]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - net/bluetooth/smp.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
[mirror_ubuntu-artful-kernel.git] / net / bluetooth / smp.c
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/crypto.h>
25 #include <linux/scatterlist.h>
26 #include <crypto/b128ops.h>
27
28 #include <net/bluetooth/bluetooth.h>
29 #include <net/bluetooth/hci_core.h>
30 #include <net/bluetooth/l2cap.h>
31 #include <net/bluetooth/mgmt.h>
32
33 #include "ecc.h"
34 #include "smp.h"
35
36 /* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
39 */
40 #ifdef DEBUG
41 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 ##__VA_ARGS__)
43 #else
44 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 ##__VA_ARGS__)
46 #endif
47
48 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
49
50 /* Keys which are not distributed with Secure Connections */
51 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52
53 #define SMP_TIMEOUT msecs_to_jiffies(30000)
54
55 #define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
56 0x1f : 0x07)
57 #define KEY_DIST_MASK 0x07
58
59 /* Maximum message length that can be passed to aes_cmac */
60 #define CMAC_MSG_MAX 80
61
62 enum {
63 SMP_FLAG_TK_VALID,
64 SMP_FLAG_CFM_PENDING,
65 SMP_FLAG_MITM_AUTH,
66 SMP_FLAG_COMPLETE,
67 SMP_FLAG_INITIATOR,
68 SMP_FLAG_SC,
69 SMP_FLAG_REMOTE_PK,
70 SMP_FLAG_DEBUG_KEY,
71 SMP_FLAG_WAIT_USER,
72 SMP_FLAG_DHKEY_PENDING,
73 SMP_FLAG_OOB,
74 };
75
76 struct smp_chan {
77 struct l2cap_conn *conn;
78 struct delayed_work security_timer;
79 unsigned long allow_cmd; /* Bitmask of allowed commands */
80
81 u8 preq[7]; /* SMP Pairing Request */
82 u8 prsp[7]; /* SMP Pairing Response */
83 u8 prnd[16]; /* SMP Pairing Random (local) */
84 u8 rrnd[16]; /* SMP Pairing Random (remote) */
85 u8 pcnf[16]; /* SMP Pairing Confirm */
86 u8 tk[16]; /* SMP Temporary Key */
87 u8 rr[16];
88 u8 enc_key_size;
89 u8 remote_key_dist;
90 bdaddr_t id_addr;
91 u8 id_addr_type;
92 u8 irk[16];
93 struct smp_csrk *csrk;
94 struct smp_csrk *slave_csrk;
95 struct smp_ltk *ltk;
96 struct smp_ltk *slave_ltk;
97 struct smp_irk *remote_irk;
98 u8 *link_key;
99 unsigned long flags;
100 u8 method;
101 u8 passkey_round;
102
103 /* Secure Connections variables */
104 u8 local_pk[64];
105 u8 local_sk[32];
106 u8 remote_pk[64];
107 u8 dhkey[32];
108 u8 mackey[16];
109
110 struct crypto_blkcipher *tfm_aes;
111 struct crypto_hash *tfm_cmac;
112 };
113
114 /* These debug key values are defined in the SMP section of the core
115 * specification. debug_pk is the public debug key and debug_sk the
116 * private debug key.
117 */
118 static const u8 debug_pk[64] = {
119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
123
124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
128 };
129
130 static const u8 debug_sk[32] = {
131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
135 };
136
137 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
138 {
139 size_t i;
140
141 for (i = 0; i < len; i++)
142 dst[len - 1 - i] = src[i];
143 }
144
145 /* The following functions map to the LE SC SMP crypto functions
146 * AES-CMAC, f4, f5, f6, g2 and h6.
147 */
148
149 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 size_t len, u8 mac[16])
151 {
152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 struct hash_desc desc;
154 struct scatterlist sg;
155 int err;
156
157 if (len > CMAC_MSG_MAX)
158 return -EFBIG;
159
160 if (!tfm) {
161 BT_ERR("tfm %p", tfm);
162 return -EINVAL;
163 }
164
165 desc.tfm = tfm;
166 desc.flags = 0;
167
168 crypto_hash_init(&desc);
169
170 /* Swap key and message from LSB to MSB */
171 swap_buf(k, tmp, 16);
172 swap_buf(m, msg_msb, len);
173
174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 SMP_DBG("key %16phN", k);
176
177 err = crypto_hash_setkey(tfm, tmp, 16);
178 if (err) {
179 BT_ERR("cipher setkey failed: %d", err);
180 return err;
181 }
182
183 sg_init_one(&sg, msg_msb, len);
184
185 err = crypto_hash_update(&desc, &sg, len);
186 if (err) {
187 BT_ERR("Hash update error %d", err);
188 return err;
189 }
190
191 err = crypto_hash_final(&desc, mac_msb);
192 if (err) {
193 BT_ERR("Hash final error %d", err);
194 return err;
195 }
196
197 swap_buf(mac_msb, mac, 16);
198
199 SMP_DBG("mac %16phN", mac);
200
201 return 0;
202 }
203
204 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 const u8 x[16], u8 z, u8 res[16])
206 {
207 u8 m[65];
208 int err;
209
210 SMP_DBG("u %32phN", u);
211 SMP_DBG("v %32phN", v);
212 SMP_DBG("x %16phN z %02x", x, z);
213
214 m[0] = z;
215 memcpy(m + 1, v, 32);
216 memcpy(m + 33, u, 32);
217
218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
219 if (err)
220 return err;
221
222 SMP_DBG("res %16phN", res);
223
224 return err;
225 }
226
227 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 const u8 a2[7], u8 mackey[16], u8 ltk[16])
230 {
231 /* The btle, salt and length "magic" values are as defined in
232 * the SMP section of the Bluetooth core specification. In ASCII
233 * the btle value ends up being 'btle'. The salt is just a
234 * random number whereas length is the value 256 in little
235 * endian format.
236 */
237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 const u8 length[2] = { 0x00, 0x01 };
241 u8 m[53], t[16];
242 int err;
243
244 SMP_DBG("w %32phN", w);
245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
247
248 err = aes_cmac(tfm_cmac, salt, w, 32, t);
249 if (err)
250 return err;
251
252 SMP_DBG("t %16phN", t);
253
254 memcpy(m, length, 2);
255 memcpy(m + 2, a2, 7);
256 memcpy(m + 9, a1, 7);
257 memcpy(m + 16, n2, 16);
258 memcpy(m + 32, n1, 16);
259 memcpy(m + 48, btle, 4);
260
261 m[52] = 0; /* Counter */
262
263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
264 if (err)
265 return err;
266
267 SMP_DBG("mackey %16phN", mackey);
268
269 m[52] = 1; /* Counter */
270
271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
272 if (err)
273 return err;
274
275 SMP_DBG("ltk %16phN", ltk);
276
277 return 0;
278 }
279
280 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
281 const u8 n1[16], const u8 n2[16], const u8 r[16],
282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
283 u8 res[16])
284 {
285 u8 m[65];
286 int err;
287
288 SMP_DBG("w %16phN", w);
289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
291
292 memcpy(m, a2, 7);
293 memcpy(m + 7, a1, 7);
294 memcpy(m + 14, io_cap, 3);
295 memcpy(m + 17, r, 16);
296 memcpy(m + 33, n2, 16);
297 memcpy(m + 49, n1, 16);
298
299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
300 if (err)
301 return err;
302
303 SMP_DBG("res %16phN", res);
304
305 return err;
306 }
307
308 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 const u8 x[16], const u8 y[16], u32 *val)
310 {
311 u8 m[80], tmp[16];
312 int err;
313
314 SMP_DBG("u %32phN", u);
315 SMP_DBG("v %32phN", v);
316 SMP_DBG("x %16phN y %16phN", x, y);
317
318 memcpy(m, y, 16);
319 memcpy(m + 16, v, 32);
320 memcpy(m + 48, u, 32);
321
322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
323 if (err)
324 return err;
325
326 *val = get_unaligned_le32(tmp);
327 *val %= 1000000;
328
329 SMP_DBG("val %06u", *val);
330
331 return 0;
332 }
333
334 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 const u8 key_id[4], u8 res[16])
336 {
337 int err;
338
339 SMP_DBG("w %16phN key_id %4phN", w, key_id);
340
341 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
342 if (err)
343 return err;
344
345 SMP_DBG("res %16phN", res);
346
347 return err;
348 }
349
350 /* The following functions map to the legacy SMP crypto functions e, c1,
351 * s1 and ah.
352 */
353
354 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
355 {
356 struct blkcipher_desc desc;
357 struct scatterlist sg;
358 uint8_t tmp[16], data[16];
359 int err;
360
361 if (!tfm) {
362 BT_ERR("tfm %p", tfm);
363 return -EINVAL;
364 }
365
366 desc.tfm = tfm;
367 desc.flags = 0;
368
369 /* The most significant octet of key corresponds to k[0] */
370 swap_buf(k, tmp, 16);
371
372 err = crypto_blkcipher_setkey(tfm, tmp, 16);
373 if (err) {
374 BT_ERR("cipher setkey failed: %d", err);
375 return err;
376 }
377
378 /* Most significant octet of plaintextData corresponds to data[0] */
379 swap_buf(r, data, 16);
380
381 sg_init_one(&sg, data, 16);
382
383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
384 if (err)
385 BT_ERR("Encrypt data error %d", err);
386
387 /* Most significant octet of encryptedData corresponds to data[0] */
388 swap_buf(data, r, 16);
389
390 return err;
391 }
392
393 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
396 {
397 u8 p1[16], p2[16];
398 int err;
399
400 memset(p1, 0, 16);
401
402 /* p1 = pres || preq || _rat || _iat */
403 p1[0] = _iat;
404 p1[1] = _rat;
405 memcpy(p1 + 2, preq, 7);
406 memcpy(p1 + 9, pres, 7);
407
408 /* p2 = padding || ia || ra */
409 memcpy(p2, ra, 6);
410 memcpy(p2 + 6, ia, 6);
411 memset(p2 + 12, 0, 4);
412
413 /* res = r XOR p1 */
414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
415
416 /* res = e(k, res) */
417 err = smp_e(tfm_aes, k, res);
418 if (err) {
419 BT_ERR("Encrypt data error");
420 return err;
421 }
422
423 /* res = res XOR p2 */
424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
425
426 /* res = e(k, res) */
427 err = smp_e(tfm_aes, k, res);
428 if (err)
429 BT_ERR("Encrypt data error");
430
431 return err;
432 }
433
434 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 const u8 r1[16], const u8 r2[16], u8 _r[16])
436 {
437 int err;
438
439 /* Just least significant octets from r1 and r2 are considered */
440 memcpy(_r, r2, 8);
441 memcpy(_r + 8, r1, 8);
442
443 err = smp_e(tfm_aes, k, _r);
444 if (err)
445 BT_ERR("Encrypt data error");
446
447 return err;
448 }
449
450 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 const u8 r[3], u8 res[3])
452 {
453 u8 _res[16];
454 int err;
455
456 /* r' = padding || r */
457 memcpy(_res, r, 3);
458 memset(_res + 3, 0, 13);
459
460 err = smp_e(tfm, irk, _res);
461 if (err) {
462 BT_ERR("Encrypt error");
463 return err;
464 }
465
466 /* The output of the random address function ah is:
467 * ah(h, r) = e(k, r') mod 2^24
468 * The output of the security function e is then truncated to 24 bits
469 * by taking the least significant 24 bits of the output of e as the
470 * result of ah.
471 */
472 memcpy(res, _res, 3);
473
474 return 0;
475 }
476
477 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 const bdaddr_t *bdaddr)
479 {
480 struct l2cap_chan *chan = hdev->smp_data;
481 struct crypto_blkcipher *tfm;
482 u8 hash[3];
483 int err;
484
485 if (!chan || !chan->data)
486 return false;
487
488 tfm = chan->data;
489
490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
491
492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
493 if (err)
494 return false;
495
496 return !memcmp(bdaddr->b, hash, 3);
497 }
498
499 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
500 {
501 struct l2cap_chan *chan = hdev->smp_data;
502 struct crypto_blkcipher *tfm;
503 int err;
504
505 if (!chan || !chan->data)
506 return -EOPNOTSUPP;
507
508 tfm = chan->data;
509
510 get_random_bytes(&rpa->b[3], 3);
511
512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
513 rpa->b[5] |= 0x40; /* Set second most significant bit */
514
515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
516 if (err < 0)
517 return err;
518
519 BT_DBG("RPA %pMR", rpa);
520
521 return 0;
522 }
523
524 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
525 {
526 struct l2cap_chan *chan = conn->smp;
527 struct smp_chan *smp;
528 struct kvec iv[2];
529 struct msghdr msg;
530
531 if (!chan)
532 return;
533
534 BT_DBG("code 0x%2.2x", code);
535
536 iv[0].iov_base = &code;
537 iv[0].iov_len = 1;
538
539 iv[1].iov_base = data;
540 iv[1].iov_len = len;
541
542 memset(&msg, 0, sizeof(msg));
543
544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
545
546 l2cap_chan_send(chan, &msg, 1 + len);
547
548 if (!chan->data)
549 return;
550
551 smp = chan->data;
552
553 cancel_delayed_work_sync(&smp->security_timer);
554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
555 }
556
557 static u8 authreq_to_seclevel(u8 authreq)
558 {
559 if (authreq & SMP_AUTH_MITM) {
560 if (authreq & SMP_AUTH_SC)
561 return BT_SECURITY_FIPS;
562 else
563 return BT_SECURITY_HIGH;
564 } else {
565 return BT_SECURITY_MEDIUM;
566 }
567 }
568
569 static __u8 seclevel_to_authreq(__u8 sec_level)
570 {
571 switch (sec_level) {
572 case BT_SECURITY_FIPS:
573 case BT_SECURITY_HIGH:
574 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 case BT_SECURITY_MEDIUM:
576 return SMP_AUTH_BONDING;
577 default:
578 return SMP_AUTH_NONE;
579 }
580 }
581
582 static void build_pairing_cmd(struct l2cap_conn *conn,
583 struct smp_cmd_pairing *req,
584 struct smp_cmd_pairing *rsp, __u8 authreq)
585 {
586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp = chan->data;
588 struct hci_conn *hcon = conn->hcon;
589 struct hci_dev *hdev = hcon->hdev;
590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
591
592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
595 authreq |= SMP_AUTH_BONDING;
596 } else {
597 authreq &= ~SMP_AUTH_BONDING;
598 }
599
600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 remote_dist |= SMP_DIST_ID_KEY;
602
603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 local_dist |= SMP_DIST_ID_KEY;
605
606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 (authreq & SMP_AUTH_SC)) {
608 struct oob_data *oob_data;
609 u8 bdaddr_type;
610
611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
612 local_dist |= SMP_DIST_LINK_KEY;
613 remote_dist |= SMP_DIST_LINK_KEY;
614 }
615
616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 bdaddr_type = BDADDR_LE_PUBLIC;
618 else
619 bdaddr_type = BDADDR_LE_RANDOM;
620
621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
622 bdaddr_type);
623 if (oob_data && oob_data->present) {
624 set_bit(SMP_FLAG_OOB, &smp->flags);
625 oob_flag = SMP_OOB_PRESENT;
626 memcpy(smp->rr, oob_data->rand256, 16);
627 memcpy(smp->pcnf, oob_data->hash256, 16);
628 }
629
630 } else {
631 authreq &= ~SMP_AUTH_SC;
632 }
633
634 if (rsp == NULL) {
635 req->io_capability = conn->hcon->io_capability;
636 req->oob_flag = oob_flag;
637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
638 req->init_key_dist = local_dist;
639 req->resp_key_dist = remote_dist;
640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
641
642 smp->remote_key_dist = remote_dist;
643 return;
644 }
645
646 rsp->io_capability = conn->hcon->io_capability;
647 rsp->oob_flag = oob_flag;
648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
649 rsp->init_key_dist = req->init_key_dist & remote_dist;
650 rsp->resp_key_dist = req->resp_key_dist & local_dist;
651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
652
653 smp->remote_key_dist = rsp->init_key_dist;
654 }
655
656 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
657 {
658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
660
661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
662 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
663 return SMP_ENC_KEY_SIZE;
664
665 smp->enc_key_size = max_key_size;
666
667 return 0;
668 }
669
670 static void smp_chan_destroy(struct l2cap_conn *conn)
671 {
672 struct l2cap_chan *chan = conn->smp;
673 struct smp_chan *smp = chan->data;
674 struct hci_conn *hcon = conn->hcon;
675 bool complete;
676
677 BUG_ON(!smp);
678
679 cancel_delayed_work_sync(&smp->security_timer);
680
681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
682 mgmt_smp_complete(hcon, complete);
683
684 kfree(smp->csrk);
685 kfree(smp->slave_csrk);
686 kfree(smp->link_key);
687
688 crypto_free_blkcipher(smp->tfm_aes);
689 crypto_free_hash(smp->tfm_cmac);
690
691 /* Ensure that we don't leave any debug key around if debug key
692 * support hasn't been explicitly enabled.
693 */
694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 list_del_rcu(&smp->ltk->list);
697 kfree_rcu(smp->ltk, rcu);
698 smp->ltk = NULL;
699 }
700
701 /* If pairing failed clean up any keys we might have */
702 if (!complete) {
703 if (smp->ltk) {
704 list_del_rcu(&smp->ltk->list);
705 kfree_rcu(smp->ltk, rcu);
706 }
707
708 if (smp->slave_ltk) {
709 list_del_rcu(&smp->slave_ltk->list);
710 kfree_rcu(smp->slave_ltk, rcu);
711 }
712
713 if (smp->remote_irk) {
714 list_del_rcu(&smp->remote_irk->list);
715 kfree_rcu(smp->remote_irk, rcu);
716 }
717 }
718
719 chan->data = NULL;
720 kfree(smp);
721 hci_conn_drop(hcon);
722 }
723
724 static void smp_failure(struct l2cap_conn *conn, u8 reason)
725 {
726 struct hci_conn *hcon = conn->hcon;
727 struct l2cap_chan *chan = conn->smp;
728
729 if (reason)
730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
731 &reason);
732
733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
735
736 if (chan->data)
737 smp_chan_destroy(conn);
738 }
739
740 #define JUST_WORKS 0x00
741 #define JUST_CFM 0x01
742 #define REQ_PASSKEY 0x02
743 #define CFM_PASSKEY 0x03
744 #define REQ_OOB 0x04
745 #define DSP_PASSKEY 0x05
746 #define OVERLAP 0xFF
747
748 static const u8 gen_method[5][5] = {
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
754 };
755
756 static const u8 sc_method[5][5] = {
757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
762 };
763
764 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
765 {
766 /* If either side has unknown io_caps, use JUST_CFM (which gets
767 * converted later to JUST_WORKS if we're initiators.
768 */
769 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 remote_io > SMP_IO_KEYBOARD_DISPLAY)
771 return JUST_CFM;
772
773 if (test_bit(SMP_FLAG_SC, &smp->flags))
774 return sc_method[remote_io][local_io];
775
776 return gen_method[remote_io][local_io];
777 }
778
779 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 u8 local_io, u8 remote_io)
781 {
782 struct hci_conn *hcon = conn->hcon;
783 struct l2cap_chan *chan = conn->smp;
784 struct smp_chan *smp = chan->data;
785 u32 passkey = 0;
786 int ret = 0;
787
788 /* Initialize key for JUST WORKS */
789 memset(smp->tk, 0, sizeof(smp->tk));
790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
791
792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
793
794 /* If neither side wants MITM, either "just" confirm an incoming
795 * request or use just-works for outgoing ones. The JUST_CFM
796 * will be converted to JUST_WORKS if necessary later in this
797 * function. If either side has MITM look up the method from the
798 * table.
799 */
800 if (!(auth & SMP_AUTH_MITM))
801 smp->method = JUST_CFM;
802 else
803 smp->method = get_auth_method(smp, local_io, remote_io);
804
805 /* Don't confirm locally initiated pairing attempts */
806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
807 &smp->flags))
808 smp->method = JUST_WORKS;
809
810 /* Don't bother user space with no IO capabilities */
811 if (smp->method == JUST_CFM &&
812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 smp->method = JUST_WORKS;
814
815 /* If Just Works, Continue with Zero TK */
816 if (smp->method == JUST_WORKS) {
817 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
818 return 0;
819 }
820
821 /* Not Just Works/Confirm results in MITM Authentication */
822 if (smp->method != JUST_CFM) {
823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
824 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 hcon->pending_sec_level = BT_SECURITY_HIGH;
826 }
827
828 /* If both devices have Keyoard-Display I/O, the master
829 * Confirms and the slave Enters the passkey.
830 */
831 if (smp->method == OVERLAP) {
832 if (hcon->role == HCI_ROLE_MASTER)
833 smp->method = CFM_PASSKEY;
834 else
835 smp->method = REQ_PASSKEY;
836 }
837
838 /* Generate random passkey. */
839 if (smp->method == CFM_PASSKEY) {
840 memset(smp->tk, 0, sizeof(smp->tk));
841 get_random_bytes(&passkey, sizeof(passkey));
842 passkey %= 1000000;
843 put_unaligned_le32(passkey, smp->tk);
844 BT_DBG("PassKey: %d", passkey);
845 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
846 }
847
848 if (smp->method == REQ_PASSKEY)
849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
850 hcon->type, hcon->dst_type);
851 else if (smp->method == JUST_CFM)
852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 hcon->type, hcon->dst_type,
854 passkey, 1);
855 else
856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
857 hcon->type, hcon->dst_type,
858 passkey, 0);
859
860 return ret;
861 }
862
863 static u8 smp_confirm(struct smp_chan *smp)
864 {
865 struct l2cap_conn *conn = smp->conn;
866 struct smp_cmd_pairing_confirm cp;
867 int ret;
868
869 BT_DBG("conn %p", conn);
870
871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
872 conn->hcon->init_addr_type, &conn->hcon->init_addr,
873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
874 cp.confirm_val);
875 if (ret)
876 return SMP_UNSPECIFIED;
877
878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
879
880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
881
882 if (conn->hcon->out)
883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
884 else
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
886
887 return 0;
888 }
889
890 static u8 smp_random(struct smp_chan *smp)
891 {
892 struct l2cap_conn *conn = smp->conn;
893 struct hci_conn *hcon = conn->hcon;
894 u8 confirm[16];
895 int ret;
896
897 if (IS_ERR_OR_NULL(smp->tfm_aes))
898 return SMP_UNSPECIFIED;
899
900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
901
902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
903 hcon->init_addr_type, &hcon->init_addr,
904 hcon->resp_addr_type, &hcon->resp_addr, confirm);
905 if (ret)
906 return SMP_UNSPECIFIED;
907
908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 BT_ERR("Pairing failed (confirmation values mismatch)");
910 return SMP_CONFIRM_FAILED;
911 }
912
913 if (hcon->out) {
914 u8 stk[16];
915 __le64 rand = 0;
916 __le16 ediv = 0;
917
918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
919
920 memset(stk + smp->enc_key_size, 0,
921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
922
923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 return SMP_UNSPECIFIED;
925
926 hci_le_start_enc(hcon, ediv, rand, stk);
927 hcon->enc_key_size = smp->enc_key_size;
928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
929 } else {
930 u8 stk[16], auth;
931 __le64 rand = 0;
932 __le16 ediv = 0;
933
934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
935 smp->prnd);
936
937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
938
939 memset(stk + smp->enc_key_size, 0,
940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
941
942 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
943 auth = 1;
944 else
945 auth = 0;
946
947 /* Even though there's no _SLAVE suffix this is the
948 * slave STK we're adding for later lookup (the master
949 * STK never needs to be stored).
950 */
951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
953 }
954
955 return 0;
956 }
957
958 static void smp_notify_keys(struct l2cap_conn *conn)
959 {
960 struct l2cap_chan *chan = conn->smp;
961 struct smp_chan *smp = chan->data;
962 struct hci_conn *hcon = conn->hcon;
963 struct hci_dev *hdev = hcon->hdev;
964 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
966 bool persistent;
967
968 if (smp->remote_irk) {
969 mgmt_new_irk(hdev, smp->remote_irk);
970 /* Now that user space can be considered to know the
971 * identity address track the connection based on it
972 * from now on (assuming this is an LE link).
973 */
974 if (hcon->type == LE_LINK) {
975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 hcon->dst_type = smp->remote_irk->addr_type;
977 queue_work(hdev->workqueue, &conn->id_addr_update_work);
978 }
979
980 /* When receiving an indentity resolving key for
981 * a remote device that does not use a resolvable
982 * private address, just remove the key so that
983 * it is possible to use the controller white
984 * list for scanning.
985 *
986 * Userspace will have been told to not store
987 * this key at this point. So it is safe to
988 * just remove it.
989 */
990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
991 list_del_rcu(&smp->remote_irk->list);
992 kfree_rcu(smp->remote_irk, rcu);
993 smp->remote_irk = NULL;
994 }
995 }
996
997 if (hcon->type == ACL_LINK) {
998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
999 persistent = false;
1000 else
1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1002 &hcon->flags);
1003 } else {
1004 /* The LTKs and CSRKs should be persistent only if both sides
1005 * had the bonding bit set in their authentication requests.
1006 */
1007 persistent = !!((req->auth_req & rsp->auth_req) &
1008 SMP_AUTH_BONDING);
1009 }
1010
1011
1012 if (smp->csrk) {
1013 smp->csrk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 mgmt_new_csrk(hdev, smp->csrk, persistent);
1016 }
1017
1018 if (smp->slave_csrk) {
1019 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1022 }
1023
1024 if (smp->ltk) {
1025 smp->ltk->bdaddr_type = hcon->dst_type;
1026 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 mgmt_new_ltk(hdev, smp->ltk, persistent);
1028 }
1029
1030 if (smp->slave_ltk) {
1031 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1034 }
1035
1036 if (smp->link_key) {
1037 struct link_key *key;
1038 u8 type;
1039
1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 type = HCI_LK_DEBUG_COMBINATION;
1042 else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 type = HCI_LK_AUTH_COMBINATION_P256;
1044 else
1045 type = HCI_LK_UNAUTH_COMBINATION_P256;
1046
1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 smp->link_key, type, 0, &persistent);
1049 if (key) {
1050 mgmt_new_link_key(hdev, key, persistent);
1051
1052 /* Don't keep debug keys around if the relevant
1053 * flag is not set.
1054 */
1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 key->type == HCI_LK_DEBUG_COMBINATION) {
1057 list_del_rcu(&key->list);
1058 kfree_rcu(key, rcu);
1059 }
1060 }
1061 }
1062 }
1063
1064 static void sc_add_ltk(struct smp_chan *smp)
1065 {
1066 struct hci_conn *hcon = smp->conn->hcon;
1067 u8 key_type, auth;
1068
1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 key_type = SMP_LTK_P256_DEBUG;
1071 else
1072 key_type = SMP_LTK_P256;
1073
1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1075 auth = 1;
1076 else
1077 auth = 0;
1078
1079 memset(smp->tk + smp->enc_key_size, 0,
1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1081
1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 key_type, auth, smp->tk, smp->enc_key_size,
1084 0, 0);
1085 }
1086
1087 static void sc_generate_link_key(struct smp_chan *smp)
1088 {
1089 /* These constants are as specified in the core specification.
1090 * In ASCII they spell out to 'tmp1' and 'lebr'.
1091 */
1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1094
1095 smp->link_key = kzalloc(16, GFP_KERNEL);
1096 if (!smp->link_key)
1097 return;
1098
1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 kfree(smp->link_key);
1101 smp->link_key = NULL;
1102 return;
1103 }
1104
1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 kfree(smp->link_key);
1107 smp->link_key = NULL;
1108 return;
1109 }
1110 }
1111
1112 static void smp_allow_key_dist(struct smp_chan *smp)
1113 {
1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 * will be allowed in each PDU handler to ensure we receive
1116 * them in the correct order.
1117 */
1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1124 }
1125
1126 static void sc_generate_ltk(struct smp_chan *smp)
1127 {
1128 /* These constants are as specified in the core specification.
1129 * In ASCII they spell out to 'tmp2' and 'brle'.
1130 */
1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 struct hci_conn *hcon = smp->conn->hcon;
1134 struct hci_dev *hdev = hcon->hdev;
1135 struct link_key *key;
1136
1137 key = hci_find_link_key(hdev, &hcon->dst);
1138 if (!key) {
1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1140 return;
1141 }
1142
1143 if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1145
1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1147 return;
1148
1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1150 return;
1151
1152 sc_add_ltk(smp);
1153 }
1154
1155 static void smp_distribute_keys(struct smp_chan *smp)
1156 {
1157 struct smp_cmd_pairing *req, *rsp;
1158 struct l2cap_conn *conn = smp->conn;
1159 struct hci_conn *hcon = conn->hcon;
1160 struct hci_dev *hdev = hcon->hdev;
1161 __u8 *keydist;
1162
1163 BT_DBG("conn %p", conn);
1164
1165 rsp = (void *) &smp->prsp[1];
1166
1167 /* The responder sends its keys first */
1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 smp_allow_key_dist(smp);
1170 return;
1171 }
1172
1173 req = (void *) &smp->preq[1];
1174
1175 if (hcon->out) {
1176 keydist = &rsp->init_key_dist;
1177 *keydist &= req->init_key_dist;
1178 } else {
1179 keydist = &rsp->resp_key_dist;
1180 *keydist &= req->resp_key_dist;
1181 }
1182
1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1185 sc_generate_link_key(smp);
1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 sc_generate_ltk(smp);
1188
1189 /* Clear the keys which are generated but not distributed */
1190 *keydist &= ~SMP_SC_NO_DIST;
1191 }
1192
1193 BT_DBG("keydist 0x%x", *keydist);
1194
1195 if (*keydist & SMP_DIST_ENC_KEY) {
1196 struct smp_cmd_encrypt_info enc;
1197 struct smp_cmd_master_ident ident;
1198 struct smp_ltk *ltk;
1199 u8 authenticated;
1200 __le16 ediv;
1201 __le64 rand;
1202
1203 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 get_random_bytes(&ediv, sizeof(ediv));
1205 get_random_bytes(&rand, sizeof(rand));
1206
1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1208
1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 smp->enc_key_size, ediv, rand);
1213 smp->slave_ltk = ltk;
1214
1215 ident.ediv = ediv;
1216 ident.rand = rand;
1217
1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1219
1220 *keydist &= ~SMP_DIST_ENC_KEY;
1221 }
1222
1223 if (*keydist & SMP_DIST_ID_KEY) {
1224 struct smp_cmd_ident_addr_info addrinfo;
1225 struct smp_cmd_ident_info idinfo;
1226
1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1228
1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1230
1231 /* The hci_conn contains the local identity address
1232 * after the connection has been established.
1233 *
1234 * This is true even when the connection has been
1235 * established using a resolvable random address.
1236 */
1237 bacpy(&addrinfo.bdaddr, &hcon->src);
1238 addrinfo.addr_type = hcon->src_type;
1239
1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1241 &addrinfo);
1242
1243 *keydist &= ~SMP_DIST_ID_KEY;
1244 }
1245
1246 if (*keydist & SMP_DIST_SIGN) {
1247 struct smp_cmd_sign_info sign;
1248 struct smp_csrk *csrk;
1249
1250 /* Generate a new random key */
1251 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1252
1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1254 if (csrk) {
1255 csrk->master = 0x00;
1256 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1257 }
1258 smp->slave_csrk = csrk;
1259
1260 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1261
1262 *keydist &= ~SMP_DIST_SIGN;
1263 }
1264
1265 /* If there are still keys to be received wait for them */
1266 if (smp->remote_key_dist & KEY_DIST_MASK) {
1267 smp_allow_key_dist(smp);
1268 return;
1269 }
1270
1271 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1272 smp_notify_keys(conn);
1273
1274 smp_chan_destroy(conn);
1275 }
1276
1277 static void smp_timeout(struct work_struct *work)
1278 {
1279 struct smp_chan *smp = container_of(work, struct smp_chan,
1280 security_timer.work);
1281 struct l2cap_conn *conn = smp->conn;
1282
1283 BT_DBG("conn %p", conn);
1284
1285 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1286 }
1287
1288 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1289 {
1290 struct l2cap_chan *chan = conn->smp;
1291 struct smp_chan *smp;
1292
1293 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1294 if (!smp)
1295 return NULL;
1296
1297 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1298 if (IS_ERR(smp->tfm_aes)) {
1299 BT_ERR("Unable to create ECB crypto context");
1300 kfree(smp);
1301 return NULL;
1302 }
1303
1304 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1305 if (IS_ERR(smp->tfm_cmac)) {
1306 BT_ERR("Unable to create CMAC crypto context");
1307 crypto_free_blkcipher(smp->tfm_aes);
1308 kfree(smp);
1309 return NULL;
1310 }
1311
1312 smp->conn = conn;
1313 chan->data = smp;
1314
1315 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1316
1317 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1318
1319 hci_conn_hold(conn->hcon);
1320
1321 return smp;
1322 }
1323
1324 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1325 {
1326 struct hci_conn *hcon = smp->conn->hcon;
1327 u8 *na, *nb, a[7], b[7];
1328
1329 if (hcon->out) {
1330 na = smp->prnd;
1331 nb = smp->rrnd;
1332 } else {
1333 na = smp->rrnd;
1334 nb = smp->prnd;
1335 }
1336
1337 memcpy(a, &hcon->init_addr, 6);
1338 memcpy(b, &hcon->resp_addr, 6);
1339 a[6] = hcon->init_addr_type;
1340 b[6] = hcon->resp_addr_type;
1341
1342 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1343 }
1344
1345 static void sc_dhkey_check(struct smp_chan *smp)
1346 {
1347 struct hci_conn *hcon = smp->conn->hcon;
1348 struct smp_cmd_dhkey_check check;
1349 u8 a[7], b[7], *local_addr, *remote_addr;
1350 u8 io_cap[3], r[16];
1351
1352 memcpy(a, &hcon->init_addr, 6);
1353 memcpy(b, &hcon->resp_addr, 6);
1354 a[6] = hcon->init_addr_type;
1355 b[6] = hcon->resp_addr_type;
1356
1357 if (hcon->out) {
1358 local_addr = a;
1359 remote_addr = b;
1360 memcpy(io_cap, &smp->preq[1], 3);
1361 } else {
1362 local_addr = b;
1363 remote_addr = a;
1364 memcpy(io_cap, &smp->prsp[1], 3);
1365 }
1366
1367 memset(r, 0, sizeof(r));
1368
1369 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1370 put_unaligned_le32(hcon->passkey_notify, r);
1371
1372 if (smp->method == REQ_OOB)
1373 memcpy(r, smp->rr, 16);
1374
1375 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1376 local_addr, remote_addr, check.e);
1377
1378 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1379 }
1380
1381 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1382 {
1383 struct l2cap_conn *conn = smp->conn;
1384 struct hci_conn *hcon = conn->hcon;
1385 struct smp_cmd_pairing_confirm cfm;
1386 u8 r;
1387
1388 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1389 r |= 0x80;
1390
1391 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1392
1393 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1394 cfm.confirm_val))
1395 return SMP_UNSPECIFIED;
1396
1397 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1398
1399 return 0;
1400 }
1401
1402 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1403 {
1404 struct l2cap_conn *conn = smp->conn;
1405 struct hci_conn *hcon = conn->hcon;
1406 struct hci_dev *hdev = hcon->hdev;
1407 u8 cfm[16], r;
1408
1409 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1410 if (smp->passkey_round >= 20)
1411 return 0;
1412
1413 switch (smp_op) {
1414 case SMP_CMD_PAIRING_RANDOM:
1415 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1416 r |= 0x80;
1417
1418 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1419 smp->rrnd, r, cfm))
1420 return SMP_UNSPECIFIED;
1421
1422 if (memcmp(smp->pcnf, cfm, 16))
1423 return SMP_CONFIRM_FAILED;
1424
1425 smp->passkey_round++;
1426
1427 if (smp->passkey_round == 20) {
1428 /* Generate MacKey and LTK */
1429 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1430 return SMP_UNSPECIFIED;
1431 }
1432
1433 /* The round is only complete when the initiator
1434 * receives pairing random.
1435 */
1436 if (!hcon->out) {
1437 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1438 sizeof(smp->prnd), smp->prnd);
1439 if (smp->passkey_round == 20)
1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1441 else
1442 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1443 return 0;
1444 }
1445
1446 /* Start the next round */
1447 if (smp->passkey_round != 20)
1448 return sc_passkey_round(smp, 0);
1449
1450 /* Passkey rounds are complete - start DHKey Check */
1451 sc_dhkey_check(smp);
1452 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1453
1454 break;
1455
1456 case SMP_CMD_PAIRING_CONFIRM:
1457 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1458 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1459 return 0;
1460 }
1461
1462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1463
1464 if (hcon->out) {
1465 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1466 sizeof(smp->prnd), smp->prnd);
1467 return 0;
1468 }
1469
1470 return sc_passkey_send_confirm(smp);
1471
1472 case SMP_CMD_PUBLIC_KEY:
1473 default:
1474 /* Initiating device starts the round */
1475 if (!hcon->out)
1476 return 0;
1477
1478 BT_DBG("%s Starting passkey round %u", hdev->name,
1479 smp->passkey_round + 1);
1480
1481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1482
1483 return sc_passkey_send_confirm(smp);
1484 }
1485
1486 return 0;
1487 }
1488
1489 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1490 {
1491 struct l2cap_conn *conn = smp->conn;
1492 struct hci_conn *hcon = conn->hcon;
1493 u8 smp_op;
1494
1495 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1496
1497 switch (mgmt_op) {
1498 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1499 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1500 return 0;
1501 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1502 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1503 return 0;
1504 case MGMT_OP_USER_PASSKEY_REPLY:
1505 hcon->passkey_notify = le32_to_cpu(passkey);
1506 smp->passkey_round = 0;
1507
1508 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1509 smp_op = SMP_CMD_PAIRING_CONFIRM;
1510 else
1511 smp_op = 0;
1512
1513 if (sc_passkey_round(smp, smp_op))
1514 return -EIO;
1515
1516 return 0;
1517 }
1518
1519 /* Initiator sends DHKey check first */
1520 if (hcon->out) {
1521 sc_dhkey_check(smp);
1522 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1523 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1524 sc_dhkey_check(smp);
1525 sc_add_ltk(smp);
1526 }
1527
1528 return 0;
1529 }
1530
1531 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1532 {
1533 struct l2cap_conn *conn = hcon->l2cap_data;
1534 struct l2cap_chan *chan;
1535 struct smp_chan *smp;
1536 u32 value;
1537 int err;
1538
1539 BT_DBG("");
1540
1541 if (!conn)
1542 return -ENOTCONN;
1543
1544 chan = conn->smp;
1545 if (!chan)
1546 return -ENOTCONN;
1547
1548 l2cap_chan_lock(chan);
1549 if (!chan->data) {
1550 err = -ENOTCONN;
1551 goto unlock;
1552 }
1553
1554 smp = chan->data;
1555
1556 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1557 err = sc_user_reply(smp, mgmt_op, passkey);
1558 goto unlock;
1559 }
1560
1561 switch (mgmt_op) {
1562 case MGMT_OP_USER_PASSKEY_REPLY:
1563 value = le32_to_cpu(passkey);
1564 memset(smp->tk, 0, sizeof(smp->tk));
1565 BT_DBG("PassKey: %d", value);
1566 put_unaligned_le32(value, smp->tk);
1567 /* Fall Through */
1568 case MGMT_OP_USER_CONFIRM_REPLY:
1569 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1570 break;
1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1573 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1574 err = 0;
1575 goto unlock;
1576 default:
1577 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1578 err = -EOPNOTSUPP;
1579 goto unlock;
1580 }
1581
1582 err = 0;
1583
1584 /* If it is our turn to send Pairing Confirm, do so now */
1585 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1586 u8 rsp = smp_confirm(smp);
1587 if (rsp)
1588 smp_failure(conn, rsp);
1589 }
1590
1591 unlock:
1592 l2cap_chan_unlock(chan);
1593 return err;
1594 }
1595
1596 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1597 struct smp_cmd_pairing *req,
1598 struct smp_cmd_pairing *rsp)
1599 {
1600 struct l2cap_conn *conn = smp->conn;
1601 struct hci_dev *hdev = conn->hcon->hdev;
1602 u8 local_dist = 0, remote_dist = 0;
1603
1604 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1605 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1607 }
1608
1609 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1610 remote_dist |= SMP_DIST_ID_KEY;
1611
1612 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1613 local_dist |= SMP_DIST_ID_KEY;
1614
1615 if (!rsp) {
1616 memset(req, 0, sizeof(*req));
1617
1618 req->init_key_dist = local_dist;
1619 req->resp_key_dist = remote_dist;
1620 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1621
1622 smp->remote_key_dist = remote_dist;
1623
1624 return;
1625 }
1626
1627 memset(rsp, 0, sizeof(*rsp));
1628
1629 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1630 rsp->init_key_dist = req->init_key_dist & remote_dist;
1631 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1632
1633 smp->remote_key_dist = rsp->init_key_dist;
1634 }
1635
1636 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1637 {
1638 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1639 struct l2cap_chan *chan = conn->smp;
1640 struct hci_dev *hdev = conn->hcon->hdev;
1641 struct smp_chan *smp;
1642 u8 key_size, auth, sec_level;
1643 int ret;
1644
1645 BT_DBG("conn %p", conn);
1646
1647 if (skb->len < sizeof(*req))
1648 return SMP_INVALID_PARAMS;
1649
1650 if (conn->hcon->role != HCI_ROLE_SLAVE)
1651 return SMP_CMD_NOTSUPP;
1652
1653 if (!chan->data)
1654 smp = smp_chan_create(conn);
1655 else
1656 smp = chan->data;
1657
1658 if (!smp)
1659 return SMP_UNSPECIFIED;
1660
1661 /* We didn't start the pairing, so match remote */
1662 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1663
1664 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1665 (auth & SMP_AUTH_BONDING))
1666 return SMP_PAIRING_NOTSUPP;
1667
1668 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1669 return SMP_AUTH_REQUIREMENTS;
1670
1671 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1672 memcpy(&smp->preq[1], req, sizeof(*req));
1673 skb_pull(skb, sizeof(*req));
1674
1675 /* SMP over BR/EDR requires special treatment */
1676 if (conn->hcon->type == ACL_LINK) {
1677 /* We must have a BR/EDR SC link */
1678 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1679 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
1680 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1681
1682 set_bit(SMP_FLAG_SC, &smp->flags);
1683
1684 build_bredr_pairing_cmd(smp, req, &rsp);
1685
1686 key_size = min(req->max_key_size, rsp.max_key_size);
1687 if (check_enc_key_size(conn, key_size))
1688 return SMP_ENC_KEY_SIZE;
1689
1690 /* Clear bits which are generated but not distributed */
1691 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1692
1693 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1694 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1696
1697 smp_distribute_keys(smp);
1698 return 0;
1699 }
1700
1701 build_pairing_cmd(conn, req, &rsp, auth);
1702
1703 if (rsp.auth_req & SMP_AUTH_SC)
1704 set_bit(SMP_FLAG_SC, &smp->flags);
1705
1706 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1707 sec_level = BT_SECURITY_MEDIUM;
1708 else
1709 sec_level = authreq_to_seclevel(auth);
1710
1711 if (sec_level > conn->hcon->pending_sec_level)
1712 conn->hcon->pending_sec_level = sec_level;
1713
1714 /* If we need MITM check that it can be achieved */
1715 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1716 u8 method;
1717
1718 method = get_auth_method(smp, conn->hcon->io_capability,
1719 req->io_capability);
1720 if (method == JUST_WORKS || method == JUST_CFM)
1721 return SMP_AUTH_REQUIREMENTS;
1722 }
1723
1724 key_size = min(req->max_key_size, rsp.max_key_size);
1725 if (check_enc_key_size(conn, key_size))
1726 return SMP_ENC_KEY_SIZE;
1727
1728 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1729
1730 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1731 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1732
1733 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1734
1735 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1736
1737 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1738 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1739 /* Clear bits which are generated but not distributed */
1740 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1741 /* Wait for Public Key from Initiating Device */
1742 return 0;
1743 } else {
1744 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1745 }
1746
1747 /* Request setup of TK */
1748 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1749 if (ret)
1750 return SMP_UNSPECIFIED;
1751
1752 return 0;
1753 }
1754
1755 static u8 sc_send_public_key(struct smp_chan *smp)
1756 {
1757 struct hci_dev *hdev = smp->conn->hcon->hdev;
1758
1759 BT_DBG("");
1760
1761 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1762 BT_DBG("Using debug keys");
1763 memcpy(smp->local_pk, debug_pk, 64);
1764 memcpy(smp->local_sk, debug_sk, 32);
1765 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1766 } else {
1767 while (true) {
1768 /* Generate local key pair for Secure Connections */
1769 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1770 return SMP_UNSPECIFIED;
1771
1772 /* This is unlikely, but we need to check that
1773 * we didn't accidentially generate a debug key.
1774 */
1775 if (memcmp(smp->local_sk, debug_sk, 32))
1776 break;
1777 }
1778 }
1779
1780 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1781 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1782 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1783
1784 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1785
1786 return 0;
1787 }
1788
1789 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1790 {
1791 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1792 struct l2cap_chan *chan = conn->smp;
1793 struct smp_chan *smp = chan->data;
1794 struct hci_dev *hdev = conn->hcon->hdev;
1795 u8 key_size, auth;
1796 int ret;
1797
1798 BT_DBG("conn %p", conn);
1799
1800 if (skb->len < sizeof(*rsp))
1801 return SMP_INVALID_PARAMS;
1802
1803 if (conn->hcon->role != HCI_ROLE_MASTER)
1804 return SMP_CMD_NOTSUPP;
1805
1806 skb_pull(skb, sizeof(*rsp));
1807
1808 req = (void *) &smp->preq[1];
1809
1810 key_size = min(req->max_key_size, rsp->max_key_size);
1811 if (check_enc_key_size(conn, key_size))
1812 return SMP_ENC_KEY_SIZE;
1813
1814 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1815
1816 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1817 return SMP_AUTH_REQUIREMENTS;
1818
1819 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1820 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1821
1822 /* Update remote key distribution in case the remote cleared
1823 * some bits that we had enabled in our request.
1824 */
1825 smp->remote_key_dist &= rsp->resp_key_dist;
1826
1827 /* For BR/EDR this means we're done and can start phase 3 */
1828 if (conn->hcon->type == ACL_LINK) {
1829 /* Clear bits which are generated but not distributed */
1830 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1831 smp_distribute_keys(smp);
1832 return 0;
1833 }
1834
1835 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1836 set_bit(SMP_FLAG_SC, &smp->flags);
1837 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1838 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1839
1840 /* If we need MITM check that it can be achieved */
1841 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1842 u8 method;
1843
1844 method = get_auth_method(smp, req->io_capability,
1845 rsp->io_capability);
1846 if (method == JUST_WORKS || method == JUST_CFM)
1847 return SMP_AUTH_REQUIREMENTS;
1848 }
1849
1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1851
1852 /* Update remote key distribution in case the remote cleared
1853 * some bits that we had enabled in our request.
1854 */
1855 smp->remote_key_dist &= rsp->resp_key_dist;
1856
1857 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1858 /* Clear bits which are generated but not distributed */
1859 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1860 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 return sc_send_public_key(smp);
1862 }
1863
1864 auth |= req->auth_req;
1865
1866 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1867 if (ret)
1868 return SMP_UNSPECIFIED;
1869
1870 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1871
1872 /* Can't compose response until we have been confirmed */
1873 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1874 return smp_confirm(smp);
1875
1876 return 0;
1877 }
1878
1879 static u8 sc_check_confirm(struct smp_chan *smp)
1880 {
1881 struct l2cap_conn *conn = smp->conn;
1882
1883 BT_DBG("");
1884
1885 /* Public Key exchange must happen before any other steps */
1886 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1887 return SMP_UNSPECIFIED;
1888
1889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1890 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1891
1892 if (conn->hcon->out) {
1893 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1894 smp->prnd);
1895 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1896 }
1897
1898 return 0;
1899 }
1900
1901 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1902 {
1903 struct l2cap_chan *chan = conn->smp;
1904 struct smp_chan *smp = chan->data;
1905
1906 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1907
1908 if (skb->len < sizeof(smp->pcnf))
1909 return SMP_INVALID_PARAMS;
1910
1911 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1912 skb_pull(skb, sizeof(smp->pcnf));
1913
1914 if (test_bit(SMP_FLAG_SC, &smp->flags))
1915 return sc_check_confirm(smp);
1916
1917 if (conn->hcon->out) {
1918 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1919 smp->prnd);
1920 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1921 return 0;
1922 }
1923
1924 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1925 return smp_confirm(smp);
1926 else
1927 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1928
1929 return 0;
1930 }
1931
1932 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1933 {
1934 struct l2cap_chan *chan = conn->smp;
1935 struct smp_chan *smp = chan->data;
1936 struct hci_conn *hcon = conn->hcon;
1937 u8 *pkax, *pkbx, *na, *nb;
1938 u32 passkey;
1939 int err;
1940
1941 BT_DBG("conn %p", conn);
1942
1943 if (skb->len < sizeof(smp->rrnd))
1944 return SMP_INVALID_PARAMS;
1945
1946 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1947 skb_pull(skb, sizeof(smp->rrnd));
1948
1949 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1950 return smp_random(smp);
1951
1952 if (hcon->out) {
1953 pkax = smp->local_pk;
1954 pkbx = smp->remote_pk;
1955 na = smp->prnd;
1956 nb = smp->rrnd;
1957 } else {
1958 pkax = smp->remote_pk;
1959 pkbx = smp->local_pk;
1960 na = smp->rrnd;
1961 nb = smp->prnd;
1962 }
1963
1964 if (smp->method == REQ_OOB) {
1965 if (!hcon->out)
1966 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1967 sizeof(smp->prnd), smp->prnd);
1968 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1969 goto mackey_and_ltk;
1970 }
1971
1972 /* Passkey entry has special treatment */
1973 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1974 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1975
1976 if (hcon->out) {
1977 u8 cfm[16];
1978
1979 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1980 smp->rrnd, 0, cfm);
1981 if (err)
1982 return SMP_UNSPECIFIED;
1983
1984 if (memcmp(smp->pcnf, cfm, 16))
1985 return SMP_CONFIRM_FAILED;
1986 } else {
1987 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1988 smp->prnd);
1989 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1990 }
1991
1992 mackey_and_ltk:
1993 /* Generate MacKey and LTK */
1994 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1995 if (err)
1996 return SMP_UNSPECIFIED;
1997
1998 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1999 if (hcon->out) {
2000 sc_dhkey_check(smp);
2001 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2002 }
2003 return 0;
2004 }
2005
2006 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2007 if (err)
2008 return SMP_UNSPECIFIED;
2009
2010 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2011 hcon->dst_type, passkey, 0);
2012 if (err)
2013 return SMP_UNSPECIFIED;
2014
2015 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2016
2017 return 0;
2018 }
2019
2020 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2021 {
2022 struct smp_ltk *key;
2023 struct hci_conn *hcon = conn->hcon;
2024
2025 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2026 if (!key)
2027 return false;
2028
2029 if (smp_ltk_sec_level(key) < sec_level)
2030 return false;
2031
2032 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2033 return true;
2034
2035 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2036 hcon->enc_key_size = key->enc_size;
2037
2038 /* We never store STKs for master role, so clear this flag */
2039 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2040
2041 return true;
2042 }
2043
2044 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2045 enum smp_key_pref key_pref)
2046 {
2047 if (sec_level == BT_SECURITY_LOW)
2048 return true;
2049
2050 /* If we're encrypted with an STK but the caller prefers using
2051 * LTK claim insufficient security. This way we allow the
2052 * connection to be re-encrypted with an LTK, even if the LTK
2053 * provides the same level of security. Only exception is if we
2054 * don't have an LTK (e.g. because of key distribution bits).
2055 */
2056 if (key_pref == SMP_USE_LTK &&
2057 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2058 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2059 return false;
2060
2061 if (hcon->sec_level >= sec_level)
2062 return true;
2063
2064 return false;
2065 }
2066
2067 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2068 {
2069 struct smp_cmd_security_req *rp = (void *) skb->data;
2070 struct smp_cmd_pairing cp;
2071 struct hci_conn *hcon = conn->hcon;
2072 struct hci_dev *hdev = hcon->hdev;
2073 struct smp_chan *smp;
2074 u8 sec_level, auth;
2075
2076 BT_DBG("conn %p", conn);
2077
2078 if (skb->len < sizeof(*rp))
2079 return SMP_INVALID_PARAMS;
2080
2081 if (hcon->role != HCI_ROLE_MASTER)
2082 return SMP_CMD_NOTSUPP;
2083
2084 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2085
2086 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2087 return SMP_AUTH_REQUIREMENTS;
2088
2089 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2090 sec_level = BT_SECURITY_MEDIUM;
2091 else
2092 sec_level = authreq_to_seclevel(auth);
2093
2094 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2095 return 0;
2096
2097 if (sec_level > hcon->pending_sec_level)
2098 hcon->pending_sec_level = sec_level;
2099
2100 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2101 return 0;
2102
2103 smp = smp_chan_create(conn);
2104 if (!smp)
2105 return SMP_UNSPECIFIED;
2106
2107 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2108 (auth & SMP_AUTH_BONDING))
2109 return SMP_PAIRING_NOTSUPP;
2110
2111 skb_pull(skb, sizeof(*rp));
2112
2113 memset(&cp, 0, sizeof(cp));
2114 build_pairing_cmd(conn, &cp, NULL, auth);
2115
2116 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2117 memcpy(&smp->preq[1], &cp, sizeof(cp));
2118
2119 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2120 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2121
2122 return 0;
2123 }
2124
2125 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2126 {
2127 struct l2cap_conn *conn = hcon->l2cap_data;
2128 struct l2cap_chan *chan;
2129 struct smp_chan *smp;
2130 __u8 authreq;
2131 int ret;
2132
2133 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2134
2135 /* This may be NULL if there's an unexpected disconnection */
2136 if (!conn)
2137 return 1;
2138
2139 chan = conn->smp;
2140
2141 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2142 return 1;
2143
2144 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2145 return 1;
2146
2147 if (sec_level > hcon->pending_sec_level)
2148 hcon->pending_sec_level = sec_level;
2149
2150 if (hcon->role == HCI_ROLE_MASTER)
2151 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2152 return 0;
2153
2154 l2cap_chan_lock(chan);
2155
2156 /* If SMP is already in progress ignore this request */
2157 if (chan->data) {
2158 ret = 0;
2159 goto unlock;
2160 }
2161
2162 smp = smp_chan_create(conn);
2163 if (!smp) {
2164 ret = 1;
2165 goto unlock;
2166 }
2167
2168 authreq = seclevel_to_authreq(sec_level);
2169
2170 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2171 authreq |= SMP_AUTH_SC;
2172
2173 /* Require MITM if IO Capability allows or the security level
2174 * requires it.
2175 */
2176 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2177 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2178 authreq |= SMP_AUTH_MITM;
2179
2180 if (hcon->role == HCI_ROLE_MASTER) {
2181 struct smp_cmd_pairing cp;
2182
2183 build_pairing_cmd(conn, &cp, NULL, authreq);
2184 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2185 memcpy(&smp->preq[1], &cp, sizeof(cp));
2186
2187 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2188 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2189 } else {
2190 struct smp_cmd_security_req cp;
2191 cp.auth_req = authreq;
2192 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2193 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2194 }
2195
2196 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2197 ret = 0;
2198
2199 unlock:
2200 l2cap_chan_unlock(chan);
2201 return ret;
2202 }
2203
2204 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2205 {
2206 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2207 struct l2cap_chan *chan = conn->smp;
2208 struct smp_chan *smp = chan->data;
2209
2210 BT_DBG("conn %p", conn);
2211
2212 if (skb->len < sizeof(*rp))
2213 return SMP_INVALID_PARAMS;
2214
2215 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2216
2217 skb_pull(skb, sizeof(*rp));
2218
2219 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2220
2221 return 0;
2222 }
2223
2224 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2225 {
2226 struct smp_cmd_master_ident *rp = (void *) skb->data;
2227 struct l2cap_chan *chan = conn->smp;
2228 struct smp_chan *smp = chan->data;
2229 struct hci_dev *hdev = conn->hcon->hdev;
2230 struct hci_conn *hcon = conn->hcon;
2231 struct smp_ltk *ltk;
2232 u8 authenticated;
2233
2234 BT_DBG("conn %p", conn);
2235
2236 if (skb->len < sizeof(*rp))
2237 return SMP_INVALID_PARAMS;
2238
2239 /* Mark the information as received */
2240 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2241
2242 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2243 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2244 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2245 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2246
2247 skb_pull(skb, sizeof(*rp));
2248
2249 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2250 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2251 authenticated, smp->tk, smp->enc_key_size,
2252 rp->ediv, rp->rand);
2253 smp->ltk = ltk;
2254 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2255 smp_distribute_keys(smp);
2256
2257 return 0;
2258 }
2259
2260 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2261 {
2262 struct smp_cmd_ident_info *info = (void *) skb->data;
2263 struct l2cap_chan *chan = conn->smp;
2264 struct smp_chan *smp = chan->data;
2265
2266 BT_DBG("");
2267
2268 if (skb->len < sizeof(*info))
2269 return SMP_INVALID_PARAMS;
2270
2271 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2272
2273 skb_pull(skb, sizeof(*info));
2274
2275 memcpy(smp->irk, info->irk, 16);
2276
2277 return 0;
2278 }
2279
2280 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2281 struct sk_buff *skb)
2282 {
2283 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2284 struct l2cap_chan *chan = conn->smp;
2285 struct smp_chan *smp = chan->data;
2286 struct hci_conn *hcon = conn->hcon;
2287 bdaddr_t rpa;
2288
2289 BT_DBG("");
2290
2291 if (skb->len < sizeof(*info))
2292 return SMP_INVALID_PARAMS;
2293
2294 /* Mark the information as received */
2295 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2296
2297 if (smp->remote_key_dist & SMP_DIST_SIGN)
2298 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2299
2300 skb_pull(skb, sizeof(*info));
2301
2302 /* Strictly speaking the Core Specification (4.1) allows sending
2303 * an empty address which would force us to rely on just the IRK
2304 * as "identity information". However, since such
2305 * implementations are not known of and in order to not over
2306 * complicate our implementation, simply pretend that we never
2307 * received an IRK for such a device.
2308 *
2309 * The Identity Address must also be a Static Random or Public
2310 * Address, which hci_is_identity_address() checks for.
2311 */
2312 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2313 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2314 BT_ERR("Ignoring IRK with no identity address");
2315 goto distribute;
2316 }
2317
2318 bacpy(&smp->id_addr, &info->bdaddr);
2319 smp->id_addr_type = info->addr_type;
2320
2321 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2322 bacpy(&rpa, &hcon->dst);
2323 else
2324 bacpy(&rpa, BDADDR_ANY);
2325
2326 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2327 smp->id_addr_type, smp->irk, &rpa);
2328
2329 distribute:
2330 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2331 smp_distribute_keys(smp);
2332
2333 return 0;
2334 }
2335
2336 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2337 {
2338 struct smp_cmd_sign_info *rp = (void *) skb->data;
2339 struct l2cap_chan *chan = conn->smp;
2340 struct smp_chan *smp = chan->data;
2341 struct smp_csrk *csrk;
2342
2343 BT_DBG("conn %p", conn);
2344
2345 if (skb->len < sizeof(*rp))
2346 return SMP_INVALID_PARAMS;
2347
2348 /* Mark the information as received */
2349 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2350
2351 skb_pull(skb, sizeof(*rp));
2352
2353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2354 if (csrk) {
2355 csrk->master = 0x01;
2356 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2357 }
2358 smp->csrk = csrk;
2359 smp_distribute_keys(smp);
2360
2361 return 0;
2362 }
2363
2364 static u8 sc_select_method(struct smp_chan *smp)
2365 {
2366 struct l2cap_conn *conn = smp->conn;
2367 struct hci_conn *hcon = conn->hcon;
2368 struct smp_cmd_pairing *local, *remote;
2369 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2370
2371 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2372 return REQ_OOB;
2373
2374 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2375 * which are needed as inputs to some crypto functions. To get
2376 * the "struct smp_cmd_pairing" from them we need to skip the
2377 * first byte which contains the opcode.
2378 */
2379 if (hcon->out) {
2380 local = (void *) &smp->preq[1];
2381 remote = (void *) &smp->prsp[1];
2382 } else {
2383 local = (void *) &smp->prsp[1];
2384 remote = (void *) &smp->preq[1];
2385 }
2386
2387 local_io = local->io_capability;
2388 remote_io = remote->io_capability;
2389
2390 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2391 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2392
2393 /* If either side wants MITM, look up the method from the table,
2394 * otherwise use JUST WORKS.
2395 */
2396 if (local_mitm || remote_mitm)
2397 method = get_auth_method(smp, local_io, remote_io);
2398 else
2399 method = JUST_WORKS;
2400
2401 /* Don't confirm locally initiated pairing attempts */
2402 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2403 method = JUST_WORKS;
2404
2405 return method;
2406 }
2407
2408 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2409 {
2410 struct smp_cmd_public_key *key = (void *) skb->data;
2411 struct hci_conn *hcon = conn->hcon;
2412 struct l2cap_chan *chan = conn->smp;
2413 struct smp_chan *smp = chan->data;
2414 struct hci_dev *hdev = hcon->hdev;
2415 struct smp_cmd_pairing_confirm cfm;
2416 int err;
2417
2418 BT_DBG("conn %p", conn);
2419
2420 if (skb->len < sizeof(*key))
2421 return SMP_INVALID_PARAMS;
2422
2423 memcpy(smp->remote_pk, key, 64);
2424
2425 /* Non-initiating device sends its public key after receiving
2426 * the key from the initiating device.
2427 */
2428 if (!hcon->out) {
2429 err = sc_send_public_key(smp);
2430 if (err)
2431 return err;
2432 }
2433
2434 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2435 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2436
2437 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2438 return SMP_UNSPECIFIED;
2439
2440 SMP_DBG("DHKey %32phN", smp->dhkey);
2441
2442 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2443
2444 smp->method = sc_select_method(smp);
2445
2446 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2447
2448 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2449 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2450 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2451 else
2452 hcon->pending_sec_level = BT_SECURITY_FIPS;
2453
2454 if (!memcmp(debug_pk, smp->remote_pk, 64))
2455 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2456
2457 if (smp->method == DSP_PASSKEY) {
2458 get_random_bytes(&hcon->passkey_notify,
2459 sizeof(hcon->passkey_notify));
2460 hcon->passkey_notify %= 1000000;
2461 hcon->passkey_entered = 0;
2462 smp->passkey_round = 0;
2463 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2464 hcon->dst_type,
2465 hcon->passkey_notify,
2466 hcon->passkey_entered))
2467 return SMP_UNSPECIFIED;
2468 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2469 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2470 }
2471
2472 if (smp->method == REQ_OOB) {
2473 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2474 smp->rr, 0, cfm.confirm_val);
2475 if (err)
2476 return SMP_UNSPECIFIED;
2477
2478 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2479 return SMP_CONFIRM_FAILED;
2480
2481 if (hcon->out)
2482 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2483 sizeof(smp->prnd), smp->prnd);
2484
2485 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2486
2487 return 0;
2488 }
2489
2490 if (hcon->out)
2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2492
2493 if (smp->method == REQ_PASSKEY) {
2494 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2495 hcon->dst_type))
2496 return SMP_UNSPECIFIED;
2497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2498 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2499 return 0;
2500 }
2501
2502 /* The Initiating device waits for the non-initiating device to
2503 * send the confirm value.
2504 */
2505 if (conn->hcon->out)
2506 return 0;
2507
2508 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2509 0, cfm.confirm_val);
2510 if (err)
2511 return SMP_UNSPECIFIED;
2512
2513 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2514 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2515
2516 return 0;
2517 }
2518
2519 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2520 {
2521 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2522 struct l2cap_chan *chan = conn->smp;
2523 struct hci_conn *hcon = conn->hcon;
2524 struct smp_chan *smp = chan->data;
2525 u8 a[7], b[7], *local_addr, *remote_addr;
2526 u8 io_cap[3], r[16], e[16];
2527 int err;
2528
2529 BT_DBG("conn %p", conn);
2530
2531 if (skb->len < sizeof(*check))
2532 return SMP_INVALID_PARAMS;
2533
2534 memcpy(a, &hcon->init_addr, 6);
2535 memcpy(b, &hcon->resp_addr, 6);
2536 a[6] = hcon->init_addr_type;
2537 b[6] = hcon->resp_addr_type;
2538
2539 if (hcon->out) {
2540 local_addr = a;
2541 remote_addr = b;
2542 memcpy(io_cap, &smp->prsp[1], 3);
2543 } else {
2544 local_addr = b;
2545 remote_addr = a;
2546 memcpy(io_cap, &smp->preq[1], 3);
2547 }
2548
2549 memset(r, 0, sizeof(r));
2550
2551 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2552 put_unaligned_le32(hcon->passkey_notify, r);
2553
2554 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2555 io_cap, remote_addr, local_addr, e);
2556 if (err)
2557 return SMP_UNSPECIFIED;
2558
2559 if (memcmp(check->e, e, 16))
2560 return SMP_DHKEY_CHECK_FAILED;
2561
2562 if (!hcon->out) {
2563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2564 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2565 return 0;
2566 }
2567
2568 /* Slave sends DHKey check as response to master */
2569 sc_dhkey_check(smp);
2570 }
2571
2572 sc_add_ltk(smp);
2573
2574 if (hcon->out) {
2575 hci_le_start_enc(hcon, 0, 0, smp->tk);
2576 hcon->enc_key_size = smp->enc_key_size;
2577 }
2578
2579 return 0;
2580 }
2581
2582 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2583 struct sk_buff *skb)
2584 {
2585 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2586
2587 BT_DBG("value 0x%02x", kp->value);
2588
2589 return 0;
2590 }
2591
2592 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2593 {
2594 struct l2cap_conn *conn = chan->conn;
2595 struct hci_conn *hcon = conn->hcon;
2596 struct smp_chan *smp;
2597 __u8 code, reason;
2598 int err = 0;
2599
2600 if (skb->len < 1)
2601 return -EILSEQ;
2602
2603 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2604 reason = SMP_PAIRING_NOTSUPP;
2605 goto done;
2606 }
2607
2608 code = skb->data[0];
2609 skb_pull(skb, sizeof(code));
2610
2611 smp = chan->data;
2612
2613 if (code > SMP_CMD_MAX)
2614 goto drop;
2615
2616 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2617 goto drop;
2618
2619 /* If we don't have a context the only allowed commands are
2620 * pairing request and security request.
2621 */
2622 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2623 goto drop;
2624
2625 switch (code) {
2626 case SMP_CMD_PAIRING_REQ:
2627 reason = smp_cmd_pairing_req(conn, skb);
2628 break;
2629
2630 case SMP_CMD_PAIRING_FAIL:
2631 smp_failure(conn, 0);
2632 err = -EPERM;
2633 break;
2634
2635 case SMP_CMD_PAIRING_RSP:
2636 reason = smp_cmd_pairing_rsp(conn, skb);
2637 break;
2638
2639 case SMP_CMD_SECURITY_REQ:
2640 reason = smp_cmd_security_req(conn, skb);
2641 break;
2642
2643 case SMP_CMD_PAIRING_CONFIRM:
2644 reason = smp_cmd_pairing_confirm(conn, skb);
2645 break;
2646
2647 case SMP_CMD_PAIRING_RANDOM:
2648 reason = smp_cmd_pairing_random(conn, skb);
2649 break;
2650
2651 case SMP_CMD_ENCRYPT_INFO:
2652 reason = smp_cmd_encrypt_info(conn, skb);
2653 break;
2654
2655 case SMP_CMD_MASTER_IDENT:
2656 reason = smp_cmd_master_ident(conn, skb);
2657 break;
2658
2659 case SMP_CMD_IDENT_INFO:
2660 reason = smp_cmd_ident_info(conn, skb);
2661 break;
2662
2663 case SMP_CMD_IDENT_ADDR_INFO:
2664 reason = smp_cmd_ident_addr_info(conn, skb);
2665 break;
2666
2667 case SMP_CMD_SIGN_INFO:
2668 reason = smp_cmd_sign_info(conn, skb);
2669 break;
2670
2671 case SMP_CMD_PUBLIC_KEY:
2672 reason = smp_cmd_public_key(conn, skb);
2673 break;
2674
2675 case SMP_CMD_DHKEY_CHECK:
2676 reason = smp_cmd_dhkey_check(conn, skb);
2677 break;
2678
2679 case SMP_CMD_KEYPRESS_NOTIFY:
2680 reason = smp_cmd_keypress_notify(conn, skb);
2681 break;
2682
2683 default:
2684 BT_DBG("Unknown command code 0x%2.2x", code);
2685 reason = SMP_CMD_NOTSUPP;
2686 goto done;
2687 }
2688
2689 done:
2690 if (!err) {
2691 if (reason)
2692 smp_failure(conn, reason);
2693 kfree_skb(skb);
2694 }
2695
2696 return err;
2697
2698 drop:
2699 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2700 code, &hcon->dst);
2701 kfree_skb(skb);
2702 return 0;
2703 }
2704
2705 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2706 {
2707 struct l2cap_conn *conn = chan->conn;
2708
2709 BT_DBG("chan %p", chan);
2710
2711 if (chan->data)
2712 smp_chan_destroy(conn);
2713
2714 conn->smp = NULL;
2715 l2cap_chan_put(chan);
2716 }
2717
2718 static void bredr_pairing(struct l2cap_chan *chan)
2719 {
2720 struct l2cap_conn *conn = chan->conn;
2721 struct hci_conn *hcon = conn->hcon;
2722 struct hci_dev *hdev = hcon->hdev;
2723 struct smp_cmd_pairing req;
2724 struct smp_chan *smp;
2725
2726 BT_DBG("chan %p", chan);
2727
2728 /* Only new pairings are interesting */
2729 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2730 return;
2731
2732 /* Don't bother if we're not encrypted */
2733 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2734 return;
2735
2736 /* Only master may initiate SMP over BR/EDR */
2737 if (hcon->role != HCI_ROLE_MASTER)
2738 return;
2739
2740 /* Secure Connections support must be enabled */
2741 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2742 return;
2743
2744 /* BR/EDR must use Secure Connections for SMP */
2745 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2746 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
2747 return;
2748
2749 /* If our LE support is not enabled don't do anything */
2750 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2751 return;
2752
2753 /* Don't bother if remote LE support is not enabled */
2754 if (!lmp_host_le_capable(hcon))
2755 return;
2756
2757 /* Remote must support SMP fixed chan for BR/EDR */
2758 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2759 return;
2760
2761 /* Don't bother if SMP is already ongoing */
2762 if (chan->data)
2763 return;
2764
2765 smp = smp_chan_create(conn);
2766 if (!smp) {
2767 BT_ERR("%s unable to create SMP context for BR/EDR",
2768 hdev->name);
2769 return;
2770 }
2771
2772 set_bit(SMP_FLAG_SC, &smp->flags);
2773
2774 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2775
2776 /* Prepare and send the BR/EDR SMP Pairing Request */
2777 build_bredr_pairing_cmd(smp, &req, NULL);
2778
2779 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2780 memcpy(&smp->preq[1], &req, sizeof(req));
2781
2782 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2783 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2784 }
2785
2786 static void smp_resume_cb(struct l2cap_chan *chan)
2787 {
2788 struct smp_chan *smp = chan->data;
2789 struct l2cap_conn *conn = chan->conn;
2790 struct hci_conn *hcon = conn->hcon;
2791
2792 BT_DBG("chan %p", chan);
2793
2794 if (hcon->type == ACL_LINK) {
2795 bredr_pairing(chan);
2796 return;
2797 }
2798
2799 if (!smp)
2800 return;
2801
2802 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2803 return;
2804
2805 cancel_delayed_work(&smp->security_timer);
2806
2807 smp_distribute_keys(smp);
2808 }
2809
2810 static void smp_ready_cb(struct l2cap_chan *chan)
2811 {
2812 struct l2cap_conn *conn = chan->conn;
2813 struct hci_conn *hcon = conn->hcon;
2814
2815 BT_DBG("chan %p", chan);
2816
2817 conn->smp = chan;
2818 l2cap_chan_hold(chan);
2819
2820 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2821 bredr_pairing(chan);
2822 }
2823
2824 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2825 {
2826 int err;
2827
2828 BT_DBG("chan %p", chan);
2829
2830 err = smp_sig_channel(chan, skb);
2831 if (err) {
2832 struct smp_chan *smp = chan->data;
2833
2834 if (smp)
2835 cancel_delayed_work_sync(&smp->security_timer);
2836
2837 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2838 }
2839
2840 return err;
2841 }
2842
2843 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2844 unsigned long hdr_len,
2845 unsigned long len, int nb)
2846 {
2847 struct sk_buff *skb;
2848
2849 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2850 if (!skb)
2851 return ERR_PTR(-ENOMEM);
2852
2853 skb->priority = HCI_PRIO_MAX;
2854 bt_cb(skb)->chan = chan;
2855
2856 return skb;
2857 }
2858
2859 static const struct l2cap_ops smp_chan_ops = {
2860 .name = "Security Manager",
2861 .ready = smp_ready_cb,
2862 .recv = smp_recv_cb,
2863 .alloc_skb = smp_alloc_skb_cb,
2864 .teardown = smp_teardown_cb,
2865 .resume = smp_resume_cb,
2866
2867 .new_connection = l2cap_chan_no_new_connection,
2868 .state_change = l2cap_chan_no_state_change,
2869 .close = l2cap_chan_no_close,
2870 .defer = l2cap_chan_no_defer,
2871 .suspend = l2cap_chan_no_suspend,
2872 .set_shutdown = l2cap_chan_no_set_shutdown,
2873 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2874 };
2875
2876 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2877 {
2878 struct l2cap_chan *chan;
2879
2880 BT_DBG("pchan %p", pchan);
2881
2882 chan = l2cap_chan_create();
2883 if (!chan)
2884 return NULL;
2885
2886 chan->chan_type = pchan->chan_type;
2887 chan->ops = &smp_chan_ops;
2888 chan->scid = pchan->scid;
2889 chan->dcid = chan->scid;
2890 chan->imtu = pchan->imtu;
2891 chan->omtu = pchan->omtu;
2892 chan->mode = pchan->mode;
2893
2894 /* Other L2CAP channels may request SMP routines in order to
2895 * change the security level. This means that the SMP channel
2896 * lock must be considered in its own category to avoid lockdep
2897 * warnings.
2898 */
2899 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2900
2901 BT_DBG("created chan %p", chan);
2902
2903 return chan;
2904 }
2905
2906 static const struct l2cap_ops smp_root_chan_ops = {
2907 .name = "Security Manager Root",
2908 .new_connection = smp_new_conn_cb,
2909
2910 /* None of these are implemented for the root channel */
2911 .close = l2cap_chan_no_close,
2912 .alloc_skb = l2cap_chan_no_alloc_skb,
2913 .recv = l2cap_chan_no_recv,
2914 .state_change = l2cap_chan_no_state_change,
2915 .teardown = l2cap_chan_no_teardown,
2916 .ready = l2cap_chan_no_ready,
2917 .defer = l2cap_chan_no_defer,
2918 .suspend = l2cap_chan_no_suspend,
2919 .resume = l2cap_chan_no_resume,
2920 .set_shutdown = l2cap_chan_no_set_shutdown,
2921 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
2922 };
2923
2924 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2925 {
2926 struct l2cap_chan *chan;
2927 struct crypto_blkcipher *tfm_aes;
2928
2929 if (cid == L2CAP_CID_SMP_BREDR) {
2930 tfm_aes = NULL;
2931 goto create_chan;
2932 }
2933
2934 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2935 if (IS_ERR(tfm_aes)) {
2936 BT_ERR("Unable to create crypto context");
2937 return ERR_CAST(tfm_aes);
2938 }
2939
2940 create_chan:
2941 chan = l2cap_chan_create();
2942 if (!chan) {
2943 crypto_free_blkcipher(tfm_aes);
2944 return ERR_PTR(-ENOMEM);
2945 }
2946
2947 chan->data = tfm_aes;
2948
2949 l2cap_add_scid(chan, cid);
2950
2951 l2cap_chan_set_defaults(chan);
2952
2953 if (cid == L2CAP_CID_SMP) {
2954 /* If usage of static address is forced or if the devices
2955 * does not have a public address, then listen on the static
2956 * address.
2957 *
2958 * In case BR/EDR has been disabled on a dual-mode controller
2959 * and a static address has been configued, then listen on
2960 * the static address instead.
2961 */
2962 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dbg_flags) ||
2963 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2964 (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) &&
2965 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2966 bacpy(&chan->src, &hdev->static_addr);
2967 chan->src_type = BDADDR_LE_RANDOM;
2968 } else {
2969 bacpy(&chan->src, &hdev->bdaddr);
2970 chan->src_type = BDADDR_LE_PUBLIC;
2971 }
2972 } else {
2973 bacpy(&chan->src, &hdev->bdaddr);
2974 chan->src_type = BDADDR_BREDR;
2975 }
2976
2977 chan->state = BT_LISTEN;
2978 chan->mode = L2CAP_MODE_BASIC;
2979 chan->imtu = L2CAP_DEFAULT_MTU;
2980 chan->ops = &smp_root_chan_ops;
2981
2982 /* Set correct nesting level for a parent/listening channel */
2983 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2984
2985 return chan;
2986 }
2987
2988 static void smp_del_chan(struct l2cap_chan *chan)
2989 {
2990 struct crypto_blkcipher *tfm_aes;
2991
2992 BT_DBG("chan %p", chan);
2993
2994 tfm_aes = chan->data;
2995 if (tfm_aes) {
2996 chan->data = NULL;
2997 crypto_free_blkcipher(tfm_aes);
2998 }
2999
3000 l2cap_chan_put(chan);
3001 }
3002
3003 static ssize_t force_bredr_smp_read(struct file *file,
3004 char __user *user_buf,
3005 size_t count, loff_t *ppos)
3006 {
3007 struct hci_dev *hdev = file->private_data;
3008 char buf[3];
3009
3010 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
3011 buf[1] = '\n';
3012 buf[2] = '\0';
3013 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3014 }
3015
3016 static ssize_t force_bredr_smp_write(struct file *file,
3017 const char __user *user_buf,
3018 size_t count, loff_t *ppos)
3019 {
3020 struct hci_dev *hdev = file->private_data;
3021 char buf[32];
3022 size_t buf_size = min(count, (sizeof(buf)-1));
3023 bool enable;
3024
3025 if (copy_from_user(buf, user_buf, buf_size))
3026 return -EFAULT;
3027
3028 buf[buf_size] = '\0';
3029 if (strtobool(buf, &enable))
3030 return -EINVAL;
3031
3032 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3033 return -EALREADY;
3034
3035 if (enable) {
3036 struct l2cap_chan *chan;
3037
3038 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3039 if (IS_ERR(chan))
3040 return PTR_ERR(chan);
3041
3042 hdev->smp_bredr_data = chan;
3043 } else {
3044 struct l2cap_chan *chan;
3045
3046 chan = hdev->smp_bredr_data;
3047 hdev->smp_bredr_data = NULL;
3048 smp_del_chan(chan);
3049 }
3050
3051 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3052
3053 return count;
3054 }
3055
3056 static const struct file_operations force_bredr_smp_fops = {
3057 .open = simple_open,
3058 .read = force_bredr_smp_read,
3059 .write = force_bredr_smp_write,
3060 .llseek = default_llseek,
3061 };
3062
3063 int smp_register(struct hci_dev *hdev)
3064 {
3065 struct l2cap_chan *chan;
3066
3067 BT_DBG("%s", hdev->name);
3068
3069 /* If the controller does not support Low Energy operation, then
3070 * there is also no need to register any SMP channel.
3071 */
3072 if (!lmp_le_capable(hdev))
3073 return 0;
3074
3075 if (WARN_ON(hdev->smp_data)) {
3076 chan = hdev->smp_data;
3077 hdev->smp_data = NULL;
3078 smp_del_chan(chan);
3079 }
3080
3081 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3082 if (IS_ERR(chan))
3083 return PTR_ERR(chan);
3084
3085 hdev->smp_data = chan;
3086
3087 /* If the controller does not support BR/EDR Secure Connections
3088 * feature, then the BR/EDR SMP channel shall not be present.
3089 *
3090 * To test this with Bluetooth 4.0 controllers, create a debugfs
3091 * switch that allows forcing BR/EDR SMP support and accepting
3092 * cross-transport pairing on non-AES encrypted connections.
3093 */
3094 if (!lmp_sc_capable(hdev)) {
3095 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3096 hdev, &force_bredr_smp_fops);
3097 return 0;
3098 }
3099
3100 if (WARN_ON(hdev->smp_bredr_data)) {
3101 chan = hdev->smp_bredr_data;
3102 hdev->smp_bredr_data = NULL;
3103 smp_del_chan(chan);
3104 }
3105
3106 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3107 if (IS_ERR(chan)) {
3108 int err = PTR_ERR(chan);
3109 chan = hdev->smp_data;
3110 hdev->smp_data = NULL;
3111 smp_del_chan(chan);
3112 return err;
3113 }
3114
3115 hdev->smp_bredr_data = chan;
3116
3117 return 0;
3118 }
3119
3120 void smp_unregister(struct hci_dev *hdev)
3121 {
3122 struct l2cap_chan *chan;
3123
3124 if (hdev->smp_bredr_data) {
3125 chan = hdev->smp_bredr_data;
3126 hdev->smp_bredr_data = NULL;
3127 smp_del_chan(chan);
3128 }
3129
3130 if (hdev->smp_data) {
3131 chan = hdev->smp_data;
3132 hdev->smp_data = NULL;
3133 smp_del_chan(chan);
3134 }
3135 }
3136
3137 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3138
3139 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3140 {
3141 const u8 irk[16] = {
3142 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3143 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3144 const u8 r[3] = { 0x94, 0x81, 0x70 };
3145 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3146 u8 res[3];
3147 int err;
3148
3149 err = smp_ah(tfm_aes, irk, r, res);
3150 if (err)
3151 return err;
3152
3153 if (memcmp(res, exp, 3))
3154 return -EINVAL;
3155
3156 return 0;
3157 }
3158
3159 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3160 {
3161 const u8 k[16] = {
3162 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3164 const u8 r[16] = {
3165 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3166 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3167 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3168 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3169 const u8 _iat = 0x01;
3170 const u8 _rat = 0x00;
3171 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3172 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3173 const u8 exp[16] = {
3174 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3175 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3176 u8 res[16];
3177 int err;
3178
3179 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3180 if (err)
3181 return err;
3182
3183 if (memcmp(res, exp, 16))
3184 return -EINVAL;
3185
3186 return 0;
3187 }
3188
3189 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3190 {
3191 const u8 k[16] = {
3192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3194 const u8 r1[16] = {
3195 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3196 const u8 r2[16] = {
3197 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3198 const u8 exp[16] = {
3199 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3200 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3201 u8 res[16];
3202 int err;
3203
3204 err = smp_s1(tfm_aes, k, r1, r2, res);
3205 if (err)
3206 return err;
3207
3208 if (memcmp(res, exp, 16))
3209 return -EINVAL;
3210
3211 return 0;
3212 }
3213
3214 static int __init test_f4(struct crypto_hash *tfm_cmac)
3215 {
3216 const u8 u[32] = {
3217 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3218 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3219 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3220 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3221 const u8 v[32] = {
3222 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3223 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3224 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3225 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3226 const u8 x[16] = {
3227 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3228 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3229 const u8 z = 0x00;
3230 const u8 exp[16] = {
3231 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3232 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3233 u8 res[16];
3234 int err;
3235
3236 err = smp_f4(tfm_cmac, u, v, x, z, res);
3237 if (err)
3238 return err;
3239
3240 if (memcmp(res, exp, 16))
3241 return -EINVAL;
3242
3243 return 0;
3244 }
3245
3246 static int __init test_f5(struct crypto_hash *tfm_cmac)
3247 {
3248 const u8 w[32] = {
3249 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3250 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3251 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3252 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3253 const u8 n1[16] = {
3254 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3255 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3256 const u8 n2[16] = {
3257 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3258 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3259 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3260 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3261 const u8 exp_ltk[16] = {
3262 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3263 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3264 const u8 exp_mackey[16] = {
3265 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3266 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3267 u8 mackey[16], ltk[16];
3268 int err;
3269
3270 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3271 if (err)
3272 return err;
3273
3274 if (memcmp(mackey, exp_mackey, 16))
3275 return -EINVAL;
3276
3277 if (memcmp(ltk, exp_ltk, 16))
3278 return -EINVAL;
3279
3280 return 0;
3281 }
3282
3283 static int __init test_f6(struct crypto_hash *tfm_cmac)
3284 {
3285 const u8 w[16] = {
3286 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3287 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3288 const u8 n1[16] = {
3289 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3290 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3291 const u8 n2[16] = {
3292 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3293 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3294 const u8 r[16] = {
3295 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3296 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3297 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3298 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3299 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3300 const u8 exp[16] = {
3301 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3302 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3303 u8 res[16];
3304 int err;
3305
3306 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3307 if (err)
3308 return err;
3309
3310 if (memcmp(res, exp, 16))
3311 return -EINVAL;
3312
3313 return 0;
3314 }
3315
3316 static int __init test_g2(struct crypto_hash *tfm_cmac)
3317 {
3318 const u8 u[32] = {
3319 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3320 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3321 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3322 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3323 const u8 v[32] = {
3324 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3325 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3326 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3327 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3328 const u8 x[16] = {
3329 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3330 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3331 const u8 y[16] = {
3332 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3333 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3334 const u32 exp_val = 0x2f9ed5ba % 1000000;
3335 u32 val;
3336 int err;
3337
3338 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3339 if (err)
3340 return err;
3341
3342 if (val != exp_val)
3343 return -EINVAL;
3344
3345 return 0;
3346 }
3347
3348 static int __init test_h6(struct crypto_hash *tfm_cmac)
3349 {
3350 const u8 w[16] = {
3351 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3352 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3353 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3354 const u8 exp[16] = {
3355 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3356 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3357 u8 res[16];
3358 int err;
3359
3360 err = smp_h6(tfm_cmac, w, key_id, res);
3361 if (err)
3362 return err;
3363
3364 if (memcmp(res, exp, 16))
3365 return -EINVAL;
3366
3367 return 0;
3368 }
3369
3370 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3371 struct crypto_hash *tfm_cmac)
3372 {
3373 ktime_t calltime, delta, rettime;
3374 unsigned long long duration;
3375 int err;
3376
3377 calltime = ktime_get();
3378
3379 err = test_ah(tfm_aes);
3380 if (err) {
3381 BT_ERR("smp_ah test failed");
3382 return err;
3383 }
3384
3385 err = test_c1(tfm_aes);
3386 if (err) {
3387 BT_ERR("smp_c1 test failed");
3388 return err;
3389 }
3390
3391 err = test_s1(tfm_aes);
3392 if (err) {
3393 BT_ERR("smp_s1 test failed");
3394 return err;
3395 }
3396
3397 err = test_f4(tfm_cmac);
3398 if (err) {
3399 BT_ERR("smp_f4 test failed");
3400 return err;
3401 }
3402
3403 err = test_f5(tfm_cmac);
3404 if (err) {
3405 BT_ERR("smp_f5 test failed");
3406 return err;
3407 }
3408
3409 err = test_f6(tfm_cmac);
3410 if (err) {
3411 BT_ERR("smp_f6 test failed");
3412 return err;
3413 }
3414
3415 err = test_g2(tfm_cmac);
3416 if (err) {
3417 BT_ERR("smp_g2 test failed");
3418 return err;
3419 }
3420
3421 err = test_h6(tfm_cmac);
3422 if (err) {
3423 BT_ERR("smp_h6 test failed");
3424 return err;
3425 }
3426
3427 rettime = ktime_get();
3428 delta = ktime_sub(rettime, calltime);
3429 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3430
3431 BT_INFO("SMP test passed in %llu usecs", duration);
3432
3433 return 0;
3434 }
3435
3436 int __init bt_selftest_smp(void)
3437 {
3438 struct crypto_blkcipher *tfm_aes;
3439 struct crypto_hash *tfm_cmac;
3440 int err;
3441
3442 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3443 if (IS_ERR(tfm_aes)) {
3444 BT_ERR("Unable to create ECB crypto context");
3445 return PTR_ERR(tfm_aes);
3446 }
3447
3448 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3449 if (IS_ERR(tfm_cmac)) {
3450 BT_ERR("Unable to create CMAC crypto context");
3451 crypto_free_blkcipher(tfm_aes);
3452 return PTR_ERR(tfm_cmac);
3453 }
3454
3455 err = run_selftests(tfm_aes, tfm_cmac);
3456
3457 crypto_free_hash(tfm_cmac);
3458 crypto_free_blkcipher(tfm_aes);
3459
3460 return err;
3461 }
3462
3463 #endif
Ubuntu Artful kernel mirror