1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/crypto.h> 25 #include <linux/scatterlist.h> 26 #include <crypto/b128ops.h> 27 28 #include <net/bluetooth/bluetooth.h> 29 #include <net/bluetooth/hci_core.h> 30 #include <net/bluetooth/l2cap.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "ecc.h" 34 #include "smp.h" 35 36 #define SMP_DEV(hdev) \ 37 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 38 39 /* Low-level debug macros to be used for stuff that we don't want 40 * accidentially in dmesg, i.e. the values of the various crypto keys 41 * and the inputs & outputs of crypto functions. 42 */ 43 #ifdef DEBUG 44 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 45 ##__VA_ARGS__) 46 #else 47 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 48 ##__VA_ARGS__) 49 #endif 50 51 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 52 53 /* Keys which are not distributed with Secure Connections */ 54 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY); 55 56 #define SMP_TIMEOUT msecs_to_jiffies(30000) 57 58 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 59 0x1f : 0x07) 60 #define KEY_DIST_MASK 0x07 61 62 /* Maximum message length that can be passed to aes_cmac */ 63 #define CMAC_MSG_MAX 80 64 65 enum { 66 SMP_FLAG_TK_VALID, 67 SMP_FLAG_CFM_PENDING, 68 SMP_FLAG_MITM_AUTH, 69 SMP_FLAG_COMPLETE, 70 SMP_FLAG_INITIATOR, 71 SMP_FLAG_SC, 72 SMP_FLAG_REMOTE_PK, 73 SMP_FLAG_DEBUG_KEY, 74 SMP_FLAG_WAIT_USER, 75 SMP_FLAG_DHKEY_PENDING, 76 SMP_FLAG_REMOTE_OOB, 77 SMP_FLAG_LOCAL_OOB, 78 }; 79 80 struct smp_dev { 81 /* Secure Connections OOB data */ 82 u8 local_pk[64]; 83 u8 local_sk[32]; 84 u8 local_rand[16]; 85 bool debug_key; 86 87 u8 min_key_size; 88 u8 max_key_size; 89 90 struct crypto_blkcipher *tfm_aes; 91 struct crypto_hash *tfm_cmac; 92 }; 93 94 struct smp_chan { 95 struct l2cap_conn *conn; 96 struct delayed_work security_timer; 97 unsigned long allow_cmd; /* Bitmask of allowed commands */ 98 99 u8 preq[7]; /* SMP Pairing Request */ 100 u8 prsp[7]; /* SMP Pairing Response */ 101 u8 prnd[16]; /* SMP Pairing Random (local) */ 102 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 103 u8 pcnf[16]; /* SMP Pairing Confirm */ 104 u8 tk[16]; /* SMP Temporary Key */ 105 u8 rr[16]; /* Remote OOB ra/rb value */ 106 u8 lr[16]; /* Local OOB ra/rb value */ 107 u8 enc_key_size; 108 u8 remote_key_dist; 109 bdaddr_t id_addr; 110 u8 id_addr_type; 111 u8 irk[16]; 112 struct smp_csrk *csrk; 113 struct smp_csrk *slave_csrk; 114 struct smp_ltk *ltk; 115 struct smp_ltk *slave_ltk; 116 struct smp_irk *remote_irk; 117 u8 *link_key; 118 unsigned long flags; 119 u8 method; 120 u8 passkey_round; 121 122 /* Secure Connections variables */ 123 u8 local_pk[64]; 124 u8 local_sk[32]; 125 u8 remote_pk[64]; 126 u8 dhkey[32]; 127 u8 mackey[16]; 128 129 struct crypto_blkcipher *tfm_aes; 130 struct crypto_hash *tfm_cmac; 131 }; 132 133 /* These debug key values are defined in the SMP section of the core 134 * specification. debug_pk is the public debug key and debug_sk the 135 * private debug key. 136 */ 137 static const u8 debug_pk[64] = { 138 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 139 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 140 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 141 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 142 143 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 144 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 145 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 146 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 147 }; 148 149 static const u8 debug_sk[32] = { 150 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 151 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 152 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 153 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 154 }; 155 156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 157 { 158 size_t i; 159 160 for (i = 0; i < len; i++) 161 dst[len - 1 - i] = src[i]; 162 } 163 164 /* The following functions map to the LE SC SMP crypto functions 165 * AES-CMAC, f4, f5, f6, g2 and h6. 166 */ 167 168 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m, 169 size_t len, u8 mac[16]) 170 { 171 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 172 struct hash_desc desc; 173 struct scatterlist sg; 174 int err; 175 176 if (len > CMAC_MSG_MAX) 177 return -EFBIG; 178 179 if (!tfm) { 180 BT_ERR("tfm %p", tfm); 181 return -EINVAL; 182 } 183 184 desc.tfm = tfm; 185 desc.flags = 0; 186 187 crypto_hash_init(&desc); 188 189 /* Swap key and message from LSB to MSB */ 190 swap_buf(k, tmp, 16); 191 swap_buf(m, msg_msb, len); 192 193 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 194 SMP_DBG("key %16phN", k); 195 196 err = crypto_hash_setkey(tfm, tmp, 16); 197 if (err) { 198 BT_ERR("cipher setkey failed: %d", err); 199 return err; 200 } 201 202 sg_init_one(&sg, msg_msb, len); 203 204 err = crypto_hash_update(&desc, &sg, len); 205 if (err) { 206 BT_ERR("Hash update error %d", err); 207 return err; 208 } 209 210 err = crypto_hash_final(&desc, mac_msb); 211 if (err) { 212 BT_ERR("Hash final error %d", err); 213 return err; 214 } 215 216 swap_buf(mac_msb, mac, 16); 217 218 SMP_DBG("mac %16phN", mac); 219 220 return 0; 221 } 222 223 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32], 224 const u8 x[16], u8 z, u8 res[16]) 225 { 226 u8 m[65]; 227 int err; 228 229 SMP_DBG("u %32phN", u); 230 SMP_DBG("v %32phN", v); 231 SMP_DBG("x %16phN z %02x", x, z); 232 233 m[0] = z; 234 memcpy(m + 1, v, 32); 235 memcpy(m + 33, u, 32); 236 237 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 238 if (err) 239 return err; 240 241 SMP_DBG("res %16phN", res); 242 243 return err; 244 } 245 246 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32], 247 const u8 n1[16], const u8 n2[16], const u8 a1[7], 248 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 249 { 250 /* The btle, salt and length "magic" values are as defined in 251 * the SMP section of the Bluetooth core specification. In ASCII 252 * the btle value ends up being 'btle'. The salt is just a 253 * random number whereas length is the value 256 in little 254 * endian format. 255 */ 256 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 257 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 258 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 259 const u8 length[2] = { 0x00, 0x01 }; 260 u8 m[53], t[16]; 261 int err; 262 263 SMP_DBG("w %32phN", w); 264 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 265 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 266 267 err = aes_cmac(tfm_cmac, salt, w, 32, t); 268 if (err) 269 return err; 270 271 SMP_DBG("t %16phN", t); 272 273 memcpy(m, length, 2); 274 memcpy(m + 2, a2, 7); 275 memcpy(m + 9, a1, 7); 276 memcpy(m + 16, n2, 16); 277 memcpy(m + 32, n1, 16); 278 memcpy(m + 48, btle, 4); 279 280 m[52] = 0; /* Counter */ 281 282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 283 if (err) 284 return err; 285 286 SMP_DBG("mackey %16phN", mackey); 287 288 m[52] = 1; /* Counter */ 289 290 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 291 if (err) 292 return err; 293 294 SMP_DBG("ltk %16phN", ltk); 295 296 return 0; 297 } 298 299 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16], 300 const u8 n1[16], const u8 n2[16], const u8 r[16], 301 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 302 u8 res[16]) 303 { 304 u8 m[65]; 305 int err; 306 307 SMP_DBG("w %16phN", w); 308 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 309 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 310 311 memcpy(m, a2, 7); 312 memcpy(m + 7, a1, 7); 313 memcpy(m + 14, io_cap, 3); 314 memcpy(m + 17, r, 16); 315 memcpy(m + 33, n2, 16); 316 memcpy(m + 49, n1, 16); 317 318 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 319 if (err) 320 return err; 321 322 SMP_DBG("res %16phN", res); 323 324 return err; 325 } 326 327 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32], 328 const u8 x[16], const u8 y[16], u32 *val) 329 { 330 u8 m[80], tmp[16]; 331 int err; 332 333 SMP_DBG("u %32phN", u); 334 SMP_DBG("v %32phN", v); 335 SMP_DBG("x %16phN y %16phN", x, y); 336 337 memcpy(m, y, 16); 338 memcpy(m + 16, v, 32); 339 memcpy(m + 48, u, 32); 340 341 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 342 if (err) 343 return err; 344 345 *val = get_unaligned_le32(tmp); 346 *val %= 1000000; 347 348 SMP_DBG("val %06u", *val); 349 350 return 0; 351 } 352 353 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16], 354 const u8 key_id[4], u8 res[16]) 355 { 356 int err; 357 358 SMP_DBG("w %16phN key_id %4phN", w, key_id); 359 360 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 361 if (err) 362 return err; 363 364 SMP_DBG("res %16phN", res); 365 366 return err; 367 } 368 369 /* The following functions map to the legacy SMP crypto functions e, c1, 370 * s1 and ah. 371 */ 372 373 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r) 374 { 375 struct blkcipher_desc desc; 376 struct scatterlist sg; 377 uint8_t tmp[16], data[16]; 378 int err; 379 380 SMP_DBG("k %16phN r %16phN", k, r); 381 382 if (!tfm) { 383 BT_ERR("tfm %p", tfm); 384 return -EINVAL; 385 } 386 387 desc.tfm = tfm; 388 desc.flags = 0; 389 390 /* The most significant octet of key corresponds to k[0] */ 391 swap_buf(k, tmp, 16); 392 393 err = crypto_blkcipher_setkey(tfm, tmp, 16); 394 if (err) { 395 BT_ERR("cipher setkey failed: %d", err); 396 return err; 397 } 398 399 /* Most significant octet of plaintextData corresponds to data[0] */ 400 swap_buf(r, data, 16); 401 402 sg_init_one(&sg, data, 16); 403 404 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16); 405 if (err) 406 BT_ERR("Encrypt data error %d", err); 407 408 /* Most significant octet of encryptedData corresponds to data[0] */ 409 swap_buf(data, r, 16); 410 411 SMP_DBG("r %16phN", r); 412 413 return err; 414 } 415 416 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16], 417 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 418 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 419 { 420 u8 p1[16], p2[16]; 421 int err; 422 423 SMP_DBG("k %16phN r %16phN", k, r); 424 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 425 SMP_DBG("preq %7phN pres %7phN", preq, pres); 426 427 memset(p1, 0, 16); 428 429 /* p1 = pres || preq || _rat || _iat */ 430 p1[0] = _iat; 431 p1[1] = _rat; 432 memcpy(p1 + 2, preq, 7); 433 memcpy(p1 + 9, pres, 7); 434 435 SMP_DBG("p1 %16phN", p1); 436 437 /* res = r XOR p1 */ 438 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 439 440 /* res = e(k, res) */ 441 err = smp_e(tfm_aes, k, res); 442 if (err) { 443 BT_ERR("Encrypt data error"); 444 return err; 445 } 446 447 /* p2 = padding || ia || ra */ 448 memcpy(p2, ra, 6); 449 memcpy(p2 + 6, ia, 6); 450 memset(p2 + 12, 0, 4); 451 452 SMP_DBG("p2 %16phN", p2); 453 454 /* res = res XOR p2 */ 455 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 456 457 /* res = e(k, res) */ 458 err = smp_e(tfm_aes, k, res); 459 if (err) 460 BT_ERR("Encrypt data error"); 461 462 return err; 463 } 464 465 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16], 466 const u8 r1[16], const u8 r2[16], u8 _r[16]) 467 { 468 int err; 469 470 /* Just least significant octets from r1 and r2 are considered */ 471 memcpy(_r, r2, 8); 472 memcpy(_r + 8, r1, 8); 473 474 err = smp_e(tfm_aes, k, _r); 475 if (err) 476 BT_ERR("Encrypt data error"); 477 478 return err; 479 } 480 481 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16], 482 const u8 r[3], u8 res[3]) 483 { 484 u8 _res[16]; 485 int err; 486 487 /* r' = padding || r */ 488 memcpy(_res, r, 3); 489 memset(_res + 3, 0, 13); 490 491 err = smp_e(tfm, irk, _res); 492 if (err) { 493 BT_ERR("Encrypt error"); 494 return err; 495 } 496 497 /* The output of the random address function ah is: 498 * ah(k, r) = e(k, r') mod 2^24 499 * The output of the security function e is then truncated to 24 bits 500 * by taking the least significant 24 bits of the output of e as the 501 * result of ah. 502 */ 503 memcpy(res, _res, 3); 504 505 return 0; 506 } 507 508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 509 const bdaddr_t *bdaddr) 510 { 511 struct l2cap_chan *chan = hdev->smp_data; 512 struct smp_dev *smp; 513 u8 hash[3]; 514 int err; 515 516 if (!chan || !chan->data) 517 return false; 518 519 smp = chan->data; 520 521 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 522 523 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash); 524 if (err) 525 return false; 526 527 return !memcmp(bdaddr->b, hash, 3); 528 } 529 530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 531 { 532 struct l2cap_chan *chan = hdev->smp_data; 533 struct smp_dev *smp; 534 int err; 535 536 if (!chan || !chan->data) 537 return -EOPNOTSUPP; 538 539 smp = chan->data; 540 541 get_random_bytes(&rpa->b[3], 3); 542 543 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 544 rpa->b[5] |= 0x40; /* Set second most significant bit */ 545 546 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b); 547 if (err < 0) 548 return err; 549 550 BT_DBG("RPA %pMR", rpa); 551 552 return 0; 553 } 554 555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 556 { 557 struct l2cap_chan *chan = hdev->smp_data; 558 struct smp_dev *smp; 559 int err; 560 561 if (!chan || !chan->data) 562 return -EOPNOTSUPP; 563 564 smp = chan->data; 565 566 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 567 BT_DBG("Using debug keys"); 568 memcpy(smp->local_pk, debug_pk, 64); 569 memcpy(smp->local_sk, debug_sk, 32); 570 smp->debug_key = true; 571 } else { 572 while (true) { 573 /* Generate local key pair for Secure Connections */ 574 if (!ecc_make_key(smp->local_pk, smp->local_sk)) 575 return -EIO; 576 577 /* This is unlikely, but we need to check that 578 * we didn't accidentially generate a debug key. 579 */ 580 if (memcmp(smp->local_sk, debug_sk, 32)) 581 break; 582 } 583 smp->debug_key = false; 584 } 585 586 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 587 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 588 SMP_DBG("OOB Private Key: %32phN", smp->local_sk); 589 590 get_random_bytes(smp->local_rand, 16); 591 592 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 593 smp->local_rand, 0, hash); 594 if (err < 0) 595 return err; 596 597 memcpy(rand, smp->local_rand, 16); 598 599 return 0; 600 } 601 602 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 603 { 604 struct l2cap_chan *chan = conn->smp; 605 struct smp_chan *smp; 606 struct kvec iv[2]; 607 struct msghdr msg; 608 609 if (!chan) 610 return; 611 612 BT_DBG("code 0x%2.2x", code); 613 614 iv[0].iov_base = &code; 615 iv[0].iov_len = 1; 616 617 iv[1].iov_base = data; 618 iv[1].iov_len = len; 619 620 memset(&msg, 0, sizeof(msg)); 621 622 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len); 623 624 l2cap_chan_send(chan, &msg, 1 + len); 625 626 if (!chan->data) 627 return; 628 629 smp = chan->data; 630 631 cancel_delayed_work_sync(&smp->security_timer); 632 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 633 } 634 635 static u8 authreq_to_seclevel(u8 authreq) 636 { 637 if (authreq & SMP_AUTH_MITM) { 638 if (authreq & SMP_AUTH_SC) 639 return BT_SECURITY_FIPS; 640 else 641 return BT_SECURITY_HIGH; 642 } else { 643 return BT_SECURITY_MEDIUM; 644 } 645 } 646 647 static __u8 seclevel_to_authreq(__u8 sec_level) 648 { 649 switch (sec_level) { 650 case BT_SECURITY_FIPS: 651 case BT_SECURITY_HIGH: 652 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 653 case BT_SECURITY_MEDIUM: 654 return SMP_AUTH_BONDING; 655 default: 656 return SMP_AUTH_NONE; 657 } 658 } 659 660 static void build_pairing_cmd(struct l2cap_conn *conn, 661 struct smp_cmd_pairing *req, 662 struct smp_cmd_pairing *rsp, __u8 authreq) 663 { 664 struct l2cap_chan *chan = conn->smp; 665 struct smp_chan *smp = chan->data; 666 struct hci_conn *hcon = conn->hcon; 667 struct hci_dev *hdev = hcon->hdev; 668 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 669 670 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 671 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 672 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 673 authreq |= SMP_AUTH_BONDING; 674 } else { 675 authreq &= ~SMP_AUTH_BONDING; 676 } 677 678 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 679 remote_dist |= SMP_DIST_ID_KEY; 680 681 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 682 local_dist |= SMP_DIST_ID_KEY; 683 684 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 685 (authreq & SMP_AUTH_SC)) { 686 struct oob_data *oob_data; 687 u8 bdaddr_type; 688 689 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 690 local_dist |= SMP_DIST_LINK_KEY; 691 remote_dist |= SMP_DIST_LINK_KEY; 692 } 693 694 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 695 bdaddr_type = BDADDR_LE_PUBLIC; 696 else 697 bdaddr_type = BDADDR_LE_RANDOM; 698 699 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 700 bdaddr_type); 701 if (oob_data && oob_data->present) { 702 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 703 oob_flag = SMP_OOB_PRESENT; 704 memcpy(smp->rr, oob_data->rand256, 16); 705 memcpy(smp->pcnf, oob_data->hash256, 16); 706 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 707 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 708 } 709 710 } else { 711 authreq &= ~SMP_AUTH_SC; 712 } 713 714 if (rsp == NULL) { 715 req->io_capability = conn->hcon->io_capability; 716 req->oob_flag = oob_flag; 717 req->max_key_size = SMP_DEV(hdev)->max_key_size; 718 req->init_key_dist = local_dist; 719 req->resp_key_dist = remote_dist; 720 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 721 722 smp->remote_key_dist = remote_dist; 723 return; 724 } 725 726 rsp->io_capability = conn->hcon->io_capability; 727 rsp->oob_flag = oob_flag; 728 rsp->max_key_size = SMP_DEV(hdev)->max_key_size; 729 rsp->init_key_dist = req->init_key_dist & remote_dist; 730 rsp->resp_key_dist = req->resp_key_dist & local_dist; 731 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 732 733 smp->remote_key_dist = rsp->init_key_dist; 734 } 735 736 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 737 { 738 struct l2cap_chan *chan = conn->smp; 739 struct hci_dev *hdev = conn->hcon->hdev; 740 struct smp_chan *smp = chan->data; 741 742 if (max_key_size > SMP_DEV(hdev)->max_key_size || 743 max_key_size < SMP_MIN_ENC_KEY_SIZE) 744 return SMP_ENC_KEY_SIZE; 745 746 smp->enc_key_size = max_key_size; 747 748 return 0; 749 } 750 751 static void smp_chan_destroy(struct l2cap_conn *conn) 752 { 753 struct l2cap_chan *chan = conn->smp; 754 struct smp_chan *smp = chan->data; 755 struct hci_conn *hcon = conn->hcon; 756 bool complete; 757 758 BUG_ON(!smp); 759 760 cancel_delayed_work_sync(&smp->security_timer); 761 762 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 763 mgmt_smp_complete(hcon, complete); 764 765 kzfree(smp->csrk); 766 kzfree(smp->slave_csrk); 767 kzfree(smp->link_key); 768 769 crypto_free_blkcipher(smp->tfm_aes); 770 crypto_free_hash(smp->tfm_cmac); 771 772 /* Ensure that we don't leave any debug key around if debug key 773 * support hasn't been explicitly enabled. 774 */ 775 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 776 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 777 list_del_rcu(&smp->ltk->list); 778 kfree_rcu(smp->ltk, rcu); 779 smp->ltk = NULL; 780 } 781 782 /* If pairing failed clean up any keys we might have */ 783 if (!complete) { 784 if (smp->ltk) { 785 list_del_rcu(&smp->ltk->list); 786 kfree_rcu(smp->ltk, rcu); 787 } 788 789 if (smp->slave_ltk) { 790 list_del_rcu(&smp->slave_ltk->list); 791 kfree_rcu(smp->slave_ltk, rcu); 792 } 793 794 if (smp->remote_irk) { 795 list_del_rcu(&smp->remote_irk->list); 796 kfree_rcu(smp->remote_irk, rcu); 797 } 798 } 799 800 chan->data = NULL; 801 kzfree(smp); 802 hci_conn_drop(hcon); 803 } 804 805 static void smp_failure(struct l2cap_conn *conn, u8 reason) 806 { 807 struct hci_conn *hcon = conn->hcon; 808 struct l2cap_chan *chan = conn->smp; 809 810 if (reason) 811 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 812 &reason); 813 814 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 815 816 if (chan->data) 817 smp_chan_destroy(conn); 818 } 819 820 #define JUST_WORKS 0x00 821 #define JUST_CFM 0x01 822 #define REQ_PASSKEY 0x02 823 #define CFM_PASSKEY 0x03 824 #define REQ_OOB 0x04 825 #define DSP_PASSKEY 0x05 826 #define OVERLAP 0xFF 827 828 static const u8 gen_method[5][5] = { 829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 830 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 831 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 833 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 834 }; 835 836 static const u8 sc_method[5][5] = { 837 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 838 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 839 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 840 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 841 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 842 }; 843 844 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 845 { 846 /* If either side has unknown io_caps, use JUST_CFM (which gets 847 * converted later to JUST_WORKS if we're initiators. 848 */ 849 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 850 remote_io > SMP_IO_KEYBOARD_DISPLAY) 851 return JUST_CFM; 852 853 if (test_bit(SMP_FLAG_SC, &smp->flags)) 854 return sc_method[remote_io][local_io]; 855 856 return gen_method[remote_io][local_io]; 857 } 858 859 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 860 u8 local_io, u8 remote_io) 861 { 862 struct hci_conn *hcon = conn->hcon; 863 struct l2cap_chan *chan = conn->smp; 864 struct smp_chan *smp = chan->data; 865 u32 passkey = 0; 866 int ret = 0; 867 868 /* Initialize key for JUST WORKS */ 869 memset(smp->tk, 0, sizeof(smp->tk)); 870 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 871 872 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 873 874 /* If neither side wants MITM, either "just" confirm an incoming 875 * request or use just-works for outgoing ones. The JUST_CFM 876 * will be converted to JUST_WORKS if necessary later in this 877 * function. If either side has MITM look up the method from the 878 * table. 879 */ 880 if (!(auth & SMP_AUTH_MITM)) 881 smp->method = JUST_CFM; 882 else 883 smp->method = get_auth_method(smp, local_io, remote_io); 884 885 /* Don't confirm locally initiated pairing attempts */ 886 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 887 &smp->flags)) 888 smp->method = JUST_WORKS; 889 890 /* Don't bother user space with no IO capabilities */ 891 if (smp->method == JUST_CFM && 892 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 893 smp->method = JUST_WORKS; 894 895 /* If Just Works, Continue with Zero TK */ 896 if (smp->method == JUST_WORKS) { 897 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 898 return 0; 899 } 900 901 /* If this function is used for SC -> legacy fallback we 902 * can only recover the just-works case. 903 */ 904 if (test_bit(SMP_FLAG_SC, &smp->flags)) 905 return -EINVAL; 906 907 /* Not Just Works/Confirm results in MITM Authentication */ 908 if (smp->method != JUST_CFM) { 909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 910 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 911 hcon->pending_sec_level = BT_SECURITY_HIGH; 912 } 913 914 /* If both devices have Keyoard-Display I/O, the master 915 * Confirms and the slave Enters the passkey. 916 */ 917 if (smp->method == OVERLAP) { 918 if (hcon->role == HCI_ROLE_MASTER) 919 smp->method = CFM_PASSKEY; 920 else 921 smp->method = REQ_PASSKEY; 922 } 923 924 /* Generate random passkey. */ 925 if (smp->method == CFM_PASSKEY) { 926 memset(smp->tk, 0, sizeof(smp->tk)); 927 get_random_bytes(&passkey, sizeof(passkey)); 928 passkey %= 1000000; 929 put_unaligned_le32(passkey, smp->tk); 930 BT_DBG("PassKey: %d", passkey); 931 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 932 } 933 934 if (smp->method == REQ_PASSKEY) 935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 936 hcon->type, hcon->dst_type); 937 else if (smp->method == JUST_CFM) 938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 939 hcon->type, hcon->dst_type, 940 passkey, 1); 941 else 942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 943 hcon->type, hcon->dst_type, 944 passkey, 0); 945 946 return ret; 947 } 948 949 static u8 smp_confirm(struct smp_chan *smp) 950 { 951 struct l2cap_conn *conn = smp->conn; 952 struct smp_cmd_pairing_confirm cp; 953 int ret; 954 955 BT_DBG("conn %p", conn); 956 957 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp, 958 conn->hcon->init_addr_type, &conn->hcon->init_addr, 959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 960 cp.confirm_val); 961 if (ret) 962 return SMP_UNSPECIFIED; 963 964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 965 966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 967 968 if (conn->hcon->out) 969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 970 else 971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 972 973 return 0; 974 } 975 976 static u8 smp_random(struct smp_chan *smp) 977 { 978 struct l2cap_conn *conn = smp->conn; 979 struct hci_conn *hcon = conn->hcon; 980 u8 confirm[16]; 981 int ret; 982 983 if (IS_ERR_OR_NULL(smp->tfm_aes)) 984 return SMP_UNSPECIFIED; 985 986 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 987 988 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp, 989 hcon->init_addr_type, &hcon->init_addr, 990 hcon->resp_addr_type, &hcon->resp_addr, confirm); 991 if (ret) 992 return SMP_UNSPECIFIED; 993 994 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) { 995 BT_ERR("Pairing failed (confirmation values mismatch)"); 996 return SMP_CONFIRM_FAILED; 997 } 998 999 if (hcon->out) { 1000 u8 stk[16]; 1001 __le64 rand = 0; 1002 __le16 ediv = 0; 1003 1004 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk); 1005 1006 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1007 return SMP_UNSPECIFIED; 1008 1009 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 1010 hcon->enc_key_size = smp->enc_key_size; 1011 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 1012 } else { 1013 u8 stk[16], auth; 1014 __le64 rand = 0; 1015 __le16 ediv = 0; 1016 1017 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1018 smp->prnd); 1019 1020 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk); 1021 1022 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1023 auth = 1; 1024 else 1025 auth = 0; 1026 1027 /* Even though there's no _SLAVE suffix this is the 1028 * slave STK we're adding for later lookup (the master 1029 * STK never needs to be stored). 1030 */ 1031 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1032 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1033 } 1034 1035 return 0; 1036 } 1037 1038 static void smp_notify_keys(struct l2cap_conn *conn) 1039 { 1040 struct l2cap_chan *chan = conn->smp; 1041 struct smp_chan *smp = chan->data; 1042 struct hci_conn *hcon = conn->hcon; 1043 struct hci_dev *hdev = hcon->hdev; 1044 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1045 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1046 bool persistent; 1047 1048 if (hcon->type == ACL_LINK) { 1049 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1050 persistent = false; 1051 else 1052 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1053 &hcon->flags); 1054 } else { 1055 /* The LTKs, IRKs and CSRKs should be persistent only if 1056 * both sides had the bonding bit set in their 1057 * authentication requests. 1058 */ 1059 persistent = !!((req->auth_req & rsp->auth_req) & 1060 SMP_AUTH_BONDING); 1061 } 1062 1063 if (smp->remote_irk) { 1064 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1065 1066 /* Now that user space can be considered to know the 1067 * identity address track the connection based on it 1068 * from now on (assuming this is an LE link). 1069 */ 1070 if (hcon->type == LE_LINK) { 1071 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1072 hcon->dst_type = smp->remote_irk->addr_type; 1073 queue_work(hdev->workqueue, &conn->id_addr_update_work); 1074 } 1075 } 1076 1077 if (smp->csrk) { 1078 smp->csrk->bdaddr_type = hcon->dst_type; 1079 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1080 mgmt_new_csrk(hdev, smp->csrk, persistent); 1081 } 1082 1083 if (smp->slave_csrk) { 1084 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1085 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1086 mgmt_new_csrk(hdev, smp->slave_csrk, persistent); 1087 } 1088 1089 if (smp->ltk) { 1090 smp->ltk->bdaddr_type = hcon->dst_type; 1091 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1092 mgmt_new_ltk(hdev, smp->ltk, persistent); 1093 } 1094 1095 if (smp->slave_ltk) { 1096 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1097 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1098 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1099 } 1100 1101 if (smp->link_key) { 1102 struct link_key *key; 1103 u8 type; 1104 1105 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1106 type = HCI_LK_DEBUG_COMBINATION; 1107 else if (hcon->sec_level == BT_SECURITY_FIPS) 1108 type = HCI_LK_AUTH_COMBINATION_P256; 1109 else 1110 type = HCI_LK_UNAUTH_COMBINATION_P256; 1111 1112 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1113 smp->link_key, type, 0, &persistent); 1114 if (key) { 1115 mgmt_new_link_key(hdev, key, persistent); 1116 1117 /* Don't keep debug keys around if the relevant 1118 * flag is not set. 1119 */ 1120 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1121 key->type == HCI_LK_DEBUG_COMBINATION) { 1122 list_del_rcu(&key->list); 1123 kfree_rcu(key, rcu); 1124 } 1125 } 1126 } 1127 } 1128 1129 static void sc_add_ltk(struct smp_chan *smp) 1130 { 1131 struct hci_conn *hcon = smp->conn->hcon; 1132 u8 key_type, auth; 1133 1134 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1135 key_type = SMP_LTK_P256_DEBUG; 1136 else 1137 key_type = SMP_LTK_P256; 1138 1139 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1140 auth = 1; 1141 else 1142 auth = 0; 1143 1144 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1145 key_type, auth, smp->tk, smp->enc_key_size, 1146 0, 0); 1147 } 1148 1149 static void sc_generate_link_key(struct smp_chan *smp) 1150 { 1151 /* These constants are as specified in the core specification. 1152 * In ASCII they spell out to 'tmp1' and 'lebr'. 1153 */ 1154 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1155 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1156 1157 smp->link_key = kzalloc(16, GFP_KERNEL); 1158 if (!smp->link_key) 1159 return; 1160 1161 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1162 kzfree(smp->link_key); 1163 smp->link_key = NULL; 1164 return; 1165 } 1166 1167 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1168 kzfree(smp->link_key); 1169 smp->link_key = NULL; 1170 return; 1171 } 1172 } 1173 1174 static void smp_allow_key_dist(struct smp_chan *smp) 1175 { 1176 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1177 * will be allowed in each PDU handler to ensure we receive 1178 * them in the correct order. 1179 */ 1180 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1181 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1182 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1183 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1184 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1185 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1186 } 1187 1188 static void sc_generate_ltk(struct smp_chan *smp) 1189 { 1190 /* These constants are as specified in the core specification. 1191 * In ASCII they spell out to 'tmp2' and 'brle'. 1192 */ 1193 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1194 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1195 struct hci_conn *hcon = smp->conn->hcon; 1196 struct hci_dev *hdev = hcon->hdev; 1197 struct link_key *key; 1198 1199 key = hci_find_link_key(hdev, &hcon->dst); 1200 if (!key) { 1201 BT_ERR("%s No Link Key found to generate LTK", hdev->name); 1202 return; 1203 } 1204 1205 if (key->type == HCI_LK_DEBUG_COMBINATION) 1206 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1207 1208 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1209 return; 1210 1211 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1212 return; 1213 1214 sc_add_ltk(smp); 1215 } 1216 1217 static void smp_distribute_keys(struct smp_chan *smp) 1218 { 1219 struct smp_cmd_pairing *req, *rsp; 1220 struct l2cap_conn *conn = smp->conn; 1221 struct hci_conn *hcon = conn->hcon; 1222 struct hci_dev *hdev = hcon->hdev; 1223 __u8 *keydist; 1224 1225 BT_DBG("conn %p", conn); 1226 1227 rsp = (void *) &smp->prsp[1]; 1228 1229 /* The responder sends its keys first */ 1230 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1231 smp_allow_key_dist(smp); 1232 return; 1233 } 1234 1235 req = (void *) &smp->preq[1]; 1236 1237 if (hcon->out) { 1238 keydist = &rsp->init_key_dist; 1239 *keydist &= req->init_key_dist; 1240 } else { 1241 keydist = &rsp->resp_key_dist; 1242 *keydist &= req->resp_key_dist; 1243 } 1244 1245 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1246 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1247 sc_generate_link_key(smp); 1248 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1249 sc_generate_ltk(smp); 1250 1251 /* Clear the keys which are generated but not distributed */ 1252 *keydist &= ~SMP_SC_NO_DIST; 1253 } 1254 1255 BT_DBG("keydist 0x%x", *keydist); 1256 1257 if (*keydist & SMP_DIST_ENC_KEY) { 1258 struct smp_cmd_encrypt_info enc; 1259 struct smp_cmd_master_ident ident; 1260 struct smp_ltk *ltk; 1261 u8 authenticated; 1262 __le16 ediv; 1263 __le64 rand; 1264 1265 /* Make sure we generate only the significant amount of 1266 * bytes based on the encryption key size, and set the rest 1267 * of the value to zeroes. 1268 */ 1269 get_random_bytes(enc.ltk, smp->enc_key_size); 1270 memset(enc.ltk + smp->enc_key_size, 0, 1271 sizeof(enc.ltk) - smp->enc_key_size); 1272 1273 get_random_bytes(&ediv, sizeof(ediv)); 1274 get_random_bytes(&rand, sizeof(rand)); 1275 1276 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1277 1278 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1279 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1280 SMP_LTK_SLAVE, authenticated, enc.ltk, 1281 smp->enc_key_size, ediv, rand); 1282 smp->slave_ltk = ltk; 1283 1284 ident.ediv = ediv; 1285 ident.rand = rand; 1286 1287 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1288 1289 *keydist &= ~SMP_DIST_ENC_KEY; 1290 } 1291 1292 if (*keydist & SMP_DIST_ID_KEY) { 1293 struct smp_cmd_ident_addr_info addrinfo; 1294 struct smp_cmd_ident_info idinfo; 1295 1296 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1297 1298 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1299 1300 /* The hci_conn contains the local identity address 1301 * after the connection has been established. 1302 * 1303 * This is true even when the connection has been 1304 * established using a resolvable random address. 1305 */ 1306 bacpy(&addrinfo.bdaddr, &hcon->src); 1307 addrinfo.addr_type = hcon->src_type; 1308 1309 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1310 &addrinfo); 1311 1312 *keydist &= ~SMP_DIST_ID_KEY; 1313 } 1314 1315 if (*keydist & SMP_DIST_SIGN) { 1316 struct smp_cmd_sign_info sign; 1317 struct smp_csrk *csrk; 1318 1319 /* Generate a new random key */ 1320 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1321 1322 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1323 if (csrk) { 1324 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1325 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1326 else 1327 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1328 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1329 } 1330 smp->slave_csrk = csrk; 1331 1332 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1333 1334 *keydist &= ~SMP_DIST_SIGN; 1335 } 1336 1337 /* If there are still keys to be received wait for them */ 1338 if (smp->remote_key_dist & KEY_DIST_MASK) { 1339 smp_allow_key_dist(smp); 1340 return; 1341 } 1342 1343 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1344 smp_notify_keys(conn); 1345 1346 smp_chan_destroy(conn); 1347 } 1348 1349 static void smp_timeout(struct work_struct *work) 1350 { 1351 struct smp_chan *smp = container_of(work, struct smp_chan, 1352 security_timer.work); 1353 struct l2cap_conn *conn = smp->conn; 1354 1355 BT_DBG("conn %p", conn); 1356 1357 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1358 } 1359 1360 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1361 { 1362 struct l2cap_chan *chan = conn->smp; 1363 struct smp_chan *smp; 1364 1365 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1366 if (!smp) 1367 return NULL; 1368 1369 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 1370 if (IS_ERR(smp->tfm_aes)) { 1371 BT_ERR("Unable to create ECB crypto context"); 1372 kzfree(smp); 1373 return NULL; 1374 } 1375 1376 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 1377 if (IS_ERR(smp->tfm_cmac)) { 1378 BT_ERR("Unable to create CMAC crypto context"); 1379 crypto_free_blkcipher(smp->tfm_aes); 1380 kzfree(smp); 1381 return NULL; 1382 } 1383 1384 smp->conn = conn; 1385 chan->data = smp; 1386 1387 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1388 1389 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1390 1391 hci_conn_hold(conn->hcon); 1392 1393 return smp; 1394 } 1395 1396 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1397 { 1398 struct hci_conn *hcon = smp->conn->hcon; 1399 u8 *na, *nb, a[7], b[7]; 1400 1401 if (hcon->out) { 1402 na = smp->prnd; 1403 nb = smp->rrnd; 1404 } else { 1405 na = smp->rrnd; 1406 nb = smp->prnd; 1407 } 1408 1409 memcpy(a, &hcon->init_addr, 6); 1410 memcpy(b, &hcon->resp_addr, 6); 1411 a[6] = hcon->init_addr_type; 1412 b[6] = hcon->resp_addr_type; 1413 1414 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1415 } 1416 1417 static void sc_dhkey_check(struct smp_chan *smp) 1418 { 1419 struct hci_conn *hcon = smp->conn->hcon; 1420 struct smp_cmd_dhkey_check check; 1421 u8 a[7], b[7], *local_addr, *remote_addr; 1422 u8 io_cap[3], r[16]; 1423 1424 memcpy(a, &hcon->init_addr, 6); 1425 memcpy(b, &hcon->resp_addr, 6); 1426 a[6] = hcon->init_addr_type; 1427 b[6] = hcon->resp_addr_type; 1428 1429 if (hcon->out) { 1430 local_addr = a; 1431 remote_addr = b; 1432 memcpy(io_cap, &smp->preq[1], 3); 1433 } else { 1434 local_addr = b; 1435 remote_addr = a; 1436 memcpy(io_cap, &smp->prsp[1], 3); 1437 } 1438 1439 memset(r, 0, sizeof(r)); 1440 1441 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1442 put_unaligned_le32(hcon->passkey_notify, r); 1443 1444 if (smp->method == REQ_OOB) 1445 memcpy(r, smp->rr, 16); 1446 1447 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1448 local_addr, remote_addr, check.e); 1449 1450 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1451 } 1452 1453 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1454 { 1455 struct l2cap_conn *conn = smp->conn; 1456 struct hci_conn *hcon = conn->hcon; 1457 struct smp_cmd_pairing_confirm cfm; 1458 u8 r; 1459 1460 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1461 r |= 0x80; 1462 1463 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1464 1465 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1466 cfm.confirm_val)) 1467 return SMP_UNSPECIFIED; 1468 1469 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1470 1471 return 0; 1472 } 1473 1474 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1475 { 1476 struct l2cap_conn *conn = smp->conn; 1477 struct hci_conn *hcon = conn->hcon; 1478 struct hci_dev *hdev = hcon->hdev; 1479 u8 cfm[16], r; 1480 1481 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1482 if (smp->passkey_round >= 20) 1483 return 0; 1484 1485 switch (smp_op) { 1486 case SMP_CMD_PAIRING_RANDOM: 1487 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1488 r |= 0x80; 1489 1490 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1491 smp->rrnd, r, cfm)) 1492 return SMP_UNSPECIFIED; 1493 1494 if (memcmp(smp->pcnf, cfm, 16)) 1495 return SMP_CONFIRM_FAILED; 1496 1497 smp->passkey_round++; 1498 1499 if (smp->passkey_round == 20) { 1500 /* Generate MacKey and LTK */ 1501 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1502 return SMP_UNSPECIFIED; 1503 } 1504 1505 /* The round is only complete when the initiator 1506 * receives pairing random. 1507 */ 1508 if (!hcon->out) { 1509 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1510 sizeof(smp->prnd), smp->prnd); 1511 if (smp->passkey_round == 20) 1512 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1513 else 1514 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1515 return 0; 1516 } 1517 1518 /* Start the next round */ 1519 if (smp->passkey_round != 20) 1520 return sc_passkey_round(smp, 0); 1521 1522 /* Passkey rounds are complete - start DHKey Check */ 1523 sc_dhkey_check(smp); 1524 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1525 1526 break; 1527 1528 case SMP_CMD_PAIRING_CONFIRM: 1529 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1530 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1531 return 0; 1532 } 1533 1534 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1535 1536 if (hcon->out) { 1537 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1538 sizeof(smp->prnd), smp->prnd); 1539 return 0; 1540 } 1541 1542 return sc_passkey_send_confirm(smp); 1543 1544 case SMP_CMD_PUBLIC_KEY: 1545 default: 1546 /* Initiating device starts the round */ 1547 if (!hcon->out) 1548 return 0; 1549 1550 BT_DBG("%s Starting passkey round %u", hdev->name, 1551 smp->passkey_round + 1); 1552 1553 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1554 1555 return sc_passkey_send_confirm(smp); 1556 } 1557 1558 return 0; 1559 } 1560 1561 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1562 { 1563 struct l2cap_conn *conn = smp->conn; 1564 struct hci_conn *hcon = conn->hcon; 1565 u8 smp_op; 1566 1567 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1568 1569 switch (mgmt_op) { 1570 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1571 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1572 return 0; 1573 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1574 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1575 return 0; 1576 case MGMT_OP_USER_PASSKEY_REPLY: 1577 hcon->passkey_notify = le32_to_cpu(passkey); 1578 smp->passkey_round = 0; 1579 1580 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1581 smp_op = SMP_CMD_PAIRING_CONFIRM; 1582 else 1583 smp_op = 0; 1584 1585 if (sc_passkey_round(smp, smp_op)) 1586 return -EIO; 1587 1588 return 0; 1589 } 1590 1591 /* Initiator sends DHKey check first */ 1592 if (hcon->out) { 1593 sc_dhkey_check(smp); 1594 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1595 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1596 sc_dhkey_check(smp); 1597 sc_add_ltk(smp); 1598 } 1599 1600 return 0; 1601 } 1602 1603 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1604 { 1605 struct l2cap_conn *conn = hcon->l2cap_data; 1606 struct l2cap_chan *chan; 1607 struct smp_chan *smp; 1608 u32 value; 1609 int err; 1610 1611 BT_DBG(""); 1612 1613 if (!conn) 1614 return -ENOTCONN; 1615 1616 chan = conn->smp; 1617 if (!chan) 1618 return -ENOTCONN; 1619 1620 l2cap_chan_lock(chan); 1621 if (!chan->data) { 1622 err = -ENOTCONN; 1623 goto unlock; 1624 } 1625 1626 smp = chan->data; 1627 1628 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1629 err = sc_user_reply(smp, mgmt_op, passkey); 1630 goto unlock; 1631 } 1632 1633 switch (mgmt_op) { 1634 case MGMT_OP_USER_PASSKEY_REPLY: 1635 value = le32_to_cpu(passkey); 1636 memset(smp->tk, 0, sizeof(smp->tk)); 1637 BT_DBG("PassKey: %d", value); 1638 put_unaligned_le32(value, smp->tk); 1639 /* Fall Through */ 1640 case MGMT_OP_USER_CONFIRM_REPLY: 1641 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1642 break; 1643 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1644 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1645 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1646 err = 0; 1647 goto unlock; 1648 default: 1649 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1650 err = -EOPNOTSUPP; 1651 goto unlock; 1652 } 1653 1654 err = 0; 1655 1656 /* If it is our turn to send Pairing Confirm, do so now */ 1657 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1658 u8 rsp = smp_confirm(smp); 1659 if (rsp) 1660 smp_failure(conn, rsp); 1661 } 1662 1663 unlock: 1664 l2cap_chan_unlock(chan); 1665 return err; 1666 } 1667 1668 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1669 struct smp_cmd_pairing *req, 1670 struct smp_cmd_pairing *rsp) 1671 { 1672 struct l2cap_conn *conn = smp->conn; 1673 struct hci_dev *hdev = conn->hcon->hdev; 1674 u8 local_dist = 0, remote_dist = 0; 1675 1676 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1677 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1678 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1679 } 1680 1681 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1682 remote_dist |= SMP_DIST_ID_KEY; 1683 1684 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1685 local_dist |= SMP_DIST_ID_KEY; 1686 1687 if (!rsp) { 1688 memset(req, 0, sizeof(*req)); 1689 1690 req->init_key_dist = local_dist; 1691 req->resp_key_dist = remote_dist; 1692 req->max_key_size = conn->hcon->enc_key_size; 1693 1694 smp->remote_key_dist = remote_dist; 1695 1696 return; 1697 } 1698 1699 memset(rsp, 0, sizeof(*rsp)); 1700 1701 rsp->max_key_size = conn->hcon->enc_key_size; 1702 rsp->init_key_dist = req->init_key_dist & remote_dist; 1703 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1704 1705 smp->remote_key_dist = rsp->init_key_dist; 1706 } 1707 1708 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1709 { 1710 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1711 struct l2cap_chan *chan = conn->smp; 1712 struct hci_dev *hdev = conn->hcon->hdev; 1713 struct smp_chan *smp; 1714 u8 key_size, auth, sec_level; 1715 int ret; 1716 1717 BT_DBG("conn %p", conn); 1718 1719 if (skb->len < sizeof(*req)) 1720 return SMP_INVALID_PARAMS; 1721 1722 if (conn->hcon->role != HCI_ROLE_SLAVE) 1723 return SMP_CMD_NOTSUPP; 1724 1725 if (!chan->data) 1726 smp = smp_chan_create(conn); 1727 else 1728 smp = chan->data; 1729 1730 if (!smp) 1731 return SMP_UNSPECIFIED; 1732 1733 /* We didn't start the pairing, so match remote */ 1734 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1735 1736 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1737 (auth & SMP_AUTH_BONDING)) 1738 return SMP_PAIRING_NOTSUPP; 1739 1740 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1741 return SMP_AUTH_REQUIREMENTS; 1742 1743 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1744 memcpy(&smp->preq[1], req, sizeof(*req)); 1745 skb_pull(skb, sizeof(*req)); 1746 1747 /* If the remote side's OOB flag is set it means it has 1748 * successfully received our local OOB data - therefore set the 1749 * flag to indicate that local OOB is in use. 1750 */ 1751 if (req->oob_flag == SMP_OOB_PRESENT) 1752 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1753 1754 /* SMP over BR/EDR requires special treatment */ 1755 if (conn->hcon->type == ACL_LINK) { 1756 /* We must have a BR/EDR SC link */ 1757 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1758 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1759 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1760 1761 set_bit(SMP_FLAG_SC, &smp->flags); 1762 1763 build_bredr_pairing_cmd(smp, req, &rsp); 1764 1765 key_size = min(req->max_key_size, rsp.max_key_size); 1766 if (check_enc_key_size(conn, key_size)) 1767 return SMP_ENC_KEY_SIZE; 1768 1769 /* Clear bits which are generated but not distributed */ 1770 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1771 1772 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1773 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1774 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1775 1776 smp_distribute_keys(smp); 1777 return 0; 1778 } 1779 1780 build_pairing_cmd(conn, req, &rsp, auth); 1781 1782 if (rsp.auth_req & SMP_AUTH_SC) 1783 set_bit(SMP_FLAG_SC, &smp->flags); 1784 1785 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1786 sec_level = BT_SECURITY_MEDIUM; 1787 else 1788 sec_level = authreq_to_seclevel(auth); 1789 1790 if (sec_level > conn->hcon->pending_sec_level) 1791 conn->hcon->pending_sec_level = sec_level; 1792 1793 /* If we need MITM check that it can be achieved */ 1794 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1795 u8 method; 1796 1797 method = get_auth_method(smp, conn->hcon->io_capability, 1798 req->io_capability); 1799 if (method == JUST_WORKS || method == JUST_CFM) 1800 return SMP_AUTH_REQUIREMENTS; 1801 } 1802 1803 key_size = min(req->max_key_size, rsp.max_key_size); 1804 if (check_enc_key_size(conn, key_size)) 1805 return SMP_ENC_KEY_SIZE; 1806 1807 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1808 1809 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1810 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1811 1812 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1813 1814 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1815 1816 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1817 * SC case, however some implementations incorrectly copy RFU auth 1818 * req bits from our security request, which may create a false 1819 * positive SC enablement. 1820 */ 1821 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1822 1823 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1824 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1825 /* Clear bits which are generated but not distributed */ 1826 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1827 /* Wait for Public Key from Initiating Device */ 1828 return 0; 1829 } 1830 1831 /* Request setup of TK */ 1832 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1833 if (ret) 1834 return SMP_UNSPECIFIED; 1835 1836 return 0; 1837 } 1838 1839 static u8 sc_send_public_key(struct smp_chan *smp) 1840 { 1841 struct hci_dev *hdev = smp->conn->hcon->hdev; 1842 1843 BT_DBG(""); 1844 1845 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1846 struct l2cap_chan *chan = hdev->smp_data; 1847 struct smp_dev *smp_dev; 1848 1849 if (!chan || !chan->data) 1850 return SMP_UNSPECIFIED; 1851 1852 smp_dev = chan->data; 1853 1854 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1855 memcpy(smp->local_sk, smp_dev->local_sk, 32); 1856 memcpy(smp->lr, smp_dev->local_rand, 16); 1857 1858 if (smp_dev->debug_key) 1859 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1860 1861 goto done; 1862 } 1863 1864 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1865 BT_DBG("Using debug keys"); 1866 memcpy(smp->local_pk, debug_pk, 64); 1867 memcpy(smp->local_sk, debug_sk, 32); 1868 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1869 } else { 1870 while (true) { 1871 /* Generate local key pair for Secure Connections */ 1872 if (!ecc_make_key(smp->local_pk, smp->local_sk)) 1873 return SMP_UNSPECIFIED; 1874 1875 /* This is unlikely, but we need to check that 1876 * we didn't accidentially generate a debug key. 1877 */ 1878 if (memcmp(smp->local_sk, debug_sk, 32)) 1879 break; 1880 } 1881 } 1882 1883 done: 1884 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1885 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1886 SMP_DBG("Local Private Key: %32phN", smp->local_sk); 1887 1888 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1889 1890 return 0; 1891 } 1892 1893 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1894 { 1895 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1896 struct l2cap_chan *chan = conn->smp; 1897 struct smp_chan *smp = chan->data; 1898 struct hci_dev *hdev = conn->hcon->hdev; 1899 u8 key_size, auth; 1900 int ret; 1901 1902 BT_DBG("conn %p", conn); 1903 1904 if (skb->len < sizeof(*rsp)) 1905 return SMP_INVALID_PARAMS; 1906 1907 if (conn->hcon->role != HCI_ROLE_MASTER) 1908 return SMP_CMD_NOTSUPP; 1909 1910 skb_pull(skb, sizeof(*rsp)); 1911 1912 req = (void *) &smp->preq[1]; 1913 1914 key_size = min(req->max_key_size, rsp->max_key_size); 1915 if (check_enc_key_size(conn, key_size)) 1916 return SMP_ENC_KEY_SIZE; 1917 1918 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1919 1920 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1921 return SMP_AUTH_REQUIREMENTS; 1922 1923 /* If the remote side's OOB flag is set it means it has 1924 * successfully received our local OOB data - therefore set the 1925 * flag to indicate that local OOB is in use. 1926 */ 1927 if (rsp->oob_flag == SMP_OOB_PRESENT) 1928 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1929 1930 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1931 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1932 1933 /* Update remote key distribution in case the remote cleared 1934 * some bits that we had enabled in our request. 1935 */ 1936 smp->remote_key_dist &= rsp->resp_key_dist; 1937 1938 /* For BR/EDR this means we're done and can start phase 3 */ 1939 if (conn->hcon->type == ACL_LINK) { 1940 /* Clear bits which are generated but not distributed */ 1941 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1942 smp_distribute_keys(smp); 1943 return 0; 1944 } 1945 1946 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1947 set_bit(SMP_FLAG_SC, &smp->flags); 1948 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1949 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1950 1951 /* If we need MITM check that it can be achieved */ 1952 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1953 u8 method; 1954 1955 method = get_auth_method(smp, req->io_capability, 1956 rsp->io_capability); 1957 if (method == JUST_WORKS || method == JUST_CFM) 1958 return SMP_AUTH_REQUIREMENTS; 1959 } 1960 1961 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1962 1963 /* Update remote key distribution in case the remote cleared 1964 * some bits that we had enabled in our request. 1965 */ 1966 smp->remote_key_dist &= rsp->resp_key_dist; 1967 1968 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1969 /* Clear bits which are generated but not distributed */ 1970 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1971 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1972 return sc_send_public_key(smp); 1973 } 1974 1975 auth |= req->auth_req; 1976 1977 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 1978 if (ret) 1979 return SMP_UNSPECIFIED; 1980 1981 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1982 1983 /* Can't compose response until we have been confirmed */ 1984 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 1985 return smp_confirm(smp); 1986 1987 return 0; 1988 } 1989 1990 static u8 sc_check_confirm(struct smp_chan *smp) 1991 { 1992 struct l2cap_conn *conn = smp->conn; 1993 1994 BT_DBG(""); 1995 1996 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1997 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 1998 1999 if (conn->hcon->out) { 2000 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2001 smp->prnd); 2002 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2003 } 2004 2005 return 0; 2006 } 2007 2008 /* Work-around for some implementations that incorrectly copy RFU bits 2009 * from our security request and thereby create the impression that 2010 * we're doing SC when in fact the remote doesn't support it. 2011 */ 2012 static int fixup_sc_false_positive(struct smp_chan *smp) 2013 { 2014 struct l2cap_conn *conn = smp->conn; 2015 struct hci_conn *hcon = conn->hcon; 2016 struct hci_dev *hdev = hcon->hdev; 2017 struct smp_cmd_pairing *req, *rsp; 2018 u8 auth; 2019 2020 /* The issue is only observed when we're in slave role */ 2021 if (hcon->out) 2022 return SMP_UNSPECIFIED; 2023 2024 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2025 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode"); 2026 return SMP_UNSPECIFIED; 2027 } 2028 2029 BT_ERR("Trying to fall back to legacy SMP"); 2030 2031 req = (void *) &smp->preq[1]; 2032 rsp = (void *) &smp->prsp[1]; 2033 2034 /* Rebuild key dist flags which may have been cleared for SC */ 2035 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2036 2037 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2038 2039 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2040 BT_ERR("Failed to fall back to legacy SMP"); 2041 return SMP_UNSPECIFIED; 2042 } 2043 2044 clear_bit(SMP_FLAG_SC, &smp->flags); 2045 2046 return 0; 2047 } 2048 2049 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2050 { 2051 struct l2cap_chan *chan = conn->smp; 2052 struct smp_chan *smp = chan->data; 2053 2054 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 2055 2056 if (skb->len < sizeof(smp->pcnf)) 2057 return SMP_INVALID_PARAMS; 2058 2059 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2060 skb_pull(skb, sizeof(smp->pcnf)); 2061 2062 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2063 int ret; 2064 2065 /* Public Key exchange must happen before any other steps */ 2066 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2067 return sc_check_confirm(smp); 2068 2069 BT_ERR("Unexpected SMP Pairing Confirm"); 2070 2071 ret = fixup_sc_false_positive(smp); 2072 if (ret) 2073 return ret; 2074 } 2075 2076 if (conn->hcon->out) { 2077 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2078 smp->prnd); 2079 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2080 return 0; 2081 } 2082 2083 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2084 return smp_confirm(smp); 2085 2086 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2087 2088 return 0; 2089 } 2090 2091 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2092 { 2093 struct l2cap_chan *chan = conn->smp; 2094 struct smp_chan *smp = chan->data; 2095 struct hci_conn *hcon = conn->hcon; 2096 u8 *pkax, *pkbx, *na, *nb; 2097 u32 passkey; 2098 int err; 2099 2100 BT_DBG("conn %p", conn); 2101 2102 if (skb->len < sizeof(smp->rrnd)) 2103 return SMP_INVALID_PARAMS; 2104 2105 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2106 skb_pull(skb, sizeof(smp->rrnd)); 2107 2108 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2109 return smp_random(smp); 2110 2111 if (hcon->out) { 2112 pkax = smp->local_pk; 2113 pkbx = smp->remote_pk; 2114 na = smp->prnd; 2115 nb = smp->rrnd; 2116 } else { 2117 pkax = smp->remote_pk; 2118 pkbx = smp->local_pk; 2119 na = smp->rrnd; 2120 nb = smp->prnd; 2121 } 2122 2123 if (smp->method == REQ_OOB) { 2124 if (!hcon->out) 2125 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2126 sizeof(smp->prnd), smp->prnd); 2127 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2128 goto mackey_and_ltk; 2129 } 2130 2131 /* Passkey entry has special treatment */ 2132 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2133 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2134 2135 if (hcon->out) { 2136 u8 cfm[16]; 2137 2138 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2139 smp->rrnd, 0, cfm); 2140 if (err) 2141 return SMP_UNSPECIFIED; 2142 2143 if (memcmp(smp->pcnf, cfm, 16)) 2144 return SMP_CONFIRM_FAILED; 2145 } else { 2146 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2147 smp->prnd); 2148 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2149 } 2150 2151 mackey_and_ltk: 2152 /* Generate MacKey and LTK */ 2153 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2154 if (err) 2155 return SMP_UNSPECIFIED; 2156 2157 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) { 2158 if (hcon->out) { 2159 sc_dhkey_check(smp); 2160 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2161 } 2162 return 0; 2163 } 2164 2165 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2166 if (err) 2167 return SMP_UNSPECIFIED; 2168 2169 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2170 hcon->dst_type, passkey, 0); 2171 if (err) 2172 return SMP_UNSPECIFIED; 2173 2174 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2175 2176 return 0; 2177 } 2178 2179 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2180 { 2181 struct smp_ltk *key; 2182 struct hci_conn *hcon = conn->hcon; 2183 2184 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2185 if (!key) 2186 return false; 2187 2188 if (smp_ltk_sec_level(key) < sec_level) 2189 return false; 2190 2191 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2192 return true; 2193 2194 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2195 hcon->enc_key_size = key->enc_size; 2196 2197 /* We never store STKs for master role, so clear this flag */ 2198 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2199 2200 return true; 2201 } 2202 2203 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2204 enum smp_key_pref key_pref) 2205 { 2206 if (sec_level == BT_SECURITY_LOW) 2207 return true; 2208 2209 /* If we're encrypted with an STK but the caller prefers using 2210 * LTK claim insufficient security. This way we allow the 2211 * connection to be re-encrypted with an LTK, even if the LTK 2212 * provides the same level of security. Only exception is if we 2213 * don't have an LTK (e.g. because of key distribution bits). 2214 */ 2215 if (key_pref == SMP_USE_LTK && 2216 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2217 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2218 return false; 2219 2220 if (hcon->sec_level >= sec_level) 2221 return true; 2222 2223 return false; 2224 } 2225 2226 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2227 { 2228 struct smp_cmd_security_req *rp = (void *) skb->data; 2229 struct smp_cmd_pairing cp; 2230 struct hci_conn *hcon = conn->hcon; 2231 struct hci_dev *hdev = hcon->hdev; 2232 struct smp_chan *smp; 2233 u8 sec_level, auth; 2234 2235 BT_DBG("conn %p", conn); 2236 2237 if (skb->len < sizeof(*rp)) 2238 return SMP_INVALID_PARAMS; 2239 2240 if (hcon->role != HCI_ROLE_MASTER) 2241 return SMP_CMD_NOTSUPP; 2242 2243 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2244 2245 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2246 return SMP_AUTH_REQUIREMENTS; 2247 2248 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2249 sec_level = BT_SECURITY_MEDIUM; 2250 else 2251 sec_level = authreq_to_seclevel(auth); 2252 2253 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2254 return 0; 2255 2256 if (sec_level > hcon->pending_sec_level) 2257 hcon->pending_sec_level = sec_level; 2258 2259 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2260 return 0; 2261 2262 smp = smp_chan_create(conn); 2263 if (!smp) 2264 return SMP_UNSPECIFIED; 2265 2266 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2267 (auth & SMP_AUTH_BONDING)) 2268 return SMP_PAIRING_NOTSUPP; 2269 2270 skb_pull(skb, sizeof(*rp)); 2271 2272 memset(&cp, 0, sizeof(cp)); 2273 build_pairing_cmd(conn, &cp, NULL, auth); 2274 2275 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2276 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2277 2278 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2279 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2280 2281 return 0; 2282 } 2283 2284 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2285 { 2286 struct l2cap_conn *conn = hcon->l2cap_data; 2287 struct l2cap_chan *chan; 2288 struct smp_chan *smp; 2289 __u8 authreq; 2290 int ret; 2291 2292 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 2293 2294 /* This may be NULL if there's an unexpected disconnection */ 2295 if (!conn) 2296 return 1; 2297 2298 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2299 return 1; 2300 2301 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2302 return 1; 2303 2304 if (sec_level > hcon->pending_sec_level) 2305 hcon->pending_sec_level = sec_level; 2306 2307 if (hcon->role == HCI_ROLE_MASTER) 2308 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2309 return 0; 2310 2311 chan = conn->smp; 2312 if (!chan) { 2313 BT_ERR("SMP security requested but not available"); 2314 return 1; 2315 } 2316 2317 l2cap_chan_lock(chan); 2318 2319 /* If SMP is already in progress ignore this request */ 2320 if (chan->data) { 2321 ret = 0; 2322 goto unlock; 2323 } 2324 2325 smp = smp_chan_create(conn); 2326 if (!smp) { 2327 ret = 1; 2328 goto unlock; 2329 } 2330 2331 authreq = seclevel_to_authreq(sec_level); 2332 2333 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) 2334 authreq |= SMP_AUTH_SC; 2335 2336 /* Require MITM if IO Capability allows or the security level 2337 * requires it. 2338 */ 2339 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2340 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2341 authreq |= SMP_AUTH_MITM; 2342 2343 if (hcon->role == HCI_ROLE_MASTER) { 2344 struct smp_cmd_pairing cp; 2345 2346 build_pairing_cmd(conn, &cp, NULL, authreq); 2347 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2348 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2349 2350 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2351 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2352 } else { 2353 struct smp_cmd_security_req cp; 2354 cp.auth_req = authreq; 2355 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2356 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2357 } 2358 2359 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2360 ret = 0; 2361 2362 unlock: 2363 l2cap_chan_unlock(chan); 2364 return ret; 2365 } 2366 2367 void smp_cancel_pairing(struct hci_conn *hcon) 2368 { 2369 struct l2cap_conn *conn = hcon->l2cap_data; 2370 struct l2cap_chan *chan; 2371 struct smp_chan *smp; 2372 2373 if (!conn) 2374 return; 2375 2376 chan = conn->smp; 2377 if (!chan) 2378 return; 2379 2380 l2cap_chan_lock(chan); 2381 2382 smp = chan->data; 2383 if (smp) { 2384 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2385 smp_failure(conn, 0); 2386 else 2387 smp_failure(conn, SMP_UNSPECIFIED); 2388 } 2389 2390 l2cap_chan_unlock(chan); 2391 } 2392 2393 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2394 { 2395 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2396 struct l2cap_chan *chan = conn->smp; 2397 struct smp_chan *smp = chan->data; 2398 2399 BT_DBG("conn %p", conn); 2400 2401 if (skb->len < sizeof(*rp)) 2402 return SMP_INVALID_PARAMS; 2403 2404 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT); 2405 2406 skb_pull(skb, sizeof(*rp)); 2407 2408 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2409 2410 return 0; 2411 } 2412 2413 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2414 { 2415 struct smp_cmd_master_ident *rp = (void *) skb->data; 2416 struct l2cap_chan *chan = conn->smp; 2417 struct smp_chan *smp = chan->data; 2418 struct hci_dev *hdev = conn->hcon->hdev; 2419 struct hci_conn *hcon = conn->hcon; 2420 struct smp_ltk *ltk; 2421 u8 authenticated; 2422 2423 BT_DBG("conn %p", conn); 2424 2425 if (skb->len < sizeof(*rp)) 2426 return SMP_INVALID_PARAMS; 2427 2428 /* Mark the information as received */ 2429 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2430 2431 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2432 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2433 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2434 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2435 2436 skb_pull(skb, sizeof(*rp)); 2437 2438 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2439 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2440 authenticated, smp->tk, smp->enc_key_size, 2441 rp->ediv, rp->rand); 2442 smp->ltk = ltk; 2443 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2444 smp_distribute_keys(smp); 2445 2446 return 0; 2447 } 2448 2449 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2450 { 2451 struct smp_cmd_ident_info *info = (void *) skb->data; 2452 struct l2cap_chan *chan = conn->smp; 2453 struct smp_chan *smp = chan->data; 2454 2455 BT_DBG(""); 2456 2457 if (skb->len < sizeof(*info)) 2458 return SMP_INVALID_PARAMS; 2459 2460 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2461 2462 skb_pull(skb, sizeof(*info)); 2463 2464 memcpy(smp->irk, info->irk, 16); 2465 2466 return 0; 2467 } 2468 2469 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2470 struct sk_buff *skb) 2471 { 2472 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2473 struct l2cap_chan *chan = conn->smp; 2474 struct smp_chan *smp = chan->data; 2475 struct hci_conn *hcon = conn->hcon; 2476 bdaddr_t rpa; 2477 2478 BT_DBG(""); 2479 2480 if (skb->len < sizeof(*info)) 2481 return SMP_INVALID_PARAMS; 2482 2483 /* Mark the information as received */ 2484 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2485 2486 if (smp->remote_key_dist & SMP_DIST_SIGN) 2487 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2488 2489 skb_pull(skb, sizeof(*info)); 2490 2491 /* Strictly speaking the Core Specification (4.1) allows sending 2492 * an empty address which would force us to rely on just the IRK 2493 * as "identity information". However, since such 2494 * implementations are not known of and in order to not over 2495 * complicate our implementation, simply pretend that we never 2496 * received an IRK for such a device. 2497 * 2498 * The Identity Address must also be a Static Random or Public 2499 * Address, which hci_is_identity_address() checks for. 2500 */ 2501 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2502 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2503 BT_ERR("Ignoring IRK with no identity address"); 2504 goto distribute; 2505 } 2506 2507 bacpy(&smp->id_addr, &info->bdaddr); 2508 smp->id_addr_type = info->addr_type; 2509 2510 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2511 bacpy(&rpa, &hcon->dst); 2512 else 2513 bacpy(&rpa, BDADDR_ANY); 2514 2515 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2516 smp->id_addr_type, smp->irk, &rpa); 2517 2518 distribute: 2519 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2520 smp_distribute_keys(smp); 2521 2522 return 0; 2523 } 2524 2525 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2526 { 2527 struct smp_cmd_sign_info *rp = (void *) skb->data; 2528 struct l2cap_chan *chan = conn->smp; 2529 struct smp_chan *smp = chan->data; 2530 struct smp_csrk *csrk; 2531 2532 BT_DBG("conn %p", conn); 2533 2534 if (skb->len < sizeof(*rp)) 2535 return SMP_INVALID_PARAMS; 2536 2537 /* Mark the information as received */ 2538 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2539 2540 skb_pull(skb, sizeof(*rp)); 2541 2542 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2543 if (csrk) { 2544 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2545 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2546 else 2547 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2548 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2549 } 2550 smp->csrk = csrk; 2551 smp_distribute_keys(smp); 2552 2553 return 0; 2554 } 2555 2556 static u8 sc_select_method(struct smp_chan *smp) 2557 { 2558 struct l2cap_conn *conn = smp->conn; 2559 struct hci_conn *hcon = conn->hcon; 2560 struct smp_cmd_pairing *local, *remote; 2561 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2562 2563 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2564 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2565 return REQ_OOB; 2566 2567 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2568 * which are needed as inputs to some crypto functions. To get 2569 * the "struct smp_cmd_pairing" from them we need to skip the 2570 * first byte which contains the opcode. 2571 */ 2572 if (hcon->out) { 2573 local = (void *) &smp->preq[1]; 2574 remote = (void *) &smp->prsp[1]; 2575 } else { 2576 local = (void *) &smp->prsp[1]; 2577 remote = (void *) &smp->preq[1]; 2578 } 2579 2580 local_io = local->io_capability; 2581 remote_io = remote->io_capability; 2582 2583 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2584 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2585 2586 /* If either side wants MITM, look up the method from the table, 2587 * otherwise use JUST WORKS. 2588 */ 2589 if (local_mitm || remote_mitm) 2590 method = get_auth_method(smp, local_io, remote_io); 2591 else 2592 method = JUST_WORKS; 2593 2594 /* Don't confirm locally initiated pairing attempts */ 2595 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2596 method = JUST_WORKS; 2597 2598 return method; 2599 } 2600 2601 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2602 { 2603 struct smp_cmd_public_key *key = (void *) skb->data; 2604 struct hci_conn *hcon = conn->hcon; 2605 struct l2cap_chan *chan = conn->smp; 2606 struct smp_chan *smp = chan->data; 2607 struct hci_dev *hdev = hcon->hdev; 2608 struct smp_cmd_pairing_confirm cfm; 2609 int err; 2610 2611 BT_DBG("conn %p", conn); 2612 2613 if (skb->len < sizeof(*key)) 2614 return SMP_INVALID_PARAMS; 2615 2616 memcpy(smp->remote_pk, key, 64); 2617 2618 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2619 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2620 smp->rr, 0, cfm.confirm_val); 2621 if (err) 2622 return SMP_UNSPECIFIED; 2623 2624 if (memcmp(cfm.confirm_val, smp->pcnf, 16)) 2625 return SMP_CONFIRM_FAILED; 2626 } 2627 2628 /* Non-initiating device sends its public key after receiving 2629 * the key from the initiating device. 2630 */ 2631 if (!hcon->out) { 2632 err = sc_send_public_key(smp); 2633 if (err) 2634 return err; 2635 } 2636 2637 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2638 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2639 2640 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey)) 2641 return SMP_UNSPECIFIED; 2642 2643 SMP_DBG("DHKey %32phN", smp->dhkey); 2644 2645 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2646 2647 smp->method = sc_select_method(smp); 2648 2649 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method); 2650 2651 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2652 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2653 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2654 else 2655 hcon->pending_sec_level = BT_SECURITY_FIPS; 2656 2657 if (!memcmp(debug_pk, smp->remote_pk, 64)) 2658 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2659 2660 if (smp->method == DSP_PASSKEY) { 2661 get_random_bytes(&hcon->passkey_notify, 2662 sizeof(hcon->passkey_notify)); 2663 hcon->passkey_notify %= 1000000; 2664 hcon->passkey_entered = 0; 2665 smp->passkey_round = 0; 2666 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2667 hcon->dst_type, 2668 hcon->passkey_notify, 2669 hcon->passkey_entered)) 2670 return SMP_UNSPECIFIED; 2671 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2672 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2673 } 2674 2675 if (smp->method == REQ_OOB) { 2676 if (hcon->out) 2677 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2678 sizeof(smp->prnd), smp->prnd); 2679 2680 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2681 2682 return 0; 2683 } 2684 2685 if (hcon->out) 2686 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2687 2688 if (smp->method == REQ_PASSKEY) { 2689 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2690 hcon->dst_type)) 2691 return SMP_UNSPECIFIED; 2692 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2693 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2694 return 0; 2695 } 2696 2697 /* The Initiating device waits for the non-initiating device to 2698 * send the confirm value. 2699 */ 2700 if (conn->hcon->out) 2701 return 0; 2702 2703 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2704 0, cfm.confirm_val); 2705 if (err) 2706 return SMP_UNSPECIFIED; 2707 2708 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2709 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2710 2711 return 0; 2712 } 2713 2714 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2715 { 2716 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2717 struct l2cap_chan *chan = conn->smp; 2718 struct hci_conn *hcon = conn->hcon; 2719 struct smp_chan *smp = chan->data; 2720 u8 a[7], b[7], *local_addr, *remote_addr; 2721 u8 io_cap[3], r[16], e[16]; 2722 int err; 2723 2724 BT_DBG("conn %p", conn); 2725 2726 if (skb->len < sizeof(*check)) 2727 return SMP_INVALID_PARAMS; 2728 2729 memcpy(a, &hcon->init_addr, 6); 2730 memcpy(b, &hcon->resp_addr, 6); 2731 a[6] = hcon->init_addr_type; 2732 b[6] = hcon->resp_addr_type; 2733 2734 if (hcon->out) { 2735 local_addr = a; 2736 remote_addr = b; 2737 memcpy(io_cap, &smp->prsp[1], 3); 2738 } else { 2739 local_addr = b; 2740 remote_addr = a; 2741 memcpy(io_cap, &smp->preq[1], 3); 2742 } 2743 2744 memset(r, 0, sizeof(r)); 2745 2746 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2747 put_unaligned_le32(hcon->passkey_notify, r); 2748 else if (smp->method == REQ_OOB) 2749 memcpy(r, smp->lr, 16); 2750 2751 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2752 io_cap, remote_addr, local_addr, e); 2753 if (err) 2754 return SMP_UNSPECIFIED; 2755 2756 if (memcmp(check->e, e, 16)) 2757 return SMP_DHKEY_CHECK_FAILED; 2758 2759 if (!hcon->out) { 2760 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2761 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2762 return 0; 2763 } 2764 2765 /* Slave sends DHKey check as response to master */ 2766 sc_dhkey_check(smp); 2767 } 2768 2769 sc_add_ltk(smp); 2770 2771 if (hcon->out) { 2772 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2773 hcon->enc_key_size = smp->enc_key_size; 2774 } 2775 2776 return 0; 2777 } 2778 2779 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2780 struct sk_buff *skb) 2781 { 2782 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2783 2784 BT_DBG("value 0x%02x", kp->value); 2785 2786 return 0; 2787 } 2788 2789 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2790 { 2791 struct l2cap_conn *conn = chan->conn; 2792 struct hci_conn *hcon = conn->hcon; 2793 struct smp_chan *smp; 2794 __u8 code, reason; 2795 int err = 0; 2796 2797 if (skb->len < 1) 2798 return -EILSEQ; 2799 2800 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2801 reason = SMP_PAIRING_NOTSUPP; 2802 goto done; 2803 } 2804 2805 code = skb->data[0]; 2806 skb_pull(skb, sizeof(code)); 2807 2808 smp = chan->data; 2809 2810 if (code > SMP_CMD_MAX) 2811 goto drop; 2812 2813 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2814 goto drop; 2815 2816 /* If we don't have a context the only allowed commands are 2817 * pairing request and security request. 2818 */ 2819 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2820 goto drop; 2821 2822 switch (code) { 2823 case SMP_CMD_PAIRING_REQ: 2824 reason = smp_cmd_pairing_req(conn, skb); 2825 break; 2826 2827 case SMP_CMD_PAIRING_FAIL: 2828 smp_failure(conn, 0); 2829 err = -EPERM; 2830 break; 2831 2832 case SMP_CMD_PAIRING_RSP: 2833 reason = smp_cmd_pairing_rsp(conn, skb); 2834 break; 2835 2836 case SMP_CMD_SECURITY_REQ: 2837 reason = smp_cmd_security_req(conn, skb); 2838 break; 2839 2840 case SMP_CMD_PAIRING_CONFIRM: 2841 reason = smp_cmd_pairing_confirm(conn, skb); 2842 break; 2843 2844 case SMP_CMD_PAIRING_RANDOM: 2845 reason = smp_cmd_pairing_random(conn, skb); 2846 break; 2847 2848 case SMP_CMD_ENCRYPT_INFO: 2849 reason = smp_cmd_encrypt_info(conn, skb); 2850 break; 2851 2852 case SMP_CMD_MASTER_IDENT: 2853 reason = smp_cmd_master_ident(conn, skb); 2854 break; 2855 2856 case SMP_CMD_IDENT_INFO: 2857 reason = smp_cmd_ident_info(conn, skb); 2858 break; 2859 2860 case SMP_CMD_IDENT_ADDR_INFO: 2861 reason = smp_cmd_ident_addr_info(conn, skb); 2862 break; 2863 2864 case SMP_CMD_SIGN_INFO: 2865 reason = smp_cmd_sign_info(conn, skb); 2866 break; 2867 2868 case SMP_CMD_PUBLIC_KEY: 2869 reason = smp_cmd_public_key(conn, skb); 2870 break; 2871 2872 case SMP_CMD_DHKEY_CHECK: 2873 reason = smp_cmd_dhkey_check(conn, skb); 2874 break; 2875 2876 case SMP_CMD_KEYPRESS_NOTIFY: 2877 reason = smp_cmd_keypress_notify(conn, skb); 2878 break; 2879 2880 default: 2881 BT_DBG("Unknown command code 0x%2.2x", code); 2882 reason = SMP_CMD_NOTSUPP; 2883 goto done; 2884 } 2885 2886 done: 2887 if (!err) { 2888 if (reason) 2889 smp_failure(conn, reason); 2890 kfree_skb(skb); 2891 } 2892 2893 return err; 2894 2895 drop: 2896 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name, 2897 code, &hcon->dst); 2898 kfree_skb(skb); 2899 return 0; 2900 } 2901 2902 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 2903 { 2904 struct l2cap_conn *conn = chan->conn; 2905 2906 BT_DBG("chan %p", chan); 2907 2908 if (chan->data) 2909 smp_chan_destroy(conn); 2910 2911 conn->smp = NULL; 2912 l2cap_chan_put(chan); 2913 } 2914 2915 static void bredr_pairing(struct l2cap_chan *chan) 2916 { 2917 struct l2cap_conn *conn = chan->conn; 2918 struct hci_conn *hcon = conn->hcon; 2919 struct hci_dev *hdev = hcon->hdev; 2920 struct smp_cmd_pairing req; 2921 struct smp_chan *smp; 2922 2923 BT_DBG("chan %p", chan); 2924 2925 /* Only new pairings are interesting */ 2926 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 2927 return; 2928 2929 /* Don't bother if we're not encrypted */ 2930 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2931 return; 2932 2933 /* Only master may initiate SMP over BR/EDR */ 2934 if (hcon->role != HCI_ROLE_MASTER) 2935 return; 2936 2937 /* Secure Connections support must be enabled */ 2938 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 2939 return; 2940 2941 /* BR/EDR must use Secure Connections for SMP */ 2942 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 2943 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 2944 return; 2945 2946 /* If our LE support is not enabled don't do anything */ 2947 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 2948 return; 2949 2950 /* Don't bother if remote LE support is not enabled */ 2951 if (!lmp_host_le_capable(hcon)) 2952 return; 2953 2954 /* Remote must support SMP fixed chan for BR/EDR */ 2955 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 2956 return; 2957 2958 /* Don't bother if SMP is already ongoing */ 2959 if (chan->data) 2960 return; 2961 2962 smp = smp_chan_create(conn); 2963 if (!smp) { 2964 BT_ERR("%s unable to create SMP context for BR/EDR", 2965 hdev->name); 2966 return; 2967 } 2968 2969 set_bit(SMP_FLAG_SC, &smp->flags); 2970 2971 BT_DBG("%s starting SMP over BR/EDR", hdev->name); 2972 2973 /* Prepare and send the BR/EDR SMP Pairing Request */ 2974 build_bredr_pairing_cmd(smp, &req, NULL); 2975 2976 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2977 memcpy(&smp->preq[1], &req, sizeof(req)); 2978 2979 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 2980 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2981 } 2982 2983 static void smp_resume_cb(struct l2cap_chan *chan) 2984 { 2985 struct smp_chan *smp = chan->data; 2986 struct l2cap_conn *conn = chan->conn; 2987 struct hci_conn *hcon = conn->hcon; 2988 2989 BT_DBG("chan %p", chan); 2990 2991 if (hcon->type == ACL_LINK) { 2992 bredr_pairing(chan); 2993 return; 2994 } 2995 2996 if (!smp) 2997 return; 2998 2999 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3000 return; 3001 3002 cancel_delayed_work(&smp->security_timer); 3003 3004 smp_distribute_keys(smp); 3005 } 3006 3007 static void smp_ready_cb(struct l2cap_chan *chan) 3008 { 3009 struct l2cap_conn *conn = chan->conn; 3010 struct hci_conn *hcon = conn->hcon; 3011 3012 BT_DBG("chan %p", chan); 3013 3014 /* No need to call l2cap_chan_hold() here since we already own 3015 * the reference taken in smp_new_conn_cb(). This is just the 3016 * first time that we tie it to a specific pointer. The code in 3017 * l2cap_core.c ensures that there's no risk this function wont 3018 * get called if smp_new_conn_cb was previously called. 3019 */ 3020 conn->smp = chan; 3021 3022 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3023 bredr_pairing(chan); 3024 } 3025 3026 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3027 { 3028 int err; 3029 3030 BT_DBG("chan %p", chan); 3031 3032 err = smp_sig_channel(chan, skb); 3033 if (err) { 3034 struct smp_chan *smp = chan->data; 3035 3036 if (smp) 3037 cancel_delayed_work_sync(&smp->security_timer); 3038 3039 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3040 } 3041 3042 return err; 3043 } 3044 3045 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3046 unsigned long hdr_len, 3047 unsigned long len, int nb) 3048 { 3049 struct sk_buff *skb; 3050 3051 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3052 if (!skb) 3053 return ERR_PTR(-ENOMEM); 3054 3055 skb->priority = HCI_PRIO_MAX; 3056 bt_cb(skb)->l2cap.chan = chan; 3057 3058 return skb; 3059 } 3060 3061 static const struct l2cap_ops smp_chan_ops = { 3062 .name = "Security Manager", 3063 .ready = smp_ready_cb, 3064 .recv = smp_recv_cb, 3065 .alloc_skb = smp_alloc_skb_cb, 3066 .teardown = smp_teardown_cb, 3067 .resume = smp_resume_cb, 3068 3069 .new_connection = l2cap_chan_no_new_connection, 3070 .state_change = l2cap_chan_no_state_change, 3071 .close = l2cap_chan_no_close, 3072 .defer = l2cap_chan_no_defer, 3073 .suspend = l2cap_chan_no_suspend, 3074 .set_shutdown = l2cap_chan_no_set_shutdown, 3075 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3076 }; 3077 3078 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3079 { 3080 struct l2cap_chan *chan; 3081 3082 BT_DBG("pchan %p", pchan); 3083 3084 chan = l2cap_chan_create(); 3085 if (!chan) 3086 return NULL; 3087 3088 chan->chan_type = pchan->chan_type; 3089 chan->ops = &smp_chan_ops; 3090 chan->scid = pchan->scid; 3091 chan->dcid = chan->scid; 3092 chan->imtu = pchan->imtu; 3093 chan->omtu = pchan->omtu; 3094 chan->mode = pchan->mode; 3095 3096 /* Other L2CAP channels may request SMP routines in order to 3097 * change the security level. This means that the SMP channel 3098 * lock must be considered in its own category to avoid lockdep 3099 * warnings. 3100 */ 3101 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3102 3103 BT_DBG("created chan %p", chan); 3104 3105 return chan; 3106 } 3107 3108 static const struct l2cap_ops smp_root_chan_ops = { 3109 .name = "Security Manager Root", 3110 .new_connection = smp_new_conn_cb, 3111 3112 /* None of these are implemented for the root channel */ 3113 .close = l2cap_chan_no_close, 3114 .alloc_skb = l2cap_chan_no_alloc_skb, 3115 .recv = l2cap_chan_no_recv, 3116 .state_change = l2cap_chan_no_state_change, 3117 .teardown = l2cap_chan_no_teardown, 3118 .ready = l2cap_chan_no_ready, 3119 .defer = l2cap_chan_no_defer, 3120 .suspend = l2cap_chan_no_suspend, 3121 .resume = l2cap_chan_no_resume, 3122 .set_shutdown = l2cap_chan_no_set_shutdown, 3123 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3124 }; 3125 3126 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3127 { 3128 struct l2cap_chan *chan; 3129 struct smp_dev *smp; 3130 struct crypto_blkcipher *tfm_aes; 3131 struct crypto_hash *tfm_cmac; 3132 3133 if (cid == L2CAP_CID_SMP_BREDR) { 3134 smp = NULL; 3135 goto create_chan; 3136 } 3137 3138 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3139 if (!smp) 3140 return ERR_PTR(-ENOMEM); 3141 3142 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 3143 if (IS_ERR(tfm_aes)) { 3144 BT_ERR("Unable to create ECB crypto context"); 3145 kzfree(smp); 3146 return ERR_CAST(tfm_aes); 3147 } 3148 3149 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 3150 if (IS_ERR(tfm_cmac)) { 3151 BT_ERR("Unable to create CMAC crypto context"); 3152 crypto_free_blkcipher(tfm_aes); 3153 kzfree(smp); 3154 return ERR_CAST(tfm_cmac); 3155 } 3156 3157 smp->tfm_aes = tfm_aes; 3158 smp->tfm_cmac = tfm_cmac; 3159 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE; 3160 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 3161 3162 create_chan: 3163 chan = l2cap_chan_create(); 3164 if (!chan) { 3165 if (smp) { 3166 crypto_free_blkcipher(smp->tfm_aes); 3167 crypto_free_hash(smp->tfm_cmac); 3168 kzfree(smp); 3169 } 3170 return ERR_PTR(-ENOMEM); 3171 } 3172 3173 chan->data = smp; 3174 3175 l2cap_add_scid(chan, cid); 3176 3177 l2cap_chan_set_defaults(chan); 3178 3179 if (cid == L2CAP_CID_SMP) { 3180 u8 bdaddr_type; 3181 3182 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3183 3184 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3185 chan->src_type = BDADDR_LE_PUBLIC; 3186 else 3187 chan->src_type = BDADDR_LE_RANDOM; 3188 } else { 3189 bacpy(&chan->src, &hdev->bdaddr); 3190 chan->src_type = BDADDR_BREDR; 3191 } 3192 3193 chan->state = BT_LISTEN; 3194 chan->mode = L2CAP_MODE_BASIC; 3195 chan->imtu = L2CAP_DEFAULT_MTU; 3196 chan->ops = &smp_root_chan_ops; 3197 3198 /* Set correct nesting level for a parent/listening channel */ 3199 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3200 3201 return chan; 3202 } 3203 3204 static void smp_del_chan(struct l2cap_chan *chan) 3205 { 3206 struct smp_dev *smp; 3207 3208 BT_DBG("chan %p", chan); 3209 3210 smp = chan->data; 3211 if (smp) { 3212 chan->data = NULL; 3213 if (smp->tfm_aes) 3214 crypto_free_blkcipher(smp->tfm_aes); 3215 if (smp->tfm_cmac) 3216 crypto_free_hash(smp->tfm_cmac); 3217 kzfree(smp); 3218 } 3219 3220 l2cap_chan_put(chan); 3221 } 3222 3223 static ssize_t force_bredr_smp_read(struct file *file, 3224 char __user *user_buf, 3225 size_t count, loff_t *ppos) 3226 { 3227 struct hci_dev *hdev = file->private_data; 3228 char buf[3]; 3229 3230 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N'; 3231 buf[1] = '\n'; 3232 buf[2] = '\0'; 3233 return simple_read_from_buffer(user_buf, count, ppos, buf, 2); 3234 } 3235 3236 static ssize_t force_bredr_smp_write(struct file *file, 3237 const char __user *user_buf, 3238 size_t count, loff_t *ppos) 3239 { 3240 struct hci_dev *hdev = file->private_data; 3241 char buf[32]; 3242 size_t buf_size = min(count, (sizeof(buf)-1)); 3243 bool enable; 3244 3245 if (copy_from_user(buf, user_buf, buf_size)) 3246 return -EFAULT; 3247 3248 buf[buf_size] = '\0'; 3249 if (strtobool(buf, &enable)) 3250 return -EINVAL; 3251 3252 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3253 return -EALREADY; 3254 3255 if (enable) { 3256 struct l2cap_chan *chan; 3257 3258 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3259 if (IS_ERR(chan)) 3260 return PTR_ERR(chan); 3261 3262 hdev->smp_bredr_data = chan; 3263 } else { 3264 struct l2cap_chan *chan; 3265 3266 chan = hdev->smp_bredr_data; 3267 hdev->smp_bredr_data = NULL; 3268 smp_del_chan(chan); 3269 } 3270 3271 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3272 3273 return count; 3274 } 3275 3276 static const struct file_operations force_bredr_smp_fops = { 3277 .open = simple_open, 3278 .read = force_bredr_smp_read, 3279 .write = force_bredr_smp_write, 3280 .llseek = default_llseek, 3281 }; 3282 3283 static ssize_t le_min_key_size_read(struct file *file, 3284 char __user *user_buf, 3285 size_t count, loff_t *ppos) 3286 { 3287 struct hci_dev *hdev = file->private_data; 3288 char buf[4]; 3289 3290 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size); 3291 3292 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3293 } 3294 3295 static ssize_t le_min_key_size_write(struct file *file, 3296 const char __user *user_buf, 3297 size_t count, loff_t *ppos) 3298 { 3299 struct hci_dev *hdev = file->private_data; 3300 char buf[32]; 3301 size_t buf_size = min(count, (sizeof(buf) - 1)); 3302 u8 key_size; 3303 3304 if (copy_from_user(buf, user_buf, buf_size)) 3305 return -EFAULT; 3306 3307 buf[buf_size] = '\0'; 3308 3309 sscanf(buf, "%hhu", &key_size); 3310 3311 if (key_size > SMP_DEV(hdev)->max_key_size || 3312 key_size < SMP_MIN_ENC_KEY_SIZE) 3313 return -EINVAL; 3314 3315 SMP_DEV(hdev)->min_key_size = key_size; 3316 3317 return count; 3318 } 3319 3320 static const struct file_operations le_min_key_size_fops = { 3321 .open = simple_open, 3322 .read = le_min_key_size_read, 3323 .write = le_min_key_size_write, 3324 .llseek = default_llseek, 3325 }; 3326 3327 static ssize_t le_max_key_size_read(struct file *file, 3328 char __user *user_buf, 3329 size_t count, loff_t *ppos) 3330 { 3331 struct hci_dev *hdev = file->private_data; 3332 char buf[4]; 3333 3334 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size); 3335 3336 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf)); 3337 } 3338 3339 static ssize_t le_max_key_size_write(struct file *file, 3340 const char __user *user_buf, 3341 size_t count, loff_t *ppos) 3342 { 3343 struct hci_dev *hdev = file->private_data; 3344 char buf[32]; 3345 size_t buf_size = min(count, (sizeof(buf) - 1)); 3346 u8 key_size; 3347 3348 if (copy_from_user(buf, user_buf, buf_size)) 3349 return -EFAULT; 3350 3351 buf[buf_size] = '\0'; 3352 3353 sscanf(buf, "%hhu", &key_size); 3354 3355 if (key_size > SMP_MAX_ENC_KEY_SIZE || 3356 key_size < SMP_DEV(hdev)->min_key_size) 3357 return -EINVAL; 3358 3359 SMP_DEV(hdev)->max_key_size = key_size; 3360 3361 return count; 3362 } 3363 3364 static const struct file_operations le_max_key_size_fops = { 3365 .open = simple_open, 3366 .read = le_max_key_size_read, 3367 .write = le_max_key_size_write, 3368 .llseek = default_llseek, 3369 }; 3370 3371 int smp_register(struct hci_dev *hdev) 3372 { 3373 struct l2cap_chan *chan; 3374 3375 BT_DBG("%s", hdev->name); 3376 3377 /* If the controller does not support Low Energy operation, then 3378 * there is also no need to register any SMP channel. 3379 */ 3380 if (!lmp_le_capable(hdev)) 3381 return 0; 3382 3383 if (WARN_ON(hdev->smp_data)) { 3384 chan = hdev->smp_data; 3385 hdev->smp_data = NULL; 3386 smp_del_chan(chan); 3387 } 3388 3389 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3390 if (IS_ERR(chan)) 3391 return PTR_ERR(chan); 3392 3393 hdev->smp_data = chan; 3394 3395 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev, 3396 &le_min_key_size_fops); 3397 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev, 3398 &le_max_key_size_fops); 3399 3400 /* If the controller does not support BR/EDR Secure Connections 3401 * feature, then the BR/EDR SMP channel shall not be present. 3402 * 3403 * To test this with Bluetooth 4.0 controllers, create a debugfs 3404 * switch that allows forcing BR/EDR SMP support and accepting 3405 * cross-transport pairing on non-AES encrypted connections. 3406 */ 3407 if (!lmp_sc_capable(hdev)) { 3408 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs, 3409 hdev, &force_bredr_smp_fops); 3410 return 0; 3411 } 3412 3413 if (WARN_ON(hdev->smp_bredr_data)) { 3414 chan = hdev->smp_bredr_data; 3415 hdev->smp_bredr_data = NULL; 3416 smp_del_chan(chan); 3417 } 3418 3419 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3420 if (IS_ERR(chan)) { 3421 int err = PTR_ERR(chan); 3422 chan = hdev->smp_data; 3423 hdev->smp_data = NULL; 3424 smp_del_chan(chan); 3425 return err; 3426 } 3427 3428 hdev->smp_bredr_data = chan; 3429 3430 return 0; 3431 } 3432 3433 void smp_unregister(struct hci_dev *hdev) 3434 { 3435 struct l2cap_chan *chan; 3436 3437 if (hdev->smp_bredr_data) { 3438 chan = hdev->smp_bredr_data; 3439 hdev->smp_bredr_data = NULL; 3440 smp_del_chan(chan); 3441 } 3442 3443 if (hdev->smp_data) { 3444 chan = hdev->smp_data; 3445 hdev->smp_data = NULL; 3446 smp_del_chan(chan); 3447 } 3448 } 3449 3450 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3451 3452 static int __init test_ah(struct crypto_blkcipher *tfm_aes) 3453 { 3454 const u8 irk[16] = { 3455 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3456 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3457 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3458 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3459 u8 res[3]; 3460 int err; 3461 3462 err = smp_ah(tfm_aes, irk, r, res); 3463 if (err) 3464 return err; 3465 3466 if (memcmp(res, exp, 3)) 3467 return -EINVAL; 3468 3469 return 0; 3470 } 3471 3472 static int __init test_c1(struct crypto_blkcipher *tfm_aes) 3473 { 3474 const u8 k[16] = { 3475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3476 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3477 const u8 r[16] = { 3478 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3479 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3480 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3481 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3482 const u8 _iat = 0x01; 3483 const u8 _rat = 0x00; 3484 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3485 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3486 const u8 exp[16] = { 3487 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3488 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3489 u8 res[16]; 3490 int err; 3491 3492 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3493 if (err) 3494 return err; 3495 3496 if (memcmp(res, exp, 16)) 3497 return -EINVAL; 3498 3499 return 0; 3500 } 3501 3502 static int __init test_s1(struct crypto_blkcipher *tfm_aes) 3503 { 3504 const u8 k[16] = { 3505 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3507 const u8 r1[16] = { 3508 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3509 const u8 r2[16] = { 3510 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3511 const u8 exp[16] = { 3512 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3513 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3514 u8 res[16]; 3515 int err; 3516 3517 err = smp_s1(tfm_aes, k, r1, r2, res); 3518 if (err) 3519 return err; 3520 3521 if (memcmp(res, exp, 16)) 3522 return -EINVAL; 3523 3524 return 0; 3525 } 3526 3527 static int __init test_f4(struct crypto_hash *tfm_cmac) 3528 { 3529 const u8 u[32] = { 3530 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3531 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3532 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3533 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3534 const u8 v[32] = { 3535 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3536 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3537 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3538 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3539 const u8 x[16] = { 3540 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3541 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3542 const u8 z = 0x00; 3543 const u8 exp[16] = { 3544 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3545 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3546 u8 res[16]; 3547 int err; 3548 3549 err = smp_f4(tfm_cmac, u, v, x, z, res); 3550 if (err) 3551 return err; 3552 3553 if (memcmp(res, exp, 16)) 3554 return -EINVAL; 3555 3556 return 0; 3557 } 3558 3559 static int __init test_f5(struct crypto_hash *tfm_cmac) 3560 { 3561 const u8 w[32] = { 3562 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3563 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3564 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3565 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3566 const u8 n1[16] = { 3567 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3568 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3569 const u8 n2[16] = { 3570 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3571 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3572 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3573 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3574 const u8 exp_ltk[16] = { 3575 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3576 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3577 const u8 exp_mackey[16] = { 3578 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3579 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3580 u8 mackey[16], ltk[16]; 3581 int err; 3582 3583 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3584 if (err) 3585 return err; 3586 3587 if (memcmp(mackey, exp_mackey, 16)) 3588 return -EINVAL; 3589 3590 if (memcmp(ltk, exp_ltk, 16)) 3591 return -EINVAL; 3592 3593 return 0; 3594 } 3595 3596 static int __init test_f6(struct crypto_hash *tfm_cmac) 3597 { 3598 const u8 w[16] = { 3599 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3600 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3601 const u8 n1[16] = { 3602 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3603 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3604 const u8 n2[16] = { 3605 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3606 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3607 const u8 r[16] = { 3608 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3609 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3610 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3611 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3612 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3613 const u8 exp[16] = { 3614 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3615 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3616 u8 res[16]; 3617 int err; 3618 3619 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3620 if (err) 3621 return err; 3622 3623 if (memcmp(res, exp, 16)) 3624 return -EINVAL; 3625 3626 return 0; 3627 } 3628 3629 static int __init test_g2(struct crypto_hash *tfm_cmac) 3630 { 3631 const u8 u[32] = { 3632 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3633 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3634 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3635 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3636 const u8 v[32] = { 3637 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3638 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3639 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3640 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3641 const u8 x[16] = { 3642 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3643 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3644 const u8 y[16] = { 3645 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3646 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3647 const u32 exp_val = 0x2f9ed5ba % 1000000; 3648 u32 val; 3649 int err; 3650 3651 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3652 if (err) 3653 return err; 3654 3655 if (val != exp_val) 3656 return -EINVAL; 3657 3658 return 0; 3659 } 3660 3661 static int __init test_h6(struct crypto_hash *tfm_cmac) 3662 { 3663 const u8 w[16] = { 3664 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3665 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3666 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3667 const u8 exp[16] = { 3668 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3669 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3670 u8 res[16]; 3671 int err; 3672 3673 err = smp_h6(tfm_cmac, w, key_id, res); 3674 if (err) 3675 return err; 3676 3677 if (memcmp(res, exp, 16)) 3678 return -EINVAL; 3679 3680 return 0; 3681 } 3682 3683 static char test_smp_buffer[32]; 3684 3685 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3686 size_t count, loff_t *ppos) 3687 { 3688 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3689 strlen(test_smp_buffer)); 3690 } 3691 3692 static const struct file_operations test_smp_fops = { 3693 .open = simple_open, 3694 .read = test_smp_read, 3695 .llseek = default_llseek, 3696 }; 3697 3698 static int __init run_selftests(struct crypto_blkcipher *tfm_aes, 3699 struct crypto_hash *tfm_cmac) 3700 { 3701 ktime_t calltime, delta, rettime; 3702 unsigned long long duration; 3703 int err; 3704 3705 calltime = ktime_get(); 3706 3707 err = test_ah(tfm_aes); 3708 if (err) { 3709 BT_ERR("smp_ah test failed"); 3710 goto done; 3711 } 3712 3713 err = test_c1(tfm_aes); 3714 if (err) { 3715 BT_ERR("smp_c1 test failed"); 3716 goto done; 3717 } 3718 3719 err = test_s1(tfm_aes); 3720 if (err) { 3721 BT_ERR("smp_s1 test failed"); 3722 goto done; 3723 } 3724 3725 err = test_f4(tfm_cmac); 3726 if (err) { 3727 BT_ERR("smp_f4 test failed"); 3728 goto done; 3729 } 3730 3731 err = test_f5(tfm_cmac); 3732 if (err) { 3733 BT_ERR("smp_f5 test failed"); 3734 goto done; 3735 } 3736 3737 err = test_f6(tfm_cmac); 3738 if (err) { 3739 BT_ERR("smp_f6 test failed"); 3740 goto done; 3741 } 3742 3743 err = test_g2(tfm_cmac); 3744 if (err) { 3745 BT_ERR("smp_g2 test failed"); 3746 goto done; 3747 } 3748 3749 err = test_h6(tfm_cmac); 3750 if (err) { 3751 BT_ERR("smp_h6 test failed"); 3752 goto done; 3753 } 3754 3755 rettime = ktime_get(); 3756 delta = ktime_sub(rettime, calltime); 3757 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3758 3759 BT_INFO("SMP test passed in %llu usecs", duration); 3760 3761 done: 3762 if (!err) 3763 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3764 "PASS (%llu usecs)\n", duration); 3765 else 3766 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3767 3768 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3769 &test_smp_fops); 3770 3771 return err; 3772 } 3773 3774 int __init bt_selftest_smp(void) 3775 { 3776 struct crypto_blkcipher *tfm_aes; 3777 struct crypto_hash *tfm_cmac; 3778 int err; 3779 3780 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 3781 if (IS_ERR(tfm_aes)) { 3782 BT_ERR("Unable to create ECB crypto context"); 3783 return PTR_ERR(tfm_aes); 3784 } 3785 3786 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 3787 if (IS_ERR(tfm_cmac)) { 3788 BT_ERR("Unable to create CMAC crypto context"); 3789 crypto_free_blkcipher(tfm_aes); 3790 return PTR_ERR(tfm_cmac); 3791 } 3792 3793 err = run_selftests(tfm_aes, tfm_cmac); 3794 3795 crypto_free_hash(tfm_cmac); 3796 crypto_free_blkcipher(tfm_aes); 3797 3798 return err; 3799 } 3800 3801 #endif 3802