1 /* 2 BlueZ - Bluetooth protocol stack for Linux 3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies). 4 5 This program is free software; you can redistribute it and/or modify 6 it under the terms of the GNU General Public License version 2 as 7 published by the Free Software Foundation; 8 9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY 13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES 14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 17 18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS, 19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS 20 SOFTWARE IS DISCLAIMED. 21 */ 22 23 #include <linux/debugfs.h> 24 #include <linux/scatterlist.h> 25 #include <linux/crypto.h> 26 #include <crypto/aes.h> 27 #include <crypto/algapi.h> 28 #include <crypto/hash.h> 29 #include <crypto/kpp.h> 30 31 #include <net/bluetooth/bluetooth.h> 32 #include <net/bluetooth/hci_core.h> 33 #include <net/bluetooth/l2cap.h> 34 #include <net/bluetooth/mgmt.h> 35 36 #include "ecdh_helper.h" 37 #include "smp.h" 38 39 #define SMP_DEV(hdev) \ 40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data) 41 42 /* Low-level debug macros to be used for stuff that we don't want 43 * accidentally in dmesg, i.e. the values of the various crypto keys 44 * and the inputs & outputs of crypto functions. 45 */ 46 #ifdef DEBUG 47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \ 48 ##__VA_ARGS__) 49 #else 50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \ 51 ##__VA_ARGS__) 52 #endif 53 54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd) 55 56 /* Keys which are not distributed with Secure Connections */ 57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY) 58 59 #define SMP_TIMEOUT msecs_to_jiffies(30000) 60 61 #define ID_ADDR_TIMEOUT msecs_to_jiffies(200) 62 63 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \ 64 0x3f : 0x07) 65 #define KEY_DIST_MASK 0x07 66 67 /* Maximum message length that can be passed to aes_cmac */ 68 #define CMAC_MSG_MAX 80 69 70 enum { 71 SMP_FLAG_TK_VALID, 72 SMP_FLAG_CFM_PENDING, 73 SMP_FLAG_MITM_AUTH, 74 SMP_FLAG_COMPLETE, 75 SMP_FLAG_INITIATOR, 76 SMP_FLAG_SC, 77 SMP_FLAG_REMOTE_PK, 78 SMP_FLAG_DEBUG_KEY, 79 SMP_FLAG_WAIT_USER, 80 SMP_FLAG_DHKEY_PENDING, 81 SMP_FLAG_REMOTE_OOB, 82 SMP_FLAG_LOCAL_OOB, 83 SMP_FLAG_CT2, 84 }; 85 86 struct smp_dev { 87 /* Secure Connections OOB data */ 88 bool local_oob; 89 u8 local_pk[64]; 90 u8 local_rand[16]; 91 bool debug_key; 92 93 struct crypto_shash *tfm_cmac; 94 struct crypto_kpp *tfm_ecdh; 95 }; 96 97 struct smp_chan { 98 struct l2cap_conn *conn; 99 struct delayed_work security_timer; 100 unsigned long allow_cmd; /* Bitmask of allowed commands */ 101 102 u8 preq[7]; /* SMP Pairing Request */ 103 u8 prsp[7]; /* SMP Pairing Response */ 104 u8 prnd[16]; /* SMP Pairing Random (local) */ 105 u8 rrnd[16]; /* SMP Pairing Random (remote) */ 106 u8 pcnf[16]; /* SMP Pairing Confirm */ 107 u8 tk[16]; /* SMP Temporary Key */ 108 u8 rr[16]; /* Remote OOB ra/rb value */ 109 u8 lr[16]; /* Local OOB ra/rb value */ 110 u8 enc_key_size; 111 u8 remote_key_dist; 112 bdaddr_t id_addr; 113 u8 id_addr_type; 114 u8 irk[16]; 115 struct smp_csrk *csrk; 116 struct smp_csrk *responder_csrk; 117 struct smp_ltk *ltk; 118 struct smp_ltk *responder_ltk; 119 struct smp_irk *remote_irk; 120 u8 *link_key; 121 unsigned long flags; 122 u8 method; 123 u8 passkey_round; 124 125 /* Secure Connections variables */ 126 u8 local_pk[64]; 127 u8 remote_pk[64]; 128 u8 dhkey[32]; 129 u8 mackey[16]; 130 131 struct crypto_shash *tfm_cmac; 132 struct crypto_kpp *tfm_ecdh; 133 }; 134 135 /* These debug key values are defined in the SMP section of the core 136 * specification. debug_pk is the public debug key and debug_sk the 137 * private debug key. 138 */ 139 static const u8 debug_pk[64] = { 140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20, 144 145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74, 146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76, 147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63, 148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc, 149 }; 150 151 static const u8 debug_sk[32] = { 152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58, 153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a, 154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74, 155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f, 156 }; 157 158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len) 159 { 160 size_t i; 161 162 for (i = 0; i < len; i++) 163 dst[len - 1 - i] = src[i]; 164 } 165 166 /* The following functions map to the LE SC SMP crypto functions 167 * AES-CMAC, f4, f5, f6, g2 and h6. 168 */ 169 170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m, 171 size_t len, u8 mac[16]) 172 { 173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX]; 174 int err; 175 176 if (len > CMAC_MSG_MAX) 177 return -EFBIG; 178 179 if (!tfm) { 180 BT_ERR("tfm %p", tfm); 181 return -EINVAL; 182 } 183 184 /* Swap key and message from LSB to MSB */ 185 swap_buf(k, tmp, 16); 186 swap_buf(m, msg_msb, len); 187 188 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m); 189 SMP_DBG("key %16phN", k); 190 191 err = crypto_shash_setkey(tfm, tmp, 16); 192 if (err) { 193 BT_ERR("cipher setkey failed: %d", err); 194 return err; 195 } 196 197 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb); 198 if (err) { 199 BT_ERR("Hash computation error %d", err); 200 return err; 201 } 202 203 swap_buf(mac_msb, mac, 16); 204 205 SMP_DBG("mac %16phN", mac); 206 207 return 0; 208 } 209 210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32], 211 const u8 v[32], const u8 x[16], u8 z, u8 res[16]) 212 { 213 u8 m[65]; 214 int err; 215 216 SMP_DBG("u %32phN", u); 217 SMP_DBG("v %32phN", v); 218 SMP_DBG("x %16phN z %02x", x, z); 219 220 m[0] = z; 221 memcpy(m + 1, v, 32); 222 memcpy(m + 33, u, 32); 223 224 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res); 225 if (err) 226 return err; 227 228 SMP_DBG("res %16phN", res); 229 230 return err; 231 } 232 233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32], 234 const u8 n1[16], const u8 n2[16], const u8 a1[7], 235 const u8 a2[7], u8 mackey[16], u8 ltk[16]) 236 { 237 /* The btle, salt and length "magic" values are as defined in 238 * the SMP section of the Bluetooth core specification. In ASCII 239 * the btle value ends up being 'btle'. The salt is just a 240 * random number whereas length is the value 256 in little 241 * endian format. 242 */ 243 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 }; 244 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60, 245 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c }; 246 const u8 length[2] = { 0x00, 0x01 }; 247 u8 m[53], t[16]; 248 int err; 249 250 SMP_DBG("w %32phN", w); 251 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 252 SMP_DBG("a1 %7phN a2 %7phN", a1, a2); 253 254 err = aes_cmac(tfm_cmac, salt, w, 32, t); 255 if (err) 256 return err; 257 258 SMP_DBG("t %16phN", t); 259 260 memcpy(m, length, 2); 261 memcpy(m + 2, a2, 7); 262 memcpy(m + 9, a1, 7); 263 memcpy(m + 16, n2, 16); 264 memcpy(m + 32, n1, 16); 265 memcpy(m + 48, btle, 4); 266 267 m[52] = 0; /* Counter */ 268 269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey); 270 if (err) 271 return err; 272 273 SMP_DBG("mackey %16phN", mackey); 274 275 m[52] = 1; /* Counter */ 276 277 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk); 278 if (err) 279 return err; 280 281 SMP_DBG("ltk %16phN", ltk); 282 283 return 0; 284 } 285 286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16], 287 const u8 n1[16], const u8 n2[16], const u8 r[16], 288 const u8 io_cap[3], const u8 a1[7], const u8 a2[7], 289 u8 res[16]) 290 { 291 u8 m[65]; 292 int err; 293 294 SMP_DBG("w %16phN", w); 295 SMP_DBG("n1 %16phN n2 %16phN", n1, n2); 296 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2); 297 298 memcpy(m, a2, 7); 299 memcpy(m + 7, a1, 7); 300 memcpy(m + 14, io_cap, 3); 301 memcpy(m + 17, r, 16); 302 memcpy(m + 33, n2, 16); 303 memcpy(m + 49, n1, 16); 304 305 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res); 306 if (err) 307 return err; 308 309 SMP_DBG("res %16phN", res); 310 311 return err; 312 } 313 314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32], 315 const u8 x[16], const u8 y[16], u32 *val) 316 { 317 u8 m[80], tmp[16]; 318 int err; 319 320 SMP_DBG("u %32phN", u); 321 SMP_DBG("v %32phN", v); 322 SMP_DBG("x %16phN y %16phN", x, y); 323 324 memcpy(m, y, 16); 325 memcpy(m + 16, v, 32); 326 memcpy(m + 48, u, 32); 327 328 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp); 329 if (err) 330 return err; 331 332 *val = get_unaligned_le32(tmp); 333 *val %= 1000000; 334 335 SMP_DBG("val %06u", *val); 336 337 return 0; 338 } 339 340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16], 341 const u8 key_id[4], u8 res[16]) 342 { 343 int err; 344 345 SMP_DBG("w %16phN key_id %4phN", w, key_id); 346 347 err = aes_cmac(tfm_cmac, w, key_id, 4, res); 348 if (err) 349 return err; 350 351 SMP_DBG("res %16phN", res); 352 353 return err; 354 } 355 356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16], 357 const u8 salt[16], u8 res[16]) 358 { 359 int err; 360 361 SMP_DBG("w %16phN salt %16phN", w, salt); 362 363 err = aes_cmac(tfm_cmac, salt, w, 16, res); 364 if (err) 365 return err; 366 367 SMP_DBG("res %16phN", res); 368 369 return err; 370 } 371 372 /* The following functions map to the legacy SMP crypto functions e, c1, 373 * s1 and ah. 374 */ 375 376 static int smp_e(const u8 *k, u8 *r) 377 { 378 struct crypto_aes_ctx ctx; 379 uint8_t tmp[16], data[16]; 380 int err; 381 382 SMP_DBG("k %16phN r %16phN", k, r); 383 384 /* The most significant octet of key corresponds to k[0] */ 385 swap_buf(k, tmp, 16); 386 387 err = aes_expandkey(&ctx, tmp, 16); 388 if (err) { 389 BT_ERR("cipher setkey failed: %d", err); 390 return err; 391 } 392 393 /* Most significant octet of plaintextData corresponds to data[0] */ 394 swap_buf(r, data, 16); 395 396 aes_encrypt(&ctx, data, data); 397 398 /* Most significant octet of encryptedData corresponds to data[0] */ 399 swap_buf(data, r, 16); 400 401 SMP_DBG("r %16phN", r); 402 403 memzero_explicit(&ctx, sizeof(ctx)); 404 return err; 405 } 406 407 static int smp_c1(const u8 k[16], 408 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat, 409 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16]) 410 { 411 u8 p1[16], p2[16]; 412 int err; 413 414 SMP_DBG("k %16phN r %16phN", k, r); 415 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra); 416 SMP_DBG("preq %7phN pres %7phN", preq, pres); 417 418 memset(p1, 0, 16); 419 420 /* p1 = pres || preq || _rat || _iat */ 421 p1[0] = _iat; 422 p1[1] = _rat; 423 memcpy(p1 + 2, preq, 7); 424 memcpy(p1 + 9, pres, 7); 425 426 SMP_DBG("p1 %16phN", p1); 427 428 /* res = r XOR p1 */ 429 crypto_xor_cpy(res, r, p1, sizeof(p1)); 430 431 /* res = e(k, res) */ 432 err = smp_e(k, res); 433 if (err) { 434 BT_ERR("Encrypt data error"); 435 return err; 436 } 437 438 /* p2 = padding || ia || ra */ 439 memcpy(p2, ra, 6); 440 memcpy(p2 + 6, ia, 6); 441 memset(p2 + 12, 0, 4); 442 443 SMP_DBG("p2 %16phN", p2); 444 445 /* res = res XOR p2 */ 446 crypto_xor(res, p2, sizeof(p2)); 447 448 /* res = e(k, res) */ 449 err = smp_e(k, res); 450 if (err) 451 BT_ERR("Encrypt data error"); 452 453 return err; 454 } 455 456 static int smp_s1(const u8 k[16], 457 const u8 r1[16], const u8 r2[16], u8 _r[16]) 458 { 459 int err; 460 461 /* Just least significant octets from r1 and r2 are considered */ 462 memcpy(_r, r2, 8); 463 memcpy(_r + 8, r1, 8); 464 465 err = smp_e(k, _r); 466 if (err) 467 BT_ERR("Encrypt data error"); 468 469 return err; 470 } 471 472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3]) 473 { 474 u8 _res[16]; 475 int err; 476 477 /* r' = padding || r */ 478 memcpy(_res, r, 3); 479 memset(_res + 3, 0, 13); 480 481 err = smp_e(irk, _res); 482 if (err) { 483 BT_ERR("Encrypt error"); 484 return err; 485 } 486 487 /* The output of the random address function ah is: 488 * ah(k, r) = e(k, r') mod 2^24 489 * The output of the security function e is then truncated to 24 bits 490 * by taking the least significant 24 bits of the output of e as the 491 * result of ah. 492 */ 493 memcpy(res, _res, 3); 494 495 return 0; 496 } 497 498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16], 499 const bdaddr_t *bdaddr) 500 { 501 struct l2cap_chan *chan = hdev->smp_data; 502 u8 hash[3]; 503 int err; 504 505 if (!chan || !chan->data) 506 return false; 507 508 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk); 509 510 err = smp_ah(irk, &bdaddr->b[3], hash); 511 if (err) 512 return false; 513 514 return !crypto_memneq(bdaddr->b, hash, 3); 515 } 516 517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa) 518 { 519 struct l2cap_chan *chan = hdev->smp_data; 520 int err; 521 522 if (!chan || !chan->data) 523 return -EOPNOTSUPP; 524 525 get_random_bytes(&rpa->b[3], 3); 526 527 rpa->b[5] &= 0x3f; /* Clear two most significant bits */ 528 rpa->b[5] |= 0x40; /* Set second most significant bit */ 529 530 err = smp_ah(irk, &rpa->b[3], rpa->b); 531 if (err < 0) 532 return err; 533 534 bt_dev_dbg(hdev, "RPA %pMR", rpa); 535 536 return 0; 537 } 538 539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16]) 540 { 541 struct l2cap_chan *chan = hdev->smp_data; 542 struct smp_dev *smp; 543 int err; 544 545 if (!chan || !chan->data) 546 return -EOPNOTSUPP; 547 548 smp = chan->data; 549 550 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 551 bt_dev_dbg(hdev, "Using debug keys"); 552 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk); 553 if (err) 554 return err; 555 memcpy(smp->local_pk, debug_pk, 64); 556 smp->debug_key = true; 557 } else { 558 while (true) { 559 /* Generate key pair for Secure Connections */ 560 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk); 561 if (err) 562 return err; 563 564 /* This is unlikely, but we need to check that 565 * we didn't accidentally generate a debug key. 566 */ 567 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 568 break; 569 } 570 smp->debug_key = false; 571 } 572 573 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 574 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 575 576 get_random_bytes(smp->local_rand, 16); 577 578 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk, 579 smp->local_rand, 0, hash); 580 if (err < 0) 581 return err; 582 583 memcpy(rand, smp->local_rand, 16); 584 585 smp->local_oob = true; 586 587 return 0; 588 } 589 590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data) 591 { 592 struct l2cap_chan *chan = conn->smp; 593 struct smp_chan *smp; 594 struct kvec iv[2]; 595 struct msghdr msg; 596 597 if (!chan) 598 return; 599 600 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code); 601 602 iv[0].iov_base = &code; 603 iv[0].iov_len = 1; 604 605 iv[1].iov_base = data; 606 iv[1].iov_len = len; 607 608 memset(&msg, 0, sizeof(msg)); 609 610 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len); 611 612 l2cap_chan_send(chan, &msg, 1 + len); 613 614 if (!chan->data) 615 return; 616 617 smp = chan->data; 618 619 cancel_delayed_work_sync(&smp->security_timer); 620 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT); 621 } 622 623 static u8 authreq_to_seclevel(u8 authreq) 624 { 625 if (authreq & SMP_AUTH_MITM) { 626 if (authreq & SMP_AUTH_SC) 627 return BT_SECURITY_FIPS; 628 else 629 return BT_SECURITY_HIGH; 630 } else { 631 return BT_SECURITY_MEDIUM; 632 } 633 } 634 635 static __u8 seclevel_to_authreq(__u8 sec_level) 636 { 637 switch (sec_level) { 638 case BT_SECURITY_FIPS: 639 case BT_SECURITY_HIGH: 640 return SMP_AUTH_MITM | SMP_AUTH_BONDING; 641 case BT_SECURITY_MEDIUM: 642 return SMP_AUTH_BONDING; 643 default: 644 return SMP_AUTH_NONE; 645 } 646 } 647 648 static void build_pairing_cmd(struct l2cap_conn *conn, 649 struct smp_cmd_pairing *req, 650 struct smp_cmd_pairing *rsp, __u8 authreq) 651 { 652 struct l2cap_chan *chan = conn->smp; 653 struct smp_chan *smp = chan->data; 654 struct hci_conn *hcon = conn->hcon; 655 struct hci_dev *hdev = hcon->hdev; 656 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT; 657 658 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 659 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 660 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 661 authreq |= SMP_AUTH_BONDING; 662 } else { 663 authreq &= ~SMP_AUTH_BONDING; 664 } 665 666 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 667 remote_dist |= SMP_DIST_ID_KEY; 668 669 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 670 local_dist |= SMP_DIST_ID_KEY; 671 672 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) && 673 (authreq & SMP_AUTH_SC)) { 674 struct oob_data *oob_data; 675 u8 bdaddr_type; 676 677 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) { 678 local_dist |= SMP_DIST_LINK_KEY; 679 remote_dist |= SMP_DIST_LINK_KEY; 680 } 681 682 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC) 683 bdaddr_type = BDADDR_LE_PUBLIC; 684 else 685 bdaddr_type = BDADDR_LE_RANDOM; 686 687 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst, 688 bdaddr_type); 689 if (oob_data && oob_data->present) { 690 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags); 691 oob_flag = SMP_OOB_PRESENT; 692 memcpy(smp->rr, oob_data->rand256, 16); 693 memcpy(smp->pcnf, oob_data->hash256, 16); 694 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf); 695 SMP_DBG("OOB Remote Random: %16phN", smp->rr); 696 } 697 698 } else { 699 authreq &= ~SMP_AUTH_SC; 700 } 701 702 if (rsp == NULL) { 703 req->io_capability = conn->hcon->io_capability; 704 req->oob_flag = oob_flag; 705 req->max_key_size = hdev->le_max_key_size; 706 req->init_key_dist = local_dist; 707 req->resp_key_dist = remote_dist; 708 req->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 709 710 smp->remote_key_dist = remote_dist; 711 return; 712 } 713 714 rsp->io_capability = conn->hcon->io_capability; 715 rsp->oob_flag = oob_flag; 716 rsp->max_key_size = hdev->le_max_key_size; 717 rsp->init_key_dist = req->init_key_dist & remote_dist; 718 rsp->resp_key_dist = req->resp_key_dist & local_dist; 719 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev)); 720 721 smp->remote_key_dist = rsp->init_key_dist; 722 } 723 724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size) 725 { 726 struct l2cap_chan *chan = conn->smp; 727 struct hci_dev *hdev = conn->hcon->hdev; 728 struct smp_chan *smp = chan->data; 729 730 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS && 731 max_key_size != SMP_MAX_ENC_KEY_SIZE) 732 return SMP_ENC_KEY_SIZE; 733 734 if (max_key_size > hdev->le_max_key_size || 735 max_key_size < SMP_MIN_ENC_KEY_SIZE) 736 return SMP_ENC_KEY_SIZE; 737 738 smp->enc_key_size = max_key_size; 739 740 return 0; 741 } 742 743 static void smp_chan_destroy(struct l2cap_conn *conn) 744 { 745 struct l2cap_chan *chan = conn->smp; 746 struct smp_chan *smp = chan->data; 747 struct hci_conn *hcon = conn->hcon; 748 bool complete; 749 750 BUG_ON(!smp); 751 752 cancel_delayed_work_sync(&smp->security_timer); 753 754 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags); 755 mgmt_smp_complete(hcon, complete); 756 757 kfree_sensitive(smp->csrk); 758 kfree_sensitive(smp->responder_csrk); 759 kfree_sensitive(smp->link_key); 760 761 crypto_free_shash(smp->tfm_cmac); 762 crypto_free_kpp(smp->tfm_ecdh); 763 764 /* Ensure that we don't leave any debug key around if debug key 765 * support hasn't been explicitly enabled. 766 */ 767 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG && 768 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) { 769 list_del_rcu(&smp->ltk->list); 770 kfree_rcu(smp->ltk, rcu); 771 smp->ltk = NULL; 772 } 773 774 /* If pairing failed clean up any keys we might have */ 775 if (!complete) { 776 if (smp->ltk) { 777 list_del_rcu(&smp->ltk->list); 778 kfree_rcu(smp->ltk, rcu); 779 } 780 781 if (smp->responder_ltk) { 782 list_del_rcu(&smp->responder_ltk->list); 783 kfree_rcu(smp->responder_ltk, rcu); 784 } 785 786 if (smp->remote_irk) { 787 list_del_rcu(&smp->remote_irk->list); 788 kfree_rcu(smp->remote_irk, rcu); 789 } 790 } 791 792 chan->data = NULL; 793 kfree_sensitive(smp); 794 hci_conn_drop(hcon); 795 } 796 797 static void smp_failure(struct l2cap_conn *conn, u8 reason) 798 { 799 struct hci_conn *hcon = conn->hcon; 800 struct l2cap_chan *chan = conn->smp; 801 802 if (reason) 803 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason), 804 &reason); 805 806 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE); 807 808 if (chan->data) 809 smp_chan_destroy(conn); 810 } 811 812 #define JUST_WORKS 0x00 813 #define JUST_CFM 0x01 814 #define REQ_PASSKEY 0x02 815 #define CFM_PASSKEY 0x03 816 #define REQ_OOB 0x04 817 #define DSP_PASSKEY 0x05 818 #define OVERLAP 0xFF 819 820 static const u8 gen_method[5][5] = { 821 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 822 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 824 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 825 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP }, 826 }; 827 828 static const u8 sc_method[5][5] = { 829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY }, 830 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 831 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY }, 832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM }, 833 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY }, 834 }; 835 836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io) 837 { 838 /* If either side has unknown io_caps, use JUST_CFM (which gets 839 * converted later to JUST_WORKS if we're initiators. 840 */ 841 if (local_io > SMP_IO_KEYBOARD_DISPLAY || 842 remote_io > SMP_IO_KEYBOARD_DISPLAY) 843 return JUST_CFM; 844 845 if (test_bit(SMP_FLAG_SC, &smp->flags)) 846 return sc_method[remote_io][local_io]; 847 848 return gen_method[remote_io][local_io]; 849 } 850 851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth, 852 u8 local_io, u8 remote_io) 853 { 854 struct hci_conn *hcon = conn->hcon; 855 struct l2cap_chan *chan = conn->smp; 856 struct smp_chan *smp = chan->data; 857 u32 passkey = 0; 858 int ret; 859 860 /* Initialize key for JUST WORKS */ 861 memset(smp->tk, 0, sizeof(smp->tk)); 862 clear_bit(SMP_FLAG_TK_VALID, &smp->flags); 863 864 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io, 865 remote_io); 866 867 /* If neither side wants MITM, either "just" confirm an incoming 868 * request or use just-works for outgoing ones. The JUST_CFM 869 * will be converted to JUST_WORKS if necessary later in this 870 * function. If either side has MITM look up the method from the 871 * table. 872 */ 873 if (!(auth & SMP_AUTH_MITM)) 874 smp->method = JUST_CFM; 875 else 876 smp->method = get_auth_method(smp, local_io, remote_io); 877 878 /* Don't confirm locally initiated pairing attempts */ 879 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, 880 &smp->flags)) 881 smp->method = JUST_WORKS; 882 883 /* Don't bother user space with no IO capabilities */ 884 if (smp->method == JUST_CFM && 885 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 886 smp->method = JUST_WORKS; 887 888 /* If Just Works, Continue with Zero TK and ask user-space for 889 * confirmation */ 890 if (smp->method == JUST_WORKS) { 891 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 892 hcon->type, 893 hcon->dst_type, 894 passkey, 1); 895 if (ret) 896 return ret; 897 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 898 return 0; 899 } 900 901 /* If this function is used for SC -> legacy fallback we 902 * can only recover the just-works case. 903 */ 904 if (test_bit(SMP_FLAG_SC, &smp->flags)) 905 return -EINVAL; 906 907 /* Not Just Works/Confirm results in MITM Authentication */ 908 if (smp->method != JUST_CFM) { 909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags); 910 if (hcon->pending_sec_level < BT_SECURITY_HIGH) 911 hcon->pending_sec_level = BT_SECURITY_HIGH; 912 } 913 914 /* If both devices have Keyboard-Display I/O, the initiator 915 * Confirms and the responder Enters the passkey. 916 */ 917 if (smp->method == OVERLAP) { 918 if (hcon->role == HCI_ROLE_MASTER) 919 smp->method = CFM_PASSKEY; 920 else 921 smp->method = REQ_PASSKEY; 922 } 923 924 /* Generate random passkey. */ 925 if (smp->method == CFM_PASSKEY) { 926 memset(smp->tk, 0, sizeof(smp->tk)); 927 get_random_bytes(&passkey, sizeof(passkey)); 928 passkey %= 1000000; 929 put_unaligned_le32(passkey, smp->tk); 930 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey); 931 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 932 } 933 934 if (smp->method == REQ_PASSKEY) 935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst, 936 hcon->type, hcon->dst_type); 937 else if (smp->method == JUST_CFM) 938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, 939 hcon->type, hcon->dst_type, 940 passkey, 1); 941 else 942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst, 943 hcon->type, hcon->dst_type, 944 passkey, 0); 945 946 return ret; 947 } 948 949 static u8 smp_confirm(struct smp_chan *smp) 950 { 951 struct l2cap_conn *conn = smp->conn; 952 struct smp_cmd_pairing_confirm cp; 953 int ret; 954 955 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 956 957 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp, 958 conn->hcon->init_addr_type, &conn->hcon->init_addr, 959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr, 960 cp.confirm_val); 961 if (ret) 962 return SMP_UNSPECIFIED; 963 964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 965 966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp); 967 968 if (conn->hcon->out) 969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 970 else 971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 972 973 return 0; 974 } 975 976 static u8 smp_random(struct smp_chan *smp) 977 { 978 struct l2cap_conn *conn = smp->conn; 979 struct hci_conn *hcon = conn->hcon; 980 u8 confirm[16]; 981 int ret; 982 983 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn, 984 conn->hcon->out ? "initiator" : "responder"); 985 986 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp, 987 hcon->init_addr_type, &hcon->init_addr, 988 hcon->resp_addr_type, &hcon->resp_addr, confirm); 989 if (ret) 990 return SMP_UNSPECIFIED; 991 992 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) { 993 bt_dev_err(hcon->hdev, "pairing failed " 994 "(confirmation values mismatch)"); 995 return SMP_CONFIRM_FAILED; 996 } 997 998 if (hcon->out) { 999 u8 stk[16]; 1000 __le64 rand = 0; 1001 __le16 ediv = 0; 1002 1003 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk); 1004 1005 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 1006 return SMP_UNSPECIFIED; 1007 1008 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size); 1009 hcon->enc_key_size = smp->enc_key_size; 1010 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 1011 } else { 1012 u8 stk[16], auth; 1013 __le64 rand = 0; 1014 __le16 ediv = 0; 1015 1016 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 1017 smp->prnd); 1018 1019 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk); 1020 1021 if (hcon->pending_sec_level == BT_SECURITY_HIGH) 1022 auth = 1; 1023 else 1024 auth = 0; 1025 1026 /* Even though there's no _RESPONDER suffix this is the 1027 * responder STK we're adding for later lookup (the initiator 1028 * STK never needs to be stored). 1029 */ 1030 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1031 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand); 1032 } 1033 1034 return 0; 1035 } 1036 1037 static void smp_notify_keys(struct l2cap_conn *conn) 1038 { 1039 struct l2cap_chan *chan = conn->smp; 1040 struct smp_chan *smp = chan->data; 1041 struct hci_conn *hcon = conn->hcon; 1042 struct hci_dev *hdev = hcon->hdev; 1043 struct smp_cmd_pairing *req = (void *) &smp->preq[1]; 1044 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1]; 1045 bool persistent; 1046 1047 if (hcon->type == ACL_LINK) { 1048 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION) 1049 persistent = false; 1050 else 1051 persistent = !test_bit(HCI_CONN_FLUSH_KEY, 1052 &hcon->flags); 1053 } else { 1054 /* The LTKs, IRKs and CSRKs should be persistent only if 1055 * both sides had the bonding bit set in their 1056 * authentication requests. 1057 */ 1058 persistent = !!((req->auth_req & rsp->auth_req) & 1059 SMP_AUTH_BONDING); 1060 } 1061 1062 if (smp->remote_irk) { 1063 smp->remote_irk->link_type = hcon->type; 1064 mgmt_new_irk(hdev, smp->remote_irk, persistent); 1065 1066 /* Now that user space can be considered to know the 1067 * identity address track the connection based on it 1068 * from now on (assuming this is an LE link). 1069 */ 1070 if (hcon->type == LE_LINK) { 1071 bacpy(&hcon->dst, &smp->remote_irk->bdaddr); 1072 hcon->dst_type = smp->remote_irk->addr_type; 1073 /* Use a short delay to make sure the new address is 1074 * propagated _before_ the channels. 1075 */ 1076 queue_delayed_work(hdev->workqueue, 1077 &conn->id_addr_timer, 1078 ID_ADDR_TIMEOUT); 1079 } 1080 } 1081 1082 if (smp->csrk) { 1083 smp->csrk->link_type = hcon->type; 1084 smp->csrk->bdaddr_type = hcon->dst_type; 1085 bacpy(&smp->csrk->bdaddr, &hcon->dst); 1086 mgmt_new_csrk(hdev, smp->csrk, persistent); 1087 } 1088 1089 if (smp->responder_csrk) { 1090 smp->responder_csrk->link_type = hcon->type; 1091 smp->responder_csrk->bdaddr_type = hcon->dst_type; 1092 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst); 1093 mgmt_new_csrk(hdev, smp->responder_csrk, persistent); 1094 } 1095 1096 if (smp->ltk) { 1097 smp->ltk->link_type = hcon->type; 1098 smp->ltk->bdaddr_type = hcon->dst_type; 1099 bacpy(&smp->ltk->bdaddr, &hcon->dst); 1100 mgmt_new_ltk(hdev, smp->ltk, persistent); 1101 } 1102 1103 if (smp->responder_ltk) { 1104 smp->responder_ltk->link_type = hcon->type; 1105 smp->responder_ltk->bdaddr_type = hcon->dst_type; 1106 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst); 1107 mgmt_new_ltk(hdev, smp->responder_ltk, persistent); 1108 } 1109 1110 if (smp->link_key) { 1111 struct link_key *key; 1112 u8 type; 1113 1114 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1115 type = HCI_LK_DEBUG_COMBINATION; 1116 else if (hcon->sec_level == BT_SECURITY_FIPS) 1117 type = HCI_LK_AUTH_COMBINATION_P256; 1118 else 1119 type = HCI_LK_UNAUTH_COMBINATION_P256; 1120 1121 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst, 1122 smp->link_key, type, 0, &persistent); 1123 if (key) { 1124 key->link_type = hcon->type; 1125 key->bdaddr_type = hcon->dst_type; 1126 mgmt_new_link_key(hdev, key, persistent); 1127 1128 /* Don't keep debug keys around if the relevant 1129 * flag is not set. 1130 */ 1131 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) && 1132 key->type == HCI_LK_DEBUG_COMBINATION) { 1133 list_del_rcu(&key->list); 1134 kfree_rcu(key, rcu); 1135 } 1136 } 1137 } 1138 } 1139 1140 static void sc_add_ltk(struct smp_chan *smp) 1141 { 1142 struct hci_conn *hcon = smp->conn->hcon; 1143 u8 key_type, auth; 1144 1145 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags)) 1146 key_type = SMP_LTK_P256_DEBUG; 1147 else 1148 key_type = SMP_LTK_P256; 1149 1150 if (hcon->pending_sec_level == BT_SECURITY_FIPS) 1151 auth = 1; 1152 else 1153 auth = 0; 1154 1155 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 1156 key_type, auth, smp->tk, smp->enc_key_size, 1157 0, 0); 1158 } 1159 1160 static void sc_generate_link_key(struct smp_chan *smp) 1161 { 1162 /* From core spec. Spells out in ASCII as 'lebr'. */ 1163 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c }; 1164 1165 smp->link_key = kzalloc(16, GFP_KERNEL); 1166 if (!smp->link_key) 1167 return; 1168 1169 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1170 /* SALT = 0x000000000000000000000000746D7031 */ 1171 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 }; 1172 1173 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) { 1174 kfree_sensitive(smp->link_key); 1175 smp->link_key = NULL; 1176 return; 1177 } 1178 } else { 1179 /* From core spec. Spells out in ASCII as 'tmp1'. */ 1180 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 }; 1181 1182 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) { 1183 kfree_sensitive(smp->link_key); 1184 smp->link_key = NULL; 1185 return; 1186 } 1187 } 1188 1189 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) { 1190 kfree_sensitive(smp->link_key); 1191 smp->link_key = NULL; 1192 return; 1193 } 1194 } 1195 1196 static void smp_allow_key_dist(struct smp_chan *smp) 1197 { 1198 /* Allow the first expected phase 3 PDU. The rest of the PDUs 1199 * will be allowed in each PDU handler to ensure we receive 1200 * them in the correct order. 1201 */ 1202 if (smp->remote_key_dist & SMP_DIST_ENC_KEY) 1203 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO); 1204 else if (smp->remote_key_dist & SMP_DIST_ID_KEY) 1205 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 1206 else if (smp->remote_key_dist & SMP_DIST_SIGN) 1207 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 1208 } 1209 1210 static void sc_generate_ltk(struct smp_chan *smp) 1211 { 1212 /* From core spec. Spells out in ASCII as 'brle'. */ 1213 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 }; 1214 struct hci_conn *hcon = smp->conn->hcon; 1215 struct hci_dev *hdev = hcon->hdev; 1216 struct link_key *key; 1217 1218 key = hci_find_link_key(hdev, &hcon->dst); 1219 if (!key) { 1220 bt_dev_err(hdev, "no Link Key found to generate LTK"); 1221 return; 1222 } 1223 1224 if (key->type == HCI_LK_DEBUG_COMBINATION) 1225 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1226 1227 if (test_bit(SMP_FLAG_CT2, &smp->flags)) { 1228 /* SALT = 0x000000000000000000000000746D7032 */ 1229 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 }; 1230 1231 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk)) 1232 return; 1233 } else { 1234 /* From core spec. Spells out in ASCII as 'tmp2'. */ 1235 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 }; 1236 1237 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk)) 1238 return; 1239 } 1240 1241 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk)) 1242 return; 1243 1244 sc_add_ltk(smp); 1245 } 1246 1247 static void smp_distribute_keys(struct smp_chan *smp) 1248 { 1249 struct smp_cmd_pairing *req, *rsp; 1250 struct l2cap_conn *conn = smp->conn; 1251 struct hci_conn *hcon = conn->hcon; 1252 struct hci_dev *hdev = hcon->hdev; 1253 __u8 *keydist; 1254 1255 bt_dev_dbg(hdev, "conn %p", conn); 1256 1257 rsp = (void *) &smp->prsp[1]; 1258 1259 /* The responder sends its keys first */ 1260 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) { 1261 smp_allow_key_dist(smp); 1262 return; 1263 } 1264 1265 req = (void *) &smp->preq[1]; 1266 1267 if (hcon->out) { 1268 keydist = &rsp->init_key_dist; 1269 *keydist &= req->init_key_dist; 1270 } else { 1271 keydist = &rsp->resp_key_dist; 1272 *keydist &= req->resp_key_dist; 1273 } 1274 1275 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1276 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY)) 1277 sc_generate_link_key(smp); 1278 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY)) 1279 sc_generate_ltk(smp); 1280 1281 /* Clear the keys which are generated but not distributed */ 1282 *keydist &= ~SMP_SC_NO_DIST; 1283 } 1284 1285 bt_dev_dbg(hdev, "keydist 0x%x", *keydist); 1286 1287 if (*keydist & SMP_DIST_ENC_KEY) { 1288 struct smp_cmd_encrypt_info enc; 1289 struct smp_cmd_initiator_ident ident; 1290 struct smp_ltk *ltk; 1291 u8 authenticated; 1292 __le16 ediv; 1293 __le64 rand; 1294 1295 /* Make sure we generate only the significant amount of 1296 * bytes based on the encryption key size, and set the rest 1297 * of the value to zeroes. 1298 */ 1299 get_random_bytes(enc.ltk, smp->enc_key_size); 1300 memset(enc.ltk + smp->enc_key_size, 0, 1301 sizeof(enc.ltk) - smp->enc_key_size); 1302 1303 get_random_bytes(&ediv, sizeof(ediv)); 1304 get_random_bytes(&rand, sizeof(rand)); 1305 1306 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc); 1307 1308 authenticated = hcon->sec_level == BT_SECURITY_HIGH; 1309 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, 1310 SMP_LTK_RESPONDER, authenticated, enc.ltk, 1311 smp->enc_key_size, ediv, rand); 1312 smp->responder_ltk = ltk; 1313 1314 ident.ediv = ediv; 1315 ident.rand = rand; 1316 1317 smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident), 1318 &ident); 1319 1320 *keydist &= ~SMP_DIST_ENC_KEY; 1321 } 1322 1323 if (*keydist & SMP_DIST_ID_KEY) { 1324 struct smp_cmd_ident_addr_info addrinfo; 1325 struct smp_cmd_ident_info idinfo; 1326 1327 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk)); 1328 1329 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo); 1330 1331 /* The hci_conn contains the local identity address 1332 * after the connection has been established. 1333 * 1334 * This is true even when the connection has been 1335 * established using a resolvable random address. 1336 */ 1337 bacpy(&addrinfo.bdaddr, &hcon->src); 1338 addrinfo.addr_type = hcon->src_type; 1339 1340 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo), 1341 &addrinfo); 1342 1343 *keydist &= ~SMP_DIST_ID_KEY; 1344 } 1345 1346 if (*keydist & SMP_DIST_SIGN) { 1347 struct smp_cmd_sign_info sign; 1348 struct smp_csrk *csrk; 1349 1350 /* Generate a new random key */ 1351 get_random_bytes(sign.csrk, sizeof(sign.csrk)); 1352 1353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 1354 if (csrk) { 1355 if (hcon->sec_level > BT_SECURITY_MEDIUM) 1356 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED; 1357 else 1358 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED; 1359 memcpy(csrk->val, sign.csrk, sizeof(csrk->val)); 1360 } 1361 smp->responder_csrk = csrk; 1362 1363 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign); 1364 1365 *keydist &= ~SMP_DIST_SIGN; 1366 } 1367 1368 /* If there are still keys to be received wait for them */ 1369 if (smp->remote_key_dist & KEY_DIST_MASK) { 1370 smp_allow_key_dist(smp); 1371 return; 1372 } 1373 1374 set_bit(SMP_FLAG_COMPLETE, &smp->flags); 1375 smp_notify_keys(conn); 1376 1377 smp_chan_destroy(conn); 1378 } 1379 1380 static void smp_timeout(struct work_struct *work) 1381 { 1382 struct smp_chan *smp = container_of(work, struct smp_chan, 1383 security_timer.work); 1384 struct l2cap_conn *conn = smp->conn; 1385 1386 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 1387 1388 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM); 1389 } 1390 1391 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn) 1392 { 1393 struct hci_conn *hcon = conn->hcon; 1394 struct l2cap_chan *chan = conn->smp; 1395 struct smp_chan *smp; 1396 1397 smp = kzalloc(sizeof(*smp), GFP_ATOMIC); 1398 if (!smp) 1399 return NULL; 1400 1401 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 1402 if (IS_ERR(smp->tfm_cmac)) { 1403 bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context"); 1404 goto zfree_smp; 1405 } 1406 1407 smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 1408 if (IS_ERR(smp->tfm_ecdh)) { 1409 bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context"); 1410 goto free_shash; 1411 } 1412 1413 smp->conn = conn; 1414 chan->data = smp; 1415 1416 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL); 1417 1418 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout); 1419 1420 hci_conn_hold(hcon); 1421 1422 return smp; 1423 1424 free_shash: 1425 crypto_free_shash(smp->tfm_cmac); 1426 zfree_smp: 1427 kfree_sensitive(smp); 1428 return NULL; 1429 } 1430 1431 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16]) 1432 { 1433 struct hci_conn *hcon = smp->conn->hcon; 1434 u8 *na, *nb, a[7], b[7]; 1435 1436 if (hcon->out) { 1437 na = smp->prnd; 1438 nb = smp->rrnd; 1439 } else { 1440 na = smp->rrnd; 1441 nb = smp->prnd; 1442 } 1443 1444 memcpy(a, &hcon->init_addr, 6); 1445 memcpy(b, &hcon->resp_addr, 6); 1446 a[6] = hcon->init_addr_type; 1447 b[6] = hcon->resp_addr_type; 1448 1449 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk); 1450 } 1451 1452 static void sc_dhkey_check(struct smp_chan *smp) 1453 { 1454 struct hci_conn *hcon = smp->conn->hcon; 1455 struct smp_cmd_dhkey_check check; 1456 u8 a[7], b[7], *local_addr, *remote_addr; 1457 u8 io_cap[3], r[16]; 1458 1459 memcpy(a, &hcon->init_addr, 6); 1460 memcpy(b, &hcon->resp_addr, 6); 1461 a[6] = hcon->init_addr_type; 1462 b[6] = hcon->resp_addr_type; 1463 1464 if (hcon->out) { 1465 local_addr = a; 1466 remote_addr = b; 1467 memcpy(io_cap, &smp->preq[1], 3); 1468 } else { 1469 local_addr = b; 1470 remote_addr = a; 1471 memcpy(io_cap, &smp->prsp[1], 3); 1472 } 1473 1474 memset(r, 0, sizeof(r)); 1475 1476 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 1477 put_unaligned_le32(hcon->passkey_notify, r); 1478 1479 if (smp->method == REQ_OOB) 1480 memcpy(r, smp->rr, 16); 1481 1482 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap, 1483 local_addr, remote_addr, check.e); 1484 1485 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check); 1486 } 1487 1488 static u8 sc_passkey_send_confirm(struct smp_chan *smp) 1489 { 1490 struct l2cap_conn *conn = smp->conn; 1491 struct hci_conn *hcon = conn->hcon; 1492 struct smp_cmd_pairing_confirm cfm; 1493 u8 r; 1494 1495 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1496 r |= 0x80; 1497 1498 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1499 1500 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r, 1501 cfm.confirm_val)) 1502 return SMP_UNSPECIFIED; 1503 1504 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 1505 1506 return 0; 1507 } 1508 1509 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op) 1510 { 1511 struct l2cap_conn *conn = smp->conn; 1512 struct hci_conn *hcon = conn->hcon; 1513 struct hci_dev *hdev = hcon->hdev; 1514 u8 cfm[16], r; 1515 1516 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */ 1517 if (smp->passkey_round >= 20) 1518 return 0; 1519 1520 switch (smp_op) { 1521 case SMP_CMD_PAIRING_RANDOM: 1522 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01); 1523 r |= 0x80; 1524 1525 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 1526 smp->rrnd, r, cfm)) 1527 return SMP_UNSPECIFIED; 1528 1529 if (crypto_memneq(smp->pcnf, cfm, 16)) 1530 return SMP_CONFIRM_FAILED; 1531 1532 smp->passkey_round++; 1533 1534 if (smp->passkey_round == 20) { 1535 /* Generate MacKey and LTK */ 1536 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk)) 1537 return SMP_UNSPECIFIED; 1538 } 1539 1540 /* The round is only complete when the initiator 1541 * receives pairing random. 1542 */ 1543 if (!hcon->out) { 1544 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1545 sizeof(smp->prnd), smp->prnd); 1546 if (smp->passkey_round == 20) 1547 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1548 else 1549 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1550 return 0; 1551 } 1552 1553 /* Start the next round */ 1554 if (smp->passkey_round != 20) 1555 return sc_passkey_round(smp, 0); 1556 1557 /* Passkey rounds are complete - start DHKey Check */ 1558 sc_dhkey_check(smp); 1559 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1560 1561 break; 1562 1563 case SMP_CMD_PAIRING_CONFIRM: 1564 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 1565 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 1566 return 0; 1567 } 1568 1569 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 1570 1571 if (hcon->out) { 1572 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 1573 sizeof(smp->prnd), smp->prnd); 1574 return 0; 1575 } 1576 1577 return sc_passkey_send_confirm(smp); 1578 1579 case SMP_CMD_PUBLIC_KEY: 1580 default: 1581 /* Initiating device starts the round */ 1582 if (!hcon->out) 1583 return 0; 1584 1585 bt_dev_dbg(hdev, "Starting passkey round %u", 1586 smp->passkey_round + 1); 1587 1588 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1589 1590 return sc_passkey_send_confirm(smp); 1591 } 1592 1593 return 0; 1594 } 1595 1596 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey) 1597 { 1598 struct l2cap_conn *conn = smp->conn; 1599 struct hci_conn *hcon = conn->hcon; 1600 u8 smp_op; 1601 1602 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags); 1603 1604 switch (mgmt_op) { 1605 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1606 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED); 1607 return 0; 1608 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1609 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED); 1610 return 0; 1611 case MGMT_OP_USER_PASSKEY_REPLY: 1612 hcon->passkey_notify = le32_to_cpu(passkey); 1613 smp->passkey_round = 0; 1614 1615 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) 1616 smp_op = SMP_CMD_PAIRING_CONFIRM; 1617 else 1618 smp_op = 0; 1619 1620 if (sc_passkey_round(smp, smp_op)) 1621 return -EIO; 1622 1623 return 0; 1624 } 1625 1626 /* Initiator sends DHKey check first */ 1627 if (hcon->out) { 1628 sc_dhkey_check(smp); 1629 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 1630 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) { 1631 sc_dhkey_check(smp); 1632 sc_add_ltk(smp); 1633 } 1634 1635 return 0; 1636 } 1637 1638 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey) 1639 { 1640 struct l2cap_conn *conn = hcon->l2cap_data; 1641 struct l2cap_chan *chan; 1642 struct smp_chan *smp; 1643 u32 value; 1644 int err; 1645 1646 if (!conn) 1647 return -ENOTCONN; 1648 1649 bt_dev_dbg(conn->hcon->hdev, ""); 1650 1651 chan = conn->smp; 1652 if (!chan) 1653 return -ENOTCONN; 1654 1655 l2cap_chan_lock(chan); 1656 if (!chan->data) { 1657 err = -ENOTCONN; 1658 goto unlock; 1659 } 1660 1661 smp = chan->data; 1662 1663 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1664 err = sc_user_reply(smp, mgmt_op, passkey); 1665 goto unlock; 1666 } 1667 1668 switch (mgmt_op) { 1669 case MGMT_OP_USER_PASSKEY_REPLY: 1670 value = le32_to_cpu(passkey); 1671 memset(smp->tk, 0, sizeof(smp->tk)); 1672 bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value); 1673 put_unaligned_le32(value, smp->tk); 1674 fallthrough; 1675 case MGMT_OP_USER_CONFIRM_REPLY: 1676 set_bit(SMP_FLAG_TK_VALID, &smp->flags); 1677 break; 1678 case MGMT_OP_USER_PASSKEY_NEG_REPLY: 1679 case MGMT_OP_USER_CONFIRM_NEG_REPLY: 1680 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1681 err = 0; 1682 goto unlock; 1683 default: 1684 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED); 1685 err = -EOPNOTSUPP; 1686 goto unlock; 1687 } 1688 1689 err = 0; 1690 1691 /* If it is our turn to send Pairing Confirm, do so now */ 1692 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) { 1693 u8 rsp = smp_confirm(smp); 1694 if (rsp) 1695 smp_failure(conn, rsp); 1696 } 1697 1698 unlock: 1699 l2cap_chan_unlock(chan); 1700 return err; 1701 } 1702 1703 static void build_bredr_pairing_cmd(struct smp_chan *smp, 1704 struct smp_cmd_pairing *req, 1705 struct smp_cmd_pairing *rsp) 1706 { 1707 struct l2cap_conn *conn = smp->conn; 1708 struct hci_dev *hdev = conn->hcon->hdev; 1709 u8 local_dist = 0, remote_dist = 0; 1710 1711 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) { 1712 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1713 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN; 1714 } 1715 1716 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING)) 1717 remote_dist |= SMP_DIST_ID_KEY; 1718 1719 if (hci_dev_test_flag(hdev, HCI_PRIVACY)) 1720 local_dist |= SMP_DIST_ID_KEY; 1721 1722 if (!rsp) { 1723 memset(req, 0, sizeof(*req)); 1724 1725 req->auth_req = SMP_AUTH_CT2; 1726 req->init_key_dist = local_dist; 1727 req->resp_key_dist = remote_dist; 1728 req->max_key_size = conn->hcon->enc_key_size; 1729 1730 smp->remote_key_dist = remote_dist; 1731 1732 return; 1733 } 1734 1735 memset(rsp, 0, sizeof(*rsp)); 1736 1737 rsp->auth_req = SMP_AUTH_CT2; 1738 rsp->max_key_size = conn->hcon->enc_key_size; 1739 rsp->init_key_dist = req->init_key_dist & remote_dist; 1740 rsp->resp_key_dist = req->resp_key_dist & local_dist; 1741 1742 smp->remote_key_dist = rsp->init_key_dist; 1743 } 1744 1745 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb) 1746 { 1747 struct smp_cmd_pairing rsp, *req = (void *) skb->data; 1748 struct l2cap_chan *chan = conn->smp; 1749 struct hci_dev *hdev = conn->hcon->hdev; 1750 struct smp_chan *smp; 1751 u8 key_size, auth, sec_level; 1752 int ret; 1753 1754 bt_dev_dbg(hdev, "conn %p", conn); 1755 1756 if (skb->len < sizeof(*req)) 1757 return SMP_INVALID_PARAMS; 1758 1759 if (conn->hcon->role != HCI_ROLE_SLAVE) 1760 return SMP_CMD_NOTSUPP; 1761 1762 if (!chan->data) 1763 smp = smp_chan_create(conn); 1764 else 1765 smp = chan->data; 1766 1767 if (!smp) 1768 return SMP_UNSPECIFIED; 1769 1770 /* We didn't start the pairing, so match remote */ 1771 auth = req->auth_req & AUTH_REQ_MASK(hdev); 1772 1773 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 1774 (auth & SMP_AUTH_BONDING)) 1775 return SMP_PAIRING_NOTSUPP; 1776 1777 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1778 return SMP_AUTH_REQUIREMENTS; 1779 1780 smp->preq[0] = SMP_CMD_PAIRING_REQ; 1781 memcpy(&smp->preq[1], req, sizeof(*req)); 1782 skb_pull(skb, sizeof(*req)); 1783 1784 /* If the remote side's OOB flag is set it means it has 1785 * successfully received our local OOB data - therefore set the 1786 * flag to indicate that local OOB is in use. 1787 */ 1788 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob) 1789 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1790 1791 /* SMP over BR/EDR requires special treatment */ 1792 if (conn->hcon->type == ACL_LINK) { 1793 /* We must have a BR/EDR SC link */ 1794 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) && 1795 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 1796 return SMP_CROSS_TRANSP_NOT_ALLOWED; 1797 1798 set_bit(SMP_FLAG_SC, &smp->flags); 1799 1800 build_bredr_pairing_cmd(smp, req, &rsp); 1801 1802 if (req->auth_req & SMP_AUTH_CT2) 1803 set_bit(SMP_FLAG_CT2, &smp->flags); 1804 1805 key_size = min(req->max_key_size, rsp.max_key_size); 1806 if (check_enc_key_size(conn, key_size)) 1807 return SMP_ENC_KEY_SIZE; 1808 1809 /* Clear bits which are generated but not distributed */ 1810 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1811 1812 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1813 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1814 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1815 1816 smp_distribute_keys(smp); 1817 return 0; 1818 } 1819 1820 build_pairing_cmd(conn, req, &rsp, auth); 1821 1822 if (rsp.auth_req & SMP_AUTH_SC) { 1823 set_bit(SMP_FLAG_SC, &smp->flags); 1824 1825 if (rsp.auth_req & SMP_AUTH_CT2) 1826 set_bit(SMP_FLAG_CT2, &smp->flags); 1827 } 1828 1829 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 1830 sec_level = BT_SECURITY_MEDIUM; 1831 else 1832 sec_level = authreq_to_seclevel(auth); 1833 1834 if (sec_level > conn->hcon->pending_sec_level) 1835 conn->hcon->pending_sec_level = sec_level; 1836 1837 /* If we need MITM check that it can be achieved */ 1838 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1839 u8 method; 1840 1841 method = get_auth_method(smp, conn->hcon->io_capability, 1842 req->io_capability); 1843 if (method == JUST_WORKS || method == JUST_CFM) 1844 return SMP_AUTH_REQUIREMENTS; 1845 } 1846 1847 key_size = min(req->max_key_size, rsp.max_key_size); 1848 if (check_enc_key_size(conn, key_size)) 1849 return SMP_ENC_KEY_SIZE; 1850 1851 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 1852 1853 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1854 memcpy(&smp->prsp[1], &rsp, sizeof(rsp)); 1855 1856 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp); 1857 1858 clear_bit(SMP_FLAG_INITIATOR, &smp->flags); 1859 1860 /* Strictly speaking we shouldn't allow Pairing Confirm for the 1861 * SC case, however some implementations incorrectly copy RFU auth 1862 * req bits from our security request, which may create a false 1863 * positive SC enablement. 1864 */ 1865 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 1866 1867 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 1868 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 1869 /* Clear bits which are generated but not distributed */ 1870 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1871 /* Wait for Public Key from Initiating Device */ 1872 return 0; 1873 } 1874 1875 /* Request setup of TK */ 1876 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability); 1877 if (ret) 1878 return SMP_UNSPECIFIED; 1879 1880 return 0; 1881 } 1882 1883 static u8 sc_send_public_key(struct smp_chan *smp) 1884 { 1885 struct hci_dev *hdev = smp->conn->hcon->hdev; 1886 1887 bt_dev_dbg(hdev, ""); 1888 1889 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 1890 struct l2cap_chan *chan = hdev->smp_data; 1891 struct smp_dev *smp_dev; 1892 1893 if (!chan || !chan->data) 1894 return SMP_UNSPECIFIED; 1895 1896 smp_dev = chan->data; 1897 1898 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1899 memcpy(smp->lr, smp_dev->local_rand, 16); 1900 1901 if (smp_dev->debug_key) 1902 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1903 1904 goto done; 1905 } 1906 1907 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1908 bt_dev_dbg(hdev, "Using debug keys"); 1909 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk)) 1910 return SMP_UNSPECIFIED; 1911 memcpy(smp->local_pk, debug_pk, 64); 1912 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1913 } else { 1914 while (true) { 1915 /* Generate key pair for Secure Connections */ 1916 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk)) 1917 return SMP_UNSPECIFIED; 1918 1919 /* This is unlikely, but we need to check that 1920 * we didn't accidentally generate a debug key. 1921 */ 1922 if (crypto_memneq(smp->local_pk, debug_pk, 64)) 1923 break; 1924 } 1925 } 1926 1927 done: 1928 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1929 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1930 1931 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1932 1933 return 0; 1934 } 1935 1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb) 1937 { 1938 struct smp_cmd_pairing *req, *rsp = (void *) skb->data; 1939 struct l2cap_chan *chan = conn->smp; 1940 struct smp_chan *smp = chan->data; 1941 struct hci_dev *hdev = conn->hcon->hdev; 1942 u8 key_size, auth; 1943 int ret; 1944 1945 bt_dev_dbg(hdev, "conn %p", conn); 1946 1947 if (skb->len < sizeof(*rsp)) 1948 return SMP_INVALID_PARAMS; 1949 1950 if (conn->hcon->role != HCI_ROLE_MASTER) 1951 return SMP_CMD_NOTSUPP; 1952 1953 skb_pull(skb, sizeof(*rsp)); 1954 1955 req = (void *) &smp->preq[1]; 1956 1957 key_size = min(req->max_key_size, rsp->max_key_size); 1958 if (check_enc_key_size(conn, key_size)) 1959 return SMP_ENC_KEY_SIZE; 1960 1961 auth = rsp->auth_req & AUTH_REQ_MASK(hdev); 1962 1963 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 1964 return SMP_AUTH_REQUIREMENTS; 1965 1966 /* If the remote side's OOB flag is set it means it has 1967 * successfully received our local OOB data - therefore set the 1968 * flag to indicate that local OOB is in use. 1969 */ 1970 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob) 1971 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags); 1972 1973 smp->prsp[0] = SMP_CMD_PAIRING_RSP; 1974 memcpy(&smp->prsp[1], rsp, sizeof(*rsp)); 1975 1976 /* Update remote key distribution in case the remote cleared 1977 * some bits that we had enabled in our request. 1978 */ 1979 smp->remote_key_dist &= rsp->resp_key_dist; 1980 1981 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2)) 1982 set_bit(SMP_FLAG_CT2, &smp->flags); 1983 1984 /* For BR/EDR this means we're done and can start phase 3 */ 1985 if (conn->hcon->type == ACL_LINK) { 1986 /* Clear bits which are generated but not distributed */ 1987 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 1988 smp_distribute_keys(smp); 1989 return 0; 1990 } 1991 1992 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC)) 1993 set_bit(SMP_FLAG_SC, &smp->flags); 1994 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH) 1995 conn->hcon->pending_sec_level = BT_SECURITY_HIGH; 1996 1997 /* If we need MITM check that it can be achieved */ 1998 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) { 1999 u8 method; 2000 2001 method = get_auth_method(smp, req->io_capability, 2002 rsp->io_capability); 2003 if (method == JUST_WORKS || method == JUST_CFM) 2004 return SMP_AUTH_REQUIREMENTS; 2005 } 2006 2007 get_random_bytes(smp->prnd, sizeof(smp->prnd)); 2008 2009 /* Update remote key distribution in case the remote cleared 2010 * some bits that we had enabled in our request. 2011 */ 2012 smp->remote_key_dist &= rsp->resp_key_dist; 2013 2014 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2015 /* Clear bits which are generated but not distributed */ 2016 smp->remote_key_dist &= ~SMP_SC_NO_DIST; 2017 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY); 2018 return sc_send_public_key(smp); 2019 } 2020 2021 auth |= req->auth_req; 2022 2023 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability); 2024 if (ret) 2025 return SMP_UNSPECIFIED; 2026 2027 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2028 2029 /* Can't compose response until we have been confirmed */ 2030 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2031 return smp_confirm(smp); 2032 2033 return 0; 2034 } 2035 2036 static u8 sc_check_confirm(struct smp_chan *smp) 2037 { 2038 struct l2cap_conn *conn = smp->conn; 2039 2040 bt_dev_dbg(conn->hcon->hdev, ""); 2041 2042 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2043 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM); 2044 2045 if (conn->hcon->out) { 2046 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2047 smp->prnd); 2048 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2049 } 2050 2051 return 0; 2052 } 2053 2054 /* Work-around for some implementations that incorrectly copy RFU bits 2055 * from our security request and thereby create the impression that 2056 * we're doing SC when in fact the remote doesn't support it. 2057 */ 2058 static int fixup_sc_false_positive(struct smp_chan *smp) 2059 { 2060 struct l2cap_conn *conn = smp->conn; 2061 struct hci_conn *hcon = conn->hcon; 2062 struct hci_dev *hdev = hcon->hdev; 2063 struct smp_cmd_pairing *req, *rsp; 2064 u8 auth; 2065 2066 /* The issue is only observed when we're in responder role */ 2067 if (hcon->out) 2068 return SMP_UNSPECIFIED; 2069 2070 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) { 2071 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode"); 2072 return SMP_UNSPECIFIED; 2073 } 2074 2075 bt_dev_err(hdev, "trying to fall back to legacy SMP"); 2076 2077 req = (void *) &smp->preq[1]; 2078 rsp = (void *) &smp->prsp[1]; 2079 2080 /* Rebuild key dist flags which may have been cleared for SC */ 2081 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist); 2082 2083 auth = req->auth_req & AUTH_REQ_MASK(hdev); 2084 2085 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) { 2086 bt_dev_err(hdev, "failed to fall back to legacy SMP"); 2087 return SMP_UNSPECIFIED; 2088 } 2089 2090 clear_bit(SMP_FLAG_SC, &smp->flags); 2091 2092 return 0; 2093 } 2094 2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb) 2096 { 2097 struct l2cap_chan *chan = conn->smp; 2098 struct smp_chan *smp = chan->data; 2099 struct hci_conn *hcon = conn->hcon; 2100 struct hci_dev *hdev = hcon->hdev; 2101 2102 bt_dev_dbg(hdev, "conn %p %s", conn, 2103 hcon->out ? "initiator" : "responder"); 2104 2105 if (skb->len < sizeof(smp->pcnf)) 2106 return SMP_INVALID_PARAMS; 2107 2108 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf)); 2109 skb_pull(skb, sizeof(smp->pcnf)); 2110 2111 if (test_bit(SMP_FLAG_SC, &smp->flags)) { 2112 int ret; 2113 2114 /* Public Key exchange must happen before any other steps */ 2115 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags)) 2116 return sc_check_confirm(smp); 2117 2118 bt_dev_err(hdev, "Unexpected SMP Pairing Confirm"); 2119 2120 ret = fixup_sc_false_positive(smp); 2121 if (ret) 2122 return ret; 2123 } 2124 2125 if (conn->hcon->out) { 2126 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2127 smp->prnd); 2128 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2129 return 0; 2130 } 2131 2132 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags)) 2133 return smp_confirm(smp); 2134 2135 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags); 2136 2137 return 0; 2138 } 2139 2140 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb) 2141 { 2142 struct l2cap_chan *chan = conn->smp; 2143 struct smp_chan *smp = chan->data; 2144 struct hci_conn *hcon = conn->hcon; 2145 u8 *pkax, *pkbx, *na, *nb, confirm_hint; 2146 u32 passkey; 2147 int err; 2148 2149 bt_dev_dbg(hcon->hdev, "conn %p", conn); 2150 2151 if (skb->len < sizeof(smp->rrnd)) 2152 return SMP_INVALID_PARAMS; 2153 2154 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd)); 2155 skb_pull(skb, sizeof(smp->rrnd)); 2156 2157 if (!test_bit(SMP_FLAG_SC, &smp->flags)) 2158 return smp_random(smp); 2159 2160 if (hcon->out) { 2161 pkax = smp->local_pk; 2162 pkbx = smp->remote_pk; 2163 na = smp->prnd; 2164 nb = smp->rrnd; 2165 } else { 2166 pkax = smp->remote_pk; 2167 pkbx = smp->local_pk; 2168 na = smp->rrnd; 2169 nb = smp->prnd; 2170 } 2171 2172 if (smp->method == REQ_OOB) { 2173 if (!hcon->out) 2174 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2175 sizeof(smp->prnd), smp->prnd); 2176 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2177 goto mackey_and_ltk; 2178 } 2179 2180 /* Passkey entry has special treatment */ 2181 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2182 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM); 2183 2184 if (hcon->out) { 2185 u8 cfm[16]; 2186 2187 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk, 2188 smp->rrnd, 0, cfm); 2189 if (err) 2190 return SMP_UNSPECIFIED; 2191 2192 if (crypto_memneq(smp->pcnf, cfm, 16)) 2193 return SMP_CONFIRM_FAILED; 2194 } else { 2195 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd), 2196 smp->prnd); 2197 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2198 2199 /* Only Just-Works pairing requires extra checks */ 2200 if (smp->method != JUST_WORKS) 2201 goto mackey_and_ltk; 2202 2203 /* If there already exists long term key in local host, leave 2204 * the decision to user space since the remote device could 2205 * be legitimate or malicious. 2206 */ 2207 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, 2208 hcon->role)) { 2209 /* Set passkey to 0. The value can be any number since 2210 * it'll be ignored anyway. 2211 */ 2212 passkey = 0; 2213 confirm_hint = 1; 2214 goto confirm; 2215 } 2216 } 2217 2218 mackey_and_ltk: 2219 /* Generate MacKey and LTK */ 2220 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk); 2221 if (err) 2222 return SMP_UNSPECIFIED; 2223 2224 if (smp->method == REQ_OOB) { 2225 if (hcon->out) { 2226 sc_dhkey_check(smp); 2227 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK); 2228 } 2229 return 0; 2230 } 2231 2232 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey); 2233 if (err) 2234 return SMP_UNSPECIFIED; 2235 2236 confirm_hint = 0; 2237 2238 confirm: 2239 if (smp->method == JUST_WORKS) 2240 confirm_hint = 1; 2241 2242 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type, 2243 hcon->dst_type, passkey, confirm_hint); 2244 if (err) 2245 return SMP_UNSPECIFIED; 2246 2247 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2248 2249 return 0; 2250 } 2251 2252 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level) 2253 { 2254 struct smp_ltk *key; 2255 struct hci_conn *hcon = conn->hcon; 2256 2257 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role); 2258 if (!key) 2259 return false; 2260 2261 if (smp_ltk_sec_level(key) < sec_level) 2262 return false; 2263 2264 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags)) 2265 return true; 2266 2267 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size); 2268 hcon->enc_key_size = key->enc_size; 2269 2270 /* We never store STKs for initiator role, so clear this flag */ 2271 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags); 2272 2273 return true; 2274 } 2275 2276 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level, 2277 enum smp_key_pref key_pref) 2278 { 2279 if (sec_level == BT_SECURITY_LOW) 2280 return true; 2281 2282 /* If we're encrypted with an STK but the caller prefers using 2283 * LTK claim insufficient security. This way we allow the 2284 * connection to be re-encrypted with an LTK, even if the LTK 2285 * provides the same level of security. Only exception is if we 2286 * don't have an LTK (e.g. because of key distribution bits). 2287 */ 2288 if (key_pref == SMP_USE_LTK && 2289 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) && 2290 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role)) 2291 return false; 2292 2293 if (hcon->sec_level >= sec_level) 2294 return true; 2295 2296 return false; 2297 } 2298 2299 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb) 2300 { 2301 struct smp_cmd_security_req *rp = (void *) skb->data; 2302 struct smp_cmd_pairing cp; 2303 struct hci_conn *hcon = conn->hcon; 2304 struct hci_dev *hdev = hcon->hdev; 2305 struct smp_chan *smp; 2306 u8 sec_level, auth; 2307 2308 bt_dev_dbg(hdev, "conn %p", conn); 2309 2310 if (skb->len < sizeof(*rp)) 2311 return SMP_INVALID_PARAMS; 2312 2313 if (hcon->role != HCI_ROLE_MASTER) 2314 return SMP_CMD_NOTSUPP; 2315 2316 auth = rp->auth_req & AUTH_REQ_MASK(hdev); 2317 2318 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC)) 2319 return SMP_AUTH_REQUIREMENTS; 2320 2321 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT) 2322 sec_level = BT_SECURITY_MEDIUM; 2323 else 2324 sec_level = authreq_to_seclevel(auth); 2325 2326 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) { 2327 /* If link is already encrypted with sufficient security we 2328 * still need refresh encryption as per Core Spec 5.0 Vol 3, 2329 * Part H 2.4.6 2330 */ 2331 smp_ltk_encrypt(conn, hcon->sec_level); 2332 return 0; 2333 } 2334 2335 if (sec_level > hcon->pending_sec_level) 2336 hcon->pending_sec_level = sec_level; 2337 2338 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2339 return 0; 2340 2341 smp = smp_chan_create(conn); 2342 if (!smp) 2343 return SMP_UNSPECIFIED; 2344 2345 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) && 2346 (auth & SMP_AUTH_BONDING)) 2347 return SMP_PAIRING_NOTSUPP; 2348 2349 skb_pull(skb, sizeof(*rp)); 2350 2351 memset(&cp, 0, sizeof(cp)); 2352 build_pairing_cmd(conn, &cp, NULL, auth); 2353 2354 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2355 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2356 2357 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2358 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2359 2360 return 0; 2361 } 2362 2363 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level) 2364 { 2365 struct l2cap_conn *conn = hcon->l2cap_data; 2366 struct l2cap_chan *chan; 2367 struct smp_chan *smp; 2368 __u8 authreq; 2369 int ret; 2370 2371 bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon, 2372 sec_level); 2373 2374 /* This may be NULL if there's an unexpected disconnection */ 2375 if (!conn) 2376 return 1; 2377 2378 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) 2379 return 1; 2380 2381 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) 2382 return 1; 2383 2384 if (sec_level > hcon->pending_sec_level) 2385 hcon->pending_sec_level = sec_level; 2386 2387 if (hcon->role == HCI_ROLE_MASTER) 2388 if (smp_ltk_encrypt(conn, hcon->pending_sec_level)) 2389 return 0; 2390 2391 chan = conn->smp; 2392 if (!chan) { 2393 bt_dev_err(hcon->hdev, "security requested but not available"); 2394 return 1; 2395 } 2396 2397 l2cap_chan_lock(chan); 2398 2399 /* If SMP is already in progress ignore this request */ 2400 if (chan->data) { 2401 ret = 0; 2402 goto unlock; 2403 } 2404 2405 smp = smp_chan_create(conn); 2406 if (!smp) { 2407 ret = 1; 2408 goto unlock; 2409 } 2410 2411 authreq = seclevel_to_authreq(sec_level); 2412 2413 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) { 2414 authreq |= SMP_AUTH_SC; 2415 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED)) 2416 authreq |= SMP_AUTH_CT2; 2417 } 2418 2419 /* Don't attempt to set MITM if setting is overridden by debugfs 2420 * Needed to pass certification test SM/MAS/PKE/BV-01-C 2421 */ 2422 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) { 2423 /* Require MITM if IO Capability allows or the security level 2424 * requires it. 2425 */ 2426 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT || 2427 hcon->pending_sec_level > BT_SECURITY_MEDIUM) 2428 authreq |= SMP_AUTH_MITM; 2429 } 2430 2431 if (hcon->role == HCI_ROLE_MASTER) { 2432 struct smp_cmd_pairing cp; 2433 2434 build_pairing_cmd(conn, &cp, NULL, authreq); 2435 smp->preq[0] = SMP_CMD_PAIRING_REQ; 2436 memcpy(&smp->preq[1], &cp, sizeof(cp)); 2437 2438 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp); 2439 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 2440 } else { 2441 struct smp_cmd_security_req cp; 2442 cp.auth_req = authreq; 2443 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp); 2444 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ); 2445 } 2446 2447 set_bit(SMP_FLAG_INITIATOR, &smp->flags); 2448 ret = 0; 2449 2450 unlock: 2451 l2cap_chan_unlock(chan); 2452 return ret; 2453 } 2454 2455 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr, 2456 u8 addr_type) 2457 { 2458 struct hci_conn *hcon; 2459 struct l2cap_conn *conn; 2460 struct l2cap_chan *chan; 2461 struct smp_chan *smp; 2462 int err; 2463 2464 err = hci_remove_ltk(hdev, bdaddr, addr_type); 2465 hci_remove_irk(hdev, bdaddr, addr_type); 2466 2467 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type); 2468 if (!hcon) 2469 goto done; 2470 2471 conn = hcon->l2cap_data; 2472 if (!conn) 2473 goto done; 2474 2475 chan = conn->smp; 2476 if (!chan) 2477 goto done; 2478 2479 l2cap_chan_lock(chan); 2480 2481 smp = chan->data; 2482 if (smp) { 2483 /* Set keys to NULL to make sure smp_failure() does not try to 2484 * remove and free already invalidated rcu list entries. */ 2485 smp->ltk = NULL; 2486 smp->responder_ltk = NULL; 2487 smp->remote_irk = NULL; 2488 2489 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags)) 2490 smp_failure(conn, 0); 2491 else 2492 smp_failure(conn, SMP_UNSPECIFIED); 2493 err = 0; 2494 } 2495 2496 l2cap_chan_unlock(chan); 2497 2498 done: 2499 return err; 2500 } 2501 2502 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb) 2503 { 2504 struct smp_cmd_encrypt_info *rp = (void *) skb->data; 2505 struct l2cap_chan *chan = conn->smp; 2506 struct smp_chan *smp = chan->data; 2507 2508 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 2509 2510 if (skb->len < sizeof(*rp)) 2511 return SMP_INVALID_PARAMS; 2512 2513 /* Pairing is aborted if any blocked keys are distributed */ 2514 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK, 2515 rp->ltk)) { 2516 bt_dev_warn_ratelimited(conn->hcon->hdev, 2517 "LTK blocked for %pMR", 2518 &conn->hcon->dst); 2519 return SMP_INVALID_PARAMS; 2520 } 2521 2522 SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT); 2523 2524 skb_pull(skb, sizeof(*rp)); 2525 2526 memcpy(smp->tk, rp->ltk, sizeof(smp->tk)); 2527 2528 return 0; 2529 } 2530 2531 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb) 2532 { 2533 struct smp_cmd_initiator_ident *rp = (void *)skb->data; 2534 struct l2cap_chan *chan = conn->smp; 2535 struct smp_chan *smp = chan->data; 2536 struct hci_dev *hdev = conn->hcon->hdev; 2537 struct hci_conn *hcon = conn->hcon; 2538 struct smp_ltk *ltk; 2539 u8 authenticated; 2540 2541 bt_dev_dbg(hdev, "conn %p", conn); 2542 2543 if (skb->len < sizeof(*rp)) 2544 return SMP_INVALID_PARAMS; 2545 2546 /* Mark the information as received */ 2547 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY; 2548 2549 if (smp->remote_key_dist & SMP_DIST_ID_KEY) 2550 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO); 2551 else if (smp->remote_key_dist & SMP_DIST_SIGN) 2552 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2553 2554 skb_pull(skb, sizeof(*rp)); 2555 2556 authenticated = (hcon->sec_level == BT_SECURITY_HIGH); 2557 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK, 2558 authenticated, smp->tk, smp->enc_key_size, 2559 rp->ediv, rp->rand); 2560 smp->ltk = ltk; 2561 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2562 smp_distribute_keys(smp); 2563 2564 return 0; 2565 } 2566 2567 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb) 2568 { 2569 struct smp_cmd_ident_info *info = (void *) skb->data; 2570 struct l2cap_chan *chan = conn->smp; 2571 struct smp_chan *smp = chan->data; 2572 2573 bt_dev_dbg(conn->hcon->hdev, ""); 2574 2575 if (skb->len < sizeof(*info)) 2576 return SMP_INVALID_PARAMS; 2577 2578 /* Pairing is aborted if any blocked keys are distributed */ 2579 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK, 2580 info->irk)) { 2581 bt_dev_warn_ratelimited(conn->hcon->hdev, 2582 "Identity key blocked for %pMR", 2583 &conn->hcon->dst); 2584 return SMP_INVALID_PARAMS; 2585 } 2586 2587 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO); 2588 2589 skb_pull(skb, sizeof(*info)); 2590 2591 memcpy(smp->irk, info->irk, 16); 2592 2593 return 0; 2594 } 2595 2596 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn, 2597 struct sk_buff *skb) 2598 { 2599 struct smp_cmd_ident_addr_info *info = (void *) skb->data; 2600 struct l2cap_chan *chan = conn->smp; 2601 struct smp_chan *smp = chan->data; 2602 struct hci_conn *hcon = conn->hcon; 2603 bdaddr_t rpa; 2604 2605 bt_dev_dbg(hcon->hdev, ""); 2606 2607 if (skb->len < sizeof(*info)) 2608 return SMP_INVALID_PARAMS; 2609 2610 /* Mark the information as received */ 2611 smp->remote_key_dist &= ~SMP_DIST_ID_KEY; 2612 2613 if (smp->remote_key_dist & SMP_DIST_SIGN) 2614 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO); 2615 2616 skb_pull(skb, sizeof(*info)); 2617 2618 /* Strictly speaking the Core Specification (4.1) allows sending 2619 * an empty address which would force us to rely on just the IRK 2620 * as "identity information". However, since such 2621 * implementations are not known of and in order to not over 2622 * complicate our implementation, simply pretend that we never 2623 * received an IRK for such a device. 2624 * 2625 * The Identity Address must also be a Static Random or Public 2626 * Address, which hci_is_identity_address() checks for. 2627 */ 2628 if (!bacmp(&info->bdaddr, BDADDR_ANY) || 2629 !hci_is_identity_address(&info->bdaddr, info->addr_type)) { 2630 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address"); 2631 goto distribute; 2632 } 2633 2634 /* Drop IRK if peer is using identity address during pairing but is 2635 * providing different address as identity information. 2636 * 2637 * Microsoft Surface Precision Mouse is known to have this bug. 2638 */ 2639 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) && 2640 (bacmp(&info->bdaddr, &hcon->dst) || 2641 info->addr_type != hcon->dst_type)) { 2642 bt_dev_err(hcon->hdev, 2643 "ignoring IRK with invalid identity address"); 2644 goto distribute; 2645 } 2646 2647 bacpy(&smp->id_addr, &info->bdaddr); 2648 smp->id_addr_type = info->addr_type; 2649 2650 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type)) 2651 bacpy(&rpa, &hcon->dst); 2652 else 2653 bacpy(&rpa, BDADDR_ANY); 2654 2655 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr, 2656 smp->id_addr_type, smp->irk, &rpa); 2657 2658 distribute: 2659 if (!(smp->remote_key_dist & KEY_DIST_MASK)) 2660 smp_distribute_keys(smp); 2661 2662 return 0; 2663 } 2664 2665 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb) 2666 { 2667 struct smp_cmd_sign_info *rp = (void *) skb->data; 2668 struct l2cap_chan *chan = conn->smp; 2669 struct smp_chan *smp = chan->data; 2670 struct smp_csrk *csrk; 2671 2672 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn); 2673 2674 if (skb->len < sizeof(*rp)) 2675 return SMP_INVALID_PARAMS; 2676 2677 /* Mark the information as received */ 2678 smp->remote_key_dist &= ~SMP_DIST_SIGN; 2679 2680 skb_pull(skb, sizeof(*rp)); 2681 2682 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL); 2683 if (csrk) { 2684 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM) 2685 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED; 2686 else 2687 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED; 2688 memcpy(csrk->val, rp->csrk, sizeof(csrk->val)); 2689 } 2690 smp->csrk = csrk; 2691 smp_distribute_keys(smp); 2692 2693 return 0; 2694 } 2695 2696 static u8 sc_select_method(struct smp_chan *smp) 2697 { 2698 struct l2cap_conn *conn = smp->conn; 2699 struct hci_conn *hcon = conn->hcon; 2700 struct smp_cmd_pairing *local, *remote; 2701 u8 local_mitm, remote_mitm, local_io, remote_io, method; 2702 2703 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) || 2704 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) 2705 return REQ_OOB; 2706 2707 /* The preq/prsp contain the raw Pairing Request/Response PDUs 2708 * which are needed as inputs to some crypto functions. To get 2709 * the "struct smp_cmd_pairing" from them we need to skip the 2710 * first byte which contains the opcode. 2711 */ 2712 if (hcon->out) { 2713 local = (void *) &smp->preq[1]; 2714 remote = (void *) &smp->prsp[1]; 2715 } else { 2716 local = (void *) &smp->prsp[1]; 2717 remote = (void *) &smp->preq[1]; 2718 } 2719 2720 local_io = local->io_capability; 2721 remote_io = remote->io_capability; 2722 2723 local_mitm = (local->auth_req & SMP_AUTH_MITM); 2724 remote_mitm = (remote->auth_req & SMP_AUTH_MITM); 2725 2726 /* If either side wants MITM, look up the method from the table, 2727 * otherwise use JUST WORKS. 2728 */ 2729 if (local_mitm || remote_mitm) 2730 method = get_auth_method(smp, local_io, remote_io); 2731 else 2732 method = JUST_WORKS; 2733 2734 /* Don't confirm locally initiated pairing attempts */ 2735 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags)) 2736 method = JUST_WORKS; 2737 2738 return method; 2739 } 2740 2741 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) 2742 { 2743 struct smp_cmd_public_key *key = (void *) skb->data; 2744 struct hci_conn *hcon = conn->hcon; 2745 struct l2cap_chan *chan = conn->smp; 2746 struct smp_chan *smp = chan->data; 2747 struct hci_dev *hdev = hcon->hdev; 2748 struct crypto_kpp *tfm_ecdh; 2749 struct smp_cmd_pairing_confirm cfm; 2750 int err; 2751 2752 bt_dev_dbg(hdev, "conn %p", conn); 2753 2754 if (skb->len < sizeof(*key)) 2755 return SMP_INVALID_PARAMS; 2756 2757 /* Check if remote and local public keys are the same and debug key is 2758 * not in use. 2759 */ 2760 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) && 2761 !crypto_memneq(key, smp->local_pk, 64)) { 2762 bt_dev_err(hdev, "Remote and local public keys are identical"); 2763 return SMP_UNSPECIFIED; 2764 } 2765 2766 memcpy(smp->remote_pk, key, 64); 2767 2768 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) { 2769 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk, 2770 smp->rr, 0, cfm.confirm_val); 2771 if (err) 2772 return SMP_UNSPECIFIED; 2773 2774 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16)) 2775 return SMP_CONFIRM_FAILED; 2776 } 2777 2778 /* Non-initiating device sends its public key after receiving 2779 * the key from the initiating device. 2780 */ 2781 if (!hcon->out) { 2782 err = sc_send_public_key(smp); 2783 if (err) 2784 return err; 2785 } 2786 2787 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2788 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2789 2790 /* Compute the shared secret on the same crypto tfm on which the private 2791 * key was set/generated. 2792 */ 2793 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 2794 struct l2cap_chan *hchan = hdev->smp_data; 2795 struct smp_dev *smp_dev; 2796 2797 if (!hchan || !hchan->data) 2798 return SMP_UNSPECIFIED; 2799 2800 smp_dev = hchan->data; 2801 2802 tfm_ecdh = smp_dev->tfm_ecdh; 2803 } else { 2804 tfm_ecdh = smp->tfm_ecdh; 2805 } 2806 2807 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey)) 2808 return SMP_UNSPECIFIED; 2809 2810 SMP_DBG("DHKey %32phN", smp->dhkey); 2811 2812 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags); 2813 2814 smp->method = sc_select_method(smp); 2815 2816 bt_dev_dbg(hdev, "selected method 0x%02x", smp->method); 2817 2818 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */ 2819 if (smp->method == JUST_WORKS || smp->method == JUST_CFM) 2820 hcon->pending_sec_level = BT_SECURITY_MEDIUM; 2821 else 2822 hcon->pending_sec_level = BT_SECURITY_FIPS; 2823 2824 if (!crypto_memneq(debug_pk, smp->remote_pk, 64)) 2825 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 2826 2827 if (smp->method == DSP_PASSKEY) { 2828 get_random_bytes(&hcon->passkey_notify, 2829 sizeof(hcon->passkey_notify)); 2830 hcon->passkey_notify %= 1000000; 2831 hcon->passkey_entered = 0; 2832 smp->passkey_round = 0; 2833 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type, 2834 hcon->dst_type, 2835 hcon->passkey_notify, 2836 hcon->passkey_entered)) 2837 return SMP_UNSPECIFIED; 2838 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2839 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY); 2840 } 2841 2842 if (smp->method == REQ_OOB) { 2843 if (hcon->out) 2844 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, 2845 sizeof(smp->prnd), smp->prnd); 2846 2847 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2848 2849 return 0; 2850 } 2851 2852 if (hcon->out) 2853 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2854 2855 if (smp->method == REQ_PASSKEY) { 2856 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type, 2857 hcon->dst_type)) 2858 return SMP_UNSPECIFIED; 2859 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM); 2860 set_bit(SMP_FLAG_WAIT_USER, &smp->flags); 2861 return 0; 2862 } 2863 2864 /* The Initiating device waits for the non-initiating device to 2865 * send the confirm value. 2866 */ 2867 if (conn->hcon->out) 2868 return 0; 2869 2870 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, 2871 0, cfm.confirm_val); 2872 if (err) 2873 return SMP_UNSPECIFIED; 2874 2875 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm); 2876 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM); 2877 2878 return 0; 2879 } 2880 2881 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb) 2882 { 2883 struct smp_cmd_dhkey_check *check = (void *) skb->data; 2884 struct l2cap_chan *chan = conn->smp; 2885 struct hci_conn *hcon = conn->hcon; 2886 struct smp_chan *smp = chan->data; 2887 u8 a[7], b[7], *local_addr, *remote_addr; 2888 u8 io_cap[3], r[16], e[16]; 2889 int err; 2890 2891 bt_dev_dbg(hcon->hdev, "conn %p", conn); 2892 2893 if (skb->len < sizeof(*check)) 2894 return SMP_INVALID_PARAMS; 2895 2896 memcpy(a, &hcon->init_addr, 6); 2897 memcpy(b, &hcon->resp_addr, 6); 2898 a[6] = hcon->init_addr_type; 2899 b[6] = hcon->resp_addr_type; 2900 2901 if (hcon->out) { 2902 local_addr = a; 2903 remote_addr = b; 2904 memcpy(io_cap, &smp->prsp[1], 3); 2905 } else { 2906 local_addr = b; 2907 remote_addr = a; 2908 memcpy(io_cap, &smp->preq[1], 3); 2909 } 2910 2911 memset(r, 0, sizeof(r)); 2912 2913 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY) 2914 put_unaligned_le32(hcon->passkey_notify, r); 2915 else if (smp->method == REQ_OOB) 2916 memcpy(r, smp->lr, 16); 2917 2918 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r, 2919 io_cap, remote_addr, local_addr, e); 2920 if (err) 2921 return SMP_UNSPECIFIED; 2922 2923 if (crypto_memneq(check->e, e, 16)) 2924 return SMP_DHKEY_CHECK_FAILED; 2925 2926 if (!hcon->out) { 2927 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) { 2928 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags); 2929 return 0; 2930 } 2931 2932 /* Responder sends DHKey check as response to initiator */ 2933 sc_dhkey_check(smp); 2934 } 2935 2936 sc_add_ltk(smp); 2937 2938 if (hcon->out) { 2939 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size); 2940 hcon->enc_key_size = smp->enc_key_size; 2941 } 2942 2943 return 0; 2944 } 2945 2946 static int smp_cmd_keypress_notify(struct l2cap_conn *conn, 2947 struct sk_buff *skb) 2948 { 2949 struct smp_cmd_keypress_notify *kp = (void *) skb->data; 2950 2951 bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value); 2952 2953 return 0; 2954 } 2955 2956 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb) 2957 { 2958 struct l2cap_conn *conn = chan->conn; 2959 struct hci_conn *hcon = conn->hcon; 2960 struct smp_chan *smp; 2961 __u8 code, reason; 2962 int err = 0; 2963 2964 if (skb->len < 1) 2965 return -EILSEQ; 2966 2967 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) { 2968 reason = SMP_PAIRING_NOTSUPP; 2969 goto done; 2970 } 2971 2972 code = skb->data[0]; 2973 skb_pull(skb, sizeof(code)); 2974 2975 smp = chan->data; 2976 2977 if (code > SMP_CMD_MAX) 2978 goto drop; 2979 2980 if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) 2981 goto drop; 2982 2983 /* If we don't have a context the only allowed commands are 2984 * pairing request and security request. 2985 */ 2986 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ) 2987 goto drop; 2988 2989 switch (code) { 2990 case SMP_CMD_PAIRING_REQ: 2991 reason = smp_cmd_pairing_req(conn, skb); 2992 break; 2993 2994 case SMP_CMD_PAIRING_FAIL: 2995 smp_failure(conn, 0); 2996 err = -EPERM; 2997 break; 2998 2999 case SMP_CMD_PAIRING_RSP: 3000 reason = smp_cmd_pairing_rsp(conn, skb); 3001 break; 3002 3003 case SMP_CMD_SECURITY_REQ: 3004 reason = smp_cmd_security_req(conn, skb); 3005 break; 3006 3007 case SMP_CMD_PAIRING_CONFIRM: 3008 reason = smp_cmd_pairing_confirm(conn, skb); 3009 break; 3010 3011 case SMP_CMD_PAIRING_RANDOM: 3012 reason = smp_cmd_pairing_random(conn, skb); 3013 break; 3014 3015 case SMP_CMD_ENCRYPT_INFO: 3016 reason = smp_cmd_encrypt_info(conn, skb); 3017 break; 3018 3019 case SMP_CMD_INITIATOR_IDENT: 3020 reason = smp_cmd_initiator_ident(conn, skb); 3021 break; 3022 3023 case SMP_CMD_IDENT_INFO: 3024 reason = smp_cmd_ident_info(conn, skb); 3025 break; 3026 3027 case SMP_CMD_IDENT_ADDR_INFO: 3028 reason = smp_cmd_ident_addr_info(conn, skb); 3029 break; 3030 3031 case SMP_CMD_SIGN_INFO: 3032 reason = smp_cmd_sign_info(conn, skb); 3033 break; 3034 3035 case SMP_CMD_PUBLIC_KEY: 3036 reason = smp_cmd_public_key(conn, skb); 3037 break; 3038 3039 case SMP_CMD_DHKEY_CHECK: 3040 reason = smp_cmd_dhkey_check(conn, skb); 3041 break; 3042 3043 case SMP_CMD_KEYPRESS_NOTIFY: 3044 reason = smp_cmd_keypress_notify(conn, skb); 3045 break; 3046 3047 default: 3048 bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code); 3049 reason = SMP_CMD_NOTSUPP; 3050 goto done; 3051 } 3052 3053 done: 3054 if (!err) { 3055 if (reason) 3056 smp_failure(conn, reason); 3057 kfree_skb(skb); 3058 } 3059 3060 return err; 3061 3062 drop: 3063 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR", 3064 code, &hcon->dst); 3065 kfree_skb(skb); 3066 return 0; 3067 } 3068 3069 static void smp_teardown_cb(struct l2cap_chan *chan, int err) 3070 { 3071 struct l2cap_conn *conn = chan->conn; 3072 3073 bt_dev_dbg(conn->hcon->hdev, "chan %p", chan); 3074 3075 if (chan->data) 3076 smp_chan_destroy(conn); 3077 3078 conn->smp = NULL; 3079 l2cap_chan_put(chan); 3080 } 3081 3082 static void bredr_pairing(struct l2cap_chan *chan) 3083 { 3084 struct l2cap_conn *conn = chan->conn; 3085 struct hci_conn *hcon = conn->hcon; 3086 struct hci_dev *hdev = hcon->hdev; 3087 struct smp_cmd_pairing req; 3088 struct smp_chan *smp; 3089 3090 bt_dev_dbg(hdev, "chan %p", chan); 3091 3092 /* Only new pairings are interesting */ 3093 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags)) 3094 return; 3095 3096 /* Don't bother if we're not encrypted */ 3097 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3098 return; 3099 3100 /* Only initiator may initiate SMP over BR/EDR */ 3101 if (hcon->role != HCI_ROLE_MASTER) 3102 return; 3103 3104 /* Secure Connections support must be enabled */ 3105 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED)) 3106 return; 3107 3108 /* BR/EDR must use Secure Connections for SMP */ 3109 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) && 3110 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3111 return; 3112 3113 /* If our LE support is not enabled don't do anything */ 3114 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED)) 3115 return; 3116 3117 /* Don't bother if remote LE support is not enabled */ 3118 if (!lmp_host_le_capable(hcon)) 3119 return; 3120 3121 /* Remote must support SMP fixed chan for BR/EDR */ 3122 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR)) 3123 return; 3124 3125 /* Don't bother if SMP is already ongoing */ 3126 if (chan->data) 3127 return; 3128 3129 smp = smp_chan_create(conn); 3130 if (!smp) { 3131 bt_dev_err(hdev, "unable to create SMP context for BR/EDR"); 3132 return; 3133 } 3134 3135 set_bit(SMP_FLAG_SC, &smp->flags); 3136 3137 bt_dev_dbg(hdev, "starting SMP over BR/EDR"); 3138 3139 /* Prepare and send the BR/EDR SMP Pairing Request */ 3140 build_bredr_pairing_cmd(smp, &req, NULL); 3141 3142 smp->preq[0] = SMP_CMD_PAIRING_REQ; 3143 memcpy(&smp->preq[1], &req, sizeof(req)); 3144 3145 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req); 3146 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP); 3147 } 3148 3149 static void smp_resume_cb(struct l2cap_chan *chan) 3150 { 3151 struct smp_chan *smp = chan->data; 3152 struct l2cap_conn *conn = chan->conn; 3153 struct hci_conn *hcon = conn->hcon; 3154 3155 bt_dev_dbg(hcon->hdev, "chan %p", chan); 3156 3157 if (hcon->type == ACL_LINK) { 3158 bredr_pairing(chan); 3159 return; 3160 } 3161 3162 if (!smp) 3163 return; 3164 3165 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3166 return; 3167 3168 cancel_delayed_work(&smp->security_timer); 3169 3170 smp_distribute_keys(smp); 3171 } 3172 3173 static void smp_ready_cb(struct l2cap_chan *chan) 3174 { 3175 struct l2cap_conn *conn = chan->conn; 3176 struct hci_conn *hcon = conn->hcon; 3177 3178 bt_dev_dbg(hcon->hdev, "chan %p", chan); 3179 3180 /* No need to call l2cap_chan_hold() here since we already own 3181 * the reference taken in smp_new_conn_cb(). This is just the 3182 * first time that we tie it to a specific pointer. The code in 3183 * l2cap_core.c ensures that there's no risk this function wont 3184 * get called if smp_new_conn_cb was previously called. 3185 */ 3186 conn->smp = chan; 3187 3188 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags)) 3189 bredr_pairing(chan); 3190 } 3191 3192 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb) 3193 { 3194 int err; 3195 3196 bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan); 3197 3198 err = smp_sig_channel(chan, skb); 3199 if (err) { 3200 struct smp_chan *smp = chan->data; 3201 3202 if (smp) 3203 cancel_delayed_work_sync(&smp->security_timer); 3204 3205 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE); 3206 } 3207 3208 return err; 3209 } 3210 3211 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan, 3212 unsigned long hdr_len, 3213 unsigned long len, int nb) 3214 { 3215 struct sk_buff *skb; 3216 3217 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL); 3218 if (!skb) 3219 return ERR_PTR(-ENOMEM); 3220 3221 skb->priority = HCI_PRIO_MAX; 3222 bt_cb(skb)->l2cap.chan = chan; 3223 3224 return skb; 3225 } 3226 3227 static const struct l2cap_ops smp_chan_ops = { 3228 .name = "Security Manager", 3229 .ready = smp_ready_cb, 3230 .recv = smp_recv_cb, 3231 .alloc_skb = smp_alloc_skb_cb, 3232 .teardown = smp_teardown_cb, 3233 .resume = smp_resume_cb, 3234 3235 .new_connection = l2cap_chan_no_new_connection, 3236 .state_change = l2cap_chan_no_state_change, 3237 .close = l2cap_chan_no_close, 3238 .defer = l2cap_chan_no_defer, 3239 .suspend = l2cap_chan_no_suspend, 3240 .set_shutdown = l2cap_chan_no_set_shutdown, 3241 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3242 }; 3243 3244 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan) 3245 { 3246 struct l2cap_chan *chan; 3247 3248 BT_DBG("pchan %p", pchan); 3249 3250 chan = l2cap_chan_create(); 3251 if (!chan) 3252 return NULL; 3253 3254 chan->chan_type = pchan->chan_type; 3255 chan->ops = &smp_chan_ops; 3256 chan->scid = pchan->scid; 3257 chan->dcid = chan->scid; 3258 chan->imtu = pchan->imtu; 3259 chan->omtu = pchan->omtu; 3260 chan->mode = pchan->mode; 3261 3262 /* Other L2CAP channels may request SMP routines in order to 3263 * change the security level. This means that the SMP channel 3264 * lock must be considered in its own category to avoid lockdep 3265 * warnings. 3266 */ 3267 atomic_set(&chan->nesting, L2CAP_NESTING_SMP); 3268 3269 BT_DBG("created chan %p", chan); 3270 3271 return chan; 3272 } 3273 3274 static const struct l2cap_ops smp_root_chan_ops = { 3275 .name = "Security Manager Root", 3276 .new_connection = smp_new_conn_cb, 3277 3278 /* None of these are implemented for the root channel */ 3279 .close = l2cap_chan_no_close, 3280 .alloc_skb = l2cap_chan_no_alloc_skb, 3281 .recv = l2cap_chan_no_recv, 3282 .state_change = l2cap_chan_no_state_change, 3283 .teardown = l2cap_chan_no_teardown, 3284 .ready = l2cap_chan_no_ready, 3285 .defer = l2cap_chan_no_defer, 3286 .suspend = l2cap_chan_no_suspend, 3287 .resume = l2cap_chan_no_resume, 3288 .set_shutdown = l2cap_chan_no_set_shutdown, 3289 .get_sndtimeo = l2cap_chan_no_get_sndtimeo, 3290 }; 3291 3292 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid) 3293 { 3294 struct l2cap_chan *chan; 3295 struct smp_dev *smp; 3296 struct crypto_shash *tfm_cmac; 3297 struct crypto_kpp *tfm_ecdh; 3298 3299 if (cid == L2CAP_CID_SMP_BREDR) { 3300 smp = NULL; 3301 goto create_chan; 3302 } 3303 3304 smp = kzalloc(sizeof(*smp), GFP_KERNEL); 3305 if (!smp) 3306 return ERR_PTR(-ENOMEM); 3307 3308 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3309 if (IS_ERR(tfm_cmac)) { 3310 bt_dev_err(hdev, "Unable to create CMAC crypto context"); 3311 kfree_sensitive(smp); 3312 return ERR_CAST(tfm_cmac); 3313 } 3314 3315 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 3316 if (IS_ERR(tfm_ecdh)) { 3317 bt_dev_err(hdev, "Unable to create ECDH crypto context"); 3318 crypto_free_shash(tfm_cmac); 3319 kfree_sensitive(smp); 3320 return ERR_CAST(tfm_ecdh); 3321 } 3322 3323 smp->local_oob = false; 3324 smp->tfm_cmac = tfm_cmac; 3325 smp->tfm_ecdh = tfm_ecdh; 3326 3327 create_chan: 3328 chan = l2cap_chan_create(); 3329 if (!chan) { 3330 if (smp) { 3331 crypto_free_shash(smp->tfm_cmac); 3332 crypto_free_kpp(smp->tfm_ecdh); 3333 kfree_sensitive(smp); 3334 } 3335 return ERR_PTR(-ENOMEM); 3336 } 3337 3338 chan->data = smp; 3339 3340 l2cap_add_scid(chan, cid); 3341 3342 l2cap_chan_set_defaults(chan); 3343 3344 if (cid == L2CAP_CID_SMP) { 3345 u8 bdaddr_type; 3346 3347 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type); 3348 3349 if (bdaddr_type == ADDR_LE_DEV_PUBLIC) 3350 chan->src_type = BDADDR_LE_PUBLIC; 3351 else 3352 chan->src_type = BDADDR_LE_RANDOM; 3353 } else { 3354 bacpy(&chan->src, &hdev->bdaddr); 3355 chan->src_type = BDADDR_BREDR; 3356 } 3357 3358 chan->state = BT_LISTEN; 3359 chan->mode = L2CAP_MODE_BASIC; 3360 chan->imtu = L2CAP_DEFAULT_MTU; 3361 chan->ops = &smp_root_chan_ops; 3362 3363 /* Set correct nesting level for a parent/listening channel */ 3364 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT); 3365 3366 return chan; 3367 } 3368 3369 static void smp_del_chan(struct l2cap_chan *chan) 3370 { 3371 struct smp_dev *smp; 3372 3373 BT_DBG("chan %p", chan); 3374 3375 smp = chan->data; 3376 if (smp) { 3377 chan->data = NULL; 3378 crypto_free_shash(smp->tfm_cmac); 3379 crypto_free_kpp(smp->tfm_ecdh); 3380 kfree_sensitive(smp); 3381 } 3382 3383 l2cap_chan_put(chan); 3384 } 3385 3386 int smp_force_bredr(struct hci_dev *hdev, bool enable) 3387 { 3388 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3389 return -EALREADY; 3390 3391 if (enable) { 3392 struct l2cap_chan *chan; 3393 3394 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3395 if (IS_ERR(chan)) 3396 return PTR_ERR(chan); 3397 3398 hdev->smp_bredr_data = chan; 3399 } else { 3400 struct l2cap_chan *chan; 3401 3402 chan = hdev->smp_bredr_data; 3403 hdev->smp_bredr_data = NULL; 3404 smp_del_chan(chan); 3405 } 3406 3407 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP); 3408 3409 return 0; 3410 } 3411 3412 int smp_register(struct hci_dev *hdev) 3413 { 3414 struct l2cap_chan *chan; 3415 3416 bt_dev_dbg(hdev, ""); 3417 3418 /* If the controller does not support Low Energy operation, then 3419 * there is also no need to register any SMP channel. 3420 */ 3421 if (!lmp_le_capable(hdev)) 3422 return 0; 3423 3424 if (WARN_ON(hdev->smp_data)) { 3425 chan = hdev->smp_data; 3426 hdev->smp_data = NULL; 3427 smp_del_chan(chan); 3428 } 3429 3430 chan = smp_add_cid(hdev, L2CAP_CID_SMP); 3431 if (IS_ERR(chan)) 3432 return PTR_ERR(chan); 3433 3434 hdev->smp_data = chan; 3435 3436 if (!lmp_sc_capable(hdev)) { 3437 /* Flag can be already set here (due to power toggle) */ 3438 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP)) 3439 return 0; 3440 } 3441 3442 if (WARN_ON(hdev->smp_bredr_data)) { 3443 chan = hdev->smp_bredr_data; 3444 hdev->smp_bredr_data = NULL; 3445 smp_del_chan(chan); 3446 } 3447 3448 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR); 3449 if (IS_ERR(chan)) { 3450 int err = PTR_ERR(chan); 3451 chan = hdev->smp_data; 3452 hdev->smp_data = NULL; 3453 smp_del_chan(chan); 3454 return err; 3455 } 3456 3457 hdev->smp_bredr_data = chan; 3458 3459 return 0; 3460 } 3461 3462 void smp_unregister(struct hci_dev *hdev) 3463 { 3464 struct l2cap_chan *chan; 3465 3466 if (hdev->smp_bredr_data) { 3467 chan = hdev->smp_bredr_data; 3468 hdev->smp_bredr_data = NULL; 3469 smp_del_chan(chan); 3470 } 3471 3472 if (hdev->smp_data) { 3473 chan = hdev->smp_data; 3474 hdev->smp_data = NULL; 3475 smp_del_chan(chan); 3476 } 3477 } 3478 3479 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3480 3481 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh) 3482 { 3483 u8 pk[64]; 3484 int err; 3485 3486 err = set_ecdh_privkey(tfm_ecdh, debug_sk); 3487 if (err) 3488 return err; 3489 3490 err = generate_ecdh_public_key(tfm_ecdh, pk); 3491 if (err) 3492 return err; 3493 3494 if (crypto_memneq(pk, debug_pk, 64)) 3495 return -EINVAL; 3496 3497 return 0; 3498 } 3499 3500 static int __init test_ah(void) 3501 { 3502 const u8 irk[16] = { 3503 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3504 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3505 const u8 r[3] = { 0x94, 0x81, 0x70 }; 3506 const u8 exp[3] = { 0xaa, 0xfb, 0x0d }; 3507 u8 res[3]; 3508 int err; 3509 3510 err = smp_ah(irk, r, res); 3511 if (err) 3512 return err; 3513 3514 if (crypto_memneq(res, exp, 3)) 3515 return -EINVAL; 3516 3517 return 0; 3518 } 3519 3520 static int __init test_c1(void) 3521 { 3522 const u8 k[16] = { 3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3525 const u8 r[16] = { 3526 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63, 3527 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 }; 3528 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 }; 3529 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 }; 3530 const u8 _iat = 0x01; 3531 const u8 _rat = 0x00; 3532 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } }; 3533 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } }; 3534 const u8 exp[16] = { 3535 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2, 3536 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e }; 3537 u8 res[16]; 3538 int err; 3539 3540 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res); 3541 if (err) 3542 return err; 3543 3544 if (crypto_memneq(res, exp, 16)) 3545 return -EINVAL; 3546 3547 return 0; 3548 } 3549 3550 static int __init test_s1(void) 3551 { 3552 const u8 k[16] = { 3553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; 3555 const u8 r1[16] = { 3556 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; 3557 const u8 r2[16] = { 3558 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 }; 3559 const u8 exp[16] = { 3560 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b, 3561 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a }; 3562 u8 res[16]; 3563 int err; 3564 3565 err = smp_s1(k, r1, r2, res); 3566 if (err) 3567 return err; 3568 3569 if (crypto_memneq(res, exp, 16)) 3570 return -EINVAL; 3571 3572 return 0; 3573 } 3574 3575 static int __init test_f4(struct crypto_shash *tfm_cmac) 3576 { 3577 const u8 u[32] = { 3578 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3579 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3580 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3581 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3582 const u8 v[32] = { 3583 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3584 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3585 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3586 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3587 const u8 x[16] = { 3588 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3589 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3590 const u8 z = 0x00; 3591 const u8 exp[16] = { 3592 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1, 3593 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 }; 3594 u8 res[16]; 3595 int err; 3596 3597 err = smp_f4(tfm_cmac, u, v, x, z, res); 3598 if (err) 3599 return err; 3600 3601 if (crypto_memneq(res, exp, 16)) 3602 return -EINVAL; 3603 3604 return 0; 3605 } 3606 3607 static int __init test_f5(struct crypto_shash *tfm_cmac) 3608 { 3609 const u8 w[32] = { 3610 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86, 3611 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99, 3612 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3613 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3614 const u8 n1[16] = { 3615 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3616 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3617 const u8 n2[16] = { 3618 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3619 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3620 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3621 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3622 const u8 exp_ltk[16] = { 3623 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98, 3624 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 }; 3625 const u8 exp_mackey[16] = { 3626 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3627 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3628 u8 mackey[16], ltk[16]; 3629 int err; 3630 3631 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk); 3632 if (err) 3633 return err; 3634 3635 if (crypto_memneq(mackey, exp_mackey, 16)) 3636 return -EINVAL; 3637 3638 if (crypto_memneq(ltk, exp_ltk, 16)) 3639 return -EINVAL; 3640 3641 return 0; 3642 } 3643 3644 static int __init test_f6(struct crypto_shash *tfm_cmac) 3645 { 3646 const u8 w[16] = { 3647 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd, 3648 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 }; 3649 const u8 n1[16] = { 3650 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3651 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3652 const u8 n2[16] = { 3653 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3654 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3655 const u8 r[16] = { 3656 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08, 3657 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 }; 3658 const u8 io_cap[3] = { 0x02, 0x01, 0x01 }; 3659 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 }; 3660 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 }; 3661 const u8 exp[16] = { 3662 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2, 3663 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 }; 3664 u8 res[16]; 3665 int err; 3666 3667 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res); 3668 if (err) 3669 return err; 3670 3671 if (crypto_memneq(res, exp, 16)) 3672 return -EINVAL; 3673 3674 return 0; 3675 } 3676 3677 static int __init test_g2(struct crypto_shash *tfm_cmac) 3678 { 3679 const u8 u[32] = { 3680 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc, 3681 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef, 3682 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e, 3683 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 }; 3684 const u8 v[32] = { 3685 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b, 3686 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59, 3687 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90, 3688 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 }; 3689 const u8 x[16] = { 3690 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff, 3691 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 }; 3692 const u8 y[16] = { 3693 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21, 3694 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 }; 3695 const u32 exp_val = 0x2f9ed5ba % 1000000; 3696 u32 val; 3697 int err; 3698 3699 err = smp_g2(tfm_cmac, u, v, x, y, &val); 3700 if (err) 3701 return err; 3702 3703 if (val != exp_val) 3704 return -EINVAL; 3705 3706 return 0; 3707 } 3708 3709 static int __init test_h6(struct crypto_shash *tfm_cmac) 3710 { 3711 const u8 w[16] = { 3712 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34, 3713 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec }; 3714 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c }; 3715 const u8 exp[16] = { 3716 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8, 3717 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d }; 3718 u8 res[16]; 3719 int err; 3720 3721 err = smp_h6(tfm_cmac, w, key_id, res); 3722 if (err) 3723 return err; 3724 3725 if (crypto_memneq(res, exp, 16)) 3726 return -EINVAL; 3727 3728 return 0; 3729 } 3730 3731 static char test_smp_buffer[32]; 3732 3733 static ssize_t test_smp_read(struct file *file, char __user *user_buf, 3734 size_t count, loff_t *ppos) 3735 { 3736 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer, 3737 strlen(test_smp_buffer)); 3738 } 3739 3740 static const struct file_operations test_smp_fops = { 3741 .open = simple_open, 3742 .read = test_smp_read, 3743 .llseek = default_llseek, 3744 }; 3745 3746 static int __init run_selftests(struct crypto_shash *tfm_cmac, 3747 struct crypto_kpp *tfm_ecdh) 3748 { 3749 ktime_t calltime, delta, rettime; 3750 unsigned long long duration; 3751 int err; 3752 3753 calltime = ktime_get(); 3754 3755 err = test_debug_key(tfm_ecdh); 3756 if (err) { 3757 BT_ERR("debug_key test failed"); 3758 goto done; 3759 } 3760 3761 err = test_ah(); 3762 if (err) { 3763 BT_ERR("smp_ah test failed"); 3764 goto done; 3765 } 3766 3767 err = test_c1(); 3768 if (err) { 3769 BT_ERR("smp_c1 test failed"); 3770 goto done; 3771 } 3772 3773 err = test_s1(); 3774 if (err) { 3775 BT_ERR("smp_s1 test failed"); 3776 goto done; 3777 } 3778 3779 err = test_f4(tfm_cmac); 3780 if (err) { 3781 BT_ERR("smp_f4 test failed"); 3782 goto done; 3783 } 3784 3785 err = test_f5(tfm_cmac); 3786 if (err) { 3787 BT_ERR("smp_f5 test failed"); 3788 goto done; 3789 } 3790 3791 err = test_f6(tfm_cmac); 3792 if (err) { 3793 BT_ERR("smp_f6 test failed"); 3794 goto done; 3795 } 3796 3797 err = test_g2(tfm_cmac); 3798 if (err) { 3799 BT_ERR("smp_g2 test failed"); 3800 goto done; 3801 } 3802 3803 err = test_h6(tfm_cmac); 3804 if (err) { 3805 BT_ERR("smp_h6 test failed"); 3806 goto done; 3807 } 3808 3809 rettime = ktime_get(); 3810 delta = ktime_sub(rettime, calltime); 3811 duration = (unsigned long long) ktime_to_ns(delta) >> 10; 3812 3813 BT_INFO("SMP test passed in %llu usecs", duration); 3814 3815 done: 3816 if (!err) 3817 snprintf(test_smp_buffer, sizeof(test_smp_buffer), 3818 "PASS (%llu usecs)\n", duration); 3819 else 3820 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n"); 3821 3822 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL, 3823 &test_smp_fops); 3824 3825 return err; 3826 } 3827 3828 int __init bt_selftest_smp(void) 3829 { 3830 struct crypto_shash *tfm_cmac; 3831 struct crypto_kpp *tfm_ecdh; 3832 int err; 3833 3834 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0); 3835 if (IS_ERR(tfm_cmac)) { 3836 BT_ERR("Unable to create CMAC crypto context"); 3837 return PTR_ERR(tfm_cmac); 3838 } 3839 3840 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0); 3841 if (IS_ERR(tfm_ecdh)) { 3842 BT_ERR("Unable to create ECDH crypto context"); 3843 crypto_free_shash(tfm_cmac); 3844 return PTR_ERR(tfm_ecdh); 3845 } 3846 3847 err = run_selftests(tfm_cmac, tfm_ecdh); 3848 3849 crypto_free_shash(tfm_cmac); 3850 crypto_free_kpp(tfm_ecdh); 3851 3852 return err; 3853 } 3854 3855 #endif 3856