1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/aes.h>
27 #include <crypto/algapi.h>
28 #include <crypto/hash.h>
29 #include <crypto/kpp.h>
30
31 #include <net/bluetooth/bluetooth.h>
32 #include <net/bluetooth/hci_core.h>
33 #include <net/bluetooth/l2cap.h>
34 #include <net/bluetooth/mgmt.h>
35
36 #include "ecdh_helper.h"
37 #include "smp.h"
38
39 #define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41
42 /* Low-level debug macros to be used for stuff that we don't want
43 * accidentally in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
45 */
46 #ifdef DEBUG
47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 ##__VA_ARGS__)
49 #else
50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 ##__VA_ARGS__)
52 #endif
53
54 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
55
56 /* Keys which are not distributed with Secure Connections */
57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
58
59 #define SMP_TIMEOUT msecs_to_jiffies(30000)
60
61 #define ID_ADDR_TIMEOUT msecs_to_jiffies(200)
62
63 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
64 0x3f : 0x07)
65 #define KEY_DIST_MASK 0x07
66
67 /* Maximum message length that can be passed to aes_cmac */
68 #define CMAC_MSG_MAX 80
69
70 enum {
71 SMP_FLAG_TK_VALID,
72 SMP_FLAG_CFM_PENDING,
73 SMP_FLAG_MITM_AUTH,
74 SMP_FLAG_COMPLETE,
75 SMP_FLAG_INITIATOR,
76 SMP_FLAG_SC,
77 SMP_FLAG_REMOTE_PK,
78 SMP_FLAG_DEBUG_KEY,
79 SMP_FLAG_WAIT_USER,
80 SMP_FLAG_DHKEY_PENDING,
81 SMP_FLAG_REMOTE_OOB,
82 SMP_FLAG_LOCAL_OOB,
83 SMP_FLAG_CT2,
84 };
85
86 struct smp_dev {
87 /* Secure Connections OOB data */
88 bool local_oob;
89 u8 local_pk[64];
90 u8 local_rand[16];
91 bool debug_key;
92
93 struct crypto_shash *tfm_cmac;
94 struct crypto_kpp *tfm_ecdh;
95 };
96
97 struct smp_chan {
98 struct l2cap_conn *conn;
99 struct delayed_work security_timer;
100 unsigned long allow_cmd; /* Bitmask of allowed commands */
101
102 u8 preq[7]; /* SMP Pairing Request */
103 u8 prsp[7]; /* SMP Pairing Response */
104 u8 prnd[16]; /* SMP Pairing Random (local) */
105 u8 rrnd[16]; /* SMP Pairing Random (remote) */
106 u8 pcnf[16]; /* SMP Pairing Confirm */
107 u8 tk[16]; /* SMP Temporary Key */
108 u8 rr[16]; /* Remote OOB ra/rb value */
109 u8 lr[16]; /* Local OOB ra/rb value */
110 u8 enc_key_size;
111 u8 remote_key_dist;
112 bdaddr_t id_addr;
113 u8 id_addr_type;
114 u8 irk[16];
115 struct smp_csrk *csrk;
116 struct smp_csrk *responder_csrk;
117 struct smp_ltk *ltk;
118 struct smp_ltk *responder_ltk;
119 struct smp_irk *remote_irk;
120 u8 *link_key;
121 unsigned long flags;
122 u8 method;
123 u8 passkey_round;
124
125 /* Secure Connections variables */
126 u8 local_pk[64];
127 u8 remote_pk[64];
128 u8 dhkey[32];
129 u8 mackey[16];
130
131 struct crypto_shash *tfm_cmac;
132 struct crypto_kpp *tfm_ecdh;
133 };
134
135 /* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
137 * private debug key.
138 */
139 static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150
151 static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157
swap_buf(const u8 * src,u8 * dst,size_t len)158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160 size_t i;
161
162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
164 }
165
166 /* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
168 */
169
aes_cmac(struct crypto_shash * tfm,const u8 k[16],const u8 * m,size_t len,u8 mac[16])170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171 size_t len, u8 mac[16])
172 {
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174 int err;
175
176 if (len > CMAC_MSG_MAX)
177 return -EFBIG;
178
179 if (!tfm) {
180 BT_ERR("tfm %p", tfm);
181 return -EINVAL;
182 }
183
184 /* Swap key and message from LSB to MSB */
185 swap_buf(k, tmp, 16);
186 swap_buf(m, msg_msb, len);
187
188 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
189 SMP_DBG("key %16phN", k);
190
191 err = crypto_shash_setkey(tfm, tmp, 16);
192 if (err) {
193 BT_ERR("cipher setkey failed: %d", err);
194 return err;
195 }
196
197 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
198 if (err) {
199 BT_ERR("Hash computation error %d", err);
200 return err;
201 }
202
203 swap_buf(mac_msb, mac, 16);
204
205 SMP_DBG("mac %16phN", mac);
206
207 return 0;
208 }
209
smp_f4(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],u8 z,u8 res[16])210 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
211 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
212 {
213 u8 m[65];
214 int err;
215
216 SMP_DBG("u %32phN", u);
217 SMP_DBG("v %32phN", v);
218 SMP_DBG("x %16phN z %02x", x, z);
219
220 m[0] = z;
221 memcpy(m + 1, v, 32);
222 memcpy(m + 33, u, 32);
223
224 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
225 if (err)
226 return err;
227
228 SMP_DBG("res %16phN", res);
229
230 return err;
231 }
232
smp_f5(struct crypto_shash * tfm_cmac,const u8 w[32],const u8 n1[16],const u8 n2[16],const u8 a1[7],const u8 a2[7],u8 mackey[16],u8 ltk[16])233 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
234 const u8 n1[16], const u8 n2[16], const u8 a1[7],
235 const u8 a2[7], u8 mackey[16], u8 ltk[16])
236 {
237 /* The btle, salt and length "magic" values are as defined in
238 * the SMP section of the Bluetooth core specification. In ASCII
239 * the btle value ends up being 'btle'. The salt is just a
240 * random number whereas length is the value 256 in little
241 * endian format.
242 */
243 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
244 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
245 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
246 const u8 length[2] = { 0x00, 0x01 };
247 u8 m[53], t[16];
248 int err;
249
250 SMP_DBG("w %32phN", w);
251 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
252 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
253
254 err = aes_cmac(tfm_cmac, salt, w, 32, t);
255 if (err)
256 return err;
257
258 SMP_DBG("t %16phN", t);
259
260 memcpy(m, length, 2);
261 memcpy(m + 2, a2, 7);
262 memcpy(m + 9, a1, 7);
263 memcpy(m + 16, n2, 16);
264 memcpy(m + 32, n1, 16);
265 memcpy(m + 48, btle, 4);
266
267 m[52] = 0; /* Counter */
268
269 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
270 if (err)
271 return err;
272
273 SMP_DBG("mackey %16phN", mackey);
274
275 m[52] = 1; /* Counter */
276
277 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
278 if (err)
279 return err;
280
281 SMP_DBG("ltk %16phN", ltk);
282
283 return 0;
284 }
285
smp_f6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 n1[16],const u8 n2[16],const u8 r[16],const u8 io_cap[3],const u8 a1[7],const u8 a2[7],u8 res[16])286 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
287 const u8 n1[16], const u8 n2[16], const u8 r[16],
288 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
289 u8 res[16])
290 {
291 u8 m[65];
292 int err;
293
294 SMP_DBG("w %16phN", w);
295 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
296 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
297
298 memcpy(m, a2, 7);
299 memcpy(m + 7, a1, 7);
300 memcpy(m + 14, io_cap, 3);
301 memcpy(m + 17, r, 16);
302 memcpy(m + 33, n2, 16);
303 memcpy(m + 49, n1, 16);
304
305 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
306 if (err)
307 return err;
308
309 SMP_DBG("res %16phN", res);
310
311 return err;
312 }
313
smp_g2(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],const u8 y[16],u32 * val)314 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
315 const u8 x[16], const u8 y[16], u32 *val)
316 {
317 u8 m[80], tmp[16];
318 int err;
319
320 SMP_DBG("u %32phN", u);
321 SMP_DBG("v %32phN", v);
322 SMP_DBG("x %16phN y %16phN", x, y);
323
324 memcpy(m, y, 16);
325 memcpy(m + 16, v, 32);
326 memcpy(m + 48, u, 32);
327
328 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
329 if (err)
330 return err;
331
332 *val = get_unaligned_le32(tmp);
333 *val %= 1000000;
334
335 SMP_DBG("val %06u", *val);
336
337 return 0;
338 }
339
smp_h6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 key_id[4],u8 res[16])340 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
341 const u8 key_id[4], u8 res[16])
342 {
343 int err;
344
345 SMP_DBG("w %16phN key_id %4phN", w, key_id);
346
347 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
348 if (err)
349 return err;
350
351 SMP_DBG("res %16phN", res);
352
353 return err;
354 }
355
smp_h7(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 salt[16],u8 res[16])356 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
357 const u8 salt[16], u8 res[16])
358 {
359 int err;
360
361 SMP_DBG("w %16phN salt %16phN", w, salt);
362
363 err = aes_cmac(tfm_cmac, salt, w, 16, res);
364 if (err)
365 return err;
366
367 SMP_DBG("res %16phN", res);
368
369 return err;
370 }
371
372 /* The following functions map to the legacy SMP crypto functions e, c1,
373 * s1 and ah.
374 */
375
smp_e(const u8 * k,u8 * r)376 static int smp_e(const u8 *k, u8 *r)
377 {
378 struct crypto_aes_ctx ctx;
379 uint8_t tmp[16], data[16];
380 int err;
381
382 SMP_DBG("k %16phN r %16phN", k, r);
383
384 /* The most significant octet of key corresponds to k[0] */
385 swap_buf(k, tmp, 16);
386
387 err = aes_expandkey(&ctx, tmp, 16);
388 if (err) {
389 BT_ERR("cipher setkey failed: %d", err);
390 return err;
391 }
392
393 /* Most significant octet of plaintextData corresponds to data[0] */
394 swap_buf(r, data, 16);
395
396 aes_encrypt(&ctx, data, data);
397
398 /* Most significant octet of encryptedData corresponds to data[0] */
399 swap_buf(data, r, 16);
400
401 SMP_DBG("r %16phN", r);
402
403 memzero_explicit(&ctx, sizeof(ctx));
404 return err;
405 }
406
smp_c1(const u8 k[16],const u8 r[16],const u8 preq[7],const u8 pres[7],u8 _iat,const bdaddr_t * ia,u8 _rat,const bdaddr_t * ra,u8 res[16])407 static int smp_c1(const u8 k[16],
408 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
409 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
410 {
411 u8 p1[16], p2[16];
412 int err;
413
414 SMP_DBG("k %16phN r %16phN", k, r);
415 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
416 SMP_DBG("preq %7phN pres %7phN", preq, pres);
417
418 memset(p1, 0, 16);
419
420 /* p1 = pres || preq || _rat || _iat */
421 p1[0] = _iat;
422 p1[1] = _rat;
423 memcpy(p1 + 2, preq, 7);
424 memcpy(p1 + 9, pres, 7);
425
426 SMP_DBG("p1 %16phN", p1);
427
428 /* res = r XOR p1 */
429 crypto_xor_cpy(res, r, p1, sizeof(p1));
430
431 /* res = e(k, res) */
432 err = smp_e(k, res);
433 if (err) {
434 BT_ERR("Encrypt data error");
435 return err;
436 }
437
438 /* p2 = padding || ia || ra */
439 memcpy(p2, ra, 6);
440 memcpy(p2 + 6, ia, 6);
441 memset(p2 + 12, 0, 4);
442
443 SMP_DBG("p2 %16phN", p2);
444
445 /* res = res XOR p2 */
446 crypto_xor(res, p2, sizeof(p2));
447
448 /* res = e(k, res) */
449 err = smp_e(k, res);
450 if (err)
451 BT_ERR("Encrypt data error");
452
453 return err;
454 }
455
smp_s1(const u8 k[16],const u8 r1[16],const u8 r2[16],u8 _r[16])456 static int smp_s1(const u8 k[16],
457 const u8 r1[16], const u8 r2[16], u8 _r[16])
458 {
459 int err;
460
461 /* Just least significant octets from r1 and r2 are considered */
462 memcpy(_r, r2, 8);
463 memcpy(_r + 8, r1, 8);
464
465 err = smp_e(k, _r);
466 if (err)
467 BT_ERR("Encrypt data error");
468
469 return err;
470 }
471
smp_ah(const u8 irk[16],const u8 r[3],u8 res[3])472 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
473 {
474 u8 _res[16];
475 int err;
476
477 /* r' = padding || r */
478 memcpy(_res, r, 3);
479 memset(_res + 3, 0, 13);
480
481 err = smp_e(irk, _res);
482 if (err) {
483 BT_ERR("Encrypt error");
484 return err;
485 }
486
487 /* The output of the random address function ah is:
488 * ah(k, r) = e(k, r') mod 2^24
489 * The output of the security function e is then truncated to 24 bits
490 * by taking the least significant 24 bits of the output of e as the
491 * result of ah.
492 */
493 memcpy(res, _res, 3);
494
495 return 0;
496 }
497
smp_irk_matches(struct hci_dev * hdev,const u8 irk[16],const bdaddr_t * bdaddr)498 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
499 const bdaddr_t *bdaddr)
500 {
501 struct l2cap_chan *chan = hdev->smp_data;
502 u8 hash[3];
503 int err;
504
505 if (!chan || !chan->data)
506 return false;
507
508 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
509
510 err = smp_ah(irk, &bdaddr->b[3], hash);
511 if (err)
512 return false;
513
514 return !crypto_memneq(bdaddr->b, hash, 3);
515 }
516
smp_generate_rpa(struct hci_dev * hdev,const u8 irk[16],bdaddr_t * rpa)517 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
518 {
519 struct l2cap_chan *chan = hdev->smp_data;
520 int err;
521
522 if (!chan || !chan->data)
523 return -EOPNOTSUPP;
524
525 get_random_bytes(&rpa->b[3], 3);
526
527 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
528 rpa->b[5] |= 0x40; /* Set second most significant bit */
529
530 err = smp_ah(irk, &rpa->b[3], rpa->b);
531 if (err < 0)
532 return err;
533
534 bt_dev_dbg(hdev, "RPA %pMR", rpa);
535
536 return 0;
537 }
538
smp_generate_oob(struct hci_dev * hdev,u8 hash[16],u8 rand[16])539 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
540 {
541 struct l2cap_chan *chan = hdev->smp_data;
542 struct smp_dev *smp;
543 int err;
544
545 if (!chan || !chan->data)
546 return -EOPNOTSUPP;
547
548 smp = chan->data;
549
550 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
551 bt_dev_dbg(hdev, "Using debug keys");
552 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
553 if (err)
554 return err;
555 memcpy(smp->local_pk, debug_pk, 64);
556 smp->debug_key = true;
557 } else {
558 while (true) {
559 /* Generate key pair for Secure Connections */
560 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
561 if (err)
562 return err;
563
564 /* This is unlikely, but we need to check that
565 * we didn't accidentally generate a debug key.
566 */
567 if (crypto_memneq(smp->local_pk, debug_pk, 64))
568 break;
569 }
570 smp->debug_key = false;
571 }
572
573 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
574 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
575
576 get_random_bytes(smp->local_rand, 16);
577
578 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
579 smp->local_rand, 0, hash);
580 if (err < 0)
581 return err;
582
583 memcpy(rand, smp->local_rand, 16);
584
585 smp->local_oob = true;
586
587 return 0;
588 }
589
smp_send_cmd(struct l2cap_conn * conn,u8 code,u16 len,void * data)590 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
591 {
592 struct l2cap_chan *chan = conn->smp;
593 struct smp_chan *smp;
594 struct kvec iv[2];
595 struct msghdr msg;
596
597 if (!chan)
598 return;
599
600 bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
601
602 iv[0].iov_base = &code;
603 iv[0].iov_len = 1;
604
605 iv[1].iov_base = data;
606 iv[1].iov_len = len;
607
608 memset(&msg, 0, sizeof(msg));
609
610 iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
611
612 l2cap_chan_send(chan, &msg, 1 + len);
613
614 if (!chan->data)
615 return;
616
617 smp = chan->data;
618
619 cancel_delayed_work_sync(&smp->security_timer);
620 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
621 }
622
authreq_to_seclevel(u8 authreq)623 static u8 authreq_to_seclevel(u8 authreq)
624 {
625 if (authreq & SMP_AUTH_MITM) {
626 if (authreq & SMP_AUTH_SC)
627 return BT_SECURITY_FIPS;
628 else
629 return BT_SECURITY_HIGH;
630 } else {
631 return BT_SECURITY_MEDIUM;
632 }
633 }
634
seclevel_to_authreq(__u8 sec_level)635 static __u8 seclevel_to_authreq(__u8 sec_level)
636 {
637 switch (sec_level) {
638 case BT_SECURITY_FIPS:
639 case BT_SECURITY_HIGH:
640 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
641 case BT_SECURITY_MEDIUM:
642 return SMP_AUTH_BONDING;
643 default:
644 return SMP_AUTH_NONE;
645 }
646 }
647
build_pairing_cmd(struct l2cap_conn * conn,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp,__u8 authreq)648 static void build_pairing_cmd(struct l2cap_conn *conn,
649 struct smp_cmd_pairing *req,
650 struct smp_cmd_pairing *rsp, __u8 authreq)
651 {
652 struct l2cap_chan *chan = conn->smp;
653 struct smp_chan *smp = chan->data;
654 struct hci_conn *hcon = conn->hcon;
655 struct hci_dev *hdev = hcon->hdev;
656 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
657
658 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
659 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
661 authreq |= SMP_AUTH_BONDING;
662 } else {
663 authreq &= ~SMP_AUTH_BONDING;
664 }
665
666 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
667 remote_dist |= SMP_DIST_ID_KEY;
668
669 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
670 local_dist |= SMP_DIST_ID_KEY;
671
672 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
673 (authreq & SMP_AUTH_SC)) {
674 struct oob_data *oob_data;
675 u8 bdaddr_type;
676
677 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
678 local_dist |= SMP_DIST_LINK_KEY;
679 remote_dist |= SMP_DIST_LINK_KEY;
680 }
681
682 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
683 bdaddr_type = BDADDR_LE_PUBLIC;
684 else
685 bdaddr_type = BDADDR_LE_RANDOM;
686
687 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
688 bdaddr_type);
689 if (oob_data && oob_data->present) {
690 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
691 oob_flag = SMP_OOB_PRESENT;
692 memcpy(smp->rr, oob_data->rand256, 16);
693 memcpy(smp->pcnf, oob_data->hash256, 16);
694 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
695 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
696 }
697
698 } else {
699 authreq &= ~SMP_AUTH_SC;
700 }
701
702 if (rsp == NULL) {
703 req->io_capability = conn->hcon->io_capability;
704 req->oob_flag = oob_flag;
705 req->max_key_size = hdev->le_max_key_size;
706 req->init_key_dist = local_dist;
707 req->resp_key_dist = remote_dist;
708 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
709
710 smp->remote_key_dist = remote_dist;
711 return;
712 }
713
714 rsp->io_capability = conn->hcon->io_capability;
715 rsp->oob_flag = oob_flag;
716 rsp->max_key_size = hdev->le_max_key_size;
717 rsp->init_key_dist = req->init_key_dist & remote_dist;
718 rsp->resp_key_dist = req->resp_key_dist & local_dist;
719 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720
721 smp->remote_key_dist = rsp->init_key_dist;
722 }
723
check_enc_key_size(struct l2cap_conn * conn,__u8 max_key_size)724 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
725 {
726 struct l2cap_chan *chan = conn->smp;
727 struct hci_dev *hdev = conn->hcon->hdev;
728 struct smp_chan *smp = chan->data;
729
730 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
731 max_key_size != SMP_MAX_ENC_KEY_SIZE)
732 return SMP_ENC_KEY_SIZE;
733
734 if (max_key_size > hdev->le_max_key_size ||
735 max_key_size < SMP_MIN_ENC_KEY_SIZE)
736 return SMP_ENC_KEY_SIZE;
737
738 smp->enc_key_size = max_key_size;
739
740 return 0;
741 }
742
smp_chan_destroy(struct l2cap_conn * conn)743 static void smp_chan_destroy(struct l2cap_conn *conn)
744 {
745 struct l2cap_chan *chan = conn->smp;
746 struct smp_chan *smp = chan->data;
747 struct hci_conn *hcon = conn->hcon;
748 bool complete;
749
750 BUG_ON(!smp);
751
752 cancel_delayed_work_sync(&smp->security_timer);
753
754 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
755 mgmt_smp_complete(hcon, complete);
756
757 kfree_sensitive(smp->csrk);
758 kfree_sensitive(smp->responder_csrk);
759 kfree_sensitive(smp->link_key);
760
761 crypto_free_shash(smp->tfm_cmac);
762 crypto_free_kpp(smp->tfm_ecdh);
763
764 /* Ensure that we don't leave any debug key around if debug key
765 * support hasn't been explicitly enabled.
766 */
767 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
768 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
769 list_del_rcu(&smp->ltk->list);
770 kfree_rcu(smp->ltk, rcu);
771 smp->ltk = NULL;
772 }
773
774 /* If pairing failed clean up any keys we might have */
775 if (!complete) {
776 if (smp->ltk) {
777 list_del_rcu(&smp->ltk->list);
778 kfree_rcu(smp->ltk, rcu);
779 }
780
781 if (smp->responder_ltk) {
782 list_del_rcu(&smp->responder_ltk->list);
783 kfree_rcu(smp->responder_ltk, rcu);
784 }
785
786 if (smp->remote_irk) {
787 list_del_rcu(&smp->remote_irk->list);
788 kfree_rcu(smp->remote_irk, rcu);
789 }
790 }
791
792 chan->data = NULL;
793 kfree_sensitive(smp);
794 hci_conn_drop(hcon);
795 }
796
smp_failure(struct l2cap_conn * conn,u8 reason)797 static void smp_failure(struct l2cap_conn *conn, u8 reason)
798 {
799 struct hci_conn *hcon = conn->hcon;
800 struct l2cap_chan *chan = conn->smp;
801
802 if (reason)
803 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
804 &reason);
805
806 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
807
808 if (chan->data)
809 smp_chan_destroy(conn);
810 }
811
812 #define JUST_WORKS 0x00
813 #define JUST_CFM 0x01
814 #define REQ_PASSKEY 0x02
815 #define CFM_PASSKEY 0x03
816 #define REQ_OOB 0x04
817 #define DSP_PASSKEY 0x05
818 #define OVERLAP 0xFF
819
820 static const u8 gen_method[5][5] = {
821 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
824 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
825 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
826 };
827
828 static const u8 sc_method[5][5] = {
829 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
832 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
833 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
834 };
835
get_auth_method(struct smp_chan * smp,u8 local_io,u8 remote_io)836 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
837 {
838 /* If either side has unknown io_caps, use JUST_CFM (which gets
839 * converted later to JUST_WORKS if we're initiators.
840 */
841 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
842 remote_io > SMP_IO_KEYBOARD_DISPLAY)
843 return JUST_CFM;
844
845 if (test_bit(SMP_FLAG_SC, &smp->flags))
846 return sc_method[remote_io][local_io];
847
848 return gen_method[remote_io][local_io];
849 }
850
tk_request(struct l2cap_conn * conn,u8 remote_oob,u8 auth,u8 local_io,u8 remote_io)851 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
852 u8 local_io, u8 remote_io)
853 {
854 struct hci_conn *hcon = conn->hcon;
855 struct l2cap_chan *chan = conn->smp;
856 struct smp_chan *smp = chan->data;
857 u32 passkey = 0;
858 int ret;
859
860 /* Initialize key for JUST WORKS */
861 memset(smp->tk, 0, sizeof(smp->tk));
862 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
863
864 bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
865 remote_io);
866
867 /* If neither side wants MITM, either "just" confirm an incoming
868 * request or use just-works for outgoing ones. The JUST_CFM
869 * will be converted to JUST_WORKS if necessary later in this
870 * function. If either side has MITM look up the method from the
871 * table.
872 */
873 if (!(auth & SMP_AUTH_MITM))
874 smp->method = JUST_CFM;
875 else
876 smp->method = get_auth_method(smp, local_io, remote_io);
877
878 /* Don't confirm locally initiated pairing attempts */
879 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
880 &smp->flags))
881 smp->method = JUST_WORKS;
882
883 /* Don't bother user space with no IO capabilities */
884 if (smp->method == JUST_CFM &&
885 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
886 smp->method = JUST_WORKS;
887
888 /* If Just Works, Continue with Zero TK and ask user-space for
889 * confirmation */
890 if (smp->method == JUST_WORKS) {
891 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
892 hcon->type,
893 hcon->dst_type,
894 passkey, 1);
895 if (ret)
896 return ret;
897 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
898 return 0;
899 }
900
901 /* If this function is used for SC -> legacy fallback we
902 * can only recover the just-works case.
903 */
904 if (test_bit(SMP_FLAG_SC, &smp->flags))
905 return -EINVAL;
906
907 /* Not Just Works/Confirm results in MITM Authentication */
908 if (smp->method != JUST_CFM) {
909 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
910 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
911 hcon->pending_sec_level = BT_SECURITY_HIGH;
912 }
913
914 /* If both devices have Keyboard-Display I/O, the initiator
915 * Confirms and the responder Enters the passkey.
916 */
917 if (smp->method == OVERLAP) {
918 if (hcon->role == HCI_ROLE_MASTER)
919 smp->method = CFM_PASSKEY;
920 else
921 smp->method = REQ_PASSKEY;
922 }
923
924 /* Generate random passkey. */
925 if (smp->method == CFM_PASSKEY) {
926 memset(smp->tk, 0, sizeof(smp->tk));
927 get_random_bytes(&passkey, sizeof(passkey));
928 passkey %= 1000000;
929 put_unaligned_le32(passkey, smp->tk);
930 bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
931 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
932 }
933
934 if (smp->method == REQ_PASSKEY)
935 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
936 hcon->type, hcon->dst_type);
937 else if (smp->method == JUST_CFM)
938 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type,
940 passkey, 1);
941 else
942 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
943 hcon->type, hcon->dst_type,
944 passkey, 0);
945
946 return ret;
947 }
948
smp_confirm(struct smp_chan * smp)949 static u8 smp_confirm(struct smp_chan *smp)
950 {
951 struct l2cap_conn *conn = smp->conn;
952 struct smp_cmd_pairing_confirm cp;
953 int ret;
954
955 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
956
957 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
958 conn->hcon->init_addr_type, &conn->hcon->init_addr,
959 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
960 cp.confirm_val);
961 if (ret)
962 return SMP_UNSPECIFIED;
963
964 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
965
966 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
967
968 if (conn->hcon->out)
969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
970 else
971 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
972
973 return 0;
974 }
975
smp_random(struct smp_chan * smp)976 static u8 smp_random(struct smp_chan *smp)
977 {
978 struct l2cap_conn *conn = smp->conn;
979 struct hci_conn *hcon = conn->hcon;
980 u8 confirm[16];
981 int ret;
982
983 bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
984 conn->hcon->out ? "initiator" : "responder");
985
986 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987 hcon->init_addr_type, &hcon->init_addr,
988 hcon->resp_addr_type, &hcon->resp_addr, confirm);
989 if (ret)
990 return SMP_UNSPECIFIED;
991
992 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993 bt_dev_err(hcon->hdev, "pairing failed "
994 "(confirmation values mismatch)");
995 return SMP_CONFIRM_FAILED;
996 }
997
998 if (hcon->out) {
999 u8 stk[16];
1000 __le64 rand = 0;
1001 __le16 ediv = 0;
1002
1003 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1004
1005 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006 return SMP_UNSPECIFIED;
1007
1008 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009 hcon->enc_key_size = smp->enc_key_size;
1010 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011 } else {
1012 u8 stk[16], auth;
1013 __le64 rand = 0;
1014 __le16 ediv = 0;
1015
1016 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017 smp->prnd);
1018
1019 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1020
1021 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022 auth = 1;
1023 else
1024 auth = 0;
1025
1026 /* Even though there's no _RESPONDER suffix this is the
1027 * responder STK we're adding for later lookup (the initiator
1028 * STK never needs to be stored).
1029 */
1030 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032 }
1033
1034 return 0;
1035 }
1036
smp_notify_keys(struct l2cap_conn * conn)1037 static void smp_notify_keys(struct l2cap_conn *conn)
1038 {
1039 struct l2cap_chan *chan = conn->smp;
1040 struct smp_chan *smp = chan->data;
1041 struct hci_conn *hcon = conn->hcon;
1042 struct hci_dev *hdev = hcon->hdev;
1043 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045 bool persistent;
1046
1047 if (hcon->type == ACL_LINK) {
1048 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049 persistent = false;
1050 else
1051 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052 &hcon->flags);
1053 } else {
1054 /* The LTKs, IRKs and CSRKs should be persistent only if
1055 * both sides had the bonding bit set in their
1056 * authentication requests.
1057 */
1058 persistent = !!((req->auth_req & rsp->auth_req) &
1059 SMP_AUTH_BONDING);
1060 }
1061
1062 if (smp->remote_irk) {
1063 smp->remote_irk->link_type = hcon->type;
1064 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1065
1066 /* Now that user space can be considered to know the
1067 * identity address track the connection based on it
1068 * from now on (assuming this is an LE link).
1069 */
1070 if (hcon->type == LE_LINK) {
1071 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1072 hcon->dst_type = smp->remote_irk->addr_type;
1073 /* Use a short delay to make sure the new address is
1074 * propagated _before_ the channels.
1075 */
1076 queue_delayed_work(hdev->workqueue,
1077 &conn->id_addr_timer,
1078 ID_ADDR_TIMEOUT);
1079 }
1080 }
1081
1082 if (smp->csrk) {
1083 smp->csrk->link_type = hcon->type;
1084 smp->csrk->bdaddr_type = hcon->dst_type;
1085 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1086 mgmt_new_csrk(hdev, smp->csrk, persistent);
1087 }
1088
1089 if (smp->responder_csrk) {
1090 smp->responder_csrk->link_type = hcon->type;
1091 smp->responder_csrk->bdaddr_type = hcon->dst_type;
1092 bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1093 mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1094 }
1095
1096 if (smp->ltk) {
1097 smp->ltk->link_type = hcon->type;
1098 smp->ltk->bdaddr_type = hcon->dst_type;
1099 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1100 mgmt_new_ltk(hdev, smp->ltk, persistent);
1101 }
1102
1103 if (smp->responder_ltk) {
1104 smp->responder_ltk->link_type = hcon->type;
1105 smp->responder_ltk->bdaddr_type = hcon->dst_type;
1106 bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1107 mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1108 }
1109
1110 if (smp->link_key) {
1111 struct link_key *key;
1112 u8 type;
1113
1114 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1115 type = HCI_LK_DEBUG_COMBINATION;
1116 else if (hcon->sec_level == BT_SECURITY_FIPS)
1117 type = HCI_LK_AUTH_COMBINATION_P256;
1118 else
1119 type = HCI_LK_UNAUTH_COMBINATION_P256;
1120
1121 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1122 smp->link_key, type, 0, &persistent);
1123 if (key) {
1124 key->link_type = hcon->type;
1125 key->bdaddr_type = hcon->dst_type;
1126 mgmt_new_link_key(hdev, key, persistent);
1127
1128 /* Don't keep debug keys around if the relevant
1129 * flag is not set.
1130 */
1131 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1132 key->type == HCI_LK_DEBUG_COMBINATION) {
1133 list_del_rcu(&key->list);
1134 kfree_rcu(key, rcu);
1135 }
1136 }
1137 }
1138 }
1139
sc_add_ltk(struct smp_chan * smp)1140 static void sc_add_ltk(struct smp_chan *smp)
1141 {
1142 struct hci_conn *hcon = smp->conn->hcon;
1143 u8 key_type, auth;
1144
1145 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1146 key_type = SMP_LTK_P256_DEBUG;
1147 else
1148 key_type = SMP_LTK_P256;
1149
1150 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1151 auth = 1;
1152 else
1153 auth = 0;
1154
1155 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1156 key_type, auth, smp->tk, smp->enc_key_size,
1157 0, 0);
1158 }
1159
sc_generate_link_key(struct smp_chan * smp)1160 static void sc_generate_link_key(struct smp_chan *smp)
1161 {
1162 /* From core spec. Spells out in ASCII as 'lebr'. */
1163 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1164
1165 smp->link_key = kzalloc(16, GFP_KERNEL);
1166 if (!smp->link_key)
1167 return;
1168
1169 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1170 /* SALT = 0x000000000000000000000000746D7031 */
1171 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1172
1173 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1174 kfree_sensitive(smp->link_key);
1175 smp->link_key = NULL;
1176 return;
1177 }
1178 } else {
1179 /* From core spec. Spells out in ASCII as 'tmp1'. */
1180 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1181
1182 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1183 kfree_sensitive(smp->link_key);
1184 smp->link_key = NULL;
1185 return;
1186 }
1187 }
1188
1189 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1190 kfree_sensitive(smp->link_key);
1191 smp->link_key = NULL;
1192 return;
1193 }
1194 }
1195
smp_allow_key_dist(struct smp_chan * smp)1196 static void smp_allow_key_dist(struct smp_chan *smp)
1197 {
1198 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1199 * will be allowed in each PDU handler to ensure we receive
1200 * them in the correct order.
1201 */
1202 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1203 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1204 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1205 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1206 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1207 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1208 }
1209
sc_generate_ltk(struct smp_chan * smp)1210 static void sc_generate_ltk(struct smp_chan *smp)
1211 {
1212 /* From core spec. Spells out in ASCII as 'brle'. */
1213 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1214 struct hci_conn *hcon = smp->conn->hcon;
1215 struct hci_dev *hdev = hcon->hdev;
1216 struct link_key *key;
1217
1218 key = hci_find_link_key(hdev, &hcon->dst);
1219 if (!key) {
1220 bt_dev_err(hdev, "no Link Key found to generate LTK");
1221 return;
1222 }
1223
1224 if (key->type == HCI_LK_DEBUG_COMBINATION)
1225 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1226
1227 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1228 /* SALT = 0x000000000000000000000000746D7032 */
1229 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1230
1231 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1232 return;
1233 } else {
1234 /* From core spec. Spells out in ASCII as 'tmp2'. */
1235 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1236
1237 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1238 return;
1239 }
1240
1241 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1242 return;
1243
1244 sc_add_ltk(smp);
1245 }
1246
smp_distribute_keys(struct smp_chan * smp)1247 static void smp_distribute_keys(struct smp_chan *smp)
1248 {
1249 struct smp_cmd_pairing *req, *rsp;
1250 struct l2cap_conn *conn = smp->conn;
1251 struct hci_conn *hcon = conn->hcon;
1252 struct hci_dev *hdev = hcon->hdev;
1253 __u8 *keydist;
1254
1255 bt_dev_dbg(hdev, "conn %p", conn);
1256
1257 rsp = (void *) &smp->prsp[1];
1258
1259 /* The responder sends its keys first */
1260 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1261 smp_allow_key_dist(smp);
1262 return;
1263 }
1264
1265 req = (void *) &smp->preq[1];
1266
1267 if (hcon->out) {
1268 keydist = &rsp->init_key_dist;
1269 *keydist &= req->init_key_dist;
1270 } else {
1271 keydist = &rsp->resp_key_dist;
1272 *keydist &= req->resp_key_dist;
1273 }
1274
1275 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1276 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1277 sc_generate_link_key(smp);
1278 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1279 sc_generate_ltk(smp);
1280
1281 /* Clear the keys which are generated but not distributed */
1282 *keydist &= ~SMP_SC_NO_DIST;
1283 }
1284
1285 bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1286
1287 if (*keydist & SMP_DIST_ENC_KEY) {
1288 struct smp_cmd_encrypt_info enc;
1289 struct smp_cmd_initiator_ident ident;
1290 struct smp_ltk *ltk;
1291 u8 authenticated;
1292 __le16 ediv;
1293 __le64 rand;
1294
1295 /* Make sure we generate only the significant amount of
1296 * bytes based on the encryption key size, and set the rest
1297 * of the value to zeroes.
1298 */
1299 get_random_bytes(enc.ltk, smp->enc_key_size);
1300 memset(enc.ltk + smp->enc_key_size, 0,
1301 sizeof(enc.ltk) - smp->enc_key_size);
1302
1303 get_random_bytes(&ediv, sizeof(ediv));
1304 get_random_bytes(&rand, sizeof(rand));
1305
1306 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1307
1308 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1309 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1310 SMP_LTK_RESPONDER, authenticated, enc.ltk,
1311 smp->enc_key_size, ediv, rand);
1312 smp->responder_ltk = ltk;
1313
1314 ident.ediv = ediv;
1315 ident.rand = rand;
1316
1317 smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1318 &ident);
1319
1320 *keydist &= ~SMP_DIST_ENC_KEY;
1321 }
1322
1323 if (*keydist & SMP_DIST_ID_KEY) {
1324 struct smp_cmd_ident_addr_info addrinfo;
1325 struct smp_cmd_ident_info idinfo;
1326
1327 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1328
1329 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1330
1331 /* The hci_conn contains the local identity address
1332 * after the connection has been established.
1333 *
1334 * This is true even when the connection has been
1335 * established using a resolvable random address.
1336 */
1337 bacpy(&addrinfo.bdaddr, &hcon->src);
1338 addrinfo.addr_type = hcon->src_type;
1339
1340 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1341 &addrinfo);
1342
1343 *keydist &= ~SMP_DIST_ID_KEY;
1344 }
1345
1346 if (*keydist & SMP_DIST_SIGN) {
1347 struct smp_cmd_sign_info sign;
1348 struct smp_csrk *csrk;
1349
1350 /* Generate a new random key */
1351 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1352
1353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1354 if (csrk) {
1355 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1356 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1357 else
1358 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1359 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1360 }
1361 smp->responder_csrk = csrk;
1362
1363 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1364
1365 *keydist &= ~SMP_DIST_SIGN;
1366 }
1367
1368 /* If there are still keys to be received wait for them */
1369 if (smp->remote_key_dist & KEY_DIST_MASK) {
1370 smp_allow_key_dist(smp);
1371 return;
1372 }
1373
1374 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1375 smp_notify_keys(conn);
1376
1377 smp_chan_destroy(conn);
1378 }
1379
smp_timeout(struct work_struct * work)1380 static void smp_timeout(struct work_struct *work)
1381 {
1382 struct smp_chan *smp = container_of(work, struct smp_chan,
1383 security_timer.work);
1384 struct l2cap_conn *conn = smp->conn;
1385
1386 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1387
1388 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1389 }
1390
smp_chan_create(struct l2cap_conn * conn)1391 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1392 {
1393 struct hci_conn *hcon = conn->hcon;
1394 struct l2cap_chan *chan = conn->smp;
1395 struct smp_chan *smp;
1396
1397 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1398 if (!smp)
1399 return NULL;
1400
1401 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1402 if (IS_ERR(smp->tfm_cmac)) {
1403 bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1404 goto zfree_smp;
1405 }
1406
1407 smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1408 if (IS_ERR(smp->tfm_ecdh)) {
1409 bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1410 goto free_shash;
1411 }
1412
1413 smp->conn = conn;
1414 chan->data = smp;
1415
1416 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1417
1418 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1419
1420 hci_conn_hold(hcon);
1421
1422 return smp;
1423
1424 free_shash:
1425 crypto_free_shash(smp->tfm_cmac);
1426 zfree_smp:
1427 kfree_sensitive(smp);
1428 return NULL;
1429 }
1430
sc_mackey_and_ltk(struct smp_chan * smp,u8 mackey[16],u8 ltk[16])1431 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1432 {
1433 struct hci_conn *hcon = smp->conn->hcon;
1434 u8 *na, *nb, a[7], b[7];
1435
1436 if (hcon->out) {
1437 na = smp->prnd;
1438 nb = smp->rrnd;
1439 } else {
1440 na = smp->rrnd;
1441 nb = smp->prnd;
1442 }
1443
1444 memcpy(a, &hcon->init_addr, 6);
1445 memcpy(b, &hcon->resp_addr, 6);
1446 a[6] = hcon->init_addr_type;
1447 b[6] = hcon->resp_addr_type;
1448
1449 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1450 }
1451
sc_dhkey_check(struct smp_chan * smp)1452 static void sc_dhkey_check(struct smp_chan *smp)
1453 {
1454 struct hci_conn *hcon = smp->conn->hcon;
1455 struct smp_cmd_dhkey_check check;
1456 u8 a[7], b[7], *local_addr, *remote_addr;
1457 u8 io_cap[3], r[16];
1458
1459 memcpy(a, &hcon->init_addr, 6);
1460 memcpy(b, &hcon->resp_addr, 6);
1461 a[6] = hcon->init_addr_type;
1462 b[6] = hcon->resp_addr_type;
1463
1464 if (hcon->out) {
1465 local_addr = a;
1466 remote_addr = b;
1467 memcpy(io_cap, &smp->preq[1], 3);
1468 } else {
1469 local_addr = b;
1470 remote_addr = a;
1471 memcpy(io_cap, &smp->prsp[1], 3);
1472 }
1473
1474 memset(r, 0, sizeof(r));
1475
1476 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1477 put_unaligned_le32(hcon->passkey_notify, r);
1478
1479 if (smp->method == REQ_OOB)
1480 memcpy(r, smp->rr, 16);
1481
1482 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1483 local_addr, remote_addr, check.e);
1484
1485 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1486 }
1487
sc_passkey_send_confirm(struct smp_chan * smp)1488 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1489 {
1490 struct l2cap_conn *conn = smp->conn;
1491 struct hci_conn *hcon = conn->hcon;
1492 struct smp_cmd_pairing_confirm cfm;
1493 u8 r;
1494
1495 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1496 r |= 0x80;
1497
1498 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1499
1500 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1501 cfm.confirm_val))
1502 return SMP_UNSPECIFIED;
1503
1504 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1505
1506 return 0;
1507 }
1508
sc_passkey_round(struct smp_chan * smp,u8 smp_op)1509 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1510 {
1511 struct l2cap_conn *conn = smp->conn;
1512 struct hci_conn *hcon = conn->hcon;
1513 struct hci_dev *hdev = hcon->hdev;
1514 u8 cfm[16], r;
1515
1516 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1517 if (smp->passkey_round >= 20)
1518 return 0;
1519
1520 switch (smp_op) {
1521 case SMP_CMD_PAIRING_RANDOM:
1522 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1523 r |= 0x80;
1524
1525 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1526 smp->rrnd, r, cfm))
1527 return SMP_UNSPECIFIED;
1528
1529 if (crypto_memneq(smp->pcnf, cfm, 16))
1530 return SMP_CONFIRM_FAILED;
1531
1532 smp->passkey_round++;
1533
1534 if (smp->passkey_round == 20) {
1535 /* Generate MacKey and LTK */
1536 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1537 return SMP_UNSPECIFIED;
1538 }
1539
1540 /* The round is only complete when the initiator
1541 * receives pairing random.
1542 */
1543 if (!hcon->out) {
1544 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545 sizeof(smp->prnd), smp->prnd);
1546 if (smp->passkey_round == 20)
1547 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1548 else
1549 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1550 return 0;
1551 }
1552
1553 /* Start the next round */
1554 if (smp->passkey_round != 20)
1555 return sc_passkey_round(smp, 0);
1556
1557 /* Passkey rounds are complete - start DHKey Check */
1558 sc_dhkey_check(smp);
1559 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1560
1561 break;
1562
1563 case SMP_CMD_PAIRING_CONFIRM:
1564 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1565 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1566 return 0;
1567 }
1568
1569 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1570
1571 if (hcon->out) {
1572 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1573 sizeof(smp->prnd), smp->prnd);
1574 return 0;
1575 }
1576
1577 return sc_passkey_send_confirm(smp);
1578
1579 case SMP_CMD_PUBLIC_KEY:
1580 default:
1581 /* Initiating device starts the round */
1582 if (!hcon->out)
1583 return 0;
1584
1585 bt_dev_dbg(hdev, "Starting passkey round %u",
1586 smp->passkey_round + 1);
1587
1588 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1589
1590 return sc_passkey_send_confirm(smp);
1591 }
1592
1593 return 0;
1594 }
1595
sc_user_reply(struct smp_chan * smp,u16 mgmt_op,__le32 passkey)1596 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1597 {
1598 struct l2cap_conn *conn = smp->conn;
1599 struct hci_conn *hcon = conn->hcon;
1600 u8 smp_op;
1601
1602 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1603
1604 switch (mgmt_op) {
1605 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1606 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1607 return 0;
1608 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1609 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1610 return 0;
1611 case MGMT_OP_USER_PASSKEY_REPLY:
1612 hcon->passkey_notify = le32_to_cpu(passkey);
1613 smp->passkey_round = 0;
1614
1615 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1616 smp_op = SMP_CMD_PAIRING_CONFIRM;
1617 else
1618 smp_op = 0;
1619
1620 if (sc_passkey_round(smp, smp_op))
1621 return -EIO;
1622
1623 return 0;
1624 }
1625
1626 /* Initiator sends DHKey check first */
1627 if (hcon->out) {
1628 sc_dhkey_check(smp);
1629 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1630 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1631 sc_dhkey_check(smp);
1632 sc_add_ltk(smp);
1633 }
1634
1635 return 0;
1636 }
1637
smp_user_confirm_reply(struct hci_conn * hcon,u16 mgmt_op,__le32 passkey)1638 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1639 {
1640 struct l2cap_conn *conn = hcon->l2cap_data;
1641 struct l2cap_chan *chan;
1642 struct smp_chan *smp;
1643 u32 value;
1644 int err;
1645
1646 if (!conn)
1647 return -ENOTCONN;
1648
1649 bt_dev_dbg(conn->hcon->hdev, "");
1650
1651 chan = conn->smp;
1652 if (!chan)
1653 return -ENOTCONN;
1654
1655 l2cap_chan_lock(chan);
1656 if (!chan->data) {
1657 err = -ENOTCONN;
1658 goto unlock;
1659 }
1660
1661 smp = chan->data;
1662
1663 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664 err = sc_user_reply(smp, mgmt_op, passkey);
1665 goto unlock;
1666 }
1667
1668 switch (mgmt_op) {
1669 case MGMT_OP_USER_PASSKEY_REPLY:
1670 value = le32_to_cpu(passkey);
1671 memset(smp->tk, 0, sizeof(smp->tk));
1672 bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1673 put_unaligned_le32(value, smp->tk);
1674 fallthrough;
1675 case MGMT_OP_USER_CONFIRM_REPLY:
1676 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1677 break;
1678 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1679 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1680 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1681 err = 0;
1682 goto unlock;
1683 default:
1684 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1685 err = -EOPNOTSUPP;
1686 goto unlock;
1687 }
1688
1689 err = 0;
1690
1691 /* If it is our turn to send Pairing Confirm, do so now */
1692 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1693 u8 rsp = smp_confirm(smp);
1694 if (rsp)
1695 smp_failure(conn, rsp);
1696 }
1697
1698 unlock:
1699 l2cap_chan_unlock(chan);
1700 return err;
1701 }
1702
build_bredr_pairing_cmd(struct smp_chan * smp,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp)1703 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1704 struct smp_cmd_pairing *req,
1705 struct smp_cmd_pairing *rsp)
1706 {
1707 struct l2cap_conn *conn = smp->conn;
1708 struct hci_dev *hdev = conn->hcon->hdev;
1709 u8 local_dist = 0, remote_dist = 0;
1710
1711 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1712 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1714 }
1715
1716 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1717 remote_dist |= SMP_DIST_ID_KEY;
1718
1719 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1720 local_dist |= SMP_DIST_ID_KEY;
1721
1722 if (!rsp) {
1723 memset(req, 0, sizeof(*req));
1724
1725 req->auth_req = SMP_AUTH_CT2;
1726 req->init_key_dist = local_dist;
1727 req->resp_key_dist = remote_dist;
1728 req->max_key_size = conn->hcon->enc_key_size;
1729
1730 smp->remote_key_dist = remote_dist;
1731
1732 return;
1733 }
1734
1735 memset(rsp, 0, sizeof(*rsp));
1736
1737 rsp->auth_req = SMP_AUTH_CT2;
1738 rsp->max_key_size = conn->hcon->enc_key_size;
1739 rsp->init_key_dist = req->init_key_dist & remote_dist;
1740 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1741
1742 smp->remote_key_dist = rsp->init_key_dist;
1743 }
1744
smp_cmd_pairing_req(struct l2cap_conn * conn,struct sk_buff * skb)1745 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1746 {
1747 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1748 struct l2cap_chan *chan = conn->smp;
1749 struct hci_dev *hdev = conn->hcon->hdev;
1750 struct smp_chan *smp;
1751 u8 key_size, auth, sec_level;
1752 int ret;
1753
1754 bt_dev_dbg(hdev, "conn %p", conn);
1755
1756 if (skb->len < sizeof(*req))
1757 return SMP_INVALID_PARAMS;
1758
1759 if (conn->hcon->role != HCI_ROLE_SLAVE)
1760 return SMP_CMD_NOTSUPP;
1761
1762 if (!chan->data)
1763 smp = smp_chan_create(conn);
1764 else
1765 smp = chan->data;
1766
1767 if (!smp)
1768 return SMP_UNSPECIFIED;
1769
1770 /* We didn't start the pairing, so match remote */
1771 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772
1773 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774 (auth & SMP_AUTH_BONDING))
1775 return SMP_PAIRING_NOTSUPP;
1776
1777 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778 return SMP_AUTH_REQUIREMENTS;
1779
1780 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781 memcpy(&smp->preq[1], req, sizeof(*req));
1782 skb_pull(skb, sizeof(*req));
1783
1784 /* If the remote side's OOB flag is set it means it has
1785 * successfully received our local OOB data - therefore set the
1786 * flag to indicate that local OOB is in use.
1787 */
1788 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1789 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790
1791 /* SMP over BR/EDR requires special treatment */
1792 if (conn->hcon->type == ACL_LINK) {
1793 /* We must have a BR/EDR SC link */
1794 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797
1798 set_bit(SMP_FLAG_SC, &smp->flags);
1799
1800 build_bredr_pairing_cmd(smp, req, &rsp);
1801
1802 if (req->auth_req & SMP_AUTH_CT2)
1803 set_bit(SMP_FLAG_CT2, &smp->flags);
1804
1805 key_size = min(req->max_key_size, rsp.max_key_size);
1806 if (check_enc_key_size(conn, key_size))
1807 return SMP_ENC_KEY_SIZE;
1808
1809 /* Clear bits which are generated but not distributed */
1810 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811
1812 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815
1816 smp_distribute_keys(smp);
1817 return 0;
1818 }
1819
1820 build_pairing_cmd(conn, req, &rsp, auth);
1821
1822 if (rsp.auth_req & SMP_AUTH_SC) {
1823 set_bit(SMP_FLAG_SC, &smp->flags);
1824
1825 if (rsp.auth_req & SMP_AUTH_CT2)
1826 set_bit(SMP_FLAG_CT2, &smp->flags);
1827 }
1828
1829 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830 sec_level = BT_SECURITY_MEDIUM;
1831 else
1832 sec_level = authreq_to_seclevel(auth);
1833
1834 if (sec_level > conn->hcon->pending_sec_level)
1835 conn->hcon->pending_sec_level = sec_level;
1836
1837 /* If we need MITM check that it can be achieved */
1838 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1839 u8 method;
1840
1841 method = get_auth_method(smp, conn->hcon->io_capability,
1842 req->io_capability);
1843 if (method == JUST_WORKS || method == JUST_CFM)
1844 return SMP_AUTH_REQUIREMENTS;
1845 }
1846
1847 key_size = min(req->max_key_size, rsp.max_key_size);
1848 if (check_enc_key_size(conn, key_size))
1849 return SMP_ENC_KEY_SIZE;
1850
1851 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852
1853 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855
1856 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857
1858 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859
1860 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1861 * SC case, however some implementations incorrectly copy RFU auth
1862 * req bits from our security request, which may create a false
1863 * positive SC enablement.
1864 */
1865 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866
1867 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869 /* Clear bits which are generated but not distributed */
1870 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871 /* Wait for Public Key from Initiating Device */
1872 return 0;
1873 }
1874
1875 /* Request setup of TK */
1876 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877 if (ret)
1878 return SMP_UNSPECIFIED;
1879
1880 return 0;
1881 }
1882
sc_send_public_key(struct smp_chan * smp)1883 static u8 sc_send_public_key(struct smp_chan *smp)
1884 {
1885 struct hci_dev *hdev = smp->conn->hcon->hdev;
1886
1887 bt_dev_dbg(hdev, "");
1888
1889 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890 struct l2cap_chan *chan = hdev->smp_data;
1891 struct smp_dev *smp_dev;
1892
1893 if (!chan || !chan->data)
1894 return SMP_UNSPECIFIED;
1895
1896 smp_dev = chan->data;
1897
1898 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899 memcpy(smp->lr, smp_dev->local_rand, 16);
1900
1901 if (smp_dev->debug_key)
1902 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1903
1904 goto done;
1905 }
1906
1907 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908 bt_dev_dbg(hdev, "Using debug keys");
1909 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910 return SMP_UNSPECIFIED;
1911 memcpy(smp->local_pk, debug_pk, 64);
1912 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1913 } else {
1914 while (true) {
1915 /* Generate key pair for Secure Connections */
1916 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917 return SMP_UNSPECIFIED;
1918
1919 /* This is unlikely, but we need to check that
1920 * we didn't accidentally generate a debug key.
1921 */
1922 if (crypto_memneq(smp->local_pk, debug_pk, 64))
1923 break;
1924 }
1925 }
1926
1927 done:
1928 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930
1931 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1932
1933 return 0;
1934 }
1935
smp_cmd_pairing_rsp(struct l2cap_conn * conn,struct sk_buff * skb)1936 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937 {
1938 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939 struct l2cap_chan *chan = conn->smp;
1940 struct smp_chan *smp = chan->data;
1941 struct hci_dev *hdev = conn->hcon->hdev;
1942 u8 key_size, auth;
1943 int ret;
1944
1945 bt_dev_dbg(hdev, "conn %p", conn);
1946
1947 if (skb->len < sizeof(*rsp))
1948 return SMP_INVALID_PARAMS;
1949
1950 if (conn->hcon->role != HCI_ROLE_MASTER)
1951 return SMP_CMD_NOTSUPP;
1952
1953 skb_pull(skb, sizeof(*rsp));
1954
1955 req = (void *) &smp->preq[1];
1956
1957 key_size = min(req->max_key_size, rsp->max_key_size);
1958 if (check_enc_key_size(conn, key_size))
1959 return SMP_ENC_KEY_SIZE;
1960
1961 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962
1963 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964 return SMP_AUTH_REQUIREMENTS;
1965
1966 /* If the remote side's OOB flag is set it means it has
1967 * successfully received our local OOB data - therefore set the
1968 * flag to indicate that local OOB is in use.
1969 */
1970 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1971 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972
1973 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975
1976 /* Update remote key distribution in case the remote cleared
1977 * some bits that we had enabled in our request.
1978 */
1979 smp->remote_key_dist &= rsp->resp_key_dist;
1980
1981 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982 set_bit(SMP_FLAG_CT2, &smp->flags);
1983
1984 /* For BR/EDR this means we're done and can start phase 3 */
1985 if (conn->hcon->type == ACL_LINK) {
1986 /* Clear bits which are generated but not distributed */
1987 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988 smp_distribute_keys(smp);
1989 return 0;
1990 }
1991
1992 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993 set_bit(SMP_FLAG_SC, &smp->flags);
1994 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996
1997 /* If we need MITM check that it can be achieved */
1998 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1999 u8 method;
2000
2001 method = get_auth_method(smp, req->io_capability,
2002 rsp->io_capability);
2003 if (method == JUST_WORKS || method == JUST_CFM)
2004 return SMP_AUTH_REQUIREMENTS;
2005 }
2006
2007 get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008
2009 /* Update remote key distribution in case the remote cleared
2010 * some bits that we had enabled in our request.
2011 */
2012 smp->remote_key_dist &= rsp->resp_key_dist;
2013
2014 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015 /* Clear bits which are generated but not distributed */
2016 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018 return sc_send_public_key(smp);
2019 }
2020
2021 auth |= req->auth_req;
2022
2023 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024 if (ret)
2025 return SMP_UNSPECIFIED;
2026
2027 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028
2029 /* Can't compose response until we have been confirmed */
2030 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031 return smp_confirm(smp);
2032
2033 return 0;
2034 }
2035
sc_check_confirm(struct smp_chan * smp)2036 static u8 sc_check_confirm(struct smp_chan *smp)
2037 {
2038 struct l2cap_conn *conn = smp->conn;
2039
2040 bt_dev_dbg(conn->hcon->hdev, "");
2041
2042 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044
2045 if (conn->hcon->out) {
2046 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047 smp->prnd);
2048 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2049 }
2050
2051 return 0;
2052 }
2053
2054 /* Work-around for some implementations that incorrectly copy RFU bits
2055 * from our security request and thereby create the impression that
2056 * we're doing SC when in fact the remote doesn't support it.
2057 */
fixup_sc_false_positive(struct smp_chan * smp)2058 static int fixup_sc_false_positive(struct smp_chan *smp)
2059 {
2060 struct l2cap_conn *conn = smp->conn;
2061 struct hci_conn *hcon = conn->hcon;
2062 struct hci_dev *hdev = hcon->hdev;
2063 struct smp_cmd_pairing *req, *rsp;
2064 u8 auth;
2065
2066 /* The issue is only observed when we're in responder role */
2067 if (hcon->out)
2068 return SMP_UNSPECIFIED;
2069
2070 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072 return SMP_UNSPECIFIED;
2073 }
2074
2075 bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076
2077 req = (void *) &smp->preq[1];
2078 rsp = (void *) &smp->prsp[1];
2079
2080 /* Rebuild key dist flags which may have been cleared for SC */
2081 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082
2083 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084
2085 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087 return SMP_UNSPECIFIED;
2088 }
2089
2090 clear_bit(SMP_FLAG_SC, &smp->flags);
2091
2092 return 0;
2093 }
2094
smp_cmd_pairing_confirm(struct l2cap_conn * conn,struct sk_buff * skb)2095 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096 {
2097 struct l2cap_chan *chan = conn->smp;
2098 struct smp_chan *smp = chan->data;
2099 struct hci_conn *hcon = conn->hcon;
2100 struct hci_dev *hdev = hcon->hdev;
2101
2102 bt_dev_dbg(hdev, "conn %p %s", conn,
2103 hcon->out ? "initiator" : "responder");
2104
2105 if (skb->len < sizeof(smp->pcnf))
2106 return SMP_INVALID_PARAMS;
2107
2108 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2109 skb_pull(skb, sizeof(smp->pcnf));
2110
2111 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2112 int ret;
2113
2114 /* Public Key exchange must happen before any other steps */
2115 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2116 return sc_check_confirm(smp);
2117
2118 bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2119
2120 ret = fixup_sc_false_positive(smp);
2121 if (ret)
2122 return ret;
2123 }
2124
2125 if (conn->hcon->out) {
2126 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2127 smp->prnd);
2128 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2129 return 0;
2130 }
2131
2132 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2133 return smp_confirm(smp);
2134
2135 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2136
2137 return 0;
2138 }
2139
smp_cmd_pairing_random(struct l2cap_conn * conn,struct sk_buff * skb)2140 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2141 {
2142 struct l2cap_chan *chan = conn->smp;
2143 struct smp_chan *smp = chan->data;
2144 struct hci_conn *hcon = conn->hcon;
2145 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2146 u32 passkey;
2147 int err;
2148
2149 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2150
2151 if (skb->len < sizeof(smp->rrnd))
2152 return SMP_INVALID_PARAMS;
2153
2154 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2155 skb_pull(skb, sizeof(smp->rrnd));
2156
2157 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2158 return smp_random(smp);
2159
2160 if (hcon->out) {
2161 pkax = smp->local_pk;
2162 pkbx = smp->remote_pk;
2163 na = smp->prnd;
2164 nb = smp->rrnd;
2165 } else {
2166 pkax = smp->remote_pk;
2167 pkbx = smp->local_pk;
2168 na = smp->rrnd;
2169 nb = smp->prnd;
2170 }
2171
2172 if (smp->method == REQ_OOB) {
2173 if (!hcon->out)
2174 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2175 sizeof(smp->prnd), smp->prnd);
2176 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177 goto mackey_and_ltk;
2178 }
2179
2180 /* Passkey entry has special treatment */
2181 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2182 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2183
2184 if (hcon->out) {
2185 u8 cfm[16];
2186
2187 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2188 smp->rrnd, 0, cfm);
2189 if (err)
2190 return SMP_UNSPECIFIED;
2191
2192 if (crypto_memneq(smp->pcnf, cfm, 16))
2193 return SMP_CONFIRM_FAILED;
2194 } else {
2195 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2196 smp->prnd);
2197 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2198
2199 /* Only Just-Works pairing requires extra checks */
2200 if (smp->method != JUST_WORKS)
2201 goto mackey_and_ltk;
2202
2203 /* If there already exists long term key in local host, leave
2204 * the decision to user space since the remote device could
2205 * be legitimate or malicious.
2206 */
2207 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2208 hcon->role)) {
2209 /* Set passkey to 0. The value can be any number since
2210 * it'll be ignored anyway.
2211 */
2212 passkey = 0;
2213 confirm_hint = 1;
2214 goto confirm;
2215 }
2216 }
2217
2218 mackey_and_ltk:
2219 /* Generate MacKey and LTK */
2220 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2221 if (err)
2222 return SMP_UNSPECIFIED;
2223
2224 if (smp->method == REQ_OOB) {
2225 if (hcon->out) {
2226 sc_dhkey_check(smp);
2227 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2228 }
2229 return 0;
2230 }
2231
2232 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2233 if (err)
2234 return SMP_UNSPECIFIED;
2235
2236 confirm_hint = 0;
2237
2238 confirm:
2239 if (smp->method == JUST_WORKS)
2240 confirm_hint = 1;
2241
2242 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2243 hcon->dst_type, passkey, confirm_hint);
2244 if (err)
2245 return SMP_UNSPECIFIED;
2246
2247 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2248
2249 return 0;
2250 }
2251
smp_ltk_encrypt(struct l2cap_conn * conn,u8 sec_level)2252 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2253 {
2254 struct smp_ltk *key;
2255 struct hci_conn *hcon = conn->hcon;
2256
2257 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2258 if (!key)
2259 return false;
2260
2261 if (smp_ltk_sec_level(key) < sec_level)
2262 return false;
2263
2264 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2265 return true;
2266
2267 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2268 hcon->enc_key_size = key->enc_size;
2269
2270 /* We never store STKs for initiator role, so clear this flag */
2271 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2272
2273 return true;
2274 }
2275
smp_sufficient_security(struct hci_conn * hcon,u8 sec_level,enum smp_key_pref key_pref)2276 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2277 enum smp_key_pref key_pref)
2278 {
2279 if (sec_level == BT_SECURITY_LOW)
2280 return true;
2281
2282 /* If we're encrypted with an STK but the caller prefers using
2283 * LTK claim insufficient security. This way we allow the
2284 * connection to be re-encrypted with an LTK, even if the LTK
2285 * provides the same level of security. Only exception is if we
2286 * don't have an LTK (e.g. because of key distribution bits).
2287 */
2288 if (key_pref == SMP_USE_LTK &&
2289 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2290 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2291 return false;
2292
2293 if (hcon->sec_level >= sec_level)
2294 return true;
2295
2296 return false;
2297 }
2298
smp_cmd_security_req(struct l2cap_conn * conn,struct sk_buff * skb)2299 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2300 {
2301 struct smp_cmd_security_req *rp = (void *) skb->data;
2302 struct smp_cmd_pairing cp;
2303 struct hci_conn *hcon = conn->hcon;
2304 struct hci_dev *hdev = hcon->hdev;
2305 struct smp_chan *smp;
2306 u8 sec_level, auth;
2307
2308 bt_dev_dbg(hdev, "conn %p", conn);
2309
2310 if (skb->len < sizeof(*rp))
2311 return SMP_INVALID_PARAMS;
2312
2313 if (hcon->role != HCI_ROLE_MASTER)
2314 return SMP_CMD_NOTSUPP;
2315
2316 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2317
2318 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2319 return SMP_AUTH_REQUIREMENTS;
2320
2321 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2322 sec_level = BT_SECURITY_MEDIUM;
2323 else
2324 sec_level = authreq_to_seclevel(auth);
2325
2326 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2327 /* If link is already encrypted with sufficient security we
2328 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2329 * Part H 2.4.6
2330 */
2331 smp_ltk_encrypt(conn, hcon->sec_level);
2332 return 0;
2333 }
2334
2335 if (sec_level > hcon->pending_sec_level)
2336 hcon->pending_sec_level = sec_level;
2337
2338 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2339 return 0;
2340
2341 smp = smp_chan_create(conn);
2342 if (!smp)
2343 return SMP_UNSPECIFIED;
2344
2345 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2346 (auth & SMP_AUTH_BONDING))
2347 return SMP_PAIRING_NOTSUPP;
2348
2349 skb_pull(skb, sizeof(*rp));
2350
2351 memset(&cp, 0, sizeof(cp));
2352 build_pairing_cmd(conn, &cp, NULL, auth);
2353
2354 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2355 memcpy(&smp->preq[1], &cp, sizeof(cp));
2356
2357 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2358 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2359
2360 return 0;
2361 }
2362
smp_conn_security(struct hci_conn * hcon,__u8 sec_level)2363 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2364 {
2365 struct l2cap_conn *conn = hcon->l2cap_data;
2366 struct l2cap_chan *chan;
2367 struct smp_chan *smp;
2368 __u8 authreq;
2369 int ret;
2370
2371 bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2372 sec_level);
2373
2374 /* This may be NULL if there's an unexpected disconnection */
2375 if (!conn)
2376 return 1;
2377
2378 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2379 return 1;
2380
2381 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2382 return 1;
2383
2384 if (sec_level > hcon->pending_sec_level)
2385 hcon->pending_sec_level = sec_level;
2386
2387 if (hcon->role == HCI_ROLE_MASTER)
2388 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2389 return 0;
2390
2391 chan = conn->smp;
2392 if (!chan) {
2393 bt_dev_err(hcon->hdev, "security requested but not available");
2394 return 1;
2395 }
2396
2397 l2cap_chan_lock(chan);
2398
2399 /* If SMP is already in progress ignore this request */
2400 if (chan->data) {
2401 ret = 0;
2402 goto unlock;
2403 }
2404
2405 smp = smp_chan_create(conn);
2406 if (!smp) {
2407 ret = 1;
2408 goto unlock;
2409 }
2410
2411 authreq = seclevel_to_authreq(sec_level);
2412
2413 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2414 authreq |= SMP_AUTH_SC;
2415 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2416 authreq |= SMP_AUTH_CT2;
2417 }
2418
2419 /* Don't attempt to set MITM if setting is overridden by debugfs
2420 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2421 */
2422 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2423 /* Require MITM if IO Capability allows or the security level
2424 * requires it.
2425 */
2426 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2427 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2428 authreq |= SMP_AUTH_MITM;
2429 }
2430
2431 if (hcon->role == HCI_ROLE_MASTER) {
2432 struct smp_cmd_pairing cp;
2433
2434 build_pairing_cmd(conn, &cp, NULL, authreq);
2435 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2436 memcpy(&smp->preq[1], &cp, sizeof(cp));
2437
2438 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2439 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2440 } else {
2441 struct smp_cmd_security_req cp;
2442 cp.auth_req = authreq;
2443 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2444 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2445 }
2446
2447 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2448 ret = 0;
2449
2450 unlock:
2451 l2cap_chan_unlock(chan);
2452 return ret;
2453 }
2454
smp_cancel_and_remove_pairing(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type)2455 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2456 u8 addr_type)
2457 {
2458 struct hci_conn *hcon;
2459 struct l2cap_conn *conn;
2460 struct l2cap_chan *chan;
2461 struct smp_chan *smp;
2462 int err;
2463
2464 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2465 hci_remove_irk(hdev, bdaddr, addr_type);
2466
2467 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2468 if (!hcon)
2469 goto done;
2470
2471 conn = hcon->l2cap_data;
2472 if (!conn)
2473 goto done;
2474
2475 chan = conn->smp;
2476 if (!chan)
2477 goto done;
2478
2479 l2cap_chan_lock(chan);
2480
2481 smp = chan->data;
2482 if (smp) {
2483 /* Set keys to NULL to make sure smp_failure() does not try to
2484 * remove and free already invalidated rcu list entries. */
2485 smp->ltk = NULL;
2486 smp->responder_ltk = NULL;
2487 smp->remote_irk = NULL;
2488
2489 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2490 smp_failure(conn, 0);
2491 else
2492 smp_failure(conn, SMP_UNSPECIFIED);
2493 err = 0;
2494 }
2495
2496 l2cap_chan_unlock(chan);
2497
2498 done:
2499 return err;
2500 }
2501
smp_cmd_encrypt_info(struct l2cap_conn * conn,struct sk_buff * skb)2502 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2503 {
2504 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2505 struct l2cap_chan *chan = conn->smp;
2506 struct smp_chan *smp = chan->data;
2507
2508 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2509
2510 if (skb->len < sizeof(*rp))
2511 return SMP_INVALID_PARAMS;
2512
2513 /* Pairing is aborted if any blocked keys are distributed */
2514 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2515 rp->ltk)) {
2516 bt_dev_warn_ratelimited(conn->hcon->hdev,
2517 "LTK blocked for %pMR",
2518 &conn->hcon->dst);
2519 return SMP_INVALID_PARAMS;
2520 }
2521
2522 SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2523
2524 skb_pull(skb, sizeof(*rp));
2525
2526 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2527
2528 return 0;
2529 }
2530
smp_cmd_initiator_ident(struct l2cap_conn * conn,struct sk_buff * skb)2531 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2532 {
2533 struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2534 struct l2cap_chan *chan = conn->smp;
2535 struct smp_chan *smp = chan->data;
2536 struct hci_dev *hdev = conn->hcon->hdev;
2537 struct hci_conn *hcon = conn->hcon;
2538 struct smp_ltk *ltk;
2539 u8 authenticated;
2540
2541 bt_dev_dbg(hdev, "conn %p", conn);
2542
2543 if (skb->len < sizeof(*rp))
2544 return SMP_INVALID_PARAMS;
2545
2546 /* Mark the information as received */
2547 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2548
2549 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2550 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2551 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2552 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2553
2554 skb_pull(skb, sizeof(*rp));
2555
2556 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2557 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2558 authenticated, smp->tk, smp->enc_key_size,
2559 rp->ediv, rp->rand);
2560 smp->ltk = ltk;
2561 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2562 smp_distribute_keys(smp);
2563
2564 return 0;
2565 }
2566
smp_cmd_ident_info(struct l2cap_conn * conn,struct sk_buff * skb)2567 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2568 {
2569 struct smp_cmd_ident_info *info = (void *) skb->data;
2570 struct l2cap_chan *chan = conn->smp;
2571 struct smp_chan *smp = chan->data;
2572
2573 bt_dev_dbg(conn->hcon->hdev, "");
2574
2575 if (skb->len < sizeof(*info))
2576 return SMP_INVALID_PARAMS;
2577
2578 /* Pairing is aborted if any blocked keys are distributed */
2579 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2580 info->irk)) {
2581 bt_dev_warn_ratelimited(conn->hcon->hdev,
2582 "Identity key blocked for %pMR",
2583 &conn->hcon->dst);
2584 return SMP_INVALID_PARAMS;
2585 }
2586
2587 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2588
2589 skb_pull(skb, sizeof(*info));
2590
2591 memcpy(smp->irk, info->irk, 16);
2592
2593 return 0;
2594 }
2595
smp_cmd_ident_addr_info(struct l2cap_conn * conn,struct sk_buff * skb)2596 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2597 struct sk_buff *skb)
2598 {
2599 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2600 struct l2cap_chan *chan = conn->smp;
2601 struct smp_chan *smp = chan->data;
2602 struct hci_conn *hcon = conn->hcon;
2603 bdaddr_t rpa;
2604
2605 bt_dev_dbg(hcon->hdev, "");
2606
2607 if (skb->len < sizeof(*info))
2608 return SMP_INVALID_PARAMS;
2609
2610 /* Mark the information as received */
2611 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2612
2613 if (smp->remote_key_dist & SMP_DIST_SIGN)
2614 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2615
2616 skb_pull(skb, sizeof(*info));
2617
2618 /* Strictly speaking the Core Specification (4.1) allows sending
2619 * an empty address which would force us to rely on just the IRK
2620 * as "identity information". However, since such
2621 * implementations are not known of and in order to not over
2622 * complicate our implementation, simply pretend that we never
2623 * received an IRK for such a device.
2624 *
2625 * The Identity Address must also be a Static Random or Public
2626 * Address, which hci_is_identity_address() checks for.
2627 */
2628 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2629 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2630 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2631 goto distribute;
2632 }
2633
2634 /* Drop IRK if peer is using identity address during pairing but is
2635 * providing different address as identity information.
2636 *
2637 * Microsoft Surface Precision Mouse is known to have this bug.
2638 */
2639 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2640 (bacmp(&info->bdaddr, &hcon->dst) ||
2641 info->addr_type != hcon->dst_type)) {
2642 bt_dev_err(hcon->hdev,
2643 "ignoring IRK with invalid identity address");
2644 goto distribute;
2645 }
2646
2647 bacpy(&smp->id_addr, &info->bdaddr);
2648 smp->id_addr_type = info->addr_type;
2649
2650 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2651 bacpy(&rpa, &hcon->dst);
2652 else
2653 bacpy(&rpa, BDADDR_ANY);
2654
2655 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2656 smp->id_addr_type, smp->irk, &rpa);
2657
2658 distribute:
2659 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2660 smp_distribute_keys(smp);
2661
2662 return 0;
2663 }
2664
smp_cmd_sign_info(struct l2cap_conn * conn,struct sk_buff * skb)2665 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2666 {
2667 struct smp_cmd_sign_info *rp = (void *) skb->data;
2668 struct l2cap_chan *chan = conn->smp;
2669 struct smp_chan *smp = chan->data;
2670 struct smp_csrk *csrk;
2671
2672 bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2673
2674 if (skb->len < sizeof(*rp))
2675 return SMP_INVALID_PARAMS;
2676
2677 /* Mark the information as received */
2678 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2679
2680 skb_pull(skb, sizeof(*rp));
2681
2682 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2683 if (csrk) {
2684 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2685 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2686 else
2687 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2688 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2689 }
2690 smp->csrk = csrk;
2691 smp_distribute_keys(smp);
2692
2693 return 0;
2694 }
2695
sc_select_method(struct smp_chan * smp)2696 static u8 sc_select_method(struct smp_chan *smp)
2697 {
2698 struct l2cap_conn *conn = smp->conn;
2699 struct hci_conn *hcon = conn->hcon;
2700 struct smp_cmd_pairing *local, *remote;
2701 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2702
2703 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2704 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2705 return REQ_OOB;
2706
2707 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2708 * which are needed as inputs to some crypto functions. To get
2709 * the "struct smp_cmd_pairing" from them we need to skip the
2710 * first byte which contains the opcode.
2711 */
2712 if (hcon->out) {
2713 local = (void *) &smp->preq[1];
2714 remote = (void *) &smp->prsp[1];
2715 } else {
2716 local = (void *) &smp->prsp[1];
2717 remote = (void *) &smp->preq[1];
2718 }
2719
2720 local_io = local->io_capability;
2721 remote_io = remote->io_capability;
2722
2723 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2724 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2725
2726 /* If either side wants MITM, look up the method from the table,
2727 * otherwise use JUST WORKS.
2728 */
2729 if (local_mitm || remote_mitm)
2730 method = get_auth_method(smp, local_io, remote_io);
2731 else
2732 method = JUST_WORKS;
2733
2734 /* Don't confirm locally initiated pairing attempts */
2735 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2736 method = JUST_WORKS;
2737
2738 return method;
2739 }
2740
smp_cmd_public_key(struct l2cap_conn * conn,struct sk_buff * skb)2741 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2742 {
2743 struct smp_cmd_public_key *key = (void *) skb->data;
2744 struct hci_conn *hcon = conn->hcon;
2745 struct l2cap_chan *chan = conn->smp;
2746 struct smp_chan *smp = chan->data;
2747 struct hci_dev *hdev = hcon->hdev;
2748 struct crypto_kpp *tfm_ecdh;
2749 struct smp_cmd_pairing_confirm cfm;
2750 int err;
2751
2752 bt_dev_dbg(hdev, "conn %p", conn);
2753
2754 if (skb->len < sizeof(*key))
2755 return SMP_INVALID_PARAMS;
2756
2757 /* Check if remote and local public keys are the same and debug key is
2758 * not in use.
2759 */
2760 if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2761 !crypto_memneq(key, smp->local_pk, 64)) {
2762 bt_dev_err(hdev, "Remote and local public keys are identical");
2763 return SMP_UNSPECIFIED;
2764 }
2765
2766 memcpy(smp->remote_pk, key, 64);
2767
2768 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2769 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2770 smp->rr, 0, cfm.confirm_val);
2771 if (err)
2772 return SMP_UNSPECIFIED;
2773
2774 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2775 return SMP_CONFIRM_FAILED;
2776 }
2777
2778 /* Non-initiating device sends its public key after receiving
2779 * the key from the initiating device.
2780 */
2781 if (!hcon->out) {
2782 err = sc_send_public_key(smp);
2783 if (err)
2784 return err;
2785 }
2786
2787 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2788 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2789
2790 /* Compute the shared secret on the same crypto tfm on which the private
2791 * key was set/generated.
2792 */
2793 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2794 struct l2cap_chan *hchan = hdev->smp_data;
2795 struct smp_dev *smp_dev;
2796
2797 if (!hchan || !hchan->data)
2798 return SMP_UNSPECIFIED;
2799
2800 smp_dev = hchan->data;
2801
2802 tfm_ecdh = smp_dev->tfm_ecdh;
2803 } else {
2804 tfm_ecdh = smp->tfm_ecdh;
2805 }
2806
2807 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2808 return SMP_UNSPECIFIED;
2809
2810 SMP_DBG("DHKey %32phN", smp->dhkey);
2811
2812 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2813
2814 smp->method = sc_select_method(smp);
2815
2816 bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2817
2818 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2819 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2820 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2821 else
2822 hcon->pending_sec_level = BT_SECURITY_FIPS;
2823
2824 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2825 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2826
2827 if (smp->method == DSP_PASSKEY) {
2828 get_random_bytes(&hcon->passkey_notify,
2829 sizeof(hcon->passkey_notify));
2830 hcon->passkey_notify %= 1000000;
2831 hcon->passkey_entered = 0;
2832 smp->passkey_round = 0;
2833 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2834 hcon->dst_type,
2835 hcon->passkey_notify,
2836 hcon->passkey_entered))
2837 return SMP_UNSPECIFIED;
2838 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2839 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2840 }
2841
2842 if (smp->method == REQ_OOB) {
2843 if (hcon->out)
2844 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2845 sizeof(smp->prnd), smp->prnd);
2846
2847 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2848
2849 return 0;
2850 }
2851
2852 if (hcon->out)
2853 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2854
2855 if (smp->method == REQ_PASSKEY) {
2856 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2857 hcon->dst_type))
2858 return SMP_UNSPECIFIED;
2859 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2860 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2861 return 0;
2862 }
2863
2864 /* The Initiating device waits for the non-initiating device to
2865 * send the confirm value.
2866 */
2867 if (conn->hcon->out)
2868 return 0;
2869
2870 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2871 0, cfm.confirm_val);
2872 if (err)
2873 return SMP_UNSPECIFIED;
2874
2875 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2876 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2877
2878 return 0;
2879 }
2880
smp_cmd_dhkey_check(struct l2cap_conn * conn,struct sk_buff * skb)2881 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2882 {
2883 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2884 struct l2cap_chan *chan = conn->smp;
2885 struct hci_conn *hcon = conn->hcon;
2886 struct smp_chan *smp = chan->data;
2887 u8 a[7], b[7], *local_addr, *remote_addr;
2888 u8 io_cap[3], r[16], e[16];
2889 int err;
2890
2891 bt_dev_dbg(hcon->hdev, "conn %p", conn);
2892
2893 if (skb->len < sizeof(*check))
2894 return SMP_INVALID_PARAMS;
2895
2896 memcpy(a, &hcon->init_addr, 6);
2897 memcpy(b, &hcon->resp_addr, 6);
2898 a[6] = hcon->init_addr_type;
2899 b[6] = hcon->resp_addr_type;
2900
2901 if (hcon->out) {
2902 local_addr = a;
2903 remote_addr = b;
2904 memcpy(io_cap, &smp->prsp[1], 3);
2905 } else {
2906 local_addr = b;
2907 remote_addr = a;
2908 memcpy(io_cap, &smp->preq[1], 3);
2909 }
2910
2911 memset(r, 0, sizeof(r));
2912
2913 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2914 put_unaligned_le32(hcon->passkey_notify, r);
2915 else if (smp->method == REQ_OOB)
2916 memcpy(r, smp->lr, 16);
2917
2918 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2919 io_cap, remote_addr, local_addr, e);
2920 if (err)
2921 return SMP_UNSPECIFIED;
2922
2923 if (crypto_memneq(check->e, e, 16))
2924 return SMP_DHKEY_CHECK_FAILED;
2925
2926 if (!hcon->out) {
2927 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2928 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2929 return 0;
2930 }
2931
2932 /* Responder sends DHKey check as response to initiator */
2933 sc_dhkey_check(smp);
2934 }
2935
2936 sc_add_ltk(smp);
2937
2938 if (hcon->out) {
2939 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2940 hcon->enc_key_size = smp->enc_key_size;
2941 }
2942
2943 return 0;
2944 }
2945
smp_cmd_keypress_notify(struct l2cap_conn * conn,struct sk_buff * skb)2946 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2947 struct sk_buff *skb)
2948 {
2949 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2950
2951 bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2952
2953 return 0;
2954 }
2955
smp_sig_channel(struct l2cap_chan * chan,struct sk_buff * skb)2956 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2957 {
2958 struct l2cap_conn *conn = chan->conn;
2959 struct hci_conn *hcon = conn->hcon;
2960 struct smp_chan *smp;
2961 __u8 code, reason;
2962 int err = 0;
2963
2964 if (skb->len < 1)
2965 return -EILSEQ;
2966
2967 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2968 reason = SMP_PAIRING_NOTSUPP;
2969 goto done;
2970 }
2971
2972 code = skb->data[0];
2973 skb_pull(skb, sizeof(code));
2974
2975 smp = chan->data;
2976
2977 if (code > SMP_CMD_MAX)
2978 goto drop;
2979
2980 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2981 goto drop;
2982
2983 /* If we don't have a context the only allowed commands are
2984 * pairing request and security request.
2985 */
2986 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2987 goto drop;
2988
2989 switch (code) {
2990 case SMP_CMD_PAIRING_REQ:
2991 reason = smp_cmd_pairing_req(conn, skb);
2992 break;
2993
2994 case SMP_CMD_PAIRING_FAIL:
2995 smp_failure(conn, 0);
2996 err = -EPERM;
2997 break;
2998
2999 case SMP_CMD_PAIRING_RSP:
3000 reason = smp_cmd_pairing_rsp(conn, skb);
3001 break;
3002
3003 case SMP_CMD_SECURITY_REQ:
3004 reason = smp_cmd_security_req(conn, skb);
3005 break;
3006
3007 case SMP_CMD_PAIRING_CONFIRM:
3008 reason = smp_cmd_pairing_confirm(conn, skb);
3009 break;
3010
3011 case SMP_CMD_PAIRING_RANDOM:
3012 reason = smp_cmd_pairing_random(conn, skb);
3013 break;
3014
3015 case SMP_CMD_ENCRYPT_INFO:
3016 reason = smp_cmd_encrypt_info(conn, skb);
3017 break;
3018
3019 case SMP_CMD_INITIATOR_IDENT:
3020 reason = smp_cmd_initiator_ident(conn, skb);
3021 break;
3022
3023 case SMP_CMD_IDENT_INFO:
3024 reason = smp_cmd_ident_info(conn, skb);
3025 break;
3026
3027 case SMP_CMD_IDENT_ADDR_INFO:
3028 reason = smp_cmd_ident_addr_info(conn, skb);
3029 break;
3030
3031 case SMP_CMD_SIGN_INFO:
3032 reason = smp_cmd_sign_info(conn, skb);
3033 break;
3034
3035 case SMP_CMD_PUBLIC_KEY:
3036 reason = smp_cmd_public_key(conn, skb);
3037 break;
3038
3039 case SMP_CMD_DHKEY_CHECK:
3040 reason = smp_cmd_dhkey_check(conn, skb);
3041 break;
3042
3043 case SMP_CMD_KEYPRESS_NOTIFY:
3044 reason = smp_cmd_keypress_notify(conn, skb);
3045 break;
3046
3047 default:
3048 bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3049 reason = SMP_CMD_NOTSUPP;
3050 goto done;
3051 }
3052
3053 done:
3054 if (!err) {
3055 if (reason)
3056 smp_failure(conn, reason);
3057 kfree_skb(skb);
3058 }
3059
3060 return err;
3061
3062 drop:
3063 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3064 code, &hcon->dst);
3065 kfree_skb(skb);
3066 return 0;
3067 }
3068
smp_teardown_cb(struct l2cap_chan * chan,int err)3069 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3070 {
3071 struct l2cap_conn *conn = chan->conn;
3072
3073 bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3074
3075 if (chan->data)
3076 smp_chan_destroy(conn);
3077
3078 conn->smp = NULL;
3079 l2cap_chan_put(chan);
3080 }
3081
bredr_pairing(struct l2cap_chan * chan)3082 static void bredr_pairing(struct l2cap_chan *chan)
3083 {
3084 struct l2cap_conn *conn = chan->conn;
3085 struct hci_conn *hcon = conn->hcon;
3086 struct hci_dev *hdev = hcon->hdev;
3087 struct smp_cmd_pairing req;
3088 struct smp_chan *smp;
3089
3090 bt_dev_dbg(hdev, "chan %p", chan);
3091
3092 /* Only new pairings are interesting */
3093 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3094 return;
3095
3096 /* Don't bother if we're not encrypted */
3097 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3098 return;
3099
3100 /* Only initiator may initiate SMP over BR/EDR */
3101 if (hcon->role != HCI_ROLE_MASTER)
3102 return;
3103
3104 /* Secure Connections support must be enabled */
3105 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3106 return;
3107
3108 /* BR/EDR must use Secure Connections for SMP */
3109 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3110 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3111 return;
3112
3113 /* If our LE support is not enabled don't do anything */
3114 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3115 return;
3116
3117 /* Don't bother if remote LE support is not enabled */
3118 if (!lmp_host_le_capable(hcon))
3119 return;
3120
3121 /* Remote must support SMP fixed chan for BR/EDR */
3122 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3123 return;
3124
3125 /* Don't bother if SMP is already ongoing */
3126 if (chan->data)
3127 return;
3128
3129 smp = smp_chan_create(conn);
3130 if (!smp) {
3131 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3132 return;
3133 }
3134
3135 set_bit(SMP_FLAG_SC, &smp->flags);
3136
3137 bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3138
3139 /* Prepare and send the BR/EDR SMP Pairing Request */
3140 build_bredr_pairing_cmd(smp, &req, NULL);
3141
3142 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3143 memcpy(&smp->preq[1], &req, sizeof(req));
3144
3145 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3146 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3147 }
3148
smp_resume_cb(struct l2cap_chan * chan)3149 static void smp_resume_cb(struct l2cap_chan *chan)
3150 {
3151 struct smp_chan *smp = chan->data;
3152 struct l2cap_conn *conn = chan->conn;
3153 struct hci_conn *hcon = conn->hcon;
3154
3155 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3156
3157 if (hcon->type == ACL_LINK) {
3158 bredr_pairing(chan);
3159 return;
3160 }
3161
3162 if (!smp)
3163 return;
3164
3165 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3166 return;
3167
3168 cancel_delayed_work(&smp->security_timer);
3169
3170 smp_distribute_keys(smp);
3171 }
3172
smp_ready_cb(struct l2cap_chan * chan)3173 static void smp_ready_cb(struct l2cap_chan *chan)
3174 {
3175 struct l2cap_conn *conn = chan->conn;
3176 struct hci_conn *hcon = conn->hcon;
3177
3178 bt_dev_dbg(hcon->hdev, "chan %p", chan);
3179
3180 /* No need to call l2cap_chan_hold() here since we already own
3181 * the reference taken in smp_new_conn_cb(). This is just the
3182 * first time that we tie it to a specific pointer. The code in
3183 * l2cap_core.c ensures that there's no risk this function wont
3184 * get called if smp_new_conn_cb was previously called.
3185 */
3186 conn->smp = chan;
3187
3188 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3189 bredr_pairing(chan);
3190 }
3191
smp_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)3192 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3193 {
3194 int err;
3195
3196 bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3197
3198 err = smp_sig_channel(chan, skb);
3199 if (err) {
3200 struct smp_chan *smp = chan->data;
3201
3202 if (smp)
3203 cancel_delayed_work_sync(&smp->security_timer);
3204
3205 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3206 }
3207
3208 return err;
3209 }
3210
smp_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)3211 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3212 unsigned long hdr_len,
3213 unsigned long len, int nb)
3214 {
3215 struct sk_buff *skb;
3216
3217 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3218 if (!skb)
3219 return ERR_PTR(-ENOMEM);
3220
3221 skb->priority = HCI_PRIO_MAX;
3222 bt_cb(skb)->l2cap.chan = chan;
3223
3224 return skb;
3225 }
3226
3227 static const struct l2cap_ops smp_chan_ops = {
3228 .name = "Security Manager",
3229 .ready = smp_ready_cb,
3230 .recv = smp_recv_cb,
3231 .alloc_skb = smp_alloc_skb_cb,
3232 .teardown = smp_teardown_cb,
3233 .resume = smp_resume_cb,
3234
3235 .new_connection = l2cap_chan_no_new_connection,
3236 .state_change = l2cap_chan_no_state_change,
3237 .close = l2cap_chan_no_close,
3238 .defer = l2cap_chan_no_defer,
3239 .suspend = l2cap_chan_no_suspend,
3240 .set_shutdown = l2cap_chan_no_set_shutdown,
3241 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3242 };
3243
smp_new_conn_cb(struct l2cap_chan * pchan)3244 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3245 {
3246 struct l2cap_chan *chan;
3247
3248 BT_DBG("pchan %p", pchan);
3249
3250 chan = l2cap_chan_create();
3251 if (!chan)
3252 return NULL;
3253
3254 chan->chan_type = pchan->chan_type;
3255 chan->ops = &smp_chan_ops;
3256 chan->scid = pchan->scid;
3257 chan->dcid = chan->scid;
3258 chan->imtu = pchan->imtu;
3259 chan->omtu = pchan->omtu;
3260 chan->mode = pchan->mode;
3261
3262 /* Other L2CAP channels may request SMP routines in order to
3263 * change the security level. This means that the SMP channel
3264 * lock must be considered in its own category to avoid lockdep
3265 * warnings.
3266 */
3267 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3268
3269 BT_DBG("created chan %p", chan);
3270
3271 return chan;
3272 }
3273
3274 static const struct l2cap_ops smp_root_chan_ops = {
3275 .name = "Security Manager Root",
3276 .new_connection = smp_new_conn_cb,
3277
3278 /* None of these are implemented for the root channel */
3279 .close = l2cap_chan_no_close,
3280 .alloc_skb = l2cap_chan_no_alloc_skb,
3281 .recv = l2cap_chan_no_recv,
3282 .state_change = l2cap_chan_no_state_change,
3283 .teardown = l2cap_chan_no_teardown,
3284 .ready = l2cap_chan_no_ready,
3285 .defer = l2cap_chan_no_defer,
3286 .suspend = l2cap_chan_no_suspend,
3287 .resume = l2cap_chan_no_resume,
3288 .set_shutdown = l2cap_chan_no_set_shutdown,
3289 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3290 };
3291
smp_add_cid(struct hci_dev * hdev,u16 cid)3292 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3293 {
3294 struct l2cap_chan *chan;
3295 struct smp_dev *smp;
3296 struct crypto_shash *tfm_cmac;
3297 struct crypto_kpp *tfm_ecdh;
3298
3299 if (cid == L2CAP_CID_SMP_BREDR) {
3300 smp = NULL;
3301 goto create_chan;
3302 }
3303
3304 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3305 if (!smp)
3306 return ERR_PTR(-ENOMEM);
3307
3308 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3309 if (IS_ERR(tfm_cmac)) {
3310 bt_dev_err(hdev, "Unable to create CMAC crypto context");
3311 kfree_sensitive(smp);
3312 return ERR_CAST(tfm_cmac);
3313 }
3314
3315 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3316 if (IS_ERR(tfm_ecdh)) {
3317 bt_dev_err(hdev, "Unable to create ECDH crypto context");
3318 crypto_free_shash(tfm_cmac);
3319 kfree_sensitive(smp);
3320 return ERR_CAST(tfm_ecdh);
3321 }
3322
3323 smp->local_oob = false;
3324 smp->tfm_cmac = tfm_cmac;
3325 smp->tfm_ecdh = tfm_ecdh;
3326
3327 create_chan:
3328 chan = l2cap_chan_create();
3329 if (!chan) {
3330 if (smp) {
3331 crypto_free_shash(smp->tfm_cmac);
3332 crypto_free_kpp(smp->tfm_ecdh);
3333 kfree_sensitive(smp);
3334 }
3335 return ERR_PTR(-ENOMEM);
3336 }
3337
3338 chan->data = smp;
3339
3340 l2cap_add_scid(chan, cid);
3341
3342 l2cap_chan_set_defaults(chan);
3343
3344 if (cid == L2CAP_CID_SMP) {
3345 u8 bdaddr_type;
3346
3347 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3348
3349 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3350 chan->src_type = BDADDR_LE_PUBLIC;
3351 else
3352 chan->src_type = BDADDR_LE_RANDOM;
3353 } else {
3354 bacpy(&chan->src, &hdev->bdaddr);
3355 chan->src_type = BDADDR_BREDR;
3356 }
3357
3358 chan->state = BT_LISTEN;
3359 chan->mode = L2CAP_MODE_BASIC;
3360 chan->imtu = L2CAP_DEFAULT_MTU;
3361 chan->ops = &smp_root_chan_ops;
3362
3363 /* Set correct nesting level for a parent/listening channel */
3364 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3365
3366 return chan;
3367 }
3368
smp_del_chan(struct l2cap_chan * chan)3369 static void smp_del_chan(struct l2cap_chan *chan)
3370 {
3371 struct smp_dev *smp;
3372
3373 BT_DBG("chan %p", chan);
3374
3375 smp = chan->data;
3376 if (smp) {
3377 chan->data = NULL;
3378 crypto_free_shash(smp->tfm_cmac);
3379 crypto_free_kpp(smp->tfm_ecdh);
3380 kfree_sensitive(smp);
3381 }
3382
3383 l2cap_chan_put(chan);
3384 }
3385
smp_force_bredr(struct hci_dev * hdev,bool enable)3386 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3387 {
3388 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3389 return -EALREADY;
3390
3391 if (enable) {
3392 struct l2cap_chan *chan;
3393
3394 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3395 if (IS_ERR(chan))
3396 return PTR_ERR(chan);
3397
3398 hdev->smp_bredr_data = chan;
3399 } else {
3400 struct l2cap_chan *chan;
3401
3402 chan = hdev->smp_bredr_data;
3403 hdev->smp_bredr_data = NULL;
3404 smp_del_chan(chan);
3405 }
3406
3407 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3408
3409 return 0;
3410 }
3411
smp_register(struct hci_dev * hdev)3412 int smp_register(struct hci_dev *hdev)
3413 {
3414 struct l2cap_chan *chan;
3415
3416 bt_dev_dbg(hdev, "");
3417
3418 /* If the controller does not support Low Energy operation, then
3419 * there is also no need to register any SMP channel.
3420 */
3421 if (!lmp_le_capable(hdev))
3422 return 0;
3423
3424 if (WARN_ON(hdev->smp_data)) {
3425 chan = hdev->smp_data;
3426 hdev->smp_data = NULL;
3427 smp_del_chan(chan);
3428 }
3429
3430 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3431 if (IS_ERR(chan))
3432 return PTR_ERR(chan);
3433
3434 hdev->smp_data = chan;
3435
3436 if (!lmp_sc_capable(hdev)) {
3437 /* Flag can be already set here (due to power toggle) */
3438 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3439 return 0;
3440 }
3441
3442 if (WARN_ON(hdev->smp_bredr_data)) {
3443 chan = hdev->smp_bredr_data;
3444 hdev->smp_bredr_data = NULL;
3445 smp_del_chan(chan);
3446 }
3447
3448 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3449 if (IS_ERR(chan)) {
3450 int err = PTR_ERR(chan);
3451 chan = hdev->smp_data;
3452 hdev->smp_data = NULL;
3453 smp_del_chan(chan);
3454 return err;
3455 }
3456
3457 hdev->smp_bredr_data = chan;
3458
3459 return 0;
3460 }
3461
smp_unregister(struct hci_dev * hdev)3462 void smp_unregister(struct hci_dev *hdev)
3463 {
3464 struct l2cap_chan *chan;
3465
3466 if (hdev->smp_bredr_data) {
3467 chan = hdev->smp_bredr_data;
3468 hdev->smp_bredr_data = NULL;
3469 smp_del_chan(chan);
3470 }
3471
3472 if (hdev->smp_data) {
3473 chan = hdev->smp_data;
3474 hdev->smp_data = NULL;
3475 smp_del_chan(chan);
3476 }
3477 }
3478
3479 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3480
test_debug_key(struct crypto_kpp * tfm_ecdh)3481 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3482 {
3483 u8 pk[64];
3484 int err;
3485
3486 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3487 if (err)
3488 return err;
3489
3490 err = generate_ecdh_public_key(tfm_ecdh, pk);
3491 if (err)
3492 return err;
3493
3494 if (crypto_memneq(pk, debug_pk, 64))
3495 return -EINVAL;
3496
3497 return 0;
3498 }
3499
test_ah(void)3500 static int __init test_ah(void)
3501 {
3502 const u8 irk[16] = {
3503 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3504 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3505 const u8 r[3] = { 0x94, 0x81, 0x70 };
3506 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3507 u8 res[3];
3508 int err;
3509
3510 err = smp_ah(irk, r, res);
3511 if (err)
3512 return err;
3513
3514 if (crypto_memneq(res, exp, 3))
3515 return -EINVAL;
3516
3517 return 0;
3518 }
3519
test_c1(void)3520 static int __init test_c1(void)
3521 {
3522 const u8 k[16] = {
3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3525 const u8 r[16] = {
3526 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3527 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3528 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3529 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3530 const u8 _iat = 0x01;
3531 const u8 _rat = 0x00;
3532 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3533 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3534 const u8 exp[16] = {
3535 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3536 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3537 u8 res[16];
3538 int err;
3539
3540 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3541 if (err)
3542 return err;
3543
3544 if (crypto_memneq(res, exp, 16))
3545 return -EINVAL;
3546
3547 return 0;
3548 }
3549
test_s1(void)3550 static int __init test_s1(void)
3551 {
3552 const u8 k[16] = {
3553 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3555 const u8 r1[16] = {
3556 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3557 const u8 r2[16] = {
3558 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3559 const u8 exp[16] = {
3560 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3561 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3562 u8 res[16];
3563 int err;
3564
3565 err = smp_s1(k, r1, r2, res);
3566 if (err)
3567 return err;
3568
3569 if (crypto_memneq(res, exp, 16))
3570 return -EINVAL;
3571
3572 return 0;
3573 }
3574
test_f4(struct crypto_shash * tfm_cmac)3575 static int __init test_f4(struct crypto_shash *tfm_cmac)
3576 {
3577 const u8 u[32] = {
3578 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3579 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3580 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3581 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3582 const u8 v[32] = {
3583 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3584 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3585 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3586 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3587 const u8 x[16] = {
3588 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3589 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3590 const u8 z = 0x00;
3591 const u8 exp[16] = {
3592 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3593 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3594 u8 res[16];
3595 int err;
3596
3597 err = smp_f4(tfm_cmac, u, v, x, z, res);
3598 if (err)
3599 return err;
3600
3601 if (crypto_memneq(res, exp, 16))
3602 return -EINVAL;
3603
3604 return 0;
3605 }
3606
test_f5(struct crypto_shash * tfm_cmac)3607 static int __init test_f5(struct crypto_shash *tfm_cmac)
3608 {
3609 const u8 w[32] = {
3610 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3611 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3612 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3613 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3614 const u8 n1[16] = {
3615 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3616 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3617 const u8 n2[16] = {
3618 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3619 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3620 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3621 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3622 const u8 exp_ltk[16] = {
3623 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3624 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3625 const u8 exp_mackey[16] = {
3626 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3627 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3628 u8 mackey[16], ltk[16];
3629 int err;
3630
3631 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3632 if (err)
3633 return err;
3634
3635 if (crypto_memneq(mackey, exp_mackey, 16))
3636 return -EINVAL;
3637
3638 if (crypto_memneq(ltk, exp_ltk, 16))
3639 return -EINVAL;
3640
3641 return 0;
3642 }
3643
test_f6(struct crypto_shash * tfm_cmac)3644 static int __init test_f6(struct crypto_shash *tfm_cmac)
3645 {
3646 const u8 w[16] = {
3647 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3648 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3649 const u8 n1[16] = {
3650 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3651 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3652 const u8 n2[16] = {
3653 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3654 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3655 const u8 r[16] = {
3656 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3657 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3658 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3659 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3660 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3661 const u8 exp[16] = {
3662 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3663 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3664 u8 res[16];
3665 int err;
3666
3667 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3668 if (err)
3669 return err;
3670
3671 if (crypto_memneq(res, exp, 16))
3672 return -EINVAL;
3673
3674 return 0;
3675 }
3676
test_g2(struct crypto_shash * tfm_cmac)3677 static int __init test_g2(struct crypto_shash *tfm_cmac)
3678 {
3679 const u8 u[32] = {
3680 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3681 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3682 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3683 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3684 const u8 v[32] = {
3685 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3686 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3687 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3688 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3689 const u8 x[16] = {
3690 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3691 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3692 const u8 y[16] = {
3693 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3694 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3695 const u32 exp_val = 0x2f9ed5ba % 1000000;
3696 u32 val;
3697 int err;
3698
3699 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3700 if (err)
3701 return err;
3702
3703 if (val != exp_val)
3704 return -EINVAL;
3705
3706 return 0;
3707 }
3708
test_h6(struct crypto_shash * tfm_cmac)3709 static int __init test_h6(struct crypto_shash *tfm_cmac)
3710 {
3711 const u8 w[16] = {
3712 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3713 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3714 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3715 const u8 exp[16] = {
3716 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3717 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3718 u8 res[16];
3719 int err;
3720
3721 err = smp_h6(tfm_cmac, w, key_id, res);
3722 if (err)
3723 return err;
3724
3725 if (crypto_memneq(res, exp, 16))
3726 return -EINVAL;
3727
3728 return 0;
3729 }
3730
3731 static char test_smp_buffer[32];
3732
test_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3733 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3734 size_t count, loff_t *ppos)
3735 {
3736 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3737 strlen(test_smp_buffer));
3738 }
3739
3740 static const struct file_operations test_smp_fops = {
3741 .open = simple_open,
3742 .read = test_smp_read,
3743 .llseek = default_llseek,
3744 };
3745
run_selftests(struct crypto_shash * tfm_cmac,struct crypto_kpp * tfm_ecdh)3746 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3747 struct crypto_kpp *tfm_ecdh)
3748 {
3749 ktime_t calltime, delta, rettime;
3750 unsigned long long duration;
3751 int err;
3752
3753 calltime = ktime_get();
3754
3755 err = test_debug_key(tfm_ecdh);
3756 if (err) {
3757 BT_ERR("debug_key test failed");
3758 goto done;
3759 }
3760
3761 err = test_ah();
3762 if (err) {
3763 BT_ERR("smp_ah test failed");
3764 goto done;
3765 }
3766
3767 err = test_c1();
3768 if (err) {
3769 BT_ERR("smp_c1 test failed");
3770 goto done;
3771 }
3772
3773 err = test_s1();
3774 if (err) {
3775 BT_ERR("smp_s1 test failed");
3776 goto done;
3777 }
3778
3779 err = test_f4(tfm_cmac);
3780 if (err) {
3781 BT_ERR("smp_f4 test failed");
3782 goto done;
3783 }
3784
3785 err = test_f5(tfm_cmac);
3786 if (err) {
3787 BT_ERR("smp_f5 test failed");
3788 goto done;
3789 }
3790
3791 err = test_f6(tfm_cmac);
3792 if (err) {
3793 BT_ERR("smp_f6 test failed");
3794 goto done;
3795 }
3796
3797 err = test_g2(tfm_cmac);
3798 if (err) {
3799 BT_ERR("smp_g2 test failed");
3800 goto done;
3801 }
3802
3803 err = test_h6(tfm_cmac);
3804 if (err) {
3805 BT_ERR("smp_h6 test failed");
3806 goto done;
3807 }
3808
3809 rettime = ktime_get();
3810 delta = ktime_sub(rettime, calltime);
3811 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3812
3813 BT_INFO("SMP test passed in %llu usecs", duration);
3814
3815 done:
3816 if (!err)
3817 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3818 "PASS (%llu usecs)\n", duration);
3819 else
3820 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3821
3822 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3823 &test_smp_fops);
3824
3825 return err;
3826 }
3827
bt_selftest_smp(void)3828 int __init bt_selftest_smp(void)
3829 {
3830 struct crypto_shash *tfm_cmac;
3831 struct crypto_kpp *tfm_ecdh;
3832 int err;
3833
3834 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3835 if (IS_ERR(tfm_cmac)) {
3836 BT_ERR("Unable to create CMAC crypto context");
3837 return PTR_ERR(tfm_cmac);
3838 }
3839
3840 tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3841 if (IS_ERR(tfm_ecdh)) {
3842 BT_ERR("Unable to create ECDH crypto context");
3843 crypto_free_shash(tfm_cmac);
3844 return PTR_ERR(tfm_ecdh);
3845 }
3846
3847 err = run_selftests(tfm_cmac, tfm_ecdh);
3848
3849 crypto_free_shash(tfm_cmac);
3850 crypto_free_kpp(tfm_ecdh);
3851
3852 return err;
3853 }
3854
3855 #endif
3856