smp.c 91.2 KB
Newer Older
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

23
#include <linux/debugfs.h>
24
25
26
27
#include <linux/crypto.h>
#include <linux/scatterlist.h>
#include <crypto/b128ops.h>

28
29
30
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
31
#include <net/bluetooth/mgmt.h>
32

33
#include "ecc.h"
34
#include "smp.h"
35

36
37
38
#define SMP_DEV(hdev) \
	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)

39
40
41
42
43
44
45
46
47
48
49
50
/* Low-level debug macros to be used for stuff that we don't want
 * accidentially in dmesg, i.e. the values of the various crypto keys
 * and the inputs & outputs of crypto functions.
 */
#ifdef DEBUG
#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
				 ##__VA_ARGS__)
#else
#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
				    ##__VA_ARGS__)
#endif

51
52
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)

53
54
55
/* Keys which are not distributed with Secure Connections */
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);

56
#define SMP_TIMEOUT	msecs_to_jiffies(30000)
57

58
#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
59
60
				 0x1f : 0x07)
#define KEY_DIST_MASK		0x07
61

62
63
64
/* Maximum message length that can be passed to aes_cmac */
#define CMAC_MSG_MAX	80

65
66
67
68
69
70
enum {
	SMP_FLAG_TK_VALID,
	SMP_FLAG_CFM_PENDING,
	SMP_FLAG_MITM_AUTH,
	SMP_FLAG_COMPLETE,
	SMP_FLAG_INITIATOR,
71
	SMP_FLAG_SC,
72
	SMP_FLAG_REMOTE_PK,
73
	SMP_FLAG_DEBUG_KEY,
74
	SMP_FLAG_WAIT_USER,
75
	SMP_FLAG_DHKEY_PENDING,
76
77
	SMP_FLAG_REMOTE_OOB,
	SMP_FLAG_LOCAL_OOB,
78
};
79

80
struct smp_dev {
81
82
83
	/* Secure Connections OOB data */
	u8			local_pk[64];
	u8			local_sk[32];
84
	u8			local_rand[16];
85
86
	bool			debug_key;

87
	u8			min_key_size;
88
89
	u8			max_key_size;

90
	struct crypto_blkcipher	*tfm_aes;
91
	struct crypto_hash	*tfm_cmac;
92
93
};

94
struct smp_chan {
95
96
	struct l2cap_conn	*conn;
	struct delayed_work	security_timer;
97
	unsigned long           allow_cmd; /* Bitmask of allowed commands */
98

99
100
101
102
103
104
	u8		preq[7]; /* SMP Pairing Request */
	u8		prsp[7]; /* SMP Pairing Response */
	u8		prnd[16]; /* SMP Pairing Random (local) */
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
	u8		pcnf[16]; /* SMP Pairing Confirm */
	u8		tk[16]; /* SMP Temporary Key */
105
106
	u8		rr[16]; /* Remote OOB ra/rb value */
	u8		lr[16]; /* Local OOB ra/rb value */
107
108
109
110
111
112
113
114
115
116
	u8		enc_key_size;
	u8		remote_key_dist;
	bdaddr_t	id_addr;
	u8		id_addr_type;
	u8		irk[16];
	struct smp_csrk	*csrk;
	struct smp_csrk	*slave_csrk;
	struct smp_ltk	*ltk;
	struct smp_ltk	*slave_ltk;
	struct smp_irk	*remote_irk;
117
	u8		*link_key;
118
	unsigned long	flags;
119
	u8		method;
120
	u8		passkey_round;
121

122
123
124
	/* Secure Connections variables */
	u8			local_pk[64];
	u8			local_sk[32];
125
126
	u8			remote_pk[64];
	u8			dhkey[32];
127
	u8			mackey[16];
128

129
	struct crypto_blkcipher	*tfm_aes;
130
	struct crypto_hash	*tfm_cmac;
131
132
};

133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
/* These debug key values are defined in the SMP section of the core
 * specification. debug_pk is the public debug key and debug_sk the
 * private debug key.
 */
static const u8 debug_pk[64] = {
		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,

		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
};

static const u8 debug_sk[32] = {
		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
};

156
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157
{
158
	size_t i;
159

160
161
	for (i = 0; i < len; i++)
		dst[len - 1 - i] = src[i];
162
163
}

164
165
166
167
/* The following functions map to the LE SC SMP crypto functions
 * AES-CMAC, f4, f5, f6, g2 and h6.
 */

168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
		    size_t len, u8 mac[16])
{
	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
	struct hash_desc desc;
	struct scatterlist sg;
	int err;

	if (len > CMAC_MSG_MAX)
		return -EFBIG;

	if (!tfm) {
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

	crypto_hash_init(&desc);

	/* Swap key and message from LSB to MSB */
	swap_buf(k, tmp, 16);
	swap_buf(m, msg_msb, len);

193
194
	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
	SMP_DBG("key %16phN", k);
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217

	err = crypto_hash_setkey(tfm, tmp, 16);
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

	sg_init_one(&sg, msg_msb, len);

	err = crypto_hash_update(&desc, &sg, len);
	if (err) {
		BT_ERR("Hash update error %d", err);
		return err;
	}

	err = crypto_hash_final(&desc, mac_msb);
	if (err) {
		BT_ERR("Hash final error %d", err);
		return err;
	}

	swap_buf(mac_msb, mac, 16);

218
	SMP_DBG("mac %16phN", mac);
219
220
221
222
223
224
225
226
227
228

	return 0;
}

static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], u8 z, u8 res[16])
{
	u8 m[65];
	int err;

229
230
231
	SMP_DBG("u %32phN", u);
	SMP_DBG("v %32phN", v);
	SMP_DBG("x %16phN z %02x", x, z);
232
233
234
235
236
237
238
239
240

	m[0] = z;
	memcpy(m + 1, v, 32);
	memcpy(m + 33, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
	if (err)
		return err;

241
	SMP_DBG("res %16phN", res);
242
243
244
245

	return err;
}

246
247
248
static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
249
250
251
252
253
254
255
256
257
258
259
260
261
262
{
	/* The btle, salt and length "magic" values are as defined in
	 * the SMP section of the Bluetooth core specification. In ASCII
	 * the btle value ends up being 'btle'. The salt is just a
	 * random number whereas length is the value 256 in little
	 * endian format.
	 */
	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
	const u8 length[2] = { 0x00, 0x01 };
	u8 m[53], t[16];
	int err;

263
264
265
	SMP_DBG("w %32phN", w);
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
266
267
268
269
270

	err = aes_cmac(tfm_cmac, salt, w, 32, t);
	if (err)
		return err;

271
	SMP_DBG("t %16phN", t);
272
273
274
275
276
277
278
279
280
281
282
283
284
285

	memcpy(m, length, 2);
	memcpy(m + 2, a2, 7);
	memcpy(m + 9, a1, 7);
	memcpy(m + 16, n2, 16);
	memcpy(m + 32, n1, 16);
	memcpy(m + 48, btle, 4);

	m[52] = 0; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
	if (err)
		return err;

286
	SMP_DBG("mackey %16phN", mackey);
287
288
289
290
291
292
293

	m[52] = 1; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
	if (err)
		return err;

294
	SMP_DBG("ltk %16phN", ltk);
295
296
297
298
299

	return 0;
}

static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
300
		  const u8 n1[16], const u8 n2[16], const u8 r[16],
301
302
303
304
305
306
		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
		  u8 res[16])
{
	u8 m[65];
	int err;

307
308
309
	SMP_DBG("w %16phN", w);
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
310
311
312
313
314
315
316
317
318
319
320
321

	memcpy(m, a2, 7);
	memcpy(m + 7, a1, 7);
	memcpy(m + 14, io_cap, 3);
	memcpy(m + 17, r, 16);
	memcpy(m + 33, n2, 16);
	memcpy(m + 49, n1, 16);

	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
	if (err)
		return err;

322
	SMP_DBG("res %16phN", res);
323
324
325
326

	return err;
}

327
328
329
330
331
332
static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], const u8 y[16], u32 *val)
{
	u8 m[80], tmp[16];
	int err;

333
334
335
	SMP_DBG("u %32phN", u);
	SMP_DBG("v %32phN", v);
	SMP_DBG("x %16phN y %16phN", x, y);
336
337
338
339
340
341
342
343
344
345
346
347

	memcpy(m, y, 16);
	memcpy(m + 16, v, 32);
	memcpy(m + 48, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
	if (err)
		return err;

	*val = get_unaligned_le32(tmp);
	*val %= 1000000;

348
	SMP_DBG("val %06u", *val);
349
350
351
352

	return 0;
}

353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
		  const u8 key_id[4], u8 res[16])
{
	int err;

	SMP_DBG("w %16phN key_id %4phN", w, key_id);

	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
	if (err)
		return err;

	SMP_DBG("res %16phN", res);

	return err;
}

/* The following functions map to the legacy SMP crypto functions e, c1,
 * s1 and ah.
 */

373
374
375
376
static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
{
	struct blkcipher_desc desc;
	struct scatterlist sg;
377
	uint8_t tmp[16], data[16];
378
	int err;
379

380
381
	SMP_DBG("k %16phN r %16phN", k, r);

382
	if (!tfm) {
383
384
385
386
387
388
389
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

390
	/* The most significant octet of key corresponds to k[0] */
391
	swap_buf(k, tmp, 16);
392
393

	err = crypto_blkcipher_setkey(tfm, tmp, 16);
394
395
396
397
398
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

399
	/* Most significant octet of plaintextData corresponds to data[0] */
400
	swap_buf(r, data, 16);
401
402

	sg_init_one(&sg, data, 16);
403
404
405
406
407

	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
	if (err)
		BT_ERR("Encrypt data error %d", err);

408
	/* Most significant octet of encryptedData corresponds to data[0] */
409
	swap_buf(data, r, 16);
410

411
412
	SMP_DBG("r %16phN", r);

413
414
415
	return err;
}

416
417
418
static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
419
{
420
	u8 p1[16], p2[16];
421
422
	int err;

423
424
425
426
	SMP_DBG("k %16phN r %16phN", k, r);
	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
	SMP_DBG("preq %7phN pres %7phN", preq, pres);

427
	memset(p1, 0, 16);
428

429
430
431
432
433
434
	/* p1 = pres || preq || _rat || _iat */
	p1[0] = _iat;
	p1[1] = _rat;
	memcpy(p1 + 2, preq, 7);
	memcpy(p1 + 9, pres, 7);

435
	SMP_DBG("p1 %16phN", p1);
436
437
438
439
440
441
442
443

	/* res = r XOR p1 */
	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);

	/* res = e(k, res) */
	err = smp_e(tfm_aes, k, res);
	if (err) {
		BT_ERR("Encrypt data error");
444
		return err;
445
	}
446

447
448
449
450
451
452
453
	/* p2 = padding || ia || ra */
	memcpy(p2, ra, 6);
	memcpy(p2 + 6, ia, 6);
	memset(p2 + 12, 0, 4);

	SMP_DBG("p2 %16phN", p2);

454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
	/* res = res XOR p2 */
	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);

	/* res = e(k, res) */
	err = smp_e(tfm_aes, k, res);
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
		  const u8 r1[16], const u8 r2[16], u8 _r[16])
{
	int err;

	/* Just least significant octets from r1 and r2 are considered */
	memcpy(_r, r2, 8);
	memcpy(_r + 8, r1, 8);

	err = smp_e(tfm_aes, k, _r);
	if (err)
		BT_ERR("Encrypt data error");
477
478
479
480

	return err;
}

481
482
static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
		  const u8 r[3], u8 res[3])
483
{
484
	u8 _res[16];
485
486
487
	int err;

	/* r' = padding || r */
488
489
	memcpy(_res, r, 3);
	memset(_res + 3, 0, 13);
490

491
	err = smp_e(tfm, irk, _res);
492
493
494
495
496
497
498
499
500
501
502
	if (err) {
		BT_ERR("Encrypt error");
		return err;
	}

	/* The output of the random address function ah is:
	 *	ah(h, r) = e(k, r') mod 2^24
	 * The output of the security function e is then truncated to 24 bits
	 * by taking the least significant 24 bits of the output of e as the
	 * result of ah.
	 */
503
	memcpy(res, _res, 3);
504
505
506
507

	return 0;
}

508
509
bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
		     const bdaddr_t *bdaddr)
510
{
511
	struct l2cap_chan *chan = hdev->smp_data;
512
	struct smp_dev *smp;
513
514
515
	u8 hash[3];
	int err;

516
517
518
	if (!chan || !chan->data)
		return false;

519
	smp = chan->data;
520

521
522
	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);

523
	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
524
525
526
527
528
529
	if (err)
		return false;

	return !memcmp(bdaddr->b, hash, 3);
}

530
int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
531
{
532
	struct l2cap_chan *chan = hdev->smp_data;
533
	struct smp_dev *smp;
534
535
	int err;

536
537
538
	if (!chan || !chan->data)
		return -EOPNOTSUPP;

539
	smp = chan->data;
540

541
542
543
544
545
	get_random_bytes(&rpa->b[3], 3);

	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
	rpa->b[5] |= 0x40;	/* Set second most significant bit */

546
	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
547
548
549
550
551
552
553
554
	if (err < 0)
		return err;

	BT_DBG("RPA %pMR", rpa);

	return 0;
}

555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
{
	struct l2cap_chan *chan = hdev->smp_data;
	struct smp_dev *smp;
	int err;

	if (!chan || !chan->data)
		return -EOPNOTSUPP;

	smp = chan->data;

	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
		BT_DBG("Using debug keys");
		memcpy(smp->local_pk, debug_pk, 64);
		memcpy(smp->local_sk, debug_sk, 32);
		smp->debug_key = true;
	} else {
		while (true) {
			/* Generate local key pair for Secure Connections */
			if (!ecc_make_key(smp->local_pk, smp->local_sk))
				return -EIO;

			/* This is unlikely, but we need to check that
			 * we didn't accidentially generate a debug key.
			 */
			if (memcmp(smp->local_sk, debug_sk, 32))
				break;
		}
		smp->debug_key = false;
	}

	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);

590
	get_random_bytes(smp->local_rand, 16);
591
592

	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593
		     smp->local_rand, 0, hash);
594
595
596
	if (err < 0)
		return err;

597
	memcpy(rand, smp->local_rand, 16);
598
599
600
601

	return 0;
}

602
static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
603
{
604
	struct l2cap_chan *chan = conn->smp;
605
	struct smp_chan *smp;
606
607
	struct kvec iv[2];
	struct msghdr msg;
608

609
610
	if (!chan)
		return;
611

612
	BT_DBG("code 0x%2.2x", code);
613

614
615
	iv[0].iov_base = &code;
	iv[0].iov_len = 1;
616

617
618
	iv[1].iov_base = data;
	iv[1].iov_len = len;
619

620
	memset(&msg, 0, sizeof(msg));
621

622
	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
623

624
	l2cap_chan_send(chan, &msg, 1 + len);
625

626
627
628
629
630
631
	if (!chan->data)
		return;

	smp = chan->data;

	cancel_delayed_work_sync(&smp->security_timer);
632
	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
633
634
}

635
static u8 authreq_to_seclevel(u8 authreq)
636
{
637
638
639
640
641
642
	if (authreq & SMP_AUTH_MITM) {
		if (authreq & SMP_AUTH_SC)
			return BT_SECURITY_FIPS;
		else
			return BT_SECURITY_HIGH;
	} else {
643
		return BT_SECURITY_MEDIUM;
644
	}
645
646
647
648
649
}

static __u8 seclevel_to_authreq(__u8 sec_level)
{
	switch (sec_level) {
650
	case BT_SECURITY_FIPS:
651
652
653
654
655
656
657
658
659
	case BT_SECURITY_HIGH:
		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
	case BT_SECURITY_MEDIUM:
		return SMP_AUTH_BONDING;
	default:
		return SMP_AUTH_NONE;
	}
}

660
static void build_pairing_cmd(struct l2cap_conn *conn,
661
662
			      struct smp_cmd_pairing *req,
			      struct smp_cmd_pairing *rsp, __u8 authreq)
663
{
664
665
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
666
667
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
668
	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
669

670
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
671
672
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
673
		authreq |= SMP_AUTH_BONDING;
674
675
	} else {
		authreq &= ~SMP_AUTH_BONDING;
676
677
	}

678
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
679
680
		remote_dist |= SMP_DIST_ID_KEY;

681
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
682
683
		local_dist |= SMP_DIST_ID_KEY;

684
	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
685
686
687
688
	    (authreq & SMP_AUTH_SC)) {
		struct oob_data *oob_data;
		u8 bdaddr_type;

689
		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
690
691
692
			local_dist |= SMP_DIST_LINK_KEY;
			remote_dist |= SMP_DIST_LINK_KEY;
		}
693
694
695
696
697
698
699
700

		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
			bdaddr_type = BDADDR_LE_PUBLIC;
		else
			bdaddr_type = BDADDR_LE_RANDOM;

		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
						    bdaddr_type);
701
		if (oob_data && oob_data->present) {
702
			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
703
			oob_flag = SMP_OOB_PRESENT;
704
			memcpy(smp->rr, oob_data->rand256, 16);
705
			memcpy(smp->pcnf, oob_data->hash256, 16);
706
707
			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
708
709
		}

710
711
712
713
	} else {
		authreq &= ~SMP_AUTH_SC;
	}

714
715
	if (rsp == NULL) {
		req->io_capability = conn->hcon->io_capability;
716
		req->oob_flag = oob_flag;
717
		req->max_key_size = SMP_DEV(hdev)->max_key_size;
718
719
		req->init_key_dist = local_dist;
		req->resp_key_dist = remote_dist;
720
		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
721
722

		smp->remote_key_dist = remote_dist;
723
724
725
726
		return;
	}

	rsp->io_capability = conn->hcon->io_capability;
727
	rsp->oob_flag = oob_flag;
728
	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
729
730
	rsp->init_key_dist = req->init_key_dist & remote_dist;
	rsp->resp_key_dist = req->resp_key_dist & local_dist;
731
	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
732
733

	smp->remote_key_dist = rsp->init_key_dist;
734
735
}

736
737
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
{
738
	struct l2cap_chan *chan = conn->smp;
739
	struct hci_dev *hdev = conn->hcon->hdev;
740
	struct smp_chan *smp = chan->data;
741

742
743
	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
744
745
		return SMP_ENC_KEY_SIZE;

746
	smp->enc_key_size = max_key_size;
747
748
749
750

	return 0;
}

751
752
753
754
static void smp_chan_destroy(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
755
	struct hci_conn *hcon = conn->hcon;
756
757
758
759
760
761
762
	bool complete;

	BUG_ON(!smp);

	cancel_delayed_work_sync(&smp->security_timer);

	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
763
	mgmt_smp_complete(hcon, complete);
764

765
766
767
	kzfree(smp->csrk);
	kzfree(smp->slave_csrk);
	kzfree(smp->link_key);
768
769

	crypto_free_blkcipher(smp->tfm_aes);
770
	crypto_free_hash(smp->tfm_cmac);
771

772
773
774
775
	/* Ensure that we don't leave any debug key around if debug key
	 * support hasn't been explicitly enabled.
	 */
	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
776
	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
777
778
779
780
781
		list_del_rcu(&smp->ltk->list);
		kfree_rcu(smp->ltk, rcu);
		smp->ltk = NULL;
	}

782
783
784
	/* If pairing failed clean up any keys we might have */
	if (!complete) {
		if (smp->ltk) {
785
786
			list_del_rcu(&smp->ltk->list);
			kfree_rcu(smp->ltk, rcu);
787
788
789
		}

		if (smp->slave_ltk) {
790
791
			list_del_rcu(&smp->slave_ltk->list);
			kfree_rcu(smp->slave_ltk, rcu);
792
793
794
		}

		if (smp->remote_irk) {
795
796
			list_del_rcu(&smp->remote_irk->list);
			kfree_rcu(smp->remote_irk, rcu);
797
798
799
800
		}
	}

	chan->data = NULL;
801
	kzfree(smp);
802
	hci_conn_drop(hcon);
803
804
}

805
static void smp_failure(struct l2cap_conn *conn, u8 reason)
806
{
807
	struct hci_conn *hcon = conn->hcon;
808
	struct l2cap_chan *chan = conn->smp;
809

810
	if (reason)
811
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
812
			     &reason);
813

814
	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
815
	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
816

817
	if (chan->data)
818
		smp_chan_destroy(conn);
819
820
}

821
822
823
824
825
#define JUST_WORKS	0x00
#define JUST_CFM	0x01
#define REQ_PASSKEY	0x02
#define CFM_PASSKEY	0x03
#define REQ_OOB		0x04
826
#define DSP_PASSKEY	0x05
827
828
829
830
831
832
833
834
835
836
#define OVERLAP		0xFF

static const u8 gen_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
};

837
838
839
840
841
842
843
844
static const u8 sc_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
};

845
846
static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
{
847
848
849
	/* If either side has unknown io_caps, use JUST_CFM (which gets
	 * converted later to JUST_WORKS if we're initiators.
	 */
850
851
	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
852
		return JUST_CFM;
853

854
855
856
	if (test_bit(SMP_FLAG_SC, &smp->flags))
		return sc_method[remote_io][local_io];

857
858
859
	return gen_method[remote_io][local_io];
}

860
861
862
863
static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
						u8 local_io, u8 remote_io)
{
	struct hci_conn *hcon = conn->hcon;
864
865
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
866
867
868
869
870
	u32 passkey = 0;
	int ret = 0;

	/* Initialize key for JUST WORKS */
	memset(smp->tk, 0, sizeof(smp->tk));
871
	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
872
873
874

	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);

875
876
877
878
879
880
	/* If neither side wants MITM, either "just" confirm an incoming
	 * request or use just-works for outgoing ones. The JUST_CFM
	 * will be converted to JUST_WORKS if necessary later in this
	 * function. If either side has MITM look up the method from the
	 * table.
	 */
881
	if (!(auth & SMP_AUTH_MITM))
882
		smp->method = JUST_CFM;
883
	else
884
		smp->method = get_auth_method(smp, local_io, remote_io);
885

886
	/* Don't confirm locally initiated pairing attempts */
887
888
889
	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
						&smp->flags))
		smp->method = JUST_WORKS;
890

891
	/* Don't bother user space with no IO capabilities */
892
893
894
	if (smp->method == JUST_CFM &&
	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
		smp->method = JUST_WORKS;
895

896
	/* If Just Works, Continue with Zero TK */
897
	if (smp->method == JUST_WORKS) {
898
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
899
900
901
		return 0;
	}

902
903
904
905
906
907
	/* If this function is used for SC -> legacy fallback we
	 * can only recover the just-works case.
	 */
	if (test_bit(SMP_FLAG_SC, &smp->flags))
		return -EINVAL;

908
	/* Not Just Works/Confirm results in MITM Authentication */
909
	if (smp->method != JUST_CFM) {
910
		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
911
912
913
		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
			hcon->pending_sec_level = BT_SECURITY_HIGH;
	}
914
915
916
917

	/* If both devices have Keyoard-Display I/O, the master
	 * Confirms and the slave Enters the passkey.
	 */
918
	if (smp->method == OVERLAP) {
919
		if (hcon->role == HCI_ROLE_MASTER)
920
			smp->method = CFM_PASSKEY;
921
		else
922
			smp->method = REQ_PASSKEY;
923
924
	}

925
	/* Generate random passkey. */
926
	if (smp->method == CFM_PASSKEY) {
927
		memset(smp->tk, 0, sizeof(smp->tk));
928
929
		get_random_bytes(&passkey, sizeof(passkey));
		passkey %= 1000000;
930
		put_unaligned_le32(passkey, smp->tk);
931
		BT_DBG("PassKey: %d", passkey);
932
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
933
934
	}

935
	if (smp->method == REQ_PASSKEY)
936
		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
937
						hcon->type, hcon->dst_type);
938
	else if (smp->method == JUST_CFM)
939
940
941
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
						hcon->type, hcon->dst_type,
						passkey, 1);
942
	else
943
		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
944
						hcon->type, hcon->dst_type,
945
						passkey, 0);
946
947
948
949

	return ret;
}

950
static u8 smp_confirm(struct smp_chan *smp)
951
952
953
954
955
956
957
{
	struct l2cap_conn *conn = smp->conn;
	struct smp_cmd_pairing_confirm cp;
	int ret;

	BT_DBG("conn %p", conn);

958
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
959
		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
960
961
		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
		     cp.confirm_val);
962
963
	if (ret)
		return SMP_UNSPECIFIED;
964

965
	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
966

967
968
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);

969
970
971
972
973
	if (conn->hcon->out)
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
	else
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

974
	return 0;
975
976
}

977
static u8 smp_random(struct smp_chan *smp)
978
979
980
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
981
	u8 confirm[16];
982
983
	int ret;

984
	if (IS_ERR_OR_NULL(smp->tfm_aes))
985
		return SMP_UNSPECIFIED;
986
987
988

	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

989
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
990
		     hcon->init_addr_type, &hcon->init_addr,
991
		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
992
993
	if (ret)
		return SMP_UNSPECIFIED;
994
995
996

	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
		BT_ERR("Pairing failed (confirmation values mismatch)");
997
		return SMP_CONFIRM_FAILED;
998
999
1000
	}

	if (hcon->out) {
For faster browsing, not all history is shown. View entire blame