projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Bluetooth: Fix local OOB data handling for SMP
[deliverable/linux.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "ecc.h"
34 #include "smp.h"
35
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
39 */
40 #ifdef DEBUG
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 ##__VA_ARGS__)
43 #else
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 ##__VA_ARGS__)
46 #endif
47
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
49
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
54
55 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
56 0x1f : 0x07)
57 #define KEY_DIST_MASK 0x07
58
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
61
62 enum {
63 SMP_FLAG_TK_VALID,
64 SMP_FLAG_CFM_PENDING,
65 SMP_FLAG_MITM_AUTH,
66 SMP_FLAG_COMPLETE,
67 SMP_FLAG_INITIATOR,
68 SMP_FLAG_SC,
69 SMP_FLAG_REMOTE_PK,
70 SMP_FLAG_DEBUG_KEY,
71 SMP_FLAG_WAIT_USER,
72 SMP_FLAG_DHKEY_PENDING,
73 SMP_FLAG_OOB,
74 };
75
76 struct smp_dev {
77 /* Secure Connections OOB data */
78 u8 local_pk[64];
79 u8 local_sk[32];
80 u8 local_rr[16];
81 bool debug_key;
82
83 struct crypto_blkcipher *tfm_aes;
84 struct crypto_hash *tfm_cmac;
85 };
86
87 struct smp_chan {
88 struct l2cap_conn *conn;
89 struct delayed_work security_timer;
90 unsigned long allow_cmd; /* Bitmask of allowed commands */
91
92 u8 preq[7]; /* SMP Pairing Request */
93 u8 prsp[7]; /* SMP Pairing Response */
94 u8 prnd[16]; /* SMP Pairing Random (local) */
95 u8 rrnd[16]; /* SMP Pairing Random (remote) */
96 u8 pcnf[16]; /* SMP Pairing Confirm */
97 u8 tk[16]; /* SMP Temporary Key */
98 u8 rr[16]; /* Remote OOB ra/rb value */
99 u8 lr[16]; /* Local OOB ra/rb value */
100 u8 enc_key_size;
101 u8 remote_key_dist;
102 bdaddr_t id_addr;
103 u8 id_addr_type;
104 u8 irk[16];
105 struct smp_csrk *csrk;
106 struct smp_csrk *slave_csrk;
107 struct smp_ltk *ltk;
108 struct smp_ltk *slave_ltk;
109 struct smp_irk *remote_irk;
110 u8 *link_key;
111 unsigned long flags;
112 u8 method;
113 u8 passkey_round;
114
115 /* Secure Connections variables */
116 u8 local_pk[64];
117 u8 local_sk[32];
118 u8 remote_pk[64];
119 u8 dhkey[32];
120 u8 mackey[16];
121
122 struct crypto_blkcipher *tfm_aes;
123 struct crypto_hash *tfm_cmac;
124 };
125
126 /* These debug key values are defined in the SMP section of the core
127 * specification. debug_pk is the public debug key and debug_sk the
128 * private debug key.
129 */
130 static const u8 debug_pk[64] = {
131 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
132 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
133 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
134 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
135
136 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
137 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
138 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
139 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
140 };
141
142 static const u8 debug_sk[32] = {
143 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
144 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
145 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
146 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
147 };
148
149 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
150 {
151 size_t i;
152
153 for (i = 0; i < len; i++)
154 dst[len - 1 - i] = src[i];
155 }
156
157 /* The following functions map to the LE SC SMP crypto functions
158 * AES-CMAC, f4, f5, f6, g2 and h6.
159 */
160
161 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
162 size_t len, u8 mac[16])
163 {
164 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
165 struct hash_desc desc;
166 struct scatterlist sg;
167 int err;
168
169 if (len > CMAC_MSG_MAX)
170 return -EFBIG;
171
172 if (!tfm) {
173 BT_ERR("tfm %p", tfm);
174 return -EINVAL;
175 }
176
177 desc.tfm = tfm;
178 desc.flags = 0;
179
180 crypto_hash_init(&desc);
181
182 /* Swap key and message from LSB to MSB */
183 swap_buf(k, tmp, 16);
184 swap_buf(m, msg_msb, len);
185
186 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
187 SMP_DBG("key %16phN", k);
188
189 err = crypto_hash_setkey(tfm, tmp, 16);
190 if (err) {
191 BT_ERR("cipher setkey failed: %d", err);
192 return err;
193 }
194
195 sg_init_one(&sg, msg_msb, len);
196
197 err = crypto_hash_update(&desc, &sg, len);
198 if (err) {
199 BT_ERR("Hash update error %d", err);
200 return err;
201 }
202
203 err = crypto_hash_final(&desc, mac_msb);
204 if (err) {
205 BT_ERR("Hash final error %d", err);
206 return err;
207 }
208
209 swap_buf(mac_msb, mac, 16);
210
211 SMP_DBG("mac %16phN", mac);
212
213 return 0;
214 }
215
216 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
217 const u8 x[16], u8 z, u8 res[16])
218 {
219 u8 m[65];
220 int err;
221
222 SMP_DBG("u %32phN", u);
223 SMP_DBG("v %32phN", v);
224 SMP_DBG("x %16phN z %02x", x, z);
225
226 m[0] = z;
227 memcpy(m + 1, v, 32);
228 memcpy(m + 33, u, 32);
229
230 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
231 if (err)
232 return err;
233
234 SMP_DBG("res %16phN", res);
235
236 return err;
237 }
238
239 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
240 const u8 n1[16], const u8 n2[16], const u8 a1[7],
241 const u8 a2[7], u8 mackey[16], u8 ltk[16])
242 {
243 /* The btle, salt and length "magic" values are as defined in
244 * the SMP section of the Bluetooth core specification. In ASCII
245 * the btle value ends up being 'btle'. The salt is just a
246 * random number whereas length is the value 256 in little
247 * endian format.
248 */
249 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
250 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
251 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
252 const u8 length[2] = { 0x00, 0x01 };
253 u8 m[53], t[16];
254 int err;
255
256 SMP_DBG("w %32phN", w);
257 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
258 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
259
260 err = aes_cmac(tfm_cmac, salt, w, 32, t);
261 if (err)
262 return err;
263
264 SMP_DBG("t %16phN", t);
265
266 memcpy(m, length, 2);
267 memcpy(m + 2, a2, 7);
268 memcpy(m + 9, a1, 7);
269 memcpy(m + 16, n2, 16);
270 memcpy(m + 32, n1, 16);
271 memcpy(m + 48, btle, 4);
272
273 m[52] = 0; /* Counter */
274
275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
276 if (err)
277 return err;
278
279 SMP_DBG("mackey %16phN", mackey);
280
281 m[52] = 1; /* Counter */
282
283 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
284 if (err)
285 return err;
286
287 SMP_DBG("ltk %16phN", ltk);
288
289 return 0;
290 }
291
292 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
293 const u8 n1[16], const u8 n2[16], const u8 r[16],
294 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
295 u8 res[16])
296 {
297 u8 m[65];
298 int err;
299
300 SMP_DBG("w %16phN", w);
301 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
302 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
303
304 memcpy(m, a2, 7);
305 memcpy(m + 7, a1, 7);
306 memcpy(m + 14, io_cap, 3);
307 memcpy(m + 17, r, 16);
308 memcpy(m + 33, n2, 16);
309 memcpy(m + 49, n1, 16);
310
311 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
312 if (err)
313 return err;
314
315 SMP_DBG("res %16phN", res);
316
317 return err;
318 }
319
320 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
321 const u8 x[16], const u8 y[16], u32 *val)
322 {
323 u8 m[80], tmp[16];
324 int err;
325
326 SMP_DBG("u %32phN", u);
327 SMP_DBG("v %32phN", v);
328 SMP_DBG("x %16phN y %16phN", x, y);
329
330 memcpy(m, y, 16);
331 memcpy(m + 16, v, 32);
332 memcpy(m + 48, u, 32);
333
334 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
335 if (err)
336 return err;
337
338 *val = get_unaligned_le32(tmp);
339 *val %= 1000000;
340
341 SMP_DBG("val %06u", *val);
342
343 return 0;
344 }
345
346 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
347 const u8 key_id[4], u8 res[16])
348 {
349 int err;
350
351 SMP_DBG("w %16phN key_id %4phN", w, key_id);
352
353 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
354 if (err)
355 return err;
356
357 SMP_DBG("res %16phN", res);
358
359 return err;
360 }
361
362 /* The following functions map to the legacy SMP crypto functions e, c1,
363 * s1 and ah.
364 */
365
366 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
367 {
368 struct blkcipher_desc desc;
369 struct scatterlist sg;
370 uint8_t tmp[16], data[16];
371 int err;
372
373 if (!tfm) {
374 BT_ERR("tfm %p", tfm);
375 return -EINVAL;
376 }
377
378 desc.tfm = tfm;
379 desc.flags = 0;
380
381 /* The most significant octet of key corresponds to k[0] */
382 swap_buf(k, tmp, 16);
383
384 err = crypto_blkcipher_setkey(tfm, tmp, 16);
385 if (err) {
386 BT_ERR("cipher setkey failed: %d", err);
387 return err;
388 }
389
390 /* Most significant octet of plaintextData corresponds to data[0] */
391 swap_buf(r, data, 16);
392
393 sg_init_one(&sg, data, 16);
394
395 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
396 if (err)
397 BT_ERR("Encrypt data error %d", err);
398
399 /* Most significant octet of encryptedData corresponds to data[0] */
400 swap_buf(data, r, 16);
401
402 return err;
403 }
404
405 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
406 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
407 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
408 {
409 u8 p1[16], p2[16];
410 int err;
411
412 memset(p1, 0, 16);
413
414 /* p1 = pres || preq || _rat || _iat */
415 p1[0] = _iat;
416 p1[1] = _rat;
417 memcpy(p1 + 2, preq, 7);
418 memcpy(p1 + 9, pres, 7);
419
420 /* p2 = padding || ia || ra */
421 memcpy(p2, ra, 6);
422 memcpy(p2 + 6, ia, 6);
423 memset(p2 + 12, 0, 4);
424
425 /* res = r XOR p1 */
426 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
427
428 /* res = e(k, res) */
429 err = smp_e(tfm_aes, k, res);
430 if (err) {
431 BT_ERR("Encrypt data error");
432 return err;
433 }
434
435 /* res = res XOR p2 */
436 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
437
438 /* res = e(k, res) */
439 err = smp_e(tfm_aes, k, res);
440 if (err)
441 BT_ERR("Encrypt data error");
442
443 return err;
444 }
445
446 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
447 const u8 r1[16], const u8 r2[16], u8 _r[16])
448 {
449 int err;
450
451 /* Just least significant octets from r1 and r2 are considered */
452 memcpy(_r, r2, 8);
453 memcpy(_r + 8, r1, 8);
454
455 err = smp_e(tfm_aes, k, _r);
456 if (err)
457 BT_ERR("Encrypt data error");
458
459 return err;
460 }
461
462 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
463 const u8 r[3], u8 res[3])
464 {
465 u8 _res[16];
466 int err;
467
468 /* r' = padding || r */
469 memcpy(_res, r, 3);
470 memset(_res + 3, 0, 13);
471
472 err = smp_e(tfm, irk, _res);
473 if (err) {
474 BT_ERR("Encrypt error");
475 return err;
476 }
477
478 /* The output of the random address function ah is:
479 * ah(h, r) = e(k, r') mod 2^24
480 * The output of the security function e is then truncated to 24 bits
481 * by taking the least significant 24 bits of the output of e as the
482 * result of ah.
483 */
484 memcpy(res, _res, 3);
485
486 return 0;
487 }
488
489 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
490 const bdaddr_t *bdaddr)
491 {
492 struct l2cap_chan *chan = hdev->smp_data;
493 struct smp_dev *smp;
494 u8 hash[3];
495 int err;
496
497 if (!chan || !chan->data)
498 return false;
499
500 smp = chan->data;
501
502 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
503
504 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
505 if (err)
506 return false;
507
508 return !memcmp(bdaddr->b, hash, 3);
509 }
510
511 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
512 {
513 struct l2cap_chan *chan = hdev->smp_data;
514 struct smp_dev *smp;
515 int err;
516
517 if (!chan || !chan->data)
518 return -EOPNOTSUPP;
519
520 smp = chan->data;
521
522 get_random_bytes(&rpa->b[3], 3);
523
524 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
525 rpa->b[5] |= 0x40; /* Set second most significant bit */
526
527 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
528 if (err < 0)
529 return err;
530
531 BT_DBG("RPA %pMR", rpa);
532
533 return 0;
534 }
535
536 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
537 {
538 struct l2cap_chan *chan = hdev->smp_data;
539 struct smp_dev *smp;
540 int err;
541
542 if (!chan || !chan->data)
543 return -EOPNOTSUPP;
544
545 smp = chan->data;
546
547 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
548 BT_DBG("Using debug keys");
549 memcpy(smp->local_pk, debug_pk, 64);
550 memcpy(smp->local_sk, debug_sk, 32);
551 smp->debug_key = true;
552 } else {
553 while (true) {
554 /* Generate local key pair for Secure Connections */
555 if (!ecc_make_key(smp->local_pk, smp->local_sk))
556 return -EIO;
557
558 /* This is unlikely, but we need to check that
559 * we didn't accidentially generate a debug key.
560 */
561 if (memcmp(smp->local_sk, debug_sk, 32))
562 break;
563 }
564 smp->debug_key = false;
565 }
566
567 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
568 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
569 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
570
571 get_random_bytes(smp->local_rr, 16);
572
573 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
574 smp->local_rr, 0, hash);
575 if (err < 0)
576 return err;
577
578 memcpy(rand, smp->local_rr, 16);
579
580 return 0;
581 }
582
583 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
584 {
585 struct l2cap_chan *chan = conn->smp;
586 struct smp_chan *smp;
587 struct kvec iv[2];
588 struct msghdr msg;
589
590 if (!chan)
591 return;
592
593 BT_DBG("code 0x%2.2x", code);
594
595 iv[0].iov_base = &code;
596 iv[0].iov_len = 1;
597
598 iv[1].iov_base = data;
599 iv[1].iov_len = len;
600
601 memset(&msg, 0, sizeof(msg));
602
603 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
604
605 l2cap_chan_send(chan, &msg, 1 + len);
606
607 if (!chan->data)
608 return;
609
610 smp = chan->data;
611
612 cancel_delayed_work_sync(&smp->security_timer);
613 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
614 }
615
616 static u8 authreq_to_seclevel(u8 authreq)
617 {
618 if (authreq & SMP_AUTH_MITM) {
619 if (authreq & SMP_AUTH_SC)
620 return BT_SECURITY_FIPS;
621 else
622 return BT_SECURITY_HIGH;
623 } else {
624 return BT_SECURITY_MEDIUM;
625 }
626 }
627
628 static __u8 seclevel_to_authreq(__u8 sec_level)
629 {
630 switch (sec_level) {
631 case BT_SECURITY_FIPS:
632 case BT_SECURITY_HIGH:
633 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
634 case BT_SECURITY_MEDIUM:
635 return SMP_AUTH_BONDING;
636 default:
637 return SMP_AUTH_NONE;
638 }
639 }
640
641 static void build_pairing_cmd(struct l2cap_conn *conn,
642 struct smp_cmd_pairing *req,
643 struct smp_cmd_pairing *rsp, __u8 authreq)
644 {
645 struct l2cap_chan *chan = conn->smp;
646 struct smp_chan *smp = chan->data;
647 struct hci_conn *hcon = conn->hcon;
648 struct hci_dev *hdev = hcon->hdev;
649 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
650
651 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
652 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
653 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
654 authreq |= SMP_AUTH_BONDING;
655 } else {
656 authreq &= ~SMP_AUTH_BONDING;
657 }
658
659 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
660 remote_dist |= SMP_DIST_ID_KEY;
661
662 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
663 local_dist |= SMP_DIST_ID_KEY;
664
665 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
666 (authreq & SMP_AUTH_SC)) {
667 struct oob_data *oob_data;
668 u8 bdaddr_type;
669
670 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
671 local_dist |= SMP_DIST_LINK_KEY;
672 remote_dist |= SMP_DIST_LINK_KEY;
673 }
674
675 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
676 bdaddr_type = BDADDR_LE_PUBLIC;
677 else
678 bdaddr_type = BDADDR_LE_RANDOM;
679
680 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
681 bdaddr_type);
682 if (oob_data && oob_data->present) {
683 set_bit(SMP_FLAG_OOB, &smp->flags);
684 oob_flag = SMP_OOB_PRESENT;
685 memcpy(smp->rr, oob_data->rand256, 16);
686 memcpy(smp->pcnf, oob_data->hash256, 16);
687 }
688
689 } else {
690 authreq &= ~SMP_AUTH_SC;
691 }
692
693 if (rsp == NULL) {
694 req->io_capability = conn->hcon->io_capability;
695 req->oob_flag = oob_flag;
696 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
697 req->init_key_dist = local_dist;
698 req->resp_key_dist = remote_dist;
699 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
700
701 smp->remote_key_dist = remote_dist;
702 return;
703 }
704
705 rsp->io_capability = conn->hcon->io_capability;
706 rsp->oob_flag = oob_flag;
707 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
708 rsp->init_key_dist = req->init_key_dist & remote_dist;
709 rsp->resp_key_dist = req->resp_key_dist & local_dist;
710 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
711
712 smp->remote_key_dist = rsp->init_key_dist;
713 }
714
715 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
716 {
717 struct l2cap_chan *chan = conn->smp;
718 struct smp_chan *smp = chan->data;
719
720 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
721 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
722 return SMP_ENC_KEY_SIZE;
723
724 smp->enc_key_size = max_key_size;
725
726 return 0;
727 }
728
729 static void smp_chan_destroy(struct l2cap_conn *conn)
730 {
731 struct l2cap_chan *chan = conn->smp;
732 struct smp_chan *smp = chan->data;
733 struct hci_conn *hcon = conn->hcon;
734 bool complete;
735
736 BUG_ON(!smp);
737
738 cancel_delayed_work_sync(&smp->security_timer);
739
740 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
741 mgmt_smp_complete(hcon, complete);
742
743 kzfree(smp->csrk);
744 kzfree(smp->slave_csrk);
745 kzfree(smp->link_key);
746
747 crypto_free_blkcipher(smp->tfm_aes);
748 crypto_free_hash(smp->tfm_cmac);
749
750 /* Ensure that we don't leave any debug key around if debug key
751 * support hasn't been explicitly enabled.
752 */
753 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
754 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
755 list_del_rcu(&smp->ltk->list);
756 kfree_rcu(smp->ltk, rcu);
757 smp->ltk = NULL;
758 }
759
760 /* If pairing failed clean up any keys we might have */
761 if (!complete) {
762 if (smp->ltk) {
763 list_del_rcu(&smp->ltk->list);
764 kfree_rcu(smp->ltk, rcu);
765 }
766
767 if (smp->slave_ltk) {
768 list_del_rcu(&smp->slave_ltk->list);
769 kfree_rcu(smp->slave_ltk, rcu);
770 }
771
772 if (smp->remote_irk) {
773 list_del_rcu(&smp->remote_irk->list);
774 kfree_rcu(smp->remote_irk, rcu);
775 }
776 }
777
778 chan->data = NULL;
779 kzfree(smp);
780 hci_conn_drop(hcon);
781 }
782
783 static void smp_failure(struct l2cap_conn *conn, u8 reason)
784 {
785 struct hci_conn *hcon = conn->hcon;
786 struct l2cap_chan *chan = conn->smp;
787
788 if (reason)
789 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
790 &reason);
791
792 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
793 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
794
795 if (chan->data)
796 smp_chan_destroy(conn);
797 }
798
799 #define JUST_WORKS 0x00
800 #define JUST_CFM 0x01
801 #define REQ_PASSKEY 0x02
802 #define CFM_PASSKEY 0x03
803 #define REQ_OOB 0x04
804 #define DSP_PASSKEY 0x05
805 #define OVERLAP 0xFF
806
807 static const u8 gen_method[5][5] = {
808 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
809 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
810 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
811 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
812 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
813 };
814
815 static const u8 sc_method[5][5] = {
816 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
817 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
818 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
819 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
820 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
821 };
822
823 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
824 {
825 /* If either side has unknown io_caps, use JUST_CFM (which gets
826 * converted later to JUST_WORKS if we're initiators.
827 */
828 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
829 remote_io > SMP_IO_KEYBOARD_DISPLAY)
830 return JUST_CFM;
831
832 if (test_bit(SMP_FLAG_SC, &smp->flags))
833 return sc_method[remote_io][local_io];
834
835 return gen_method[remote_io][local_io];
836 }
837
838 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
839 u8 local_io, u8 remote_io)
840 {
841 struct hci_conn *hcon = conn->hcon;
842 struct l2cap_chan *chan = conn->smp;
843 struct smp_chan *smp = chan->data;
844 u32 passkey = 0;
845 int ret = 0;
846
847 /* Initialize key for JUST WORKS */
848 memset(smp->tk, 0, sizeof(smp->tk));
849 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
850
851 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
852
853 /* If neither side wants MITM, either "just" confirm an incoming
854 * request or use just-works for outgoing ones. The JUST_CFM
855 * will be converted to JUST_WORKS if necessary later in this
856 * function. If either side has MITM look up the method from the
857 * table.
858 */
859 if (!(auth & SMP_AUTH_MITM))
860 smp->method = JUST_CFM;
861 else
862 smp->method = get_auth_method(smp, local_io, remote_io);
863
864 /* Don't confirm locally initiated pairing attempts */
865 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
866 &smp->flags))
867 smp->method = JUST_WORKS;
868
869 /* Don't bother user space with no IO capabilities */
870 if (smp->method == JUST_CFM &&
871 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
872 smp->method = JUST_WORKS;
873
874 /* If Just Works, Continue with Zero TK */
875 if (smp->method == JUST_WORKS) {
876 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
877 return 0;
878 }
879
880 /* Not Just Works/Confirm results in MITM Authentication */
881 if (smp->method != JUST_CFM) {
882 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
883 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
884 hcon->pending_sec_level = BT_SECURITY_HIGH;
885 }
886
887 /* If both devices have Keyoard-Display I/O, the master
888 * Confirms and the slave Enters the passkey.
889 */
890 if (smp->method == OVERLAP) {
891 if (hcon->role == HCI_ROLE_MASTER)
892 smp->method = CFM_PASSKEY;
893 else
894 smp->method = REQ_PASSKEY;
895 }
896
897 /* Generate random passkey. */
898 if (smp->method == CFM_PASSKEY) {
899 memset(smp->tk, 0, sizeof(smp->tk));
900 get_random_bytes(&passkey, sizeof(passkey));
901 passkey %= 1000000;
902 put_unaligned_le32(passkey, smp->tk);
903 BT_DBG("PassKey: %d", passkey);
904 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
905 }
906
907 if (smp->method == REQ_PASSKEY)
908 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
909 hcon->type, hcon->dst_type);
910 else if (smp->method == JUST_CFM)
911 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
912 hcon->type, hcon->dst_type,
913 passkey, 1);
914 else
915 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
916 hcon->type, hcon->dst_type,
917 passkey, 0);
918
919 return ret;
920 }
921
922 static u8 smp_confirm(struct smp_chan *smp)
923 {
924 struct l2cap_conn *conn = smp->conn;
925 struct smp_cmd_pairing_confirm cp;
926 int ret;
927
928 BT_DBG("conn %p", conn);
929
930 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
931 conn->hcon->init_addr_type, &conn->hcon->init_addr,
932 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
933 cp.confirm_val);
934 if (ret)
935 return SMP_UNSPECIFIED;
936
937 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
938
939 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
940
941 if (conn->hcon->out)
942 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
943 else
944 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
945
946 return 0;
947 }
948
949 static u8 smp_random(struct smp_chan *smp)
950 {
951 struct l2cap_conn *conn = smp->conn;
952 struct hci_conn *hcon = conn->hcon;
953 u8 confirm[16];
954 int ret;
955
956 if (IS_ERR_OR_NULL(smp->tfm_aes))
957 return SMP_UNSPECIFIED;
958
959 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
960
961 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
962 hcon->init_addr_type, &hcon->init_addr,
963 hcon->resp_addr_type, &hcon->resp_addr, confirm);
964 if (ret)
965 return SMP_UNSPECIFIED;
966
967 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
968 BT_ERR("Pairing failed (confirmation values mismatch)");
969 return SMP_CONFIRM_FAILED;
970 }
971
972 if (hcon->out) {
973 u8 stk[16];
974 __le64 rand = 0;
975 __le16 ediv = 0;
976
977 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
978
979 memset(stk + smp->enc_key_size, 0,
980 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
981
982 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
983 return SMP_UNSPECIFIED;
984
985 hci_le_start_enc(hcon, ediv, rand, stk);
986 hcon->enc_key_size = smp->enc_key_size;
987 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
988 } else {
989 u8 stk[16], auth;
990 __le64 rand = 0;
991 __le16 ediv = 0;
992
993 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
994 smp->prnd);
995
996 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
997
998 memset(stk + smp->enc_key_size, 0,
999 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1000
1001 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1002 auth = 1;
1003 else
1004 auth = 0;
1005
1006 /* Even though there's no _SLAVE suffix this is the
1007 * slave STK we're adding for later lookup (the master
1008 * STK never needs to be stored).
1009 */
1010 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1011 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1012 }
1013
1014 return 0;
1015 }
1016
1017 static void smp_notify_keys(struct l2cap_conn *conn)
1018 {
1019 struct l2cap_chan *chan = conn->smp;
1020 struct smp_chan *smp = chan->data;
1021 struct hci_conn *hcon = conn->hcon;
1022 struct hci_dev *hdev = hcon->hdev;
1023 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1024 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1025 bool persistent;
1026
1027 if (smp->remote_irk) {
1028 mgmt_new_irk(hdev, smp->remote_irk);
1029 /* Now that user space can be considered to know the
1030 * identity address track the connection based on it
1031 * from now on (assuming this is an LE link).
1032 */
1033 if (hcon->type == LE_LINK) {
1034 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1035 hcon->dst_type = smp->remote_irk->addr_type;
1036 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1037 }
1038
1039 /* When receiving an indentity resolving key for
1040 * a remote device that does not use a resolvable
1041 * private address, just remove the key so that
1042 * it is possible to use the controller white
1043 * list for scanning.
1044 *
1045 * Userspace will have been told to not store
1046 * this key at this point. So it is safe to
1047 * just remove it.
1048 */
1049 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1050 list_del_rcu(&smp->remote_irk->list);
1051 kfree_rcu(smp->remote_irk, rcu);
1052 smp->remote_irk = NULL;
1053 }
1054 }
1055
1056 if (hcon->type == ACL_LINK) {
1057 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1058 persistent = false;
1059 else
1060 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1061 &hcon->flags);
1062 } else {
1063 /* The LTKs and CSRKs should be persistent only if both sides
1064 * had the bonding bit set in their authentication requests.
1065 */
1066 persistent = !!((req->auth_req & rsp->auth_req) &
1067 SMP_AUTH_BONDING);
1068 }
1069
1070
1071 if (smp->csrk) {
1072 smp->csrk->bdaddr_type = hcon->dst_type;
1073 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1074 mgmt_new_csrk(hdev, smp->csrk, persistent);
1075 }
1076
1077 if (smp->slave_csrk) {
1078 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1079 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1080 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1081 }
1082
1083 if (smp->ltk) {
1084 smp->ltk->bdaddr_type = hcon->dst_type;
1085 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1086 mgmt_new_ltk(hdev, smp->ltk, persistent);
1087 }
1088
1089 if (smp->slave_ltk) {
1090 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1091 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1092 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1093 }
1094
1095 if (smp->link_key) {
1096 struct link_key *key;
1097 u8 type;
1098
1099 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1100 type = HCI_LK_DEBUG_COMBINATION;
1101 else if (hcon->sec_level == BT_SECURITY_FIPS)
1102 type = HCI_LK_AUTH_COMBINATION_P256;
1103 else
1104 type = HCI_LK_UNAUTH_COMBINATION_P256;
1105
1106 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1107 smp->link_key, type, 0, &persistent);
1108 if (key) {
1109 mgmt_new_link_key(hdev, key, persistent);
1110
1111 /* Don't keep debug keys around if the relevant
1112 * flag is not set.
1113 */
1114 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1115 key->type == HCI_LK_DEBUG_COMBINATION) {
1116 list_del_rcu(&key->list);
1117 kfree_rcu(key, rcu);
1118 }
1119 }
1120 }
1121 }
1122
1123 static void sc_add_ltk(struct smp_chan *smp)
1124 {
1125 struct hci_conn *hcon = smp->conn->hcon;
1126 u8 key_type, auth;
1127
1128 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1129 key_type = SMP_LTK_P256_DEBUG;
1130 else
1131 key_type = SMP_LTK_P256;
1132
1133 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1134 auth = 1;
1135 else
1136 auth = 0;
1137
1138 memset(smp->tk + smp->enc_key_size, 0,
1139 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1140
1141 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1142 key_type, auth, smp->tk, smp->enc_key_size,
1143 0, 0);
1144 }
1145
1146 static void sc_generate_link_key(struct smp_chan *smp)
1147 {
1148 /* These constants are as specified in the core specification.
1149 * In ASCII they spell out to 'tmp1' and 'lebr'.
1150 */
1151 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1152 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1153
1154 smp->link_key = kzalloc(16, GFP_KERNEL);
1155 if (!smp->link_key)
1156 return;
1157
1158 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1159 kzfree(smp->link_key);
1160 smp->link_key = NULL;
1161 return;
1162 }
1163
1164 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1165 kzfree(smp->link_key);
1166 smp->link_key = NULL;
1167 return;
1168 }
1169 }
1170
1171 static void smp_allow_key_dist(struct smp_chan *smp)
1172 {
1173 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1174 * will be allowed in each PDU handler to ensure we receive
1175 * them in the correct order.
1176 */
1177 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1178 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1179 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1180 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1181 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1182 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1183 }
1184
1185 static void sc_generate_ltk(struct smp_chan *smp)
1186 {
1187 /* These constants are as specified in the core specification.
1188 * In ASCII they spell out to 'tmp2' and 'brle'.
1189 */
1190 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1191 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1192 struct hci_conn *hcon = smp->conn->hcon;
1193 struct hci_dev *hdev = hcon->hdev;
1194 struct link_key *key;
1195
1196 key = hci_find_link_key(hdev, &hcon->dst);
1197 if (!key) {
1198 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1199 return;
1200 }
1201
1202 if (key->type == HCI_LK_DEBUG_COMBINATION)
1203 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1204
1205 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1206 return;
1207
1208 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1209 return;
1210
1211 sc_add_ltk(smp);
1212 }
1213
1214 static void smp_distribute_keys(struct smp_chan *smp)
1215 {
1216 struct smp_cmd_pairing *req, *rsp;
1217 struct l2cap_conn *conn = smp->conn;
1218 struct hci_conn *hcon = conn->hcon;
1219 struct hci_dev *hdev = hcon->hdev;
1220 __u8 *keydist;
1221
1222 BT_DBG("conn %p", conn);
1223
1224 rsp = (void *) &smp->prsp[1];
1225
1226 /* The responder sends its keys first */
1227 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1228 smp_allow_key_dist(smp);
1229 return;
1230 }
1231
1232 req = (void *) &smp->preq[1];
1233
1234 if (hcon->out) {
1235 keydist = &rsp->init_key_dist;
1236 *keydist &= req->init_key_dist;
1237 } else {
1238 keydist = &rsp->resp_key_dist;
1239 *keydist &= req->resp_key_dist;
1240 }
1241
1242 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1243 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1244 sc_generate_link_key(smp);
1245 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1246 sc_generate_ltk(smp);
1247
1248 /* Clear the keys which are generated but not distributed */
1249 *keydist &= ~SMP_SC_NO_DIST;
1250 }
1251
1252 BT_DBG("keydist 0x%x", *keydist);
1253
1254 if (*keydist & SMP_DIST_ENC_KEY) {
1255 struct smp_cmd_encrypt_info enc;
1256 struct smp_cmd_master_ident ident;
1257 struct smp_ltk *ltk;
1258 u8 authenticated;
1259 __le16 ediv;
1260 __le64 rand;
1261
1262 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1263 get_random_bytes(&ediv, sizeof(ediv));
1264 get_random_bytes(&rand, sizeof(rand));
1265
1266 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1267
1268 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1269 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1270 SMP_LTK_SLAVE, authenticated, enc.ltk,
1271 smp->enc_key_size, ediv, rand);
1272 smp->slave_ltk = ltk;
1273
1274 ident.ediv = ediv;
1275 ident.rand = rand;
1276
1277 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1278
1279 *keydist &= ~SMP_DIST_ENC_KEY;
1280 }
1281
1282 if (*keydist & SMP_DIST_ID_KEY) {
1283 struct smp_cmd_ident_addr_info addrinfo;
1284 struct smp_cmd_ident_info idinfo;
1285
1286 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1287
1288 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1289
1290 /* The hci_conn contains the local identity address
1291 * after the connection has been established.
1292 *
1293 * This is true even when the connection has been
1294 * established using a resolvable random address.
1295 */
1296 bacpy(&addrinfo.bdaddr, &hcon->src);
1297 addrinfo.addr_type = hcon->src_type;
1298
1299 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1300 &addrinfo);
1301
1302 *keydist &= ~SMP_DIST_ID_KEY;
1303 }
1304
1305 if (*keydist & SMP_DIST_SIGN) {
1306 struct smp_cmd_sign_info sign;
1307 struct smp_csrk *csrk;
1308
1309 /* Generate a new random key */
1310 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1311
1312 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1313 if (csrk) {
1314 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1315 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1316 else
1317 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1318 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1319 }
1320 smp->slave_csrk = csrk;
1321
1322 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1323
1324 *keydist &= ~SMP_DIST_SIGN;
1325 }
1326
1327 /* If there are still keys to be received wait for them */
1328 if (smp->remote_key_dist & KEY_DIST_MASK) {
1329 smp_allow_key_dist(smp);
1330 return;
1331 }
1332
1333 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1334 smp_notify_keys(conn);
1335
1336 smp_chan_destroy(conn);
1337 }
1338
1339 static void smp_timeout(struct work_struct *work)
1340 {
1341 struct smp_chan *smp = container_of(work, struct smp_chan,
1342 security_timer.work);
1343 struct l2cap_conn *conn = smp->conn;
1344
1345 BT_DBG("conn %p", conn);
1346
1347 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1348 }
1349
1350 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1351 {
1352 struct l2cap_chan *chan = conn->smp;
1353 struct smp_chan *smp;
1354
1355 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1356 if (!smp)
1357 return NULL;
1358
1359 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1360 if (IS_ERR(smp->tfm_aes)) {
1361 BT_ERR("Unable to create ECB crypto context");
1362 kzfree(smp);
1363 return NULL;
1364 }
1365
1366 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1367 if (IS_ERR(smp->tfm_cmac)) {
1368 BT_ERR("Unable to create CMAC crypto context");
1369 crypto_free_blkcipher(smp->tfm_aes);
1370 kzfree(smp);
1371 return NULL;
1372 }
1373
1374 smp->conn = conn;
1375 chan->data = smp;
1376
1377 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1378
1379 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1380
1381 hci_conn_hold(conn->hcon);
1382
1383 return smp;
1384 }
1385
1386 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1387 {
1388 struct hci_conn *hcon = smp->conn->hcon;
1389 u8 *na, *nb, a[7], b[7];
1390
1391 if (hcon->out) {
1392 na = smp->prnd;
1393 nb = smp->rrnd;
1394 } else {
1395 na = smp->rrnd;
1396 nb = smp->prnd;
1397 }
1398
1399 memcpy(a, &hcon->init_addr, 6);
1400 memcpy(b, &hcon->resp_addr, 6);
1401 a[6] = hcon->init_addr_type;
1402 b[6] = hcon->resp_addr_type;
1403
1404 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1405 }
1406
1407 static void sc_dhkey_check(struct smp_chan *smp)
1408 {
1409 struct hci_conn *hcon = smp->conn->hcon;
1410 struct smp_cmd_dhkey_check check;
1411 u8 a[7], b[7], *local_addr, *remote_addr;
1412 u8 io_cap[3], r[16];
1413
1414 memcpy(a, &hcon->init_addr, 6);
1415 memcpy(b, &hcon->resp_addr, 6);
1416 a[6] = hcon->init_addr_type;
1417 b[6] = hcon->resp_addr_type;
1418
1419 if (hcon->out) {
1420 local_addr = a;
1421 remote_addr = b;
1422 memcpy(io_cap, &smp->preq[1], 3);
1423 } else {
1424 local_addr = b;
1425 remote_addr = a;
1426 memcpy(io_cap, &smp->prsp[1], 3);
1427 }
1428
1429 memset(r, 0, sizeof(r));
1430
1431 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1432 put_unaligned_le32(hcon->passkey_notify, r);
1433
1434 if (smp->method == REQ_OOB)
1435 memcpy(r, smp->rr, 16);
1436
1437 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1438 local_addr, remote_addr, check.e);
1439
1440 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1441 }
1442
1443 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1444 {
1445 struct l2cap_conn *conn = smp->conn;
1446 struct hci_conn *hcon = conn->hcon;
1447 struct smp_cmd_pairing_confirm cfm;
1448 u8 r;
1449
1450 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1451 r |= 0x80;
1452
1453 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1454
1455 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1456 cfm.confirm_val))
1457 return SMP_UNSPECIFIED;
1458
1459 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1460
1461 return 0;
1462 }
1463
1464 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1465 {
1466 struct l2cap_conn *conn = smp->conn;
1467 struct hci_conn *hcon = conn->hcon;
1468 struct hci_dev *hdev = hcon->hdev;
1469 u8 cfm[16], r;
1470
1471 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1472 if (smp->passkey_round >= 20)
1473 return 0;
1474
1475 switch (smp_op) {
1476 case SMP_CMD_PAIRING_RANDOM:
1477 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1478 r |= 0x80;
1479
1480 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1481 smp->rrnd, r, cfm))
1482 return SMP_UNSPECIFIED;
1483
1484 if (memcmp(smp->pcnf, cfm, 16))
1485 return SMP_CONFIRM_FAILED;
1486
1487 smp->passkey_round++;
1488
1489 if (smp->passkey_round == 20) {
1490 /* Generate MacKey and LTK */
1491 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1492 return SMP_UNSPECIFIED;
1493 }
1494
1495 /* The round is only complete when the initiator
1496 * receives pairing random.
1497 */
1498 if (!hcon->out) {
1499 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1500 sizeof(smp->prnd), smp->prnd);
1501 if (smp->passkey_round == 20)
1502 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1503 else
1504 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1505 return 0;
1506 }
1507
1508 /* Start the next round */
1509 if (smp->passkey_round != 20)
1510 return sc_passkey_round(smp, 0);
1511
1512 /* Passkey rounds are complete - start DHKey Check */
1513 sc_dhkey_check(smp);
1514 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1515
1516 break;
1517
1518 case SMP_CMD_PAIRING_CONFIRM:
1519 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1520 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1521 return 0;
1522 }
1523
1524 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1525
1526 if (hcon->out) {
1527 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1528 sizeof(smp->prnd), smp->prnd);
1529 return 0;
1530 }
1531
1532 return sc_passkey_send_confirm(smp);
1533
1534 case SMP_CMD_PUBLIC_KEY:
1535 default:
1536 /* Initiating device starts the round */
1537 if (!hcon->out)
1538 return 0;
1539
1540 BT_DBG("%s Starting passkey round %u", hdev->name,
1541 smp->passkey_round + 1);
1542
1543 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544
1545 return sc_passkey_send_confirm(smp);
1546 }
1547
1548 return 0;
1549 }
1550
1551 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1552 {
1553 struct l2cap_conn *conn = smp->conn;
1554 struct hci_conn *hcon = conn->hcon;
1555 u8 smp_op;
1556
1557 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1558
1559 switch (mgmt_op) {
1560 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1561 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1562 return 0;
1563 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1564 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1565 return 0;
1566 case MGMT_OP_USER_PASSKEY_REPLY:
1567 hcon->passkey_notify = le32_to_cpu(passkey);
1568 smp->passkey_round = 0;
1569
1570 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1571 smp_op = SMP_CMD_PAIRING_CONFIRM;
1572 else
1573 smp_op = 0;
1574
1575 if (sc_passkey_round(smp, smp_op))
1576 return -EIO;
1577
1578 return 0;
1579 }
1580
1581 /* Initiator sends DHKey check first */
1582 if (hcon->out) {
1583 sc_dhkey_check(smp);
1584 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1585 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1586 sc_dhkey_check(smp);
1587 sc_add_ltk(smp);
1588 }
1589
1590 return 0;
1591 }
1592
1593 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1594 {
1595 struct l2cap_conn *conn = hcon->l2cap_data;
1596 struct l2cap_chan *chan;
1597 struct smp_chan *smp;
1598 u32 value;
1599 int err;
1600
1601 BT_DBG("");
1602
1603 if (!conn)
1604 return -ENOTCONN;
1605
1606 chan = conn->smp;
1607 if (!chan)
1608 return -ENOTCONN;
1609
1610 l2cap_chan_lock(chan);
1611 if (!chan->data) {
1612 err = -ENOTCONN;
1613 goto unlock;
1614 }
1615
1616 smp = chan->data;
1617
1618 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1619 err = sc_user_reply(smp, mgmt_op, passkey);
1620 goto unlock;
1621 }
1622
1623 switch (mgmt_op) {
1624 case MGMT_OP_USER_PASSKEY_REPLY:
1625 value = le32_to_cpu(passkey);
1626 memset(smp->tk, 0, sizeof(smp->tk));
1627 BT_DBG("PassKey: %d", value);
1628 put_unaligned_le32(value, smp->tk);
1629 /* Fall Through */
1630 case MGMT_OP_USER_CONFIRM_REPLY:
1631 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1632 break;
1633 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1634 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1635 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1636 err = 0;
1637 goto unlock;
1638 default:
1639 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1640 err = -EOPNOTSUPP;
1641 goto unlock;
1642 }
1643
1644 err = 0;
1645
1646 /* If it is our turn to send Pairing Confirm, do so now */
1647 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1648 u8 rsp = smp_confirm(smp);
1649 if (rsp)
1650 smp_failure(conn, rsp);
1651 }
1652
1653 unlock:
1654 l2cap_chan_unlock(chan);
1655 return err;
1656 }
1657
1658 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1659 struct smp_cmd_pairing *req,
1660 struct smp_cmd_pairing *rsp)
1661 {
1662 struct l2cap_conn *conn = smp->conn;
1663 struct hci_dev *hdev = conn->hcon->hdev;
1664 u8 local_dist = 0, remote_dist = 0;
1665
1666 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1667 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1668 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1669 }
1670
1671 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1672 remote_dist |= SMP_DIST_ID_KEY;
1673
1674 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1675 local_dist |= SMP_DIST_ID_KEY;
1676
1677 if (!rsp) {
1678 memset(req, 0, sizeof(*req));
1679
1680 req->init_key_dist = local_dist;
1681 req->resp_key_dist = remote_dist;
1682 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1683
1684 smp->remote_key_dist = remote_dist;
1685
1686 return;
1687 }
1688
1689 memset(rsp, 0, sizeof(*rsp));
1690
1691 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1692 rsp->init_key_dist = req->init_key_dist & remote_dist;
1693 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1694
1695 smp->remote_key_dist = rsp->init_key_dist;
1696 }
1697
1698 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1699 {
1700 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1701 struct l2cap_chan *chan = conn->smp;
1702 struct hci_dev *hdev = conn->hcon->hdev;
1703 struct smp_chan *smp;
1704 u8 key_size, auth, sec_level;
1705 int ret;
1706
1707 BT_DBG("conn %p", conn);
1708
1709 if (skb->len < sizeof(*req))
1710 return SMP_INVALID_PARAMS;
1711
1712 if (conn->hcon->role != HCI_ROLE_SLAVE)
1713 return SMP_CMD_NOTSUPP;
1714
1715 if (!chan->data)
1716 smp = smp_chan_create(conn);
1717 else
1718 smp = chan->data;
1719
1720 if (!smp)
1721 return SMP_UNSPECIFIED;
1722
1723 /* We didn't start the pairing, so match remote */
1724 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1725
1726 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1727 (auth & SMP_AUTH_BONDING))
1728 return SMP_PAIRING_NOTSUPP;
1729
1730 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1731 return SMP_AUTH_REQUIREMENTS;
1732
1733 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1734 memcpy(&smp->preq[1], req, sizeof(*req));
1735 skb_pull(skb, sizeof(*req));
1736
1737 /* SMP over BR/EDR requires special treatment */
1738 if (conn->hcon->type == ACL_LINK) {
1739 /* We must have a BR/EDR SC link */
1740 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1741 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1742 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1743
1744 set_bit(SMP_FLAG_SC, &smp->flags);
1745
1746 build_bredr_pairing_cmd(smp, req, &rsp);
1747
1748 key_size = min(req->max_key_size, rsp.max_key_size);
1749 if (check_enc_key_size(conn, key_size))
1750 return SMP_ENC_KEY_SIZE;
1751
1752 /* Clear bits which are generated but not distributed */
1753 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1754
1755 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1756 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1757 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1758
1759 smp_distribute_keys(smp);
1760 return 0;
1761 }
1762
1763 build_pairing_cmd(conn, req, &rsp, auth);
1764
1765 if (rsp.auth_req & SMP_AUTH_SC)
1766 set_bit(SMP_FLAG_SC, &smp->flags);
1767
1768 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1769 sec_level = BT_SECURITY_MEDIUM;
1770 else
1771 sec_level = authreq_to_seclevel(auth);
1772
1773 if (sec_level > conn->hcon->pending_sec_level)
1774 conn->hcon->pending_sec_level = sec_level;
1775
1776 /* If we need MITM check that it can be achieved */
1777 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1778 u8 method;
1779
1780 method = get_auth_method(smp, conn->hcon->io_capability,
1781 req->io_capability);
1782 if (method == JUST_WORKS || method == JUST_CFM)
1783 return SMP_AUTH_REQUIREMENTS;
1784 }
1785
1786 key_size = min(req->max_key_size, rsp.max_key_size);
1787 if (check_enc_key_size(conn, key_size))
1788 return SMP_ENC_KEY_SIZE;
1789
1790 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1791
1792 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1793 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1794
1795 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1796
1797 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1798
1799 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1800 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1801 /* Clear bits which are generated but not distributed */
1802 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803 /* Wait for Public Key from Initiating Device */
1804 return 0;
1805 }
1806
1807 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1808
1809 /* Request setup of TK */
1810 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1811 if (ret)
1812 return SMP_UNSPECIFIED;
1813
1814 return 0;
1815 }
1816
1817 static u8 sc_send_public_key(struct smp_chan *smp)
1818 {
1819 struct hci_dev *hdev = smp->conn->hcon->hdev;
1820
1821 BT_DBG("");
1822
1823 if (test_bit(SMP_FLAG_OOB, &smp->flags)) {
1824 struct l2cap_chan *chan = hdev->smp_data;
1825 struct smp_dev *smp_dev;
1826
1827 if (!chan || !chan->data)
1828 return SMP_UNSPECIFIED;
1829
1830 smp_dev = chan->data;
1831
1832 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1833 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1834 memcpy(smp->lr, smp_dev->local_rr, 16);
1835
1836 if (smp_dev->debug_key)
1837 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1838
1839 goto done;
1840 }
1841
1842 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1843 BT_DBG("Using debug keys");
1844 memcpy(smp->local_pk, debug_pk, 64);
1845 memcpy(smp->local_sk, debug_sk, 32);
1846 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1847 } else {
1848 while (true) {
1849 /* Generate local key pair for Secure Connections */
1850 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1851 return SMP_UNSPECIFIED;
1852
1853 /* This is unlikely, but we need to check that
1854 * we didn't accidentially generate a debug key.
1855 */
1856 if (memcmp(smp->local_sk, debug_sk, 32))
1857 break;
1858 }
1859 }
1860
1861 done:
1862 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1863 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1864 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1865
1866 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1867
1868 return 0;
1869 }
1870
1871 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1872 {
1873 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1874 struct l2cap_chan *chan = conn->smp;
1875 struct smp_chan *smp = chan->data;
1876 struct hci_dev *hdev = conn->hcon->hdev;
1877 u8 key_size, auth;
1878 int ret;
1879
1880 BT_DBG("conn %p", conn);
1881
1882 if (skb->len < sizeof(*rsp))
1883 return SMP_INVALID_PARAMS;
1884
1885 if (conn->hcon->role != HCI_ROLE_MASTER)
1886 return SMP_CMD_NOTSUPP;
1887
1888 skb_pull(skb, sizeof(*rsp));
1889
1890 req = (void *) &smp->preq[1];
1891
1892 key_size = min(req->max_key_size, rsp->max_key_size);
1893 if (check_enc_key_size(conn, key_size))
1894 return SMP_ENC_KEY_SIZE;
1895
1896 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1897
1898 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1899 return SMP_AUTH_REQUIREMENTS;
1900
1901 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1902 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1903
1904 /* Update remote key distribution in case the remote cleared
1905 * some bits that we had enabled in our request.
1906 */
1907 smp->remote_key_dist &= rsp->resp_key_dist;
1908
1909 /* For BR/EDR this means we're done and can start phase 3 */
1910 if (conn->hcon->type == ACL_LINK) {
1911 /* Clear bits which are generated but not distributed */
1912 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1913 smp_distribute_keys(smp);
1914 return 0;
1915 }
1916
1917 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1918 set_bit(SMP_FLAG_SC, &smp->flags);
1919 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1920 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1921
1922 /* If we need MITM check that it can be achieved */
1923 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1924 u8 method;
1925
1926 method = get_auth_method(smp, req->io_capability,
1927 rsp->io_capability);
1928 if (method == JUST_WORKS || method == JUST_CFM)
1929 return SMP_AUTH_REQUIREMENTS;
1930 }
1931
1932 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1933
1934 /* Update remote key distribution in case the remote cleared
1935 * some bits that we had enabled in our request.
1936 */
1937 smp->remote_key_dist &= rsp->resp_key_dist;
1938
1939 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1940 /* Clear bits which are generated but not distributed */
1941 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1942 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1943 return sc_send_public_key(smp);
1944 }
1945
1946 auth |= req->auth_req;
1947
1948 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1949 if (ret)
1950 return SMP_UNSPECIFIED;
1951
1952 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1953
1954 /* Can't compose response until we have been confirmed */
1955 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1956 return smp_confirm(smp);
1957
1958 return 0;
1959 }
1960
1961 static u8 sc_check_confirm(struct smp_chan *smp)
1962 {
1963 struct l2cap_conn *conn = smp->conn;
1964
1965 BT_DBG("");
1966
1967 /* Public Key exchange must happen before any other steps */
1968 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1969 return SMP_UNSPECIFIED;
1970
1971 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1972 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1973
1974 if (conn->hcon->out) {
1975 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1976 smp->prnd);
1977 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1978 }
1979
1980 return 0;
1981 }
1982
1983 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1984 {
1985 struct l2cap_chan *chan = conn->smp;
1986 struct smp_chan *smp = chan->data;
1987
1988 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1989
1990 if (skb->len < sizeof(smp->pcnf))
1991 return SMP_INVALID_PARAMS;
1992
1993 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1994 skb_pull(skb, sizeof(smp->pcnf));
1995
1996 if (test_bit(SMP_FLAG_SC, &smp->flags))
1997 return sc_check_confirm(smp);
1998
1999 if (conn->hcon->out) {
2000 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2001 smp->prnd);
2002 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2003 return 0;
2004 }
2005
2006 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2007 return smp_confirm(smp);
2008
2009 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2010
2011 return 0;
2012 }
2013
2014 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2015 {
2016 struct l2cap_chan *chan = conn->smp;
2017 struct smp_chan *smp = chan->data;
2018 struct hci_conn *hcon = conn->hcon;
2019 u8 *pkax, *pkbx, *na, *nb;
2020 u32 passkey;
2021 int err;
2022
2023 BT_DBG("conn %p", conn);
2024
2025 if (skb->len < sizeof(smp->rrnd))
2026 return SMP_INVALID_PARAMS;
2027
2028 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2029 skb_pull(skb, sizeof(smp->rrnd));
2030
2031 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2032 return smp_random(smp);
2033
2034 if (hcon->out) {
2035 pkax = smp->local_pk;
2036 pkbx = smp->remote_pk;
2037 na = smp->prnd;
2038 nb = smp->rrnd;
2039 } else {
2040 pkax = smp->remote_pk;
2041 pkbx = smp->local_pk;
2042 na = smp->rrnd;
2043 nb = smp->prnd;
2044 }
2045
2046 if (smp->method == REQ_OOB) {
2047 if (!hcon->out)
2048 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2049 sizeof(smp->prnd), smp->prnd);
2050 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2051 goto mackey_and_ltk;
2052 }
2053
2054 /* Passkey entry has special treatment */
2055 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2056 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2057
2058 if (hcon->out) {
2059 u8 cfm[16];
2060
2061 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2062 smp->rrnd, 0, cfm);
2063 if (err)
2064 return SMP_UNSPECIFIED;
2065
2066 if (memcmp(smp->pcnf, cfm, 16))
2067 return SMP_CONFIRM_FAILED;
2068 } else {
2069 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2070 smp->prnd);
2071 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2072 }
2073
2074 mackey_and_ltk:
2075 /* Generate MacKey and LTK */
2076 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2077 if (err)
2078 return SMP_UNSPECIFIED;
2079
2080 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2081 if (hcon->out) {
2082 sc_dhkey_check(smp);
2083 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2084 }
2085 return 0;
2086 }
2087
2088 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2089 if (err)
2090 return SMP_UNSPECIFIED;
2091
2092 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2093 hcon->dst_type, passkey, 0);
2094 if (err)
2095 return SMP_UNSPECIFIED;
2096
2097 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2098
2099 return 0;
2100 }
2101
2102 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2103 {
2104 struct smp_ltk *key;
2105 struct hci_conn *hcon = conn->hcon;
2106
2107 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2108 if (!key)
2109 return false;
2110
2111 if (smp_ltk_sec_level(key) < sec_level)
2112 return false;
2113
2114 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2115 return true;
2116
2117 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2118 hcon->enc_key_size = key->enc_size;
2119
2120 /* We never store STKs for master role, so clear this flag */
2121 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2122
2123 return true;
2124 }
2125
2126 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2127 enum smp_key_pref key_pref)
2128 {
2129 if (sec_level == BT_SECURITY_LOW)
2130 return true;
2131
2132 /* If we're encrypted with an STK but the caller prefers using
2133 * LTK claim insufficient security. This way we allow the
2134 * connection to be re-encrypted with an LTK, even if the LTK
2135 * provides the same level of security. Only exception is if we
2136 * don't have an LTK (e.g. because of key distribution bits).
2137 */
2138 if (key_pref == SMP_USE_LTK &&
2139 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2140 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2141 return false;
2142
2143 if (hcon->sec_level >= sec_level)
2144 return true;
2145
2146 return false;
2147 }
2148
2149 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2150 {
2151 struct smp_cmd_security_req *rp = (void *) skb->data;
2152 struct smp_cmd_pairing cp;
2153 struct hci_conn *hcon = conn->hcon;
2154 struct hci_dev *hdev = hcon->hdev;
2155 struct smp_chan *smp;
2156 u8 sec_level, auth;
2157
2158 BT_DBG("conn %p", conn);
2159
2160 if (skb->len < sizeof(*rp))
2161 return SMP_INVALID_PARAMS;
2162
2163 if (hcon->role != HCI_ROLE_MASTER)
2164 return SMP_CMD_NOTSUPP;
2165
2166 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2167
2168 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2169 return SMP_AUTH_REQUIREMENTS;
2170
2171 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2172 sec_level = BT_SECURITY_MEDIUM;
2173 else
2174 sec_level = authreq_to_seclevel(auth);
2175
2176 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2177 return 0;
2178
2179 if (sec_level > hcon->pending_sec_level)
2180 hcon->pending_sec_level = sec_level;
2181
2182 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2183 return 0;
2184
2185 smp = smp_chan_create(conn);
2186 if (!smp)
2187 return SMP_UNSPECIFIED;
2188
2189 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2190 (auth & SMP_AUTH_BONDING))
2191 return SMP_PAIRING_NOTSUPP;
2192
2193 skb_pull(skb, sizeof(*rp));
2194
2195 memset(&cp, 0, sizeof(cp));
2196 build_pairing_cmd(conn, &cp, NULL, auth);
2197
2198 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2199 memcpy(&smp->preq[1], &cp, sizeof(cp));
2200
2201 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2202 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2203
2204 return 0;
2205 }
2206
2207 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2208 {
2209 struct l2cap_conn *conn = hcon->l2cap_data;
2210 struct l2cap_chan *chan;
2211 struct smp_chan *smp;
2212 __u8 authreq;
2213 int ret;
2214
2215 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2216
2217 /* This may be NULL if there's an unexpected disconnection */
2218 if (!conn)
2219 return 1;
2220
2221 chan = conn->smp;
2222
2223 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2224 return 1;
2225
2226 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2227 return 1;
2228
2229 if (sec_level > hcon->pending_sec_level)
2230 hcon->pending_sec_level = sec_level;
2231
2232 if (hcon->role == HCI_ROLE_MASTER)
2233 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2234 return 0;
2235
2236 l2cap_chan_lock(chan);
2237
2238 /* If SMP is already in progress ignore this request */
2239 if (chan->data) {
2240 ret = 0;
2241 goto unlock;
2242 }
2243
2244 smp = smp_chan_create(conn);
2245 if (!smp) {
2246 ret = 1;
2247 goto unlock;
2248 }
2249
2250 authreq = seclevel_to_authreq(sec_level);
2251
2252 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2253 authreq |= SMP_AUTH_SC;
2254
2255 /* Require MITM if IO Capability allows or the security level
2256 * requires it.
2257 */
2258 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2259 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2260 authreq |= SMP_AUTH_MITM;
2261
2262 if (hcon->role == HCI_ROLE_MASTER) {
2263 struct smp_cmd_pairing cp;
2264
2265 build_pairing_cmd(conn, &cp, NULL, authreq);
2266 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2267 memcpy(&smp->preq[1], &cp, sizeof(cp));
2268
2269 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2270 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2271 } else {
2272 struct smp_cmd_security_req cp;
2273 cp.auth_req = authreq;
2274 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2275 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2276 }
2277
2278 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2279 ret = 0;
2280
2281 unlock:
2282 l2cap_chan_unlock(chan);
2283 return ret;
2284 }
2285
2286 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2287 {
2288 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2289 struct l2cap_chan *chan = conn->smp;
2290 struct smp_chan *smp = chan->data;
2291
2292 BT_DBG("conn %p", conn);
2293
2294 if (skb->len < sizeof(*rp))
2295 return SMP_INVALID_PARAMS;
2296
2297 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2298
2299 skb_pull(skb, sizeof(*rp));
2300
2301 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2302
2303 return 0;
2304 }
2305
2306 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2307 {
2308 struct smp_cmd_master_ident *rp = (void *) skb->data;
2309 struct l2cap_chan *chan = conn->smp;
2310 struct smp_chan *smp = chan->data;
2311 struct hci_dev *hdev = conn->hcon->hdev;
2312 struct hci_conn *hcon = conn->hcon;
2313 struct smp_ltk *ltk;
2314 u8 authenticated;
2315
2316 BT_DBG("conn %p", conn);
2317
2318 if (skb->len < sizeof(*rp))
2319 return SMP_INVALID_PARAMS;
2320
2321 /* Mark the information as received */
2322 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2323
2324 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2325 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2326 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2327 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2328
2329 skb_pull(skb, sizeof(*rp));
2330
2331 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2332 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2333 authenticated, smp->tk, smp->enc_key_size,
2334 rp->ediv, rp->rand);
2335 smp->ltk = ltk;
2336 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2337 smp_distribute_keys(smp);
2338
2339 return 0;
2340 }
2341
2342 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2343 {
2344 struct smp_cmd_ident_info *info = (void *) skb->data;
2345 struct l2cap_chan *chan = conn->smp;
2346 struct smp_chan *smp = chan->data;
2347
2348 BT_DBG("");
2349
2350 if (skb->len < sizeof(*info))
2351 return SMP_INVALID_PARAMS;
2352
2353 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2354
2355 skb_pull(skb, sizeof(*info));
2356
2357 memcpy(smp->irk, info->irk, 16);
2358
2359 return 0;
2360 }
2361
2362 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2363 struct sk_buff *skb)
2364 {
2365 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2366 struct l2cap_chan *chan = conn->smp;
2367 struct smp_chan *smp = chan->data;
2368 struct hci_conn *hcon = conn->hcon;
2369 bdaddr_t rpa;
2370
2371 BT_DBG("");
2372
2373 if (skb->len < sizeof(*info))
2374 return SMP_INVALID_PARAMS;
2375
2376 /* Mark the information as received */
2377 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2378
2379 if (smp->remote_key_dist & SMP_DIST_SIGN)
2380 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2381
2382 skb_pull(skb, sizeof(*info));
2383
2384 /* Strictly speaking the Core Specification (4.1) allows sending
2385 * an empty address which would force us to rely on just the IRK
2386 * as "identity information". However, since such
2387 * implementations are not known of and in order to not over
2388 * complicate our implementation, simply pretend that we never
2389 * received an IRK for such a device.
2390 *
2391 * The Identity Address must also be a Static Random or Public
2392 * Address, which hci_is_identity_address() checks for.
2393 */
2394 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2395 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2396 BT_ERR("Ignoring IRK with no identity address");
2397 goto distribute;
2398 }
2399
2400 bacpy(&smp->id_addr, &info->bdaddr);
2401 smp->id_addr_type = info->addr_type;
2402
2403 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2404 bacpy(&rpa, &hcon->dst);
2405 else
2406 bacpy(&rpa, BDADDR_ANY);
2407
2408 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2409 smp->id_addr_type, smp->irk, &rpa);
2410
2411 distribute:
2412 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2413 smp_distribute_keys(smp);
2414
2415 return 0;
2416 }
2417
2418 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2419 {
2420 struct smp_cmd_sign_info *rp = (void *) skb->data;
2421 struct l2cap_chan *chan = conn->smp;
2422 struct smp_chan *smp = chan->data;
2423 struct smp_csrk *csrk;
2424
2425 BT_DBG("conn %p", conn);
2426
2427 if (skb->len < sizeof(*rp))
2428 return SMP_INVALID_PARAMS;
2429
2430 /* Mark the information as received */
2431 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2432
2433 skb_pull(skb, sizeof(*rp));
2434
2435 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2436 if (csrk) {
2437 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2438 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2439 else
2440 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2441 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2442 }
2443 smp->csrk = csrk;
2444 smp_distribute_keys(smp);
2445
2446 return 0;
2447 }
2448
2449 static u8 sc_select_method(struct smp_chan *smp)
2450 {
2451 struct l2cap_conn *conn = smp->conn;
2452 struct hci_conn *hcon = conn->hcon;
2453 struct smp_cmd_pairing *local, *remote;
2454 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2455
2456 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2457 return REQ_OOB;
2458
2459 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2460 * which are needed as inputs to some crypto functions. To get
2461 * the "struct smp_cmd_pairing" from them we need to skip the
2462 * first byte which contains the opcode.
2463 */
2464 if (hcon->out) {
2465 local = (void *) &smp->preq[1];
2466 remote = (void *) &smp->prsp[1];
2467 } else {
2468 local = (void *) &smp->prsp[1];
2469 remote = (void *) &smp->preq[1];
2470 }
2471
2472 local_io = local->io_capability;
2473 remote_io = remote->io_capability;
2474
2475 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2476 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2477
2478 /* If either side wants MITM, look up the method from the table,
2479 * otherwise use JUST WORKS.
2480 */
2481 if (local_mitm || remote_mitm)
2482 method = get_auth_method(smp, local_io, remote_io);
2483 else
2484 method = JUST_WORKS;
2485
2486 /* Don't confirm locally initiated pairing attempts */
2487 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2488 method = JUST_WORKS;
2489
2490 return method;
2491 }
2492
2493 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2494 {
2495 struct smp_cmd_public_key *key = (void *) skb->data;
2496 struct hci_conn *hcon = conn->hcon;
2497 struct l2cap_chan *chan = conn->smp;
2498 struct smp_chan *smp = chan->data;
2499 struct hci_dev *hdev = hcon->hdev;
2500 struct smp_cmd_pairing_confirm cfm;
2501 int err;
2502
2503 BT_DBG("conn %p", conn);
2504
2505 if (skb->len < sizeof(*key))
2506 return SMP_INVALID_PARAMS;
2507
2508 memcpy(smp->remote_pk, key, 64);
2509
2510 /* Non-initiating device sends its public key after receiving
2511 * the key from the initiating device.
2512 */
2513 if (!hcon->out) {
2514 err = sc_send_public_key(smp);
2515 if (err)
2516 return err;
2517 }
2518
2519 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2520 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2521
2522 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2523 return SMP_UNSPECIFIED;
2524
2525 SMP_DBG("DHKey %32phN", smp->dhkey);
2526
2527 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2528
2529 smp->method = sc_select_method(smp);
2530
2531 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2532
2533 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2534 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2535 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2536 else
2537 hcon->pending_sec_level = BT_SECURITY_FIPS;
2538
2539 if (!memcmp(debug_pk, smp->remote_pk, 64))
2540 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2541
2542 if (smp->method == DSP_PASSKEY) {
2543 get_random_bytes(&hcon->passkey_notify,
2544 sizeof(hcon->passkey_notify));
2545 hcon->passkey_notify %= 1000000;
2546 hcon->passkey_entered = 0;
2547 smp->passkey_round = 0;
2548 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2549 hcon->dst_type,
2550 hcon->passkey_notify,
2551 hcon->passkey_entered))
2552 return SMP_UNSPECIFIED;
2553 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2554 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2555 }
2556
2557 if (smp->method == REQ_OOB) {
2558 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2559 smp->rr, 0, cfm.confirm_val);
2560 if (err)
2561 return SMP_UNSPECIFIED;
2562
2563 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2564 return SMP_CONFIRM_FAILED;
2565
2566 if (hcon->out)
2567 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2568 sizeof(smp->prnd), smp->prnd);
2569
2570 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2571
2572 return 0;
2573 }
2574
2575 if (hcon->out)
2576 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2577
2578 if (smp->method == REQ_PASSKEY) {
2579 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2580 hcon->dst_type))
2581 return SMP_UNSPECIFIED;
2582 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2583 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2584 return 0;
2585 }
2586
2587 /* The Initiating device waits for the non-initiating device to
2588 * send the confirm value.
2589 */
2590 if (conn->hcon->out)
2591 return 0;
2592
2593 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2594 0, cfm.confirm_val);
2595 if (err)
2596 return SMP_UNSPECIFIED;
2597
2598 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2599 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2600
2601 return 0;
2602 }
2603
2604 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2605 {
2606 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2607 struct l2cap_chan *chan = conn->smp;
2608 struct hci_conn *hcon = conn->hcon;
2609 struct smp_chan *smp = chan->data;
2610 u8 a[7], b[7], *local_addr, *remote_addr;
2611 u8 io_cap[3], r[16], e[16];
2612 int err;
2613
2614 BT_DBG("conn %p", conn);
2615
2616 if (skb->len < sizeof(*check))
2617 return SMP_INVALID_PARAMS;
2618
2619 memcpy(a, &hcon->init_addr, 6);
2620 memcpy(b, &hcon->resp_addr, 6);
2621 a[6] = hcon->init_addr_type;
2622 b[6] = hcon->resp_addr_type;
2623
2624 if (hcon->out) {
2625 local_addr = a;
2626 remote_addr = b;
2627 memcpy(io_cap, &smp->prsp[1], 3);
2628 } else {
2629 local_addr = b;
2630 remote_addr = a;
2631 memcpy(io_cap, &smp->preq[1], 3);
2632 }
2633
2634 memset(r, 0, sizeof(r));
2635
2636 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2637 put_unaligned_le32(hcon->passkey_notify, r);
2638 else if (smp->method == REQ_OOB)
2639 memcpy(r, smp->lr, 16);
2640
2641 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2642 io_cap, remote_addr, local_addr, e);
2643 if (err)
2644 return SMP_UNSPECIFIED;
2645
2646 if (memcmp(check->e, e, 16))
2647 return SMP_DHKEY_CHECK_FAILED;
2648
2649 if (!hcon->out) {
2650 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2651 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2652 return 0;
2653 }
2654
2655 /* Slave sends DHKey check as response to master */
2656 sc_dhkey_check(smp);
2657 }
2658
2659 sc_add_ltk(smp);
2660
2661 if (hcon->out) {
2662 hci_le_start_enc(hcon, 0, 0, smp->tk);
2663 hcon->enc_key_size = smp->enc_key_size;
2664 }
2665
2666 return 0;
2667 }
2668
2669 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2670 struct sk_buff *skb)
2671 {
2672 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2673
2674 BT_DBG("value 0x%02x", kp->value);
2675
2676 return 0;
2677 }
2678
2679 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2680 {
2681 struct l2cap_conn *conn = chan->conn;
2682 struct hci_conn *hcon = conn->hcon;
2683 struct smp_chan *smp;
2684 __u8 code, reason;
2685 int err = 0;
2686
2687 if (skb->len < 1)
2688 return -EILSEQ;
2689
2690 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2691 reason = SMP_PAIRING_NOTSUPP;
2692 goto done;
2693 }
2694
2695 code = skb->data[0];
2696 skb_pull(skb, sizeof(code));
2697
2698 smp = chan->data;
2699
2700 if (code > SMP_CMD_MAX)
2701 goto drop;
2702
2703 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2704 goto drop;
2705
2706 /* If we don't have a context the only allowed commands are
2707 * pairing request and security request.
2708 */
2709 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2710 goto drop;
2711
2712 switch (code) {
2713 case SMP_CMD_PAIRING_REQ:
2714 reason = smp_cmd_pairing_req(conn, skb);
2715 break;
2716
2717 case SMP_CMD_PAIRING_FAIL:
2718 smp_failure(conn, 0);
2719 err = -EPERM;
2720 break;
2721
2722 case SMP_CMD_PAIRING_RSP:
2723 reason = smp_cmd_pairing_rsp(conn, skb);
2724 break;
2725
2726 case SMP_CMD_SECURITY_REQ:
2727 reason = smp_cmd_security_req(conn, skb);
2728 break;
2729
2730 case SMP_CMD_PAIRING_CONFIRM:
2731 reason = smp_cmd_pairing_confirm(conn, skb);
2732 break;
2733
2734 case SMP_CMD_PAIRING_RANDOM:
2735 reason = smp_cmd_pairing_random(conn, skb);
2736 break;
2737
2738 case SMP_CMD_ENCRYPT_INFO:
2739 reason = smp_cmd_encrypt_info(conn, skb);
2740 break;
2741
2742 case SMP_CMD_MASTER_IDENT:
2743 reason = smp_cmd_master_ident(conn, skb);
2744 break;
2745
2746 case SMP_CMD_IDENT_INFO:
2747 reason = smp_cmd_ident_info(conn, skb);
2748 break;
2749
2750 case SMP_CMD_IDENT_ADDR_INFO:
2751 reason = smp_cmd_ident_addr_info(conn, skb);
2752 break;
2753
2754 case SMP_CMD_SIGN_INFO:
2755 reason = smp_cmd_sign_info(conn, skb);
2756 break;
2757
2758 case SMP_CMD_PUBLIC_KEY:
2759 reason = smp_cmd_public_key(conn, skb);
2760 break;
2761
2762 case SMP_CMD_DHKEY_CHECK:
2763 reason = smp_cmd_dhkey_check(conn, skb);
2764 break;
2765
2766 case SMP_CMD_KEYPRESS_NOTIFY:
2767 reason = smp_cmd_keypress_notify(conn, skb);
2768 break;
2769
2770 default:
2771 BT_DBG("Unknown command code 0x%2.2x", code);
2772 reason = SMP_CMD_NOTSUPP;
2773 goto done;
2774 }
2775
2776 done:
2777 if (!err) {
2778 if (reason)
2779 smp_failure(conn, reason);
2780 kfree_skb(skb);
2781 }
2782
2783 return err;
2784
2785 drop:
2786 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2787 code, &hcon->dst);
2788 kfree_skb(skb);
2789 return 0;
2790 }
2791
2792 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2793 {
2794 struct l2cap_conn *conn = chan->conn;
2795
2796 BT_DBG("chan %p", chan);
2797
2798 if (chan->data)
2799 smp_chan_destroy(conn);
2800
2801 conn->smp = NULL;
2802 l2cap_chan_put(chan);
2803 }
2804
2805 static void bredr_pairing(struct l2cap_chan *chan)
2806 {
2807 struct l2cap_conn *conn = chan->conn;
2808 struct hci_conn *hcon = conn->hcon;
2809 struct hci_dev *hdev = hcon->hdev;
2810 struct smp_cmd_pairing req;
2811 struct smp_chan *smp;
2812
2813 BT_DBG("chan %p", chan);
2814
2815 /* Only new pairings are interesting */
2816 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2817 return;
2818
2819 /* Don't bother if we're not encrypted */
2820 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2821 return;
2822
2823 /* Only master may initiate SMP over BR/EDR */
2824 if (hcon->role != HCI_ROLE_MASTER)
2825 return;
2826
2827 /* Secure Connections support must be enabled */
2828 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2829 return;
2830
2831 /* BR/EDR must use Secure Connections for SMP */
2832 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2833 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2834 return;
2835
2836 /* If our LE support is not enabled don't do anything */
2837 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2838 return;
2839
2840 /* Don't bother if remote LE support is not enabled */
2841 if (!lmp_host_le_capable(hcon))
2842 return;
2843
2844 /* Remote must support SMP fixed chan for BR/EDR */
2845 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2846 return;
2847
2848 /* Don't bother if SMP is already ongoing */
2849 if (chan->data)
2850 return;
2851
2852 smp = smp_chan_create(conn);
2853 if (!smp) {
2854 BT_ERR("%s unable to create SMP context for BR/EDR",
2855 hdev->name);
2856 return;
2857 }
2858
2859 set_bit(SMP_FLAG_SC, &smp->flags);
2860
2861 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2862
2863 /* Prepare and send the BR/EDR SMP Pairing Request */
2864 build_bredr_pairing_cmd(smp, &req, NULL);
2865
2866 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2867 memcpy(&smp->preq[1], &req, sizeof(req));
2868
2869 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2870 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2871 }
2872
2873 static void smp_resume_cb(struct l2cap_chan *chan)
2874 {
2875 struct smp_chan *smp = chan->data;
2876 struct l2cap_conn *conn = chan->conn;
2877 struct hci_conn *hcon = conn->hcon;
2878
2879 BT_DBG("chan %p", chan);
2880
2881 if (hcon->type == ACL_LINK) {
2882 bredr_pairing(chan);
2883 return;
2884 }
2885
2886 if (!smp)
2887 return;
2888
2889 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2890 return;
2891
2892 cancel_delayed_work(&smp->security_timer);
2893
2894 smp_distribute_keys(smp);
2895 }
2896
2897 static void smp_ready_cb(struct l2cap_chan *chan)
2898 {
2899 struct l2cap_conn *conn = chan->conn;
2900 struct hci_conn *hcon = conn->hcon;
2901
2902 BT_DBG("chan %p", chan);
2903
2904 conn->smp = chan;
2905 l2cap_chan_hold(chan);
2906
2907 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2908 bredr_pairing(chan);
2909 }
2910
2911 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2912 {
2913 int err;
2914
2915 BT_DBG("chan %p", chan);
2916
2917 err = smp_sig_channel(chan, skb);
2918 if (err) {
2919 struct smp_chan *smp = chan->data;
2920
2921 if (smp)
2922 cancel_delayed_work_sync(&smp->security_timer);
2923
2924 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2925 }
2926
2927 return err;
2928 }
2929
2930 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2931 unsigned long hdr_len,
2932 unsigned long len, int nb)
2933 {
2934 struct sk_buff *skb;
2935
2936 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2937 if (!skb)
2938 return ERR_PTR(-ENOMEM);
2939
2940 skb->priority = HCI_PRIO_MAX;
2941 bt_cb(skb)->chan = chan;
2942
2943 return skb;
2944 }
2945
2946 static const struct l2cap_ops smp_chan_ops = {
2947 .name = "Security Manager",
2948 .ready = smp_ready_cb,
2949 .recv = smp_recv_cb,
2950 .alloc_skb = smp_alloc_skb_cb,
2951 .teardown = smp_teardown_cb,
2952 .resume = smp_resume_cb,
2953
2954 .new_connection = l2cap_chan_no_new_connection,
2955 .state_change = l2cap_chan_no_state_change,
2956 .close = l2cap_chan_no_close,
2957 .defer = l2cap_chan_no_defer,
2958 .suspend = l2cap_chan_no_suspend,
2959 .set_shutdown = l2cap_chan_no_set_shutdown,
2960 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2961 };
2962
2963 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2964 {
2965 struct l2cap_chan *chan;
2966
2967 BT_DBG("pchan %p", pchan);
2968
2969 chan = l2cap_chan_create();
2970 if (!chan)
2971 return NULL;
2972
2973 chan->chan_type = pchan->chan_type;
2974 chan->ops = &smp_chan_ops;
2975 chan->scid = pchan->scid;
2976 chan->dcid = chan->scid;
2977 chan->imtu = pchan->imtu;
2978 chan->omtu = pchan->omtu;
2979 chan->mode = pchan->mode;
2980
2981 /* Other L2CAP channels may request SMP routines in order to
2982 * change the security level. This means that the SMP channel
2983 * lock must be considered in its own category to avoid lockdep
2984 * warnings.
2985 */
2986 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2987
2988 BT_DBG("created chan %p", chan);
2989
2990 return chan;
2991 }
2992
2993 static const struct l2cap_ops smp_root_chan_ops = {
2994 .name = "Security Manager Root",
2995 .new_connection = smp_new_conn_cb,
2996
2997 /* None of these are implemented for the root channel */
2998 .close = l2cap_chan_no_close,
2999 .alloc_skb = l2cap_chan_no_alloc_skb,
3000 .recv = l2cap_chan_no_recv,
3001 .state_change = l2cap_chan_no_state_change,
3002 .teardown = l2cap_chan_no_teardown,
3003 .ready = l2cap_chan_no_ready,
3004 .defer = l2cap_chan_no_defer,
3005 .suspend = l2cap_chan_no_suspend,
3006 .resume = l2cap_chan_no_resume,
3007 .set_shutdown = l2cap_chan_no_set_shutdown,
3008 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3009 };
3010
3011 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3012 {
3013 struct l2cap_chan *chan;
3014 struct smp_dev *smp;
3015 struct crypto_blkcipher *tfm_aes;
3016 struct crypto_hash *tfm_cmac;
3017
3018 if (cid == L2CAP_CID_SMP_BREDR) {
3019 smp = NULL;
3020 goto create_chan;
3021 }
3022
3023 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3024 if (!smp)
3025 return ERR_PTR(-ENOMEM);
3026
3027 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3028 if (IS_ERR(tfm_aes)) {
3029 BT_ERR("Unable to create ECB crypto context");
3030 kzfree(smp);
3031 return ERR_CAST(tfm_aes);
3032 }
3033
3034 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3035 if (IS_ERR(tfm_cmac)) {
3036 BT_ERR("Unable to create CMAC crypto context");
3037 crypto_free_blkcipher(tfm_aes);
3038 kzfree(smp);
3039 return ERR_CAST(tfm_cmac);
3040 }
3041
3042 smp->tfm_aes = tfm_aes;
3043 smp->tfm_cmac = tfm_cmac;
3044
3045 create_chan:
3046 chan = l2cap_chan_create();
3047 if (!chan) {
3048 crypto_free_blkcipher(smp->tfm_aes);
3049 crypto_free_hash(smp->tfm_cmac);
3050 kzfree(smp);
3051 return ERR_PTR(-ENOMEM);
3052 }
3053
3054 chan->data = smp;
3055
3056 l2cap_add_scid(chan, cid);
3057
3058 l2cap_chan_set_defaults(chan);
3059
3060 if (cid == L2CAP_CID_SMP) {
3061 u8 bdaddr_type;
3062
3063 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3064
3065 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3066 chan->src_type = BDADDR_LE_PUBLIC;
3067 else
3068 chan->src_type = BDADDR_LE_RANDOM;
3069 } else {
3070 bacpy(&chan->src, &hdev->bdaddr);
3071 chan->src_type = BDADDR_BREDR;
3072 }
3073
3074 chan->state = BT_LISTEN;
3075 chan->mode = L2CAP_MODE_BASIC;
3076 chan->imtu = L2CAP_DEFAULT_MTU;
3077 chan->ops = &smp_root_chan_ops;
3078
3079 /* Set correct nesting level for a parent/listening channel */
3080 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3081
3082 return chan;
3083 }
3084
3085 static void smp_del_chan(struct l2cap_chan *chan)
3086 {
3087 struct smp_dev *smp;
3088
3089 BT_DBG("chan %p", chan);
3090
3091 smp = chan->data;
3092 if (smp) {
3093 chan->data = NULL;
3094 if (smp->tfm_aes)
3095 crypto_free_blkcipher(smp->tfm_aes);
3096 if (smp->tfm_cmac)
3097 crypto_free_hash(smp->tfm_cmac);
3098 kzfree(smp);
3099 }
3100
3101 l2cap_chan_put(chan);
3102 }
3103
3104 static ssize_t force_bredr_smp_read(struct file *file,
3105 char __user *user_buf,
3106 size_t count, loff_t *ppos)
3107 {
3108 struct hci_dev *hdev = file->private_data;
3109 char buf[3];
3110
3111 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3112 buf[1] = '\n';
3113 buf[2] = '\0';
3114 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3115 }
3116
3117 static ssize_t force_bredr_smp_write(struct file *file,
3118 const char __user *user_buf,
3119 size_t count, loff_t *ppos)
3120 {
3121 struct hci_dev *hdev = file->private_data;
3122 char buf[32];
3123 size_t buf_size = min(count, (sizeof(buf)-1));
3124 bool enable;
3125
3126 if (copy_from_user(buf, user_buf, buf_size))
3127 return -EFAULT;
3128
3129 buf[buf_size] = '\0';
3130 if (strtobool(buf, &enable))
3131 return -EINVAL;
3132
3133 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3134 return -EALREADY;
3135
3136 if (enable) {
3137 struct l2cap_chan *chan;
3138
3139 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3140 if (IS_ERR(chan))
3141 return PTR_ERR(chan);
3142
3143 hdev->smp_bredr_data = chan;
3144 } else {
3145 struct l2cap_chan *chan;
3146
3147 chan = hdev->smp_bredr_data;
3148 hdev->smp_bredr_data = NULL;
3149 smp_del_chan(chan);
3150 }
3151
3152 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3153
3154 return count;
3155 }
3156
3157 static const struct file_operations force_bredr_smp_fops = {
3158 .open = simple_open,
3159 .read = force_bredr_smp_read,
3160 .write = force_bredr_smp_write,
3161 .llseek = default_llseek,
3162 };
3163
3164 int smp_register(struct hci_dev *hdev)
3165 {
3166 struct l2cap_chan *chan;
3167
3168 BT_DBG("%s", hdev->name);
3169
3170 /* If the controller does not support Low Energy operation, then
3171 * there is also no need to register any SMP channel.
3172 */
3173 if (!lmp_le_capable(hdev))
3174 return 0;
3175
3176 if (WARN_ON(hdev->smp_data)) {
3177 chan = hdev->smp_data;
3178 hdev->smp_data = NULL;
3179 smp_del_chan(chan);
3180 }
3181
3182 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3183 if (IS_ERR(chan))
3184 return PTR_ERR(chan);
3185
3186 hdev->smp_data = chan;
3187
3188 /* If the controller does not support BR/EDR Secure Connections
3189 * feature, then the BR/EDR SMP channel shall not be present.
3190 *
3191 * To test this with Bluetooth 4.0 controllers, create a debugfs
3192 * switch that allows forcing BR/EDR SMP support and accepting
3193 * cross-transport pairing on non-AES encrypted connections.
3194 */
3195 if (!lmp_sc_capable(hdev)) {
3196 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3197 hdev, &force_bredr_smp_fops);
3198 return 0;
3199 }
3200
3201 if (WARN_ON(hdev->smp_bredr_data)) {
3202 chan = hdev->smp_bredr_data;
3203 hdev->smp_bredr_data = NULL;
3204 smp_del_chan(chan);
3205 }
3206
3207 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3208 if (IS_ERR(chan)) {
3209 int err = PTR_ERR(chan);
3210 chan = hdev->smp_data;
3211 hdev->smp_data = NULL;
3212 smp_del_chan(chan);
3213 return err;
3214 }
3215
3216 hdev->smp_bredr_data = chan;
3217
3218 return 0;
3219 }
3220
3221 void smp_unregister(struct hci_dev *hdev)
3222 {
3223 struct l2cap_chan *chan;
3224
3225 if (hdev->smp_bredr_data) {
3226 chan = hdev->smp_bredr_data;
3227 hdev->smp_bredr_data = NULL;
3228 smp_del_chan(chan);
3229 }
3230
3231 if (hdev->smp_data) {
3232 chan = hdev->smp_data;
3233 hdev->smp_data = NULL;
3234 smp_del_chan(chan);
3235 }
3236 }
3237
3238 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3239
3240 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3241 {
3242 const u8 irk[16] = {
3243 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3244 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3245 const u8 r[3] = { 0x94, 0x81, 0x70 };
3246 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3247 u8 res[3];
3248 int err;
3249
3250 err = smp_ah(tfm_aes, irk, r, res);
3251 if (err)
3252 return err;
3253
3254 if (memcmp(res, exp, 3))
3255 return -EINVAL;
3256
3257 return 0;
3258 }
3259
3260 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3261 {
3262 const u8 k[16] = {
3263 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3264 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3265 const u8 r[16] = {
3266 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3267 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3268 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3269 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3270 const u8 _iat = 0x01;
3271 const u8 _rat = 0x00;
3272 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3273 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3274 const u8 exp[16] = {
3275 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3276 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3277 u8 res[16];
3278 int err;
3279
3280 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3281 if (err)
3282 return err;
3283
3284 if (memcmp(res, exp, 16))
3285 return -EINVAL;
3286
3287 return 0;
3288 }
3289
3290 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3291 {
3292 const u8 k[16] = {
3293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3295 const u8 r1[16] = {
3296 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3297 const u8 r2[16] = {
3298 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3299 const u8 exp[16] = {
3300 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3301 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3302 u8 res[16];
3303 int err;
3304
3305 err = smp_s1(tfm_aes, k, r1, r2, res);
3306 if (err)
3307 return err;
3308
3309 if (memcmp(res, exp, 16))
3310 return -EINVAL;
3311
3312 return 0;
3313 }
3314
3315 static int __init test_f4(struct crypto_hash *tfm_cmac)
3316 {
3317 const u8 u[32] = {
3318 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3319 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3320 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3321 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3322 const u8 v[32] = {
3323 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3324 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3325 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3326 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3327 const u8 x[16] = {
3328 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3329 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3330 const u8 z = 0x00;
3331 const u8 exp[16] = {
3332 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3333 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3334 u8 res[16];
3335 int err;
3336
3337 err = smp_f4(tfm_cmac, u, v, x, z, res);
3338 if (err)
3339 return err;
3340
3341 if (memcmp(res, exp, 16))
3342 return -EINVAL;
3343
3344 return 0;
3345 }
3346
3347 static int __init test_f5(struct crypto_hash *tfm_cmac)
3348 {
3349 const u8 w[32] = {
3350 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3351 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3352 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3353 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3354 const u8 n1[16] = {
3355 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3356 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3357 const u8 n2[16] = {
3358 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3359 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3360 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3361 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3362 const u8 exp_ltk[16] = {
3363 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3364 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3365 const u8 exp_mackey[16] = {
3366 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3367 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3368 u8 mackey[16], ltk[16];
3369 int err;
3370
3371 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3372 if (err)
3373 return err;
3374
3375 if (memcmp(mackey, exp_mackey, 16))
3376 return -EINVAL;
3377
3378 if (memcmp(ltk, exp_ltk, 16))
3379 return -EINVAL;
3380
3381 return 0;
3382 }
3383
3384 static int __init test_f6(struct crypto_hash *tfm_cmac)
3385 {
3386 const u8 w[16] = {
3387 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3388 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3389 const u8 n1[16] = {
3390 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3391 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3392 const u8 n2[16] = {
3393 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3394 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3395 const u8 r[16] = {
3396 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3397 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3398 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3399 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3400 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3401 const u8 exp[16] = {
3402 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3403 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3404 u8 res[16];
3405 int err;
3406
3407 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3408 if (err)
3409 return err;
3410
3411 if (memcmp(res, exp, 16))
3412 return -EINVAL;
3413
3414 return 0;
3415 }
3416
3417 static int __init test_g2(struct crypto_hash *tfm_cmac)
3418 {
3419 const u8 u[32] = {
3420 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3421 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3422 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3423 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3424 const u8 v[32] = {
3425 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3426 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3427 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3428 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3429 const u8 x[16] = {
3430 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3431 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3432 const u8 y[16] = {
3433 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3434 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3435 const u32 exp_val = 0x2f9ed5ba % 1000000;
3436 u32 val;
3437 int err;
3438
3439 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3440 if (err)
3441 return err;
3442
3443 if (val != exp_val)
3444 return -EINVAL;
3445
3446 return 0;
3447 }
3448
3449 static int __init test_h6(struct crypto_hash *tfm_cmac)
3450 {
3451 const u8 w[16] = {
3452 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3453 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3454 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3455 const u8 exp[16] = {
3456 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3457 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3458 u8 res[16];
3459 int err;
3460
3461 err = smp_h6(tfm_cmac, w, key_id, res);
3462 if (err)
3463 return err;
3464
3465 if (memcmp(res, exp, 16))
3466 return -EINVAL;
3467
3468 return 0;
3469 }
3470
3471 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3472 struct crypto_hash *tfm_cmac)
3473 {
3474 ktime_t calltime, delta, rettime;
3475 unsigned long long duration;
3476 int err;
3477
3478 calltime = ktime_get();
3479
3480 err = test_ah(tfm_aes);
3481 if (err) {
3482 BT_ERR("smp_ah test failed");
3483 return err;
3484 }
3485
3486 err = test_c1(tfm_aes);
3487 if (err) {
3488 BT_ERR("smp_c1 test failed");
3489 return err;
3490 }
3491
3492 err = test_s1(tfm_aes);
3493 if (err) {
3494 BT_ERR("smp_s1 test failed");
3495 return err;
3496 }
3497
3498 err = test_f4(tfm_cmac);
3499 if (err) {
3500 BT_ERR("smp_f4 test failed");
3501 return err;
3502 }
3503
3504 err = test_f5(tfm_cmac);
3505 if (err) {
3506 BT_ERR("smp_f5 test failed");
3507 return err;
3508 }
3509
3510 err = test_f6(tfm_cmac);
3511 if (err) {
3512 BT_ERR("smp_f6 test failed");
3513 return err;
3514 }
3515
3516 err = test_g2(tfm_cmac);
3517 if (err) {
3518 BT_ERR("smp_g2 test failed");
3519 return err;
3520 }
3521
3522 err = test_h6(tfm_cmac);
3523 if (err) {
3524 BT_ERR("smp_h6 test failed");
3525 return err;
3526 }
3527
3528 rettime = ktime_get();
3529 delta = ktime_sub(rettime, calltime);
3530 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3531
3532 BT_INFO("SMP test passed in %llu usecs", duration);
3533
3534 return 0;
3535 }
3536
3537 int __init bt_selftest_smp(void)
3538 {
3539 struct crypto_blkcipher *tfm_aes;
3540 struct crypto_hash *tfm_cmac;
3541 int err;
3542
3543 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3544 if (IS_ERR(tfm_aes)) {
3545 BT_ERR("Unable to create ECB crypto context");
3546 return PTR_ERR(tfm_aes);
3547 }
3548
3549 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3550 if (IS_ERR(tfm_cmac)) {
3551 BT_ERR("Unable to create CMAC crypto context");
3552 crypto_free_blkcipher(tfm_aes);
3553 return PTR_ERR(tfm_cmac);
3554 }
3555
3556 err = run_selftests(tfm_aes, tfm_cmac);
3557
3558 crypto_free_hash(tfm_cmac);
3559 crypto_free_blkcipher(tfm_aes);
3560
3561 return err;
3562 }
3563
3564 #endif
Linux kernel - Deliverables
This page took 0.100436 seconds and 6 git commands to generate.