1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35
36 #include "ecdh_helper.h"
37 #include "smp.h"
38
39 #define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41
42 /* Low-level debug macros to be used for stuff that we don't want
43 * accidentally in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
45 */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 ##__VA_ARGS__)
52 #endif
53
54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
55
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
58
59 #define SMP_TIMEOUT msecs_to_jiffies(30000)
60
61 #define ID_ADDR_TIMEOUT msecs_to_jiffies(200)
62
63 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
64 0x3f : 0x07)
65 #define KEY_DIST_MASK 0x07
66
67 /* Maximum message length that can be passed to aes_cmac */
68 #define CMAC_MSG_MAX 80
69
70 enum {
71 SMP_FLAG_TK_VALID,
72 SMP_FLAG_CFM_PENDING,
73 SMP_FLAG_MITM_AUTH,
74 SMP_FLAG_COMPLETE,
75 SMP_FLAG_INITIATOR,
76 SMP_FLAG_SC,
77 SMP_FLAG_REMOTE_PK,
78 SMP_FLAG_DEBUG_KEY,
79 SMP_FLAG_WAIT_USER,
80 SMP_FLAG_DHKEY_PENDING,
81 SMP_FLAG_REMOTE_OOB,
82 SMP_FLAG_LOCAL_OOB,
83 SMP_FLAG_CT2,
84 };
85
86 struct smp_dev {
87 /* Secure Connections OOB data */
88 bool local_oob;
89 u8 local_pk[64];
90 u8 local_rand[16];
91 bool debug_key;
92
93 struct crypto_shash *tfm_cmac;
94 struct crypto_kpp *tfm_ecdh;
95 };
96
97 struct smp_chan {
98 struct l2cap_conn *conn;
99 struct delayed_work security_timer;
100 unsigned long allow_cmd; /* Bitmask of allowed commands */
101
102 u8 preq[7]; /* SMP Pairing Request */
103 u8 prsp[7]; /* SMP Pairing Response */
104 u8 prnd[16]; /* SMP Pairing Random (local) */
105 u8 rrnd[16]; /* SMP Pairing Random (remote) */
106 u8 pcnf[16]; /* SMP Pairing Confirm */
107 u8 tk[16]; /* SMP Temporary Key */
108 u8 rr[16]; /* Remote OOB ra/rb value */
109 u8 lr[16]; /* Local OOB ra/rb value */
110 u8 enc_key_size;
111 u8 remote_key_dist;
112 bdaddr_t id_addr;
113 u8 id_addr_type;
114 u8 irk[16];
115 struct smp_csrk *csrk;
116 struct smp_csrk *responder_csrk;
117 struct smp_ltk *ltk;
118 struct smp_ltk *responder_ltk;
119 struct smp_irk *remote_irk;
120 u8 *link_key;
121 unsigned long flags;
122 u8 method;
123 u8 passkey_round;
124
125 /* Secure Connections variables */
126 u8 local_pk[64];
127 u8 remote_pk[64];
128 u8 dhkey[32];
129 u8 mackey[16];
130
131 struct crypto_shash *tfm_cmac;
132 struct crypto_kpp *tfm_ecdh;
133 };
134
135 /* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
137 * private debug key.
138 */
139 static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150
151 static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157
swap_buf(const u8 * src,u8 * dst,size_t len)158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 size_t i;
161
162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
164 }
165
166 /* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
168 */
169
aes_cmac(struct crypto_shash * tfm,const u8 k[16],const u8 * m,size_t len,u8 mac[16])170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 size_t len, u8 mac[16])
172 {
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 int err;
175
176 if (len > CMAC_MSG_MAX)
177 return -EFBIG;
178
179 if (!tfm) {
180 BT_ERR("tfm %p", tfm);
181 return -EINVAL;
182 }
183
184 /* Swap key and message from LSB to MSB */
185 swap_buf(k, tmp, 16);
186 swap_buf(m, msg_msb, len);
187
188 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
189 SMP_DBG("key %16phN", k);
190
191 err = crypto_shash_setkey(tfm, tmp, 16);
192 if (err) {
193 BT_ERR("cipher setkey failed: %d", err);
194 return err;
195 }
196
197 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
198 if (err) {
199 BT_ERR("Hash computation error %d", err);
200 return err;
201 }
202
203 swap_buf(mac_msb, mac, 16);
204
205 SMP_DBG("mac %16phN", mac);
206
207 return 0;
208 }
209
smp_f4(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],u8 z,u8 res[16])210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
211 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
212 {
213 u8 m[65];
214 int err;
215
216 SMP_DBG("u %32phN", u);
217 SMP_DBG("v %32phN", v);
218 SMP_DBG("x %16phN z %02x", x, z);
219
220 m[0] = z;
221 memcpy(m + 1, v, 32);
222 memcpy(m + 33, u, 32);
223
224 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
225 if (err)
226 return err;
227
228 SMP_DBG("res %16phN", res);
229
230 return err;
231 }
232
smp_f5(struct crypto_shash * tfm_cmac,const u8 w[32],const u8 n1[16],const u8 n2[16],const u8 a1[7],const u8 a2[7],u8 mackey[16],u8 ltk[16])233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
234 const u8 n1[16], const u8 n2[16], const u8 a1[7],
235 const u8 a2[7], u8 mackey[16], u8 ltk[16])
236 {
237 /* The btle, salt and length "magic" values are as defined in
238 * the SMP section of the Bluetooth core specification. In ASCII
239 * the btle value ends up being 'btle'. The salt is just a
240 * random number whereas length is the value 256 in little
241 * endian format.
242 */
243 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
244 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
245 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
246 const u8 length[2] = { 0x00, 0x01 };
247 u8 m[53], t[16];
248 int err;
249
250 SMP_DBG("w %32phN", w);
251 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
252 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
253
254 err = aes_cmac(tfm_cmac, salt, w, 32, t);
255 if (err)
256 return err;
257
258 SMP_DBG("t %16phN", t);
259
260 memcpy(m, length, 2);
261 memcpy(m + 2, a2, 7);
262 memcpy(m + 9, a1, 7);
263 memcpy(m + 16, n2, 16);
264 memcpy(m + 32, n1, 16);
265 memcpy(m + 48, btle, 4);
266
267 m[52] = 0; /* Counter */
268
269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
270 if (err)
271 return err;
272
273 SMP_DBG("mackey %16phN", mackey);
274
275 m[52] = 1; /* Counter */
276
277 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
278 if (err)
279 return err;
280
281 SMP_DBG("ltk %16phN", ltk);
282
283 return 0;
284 }
285
smp_f6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 n1[16],const u8 n2[16],const u8 r[16],const u8 io_cap[3],const u8 a1[7],const u8 a2[7],u8 res[16])286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
287 const u8 n1[16], const u8 n2[16], const u8 r[16],
288 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
289 u8 res[16])
290 {
291 u8 m[65];
292 int err;
293
294 SMP_DBG("w %16phN", w);
295 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
296 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
297
298 memcpy(m, a2, 7);
299 memcpy(m + 7, a1, 7);
300 memcpy(m + 14, io_cap, 3);
301 memcpy(m + 17, r, 16);
302 memcpy(m + 33, n2, 16);
303 memcpy(m + 49, n1, 16);
304
305 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
306 if (err)
307 return err;
308
309 SMP_DBG("res %16phN", res);
310
311 return err;
312 }
313
smp_g2(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],const u8 y[16],u32 * val)314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
315 const u8 x[16], const u8 y[16], u32 *val)
316 {
317 u8 m[80], tmp[16];
318 int err;
319
320 SMP_DBG("u %32phN", u);
321 SMP_DBG("v %32phN", v);
322 SMP_DBG("x %16phN y %16phN", x, y);
323
324 memcpy(m, y, 16);
325 memcpy(m + 16, v, 32);
326 memcpy(m + 48, u, 32);
327
328 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
329 if (err)
330 return err;
331
332 *val = get_unaligned_le32(tmp);
333 *val %= 1000000;
334
335 SMP_DBG("val %06u", *val);
336
337 return 0;
338 }
339
smp_h6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 key_id[4],u8 res[16])340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
341 const u8 key_id[4], u8 res[16])
342 {
343 int err;
344
345 SMP_DBG("w %16phN key_id %4phN", w, key_id);
346
347 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
348 if (err)
349 return err;
350
351 SMP_DBG("res %16phN", res);
352
353 return err;
354 }
355
smp_h7(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 salt[16],u8 res[16])356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
357 const u8 salt[16], u8 res[16])
358 {
359 int err;
360
361 SMP_DBG("w %16phN salt %16phN", w, salt);
362
363 err = aes_cmac(tfm_cmac, salt, w, 16, res);
364 if (err)
365 return err;
366
367 SMP_DBG("res %16phN", res);
368
369 return err;
370 }
371
372 /* The following functions map to the legacy SMP crypto functions e, c1,
373 * s1 and ah.
374 */
375
smp_e(const u8 * k,u8 * r)376 static int smp_e(const u8 *k, u8 *r)
377 {
378 struct crypto_aes_ctx ctx;
379 uint8_t tmp[16], data[16];
380 int err;
381
382 SMP_DBG("k %16phN r %16phN", k, r);
383
384 /* The most significant octet of key corresponds to k[0] */
385 swap_buf(k, tmp, 16);
386
387 err = aes_expandkey(&ctx, tmp, 16);
388 if (err) {
389 BT_ERR("cipher setkey failed: %d", err);
390 return err;
391 }
392
393 /* Most significant octet of plaintextData corresponds to data[0] */
394 swap_buf(r, data, 16);
395
396 aes_encrypt(&ctx, data, data);
397
398 /* Most significant octet of encryptedData corresponds to data[0] */
399 swap_buf(data, r, 16);
400
401 SMP_DBG("r %16phN", r);
402
403 memzero_explicit(&ctx, sizeof(ctx));
404 return err;
405 }
406
smp_c1(const u8 k[16],const u8 r[16],const u8 preq[7],const u8 pres[7],u8 _iat,const bdaddr_t * ia,u8 _rat,const bdaddr_t * ra,u8 res[16])407 static int smp_c1(const u8 k[16],
408 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
409 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
410 {
411 u8 p1[16], p2[16];
412 int err;
413
414 SMP_DBG("k %16phN r %16phN", k, r);
415 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
416 SMP_DBG("preq %7phN pres %7phN", preq, pres);
417
418 memset(p1, 0, 16);
419
420 /* p1 = pres || preq || _rat || _iat */
421 p1[0] = _iat;
422 p1[1] = _rat;
423 memcpy(p1 + 2, preq, 7);
424 memcpy(p1 + 9, pres, 7);
425
426 SMP_DBG("p1 %16phN", p1);
427
428 /* res = r XOR p1 */
429 crypto_xor_cpy(res, r, p1, sizeof(p1));
430
431 /* res = e(k, res) */
432 err = smp_e(k, res);
433 if (err) {
434 BT_ERR("Encrypt data error");
435 return err;
436 }
437
438 /* p2 = padding || ia || ra */
439 memcpy(p2, ra, 6);
440 memcpy(p2 + 6, ia, 6);
441 memset(p2 + 12, 0, 4);
442
443 SMP_DBG("p2 %16phN", p2);
444
445 /* res = res XOR p2 */
446 crypto_xor(res, p2, sizeof(p2));
447
448 /* res = e(k, res) */
449 err = smp_e(k, res);
450 if (err)
451 BT_ERR("Encrypt data error");
452
453 return err;
454 }
455
smp_s1(const u8 k[16],const u8 r1[16],const u8 r2[16],u8 _r[16])456 static int smp_s1(const u8 k[16],
457 const u8 r1[16], const u8 r2[16], u8 _r[16])
458 {
459 int err;
460
461 /* Just least significant octets from r1 and r2 are considered */
462 memcpy(_r, r2, 8);
463 memcpy(_r + 8, r1, 8);
464
465 err = smp_e(k, _r);
466 if (err)
467 BT_ERR("Encrypt data error");
468
469 return err;
470 }
471
smp_ah(const u8 irk[16],const u8 r[3],u8 res[3])472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
473 {
474 u8 _res[16];
475 int err;
476
477 /* r' = padding || r */
478 memcpy(_res, r, 3);
479 memset(_res + 3, 0, 13);
480
481 err = smp_e(irk, _res);
482 if (err) {
483 BT_ERR("Encrypt error");
484 return err;
485 }
486
487 /* The output of the random address function ah is:
488 * ah(k, r) = e(k, r') mod 2^24
489 * The output of the security function e is then truncated to 24 bits
490 * by taking the least significant 24 bits of the output of e as the
491 * result of ah.
492 */
493 memcpy(res, _res, 3);
494
495 return 0;
496 }
497
smp_irk_matches(struct hci_dev * hdev,const u8 irk[16],const bdaddr_t * bdaddr)498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
499 const bdaddr_t *bdaddr)
500 {
501 struct l2cap_chan *chan = hdev->smp_data;
502 u8 hash[3];
503 int err;
504
505 if (!chan || !chan->data)
506 return false;
507
508 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
509
510 err = smp_ah(irk, &bdaddr->b[3], hash);
511 if (err)
512 return false;
513
514 return !crypto_memneq(bdaddr->b, hash, 3);
515 }
516
smp_generate_rpa(struct hci_dev * hdev,const u8 irk[16],bdaddr_t * rpa)517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
518 {
519 struct l2cap_chan *chan = hdev->smp_data;
520 int err;
521
522 if (!chan || !chan->data)
523 return -EOPNOTSUPP;
524
525 get_random_bytes(&rpa->b[3], 3);
526
527 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
528 rpa->b[5] |= 0x40; /* Set second most significant bit */
529
530 err = smp_ah(irk, &rpa->b[3], rpa->b);
531 if (err < 0)
532 return err;
533
534 bt_dev_dbg(hdev, "RPA %pMR", rpa);
535
536 return 0;
537 }
538
smp_generate_oob(struct hci_dev * hdev,u8 hash[16],u8 rand[16])539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
540 {
541 struct l2cap_chan *chan = hdev->smp_data;
542 struct smp_dev *smp;
543 int err;
544
545 if (!chan || !chan->data)
546 return -EOPNOTSUPP;
547
548 smp = chan->data;
549
550 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
551 bt_dev_dbg(hdev, "Using debug keys");
552 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
553 if (err)
554 return err;
555 memcpy(smp->local_pk, debug_pk, 64);
556 smp->debug_key = true;
557 } else {
558 while (true) {
559 /* Generate key pair for Secure Connections */
560 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
561 if (err)
562 return err;
563
564 /* This is unlikely, but we need to check that
565 * we didn't accidentally generate a debug key.
566 */
567 if (crypto_memneq(smp->local_pk, debug_pk, 64))
568 break;
569 }
570 smp->debug_key = false;
571 }
572
573 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
574 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
575
576 get_random_bytes(smp->local_rand, 16);
577
578 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
579 smp->local_rand, 0, hash);
580 if (err < 0)
581 return err;
582
583 memcpy(rand, smp->local_rand, 16);
584
585 smp->local_oob = true;
586
587 return 0;
588 }
589
smp_send_cmd(struct l2cap_conn * conn,u8 code,u16 len,void * data)590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
591 {
592 struct l2cap_chan *chan = conn->smp;
593 struct smp_chan *smp;
594 struct kvec iv[2];
595 struct msghdr msg;
596
597 if (!chan)
598 return;
599
600 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
601
602 iv[0].iov_base = &code;
603 iv[0].iov_len = 1;
604
605 iv[1].iov_base = data;
606 iv[1].iov_len = len;
607
608 memset(&msg, 0, sizeof(msg));
609
610 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
611
612 l2cap_chan_send(chan, &msg, 1 + len);
613
614 if (!chan->data)
615 return;
616
617 smp = chan->data;
618
619 cancel_delayed_work_sync(&smp->security_timer);
620 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
621 }
622
authreq_to_seclevel(u8 authreq)623 static u8 authreq_to_seclevel(u8 authreq)
624 {
625 if (authreq & SMP_AUTH_MITM) {
626 if (authreq & SMP_AUTH_SC)
627 return BT_SECURITY_FIPS;
628 else
629 return BT_SECURITY_HIGH;
630 } else {
631 return BT_SECURITY_MEDIUM;
632 }
633 }
634
seclevel_to_authreq(__u8 sec_level)635 static __u8 seclevel_to_authreq(__u8 sec_level)
636 {
637 switch (sec_level) {
638 case BT_SECURITY_FIPS:
639 case BT_SECURITY_HIGH:
640 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
641 case BT_SECURITY_MEDIUM:
642 return SMP_AUTH_BONDING;
643 default:
644 return SMP_AUTH_NONE;
645 }
646 }
647
build_pairing_cmd(struct l2cap_conn * conn,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp,__u8 authreq)648 static void build_pairing_cmd(struct l2cap_conn *conn,
649 struct smp_cmd_pairing *req,
650 struct smp_cmd_pairing *rsp, __u8 authreq)
651 {
652 struct l2cap_chan *chan = conn->smp;
653 struct smp_chan *smp = chan->data;
654 struct hci_conn *hcon = conn->hcon;
655 struct hci_dev *hdev = hcon->hdev;
656 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
657
658 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
659 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
661 authreq |= SMP_AUTH_BONDING;
662 } else {
663 authreq &= ~SMP_AUTH_BONDING;
664 }
665
666 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
667 remote_dist |= SMP_DIST_ID_KEY;
668
669 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
670 local_dist |= SMP_DIST_ID_KEY;
671
672 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
673 (authreq & SMP_AUTH_SC)) {
674 struct oob_data *oob_data;
675 u8 bdaddr_type;
676
677 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
678 local_dist |= SMP_DIST_LINK_KEY;
679 remote_dist |= SMP_DIST_LINK_KEY;
680 }
681
682 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
683 bdaddr_type = BDADDR_LE_PUBLIC;
684 else
685 bdaddr_type = BDADDR_LE_RANDOM;
686
687 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
688 bdaddr_type);
689 if (oob_data && oob_data->present) {
690 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
691 oob_flag = SMP_OOB_PRESENT;
692 memcpy(smp->rr, oob_data->rand256, 16);
693 memcpy(smp->pcnf, oob_data->hash256, 16);
694 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
695 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
696 }
697
698 } else {
699 authreq &= ~SMP_AUTH_SC;
700 }
701
702 if (rsp == NULL) {
703 req->io_capability = conn->hcon->io_capability;
704 req->oob_flag = oob_flag;
705 req->max_key_size = hdev->le_max_key_size;
706 req->init_key_dist = local_dist;
707 req->resp_key_dist = remote_dist;
708 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
709
710 smp->remote_key_dist = remote_dist;
711 return;
712 }
713
714 rsp->io_capability = conn->hcon->io_capability;
715 rsp->oob_flag = oob_flag;
716 rsp->max_key_size = hdev->le_max_key_size;
717 rsp->init_key_dist = req->init_key_dist & remote_dist;
718 rsp->resp_key_dist = req->resp_key_dist & local_dist;
719 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720
721 smp->remote_key_dist = rsp->init_key_dist;
722 }
723
check_enc_key_size(struct l2cap_conn * conn,__u8 max_key_size)724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
725 {
726 struct l2cap_chan *chan = conn->smp;
727 struct hci_dev *hdev = conn->hcon->hdev;
728 struct smp_chan *smp = chan->data;
729
730 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
731 max_key_size != SMP_MAX_ENC_KEY_SIZE)
732 return SMP_ENC_KEY_SIZE;
733
734 if (max_key_size > hdev->le_max_key_size ||
735 max_key_size < SMP_MIN_ENC_KEY_SIZE)
736 return SMP_ENC_KEY_SIZE;
737
738 smp->enc_key_size = max_key_size;
739
740 return 0;
741 }
742
smp_chan_destroy(struct l2cap_conn * conn)743 static void smp_chan_destroy(struct l2cap_conn *conn)
744 {
745 struct l2cap_chan *chan = conn->smp;
746 struct smp_chan *smp = chan->data;
747 struct hci_conn *hcon = conn->hcon;
748 bool complete;
749
750 BUG_ON(!smp);
751
752 cancel_delayed_work_sync(&smp->security_timer);
753
754 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
755 mgmt_smp_complete(hcon, complete);
756
757 kfree_sensitive(smp->csrk);
758 kfree_sensitive(smp->responder_csrk);
759 kfree_sensitive(smp->link_key);
760
761 crypto_free_shash(smp->tfm_cmac);
762 crypto_free_kpp(smp->tfm_ecdh);
763
764 /* Ensure that we don't leave any debug key around if debug key
765 * support hasn't been explicitly enabled.
766 */
767 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
768 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
769 list_del_rcu(&smp->ltk->list);
770 kfree_rcu(smp->ltk, rcu);
771 smp->ltk = NULL;
772 }
773
774 /* If pairing failed clean up any keys we might have */
775 if (!complete) {
776 if (smp->ltk) {
777 list_del_rcu(&smp->ltk->list);
778 kfree_rcu(smp->ltk, rcu);
779 }
780
781 if (smp->responder_ltk) {
782 list_del_rcu(&smp->responder_ltk->list);
783 kfree_rcu(smp->responder_ltk, rcu);
784 }
785
786 if (smp->remote_irk) {
787 list_del_rcu(&smp->remote_irk->list);
788 kfree_rcu(smp->remote_irk, rcu);
789 }
790 }
791
792 chan->data = NULL;
793 kfree_sensitive(smp);
794 hci_conn_drop(hcon);
795 }
796
smp_failure(struct l2cap_conn * conn,u8 reason)797 static void smp_failure(struct l2cap_conn *conn, u8 reason)
798 {
799 struct hci_conn *hcon = conn->hcon;
800 struct l2cap_chan *chan = conn->smp;
801
802 if (reason)
803 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
804 &reason);
805
806 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
807
808 if (chan->data)
809 smp_chan_destroy(conn);
810 }
811
812 #define JUST_WORKS 0x00
813 #define JUST_CFM 0x01
814 #define REQ_PASSKEY 0x02
815 #define CFM_PASSKEY 0x03
816 #define REQ_OOB 0x04
817 #define DSP_PASSKEY 0x05
818 #define OVERLAP 0xFF
819
820 static const u8 gen_method[5][5] = {
821 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
825 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
826 };
827
828 static const u8 sc_method[5][5] = {
829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
833 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
834 };
835
get_auth_method(struct smp_chan * smp,u8 local_io,u8 remote_io)836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
837 {
838 /* If either side has unknown io_caps, use JUST_CFM (which gets
839 * converted later to JUST_WORKS if we're initiators.
840 */
841 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
842 remote_io > SMP_IO_KEYBOARD_DISPLAY)
843 return JUST_CFM;
844
845 if (test_bit(SMP_FLAG_SC, &smp->flags))
846 return sc_method[remote_io][local_io];
847
848 return gen_method[remote_io][local_io];
849 }
850
tk_request(struct l2cap_conn * conn,u8 remote_oob,u8 auth,u8 local_io,u8 remote_io)851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
852 u8 local_io, u8 remote_io)
853 {
854 struct hci_conn *hcon = conn->hcon;
855 struct l2cap_chan *chan = conn->smp;
856 struct smp_chan *smp = chan->data;
857 u32 passkey = 0;
858 int ret;
859
860 /* Initialize key for JUST WORKS */
861 memset(smp->tk, 0, sizeof(smp->tk));
862 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
863
864 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
865 remote_io);
866
867 /* If neither side wants MITM, either "just" confirm an incoming
868 * request or use just-works for outgoing ones. The JUST_CFM
869 * will be converted to JUST_WORKS if necessary later in this
870 * function. If either side has MITM look up the method from the
871 * table.
872 */
873 if (!(auth & SMP_AUTH_MITM))
874 smp->method = JUST_CFM;
875 else
876 smp->method = get_auth_method(smp, local_io, remote_io);
877
878 /* Don't confirm locally initiated pairing attempts */
879 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
880 &smp->flags))
881 smp->method = JUST_WORKS;
882
883 /* Don't bother user space with no IO capabilities */
884 if (smp->method == JUST_CFM &&
885 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
886 smp->method = JUST_WORKS;
887
888 /* If Just Works, Continue with Zero TK and ask user-space for
889 * confirmation */
890 if (smp->method == JUST_WORKS) {
891 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
892 hcon->type,
893 hcon->dst_type,
894 passkey, 1);
895 if (ret)
896 return ret;
897 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
898 return 0;
899 }
900
901 /* If this function is used for SC -> legacy fallback we
902 * can only recover the just-works case.
903 */
904 if (test_bit(SMP_FLAG_SC, &smp->flags))
905 return -EINVAL;
906
907 /* Not Just Works/Confirm results in MITM Authentication */
908 if (smp->method != JUST_CFM) {
909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 hcon->pending_sec_level = BT_SECURITY_HIGH;
912 }
913
914 /* If both devices have Keyboard-Display I/O, the initiator
915 * Confirms and the responder Enters the passkey.
916 */
917 if (smp->method == OVERLAP) {
918 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
919 smp->method = CFM_PASSKEY;
920 else
921 smp->method = REQ_PASSKEY;
922 }
923
924 /* Generate random passkey. */
925 if (smp->method == CFM_PASSKEY) {
926 memset(smp->tk, 0, sizeof(smp->tk));
927 get_random_bytes(&passkey, sizeof(passkey));
928 passkey %= 1000000;
929 put_unaligned_le32(passkey, smp->tk);
930 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
931 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
932 }
933
934 if (smp->method == REQ_PASSKEY)
935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 hcon->type, hcon->dst_type);
937 else if (smp->method == JUST_CFM)
938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type,
940 passkey, 1);
941 else
942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 hcon->type, hcon->dst_type,
944 passkey, 0);
945
946 return ret;
947 }
948
smp_confirm(struct smp_chan * smp)949 static u8 smp_confirm(struct smp_chan *smp)
950 {
951 struct l2cap_conn *conn = smp->conn;
952 struct smp_cmd_pairing_confirm cp;
953 int ret;
954
955 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
956
957 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
958 conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
960 cp.confirm_val);
961 if (ret)
962 return SMP_UNSPECIFIED;
963
964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
965
966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
967
968 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
970 else
971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
972
973 return 0;
974 }
975
smp_random(struct smp_chan * smp)976 static u8 smp_random(struct smp_chan *smp)
977 {
978 struct l2cap_conn *conn = smp->conn;
979 struct hci_conn *hcon = conn->hcon;
980 u8 confirm[16];
981 int ret;
982
983 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
984 test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
985 "responder");
986
987 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
988 hcon->init_addr_type, &hcon->init_addr,
989 hcon->resp_addr_type, &hcon->resp_addr, confirm);
990 if (ret)
991 return SMP_UNSPECIFIED;
992
993 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
994 bt_dev_err(hcon->hdev, "pairing failed "
995 "(confirmation values mismatch)");
996 return SMP_CONFIRM_FAILED;
997 }
998
999 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1000 u8 stk[16];
1001 __le64 rand = 0;
1002 __le16 ediv = 0;
1003
1004 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1005
1006 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1007 return SMP_UNSPECIFIED;
1008
1009 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1010 hcon->enc_key_size = smp->enc_key_size;
1011 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1012 } else {
1013 u8 stk[16], auth;
1014 __le64 rand = 0;
1015 __le16 ediv = 0;
1016
1017 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1018 smp->prnd);
1019
1020 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1021
1022 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1023 auth = 1;
1024 else
1025 auth = 0;
1026
1027 /* Even though there's no _RESPONDER suffix this is the
1028 * responder STK we're adding for later lookup (the initiator
1029 * STK never needs to be stored).
1030 */
1031 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1032 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1033 }
1034
1035 return 0;
1036 }
1037
smp_notify_keys(struct l2cap_conn * conn)1038 static void smp_notify_keys(struct l2cap_conn *conn)
1039 {
1040 struct l2cap_chan *chan = conn->smp;
1041 struct smp_chan *smp = chan->data;
1042 struct hci_conn *hcon = conn->hcon;
1043 struct hci_dev *hdev = hcon->hdev;
1044 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1045 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1046 bool persistent;
1047
1048 if (hcon->type == ACL_LINK) {
1049 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1050 persistent = false;
1051 else
1052 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1053 &hcon->flags);
1054 } else {
1055 /* The LTKs, IRKs and CSRKs should be persistent only if
1056 * both sides had the bonding bit set in their
1057 * authentication requests.
1058 */
1059 persistent = !!((req->auth_req & rsp->auth_req) &
1060 SMP_AUTH_BONDING);
1061 }
1062
1063 if (smp->remote_irk) {
1064 smp->remote_irk->link_type = hcon->type;
1065 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1066
1067 /* Now that user space can be considered to know the
1068 * identity address track the connection based on it
1069 * from now on (assuming this is an LE link).
1070 */
1071 if (hcon->type == LE_LINK) {
1072 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1073 hcon->dst_type = smp->remote_irk->addr_type;
1074 /* Use a short delay to make sure the new address is
1075 * propagated _before_ the channels.
1076 */
1077 queue_delayed_work(hdev->workqueue,
1078 &conn->id_addr_timer,
1079 ID_ADDR_TIMEOUT);
1080 }
1081 }
1082
1083 if (smp->csrk) {
1084 smp->csrk->link_type = hcon->type;
1085 smp->csrk->bdaddr_type = hcon->dst_type;
1086 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1087 mgmt_new_csrk(hdev, smp->csrk, persistent);
1088 }
1089
1090 if (smp->responder_csrk) {
1091 smp->responder_csrk->link_type = hcon->type;
1092 smp->responder_csrk->bdaddr_type = hcon->dst_type;
1093 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1094 mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1095 }
1096
1097 if (smp->ltk) {
1098 smp->ltk->link_type = hcon->type;
1099 smp->ltk->bdaddr_type = hcon->dst_type;
1100 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1101 mgmt_new_ltk(hdev, smp->ltk, persistent);
1102 }
1103
1104 if (smp->responder_ltk) {
1105 smp->responder_ltk->link_type = hcon->type;
1106 smp->responder_ltk->bdaddr_type = hcon->dst_type;
1107 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1108 mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1109 }
1110
1111 if (smp->link_key) {
1112 struct link_key *key;
1113 u8 type;
1114
1115 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1116 type = HCI_LK_DEBUG_COMBINATION;
1117 else if (hcon->sec_level == BT_SECURITY_FIPS)
1118 type = HCI_LK_AUTH_COMBINATION_P256;
1119 else
1120 type = HCI_LK_UNAUTH_COMBINATION_P256;
1121
1122 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1123 smp->link_key, type, 0, &persistent);
1124 if (key) {
1125 key->link_type = hcon->type;
1126 key->bdaddr_type = hcon->dst_type;
1127 mgmt_new_link_key(hdev, key, persistent);
1128
1129 /* Don't keep debug keys around if the relevant
1130 * flag is not set.
1131 */
1132 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1133 key->type == HCI_LK_DEBUG_COMBINATION) {
1134 list_del_rcu(&key->list);
1135 kfree_rcu(key, rcu);
1136 }
1137 }
1138 }
1139 }
1140
sc_add_ltk(struct smp_chan * smp)1141 static void sc_add_ltk(struct smp_chan *smp)
1142 {
1143 struct hci_conn *hcon = smp->conn->hcon;
1144 u8 key_type, auth;
1145
1146 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1147 key_type = SMP_LTK_P256_DEBUG;
1148 else
1149 key_type = SMP_LTK_P256;
1150
1151 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1152 auth = 1;
1153 else
1154 auth = 0;
1155
1156 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1157 key_type, auth, smp->tk, smp->enc_key_size,
1158 0, 0);
1159 }
1160
sc_generate_link_key(struct smp_chan * smp)1161 static void sc_generate_link_key(struct smp_chan *smp)
1162 {
1163 /* From core spec. Spells out in ASCII as 'lebr'. */
1164 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1165
1166 smp->link_key = kzalloc(16, GFP_KERNEL);
1167 if (!smp->link_key)
1168 return;
1169
1170 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1171 /* SALT = 0x000000000000000000000000746D7031 */
1172 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1173
1174 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1175 kfree_sensitive(smp->link_key);
1176 smp->link_key = NULL;
1177 return;
1178 }
1179 } else {
1180 /* From core spec. Spells out in ASCII as 'tmp1'. */
1181 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1182
1183 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1184 kfree_sensitive(smp->link_key);
1185 smp->link_key = NULL;
1186 return;
1187 }
1188 }
1189
1190 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1191 kfree_sensitive(smp->link_key);
1192 smp->link_key = NULL;
1193 return;
1194 }
1195 }
1196
smp_allow_key_dist(struct smp_chan * smp)1197 static void smp_allow_key_dist(struct smp_chan *smp)
1198 {
1199 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1200 * will be allowed in each PDU handler to ensure we receive
1201 * them in the correct order.
1202 */
1203 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1204 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1205 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1206 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1207 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1208 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1209 }
1210
sc_generate_ltk(struct smp_chan * smp)1211 static void sc_generate_ltk(struct smp_chan *smp)
1212 {
1213 /* From core spec. Spells out in ASCII as 'brle'. */
1214 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1215 struct hci_conn *hcon = smp->conn->hcon;
1216 struct hci_dev *hdev = hcon->hdev;
1217 struct link_key *key;
1218
1219 key = hci_find_link_key(hdev, &hcon->dst);
1220 if (!key) {
1221 bt_dev_err(hdev, "no Link Key found to generate LTK");
1222 return;
1223 }
1224
1225 if (key->type == HCI_LK_DEBUG_COMBINATION)
1226 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1227
1228 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1229 /* SALT = 0x000000000000000000000000746D7032 */
1230 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1231
1232 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1233 return;
1234 } else {
1235 /* From core spec. Spells out in ASCII as 'tmp2'. */
1236 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1237
1238 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1239 return;
1240 }
1241
1242 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1243 return;
1244
1245 sc_add_ltk(smp);
1246 }
1247
smp_distribute_keys(struct smp_chan * smp)1248 static void smp_distribute_keys(struct smp_chan *smp)
1249 {
1250 struct smp_cmd_pairing *req, *rsp;
1251 struct l2cap_conn *conn = smp->conn;
1252 struct hci_conn *hcon = conn->hcon;
1253 struct hci_dev *hdev = hcon->hdev;
1254 __u8 *keydist;
1255
1256 bt_dev_dbg(hdev, "conn %p", conn);
1257
1258 rsp = (void *) &smp->prsp[1];
1259
1260 /* The responder sends its keys first */
1261 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
1262 (smp->remote_key_dist & KEY_DIST_MASK)) {
1263 smp_allow_key_dist(smp);
1264 return;
1265 }
1266
1267 req = (void *) &smp->preq[1];
1268
1269 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1270 keydist = &rsp->init_key_dist;
1271 *keydist &= req->init_key_dist;
1272 } else {
1273 keydist = &rsp->resp_key_dist;
1274 *keydist &= req->resp_key_dist;
1275 }
1276
1277 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1278 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1279 sc_generate_link_key(smp);
1280 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1281 sc_generate_ltk(smp);
1282
1283 /* Clear the keys which are generated but not distributed */
1284 *keydist &= ~SMP_SC_NO_DIST;
1285 }
1286
1287 bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1288
1289 if (*keydist & SMP_DIST_ENC_KEY) {
1290 struct smp_cmd_encrypt_info enc;
1291 struct smp_cmd_initiator_ident ident;
1292 struct smp_ltk *ltk;
1293 u8 authenticated;
1294 __le16 ediv;
1295 __le64 rand;
1296
1297 /* Make sure we generate only the significant amount of
1298 * bytes based on the encryption key size, and set the rest
1299 * of the value to zeroes.
1300 */
1301 get_random_bytes(enc.ltk, smp->enc_key_size);
1302 memset(enc.ltk + smp->enc_key_size, 0,
1303 sizeof(enc.ltk) - smp->enc_key_size);
1304
1305 get_random_bytes(&ediv, sizeof(ediv));
1306 get_random_bytes(&rand, sizeof(rand));
1307
1308 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1309
1310 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1311 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1312 SMP_LTK_RESPONDER, authenticated, enc.ltk,
1313 smp->enc_key_size, ediv, rand);
1314 smp->responder_ltk = ltk;
1315
1316 ident.ediv = ediv;
1317 ident.rand = rand;
1318
1319 smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1320 &ident);
1321
1322 *keydist &= ~SMP_DIST_ENC_KEY;
1323 }
1324
1325 if (*keydist & SMP_DIST_ID_KEY) {
1326 struct smp_cmd_ident_addr_info addrinfo;
1327 struct smp_cmd_ident_info idinfo;
1328
1329 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1330
1331 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1332
1333 /* The hci_conn contains the local identity address
1334 * after the connection has been established.
1335 *
1336 * This is true even when the connection has been
1337 * established using a resolvable random address.
1338 */
1339 bacpy(&addrinfo.bdaddr, &hcon->src);
1340 addrinfo.addr_type = hcon->src_type;
1341
1342 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1343 &addrinfo);
1344
1345 *keydist &= ~SMP_DIST_ID_KEY;
1346 }
1347
1348 if (*keydist & SMP_DIST_SIGN) {
1349 struct smp_cmd_sign_info sign;
1350 struct smp_csrk *csrk;
1351
1352 /* Generate a new random key */
1353 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1354
1355 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1356 if (csrk) {
1357 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1358 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1359 else
1360 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1361 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1362 }
1363 smp->responder_csrk = csrk;
1364
1365 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1366
1367 *keydist &= ~SMP_DIST_SIGN;
1368 }
1369
1370 /* If there are still keys to be received wait for them */
1371 if (smp->remote_key_dist & KEY_DIST_MASK) {
1372 smp_allow_key_dist(smp);
1373 return;
1374 }
1375
1376 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1377 smp_notify_keys(conn);
1378
1379 smp_chan_destroy(conn);
1380 }
1381
smp_timeout(struct work_struct * work)1382 static void smp_timeout(struct work_struct *work)
1383 {
1384 struct smp_chan *smp = container_of(work, struct smp_chan,
1385 security_timer.work);
1386 struct l2cap_conn *conn = smp->conn;
1387
1388 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1389
1390 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1391 }
1392
smp_chan_create(struct l2cap_conn * conn)1393 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1394 {
1395 struct hci_conn *hcon = conn->hcon;
1396 struct l2cap_chan *chan = conn->smp;
1397 struct smp_chan *smp;
1398
1399 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1400 if (!smp)
1401 return NULL;
1402
1403 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1404 if (IS_ERR(smp->tfm_cmac)) {
1405 bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1406 goto zfree_smp;
1407 }
1408
1409 smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1410 if (IS_ERR(smp->tfm_ecdh)) {
1411 bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1412 goto free_shash;
1413 }
1414
1415 smp->conn = conn;
1416 chan->data = smp;
1417
1418 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1419
1420 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1421
1422 hci_conn_hold(hcon);
1423
1424 return smp;
1425
1426 free_shash:
1427 crypto_free_shash(smp->tfm_cmac);
1428 zfree_smp:
1429 kfree_sensitive(smp);
1430 return NULL;
1431 }
1432
sc_mackey_and_ltk(struct smp_chan * smp,u8 mackey[16],u8 ltk[16])1433 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1434 {
1435 struct hci_conn *hcon = smp->conn->hcon;
1436 u8 *na, *nb, a[7], b[7];
1437
1438 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1439 na = smp->prnd;
1440 nb = smp->rrnd;
1441 } else {
1442 na = smp->rrnd;
1443 nb = smp->prnd;
1444 }
1445
1446 memcpy(a, &hcon->init_addr, 6);
1447 memcpy(b, &hcon->resp_addr, 6);
1448 a[6] = hcon->init_addr_type;
1449 b[6] = hcon->resp_addr_type;
1450
1451 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1452 }
1453
sc_dhkey_check(struct smp_chan * smp)1454 static void sc_dhkey_check(struct smp_chan *smp)
1455 {
1456 struct hci_conn *hcon = smp->conn->hcon;
1457 struct smp_cmd_dhkey_check check;
1458 u8 a[7], b[7], *local_addr, *remote_addr;
1459 u8 io_cap[3], r[16];
1460
1461 memcpy(a, &hcon->init_addr, 6);
1462 memcpy(b, &hcon->resp_addr, 6);
1463 a[6] = hcon->init_addr_type;
1464 b[6] = hcon->resp_addr_type;
1465
1466 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1467 local_addr = a;
1468 remote_addr = b;
1469 memcpy(io_cap, &smp->preq[1], 3);
1470 } else {
1471 local_addr = b;
1472 remote_addr = a;
1473 memcpy(io_cap, &smp->prsp[1], 3);
1474 }
1475
1476 memset(r, 0, sizeof(r));
1477
1478 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1479 put_unaligned_le32(hcon->passkey_notify, r);
1480
1481 if (smp->method == REQ_OOB)
1482 memcpy(r, smp->rr, 16);
1483
1484 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1485 local_addr, remote_addr, check.e);
1486
1487 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1488 }
1489
sc_passkey_send_confirm(struct smp_chan * smp)1490 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1491 {
1492 struct l2cap_conn *conn = smp->conn;
1493 struct hci_conn *hcon = conn->hcon;
1494 struct smp_cmd_pairing_confirm cfm;
1495 u8 r;
1496
1497 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1498 r |= 0x80;
1499
1500 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1501
1502 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1503 cfm.confirm_val))
1504 return SMP_UNSPECIFIED;
1505
1506 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1507
1508 return 0;
1509 }
1510
sc_passkey_round(struct smp_chan * smp,u8 smp_op)1511 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1512 {
1513 struct l2cap_conn *conn = smp->conn;
1514 struct hci_conn *hcon = conn->hcon;
1515 struct hci_dev *hdev = hcon->hdev;
1516 u8 cfm[16], r;
1517
1518 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1519 if (smp->passkey_round >= 20)
1520 return 0;
1521
1522 switch (smp_op) {
1523 case SMP_CMD_PAIRING_RANDOM:
1524 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1525 r |= 0x80;
1526
1527 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1528 smp->rrnd, r, cfm))
1529 return SMP_UNSPECIFIED;
1530
1531 if (crypto_memneq(smp->pcnf, cfm, 16))
1532 return SMP_CONFIRM_FAILED;
1533
1534 smp->passkey_round++;
1535
1536 if (smp->passkey_round == 20) {
1537 /* Generate MacKey and LTK */
1538 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1539 return SMP_UNSPECIFIED;
1540 }
1541
1542 /* The round is only complete when the initiator
1543 * receives pairing random.
1544 */
1545 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1546 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1547 sizeof(smp->prnd), smp->prnd);
1548 if (smp->passkey_round == 20)
1549 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1550 else
1551 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1552 return 0;
1553 }
1554
1555 /* Start the next round */
1556 if (smp->passkey_round != 20)
1557 return sc_passkey_round(smp, 0);
1558
1559 /* Passkey rounds are complete - start DHKey Check */
1560 sc_dhkey_check(smp);
1561 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1562
1563 break;
1564
1565 case SMP_CMD_PAIRING_CONFIRM:
1566 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1567 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1568 return 0;
1569 }
1570
1571 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1572
1573 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1574 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1575 sizeof(smp->prnd), smp->prnd);
1576 return 0;
1577 }
1578
1579 return sc_passkey_send_confirm(smp);
1580
1581 case SMP_CMD_PUBLIC_KEY:
1582 default:
1583 /* Initiating device starts the round */
1584 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1585 return 0;
1586
1587 bt_dev_dbg(hdev, "Starting passkey round %u",
1588 smp->passkey_round + 1);
1589
1590 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1591
1592 return sc_passkey_send_confirm(smp);
1593 }
1594
1595 return 0;
1596 }
1597
sc_user_reply(struct smp_chan * smp,u16 mgmt_op,__le32 passkey)1598 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1599 {
1600 struct l2cap_conn *conn = smp->conn;
1601 struct hci_conn *hcon = conn->hcon;
1602 u8 smp_op;
1603
1604 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1605
1606 switch (mgmt_op) {
1607 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1608 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1609 return 0;
1610 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1611 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1612 return 0;
1613 case MGMT_OP_USER_PASSKEY_REPLY:
1614 hcon->passkey_notify = le32_to_cpu(passkey);
1615 smp->passkey_round = 0;
1616
1617 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1618 smp_op = SMP_CMD_PAIRING_CONFIRM;
1619 else
1620 smp_op = 0;
1621
1622 if (sc_passkey_round(smp, smp_op))
1623 return -EIO;
1624
1625 return 0;
1626 }
1627
1628 /* Initiator sends DHKey check first */
1629 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1630 sc_dhkey_check(smp);
1631 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1632 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1633 sc_dhkey_check(smp);
1634 sc_add_ltk(smp);
1635 }
1636
1637 return 0;
1638 }
1639
smp_user_confirm_reply(struct hci_conn * hcon,u16 mgmt_op,__le32 passkey)1640 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1641 {
1642 struct l2cap_conn *conn = hcon->l2cap_data;
1643 struct l2cap_chan *chan;
1644 struct smp_chan *smp;
1645 u32 value;
1646 int err;
1647
1648 if (!conn)
1649 return -ENOTCONN;
1650
1651 bt_dev_dbg(conn->hcon->hdev, "");
1652
1653 chan = conn->smp;
1654 if (!chan)
1655 return -ENOTCONN;
1656
1657 l2cap_chan_lock(chan);
1658 if (!chan->data) {
1659 err = -ENOTCONN;
1660 goto unlock;
1661 }
1662
1663 smp = chan->data;
1664
1665 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1666 err = sc_user_reply(smp, mgmt_op, passkey);
1667 goto unlock;
1668 }
1669
1670 switch (mgmt_op) {
1671 case MGMT_OP_USER_PASSKEY_REPLY:
1672 value = le32_to_cpu(passkey);
1673 memset(smp->tk, 0, sizeof(smp->tk));
1674 bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1675 put_unaligned_le32(value, smp->tk);
1676 fallthrough;
1677 case MGMT_OP_USER_CONFIRM_REPLY:
1678 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1679 break;
1680 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1681 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1682 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1683 err = 0;
1684 goto unlock;
1685 default:
1686 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1687 err = -EOPNOTSUPP;
1688 goto unlock;
1689 }
1690
1691 err = 0;
1692
1693 /* If it is our turn to send Pairing Confirm, do so now */
1694 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1695 u8 rsp = smp_confirm(smp);
1696 if (rsp)
1697 smp_failure(conn, rsp);
1698 }
1699
1700 unlock:
1701 l2cap_chan_unlock(chan);
1702 return err;
1703 }
1704
build_bredr_pairing_cmd(struct smp_chan * smp,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp)1705 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1706 struct smp_cmd_pairing *req,
1707 struct smp_cmd_pairing *rsp)
1708 {
1709 struct l2cap_conn *conn = smp->conn;
1710 struct hci_dev *hdev = conn->hcon->hdev;
1711 u8 local_dist = 0, remote_dist = 0;
1712
1713 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1714 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1715 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1716 }
1717
1718 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1719 remote_dist |= SMP_DIST_ID_KEY;
1720
1721 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1722 local_dist |= SMP_DIST_ID_KEY;
1723
1724 if (!rsp) {
1725 memset(req, 0, sizeof(*req));
1726
1727 req->auth_req = SMP_AUTH_CT2;
1728 req->init_key_dist = local_dist;
1729 req->resp_key_dist = remote_dist;
1730 req->max_key_size = conn->hcon->enc_key_size;
1731
1732 smp->remote_key_dist = remote_dist;
1733
1734 return;
1735 }
1736
1737 memset(rsp, 0, sizeof(*rsp));
1738
1739 rsp->auth_req = SMP_AUTH_CT2;
1740 rsp->max_key_size = conn->hcon->enc_key_size;
1741 rsp->init_key_dist = req->init_key_dist & remote_dist;
1742 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1743
1744 smp->remote_key_dist = rsp->init_key_dist;
1745 }
1746
smp_cmd_pairing_req(struct l2cap_conn * conn,struct sk_buff * skb)1747 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1748 {
1749 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1750 struct l2cap_chan *chan = conn->smp;
1751 struct hci_dev *hdev = conn->hcon->hdev;
1752 struct smp_chan *smp = chan->data;
1753 u8 key_size, auth, sec_level;
1754 int ret;
1755
1756 bt_dev_dbg(hdev, "conn %p", conn);
1757
1758 if (skb->len < sizeof(*req))
1759 return SMP_INVALID_PARAMS;
1760
1761 if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1762 return SMP_CMD_NOTSUPP;
1763
1764 if (!smp) {
1765 smp = smp_chan_create(conn);
1766 if (!smp)
1767 return SMP_UNSPECIFIED;
1768 }
1769
1770 /* We didn't start the pairing, so match remote */
1771 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772
1773 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774 (auth & SMP_AUTH_BONDING))
1775 return SMP_PAIRING_NOTSUPP;
1776
1777 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778 return SMP_AUTH_REQUIREMENTS;
1779
1780 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781 memcpy(&smp->preq[1], req, sizeof(*req));
1782 skb_pull(skb, sizeof(*req));
1783
1784 /* If the remote side's OOB flag is set it means it has
1785 * successfully received our local OOB data - therefore set the
1786 * flag to indicate that local OOB is in use.
1787 */
1788 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1789 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790
1791 /* SMP over BR/EDR requires special treatment */
1792 if (conn->hcon->type == ACL_LINK) {
1793 /* We must have a BR/EDR SC link */
1794 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797
1798 set_bit(SMP_FLAG_SC, &smp->flags);
1799
1800 build_bredr_pairing_cmd(smp, req, &rsp);
1801
1802 if (req->auth_req & SMP_AUTH_CT2)
1803 set_bit(SMP_FLAG_CT2, &smp->flags);
1804
1805 key_size = min(req->max_key_size, rsp.max_key_size);
1806 if (check_enc_key_size(conn, key_size))
1807 return SMP_ENC_KEY_SIZE;
1808
1809 /* Clear bits which are generated but not distributed */
1810 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811
1812 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815
1816 smp_distribute_keys(smp);
1817 return 0;
1818 }
1819
1820 build_pairing_cmd(conn, req, &rsp, auth);
1821
1822 if (rsp.auth_req & SMP_AUTH_SC) {
1823 set_bit(SMP_FLAG_SC, &smp->flags);
1824
1825 if (rsp.auth_req & SMP_AUTH_CT2)
1826 set_bit(SMP_FLAG_CT2, &smp->flags);
1827 }
1828
1829 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830 sec_level = BT_SECURITY_MEDIUM;
1831 else
1832 sec_level = authreq_to_seclevel(auth);
1833
1834 if (sec_level > conn->hcon->pending_sec_level)
1835 conn->hcon->pending_sec_level = sec_level;
1836
1837 /* If we need MITM check that it can be achieved */
1838 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1839 u8 method;
1840
1841 method = get_auth_method(smp, conn->hcon->io_capability,
1842 req->io_capability);
1843 if (method == JUST_WORKS || method == JUST_CFM)
1844 return SMP_AUTH_REQUIREMENTS;
1845 }
1846
1847 key_size = min(req->max_key_size, rsp.max_key_size);
1848 if (check_enc_key_size(conn, key_size))
1849 return SMP_ENC_KEY_SIZE;
1850
1851 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852
1853 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855
1856 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857
1858 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859
1860 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1861 * SC case, however some implementations incorrectly copy RFU auth
1862 * req bits from our security request, which may create a false
1863 * positive SC enablement.
1864 */
1865 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866
1867 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869 /* Clear bits which are generated but not distributed */
1870 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871 /* Wait for Public Key from Initiating Device */
1872 return 0;
1873 }
1874
1875 /* Request setup of TK */
1876 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877 if (ret)
1878 return SMP_UNSPECIFIED;
1879
1880 return 0;
1881 }
1882
sc_send_public_key(struct smp_chan * smp)1883 static u8 sc_send_public_key(struct smp_chan *smp)
1884 {
1885 struct hci_dev *hdev = smp->conn->hcon->hdev;
1886
1887 bt_dev_dbg(hdev, "");
1888
1889 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890 struct l2cap_chan *chan = hdev->smp_data;
1891 struct smp_dev *smp_dev;
1892
1893 if (!chan || !chan->data)
1894 return SMP_UNSPECIFIED;
1895
1896 smp_dev = chan->data;
1897
1898 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899 memcpy(smp->lr, smp_dev->local_rand, 16);
1900
1901 if (smp_dev->debug_key)
1902 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1903
1904 goto done;
1905 }
1906
1907 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908 bt_dev_dbg(hdev, "Using debug keys");
1909 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910 return SMP_UNSPECIFIED;
1911 memcpy(smp->local_pk, debug_pk, 64);
1912 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1913 } else {
1914 while (true) {
1915 /* Generate key pair for Secure Connections */
1916 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917 return SMP_UNSPECIFIED;
1918
1919 /* This is unlikely, but we need to check that
1920 * we didn't accidentally generate a debug key.
1921 */
1922 if (crypto_memneq(smp->local_pk, debug_pk, 64))
1923 break;
1924 }
1925 }
1926
1927 done:
1928 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930
1931 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1932
1933 return 0;
1934 }
1935
smp_cmd_pairing_rsp(struct l2cap_conn * conn,struct sk_buff * skb)1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937 {
1938 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939 struct l2cap_chan *chan = conn->smp;
1940 struct smp_chan *smp = chan->data;
1941 struct hci_dev *hdev = conn->hcon->hdev;
1942 u8 key_size, auth;
1943 int ret;
1944
1945 bt_dev_dbg(hdev, "conn %p", conn);
1946
1947 if (skb->len < sizeof(*rsp))
1948 return SMP_INVALID_PARAMS;
1949
1950 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1951 return SMP_CMD_NOTSUPP;
1952
1953 skb_pull(skb, sizeof(*rsp));
1954
1955 req = (void *) &smp->preq[1];
1956
1957 key_size = min(req->max_key_size, rsp->max_key_size);
1958 if (check_enc_key_size(conn, key_size))
1959 return SMP_ENC_KEY_SIZE;
1960
1961 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962
1963 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964 return SMP_AUTH_REQUIREMENTS;
1965
1966 /* If the remote side's OOB flag is set it means it has
1967 * successfully received our local OOB data - therefore set the
1968 * flag to indicate that local OOB is in use.
1969 */
1970 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1971 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972
1973 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975
1976 /* Update remote key distribution in case the remote cleared
1977 * some bits that we had enabled in our request.
1978 */
1979 smp->remote_key_dist &= rsp->resp_key_dist;
1980
1981 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982 set_bit(SMP_FLAG_CT2, &smp->flags);
1983
1984 /* For BR/EDR this means we're done and can start phase 3 */
1985 if (conn->hcon->type == ACL_LINK) {
1986 /* Clear bits which are generated but not distributed */
1987 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988 smp_distribute_keys(smp);
1989 return 0;
1990 }
1991
1992 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993 set_bit(SMP_FLAG_SC, &smp->flags);
1994 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996
1997 /* If we need MITM check that it can be achieved */
1998 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1999 u8 method;
2000
2001 method = get_auth_method(smp, req->io_capability,
2002 rsp->io_capability);
2003 if (method == JUST_WORKS || method == JUST_CFM)
2004 return SMP_AUTH_REQUIREMENTS;
2005 }
2006
2007 get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008
2009 /* Update remote key distribution in case the remote cleared
2010 * some bits that we had enabled in our request.
2011 */
2012 smp->remote_key_dist &= rsp->resp_key_dist;
2013
2014 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015 /* Clear bits which are generated but not distributed */
2016 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018 return sc_send_public_key(smp);
2019 }
2020
2021 auth |= req->auth_req;
2022
2023 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024 if (ret)
2025 return SMP_UNSPECIFIED;
2026
2027 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028
2029 /* Can't compose response until we have been confirmed */
2030 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031 return smp_confirm(smp);
2032
2033 return 0;
2034 }
2035
sc_check_confirm(struct smp_chan * smp)2036 static u8 sc_check_confirm(struct smp_chan *smp)
2037 {
2038 struct l2cap_conn *conn = smp->conn;
2039
2040 bt_dev_dbg(conn->hcon->hdev, "");
2041
2042 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044
2045 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2046 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047 smp->prnd);
2048 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2049 }
2050
2051 return 0;
2052 }
2053
2054 /* Work-around for some implementations that incorrectly copy RFU bits
2055 * from our security request and thereby create the impression that
2056 * we're doing SC when in fact the remote doesn't support it.
2057 */
fixup_sc_false_positive(struct smp_chan * smp)2058 static int fixup_sc_false_positive(struct smp_chan *smp)
2059 {
2060 struct l2cap_conn *conn = smp->conn;
2061 struct hci_conn *hcon = conn->hcon;
2062 struct hci_dev *hdev = hcon->hdev;
2063 struct smp_cmd_pairing *req, *rsp;
2064 u8 auth;
2065
2066 /* The issue is only observed when we're in responder role */
2067 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2068 return SMP_UNSPECIFIED;
2069
2070 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072 return SMP_UNSPECIFIED;
2073 }
2074
2075 bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076
2077 req = (void *) &smp->preq[1];
2078 rsp = (void *) &smp->prsp[1];
2079
2080 /* Rebuild key dist flags which may have been cleared for SC */
2081 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082
2083 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084
2085 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087 return SMP_UNSPECIFIED;
2088 }
2089
2090 clear_bit(SMP_FLAG_SC, &smp->flags);
2091
2092 return 0;
2093 }
2094
smp_cmd_pairing_confirm(struct l2cap_conn * conn,struct sk_buff * skb)2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096 {
2097 struct l2cap_chan *chan = conn->smp;
2098 struct smp_chan *smp = chan->data;
2099 struct hci_conn *hcon = conn->hcon;
2100 struct hci_dev *hdev = hcon->hdev;
2101
2102 bt_dev_dbg(hdev, "conn %p %s", conn,
2103 test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
2104 "responder");
2105
2106 if (skb->len < sizeof(smp->pcnf))
2107 return SMP_INVALID_PARAMS;
2108
2109 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2110 skb_pull(skb, sizeof(smp->pcnf));
2111
2112 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2113 int ret;
2114
2115 /* Public Key exchange must happen before any other steps */
2116 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2117 return sc_check_confirm(smp);
2118
2119 bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2120
2121 ret = fixup_sc_false_positive(smp);
2122 if (ret)
2123 return ret;
2124 }
2125
2126 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2127 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2128 smp->prnd);
2129 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2130 return 0;
2131 }
2132
2133 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2134 return smp_confirm(smp);
2135
2136 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2137
2138 return 0;
2139 }
2140
smp_cmd_pairing_random(struct l2cap_conn * conn,struct sk_buff * skb)2141 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2142 {
2143 struct l2cap_chan *chan = conn->smp;
2144 struct smp_chan *smp = chan->data;
2145 struct hci_conn *hcon = conn->hcon;
2146 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2147 u32 passkey;
2148 int err;
2149
2150 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2151
2152 if (skb->len < sizeof(smp->rrnd))
2153 return SMP_INVALID_PARAMS;
2154
2155 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2156 skb_pull(skb, sizeof(smp->rrnd));
2157
2158 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2159 return smp_random(smp);
2160
2161 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2162 pkax = smp->local_pk;
2163 pkbx = smp->remote_pk;
2164 na = smp->prnd;
2165 nb = smp->rrnd;
2166 } else {
2167 pkax = smp->remote_pk;
2168 pkbx = smp->local_pk;
2169 na = smp->rrnd;
2170 nb = smp->prnd;
2171 }
2172
2173 if (smp->method == REQ_OOB) {
2174 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2175 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2176 sizeof(smp->prnd), smp->prnd);
2177 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2178 goto mackey_and_ltk;
2179 }
2180
2181 /* Passkey entry has special treatment */
2182 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2183 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2184
2185 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2186 u8 cfm[16];
2187
2188 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2189 smp->rrnd, 0, cfm);
2190 if (err)
2191 return SMP_UNSPECIFIED;
2192
2193 if (crypto_memneq(smp->pcnf, cfm, 16))
2194 return SMP_CONFIRM_FAILED;
2195 } else {
2196 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2197 smp->prnd);
2198 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2199
2200 /* Only Just-Works pairing requires extra checks */
2201 if (smp->method != JUST_WORKS)
2202 goto mackey_and_ltk;
2203
2204 /* If there already exists long term key in local host, leave
2205 * the decision to user space since the remote device could
2206 * be legitimate or malicious.
2207 */
2208 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2209 hcon->role)) {
2210 /* Set passkey to 0. The value can be any number since
2211 * it'll be ignored anyway.
2212 */
2213 passkey = 0;
2214 confirm_hint = 1;
2215 goto confirm;
2216 }
2217 }
2218
2219 mackey_and_ltk:
2220 /* Generate MacKey and LTK */
2221 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2222 if (err)
2223 return SMP_UNSPECIFIED;
2224
2225 if (smp->method == REQ_OOB) {
2226 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2227 sc_dhkey_check(smp);
2228 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2229 }
2230 return 0;
2231 }
2232
2233 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2234 if (err)
2235 return SMP_UNSPECIFIED;
2236
2237 confirm_hint = 0;
2238
2239 confirm:
2240 if (smp->method == JUST_WORKS)
2241 confirm_hint = 1;
2242
2243 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2244 hcon->dst_type, passkey, confirm_hint);
2245 if (err)
2246 return SMP_UNSPECIFIED;
2247
2248 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2249
2250 return 0;
2251 }
2252
smp_ltk_encrypt(struct l2cap_conn * conn,u8 sec_level)2253 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2254 {
2255 struct smp_ltk *key;
2256 struct hci_conn *hcon = conn->hcon;
2257
2258 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2259 if (!key)
2260 return false;
2261
2262 if (smp_ltk_sec_level(key) < sec_level)
2263 return false;
2264
2265 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2266 return true;
2267
2268 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2269 hcon->enc_key_size = key->enc_size;
2270
2271 /* We never store STKs for initiator role, so clear this flag */
2272 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2273
2274 return true;
2275 }
2276
smp_sufficient_security(struct hci_conn * hcon,u8 sec_level,enum smp_key_pref key_pref)2277 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2278 enum smp_key_pref key_pref)
2279 {
2280 if (sec_level == BT_SECURITY_LOW)
2281 return true;
2282
2283 /* If we're encrypted with an STK but the caller prefers using
2284 * LTK claim insufficient security. This way we allow the
2285 * connection to be re-encrypted with an LTK, even if the LTK
2286 * provides the same level of security. Only exception is if we
2287 * don't have an LTK (e.g. because of key distribution bits).
2288 */
2289 if (key_pref == SMP_USE_LTK &&
2290 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2291 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2292 return false;
2293
2294 if (hcon->sec_level >= sec_level)
2295 return true;
2296
2297 return false;
2298 }
2299
smp_send_pairing_req(struct smp_chan * smp,__u8 auth)2300 static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
2301 {
2302 struct smp_cmd_pairing cp;
2303
2304 if (smp->conn->hcon->type == ACL_LINK)
2305 build_bredr_pairing_cmd(smp, &cp, NULL);
2306 else
2307 build_pairing_cmd(smp->conn, &cp, NULL, auth);
2308
2309 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2310 memcpy(&smp->preq[1], &cp, sizeof(cp));
2311
2312 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2313 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2314
2315 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2316 }
2317
smp_cmd_security_req(struct l2cap_conn * conn,struct sk_buff * skb)2318 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2319 {
2320 struct smp_cmd_security_req *rp = (void *) skb->data;
2321 struct hci_conn *hcon = conn->hcon;
2322 struct hci_dev *hdev = hcon->hdev;
2323 struct smp_chan *smp;
2324 u8 sec_level, auth;
2325
2326 bt_dev_dbg(hdev, "conn %p", conn);
2327
2328 if (skb->len < sizeof(*rp))
2329 return SMP_INVALID_PARAMS;
2330
2331 if (hcon->role != HCI_ROLE_MASTER)
2332 return SMP_CMD_NOTSUPP;
2333
2334 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2335
2336 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2337 return SMP_AUTH_REQUIREMENTS;
2338
2339 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2340 sec_level = BT_SECURITY_MEDIUM;
2341 else
2342 sec_level = authreq_to_seclevel(auth);
2343
2344 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2345 /* If link is already encrypted with sufficient security we
2346 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2347 * Part H 2.4.6
2348 */
2349 smp_ltk_encrypt(conn, hcon->sec_level);
2350 return 0;
2351 }
2352
2353 if (sec_level > hcon->pending_sec_level)
2354 hcon->pending_sec_level = sec_level;
2355
2356 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2357 return 0;
2358
2359 smp = smp_chan_create(conn);
2360 if (!smp)
2361 return SMP_UNSPECIFIED;
2362
2363 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2364 (auth & SMP_AUTH_BONDING))
2365 return SMP_PAIRING_NOTSUPP;
2366
2367 skb_pull(skb, sizeof(*rp));
2368
2369 smp_send_pairing_req(smp, auth);
2370
2371 return 0;
2372 }
2373
smp_send_security_req(struct smp_chan * smp,__u8 auth)2374 static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
2375 {
2376 struct smp_cmd_security_req cp;
2377
2378 cp.auth_req = auth;
2379 smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2380 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2381
2382 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
2383 }
2384
smp_conn_security(struct hci_conn * hcon,__u8 sec_level)2385 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2386 {
2387 struct l2cap_conn *conn = hcon->l2cap_data;
2388 struct l2cap_chan *chan;
2389 struct smp_chan *smp;
2390 __u8 authreq;
2391 int ret;
2392
2393 bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2394 sec_level);
2395
2396 /* This may be NULL if there's an unexpected disconnection */
2397 if (!conn)
2398 return 1;
2399
2400 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2401 return 1;
2402
2403 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2404 return 1;
2405
2406 if (sec_level > hcon->pending_sec_level)
2407 hcon->pending_sec_level = sec_level;
2408
2409 if (hcon->role == HCI_ROLE_MASTER)
2410 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2411 return 0;
2412
2413 chan = conn->smp;
2414 if (!chan) {
2415 bt_dev_err(hcon->hdev, "security requested but not available");
2416 return 1;
2417 }
2418
2419 l2cap_chan_lock(chan);
2420
2421 /* If SMP is already in progress ignore this request */
2422 if (chan->data) {
2423 ret = 0;
2424 goto unlock;
2425 }
2426
2427 smp = smp_chan_create(conn);
2428 if (!smp) {
2429 ret = 1;
2430 goto unlock;
2431 }
2432
2433 authreq = seclevel_to_authreq(sec_level);
2434
2435 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2436 authreq |= SMP_AUTH_SC;
2437 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2438 authreq |= SMP_AUTH_CT2;
2439 }
2440
2441 /* Don't attempt to set MITM if setting is overridden by debugfs
2442 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2443 */
2444 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2445 /* Require MITM if IO Capability allows or the security level
2446 * requires it.
2447 */
2448 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2449 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2450 authreq |= SMP_AUTH_MITM;
2451 }
2452
2453 if (hcon->role == HCI_ROLE_MASTER)
2454 smp_send_pairing_req(smp, authreq);
2455 else
2456 smp_send_security_req(smp, authreq);
2457
2458 ret = 0;
2459
2460 unlock:
2461 l2cap_chan_unlock(chan);
2462 return ret;
2463 }
2464
smp_cancel_and_remove_pairing(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type)2465 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2466 u8 addr_type)
2467 {
2468 struct hci_conn *hcon;
2469 struct l2cap_conn *conn;
2470 struct l2cap_chan *chan;
2471 struct smp_chan *smp;
2472 int err;
2473
2474 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2475 hci_remove_irk(hdev, bdaddr, addr_type);
2476
2477 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2478 if (!hcon)
2479 goto done;
2480
2481 conn = hcon->l2cap_data;
2482 if (!conn)
2483 goto done;
2484
2485 chan = conn->smp;
2486 if (!chan)
2487 goto done;
2488
2489 l2cap_chan_lock(chan);
2490
2491 smp = chan->data;
2492 if (smp) {
2493 /* Set keys to NULL to make sure smp_failure() does not try to
2494 * remove and free already invalidated rcu list entries. */
2495 smp->ltk = NULL;
2496 smp->responder_ltk = NULL;
2497 smp->remote_irk = NULL;
2498
2499 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2500 smp_failure(conn, 0);
2501 else
2502 smp_failure(conn, SMP_UNSPECIFIED);
2503 err = 0;
2504 }
2505
2506 l2cap_chan_unlock(chan);
2507
2508 done:
2509 return err;
2510 }
2511
smp_cmd_encrypt_info(struct l2cap_conn * conn,struct sk_buff * skb)2512 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2513 {
2514 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2515 struct l2cap_chan *chan = conn->smp;
2516 struct smp_chan *smp = chan->data;
2517
2518 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2519
2520 if (skb->len < sizeof(*rp))
2521 return SMP_INVALID_PARAMS;
2522
2523 /* Pairing is aborted if any blocked keys are distributed */
2524 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2525 rp->ltk)) {
2526 bt_dev_warn_ratelimited(conn->hcon->hdev,
2527 "LTK blocked for %pMR",
2528 &conn->hcon->dst);
2529 return SMP_INVALID_PARAMS;
2530 }
2531
2532 SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2533
2534 skb_pull(skb, sizeof(*rp));
2535
2536 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2537
2538 return 0;
2539 }
2540
smp_cmd_initiator_ident(struct l2cap_conn * conn,struct sk_buff * skb)2541 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2542 {
2543 struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2544 struct l2cap_chan *chan = conn->smp;
2545 struct smp_chan *smp = chan->data;
2546 struct hci_dev *hdev = conn->hcon->hdev;
2547 struct hci_conn *hcon = conn->hcon;
2548 struct smp_ltk *ltk;
2549 u8 authenticated;
2550
2551 bt_dev_dbg(hdev, "conn %p", conn);
2552
2553 if (skb->len < sizeof(*rp))
2554 return SMP_INVALID_PARAMS;
2555
2556 /* Mark the information as received */
2557 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2558
2559 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2560 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2561 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2562 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2563
2564 skb_pull(skb, sizeof(*rp));
2565
2566 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2567 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2568 authenticated, smp->tk, smp->enc_key_size,
2569 rp->ediv, rp->rand);
2570 smp->ltk = ltk;
2571 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2572 smp_distribute_keys(smp);
2573
2574 return 0;
2575 }
2576
smp_cmd_ident_info(struct l2cap_conn * conn,struct sk_buff * skb)2577 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2578 {
2579 struct smp_cmd_ident_info *info = (void *) skb->data;
2580 struct l2cap_chan *chan = conn->smp;
2581 struct smp_chan *smp = chan->data;
2582
2583 bt_dev_dbg(conn->hcon->hdev, "");
2584
2585 if (skb->len < sizeof(*info))
2586 return SMP_INVALID_PARAMS;
2587
2588 /* Pairing is aborted if any blocked keys are distributed */
2589 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2590 info->irk)) {
2591 bt_dev_warn_ratelimited(conn->hcon->hdev,
2592 "Identity key blocked for %pMR",
2593 &conn->hcon->dst);
2594 return SMP_INVALID_PARAMS;
2595 }
2596
2597 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2598
2599 skb_pull(skb, sizeof(*info));
2600
2601 memcpy(smp->irk, info->irk, 16);
2602
2603 return 0;
2604 }
2605
smp_cmd_ident_addr_info(struct l2cap_conn * conn,struct sk_buff * skb)2606 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2607 struct sk_buff *skb)
2608 {
2609 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2610 struct l2cap_chan *chan = conn->smp;
2611 struct smp_chan *smp = chan->data;
2612 struct hci_conn *hcon = conn->hcon;
2613 bdaddr_t rpa;
2614
2615 bt_dev_dbg(hcon->hdev, "");
2616
2617 if (skb->len < sizeof(*info))
2618 return SMP_INVALID_PARAMS;
2619
2620 /* Mark the information as received */
2621 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2622
2623 if (smp->remote_key_dist & SMP_DIST_SIGN)
2624 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2625
2626 skb_pull(skb, sizeof(*info));
2627
2628 /* Strictly speaking the Core Specification (4.1) allows sending
2629 * an empty address which would force us to rely on just the IRK
2630 * as "identity information". However, since such
2631 * implementations are not known of and in order to not over
2632 * complicate our implementation, simply pretend that we never
2633 * received an IRK for such a device.
2634 *
2635 * The Identity Address must also be a Static Random or Public
2636 * Address, which hci_is_identity_address() checks for.
2637 */
2638 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2639 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2640 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2641 goto distribute;
2642 }
2643
2644 /* Drop IRK if peer is using identity address during pairing but is
2645 * providing different address as identity information.
2646 *
2647 * Microsoft Surface Precision Mouse is known to have this bug.
2648 */
2649 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2650 (bacmp(&info->bdaddr, &hcon->dst) ||
2651 info->addr_type != hcon->dst_type)) {
2652 bt_dev_err(hcon->hdev,
2653 "ignoring IRK with invalid identity address");
2654 goto distribute;
2655 }
2656
2657 bacpy(&smp->id_addr, &info->bdaddr);
2658 smp->id_addr_type = info->addr_type;
2659
2660 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2661 bacpy(&rpa, &hcon->dst);
2662 else
2663 bacpy(&rpa, BDADDR_ANY);
2664
2665 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2666 smp->id_addr_type, smp->irk, &rpa);
2667
2668 distribute:
2669 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2670 smp_distribute_keys(smp);
2671
2672 return 0;
2673 }
2674
smp_cmd_sign_info(struct l2cap_conn * conn,struct sk_buff * skb)2675 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2676 {
2677 struct smp_cmd_sign_info *rp = (void *) skb->data;
2678 struct l2cap_chan *chan = conn->smp;
2679 struct smp_chan *smp = chan->data;
2680 struct smp_csrk *csrk;
2681
2682 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2683
2684 if (skb->len < sizeof(*rp))
2685 return SMP_INVALID_PARAMS;
2686
2687 /* Mark the information as received */
2688 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2689
2690 skb_pull(skb, sizeof(*rp));
2691
2692 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2693 if (csrk) {
2694 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2695 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2696 else
2697 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2698 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2699 }
2700 smp->csrk = csrk;
2701 smp_distribute_keys(smp);
2702
2703 return 0;
2704 }
2705
sc_select_method(struct smp_chan * smp)2706 static u8 sc_select_method(struct smp_chan *smp)
2707 {
2708 struct smp_cmd_pairing *local, *remote;
2709 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2710
2711 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2712 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2713 return REQ_OOB;
2714
2715 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2716 * which are needed as inputs to some crypto functions. To get
2717 * the "struct smp_cmd_pairing" from them we need to skip the
2718 * first byte which contains the opcode.
2719 */
2720 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2721 local = (void *) &smp->preq[1];
2722 remote = (void *) &smp->prsp[1];
2723 } else {
2724 local = (void *) &smp->prsp[1];
2725 remote = (void *) &smp->preq[1];
2726 }
2727
2728 local_io = local->io_capability;
2729 remote_io = remote->io_capability;
2730
2731 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2732 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2733
2734 /* If either side wants MITM, look up the method from the table,
2735 * otherwise use JUST WORKS.
2736 */
2737 if (local_mitm || remote_mitm)
2738 method = get_auth_method(smp, local_io, remote_io);
2739 else
2740 method = JUST_WORKS;
2741
2742 /* Don't confirm locally initiated pairing attempts */
2743 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2744 method = JUST_WORKS;
2745
2746 return method;
2747 }
2748
smp_cmd_public_key(struct l2cap_conn * conn,struct sk_buff * skb)2749 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2750 {
2751 struct smp_cmd_public_key *key = (void *) skb->data;
2752 struct hci_conn *hcon = conn->hcon;
2753 struct l2cap_chan *chan = conn->smp;
2754 struct smp_chan *smp = chan->data;
2755 struct hci_dev *hdev = hcon->hdev;
2756 struct crypto_kpp *tfm_ecdh;
2757 struct smp_cmd_pairing_confirm cfm;
2758 int err;
2759
2760 bt_dev_dbg(hdev, "conn %p", conn);
2761
2762 if (skb->len < sizeof(*key))
2763 return SMP_INVALID_PARAMS;
2764
2765 /* Check if remote and local public keys are the same and debug key is
2766 * not in use.
2767 */
2768 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2769 !crypto_memneq(key, smp->local_pk, 64)) {
2770 bt_dev_err(hdev, "Remote and local public keys are identical");
2771 return SMP_UNSPECIFIED;
2772 }
2773
2774 memcpy(smp->remote_pk, key, 64);
2775
2776 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2777 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2778 smp->rr, 0, cfm.confirm_val);
2779 if (err)
2780 return SMP_UNSPECIFIED;
2781
2782 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2783 return SMP_CONFIRM_FAILED;
2784 }
2785
2786 /* Non-initiating device sends its public key after receiving
2787 * the key from the initiating device.
2788 */
2789 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2790 err = sc_send_public_key(smp);
2791 if (err)
2792 return err;
2793 }
2794
2795 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2796 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2797
2798 /* Compute the shared secret on the same crypto tfm on which the private
2799 * key was set/generated.
2800 */
2801 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2802 struct l2cap_chan *hchan = hdev->smp_data;
2803 struct smp_dev *smp_dev;
2804
2805 if (!hchan || !hchan->data)
2806 return SMP_UNSPECIFIED;
2807
2808 smp_dev = hchan->data;
2809
2810 tfm_ecdh = smp_dev->tfm_ecdh;
2811 } else {
2812 tfm_ecdh = smp->tfm_ecdh;
2813 }
2814
2815 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2816 return SMP_UNSPECIFIED;
2817
2818 SMP_DBG("DHKey %32phN", smp->dhkey);
2819
2820 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2821
2822 smp->method = sc_select_method(smp);
2823
2824 bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2825
2826 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2827 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2828 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2829 else
2830 hcon->pending_sec_level = BT_SECURITY_FIPS;
2831
2832 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2833 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2834
2835 if (smp->method == DSP_PASSKEY) {
2836 get_random_bytes(&hcon->passkey_notify,
2837 sizeof(hcon->passkey_notify));
2838 hcon->passkey_notify %= 1000000;
2839 hcon->passkey_entered = 0;
2840 smp->passkey_round = 0;
2841 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2842 hcon->dst_type,
2843 hcon->passkey_notify,
2844 hcon->passkey_entered))
2845 return SMP_UNSPECIFIED;
2846 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2847 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2848 }
2849
2850 if (smp->method == REQ_OOB) {
2851 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2852 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2853 sizeof(smp->prnd), smp->prnd);
2854
2855 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2856
2857 return 0;
2858 }
2859
2860 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2861 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2862
2863 if (smp->method == REQ_PASSKEY) {
2864 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2865 hcon->dst_type))
2866 return SMP_UNSPECIFIED;
2867 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2868 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2869 return 0;
2870 }
2871
2872 /* The Initiating device waits for the non-initiating device to
2873 * send the confirm value.
2874 */
2875 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2876 return 0;
2877
2878 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2879 0, cfm.confirm_val);
2880 if (err)
2881 return SMP_UNSPECIFIED;
2882
2883 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2884 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2885
2886 return 0;
2887 }
2888
smp_cmd_dhkey_check(struct l2cap_conn * conn,struct sk_buff * skb)2889 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2890 {
2891 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2892 struct l2cap_chan *chan = conn->smp;
2893 struct hci_conn *hcon = conn->hcon;
2894 struct smp_chan *smp = chan->data;
2895 u8 a[7], b[7], *local_addr, *remote_addr;
2896 u8 io_cap[3], r[16], e[16];
2897 int err;
2898
2899 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2900
2901 if (skb->len < sizeof(*check))
2902 return SMP_INVALID_PARAMS;
2903
2904 memcpy(a, &hcon->init_addr, 6);
2905 memcpy(b, &hcon->resp_addr, 6);
2906 a[6] = hcon->init_addr_type;
2907 b[6] = hcon->resp_addr_type;
2908
2909 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2910 local_addr = a;
2911 remote_addr = b;
2912 memcpy(io_cap, &smp->prsp[1], 3);
2913 } else {
2914 local_addr = b;
2915 remote_addr = a;
2916 memcpy(io_cap, &smp->preq[1], 3);
2917 }
2918
2919 memset(r, 0, sizeof(r));
2920
2921 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2922 put_unaligned_le32(hcon->passkey_notify, r);
2923 else if (smp->method == REQ_OOB)
2924 memcpy(r, smp->lr, 16);
2925
2926 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2927 io_cap, remote_addr, local_addr, e);
2928 if (err)
2929 return SMP_UNSPECIFIED;
2930
2931 if (crypto_memneq(check->e, e, 16))
2932 return SMP_DHKEY_CHECK_FAILED;
2933
2934 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2935 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2936 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2937 return 0;
2938 }
2939
2940 /* Responder sends DHKey check as response to initiator */
2941 sc_dhkey_check(smp);
2942 }
2943
2944 sc_add_ltk(smp);
2945
2946 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2947 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2948 hcon->enc_key_size = smp->enc_key_size;
2949 }
2950
2951 return 0;
2952 }
2953
smp_cmd_keypress_notify(struct l2cap_conn * conn,struct sk_buff * skb)2954 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2955 struct sk_buff *skb)
2956 {
2957 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2958
2959 bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2960
2961 return 0;
2962 }
2963
smp_sig_channel(struct l2cap_chan * chan,struct sk_buff * skb)2964 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2965 {
2966 struct l2cap_conn *conn = chan->conn;
2967 struct hci_conn *hcon = conn->hcon;
2968 struct smp_chan *smp;
2969 __u8 code, reason;
2970 int err = 0;
2971
2972 if (skb->len < 1)
2973 return -EILSEQ;
2974
2975 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2976 reason = SMP_PAIRING_NOTSUPP;
2977 goto done;
2978 }
2979
2980 code = skb->data[0];
2981 skb_pull(skb, sizeof(code));
2982
2983 smp = chan->data;
2984
2985 if (code > SMP_CMD_MAX)
2986 goto drop;
2987
2988 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2989 goto drop;
2990
2991 /* If we don't have a context the only allowed commands are
2992 * pairing request and security request.
2993 */
2994 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2995 goto drop;
2996
2997 switch (code) {
2998 case SMP_CMD_PAIRING_REQ:
2999 reason = smp_cmd_pairing_req(conn, skb);
3000 break;
3001
3002 case SMP_CMD_PAIRING_FAIL:
3003 smp_failure(conn, 0);
3004 err = -EPERM;
3005 break;
3006
3007 case SMP_CMD_PAIRING_RSP:
3008 reason = smp_cmd_pairing_rsp(conn, skb);
3009 break;
3010
3011 case SMP_CMD_SECURITY_REQ:
3012 reason = smp_cmd_security_req(conn, skb);
3013 break;
3014
3015 case SMP_CMD_PAIRING_CONFIRM:
3016 reason = smp_cmd_pairing_confirm(conn, skb);
3017 break;
3018
3019 case SMP_CMD_PAIRING_RANDOM:
3020 reason = smp_cmd_pairing_random(conn, skb);
3021 break;
3022
3023 case SMP_CMD_ENCRYPT_INFO:
3024 reason = smp_cmd_encrypt_info(conn, skb);
3025 break;
3026
3027 case SMP_CMD_INITIATOR_IDENT:
3028 reason = smp_cmd_initiator_ident(conn, skb);
3029 break;
3030
3031 case SMP_CMD_IDENT_INFO:
3032 reason = smp_cmd_ident_info(conn, skb);
3033 break;
3034
3035 case SMP_CMD_IDENT_ADDR_INFO:
3036 reason = smp_cmd_ident_addr_info(conn, skb);
3037 break;
3038
3039 case SMP_CMD_SIGN_INFO:
3040 reason = smp_cmd_sign_info(conn, skb);
3041 break;
3042
3043 case SMP_CMD_PUBLIC_KEY:
3044 reason = smp_cmd_public_key(conn, skb);
3045 break;
3046
3047 case SMP_CMD_DHKEY_CHECK:
3048 reason = smp_cmd_dhkey_check(conn, skb);
3049 break;
3050
3051 case SMP_CMD_KEYPRESS_NOTIFY:
3052 reason = smp_cmd_keypress_notify(conn, skb);
3053 break;
3054
3055 default:
3056 bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3057 reason = SMP_CMD_NOTSUPP;
3058 goto done;
3059 }
3060
3061 done:
3062 if (!err) {
3063 if (reason)
3064 smp_failure(conn, reason);
3065 kfree_skb(skb);
3066 }
3067
3068 return err;
3069
3070 drop:
3071 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3072 code, &hcon->dst);
3073 kfree_skb(skb);
3074 return 0;
3075 }
3076
smp_teardown_cb(struct l2cap_chan * chan,int err)3077 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3078 {
3079 struct l2cap_conn *conn = chan->conn;
3080
3081 bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3082
3083 if (chan->data)
3084 smp_chan_destroy(conn);
3085
3086 conn->smp = NULL;
3087 l2cap_chan_put(chan);
3088 }
3089
bredr_pairing(struct l2cap_chan * chan)3090 static void bredr_pairing(struct l2cap_chan *chan)
3091 {
3092 struct l2cap_conn *conn = chan->conn;
3093 struct hci_conn *hcon = conn->hcon;
3094 struct hci_dev *hdev = hcon->hdev;
3095 struct smp_chan *smp;
3096
3097 bt_dev_dbg(hdev, "chan %p", chan);
3098
3099 /* Only new pairings are interesting */
3100 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3101 return;
3102
3103 /* Don't bother if we're not encrypted */
3104 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3105 return;
3106
3107 /* Only initiator may initiate SMP over BR/EDR */
3108 if (hcon->role != HCI_ROLE_MASTER)
3109 return;
3110
3111 /* Secure Connections support must be enabled */
3112 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3113 return;
3114
3115 /* BR/EDR must use Secure Connections for SMP */
3116 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3117 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3118 return;
3119
3120 /* If our LE support is not enabled don't do anything */
3121 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3122 return;
3123
3124 /* Don't bother if remote LE support is not enabled */
3125 if (!lmp_host_le_capable(hcon))
3126 return;
3127
3128 /* Remote must support SMP fixed chan for BR/EDR */
3129 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3130 return;
3131
3132 /* Don't bother if SMP is already ongoing */
3133 if (chan->data)
3134 return;
3135
3136 smp = smp_chan_create(conn);
3137 if (!smp) {
3138 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3139 return;
3140 }
3141
3142 set_bit(SMP_FLAG_SC, &smp->flags);
3143
3144 bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3145
3146 smp_send_pairing_req(smp, 0x00);
3147 }
3148
smp_resume_cb(struct l2cap_chan * chan)3149 static void smp_resume_cb(struct l2cap_chan *chan)
3150 {
3151 struct smp_chan *smp = chan->data;
3152 struct l2cap_conn *conn = chan->conn;
3153 struct hci_conn *hcon = conn->hcon;
3154
3155 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3156
3157 if (hcon->type == ACL_LINK) {
3158 bredr_pairing(chan);
3159 return;
3160 }
3161
3162 if (!smp)
3163 return;
3164
3165 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3166 return;
3167
3168 cancel_delayed_work(&smp->security_timer);
3169
3170 smp_distribute_keys(smp);
3171 }
3172
smp_ready_cb(struct l2cap_chan * chan)3173 static void smp_ready_cb(struct l2cap_chan *chan)
3174 {
3175 struct l2cap_conn *conn = chan->conn;
3176 struct hci_conn *hcon = conn->hcon;
3177
3178 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3179
3180 /* No need to call l2cap_chan_hold() here since we already own
3181 * the reference taken in smp_new_conn_cb(). This is just the
3182 * first time that we tie it to a specific pointer. The code in
3183 * l2cap_core.c ensures that there's no risk this function wont
3184 * get called if smp_new_conn_cb was previously called.
3185 */
3186 conn->smp = chan;
3187
3188 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3189 bredr_pairing(chan);
3190 }
3191
smp_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)3192 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3193 {
3194 int err;
3195
3196 bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3197
3198 err = smp_sig_channel(chan, skb);
3199 if (err) {
3200 struct smp_chan *smp = chan->data;
3201
3202 if (smp)
3203 cancel_delayed_work_sync(&smp->security_timer);
3204
3205 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3206 }
3207
3208 return err;
3209 }
3210
smp_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)3211 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3212 unsigned long hdr_len,
3213 unsigned long len, int nb)
3214 {
3215 struct sk_buff *skb;
3216
3217 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3218 if (!skb)
3219 return ERR_PTR(-ENOMEM);
3220
3221 skb->priority = HCI_PRIO_MAX;
3222 bt_cb(skb)->l2cap.chan = chan;
3223
3224 return skb;
3225 }
3226
3227 static const struct l2cap_ops smp_chan_ops = {
3228 .name = "Security Manager",
3229 .ready = smp_ready_cb,
3230 .recv = smp_recv_cb,
3231 .alloc_skb = smp_alloc_skb_cb,
3232 .teardown = smp_teardown_cb,
3233 .resume = smp_resume_cb,
3234
3235 .new_connection = l2cap_chan_no_new_connection,
3236 .state_change = l2cap_chan_no_state_change,
3237 .close = l2cap_chan_no_close,
3238 .defer = l2cap_chan_no_defer,
3239 .suspend = l2cap_chan_no_suspend,
3240 .set_shutdown = l2cap_chan_no_set_shutdown,
3241 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3242 };
3243
smp_new_conn_cb(struct l2cap_chan * pchan)3244 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3245 {
3246 struct l2cap_chan *chan;
3247
3248 BT_DBG("pchan %p", pchan);
3249
3250 chan = l2cap_chan_create();
3251 if (!chan)
3252 return NULL;
3253
3254 chan->chan_type = pchan->chan_type;
3255 chan->ops = &smp_chan_ops;
3256 chan->scid = pchan->scid;
3257 chan->dcid = chan->scid;
3258 chan->imtu = pchan->imtu;
3259 chan->omtu = pchan->omtu;
3260 chan->mode = pchan->mode;
3261
3262 /* Other L2CAP channels may request SMP routines in order to
3263 * change the security level. This means that the SMP channel
3264 * lock must be considered in its own category to avoid lockdep
3265 * warnings.
3266 */
3267 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3268
3269 BT_DBG("created chan %p", chan);
3270
3271 return chan;
3272 }
3273
3274 static const struct l2cap_ops smp_root_chan_ops = {
3275 .name = "Security Manager Root",
3276 .new_connection = smp_new_conn_cb,
3277
3278 /* None of these are implemented for the root channel */
3279 .close = l2cap_chan_no_close,
3280 .alloc_skb = l2cap_chan_no_alloc_skb,
3281 .recv = l2cap_chan_no_recv,
3282 .state_change = l2cap_chan_no_state_change,
3283 .teardown = l2cap_chan_no_teardown,
3284 .ready = l2cap_chan_no_ready,
3285 .defer = l2cap_chan_no_defer,
3286 .suspend = l2cap_chan_no_suspend,
3287 .resume = l2cap_chan_no_resume,
3288 .set_shutdown = l2cap_chan_no_set_shutdown,
3289 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3290 };
3291
smp_add_cid(struct hci_dev * hdev,u16 cid)3292 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3293 {
3294 struct l2cap_chan *chan;
3295 struct smp_dev *smp;
3296 struct crypto_shash *tfm_cmac;
3297 struct crypto_kpp *tfm_ecdh;
3298
3299 if (cid == L2CAP_CID_SMP_BREDR) {
3300 smp = NULL;
3301 goto create_chan;
3302 }
3303
3304 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3305 if (!smp)
3306 return ERR_PTR(-ENOMEM);
3307
3308 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3309 if (IS_ERR(tfm_cmac)) {
3310 bt_dev_err(hdev, "Unable to create CMAC crypto context");
3311 kfree_sensitive(smp);
3312 return ERR_CAST(tfm_cmac);
3313 }
3314
3315 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3316 if (IS_ERR(tfm_ecdh)) {
3317 bt_dev_err(hdev, "Unable to create ECDH crypto context");
3318 crypto_free_shash(tfm_cmac);
3319 kfree_sensitive(smp);
3320 return ERR_CAST(tfm_ecdh);
3321 }
3322
3323 smp->local_oob = false;
3324 smp->tfm_cmac = tfm_cmac;
3325 smp->tfm_ecdh = tfm_ecdh;
3326
3327 create_chan:
3328 chan = l2cap_chan_create();
3329 if (!chan) {
3330 if (smp) {
3331 crypto_free_shash(smp->tfm_cmac);
3332 crypto_free_kpp(smp->tfm_ecdh);
3333 kfree_sensitive(smp);
3334 }
3335 return ERR_PTR(-ENOMEM);
3336 }
3337
3338 chan->data = smp;
3339
3340 l2cap_add_scid(chan, cid);
3341
3342 l2cap_chan_set_defaults(chan);
3343
3344 if (cid == L2CAP_CID_SMP) {
3345 u8 bdaddr_type;
3346
3347 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3348
3349 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3350 chan->src_type = BDADDR_LE_PUBLIC;
3351 else
3352 chan->src_type = BDADDR_LE_RANDOM;
3353 } else {
3354 bacpy(&chan->src, &hdev->bdaddr);
3355 chan->src_type = BDADDR_BREDR;
3356 }
3357
3358 chan->state = BT_LISTEN;
3359 chan->mode = L2CAP_MODE_BASIC;
3360 chan->imtu = L2CAP_DEFAULT_MTU;
3361 chan->ops = &smp_root_chan_ops;
3362
3363 /* Set correct nesting level for a parent/listening channel */
3364 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3365
3366 return chan;
3367 }
3368
smp_del_chan(struct l2cap_chan * chan)3369 static void smp_del_chan(struct l2cap_chan *chan)
3370 {
3371 struct smp_dev *smp;
3372
3373 BT_DBG("chan %p", chan);
3374
3375 smp = chan->data;
3376 if (smp) {
3377 chan->data = NULL;
3378 crypto_free_shash(smp->tfm_cmac);
3379 crypto_free_kpp(smp->tfm_ecdh);
3380 kfree_sensitive(smp);
3381 }
3382
3383 l2cap_chan_put(chan);
3384 }
3385
smp_force_bredr(struct hci_dev * hdev,bool enable)3386 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3387 {
3388 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3389 return -EALREADY;
3390
3391 if (enable) {
3392 struct l2cap_chan *chan;
3393
3394 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3395 if (IS_ERR(chan))
3396 return PTR_ERR(chan);
3397
3398 hdev->smp_bredr_data = chan;
3399 } else {
3400 struct l2cap_chan *chan;
3401
3402 chan = hdev->smp_bredr_data;
3403 hdev->smp_bredr_data = NULL;
3404 smp_del_chan(chan);
3405 }
3406
3407 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3408
3409 return 0;
3410 }
3411
smp_register(struct hci_dev * hdev)3412 int smp_register(struct hci_dev *hdev)
3413 {
3414 struct l2cap_chan *chan;
3415
3416 bt_dev_dbg(hdev, "");
3417
3418 /* If the controller does not support Low Energy operation, then
3419 * there is also no need to register any SMP channel.
3420 */
3421 if (!lmp_le_capable(hdev))
3422 return 0;
3423
3424 if (WARN_ON(hdev->smp_data)) {
3425 chan = hdev->smp_data;
3426 hdev->smp_data = NULL;
3427 smp_del_chan(chan);
3428 }
3429
3430 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3431 if (IS_ERR(chan))
3432 return PTR_ERR(chan);
3433
3434 hdev->smp_data = chan;
3435
3436 if (!lmp_sc_capable(hdev)) {
3437 /* Flag can be already set here (due to power toggle) */
3438 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3439 return 0;
3440 }
3441
3442 if (WARN_ON(hdev->smp_bredr_data)) {
3443 chan = hdev->smp_bredr_data;
3444 hdev->smp_bredr_data = NULL;
3445 smp_del_chan(chan);
3446 }
3447
3448 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3449 if (IS_ERR(chan)) {
3450 int err = PTR_ERR(chan);
3451 chan = hdev->smp_data;
3452 hdev->smp_data = NULL;
3453 smp_del_chan(chan);
3454 return err;
3455 }
3456
3457 hdev->smp_bredr_data = chan;
3458
3459 return 0;
3460 }
3461
smp_unregister(struct hci_dev * hdev)3462 void smp_unregister(struct hci_dev *hdev)
3463 {
3464 struct l2cap_chan *chan;
3465
3466 if (hdev->smp_bredr_data) {
3467 chan = hdev->smp_bredr_data;
3468 hdev->smp_bredr_data = NULL;
3469 smp_del_chan(chan);
3470 }
3471
3472 if (hdev->smp_data) {
3473 chan = hdev->smp_data;
3474 hdev->smp_data = NULL;
3475 smp_del_chan(chan);
3476 }
3477 }
3478
3479 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3480
test_debug_key(struct crypto_kpp * tfm_ecdh)3481 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3482 {
3483 u8 pk[64];
3484 int err;
3485
3486 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3487 if (err)
3488 return err;
3489
3490 err = generate_ecdh_public_key(tfm_ecdh, pk);
3491 if (err)
3492 return err;
3493
3494 if (crypto_memneq(pk, debug_pk, 64))
3495 return -EINVAL;
3496
3497 return 0;
3498 }
3499
test_ah(void)3500 static int __init test_ah(void)
3501 {
3502 const u8 irk[16] = {
3503 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3504 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3505 const u8 r[3] = { 0x94, 0x81, 0x70 };
3506 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3507 u8 res[3];
3508 int err;
3509
3510 err = smp_ah(irk, r, res);
3511 if (err)
3512 return err;
3513
3514 if (crypto_memneq(res, exp, 3))
3515 return -EINVAL;
3516
3517 return 0;
3518 }
3519
test_c1(void)3520 static int __init test_c1(void)
3521 {
3522 const u8 k[16] = {
3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3525 const u8 r[16] = {
3526 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3527 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3528 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3529 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3530 const u8 _iat = 0x01;
3531 const u8 _rat = 0x00;
3532 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3533 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3534 const u8 exp[16] = {
3535 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3536 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3537 u8 res[16];
3538 int err;
3539
3540 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3541 if (err)
3542 return err;
3543
3544 if (crypto_memneq(res, exp, 16))
3545 return -EINVAL;
3546
3547 return 0;
3548 }
3549
test_s1(void)3550 static int __init test_s1(void)
3551 {
3552 const u8 k[16] = {
3553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3555 const u8 r1[16] = {
3556 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3557 const u8 r2[16] = {
3558 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3559 const u8 exp[16] = {
3560 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3561 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3562 u8 res[16];
3563 int err;
3564
3565 err = smp_s1(k, r1, r2, res);
3566 if (err)
3567 return err;
3568
3569 if (crypto_memneq(res, exp, 16))
3570 return -EINVAL;
3571
3572 return 0;
3573 }
3574
test_f4(struct crypto_shash * tfm_cmac)3575 static int __init test_f4(struct crypto_shash *tfm_cmac)
3576 {
3577 const u8 u[32] = {
3578 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3579 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3580 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3581 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3582 const u8 v[32] = {
3583 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3584 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3585 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3586 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3587 const u8 x[16] = {
3588 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3589 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3590 const u8 z = 0x00;
3591 const u8 exp[16] = {
3592 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3593 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3594 u8 res[16];
3595 int err;
3596
3597 err = smp_f4(tfm_cmac, u, v, x, z, res);
3598 if (err)
3599 return err;
3600
3601 if (crypto_memneq(res, exp, 16))
3602 return -EINVAL;
3603
3604 return 0;
3605 }
3606
test_f5(struct crypto_shash * tfm_cmac)3607 static int __init test_f5(struct crypto_shash *tfm_cmac)
3608 {
3609 const u8 w[32] = {
3610 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3611 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3612 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3613 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3614 const u8 n1[16] = {
3615 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3616 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3617 const u8 n2[16] = {
3618 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3619 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3620 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3621 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3622 const u8 exp_ltk[16] = {
3623 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3624 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3625 const u8 exp_mackey[16] = {
3626 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3627 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3628 u8 mackey[16], ltk[16];
3629 int err;
3630
3631 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3632 if (err)
3633 return err;
3634
3635 if (crypto_memneq(mackey, exp_mackey, 16))
3636 return -EINVAL;
3637
3638 if (crypto_memneq(ltk, exp_ltk, 16))
3639 return -EINVAL;
3640
3641 return 0;
3642 }
3643
test_f6(struct crypto_shash * tfm_cmac)3644 static int __init test_f6(struct crypto_shash *tfm_cmac)
3645 {
3646 const u8 w[16] = {
3647 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3648 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3649 const u8 n1[16] = {
3650 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3651 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3652 const u8 n2[16] = {
3653 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3654 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3655 const u8 r[16] = {
3656 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3657 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3658 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3659 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3660 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3661 const u8 exp[16] = {
3662 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3663 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3664 u8 res[16];
3665 int err;
3666
3667 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3668 if (err)
3669 return err;
3670
3671 if (crypto_memneq(res, exp, 16))
3672 return -EINVAL;
3673
3674 return 0;
3675 }
3676
test_g2(struct crypto_shash * tfm_cmac)3677 static int __init test_g2(struct crypto_shash *tfm_cmac)
3678 {
3679 const u8 u[32] = {
3680 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3681 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3682 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3683 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3684 const u8 v[32] = {
3685 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3686 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3687 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3688 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3689 const u8 x[16] = {
3690 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3691 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3692 const u8 y[16] = {
3693 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3694 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3695 const u32 exp_val = 0x2f9ed5ba % 1000000;
3696 u32 val;
3697 int err;
3698
3699 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3700 if (err)
3701 return err;
3702
3703 if (val != exp_val)
3704 return -EINVAL;
3705
3706 return 0;
3707 }
3708
test_h6(struct crypto_shash * tfm_cmac)3709 static int __init test_h6(struct crypto_shash *tfm_cmac)
3710 {
3711 const u8 w[16] = {
3712 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3713 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3714 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3715 const u8 exp[16] = {
3716 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3717 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3718 u8 res[16];
3719 int err;
3720
3721 err = smp_h6(tfm_cmac, w, key_id, res);
3722 if (err)
3723 return err;
3724
3725 if (crypto_memneq(res, exp, 16))
3726 return -EINVAL;
3727
3728 return 0;
3729 }
3730
3731 static char test_smp_buffer[32];
3732
test_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3733 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3734 size_t count, loff_t *ppos)
3735 {
3736 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3737 strlen(test_smp_buffer));
3738 }
3739
3740 static const struct file_operations test_smp_fops = {
3741 .open = simple_open,
3742 .read = test_smp_read,
3743 .llseek = default_llseek,
3744 };
3745
run_selftests(struct crypto_shash * tfm_cmac,struct crypto_kpp * tfm_ecdh)3746 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3747 struct crypto_kpp *tfm_ecdh)
3748 {
3749 ktime_t calltime, delta, rettime;
3750 unsigned long long duration;
3751 int err;
3752
3753 calltime = ktime_get();
3754
3755 err = test_debug_key(tfm_ecdh);
3756 if (err) {
3757 BT_ERR("debug_key test failed");
3758 goto done;
3759 }
3760
3761 err = test_ah();
3762 if (err) {
3763 BT_ERR("smp_ah test failed");
3764 goto done;
3765 }
3766
3767 err = test_c1();
3768 if (err) {
3769 BT_ERR("smp_c1 test failed");
3770 goto done;
3771 }
3772
3773 err = test_s1();
3774 if (err) {
3775 BT_ERR("smp_s1 test failed");
3776 goto done;
3777 }
3778
3779 err = test_f4(tfm_cmac);
3780 if (err) {
3781 BT_ERR("smp_f4 test failed");
3782 goto done;
3783 }
3784
3785 err = test_f5(tfm_cmac);
3786 if (err) {
3787 BT_ERR("smp_f5 test failed");
3788 goto done;
3789 }
3790
3791 err = test_f6(tfm_cmac);
3792 if (err) {
3793 BT_ERR("smp_f6 test failed");
3794 goto done;
3795 }
3796
3797 err = test_g2(tfm_cmac);
3798 if (err) {
3799 BT_ERR("smp_g2 test failed");
3800 goto done;
3801 }
3802
3803 err = test_h6(tfm_cmac);
3804 if (err) {
3805 BT_ERR("smp_h6 test failed");
3806 goto done;
3807 }
3808
3809 rettime = ktime_get();
3810 delta = ktime_sub(rettime, calltime);
3811 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3812
3813 BT_INFO("SMP test passed in %llu usecs", duration);
3814
3815 done:
3816 if (!err)
3817 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3818 "PASS (%llu usecs)\n", duration);
3819 else
3820 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3821
3822 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3823 &test_smp_fops);
3824
3825 return err;
3826 }
3827
bt_selftest_smp(void)3828 int __init bt_selftest_smp(void)
3829 {
3830 struct crypto_shash *tfm_cmac;
3831 struct crypto_kpp *tfm_ecdh;
3832 int err;
3833
3834 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3835 if (IS_ERR(tfm_cmac)) {
3836 BT_ERR("Unable to create CMAC crypto context");
3837 return PTR_ERR(tfm_cmac);
3838 }
3839
3840 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3841 if (IS_ERR(tfm_ecdh)) {
3842 BT_ERR("Unable to create ECDH crypto context");
3843 crypto_free_shash(tfm_cmac);
3844 return PTR_ERR(tfm_ecdh);
3845 }
3846
3847 err = run_selftests(tfm_cmac, tfm_ecdh);
3848
3849 crypto_free_shash(tfm_cmac);
3850 crypto_free_kpp(tfm_ecdh);
3851
3852 return err;
3853 }
3854
3855 #endif
3856