tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Bluetooth: let the crypto subsystem generate the ecc privkey

That Bluetooth SMP knows about the private key is pointless, since the
detection of debug key usage is actually via the public key portion.
With this patch, the Bluetooth SMP will stop keeping a copy of the
ecdh private key and will let the crypto subsystem to generate and
handle the ecdh private key, potentially benefiting of hardware
ecc private key generation and retention.

The loop that tries to generate a correct private key is now removed and
we trust the crypto subsystem to generate a correct private key. This
backup logic should be done in crypto, if really needed.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>

authored by

Tudor Ambarus and committed by
Marcel Holtmann c0153b0b 168ed654

+148 -129
+103 -85
net/bluetooth/ecdh_helper.c
··· 49 49 out[i] = __swab64(in[ndigits - 1 - i]); 50 50 } 51 51 52 + /* compute_ecdh_secret() - function assumes that the private key was 53 + * already set. 54 + * @tfm: KPP tfm handle allocated with crypto_alloc_kpp(). 55 + * @public_key: pair's ecc public key. 56 + * secret: memory where the ecdh computed shared secret will be saved. 57 + * 58 + * Return: zero on success; error code in case of error. 59 + */ 52 60 int compute_ecdh_secret(struct crypto_kpp *tfm, const u8 public_key[64], 53 - const u8 private_key[32], u8 secret[32]) 61 + u8 secret[32]) 54 62 { 55 63 struct kpp_request *req; 56 - struct ecdh p; 64 + u8 *tmp; 57 65 struct ecdh_completion result; 58 66 struct scatterlist src, dst; 59 - u8 *tmp, *buf; 60 - unsigned int buf_len; 61 67 int err; 62 68 63 69 tmp = kmalloc(64, GFP_KERNEL); ··· 77 71 } 78 72 79 73 init_completion(&result.completion); 80 - 81 - /* Security Manager Protocol holds digits in litte-endian order 82 - * while ECC API expect big-endian data 83 - */ 84 - swap_digits((u64 *)private_key, (u64 *)tmp, 4); 85 - p.key = (char *)tmp; 86 - p.key_size = 32; 87 - /* Set curve_id */ 88 - p.curve_id = ECC_CURVE_NIST_P256; 89 - buf_len = crypto_ecdh_key_len(&p); 90 - buf = kmalloc(buf_len, GFP_KERNEL); 91 - if (!buf) { 92 - err = -ENOMEM; 93 - goto free_req; 94 - } 95 - 96 - crypto_ecdh_encode_key(buf, buf_len, &p); 97 - 98 - /* Set A private Key */ 99 - err = crypto_kpp_set_secret(tfm, (void *)buf, buf_len); 100 - if (err) 101 - goto free_all; 102 74 103 75 swap_digits((u64 *)public_key, (u64 *)tmp, 4); /* x */ 104 76 swap_digits((u64 *)&public_key[32], (u64 *)&tmp[32], 4); /* y */ ··· 102 118 memcpy(secret, tmp, 32); 103 119 104 120 free_all: 105 - kzfree(buf); 106 - free_req: 107 121 kpp_request_free(req); 108 122 free_tmp: 109 123 kzfree(tmp); 110 124 return err; 111 125 } 112 126 113 - int generate_ecdh_keys(struct crypto_kpp *tfm, u8 public_key[64], 114 - u8 private_key[32]) 127 + /* set_ecdh_privkey() - set or generate ecc private key. 128 + * 129 + * Function generates an ecc private key in the crypto subsystem when receiving 130 + * a NULL private key or sets the received key when not NULL. 131 + * 132 + * @tfm: KPP tfm handle allocated with crypto_alloc_kpp(). 133 + * @private_key: user's ecc private key. When not NULL, the key is expected 134 + * in little endian format. 135 + * 136 + * Return: zero on success; error code in case of error. 137 + */ 138 + int set_ecdh_privkey(struct crypto_kpp *tfm, const u8 private_key[32]) 115 139 { 116 - struct kpp_request *req; 117 - struct ecdh p; 118 - struct ecdh_completion result; 119 - struct scatterlist dst; 120 - u8 *tmp, *buf; 140 + u8 *buf, *tmp = NULL; 121 141 unsigned int buf_len; 122 142 int err; 123 - const unsigned short max_tries = 16; 124 - unsigned short tries = 0; 143 + struct ecdh p = {0}; 144 + 145 + p.curve_id = ECC_CURVE_NIST_P256; 146 + 147 + if (private_key) { 148 + tmp = kmalloc(32, GFP_KERNEL); 149 + if (!tmp) 150 + return -ENOMEM; 151 + swap_digits((u64 *)private_key, (u64 *)tmp, 4); 152 + p.key = tmp; 153 + p.key_size = 32; 154 + } 155 + 156 + buf_len = crypto_ecdh_key_len(&p); 157 + buf = kmalloc(buf_len, GFP_KERNEL); 158 + if (!buf) { 159 + err = -ENOMEM; 160 + goto free_tmp; 161 + } 162 + 163 + err = crypto_ecdh_encode_key(buf, buf_len, &p); 164 + if (err) 165 + goto free_all; 166 + 167 + err = crypto_kpp_set_secret(tfm, buf, buf_len); 168 + /* fall through */ 169 + free_all: 170 + kzfree(buf); 171 + free_tmp: 172 + kzfree(tmp); 173 + return err; 174 + } 175 + 176 + /* generate_ecdh_public_key() - function assumes that the private key was 177 + * already set. 178 + * 179 + * @tfm: KPP tfm handle allocated with crypto_alloc_kpp(). 180 + * @public_key: memory where the computed ecc public key will be saved. 181 + * 182 + * Return: zero on success; error code in case of error. 183 + */ 184 + int generate_ecdh_public_key(struct crypto_kpp *tfm, u8 public_key[64]) 185 + { 186 + struct kpp_request *req; 187 + u8 *tmp; 188 + struct ecdh_completion result; 189 + struct scatterlist dst; 190 + int err; 125 191 126 192 tmp = kmalloc(64, GFP_KERNEL); 127 193 if (!tmp) ··· 184 150 } 185 151 186 152 init_completion(&result.completion); 153 + sg_init_one(&dst, tmp, 64); 154 + kpp_request_set_input(req, NULL, 0); 155 + kpp_request_set_output(req, &dst, 64); 156 + kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 157 + ecdh_complete, &result); 187 158 188 - /* Set curve_id */ 189 - p.curve_id = ECC_CURVE_NIST_P256; 190 - p.key_size = 32; 191 - buf_len = crypto_ecdh_key_len(&p); 192 - buf = kmalloc(buf_len, GFP_KERNEL); 193 - if (!buf) 194 - goto free_req; 159 + err = crypto_kpp_generate_public_key(req); 160 + if (err == -EINPROGRESS) { 161 + wait_for_completion(&result.completion); 162 + err = result.err; 163 + } 164 + if (err < 0) 165 + goto free_all; 195 166 196 - do { 197 - if (tries++ >= max_tries) 198 - goto free_all; 199 - 200 - /* Set private Key */ 201 - p.key = (char *)private_key; 202 - crypto_ecdh_encode_key(buf, buf_len, &p); 203 - err = crypto_kpp_set_secret(tfm, buf, buf_len); 204 - if (err) 205 - goto free_all; 206 - 207 - sg_init_one(&dst, tmp, 64); 208 - kpp_request_set_input(req, NULL, 0); 209 - kpp_request_set_output(req, &dst, 64); 210 - kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, 211 - ecdh_complete, &result); 212 - 213 - err = crypto_kpp_generate_public_key(req); 214 - 215 - if (err == -EINPROGRESS) { 216 - wait_for_completion(&result.completion); 217 - err = result.err; 218 - } 219 - 220 - /* Private key is not valid. Regenerate */ 221 - if (err == -EINVAL) 222 - continue; 223 - 224 - if (err < 0) 225 - goto free_all; 226 - else 227 - break; 228 - 229 - } while (true); 230 - 231 - /* Keys are handed back in little endian as expected by Security 232 - * Manager Protocol 167 + /* The public key is handed back in little endian as expected by 168 + * the Security Manager Protocol. 233 169 */ 234 170 swap_digits((u64 *)tmp, (u64 *)public_key, 4); /* x */ 235 171 swap_digits((u64 *)&tmp[32], (u64 *)&public_key[32], 4); /* y */ 236 - swap_digits((u64 *)private_key, (u64 *)tmp, 4); 237 - memcpy(private_key, tmp, 32); 238 172 239 173 free_all: 240 - kzfree(buf); 241 - free_req: 242 174 kpp_request_free(req); 243 175 free_tmp: 244 176 kfree(tmp); 245 177 return err; 178 + } 179 + 180 + /* generate_ecdh_keys() - generate ecc key pair. 181 + * 182 + * @tfm: KPP tfm handle allocated with crypto_alloc_kpp(). 183 + * @public_key: memory where the computed ecc public key will be saved. 184 + * 185 + * Return: zero on success; error code in case of error. 186 + */ 187 + int generate_ecdh_keys(struct crypto_kpp *tfm, u8 public_key[64]) 188 + { 189 + int err; 190 + 191 + err = set_ecdh_privkey(tfm, NULL); 192 + if (err) 193 + return err; 194 + 195 + return generate_ecdh_public_key(tfm, public_key); 246 196 }
+5 -4
net/bluetooth/ecdh_helper.h
··· 23 23 #include <crypto/kpp.h> 24 24 #include <linux/types.h> 25 25 26 - int compute_ecdh_secret(struct crypto_kpp *tfm, const u8 pub_a[64], 27 - const u8 priv_b[32], u8 secret[32]); 28 - int generate_ecdh_keys(struct crypto_kpp *tfm, u8 public_key[64], 29 - u8 private_key[32]); 26 + int compute_ecdh_secret(struct crypto_kpp *tfm, const u8 pair_public_key[64], 27 + u8 secret[32]); 28 + int set_ecdh_privkey(struct crypto_kpp *tfm, const u8 *private_key); 29 + int generate_ecdh_public_key(struct crypto_kpp *tfm, u8 public_key[64]); 30 + int generate_ecdh_keys(struct crypto_kpp *tfm, u8 public_key[64]);
+11 -3
net/bluetooth/selftest.c
··· 152 152 dhkey_a = &tmp[0]; 153 153 dhkey_b = &tmp[32]; 154 154 155 - ret = compute_ecdh_secret(tfm, pub_b, priv_a, dhkey_a); 155 + ret = set_ecdh_privkey(tfm, priv_a); 156 156 if (ret) 157 157 goto out; 158 158 159 - ret = compute_ecdh_secret(tfm, pub_a, priv_b, dhkey_b); 159 + ret = compute_ecdh_secret(tfm, pub_b, dhkey_a); 160 160 if (ret) 161 161 goto out; 162 162 ··· 165 165 goto out; 166 166 } 167 167 168 + ret = set_ecdh_privkey(tfm, priv_b); 169 + if (ret) 170 + goto out; 171 + 172 + ret = compute_ecdh_secret(tfm, pub_a, dhkey_b); 173 + if (ret) 174 + goto out; 175 + 168 176 if (memcmp(dhkey_b, dhkey, 32)) 169 177 ret = -EINVAL; 170 - 178 + /* fall through*/ 171 179 out: 172 180 kfree(tmp); 173 181 return ret;
+29 -37
net/bluetooth/smp.c
··· 84 84 struct smp_dev { 85 85 /* Secure Connections OOB data */ 86 86 u8 local_pk[64]; 87 - u8 local_sk[32]; 88 87 u8 local_rand[16]; 89 88 bool debug_key; 90 89 ··· 125 126 126 127 /* Secure Connections variables */ 127 128 u8 local_pk[64]; 128 - u8 local_sk[32]; 129 129 u8 remote_pk[64]; 130 130 u8 dhkey[32]; 131 131 u8 mackey[16]; ··· 566 568 567 569 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 568 570 BT_DBG("Using debug keys"); 571 + err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk); 572 + if (err) 573 + return err; 569 574 memcpy(smp->local_pk, debug_pk, 64); 570 - memcpy(smp->local_sk, debug_sk, 32); 571 575 smp->debug_key = true; 572 576 } else { 573 577 while (true) { 574 - /* Seed private key with random number */ 575 - get_random_bytes(smp->local_sk, 32); 576 - 577 - /* Generate local key pair for Secure Connections */ 578 - err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk, 579 - smp->local_sk); 578 + /* Generate key pair for Secure Connections */ 579 + err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk); 580 580 if (err) 581 581 return err; 582 582 583 583 /* This is unlikely, but we need to check that 584 584 * we didn't accidentially generate a debug key. 585 585 */ 586 - if (crypto_memneq(smp->local_sk, debug_sk, 32)) 586 + if (crypto_memneq(smp->local_pk, debug_pk, 64)) 587 587 break; 588 588 } 589 589 smp->debug_key = false; ··· 589 593 590 594 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk); 591 595 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32); 592 - SMP_DBG("OOB Private Key: %32phN", smp->local_sk); 593 596 594 597 get_random_bytes(smp->local_rand, 16); 595 598 ··· 1895 1900 smp_dev = chan->data; 1896 1901 1897 1902 memcpy(smp->local_pk, smp_dev->local_pk, 64); 1898 - memcpy(smp->local_sk, smp_dev->local_sk, 32); 1899 1903 memcpy(smp->lr, smp_dev->local_rand, 16); 1900 1904 1901 1905 if (smp_dev->debug_key) ··· 1905 1911 1906 1912 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) { 1907 1913 BT_DBG("Using debug keys"); 1914 + if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk)) 1915 + return SMP_UNSPECIFIED; 1908 1916 memcpy(smp->local_pk, debug_pk, 64); 1909 - memcpy(smp->local_sk, debug_sk, 32); 1910 1917 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags); 1911 1918 } else { 1912 1919 while (true) { 1913 - /* Seed private key with random number */ 1914 - get_random_bytes(smp->local_sk, 32); 1915 - 1916 - /* Generate local key pair for Secure Connections */ 1917 - if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk, 1918 - smp->local_sk)) 1920 + /* Generate key pair for Secure Connections */ 1921 + if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk)) 1919 1922 return SMP_UNSPECIFIED; 1920 1923 1921 1924 /* This is unlikely, but we need to check that 1922 1925 * we didn't accidentially generate a debug key. 1923 1926 */ 1924 - if (crypto_memneq(smp->local_sk, debug_sk, 32)) 1927 + if (crypto_memneq(smp->local_pk, debug_pk, 64)) 1925 1928 break; 1926 1929 } 1927 1930 } ··· 1926 1935 done: 1927 1936 SMP_DBG("Local Public Key X: %32phN", smp->local_pk); 1928 1937 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32); 1929 - SMP_DBG("Local Private Key: %32phN", smp->local_sk); 1930 1938 1931 1939 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk); 1932 1940 ··· 2653 2663 struct l2cap_chan *chan = conn->smp; 2654 2664 struct smp_chan *smp = chan->data; 2655 2665 struct hci_dev *hdev = hcon->hdev; 2666 + struct crypto_kpp *tfm_ecdh; 2656 2667 struct smp_cmd_pairing_confirm cfm; 2657 2668 int err; 2658 2669 ··· 2686 2695 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); 2687 2696 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); 2688 2697 2689 - if (!compute_ecdh_secret(smp->tfm_ecdh, smp->remote_pk, smp->local_sk, 2690 - smp->dhkey)) 2698 + /* Compute the shared secret on the same crypto tfm on which the private 2699 + * key was set/generated. 2700 + */ 2701 + if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) { 2702 + struct smp_dev *smp_dev = chan->data; 2703 + 2704 + tfm_ecdh = smp_dev->tfm_ecdh; 2705 + } else { 2706 + tfm_ecdh = smp->tfm_ecdh; 2707 + } 2708 + 2709 + if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey)) 2691 2710 return SMP_UNSPECIFIED; 2692 2711 2693 2712 SMP_DBG("DHKey %32phN", smp->dhkey); ··· 3523 3522 3524 3523 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP) 3525 3524 3526 - static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits) 3527 - { 3528 - int i; 3529 - 3530 - for (i = 0; i < ndigits; i++) 3531 - out[i] = __swab64(in[ndigits - 1 - i]); 3532 - } 3533 - 3534 3525 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh) 3535 3526 { 3536 - u8 pk[64], sk[32]; 3527 + u8 pk[64]; 3537 3528 int err; 3538 3529 3539 - swap_digits((u64 *)debug_sk, (u64 *)sk, 4); 3540 - 3541 - err = generate_ecdh_keys(tfm_ecdh, pk, sk); 3530 + err = set_ecdh_privkey(tfm_ecdh, debug_sk); 3542 3531 if (err) 3543 3532 return err; 3544 3533 3545 - if (crypto_memneq(sk, debug_sk, 32)) 3546 - return -EINVAL; 3534 + err = generate_ecdh_public_key(tfm_ecdh, pk); 3535 + if (err) 3536 + return err; 3547 3537 3548 3538 if (crypto_memneq(pk, debug_pk, 64)) 3549 3539 return -EINVAL;