1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/scatterlist.h> 25 #include <linux/crypto.h> 26 #include <crypto/aes.h> 27 #include <crypto/algapi.h> 28 #include <crypto/b128ops.h> 29 #include <crypto/hash.h> 30 #include <crypto/kpp.h> 31 32 #include <net/bluetooth/bluetooth.h> 33 #include <net/bluetooth/hci_core.h> 34 #include <net/bluetooth/l2cap.h> 35 #include <net/bluetooth/mgmt.h> 36 37 #include "ecdh_helper.h" 38 #include "smp.h" 39 40 #define SMP_DEV(hdev) \ 41 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 42 43 /* Low-level debug macros to be used for stuff that we don't want 44 * accidentially in dmesg, i.e. the values of the various crypto keys 45 * and the inputs & outputs of crypto functions. 46 */ 47 #ifdef DEBUG 48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 49 ##__VA_ARGS__) 50 #else 51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 52 ##__VA_ARGS__) 53 #endif 54 55 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 56 57 /* Keys which are not distributed with Secure Connections */ 58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY); 59 60 #define SMP_TIMEOUT msecs_to_jiffies(30000) 61 62 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 63 0x3f : 0x07) 64 #define KEY_DIST_MASK 0x07 65 66 /* Maximum message length that can be passed to aes_cmac */ 67 #define CMAC_MSG_MAX 80 68 69 enum { 70 SMP_FLAG_TK_VALID, 71 SMP_FLAG_CFM_PENDING, 72 SMP_FLAG_MITM_AUTH, 73 SMP_FLAG_COMPLETE, 74 SMP_FLAG_INITIATOR, 75 SMP_FLAG_SC, 76 SMP_FLAG_REMOTE_PK, 77 SMP_FLAG_DEBUG_KEY, 78 SMP_FLAG_WAIT_USER, 79 SMP_FLAG_DHKEY_PENDING, 80 SMP_FLAG_REMOTE_OOB, 81 SMP_FLAG_LOCAL_OOB, 82 SMP_FLAG_CT2, 83 }; 84 85 struct smp_dev { 86 /* Secure Connections OOB data */ 87 bool local_oob; 88 u8 local_pk[64]; 89 u8 local_rand[16]; 90 bool debug_key; 91 92 struct crypto_shash *tfm_cmac; 93 struct crypto_kpp *tfm_ecdh; 94 }; 95 96 struct smp_chan { 97 struct l2cap_conn *conn; 98 struct delayed_work security_timer; 99 unsigned long allow_cmd; /* Bitmask of allowed commands */ 100 101 u8 preq[7]; /* SMP Pairing Request */ 102 u8 prsp[7]; /* SMP Pairing Response */ 103 u8 prnd[16]; /* SMP Pairing Random (local) */ 104 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 105 u8 pcnf[16]; /* SMP Pairing Confirm */ 106 u8 tk[16]; /* SMP Temporary Key */ 107 u8 rr[16]; /* Remote OOB ra/rb value */ 108 u8 lr[16]; /* Local OOB ra/rb value */ 109 u8 enc_key_size; 110 u8 remote_key_dist; 111 bdaddr_t id_addr; 112 u8 id_addr_type; 113 u8 irk[16]; 114 struct smp_csrk *csrk; 115 struct smp_csrk *slave_csrk; 116 struct smp_ltk *ltk; 117 struct smp_ltk *slave_ltk; 118 struct smp_irk *remote_irk; 119 u8 *link_key; 120 unsigned long flags; 121 u8 method; 122 u8 passkey_round; 123 124 /* Secure Connections variables */ 125 u8 local_pk[64]; 126 u8 remote_pk[64]; 127 u8 dhkey[32]; 128 u8 mackey[16]; 129 130 struct crypto_shash *tfm_cmac; 131 struct crypto_kpp *tfm_ecdh; 132 }; 133 134 /* These debug key values are defined in the SMP section of the core 135 * specification. debug_pk is the public debug key and debug_sk the 136 * private debug key. 137 */ 138 static const u8 debug_pk[64] = { 139 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 140 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 141 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 142 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 143 144 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 145 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 146 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 147 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 148 }; 149 150 static const u8 debug_sk[32] = { 151 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 152 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 153 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 154 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 155 }; 156 157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 158 { 159 size_t i; 160 161 for (i = 0; i < len; i++) 162 dst[len - 1 - i] = src[i]; 163 } 164 165 /* The following functions map to the LE SC SMP crypto functions 166 * AES-CMAC, f4, f5, f6, g2 and h6. 167 */ 168 169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m, 170 size_t len, u8 mac[16]) 171 { 172 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 173 int err; 174 175 if (len > CMAC_MSG_MAX) 176 return -EFBIG; 177 178 if (!tfm) { 179 BT_ERR("tfm %p", tfm); 180 return -EINVAL; 181 } 182 183 /* Swap key and message from LSB to MSB */ 184 swap_buf(k, tmp, 16); 185 swap_buf(m, msg_msb, len); 186 187 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 188 SMP_DBG("key %16phN", k); 189 190 err = crypto_shash_setkey(tfm, tmp, 16); 191 if (err) { 192 BT_ERR("cipher setkey failed: %d", err); 193 return err; 194 } 195 196 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb); 197 if (err) { 198 BT_ERR("Hash computation error %d", err); 199 return err; 200 } 201 202 swap_buf(mac_msb, mac, 16); 203 204 SMP_DBG("mac %16phN", mac); 205 206 return 0; 207 } 208 209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32], 210 const u8 v[32], const u8 x[16], u8 z, u8 res[16]) 211 { 212 u8 m[65]; 213 int err; 214 215 SMP_DBG("u %32phN", u); 216 SMP_DBG("v %32phN", v); 217 SMP_DBG("x %16phN z %02x", x, z); 218 219 m[0] = z; 220 memcpy(m + 1, v, 32); 221 memcpy(m + 33, u, 32); 222 223 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 224 if (err) 225 return err; 226 227 SMP_DBG("res %16phN", res); 228 229 return err; 230 } 231 232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32], 233 const u8 n1[16], const u8 n2[16], const u8 a1[7], 234 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 235 { 236 /* The btle, salt and length "magic" values are as defined in 237 * the SMP section of the Bluetooth core specification. In ASCII 238 * the btle value ends up being 'btle'. The salt is just a 239 * random number whereas length is the value 256 in little 240 * endian format. 241 */ 242 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 243 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 244 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 245 const u8 length[2] = { 0x00, 0x01 }; 246 u8 m[53], t[16]; 247 int err; 248 249 SMP_DBG("w %32phN", w); 250 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 251 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 252 253 err = aes_cmac(tfm_cmac, salt, w, 32, t); 254 if (err) 255 return err; 256 257 SMP_DBG("t %16phN", t); 258 259 memcpy(m, length, 2); 260 memcpy(m + 2, a2, 7); 261 memcpy(m + 9, a1, 7); 262 memcpy(m + 16, n2, 16); 263 memcpy(m + 32, n1, 16); 264 memcpy(m + 48, btle, 4); 265 266 m[52] = 0; /* Counter */ 267 268 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 269 if (err) 270 return err; 271 272 SMP_DBG("mackey %16phN", mackey); 273 274 m[52] = 1; /* Counter */ 275 276 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 277 if (err) 278 return err; 279 280 SMP_DBG("ltk %16phN", ltk); 281 282 return 0; 283 } 284 285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16], 286 const u8 n1[16], const u8 n2[16], const u8 r[16], 287 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 288 u8 res[16]) 289 { 290 u8 m[65]; 291 int err; 292 293 SMP_DBG("w %16phN", w); 294 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 295 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 296 297 memcpy(m, a2, 7); 298 memcpy(m + 7, a1, 7); 299 memcpy(m + 14, io_cap, 3); 300 memcpy(m + 17, r, 16); 301 memcpy(m + 33, n2, 16); 302 memcpy(m + 49, n1, 16); 303 304 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 305 if (err) 306 return err; 307 308 SMP_DBG("res %16phN", res); 309 310 return err; 311 } 312 313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32], 314 const u8 x[16], const u8 y[16], u32 *val) 315 { 316 u8 m[80], tmp[16]; 317 int err; 318 319 SMP_DBG("u %32phN", u); 320 SMP_DBG("v %32phN", v); 321 SMP_DBG("x %16phN y %16phN", x, y); 322 323 memcpy(m, y, 16); 324 memcpy(m + 16, v, 32); 325 memcpy(m + 48, u, 32); 326 327 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 328 if (err) 329 return err; 330 331 *val = get_unaligned_le32(tmp); 332 *val %= 1000000; 333 334 SMP_DBG("val %06u", *val); 335 336 return 0; 337 } 338 339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16], 340 const u8 key_id[4], u8 res[16]) 341 { 342 int err; 343 344 SMP_DBG("w %16phN key_id %4phN", w, key_id); 345 346 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 347 if (err) 348 return err; 349 350 SMP_DBG("res %16phN", res); 351 352 return err; 353 } 354 355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16], 356 const u8 salt[16], u8 res[16]) 357 { 358 int err; 359 360 SMP_DBG("w %16phN salt %16phN", w, salt); 361 362 err = aes_cmac(tfm_cmac, salt, w, 16, res); 363 if (err) 364 return err; 365 366 SMP_DBG("res %16phN", res); 367 368 return err; 369 } 370 371 /* The following functions map to the legacy SMP crypto functions e, c1, 372 * s1 and ah. 373 */ 374 375 static int smp_e(const u8 *k, u8 *r) 376 { 377 struct crypto_aes_ctx ctx; 378 uint8_t tmp[16], data[16]; 379 int err; 380 381 SMP_DBG("k %16phN r %16phN", k, r); 382 383 /* The most significant octet of key corresponds to k[0] */ 384 swap_buf(k, tmp, 16); 385 386 err = aes_expandkey(&ctx, tmp, 16); 387 if (err) { 388 BT_ERR("cipher setkey failed: %d", err); 389 return err; 390 } 391 392 /* Most significant octet of plaintextData corresponds to data[0] */ 393 swap_buf(r, data, 16); 394 395 aes_encrypt(&ctx, data, data); 396 397 /* Most significant octet of encryptedData corresponds to data[0] */ 398 swap_buf(data, r, 16); 399 400 SMP_DBG("r %16phN", r); 401 402 memzero_explicit(&ctx, sizeof (ctx)); 403 return err; 404 } 405 406 static int smp_c1(const u8 k[16], 407 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 408 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 409 { 410 u8 p1[16], p2[16]; 411 int err; 412 413 SMP_DBG("k %16phN r %16phN", k, r); 414 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 415 SMP_DBG("preq %7phN pres %7phN", preq, pres); 416 417 memset(p1, 0, 16); 418 419 /* p1 = pres || preq || _rat || _iat */ 420 p1[0] = _iat; 421 p1[1] = _rat; 422 memcpy(p1 + 2, preq, 7); 423 memcpy(p1 + 9, pres, 7); 424 425 SMP_DBG("p1 %16phN", p1); 426 427 /* res = r XOR p1 */ 428 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 429 430 /* res = e(k, res) */ 431 err = smp_e(k, res); 432 if (err) { 433 BT_ERR("Encrypt data error"); 434 return err; 435 } 436 437 /* p2 = padding || ia || ra */ 438 memcpy(p2, ra, 6); 439 memcpy(p2 + 6, ia, 6); 440 memset(p2 + 12, 0, 4); 441 442 SMP_DBG("p2 %16phN", p2); 443 444 /* res = res XOR p2 */ 445 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 446 447 /* res = e(k, res) */ 448 err = smp_e(k, res); 449 if (err) 450 BT_ERR("Encrypt data error"); 451 452 return err; 453 } 454 455 static int smp_s1(const u8 k[16], 456 const u8 r1[16], const u8 r2[16], u8 _r[16]) 457 { 458 int err; 459 460 /* Just least significant octets from r1 and r2 are considered */ 461 memcpy(_r, r2, 8); 462 memcpy(_r + 8, r1, 8); 463 464 err = smp_e(k, _r); 465 if (err) 466 BT_ERR("Encrypt data error"); 467 468 return err; 469 } 470 471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3]) 472 { 473 u8 _res[16]; 474 int err; 475 476 /* r' = padding || r */ 477 memcpy(_res, r, 3); 478 memset(_res + 3, 0, 13); 479 480 err = smp_e(irk, _res); 481 if (err) { 482 BT_ERR("Encrypt error"); 483 return err; 484 } 485 486 /* The output of the random address function ah is: 487 * ah(k, r) = e(k, r') mod 2^24 488 * The output of the security function e is then truncated to 24 bits 489 * by taking the least significant 24 bits of the output of e as the 490 * result of ah. 491 */ 492 memcpy(res, _res, 3); 493 494 return 0; 495 } 496 497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 498 const bdaddr_t *bdaddr) 499 { 500 struct l2cap_chan *chan = hdev->smp_data; 501 u8 hash[3]; 502 int err; 503 504 if (!chan || !chan->data) 505 return false; 506 507 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 508 509 err = smp_ah(irk, &bdaddr->b[3], hash); 510 if (err) 511 return false; 512 513 return !crypto_memneq(bdaddr->b, hash, 3); 514 } 515 516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 517 { 518 struct l2cap_chan *chan = hdev->smp_data; 519 int err; 520 521 if (!chan || !chan->data) 522 return -EOPNOTSUPP; 523 524 get_random_bytes(&rpa->b[3], 3); 525 526 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 527 rpa->b[5] |= 0x40; /* Set second most significant bit */ 528 529 err = smp_ah(irk, &rpa->b[3], rpa->b); 530 if (err < 0) 531 return err; 532 533 BT_DBG("RPA %pMR", rpa); 534 535 return 0; 536 } 537 538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 539 { 540 struct l2cap_chan *chan = hdev->smp_data; 541 struct smp_dev *smp; 542 int err; 543 544 if (!chan || !chan->data) 545 return -EOPNOTSUPP; 546 547 smp = chan->data; 548 549 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 550 BT_DBG("Using debug keys"); 551 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk); 552 if (err) 553 return err; 554 memcpy(smp->local_pk, debug_pk, 64); 555 smp->debug_key = true; 556 } else { 557 while (true) { 558 /* Generate key pair for Secure Connections */ 559 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk); 560 if (err) 561 return err; 562 563 /* This is unlikely, but we need to check that 564 * we didn't accidentially generate a debug key. 565 */ 566 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 567 break; 568 } 569 smp->debug_key = false; 570 } 571 572 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 573 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 574 575 get_random_bytes(smp->local_rand, 16); 576 577 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 578 smp->local_rand, 0, hash); 579 if (err < 0) 580 return err; 581 582 memcpy(rand, smp->local_rand, 16); 583 584 smp->local_oob = true; 585 586 return 0; 587 } 588 589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 590 { 591 struct l2cap_chan *chan = conn->smp; 592 struct smp_chan *smp; 593 struct kvec iv[2]; 594 struct msghdr msg; 595 596 if (!chan) 597 return; 598 599 BT_DBG("code 0x%2.2x", code); 600 601 iv[0].iov_base = &code; 602 iv[0].iov_len = 1; 603 604 iv[1].iov_base = data; 605 iv[1].iov_len = len; 606 607 memset(&msg, 0, sizeof(msg)); 608 609 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len); 610 611 l2cap_chan_send(chan, &msg, 1 + len); 612 613 if (!chan->data) 614 return; 615 616 smp = chan->data; 617 618 cancel_delayed_work_sync(&smp->security_timer); 619 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 620 } 621 622 static u8 authreq_to_seclevel(u8 authreq) 623 { 624 if (authreq & SMP_AUTH_MITM) { 625 if (authreq & SMP_AUTH_SC) 626 return BT_SECURITY_FIPS; 627 else 628 return BT_SECURITY_HIGH; 629 } else { 630 return BT_SECURITY_MEDIUM; 631 } 632 } 633 634 static __u8 seclevel_to_authreq(__u8 sec_level) 635 { 636 switch (sec_level) { 637 case BT_SECURITY_FIPS: 638 case BT_SECURITY_HIGH: 639 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 640 case BT_SECURITY_MEDIUM: 641 return SMP_AUTH_BONDING; 642 default: 643 return SMP_AUTH_NONE; 644 } 645 } 646 647 static void build_pairing_cmd(struct l2cap_conn *conn, 648 struct smp_cmd_pairing *req, 649 struct smp_cmd_pairing *rsp, __u8 authreq) 650 { 651 struct l2cap_chan *chan = conn->smp; 652 struct smp_chan *smp = chan->data; 653 struct hci_conn *hcon = conn->hcon; 654 struct hci_dev *hdev = hcon->hdev; 655 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 656 657 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 658 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 659 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 660 authreq |= SMP_AUTH_BONDING; 661 } else { 662 authreq &= ~SMP_AUTH_BONDING; 663 } 664 665 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 666 remote_dist |= SMP_DIST_ID_KEY; 667 668 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 669 local_dist |= SMP_DIST_ID_KEY; 670 671 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 672 (authreq & SMP_AUTH_SC)) { 673 struct oob_data *oob_data; 674 u8 bdaddr_type; 675 676 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 677 local_dist |= SMP_DIST_LINK_KEY; 678 remote_dist |= SMP_DIST_LINK_KEY; 679 } 680 681 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 682 bdaddr_type = BDADDR_LE_PUBLIC; 683 else 684 bdaddr_type = BDADDR_LE_RANDOM; 685 686 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 687 bdaddr_type); 688 if (oob_data && oob_data->present) { 689 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 690 oob_flag = SMP_OOB_PRESENT; 691 memcpy(smp->rr, oob_data->rand256, 16); 692 memcpy(smp->pcnf, oob_data->hash256, 16); 693 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 694 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 695 } 696 697 } else { 698 authreq &= ~SMP_AUTH_SC; 699 } 700 701 if (rsp == NULL) { 702 req->io_capability = conn->hcon->io_capability; 703 req->oob_flag = oob_flag; 704 req->max_key_size = hdev->le_max_key_size; 705 req->init_key_dist = local_dist; 706 req->resp_key_dist = remote_dist; 707 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 708 709 smp->remote_key_dist = remote_dist; 710 return; 711 } 712 713 rsp->io_capability = conn->hcon->io_capability; 714 rsp->oob_flag = oob_flag; 715 rsp->max_key_size = hdev->le_max_key_size; 716 rsp->init_key_dist = req->init_key_dist & remote_dist; 717 rsp->resp_key_dist = req->resp_key_dist & local_dist; 718 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 719 720 smp->remote_key_dist = rsp->init_key_dist; 721 } 722 723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 724 { 725 struct l2cap_chan *chan = conn->smp; 726 struct hci_dev *hdev = conn->hcon->hdev; 727 struct smp_chan *smp = chan->data; 728 729 if (max_key_size > hdev->le_max_key_size || 730 max_key_size < SMP_MIN_ENC_KEY_SIZE) 731 return SMP_ENC_KEY_SIZE; 732 733 smp->enc_key_size = max_key_size; 734 735 return 0; 736 } 737 738 static void smp_chan_destroy(struct l2cap_conn *conn) 739 { 740 struct l2cap_chan *chan = conn->smp; 741 struct smp_chan *smp = chan->data; 742 struct hci_conn *hcon = conn->hcon; 743 bool complete; 744 745 BUG_ON(!smp); 746 747 cancel_delayed_work_sync(&smp->security_timer); 748 749 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 750 mgmt_smp_complete(hcon, complete); 751 752 kzfree(smp->csrk); 753 kzfree(smp->slave_csrk); 754 kzfree(smp->link_key); 755 756 crypto_free_shash(smp->tfm_cmac); 757 crypto_free_kpp(smp->tfm_ecdh); 758 759 /* Ensure that we don't leave any debug key around if debug key 760 * support hasn't been explicitly enabled. 761 */ 762 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 763 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 764 list_del_rcu(&smp->ltk->list); 765 kfree_rcu(smp->ltk, rcu); 766 smp->ltk = NULL; 767 } 768 769 /* If pairing failed clean up any keys we might have */ 770 if (!complete) { 771 if (smp->ltk) { 772 list_del_rcu(&smp->ltk->list); 773 kfree_rcu(smp->ltk, rcu); 774 } 775 776 if (smp->slave_ltk) { 777 list_del_rcu(&smp->slave_ltk->list); 778 kfree_rcu(smp->slave_ltk, rcu); 779 } 780 781 if (smp->remote_irk) { 782 list_del_rcu(&smp->remote_irk->list); 783 kfree_rcu(smp->remote_irk, rcu); 784 } 785 } 786 787 chan->data = NULL; 788 kzfree(smp); 789 hci_conn_drop(hcon); 790 } 791 792 static void smp_failure(struct l2cap_conn *conn, u8 reason) 793 { 794 struct hci_conn *hcon = conn->hcon; 795 struct l2cap_chan *chan = conn->smp; 796 797 if (reason) 798 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 799 &reason); 800 801 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 802 803 if (chan->data) 804 smp_chan_destroy(conn); 805 } 806 807 #define JUST_WORKS 0x00 808 #define JUST_CFM 0x01 809 #define REQ_PASSKEY 0x02 810 #define CFM_PASSKEY 0x03 811 #define REQ_OOB 0x04 812 #define DSP_PASSKEY 0x05 813 #define OVERLAP 0xFF 814 815 static const u8 gen_method[5][5] = { 816 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 817 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 818 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 819 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 820 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 821 }; 822 823 static const u8 sc_method[5][5] = { 824 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 825 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 826 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 827 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 828 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 829 }; 830 831 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 832 { 833 /* If either side has unknown io_caps, use JUST_CFM (which gets 834 * converted later to JUST_WORKS if we're initiators. 835 */ 836 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 837 remote_io > SMP_IO_KEYBOARD_DISPLAY) 838 return JUST_CFM; 839 840 if (test_bit(SMP_FLAG_SC, &smp->flags)) 841 return sc_method[remote_io][local_io]; 842 843 return gen_method[remote_io][local_io]; 844 } 845 846 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 847 u8 local_io, u8 remote_io) 848 { 849 struct hci_conn *hcon = conn->hcon; 850 struct l2cap_chan *chan = conn->smp; 851 struct smp_chan *smp = chan->data; 852 u32 passkey = 0; 853 int ret = 0; 854 855 /* Initialize key for JUST WORKS */ 856 memset(smp->tk, 0, sizeof(smp->tk)); 857 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 858 859 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 860 861 /* If neither side wants MITM, either "just" confirm an incoming 862 * request or use just-works for outgoing ones. The JUST_CFM 863 * will be converted to JUST_WORKS if necessary later in this 864 * function. If either side has MITM look up the method from the 865 * table. 866 */ 867 if (!(auth & SMP_AUTH_MITM)) 868 smp->method = JUST_CFM; 869 else 870 smp->method = get_auth_method(smp, local_io, remote_io); 871 872 /* Don't confirm locally initiated pairing attempts */ 873 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 874 &smp->flags)) 875 smp->method = JUST_WORKS; 876 877 /* Don't bother user space with no IO capabilities */ 878 if (smp->method == JUST_CFM && 879 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 880 smp->method = JUST_WORKS; 881 882 /* If Just Works, Continue with Zero TK */ 883 if (smp->method == JUST_WORKS) { 884 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 885 return 0; 886 } 887 888 /* If this function is used for SC -> legacy fallback we 889 * can only recover the just-works case. 890 */ 891 if (test_bit(SMP_FLAG_SC, &smp->flags)) 892 return -EINVAL; 893 894 /* Not Just Works/Confirm results in MITM Authentication */ 895 if (smp->method != JUST_CFM) { 896 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 897 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 898 hcon->pending_sec_level = BT_SECURITY_HIGH; 899 } 900 901 /* If both devices have Keyoard-Display I/O, the master 902 * Confirms and the slave Enters the passkey. 903 */ 904 if (smp->method == OVERLAP) { 905 if (hcon->role == HCI_ROLE_MASTER) 906 smp->method = CFM_PASSKEY; 907 else 908 smp->method = REQ_PASSKEY; 909 } 910 911 /* Generate random passkey. */ 912 if (smp->method == CFM_PASSKEY) { 913 memset(smp->tk, 0, sizeof(smp->tk)); 914 get_random_bytes(&passkey, sizeof(passkey)); 915 passkey %= 1000000; 916 put_unaligned_le32(passkey, smp->tk); 917 BT_DBG("PassKey: %d", passkey); 918 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 919 } 920 921 if (smp->method == REQ_PASSKEY) 922 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 923 hcon->type, hcon->dst_type); 924 else if (smp->method == JUST_CFM) 925 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 926 hcon->type, hcon->dst_type, 927 passkey, 1); 928 else 929 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 930 hcon->type, hcon->dst_type, 931 passkey, 0); 932 933 return ret; 934 } 935 936 static u8 smp_confirm(struct smp_chan *smp) 937 { 938 struct l2cap_conn *conn = smp->conn; 939 struct smp_cmd_pairing_confirm cp; 940 int ret; 941 942 BT_DBG("conn %p", conn); 943 944 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp, 945 conn->hcon->init_addr_type, &conn->hcon->init_addr, 946 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 947 cp.confirm_val); 948 if (ret) 949 return SMP_UNSPECIFIED; 950 951 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 952 953 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 954 955 if (conn->hcon->out) 956 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 957 else 958 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 959 960 return 0; 961 } 962 963 static u8 smp_random(struct smp_chan *smp) 964 { 965 struct l2cap_conn *conn = smp->conn; 966 struct hci_conn *hcon = conn->hcon; 967 u8 confirm[16]; 968 int ret; 969 970 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 971 972 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp, 973 hcon->init_addr_type, &hcon->init_addr, 974 hcon->resp_addr_type, &hcon->resp_addr, confirm); 975 if (ret) 976 return SMP_UNSPECIFIED; 977 978 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 979 bt_dev_err(hcon->hdev, "pairing failed " 980 "(confirmation values mismatch)"); 981 return SMP_CONFIRM_FAILED; 982 } 983 984 if (hcon->out) { 985 u8 stk[16]; 986 __le64 rand = 0; 987 __le16 ediv = 0; 988 989 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk); 990 991 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 992 return SMP_UNSPECIFIED; 993 994 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 995 hcon->enc_key_size = smp->enc_key_size; 996 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 997 } else { 998 u8 stk[16], auth; 999 __le64 rand = 0; 1000 __le16 ediv = 0; 1001 1002 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1003 smp->prnd); 1004 1005 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); 1006 1007 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1008 auth = 1; 1009 else 1010 auth = 0; 1011 1012 /* Even though there's no _SLAVE suffix this is the 1013 * slave STK we're adding for later lookup (the master 1014 * STK never needs to be stored). 1015 */ 1016 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1017 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1018 } 1019 1020 return 0; 1021 } 1022 1023 static void smp_notify_keys(struct l2cap_conn *conn) 1024 { 1025 struct l2cap_chan *chan = conn->smp; 1026 struct smp_chan *smp = chan->data; 1027 struct hci_conn *hcon = conn->hcon; 1028 struct hci_dev *hdev = hcon->hdev; 1029 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1030 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1031 bool persistent; 1032 1033 if (hcon->type == ACL_LINK) { 1034 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1035 persistent = false; 1036 else 1037 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1038 &hcon->flags); 1039 } else { 1040 /* The LTKs, IRKs and CSRKs should be persistent only if 1041 * both sides had the bonding bit set in their 1042 * authentication requests. 1043 */ 1044 persistent = !!((req->auth_req & rsp->auth_req) & 1045 SMP_AUTH_BONDING); 1046 } 1047 1048 if (smp->remote_irk) { 1049 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1050 1051 /* Now that user space can be considered to know the 1052 * identity address track the connection based on it 1053 * from now on (assuming this is an LE link). 1054 */ 1055 if (hcon->type == LE_LINK) { 1056 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1057 hcon->dst_type = smp->remote_irk->addr_type; 1058 queue_work(hdev->workqueue, &conn->id_addr_update_work); 1059 } 1060 } 1061 1062 if (smp->csrk) { 1063 smp->csrk->bdaddr_type = hcon->dst_type; 1064 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1065 mgmt_new_csrk(hdev, smp->csrk, persistent); 1066 } 1067 1068 if (smp->slave_csrk) { 1069 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1070 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1071 mgmt_new_csrk(hdev, smp->slave_csrk, persistent); 1072 } 1073 1074 if (smp->ltk) { 1075 smp->ltk->bdaddr_type = hcon->dst_type; 1076 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1077 mgmt_new_ltk(hdev, smp->ltk, persistent); 1078 } 1079 1080 if (smp->slave_ltk) { 1081 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1082 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1083 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1084 } 1085 1086 if (smp->link_key) { 1087 struct link_key *key; 1088 u8 type; 1089 1090 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1091 type = HCI_LK_DEBUG_COMBINATION; 1092 else if (hcon->sec_level == BT_SECURITY_FIPS) 1093 type = HCI_LK_AUTH_COMBINATION_P256; 1094 else 1095 type = HCI_LK_UNAUTH_COMBINATION_P256; 1096 1097 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1098 smp->link_key, type, 0, &persistent); 1099 if (key) { 1100 mgmt_new_link_key(hdev, key, persistent); 1101 1102 /* Don't keep debug keys around if the relevant 1103 * flag is not set. 1104 */ 1105 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1106 key->type == HCI_LK_DEBUG_COMBINATION) { 1107 list_del_rcu(&key->list); 1108 kfree_rcu(key, rcu); 1109 } 1110 } 1111 } 1112 } 1113 1114 static void sc_add_ltk(struct smp_chan *smp) 1115 { 1116 struct hci_conn *hcon = smp->conn->hcon; 1117 u8 key_type, auth; 1118 1119 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1120 key_type = SMP_LTK_P256_DEBUG; 1121 else 1122 key_type = SMP_LTK_P256; 1123 1124 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1125 auth = 1; 1126 else 1127 auth = 0; 1128 1129 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1130 key_type, auth, smp->tk, smp->enc_key_size, 1131 0, 0); 1132 } 1133 1134 static void sc_generate_link_key(struct smp_chan *smp) 1135 { 1136 /* From core spec. Spells out in ASCII as 'lebr'. */ 1137 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1138 1139 smp->link_key = kzalloc(16, GFP_KERNEL); 1140 if (!smp->link_key) 1141 return; 1142 1143 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1144 /* SALT = 0x000000000000000000000000746D7031 */ 1145 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1146 1147 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) { 1148 kzfree(smp->link_key); 1149 smp->link_key = NULL; 1150 return; 1151 } 1152 } else { 1153 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1154 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1155 1156 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1157 kzfree(smp->link_key); 1158 smp->link_key = NULL; 1159 return; 1160 } 1161 } 1162 1163 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1164 kzfree(smp->link_key); 1165 smp->link_key = NULL; 1166 return; 1167 } 1168 } 1169 1170 static void smp_allow_key_dist(struct smp_chan *smp) 1171 { 1172 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1173 * will be allowed in each PDU handler to ensure we receive 1174 * them in the correct order. 1175 */ 1176 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1177 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1178 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1179 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1180 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1181 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1182 } 1183 1184 static void sc_generate_ltk(struct smp_chan *smp) 1185 { 1186 /* From core spec. Spells out in ASCII as 'brle'. */ 1187 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1188 struct hci_conn *hcon = smp->conn->hcon; 1189 struct hci_dev *hdev = hcon->hdev; 1190 struct link_key *key; 1191 1192 key = hci_find_link_key(hdev, &hcon->dst); 1193 if (!key) { 1194 bt_dev_err(hdev, "no Link Key found to generate LTK"); 1195 return; 1196 } 1197 1198 if (key->type == HCI_LK_DEBUG_COMBINATION) 1199 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1200 1201 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1202 /* SALT = 0x000000000000000000000000746D7032 */ 1203 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 }; 1204 1205 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk)) 1206 return; 1207 } else { 1208 /* From core spec. Spells out in ASCII as 'tmp2'. */ 1209 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1210 1211 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1212 return; 1213 } 1214 1215 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1216 return; 1217 1218 sc_add_ltk(smp); 1219 } 1220 1221 static void smp_distribute_keys(struct smp_chan *smp) 1222 { 1223 struct smp_cmd_pairing *req, *rsp; 1224 struct l2cap_conn *conn = smp->conn; 1225 struct hci_conn *hcon = conn->hcon; 1226 struct hci_dev *hdev = hcon->hdev; 1227 __u8 *keydist; 1228 1229 BT_DBG("conn %p", conn); 1230 1231 rsp = (void *) &smp->prsp[1]; 1232 1233 /* The responder sends its keys first */ 1234 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1235 smp_allow_key_dist(smp); 1236 return; 1237 } 1238 1239 req = (void *) &smp->preq[1]; 1240 1241 if (hcon->out) { 1242 keydist = &rsp->init_key_dist; 1243 *keydist &= req->init_key_dist; 1244 } else { 1245 keydist = &rsp->resp_key_dist; 1246 *keydist &= req->resp_key_dist; 1247 } 1248 1249 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1250 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1251 sc_generate_link_key(smp); 1252 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1253 sc_generate_ltk(smp); 1254 1255 /* Clear the keys which are generated but not distributed */ 1256 *keydist &= ~SMP_SC_NO_DIST; 1257 } 1258 1259 BT_DBG("keydist 0x%x", *keydist); 1260 1261 if (*keydist & SMP_DIST_ENC_KEY) { 1262 struct smp_cmd_encrypt_info enc; 1263 struct smp_cmd_master_ident ident; 1264 struct smp_ltk *ltk; 1265 u8 authenticated; 1266 __le16 ediv; 1267 __le64 rand; 1268 1269 /* Make sure we generate only the significant amount of 1270 * bytes based on the encryption key size, and set the rest 1271 * of the value to zeroes. 1272 */ 1273 get_random_bytes(enc.ltk, smp->enc_key_size); 1274 memset(enc.ltk + smp->enc_key_size, 0, 1275 sizeof(enc.ltk) - smp->enc_key_size); 1276 1277 get_random_bytes(&ediv, sizeof(ediv)); 1278 get_random_bytes(&rand, sizeof(rand)); 1279 1280 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1281 1282 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1283 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1284 SMP_LTK_SLAVE, authenticated, enc.ltk, 1285 smp->enc_key_size, ediv, rand); 1286 smp->slave_ltk = ltk; 1287 1288 ident.ediv = ediv; 1289 ident.rand = rand; 1290 1291 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1292 1293 *keydist &= ~SMP_DIST_ENC_KEY; 1294 } 1295 1296 if (*keydist & SMP_DIST_ID_KEY) { 1297 struct smp_cmd_ident_addr_info addrinfo; 1298 struct smp_cmd_ident_info idinfo; 1299 1300 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1301 1302 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1303 1304 /* The hci_conn contains the local identity address 1305 * after the connection has been established. 1306 * 1307 * This is true even when the connection has been 1308 * established using a resolvable random address. 1309 */ 1310 bacpy(&addrinfo.bdaddr, &hcon->src); 1311 addrinfo.addr_type = hcon->src_type; 1312 1313 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1314 &addrinfo); 1315 1316 *keydist &= ~SMP_DIST_ID_KEY; 1317 } 1318 1319 if (*keydist & SMP_DIST_SIGN) { 1320 struct smp_cmd_sign_info sign; 1321 struct smp_csrk *csrk; 1322 1323 /* Generate a new random key */ 1324 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1325 1326 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1327 if (csrk) { 1328 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1329 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1330 else 1331 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1332 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1333 } 1334 smp->slave_csrk = csrk; 1335 1336 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1337 1338 *keydist &= ~SMP_DIST_SIGN; 1339 } 1340 1341 /* If there are still keys to be received wait for them */ 1342 if (smp->remote_key_dist & KEY_DIST_MASK) { 1343 smp_allow_key_dist(smp); 1344 return; 1345 } 1346 1347 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1348 smp_notify_keys(conn); 1349 1350 smp_chan_destroy(conn); 1351 } 1352 1353 static void smp_timeout(struct work_struct *work) 1354 { 1355 struct smp_chan *smp = container_of(work, struct smp_chan, 1356 security_timer.work); 1357 struct l2cap_conn *conn = smp->conn; 1358 1359 BT_DBG("conn %p", conn); 1360 1361 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1362 } 1363 1364 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1365 { 1366 struct l2cap_chan *chan = conn->smp; 1367 struct smp_chan *smp; 1368 1369 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1370 if (!smp) 1371 return NULL; 1372 1373 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1374 if (IS_ERR(smp->tfm_cmac)) { 1375 BT_ERR("Unable to create CMAC crypto context"); 1376 goto zfree_smp; 1377 } 1378 1379 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 1380 if (IS_ERR(smp->tfm_ecdh)) { 1381 BT_ERR("Unable to create ECDH crypto context"); 1382 goto free_shash; 1383 } 1384 1385 smp->conn = conn; 1386 chan->data = smp; 1387 1388 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1389 1390 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1391 1392 hci_conn_hold(conn->hcon); 1393 1394 return smp; 1395 1396 free_shash: 1397 crypto_free_shash(smp->tfm_cmac); 1398 zfree_smp: 1399 kzfree(smp); 1400 return NULL; 1401 } 1402 1403 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1404 { 1405 struct hci_conn *hcon = smp->conn->hcon; 1406 u8 *na, *nb, a[7], b[7]; 1407 1408 if (hcon->out) { 1409 na = smp->prnd; 1410 nb = smp->rrnd; 1411 } else { 1412 na = smp->rrnd; 1413 nb = smp->prnd; 1414 } 1415 1416 memcpy(a, &hcon->init_addr, 6); 1417 memcpy(b, &hcon->resp_addr, 6); 1418 a[6] = hcon->init_addr_type; 1419 b[6] = hcon->resp_addr_type; 1420 1421 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1422 } 1423 1424 static void sc_dhkey_check(struct smp_chan *smp) 1425 { 1426 struct hci_conn *hcon = smp->conn->hcon; 1427 struct smp_cmd_dhkey_check check; 1428 u8 a[7], b[7], *local_addr, *remote_addr; 1429 u8 io_cap[3], r[16]; 1430 1431 memcpy(a, &hcon->init_addr, 6); 1432 memcpy(b, &hcon->resp_addr, 6); 1433 a[6] = hcon->init_addr_type; 1434 b[6] = hcon->resp_addr_type; 1435 1436 if (hcon->out) { 1437 local_addr = a; 1438 remote_addr = b; 1439 memcpy(io_cap, &smp->preq[1], 3); 1440 } else { 1441 local_addr = b; 1442 remote_addr = a; 1443 memcpy(io_cap, &smp->prsp[1], 3); 1444 } 1445 1446 memset(r, 0, sizeof(r)); 1447 1448 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1449 put_unaligned_le32(hcon->passkey_notify, r); 1450 1451 if (smp->method == REQ_OOB) 1452 memcpy(r, smp->rr, 16); 1453 1454 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1455 local_addr, remote_addr, check.e); 1456 1457 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1458 } 1459 1460 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1461 { 1462 struct l2cap_conn *conn = smp->conn; 1463 struct hci_conn *hcon = conn->hcon; 1464 struct smp_cmd_pairing_confirm cfm; 1465 u8 r; 1466 1467 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1468 r |= 0x80; 1469 1470 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1471 1472 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1473 cfm.confirm_val)) 1474 return SMP_UNSPECIFIED; 1475 1476 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1477 1478 return 0; 1479 } 1480 1481 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1482 { 1483 struct l2cap_conn *conn = smp->conn; 1484 struct hci_conn *hcon = conn->hcon; 1485 struct hci_dev *hdev = hcon->hdev; 1486 u8 cfm[16], r; 1487 1488 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1489 if (smp->passkey_round >= 20) 1490 return 0; 1491 1492 switch (smp_op) { 1493 case SMP_CMD_PAIRING_RANDOM: 1494 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1495 r |= 0x80; 1496 1497 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1498 smp->rrnd, r, cfm)) 1499 return SMP_UNSPECIFIED; 1500 1501 if (crypto_memneq(smp->pcnf, cfm, 16)) 1502 return SMP_CONFIRM_FAILED; 1503 1504 smp->passkey_round++; 1505 1506 if (smp->passkey_round == 20) { 1507 /* Generate MacKey and LTK */ 1508 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1509 return SMP_UNSPECIFIED; 1510 } 1511 1512 /* The round is only complete when the initiator 1513 * receives pairing random. 1514 */ 1515 if (!hcon->out) { 1516 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1517 sizeof(smp->prnd), smp->prnd); 1518 if (smp->passkey_round == 20) 1519 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1520 else 1521 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1522 return 0; 1523 } 1524 1525 /* Start the next round */ 1526 if (smp->passkey_round != 20) 1527 return sc_passkey_round(smp, 0); 1528 1529 /* Passkey rounds are complete - start DHKey Check */ 1530 sc_dhkey_check(smp); 1531 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1532 1533 break; 1534 1535 case SMP_CMD_PAIRING_CONFIRM: 1536 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1537 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1538 return 0; 1539 } 1540 1541 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1542 1543 if (hcon->out) { 1544 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1545 sizeof(smp->prnd), smp->prnd); 1546 return 0; 1547 } 1548 1549 return sc_passkey_send_confirm(smp); 1550 1551 case SMP_CMD_PUBLIC_KEY: 1552 default: 1553 /* Initiating device starts the round */ 1554 if (!hcon->out) 1555 return 0; 1556 1557 BT_DBG("%s Starting passkey round %u", hdev->name, 1558 smp->passkey_round + 1); 1559 1560 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1561 1562 return sc_passkey_send_confirm(smp); 1563 } 1564 1565 return 0; 1566 } 1567 1568 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1569 { 1570 struct l2cap_conn *conn = smp->conn; 1571 struct hci_conn *hcon = conn->hcon; 1572 u8 smp_op; 1573 1574 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1575 1576 switch (mgmt_op) { 1577 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1578 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1579 return 0; 1580 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1581 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1582 return 0; 1583 case MGMT_OP_USER_PASSKEY_REPLY: 1584 hcon->passkey_notify = le32_to_cpu(passkey); 1585 smp->passkey_round = 0; 1586 1587 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1588 smp_op = SMP_CMD_PAIRING_CONFIRM; 1589 else 1590 smp_op = 0; 1591 1592 if (sc_passkey_round(smp, smp_op)) 1593 return -EIO; 1594 1595 return 0; 1596 } 1597 1598 /* Initiator sends DHKey check first */ 1599 if (hcon->out) { 1600 sc_dhkey_check(smp); 1601 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1602 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1603 sc_dhkey_check(smp); 1604 sc_add_ltk(smp); 1605 } 1606 1607 return 0; 1608 } 1609 1610 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1611 { 1612 struct l2cap_conn *conn = hcon->l2cap_data; 1613 struct l2cap_chan *chan; 1614 struct smp_chan *smp; 1615 u32 value; 1616 int err; 1617 1618 BT_DBG(""); 1619 1620 if (!conn) 1621 return -ENOTCONN; 1622 1623 chan = conn->smp; 1624 if (!chan) 1625 return -ENOTCONN; 1626 1627 l2cap_chan_lock(chan); 1628 if (!chan->data) { 1629 err = -ENOTCONN; 1630 goto unlock; 1631 } 1632 1633 smp = chan->data; 1634 1635 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1636 err = sc_user_reply(smp, mgmt_op, passkey); 1637 goto unlock; 1638 } 1639 1640 switch (mgmt_op) { 1641 case MGMT_OP_USER_PASSKEY_REPLY: 1642 value = le32_to_cpu(passkey); 1643 memset(smp->tk, 0, sizeof(smp->tk)); 1644 BT_DBG("PassKey: %d", value); 1645 put_unaligned_le32(value, smp->tk); 1646 /* Fall Through */ 1647 case MGMT_OP_USER_CONFIRM_REPLY: 1648 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1649 break; 1650 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1651 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1652 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1653 err = 0; 1654 goto unlock; 1655 default: 1656 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1657 err = -EOPNOTSUPP; 1658 goto unlock; 1659 } 1660 1661 err = 0; 1662 1663 /* If it is our turn to send Pairing Confirm, do so now */ 1664 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1665 u8 rsp = smp_confirm(smp); 1666 if (rsp) 1667 smp_failure(conn, rsp); 1668 } 1669 1670 unlock: 1671 l2cap_chan_unlock(chan); 1672 return err; 1673 } 1674 1675 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1676 struct smp_cmd_pairing *req, 1677 struct smp_cmd_pairing *rsp) 1678 { 1679 struct l2cap_conn *conn = smp->conn; 1680 struct hci_dev *hdev = conn->hcon->hdev; 1681 u8 local_dist = 0, remote_dist = 0; 1682 1683 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1684 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1685 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1686 } 1687 1688 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1689 remote_dist |= SMP_DIST_ID_KEY; 1690 1691 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1692 local_dist |= SMP_DIST_ID_KEY; 1693 1694 if (!rsp) { 1695 memset(req, 0, sizeof(*req)); 1696 1697 req->auth_req = SMP_AUTH_CT2; 1698 req->init_key_dist = local_dist; 1699 req->resp_key_dist = remote_dist; 1700 req->max_key_size = conn->hcon->enc_key_size; 1701 1702 smp->remote_key_dist = remote_dist; 1703 1704 return; 1705 } 1706 1707 memset(rsp, 0, sizeof(*rsp)); 1708 1709 rsp->auth_req = SMP_AUTH_CT2; 1710 rsp->max_key_size = conn->hcon->enc_key_size; 1711 rsp->init_key_dist = req->init_key_dist & remote_dist; 1712 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1713 1714 smp->remote_key_dist = rsp->init_key_dist; 1715 } 1716 1717 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1718 { 1719 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1720 struct l2cap_chan *chan = conn->smp; 1721 struct hci_dev *hdev = conn->hcon->hdev; 1722 struct smp_chan *smp; 1723 u8 key_size, auth, sec_level; 1724 int ret; 1725 1726 BT_DBG("conn %p", conn); 1727 1728 if (skb->len < sizeof(*req)) 1729 return SMP_INVALID_PARAMS; 1730 1731 if (conn->hcon->role != HCI_ROLE_SLAVE) 1732 return SMP_CMD_NOTSUPP; 1733 1734 if (!chan->data) 1735 smp = smp_chan_create(conn); 1736 else 1737 smp = chan->data; 1738 1739 if (!smp) 1740 return SMP_UNSPECIFIED; 1741 1742 /* We didn't start the pairing, so match remote */ 1743 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1744 1745 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1746 (auth & SMP_AUTH_BONDING)) 1747 return SMP_PAIRING_NOTSUPP; 1748 1749 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1750 return SMP_AUTH_REQUIREMENTS; 1751 1752 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1753 memcpy(&smp->preq[1], req, sizeof(*req)); 1754 skb_pull(skb, sizeof(*req)); 1755 1756 /* If the remote side's OOB flag is set it means it has 1757 * successfully received our local OOB data - therefore set the 1758 * flag to indicate that local OOB is in use. 1759 */ 1760 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob) 1761 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1762 1763 /* SMP over BR/EDR requires special treatment */ 1764 if (conn->hcon->type == ACL_LINK) { 1765 /* We must have a BR/EDR SC link */ 1766 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1767 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1768 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1769 1770 set_bit(SMP_FLAG_SC, &smp->flags); 1771 1772 build_bredr_pairing_cmd(smp, req, &rsp); 1773 1774 if (req->auth_req & SMP_AUTH_CT2) 1775 set_bit(SMP_FLAG_CT2, &smp->flags); 1776 1777 key_size = min(req->max_key_size, rsp.max_key_size); 1778 if (check_enc_key_size(conn, key_size)) 1779 return SMP_ENC_KEY_SIZE; 1780 1781 /* Clear bits which are generated but not distributed */ 1782 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1783 1784 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1785 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1786 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1787 1788 smp_distribute_keys(smp); 1789 return 0; 1790 } 1791 1792 build_pairing_cmd(conn, req, &rsp, auth); 1793 1794 if (rsp.auth_req & SMP_AUTH_SC) { 1795 set_bit(SMP_FLAG_SC, &smp->flags); 1796 1797 if (rsp.auth_req & SMP_AUTH_CT2) 1798 set_bit(SMP_FLAG_CT2, &smp->flags); 1799 } 1800 1801 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1802 sec_level = BT_SECURITY_MEDIUM; 1803 else 1804 sec_level = authreq_to_seclevel(auth); 1805 1806 if (sec_level > conn->hcon->pending_sec_level) 1807 conn->hcon->pending_sec_level = sec_level; 1808 1809 /* If we need MITM check that it can be achieved */ 1810 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1811 u8 method; 1812 1813 method = get_auth_method(smp, conn->hcon->io_capability, 1814 req->io_capability); 1815 if (method == JUST_WORKS || method == JUST_CFM) 1816 return SMP_AUTH_REQUIREMENTS; 1817 } 1818 1819 key_size = min(req->max_key_size, rsp.max_key_size); 1820 if (check_enc_key_size(conn, key_size)) 1821 return SMP_ENC_KEY_SIZE; 1822 1823 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1824 1825 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1826 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1827 1828 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1829 1830 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1831 1832 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1833 * SC case, however some implementations incorrectly copy RFU auth 1834 * req bits from our security request, which may create a false 1835 * positive SC enablement. 1836 */ 1837 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1838 1839 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1840 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1841 /* Clear bits which are generated but not distributed */ 1842 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1843 /* Wait for Public Key from Initiating Device */ 1844 return 0; 1845 } 1846 1847 /* Request setup of TK */ 1848 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1849 if (ret) 1850 return SMP_UNSPECIFIED; 1851 1852 return 0; 1853 } 1854 1855 static u8 sc_send_public_key(struct smp_chan *smp) 1856 { 1857 struct hci_dev *hdev = smp->conn->hcon->hdev; 1858 1859 BT_DBG(""); 1860 1861 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1862 struct l2cap_chan *chan = hdev->smp_data; 1863 struct smp_dev *smp_dev; 1864 1865 if (!chan || !chan->data) 1866 return SMP_UNSPECIFIED; 1867 1868 smp_dev = chan->data; 1869 1870 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1871 memcpy(smp->lr, smp_dev->local_rand, 16); 1872 1873 if (smp_dev->debug_key) 1874 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1875 1876 goto done; 1877 } 1878 1879 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1880 BT_DBG("Using debug keys"); 1881 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk)) 1882 return SMP_UNSPECIFIED; 1883 memcpy(smp->local_pk, debug_pk, 64); 1884 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1885 } else { 1886 while (true) { 1887 /* Generate key pair for Secure Connections */ 1888 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk)) 1889 return SMP_UNSPECIFIED; 1890 1891 /* This is unlikely, but we need to check that 1892 * we didn't accidentially generate a debug key. 1893 */ 1894 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 1895 break; 1896 } 1897 } 1898 1899 done: 1900 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1901 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1902 1903 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1904 1905 return 0; 1906 } 1907 1908 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1909 { 1910 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1911 struct l2cap_chan *chan = conn->smp; 1912 struct smp_chan *smp = chan->data; 1913 struct hci_dev *hdev = conn->hcon->hdev; 1914 u8 key_size, auth; 1915 int ret; 1916 1917 BT_DBG("conn %p", conn); 1918 1919 if (skb->len < sizeof(*rsp)) 1920 return SMP_INVALID_PARAMS; 1921 1922 if (conn->hcon->role != HCI_ROLE_MASTER) 1923 return SMP_CMD_NOTSUPP; 1924 1925 skb_pull(skb, sizeof(*rsp)); 1926 1927 req = (void *) &smp->preq[1]; 1928 1929 key_size = min(req->max_key_size, rsp->max_key_size); 1930 if (check_enc_key_size(conn, key_size)) 1931 return SMP_ENC_KEY_SIZE; 1932 1933 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1934 1935 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1936 return SMP_AUTH_REQUIREMENTS; 1937 1938 /* If the remote side's OOB flag is set it means it has 1939 * successfully received our local OOB data - therefore set the 1940 * flag to indicate that local OOB is in use. 1941 */ 1942 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob) 1943 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1944 1945 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1946 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1947 1948 /* Update remote key distribution in case the remote cleared 1949 * some bits that we had enabled in our request. 1950 */ 1951 smp->remote_key_dist &= rsp->resp_key_dist; 1952 1953 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2)) 1954 set_bit(SMP_FLAG_CT2, &smp->flags); 1955 1956 /* For BR/EDR this means we're done and can start phase 3 */ 1957 if (conn->hcon->type == ACL_LINK) { 1958 /* Clear bits which are generated but not distributed */ 1959 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1960 smp_distribute_keys(smp); 1961 return 0; 1962 } 1963 1964 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1965 set_bit(SMP_FLAG_SC, &smp->flags); 1966 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1967 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1968 1969 /* If we need MITM check that it can be achieved */ 1970 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1971 u8 method; 1972 1973 method = get_auth_method(smp, req->io_capability, 1974 rsp->io_capability); 1975 if (method == JUST_WORKS || method == JUST_CFM) 1976 return SMP_AUTH_REQUIREMENTS; 1977 } 1978 1979 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1980 1981 /* Update remote key distribution in case the remote cleared 1982 * some bits that we had enabled in our request. 1983 */ 1984 smp->remote_key_dist &= rsp->resp_key_dist; 1985 1986 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1987 /* Clear bits which are generated but not distributed */ 1988 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1989 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1990 return sc_send_public_key(smp); 1991 } 1992 1993 auth |= req->auth_req; 1994 1995 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 1996 if (ret) 1997 return SMP_UNSPECIFIED; 1998 1999 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2000 2001 /* Can't compose response until we have been confirmed */ 2002 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2003 return smp_confirm(smp); 2004 2005 return 0; 2006 } 2007 2008 static u8 sc_check_confirm(struct smp_chan *smp) 2009 { 2010 struct l2cap_conn *conn = smp->conn; 2011 2012 BT_DBG(""); 2013 2014 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2015 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 2016 2017 if (conn->hcon->out) { 2018 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2019 smp->prnd); 2020 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2021 } 2022 2023 return 0; 2024 } 2025 2026 /* Work-around for some implementations that incorrectly copy RFU bits 2027 * from our security request and thereby create the impression that 2028 * we're doing SC when in fact the remote doesn't support it. 2029 */ 2030 static int fixup_sc_false_positive(struct smp_chan *smp) 2031 { 2032 struct l2cap_conn *conn = smp->conn; 2033 struct hci_conn *hcon = conn->hcon; 2034 struct hci_dev *hdev = hcon->hdev; 2035 struct smp_cmd_pairing *req, *rsp; 2036 u8 auth; 2037 2038 /* The issue is only observed when we're in slave role */ 2039 if (hcon->out) 2040 return SMP_UNSPECIFIED; 2041 2042 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2043 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode"); 2044 return SMP_UNSPECIFIED; 2045 } 2046 2047 bt_dev_err(hdev, "trying to fall back to legacy SMP"); 2048 2049 req = (void *) &smp->preq[1]; 2050 rsp = (void *) &smp->prsp[1]; 2051 2052 /* Rebuild key dist flags which may have been cleared for SC */ 2053 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2054 2055 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2056 2057 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2058 bt_dev_err(hdev, "failed to fall back to legacy SMP"); 2059 return SMP_UNSPECIFIED; 2060 } 2061 2062 clear_bit(SMP_FLAG_SC, &smp->flags); 2063 2064 return 0; 2065 } 2066 2067 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2068 { 2069 struct l2cap_chan *chan = conn->smp; 2070 struct smp_chan *smp = chan->data; 2071 2072 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 2073 2074 if (skb->len < sizeof(smp->pcnf)) 2075 return SMP_INVALID_PARAMS; 2076 2077 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2078 skb_pull(skb, sizeof(smp->pcnf)); 2079 2080 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2081 int ret; 2082 2083 /* Public Key exchange must happen before any other steps */ 2084 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2085 return sc_check_confirm(smp); 2086 2087 BT_ERR("Unexpected SMP Pairing Confirm"); 2088 2089 ret = fixup_sc_false_positive(smp); 2090 if (ret) 2091 return ret; 2092 } 2093 2094 if (conn->hcon->out) { 2095 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2096 smp->prnd); 2097 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2098 return 0; 2099 } 2100 2101 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2102 return smp_confirm(smp); 2103 2104 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2105 2106 return 0; 2107 } 2108 2109 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2110 { 2111 struct l2cap_chan *chan = conn->smp; 2112 struct smp_chan *smp = chan->data; 2113 struct hci_conn *hcon = conn->hcon; 2114 u8 *pkax, *pkbx, *na, *nb, confirm_hint; 2115 u32 passkey; 2116 int err; 2117 2118 BT_DBG("conn %p", conn); 2119 2120 if (skb->len < sizeof(smp->rrnd)) 2121 return SMP_INVALID_PARAMS; 2122 2123 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2124 skb_pull(skb, sizeof(smp->rrnd)); 2125 2126 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2127 return smp_random(smp); 2128 2129 if (hcon->out) { 2130 pkax = smp->local_pk; 2131 pkbx = smp->remote_pk; 2132 na = smp->prnd; 2133 nb = smp->rrnd; 2134 } else { 2135 pkax = smp->remote_pk; 2136 pkbx = smp->local_pk; 2137 na = smp->rrnd; 2138 nb = smp->prnd; 2139 } 2140 2141 if (smp->method == REQ_OOB) { 2142 if (!hcon->out) 2143 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2144 sizeof(smp->prnd), smp->prnd); 2145 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2146 goto mackey_and_ltk; 2147 } 2148 2149 /* Passkey entry has special treatment */ 2150 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2151 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2152 2153 if (hcon->out) { 2154 u8 cfm[16]; 2155 2156 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2157 smp->rrnd, 0, cfm); 2158 if (err) 2159 return SMP_UNSPECIFIED; 2160 2161 if (crypto_memneq(smp->pcnf, cfm, 16)) 2162 return SMP_CONFIRM_FAILED; 2163 } else { 2164 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2165 smp->prnd); 2166 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2167 2168 /* Only Just-Works pairing requires extra checks */ 2169 if (smp->method != JUST_WORKS) 2170 goto mackey_and_ltk; 2171 2172 /* If there already exists long term key in local host, leave 2173 * the decision to user space since the remote device could 2174 * be legitimate or malicious. 2175 */ 2176 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 2177 hcon->role)) { 2178 /* Set passkey to 0. The value can be any number since 2179 * it'll be ignored anyway. 2180 */ 2181 passkey = 0; 2182 confirm_hint = 1; 2183 goto confirm; 2184 } 2185 } 2186 2187 mackey_and_ltk: 2188 /* Generate MacKey and LTK */ 2189 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2190 if (err) 2191 return SMP_UNSPECIFIED; 2192 2193 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) { 2194 if (hcon->out) { 2195 sc_dhkey_check(smp); 2196 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2197 } 2198 return 0; 2199 } 2200 2201 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2202 if (err) 2203 return SMP_UNSPECIFIED; 2204 2205 confirm_hint = 0; 2206 2207 confirm: 2208 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2209 hcon->dst_type, passkey, confirm_hint); 2210 if (err) 2211 return SMP_UNSPECIFIED; 2212 2213 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2214 2215 return 0; 2216 } 2217 2218 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2219 { 2220 struct smp_ltk *key; 2221 struct hci_conn *hcon = conn->hcon; 2222 2223 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2224 if (!key) 2225 return false; 2226 2227 if (smp_ltk_sec_level(key) < sec_level) 2228 return false; 2229 2230 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2231 return true; 2232 2233 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2234 hcon->enc_key_size = key->enc_size; 2235 2236 /* We never store STKs for master role, so clear this flag */ 2237 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2238 2239 return true; 2240 } 2241 2242 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2243 enum smp_key_pref key_pref) 2244 { 2245 if (sec_level == BT_SECURITY_LOW) 2246 return true; 2247 2248 /* If we're encrypted with an STK but the caller prefers using 2249 * LTK claim insufficient security. This way we allow the 2250 * connection to be re-encrypted with an LTK, even if the LTK 2251 * provides the same level of security. Only exception is if we 2252 * don't have an LTK (e.g. because of key distribution bits). 2253 */ 2254 if (key_pref == SMP_USE_LTK && 2255 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2256 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2257 return false; 2258 2259 if (hcon->sec_level >= sec_level) 2260 return true; 2261 2262 return false; 2263 } 2264 2265 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2266 { 2267 struct smp_cmd_security_req *rp = (void *) skb->data; 2268 struct smp_cmd_pairing cp; 2269 struct hci_conn *hcon = conn->hcon; 2270 struct hci_dev *hdev = hcon->hdev; 2271 struct smp_chan *smp; 2272 u8 sec_level, auth; 2273 2274 BT_DBG("conn %p", conn); 2275 2276 if (skb->len < sizeof(*rp)) 2277 return SMP_INVALID_PARAMS; 2278 2279 if (hcon->role != HCI_ROLE_MASTER) 2280 return SMP_CMD_NOTSUPP; 2281 2282 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2283 2284 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2285 return SMP_AUTH_REQUIREMENTS; 2286 2287 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2288 sec_level = BT_SECURITY_MEDIUM; 2289 else 2290 sec_level = authreq_to_seclevel(auth); 2291 2292 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) { 2293 /* If link is already encrypted with sufficient security we 2294 * still need refresh encryption as per Core Spec 5.0 Vol 3, 2295 * Part H 2.4.6 2296 */ 2297 smp_ltk_encrypt(conn, hcon->sec_level); 2298 return 0; 2299 } 2300 2301 if (sec_level > hcon->pending_sec_level) 2302 hcon->pending_sec_level = sec_level; 2303 2304 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2305 return 0; 2306 2307 smp = smp_chan_create(conn); 2308 if (!smp) 2309 return SMP_UNSPECIFIED; 2310 2311 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2312 (auth & SMP_AUTH_BONDING)) 2313 return SMP_PAIRING_NOTSUPP; 2314 2315 skb_pull(skb, sizeof(*rp)); 2316 2317 memset(&cp, 0, sizeof(cp)); 2318 build_pairing_cmd(conn, &cp, NULL, auth); 2319 2320 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2321 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2322 2323 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2324 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2325 2326 return 0; 2327 } 2328 2329 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2330 { 2331 struct l2cap_conn *conn = hcon->l2cap_data; 2332 struct l2cap_chan *chan; 2333 struct smp_chan *smp; 2334 __u8 authreq; 2335 int ret; 2336 2337 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 2338 2339 /* This may be NULL if there's an unexpected disconnection */ 2340 if (!conn) 2341 return 1; 2342 2343 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2344 return 1; 2345 2346 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2347 return 1; 2348 2349 if (sec_level > hcon->pending_sec_level) 2350 hcon->pending_sec_level = sec_level; 2351 2352 if (hcon->role == HCI_ROLE_MASTER) 2353 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2354 return 0; 2355 2356 chan = conn->smp; 2357 if (!chan) { 2358 bt_dev_err(hcon->hdev, "security requested but not available"); 2359 return 1; 2360 } 2361 2362 l2cap_chan_lock(chan); 2363 2364 /* If SMP is already in progress ignore this request */ 2365 if (chan->data) { 2366 ret = 0; 2367 goto unlock; 2368 } 2369 2370 smp = smp_chan_create(conn); 2371 if (!smp) { 2372 ret = 1; 2373 goto unlock; 2374 } 2375 2376 authreq = seclevel_to_authreq(sec_level); 2377 2378 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) { 2379 authreq |= SMP_AUTH_SC; 2380 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED)) 2381 authreq |= SMP_AUTH_CT2; 2382 } 2383 2384 /* Require MITM if IO Capability allows or the security level 2385 * requires it. 2386 */ 2387 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2388 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2389 authreq |= SMP_AUTH_MITM; 2390 2391 if (hcon->role == HCI_ROLE_MASTER) { 2392 struct smp_cmd_pairing cp; 2393 2394 build_pairing_cmd(conn, &cp, NULL, authreq); 2395 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2396 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2397 2398 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2399 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2400 } else { 2401 struct smp_cmd_security_req cp; 2402 cp.auth_req = authreq; 2403 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2404 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2405 } 2406 2407 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2408 ret = 0; 2409 2410 unlock: 2411 l2cap_chan_unlock(chan); 2412 return ret; 2413 } 2414 2415 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, 2416 u8 addr_type) 2417 { 2418 struct hci_conn *hcon; 2419 struct l2cap_conn *conn; 2420 struct l2cap_chan *chan; 2421 struct smp_chan *smp; 2422 int err; 2423 2424 err = hci_remove_ltk(hdev, bdaddr, addr_type); 2425 hci_remove_irk(hdev, bdaddr, addr_type); 2426 2427 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type); 2428 if (!hcon) 2429 goto done; 2430 2431 conn = hcon->l2cap_data; 2432 if (!conn) 2433 goto done; 2434 2435 chan = conn->smp; 2436 if (!chan) 2437 goto done; 2438 2439 l2cap_chan_lock(chan); 2440 2441 smp = chan->data; 2442 if (smp) { 2443 /* Set keys to NULL to make sure smp_failure() does not try to 2444 * remove and free already invalidated rcu list entries. */ 2445 smp->ltk = NULL; 2446 smp->slave_ltk = NULL; 2447 smp->remote_irk = NULL; 2448 2449 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2450 smp_failure(conn, 0); 2451 else 2452 smp_failure(conn, SMP_UNSPECIFIED); 2453 err = 0; 2454 } 2455 2456 l2cap_chan_unlock(chan); 2457 2458 done: 2459 return err; 2460 } 2461 2462 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2463 { 2464 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2465 struct l2cap_chan *chan = conn->smp; 2466 struct smp_chan *smp = chan->data; 2467 2468 BT_DBG("conn %p", conn); 2469 2470 if (skb->len < sizeof(*rp)) 2471 return SMP_INVALID_PARAMS; 2472 2473 /* Pairing is aborted if any blocked keys are distributed */ 2474 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK, 2475 rp->ltk)) { 2476 bt_dev_warn_ratelimited(conn->hcon->hdev, 2477 "LTK blocked for %pMR", 2478 &conn->hcon->dst); 2479 return SMP_INVALID_PARAMS; 2480 } 2481 2482 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT); 2483 2484 skb_pull(skb, sizeof(*rp)); 2485 2486 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2487 2488 return 0; 2489 } 2490 2491 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2492 { 2493 struct smp_cmd_master_ident *rp = (void *) skb->data; 2494 struct l2cap_chan *chan = conn->smp; 2495 struct smp_chan *smp = chan->data; 2496 struct hci_dev *hdev = conn->hcon->hdev; 2497 struct hci_conn *hcon = conn->hcon; 2498 struct smp_ltk *ltk; 2499 u8 authenticated; 2500 2501 BT_DBG("conn %p", conn); 2502 2503 if (skb->len < sizeof(*rp)) 2504 return SMP_INVALID_PARAMS; 2505 2506 /* Mark the information as received */ 2507 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2508 2509 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2510 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2511 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2512 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2513 2514 skb_pull(skb, sizeof(*rp)); 2515 2516 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2517 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2518 authenticated, smp->tk, smp->enc_key_size, 2519 rp->ediv, rp->rand); 2520 smp->ltk = ltk; 2521 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2522 smp_distribute_keys(smp); 2523 2524 return 0; 2525 } 2526 2527 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2528 { 2529 struct smp_cmd_ident_info *info = (void *) skb->data; 2530 struct l2cap_chan *chan = conn->smp; 2531 struct smp_chan *smp = chan->data; 2532 2533 BT_DBG(""); 2534 2535 if (skb->len < sizeof(*info)) 2536 return SMP_INVALID_PARAMS; 2537 2538 /* Pairing is aborted if any blocked keys are distributed */ 2539 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK, 2540 info->irk)) { 2541 bt_dev_warn_ratelimited(conn->hcon->hdev, 2542 "Identity key blocked for %pMR", 2543 &conn->hcon->dst); 2544 return SMP_INVALID_PARAMS; 2545 } 2546 2547 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2548 2549 skb_pull(skb, sizeof(*info)); 2550 2551 memcpy(smp->irk, info->irk, 16); 2552 2553 return 0; 2554 } 2555 2556 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2557 struct sk_buff *skb) 2558 { 2559 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2560 struct l2cap_chan *chan = conn->smp; 2561 struct smp_chan *smp = chan->data; 2562 struct hci_conn *hcon = conn->hcon; 2563 bdaddr_t rpa; 2564 2565 BT_DBG(""); 2566 2567 if (skb->len < sizeof(*info)) 2568 return SMP_INVALID_PARAMS; 2569 2570 /* Mark the information as received */ 2571 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2572 2573 if (smp->remote_key_dist & SMP_DIST_SIGN) 2574 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2575 2576 skb_pull(skb, sizeof(*info)); 2577 2578 /* Strictly speaking the Core Specification (4.1) allows sending 2579 * an empty address which would force us to rely on just the IRK 2580 * as "identity information". However, since such 2581 * implementations are not known of and in order to not over 2582 * complicate our implementation, simply pretend that we never 2583 * received an IRK for such a device. 2584 * 2585 * The Identity Address must also be a Static Random or Public 2586 * Address, which hci_is_identity_address() checks for. 2587 */ 2588 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2589 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2590 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address"); 2591 goto distribute; 2592 } 2593 2594 /* Drop IRK if peer is using identity address during pairing but is 2595 * providing different address as identity information. 2596 * 2597 * Microsoft Surface Precision Mouse is known to have this bug. 2598 */ 2599 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) && 2600 (bacmp(&info->bdaddr, &hcon->dst) || 2601 info->addr_type != hcon->dst_type)) { 2602 bt_dev_err(hcon->hdev, 2603 "ignoring IRK with invalid identity address"); 2604 goto distribute; 2605 } 2606 2607 bacpy(&smp->id_addr, &info->bdaddr); 2608 smp->id_addr_type = info->addr_type; 2609 2610 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2611 bacpy(&rpa, &hcon->dst); 2612 else 2613 bacpy(&rpa, BDADDR_ANY); 2614 2615 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2616 smp->id_addr_type, smp->irk, &rpa); 2617 2618 distribute: 2619 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2620 smp_distribute_keys(smp); 2621 2622 return 0; 2623 } 2624 2625 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2626 { 2627 struct smp_cmd_sign_info *rp = (void *) skb->data; 2628 struct l2cap_chan *chan = conn->smp; 2629 struct smp_chan *smp = chan->data; 2630 struct smp_csrk *csrk; 2631 2632 BT_DBG("conn %p", conn); 2633 2634 if (skb->len < sizeof(*rp)) 2635 return SMP_INVALID_PARAMS; 2636 2637 /* Mark the information as received */ 2638 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2639 2640 skb_pull(skb, sizeof(*rp)); 2641 2642 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2643 if (csrk) { 2644 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2645 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2646 else 2647 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2648 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2649 } 2650 smp->csrk = csrk; 2651 smp_distribute_keys(smp); 2652 2653 return 0; 2654 } 2655 2656 static u8 sc_select_method(struct smp_chan *smp) 2657 { 2658 struct l2cap_conn *conn = smp->conn; 2659 struct hci_conn *hcon = conn->hcon; 2660 struct smp_cmd_pairing *local, *remote; 2661 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2662 2663 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2664 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2665 return REQ_OOB; 2666 2667 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2668 * which are needed as inputs to some crypto functions. To get 2669 * the "struct smp_cmd_pairing" from them we need to skip the 2670 * first byte which contains the opcode. 2671 */ 2672 if (hcon->out) { 2673 local = (void *) &smp->preq[1]; 2674 remote = (void *) &smp->prsp[1]; 2675 } else { 2676 local = (void *) &smp->prsp[1]; 2677 remote = (void *) &smp->preq[1]; 2678 } 2679 2680 local_io = local->io_capability; 2681 remote_io = remote->io_capability; 2682 2683 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2684 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2685 2686 /* If either side wants MITM, look up the method from the table, 2687 * otherwise use JUST WORKS. 2688 */ 2689 if (local_mitm || remote_mitm) 2690 method = get_auth_method(smp, local_io, remote_io); 2691 else 2692 method = JUST_WORKS; 2693 2694 /* Don't confirm locally initiated pairing attempts */ 2695 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2696 method = JUST_WORKS; 2697 2698 return method; 2699 } 2700 2701 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2702 { 2703 struct smp_cmd_public_key *key = (void *) skb->data; 2704 struct hci_conn *hcon = conn->hcon; 2705 struct l2cap_chan *chan = conn->smp; 2706 struct smp_chan *smp = chan->data; 2707 struct hci_dev *hdev = hcon->hdev; 2708 struct crypto_kpp *tfm_ecdh; 2709 struct smp_cmd_pairing_confirm cfm; 2710 int err; 2711 2712 BT_DBG("conn %p", conn); 2713 2714 if (skb->len < sizeof(*key)) 2715 return SMP_INVALID_PARAMS; 2716 2717 memcpy(smp->remote_pk, key, 64); 2718 2719 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2720 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2721 smp->rr, 0, cfm.confirm_val); 2722 if (err) 2723 return SMP_UNSPECIFIED; 2724 2725 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16)) 2726 return SMP_CONFIRM_FAILED; 2727 } 2728 2729 /* Non-initiating device sends its public key after receiving 2730 * the key from the initiating device. 2731 */ 2732 if (!hcon->out) { 2733 err = sc_send_public_key(smp); 2734 if (err) 2735 return err; 2736 } 2737 2738 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2739 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2740 2741 /* Compute the shared secret on the same crypto tfm on which the private 2742 * key was set/generated. 2743 */ 2744 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 2745 struct l2cap_chan *hchan = hdev->smp_data; 2746 struct smp_dev *smp_dev; 2747 2748 if (!hchan || !hchan->data) 2749 return SMP_UNSPECIFIED; 2750 2751 smp_dev = hchan->data; 2752 2753 tfm_ecdh = smp_dev->tfm_ecdh; 2754 } else { 2755 tfm_ecdh = smp->tfm_ecdh; 2756 } 2757 2758 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey)) 2759 return SMP_UNSPECIFIED; 2760 2761 SMP_DBG("DHKey %32phN", smp->dhkey); 2762 2763 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2764 2765 smp->method = sc_select_method(smp); 2766 2767 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method); 2768 2769 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2770 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2771 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2772 else 2773 hcon->pending_sec_level = BT_SECURITY_FIPS; 2774 2775 if (!crypto_memneq(debug_pk, smp->remote_pk, 64)) 2776 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2777 2778 if (smp->method == DSP_PASSKEY) { 2779 get_random_bytes(&hcon->passkey_notify, 2780 sizeof(hcon->passkey_notify)); 2781 hcon->passkey_notify %= 1000000; 2782 hcon->passkey_entered = 0; 2783 smp->passkey_round = 0; 2784 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2785 hcon->dst_type, 2786 hcon->passkey_notify, 2787 hcon->passkey_entered)) 2788 return SMP_UNSPECIFIED; 2789 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2790 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2791 } 2792 2793 if (smp->method == REQ_OOB) { 2794 if (hcon->out) 2795 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2796 sizeof(smp->prnd), smp->prnd); 2797 2798 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2799 2800 return 0; 2801 } 2802 2803 if (hcon->out) 2804 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2805 2806 if (smp->method == REQ_PASSKEY) { 2807 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2808 hcon->dst_type)) 2809 return SMP_UNSPECIFIED; 2810 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2811 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2812 return 0; 2813 } 2814 2815 /* The Initiating device waits for the non-initiating device to 2816 * send the confirm value. 2817 */ 2818 if (conn->hcon->out) 2819 return 0; 2820 2821 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2822 0, cfm.confirm_val); 2823 if (err) 2824 return SMP_UNSPECIFIED; 2825 2826 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2827 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2828 2829 return 0; 2830 } 2831 2832 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2833 { 2834 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2835 struct l2cap_chan *chan = conn->smp; 2836 struct hci_conn *hcon = conn->hcon; 2837 struct smp_chan *smp = chan->data; 2838 u8 a[7], b[7], *local_addr, *remote_addr; 2839 u8 io_cap[3], r[16], e[16]; 2840 int err; 2841 2842 BT_DBG("conn %p", conn); 2843 2844 if (skb->len < sizeof(*check)) 2845 return SMP_INVALID_PARAMS; 2846 2847 memcpy(a, &hcon->init_addr, 6); 2848 memcpy(b, &hcon->resp_addr, 6); 2849 a[6] = hcon->init_addr_type; 2850 b[6] = hcon->resp_addr_type; 2851 2852 if (hcon->out) { 2853 local_addr = a; 2854 remote_addr = b; 2855 memcpy(io_cap, &smp->prsp[1], 3); 2856 } else { 2857 local_addr = b; 2858 remote_addr = a; 2859 memcpy(io_cap, &smp->preq[1], 3); 2860 } 2861 2862 memset(r, 0, sizeof(r)); 2863 2864 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2865 put_unaligned_le32(hcon->passkey_notify, r); 2866 else if (smp->method == REQ_OOB) 2867 memcpy(r, smp->lr, 16); 2868 2869 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2870 io_cap, remote_addr, local_addr, e); 2871 if (err) 2872 return SMP_UNSPECIFIED; 2873 2874 if (crypto_memneq(check->e, e, 16)) 2875 return SMP_DHKEY_CHECK_FAILED; 2876 2877 if (!hcon->out) { 2878 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2879 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2880 return 0; 2881 } 2882 2883 /* Slave sends DHKey check as response to master */ 2884 sc_dhkey_check(smp); 2885 } 2886 2887 sc_add_ltk(smp); 2888 2889 if (hcon->out) { 2890 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2891 hcon->enc_key_size = smp->enc_key_size; 2892 } 2893 2894 return 0; 2895 } 2896 2897 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2898 struct sk_buff *skb) 2899 { 2900 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2901 2902 BT_DBG("value 0x%02x", kp->value); 2903 2904 return 0; 2905 } 2906 2907 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2908 { 2909 struct l2cap_conn *conn = chan->conn; 2910 struct hci_conn *hcon = conn->hcon; 2911 struct smp_chan *smp; 2912 __u8 code, reason; 2913 int err = 0; 2914 2915 if (skb->len < 1) 2916 return -EILSEQ; 2917 2918 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2919 reason = SMP_PAIRING_NOTSUPP; 2920 goto done; 2921 } 2922 2923 code = skb->data[0]; 2924 skb_pull(skb, sizeof(code)); 2925 2926 smp = chan->data; 2927 2928 if (code > SMP_CMD_MAX) 2929 goto drop; 2930 2931 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2932 goto drop; 2933 2934 /* If we don't have a context the only allowed commands are 2935 * pairing request and security request. 2936 */ 2937 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2938 goto drop; 2939 2940 switch (code) { 2941 case SMP_CMD_PAIRING_REQ: 2942 reason = smp_cmd_pairing_req(conn, skb); 2943 break; 2944 2945 case SMP_CMD_PAIRING_FAIL: 2946 smp_failure(conn, 0); 2947 err = -EPERM; 2948 break; 2949 2950 case SMP_CMD_PAIRING_RSP: 2951 reason = smp_cmd_pairing_rsp(conn, skb); 2952 break; 2953 2954 case SMP_CMD_SECURITY_REQ: 2955 reason = smp_cmd_security_req(conn, skb); 2956 break; 2957 2958 case SMP_CMD_PAIRING_CONFIRM: 2959 reason = smp_cmd_pairing_confirm(conn, skb); 2960 break; 2961 2962 case SMP_CMD_PAIRING_RANDOM: 2963 reason = smp_cmd_pairing_random(conn, skb); 2964 break; 2965 2966 case SMP_CMD_ENCRYPT_INFO: 2967 reason = smp_cmd_encrypt_info(conn, skb); 2968 break; 2969 2970 case SMP_CMD_MASTER_IDENT: 2971 reason = smp_cmd_master_ident(conn, skb); 2972 break; 2973 2974 case SMP_CMD_IDENT_INFO: 2975 reason = smp_cmd_ident_info(conn, skb); 2976 break; 2977 2978 case SMP_CMD_IDENT_ADDR_INFO: 2979 reason = smp_cmd_ident_addr_info(conn, skb); 2980 break; 2981 2982 case SMP_CMD_SIGN_INFO: 2983 reason = smp_cmd_sign_info(conn, skb); 2984 break; 2985 2986 case SMP_CMD_PUBLIC_KEY: 2987 reason = smp_cmd_public_key(conn, skb); 2988 break; 2989 2990 case SMP_CMD_DHKEY_CHECK: 2991 reason = smp_cmd_dhkey_check(conn, skb); 2992 break; 2993 2994 case SMP_CMD_KEYPRESS_NOTIFY: 2995 reason = smp_cmd_keypress_notify(conn, skb); 2996 break; 2997 2998 default: 2999 BT_DBG("Unknown command code 0x%2.2x", code); 3000 reason = SMP_CMD_NOTSUPP; 3001 goto done; 3002 } 3003 3004 done: 3005 if (!err) { 3006 if (reason) 3007 smp_failure(conn, reason); 3008 kfree_skb(skb); 3009 } 3010 3011 return err; 3012 3013 drop: 3014 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR", 3015 code, &hcon->dst); 3016 kfree_skb(skb); 3017 return 0; 3018 } 3019 3020 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 3021 { 3022 struct l2cap_conn *conn = chan->conn; 3023 3024 BT_DBG("chan %p", chan); 3025 3026 if (chan->data) 3027 smp_chan_destroy(conn); 3028 3029 conn->smp = NULL; 3030 l2cap_chan_put(chan); 3031 } 3032 3033 static void bredr_pairing(struct l2cap_chan *chan) 3034 { 3035 struct l2cap_conn *conn = chan->conn; 3036 struct hci_conn *hcon = conn->hcon; 3037 struct hci_dev *hdev = hcon->hdev; 3038 struct smp_cmd_pairing req; 3039 struct smp_chan *smp; 3040 3041 BT_DBG("chan %p", chan); 3042 3043 /* Only new pairings are interesting */ 3044 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 3045 return; 3046 3047 /* Don't bother if we're not encrypted */ 3048 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3049 return; 3050 3051 /* Only master may initiate SMP over BR/EDR */ 3052 if (hcon->role != HCI_ROLE_MASTER) 3053 return; 3054 3055 /* Secure Connections support must be enabled */ 3056 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 3057 return; 3058 3059 /* BR/EDR must use Secure Connections for SMP */ 3060 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 3061 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3062 return; 3063 3064 /* If our LE support is not enabled don't do anything */ 3065 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 3066 return; 3067 3068 /* Don't bother if remote LE support is not enabled */ 3069 if (!lmp_host_le_capable(hcon)) 3070 return; 3071 3072 /* Remote must support SMP fixed chan for BR/EDR */ 3073 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 3074 return; 3075 3076 /* Don't bother if SMP is already ongoing */ 3077 if (chan->data) 3078 return; 3079 3080 smp = smp_chan_create(conn); 3081 if (!smp) { 3082 bt_dev_err(hdev, "unable to create SMP context for BR/EDR"); 3083 return; 3084 } 3085 3086 set_bit(SMP_FLAG_SC, &smp->flags); 3087 3088 BT_DBG("%s starting SMP over BR/EDR", hdev->name); 3089 3090 /* Prepare and send the BR/EDR SMP Pairing Request */ 3091 build_bredr_pairing_cmd(smp, &req, NULL); 3092 3093 smp->preq[0] = SMP_CMD_PAIRING_REQ; 3094 memcpy(&smp->preq[1], &req, sizeof(req)); 3095 3096 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 3097 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 3098 } 3099 3100 static void smp_resume_cb(struct l2cap_chan *chan) 3101 { 3102 struct smp_chan *smp = chan->data; 3103 struct l2cap_conn *conn = chan->conn; 3104 struct hci_conn *hcon = conn->hcon; 3105 3106 BT_DBG("chan %p", chan); 3107 3108 if (hcon->type == ACL_LINK) { 3109 bredr_pairing(chan); 3110 return; 3111 } 3112 3113 if (!smp) 3114 return; 3115 3116 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3117 return; 3118 3119 cancel_delayed_work(&smp->security_timer); 3120 3121 smp_distribute_keys(smp); 3122 } 3123 3124 static void smp_ready_cb(struct l2cap_chan *chan) 3125 { 3126 struct l2cap_conn *conn = chan->conn; 3127 struct hci_conn *hcon = conn->hcon; 3128 3129 BT_DBG("chan %p", chan); 3130 3131 /* No need to call l2cap_chan_hold() here since we already own 3132 * the reference taken in smp_new_conn_cb(). This is just the 3133 * first time that we tie it to a specific pointer. The code in 3134 * l2cap_core.c ensures that there's no risk this function wont 3135 * get called if smp_new_conn_cb was previously called. 3136 */ 3137 conn->smp = chan; 3138 3139 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3140 bredr_pairing(chan); 3141 } 3142 3143 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3144 { 3145 int err; 3146 3147 BT_DBG("chan %p", chan); 3148 3149 err = smp_sig_channel(chan, skb); 3150 if (err) { 3151 struct smp_chan *smp = chan->data; 3152 3153 if (smp) 3154 cancel_delayed_work_sync(&smp->security_timer); 3155 3156 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3157 } 3158 3159 return err; 3160 } 3161 3162 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3163 unsigned long hdr_len, 3164 unsigned long len, int nb) 3165 { 3166 struct sk_buff *skb; 3167 3168 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3169 if (!skb) 3170 return ERR_PTR(-ENOMEM); 3171 3172 skb->priority = HCI_PRIO_MAX; 3173 bt_cb(skb)->l2cap.chan = chan; 3174 3175 return skb; 3176 } 3177 3178 static const struct l2cap_ops smp_chan_ops = { 3179 .name = "Security Manager", 3180 .ready = smp_ready_cb, 3181 .recv = smp_recv_cb, 3182 .alloc_skb = smp_alloc_skb_cb, 3183 .teardown = smp_teardown_cb, 3184 .resume = smp_resume_cb, 3185 3186 .new_connection = l2cap_chan_no_new_connection, 3187 .state_change = l2cap_chan_no_state_change, 3188 .close = l2cap_chan_no_close, 3189 .defer = l2cap_chan_no_defer, 3190 .suspend = l2cap_chan_no_suspend, 3191 .set_shutdown = l2cap_chan_no_set_shutdown, 3192 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3193 }; 3194 3195 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3196 { 3197 struct l2cap_chan *chan; 3198 3199 BT_DBG("pchan %p", pchan); 3200 3201 chan = l2cap_chan_create(); 3202 if (!chan) 3203 return NULL; 3204 3205 chan->chan_type = pchan->chan_type; 3206 chan->ops = &smp_chan_ops; 3207 chan->scid = pchan->scid; 3208 chan->dcid = chan->scid; 3209 chan->imtu = pchan->imtu; 3210 chan->omtu = pchan->omtu; 3211 chan->mode = pchan->mode; 3212 3213 /* Other L2CAP channels may request SMP routines in order to 3214 * change the security level. This means that the SMP channel 3215 * lock must be considered in its own category to avoid lockdep 3216 * warnings. 3217 */ 3218 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3219 3220 BT_DBG("created chan %p", chan); 3221 3222 return chan; 3223 } 3224 3225 static const struct l2cap_ops smp_root_chan_ops = { 3226 .name = "Security Manager Root", 3227 .new_connection = smp_new_conn_cb, 3228 3229 /* None of these are implemented for the root channel */ 3230 .close = l2cap_chan_no_close, 3231 .alloc_skb = l2cap_chan_no_alloc_skb, 3232 .recv = l2cap_chan_no_recv, 3233 .state_change = l2cap_chan_no_state_change, 3234 .teardown = l2cap_chan_no_teardown, 3235 .ready = l2cap_chan_no_ready, 3236 .defer = l2cap_chan_no_defer, 3237 .suspend = l2cap_chan_no_suspend, 3238 .resume = l2cap_chan_no_resume, 3239 .set_shutdown = l2cap_chan_no_set_shutdown, 3240 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3241 }; 3242 3243 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3244 { 3245 struct l2cap_chan *chan; 3246 struct smp_dev *smp; 3247 struct crypto_shash *tfm_cmac; 3248 struct crypto_kpp *tfm_ecdh; 3249 3250 if (cid == L2CAP_CID_SMP_BREDR) { 3251 smp = NULL; 3252 goto create_chan; 3253 } 3254 3255 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3256 if (!smp) 3257 return ERR_PTR(-ENOMEM); 3258 3259 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3260 if (IS_ERR(tfm_cmac)) { 3261 BT_ERR("Unable to create CMAC crypto context"); 3262 kzfree(smp); 3263 return ERR_CAST(tfm_cmac); 3264 } 3265 3266 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 3267 if (IS_ERR(tfm_ecdh)) { 3268 BT_ERR("Unable to create ECDH crypto context"); 3269 crypto_free_shash(tfm_cmac); 3270 kzfree(smp); 3271 return ERR_CAST(tfm_ecdh); 3272 } 3273 3274 smp->local_oob = false; 3275 smp->tfm_cmac = tfm_cmac; 3276 smp->tfm_ecdh = tfm_ecdh; 3277 3278 create_chan: 3279 chan = l2cap_chan_create(); 3280 if (!chan) { 3281 if (smp) { 3282 crypto_free_shash(smp->tfm_cmac); 3283 crypto_free_kpp(smp->tfm_ecdh); 3284 kzfree(smp); 3285 } 3286 return ERR_PTR(-ENOMEM); 3287 } 3288 3289 chan->data = smp; 3290 3291 l2cap_add_scid(chan, cid); 3292 3293 l2cap_chan_set_defaults(chan); 3294 3295 if (cid == L2CAP_CID_SMP) { 3296 u8 bdaddr_type; 3297 3298 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3299 3300 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3301 chan->src_type = BDADDR_LE_PUBLIC; 3302 else 3303 chan->src_type = BDADDR_LE_RANDOM; 3304 } else { 3305 bacpy(&chan->src, &hdev->bdaddr); 3306 chan->src_type = BDADDR_BREDR; 3307 } 3308 3309 chan->state = BT_LISTEN; 3310 chan->mode = L2CAP_MODE_BASIC; 3311 chan->imtu = L2CAP_DEFAULT_MTU; 3312 chan->ops = &smp_root_chan_ops; 3313 3314 /* Set correct nesting level for a parent/listening channel */ 3315 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3316 3317 return chan; 3318 } 3319 3320 static void smp_del_chan(struct l2cap_chan *chan) 3321 { 3322 struct smp_dev *smp; 3323 3324 BT_DBG("chan %p", chan); 3325 3326 smp = chan->data; 3327 if (smp) { 3328 chan->data = NULL; 3329 crypto_free_shash(smp->tfm_cmac); 3330 crypto_free_kpp(smp->tfm_ecdh); 3331 kzfree(smp); 3332 } 3333 3334 l2cap_chan_put(chan); 3335 } 3336 3337 static ssize_t force_bredr_smp_read(struct file *file, 3338 char __user *user_buf, 3339 size_t count, loff_t *ppos) 3340 { 3341 struct hci_dev *hdev = file->private_data; 3342 char buf[3]; 3343 3344 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N'; 3345 buf[1] = '\n'; 3346 buf[2] = '\0'; 3347 return simple_read_from_buffer(user_buf, count, ppos, buf, 2); 3348 } 3349 3350 static ssize_t force_bredr_smp_write(struct file *file, 3351 const char __user *user_buf, 3352 size_t count, loff_t *ppos) 3353 { 3354 struct hci_dev *hdev = file->private_data; 3355 bool enable; 3356 int err; 3357 3358 err = kstrtobool_from_user(user_buf, count, &enable); 3359 if (err) 3360 return err; 3361 3362 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3363 return -EALREADY; 3364 3365 if (enable) { 3366 struct l2cap_chan *chan; 3367 3368 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3369 if (IS_ERR(chan)) 3370 return PTR_ERR(chan); 3371 3372 hdev->smp_bredr_data = chan; 3373 } else { 3374 struct l2cap_chan *chan; 3375 3376 chan = hdev->smp_bredr_data; 3377 hdev->smp_bredr_data = NULL; 3378 smp_del_chan(chan); 3379 } 3380 3381 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3382 3383 return count; 3384 } 3385 3386 static const struct file_operations force_bredr_smp_fops = { 3387 .open = simple_open, 3388 .read = force_bredr_smp_read, 3389 .write = force_bredr_smp_write, 3390 .llseek = default_llseek, 3391 }; 3392 3393 int smp_register(struct hci_dev *hdev) 3394 { 3395 struct l2cap_chan *chan; 3396 3397 BT_DBG("%s", hdev->name); 3398 3399 /* If the controller does not support Low Energy operation, then 3400 * there is also no need to register any SMP channel. 3401 */ 3402 if (!lmp_le_capable(hdev)) 3403 return 0; 3404 3405 if (WARN_ON(hdev->smp_data)) { 3406 chan = hdev->smp_data; 3407 hdev->smp_data = NULL; 3408 smp_del_chan(chan); 3409 } 3410 3411 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3412 if (IS_ERR(chan)) 3413 return PTR_ERR(chan); 3414 3415 hdev->smp_data = chan; 3416 3417 /* If the controller does not support BR/EDR Secure Connections 3418 * feature, then the BR/EDR SMP channel shall not be present. 3419 * 3420 * To test this with Bluetooth 4.0 controllers, create a debugfs 3421 * switch that allows forcing BR/EDR SMP support and accepting 3422 * cross-transport pairing on non-AES encrypted connections. 3423 */ 3424 if (!lmp_sc_capable(hdev)) { 3425 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs, 3426 hdev, &force_bredr_smp_fops); 3427 3428 /* Flag can be already set here (due to power toggle) */ 3429 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3430 return 0; 3431 } 3432 3433 if (WARN_ON(hdev->smp_bredr_data)) { 3434 chan = hdev->smp_bredr_data; 3435 hdev->smp_bredr_data = NULL; 3436 smp_del_chan(chan); 3437 } 3438 3439 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3440 if (IS_ERR(chan)) { 3441 int err = PTR_ERR(chan); 3442 chan = hdev->smp_data; 3443 hdev->smp_data = NULL; 3444 smp_del_chan(chan); 3445 return err; 3446 } 3447 3448 hdev->smp_bredr_data = chan; 3449 3450 return 0; 3451 } 3452 3453 void smp_unregister(struct hci_dev *hdev) 3454 { 3455 struct l2cap_chan *chan; 3456 3457 if (hdev->smp_bredr_data) { 3458 chan = hdev->smp_bredr_data; 3459 hdev->smp_bredr_data = NULL; 3460 smp_del_chan(chan); 3461 } 3462 3463 if (hdev->smp_data) { 3464 chan = hdev->smp_data; 3465 hdev->smp_data = NULL; 3466 smp_del_chan(chan); 3467 } 3468 } 3469 3470 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3471 3472 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh) 3473 { 3474 u8 pk[64]; 3475 int err; 3476 3477 err = set_ecdh_privkey(tfm_ecdh, debug_sk); 3478 if (err) 3479 return err; 3480 3481 err = generate_ecdh_public_key(tfm_ecdh, pk); 3482 if (err) 3483 return err; 3484 3485 if (crypto_memneq(pk, debug_pk, 64)) 3486 return -EINVAL; 3487 3488 return 0; 3489 } 3490 3491 static int __init test_ah(void) 3492 { 3493 const u8 irk[16] = { 3494 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3495 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3496 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3497 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3498 u8 res[3]; 3499 int err; 3500 3501 err = smp_ah(irk, r, res); 3502 if (err) 3503 return err; 3504 3505 if (crypto_memneq(res, exp, 3)) 3506 return -EINVAL; 3507 3508 return 0; 3509 } 3510 3511 static int __init test_c1(void) 3512 { 3513 const u8 k[16] = { 3514 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3515 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3516 const u8 r[16] = { 3517 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3518 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3519 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3520 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3521 const u8 _iat = 0x01; 3522 const u8 _rat = 0x00; 3523 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3524 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3525 const u8 exp[16] = { 3526 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3527 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3528 u8 res[16]; 3529 int err; 3530 3531 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3532 if (err) 3533 return err; 3534 3535 if (crypto_memneq(res, exp, 16)) 3536 return -EINVAL; 3537 3538 return 0; 3539 } 3540 3541 static int __init test_s1(void) 3542 { 3543 const u8 k[16] = { 3544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3546 const u8 r1[16] = { 3547 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3548 const u8 r2[16] = { 3549 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3550 const u8 exp[16] = { 3551 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3552 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3553 u8 res[16]; 3554 int err; 3555 3556 err = smp_s1(k, r1, r2, res); 3557 if (err) 3558 return err; 3559 3560 if (crypto_memneq(res, exp, 16)) 3561 return -EINVAL; 3562 3563 return 0; 3564 } 3565 3566 static int __init test_f4(struct crypto_shash *tfm_cmac) 3567 { 3568 const u8 u[32] = { 3569 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3570 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3571 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3572 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3573 const u8 v[32] = { 3574 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3575 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3576 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3577 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3578 const u8 x[16] = { 3579 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3580 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3581 const u8 z = 0x00; 3582 const u8 exp[16] = { 3583 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3584 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3585 u8 res[16]; 3586 int err; 3587 3588 err = smp_f4(tfm_cmac, u, v, x, z, res); 3589 if (err) 3590 return err; 3591 3592 if (crypto_memneq(res, exp, 16)) 3593 return -EINVAL; 3594 3595 return 0; 3596 } 3597 3598 static int __init test_f5(struct crypto_shash *tfm_cmac) 3599 { 3600 const u8 w[32] = { 3601 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3602 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3603 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3604 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3605 const u8 n1[16] = { 3606 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3607 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3608 const u8 n2[16] = { 3609 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3610 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3611 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3612 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3613 const u8 exp_ltk[16] = { 3614 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3615 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3616 const u8 exp_mackey[16] = { 3617 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3618 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3619 u8 mackey[16], ltk[16]; 3620 int err; 3621 3622 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3623 if (err) 3624 return err; 3625 3626 if (crypto_memneq(mackey, exp_mackey, 16)) 3627 return -EINVAL; 3628 3629 if (crypto_memneq(ltk, exp_ltk, 16)) 3630 return -EINVAL; 3631 3632 return 0; 3633 } 3634 3635 static int __init test_f6(struct crypto_shash *tfm_cmac) 3636 { 3637 const u8 w[16] = { 3638 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3639 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3640 const u8 n1[16] = { 3641 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3642 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3643 const u8 n2[16] = { 3644 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3645 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3646 const u8 r[16] = { 3647 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3648 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3649 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3650 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3651 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3652 const u8 exp[16] = { 3653 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3654 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3655 u8 res[16]; 3656 int err; 3657 3658 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3659 if (err) 3660 return err; 3661 3662 if (crypto_memneq(res, exp, 16)) 3663 return -EINVAL; 3664 3665 return 0; 3666 } 3667 3668 static int __init test_g2(struct crypto_shash *tfm_cmac) 3669 { 3670 const u8 u[32] = { 3671 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3672 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3673 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3674 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3675 const u8 v[32] = { 3676 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3677 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3678 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3679 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3680 const u8 x[16] = { 3681 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3682 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3683 const u8 y[16] = { 3684 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3685 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3686 const u32 exp_val = 0x2f9ed5ba % 1000000; 3687 u32 val; 3688 int err; 3689 3690 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3691 if (err) 3692 return err; 3693 3694 if (val != exp_val) 3695 return -EINVAL; 3696 3697 return 0; 3698 } 3699 3700 static int __init test_h6(struct crypto_shash *tfm_cmac) 3701 { 3702 const u8 w[16] = { 3703 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3704 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3705 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3706 const u8 exp[16] = { 3707 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3708 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3709 u8 res[16]; 3710 int err; 3711 3712 err = smp_h6(tfm_cmac, w, key_id, res); 3713 if (err) 3714 return err; 3715 3716 if (crypto_memneq(res, exp, 16)) 3717 return -EINVAL; 3718 3719 return 0; 3720 } 3721 3722 static char test_smp_buffer[32]; 3723 3724 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3725 size_t count, loff_t *ppos) 3726 { 3727 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3728 strlen(test_smp_buffer)); 3729 } 3730 3731 static const struct file_operations test_smp_fops = { 3732 .open = simple_open, 3733 .read = test_smp_read, 3734 .llseek = default_llseek, 3735 }; 3736 3737 static int __init run_selftests(struct crypto_shash *tfm_cmac, 3738 struct crypto_kpp *tfm_ecdh) 3739 { 3740 ktime_t calltime, delta, rettime; 3741 unsigned long long duration; 3742 int err; 3743 3744 calltime = ktime_get(); 3745 3746 err = test_debug_key(tfm_ecdh); 3747 if (err) { 3748 BT_ERR("debug_key test failed"); 3749 goto done; 3750 } 3751 3752 err = test_ah(); 3753 if (err) { 3754 BT_ERR("smp_ah test failed"); 3755 goto done; 3756 } 3757 3758 err = test_c1(); 3759 if (err) { 3760 BT_ERR("smp_c1 test failed"); 3761 goto done; 3762 } 3763 3764 err = test_s1(); 3765 if (err) { 3766 BT_ERR("smp_s1 test failed"); 3767 goto done; 3768 } 3769 3770 err = test_f4(tfm_cmac); 3771 if (err) { 3772 BT_ERR("smp_f4 test failed"); 3773 goto done; 3774 } 3775 3776 err = test_f5(tfm_cmac); 3777 if (err) { 3778 BT_ERR("smp_f5 test failed"); 3779 goto done; 3780 } 3781 3782 err = test_f6(tfm_cmac); 3783 if (err) { 3784 BT_ERR("smp_f6 test failed"); 3785 goto done; 3786 } 3787 3788 err = test_g2(tfm_cmac); 3789 if (err) { 3790 BT_ERR("smp_g2 test failed"); 3791 goto done; 3792 } 3793 3794 err = test_h6(tfm_cmac); 3795 if (err) { 3796 BT_ERR("smp_h6 test failed"); 3797 goto done; 3798 } 3799 3800 rettime = ktime_get(); 3801 delta = ktime_sub(rettime, calltime); 3802 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3803 3804 BT_INFO("SMP test passed in %llu usecs", duration); 3805 3806 done: 3807 if (!err) 3808 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3809 "PASS (%llu usecs)\n", duration); 3810 else 3811 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3812 3813 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3814 &test_smp_fops); 3815 3816 return err; 3817 } 3818 3819 int __init bt_selftest_smp(void) 3820 { 3821 struct crypto_shash *tfm_cmac; 3822 struct crypto_kpp *tfm_ecdh; 3823 int err; 3824 3825 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3826 if (IS_ERR(tfm_cmac)) { 3827 BT_ERR("Unable to create CMAC crypto context"); 3828 return PTR_ERR(tfm_cmac); 3829 } 3830 3831 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); 3832 if (IS_ERR(tfm_ecdh)) { 3833 BT_ERR("Unable to create ECDH crypto context"); 3834 crypto_free_shash(tfm_cmac); 3835 return PTR_ERR(tfm_ecdh); 3836 } 3837 3838 err = run_selftests(tfm_cmac, tfm_ecdh); 3839 3840 crypto_free_shash(tfm_cmac); 3841 crypto_free_kpp(tfm_ecdh); 3842 3843 return err; 3844 } 3845 3846 #endif 3847