search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mlxsw: spectrum_router: Add helpers for neighbor access
[linux-2.6/btrfs-unstable.git] / net / bluetooth / smp.c
bloba0ef89772c366c53097c3a18760e48d302d00656
1 /*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21 */
22
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <linux/crypto.h>
26 #include <crypto/algapi.h>
27 #include <crypto/b128ops.h>
28 #include <crypto/hash.h>
29
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34
35 #include "ecdh_helper.h"
36 #include "smp.h"
37
38 #define SMP_DEV(hdev) \
39 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40
41 /* Low-level debug macros to be used for stuff that we don't want
42 * accidentially in dmesg, i.e. the values of the various crypto keys
43 * and the inputs & outputs of crypto functions.
44 */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 ##__VA_ARGS__)
51 #endif
52
53 #define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
54
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
57
58 #define SMP_TIMEOUT msecs_to_jiffies(30000)
59
60 #define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
61 0x3f : 0x07)
62 #define KEY_DIST_MASK 0x07
63
64 /* Maximum message length that can be passed to aes_cmac */
65 #define CMAC_MSG_MAX 80
66
67 enum {
68 SMP_FLAG_TK_VALID,
69 SMP_FLAG_CFM_PENDING,
70 SMP_FLAG_MITM_AUTH,
71 SMP_FLAG_COMPLETE,
72 SMP_FLAG_INITIATOR,
73 SMP_FLAG_SC,
74 SMP_FLAG_REMOTE_PK,
75 SMP_FLAG_DEBUG_KEY,
76 SMP_FLAG_WAIT_USER,
77 SMP_FLAG_DHKEY_PENDING,
78 SMP_FLAG_REMOTE_OOB,
79 SMP_FLAG_LOCAL_OOB,
80 SMP_FLAG_CT2,
81 };
82
83 struct smp_dev {
84 /* Secure Connections OOB data */
85 u8 local_pk[64];
86 u8 local_sk[32];
87 u8 local_rand[16];
88 bool debug_key;
89
90 u8 min_key_size;
91 u8 max_key_size;
92
93 struct crypto_cipher *tfm_aes;
94 struct crypto_shash *tfm_cmac;
95 };
96
97 struct smp_chan {
98 struct l2cap_conn *conn;
99 struct delayed_work security_timer;
100 unsigned long allow_cmd; /* Bitmask of allowed commands */
101
102 u8 preq[7]; /* SMP Pairing Request */
103 u8 prsp[7]; /* SMP Pairing Response */
104 u8 prnd[16]; /* SMP Pairing Random (local) */
105 u8 rrnd[16]; /* SMP Pairing Random (remote) */
106 u8 pcnf[16]; /* SMP Pairing Confirm */
107 u8 tk[16]; /* SMP Temporary Key */
108 u8 rr[16]; /* Remote OOB ra/rb value */
109 u8 lr[16]; /* Local OOB ra/rb value */
110 u8 enc_key_size;
111 u8 remote_key_dist;
112 bdaddr_t id_addr;
113 u8 id_addr_type;
114 u8 irk[16];
115 struct smp_csrk *csrk;
116 struct smp_csrk *slave_csrk;
117 struct smp_ltk *ltk;
118 struct smp_ltk *slave_ltk;
119 struct smp_irk *remote_irk;
120 u8 *link_key;
121 unsigned long flags;
122 u8 method;
123 u8 passkey_round;
124
125 /* Secure Connections variables */
126 u8 local_pk[64];
127 u8 local_sk[32];
128 u8 remote_pk[64];
129 u8 dhkey[32];
130 u8 mackey[16];
131
132 struct crypto_cipher *tfm_aes;
133 struct crypto_shash *tfm_cmac;
134 };
135
136 /* These debug key values are defined in the SMP section of the core
137 * specification. debug_pk is the public debug key and debug_sk the
138 * private debug key.
139 */
140 static const u8 debug_pk[64] = {
141 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
142 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
143 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
144 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
145
146 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
147 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
148 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
149 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
150 };
151
152 static const u8 debug_sk[32] = {
153 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
154 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
155 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
156 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
157 };
158
159 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
160 {
161 size_t i;
162
163 for (i = 0; i < len; i++)
164 dst[len - 1 - i] = src[i];
165 }
166
167 /* The following functions map to the LE SC SMP crypto functions
168 * AES-CMAC, f4, f5, f6, g2 and h6.
169 */
170
171 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
172 size_t len, u8 mac[16])
173 {
174 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
175 SHASH_DESC_ON_STACK(desc, tfm);
176 int err;
177
178 if (len > CMAC_MSG_MAX)
179 return -EFBIG;
180
181 if (!tfm) {
182 BT_ERR("tfm %p", tfm);
183 return -EINVAL;
184 }
185
186 desc->tfm = tfm;
187 desc->flags = 0;
188
189 /* Swap key and message from LSB to MSB */
190 swap_buf(k, tmp, 16);
191 swap_buf(m, msg_msb, len);
192
193 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194 SMP_DBG("key %16phN", k);
195
196 err = crypto_shash_setkey(tfm, tmp, 16);
197 if (err) {
198 BT_ERR("cipher setkey failed: %d", err);
199 return err;
200 }
201
202 err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
203 shash_desc_zero(desc);
204 if (err) {
205 BT_ERR("Hash computation error %d", err);
206 return err;
207 }
208
209 swap_buf(mac_msb, mac, 16);
210
211 SMP_DBG("mac %16phN", mac);
212
213 return 0;
214 }
215
216 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
217 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
218 {
219 u8 m[65];
220 int err;
221
222 SMP_DBG("u %32phN", u);
223 SMP_DBG("v %32phN", v);
224 SMP_DBG("x %16phN z %02x", x, z);
225
226 m[0] = z;
227 memcpy(m + 1, v, 32);
228 memcpy(m + 33, u, 32);
229
230 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
231 if (err)
232 return err;
233
234 SMP_DBG("res %16phN", res);
235
236 return err;
237 }
238
239 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
240 const u8 n1[16], const u8 n2[16], const u8 a1[7],
241 const u8 a2[7], u8 mackey[16], u8 ltk[16])
242 {
243 /* The btle, salt and length "magic" values are as defined in
244 * the SMP section of the Bluetooth core specification. In ASCII
245 * the btle value ends up being 'btle'. The salt is just a
246 * random number whereas length is the value 256 in little
247 * endian format.
248 */
249 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
250 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
251 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
252 const u8 length[2] = { 0x00, 0x01 };
253 u8 m[53], t[16];
254 int err;
255
256 SMP_DBG("w %32phN", w);
257 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
258 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
259
260 err = aes_cmac(tfm_cmac, salt, w, 32, t);
261 if (err)
262 return err;
263
264 SMP_DBG("t %16phN", t);
265
266 memcpy(m, length, 2);
267 memcpy(m + 2, a2, 7);
268 memcpy(m + 9, a1, 7);
269 memcpy(m + 16, n2, 16);
270 memcpy(m + 32, n1, 16);
271 memcpy(m + 48, btle, 4);
272
273 m[52] = 0; /* Counter */
274
275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
276 if (err)
277 return err;
278
279 SMP_DBG("mackey %16phN", mackey);
280
281 m[52] = 1; /* Counter */
282
283 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
284 if (err)
285 return err;
286
287 SMP_DBG("ltk %16phN", ltk);
288
289 return 0;
290 }
291
292 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
293 const u8 n1[16], const u8 n2[16], const u8 r[16],
294 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
295 u8 res[16])
296 {
297 u8 m[65];
298 int err;
299
300 SMP_DBG("w %16phN", w);
301 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
302 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
303
304 memcpy(m, a2, 7);
305 memcpy(m + 7, a1, 7);
306 memcpy(m + 14, io_cap, 3);
307 memcpy(m + 17, r, 16);
308 memcpy(m + 33, n2, 16);
309 memcpy(m + 49, n1, 16);
310
311 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
312 if (err)
313 return err;
314
315 SMP_DBG("res %16phN", res);
316
317 return err;
318 }
319
320 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
321 const u8 x[16], const u8 y[16], u32 *val)
322 {
323 u8 m[80], tmp[16];
324 int err;
325
326 SMP_DBG("u %32phN", u);
327 SMP_DBG("v %32phN", v);
328 SMP_DBG("x %16phN y %16phN", x, y);
329
330 memcpy(m, y, 16);
331 memcpy(m + 16, v, 32);
332 memcpy(m + 48, u, 32);
333
334 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
335 if (err)
336 return err;
337
338 *val = get_unaligned_le32(tmp);
339 *val %= 1000000;
340
341 SMP_DBG("val %06u", *val);
342
343 return 0;
344 }
345
346 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
347 const u8 key_id[4], u8 res[16])
348 {
349 int err;
350
351 SMP_DBG("w %16phN key_id %4phN", w, key_id);
352
353 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
354 if (err)
355 return err;
356
357 SMP_DBG("res %16phN", res);
358
359 return err;
360 }
361
362 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
363 const u8 salt[16], u8 res[16])
364 {
365 int err;
366
367 SMP_DBG("w %16phN salt %16phN", w, salt);
368
369 err = aes_cmac(tfm_cmac, salt, w, 16, res);
370 if (err)
371 return err;
372
373 SMP_DBG("res %16phN", res);
374
375 return err;
376 }
377
378 /* The following functions map to the legacy SMP crypto functions e, c1,
379 * s1 and ah.
380 */
381
382 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
383 {
384 uint8_t tmp[16], data[16];
385 int err;
386
387 SMP_DBG("k %16phN r %16phN", k, r);
388
389 if (!tfm) {
390 BT_ERR("tfm %p", tfm);
391 return -EINVAL;
392 }
393
394 /* The most significant octet of key corresponds to k[0] */
395 swap_buf(k, tmp, 16);
396
397 err = crypto_cipher_setkey(tfm, tmp, 16);
398 if (err) {
399 BT_ERR("cipher setkey failed: %d", err);
400 return err;
401 }
402
403 /* Most significant octet of plaintextData corresponds to data[0] */
404 swap_buf(r, data, 16);
405
406 crypto_cipher_encrypt_one(tfm, data, data);
407
408 /* Most significant octet of encryptedData corresponds to data[0] */
409 swap_buf(data, r, 16);
410
411 SMP_DBG("r %16phN", r);
412
413 return err;
414 }
415
416 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
417 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
419 {
420 u8 p1[16], p2[16];
421 int err;
422
423 SMP_DBG("k %16phN r %16phN", k, r);
424 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425 SMP_DBG("preq %7phN pres %7phN", preq, pres);
426
427 memset(p1, 0, 16);
428
429 /* p1 = pres || preq || _rat || _iat */
430 p1[0] = _iat;
431 p1[1] = _rat;
432 memcpy(p1 + 2, preq, 7);
433 memcpy(p1 + 9, pres, 7);
434
435 SMP_DBG("p1 %16phN", p1);
436
437 /* res = r XOR p1 */
438 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
439
440 /* res = e(k, res) */
441 err = smp_e(tfm_aes, k, res);
442 if (err) {
443 BT_ERR("Encrypt data error");
444 return err;
445 }
446
447 /* p2 = padding || ia || ra */
448 memcpy(p2, ra, 6);
449 memcpy(p2 + 6, ia, 6);
450 memset(p2 + 12, 0, 4);
451
452 SMP_DBG("p2 %16phN", p2);
453
454 /* res = res XOR p2 */
455 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
456
457 /* res = e(k, res) */
458 err = smp_e(tfm_aes, k, res);
459 if (err)
460 BT_ERR("Encrypt data error");
461
462 return err;
463 }
464
465 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
466 const u8 r1[16], const u8 r2[16], u8 _r[16])
467 {
468 int err;
469
470 /* Just least significant octets from r1 and r2 are considered */
471 memcpy(_r, r2, 8);
472 memcpy(_r + 8, r1, 8);
473
474 err = smp_e(tfm_aes, k, _r);
475 if (err)
476 BT_ERR("Encrypt data error");
477
478 return err;
479 }
480
481 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
482 const u8 r[3], u8 res[3])
483 {
484 u8 _res[16];
485 int err;
486
487 /* r' = padding || r */
488 memcpy(_res, r, 3);
489 memset(_res + 3, 0, 13);
490
491 err = smp_e(tfm, irk, _res);
492 if (err) {
493 BT_ERR("Encrypt error");
494 return err;
495 }
496
497 /* The output of the random address function ah is:
498 * ah(k, r) = e(k, r') mod 2^24
499 * The output of the security function e is then truncated to 24 bits
500 * by taking the least significant 24 bits of the output of e as the
501 * result of ah.
502 */
503 memcpy(res, _res, 3);
504
505 return 0;
506 }
507
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509 const bdaddr_t *bdaddr)
510 {
511 struct l2cap_chan *chan = hdev->smp_data;
512 struct smp_dev *smp;
513 u8 hash[3];
514 int err;
515
516 if (!chan || !chan->data)
517 return false;
518
519 smp = chan->data;
520
521 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
522
523 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
524 if (err)
525 return false;
526
527 return !crypto_memneq(bdaddr->b, hash, 3);
528 }
529
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
531 {
532 struct l2cap_chan *chan = hdev->smp_data;
533 struct smp_dev *smp;
534 int err;
535
536 if (!chan || !chan->data)
537 return -EOPNOTSUPP;
538
539 smp = chan->data;
540
541 get_random_bytes(&rpa->b[3], 3);
542
543 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
544 rpa->b[5] |= 0x40; /* Set second most significant bit */
545
546 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
547 if (err < 0)
548 return err;
549
550 BT_DBG("RPA %pMR", rpa);
551
552 return 0;
553 }
554
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
556 {
557 struct l2cap_chan *chan = hdev->smp_data;
558 struct smp_dev *smp;
559 int err;
560
561 if (!chan || !chan->data)
562 return -EOPNOTSUPP;
563
564 smp = chan->data;
565
566 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567 BT_DBG("Using debug keys");
568 memcpy(smp->local_pk, debug_pk, 64);
569 memcpy(smp->local_sk, debug_sk, 32);
570 smp->debug_key = true;
571 } else {
572 while (true) {
573 /* Seed private key with random number */
574 get_random_bytes(smp->local_sk, 32);
575
576 /* Generate local key pair for Secure Connections */
577 if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
578 return -EIO;
579
580 /* This is unlikely, but we need to check that
581 * we didn't accidentially generate a debug key.
582 */
583 if (crypto_memneq(smp->local_sk, debug_sk, 32))
584 break;
585 }
586 smp->debug_key = false;
587 }
588
589 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
590 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
591 SMP_DBG("OOB Private Key: %32phN", smp->local_sk);
592
593 get_random_bytes(smp->local_rand, 16);
594
595 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
596 smp->local_rand, 0, hash);
597 if (err < 0)
598 return err;
599
600 memcpy(rand, smp->local_rand, 16);
601
602 return 0;
603 }
604
605 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
606 {
607 struct l2cap_chan *chan = conn->smp;
608 struct smp_chan *smp;
609 struct kvec iv[2];
610 struct msghdr msg;
611
612 if (!chan)
613 return;
614
615 BT_DBG("code 0x%2.2x", code);
616
617 iv[0].iov_base = &code;
618 iv[0].iov_len = 1;
619
620 iv[1].iov_base = data;
621 iv[1].iov_len = len;
622
623 memset(&msg, 0, sizeof(msg));
624
625 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
626
627 l2cap_chan_send(chan, &msg, 1 + len);
628
629 if (!chan->data)
630 return;
631
632 smp = chan->data;
633
634 cancel_delayed_work_sync(&smp->security_timer);
635 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
636 }
637
638 static u8 authreq_to_seclevel(u8 authreq)
639 {
640 if (authreq & SMP_AUTH_MITM) {
641 if (authreq & SMP_AUTH_SC)
642 return BT_SECURITY_FIPS;
643 else
644 return BT_SECURITY_HIGH;
645 } else {
646 return BT_SECURITY_MEDIUM;
647 }
648 }
649
650 static __u8 seclevel_to_authreq(__u8 sec_level)
651 {
652 switch (sec_level) {
653 case BT_SECURITY_FIPS:
654 case BT_SECURITY_HIGH:
655 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
656 case BT_SECURITY_MEDIUM:
657 return SMP_AUTH_BONDING;
658 default:
659 return SMP_AUTH_NONE;
660 }
661 }
662
663 static void build_pairing_cmd(struct l2cap_conn *conn,
664 struct smp_cmd_pairing *req,
665 struct smp_cmd_pairing *rsp, __u8 authreq)
666 {
667 struct l2cap_chan *chan = conn->smp;
668 struct smp_chan *smp = chan->data;
669 struct hci_conn *hcon = conn->hcon;
670 struct hci_dev *hdev = hcon->hdev;
671 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
672
673 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
674 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
675 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
676 authreq |= SMP_AUTH_BONDING;
677 } else {
678 authreq &= ~SMP_AUTH_BONDING;
679 }
680
681 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
682 remote_dist |= SMP_DIST_ID_KEY;
683
684 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
685 local_dist |= SMP_DIST_ID_KEY;
686
687 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
688 (authreq & SMP_AUTH_SC)) {
689 struct oob_data *oob_data;
690 u8 bdaddr_type;
691
692 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
693 local_dist |= SMP_DIST_LINK_KEY;
694 remote_dist |= SMP_DIST_LINK_KEY;
695 }
696
697 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
698 bdaddr_type = BDADDR_LE_PUBLIC;
699 else
700 bdaddr_type = BDADDR_LE_RANDOM;
701
702 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
703 bdaddr_type);
704 if (oob_data && oob_data->present) {
705 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
706 oob_flag = SMP_OOB_PRESENT;
707 memcpy(smp->rr, oob_data->rand256, 16);
708 memcpy(smp->pcnf, oob_data->hash256, 16);
709 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
710 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
711 }
712
713 } else {
714 authreq &= ~SMP_AUTH_SC;
715 }
716
717 if (rsp == NULL) {
718 req->io_capability = conn->hcon->io_capability;
719 req->oob_flag = oob_flag;
720 req->max_key_size = SMP_DEV(hdev)->max_key_size;
721 req->init_key_dist = local_dist;
722 req->resp_key_dist = remote_dist;
723 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
724
725 smp->remote_key_dist = remote_dist;
726 return;
727 }
728
729 rsp->io_capability = conn->hcon->io_capability;
730 rsp->oob_flag = oob_flag;
731 rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
732 rsp->init_key_dist = req->init_key_dist & remote_dist;
733 rsp->resp_key_dist = req->resp_key_dist & local_dist;
734 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
735
736 smp->remote_key_dist = rsp->init_key_dist;
737 }
738
739 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
740 {
741 struct l2cap_chan *chan = conn->smp;
742 struct hci_dev *hdev = conn->hcon->hdev;
743 struct smp_chan *smp = chan->data;
744
745 if (max_key_size > SMP_DEV(hdev)->max_key_size ||
746 max_key_size < SMP_MIN_ENC_KEY_SIZE)
747 return SMP_ENC_KEY_SIZE;
748
749 smp->enc_key_size = max_key_size;
750
751 return 0;
752 }
753
754 static void smp_chan_destroy(struct l2cap_conn *conn)
755 {
756 struct l2cap_chan *chan = conn->smp;
757 struct smp_chan *smp = chan->data;
758 struct hci_conn *hcon = conn->hcon;
759 bool complete;
760
761 BUG_ON(!smp);
762
763 cancel_delayed_work_sync(&smp->security_timer);
764
765 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
766 mgmt_smp_complete(hcon, complete);
767
768 kzfree(smp->csrk);
769 kzfree(smp->slave_csrk);
770 kzfree(smp->link_key);
771
772 crypto_free_cipher(smp->tfm_aes);
773 crypto_free_shash(smp->tfm_cmac);
774
775 /* Ensure that we don't leave any debug key around if debug key
776 * support hasn't been explicitly enabled.
777 */
778 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
779 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
780 list_del_rcu(&smp->ltk->list);
781 kfree_rcu(smp->ltk, rcu);
782 smp->ltk = NULL;
783 }
784
785 /* If pairing failed clean up any keys we might have */
786 if (!complete) {
787 if (smp->ltk) {
788 list_del_rcu(&smp->ltk->list);
789 kfree_rcu(smp->ltk, rcu);
790 }
791
792 if (smp->slave_ltk) {
793 list_del_rcu(&smp->slave_ltk->list);
794 kfree_rcu(smp->slave_ltk, rcu);
795 }
796
797 if (smp->remote_irk) {
798 list_del_rcu(&smp->remote_irk->list);
799 kfree_rcu(smp->remote_irk, rcu);
800 }
801 }
802
803 chan->data = NULL;
804 kzfree(smp);
805 hci_conn_drop(hcon);
806 }
807
808 static void smp_failure(struct l2cap_conn *conn, u8 reason)
809 {
810 struct hci_conn *hcon = conn->hcon;
811 struct l2cap_chan *chan = conn->smp;
812
813 if (reason)
814 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
815 &reason);
816
817 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
818
819 if (chan->data)
820 smp_chan_destroy(conn);
821 }
822
823 #define JUST_WORKS 0x00
824 #define JUST_CFM 0x01
825 #define REQ_PASSKEY 0x02
826 #define CFM_PASSKEY 0x03
827 #define REQ_OOB 0x04
828 #define DSP_PASSKEY 0x05
829 #define OVERLAP 0xFF
830
831 static const u8 gen_method[5][5] = {
832 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
836 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
837 };
838
839 static const u8 sc_method[5][5] = {
840 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
844 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
845 };
846
847 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
848 {
849 /* If either side has unknown io_caps, use JUST_CFM (which gets
850 * converted later to JUST_WORKS if we're initiators.
851 */
852 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 remote_io > SMP_IO_KEYBOARD_DISPLAY)
854 return JUST_CFM;
855
856 if (test_bit(SMP_FLAG_SC, &smp->flags))
857 return sc_method[remote_io][local_io];
858
859 return gen_method[remote_io][local_io];
860 }
861
862 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 u8 local_io, u8 remote_io)
864 {
865 struct hci_conn *hcon = conn->hcon;
866 struct l2cap_chan *chan = conn->smp;
867 struct smp_chan *smp = chan->data;
868 u32 passkey = 0;
869 int ret = 0;
870
871 /* Initialize key for JUST WORKS */
872 memset(smp->tk, 0, sizeof(smp->tk));
873 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
874
875 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
876
877 /* If neither side wants MITM, either "just" confirm an incoming
878 * request or use just-works for outgoing ones. The JUST_CFM
879 * will be converted to JUST_WORKS if necessary later in this
880 * function. If either side has MITM look up the method from the
881 * table.
882 */
883 if (!(auth & SMP_AUTH_MITM))
884 smp->method = JUST_CFM;
885 else
886 smp->method = get_auth_method(smp, local_io, remote_io);
887
888 /* Don't confirm locally initiated pairing attempts */
889 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
890 &smp->flags))
891 smp->method = JUST_WORKS;
892
893 /* Don't bother user space with no IO capabilities */
894 if (smp->method == JUST_CFM &&
895 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 smp->method = JUST_WORKS;
897
898 /* If Just Works, Continue with Zero TK */
899 if (smp->method == JUST_WORKS) {
900 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
901 return 0;
902 }
903
904 /* If this function is used for SC -> legacy fallback we
905 * can only recover the just-works case.
906 */
907 if (test_bit(SMP_FLAG_SC, &smp->flags))
908 return -EINVAL;
909
910 /* Not Just Works/Confirm results in MITM Authentication */
911 if (smp->method != JUST_CFM) {
912 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
913 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 hcon->pending_sec_level = BT_SECURITY_HIGH;
915 }
916
917 /* If both devices have Keyoard-Display I/O, the master
918 * Confirms and the slave Enters the passkey.
919 */
920 if (smp->method == OVERLAP) {
921 if (hcon->role == HCI_ROLE_MASTER)
922 smp->method = CFM_PASSKEY;
923 else
924 smp->method = REQ_PASSKEY;
925 }
926
927 /* Generate random passkey. */
928 if (smp->method == CFM_PASSKEY) {
929 memset(smp->tk, 0, sizeof(smp->tk));
930 get_random_bytes(&passkey, sizeof(passkey));
931 passkey %= 1000000;
932 put_unaligned_le32(passkey, smp->tk);
933 BT_DBG("PassKey: %d", passkey);
934 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
935 }
936
937 if (smp->method == REQ_PASSKEY)
938 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
939 hcon->type, hcon->dst_type);
940 else if (smp->method == JUST_CFM)
941 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 hcon->type, hcon->dst_type,
943 passkey, 1);
944 else
945 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
946 hcon->type, hcon->dst_type,
947 passkey, 0);
948
949 return ret;
950 }
951
952 static u8 smp_confirm(struct smp_chan *smp)
953 {
954 struct l2cap_conn *conn = smp->conn;
955 struct smp_cmd_pairing_confirm cp;
956 int ret;
957
958 BT_DBG("conn %p", conn);
959
960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
961 conn->hcon->init_addr_type, &conn->hcon->init_addr,
962 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
963 cp.confirm_val);
964 if (ret)
965 return SMP_UNSPECIFIED;
966
967 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
968
969 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
970
971 if (conn->hcon->out)
972 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
973 else
974 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
975
976 return 0;
977 }
978
979 static u8 smp_random(struct smp_chan *smp)
980 {
981 struct l2cap_conn *conn = smp->conn;
982 struct hci_conn *hcon = conn->hcon;
983 u8 confirm[16];
984 int ret;
985
986 if (IS_ERR_OR_NULL(smp->tfm_aes))
987 return SMP_UNSPECIFIED;
988
989 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
990
991 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
992 hcon->init_addr_type, &hcon->init_addr,
993 hcon->resp_addr_type, &hcon->resp_addr, confirm);
994 if (ret)
995 return SMP_UNSPECIFIED;
996
997 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
998 BT_ERR("Pairing failed (confirmation values mismatch)");
999 return SMP_CONFIRM_FAILED;
1000 }
1001
1002 if (hcon->out) {
1003 u8 stk[16];
1004 __le64 rand = 0;
1005 __le16 ediv = 0;
1006
1007 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1008
1009 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1010 return SMP_UNSPECIFIED;
1011
1012 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1013 hcon->enc_key_size = smp->enc_key_size;
1014 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1015 } else {
1016 u8 stk[16], auth;
1017 __le64 rand = 0;
1018 __le16 ediv = 0;
1019
1020 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1021 smp->prnd);
1022
1023 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1024
1025 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1026 auth = 1;
1027 else
1028 auth = 0;
1029
1030 /* Even though there's no _SLAVE suffix this is the
1031 * slave STK we're adding for later lookup (the master
1032 * STK never needs to be stored).
1033 */
1034 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1035 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1036 }
1037
1038 return 0;
1039 }
1040
1041 static void smp_notify_keys(struct l2cap_conn *conn)
1042 {
1043 struct l2cap_chan *chan = conn->smp;
1044 struct smp_chan *smp = chan->data;
1045 struct hci_conn *hcon = conn->hcon;
1046 struct hci_dev *hdev = hcon->hdev;
1047 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1048 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1049 bool persistent;
1050
1051 if (hcon->type == ACL_LINK) {
1052 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1053 persistent = false;
1054 else
1055 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1056 &hcon->flags);
1057 } else {
1058 /* The LTKs, IRKs and CSRKs should be persistent only if
1059 * both sides had the bonding bit set in their
1060 * authentication requests.
1061 */
1062 persistent = !!((req->auth_req & rsp->auth_req) &
1063 SMP_AUTH_BONDING);
1064 }
1065
1066 if (smp->remote_irk) {
1067 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1068
1069 /* Now that user space can be considered to know the
1070 * identity address track the connection based on it
1071 * from now on (assuming this is an LE link).
1072 */
1073 if (hcon->type == LE_LINK) {
1074 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1075 hcon->dst_type = smp->remote_irk->addr_type;
1076 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1077 }
1078 }
1079
1080 if (smp->csrk) {
1081 smp->csrk->bdaddr_type = hcon->dst_type;
1082 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1083 mgmt_new_csrk(hdev, smp->csrk, persistent);
1084 }
1085
1086 if (smp->slave_csrk) {
1087 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1088 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1089 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1090 }
1091
1092 if (smp->ltk) {
1093 smp->ltk->bdaddr_type = hcon->dst_type;
1094 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1095 mgmt_new_ltk(hdev, smp->ltk, persistent);
1096 }
1097
1098 if (smp->slave_ltk) {
1099 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1100 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1101 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1102 }
1103
1104 if (smp->link_key) {
1105 struct link_key *key;
1106 u8 type;
1107
1108 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109 type = HCI_LK_DEBUG_COMBINATION;
1110 else if (hcon->sec_level == BT_SECURITY_FIPS)
1111 type = HCI_LK_AUTH_COMBINATION_P256;
1112 else
1113 type = HCI_LK_UNAUTH_COMBINATION_P256;
1114
1115 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1116 smp->link_key, type, 0, &persistent);
1117 if (key) {
1118 mgmt_new_link_key(hdev, key, persistent);
1119
1120 /* Don't keep debug keys around if the relevant
1121 * flag is not set.
1122 */
1123 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124 key->type == HCI_LK_DEBUG_COMBINATION) {
1125 list_del_rcu(&key->list);
1126 kfree_rcu(key, rcu);
1127 }
1128 }
1129 }
1130 }
1131
1132 static void sc_add_ltk(struct smp_chan *smp)
1133 {
1134 struct hci_conn *hcon = smp->conn->hcon;
1135 u8 key_type, auth;
1136
1137 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138 key_type = SMP_LTK_P256_DEBUG;
1139 else
1140 key_type = SMP_LTK_P256;
1141
1142 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1143 auth = 1;
1144 else
1145 auth = 0;
1146
1147 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1148 key_type, auth, smp->tk, smp->enc_key_size,
1149 0, 0);
1150 }
1151
1152 static void sc_generate_link_key(struct smp_chan *smp)
1153 {
1154 /* From core spec. Spells out in ASCII as 'lebr'. */
1155 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1156
1157 smp->link_key = kzalloc(16, GFP_KERNEL);
1158 if (!smp->link_key)
1159 return;
1160
1161 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1162 /* SALT = 0x00000000000000000000000000000000746D7031 */
1163 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1164
1165 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1166 kzfree(smp->link_key);
1167 smp->link_key = NULL;
1168 return;
1169 }
1170 } else {
1171 /* From core spec. Spells out in ASCII as 'tmp1'. */
1172 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1173
1174 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1175 kzfree(smp->link_key);
1176 smp->link_key = NULL;
1177 return;
1178 }
1179 }
1180
1181 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1182 kzfree(smp->link_key);
1183 smp->link_key = NULL;
1184 return;
1185 }
1186 }
1187
1188 static void smp_allow_key_dist(struct smp_chan *smp)
1189 {
1190 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1191 * will be allowed in each PDU handler to ensure we receive
1192 * them in the correct order.
1193 */
1194 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1195 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1196 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1197 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1198 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1199 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1200 }
1201
1202 static void sc_generate_ltk(struct smp_chan *smp)
1203 {
1204 /* From core spec. Spells out in ASCII as 'brle'. */
1205 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1206 struct hci_conn *hcon = smp->conn->hcon;
1207 struct hci_dev *hdev = hcon->hdev;
1208 struct link_key *key;
1209
1210 key = hci_find_link_key(hdev, &hcon->dst);
1211 if (!key) {
1212 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1213 return;
1214 }
1215
1216 if (key->type == HCI_LK_DEBUG_COMBINATION)
1217 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1218
1219 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1220 /* SALT = 0x00000000000000000000000000000000746D7032 */
1221 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1222
1223 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1224 return;
1225 } else {
1226 /* From core spec. Spells out in ASCII as 'tmp2'. */
1227 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1228
1229 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1230 return;
1231 }
1232
1233 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1234 return;
1235
1236 sc_add_ltk(smp);
1237 }
1238
1239 static void smp_distribute_keys(struct smp_chan *smp)
1240 {
1241 struct smp_cmd_pairing *req, *rsp;
1242 struct l2cap_conn *conn = smp->conn;
1243 struct hci_conn *hcon = conn->hcon;
1244 struct hci_dev *hdev = hcon->hdev;
1245 __u8 *keydist;
1246
1247 BT_DBG("conn %p", conn);
1248
1249 rsp = (void *) &smp->prsp[1];
1250
1251 /* The responder sends its keys first */
1252 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1253 smp_allow_key_dist(smp);
1254 return;
1255 }
1256
1257 req = (void *) &smp->preq[1];
1258
1259 if (hcon->out) {
1260 keydist = &rsp->init_key_dist;
1261 *keydist &= req->init_key_dist;
1262 } else {
1263 keydist = &rsp->resp_key_dist;
1264 *keydist &= req->resp_key_dist;
1265 }
1266
1267 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1268 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1269 sc_generate_link_key(smp);
1270 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1271 sc_generate_ltk(smp);
1272
1273 /* Clear the keys which are generated but not distributed */
1274 *keydist &= ~SMP_SC_NO_DIST;
1275 }
1276
1277 BT_DBG("keydist 0x%x", *keydist);
1278
1279 if (*keydist & SMP_DIST_ENC_KEY) {
1280 struct smp_cmd_encrypt_info enc;
1281 struct smp_cmd_master_ident ident;
1282 struct smp_ltk *ltk;
1283 u8 authenticated;
1284 __le16 ediv;
1285 __le64 rand;
1286
1287 /* Make sure we generate only the significant amount of
1288 * bytes based on the encryption key size, and set the rest
1289 * of the value to zeroes.
1290 */
1291 get_random_bytes(enc.ltk, smp->enc_key_size);
1292 memset(enc.ltk + smp->enc_key_size, 0,
1293 sizeof(enc.ltk) - smp->enc_key_size);
1294
1295 get_random_bytes(&ediv, sizeof(ediv));
1296 get_random_bytes(&rand, sizeof(rand));
1297
1298 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1299
1300 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1302 SMP_LTK_SLAVE, authenticated, enc.ltk,
1303 smp->enc_key_size, ediv, rand);
1304 smp->slave_ltk = ltk;
1305
1306 ident.ediv = ediv;
1307 ident.rand = rand;
1308
1309 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1310
1311 *keydist &= ~SMP_DIST_ENC_KEY;
1312 }
1313
1314 if (*keydist & SMP_DIST_ID_KEY) {
1315 struct smp_cmd_ident_addr_info addrinfo;
1316 struct smp_cmd_ident_info idinfo;
1317
1318 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1319
1320 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1321
1322 /* The hci_conn contains the local identity address
1323 * after the connection has been established.
1324 *
1325 * This is true even when the connection has been
1326 * established using a resolvable random address.
1327 */
1328 bacpy(&addrinfo.bdaddr, &hcon->src);
1329 addrinfo.addr_type = hcon->src_type;
1330
1331 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1332 &addrinfo);
1333
1334 *keydist &= ~SMP_DIST_ID_KEY;
1335 }
1336
1337 if (*keydist & SMP_DIST_SIGN) {
1338 struct smp_cmd_sign_info sign;
1339 struct smp_csrk *csrk;
1340
1341 /* Generate a new random key */
1342 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1343
1344 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1345 if (csrk) {
1346 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1347 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1348 else
1349 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1350 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1351 }
1352 smp->slave_csrk = csrk;
1353
1354 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1355
1356 *keydist &= ~SMP_DIST_SIGN;
1357 }
1358
1359 /* If there are still keys to be received wait for them */
1360 if (smp->remote_key_dist & KEY_DIST_MASK) {
1361 smp_allow_key_dist(smp);
1362 return;
1363 }
1364
1365 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1366 smp_notify_keys(conn);
1367
1368 smp_chan_destroy(conn);
1369 }
1370
1371 static void smp_timeout(struct work_struct *work)
1372 {
1373 struct smp_chan *smp = container_of(work, struct smp_chan,
1374 security_timer.work);
1375 struct l2cap_conn *conn = smp->conn;
1376
1377 BT_DBG("conn %p", conn);
1378
1379 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1380 }
1381
1382 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1383 {
1384 struct l2cap_chan *chan = conn->smp;
1385 struct smp_chan *smp;
1386
1387 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1388 if (!smp)
1389 return NULL;
1390
1391 smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1392 if (IS_ERR(smp->tfm_aes)) {
1393 BT_ERR("Unable to create AES crypto context");
1394 kzfree(smp);
1395 return NULL;
1396 }
1397
1398 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399 if (IS_ERR(smp->tfm_cmac)) {
1400 BT_ERR("Unable to create CMAC crypto context");
1401 crypto_free_cipher(smp->tfm_aes);
1402 kzfree(smp);
1403 return NULL;
1404 }
1405
1406 smp->conn = conn;
1407 chan->data = smp;
1408
1409 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1410
1411 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1412
1413 hci_conn_hold(conn->hcon);
1414
1415 return smp;
1416 }
1417
1418 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1419 {
1420 struct hci_conn *hcon = smp->conn->hcon;
1421 u8 *na, *nb, a[7], b[7];
1422
1423 if (hcon->out) {
1424 na = smp->prnd;
1425 nb = smp->rrnd;
1426 } else {
1427 na = smp->rrnd;
1428 nb = smp->prnd;
1429 }
1430
1431 memcpy(a, &hcon->init_addr, 6);
1432 memcpy(b, &hcon->resp_addr, 6);
1433 a[6] = hcon->init_addr_type;
1434 b[6] = hcon->resp_addr_type;
1435
1436 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1437 }
1438
1439 static void sc_dhkey_check(struct smp_chan *smp)
1440 {
1441 struct hci_conn *hcon = smp->conn->hcon;
1442 struct smp_cmd_dhkey_check check;
1443 u8 a[7], b[7], *local_addr, *remote_addr;
1444 u8 io_cap[3], r[16];
1445
1446 memcpy(a, &hcon->init_addr, 6);
1447 memcpy(b, &hcon->resp_addr, 6);
1448 a[6] = hcon->init_addr_type;
1449 b[6] = hcon->resp_addr_type;
1450
1451 if (hcon->out) {
1452 local_addr = a;
1453 remote_addr = b;
1454 memcpy(io_cap, &smp->preq[1], 3);
1455 } else {
1456 local_addr = b;
1457 remote_addr = a;
1458 memcpy(io_cap, &smp->prsp[1], 3);
1459 }
1460
1461 memset(r, 0, sizeof(r));
1462
1463 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1464 put_unaligned_le32(hcon->passkey_notify, r);
1465
1466 if (smp->method == REQ_OOB)
1467 memcpy(r, smp->rr, 16);
1468
1469 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1470 local_addr, remote_addr, check.e);
1471
1472 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1473 }
1474
1475 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1476 {
1477 struct l2cap_conn *conn = smp->conn;
1478 struct hci_conn *hcon = conn->hcon;
1479 struct smp_cmd_pairing_confirm cfm;
1480 u8 r;
1481
1482 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1483 r |= 0x80;
1484
1485 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1486
1487 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1488 cfm.confirm_val))
1489 return SMP_UNSPECIFIED;
1490
1491 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1492
1493 return 0;
1494 }
1495
1496 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1497 {
1498 struct l2cap_conn *conn = smp->conn;
1499 struct hci_conn *hcon = conn->hcon;
1500 struct hci_dev *hdev = hcon->hdev;
1501 u8 cfm[16], r;
1502
1503 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1504 if (smp->passkey_round >= 20)
1505 return 0;
1506
1507 switch (smp_op) {
1508 case SMP_CMD_PAIRING_RANDOM:
1509 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1510 r |= 0x80;
1511
1512 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1513 smp->rrnd, r, cfm))
1514 return SMP_UNSPECIFIED;
1515
1516 if (crypto_memneq(smp->pcnf, cfm, 16))
1517 return SMP_CONFIRM_FAILED;
1518
1519 smp->passkey_round++;
1520
1521 if (smp->passkey_round == 20) {
1522 /* Generate MacKey and LTK */
1523 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1524 return SMP_UNSPECIFIED;
1525 }
1526
1527 /* The round is only complete when the initiator
1528 * receives pairing random.
1529 */
1530 if (!hcon->out) {
1531 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1532 sizeof(smp->prnd), smp->prnd);
1533 if (smp->passkey_round == 20)
1534 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1535 else
1536 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1537 return 0;
1538 }
1539
1540 /* Start the next round */
1541 if (smp->passkey_round != 20)
1542 return sc_passkey_round(smp, 0);
1543
1544 /* Passkey rounds are complete - start DHKey Check */
1545 sc_dhkey_check(smp);
1546 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547
1548 break;
1549
1550 case SMP_CMD_PAIRING_CONFIRM:
1551 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1552 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1553 return 0;
1554 }
1555
1556 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1557
1558 if (hcon->out) {
1559 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1560 sizeof(smp->prnd), smp->prnd);
1561 return 0;
1562 }
1563
1564 return sc_passkey_send_confirm(smp);
1565
1566 case SMP_CMD_PUBLIC_KEY:
1567 default:
1568 /* Initiating device starts the round */
1569 if (!hcon->out)
1570 return 0;
1571
1572 BT_DBG("%s Starting passkey round %u", hdev->name,
1573 smp->passkey_round + 1);
1574
1575 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1576
1577 return sc_passkey_send_confirm(smp);
1578 }
1579
1580 return 0;
1581 }
1582
1583 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1584 {
1585 struct l2cap_conn *conn = smp->conn;
1586 struct hci_conn *hcon = conn->hcon;
1587 u8 smp_op;
1588
1589 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1590
1591 switch (mgmt_op) {
1592 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1593 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1594 return 0;
1595 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1596 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1597 return 0;
1598 case MGMT_OP_USER_PASSKEY_REPLY:
1599 hcon->passkey_notify = le32_to_cpu(passkey);
1600 smp->passkey_round = 0;
1601
1602 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1603 smp_op = SMP_CMD_PAIRING_CONFIRM;
1604 else
1605 smp_op = 0;
1606
1607 if (sc_passkey_round(smp, smp_op))
1608 return -EIO;
1609
1610 return 0;
1611 }
1612
1613 /* Initiator sends DHKey check first */
1614 if (hcon->out) {
1615 sc_dhkey_check(smp);
1616 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1617 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1618 sc_dhkey_check(smp);
1619 sc_add_ltk(smp);
1620 }
1621
1622 return 0;
1623 }
1624
1625 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1626 {
1627 struct l2cap_conn *conn = hcon->l2cap_data;
1628 struct l2cap_chan *chan;
1629 struct smp_chan *smp;
1630 u32 value;
1631 int err;
1632
1633 BT_DBG("");
1634
1635 if (!conn)
1636 return -ENOTCONN;
1637
1638 chan = conn->smp;
1639 if (!chan)
1640 return -ENOTCONN;
1641
1642 l2cap_chan_lock(chan);
1643 if (!chan->data) {
1644 err = -ENOTCONN;
1645 goto unlock;
1646 }
1647
1648 smp = chan->data;
1649
1650 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1651 err = sc_user_reply(smp, mgmt_op, passkey);
1652 goto unlock;
1653 }
1654
1655 switch (mgmt_op) {
1656 case MGMT_OP_USER_PASSKEY_REPLY:
1657 value = le32_to_cpu(passkey);
1658 memset(smp->tk, 0, sizeof(smp->tk));
1659 BT_DBG("PassKey: %d", value);
1660 put_unaligned_le32(value, smp->tk);
1661 /* Fall Through */
1662 case MGMT_OP_USER_CONFIRM_REPLY:
1663 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1664 break;
1665 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1666 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1667 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668 err = 0;
1669 goto unlock;
1670 default:
1671 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1672 err = -EOPNOTSUPP;
1673 goto unlock;
1674 }
1675
1676 err = 0;
1677
1678 /* If it is our turn to send Pairing Confirm, do so now */
1679 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1680 u8 rsp = smp_confirm(smp);
1681 if (rsp)
1682 smp_failure(conn, rsp);
1683 }
1684
1685 unlock:
1686 l2cap_chan_unlock(chan);
1687 return err;
1688 }
1689
1690 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1691 struct smp_cmd_pairing *req,
1692 struct smp_cmd_pairing *rsp)
1693 {
1694 struct l2cap_conn *conn = smp->conn;
1695 struct hci_dev *hdev = conn->hcon->hdev;
1696 u8 local_dist = 0, remote_dist = 0;
1697
1698 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1699 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1700 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1701 }
1702
1703 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1704 remote_dist |= SMP_DIST_ID_KEY;
1705
1706 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1707 local_dist |= SMP_DIST_ID_KEY;
1708
1709 if (!rsp) {
1710 memset(req, 0, sizeof(*req));
1711
1712 req->auth_req = SMP_AUTH_CT2;
1713 req->init_key_dist = local_dist;
1714 req->resp_key_dist = remote_dist;
1715 req->max_key_size = conn->hcon->enc_key_size;
1716
1717 smp->remote_key_dist = remote_dist;
1718
1719 return;
1720 }
1721
1722 memset(rsp, 0, sizeof(*rsp));
1723
1724 rsp->auth_req = SMP_AUTH_CT2;
1725 rsp->max_key_size = conn->hcon->enc_key_size;
1726 rsp->init_key_dist = req->init_key_dist & remote_dist;
1727 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1728
1729 smp->remote_key_dist = rsp->init_key_dist;
1730 }
1731
1732 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1733 {
1734 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1735 struct l2cap_chan *chan = conn->smp;
1736 struct hci_dev *hdev = conn->hcon->hdev;
1737 struct smp_chan *smp;
1738 u8 key_size, auth, sec_level;
1739 int ret;
1740
1741 BT_DBG("conn %p", conn);
1742
1743 if (skb->len < sizeof(*req))
1744 return SMP_INVALID_PARAMS;
1745
1746 if (conn->hcon->role != HCI_ROLE_SLAVE)
1747 return SMP_CMD_NOTSUPP;
1748
1749 if (!chan->data)
1750 smp = smp_chan_create(conn);
1751 else
1752 smp = chan->data;
1753
1754 if (!smp)
1755 return SMP_UNSPECIFIED;
1756
1757 /* We didn't start the pairing, so match remote */
1758 auth = req->auth_req & AUTH_REQ_MASK(hdev);
1759
1760 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1761 (auth & SMP_AUTH_BONDING))
1762 return SMP_PAIRING_NOTSUPP;
1763
1764 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1765 return SMP_AUTH_REQUIREMENTS;
1766
1767 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1768 memcpy(&smp->preq[1], req, sizeof(*req));
1769 skb_pull(skb, sizeof(*req));
1770
1771 /* If the remote side's OOB flag is set it means it has
1772 * successfully received our local OOB data - therefore set the
1773 * flag to indicate that local OOB is in use.
1774 */
1775 if (req->oob_flag == SMP_OOB_PRESENT)
1776 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1777
1778 /* SMP over BR/EDR requires special treatment */
1779 if (conn->hcon->type == ACL_LINK) {
1780 /* We must have a BR/EDR SC link */
1781 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1782 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1783 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1784
1785 set_bit(SMP_FLAG_SC, &smp->flags);
1786
1787 build_bredr_pairing_cmd(smp, req, &rsp);
1788
1789 if (req->auth_req & SMP_AUTH_CT2)
1790 set_bit(SMP_FLAG_CT2, &smp->flags);
1791
1792 key_size = min(req->max_key_size, rsp.max_key_size);
1793 if (check_enc_key_size(conn, key_size))
1794 return SMP_ENC_KEY_SIZE;
1795
1796 /* Clear bits which are generated but not distributed */
1797 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1798
1799 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1800 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1801 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1802
1803 smp_distribute_keys(smp);
1804 return 0;
1805 }
1806
1807 build_pairing_cmd(conn, req, &rsp, auth);
1808
1809 if (rsp.auth_req & SMP_AUTH_SC) {
1810 set_bit(SMP_FLAG_SC, &smp->flags);
1811
1812 if (rsp.auth_req & SMP_AUTH_CT2)
1813 set_bit(SMP_FLAG_CT2, &smp->flags);
1814 }
1815
1816 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1817 sec_level = BT_SECURITY_MEDIUM;
1818 else
1819 sec_level = authreq_to_seclevel(auth);
1820
1821 if (sec_level > conn->hcon->pending_sec_level)
1822 conn->hcon->pending_sec_level = sec_level;
1823
1824 /* If we need MITM check that it can be achieved */
1825 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1826 u8 method;
1827
1828 method = get_auth_method(smp, conn->hcon->io_capability,
1829 req->io_capability);
1830 if (method == JUST_WORKS || method == JUST_CFM)
1831 return SMP_AUTH_REQUIREMENTS;
1832 }
1833
1834 key_size = min(req->max_key_size, rsp.max_key_size);
1835 if (check_enc_key_size(conn, key_size))
1836 return SMP_ENC_KEY_SIZE;
1837
1838 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1839
1840 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1841 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1842
1843 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1844
1845 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1846
1847 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1848 * SC case, however some implementations incorrectly copy RFU auth
1849 * req bits from our security request, which may create a false
1850 * positive SC enablement.
1851 */
1852 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1853
1854 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1855 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1856 /* Clear bits which are generated but not distributed */
1857 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858 /* Wait for Public Key from Initiating Device */
1859 return 0;
1860 }
1861
1862 /* Request setup of TK */
1863 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1864 if (ret)
1865 return SMP_UNSPECIFIED;
1866
1867 return 0;
1868 }
1869
1870 static u8 sc_send_public_key(struct smp_chan *smp)
1871 {
1872 struct hci_dev *hdev = smp->conn->hcon->hdev;
1873
1874 BT_DBG("");
1875
1876 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1877 struct l2cap_chan *chan = hdev->smp_data;
1878 struct smp_dev *smp_dev;
1879
1880 if (!chan || !chan->data)
1881 return SMP_UNSPECIFIED;
1882
1883 smp_dev = chan->data;
1884
1885 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1886 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1887 memcpy(smp->lr, smp_dev->local_rand, 16);
1888
1889 if (smp_dev->debug_key)
1890 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1891
1892 goto done;
1893 }
1894
1895 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1896 BT_DBG("Using debug keys");
1897 memcpy(smp->local_pk, debug_pk, 64);
1898 memcpy(smp->local_sk, debug_sk, 32);
1899 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1900 } else {
1901 while (true) {
1902 /* Seed private key with random number */
1903 get_random_bytes(smp->local_sk, 32);
1904
1905 /* Generate local key pair for Secure Connections */
1906 if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
1907 return SMP_UNSPECIFIED;
1908
1909 /* This is unlikely, but we need to check that
1910 * we didn't accidentially generate a debug key.
1911 */
1912 if (crypto_memneq(smp->local_sk, debug_sk, 32))
1913 break;
1914 }
1915 }
1916
1917 done:
1918 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1919 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1920 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
1921
1922 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1923
1924 return 0;
1925 }
1926
1927 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1928 {
1929 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1930 struct l2cap_chan *chan = conn->smp;
1931 struct smp_chan *smp = chan->data;
1932 struct hci_dev *hdev = conn->hcon->hdev;
1933 u8 key_size, auth;
1934 int ret;
1935
1936 BT_DBG("conn %p", conn);
1937
1938 if (skb->len < sizeof(*rsp))
1939 return SMP_INVALID_PARAMS;
1940
1941 if (conn->hcon->role != HCI_ROLE_MASTER)
1942 return SMP_CMD_NOTSUPP;
1943
1944 skb_pull(skb, sizeof(*rsp));
1945
1946 req = (void *) &smp->preq[1];
1947
1948 key_size = min(req->max_key_size, rsp->max_key_size);
1949 if (check_enc_key_size(conn, key_size))
1950 return SMP_ENC_KEY_SIZE;
1951
1952 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1953
1954 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1955 return SMP_AUTH_REQUIREMENTS;
1956
1957 /* If the remote side's OOB flag is set it means it has
1958 * successfully received our local OOB data - therefore set the
1959 * flag to indicate that local OOB is in use.
1960 */
1961 if (rsp->oob_flag == SMP_OOB_PRESENT)
1962 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1963
1964 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1965 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1966
1967 /* Update remote key distribution in case the remote cleared
1968 * some bits that we had enabled in our request.
1969 */
1970 smp->remote_key_dist &= rsp->resp_key_dist;
1971
1972 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1973 set_bit(SMP_FLAG_CT2, &smp->flags);
1974
1975 /* For BR/EDR this means we're done and can start phase 3 */
1976 if (conn->hcon->type == ACL_LINK) {
1977 /* Clear bits which are generated but not distributed */
1978 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1979 smp_distribute_keys(smp);
1980 return 0;
1981 }
1982
1983 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1984 set_bit(SMP_FLAG_SC, &smp->flags);
1985 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1986 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1987
1988 /* If we need MITM check that it can be achieved */
1989 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1990 u8 method;
1991
1992 method = get_auth_method(smp, req->io_capability,
1993 rsp->io_capability);
1994 if (method == JUST_WORKS || method == JUST_CFM)
1995 return SMP_AUTH_REQUIREMENTS;
1996 }
1997
1998 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1999
2000 /* Update remote key distribution in case the remote cleared
2001 * some bits that we had enabled in our request.
2002 */
2003 smp->remote_key_dist &= rsp->resp_key_dist;
2004
2005 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2006 /* Clear bits which are generated but not distributed */
2007 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2008 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2009 return sc_send_public_key(smp);
2010 }
2011
2012 auth |= req->auth_req;
2013
2014 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2015 if (ret)
2016 return SMP_UNSPECIFIED;
2017
2018 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2019
2020 /* Can't compose response until we have been confirmed */
2021 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2022 return smp_confirm(smp);
2023
2024 return 0;
2025 }
2026
2027 static u8 sc_check_confirm(struct smp_chan *smp)
2028 {
2029 struct l2cap_conn *conn = smp->conn;
2030
2031 BT_DBG("");
2032
2033 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2034 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2035
2036 if (conn->hcon->out) {
2037 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2038 smp->prnd);
2039 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2040 }
2041
2042 return 0;
2043 }
2044
2045 /* Work-around for some implementations that incorrectly copy RFU bits
2046 * from our security request and thereby create the impression that
2047 * we're doing SC when in fact the remote doesn't support it.
2048 */
2049 static int fixup_sc_false_positive(struct smp_chan *smp)
2050 {
2051 struct l2cap_conn *conn = smp->conn;
2052 struct hci_conn *hcon = conn->hcon;
2053 struct hci_dev *hdev = hcon->hdev;
2054 struct smp_cmd_pairing *req, *rsp;
2055 u8 auth;
2056
2057 /* The issue is only observed when we're in slave role */
2058 if (hcon->out)
2059 return SMP_UNSPECIFIED;
2060
2061 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2062 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2063 return SMP_UNSPECIFIED;
2064 }
2065
2066 BT_ERR("Trying to fall back to legacy SMP");
2067
2068 req = (void *) &smp->preq[1];
2069 rsp = (void *) &smp->prsp[1];
2070
2071 /* Rebuild key dist flags which may have been cleared for SC */
2072 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2073
2074 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2075
2076 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2077 BT_ERR("Failed to fall back to legacy SMP");
2078 return SMP_UNSPECIFIED;
2079 }
2080
2081 clear_bit(SMP_FLAG_SC, &smp->flags);
2082
2083 return 0;
2084 }
2085
2086 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2087 {
2088 struct l2cap_chan *chan = conn->smp;
2089 struct smp_chan *smp = chan->data;
2090
2091 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2092
2093 if (skb->len < sizeof(smp->pcnf))
2094 return SMP_INVALID_PARAMS;
2095
2096 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2097 skb_pull(skb, sizeof(smp->pcnf));
2098
2099 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2100 int ret;
2101
2102 /* Public Key exchange must happen before any other steps */
2103 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2104 return sc_check_confirm(smp);
2105
2106 BT_ERR("Unexpected SMP Pairing Confirm");
2107
2108 ret = fixup_sc_false_positive(smp);
2109 if (ret)
2110 return ret;
2111 }
2112
2113 if (conn->hcon->out) {
2114 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2115 smp->prnd);
2116 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2117 return 0;
2118 }
2119
2120 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2121 return smp_confirm(smp);
2122
2123 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2124
2125 return 0;
2126 }
2127
2128 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2129 {
2130 struct l2cap_chan *chan = conn->smp;
2131 struct smp_chan *smp = chan->data;
2132 struct hci_conn *hcon = conn->hcon;
2133 u8 *pkax, *pkbx, *na, *nb;
2134 u32 passkey;
2135 int err;
2136
2137 BT_DBG("conn %p", conn);
2138
2139 if (skb->len < sizeof(smp->rrnd))
2140 return SMP_INVALID_PARAMS;
2141
2142 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2143 skb_pull(skb, sizeof(smp->rrnd));
2144
2145 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2146 return smp_random(smp);
2147
2148 if (hcon->out) {
2149 pkax = smp->local_pk;
2150 pkbx = smp->remote_pk;
2151 na = smp->prnd;
2152 nb = smp->rrnd;
2153 } else {
2154 pkax = smp->remote_pk;
2155 pkbx = smp->local_pk;
2156 na = smp->rrnd;
2157 nb = smp->prnd;
2158 }
2159
2160 if (smp->method == REQ_OOB) {
2161 if (!hcon->out)
2162 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2163 sizeof(smp->prnd), smp->prnd);
2164 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165 goto mackey_and_ltk;
2166 }
2167
2168 /* Passkey entry has special treatment */
2169 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2170 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2171
2172 if (hcon->out) {
2173 u8 cfm[16];
2174
2175 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2176 smp->rrnd, 0, cfm);
2177 if (err)
2178 return SMP_UNSPECIFIED;
2179
2180 if (crypto_memneq(smp->pcnf, cfm, 16))
2181 return SMP_CONFIRM_FAILED;
2182 } else {
2183 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2184 smp->prnd);
2185 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2186 }
2187
2188 mackey_and_ltk:
2189 /* Generate MacKey and LTK */
2190 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2191 if (err)
2192 return SMP_UNSPECIFIED;
2193
2194 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2195 if (hcon->out) {
2196 sc_dhkey_check(smp);
2197 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2198 }
2199 return 0;
2200 }
2201
2202 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2203 if (err)
2204 return SMP_UNSPECIFIED;
2205
2206 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2207 hcon->dst_type, passkey, 0);
2208 if (err)
2209 return SMP_UNSPECIFIED;
2210
2211 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2212
2213 return 0;
2214 }
2215
2216 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2217 {
2218 struct smp_ltk *key;
2219 struct hci_conn *hcon = conn->hcon;
2220
2221 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2222 if (!key)
2223 return false;
2224
2225 if (smp_ltk_sec_level(key) < sec_level)
2226 return false;
2227
2228 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2229 return true;
2230
2231 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2232 hcon->enc_key_size = key->enc_size;
2233
2234 /* We never store STKs for master role, so clear this flag */
2235 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2236
2237 return true;
2238 }
2239
2240 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2241 enum smp_key_pref key_pref)
2242 {
2243 if (sec_level == BT_SECURITY_LOW)
2244 return true;
2245
2246 /* If we're encrypted with an STK but the caller prefers using
2247 * LTK claim insufficient security. This way we allow the
2248 * connection to be re-encrypted with an LTK, even if the LTK
2249 * provides the same level of security. Only exception is if we
2250 * don't have an LTK (e.g. because of key distribution bits).
2251 */
2252 if (key_pref == SMP_USE_LTK &&
2253 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2254 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2255 return false;
2256
2257 if (hcon->sec_level >= sec_level)
2258 return true;
2259
2260 return false;
2261 }
2262
2263 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2264 {
2265 struct smp_cmd_security_req *rp = (void *) skb->data;
2266 struct smp_cmd_pairing cp;
2267 struct hci_conn *hcon = conn->hcon;
2268 struct hci_dev *hdev = hcon->hdev;
2269 struct smp_chan *smp;
2270 u8 sec_level, auth;
2271
2272 BT_DBG("conn %p", conn);
2273
2274 if (skb->len < sizeof(*rp))
2275 return SMP_INVALID_PARAMS;
2276
2277 if (hcon->role != HCI_ROLE_MASTER)
2278 return SMP_CMD_NOTSUPP;
2279
2280 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2281
2282 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2283 return SMP_AUTH_REQUIREMENTS;
2284
2285 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2286 sec_level = BT_SECURITY_MEDIUM;
2287 else
2288 sec_level = authreq_to_seclevel(auth);
2289
2290 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2291 return 0;
2292
2293 if (sec_level > hcon->pending_sec_level)
2294 hcon->pending_sec_level = sec_level;
2295
2296 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2297 return 0;
2298
2299 smp = smp_chan_create(conn);
2300 if (!smp)
2301 return SMP_UNSPECIFIED;
2302
2303 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2304 (auth & SMP_AUTH_BONDING))
2305 return SMP_PAIRING_NOTSUPP;
2306
2307 skb_pull(skb, sizeof(*rp));
2308
2309 memset(&cp, 0, sizeof(cp));
2310 build_pairing_cmd(conn, &cp, NULL, auth);
2311
2312 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2313 memcpy(&smp->preq[1], &cp, sizeof(cp));
2314
2315 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2316 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2317
2318 return 0;
2319 }
2320
2321 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2322 {
2323 struct l2cap_conn *conn = hcon->l2cap_data;
2324 struct l2cap_chan *chan;
2325 struct smp_chan *smp;
2326 __u8 authreq;
2327 int ret;
2328
2329 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2330
2331 /* This may be NULL if there's an unexpected disconnection */
2332 if (!conn)
2333 return 1;
2334
2335 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2336 return 1;
2337
2338 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2339 return 1;
2340
2341 if (sec_level > hcon->pending_sec_level)
2342 hcon->pending_sec_level = sec_level;
2343
2344 if (hcon->role == HCI_ROLE_MASTER)
2345 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2346 return 0;
2347
2348 chan = conn->smp;
2349 if (!chan) {
2350 BT_ERR("SMP security requested but not available");
2351 return 1;
2352 }
2353
2354 l2cap_chan_lock(chan);
2355
2356 /* If SMP is already in progress ignore this request */
2357 if (chan->data) {
2358 ret = 0;
2359 goto unlock;
2360 }
2361
2362 smp = smp_chan_create(conn);
2363 if (!smp) {
2364 ret = 1;
2365 goto unlock;
2366 }
2367
2368 authreq = seclevel_to_authreq(sec_level);
2369
2370 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2371 authreq |= SMP_AUTH_SC;
2372 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2373 authreq |= SMP_AUTH_CT2;
2374 }
2375
2376 /* Require MITM if IO Capability allows or the security level
2377 * requires it.
2378 */
2379 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2380 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2381 authreq |= SMP_AUTH_MITM;
2382
2383 if (hcon->role == HCI_ROLE_MASTER) {
2384 struct smp_cmd_pairing cp;
2385
2386 build_pairing_cmd(conn, &cp, NULL, authreq);
2387 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2388 memcpy(&smp->preq[1], &cp, sizeof(cp));
2389
2390 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2391 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2392 } else {
2393 struct smp_cmd_security_req cp;
2394 cp.auth_req = authreq;
2395 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2396 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2397 }
2398
2399 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2400 ret = 0;
2401
2402 unlock:
2403 l2cap_chan_unlock(chan);
2404 return ret;
2405 }
2406
2407 void smp_cancel_pairing(struct hci_conn *hcon)
2408 {
2409 struct l2cap_conn *conn = hcon->l2cap_data;
2410 struct l2cap_chan *chan;
2411 struct smp_chan *smp;
2412
2413 if (!conn)
2414 return;
2415
2416 chan = conn->smp;
2417 if (!chan)
2418 return;
2419
2420 l2cap_chan_lock(chan);
2421
2422 smp = chan->data;
2423 if (smp) {
2424 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2425 smp_failure(conn, 0);
2426 else
2427 smp_failure(conn, SMP_UNSPECIFIED);
2428 }
2429
2430 l2cap_chan_unlock(chan);
2431 }
2432
2433 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2434 {
2435 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2436 struct l2cap_chan *chan = conn->smp;
2437 struct smp_chan *smp = chan->data;
2438
2439 BT_DBG("conn %p", conn);
2440
2441 if (skb->len < sizeof(*rp))
2442 return SMP_INVALID_PARAMS;
2443
2444 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2445
2446 skb_pull(skb, sizeof(*rp));
2447
2448 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2449
2450 return 0;
2451 }
2452
2453 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2454 {
2455 struct smp_cmd_master_ident *rp = (void *) skb->data;
2456 struct l2cap_chan *chan = conn->smp;
2457 struct smp_chan *smp = chan->data;
2458 struct hci_dev *hdev = conn->hcon->hdev;
2459 struct hci_conn *hcon = conn->hcon;
2460 struct smp_ltk *ltk;
2461 u8 authenticated;
2462
2463 BT_DBG("conn %p", conn);
2464
2465 if (skb->len < sizeof(*rp))
2466 return SMP_INVALID_PARAMS;
2467
2468 /* Mark the information as received */
2469 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2470
2471 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2472 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2473 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2474 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2475
2476 skb_pull(skb, sizeof(*rp));
2477
2478 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2479 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2480 authenticated, smp->tk, smp->enc_key_size,
2481 rp->ediv, rp->rand);
2482 smp->ltk = ltk;
2483 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2484 smp_distribute_keys(smp);
2485
2486 return 0;
2487 }
2488
2489 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2490 {
2491 struct smp_cmd_ident_info *info = (void *) skb->data;
2492 struct l2cap_chan *chan = conn->smp;
2493 struct smp_chan *smp = chan->data;
2494
2495 BT_DBG("");
2496
2497 if (skb->len < sizeof(*info))
2498 return SMP_INVALID_PARAMS;
2499
2500 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2501
2502 skb_pull(skb, sizeof(*info));
2503
2504 memcpy(smp->irk, info->irk, 16);
2505
2506 return 0;
2507 }
2508
2509 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2510 struct sk_buff *skb)
2511 {
2512 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2513 struct l2cap_chan *chan = conn->smp;
2514 struct smp_chan *smp = chan->data;
2515 struct hci_conn *hcon = conn->hcon;
2516 bdaddr_t rpa;
2517
2518 BT_DBG("");
2519
2520 if (skb->len < sizeof(*info))
2521 return SMP_INVALID_PARAMS;
2522
2523 /* Mark the information as received */
2524 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2525
2526 if (smp->remote_key_dist & SMP_DIST_SIGN)
2527 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2528
2529 skb_pull(skb, sizeof(*info));
2530
2531 /* Strictly speaking the Core Specification (4.1) allows sending
2532 * an empty address which would force us to rely on just the IRK
2533 * as "identity information". However, since such
2534 * implementations are not known of and in order to not over
2535 * complicate our implementation, simply pretend that we never
2536 * received an IRK for such a device.
2537 *
2538 * The Identity Address must also be a Static Random or Public
2539 * Address, which hci_is_identity_address() checks for.
2540 */
2541 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2542 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2543 BT_ERR("Ignoring IRK with no identity address");
2544 goto distribute;
2545 }
2546
2547 bacpy(&smp->id_addr, &info->bdaddr);
2548 smp->id_addr_type = info->addr_type;
2549
2550 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2551 bacpy(&rpa, &hcon->dst);
2552 else
2553 bacpy(&rpa, BDADDR_ANY);
2554
2555 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2556 smp->id_addr_type, smp->irk, &rpa);
2557
2558 distribute:
2559 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2560 smp_distribute_keys(smp);
2561
2562 return 0;
2563 }
2564
2565 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2566 {
2567 struct smp_cmd_sign_info *rp = (void *) skb->data;
2568 struct l2cap_chan *chan = conn->smp;
2569 struct smp_chan *smp = chan->data;
2570 struct smp_csrk *csrk;
2571
2572 BT_DBG("conn %p", conn);
2573
2574 if (skb->len < sizeof(*rp))
2575 return SMP_INVALID_PARAMS;
2576
2577 /* Mark the information as received */
2578 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2579
2580 skb_pull(skb, sizeof(*rp));
2581
2582 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2583 if (csrk) {
2584 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2585 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2586 else
2587 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2588 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2589 }
2590 smp->csrk = csrk;
2591 smp_distribute_keys(smp);
2592
2593 return 0;
2594 }
2595
2596 static u8 sc_select_method(struct smp_chan *smp)
2597 {
2598 struct l2cap_conn *conn = smp->conn;
2599 struct hci_conn *hcon = conn->hcon;
2600 struct smp_cmd_pairing *local, *remote;
2601 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2602
2603 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2604 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2605 return REQ_OOB;
2606
2607 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2608 * which are needed as inputs to some crypto functions. To get
2609 * the "struct smp_cmd_pairing" from them we need to skip the
2610 * first byte which contains the opcode.
2611 */
2612 if (hcon->out) {
2613 local = (void *) &smp->preq[1];
2614 remote = (void *) &smp->prsp[1];
2615 } else {
2616 local = (void *) &smp->prsp[1];
2617 remote = (void *) &smp->preq[1];
2618 }
2619
2620 local_io = local->io_capability;
2621 remote_io = remote->io_capability;
2622
2623 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2624 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2625
2626 /* If either side wants MITM, look up the method from the table,
2627 * otherwise use JUST WORKS.
2628 */
2629 if (local_mitm || remote_mitm)
2630 method = get_auth_method(smp, local_io, remote_io);
2631 else
2632 method = JUST_WORKS;
2633
2634 /* Don't confirm locally initiated pairing attempts */
2635 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2636 method = JUST_WORKS;
2637
2638 return method;
2639 }
2640
2641 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2642 {
2643 struct smp_cmd_public_key *key = (void *) skb->data;
2644 struct hci_conn *hcon = conn->hcon;
2645 struct l2cap_chan *chan = conn->smp;
2646 struct smp_chan *smp = chan->data;
2647 struct hci_dev *hdev = hcon->hdev;
2648 struct smp_cmd_pairing_confirm cfm;
2649 int err;
2650
2651 BT_DBG("conn %p", conn);
2652
2653 if (skb->len < sizeof(*key))
2654 return SMP_INVALID_PARAMS;
2655
2656 memcpy(smp->remote_pk, key, 64);
2657
2658 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2659 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2660 smp->rr, 0, cfm.confirm_val);
2661 if (err)
2662 return SMP_UNSPECIFIED;
2663
2664 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2665 return SMP_CONFIRM_FAILED;
2666 }
2667
2668 /* Non-initiating device sends its public key after receiving
2669 * the key from the initiating device.
2670 */
2671 if (!hcon->out) {
2672 err = sc_send_public_key(smp);
2673 if (err)
2674 return err;
2675 }
2676
2677 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2678 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2679
2680 if (!compute_ecdh_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2681 return SMP_UNSPECIFIED;
2682
2683 SMP_DBG("DHKey %32phN", smp->dhkey);
2684
2685 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2686
2687 smp->method = sc_select_method(smp);
2688
2689 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2690
2691 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2692 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2693 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2694 else
2695 hcon->pending_sec_level = BT_SECURITY_FIPS;
2696
2697 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2698 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2699
2700 if (smp->method == DSP_PASSKEY) {
2701 get_random_bytes(&hcon->passkey_notify,
2702 sizeof(hcon->passkey_notify));
2703 hcon->passkey_notify %= 1000000;
2704 hcon->passkey_entered = 0;
2705 smp->passkey_round = 0;
2706 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2707 hcon->dst_type,
2708 hcon->passkey_notify,
2709 hcon->passkey_entered))
2710 return SMP_UNSPECIFIED;
2711 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2712 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2713 }
2714
2715 if (smp->method == REQ_OOB) {
2716 if (hcon->out)
2717 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2718 sizeof(smp->prnd), smp->prnd);
2719
2720 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2721
2722 return 0;
2723 }
2724
2725 if (hcon->out)
2726 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2727
2728 if (smp->method == REQ_PASSKEY) {
2729 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2730 hcon->dst_type))
2731 return SMP_UNSPECIFIED;
2732 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2733 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2734 return 0;
2735 }
2736
2737 /* The Initiating device waits for the non-initiating device to
2738 * send the confirm value.
2739 */
2740 if (conn->hcon->out)
2741 return 0;
2742
2743 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2744 0, cfm.confirm_val);
2745 if (err)
2746 return SMP_UNSPECIFIED;
2747
2748 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2749 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2750
2751 return 0;
2752 }
2753
2754 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2755 {
2756 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2757 struct l2cap_chan *chan = conn->smp;
2758 struct hci_conn *hcon = conn->hcon;
2759 struct smp_chan *smp = chan->data;
2760 u8 a[7], b[7], *local_addr, *remote_addr;
2761 u8 io_cap[3], r[16], e[16];
2762 int err;
2763
2764 BT_DBG("conn %p", conn);
2765
2766 if (skb->len < sizeof(*check))
2767 return SMP_INVALID_PARAMS;
2768
2769 memcpy(a, &hcon->init_addr, 6);
2770 memcpy(b, &hcon->resp_addr, 6);
2771 a[6] = hcon->init_addr_type;
2772 b[6] = hcon->resp_addr_type;
2773
2774 if (hcon->out) {
2775 local_addr = a;
2776 remote_addr = b;
2777 memcpy(io_cap, &smp->prsp[1], 3);
2778 } else {
2779 local_addr = b;
2780 remote_addr = a;
2781 memcpy(io_cap, &smp->preq[1], 3);
2782 }
2783
2784 memset(r, 0, sizeof(r));
2785
2786 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2787 put_unaligned_le32(hcon->passkey_notify, r);
2788 else if (smp->method == REQ_OOB)
2789 memcpy(r, smp->lr, 16);
2790
2791 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2792 io_cap, remote_addr, local_addr, e);
2793 if (err)
2794 return SMP_UNSPECIFIED;
2795
2796 if (crypto_memneq(check->e, e, 16))
2797 return SMP_DHKEY_CHECK_FAILED;
2798
2799 if (!hcon->out) {
2800 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2801 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2802 return 0;
2803 }
2804
2805 /* Slave sends DHKey check as response to master */
2806 sc_dhkey_check(smp);
2807 }
2808
2809 sc_add_ltk(smp);
2810
2811 if (hcon->out) {
2812 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2813 hcon->enc_key_size = smp->enc_key_size;
2814 }
2815
2816 return 0;
2817 }
2818
2819 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2820 struct sk_buff *skb)
2821 {
2822 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2823
2824 BT_DBG("value 0x%02x", kp->value);
2825
2826 return 0;
2827 }
2828
2829 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2830 {
2831 struct l2cap_conn *conn = chan->conn;
2832 struct hci_conn *hcon = conn->hcon;
2833 struct smp_chan *smp;
2834 __u8 code, reason;
2835 int err = 0;
2836
2837 if (skb->len < 1)
2838 return -EILSEQ;
2839
2840 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2841 reason = SMP_PAIRING_NOTSUPP;
2842 goto done;
2843 }
2844
2845 code = skb->data[0];
2846 skb_pull(skb, sizeof(code));
2847
2848 smp = chan->data;
2849
2850 if (code > SMP_CMD_MAX)
2851 goto drop;
2852
2853 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2854 goto drop;
2855
2856 /* If we don't have a context the only allowed commands are
2857 * pairing request and security request.
2858 */
2859 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2860 goto drop;
2861
2862 switch (code) {
2863 case SMP_CMD_PAIRING_REQ:
2864 reason = smp_cmd_pairing_req(conn, skb);
2865 break;
2866
2867 case SMP_CMD_PAIRING_FAIL:
2868 smp_failure(conn, 0);
2869 err = -EPERM;
2870 break;
2871
2872 case SMP_CMD_PAIRING_RSP:
2873 reason = smp_cmd_pairing_rsp(conn, skb);
2874 break;
2875
2876 case SMP_CMD_SECURITY_REQ:
2877 reason = smp_cmd_security_req(conn, skb);
2878 break;
2879
2880 case SMP_CMD_PAIRING_CONFIRM:
2881 reason = smp_cmd_pairing_confirm(conn, skb);
2882 break;
2883
2884 case SMP_CMD_PAIRING_RANDOM:
2885 reason = smp_cmd_pairing_random(conn, skb);
2886 break;
2887
2888 case SMP_CMD_ENCRYPT_INFO:
2889 reason = smp_cmd_encrypt_info(conn, skb);
2890 break;
2891
2892 case SMP_CMD_MASTER_IDENT:
2893 reason = smp_cmd_master_ident(conn, skb);
2894 break;
2895
2896 case SMP_CMD_IDENT_INFO:
2897 reason = smp_cmd_ident_info(conn, skb);
2898 break;
2899
2900 case SMP_CMD_IDENT_ADDR_INFO:
2901 reason = smp_cmd_ident_addr_info(conn, skb);
2902 break;
2903
2904 case SMP_CMD_SIGN_INFO:
2905 reason = smp_cmd_sign_info(conn, skb);
2906 break;
2907
2908 case SMP_CMD_PUBLIC_KEY:
2909 reason = smp_cmd_public_key(conn, skb);
2910 break;
2911
2912 case SMP_CMD_DHKEY_CHECK:
2913 reason = smp_cmd_dhkey_check(conn, skb);
2914 break;
2915
2916 case SMP_CMD_KEYPRESS_NOTIFY:
2917 reason = smp_cmd_keypress_notify(conn, skb);
2918 break;
2919
2920 default:
2921 BT_DBG("Unknown command code 0x%2.2x", code);
2922 reason = SMP_CMD_NOTSUPP;
2923 goto done;
2924 }
2925
2926 done:
2927 if (!err) {
2928 if (reason)
2929 smp_failure(conn, reason);
2930 kfree_skb(skb);
2931 }
2932
2933 return err;
2934
2935 drop:
2936 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2937 code, &hcon->dst);
2938 kfree_skb(skb);
2939 return 0;
2940 }
2941
2942 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2943 {
2944 struct l2cap_conn *conn = chan->conn;
2945
2946 BT_DBG("chan %p", chan);
2947
2948 if (chan->data)
2949 smp_chan_destroy(conn);
2950
2951 conn->smp = NULL;
2952 l2cap_chan_put(chan);
2953 }
2954
2955 static void bredr_pairing(struct l2cap_chan *chan)
2956 {
2957 struct l2cap_conn *conn = chan->conn;
2958 struct hci_conn *hcon = conn->hcon;
2959 struct hci_dev *hdev = hcon->hdev;
2960 struct smp_cmd_pairing req;
2961 struct smp_chan *smp;
2962
2963 BT_DBG("chan %p", chan);
2964
2965 /* Only new pairings are interesting */
2966 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2967 return;
2968
2969 /* Don't bother if we're not encrypted */
2970 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2971 return;
2972
2973 /* Only master may initiate SMP over BR/EDR */
2974 if (hcon->role != HCI_ROLE_MASTER)
2975 return;
2976
2977 /* Secure Connections support must be enabled */
2978 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2979 return;
2980
2981 /* BR/EDR must use Secure Connections for SMP */
2982 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2983 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2984 return;
2985
2986 /* If our LE support is not enabled don't do anything */
2987 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2988 return;
2989
2990 /* Don't bother if remote LE support is not enabled */
2991 if (!lmp_host_le_capable(hcon))
2992 return;
2993
2994 /* Remote must support SMP fixed chan for BR/EDR */
2995 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2996 return;
2997
2998 /* Don't bother if SMP is already ongoing */
2999 if (chan->data)
3000 return;
3001
3002 smp = smp_chan_create(conn);
3003 if (!smp) {
3004 BT_ERR("%s unable to create SMP context for BR/EDR",
3005 hdev->name);
3006 return;
3007 }
3008
3009 set_bit(SMP_FLAG_SC, &smp->flags);
3010
3011 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3012
3013 /* Prepare and send the BR/EDR SMP Pairing Request */
3014 build_bredr_pairing_cmd(smp, &req, NULL);
3015
3016 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3017 memcpy(&smp->preq[1], &req, sizeof(req));
3018
3019 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3020 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3021 }
3022
3023 static void smp_resume_cb(struct l2cap_chan *chan)
3024 {
3025 struct smp_chan *smp = chan->data;
3026 struct l2cap_conn *conn = chan->conn;
3027 struct hci_conn *hcon = conn->hcon;
3028
3029 BT_DBG("chan %p", chan);
3030
3031 if (hcon->type == ACL_LINK) {
3032 bredr_pairing(chan);
3033 return;
3034 }
3035
3036 if (!smp)
3037 return;
3038
3039 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3040 return;
3041
3042 cancel_delayed_work(&smp->security_timer);
3043
3044 smp_distribute_keys(smp);
3045 }
3046
3047 static void smp_ready_cb(struct l2cap_chan *chan)
3048 {
3049 struct l2cap_conn *conn = chan->conn;
3050 struct hci_conn *hcon = conn->hcon;
3051
3052 BT_DBG("chan %p", chan);
3053
3054 /* No need to call l2cap_chan_hold() here since we already own
3055 * the reference taken in smp_new_conn_cb(). This is just the
3056 * first time that we tie it to a specific pointer. The code in
3057 * l2cap_core.c ensures that there's no risk this function wont
3058 * get called if smp_new_conn_cb was previously called.
3059 */
3060 conn->smp = chan;
3061
3062 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3063 bredr_pairing(chan);
3064 }
3065
3066 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3067 {
3068 int err;
3069
3070 BT_DBG("chan %p", chan);
3071
3072 err = smp_sig_channel(chan, skb);
3073 if (err) {
3074 struct smp_chan *smp = chan->data;
3075
3076 if (smp)
3077 cancel_delayed_work_sync(&smp->security_timer);
3078
3079 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3080 }
3081
3082 return err;
3083 }
3084
3085 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3086 unsigned long hdr_len,
3087 unsigned long len, int nb)
3088 {
3089 struct sk_buff *skb;
3090
3091 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3092 if (!skb)
3093 return ERR_PTR(-ENOMEM);
3094
3095 skb->priority = HCI_PRIO_MAX;
3096 bt_cb(skb)->l2cap.chan = chan;
3097
3098 return skb;
3099 }
3100
3101 static const struct l2cap_ops smp_chan_ops = {
3102 .name = "Security Manager",
3103 .ready = smp_ready_cb,
3104 .recv = smp_recv_cb,
3105 .alloc_skb = smp_alloc_skb_cb,
3106 .teardown = smp_teardown_cb,
3107 .resume = smp_resume_cb,
3108
3109 .new_connection = l2cap_chan_no_new_connection,
3110 .state_change = l2cap_chan_no_state_change,
3111 .close = l2cap_chan_no_close,
3112 .defer = l2cap_chan_no_defer,
3113 .suspend = l2cap_chan_no_suspend,
3114 .set_shutdown = l2cap_chan_no_set_shutdown,
3115 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3116 };
3117
3118 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3119 {
3120 struct l2cap_chan *chan;
3121
3122 BT_DBG("pchan %p", pchan);
3123
3124 chan = l2cap_chan_create();
3125 if (!chan)
3126 return NULL;
3127
3128 chan->chan_type = pchan->chan_type;
3129 chan->ops = &smp_chan_ops;
3130 chan->scid = pchan->scid;
3131 chan->dcid = chan->scid;
3132 chan->imtu = pchan->imtu;
3133 chan->omtu = pchan->omtu;
3134 chan->mode = pchan->mode;
3135
3136 /* Other L2CAP channels may request SMP routines in order to
3137 * change the security level. This means that the SMP channel
3138 * lock must be considered in its own category to avoid lockdep
3139 * warnings.
3140 */
3141 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3142
3143 BT_DBG("created chan %p", chan);
3144
3145 return chan;
3146 }
3147
3148 static const struct l2cap_ops smp_root_chan_ops = {
3149 .name = "Security Manager Root",
3150 .new_connection = smp_new_conn_cb,
3151
3152 /* None of these are implemented for the root channel */
3153 .close = l2cap_chan_no_close,
3154 .alloc_skb = l2cap_chan_no_alloc_skb,
3155 .recv = l2cap_chan_no_recv,
3156 .state_change = l2cap_chan_no_state_change,
3157 .teardown = l2cap_chan_no_teardown,
3158 .ready = l2cap_chan_no_ready,
3159 .defer = l2cap_chan_no_defer,
3160 .suspend = l2cap_chan_no_suspend,
3161 .resume = l2cap_chan_no_resume,
3162 .set_shutdown = l2cap_chan_no_set_shutdown,
3163 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
3164 };
3165
3166 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3167 {
3168 struct l2cap_chan *chan;
3169 struct smp_dev *smp;
3170 struct crypto_cipher *tfm_aes;
3171 struct crypto_shash *tfm_cmac;
3172
3173 if (cid == L2CAP_CID_SMP_BREDR) {
3174 smp = NULL;
3175 goto create_chan;
3176 }
3177
3178 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3179 if (!smp)
3180 return ERR_PTR(-ENOMEM);
3181
3182 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3183 if (IS_ERR(tfm_aes)) {
3184 BT_ERR("Unable to create AES crypto context");
3185 kzfree(smp);
3186 return ERR_CAST(tfm_aes);
3187 }
3188
3189 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3190 if (IS_ERR(tfm_cmac)) {
3191 BT_ERR("Unable to create CMAC crypto context");
3192 crypto_free_cipher(tfm_aes);
3193 kzfree(smp);
3194 return ERR_CAST(tfm_cmac);
3195 }
3196
3197 smp->tfm_aes = tfm_aes;
3198 smp->tfm_cmac = tfm_cmac;
3199 smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3200 smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3201
3202 create_chan:
3203 chan = l2cap_chan_create();
3204 if (!chan) {
3205 if (smp) {
3206 crypto_free_cipher(smp->tfm_aes);
3207 crypto_free_shash(smp->tfm_cmac);
3208 kzfree(smp);
3209 }
3210 return ERR_PTR(-ENOMEM);
3211 }
3212
3213 chan->data = smp;
3214
3215 l2cap_add_scid(chan, cid);
3216
3217 l2cap_chan_set_defaults(chan);
3218
3219 if (cid == L2CAP_CID_SMP) {
3220 u8 bdaddr_type;
3221
3222 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3223
3224 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3225 chan->src_type = BDADDR_LE_PUBLIC;
3226 else
3227 chan->src_type = BDADDR_LE_RANDOM;
3228 } else {
3229 bacpy(&chan->src, &hdev->bdaddr);
3230 chan->src_type = BDADDR_BREDR;
3231 }
3232
3233 chan->state = BT_LISTEN;
3234 chan->mode = L2CAP_MODE_BASIC;
3235 chan->imtu = L2CAP_DEFAULT_MTU;
3236 chan->ops = &smp_root_chan_ops;
3237
3238 /* Set correct nesting level for a parent/listening channel */
3239 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3240
3241 return chan;
3242 }
3243
3244 static void smp_del_chan(struct l2cap_chan *chan)
3245 {
3246 struct smp_dev *smp;
3247
3248 BT_DBG("chan %p", chan);
3249
3250 smp = chan->data;
3251 if (smp) {
3252 chan->data = NULL;
3253 crypto_free_cipher(smp->tfm_aes);
3254 crypto_free_shash(smp->tfm_cmac);
3255 kzfree(smp);
3256 }
3257
3258 l2cap_chan_put(chan);
3259 }
3260
3261 static ssize_t force_bredr_smp_read(struct file *file,
3262 char __user *user_buf,
3263 size_t count, loff_t *ppos)
3264 {
3265 struct hci_dev *hdev = file->private_data;
3266 char buf[3];
3267
3268 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3269 buf[1] = '\n';
3270 buf[2] = '\0';
3271 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3272 }
3273
3274 static ssize_t force_bredr_smp_write(struct file *file,
3275 const char __user *user_buf,
3276 size_t count, loff_t *ppos)
3277 {
3278 struct hci_dev *hdev = file->private_data;
3279 char buf[32];
3280 size_t buf_size = min(count, (sizeof(buf)-1));
3281 bool enable;
3282
3283 if (copy_from_user(buf, user_buf, buf_size))
3284 return -EFAULT;
3285
3286 buf[buf_size] = '\0';
3287 if (strtobool(buf, &enable))
3288 return -EINVAL;
3289
3290 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3291 return -EALREADY;
3292
3293 if (enable) {
3294 struct l2cap_chan *chan;
3295
3296 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3297 if (IS_ERR(chan))
3298 return PTR_ERR(chan);
3299
3300 hdev->smp_bredr_data = chan;
3301 } else {
3302 struct l2cap_chan *chan;
3303
3304 chan = hdev->smp_bredr_data;
3305 hdev->smp_bredr_data = NULL;
3306 smp_del_chan(chan);
3307 }
3308
3309 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3310
3311 return count;
3312 }
3313
3314 static const struct file_operations force_bredr_smp_fops = {
3315 .open = simple_open,
3316 .read = force_bredr_smp_read,
3317 .write = force_bredr_smp_write,
3318 .llseek = default_llseek,
3319 };
3320
3321 static ssize_t le_min_key_size_read(struct file *file,
3322 char __user *user_buf,
3323 size_t count, loff_t *ppos)
3324 {
3325 struct hci_dev *hdev = file->private_data;
3326 char buf[4];
3327
3328 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3329
3330 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3331 }
3332
3333 static ssize_t le_min_key_size_write(struct file *file,
3334 const char __user *user_buf,
3335 size_t count, loff_t *ppos)
3336 {
3337 struct hci_dev *hdev = file->private_data;
3338 char buf[32];
3339 size_t buf_size = min(count, (sizeof(buf) - 1));
3340 u8 key_size;
3341
3342 if (copy_from_user(buf, user_buf, buf_size))
3343 return -EFAULT;
3344
3345 buf[buf_size] = '\0';
3346
3347 sscanf(buf, "%hhu", &key_size);
3348
3349 if (key_size > SMP_DEV(hdev)->max_key_size ||
3350 key_size < SMP_MIN_ENC_KEY_SIZE)
3351 return -EINVAL;
3352
3353 SMP_DEV(hdev)->min_key_size = key_size;
3354
3355 return count;
3356 }
3357
3358 static const struct file_operations le_min_key_size_fops = {
3359 .open = simple_open,
3360 .read = le_min_key_size_read,
3361 .write = le_min_key_size_write,
3362 .llseek = default_llseek,
3363 };
3364
3365 static ssize_t le_max_key_size_read(struct file *file,
3366 char __user *user_buf,
3367 size_t count, loff_t *ppos)
3368 {
3369 struct hci_dev *hdev = file->private_data;
3370 char buf[4];
3371
3372 snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3373
3374 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3375 }
3376
3377 static ssize_t le_max_key_size_write(struct file *file,
3378 const char __user *user_buf,
3379 size_t count, loff_t *ppos)
3380 {
3381 struct hci_dev *hdev = file->private_data;
3382 char buf[32];
3383 size_t buf_size = min(count, (sizeof(buf) - 1));
3384 u8 key_size;
3385
3386 if (copy_from_user(buf, user_buf, buf_size))
3387 return -EFAULT;
3388
3389 buf[buf_size] = '\0';
3390
3391 sscanf(buf, "%hhu", &key_size);
3392
3393 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3394 key_size < SMP_DEV(hdev)->min_key_size)
3395 return -EINVAL;
3396
3397 SMP_DEV(hdev)->max_key_size = key_size;
3398
3399 return count;
3400 }
3401
3402 static const struct file_operations le_max_key_size_fops = {
3403 .open = simple_open,
3404 .read = le_max_key_size_read,
3405 .write = le_max_key_size_write,
3406 .llseek = default_llseek,
3407 };
3408
3409 int smp_register(struct hci_dev *hdev)
3410 {
3411 struct l2cap_chan *chan;
3412
3413 BT_DBG("%s", hdev->name);
3414
3415 /* If the controller does not support Low Energy operation, then
3416 * there is also no need to register any SMP channel.
3417 */
3418 if (!lmp_le_capable(hdev))
3419 return 0;
3420
3421 if (WARN_ON(hdev->smp_data)) {
3422 chan = hdev->smp_data;
3423 hdev->smp_data = NULL;
3424 smp_del_chan(chan);
3425 }
3426
3427 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3428 if (IS_ERR(chan))
3429 return PTR_ERR(chan);
3430
3431 hdev->smp_data = chan;
3432
3433 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3434 &le_min_key_size_fops);
3435 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3436 &le_max_key_size_fops);
3437
3438 /* If the controller does not support BR/EDR Secure Connections
3439 * feature, then the BR/EDR SMP channel shall not be present.
3440 *
3441 * To test this with Bluetooth 4.0 controllers, create a debugfs
3442 * switch that allows forcing BR/EDR SMP support and accepting
3443 * cross-transport pairing on non-AES encrypted connections.
3444 */
3445 if (!lmp_sc_capable(hdev)) {
3446 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3447 hdev, &force_bredr_smp_fops);
3448
3449 /* Flag can be already set here (due to power toggle) */
3450 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3451 return 0;
3452 }
3453
3454 if (WARN_ON(hdev->smp_bredr_data)) {
3455 chan = hdev->smp_bredr_data;
3456 hdev->smp_bredr_data = NULL;
3457 smp_del_chan(chan);
3458 }
3459
3460 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3461 if (IS_ERR(chan)) {
3462 int err = PTR_ERR(chan);
3463 chan = hdev->smp_data;
3464 hdev->smp_data = NULL;
3465 smp_del_chan(chan);
3466 return err;
3467 }
3468
3469 hdev->smp_bredr_data = chan;
3470
3471 return 0;
3472 }
3473
3474 void smp_unregister(struct hci_dev *hdev)
3475 {
3476 struct l2cap_chan *chan;
3477
3478 if (hdev->smp_bredr_data) {
3479 chan = hdev->smp_bredr_data;
3480 hdev->smp_bredr_data = NULL;
3481 smp_del_chan(chan);
3482 }
3483
3484 if (hdev->smp_data) {
3485 chan = hdev->smp_data;
3486 hdev->smp_data = NULL;
3487 smp_del_chan(chan);
3488 }
3489 }
3490
3491 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3492
3493 static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits)
3494 {
3495 int i;
3496
3497 for (i = 0; i < ndigits; i++)
3498 out[i] = __swab64(in[ndigits - 1 - i]);
3499 }
3500
3501 static int __init test_debug_key(void)
3502 {
3503 u8 pk[64], sk[32];
3504
3505 swap_digits((u64 *)debug_sk, (u64 *)sk, 4);
3506
3507 if (!generate_ecdh_keys(pk, sk))
3508 return -EINVAL;
3509
3510 if (crypto_memneq(sk, debug_sk, 32))
3511 return -EINVAL;
3512
3513 if (crypto_memneq(pk, debug_pk, 64))
3514 return -EINVAL;
3515
3516 return 0;
3517 }
3518
3519 static int __init test_ah(struct crypto_cipher *tfm_aes)
3520 {
3521 const u8 irk[16] = {
3522 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3523 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3524 const u8 r[3] = { 0x94, 0x81, 0x70 };
3525 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3526 u8 res[3];
3527 int err;
3528
3529 err = smp_ah(tfm_aes, irk, r, res);
3530 if (err)
3531 return err;
3532
3533 if (crypto_memneq(res, exp, 3))
3534 return -EINVAL;
3535
3536 return 0;
3537 }
3538
3539 static int __init test_c1(struct crypto_cipher *tfm_aes)
3540 {
3541 const u8 k[16] = {
3542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3543 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3544 const u8 r[16] = {
3545 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3546 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3547 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3548 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3549 const u8 _iat = 0x01;
3550 const u8 _rat = 0x00;
3551 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3552 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3553 const u8 exp[16] = {
3554 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3555 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3556 u8 res[16];
3557 int err;
3558
3559 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3560 if (err)
3561 return err;
3562
3563 if (crypto_memneq(res, exp, 16))
3564 return -EINVAL;
3565
3566 return 0;
3567 }
3568
3569 static int __init test_s1(struct crypto_cipher *tfm_aes)
3570 {
3571 const u8 k[16] = {
3572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3574 const u8 r1[16] = {
3575 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3576 const u8 r2[16] = {
3577 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3578 const u8 exp[16] = {
3579 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3580 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3581 u8 res[16];
3582 int err;
3583
3584 err = smp_s1(tfm_aes, k, r1, r2, res);
3585 if (err)
3586 return err;
3587
3588 if (crypto_memneq(res, exp, 16))
3589 return -EINVAL;
3590
3591 return 0;
3592 }
3593
3594 static int __init test_f4(struct crypto_shash *tfm_cmac)
3595 {
3596 const u8 u[32] = {
3597 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3598 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3599 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3600 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3601 const u8 v[32] = {
3602 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3603 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3604 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3605 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3606 const u8 x[16] = {
3607 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609 const u8 z = 0x00;
3610 const u8 exp[16] = {
3611 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3612 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3613 u8 res[16];
3614 int err;
3615
3616 err = smp_f4(tfm_cmac, u, v, x, z, res);
3617 if (err)
3618 return err;
3619
3620 if (crypto_memneq(res, exp, 16))
3621 return -EINVAL;
3622
3623 return 0;
3624 }
3625
3626 static int __init test_f5(struct crypto_shash *tfm_cmac)
3627 {
3628 const u8 w[32] = {
3629 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3630 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3631 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3632 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3633 const u8 n1[16] = {
3634 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3635 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3636 const u8 n2[16] = {
3637 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3638 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3639 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3640 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3641 const u8 exp_ltk[16] = {
3642 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3643 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3644 const u8 exp_mackey[16] = {
3645 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3646 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3647 u8 mackey[16], ltk[16];
3648 int err;
3649
3650 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3651 if (err)
3652 return err;
3653
3654 if (crypto_memneq(mackey, exp_mackey, 16))
3655 return -EINVAL;
3656
3657 if (crypto_memneq(ltk, exp_ltk, 16))
3658 return -EINVAL;
3659
3660 return 0;
3661 }
3662
3663 static int __init test_f6(struct crypto_shash *tfm_cmac)
3664 {
3665 const u8 w[16] = {
3666 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3667 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3668 const u8 n1[16] = {
3669 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3670 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3671 const u8 n2[16] = {
3672 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3673 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3674 const u8 r[16] = {
3675 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3676 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3677 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3678 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3679 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3680 const u8 exp[16] = {
3681 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3682 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3683 u8 res[16];
3684 int err;
3685
3686 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3687 if (err)
3688 return err;
3689
3690 if (crypto_memneq(res, exp, 16))
3691 return -EINVAL;
3692
3693 return 0;
3694 }
3695
3696 static int __init test_g2(struct crypto_shash *tfm_cmac)
3697 {
3698 const u8 u[32] = {
3699 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3700 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3701 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3702 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3703 const u8 v[32] = {
3704 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3705 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3706 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3707 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3708 const u8 x[16] = {
3709 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3710 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3711 const u8 y[16] = {
3712 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3713 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3714 const u32 exp_val = 0x2f9ed5ba % 1000000;
3715 u32 val;
3716 int err;
3717
3718 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3719 if (err)
3720 return err;
3721
3722 if (val != exp_val)
3723 return -EINVAL;
3724
3725 return 0;
3726 }
3727
3728 static int __init test_h6(struct crypto_shash *tfm_cmac)
3729 {
3730 const u8 w[16] = {
3731 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3732 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3733 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3734 const u8 exp[16] = {
3735 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3736 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3737 u8 res[16];
3738 int err;
3739
3740 err = smp_h6(tfm_cmac, w, key_id, res);
3741 if (err)
3742 return err;
3743
3744 if (crypto_memneq(res, exp, 16))
3745 return -EINVAL;
3746
3747 return 0;
3748 }
3749
3750 static char test_smp_buffer[32];
3751
3752 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3753 size_t count, loff_t *ppos)
3754 {
3755 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3756 strlen(test_smp_buffer));
3757 }
3758
3759 static const struct file_operations test_smp_fops = {
3760 .open = simple_open,
3761 .read = test_smp_read,
3762 .llseek = default_llseek,
3763 };
3764
3765 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3766 struct crypto_shash *tfm_cmac)
3767 {
3768 ktime_t calltime, delta, rettime;
3769 unsigned long long duration;
3770 int err;
3771
3772 calltime = ktime_get();
3773
3774 err = test_debug_key();
3775 if (err) {
3776 BT_ERR("debug_key test failed");
3777 goto done;
3778 }
3779
3780 err = test_ah(tfm_aes);
3781 if (err) {
3782 BT_ERR("smp_ah test failed");
3783 goto done;
3784 }
3785
3786 err = test_c1(tfm_aes);
3787 if (err) {
3788 BT_ERR("smp_c1 test failed");
3789 goto done;
3790 }
3791
3792 err = test_s1(tfm_aes);
3793 if (err) {
3794 BT_ERR("smp_s1 test failed");
3795 goto done;
3796 }
3797
3798 err = test_f4(tfm_cmac);
3799 if (err) {
3800 BT_ERR("smp_f4 test failed");
3801 goto done;
3802 }
3803
3804 err = test_f5(tfm_cmac);
3805 if (err) {
3806 BT_ERR("smp_f5 test failed");
3807 goto done;
3808 }
3809
3810 err = test_f6(tfm_cmac);
3811 if (err) {
3812 BT_ERR("smp_f6 test failed");
3813 goto done;
3814 }
3815
3816 err = test_g2(tfm_cmac);
3817 if (err) {
3818 BT_ERR("smp_g2 test failed");
3819 goto done;
3820 }
3821
3822 err = test_h6(tfm_cmac);
3823 if (err) {
3824 BT_ERR("smp_h6 test failed");
3825 goto done;
3826 }
3827
3828 rettime = ktime_get();
3829 delta = ktime_sub(rettime, calltime);
3830 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3831
3832 BT_INFO("SMP test passed in %llu usecs", duration);
3833
3834 done:
3835 if (!err)
3836 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3837 "PASS (%llu usecs)\n", duration);
3838 else
3839 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3840
3841 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3842 &test_smp_fops);
3843
3844 return err;
3845 }
3846
3847 int __init bt_selftest_smp(void)
3848 {
3849 struct crypto_cipher *tfm_aes;
3850 struct crypto_shash *tfm_cmac;
3851 int err;
3852
3853 tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3854 if (IS_ERR(tfm_aes)) {
3855 BT_ERR("Unable to create AES crypto context");
3856 return PTR_ERR(tfm_aes);
3857 }
3858
3859 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3860 if (IS_ERR(tfm_cmac)) {
3861 BT_ERR("Unable to create CMAC crypto context");
3862 crypto_free_cipher(tfm_aes);
3863 return PTR_ERR(tfm_cmac);
3864 }
3865
3866 err = run_selftests(tfm_aes, tfm_cmac);
3867
3868 crypto_free_shash(tfm_cmac);
3869 crypto_free_cipher(tfm_aes);
3870
3871 return err;
3872 }
3873
3874 #endif
(deprecated) Btrfs devel tree