projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Remove dead code
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "ecc.h"
34 #include "smp.h"
35
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
39 */
40 #ifdef DEBUG
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 ##__VA_ARGS__)
43 #else
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 ##__VA_ARGS__)
46 #endif
47
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
49
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
54
55 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
56 0x1f : 0x07)
57 #define KEY_DIST_MASK 0x07
58
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
61
62 enum {
63 SMP_FLAG_TK_VALID,
64 SMP_FLAG_CFM_PENDING,
65 SMP_FLAG_MITM_AUTH,
66 SMP_FLAG_COMPLETE,
67 SMP_FLAG_INITIATOR,
68 SMP_FLAG_SC,
69 SMP_FLAG_REMOTE_PK,
70 SMP_FLAG_DEBUG_KEY,
71 SMP_FLAG_WAIT_USER,
72 SMP_FLAG_DHKEY_PENDING,
73 SMP_FLAG_OOB,
74 };
75
76 struct smp_chan {
77 struct l2cap_conn *conn;
78 struct delayed_work security_timer;
79 unsigned long allow_cmd; /* Bitmask of allowed commands */
80
81 u8 preq[7]; /* SMP Pairing Request */
82 u8 prsp[7]; /* SMP Pairing Response */
83 u8 prnd[16]; /* SMP Pairing Random (local) */
84 u8 rrnd[16]; /* SMP Pairing Random (remote) */
85 u8 pcnf[16]; /* SMP Pairing Confirm */
86 u8 tk[16]; /* SMP Temporary Key */
87 u8 rr[16];
88 u8 enc_key_size;
89 u8 remote_key_dist;
90 bdaddr_t id_addr;
91 u8 id_addr_type;
92 u8 irk[16];
93 struct smp_csrk *csrk;
94 struct smp_csrk *slave_csrk;
95 struct smp_ltk *ltk;
96 struct smp_ltk *slave_ltk;
97 struct smp_irk *remote_irk;
98 u8 *link_key;
99 unsigned long flags;
100 u8 method;
101 u8 passkey_round;
102
103 /* Secure Connections variables */
104 u8 local_pk[64];
105 u8 local_sk[32];
106 u8 remote_pk[64];
107 u8 dhkey[32];
108 u8 mackey[16];
109
110 struct crypto_blkcipher *tfm_aes;
111 struct crypto_hash *tfm_cmac;
112 };
113
114 /* These debug key values are defined in the SMP section of the core
115 * specification. debug_pk is the public debug key and debug_sk the
116 * private debug key.
117 */
118 static const u8 debug_pk[64] = {
119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
123
124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
128 };
129
130 static const u8 debug_sk[32] = {
131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
135 };
136
137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
138 {
139 size_t i;
140
141 for (i = 0; i < len; i++)
142 dst[len - 1 - i] = src[i];
143 }
144
145 /* The following functions map to the LE SC SMP crypto functions
146 * AES-CMAC, f4, f5, f6, g2 and h6.
147 */
148
149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 size_t len, u8 mac[16])
151 {
152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 struct hash_desc desc;
154 struct scatterlist sg;
155 int err;
156
157 if (len > CMAC_MSG_MAX)
158 return -EFBIG;
159
160 if (!tfm) {
161 BT_ERR("tfm %p", tfm);
162 return -EINVAL;
163 }
164
165 desc.tfm = tfm;
166 desc.flags = 0;
167
168 crypto_hash_init(&desc);
169
170 /* Swap key and message from LSB to MSB */
171 swap_buf(k, tmp, 16);
172 swap_buf(m, msg_msb, len);
173
174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 SMP_DBG("key %16phN", k);
176
177 err = crypto_hash_setkey(tfm, tmp, 16);
178 if (err) {
179 BT_ERR("cipher setkey failed: %d", err);
180 return err;
181 }
182
183 sg_init_one(&sg, msg_msb, len);
184
185 err = crypto_hash_update(&desc, &sg, len);
186 if (err) {
187 BT_ERR("Hash update error %d", err);
188 return err;
189 }
190
191 err = crypto_hash_final(&desc, mac_msb);
192 if (err) {
193 BT_ERR("Hash final error %d", err);
194 return err;
195 }
196
197 swap_buf(mac_msb, mac, 16);
198
199 SMP_DBG("mac %16phN", mac);
200
201 return 0;
202 }
203
204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 const u8 x[16], u8 z, u8 res[16])
206 {
207 u8 m[65];
208 int err;
209
210 SMP_DBG("u %32phN", u);
211 SMP_DBG("v %32phN", v);
212 SMP_DBG("x %16phN z %02x", x, z);
213
214 m[0] = z;
215 memcpy(m + 1, v, 32);
216 memcpy(m + 33, u, 32);
217
218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
219 if (err)
220 return err;
221
222 SMP_DBG("res %16phN", res);
223
224 return err;
225 }
226
227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 const u8 a2[7], u8 mackey[16], u8 ltk[16])
230 {
231 /* The btle, salt and length "magic" values are as defined in
232 * the SMP section of the Bluetooth core specification. In ASCII
233 * the btle value ends up being 'btle'. The salt is just a
234 * random number whereas length is the value 256 in little
235 * endian format.
236 */
237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 const u8 length[2] = { 0x00, 0x01 };
241 u8 m[53], t[16];
242 int err;
243
244 SMP_DBG("w %32phN", w);
245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
247
248 err = aes_cmac(tfm_cmac, salt, w, 32, t);
249 if (err)
250 return err;
251
252 SMP_DBG("t %16phN", t);
253
254 memcpy(m, length, 2);
255 memcpy(m + 2, a2, 7);
256 memcpy(m + 9, a1, 7);
257 memcpy(m + 16, n2, 16);
258 memcpy(m + 32, n1, 16);
259 memcpy(m + 48, btle, 4);
260
261 m[52] = 0; /* Counter */
262
263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
264 if (err)
265 return err;
266
267 SMP_DBG("mackey %16phN", mackey);
268
269 m[52] = 1; /* Counter */
270
271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
272 if (err)
273 return err;
274
275 SMP_DBG("ltk %16phN", ltk);
276
277 return 0;
278 }
279
280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
281 const u8 n1[16], const u8 n2[16], const u8 r[16],
282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
283 u8 res[16])
284 {
285 u8 m[65];
286 int err;
287
288 SMP_DBG("w %16phN", w);
289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
291
292 memcpy(m, a2, 7);
293 memcpy(m + 7, a1, 7);
294 memcpy(m + 14, io_cap, 3);
295 memcpy(m + 17, r, 16);
296 memcpy(m + 33, n2, 16);
297 memcpy(m + 49, n1, 16);
298
299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
300 if (err)
301 return err;
302
303 SMP_DBG("res %16phN", res);
304
305 return err;
306 }
307
308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 const u8 x[16], const u8 y[16], u32 *val)
310 {
311 u8 m[80], tmp[16];
312 int err;
313
314 SMP_DBG("u %32phN", u);
315 SMP_DBG("v %32phN", v);
316 SMP_DBG("x %16phN y %16phN", x, y);
317
318 memcpy(m, y, 16);
319 memcpy(m + 16, v, 32);
320 memcpy(m + 48, u, 32);
321
322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
323 if (err)
324 return err;
325
326 *val = get_unaligned_le32(tmp);
327 *val %= 1000000;
328
329 SMP_DBG("val %06u", *val);
330
331 return 0;
332 }
333
334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 const u8 key_id[4], u8 res[16])
336 {
337 int err;
338
339 SMP_DBG("w %16phN key_id %4phN", w, key_id);
340
341 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
342 if (err)
343 return err;
344
345 SMP_DBG("res %16phN", res);
346
347 return err;
348 }
349
350 /* The following functions map to the legacy SMP crypto functions e, c1,
351 * s1 and ah.
352 */
353
354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
355 {
356 struct blkcipher_desc desc;
357 struct scatterlist sg;
358 uint8_t tmp[16], data[16];
359 int err;
360
361 if (!tfm) {
362 BT_ERR("tfm %p", tfm);
363 return -EINVAL;
364 }
365
366 desc.tfm = tfm;
367 desc.flags = 0;
368
369 /* The most significant octet of key corresponds to k[0] */
370 swap_buf(k, tmp, 16);
371
372 err = crypto_blkcipher_setkey(tfm, tmp, 16);
373 if (err) {
374 BT_ERR("cipher setkey failed: %d", err);
375 return err;
376 }
377
378 /* Most significant octet of plaintextData corresponds to data[0] */
379 swap_buf(r, data, 16);
380
381 sg_init_one(&sg, data, 16);
382
383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
384 if (err)
385 BT_ERR("Encrypt data error %d", err);
386
387 /* Most significant octet of encryptedData corresponds to data[0] */
388 swap_buf(data, r, 16);
389
390 return err;
391 }
392
393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
396 {
397 u8 p1[16], p2[16];
398 int err;
399
400 memset(p1, 0, 16);
401
402 /* p1 = pres || preq || _rat || _iat */
403 p1[0] = _iat;
404 p1[1] = _rat;
405 memcpy(p1 + 2, preq, 7);
406 memcpy(p1 + 9, pres, 7);
407
408 /* p2 = padding || ia || ra */
409 memcpy(p2, ra, 6);
410 memcpy(p2 + 6, ia, 6);
411 memset(p2 + 12, 0, 4);
412
413 /* res = r XOR p1 */
414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
415
416 /* res = e(k, res) */
417 err = smp_e(tfm_aes, k, res);
418 if (err) {
419 BT_ERR("Encrypt data error");
420 return err;
421 }
422
423 /* res = res XOR p2 */
424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
425
426 /* res = e(k, res) */
427 err = smp_e(tfm_aes, k, res);
428 if (err)
429 BT_ERR("Encrypt data error");
430
431 return err;
432 }
433
434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 const u8 r1[16], const u8 r2[16], u8 _r[16])
436 {
437 int err;
438
439 /* Just least significant octets from r1 and r2 are considered */
440 memcpy(_r, r2, 8);
441 memcpy(_r + 8, r1, 8);
442
443 err = smp_e(tfm_aes, k, _r);
444 if (err)
445 BT_ERR("Encrypt data error");
446
447 return err;
448 }
449
450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 const u8 r[3], u8 res[3])
452 {
453 u8 _res[16];
454 int err;
455
456 /* r' = padding || r */
457 memcpy(_res, r, 3);
458 memset(_res + 3, 0, 13);
459
460 err = smp_e(tfm, irk, _res);
461 if (err) {
462 BT_ERR("Encrypt error");
463 return err;
464 }
465
466 /* The output of the random address function ah is:
467 * ah(h, r) = e(k, r') mod 2^24
468 * The output of the security function e is then truncated to 24 bits
469 * by taking the least significant 24 bits of the output of e as the
470 * result of ah.
471 */
472 memcpy(res, _res, 3);
473
474 return 0;
475 }
476
477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 const bdaddr_t *bdaddr)
479 {
480 struct l2cap_chan *chan = hdev->smp_data;
481 struct crypto_blkcipher *tfm;
482 u8 hash[3];
483 int err;
484
485 if (!chan || !chan->data)
486 return false;
487
488 tfm = chan->data;
489
490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
491
492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
493 if (err)
494 return false;
495
496 return !memcmp(bdaddr->b, hash, 3);
497 }
498
499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
500 {
501 struct l2cap_chan *chan = hdev->smp_data;
502 struct crypto_blkcipher *tfm;
503 int err;
504
505 if (!chan || !chan->data)
506 return -EOPNOTSUPP;
507
508 tfm = chan->data;
509
510 get_random_bytes(&rpa->b[3], 3);
511
512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
513 rpa->b[5] |= 0x40; /* Set second most significant bit */
514
515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
516 if (err < 0)
517 return err;
518
519 BT_DBG("RPA %pMR", rpa);
520
521 return 0;
522 }
523
524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
525 {
526 struct l2cap_chan *chan = conn->smp;
527 struct smp_chan *smp;
528 struct kvec iv[2];
529 struct msghdr msg;
530
531 if (!chan)
532 return;
533
534 BT_DBG("code 0x%2.2x", code);
535
536 iv[0].iov_base = &code;
537 iv[0].iov_len = 1;
538
539 iv[1].iov_base = data;
540 iv[1].iov_len = len;
541
542 memset(&msg, 0, sizeof(msg));
543
544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
545
546 l2cap_chan_send(chan, &msg, 1 + len);
547
548 if (!chan->data)
549 return;
550
551 smp = chan->data;
552
553 cancel_delayed_work_sync(&smp->security_timer);
554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
555 }
556
557 static u8 authreq_to_seclevel(u8 authreq)
558 {
559 if (authreq & SMP_AUTH_MITM) {
560 if (authreq & SMP_AUTH_SC)
561 return BT_SECURITY_FIPS;
562 else
563 return BT_SECURITY_HIGH;
564 } else {
565 return BT_SECURITY_MEDIUM;
566 }
567 }
568
569 static __u8 seclevel_to_authreq(__u8 sec_level)
570 {
571 switch (sec_level) {
572 case BT_SECURITY_FIPS:
573 case BT_SECURITY_HIGH:
574 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 case BT_SECURITY_MEDIUM:
576 return SMP_AUTH_BONDING;
577 default:
578 return SMP_AUTH_NONE;
579 }
580 }
581
582 static void build_pairing_cmd(struct l2cap_conn *conn,
583 struct smp_cmd_pairing *req,
584 struct smp_cmd_pairing *rsp, __u8 authreq)
585 {
586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp = chan->data;
588 struct hci_conn *hcon = conn->hcon;
589 struct hci_dev *hdev = hcon->hdev;
590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
591
592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
595 authreq |= SMP_AUTH_BONDING;
596 } else {
597 authreq &= ~SMP_AUTH_BONDING;
598 }
599
600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 remote_dist |= SMP_DIST_ID_KEY;
602
603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 local_dist |= SMP_DIST_ID_KEY;
605
606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 (authreq & SMP_AUTH_SC)) {
608 struct oob_data *oob_data;
609 u8 bdaddr_type;
610
611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
612 local_dist |= SMP_DIST_LINK_KEY;
613 remote_dist |= SMP_DIST_LINK_KEY;
614 }
615
616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 bdaddr_type = BDADDR_LE_PUBLIC;
618 else
619 bdaddr_type = BDADDR_LE_RANDOM;
620
621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
622 bdaddr_type);
623 if (oob_data) {
624 set_bit(SMP_FLAG_OOB, &smp->flags);
625 oob_flag = SMP_OOB_PRESENT;
626 memcpy(smp->rr, oob_data->rand256, 16);
627 memcpy(smp->pcnf, oob_data->hash256, 16);
628 }
629
630 } else {
631 authreq &= ~SMP_AUTH_SC;
632 }
633
634 if (rsp == NULL) {
635 req->io_capability = conn->hcon->io_capability;
636 req->oob_flag = oob_flag;
637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
638 req->init_key_dist = local_dist;
639 req->resp_key_dist = remote_dist;
640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
641
642 smp->remote_key_dist = remote_dist;
643 return;
644 }
645
646 rsp->io_capability = conn->hcon->io_capability;
647 rsp->oob_flag = oob_flag;
648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
649 rsp->init_key_dist = req->init_key_dist & remote_dist;
650 rsp->resp_key_dist = req->resp_key_dist & local_dist;
651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
652
653 smp->remote_key_dist = rsp->init_key_dist;
654 }
655
656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
657 {
658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
660
661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
662 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
663 return SMP_ENC_KEY_SIZE;
664
665 smp->enc_key_size = max_key_size;
666
667 return 0;
668 }
669
670 static void smp_chan_destroy(struct l2cap_conn *conn)
671 {
672 struct l2cap_chan *chan = conn->smp;
673 struct smp_chan *smp = chan->data;
674 struct hci_conn *hcon = conn->hcon;
675 bool complete;
676
677 BUG_ON(!smp);
678
679 cancel_delayed_work_sync(&smp->security_timer);
680
681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
682 mgmt_smp_complete(hcon, complete);
683
684 kfree(smp->csrk);
685 kfree(smp->slave_csrk);
686 kfree(smp->link_key);
687
688 crypto_free_blkcipher(smp->tfm_aes);
689 crypto_free_hash(smp->tfm_cmac);
690
691 /* Ensure that we don't leave any debug key around if debug key
692 * support hasn't been explicitly enabled.
693 */
694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 list_del_rcu(&smp->ltk->list);
697 kfree_rcu(smp->ltk, rcu);
698 smp->ltk = NULL;
699 }
700
701 /* If pairing failed clean up any keys we might have */
702 if (!complete) {
703 if (smp->ltk) {
704 list_del_rcu(&smp->ltk->list);
705 kfree_rcu(smp->ltk, rcu);
706 }
707
708 if (smp->slave_ltk) {
709 list_del_rcu(&smp->slave_ltk->list);
710 kfree_rcu(smp->slave_ltk, rcu);
711 }
712
713 if (smp->remote_irk) {
714 list_del_rcu(&smp->remote_irk->list);
715 kfree_rcu(smp->remote_irk, rcu);
716 }
717 }
718
719 chan->data = NULL;
720 kfree(smp);
721 hci_conn_drop(hcon);
722 }
723
724 static void smp_failure(struct l2cap_conn *conn, u8 reason)
725 {
726 struct hci_conn *hcon = conn->hcon;
727 struct l2cap_chan *chan = conn->smp;
728
729 if (reason)
730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
731 &reason);
732
733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
735
736 if (chan->data)
737 smp_chan_destroy(conn);
738 }
739
740 #define JUST_WORKS 0x00
741 #define JUST_CFM 0x01
742 #define REQ_PASSKEY 0x02
743 #define CFM_PASSKEY 0x03
744 #define REQ_OOB 0x04
745 #define DSP_PASSKEY 0x05
746 #define OVERLAP 0xFF
747
748 static const u8 gen_method[5][5] = {
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
754 };
755
756 static const u8 sc_method[5][5] = {
757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
762 };
763
764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
765 {
766 /* If either side has unknown io_caps, use JUST_CFM (which gets
767 * converted later to JUST_WORKS if we're initiators.
768 */
769 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 remote_io > SMP_IO_KEYBOARD_DISPLAY)
771 return JUST_CFM;
772
773 if (test_bit(SMP_FLAG_SC, &smp->flags))
774 return sc_method[remote_io][local_io];
775
776 return gen_method[remote_io][local_io];
777 }
778
779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 u8 local_io, u8 remote_io)
781 {
782 struct hci_conn *hcon = conn->hcon;
783 struct l2cap_chan *chan = conn->smp;
784 struct smp_chan *smp = chan->data;
785 u32 passkey = 0;
786 int ret = 0;
787
788 /* Initialize key for JUST WORKS */
789 memset(smp->tk, 0, sizeof(smp->tk));
790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
791
792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
793
794 /* If neither side wants MITM, either "just" confirm an incoming
795 * request or use just-works for outgoing ones. The JUST_CFM
796 * will be converted to JUST_WORKS if necessary later in this
797 * function. If either side has MITM look up the method from the
798 * table.
799 */
800 if (!(auth & SMP_AUTH_MITM))
801 smp->method = JUST_CFM;
802 else
803 smp->method = get_auth_method(smp, local_io, remote_io);
804
805 /* Don't confirm locally initiated pairing attempts */
806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
807 &smp->flags))
808 smp->method = JUST_WORKS;
809
810 /* Don't bother user space with no IO capabilities */
811 if (smp->method == JUST_CFM &&
812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 smp->method = JUST_WORKS;
814
815 /* If Just Works, Continue with Zero TK */
816 if (smp->method == JUST_WORKS) {
817 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
818 return 0;
819 }
820
821 /* Not Just Works/Confirm results in MITM Authentication */
822 if (smp->method != JUST_CFM) {
823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
824 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 hcon->pending_sec_level = BT_SECURITY_HIGH;
826 }
827
828 /* If both devices have Keyoard-Display I/O, the master
829 * Confirms and the slave Enters the passkey.
830 */
831 if (smp->method == OVERLAP) {
832 if (hcon->role == HCI_ROLE_MASTER)
833 smp->method = CFM_PASSKEY;
834 else
835 smp->method = REQ_PASSKEY;
836 }
837
838 /* Generate random passkey. */
839 if (smp->method == CFM_PASSKEY) {
840 memset(smp->tk, 0, sizeof(smp->tk));
841 get_random_bytes(&passkey, sizeof(passkey));
842 passkey %= 1000000;
843 put_unaligned_le32(passkey, smp->tk);
844 BT_DBG("PassKey: %d", passkey);
845 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
846 }
847
848 if (smp->method == REQ_PASSKEY)
849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
850 hcon->type, hcon->dst_type);
851 else if (smp->method == JUST_CFM)
852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 hcon->type, hcon->dst_type,
854 passkey, 1);
855 else
856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
857 hcon->type, hcon->dst_type,
858 passkey, 0);
859
860 return ret;
861 }
862
863 static u8 smp_confirm(struct smp_chan *smp)
864 {
865 struct l2cap_conn *conn = smp->conn;
866 struct smp_cmd_pairing_confirm cp;
867 int ret;
868
869 BT_DBG("conn %p", conn);
870
871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
872 conn->hcon->init_addr_type, &conn->hcon->init_addr,
873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
874 cp.confirm_val);
875 if (ret)
876 return SMP_UNSPECIFIED;
877
878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
879
880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
881
882 if (conn->hcon->out)
883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
884 else
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
886
887 return 0;
888 }
889
890 static u8 smp_random(struct smp_chan *smp)
891 {
892 struct l2cap_conn *conn = smp->conn;
893 struct hci_conn *hcon = conn->hcon;
894 u8 confirm[16];
895 int ret;
896
897 if (IS_ERR_OR_NULL(smp->tfm_aes))
898 return SMP_UNSPECIFIED;
899
900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
901
902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
903 hcon->init_addr_type, &hcon->init_addr,
904 hcon->resp_addr_type, &hcon->resp_addr, confirm);
905 if (ret)
906 return SMP_UNSPECIFIED;
907
908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 BT_ERR("Pairing failed (confirmation values mismatch)");
910 return SMP_CONFIRM_FAILED;
911 }
912
913 if (hcon->out) {
914 u8 stk[16];
915 __le64 rand = 0;
916 __le16 ediv = 0;
917
918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
919
920 memset(stk + smp->enc_key_size, 0,
921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
922
923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 return SMP_UNSPECIFIED;
925
926 hci_le_start_enc(hcon, ediv, rand, stk);
927 hcon->enc_key_size = smp->enc_key_size;
928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
929 } else {
930 u8 stk[16], auth;
931 __le64 rand = 0;
932 __le16 ediv = 0;
933
934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
935 smp->prnd);
936
937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
938
939 memset(stk + smp->enc_key_size, 0,
940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
941
942 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
943 auth = 1;
944 else
945 auth = 0;
946
947 /* Even though there's no _SLAVE suffix this is the
948 * slave STK we're adding for later lookup (the master
949 * STK never needs to be stored).
950 */
951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
953 }
954
955 return 0;
956 }
957
958 static void smp_notify_keys(struct l2cap_conn *conn)
959 {
960 struct l2cap_chan *chan = conn->smp;
961 struct smp_chan *smp = chan->data;
962 struct hci_conn *hcon = conn->hcon;
963 struct hci_dev *hdev = hcon->hdev;
964 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
966 bool persistent;
967
968 if (smp->remote_irk) {
969 mgmt_new_irk(hdev, smp->remote_irk);
970 /* Now that user space can be considered to know the
971 * identity address track the connection based on it
972 * from now on (assuming this is an LE link).
973 */
974 if (hcon->type == LE_LINK) {
975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 hcon->dst_type = smp->remote_irk->addr_type;
977 queue_work(hdev->workqueue, &conn->id_addr_update_work);
978 }
979
980 /* When receiving an indentity resolving key for
981 * a remote device that does not use a resolvable
982 * private address, just remove the key so that
983 * it is possible to use the controller white
984 * list for scanning.
985 *
986 * Userspace will have been told to not store
987 * this key at this point. So it is safe to
988 * just remove it.
989 */
990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
991 list_del_rcu(&smp->remote_irk->list);
992 kfree_rcu(smp->remote_irk, rcu);
993 smp->remote_irk = NULL;
994 }
995 }
996
997 if (hcon->type == ACL_LINK) {
998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
999 persistent = false;
1000 else
1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1002 &hcon->flags);
1003 } else {
1004 /* The LTKs and CSRKs should be persistent only if both sides
1005 * had the bonding bit set in their authentication requests.
1006 */
1007 persistent = !!((req->auth_req & rsp->auth_req) &
1008 SMP_AUTH_BONDING);
1009 }
1010
1011
1012 if (smp->csrk) {
1013 smp->csrk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 mgmt_new_csrk(hdev, smp->csrk, persistent);
1016 }
1017
1018 if (smp->slave_csrk) {
1019 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1022 }
1023
1024 if (smp->ltk) {
1025 smp->ltk->bdaddr_type = hcon->dst_type;
1026 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 mgmt_new_ltk(hdev, smp->ltk, persistent);
1028 }
1029
1030 if (smp->slave_ltk) {
1031 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1034 }
1035
1036 if (smp->link_key) {
1037 struct link_key *key;
1038 u8 type;
1039
1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 type = HCI_LK_DEBUG_COMBINATION;
1042 else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 type = HCI_LK_AUTH_COMBINATION_P256;
1044 else
1045 type = HCI_LK_UNAUTH_COMBINATION_P256;
1046
1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 smp->link_key, type, 0, &persistent);
1049 if (key) {
1050 mgmt_new_link_key(hdev, key, persistent);
1051
1052 /* Don't keep debug keys around if the relevant
1053 * flag is not set.
1054 */
1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 key->type == HCI_LK_DEBUG_COMBINATION) {
1057 list_del_rcu(&key->list);
1058 kfree_rcu(key, rcu);
1059 }
1060 }
1061 }
1062 }
1063
1064 static void sc_add_ltk(struct smp_chan *smp)
1065 {
1066 struct hci_conn *hcon = smp->conn->hcon;
1067 u8 key_type, auth;
1068
1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 key_type = SMP_LTK_P256_DEBUG;
1071 else
1072 key_type = SMP_LTK_P256;
1073
1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1075 auth = 1;
1076 else
1077 auth = 0;
1078
1079 memset(smp->tk + smp->enc_key_size, 0,
1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1081
1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 key_type, auth, smp->tk, smp->enc_key_size,
1084 0, 0);
1085 }
1086
1087 static void sc_generate_link_key(struct smp_chan *smp)
1088 {
1089 /* These constants are as specified in the core specification.
1090 * In ASCII they spell out to 'tmp1' and 'lebr'.
1091 */
1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1094
1095 smp->link_key = kzalloc(16, GFP_KERNEL);
1096 if (!smp->link_key)
1097 return;
1098
1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 kfree(smp->link_key);
1101 smp->link_key = NULL;
1102 return;
1103 }
1104
1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 kfree(smp->link_key);
1107 smp->link_key = NULL;
1108 return;
1109 }
1110 }
1111
1112 static void smp_allow_key_dist(struct smp_chan *smp)
1113 {
1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 * will be allowed in each PDU handler to ensure we receive
1116 * them in the correct order.
1117 */
1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1124 }
1125
1126 static void sc_generate_ltk(struct smp_chan *smp)
1127 {
1128 /* These constants are as specified in the core specification.
1129 * In ASCII they spell out to 'tmp2' and 'brle'.
1130 */
1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 struct hci_conn *hcon = smp->conn->hcon;
1134 struct hci_dev *hdev = hcon->hdev;
1135 struct link_key *key;
1136
1137 key = hci_find_link_key(hdev, &hcon->dst);
1138 if (!key) {
1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1140 return;
1141 }
1142
1143 if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1145
1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1147 return;
1148
1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1150 return;
1151
1152 sc_add_ltk(smp);
1153 }
1154
1155 static void smp_distribute_keys(struct smp_chan *smp)
1156 {
1157 struct smp_cmd_pairing *req, *rsp;
1158 struct l2cap_conn *conn = smp->conn;
1159 struct hci_conn *hcon = conn->hcon;
1160 struct hci_dev *hdev = hcon->hdev;
1161 __u8 *keydist;
1162
1163 BT_DBG("conn %p", conn);
1164
1165 rsp = (void *) &smp->prsp[1];
1166
1167 /* The responder sends its keys first */
1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 smp_allow_key_dist(smp);
1170 return;
1171 }
1172
1173 req = (void *) &smp->preq[1];
1174
1175 if (hcon->out) {
1176 keydist = &rsp->init_key_dist;
1177 *keydist &= req->init_key_dist;
1178 } else {
1179 keydist = &rsp->resp_key_dist;
1180 *keydist &= req->resp_key_dist;
1181 }
1182
1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1185 sc_generate_link_key(smp);
1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 sc_generate_ltk(smp);
1188
1189 /* Clear the keys which are generated but not distributed */
1190 *keydist &= ~SMP_SC_NO_DIST;
1191 }
1192
1193 BT_DBG("keydist 0x%x", *keydist);
1194
1195 if (*keydist & SMP_DIST_ENC_KEY) {
1196 struct smp_cmd_encrypt_info enc;
1197 struct smp_cmd_master_ident ident;
1198 struct smp_ltk *ltk;
1199 u8 authenticated;
1200 __le16 ediv;
1201 __le64 rand;
1202
1203 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 get_random_bytes(&ediv, sizeof(ediv));
1205 get_random_bytes(&rand, sizeof(rand));
1206
1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1208
1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 smp->enc_key_size, ediv, rand);
1213 smp->slave_ltk = ltk;
1214
1215 ident.ediv = ediv;
1216 ident.rand = rand;
1217
1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1219
1220 *keydist &= ~SMP_DIST_ENC_KEY;
1221 }
1222
1223 if (*keydist & SMP_DIST_ID_KEY) {
1224 struct smp_cmd_ident_addr_info addrinfo;
1225 struct smp_cmd_ident_info idinfo;
1226
1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1228
1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1230
1231 /* The hci_conn contains the local identity address
1232 * after the connection has been established.
1233 *
1234 * This is true even when the connection has been
1235 * established using a resolvable random address.
1236 */
1237 bacpy(&addrinfo.bdaddr, &hcon->src);
1238 addrinfo.addr_type = hcon->src_type;
1239
1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1241 &addrinfo);
1242
1243 *keydist &= ~SMP_DIST_ID_KEY;
1244 }
1245
1246 if (*keydist & SMP_DIST_SIGN) {
1247 struct smp_cmd_sign_info sign;
1248 struct smp_csrk *csrk;
1249
1250 /* Generate a new random key */
1251 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1252
1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1254 if (csrk) {
1255 csrk->master = 0x00;
1256 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1257 }
1258 smp->slave_csrk = csrk;
1259
1260 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1261
1262 *keydist &= ~SMP_DIST_SIGN;
1263 }
1264
1265 /* If there are still keys to be received wait for them */
1266 if (smp->remote_key_dist & KEY_DIST_MASK) {
1267 smp_allow_key_dist(smp);
1268 return;
1269 }
1270
1271 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1272 smp_notify_keys(conn);
1273
1274 smp_chan_destroy(conn);
1275 }
1276
1277 static void smp_timeout(struct work_struct *work)
1278 {
1279 struct smp_chan *smp = container_of(work, struct smp_chan,
1280 security_timer.work);
1281 struct l2cap_conn *conn = smp->conn;
1282
1283 BT_DBG("conn %p", conn);
1284
1285 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1286 }
1287
1288 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1289 {
1290 struct l2cap_chan *chan = conn->smp;
1291 struct smp_chan *smp;
1292
1293 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1294 if (!smp)
1295 return NULL;
1296
1297 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1298 if (IS_ERR(smp->tfm_aes)) {
1299 BT_ERR("Unable to create ECB crypto context");
1300 kfree(smp);
1301 return NULL;
1302 }
1303
1304 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1305 if (IS_ERR(smp->tfm_cmac)) {
1306 BT_ERR("Unable to create CMAC crypto context");
1307 crypto_free_blkcipher(smp->tfm_aes);
1308 kfree(smp);
1309 return NULL;
1310 }
1311
1312 smp->conn = conn;
1313 chan->data = smp;
1314
1315 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1316
1317 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1318
1319 hci_conn_hold(conn->hcon);
1320
1321 return smp;
1322 }
1323
1324 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1325 {
1326 struct hci_conn *hcon = smp->conn->hcon;
1327 u8 *na, *nb, a[7], b[7];
1328
1329 if (hcon->out) {
1330 na = smp->prnd;
1331 nb = smp->rrnd;
1332 } else {
1333 na = smp->rrnd;
1334 nb = smp->prnd;
1335 }
1336
1337 memcpy(a, &hcon->init_addr, 6);
1338 memcpy(b, &hcon->resp_addr, 6);
1339 a[6] = hcon->init_addr_type;
1340 b[6] = hcon->resp_addr_type;
1341
1342 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1343 }
1344
1345 static void sc_dhkey_check(struct smp_chan *smp)
1346 {
1347 struct hci_conn *hcon = smp->conn->hcon;
1348 struct smp_cmd_dhkey_check check;
1349 u8 a[7], b[7], *local_addr, *remote_addr;
1350 u8 io_cap[3], r[16];
1351
1352 memcpy(a, &hcon->init_addr, 6);
1353 memcpy(b, &hcon->resp_addr, 6);
1354 a[6] = hcon->init_addr_type;
1355 b[6] = hcon->resp_addr_type;
1356
1357 if (hcon->out) {
1358 local_addr = a;
1359 remote_addr = b;
1360 memcpy(io_cap, &smp->preq[1], 3);
1361 } else {
1362 local_addr = b;
1363 remote_addr = a;
1364 memcpy(io_cap, &smp->prsp[1], 3);
1365 }
1366
1367 memset(r, 0, sizeof(r));
1368
1369 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1370 put_unaligned_le32(hcon->passkey_notify, r);
1371
1372 if (smp->method == REQ_OOB)
1373 memcpy(r, smp->rr, 16);
1374
1375 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1376 local_addr, remote_addr, check.e);
1377
1378 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1379 }
1380
1381 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1382 {
1383 struct l2cap_conn *conn = smp->conn;
1384 struct hci_conn *hcon = conn->hcon;
1385 struct smp_cmd_pairing_confirm cfm;
1386 u8 r;
1387
1388 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1389 r |= 0x80;
1390
1391 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1392
1393 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1394 cfm.confirm_val))
1395 return SMP_UNSPECIFIED;
1396
1397 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1398
1399 return 0;
1400 }
1401
1402 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1403 {
1404 struct l2cap_conn *conn = smp->conn;
1405 struct hci_conn *hcon = conn->hcon;
1406 struct hci_dev *hdev = hcon->hdev;
1407 u8 cfm[16], r;
1408
1409 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1410 if (smp->passkey_round >= 20)
1411 return 0;
1412
1413 switch (smp_op) {
1414 case SMP_CMD_PAIRING_RANDOM:
1415 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1416 r |= 0x80;
1417
1418 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1419 smp->rrnd, r, cfm))
1420 return SMP_UNSPECIFIED;
1421
1422 if (memcmp(smp->pcnf, cfm, 16))
1423 return SMP_CONFIRM_FAILED;
1424
1425 smp->passkey_round++;
1426
1427 if (smp->passkey_round == 20) {
1428 /* Generate MacKey and LTK */
1429 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1430 return SMP_UNSPECIFIED;
1431 }
1432
1433 /* The round is only complete when the initiator
1434 * receives pairing random.
1435 */
1436 if (!hcon->out) {
1437 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1438 sizeof(smp->prnd), smp->prnd);
1439 if (smp->passkey_round == 20)
1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1441 else
1442 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1443 return 0;
1444 }
1445
1446 /* Start the next round */
1447 if (smp->passkey_round != 20)
1448 return sc_passkey_round(smp, 0);
1449
1450 /* Passkey rounds are complete - start DHKey Check */
1451 sc_dhkey_check(smp);
1452 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1453
1454 break;
1455
1456 case SMP_CMD_PAIRING_CONFIRM:
1457 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1458 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1459 return 0;
1460 }
1461
1462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1463
1464 if (hcon->out) {
1465 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1466 sizeof(smp->prnd), smp->prnd);
1467 return 0;
1468 }
1469
1470 return sc_passkey_send_confirm(smp);
1471
1472 case SMP_CMD_PUBLIC_KEY:
1473 default:
1474 /* Initiating device starts the round */
1475 if (!hcon->out)
1476 return 0;
1477
1478 BT_DBG("%s Starting passkey round %u", hdev->name,
1479 smp->passkey_round + 1);
1480
1481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1482
1483 return sc_passkey_send_confirm(smp);
1484 }
1485
1486 return 0;
1487 }
1488
1489 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1490 {
1491 struct l2cap_conn *conn = smp->conn;
1492 struct hci_conn *hcon = conn->hcon;
1493 u8 smp_op;
1494
1495 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1496
1497 switch (mgmt_op) {
1498 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1499 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1500 return 0;
1501 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1502 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1503 return 0;
1504 case MGMT_OP_USER_PASSKEY_REPLY:
1505 hcon->passkey_notify = le32_to_cpu(passkey);
1506 smp->passkey_round = 0;
1507
1508 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1509 smp_op = SMP_CMD_PAIRING_CONFIRM;
1510 else
1511 smp_op = 0;
1512
1513 if (sc_passkey_round(smp, smp_op))
1514 return -EIO;
1515
1516 return 0;
1517 }
1518
1519 /* Initiator sends DHKey check first */
1520 if (hcon->out) {
1521 sc_dhkey_check(smp);
1522 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1523 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1524 sc_dhkey_check(smp);
1525 sc_add_ltk(smp);
1526 }
1527
1528 return 0;
1529 }
1530
1531 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1532 {
1533 struct l2cap_conn *conn = hcon->l2cap_data;
1534 struct l2cap_chan *chan;
1535 struct smp_chan *smp;
1536 u32 value;
1537 int err;
1538
1539 BT_DBG("");
1540
1541 if (!conn)
1542 return -ENOTCONN;
1543
1544 chan = conn->smp;
1545 if (!chan)
1546 return -ENOTCONN;
1547
1548 l2cap_chan_lock(chan);
1549 if (!chan->data) {
1550 err = -ENOTCONN;
1551 goto unlock;
1552 }
1553
1554 smp = chan->data;
1555
1556 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1557 err = sc_user_reply(smp, mgmt_op, passkey);
1558 goto unlock;
1559 }
1560
1561 switch (mgmt_op) {
1562 case MGMT_OP_USER_PASSKEY_REPLY:
1563 value = le32_to_cpu(passkey);
1564 memset(smp->tk, 0, sizeof(smp->tk));
1565 BT_DBG("PassKey: %d", value);
1566 put_unaligned_le32(value, smp->tk);
1567 /* Fall Through */
1568 case MGMT_OP_USER_CONFIRM_REPLY:
1569 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1570 break;
1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1573 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1574 err = 0;
1575 goto unlock;
1576 default:
1577 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1578 err = -EOPNOTSUPP;
1579 goto unlock;
1580 }
1581
1582 err = 0;
1583
1584 /* If it is our turn to send Pairing Confirm, do so now */
1585 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1586 u8 rsp = smp_confirm(smp);
1587 if (rsp)
1588 smp_failure(conn, rsp);
1589 }
1590
1591 unlock:
1592 l2cap_chan_unlock(chan);
1593 return err;
1594 }
1595
1596 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1597 struct smp_cmd_pairing *req,
1598 struct smp_cmd_pairing *rsp)
1599 {
1600 struct l2cap_conn *conn = smp->conn;
1601 struct hci_dev *hdev = conn->hcon->hdev;
1602 u8 local_dist = 0, remote_dist = 0;
1603
1604 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1605 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1607 }
1608
1609 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1610 remote_dist |= SMP_DIST_ID_KEY;
1611
1612 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1613 local_dist |= SMP_DIST_ID_KEY;
1614
1615 if (!rsp) {
1616 memset(req, 0, sizeof(*req));
1617
1618 req->init_key_dist = local_dist;
1619 req->resp_key_dist = remote_dist;
1620 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1621
1622 smp->remote_key_dist = remote_dist;
1623
1624 return;
1625 }
1626
1627 memset(rsp, 0, sizeof(*rsp));
1628
1629 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1630 rsp->init_key_dist = req->init_key_dist & remote_dist;
1631 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1632
1633 smp->remote_key_dist = rsp->init_key_dist;
1634 }
1635
1636 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1637 {
1638 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1639 struct l2cap_chan *chan = conn->smp;
1640 struct hci_dev *hdev = conn->hcon->hdev;
1641 struct smp_chan *smp;
1642 u8 key_size, auth, sec_level;
1643 int ret;
1644
1645 BT_DBG("conn %p", conn);
1646
1647 if (skb->len < sizeof(*req))
1648 return SMP_INVALID_PARAMS;
1649
1650 if (conn->hcon->role != HCI_ROLE_SLAVE)
1651 return SMP_CMD_NOTSUPP;
1652
1653 if (!chan->data)
1654 smp = smp_chan_create(conn);
1655 else
1656 smp = chan->data;
1657
1658 if (!smp)
1659 return SMP_UNSPECIFIED;
1660
1661 /* We didn't start the pairing, so match remote */
1662 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1663
1664 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1665 (auth & SMP_AUTH_BONDING))
1666 return SMP_PAIRING_NOTSUPP;
1667
1668 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1669 return SMP_AUTH_REQUIREMENTS;
1670
1671 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1672 memcpy(&smp->preq[1], req, sizeof(*req));
1673 skb_pull(skb, sizeof(*req));
1674
1675 /* SMP over BR/EDR requires special treatment */
1676 if (conn->hcon->type == ACL_LINK) {
1677 /* We must have a BR/EDR SC link */
1678 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1679 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
1680 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1681
1682 set_bit(SMP_FLAG_SC, &smp->flags);
1683
1684 build_bredr_pairing_cmd(smp, req, &rsp);
1685
1686 key_size = min(req->max_key_size, rsp.max_key_size);
1687 if (check_enc_key_size(conn, key_size))
1688 return SMP_ENC_KEY_SIZE;
1689
1690 /* Clear bits which are generated but not distributed */
1691 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1692
1693 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1694 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1696
1697 smp_distribute_keys(smp);
1698 return 0;
1699 }
1700
1701 build_pairing_cmd(conn, req, &rsp, auth);
1702
1703 if (rsp.auth_req & SMP_AUTH_SC)
1704 set_bit(SMP_FLAG_SC, &smp->flags);
1705
1706 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1707 sec_level = BT_SECURITY_MEDIUM;
1708 else
1709 sec_level = authreq_to_seclevel(auth);
1710
1711 if (sec_level > conn->hcon->pending_sec_level)
1712 conn->hcon->pending_sec_level = sec_level;
1713
1714 /* If we need MITM check that it can be achieved */
1715 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1716 u8 method;
1717
1718 method = get_auth_method(smp, conn->hcon->io_capability,
1719 req->io_capability);
1720 if (method == JUST_WORKS || method == JUST_CFM)
1721 return SMP_AUTH_REQUIREMENTS;
1722 }
1723
1724 key_size = min(req->max_key_size, rsp.max_key_size);
1725 if (check_enc_key_size(conn, key_size))
1726 return SMP_ENC_KEY_SIZE;
1727
1728 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1729
1730 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1731 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1732
1733 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1734
1735 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1736
1737 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1738 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1739 /* Clear bits which are generated but not distributed */
1740 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1741 /* Wait for Public Key from Initiating Device */
1742 return 0;
1743 } else {
1744 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1745 }
1746
1747 /* Request setup of TK */
1748 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1749 if (ret)
1750 return SMP_UNSPECIFIED;
1751
1752 return 0;
1753 }
1754
1755 static u8 sc_send_public_key(struct smp_chan *smp)
1756 {
1757 struct hci_dev *hdev = smp->conn->hcon->hdev;
1758
1759 BT_DBG("");
1760
1761 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1762 BT_DBG("Using debug keys");
1763 memcpy(smp->local_pk, debug_pk, 64);
1764 memcpy(smp->local_sk, debug_sk, 32);
1765 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1766 } else {
1767 while (true) {
1768 /* Generate local key pair for Secure Connections */
1769 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1770 return SMP_UNSPECIFIED;
1771
1772 /* This is unlikely, but we need to check that
1773 * we didn't accidentially generate a debug key.
1774 */
1775 if (memcmp(smp->local_sk, debug_sk, 32))
1776 break;
1777 }
1778 }
1779
1780 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1781 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1782 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1783
1784 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1785
1786 return 0;
1787 }
1788
1789 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1790 {
1791 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1792 struct l2cap_chan *chan = conn->smp;
1793 struct smp_chan *smp = chan->data;
1794 struct hci_dev *hdev = conn->hcon->hdev;
1795 u8 key_size, auth;
1796 int ret;
1797
1798 BT_DBG("conn %p", conn);
1799
1800 if (skb->len < sizeof(*rsp))
1801 return SMP_INVALID_PARAMS;
1802
1803 if (conn->hcon->role != HCI_ROLE_MASTER)
1804 return SMP_CMD_NOTSUPP;
1805
1806 skb_pull(skb, sizeof(*rsp));
1807
1808 req = (void *) &smp->preq[1];
1809
1810 key_size = min(req->max_key_size, rsp->max_key_size);
1811 if (check_enc_key_size(conn, key_size))
1812 return SMP_ENC_KEY_SIZE;
1813
1814 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1815
1816 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1817 return SMP_AUTH_REQUIREMENTS;
1818
1819 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1820 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1821
1822 /* Update remote key distribution in case the remote cleared
1823 * some bits that we had enabled in our request.
1824 */
1825 smp->remote_key_dist &= rsp->resp_key_dist;
1826
1827 /* For BR/EDR this means we're done and can start phase 3 */
1828 if (conn->hcon->type == ACL_LINK) {
1829 /* Clear bits which are generated but not distributed */
1830 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1831 smp_distribute_keys(smp);
1832 return 0;
1833 }
1834
1835 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1836 set_bit(SMP_FLAG_SC, &smp->flags);
1837 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1838 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1839
1840 /* If we need MITM check that it can be achieved */
1841 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1842 u8 method;
1843
1844 method = get_auth_method(smp, req->io_capability,
1845 rsp->io_capability);
1846 if (method == JUST_WORKS || method == JUST_CFM)
1847 return SMP_AUTH_REQUIREMENTS;
1848 }
1849
1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851
1852 /* Update remote key distribution in case the remote cleared
1853 * some bits that we had enabled in our request.
1854 */
1855 smp->remote_key_dist &= rsp->resp_key_dist;
1856
1857 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1858 /* Clear bits which are generated but not distributed */
1859 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1860 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 return sc_send_public_key(smp);
1862 }
1863
1864 auth |= req->auth_req;
1865
1866 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1867 if (ret)
1868 return SMP_UNSPECIFIED;
1869
1870 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1871
1872 /* Can't compose response until we have been confirmed */
1873 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1874 return smp_confirm(smp);
1875
1876 return 0;
1877 }
1878
1879 static u8 sc_check_confirm(struct smp_chan *smp)
1880 {
1881 struct l2cap_conn *conn = smp->conn;
1882
1883 BT_DBG("");
1884
1885 /* Public Key exchange must happen before any other steps */
1886 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1887 return SMP_UNSPECIFIED;
1888
1889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1890 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1891
1892 if (conn->hcon->out) {
1893 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1894 smp->prnd);
1895 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1896 }
1897
1898 return 0;
1899 }
1900
1901 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1902 {
1903 struct l2cap_chan *chan = conn->smp;
1904 struct smp_chan *smp = chan->data;
1905
1906 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1907
1908 if (skb->len < sizeof(smp->pcnf))
1909 return SMP_INVALID_PARAMS;
1910
1911 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1912 skb_pull(skb, sizeof(smp->pcnf));
1913
1914 if (test_bit(SMP_FLAG_SC, &smp->flags))
1915 return sc_check_confirm(smp);
1916
1917 if (conn->hcon->out) {
1918 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1919 smp->prnd);
1920 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1921 return 0;
1922 }
1923
1924 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1925 return smp_confirm(smp);
1926 else
1927 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1928
1929 return 0;
1930 }
1931
1932 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1933 {
1934 struct l2cap_chan *chan = conn->smp;
1935 struct smp_chan *smp = chan->data;
1936 struct hci_conn *hcon = conn->hcon;
1937 u8 *pkax, *pkbx, *na, *nb;
1938 u32 passkey;
1939 int err;
1940
1941 BT_DBG("conn %p", conn);
1942
1943 if (skb->len < sizeof(smp->rrnd))
1944 return SMP_INVALID_PARAMS;
1945
1946 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1947 skb_pull(skb, sizeof(smp->rrnd));
1948
1949 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1950 return smp_random(smp);
1951
1952 if (hcon->out) {
1953 pkax = smp->local_pk;
1954 pkbx = smp->remote_pk;
1955 na = smp->prnd;
1956 nb = smp->rrnd;
1957 } else {
1958 pkax = smp->remote_pk;
1959 pkbx = smp->local_pk;
1960 na = smp->rrnd;
1961 nb = smp->prnd;
1962 }
1963
1964 if (smp->method == REQ_OOB) {
1965 if (!hcon->out)
1966 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1967 sizeof(smp->prnd), smp->prnd);
1968 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1969 goto mackey_and_ltk;
1970 }
1971
1972 /* Passkey entry has special treatment */
1973 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1974 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1975
1976 if (hcon->out) {
1977 u8 cfm[16];
1978
1979 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1980 smp->rrnd, 0, cfm);
1981 if (err)
1982 return SMP_UNSPECIFIED;
1983
1984 if (memcmp(smp->pcnf, cfm, 16))
1985 return SMP_CONFIRM_FAILED;
1986 } else {
1987 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1988 smp->prnd);
1989 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1990 }
1991
1992 mackey_and_ltk:
1993 /* Generate MacKey and LTK */
1994 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1995 if (err)
1996 return SMP_UNSPECIFIED;
1997
1998 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1999 if (hcon->out) {
2000 sc_dhkey_check(smp);
2001 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2002 }
2003 return 0;
2004 }
2005
2006 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2007 if (err)
2008 return SMP_UNSPECIFIED;
2009
2010 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2011 hcon->dst_type, passkey, 0);
2012 if (err)
2013 return SMP_UNSPECIFIED;
2014
2015 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2016
2017 return 0;
2018 }
2019
2020 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2021 {
2022 struct smp_ltk *key;
2023 struct hci_conn *hcon = conn->hcon;
2024
2025 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2026 if (!key)
2027 return false;
2028
2029 if (smp_ltk_sec_level(key) < sec_level)
2030 return false;
2031
2032 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2033 return true;
2034
2035 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2036 hcon->enc_key_size = key->enc_size;
2037
2038 /* We never store STKs for master role, so clear this flag */
2039 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2040
2041 return true;
2042 }
2043
2044 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2045 enum smp_key_pref key_pref)
2046 {
2047 if (sec_level == BT_SECURITY_LOW)
2048 return true;
2049
2050 /* If we're encrypted with an STK but the caller prefers using
2051 * LTK claim insufficient security. This way we allow the
2052 * connection to be re-encrypted with an LTK, even if the LTK
2053 * provides the same level of security. Only exception is if we
2054 * don't have an LTK (e.g. because of key distribution bits).
2055 */
2056 if (key_pref == SMP_USE_LTK &&
2057 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2058 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2059 return false;
2060
2061 if (hcon->sec_level >= sec_level)
2062 return true;
2063
2064 return false;
2065 }
2066
2067 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2068 {
2069 struct smp_cmd_security_req *rp = (void *) skb->data;
2070 struct smp_cmd_pairing cp;
2071 struct hci_conn *hcon = conn->hcon;
2072 struct hci_dev *hdev = hcon->hdev;
2073 struct smp_chan *smp;
2074 u8 sec_level, auth;
2075
2076 BT_DBG("conn %p", conn);
2077
2078 if (skb->len < sizeof(*rp))
2079 return SMP_INVALID_PARAMS;
2080
2081 if (hcon->role != HCI_ROLE_MASTER)
2082 return SMP_CMD_NOTSUPP;
2083
2084 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2085
2086 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2087 return SMP_AUTH_REQUIREMENTS;
2088
2089 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2090 sec_level = BT_SECURITY_MEDIUM;
2091 else
2092 sec_level = authreq_to_seclevel(auth);
2093
2094 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2095 return 0;
2096
2097 if (sec_level > hcon->pending_sec_level)
2098 hcon->pending_sec_level = sec_level;
2099
2100 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2101 return 0;
2102
2103 smp = smp_chan_create(conn);
2104 if (!smp)
2105 return SMP_UNSPECIFIED;
2106
2107 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2108 (auth & SMP_AUTH_BONDING))
2109 return SMP_PAIRING_NOTSUPP;
2110
2111 skb_pull(skb, sizeof(*rp));
2112
2113 memset(&cp, 0, sizeof(cp));
2114 build_pairing_cmd(conn, &cp, NULL, auth);
2115
2116 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2117 memcpy(&smp->preq[1], &cp, sizeof(cp));
2118
2119 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2120 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2121
2122 return 0;
2123 }
2124
2125 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2126 {
2127 struct l2cap_conn *conn = hcon->l2cap_data;
2128 struct l2cap_chan *chan;
2129 struct smp_chan *smp;
2130 __u8 authreq;
2131 int ret;
2132
2133 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2134
2135 /* This may be NULL if there's an unexpected disconnection */
2136 if (!conn)
2137 return 1;
2138
2139 chan = conn->smp;
2140
2141 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2142 return 1;
2143
2144 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2145 return 1;
2146
2147 if (sec_level > hcon->pending_sec_level)
2148 hcon->pending_sec_level = sec_level;
2149
2150 if (hcon->role == HCI_ROLE_MASTER)
2151 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2152 return 0;
2153
2154 l2cap_chan_lock(chan);
2155
2156 /* If SMP is already in progress ignore this request */
2157 if (chan->data) {
2158 ret = 0;
2159 goto unlock;
2160 }
2161
2162 smp = smp_chan_create(conn);
2163 if (!smp) {
2164 ret = 1;
2165 goto unlock;
2166 }
2167
2168 authreq = seclevel_to_authreq(sec_level);
2169
2170 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2171 authreq |= SMP_AUTH_SC;
2172
2173 /* Require MITM if IO Capability allows or the security level
2174 * requires it.
2175 */
2176 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2177 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2178 authreq |= SMP_AUTH_MITM;
2179
2180 if (hcon->role == HCI_ROLE_MASTER) {
2181 struct smp_cmd_pairing cp;
2182
2183 build_pairing_cmd(conn, &cp, NULL, authreq);
2184 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2185 memcpy(&smp->preq[1], &cp, sizeof(cp));
2186
2187 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2188 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2189 } else {
2190 struct smp_cmd_security_req cp;
2191 cp.auth_req = authreq;
2192 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2193 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2194 }
2195
2196 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2197 ret = 0;
2198
2199 unlock:
2200 l2cap_chan_unlock(chan);
2201 return ret;
2202 }
2203
2204 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2205 {
2206 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2207 struct l2cap_chan *chan = conn->smp;
2208 struct smp_chan *smp = chan->data;
2209
2210 BT_DBG("conn %p", conn);
2211
2212 if (skb->len < sizeof(*rp))
2213 return SMP_INVALID_PARAMS;
2214
2215 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2216
2217 skb_pull(skb, sizeof(*rp));
2218
2219 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2220
2221 return 0;
2222 }
2223
2224 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2225 {
2226 struct smp_cmd_master_ident *rp = (void *) skb->data;
2227 struct l2cap_chan *chan = conn->smp;
2228 struct smp_chan *smp = chan->data;
2229 struct hci_dev *hdev = conn->hcon->hdev;
2230 struct hci_conn *hcon = conn->hcon;
2231 struct smp_ltk *ltk;
2232 u8 authenticated;
2233
2234 BT_DBG("conn %p", conn);
2235
2236 if (skb->len < sizeof(*rp))
2237 return SMP_INVALID_PARAMS;
2238
2239 /* Mark the information as received */
2240 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2241
2242 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2243 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2244 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2245 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2246
2247 skb_pull(skb, sizeof(*rp));
2248
2249 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2250 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2251 authenticated, smp->tk, smp->enc_key_size,
2252 rp->ediv, rp->rand);
2253 smp->ltk = ltk;
2254 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2255 smp_distribute_keys(smp);
2256
2257 return 0;
2258 }
2259
2260 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2261 {
2262 struct smp_cmd_ident_info *info = (void *) skb->data;
2263 struct l2cap_chan *chan = conn->smp;
2264 struct smp_chan *smp = chan->data;
2265
2266 BT_DBG("");
2267
2268 if (skb->len < sizeof(*info))
2269 return SMP_INVALID_PARAMS;
2270
2271 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2272
2273 skb_pull(skb, sizeof(*info));
2274
2275 memcpy(smp->irk, info->irk, 16);
2276
2277 return 0;
2278 }
2279
2280 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2281 struct sk_buff *skb)
2282 {
2283 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2284 struct l2cap_chan *chan = conn->smp;
2285 struct smp_chan *smp = chan->data;
2286 struct hci_conn *hcon = conn->hcon;
2287 bdaddr_t rpa;
2288
2289 BT_DBG("");
2290
2291 if (skb->len < sizeof(*info))
2292 return SMP_INVALID_PARAMS;
2293
2294 /* Mark the information as received */
2295 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2296
2297 if (smp->remote_key_dist & SMP_DIST_SIGN)
2298 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2299
2300 skb_pull(skb, sizeof(*info));
2301
2302 /* Strictly speaking the Core Specification (4.1) allows sending
2303 * an empty address which would force us to rely on just the IRK
2304 * as "identity information". However, since such
2305 * implementations are not known of and in order to not over
2306 * complicate our implementation, simply pretend that we never
2307 * received an IRK for such a device.
2308 */
2309 if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2310 BT_ERR("Ignoring IRK with no identity address");
2311 goto distribute;
2312 }
2313
2314 bacpy(&smp->id_addr, &info->bdaddr);
2315 smp->id_addr_type = info->addr_type;
2316
2317 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2318 bacpy(&rpa, &hcon->dst);
2319 else
2320 bacpy(&rpa, BDADDR_ANY);
2321
2322 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2323 smp->id_addr_type, smp->irk, &rpa);
2324
2325 distribute:
2326 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2327 smp_distribute_keys(smp);
2328
2329 return 0;
2330 }
2331
2332 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2333 {
2334 struct smp_cmd_sign_info *rp = (void *) skb->data;
2335 struct l2cap_chan *chan = conn->smp;
2336 struct smp_chan *smp = chan->data;
2337 struct smp_csrk *csrk;
2338
2339 BT_DBG("conn %p", conn);
2340
2341 if (skb->len < sizeof(*rp))
2342 return SMP_INVALID_PARAMS;
2343
2344 /* Mark the information as received */
2345 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2346
2347 skb_pull(skb, sizeof(*rp));
2348
2349 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2350 if (csrk) {
2351 csrk->master = 0x01;
2352 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2353 }
2354 smp->csrk = csrk;
2355 smp_distribute_keys(smp);
2356
2357 return 0;
2358 }
2359
2360 static u8 sc_select_method(struct smp_chan *smp)
2361 {
2362 struct l2cap_conn *conn = smp->conn;
2363 struct hci_conn *hcon = conn->hcon;
2364 struct smp_cmd_pairing *local, *remote;
2365 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2366
2367 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2368 return REQ_OOB;
2369
2370 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2371 * which are needed as inputs to some crypto functions. To get
2372 * the "struct smp_cmd_pairing" from them we need to skip the
2373 * first byte which contains the opcode.
2374 */
2375 if (hcon->out) {
2376 local = (void *) &smp->preq[1];
2377 remote = (void *) &smp->prsp[1];
2378 } else {
2379 local = (void *) &smp->prsp[1];
2380 remote = (void *) &smp->preq[1];
2381 }
2382
2383 local_io = local->io_capability;
2384 remote_io = remote->io_capability;
2385
2386 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2387 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2388
2389 /* If either side wants MITM, look up the method from the table,
2390 * otherwise use JUST WORKS.
2391 */
2392 if (local_mitm || remote_mitm)
2393 method = get_auth_method(smp, local_io, remote_io);
2394 else
2395 method = JUST_WORKS;
2396
2397 /* Don't confirm locally initiated pairing attempts */
2398 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2399 method = JUST_WORKS;
2400
2401 return method;
2402 }
2403
2404 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2405 {
2406 struct smp_cmd_public_key *key = (void *) skb->data;
2407 struct hci_conn *hcon = conn->hcon;
2408 struct l2cap_chan *chan = conn->smp;
2409 struct smp_chan *smp = chan->data;
2410 struct hci_dev *hdev = hcon->hdev;
2411 struct smp_cmd_pairing_confirm cfm;
2412 int err;
2413
2414 BT_DBG("conn %p", conn);
2415
2416 if (skb->len < sizeof(*key))
2417 return SMP_INVALID_PARAMS;
2418
2419 memcpy(smp->remote_pk, key, 64);
2420
2421 /* Non-initiating device sends its public key after receiving
2422 * the key from the initiating device.
2423 */
2424 if (!hcon->out) {
2425 err = sc_send_public_key(smp);
2426 if (err)
2427 return err;
2428 }
2429
2430 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2431 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2432
2433 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2434 return SMP_UNSPECIFIED;
2435
2436 SMP_DBG("DHKey %32phN", smp->dhkey);
2437
2438 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2439
2440 smp->method = sc_select_method(smp);
2441
2442 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2443
2444 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2445 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2446 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2447 else
2448 hcon->pending_sec_level = BT_SECURITY_FIPS;
2449
2450 if (!memcmp(debug_pk, smp->remote_pk, 64))
2451 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2452
2453 if (smp->method == DSP_PASSKEY) {
2454 get_random_bytes(&hcon->passkey_notify,
2455 sizeof(hcon->passkey_notify));
2456 hcon->passkey_notify %= 1000000;
2457 hcon->passkey_entered = 0;
2458 smp->passkey_round = 0;
2459 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2460 hcon->dst_type,
2461 hcon->passkey_notify,
2462 hcon->passkey_entered))
2463 return SMP_UNSPECIFIED;
2464 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2465 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2466 }
2467
2468 if (smp->method == REQ_OOB) {
2469 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2470 smp->rr, 0, cfm.confirm_val);
2471 if (err)
2472 return SMP_UNSPECIFIED;
2473
2474 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2475 return SMP_CONFIRM_FAILED;
2476
2477 if (hcon->out)
2478 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2479 sizeof(smp->prnd), smp->prnd);
2480
2481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2482
2483 return 0;
2484 }
2485
2486 if (hcon->out)
2487 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2488
2489 if (smp->method == REQ_PASSKEY) {
2490 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2491 hcon->dst_type))
2492 return SMP_UNSPECIFIED;
2493 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2494 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2495 return 0;
2496 }
2497
2498 /* The Initiating device waits for the non-initiating device to
2499 * send the confirm value.
2500 */
2501 if (conn->hcon->out)
2502 return 0;
2503
2504 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2505 0, cfm.confirm_val);
2506 if (err)
2507 return SMP_UNSPECIFIED;
2508
2509 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2510 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2511
2512 return 0;
2513 }
2514
2515 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2516 {
2517 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2518 struct l2cap_chan *chan = conn->smp;
2519 struct hci_conn *hcon = conn->hcon;
2520 struct smp_chan *smp = chan->data;
2521 u8 a[7], b[7], *local_addr, *remote_addr;
2522 u8 io_cap[3], r[16], e[16];
2523 int err;
2524
2525 BT_DBG("conn %p", conn);
2526
2527 if (skb->len < sizeof(*check))
2528 return SMP_INVALID_PARAMS;
2529
2530 memcpy(a, &hcon->init_addr, 6);
2531 memcpy(b, &hcon->resp_addr, 6);
2532 a[6] = hcon->init_addr_type;
2533 b[6] = hcon->resp_addr_type;
2534
2535 if (hcon->out) {
2536 local_addr = a;
2537 remote_addr = b;
2538 memcpy(io_cap, &smp->prsp[1], 3);
2539 } else {
2540 local_addr = b;
2541 remote_addr = a;
2542 memcpy(io_cap, &smp->preq[1], 3);
2543 }
2544
2545 memset(r, 0, sizeof(r));
2546
2547 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2548 put_unaligned_le32(hcon->passkey_notify, r);
2549
2550 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2551 io_cap, remote_addr, local_addr, e);
2552 if (err)
2553 return SMP_UNSPECIFIED;
2554
2555 if (memcmp(check->e, e, 16))
2556 return SMP_DHKEY_CHECK_FAILED;
2557
2558 if (!hcon->out) {
2559 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2560 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2561 return 0;
2562 }
2563
2564 /* Slave sends DHKey check as response to master */
2565 sc_dhkey_check(smp);
2566 }
2567
2568 sc_add_ltk(smp);
2569
2570 if (hcon->out) {
2571 hci_le_start_enc(hcon, 0, 0, smp->tk);
2572 hcon->enc_key_size = smp->enc_key_size;
2573 }
2574
2575 return 0;
2576 }
2577
2578 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2579 struct sk_buff *skb)
2580 {
2581 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2582
2583 BT_DBG("value 0x%02x", kp->value);
2584
2585 return 0;
2586 }
2587
2588 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2589 {
2590 struct l2cap_conn *conn = chan->conn;
2591 struct hci_conn *hcon = conn->hcon;
2592 struct smp_chan *smp;
2593 __u8 code, reason;
2594 int err = 0;
2595
2596 if (skb->len < 1)
2597 return -EILSEQ;
2598
2599 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2600 reason = SMP_PAIRING_NOTSUPP;
2601 goto done;
2602 }
2603
2604 code = skb->data[0];
2605 skb_pull(skb, sizeof(code));
2606
2607 smp = chan->data;
2608
2609 if (code > SMP_CMD_MAX)
2610 goto drop;
2611
2612 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2613 goto drop;
2614
2615 /* If we don't have a context the only allowed commands are
2616 * pairing request and security request.
2617 */
2618 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2619 goto drop;
2620
2621 switch (code) {
2622 case SMP_CMD_PAIRING_REQ:
2623 reason = smp_cmd_pairing_req(conn, skb);
2624 break;
2625
2626 case SMP_CMD_PAIRING_FAIL:
2627 smp_failure(conn, 0);
2628 err = -EPERM;
2629 break;
2630
2631 case SMP_CMD_PAIRING_RSP:
2632 reason = smp_cmd_pairing_rsp(conn, skb);
2633 break;
2634
2635 case SMP_CMD_SECURITY_REQ:
2636 reason = smp_cmd_security_req(conn, skb);
2637 break;
2638
2639 case SMP_CMD_PAIRING_CONFIRM:
2640 reason = smp_cmd_pairing_confirm(conn, skb);
2641 break;
2642
2643 case SMP_CMD_PAIRING_RANDOM:
2644 reason = smp_cmd_pairing_random(conn, skb);
2645 break;
2646
2647 case SMP_CMD_ENCRYPT_INFO:
2648 reason = smp_cmd_encrypt_info(conn, skb);
2649 break;
2650
2651 case SMP_CMD_MASTER_IDENT:
2652 reason = smp_cmd_master_ident(conn, skb);
2653 break;
2654
2655 case SMP_CMD_IDENT_INFO:
2656 reason = smp_cmd_ident_info(conn, skb);
2657 break;
2658
2659 case SMP_CMD_IDENT_ADDR_INFO:
2660 reason = smp_cmd_ident_addr_info(conn, skb);
2661 break;
2662
2663 case SMP_CMD_SIGN_INFO:
2664 reason = smp_cmd_sign_info(conn, skb);
2665 break;
2666
2667 case SMP_CMD_PUBLIC_KEY:
2668 reason = smp_cmd_public_key(conn, skb);
2669 break;
2670
2671 case SMP_CMD_DHKEY_CHECK:
2672 reason = smp_cmd_dhkey_check(conn, skb);
2673 break;
2674
2675 case SMP_CMD_KEYPRESS_NOTIFY:
2676 reason = smp_cmd_keypress_notify(conn, skb);
2677 break;
2678
2679 default:
2680 BT_DBG("Unknown command code 0x%2.2x", code);
2681 reason = SMP_CMD_NOTSUPP;
2682 goto done;
2683 }
2684
2685 done:
2686 if (!err) {
2687 if (reason)
2688 smp_failure(conn, reason);
2689 kfree_skb(skb);
2690 }
2691
2692 return err;
2693
2694 drop:
2695 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2696 code, &hcon->dst);
2697 kfree_skb(skb);
2698 return 0;
2699 }
2700
2701 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2702 {
2703 struct l2cap_conn *conn = chan->conn;
2704
2705 BT_DBG("chan %p", chan);
2706
2707 if (chan->data)
2708 smp_chan_destroy(conn);
2709
2710 conn->smp = NULL;
2711 l2cap_chan_put(chan);
2712 }
2713
2714 static void bredr_pairing(struct l2cap_chan *chan)
2715 {
2716 struct l2cap_conn *conn = chan->conn;
2717 struct hci_conn *hcon = conn->hcon;
2718 struct hci_dev *hdev = hcon->hdev;
2719 struct smp_cmd_pairing req;
2720 struct smp_chan *smp;
2721
2722 BT_DBG("chan %p", chan);
2723
2724 /* Only new pairings are interesting */
2725 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2726 return;
2727
2728 /* Don't bother if we're not encrypted */
2729 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2730 return;
2731
2732 /* Only master may initiate SMP over BR/EDR */
2733 if (hcon->role != HCI_ROLE_MASTER)
2734 return;
2735
2736 /* Secure Connections support must be enabled */
2737 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2738 return;
2739
2740 /* BR/EDR must use Secure Connections for SMP */
2741 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2742 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
2743 return;
2744
2745 /* If our LE support is not enabled don't do anything */
2746 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2747 return;
2748
2749 /* Don't bother if remote LE support is not enabled */
2750 if (!lmp_host_le_capable(hcon))
2751 return;
2752
2753 /* Remote must support SMP fixed chan for BR/EDR */
2754 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2755 return;
2756
2757 /* Don't bother if SMP is already ongoing */
2758 if (chan->data)
2759 return;
2760
2761 smp = smp_chan_create(conn);
2762 if (!smp) {
2763 BT_ERR("%s unable to create SMP context for BR/EDR",
2764 hdev->name);
2765 return;
2766 }
2767
2768 set_bit(SMP_FLAG_SC, &smp->flags);
2769
2770 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2771
2772 /* Prepare and send the BR/EDR SMP Pairing Request */
2773 build_bredr_pairing_cmd(smp, &req, NULL);
2774
2775 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2776 memcpy(&smp->preq[1], &req, sizeof(req));
2777
2778 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2779 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2780 }
2781
2782 static void smp_resume_cb(struct l2cap_chan *chan)
2783 {
2784 struct smp_chan *smp = chan->data;
2785 struct l2cap_conn *conn = chan->conn;
2786 struct hci_conn *hcon = conn->hcon;
2787
2788 BT_DBG("chan %p", chan);
2789
2790 if (hcon->type == ACL_LINK) {
2791 bredr_pairing(chan);
2792 return;
2793 }
2794
2795 if (!smp)
2796 return;
2797
2798 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2799 return;
2800
2801 cancel_delayed_work(&smp->security_timer);
2802
2803 smp_distribute_keys(smp);
2804 }
2805
2806 static void smp_ready_cb(struct l2cap_chan *chan)
2807 {
2808 struct l2cap_conn *conn = chan->conn;
2809 struct hci_conn *hcon = conn->hcon;
2810
2811 BT_DBG("chan %p", chan);
2812
2813 conn->smp = chan;
2814 l2cap_chan_hold(chan);
2815
2816 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2817 bredr_pairing(chan);
2818 }
2819
2820 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2821 {
2822 int err;
2823
2824 BT_DBG("chan %p", chan);
2825
2826 err = smp_sig_channel(chan, skb);
2827 if (err) {
2828 struct smp_chan *smp = chan->data;
2829
2830 if (smp)
2831 cancel_delayed_work_sync(&smp->security_timer);
2832
2833 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2834 }
2835
2836 return err;
2837 }
2838
2839 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2840 unsigned long hdr_len,
2841 unsigned long len, int nb)
2842 {
2843 struct sk_buff *skb;
2844
2845 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2846 if (!skb)
2847 return ERR_PTR(-ENOMEM);
2848
2849 skb->priority = HCI_PRIO_MAX;
2850 bt_cb(skb)->chan = chan;
2851
2852 return skb;
2853 }
2854
2855 static const struct l2cap_ops smp_chan_ops = {
2856 .name = "Security Manager",
2857 .ready = smp_ready_cb,
2858 .recv = smp_recv_cb,
2859 .alloc_skb = smp_alloc_skb_cb,
2860 .teardown = smp_teardown_cb,
2861 .resume = smp_resume_cb,
2862
2863 .new_connection = l2cap_chan_no_new_connection,
2864 .state_change = l2cap_chan_no_state_change,
2865 .close = l2cap_chan_no_close,
2866 .defer = l2cap_chan_no_defer,
2867 .suspend = l2cap_chan_no_suspend,
2868 .set_shutdown = l2cap_chan_no_set_shutdown,
2869 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2870 };
2871
2872 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2873 {
2874 struct l2cap_chan *chan;
2875
2876 BT_DBG("pchan %p", pchan);
2877
2878 chan = l2cap_chan_create();
2879 if (!chan)
2880 return NULL;
2881
2882 chan->chan_type = pchan->chan_type;
2883 chan->ops = &smp_chan_ops;
2884 chan->scid = pchan->scid;
2885 chan->dcid = chan->scid;
2886 chan->imtu = pchan->imtu;
2887 chan->omtu = pchan->omtu;
2888 chan->mode = pchan->mode;
2889
2890 /* Other L2CAP channels may request SMP routines in order to
2891 * change the security level. This means that the SMP channel
2892 * lock must be considered in its own category to avoid lockdep
2893 * warnings.
2894 */
2895 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2896
2897 BT_DBG("created chan %p", chan);
2898
2899 return chan;
2900 }
2901
2902 static const struct l2cap_ops smp_root_chan_ops = {
2903 .name = "Security Manager Root",
2904 .new_connection = smp_new_conn_cb,
2905
2906 /* None of these are implemented for the root channel */
2907 .close = l2cap_chan_no_close,
2908 .alloc_skb = l2cap_chan_no_alloc_skb,
2909 .recv = l2cap_chan_no_recv,
2910 .state_change = l2cap_chan_no_state_change,
2911 .teardown = l2cap_chan_no_teardown,
2912 .ready = l2cap_chan_no_ready,
2913 .defer = l2cap_chan_no_defer,
2914 .suspend = l2cap_chan_no_suspend,
2915 .resume = l2cap_chan_no_resume,
2916 .set_shutdown = l2cap_chan_no_set_shutdown,
2917 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2918 };
2919
2920 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2921 {
2922 struct l2cap_chan *chan;
2923 struct crypto_blkcipher *tfm_aes;
2924
2925 if (cid == L2CAP_CID_SMP_BREDR) {
2926 tfm_aes = NULL;
2927 goto create_chan;
2928 }
2929
2930 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2931 if (IS_ERR(tfm_aes)) {
2932 BT_ERR("Unable to create crypto context");
2933 return ERR_CAST(tfm_aes);
2934 }
2935
2936 create_chan:
2937 chan = l2cap_chan_create();
2938 if (!chan) {
2939 crypto_free_blkcipher(tfm_aes);
2940 return ERR_PTR(-ENOMEM);
2941 }
2942
2943 chan->data = tfm_aes;
2944
2945 l2cap_add_scid(chan, cid);
2946
2947 l2cap_chan_set_defaults(chan);
2948
2949 bacpy(&chan->src, &hdev->bdaddr);
2950 if (cid == L2CAP_CID_SMP)
2951 chan->src_type = BDADDR_LE_PUBLIC;
2952 else
2953 chan->src_type = BDADDR_BREDR;
2954 chan->state = BT_LISTEN;
2955 chan->mode = L2CAP_MODE_BASIC;
2956 chan->imtu = L2CAP_DEFAULT_MTU;
2957 chan->ops = &smp_root_chan_ops;
2958
2959 /* Set correct nesting level for a parent/listening channel */
2960 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2961
2962 return chan;
2963 }
2964
2965 static void smp_del_chan(struct l2cap_chan *chan)
2966 {
2967 struct crypto_blkcipher *tfm_aes;
2968
2969 BT_DBG("chan %p", chan);
2970
2971 tfm_aes = chan->data;
2972 if (tfm_aes) {
2973 chan->data = NULL;
2974 crypto_free_blkcipher(tfm_aes);
2975 }
2976
2977 l2cap_chan_put(chan);
2978 }
2979
2980 static ssize_t force_bredr_smp_read(struct file *file,
2981 char __user *user_buf,
2982 size_t count, loff_t *ppos)
2983 {
2984 struct hci_dev *hdev = file->private_data;
2985 char buf[3];
2986
2987 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
2988 buf[1] = '\n';
2989 buf[2] = '\0';
2990 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
2991 }
2992
2993 static ssize_t force_bredr_smp_write(struct file *file,
2994 const char __user *user_buf,
2995 size_t count, loff_t *ppos)
2996 {
2997 struct hci_dev *hdev = file->private_data;
2998 char buf[32];
2999 size_t buf_size = min(count, (sizeof(buf)-1));
3000 bool enable;
3001
3002 if (copy_from_user(buf, user_buf, buf_size))
3003 return -EFAULT;
3004
3005 buf[buf_size] = '\0';
3006 if (strtobool(buf, &enable))
3007 return -EINVAL;
3008
3009 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3010 return -EALREADY;
3011
3012 if (enable) {
3013 struct l2cap_chan *chan;
3014
3015 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3016 if (IS_ERR(chan))
3017 return PTR_ERR(chan);
3018
3019 hdev->smp_bredr_data = chan;
3020 } else {
3021 struct l2cap_chan *chan;
3022
3023 chan = hdev->smp_bredr_data;
3024 hdev->smp_bredr_data = NULL;
3025 smp_del_chan(chan);
3026 }
3027
3028 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3029
3030 return count;
3031 }
3032
3033 static const struct file_operations force_bredr_smp_fops = {
3034 .open = simple_open,
3035 .read = force_bredr_smp_read,
3036 .write = force_bredr_smp_write,
3037 .llseek = default_llseek,
3038 };
3039
3040 int smp_register(struct hci_dev *hdev)
3041 {
3042 struct l2cap_chan *chan;
3043
3044 BT_DBG("%s", hdev->name);
3045
3046 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3047 if (IS_ERR(chan))
3048 return PTR_ERR(chan);
3049
3050 hdev->smp_data = chan;
3051
3052 /* If the controller does not support BR/EDR Secure Connections
3053 * feature, then the BR/EDR SMP channel shall not be present.
3054 *
3055 * To test this with Bluetooth 4.0 controllers, create a debugfs
3056 * switch that allows forcing BR/EDR SMP support and accepting
3057 * cross-transport pairing on non-AES encrypted connections.
3058 */
3059 if (!lmp_sc_capable(hdev)) {
3060 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3061 hdev, &force_bredr_smp_fops);
3062 return 0;
3063 }
3064
3065 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3066 if (IS_ERR(chan)) {
3067 int err = PTR_ERR(chan);
3068 chan = hdev->smp_data;
3069 hdev->smp_data = NULL;
3070 smp_del_chan(chan);
3071 return err;
3072 }
3073
3074 hdev->smp_bredr_data = chan;
3075
3076 return 0;
3077 }
3078
3079 void smp_unregister(struct hci_dev *hdev)
3080 {
3081 struct l2cap_chan *chan;
3082
3083 if (hdev->smp_bredr_data) {
3084 chan = hdev->smp_bredr_data;
3085 hdev->smp_bredr_data = NULL;
3086 smp_del_chan(chan);
3087 }
3088
3089 if (hdev->smp_data) {
3090 chan = hdev->smp_data;
3091 hdev->smp_data = NULL;
3092 smp_del_chan(chan);
3093 }
3094 }
3095
3096 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3097
3098 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3099 {
3100 const u8 irk[16] = {
3101 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3102 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3103 const u8 r[3] = { 0x94, 0x81, 0x70 };
3104 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3105 u8 res[3];
3106 int err;
3107
3108 err = smp_ah(tfm_aes, irk, r, res);
3109 if (err)
3110 return err;
3111
3112 if (memcmp(res, exp, 3))
3113 return -EINVAL;
3114
3115 return 0;
3116 }
3117
3118 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3119 {
3120 const u8 k[16] = {
3121 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3123 const u8 r[16] = {
3124 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3125 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3126 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3127 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3128 const u8 _iat = 0x01;
3129 const u8 _rat = 0x00;
3130 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3131 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3132 const u8 exp[16] = {
3133 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3134 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3135 u8 res[16];
3136 int err;
3137
3138 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3139 if (err)
3140 return err;
3141
3142 if (memcmp(res, exp, 16))
3143 return -EINVAL;
3144
3145 return 0;
3146 }
3147
3148 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3149 {
3150 const u8 k[16] = {
3151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3152 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3153 const u8 r1[16] = {
3154 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3155 const u8 r2[16] = {
3156 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3157 const u8 exp[16] = {
3158 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3159 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3160 u8 res[16];
3161 int err;
3162
3163 err = smp_s1(tfm_aes, k, r1, r2, res);
3164 if (err)
3165 return err;
3166
3167 if (memcmp(res, exp, 16))
3168 return -EINVAL;
3169
3170 return 0;
3171 }
3172
3173 static int __init test_f4(struct crypto_hash *tfm_cmac)
3174 {
3175 const u8 u[32] = {
3176 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3177 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3178 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3179 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3180 const u8 v[32] = {
3181 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3182 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3183 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3184 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3185 const u8 x[16] = {
3186 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3187 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3188 const u8 z = 0x00;
3189 const u8 exp[16] = {
3190 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3191 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3192 u8 res[16];
3193 int err;
3194
3195 err = smp_f4(tfm_cmac, u, v, x, z, res);
3196 if (err)
3197 return err;
3198
3199 if (memcmp(res, exp, 16))
3200 return -EINVAL;
3201
3202 return 0;
3203 }
3204
3205 static int __init test_f5(struct crypto_hash *tfm_cmac)
3206 {
3207 const u8 w[32] = {
3208 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3209 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3210 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3211 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3212 const u8 n1[16] = {
3213 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3214 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3215 const u8 n2[16] = {
3216 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3217 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3218 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3219 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3220 const u8 exp_ltk[16] = {
3221 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3222 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3223 const u8 exp_mackey[16] = {
3224 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3225 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3226 u8 mackey[16], ltk[16];
3227 int err;
3228
3229 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3230 if (err)
3231 return err;
3232
3233 if (memcmp(mackey, exp_mackey, 16))
3234 return -EINVAL;
3235
3236 if (memcmp(ltk, exp_ltk, 16))
3237 return -EINVAL;
3238
3239 return 0;
3240 }
3241
3242 static int __init test_f6(struct crypto_hash *tfm_cmac)
3243 {
3244 const u8 w[16] = {
3245 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3246 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3247 const u8 n1[16] = {
3248 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3249 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3250 const u8 n2[16] = {
3251 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3252 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3253 const u8 r[16] = {
3254 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3255 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3256 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3257 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3258 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3259 const u8 exp[16] = {
3260 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3261 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3262 u8 res[16];
3263 int err;
3264
3265 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3266 if (err)
3267 return err;
3268
3269 if (memcmp(res, exp, 16))
3270 return -EINVAL;
3271
3272 return 0;
3273 }
3274
3275 static int __init test_g2(struct crypto_hash *tfm_cmac)
3276 {
3277 const u8 u[32] = {
3278 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3279 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3280 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3281 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3282 const u8 v[32] = {
3283 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3284 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3285 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3286 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3287 const u8 x[16] = {
3288 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3289 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3290 const u8 y[16] = {
3291 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3292 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3293 const u32 exp_val = 0x2f9ed5ba % 1000000;
3294 u32 val;
3295 int err;
3296
3297 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3298 if (err)
3299 return err;
3300
3301 if (val != exp_val)
3302 return -EINVAL;
3303
3304 return 0;
3305 }
3306
3307 static int __init test_h6(struct crypto_hash *tfm_cmac)
3308 {
3309 const u8 w[16] = {
3310 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3311 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3312 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3313 const u8 exp[16] = {
3314 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3315 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3316 u8 res[16];
3317 int err;
3318
3319 err = smp_h6(tfm_cmac, w, key_id, res);
3320 if (err)
3321 return err;
3322
3323 if (memcmp(res, exp, 16))
3324 return -EINVAL;
3325
3326 return 0;
3327 }
3328
3329 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3330 struct crypto_hash *tfm_cmac)
3331 {
3332 ktime_t calltime, delta, rettime;
3333 unsigned long long duration;
3334 int err;
3335
3336 calltime = ktime_get();
3337
3338 err = test_ah(tfm_aes);
3339 if (err) {
3340 BT_ERR("smp_ah test failed");
3341 return err;
3342 }
3343
3344 err = test_c1(tfm_aes);
3345 if (err) {
3346 BT_ERR("smp_c1 test failed");
3347 return err;
3348 }
3349
3350 err = test_s1(tfm_aes);
3351 if (err) {
3352 BT_ERR("smp_s1 test failed");
3353 return err;
3354 }
3355
3356 err = test_f4(tfm_cmac);
3357 if (err) {
3358 BT_ERR("smp_f4 test failed");
3359 return err;
3360 }
3361
3362 err = test_f5(tfm_cmac);
3363 if (err) {
3364 BT_ERR("smp_f5 test failed");
3365 return err;
3366 }
3367
3368 err = test_f6(tfm_cmac);
3369 if (err) {
3370 BT_ERR("smp_f6 test failed");
3371 return err;
3372 }
3373
3374 err = test_g2(tfm_cmac);
3375 if (err) {
3376 BT_ERR("smp_g2 test failed");
3377 return err;
3378 }
3379
3380 err = test_h6(tfm_cmac);
3381 if (err) {
3382 BT_ERR("smp_h6 test failed");
3383 return err;
3384 }
3385
3386 rettime = ktime_get();
3387 delta = ktime_sub(rettime, calltime);
3388 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3389
3390 BT_INFO("SMP test passed in %llu usecs", duration);
3391
3392 return 0;
3393 }
3394
3395 int __init bt_selftest_smp(void)
3396 {
3397 struct crypto_blkcipher *tfm_aes;
3398 struct crypto_hash *tfm_cmac;
3399 int err;
3400
3401 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3402 if (IS_ERR(tfm_aes)) {
3403 BT_ERR("Unable to create ECB crypto context");
3404 return PTR_ERR(tfm_aes);
3405 }
3406
3407 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3408 if (IS_ERR(tfm_cmac)) {
3409 BT_ERR("Unable to create CMAC crypto context");
3410 crypto_free_blkcipher(tfm_aes);
3411 return PTR_ERR(tfm_cmac);
3412 }
3413
3414 err = run_selftests(tfm_aes, tfm_cmac);
3415
3416 crypto_free_hash(tfm_cmac);
3417 crypto_free_blkcipher(tfm_aes);
3418
3419 return err;
3420 }
3421
3422 #endif
Linux kernel - Deliverables
This page took 0.094728 seconds and 6 git commands to generate.