smp.c 92.2 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
/*
   BlueZ - Bluetooth protocol stack for Linux
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

23
#include <linux/debugfs.h>
24 25
#include <linux/crypto.h>
#include <linux/scatterlist.h>
26
#include <crypto/algapi.h>
27 28
#include <crypto/b128ops.h>

29 30 31
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/l2cap.h>
32
#include <net/bluetooth/mgmt.h>
33

34
#include "ecc.h"
35
#include "smp.h"
36

37 38 39
#define SMP_DEV(hdev) \
	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)

40 41 42 43 44 45 46 47 48 49 50 51
/* Low-level debug macros to be used for stuff that we don't want
 * accidentially in dmesg, i.e. the values of the various crypto keys
 * and the inputs & outputs of crypto functions.
 */
#ifdef DEBUG
#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
				 ##__VA_ARGS__)
#else
#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
				    ##__VA_ARGS__)
#endif

52 53
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)

54 55 56
/* Keys which are not distributed with Secure Connections */
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);

57
#define SMP_TIMEOUT	msecs_to_jiffies(30000)
58

59
#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
60 61
				 0x1f : 0x07)
#define KEY_DIST_MASK		0x07
62

63 64 65
/* Maximum message length that can be passed to aes_cmac */
#define CMAC_MSG_MAX	80

66 67 68 69 70 71
enum {
	SMP_FLAG_TK_VALID,
	SMP_FLAG_CFM_PENDING,
	SMP_FLAG_MITM_AUTH,
	SMP_FLAG_COMPLETE,
	SMP_FLAG_INITIATOR,
72
	SMP_FLAG_SC,
73
	SMP_FLAG_REMOTE_PK,
74
	SMP_FLAG_DEBUG_KEY,
75
	SMP_FLAG_WAIT_USER,
76
	SMP_FLAG_DHKEY_PENDING,
77 78
	SMP_FLAG_REMOTE_OOB,
	SMP_FLAG_LOCAL_OOB,
79
};
80

81
struct smp_dev {
82 83 84
	/* Secure Connections OOB data */
	u8			local_pk[64];
	u8			local_sk[32];
85
	u8			local_rand[16];
86 87
	bool			debug_key;

88
	u8			min_key_size;
89 90
	u8			max_key_size;

91
	struct crypto_blkcipher	*tfm_aes;
92
	struct crypto_hash	*tfm_cmac;
93 94
};

95
struct smp_chan {
96 97
	struct l2cap_conn	*conn;
	struct delayed_work	security_timer;
98
	unsigned long           allow_cmd; /* Bitmask of allowed commands */
99

100 101 102 103 104 105
	u8		preq[7]; /* SMP Pairing Request */
	u8		prsp[7]; /* SMP Pairing Response */
	u8		prnd[16]; /* SMP Pairing Random (local) */
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
	u8		pcnf[16]; /* SMP Pairing Confirm */
	u8		tk[16]; /* SMP Temporary Key */
106 107
	u8		rr[16]; /* Remote OOB ra/rb value */
	u8		lr[16]; /* Local OOB ra/rb value */
108 109 110 111 112 113 114 115 116 117
	u8		enc_key_size;
	u8		remote_key_dist;
	bdaddr_t	id_addr;
	u8		id_addr_type;
	u8		irk[16];
	struct smp_csrk	*csrk;
	struct smp_csrk	*slave_csrk;
	struct smp_ltk	*ltk;
	struct smp_ltk	*slave_ltk;
	struct smp_irk	*remote_irk;
118
	u8		*link_key;
119
	unsigned long	flags;
120
	u8		method;
121
	u8		passkey_round;
122

123 124 125
	/* Secure Connections variables */
	u8			local_pk[64];
	u8			local_sk[32];
126 127
	u8			remote_pk[64];
	u8			dhkey[32];
128
	u8			mackey[16];
129

130
	struct crypto_blkcipher	*tfm_aes;
131
	struct crypto_hash	*tfm_cmac;
132 133
};

134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156
/* These debug key values are defined in the SMP section of the core
 * specification. debug_pk is the public debug key and debug_sk the
 * private debug key.
 */
static const u8 debug_pk[64] = {
		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,

		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
};

static const u8 debug_sk[32] = {
		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
};

157
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158
{
159
	size_t i;
160

161 162
	for (i = 0; i < len; i++)
		dst[len - 1 - i] = src[i];
163 164
}

165 166 167 168
/* The following functions map to the LE SC SMP crypto functions
 * AES-CMAC, f4, f5, f6, g2 and h6.
 */

169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193
static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
		    size_t len, u8 mac[16])
{
	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
	struct hash_desc desc;
	struct scatterlist sg;
	int err;

	if (len > CMAC_MSG_MAX)
		return -EFBIG;

	if (!tfm) {
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

	crypto_hash_init(&desc);

	/* Swap key and message from LSB to MSB */
	swap_buf(k, tmp, 16);
	swap_buf(m, msg_msb, len);

194 195
	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
	SMP_DBG("key %16phN", k);
196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218

	err = crypto_hash_setkey(tfm, tmp, 16);
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

	sg_init_one(&sg, msg_msb, len);

	err = crypto_hash_update(&desc, &sg, len);
	if (err) {
		BT_ERR("Hash update error %d", err);
		return err;
	}

	err = crypto_hash_final(&desc, mac_msb);
	if (err) {
		BT_ERR("Hash final error %d", err);
		return err;
	}

	swap_buf(mac_msb, mac, 16);

219
	SMP_DBG("mac %16phN", mac);
220 221 222 223 224 225 226 227 228 229

	return 0;
}

static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], u8 z, u8 res[16])
{
	u8 m[65];
	int err;

230 231 232
	SMP_DBG("u %32phN", u);
	SMP_DBG("v %32phN", v);
	SMP_DBG("x %16phN z %02x", x, z);
233 234 235 236 237 238 239 240 241

	m[0] = z;
	memcpy(m + 1, v, 32);
	memcpy(m + 33, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
	if (err)
		return err;

242
	SMP_DBG("res %16phN", res);
243 244 245 246

	return err;
}

247 248 249
static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
250 251 252 253 254 255 256 257 258 259 260 261 262 263
{
	/* The btle, salt and length "magic" values are as defined in
	 * the SMP section of the Bluetooth core specification. In ASCII
	 * the btle value ends up being 'btle'. The salt is just a
	 * random number whereas length is the value 256 in little
	 * endian format.
	 */
	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
	const u8 length[2] = { 0x00, 0x01 };
	u8 m[53], t[16];
	int err;

264 265 266
	SMP_DBG("w %32phN", w);
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
267 268 269 270 271

	err = aes_cmac(tfm_cmac, salt, w, 32, t);
	if (err)
		return err;

272
	SMP_DBG("t %16phN", t);
273 274 275 276 277 278 279 280 281 282 283 284 285 286

	memcpy(m, length, 2);
	memcpy(m + 2, a2, 7);
	memcpy(m + 9, a1, 7);
	memcpy(m + 16, n2, 16);
	memcpy(m + 32, n1, 16);
	memcpy(m + 48, btle, 4);

	m[52] = 0; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
	if (err)
		return err;

287
	SMP_DBG("mackey %16phN", mackey);
288 289 290 291 292 293 294

	m[52] = 1; /* Counter */

	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
	if (err)
		return err;

295
	SMP_DBG("ltk %16phN", ltk);
296 297 298 299 300

	return 0;
}

static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
301
		  const u8 n1[16], const u8 n2[16], const u8 r[16],
302 303 304 305 306 307
		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
		  u8 res[16])
{
	u8 m[65];
	int err;

308 309 310
	SMP_DBG("w %16phN", w);
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
311 312 313 314 315 316 317 318 319 320 321 322

	memcpy(m, a2, 7);
	memcpy(m + 7, a1, 7);
	memcpy(m + 14, io_cap, 3);
	memcpy(m + 17, r, 16);
	memcpy(m + 33, n2, 16);
	memcpy(m + 49, n1, 16);

	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
	if (err)
		return err;

323
	SMP_DBG("res %16phN", res);
324 325 326 327

	return err;
}

328 329 330 331 332 333
static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
		  const u8 x[16], const u8 y[16], u32 *val)
{
	u8 m[80], tmp[16];
	int err;

334 335 336
	SMP_DBG("u %32phN", u);
	SMP_DBG("v %32phN", v);
	SMP_DBG("x %16phN y %16phN", x, y);
337 338 339 340 341 342 343 344 345 346 347 348

	memcpy(m, y, 16);
	memcpy(m + 16, v, 32);
	memcpy(m + 48, u, 32);

	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
	if (err)
		return err;

	*val = get_unaligned_le32(tmp);
	*val %= 1000000;

349
	SMP_DBG("val %06u", *val);
350 351 352 353

	return 0;
}

354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373
static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
		  const u8 key_id[4], u8 res[16])
{
	int err;

	SMP_DBG("w %16phN key_id %4phN", w, key_id);

	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
	if (err)
		return err;

	SMP_DBG("res %16phN", res);

	return err;
}

/* The following functions map to the legacy SMP crypto functions e, c1,
 * s1 and ah.
 */

374 375 376 377
static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
{
	struct blkcipher_desc desc;
	struct scatterlist sg;
378
	uint8_t tmp[16], data[16];
379
	int err;
380

381 382
	SMP_DBG("k %16phN r %16phN", k, r);

383
	if (!tfm) {
384 385 386 387 388 389 390
		BT_ERR("tfm %p", tfm);
		return -EINVAL;
	}

	desc.tfm = tfm;
	desc.flags = 0;

391
	/* The most significant octet of key corresponds to k[0] */
392
	swap_buf(k, tmp, 16);
393 394

	err = crypto_blkcipher_setkey(tfm, tmp, 16);
395 396 397 398 399
	if (err) {
		BT_ERR("cipher setkey failed: %d", err);
		return err;
	}

400
	/* Most significant octet of plaintextData corresponds to data[0] */
401
	swap_buf(r, data, 16);
402 403

	sg_init_one(&sg, data, 16);
404 405 406 407 408

	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
	if (err)
		BT_ERR("Encrypt data error %d", err);

409
	/* Most significant octet of encryptedData corresponds to data[0] */
410
	swap_buf(data, r, 16);
411

412 413
	SMP_DBG("r %16phN", r);

414 415 416
	return err;
}

417 418 419
static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
420
{
421
	u8 p1[16], p2[16];
422 423
	int err;

424 425 426 427
	SMP_DBG("k %16phN r %16phN", k, r);
	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
	SMP_DBG("preq %7phN pres %7phN", preq, pres);

428
	memset(p1, 0, 16);
429

430 431 432 433 434 435
	/* p1 = pres || preq || _rat || _iat */
	p1[0] = _iat;
	p1[1] = _rat;
	memcpy(p1 + 2, preq, 7);
	memcpy(p1 + 9, pres, 7);

436
	SMP_DBG("p1 %16phN", p1);
437 438 439 440 441 442 443 444

	/* res = r XOR p1 */
	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);

	/* res = e(k, res) */
	err = smp_e(tfm_aes, k, res);
	if (err) {
		BT_ERR("Encrypt data error");
445
		return err;
446
	}
447

448 449 450 451 452 453 454
	/* p2 = padding || ia || ra */
	memcpy(p2, ra, 6);
	memcpy(p2 + 6, ia, 6);
	memset(p2 + 12, 0, 4);

	SMP_DBG("p2 %16phN", p2);

455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477
	/* res = res XOR p2 */
	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);

	/* res = e(k, res) */
	err = smp_e(tfm_aes, k, res);
	if (err)
		BT_ERR("Encrypt data error");

	return err;
}

static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
		  const u8 r1[16], const u8 r2[16], u8 _r[16])
{
	int err;

	/* Just least significant octets from r1 and r2 are considered */
	memcpy(_r, r2, 8);
	memcpy(_r + 8, r1, 8);

	err = smp_e(tfm_aes, k, _r);
	if (err)
		BT_ERR("Encrypt data error");
478 479 480 481

	return err;
}

482 483
static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
		  const u8 r[3], u8 res[3])
484
{
485
	u8 _res[16];
486 487 488
	int err;

	/* r' = padding || r */
489 490
	memcpy(_res, r, 3);
	memset(_res + 3, 0, 13);
491

492
	err = smp_e(tfm, irk, _res);
493 494 495 496 497 498
	if (err) {
		BT_ERR("Encrypt error");
		return err;
	}

	/* The output of the random address function ah is:
499
	 *	ah(k, r) = e(k, r') mod 2^24
500 501 502 503
	 * The output of the security function e is then truncated to 24 bits
	 * by taking the least significant 24 bits of the output of e as the
	 * result of ah.
	 */
504
	memcpy(res, _res, 3);
505 506 507 508

	return 0;
}

509 510
bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
		     const bdaddr_t *bdaddr)
511
{
512
	struct l2cap_chan *chan = hdev->smp_data;
513
	struct smp_dev *smp;
514 515 516
	u8 hash[3];
	int err;

517 518 519
	if (!chan || !chan->data)
		return false;

520
	smp = chan->data;
521

522 523
	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);

524
	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
525 526 527
	if (err)
		return false;

528
	return !crypto_memneq(bdaddr->b, hash, 3);
529 530
}

531
int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
532
{
533
	struct l2cap_chan *chan = hdev->smp_data;
534
	struct smp_dev *smp;
535 536
	int err;

537 538 539
	if (!chan || !chan->data)
		return -EOPNOTSUPP;

540
	smp = chan->data;
541

542 543 544 545 546
	get_random_bytes(&rpa->b[3], 3);

	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
	rpa->b[5] |= 0x40;	/* Set second most significant bit */

547
	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
548 549 550 551 552 553 554 555
	if (err < 0)
		return err;

	BT_DBG("RPA %pMR", rpa);

	return 0;
}

556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580
int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
{
	struct l2cap_chan *chan = hdev->smp_data;
	struct smp_dev *smp;
	int err;

	if (!chan || !chan->data)
		return -EOPNOTSUPP;

	smp = chan->data;

	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
		BT_DBG("Using debug keys");
		memcpy(smp->local_pk, debug_pk, 64);
		memcpy(smp->local_sk, debug_sk, 32);
		smp->debug_key = true;
	} else {
		while (true) {
			/* Generate local key pair for Secure Connections */
			if (!ecc_make_key(smp->local_pk, smp->local_sk))
				return -EIO;

			/* This is unlikely, but we need to check that
			 * we didn't accidentially generate a debug key.
			 */
581
			if (crypto_memneq(smp->local_sk, debug_sk, 32))
582 583 584 585 586 587 588 589 590
				break;
		}
		smp->debug_key = false;
	}

	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
	SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);

591
	get_random_bytes(smp->local_rand, 16);
592 593

	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
594
		     smp->local_rand, 0, hash);
595 596 597
	if (err < 0)
		return err;

598
	memcpy(rand, smp->local_rand, 16);
599 600 601 602

	return 0;
}

603
static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
604
{
605
	struct l2cap_chan *chan = conn->smp;
606
	struct smp_chan *smp;
607 608
	struct kvec iv[2];
	struct msghdr msg;
609

610 611
	if (!chan)
		return;
612

613
	BT_DBG("code 0x%2.2x", code);
614

615 616
	iv[0].iov_base = &code;
	iv[0].iov_len = 1;
617

618 619
	iv[1].iov_base = data;
	iv[1].iov_len = len;
620

621
	memset(&msg, 0, sizeof(msg));
622

623
	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
624

625
	l2cap_chan_send(chan, &msg, 1 + len);
626

627 628 629 630 631 632
	if (!chan->data)
		return;

	smp = chan->data;

	cancel_delayed_work_sync(&smp->security_timer);
633
	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
634 635
}

636
static u8 authreq_to_seclevel(u8 authreq)
637
{
638 639 640 641 642 643
	if (authreq & SMP_AUTH_MITM) {
		if (authreq & SMP_AUTH_SC)
			return BT_SECURITY_FIPS;
		else
			return BT_SECURITY_HIGH;
	} else {
644
		return BT_SECURITY_MEDIUM;
645
	}
646 647 648 649 650
}

static __u8 seclevel_to_authreq(__u8 sec_level)
{
	switch (sec_level) {
651
	case BT_SECURITY_FIPS:
652 653 654 655 656 657 658 659 660
	case BT_SECURITY_HIGH:
		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
	case BT_SECURITY_MEDIUM:
		return SMP_AUTH_BONDING;
	default:
		return SMP_AUTH_NONE;
	}
}

661
static void build_pairing_cmd(struct l2cap_conn *conn,
662 663
			      struct smp_cmd_pairing *req,
			      struct smp_cmd_pairing *rsp, __u8 authreq)
664
{
665 666
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
667 668
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
669
	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
670

671
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
672 673
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
674
		authreq |= SMP_AUTH_BONDING;
675 676
	} else {
		authreq &= ~SMP_AUTH_BONDING;
677 678
	}

679
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
680 681
		remote_dist |= SMP_DIST_ID_KEY;

682
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
683 684
		local_dist |= SMP_DIST_ID_KEY;

685
	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
686 687 688 689
	    (authreq & SMP_AUTH_SC)) {
		struct oob_data *oob_data;
		u8 bdaddr_type;

690
		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
691 692 693
			local_dist |= SMP_DIST_LINK_KEY;
			remote_dist |= SMP_DIST_LINK_KEY;
		}
694 695 696 697 698 699 700 701

		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
			bdaddr_type = BDADDR_LE_PUBLIC;
		else
			bdaddr_type = BDADDR_LE_RANDOM;

		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
						    bdaddr_type);
702
		if (oob_data && oob_data->present) {
703
			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
704
			oob_flag = SMP_OOB_PRESENT;
705
			memcpy(smp->rr, oob_data->rand256, 16);
706
			memcpy(smp->pcnf, oob_data->hash256, 16);
707 708
			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
709 710
		}

711 712 713 714
	} else {
		authreq &= ~SMP_AUTH_SC;
	}

715 716
	if (rsp == NULL) {
		req->io_capability = conn->hcon->io_capability;
717
		req->oob_flag = oob_flag;
718
		req->max_key_size = SMP_DEV(hdev)->max_key_size;
719 720
		req->init_key_dist = local_dist;
		req->resp_key_dist = remote_dist;
721
		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
722 723

		smp->remote_key_dist = remote_dist;
724 725 726 727
		return;
	}

	rsp->io_capability = conn->hcon->io_capability;
728
	rsp->oob_flag = oob_flag;
729
	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
730 731
	rsp->init_key_dist = req->init_key_dist & remote_dist;
	rsp->resp_key_dist = req->resp_key_dist & local_dist;
732
	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
733 734

	smp->remote_key_dist = rsp->init_key_dist;
735 736
}

737 738
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
{
739
	struct l2cap_chan *chan = conn->smp;
740
	struct hci_dev *hdev = conn->hcon->hdev;
741
	struct smp_chan *smp = chan->data;
742

743 744
	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
745 746
		return SMP_ENC_KEY_SIZE;

747
	smp->enc_key_size = max_key_size;
748 749 750 751

	return 0;
}

752 753 754 755
static void smp_chan_destroy(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
756
	struct hci_conn *hcon = conn->hcon;
757 758 759 760 761 762 763
	bool complete;

	BUG_ON(!smp);

	cancel_delayed_work_sync(&smp->security_timer);

	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
764
	mgmt_smp_complete(hcon, complete);
765

766 767 768
	kzfree(smp->csrk);
	kzfree(smp->slave_csrk);
	kzfree(smp->link_key);
769 770

	crypto_free_blkcipher(smp->tfm_aes);
771
	crypto_free_hash(smp->tfm_cmac);
772

773 774 775 776
	/* Ensure that we don't leave any debug key around if debug key
	 * support hasn't been explicitly enabled.
	 */
	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
777
	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
778 779 780 781 782
		list_del_rcu(&smp->ltk->list);
		kfree_rcu(smp->ltk, rcu);
		smp->ltk = NULL;
	}

783 784 785
	/* If pairing failed clean up any keys we might have */
	if (!complete) {
		if (smp->ltk) {
786 787
			list_del_rcu(&smp->ltk->list);
			kfree_rcu(smp->ltk, rcu);
788 789 790
		}

		if (smp->slave_ltk) {
791 792
			list_del_rcu(&smp->slave_ltk->list);
			kfree_rcu(smp->slave_ltk, rcu);
793 794 795
		}

		if (smp->remote_irk) {
796 797
			list_del_rcu(&smp->remote_irk->list);
			kfree_rcu(smp->remote_irk, rcu);
798 799 800 801
		}
	}

	chan->data = NULL;
802
	kzfree(smp);
803
	hci_conn_drop(hcon);
804 805
}

806
static void smp_failure(struct l2cap_conn *conn, u8 reason)
807
{
808
	struct hci_conn *hcon = conn->hcon;
809
	struct l2cap_chan *chan = conn->smp;
810

811
	if (reason)
812
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
813
			     &reason);
814

815
	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
816

817
	if (chan->data)
818
		smp_chan_destroy(conn);
819 820
}

821 822 823 824 825
#define JUST_WORKS	0x00
#define JUST_CFM	0x01
#define REQ_PASSKEY	0x02
#define CFM_PASSKEY	0x03
#define REQ_OOB		0x04
826
#define DSP_PASSKEY	0x05
827 828 829 830 831 832 833 834 835 836
#define OVERLAP		0xFF

static const u8 gen_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
};

837 838 839 840 841 842 843 844
static const u8 sc_method[5][5] = {
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
};

845 846
static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
{
847 848 849
	/* If either side has unknown io_caps, use JUST_CFM (which gets
	 * converted later to JUST_WORKS if we're initiators.
	 */
850 851
	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
852
		return JUST_CFM;
853

854 855 856
	if (test_bit(SMP_FLAG_SC, &smp->flags))
		return sc_method[remote_io][local_io];

857 858 859
	return gen_method[remote_io][local_io];
}

860 861 862 863
static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
						u8 local_io, u8 remote_io)
{
	struct hci_conn *hcon = conn->hcon;
864 865
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
866 867 868 869 870
	u32 passkey = 0;
	int ret = 0;

	/* Initialize key for JUST WORKS */
	memset(smp->tk, 0, sizeof(smp->tk));
871
	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
872 873 874

	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);

875 876 877 878 879 880
	/* If neither side wants MITM, either "just" confirm an incoming
	 * request or use just-works for outgoing ones. The JUST_CFM
	 * will be converted to JUST_WORKS if necessary later in this
	 * function. If either side has MITM look up the method from the
	 * table.
	 */
881
	if (!(auth & SMP_AUTH_MITM))
882
		smp->method = JUST_CFM;
883
	else
884
		smp->method = get_auth_method(smp, local_io, remote_io);
885

886
	/* Don't confirm locally initiated pairing attempts */
887 888 889
	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
						&smp->flags))
		smp->method = JUST_WORKS;
890

891
	/* Don't bother user space with no IO capabilities */
892 893 894
	if (smp->method == JUST_CFM &&
	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
		smp->method = JUST_WORKS;
895

896
	/* If Just Works, Continue with Zero TK */
897
	if (smp->method == JUST_WORKS) {
898
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
899 900 901
		return 0;
	}

902 903 904 905 906 907
	/* If this function is used for SC -> legacy fallback we
	 * can only recover the just-works case.
	 */
	if (test_bit(SMP_FLAG_SC, &smp->flags))
		return -EINVAL;

908
	/* Not Just Works/Confirm results in MITM Authentication */
909
	if (smp->method != JUST_CFM) {
910
		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
911 912 913
		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
			hcon->pending_sec_level = BT_SECURITY_HIGH;
	}
914 915 916 917

	/* If both devices have Keyoard-Display I/O, the master
	 * Confirms and the slave Enters the passkey.
	 */
918
	if (smp->method == OVERLAP) {
919
		if (hcon->role == HCI_ROLE_MASTER)
920
			smp->method = CFM_PASSKEY;
921
		else
922
			smp->method = REQ_PASSKEY;
923 924
	}

925
	/* Generate random passkey. */
926
	if (smp->method == CFM_PASSKEY) {
927
		memset(smp->tk, 0, sizeof(smp->tk));
928 929
		get_random_bytes(&passkey, sizeof(passkey));
		passkey %= 1000000;
930
		put_unaligned_le32(passkey, smp->tk);
931
		BT_DBG("PassKey: %d", passkey);
932
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
933 934
	}

935
	if (smp->method == REQ_PASSKEY)
936
		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
937
						hcon->type, hcon->dst_type);
938
	else if (smp->method == JUST_CFM)
939 940 941
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
						hcon->type, hcon->dst_type,
						passkey, 1);
942
	else
943
		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
944
						hcon->type, hcon->dst_type,
945
						passkey, 0);
946 947 948 949

	return ret;
}

950
static u8 smp_confirm(struct smp_chan *smp)
951 952 953 954 955 956 957
{
	struct l2cap_conn *conn = smp->conn;
	struct smp_cmd_pairing_confirm cp;
	int ret;

	BT_DBG("conn %p", conn);

958
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
959
		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
960 961
		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
		     cp.confirm_val);
962 963
	if (ret)
		return SMP_UNSPECIFIED;
964

965
	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
966

967 968
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);

969 970 971 972 973
	if (conn->hcon->out)
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
	else
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);

974
	return 0;
975 976
}

977
static u8 smp_random(struct smp_chan *smp)
978 979 980
{
	struct l2cap_conn *conn = smp->conn;
	struct hci_conn *hcon = conn->hcon;
981
	u8 confirm[16];
982 983
	int ret;

984
	if (IS_ERR_OR_NULL(smp->tfm_aes))
985
		return SMP_UNSPECIFIED;
986 987 988

	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");

989
	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
990
		     hcon->init_addr_type, &hcon->init_addr,
991
		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
992 993
	if (ret)
		return SMP_UNSPECIFIED;
994

995
	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
996
		BT_ERR("Pairing failed (confirmation values mismatch)");
997
		return SMP_CONFIRM_FAILED;
998 999 1000
	}

	if (hcon->out) {
1001 1002 1003
		u8 stk[16];
		__le64 rand = 0;
		__le16 ediv = 0;
1004

1005
		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1006

1007 1008
		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
			return SMP_UNSPECIFIED;
1009

1010
		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1011
		hcon->enc_key_size = smp->enc_key_size;
1012
		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1013
	} else {
1014
		u8 stk[16], auth;
1015 1016
		__le64 rand = 0;
		__le16 ediv = 0;
1017

1018 1019
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
			     smp->prnd);
1020

1021
		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1022

1023 1024 1025 1026 1027
		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
			auth = 1;
		else
			auth = 0;

1028 1029 1030 1031
		/* Even though there's no _SLAVE suffix this is the
		 * slave STK we're adding for later lookup (the master
		 * STK never needs to be stored).
		 */
1032
		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1033
			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1034 1035
	}

1036
	return 0;
1037 1038
}

1039 1040 1041 1042 1043 1044 1045 1046 1047 1048
static void smp_notify_keys(struct l2cap_conn *conn)
{
	struct l2cap_chan *chan = conn->smp;
	struct smp_chan *smp = chan->data;
	struct hci_conn *hcon = conn->hcon;
	struct hci_dev *hdev = hcon->hdev;
	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
	bool persistent;

1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063
	if (hcon->type == ACL_LINK) {
		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
			persistent = false;
		else
			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
					       &hcon->flags);
	} else {
		/* The LTKs, IRKs and CSRKs should be persistent only if
		 * both sides had the bonding bit set in their
		 * authentication requests.
		 */
		persistent = !!((req->auth_req & rsp->auth_req) &
				SMP_AUTH_BONDING);
	}

1064
	if (smp->remote_irk) {
1065 1066
		mgmt_new_irk(hdev, smp->remote_irk, persistent);

1067 1068
		/* Now that user space can be considered to know the
		 * identity address track the connection based on it
1069
		 * from now on (assuming this is an LE link).
1070
		 */
1071 1072 1073 1074 1075
		if (hcon->type == LE_LINK) {
			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
			hcon->dst_type = smp->remote_irk->addr_type;
			queue_work(hdev->workqueue, &conn->id_addr_update_work);
		}
1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100
	}

	if (smp->csrk) {
		smp->csrk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->csrk->bdaddr, &hcon->dst);
		mgmt_new_csrk(hdev, smp->csrk, persistent);
	}

	if (smp->slave_csrk) {
		smp->slave_csrk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
	}

	if (smp->ltk) {
		smp->ltk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->ltk->bdaddr, &hcon->dst);
		mgmt_new_ltk(hdev, smp->ltk, persistent);
	}

	if (smp->slave_ltk) {
		smp->slave_ltk->bdaddr_type = hcon->dst_type;
		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
	}
1101 1102

	if (smp->link_key) {
1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 1116 1117 1118 1119 1120
		struct link_key *key;
		u8 type;

		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
			type = HCI_LK_DEBUG_COMBINATION;
		else if (hcon->sec_level == BT_SECURITY_FIPS)
			type = HCI_LK_AUTH_COMBINATION_P256;
		else
			type = HCI_LK_UNAUTH_COMBINATION_P256;

		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
				       smp->link_key, type, 0, &persistent);
		if (key) {
			mgmt_new_link_key(hdev, key, persistent);

			/* Don't keep debug keys around if the relevant
			 * flag is not set.
			 */
1121
			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1122 1123 1124 1125 1126
			    key->type == HCI_LK_DEBUG_COMBINATION) {
				list_del_rcu(&key->list);
				kfree_rcu(key, rcu);
			}
		}
1127 1128 1129
	}
}

1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149
static void sc_add_ltk(struct smp_chan *smp)
{
	struct hci_conn *hcon = smp->conn->hcon;
	u8 key_type, auth;

	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
		key_type = SMP_LTK_P256_DEBUG;
	else
		key_type = SMP_LTK_P256;

	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
		auth = 1;
	else
		auth = 0;

	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
			       key_type, auth, smp->tk, smp->enc_key_size,
			       0, 0);
}

1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162
static void sc_generate_link_key(struct smp_chan *smp)
{
	/* These constants are as specified in the core specification.
	 * In ASCII they spell out to 'tmp1' and 'lebr'.
	 */
	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };

	smp->link_key = kzalloc(16, GFP_KERNEL);
	if (!smp->link_key)
		return;

	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1163
		kzfree(smp->link_key);
1164 1165 1166 1167 1168
		smp->link_key = NULL;
		return;
	}

	if (smp_h6