1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/scatterlist.h> 25 #include <linux/crypto.h> 26 #include <crypto/aes.h> 27 #include <crypto/algapi.h> 28 #include <crypto/hash.h> 29 #include <crypto/kpp.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "ecdh_helper.h" 37 #include "smp.h" 38 39 #define SMP_DEV(hdev) \ 40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 41 42 /* Low-level debug macros to be used for stuff that we don't want 43 * accidentally in dmesg, i.e. the values of the various crypto keys 44 * and the inputs & outputs of crypto functions. 45 */ 46 #ifdef DEBUG 47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 48 ##__VA_ARGS__) 49 #else 50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 51 ##__VA_ARGS__) 52 #endif 53 54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 55 56 /* Keys which are not distributed with Secure Connections */ 57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY) 58 59 #define SMP_TIMEOUT msecs_to_jiffies(30000) 60 61 #define ID_ADDR_TIMEOUT msecs_to_jiffies(200) 62 63 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 64 0x3f : 0x07) 65 #define KEY_DIST_MASK 0x07 66 67 /* Maximum message length that can be passed to aes_cmac */ 68 #define CMAC_MSG_MAX 80 69 70 enum { 71 SMP_FLAG_TK_VALID, 72 SMP_FLAG_CFM_PENDING, 73 SMP_FLAG_MITM_AUTH, 74 SMP_FLAG_COMPLETE, 75 SMP_FLAG_INITIATOR, 76 SMP_FLAG_SC, 77 SMP_FLAG_REMOTE_PK, 78 SMP_FLAG_DEBUG_KEY, 79 SMP_FLAG_WAIT_USER, 80 SMP_FLAG_DHKEY_PENDING, 81 SMP_FLAG_REMOTE_OOB, 82 SMP_FLAG_LOCAL_OOB, 83 SMP_FLAG_CT2, 84 }; 85 86 struct smp_dev { 87 /* Secure Connections OOB data */ 88 bool local_oob; 89 u8 local_pk[64]; 90 u8 local_rand[16]; 91 bool debug_key; 92 93 struct crypto_shash *tfm_cmac; 94 struct crypto_kpp *tfm_ecdh; 95 }; 96 97 struct smp_chan { 98 struct l2cap_conn *conn; 99 struct delayed_work security_timer; 100 unsigned long allow_cmd; /* Bitmask of allowed commands */ 101 102 u8 preq[7]; /* SMP Pairing Request */ 103 u8 prsp[7]; /* SMP Pairing Response */ 104 u8 prnd[16]; /* SMP Pairing Random (local) */ 105 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 106 u8 pcnf[16]; /* SMP Pairing Confirm */ 107 u8 tk[16]; /* SMP Temporary Key */ 108 u8 rr[16]; /* Remote OOB ra/rb value */ 109 u8 lr[16]; /* Local OOB ra/rb value */ 110 u8 enc_key_size; 111 u8 remote_key_dist; 112 bdaddr_t id_addr; 113 u8 id_addr_type; 114 u8 irk[16]; 115 struct smp_csrk *csrk; 116 struct smp_csrk *responder_csrk; 117 struct smp_ltk *ltk; 118 struct smp_ltk *responder_ltk; 119 struct smp_irk *remote_irk; 120 u8 *link_key; 121 unsigned long flags; 122 u8 method; 123 u8 passkey_round; 124 125 /* Secure Connections variables */ 126 u8 local_pk[64]; 127 u8 remote_pk[64]; 128 u8 dhkey[32]; 129 u8 mackey[16]; 130 131 struct crypto_shash *tfm_cmac; 132 struct crypto_kpp *tfm_ecdh; 133 }; 134 135 /* These debug key values are defined in the SMP section of the core 136 * specification. debug_pk is the public debug key and debug_sk the 137 * private debug key. 138 */ 139 static const u8 debug_pk[64] = { 140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 144 145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 149 }; 150 151 static const u8 debug_sk[32] = { 152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 156 }; 157 158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 159 { 160 size_t i; 161 162 for (i = 0; i < len; i++) 163 dst[len - 1 - i] = src[i]; 164 } 165 166 /* The following functions map to the LE SC SMP crypto functions 167 * AES-CMAC, f4, f5, f6, g2 and h6. 168 */ 169 170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m, 171 size_t len, u8 mac[16]) 172 { 173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 174 int err; 175 176 if (len > CMAC_MSG_MAX) 177 return -EFBIG; 178 179 if (!tfm) { 180 BT_ERR("tfm %p", tfm); 181 return -EINVAL; 182 } 183 184 /* Swap key and message from LSB to MSB */ 185 swap_buf(k, tmp, 16); 186 swap_buf(m, msg_msb, len); 187 188 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 189 SMP_DBG("key %16phN", k); 190 191 err = crypto_shash_setkey(tfm, tmp, 16); 192 if (err) { 193 BT_ERR("cipher setkey failed: %d", err); 194 return err; 195 } 196 197 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb); 198 if (err) { 199 BT_ERR("Hash computation error %d", err); 200 return err; 201 } 202 203 swap_buf(mac_msb, mac, 16); 204 205 SMP_DBG("mac %16phN", mac); 206 207 return 0; 208 } 209 210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32], 211 const u8 v[32], const u8 x[16], u8 z, u8 res[16]) 212 { 213 u8 m[65]; 214 int err; 215 216 SMP_DBG("u %32phN", u); 217 SMP_DBG("v %32phN", v); 218 SMP_DBG("x %16phN z %02x", x, z); 219 220 m[0] = z; 221 memcpy(m + 1, v, 32); 222 memcpy(m + 33, u, 32); 223 224 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 225 if (err) 226 return err; 227 228 SMP_DBG("res %16phN", res); 229 230 return err; 231 } 232 233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32], 234 const u8 n1[16], const u8 n2[16], const u8 a1[7], 235 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 236 { 237 /* The btle, salt and length "magic" values are as defined in 238 * the SMP section of the Bluetooth core specification. In ASCII 239 * the btle value ends up being 'btle'. The salt is just a 240 * random number whereas length is the value 256 in little 241 * endian format. 242 */ 243 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 244 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 245 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 246 const u8 length[2] = { 0x00, 0x01 }; 247 u8 m[53], t[16]; 248 int err; 249 250 SMP_DBG("w %32phN", w); 251 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 252 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 253 254 err = aes_cmac(tfm_cmac, salt, w, 32, t); 255 if (err) 256 return err; 257 258 SMP_DBG("t %16phN", t); 259 260 memcpy(m, length, 2); 261 memcpy(m + 2, a2, 7); 262 memcpy(m + 9, a1, 7); 263 memcpy(m + 16, n2, 16); 264 memcpy(m + 32, n1, 16); 265 memcpy(m + 48, btle, 4); 266 267 m[52] = 0; /* Counter */ 268 269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 270 if (err) 271 return err; 272 273 SMP_DBG("mackey %16phN", mackey); 274 275 m[52] = 1; /* Counter */ 276 277 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 278 if (err) 279 return err; 280 281 SMP_DBG("ltk %16phN", ltk); 282 283 return 0; 284 } 285 286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16], 287 const u8 n1[16], const u8 n2[16], const u8 r[16], 288 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 289 u8 res[16]) 290 { 291 u8 m[65]; 292 int err; 293 294 SMP_DBG("w %16phN", w); 295 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 296 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 297 298 memcpy(m, a2, 7); 299 memcpy(m + 7, a1, 7); 300 memcpy(m + 14, io_cap, 3); 301 memcpy(m + 17, r, 16); 302 memcpy(m + 33, n2, 16); 303 memcpy(m + 49, n1, 16); 304 305 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 306 if (err) 307 return err; 308 309 SMP_DBG("res %16phN", res); 310 311 return err; 312 } 313 314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32], 315 const u8 x[16], const u8 y[16], u32 *val) 316 { 317 u8 m[80], tmp[16]; 318 int err; 319 320 SMP_DBG("u %32phN", u); 321 SMP_DBG("v %32phN", v); 322 SMP_DBG("x %16phN y %16phN", x, y); 323 324 memcpy(m, y, 16); 325 memcpy(m + 16, v, 32); 326 memcpy(m + 48, u, 32); 327 328 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 329 if (err) 330 return err; 331 332 *val = get_unaligned_le32(tmp); 333 *val %= 1000000; 334 335 SMP_DBG("val %06u", *val); 336 337 return 0; 338 } 339 340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16], 341 const u8 key_id[4], u8 res[16]) 342 { 343 int err; 344 345 SMP_DBG("w %16phN key_id %4phN", w, key_id); 346 347 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 348 if (err) 349 return err; 350 351 SMP_DBG("res %16phN", res); 352 353 return err; 354 } 355 356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16], 357 const u8 salt[16], u8 res[16]) 358 { 359 int err; 360 361 SMP_DBG("w %16phN salt %16phN", w, salt); 362 363 err = aes_cmac(tfm_cmac, salt, w, 16, res); 364 if (err) 365 return err; 366 367 SMP_DBG("res %16phN", res); 368 369 return err; 370 } 371 372 /* The following functions map to the legacy SMP crypto functions e, c1, 373 * s1 and ah. 374 */ 375 376 static int smp_e(const u8 *k, u8 *r) 377 { 378 struct crypto_aes_ctx ctx; 379 uint8_t tmp[16], data[16]; 380 int err; 381 382 SMP_DBG("k %16phN r %16phN", k, r); 383 384 /* The most significant octet of key corresponds to k[0] */ 385 swap_buf(k, tmp, 16); 386 387 err = aes_expandkey(&ctx, tmp, 16); 388 if (err) { 389 BT_ERR("cipher setkey failed: %d", err); 390 return err; 391 } 392 393 /* Most significant octet of plaintextData corresponds to data[0] */ 394 swap_buf(r, data, 16); 395 396 aes_encrypt(&ctx, data, data); 397 398 /* Most significant octet of encryptedData corresponds to data[0] */ 399 swap_buf(data, r, 16); 400 401 SMP_DBG("r %16phN", r); 402 403 memzero_explicit(&ctx, sizeof(ctx)); 404 return err; 405 } 406 407 static int smp_c1(const u8 k[16], 408 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 409 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 410 { 411 u8 p1[16], p2[16]; 412 int err; 413 414 SMP_DBG("k %16phN r %16phN", k, r); 415 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 416 SMP_DBG("preq %7phN pres %7phN", preq, pres); 417 418 memset(p1, 0, 16); 419 420 /* p1 = pres || preq || _rat || _iat */ 421 p1[0] = _iat; 422 p1[1] = _rat; 423 memcpy(p1 + 2, preq, 7); 424 memcpy(p1 + 9, pres, 7); 425 426 SMP_DBG("p1 %16phN", p1); 427 428 /* res = r XOR p1 */ 429 crypto_xor_cpy(res, r, p1, sizeof(p1)); 430 431 /* res = e(k, res) */ 432 err = smp_e(k, res); 433 if (err) { 434 BT_ERR("Encrypt data error"); 435 return err; 436 } 437 438 /* p2 = padding || ia || ra */ 439 memcpy(p2, ra, 6); 440 memcpy(p2 + 6, ia, 6); 441 memset(p2 + 12, 0, 4); 442 443 SMP_DBG("p2 %16phN", p2); 444 445 /* res = res XOR p2 */ 446 crypto_xor(res, p2, sizeof(p2)); 447 448 /* res = e(k, res) */ 449 err = smp_e(k, res); 450 if (err) 451 BT_ERR("Encrypt data error"); 452 453 return err; 454 } 455 456 static int smp_s1(const u8 k[16], 457 const u8 r1[16], const u8 r2[16], u8 _r[16]) 458 { 459 int err; 460 461 /* Just least significant octets from r1 and r2 are considered */ 462 memcpy(_r, r2, 8); 463 memcpy(_r + 8, r1, 8); 464 465 err = smp_e(k, _r); 466 if (err) 467 BT_ERR("Encrypt data error"); 468 469 return err; 470 } 471 472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3]) 473 { 474 u8 _res[16]; 475 int err; 476 477 /* r' = padding || r */ 478 memcpy(_res, r, 3); 479 memset(_res + 3, 0, 13); 480 481 err = smp_e(irk, _res); 482 if (err) { 483 BT_ERR("Encrypt error"); 484 return err; 485 } 486 487 /* The output of the random address function ah is: 488 * ah(k, r) = e(k, r') mod 2^24 489 * The output of the security function e is then truncated to 24 bits 490 * by taking the least significant 24 bits of the output of e as the 491 * result of ah. 492 */ 493 memcpy(res, _res, 3); 494 495 return 0; 496 } 497 498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 499 const bdaddr_t *bdaddr) 500 { 501 struct l2cap_chan *chan = hdev->smp_data; 502 u8 hash[3]; 503 int err; 504 505 if (!chan || !chan->data) 506 return false; 507 508 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk); 509 510 err = smp_ah(irk, &bdaddr->b[3], hash); 511 if (err) 512 return false; 513 514 return !crypto_memneq(bdaddr->b, hash, 3); 515 } 516 517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 518 { 519 struct l2cap_chan *chan = hdev->smp_data; 520 int err; 521 522 if (!chan || !chan->data) 523 return -EOPNOTSUPP; 524 525 get_random_bytes(&rpa->b[3], 3); 526 527 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 528 rpa->b[5] |= 0x40; /* Set second most significant bit */ 529 530 err = smp_ah(irk, &rpa->b[3], rpa->b); 531 if (err < 0) 532 return err; 533 534 bt_dev_dbg(hdev, "RPA %pMR", rpa); 535 536 return 0; 537 } 538 539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 540 { 541 struct l2cap_chan *chan = hdev->smp_data; 542 struct smp_dev *smp; 543 int err; 544 545 if (!chan || !chan->data) 546 return -EOPNOTSUPP; 547 548 smp = chan->data; 549 550 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 551 bt_dev_dbg(hdev, "Using debug keys"); 552 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk); 553 if (err) 554 return err; 555 memcpy(smp->local_pk, debug_pk, 64); 556 smp->debug_key = true; 557 } else { 558 while (true) { 559 /* Generate key pair for Secure Connections */ 560 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk); 561 if (err) 562 return err; 563 564 /* This is unlikely, but we need to check that 565 * we didn't accidentally generate a debug key. 566 */ 567 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 568 break; 569 } 570 smp->debug_key = false; 571 } 572 573 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 574 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 575 576 get_random_bytes(smp->local_rand, 16); 577 578 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 579 smp->local_rand, 0, hash); 580 if (err < 0) 581 return err; 582 583 memcpy(rand, smp->local_rand, 16); 584 585 smp->local_oob = true; 586 587 return 0; 588 } 589 590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 591 { 592 struct l2cap_chan *chan = conn->smp; 593 struct smp_chan *smp; 594 struct kvec iv[2]; 595 struct msghdr msg; 596 597 if (!chan) 598 return; 599 600 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code); 601 602 iv[0].iov_base = &code; 603 iv[0].iov_len = 1; 604 605 iv[1].iov_base = data; 606 iv[1].iov_len = len; 607 608 memset(&msg, 0, sizeof(msg)); 609 610 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len); 611 612 l2cap_chan_send(chan, &msg, 1 + len); 613 614 if (!chan->data) 615 return; 616 617 smp = chan->data; 618 619 cancel_delayed_work_sync(&smp->security_timer); 620 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 621 } 622 623 static u8 authreq_to_seclevel(u8 authreq) 624 { 625 if (authreq & SMP_AUTH_MITM) { 626 if (authreq & SMP_AUTH_SC) 627 return BT_SECURITY_FIPS; 628 else 629 return BT_SECURITY_HIGH; 630 } else { 631 return BT_SECURITY_MEDIUM; 632 } 633 } 634 635 static __u8 seclevel_to_authreq(__u8 sec_level) 636 { 637 switch (sec_level) { 638 case BT_SECURITY_FIPS: 639 case BT_SECURITY_HIGH: 640 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 641 case BT_SECURITY_MEDIUM: 642 return SMP_AUTH_BONDING; 643 default: 644 return SMP_AUTH_NONE; 645 } 646 } 647 648 static void build_pairing_cmd(struct l2cap_conn *conn, 649 struct smp_cmd_pairing *req, 650 struct smp_cmd_pairing *rsp, __u8 authreq) 651 { 652 struct l2cap_chan *chan = conn->smp; 653 struct smp_chan *smp = chan->data; 654 struct hci_conn *hcon = conn->hcon; 655 struct hci_dev *hdev = hcon->hdev; 656 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 657 658 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 659 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 660 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 661 authreq |= SMP_AUTH_BONDING; 662 } else { 663 authreq &= ~SMP_AUTH_BONDING; 664 } 665 666 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 667 remote_dist |= SMP_DIST_ID_KEY; 668 669 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 670 local_dist |= SMP_DIST_ID_KEY; 671 672 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 673 (authreq & SMP_AUTH_SC)) { 674 struct oob_data *oob_data; 675 u8 bdaddr_type; 676 677 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 678 local_dist |= SMP_DIST_LINK_KEY; 679 remote_dist |= SMP_DIST_LINK_KEY; 680 } 681 682 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 683 bdaddr_type = BDADDR_LE_PUBLIC; 684 else 685 bdaddr_type = BDADDR_LE_RANDOM; 686 687 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 688 bdaddr_type); 689 if (oob_data && oob_data->present) { 690 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 691 oob_flag = SMP_OOB_PRESENT; 692 memcpy(smp->rr, oob_data->rand256, 16); 693 memcpy(smp->pcnf, oob_data->hash256, 16); 694 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 695 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 696 } 697 698 } else { 699 authreq &= ~SMP_AUTH_SC; 700 } 701 702 if (rsp == NULL) { 703 req->io_capability = conn->hcon->io_capability; 704 req->oob_flag = oob_flag; 705 req->max_key_size = hdev->le_max_key_size; 706 req->init_key_dist = local_dist; 707 req->resp_key_dist = remote_dist; 708 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 709 710 smp->remote_key_dist = remote_dist; 711 return; 712 } 713 714 rsp->io_capability = conn->hcon->io_capability; 715 rsp->oob_flag = oob_flag; 716 rsp->max_key_size = hdev->le_max_key_size; 717 rsp->init_key_dist = req->init_key_dist & remote_dist; 718 rsp->resp_key_dist = req->resp_key_dist & local_dist; 719 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 720 721 smp->remote_key_dist = rsp->init_key_dist; 722 } 723 724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 725 { 726 struct l2cap_chan *chan = conn->smp; 727 struct hci_dev *hdev = conn->hcon->hdev; 728 struct smp_chan *smp = chan->data; 729 730 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS && 731 max_key_size != SMP_MAX_ENC_KEY_SIZE) 732 return SMP_ENC_KEY_SIZE; 733 734 if (max_key_size > hdev->le_max_key_size || 735 max_key_size < SMP_MIN_ENC_KEY_SIZE) 736 return SMP_ENC_KEY_SIZE; 737 738 smp->enc_key_size = max_key_size; 739 740 return 0; 741 } 742 743 static void smp_chan_destroy(struct l2cap_conn *conn) 744 { 745 struct l2cap_chan *chan = conn->smp; 746 struct smp_chan *smp = chan->data; 747 struct hci_conn *hcon = conn->hcon; 748 bool complete; 749 750 BUG_ON(!smp); 751 752 cancel_delayed_work_sync(&smp->security_timer); 753 754 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 755 mgmt_smp_complete(hcon, complete); 756 757 kfree_sensitive(smp->csrk); 758 kfree_sensitive(smp->responder_csrk); 759 kfree_sensitive(smp->link_key); 760 761 crypto_free_shash(smp->tfm_cmac); 762 crypto_free_kpp(smp->tfm_ecdh); 763 764 /* Ensure that we don't leave any debug key around if debug key 765 * support hasn't been explicitly enabled. 766 */ 767 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 768 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 769 list_del_rcu(&smp->ltk->list); 770 kfree_rcu(smp->ltk, rcu); 771 smp->ltk = NULL; 772 } 773 774 /* If pairing failed clean up any keys we might have */ 775 if (!complete) { 776 if (smp->ltk) { 777 list_del_rcu(&smp->ltk->list); 778 kfree_rcu(smp->ltk, rcu); 779 } 780 781 if (smp->responder_ltk) { 782 list_del_rcu(&smp->responder_ltk->list); 783 kfree_rcu(smp->responder_ltk, rcu); 784 } 785 786 if (smp->remote_irk) { 787 list_del_rcu(&smp->remote_irk->list); 788 kfree_rcu(smp->remote_irk, rcu); 789 } 790 } 791 792 chan->data = NULL; 793 kfree_sensitive(smp); 794 hci_conn_drop(hcon); 795 } 796 797 static void smp_failure(struct l2cap_conn *conn, u8 reason) 798 { 799 struct hci_conn *hcon = conn->hcon; 800 struct l2cap_chan *chan = conn->smp; 801 802 if (reason) 803 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 804 &reason); 805 806 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 807 808 if (chan->data) 809 smp_chan_destroy(conn); 810 } 811 812 #define JUST_WORKS 0x00 813 #define JUST_CFM 0x01 814 #define REQ_PASSKEY 0x02 815 #define CFM_PASSKEY 0x03 816 #define REQ_OOB 0x04 817 #define DSP_PASSKEY 0x05 818 #define OVERLAP 0xFF 819 820 static const u8 gen_method[5][5] = { 821 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 822 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 824 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 825 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 826 }; 827 828 static const u8 sc_method[5][5] = { 829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 830 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 831 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 833 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 834 }; 835 836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 837 { 838 /* If either side has unknown io_caps, use JUST_CFM (which gets 839 * converted later to JUST_WORKS if we're initiators. 840 */ 841 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 842 remote_io > SMP_IO_KEYBOARD_DISPLAY) 843 return JUST_CFM; 844 845 if (test_bit(SMP_FLAG_SC, &smp->flags)) 846 return sc_method[remote_io][local_io]; 847 848 return gen_method[remote_io][local_io]; 849 } 850 851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 852 u8 local_io, u8 remote_io) 853 { 854 struct hci_conn *hcon = conn->hcon; 855 struct l2cap_chan *chan = conn->smp; 856 struct smp_chan *smp = chan->data; 857 u32 passkey = 0; 858 int ret; 859 860 /* Initialize key for JUST WORKS */ 861 memset(smp->tk, 0, sizeof(smp->tk)); 862 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 863 864 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io, 865 remote_io); 866 867 /* If neither side wants MITM, either "just" confirm an incoming 868 * request or use just-works for outgoing ones. The JUST_CFM 869 * will be converted to JUST_WORKS if necessary later in this 870 * function. If either side has MITM look up the method from the 871 * table. 872 */ 873 if (!(auth & SMP_AUTH_MITM)) 874 smp->method = JUST_CFM; 875 else 876 smp->method = get_auth_method(smp, local_io, remote_io); 877 878 /* Don't confirm locally initiated pairing attempts */ 879 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 880 &smp->flags)) 881 smp->method = JUST_WORKS; 882 883 /* Don't bother user space with no IO capabilities */ 884 if (smp->method == JUST_CFM && 885 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 886 smp->method = JUST_WORKS; 887 888 /* If Just Works, Continue with Zero TK and ask user-space for 889 * confirmation */ 890 if (smp->method == JUST_WORKS) { 891 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 892 hcon->type, 893 hcon->dst_type, 894 passkey, 1); 895 if (ret) 896 return ret; 897 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 898 return 0; 899 } 900 901 /* If this function is used for SC -> legacy fallback we 902 * can only recover the just-works case. 903 */ 904 if (test_bit(SMP_FLAG_SC, &smp->flags)) 905 return -EINVAL; 906 907 /* Not Just Works/Confirm results in MITM Authentication */ 908 if (smp->method != JUST_CFM) { 909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 910 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 911 hcon->pending_sec_level = BT_SECURITY_HIGH; 912 } 913 914 /* If both devices have Keyboard-Display I/O, the initiator 915 * Confirms and the responder Enters the passkey. 916 */ 917 if (smp->method == OVERLAP) { 918 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 919 smp->method = CFM_PASSKEY; 920 else 921 smp->method = REQ_PASSKEY; 922 } 923 924 /* Generate random passkey. */ 925 if (smp->method == CFM_PASSKEY) { 926 memset(smp->tk, 0, sizeof(smp->tk)); 927 get_random_bytes(&passkey, sizeof(passkey)); 928 passkey %= 1000000; 929 put_unaligned_le32(passkey, smp->tk); 930 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey); 931 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 932 } 933 934 if (smp->method == REQ_PASSKEY) 935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 936 hcon->type, hcon->dst_type); 937 else if (smp->method == JUST_CFM) 938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 939 hcon->type, hcon->dst_type, 940 passkey, 1); 941 else 942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 943 hcon->type, hcon->dst_type, 944 passkey, 0); 945 946 return ret; 947 } 948 949 static u8 smp_confirm(struct smp_chan *smp) 950 { 951 struct l2cap_conn *conn = smp->conn; 952 struct smp_cmd_pairing_confirm cp; 953 int ret; 954 955 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 956 957 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp, 958 conn->hcon->init_addr_type, &conn->hcon->init_addr, 959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 960 cp.confirm_val); 961 if (ret) 962 return SMP_UNSPECIFIED; 963 964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 965 966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 967 968 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 970 else 971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 972 973 return 0; 974 } 975 976 static u8 smp_random(struct smp_chan *smp) 977 { 978 struct l2cap_conn *conn = smp->conn; 979 struct hci_conn *hcon = conn->hcon; 980 u8 confirm[16]; 981 int ret; 982 983 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn, 984 test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" : 985 "responder"); 986 987 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp, 988 hcon->init_addr_type, &hcon->init_addr, 989 hcon->resp_addr_type, &hcon->resp_addr, confirm); 990 if (ret) 991 return SMP_UNSPECIFIED; 992 993 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 994 bt_dev_err(hcon->hdev, "pairing failed " 995 "(confirmation values mismatch)"); 996 return SMP_CONFIRM_FAILED; 997 } 998 999 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1000 u8 stk[16]; 1001 __le64 rand = 0; 1002 __le16 ediv = 0; 1003 1004 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk); 1005 1006 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1007 return SMP_UNSPECIFIED; 1008 1009 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 1010 hcon->enc_key_size = smp->enc_key_size; 1011 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 1012 } else { 1013 u8 stk[16], auth; 1014 __le64 rand = 0; 1015 __le16 ediv = 0; 1016 1017 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1018 smp->prnd); 1019 1020 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); 1021 1022 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1023 auth = 1; 1024 else 1025 auth = 0; 1026 1027 /* Even though there's no _RESPONDER suffix this is the 1028 * responder STK we're adding for later lookup (the initiator 1029 * STK never needs to be stored). 1030 */ 1031 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1032 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1033 } 1034 1035 return 0; 1036 } 1037 1038 static void smp_notify_keys(struct l2cap_conn *conn) 1039 { 1040 struct l2cap_chan *chan = conn->smp; 1041 struct smp_chan *smp = chan->data; 1042 struct hci_conn *hcon = conn->hcon; 1043 struct hci_dev *hdev = hcon->hdev; 1044 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1045 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1046 bool persistent; 1047 1048 if (hcon->type == ACL_LINK) { 1049 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1050 persistent = false; 1051 else 1052 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1053 &hcon->flags); 1054 } else { 1055 /* The LTKs, IRKs and CSRKs should be persistent only if 1056 * both sides had the bonding bit set in their 1057 * authentication requests. 1058 */ 1059 persistent = !!((req->auth_req & rsp->auth_req) & 1060 SMP_AUTH_BONDING); 1061 } 1062 1063 if (smp->remote_irk) { 1064 smp->remote_irk->link_type = hcon->type; 1065 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1066 1067 /* Now that user space can be considered to know the 1068 * identity address track the connection based on it 1069 * from now on (assuming this is an LE link). 1070 */ 1071 if (hcon->type == LE_LINK) { 1072 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1073 hcon->dst_type = smp->remote_irk->addr_type; 1074 /* Use a short delay to make sure the new address is 1075 * propagated _before_ the channels. 1076 */ 1077 queue_delayed_work(hdev->workqueue, 1078 &conn->id_addr_timer, 1079 ID_ADDR_TIMEOUT); 1080 } 1081 } 1082 1083 if (smp->csrk) { 1084 smp->csrk->link_type = hcon->type; 1085 smp->csrk->bdaddr_type = hcon->dst_type; 1086 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1087 mgmt_new_csrk(hdev, smp->csrk, persistent); 1088 } 1089 1090 if (smp->responder_csrk) { 1091 smp->responder_csrk->link_type = hcon->type; 1092 smp->responder_csrk->bdaddr_type = hcon->dst_type; 1093 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst); 1094 mgmt_new_csrk(hdev, smp->responder_csrk, persistent); 1095 } 1096 1097 if (smp->ltk) { 1098 smp->ltk->link_type = hcon->type; 1099 smp->ltk->bdaddr_type = hcon->dst_type; 1100 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1101 mgmt_new_ltk(hdev, smp->ltk, persistent); 1102 } 1103 1104 if (smp->responder_ltk) { 1105 smp->responder_ltk->link_type = hcon->type; 1106 smp->responder_ltk->bdaddr_type = hcon->dst_type; 1107 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst); 1108 mgmt_new_ltk(hdev, smp->responder_ltk, persistent); 1109 } 1110 1111 if (smp->link_key) { 1112 struct link_key *key; 1113 u8 type; 1114 1115 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1116 type = HCI_LK_DEBUG_COMBINATION; 1117 else if (hcon->sec_level == BT_SECURITY_FIPS) 1118 type = HCI_LK_AUTH_COMBINATION_P256; 1119 else 1120 type = HCI_LK_UNAUTH_COMBINATION_P256; 1121 1122 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1123 smp->link_key, type, 0, &persistent); 1124 if (key) { 1125 key->link_type = hcon->type; 1126 key->bdaddr_type = hcon->dst_type; 1127 mgmt_new_link_key(hdev, key, persistent); 1128 1129 /* Don't keep debug keys around if the relevant 1130 * flag is not set. 1131 */ 1132 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1133 key->type == HCI_LK_DEBUG_COMBINATION) { 1134 list_del_rcu(&key->list); 1135 kfree_rcu(key, rcu); 1136 } 1137 } 1138 } 1139 } 1140 1141 static void sc_add_ltk(struct smp_chan *smp) 1142 { 1143 struct hci_conn *hcon = smp->conn->hcon; 1144 u8 key_type, auth; 1145 1146 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1147 key_type = SMP_LTK_P256_DEBUG; 1148 else 1149 key_type = SMP_LTK_P256; 1150 1151 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1152 auth = 1; 1153 else 1154 auth = 0; 1155 1156 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1157 key_type, auth, smp->tk, smp->enc_key_size, 1158 0, 0); 1159 } 1160 1161 static void sc_generate_link_key(struct smp_chan *smp) 1162 { 1163 /* From core spec. Spells out in ASCII as 'lebr'. */ 1164 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1165 1166 smp->link_key = kzalloc(16, GFP_KERNEL); 1167 if (!smp->link_key) 1168 return; 1169 1170 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1171 /* SALT = 0x000000000000000000000000746D7031 */ 1172 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1173 1174 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) { 1175 kfree_sensitive(smp->link_key); 1176 smp->link_key = NULL; 1177 return; 1178 } 1179 } else { 1180 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1181 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1182 1183 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1184 kfree_sensitive(smp->link_key); 1185 smp->link_key = NULL; 1186 return; 1187 } 1188 } 1189 1190 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1191 kfree_sensitive(smp->link_key); 1192 smp->link_key = NULL; 1193 return; 1194 } 1195 } 1196 1197 static void smp_allow_key_dist(struct smp_chan *smp) 1198 { 1199 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1200 * will be allowed in each PDU handler to ensure we receive 1201 * them in the correct order. 1202 */ 1203 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1204 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1205 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1206 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1207 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1208 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1209 } 1210 1211 static void sc_generate_ltk(struct smp_chan *smp) 1212 { 1213 /* From core spec. Spells out in ASCII as 'brle'. */ 1214 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1215 struct hci_conn *hcon = smp->conn->hcon; 1216 struct hci_dev *hdev = hcon->hdev; 1217 struct link_key *key; 1218 1219 key = hci_find_link_key(hdev, &hcon->dst); 1220 if (!key) { 1221 bt_dev_err(hdev, "no Link Key found to generate LTK"); 1222 return; 1223 } 1224 1225 if (key->type == HCI_LK_DEBUG_COMBINATION) 1226 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1227 1228 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1229 /* SALT = 0x000000000000000000000000746D7032 */ 1230 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 }; 1231 1232 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk)) 1233 return; 1234 } else { 1235 /* From core spec. Spells out in ASCII as 'tmp2'. */ 1236 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1237 1238 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1239 return; 1240 } 1241 1242 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1243 return; 1244 1245 sc_add_ltk(smp); 1246 } 1247 1248 static void smp_distribute_keys(struct smp_chan *smp) 1249 { 1250 struct smp_cmd_pairing *req, *rsp; 1251 struct l2cap_conn *conn = smp->conn; 1252 struct hci_conn *hcon = conn->hcon; 1253 struct hci_dev *hdev = hcon->hdev; 1254 __u8 *keydist; 1255 1256 bt_dev_dbg(hdev, "conn %p", conn); 1257 1258 rsp = (void *) &smp->prsp[1]; 1259 1260 /* The responder sends its keys first */ 1261 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) && 1262 (smp->remote_key_dist & KEY_DIST_MASK)) { 1263 smp_allow_key_dist(smp); 1264 return; 1265 } 1266 1267 req = (void *) &smp->preq[1]; 1268 1269 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1270 keydist = &rsp->init_key_dist; 1271 *keydist &= req->init_key_dist; 1272 } else { 1273 keydist = &rsp->resp_key_dist; 1274 *keydist &= req->resp_key_dist; 1275 } 1276 1277 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1278 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1279 sc_generate_link_key(smp); 1280 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1281 sc_generate_ltk(smp); 1282 1283 /* Clear the keys which are generated but not distributed */ 1284 *keydist &= ~SMP_SC_NO_DIST; 1285 } 1286 1287 bt_dev_dbg(hdev, "keydist 0x%x", *keydist); 1288 1289 if (*keydist & SMP_DIST_ENC_KEY) { 1290 struct smp_cmd_encrypt_info enc; 1291 struct smp_cmd_initiator_ident ident; 1292 struct smp_ltk *ltk; 1293 u8 authenticated; 1294 __le16 ediv; 1295 __le64 rand; 1296 1297 /* Make sure we generate only the significant amount of 1298 * bytes based on the encryption key size, and set the rest 1299 * of the value to zeroes. 1300 */ 1301 get_random_bytes(enc.ltk, smp->enc_key_size); 1302 memset(enc.ltk + smp->enc_key_size, 0, 1303 sizeof(enc.ltk) - smp->enc_key_size); 1304 1305 get_random_bytes(&ediv, sizeof(ediv)); 1306 get_random_bytes(&rand, sizeof(rand)); 1307 1308 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1309 1310 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1311 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1312 SMP_LTK_RESPONDER, authenticated, enc.ltk, 1313 smp->enc_key_size, ediv, rand); 1314 smp->responder_ltk = ltk; 1315 1316 ident.ediv = ediv; 1317 ident.rand = rand; 1318 1319 smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident), 1320 &ident); 1321 1322 *keydist &= ~SMP_DIST_ENC_KEY; 1323 } 1324 1325 if (*keydist & SMP_DIST_ID_KEY) { 1326 struct smp_cmd_ident_addr_info addrinfo; 1327 struct smp_cmd_ident_info idinfo; 1328 1329 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1330 1331 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1332 1333 /* The hci_conn contains the local identity address 1334 * after the connection has been established. 1335 * 1336 * This is true even when the connection has been 1337 * established using a resolvable random address. 1338 */ 1339 bacpy(&addrinfo.bdaddr, &hcon->src); 1340 addrinfo.addr_type = hcon->src_type; 1341 1342 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1343 &addrinfo); 1344 1345 *keydist &= ~SMP_DIST_ID_KEY; 1346 } 1347 1348 if (*keydist & SMP_DIST_SIGN) { 1349 struct smp_cmd_sign_info sign; 1350 struct smp_csrk *csrk; 1351 1352 /* Generate a new random key */ 1353 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1354 1355 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1356 if (csrk) { 1357 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1358 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1359 else 1360 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1361 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1362 } 1363 smp->responder_csrk = csrk; 1364 1365 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1366 1367 *keydist &= ~SMP_DIST_SIGN; 1368 } 1369 1370 /* If there are still keys to be received wait for them */ 1371 if (smp->remote_key_dist & KEY_DIST_MASK) { 1372 smp_allow_key_dist(smp); 1373 return; 1374 } 1375 1376 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1377 smp_notify_keys(conn); 1378 1379 smp_chan_destroy(conn); 1380 } 1381 1382 static void smp_timeout(struct work_struct *work) 1383 { 1384 struct smp_chan *smp = container_of(work, struct smp_chan, 1385 security_timer.work); 1386 struct l2cap_conn *conn = smp->conn; 1387 1388 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 1389 1390 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1391 } 1392 1393 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1394 { 1395 struct hci_conn *hcon = conn->hcon; 1396 struct l2cap_chan *chan = conn->smp; 1397 struct smp_chan *smp; 1398 1399 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1400 if (!smp) 1401 return NULL; 1402 1403 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1404 if (IS_ERR(smp->tfm_cmac)) { 1405 bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context"); 1406 goto zfree_smp; 1407 } 1408 1409 smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 1410 if (IS_ERR(smp->tfm_ecdh)) { 1411 bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context"); 1412 goto free_shash; 1413 } 1414 1415 smp->conn = conn; 1416 chan->data = smp; 1417 1418 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1419 1420 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1421 1422 hci_conn_hold(hcon); 1423 1424 return smp; 1425 1426 free_shash: 1427 crypto_free_shash(smp->tfm_cmac); 1428 zfree_smp: 1429 kfree_sensitive(smp); 1430 return NULL; 1431 } 1432 1433 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1434 { 1435 struct hci_conn *hcon = smp->conn->hcon; 1436 u8 *na, *nb, a[7], b[7]; 1437 1438 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1439 na = smp->prnd; 1440 nb = smp->rrnd; 1441 } else { 1442 na = smp->rrnd; 1443 nb = smp->prnd; 1444 } 1445 1446 memcpy(a, &hcon->init_addr, 6); 1447 memcpy(b, &hcon->resp_addr, 6); 1448 a[6] = hcon->init_addr_type; 1449 b[6] = hcon->resp_addr_type; 1450 1451 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1452 } 1453 1454 static void sc_dhkey_check(struct smp_chan *smp) 1455 { 1456 struct hci_conn *hcon = smp->conn->hcon; 1457 struct smp_cmd_dhkey_check check; 1458 u8 a[7], b[7], *local_addr, *remote_addr; 1459 u8 io_cap[3], r[16]; 1460 1461 memcpy(a, &hcon->init_addr, 6); 1462 memcpy(b, &hcon->resp_addr, 6); 1463 a[6] = hcon->init_addr_type; 1464 b[6] = hcon->resp_addr_type; 1465 1466 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1467 local_addr = a; 1468 remote_addr = b; 1469 memcpy(io_cap, &smp->preq[1], 3); 1470 } else { 1471 local_addr = b; 1472 remote_addr = a; 1473 memcpy(io_cap, &smp->prsp[1], 3); 1474 } 1475 1476 memset(r, 0, sizeof(r)); 1477 1478 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1479 put_unaligned_le32(hcon->passkey_notify, r); 1480 1481 if (smp->method == REQ_OOB) 1482 memcpy(r, smp->rr, 16); 1483 1484 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1485 local_addr, remote_addr, check.e); 1486 1487 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1488 } 1489 1490 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1491 { 1492 struct l2cap_conn *conn = smp->conn; 1493 struct hci_conn *hcon = conn->hcon; 1494 struct smp_cmd_pairing_confirm cfm; 1495 u8 r; 1496 1497 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1498 r |= 0x80; 1499 1500 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1501 1502 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1503 cfm.confirm_val)) 1504 return SMP_UNSPECIFIED; 1505 1506 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1507 1508 return 0; 1509 } 1510 1511 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1512 { 1513 struct l2cap_conn *conn = smp->conn; 1514 struct hci_conn *hcon = conn->hcon; 1515 struct hci_dev *hdev = hcon->hdev; 1516 u8 cfm[16], r; 1517 1518 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1519 if (smp->passkey_round >= 20) 1520 return 0; 1521 1522 switch (smp_op) { 1523 case SMP_CMD_PAIRING_RANDOM: 1524 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1525 r |= 0x80; 1526 1527 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1528 smp->rrnd, r, cfm)) 1529 return SMP_UNSPECIFIED; 1530 1531 if (crypto_memneq(smp->pcnf, cfm, 16)) 1532 return SMP_CONFIRM_FAILED; 1533 1534 smp->passkey_round++; 1535 1536 if (smp->passkey_round == 20) { 1537 /* Generate MacKey and LTK */ 1538 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1539 return SMP_UNSPECIFIED; 1540 } 1541 1542 /* The round is only complete when the initiator 1543 * receives pairing random. 1544 */ 1545 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1546 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1547 sizeof(smp->prnd), smp->prnd); 1548 if (smp->passkey_round == 20) 1549 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1550 else 1551 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1552 return 0; 1553 } 1554 1555 /* Start the next round */ 1556 if (smp->passkey_round != 20) 1557 return sc_passkey_round(smp, 0); 1558 1559 /* Passkey rounds are complete - start DHKey Check */ 1560 sc_dhkey_check(smp); 1561 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1562 1563 break; 1564 1565 case SMP_CMD_PAIRING_CONFIRM: 1566 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1567 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1568 return 0; 1569 } 1570 1571 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1572 1573 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1574 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1575 sizeof(smp->prnd), smp->prnd); 1576 return 0; 1577 } 1578 1579 return sc_passkey_send_confirm(smp); 1580 1581 case SMP_CMD_PUBLIC_KEY: 1582 default: 1583 /* Initiating device starts the round */ 1584 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 1585 return 0; 1586 1587 bt_dev_dbg(hdev, "Starting passkey round %u", 1588 smp->passkey_round + 1); 1589 1590 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1591 1592 return sc_passkey_send_confirm(smp); 1593 } 1594 1595 return 0; 1596 } 1597 1598 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1599 { 1600 struct l2cap_conn *conn = smp->conn; 1601 struct hci_conn *hcon = conn->hcon; 1602 u8 smp_op; 1603 1604 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1605 1606 switch (mgmt_op) { 1607 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1608 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1609 return 0; 1610 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1611 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1612 return 0; 1613 case MGMT_OP_USER_PASSKEY_REPLY: 1614 hcon->passkey_notify = le32_to_cpu(passkey); 1615 smp->passkey_round = 0; 1616 1617 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1618 smp_op = SMP_CMD_PAIRING_CONFIRM; 1619 else 1620 smp_op = 0; 1621 1622 if (sc_passkey_round(smp, smp_op)) 1623 return -EIO; 1624 1625 return 0; 1626 } 1627 1628 /* Initiator sends DHKey check first */ 1629 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 1630 sc_dhkey_check(smp); 1631 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1632 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1633 sc_dhkey_check(smp); 1634 sc_add_ltk(smp); 1635 } 1636 1637 return 0; 1638 } 1639 1640 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1641 { 1642 struct l2cap_conn *conn = hcon->l2cap_data; 1643 struct l2cap_chan *chan; 1644 struct smp_chan *smp; 1645 u32 value; 1646 int err; 1647 1648 if (!conn) 1649 return -ENOTCONN; 1650 1651 bt_dev_dbg(conn->hcon->hdev, ""); 1652 1653 chan = conn->smp; 1654 if (!chan) 1655 return -ENOTCONN; 1656 1657 l2cap_chan_lock(chan); 1658 if (!chan->data) { 1659 err = -ENOTCONN; 1660 goto unlock; 1661 } 1662 1663 smp = chan->data; 1664 1665 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1666 err = sc_user_reply(smp, mgmt_op, passkey); 1667 goto unlock; 1668 } 1669 1670 switch (mgmt_op) { 1671 case MGMT_OP_USER_PASSKEY_REPLY: 1672 value = le32_to_cpu(passkey); 1673 memset(smp->tk, 0, sizeof(smp->tk)); 1674 bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value); 1675 put_unaligned_le32(value, smp->tk); 1676 fallthrough; 1677 case MGMT_OP_USER_CONFIRM_REPLY: 1678 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1679 break; 1680 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1681 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1682 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1683 err = 0; 1684 goto unlock; 1685 default: 1686 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1687 err = -EOPNOTSUPP; 1688 goto unlock; 1689 } 1690 1691 err = 0; 1692 1693 /* If it is our turn to send Pairing Confirm, do so now */ 1694 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1695 u8 rsp = smp_confirm(smp); 1696 if (rsp) 1697 smp_failure(conn, rsp); 1698 } 1699 1700 unlock: 1701 l2cap_chan_unlock(chan); 1702 return err; 1703 } 1704 1705 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1706 struct smp_cmd_pairing *req, 1707 struct smp_cmd_pairing *rsp) 1708 { 1709 struct l2cap_conn *conn = smp->conn; 1710 struct hci_dev *hdev = conn->hcon->hdev; 1711 u8 local_dist = 0, remote_dist = 0; 1712 1713 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1714 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1715 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1716 } 1717 1718 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1719 remote_dist |= SMP_DIST_ID_KEY; 1720 1721 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1722 local_dist |= SMP_DIST_ID_KEY; 1723 1724 if (!rsp) { 1725 memset(req, 0, sizeof(*req)); 1726 1727 req->auth_req = SMP_AUTH_CT2; 1728 req->init_key_dist = local_dist; 1729 req->resp_key_dist = remote_dist; 1730 req->max_key_size = conn->hcon->enc_key_size; 1731 1732 smp->remote_key_dist = remote_dist; 1733 1734 return; 1735 } 1736 1737 memset(rsp, 0, sizeof(*rsp)); 1738 1739 rsp->auth_req = SMP_AUTH_CT2; 1740 rsp->max_key_size = conn->hcon->enc_key_size; 1741 rsp->init_key_dist = req->init_key_dist & remote_dist; 1742 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1743 1744 smp->remote_key_dist = rsp->init_key_dist; 1745 } 1746 1747 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1748 { 1749 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1750 struct l2cap_chan *chan = conn->smp; 1751 struct hci_dev *hdev = conn->hcon->hdev; 1752 struct smp_chan *smp = chan->data; 1753 u8 key_size, auth, sec_level; 1754 int ret; 1755 1756 bt_dev_dbg(hdev, "conn %p", conn); 1757 1758 if (skb->len < sizeof(*req)) 1759 return SMP_INVALID_PARAMS; 1760 1761 if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 1762 return SMP_CMD_NOTSUPP; 1763 1764 if (!smp) { 1765 smp = smp_chan_create(conn); 1766 if (!smp) 1767 return SMP_UNSPECIFIED; 1768 } 1769 1770 /* We didn't start the pairing, so match remote */ 1771 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1772 1773 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1774 (auth & SMP_AUTH_BONDING)) 1775 return SMP_PAIRING_NOTSUPP; 1776 1777 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1778 return SMP_AUTH_REQUIREMENTS; 1779 1780 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1781 memcpy(&smp->preq[1], req, sizeof(*req)); 1782 skb_pull(skb, sizeof(*req)); 1783 1784 /* If the remote side's OOB flag is set it means it has 1785 * successfully received our local OOB data - therefore set the 1786 * flag to indicate that local OOB is in use. 1787 */ 1788 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob) 1789 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1790 1791 /* SMP over BR/EDR requires special treatment */ 1792 if (conn->hcon->type == ACL_LINK) { 1793 /* We must have a BR/EDR SC link */ 1794 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1795 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1796 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1797 1798 set_bit(SMP_FLAG_SC, &smp->flags); 1799 1800 build_bredr_pairing_cmd(smp, req, &rsp); 1801 1802 if (req->auth_req & SMP_AUTH_CT2) 1803 set_bit(SMP_FLAG_CT2, &smp->flags); 1804 1805 key_size = min(req->max_key_size, rsp.max_key_size); 1806 if (check_enc_key_size(conn, key_size)) 1807 return SMP_ENC_KEY_SIZE; 1808 1809 /* Clear bits which are generated but not distributed */ 1810 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1811 1812 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1813 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1814 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1815 1816 smp_distribute_keys(smp); 1817 return 0; 1818 } 1819 1820 build_pairing_cmd(conn, req, &rsp, auth); 1821 1822 if (rsp.auth_req & SMP_AUTH_SC) { 1823 set_bit(SMP_FLAG_SC, &smp->flags); 1824 1825 if (rsp.auth_req & SMP_AUTH_CT2) 1826 set_bit(SMP_FLAG_CT2, &smp->flags); 1827 } 1828 1829 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1830 sec_level = BT_SECURITY_MEDIUM; 1831 else 1832 sec_level = authreq_to_seclevel(auth); 1833 1834 if (sec_level > conn->hcon->pending_sec_level) 1835 conn->hcon->pending_sec_level = sec_level; 1836 1837 /* If we need MITM check that it can be achieved */ 1838 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1839 u8 method; 1840 1841 method = get_auth_method(smp, conn->hcon->io_capability, 1842 req->io_capability); 1843 if (method == JUST_WORKS || method == JUST_CFM) 1844 return SMP_AUTH_REQUIREMENTS; 1845 } 1846 1847 key_size = min(req->max_key_size, rsp.max_key_size); 1848 if (check_enc_key_size(conn, key_size)) 1849 return SMP_ENC_KEY_SIZE; 1850 1851 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1852 1853 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1854 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1855 1856 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1857 1858 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1859 1860 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1861 * SC case, however some implementations incorrectly copy RFU auth 1862 * req bits from our security request, which may create a false 1863 * positive SC enablement. 1864 */ 1865 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1866 1867 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1868 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1869 /* Clear bits which are generated but not distributed */ 1870 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1871 /* Wait for Public Key from Initiating Device */ 1872 return 0; 1873 } 1874 1875 /* Request setup of TK */ 1876 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1877 if (ret) 1878 return SMP_UNSPECIFIED; 1879 1880 return 0; 1881 } 1882 1883 static u8 sc_send_public_key(struct smp_chan *smp) 1884 { 1885 struct hci_dev *hdev = smp->conn->hcon->hdev; 1886 1887 bt_dev_dbg(hdev, ""); 1888 1889 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1890 struct l2cap_chan *chan = hdev->smp_data; 1891 struct smp_dev *smp_dev; 1892 1893 if (!chan || !chan->data) 1894 return SMP_UNSPECIFIED; 1895 1896 smp_dev = chan->data; 1897 1898 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1899 memcpy(smp->lr, smp_dev->local_rand, 16); 1900 1901 if (smp_dev->debug_key) 1902 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1903 1904 goto done; 1905 } 1906 1907 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1908 bt_dev_dbg(hdev, "Using debug keys"); 1909 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk)) 1910 return SMP_UNSPECIFIED; 1911 memcpy(smp->local_pk, debug_pk, 64); 1912 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1913 } else { 1914 while (true) { 1915 /* Generate key pair for Secure Connections */ 1916 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk)) 1917 return SMP_UNSPECIFIED; 1918 1919 /* This is unlikely, but we need to check that 1920 * we didn't accidentally generate a debug key. 1921 */ 1922 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 1923 break; 1924 } 1925 } 1926 1927 done: 1928 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1929 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1930 1931 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1932 1933 return 0; 1934 } 1935 1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1937 { 1938 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1939 struct l2cap_chan *chan = conn->smp; 1940 struct smp_chan *smp = chan->data; 1941 struct hci_dev *hdev = conn->hcon->hdev; 1942 u8 key_size, auth; 1943 int ret; 1944 1945 bt_dev_dbg(hdev, "conn %p", conn); 1946 1947 if (skb->len < sizeof(*rsp)) 1948 return SMP_INVALID_PARAMS; 1949 1950 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 1951 return SMP_CMD_NOTSUPP; 1952 1953 skb_pull(skb, sizeof(*rsp)); 1954 1955 req = (void *) &smp->preq[1]; 1956 1957 key_size = min(req->max_key_size, rsp->max_key_size); 1958 if (check_enc_key_size(conn, key_size)) 1959 return SMP_ENC_KEY_SIZE; 1960 1961 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1962 1963 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1964 return SMP_AUTH_REQUIREMENTS; 1965 1966 /* If the remote side's OOB flag is set it means it has 1967 * successfully received our local OOB data - therefore set the 1968 * flag to indicate that local OOB is in use. 1969 */ 1970 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob) 1971 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1972 1973 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1974 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1975 1976 /* Update remote key distribution in case the remote cleared 1977 * some bits that we had enabled in our request. 1978 */ 1979 smp->remote_key_dist &= rsp->resp_key_dist; 1980 1981 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2)) 1982 set_bit(SMP_FLAG_CT2, &smp->flags); 1983 1984 /* For BR/EDR this means we're done and can start phase 3 */ 1985 if (conn->hcon->type == ACL_LINK) { 1986 /* Clear bits which are generated but not distributed */ 1987 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1988 smp_distribute_keys(smp); 1989 return 0; 1990 } 1991 1992 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1993 set_bit(SMP_FLAG_SC, &smp->flags); 1994 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1995 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1996 1997 /* If we need MITM check that it can be achieved */ 1998 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1999 u8 method; 2000 2001 method = get_auth_method(smp, req->io_capability, 2002 rsp->io_capability); 2003 if (method == JUST_WORKS || method == JUST_CFM) 2004 return SMP_AUTH_REQUIREMENTS; 2005 } 2006 2007 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 2008 2009 /* Update remote key distribution in case the remote cleared 2010 * some bits that we had enabled in our request. 2011 */ 2012 smp->remote_key_dist &= rsp->resp_key_dist; 2013 2014 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2015 /* Clear bits which are generated but not distributed */ 2016 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 2017 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 2018 return sc_send_public_key(smp); 2019 } 2020 2021 auth |= req->auth_req; 2022 2023 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 2024 if (ret) 2025 return SMP_UNSPECIFIED; 2026 2027 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2028 2029 /* Can't compose response until we have been confirmed */ 2030 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2031 return smp_confirm(smp); 2032 2033 return 0; 2034 } 2035 2036 static u8 sc_check_confirm(struct smp_chan *smp) 2037 { 2038 struct l2cap_conn *conn = smp->conn; 2039 2040 bt_dev_dbg(conn->hcon->hdev, ""); 2041 2042 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2043 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 2044 2045 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2046 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2047 smp->prnd); 2048 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2049 } 2050 2051 return 0; 2052 } 2053 2054 /* Work-around for some implementations that incorrectly copy RFU bits 2055 * from our security request and thereby create the impression that 2056 * we're doing SC when in fact the remote doesn't support it. 2057 */ 2058 static int fixup_sc_false_positive(struct smp_chan *smp) 2059 { 2060 struct l2cap_conn *conn = smp->conn; 2061 struct hci_conn *hcon = conn->hcon; 2062 struct hci_dev *hdev = hcon->hdev; 2063 struct smp_cmd_pairing *req, *rsp; 2064 u8 auth; 2065 2066 /* The issue is only observed when we're in responder role */ 2067 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2068 return SMP_UNSPECIFIED; 2069 2070 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2071 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode"); 2072 return SMP_UNSPECIFIED; 2073 } 2074 2075 bt_dev_err(hdev, "trying to fall back to legacy SMP"); 2076 2077 req = (void *) &smp->preq[1]; 2078 rsp = (void *) &smp->prsp[1]; 2079 2080 /* Rebuild key dist flags which may have been cleared for SC */ 2081 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2082 2083 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2084 2085 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2086 bt_dev_err(hdev, "failed to fall back to legacy SMP"); 2087 return SMP_UNSPECIFIED; 2088 } 2089 2090 clear_bit(SMP_FLAG_SC, &smp->flags); 2091 2092 return 0; 2093 } 2094 2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2096 { 2097 struct l2cap_chan *chan = conn->smp; 2098 struct smp_chan *smp = chan->data; 2099 struct hci_conn *hcon = conn->hcon; 2100 struct hci_dev *hdev = hcon->hdev; 2101 2102 bt_dev_dbg(hdev, "conn %p %s", conn, 2103 test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" : 2104 "responder"); 2105 2106 if (skb->len < sizeof(smp->pcnf)) 2107 return SMP_INVALID_PARAMS; 2108 2109 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2110 skb_pull(skb, sizeof(smp->pcnf)); 2111 2112 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2113 int ret; 2114 2115 /* Public Key exchange must happen before any other steps */ 2116 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2117 return sc_check_confirm(smp); 2118 2119 bt_dev_err(hdev, "Unexpected SMP Pairing Confirm"); 2120 2121 ret = fixup_sc_false_positive(smp); 2122 if (ret) 2123 return ret; 2124 } 2125 2126 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2127 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2128 smp->prnd); 2129 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2130 return 0; 2131 } 2132 2133 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2134 return smp_confirm(smp); 2135 2136 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2137 2138 return 0; 2139 } 2140 2141 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2142 { 2143 struct l2cap_chan *chan = conn->smp; 2144 struct smp_chan *smp = chan->data; 2145 struct hci_conn *hcon = conn->hcon; 2146 u8 *pkax, *pkbx, *na, *nb, confirm_hint; 2147 u32 passkey; 2148 int err; 2149 2150 bt_dev_dbg(hcon->hdev, "conn %p", conn); 2151 2152 if (skb->len < sizeof(smp->rrnd)) 2153 return SMP_INVALID_PARAMS; 2154 2155 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2156 skb_pull(skb, sizeof(smp->rrnd)); 2157 2158 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2159 return smp_random(smp); 2160 2161 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2162 pkax = smp->local_pk; 2163 pkbx = smp->remote_pk; 2164 na = smp->prnd; 2165 nb = smp->rrnd; 2166 } else { 2167 pkax = smp->remote_pk; 2168 pkbx = smp->local_pk; 2169 na = smp->rrnd; 2170 nb = smp->prnd; 2171 } 2172 2173 if (smp->method == REQ_OOB) { 2174 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2175 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2176 sizeof(smp->prnd), smp->prnd); 2177 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2178 goto mackey_and_ltk; 2179 } 2180 2181 /* Passkey entry has special treatment */ 2182 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2183 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2184 2185 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2186 u8 cfm[16]; 2187 2188 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2189 smp->rrnd, 0, cfm); 2190 if (err) 2191 return SMP_UNSPECIFIED; 2192 2193 if (crypto_memneq(smp->pcnf, cfm, 16)) 2194 return SMP_CONFIRM_FAILED; 2195 } else { 2196 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2197 smp->prnd); 2198 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2199 2200 /* Only Just-Works pairing requires extra checks */ 2201 if (smp->method != JUST_WORKS) 2202 goto mackey_and_ltk; 2203 2204 /* If there already exists long term key in local host, leave 2205 * the decision to user space since the remote device could 2206 * be legitimate or malicious. 2207 */ 2208 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 2209 hcon->role)) { 2210 /* Set passkey to 0. The value can be any number since 2211 * it'll be ignored anyway. 2212 */ 2213 passkey = 0; 2214 confirm_hint = 1; 2215 goto confirm; 2216 } 2217 } 2218 2219 mackey_and_ltk: 2220 /* Generate MacKey and LTK */ 2221 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2222 if (err) 2223 return SMP_UNSPECIFIED; 2224 2225 if (smp->method == REQ_OOB) { 2226 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2227 sc_dhkey_check(smp); 2228 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2229 } 2230 return 0; 2231 } 2232 2233 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2234 if (err) 2235 return SMP_UNSPECIFIED; 2236 2237 confirm_hint = 0; 2238 2239 confirm: 2240 if (smp->method == JUST_WORKS) 2241 confirm_hint = 1; 2242 2243 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2244 hcon->dst_type, passkey, confirm_hint); 2245 if (err) 2246 return SMP_UNSPECIFIED; 2247 2248 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2249 2250 return 0; 2251 } 2252 2253 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2254 { 2255 struct smp_ltk *key; 2256 struct hci_conn *hcon = conn->hcon; 2257 2258 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2259 if (!key) 2260 return false; 2261 2262 if (smp_ltk_sec_level(key) < sec_level) 2263 return false; 2264 2265 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2266 return true; 2267 2268 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2269 hcon->enc_key_size = key->enc_size; 2270 2271 /* We never store STKs for initiator role, so clear this flag */ 2272 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2273 2274 return true; 2275 } 2276 2277 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2278 enum smp_key_pref key_pref) 2279 { 2280 if (sec_level == BT_SECURITY_LOW) 2281 return true; 2282 2283 /* If we're encrypted with an STK but the caller prefers using 2284 * LTK claim insufficient security. This way we allow the 2285 * connection to be re-encrypted with an LTK, even if the LTK 2286 * provides the same level of security. Only exception is if we 2287 * don't have an LTK (e.g. because of key distribution bits). 2288 */ 2289 if (key_pref == SMP_USE_LTK && 2290 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2291 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2292 return false; 2293 2294 if (hcon->sec_level >= sec_level) 2295 return true; 2296 2297 return false; 2298 } 2299 2300 static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth) 2301 { 2302 struct smp_cmd_pairing cp; 2303 2304 if (smp->conn->hcon->type == ACL_LINK) 2305 build_bredr_pairing_cmd(smp, &cp, NULL); 2306 else 2307 build_pairing_cmd(smp->conn, &cp, NULL, auth); 2308 2309 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2310 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2311 2312 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2313 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2314 2315 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2316 } 2317 2318 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2319 { 2320 struct smp_cmd_security_req *rp = (void *) skb->data; 2321 struct hci_conn *hcon = conn->hcon; 2322 struct hci_dev *hdev = hcon->hdev; 2323 struct smp_chan *smp; 2324 u8 sec_level, auth; 2325 2326 bt_dev_dbg(hdev, "conn %p", conn); 2327 2328 if (skb->len < sizeof(*rp)) 2329 return SMP_INVALID_PARAMS; 2330 2331 if (hcon->role != HCI_ROLE_MASTER) 2332 return SMP_CMD_NOTSUPP; 2333 2334 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2335 2336 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2337 return SMP_AUTH_REQUIREMENTS; 2338 2339 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2340 sec_level = BT_SECURITY_MEDIUM; 2341 else 2342 sec_level = authreq_to_seclevel(auth); 2343 2344 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) { 2345 /* If link is already encrypted with sufficient security we 2346 * still need refresh encryption as per Core Spec 5.0 Vol 3, 2347 * Part H 2.4.6 2348 */ 2349 smp_ltk_encrypt(conn, hcon->sec_level); 2350 return 0; 2351 } 2352 2353 if (sec_level > hcon->pending_sec_level) 2354 hcon->pending_sec_level = sec_level; 2355 2356 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2357 return 0; 2358 2359 smp = smp_chan_create(conn); 2360 if (!smp) 2361 return SMP_UNSPECIFIED; 2362 2363 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2364 (auth & SMP_AUTH_BONDING)) 2365 return SMP_PAIRING_NOTSUPP; 2366 2367 skb_pull(skb, sizeof(*rp)); 2368 2369 smp_send_pairing_req(smp, auth); 2370 2371 return 0; 2372 } 2373 2374 static void smp_send_security_req(struct smp_chan *smp, __u8 auth) 2375 { 2376 struct smp_cmd_security_req cp; 2377 2378 cp.auth_req = auth; 2379 smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2380 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2381 2382 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 2383 } 2384 2385 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2386 { 2387 struct l2cap_conn *conn = hcon->l2cap_data; 2388 struct l2cap_chan *chan; 2389 struct smp_chan *smp; 2390 __u8 authreq; 2391 int ret; 2392 2393 bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon, 2394 sec_level); 2395 2396 /* This may be NULL if there's an unexpected disconnection */ 2397 if (!conn) 2398 return 1; 2399 2400 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2401 return 1; 2402 2403 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2404 return 1; 2405 2406 if (sec_level > hcon->pending_sec_level) 2407 hcon->pending_sec_level = sec_level; 2408 2409 if (hcon->role == HCI_ROLE_MASTER) 2410 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2411 return 0; 2412 2413 chan = conn->smp; 2414 if (!chan) { 2415 bt_dev_err(hcon->hdev, "security requested but not available"); 2416 return 1; 2417 } 2418 2419 l2cap_chan_lock(chan); 2420 2421 /* If SMP is already in progress ignore this request */ 2422 if (chan->data) { 2423 ret = 0; 2424 goto unlock; 2425 } 2426 2427 smp = smp_chan_create(conn); 2428 if (!smp) { 2429 ret = 1; 2430 goto unlock; 2431 } 2432 2433 authreq = seclevel_to_authreq(sec_level); 2434 2435 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) { 2436 authreq |= SMP_AUTH_SC; 2437 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED)) 2438 authreq |= SMP_AUTH_CT2; 2439 } 2440 2441 /* Don't attempt to set MITM if setting is overridden by debugfs 2442 * Needed to pass certification test SM/MAS/PKE/BV-01-C 2443 */ 2444 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) { 2445 /* Require MITM if IO Capability allows or the security level 2446 * requires it. 2447 */ 2448 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2449 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2450 authreq |= SMP_AUTH_MITM; 2451 } 2452 2453 if (hcon->role == HCI_ROLE_MASTER) 2454 smp_send_pairing_req(smp, authreq); 2455 else 2456 smp_send_security_req(smp, authreq); 2457 2458 ret = 0; 2459 2460 unlock: 2461 l2cap_chan_unlock(chan); 2462 return ret; 2463 } 2464 2465 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, 2466 u8 addr_type) 2467 { 2468 struct hci_conn *hcon; 2469 struct l2cap_conn *conn; 2470 struct l2cap_chan *chan; 2471 struct smp_chan *smp; 2472 int err; 2473 2474 err = hci_remove_ltk(hdev, bdaddr, addr_type); 2475 hci_remove_irk(hdev, bdaddr, addr_type); 2476 2477 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type); 2478 if (!hcon) 2479 goto done; 2480 2481 conn = hcon->l2cap_data; 2482 if (!conn) 2483 goto done; 2484 2485 chan = conn->smp; 2486 if (!chan) 2487 goto done; 2488 2489 l2cap_chan_lock(chan); 2490 2491 smp = chan->data; 2492 if (smp) { 2493 /* Set keys to NULL to make sure smp_failure() does not try to 2494 * remove and free already invalidated rcu list entries. */ 2495 smp->ltk = NULL; 2496 smp->responder_ltk = NULL; 2497 smp->remote_irk = NULL; 2498 2499 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2500 smp_failure(conn, 0); 2501 else 2502 smp_failure(conn, SMP_UNSPECIFIED); 2503 err = 0; 2504 } 2505 2506 l2cap_chan_unlock(chan); 2507 2508 done: 2509 return err; 2510 } 2511 2512 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2513 { 2514 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2515 struct l2cap_chan *chan = conn->smp; 2516 struct smp_chan *smp = chan->data; 2517 2518 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 2519 2520 if (skb->len < sizeof(*rp)) 2521 return SMP_INVALID_PARAMS; 2522 2523 /* Pairing is aborted if any blocked keys are distributed */ 2524 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK, 2525 rp->ltk)) { 2526 bt_dev_warn_ratelimited(conn->hcon->hdev, 2527 "LTK blocked for %pMR", 2528 &conn->hcon->dst); 2529 return SMP_INVALID_PARAMS; 2530 } 2531 2532 SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT); 2533 2534 skb_pull(skb, sizeof(*rp)); 2535 2536 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2537 2538 return 0; 2539 } 2540 2541 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2542 { 2543 struct smp_cmd_initiator_ident *rp = (void *)skb->data; 2544 struct l2cap_chan *chan = conn->smp; 2545 struct smp_chan *smp = chan->data; 2546 struct hci_dev *hdev = conn->hcon->hdev; 2547 struct hci_conn *hcon = conn->hcon; 2548 struct smp_ltk *ltk; 2549 u8 authenticated; 2550 2551 bt_dev_dbg(hdev, "conn %p", conn); 2552 2553 if (skb->len < sizeof(*rp)) 2554 return SMP_INVALID_PARAMS; 2555 2556 /* Mark the information as received */ 2557 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2558 2559 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2560 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2561 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2562 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2563 2564 skb_pull(skb, sizeof(*rp)); 2565 2566 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2567 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2568 authenticated, smp->tk, smp->enc_key_size, 2569 rp->ediv, rp->rand); 2570 smp->ltk = ltk; 2571 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2572 smp_distribute_keys(smp); 2573 2574 return 0; 2575 } 2576 2577 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2578 { 2579 struct smp_cmd_ident_info *info = (void *) skb->data; 2580 struct l2cap_chan *chan = conn->smp; 2581 struct smp_chan *smp = chan->data; 2582 2583 bt_dev_dbg(conn->hcon->hdev, ""); 2584 2585 if (skb->len < sizeof(*info)) 2586 return SMP_INVALID_PARAMS; 2587 2588 /* Pairing is aborted if any blocked keys are distributed */ 2589 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK, 2590 info->irk)) { 2591 bt_dev_warn_ratelimited(conn->hcon->hdev, 2592 "Identity key blocked for %pMR", 2593 &conn->hcon->dst); 2594 return SMP_INVALID_PARAMS; 2595 } 2596 2597 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2598 2599 skb_pull(skb, sizeof(*info)); 2600 2601 memcpy(smp->irk, info->irk, 16); 2602 2603 return 0; 2604 } 2605 2606 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2607 struct sk_buff *skb) 2608 { 2609 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2610 struct l2cap_chan *chan = conn->smp; 2611 struct smp_chan *smp = chan->data; 2612 struct hci_conn *hcon = conn->hcon; 2613 bdaddr_t rpa; 2614 2615 bt_dev_dbg(hcon->hdev, ""); 2616 2617 if (skb->len < sizeof(*info)) 2618 return SMP_INVALID_PARAMS; 2619 2620 /* Mark the information as received */ 2621 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2622 2623 if (smp->remote_key_dist & SMP_DIST_SIGN) 2624 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2625 2626 skb_pull(skb, sizeof(*info)); 2627 2628 /* Strictly speaking the Core Specification (4.1) allows sending 2629 * an empty address which would force us to rely on just the IRK 2630 * as "identity information". However, since such 2631 * implementations are not known of and in order to not over 2632 * complicate our implementation, simply pretend that we never 2633 * received an IRK for such a device. 2634 * 2635 * The Identity Address must also be a Static Random or Public 2636 * Address, which hci_is_identity_address() checks for. 2637 */ 2638 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2639 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2640 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address"); 2641 goto distribute; 2642 } 2643 2644 /* Drop IRK if peer is using identity address during pairing but is 2645 * providing different address as identity information. 2646 * 2647 * Microsoft Surface Precision Mouse is known to have this bug. 2648 */ 2649 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) && 2650 (bacmp(&info->bdaddr, &hcon->dst) || 2651 info->addr_type != hcon->dst_type)) { 2652 bt_dev_err(hcon->hdev, 2653 "ignoring IRK with invalid identity address"); 2654 goto distribute; 2655 } 2656 2657 bacpy(&smp->id_addr, &info->bdaddr); 2658 smp->id_addr_type = info->addr_type; 2659 2660 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2661 bacpy(&rpa, &hcon->dst); 2662 else 2663 bacpy(&rpa, BDADDR_ANY); 2664 2665 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2666 smp->id_addr_type, smp->irk, &rpa); 2667 2668 distribute: 2669 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2670 smp_distribute_keys(smp); 2671 2672 return 0; 2673 } 2674 2675 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2676 { 2677 struct smp_cmd_sign_info *rp = (void *) skb->data; 2678 struct l2cap_chan *chan = conn->smp; 2679 struct smp_chan *smp = chan->data; 2680 struct smp_csrk *csrk; 2681 2682 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 2683 2684 if (skb->len < sizeof(*rp)) 2685 return SMP_INVALID_PARAMS; 2686 2687 /* Mark the information as received */ 2688 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2689 2690 skb_pull(skb, sizeof(*rp)); 2691 2692 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2693 if (csrk) { 2694 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2695 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2696 else 2697 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2698 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2699 } 2700 smp->csrk = csrk; 2701 smp_distribute_keys(smp); 2702 2703 return 0; 2704 } 2705 2706 static u8 sc_select_method(struct smp_chan *smp) 2707 { 2708 struct smp_cmd_pairing *local, *remote; 2709 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2710 2711 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2712 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2713 return REQ_OOB; 2714 2715 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2716 * which are needed as inputs to some crypto functions. To get 2717 * the "struct smp_cmd_pairing" from them we need to skip the 2718 * first byte which contains the opcode. 2719 */ 2720 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2721 local = (void *) &smp->preq[1]; 2722 remote = (void *) &smp->prsp[1]; 2723 } else { 2724 local = (void *) &smp->prsp[1]; 2725 remote = (void *) &smp->preq[1]; 2726 } 2727 2728 local_io = local->io_capability; 2729 remote_io = remote->io_capability; 2730 2731 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2732 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2733 2734 /* If either side wants MITM, look up the method from the table, 2735 * otherwise use JUST WORKS. 2736 */ 2737 if (local_mitm || remote_mitm) 2738 method = get_auth_method(smp, local_io, remote_io); 2739 else 2740 method = JUST_WORKS; 2741 2742 /* Don't confirm locally initiated pairing attempts */ 2743 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2744 method = JUST_WORKS; 2745 2746 return method; 2747 } 2748 2749 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2750 { 2751 struct smp_cmd_public_key *key = (void *) skb->data; 2752 struct hci_conn *hcon = conn->hcon; 2753 struct l2cap_chan *chan = conn->smp; 2754 struct smp_chan *smp = chan->data; 2755 struct hci_dev *hdev = hcon->hdev; 2756 struct crypto_kpp *tfm_ecdh; 2757 struct smp_cmd_pairing_confirm cfm; 2758 int err; 2759 2760 bt_dev_dbg(hdev, "conn %p", conn); 2761 2762 if (skb->len < sizeof(*key)) 2763 return SMP_INVALID_PARAMS; 2764 2765 /* Check if remote and local public keys are the same and debug key is 2766 * not in use. 2767 */ 2768 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) && 2769 !crypto_memneq(key, smp->local_pk, 64)) { 2770 bt_dev_err(hdev, "Remote and local public keys are identical"); 2771 return SMP_UNSPECIFIED; 2772 } 2773 2774 memcpy(smp->remote_pk, key, 64); 2775 2776 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2777 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2778 smp->rr, 0, cfm.confirm_val); 2779 if (err) 2780 return SMP_UNSPECIFIED; 2781 2782 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16)) 2783 return SMP_CONFIRM_FAILED; 2784 } 2785 2786 /* Non-initiating device sends its public key after receiving 2787 * the key from the initiating device. 2788 */ 2789 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2790 err = sc_send_public_key(smp); 2791 if (err) 2792 return err; 2793 } 2794 2795 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2796 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2797 2798 /* Compute the shared secret on the same crypto tfm on which the private 2799 * key was set/generated. 2800 */ 2801 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 2802 struct l2cap_chan *hchan = hdev->smp_data; 2803 struct smp_dev *smp_dev; 2804 2805 if (!hchan || !hchan->data) 2806 return SMP_UNSPECIFIED; 2807 2808 smp_dev = hchan->data; 2809 2810 tfm_ecdh = smp_dev->tfm_ecdh; 2811 } else { 2812 tfm_ecdh = smp->tfm_ecdh; 2813 } 2814 2815 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey)) 2816 return SMP_UNSPECIFIED; 2817 2818 SMP_DBG("DHKey %32phN", smp->dhkey); 2819 2820 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2821 2822 smp->method = sc_select_method(smp); 2823 2824 bt_dev_dbg(hdev, "selected method 0x%02x", smp->method); 2825 2826 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2827 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2828 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2829 else 2830 hcon->pending_sec_level = BT_SECURITY_FIPS; 2831 2832 if (!crypto_memneq(debug_pk, smp->remote_pk, 64)) 2833 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2834 2835 if (smp->method == DSP_PASSKEY) { 2836 get_random_bytes(&hcon->passkey_notify, 2837 sizeof(hcon->passkey_notify)); 2838 hcon->passkey_notify %= 1000000; 2839 hcon->passkey_entered = 0; 2840 smp->passkey_round = 0; 2841 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2842 hcon->dst_type, 2843 hcon->passkey_notify, 2844 hcon->passkey_entered)) 2845 return SMP_UNSPECIFIED; 2846 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2847 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2848 } 2849 2850 if (smp->method == REQ_OOB) { 2851 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2852 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2853 sizeof(smp->prnd), smp->prnd); 2854 2855 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2856 2857 return 0; 2858 } 2859 2860 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2861 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2862 2863 if (smp->method == REQ_PASSKEY) { 2864 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2865 hcon->dst_type)) 2866 return SMP_UNSPECIFIED; 2867 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2868 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2869 return 0; 2870 } 2871 2872 /* The Initiating device waits for the non-initiating device to 2873 * send the confirm value. 2874 */ 2875 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2876 return 0; 2877 2878 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2879 0, cfm.confirm_val); 2880 if (err) 2881 return SMP_UNSPECIFIED; 2882 2883 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2884 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2885 2886 return 0; 2887 } 2888 2889 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2890 { 2891 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2892 struct l2cap_chan *chan = conn->smp; 2893 struct hci_conn *hcon = conn->hcon; 2894 struct smp_chan *smp = chan->data; 2895 u8 a[7], b[7], *local_addr, *remote_addr; 2896 u8 io_cap[3], r[16], e[16]; 2897 int err; 2898 2899 bt_dev_dbg(hcon->hdev, "conn %p", conn); 2900 2901 if (skb->len < sizeof(*check)) 2902 return SMP_INVALID_PARAMS; 2903 2904 memcpy(a, &hcon->init_addr, 6); 2905 memcpy(b, &hcon->resp_addr, 6); 2906 a[6] = hcon->init_addr_type; 2907 b[6] = hcon->resp_addr_type; 2908 2909 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2910 local_addr = a; 2911 remote_addr = b; 2912 memcpy(io_cap, &smp->prsp[1], 3); 2913 } else { 2914 local_addr = b; 2915 remote_addr = a; 2916 memcpy(io_cap, &smp->preq[1], 3); 2917 } 2918 2919 memset(r, 0, sizeof(r)); 2920 2921 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2922 put_unaligned_le32(hcon->passkey_notify, r); 2923 else if (smp->method == REQ_OOB) 2924 memcpy(r, smp->lr, 16); 2925 2926 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2927 io_cap, remote_addr, local_addr, e); 2928 if (err) 2929 return SMP_UNSPECIFIED; 2930 2931 if (crypto_memneq(check->e, e, 16)) 2932 return SMP_DHKEY_CHECK_FAILED; 2933 2934 if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2935 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2936 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2937 return 0; 2938 } 2939 2940 /* Responder sends DHKey check as response to initiator */ 2941 sc_dhkey_check(smp); 2942 } 2943 2944 sc_add_ltk(smp); 2945 2946 if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) { 2947 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2948 hcon->enc_key_size = smp->enc_key_size; 2949 } 2950 2951 return 0; 2952 } 2953 2954 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2955 struct sk_buff *skb) 2956 { 2957 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2958 2959 bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value); 2960 2961 return 0; 2962 } 2963 2964 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2965 { 2966 struct l2cap_conn *conn = chan->conn; 2967 struct hci_conn *hcon = conn->hcon; 2968 struct smp_chan *smp; 2969 __u8 code, reason; 2970 int err = 0; 2971 2972 if (skb->len < 1) 2973 return -EILSEQ; 2974 2975 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2976 reason = SMP_PAIRING_NOTSUPP; 2977 goto done; 2978 } 2979 2980 code = skb->data[0]; 2981 skb_pull(skb, sizeof(code)); 2982 2983 smp = chan->data; 2984 2985 if (code > SMP_CMD_MAX) 2986 goto drop; 2987 2988 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2989 goto drop; 2990 2991 /* If we don't have a context the only allowed commands are 2992 * pairing request and security request. 2993 */ 2994 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2995 goto drop; 2996 2997 switch (code) { 2998 case SMP_CMD_PAIRING_REQ: 2999 reason = smp_cmd_pairing_req(conn, skb); 3000 break; 3001 3002 case SMP_CMD_PAIRING_FAIL: 3003 smp_failure(conn, 0); 3004 err = -EPERM; 3005 break; 3006 3007 case SMP_CMD_PAIRING_RSP: 3008 reason = smp_cmd_pairing_rsp(conn, skb); 3009 break; 3010 3011 case SMP_CMD_SECURITY_REQ: 3012 reason = smp_cmd_security_req(conn, skb); 3013 break; 3014 3015 case SMP_CMD_PAIRING_CONFIRM: 3016 reason = smp_cmd_pairing_confirm(conn, skb); 3017 break; 3018 3019 case SMP_CMD_PAIRING_RANDOM: 3020 reason = smp_cmd_pairing_random(conn, skb); 3021 break; 3022 3023 case SMP_CMD_ENCRYPT_INFO: 3024 reason = smp_cmd_encrypt_info(conn, skb); 3025 break; 3026 3027 case SMP_CMD_INITIATOR_IDENT: 3028 reason = smp_cmd_initiator_ident(conn, skb); 3029 break; 3030 3031 case SMP_CMD_IDENT_INFO: 3032 reason = smp_cmd_ident_info(conn, skb); 3033 break; 3034 3035 case SMP_CMD_IDENT_ADDR_INFO: 3036 reason = smp_cmd_ident_addr_info(conn, skb); 3037 break; 3038 3039 case SMP_CMD_SIGN_INFO: 3040 reason = smp_cmd_sign_info(conn, skb); 3041 break; 3042 3043 case SMP_CMD_PUBLIC_KEY: 3044 reason = smp_cmd_public_key(conn, skb); 3045 break; 3046 3047 case SMP_CMD_DHKEY_CHECK: 3048 reason = smp_cmd_dhkey_check(conn, skb); 3049 break; 3050 3051 case SMP_CMD_KEYPRESS_NOTIFY: 3052 reason = smp_cmd_keypress_notify(conn, skb); 3053 break; 3054 3055 default: 3056 bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code); 3057 reason = SMP_CMD_NOTSUPP; 3058 goto done; 3059 } 3060 3061 done: 3062 if (!err) { 3063 if (reason) 3064 smp_failure(conn, reason); 3065 kfree_skb(skb); 3066 } 3067 3068 return err; 3069 3070 drop: 3071 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR", 3072 code, &hcon->dst); 3073 kfree_skb(skb); 3074 return 0; 3075 } 3076 3077 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 3078 { 3079 struct l2cap_conn *conn = chan->conn; 3080 3081 bt_dev_dbg(conn->hcon->hdev, "chan %p", chan); 3082 3083 if (chan->data) 3084 smp_chan_destroy(conn); 3085 3086 conn->smp = NULL; 3087 l2cap_chan_put(chan); 3088 } 3089 3090 static void bredr_pairing(struct l2cap_chan *chan) 3091 { 3092 struct l2cap_conn *conn = chan->conn; 3093 struct hci_conn *hcon = conn->hcon; 3094 struct hci_dev *hdev = hcon->hdev; 3095 struct smp_chan *smp; 3096 3097 bt_dev_dbg(hdev, "chan %p", chan); 3098 3099 /* Only new pairings are interesting */ 3100 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 3101 return; 3102 3103 /* Don't bother if we're not encrypted */ 3104 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3105 return; 3106 3107 /* Only initiator may initiate SMP over BR/EDR */ 3108 if (hcon->role != HCI_ROLE_MASTER) 3109 return; 3110 3111 /* Secure Connections support must be enabled */ 3112 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 3113 return; 3114 3115 /* BR/EDR must use Secure Connections for SMP */ 3116 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 3117 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3118 return; 3119 3120 /* If our LE support is not enabled don't do anything */ 3121 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 3122 return; 3123 3124 /* Don't bother if remote LE support is not enabled */ 3125 if (!lmp_host_le_capable(hcon)) 3126 return; 3127 3128 /* Remote must support SMP fixed chan for BR/EDR */ 3129 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 3130 return; 3131 3132 /* Don't bother if SMP is already ongoing */ 3133 if (chan->data) 3134 return; 3135 3136 smp = smp_chan_create(conn); 3137 if (!smp) { 3138 bt_dev_err(hdev, "unable to create SMP context for BR/EDR"); 3139 return; 3140 } 3141 3142 set_bit(SMP_FLAG_SC, &smp->flags); 3143 3144 bt_dev_dbg(hdev, "starting SMP over BR/EDR"); 3145 3146 smp_send_pairing_req(smp, 0x00); 3147 } 3148 3149 static void smp_resume_cb(struct l2cap_chan *chan) 3150 { 3151 struct smp_chan *smp = chan->data; 3152 struct l2cap_conn *conn = chan->conn; 3153 struct hci_conn *hcon = conn->hcon; 3154 3155 bt_dev_dbg(hcon->hdev, "chan %p", chan); 3156 3157 if (hcon->type == ACL_LINK) { 3158 bredr_pairing(chan); 3159 return; 3160 } 3161 3162 if (!smp) 3163 return; 3164 3165 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3166 return; 3167 3168 cancel_delayed_work(&smp->security_timer); 3169 3170 smp_distribute_keys(smp); 3171 } 3172 3173 static void smp_ready_cb(struct l2cap_chan *chan) 3174 { 3175 struct l2cap_conn *conn = chan->conn; 3176 struct hci_conn *hcon = conn->hcon; 3177 3178 bt_dev_dbg(hcon->hdev, "chan %p", chan); 3179 3180 /* No need to call l2cap_chan_hold() here since we already own 3181 * the reference taken in smp_new_conn_cb(). This is just the 3182 * first time that we tie it to a specific pointer. The code in 3183 * l2cap_core.c ensures that there's no risk this function wont 3184 * get called if smp_new_conn_cb was previously called. 3185 */ 3186 conn->smp = chan; 3187 3188 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3189 bredr_pairing(chan); 3190 } 3191 3192 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3193 { 3194 int err; 3195 3196 bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan); 3197 3198 err = smp_sig_channel(chan, skb); 3199 if (err) { 3200 struct smp_chan *smp = chan->data; 3201 3202 if (smp) 3203 cancel_delayed_work_sync(&smp->security_timer); 3204 3205 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3206 } 3207 3208 return err; 3209 } 3210 3211 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3212 unsigned long hdr_len, 3213 unsigned long len, int nb) 3214 { 3215 struct sk_buff *skb; 3216 3217 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3218 if (!skb) 3219 return ERR_PTR(-ENOMEM); 3220 3221 skb->priority = HCI_PRIO_MAX; 3222 bt_cb(skb)->l2cap.chan = chan; 3223 3224 return skb; 3225 } 3226 3227 static const struct l2cap_ops smp_chan_ops = { 3228 .name = "Security Manager", 3229 .ready = smp_ready_cb, 3230 .recv = smp_recv_cb, 3231 .alloc_skb = smp_alloc_skb_cb, 3232 .teardown = smp_teardown_cb, 3233 .resume = smp_resume_cb, 3234 3235 .new_connection = l2cap_chan_no_new_connection, 3236 .state_change = l2cap_chan_no_state_change, 3237 .close = l2cap_chan_no_close, 3238 .defer = l2cap_chan_no_defer, 3239 .suspend = l2cap_chan_no_suspend, 3240 .set_shutdown = l2cap_chan_no_set_shutdown, 3241 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3242 }; 3243 3244 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3245 { 3246 struct l2cap_chan *chan; 3247 3248 BT_DBG("pchan %p", pchan); 3249 3250 chan = l2cap_chan_create(); 3251 if (!chan) 3252 return NULL; 3253 3254 chan->chan_type = pchan->chan_type; 3255 chan->ops = &smp_chan_ops; 3256 chan->scid = pchan->scid; 3257 chan->dcid = chan->scid; 3258 chan->imtu = pchan->imtu; 3259 chan->omtu = pchan->omtu; 3260 chan->mode = pchan->mode; 3261 3262 /* Other L2CAP channels may request SMP routines in order to 3263 * change the security level. This means that the SMP channel 3264 * lock must be considered in its own category to avoid lockdep 3265 * warnings. 3266 */ 3267 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3268 3269 BT_DBG("created chan %p", chan); 3270 3271 return chan; 3272 } 3273 3274 static const struct l2cap_ops smp_root_chan_ops = { 3275 .name = "Security Manager Root", 3276 .new_connection = smp_new_conn_cb, 3277 3278 /* None of these are implemented for the root channel */ 3279 .close = l2cap_chan_no_close, 3280 .alloc_skb = l2cap_chan_no_alloc_skb, 3281 .recv = l2cap_chan_no_recv, 3282 .state_change = l2cap_chan_no_state_change, 3283 .teardown = l2cap_chan_no_teardown, 3284 .ready = l2cap_chan_no_ready, 3285 .defer = l2cap_chan_no_defer, 3286 .suspend = l2cap_chan_no_suspend, 3287 .resume = l2cap_chan_no_resume, 3288 .set_shutdown = l2cap_chan_no_set_shutdown, 3289 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3290 }; 3291 3292 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3293 { 3294 struct l2cap_chan *chan; 3295 struct smp_dev *smp; 3296 struct crypto_shash *tfm_cmac; 3297 struct crypto_kpp *tfm_ecdh; 3298 3299 if (cid == L2CAP_CID_SMP_BREDR) { 3300 smp = NULL; 3301 goto create_chan; 3302 } 3303 3304 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3305 if (!smp) 3306 return ERR_PTR(-ENOMEM); 3307 3308 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3309 if (IS_ERR(tfm_cmac)) { 3310 bt_dev_err(hdev, "Unable to create CMAC crypto context"); 3311 kfree_sensitive(smp); 3312 return ERR_CAST(tfm_cmac); 3313 } 3314 3315 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 3316 if (IS_ERR(tfm_ecdh)) { 3317 bt_dev_err(hdev, "Unable to create ECDH crypto context"); 3318 crypto_free_shash(tfm_cmac); 3319 kfree_sensitive(smp); 3320 return ERR_CAST(tfm_ecdh); 3321 } 3322 3323 smp->local_oob = false; 3324 smp->tfm_cmac = tfm_cmac; 3325 smp->tfm_ecdh = tfm_ecdh; 3326 3327 create_chan: 3328 chan = l2cap_chan_create(); 3329 if (!chan) { 3330 if (smp) { 3331 crypto_free_shash(smp->tfm_cmac); 3332 crypto_free_kpp(smp->tfm_ecdh); 3333 kfree_sensitive(smp); 3334 } 3335 return ERR_PTR(-ENOMEM); 3336 } 3337 3338 chan->data = smp; 3339 3340 l2cap_add_scid(chan, cid); 3341 3342 l2cap_chan_set_defaults(chan); 3343 3344 if (cid == L2CAP_CID_SMP) { 3345 u8 bdaddr_type; 3346 3347 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3348 3349 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3350 chan->src_type = BDADDR_LE_PUBLIC; 3351 else 3352 chan->src_type = BDADDR_LE_RANDOM; 3353 } else { 3354 bacpy(&chan->src, &hdev->bdaddr); 3355 chan->src_type = BDADDR_BREDR; 3356 } 3357 3358 chan->state = BT_LISTEN; 3359 chan->mode = L2CAP_MODE_BASIC; 3360 chan->imtu = L2CAP_DEFAULT_MTU; 3361 chan->ops = &smp_root_chan_ops; 3362 3363 /* Set correct nesting level for a parent/listening channel */ 3364 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3365 3366 return chan; 3367 } 3368 3369 static void smp_del_chan(struct l2cap_chan *chan) 3370 { 3371 struct smp_dev *smp; 3372 3373 BT_DBG("chan %p", chan); 3374 3375 smp = chan->data; 3376 if (smp) { 3377 chan->data = NULL; 3378 crypto_free_shash(smp->tfm_cmac); 3379 crypto_free_kpp(smp->tfm_ecdh); 3380 kfree_sensitive(smp); 3381 } 3382 3383 l2cap_chan_put(chan); 3384 } 3385 3386 int smp_force_bredr(struct hci_dev *hdev, bool enable) 3387 { 3388 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3389 return -EALREADY; 3390 3391 if (enable) { 3392 struct l2cap_chan *chan; 3393 3394 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3395 if (IS_ERR(chan)) 3396 return PTR_ERR(chan); 3397 3398 hdev->smp_bredr_data = chan; 3399 } else { 3400 struct l2cap_chan *chan; 3401 3402 chan = hdev->smp_bredr_data; 3403 hdev->smp_bredr_data = NULL; 3404 smp_del_chan(chan); 3405 } 3406 3407 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3408 3409 return 0; 3410 } 3411 3412 int smp_register(struct hci_dev *hdev) 3413 { 3414 struct l2cap_chan *chan; 3415 3416 bt_dev_dbg(hdev, ""); 3417 3418 /* If the controller does not support Low Energy operation, then 3419 * there is also no need to register any SMP channel. 3420 */ 3421 if (!lmp_le_capable(hdev)) 3422 return 0; 3423 3424 if (WARN_ON(hdev->smp_data)) { 3425 chan = hdev->smp_data; 3426 hdev->smp_data = NULL; 3427 smp_del_chan(chan); 3428 } 3429 3430 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3431 if (IS_ERR(chan)) 3432 return PTR_ERR(chan); 3433 3434 hdev->smp_data = chan; 3435 3436 if (!lmp_sc_capable(hdev)) { 3437 /* Flag can be already set here (due to power toggle) */ 3438 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3439 return 0; 3440 } 3441 3442 if (WARN_ON(hdev->smp_bredr_data)) { 3443 chan = hdev->smp_bredr_data; 3444 hdev->smp_bredr_data = NULL; 3445 smp_del_chan(chan); 3446 } 3447 3448 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3449 if (IS_ERR(chan)) { 3450 int err = PTR_ERR(chan); 3451 chan = hdev->smp_data; 3452 hdev->smp_data = NULL; 3453 smp_del_chan(chan); 3454 return err; 3455 } 3456 3457 hdev->smp_bredr_data = chan; 3458 3459 return 0; 3460 } 3461 3462 void smp_unregister(struct hci_dev *hdev) 3463 { 3464 struct l2cap_chan *chan; 3465 3466 if (hdev->smp_bredr_data) { 3467 chan = hdev->smp_bredr_data; 3468 hdev->smp_bredr_data = NULL; 3469 smp_del_chan(chan); 3470 } 3471 3472 if (hdev->smp_data) { 3473 chan = hdev->smp_data; 3474 hdev->smp_data = NULL; 3475 smp_del_chan(chan); 3476 } 3477 } 3478 3479 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3480 3481 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh) 3482 { 3483 u8 pk[64]; 3484 int err; 3485 3486 err = set_ecdh_privkey(tfm_ecdh, debug_sk); 3487 if (err) 3488 return err; 3489 3490 err = generate_ecdh_public_key(tfm_ecdh, pk); 3491 if (err) 3492 return err; 3493 3494 if (crypto_memneq(pk, debug_pk, 64)) 3495 return -EINVAL; 3496 3497 return 0; 3498 } 3499 3500 static int __init test_ah(void) 3501 { 3502 const u8 irk[16] = { 3503 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3504 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3505 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3506 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3507 u8 res[3]; 3508 int err; 3509 3510 err = smp_ah(irk, r, res); 3511 if (err) 3512 return err; 3513 3514 if (crypto_memneq(res, exp, 3)) 3515 return -EINVAL; 3516 3517 return 0; 3518 } 3519 3520 static int __init test_c1(void) 3521 { 3522 const u8 k[16] = { 3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3525 const u8 r[16] = { 3526 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3527 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3528 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3529 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3530 const u8 _iat = 0x01; 3531 const u8 _rat = 0x00; 3532 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3533 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3534 const u8 exp[16] = { 3535 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3536 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3537 u8 res[16]; 3538 int err; 3539 3540 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3541 if (err) 3542 return err; 3543 3544 if (crypto_memneq(res, exp, 16)) 3545 return -EINVAL; 3546 3547 return 0; 3548 } 3549 3550 static int __init test_s1(void) 3551 { 3552 const u8 k[16] = { 3553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3555 const u8 r1[16] = { 3556 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3557 const u8 r2[16] = { 3558 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3559 const u8 exp[16] = { 3560 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3561 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3562 u8 res[16]; 3563 int err; 3564 3565 err = smp_s1(k, r1, r2, res); 3566 if (err) 3567 return err; 3568 3569 if (crypto_memneq(res, exp, 16)) 3570 return -EINVAL; 3571 3572 return 0; 3573 } 3574 3575 static int __init test_f4(struct crypto_shash *tfm_cmac) 3576 { 3577 const u8 u[32] = { 3578 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3579 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3580 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3581 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3582 const u8 v[32] = { 3583 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3584 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3585 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3586 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3587 const u8 x[16] = { 3588 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3589 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3590 const u8 z = 0x00; 3591 const u8 exp[16] = { 3592 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3593 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3594 u8 res[16]; 3595 int err; 3596 3597 err = smp_f4(tfm_cmac, u, v, x, z, res); 3598 if (err) 3599 return err; 3600 3601 if (crypto_memneq(res, exp, 16)) 3602 return -EINVAL; 3603 3604 return 0; 3605 } 3606 3607 static int __init test_f5(struct crypto_shash *tfm_cmac) 3608 { 3609 const u8 w[32] = { 3610 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3611 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3612 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3613 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3614 const u8 n1[16] = { 3615 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3616 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3617 const u8 n2[16] = { 3618 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3619 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3620 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3621 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3622 const u8 exp_ltk[16] = { 3623 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3624 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3625 const u8 exp_mackey[16] = { 3626 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3627 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3628 u8 mackey[16], ltk[16]; 3629 int err; 3630 3631 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3632 if (err) 3633 return err; 3634 3635 if (crypto_memneq(mackey, exp_mackey, 16)) 3636 return -EINVAL; 3637 3638 if (crypto_memneq(ltk, exp_ltk, 16)) 3639 return -EINVAL; 3640 3641 return 0; 3642 } 3643 3644 static int __init test_f6(struct crypto_shash *tfm_cmac) 3645 { 3646 const u8 w[16] = { 3647 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3648 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3649 const u8 n1[16] = { 3650 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3651 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3652 const u8 n2[16] = { 3653 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3654 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3655 const u8 r[16] = { 3656 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3657 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3658 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3659 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3660 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3661 const u8 exp[16] = { 3662 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3663 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3664 u8 res[16]; 3665 int err; 3666 3667 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3668 if (err) 3669 return err; 3670 3671 if (crypto_memneq(res, exp, 16)) 3672 return -EINVAL; 3673 3674 return 0; 3675 } 3676 3677 static int __init test_g2(struct crypto_shash *tfm_cmac) 3678 { 3679 const u8 u[32] = { 3680 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3681 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3682 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3683 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3684 const u8 v[32] = { 3685 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3686 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3687 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3688 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3689 const u8 x[16] = { 3690 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3691 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3692 const u8 y[16] = { 3693 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3694 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3695 const u32 exp_val = 0x2f9ed5ba % 1000000; 3696 u32 val; 3697 int err; 3698 3699 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3700 if (err) 3701 return err; 3702 3703 if (val != exp_val) 3704 return -EINVAL; 3705 3706 return 0; 3707 } 3708 3709 static int __init test_h6(struct crypto_shash *tfm_cmac) 3710 { 3711 const u8 w[16] = { 3712 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3713 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3714 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3715 const u8 exp[16] = { 3716 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3717 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3718 u8 res[16]; 3719 int err; 3720 3721 err = smp_h6(tfm_cmac, w, key_id, res); 3722 if (err) 3723 return err; 3724 3725 if (crypto_memneq(res, exp, 16)) 3726 return -EINVAL; 3727 3728 return 0; 3729 } 3730 3731 static char test_smp_buffer[32]; 3732 3733 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3734 size_t count, loff_t *ppos) 3735 { 3736 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3737 strlen(test_smp_buffer)); 3738 } 3739 3740 static const struct file_operations test_smp_fops = { 3741 .open = simple_open, 3742 .read = test_smp_read, 3743 .llseek = default_llseek, 3744 }; 3745 3746 static int __init run_selftests(struct crypto_shash *tfm_cmac, 3747 struct crypto_kpp *tfm_ecdh) 3748 { 3749 ktime_t calltime, delta, rettime; 3750 unsigned long long duration; 3751 int err; 3752 3753 calltime = ktime_get(); 3754 3755 err = test_debug_key(tfm_ecdh); 3756 if (err) { 3757 BT_ERR("debug_key test failed"); 3758 goto done; 3759 } 3760 3761 err = test_ah(); 3762 if (err) { 3763 BT_ERR("smp_ah test failed"); 3764 goto done; 3765 } 3766 3767 err = test_c1(); 3768 if (err) { 3769 BT_ERR("smp_c1 test failed"); 3770 goto done; 3771 } 3772 3773 err = test_s1(); 3774 if (err) { 3775 BT_ERR("smp_s1 test failed"); 3776 goto done; 3777 } 3778 3779 err = test_f4(tfm_cmac); 3780 if (err) { 3781 BT_ERR("smp_f4 test failed"); 3782 goto done; 3783 } 3784 3785 err = test_f5(tfm_cmac); 3786 if (err) { 3787 BT_ERR("smp_f5 test failed"); 3788 goto done; 3789 } 3790 3791 err = test_f6(tfm_cmac); 3792 if (err) { 3793 BT_ERR("smp_f6 test failed"); 3794 goto done; 3795 } 3796 3797 err = test_g2(tfm_cmac); 3798 if (err) { 3799 BT_ERR("smp_g2 test failed"); 3800 goto done; 3801 } 3802 3803 err = test_h6(tfm_cmac); 3804 if (err) { 3805 BT_ERR("smp_h6 test failed"); 3806 goto done; 3807 } 3808 3809 rettime = ktime_get(); 3810 delta = ktime_sub(rettime, calltime); 3811 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3812 3813 BT_INFO("SMP test passed in %llu usecs", duration); 3814 3815 done: 3816 if (!err) 3817 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3818 "PASS (%llu usecs)\n", duration); 3819 else 3820 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3821 3822 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3823 &test_smp_fops); 3824 3825 return err; 3826 } 3827 3828 int __init bt_selftest_smp(void) 3829 { 3830 struct crypto_shash *tfm_cmac; 3831 struct crypto_kpp *tfm_ecdh; 3832 int err; 3833 3834 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3835 if (IS_ERR(tfm_cmac)) { 3836 BT_ERR("Unable to create CMAC crypto context"); 3837 return PTR_ERR(tfm_cmac); 3838 } 3839 3840 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 3841 if (IS_ERR(tfm_ecdh)) { 3842 BT_ERR("Unable to create ECDH crypto context"); 3843 crypto_free_shash(tfm_cmac); 3844 return PTR_ERR(tfm_ecdh); 3845 } 3846 3847 err = run_selftests(tfm_cmac, tfm_ecdh); 3848 3849 crypto_free_shash(tfm_cmac); 3850 crypto_free_kpp(tfm_ecdh); 3851 3852 return err; 3853 } 3854 3855 #endif 3856