projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Use OOB key pair for LE SC pairing with OOB method
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "ecc.h"
34 #include "smp.h"
35
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
39 */
40 #ifdef DEBUG
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 ##__VA_ARGS__)
43 #else
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 ##__VA_ARGS__)
46 #endif
47
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
49
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
54
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
56 0x1f : 0x07)
57 #define KEY_DIST_MASK 0x07
58
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
61
62 enum {
63 SMP_FLAG_TK_VALID,
64 SMP_FLAG_CFM_PENDING,
65 SMP_FLAG_MITM_AUTH,
66 SMP_FLAG_COMPLETE,
67 SMP_FLAG_INITIATOR,
68 SMP_FLAG_SC,
69 SMP_FLAG_REMOTE_PK,
70 SMP_FLAG_DEBUG_KEY,
71 SMP_FLAG_WAIT_USER,
72 SMP_FLAG_DHKEY_PENDING,
73 SMP_FLAG_OOB,
74 };
75
76 struct smp_dev {
77 /* Secure Connections OOB data */
78 u8 local_pk[64];
79 u8 local_sk[32];
80 u8 local_rr[16];
81 bool debug_key;
82
83 struct crypto_blkcipher *tfm_aes;
84 struct crypto_hash *tfm_cmac;
85 };
86
87 struct smp_chan {
88 struct l2cap_conn *conn;
89 struct delayed_work security_timer;
90 unsigned long allow_cmd; /* Bitmask of allowed commands */
91
92 u8 preq[7]; /* SMP Pairing Request */
93 u8 prsp[7]; /* SMP Pairing Response */
94 u8 prnd[16]; /* SMP Pairing Random (local) */
95 u8 rrnd[16]; /* SMP Pairing Random (remote) */
96 u8 pcnf[16]; /* SMP Pairing Confirm */
97 u8 tk[16]; /* SMP Temporary Key */
98 u8 rr[16];
99 u8 enc_key_size;
100 u8 remote_key_dist;
101 bdaddr_t id_addr;
102 u8 id_addr_type;
103 u8 irk[16];
104 struct smp_csrk *csrk;
105 struct smp_csrk *slave_csrk;
106 struct smp_ltk *ltk;
107 struct smp_ltk *slave_ltk;
108 struct smp_irk *remote_irk;
109 u8 *link_key;
110 unsigned long flags;
111 u8 method;
112 u8 passkey_round;
113
114 /* Secure Connections variables */
115 u8 local_pk[64];
116 u8 local_sk[32];
117 u8 remote_pk[64];
118 u8 dhkey[32];
119 u8 mackey[16];
120
121 struct crypto_blkcipher *tfm_aes;
122 struct crypto_hash *tfm_cmac;
123 };
124
125 /* These debug key values are defined in the SMP section of the core
126 * specification. debug_pk is the public debug key and debug_sk the
127 * private debug key.
128 */
129 static const u8 debug_pk[64] = {
130 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
131 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
132 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
133 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
134
135 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
136 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
137 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
138 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
139 };
140
141 static const u8 debug_sk[32] = {
142 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
143 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
144 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
145 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
146 };
147
148 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
149 {
150 size_t i;
151
152 for (i = 0; i < len; i++)
153 dst[len - 1 - i] = src[i];
154 }
155
156 /* The following functions map to the LE SC SMP crypto functions
157 * AES-CMAC, f4, f5, f6, g2 and h6.
158 */
159
160 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
161 size_t len, u8 mac[16])
162 {
163 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
164 struct hash_desc desc;
165 struct scatterlist sg;
166 int err;
167
168 if (len > CMAC_MSG_MAX)
169 return -EFBIG;
170
171 if (!tfm) {
172 BT_ERR("tfm %p", tfm);
173 return -EINVAL;
174 }
175
176 desc.tfm = tfm;
177 desc.flags = 0;
178
179 crypto_hash_init(&desc);
180
181 /* Swap key and message from LSB to MSB */
182 swap_buf(k, tmp, 16);
183 swap_buf(m, msg_msb, len);
184
185 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
186 SMP_DBG("key %16phN", k);
187
188 err = crypto_hash_setkey(tfm, tmp, 16);
189 if (err) {
190 BT_ERR("cipher setkey failed: %d", err);
191 return err;
192 }
193
194 sg_init_one(&sg, msg_msb, len);
195
196 err = crypto_hash_update(&desc, &sg, len);
197 if (err) {
198 BT_ERR("Hash update error %d", err);
199 return err;
200 }
201
202 err = crypto_hash_final(&desc, mac_msb);
203 if (err) {
204 BT_ERR("Hash final error %d", err);
205 return err;
206 }
207
208 swap_buf(mac_msb, mac, 16);
209
210 SMP_DBG("mac %16phN", mac);
211
212 return 0;
213 }
214
215 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
216 const u8 x[16], u8 z, u8 res[16])
217 {
218 u8 m[65];
219 int err;
220
221 SMP_DBG("u %32phN", u);
222 SMP_DBG("v %32phN", v);
223 SMP_DBG("x %16phN z %02x", x, z);
224
225 m[0] = z;
226 memcpy(m + 1, v, 32);
227 memcpy(m + 33, u, 32);
228
229 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
230 if (err)
231 return err;
232
233 SMP_DBG("res %16phN", res);
234
235 return err;
236 }
237
238 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
239 const u8 n1[16], const u8 n2[16], const u8 a1[7],
240 const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 {
242 /* The btle, salt and length "magic" values are as defined in
243 * the SMP section of the Bluetooth core specification. In ASCII
244 * the btle value ends up being 'btle'. The salt is just a
245 * random number whereas length is the value 256 in little
246 * endian format.
247 */
248 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251 const u8 length[2] = { 0x00, 0x01 };
252 u8 m[53], t[16];
253 int err;
254
255 SMP_DBG("w %32phN", w);
256 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258
259 err = aes_cmac(tfm_cmac, salt, w, 32, t);
260 if (err)
261 return err;
262
263 SMP_DBG("t %16phN", t);
264
265 memcpy(m, length, 2);
266 memcpy(m + 2, a2, 7);
267 memcpy(m + 9, a1, 7);
268 memcpy(m + 16, n2, 16);
269 memcpy(m + 32, n1, 16);
270 memcpy(m + 48, btle, 4);
271
272 m[52] = 0; /* Counter */
273
274 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
275 if (err)
276 return err;
277
278 SMP_DBG("mackey %16phN", mackey);
279
280 m[52] = 1; /* Counter */
281
282 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
283 if (err)
284 return err;
285
286 SMP_DBG("ltk %16phN", ltk);
287
288 return 0;
289 }
290
291 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
292 const u8 n1[16], const u8 n2[16], const u8 r[16],
293 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
294 u8 res[16])
295 {
296 u8 m[65];
297 int err;
298
299 SMP_DBG("w %16phN", w);
300 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
302
303 memcpy(m, a2, 7);
304 memcpy(m + 7, a1, 7);
305 memcpy(m + 14, io_cap, 3);
306 memcpy(m + 17, r, 16);
307 memcpy(m + 33, n2, 16);
308 memcpy(m + 49, n1, 16);
309
310 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
311 if (err)
312 return err;
313
314 SMP_DBG("res %16phN", res);
315
316 return err;
317 }
318
319 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
320 const u8 x[16], const u8 y[16], u32 *val)
321 {
322 u8 m[80], tmp[16];
323 int err;
324
325 SMP_DBG("u %32phN", u);
326 SMP_DBG("v %32phN", v);
327 SMP_DBG("x %16phN y %16phN", x, y);
328
329 memcpy(m, y, 16);
330 memcpy(m + 16, v, 32);
331 memcpy(m + 48, u, 32);
332
333 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
334 if (err)
335 return err;
336
337 *val = get_unaligned_le32(tmp);
338 *val %= 1000000;
339
340 SMP_DBG("val %06u", *val);
341
342 return 0;
343 }
344
345 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
346 const u8 key_id[4], u8 res[16])
347 {
348 int err;
349
350 SMP_DBG("w %16phN key_id %4phN", w, key_id);
351
352 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
353 if (err)
354 return err;
355
356 SMP_DBG("res %16phN", res);
357
358 return err;
359 }
360
361 /* The following functions map to the legacy SMP crypto functions e, c1,
362 * s1 and ah.
363 */
364
365 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
366 {
367 struct blkcipher_desc desc;
368 struct scatterlist sg;
369 uint8_t tmp[16], data[16];
370 int err;
371
372 if (!tfm) {
373 BT_ERR("tfm %p", tfm);
374 return -EINVAL;
375 }
376
377 desc.tfm = tfm;
378 desc.flags = 0;
379
380 /* The most significant octet of key corresponds to k[0] */
381 swap_buf(k, tmp, 16);
382
383 err = crypto_blkcipher_setkey(tfm, tmp, 16);
384 if (err) {
385 BT_ERR("cipher setkey failed: %d", err);
386 return err;
387 }
388
389 /* Most significant octet of plaintextData corresponds to data[0] */
390 swap_buf(r, data, 16);
391
392 sg_init_one(&sg, data, 16);
393
394 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
395 if (err)
396 BT_ERR("Encrypt data error %d", err);
397
398 /* Most significant octet of encryptedData corresponds to data[0] */
399 swap_buf(data, r, 16);
400
401 return err;
402 }
403
404 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
405 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
406 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
407 {
408 u8 p1[16], p2[16];
409 int err;
410
411 memset(p1, 0, 16);
412
413 /* p1 = pres || preq || _rat || _iat */
414 p1[0] = _iat;
415 p1[1] = _rat;
416 memcpy(p1 + 2, preq, 7);
417 memcpy(p1 + 9, pres, 7);
418
419 /* p2 = padding || ia || ra */
420 memcpy(p2, ra, 6);
421 memcpy(p2 + 6, ia, 6);
422 memset(p2 + 12, 0, 4);
423
424 /* res = r XOR p1 */
425 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
426
427 /* res = e(k, res) */
428 err = smp_e(tfm_aes, k, res);
429 if (err) {
430 BT_ERR("Encrypt data error");
431 return err;
432 }
433
434 /* res = res XOR p2 */
435 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
436
437 /* res = e(k, res) */
438 err = smp_e(tfm_aes, k, res);
439 if (err)
440 BT_ERR("Encrypt data error");
441
442 return err;
443 }
444
445 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
446 const u8 r1[16], const u8 r2[16], u8 _r[16])
447 {
448 int err;
449
450 /* Just least significant octets from r1 and r2 are considered */
451 memcpy(_r, r2, 8);
452 memcpy(_r + 8, r1, 8);
453
454 err = smp_e(tfm_aes, k, _r);
455 if (err)
456 BT_ERR("Encrypt data error");
457
458 return err;
459 }
460
461 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
462 const u8 r[3], u8 res[3])
463 {
464 u8 _res[16];
465 int err;
466
467 /* r' = padding || r */
468 memcpy(_res, r, 3);
469 memset(_res + 3, 0, 13);
470
471 err = smp_e(tfm, irk, _res);
472 if (err) {
473 BT_ERR("Encrypt error");
474 return err;
475 }
476
477 /* The output of the random address function ah is:
478 * ah(h, r) = e(k, r') mod 2^24
479 * The output of the security function e is then truncated to 24 bits
480 * by taking the least significant 24 bits of the output of e as the
481 * result of ah.
482 */
483 memcpy(res, _res, 3);
484
485 return 0;
486 }
487
488 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
489 const bdaddr_t *bdaddr)
490 {
491 struct l2cap_chan *chan = hdev->smp_data;
492 struct smp_dev *smp;
493 u8 hash[3];
494 int err;
495
496 if (!chan || !chan->data)
497 return false;
498
499 smp = chan->data;
500
501 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
502
503 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
504 if (err)
505 return false;
506
507 return !memcmp(bdaddr->b, hash, 3);
508 }
509
510 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
511 {
512 struct l2cap_chan *chan = hdev->smp_data;
513 struct smp_dev *smp;
514 int err;
515
516 if (!chan || !chan->data)
517 return -EOPNOTSUPP;
518
519 smp = chan->data;
520
521 get_random_bytes(&rpa->b[3], 3);
522
523 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
524 rpa->b[5] |= 0x40; /* Set second most significant bit */
525
526 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
527 if (err < 0)
528 return err;
529
530 BT_DBG("RPA %pMR", rpa);
531
532 return 0;
533 }
534
535 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
536 {
537 struct l2cap_chan *chan = hdev->smp_data;
538 struct smp_dev *smp;
539 int err;
540
541 if (!chan || !chan->data)
542 return -EOPNOTSUPP;
543
544 smp = chan->data;
545
546 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
547 BT_DBG("Using debug keys");
548 memcpy(smp->local_pk, debug_pk, 64);
549 memcpy(smp->local_sk, debug_sk, 32);
550 smp->debug_key = true;
551 } else {
552 while (true) {
553 /* Generate local key pair for Secure Connections */
554 if (!ecc_make_key(smp->local_pk, smp->local_sk))
555 return -EIO;
556
557 /* This is unlikely, but we need to check that
558 * we didn't accidentially generate a debug key.
559 */
560 if (memcmp(smp->local_sk, debug_sk, 32))
561 break;
562 }
563 smp->debug_key = false;
564 }
565
566 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
567 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
568 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
569
570 get_random_bytes(smp->local_rr, 16);
571
572 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
573 smp->local_rr, 0, hash);
574 if (err < 0)
575 return err;
576
577 memcpy(rand, smp->local_rr, 16);
578
579 return 0;
580 }
581
582 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
583 {
584 struct l2cap_chan *chan = conn->smp;
585 struct smp_chan *smp;
586 struct kvec iv[2];
587 struct msghdr msg;
588
589 if (!chan)
590 return;
591
592 BT_DBG("code 0x%2.2x", code);
593
594 iv[0].iov_base = &code;
595 iv[0].iov_len = 1;
596
597 iv[1].iov_base = data;
598 iv[1].iov_len = len;
599
600 memset(&msg, 0, sizeof(msg));
601
602 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
603
604 l2cap_chan_send(chan, &msg, 1 + len);
605
606 if (!chan->data)
607 return;
608
609 smp = chan->data;
610
611 cancel_delayed_work_sync(&smp->security_timer);
612 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
613 }
614
615 static u8 authreq_to_seclevel(u8 authreq)
616 {
617 if (authreq & SMP_AUTH_MITM) {
618 if (authreq & SMP_AUTH_SC)
619 return BT_SECURITY_FIPS;
620 else
621 return BT_SECURITY_HIGH;
622 } else {
623 return BT_SECURITY_MEDIUM;
624 }
625 }
626
627 static __u8 seclevel_to_authreq(__u8 sec_level)
628 {
629 switch (sec_level) {
630 case BT_SECURITY_FIPS:
631 case BT_SECURITY_HIGH:
632 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
633 case BT_SECURITY_MEDIUM:
634 return SMP_AUTH_BONDING;
635 default:
636 return SMP_AUTH_NONE;
637 }
638 }
639
640 static void build_pairing_cmd(struct l2cap_conn *conn,
641 struct smp_cmd_pairing *req,
642 struct smp_cmd_pairing *rsp, __u8 authreq)
643 {
644 struct l2cap_chan *chan = conn->smp;
645 struct smp_chan *smp = chan->data;
646 struct hci_conn *hcon = conn->hcon;
647 struct hci_dev *hdev = hcon->hdev;
648 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
649
650 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
651 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
652 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
653 authreq |= SMP_AUTH_BONDING;
654 } else {
655 authreq &= ~SMP_AUTH_BONDING;
656 }
657
658 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
659 remote_dist |= SMP_DIST_ID_KEY;
660
661 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
662 local_dist |= SMP_DIST_ID_KEY;
663
664 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
665 (authreq & SMP_AUTH_SC)) {
666 struct oob_data *oob_data;
667 u8 bdaddr_type;
668
669 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
670 local_dist |= SMP_DIST_LINK_KEY;
671 remote_dist |= SMP_DIST_LINK_KEY;
672 }
673
674 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
675 bdaddr_type = BDADDR_LE_PUBLIC;
676 else
677 bdaddr_type = BDADDR_LE_RANDOM;
678
679 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
680 bdaddr_type);
681 if (oob_data && oob_data->present) {
682 set_bit(SMP_FLAG_OOB, &smp->flags);
683 oob_flag = SMP_OOB_PRESENT;
684 memcpy(smp->rr, oob_data->rand256, 16);
685 memcpy(smp->pcnf, oob_data->hash256, 16);
686 }
687
688 } else {
689 authreq &= ~SMP_AUTH_SC;
690 }
691
692 if (rsp == NULL) {
693 req->io_capability = conn->hcon->io_capability;
694 req->oob_flag = oob_flag;
695 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
696 req->init_key_dist = local_dist;
697 req->resp_key_dist = remote_dist;
698 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
699
700 smp->remote_key_dist = remote_dist;
701 return;
702 }
703
704 rsp->io_capability = conn->hcon->io_capability;
705 rsp->oob_flag = oob_flag;
706 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
707 rsp->init_key_dist = req->init_key_dist & remote_dist;
708 rsp->resp_key_dist = req->resp_key_dist & local_dist;
709 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
710
711 smp->remote_key_dist = rsp->init_key_dist;
712 }
713
714 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
715 {
716 struct l2cap_chan *chan = conn->smp;
717 struct smp_chan *smp = chan->data;
718
719 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
720 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
721 return SMP_ENC_KEY_SIZE;
722
723 smp->enc_key_size = max_key_size;
724
725 return 0;
726 }
727
728 static void smp_chan_destroy(struct l2cap_conn *conn)
729 {
730 struct l2cap_chan *chan = conn->smp;
731 struct smp_chan *smp = chan->data;
732 struct hci_conn *hcon = conn->hcon;
733 bool complete;
734
735 BUG_ON(!smp);
736
737 cancel_delayed_work_sync(&smp->security_timer);
738
739 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
740 mgmt_smp_complete(hcon, complete);
741
742 kzfree(smp->csrk);
743 kzfree(smp->slave_csrk);
744 kzfree(smp->link_key);
745
746 crypto_free_blkcipher(smp->tfm_aes);
747 crypto_free_hash(smp->tfm_cmac);
748
749 /* Ensure that we don't leave any debug key around if debug key
750 * support hasn't been explicitly enabled.
751 */
752 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
753 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
754 list_del_rcu(&smp->ltk->list);
755 kfree_rcu(smp->ltk, rcu);
756 smp->ltk = NULL;
757 }
758
759 /* If pairing failed clean up any keys we might have */
760 if (!complete) {
761 if (smp->ltk) {
762 list_del_rcu(&smp->ltk->list);
763 kfree_rcu(smp->ltk, rcu);
764 }
765
766 if (smp->slave_ltk) {
767 list_del_rcu(&smp->slave_ltk->list);
768 kfree_rcu(smp->slave_ltk, rcu);
769 }
770
771 if (smp->remote_irk) {
772 list_del_rcu(&smp->remote_irk->list);
773 kfree_rcu(smp->remote_irk, rcu);
774 }
775 }
776
777 chan->data = NULL;
778 kzfree(smp);
779 hci_conn_drop(hcon);
780 }
781
782 static void smp_failure(struct l2cap_conn *conn, u8 reason)
783 {
784 struct hci_conn *hcon = conn->hcon;
785 struct l2cap_chan *chan = conn->smp;
786
787 if (reason)
788 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
789 &reason);
790
791 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
792 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
793
794 if (chan->data)
795 smp_chan_destroy(conn);
796 }
797
798 #define JUST_WORKS 0x00
799 #define JUST_CFM 0x01
800 #define REQ_PASSKEY 0x02
801 #define CFM_PASSKEY 0x03
802 #define REQ_OOB 0x04
803 #define DSP_PASSKEY 0x05
804 #define OVERLAP 0xFF
805
806 static const u8 gen_method[5][5] = {
807 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
808 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
809 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
810 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
811 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
812 };
813
814 static const u8 sc_method[5][5] = {
815 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
816 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
817 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
818 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
819 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
820 };
821
822 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
823 {
824 /* If either side has unknown io_caps, use JUST_CFM (which gets
825 * converted later to JUST_WORKS if we're initiators.
826 */
827 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
828 remote_io > SMP_IO_KEYBOARD_DISPLAY)
829 return JUST_CFM;
830
831 if (test_bit(SMP_FLAG_SC, &smp->flags))
832 return sc_method[remote_io][local_io];
833
834 return gen_method[remote_io][local_io];
835 }
836
837 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
838 u8 local_io, u8 remote_io)
839 {
840 struct hci_conn *hcon = conn->hcon;
841 struct l2cap_chan *chan = conn->smp;
842 struct smp_chan *smp = chan->data;
843 u32 passkey = 0;
844 int ret = 0;
845
846 /* Initialize key for JUST WORKS */
847 memset(smp->tk, 0, sizeof(smp->tk));
848 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
849
850 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
851
852 /* If neither side wants MITM, either "just" confirm an incoming
853 * request or use just-works for outgoing ones. The JUST_CFM
854 * will be converted to JUST_WORKS if necessary later in this
855 * function. If either side has MITM look up the method from the
856 * table.
857 */
858 if (!(auth & SMP_AUTH_MITM))
859 smp->method = JUST_CFM;
860 else
861 smp->method = get_auth_method(smp, local_io, remote_io);
862
863 /* Don't confirm locally initiated pairing attempts */
864 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
865 &smp->flags))
866 smp->method = JUST_WORKS;
867
868 /* Don't bother user space with no IO capabilities */
869 if (smp->method == JUST_CFM &&
870 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
871 smp->method = JUST_WORKS;
872
873 /* If Just Works, Continue with Zero TK */
874 if (smp->method == JUST_WORKS) {
875 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
876 return 0;
877 }
878
879 /* Not Just Works/Confirm results in MITM Authentication */
880 if (smp->method != JUST_CFM) {
881 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
882 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
883 hcon->pending_sec_level = BT_SECURITY_HIGH;
884 }
885
886 /* If both devices have Keyoard-Display I/O, the master
887 * Confirms and the slave Enters the passkey.
888 */
889 if (smp->method == OVERLAP) {
890 if (hcon->role == HCI_ROLE_MASTER)
891 smp->method = CFM_PASSKEY;
892 else
893 smp->method = REQ_PASSKEY;
894 }
895
896 /* Generate random passkey. */
897 if (smp->method == CFM_PASSKEY) {
898 memset(smp->tk, 0, sizeof(smp->tk));
899 get_random_bytes(&passkey, sizeof(passkey));
900 passkey %= 1000000;
901 put_unaligned_le32(passkey, smp->tk);
902 BT_DBG("PassKey: %d", passkey);
903 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
904 }
905
906 if (smp->method == REQ_PASSKEY)
907 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
908 hcon->type, hcon->dst_type);
909 else if (smp->method == JUST_CFM)
910 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
911 hcon->type, hcon->dst_type,
912 passkey, 1);
913 else
914 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
915 hcon->type, hcon->dst_type,
916 passkey, 0);
917
918 return ret;
919 }
920
921 static u8 smp_confirm(struct smp_chan *smp)
922 {
923 struct l2cap_conn *conn = smp->conn;
924 struct smp_cmd_pairing_confirm cp;
925 int ret;
926
927 BT_DBG("conn %p", conn);
928
929 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
930 conn->hcon->init_addr_type, &conn->hcon->init_addr,
931 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
932 cp.confirm_val);
933 if (ret)
934 return SMP_UNSPECIFIED;
935
936 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
937
938 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
939
940 if (conn->hcon->out)
941 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
942 else
943 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
944
945 return 0;
946 }
947
948 static u8 smp_random(struct smp_chan *smp)
949 {
950 struct l2cap_conn *conn = smp->conn;
951 struct hci_conn *hcon = conn->hcon;
952 u8 confirm[16];
953 int ret;
954
955 if (IS_ERR_OR_NULL(smp->tfm_aes))
956 return SMP_UNSPECIFIED;
957
958 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
959
960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
961 hcon->init_addr_type, &hcon->init_addr,
962 hcon->resp_addr_type, &hcon->resp_addr, confirm);
963 if (ret)
964 return SMP_UNSPECIFIED;
965
966 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
967 BT_ERR("Pairing failed (confirmation values mismatch)");
968 return SMP_CONFIRM_FAILED;
969 }
970
971 if (hcon->out) {
972 u8 stk[16];
973 __le64 rand = 0;
974 __le16 ediv = 0;
975
976 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
977
978 memset(stk + smp->enc_key_size, 0,
979 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
980
981 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
982 return SMP_UNSPECIFIED;
983
984 hci_le_start_enc(hcon, ediv, rand, stk);
985 hcon->enc_key_size = smp->enc_key_size;
986 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
987 } else {
988 u8 stk[16], auth;
989 __le64 rand = 0;
990 __le16 ediv = 0;
991
992 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
993 smp->prnd);
994
995 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
996
997 memset(stk + smp->enc_key_size, 0,
998 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
999
1000 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1001 auth = 1;
1002 else
1003 auth = 0;
1004
1005 /* Even though there's no _SLAVE suffix this is the
1006 * slave STK we're adding for later lookup (the master
1007 * STK never needs to be stored).
1008 */
1009 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1010 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1011 }
1012
1013 return 0;
1014 }
1015
1016 static void smp_notify_keys(struct l2cap_conn *conn)
1017 {
1018 struct l2cap_chan *chan = conn->smp;
1019 struct smp_chan *smp = chan->data;
1020 struct hci_conn *hcon = conn->hcon;
1021 struct hci_dev *hdev = hcon->hdev;
1022 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1023 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1024 bool persistent;
1025
1026 if (smp->remote_irk) {
1027 mgmt_new_irk(hdev, smp->remote_irk);
1028 /* Now that user space can be considered to know the
1029 * identity address track the connection based on it
1030 * from now on (assuming this is an LE link).
1031 */
1032 if (hcon->type == LE_LINK) {
1033 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1034 hcon->dst_type = smp->remote_irk->addr_type;
1035 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1036 }
1037
1038 /* When receiving an indentity resolving key for
1039 * a remote device that does not use a resolvable
1040 * private address, just remove the key so that
1041 * it is possible to use the controller white
1042 * list for scanning.
1043 *
1044 * Userspace will have been told to not store
1045 * this key at this point. So it is safe to
1046 * just remove it.
1047 */
1048 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1049 list_del_rcu(&smp->remote_irk->list);
1050 kfree_rcu(smp->remote_irk, rcu);
1051 smp->remote_irk = NULL;
1052 }
1053 }
1054
1055 if (hcon->type == ACL_LINK) {
1056 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1057 persistent = false;
1058 else
1059 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1060 &hcon->flags);
1061 } else {
1062 /* The LTKs and CSRKs should be persistent only if both sides
1063 * had the bonding bit set in their authentication requests.
1064 */
1065 persistent = !!((req->auth_req & rsp->auth_req) &
1066 SMP_AUTH_BONDING);
1067 }
1068
1069
1070 if (smp->csrk) {
1071 smp->csrk->bdaddr_type = hcon->dst_type;
1072 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1073 mgmt_new_csrk(hdev, smp->csrk, persistent);
1074 }
1075
1076 if (smp->slave_csrk) {
1077 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1078 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1079 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1080 }
1081
1082 if (smp->ltk) {
1083 smp->ltk->bdaddr_type = hcon->dst_type;
1084 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1085 mgmt_new_ltk(hdev, smp->ltk, persistent);
1086 }
1087
1088 if (smp->slave_ltk) {
1089 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1090 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1091 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1092 }
1093
1094 if (smp->link_key) {
1095 struct link_key *key;
1096 u8 type;
1097
1098 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1099 type = HCI_LK_DEBUG_COMBINATION;
1100 else if (hcon->sec_level == BT_SECURITY_FIPS)
1101 type = HCI_LK_AUTH_COMBINATION_P256;
1102 else
1103 type = HCI_LK_UNAUTH_COMBINATION_P256;
1104
1105 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1106 smp->link_key, type, 0, &persistent);
1107 if (key) {
1108 mgmt_new_link_key(hdev, key, persistent);
1109
1110 /* Don't keep debug keys around if the relevant
1111 * flag is not set.
1112 */
1113 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1114 key->type == HCI_LK_DEBUG_COMBINATION) {
1115 list_del_rcu(&key->list);
1116 kfree_rcu(key, rcu);
1117 }
1118 }
1119 }
1120 }
1121
1122 static void sc_add_ltk(struct smp_chan *smp)
1123 {
1124 struct hci_conn *hcon = smp->conn->hcon;
1125 u8 key_type, auth;
1126
1127 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1128 key_type = SMP_LTK_P256_DEBUG;
1129 else
1130 key_type = SMP_LTK_P256;
1131
1132 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1133 auth = 1;
1134 else
1135 auth = 0;
1136
1137 memset(smp->tk + smp->enc_key_size, 0,
1138 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1139
1140 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1141 key_type, auth, smp->tk, smp->enc_key_size,
1142 0, 0);
1143 }
1144
1145 static void sc_generate_link_key(struct smp_chan *smp)
1146 {
1147 /* These constants are as specified in the core specification.
1148 * In ASCII they spell out to 'tmp1' and 'lebr'.
1149 */
1150 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1151 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1152
1153 smp->link_key = kzalloc(16, GFP_KERNEL);
1154 if (!smp->link_key)
1155 return;
1156
1157 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1158 kzfree(smp->link_key);
1159 smp->link_key = NULL;
1160 return;
1161 }
1162
1163 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1164 kzfree(smp->link_key);
1165 smp->link_key = NULL;
1166 return;
1167 }
1168 }
1169
1170 static void smp_allow_key_dist(struct smp_chan *smp)
1171 {
1172 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1173 * will be allowed in each PDU handler to ensure we receive
1174 * them in the correct order.
1175 */
1176 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1177 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1178 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1179 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1180 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1181 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1182 }
1183
1184 static void sc_generate_ltk(struct smp_chan *smp)
1185 {
1186 /* These constants are as specified in the core specification.
1187 * In ASCII they spell out to 'tmp2' and 'brle'.
1188 */
1189 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1190 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1191 struct hci_conn *hcon = smp->conn->hcon;
1192 struct hci_dev *hdev = hcon->hdev;
1193 struct link_key *key;
1194
1195 key = hci_find_link_key(hdev, &hcon->dst);
1196 if (!key) {
1197 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1198 return;
1199 }
1200
1201 if (key->type == HCI_LK_DEBUG_COMBINATION)
1202 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1203
1204 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1205 return;
1206
1207 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1208 return;
1209
1210 sc_add_ltk(smp);
1211 }
1212
1213 static void smp_distribute_keys(struct smp_chan *smp)
1214 {
1215 struct smp_cmd_pairing *req, *rsp;
1216 struct l2cap_conn *conn = smp->conn;
1217 struct hci_conn *hcon = conn->hcon;
1218 struct hci_dev *hdev = hcon->hdev;
1219 __u8 *keydist;
1220
1221 BT_DBG("conn %p", conn);
1222
1223 rsp = (void *) &smp->prsp[1];
1224
1225 /* The responder sends its keys first */
1226 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1227 smp_allow_key_dist(smp);
1228 return;
1229 }
1230
1231 req = (void *) &smp->preq[1];
1232
1233 if (hcon->out) {
1234 keydist = &rsp->init_key_dist;
1235 *keydist &= req->init_key_dist;
1236 } else {
1237 keydist = &rsp->resp_key_dist;
1238 *keydist &= req->resp_key_dist;
1239 }
1240
1241 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1242 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1243 sc_generate_link_key(smp);
1244 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1245 sc_generate_ltk(smp);
1246
1247 /* Clear the keys which are generated but not distributed */
1248 *keydist &= ~SMP_SC_NO_DIST;
1249 }
1250
1251 BT_DBG("keydist 0x%x", *keydist);
1252
1253 if (*keydist & SMP_DIST_ENC_KEY) {
1254 struct smp_cmd_encrypt_info enc;
1255 struct smp_cmd_master_ident ident;
1256 struct smp_ltk *ltk;
1257 u8 authenticated;
1258 __le16 ediv;
1259 __le64 rand;
1260
1261 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1262 get_random_bytes(&ediv, sizeof(ediv));
1263 get_random_bytes(&rand, sizeof(rand));
1264
1265 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1266
1267 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1268 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1269 SMP_LTK_SLAVE, authenticated, enc.ltk,
1270 smp->enc_key_size, ediv, rand);
1271 smp->slave_ltk = ltk;
1272
1273 ident.ediv = ediv;
1274 ident.rand = rand;
1275
1276 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1277
1278 *keydist &= ~SMP_DIST_ENC_KEY;
1279 }
1280
1281 if (*keydist & SMP_DIST_ID_KEY) {
1282 struct smp_cmd_ident_addr_info addrinfo;
1283 struct smp_cmd_ident_info idinfo;
1284
1285 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1286
1287 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1288
1289 /* The hci_conn contains the local identity address
1290 * after the connection has been established.
1291 *
1292 * This is true even when the connection has been
1293 * established using a resolvable random address.
1294 */
1295 bacpy(&addrinfo.bdaddr, &hcon->src);
1296 addrinfo.addr_type = hcon->src_type;
1297
1298 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1299 &addrinfo);
1300
1301 *keydist &= ~SMP_DIST_ID_KEY;
1302 }
1303
1304 if (*keydist & SMP_DIST_SIGN) {
1305 struct smp_cmd_sign_info sign;
1306 struct smp_csrk *csrk;
1307
1308 /* Generate a new random key */
1309 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1310
1311 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1312 if (csrk) {
1313 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1314 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1315 else
1316 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1317 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1318 }
1319 smp->slave_csrk = csrk;
1320
1321 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1322
1323 *keydist &= ~SMP_DIST_SIGN;
1324 }
1325
1326 /* If there are still keys to be received wait for them */
1327 if (smp->remote_key_dist & KEY_DIST_MASK) {
1328 smp_allow_key_dist(smp);
1329 return;
1330 }
1331
1332 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1333 smp_notify_keys(conn);
1334
1335 smp_chan_destroy(conn);
1336 }
1337
1338 static void smp_timeout(struct work_struct *work)
1339 {
1340 struct smp_chan *smp = container_of(work, struct smp_chan,
1341 security_timer.work);
1342 struct l2cap_conn *conn = smp->conn;
1343
1344 BT_DBG("conn %p", conn);
1345
1346 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1347 }
1348
1349 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1350 {
1351 struct l2cap_chan *chan = conn->smp;
1352 struct smp_chan *smp;
1353
1354 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1355 if (!smp)
1356 return NULL;
1357
1358 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1359 if (IS_ERR(smp->tfm_aes)) {
1360 BT_ERR("Unable to create ECB crypto context");
1361 kzfree(smp);
1362 return NULL;
1363 }
1364
1365 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1366 if (IS_ERR(smp->tfm_cmac)) {
1367 BT_ERR("Unable to create CMAC crypto context");
1368 crypto_free_blkcipher(smp->tfm_aes);
1369 kzfree(smp);
1370 return NULL;
1371 }
1372
1373 smp->conn = conn;
1374 chan->data = smp;
1375
1376 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1377
1378 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1379
1380 hci_conn_hold(conn->hcon);
1381
1382 return smp;
1383 }
1384
1385 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1386 {
1387 struct hci_conn *hcon = smp->conn->hcon;
1388 u8 *na, *nb, a[7], b[7];
1389
1390 if (hcon->out) {
1391 na = smp->prnd;
1392 nb = smp->rrnd;
1393 } else {
1394 na = smp->rrnd;
1395 nb = smp->prnd;
1396 }
1397
1398 memcpy(a, &hcon->init_addr, 6);
1399 memcpy(b, &hcon->resp_addr, 6);
1400 a[6] = hcon->init_addr_type;
1401 b[6] = hcon->resp_addr_type;
1402
1403 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1404 }
1405
1406 static void sc_dhkey_check(struct smp_chan *smp)
1407 {
1408 struct hci_conn *hcon = smp->conn->hcon;
1409 struct smp_cmd_dhkey_check check;
1410 u8 a[7], b[7], *local_addr, *remote_addr;
1411 u8 io_cap[3], r[16];
1412
1413 memcpy(a, &hcon->init_addr, 6);
1414 memcpy(b, &hcon->resp_addr, 6);
1415 a[6] = hcon->init_addr_type;
1416 b[6] = hcon->resp_addr_type;
1417
1418 if (hcon->out) {
1419 local_addr = a;
1420 remote_addr = b;
1421 memcpy(io_cap, &smp->preq[1], 3);
1422 } else {
1423 local_addr = b;
1424 remote_addr = a;
1425 memcpy(io_cap, &smp->prsp[1], 3);
1426 }
1427
1428 memset(r, 0, sizeof(r));
1429
1430 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1431 put_unaligned_le32(hcon->passkey_notify, r);
1432
1433 if (smp->method == REQ_OOB)
1434 memcpy(r, smp->rr, 16);
1435
1436 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1437 local_addr, remote_addr, check.e);
1438
1439 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1440 }
1441
1442 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1443 {
1444 struct l2cap_conn *conn = smp->conn;
1445 struct hci_conn *hcon = conn->hcon;
1446 struct smp_cmd_pairing_confirm cfm;
1447 u8 r;
1448
1449 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1450 r |= 0x80;
1451
1452 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1453
1454 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1455 cfm.confirm_val))
1456 return SMP_UNSPECIFIED;
1457
1458 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1459
1460 return 0;
1461 }
1462
1463 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1464 {
1465 struct l2cap_conn *conn = smp->conn;
1466 struct hci_conn *hcon = conn->hcon;
1467 struct hci_dev *hdev = hcon->hdev;
1468 u8 cfm[16], r;
1469
1470 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1471 if (smp->passkey_round >= 20)
1472 return 0;
1473
1474 switch (smp_op) {
1475 case SMP_CMD_PAIRING_RANDOM:
1476 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1477 r |= 0x80;
1478
1479 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1480 smp->rrnd, r, cfm))
1481 return SMP_UNSPECIFIED;
1482
1483 if (memcmp(smp->pcnf, cfm, 16))
1484 return SMP_CONFIRM_FAILED;
1485
1486 smp->passkey_round++;
1487
1488 if (smp->passkey_round == 20) {
1489 /* Generate MacKey and LTK */
1490 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1491 return SMP_UNSPECIFIED;
1492 }
1493
1494 /* The round is only complete when the initiator
1495 * receives pairing random.
1496 */
1497 if (!hcon->out) {
1498 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1499 sizeof(smp->prnd), smp->prnd);
1500 if (smp->passkey_round == 20)
1501 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1502 else
1503 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1504 return 0;
1505 }
1506
1507 /* Start the next round */
1508 if (smp->passkey_round != 20)
1509 return sc_passkey_round(smp, 0);
1510
1511 /* Passkey rounds are complete - start DHKey Check */
1512 sc_dhkey_check(smp);
1513 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1514
1515 break;
1516
1517 case SMP_CMD_PAIRING_CONFIRM:
1518 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1519 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1520 return 0;
1521 }
1522
1523 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1524
1525 if (hcon->out) {
1526 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527 sizeof(smp->prnd), smp->prnd);
1528 return 0;
1529 }
1530
1531 return sc_passkey_send_confirm(smp);
1532
1533 case SMP_CMD_PUBLIC_KEY:
1534 default:
1535 /* Initiating device starts the round */
1536 if (!hcon->out)
1537 return 0;
1538
1539 BT_DBG("%s Starting passkey round %u", hdev->name,
1540 smp->passkey_round + 1);
1541
1542 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1543
1544 return sc_passkey_send_confirm(smp);
1545 }
1546
1547 return 0;
1548 }
1549
1550 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1551 {
1552 struct l2cap_conn *conn = smp->conn;
1553 struct hci_conn *hcon = conn->hcon;
1554 u8 smp_op;
1555
1556 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1557
1558 switch (mgmt_op) {
1559 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1560 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1561 return 0;
1562 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1563 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1564 return 0;
1565 case MGMT_OP_USER_PASSKEY_REPLY:
1566 hcon->passkey_notify = le32_to_cpu(passkey);
1567 smp->passkey_round = 0;
1568
1569 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1570 smp_op = SMP_CMD_PAIRING_CONFIRM;
1571 else
1572 smp_op = 0;
1573
1574 if (sc_passkey_round(smp, smp_op))
1575 return -EIO;
1576
1577 return 0;
1578 }
1579
1580 /* Initiator sends DHKey check first */
1581 if (hcon->out) {
1582 sc_dhkey_check(smp);
1583 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1584 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1585 sc_dhkey_check(smp);
1586 sc_add_ltk(smp);
1587 }
1588
1589 return 0;
1590 }
1591
1592 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1593 {
1594 struct l2cap_conn *conn = hcon->l2cap_data;
1595 struct l2cap_chan *chan;
1596 struct smp_chan *smp;
1597 u32 value;
1598 int err;
1599
1600 BT_DBG("");
1601
1602 if (!conn)
1603 return -ENOTCONN;
1604
1605 chan = conn->smp;
1606 if (!chan)
1607 return -ENOTCONN;
1608
1609 l2cap_chan_lock(chan);
1610 if (!chan->data) {
1611 err = -ENOTCONN;
1612 goto unlock;
1613 }
1614
1615 smp = chan->data;
1616
1617 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1618 err = sc_user_reply(smp, mgmt_op, passkey);
1619 goto unlock;
1620 }
1621
1622 switch (mgmt_op) {
1623 case MGMT_OP_USER_PASSKEY_REPLY:
1624 value = le32_to_cpu(passkey);
1625 memset(smp->tk, 0, sizeof(smp->tk));
1626 BT_DBG("PassKey: %d", value);
1627 put_unaligned_le32(value, smp->tk);
1628 /* Fall Through */
1629 case MGMT_OP_USER_CONFIRM_REPLY:
1630 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1631 break;
1632 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1633 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1634 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1635 err = 0;
1636 goto unlock;
1637 default:
1638 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1639 err = -EOPNOTSUPP;
1640 goto unlock;
1641 }
1642
1643 err = 0;
1644
1645 /* If it is our turn to send Pairing Confirm, do so now */
1646 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1647 u8 rsp = smp_confirm(smp);
1648 if (rsp)
1649 smp_failure(conn, rsp);
1650 }
1651
1652 unlock:
1653 l2cap_chan_unlock(chan);
1654 return err;
1655 }
1656
1657 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1658 struct smp_cmd_pairing *req,
1659 struct smp_cmd_pairing *rsp)
1660 {
1661 struct l2cap_conn *conn = smp->conn;
1662 struct hci_dev *hdev = conn->hcon->hdev;
1663 u8 local_dist = 0, remote_dist = 0;
1664
1665 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1666 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1667 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1668 }
1669
1670 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1671 remote_dist |= SMP_DIST_ID_KEY;
1672
1673 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1674 local_dist |= SMP_DIST_ID_KEY;
1675
1676 if (!rsp) {
1677 memset(req, 0, sizeof(*req));
1678
1679 req->init_key_dist = local_dist;
1680 req->resp_key_dist = remote_dist;
1681 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1682
1683 smp->remote_key_dist = remote_dist;
1684
1685 return;
1686 }
1687
1688 memset(rsp, 0, sizeof(*rsp));
1689
1690 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1691 rsp->init_key_dist = req->init_key_dist & remote_dist;
1692 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1693
1694 smp->remote_key_dist = rsp->init_key_dist;
1695 }
1696
1697 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1698 {
1699 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1700 struct l2cap_chan *chan = conn->smp;
1701 struct hci_dev *hdev = conn->hcon->hdev;
1702 struct smp_chan *smp;
1703 u8 key_size, auth, sec_level;
1704 int ret;
1705
1706 BT_DBG("conn %p", conn);
1707
1708 if (skb->len < sizeof(*req))
1709 return SMP_INVALID_PARAMS;
1710
1711 if (conn->hcon->role != HCI_ROLE_SLAVE)
1712 return SMP_CMD_NOTSUPP;
1713
1714 if (!chan->data)
1715 smp = smp_chan_create(conn);
1716 else
1717 smp = chan->data;
1718
1719 if (!smp)
1720 return SMP_UNSPECIFIED;
1721
1722 /* We didn't start the pairing, so match remote */
1723 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1724
1725 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1726 (auth & SMP_AUTH_BONDING))
1727 return SMP_PAIRING_NOTSUPP;
1728
1729 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1730 return SMP_AUTH_REQUIREMENTS;
1731
1732 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1733 memcpy(&smp->preq[1], req, sizeof(*req));
1734 skb_pull(skb, sizeof(*req));
1735
1736 /* SMP over BR/EDR requires special treatment */
1737 if (conn->hcon->type == ACL_LINK) {
1738 /* We must have a BR/EDR SC link */
1739 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1740 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1741 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1742
1743 set_bit(SMP_FLAG_SC, &smp->flags);
1744
1745 build_bredr_pairing_cmd(smp, req, &rsp);
1746
1747 key_size = min(req->max_key_size, rsp.max_key_size);
1748 if (check_enc_key_size(conn, key_size))
1749 return SMP_ENC_KEY_SIZE;
1750
1751 /* Clear bits which are generated but not distributed */
1752 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1753
1754 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1755 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1756 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1757
1758 smp_distribute_keys(smp);
1759 return 0;
1760 }
1761
1762 build_pairing_cmd(conn, req, &rsp, auth);
1763
1764 if (rsp.auth_req & SMP_AUTH_SC)
1765 set_bit(SMP_FLAG_SC, &smp->flags);
1766
1767 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1768 sec_level = BT_SECURITY_MEDIUM;
1769 else
1770 sec_level = authreq_to_seclevel(auth);
1771
1772 if (sec_level > conn->hcon->pending_sec_level)
1773 conn->hcon->pending_sec_level = sec_level;
1774
1775 /* If we need MITM check that it can be achieved */
1776 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1777 u8 method;
1778
1779 method = get_auth_method(smp, conn->hcon->io_capability,
1780 req->io_capability);
1781 if (method == JUST_WORKS || method == JUST_CFM)
1782 return SMP_AUTH_REQUIREMENTS;
1783 }
1784
1785 key_size = min(req->max_key_size, rsp.max_key_size);
1786 if (check_enc_key_size(conn, key_size))
1787 return SMP_ENC_KEY_SIZE;
1788
1789 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1790
1791 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1792 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1793
1794 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1795
1796 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1797
1798 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1799 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1800 /* Clear bits which are generated but not distributed */
1801 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1802 /* Wait for Public Key from Initiating Device */
1803 return 0;
1804 }
1805
1806 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1807
1808 /* Request setup of TK */
1809 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1810 if (ret)
1811 return SMP_UNSPECIFIED;
1812
1813 return 0;
1814 }
1815
1816 static u8 sc_send_public_key(struct smp_chan *smp)
1817 {
1818 struct hci_dev *hdev = smp->conn->hcon->hdev;
1819
1820 BT_DBG("");
1821
1822 if (test_bit(SMP_FLAG_OOB, &smp->flags)) {
1823 struct l2cap_chan *chan = hdev->smp_data;
1824 struct smp_dev *smp_dev;
1825
1826 if (!chan || !chan->data)
1827 return SMP_UNSPECIFIED;
1828
1829 smp_dev = chan->data;
1830
1831 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1832 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1833 memcpy(smp->rr, smp_dev->local_rr, 16);
1834
1835 if (smp_dev->debug_key)
1836 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1837
1838 goto done;
1839 }
1840
1841 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1842 BT_DBG("Using debug keys");
1843 memcpy(smp->local_pk, debug_pk, 64);
1844 memcpy(smp->local_sk, debug_sk, 32);
1845 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1846 } else {
1847 while (true) {
1848 /* Generate local key pair for Secure Connections */
1849 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1850 return SMP_UNSPECIFIED;
1851
1852 /* This is unlikely, but we need to check that
1853 * we didn't accidentially generate a debug key.
1854 */
1855 if (memcmp(smp->local_sk, debug_sk, 32))
1856 break;
1857 }
1858 }
1859
1860 done:
1861 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1862 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1863 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1864
1865 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1866
1867 return 0;
1868 }
1869
1870 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1871 {
1872 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1873 struct l2cap_chan *chan = conn->smp;
1874 struct smp_chan *smp = chan->data;
1875 struct hci_dev *hdev = conn->hcon->hdev;
1876 u8 key_size, auth;
1877 int ret;
1878
1879 BT_DBG("conn %p", conn);
1880
1881 if (skb->len < sizeof(*rsp))
1882 return SMP_INVALID_PARAMS;
1883
1884 if (conn->hcon->role != HCI_ROLE_MASTER)
1885 return SMP_CMD_NOTSUPP;
1886
1887 skb_pull(skb, sizeof(*rsp));
1888
1889 req = (void *) &smp->preq[1];
1890
1891 key_size = min(req->max_key_size, rsp->max_key_size);
1892 if (check_enc_key_size(conn, key_size))
1893 return SMP_ENC_KEY_SIZE;
1894
1895 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1896
1897 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1898 return SMP_AUTH_REQUIREMENTS;
1899
1900 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1901 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1902
1903 /* Update remote key distribution in case the remote cleared
1904 * some bits that we had enabled in our request.
1905 */
1906 smp->remote_key_dist &= rsp->resp_key_dist;
1907
1908 /* For BR/EDR this means we're done and can start phase 3 */
1909 if (conn->hcon->type == ACL_LINK) {
1910 /* Clear bits which are generated but not distributed */
1911 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1912 smp_distribute_keys(smp);
1913 return 0;
1914 }
1915
1916 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1917 set_bit(SMP_FLAG_SC, &smp->flags);
1918 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1919 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1920
1921 /* If we need MITM check that it can be achieved */
1922 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1923 u8 method;
1924
1925 method = get_auth_method(smp, req->io_capability,
1926 rsp->io_capability);
1927 if (method == JUST_WORKS || method == JUST_CFM)
1928 return SMP_AUTH_REQUIREMENTS;
1929 }
1930
1931 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1932
1933 /* Update remote key distribution in case the remote cleared
1934 * some bits that we had enabled in our request.
1935 */
1936 smp->remote_key_dist &= rsp->resp_key_dist;
1937
1938 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1939 /* Clear bits which are generated but not distributed */
1940 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1941 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1942 return sc_send_public_key(smp);
1943 }
1944
1945 auth |= req->auth_req;
1946
1947 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1948 if (ret)
1949 return SMP_UNSPECIFIED;
1950
1951 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1952
1953 /* Can't compose response until we have been confirmed */
1954 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1955 return smp_confirm(smp);
1956
1957 return 0;
1958 }
1959
1960 static u8 sc_check_confirm(struct smp_chan *smp)
1961 {
1962 struct l2cap_conn *conn = smp->conn;
1963
1964 BT_DBG("");
1965
1966 /* Public Key exchange must happen before any other steps */
1967 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1968 return SMP_UNSPECIFIED;
1969
1970 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1971 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1972
1973 if (conn->hcon->out) {
1974 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1975 smp->prnd);
1976 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1977 }
1978
1979 return 0;
1980 }
1981
1982 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1983 {
1984 struct l2cap_chan *chan = conn->smp;
1985 struct smp_chan *smp = chan->data;
1986
1987 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1988
1989 if (skb->len < sizeof(smp->pcnf))
1990 return SMP_INVALID_PARAMS;
1991
1992 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1993 skb_pull(skb, sizeof(smp->pcnf));
1994
1995 if (test_bit(SMP_FLAG_SC, &smp->flags))
1996 return sc_check_confirm(smp);
1997
1998 if (conn->hcon->out) {
1999 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2000 smp->prnd);
2001 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2002 return 0;
2003 }
2004
2005 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2006 return smp_confirm(smp);
2007
2008 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2009
2010 return 0;
2011 }
2012
2013 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2014 {
2015 struct l2cap_chan *chan = conn->smp;
2016 struct smp_chan *smp = chan->data;
2017 struct hci_conn *hcon = conn->hcon;
2018 u8 *pkax, *pkbx, *na, *nb;
2019 u32 passkey;
2020 int err;
2021
2022 BT_DBG("conn %p", conn);
2023
2024 if (skb->len < sizeof(smp->rrnd))
2025 return SMP_INVALID_PARAMS;
2026
2027 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2028 skb_pull(skb, sizeof(smp->rrnd));
2029
2030 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2031 return smp_random(smp);
2032
2033 if (hcon->out) {
2034 pkax = smp->local_pk;
2035 pkbx = smp->remote_pk;
2036 na = smp->prnd;
2037 nb = smp->rrnd;
2038 } else {
2039 pkax = smp->remote_pk;
2040 pkbx = smp->local_pk;
2041 na = smp->rrnd;
2042 nb = smp->prnd;
2043 }
2044
2045 if (smp->method == REQ_OOB) {
2046 if (!hcon->out)
2047 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2048 sizeof(smp->prnd), smp->prnd);
2049 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2050 goto mackey_and_ltk;
2051 }
2052
2053 /* Passkey entry has special treatment */
2054 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2055 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2056
2057 if (hcon->out) {
2058 u8 cfm[16];
2059
2060 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2061 smp->rrnd, 0, cfm);
2062 if (err)
2063 return SMP_UNSPECIFIED;
2064
2065 if (memcmp(smp->pcnf, cfm, 16))
2066 return SMP_CONFIRM_FAILED;
2067 } else {
2068 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2069 smp->prnd);
2070 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2071 }
2072
2073 mackey_and_ltk:
2074 /* Generate MacKey and LTK */
2075 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2076 if (err)
2077 return SMP_UNSPECIFIED;
2078
2079 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2080 if (hcon->out) {
2081 sc_dhkey_check(smp);
2082 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2083 }
2084 return 0;
2085 }
2086
2087 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2088 if (err)
2089 return SMP_UNSPECIFIED;
2090
2091 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2092 hcon->dst_type, passkey, 0);
2093 if (err)
2094 return SMP_UNSPECIFIED;
2095
2096 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2097
2098 return 0;
2099 }
2100
2101 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2102 {
2103 struct smp_ltk *key;
2104 struct hci_conn *hcon = conn->hcon;
2105
2106 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2107 if (!key)
2108 return false;
2109
2110 if (smp_ltk_sec_level(key) < sec_level)
2111 return false;
2112
2113 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2114 return true;
2115
2116 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2117 hcon->enc_key_size = key->enc_size;
2118
2119 /* We never store STKs for master role, so clear this flag */
2120 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2121
2122 return true;
2123 }
2124
2125 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2126 enum smp_key_pref key_pref)
2127 {
2128 if (sec_level == BT_SECURITY_LOW)
2129 return true;
2130
2131 /* If we're encrypted with an STK but the caller prefers using
2132 * LTK claim insufficient security. This way we allow the
2133 * connection to be re-encrypted with an LTK, even if the LTK
2134 * provides the same level of security. Only exception is if we
2135 * don't have an LTK (e.g. because of key distribution bits).
2136 */
2137 if (key_pref == SMP_USE_LTK &&
2138 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2139 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2140 return false;
2141
2142 if (hcon->sec_level >= sec_level)
2143 return true;
2144
2145 return false;
2146 }
2147
2148 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2149 {
2150 struct smp_cmd_security_req *rp = (void *) skb->data;
2151 struct smp_cmd_pairing cp;
2152 struct hci_conn *hcon = conn->hcon;
2153 struct hci_dev *hdev = hcon->hdev;
2154 struct smp_chan *smp;
2155 u8 sec_level, auth;
2156
2157 BT_DBG("conn %p", conn);
2158
2159 if (skb->len < sizeof(*rp))
2160 return SMP_INVALID_PARAMS;
2161
2162 if (hcon->role != HCI_ROLE_MASTER)
2163 return SMP_CMD_NOTSUPP;
2164
2165 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2166
2167 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2168 return SMP_AUTH_REQUIREMENTS;
2169
2170 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2171 sec_level = BT_SECURITY_MEDIUM;
2172 else
2173 sec_level = authreq_to_seclevel(auth);
2174
2175 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2176 return 0;
2177
2178 if (sec_level > hcon->pending_sec_level)
2179 hcon->pending_sec_level = sec_level;
2180
2181 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2182 return 0;
2183
2184 smp = smp_chan_create(conn);
2185 if (!smp)
2186 return SMP_UNSPECIFIED;
2187
2188 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2189 (auth & SMP_AUTH_BONDING))
2190 return SMP_PAIRING_NOTSUPP;
2191
2192 skb_pull(skb, sizeof(*rp));
2193
2194 memset(&cp, 0, sizeof(cp));
2195 build_pairing_cmd(conn, &cp, NULL, auth);
2196
2197 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2198 memcpy(&smp->preq[1], &cp, sizeof(cp));
2199
2200 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2201 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2202
2203 return 0;
2204 }
2205
2206 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2207 {
2208 struct l2cap_conn *conn = hcon->l2cap_data;
2209 struct l2cap_chan *chan;
2210 struct smp_chan *smp;
2211 __u8 authreq;
2212 int ret;
2213
2214 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2215
2216 /* This may be NULL if there's an unexpected disconnection */
2217 if (!conn)
2218 return 1;
2219
2220 chan = conn->smp;
2221
2222 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2223 return 1;
2224
2225 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2226 return 1;
2227
2228 if (sec_level > hcon->pending_sec_level)
2229 hcon->pending_sec_level = sec_level;
2230
2231 if (hcon->role == HCI_ROLE_MASTER)
2232 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2233 return 0;
2234
2235 l2cap_chan_lock(chan);
2236
2237 /* If SMP is already in progress ignore this request */
2238 if (chan->data) {
2239 ret = 0;
2240 goto unlock;
2241 }
2242
2243 smp = smp_chan_create(conn);
2244 if (!smp) {
2245 ret = 1;
2246 goto unlock;
2247 }
2248
2249 authreq = seclevel_to_authreq(sec_level);
2250
2251 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2252 authreq |= SMP_AUTH_SC;
2253
2254 /* Require MITM if IO Capability allows or the security level
2255 * requires it.
2256 */
2257 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2258 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2259 authreq |= SMP_AUTH_MITM;
2260
2261 if (hcon->role == HCI_ROLE_MASTER) {
2262 struct smp_cmd_pairing cp;
2263
2264 build_pairing_cmd(conn, &cp, NULL, authreq);
2265 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2266 memcpy(&smp->preq[1], &cp, sizeof(cp));
2267
2268 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2269 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2270 } else {
2271 struct smp_cmd_security_req cp;
2272 cp.auth_req = authreq;
2273 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2274 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2275 }
2276
2277 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2278 ret = 0;
2279
2280 unlock:
2281 l2cap_chan_unlock(chan);
2282 return ret;
2283 }
2284
2285 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2286 {
2287 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2288 struct l2cap_chan *chan = conn->smp;
2289 struct smp_chan *smp = chan->data;
2290
2291 BT_DBG("conn %p", conn);
2292
2293 if (skb->len < sizeof(*rp))
2294 return SMP_INVALID_PARAMS;
2295
2296 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2297
2298 skb_pull(skb, sizeof(*rp));
2299
2300 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2301
2302 return 0;
2303 }
2304
2305 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2306 {
2307 struct smp_cmd_master_ident *rp = (void *) skb->data;
2308 struct l2cap_chan *chan = conn->smp;
2309 struct smp_chan *smp = chan->data;
2310 struct hci_dev *hdev = conn->hcon->hdev;
2311 struct hci_conn *hcon = conn->hcon;
2312 struct smp_ltk *ltk;
2313 u8 authenticated;
2314
2315 BT_DBG("conn %p", conn);
2316
2317 if (skb->len < sizeof(*rp))
2318 return SMP_INVALID_PARAMS;
2319
2320 /* Mark the information as received */
2321 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2322
2323 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2324 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2325 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2326 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2327
2328 skb_pull(skb, sizeof(*rp));
2329
2330 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2331 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2332 authenticated, smp->tk, smp->enc_key_size,
2333 rp->ediv, rp->rand);
2334 smp->ltk = ltk;
2335 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2336 smp_distribute_keys(smp);
2337
2338 return 0;
2339 }
2340
2341 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2342 {
2343 struct smp_cmd_ident_info *info = (void *) skb->data;
2344 struct l2cap_chan *chan = conn->smp;
2345 struct smp_chan *smp = chan->data;
2346
2347 BT_DBG("");
2348
2349 if (skb->len < sizeof(*info))
2350 return SMP_INVALID_PARAMS;
2351
2352 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2353
2354 skb_pull(skb, sizeof(*info));
2355
2356 memcpy(smp->irk, info->irk, 16);
2357
2358 return 0;
2359 }
2360
2361 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2362 struct sk_buff *skb)
2363 {
2364 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2365 struct l2cap_chan *chan = conn->smp;
2366 struct smp_chan *smp = chan->data;
2367 struct hci_conn *hcon = conn->hcon;
2368 bdaddr_t rpa;
2369
2370 BT_DBG("");
2371
2372 if (skb->len < sizeof(*info))
2373 return SMP_INVALID_PARAMS;
2374
2375 /* Mark the information as received */
2376 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2377
2378 if (smp->remote_key_dist & SMP_DIST_SIGN)
2379 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2380
2381 skb_pull(skb, sizeof(*info));
2382
2383 /* Strictly speaking the Core Specification (4.1) allows sending
2384 * an empty address which would force us to rely on just the IRK
2385 * as "identity information". However, since such
2386 * implementations are not known of and in order to not over
2387 * complicate our implementation, simply pretend that we never
2388 * received an IRK for such a device.
2389 *
2390 * The Identity Address must also be a Static Random or Public
2391 * Address, which hci_is_identity_address() checks for.
2392 */
2393 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2394 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2395 BT_ERR("Ignoring IRK with no identity address");
2396 goto distribute;
2397 }
2398
2399 bacpy(&smp->id_addr, &info->bdaddr);
2400 smp->id_addr_type = info->addr_type;
2401
2402 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2403 bacpy(&rpa, &hcon->dst);
2404 else
2405 bacpy(&rpa, BDADDR_ANY);
2406
2407 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2408 smp->id_addr_type, smp->irk, &rpa);
2409
2410 distribute:
2411 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2412 smp_distribute_keys(smp);
2413
2414 return 0;
2415 }
2416
2417 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2418 {
2419 struct smp_cmd_sign_info *rp = (void *) skb->data;
2420 struct l2cap_chan *chan = conn->smp;
2421 struct smp_chan *smp = chan->data;
2422 struct smp_csrk *csrk;
2423
2424 BT_DBG("conn %p", conn);
2425
2426 if (skb->len < sizeof(*rp))
2427 return SMP_INVALID_PARAMS;
2428
2429 /* Mark the information as received */
2430 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2431
2432 skb_pull(skb, sizeof(*rp));
2433
2434 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2435 if (csrk) {
2436 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2437 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2438 else
2439 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2440 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2441 }
2442 smp->csrk = csrk;
2443 smp_distribute_keys(smp);
2444
2445 return 0;
2446 }
2447
2448 static u8 sc_select_method(struct smp_chan *smp)
2449 {
2450 struct l2cap_conn *conn = smp->conn;
2451 struct hci_conn *hcon = conn->hcon;
2452 struct smp_cmd_pairing *local, *remote;
2453 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2454
2455 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2456 return REQ_OOB;
2457
2458 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2459 * which are needed as inputs to some crypto functions. To get
2460 * the "struct smp_cmd_pairing" from them we need to skip the
2461 * first byte which contains the opcode.
2462 */
2463 if (hcon->out) {
2464 local = (void *) &smp->preq[1];
2465 remote = (void *) &smp->prsp[1];
2466 } else {
2467 local = (void *) &smp->prsp[1];
2468 remote = (void *) &smp->preq[1];
2469 }
2470
2471 local_io = local->io_capability;
2472 remote_io = remote->io_capability;
2473
2474 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2475 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2476
2477 /* If either side wants MITM, look up the method from the table,
2478 * otherwise use JUST WORKS.
2479 */
2480 if (local_mitm || remote_mitm)
2481 method = get_auth_method(smp, local_io, remote_io);
2482 else
2483 method = JUST_WORKS;
2484
2485 /* Don't confirm locally initiated pairing attempts */
2486 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2487 method = JUST_WORKS;
2488
2489 return method;
2490 }
2491
2492 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2493 {
2494 struct smp_cmd_public_key *key = (void *) skb->data;
2495 struct hci_conn *hcon = conn->hcon;
2496 struct l2cap_chan *chan = conn->smp;
2497 struct smp_chan *smp = chan->data;
2498 struct hci_dev *hdev = hcon->hdev;
2499 struct smp_cmd_pairing_confirm cfm;
2500 int err;
2501
2502 BT_DBG("conn %p", conn);
2503
2504 if (skb->len < sizeof(*key))
2505 return SMP_INVALID_PARAMS;
2506
2507 memcpy(smp->remote_pk, key, 64);
2508
2509 /* Non-initiating device sends its public key after receiving
2510 * the key from the initiating device.
2511 */
2512 if (!hcon->out) {
2513 err = sc_send_public_key(smp);
2514 if (err)
2515 return err;
2516 }
2517
2518 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2519 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2520
2521 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2522 return SMP_UNSPECIFIED;
2523
2524 SMP_DBG("DHKey %32phN", smp->dhkey);
2525
2526 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2527
2528 smp->method = sc_select_method(smp);
2529
2530 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2531
2532 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2533 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2534 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2535 else
2536 hcon->pending_sec_level = BT_SECURITY_FIPS;
2537
2538 if (!memcmp(debug_pk, smp->remote_pk, 64))
2539 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2540
2541 if (smp->method == DSP_PASSKEY) {
2542 get_random_bytes(&hcon->passkey_notify,
2543 sizeof(hcon->passkey_notify));
2544 hcon->passkey_notify %= 1000000;
2545 hcon->passkey_entered = 0;
2546 smp->passkey_round = 0;
2547 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2548 hcon->dst_type,
2549 hcon->passkey_notify,
2550 hcon->passkey_entered))
2551 return SMP_UNSPECIFIED;
2552 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2553 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2554 }
2555
2556 if (smp->method == REQ_OOB) {
2557 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2558 smp->rr, 0, cfm.confirm_val);
2559 if (err)
2560 return SMP_UNSPECIFIED;
2561
2562 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2563 return SMP_CONFIRM_FAILED;
2564
2565 if (hcon->out)
2566 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2567 sizeof(smp->prnd), smp->prnd);
2568
2569 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2570
2571 return 0;
2572 }
2573
2574 if (hcon->out)
2575 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2576
2577 if (smp->method == REQ_PASSKEY) {
2578 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2579 hcon->dst_type))
2580 return SMP_UNSPECIFIED;
2581 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2582 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2583 return 0;
2584 }
2585
2586 /* The Initiating device waits for the non-initiating device to
2587 * send the confirm value.
2588 */
2589 if (conn->hcon->out)
2590 return 0;
2591
2592 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2593 0, cfm.confirm_val);
2594 if (err)
2595 return SMP_UNSPECIFIED;
2596
2597 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2598 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2599
2600 return 0;
2601 }
2602
2603 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2604 {
2605 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2606 struct l2cap_chan *chan = conn->smp;
2607 struct hci_conn *hcon = conn->hcon;
2608 struct smp_chan *smp = chan->data;
2609 u8 a[7], b[7], *local_addr, *remote_addr;
2610 u8 io_cap[3], r[16], e[16];
2611 int err;
2612
2613 BT_DBG("conn %p", conn);
2614
2615 if (skb->len < sizeof(*check))
2616 return SMP_INVALID_PARAMS;
2617
2618 memcpy(a, &hcon->init_addr, 6);
2619 memcpy(b, &hcon->resp_addr, 6);
2620 a[6] = hcon->init_addr_type;
2621 b[6] = hcon->resp_addr_type;
2622
2623 if (hcon->out) {
2624 local_addr = a;
2625 remote_addr = b;
2626 memcpy(io_cap, &smp->prsp[1], 3);
2627 } else {
2628 local_addr = b;
2629 remote_addr = a;
2630 memcpy(io_cap, &smp->preq[1], 3);
2631 }
2632
2633 memset(r, 0, sizeof(r));
2634
2635 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2636 put_unaligned_le32(hcon->passkey_notify, r);
2637
2638 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2639 io_cap, remote_addr, local_addr, e);
2640 if (err)
2641 return SMP_UNSPECIFIED;
2642
2643 if (memcmp(check->e, e, 16))
2644 return SMP_DHKEY_CHECK_FAILED;
2645
2646 if (!hcon->out) {
2647 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2648 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2649 return 0;
2650 }
2651
2652 /* Slave sends DHKey check as response to master */
2653 sc_dhkey_check(smp);
2654 }
2655
2656 sc_add_ltk(smp);
2657
2658 if (hcon->out) {
2659 hci_le_start_enc(hcon, 0, 0, smp->tk);
2660 hcon->enc_key_size = smp->enc_key_size;
2661 }
2662
2663 return 0;
2664 }
2665
2666 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2667 struct sk_buff *skb)
2668 {
2669 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2670
2671 BT_DBG("value 0x%02x", kp->value);
2672
2673 return 0;
2674 }
2675
2676 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2677 {
2678 struct l2cap_conn *conn = chan->conn;
2679 struct hci_conn *hcon = conn->hcon;
2680 struct smp_chan *smp;
2681 __u8 code, reason;
2682 int err = 0;
2683
2684 if (skb->len < 1)
2685 return -EILSEQ;
2686
2687 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2688 reason = SMP_PAIRING_NOTSUPP;
2689 goto done;
2690 }
2691
2692 code = skb->data[0];
2693 skb_pull(skb, sizeof(code));
2694
2695 smp = chan->data;
2696
2697 if (code > SMP_CMD_MAX)
2698 goto drop;
2699
2700 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2701 goto drop;
2702
2703 /* If we don't have a context the only allowed commands are
2704 * pairing request and security request.
2705 */
2706 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2707 goto drop;
2708
2709 switch (code) {
2710 case SMP_CMD_PAIRING_REQ:
2711 reason = smp_cmd_pairing_req(conn, skb);
2712 break;
2713
2714 case SMP_CMD_PAIRING_FAIL:
2715 smp_failure(conn, 0);
2716 err = -EPERM;
2717 break;
2718
2719 case SMP_CMD_PAIRING_RSP:
2720 reason = smp_cmd_pairing_rsp(conn, skb);
2721 break;
2722
2723 case SMP_CMD_SECURITY_REQ:
2724 reason = smp_cmd_security_req(conn, skb);
2725 break;
2726
2727 case SMP_CMD_PAIRING_CONFIRM:
2728 reason = smp_cmd_pairing_confirm(conn, skb);
2729 break;
2730
2731 case SMP_CMD_PAIRING_RANDOM:
2732 reason = smp_cmd_pairing_random(conn, skb);
2733 break;
2734
2735 case SMP_CMD_ENCRYPT_INFO:
2736 reason = smp_cmd_encrypt_info(conn, skb);
2737 break;
2738
2739 case SMP_CMD_MASTER_IDENT:
2740 reason = smp_cmd_master_ident(conn, skb);
2741 break;
2742
2743 case SMP_CMD_IDENT_INFO:
2744 reason = smp_cmd_ident_info(conn, skb);
2745 break;
2746
2747 case SMP_CMD_IDENT_ADDR_INFO:
2748 reason = smp_cmd_ident_addr_info(conn, skb);
2749 break;
2750
2751 case SMP_CMD_SIGN_INFO:
2752 reason = smp_cmd_sign_info(conn, skb);
2753 break;
2754
2755 case SMP_CMD_PUBLIC_KEY:
2756 reason = smp_cmd_public_key(conn, skb);
2757 break;
2758
2759 case SMP_CMD_DHKEY_CHECK:
2760 reason = smp_cmd_dhkey_check(conn, skb);
2761 break;
2762
2763 case SMP_CMD_KEYPRESS_NOTIFY:
2764 reason = smp_cmd_keypress_notify(conn, skb);
2765 break;
2766
2767 default:
2768 BT_DBG("Unknown command code 0x%2.2x", code);
2769 reason = SMP_CMD_NOTSUPP;
2770 goto done;
2771 }
2772
2773 done:
2774 if (!err) {
2775 if (reason)
2776 smp_failure(conn, reason);
2777 kfree_skb(skb);
2778 }
2779
2780 return err;
2781
2782 drop:
2783 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2784 code, &hcon->dst);
2785 kfree_skb(skb);
2786 return 0;
2787 }
2788
2789 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2790 {
2791 struct l2cap_conn *conn = chan->conn;
2792
2793 BT_DBG("chan %p", chan);
2794
2795 if (chan->data)
2796 smp_chan_destroy(conn);
2797
2798 conn->smp = NULL;
2799 l2cap_chan_put(chan);
2800 }
2801
2802 static void bredr_pairing(struct l2cap_chan *chan)
2803 {
2804 struct l2cap_conn *conn = chan->conn;
2805 struct hci_conn *hcon = conn->hcon;
2806 struct hci_dev *hdev = hcon->hdev;
2807 struct smp_cmd_pairing req;
2808 struct smp_chan *smp;
2809
2810 BT_DBG("chan %p", chan);
2811
2812 /* Only new pairings are interesting */
2813 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2814 return;
2815
2816 /* Don't bother if we're not encrypted */
2817 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2818 return;
2819
2820 /* Only master may initiate SMP over BR/EDR */
2821 if (hcon->role != HCI_ROLE_MASTER)
2822 return;
2823
2824 /* Secure Connections support must be enabled */
2825 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2826 return;
2827
2828 /* BR/EDR must use Secure Connections for SMP */
2829 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2830 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2831 return;
2832
2833 /* If our LE support is not enabled don't do anything */
2834 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2835 return;
2836
2837 /* Don't bother if remote LE support is not enabled */
2838 if (!lmp_host_le_capable(hcon))
2839 return;
2840
2841 /* Remote must support SMP fixed chan for BR/EDR */
2842 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2843 return;
2844
2845 /* Don't bother if SMP is already ongoing */
2846 if (chan->data)
2847 return;
2848
2849 smp = smp_chan_create(conn);
2850 if (!smp) {
2851 BT_ERR("%s unable to create SMP context for BR/EDR",
2852 hdev->name);
2853 return;
2854 }
2855
2856 set_bit(SMP_FLAG_SC, &smp->flags);
2857
2858 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2859
2860 /* Prepare and send the BR/EDR SMP Pairing Request */
2861 build_bredr_pairing_cmd(smp, &req, NULL);
2862
2863 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2864 memcpy(&smp->preq[1], &req, sizeof(req));
2865
2866 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2867 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2868 }
2869
2870 static void smp_resume_cb(struct l2cap_chan *chan)
2871 {
2872 struct smp_chan *smp = chan->data;
2873 struct l2cap_conn *conn = chan->conn;
2874 struct hci_conn *hcon = conn->hcon;
2875
2876 BT_DBG("chan %p", chan);
2877
2878 if (hcon->type == ACL_LINK) {
2879 bredr_pairing(chan);
2880 return;
2881 }
2882
2883 if (!smp)
2884 return;
2885
2886 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2887 return;
2888
2889 cancel_delayed_work(&smp->security_timer);
2890
2891 smp_distribute_keys(smp);
2892 }
2893
2894 static void smp_ready_cb(struct l2cap_chan *chan)
2895 {
2896 struct l2cap_conn *conn = chan->conn;
2897 struct hci_conn *hcon = conn->hcon;
2898
2899 BT_DBG("chan %p", chan);
2900
2901 conn->smp = chan;
2902 l2cap_chan_hold(chan);
2903
2904 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2905 bredr_pairing(chan);
2906 }
2907
2908 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2909 {
2910 int err;
2911
2912 BT_DBG("chan %p", chan);
2913
2914 err = smp_sig_channel(chan, skb);
2915 if (err) {
2916 struct smp_chan *smp = chan->data;
2917
2918 if (smp)
2919 cancel_delayed_work_sync(&smp->security_timer);
2920
2921 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2922 }
2923
2924 return err;
2925 }
2926
2927 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2928 unsigned long hdr_len,
2929 unsigned long len, int nb)
2930 {
2931 struct sk_buff *skb;
2932
2933 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2934 if (!skb)
2935 return ERR_PTR(-ENOMEM);
2936
2937 skb->priority = HCI_PRIO_MAX;
2938 bt_cb(skb)->chan = chan;
2939
2940 return skb;
2941 }
2942
2943 static const struct l2cap_ops smp_chan_ops = {
2944 .name = "Security Manager",
2945 .ready = smp_ready_cb,
2946 .recv = smp_recv_cb,
2947 .alloc_skb = smp_alloc_skb_cb,
2948 .teardown = smp_teardown_cb,
2949 .resume = smp_resume_cb,
2950
2951 .new_connection = l2cap_chan_no_new_connection,
2952 .state_change = l2cap_chan_no_state_change,
2953 .close = l2cap_chan_no_close,
2954 .defer = l2cap_chan_no_defer,
2955 .suspend = l2cap_chan_no_suspend,
2956 .set_shutdown = l2cap_chan_no_set_shutdown,
2957 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2958 };
2959
2960 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2961 {
2962 struct l2cap_chan *chan;
2963
2964 BT_DBG("pchan %p", pchan);
2965
2966 chan = l2cap_chan_create();
2967 if (!chan)
2968 return NULL;
2969
2970 chan->chan_type = pchan->chan_type;
2971 chan->ops = &smp_chan_ops;
2972 chan->scid = pchan->scid;
2973 chan->dcid = chan->scid;
2974 chan->imtu = pchan->imtu;
2975 chan->omtu = pchan->omtu;
2976 chan->mode = pchan->mode;
2977
2978 /* Other L2CAP channels may request SMP routines in order to
2979 * change the security level. This means that the SMP channel
2980 * lock must be considered in its own category to avoid lockdep
2981 * warnings.
2982 */
2983 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2984
2985 BT_DBG("created chan %p", chan);
2986
2987 return chan;
2988 }
2989
2990 static const struct l2cap_ops smp_root_chan_ops = {
2991 .name = "Security Manager Root",
2992 .new_connection = smp_new_conn_cb,
2993
2994 /* None of these are implemented for the root channel */
2995 .close = l2cap_chan_no_close,
2996 .alloc_skb = l2cap_chan_no_alloc_skb,
2997 .recv = l2cap_chan_no_recv,
2998 .state_change = l2cap_chan_no_state_change,
2999 .teardown = l2cap_chan_no_teardown,
3000 .ready = l2cap_chan_no_ready,
3001 .defer = l2cap_chan_no_defer,
3002 .suspend = l2cap_chan_no_suspend,
3003 .resume = l2cap_chan_no_resume,
3004 .set_shutdown = l2cap_chan_no_set_shutdown,
3005 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3006 };
3007
3008 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3009 {
3010 struct l2cap_chan *chan;
3011 struct smp_dev *smp;
3012 struct crypto_blkcipher *tfm_aes;
3013 struct crypto_hash *tfm_cmac;
3014
3015 if (cid == L2CAP_CID_SMP_BREDR) {
3016 smp = NULL;
3017 goto create_chan;
3018 }
3019
3020 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3021 if (!smp)
3022 return ERR_PTR(-ENOMEM);
3023
3024 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3025 if (IS_ERR(tfm_aes)) {
3026 BT_ERR("Unable to create ECB crypto context");
3027 kzfree(smp);
3028 return ERR_CAST(tfm_aes);
3029 }
3030
3031 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3032 if (IS_ERR(tfm_cmac)) {
3033 BT_ERR("Unable to create CMAC crypto context");
3034 crypto_free_blkcipher(tfm_aes);
3035 kzfree(smp);
3036 return ERR_CAST(tfm_cmac);
3037 }
3038
3039 smp->tfm_aes = tfm_aes;
3040 smp->tfm_cmac = tfm_cmac;
3041
3042 create_chan:
3043 chan = l2cap_chan_create();
3044 if (!chan) {
3045 crypto_free_blkcipher(smp->tfm_aes);
3046 crypto_free_hash(smp->tfm_cmac);
3047 kzfree(smp);
3048 return ERR_PTR(-ENOMEM);
3049 }
3050
3051 chan->data = smp;
3052
3053 l2cap_add_scid(chan, cid);
3054
3055 l2cap_chan_set_defaults(chan);
3056
3057 if (cid == L2CAP_CID_SMP) {
3058 u8 bdaddr_type;
3059
3060 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3061
3062 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3063 chan->src_type = BDADDR_LE_PUBLIC;
3064 else
3065 chan->src_type = BDADDR_LE_RANDOM;
3066 } else {
3067 bacpy(&chan->src, &hdev->bdaddr);
3068 chan->src_type = BDADDR_BREDR;
3069 }
3070
3071 chan->state = BT_LISTEN;
3072 chan->mode = L2CAP_MODE_BASIC;
3073 chan->imtu = L2CAP_DEFAULT_MTU;
3074 chan->ops = &smp_root_chan_ops;
3075
3076 /* Set correct nesting level for a parent/listening channel */
3077 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3078
3079 return chan;
3080 }
3081
3082 static void smp_del_chan(struct l2cap_chan *chan)
3083 {
3084 struct smp_dev *smp;
3085
3086 BT_DBG("chan %p", chan);
3087
3088 smp = chan->data;
3089 if (smp) {
3090 chan->data = NULL;
3091 if (smp->tfm_aes)
3092 crypto_free_blkcipher(smp->tfm_aes);
3093 if (smp->tfm_cmac)
3094 crypto_free_hash(smp->tfm_cmac);
3095 kzfree(smp);
3096 }
3097
3098 l2cap_chan_put(chan);
3099 }
3100
3101 static ssize_t force_bredr_smp_read(struct file *file,
3102 char __user *user_buf,
3103 size_t count, loff_t *ppos)
3104 {
3105 struct hci_dev *hdev = file->private_data;
3106 char buf[3];
3107
3108 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3109 buf[1] = '\n';
3110 buf[2] = '\0';
3111 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3112 }
3113
3114 static ssize_t force_bredr_smp_write(struct file *file,
3115 const char __user *user_buf,
3116 size_t count, loff_t *ppos)
3117 {
3118 struct hci_dev *hdev = file->private_data;
3119 char buf[32];
3120 size_t buf_size = min(count, (sizeof(buf)-1));
3121 bool enable;
3122
3123 if (copy_from_user(buf, user_buf, buf_size))
3124 return -EFAULT;
3125
3126 buf[buf_size] = '\0';
3127 if (strtobool(buf, &enable))
3128 return -EINVAL;
3129
3130 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3131 return -EALREADY;
3132
3133 if (enable) {
3134 struct l2cap_chan *chan;
3135
3136 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3137 if (IS_ERR(chan))
3138 return PTR_ERR(chan);
3139
3140 hdev->smp_bredr_data = chan;
3141 } else {
3142 struct l2cap_chan *chan;
3143
3144 chan = hdev->smp_bredr_data;
3145 hdev->smp_bredr_data = NULL;
3146 smp_del_chan(chan);
3147 }
3148
3149 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3150
3151 return count;
3152 }
3153
3154 static const struct file_operations force_bredr_smp_fops = {
3155 .open = simple_open,
3156 .read = force_bredr_smp_read,
3157 .write = force_bredr_smp_write,
3158 .llseek = default_llseek,
3159 };
3160
3161 int smp_register(struct hci_dev *hdev)
3162 {
3163 struct l2cap_chan *chan;
3164
3165 BT_DBG("%s", hdev->name);
3166
3167 /* If the controller does not support Low Energy operation, then
3168 * there is also no need to register any SMP channel.
3169 */
3170 if (!lmp_le_capable(hdev))
3171 return 0;
3172
3173 if (WARN_ON(hdev->smp_data)) {
3174 chan = hdev->smp_data;
3175 hdev->smp_data = NULL;
3176 smp_del_chan(chan);
3177 }
3178
3179 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3180 if (IS_ERR(chan))
3181 return PTR_ERR(chan);
3182
3183 hdev->smp_data = chan;
3184
3185 /* If the controller does not support BR/EDR Secure Connections
3186 * feature, then the BR/EDR SMP channel shall not be present.
3187 *
3188 * To test this with Bluetooth 4.0 controllers, create a debugfs
3189 * switch that allows forcing BR/EDR SMP support and accepting
3190 * cross-transport pairing on non-AES encrypted connections.
3191 */
3192 if (!lmp_sc_capable(hdev)) {
3193 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3194 hdev, &force_bredr_smp_fops);
3195 return 0;
3196 }
3197
3198 if (WARN_ON(hdev->smp_bredr_data)) {
3199 chan = hdev->smp_bredr_data;
3200 hdev->smp_bredr_data = NULL;
3201 smp_del_chan(chan);
3202 }
3203
3204 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3205 if (IS_ERR(chan)) {
3206 int err = PTR_ERR(chan);
3207 chan = hdev->smp_data;
3208 hdev->smp_data = NULL;
3209 smp_del_chan(chan);
3210 return err;
3211 }
3212
3213 hdev->smp_bredr_data = chan;
3214
3215 return 0;
3216 }
3217
3218 void smp_unregister(struct hci_dev *hdev)
3219 {
3220 struct l2cap_chan *chan;
3221
3222 if (hdev->smp_bredr_data) {
3223 chan = hdev->smp_bredr_data;
3224 hdev->smp_bredr_data = NULL;
3225 smp_del_chan(chan);
3226 }
3227
3228 if (hdev->smp_data) {
3229 chan = hdev->smp_data;
3230 hdev->smp_data = NULL;
3231 smp_del_chan(chan);
3232 }
3233 }
3234
3235 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3236
3237 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3238 {
3239 const u8 irk[16] = {
3240 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3241 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3242 const u8 r[3] = { 0x94, 0x81, 0x70 };
3243 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3244 u8 res[3];
3245 int err;
3246
3247 err = smp_ah(tfm_aes, irk, r, res);
3248 if (err)
3249 return err;
3250
3251 if (memcmp(res, exp, 3))
3252 return -EINVAL;
3253
3254 return 0;
3255 }
3256
3257 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3258 {
3259 const u8 k[16] = {
3260 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3261 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3262 const u8 r[16] = {
3263 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3264 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3265 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3266 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3267 const u8 _iat = 0x01;
3268 const u8 _rat = 0x00;
3269 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3270 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3271 const u8 exp[16] = {
3272 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3273 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3274 u8 res[16];
3275 int err;
3276
3277 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3278 if (err)
3279 return err;
3280
3281 if (memcmp(res, exp, 16))
3282 return -EINVAL;
3283
3284 return 0;
3285 }
3286
3287 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3288 {
3289 const u8 k[16] = {
3290 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3291 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3292 const u8 r1[16] = {
3293 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3294 const u8 r2[16] = {
3295 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3296 const u8 exp[16] = {
3297 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3298 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3299 u8 res[16];
3300 int err;
3301
3302 err = smp_s1(tfm_aes, k, r1, r2, res);
3303 if (err)
3304 return err;
3305
3306 if (memcmp(res, exp, 16))
3307 return -EINVAL;
3308
3309 return 0;
3310 }
3311
3312 static int __init test_f4(struct crypto_hash *tfm_cmac)
3313 {
3314 const u8 u[32] = {
3315 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3316 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3317 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3318 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3319 const u8 v[32] = {
3320 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3321 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3322 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3323 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3324 const u8 x[16] = {
3325 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3326 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3327 const u8 z = 0x00;
3328 const u8 exp[16] = {
3329 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3330 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3331 u8 res[16];
3332 int err;
3333
3334 err = smp_f4(tfm_cmac, u, v, x, z, res);
3335 if (err)
3336 return err;
3337
3338 if (memcmp(res, exp, 16))
3339 return -EINVAL;
3340
3341 return 0;
3342 }
3343
3344 static int __init test_f5(struct crypto_hash *tfm_cmac)
3345 {
3346 const u8 w[32] = {
3347 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3348 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3349 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3350 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3351 const u8 n1[16] = {
3352 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3353 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3354 const u8 n2[16] = {
3355 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3356 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3357 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3358 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3359 const u8 exp_ltk[16] = {
3360 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3361 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3362 const u8 exp_mackey[16] = {
3363 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3364 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3365 u8 mackey[16], ltk[16];
3366 int err;
3367
3368 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3369 if (err)
3370 return err;
3371
3372 if (memcmp(mackey, exp_mackey, 16))
3373 return -EINVAL;
3374
3375 if (memcmp(ltk, exp_ltk, 16))
3376 return -EINVAL;
3377
3378 return 0;
3379 }
3380
3381 static int __init test_f6(struct crypto_hash *tfm_cmac)
3382 {
3383 const u8 w[16] = {
3384 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3385 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3386 const u8 n1[16] = {
3387 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3388 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3389 const u8 n2[16] = {
3390 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3391 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3392 const u8 r[16] = {
3393 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3394 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3395 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3396 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3397 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3398 const u8 exp[16] = {
3399 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3400 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3401 u8 res[16];
3402 int err;
3403
3404 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3405 if (err)
3406 return err;
3407
3408 if (memcmp(res, exp, 16))
3409 return -EINVAL;
3410
3411 return 0;
3412 }
3413
3414 static int __init test_g2(struct crypto_hash *tfm_cmac)
3415 {
3416 const u8 u[32] = {
3417 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3418 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3419 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3420 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3421 const u8 v[32] = {
3422 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3423 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3424 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3425 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3426 const u8 x[16] = {
3427 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3428 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3429 const u8 y[16] = {
3430 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3431 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3432 const u32 exp_val = 0x2f9ed5ba % 1000000;
3433 u32 val;
3434 int err;
3435
3436 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3437 if (err)
3438 return err;
3439
3440 if (val != exp_val)
3441 return -EINVAL;
3442
3443 return 0;
3444 }
3445
3446 static int __init test_h6(struct crypto_hash *tfm_cmac)
3447 {
3448 const u8 w[16] = {
3449 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3450 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3451 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3452 const u8 exp[16] = {
3453 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3454 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3455 u8 res[16];
3456 int err;
3457
3458 err = smp_h6(tfm_cmac, w, key_id, res);
3459 if (err)
3460 return err;
3461
3462 if (memcmp(res, exp, 16))
3463 return -EINVAL;
3464
3465 return 0;
3466 }
3467
3468 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3469 struct crypto_hash *tfm_cmac)
3470 {
3471 ktime_t calltime, delta, rettime;
3472 unsigned long long duration;
3473 int err;
3474
3475 calltime = ktime_get();
3476
3477 err = test_ah(tfm_aes);
3478 if (err) {
3479 BT_ERR("smp_ah test failed");
3480 return err;
3481 }
3482
3483 err = test_c1(tfm_aes);
3484 if (err) {
3485 BT_ERR("smp_c1 test failed");
3486 return err;
3487 }
3488
3489 err = test_s1(tfm_aes);
3490 if (err) {
3491 BT_ERR("smp_s1 test failed");
3492 return err;
3493 }
3494
3495 err = test_f4(tfm_cmac);
3496 if (err) {
3497 BT_ERR("smp_f4 test failed");
3498 return err;
3499 }
3500
3501 err = test_f5(tfm_cmac);
3502 if (err) {
3503 BT_ERR("smp_f5 test failed");
3504 return err;
3505 }
3506
3507 err = test_f6(tfm_cmac);
3508 if (err) {
3509 BT_ERR("smp_f6 test failed");
3510 return err;
3511 }
3512
3513 err = test_g2(tfm_cmac);
3514 if (err) {
3515 BT_ERR("smp_g2 test failed");
3516 return err;
3517 }
3518
3519 err = test_h6(tfm_cmac);
3520 if (err) {
3521 BT_ERR("smp_h6 test failed");
3522 return err;
3523 }
3524
3525 rettime = ktime_get();
3526 delta = ktime_sub(rettime, calltime);
3527 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3528
3529 BT_INFO("SMP test passed in %llu usecs", duration);
3530
3531 return 0;
3532 }
3533
3534 int __init bt_selftest_smp(void)
3535 {
3536 struct crypto_blkcipher *tfm_aes;
3537 struct crypto_hash *tfm_cmac;
3538 int err;
3539
3540 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3541 if (IS_ERR(tfm_aes)) {
3542 BT_ERR("Unable to create ECB crypto context");
3543 return PTR_ERR(tfm_aes);
3544 }
3545
3546 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3547 if (IS_ERR(tfm_cmac)) {
3548 BT_ERR("Unable to create CMAC crypto context");
3549 crypto_free_blkcipher(tfm_aes);
3550 return PTR_ERR(tfm_cmac);
3551 }
3552
3553 err = run_selftests(tfm_aes, tfm_cmac);
3554
3555 crypto_free_hash(tfm_cmac);
3556 crypto_free_blkcipher(tfm_aes);
3557
3558 return err;
3559 }
3560
3561 #endif
Linux kernel - Deliverables
This page took 0.105289 seconds and 6 git commands to generate.