1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/crypto.h> 25 #include <linux/scatterlist.h> 26 #include <crypto/b128ops.h> 27 28 #include <net/bluetooth/bluetooth.h> 29 #include <net/bluetooth/hci_core.h> 30 #include <net/bluetooth/l2cap.h> 31 #include <net/bluetooth/mgmt.h> 32 33 #include "ecc.h" 34 #include "smp.h" 35 36 /* Low-level debug macros to be used for stuff that we don't want 37 * accidentially in dmesg, i.e. the values of the various crypto keys 38 * and the inputs & outputs of crypto functions. 39 */ 40 #ifdef DEBUG 41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 42 ##__VA_ARGS__) 43 #else 44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 45 ##__VA_ARGS__) 46 #endif 47 48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 49 50 /* Keys which are not distributed with Secure Connections */ 51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY); 52 53 #define SMP_TIMEOUT msecs_to_jiffies(30000) 54 55 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \ 56 0x1f : 0x07) 57 #define KEY_DIST_MASK 0x07 58 59 /* Maximum message length that can be passed to aes_cmac */ 60 #define CMAC_MSG_MAX 80 61 62 enum { 63 SMP_FLAG_TK_VALID, 64 SMP_FLAG_CFM_PENDING, 65 SMP_FLAG_MITM_AUTH, 66 SMP_FLAG_COMPLETE, 67 SMP_FLAG_INITIATOR, 68 SMP_FLAG_SC, 69 SMP_FLAG_REMOTE_PK, 70 SMP_FLAG_DEBUG_KEY, 71 SMP_FLAG_WAIT_USER, 72 SMP_FLAG_DHKEY_PENDING, 73 SMP_FLAG_OOB, 74 }; 75 76 struct smp_chan { 77 struct l2cap_conn *conn; 78 struct delayed_work security_timer; 79 unsigned long allow_cmd; /* Bitmask of allowed commands */ 80 81 u8 preq[7]; /* SMP Pairing Request */ 82 u8 prsp[7]; /* SMP Pairing Response */ 83 u8 prnd[16]; /* SMP Pairing Random (local) */ 84 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 85 u8 pcnf[16]; /* SMP Pairing Confirm */ 86 u8 tk[16]; /* SMP Temporary Key */ 87 u8 rr[16]; 88 u8 enc_key_size; 89 u8 remote_key_dist; 90 bdaddr_t id_addr; 91 u8 id_addr_type; 92 u8 irk[16]; 93 struct smp_csrk *csrk; 94 struct smp_csrk *slave_csrk; 95 struct smp_ltk *ltk; 96 struct smp_ltk *slave_ltk; 97 struct smp_irk *remote_irk; 98 u8 *link_key; 99 unsigned long flags; 100 u8 method; 101 u8 passkey_round; 102 103 /* Secure Connections variables */ 104 u8 local_pk[64]; 105 u8 local_sk[32]; 106 u8 remote_pk[64]; 107 u8 dhkey[32]; 108 u8 mackey[16]; 109 110 struct crypto_blkcipher *tfm_aes; 111 struct crypto_hash *tfm_cmac; 112 }; 113 114 /* These debug key values are defined in the SMP section of the core 115 * specification. debug_pk is the public debug key and debug_sk the 116 * private debug key. 117 */ 118 static const u8 debug_pk[64] = { 119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 123 124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 128 }; 129 130 static const u8 debug_sk[32] = { 131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 135 }; 136 137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 138 { 139 size_t i; 140 141 for (i = 0; i < len; i++) 142 dst[len - 1 - i] = src[i]; 143 } 144 145 /* The following functions map to the LE SC SMP crypto functions 146 * AES-CMAC, f4, f5, f6, g2 and h6. 147 */ 148 149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m, 150 size_t len, u8 mac[16]) 151 { 152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 153 struct hash_desc desc; 154 struct scatterlist sg; 155 int err; 156 157 if (len > CMAC_MSG_MAX) 158 return -EFBIG; 159 160 if (!tfm) { 161 BT_ERR("tfm %p", tfm); 162 return -EINVAL; 163 } 164 165 desc.tfm = tfm; 166 desc.flags = 0; 167 168 crypto_hash_init(&desc); 169 170 /* Swap key and message from LSB to MSB */ 171 swap_buf(k, tmp, 16); 172 swap_buf(m, msg_msb, len); 173 174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 175 SMP_DBG("key %16phN", k); 176 177 err = crypto_hash_setkey(tfm, tmp, 16); 178 if (err) { 179 BT_ERR("cipher setkey failed: %d", err); 180 return err; 181 } 182 183 sg_init_one(&sg, msg_msb, len); 184 185 err = crypto_hash_update(&desc, &sg, len); 186 if (err) { 187 BT_ERR("Hash update error %d", err); 188 return err; 189 } 190 191 err = crypto_hash_final(&desc, mac_msb); 192 if (err) { 193 BT_ERR("Hash final error %d", err); 194 return err; 195 } 196 197 swap_buf(mac_msb, mac, 16); 198 199 SMP_DBG("mac %16phN", mac); 200 201 return 0; 202 } 203 204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32], 205 const u8 x[16], u8 z, u8 res[16]) 206 { 207 u8 m[65]; 208 int err; 209 210 SMP_DBG("u %32phN", u); 211 SMP_DBG("v %32phN", v); 212 SMP_DBG("x %16phN z %02x", x, z); 213 214 m[0] = z; 215 memcpy(m + 1, v, 32); 216 memcpy(m + 33, u, 32); 217 218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 219 if (err) 220 return err; 221 222 SMP_DBG("res %16phN", res); 223 224 return err; 225 } 226 227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32], 228 const u8 n1[16], const u8 n2[16], const u8 a1[7], 229 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 230 { 231 /* The btle, salt and length "magic" values are as defined in 232 * the SMP section of the Bluetooth core specification. In ASCII 233 * the btle value ends up being 'btle'. The salt is just a 234 * random number whereas length is the value 256 in little 235 * endian format. 236 */ 237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 240 const u8 length[2] = { 0x00, 0x01 }; 241 u8 m[53], t[16]; 242 int err; 243 244 SMP_DBG("w %32phN", w); 245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 247 248 err = aes_cmac(tfm_cmac, salt, w, 32, t); 249 if (err) 250 return err; 251 252 SMP_DBG("t %16phN", t); 253 254 memcpy(m, length, 2); 255 memcpy(m + 2, a2, 7); 256 memcpy(m + 9, a1, 7); 257 memcpy(m + 16, n2, 16); 258 memcpy(m + 32, n1, 16); 259 memcpy(m + 48, btle, 4); 260 261 m[52] = 0; /* Counter */ 262 263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 264 if (err) 265 return err; 266 267 SMP_DBG("mackey %16phN", mackey); 268 269 m[52] = 1; /* Counter */ 270 271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 272 if (err) 273 return err; 274 275 SMP_DBG("ltk %16phN", ltk); 276 277 return 0; 278 } 279 280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16], 281 const u8 n1[16], const u8 n2[16], const u8 r[16], 282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 283 u8 res[16]) 284 { 285 u8 m[65]; 286 int err; 287 288 SMP_DBG("w %16phN", w); 289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 291 292 memcpy(m, a2, 7); 293 memcpy(m + 7, a1, 7); 294 memcpy(m + 14, io_cap, 3); 295 memcpy(m + 17, r, 16); 296 memcpy(m + 33, n2, 16); 297 memcpy(m + 49, n1, 16); 298 299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 300 if (err) 301 return err; 302 303 SMP_DBG("res %16phN", res); 304 305 return err; 306 } 307 308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32], 309 const u8 x[16], const u8 y[16], u32 *val) 310 { 311 u8 m[80], tmp[16]; 312 int err; 313 314 SMP_DBG("u %32phN", u); 315 SMP_DBG("v %32phN", v); 316 SMP_DBG("x %16phN y %16phN", x, y); 317 318 memcpy(m, y, 16); 319 memcpy(m + 16, v, 32); 320 memcpy(m + 48, u, 32); 321 322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 323 if (err) 324 return err; 325 326 *val = get_unaligned_le32(tmp); 327 *val %= 1000000; 328 329 SMP_DBG("val %06u", *val); 330 331 return 0; 332 } 333 334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16], 335 const u8 key_id[4], u8 res[16]) 336 { 337 int err; 338 339 SMP_DBG("w %16phN key_id %4phN", w, key_id); 340 341 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 342 if (err) 343 return err; 344 345 SMP_DBG("res %16phN", res); 346 347 return err; 348 } 349 350 /* The following functions map to the legacy SMP crypto functions e, c1, 351 * s1 and ah. 352 */ 353 354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r) 355 { 356 struct blkcipher_desc desc; 357 struct scatterlist sg; 358 uint8_t tmp[16], data[16]; 359 int err; 360 361 if (!tfm) { 362 BT_ERR("tfm %p", tfm); 363 return -EINVAL; 364 } 365 366 desc.tfm = tfm; 367 desc.flags = 0; 368 369 /* The most significant octet of key corresponds to k[0] */ 370 swap_buf(k, tmp, 16); 371 372 err = crypto_blkcipher_setkey(tfm, tmp, 16); 373 if (err) { 374 BT_ERR("cipher setkey failed: %d", err); 375 return err; 376 } 377 378 /* Most significant octet of plaintextData corresponds to data[0] */ 379 swap_buf(r, data, 16); 380 381 sg_init_one(&sg, data, 16); 382 383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16); 384 if (err) 385 BT_ERR("Encrypt data error %d", err); 386 387 /* Most significant octet of encryptedData corresponds to data[0] */ 388 swap_buf(data, r, 16); 389 390 return err; 391 } 392 393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16], 394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 396 { 397 u8 p1[16], p2[16]; 398 int err; 399 400 memset(p1, 0, 16); 401 402 /* p1 = pres || preq || _rat || _iat */ 403 p1[0] = _iat; 404 p1[1] = _rat; 405 memcpy(p1 + 2, preq, 7); 406 memcpy(p1 + 9, pres, 7); 407 408 /* p2 = padding || ia || ra */ 409 memcpy(p2, ra, 6); 410 memcpy(p2 + 6, ia, 6); 411 memset(p2 + 12, 0, 4); 412 413 /* res = r XOR p1 */ 414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1); 415 416 /* res = e(k, res) */ 417 err = smp_e(tfm_aes, k, res); 418 if (err) { 419 BT_ERR("Encrypt data error"); 420 return err; 421 } 422 423 /* res = res XOR p2 */ 424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2); 425 426 /* res = e(k, res) */ 427 err = smp_e(tfm_aes, k, res); 428 if (err) 429 BT_ERR("Encrypt data error"); 430 431 return err; 432 } 433 434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16], 435 const u8 r1[16], const u8 r2[16], u8 _r[16]) 436 { 437 int err; 438 439 /* Just least significant octets from r1 and r2 are considered */ 440 memcpy(_r, r2, 8); 441 memcpy(_r + 8, r1, 8); 442 443 err = smp_e(tfm_aes, k, _r); 444 if (err) 445 BT_ERR("Encrypt data error"); 446 447 return err; 448 } 449 450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16], 451 const u8 r[3], u8 res[3]) 452 { 453 u8 _res[16]; 454 int err; 455 456 /* r' = padding || r */ 457 memcpy(_res, r, 3); 458 memset(_res + 3, 0, 13); 459 460 err = smp_e(tfm, irk, _res); 461 if (err) { 462 BT_ERR("Encrypt error"); 463 return err; 464 } 465 466 /* The output of the random address function ah is: 467 * ah(h, r) = e(k, r') mod 2^24 468 * The output of the security function e is then truncated to 24 bits 469 * by taking the least significant 24 bits of the output of e as the 470 * result of ah. 471 */ 472 memcpy(res, _res, 3); 473 474 return 0; 475 } 476 477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 478 const bdaddr_t *bdaddr) 479 { 480 struct l2cap_chan *chan = hdev->smp_data; 481 struct crypto_blkcipher *tfm; 482 u8 hash[3]; 483 int err; 484 485 if (!chan || !chan->data) 486 return false; 487 488 tfm = chan->data; 489 490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk); 491 492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash); 493 if (err) 494 return false; 495 496 return !memcmp(bdaddr->b, hash, 3); 497 } 498 499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 500 { 501 struct l2cap_chan *chan = hdev->smp_data; 502 struct crypto_blkcipher *tfm; 503 int err; 504 505 if (!chan || !chan->data) 506 return -EOPNOTSUPP; 507 508 tfm = chan->data; 509 510 get_random_bytes(&rpa->b[3], 3); 511 512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 513 rpa->b[5] |= 0x40; /* Set second most significant bit */ 514 515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b); 516 if (err < 0) 517 return err; 518 519 BT_DBG("RPA %pMR", rpa); 520 521 return 0; 522 } 523 524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 525 { 526 struct l2cap_chan *chan = conn->smp; 527 struct smp_chan *smp; 528 struct kvec iv[2]; 529 struct msghdr msg; 530 531 if (!chan) 532 return; 533 534 BT_DBG("code 0x%2.2x", code); 535 536 iv[0].iov_base = &code; 537 iv[0].iov_len = 1; 538 539 iv[1].iov_base = data; 540 iv[1].iov_len = len; 541 542 memset(&msg, 0, sizeof(msg)); 543 544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len); 545 546 l2cap_chan_send(chan, &msg, 1 + len); 547 548 if (!chan->data) 549 return; 550 551 smp = chan->data; 552 553 cancel_delayed_work_sync(&smp->security_timer); 554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 555 } 556 557 static u8 authreq_to_seclevel(u8 authreq) 558 { 559 if (authreq & SMP_AUTH_MITM) { 560 if (authreq & SMP_AUTH_SC) 561 return BT_SECURITY_FIPS; 562 else 563 return BT_SECURITY_HIGH; 564 } else { 565 return BT_SECURITY_MEDIUM; 566 } 567 } 568 569 static __u8 seclevel_to_authreq(__u8 sec_level) 570 { 571 switch (sec_level) { 572 case BT_SECURITY_FIPS: 573 case BT_SECURITY_HIGH: 574 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 575 case BT_SECURITY_MEDIUM: 576 return SMP_AUTH_BONDING; 577 default: 578 return SMP_AUTH_NONE; 579 } 580 } 581 582 static void build_pairing_cmd(struct l2cap_conn *conn, 583 struct smp_cmd_pairing *req, 584 struct smp_cmd_pairing *rsp, __u8 authreq) 585 { 586 struct l2cap_chan *chan = conn->smp; 587 struct smp_chan *smp = chan->data; 588 struct hci_conn *hcon = conn->hcon; 589 struct hci_dev *hdev = hcon->hdev; 590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 591 592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) { 593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 595 authreq |= SMP_AUTH_BONDING; 596 } else { 597 authreq &= ~SMP_AUTH_BONDING; 598 } 599 600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags)) 601 remote_dist |= SMP_DIST_ID_KEY; 602 603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) 604 local_dist |= SMP_DIST_ID_KEY; 605 606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) && 607 (authreq & SMP_AUTH_SC)) { 608 struct oob_data *oob_data; 609 u8 bdaddr_type; 610 611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) { 612 local_dist |= SMP_DIST_LINK_KEY; 613 remote_dist |= SMP_DIST_LINK_KEY; 614 } 615 616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 617 bdaddr_type = BDADDR_LE_PUBLIC; 618 else 619 bdaddr_type = BDADDR_LE_RANDOM; 620 621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 622 bdaddr_type); 623 if (oob_data && oob_data->present) { 624 set_bit(SMP_FLAG_OOB, &smp->flags); 625 oob_flag = SMP_OOB_PRESENT; 626 memcpy(smp->rr, oob_data->rand256, 16); 627 memcpy(smp->pcnf, oob_data->hash256, 16); 628 } 629 630 } else { 631 authreq &= ~SMP_AUTH_SC; 632 } 633 634 if (rsp == NULL) { 635 req->io_capability = conn->hcon->io_capability; 636 req->oob_flag = oob_flag; 637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 638 req->init_key_dist = local_dist; 639 req->resp_key_dist = remote_dist; 640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 641 642 smp->remote_key_dist = remote_dist; 643 return; 644 } 645 646 rsp->io_capability = conn->hcon->io_capability; 647 rsp->oob_flag = oob_flag; 648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 649 rsp->init_key_dist = req->init_key_dist & remote_dist; 650 rsp->resp_key_dist = req->resp_key_dist & local_dist; 651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 652 653 smp->remote_key_dist = rsp->init_key_dist; 654 } 655 656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 657 { 658 struct l2cap_chan *chan = conn->smp; 659 struct smp_chan *smp = chan->data; 660 661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) || 662 (max_key_size < SMP_MIN_ENC_KEY_SIZE)) 663 return SMP_ENC_KEY_SIZE; 664 665 smp->enc_key_size = max_key_size; 666 667 return 0; 668 } 669 670 static void smp_chan_destroy(struct l2cap_conn *conn) 671 { 672 struct l2cap_chan *chan = conn->smp; 673 struct smp_chan *smp = chan->data; 674 struct hci_conn *hcon = conn->hcon; 675 bool complete; 676 677 BUG_ON(!smp); 678 679 cancel_delayed_work_sync(&smp->security_timer); 680 681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 682 mgmt_smp_complete(hcon, complete); 683 684 kfree(smp->csrk); 685 kfree(smp->slave_csrk); 686 kfree(smp->link_key); 687 688 crypto_free_blkcipher(smp->tfm_aes); 689 crypto_free_hash(smp->tfm_cmac); 690 691 /* Ensure that we don't leave any debug key around if debug key 692 * support hasn't been explicitly enabled. 693 */ 694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) { 696 list_del_rcu(&smp->ltk->list); 697 kfree_rcu(smp->ltk, rcu); 698 smp->ltk = NULL; 699 } 700 701 /* If pairing failed clean up any keys we might have */ 702 if (!complete) { 703 if (smp->ltk) { 704 list_del_rcu(&smp->ltk->list); 705 kfree_rcu(smp->ltk, rcu); 706 } 707 708 if (smp->slave_ltk) { 709 list_del_rcu(&smp->slave_ltk->list); 710 kfree_rcu(smp->slave_ltk, rcu); 711 } 712 713 if (smp->remote_irk) { 714 list_del_rcu(&smp->remote_irk->list); 715 kfree_rcu(smp->remote_irk, rcu); 716 } 717 } 718 719 chan->data = NULL; 720 kfree(smp); 721 hci_conn_drop(hcon); 722 } 723 724 static void smp_failure(struct l2cap_conn *conn, u8 reason) 725 { 726 struct hci_conn *hcon = conn->hcon; 727 struct l2cap_chan *chan = conn->smp; 728 729 if (reason) 730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 731 &reason); 732 733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags); 734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 735 736 if (chan->data) 737 smp_chan_destroy(conn); 738 } 739 740 #define JUST_WORKS 0x00 741 #define JUST_CFM 0x01 742 #define REQ_PASSKEY 0x02 743 #define CFM_PASSKEY 0x03 744 #define REQ_OOB 0x04 745 #define DSP_PASSKEY 0x05 746 #define OVERLAP 0xFF 747 748 static const u8 gen_method[5][5] = { 749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 754 }; 755 756 static const u8 sc_method[5][5] = { 757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 762 }; 763 764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 765 { 766 /* If either side has unknown io_caps, use JUST_CFM (which gets 767 * converted later to JUST_WORKS if we're initiators. 768 */ 769 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 770 remote_io > SMP_IO_KEYBOARD_DISPLAY) 771 return JUST_CFM; 772 773 if (test_bit(SMP_FLAG_SC, &smp->flags)) 774 return sc_method[remote_io][local_io]; 775 776 return gen_method[remote_io][local_io]; 777 } 778 779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 780 u8 local_io, u8 remote_io) 781 { 782 struct hci_conn *hcon = conn->hcon; 783 struct l2cap_chan *chan = conn->smp; 784 struct smp_chan *smp = chan->data; 785 u32 passkey = 0; 786 int ret = 0; 787 788 /* Initialize key for JUST WORKS */ 789 memset(smp->tk, 0, sizeof(smp->tk)); 790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 791 792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io); 793 794 /* If neither side wants MITM, either "just" confirm an incoming 795 * request or use just-works for outgoing ones. The JUST_CFM 796 * will be converted to JUST_WORKS if necessary later in this 797 * function. If either side has MITM look up the method from the 798 * table. 799 */ 800 if (!(auth & SMP_AUTH_MITM)) 801 smp->method = JUST_CFM; 802 else 803 smp->method = get_auth_method(smp, local_io, remote_io); 804 805 /* Don't confirm locally initiated pairing attempts */ 806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 807 &smp->flags)) 808 smp->method = JUST_WORKS; 809 810 /* Don't bother user space with no IO capabilities */ 811 if (smp->method == JUST_CFM && 812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 813 smp->method = JUST_WORKS; 814 815 /* If Just Works, Continue with Zero TK */ 816 if (smp->method == JUST_WORKS) { 817 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 818 return 0; 819 } 820 821 /* Not Just Works/Confirm results in MITM Authentication */ 822 if (smp->method != JUST_CFM) { 823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 824 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 825 hcon->pending_sec_level = BT_SECURITY_HIGH; 826 } 827 828 /* If both devices have Keyoard-Display I/O, the master 829 * Confirms and the slave Enters the passkey. 830 */ 831 if (smp->method == OVERLAP) { 832 if (hcon->role == HCI_ROLE_MASTER) 833 smp->method = CFM_PASSKEY; 834 else 835 smp->method = REQ_PASSKEY; 836 } 837 838 /* Generate random passkey. */ 839 if (smp->method == CFM_PASSKEY) { 840 memset(smp->tk, 0, sizeof(smp->tk)); 841 get_random_bytes(&passkey, sizeof(passkey)); 842 passkey %= 1000000; 843 put_unaligned_le32(passkey, smp->tk); 844 BT_DBG("PassKey: %d", passkey); 845 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 846 } 847 848 if (smp->method == REQ_PASSKEY) 849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 850 hcon->type, hcon->dst_type); 851 else if (smp->method == JUST_CFM) 852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 853 hcon->type, hcon->dst_type, 854 passkey, 1); 855 else 856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 857 hcon->type, hcon->dst_type, 858 passkey, 0); 859 860 return ret; 861 } 862 863 static u8 smp_confirm(struct smp_chan *smp) 864 { 865 struct l2cap_conn *conn = smp->conn; 866 struct smp_cmd_pairing_confirm cp; 867 int ret; 868 869 BT_DBG("conn %p", conn); 870 871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp, 872 conn->hcon->init_addr_type, &conn->hcon->init_addr, 873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 874 cp.confirm_val); 875 if (ret) 876 return SMP_UNSPECIFIED; 877 878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 879 880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 881 882 if (conn->hcon->out) 883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 884 else 885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 886 887 return 0; 888 } 889 890 static u8 smp_random(struct smp_chan *smp) 891 { 892 struct l2cap_conn *conn = smp->conn; 893 struct hci_conn *hcon = conn->hcon; 894 u8 confirm[16]; 895 int ret; 896 897 if (IS_ERR_OR_NULL(smp->tfm_aes)) 898 return SMP_UNSPECIFIED; 899 900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 901 902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp, 903 hcon->init_addr_type, &hcon->init_addr, 904 hcon->resp_addr_type, &hcon->resp_addr, confirm); 905 if (ret) 906 return SMP_UNSPECIFIED; 907 908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) { 909 BT_ERR("Pairing failed (confirmation values mismatch)"); 910 return SMP_CONFIRM_FAILED; 911 } 912 913 if (hcon->out) { 914 u8 stk[16]; 915 __le64 rand = 0; 916 __le16 ediv = 0; 917 918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk); 919 920 memset(stk + smp->enc_key_size, 0, 921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 922 923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 924 return SMP_UNSPECIFIED; 925 926 hci_le_start_enc(hcon, ediv, rand, stk); 927 hcon->enc_key_size = smp->enc_key_size; 928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 929 } else { 930 u8 stk[16], auth; 931 __le64 rand = 0; 932 __le16 ediv = 0; 933 934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 935 smp->prnd); 936 937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk); 938 939 memset(stk + smp->enc_key_size, 0, 940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 941 942 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 943 auth = 1; 944 else 945 auth = 0; 946 947 /* Even though there's no _SLAVE suffix this is the 948 * slave STK we're adding for later lookup (the master 949 * STK never needs to be stored). 950 */ 951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 953 } 954 955 return 0; 956 } 957 958 static void smp_notify_keys(struct l2cap_conn *conn) 959 { 960 struct l2cap_chan *chan = conn->smp; 961 struct smp_chan *smp = chan->data; 962 struct hci_conn *hcon = conn->hcon; 963 struct hci_dev *hdev = hcon->hdev; 964 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 966 bool persistent; 967 968 if (smp->remote_irk) { 969 mgmt_new_irk(hdev, smp->remote_irk); 970 /* Now that user space can be considered to know the 971 * identity address track the connection based on it 972 * from now on (assuming this is an LE link). 973 */ 974 if (hcon->type == LE_LINK) { 975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 976 hcon->dst_type = smp->remote_irk->addr_type; 977 queue_work(hdev->workqueue, &conn->id_addr_update_work); 978 } 979 980 /* When receiving an indentity resolving key for 981 * a remote device that does not use a resolvable 982 * private address, just remove the key so that 983 * it is possible to use the controller white 984 * list for scanning. 985 * 986 * Userspace will have been told to not store 987 * this key at this point. So it is safe to 988 * just remove it. 989 */ 990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) { 991 list_del_rcu(&smp->remote_irk->list); 992 kfree_rcu(smp->remote_irk, rcu); 993 smp->remote_irk = NULL; 994 } 995 } 996 997 if (hcon->type == ACL_LINK) { 998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 999 persistent = false; 1000 else 1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1002 &hcon->flags); 1003 } else { 1004 /* The LTKs and CSRKs should be persistent only if both sides 1005 * had the bonding bit set in their authentication requests. 1006 */ 1007 persistent = !!((req->auth_req & rsp->auth_req) & 1008 SMP_AUTH_BONDING); 1009 } 1010 1011 1012 if (smp->csrk) { 1013 smp->csrk->bdaddr_type = hcon->dst_type; 1014 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1015 mgmt_new_csrk(hdev, smp->csrk, persistent); 1016 } 1017 1018 if (smp->slave_csrk) { 1019 smp->slave_csrk->bdaddr_type = hcon->dst_type; 1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst); 1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent); 1022 } 1023 1024 if (smp->ltk) { 1025 smp->ltk->bdaddr_type = hcon->dst_type; 1026 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1027 mgmt_new_ltk(hdev, smp->ltk, persistent); 1028 } 1029 1030 if (smp->slave_ltk) { 1031 smp->slave_ltk->bdaddr_type = hcon->dst_type; 1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst); 1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent); 1034 } 1035 1036 if (smp->link_key) { 1037 struct link_key *key; 1038 u8 type; 1039 1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1041 type = HCI_LK_DEBUG_COMBINATION; 1042 else if (hcon->sec_level == BT_SECURITY_FIPS) 1043 type = HCI_LK_AUTH_COMBINATION_P256; 1044 else 1045 type = HCI_LK_UNAUTH_COMBINATION_P256; 1046 1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1048 smp->link_key, type, 0, &persistent); 1049 if (key) { 1050 mgmt_new_link_key(hdev, key, persistent); 1051 1052 /* Don't keep debug keys around if the relevant 1053 * flag is not set. 1054 */ 1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) && 1056 key->type == HCI_LK_DEBUG_COMBINATION) { 1057 list_del_rcu(&key->list); 1058 kfree_rcu(key, rcu); 1059 } 1060 } 1061 } 1062 } 1063 1064 static void sc_add_ltk(struct smp_chan *smp) 1065 { 1066 struct hci_conn *hcon = smp->conn->hcon; 1067 u8 key_type, auth; 1068 1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1070 key_type = SMP_LTK_P256_DEBUG; 1071 else 1072 key_type = SMP_LTK_P256; 1073 1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1075 auth = 1; 1076 else 1077 auth = 0; 1078 1079 memset(smp->tk + smp->enc_key_size, 0, 1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size); 1081 1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1083 key_type, auth, smp->tk, smp->enc_key_size, 1084 0, 0); 1085 } 1086 1087 static void sc_generate_link_key(struct smp_chan *smp) 1088 { 1089 /* These constants are as specified in the core specification. 1090 * In ASCII they spell out to 'tmp1' and 'lebr'. 1091 */ 1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1094 1095 smp->link_key = kzalloc(16, GFP_KERNEL); 1096 if (!smp->link_key) 1097 return; 1098 1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1100 kfree(smp->link_key); 1101 smp->link_key = NULL; 1102 return; 1103 } 1104 1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1106 kfree(smp->link_key); 1107 smp->link_key = NULL; 1108 return; 1109 } 1110 } 1111 1112 static void smp_allow_key_dist(struct smp_chan *smp) 1113 { 1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1115 * will be allowed in each PDU handler to ensure we receive 1116 * them in the correct order. 1117 */ 1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1122 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1124 } 1125 1126 static void sc_generate_ltk(struct smp_chan *smp) 1127 { 1128 /* These constants are as specified in the core specification. 1129 * In ASCII they spell out to 'tmp2' and 'brle'. 1130 */ 1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1133 struct hci_conn *hcon = smp->conn->hcon; 1134 struct hci_dev *hdev = hcon->hdev; 1135 struct link_key *key; 1136 1137 key = hci_find_link_key(hdev, &hcon->dst); 1138 if (!key) { 1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name); 1140 return; 1141 } 1142 1143 if (key->type == HCI_LK_DEBUG_COMBINATION) 1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1145 1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1147 return; 1148 1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1150 return; 1151 1152 sc_add_ltk(smp); 1153 } 1154 1155 static void smp_distribute_keys(struct smp_chan *smp) 1156 { 1157 struct smp_cmd_pairing *req, *rsp; 1158 struct l2cap_conn *conn = smp->conn; 1159 struct hci_conn *hcon = conn->hcon; 1160 struct hci_dev *hdev = hcon->hdev; 1161 __u8 *keydist; 1162 1163 BT_DBG("conn %p", conn); 1164 1165 rsp = (void *) &smp->prsp[1]; 1166 1167 /* The responder sends its keys first */ 1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1169 smp_allow_key_dist(smp); 1170 return; 1171 } 1172 1173 req = (void *) &smp->preq[1]; 1174 1175 if (hcon->out) { 1176 keydist = &rsp->init_key_dist; 1177 *keydist &= req->init_key_dist; 1178 } else { 1179 keydist = &rsp->resp_key_dist; 1180 *keydist &= req->resp_key_dist; 1181 } 1182 1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1185 sc_generate_link_key(smp); 1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1187 sc_generate_ltk(smp); 1188 1189 /* Clear the keys which are generated but not distributed */ 1190 *keydist &= ~SMP_SC_NO_DIST; 1191 } 1192 1193 BT_DBG("keydist 0x%x", *keydist); 1194 1195 if (*keydist & SMP_DIST_ENC_KEY) { 1196 struct smp_cmd_encrypt_info enc; 1197 struct smp_cmd_master_ident ident; 1198 struct smp_ltk *ltk; 1199 u8 authenticated; 1200 __le16 ediv; 1201 __le64 rand; 1202 1203 get_random_bytes(enc.ltk, sizeof(enc.ltk)); 1204 get_random_bytes(&ediv, sizeof(ediv)); 1205 get_random_bytes(&rand, sizeof(rand)); 1206 1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1208 1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1211 SMP_LTK_SLAVE, authenticated, enc.ltk, 1212 smp->enc_key_size, ediv, rand); 1213 smp->slave_ltk = ltk; 1214 1215 ident.ediv = ediv; 1216 ident.rand = rand; 1217 1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident); 1219 1220 *keydist &= ~SMP_DIST_ENC_KEY; 1221 } 1222 1223 if (*keydist & SMP_DIST_ID_KEY) { 1224 struct smp_cmd_ident_addr_info addrinfo; 1225 struct smp_cmd_ident_info idinfo; 1226 1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1228 1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1230 1231 /* The hci_conn contains the local identity address 1232 * after the connection has been established. 1233 * 1234 * This is true even when the connection has been 1235 * established using a resolvable random address. 1236 */ 1237 bacpy(&addrinfo.bdaddr, &hcon->src); 1238 addrinfo.addr_type = hcon->src_type; 1239 1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1241 &addrinfo); 1242 1243 *keydist &= ~SMP_DIST_ID_KEY; 1244 } 1245 1246 if (*keydist & SMP_DIST_SIGN) { 1247 struct smp_cmd_sign_info sign; 1248 struct smp_csrk *csrk; 1249 1250 /* Generate a new random key */ 1251 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1252 1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1254 if (csrk) { 1255 csrk->master = 0x00; 1256 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1257 } 1258 smp->slave_csrk = csrk; 1259 1260 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1261 1262 *keydist &= ~SMP_DIST_SIGN; 1263 } 1264 1265 /* If there are still keys to be received wait for them */ 1266 if (smp->remote_key_dist & KEY_DIST_MASK) { 1267 smp_allow_key_dist(smp); 1268 return; 1269 } 1270 1271 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1272 smp_notify_keys(conn); 1273 1274 smp_chan_destroy(conn); 1275 } 1276 1277 static void smp_timeout(struct work_struct *work) 1278 { 1279 struct smp_chan *smp = container_of(work, struct smp_chan, 1280 security_timer.work); 1281 struct l2cap_conn *conn = smp->conn; 1282 1283 BT_DBG("conn %p", conn); 1284 1285 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1286 } 1287 1288 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1289 { 1290 struct l2cap_chan *chan = conn->smp; 1291 struct smp_chan *smp; 1292 1293 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1294 if (!smp) 1295 return NULL; 1296 1297 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 1298 if (IS_ERR(smp->tfm_aes)) { 1299 BT_ERR("Unable to create ECB crypto context"); 1300 kfree(smp); 1301 return NULL; 1302 } 1303 1304 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 1305 if (IS_ERR(smp->tfm_cmac)) { 1306 BT_ERR("Unable to create CMAC crypto context"); 1307 crypto_free_blkcipher(smp->tfm_aes); 1308 kfree(smp); 1309 return NULL; 1310 } 1311 1312 smp->conn = conn; 1313 chan->data = smp; 1314 1315 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1316 1317 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1318 1319 hci_conn_hold(conn->hcon); 1320 1321 return smp; 1322 } 1323 1324 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1325 { 1326 struct hci_conn *hcon = smp->conn->hcon; 1327 u8 *na, *nb, a[7], b[7]; 1328 1329 if (hcon->out) { 1330 na = smp->prnd; 1331 nb = smp->rrnd; 1332 } else { 1333 na = smp->rrnd; 1334 nb = smp->prnd; 1335 } 1336 1337 memcpy(a, &hcon->init_addr, 6); 1338 memcpy(b, &hcon->resp_addr, 6); 1339 a[6] = hcon->init_addr_type; 1340 b[6] = hcon->resp_addr_type; 1341 1342 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1343 } 1344 1345 static void sc_dhkey_check(struct smp_chan *smp) 1346 { 1347 struct hci_conn *hcon = smp->conn->hcon; 1348 struct smp_cmd_dhkey_check check; 1349 u8 a[7], b[7], *local_addr, *remote_addr; 1350 u8 io_cap[3], r[16]; 1351 1352 memcpy(a, &hcon->init_addr, 6); 1353 memcpy(b, &hcon->resp_addr, 6); 1354 a[6] = hcon->init_addr_type; 1355 b[6] = hcon->resp_addr_type; 1356 1357 if (hcon->out) { 1358 local_addr = a; 1359 remote_addr = b; 1360 memcpy(io_cap, &smp->preq[1], 3); 1361 } else { 1362 local_addr = b; 1363 remote_addr = a; 1364 memcpy(io_cap, &smp->prsp[1], 3); 1365 } 1366 1367 memset(r, 0, sizeof(r)); 1368 1369 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1370 put_unaligned_le32(hcon->passkey_notify, r); 1371 1372 if (smp->method == REQ_OOB) 1373 memcpy(r, smp->rr, 16); 1374 1375 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1376 local_addr, remote_addr, check.e); 1377 1378 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1379 } 1380 1381 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1382 { 1383 struct l2cap_conn *conn = smp->conn; 1384 struct hci_conn *hcon = conn->hcon; 1385 struct smp_cmd_pairing_confirm cfm; 1386 u8 r; 1387 1388 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1389 r |= 0x80; 1390 1391 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1392 1393 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1394 cfm.confirm_val)) 1395 return SMP_UNSPECIFIED; 1396 1397 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1398 1399 return 0; 1400 } 1401 1402 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1403 { 1404 struct l2cap_conn *conn = smp->conn; 1405 struct hci_conn *hcon = conn->hcon; 1406 struct hci_dev *hdev = hcon->hdev; 1407 u8 cfm[16], r; 1408 1409 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1410 if (smp->passkey_round >= 20) 1411 return 0; 1412 1413 switch (smp_op) { 1414 case SMP_CMD_PAIRING_RANDOM: 1415 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1416 r |= 0x80; 1417 1418 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1419 smp->rrnd, r, cfm)) 1420 return SMP_UNSPECIFIED; 1421 1422 if (memcmp(smp->pcnf, cfm, 16)) 1423 return SMP_CONFIRM_FAILED; 1424 1425 smp->passkey_round++; 1426 1427 if (smp->passkey_round == 20) { 1428 /* Generate MacKey and LTK */ 1429 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1430 return SMP_UNSPECIFIED; 1431 } 1432 1433 /* The round is only complete when the initiator 1434 * receives pairing random. 1435 */ 1436 if (!hcon->out) { 1437 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1438 sizeof(smp->prnd), smp->prnd); 1439 if (smp->passkey_round == 20) 1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1441 else 1442 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1443 return 0; 1444 } 1445 1446 /* Start the next round */ 1447 if (smp->passkey_round != 20) 1448 return sc_passkey_round(smp, 0); 1449 1450 /* Passkey rounds are complete - start DHKey Check */ 1451 sc_dhkey_check(smp); 1452 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1453 1454 break; 1455 1456 case SMP_CMD_PAIRING_CONFIRM: 1457 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1458 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1459 return 0; 1460 } 1461 1462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1463 1464 if (hcon->out) { 1465 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1466 sizeof(smp->prnd), smp->prnd); 1467 return 0; 1468 } 1469 1470 return sc_passkey_send_confirm(smp); 1471 1472 case SMP_CMD_PUBLIC_KEY: 1473 default: 1474 /* Initiating device starts the round */ 1475 if (!hcon->out) 1476 return 0; 1477 1478 BT_DBG("%s Starting passkey round %u", hdev->name, 1479 smp->passkey_round + 1); 1480 1481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1482 1483 return sc_passkey_send_confirm(smp); 1484 } 1485 1486 return 0; 1487 } 1488 1489 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1490 { 1491 struct l2cap_conn *conn = smp->conn; 1492 struct hci_conn *hcon = conn->hcon; 1493 u8 smp_op; 1494 1495 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1496 1497 switch (mgmt_op) { 1498 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1499 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1500 return 0; 1501 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1502 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1503 return 0; 1504 case MGMT_OP_USER_PASSKEY_REPLY: 1505 hcon->passkey_notify = le32_to_cpu(passkey); 1506 smp->passkey_round = 0; 1507 1508 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1509 smp_op = SMP_CMD_PAIRING_CONFIRM; 1510 else 1511 smp_op = 0; 1512 1513 if (sc_passkey_round(smp, smp_op)) 1514 return -EIO; 1515 1516 return 0; 1517 } 1518 1519 /* Initiator sends DHKey check first */ 1520 if (hcon->out) { 1521 sc_dhkey_check(smp); 1522 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1523 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1524 sc_dhkey_check(smp); 1525 sc_add_ltk(smp); 1526 } 1527 1528 return 0; 1529 } 1530 1531 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1532 { 1533 struct l2cap_conn *conn = hcon->l2cap_data; 1534 struct l2cap_chan *chan; 1535 struct smp_chan *smp; 1536 u32 value; 1537 int err; 1538 1539 BT_DBG(""); 1540 1541 if (!conn) 1542 return -ENOTCONN; 1543 1544 chan = conn->smp; 1545 if (!chan) 1546 return -ENOTCONN; 1547 1548 l2cap_chan_lock(chan); 1549 if (!chan->data) { 1550 err = -ENOTCONN; 1551 goto unlock; 1552 } 1553 1554 smp = chan->data; 1555 1556 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1557 err = sc_user_reply(smp, mgmt_op, passkey); 1558 goto unlock; 1559 } 1560 1561 switch (mgmt_op) { 1562 case MGMT_OP_USER_PASSKEY_REPLY: 1563 value = le32_to_cpu(passkey); 1564 memset(smp->tk, 0, sizeof(smp->tk)); 1565 BT_DBG("PassKey: %d", value); 1566 put_unaligned_le32(value, smp->tk); 1567 /* Fall Through */ 1568 case MGMT_OP_USER_CONFIRM_REPLY: 1569 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1570 break; 1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1572 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1573 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1574 err = 0; 1575 goto unlock; 1576 default: 1577 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1578 err = -EOPNOTSUPP; 1579 goto unlock; 1580 } 1581 1582 err = 0; 1583 1584 /* If it is our turn to send Pairing Confirm, do so now */ 1585 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1586 u8 rsp = smp_confirm(smp); 1587 if (rsp) 1588 smp_failure(conn, rsp); 1589 } 1590 1591 unlock: 1592 l2cap_chan_unlock(chan); 1593 return err; 1594 } 1595 1596 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1597 struct smp_cmd_pairing *req, 1598 struct smp_cmd_pairing *rsp) 1599 { 1600 struct l2cap_conn *conn = smp->conn; 1601 struct hci_dev *hdev = conn->hcon->hdev; 1602 u8 local_dist = 0, remote_dist = 0; 1603 1604 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) { 1605 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1606 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1607 } 1608 1609 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags)) 1610 remote_dist |= SMP_DIST_ID_KEY; 1611 1612 if (test_bit(HCI_PRIVACY, &hdev->dev_flags)) 1613 local_dist |= SMP_DIST_ID_KEY; 1614 1615 if (!rsp) { 1616 memset(req, 0, sizeof(*req)); 1617 1618 req->init_key_dist = local_dist; 1619 req->resp_key_dist = remote_dist; 1620 req->max_key_size = SMP_MAX_ENC_KEY_SIZE; 1621 1622 smp->remote_key_dist = remote_dist; 1623 1624 return; 1625 } 1626 1627 memset(rsp, 0, sizeof(*rsp)); 1628 1629 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE; 1630 rsp->init_key_dist = req->init_key_dist & remote_dist; 1631 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1632 1633 smp->remote_key_dist = rsp->init_key_dist; 1634 } 1635 1636 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1637 { 1638 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1639 struct l2cap_chan *chan = conn->smp; 1640 struct hci_dev *hdev = conn->hcon->hdev; 1641 struct smp_chan *smp; 1642 u8 key_size, auth, sec_level; 1643 int ret; 1644 1645 BT_DBG("conn %p", conn); 1646 1647 if (skb->len < sizeof(*req)) 1648 return SMP_INVALID_PARAMS; 1649 1650 if (conn->hcon->role != HCI_ROLE_SLAVE) 1651 return SMP_CMD_NOTSUPP; 1652 1653 if (!chan->data) 1654 smp = smp_chan_create(conn); 1655 else 1656 smp = chan->data; 1657 1658 if (!smp) 1659 return SMP_UNSPECIFIED; 1660 1661 /* We didn't start the pairing, so match remote */ 1662 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1663 1664 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) && 1665 (auth & SMP_AUTH_BONDING)) 1666 return SMP_PAIRING_NOTSUPP; 1667 1668 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC)) 1669 return SMP_AUTH_REQUIREMENTS; 1670 1671 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1672 memcpy(&smp->preq[1], req, sizeof(*req)); 1673 skb_pull(skb, sizeof(*req)); 1674 1675 /* SMP over BR/EDR requires special treatment */ 1676 if (conn->hcon->type == ACL_LINK) { 1677 /* We must have a BR/EDR SC link */ 1678 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1679 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags)) 1680 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1681 1682 set_bit(SMP_FLAG_SC, &smp->flags); 1683 1684 build_bredr_pairing_cmd(smp, req, &rsp); 1685 1686 key_size = min(req->max_key_size, rsp.max_key_size); 1687 if (check_enc_key_size(conn, key_size)) 1688 return SMP_ENC_KEY_SIZE; 1689 1690 /* Clear bits which are generated but not distributed */ 1691 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1692 1693 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1694 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1696 1697 smp_distribute_keys(smp); 1698 return 0; 1699 } 1700 1701 build_pairing_cmd(conn, req, &rsp, auth); 1702 1703 if (rsp.auth_req & SMP_AUTH_SC) 1704 set_bit(SMP_FLAG_SC, &smp->flags); 1705 1706 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1707 sec_level = BT_SECURITY_MEDIUM; 1708 else 1709 sec_level = authreq_to_seclevel(auth); 1710 1711 if (sec_level > conn->hcon->pending_sec_level) 1712 conn->hcon->pending_sec_level = sec_level; 1713 1714 /* If we need MITM check that it can be achieved */ 1715 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1716 u8 method; 1717 1718 method = get_auth_method(smp, conn->hcon->io_capability, 1719 req->io_capability); 1720 if (method == JUST_WORKS || method == JUST_CFM) 1721 return SMP_AUTH_REQUIREMENTS; 1722 } 1723 1724 key_size = min(req->max_key_size, rsp.max_key_size); 1725 if (check_enc_key_size(conn, key_size)) 1726 return SMP_ENC_KEY_SIZE; 1727 1728 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1729 1730 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1731 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1732 1733 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1734 1735 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1736 1737 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1738 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1739 /* Clear bits which are generated but not distributed */ 1740 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1741 /* Wait for Public Key from Initiating Device */ 1742 return 0; 1743 } else { 1744 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1745 } 1746 1747 /* Request setup of TK */ 1748 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1749 if (ret) 1750 return SMP_UNSPECIFIED; 1751 1752 return 0; 1753 } 1754 1755 static u8 sc_send_public_key(struct smp_chan *smp) 1756 { 1757 struct hci_dev *hdev = smp->conn->hcon->hdev; 1758 1759 BT_DBG(""); 1760 1761 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) { 1762 BT_DBG("Using debug keys"); 1763 memcpy(smp->local_pk, debug_pk, 64); 1764 memcpy(smp->local_sk, debug_sk, 32); 1765 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1766 } else { 1767 while (true) { 1768 /* Generate local key pair for Secure Connections */ 1769 if (!ecc_make_key(smp->local_pk, smp->local_sk)) 1770 return SMP_UNSPECIFIED; 1771 1772 /* This is unlikely, but we need to check that 1773 * we didn't accidentially generate a debug key. 1774 */ 1775 if (memcmp(smp->local_sk, debug_sk, 32)) 1776 break; 1777 } 1778 } 1779 1780 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1781 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]); 1782 SMP_DBG("Local Private Key: %32phN", smp->local_sk); 1783 1784 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1785 1786 return 0; 1787 } 1788 1789 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1790 { 1791 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1792 struct l2cap_chan *chan = conn->smp; 1793 struct smp_chan *smp = chan->data; 1794 struct hci_dev *hdev = conn->hcon->hdev; 1795 u8 key_size, auth; 1796 int ret; 1797 1798 BT_DBG("conn %p", conn); 1799 1800 if (skb->len < sizeof(*rsp)) 1801 return SMP_INVALID_PARAMS; 1802 1803 if (conn->hcon->role != HCI_ROLE_MASTER) 1804 return SMP_CMD_NOTSUPP; 1805 1806 skb_pull(skb, sizeof(*rsp)); 1807 1808 req = (void *) &smp->preq[1]; 1809 1810 key_size = min(req->max_key_size, rsp->max_key_size); 1811 if (check_enc_key_size(conn, key_size)) 1812 return SMP_ENC_KEY_SIZE; 1813 1814 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1815 1816 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC)) 1817 return SMP_AUTH_REQUIREMENTS; 1818 1819 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1820 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1821 1822 /* Update remote key distribution in case the remote cleared 1823 * some bits that we had enabled in our request. 1824 */ 1825 smp->remote_key_dist &= rsp->resp_key_dist; 1826 1827 /* For BR/EDR this means we're done and can start phase 3 */ 1828 if (conn->hcon->type == ACL_LINK) { 1829 /* Clear bits which are generated but not distributed */ 1830 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1831 smp_distribute_keys(smp); 1832 return 0; 1833 } 1834 1835 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1836 set_bit(SMP_FLAG_SC, &smp->flags); 1837 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1838 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1839 1840 /* If we need MITM check that it can be achieved */ 1841 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1842 u8 method; 1843 1844 method = get_auth_method(smp, req->io_capability, 1845 rsp->io_capability); 1846 if (method == JUST_WORKS || method == JUST_CFM) 1847 return SMP_AUTH_REQUIREMENTS; 1848 } 1849 1850 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1851 1852 /* Update remote key distribution in case the remote cleared 1853 * some bits that we had enabled in our request. 1854 */ 1855 smp->remote_key_dist &= rsp->resp_key_dist; 1856 1857 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1858 /* Clear bits which are generated but not distributed */ 1859 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1860 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1861 return sc_send_public_key(smp); 1862 } 1863 1864 auth |= req->auth_req; 1865 1866 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 1867 if (ret) 1868 return SMP_UNSPECIFIED; 1869 1870 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1871 1872 /* Can't compose response until we have been confirmed */ 1873 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 1874 return smp_confirm(smp); 1875 1876 return 0; 1877 } 1878 1879 static u8 sc_check_confirm(struct smp_chan *smp) 1880 { 1881 struct l2cap_conn *conn = smp->conn; 1882 1883 BT_DBG(""); 1884 1885 /* Public Key exchange must happen before any other steps */ 1886 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 1887 return SMP_UNSPECIFIED; 1888 1889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1890 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 1891 1892 if (conn->hcon->out) { 1893 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1894 smp->prnd); 1895 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1896 } 1897 1898 return 0; 1899 } 1900 1901 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 1902 { 1903 struct l2cap_chan *chan = conn->smp; 1904 struct smp_chan *smp = chan->data; 1905 1906 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave"); 1907 1908 if (skb->len < sizeof(smp->pcnf)) 1909 return SMP_INVALID_PARAMS; 1910 1911 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 1912 skb_pull(skb, sizeof(smp->pcnf)); 1913 1914 if (test_bit(SMP_FLAG_SC, &smp->flags)) 1915 return sc_check_confirm(smp); 1916 1917 if (conn->hcon->out) { 1918 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1919 smp->prnd); 1920 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1921 return 0; 1922 } 1923 1924 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 1925 return smp_confirm(smp); 1926 else 1927 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1928 1929 return 0; 1930 } 1931 1932 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 1933 { 1934 struct l2cap_chan *chan = conn->smp; 1935 struct smp_chan *smp = chan->data; 1936 struct hci_conn *hcon = conn->hcon; 1937 u8 *pkax, *pkbx, *na, *nb; 1938 u32 passkey; 1939 int err; 1940 1941 BT_DBG("conn %p", conn); 1942 1943 if (skb->len < sizeof(smp->rrnd)) 1944 return SMP_INVALID_PARAMS; 1945 1946 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 1947 skb_pull(skb, sizeof(smp->rrnd)); 1948 1949 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 1950 return smp_random(smp); 1951 1952 if (hcon->out) { 1953 pkax = smp->local_pk; 1954 pkbx = smp->remote_pk; 1955 na = smp->prnd; 1956 nb = smp->rrnd; 1957 } else { 1958 pkax = smp->remote_pk; 1959 pkbx = smp->local_pk; 1960 na = smp->rrnd; 1961 nb = smp->prnd; 1962 } 1963 1964 if (smp->method == REQ_OOB) { 1965 if (!hcon->out) 1966 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1967 sizeof(smp->prnd), smp->prnd); 1968 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1969 goto mackey_and_ltk; 1970 } 1971 1972 /* Passkey entry has special treatment */ 1973 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1974 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 1975 1976 if (hcon->out) { 1977 u8 cfm[16]; 1978 1979 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1980 smp->rrnd, 0, cfm); 1981 if (err) 1982 return SMP_UNSPECIFIED; 1983 1984 if (memcmp(smp->pcnf, cfm, 16)) 1985 return SMP_CONFIRM_FAILED; 1986 } else { 1987 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1988 smp->prnd); 1989 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1990 } 1991 1992 mackey_and_ltk: 1993 /* Generate MacKey and LTK */ 1994 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 1995 if (err) 1996 return SMP_UNSPECIFIED; 1997 1998 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) { 1999 if (hcon->out) { 2000 sc_dhkey_check(smp); 2001 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2002 } 2003 return 0; 2004 } 2005 2006 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2007 if (err) 2008 return SMP_UNSPECIFIED; 2009 2010 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2011 hcon->dst_type, passkey, 0); 2012 if (err) 2013 return SMP_UNSPECIFIED; 2014 2015 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2016 2017 return 0; 2018 } 2019 2020 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2021 { 2022 struct smp_ltk *key; 2023 struct hci_conn *hcon = conn->hcon; 2024 2025 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2026 if (!key) 2027 return false; 2028 2029 if (smp_ltk_sec_level(key) < sec_level) 2030 return false; 2031 2032 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2033 return true; 2034 2035 hci_le_start_enc(hcon, key->ediv, key->rand, key->val); 2036 hcon->enc_key_size = key->enc_size; 2037 2038 /* We never store STKs for master role, so clear this flag */ 2039 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2040 2041 return true; 2042 } 2043 2044 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2045 enum smp_key_pref key_pref) 2046 { 2047 if (sec_level == BT_SECURITY_LOW) 2048 return true; 2049 2050 /* If we're encrypted with an STK but the caller prefers using 2051 * LTK claim insufficient security. This way we allow the 2052 * connection to be re-encrypted with an LTK, even if the LTK 2053 * provides the same level of security. Only exception is if we 2054 * don't have an LTK (e.g. because of key distribution bits). 2055 */ 2056 if (key_pref == SMP_USE_LTK && 2057 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2058 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2059 return false; 2060 2061 if (hcon->sec_level >= sec_level) 2062 return true; 2063 2064 return false; 2065 } 2066 2067 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2068 { 2069 struct smp_cmd_security_req *rp = (void *) skb->data; 2070 struct smp_cmd_pairing cp; 2071 struct hci_conn *hcon = conn->hcon; 2072 struct hci_dev *hdev = hcon->hdev; 2073 struct smp_chan *smp; 2074 u8 sec_level, auth; 2075 2076 BT_DBG("conn %p", conn); 2077 2078 if (skb->len < sizeof(*rp)) 2079 return SMP_INVALID_PARAMS; 2080 2081 if (hcon->role != HCI_ROLE_MASTER) 2082 return SMP_CMD_NOTSUPP; 2083 2084 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2085 2086 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC)) 2087 return SMP_AUTH_REQUIREMENTS; 2088 2089 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2090 sec_level = BT_SECURITY_MEDIUM; 2091 else 2092 sec_level = authreq_to_seclevel(auth); 2093 2094 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2095 return 0; 2096 2097 if (sec_level > hcon->pending_sec_level) 2098 hcon->pending_sec_level = sec_level; 2099 2100 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2101 return 0; 2102 2103 smp = smp_chan_create(conn); 2104 if (!smp) 2105 return SMP_UNSPECIFIED; 2106 2107 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) && 2108 (auth & SMP_AUTH_BONDING)) 2109 return SMP_PAIRING_NOTSUPP; 2110 2111 skb_pull(skb, sizeof(*rp)); 2112 2113 memset(&cp, 0, sizeof(cp)); 2114 build_pairing_cmd(conn, &cp, NULL, auth); 2115 2116 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2117 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2118 2119 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2120 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2121 2122 return 0; 2123 } 2124 2125 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2126 { 2127 struct l2cap_conn *conn = hcon->l2cap_data; 2128 struct l2cap_chan *chan; 2129 struct smp_chan *smp; 2130 __u8 authreq; 2131 int ret; 2132 2133 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level); 2134 2135 /* This may be NULL if there's an unexpected disconnection */ 2136 if (!conn) 2137 return 1; 2138 2139 chan = conn->smp; 2140 2141 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) 2142 return 1; 2143 2144 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2145 return 1; 2146 2147 if (sec_level > hcon->pending_sec_level) 2148 hcon->pending_sec_level = sec_level; 2149 2150 if (hcon->role == HCI_ROLE_MASTER) 2151 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2152 return 0; 2153 2154 l2cap_chan_lock(chan); 2155 2156 /* If SMP is already in progress ignore this request */ 2157 if (chan->data) { 2158 ret = 0; 2159 goto unlock; 2160 } 2161 2162 smp = smp_chan_create(conn); 2163 if (!smp) { 2164 ret = 1; 2165 goto unlock; 2166 } 2167 2168 authreq = seclevel_to_authreq(sec_level); 2169 2170 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags)) 2171 authreq |= SMP_AUTH_SC; 2172 2173 /* Require MITM if IO Capability allows or the security level 2174 * requires it. 2175 */ 2176 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2177 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2178 authreq |= SMP_AUTH_MITM; 2179 2180 if (hcon->role == HCI_ROLE_MASTER) { 2181 struct smp_cmd_pairing cp; 2182 2183 build_pairing_cmd(conn, &cp, NULL, authreq); 2184 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2185 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2186 2187 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2188 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2189 } else { 2190 struct smp_cmd_security_req cp; 2191 cp.auth_req = authreq; 2192 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2193 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2194 } 2195 2196 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2197 ret = 0; 2198 2199 unlock: 2200 l2cap_chan_unlock(chan); 2201 return ret; 2202 } 2203 2204 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2205 { 2206 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2207 struct l2cap_chan *chan = conn->smp; 2208 struct smp_chan *smp = chan->data; 2209 2210 BT_DBG("conn %p", conn); 2211 2212 if (skb->len < sizeof(*rp)) 2213 return SMP_INVALID_PARAMS; 2214 2215 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT); 2216 2217 skb_pull(skb, sizeof(*rp)); 2218 2219 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2220 2221 return 0; 2222 } 2223 2224 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2225 { 2226 struct smp_cmd_master_ident *rp = (void *) skb->data; 2227 struct l2cap_chan *chan = conn->smp; 2228 struct smp_chan *smp = chan->data; 2229 struct hci_dev *hdev = conn->hcon->hdev; 2230 struct hci_conn *hcon = conn->hcon; 2231 struct smp_ltk *ltk; 2232 u8 authenticated; 2233 2234 BT_DBG("conn %p", conn); 2235 2236 if (skb->len < sizeof(*rp)) 2237 return SMP_INVALID_PARAMS; 2238 2239 /* Mark the information as received */ 2240 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2241 2242 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2243 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2244 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2245 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2246 2247 skb_pull(skb, sizeof(*rp)); 2248 2249 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2250 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2251 authenticated, smp->tk, smp->enc_key_size, 2252 rp->ediv, rp->rand); 2253 smp->ltk = ltk; 2254 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2255 smp_distribute_keys(smp); 2256 2257 return 0; 2258 } 2259 2260 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2261 { 2262 struct smp_cmd_ident_info *info = (void *) skb->data; 2263 struct l2cap_chan *chan = conn->smp; 2264 struct smp_chan *smp = chan->data; 2265 2266 BT_DBG(""); 2267 2268 if (skb->len < sizeof(*info)) 2269 return SMP_INVALID_PARAMS; 2270 2271 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2272 2273 skb_pull(skb, sizeof(*info)); 2274 2275 memcpy(smp->irk, info->irk, 16); 2276 2277 return 0; 2278 } 2279 2280 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2281 struct sk_buff *skb) 2282 { 2283 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2284 struct l2cap_chan *chan = conn->smp; 2285 struct smp_chan *smp = chan->data; 2286 struct hci_conn *hcon = conn->hcon; 2287 bdaddr_t rpa; 2288 2289 BT_DBG(""); 2290 2291 if (skb->len < sizeof(*info)) 2292 return SMP_INVALID_PARAMS; 2293 2294 /* Mark the information as received */ 2295 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2296 2297 if (smp->remote_key_dist & SMP_DIST_SIGN) 2298 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2299 2300 skb_pull(skb, sizeof(*info)); 2301 2302 /* Strictly speaking the Core Specification (4.1) allows sending 2303 * an empty address which would force us to rely on just the IRK 2304 * as "identity information". However, since such 2305 * implementations are not known of and in order to not over 2306 * complicate our implementation, simply pretend that we never 2307 * received an IRK for such a device. 2308 * 2309 * The Identity Address must also be a Static Random or Public 2310 * Address, which hci_is_identity_address() checks for. 2311 */ 2312 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2313 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2314 BT_ERR("Ignoring IRK with no identity address"); 2315 goto distribute; 2316 } 2317 2318 bacpy(&smp->id_addr, &info->bdaddr); 2319 smp->id_addr_type = info->addr_type; 2320 2321 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2322 bacpy(&rpa, &hcon->dst); 2323 else 2324 bacpy(&rpa, BDADDR_ANY); 2325 2326 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2327 smp->id_addr_type, smp->irk, &rpa); 2328 2329 distribute: 2330 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2331 smp_distribute_keys(smp); 2332 2333 return 0; 2334 } 2335 2336 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2337 { 2338 struct smp_cmd_sign_info *rp = (void *) skb->data; 2339 struct l2cap_chan *chan = conn->smp; 2340 struct smp_chan *smp = chan->data; 2341 struct smp_csrk *csrk; 2342 2343 BT_DBG("conn %p", conn); 2344 2345 if (skb->len < sizeof(*rp)) 2346 return SMP_INVALID_PARAMS; 2347 2348 /* Mark the information as received */ 2349 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2350 2351 skb_pull(skb, sizeof(*rp)); 2352 2353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2354 if (csrk) { 2355 csrk->master = 0x01; 2356 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2357 } 2358 smp->csrk = csrk; 2359 smp_distribute_keys(smp); 2360 2361 return 0; 2362 } 2363 2364 static u8 sc_select_method(struct smp_chan *smp) 2365 { 2366 struct l2cap_conn *conn = smp->conn; 2367 struct hci_conn *hcon = conn->hcon; 2368 struct smp_cmd_pairing *local, *remote; 2369 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2370 2371 if (test_bit(SMP_FLAG_OOB, &smp->flags)) 2372 return REQ_OOB; 2373 2374 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2375 * which are needed as inputs to some crypto functions. To get 2376 * the "struct smp_cmd_pairing" from them we need to skip the 2377 * first byte which contains the opcode. 2378 */ 2379 if (hcon->out) { 2380 local = (void *) &smp->preq[1]; 2381 remote = (void *) &smp->prsp[1]; 2382 } else { 2383 local = (void *) &smp->prsp[1]; 2384 remote = (void *) &smp->preq[1]; 2385 } 2386 2387 local_io = local->io_capability; 2388 remote_io = remote->io_capability; 2389 2390 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2391 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2392 2393 /* If either side wants MITM, look up the method from the table, 2394 * otherwise use JUST WORKS. 2395 */ 2396 if (local_mitm || remote_mitm) 2397 method = get_auth_method(smp, local_io, remote_io); 2398 else 2399 method = JUST_WORKS; 2400 2401 /* Don't confirm locally initiated pairing attempts */ 2402 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2403 method = JUST_WORKS; 2404 2405 return method; 2406 } 2407 2408 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2409 { 2410 struct smp_cmd_public_key *key = (void *) skb->data; 2411 struct hci_conn *hcon = conn->hcon; 2412 struct l2cap_chan *chan = conn->smp; 2413 struct smp_chan *smp = chan->data; 2414 struct hci_dev *hdev = hcon->hdev; 2415 struct smp_cmd_pairing_confirm cfm; 2416 int err; 2417 2418 BT_DBG("conn %p", conn); 2419 2420 if (skb->len < sizeof(*key)) 2421 return SMP_INVALID_PARAMS; 2422 2423 memcpy(smp->remote_pk, key, 64); 2424 2425 /* Non-initiating device sends its public key after receiving 2426 * the key from the initiating device. 2427 */ 2428 if (!hcon->out) { 2429 err = sc_send_public_key(smp); 2430 if (err) 2431 return err; 2432 } 2433 2434 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2435 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]); 2436 2437 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey)) 2438 return SMP_UNSPECIFIED; 2439 2440 SMP_DBG("DHKey %32phN", smp->dhkey); 2441 2442 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2443 2444 smp->method = sc_select_method(smp); 2445 2446 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method); 2447 2448 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2449 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2450 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2451 else 2452 hcon->pending_sec_level = BT_SECURITY_FIPS; 2453 2454 if (!memcmp(debug_pk, smp->remote_pk, 64)) 2455 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2456 2457 if (smp->method == DSP_PASSKEY) { 2458 get_random_bytes(&hcon->passkey_notify, 2459 sizeof(hcon->passkey_notify)); 2460 hcon->passkey_notify %= 1000000; 2461 hcon->passkey_entered = 0; 2462 smp->passkey_round = 0; 2463 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2464 hcon->dst_type, 2465 hcon->passkey_notify, 2466 hcon->passkey_entered)) 2467 return SMP_UNSPECIFIED; 2468 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2469 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2470 } 2471 2472 if (smp->method == REQ_OOB) { 2473 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2474 smp->rr, 0, cfm.confirm_val); 2475 if (err) 2476 return SMP_UNSPECIFIED; 2477 2478 if (memcmp(cfm.confirm_val, smp->pcnf, 16)) 2479 return SMP_CONFIRM_FAILED; 2480 2481 if (hcon->out) 2482 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2483 sizeof(smp->prnd), smp->prnd); 2484 2485 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2486 2487 return 0; 2488 } 2489 2490 if (hcon->out) 2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2492 2493 if (smp->method == REQ_PASSKEY) { 2494 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2495 hcon->dst_type)) 2496 return SMP_UNSPECIFIED; 2497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2498 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2499 return 0; 2500 } 2501 2502 /* The Initiating device waits for the non-initiating device to 2503 * send the confirm value. 2504 */ 2505 if (conn->hcon->out) 2506 return 0; 2507 2508 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2509 0, cfm.confirm_val); 2510 if (err) 2511 return SMP_UNSPECIFIED; 2512 2513 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2514 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2515 2516 return 0; 2517 } 2518 2519 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2520 { 2521 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2522 struct l2cap_chan *chan = conn->smp; 2523 struct hci_conn *hcon = conn->hcon; 2524 struct smp_chan *smp = chan->data; 2525 u8 a[7], b[7], *local_addr, *remote_addr; 2526 u8 io_cap[3], r[16], e[16]; 2527 int err; 2528 2529 BT_DBG("conn %p", conn); 2530 2531 if (skb->len < sizeof(*check)) 2532 return SMP_INVALID_PARAMS; 2533 2534 memcpy(a, &hcon->init_addr, 6); 2535 memcpy(b, &hcon->resp_addr, 6); 2536 a[6] = hcon->init_addr_type; 2537 b[6] = hcon->resp_addr_type; 2538 2539 if (hcon->out) { 2540 local_addr = a; 2541 remote_addr = b; 2542 memcpy(io_cap, &smp->prsp[1], 3); 2543 } else { 2544 local_addr = b; 2545 remote_addr = a; 2546 memcpy(io_cap, &smp->preq[1], 3); 2547 } 2548 2549 memset(r, 0, sizeof(r)); 2550 2551 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2552 put_unaligned_le32(hcon->passkey_notify, r); 2553 2554 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2555 io_cap, remote_addr, local_addr, e); 2556 if (err) 2557 return SMP_UNSPECIFIED; 2558 2559 if (memcmp(check->e, e, 16)) 2560 return SMP_DHKEY_CHECK_FAILED; 2561 2562 if (!hcon->out) { 2563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2564 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2565 return 0; 2566 } 2567 2568 /* Slave sends DHKey check as response to master */ 2569 sc_dhkey_check(smp); 2570 } 2571 2572 sc_add_ltk(smp); 2573 2574 if (hcon->out) { 2575 hci_le_start_enc(hcon, 0, 0, smp->tk); 2576 hcon->enc_key_size = smp->enc_key_size; 2577 } 2578 2579 return 0; 2580 } 2581 2582 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2583 struct sk_buff *skb) 2584 { 2585 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2586 2587 BT_DBG("value 0x%02x", kp->value); 2588 2589 return 0; 2590 } 2591 2592 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2593 { 2594 struct l2cap_conn *conn = chan->conn; 2595 struct hci_conn *hcon = conn->hcon; 2596 struct smp_chan *smp; 2597 __u8 code, reason; 2598 int err = 0; 2599 2600 if (skb->len < 1) 2601 return -EILSEQ; 2602 2603 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) { 2604 reason = SMP_PAIRING_NOTSUPP; 2605 goto done; 2606 } 2607 2608 code = skb->data[0]; 2609 skb_pull(skb, sizeof(code)); 2610 2611 smp = chan->data; 2612 2613 if (code > SMP_CMD_MAX) 2614 goto drop; 2615 2616 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2617 goto drop; 2618 2619 /* If we don't have a context the only allowed commands are 2620 * pairing request and security request. 2621 */ 2622 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2623 goto drop; 2624 2625 switch (code) { 2626 case SMP_CMD_PAIRING_REQ: 2627 reason = smp_cmd_pairing_req(conn, skb); 2628 break; 2629 2630 case SMP_CMD_PAIRING_FAIL: 2631 smp_failure(conn, 0); 2632 err = -EPERM; 2633 break; 2634 2635 case SMP_CMD_PAIRING_RSP: 2636 reason = smp_cmd_pairing_rsp(conn, skb); 2637 break; 2638 2639 case SMP_CMD_SECURITY_REQ: 2640 reason = smp_cmd_security_req(conn, skb); 2641 break; 2642 2643 case SMP_CMD_PAIRING_CONFIRM: 2644 reason = smp_cmd_pairing_confirm(conn, skb); 2645 break; 2646 2647 case SMP_CMD_PAIRING_RANDOM: 2648 reason = smp_cmd_pairing_random(conn, skb); 2649 break; 2650 2651 case SMP_CMD_ENCRYPT_INFO: 2652 reason = smp_cmd_encrypt_info(conn, skb); 2653 break; 2654 2655 case SMP_CMD_MASTER_IDENT: 2656 reason = smp_cmd_master_ident(conn, skb); 2657 break; 2658 2659 case SMP_CMD_IDENT_INFO: 2660 reason = smp_cmd_ident_info(conn, skb); 2661 break; 2662 2663 case SMP_CMD_IDENT_ADDR_INFO: 2664 reason = smp_cmd_ident_addr_info(conn, skb); 2665 break; 2666 2667 case SMP_CMD_SIGN_INFO: 2668 reason = smp_cmd_sign_info(conn, skb); 2669 break; 2670 2671 case SMP_CMD_PUBLIC_KEY: 2672 reason = smp_cmd_public_key(conn, skb); 2673 break; 2674 2675 case SMP_CMD_DHKEY_CHECK: 2676 reason = smp_cmd_dhkey_check(conn, skb); 2677 break; 2678 2679 case SMP_CMD_KEYPRESS_NOTIFY: 2680 reason = smp_cmd_keypress_notify(conn, skb); 2681 break; 2682 2683 default: 2684 BT_DBG("Unknown command code 0x%2.2x", code); 2685 reason = SMP_CMD_NOTSUPP; 2686 goto done; 2687 } 2688 2689 done: 2690 if (!err) { 2691 if (reason) 2692 smp_failure(conn, reason); 2693 kfree_skb(skb); 2694 } 2695 2696 return err; 2697 2698 drop: 2699 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name, 2700 code, &hcon->dst); 2701 kfree_skb(skb); 2702 return 0; 2703 } 2704 2705 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 2706 { 2707 struct l2cap_conn *conn = chan->conn; 2708 2709 BT_DBG("chan %p", chan); 2710 2711 if (chan->data) 2712 smp_chan_destroy(conn); 2713 2714 conn->smp = NULL; 2715 l2cap_chan_put(chan); 2716 } 2717 2718 static void bredr_pairing(struct l2cap_chan *chan) 2719 { 2720 struct l2cap_conn *conn = chan->conn; 2721 struct hci_conn *hcon = conn->hcon; 2722 struct hci_dev *hdev = hcon->hdev; 2723 struct smp_cmd_pairing req; 2724 struct smp_chan *smp; 2725 2726 BT_DBG("chan %p", chan); 2727 2728 /* Only new pairings are interesting */ 2729 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 2730 return; 2731 2732 /* Don't bother if we're not encrypted */ 2733 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2734 return; 2735 2736 /* Only master may initiate SMP over BR/EDR */ 2737 if (hcon->role != HCI_ROLE_MASTER) 2738 return; 2739 2740 /* Secure Connections support must be enabled */ 2741 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags)) 2742 return; 2743 2744 /* BR/EDR must use Secure Connections for SMP */ 2745 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 2746 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags)) 2747 return; 2748 2749 /* If our LE support is not enabled don't do anything */ 2750 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags)) 2751 return; 2752 2753 /* Don't bother if remote LE support is not enabled */ 2754 if (!lmp_host_le_capable(hcon)) 2755 return; 2756 2757 /* Remote must support SMP fixed chan for BR/EDR */ 2758 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 2759 return; 2760 2761 /* Don't bother if SMP is already ongoing */ 2762 if (chan->data) 2763 return; 2764 2765 smp = smp_chan_create(conn); 2766 if (!smp) { 2767 BT_ERR("%s unable to create SMP context for BR/EDR", 2768 hdev->name); 2769 return; 2770 } 2771 2772 set_bit(SMP_FLAG_SC, &smp->flags); 2773 2774 BT_DBG("%s starting SMP over BR/EDR", hdev->name); 2775 2776 /* Prepare and send the BR/EDR SMP Pairing Request */ 2777 build_bredr_pairing_cmd(smp, &req, NULL); 2778 2779 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2780 memcpy(&smp->preq[1], &req, sizeof(req)); 2781 2782 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 2783 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2784 } 2785 2786 static void smp_resume_cb(struct l2cap_chan *chan) 2787 { 2788 struct smp_chan *smp = chan->data; 2789 struct l2cap_conn *conn = chan->conn; 2790 struct hci_conn *hcon = conn->hcon; 2791 2792 BT_DBG("chan %p", chan); 2793 2794 if (hcon->type == ACL_LINK) { 2795 bredr_pairing(chan); 2796 return; 2797 } 2798 2799 if (!smp) 2800 return; 2801 2802 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2803 return; 2804 2805 cancel_delayed_work(&smp->security_timer); 2806 2807 smp_distribute_keys(smp); 2808 } 2809 2810 static void smp_ready_cb(struct l2cap_chan *chan) 2811 { 2812 struct l2cap_conn *conn = chan->conn; 2813 struct hci_conn *hcon = conn->hcon; 2814 2815 BT_DBG("chan %p", chan); 2816 2817 conn->smp = chan; 2818 l2cap_chan_hold(chan); 2819 2820 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 2821 bredr_pairing(chan); 2822 } 2823 2824 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 2825 { 2826 int err; 2827 2828 BT_DBG("chan %p", chan); 2829 2830 err = smp_sig_channel(chan, skb); 2831 if (err) { 2832 struct smp_chan *smp = chan->data; 2833 2834 if (smp) 2835 cancel_delayed_work_sync(&smp->security_timer); 2836 2837 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 2838 } 2839 2840 return err; 2841 } 2842 2843 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 2844 unsigned long hdr_len, 2845 unsigned long len, int nb) 2846 { 2847 struct sk_buff *skb; 2848 2849 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 2850 if (!skb) 2851 return ERR_PTR(-ENOMEM); 2852 2853 skb->priority = HCI_PRIO_MAX; 2854 bt_cb(skb)->chan = chan; 2855 2856 return skb; 2857 } 2858 2859 static const struct l2cap_ops smp_chan_ops = { 2860 .name = "Security Manager", 2861 .ready = smp_ready_cb, 2862 .recv = smp_recv_cb, 2863 .alloc_skb = smp_alloc_skb_cb, 2864 .teardown = smp_teardown_cb, 2865 .resume = smp_resume_cb, 2866 2867 .new_connection = l2cap_chan_no_new_connection, 2868 .state_change = l2cap_chan_no_state_change, 2869 .close = l2cap_chan_no_close, 2870 .defer = l2cap_chan_no_defer, 2871 .suspend = l2cap_chan_no_suspend, 2872 .set_shutdown = l2cap_chan_no_set_shutdown, 2873 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 2874 }; 2875 2876 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 2877 { 2878 struct l2cap_chan *chan; 2879 2880 BT_DBG("pchan %p", pchan); 2881 2882 chan = l2cap_chan_create(); 2883 if (!chan) 2884 return NULL; 2885 2886 chan->chan_type = pchan->chan_type; 2887 chan->ops = &smp_chan_ops; 2888 chan->scid = pchan->scid; 2889 chan->dcid = chan->scid; 2890 chan->imtu = pchan->imtu; 2891 chan->omtu = pchan->omtu; 2892 chan->mode = pchan->mode; 2893 2894 /* Other L2CAP channels may request SMP routines in order to 2895 * change the security level. This means that the SMP channel 2896 * lock must be considered in its own category to avoid lockdep 2897 * warnings. 2898 */ 2899 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 2900 2901 BT_DBG("created chan %p", chan); 2902 2903 return chan; 2904 } 2905 2906 static const struct l2cap_ops smp_root_chan_ops = { 2907 .name = "Security Manager Root", 2908 .new_connection = smp_new_conn_cb, 2909 2910 /* None of these are implemented for the root channel */ 2911 .close = l2cap_chan_no_close, 2912 .alloc_skb = l2cap_chan_no_alloc_skb, 2913 .recv = l2cap_chan_no_recv, 2914 .state_change = l2cap_chan_no_state_change, 2915 .teardown = l2cap_chan_no_teardown, 2916 .ready = l2cap_chan_no_ready, 2917 .defer = l2cap_chan_no_defer, 2918 .suspend = l2cap_chan_no_suspend, 2919 .resume = l2cap_chan_no_resume, 2920 .set_shutdown = l2cap_chan_no_set_shutdown, 2921 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 2922 }; 2923 2924 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 2925 { 2926 struct l2cap_chan *chan; 2927 struct crypto_blkcipher *tfm_aes; 2928 2929 if (cid == L2CAP_CID_SMP_BREDR) { 2930 tfm_aes = NULL; 2931 goto create_chan; 2932 } 2933 2934 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0); 2935 if (IS_ERR(tfm_aes)) { 2936 BT_ERR("Unable to create crypto context"); 2937 return ERR_CAST(tfm_aes); 2938 } 2939 2940 create_chan: 2941 chan = l2cap_chan_create(); 2942 if (!chan) { 2943 crypto_free_blkcipher(tfm_aes); 2944 return ERR_PTR(-ENOMEM); 2945 } 2946 2947 chan->data = tfm_aes; 2948 2949 l2cap_add_scid(chan, cid); 2950 2951 l2cap_chan_set_defaults(chan); 2952 2953 if (cid == L2CAP_CID_SMP) { 2954 /* If usage of static address is forced or if the devices 2955 * does not have a public address, then listen on the static 2956 * address. 2957 * 2958 * In case BR/EDR has been disabled on a dual-mode controller 2959 * and a static address has been configued, then listen on 2960 * the static address instead. 2961 */ 2962 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dbg_flags) || 2963 !bacmp(&hdev->bdaddr, BDADDR_ANY) || 2964 (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) && 2965 bacmp(&hdev->static_addr, BDADDR_ANY))) { 2966 bacpy(&chan->src, &hdev->static_addr); 2967 chan->src_type = BDADDR_LE_RANDOM; 2968 } else { 2969 bacpy(&chan->src, &hdev->bdaddr); 2970 chan->src_type = BDADDR_LE_PUBLIC; 2971 } 2972 } else { 2973 bacpy(&chan->src, &hdev->bdaddr); 2974 chan->src_type = BDADDR_BREDR; 2975 } 2976 2977 chan->state = BT_LISTEN; 2978 chan->mode = L2CAP_MODE_BASIC; 2979 chan->imtu = L2CAP_DEFAULT_MTU; 2980 chan->ops = &smp_root_chan_ops; 2981 2982 /* Set correct nesting level for a parent/listening channel */ 2983 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 2984 2985 return chan; 2986 } 2987 2988 static void smp_del_chan(struct l2cap_chan *chan) 2989 { 2990 struct crypto_blkcipher *tfm_aes; 2991 2992 BT_DBG("chan %p", chan); 2993 2994 tfm_aes = chan->data; 2995 if (tfm_aes) { 2996 chan->data = NULL; 2997 crypto_free_blkcipher(tfm_aes); 2998 } 2999 3000 l2cap_chan_put(chan); 3001 } 3002 3003 static ssize_t force_bredr_smp_read(struct file *file, 3004 char __user *user_buf, 3005 size_t count, loff_t *ppos) 3006 { 3007 struct hci_dev *hdev = file->private_data; 3008 char buf[3]; 3009 3010 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N'; 3011 buf[1] = '\n'; 3012 buf[2] = '\0'; 3013 return simple_read_from_buffer(user_buf, count, ppos, buf, 2); 3014 } 3015 3016 static ssize_t force_bredr_smp_write(struct file *file, 3017 const char __user *user_buf, 3018 size_t count, loff_t *ppos) 3019 { 3020 struct hci_dev *hdev = file->private_data; 3021 char buf[32]; 3022 size_t buf_size = min(count, (sizeof(buf)-1)); 3023 bool enable; 3024 3025 if (copy_from_user(buf, user_buf, buf_size)) 3026 return -EFAULT; 3027 3028 buf[buf_size] = '\0'; 3029 if (strtobool(buf, &enable)) 3030 return -EINVAL; 3031 3032 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags)) 3033 return -EALREADY; 3034 3035 if (enable) { 3036 struct l2cap_chan *chan; 3037 3038 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3039 if (IS_ERR(chan)) 3040 return PTR_ERR(chan); 3041 3042 hdev->smp_bredr_data = chan; 3043 } else { 3044 struct l2cap_chan *chan; 3045 3046 chan = hdev->smp_bredr_data; 3047 hdev->smp_bredr_data = NULL; 3048 smp_del_chan(chan); 3049 } 3050 3051 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags); 3052 3053 return count; 3054 } 3055 3056 static const struct file_operations force_bredr_smp_fops = { 3057 .open = simple_open, 3058 .read = force_bredr_smp_read, 3059 .write = force_bredr_smp_write, 3060 .llseek = default_llseek, 3061 }; 3062 3063 int smp_register(struct hci_dev *hdev) 3064 { 3065 struct l2cap_chan *chan; 3066 3067 BT_DBG("%s", hdev->name); 3068 3069 /* If the controller does not support Low Energy operation, then 3070 * there is also no need to register any SMP channel. 3071 */ 3072 if (!lmp_le_capable(hdev)) 3073 return 0; 3074 3075 if (WARN_ON(hdev->smp_data)) { 3076 chan = hdev->smp_data; 3077 hdev->smp_data = NULL; 3078 smp_del_chan(chan); 3079 } 3080 3081 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3082 if (IS_ERR(chan)) 3083 return PTR_ERR(chan); 3084 3085 hdev->smp_data = chan; 3086 3087 /* If the controller does not support BR/EDR Secure Connections 3088 * feature, then the BR/EDR SMP channel shall not be present. 3089 * 3090 * To test this with Bluetooth 4.0 controllers, create a debugfs 3091 * switch that allows forcing BR/EDR SMP support and accepting 3092 * cross-transport pairing on non-AES encrypted connections. 3093 */ 3094 if (!lmp_sc_capable(hdev)) { 3095 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs, 3096 hdev, &force_bredr_smp_fops); 3097 return 0; 3098 } 3099 3100 if (WARN_ON(hdev->smp_bredr_data)) { 3101 chan = hdev->smp_bredr_data; 3102 hdev->smp_bredr_data = NULL; 3103 smp_del_chan(chan); 3104 } 3105 3106 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3107 if (IS_ERR(chan)) { 3108 int err = PTR_ERR(chan); 3109 chan = hdev->smp_data; 3110 hdev->smp_data = NULL; 3111 smp_del_chan(chan); 3112 return err; 3113 } 3114 3115 hdev->smp_bredr_data = chan; 3116 3117 return 0; 3118 } 3119 3120 void smp_unregister(struct hci_dev *hdev) 3121 { 3122 struct l2cap_chan *chan; 3123 3124 if (hdev->smp_bredr_data) { 3125 chan = hdev->smp_bredr_data; 3126 hdev->smp_bredr_data = NULL; 3127 smp_del_chan(chan); 3128 } 3129 3130 if (hdev->smp_data) { 3131 chan = hdev->smp_data; 3132 hdev->smp_data = NULL; 3133 smp_del_chan(chan); 3134 } 3135 } 3136 3137 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3138 3139 static int __init test_ah(struct crypto_blkcipher *tfm_aes) 3140 { 3141 const u8 irk[16] = { 3142 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3143 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3144 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3145 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3146 u8 res[3]; 3147 int err; 3148 3149 err = smp_ah(tfm_aes, irk, r, res); 3150 if (err) 3151 return err; 3152 3153 if (memcmp(res, exp, 3)) 3154 return -EINVAL; 3155 3156 return 0; 3157 } 3158 3159 static int __init test_c1(struct crypto_blkcipher *tfm_aes) 3160 { 3161 const u8 k[16] = { 3162 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3164 const u8 r[16] = { 3165 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3166 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3167 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3168 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3169 const u8 _iat = 0x01; 3170 const u8 _rat = 0x00; 3171 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3172 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3173 const u8 exp[16] = { 3174 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3175 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3176 u8 res[16]; 3177 int err; 3178 3179 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3180 if (err) 3181 return err; 3182 3183 if (memcmp(res, exp, 16)) 3184 return -EINVAL; 3185 3186 return 0; 3187 } 3188 3189 static int __init test_s1(struct crypto_blkcipher *tfm_aes) 3190 { 3191 const u8 k[16] = { 3192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3194 const u8 r1[16] = { 3195 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3196 const u8 r2[16] = { 3197 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3198 const u8 exp[16] = { 3199 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3200 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3201 u8 res[16]; 3202 int err; 3203 3204 err = smp_s1(tfm_aes, k, r1, r2, res); 3205 if (err) 3206 return err; 3207 3208 if (memcmp(res, exp, 16)) 3209 return -EINVAL; 3210 3211 return 0; 3212 } 3213 3214 static int __init test_f4(struct crypto_hash *tfm_cmac) 3215 { 3216 const u8 u[32] = { 3217 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3218 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3219 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3220 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3221 const u8 v[32] = { 3222 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3223 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3224 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3225 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3226 const u8 x[16] = { 3227 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3228 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3229 const u8 z = 0x00; 3230 const u8 exp[16] = { 3231 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3232 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3233 u8 res[16]; 3234 int err; 3235 3236 err = smp_f4(tfm_cmac, u, v, x, z, res); 3237 if (err) 3238 return err; 3239 3240 if (memcmp(res, exp, 16)) 3241 return -EINVAL; 3242 3243 return 0; 3244 } 3245 3246 static int __init test_f5(struct crypto_hash *tfm_cmac) 3247 { 3248 const u8 w[32] = { 3249 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3250 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3251 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3252 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3253 const u8 n1[16] = { 3254 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3255 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3256 const u8 n2[16] = { 3257 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3258 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3259 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3260 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3261 const u8 exp_ltk[16] = { 3262 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3263 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3264 const u8 exp_mackey[16] = { 3265 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3266 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3267 u8 mackey[16], ltk[16]; 3268 int err; 3269 3270 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3271 if (err) 3272 return err; 3273 3274 if (memcmp(mackey, exp_mackey, 16)) 3275 return -EINVAL; 3276 3277 if (memcmp(ltk, exp_ltk, 16)) 3278 return -EINVAL; 3279 3280 return 0; 3281 } 3282 3283 static int __init test_f6(struct crypto_hash *tfm_cmac) 3284 { 3285 const u8 w[16] = { 3286 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3287 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3288 const u8 n1[16] = { 3289 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3290 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3291 const u8 n2[16] = { 3292 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3293 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3294 const u8 r[16] = { 3295 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3296 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3297 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3298 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3299 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3300 const u8 exp[16] = { 3301 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3302 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3303 u8 res[16]; 3304 int err; 3305 3306 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3307 if (err) 3308 return err; 3309 3310 if (memcmp(res, exp, 16)) 3311 return -EINVAL; 3312 3313 return 0; 3314 } 3315 3316 static int __init test_g2(struct crypto_hash *tfm_cmac) 3317 { 3318 const u8 u[32] = { 3319 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3320 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3321 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3322 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3323 const u8 v[32] = { 3324 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3325 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3326 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3327 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3328 const u8 x[16] = { 3329 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3330 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3331 const u8 y[16] = { 3332 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3333 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3334 const u32 exp_val = 0x2f9ed5ba % 1000000; 3335 u32 val; 3336 int err; 3337 3338 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3339 if (err) 3340 return err; 3341 3342 if (val != exp_val) 3343 return -EINVAL; 3344 3345 return 0; 3346 } 3347 3348 static int __init test_h6(struct crypto_hash *tfm_cmac) 3349 { 3350 const u8 w[16] = { 3351 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3352 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3353 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3354 const u8 exp[16] = { 3355 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3356 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3357 u8 res[16]; 3358 int err; 3359 3360 err = smp_h6(tfm_cmac, w, key_id, res); 3361 if (err) 3362 return err; 3363 3364 if (memcmp(res, exp, 16)) 3365 return -EINVAL; 3366 3367 return 0; 3368 } 3369 3370 static int __init run_selftests(struct crypto_blkcipher *tfm_aes, 3371 struct crypto_hash *tfm_cmac) 3372 { 3373 ktime_t calltime, delta, rettime; 3374 unsigned long long duration; 3375 int err; 3376 3377 calltime = ktime_get(); 3378 3379 err = test_ah(tfm_aes); 3380 if (err) { 3381 BT_ERR("smp_ah test failed"); 3382 return err; 3383 } 3384 3385 err = test_c1(tfm_aes); 3386 if (err) { 3387 BT_ERR("smp_c1 test failed"); 3388 return err; 3389 } 3390 3391 err = test_s1(tfm_aes); 3392 if (err) { 3393 BT_ERR("smp_s1 test failed"); 3394 return err; 3395 } 3396 3397 err = test_f4(tfm_cmac); 3398 if (err) { 3399 BT_ERR("smp_f4 test failed"); 3400 return err; 3401 } 3402 3403 err = test_f5(tfm_cmac); 3404 if (err) { 3405 BT_ERR("smp_f5 test failed"); 3406 return err; 3407 } 3408 3409 err = test_f6(tfm_cmac); 3410 if (err) { 3411 BT_ERR("smp_f6 test failed"); 3412 return err; 3413 } 3414 3415 err = test_g2(tfm_cmac); 3416 if (err) { 3417 BT_ERR("smp_g2 test failed"); 3418 return err; 3419 } 3420 3421 err = test_h6(tfm_cmac); 3422 if (err) { 3423 BT_ERR("smp_h6 test failed"); 3424 return err; 3425 } 3426 3427 rettime = ktime_get(); 3428 delta = ktime_sub(rettime, calltime); 3429 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3430 3431 BT_INFO("SMP test passed in %llu usecs", duration); 3432 3433 return 0; 3434 } 3435 3436 int __init bt_selftest_smp(void) 3437 { 3438 struct crypto_blkcipher *tfm_aes; 3439 struct crypto_hash *tfm_cmac; 3440 int err; 3441 3442 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC); 3443 if (IS_ERR(tfm_aes)) { 3444 BT_ERR("Unable to create ECB crypto context"); 3445 return PTR_ERR(tfm_aes); 3446 } 3447 3448 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC); 3449 if (IS_ERR(tfm_cmac)) { 3450 BT_ERR("Unable to create CMAC crypto context"); 3451 crypto_free_blkcipher(tfm_aes); 3452 return PTR_ERR(tfm_cmac); 3453 } 3454 3455 err = run_selftests(tfm_aes, tfm_cmac); 3456 3457 crypto_free_hash(tfm_cmac); 3458 crypto_free_blkcipher(tfm_aes); 3459 3460 return err; 3461 } 3462 3463 #endif 3464