1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/scatterlist.h> 25 #include <linux/crypto.h> 26 #include <crypto/algapi.h> 27 #include <crypto/b128ops.h> 28 #include <crypto/hash.h> 29 30 #include <net/bluetooth/bluetooth.h> 31 #include <net/bluetooth/hci_core.h> 32 #include <net/bluetooth/l2cap.h> 33 #include <net/bluetooth/mgmt.h> 34 35 #include "ecdh_helper.h" 36 #include "smp.h" 37 38 #define SMP_DEV(hdev) \ 39 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 40 41 /* Low-level debug macros to be used for stuff that we don't want 42 * accidentially in dmesg, i.e. the values of the various crypto keys 43 * and the inputs & outputs of crypto functions. 44 */ 45 #ifdef DEBUG 46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 47 ##__VA_ARGS__) 48 #else 49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 50 ##__VA_ARGS__) 51 #endif 52 53 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 54 55 /* Keys which are not distributed with Secure Connections */ 56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY); 57 58 #define SMP_TIMEOUT msecs_to_jiffies(30000) 59 60 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 61 0x3f : 0x07) 62 #define KEY_DIST_MASK 0x07 63 64 /* Maximum message length that can be passed to aes_cmac */ 65 #define CMAC_MSG_MAX 80 66 67 enum { 68 SMP_FLAG_TK_VALID, 69 SMP_FLAG_CFM_PENDING, 70 SMP_FLAG_MITM_AUTH, 71 SMP_FLAG_COMPLETE, 72 SMP_FLAG_INITIATOR, 73 SMP_FLAG_SC, 74 SMP_FLAG_REMOTE_PK, 75 SMP_FLAG_DEBUG_KEY, 76 SMP_FLAG_WAIT_USER, 77 SMP_FLAG_DHKEY_PENDING, 78 SMP_FLAG_REMOTE_OOB, 79 SMP_FLAG_LOCAL_OOB, 80 SMP_FLAG_CT2, 81 }; 82 83 struct smp_dev { 84 /* Secure Connections OOB data */ 85 u8 local_pk[64]; 86 u8 local_sk[32]; 87 u8 local_rand[16]; 88 bool debug_key; 89 90 u8 min_key_size; 91 u8 max_key_size; 92 93 struct crypto_cipher *tfm_aes; 94 struct crypto_shash *tfm_cmac; 95 }; 96 97 struct smp_chan { 98 struct l2cap_conn *conn; 99 struct delayed_work security_timer; 100 unsigned long allow_cmd; /* Bitmask of allowed commands */ 101 102 u8 preq[7]; /* SMP Pairing Request */ 103 u8 prsp[7]; /* SMP Pairing Response */ 104 u8 prnd[16]; /* SMP Pairing Random (local) */ 105 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 106 u8 pcnf[16]; /* SMP Pairing Confirm */ 107 u8 tk[16]; /* SMP Temporary Key */ 108 u8 rr[16]; /* Remote OOB ra/rb value */ 109 u8 lr[16]; /* Local OOB ra/rb value */ 110 u8 enc_key_size; 111 u8 remote_key_dist; 112 bdaddr_t id_addr; 113 u8 id_addr_type; 114 u8 irk[16]; 115 struct smp_csrk *csrk; 116 struct smp_csrk *slave_csrk; 117 struct smp_ltk *ltk; 118 struct smp_ltk *slave_ltk; 119 struct smp_irk *remote_irk; 120 u8 *link_key; 121 unsigned long flags; 122 u8 method; 123 u8 passkey_round; 124 125 /* Secure Connections variables */ 126 u8 local_pk[64]; 127 u8 local_sk[32]; 128 u8 remote_pk[64]; 129 u8 dhkey[32]; 130 u8 mackey[16]; 131 132 struct crypto_cipher *tfm_aes; 133 struct crypto_shash *tfm_cmac; 134 }; 135 136 /* These debug key values are defined in the SMP section of the core 137 * specification. debug_pk is the public debug key and debug_sk the 138 * private debug key. 139 */ 140 static const u8 debug_pk[64] = { 141 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 142 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 143 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 144 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 145 146 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 147 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 148 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 149 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 150 }; 151 152 static const u8 debug_sk[32] = { 153 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 154 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 155 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 156 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 157 }; 158 159 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 160 { 161 size_t i; 162 163 for (i = 0; i < len; i++) 164 dst[len - 1 - i] = src[i]; 165 } 166 167 /* The following functions map to the LE SC SMP crypto functions 168 * AES-CMAC, f4, f5, f6, g2 and h6. 169 */ 170 171 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m, 172 size_t len, u8 mac[16]) 173 { 174 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 175 SHASH_DESC_ON_STACK(desc, tfm); 176 int err; 177 178 if (len > CMAC_MSG_MAX) 179 return -EFBIG; 180 181 if (!tfm) { 182 BT_ERR("tfm %p", tfm); 183 return -EINVAL; 184 } 185 186 desc->tfm = tfm; 187 desc->flags = 0; 188 189 /* Swap key and message from LSB to MSB */ 190 swap_buf(k, tmp, 16); 191 swap_buf(m, msg_msb, len); 192 193 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 194 SMP_DBG("key %16phN", k); 195 196 err = crypto_shash_setkey(tfm, tmp, 16); 197 if (err) { 198 BT_ERR("cipher setkey failed: %d", err); 199 return err; 200 } 201 202 err = crypto_shash_digest(desc, msg_msb, len, mac_msb); 203 shash_desc_zero(desc); 204 if (err) { 205 BT_ERR("Hash computation error %d", err); 206 return err; 207 } 208 209 swap_buf(mac_msb, mac, 16); 210 211 SMP_DBG("mac %16phN", mac); 212 213 return 0; 214 } 215 216 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32], 217 const u8 v[32], const u8 x[16], u8 z, u8 res[16]) 218 { 219 u8 m[65]; 220 int err; 221 222 SMP_DBG("u %32phN", u); 223 SMP_DBG("v %32phN", v); 224 SMP_DBG("x %16phN z %02x", x, z); 225 226 m[0] = z; 227 memcpy(m + 1, v, 32); 228 memcpy(m + 33, u, 32); 229 230 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 231 if (err) 232 return err; 233 234 SMP_DBG("res %16phN", res); 235 236 return err; 237 } 238 239 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32], 240 const u8 n1[16], const u8 n2[16], const u8 a1[7], 241 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 242 { 243 /* The btle, salt and length "magic" values are as defined in 244 * the SMP section of the Bluetooth core specification. In ASCII 245 * the btle value ends up being 'btle'. The salt is just a 246 * random number whereas length is the value 256 in little 247 * endian format. 248 */ 249 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 250 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 251 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 252 const u8 length[2] = { 0x00, 0x01 }; 253 u8 m[53], t[16]; 254 int err; 255 256 SMP_DBG("w %32phN", w); 257 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 258 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 259 260 err = aes_cmac(tfm_cmac, salt, w, 32, t); 261 if (err) 262 return err; 263 264 SMP_DBG("t %16phN", t); 265 266 memcpy(m, length, 2); 267 memcpy(m + 2, a2, 7); 268 memcpy(m + 9, a1, 7); 269 memcpy(m + 16, n2, 16); 270 memcpy(m + 32, n1, 16); 271 memcpy(m + 48, btle, 4); 272 273 m[52] = 0; /* Counter */ 274 275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 276 if (err) 277 return err; 278 279 SMP_DBG("mackey %16phN", mackey); 280 281 m[52] = 1; /* Counter */ 282 283 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 284 if (err) 285 return err; 286 287 SMP_DBG("ltk %16phN", ltk); 288 289 return 0; 290 } 291 292 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16], 293 const u8 n1[16], const u8 n2[16], const u8 r[16], 294 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 295 u8 res[16]) 296 { 297 u8 m[65]; 298 int err; 299 300 SMP_DBG("w %16phN", w); 301 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 302 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 303 304 memcpy(m, a2, 7); 305 memcpy(m + 7, a1, 7); 306 memcpy(m + 14, io_cap, 3); 307 memcpy(m + 17, r, 16); 308 memcpy(m + 33, n2, 16); 309 memcpy(m + 49, n1, 16); 310 311 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 312 if (err) 313 return err; 314 315 SMP_DBG("res %16phN", res); 316 317 return err; 318 } 319 320 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32], 321 const u8 x[16], const u8 y[16], u32 *val) 322 { 323 u8 m[80], tmp[16]; 324 int err; 325 326 SMP_DBG("u %32phN", u); 327 SMP_DBG("v %32phN", v); 328 SMP_DBG("x %16phN y %16phN", x, y); 329 330 memcpy(m, y, 16); 331 memcpy(m + 16, v, 32); 332 memcpy(m + 48, u, 32); 333 334 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 335 if (err) 336 return err; 337 338 *val = get_unaligned_le32(tmp); 339 *val %= 1000000; 340 341 SMP_DBG("val %06u", *val); 342 343 return 0; 344 } 345 346 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16], 347 const u8 key_id[4], u8 res[16]) 348 { 349 int err; 350 351 SMP_DBG("w %16phN key_id %4phN", w, key_id); 352 353 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 354 if (err) 355 return err; 356 357 SMP_DBG("res %16phN", res); 358 359 return err; 360 } 361 362 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16], 363 const u8 salt[16], u8 res[16]) 364 { 365 int err; 366 367 SMP_DBG("w %16phN salt %16phN", w, salt); 368 369 err = aes_cmac(tfm_cmac, salt, w, 16, res); 370 if (err) 371 return err; 372 373 SMP_DBG("res %16phN", res); 374 375 return err; 376 } 377 378 /* The following functions map to the legacy SMP crypto functions e, c1, 379 * s1 and ah. 380 */ 381 382 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r) 383 { 384 uint8_t tmp[16], data[16]; 385 int err; 386 387 SMP_DBG("k %16phN r %16phN", k, r); 388 389 if (!tfm) { 390 BT_ERR("tfm %p", tfm); 391 return -EINVAL; 392 } 393 394 /* The most significant octet of key corresponds to k[0] */ 395 swap_buf(k, tmp, 16); 396 397 err = crypto_cipher_setkey(tfm, tmp, 16); 398 if (err) { 399 BT_ERR("cipher setkey failed: %d", err); 400 return err; 401 } 402 403 /* Most significant octet of plaintextData corresponds to data[0] */ 404 swap_buf(r, data, 16); 405 406 crypto_cipher_encrypt_one(tfm, data, data); 407 408 /* Most significant octet of encryptedData corresponds to data[0] */ 409 swap_buf(data, r, 16); 410 411 SMP_DBG("r %16phN", r); 412 413 return err; 414 } 415 416 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16], 417 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 418 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 419 { 420 u8 p1[16], p2[16]; 421 int err; 422 423 SMP_DBG("k %16phN r %16phN", k, r); 424 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 425 SMP_DBG("preq %7phN pres %7phN", preq, pres); 426 427 memset(p1, 0, 16); 428 429 /* p1 = pres || preq || _rat || _iat */ 430 p1[0] = _iat; 431 p1[1] = _rat; 432 memcpy(p1 + 2, preq, 7); 433 memcpy(p1 + 9, pres, 7); 434 435 SMP_DBG("p1 %16phN", p1); 436 437 /* res = r XOR p1 */ 438 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 439 440 /* res = e(k, res) */ 441 err = smp_e(tfm_aes, k, res); 442 if (err) { 443 BT_ERR("Encrypt data error"); 444 return err; 445 } 446 447 /* p2 = padding || ia || ra */ 448 memcpy(p2, ra, 6); 449 memcpy(p2 + 6, ia, 6); 450 memset(p2 + 12, 0, 4); 451 452 SMP_DBG("p2 %16phN", p2); 453 454 /* res = res XOR p2 */ 455 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 456 457 /* res = e(k, res) */ 458 err = smp_e(tfm_aes, k, res); 459 if (err) 460 BT_ERR("Encrypt data error"); 461 462 return err; 463 } 464 465 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16], 466 const u8 r1[16], const u8 r2[16], u8 _r[16]) 467 { 468 int err; 469 470 /* Just least significant octets from r1 and r2 are considered */ 471 memcpy(_r, r2, 8); 472 memcpy(_r + 8, r1, 8); 473 474 err = smp_e(tfm_aes, k, _r); 475 if (err) 476 BT_ERR("Encrypt data error"); 477 478 return err; 479 } 480 481 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16], 482 const u8 r[3], u8 res[3]) 483 { 484 u8 _res[16]; 485 int err; 486 487 /* r' = padding || r */ 488 memcpy(_res, r, 3); 489 memset(_res + 3, 0, 13); 490 491 err = smp_e(tfm, irk, _res); 492 if (err) { 493 BT_ERR("Encrypt error"); 494 return err; 495 } 496 497 /* The output of the random address function ah is: 498 * ah(k, r) = e(k, r') mod 2^24 499 * The output of the security function e is then truncated to 24 bits 500 * by taking the least significant 24 bits of the output of e as the 501 * result of ah. 502 */ 503 memcpy(res, _res, 3); 504 505 return 0; 506 } 507 508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 509 const bdaddr_t *bdaddr) 510 { 511 struct l2cap_chan *chan = hdev->smp_data; 512 struct smp_dev *smp; 513 u8 hash[3]; 514 int err; 515 516 if (!chan || !chan->data) 517 return false; 518 519 smp = chan->data; 520 521 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 522 523 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash); 524 if (err) 525 return false; 526 527 return !crypto_memneq(bdaddr->b, hash, 3); 528 } 529 530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 531 { 532 struct l2cap_chan *chan = hdev->smp_data; 533 struct smp_dev *smp; 534 int err; 535 536 if (!chan || !chan->data) 537 return -EOPNOTSUPP; 538 539 smp = chan->data; 540 541 get_random_bytes(&rpa->b[3], 3); 542 543 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 544 rpa->b[5] |= 0x40; /* Set second most significant bit */ 545 546 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b); 547 if (err < 0) 548 return err; 549 550 BT_DBG("RPA %pMR", rpa); 551 552 return 0; 553 } 554 555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 556 { 557 struct l2cap_chan *chan = hdev->smp_data; 558 struct smp_dev *smp; 559 int err; 560 561 if (!chan || !chan->data) 562 return -EOPNOTSUPP; 563 564 smp = chan->data; 565 566 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 567 BT_DBG("Using debug keys"); 568 memcpy(smp->local_pk, debug_pk, 64); 569 memcpy(smp->local_sk, debug_sk, 32); 570 smp->debug_key = true; 571 } else { 572 while (true) { 573 /* Seed private key with random number */ 574 get_random_bytes(smp->local_sk, 32); 575 576 /* Generate local key pair for Secure Connections */ 577 if (!generate_ecdh_keys(smp->local_pk, smp->local_sk)) 578 return -EIO; 579 580 /* This is unlikely, but we need to check that 581 * we didn't accidentially generate a debug key. 582 */ 583 if (crypto_memneq(smp->local_sk, debug_sk, 32)) 584 break; 585 } 586 smp->debug_key = false; 587 } 588 589 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 590 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 591 SMP_DBG("OOB Private Key: %32phN", smp->local_sk); 592 593 get_random_bytes(smp->local_rand, 16); 594 595 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 596 smp->local_rand, 0, hash); 597 if (err < 0) 598 return err; 599 600 memcpy(rand, smp->local_rand, 16); 601 602 return 0; 603 } 604 605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 606 { 607 struct l2cap_chan *chan = conn->smp; 608 struct smp_chan *smp; 609 struct kvec iv[2]; 610 struct msghdr msg; 611 612 if (!chan) 613 return; 614 615 BT_DBG("code 0x%2.2x", code); 616 617 iv[0].iov_base = &code; 618 iv[0].iov_len = 1; 619 620 iv[1].iov_base = data; 621 iv[1].iov_len = len; 622 623 memset(&msg, 0, sizeof(msg)); 624 625 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len); 626 627 l2cap_chan_send(chan, &msg, 1 + len); 628 629 if (!chan->data) 630 return; 631 632 smp = chan->data; 633 634 cancel_delayed_work_sync(&smp->security_timer); 635 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 636 } 637 638 static u8 authreq_to_seclevel(u8 authreq) 639 { 640 if (authreq & SMP_AUTH_MITM) { 641 if (authreq & SMP_AUTH_SC) 642 return BT_SECURITY_FIPS; 643 else 644 return BT_SECURITY_HIGH; 645 } else { 646 return BT_SECURITY_MEDIUM; 647 } 648 } 649 650 static __u8 seclevel_to_authreq(__u8 sec_level) 651 { 652 switch (sec_level) { 653 case BT_SECURITY_FIPS: 654 case BT_SECURITY_HIGH: 655 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 656 case BT_SECURITY_MEDIUM: 657 return SMP_AUTH_BONDING; 658 default: 659 return SMP_AUTH_NONE; 660 } 661 } 662 663 static void build_pairing_cmd(struct l2cap_conn *conn, 664 struct smp_cmd_pairing *req, 665 struct smp_cmd_pairing *rsp, __u8 authreq) 666 { 667 struct l2cap_chan *chan = conn->smp; 668 struct smp_chan *smp = chan->data; 669 struct hci_conn *hcon = conn->hcon; 670 struct hci_dev *hdev = hcon->hdev; 671 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 672 673 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 674 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 675 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 676 authreq |= SMP_AUTH_BONDING; 677 } else { 678 authreq &= ~SMP_AUTH_BONDING; 679 } 680 681 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 682 remote_dist |= SMP_DIST_ID_KEY; 683 684 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 685 local_dist |= SMP_DIST_ID_KEY; 686 687 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 688 (authreq & SMP_AUTH_SC)) { 689 struct oob_data *oob_data; 690 u8 bdaddr_type; 691 692 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 693 local_dist |= SMP_DIST_LINK_KEY; 694 remote_dist |= SMP_DIST_LINK_KEY; 695 } 696 697 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 698 bdaddr_type = BDADDR_LE_PUBLIC; 699 else 700 bdaddr_type = BDADDR_LE_RANDOM; 701 702 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 703 bdaddr_type); 704 if (oob_data && oob_data->present) { 705 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 706 oob_flag = SMP_OOB_PRESENT; 707 memcpy(smp->rr, oob_data->rand256, 16); 708 memcpy(smp->pcnf, oob_data->hash256, 16); 709 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 710 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 711 } 712 713 } else { 714 authreq &= ~SMP_AUTH_SC; 715 } 716 717 if (rsp == NULL) { 718 req->io_capability = conn->hcon->io_capability; 719 req->oob_flag = oob_flag; 720 req->max_key_size = SMP_DEV(hdev)->max_key_size; 721 req->init_key_dist = local_dist; 722 req->resp_key_dist = remote_dist; 723 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 724 725 smp->remote_key_dist = remote_dist; 726 return; 727 } 728 729 rsp->io_capability = conn->hcon->io_capability; 730 rsp->oob_flag = oob_flag; 731 rsp->max_key_size = SMP_DEV(hdev)->max_key_size; 732 rsp->init_key_dist = req->init_key_dist & remote_dist; 733 rsp->resp_key_dist = req->resp_key_dist & local_dist; 734 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 735 736 smp->remote_key_dist = rsp->init_key_dist; 737 } 738 739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 740 { 741 struct l2cap_chan *chan = conn->smp; 742 struct hci_dev *hdev = conn->hcon->hdev; 743 struct smp_chan *smp = chan->data; 744 745 if (max_key_size > SMP_DEV(hdev)->max_key_size || 746 max_key_size < SMP_MIN_ENC_KEY_SIZE) 747 return SMP_ENC_KEY_SIZE; 748 749 smp->enc_key_size = max_key_size; 750 751 return 0; 752 } 753 754 static void smp_chan_destroy(struct l2cap_conn *conn) 755 { 756 struct l2cap_chan *chan = conn->smp; 757 struct smp_chan *smp = chan->data; 758 struct hci_conn *hcon = conn->hcon; 759 bool complete; 760 761 BUG_ON(!smp); 762 763 cancel_delayed_work_sync(&smp->security_timer); 764 765 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 766 mgmt_smp_complete(hcon, complete); 767 768 kzfree(smp->csrk); 769 kzfree(smp->slave_csrk); 770 kzfree(smp->link_key); 771 772 crypto_free_cipher(smp->tfm_aes); 773 crypto_free_shash(smp->tfm_cmac); 774 775 /* Ensure that we don't leave any debug key around if debug key 776 * support hasn't been explicitly enabled. 777 */ 778 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 779 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 780 list_del_rcu(&smp->ltk->list); 781 kfree_rcu(smp->ltk, rcu); 782 smp->ltk = NULL; 783 } 784 785 /* If pairing failed clean up any keys we might have */ 786 if (!complete) { 787 if (smp->ltk) { 788 list_del_rcu(&smp->ltk->list); 789 kfree_rcu(smp->ltk, rcu); 790 } 791 792 if (smp->slave_ltk) { 793 list_del_rcu(&smp->slave_ltk->list); 794 kfree_rcu(smp->slave_ltk, rcu); 795 } 796 797 if (smp->remote_irk) { 798 list_del_rcu(&smp->remote_irk->list); 799 kfree_rcu(smp->remote_irk, rcu); 800 } 801 } 802 803 chan->data = NULL; 804 kzfree(smp); 805 hci_conn_drop(hcon); 806 } 807 808 static void smp_failure(struct l2cap_conn *conn, u8 reason) 809 { 810 struct hci_conn *hcon = conn->hcon; 811 struct l2cap_chan *chan = conn->smp; 812 813 if (reason) 814 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 815 &reason); 816 817 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 818 819 if (chan->data) 820 smp_chan_destroy(conn); 821 } 822 823 #define JUST_WORKS 0x00 824 #define JUST_CFM 0x01 825 #define REQ_PASSKEY 0x02 826 #define CFM_PASSKEY 0x03 827 #define REQ_OOB 0x04 828 #define DSP_PASSKEY 0x05 829 #define OVERLAP 0xFF 830 831 static const u8 gen_method[5][5] = { 832 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 833 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 834 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 835 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 836 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 837 }; 838 839 static const u8 sc_method[5][5] = { 840 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 841 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 842 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 843 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 844 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 845 }; 846 847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 848 { 849 /* If either side has unknown io_caps, use JUST_CFM (which gets 850 * converted later to JUST_WORKS if we're initiators. 851 */ 852 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 853 remote_io > SMP_IO_KEYBOARD_DISPLAY) 854 return JUST_CFM; 855 856 if (test_bit(SMP_FLAG_SC, &smp->flags)) 857 return sc_method[remote_io][local_io]; 858 859 return gen_method[remote_io][local_io]; 860 } 861 862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 863 u8 local_io, u8 remote_io) 864 { 865 struct hci_conn *hcon = conn->hcon; 866 struct l2cap_chan *chan = conn->smp; 867 struct smp_chan *smp = chan->data; 868 u32 passkey = 0; 869 int ret = 0; 870 871 /* Initialize key for JUST WORKS */ 872 memset(smp->tk, 0, sizeof(smp->tk)); 873 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 874 875 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 876 877 /* If neither side wants MITM, either "just" confirm an incoming 878 * request or use just-works for outgoing ones. The JUST_CFM 879 * will be converted to JUST_WORKS if necessary later in this 880 * function. If either side has MITM look up the method from the 881 * table. 882 */ 883 if (!(auth & SMP_AUTH_MITM)) 884 smp->method = JUST_CFM; 885 else 886 smp->method = get_auth_method(smp, local_io, remote_io); 887 888 /* Don't confirm locally initiated pairing attempts */ 889 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 890 &smp->flags)) 891 smp->method = JUST_WORKS; 892 893 /* Don't bother user space with no IO capabilities */ 894 if (smp->method == JUST_CFM && 895 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 896 smp->method = JUST_WORKS; 897 898 /* If Just Works, Continue with Zero TK */ 899 if (smp->method == JUST_WORKS) { 900 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 901 return 0; 902 } 903 904 /* If this function is used for SC -> legacy fallback we 905 * can only recover the just-works case. 906 */ 907 if (test_bit(SMP_FLAG_SC, &smp->flags)) 908 return -EINVAL; 909 910 /* Not Just Works/Confirm results in MITM Authentication */ 911 if (smp->method != JUST_CFM) { 912 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 913 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 914 hcon->pending_sec_level = BT_SECURITY_HIGH; 915 } 916 917 /* If both devices have Keyoard-Display I/O, the master 918 * Confirms and the slave Enters the passkey. 919 */ 920 if (smp->method == OVERLAP) { 921 if (hcon->role == HCI_ROLE_MASTER) 922 smp->method = CFM_PASSKEY; 923 else 924 smp->method = REQ_PASSKEY; 925 } 926 927 /* Generate random passkey. */ 928 if (smp->method == CFM_PASSKEY) { 929 memset(smp->tk, 0, sizeof(smp->tk)); 930 get_random_bytes(&passkey, sizeof(passkey)); 931 passkey %= 1000000; 932 put_unaligned_le32(passkey, smp->tk); 933 BT_DBG("PassKey: %d", passkey); 934 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 935 } 936 937 if (smp->method == REQ_PASSKEY) 938 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 939 hcon->type, hcon->dst_type); 940 else if (smp->method == JUST_CFM) 941 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 942 hcon->type, hcon->dst_type, 943 passkey, 1); 944 else 945 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 946 hcon->type, hcon->dst_type, 947 passkey, 0); 948 949 return ret; 950 } 951 952 static u8 smp_confirm(struct smp_chan *smp) 953 { 954 struct l2cap_conn *conn = smp->conn; 955 struct smp_cmd_pairing_confirm cp; 956 int ret; 957 958 BT_DBG("conn %p", conn); 959 960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp, 961 conn->hcon->init_addr_type, &conn->hcon->init_addr, 962 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 963 cp.confirm_val); 964 if (ret) 965 return SMP_UNSPECIFIED; 966 967 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 968 969 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 970 971 if (conn->hcon->out) 972 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 973 else 974 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 975 976 return 0; 977 } 978 979 static u8 smp_random(struct smp_chan *smp) 980 { 981 struct l2cap_conn *conn = smp->conn; 982 struct hci_conn *hcon = conn->hcon; 983 u8 confirm[16]; 984 int ret; 985 986 if (IS_ERR_OR_NULL(smp->tfm_aes)) 987 return SMP_UNSPECIFIED; 988 989 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 990 991 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp, 992 hcon->init_addr_type, &hcon->init_addr, 993 hcon->resp_addr_type, &hcon->resp_addr, confirm); 994 if (ret) 995 return SMP_UNSPECIFIED; 996 997 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 998 BT_ERR("Pairing failed (confirmation values mismatch)"); 999 return SMP_CONFIRM_FAILED; 1000 } 1001 1002 if (hcon->out) { 1003 u8 stk[16]; 1004 __le64 rand = 0; 1005 __le16 ediv = 0; 1006 1007 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk); 1008 1009 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1010 return SMP_UNSPECIFIED; 1011 1012 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 1013 hcon->enc_key_size = smp->enc_key_size; 1014 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 1015 } else { 1016 u8 stk[16], auth; 1017 __le64 rand = 0; 1018 __le16 ediv = 0; 1019 1020 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1021 smp->prnd); 1022 1023 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk); 1024 1025 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1026 auth = 1; 1027 else 1028 auth = 0; 1029 1030 /* Even though there's no _SLAVE suffix this is the 1031 * slave STK we're adding for later lookup (the master 1032 * STK never needs to be stored). 1033 */ 1034 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1035 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1036 } 1037 1038 return 0; 1039 } 1040 1041 static void smp_notify_keys(struct l2cap_conn *conn) 1042 { 1043 struct l2cap_chan *chan = conn->smp; 1044 struct smp_chan *smp = chan->data; 1045 struct hci_conn *hcon = conn->hcon; 1046 struct hci_dev *hdev = hcon->hdev; 1047 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1048 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1049 bool persistent; 1050 1051 if (hcon->type == ACL_LINK) { 1052 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1053 persistent = false; 1054 else 1055 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1056 &hcon->flags); 1057 } else { 1058 /* The LTKs, IRKs and CSRKs should be persistent only if 1059 * both sides had the bonding bit set in their 1060 * authentication requests. 1061 */ 1062 persistent = !!((req->auth_req & rsp->auth_req) & 1063 SMP_AUTH_BONDING); 1064 } 1065 1066 if (smp->remote_irk) { 1067 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1068 1069 /* Now that user space can be considered to know the 1070 * identity address track the connection based on it 1071 * from now on (assuming this is an LE link). 1072 */ 1073 if (hcon->type == LE_LINK) { 1074 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1075 hcon->dst_type = smp->remote_irk->addr_type; 1076 queue_work(hdev->workqueue, &conn->id_addr_update_work); 1077 } 1078 } 1079 1080 if (smp->csrk) { 1081 smp->csrk->bdaddr_type = hcon->dst_type; 1082 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1083 mgmt_new_csrk(hdev, smp->csrk, persistent); 1084 } 1085 1086 if (smp->slave_csrk) { 1087 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1088 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1089 mgmt_new_csrk(hdev, smp->slave_csrk, persistent); 1090 } 1091 1092 if (smp->ltk) { 1093 smp->ltk->bdaddr_type = hcon->dst_type; 1094 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1095 mgmt_new_ltk(hdev, smp->ltk, persistent); 1096 } 1097 1098 if (smp->slave_ltk) { 1099 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1100 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1101 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1102 } 1103 1104 if (smp->link_key) { 1105 struct link_key *key; 1106 u8 type; 1107 1108 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1109 type = HCI_LK_DEBUG_COMBINATION; 1110 else if (hcon->sec_level == BT_SECURITY_FIPS) 1111 type = HCI_LK_AUTH_COMBINATION_P256; 1112 else 1113 type = HCI_LK_UNAUTH_COMBINATION_P256; 1114 1115 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1116 smp->link_key, type, 0, &persistent); 1117 if (key) { 1118 mgmt_new_link_key(hdev, key, persistent); 1119 1120 /* Don't keep debug keys around if the relevant 1121 * flag is not set. 1122 */ 1123 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1124 key->type == HCI_LK_DEBUG_COMBINATION) { 1125 list_del_rcu(&key->list); 1126 kfree_rcu(key, rcu); 1127 } 1128 } 1129 } 1130 } 1131 1132 static void sc_add_ltk(struct smp_chan *smp) 1133 { 1134 struct hci_conn *hcon = smp->conn->hcon; 1135 u8 key_type, auth; 1136 1137 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1138 key_type = SMP_LTK_P256_DEBUG; 1139 else 1140 key_type = SMP_LTK_P256; 1141 1142 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1143 auth = 1; 1144 else 1145 auth = 0; 1146 1147 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1148 key_type, auth, smp->tk, smp->enc_key_size, 1149 0, 0); 1150 } 1151 1152 static void sc_generate_link_key(struct smp_chan *smp) 1153 { 1154 /* From core spec. Spells out in ASCII as 'lebr'. */ 1155 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1156 1157 smp->link_key = kzalloc(16, GFP_KERNEL); 1158 if (!smp->link_key) 1159 return; 1160 1161 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1162 /* SALT = 0x00000000000000000000000000000000746D7031 */ 1163 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1164 1165 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) { 1166 kzfree(smp->link_key); 1167 smp->link_key = NULL; 1168 return; 1169 } 1170 } else { 1171 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1172 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1173 1174 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1175 kzfree(smp->link_key); 1176 smp->link_key = NULL; 1177 return; 1178 } 1179 } 1180 1181 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1182 kzfree(smp->link_key); 1183 smp->link_key = NULL; 1184 return; 1185 } 1186 } 1187 1188 static void smp_allow_key_dist(struct smp_chan *smp) 1189 { 1190 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1191 * will be allowed in each PDU handler to ensure we receive 1192 * them in the correct order. 1193 */ 1194 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1195 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1196 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1197 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1198 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1199 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1200 } 1201 1202 static void sc_generate_ltk(struct smp_chan *smp) 1203 { 1204 /* From core spec. Spells out in ASCII as 'brle'. */ 1205 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1206 struct hci_conn *hcon = smp->conn->hcon; 1207 struct hci_dev *hdev = hcon->hdev; 1208 struct link_key *key; 1209 1210 key = hci_find_link_key(hdev, &hcon->dst); 1211 if (!key) { 1212 BT_ERR("%s No Link Key found to generate LTK", hdev->name); 1213 return; 1214 } 1215 1216 if (key->type == HCI_LK_DEBUG_COMBINATION) 1217 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1218 1219 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1220 /* SALT = 0x00000000000000000000000000000000746D7032 */ 1221 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 }; 1222 1223 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk)) 1224 return; 1225 } else { 1226 /* From core spec. Spells out in ASCII as 'tmp2'. */ 1227 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1228 1229 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1230 return; 1231 } 1232 1233 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1234 return; 1235 1236 sc_add_ltk(smp); 1237 } 1238 1239 static void smp_distribute_keys(struct smp_chan *smp) 1240 { 1241 struct smp_cmd_pairing *req, *rsp; 1242 struct l2cap_conn *conn = smp->conn; 1243 struct hci_conn *hcon = conn->hcon; 1244 struct hci_dev *hdev = hcon->hdev; 1245 __u8 *keydist; 1246 1247 BT_DBG("conn %p", conn); 1248 1249 rsp = (void *) &smp->prsp[1]; 1250 1251 /* The responder sends its keys first */ 1252 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1253 smp_allow_key_dist(smp); 1254 return; 1255 } 1256 1257 req = (void *) &smp->preq[1]; 1258 1259 if (hcon->out) { 1260 keydist = &rsp->init_key_dist; 1261 *keydist &= req->init_key_dist; 1262 } else { 1263 keydist = &rsp->resp_key_dist; 1264 *keydist &= req->resp_key_dist; 1265 } 1266 1267 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1268 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1269 sc_generate_link_key(smp); 1270 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1271 sc_generate_ltk(smp); 1272 1273 /* Clear the keys which are generated but not distributed */ 1274 *keydist &= ~SMP_SC_NO_DIST; 1275 } 1276 1277 BT_DBG("keydist 0x%x", *keydist); 1278 1279 if (*keydist & SMP_DIST_ENC_KEY) { 1280 struct smp_cmd_encrypt_info enc; 1281 struct smp_cmd_master_ident ident; 1282 struct smp_ltk *ltk; 1283 u8 authenticated; 1284 __le16 ediv; 1285 __le64 rand; 1286 1287 /* Make sure we generate only the significant amount of 1288 * bytes based on the encryption key size, and set the rest 1289 * of the value to zeroes. 1290 */ 1291 get_random_bytes(enc.ltk, smp->enc_key_size); 1292 memset(enc.ltk + smp->enc_key_size, 0, 1293 sizeof(enc.ltk) - smp->enc_key_size); 1294 1295 get_random_bytes(&ediv, sizeof(ediv)); 1296 get_random_bytes(&rand, sizeof(rand)); 1297 1298 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1299 1300 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1301 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1302 SMP_LTK_SLAVE, authenticated, enc.ltk, 1303 smp->enc_key_size, ediv, rand); 1304 smp->slave_ltk = ltk; 1305 1306 ident.ediv = ediv; 1307 ident.rand = rand; 1308 1309 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1310 1311 *keydist &= ~SMP_DIST_ENC_KEY; 1312 } 1313 1314 if (*keydist & SMP_DIST_ID_KEY) { 1315 struct smp_cmd_ident_addr_info addrinfo; 1316 struct smp_cmd_ident_info idinfo; 1317 1318 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1319 1320 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1321 1322 /* The hci_conn contains the local identity address 1323 * after the connection has been established. 1324 * 1325 * This is true even when the connection has been 1326 * established using a resolvable random address. 1327 */ 1328 bacpy(&addrinfo.bdaddr, &hcon->src); 1329 addrinfo.addr_type = hcon->src_type; 1330 1331 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1332 &addrinfo); 1333 1334 *keydist &= ~SMP_DIST_ID_KEY; 1335 } 1336 1337 if (*keydist & SMP_DIST_SIGN) { 1338 struct smp_cmd_sign_info sign; 1339 struct smp_csrk *csrk; 1340 1341 /* Generate a new random key */ 1342 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1343 1344 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1345 if (csrk) { 1346 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1347 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1348 else 1349 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1350 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1351 } 1352 smp->slave_csrk = csrk; 1353 1354 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1355 1356 *keydist &= ~SMP_DIST_SIGN; 1357 } 1358 1359 /* If there are still keys to be received wait for them */ 1360 if (smp->remote_key_dist & KEY_DIST_MASK) { 1361 smp_allow_key_dist(smp); 1362 return; 1363 } 1364 1365 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1366 smp_notify_keys(conn); 1367 1368 smp_chan_destroy(conn); 1369 } 1370 1371 static void smp_timeout(struct work_struct *work) 1372 { 1373 struct smp_chan *smp = container_of(work, struct smp_chan, 1374 security_timer.work); 1375 struct l2cap_conn *conn = smp->conn; 1376 1377 BT_DBG("conn %p", conn); 1378 1379 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1380 } 1381 1382 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1383 { 1384 struct l2cap_chan *chan = conn->smp; 1385 struct smp_chan *smp; 1386 1387 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1388 if (!smp) 1389 return NULL; 1390 1391 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 1392 if (IS_ERR(smp->tfm_aes)) { 1393 BT_ERR("Unable to create AES crypto context"); 1394 kzfree(smp); 1395 return NULL; 1396 } 1397 1398 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1399 if (IS_ERR(smp->tfm_cmac)) { 1400 BT_ERR("Unable to create CMAC crypto context"); 1401 crypto_free_cipher(smp->tfm_aes); 1402 kzfree(smp); 1403 return NULL; 1404 } 1405 1406 smp->conn = conn; 1407 chan->data = smp; 1408 1409 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1410 1411 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1412 1413 hci_conn_hold(conn->hcon); 1414 1415 return smp; 1416 } 1417 1418 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1419 { 1420 struct hci_conn *hcon = smp->conn->hcon; 1421 u8 *na, *nb, a[7], b[7]; 1422 1423 if (hcon->out) { 1424 na = smp->prnd; 1425 nb = smp->rrnd; 1426 } else { 1427 na = smp->rrnd; 1428 nb = smp->prnd; 1429 } 1430 1431 memcpy(a, &hcon->init_addr, 6); 1432 memcpy(b, &hcon->resp_addr, 6); 1433 a[6] = hcon->init_addr_type; 1434 b[6] = hcon->resp_addr_type; 1435 1436 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1437 } 1438 1439 static void sc_dhkey_check(struct smp_chan *smp) 1440 { 1441 struct hci_conn *hcon = smp->conn->hcon; 1442 struct smp_cmd_dhkey_check check; 1443 u8 a[7], b[7], *local_addr, *remote_addr; 1444 u8 io_cap[3], r[16]; 1445 1446 memcpy(a, &hcon->init_addr, 6); 1447 memcpy(b, &hcon->resp_addr, 6); 1448 a[6] = hcon->init_addr_type; 1449 b[6] = hcon->resp_addr_type; 1450 1451 if (hcon->out) { 1452 local_addr = a; 1453 remote_addr = b; 1454 memcpy(io_cap, &smp->preq[1], 3); 1455 } else { 1456 local_addr = b; 1457 remote_addr = a; 1458 memcpy(io_cap, &smp->prsp[1], 3); 1459 } 1460 1461 memset(r, 0, sizeof(r)); 1462 1463 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1464 put_unaligned_le32(hcon->passkey_notify, r); 1465 1466 if (smp->method == REQ_OOB) 1467 memcpy(r, smp->rr, 16); 1468 1469 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1470 local_addr, remote_addr, check.e); 1471 1472 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1473 } 1474 1475 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1476 { 1477 struct l2cap_conn *conn = smp->conn; 1478 struct hci_conn *hcon = conn->hcon; 1479 struct smp_cmd_pairing_confirm cfm; 1480 u8 r; 1481 1482 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1483 r |= 0x80; 1484 1485 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1486 1487 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1488 cfm.confirm_val)) 1489 return SMP_UNSPECIFIED; 1490 1491 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1492 1493 return 0; 1494 } 1495 1496 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1497 { 1498 struct l2cap_conn *conn = smp->conn; 1499 struct hci_conn *hcon = conn->hcon; 1500 struct hci_dev *hdev = hcon->hdev; 1501 u8 cfm[16], r; 1502 1503 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1504 if (smp->passkey_round >= 20) 1505 return 0; 1506 1507 switch (smp_op) { 1508 case SMP_CMD_PAIRING_RANDOM: 1509 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1510 r |= 0x80; 1511 1512 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1513 smp->rrnd, r, cfm)) 1514 return SMP_UNSPECIFIED; 1515 1516 if (crypto_memneq(smp->pcnf, cfm, 16)) 1517 return SMP_CONFIRM_FAILED; 1518 1519 smp->passkey_round++; 1520 1521 if (smp->passkey_round == 20) { 1522 /* Generate MacKey and LTK */ 1523 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1524 return SMP_UNSPECIFIED; 1525 } 1526 1527 /* The round is only complete when the initiator 1528 * receives pairing random. 1529 */ 1530 if (!hcon->out) { 1531 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1532 sizeof(smp->prnd), smp->prnd); 1533 if (smp->passkey_round == 20) 1534 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1535 else 1536 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1537 return 0; 1538 } 1539 1540 /* Start the next round */ 1541 if (smp->passkey_round != 20) 1542 return sc_passkey_round(smp, 0); 1543 1544 /* Passkey rounds are complete - start DHKey Check */ 1545 sc_dhkey_check(smp); 1546 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1547 1548 break; 1549 1550 case SMP_CMD_PAIRING_CONFIRM: 1551 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1552 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1553 return 0; 1554 } 1555 1556 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1557 1558 if (hcon->out) { 1559 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1560 sizeof(smp->prnd), smp->prnd); 1561 return 0; 1562 } 1563 1564 return sc_passkey_send_confirm(smp); 1565 1566 case SMP_CMD_PUBLIC_KEY: 1567 default: 1568 /* Initiating device starts the round */ 1569 if (!hcon->out) 1570 return 0; 1571 1572 BT_DBG("%s Starting passkey round %u", hdev->name, 1573 smp->passkey_round + 1); 1574 1575 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1576 1577 return sc_passkey_send_confirm(smp); 1578 } 1579 1580 return 0; 1581 } 1582 1583 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1584 { 1585 struct l2cap_conn *conn = smp->conn; 1586 struct hci_conn *hcon = conn->hcon; 1587 u8 smp_op; 1588 1589 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1590 1591 switch (mgmt_op) { 1592 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1593 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1594 return 0; 1595 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1596 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1597 return 0; 1598 case MGMT_OP_USER_PASSKEY_REPLY: 1599 hcon->passkey_notify = le32_to_cpu(passkey); 1600 smp->passkey_round = 0; 1601 1602 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1603 smp_op = SMP_CMD_PAIRING_CONFIRM; 1604 else 1605 smp_op = 0; 1606 1607 if (sc_passkey_round(smp, smp_op)) 1608 return -EIO; 1609 1610 return 0; 1611 } 1612 1613 /* Initiator sends DHKey check first */ 1614 if (hcon->out) { 1615 sc_dhkey_check(smp); 1616 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1617 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1618 sc_dhkey_check(smp); 1619 sc_add_ltk(smp); 1620 } 1621 1622 return 0; 1623 } 1624 1625 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1626 { 1627 struct l2cap_conn *conn = hcon->l2cap_data; 1628 struct l2cap_chan *chan; 1629 struct smp_chan *smp; 1630 u32 value; 1631 int err; 1632 1633 BT_DBG(""); 1634 1635 if (!conn) 1636 return -ENOTCONN; 1637 1638 chan = conn->smp; 1639 if (!chan) 1640 return -ENOTCONN; 1641 1642 l2cap_chan_lock(chan); 1643 if (!chan->data) { 1644 err = -ENOTCONN; 1645 goto unlock; 1646 } 1647 1648 smp = chan->data; 1649 1650 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1651 err = sc_user_reply(smp, mgmt_op, passkey); 1652 goto unlock; 1653 } 1654 1655 switch (mgmt_op) { 1656 case MGMT_OP_USER_PASSKEY_REPLY: 1657 value = le32_to_cpu(passkey); 1658 memset(smp->tk, 0, sizeof(smp->tk)); 1659 BT_DBG("PassKey: %d", value); 1660 put_unaligned_le32(value, smp->tk); 1661 /* Fall Through */ 1662 case MGMT_OP_USER_CONFIRM_REPLY: 1663 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1664 break; 1665 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1666 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1667 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1668 err = 0; 1669 goto unlock; 1670 default: 1671 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1672 err = -EOPNOTSUPP; 1673 goto unlock; 1674 } 1675 1676 err = 0; 1677 1678 /* If it is our turn to send Pairing Confirm, do so now */ 1679 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1680 u8 rsp = smp_confirm(smp); 1681 if (rsp) 1682 smp_failure(conn, rsp); 1683 } 1684 1685 unlock: 1686 l2cap_chan_unlock(chan); 1687 return err; 1688 } 1689 1690 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1691 struct smp_cmd_pairing *req, 1692 struct smp_cmd_pairing *rsp) 1693 { 1694 struct l2cap_conn *conn = smp->conn; 1695 struct hci_dev *hdev = conn->hcon->hdev; 1696 u8 local_dist = 0, remote_dist = 0; 1697 1698 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1699 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1700 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1701 } 1702 1703 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1704 remote_dist |= SMP_DIST_ID_KEY; 1705 1706 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1707 local_dist |= SMP_DIST_ID_KEY; 1708 1709 if (!rsp) { 1710 memset(req, 0, sizeof(*req)); 1711 1712 req->auth_req = SMP_AUTH_CT2; 1713 req->init_key_dist = local_dist; 1714 req->resp_key_dist = remote_dist; 1715 req->max_key_size = conn->hcon->enc_key_size; 1716 1717 smp->remote_key_dist = remote_dist; 1718 1719 return; 1720 } 1721 1722 memset(rsp, 0, sizeof(*rsp)); 1723 1724 rsp->auth_req = SMP_AUTH_CT2; 1725 rsp->max_key_size = conn->hcon->enc_key_size; 1726 rsp->init_key_dist = req->init_key_dist & remote_dist; 1727 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1728 1729 smp->remote_key_dist = rsp->init_key_dist; 1730 } 1731 1732 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1733 { 1734 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1735 struct l2cap_chan *chan = conn->smp; 1736 struct hci_dev *hdev = conn->hcon->hdev; 1737 struct smp_chan *smp; 1738 u8 key_size, auth, sec_level; 1739 int ret; 1740 1741 BT_DBG("conn %p", conn); 1742 1743 if (skb->len < sizeof(*req)) 1744 return SMP_INVALID_PARAMS; 1745 1746 if (conn->hcon->role != HCI_ROLE_SLAVE) 1747 return SMP_CMD_NOTSUPP; 1748 1749 if (!chan->data) 1750 smp = smp_chan_create(conn); 1751 else 1752 smp = chan->data; 1753 1754 if (!smp) 1755 return SMP_UNSPECIFIED; 1756 1757 /* We didn't start the pairing, so match remote */ 1758 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1759 1760 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1761 (auth & SMP_AUTH_BONDING)) 1762 return SMP_PAIRING_NOTSUPP; 1763 1764 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1765 return SMP_AUTH_REQUIREMENTS; 1766 1767 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1768 memcpy(&smp->preq[1], req, sizeof(*req)); 1769 skb_pull(skb, sizeof(*req)); 1770 1771 /* If the remote side's OOB flag is set it means it has 1772 * successfully received our local OOB data - therefore set the 1773 * flag to indicate that local OOB is in use. 1774 */ 1775 if (req->oob_flag == SMP_OOB_PRESENT) 1776 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1777 1778 /* SMP over BR/EDR requires special treatment */ 1779 if (conn->hcon->type == ACL_LINK) { 1780 /* We must have a BR/EDR SC link */ 1781 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1782 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1783 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1784 1785 set_bit(SMP_FLAG_SC, &smp->flags); 1786 1787 build_bredr_pairing_cmd(smp, req, &rsp); 1788 1789 if (req->auth_req & SMP_AUTH_CT2) 1790 set_bit(SMP_FLAG_CT2, &smp->flags); 1791 1792 key_size = min(req->max_key_size, rsp.max_key_size); 1793 if (check_enc_key_size(conn, key_size)) 1794 return SMP_ENC_KEY_SIZE; 1795 1796 /* Clear bits which are generated but not distributed */ 1797 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1798 1799 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1800 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1801 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1802 1803 smp_distribute_keys(smp); 1804 return 0; 1805 } 1806 1807 build_pairing_cmd(conn, req, &rsp, auth); 1808 1809 if (rsp.auth_req & SMP_AUTH_SC) { 1810 set_bit(SMP_FLAG_SC, &smp->flags); 1811 1812 if (rsp.auth_req & SMP_AUTH_CT2) 1813 set_bit(SMP_FLAG_CT2, &smp->flags); 1814 } 1815 1816 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1817 sec_level = BT_SECURITY_MEDIUM; 1818 else 1819 sec_level = authreq_to_seclevel(auth); 1820 1821 if (sec_level > conn->hcon->pending_sec_level) 1822 conn->hcon->pending_sec_level = sec_level; 1823 1824 /* If we need MITM check that it can be achieved */ 1825 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1826 u8 method; 1827 1828 method = get_auth_method(smp, conn->hcon->io_capability, 1829 req->io_capability); 1830 if (method == JUST_WORKS || method == JUST_CFM) 1831 return SMP_AUTH_REQUIREMENTS; 1832 } 1833 1834 key_size = min(req->max_key_size, rsp.max_key_size); 1835 if (check_enc_key_size(conn, key_size)) 1836 return SMP_ENC_KEY_SIZE; 1837 1838 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1839 1840 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1841 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1842 1843 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1844 1845 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1846 1847 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1848 * SC case, however some implementations incorrectly copy RFU auth 1849 * req bits from our security request, which may create a false 1850 * positive SC enablement. 1851 */ 1852 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1853 1854 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1855 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1856 /* Clear bits which are generated but not distributed */ 1857 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1858 /* Wait for Public Key from Initiating Device */ 1859 return 0; 1860 } 1861 1862 /* Request setup of TK */ 1863 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1864 if (ret) 1865 return SMP_UNSPECIFIED; 1866 1867 return 0; 1868 } 1869 1870 static u8 sc_send_public_key(struct smp_chan *smp) 1871 { 1872 struct hci_dev *hdev = smp->conn->hcon->hdev; 1873 1874 BT_DBG(""); 1875 1876 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1877 struct l2cap_chan *chan = hdev->smp_data; 1878 struct smp_dev *smp_dev; 1879 1880 if (!chan || !chan->data) 1881 return SMP_UNSPECIFIED; 1882 1883 smp_dev = chan->data; 1884 1885 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1886 memcpy(smp->local_sk, smp_dev->local_sk, 32); 1887 memcpy(smp->lr, smp_dev->local_rand, 16); 1888 1889 if (smp_dev->debug_key) 1890 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1891 1892 goto done; 1893 } 1894 1895 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1896 BT_DBG("Using debug keys"); 1897 memcpy(smp->local_pk, debug_pk, 64); 1898 memcpy(smp->local_sk, debug_sk, 32); 1899 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1900 } else { 1901 while (true) { 1902 /* Seed private key with random number */ 1903 get_random_bytes(smp->local_sk, 32); 1904 1905 /* Generate local key pair for Secure Connections */ 1906 if (!generate_ecdh_keys(smp->local_pk, smp->local_sk)) 1907 return SMP_UNSPECIFIED; 1908 1909 /* This is unlikely, but we need to check that 1910 * we didn't accidentially generate a debug key. 1911 */ 1912 if (crypto_memneq(smp->local_sk, debug_sk, 32)) 1913 break; 1914 } 1915 } 1916 1917 done: 1918 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1919 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1920 SMP_DBG("Local Private Key: %32phN", smp->local_sk); 1921 1922 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1923 1924 return 0; 1925 } 1926 1927 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1928 { 1929 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1930 struct l2cap_chan *chan = conn->smp; 1931 struct smp_chan *smp = chan->data; 1932 struct hci_dev *hdev = conn->hcon->hdev; 1933 u8 key_size, auth; 1934 int ret; 1935 1936 BT_DBG("conn %p", conn); 1937 1938 if (skb->len < sizeof(*rsp)) 1939 return SMP_INVALID_PARAMS; 1940 1941 if (conn->hcon->role != HCI_ROLE_MASTER) 1942 return SMP_CMD_NOTSUPP; 1943 1944 skb_pull(skb, sizeof(*rsp)); 1945 1946 req = (void *) &smp->preq[1]; 1947 1948 key_size = min(req->max_key_size, rsp->max_key_size); 1949 if (check_enc_key_size(conn, key_size)) 1950 return SMP_ENC_KEY_SIZE; 1951 1952 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1953 1954 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1955 return SMP_AUTH_REQUIREMENTS; 1956 1957 /* If the remote side's OOB flag is set it means it has 1958 * successfully received our local OOB data - therefore set the 1959 * flag to indicate that local OOB is in use. 1960 */ 1961 if (rsp->oob_flag == SMP_OOB_PRESENT) 1962 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1963 1964 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1965 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1966 1967 /* Update remote key distribution in case the remote cleared 1968 * some bits that we had enabled in our request. 1969 */ 1970 smp->remote_key_dist &= rsp->resp_key_dist; 1971 1972 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2)) 1973 set_bit(SMP_FLAG_CT2, &smp->flags); 1974 1975 /* For BR/EDR this means we're done and can start phase 3 */ 1976 if (conn->hcon->type == ACL_LINK) { 1977 /* Clear bits which are generated but not distributed */ 1978 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1979 smp_distribute_keys(smp); 1980 return 0; 1981 } 1982 1983 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1984 set_bit(SMP_FLAG_SC, &smp->flags); 1985 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1986 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1987 1988 /* If we need MITM check that it can be achieved */ 1989 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1990 u8 method; 1991 1992 method = get_auth_method(smp, req->io_capability, 1993 rsp->io_capability); 1994 if (method == JUST_WORKS || method == JUST_CFM) 1995 return SMP_AUTH_REQUIREMENTS; 1996 } 1997 1998 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1999 2000 /* Update remote key distribution in case the remote cleared 2001 * some bits that we had enabled in our request. 2002 */ 2003 smp->remote_key_dist &= rsp->resp_key_dist; 2004 2005 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2006 /* Clear bits which are generated but not distributed */ 2007 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 2008 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 2009 return sc_send_public_key(smp); 2010 } 2011 2012 auth |= req->auth_req; 2013 2014 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 2015 if (ret) 2016 return SMP_UNSPECIFIED; 2017 2018 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2019 2020 /* Can't compose response until we have been confirmed */ 2021 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2022 return smp_confirm(smp); 2023 2024 return 0; 2025 } 2026 2027 static u8 sc_check_confirm(struct smp_chan *smp) 2028 { 2029 struct l2cap_conn *conn = smp->conn; 2030 2031 BT_DBG(""); 2032 2033 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2034 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 2035 2036 if (conn->hcon->out) { 2037 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2038 smp->prnd); 2039 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2040 } 2041 2042 return 0; 2043 } 2044 2045 /* Work-around for some implementations that incorrectly copy RFU bits 2046 * from our security request and thereby create the impression that 2047 * we're doing SC when in fact the remote doesn't support it. 2048 */ 2049 static int fixup_sc_false_positive(struct smp_chan *smp) 2050 { 2051 struct l2cap_conn *conn = smp->conn; 2052 struct hci_conn *hcon = conn->hcon; 2053 struct hci_dev *hdev = hcon->hdev; 2054 struct smp_cmd_pairing *req, *rsp; 2055 u8 auth; 2056 2057 /* The issue is only observed when we're in slave role */ 2058 if (hcon->out) 2059 return SMP_UNSPECIFIED; 2060 2061 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2062 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode"); 2063 return SMP_UNSPECIFIED; 2064 } 2065 2066 BT_ERR("Trying to fall back to legacy SMP"); 2067 2068 req = (void *) &smp->preq[1]; 2069 rsp = (void *) &smp->prsp[1]; 2070 2071 /* Rebuild key dist flags which may have been cleared for SC */ 2072 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2073 2074 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2075 2076 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2077 BT_ERR("Failed to fall back to legacy SMP"); 2078 return SMP_UNSPECIFIED; 2079 } 2080 2081 clear_bit(SMP_FLAG_SC, &smp->flags); 2082 2083 return 0; 2084 } 2085 2086 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2087 { 2088 struct l2cap_chan *chan = conn->smp; 2089 struct smp_chan *smp = chan->data; 2090 2091 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 2092 2093 if (skb->len < sizeof(smp->pcnf)) 2094 return SMP_INVALID_PARAMS; 2095 2096 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2097 skb_pull(skb, sizeof(smp->pcnf)); 2098 2099 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2100 int ret; 2101 2102 /* Public Key exchange must happen before any other steps */ 2103 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2104 return sc_check_confirm(smp); 2105 2106 BT_ERR("Unexpected SMP Pairing Confirm"); 2107 2108 ret = fixup_sc_false_positive(smp); 2109 if (ret) 2110 return ret; 2111 } 2112 2113 if (conn->hcon->out) { 2114 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2115 smp->prnd); 2116 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2117 return 0; 2118 } 2119 2120 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2121 return smp_confirm(smp); 2122 2123 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2124 2125 return 0; 2126 } 2127 2128 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2129 { 2130 struct l2cap_chan *chan = conn->smp; 2131 struct smp_chan *smp = chan->data; 2132 struct hci_conn *hcon = conn->hcon; 2133 u8 *pkax, *pkbx, *na, *nb; 2134 u32 passkey; 2135 int err; 2136 2137 BT_DBG("conn %p", conn); 2138 2139 if (skb->len < sizeof(smp->rrnd)) 2140 return SMP_INVALID_PARAMS; 2141 2142 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2143 skb_pull(skb, sizeof(smp->rrnd)); 2144 2145 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2146 return smp_random(smp); 2147 2148 if (hcon->out) { 2149 pkax = smp->local_pk; 2150 pkbx = smp->remote_pk; 2151 na = smp->prnd; 2152 nb = smp->rrnd; 2153 } else { 2154 pkax = smp->remote_pk; 2155 pkbx = smp->local_pk; 2156 na = smp->rrnd; 2157 nb = smp->prnd; 2158 } 2159 2160 if (smp->method == REQ_OOB) { 2161 if (!hcon->out) 2162 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2163 sizeof(smp->prnd), smp->prnd); 2164 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2165 goto mackey_and_ltk; 2166 } 2167 2168 /* Passkey entry has special treatment */ 2169 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2170 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2171 2172 if (hcon->out) { 2173 u8 cfm[16]; 2174 2175 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2176 smp->rrnd, 0, cfm); 2177 if (err) 2178 return SMP_UNSPECIFIED; 2179 2180 if (crypto_memneq(smp->pcnf, cfm, 16)) 2181 return SMP_CONFIRM_FAILED; 2182 } else { 2183 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2184 smp->prnd); 2185 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2186 } 2187 2188 mackey_and_ltk: 2189 /* Generate MacKey and LTK */ 2190 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2191 if (err) 2192 return SMP_UNSPECIFIED; 2193 2194 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) { 2195 if (hcon->out) { 2196 sc_dhkey_check(smp); 2197 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2198 } 2199 return 0; 2200 } 2201 2202 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2203 if (err) 2204 return SMP_UNSPECIFIED; 2205 2206 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2207 hcon->dst_type, passkey, 0); 2208 if (err) 2209 return SMP_UNSPECIFIED; 2210 2211 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2212 2213 return 0; 2214 } 2215 2216 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2217 { 2218 struct smp_ltk *key; 2219 struct hci_conn *hcon = conn->hcon; 2220 2221 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2222 if (!key) 2223 return false; 2224 2225 if (smp_ltk_sec_level(key) < sec_level) 2226 return false; 2227 2228 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2229 return true; 2230 2231 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2232 hcon->enc_key_size = key->enc_size; 2233 2234 /* We never store STKs for master role, so clear this flag */ 2235 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2236 2237 return true; 2238 } 2239 2240 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2241 enum smp_key_pref key_pref) 2242 { 2243 if (sec_level == BT_SECURITY_LOW) 2244 return true; 2245 2246 /* If we're encrypted with an STK but the caller prefers using 2247 * LTK claim insufficient security. This way we allow the 2248 * connection to be re-encrypted with an LTK, even if the LTK 2249 * provides the same level of security. Only exception is if we 2250 * don't have an LTK (e.g. because of key distribution bits). 2251 */ 2252 if (key_pref == SMP_USE_LTK && 2253 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2254 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2255 return false; 2256 2257 if (hcon->sec_level >= sec_level) 2258 return true; 2259 2260 return false; 2261 } 2262 2263 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2264 { 2265 struct smp_cmd_security_req *rp = (void *) skb->data; 2266 struct smp_cmd_pairing cp; 2267 struct hci_conn *hcon = conn->hcon; 2268 struct hci_dev *hdev = hcon->hdev; 2269 struct smp_chan *smp; 2270 u8 sec_level, auth; 2271 2272 BT_DBG("conn %p", conn); 2273 2274 if (skb->len < sizeof(*rp)) 2275 return SMP_INVALID_PARAMS; 2276 2277 if (hcon->role != HCI_ROLE_MASTER) 2278 return SMP_CMD_NOTSUPP; 2279 2280 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2281 2282 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2283 return SMP_AUTH_REQUIREMENTS; 2284 2285 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2286 sec_level = BT_SECURITY_MEDIUM; 2287 else 2288 sec_level = authreq_to_seclevel(auth); 2289 2290 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2291 return 0; 2292 2293 if (sec_level > hcon->pending_sec_level) 2294 hcon->pending_sec_level = sec_level; 2295 2296 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2297 return 0; 2298 2299 smp = smp_chan_create(conn); 2300 if (!smp) 2301 return SMP_UNSPECIFIED; 2302 2303 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2304 (auth & SMP_AUTH_BONDING)) 2305 return SMP_PAIRING_NOTSUPP; 2306 2307 skb_pull(skb, sizeof(*rp)); 2308 2309 memset(&cp, 0, sizeof(cp)); 2310 build_pairing_cmd(conn, &cp, NULL, auth); 2311 2312 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2313 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2314 2315 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2316 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2317 2318 return 0; 2319 } 2320 2321 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2322 { 2323 struct l2cap_conn *conn = hcon->l2cap_data; 2324 struct l2cap_chan *chan; 2325 struct smp_chan *smp; 2326 __u8 authreq; 2327 int ret; 2328 2329 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 2330 2331 /* This may be NULL if there's an unexpected disconnection */ 2332 if (!conn) 2333 return 1; 2334 2335 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2336 return 1; 2337 2338 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2339 return 1; 2340 2341 if (sec_level > hcon->pending_sec_level) 2342 hcon->pending_sec_level = sec_level; 2343 2344 if (hcon->role == HCI_ROLE_MASTER) 2345 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2346 return 0; 2347 2348 chan = conn->smp; 2349 if (!chan) { 2350 BT_ERR("SMP security requested but not available"); 2351 return 1; 2352 } 2353 2354 l2cap_chan_lock(chan); 2355 2356 /* If SMP is already in progress ignore this request */ 2357 if (chan->data) { 2358 ret = 0; 2359 goto unlock; 2360 } 2361 2362 smp = smp_chan_create(conn); 2363 if (!smp) { 2364 ret = 1; 2365 goto unlock; 2366 } 2367 2368 authreq = seclevel_to_authreq(sec_level); 2369 2370 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) { 2371 authreq |= SMP_AUTH_SC; 2372 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED)) 2373 authreq |= SMP_AUTH_CT2; 2374 } 2375 2376 /* Require MITM if IO Capability allows or the security level 2377 * requires it. 2378 */ 2379 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2380 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2381 authreq |= SMP_AUTH_MITM; 2382 2383 if (hcon->role == HCI_ROLE_MASTER) { 2384 struct smp_cmd_pairing cp; 2385 2386 build_pairing_cmd(conn, &cp, NULL, authreq); 2387 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2388 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2389 2390 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2391 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2392 } else { 2393 struct smp_cmd_security_req cp; 2394 cp.auth_req = authreq; 2395 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2396 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2397 } 2398 2399 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2400 ret = 0; 2401 2402 unlock: 2403 l2cap_chan_unlock(chan); 2404 return ret; 2405 } 2406 2407 void smp_cancel_pairing(struct hci_conn *hcon) 2408 { 2409 struct l2cap_conn *conn = hcon->l2cap_data; 2410 struct l2cap_chan *chan; 2411 struct smp_chan *smp; 2412 2413 if (!conn) 2414 return; 2415 2416 chan = conn->smp; 2417 if (!chan) 2418 return; 2419 2420 l2cap_chan_lock(chan); 2421 2422 smp = chan->data; 2423 if (smp) { 2424 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2425 smp_failure(conn, 0); 2426 else 2427 smp_failure(conn, SMP_UNSPECIFIED); 2428 } 2429 2430 l2cap_chan_unlock(chan); 2431 } 2432 2433 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2434 { 2435 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2436 struct l2cap_chan *chan = conn->smp; 2437 struct smp_chan *smp = chan->data; 2438 2439 BT_DBG("conn %p", conn); 2440 2441 if (skb->len < sizeof(*rp)) 2442 return SMP_INVALID_PARAMS; 2443 2444 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT); 2445 2446 skb_pull(skb, sizeof(*rp)); 2447 2448 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2449 2450 return 0; 2451 } 2452 2453 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2454 { 2455 struct smp_cmd_master_ident *rp = (void *) skb->data; 2456 struct l2cap_chan *chan = conn->smp; 2457 struct smp_chan *smp = chan->data; 2458 struct hci_dev *hdev = conn->hcon->hdev; 2459 struct hci_conn *hcon = conn->hcon; 2460 struct smp_ltk *ltk; 2461 u8 authenticated; 2462 2463 BT_DBG("conn %p", conn); 2464 2465 if (skb->len < sizeof(*rp)) 2466 return SMP_INVALID_PARAMS; 2467 2468 /* Mark the information as received */ 2469 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2470 2471 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2472 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2473 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2474 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2475 2476 skb_pull(skb, sizeof(*rp)); 2477 2478 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2479 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2480 authenticated, smp->tk, smp->enc_key_size, 2481 rp->ediv, rp->rand); 2482 smp->ltk = ltk; 2483 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2484 smp_distribute_keys(smp); 2485 2486 return 0; 2487 } 2488 2489 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2490 { 2491 struct smp_cmd_ident_info *info = (void *) skb->data; 2492 struct l2cap_chan *chan = conn->smp; 2493 struct smp_chan *smp = chan->data; 2494 2495 BT_DBG(""); 2496 2497 if (skb->len < sizeof(*info)) 2498 return SMP_INVALID_PARAMS; 2499 2500 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2501 2502 skb_pull(skb, sizeof(*info)); 2503 2504 memcpy(smp->irk, info->irk, 16); 2505 2506 return 0; 2507 } 2508 2509 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2510 struct sk_buff *skb) 2511 { 2512 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2513 struct l2cap_chan *chan = conn->smp; 2514 struct smp_chan *smp = chan->data; 2515 struct hci_conn *hcon = conn->hcon; 2516 bdaddr_t rpa; 2517 2518 BT_DBG(""); 2519 2520 if (skb->len < sizeof(*info)) 2521 return SMP_INVALID_PARAMS; 2522 2523 /* Mark the information as received */ 2524 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2525 2526 if (smp->remote_key_dist & SMP_DIST_SIGN) 2527 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2528 2529 skb_pull(skb, sizeof(*info)); 2530 2531 /* Strictly speaking the Core Specification (4.1) allows sending 2532 * an empty address which would force us to rely on just the IRK 2533 * as "identity information". However, since such 2534 * implementations are not known of and in order to not over 2535 * complicate our implementation, simply pretend that we never 2536 * received an IRK for such a device. 2537 * 2538 * The Identity Address must also be a Static Random or Public 2539 * Address, which hci_is_identity_address() checks for. 2540 */ 2541 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2542 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2543 BT_ERR("Ignoring IRK with no identity address"); 2544 goto distribute; 2545 } 2546 2547 bacpy(&smp->id_addr, &info->bdaddr); 2548 smp->id_addr_type = info->addr_type; 2549 2550 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2551 bacpy(&rpa, &hcon->dst); 2552 else 2553 bacpy(&rpa, BDADDR_ANY); 2554 2555 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2556 smp->id_addr_type, smp->irk, &rpa); 2557 2558 distribute: 2559 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2560 smp_distribute_keys(smp); 2561 2562 return 0; 2563 } 2564 2565 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2566 { 2567 struct smp_cmd_sign_info *rp = (void *) skb->data; 2568 struct l2cap_chan *chan = conn->smp; 2569 struct smp_chan *smp = chan->data; 2570 struct smp_csrk *csrk; 2571 2572 BT_DBG("conn %p", conn); 2573 2574 if (skb->len < sizeof(*rp)) 2575 return SMP_INVALID_PARAMS; 2576 2577 /* Mark the information as received */ 2578 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2579 2580 skb_pull(skb, sizeof(*rp)); 2581 2582 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2583 if (csrk) { 2584 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2585 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2586 else 2587 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2588 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2589 } 2590 smp->csrk = csrk; 2591 smp_distribute_keys(smp); 2592 2593 return 0; 2594 } 2595 2596 static u8 sc_select_method(struct smp_chan *smp) 2597 { 2598 struct l2cap_conn *conn = smp->conn; 2599 struct hci_conn *hcon = conn->hcon; 2600 struct smp_cmd_pairing *local, *remote; 2601 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2602 2603 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2604 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2605 return REQ_OOB; 2606 2607 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2608 * which are needed as inputs to some crypto functions. To get 2609 * the "struct smp_cmd_pairing" from them we need to skip the 2610 * first byte which contains the opcode. 2611 */ 2612 if (hcon->out) { 2613 local = (void *) &smp->preq[1]; 2614 remote = (void *) &smp->prsp[1]; 2615 } else { 2616 local = (void *) &smp->prsp[1]; 2617 remote = (void *) &smp->preq[1]; 2618 } 2619 2620 local_io = local->io_capability; 2621 remote_io = remote->io_capability; 2622 2623 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2624 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2625 2626 /* If either side wants MITM, look up the method from the table, 2627 * otherwise use JUST WORKS. 2628 */ 2629 if (local_mitm || remote_mitm) 2630 method = get_auth_method(smp, local_io, remote_io); 2631 else 2632 method = JUST_WORKS; 2633 2634 /* Don't confirm locally initiated pairing attempts */ 2635 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2636 method = JUST_WORKS; 2637 2638 return method; 2639 } 2640 2641 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2642 { 2643 struct smp_cmd_public_key *key = (void *) skb->data; 2644 struct hci_conn *hcon = conn->hcon; 2645 struct l2cap_chan *chan = conn->smp; 2646 struct smp_chan *smp = chan->data; 2647 struct hci_dev *hdev = hcon->hdev; 2648 struct smp_cmd_pairing_confirm cfm; 2649 int err; 2650 2651 BT_DBG("conn %p", conn); 2652 2653 if (skb->len < sizeof(*key)) 2654 return SMP_INVALID_PARAMS; 2655 2656 memcpy(smp->remote_pk, key, 64); 2657 2658 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2659 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2660 smp->rr, 0, cfm.confirm_val); 2661 if (err) 2662 return SMP_UNSPECIFIED; 2663 2664 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16)) 2665 return SMP_CONFIRM_FAILED; 2666 } 2667 2668 /* Non-initiating device sends its public key after receiving 2669 * the key from the initiating device. 2670 */ 2671 if (!hcon->out) { 2672 err = sc_send_public_key(smp); 2673 if (err) 2674 return err; 2675 } 2676 2677 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2678 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2679 2680 if (!compute_ecdh_secret(smp->remote_pk, smp->local_sk, smp->dhkey)) 2681 return SMP_UNSPECIFIED; 2682 2683 SMP_DBG("DHKey %32phN", smp->dhkey); 2684 2685 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2686 2687 smp->method = sc_select_method(smp); 2688 2689 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method); 2690 2691 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2692 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2693 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2694 else 2695 hcon->pending_sec_level = BT_SECURITY_FIPS; 2696 2697 if (!crypto_memneq(debug_pk, smp->remote_pk, 64)) 2698 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2699 2700 if (smp->method == DSP_PASSKEY) { 2701 get_random_bytes(&hcon->passkey_notify, 2702 sizeof(hcon->passkey_notify)); 2703 hcon->passkey_notify %= 1000000; 2704 hcon->passkey_entered = 0; 2705 smp->passkey_round = 0; 2706 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2707 hcon->dst_type, 2708 hcon->passkey_notify, 2709 hcon->passkey_entered)) 2710 return SMP_UNSPECIFIED; 2711 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2712 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2713 } 2714 2715 if (smp->method == REQ_OOB) { 2716 if (hcon->out) 2717 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2718 sizeof(smp->prnd), smp->prnd); 2719 2720 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2721 2722 return 0; 2723 } 2724 2725 if (hcon->out) 2726 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2727 2728 if (smp->method == REQ_PASSKEY) { 2729 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2730 hcon->dst_type)) 2731 return SMP_UNSPECIFIED; 2732 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2733 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2734 return 0; 2735 } 2736 2737 /* The Initiating device waits for the non-initiating device to 2738 * send the confirm value. 2739 */ 2740 if (conn->hcon->out) 2741 return 0; 2742 2743 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2744 0, cfm.confirm_val); 2745 if (err) 2746 return SMP_UNSPECIFIED; 2747 2748 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2749 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2750 2751 return 0; 2752 } 2753 2754 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2755 { 2756 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2757 struct l2cap_chan *chan = conn->smp; 2758 struct hci_conn *hcon = conn->hcon; 2759 struct smp_chan *smp = chan->data; 2760 u8 a[7], b[7], *local_addr, *remote_addr; 2761 u8 io_cap[3], r[16], e[16]; 2762 int err; 2763 2764 BT_DBG("conn %p", conn); 2765 2766 if (skb->len < sizeof(*check)) 2767 return SMP_INVALID_PARAMS; 2768 2769 memcpy(a, &hcon->init_addr, 6); 2770 memcpy(b, &hcon->resp_addr, 6); 2771 a[6] = hcon->init_addr_type; 2772 b[6] = hcon->resp_addr_type; 2773 2774 if (hcon->out) { 2775 local_addr = a; 2776 remote_addr = b; 2777 memcpy(io_cap, &smp->prsp[1], 3); 2778 } else { 2779 local_addr = b; 2780 remote_addr = a; 2781 memcpy(io_cap, &smp->preq[1], 3); 2782 } 2783 2784 memset(r, 0, sizeof(r)); 2785 2786 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2787 put_unaligned_le32(hcon->passkey_notify, r); 2788 else if (smp->method == REQ_OOB) 2789 memcpy(r, smp->lr, 16); 2790 2791 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2792 io_cap, remote_addr, local_addr, e); 2793 if (err) 2794 return SMP_UNSPECIFIED; 2795 2796 if (crypto_memneq(check->e, e, 16)) 2797 return SMP_DHKEY_CHECK_FAILED; 2798 2799 if (!hcon->out) { 2800 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2801 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2802 return 0; 2803 } 2804 2805 /* Slave sends DHKey check as response to master */ 2806 sc_dhkey_check(smp); 2807 } 2808 2809 sc_add_ltk(smp); 2810 2811 if (hcon->out) { 2812 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2813 hcon->enc_key_size = smp->enc_key_size; 2814 } 2815 2816 return 0; 2817 } 2818 2819 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2820 struct sk_buff *skb) 2821 { 2822 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2823 2824 BT_DBG("value 0x%02x", kp->value); 2825 2826 return 0; 2827 } 2828 2829 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2830 { 2831 struct l2cap_conn *conn = chan->conn; 2832 struct hci_conn *hcon = conn->hcon; 2833 struct smp_chan *smp; 2834 __u8 code, reason; 2835 int err = 0; 2836 2837 if (skb->len < 1) 2838 return -EILSEQ; 2839 2840 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2841 reason = SMP_PAIRING_NOTSUPP; 2842 goto done; 2843 } 2844 2845 code = skb->data[0]; 2846 skb_pull(skb, sizeof(code)); 2847 2848 smp = chan->data; 2849 2850 if (code > SMP_CMD_MAX) 2851 goto drop; 2852 2853 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2854 goto drop; 2855 2856 /* If we don't have a context the only allowed commands are 2857 * pairing request and security request. 2858 */ 2859 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2860 goto drop; 2861 2862 switch (code) { 2863 case SMP_CMD_PAIRING_REQ: 2864 reason = smp_cmd_pairing_req(conn, skb); 2865 break; 2866 2867 case SMP_CMD_PAIRING_FAIL: 2868 smp_failure(conn, 0); 2869 err = -EPERM; 2870 break; 2871 2872 case SMP_CMD_PAIRING_RSP: 2873 reason = smp_cmd_pairing_rsp(conn, skb); 2874 break; 2875 2876 case SMP_CMD_SECURITY_REQ: 2877 reason = smp_cmd_security_req(conn, skb); 2878 break; 2879 2880 case SMP_CMD_PAIRING_CONFIRM: 2881 reason = smp_cmd_pairing_confirm(conn, skb); 2882 break; 2883 2884 case SMP_CMD_PAIRING_RANDOM: 2885 reason = smp_cmd_pairing_random(conn, skb); 2886 break; 2887 2888 case SMP_CMD_ENCRYPT_INFO: 2889 reason = smp_cmd_encrypt_info(conn, skb); 2890 break; 2891 2892 case SMP_CMD_MASTER_IDENT: 2893 reason = smp_cmd_master_ident(conn, skb); 2894 break; 2895 2896 case SMP_CMD_IDENT_INFO: 2897 reason = smp_cmd_ident_info(conn, skb); 2898 break; 2899 2900 case SMP_CMD_IDENT_ADDR_INFO: 2901 reason = smp_cmd_ident_addr_info(conn, skb); 2902 break; 2903 2904 case SMP_CMD_SIGN_INFO: 2905 reason = smp_cmd_sign_info(conn, skb); 2906 break; 2907 2908 case SMP_CMD_PUBLIC_KEY: 2909 reason = smp_cmd_public_key(conn, skb); 2910 break; 2911 2912 case SMP_CMD_DHKEY_CHECK: 2913 reason = smp_cmd_dhkey_check(conn, skb); 2914 break; 2915 2916 case SMP_CMD_KEYPRESS_NOTIFY: 2917 reason = smp_cmd_keypress_notify(conn, skb); 2918 break; 2919 2920 default: 2921 BT_DBG("Unknown command code 0x%2.2x", code); 2922 reason = SMP_CMD_NOTSUPP; 2923 goto done; 2924 } 2925 2926 done: 2927 if (!err) { 2928 if (reason) 2929 smp_failure(conn, reason); 2930 kfree_skb(skb); 2931 } 2932 2933 return err; 2934 2935 drop: 2936 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name, 2937 code, &hcon->dst); 2938 kfree_skb(skb); 2939 return 0; 2940 } 2941 2942 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 2943 { 2944 struct l2cap_conn *conn = chan->conn; 2945 2946 BT_DBG("chan %p", chan); 2947 2948 if (chan->data) 2949 smp_chan_destroy(conn); 2950 2951 conn->smp = NULL; 2952 l2cap_chan_put(chan); 2953 } 2954 2955 static void bredr_pairing(struct l2cap_chan *chan) 2956 { 2957 struct l2cap_conn *conn = chan->conn; 2958 struct hci_conn *hcon = conn->hcon; 2959 struct hci_dev *hdev = hcon->hdev; 2960 struct smp_cmd_pairing req; 2961 struct smp_chan *smp; 2962 2963 BT_DBG("chan %p", chan); 2964 2965 /* Only new pairings are interesting */ 2966 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 2967 return; 2968 2969 /* Don't bother if we're not encrypted */ 2970 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2971 return; 2972 2973 /* Only master may initiate SMP over BR/EDR */ 2974 if (hcon->role != HCI_ROLE_MASTER) 2975 return; 2976 2977 /* Secure Connections support must be enabled */ 2978 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 2979 return; 2980 2981 /* BR/EDR must use Secure Connections for SMP */ 2982 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 2983 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 2984 return; 2985 2986 /* If our LE support is not enabled don't do anything */ 2987 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 2988 return; 2989 2990 /* Don't bother if remote LE support is not enabled */ 2991 if (!lmp_host_le_capable(hcon)) 2992 return; 2993 2994 /* Remote must support SMP fixed chan for BR/EDR */ 2995 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 2996 return; 2997 2998 /* Don't bother if SMP is already ongoing */ 2999 if (chan->data) 3000 return; 3001 3002 smp = smp_chan_create(conn); 3003 if (!smp) { 3004 BT_ERR("%s unable to create SMP context for BR/EDR", 3005 hdev->name); 3006 return; 3007 } 3008 3009 set_bit(SMP_FLAG_SC, &smp->flags); 3010 3011 BT_DBG("%s starting SMP over BR/EDR", hdev->name); 3012 3013 /* Prepare and send the BR/EDR SMP Pairing Request */ 3014 build_bredr_pairing_cmd(smp, &req, NULL); 3015 3016 smp->preq[0] = SMP_CMD_PAIRING_REQ; 3017 memcpy(&smp->preq[1], &req, sizeof(req)); 3018 3019 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 3020 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 3021 } 3022 3023 static void smp_resume_cb(struct l2cap_chan *chan) 3024 { 3025 struct smp_chan *smp = chan->data; 3026 struct l2cap_conn *conn = chan->conn; 3027 struct hci_conn *hcon = conn->hcon; 3028 3029 BT_DBG("chan %p", chan); 3030 3031 if (hcon->type == ACL_LINK) { 3032 bredr_pairing(chan); 3033 return; 3034 } 3035 3036 if (!smp) 3037 return; 3038 3039 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3040 return; 3041 3042 cancel_delayed_work(&smp->security_timer); 3043 3044 smp_distribute_keys(smp); 3045 } 3046 3047 static void smp_ready_cb(struct l2cap_chan *chan) 3048 { 3049 struct l2cap_conn *conn = chan->conn; 3050 struct hci_conn *hcon = conn->hcon; 3051 3052 BT_DBG("chan %p", chan); 3053 3054 /* No need to call l2cap_chan_hold() here since we already own 3055 * the reference taken in smp_new_conn_cb(). This is just the 3056 * first time that we tie it to a specific pointer. The code in 3057 * l2cap_core.c ensures that there's no risk this function wont 3058 * get called if smp_new_conn_cb was previously called. 3059 */ 3060 conn->smp = chan; 3061 3062 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3063 bredr_pairing(chan); 3064 } 3065 3066 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3067 { 3068 int err; 3069 3070 BT_DBG("chan %p", chan); 3071 3072 err = smp_sig_channel(chan, skb); 3073 if (err) { 3074 struct smp_chan *smp = chan->data; 3075 3076 if (smp) 3077 cancel_delayed_work_sync(&smp->security_timer); 3078 3079 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3080 } 3081 3082 return err; 3083 } 3084 3085 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3086 unsigned long hdr_len, 3087 unsigned long len, int nb) 3088 { 3089 struct sk_buff *skb; 3090 3091 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3092 if (!skb) 3093 return ERR_PTR(-ENOMEM); 3094 3095 skb->priority = HCI_PRIO_MAX; 3096 bt_cb(skb)->l2cap.chan = chan; 3097 3098 return skb; 3099 } 3100 3101 static const struct l2cap_ops smp_chan_ops = { 3102 .name = "Security Manager", 3103 .ready = smp_ready_cb, 3104 .recv = smp_recv_cb, 3105 .alloc_skb = smp_alloc_skb_cb, 3106 .teardown = smp_teardown_cb, 3107 .resume = smp_resume_cb, 3108 3109 .new_connection = l2cap_chan_no_new_connection, 3110 .state_change = l2cap_chan_no_state_change, 3111 .close = l2cap_chan_no_close, 3112 .defer = l2cap_chan_no_defer, 3113 .suspend = l2cap_chan_no_suspend, 3114 .set_shutdown = l2cap_chan_no_set_shutdown, 3115 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3116 }; 3117 3118 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3119 { 3120 struct l2cap_chan *chan; 3121 3122 BT_DBG("pchan %p", pchan); 3123 3124 chan = l2cap_chan_create(); 3125 if (!chan) 3126 return NULL; 3127 3128 chan->chan_type = pchan->chan_type; 3129 chan->ops = &smp_chan_ops; 3130 chan->scid = pchan->scid; 3131 chan->dcid = chan->scid; 3132 chan->imtu = pchan->imtu; 3133 chan->omtu = pchan->omtu; 3134 chan->mode = pchan->mode; 3135 3136 /* Other L2CAP channels may request SMP routines in order to 3137 * change the security level. This means that the SMP channel 3138 * lock must be considered in its own category to avoid lockdep 3139 * warnings. 3140 */ 3141 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3142 3143 BT_DBG("created chan %p", chan); 3144 3145 return chan; 3146 } 3147 3148 static const struct l2cap_ops smp_root_chan_ops = { 3149 .name = "Security Manager Root", 3150 .new_connection = smp_new_conn_cb, 3151 3152 /* None of these are implemented for the root channel */ 3153 .close = l2cap_chan_no_close, 3154 .alloc_skb = l2cap_chan_no_alloc_skb, 3155 .recv = l2cap_chan_no_recv, 3156 .state_change = l2cap_chan_no_state_change, 3157 .teardown = l2cap_chan_no_teardown, 3158 .ready = l2cap_chan_no_ready, 3159 .defer = l2cap_chan_no_defer, 3160 .suspend = l2cap_chan_no_suspend, 3161 .resume = l2cap_chan_no_resume, 3162 .set_shutdown = l2cap_chan_no_set_shutdown, 3163 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3164 }; 3165 3166 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3167 { 3168 struct l2cap_chan *chan; 3169 struct smp_dev *smp; 3170 struct crypto_cipher *tfm_aes; 3171 struct crypto_shash *tfm_cmac; 3172 3173 if (cid == L2CAP_CID_SMP_BREDR) { 3174 smp = NULL; 3175 goto create_chan; 3176 } 3177 3178 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3179 if (!smp) 3180 return ERR_PTR(-ENOMEM); 3181 3182 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 3183 if (IS_ERR(tfm_aes)) { 3184 BT_ERR("Unable to create AES crypto context"); 3185 kzfree(smp); 3186 return ERR_CAST(tfm_aes); 3187 } 3188 3189 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3190 if (IS_ERR(tfm_cmac)) { 3191 BT_ERR("Unable to create CMAC crypto context"); 3192 crypto_free_cipher(tfm_aes); 3193 kzfree(smp); 3194 return ERR_CAST(tfm_cmac); 3195 } 3196 3197 smp->tfm_aes = tfm_aes; 3198 smp->tfm_cmac = tfm_cmac; 3199 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE; 3200 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 3201 3202 create_chan: 3203 chan = l2cap_chan_create(); 3204 if (!chan) { 3205 if (smp) { 3206 crypto_free_cipher(smp->tfm_aes); 3207 crypto_free_shash(smp->tfm_cmac); 3208 kzfree(smp); 3209 } 3210 return ERR_PTR(-ENOMEM); 3211 } 3212 3213 chan->data = smp; 3214 3215 l2cap_add_scid(chan, cid); 3216 3217 l2cap_chan_set_defaults(chan); 3218 3219 if (cid == L2CAP_CID_SMP) { 3220 u8 bdaddr_type; 3221 3222 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3223 3224 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3225 chan->src_type = BDADDR_LE_PUBLIC; 3226 else 3227 chan->src_type = BDADDR_LE_RANDOM; 3228 } else { 3229 bacpy(&chan->src, &hdev->bdaddr); 3230 chan->src_type = BDADDR_BREDR; 3231 } 3232 3233 chan->state = BT_LISTEN; 3234 chan->mode = L2CAP_MODE_BASIC; 3235 chan->imtu = L2CAP_DEFAULT_MTU; 3236 chan->ops = &smp_root_chan_ops; 3237 3238 /* Set correct nesting level for a parent/listening channel */ 3239 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3240 3241 return chan; 3242 } 3243 3244 static void smp_del_chan(struct l2cap_chan *chan) 3245 { 3246 struct smp_dev *smp; 3247 3248 BT_DBG("chan %p", chan); 3249 3250 smp = chan->data; 3251 if (smp) { 3252 chan->data = NULL; 3253 crypto_free_cipher(smp->tfm_aes); 3254 crypto_free_shash(smp->tfm_cmac); 3255 kzfree(smp); 3256 } 3257 3258 l2cap_chan_put(chan); 3259 } 3260 3261 static ssize_t force_bredr_smp_read(struct file *file, 3262 char __user *user_buf, 3263 size_t count, loff_t *ppos) 3264 { 3265 struct hci_dev *hdev = file->private_data; 3266 char buf[3]; 3267 3268 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N'; 3269 buf[1] = '\n'; 3270 buf[2] = '\0'; 3271 return simple_read_from_buffer(user_buf, count, ppos, buf, 2); 3272 } 3273 3274 static ssize_t force_bredr_smp_write(struct file *file, 3275 const char __user *user_buf, 3276 size_t count, loff_t *ppos) 3277 { 3278 struct hci_dev *hdev = file->private_data; 3279 char buf[32]; 3280 size_t buf_size = min(count, (sizeof(buf)-1)); 3281 bool enable; 3282 3283 if (copy_from_user(buf, user_buf, buf_size)) 3284 return -EFAULT; 3285 3286 buf[buf_size] = '\0'; 3287 if (strtobool(buf, &enable)) 3288 return -EINVAL; 3289 3290 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3291 return -EALREADY; 3292 3293 if (enable) { 3294 struct l2cap_chan *chan; 3295 3296 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3297 if (IS_ERR(chan)) 3298 return PTR_ERR(chan); 3299 3300 hdev->smp_bredr_data = chan; 3301 } else { 3302 struct l2cap_chan *chan; 3303 3304 chan = hdev->smp_bredr_data; 3305 hdev->smp_bredr_data = NULL; 3306 smp_del_chan(chan); 3307 } 3308 3309 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3310 3311 return count; 3312 } 3313 3314 static const struct file_operations force_bredr_smp_fops = { 3315 .open = simple_open, 3316 .read = force_bredr_smp_read, 3317 .write = force_bredr_smp_write, 3318 .llseek = default_llseek, 3319 }; 3320 3321 static ssize_t le_min_key_size_read(struct file *file, 3322 char __user *user_buf, 3323 size_t count, loff_t *ppos) 3324 { 3325 struct hci_dev *hdev = file->private_data; 3326 char buf[4]; 3327 3328 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size); 3329 3330 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3331 } 3332 3333 static ssize_t le_min_key_size_write(struct file *file, 3334 const char __user *user_buf, 3335 size_t count, loff_t *ppos) 3336 { 3337 struct hci_dev *hdev = file->private_data; 3338 char buf[32]; 3339 size_t buf_size = min(count, (sizeof(buf) - 1)); 3340 u8 key_size; 3341 3342 if (copy_from_user(buf, user_buf, buf_size)) 3343 return -EFAULT; 3344 3345 buf[buf_size] = '\0'; 3346 3347 sscanf(buf, "%hhu", &key_size); 3348 3349 if (key_size > SMP_DEV(hdev)->max_key_size || 3350 key_size < SMP_MIN_ENC_KEY_SIZE) 3351 return -EINVAL; 3352 3353 SMP_DEV(hdev)->min_key_size = key_size; 3354 3355 return count; 3356 } 3357 3358 static const struct file_operations le_min_key_size_fops = { 3359 .open = simple_open, 3360 .read = le_min_key_size_read, 3361 .write = le_min_key_size_write, 3362 .llseek = default_llseek, 3363 }; 3364 3365 static ssize_t le_max_key_size_read(struct file *file, 3366 char __user *user_buf, 3367 size_t count, loff_t *ppos) 3368 { 3369 struct hci_dev *hdev = file->private_data; 3370 char buf[4]; 3371 3372 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size); 3373 3374 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3375 } 3376 3377 static ssize_t le_max_key_size_write(struct file *file, 3378 const char __user *user_buf, 3379 size_t count, loff_t *ppos) 3380 { 3381 struct hci_dev *hdev = file->private_data; 3382 char buf[32]; 3383 size_t buf_size = min(count, (sizeof(buf) - 1)); 3384 u8 key_size; 3385 3386 if (copy_from_user(buf, user_buf, buf_size)) 3387 return -EFAULT; 3388 3389 buf[buf_size] = '\0'; 3390 3391 sscanf(buf, "%hhu", &key_size); 3392 3393 if (key_size > SMP_MAX_ENC_KEY_SIZE || 3394 key_size < SMP_DEV(hdev)->min_key_size) 3395 return -EINVAL; 3396 3397 SMP_DEV(hdev)->max_key_size = key_size; 3398 3399 return count; 3400 } 3401 3402 static const struct file_operations le_max_key_size_fops = { 3403 .open = simple_open, 3404 .read = le_max_key_size_read, 3405 .write = le_max_key_size_write, 3406 .llseek = default_llseek, 3407 }; 3408 3409 int smp_register(struct hci_dev *hdev) 3410 { 3411 struct l2cap_chan *chan; 3412 3413 BT_DBG("%s", hdev->name); 3414 3415 /* If the controller does not support Low Energy operation, then 3416 * there is also no need to register any SMP channel. 3417 */ 3418 if (!lmp_le_capable(hdev)) 3419 return 0; 3420 3421 if (WARN_ON(hdev->smp_data)) { 3422 chan = hdev->smp_data; 3423 hdev->smp_data = NULL; 3424 smp_del_chan(chan); 3425 } 3426 3427 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3428 if (IS_ERR(chan)) 3429 return PTR_ERR(chan); 3430 3431 hdev->smp_data = chan; 3432 3433 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev, 3434 &le_min_key_size_fops); 3435 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev, 3436 &le_max_key_size_fops); 3437 3438 /* If the controller does not support BR/EDR Secure Connections 3439 * feature, then the BR/EDR SMP channel shall not be present. 3440 * 3441 * To test this with Bluetooth 4.0 controllers, create a debugfs 3442 * switch that allows forcing BR/EDR SMP support and accepting 3443 * cross-transport pairing on non-AES encrypted connections. 3444 */ 3445 if (!lmp_sc_capable(hdev)) { 3446 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs, 3447 hdev, &force_bredr_smp_fops); 3448 3449 /* Flag can be already set here (due to power toggle) */ 3450 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3451 return 0; 3452 } 3453 3454 if (WARN_ON(hdev->smp_bredr_data)) { 3455 chan = hdev->smp_bredr_data; 3456 hdev->smp_bredr_data = NULL; 3457 smp_del_chan(chan); 3458 } 3459 3460 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3461 if (IS_ERR(chan)) { 3462 int err = PTR_ERR(chan); 3463 chan = hdev->smp_data; 3464 hdev->smp_data = NULL; 3465 smp_del_chan(chan); 3466 return err; 3467 } 3468 3469 hdev->smp_bredr_data = chan; 3470 3471 return 0; 3472 } 3473 3474 void smp_unregister(struct hci_dev *hdev) 3475 { 3476 struct l2cap_chan *chan; 3477 3478 if (hdev->smp_bredr_data) { 3479 chan = hdev->smp_bredr_data; 3480 hdev->smp_bredr_data = NULL; 3481 smp_del_chan(chan); 3482 } 3483 3484 if (hdev->smp_data) { 3485 chan = hdev->smp_data; 3486 hdev->smp_data = NULL; 3487 smp_del_chan(chan); 3488 } 3489 } 3490 3491 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3492 3493 static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits) 3494 { 3495 int i; 3496 3497 for (i = 0; i < ndigits; i++) 3498 out[i] = __swab64(in[ndigits - 1 - i]); 3499 } 3500 3501 static int __init test_debug_key(void) 3502 { 3503 u8 pk[64], sk[32]; 3504 3505 swap_digits((u64 *)debug_sk, (u64 *)sk, 4); 3506 3507 if (!generate_ecdh_keys(pk, sk)) 3508 return -EINVAL; 3509 3510 if (crypto_memneq(sk, debug_sk, 32)) 3511 return -EINVAL; 3512 3513 if (crypto_memneq(pk, debug_pk, 64)) 3514 return -EINVAL; 3515 3516 return 0; 3517 } 3518 3519 static int __init test_ah(struct crypto_cipher *tfm_aes) 3520 { 3521 const u8 irk[16] = { 3522 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3523 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3524 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3525 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3526 u8 res[3]; 3527 int err; 3528 3529 err = smp_ah(tfm_aes, irk, r, res); 3530 if (err) 3531 return err; 3532 3533 if (crypto_memneq(res, exp, 3)) 3534 return -EINVAL; 3535 3536 return 0; 3537 } 3538 3539 static int __init test_c1(struct crypto_cipher *tfm_aes) 3540 { 3541 const u8 k[16] = { 3542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3543 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3544 const u8 r[16] = { 3545 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3546 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3547 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3548 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3549 const u8 _iat = 0x01; 3550 const u8 _rat = 0x00; 3551 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3552 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3553 const u8 exp[16] = { 3554 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3555 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3556 u8 res[16]; 3557 int err; 3558 3559 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3560 if (err) 3561 return err; 3562 3563 if (crypto_memneq(res, exp, 16)) 3564 return -EINVAL; 3565 3566 return 0; 3567 } 3568 3569 static int __init test_s1(struct crypto_cipher *tfm_aes) 3570 { 3571 const u8 k[16] = { 3572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3574 const u8 r1[16] = { 3575 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3576 const u8 r2[16] = { 3577 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3578 const u8 exp[16] = { 3579 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3580 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3581 u8 res[16]; 3582 int err; 3583 3584 err = smp_s1(tfm_aes, k, r1, r2, res); 3585 if (err) 3586 return err; 3587 3588 if (crypto_memneq(res, exp, 16)) 3589 return -EINVAL; 3590 3591 return 0; 3592 } 3593 3594 static int __init test_f4(struct crypto_shash *tfm_cmac) 3595 { 3596 const u8 u[32] = { 3597 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3598 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3599 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3600 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3601 const u8 v[32] = { 3602 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3603 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3604 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3605 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3606 const u8 x[16] = { 3607 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3608 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3609 const u8 z = 0x00; 3610 const u8 exp[16] = { 3611 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3612 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3613 u8 res[16]; 3614 int err; 3615 3616 err = smp_f4(tfm_cmac, u, v, x, z, res); 3617 if (err) 3618 return err; 3619 3620 if (crypto_memneq(res, exp, 16)) 3621 return -EINVAL; 3622 3623 return 0; 3624 } 3625 3626 static int __init test_f5(struct crypto_shash *tfm_cmac) 3627 { 3628 const u8 w[32] = { 3629 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3630 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3631 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3632 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3633 const u8 n1[16] = { 3634 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3635 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3636 const u8 n2[16] = { 3637 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3638 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3639 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3640 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3641 const u8 exp_ltk[16] = { 3642 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3643 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3644 const u8 exp_mackey[16] = { 3645 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3646 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3647 u8 mackey[16], ltk[16]; 3648 int err; 3649 3650 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3651 if (err) 3652 return err; 3653 3654 if (crypto_memneq(mackey, exp_mackey, 16)) 3655 return -EINVAL; 3656 3657 if (crypto_memneq(ltk, exp_ltk, 16)) 3658 return -EINVAL; 3659 3660 return 0; 3661 } 3662 3663 static int __init test_f6(struct crypto_shash *tfm_cmac) 3664 { 3665 const u8 w[16] = { 3666 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3667 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3668 const u8 n1[16] = { 3669 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3670 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3671 const u8 n2[16] = { 3672 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3673 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3674 const u8 r[16] = { 3675 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3676 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3677 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3678 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3679 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3680 const u8 exp[16] = { 3681 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3682 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3683 u8 res[16]; 3684 int err; 3685 3686 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3687 if (err) 3688 return err; 3689 3690 if (crypto_memneq(res, exp, 16)) 3691 return -EINVAL; 3692 3693 return 0; 3694 } 3695 3696 static int __init test_g2(struct crypto_shash *tfm_cmac) 3697 { 3698 const u8 u[32] = { 3699 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3700 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3701 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3702 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3703 const u8 v[32] = { 3704 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3705 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3706 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3707 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3708 const u8 x[16] = { 3709 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3710 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3711 const u8 y[16] = { 3712 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3713 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3714 const u32 exp_val = 0x2f9ed5ba % 1000000; 3715 u32 val; 3716 int err; 3717 3718 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3719 if (err) 3720 return err; 3721 3722 if (val != exp_val) 3723 return -EINVAL; 3724 3725 return 0; 3726 } 3727 3728 static int __init test_h6(struct crypto_shash *tfm_cmac) 3729 { 3730 const u8 w[16] = { 3731 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3732 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3733 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3734 const u8 exp[16] = { 3735 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3736 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3737 u8 res[16]; 3738 int err; 3739 3740 err = smp_h6(tfm_cmac, w, key_id, res); 3741 if (err) 3742 return err; 3743 3744 if (crypto_memneq(res, exp, 16)) 3745 return -EINVAL; 3746 3747 return 0; 3748 } 3749 3750 static char test_smp_buffer[32]; 3751 3752 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3753 size_t count, loff_t *ppos) 3754 { 3755 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3756 strlen(test_smp_buffer)); 3757 } 3758 3759 static const struct file_operations test_smp_fops = { 3760 .open = simple_open, 3761 .read = test_smp_read, 3762 .llseek = default_llseek, 3763 }; 3764 3765 static int __init run_selftests(struct crypto_cipher *tfm_aes, 3766 struct crypto_shash *tfm_cmac) 3767 { 3768 ktime_t calltime, delta, rettime; 3769 unsigned long long duration; 3770 int err; 3771 3772 calltime = ktime_get(); 3773 3774 err = test_debug_key(); 3775 if (err) { 3776 BT_ERR("debug_key test failed"); 3777 goto done; 3778 } 3779 3780 err = test_ah(tfm_aes); 3781 if (err) { 3782 BT_ERR("smp_ah test failed"); 3783 goto done; 3784 } 3785 3786 err = test_c1(tfm_aes); 3787 if (err) { 3788 BT_ERR("smp_c1 test failed"); 3789 goto done; 3790 } 3791 3792 err = test_s1(tfm_aes); 3793 if (err) { 3794 BT_ERR("smp_s1 test failed"); 3795 goto done; 3796 } 3797 3798 err = test_f4(tfm_cmac); 3799 if (err) { 3800 BT_ERR("smp_f4 test failed"); 3801 goto done; 3802 } 3803 3804 err = test_f5(tfm_cmac); 3805 if (err) { 3806 BT_ERR("smp_f5 test failed"); 3807 goto done; 3808 } 3809 3810 err = test_f6(tfm_cmac); 3811 if (err) { 3812 BT_ERR("smp_f6 test failed"); 3813 goto done; 3814 } 3815 3816 err = test_g2(tfm_cmac); 3817 if (err) { 3818 BT_ERR("smp_g2 test failed"); 3819 goto done; 3820 } 3821 3822 err = test_h6(tfm_cmac); 3823 if (err) { 3824 BT_ERR("smp_h6 test failed"); 3825 goto done; 3826 } 3827 3828 rettime = ktime_get(); 3829 delta = ktime_sub(rettime, calltime); 3830 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3831 3832 BT_INFO("SMP test passed in %llu usecs", duration); 3833 3834 done: 3835 if (!err) 3836 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3837 "PASS (%llu usecs)\n", duration); 3838 else 3839 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3840 3841 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3842 &test_smp_fops); 3843 3844 return err; 3845 } 3846 3847 int __init bt_selftest_smp(void) 3848 { 3849 struct crypto_cipher *tfm_aes; 3850 struct crypto_shash *tfm_cmac; 3851 int err; 3852 3853 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC); 3854 if (IS_ERR(tfm_aes)) { 3855 BT_ERR("Unable to create AES crypto context"); 3856 return PTR_ERR(tfm_aes); 3857 } 3858 3859 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 3860 if (IS_ERR(tfm_cmac)) { 3861 BT_ERR("Unable to create CMAC crypto context"); 3862 crypto_free_cipher(tfm_aes); 3863 return PTR_ERR(tfm_cmac); 3864 } 3865 3866 err = run_selftests(tfm_aes, tfm_cmac); 3867 3868 crypto_free_shash(tfm_cmac); 3869 crypto_free_cipher(tfm_aes); 3870 3871 return err; 3872 } 3873 3874 #endif 3875