1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34
35 #include "ecc.h"
36 #include "smp.h"
37
38 #define SMP_DEV(hdev) \
39 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40
41 /* Low-level debug macros to be used for stuff that we don't want
42 * accidentially in dmesg, i.e. the values of the various crypto keys
43 * and the inputs & outputs of crypto functions.
44 */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 ##__VA_ARGS__)
51 #endif
52
53 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
54
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
57
58 #define SMP_TIMEOUT msecs_to_jiffies(30000)
59
60 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
61 0x1f : 0x07)
62 #define KEY_DIST_MASK 0x07
63
64 /* Maximum message length that can be passed to aes_cmac */
65 #define CMAC_MSG_MAX 80
66
67 enum {
68 SMP_FLAG_TK_VALID,
69 SMP_FLAG_CFM_PENDING,
70 SMP_FLAG_MITM_AUTH,
71 SMP_FLAG_COMPLETE,
72 SMP_FLAG_INITIATOR,
73 SMP_FLAG_SC,
74 SMP_FLAG_REMOTE_PK,
75 SMP_FLAG_DEBUG_KEY,
76 SMP_FLAG_WAIT_USER,
77 SMP_FLAG_DHKEY_PENDING,
78 SMP_FLAG_REMOTE_OOB,
79 SMP_FLAG_LOCAL_OOB,
80 };
81
82 struct smp_dev {
83 /* Secure Connections OOB data */
84 u8 local_pk[64];
85 u8 local_sk[32];
86 u8 local_rand[16];
87 bool debug_key;
88
89 u8 min_key_size;
90 u8 max_key_size;
91
92 struct crypto_cipher *tfm_aes;
93 struct crypto_shash *tfm_cmac;
94 };
95
96 struct smp_chan {
97 struct l2cap_conn *conn;
98 struct delayed_work security_timer;
99 unsigned long allow_cmd; /* Bitmask of allowed commands */
100
101 u8 preq[7]; /* SMP Pairing Request */
102 u8 prsp[7]; /* SMP Pairing Response */
103 u8 prnd[16]; /* SMP Pairing Random (local) */
104 u8 rrnd[16]; /* SMP Pairing Random (remote) */
105 u8 pcnf[16]; /* SMP Pairing Confirm */
106 u8 tk[16]; /* SMP Temporary Key */
107 u8 rr[16]; /* Remote OOB ra/rb value */
108 u8 lr[16]; /* Local OOB ra/rb value */
109 u8 enc_key_size;
110 u8 remote_key_dist;
111 bdaddr_t id_addr;
112 u8 id_addr_type;
113 u8 irk[16];
114 struct smp_csrk *csrk;
115 struct smp_csrk *slave_csrk;
116 struct smp_ltk *ltk;
117 struct smp_ltk *slave_ltk;
118 struct smp_irk *remote_irk;
119 u8 *link_key;
120 unsigned long flags;
121 u8 method;
122 u8 passkey_round;
123
124 /* Secure Connections variables */
125 u8 local_pk[64];
126 u8 local_sk[32];
127 u8 remote_pk[64];
128 u8 dhkey[32];
129 u8 mackey[16];
130
131 struct crypto_cipher *tfm_aes;
132 struct crypto_shash *tfm_cmac;
133 };
134
135 /* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
137 * private debug key.
138 */
139 static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150
151 static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157
swap_buf(const u8 * src,u8 * dst,size_t len)158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 size_t i;
161
162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
164 }
165
166 /* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
168 */
169
aes_cmac(struct crypto_shash * tfm,const u8 k[16],const u8 * m,size_t len,u8 mac[16])170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 size_t len, u8 mac[16])
172 {
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 SHASH_DESC_ON_STACK(desc, tfm);
175 int err;
176
177 if (len > CMAC_MSG_MAX)
178 return -EFBIG;
179
180 if (!tfm) {
181 BT_ERR("tfm %p", tfm);
182 return -EINVAL;
183 }
184
185 desc->tfm = tfm;
186 desc->flags = 0;
187
188 /* Swap key and message from LSB to MSB */
189 swap_buf(k, tmp, 16);
190 swap_buf(m, msg_msb, len);
191
192 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
193 SMP_DBG("key %16phN", k);
194
195 err = crypto_shash_setkey(tfm, tmp, 16);
196 if (err) {
197 BT_ERR("cipher setkey failed: %d", err);
198 return err;
199 }
200
201 err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
202 shash_desc_zero(desc);
203 if (err) {
204 BT_ERR("Hash computation error %d", err);
205 return err;
206 }
207
208 swap_buf(mac_msb, mac, 16);
209
210 SMP_DBG("mac %16phN", mac);
211
212 return 0;
213 }
214
smp_f4(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],u8 z,u8 res[16])215 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
216 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
217 {
218 u8 m[65];
219 int err;
220
221 SMP_DBG("u %32phN", u);
222 SMP_DBG("v %32phN", v);
223 SMP_DBG("x %16phN z %02x", x, z);
224
225 m[0] = z;
226 memcpy(m + 1, v, 32);
227 memcpy(m + 33, u, 32);
228
229 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
230 if (err)
231 return err;
232
233 SMP_DBG("res %16phN", res);
234
235 return err;
236 }
237
smp_f5(struct crypto_shash * tfm_cmac,const u8 w[32],const u8 n1[16],const u8 n2[16],const u8 a1[7],const u8 a2[7],u8 mackey[16],u8 ltk[16])238 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
239 const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 {
242 /* The btle, salt and length "magic" values are as defined in
243 * the SMP section of the Bluetooth core specification. In ASCII
244 * the btle value ends up being 'btle'. The salt is just a
245 * random number whereas length is the value 256 in little
246 * endian format.
247 */
248 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 const u8 length[2] = { 0x00, 0x01 };
252 u8 m[53], t[16];
253 int err;
254
255 SMP_DBG("w %32phN", w);
256 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258
259 err = aes_cmac(tfm_cmac, salt, w, 32, t);
260 if (err)
261 return err;
262
263 SMP_DBG("t %16phN", t);
264
265 memcpy(m, length, 2);
266 memcpy(m + 2, a2, 7);
267 memcpy(m + 9, a1, 7);
268 memcpy(m + 16, n2, 16);
269 memcpy(m + 32, n1, 16);
270 memcpy(m + 48, btle, 4);
271
272 m[52] = 0; /* Counter */
273
274 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
275 if (err)
276 return err;
277
278 SMP_DBG("mackey %16phN", mackey);
279
280 m[52] = 1; /* Counter */
281
282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
283 if (err)
284 return err;
285
286 SMP_DBG("ltk %16phN", ltk);
287
288 return 0;
289 }
290
smp_f6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 n1[16],const u8 n2[16],const u8 r[16],const u8 io_cap[3],const u8 a1[7],const u8 a2[7],u8 res[16])291 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
292 const u8 n1[16], const u8 n2[16], const u8 r[16],
293 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
294 u8 res[16])
295 {
296 u8 m[65];
297 int err;
298
299 SMP_DBG("w %16phN", w);
300 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
302
303 memcpy(m, a2, 7);
304 memcpy(m + 7, a1, 7);
305 memcpy(m + 14, io_cap, 3);
306 memcpy(m + 17, r, 16);
307 memcpy(m + 33, n2, 16);
308 memcpy(m + 49, n1, 16);
309
310 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
311 if (err)
312 return err;
313
314 SMP_DBG("res %16phN", res);
315
316 return err;
317 }
318
smp_g2(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],const u8 y[16],u32 * val)319 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
320 const u8 x[16], const u8 y[16], u32 *val)
321 {
322 u8 m[80], tmp[16];
323 int err;
324
325 SMP_DBG("u %32phN", u);
326 SMP_DBG("v %32phN", v);
327 SMP_DBG("x %16phN y %16phN", x, y);
328
329 memcpy(m, y, 16);
330 memcpy(m + 16, v, 32);
331 memcpy(m + 48, u, 32);
332
333 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
334 if (err)
335 return err;
336
337 *val = get_unaligned_le32(tmp);
338 *val %= 1000000;
339
340 SMP_DBG("val %06u", *val);
341
342 return 0;
343 }
344
smp_h6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 key_id[4],u8 res[16])345 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
346 const u8 key_id[4], u8 res[16])
347 {
348 int err;
349
350 SMP_DBG("w %16phN key_id %4phN", w, key_id);
351
352 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
353 if (err)
354 return err;
355
356 SMP_DBG("res %16phN", res);
357
358 return err;
359 }
360
361 /* The following functions map to the legacy SMP crypto functions e, c1,
362 * s1 and ah.
363 */
364
smp_e(struct crypto_cipher * tfm,const u8 * k,u8 * r)365 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
366 {
367 uint8_t tmp[16], data[16];
368 int err;
369
370 SMP_DBG("k %16phN r %16phN", k, r);
371
372 if (!tfm) {
373 BT_ERR("tfm %p", tfm);
374 return -EINVAL;
375 }
376
377 /* The most significant octet of key corresponds to k[0] */
378 swap_buf(k, tmp, 16);
379
380 err = crypto_cipher_setkey(tfm, tmp, 16);
381 if (err) {
382 BT_ERR("cipher setkey failed: %d", err);
383 return err;
384 }
385
386 /* Most significant octet of plaintextData corresponds to data[0] */
387 swap_buf(r, data, 16);
388
389 crypto_cipher_encrypt_one(tfm, data, data);
390
391 /* Most significant octet of encryptedData corresponds to data[0] */
392 swap_buf(data, r, 16);
393
394 SMP_DBG("r %16phN", r);
395
396 return err;
397 }
398
smp_c1(struct crypto_cipher * tfm_aes,const u8 k[16],const u8 r[16],const u8 preq[7],const u8 pres[7],u8 _iat,const bdaddr_t * ia,u8 _rat,const bdaddr_t * ra,u8 res[16])399 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
400 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
401 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
402 {
403 u8 p1[16], p2[16];
404 int err;
405
406 SMP_DBG("k %16phN r %16phN", k, r);
407 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
408 SMP_DBG("preq %7phN pres %7phN", preq, pres);
409
410 memset(p1, 0, 16);
411
412 /* p1 = pres || preq || _rat || _iat */
413 p1[0] = _iat;
414 p1[1] = _rat;
415 memcpy(p1 + 2, preq, 7);
416 memcpy(p1 + 9, pres, 7);
417
418 SMP_DBG("p1 %16phN", p1);
419
420 /* res = r XOR p1 */
421 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
422
423 /* res = e(k, res) */
424 err = smp_e(tfm_aes, k, res);
425 if (err) {
426 BT_ERR("Encrypt data error");
427 return err;
428 }
429
430 /* p2 = padding || ia || ra */
431 memcpy(p2, ra, 6);
432 memcpy(p2 + 6, ia, 6);
433 memset(p2 + 12, 0, 4);
434
435 SMP_DBG("p2 %16phN", p2);
436
437 /* res = res XOR p2 */
438 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
439
440 /* res = e(k, res) */
441 err = smp_e(tfm_aes, k, res);
442 if (err)
443 BT_ERR("Encrypt data error");
444
445 return err;
446 }
447
smp_s1(struct crypto_cipher * tfm_aes,const u8 k[16],const u8 r1[16],const u8 r2[16],u8 _r[16])448 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
449 const u8 r1[16], const u8 r2[16], u8 _r[16])
450 {
451 int err;
452
453 /* Just least significant octets from r1 and r2 are considered */
454 memcpy(_r, r2, 8);
455 memcpy(_r + 8, r1, 8);
456
457 err = smp_e(tfm_aes, k, _r);
458 if (err)
459 BT_ERR("Encrypt data error");
460
461 return err;
462 }
463
smp_ah(struct crypto_cipher * tfm,const u8 irk[16],const u8 r[3],u8 res[3])464 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
465 const u8 r[3], u8 res[3])
466 {
467 u8 _res[16];
468 int err;
469
470 /* r' = padding || r */
471 memcpy(_res, r, 3);
472 memset(_res + 3, 0, 13);
473
474 err = smp_e(tfm, irk, _res);
475 if (err) {
476 BT_ERR("Encrypt error");
477 return err;
478 }
479
480 /* The output of the random address function ah is:
481 * ah(k, r) = e(k, r') mod 2^24
482 * The output of the security function e is then truncated to 24 bits
483 * by taking the least significant 24 bits of the output of e as the
484 * result of ah.
485 */
486 memcpy(res, _res, 3);
487
488 return 0;
489 }
490
smp_irk_matches(struct hci_dev * hdev,const u8 irk[16],const bdaddr_t * bdaddr)491 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
492 const bdaddr_t *bdaddr)
493 {
494 struct l2cap_chan *chan = hdev->smp_data;
495 struct smp_dev *smp;
496 u8 hash[3];
497 int err;
498
499 if (!chan || !chan->data)
500 return false;
501
502 smp = chan->data;
503
504 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
505
506 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
507 if (err)
508 return false;
509
510 return !crypto_memneq(bdaddr->b, hash, 3);
511 }
512
smp_generate_rpa(struct hci_dev * hdev,const u8 irk[16],bdaddr_t * rpa)513 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
514 {
515 struct l2cap_chan *chan = hdev->smp_data;
516 struct smp_dev *smp;
517 int err;
518
519 if (!chan || !chan->data)
520 return -EOPNOTSUPP;
521
522 smp = chan->data;
523
524 get_random_bytes(&rpa->b[3], 3);
525
526 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
527 rpa->b[5] |= 0x40; /* Set second most significant bit */
528
529 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
530 if (err < 0)
531 return err;
532
533 BT_DBG("RPA %pMR", rpa);
534
535 return 0;
536 }
537
smp_generate_oob(struct hci_dev * hdev,u8 hash[16],u8 rand[16])538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 struct l2cap_chan *chan = hdev->smp_data;
541 struct smp_dev *smp;
542 int err;
543
544 if (!chan || !chan->data)
545 return -EOPNOTSUPP;
546
547 smp = chan->data;
548
549 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 BT_DBG("Using debug keys");
551 memcpy(smp->local_pk, debug_pk, 64);
552 memcpy(smp->local_sk, debug_sk, 32);
553 smp->debug_key = true;
554 } else {
555 while (true) {
556 /* Generate local key pair for Secure Connections */
557 if (!ecc_make_key(smp->local_pk, smp->local_sk))
558 return -EIO;
559
560 /* This is unlikely, but we need to check that
561 * we didn't accidentially generate a debug key.
562 */
563 if (crypto_memneq(smp->local_sk, debug_sk, 32))
564 break;
565 }
566 smp->debug_key = false;
567 }
568
569 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
570 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
571 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
572
573 get_random_bytes(smp->local_rand, 16);
574
575 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
576 smp->local_rand, 0, hash);
577 if (err < 0)
578 return err;
579
580 memcpy(rand, smp->local_rand, 16);
581
582 return 0;
583 }
584
smp_send_cmd(struct l2cap_conn * conn,u8 code,u16 len,void * data)585 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
586 {
587 struct l2cap_chan *chan = conn->smp;
588 struct smp_chan *smp;
589 struct kvec iv[2];
590 struct msghdr msg;
591
592 if (!chan)
593 return;
594
595 BT_DBG("code 0x%2.2x", code);
596
597 iv[0].iov_base = &code;
598 iv[0].iov_len = 1;
599
600 iv[1].iov_base = data;
601 iv[1].iov_len = len;
602
603 memset(&msg, 0, sizeof(msg));
604
605 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
606
607 l2cap_chan_send(chan, &msg, 1 + len);
608
609 if (!chan->data)
610 return;
611
612 smp = chan->data;
613
614 cancel_delayed_work_sync(&smp->security_timer);
615 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
616 }
617
authreq_to_seclevel(u8 authreq)618 static u8 authreq_to_seclevel(u8 authreq)
619 {
620 if (authreq & SMP_AUTH_MITM) {
621 if (authreq & SMP_AUTH_SC)
622 return BT_SECURITY_FIPS;
623 else
624 return BT_SECURITY_HIGH;
625 } else {
626 return BT_SECURITY_MEDIUM;
627 }
628 }
629
seclevel_to_authreq(__u8 sec_level)630 static __u8 seclevel_to_authreq(__u8 sec_level)
631 {
632 switch (sec_level) {
633 case BT_SECURITY_FIPS:
634 case BT_SECURITY_HIGH:
635 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
636 case BT_SECURITY_MEDIUM:
637 return SMP_AUTH_BONDING;
638 default:
639 return SMP_AUTH_NONE;
640 }
641 }
642
build_pairing_cmd(struct l2cap_conn * conn,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp,__u8 authreq)643 static void build_pairing_cmd(struct l2cap_conn *conn,
644 struct smp_cmd_pairing *req,
645 struct smp_cmd_pairing *rsp, __u8 authreq)
646 {
647 struct l2cap_chan *chan = conn->smp;
648 struct smp_chan *smp = chan->data;
649 struct hci_conn *hcon = conn->hcon;
650 struct hci_dev *hdev = hcon->hdev;
651 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
652
653 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
654 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
655 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
656 authreq |= SMP_AUTH_BONDING;
657 } else {
658 authreq &= ~SMP_AUTH_BONDING;
659 }
660
661 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
662 remote_dist |= SMP_DIST_ID_KEY;
663
664 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
665 local_dist |= SMP_DIST_ID_KEY;
666
667 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
668 (authreq & SMP_AUTH_SC)) {
669 struct oob_data *oob_data;
670 u8 bdaddr_type;
671
672 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
673 local_dist |= SMP_DIST_LINK_KEY;
674 remote_dist |= SMP_DIST_LINK_KEY;
675 }
676
677 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
678 bdaddr_type = BDADDR_LE_PUBLIC;
679 else
680 bdaddr_type = BDADDR_LE_RANDOM;
681
682 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
683 bdaddr_type);
684 if (oob_data && oob_data->present) {
685 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
686 oob_flag = SMP_OOB_PRESENT;
687 memcpy(smp->rr, oob_data->rand256, 16);
688 memcpy(smp->pcnf, oob_data->hash256, 16);
689 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
690 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
691 }
692
693 } else {
694 authreq &= ~SMP_AUTH_SC;
695 }
696
697 if (rsp == NULL) {
698 req->io_capability = conn->hcon->io_capability;
699 req->oob_flag = oob_flag;
700 req->max_key_size = SMP_DEV(hdev)->max_key_size;
701 req->init_key_dist = local_dist;
702 req->resp_key_dist = remote_dist;
703 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
704
705 smp->remote_key_dist = remote_dist;
706 return;
707 }
708
709 rsp->io_capability = conn->hcon->io_capability;
710 rsp->oob_flag = oob_flag;
711 rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
712 rsp->init_key_dist = req->init_key_dist & remote_dist;
713 rsp->resp_key_dist = req->resp_key_dist & local_dist;
714 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
715
716 smp->remote_key_dist = rsp->init_key_dist;
717 }
718
check_enc_key_size(struct l2cap_conn * conn,__u8 max_key_size)719 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
720 {
721 struct l2cap_chan *chan = conn->smp;
722 struct hci_dev *hdev = conn->hcon->hdev;
723 struct smp_chan *smp = chan->data;
724
725 if (max_key_size > SMP_DEV(hdev)->max_key_size ||
726 max_key_size < SMP_MIN_ENC_KEY_SIZE)
727 return SMP_ENC_KEY_SIZE;
728
729 smp->enc_key_size = max_key_size;
730
731 return 0;
732 }
733
smp_chan_destroy(struct l2cap_conn * conn)734 static void smp_chan_destroy(struct l2cap_conn *conn)
735 {
736 struct l2cap_chan *chan = conn->smp;
737 struct smp_chan *smp = chan->data;
738 struct hci_conn *hcon = conn->hcon;
739 bool complete;
740
741 BUG_ON(!smp);
742
743 cancel_delayed_work_sync(&smp->security_timer);
744
745 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
746 mgmt_smp_complete(hcon, complete);
747
748 kzfree(smp->csrk);
749 kzfree(smp->slave_csrk);
750 kzfree(smp->link_key);
751
752 crypto_free_cipher(smp->tfm_aes);
753 crypto_free_shash(smp->tfm_cmac);
754
755 /* Ensure that we don't leave any debug key around if debug key
756 * support hasn't been explicitly enabled.
757 */
758 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
759 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
760 list_del_rcu(&smp->ltk->list);
761 kfree_rcu(smp->ltk, rcu);
762 smp->ltk = NULL;
763 }
764
765 /* If pairing failed clean up any keys we might have */
766 if (!complete) {
767 if (smp->ltk) {
768 list_del_rcu(&smp->ltk->list);
769 kfree_rcu(smp->ltk, rcu);
770 }
771
772 if (smp->slave_ltk) {
773 list_del_rcu(&smp->slave_ltk->list);
774 kfree_rcu(smp->slave_ltk, rcu);
775 }
776
777 if (smp->remote_irk) {
778 list_del_rcu(&smp->remote_irk->list);
779 kfree_rcu(smp->remote_irk, rcu);
780 }
781 }
782
783 chan->data = NULL;
784 kzfree(smp);
785 hci_conn_drop(hcon);
786 }
787
smp_failure(struct l2cap_conn * conn,u8 reason)788 static void smp_failure(struct l2cap_conn *conn, u8 reason)
789 {
790 struct hci_conn *hcon = conn->hcon;
791 struct l2cap_chan *chan = conn->smp;
792
793 if (reason)
794 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
795 &reason);
796
797 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
798
799 if (chan->data)
800 smp_chan_destroy(conn);
801 }
802
803 #define JUST_WORKS 0x00
804 #define JUST_CFM 0x01
805 #define REQ_PASSKEY 0x02
806 #define CFM_PASSKEY 0x03
807 #define REQ_OOB 0x04
808 #define DSP_PASSKEY 0x05
809 #define OVERLAP 0xFF
810
811 static const u8 gen_method[5][5] = {
812 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
813 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
814 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
815 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
816 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
817 };
818
819 static const u8 sc_method[5][5] = {
820 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
823 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
824 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
825 };
826
get_auth_method(struct smp_chan * smp,u8 local_io,u8 remote_io)827 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
828 {
829 /* If either side has unknown io_caps, use JUST_CFM (which gets
830 * converted later to JUST_WORKS if we're initiators.
831 */
832 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
833 remote_io > SMP_IO_KEYBOARD_DISPLAY)
834 return JUST_CFM;
835
836 if (test_bit(SMP_FLAG_SC, &smp->flags))
837 return sc_method[remote_io][local_io];
838
839 return gen_method[remote_io][local_io];
840 }
841
tk_request(struct l2cap_conn * conn,u8 remote_oob,u8 auth,u8 local_io,u8 remote_io)842 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
843 u8 local_io, u8 remote_io)
844 {
845 struct hci_conn *hcon = conn->hcon;
846 struct l2cap_chan *chan = conn->smp;
847 struct smp_chan *smp = chan->data;
848 u32 passkey = 0;
849 int ret = 0;
850
851 /* Initialize key for JUST WORKS */
852 memset(smp->tk, 0, sizeof(smp->tk));
853 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
854
855 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
856
857 /* If neither side wants MITM, either "just" confirm an incoming
858 * request or use just-works for outgoing ones. The JUST_CFM
859 * will be converted to JUST_WORKS if necessary later in this
860 * function. If either side has MITM look up the method from the
861 * table.
862 */
863 if (!(auth & SMP_AUTH_MITM))
864 smp->method = JUST_CFM;
865 else
866 smp->method = get_auth_method(smp, local_io, remote_io);
867
868 /* Don't confirm locally initiated pairing attempts */
869 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
870 &smp->flags))
871 smp->method = JUST_WORKS;
872
873 /* Don't bother user space with no IO capabilities */
874 if (smp->method == JUST_CFM &&
875 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
876 smp->method = JUST_WORKS;
877
878 /* If Just Works, Continue with Zero TK */
879 if (smp->method == JUST_WORKS) {
880 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
881 return 0;
882 }
883
884 /* If this function is used for SC -> legacy fallback we
885 * can only recover the just-works case.
886 */
887 if (test_bit(SMP_FLAG_SC, &smp->flags))
888 return -EINVAL;
889
890 /* Not Just Works/Confirm results in MITM Authentication */
891 if (smp->method != JUST_CFM) {
892 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
893 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
894 hcon->pending_sec_level = BT_SECURITY_HIGH;
895 }
896
897 /* If both devices have Keyoard-Display I/O, the master
898 * Confirms and the slave Enters the passkey.
899 */
900 if (smp->method == OVERLAP) {
901 if (hcon->role == HCI_ROLE_MASTER)
902 smp->method = CFM_PASSKEY;
903 else
904 smp->method = REQ_PASSKEY;
905 }
906
907 /* Generate random passkey. */
908 if (smp->method == CFM_PASSKEY) {
909 memset(smp->tk, 0, sizeof(smp->tk));
910 get_random_bytes(&passkey, sizeof(passkey));
911 passkey %= 1000000;
912 put_unaligned_le32(passkey, smp->tk);
913 BT_DBG("PassKey: %d", passkey);
914 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
915 }
916
917 if (smp->method == REQ_PASSKEY)
918 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
919 hcon->type, hcon->dst_type);
920 else if (smp->method == JUST_CFM)
921 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
922 hcon->type, hcon->dst_type,
923 passkey, 1);
924 else
925 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
926 hcon->type, hcon->dst_type,
927 passkey, 0);
928
929 return ret;
930 }
931
smp_confirm(struct smp_chan * smp)932 static u8 smp_confirm(struct smp_chan *smp)
933 {
934 struct l2cap_conn *conn = smp->conn;
935 struct smp_cmd_pairing_confirm cp;
936 int ret;
937
938 BT_DBG("conn %p", conn);
939
940 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
941 conn->hcon->init_addr_type, &conn->hcon->init_addr,
942 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
943 cp.confirm_val);
944 if (ret)
945 return SMP_UNSPECIFIED;
946
947 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
948
949 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
950
951 if (conn->hcon->out)
952 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
953 else
954 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
955
956 return 0;
957 }
958
smp_random(struct smp_chan * smp)959 static u8 smp_random(struct smp_chan *smp)
960 {
961 struct l2cap_conn *conn = smp->conn;
962 struct hci_conn *hcon = conn->hcon;
963 u8 confirm[16];
964 int ret;
965
966 if (IS_ERR_OR_NULL(smp->tfm_aes))
967 return SMP_UNSPECIFIED;
968
969 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
970
971 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
972 hcon->init_addr_type, &hcon->init_addr,
973 hcon->resp_addr_type, &hcon->resp_addr, confirm);
974 if (ret)
975 return SMP_UNSPECIFIED;
976
977 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
978 BT_ERR("Pairing failed (confirmation values mismatch)");
979 return SMP_CONFIRM_FAILED;
980 }
981
982 if (hcon->out) {
983 u8 stk[16];
984 __le64 rand = 0;
985 __le16 ediv = 0;
986
987 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
988
989 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
990 return SMP_UNSPECIFIED;
991
992 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
993 hcon->enc_key_size = smp->enc_key_size;
994 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
995 } else {
996 u8 stk[16], auth;
997 __le64 rand = 0;
998 __le16 ediv = 0;
999
1000 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1001 smp->prnd);
1002
1003 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1004
1005 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1006 auth = 1;
1007 else
1008 auth = 0;
1009
1010 /* Even though there's no _SLAVE suffix this is the
1011 * slave STK we're adding for later lookup (the master
1012 * STK never needs to be stored).
1013 */
1014 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1015 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1016 }
1017
1018 return 0;
1019 }
1020
smp_notify_keys(struct l2cap_conn * conn)1021 static void smp_notify_keys(struct l2cap_conn *conn)
1022 {
1023 struct l2cap_chan *chan = conn->smp;
1024 struct smp_chan *smp = chan->data;
1025 struct hci_conn *hcon = conn->hcon;
1026 struct hci_dev *hdev = hcon->hdev;
1027 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1028 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1029 bool persistent;
1030
1031 if (hcon->type == ACL_LINK) {
1032 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1033 persistent = false;
1034 else
1035 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1036 &hcon->flags);
1037 } else {
1038 /* The LTKs, IRKs and CSRKs should be persistent only if
1039 * both sides had the bonding bit set in their
1040 * authentication requests.
1041 */
1042 persistent = !!((req->auth_req & rsp->auth_req) &
1043 SMP_AUTH_BONDING);
1044 }
1045
1046 if (smp->remote_irk) {
1047 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1048
1049 /* Now that user space can be considered to know the
1050 * identity address track the connection based on it
1051 * from now on (assuming this is an LE link).
1052 */
1053 if (hcon->type == LE_LINK) {
1054 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1055 hcon->dst_type = smp->remote_irk->addr_type;
1056 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1057 }
1058 }
1059
1060 if (smp->csrk) {
1061 smp->csrk->bdaddr_type = hcon->dst_type;
1062 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1063 mgmt_new_csrk(hdev, smp->csrk, persistent);
1064 }
1065
1066 if (smp->slave_csrk) {
1067 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1068 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1069 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1070 }
1071
1072 if (smp->ltk) {
1073 smp->ltk->bdaddr_type = hcon->dst_type;
1074 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1075 mgmt_new_ltk(hdev, smp->ltk, persistent);
1076 }
1077
1078 if (smp->slave_ltk) {
1079 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1080 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1081 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1082 }
1083
1084 if (smp->link_key) {
1085 struct link_key *key;
1086 u8 type;
1087
1088 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1089 type = HCI_LK_DEBUG_COMBINATION;
1090 else if (hcon->sec_level == BT_SECURITY_FIPS)
1091 type = HCI_LK_AUTH_COMBINATION_P256;
1092 else
1093 type = HCI_LK_UNAUTH_COMBINATION_P256;
1094
1095 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1096 smp->link_key, type, 0, &persistent);
1097 if (key) {
1098 mgmt_new_link_key(hdev, key, persistent);
1099
1100 /* Don't keep debug keys around if the relevant
1101 * flag is not set.
1102 */
1103 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1104 key->type == HCI_LK_DEBUG_COMBINATION) {
1105 list_del_rcu(&key->list);
1106 kfree_rcu(key, rcu);
1107 }
1108 }
1109 }
1110 }
1111
sc_add_ltk(struct smp_chan * smp)1112 static void sc_add_ltk(struct smp_chan *smp)
1113 {
1114 struct hci_conn *hcon = smp->conn->hcon;
1115 u8 key_type, auth;
1116
1117 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1118 key_type = SMP_LTK_P256_DEBUG;
1119 else
1120 key_type = SMP_LTK_P256;
1121
1122 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1123 auth = 1;
1124 else
1125 auth = 0;
1126
1127 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1128 key_type, auth, smp->tk, smp->enc_key_size,
1129 0, 0);
1130 }
1131
sc_generate_link_key(struct smp_chan * smp)1132 static void sc_generate_link_key(struct smp_chan *smp)
1133 {
1134 /* These constants are as specified in the core specification.
1135 * In ASCII they spell out to 'tmp1' and 'lebr'.
1136 */
1137 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1138 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1139
1140 smp->link_key = kzalloc(16, GFP_KERNEL);
1141 if (!smp->link_key)
1142 return;
1143
1144 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1145 kzfree(smp->link_key);
1146 smp->link_key = NULL;
1147 return;
1148 }
1149
1150 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1151 kzfree(smp->link_key);
1152 smp->link_key = NULL;
1153 return;
1154 }
1155 }
1156
smp_allow_key_dist(struct smp_chan * smp)1157 static void smp_allow_key_dist(struct smp_chan *smp)
1158 {
1159 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1160 * will be allowed in each PDU handler to ensure we receive
1161 * them in the correct order.
1162 */
1163 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1164 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1165 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1166 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1167 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1168 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1169 }
1170
sc_generate_ltk(struct smp_chan * smp)1171 static void sc_generate_ltk(struct smp_chan *smp)
1172 {
1173 /* These constants are as specified in the core specification.
1174 * In ASCII they spell out to 'tmp2' and 'brle'.
1175 */
1176 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1177 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1178 struct hci_conn *hcon = smp->conn->hcon;
1179 struct hci_dev *hdev = hcon->hdev;
1180 struct link_key *key;
1181
1182 key = hci_find_link_key(hdev, &hcon->dst);
1183 if (!key) {
1184 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1185 return;
1186 }
1187
1188 if (key->type == HCI_LK_DEBUG_COMBINATION)
1189 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1190
1191 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1192 return;
1193
1194 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1195 return;
1196
1197 sc_add_ltk(smp);
1198 }
1199
smp_distribute_keys(struct smp_chan * smp)1200 static void smp_distribute_keys(struct smp_chan *smp)
1201 {
1202 struct smp_cmd_pairing *req, *rsp;
1203 struct l2cap_conn *conn = smp->conn;
1204 struct hci_conn *hcon = conn->hcon;
1205 struct hci_dev *hdev = hcon->hdev;
1206 __u8 *keydist;
1207
1208 BT_DBG("conn %p", conn);
1209
1210 rsp = (void *) &smp->prsp[1];
1211
1212 /* The responder sends its keys first */
1213 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1214 smp_allow_key_dist(smp);
1215 return;
1216 }
1217
1218 req = (void *) &smp->preq[1];
1219
1220 if (hcon->out) {
1221 keydist = &rsp->init_key_dist;
1222 *keydist &= req->init_key_dist;
1223 } else {
1224 keydist = &rsp->resp_key_dist;
1225 *keydist &= req->resp_key_dist;
1226 }
1227
1228 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1229 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1230 sc_generate_link_key(smp);
1231 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1232 sc_generate_ltk(smp);
1233
1234 /* Clear the keys which are generated but not distributed */
1235 *keydist &= ~SMP_SC_NO_DIST;
1236 }
1237
1238 BT_DBG("keydist 0x%x", *keydist);
1239
1240 if (*keydist & SMP_DIST_ENC_KEY) {
1241 struct smp_cmd_encrypt_info enc;
1242 struct smp_cmd_master_ident ident;
1243 struct smp_ltk *ltk;
1244 u8 authenticated;
1245 __le16 ediv;
1246 __le64 rand;
1247
1248 /* Make sure we generate only the significant amount of
1249 * bytes based on the encryption key size, and set the rest
1250 * of the value to zeroes.
1251 */
1252 get_random_bytes(enc.ltk, smp->enc_key_size);
1253 memset(enc.ltk + smp->enc_key_size, 0,
1254 sizeof(enc.ltk) - smp->enc_key_size);
1255
1256 get_random_bytes(&ediv, sizeof(ediv));
1257 get_random_bytes(&rand, sizeof(rand));
1258
1259 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1260
1261 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1262 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1263 SMP_LTK_SLAVE, authenticated, enc.ltk,
1264 smp->enc_key_size, ediv, rand);
1265 smp->slave_ltk = ltk;
1266
1267 ident.ediv = ediv;
1268 ident.rand = rand;
1269
1270 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1271
1272 *keydist &= ~SMP_DIST_ENC_KEY;
1273 }
1274
1275 if (*keydist & SMP_DIST_ID_KEY) {
1276 struct smp_cmd_ident_addr_info addrinfo;
1277 struct smp_cmd_ident_info idinfo;
1278
1279 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1280
1281 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1282
1283 /* The hci_conn contains the local identity address
1284 * after the connection has been established.
1285 *
1286 * This is true even when the connection has been
1287 * established using a resolvable random address.
1288 */
1289 bacpy(&addrinfo.bdaddr, &hcon->src);
1290 addrinfo.addr_type = hcon->src_type;
1291
1292 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1293 &addrinfo);
1294
1295 *keydist &= ~SMP_DIST_ID_KEY;
1296 }
1297
1298 if (*keydist & SMP_DIST_SIGN) {
1299 struct smp_cmd_sign_info sign;
1300 struct smp_csrk *csrk;
1301
1302 /* Generate a new random key */
1303 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1304
1305 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1306 if (csrk) {
1307 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1308 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1309 else
1310 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1311 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1312 }
1313 smp->slave_csrk = csrk;
1314
1315 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1316
1317 *keydist &= ~SMP_DIST_SIGN;
1318 }
1319
1320 /* If there are still keys to be received wait for them */
1321 if (smp->remote_key_dist & KEY_DIST_MASK) {
1322 smp_allow_key_dist(smp);
1323 return;
1324 }
1325
1326 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1327 smp_notify_keys(conn);
1328
1329 smp_chan_destroy(conn);
1330 }
1331
smp_timeout(struct work_struct * work)1332 static void smp_timeout(struct work_struct *work)
1333 {
1334 struct smp_chan *smp = container_of(work, struct smp_chan,
1335 security_timer.work);
1336 struct l2cap_conn *conn = smp->conn;
1337
1338 BT_DBG("conn %p", conn);
1339
1340 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1341 }
1342
smp_chan_create(struct l2cap_conn * conn)1343 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1344 {
1345 struct l2cap_chan *chan = conn->smp;
1346 struct smp_chan *smp;
1347
1348 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1349 if (!smp)
1350 return NULL;
1351
1352 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1353 if (IS_ERR(smp->tfm_aes)) {
1354 BT_ERR("Unable to create AES crypto context");
1355 kzfree(smp);
1356 return NULL;
1357 }
1358
1359 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1360 if (IS_ERR(smp->tfm_cmac)) {
1361 BT_ERR("Unable to create CMAC crypto context");
1362 crypto_free_cipher(smp->tfm_aes);
1363 kzfree(smp);
1364 return NULL;
1365 }
1366
1367 smp->conn = conn;
1368 chan->data = smp;
1369
1370 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1371
1372 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1373
1374 hci_conn_hold(conn->hcon);
1375
1376 return smp;
1377 }
1378
sc_mackey_and_ltk(struct smp_chan * smp,u8 mackey[16],u8 ltk[16])1379 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1380 {
1381 struct hci_conn *hcon = smp->conn->hcon;
1382 u8 *na, *nb, a[7], b[7];
1383
1384 if (hcon->out) {
1385 na = smp->prnd;
1386 nb = smp->rrnd;
1387 } else {
1388 na = smp->rrnd;
1389 nb = smp->prnd;
1390 }
1391
1392 memcpy(a, &hcon->init_addr, 6);
1393 memcpy(b, &hcon->resp_addr, 6);
1394 a[6] = hcon->init_addr_type;
1395 b[6] = hcon->resp_addr_type;
1396
1397 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1398 }
1399
sc_dhkey_check(struct smp_chan * smp)1400 static void sc_dhkey_check(struct smp_chan *smp)
1401 {
1402 struct hci_conn *hcon = smp->conn->hcon;
1403 struct smp_cmd_dhkey_check check;
1404 u8 a[7], b[7], *local_addr, *remote_addr;
1405 u8 io_cap[3], r[16];
1406
1407 memcpy(a, &hcon->init_addr, 6);
1408 memcpy(b, &hcon->resp_addr, 6);
1409 a[6] = hcon->init_addr_type;
1410 b[6] = hcon->resp_addr_type;
1411
1412 if (hcon->out) {
1413 local_addr = a;
1414 remote_addr = b;
1415 memcpy(io_cap, &smp->preq[1], 3);
1416 } else {
1417 local_addr = b;
1418 remote_addr = a;
1419 memcpy(io_cap, &smp->prsp[1], 3);
1420 }
1421
1422 memset(r, 0, sizeof(r));
1423
1424 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1425 put_unaligned_le32(hcon->passkey_notify, r);
1426
1427 if (smp->method == REQ_OOB)
1428 memcpy(r, smp->rr, 16);
1429
1430 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1431 local_addr, remote_addr, check.e);
1432
1433 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1434 }
1435
sc_passkey_send_confirm(struct smp_chan * smp)1436 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1437 {
1438 struct l2cap_conn *conn = smp->conn;
1439 struct hci_conn *hcon = conn->hcon;
1440 struct smp_cmd_pairing_confirm cfm;
1441 u8 r;
1442
1443 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1444 r |= 0x80;
1445
1446 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1447
1448 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1449 cfm.confirm_val))
1450 return SMP_UNSPECIFIED;
1451
1452 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1453
1454 return 0;
1455 }
1456
sc_passkey_round(struct smp_chan * smp,u8 smp_op)1457 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1458 {
1459 struct l2cap_conn *conn = smp->conn;
1460 struct hci_conn *hcon = conn->hcon;
1461 struct hci_dev *hdev = hcon->hdev;
1462 u8 cfm[16], r;
1463
1464 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1465 if (smp->passkey_round >= 20)
1466 return 0;
1467
1468 switch (smp_op) {
1469 case SMP_CMD_PAIRING_RANDOM:
1470 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1471 r |= 0x80;
1472
1473 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1474 smp->rrnd, r, cfm))
1475 return SMP_UNSPECIFIED;
1476
1477 if (crypto_memneq(smp->pcnf, cfm, 16))
1478 return SMP_CONFIRM_FAILED;
1479
1480 smp->passkey_round++;
1481
1482 if (smp->passkey_round == 20) {
1483 /* Generate MacKey and LTK */
1484 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1485 return SMP_UNSPECIFIED;
1486 }
1487
1488 /* The round is only complete when the initiator
1489 * receives pairing random.
1490 */
1491 if (!hcon->out) {
1492 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1493 sizeof(smp->prnd), smp->prnd);
1494 if (smp->passkey_round == 20)
1495 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1496 else
1497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1498 return 0;
1499 }
1500
1501 /* Start the next round */
1502 if (smp->passkey_round != 20)
1503 return sc_passkey_round(smp, 0);
1504
1505 /* Passkey rounds are complete - start DHKey Check */
1506 sc_dhkey_check(smp);
1507 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1508
1509 break;
1510
1511 case SMP_CMD_PAIRING_CONFIRM:
1512 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1513 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1514 return 0;
1515 }
1516
1517 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1518
1519 if (hcon->out) {
1520 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1521 sizeof(smp->prnd), smp->prnd);
1522 return 0;
1523 }
1524
1525 return sc_passkey_send_confirm(smp);
1526
1527 case SMP_CMD_PUBLIC_KEY:
1528 default:
1529 /* Initiating device starts the round */
1530 if (!hcon->out)
1531 return 0;
1532
1533 BT_DBG("%s Starting passkey round %u", hdev->name,
1534 smp->passkey_round + 1);
1535
1536 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1537
1538 return sc_passkey_send_confirm(smp);
1539 }
1540
1541 return 0;
1542 }
1543
sc_user_reply(struct smp_chan * smp,u16 mgmt_op,__le32 passkey)1544 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1545 {
1546 struct l2cap_conn *conn = smp->conn;
1547 struct hci_conn *hcon = conn->hcon;
1548 u8 smp_op;
1549
1550 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1551
1552 switch (mgmt_op) {
1553 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1554 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1555 return 0;
1556 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1557 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1558 return 0;
1559 case MGMT_OP_USER_PASSKEY_REPLY:
1560 hcon->passkey_notify = le32_to_cpu(passkey);
1561 smp->passkey_round = 0;
1562
1563 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1564 smp_op = SMP_CMD_PAIRING_CONFIRM;
1565 else
1566 smp_op = 0;
1567
1568 if (sc_passkey_round(smp, smp_op))
1569 return -EIO;
1570
1571 return 0;
1572 }
1573
1574 /* Initiator sends DHKey check first */
1575 if (hcon->out) {
1576 sc_dhkey_check(smp);
1577 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1578 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1579 sc_dhkey_check(smp);
1580 sc_add_ltk(smp);
1581 }
1582
1583 return 0;
1584 }
1585
smp_user_confirm_reply(struct hci_conn * hcon,u16 mgmt_op,__le32 passkey)1586 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1587 {
1588 struct l2cap_conn *conn = hcon->l2cap_data;
1589 struct l2cap_chan *chan;
1590 struct smp_chan *smp;
1591 u32 value;
1592 int err;
1593
1594 BT_DBG("");
1595
1596 if (!conn)
1597 return -ENOTCONN;
1598
1599 chan = conn->smp;
1600 if (!chan)
1601 return -ENOTCONN;
1602
1603 l2cap_chan_lock(chan);
1604 if (!chan->data) {
1605 err = -ENOTCONN;
1606 goto unlock;
1607 }
1608
1609 smp = chan->data;
1610
1611 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1612 err = sc_user_reply(smp, mgmt_op, passkey);
1613 goto unlock;
1614 }
1615
1616 switch (mgmt_op) {
1617 case MGMT_OP_USER_PASSKEY_REPLY:
1618 value = le32_to_cpu(passkey);
1619 memset(smp->tk, 0, sizeof(smp->tk));
1620 BT_DBG("PassKey: %d", value);
1621 put_unaligned_le32(value, smp->tk);
1622 /* Fall Through */
1623 case MGMT_OP_USER_CONFIRM_REPLY:
1624 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1625 break;
1626 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1627 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1628 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1629 err = 0;
1630 goto unlock;
1631 default:
1632 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1633 err = -EOPNOTSUPP;
1634 goto unlock;
1635 }
1636
1637 err = 0;
1638
1639 /* If it is our turn to send Pairing Confirm, do so now */
1640 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1641 u8 rsp = smp_confirm(smp);
1642 if (rsp)
1643 smp_failure(conn, rsp);
1644 }
1645
1646 unlock:
1647 l2cap_chan_unlock(chan);
1648 return err;
1649 }
1650
build_bredr_pairing_cmd(struct smp_chan * smp,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp)1651 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1652 struct smp_cmd_pairing *req,
1653 struct smp_cmd_pairing *rsp)
1654 {
1655 struct l2cap_conn *conn = smp->conn;
1656 struct hci_dev *hdev = conn->hcon->hdev;
1657 u8 local_dist = 0, remote_dist = 0;
1658
1659 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1660 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1661 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1662 }
1663
1664 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1665 remote_dist |= SMP_DIST_ID_KEY;
1666
1667 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1668 local_dist |= SMP_DIST_ID_KEY;
1669
1670 if (!rsp) {
1671 memset(req, 0, sizeof(*req));
1672
1673 req->init_key_dist = local_dist;
1674 req->resp_key_dist = remote_dist;
1675 req->max_key_size = conn->hcon->enc_key_size;
1676
1677 smp->remote_key_dist = remote_dist;
1678
1679 return;
1680 }
1681
1682 memset(rsp, 0, sizeof(*rsp));
1683
1684 rsp->max_key_size = conn->hcon->enc_key_size;
1685 rsp->init_key_dist = req->init_key_dist & remote_dist;
1686 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1687
1688 smp->remote_key_dist = rsp->init_key_dist;
1689 }
1690
smp_cmd_pairing_req(struct l2cap_conn * conn,struct sk_buff * skb)1691 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1692 {
1693 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1694 struct l2cap_chan *chan = conn->smp;
1695 struct hci_dev *hdev = conn->hcon->hdev;
1696 struct smp_chan *smp;
1697 u8 key_size, auth, sec_level;
1698 int ret;
1699
1700 BT_DBG("conn %p", conn);
1701
1702 if (skb->len < sizeof(*req))
1703 return SMP_INVALID_PARAMS;
1704
1705 if (conn->hcon->role != HCI_ROLE_SLAVE)
1706 return SMP_CMD_NOTSUPP;
1707
1708 if (!chan->data)
1709 smp = smp_chan_create(conn);
1710 else
1711 smp = chan->data;
1712
1713 if (!smp)
1714 return SMP_UNSPECIFIED;
1715
1716 /* We didn't start the pairing, so match remote */
1717 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1718
1719 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1720 (auth & SMP_AUTH_BONDING))
1721 return SMP_PAIRING_NOTSUPP;
1722
1723 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1724 return SMP_AUTH_REQUIREMENTS;
1725
1726 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1727 memcpy(&smp->preq[1], req, sizeof(*req));
1728 skb_pull(skb, sizeof(*req));
1729
1730 /* If the remote side's OOB flag is set it means it has
1731 * successfully received our local OOB data - therefore set the
1732 * flag to indicate that local OOB is in use.
1733 */
1734 if (req->oob_flag == SMP_OOB_PRESENT)
1735 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1736
1737 /* SMP over BR/EDR requires special treatment */
1738 if (conn->hcon->type == ACL_LINK) {
1739 /* We must have a BR/EDR SC link */
1740 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1741 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1742 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1743
1744 set_bit(SMP_FLAG_SC, &smp->flags);
1745
1746 build_bredr_pairing_cmd(smp, req, &rsp);
1747
1748 key_size = min(req->max_key_size, rsp.max_key_size);
1749 if (check_enc_key_size(conn, key_size))
1750 return SMP_ENC_KEY_SIZE;
1751
1752 /* Clear bits which are generated but not distributed */
1753 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1754
1755 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1756 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1757 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1758
1759 smp_distribute_keys(smp);
1760 return 0;
1761 }
1762
1763 build_pairing_cmd(conn, req, &rsp, auth);
1764
1765 if (rsp.auth_req & SMP_AUTH_SC)
1766 set_bit(SMP_FLAG_SC, &smp->flags);
1767
1768 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1769 sec_level = BT_SECURITY_MEDIUM;
1770 else
1771 sec_level = authreq_to_seclevel(auth);
1772
1773 if (sec_level > conn->hcon->pending_sec_level)
1774 conn->hcon->pending_sec_level = sec_level;
1775
1776 /* If we need MITM check that it can be achieved */
1777 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1778 u8 method;
1779
1780 method = get_auth_method(smp, conn->hcon->io_capability,
1781 req->io_capability);
1782 if (method == JUST_WORKS || method == JUST_CFM)
1783 return SMP_AUTH_REQUIREMENTS;
1784 }
1785
1786 key_size = min(req->max_key_size, rsp.max_key_size);
1787 if (check_enc_key_size(conn, key_size))
1788 return SMP_ENC_KEY_SIZE;
1789
1790 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1791
1792 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1793 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1794
1795 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1796
1797 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1798
1799 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1800 * SC case, however some implementations incorrectly copy RFU auth
1801 * req bits from our security request, which may create a false
1802 * positive SC enablement.
1803 */
1804 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1805
1806 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1807 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1808 /* Clear bits which are generated but not distributed */
1809 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810 /* Wait for Public Key from Initiating Device */
1811 return 0;
1812 }
1813
1814 /* Request setup of TK */
1815 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1816 if (ret)
1817 return SMP_UNSPECIFIED;
1818
1819 return 0;
1820 }
1821
sc_send_public_key(struct smp_chan * smp)1822 static u8 sc_send_public_key(struct smp_chan *smp)
1823 {
1824 struct hci_dev *hdev = smp->conn->hcon->hdev;
1825
1826 BT_DBG("");
1827
1828 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1829 struct l2cap_chan *chan = hdev->smp_data;
1830 struct smp_dev *smp_dev;
1831
1832 if (!chan || !chan->data)
1833 return SMP_UNSPECIFIED;
1834
1835 smp_dev = chan->data;
1836
1837 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1838 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1839 memcpy(smp->lr, smp_dev->local_rand, 16);
1840
1841 if (smp_dev->debug_key)
1842 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1843
1844 goto done;
1845 }
1846
1847 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1848 BT_DBG("Using debug keys");
1849 memcpy(smp->local_pk, debug_pk, 64);
1850 memcpy(smp->local_sk, debug_sk, 32);
1851 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1852 } else {
1853 while (true) {
1854 /* Generate local key pair for Secure Connections */
1855 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1856 return SMP_UNSPECIFIED;
1857
1858 /* This is unlikely, but we need to check that
1859 * we didn't accidentially generate a debug key.
1860 */
1861 if (crypto_memneq(smp->local_sk, debug_sk, 32))
1862 break;
1863 }
1864 }
1865
1866 done:
1867 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1868 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1869 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1870
1871 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1872
1873 return 0;
1874 }
1875
smp_cmd_pairing_rsp(struct l2cap_conn * conn,struct sk_buff * skb)1876 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1877 {
1878 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1879 struct l2cap_chan *chan = conn->smp;
1880 struct smp_chan *smp = chan->data;
1881 struct hci_dev *hdev = conn->hcon->hdev;
1882 u8 key_size, auth;
1883 int ret;
1884
1885 BT_DBG("conn %p", conn);
1886
1887 if (skb->len < sizeof(*rsp))
1888 return SMP_INVALID_PARAMS;
1889
1890 if (conn->hcon->role != HCI_ROLE_MASTER)
1891 return SMP_CMD_NOTSUPP;
1892
1893 skb_pull(skb, sizeof(*rsp));
1894
1895 req = (void *) &smp->preq[1];
1896
1897 key_size = min(req->max_key_size, rsp->max_key_size);
1898 if (check_enc_key_size(conn, key_size))
1899 return SMP_ENC_KEY_SIZE;
1900
1901 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1902
1903 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1904 return SMP_AUTH_REQUIREMENTS;
1905
1906 /* If the remote side's OOB flag is set it means it has
1907 * successfully received our local OOB data - therefore set the
1908 * flag to indicate that local OOB is in use.
1909 */
1910 if (rsp->oob_flag == SMP_OOB_PRESENT)
1911 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1912
1913 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1914 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1915
1916 /* Update remote key distribution in case the remote cleared
1917 * some bits that we had enabled in our request.
1918 */
1919 smp->remote_key_dist &= rsp->resp_key_dist;
1920
1921 /* For BR/EDR this means we're done and can start phase 3 */
1922 if (conn->hcon->type == ACL_LINK) {
1923 /* Clear bits which are generated but not distributed */
1924 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1925 smp_distribute_keys(smp);
1926 return 0;
1927 }
1928
1929 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1930 set_bit(SMP_FLAG_SC, &smp->flags);
1931 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1932 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1933
1934 /* If we need MITM check that it can be achieved */
1935 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1936 u8 method;
1937
1938 method = get_auth_method(smp, req->io_capability,
1939 rsp->io_capability);
1940 if (method == JUST_WORKS || method == JUST_CFM)
1941 return SMP_AUTH_REQUIREMENTS;
1942 }
1943
1944 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1945
1946 /* Update remote key distribution in case the remote cleared
1947 * some bits that we had enabled in our request.
1948 */
1949 smp->remote_key_dist &= rsp->resp_key_dist;
1950
1951 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1952 /* Clear bits which are generated but not distributed */
1953 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1954 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1955 return sc_send_public_key(smp);
1956 }
1957
1958 auth |= req->auth_req;
1959
1960 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1961 if (ret)
1962 return SMP_UNSPECIFIED;
1963
1964 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1965
1966 /* Can't compose response until we have been confirmed */
1967 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1968 return smp_confirm(smp);
1969
1970 return 0;
1971 }
1972
sc_check_confirm(struct smp_chan * smp)1973 static u8 sc_check_confirm(struct smp_chan *smp)
1974 {
1975 struct l2cap_conn *conn = smp->conn;
1976
1977 BT_DBG("");
1978
1979 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1980 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1981
1982 if (conn->hcon->out) {
1983 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1984 smp->prnd);
1985 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1986 }
1987
1988 return 0;
1989 }
1990
1991 /* Work-around for some implementations that incorrectly copy RFU bits
1992 * from our security request and thereby create the impression that
1993 * we're doing SC when in fact the remote doesn't support it.
1994 */
fixup_sc_false_positive(struct smp_chan * smp)1995 static int fixup_sc_false_positive(struct smp_chan *smp)
1996 {
1997 struct l2cap_conn *conn = smp->conn;
1998 struct hci_conn *hcon = conn->hcon;
1999 struct hci_dev *hdev = hcon->hdev;
2000 struct smp_cmd_pairing *req, *rsp;
2001 u8 auth;
2002
2003 /* The issue is only observed when we're in slave role */
2004 if (hcon->out)
2005 return SMP_UNSPECIFIED;
2006
2007 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2008 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2009 return SMP_UNSPECIFIED;
2010 }
2011
2012 BT_ERR("Trying to fall back to legacy SMP");
2013
2014 req = (void *) &smp->preq[1];
2015 rsp = (void *) &smp->prsp[1];
2016
2017 /* Rebuild key dist flags which may have been cleared for SC */
2018 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2019
2020 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2021
2022 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2023 BT_ERR("Failed to fall back to legacy SMP");
2024 return SMP_UNSPECIFIED;
2025 }
2026
2027 clear_bit(SMP_FLAG_SC, &smp->flags);
2028
2029 return 0;
2030 }
2031
smp_cmd_pairing_confirm(struct l2cap_conn * conn,struct sk_buff * skb)2032 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2033 {
2034 struct l2cap_chan *chan = conn->smp;
2035 struct smp_chan *smp = chan->data;
2036
2037 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2038
2039 if (skb->len < sizeof(smp->pcnf))
2040 return SMP_INVALID_PARAMS;
2041
2042 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2043 skb_pull(skb, sizeof(smp->pcnf));
2044
2045 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2046 int ret;
2047
2048 /* Public Key exchange must happen before any other steps */
2049 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2050 return sc_check_confirm(smp);
2051
2052 BT_ERR("Unexpected SMP Pairing Confirm");
2053
2054 ret = fixup_sc_false_positive(smp);
2055 if (ret)
2056 return ret;
2057 }
2058
2059 if (conn->hcon->out) {
2060 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2061 smp->prnd);
2062 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2063 return 0;
2064 }
2065
2066 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2067 return smp_confirm(smp);
2068
2069 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2070
2071 return 0;
2072 }
2073
smp_cmd_pairing_random(struct l2cap_conn * conn,struct sk_buff * skb)2074 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2075 {
2076 struct l2cap_chan *chan = conn->smp;
2077 struct smp_chan *smp = chan->data;
2078 struct hci_conn *hcon = conn->hcon;
2079 u8 *pkax, *pkbx, *na, *nb;
2080 u32 passkey;
2081 int err;
2082
2083 BT_DBG("conn %p", conn);
2084
2085 if (skb->len < sizeof(smp->rrnd))
2086 return SMP_INVALID_PARAMS;
2087
2088 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2089 skb_pull(skb, sizeof(smp->rrnd));
2090
2091 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2092 return smp_random(smp);
2093
2094 if (hcon->out) {
2095 pkax = smp->local_pk;
2096 pkbx = smp->remote_pk;
2097 na = smp->prnd;
2098 nb = smp->rrnd;
2099 } else {
2100 pkax = smp->remote_pk;
2101 pkbx = smp->local_pk;
2102 na = smp->rrnd;
2103 nb = smp->prnd;
2104 }
2105
2106 if (smp->method == REQ_OOB) {
2107 if (!hcon->out)
2108 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2109 sizeof(smp->prnd), smp->prnd);
2110 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2111 goto mackey_and_ltk;
2112 }
2113
2114 /* Passkey entry has special treatment */
2115 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2116 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2117
2118 if (hcon->out) {
2119 u8 cfm[16];
2120
2121 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2122 smp->rrnd, 0, cfm);
2123 if (err)
2124 return SMP_UNSPECIFIED;
2125
2126 if (crypto_memneq(smp->pcnf, cfm, 16))
2127 return SMP_CONFIRM_FAILED;
2128 } else {
2129 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2130 smp->prnd);
2131 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2132 }
2133
2134 mackey_and_ltk:
2135 /* Generate MacKey and LTK */
2136 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2137 if (err)
2138 return SMP_UNSPECIFIED;
2139
2140 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2141 if (hcon->out) {
2142 sc_dhkey_check(smp);
2143 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2144 }
2145 return 0;
2146 }
2147
2148 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2149 if (err)
2150 return SMP_UNSPECIFIED;
2151
2152 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2153 hcon->dst_type, passkey, 0);
2154 if (err)
2155 return SMP_UNSPECIFIED;
2156
2157 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2158
2159 return 0;
2160 }
2161
smp_ltk_encrypt(struct l2cap_conn * conn,u8 sec_level)2162 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2163 {
2164 struct smp_ltk *key;
2165 struct hci_conn *hcon = conn->hcon;
2166
2167 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2168 if (!key)
2169 return false;
2170
2171 if (smp_ltk_sec_level(key) < sec_level)
2172 return false;
2173
2174 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2175 return true;
2176
2177 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2178 hcon->enc_key_size = key->enc_size;
2179
2180 /* We never store STKs for master role, so clear this flag */
2181 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2182
2183 return true;
2184 }
2185
smp_sufficient_security(struct hci_conn * hcon,u8 sec_level,enum smp_key_pref key_pref)2186 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2187 enum smp_key_pref key_pref)
2188 {
2189 if (sec_level == BT_SECURITY_LOW)
2190 return true;
2191
2192 /* If we're encrypted with an STK but the caller prefers using
2193 * LTK claim insufficient security. This way we allow the
2194 * connection to be re-encrypted with an LTK, even if the LTK
2195 * provides the same level of security. Only exception is if we
2196 * don't have an LTK (e.g. because of key distribution bits).
2197 */
2198 if (key_pref == SMP_USE_LTK &&
2199 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2200 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2201 return false;
2202
2203 if (hcon->sec_level >= sec_level)
2204 return true;
2205
2206 return false;
2207 }
2208
smp_cmd_security_req(struct l2cap_conn * conn,struct sk_buff * skb)2209 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2210 {
2211 struct smp_cmd_security_req *rp = (void *) skb->data;
2212 struct smp_cmd_pairing cp;
2213 struct hci_conn *hcon = conn->hcon;
2214 struct hci_dev *hdev = hcon->hdev;
2215 struct smp_chan *smp;
2216 u8 sec_level, auth;
2217
2218 BT_DBG("conn %p", conn);
2219
2220 if (skb->len < sizeof(*rp))
2221 return SMP_INVALID_PARAMS;
2222
2223 if (hcon->role != HCI_ROLE_MASTER)
2224 return SMP_CMD_NOTSUPP;
2225
2226 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2227
2228 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2229 return SMP_AUTH_REQUIREMENTS;
2230
2231 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2232 sec_level = BT_SECURITY_MEDIUM;
2233 else
2234 sec_level = authreq_to_seclevel(auth);
2235
2236 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2237 /* If link is already encrypted with sufficient security we
2238 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2239 * Part H 2.4.6
2240 */
2241 smp_ltk_encrypt(conn, hcon->sec_level);
2242 return 0;
2243 }
2244
2245 if (sec_level > hcon->pending_sec_level)
2246 hcon->pending_sec_level = sec_level;
2247
2248 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2249 return 0;
2250
2251 smp = smp_chan_create(conn);
2252 if (!smp)
2253 return SMP_UNSPECIFIED;
2254
2255 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2256 (auth & SMP_AUTH_BONDING))
2257 return SMP_PAIRING_NOTSUPP;
2258
2259 skb_pull(skb, sizeof(*rp));
2260
2261 memset(&cp, 0, sizeof(cp));
2262 build_pairing_cmd(conn, &cp, NULL, auth);
2263
2264 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2265 memcpy(&smp->preq[1], &cp, sizeof(cp));
2266
2267 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2268 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2269
2270 return 0;
2271 }
2272
smp_conn_security(struct hci_conn * hcon,__u8 sec_level)2273 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2274 {
2275 struct l2cap_conn *conn = hcon->l2cap_data;
2276 struct l2cap_chan *chan;
2277 struct smp_chan *smp;
2278 __u8 authreq;
2279 int ret;
2280
2281 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2282
2283 /* This may be NULL if there's an unexpected disconnection */
2284 if (!conn)
2285 return 1;
2286
2287 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2288 return 1;
2289
2290 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2291 return 1;
2292
2293 if (sec_level > hcon->pending_sec_level)
2294 hcon->pending_sec_level = sec_level;
2295
2296 if (hcon->role == HCI_ROLE_MASTER)
2297 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2298 return 0;
2299
2300 chan = conn->smp;
2301 if (!chan) {
2302 BT_ERR("SMP security requested but not available");
2303 return 1;
2304 }
2305
2306 l2cap_chan_lock(chan);
2307
2308 /* If SMP is already in progress ignore this request */
2309 if (chan->data) {
2310 ret = 0;
2311 goto unlock;
2312 }
2313
2314 smp = smp_chan_create(conn);
2315 if (!smp) {
2316 ret = 1;
2317 goto unlock;
2318 }
2319
2320 authreq = seclevel_to_authreq(sec_level);
2321
2322 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2323 authreq |= SMP_AUTH_SC;
2324
2325 /* Require MITM if IO Capability allows or the security level
2326 * requires it.
2327 */
2328 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2329 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2330 authreq |= SMP_AUTH_MITM;
2331
2332 if (hcon->role == HCI_ROLE_MASTER) {
2333 struct smp_cmd_pairing cp;
2334
2335 build_pairing_cmd(conn, &cp, NULL, authreq);
2336 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2337 memcpy(&smp->preq[1], &cp, sizeof(cp));
2338
2339 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2340 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2341 } else {
2342 struct smp_cmd_security_req cp;
2343 cp.auth_req = authreq;
2344 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2345 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2346 }
2347
2348 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2349 ret = 0;
2350
2351 unlock:
2352 l2cap_chan_unlock(chan);
2353 return ret;
2354 }
2355
smp_cancel_pairing(struct hci_conn * hcon)2356 void smp_cancel_pairing(struct hci_conn *hcon)
2357 {
2358 struct l2cap_conn *conn = hcon->l2cap_data;
2359 struct l2cap_chan *chan;
2360 struct smp_chan *smp;
2361
2362 if (!conn)
2363 return;
2364
2365 chan = conn->smp;
2366 if (!chan)
2367 return;
2368
2369 l2cap_chan_lock(chan);
2370
2371 smp = chan->data;
2372 if (smp) {
2373 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2374 smp_failure(conn, 0);
2375 else
2376 smp_failure(conn, SMP_UNSPECIFIED);
2377 }
2378
2379 l2cap_chan_unlock(chan);
2380 }
2381
smp_cmd_encrypt_info(struct l2cap_conn * conn,struct sk_buff * skb)2382 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2383 {
2384 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2385 struct l2cap_chan *chan = conn->smp;
2386 struct smp_chan *smp = chan->data;
2387
2388 BT_DBG("conn %p", conn);
2389
2390 if (skb->len < sizeof(*rp))
2391 return SMP_INVALID_PARAMS;
2392
2393 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2394
2395 skb_pull(skb, sizeof(*rp));
2396
2397 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2398
2399 return 0;
2400 }
2401
smp_cmd_master_ident(struct l2cap_conn * conn,struct sk_buff * skb)2402 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2403 {
2404 struct smp_cmd_master_ident *rp = (void *) skb->data;
2405 struct l2cap_chan *chan = conn->smp;
2406 struct smp_chan *smp = chan->data;
2407 struct hci_dev *hdev = conn->hcon->hdev;
2408 struct hci_conn *hcon = conn->hcon;
2409 struct smp_ltk *ltk;
2410 u8 authenticated;
2411
2412 BT_DBG("conn %p", conn);
2413
2414 if (skb->len < sizeof(*rp))
2415 return SMP_INVALID_PARAMS;
2416
2417 /* Mark the information as received */
2418 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2419
2420 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2421 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2422 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2423 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2424
2425 skb_pull(skb, sizeof(*rp));
2426
2427 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2428 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2429 authenticated, smp->tk, smp->enc_key_size,
2430 rp->ediv, rp->rand);
2431 smp->ltk = ltk;
2432 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2433 smp_distribute_keys(smp);
2434
2435 return 0;
2436 }
2437
smp_cmd_ident_info(struct l2cap_conn * conn,struct sk_buff * skb)2438 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2439 {
2440 struct smp_cmd_ident_info *info = (void *) skb->data;
2441 struct l2cap_chan *chan = conn->smp;
2442 struct smp_chan *smp = chan->data;
2443
2444 BT_DBG("");
2445
2446 if (skb->len < sizeof(*info))
2447 return SMP_INVALID_PARAMS;
2448
2449 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2450
2451 skb_pull(skb, sizeof(*info));
2452
2453 memcpy(smp->irk, info->irk, 16);
2454
2455 return 0;
2456 }
2457
smp_cmd_ident_addr_info(struct l2cap_conn * conn,struct sk_buff * skb)2458 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2459 struct sk_buff *skb)
2460 {
2461 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2462 struct l2cap_chan *chan = conn->smp;
2463 struct smp_chan *smp = chan->data;
2464 struct hci_conn *hcon = conn->hcon;
2465 bdaddr_t rpa;
2466
2467 BT_DBG("");
2468
2469 if (skb->len < sizeof(*info))
2470 return SMP_INVALID_PARAMS;
2471
2472 /* Mark the information as received */
2473 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2474
2475 if (smp->remote_key_dist & SMP_DIST_SIGN)
2476 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2477
2478 skb_pull(skb, sizeof(*info));
2479
2480 /* Strictly speaking the Core Specification (4.1) allows sending
2481 * an empty address which would force us to rely on just the IRK
2482 * as "identity information". However, since such
2483 * implementations are not known of and in order to not over
2484 * complicate our implementation, simply pretend that we never
2485 * received an IRK for such a device.
2486 *
2487 * The Identity Address must also be a Static Random or Public
2488 * Address, which hci_is_identity_address() checks for.
2489 */
2490 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2491 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2492 BT_ERR("Ignoring IRK with no identity address");
2493 goto distribute;
2494 }
2495
2496 bacpy(&smp->id_addr, &info->bdaddr);
2497 smp->id_addr_type = info->addr_type;
2498
2499 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2500 bacpy(&rpa, &hcon->dst);
2501 else
2502 bacpy(&rpa, BDADDR_ANY);
2503
2504 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2505 smp->id_addr_type, smp->irk, &rpa);
2506
2507 distribute:
2508 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2509 smp_distribute_keys(smp);
2510
2511 return 0;
2512 }
2513
smp_cmd_sign_info(struct l2cap_conn * conn,struct sk_buff * skb)2514 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2515 {
2516 struct smp_cmd_sign_info *rp = (void *) skb->data;
2517 struct l2cap_chan *chan = conn->smp;
2518 struct smp_chan *smp = chan->data;
2519 struct smp_csrk *csrk;
2520
2521 BT_DBG("conn %p", conn);
2522
2523 if (skb->len < sizeof(*rp))
2524 return SMP_INVALID_PARAMS;
2525
2526 /* Mark the information as received */
2527 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2528
2529 skb_pull(skb, sizeof(*rp));
2530
2531 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2532 if (csrk) {
2533 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2534 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2535 else
2536 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2537 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2538 }
2539 smp->csrk = csrk;
2540 smp_distribute_keys(smp);
2541
2542 return 0;
2543 }
2544
sc_select_method(struct smp_chan * smp)2545 static u8 sc_select_method(struct smp_chan *smp)
2546 {
2547 struct l2cap_conn *conn = smp->conn;
2548 struct hci_conn *hcon = conn->hcon;
2549 struct smp_cmd_pairing *local, *remote;
2550 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2551
2552 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2553 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2554 return REQ_OOB;
2555
2556 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2557 * which are needed as inputs to some crypto functions. To get
2558 * the "struct smp_cmd_pairing" from them we need to skip the
2559 * first byte which contains the opcode.
2560 */
2561 if (hcon->out) {
2562 local = (void *) &smp->preq[1];
2563 remote = (void *) &smp->prsp[1];
2564 } else {
2565 local = (void *) &smp->prsp[1];
2566 remote = (void *) &smp->preq[1];
2567 }
2568
2569 local_io = local->io_capability;
2570 remote_io = remote->io_capability;
2571
2572 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2573 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2574
2575 /* If either side wants MITM, look up the method from the table,
2576 * otherwise use JUST WORKS.
2577 */
2578 if (local_mitm || remote_mitm)
2579 method = get_auth_method(smp, local_io, remote_io);
2580 else
2581 method = JUST_WORKS;
2582
2583 /* Don't confirm locally initiated pairing attempts */
2584 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2585 method = JUST_WORKS;
2586
2587 return method;
2588 }
2589
smp_cmd_public_key(struct l2cap_conn * conn,struct sk_buff * skb)2590 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2591 {
2592 struct smp_cmd_public_key *key = (void *) skb->data;
2593 struct hci_conn *hcon = conn->hcon;
2594 struct l2cap_chan *chan = conn->smp;
2595 struct smp_chan *smp = chan->data;
2596 struct hci_dev *hdev = hcon->hdev;
2597 struct smp_cmd_pairing_confirm cfm;
2598 int err;
2599
2600 BT_DBG("conn %p", conn);
2601
2602 if (skb->len < sizeof(*key))
2603 return SMP_INVALID_PARAMS;
2604
2605 memcpy(smp->remote_pk, key, 64);
2606
2607 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2608 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2609 smp->rr, 0, cfm.confirm_val);
2610 if (err)
2611 return SMP_UNSPECIFIED;
2612
2613 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2614 return SMP_CONFIRM_FAILED;
2615 }
2616
2617 /* Non-initiating device sends its public key after receiving
2618 * the key from the initiating device.
2619 */
2620 if (!hcon->out) {
2621 err = sc_send_public_key(smp);
2622 if (err)
2623 return err;
2624 }
2625
2626 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2627 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2628
2629 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2630 return SMP_UNSPECIFIED;
2631
2632 SMP_DBG("DHKey %32phN", smp->dhkey);
2633
2634 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2635
2636 smp->method = sc_select_method(smp);
2637
2638 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2639
2640 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2641 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2642 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2643 else
2644 hcon->pending_sec_level = BT_SECURITY_FIPS;
2645
2646 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2647 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2648
2649 if (smp->method == DSP_PASSKEY) {
2650 get_random_bytes(&hcon->passkey_notify,
2651 sizeof(hcon->passkey_notify));
2652 hcon->passkey_notify %= 1000000;
2653 hcon->passkey_entered = 0;
2654 smp->passkey_round = 0;
2655 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2656 hcon->dst_type,
2657 hcon->passkey_notify,
2658 hcon->passkey_entered))
2659 return SMP_UNSPECIFIED;
2660 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2661 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2662 }
2663
2664 if (smp->method == REQ_OOB) {
2665 if (hcon->out)
2666 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2667 sizeof(smp->prnd), smp->prnd);
2668
2669 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2670
2671 return 0;
2672 }
2673
2674 if (hcon->out)
2675 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2676
2677 if (smp->method == REQ_PASSKEY) {
2678 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2679 hcon->dst_type))
2680 return SMP_UNSPECIFIED;
2681 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2682 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2683 return 0;
2684 }
2685
2686 /* The Initiating device waits for the non-initiating device to
2687 * send the confirm value.
2688 */
2689 if (conn->hcon->out)
2690 return 0;
2691
2692 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2693 0, cfm.confirm_val);
2694 if (err)
2695 return SMP_UNSPECIFIED;
2696
2697 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2698 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2699
2700 return 0;
2701 }
2702
smp_cmd_dhkey_check(struct l2cap_conn * conn,struct sk_buff * skb)2703 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2704 {
2705 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2706 struct l2cap_chan *chan = conn->smp;
2707 struct hci_conn *hcon = conn->hcon;
2708 struct smp_chan *smp = chan->data;
2709 u8 a[7], b[7], *local_addr, *remote_addr;
2710 u8 io_cap[3], r[16], e[16];
2711 int err;
2712
2713 BT_DBG("conn %p", conn);
2714
2715 if (skb->len < sizeof(*check))
2716 return SMP_INVALID_PARAMS;
2717
2718 memcpy(a, &hcon->init_addr, 6);
2719 memcpy(b, &hcon->resp_addr, 6);
2720 a[6] = hcon->init_addr_type;
2721 b[6] = hcon->resp_addr_type;
2722
2723 if (hcon->out) {
2724 local_addr = a;
2725 remote_addr = b;
2726 memcpy(io_cap, &smp->prsp[1], 3);
2727 } else {
2728 local_addr = b;
2729 remote_addr = a;
2730 memcpy(io_cap, &smp->preq[1], 3);
2731 }
2732
2733 memset(r, 0, sizeof(r));
2734
2735 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2736 put_unaligned_le32(hcon->passkey_notify, r);
2737 else if (smp->method == REQ_OOB)
2738 memcpy(r, smp->lr, 16);
2739
2740 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2741 io_cap, remote_addr, local_addr, e);
2742 if (err)
2743 return SMP_UNSPECIFIED;
2744
2745 if (crypto_memneq(check->e, e, 16))
2746 return SMP_DHKEY_CHECK_FAILED;
2747
2748 if (!hcon->out) {
2749 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2750 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2751 return 0;
2752 }
2753
2754 /* Slave sends DHKey check as response to master */
2755 sc_dhkey_check(smp);
2756 }
2757
2758 sc_add_ltk(smp);
2759
2760 if (hcon->out) {
2761 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2762 hcon->enc_key_size = smp->enc_key_size;
2763 }
2764
2765 return 0;
2766 }
2767
smp_cmd_keypress_notify(struct l2cap_conn * conn,struct sk_buff * skb)2768 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2769 struct sk_buff *skb)
2770 {
2771 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2772
2773 BT_DBG("value 0x%02x", kp->value);
2774
2775 return 0;
2776 }
2777
smp_sig_channel(struct l2cap_chan * chan,struct sk_buff * skb)2778 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2779 {
2780 struct l2cap_conn *conn = chan->conn;
2781 struct hci_conn *hcon = conn->hcon;
2782 struct smp_chan *smp;
2783 __u8 code, reason;
2784 int err = 0;
2785
2786 if (skb->len < 1)
2787 return -EILSEQ;
2788
2789 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2790 reason = SMP_PAIRING_NOTSUPP;
2791 goto done;
2792 }
2793
2794 code = skb->data[0];
2795 skb_pull(skb, sizeof(code));
2796
2797 smp = chan->data;
2798
2799 if (code > SMP_CMD_MAX)
2800 goto drop;
2801
2802 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2803 goto drop;
2804
2805 /* If we don't have a context the only allowed commands are
2806 * pairing request and security request.
2807 */
2808 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2809 goto drop;
2810
2811 switch (code) {
2812 case SMP_CMD_PAIRING_REQ:
2813 reason = smp_cmd_pairing_req(conn, skb);
2814 break;
2815
2816 case SMP_CMD_PAIRING_FAIL:
2817 smp_failure(conn, 0);
2818 err = -EPERM;
2819 break;
2820
2821 case SMP_CMD_PAIRING_RSP:
2822 reason = smp_cmd_pairing_rsp(conn, skb);
2823 break;
2824
2825 case SMP_CMD_SECURITY_REQ:
2826 reason = smp_cmd_security_req(conn, skb);
2827 break;
2828
2829 case SMP_CMD_PAIRING_CONFIRM:
2830 reason = smp_cmd_pairing_confirm(conn, skb);
2831 break;
2832
2833 case SMP_CMD_PAIRING_RANDOM:
2834 reason = smp_cmd_pairing_random(conn, skb);
2835 break;
2836
2837 case SMP_CMD_ENCRYPT_INFO:
2838 reason = smp_cmd_encrypt_info(conn, skb);
2839 break;
2840
2841 case SMP_CMD_MASTER_IDENT:
2842 reason = smp_cmd_master_ident(conn, skb);
2843 break;
2844
2845 case SMP_CMD_IDENT_INFO:
2846 reason = smp_cmd_ident_info(conn, skb);
2847 break;
2848
2849 case SMP_CMD_IDENT_ADDR_INFO:
2850 reason = smp_cmd_ident_addr_info(conn, skb);
2851 break;
2852
2853 case SMP_CMD_SIGN_INFO:
2854 reason = smp_cmd_sign_info(conn, skb);
2855 break;
2856
2857 case SMP_CMD_PUBLIC_KEY:
2858 reason = smp_cmd_public_key(conn, skb);
2859 break;
2860
2861 case SMP_CMD_DHKEY_CHECK:
2862 reason = smp_cmd_dhkey_check(conn, skb);
2863 break;
2864
2865 case SMP_CMD_KEYPRESS_NOTIFY:
2866 reason = smp_cmd_keypress_notify(conn, skb);
2867 break;
2868
2869 default:
2870 BT_DBG("Unknown command code 0x%2.2x", code);
2871 reason = SMP_CMD_NOTSUPP;
2872 goto done;
2873 }
2874
2875 done:
2876 if (!err) {
2877 if (reason)
2878 smp_failure(conn, reason);
2879 kfree_skb(skb);
2880 }
2881
2882 return err;
2883
2884 drop:
2885 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2886 code, &hcon->dst);
2887 kfree_skb(skb);
2888 return 0;
2889 }
2890
smp_teardown_cb(struct l2cap_chan * chan,int err)2891 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2892 {
2893 struct l2cap_conn *conn = chan->conn;
2894
2895 BT_DBG("chan %p", chan);
2896
2897 if (chan->data)
2898 smp_chan_destroy(conn);
2899
2900 conn->smp = NULL;
2901 l2cap_chan_put(chan);
2902 }
2903
bredr_pairing(struct l2cap_chan * chan)2904 static void bredr_pairing(struct l2cap_chan *chan)
2905 {
2906 struct l2cap_conn *conn = chan->conn;
2907 struct hci_conn *hcon = conn->hcon;
2908 struct hci_dev *hdev = hcon->hdev;
2909 struct smp_cmd_pairing req;
2910 struct smp_chan *smp;
2911
2912 BT_DBG("chan %p", chan);
2913
2914 /* Only new pairings are interesting */
2915 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2916 return;
2917
2918 /* Don't bother if we're not encrypted */
2919 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2920 return;
2921
2922 /* Only master may initiate SMP over BR/EDR */
2923 if (hcon->role != HCI_ROLE_MASTER)
2924 return;
2925
2926 /* Secure Connections support must be enabled */
2927 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2928 return;
2929
2930 /* BR/EDR must use Secure Connections for SMP */
2931 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2932 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2933 return;
2934
2935 /* If our LE support is not enabled don't do anything */
2936 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2937 return;
2938
2939 /* Don't bother if remote LE support is not enabled */
2940 if (!lmp_host_le_capable(hcon))
2941 return;
2942
2943 /* Remote must support SMP fixed chan for BR/EDR */
2944 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2945 return;
2946
2947 /* Don't bother if SMP is already ongoing */
2948 if (chan->data)
2949 return;
2950
2951 smp = smp_chan_create(conn);
2952 if (!smp) {
2953 BT_ERR("%s unable to create SMP context for BR/EDR",
2954 hdev->name);
2955 return;
2956 }
2957
2958 set_bit(SMP_FLAG_SC, &smp->flags);
2959
2960 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2961
2962 /* Prepare and send the BR/EDR SMP Pairing Request */
2963 build_bredr_pairing_cmd(smp, &req, NULL);
2964
2965 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2966 memcpy(&smp->preq[1], &req, sizeof(req));
2967
2968 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2970 }
2971
smp_resume_cb(struct l2cap_chan * chan)2972 static void smp_resume_cb(struct l2cap_chan *chan)
2973 {
2974 struct smp_chan *smp = chan->data;
2975 struct l2cap_conn *conn = chan->conn;
2976 struct hci_conn *hcon = conn->hcon;
2977
2978 BT_DBG("chan %p", chan);
2979
2980 if (hcon->type == ACL_LINK) {
2981 bredr_pairing(chan);
2982 return;
2983 }
2984
2985 if (!smp)
2986 return;
2987
2988 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2989 return;
2990
2991 cancel_delayed_work(&smp->security_timer);
2992
2993 smp_distribute_keys(smp);
2994 }
2995
smp_ready_cb(struct l2cap_chan * chan)2996 static void smp_ready_cb(struct l2cap_chan *chan)
2997 {
2998 struct l2cap_conn *conn = chan->conn;
2999 struct hci_conn *hcon = conn->hcon;
3000
3001 BT_DBG("chan %p", chan);
3002
3003 /* No need to call l2cap_chan_hold() here since we already own
3004 * the reference taken in smp_new_conn_cb(). This is just the
3005 * first time that we tie it to a specific pointer. The code in
3006 * l2cap_core.c ensures that there's no risk this function wont
3007 * get called if smp_new_conn_cb was previously called.
3008 */
3009 conn->smp = chan;
3010
3011 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3012 bredr_pairing(chan);
3013 }
3014
smp_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)3015 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3016 {
3017 int err;
3018
3019 BT_DBG("chan %p", chan);
3020
3021 err = smp_sig_channel(chan, skb);
3022 if (err) {
3023 struct smp_chan *smp = chan->data;
3024
3025 if (smp)
3026 cancel_delayed_work_sync(&smp->security_timer);
3027
3028 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3029 }
3030
3031 return err;
3032 }
3033
smp_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)3034 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3035 unsigned long hdr_len,
3036 unsigned long len, int nb)
3037 {
3038 struct sk_buff *skb;
3039
3040 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3041 if (!skb)
3042 return ERR_PTR(-ENOMEM);
3043
3044 skb->priority = HCI_PRIO_MAX;
3045 bt_cb(skb)->l2cap.chan = chan;
3046
3047 return skb;
3048 }
3049
3050 static const struct l2cap_ops smp_chan_ops = {
3051 .name = "Security Manager",
3052 .ready = smp_ready_cb,
3053 .recv = smp_recv_cb,
3054 .alloc_skb = smp_alloc_skb_cb,
3055 .teardown = smp_teardown_cb,
3056 .resume = smp_resume_cb,
3057
3058 .new_connection = l2cap_chan_no_new_connection,
3059 .state_change = l2cap_chan_no_state_change,
3060 .close = l2cap_chan_no_close,
3061 .defer = l2cap_chan_no_defer,
3062 .suspend = l2cap_chan_no_suspend,
3063 .set_shutdown = l2cap_chan_no_set_shutdown,
3064 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3065 };
3066
smp_new_conn_cb(struct l2cap_chan * pchan)3067 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3068 {
3069 struct l2cap_chan *chan;
3070
3071 BT_DBG("pchan %p", pchan);
3072
3073 chan = l2cap_chan_create();
3074 if (!chan)
3075 return NULL;
3076
3077 chan->chan_type = pchan->chan_type;
3078 chan->ops = &smp_chan_ops;
3079 chan->scid = pchan->scid;
3080 chan->dcid = chan->scid;
3081 chan->imtu = pchan->imtu;
3082 chan->omtu = pchan->omtu;
3083 chan->mode = pchan->mode;
3084
3085 /* Other L2CAP channels may request SMP routines in order to
3086 * change the security level. This means that the SMP channel
3087 * lock must be considered in its own category to avoid lockdep
3088 * warnings.
3089 */
3090 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3091
3092 BT_DBG("created chan %p", chan);
3093
3094 return chan;
3095 }
3096
3097 static const struct l2cap_ops smp_root_chan_ops = {
3098 .name = "Security Manager Root",
3099 .new_connection = smp_new_conn_cb,
3100
3101 /* None of these are implemented for the root channel */
3102 .close = l2cap_chan_no_close,
3103 .alloc_skb = l2cap_chan_no_alloc_skb,
3104 .recv = l2cap_chan_no_recv,
3105 .state_change = l2cap_chan_no_state_change,
3106 .teardown = l2cap_chan_no_teardown,
3107 .ready = l2cap_chan_no_ready,
3108 .defer = l2cap_chan_no_defer,
3109 .suspend = l2cap_chan_no_suspend,
3110 .resume = l2cap_chan_no_resume,
3111 .set_shutdown = l2cap_chan_no_set_shutdown,
3112 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3113 };
3114
smp_add_cid(struct hci_dev * hdev,u16 cid)3115 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3116 {
3117 struct l2cap_chan *chan;
3118 struct smp_dev *smp;
3119 struct crypto_cipher *tfm_aes;
3120 struct crypto_shash *tfm_cmac;
3121
3122 if (cid == L2CAP_CID_SMP_BREDR) {
3123 smp = NULL;
3124 goto create_chan;
3125 }
3126
3127 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3128 if (!smp)
3129 return ERR_PTR(-ENOMEM);
3130
3131 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3132 if (IS_ERR(tfm_aes)) {
3133 BT_ERR("Unable to create AES crypto context");
3134 kzfree(smp);
3135 return ERR_CAST(tfm_aes);
3136 }
3137
3138 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3139 if (IS_ERR(tfm_cmac)) {
3140 BT_ERR("Unable to create CMAC crypto context");
3141 crypto_free_cipher(tfm_aes);
3142 kzfree(smp);
3143 return ERR_CAST(tfm_cmac);
3144 }
3145
3146 smp->tfm_aes = tfm_aes;
3147 smp->tfm_cmac = tfm_cmac;
3148 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3149 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3150
3151 create_chan:
3152 chan = l2cap_chan_create();
3153 if (!chan) {
3154 if (smp) {
3155 crypto_free_cipher(smp->tfm_aes);
3156 crypto_free_shash(smp->tfm_cmac);
3157 kzfree(smp);
3158 }
3159 return ERR_PTR(-ENOMEM);
3160 }
3161
3162 chan->data = smp;
3163
3164 l2cap_add_scid(chan, cid);
3165
3166 l2cap_chan_set_defaults(chan);
3167
3168 if (cid == L2CAP_CID_SMP) {
3169 u8 bdaddr_type;
3170
3171 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3172
3173 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3174 chan->src_type = BDADDR_LE_PUBLIC;
3175 else
3176 chan->src_type = BDADDR_LE_RANDOM;
3177 } else {
3178 bacpy(&chan->src, &hdev->bdaddr);
3179 chan->src_type = BDADDR_BREDR;
3180 }
3181
3182 chan->state = BT_LISTEN;
3183 chan->mode = L2CAP_MODE_BASIC;
3184 chan->imtu = L2CAP_DEFAULT_MTU;
3185 chan->ops = &smp_root_chan_ops;
3186
3187 /* Set correct nesting level for a parent/listening channel */
3188 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3189
3190 return chan;
3191 }
3192
smp_del_chan(struct l2cap_chan * chan)3193 static void smp_del_chan(struct l2cap_chan *chan)
3194 {
3195 struct smp_dev *smp;
3196
3197 BT_DBG("chan %p", chan);
3198
3199 smp = chan->data;
3200 if (smp) {
3201 chan->data = NULL;
3202 crypto_free_cipher(smp->tfm_aes);
3203 crypto_free_shash(smp->tfm_cmac);
3204 kzfree(smp);
3205 }
3206
3207 l2cap_chan_put(chan);
3208 }
3209
force_bredr_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3210 static ssize_t force_bredr_smp_read(struct file *file,
3211 char __user *user_buf,
3212 size_t count, loff_t *ppos)
3213 {
3214 struct hci_dev *hdev = file->private_data;
3215 char buf[3];
3216
3217 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3218 buf[1] = '\n';
3219 buf[2] = '\0';
3220 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3221 }
3222
force_bredr_smp_write(struct file * file,const char __user * user_buf,size_t count,loff_t * ppos)3223 static ssize_t force_bredr_smp_write(struct file *file,
3224 const char __user *user_buf,
3225 size_t count, loff_t *ppos)
3226 {
3227 struct hci_dev *hdev = file->private_data;
3228 char buf[32];
3229 size_t buf_size = min(count, (sizeof(buf)-1));
3230 bool enable;
3231
3232 if (copy_from_user(buf, user_buf, buf_size))
3233 return -EFAULT;
3234
3235 buf[buf_size] = '\0';
3236 if (strtobool(buf, &enable))
3237 return -EINVAL;
3238
3239 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3240 return -EALREADY;
3241
3242 if (enable) {
3243 struct l2cap_chan *chan;
3244
3245 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3246 if (IS_ERR(chan))
3247 return PTR_ERR(chan);
3248
3249 hdev->smp_bredr_data = chan;
3250 } else {
3251 struct l2cap_chan *chan;
3252
3253 chan = hdev->smp_bredr_data;
3254 hdev->smp_bredr_data = NULL;
3255 smp_del_chan(chan);
3256 }
3257
3258 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3259
3260 return count;
3261 }
3262
3263 static const struct file_operations force_bredr_smp_fops = {
3264 .open = simple_open,
3265 .read = force_bredr_smp_read,
3266 .write = force_bredr_smp_write,
3267 .llseek = default_llseek,
3268 };
3269
le_min_key_size_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3270 static ssize_t le_min_key_size_read(struct file *file,
3271 char __user *user_buf,
3272 size_t count, loff_t *ppos)
3273 {
3274 struct hci_dev *hdev = file->private_data;
3275 char buf[4];
3276
3277 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3278
3279 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3280 }
3281
le_min_key_size_write(struct file * file,const char __user * user_buf,size_t count,loff_t * ppos)3282 static ssize_t le_min_key_size_write(struct file *file,
3283 const char __user *user_buf,
3284 size_t count, loff_t *ppos)
3285 {
3286 struct hci_dev *hdev = file->private_data;
3287 char buf[32];
3288 size_t buf_size = min(count, (sizeof(buf) - 1));
3289 u8 key_size;
3290
3291 if (copy_from_user(buf, user_buf, buf_size))
3292 return -EFAULT;
3293
3294 buf[buf_size] = '\0';
3295
3296 sscanf(buf, "%hhu", &key_size);
3297
3298 if (key_size > SMP_DEV(hdev)->max_key_size ||
3299 key_size < SMP_MIN_ENC_KEY_SIZE)
3300 return -EINVAL;
3301
3302 SMP_DEV(hdev)->min_key_size = key_size;
3303
3304 return count;
3305 }
3306
3307 static const struct file_operations le_min_key_size_fops = {
3308 .open = simple_open,
3309 .read = le_min_key_size_read,
3310 .write = le_min_key_size_write,
3311 .llseek = default_llseek,
3312 };
3313
le_max_key_size_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3314 static ssize_t le_max_key_size_read(struct file *file,
3315 char __user *user_buf,
3316 size_t count, loff_t *ppos)
3317 {
3318 struct hci_dev *hdev = file->private_data;
3319 char buf[4];
3320
3321 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3322
3323 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3324 }
3325
le_max_key_size_write(struct file * file,const char __user * user_buf,size_t count,loff_t * ppos)3326 static ssize_t le_max_key_size_write(struct file *file,
3327 const char __user *user_buf,
3328 size_t count, loff_t *ppos)
3329 {
3330 struct hci_dev *hdev = file->private_data;
3331 char buf[32];
3332 size_t buf_size = min(count, (sizeof(buf) - 1));
3333 u8 key_size;
3334
3335 if (copy_from_user(buf, user_buf, buf_size))
3336 return -EFAULT;
3337
3338 buf[buf_size] = '\0';
3339
3340 sscanf(buf, "%hhu", &key_size);
3341
3342 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3343 key_size < SMP_DEV(hdev)->min_key_size)
3344 return -EINVAL;
3345
3346 SMP_DEV(hdev)->max_key_size = key_size;
3347
3348 return count;
3349 }
3350
3351 static const struct file_operations le_max_key_size_fops = {
3352 .open = simple_open,
3353 .read = le_max_key_size_read,
3354 .write = le_max_key_size_write,
3355 .llseek = default_llseek,
3356 };
3357
smp_register(struct hci_dev * hdev)3358 int smp_register(struct hci_dev *hdev)
3359 {
3360 struct l2cap_chan *chan;
3361
3362 BT_DBG("%s", hdev->name);
3363
3364 /* If the controller does not support Low Energy operation, then
3365 * there is also no need to register any SMP channel.
3366 */
3367 if (!lmp_le_capable(hdev))
3368 return 0;
3369
3370 if (WARN_ON(hdev->smp_data)) {
3371 chan = hdev->smp_data;
3372 hdev->smp_data = NULL;
3373 smp_del_chan(chan);
3374 }
3375
3376 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3377 if (IS_ERR(chan))
3378 return PTR_ERR(chan);
3379
3380 hdev->smp_data = chan;
3381
3382 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3383 &le_min_key_size_fops);
3384 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3385 &le_max_key_size_fops);
3386
3387 /* If the controller does not support BR/EDR Secure Connections
3388 * feature, then the BR/EDR SMP channel shall not be present.
3389 *
3390 * To test this with Bluetooth 4.0 controllers, create a debugfs
3391 * switch that allows forcing BR/EDR SMP support and accepting
3392 * cross-transport pairing on non-AES encrypted connections.
3393 */
3394 if (!lmp_sc_capable(hdev)) {
3395 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3396 hdev, &force_bredr_smp_fops);
3397
3398 /* Flag can be already set here (due to power toggle) */
3399 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3400 return 0;
3401 }
3402
3403 if (WARN_ON(hdev->smp_bredr_data)) {
3404 chan = hdev->smp_bredr_data;
3405 hdev->smp_bredr_data = NULL;
3406 smp_del_chan(chan);
3407 }
3408
3409 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3410 if (IS_ERR(chan)) {
3411 int err = PTR_ERR(chan);
3412 chan = hdev->smp_data;
3413 hdev->smp_data = NULL;
3414 smp_del_chan(chan);
3415 return err;
3416 }
3417
3418 hdev->smp_bredr_data = chan;
3419
3420 return 0;
3421 }
3422
smp_unregister(struct hci_dev * hdev)3423 void smp_unregister(struct hci_dev *hdev)
3424 {
3425 struct l2cap_chan *chan;
3426
3427 if (hdev->smp_bredr_data) {
3428 chan = hdev->smp_bredr_data;
3429 hdev->smp_bredr_data = NULL;
3430 smp_del_chan(chan);
3431 }
3432
3433 if (hdev->smp_data) {
3434 chan = hdev->smp_data;
3435 hdev->smp_data = NULL;
3436 smp_del_chan(chan);
3437 }
3438 }
3439
3440 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3441
test_ah(struct crypto_cipher * tfm_aes)3442 static int __init test_ah(struct crypto_cipher *tfm_aes)
3443 {
3444 const u8 irk[16] = {
3445 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3446 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3447 const u8 r[3] = { 0x94, 0x81, 0x70 };
3448 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3449 u8 res[3];
3450 int err;
3451
3452 err = smp_ah(tfm_aes, irk, r, res);
3453 if (err)
3454 return err;
3455
3456 if (crypto_memneq(res, exp, 3))
3457 return -EINVAL;
3458
3459 return 0;
3460 }
3461
test_c1(struct crypto_cipher * tfm_aes)3462 static int __init test_c1(struct crypto_cipher *tfm_aes)
3463 {
3464 const u8 k[16] = {
3465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3466 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3467 const u8 r[16] = {
3468 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3469 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3470 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3471 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3472 const u8 _iat = 0x01;
3473 const u8 _rat = 0x00;
3474 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3475 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3476 const u8 exp[16] = {
3477 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3478 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3479 u8 res[16];
3480 int err;
3481
3482 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3483 if (err)
3484 return err;
3485
3486 if (crypto_memneq(res, exp, 16))
3487 return -EINVAL;
3488
3489 return 0;
3490 }
3491
test_s1(struct crypto_cipher * tfm_aes)3492 static int __init test_s1(struct crypto_cipher *tfm_aes)
3493 {
3494 const u8 k[16] = {
3495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3497 const u8 r1[16] = {
3498 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3499 const u8 r2[16] = {
3500 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3501 const u8 exp[16] = {
3502 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3503 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3504 u8 res[16];
3505 int err;
3506
3507 err = smp_s1(tfm_aes, k, r1, r2, res);
3508 if (err)
3509 return err;
3510
3511 if (crypto_memneq(res, exp, 16))
3512 return -EINVAL;
3513
3514 return 0;
3515 }
3516
test_f4(struct crypto_shash * tfm_cmac)3517 static int __init test_f4(struct crypto_shash *tfm_cmac)
3518 {
3519 const u8 u[32] = {
3520 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3521 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3522 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3523 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3524 const u8 v[32] = {
3525 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3526 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3527 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3528 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3529 const u8 x[16] = {
3530 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3531 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3532 const u8 z = 0x00;
3533 const u8 exp[16] = {
3534 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3535 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3536 u8 res[16];
3537 int err;
3538
3539 err = smp_f4(tfm_cmac, u, v, x, z, res);
3540 if (err)
3541 return err;
3542
3543 if (crypto_memneq(res, exp, 16))
3544 return -EINVAL;
3545
3546 return 0;
3547 }
3548
test_f5(struct crypto_shash * tfm_cmac)3549 static int __init test_f5(struct crypto_shash *tfm_cmac)
3550 {
3551 const u8 w[32] = {
3552 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3553 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3554 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3555 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3556 const u8 n1[16] = {
3557 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3558 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3559 const u8 n2[16] = {
3560 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3561 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3562 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3563 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3564 const u8 exp_ltk[16] = {
3565 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3566 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3567 const u8 exp_mackey[16] = {
3568 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3569 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3570 u8 mackey[16], ltk[16];
3571 int err;
3572
3573 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3574 if (err)
3575 return err;
3576
3577 if (crypto_memneq(mackey, exp_mackey, 16))
3578 return -EINVAL;
3579
3580 if (crypto_memneq(ltk, exp_ltk, 16))
3581 return -EINVAL;
3582
3583 return 0;
3584 }
3585
test_f6(struct crypto_shash * tfm_cmac)3586 static int __init test_f6(struct crypto_shash *tfm_cmac)
3587 {
3588 const u8 w[16] = {
3589 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3590 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3591 const u8 n1[16] = {
3592 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3593 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3594 const u8 n2[16] = {
3595 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3596 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3597 const u8 r[16] = {
3598 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3599 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3600 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3601 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3602 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3603 const u8 exp[16] = {
3604 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3605 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3606 u8 res[16];
3607 int err;
3608
3609 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3610 if (err)
3611 return err;
3612
3613 if (crypto_memneq(res, exp, 16))
3614 return -EINVAL;
3615
3616 return 0;
3617 }
3618
test_g2(struct crypto_shash * tfm_cmac)3619 static int __init test_g2(struct crypto_shash *tfm_cmac)
3620 {
3621 const u8 u[32] = {
3622 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3623 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3624 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3625 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3626 const u8 v[32] = {
3627 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3628 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3629 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3630 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3631 const u8 x[16] = {
3632 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3633 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3634 const u8 y[16] = {
3635 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3636 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3637 const u32 exp_val = 0x2f9ed5ba % 1000000;
3638 u32 val;
3639 int err;
3640
3641 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3642 if (err)
3643 return err;
3644
3645 if (val != exp_val)
3646 return -EINVAL;
3647
3648 return 0;
3649 }
3650
test_h6(struct crypto_shash * tfm_cmac)3651 static int __init test_h6(struct crypto_shash *tfm_cmac)
3652 {
3653 const u8 w[16] = {
3654 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3655 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3656 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3657 const u8 exp[16] = {
3658 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3659 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3660 u8 res[16];
3661 int err;
3662
3663 err = smp_h6(tfm_cmac, w, key_id, res);
3664 if (err)
3665 return err;
3666
3667 if (crypto_memneq(res, exp, 16))
3668 return -EINVAL;
3669
3670 return 0;
3671 }
3672
3673 static char test_smp_buffer[32];
3674
test_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3675 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3676 size_t count, loff_t *ppos)
3677 {
3678 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3679 strlen(test_smp_buffer));
3680 }
3681
3682 static const struct file_operations test_smp_fops = {
3683 .open = simple_open,
3684 .read = test_smp_read,
3685 .llseek = default_llseek,
3686 };
3687
run_selftests(struct crypto_cipher * tfm_aes,struct crypto_shash * tfm_cmac)3688 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3689 struct crypto_shash *tfm_cmac)
3690 {
3691 ktime_t calltime, delta, rettime;
3692 unsigned long long duration;
3693 int err;
3694
3695 calltime = ktime_get();
3696
3697 err = test_ah(tfm_aes);
3698 if (err) {
3699 BT_ERR("smp_ah test failed");
3700 goto done;
3701 }
3702
3703 err = test_c1(tfm_aes);
3704 if (err) {
3705 BT_ERR("smp_c1 test failed");
3706 goto done;
3707 }
3708
3709 err = test_s1(tfm_aes);
3710 if (err) {
3711 BT_ERR("smp_s1 test failed");
3712 goto done;
3713 }
3714
3715 err = test_f4(tfm_cmac);
3716 if (err) {
3717 BT_ERR("smp_f4 test failed");
3718 goto done;
3719 }
3720
3721 err = test_f5(tfm_cmac);
3722 if (err) {
3723 BT_ERR("smp_f5 test failed");
3724 goto done;
3725 }
3726
3727 err = test_f6(tfm_cmac);
3728 if (err) {
3729 BT_ERR("smp_f6 test failed");
3730 goto done;
3731 }
3732
3733 err = test_g2(tfm_cmac);
3734 if (err) {
3735 BT_ERR("smp_g2 test failed");
3736 goto done;
3737 }
3738
3739 err = test_h6(tfm_cmac);
3740 if (err) {
3741 BT_ERR("smp_h6 test failed");
3742 goto done;
3743 }
3744
3745 rettime = ktime_get();
3746 delta = ktime_sub(rettime, calltime);
3747 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3748
3749 BT_INFO("SMP test passed in %llu usecs", duration);
3750
3751 done:
3752 if (!err)
3753 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3754 "PASS (%llu usecs)\n", duration);
3755 else
3756 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3757
3758 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3759 &test_smp_fops);
3760
3761 return err;
3762 }
3763
bt_selftest_smp(void)3764 int __init bt_selftest_smp(void)
3765 {
3766 struct crypto_cipher *tfm_aes;
3767 struct crypto_shash *tfm_cmac;
3768 int err;
3769
3770 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3771 if (IS_ERR(tfm_aes)) {
3772 BT_ERR("Unable to create AES crypto context");
3773 return PTR_ERR(tfm_aes);
3774 }
3775
3776 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3777 if (IS_ERR(tfm_cmac)) {
3778 BT_ERR("Unable to create CMAC crypto context");
3779 crypto_free_cipher(tfm_aes);
3780 return PTR_ERR(tfm_cmac);
3781 }
3782
3783 err = run_selftests(tfm_aes, tfm_cmac);
3784
3785 crypto_free_shash(tfm_cmac);
3786 crypto_free_cipher(tfm_aes);
3787
3788 return err;
3789 }
3790
3791 #endif
3792