1 /*
2    BlueZ - Bluetooth protocol stack for Linux
3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4 
5    This program is free software; you can redistribute it and/or modify
6    it under the terms of the GNU General Public License version 2 as
7    published by the Free Software Foundation;
8 
9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 
18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20    SOFTWARE IS DISCLAIMED.
21 */
22 
23 #include <linux/debugfs.h>
24 #include <linux/scatterlist.h>
25 #include <crypto/aes.h>
26 #include <crypto/hash.h>
27 #include <crypto/kpp.h>
28 #include <crypto/utils.h>
29 
30 #include <net/bluetooth/bluetooth.h>
31 #include <net/bluetooth/hci_core.h>
32 #include <net/bluetooth/l2cap.h>
33 #include <net/bluetooth/mgmt.h>
34 
35 #include "ecdh_helper.h"
36 #include "smp.h"
37 
38 #define SMP_DEV(hdev) \
39 	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40 
41 /* Low-level debug macros to be used for stuff that we don't want
42  * accidentally in dmesg, i.e. the values of the various crypto keys
43  * and the inputs & outputs of crypto functions.
44  */
45 #ifdef DEBUG
46 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47 				 ##__VA_ARGS__)
48 #else
49 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50 				    ##__VA_ARGS__)
51 #endif
52 
53 #define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54 
55 /* Keys which are not distributed with Secure Connections */
56 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57 
58 #define SMP_TIMEOUT	msecs_to_jiffies(30000)
59 
60 #define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
61 
62 #define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63 				 0x3f : 0x07)
64 #define KEY_DIST_MASK		0x07
65 
66 /* Maximum message length that can be passed to aes_cmac */
67 #define CMAC_MSG_MAX	80
68 
69 enum {
70 	SMP_FLAG_TK_VALID,
71 	SMP_FLAG_CFM_PENDING,
72 	SMP_FLAG_MITM_AUTH,
73 	SMP_FLAG_COMPLETE,
74 	SMP_FLAG_INITIATOR,
75 	SMP_FLAG_SC,
76 	SMP_FLAG_REMOTE_PK,
77 	SMP_FLAG_DEBUG_KEY,
78 	SMP_FLAG_WAIT_USER,
79 	SMP_FLAG_DHKEY_PENDING,
80 	SMP_FLAG_REMOTE_OOB,
81 	SMP_FLAG_LOCAL_OOB,
82 	SMP_FLAG_CT2,
83 };
84 
85 struct smp_dev {
86 	/* Secure Connections OOB data */
87 	bool			local_oob;
88 	u8			local_pk[64];
89 	u8			local_rand[16];
90 	bool			debug_key;
91 
92 	struct crypto_shash	*tfm_cmac;
93 	struct crypto_kpp	*tfm_ecdh;
94 };
95 
96 struct smp_chan {
97 	struct l2cap_conn	*conn;
98 	struct delayed_work	security_timer;
99 	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101 	u8		preq[7]; /* SMP Pairing Request */
102 	u8		prsp[7]; /* SMP Pairing Response */
103 	u8		prnd[16]; /* SMP Pairing Random (local) */
104 	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105 	u8		pcnf[16]; /* SMP Pairing Confirm */
106 	u8		tk[16]; /* SMP Temporary Key */
107 	u8		rr[16]; /* Remote OOB ra/rb value */
108 	u8		lr[16]; /* Local OOB ra/rb value */
109 	u8		enc_key_size;
110 	u8		remote_key_dist;
111 	bdaddr_t	id_addr;
112 	u8		id_addr_type;
113 	u8		irk[16];
114 	struct smp_csrk	*csrk;
115 	struct smp_csrk	*responder_csrk;
116 	struct smp_ltk	*ltk;
117 	struct smp_ltk	*responder_ltk;
118 	struct smp_irk	*remote_irk;
119 	u8		*link_key;
120 	unsigned long	flags;
121 	u8		method;
122 	u8		passkey_round;
123 
124 	/* Secure Connections variables */
125 	u8			local_pk[64];
126 	u8			remote_pk[64];
127 	u8			dhkey[32];
128 	u8			mackey[16];
129 
130 	struct crypto_shash	*tfm_cmac;
131 	struct crypto_kpp	*tfm_ecdh;
132 };
133 
134 /* These debug key values are defined in the SMP section of the core
135  * specification. debug_pk is the public debug key and debug_sk the
136  * private debug key.
137  */
138 static const u8 debug_pk[64] = {
139 		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143 
144 		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148 };
149 
150 static const u8 debug_sk[32] = {
151 		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155 };
156 
swap_buf(const u8 * src,u8 * dst,size_t len)157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158 {
159 	size_t i;
160 
161 	for (i = 0; i < len; i++)
162 		dst[len - 1 - i] = src[i];
163 }
164 
165 /* The following functions map to the LE SC SMP crypto functions
166  * AES-CMAC, f4, f5, f6, g2 and h6.
167  */
168 
aes_cmac(struct crypto_shash * tfm,const u8 k[16],const u8 * m,size_t len,u8 mac[16])169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170 		    size_t len, u8 mac[16])
171 {
172 	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173 	int err;
174 
175 	if (len > CMAC_MSG_MAX)
176 		return -EFBIG;
177 
178 	if (!tfm) {
179 		BT_ERR("tfm %p", tfm);
180 		return -EINVAL;
181 	}
182 
183 	/* Swap key and message from LSB to MSB */
184 	swap_buf(k, tmp, 16);
185 	swap_buf(m, msg_msb, len);
186 
187 	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 	SMP_DBG("key %16phN", k);
189 
190 	err = crypto_shash_setkey(tfm, tmp, 16);
191 	if (err) {
192 		BT_ERR("cipher setkey failed: %d", err);
193 		return err;
194 	}
195 
196 	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197 	if (err) {
198 		BT_ERR("Hash computation error %d", err);
199 		return err;
200 	}
201 
202 	swap_buf(mac_msb, mac, 16);
203 
204 	SMP_DBG("mac %16phN", mac);
205 
206 	return 0;
207 }
208 
smp_f4(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],u8 z,u8 res[16])209 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211 {
212 	u8 m[65];
213 	int err;
214 
215 	SMP_DBG("u %32phN", u);
216 	SMP_DBG("v %32phN", v);
217 	SMP_DBG("x %16phN z %02x", x, z);
218 
219 	m[0] = z;
220 	memcpy(m + 1, v, 32);
221 	memcpy(m + 33, u, 32);
222 
223 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 	if (err)
225 		return err;
226 
227 	SMP_DBG("res %16phN", res);
228 
229 	return err;
230 }
231 
smp_f5(struct crypto_shash * tfm_cmac,const u8 w[32],const u8 n1[16],const u8 n2[16],const u8 a1[7],const u8 a2[7],u8 mackey[16],u8 ltk[16])232 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233 		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235 {
236 	/* The btle, salt and length "magic" values are as defined in
237 	 * the SMP section of the Bluetooth core specification. In ASCII
238 	 * the btle value ends up being 'btle'. The salt is just a
239 	 * random number whereas length is the value 256 in little
240 	 * endian format.
241 	 */
242 	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 	const u8 length[2] = { 0x00, 0x01 };
246 	u8 m[53], t[16];
247 	int err;
248 
249 	SMP_DBG("w %32phN", w);
250 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252 
253 	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 	if (err)
255 		return err;
256 
257 	SMP_DBG("t %16phN", t);
258 
259 	memcpy(m, length, 2);
260 	memcpy(m + 2, a2, 7);
261 	memcpy(m + 9, a1, 7);
262 	memcpy(m + 16, n2, 16);
263 	memcpy(m + 32, n1, 16);
264 	memcpy(m + 48, btle, 4);
265 
266 	m[52] = 0; /* Counter */
267 
268 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 	if (err)
270 		return err;
271 
272 	SMP_DBG("mackey %16phN", mackey);
273 
274 	m[52] = 1; /* Counter */
275 
276 	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 	if (err)
278 		return err;
279 
280 	SMP_DBG("ltk %16phN", ltk);
281 
282 	return 0;
283 }
284 
smp_f6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 n1[16],const u8 n2[16],const u8 r[16],const u8 io_cap[3],const u8 a1[7],const u8 a2[7],u8 res[16])285 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286 		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287 		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 		  u8 res[16])
289 {
290 	u8 m[65];
291 	int err;
292 
293 	SMP_DBG("w %16phN", w);
294 	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296 
297 	memcpy(m, a2, 7);
298 	memcpy(m + 7, a1, 7);
299 	memcpy(m + 14, io_cap, 3);
300 	memcpy(m + 17, r, 16);
301 	memcpy(m + 33, n2, 16);
302 	memcpy(m + 49, n1, 16);
303 
304 	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 	if (err)
306 		return err;
307 
308 	SMP_DBG("res %16phN", res);
309 
310 	return err;
311 }
312 
smp_g2(struct crypto_shash * tfm_cmac,const u8 u[32],const u8 v[32],const u8 x[16],const u8 y[16],u32 * val)313 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314 		  const u8 x[16], const u8 y[16], u32 *val)
315 {
316 	u8 m[80], tmp[16];
317 	int err;
318 
319 	SMP_DBG("u %32phN", u);
320 	SMP_DBG("v %32phN", v);
321 	SMP_DBG("x %16phN y %16phN", x, y);
322 
323 	memcpy(m, y, 16);
324 	memcpy(m + 16, v, 32);
325 	memcpy(m + 48, u, 32);
326 
327 	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 	if (err)
329 		return err;
330 
331 	*val = get_unaligned_le32(tmp);
332 	*val %= 1000000;
333 
334 	SMP_DBG("val %06u", *val);
335 
336 	return 0;
337 }
338 
smp_h6(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 key_id[4],u8 res[16])339 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340 		  const u8 key_id[4], u8 res[16])
341 {
342 	int err;
343 
344 	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345 
346 	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 	if (err)
348 		return err;
349 
350 	SMP_DBG("res %16phN", res);
351 
352 	return err;
353 }
354 
smp_h7(struct crypto_shash * tfm_cmac,const u8 w[16],const u8 salt[16],u8 res[16])355 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 		  const u8 salt[16], u8 res[16])
357 {
358 	int err;
359 
360 	SMP_DBG("w %16phN salt %16phN", w, salt);
361 
362 	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 	if (err)
364 		return err;
365 
366 	SMP_DBG("res %16phN", res);
367 
368 	return err;
369 }
370 
371 /* The following functions map to the legacy SMP crypto functions e, c1,
372  * s1 and ah.
373  */
374 
smp_e(const u8 * k,u8 * r)375 static int smp_e(const u8 *k, u8 *r)
376 {
377 	struct crypto_aes_ctx ctx;
378 	uint8_t tmp[16], data[16];
379 	int err;
380 
381 	SMP_DBG("k %16phN r %16phN", k, r);
382 
383 	/* The most significant octet of key corresponds to k[0] */
384 	swap_buf(k, tmp, 16);
385 
386 	err = aes_expandkey(&ctx, tmp, 16);
387 	if (err) {
388 		BT_ERR("cipher setkey failed: %d", err);
389 		return err;
390 	}
391 
392 	/* Most significant octet of plaintextData corresponds to data[0] */
393 	swap_buf(r, data, 16);
394 
395 	aes_encrypt(&ctx, data, data);
396 
397 	/* Most significant octet of encryptedData corresponds to data[0] */
398 	swap_buf(data, r, 16);
399 
400 	SMP_DBG("r %16phN", r);
401 
402 	memzero_explicit(&ctx, sizeof(ctx));
403 	return err;
404 }
405 
smp_c1(const u8 k[16],const u8 r[16],const u8 preq[7],const u8 pres[7],u8 _iat,const bdaddr_t * ia,u8 _rat,const bdaddr_t * ra,u8 res[16])406 static int smp_c1(const u8 k[16],
407 		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409 {
410 	u8 p1[16], p2[16];
411 	int err;
412 
413 	SMP_DBG("k %16phN r %16phN", k, r);
414 	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416 
417 	memset(p1, 0, 16);
418 
419 	/* p1 = pres || preq || _rat || _iat */
420 	p1[0] = _iat;
421 	p1[1] = _rat;
422 	memcpy(p1 + 2, preq, 7);
423 	memcpy(p1 + 9, pres, 7);
424 
425 	SMP_DBG("p1 %16phN", p1);
426 
427 	/* res = r XOR p1 */
428 	crypto_xor_cpy(res, r, p1, sizeof(p1));
429 
430 	/* res = e(k, res) */
431 	err = smp_e(k, res);
432 	if (err) {
433 		BT_ERR("Encrypt data error");
434 		return err;
435 	}
436 
437 	/* p2 = padding || ia || ra */
438 	memcpy(p2, ra, 6);
439 	memcpy(p2 + 6, ia, 6);
440 	memset(p2 + 12, 0, 4);
441 
442 	SMP_DBG("p2 %16phN", p2);
443 
444 	/* res = res XOR p2 */
445 	crypto_xor(res, p2, sizeof(p2));
446 
447 	/* res = e(k, res) */
448 	err = smp_e(k, res);
449 	if (err)
450 		BT_ERR("Encrypt data error");
451 
452 	return err;
453 }
454 
smp_s1(const u8 k[16],const u8 r1[16],const u8 r2[16],u8 _r[16])455 static int smp_s1(const u8 k[16],
456 		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457 {
458 	int err;
459 
460 	/* Just least significant octets from r1 and r2 are considered */
461 	memcpy(_r, r2, 8);
462 	memcpy(_r + 8, r1, 8);
463 
464 	err = smp_e(k, _r);
465 	if (err)
466 		BT_ERR("Encrypt data error");
467 
468 	return err;
469 }
470 
smp_ah(const u8 irk[16],const u8 r[3],u8 res[3])471 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472 {
473 	u8 _res[16];
474 	int err;
475 
476 	/* r' = padding || r */
477 	memcpy(_res, r, 3);
478 	memset(_res + 3, 0, 13);
479 
480 	err = smp_e(irk, _res);
481 	if (err) {
482 		BT_ERR("Encrypt error");
483 		return err;
484 	}
485 
486 	/* The output of the random address function ah is:
487 	 *	ah(k, r) = e(k, r') mod 2^24
488 	 * The output of the security function e is then truncated to 24 bits
489 	 * by taking the least significant 24 bits of the output of e as the
490 	 * result of ah.
491 	 */
492 	memcpy(res, _res, 3);
493 
494 	return 0;
495 }
496 
smp_irk_matches(struct hci_dev * hdev,const u8 irk[16],const bdaddr_t * bdaddr)497 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 		     const bdaddr_t *bdaddr)
499 {
500 	struct l2cap_chan *chan = hdev->smp_data;
501 	u8 hash[3];
502 	int err;
503 
504 	if (!chan || !chan->data)
505 		return false;
506 
507 	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508 
509 	err = smp_ah(irk, &bdaddr->b[3], hash);
510 	if (err)
511 		return false;
512 
513 	return !crypto_memneq(bdaddr->b, hash, 3);
514 }
515 
smp_generate_rpa(struct hci_dev * hdev,const u8 irk[16],bdaddr_t * rpa)516 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517 {
518 	struct l2cap_chan *chan = hdev->smp_data;
519 	int err;
520 
521 	if (!chan || !chan->data)
522 		return -EOPNOTSUPP;
523 
524 	get_random_bytes(&rpa->b[3], 3);
525 
526 	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527 	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528 
529 	err = smp_ah(irk, &rpa->b[3], rpa->b);
530 	if (err < 0)
531 		return err;
532 
533 	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534 
535 	return 0;
536 }
537 
smp_generate_oob(struct hci_dev * hdev,u8 hash[16],u8 rand[16])538 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539 {
540 	struct l2cap_chan *chan = hdev->smp_data;
541 	struct smp_dev *smp;
542 	int err;
543 
544 	if (!chan || !chan->data)
545 		return -EOPNOTSUPP;
546 
547 	smp = chan->data;
548 
549 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550 		bt_dev_dbg(hdev, "Using debug keys");
551 		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 		if (err)
553 			return err;
554 		memcpy(smp->local_pk, debug_pk, 64);
555 		smp->debug_key = true;
556 	} else {
557 		while (true) {
558 			/* Generate key pair for Secure Connections */
559 			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560 			if (err)
561 				return err;
562 
563 			/* This is unlikely, but we need to check that
564 			 * we didn't accidentally generate a debug key.
565 			 */
566 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567 				break;
568 		}
569 		smp->debug_key = false;
570 	}
571 
572 	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574 
575 	get_random_bytes(smp->local_rand, 16);
576 
577 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578 		     smp->local_rand, 0, hash);
579 	if (err < 0)
580 		return err;
581 
582 	memcpy(rand, smp->local_rand, 16);
583 
584 	smp->local_oob = true;
585 
586 	return 0;
587 }
588 
smp_send_cmd(struct l2cap_conn * conn,u8 code,u16 len,void * data)589 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590 {
591 	struct l2cap_chan *chan = conn->smp;
592 	struct smp_chan *smp;
593 	struct kvec iv[2];
594 	struct msghdr msg;
595 
596 	if (!chan)
597 		return;
598 
599 	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600 
601 	iv[0].iov_base = &code;
602 	iv[0].iov_len = 1;
603 
604 	iv[1].iov_base = data;
605 	iv[1].iov_len = len;
606 
607 	memset(&msg, 0, sizeof(msg));
608 
609 	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
610 
611 	l2cap_chan_send(chan, &msg, 1 + len);
612 
613 	if (!chan->data)
614 		return;
615 
616 	smp = chan->data;
617 
618 	cancel_delayed_work_sync(&smp->security_timer);
619 	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620 }
621 
authreq_to_seclevel(u8 authreq)622 static u8 authreq_to_seclevel(u8 authreq)
623 {
624 	if (authreq & SMP_AUTH_MITM) {
625 		if (authreq & SMP_AUTH_SC)
626 			return BT_SECURITY_FIPS;
627 		else
628 			return BT_SECURITY_HIGH;
629 	} else {
630 		return BT_SECURITY_MEDIUM;
631 	}
632 }
633 
seclevel_to_authreq(__u8 sec_level)634 static __u8 seclevel_to_authreq(__u8 sec_level)
635 {
636 	switch (sec_level) {
637 	case BT_SECURITY_FIPS:
638 	case BT_SECURITY_HIGH:
639 		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 	case BT_SECURITY_MEDIUM:
641 		return SMP_AUTH_BONDING;
642 	default:
643 		return SMP_AUTH_NONE;
644 	}
645 }
646 
build_pairing_cmd(struct l2cap_conn * conn,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp,__u8 authreq)647 static void build_pairing_cmd(struct l2cap_conn *conn,
648 			      struct smp_cmd_pairing *req,
649 			      struct smp_cmd_pairing *rsp, __u8 authreq)
650 {
651 	struct l2cap_chan *chan = conn->smp;
652 	struct smp_chan *smp = chan->data;
653 	struct hci_conn *hcon = conn->hcon;
654 	struct hci_dev *hdev = hcon->hdev;
655 	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656 
657 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660 		authreq |= SMP_AUTH_BONDING;
661 	} else {
662 		authreq &= ~SMP_AUTH_BONDING;
663 	}
664 
665 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666 		remote_dist |= SMP_DIST_ID_KEY;
667 
668 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669 		local_dist |= SMP_DIST_ID_KEY;
670 
671 	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672 	    (authreq & SMP_AUTH_SC)) {
673 		struct oob_data *oob_data;
674 		u8 bdaddr_type;
675 
676 		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677 			local_dist |= SMP_DIST_LINK_KEY;
678 			remote_dist |= SMP_DIST_LINK_KEY;
679 		}
680 
681 		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 			bdaddr_type = BDADDR_LE_PUBLIC;
683 		else
684 			bdaddr_type = BDADDR_LE_RANDOM;
685 
686 		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 						    bdaddr_type);
688 		if (oob_data && oob_data->present) {
689 			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690 			oob_flag = SMP_OOB_PRESENT;
691 			memcpy(smp->rr, oob_data->rand256, 16);
692 			memcpy(smp->pcnf, oob_data->hash256, 16);
693 			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695 		}
696 
697 	} else {
698 		authreq &= ~SMP_AUTH_SC;
699 	}
700 
701 	if (rsp == NULL) {
702 		req->io_capability = conn->hcon->io_capability;
703 		req->oob_flag = oob_flag;
704 		req->max_key_size = hdev->le_max_key_size;
705 		req->init_key_dist = local_dist;
706 		req->resp_key_dist = remote_dist;
707 		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708 
709 		smp->remote_key_dist = remote_dist;
710 		return;
711 	}
712 
713 	rsp->io_capability = conn->hcon->io_capability;
714 	rsp->oob_flag = oob_flag;
715 	rsp->max_key_size = hdev->le_max_key_size;
716 	rsp->init_key_dist = req->init_key_dist & remote_dist;
717 	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718 	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719 
720 	smp->remote_key_dist = rsp->init_key_dist;
721 }
722 
check_enc_key_size(struct l2cap_conn * conn,__u8 max_key_size)723 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724 {
725 	struct l2cap_chan *chan = conn->smp;
726 	struct hci_dev *hdev = conn->hcon->hdev;
727 	struct smp_chan *smp = chan->data;
728 
729 	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 		return SMP_ENC_KEY_SIZE;
732 
733 	if (max_key_size > hdev->le_max_key_size ||
734 	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735 		return SMP_ENC_KEY_SIZE;
736 
737 	smp->enc_key_size = max_key_size;
738 
739 	return 0;
740 }
741 
smp_chan_destroy(struct l2cap_conn * conn)742 static void smp_chan_destroy(struct l2cap_conn *conn)
743 {
744 	struct l2cap_chan *chan = conn->smp;
745 	struct smp_chan *smp = chan->data;
746 	struct hci_conn *hcon = conn->hcon;
747 	bool complete;
748 
749 	BUG_ON(!smp);
750 
751 	cancel_delayed_work_sync(&smp->security_timer);
752 
753 	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754 	mgmt_smp_complete(hcon, complete);
755 
756 	kfree_sensitive(smp->csrk);
757 	kfree_sensitive(smp->responder_csrk);
758 	kfree_sensitive(smp->link_key);
759 
760 	crypto_free_shash(smp->tfm_cmac);
761 	crypto_free_kpp(smp->tfm_ecdh);
762 
763 	/* Ensure that we don't leave any debug key around if debug key
764 	 * support hasn't been explicitly enabled.
765 	 */
766 	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767 	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768 		list_del_rcu(&smp->ltk->list);
769 		kfree_rcu(smp->ltk, rcu);
770 		smp->ltk = NULL;
771 	}
772 
773 	/* If pairing failed clean up any keys we might have */
774 	if (!complete) {
775 		if (smp->ltk) {
776 			list_del_rcu(&smp->ltk->list);
777 			kfree_rcu(smp->ltk, rcu);
778 		}
779 
780 		if (smp->responder_ltk) {
781 			list_del_rcu(&smp->responder_ltk->list);
782 			kfree_rcu(smp->responder_ltk, rcu);
783 		}
784 
785 		if (smp->remote_irk) {
786 			list_del_rcu(&smp->remote_irk->list);
787 			kfree_rcu(smp->remote_irk, rcu);
788 		}
789 	}
790 
791 	chan->data = NULL;
792 	kfree_sensitive(smp);
793 	hci_conn_drop(hcon);
794 }
795 
smp_failure(struct l2cap_conn * conn,u8 reason)796 static void smp_failure(struct l2cap_conn *conn, u8 reason)
797 {
798 	struct hci_conn *hcon = conn->hcon;
799 	struct l2cap_chan *chan = conn->smp;
800 
801 	if (reason)
802 		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803 			     &reason);
804 
805 	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806 
807 	if (chan->data)
808 		smp_chan_destroy(conn);
809 }
810 
811 #define JUST_WORKS	0x00
812 #define JUST_CFM	0x01
813 #define REQ_PASSKEY	0x02
814 #define CFM_PASSKEY	0x03
815 #define REQ_OOB		0x04
816 #define DSP_PASSKEY	0x05
817 #define OVERLAP		0xFF
818 
819 static const u8 gen_method[5][5] = {
820 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824 	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825 };
826 
827 static const u8 sc_method[5][5] = {
828 	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832 	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833 };
834 
get_auth_method(struct smp_chan * smp,u8 local_io,u8 remote_io)835 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836 {
837 	/* If either side has unknown io_caps, use JUST_CFM (which gets
838 	 * converted later to JUST_WORKS if we're initiators.
839 	 */
840 	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842 		return JUST_CFM;
843 
844 	if (test_bit(SMP_FLAG_SC, &smp->flags))
845 		return sc_method[remote_io][local_io];
846 
847 	return gen_method[remote_io][local_io];
848 }
849 
tk_request(struct l2cap_conn * conn,u8 remote_oob,u8 auth,u8 local_io,u8 remote_io)850 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 						u8 local_io, u8 remote_io)
852 {
853 	struct hci_conn *hcon = conn->hcon;
854 	struct l2cap_chan *chan = conn->smp;
855 	struct smp_chan *smp = chan->data;
856 	u32 passkey = 0;
857 	int ret;
858 
859 	/* Initialize key for JUST WORKS */
860 	memset(smp->tk, 0, sizeof(smp->tk));
861 	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862 
863 	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864 		   remote_io);
865 
866 	/* If neither side wants MITM, either "just" confirm an incoming
867 	 * request or use just-works for outgoing ones. The JUST_CFM
868 	 * will be converted to JUST_WORKS if necessary later in this
869 	 * function. If either side has MITM look up the method from the
870 	 * table.
871 	 */
872 	if (!(auth & SMP_AUTH_MITM))
873 		smp->method = JUST_CFM;
874 	else
875 		smp->method = get_auth_method(smp, local_io, remote_io);
876 
877 	/* Don't confirm locally initiated pairing attempts */
878 	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879 						&smp->flags))
880 		smp->method = JUST_WORKS;
881 
882 	/* Don't bother user space with no IO capabilities */
883 	if (smp->method == JUST_CFM &&
884 	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885 		smp->method = JUST_WORKS;
886 
887 	/* If Just Works, Continue with Zero TK and ask user-space for
888 	 * confirmation */
889 	if (smp->method == JUST_WORKS) {
890 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
891 						hcon->type,
892 						hcon->dst_type,
893 						passkey, 1);
894 		if (ret)
895 			return ret;
896 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
897 		return 0;
898 	}
899 
900 	/* If this function is used for SC -> legacy fallback we
901 	 * can only recover the just-works case.
902 	 */
903 	if (test_bit(SMP_FLAG_SC, &smp->flags))
904 		return -EINVAL;
905 
906 	/* Not Just Works/Confirm results in MITM Authentication */
907 	if (smp->method != JUST_CFM) {
908 		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909 		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910 			hcon->pending_sec_level = BT_SECURITY_HIGH;
911 	}
912 
913 	/* If both devices have Keyboard-Display I/O, the initiator
914 	 * Confirms and the responder Enters the passkey.
915 	 */
916 	if (smp->method == OVERLAP) {
917 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
918 			smp->method = CFM_PASSKEY;
919 		else
920 			smp->method = REQ_PASSKEY;
921 	}
922 
923 	/* Generate random passkey. */
924 	if (smp->method == CFM_PASSKEY) {
925 		memset(smp->tk, 0, sizeof(smp->tk));
926 		get_random_bytes(&passkey, sizeof(passkey));
927 		passkey %= 1000000;
928 		put_unaligned_le32(passkey, smp->tk);
929 		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931 	}
932 
933 	if (smp->method == REQ_PASSKEY)
934 		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935 						hcon->type, hcon->dst_type);
936 	else if (smp->method == JUST_CFM)
937 		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938 						hcon->type, hcon->dst_type,
939 						passkey, 1);
940 	else
941 		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942 						hcon->type, hcon->dst_type,
943 						passkey, 0);
944 
945 	return ret;
946 }
947 
smp_confirm(struct smp_chan * smp)948 static u8 smp_confirm(struct smp_chan *smp)
949 {
950 	struct l2cap_conn *conn = smp->conn;
951 	struct smp_cmd_pairing_confirm cp;
952 	int ret;
953 
954 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955 
956 	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
957 		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958 		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959 		     cp.confirm_val);
960 	if (ret)
961 		return SMP_UNSPECIFIED;
962 
963 	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964 
965 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966 
967 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
968 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969 	else
970 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971 
972 	return 0;
973 }
974 
smp_random(struct smp_chan * smp)975 static u8 smp_random(struct smp_chan *smp)
976 {
977 	struct l2cap_conn *conn = smp->conn;
978 	struct hci_conn *hcon = conn->hcon;
979 	u8 confirm[16];
980 	int ret;
981 
982 	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983 		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
984 		   "responder");
985 
986 	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987 		     hcon->init_addr_type, &hcon->init_addr,
988 		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
989 	if (ret)
990 		return SMP_UNSPECIFIED;
991 
992 	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993 		bt_dev_err(hcon->hdev, "pairing failed "
994 			   "(confirmation values mismatch)");
995 		return SMP_CONFIRM_FAILED;
996 	}
997 
998 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
999 		u8 stk[16];
1000 		__le64 rand = 0;
1001 		__le16 ediv = 0;
1002 
1003 		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1004 
1005 		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006 			return SMP_UNSPECIFIED;
1007 
1008 		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009 		hcon->enc_key_size = smp->enc_key_size;
1010 		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011 	} else {
1012 		u8 stk[16], auth;
1013 		__le64 rand = 0;
1014 		__le16 ediv = 0;
1015 
1016 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017 			     smp->prnd);
1018 
1019 		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1020 
1021 		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022 			auth = 1;
1023 		else
1024 			auth = 0;
1025 
1026 		/* Even though there's no _RESPONDER suffix this is the
1027 		 * responder STK we're adding for later lookup (the initiator
1028 		 * STK never needs to be stored).
1029 		 */
1030 		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031 			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032 	}
1033 
1034 	return 0;
1035 }
1036 
smp_notify_keys(struct l2cap_conn * conn)1037 static void smp_notify_keys(struct l2cap_conn *conn)
1038 {
1039 	struct l2cap_chan *chan = conn->smp;
1040 	struct smp_chan *smp = chan->data;
1041 	struct hci_conn *hcon = conn->hcon;
1042 	struct hci_dev *hdev = hcon->hdev;
1043 	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044 	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045 	bool persistent;
1046 
1047 	if (hcon->type == ACL_LINK) {
1048 		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049 			persistent = false;
1050 		else
1051 			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052 					       &hcon->flags);
1053 	} else {
1054 		/* The LTKs, IRKs and CSRKs should be persistent only if
1055 		 * both sides had the bonding bit set in their
1056 		 * authentication requests.
1057 		 */
1058 		persistent = !!((req->auth_req & rsp->auth_req) &
1059 				SMP_AUTH_BONDING);
1060 	}
1061 
1062 	if (smp->remote_irk) {
1063 		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064 
1065 		/* Now that user space can be considered to know the
1066 		 * identity address track the connection based on it
1067 		 * from now on (assuming this is an LE link).
1068 		 */
1069 		if (hcon->type == LE_LINK) {
1070 			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071 			hcon->dst_type = smp->remote_irk->addr_type;
1072 			/* Use a short delay to make sure the new address is
1073 			 * propagated _before_ the channels.
1074 			 */
1075 			queue_delayed_work(hdev->workqueue,
1076 					   &conn->id_addr_timer,
1077 					   ID_ADDR_TIMEOUT);
1078 		}
1079 	}
1080 
1081 	if (smp->csrk) {
1082 		smp->csrk->bdaddr_type = hcon->dst_type;
1083 		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085 	}
1086 
1087 	if (smp->responder_csrk) {
1088 		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1089 		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1090 		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1091 	}
1092 
1093 	if (smp->ltk) {
1094 		smp->ltk->bdaddr_type = hcon->dst_type;
1095 		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097 	}
1098 
1099 	if (smp->responder_ltk) {
1100 		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1101 		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1102 		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1103 	}
1104 
1105 	if (smp->link_key) {
1106 		struct link_key *key;
1107 		u8 type;
1108 
1109 		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 			type = HCI_LK_DEBUG_COMBINATION;
1111 		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 			type = HCI_LK_AUTH_COMBINATION_P256;
1113 		else
1114 			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115 
1116 		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 				       smp->link_key, type, 0, &persistent);
1118 		if (key) {
1119 			mgmt_new_link_key(hdev, key, persistent);
1120 
1121 			/* Don't keep debug keys around if the relevant
1122 			 * flag is not set.
1123 			 */
1124 			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125 			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126 				list_del_rcu(&key->list);
1127 				kfree_rcu(key, rcu);
1128 			}
1129 		}
1130 	}
1131 }
1132 
sc_add_ltk(struct smp_chan * smp)1133 static void sc_add_ltk(struct smp_chan *smp)
1134 {
1135 	struct hci_conn *hcon = smp->conn->hcon;
1136 	u8 key_type, auth;
1137 
1138 	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 		key_type = SMP_LTK_P256_DEBUG;
1140 	else
1141 		key_type = SMP_LTK_P256;
1142 
1143 	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 		auth = 1;
1145 	else
1146 		auth = 0;
1147 
1148 	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 			       key_type, auth, smp->tk, smp->enc_key_size,
1150 			       0, 0);
1151 }
1152 
sc_generate_link_key(struct smp_chan * smp)1153 static void sc_generate_link_key(struct smp_chan *smp)
1154 {
1155 	/* From core spec. Spells out in ASCII as 'lebr'. */
1156 	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157 
1158 	smp->link_key = kzalloc(16, GFP_KERNEL);
1159 	if (!smp->link_key)
1160 		return;
1161 
1162 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 		/* SALT = 0x000000000000000000000000746D7031 */
1164 		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166 		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 			kfree_sensitive(smp->link_key);
1168 			smp->link_key = NULL;
1169 			return;
1170 		}
1171 	} else {
1172 		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173 		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174 
1175 		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 			kfree_sensitive(smp->link_key);
1177 			smp->link_key = NULL;
1178 			return;
1179 		}
1180 	}
1181 
1182 	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183 		kfree_sensitive(smp->link_key);
1184 		smp->link_key = NULL;
1185 		return;
1186 	}
1187 }
1188 
smp_allow_key_dist(struct smp_chan * smp)1189 static void smp_allow_key_dist(struct smp_chan *smp)
1190 {
1191 	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 	 * will be allowed in each PDU handler to ensure we receive
1193 	 * them in the correct order.
1194 	 */
1195 	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201 }
1202 
sc_generate_ltk(struct smp_chan * smp)1203 static void sc_generate_ltk(struct smp_chan *smp)
1204 {
1205 	/* From core spec. Spells out in ASCII as 'brle'. */
1206 	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 	struct hci_conn *hcon = smp->conn->hcon;
1208 	struct hci_dev *hdev = hcon->hdev;
1209 	struct link_key *key;
1210 
1211 	key = hci_find_link_key(hdev, &hcon->dst);
1212 	if (!key) {
1213 		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214 		return;
1215 	}
1216 
1217 	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219 
1220 	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 		/* SALT = 0x000000000000000000000000746D7032 */
1222 		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223 
1224 		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225 			return;
1226 	} else {
1227 		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228 		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229 
1230 		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231 			return;
1232 	}
1233 
1234 	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235 		return;
1236 
1237 	sc_add_ltk(smp);
1238 }
1239 
smp_distribute_keys(struct smp_chan * smp)1240 static void smp_distribute_keys(struct smp_chan *smp)
1241 {
1242 	struct smp_cmd_pairing *req, *rsp;
1243 	struct l2cap_conn *conn = smp->conn;
1244 	struct hci_conn *hcon = conn->hcon;
1245 	struct hci_dev *hdev = hcon->hdev;
1246 	__u8 *keydist;
1247 
1248 	bt_dev_dbg(hdev, "conn %p", conn);
1249 
1250 	rsp = (void *) &smp->prsp[1];
1251 
1252 	/* The responder sends its keys first */
1253 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
1254 	    (smp->remote_key_dist & KEY_DIST_MASK)) {
1255 		smp_allow_key_dist(smp);
1256 		return;
1257 	}
1258 
1259 	req = (void *) &smp->preq[1];
1260 
1261 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1262 		keydist = &rsp->init_key_dist;
1263 		*keydist &= req->init_key_dist;
1264 	} else {
1265 		keydist = &rsp->resp_key_dist;
1266 		*keydist &= req->resp_key_dist;
1267 	}
1268 
1269 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270 		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271 			sc_generate_link_key(smp);
1272 		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273 			sc_generate_ltk(smp);
1274 
1275 		/* Clear the keys which are generated but not distributed */
1276 		*keydist &= ~SMP_SC_NO_DIST;
1277 	}
1278 
1279 	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1280 
1281 	if (*keydist & SMP_DIST_ENC_KEY) {
1282 		struct smp_cmd_encrypt_info enc;
1283 		struct smp_cmd_initiator_ident ident;
1284 		struct smp_ltk *ltk;
1285 		u8 authenticated;
1286 		__le16 ediv;
1287 		__le64 rand;
1288 
1289 		/* Make sure we generate only the significant amount of
1290 		 * bytes based on the encryption key size, and set the rest
1291 		 * of the value to zeroes.
1292 		 */
1293 		get_random_bytes(enc.ltk, smp->enc_key_size);
1294 		memset(enc.ltk + smp->enc_key_size, 0,
1295 		       sizeof(enc.ltk) - smp->enc_key_size);
1296 
1297 		get_random_bytes(&ediv, sizeof(ediv));
1298 		get_random_bytes(&rand, sizeof(rand));
1299 
1300 		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301 
1302 		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303 		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304 				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1305 				  smp->enc_key_size, ediv, rand);
1306 		smp->responder_ltk = ltk;
1307 
1308 		ident.ediv = ediv;
1309 		ident.rand = rand;
1310 
1311 		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1312 			     &ident);
1313 
1314 		*keydist &= ~SMP_DIST_ENC_KEY;
1315 	}
1316 
1317 	if (*keydist & SMP_DIST_ID_KEY) {
1318 		struct smp_cmd_ident_addr_info addrinfo;
1319 		struct smp_cmd_ident_info idinfo;
1320 
1321 		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1322 
1323 		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1324 
1325 		/* The hci_conn contains the local identity address
1326 		 * after the connection has been established.
1327 		 *
1328 		 * This is true even when the connection has been
1329 		 * established using a resolvable random address.
1330 		 */
1331 		bacpy(&addrinfo.bdaddr, &hcon->src);
1332 		addrinfo.addr_type = hcon->src_type;
1333 
1334 		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1335 			     &addrinfo);
1336 
1337 		*keydist &= ~SMP_DIST_ID_KEY;
1338 	}
1339 
1340 	if (*keydist & SMP_DIST_SIGN) {
1341 		struct smp_cmd_sign_info sign;
1342 		struct smp_csrk *csrk;
1343 
1344 		/* Generate a new random key */
1345 		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1346 
1347 		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1348 		if (csrk) {
1349 			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1350 				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1351 			else
1352 				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1353 			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1354 		}
1355 		smp->responder_csrk = csrk;
1356 
1357 		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1358 
1359 		*keydist &= ~SMP_DIST_SIGN;
1360 	}
1361 
1362 	/* If there are still keys to be received wait for them */
1363 	if (smp->remote_key_dist & KEY_DIST_MASK) {
1364 		smp_allow_key_dist(smp);
1365 		return;
1366 	}
1367 
1368 	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1369 	smp_notify_keys(conn);
1370 
1371 	smp_chan_destroy(conn);
1372 }
1373 
smp_timeout(struct work_struct * work)1374 static void smp_timeout(struct work_struct *work)
1375 {
1376 	struct smp_chan *smp = container_of(work, struct smp_chan,
1377 					    security_timer.work);
1378 	struct l2cap_conn *conn = smp->conn;
1379 
1380 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1381 
1382 	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1383 }
1384 
smp_chan_create(struct l2cap_conn * conn)1385 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1386 {
1387 	struct hci_conn *hcon = conn->hcon;
1388 	struct l2cap_chan *chan = conn->smp;
1389 	struct smp_chan *smp;
1390 
1391 	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1392 	if (!smp)
1393 		return NULL;
1394 
1395 	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1396 	if (IS_ERR(smp->tfm_cmac)) {
1397 		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1398 		goto zfree_smp;
1399 	}
1400 
1401 	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1402 	if (IS_ERR(smp->tfm_ecdh)) {
1403 		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1404 		goto free_shash;
1405 	}
1406 
1407 	smp->conn = conn;
1408 	chan->data = smp;
1409 
1410 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1411 
1412 	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1413 
1414 	hci_conn_hold(hcon);
1415 
1416 	return smp;
1417 
1418 free_shash:
1419 	crypto_free_shash(smp->tfm_cmac);
1420 zfree_smp:
1421 	kfree_sensitive(smp);
1422 	return NULL;
1423 }
1424 
sc_mackey_and_ltk(struct smp_chan * smp,u8 mackey[16],u8 ltk[16])1425 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1426 {
1427 	struct hci_conn *hcon = smp->conn->hcon;
1428 	u8 *na, *nb, a[7], b[7];
1429 
1430 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1431 		na   = smp->prnd;
1432 		nb   = smp->rrnd;
1433 	} else {
1434 		na   = smp->rrnd;
1435 		nb   = smp->prnd;
1436 	}
1437 
1438 	memcpy(a, &hcon->init_addr, 6);
1439 	memcpy(b, &hcon->resp_addr, 6);
1440 	a[6] = hcon->init_addr_type;
1441 	b[6] = hcon->resp_addr_type;
1442 
1443 	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1444 }
1445 
sc_dhkey_check(struct smp_chan * smp)1446 static void sc_dhkey_check(struct smp_chan *smp)
1447 {
1448 	struct hci_conn *hcon = smp->conn->hcon;
1449 	struct smp_cmd_dhkey_check check;
1450 	u8 a[7], b[7], *local_addr, *remote_addr;
1451 	u8 io_cap[3], r[16];
1452 
1453 	memcpy(a, &hcon->init_addr, 6);
1454 	memcpy(b, &hcon->resp_addr, 6);
1455 	a[6] = hcon->init_addr_type;
1456 	b[6] = hcon->resp_addr_type;
1457 
1458 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1459 		local_addr = a;
1460 		remote_addr = b;
1461 		memcpy(io_cap, &smp->preq[1], 3);
1462 	} else {
1463 		local_addr = b;
1464 		remote_addr = a;
1465 		memcpy(io_cap, &smp->prsp[1], 3);
1466 	}
1467 
1468 	memset(r, 0, sizeof(r));
1469 
1470 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1471 		put_unaligned_le32(hcon->passkey_notify, r);
1472 
1473 	if (smp->method == REQ_OOB)
1474 		memcpy(r, smp->rr, 16);
1475 
1476 	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1477 	       local_addr, remote_addr, check.e);
1478 
1479 	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1480 }
1481 
sc_passkey_send_confirm(struct smp_chan * smp)1482 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1483 {
1484 	struct l2cap_conn *conn = smp->conn;
1485 	struct hci_conn *hcon = conn->hcon;
1486 	struct smp_cmd_pairing_confirm cfm;
1487 	u8 r;
1488 
1489 	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1490 	r |= 0x80;
1491 
1492 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1493 
1494 	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1495 		   cfm.confirm_val))
1496 		return SMP_UNSPECIFIED;
1497 
1498 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1499 
1500 	return 0;
1501 }
1502 
sc_passkey_round(struct smp_chan * smp,u8 smp_op)1503 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1504 {
1505 	struct l2cap_conn *conn = smp->conn;
1506 	struct hci_conn *hcon = conn->hcon;
1507 	struct hci_dev *hdev = hcon->hdev;
1508 	u8 cfm[16], r;
1509 
1510 	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1511 	if (smp->passkey_round >= 20)
1512 		return 0;
1513 
1514 	switch (smp_op) {
1515 	case SMP_CMD_PAIRING_RANDOM:
1516 		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1517 		r |= 0x80;
1518 
1519 		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1520 			   smp->rrnd, r, cfm))
1521 			return SMP_UNSPECIFIED;
1522 
1523 		if (crypto_memneq(smp->pcnf, cfm, 16))
1524 			return SMP_CONFIRM_FAILED;
1525 
1526 		smp->passkey_round++;
1527 
1528 		if (smp->passkey_round == 20) {
1529 			/* Generate MacKey and LTK */
1530 			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1531 				return SMP_UNSPECIFIED;
1532 		}
1533 
1534 		/* The round is only complete when the initiator
1535 		 * receives pairing random.
1536 		 */
1537 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1538 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1539 				     sizeof(smp->prnd), smp->prnd);
1540 			if (smp->passkey_round == 20)
1541 				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542 			else
1543 				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544 			return 0;
1545 		}
1546 
1547 		/* Start the next round */
1548 		if (smp->passkey_round != 20)
1549 			return sc_passkey_round(smp, 0);
1550 
1551 		/* Passkey rounds are complete - start DHKey Check */
1552 		sc_dhkey_check(smp);
1553 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1554 
1555 		break;
1556 
1557 	case SMP_CMD_PAIRING_CONFIRM:
1558 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1559 			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1560 			return 0;
1561 		}
1562 
1563 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1564 
1565 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1566 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1567 				     sizeof(smp->prnd), smp->prnd);
1568 			return 0;
1569 		}
1570 
1571 		return sc_passkey_send_confirm(smp);
1572 
1573 	case SMP_CMD_PUBLIC_KEY:
1574 	default:
1575 		/* Initiating device starts the round */
1576 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1577 			return 0;
1578 
1579 		bt_dev_dbg(hdev, "Starting passkey round %u",
1580 			   smp->passkey_round + 1);
1581 
1582 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1583 
1584 		return sc_passkey_send_confirm(smp);
1585 	}
1586 
1587 	return 0;
1588 }
1589 
sc_user_reply(struct smp_chan * smp,u16 mgmt_op,__le32 passkey)1590 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1591 {
1592 	struct l2cap_conn *conn = smp->conn;
1593 	struct hci_conn *hcon = conn->hcon;
1594 	u8 smp_op;
1595 
1596 	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1597 
1598 	switch (mgmt_op) {
1599 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1600 		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1601 		return 0;
1602 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1603 		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1604 		return 0;
1605 	case MGMT_OP_USER_PASSKEY_REPLY:
1606 		hcon->passkey_notify = le32_to_cpu(passkey);
1607 		smp->passkey_round = 0;
1608 
1609 		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1610 			smp_op = SMP_CMD_PAIRING_CONFIRM;
1611 		else
1612 			smp_op = 0;
1613 
1614 		if (sc_passkey_round(smp, smp_op))
1615 			return -EIO;
1616 
1617 		return 0;
1618 	}
1619 
1620 	/* Initiator sends DHKey check first */
1621 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1622 		sc_dhkey_check(smp);
1623 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1624 	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1625 		sc_dhkey_check(smp);
1626 		sc_add_ltk(smp);
1627 	}
1628 
1629 	return 0;
1630 }
1631 
smp_user_confirm_reply(struct hci_conn * hcon,u16 mgmt_op,__le32 passkey)1632 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1633 {
1634 	struct l2cap_conn *conn = hcon->l2cap_data;
1635 	struct l2cap_chan *chan;
1636 	struct smp_chan *smp;
1637 	u32 value;
1638 	int err;
1639 
1640 	if (!conn)
1641 		return -ENOTCONN;
1642 
1643 	bt_dev_dbg(conn->hcon->hdev, "");
1644 
1645 	chan = conn->smp;
1646 	if (!chan)
1647 		return -ENOTCONN;
1648 
1649 	l2cap_chan_lock(chan);
1650 	if (!chan->data) {
1651 		err = -ENOTCONN;
1652 		goto unlock;
1653 	}
1654 
1655 	smp = chan->data;
1656 
1657 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1658 		err = sc_user_reply(smp, mgmt_op, passkey);
1659 		goto unlock;
1660 	}
1661 
1662 	switch (mgmt_op) {
1663 	case MGMT_OP_USER_PASSKEY_REPLY:
1664 		value = le32_to_cpu(passkey);
1665 		memset(smp->tk, 0, sizeof(smp->tk));
1666 		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1667 		put_unaligned_le32(value, smp->tk);
1668 		fallthrough;
1669 	case MGMT_OP_USER_CONFIRM_REPLY:
1670 		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1671 		break;
1672 	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1673 	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1674 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1675 		err = 0;
1676 		goto unlock;
1677 	default:
1678 		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1679 		err = -EOPNOTSUPP;
1680 		goto unlock;
1681 	}
1682 
1683 	err = 0;
1684 
1685 	/* If it is our turn to send Pairing Confirm, do so now */
1686 	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1687 		u8 rsp = smp_confirm(smp);
1688 		if (rsp)
1689 			smp_failure(conn, rsp);
1690 	}
1691 
1692 unlock:
1693 	l2cap_chan_unlock(chan);
1694 	return err;
1695 }
1696 
build_bredr_pairing_cmd(struct smp_chan * smp,struct smp_cmd_pairing * req,struct smp_cmd_pairing * rsp)1697 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1698 				    struct smp_cmd_pairing *req,
1699 				    struct smp_cmd_pairing *rsp)
1700 {
1701 	struct l2cap_conn *conn = smp->conn;
1702 	struct hci_dev *hdev = conn->hcon->hdev;
1703 	u8 local_dist = 0, remote_dist = 0;
1704 
1705 	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1706 		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1707 		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1708 	}
1709 
1710 	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1711 		remote_dist |= SMP_DIST_ID_KEY;
1712 
1713 	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1714 		local_dist |= SMP_DIST_ID_KEY;
1715 
1716 	if (!rsp) {
1717 		memset(req, 0, sizeof(*req));
1718 
1719 		req->auth_req        = SMP_AUTH_CT2;
1720 		req->init_key_dist   = local_dist;
1721 		req->resp_key_dist   = remote_dist;
1722 		req->max_key_size    = conn->hcon->enc_key_size;
1723 
1724 		smp->remote_key_dist = remote_dist;
1725 
1726 		return;
1727 	}
1728 
1729 	memset(rsp, 0, sizeof(*rsp));
1730 
1731 	rsp->auth_req        = SMP_AUTH_CT2;
1732 	rsp->max_key_size    = conn->hcon->enc_key_size;
1733 	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1734 	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1735 
1736 	smp->remote_key_dist = rsp->init_key_dist;
1737 }
1738 
smp_cmd_pairing_req(struct l2cap_conn * conn,struct sk_buff * skb)1739 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1740 {
1741 	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1742 	struct l2cap_chan *chan = conn->smp;
1743 	struct hci_dev *hdev = conn->hcon->hdev;
1744 	struct smp_chan *smp = chan->data;
1745 	u8 key_size, auth, sec_level;
1746 	int ret;
1747 
1748 	bt_dev_dbg(hdev, "conn %p", conn);
1749 
1750 	if (skb->len < sizeof(*req))
1751 		return SMP_INVALID_PARAMS;
1752 
1753 	if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1754 		return SMP_CMD_NOTSUPP;
1755 
1756 	if (!smp) {
1757 		smp = smp_chan_create(conn);
1758 		if (!smp)
1759 			return SMP_UNSPECIFIED;
1760 	}
1761 
1762 	/* We didn't start the pairing, so match remote */
1763 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1764 
1765 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1766 	    (auth & SMP_AUTH_BONDING))
1767 		return SMP_PAIRING_NOTSUPP;
1768 
1769 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1770 		return SMP_AUTH_REQUIREMENTS;
1771 
1772 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1773 	memcpy(&smp->preq[1], req, sizeof(*req));
1774 	skb_pull(skb, sizeof(*req));
1775 
1776 	/* If the remote side's OOB flag is set it means it has
1777 	 * successfully received our local OOB data - therefore set the
1778 	 * flag to indicate that local OOB is in use.
1779 	 */
1780 	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1781 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1782 
1783 	/* SMP over BR/EDR requires special treatment */
1784 	if (conn->hcon->type == ACL_LINK) {
1785 		/* We must have a BR/EDR SC link */
1786 		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1787 		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1788 			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1789 
1790 		set_bit(SMP_FLAG_SC, &smp->flags);
1791 
1792 		build_bredr_pairing_cmd(smp, req, &rsp);
1793 
1794 		if (req->auth_req & SMP_AUTH_CT2)
1795 			set_bit(SMP_FLAG_CT2, &smp->flags);
1796 
1797 		key_size = min(req->max_key_size, rsp.max_key_size);
1798 		if (check_enc_key_size(conn, key_size))
1799 			return SMP_ENC_KEY_SIZE;
1800 
1801 		/* Clear bits which are generated but not distributed */
1802 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803 
1804 		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1805 		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1806 		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1807 
1808 		smp_distribute_keys(smp);
1809 		return 0;
1810 	}
1811 
1812 	build_pairing_cmd(conn, req, &rsp, auth);
1813 
1814 	if (rsp.auth_req & SMP_AUTH_SC) {
1815 		set_bit(SMP_FLAG_SC, &smp->flags);
1816 
1817 		if (rsp.auth_req & SMP_AUTH_CT2)
1818 			set_bit(SMP_FLAG_CT2, &smp->flags);
1819 	}
1820 
1821 	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1822 		sec_level = BT_SECURITY_MEDIUM;
1823 	else
1824 		sec_level = authreq_to_seclevel(auth);
1825 
1826 	if (sec_level > conn->hcon->pending_sec_level)
1827 		conn->hcon->pending_sec_level = sec_level;
1828 
1829 	/* If we need MITM check that it can be achieved */
1830 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1831 		u8 method;
1832 
1833 		method = get_auth_method(smp, conn->hcon->io_capability,
1834 					 req->io_capability);
1835 		if (method == JUST_WORKS || method == JUST_CFM)
1836 			return SMP_AUTH_REQUIREMENTS;
1837 	}
1838 
1839 	key_size = min(req->max_key_size, rsp.max_key_size);
1840 	if (check_enc_key_size(conn, key_size))
1841 		return SMP_ENC_KEY_SIZE;
1842 
1843 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1844 
1845 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1846 	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1847 
1848 	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1849 
1850 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1851 
1852 	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1853 	 * SC case, however some implementations incorrectly copy RFU auth
1854 	 * req bits from our security request, which may create a false
1855 	 * positive SC enablement.
1856 	 */
1857 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1858 
1859 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1860 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 		/* Clear bits which are generated but not distributed */
1862 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863 		/* Wait for Public Key from Initiating Device */
1864 		return 0;
1865 	}
1866 
1867 	/* Request setup of TK */
1868 	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1869 	if (ret)
1870 		return SMP_UNSPECIFIED;
1871 
1872 	return 0;
1873 }
1874 
sc_send_public_key(struct smp_chan * smp)1875 static u8 sc_send_public_key(struct smp_chan *smp)
1876 {
1877 	struct hci_dev *hdev = smp->conn->hcon->hdev;
1878 
1879 	bt_dev_dbg(hdev, "");
1880 
1881 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1882 		struct l2cap_chan *chan = hdev->smp_data;
1883 		struct smp_dev *smp_dev;
1884 
1885 		if (!chan || !chan->data)
1886 			return SMP_UNSPECIFIED;
1887 
1888 		smp_dev = chan->data;
1889 
1890 		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1891 		memcpy(smp->lr, smp_dev->local_rand, 16);
1892 
1893 		if (smp_dev->debug_key)
1894 			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 
1896 		goto done;
1897 	}
1898 
1899 	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1900 		bt_dev_dbg(hdev, "Using debug keys");
1901 		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1902 			return SMP_UNSPECIFIED;
1903 		memcpy(smp->local_pk, debug_pk, 64);
1904 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1905 	} else {
1906 		while (true) {
1907 			/* Generate key pair for Secure Connections */
1908 			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1909 				return SMP_UNSPECIFIED;
1910 
1911 			/* This is unlikely, but we need to check that
1912 			 * we didn't accidentally generate a debug key.
1913 			 */
1914 			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1915 				break;
1916 		}
1917 	}
1918 
1919 done:
1920 	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1921 	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1922 
1923 	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1924 
1925 	return 0;
1926 }
1927 
smp_cmd_pairing_rsp(struct l2cap_conn * conn,struct sk_buff * skb)1928 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929 {
1930 	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1931 	struct l2cap_chan *chan = conn->smp;
1932 	struct smp_chan *smp = chan->data;
1933 	struct hci_dev *hdev = conn->hcon->hdev;
1934 	u8 key_size, auth;
1935 	int ret;
1936 
1937 	bt_dev_dbg(hdev, "conn %p", conn);
1938 
1939 	if (skb->len < sizeof(*rsp))
1940 		return SMP_INVALID_PARAMS;
1941 
1942 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1943 		return SMP_CMD_NOTSUPP;
1944 
1945 	skb_pull(skb, sizeof(*rsp));
1946 
1947 	req = (void *) &smp->preq[1];
1948 
1949 	key_size = min(req->max_key_size, rsp->max_key_size);
1950 	if (check_enc_key_size(conn, key_size))
1951 		return SMP_ENC_KEY_SIZE;
1952 
1953 	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954 
1955 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1956 		return SMP_AUTH_REQUIREMENTS;
1957 
1958 	/* If the remote side's OOB flag is set it means it has
1959 	 * successfully received our local OOB data - therefore set the
1960 	 * flag to indicate that local OOB is in use.
1961 	 */
1962 	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1963 		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1964 
1965 	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1966 	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967 
1968 	/* Update remote key distribution in case the remote cleared
1969 	 * some bits that we had enabled in our request.
1970 	 */
1971 	smp->remote_key_dist &= rsp->resp_key_dist;
1972 
1973 	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1974 		set_bit(SMP_FLAG_CT2, &smp->flags);
1975 
1976 	/* For BR/EDR this means we're done and can start phase 3 */
1977 	if (conn->hcon->type == ACL_LINK) {
1978 		/* Clear bits which are generated but not distributed */
1979 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1980 		smp_distribute_keys(smp);
1981 		return 0;
1982 	}
1983 
1984 	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1985 		set_bit(SMP_FLAG_SC, &smp->flags);
1986 	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1987 		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988 
1989 	/* If we need MITM check that it can be achieved */
1990 	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1991 		u8 method;
1992 
1993 		method = get_auth_method(smp, req->io_capability,
1994 					 rsp->io_capability);
1995 		if (method == JUST_WORKS || method == JUST_CFM)
1996 			return SMP_AUTH_REQUIREMENTS;
1997 	}
1998 
1999 	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2000 
2001 	/* Update remote key distribution in case the remote cleared
2002 	 * some bits that we had enabled in our request.
2003 	 */
2004 	smp->remote_key_dist &= rsp->resp_key_dist;
2005 
2006 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2007 		/* Clear bits which are generated but not distributed */
2008 		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2009 		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2010 		return sc_send_public_key(smp);
2011 	}
2012 
2013 	auth |= req->auth_req;
2014 
2015 	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2016 	if (ret)
2017 		return SMP_UNSPECIFIED;
2018 
2019 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2020 
2021 	/* Can't compose response until we have been confirmed */
2022 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2023 		return smp_confirm(smp);
2024 
2025 	return 0;
2026 }
2027 
sc_check_confirm(struct smp_chan * smp)2028 static u8 sc_check_confirm(struct smp_chan *smp)
2029 {
2030 	struct l2cap_conn *conn = smp->conn;
2031 
2032 	bt_dev_dbg(conn->hcon->hdev, "");
2033 
2034 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035 		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036 
2037 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2038 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2039 			     smp->prnd);
2040 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2041 	}
2042 
2043 	return 0;
2044 }
2045 
2046 /* Work-around for some implementations that incorrectly copy RFU bits
2047  * from our security request and thereby create the impression that
2048  * we're doing SC when in fact the remote doesn't support it.
2049  */
fixup_sc_false_positive(struct smp_chan * smp)2050 static int fixup_sc_false_positive(struct smp_chan *smp)
2051 {
2052 	struct l2cap_conn *conn = smp->conn;
2053 	struct hci_conn *hcon = conn->hcon;
2054 	struct hci_dev *hdev = hcon->hdev;
2055 	struct smp_cmd_pairing *req, *rsp;
2056 	u8 auth;
2057 
2058 	/* The issue is only observed when we're in responder role */
2059 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2060 		return SMP_UNSPECIFIED;
2061 
2062 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2063 		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2064 		return SMP_UNSPECIFIED;
2065 	}
2066 
2067 	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2068 
2069 	req = (void *) &smp->preq[1];
2070 	rsp = (void *) &smp->prsp[1];
2071 
2072 	/* Rebuild key dist flags which may have been cleared for SC */
2073 	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074 
2075 	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076 
2077 	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2078 		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2079 		return SMP_UNSPECIFIED;
2080 	}
2081 
2082 	clear_bit(SMP_FLAG_SC, &smp->flags);
2083 
2084 	return 0;
2085 }
2086 
smp_cmd_pairing_confirm(struct l2cap_conn * conn,struct sk_buff * skb)2087 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088 {
2089 	struct l2cap_chan *chan = conn->smp;
2090 	struct smp_chan *smp = chan->data;
2091 	struct hci_conn *hcon = conn->hcon;
2092 	struct hci_dev *hdev = hcon->hdev;
2093 
2094 	bt_dev_dbg(hdev, "conn %p %s", conn,
2095 		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
2096 		   "responder");
2097 
2098 	if (skb->len < sizeof(smp->pcnf))
2099 		return SMP_INVALID_PARAMS;
2100 
2101 	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2102 	skb_pull(skb, sizeof(smp->pcnf));
2103 
2104 	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2105 		int ret;
2106 
2107 		/* Public Key exchange must happen before any other steps */
2108 		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2109 			return sc_check_confirm(smp);
2110 
2111 		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2112 
2113 		ret = fixup_sc_false_positive(smp);
2114 		if (ret)
2115 			return ret;
2116 	}
2117 
2118 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2119 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2120 			     smp->prnd);
2121 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2122 		return 0;
2123 	}
2124 
2125 	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2126 		return smp_confirm(smp);
2127 
2128 	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2129 
2130 	return 0;
2131 }
2132 
smp_cmd_pairing_random(struct l2cap_conn * conn,struct sk_buff * skb)2133 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2134 {
2135 	struct l2cap_chan *chan = conn->smp;
2136 	struct smp_chan *smp = chan->data;
2137 	struct hci_conn *hcon = conn->hcon;
2138 	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2139 	u32 passkey;
2140 	int err;
2141 
2142 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2143 
2144 	if (skb->len < sizeof(smp->rrnd))
2145 		return SMP_INVALID_PARAMS;
2146 
2147 	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2148 	skb_pull(skb, sizeof(smp->rrnd));
2149 
2150 	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2151 		return smp_random(smp);
2152 
2153 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2154 		pkax = smp->local_pk;
2155 		pkbx = smp->remote_pk;
2156 		na   = smp->prnd;
2157 		nb   = smp->rrnd;
2158 	} else {
2159 		pkax = smp->remote_pk;
2160 		pkbx = smp->local_pk;
2161 		na   = smp->rrnd;
2162 		nb   = smp->prnd;
2163 	}
2164 
2165 	if (smp->method == REQ_OOB) {
2166 		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2167 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2168 				     sizeof(smp->prnd), smp->prnd);
2169 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2170 		goto mackey_and_ltk;
2171 	}
2172 
2173 	/* Passkey entry has special treatment */
2174 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2175 		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2176 
2177 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2178 		u8 cfm[16];
2179 
2180 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2181 			     smp->rrnd, 0, cfm);
2182 		if (err)
2183 			return SMP_UNSPECIFIED;
2184 
2185 		if (crypto_memneq(smp->pcnf, cfm, 16))
2186 			return SMP_CONFIRM_FAILED;
2187 	} else {
2188 		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2189 			     smp->prnd);
2190 		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191 
2192 		/* Only Just-Works pairing requires extra checks */
2193 		if (smp->method != JUST_WORKS)
2194 			goto mackey_and_ltk;
2195 
2196 		/* If there already exists long term key in local host, leave
2197 		 * the decision to user space since the remote device could
2198 		 * be legitimate or malicious.
2199 		 */
2200 		if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2201 				 hcon->role)) {
2202 			/* Set passkey to 0. The value can be any number since
2203 			 * it'll be ignored anyway.
2204 			 */
2205 			passkey = 0;
2206 			confirm_hint = 1;
2207 			goto confirm;
2208 		}
2209 	}
2210 
2211 mackey_and_ltk:
2212 	/* Generate MacKey and LTK */
2213 	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2214 	if (err)
2215 		return SMP_UNSPECIFIED;
2216 
2217 	if (smp->method == REQ_OOB) {
2218 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2219 			sc_dhkey_check(smp);
2220 			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2221 		}
2222 		return 0;
2223 	}
2224 
2225 	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2226 	if (err)
2227 		return SMP_UNSPECIFIED;
2228 
2229 	confirm_hint = 0;
2230 
2231 confirm:
2232 	if (smp->method == JUST_WORKS)
2233 		confirm_hint = 1;
2234 
2235 	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2236 					hcon->dst_type, passkey, confirm_hint);
2237 	if (err)
2238 		return SMP_UNSPECIFIED;
2239 
2240 	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2241 
2242 	return 0;
2243 }
2244 
smp_ltk_encrypt(struct l2cap_conn * conn,u8 sec_level)2245 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2246 {
2247 	struct smp_ltk *key;
2248 	struct hci_conn *hcon = conn->hcon;
2249 
2250 	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2251 	if (!key)
2252 		return false;
2253 
2254 	if (smp_ltk_sec_level(key) < sec_level)
2255 		return false;
2256 
2257 	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2258 		return true;
2259 
2260 	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2261 	hcon->enc_key_size = key->enc_size;
2262 
2263 	/* We never store STKs for initiator role, so clear this flag */
2264 	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2265 
2266 	return true;
2267 }
2268 
smp_sufficient_security(struct hci_conn * hcon,u8 sec_level,enum smp_key_pref key_pref)2269 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2270 			     enum smp_key_pref key_pref)
2271 {
2272 	if (sec_level == BT_SECURITY_LOW)
2273 		return true;
2274 
2275 	/* If we're encrypted with an STK but the caller prefers using
2276 	 * LTK claim insufficient security. This way we allow the
2277 	 * connection to be re-encrypted with an LTK, even if the LTK
2278 	 * provides the same level of security. Only exception is if we
2279 	 * don't have an LTK (e.g. because of key distribution bits).
2280 	 */
2281 	if (key_pref == SMP_USE_LTK &&
2282 	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2283 	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2284 		return false;
2285 
2286 	if (hcon->sec_level >= sec_level)
2287 		return true;
2288 
2289 	return false;
2290 }
2291 
smp_send_pairing_req(struct smp_chan * smp,__u8 auth)2292 static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
2293 {
2294 	struct smp_cmd_pairing cp;
2295 
2296 	if (smp->conn->hcon->type == ACL_LINK)
2297 		build_bredr_pairing_cmd(smp, &cp, NULL);
2298 	else
2299 		build_pairing_cmd(smp->conn, &cp, NULL, auth);
2300 
2301 	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2302 	memcpy(&smp->preq[1], &cp, sizeof(cp));
2303 
2304 	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2305 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2306 
2307 	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2308 }
2309 
smp_cmd_security_req(struct l2cap_conn * conn,struct sk_buff * skb)2310 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2311 {
2312 	struct smp_cmd_security_req *rp = (void *) skb->data;
2313 	struct hci_conn *hcon = conn->hcon;
2314 	struct hci_dev *hdev = hcon->hdev;
2315 	struct smp_chan *smp;
2316 	u8 sec_level, auth;
2317 
2318 	bt_dev_dbg(hdev, "conn %p", conn);
2319 
2320 	if (skb->len < sizeof(*rp))
2321 		return SMP_INVALID_PARAMS;
2322 
2323 	if (hcon->role != HCI_ROLE_MASTER)
2324 		return SMP_CMD_NOTSUPP;
2325 
2326 	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2327 
2328 	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2329 		return SMP_AUTH_REQUIREMENTS;
2330 
2331 	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2332 		sec_level = BT_SECURITY_MEDIUM;
2333 	else
2334 		sec_level = authreq_to_seclevel(auth);
2335 
2336 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2337 		/* If link is already encrypted with sufficient security we
2338 		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2339 		 * Part H 2.4.6
2340 		 */
2341 		smp_ltk_encrypt(conn, hcon->sec_level);
2342 		return 0;
2343 	}
2344 
2345 	if (sec_level > hcon->pending_sec_level)
2346 		hcon->pending_sec_level = sec_level;
2347 
2348 	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2349 		return 0;
2350 
2351 	smp = smp_chan_create(conn);
2352 	if (!smp)
2353 		return SMP_UNSPECIFIED;
2354 
2355 	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2356 	    (auth & SMP_AUTH_BONDING))
2357 		return SMP_PAIRING_NOTSUPP;
2358 
2359 	skb_pull(skb, sizeof(*rp));
2360 
2361 	smp_send_pairing_req(smp, auth);
2362 
2363 	return 0;
2364 }
2365 
smp_send_security_req(struct smp_chan * smp,__u8 auth)2366 static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
2367 {
2368 	struct smp_cmd_security_req cp;
2369 
2370 	cp.auth_req = auth;
2371 	smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2372 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2373 
2374 	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
2375 }
2376 
smp_conn_security(struct hci_conn * hcon,__u8 sec_level)2377 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2378 {
2379 	struct l2cap_conn *conn = hcon->l2cap_data;
2380 	struct l2cap_chan *chan;
2381 	struct smp_chan *smp;
2382 	__u8 authreq;
2383 	int ret;
2384 
2385 	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2386 		   sec_level);
2387 
2388 	/* This may be NULL if there's an unexpected disconnection */
2389 	if (!conn)
2390 		return 1;
2391 
2392 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2393 		return 1;
2394 
2395 	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2396 		return 1;
2397 
2398 	if (sec_level > hcon->pending_sec_level)
2399 		hcon->pending_sec_level = sec_level;
2400 
2401 	if (hcon->role == HCI_ROLE_MASTER)
2402 		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2403 			return 0;
2404 
2405 	chan = conn->smp;
2406 	if (!chan) {
2407 		bt_dev_err(hcon->hdev, "security requested but not available");
2408 		return 1;
2409 	}
2410 
2411 	l2cap_chan_lock(chan);
2412 
2413 	/* If SMP is already in progress ignore this request */
2414 	if (chan->data) {
2415 		ret = 0;
2416 		goto unlock;
2417 	}
2418 
2419 	smp = smp_chan_create(conn);
2420 	if (!smp) {
2421 		ret = 1;
2422 		goto unlock;
2423 	}
2424 
2425 	authreq = seclevel_to_authreq(sec_level);
2426 
2427 	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2428 		authreq |= SMP_AUTH_SC;
2429 		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2430 			authreq |= SMP_AUTH_CT2;
2431 	}
2432 
2433 	/* Don't attempt to set MITM if setting is overridden by debugfs
2434 	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2435 	 */
2436 	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2437 		/* Require MITM if IO Capability allows or the security level
2438 		 * requires it.
2439 		 */
2440 		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2441 		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2442 			authreq |= SMP_AUTH_MITM;
2443 	}
2444 
2445 	if (hcon->role == HCI_ROLE_MASTER)
2446 		smp_send_pairing_req(smp, authreq);
2447 	else
2448 		smp_send_security_req(smp, authreq);
2449 
2450 	ret = 0;
2451 
2452 unlock:
2453 	l2cap_chan_unlock(chan);
2454 	return ret;
2455 }
2456 
smp_cancel_and_remove_pairing(struct hci_dev * hdev,bdaddr_t * bdaddr,u8 addr_type)2457 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2458 				  u8 addr_type)
2459 {
2460 	struct hci_conn *hcon;
2461 	struct l2cap_conn *conn;
2462 	struct l2cap_chan *chan;
2463 	struct smp_chan *smp;
2464 	int err;
2465 
2466 	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2467 	hci_remove_irk(hdev, bdaddr, addr_type);
2468 
2469 	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2470 	if (!hcon)
2471 		goto done;
2472 
2473 	conn = hcon->l2cap_data;
2474 	if (!conn)
2475 		goto done;
2476 
2477 	chan = conn->smp;
2478 	if (!chan)
2479 		goto done;
2480 
2481 	l2cap_chan_lock(chan);
2482 
2483 	smp = chan->data;
2484 	if (smp) {
2485 		/* Set keys to NULL to make sure smp_failure() does not try to
2486 		 * remove and free already invalidated rcu list entries. */
2487 		smp->ltk = NULL;
2488 		smp->responder_ltk = NULL;
2489 		smp->remote_irk = NULL;
2490 
2491 		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2492 			smp_failure(conn, 0);
2493 		else
2494 			smp_failure(conn, SMP_UNSPECIFIED);
2495 		err = 0;
2496 	}
2497 
2498 	l2cap_chan_unlock(chan);
2499 
2500 done:
2501 	return err;
2502 }
2503 
smp_cmd_encrypt_info(struct l2cap_conn * conn,struct sk_buff * skb)2504 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2505 {
2506 	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2507 	struct l2cap_chan *chan = conn->smp;
2508 	struct smp_chan *smp = chan->data;
2509 
2510 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2511 
2512 	if (skb->len < sizeof(*rp))
2513 		return SMP_INVALID_PARAMS;
2514 
2515 	/* Pairing is aborted if any blocked keys are distributed */
2516 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2517 			       rp->ltk)) {
2518 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2519 					"LTK blocked for %pMR",
2520 					&conn->hcon->dst);
2521 		return SMP_INVALID_PARAMS;
2522 	}
2523 
2524 	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2525 
2526 	skb_pull(skb, sizeof(*rp));
2527 
2528 	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2529 
2530 	return 0;
2531 }
2532 
smp_cmd_initiator_ident(struct l2cap_conn * conn,struct sk_buff * skb)2533 static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2534 {
2535 	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2536 	struct l2cap_chan *chan = conn->smp;
2537 	struct smp_chan *smp = chan->data;
2538 	struct hci_dev *hdev = conn->hcon->hdev;
2539 	struct hci_conn *hcon = conn->hcon;
2540 	struct smp_ltk *ltk;
2541 	u8 authenticated;
2542 
2543 	bt_dev_dbg(hdev, "conn %p", conn);
2544 
2545 	if (skb->len < sizeof(*rp))
2546 		return SMP_INVALID_PARAMS;
2547 
2548 	/* Mark the information as received */
2549 	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2550 
2551 	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2552 		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2553 	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2554 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2555 
2556 	skb_pull(skb, sizeof(*rp));
2557 
2558 	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2559 	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2560 			  authenticated, smp->tk, smp->enc_key_size,
2561 			  rp->ediv, rp->rand);
2562 	smp->ltk = ltk;
2563 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2564 		smp_distribute_keys(smp);
2565 
2566 	return 0;
2567 }
2568 
smp_cmd_ident_info(struct l2cap_conn * conn,struct sk_buff * skb)2569 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2570 {
2571 	struct smp_cmd_ident_info *info = (void *) skb->data;
2572 	struct l2cap_chan *chan = conn->smp;
2573 	struct smp_chan *smp = chan->data;
2574 
2575 	bt_dev_dbg(conn->hcon->hdev, "");
2576 
2577 	if (skb->len < sizeof(*info))
2578 		return SMP_INVALID_PARAMS;
2579 
2580 	/* Pairing is aborted if any blocked keys are distributed */
2581 	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2582 			       info->irk)) {
2583 		bt_dev_warn_ratelimited(conn->hcon->hdev,
2584 					"Identity key blocked for %pMR",
2585 					&conn->hcon->dst);
2586 		return SMP_INVALID_PARAMS;
2587 	}
2588 
2589 	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2590 
2591 	skb_pull(skb, sizeof(*info));
2592 
2593 	memcpy(smp->irk, info->irk, 16);
2594 
2595 	return 0;
2596 }
2597 
smp_cmd_ident_addr_info(struct l2cap_conn * conn,struct sk_buff * skb)2598 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2599 				   struct sk_buff *skb)
2600 {
2601 	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2602 	struct l2cap_chan *chan = conn->smp;
2603 	struct smp_chan *smp = chan->data;
2604 	struct hci_conn *hcon = conn->hcon;
2605 	bdaddr_t rpa;
2606 
2607 	bt_dev_dbg(hcon->hdev, "");
2608 
2609 	if (skb->len < sizeof(*info))
2610 		return SMP_INVALID_PARAMS;
2611 
2612 	/* Mark the information as received */
2613 	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2614 
2615 	if (smp->remote_key_dist & SMP_DIST_SIGN)
2616 		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2617 
2618 	skb_pull(skb, sizeof(*info));
2619 
2620 	/* Strictly speaking the Core Specification (4.1) allows sending
2621 	 * an empty address which would force us to rely on just the IRK
2622 	 * as "identity information". However, since such
2623 	 * implementations are not known of and in order to not over
2624 	 * complicate our implementation, simply pretend that we never
2625 	 * received an IRK for such a device.
2626 	 *
2627 	 * The Identity Address must also be a Static Random or Public
2628 	 * Address, which hci_is_identity_address() checks for.
2629 	 */
2630 	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2631 	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2632 		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2633 		goto distribute;
2634 	}
2635 
2636 	/* Drop IRK if peer is using identity address during pairing but is
2637 	 * providing different address as identity information.
2638 	 *
2639 	 * Microsoft Surface Precision Mouse is known to have this bug.
2640 	 */
2641 	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2642 	    (bacmp(&info->bdaddr, &hcon->dst) ||
2643 	     info->addr_type != hcon->dst_type)) {
2644 		bt_dev_err(hcon->hdev,
2645 			   "ignoring IRK with invalid identity address");
2646 		goto distribute;
2647 	}
2648 
2649 	bacpy(&smp->id_addr, &info->bdaddr);
2650 	smp->id_addr_type = info->addr_type;
2651 
2652 	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2653 		bacpy(&rpa, &hcon->dst);
2654 	else
2655 		bacpy(&rpa, BDADDR_ANY);
2656 
2657 	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2658 				      smp->id_addr_type, smp->irk, &rpa);
2659 
2660 distribute:
2661 	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2662 		smp_distribute_keys(smp);
2663 
2664 	return 0;
2665 }
2666 
smp_cmd_sign_info(struct l2cap_conn * conn,struct sk_buff * skb)2667 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2668 {
2669 	struct smp_cmd_sign_info *rp = (void *) skb->data;
2670 	struct l2cap_chan *chan = conn->smp;
2671 	struct smp_chan *smp = chan->data;
2672 	struct smp_csrk *csrk;
2673 
2674 	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2675 
2676 	if (skb->len < sizeof(*rp))
2677 		return SMP_INVALID_PARAMS;
2678 
2679 	/* Mark the information as received */
2680 	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2681 
2682 	skb_pull(skb, sizeof(*rp));
2683 
2684 	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2685 	if (csrk) {
2686 		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2687 			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2688 		else
2689 			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2690 		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2691 	}
2692 	smp->csrk = csrk;
2693 	smp_distribute_keys(smp);
2694 
2695 	return 0;
2696 }
2697 
sc_select_method(struct smp_chan * smp)2698 static u8 sc_select_method(struct smp_chan *smp)
2699 {
2700 	struct smp_cmd_pairing *local, *remote;
2701 	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2702 
2703 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2704 	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2705 		return REQ_OOB;
2706 
2707 	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2708 	 * which are needed as inputs to some crypto functions. To get
2709 	 * the "struct smp_cmd_pairing" from them we need to skip the
2710 	 * first byte which contains the opcode.
2711 	 */
2712 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2713 		local = (void *) &smp->preq[1];
2714 		remote = (void *) &smp->prsp[1];
2715 	} else {
2716 		local = (void *) &smp->prsp[1];
2717 		remote = (void *) &smp->preq[1];
2718 	}
2719 
2720 	local_io = local->io_capability;
2721 	remote_io = remote->io_capability;
2722 
2723 	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2724 	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2725 
2726 	/* If either side wants MITM, look up the method from the table,
2727 	 * otherwise use JUST WORKS.
2728 	 */
2729 	if (local_mitm || remote_mitm)
2730 		method = get_auth_method(smp, local_io, remote_io);
2731 	else
2732 		method = JUST_WORKS;
2733 
2734 	/* Don't confirm locally initiated pairing attempts */
2735 	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2736 		method = JUST_WORKS;
2737 
2738 	return method;
2739 }
2740 
smp_cmd_public_key(struct l2cap_conn * conn,struct sk_buff * skb)2741 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2742 {
2743 	struct smp_cmd_public_key *key = (void *) skb->data;
2744 	struct hci_conn *hcon = conn->hcon;
2745 	struct l2cap_chan *chan = conn->smp;
2746 	struct smp_chan *smp = chan->data;
2747 	struct hci_dev *hdev = hcon->hdev;
2748 	struct crypto_kpp *tfm_ecdh;
2749 	struct smp_cmd_pairing_confirm cfm;
2750 	int err;
2751 
2752 	bt_dev_dbg(hdev, "conn %p", conn);
2753 
2754 	if (skb->len < sizeof(*key))
2755 		return SMP_INVALID_PARAMS;
2756 
2757 	/* Check if remote and local public keys are the same and debug key is
2758 	 * not in use.
2759 	 */
2760 	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2761 	    !crypto_memneq(key, smp->local_pk, 64)) {
2762 		bt_dev_err(hdev, "Remote and local public keys are identical");
2763 		return SMP_UNSPECIFIED;
2764 	}
2765 
2766 	memcpy(smp->remote_pk, key, 64);
2767 
2768 	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2769 		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2770 			     smp->rr, 0, cfm.confirm_val);
2771 		if (err)
2772 			return SMP_UNSPECIFIED;
2773 
2774 		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2775 			return SMP_CONFIRM_FAILED;
2776 	}
2777 
2778 	/* Non-initiating device sends its public key after receiving
2779 	 * the key from the initiating device.
2780 	 */
2781 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2782 		err = sc_send_public_key(smp);
2783 		if (err)
2784 			return err;
2785 	}
2786 
2787 	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2788 	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2789 
2790 	/* Compute the shared secret on the same crypto tfm on which the private
2791 	 * key was set/generated.
2792 	 */
2793 	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2794 		struct l2cap_chan *hchan = hdev->smp_data;
2795 		struct smp_dev *smp_dev;
2796 
2797 		if (!hchan || !hchan->data)
2798 			return SMP_UNSPECIFIED;
2799 
2800 		smp_dev = hchan->data;
2801 
2802 		tfm_ecdh = smp_dev->tfm_ecdh;
2803 	} else {
2804 		tfm_ecdh = smp->tfm_ecdh;
2805 	}
2806 
2807 	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2808 		return SMP_UNSPECIFIED;
2809 
2810 	SMP_DBG("DHKey %32phN", smp->dhkey);
2811 
2812 	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2813 
2814 	smp->method = sc_select_method(smp);
2815 
2816 	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2817 
2818 	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2819 	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2820 		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2821 	else
2822 		hcon->pending_sec_level = BT_SECURITY_FIPS;
2823 
2824 	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2825 		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2826 
2827 	if (smp->method == DSP_PASSKEY) {
2828 		get_random_bytes(&hcon->passkey_notify,
2829 				 sizeof(hcon->passkey_notify));
2830 		hcon->passkey_notify %= 1000000;
2831 		hcon->passkey_entered = 0;
2832 		smp->passkey_round = 0;
2833 		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2834 					     hcon->dst_type,
2835 					     hcon->passkey_notify,
2836 					     hcon->passkey_entered))
2837 			return SMP_UNSPECIFIED;
2838 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2839 		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2840 	}
2841 
2842 	if (smp->method == REQ_OOB) {
2843 		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2844 			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2845 				     sizeof(smp->prnd), smp->prnd);
2846 
2847 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2848 
2849 		return 0;
2850 	}
2851 
2852 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2853 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2854 
2855 	if (smp->method == REQ_PASSKEY) {
2856 		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2857 					      hcon->dst_type))
2858 			return SMP_UNSPECIFIED;
2859 		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2860 		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2861 		return 0;
2862 	}
2863 
2864 	/* The Initiating device waits for the non-initiating device to
2865 	 * send the confirm value.
2866 	 */
2867 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2868 		return 0;
2869 
2870 	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2871 		     0, cfm.confirm_val);
2872 	if (err)
2873 		return SMP_UNSPECIFIED;
2874 
2875 	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2876 	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2877 
2878 	return 0;
2879 }
2880 
smp_cmd_dhkey_check(struct l2cap_conn * conn,struct sk_buff * skb)2881 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2882 {
2883 	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2884 	struct l2cap_chan *chan = conn->smp;
2885 	struct hci_conn *hcon = conn->hcon;
2886 	struct smp_chan *smp = chan->data;
2887 	u8 a[7], b[7], *local_addr, *remote_addr;
2888 	u8 io_cap[3], r[16], e[16];
2889 	int err;
2890 
2891 	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2892 
2893 	if (skb->len < sizeof(*check))
2894 		return SMP_INVALID_PARAMS;
2895 
2896 	memcpy(a, &hcon->init_addr, 6);
2897 	memcpy(b, &hcon->resp_addr, 6);
2898 	a[6] = hcon->init_addr_type;
2899 	b[6] = hcon->resp_addr_type;
2900 
2901 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2902 		local_addr = a;
2903 		remote_addr = b;
2904 		memcpy(io_cap, &smp->prsp[1], 3);
2905 	} else {
2906 		local_addr = b;
2907 		remote_addr = a;
2908 		memcpy(io_cap, &smp->preq[1], 3);
2909 	}
2910 
2911 	memset(r, 0, sizeof(r));
2912 
2913 	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2914 		put_unaligned_le32(hcon->passkey_notify, r);
2915 	else if (smp->method == REQ_OOB)
2916 		memcpy(r, smp->lr, 16);
2917 
2918 	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2919 		     io_cap, remote_addr, local_addr, e);
2920 	if (err)
2921 		return SMP_UNSPECIFIED;
2922 
2923 	if (crypto_memneq(check->e, e, 16))
2924 		return SMP_DHKEY_CHECK_FAILED;
2925 
2926 	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2927 		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2928 			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2929 			return 0;
2930 		}
2931 
2932 		/* Responder sends DHKey check as response to initiator */
2933 		sc_dhkey_check(smp);
2934 	}
2935 
2936 	sc_add_ltk(smp);
2937 
2938 	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2939 		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2940 		hcon->enc_key_size = smp->enc_key_size;
2941 	}
2942 
2943 	return 0;
2944 }
2945 
smp_cmd_keypress_notify(struct l2cap_conn * conn,struct sk_buff * skb)2946 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2947 				   struct sk_buff *skb)
2948 {
2949 	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2950 
2951 	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2952 
2953 	return 0;
2954 }
2955 
smp_sig_channel(struct l2cap_chan * chan,struct sk_buff * skb)2956 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2957 {
2958 	struct l2cap_conn *conn = chan->conn;
2959 	struct hci_conn *hcon = conn->hcon;
2960 	struct smp_chan *smp;
2961 	__u8 code, reason;
2962 	int err = 0;
2963 
2964 	if (skb->len < 1)
2965 		return -EILSEQ;
2966 
2967 	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2968 		reason = SMP_PAIRING_NOTSUPP;
2969 		goto done;
2970 	}
2971 
2972 	code = skb->data[0];
2973 	skb_pull(skb, sizeof(code));
2974 
2975 	smp = chan->data;
2976 
2977 	if (code > SMP_CMD_MAX)
2978 		goto drop;
2979 
2980 	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2981 		goto drop;
2982 
2983 	/* If we don't have a context the only allowed commands are
2984 	 * pairing request and security request.
2985 	 */
2986 	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2987 		goto drop;
2988 
2989 	switch (code) {
2990 	case SMP_CMD_PAIRING_REQ:
2991 		reason = smp_cmd_pairing_req(conn, skb);
2992 		break;
2993 
2994 	case SMP_CMD_PAIRING_FAIL:
2995 		smp_failure(conn, 0);
2996 		err = -EPERM;
2997 		break;
2998 
2999 	case SMP_CMD_PAIRING_RSP:
3000 		reason = smp_cmd_pairing_rsp(conn, skb);
3001 		break;
3002 
3003 	case SMP_CMD_SECURITY_REQ:
3004 		reason = smp_cmd_security_req(conn, skb);
3005 		break;
3006 
3007 	case SMP_CMD_PAIRING_CONFIRM:
3008 		reason = smp_cmd_pairing_confirm(conn, skb);
3009 		break;
3010 
3011 	case SMP_CMD_PAIRING_RANDOM:
3012 		reason = smp_cmd_pairing_random(conn, skb);
3013 		break;
3014 
3015 	case SMP_CMD_ENCRYPT_INFO:
3016 		reason = smp_cmd_encrypt_info(conn, skb);
3017 		break;
3018 
3019 	case SMP_CMD_INITIATOR_IDENT:
3020 		reason = smp_cmd_initiator_ident(conn, skb);
3021 		break;
3022 
3023 	case SMP_CMD_IDENT_INFO:
3024 		reason = smp_cmd_ident_info(conn, skb);
3025 		break;
3026 
3027 	case SMP_CMD_IDENT_ADDR_INFO:
3028 		reason = smp_cmd_ident_addr_info(conn, skb);
3029 		break;
3030 
3031 	case SMP_CMD_SIGN_INFO:
3032 		reason = smp_cmd_sign_info(conn, skb);
3033 		break;
3034 
3035 	case SMP_CMD_PUBLIC_KEY:
3036 		reason = smp_cmd_public_key(conn, skb);
3037 		break;
3038 
3039 	case SMP_CMD_DHKEY_CHECK:
3040 		reason = smp_cmd_dhkey_check(conn, skb);
3041 		break;
3042 
3043 	case SMP_CMD_KEYPRESS_NOTIFY:
3044 		reason = smp_cmd_keypress_notify(conn, skb);
3045 		break;
3046 
3047 	default:
3048 		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3049 		reason = SMP_CMD_NOTSUPP;
3050 		goto done;
3051 	}
3052 
3053 done:
3054 	if (!err) {
3055 		if (reason)
3056 			smp_failure(conn, reason);
3057 		kfree_skb(skb);
3058 	}
3059 
3060 	return err;
3061 
3062 drop:
3063 	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3064 		   code, &hcon->dst);
3065 	kfree_skb(skb);
3066 	return 0;
3067 }
3068 
smp_teardown_cb(struct l2cap_chan * chan,int err)3069 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3070 {
3071 	struct l2cap_conn *conn = chan->conn;
3072 
3073 	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3074 
3075 	if (chan->data)
3076 		smp_chan_destroy(conn);
3077 
3078 	conn->smp = NULL;
3079 	l2cap_chan_put(chan);
3080 }
3081 
bredr_pairing(struct l2cap_chan * chan)3082 static void bredr_pairing(struct l2cap_chan *chan)
3083 {
3084 	struct l2cap_conn *conn = chan->conn;
3085 	struct hci_conn *hcon = conn->hcon;
3086 	struct hci_dev *hdev = hcon->hdev;
3087 	struct smp_chan *smp;
3088 
3089 	bt_dev_dbg(hdev, "chan %p", chan);
3090 
3091 	/* Only new pairings are interesting */
3092 	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3093 		return;
3094 
3095 	/* Don't bother if we're not encrypted */
3096 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3097 		return;
3098 
3099 	/* Only initiator may initiate SMP over BR/EDR */
3100 	if (hcon->role != HCI_ROLE_MASTER)
3101 		return;
3102 
3103 	/* Secure Connections support must be enabled */
3104 	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3105 		return;
3106 
3107 	/* BR/EDR must use Secure Connections for SMP */
3108 	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3109 	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3110 		return;
3111 
3112 	/* If our LE support is not enabled don't do anything */
3113 	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3114 		return;
3115 
3116 	/* Don't bother if remote LE support is not enabled */
3117 	if (!lmp_host_le_capable(hcon))
3118 		return;
3119 
3120 	/* Remote must support SMP fixed chan for BR/EDR */
3121 	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3122 		return;
3123 
3124 	/* Don't bother if SMP is already ongoing */
3125 	if (chan->data)
3126 		return;
3127 
3128 	smp = smp_chan_create(conn);
3129 	if (!smp) {
3130 		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3131 		return;
3132 	}
3133 
3134 	set_bit(SMP_FLAG_SC, &smp->flags);
3135 
3136 	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3137 
3138 	smp_send_pairing_req(smp, 0x00);
3139 }
3140 
smp_resume_cb(struct l2cap_chan * chan)3141 static void smp_resume_cb(struct l2cap_chan *chan)
3142 {
3143 	struct smp_chan *smp = chan->data;
3144 	struct l2cap_conn *conn = chan->conn;
3145 	struct hci_conn *hcon = conn->hcon;
3146 
3147 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3148 
3149 	if (hcon->type == ACL_LINK) {
3150 		bredr_pairing(chan);
3151 		return;
3152 	}
3153 
3154 	if (!smp)
3155 		return;
3156 
3157 	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3158 		return;
3159 
3160 	cancel_delayed_work(&smp->security_timer);
3161 
3162 	smp_distribute_keys(smp);
3163 }
3164 
smp_ready_cb(struct l2cap_chan * chan)3165 static void smp_ready_cb(struct l2cap_chan *chan)
3166 {
3167 	struct l2cap_conn *conn = chan->conn;
3168 	struct hci_conn *hcon = conn->hcon;
3169 
3170 	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3171 
3172 	/* No need to call l2cap_chan_hold() here since we already own
3173 	 * the reference taken in smp_new_conn_cb(). This is just the
3174 	 * first time that we tie it to a specific pointer. The code in
3175 	 * l2cap_core.c ensures that there's no risk this function wont
3176 	 * get called if smp_new_conn_cb was previously called.
3177 	 */
3178 	conn->smp = chan;
3179 
3180 	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3181 		bredr_pairing(chan);
3182 }
3183 
smp_recv_cb(struct l2cap_chan * chan,struct sk_buff * skb)3184 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3185 {
3186 	int err;
3187 
3188 	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3189 
3190 	err = smp_sig_channel(chan, skb);
3191 	if (err) {
3192 		struct smp_chan *smp = chan->data;
3193 
3194 		if (smp)
3195 			cancel_delayed_work_sync(&smp->security_timer);
3196 
3197 		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3198 	}
3199 
3200 	return err;
3201 }
3202 
smp_alloc_skb_cb(struct l2cap_chan * chan,unsigned long hdr_len,unsigned long len,int nb)3203 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3204 					unsigned long hdr_len,
3205 					unsigned long len, int nb)
3206 {
3207 	struct sk_buff *skb;
3208 
3209 	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3210 	if (!skb)
3211 		return ERR_PTR(-ENOMEM);
3212 
3213 	skb->priority = HCI_PRIO_MAX;
3214 	bt_cb(skb)->l2cap.chan = chan;
3215 
3216 	return skb;
3217 }
3218 
3219 static const struct l2cap_ops smp_chan_ops = {
3220 	.name			= "Security Manager",
3221 	.ready			= smp_ready_cb,
3222 	.recv			= smp_recv_cb,
3223 	.alloc_skb		= smp_alloc_skb_cb,
3224 	.teardown		= smp_teardown_cb,
3225 	.resume			= smp_resume_cb,
3226 
3227 	.new_connection		= l2cap_chan_no_new_connection,
3228 	.state_change		= l2cap_chan_no_state_change,
3229 	.close			= l2cap_chan_no_close,
3230 	.defer			= l2cap_chan_no_defer,
3231 	.suspend		= l2cap_chan_no_suspend,
3232 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3233 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3234 };
3235 
smp_new_conn_cb(struct l2cap_chan * pchan)3236 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3237 {
3238 	struct l2cap_chan *chan;
3239 
3240 	BT_DBG("pchan %p", pchan);
3241 
3242 	chan = l2cap_chan_create();
3243 	if (!chan)
3244 		return NULL;
3245 
3246 	chan->chan_type	= pchan->chan_type;
3247 	chan->ops	= &smp_chan_ops;
3248 	chan->scid	= pchan->scid;
3249 	chan->dcid	= chan->scid;
3250 	chan->imtu	= pchan->imtu;
3251 	chan->omtu	= pchan->omtu;
3252 	chan->mode	= pchan->mode;
3253 
3254 	/* Other L2CAP channels may request SMP routines in order to
3255 	 * change the security level. This means that the SMP channel
3256 	 * lock must be considered in its own category to avoid lockdep
3257 	 * warnings.
3258 	 */
3259 	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3260 
3261 	BT_DBG("created chan %p", chan);
3262 
3263 	return chan;
3264 }
3265 
3266 static const struct l2cap_ops smp_root_chan_ops = {
3267 	.name			= "Security Manager Root",
3268 	.new_connection		= smp_new_conn_cb,
3269 
3270 	/* None of these are implemented for the root channel */
3271 	.close			= l2cap_chan_no_close,
3272 	.alloc_skb		= l2cap_chan_no_alloc_skb,
3273 	.recv			= l2cap_chan_no_recv,
3274 	.state_change		= l2cap_chan_no_state_change,
3275 	.teardown		= l2cap_chan_no_teardown,
3276 	.ready			= l2cap_chan_no_ready,
3277 	.defer			= l2cap_chan_no_defer,
3278 	.suspend		= l2cap_chan_no_suspend,
3279 	.resume			= l2cap_chan_no_resume,
3280 	.set_shutdown		= l2cap_chan_no_set_shutdown,
3281 	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3282 };
3283 
smp_add_cid(struct hci_dev * hdev,u16 cid)3284 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3285 {
3286 	struct l2cap_chan *chan;
3287 	struct smp_dev *smp;
3288 	struct crypto_shash *tfm_cmac;
3289 	struct crypto_kpp *tfm_ecdh;
3290 
3291 	if (cid == L2CAP_CID_SMP_BREDR) {
3292 		smp = NULL;
3293 		goto create_chan;
3294 	}
3295 
3296 	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3297 	if (!smp)
3298 		return ERR_PTR(-ENOMEM);
3299 
3300 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3301 	if (IS_ERR(tfm_cmac)) {
3302 		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3303 		kfree_sensitive(smp);
3304 		return ERR_CAST(tfm_cmac);
3305 	}
3306 
3307 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3308 	if (IS_ERR(tfm_ecdh)) {
3309 		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3310 		crypto_free_shash(tfm_cmac);
3311 		kfree_sensitive(smp);
3312 		return ERR_CAST(tfm_ecdh);
3313 	}
3314 
3315 	smp->local_oob = false;
3316 	smp->tfm_cmac = tfm_cmac;
3317 	smp->tfm_ecdh = tfm_ecdh;
3318 
3319 create_chan:
3320 	chan = l2cap_chan_create();
3321 	if (!chan) {
3322 		if (smp) {
3323 			crypto_free_shash(smp->tfm_cmac);
3324 			crypto_free_kpp(smp->tfm_ecdh);
3325 			kfree_sensitive(smp);
3326 		}
3327 		return ERR_PTR(-ENOMEM);
3328 	}
3329 
3330 	chan->data = smp;
3331 
3332 	l2cap_add_scid(chan, cid);
3333 
3334 	l2cap_chan_set_defaults(chan);
3335 
3336 	if (cid == L2CAP_CID_SMP) {
3337 		u8 bdaddr_type;
3338 
3339 		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3340 
3341 		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3342 			chan->src_type = BDADDR_LE_PUBLIC;
3343 		else
3344 			chan->src_type = BDADDR_LE_RANDOM;
3345 	} else {
3346 		bacpy(&chan->src, &hdev->bdaddr);
3347 		chan->src_type = BDADDR_BREDR;
3348 	}
3349 
3350 	chan->state = BT_LISTEN;
3351 	chan->mode = L2CAP_MODE_BASIC;
3352 	chan->imtu = L2CAP_DEFAULT_MTU;
3353 	chan->ops = &smp_root_chan_ops;
3354 
3355 	/* Set correct nesting level for a parent/listening channel */
3356 	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3357 
3358 	return chan;
3359 }
3360 
smp_del_chan(struct l2cap_chan * chan)3361 static void smp_del_chan(struct l2cap_chan *chan)
3362 {
3363 	struct smp_dev *smp;
3364 
3365 	BT_DBG("chan %p", chan);
3366 
3367 	smp = chan->data;
3368 	if (smp) {
3369 		chan->data = NULL;
3370 		crypto_free_shash(smp->tfm_cmac);
3371 		crypto_free_kpp(smp->tfm_ecdh);
3372 		kfree_sensitive(smp);
3373 	}
3374 
3375 	l2cap_chan_put(chan);
3376 }
3377 
smp_force_bredr(struct hci_dev * hdev,bool enable)3378 int smp_force_bredr(struct hci_dev *hdev, bool enable)
3379 {
3380 	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3381 		return -EALREADY;
3382 
3383 	if (enable) {
3384 		struct l2cap_chan *chan;
3385 
3386 		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3387 		if (IS_ERR(chan))
3388 			return PTR_ERR(chan);
3389 
3390 		hdev->smp_bredr_data = chan;
3391 	} else {
3392 		struct l2cap_chan *chan;
3393 
3394 		chan = hdev->smp_bredr_data;
3395 		hdev->smp_bredr_data = NULL;
3396 		smp_del_chan(chan);
3397 	}
3398 
3399 	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3400 
3401 	return 0;
3402 }
3403 
smp_register(struct hci_dev * hdev)3404 int smp_register(struct hci_dev *hdev)
3405 {
3406 	struct l2cap_chan *chan;
3407 
3408 	bt_dev_dbg(hdev, "");
3409 
3410 	/* If the controller does not support Low Energy operation, then
3411 	 * there is also no need to register any SMP channel.
3412 	 */
3413 	if (!lmp_le_capable(hdev))
3414 		return 0;
3415 
3416 	if (WARN_ON(hdev->smp_data)) {
3417 		chan = hdev->smp_data;
3418 		hdev->smp_data = NULL;
3419 		smp_del_chan(chan);
3420 	}
3421 
3422 	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3423 	if (IS_ERR(chan))
3424 		return PTR_ERR(chan);
3425 
3426 	hdev->smp_data = chan;
3427 
3428 	if (!lmp_sc_capable(hdev)) {
3429 		/* Flag can be already set here (due to power toggle) */
3430 		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3431 			return 0;
3432 	}
3433 
3434 	if (WARN_ON(hdev->smp_bredr_data)) {
3435 		chan = hdev->smp_bredr_data;
3436 		hdev->smp_bredr_data = NULL;
3437 		smp_del_chan(chan);
3438 	}
3439 
3440 	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3441 	if (IS_ERR(chan)) {
3442 		int err = PTR_ERR(chan);
3443 		chan = hdev->smp_data;
3444 		hdev->smp_data = NULL;
3445 		smp_del_chan(chan);
3446 		return err;
3447 	}
3448 
3449 	hdev->smp_bredr_data = chan;
3450 
3451 	return 0;
3452 }
3453 
smp_unregister(struct hci_dev * hdev)3454 void smp_unregister(struct hci_dev *hdev)
3455 {
3456 	struct l2cap_chan *chan;
3457 
3458 	if (hdev->smp_bredr_data) {
3459 		chan = hdev->smp_bredr_data;
3460 		hdev->smp_bredr_data = NULL;
3461 		smp_del_chan(chan);
3462 	}
3463 
3464 	if (hdev->smp_data) {
3465 		chan = hdev->smp_data;
3466 		hdev->smp_data = NULL;
3467 		smp_del_chan(chan);
3468 	}
3469 }
3470 
3471 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3472 
test_debug_key(struct crypto_kpp * tfm_ecdh)3473 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3474 {
3475 	u8 pk[64];
3476 	int err;
3477 
3478 	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3479 	if (err)
3480 		return err;
3481 
3482 	err = generate_ecdh_public_key(tfm_ecdh, pk);
3483 	if (err)
3484 		return err;
3485 
3486 	if (crypto_memneq(pk, debug_pk, 64))
3487 		return -EINVAL;
3488 
3489 	return 0;
3490 }
3491 
test_ah(void)3492 static int __init test_ah(void)
3493 {
3494 	const u8 irk[16] = {
3495 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3496 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3497 	const u8 r[3] = { 0x94, 0x81, 0x70 };
3498 	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3499 	u8 res[3];
3500 	int err;
3501 
3502 	err = smp_ah(irk, r, res);
3503 	if (err)
3504 		return err;
3505 
3506 	if (crypto_memneq(res, exp, 3))
3507 		return -EINVAL;
3508 
3509 	return 0;
3510 }
3511 
test_c1(void)3512 static int __init test_c1(void)
3513 {
3514 	const u8 k[16] = {
3515 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3516 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3517 	const u8 r[16] = {
3518 			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3519 			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3520 	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3521 	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3522 	const u8 _iat = 0x01;
3523 	const u8 _rat = 0x00;
3524 	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3525 	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3526 	const u8 exp[16] = {
3527 			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3528 			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3529 	u8 res[16];
3530 	int err;
3531 
3532 	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3533 	if (err)
3534 		return err;
3535 
3536 	if (crypto_memneq(res, exp, 16))
3537 		return -EINVAL;
3538 
3539 	return 0;
3540 }
3541 
test_s1(void)3542 static int __init test_s1(void)
3543 {
3544 	const u8 k[16] = {
3545 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3546 			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3547 	const u8 r1[16] = {
3548 			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3549 	const u8 r2[16] = {
3550 			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3551 	const u8 exp[16] = {
3552 			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3553 			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3554 	u8 res[16];
3555 	int err;
3556 
3557 	err = smp_s1(k, r1, r2, res);
3558 	if (err)
3559 		return err;
3560 
3561 	if (crypto_memneq(res, exp, 16))
3562 		return -EINVAL;
3563 
3564 	return 0;
3565 }
3566 
test_f4(struct crypto_shash * tfm_cmac)3567 static int __init test_f4(struct crypto_shash *tfm_cmac)
3568 {
3569 	const u8 u[32] = {
3570 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3571 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3572 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3573 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3574 	const u8 v[32] = {
3575 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3576 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3577 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3578 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3579 	const u8 x[16] = {
3580 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3581 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3582 	const u8 z = 0x00;
3583 	const u8 exp[16] = {
3584 			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3585 			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3586 	u8 res[16];
3587 	int err;
3588 
3589 	err = smp_f4(tfm_cmac, u, v, x, z, res);
3590 	if (err)
3591 		return err;
3592 
3593 	if (crypto_memneq(res, exp, 16))
3594 		return -EINVAL;
3595 
3596 	return 0;
3597 }
3598 
test_f5(struct crypto_shash * tfm_cmac)3599 static int __init test_f5(struct crypto_shash *tfm_cmac)
3600 {
3601 	const u8 w[32] = {
3602 			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3603 			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3604 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3605 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3606 	const u8 n1[16] = {
3607 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609 	const u8 n2[16] = {
3610 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3611 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3612 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3613 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3614 	const u8 exp_ltk[16] = {
3615 			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3616 			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3617 	const u8 exp_mackey[16] = {
3618 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3619 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3620 	u8 mackey[16], ltk[16];
3621 	int err;
3622 
3623 	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3624 	if (err)
3625 		return err;
3626 
3627 	if (crypto_memneq(mackey, exp_mackey, 16))
3628 		return -EINVAL;
3629 
3630 	if (crypto_memneq(ltk, exp_ltk, 16))
3631 		return -EINVAL;
3632 
3633 	return 0;
3634 }
3635 
test_f6(struct crypto_shash * tfm_cmac)3636 static int __init test_f6(struct crypto_shash *tfm_cmac)
3637 {
3638 	const u8 w[16] = {
3639 			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3640 			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3641 	const u8 n1[16] = {
3642 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3643 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3644 	const u8 n2[16] = {
3645 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3646 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3647 	const u8 r[16] = {
3648 			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3649 			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3650 	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3651 	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3652 	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3653 	const u8 exp[16] = {
3654 			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3655 			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3656 	u8 res[16];
3657 	int err;
3658 
3659 	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3660 	if (err)
3661 		return err;
3662 
3663 	if (crypto_memneq(res, exp, 16))
3664 		return -EINVAL;
3665 
3666 	return 0;
3667 }
3668 
test_g2(struct crypto_shash * tfm_cmac)3669 static int __init test_g2(struct crypto_shash *tfm_cmac)
3670 {
3671 	const u8 u[32] = {
3672 			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3673 			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3674 			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3675 			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3676 	const u8 v[32] = {
3677 			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3678 			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3679 			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3680 			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3681 	const u8 x[16] = {
3682 			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3683 			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3684 	const u8 y[16] = {
3685 			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3686 			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3687 	const u32 exp_val = 0x2f9ed5ba % 1000000;
3688 	u32 val;
3689 	int err;
3690 
3691 	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3692 	if (err)
3693 		return err;
3694 
3695 	if (val != exp_val)
3696 		return -EINVAL;
3697 
3698 	return 0;
3699 }
3700 
test_h6(struct crypto_shash * tfm_cmac)3701 static int __init test_h6(struct crypto_shash *tfm_cmac)
3702 {
3703 	const u8 w[16] = {
3704 			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3705 			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3706 	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3707 	const u8 exp[16] = {
3708 			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3709 			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3710 	u8 res[16];
3711 	int err;
3712 
3713 	err = smp_h6(tfm_cmac, w, key_id, res);
3714 	if (err)
3715 		return err;
3716 
3717 	if (crypto_memneq(res, exp, 16))
3718 		return -EINVAL;
3719 
3720 	return 0;
3721 }
3722 
3723 static char test_smp_buffer[32];
3724 
test_smp_read(struct file * file,char __user * user_buf,size_t count,loff_t * ppos)3725 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3726 			     size_t count, loff_t *ppos)
3727 {
3728 	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3729 				       strlen(test_smp_buffer));
3730 }
3731 
3732 static const struct file_operations test_smp_fops = {
3733 	.open		= simple_open,
3734 	.read		= test_smp_read,
3735 	.llseek		= default_llseek,
3736 };
3737 
run_selftests(struct crypto_shash * tfm_cmac,struct crypto_kpp * tfm_ecdh)3738 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3739 				struct crypto_kpp *tfm_ecdh)
3740 {
3741 	ktime_t calltime, delta, rettime;
3742 	unsigned long long duration;
3743 	int err;
3744 
3745 	calltime = ktime_get();
3746 
3747 	err = test_debug_key(tfm_ecdh);
3748 	if (err) {
3749 		BT_ERR("debug_key test failed");
3750 		goto done;
3751 	}
3752 
3753 	err = test_ah();
3754 	if (err) {
3755 		BT_ERR("smp_ah test failed");
3756 		goto done;
3757 	}
3758 
3759 	err = test_c1();
3760 	if (err) {
3761 		BT_ERR("smp_c1 test failed");
3762 		goto done;
3763 	}
3764 
3765 	err = test_s1();
3766 	if (err) {
3767 		BT_ERR("smp_s1 test failed");
3768 		goto done;
3769 	}
3770 
3771 	err = test_f4(tfm_cmac);
3772 	if (err) {
3773 		BT_ERR("smp_f4 test failed");
3774 		goto done;
3775 	}
3776 
3777 	err = test_f5(tfm_cmac);
3778 	if (err) {
3779 		BT_ERR("smp_f5 test failed");
3780 		goto done;
3781 	}
3782 
3783 	err = test_f6(tfm_cmac);
3784 	if (err) {
3785 		BT_ERR("smp_f6 test failed");
3786 		goto done;
3787 	}
3788 
3789 	err = test_g2(tfm_cmac);
3790 	if (err) {
3791 		BT_ERR("smp_g2 test failed");
3792 		goto done;
3793 	}
3794 
3795 	err = test_h6(tfm_cmac);
3796 	if (err) {
3797 		BT_ERR("smp_h6 test failed");
3798 		goto done;
3799 	}
3800 
3801 	rettime = ktime_get();
3802 	delta = ktime_sub(rettime, calltime);
3803 	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3804 
3805 	BT_INFO("SMP test passed in %llu usecs", duration);
3806 
3807 done:
3808 	if (!err)
3809 		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3810 			 "PASS (%llu usecs)\n", duration);
3811 	else
3812 		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3813 
3814 	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3815 			    &test_smp_fops);
3816 
3817 	return err;
3818 }
3819 
bt_selftest_smp(void)3820 int __init bt_selftest_smp(void)
3821 {
3822 	struct crypto_shash *tfm_cmac;
3823 	struct crypto_kpp *tfm_ecdh;
3824 	int err;
3825 
3826 	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3827 	if (IS_ERR(tfm_cmac)) {
3828 		BT_ERR("Unable to create CMAC crypto context");
3829 		return PTR_ERR(tfm_cmac);
3830 	}
3831 
3832 	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3833 	if (IS_ERR(tfm_ecdh)) {
3834 		BT_ERR("Unable to create ECDH crypto context");
3835 		crypto_free_shash(tfm_cmac);
3836 		return PTR_ERR(tfm_ecdh);
3837 	}
3838 
3839 	err = run_selftests(tfm_cmac, tfm_ecdh);
3840 
3841 	crypto_free_shash(tfm_cmac);
3842 	crypto_free_kpp(tfm_ecdh);
3843 
3844 	return err;
3845 }
3846 
3847 #endif
3848