allowed in each PDU handler to ensure we receive
1185 	 * them in the correct order.
1186 	 */
1187 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1188 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1189 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1190 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1191 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1192 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1193 }
1194 
sc_generate_ltk(struct smp_chan * smp)1195 static void sc_generate_ltk(struct smp_chan *smp)
1196 {
1197 	/* From core spec. Spells out in ASCII as 'brle'. */
1198 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1199 	struct hci_conn *hcon = smp->conn->hcon;
1200 	struct hci_dev *hdev = hcon->hdev;
1201 	struct link_key *key;
1202 
1203 	key = hci_find_link_key(hdev, &hcon->dst);
1204 	if (!key) {
1205 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1206 		return;
1207 	}
1208 
1209 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1210 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1211 
1212 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1213 		/* SALT = 0x000000000000000000000000746D7032 */
1214 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1215 
1216 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1217 			return;
1218 	} else {
1219 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1220 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1221 
1222 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1223 			return;
1224 	}
1225 
1226 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1227 		return;
1228 
1229 	sc_add_ltk(smp);
1230 }
1231 
smp_distribute_keys(struct smp_chan * smp)1232 static void smp_distribute_keys(struct smp_chan *smp)
1233 {
1234 	struct smp_cmd_pairing *req, *rsp;
1235 	struct l2cap_conn *conn = smp->conn;
1236 	struct hci_conn *hcon = conn->hcon;
1237 	struct hci_dev *hdev = hcon->hdev;
1238 	__u8 *keydist;
1239 
1240 	BT_DBG("conn %p", conn);
1241 
1242 	rsp = (void *) &smp->prsp[1];
1243 
1244 	/* The responder sends its keys first */
1245 	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1246 		smp_allow_key_dist(smp);
1247 		return;
1248 	}
1249 
1250 	req = (void *) &smp->preq[1];
1251 
1252 	if (hcon->out) {
1253 		keydist = &rsp->init_key_dist;
1254 		*keydist &= req->init_key_dist;
1255 	} else {
1256 		keydist = &rsp->resp_key_dist;
1257 		*keydist &= req->resp_key_dist;
1258 	}
1259 
1260 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1261 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1262 			sc_generate_link_key(smp);
1263 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1264 			sc_generate_ltk(smp);
1265 
1266 		/* Clear the keys which are generated but not distributed */
1267 		*keydist &= ~SMP_SC_NO_DIST;
1268 	}
1269 
1270 	BT_DBG("keydist 0x%x", *keydist);
1271 
1272 	if (*keydist & SMP_DIST_ENC_KEY) {
1273 		struct smp_cmd_encrypt_info enc;
1274 		struct smp_cmd_master_ident ident;
1275 		struct smp_ltk *ltk;
1276 		u8 authenticated;
1277 		__le16 ediv;
1278 		__le64 rand;
1279 
1280 		/* Make sure we generate only the significant amount of
1281 		 * bytes based on the encryption key size, and set the rest
1282 		 * of the value to zeroes.
1283 		 */
1284 		get_random_bytes(enc.ltk, smp->enc_key_size);
1285 		memset(enc.ltk + smp->enc_key_size, 0,
1286 		       sizeof(enc.ltk) - smp->enc_key_size);
1287 
1288 		get_random_bytes(&ediv, sizeof(ediv));
1289 		get_random_bytes(&rand, sizeof(rand));
1290 
1291 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1292 
1293 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1294 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1295 				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1296 				  smp->enc_key_size, ediv, rand);
1297 		smp->slave_ltk = ltk;
1298 
1299 		ident.ediv = ediv;
1300 		ident.rand = rand;
1301 
1302 		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1303 
1304 		*keydist &= ~SMP_DIST_ENC_KEY;
1305 	}
1306 
1307 	if (*keydist & SMP_DIST_ID_KEY) {
1308 		struct smp_cmd_ident_addr_info addrinfo;
1309 		struct smp_cmd_ident_info idinfo;
1310 
1311 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1312 
1313 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1314 
1315 		/* The hci_conn contains the local identity address
1316 		 * after the connection has been established.
1317 		 *
1318 		 * This is true even when the connection has been
1319 		 * established using a resolvable random address.
1320 		 */
1321 		bacpy(&addrinfo.bdaddr, &hcon->src);
1322 		addrinfo.addr_type = hcon->src_type;
1323 
1324 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1325 			     &addrinfo);
1326 
1327 		*keydist &= ~SMP_DIST_ID_KEY;
1328 	}
1329 
1330 	if (*keydist & SMP_DIST_SIGN) {
1331 		struct smp_cmd_sign_info sign;
1332 		struct smp_csrk *csrk;
1333 
1334 		/* Generate a new random key */
1335 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1336 
1337 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1338 		if (csrk) {
1339 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1340 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1341 			else
1342 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1343 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1344 		}
1345 		smp->slave_csrk = csrk;
1346 
1347 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1348 
1349 		*keydist &= ~SMP_DIST_SIGN;
1350 	}
1351 
1352 	/* If there are still keys to be received wait for them */
1353 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1354 		smp_allow_key_dist(smp);
1355 		return;
1356 	}
1357 
1358 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1359 	smp_notify_keys(conn);
1360 
1361 	smp_chan_destroy(conn);
1362 }
1363 
smp_timeout(struct work_struct * work)1364 static void smp_timeout(struct work_struct *work)
1365 {
1366 	struct smp_chan *smp = container_of(work, struct smp_chan,
1367 					    security_timer.work);
1368 	struct l2cap_conn *conn = smp->conn;
1369 
1370 	BT_DBG("conn %p", conn);
1371 
1372 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1373 }
1374 
smp_chan_create(struct l2cap_conn * conn)1375 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1376 {
1377 	struct l2cap_chan *chan = conn->smp;
1378 	struct smp_chan *smp;
1379 
1380 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1381 	if (!smp)
1382 		return NULL;
1383 
1384 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1385 	if (IS_ERR(smp->tfm_cmac)) {
1386 		BT_ERR("Unable to create CMAC crypto context");
1387 		goto zfree_smp;
1388 	}
1389 
1390 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
1391 	if (IS_ERR(smp->tfm_ecdh)) {
1392 		BT_ERR("Unable to create ECDH crypto context");
1393 		goto free_shash;
1394 	}
1395 
1396 	smp->conn = conn;
1397 	chan->data = smp;
1398 
1399 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1400 
1401 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1402 
1403 	hci_conn_hold(conn->hcon);
1404 
1405 	return smp;
1406 
1407 free_shash:
1408 	crypto_free_shash(smp->tfm_cmac);
1409 zfree_smp:
1410 	kfree_sensitive(smp);
1411 	return NULL;
1412 }
1413 
sc_mackey_and_ltk(struct smp_chan * smp,u8 mackey[16],u8 ltk[16])1414 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1415 {
1416 	struct hci_conn *hcon = smp->conn->hcon;
1417 	u8 *na, *nb, a[7], b[7];
1418 
1419 	if (hcon->out) {
1420 		na   = smp->prnd;
1421 		nb   = smp->rrnd;
1422 	} else {
1423 		na   = smp->rrnd;
1424 		nb   = smp->prnd;
1425 	}
1426 
1427 	memcpy(a, &hcon->init_addr, 6);
1428 	memcpy(b, &hcon->resp_addr, 6);
1429 	a[6] = hcon->init_addr_type;
1430 	b[6] = hcon->resp_addr_type;
1431 
1432 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1433 }
1434 
sc_dhkey_check(struct smp_chan * smp)1435 static void sc_dhkey_check(struct smp_chan *smp)
1436 {
1437 	struct hci_conn *hcon = smp->conn->hcon;
1438 	struct smp_cmd_dhkey_check check;
1439 	u8 a[7], b[7], *local_addr, *remote_addr;
1440 	u8 io_cap[3], r[16];
1441 
1442 	memcpy(a, &hcon->init_addr, 6);
1443 	memcpy(b, &hcon->resp_addr, 6);
1444 	a[6] = hcon->init_addr_type;
1445 	b[6] = hcon->resp_addr_type;
1446 
1447 	if (hcon->out) {
1448 		local_addr = a;
1449 		remote_addr = b;
1450 		memcpy(io_cap, &smp->preq[1], 3);
1451 	} else {
1452 		local_addr = b;
1453 		remote_addr = a;
1454 		memcpy(io_cap, &smp->prsp[1], 3);
1455 	}
1456 
1457 	memset(r, 0, sizeof(r));
1458 
1459 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1460 		put_unaligned_le32(hcon->passkey_notify, r);
1461 
1462 	if (smp->method == REQ_OOB)
1463 		memcpy(r, smp->rr, 16);
1464 
1465 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1466 	       local_addr, remote_addr, check.e);
1467 
1468 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1469 }
1470 
sc_passkey_send_confirm(struct smp_chan * smp)1471 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1472 {
1473 	struct l2cap_conn *conn = smp->conn;
1474 	struct hci_conn *hcon = conn->hcon;
1475 	struct smp_cmd_pairing_confirm cfm;
1476 	u8 r;
1477 
1478 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479 	r |= 0x80;
1480 
1481 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1482 
1483 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1484 		   cfm.confirm_val))
1485 		return SMP_UNSPECIFIED;
1486 
1487 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1488 
1489 	return 0;
1490 }
1491 
sc_passkey_round(struct smp_chan * smp,u8 smp_op)1492 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1493 {
1494 	struct l2cap_conn *conn = smp->conn;
1495 	struct hci_conn *hcon = conn->hcon;
1496 	struct hci_dev *hdev = hcon->hdev;
1497 	u8 cfm[16], r;
1498 
1499 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1500 	if (smp->passkey_round >= 20)
1501 		return 0;
1502 
1503 	switch (smp_op) {
1504 	case SMP_CMD_PAIRING_RANDOM:
1505 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1506 		r |= 0x80;
1507 
1508 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1509 			   smp->rrnd, r, cfm))
1510 			return SMP_UNSPECIFIED;
1511 
1512 		if (crypto_memneq(smp->pcnf, cfm, 16))
1513 			return SMP_CONFIRM_FAILED;
1514 
1515 		smp->passkey_round++;
1516 
1517 		if (smp->passkey_round == 20) {
1518 			/* Generate MacKey and LTK */
1519 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1520 				return SMP_UNSPECIFIED;
1521 		}
1522 
1523 		/* The round is only complete when the initiator
1524 		 * receives pairing random.
1525 		 */
1526 		if (!hcon->out) {
1527 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1528 				     sizeof(smp->prnd), smp->prnd);
1529 			if (smp->passkey_round == 20)
1530 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1531 			else
1532 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1533 			return 0;
1534 		}
1535 
1536 		/* Start the next round */
1537 		if (smp->passkey_round != 20)
1538 			return sc_passkey_round(smp, 0);
1539 
1540 		/* Passkey rounds are complete - start DHKey Check */
1541 		sc_dhkey_check(smp);
1542 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1543 
1544 		break;
1545 
1546 	case SMP_CMD_PAIRING_CONFIRM:
1547 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1548 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1549 			return 0;
1550 		}
1551 
1552 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1553 
1554 		if (hcon->out) {
1555 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1556 				     sizeof(smp->prnd), smp->prnd);
1557 			return 0;
1558 		}
1559 
1560 		return sc_passkey_send_confirm(smp);
1561 
1562 	case SMP_CMD_PUBLIC_KEY:
1563 	default:
1564 		/* Initiating device starts the round */
1565 		if (!hcon->out)
1566 			return 0;
1567 
1568 		BT_DBG("%s Starting passkey round %u", hdev->name,
1569 		       smp->passkey_round + 1);
1570 
1571 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1572 
1573 		return sc_passkey_send_confirm(smp);
1574 	}
1575 
1576 	return 0;
1577 }
1578 
sc_user_reply(struct smp_chan * smp,u16 mgmt_op,__le32 passkey)1579 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1580 {
1581 	struct l2cap_conn *conn = smp->conn;
1582 	struct hci_conn *hcon = conn->hcon;
1583 	u8 smp_op;
1584 
1585 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1586 
1587 	switch (mgmt_op) {
1588 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1589 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1590 		return 0;
1591 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1592 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1593 		return 0;
1594 	case MGMT_OP_USER_PASSKEY_REPLY:
1595 		hcon->passkey_notify = le32_to_cpu(passkey);
1596 		smp->passkey_round = 0;
1597 
1598 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1599 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1600 		else
1601 			smp_op = 0;
1602 
1603 		if (sc_passkey_round(smp, smp_op))
1604 			return -EIO;
1605 
1606 		return 0;
1607 	}
1608 
1609 	/* Initiator sends DHKey check first */
1610 	if (hcon->out) {
1611 		sc_dhkey_check(smp);
1612 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1613 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1614 		sc_dhkey_check(smp);
1615 		sc_add_ltk(smp);
1616 	}
1617 
1618 	return 0;
1619 }
1620 
smp_user_confirm_reply(struct hci_conn * hcon,u16 mgmt_op,__le32 passkey)1621 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1622 {
1623 	struct l2cap_conn *conn = hcon->l2cap_data;
1624 	struct l2cap_chan *chan;
1625 	struct smp_chan *smp;
1626 	u32 value;
1627 	int err;
1628 
1629 	BT_DBG("");
1630 
1631 	if (!conn)
1632 		return -ENOTCONN;
1633 
1634 	chan = conn->smp;
1635 	if (!chan)
1636 		return -ENOTCONN;
1637 
1638 	l2cap_chan_lock(chan);
1639 	if (!chan->data) {
1640 		err = -ENOTCONN;
1641 		goto unlock;
1642 	}
1643 
1644 	smp = chan->data;
1645 
1646 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1647 		err = sc_user_reply(smp, mgmt_op, passkey);
1648 		goto unlock;
1649 	}
1650 
1651 	switch (mgmt_op) {
1652 	case MGMT_OP_USER_PASSKEY_REPLY:
1653 		value = le32_to_cpu(passkey);
1654 		memset(smp->tk, 0, sizeof(smp->tk));
1655 		BT_DBG("PassKey: %d", value);
1656 		put_unaligned_le32(value, smp->tk);
1657 		fallthrough;
1658 	case MGMT_OP_USER_CONFIRM_REPLY:
1659 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1660 		break;
1661 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1662 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1663 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1664 		err = 0;
1665 		goto unlock;
1666 	default:
1667 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668 		err = -EOPNOTSUPP;
1669 		goto unlock;
1670 	}
1671 
1672 	err = 0;
1673 
1674 	/* If it is our turn to send Pairing Confirm, do so now */
1675 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1676 		u8 rsp = smp_confirm(smp);
1677 		if (rsp)
1678 			smp_failure(conn, rsp);
1679 	}
1680 
1681 unlock:
1682 	l2cap_chan_unlock(chan);
1683 	return err;
1684 }
1685 
build_bredr_pairing_cmd(struct smp_chan * smp,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp)1686 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1687 				    struct smp_cmd_pairing *req,
1688 				    struct smp_cmd_pairing *rsp)
1689 {
1690 	struct l2cap_conn *conn = smp->conn;
1691 	struct hci_dev *hdev = conn->hcon->hdev;
1692 	u8 local_dist = 0, remote_dist = 0;
1693 
1694 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1695 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1697 	}
1698 
1699 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1700 		remote_dist |= SMP_DIST_ID_KEY;
1701 
1702 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1703 		local_dist |= SMP_DIST_ID_KEY;
1704 
1705 	if (!rsp) {
1706 		memset(req, 0, sizeof(*req));
1707 
1708 		req->auth_req        = SMP_AUTH_CT2;
1709 		req->init_key_dist   = local_dist;
1710 		req->resp_key_dist   = remote_dist;
1711 		req->max_key_size    = conn->hcon->enc_key_size;
1712 
1713 		smp->remote_key_dist = remote_dist;
1714 
1715 		return;
1716 	}
1717 
1718 	memset(rsp, 0, sizeof(*rsp));
1719 
1720 	rsp->auth_req        = SMP_AUTH_CT2;
1721 	rsp->max_key_size    = conn->hcon->enc_key_size;
1722 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1723 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1724 
1725 	smp->remote_key_dist = rsp->init_key_dist;
1726 }
1727 
smp_cmd_pairing_req(struct l2cap_conn * conn,struct sk_buff * skb)1728 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1729 {
1730 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1731 	struct l2cap_chan *chan = conn->smp;
1732 	struct hci_dev *hdev = conn->hcon->hdev;
1733 	struct smp_chan *smp;
1734 	u8 key_size, auth, sec_level;
1735 	int ret;
1736 
1737 	BT_DBG("conn %p", conn);
1738 
1739 	if (skb->len < sizeof(*req))
1740 		return SMP_INVALID_PARAMS;
1741 
1742 	if (conn->hcon->role != HCI_ROLE_SLAVE)
1743 		return SMP_CMD_NOTSUPP;
1744 
1745 	if (!chan->data)
1746 		smp = smp_chan_create(conn);
1747 	else
1748 		smp = chan->data;
1749 
1750 	if (!smp)
1751 		return SMP_UNSPECIFIED;
1752 
1753 	/* We didn't start the pairing, so match remote */
1754 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1755 
1756 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1757 	    (auth & SMP_AUTH_BONDING))
1758 		return SMP_PAIRING_NOTSUPP;
1759 
1760 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1761 		return SMP_AUTH_REQUIREMENTS;
1762 
1763 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1764 	memcpy(&smp->preq[1], req, sizeof(*req));
1765 	skb_pull(skb, sizeof(*req));
1766 
1767 	/* If the remote side's OOB flag is set it means it has
1768 	 * successfully received our local OOB data - therefore set the
1769 	 * flag to indicate that local OOB is in use.
1770 	 */
1771 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1772 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1773 
1774 	/* SMP over BR/EDR requires special treatment */
1775 	if (conn->hcon->type == ACL_LINK) {
1776 		/* We must have a BR/EDR SC link */
1777 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1778 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1779 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1780 
1781 		set_bit(SMP_FLAG_SC, &smp->flags);
1782 
1783 		build_bredr_pairing_cmd(smp, req, &rsp);
1784 
1785 		if (req->auth_req & SMP_AUTH_CT2)
1786 			set_bit(SMP_FLAG_CT2, &smp->flags);
1787 
1788 		key_size = min(req->max_key_size, rsp.max_key_size);
1789 		if (check_enc_key_size(conn, key_size))
1790 			return SMP_ENC_KEY_SIZE;
1791 
1792 		/* Clear bits which are generated but not distributed */
1793 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1794 
1795 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1796 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1797 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1798 
1799 		smp_distribute_keys(smp);
1800 		return 0;
1801 	}
1802 
1803 	build_pairing_cmd(conn, req, &rsp, auth);
1804 
1805 	if (rsp.auth_req & SMP_AUTH_SC) {
1806 		set_bit(SMP_FLAG_SC, &smp->flags);
1807 
1808 		if (rsp.auth_req & SMP_AUTH_CT2)
1809 			set_bit(SMP_FLAG_CT2, &smp->flags);
1810 	}
1811 
1812 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1813 		sec_level = BT_SECURITY_MEDIUM;
1814 	else
1815 		sec_level = authreq_to_seclevel(auth);
1816 
1817 	if (sec_level > conn->hcon->pending_sec_level)
1818 		conn->hcon->pending_sec_level = sec_level;
1819 
1820 	/* If we need MITM check that it can be achieved */
1821 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1822 		u8 method;
1823 
1824 		method = get_auth_method(smp, conn->hcon->io_capability,
1825 					 req->io_capability);
1826 		if (method == JUST_WORKS || method == JUST_CFM)
1827 			return SMP_AUTH_REQUIREMENTS;
1828 	}
1829 
1830 	key_size = min(req->max_key_size, rsp.max_key_size);
1831 	if (check_enc_key_size(conn, key_size))
1832 		return SMP_ENC_KEY_SIZE;
1833 
1834 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1835 
1836 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1837 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1838 
1839 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1840 
1841 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1842 
1843 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1844 	 * SC case, however some implementations incorrectly copy RFU auth
1845 	 * req bits from our security request, which may create a false
1846 	 * positive SC enablement.
1847 	 */
1848 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1849 
1850 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1851 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1852 		/* Clear bits which are generated but not distributed */
1853 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1854 		/* Wait for Public Key from Initiating Device */
1855 		return 0;
1856 	}
1857 
1858 	/* Request setup of TK */
1859 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1860 	if (ret)
1861 		return SMP_UNSPECIFIED;
1862 
1863 	return 0;
1864 }
1865 
sc_send_public_key(struct smp_chan * smp)1866 static u8 sc_send_public_key(struct smp_chan *smp)
1867 {
1868 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1869 
1870 	bt_dev_dbg(hdev, "");
1871 
1872 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1873 		struct l2cap_chan *chan = hdev->smp_data;
1874 		struct smp_dev *smp_dev;
1875 
1876 		if (!chan || !chan->data)
1877 			return SMP_UNSPECIFIED;
1878 
1879 		smp_dev = chan->data;
1880 
1881 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1882 		memcpy(smp->lr, smp_dev->local_rand, 16);
1883 
1884 		if (smp_dev->debug_key)
1885 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1886 
1887 		goto done;
1888 	}
1889 
1890 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1891 		BT_DBG("Using debug keys");
1892 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1893 			return SMP_UNSPECIFIED;
1894 		memcpy(smp->local_pk, debug_pk, 64);
1895 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896 	} else {
1897 		while (true) {
1898 			/* Generate key pair for Secure Connections */
1899 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1900 				return SMP_UNSPECIFIED;
1901 
1902 			/* This is unlikely, but we need to check that
1903 			 * we didn't accidentially generate a debug key.
1904 			 */
1905 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1906 				break;
1907 		}
1908 	}
1909 
1910 done:
1911 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1912 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1913 
1914 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1915 
1916 	return 0;
1917 }
1918 
smp_cmd_pairing_rsp(struct l2cap_conn * conn,struct sk_buff * skb)1919 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1920 {
1921 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1922 	struct l2cap_chan *chan = conn->smp;
1923 	struct smp_chan *smp = chan->data;
1924 	struct hci_dev *hdev = conn->hcon->hdev;
1925 	u8 key_size, auth;
1926 	int ret;
1927 
1928 	BT_DBG("conn %p", conn);
1929 
1930 	if (skb->len < sizeof(*rsp))
1931 		return SMP_INVALID_PARAMS;
1932 
1933 	if (conn->hcon->role != HCI_ROLE_MASTER)
1934 		return SMP_CMD_NOTSUPP;
1935 
1936 	skb_pull(skb, sizeof(*rsp));
1937 
1938 	req = (void *) &smp->preq[1];
1939 
1940 	key_size = min(req->max_key_size, rsp->max_key_size);
1941 	if (check_enc_key_size(conn, key_size))
1942 		return SMP_ENC_KEY_SIZE;
1943 
1944 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1945 
1946 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1947 		return SMP_AUTH_REQUIREMENTS;
1948 
1949 	/* If the remote side's OOB flag is set it means it has
1950 	 * successfully received our local OOB data - therefore set the
1951 	 * flag to indicate that local OOB is in use.
1952 	 */
1953 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1954 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1955 
1956 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1957 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1958 
1959 	/* Update remote key distribution in case the remote cleared
1960 	 * some bits that we had enabled in our request.
1961 	 */
1962 	smp->remote_key_dist &= rsp->resp_key_dist;
1963 
1964 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1965 		set_bit(SMP_FLAG_CT2, &smp->flags);
1966 
1967 	/* For BR/EDR this means we're done and can start phase 3 */
1968 	if (conn->hcon->type == ACL_LINK) {
1969 		/* Clear bits which are generated but not distributed */
1970 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1971 		smp_distribute_keys(smp);
1972 		return 0;
1973 	}
1974 
1975 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1976 		set_bit(SMP_FLAG_SC, &smp->flags);
1977 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1978 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1979 
1980 	/* If we need MITM check that it can be achieved */
1981 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1982 		u8 method;
1983 
1984 		method = get_auth_method(smp, req->io_capability,
1985 					 rsp->io_capability);
1986 		if (method == JUST_WORKS || method == JUST_CFM)
1987 			return SMP_AUTH_REQUIREMENTS;
1988 	}
1989 
1990 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1991 
1992 	/* Update remote key distribution in case the remote cleared
1993 	 * some bits that we had enabled in our request.
1994 	 */
1995 	smp->remote_key_dist &= rsp->resp_key_dist;
1996 
1997 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1998 		/* Clear bits which are generated but not distributed */
1999 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2000 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2001 		return sc_send_public_key(smp);
2002 	}
2003 
2004 	auth |= req->auth_req;
2005 
2006 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2007 	if (ret)
2008 		return SMP_UNSPECIFIED;
2009 
2010 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2011 
2012 	/* Can't compose response until we have been confirmed */
2013 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2014 		return smp_confirm(smp);
2015 
2016 	return 0;
2017 }
2018 
sc_check_confirm(struct smp_chan * smp)2019 static u8 sc_check_confirm(struct smp_chan *smp)
2020 {
2021 	struct l2cap_conn *conn = smp->conn;
2022 
2023 	BT_DBG("");
2024 
2025 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2026 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2027 
2028 	if (conn->hcon->out) {
2029 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2030 			     smp->prnd);
2031 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2032 	}
2033 
2034 	return 0;
2035 }
2036 
2037 /* Work-around for some implementations that incorrectly copy RFU bits
2038  * from our security request and thereby create the impression that
2039  * we're doing SC when in fact the remote doesn't support it.
2040  */
fixup_sc_false_positive(struct smp_chan * smp)2041 static int fixup_sc_false_positive(struct smp_chan *smp)
2042 {
2043 	struct l2cap_conn *conn = smp->conn;
2044 	struct hci_conn *hcon = conn->hcon;
2045 	struct hci_dev *hdev = hcon->hdev;
2046 	struct smp_cmd_pairing *req, *rsp;
2047 	u8 auth;
2048 
2049 	/* The issue is only observed when we're in slave role */
2050 	if (hcon->out)
2051 		return SMP_UNSPECIFIED;
2052 
2053 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2054 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2055 		return SMP_UNSPECIFIED;
2056 	}
2057 
2058 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2059 
2060 	req = (void *) &smp->preq[1];
2061 	rsp = (void *) &smp->prsp[1];
2062 
2063 	/* Rebuild key dist flags which may have been cleared for SC */
2064 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2065 
2066 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2067 
2068 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2069 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2070 		return SMP_UNSPECIFIED;
2071 	}
2072 
2073 	clear_bit(SMP_FLAG_SC, &smp->flags);
2074 
2075 	return 0;
2076 }
2077 
smp_cmd_pairing_confirm(struct l2cap_conn * conn,struct sk_buff * skb)2078 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2079 {
2080 	struct l2cap_chan *chan = conn->smp;
2081 	struct smp_chan *smp = chan->data;
2082 
2083 	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2084 
2085 	if (skb->len < sizeof(smp->pcnf))
2086 		return SMP_INVALID_PARAMS;
2087 
2088 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2089 	skb_pull(skb, sizeof(smp->pcnf));
2090 
2091 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2092 		int ret;
2093 
2094 		/* Public Key exchange must happen before any other steps */
2095 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2096 			return sc_check_confirm(smp);
2097 
2098 		BT_ERR("Unexpected SMP Pairing Confirm");
2099 
2100 		ret = fixup_sc_false_positive(smp);
2101 		if (ret)
2102 			return ret;
2103 	}
2104 
2105 	if (conn->hcon->out) {
2106 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2107 			     smp->prnd);
2108 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2109 		return 0;
2110 	}
2111 
2112 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2113 		return smp_confirm(smp);
2114 
2115 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2116 
2117 	return 0;
2118 }
2119 
smp_cmd_pairing_random(struct l2cap_conn * conn,struct sk_buff * skb)2120 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2121 {
2122 	struct l2cap_chan *chan = conn->smp;
2123 	struct smp_chan *smp = chan->data;
2124 	struct hci_conn *hcon = conn->hcon;
2125 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2126 	u32 passkey;
2127 	int err;
2128 
2129 	BT_DBG("conn %p", conn);
2130 
2131 	if (skb->len < sizeof(smp->rrnd))
2132 		return SMP_INVALID_PARAMS;
2133 
2134 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2135 	skb_pull(skb, sizeof(smp->rrnd));
2136 
2137 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2138 		return smp_random(smp);
2139 
2140 	if (hcon->out) {
2141 		pkax = smp->local_pk;
2142 		pkbx = smp->remote_pk;
2143 		na   = smp->prnd;
2144 		nb   = smp->rrnd;
2145 	} else {
2146 		pkax = smp->remote_pk;
2147 		pkbx = smp->local_pk;
2148 		na   = smp->rrnd;
2149 		nb   = smp->prnd;
2150 	}
2151 
2152 	if (smp->method == REQ_OOB) {
2153 		if (!hcon->out)
2154 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2155 				     sizeof(smp->prnd), smp->prnd);
2156 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2157 		goto mackey_and_ltk;
2158 	}
2159 
2160 	/* Passkey entry has special treatment */
2161 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2162 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2163 
2164 	if (hcon->out) {
2165 		u8 cfm[16];
2166 
2167 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2168 			     smp->rrnd, 0, cfm);
2169 		if (err)
2170 			return SMP_UNSPECIFIED;
2171 
2172 		if (crypto_memneq(smp->pcnf, cfm, 16))
2173 			return SMP_CONFIRM_FAILED;
2174 	} else {
2175 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2176 			     smp->prnd);
2177 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2178 
2179 		/* Only Just-Works pairing requires extra checks */
2180 		if (smp->method != JUST_WORKS)
2181 			goto mackey_and_ltk;
2182 
2183 		/* If there already exists long term key in local host, leave
2184 		 * the decision to user space since the remote device could
2185 		 * be legitimate or malicious.
2186 		 */
2187 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2188 				 hcon->role)) {
2189 			/* Set passkey to 0. The value can be any number since
2190 			 * it'll be ignored anyway.
2191 			 */
2192 			passkey = 0;
2193 			confirm_hint = 1;
2194 			goto confirm;
2195 		}
2196 	}
2197 
2198 mackey_and_ltk:
2199 	/* Generate MacKey and LTK */
2200 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2201 	if (err)
2202 		return SMP_UNSPECIFIED;
2203 
2204 	if (smp->method == REQ_OOB) {
2205 		if (hcon->out) {
2206 			sc_dhkey_check(smp);
2207 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2208 		}
2209 		return 0;
2210 	}
2211 
2212 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2213 	if (err)
2214 		return SMP_UNSPECIFIED;
2215 
2216 	confirm_hint = 0;
2217 
2218 confirm:
2219 	if (smp->method == JUST_WORKS)
2220 		confirm_hint = 1;
2221 
2222 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2223 					hcon->dst_type, passkey, confirm_hint);
2224 	if (err)
2225 		return SMP_UNSPECIFIED;
2226 
2227 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2228 
2229 	return 0;
2230 }
2231 
smp_ltk_encrypt(struct l2cap_conn * conn,u8 sec_level)2232 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2233 {
2234 	struct smp_ltk *key;
2235 	struct hci_conn *hcon = conn->hcon;
2236 
2237 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2238 	if (!key)
2239 		return false;
2240 
2241 	if (smp_ltk_sec_level(key) < sec_level)
2242 		return false;
2243 
2244 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2245 		return true;
2246 
2247 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2248 	hcon->enc_key_size = key->enc_size;
2249 
2250 	/* We never store STKs for master role, so clear this flag */
2251 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2252 
2253 	return true;
2254 }
2255 
smp_sufficient_security(struct hci_conn * hcon,u8 sec_level,enum smp_key_pref key_pref)2256 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2257 			     enum smp_key_pref key_pref)
2258 {
2259 	if (sec_level == BT_SECURITY_LOW)
2260 		return true;
2261 
2262 	/* If we're encrypted with an STK but the caller prefers using
2263 	 * LTK claim insufficient security. This way we allow the
2264 	 * connection to be re-encrypted with an LTK, even if the LTK
2265 	 * provides the same level of security. Only exception is if we
2266 	 * don't have an LTK (e.g. because of key distribution bits).
2267 	 */
2268 	if (key_pref == SMP_USE_LTK &&
2269 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2270 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2271 		return false;
2272 
2273 	if (hcon->sec_level >= sec_level)
2274 		return true;
2275 
2276 	return false;
2277 }
2278 
smp_cmd_security_req(struct l2cap_conn * conn,struct sk_buff * skb)2279 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2280 {
2281 	struct smp_cmd_security_req *rp = (void *) skb->data;
2282 	struct smp_cmd_pairing cp;
2283 	struct hci_conn *hcon = conn->hcon;
2284 	struct hci_dev *hdev = hcon->hdev;
2285 	struct smp_chan *smp;
2286 	u8 sec_level, auth;
2287 
2288 	BT_DBG("conn %p", conn);
2289 
2290 	if (skb->len < sizeof(*rp))
2291 		return SMP_INVALID_PARAMS;
2292 
2293 	if (hcon->role != HCI_ROLE_MASTER)
2294 		return SMP_CMD_NOTSUPP;
2295 
2296 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2297 
2298 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2299 		return SMP_AUTH_REQUIREMENTS;
2300 
2301 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2302 		sec_level = BT_SECURITY_MEDIUM;
2303 	else
2304 		sec_level = authreq_to_seclevel(auth);
2305 
2306 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2307 		/* If link is already encrypted with sufficient security we
2308 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2309 		 * Part H 2.4.6
2310 		 */
2311 		smp_ltk_encrypt(conn, hcon->sec_level);
2312 		return 0;
2313 	}
2314 
2315 	if (sec_level > hcon->pending_sec_level)
2316 		hcon->pending_sec_level = sec_level;
2317 
2318 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2319 		return 0;
2320 
2321 	smp = smp_chan_create(conn);
2322 	if (!smp)
2323 		return SMP_UNSPECIFIED;
2324 
2325 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2326 	    (auth & SMP_AUTH_BONDING))
2327 		return SMP_PAIRING_NOTSUPP;
2328 
2329 	skb_pull(skb, sizeof(*rp));
2330 
2331 	memset(&cp, 0, sizeof(cp));
2332 	build_pairing_cmd(conn, &cp, NULL, auth);
2333 
2334 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2335 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2336 
2337 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2338 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2339 
2340 	return 0;
2341 }
2342 
smp_conn_security(struct hci_conn * hcon,__u8 sec_level)2343 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2344 {
2345 	struct l2cap_conn *conn = hcon->l2cap_data;
2346 	struct l2cap_chan *chan;
2347 	struct smp_chan *smp;
2348 	__u8 authreq;
2349 	int ret;
2350 
2351 	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2352 
2353 	/* This may be NULL if there's an unexpected disconnection */
2354 	if (!conn)
2355 		return 1;
2356 
2357 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2358 		return 1;
2359 
2360 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2361 		return 1;
2362 
2363 	if (sec_level > hcon->pending_sec_level)
2364 		hcon->pending_sec_level = sec_level;
2365 
2366 	if (hcon->role == HCI_ROLE_MASTER)
2367 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2368 			return 0;
2369 
2370 	chan = conn->smp;
2371 	if (!chan) {
2372 		bt_dev_err(hcon->hdev, "security requested but not available");
2373 		return 1;
2374 	}
2375 
2376 	l2cap_chan_lock(chan);
2377 
2378 	/* If SMP is already in progress ignore this request */
2379 	if (chan->data) {
2380 		ret = 0;
2381 		goto unlock;
2382 	}
2383 
2384 	smp = smp_chan_create(conn);
2385 	if (!smp) {
2386 		ret = 1;
2387 		goto unlock;
2388 	}
2389 
2390 	authreq = seclevel_to_authreq(sec_level);
2391 
2392 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2393 		authreq |= SMP_AUTH_SC;
2394 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2395 			authreq |= SMP_AUTH_CT2;
2396 	}
2397 
2398 	/* Don't attempt to set MITM if setting is overridden by debugfs
2399 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2400 	 */
2401 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2402 		/* Require MITM if IO Capability allows or the security level
2403 		 * requires it.
2404 		 */
2405 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2406 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2407 			authreq |= SMP_AUTH_MITM;
2408 	}
2409 
2410 	if (hcon->role == HCI_ROLE_MASTER) {
2411 		struct smp_cmd_pairing cp;
2412 
2413 		build_pairing_cmd(conn, &cp, NULL, authreq);
2414 		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2415 		memcpy(&smp->preq[1], &cp, sizeof(cp));
2416 
2417 		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2418 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2419 	} else {
2420 		struct smp_cmd_security_req cp;
2421 		cp.auth_req = authreq;
2422 		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2423 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2424 	}
2425 
2426 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2427 	ret = 0;
2428 
2429 unlock:
2430 	l2cap_chan_unlock(chan);
2431 	return ret;
2432 }
2433 
smp_cancel_and_remove_pairing(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type)2434 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2435 				  u8 addr_type)
2436 {
2437 	struct hci_conn *hcon;
2438 	struct l2cap_conn *conn;
2439 	struct l2cap_chan *chan;
2440 	struct smp_chan *smp;
2441 	int err;
2442 
2443 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2444 	hci_remove_irk(hdev, bdaddr, addr_type);
2445 
2446 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2447 	if (!hcon)
2448 		goto done;
2449 
2450 	conn = hcon->l2cap_data;
2451 	if (!conn)
2452 		goto done;
2453 
2454 	chan = conn->smp;
2455 	if (!chan)
2456 		goto done;
2457 
2458 	l2cap_chan_lock(chan);
2459 
2460 	smp = chan->data;
2461 	if (smp) {
2462 		/* Set keys to NULL to make sure smp_failure() does not try to
2463 		 * remove and free already invalidated rcu list entries. */
2464 		smp->ltk = NULL;
2465 		smp->slave_ltk = NULL;
2466 		smp->remote_irk = NULL;
2467 
2468 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2469 			smp_failure(conn, 0);
2470 		else
2471 			smp_failure(conn, SMP_UNSPECIFIED);
2472 		err = 0;
2473 	}
2474 
2475 	l2cap_chan_unlock(chan);
2476 
2477 done:
2478 	return err;
2479 }
2480 
smp_cmd_encrypt_info(struct l2cap_conn * conn,struct sk_buff * skb)2481 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2482 {
2483 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2484 	struct l2cap_chan *chan = conn->smp;
2485 	struct smp_chan *smp = chan->data;
2486 
2487 	BT_DBG("conn %p", conn);
2488 
2489 	if (skb->len < sizeof(*rp))
2490 		return SMP_INVALID_PARAMS;
2491 
2492 	/* Pairing is aborted if any blocked keys are distributed */
2493 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2494 			       rp->ltk)) {
2495 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2496 					"LTK blocked for %pMR",
2497 					&conn->hcon->dst);
2498 		return SMP_INVALID_PARAMS;
2499 	}
2500 
2501 	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2502 
2503 	skb_pull(skb, sizeof(*rp));
2504 
2505 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2506 
2507 	return 0;
2508 }
2509 
smp_cmd_master_ident(struct l2cap_conn * conn,struct sk_buff * skb)2510 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2511 {
2512 	struct smp_cmd_master_ident *rp = (void *) skb->data;
2513 	struct l2cap_chan *chan = conn->smp;
2514 	struct smp_chan *smp = chan->data;
2515 	struct hci_dev *hdev = conn->hcon->hdev;
2516 	struct hci_conn *hcon = conn->hcon;
2517 	struct smp_ltk *ltk;
2518 	u8 authenticated;
2519 
2520 	BT_DBG("conn %p", conn);
2521 
2522 	if (skb->len < sizeof(*rp))
2523 		return SMP_INVALID_PARAMS;
2524 
2525 	/* Mark the information as received */
2526 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2527 
2528 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2529 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2530 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2531 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2532 
2533 	skb_pull(skb, sizeof(*rp));
2534 
2535 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2536 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2537 			  authenticated, smp->tk, smp->enc_key_size,
2538 			  rp->ediv, rp->rand);
2539 	smp->ltk = ltk;
2540 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2541 		smp_distribute_keys(smp);
2542 
2543 	return 0;
2544 }
2545 
smp_cmd_ident_info(struct l2cap_conn * conn,struct sk_buff * skb)2546 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2547 {
2548 	struct smp_cmd_ident_info *info = (void *) skb->data;
2549 	struct l2cap_chan *chan = conn->smp;
2550 	struct smp_chan *smp = chan->data;
2551 
2552 	BT_DBG("");
2553 
2554 	if (skb->len < sizeof(*info))
2555 		return SMP_INVALID_PARAMS;
2556 
2557 	/* Pairing is aborted if any blocked keys are distributed */
2558 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2559 			       info->irk)) {
2560 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2561 					"Identity key blocked for %pMR",
2562 					&conn->hcon->dst);
2563 		return SMP_INVALID_PARAMS;
2564 	}
2565 
2566 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2567 
2568 	skb_pull(skb, sizeof(*info));
2569 
2570 	memcpy(smp->irk, info->irk, 16);
2571 
2572 	return 0;
2573 }
2574 
smp_cmd_ident_addr_info(struct l2cap_conn * conn,struct sk_buff * skb)2575 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2576 				   struct sk_buff *skb)
2577 {
2578 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2579 	struct l2cap_chan *chan = conn->smp;
2580 	struct smp_chan *smp = chan->data;
2581 	struct hci_conn *hcon = conn->hcon;
2582 	bdaddr_t rpa;
2583 
2584 	BT_DBG("");
2585 
2586 	if (skb->len < sizeof(*info))
2587 		return SMP_INVALID_PARAMS;
2588 
2589 	/* Mark the information as received */
2590 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2591 
2592 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2593 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2594 
2595 	skb_pull(skb, sizeof(*info));
2596 
2597 	/* Strictly speaking the Core Specification (4.1) allows sending
2598 	 * an empty address which would force us to rely on just the IRK
2599 	 * as "identity information". However, since such
2600 	 * implementations are not known of and in order to not over
2601 	 * complicate our implementation, simply pretend that we never
2602 	 * received an IRK for such a device.
2603 	 *
2604 	 * The Identity Address must also be a Static Random or Public
2605 	 * Address, which hci_is_identity_address() checks for.
2606 	 */
2607 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2608 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2609 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2610 		goto distribute;
2611 	}
2612 
2613 	/* Drop IRK if peer is using identity address during pairing but is
2614 	 * providing different address as identity information.
2615 	 *
2616 	 * Microsoft Surface Precision Mouse is known to have this bug.
2617 	 */
2618 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2619 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2620 	     info->addr_type != hcon->dst_type)) {
2621 		bt_dev_err(hcon->hdev,
2622 			   "ignoring IRK with invalid identity address");
2623 		goto distribute;
2624 	}
2625 
2626 	bacpy(&smp->id_addr, &info->bdaddr);
2627 	smp->id_addr_type = info->addr_type;
2628 
2629 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2630 		bacpy(&rpa, &hcon->dst);
2631 	else
2632 		bacpy(&rpa, BDADDR_ANY);
2633 
2634 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2635 				      smp->id_addr_type, smp->irk, &rpa);
2636 
2637 distribute:
2638 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2639 		smp_distribute_keys(smp);
2640 
2641 	return 0;
2642 }
2643 
smp_cmd_sign_info(struct l2cap_conn * conn,struct sk_buff * skb)2644 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2645 {
2646 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2647 	struct l2cap_chan *chan = conn->smp;
2648 	struct smp_chan *smp = chan->data;
2649 	struct smp_csrk *csrk;
2650 
2651 	BT_DBG("conn %p", conn);
2652 
2653 	if (skb->len < sizeof(*rp))
2654 		return SMP_INVALID_PARAMS;
2655 
2656 	/* Mark the information as received */
2657 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2658 
2659 	skb_pull(skb, sizeof(*rp));
2660 
2661 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2662 	if (csrk) {
2663 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2664 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2665 		else
2666 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2667 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2668 	}
2669 	smp->csrk = csrk;
2670 	smp_distribute_keys(smp);
2671 
2672 	return 0;
2673 }
2674 
sc_select_method(struct smp_chan * smp)2675 static u8 sc_select_method(struct smp_chan *smp)
2676 {
2677 	struct l2cap_conn *conn = smp->conn;
2678 	struct hci_conn *hcon = conn->hcon;
2679 	struct smp_cmd_pairing *local, *remote;
2680 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2681 
2682 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2683 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2684 		return REQ_OOB;
2685 
2686 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2687 	 * which are needed as inputs to some crypto functions. To get
2688 	 * the "struct smp_cmd_pairing" from them we need to skip the
2689 	 * first byte which contains the opcode.
2690 	 */
2691 	if (hcon->out) {
2692 		local = (void *) &smp->preq[1];
2693 		remote = (void *) &smp->prsp[1];
2694 	} else {
2695 		local = (void *) &smp->prsp[1];
2696 		remote = (void *) &smp->preq[1];
2697 	}
2698 
2699 	local_io = local->io_capability;
2700 	remote_io = remote->io_capability;
2701 
2702 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2703 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2704 
2705 	/* If either side wants MITM, look up the method from the table,
2706 	 * otherwise use JUST WORKS.
2707 	 */
2708 	if (local_mitm || remote_mitm)
2709 		method = get_auth_method(smp, local_io, remote_io);
2710 	else
2711 		method = JUST_WORKS;
2712 
2713 	/* Don't confirm locally initiated pairing attempts */
2714 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2715 		method = JUST_WORKS;
2716 
2717 	return method;
2718 }
2719 
smp_cmd_public_key(struct l2cap_conn * conn,struct sk_buff * skb)2720 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2721 {
2722 	struct smp_cmd_public_key *key = (void *) skb->data;
2723 	struct hci_conn *hcon = conn->hcon;
2724 	struct l2cap_chan *chan = conn->smp;
2725 	struct smp_chan *smp = chan->data;
2726 	struct hci_dev *hdev = hcon->hdev;
2727 	struct crypto_kpp *tfm_ecdh;
2728 	struct smp_cmd_pairing_confirm cfm;
2729 	int err;
2730 
2731 	BT_DBG("conn %p", conn);
2732 
2733 	if (skb->len < sizeof(*key))
2734 		return SMP_INVALID_PARAMS;
2735 
2736 	/* Check if remote and local public keys are the same and debug key is
2737 	 * not in use.
2738 	 */
2739 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2740 	    !crypto_memneq(key, smp->local_pk, 64)) {
2741 		bt_dev_err(hdev, "Remote and local public keys are identical");
2742 		return SMP_UNSPECIFIED;
2743 	}
2744 
2745 	memcpy(smp->remote_pk, key, 64);
2746 
2747 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2748 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2749 			     smp->rr, 0, cfm.confirm_val);
2750 		if (err)
2751 			return SMP_UNSPECIFIED;
2752 
2753 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2754 			return SMP_CONFIRM_FAILED;
2755 	}
2756 
2757 	/* Non-initiating device sends its public key after receiving
2758 	 * the key from the initiating device.
2759 	 */
2760 	if (!hcon->out) {
2761 		err = sc_send_public_key(smp);
2762 		if (err)
2763 			return err;
2764 	}
2765 
2766 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2767 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2768 
2769 	/* Compute the shared secret on the same crypto tfm on which the private
2770 	 * key was set/generated.
2771 	 */
2772 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2773 		struct l2cap_chan *hchan = hdev->smp_data;
2774 		struct smp_dev *smp_dev;
2775 
2776 		if (!hchan || !hchan->data)
2777 			return SMP_UNSPECIFIED;
2778 
2779 		smp_dev = hchan->data;
2780 
2781 		tfm_ecdh = smp_dev->tfm_ecdh;
2782 	} else {
2783 		tfm_ecdh = smp->tfm_ecdh;
2784 	}
2785 
2786 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2787 		return SMP_UNSPECIFIED;
2788 
2789 	SMP_DBG("DHKey %32phN", smp->dhkey);
2790 
2791 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2792 
2793 	smp->method = sc_select_method(smp);
2794 
2795 	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2796 
2797 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2798 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2799 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2800 	else
2801 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2802 
2803 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2804 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2805 
2806 	if (smp->method == DSP_PASSKEY) {
2807 		get_random_bytes(&hcon->passkey_notify,
2808 				 sizeof(hcon->passkey_notify));
2809 		hcon->passkey_notify %= 1000000;
2810 		hcon->passkey_entered = 0;
2811 		smp->passkey_round = 0;
2812 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2813 					     hcon->dst_type,
2814 					     hcon->passkey_notify,
2815 					     hcon->passkey_entered))
2816 			return SMP_UNSPECIFIED;
2817 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2818 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2819 	}
2820 
2821 	if (smp->method == REQ_OOB) {
2822 		if (hcon->out)
2823 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2824 				     sizeof(smp->prnd), smp->prnd);
2825 
2826 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2827 
2828 		return 0;
2829 	}
2830 
2831 	if (hcon->out)
2832 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2833 
2834 	if (smp->method == REQ_PASSKEY) {
2835 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2836 					      hcon->dst_type))
2837 			return SMP_UNSPECIFIED;
2838 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2839 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2840 		return 0;
2841 	}
2842 
2843 	/* The Initiating device waits for the non-initiating device to
2844 	 * send the confirm value.
2845 	 */
2846 	if (conn->hcon->out)
2847 		return 0;
2848 
2849 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2850 		     0, cfm.confirm_val);
2851 	if (err)
2852 		return SMP_UNSPECIFIED;
2853 
2854 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2855 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2856 
2857 	return 0;
2858 }
2859 
smp_cmd_dhkey_check(struct l2cap_conn * conn,struct sk_buff * skb)2860 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2861 {
2862 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2863 	struct l2cap_chan *chan = conn->smp;
2864 	struct hci_conn *hcon = conn->hcon;
2865 	struct smp_chan *smp = chan->data;
2866 	u8 a[7], b[7], *local_addr, *remote_addr;
2867 	u8 io_cap[3], r[16], e[16];
2868 	int err;
2869 
2870 	BT_DBG("conn %p", conn);
2871 
2872 	if (skb->len < sizeof(*check))
2873 		return SMP_INVALID_PARAMS;
2874 
2875 	memcpy(a, &hcon->init_addr, 6);
2876 	memcpy(b, &hcon->resp_addr, 6);
2877 	a[6] = hcon->init_addr_type;
2878 	b[6] = hcon->resp_addr_type;
2879 
2880 	if (hcon->out) {
2881 		local_addr = a;
2882 		remote_addr = b;
2883 		memcpy(io_cap, &smp->prsp[1], 3);
2884 	} else {
2885 		local_addr = b;
2886 		remote_addr = a;
2887 		memcpy(io_cap, &smp->preq[1], 3);
2888 	}
2889 
2890 	memset(r, 0, sizeof(r));
2891 
2892 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2893 		put_unaligned_le32(hcon->passkey_notify, r);
2894 	else if (smp->method == REQ_OOB)
2895 		memcpy(r, smp->lr, 16);
2896 
2897 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2898 		     io_cap, remote_addr, local_addr, e);
2899 	if (err)
2900 		return SMP_UNSPECIFIED;
2901 
2902 	if (crypto_memneq(check->e, e, 16))
2903 		return SMP_DHKEY_CHECK_FAILED;
2904 
2905 	if (!hcon->out) {
2906 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2907 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2908 			return 0;
2909 		}
2910 
2911 		/* Slave sends DHKey check as response to master */
2912 		sc_dhkey_check(smp);
2913 	}
2914 
2915 	sc_add_ltk(smp);
2916 
2917 	if (hcon->out) {
2918 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2919 		hcon->enc_key_size = smp->enc_key_size;
2920 	}
2921 
2922 	return 0;
2923 }
2924 
smp_cmd_keypress_notify(struct l2cap_conn * conn,struct sk_buff * skb)2925 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2926 				   struct sk_buff *skb)
2927 {
2928 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2929 
2930 	BT_DBG("value 0x%02x", kp->value);
2931 
2932 	return 0;
2933 }
2934 
smp_sig_channel(struct l2cap_chan * chan,struct sk_buff * skb)2935 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2936 {
2937 	struct l2cap_conn *conn = chan->conn;
2938 	struct hci_conn *hcon = conn->hcon;
2939 	struct smp_chan *smp;
2940 	__u8 code, reason;
2941 	int err = 0;
2942 
2943 	if (skb->len < 1)
2944 		return -EILSEQ;
2945 
2946 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2947 		reason = SMP_PAIRING_NOTSUPP;
2948 		goto done;
2949 	}
2950 
2951 	code = skb->data[0];
2952 	skb_pull(skb, sizeof(code));
2953 
2954 	smp = chan->data;
2955 
2956 	if (code > SMP_CMD_MAX)
2957 		goto drop;
2958 
2959 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2960 		goto drop;
2961 
2962 	/* If we don't have a context the only allowed commands are
2963 	 * pairing request and security request.
2964 	 */
2965 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2966 		goto drop;
2967 
2968 	switch (code) {
2969 	case SMP_CMD_PAIRING_REQ:
2970 		reason = smp_cmd_pairing_req(conn, skb);
2971 		break;
2972 
2973 	case SMP_CMD_PAIRING_FAIL:
2974 		smp_failure(conn, 0);
2975 		err = -EPERM;
2976 		break;
2977 
2978 	case SMP_CMD_PAIRING_RSP:
2979 		reason = smp_cmd_pairing_rsp(conn, skb);
2980 		break;
2981 
2982 	case SMP_CMD_SECURITY_REQ:
2983 		reason = smp_cmd_security_req(conn, skb);
2984 		break;
2985 
2986 	case SMP_CMD_PAIRING_CONFIRM:
2987 		reason = smp_cmd_pairing_confirm(conn, skb);
2988 		break;
2989 
2990 	case SMP_CMD_PAIRING_RANDOM:
2991 		reason = smp_cmd_pairing_random(conn, skb);
2992 		break;
2993 
2994 	case SMP_CMD_ENCRYPT_INFO:
2995 		reason = smp_cmd_encrypt_info(conn, skb);
2996 		break;
2997 
2998 	case SMP_CMD_MASTER_IDENT:
2999 		reason = smp_cmd_master_ident(conn, skb);
3000 		break;
3001 
3002 	case SMP_CMD_IDENT_INFO:
3003 		reason = smp_cmd_ident_info(conn, skb);
3004 		break;
3005 
3006 	case SMP_CMD_IDENT_ADDR_INFO:
3007 		reason = smp_cmd_ident_addr_info(conn, skb);
3008 		break;
3009 
3010 	case SMP_CMD_SIGN_INFO:
3011 		reason = smp_cmd_sign_info(conn, skb);
3012 		break;
3013 
3014 	case SMP_CMD_PUBLIC_KEY:
3015 		reason = smp_cmd_public_key(conn, skb);
3016 		break;
3017 
3018 	case SMP_CMD_DHKEY_CHECK:
3019 		reason = smp_cmd_dhkey_check(conn, skb);
3020 		break;
3021 
3022 	case SMP_CMD_KEYPRESS_NOTIFY:
3023 		reason = smp_cmd_keypress_notify(conn, skb);
3024 		break;
3025 
3026 	default:
3027 		BT_DBG("Unknown command code 0x%2.2x", code);
3028 		reason = SMP_CMD_NOTSUPP;
3029 		goto done;
3030 	}
3031 
3032 done:
3033 	if (!err) {
3034 		if (reason)
3035 			smp_failure(conn, reason);
3036 		kfree_skb(skb);
3037 	}
3038 
3039 	return err;
3040 
3041 drop:
3042 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3043 		   code, &hcon->dst);
3044 	kfree_skb(skb);
3045 	return 0;
3046 }
3047 
smp_teardown_cb(struct l2cap_chan * chan,int err)3048 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3049 {
3050 	struct l2cap_conn *conn = chan->conn;
3051 
3052 	BT_DBG("chan %p", chan);
3053 
3054 	if (chan->data)
3055 		smp_chan_destroy(conn);
3056 
3057 	conn->smp = NULL;
3058 	l2cap_chan_put(chan);
3059 }
3060 
bredr_pairing(struct l2cap_chan * chan)3061 static void bredr_pairing(struct l2cap_chan *chan)
3062 {
3063 	struct l2cap_conn *conn = chan->conn;
3064 	struct hci_conn *hcon = conn->hcon;
3065 	struct hci_dev *hdev = hcon->hdev;
3066 	struct smp_cmd_pairing req;
3067 	struct smp_chan *smp;
3068 
3069 	BT_DBG("chan %p", chan);
3070 
3071 	/* Only new pairings are interesting */
3072 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3073 		return;
3074 
3075 	/* Don't bother if we're not encrypted */
3076 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3077 		return;
3078 
3079 	/* Only initiator may initiate SMP over BR/EDR */
3080 	if (hcon->role != HCI_ROLE_MASTER)
3081 		return;
3082 
3083 	/* Secure Connections support must be enabled */
3084 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3085 		return;
3086 
3087 	/* BR/EDR must use Secure Connections for SMP */
3088 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3089 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3090 		return;
3091 
3092 	/* If our LE support is not enabled don't do anything */
3093 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3094 		return;
3095 
3096 	/* Don't bother if remote LE support is not enabled */
3097 	if (!lmp_host_le_capable(hcon))
3098 		return;
3099 
3100 	/* Remote must support SMP fixed chan for BR/EDR */
3101 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3102 		return;
3103 
3104 	/* Don't bother if SMP is already ongoing */
3105 	if (chan->data)
3106 		return;
3107 
3108 	smp = smp_chan_create(conn);
3109 	if (!smp) {
3110 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3111 		return;
3112 	}
3113 
3114 	set_bit(SMP_FLAG_SC, &smp->flags);
3115 
3116 	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3117 
3118 	/* Prepare and send the BR/EDR SMP Pairing Request */
3119 	build_bredr_pairing_cmd(smp, &req, NULL);
3120 
3121 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3122 	memcpy(&smp->preq[1], &req, sizeof(req));
3123 
3124 	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3125 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3126 }
3127 
smp_resume_cb(struct l2cap_chan * chan)3128 static void smp_resume_cb(struct l2cap_chan *chan)
3129 {
3130 	struct smp_chan *smp = chan->data;
3131 	struct l2cap_conn *conn = chan->conn;
3132 	struct hci_conn *hcon = conn->hcon;
3133 
3134 	BT_DBG("chan %p", chan);
3135 
3136 	if (hcon->type == ACL_LINK) {
3137 		bredr_pairing(chan);
3138 		return;
3139 	}
3140 
3141 	if (!smp)
3142 		return;
3143 
3144 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3145 		return;
3146 
3147 	cancel_delayed_work(&smp->security_timer);
3148 
3149 	smp_distribute_keys(smp);
3150 }
3151 
smp_ready_cb(struct l2cap_chan * chan)3152 static void smp_ready_cb(struct l2cap_chan *chan)
3153 {
3154 	struct l2cap_conn *conn = chan->conn;
3155 	struct hci_conn *hcon = conn->hcon;
3156 
3157 	BT_DBG("chan %p", chan);
3158 
3159 	/* No need to call l2cap_chan_hold() here since we already own
3160 	 * the reference taken in smp_new_conn_cb(). This is just the
3161 	 * first time that we tie it to a specific pointer. The code in
3162 	 * l2cap_core.c ensures that there's no risk this function wont
3163 	 * get called if smp_new_conn_cb was previously called.
3164 	 */
3165 	conn->smp = chan;
3166 
3167 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3168 		bredr_pairing(chan);
3169 }
3170 
smp_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)3171 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3172 {
3173 	int err;
3174 
3175 	BT_DBG("chan %p", chan);
3176 
3177 	err = smp_sig_channel(chan, skb);
3178 	if (err) {
3179 		struct smp_chan *smp = chan->data;
3180 
3181 		if (smp)
3182 			cancel_delayed_work_sync(&smp->security_timer);
3183 
3184 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3185 	}
3186 
3187 	return err;
3188 }
3189 
smp_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)3190 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3191 					unsigned long hdr_len,
3192 					unsigned long len, int nb)
3193 {
3194 	struct sk_buff *skb;
3195 
3196 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3197 	if (!skb)
3198 		return ERR_PTR(-ENOMEM);
3199 
3200 	skb->priority = HCI_PRIO_MAX;
3201 	bt_cb(skb)->l2cap.chan = chan;
3202 
3203 	return skb;
3204 }
3205 
3206 static const struct l2cap_ops smp_chan_ops = {
3207 	.name			= "Security Manager",
3208 	.ready			= smp_ready_cb,
3209 	.recv			= smp_recv_cb,
3210 	.alloc_skb		= smp_alloc_skb_cb,
3211 	.teardown		= smp_teardown_cb,
3212 	.resume			= smp_resume_cb,
3213 
3214 	.new_connection		= l2cap_chan_no_new_connection,
3215 	.state_change		= l2cap_chan_no_state_change,
3216 	.close			= l2cap_chan_no_close,
3217 	.defer			= l2cap_chan_no_defer,
3218 	.suspend		= l2cap_chan_no_suspend,
3219 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3220 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3221 };
3222 
smp_new_conn_cb(struct l2cap_chan * pchan)3223 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3224 {
3225 	struct l2cap_chan *chan;
3226 
3227 	BT_DBG("pchan %p", pchan);
3228 
3229 	chan = l2cap_chan_create();
3230 	if (!chan)
3231 		return NULL;
3232 
3233 	chan->chan_type	= pchan->chan_type;
3234 	chan->ops	= &smp_chan_ops;
3235 	chan->scid	= pchan->scid;
3236 	chan->dcid	= chan->scid;
3237 	chan->imtu	= pchan->imtu;
3238 	chan->omtu	= pchan->omtu;
3239 	chan->mode	= pchan->mode;
3240 
3241 	/* Other L2CAP channels may request SMP routines in order to
3242 	 * change the security level. This means that the SMP channel
3243 	 * lock must be considered in its own category to avoid lockdep
3244 	 * warnings.
3245 	 */
3246 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3247 
3248 	BT_DBG("created chan %p", chan);
3249 
3250 	return chan;
3251 }
3252 
3253 static const struct l2cap_ops smp_root_chan_ops = {
3254 	.name			= "Security Manager Root",
3255 	.new_connection		= smp_new_conn_cb,
3256 
3257 	/* None of these are implemented for the root channel */
3258 	.close			= l2cap_chan_no_close,
3259 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3260 	.recv			= l2cap_chan_no_recv,
3261 	.state_change		= l2cap_chan_no_state_change,
3262 	.teardown		= l2cap_chan_no_teardown,
3263 	.ready			= l2cap_chan_no_ready,
3264 	.defer			= l2cap_chan_no_defer,
3265 	.suspend		= l2cap_chan_no_suspend,
3266 	.resume			= l2cap_chan_no_resume,
3267 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3268 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3269 };
3270 
smp_add_cid(struct hci_dev * hdev,u16 cid)3271 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3272 {
3273 	struct l2cap_chan *chan;
3274 	struct smp_dev *smp;
3275 	struct crypto_shash *tfm_cmac;
3276 	struct crypto_kpp *tfm_ecdh;
3277 
3278 	if (cid == L2CAP_CID_SMP_BREDR) {
3279 		smp = NULL;
3280 		goto create_chan;
3281 	}
3282 
3283 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3284 	if (!smp)
3285 		return ERR_PTR(-ENOMEM);
3286 
3287 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3288 	if (IS_ERR(tfm_cmac)) {
3289 		BT_ERR("Unable to create CMAC crypto context");
3290 		kfree_sensitive(smp);
3291 		return ERR_CAST(tfm_cmac);
3292 	}
3293 
3294 	tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
3295 	if (IS_ERR(tfm_ecdh)) {
3296 		BT_ERR("Unable to create ECDH crypto context");
3297 		crypto_free_shash(tfm_cmac);
3298 		kfree_sensitive(smp);
3299 		return ERR_CAST(tfm_ecdh);
3300 	}
3301 
3302 	smp->local_oob = false;
3303 	smp->tfm_cmac = tfm_cmac;
3304 	smp->tfm_ecdh = tfm_ecdh;
3305 
3306 create_chan:
3307 	chan = l2cap_chan_create();
3308 	if (!chan) {
3309 		if (smp) {
3310 			crypto_free_shash(smp->tfm_cmac);
3311 			crypto_free_kpp(smp->tfm_ecdh);
3312 			kfree_sensitive(smp);
3313 		}
3314 		return ERR_PTR(-ENOMEM);
3315 	}
3316 
3317 	chan->data = smp;
3318 
3319 	l2cap_add_scid(chan, cid);
3320 
3321 	l2cap_chan_set_defaults(chan);
3322 
3323 	if (cid == L2CAP_CID_SMP) {
3324 		u8 bdaddr_type;
3325 
3326 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3327 
3328 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3329 			chan->src_type = BDADDR_LE_PUBLIC;
3330 		else
3331 			chan->src_type = BDADDR_LE_RANDOM;
3332 	} else {
3333 		bacpy(&chan->src, &hdev->bdaddr);
3334 		chan->src_type = BDADDR_BREDR;
3335 	}
3336 
3337 	chan->state = BT_LISTEN;
3338 	chan->mode = L2CAP_MODE_BASIC;
3339 	chan->imtu = L2CAP_DEFAULT_MTU;
3340 	chan->ops = &smp_root_chan_ops;
3341 
3342 	/* Set correct nesting level for a parent/listening channel */
3343 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3344 
3345 	return chan;
3346 }
3347 
smp_del_chan(struct l2cap_chan * chan)3348 static void smp_del_chan(struct l2cap_chan *chan)
3349 {
3350 	struct smp_dev *smp;
3351 
3352 	BT_DBG("chan %p", chan);
3353 
3354 	smp = chan->data;
3355 	if (smp) {
3356 		chan->data = NULL;
3357 		crypto_free_shash(smp->tfm_cmac);
3358 		crypto_free_kpp(smp->tfm_ecdh);
3359 		kfree_sensitive(smp);
3360 	}
3361 
3362 	l2cap_chan_put(chan);
3363 }
3364 
force_bredr_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3365 static ssize_t force_bredr_smp_read(struct file *file,
3366 				    char __user *user_buf,
3367 				    size_t count, loff_t *ppos)
3368 {
3369 	struct hci_dev *hdev = file->private_data;
3370 	char buf[3];
3371 
3372 	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3373 	buf[1] = '\n';
3374 	buf[2] = '\0';
3375 	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3376 }
3377 
force_bredr_smp_write(struct file * file,const char __user * user_buf,size_t count,loff_t * ppos)3378 static ssize_t force_bredr_smp_write(struct file *file,
3379 				     const char __user *user_buf,
3380 				     size_t count, loff_t *ppos)
3381 {
3382 	struct hci_dev *hdev = file->private_data;
3383 	bool enable;
3384 	int err;
3385 
3386 	err = kstrtobool_from_user(user_buf, count, &enable);
3387 	if (err)
3388 		return err;
3389 
3390 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3391 		return -EALREADY;
3392 
3393 	if (enable) {
3394 		struct l2cap_chan *chan;
3395 
3396 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3397 		if (IS_ERR(chan))
3398 			return PTR_ERR(chan);
3399 
3400 		hdev->smp_bredr_data = chan;
3401 	} else {
3402 		struct l2cap_chan *chan;
3403 
3404 		chan = hdev->smp_bredr_data;
3405 		hdev->smp_bredr_data = NULL;
3406 		smp_del_chan(chan);
3407 	}
3408 
3409 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3410 
3411 	return count;
3412 }
3413 
3414 static const struct file_operations force_bredr_smp_fops = {
3415 	.open		= simple_open,
3416 	.read		= force_bredr_smp_read,
3417 	.write		= force_bredr_smp_write,
3418 	.llseek		= default_llseek,
3419 };
3420 
smp_register(struct hci_dev * hdev)3421 int smp_register(struct hci_dev *hdev)
3422 {
3423 	struct l2cap_chan *chan;
3424 
3425 	BT_DBG("%s", hdev->name);
3426 
3427 	/* If the controller does not support Low Energy operation, then
3428 	 * there is also no need to register any SMP channel.
3429 	 */
3430 	if (!lmp_le_capable(hdev))
3431 		return 0;
3432 
3433 	if (WARN_ON(hdev->smp_data)) {
3434 		chan = hdev->smp_data;
3435 		hdev->smp_data = NULL;
3436 		smp_del_chan(chan);
3437 	}
3438 
3439 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3440 	if (IS_ERR(chan))
3441 		return PTR_ERR(chan);
3442 
3443 	hdev->smp_data = chan;
3444 
3445 	/* If the controller does not support BR/EDR Secure Connections
3446 	 * feature, then the BR/EDR SMP channel shall not be present.
3447 	 *
3448 	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3449 	 * switch that allows forcing BR/EDR SMP support and accepting
3450 	 * cross-transport pairing on non-AES encrypted connections.
3451 	 */
3452 	if (!lmp_sc_capable(hdev)) {
3453 		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3454 				    hdev, &force_bredr_smp_fops);
3455 
3456 		/* Flag can be already set here (due to power toggle) */
3457 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3458 			return 0;
3459 	}
3460 
3461 	if (WARN_ON(hdev->smp_bredr_data)) {
3462 		chan = hdev->smp_bredr_data;
3463 		hdev->smp_bredr_data = NULL;
3464 		smp_del_chan(chan);
3465 	}
3466 
3467 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3468 	if (IS_ERR(chan)) {
3469 		int err = PTR_ERR(chan);
3470 		chan = hdev->smp_data;
3471 		hdev->smp_data = NULL;
3472 		smp_del_chan(chan);
3473 		return err;
3474 	}
3475 
3476 	hdev->smp_bredr_data = chan;
3477 
3478 	return 0;
3479 }
3480 
smp_unregister(struct hci_dev * hdev)3481 void smp_unregister(struct hci_dev *hdev)
3482 {
3483 	struct l2cap_chan *chan;
3484 
3485 	if (hdev->smp_bredr_data) {
3486 		chan = hdev->smp_bredr_data;
3487 		hdev->smp_bredr_data = NULL;
3488 		smp_del_chan(chan);
3489 	}
3490 
3491 	if (hdev->smp_data) {
3492 		chan = hdev->smp_data;
3493 		hdev->smp_data = NULL;
3494 		smp_del_chan(chan);
3495 	}
3496 }
3497 
3498 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3499 
test_debug_key(struct crypto_kpp * tfm_ecdh)3500 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3501 {
3502 	u8 pk[64];
3503 	int err;
3504 
3505 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3506 	if (err)
3507 		return err;
3508 
3509 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3510 	if (err)
3511 		return err;
3512 
3513 	if (crypto_memneq(pk, debug_pk, 64))
3514 		return -EINVAL;
3515 
3516 	return 0;
3517 }
3518 
test_ah(void)3519 static int __init test_ah(void)
3520 {
3521 	const u8 irk[16] = {
3522 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3523 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3524 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3525 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3526 	u8 res[3];
3527 	int err;
3528 
3529 	err = smp_ah(irk, r, res);
3530 	if (err)
3531 		return err;
3532 
3533 	if (crypto_memneq(res, exp, 3))
3534 		return -EINVAL;
3535 
3536 	return 0;
3537 }
3538 
test_c1(void)3539 static int __init test_c1(void)
3540 {
3541 	const u8 k[16] = {
3542 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3543 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3544 	const u8 r[16] = {
3545 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3546 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3547 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3548 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3549 	const u8 _iat = 0x01;
3550 	const u8 _rat = 0x00;
3551 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3552 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3553 	const u8 exp[16] = {
3554 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3555 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3556 	u8 res[16];
3557 	int err;
3558 
3559 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3560 	if (err)
3561 		return err;
3562 
3563 	if (crypto_memneq(res, exp, 16))
3564 		return -EINVAL;
3565 
3566 	return 0;
3567 }
3568 
test_s1(void)3569 static int __init test_s1(void)
3570 {
3571 	const u8 k[16] = {
3572 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3573 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3574 	const u8 r1[16] = {
3575 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3576 	const u8 r2[16] = {
3577 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3578 	const u8 exp[16] = {
3579 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3580 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3581 	u8 res[16];
3582 	int err;
3583 
3584 	err = smp_s1(k, r1, r2, res);
3585 	if (err)
3586 		return err;
3587 
3588 	if (crypto_memneq(res, exp, 16))
3589 		return -EINVAL;
3590 
3591 	return 0;
3592 }
3593 
test_f4(struct crypto_shash * tfm_cmac)3594 static int __init test_f4(struct crypto_shash *tfm_cmac)
3595 {
3596 	const u8 u[32] = {
3597 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3598 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3599 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3600 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3601 	const u8 v[32] = {
3602 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3603 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3604 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3605 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3606 	const u8 x[16] = {
3607 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609 	const u8 z = 0x00;
3610 	const u8 exp[16] = {
3611 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3612 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3613 	u8 res[16];
3614 	int err;
3615 
3616 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3617 	if (err)
3618 		return err;
3619 
3620 	if (crypto_memneq(res, exp, 16))
3621 		return -EINVAL;
3622 
3623 	return 0;
3624 }
3625 
test_f5(struct crypto_shash * tfm_cmac)3626 static int __init test_f5(struct crypto_shash *tfm_cmac)
3627 {
3628 	const u8 w[32] = {
3629 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3630 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3631 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3632 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3633 	const u8 n1[16] = {
3634 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3635 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3636 	const u8 n2[16] = {
3637 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3638 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3639 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3640 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3641 	const u8 exp_ltk[16] = {
3642 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3643 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3644 	const u8 exp_mackey[16] = {
3645 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3646 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3647 	u8 mackey[16], ltk[16];
3648 	int err;
3649 
3650 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3651 	if (err)
3652 		return err;
3653 
3654 	if (crypto_memneq(mackey, exp_mackey, 16))
3655 		return -EINVAL;
3656 
3657 	if (crypto_memneq(ltk, exp_ltk, 16))
3658 		return -EINVAL;
3659 
3660 	return 0;
3661 }
3662 
test_f6(struct crypto_shash * tfm_cmac)3663 static int __init test_f6(struct crypto_shash *tfm_cmac)
3664 {
3665 	const u8 w[16] = {
3666 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3667 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3668 	const u8 n1[16] = {
3669 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3670 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3671 	const u8 n2[16] = {
3672 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3673 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3674 	const u8 r[16] = {
3675 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3676 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3677 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3678 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3679 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3680 	const u8 exp[16] = {
3681 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3682 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3683 	u8 res[16];
3684 	int err;
3685 
3686 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3687 	if (err)
3688 		return err;
3689 
3690 	if (crypto_memneq(res, exp, 16))
3691 		return -EINVAL;
3692 
3693 	return 0;
3694 }
3695 
test_g2(struct crypto_shash * tfm_cmac)3696 static int __init test_g2(struct crypto_shash *tfm_cmac)
3697 {
3698 	const u8 u[32] = {
3699 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3700 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3701 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3702 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3703 	const u8 v[32] = {
3704 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3705 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3706 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3707 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3708 	const u8 x[16] = {
3709 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3710 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3711 	const u8 y[16] = {
3712 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3713 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3714 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3715 	u32 val;
3716 	int err;
3717 
3718 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3719 	if (err)
3720 		return err;
3721 
3722 	if (val != exp_val)
3723 		return -EINVAL;
3724 
3725 	return 0;
3726 }
3727 
test_h6(struct crypto_shash * tfm_cmac)3728 static int __init test_h6(struct crypto_shash *tfm_cmac)
3729 {
3730 	const u8 w[16] = {
3731 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3732 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3733 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3734 	const u8 exp[16] = {
3735 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3736 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3737 	u8 res[16];
3738 	int err;
3739 
3740 	err = smp_h6(tfm_cmac, w, key_id, res);
3741 	if (err)
3742 		return err;
3743 
3744 	if (crypto_memneq(res, exp, 16))
3745 		return -EINVAL;
3746 
3747 	return 0;
3748 }
3749 
3750 static char test_smp_buffer[32];
3751 
test_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3752 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3753 			     size_t count, loff_t *ppos)
3754 {
3755 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3756 				       strlen(test_smp_buffer));
3757 }
3758 
3759 static const struct file_operations test_smp_fops = {
3760 	.open		= simple_open,
3761 	.read		= test_smp_read,
3762 	.llseek		= default_llseek,
3763 };
3764 
run_selftests(struct crypto_shash * tfm_cmac,struct crypto_kpp * tfm_ecdh)3765 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3766 				struct crypto_kpp *tfm_ecdh)
3767 {
3768 	ktime_t calltime, delta, rettime;
3769 	unsigned long long duration;
3770 	int err;
3771 
3772 	calltime = ktime_get();
3773 
3774 	err = test_debug_key(tfm_ecdh);
3775 	if (err) {
3776 		BT_ERR("debug_key test failed");
3777 		goto done;
3778 	}
3779 
3780 	err = test_ah();
3781 	if (err) {
3782 		BT_ERR("smp_ah test failed");
3783 		goto done;
3784 	}
3785 
3786 	err = test_c1();
3787 	if (err) {
3788 		BT_ERR("smp_c1 test failed");
3789 		goto done;
3790 	}
3791 
3792 	err = test_s1();
3793 	if (err) {
3794 		BT_ERR("smp_s1 test failed");
3795 		goto done;
3796 	}
3797 
3798 	err = test_f4(tfm_cmac);
3799 	if (err) {
3800 		BT_ERR("smp_f4 test failed");
3801 		goto done;
3802 	}
3803 
3804 	err = test_f5(tfm_cmac);
3805 	if (err) {
3806 		BT_ERR("smp_f5 test failed");
3807 		goto done;
3808 	}
3809 
3810 	err = test_f6(tfm_cmac);
3811 	if (err) {
3812 		BT_ERR("smp_f6 test failed");
3813 		goto done;
3814 	}
3815 
3816 	err = test_g2(tfm_cmac);
3817 	if (err) {
3818 		BT_ERR("smp_g2 test failed");
3819 		goto done;
3820 	}
3821 
3822 	err = test_h6(tfm_cmac);
3823 	if (err) {
3824 		BT_ERR("smp_h6 test failed");
3825 		goto done;
3826 	}
3827 
3828 	rettime = ktime_get();
3829 	delta = ktime_sub(rettime, calltime);
3830 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3831 
3832 	BT_INFO("SMP test passed in %llu usecs", duration);
3833 
3834 done:
3835 	if (!err)
3836 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3837 			 "PASS (%llu usecs)\n", duration);
3838 	else
3839 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3840 
3841 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3842 			    &test_smp_fops);
3843 
3844 	return err;
3845 }
3846 
bt_selftest_smp(void)3847 int __init bt_selftest_smp(void)
3848 {
3849 	struct crypto_shash *tfm_cmac;
3850 	struct crypto_kpp *tfm_ecdh;
3851 	int err;
3852 
3853 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3854 	if (IS_ERR(tfm_cmac)) {
3855 		BT_ERR("Unable to create CMAC crypto context");
3856 		return PTR_ERR(tfm_cmac);
3857 	}
3858 
3859 	tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
3860 	if (IS_ERR(tfm_ecdh)) {
3861 		BT_ERR("Unable to create ECDH crypto context");
3862 		crypto_free_shash(tfm_cmac);
3863 		return PTR_ERR(tfm_ecdh);
3864 	}
3865 
3866 	err = run_selftests(tfm_cmac, tfm_ecdh);
3867 
3868 	crypto_free_shash(tfm_cmac);
3869 	crypto_free_kpp(tfm_ecdh);
3870 
3871 	return err;
3872 }
3873 
3874 #endif
3875