net/bluetooth/smp.c at v3.19-rc3

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / bluetooth / smp.c
at v3.19-rc3 3023 lines 74 kB view raw
wrap content
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
   4
   5   This program is free software; you can redistribute it and/or modify
   6   it under the terms of the GNU General Public License version 2 as
   7   published by the Free Software Foundation;
   8
   9   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  10   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  11   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  12   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  13   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  14   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17
  18   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  19   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  20   SOFTWARE IS DISCLAIMED.
  21*/
  22
  23#include <linux/crypto.h>
  24#include <linux/scatterlist.h>
  25#include <crypto/b128ops.h>
  26
  27#include <net/bluetooth/bluetooth.h>
  28#include <net/bluetooth/hci_core.h>
  29#include <net/bluetooth/l2cap.h>
  30#include <net/bluetooth/mgmt.h>
  31
  32#include "ecc.h"
  33#include "smp.h"
  34
  35/* Low-level debug macros to be used for stuff that we don't want
  36 * accidentially in dmesg, i.e. the values of the various crypto keys
  37 * and the inputs & outputs of crypto functions.
  38 */
  39#ifdef DEBUG
  40#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
  41				 ##__VA_ARGS__)
  42#else
  43#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
  44				    ##__VA_ARGS__)
  45#endif
  46
  47#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
  48
  49/* Keys which are not distributed with Secure Connections */
  50#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
  51
  52#define SMP_TIMEOUT	msecs_to_jiffies(30000)
  53
  54#define AUTH_REQ_MASK(dev)	(test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
  55				 0x1f : 0x07)
  56#define KEY_DIST_MASK		0x07
  57
  58/* Maximum message length that can be passed to aes_cmac */
  59#define CMAC_MSG_MAX	80
  60
  61enum {
  62	SMP_FLAG_TK_VALID,
  63	SMP_FLAG_CFM_PENDING,
  64	SMP_FLAG_MITM_AUTH,
  65	SMP_FLAG_COMPLETE,
  66	SMP_FLAG_INITIATOR,
  67	SMP_FLAG_SC,
  68	SMP_FLAG_REMOTE_PK,
  69	SMP_FLAG_DEBUG_KEY,
  70	SMP_FLAG_WAIT_USER,
  71	SMP_FLAG_DHKEY_PENDING,
  72	SMP_FLAG_OOB,
  73};
  74
  75struct smp_chan {
  76	struct l2cap_conn	*conn;
  77	struct delayed_work	security_timer;
  78	unsigned long           allow_cmd; /* Bitmask of allowed commands */
  79
  80	u8		preq[7]; /* SMP Pairing Request */
  81	u8		prsp[7]; /* SMP Pairing Response */
  82	u8		prnd[16]; /* SMP Pairing Random (local) */
  83	u8		rrnd[16]; /* SMP Pairing Random (remote) */
  84	u8		pcnf[16]; /* SMP Pairing Confirm */
  85	u8		tk[16]; /* SMP Temporary Key */
  86	u8		rr[16];
  87	u8		enc_key_size;
  88	u8		remote_key_dist;
  89	bdaddr_t	id_addr;
  90	u8		id_addr_type;
  91	u8		irk[16];
  92	struct smp_csrk	*csrk;
  93	struct smp_csrk	*slave_csrk;
  94	struct smp_ltk	*ltk;
  95	struct smp_ltk	*slave_ltk;
  96	struct smp_irk	*remote_irk;
  97	u8		*link_key;
  98	unsigned long	flags;
  99	u8		method;
 100	u8		passkey_round;
 101
 102	/* Secure Connections variables */
 103	u8			local_pk[64];
 104	u8			local_sk[32];
 105	u8			remote_pk[64];
 106	u8			dhkey[32];
 107	u8			mackey[16];
 108
 109	struct crypto_blkcipher	*tfm_aes;
 110	struct crypto_hash	*tfm_cmac;
 111};
 112
 113/* These debug key values are defined in the SMP section of the core
 114 * specification. debug_pk is the public debug key and debug_sk the
 115 * private debug key.
 116 */
 117static const u8 debug_pk[64] = {
 118		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
 119		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
 120		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
 121		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
 122
 123		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
 124		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
 125		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
 126		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
 127};
 128
 129static const u8 debug_sk[32] = {
 130		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
 131		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
 132		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
 133		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
 134};
 135
 136static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
 137{
 138	size_t i;
 139
 140	for (i = 0; i < len; i++)
 141		dst[len - 1 - i] = src[i];
 142}
 143
 144/* The following functions map to the LE SC SMP crypto functions
 145 * AES-CMAC, f4, f5, f6, g2 and h6.
 146 */
 147
 148static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
 149		    size_t len, u8 mac[16])
 150{
 151	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
 152	struct hash_desc desc;
 153	struct scatterlist sg;
 154	int err;
 155
 156	if (len > CMAC_MSG_MAX)
 157		return -EFBIG;
 158
 159	if (!tfm) {
 160		BT_ERR("tfm %p", tfm);
 161		return -EINVAL;
 162	}
 163
 164	desc.tfm = tfm;
 165	desc.flags = 0;
 166
 167	crypto_hash_init(&desc);
 168
 169	/* Swap key and message from LSB to MSB */
 170	swap_buf(k, tmp, 16);
 171	swap_buf(m, msg_msb, len);
 172
 173	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
 174	SMP_DBG("key %16phN", k);
 175
 176	err = crypto_hash_setkey(tfm, tmp, 16);
 177	if (err) {
 178		BT_ERR("cipher setkey failed: %d", err);
 179		return err;
 180	}
 181
 182	sg_init_one(&sg, msg_msb, len);
 183
 184	err = crypto_hash_update(&desc, &sg, len);
 185	if (err) {
 186		BT_ERR("Hash update error %d", err);
 187		return err;
 188	}
 189
 190	err = crypto_hash_final(&desc, mac_msb);
 191	if (err) {
 192		BT_ERR("Hash final error %d", err);
 193		return err;
 194	}
 195
 196	swap_buf(mac_msb, mac, 16);
 197
 198	SMP_DBG("mac %16phN", mac);
 199
 200	return 0;
 201}
 202
 203static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
 204		  const u8 x[16], u8 z, u8 res[16])
 205{
 206	u8 m[65];
 207	int err;
 208
 209	SMP_DBG("u %32phN", u);
 210	SMP_DBG("v %32phN", v);
 211	SMP_DBG("x %16phN z %02x", x, z);
 212
 213	m[0] = z;
 214	memcpy(m + 1, v, 32);
 215	memcpy(m + 33, u, 32);
 216
 217	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
 218	if (err)
 219		return err;
 220
 221	SMP_DBG("res %16phN", res);
 222
 223	return err;
 224}
 225
 226static int smp_f5(struct crypto_hash *tfm_cmac, u8 w[32], u8 n1[16], u8 n2[16],
 227		  u8 a1[7], u8 a2[7], u8 mackey[16], u8 ltk[16])
 228{
 229	/* The btle, salt and length "magic" values are as defined in
 230	 * the SMP section of the Bluetooth core specification. In ASCII
 231	 * the btle value ends up being 'btle'. The salt is just a
 232	 * random number whereas length is the value 256 in little
 233	 * endian format.
 234	 */
 235	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
 236	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
 237			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
 238	const u8 length[2] = { 0x00, 0x01 };
 239	u8 m[53], t[16];
 240	int err;
 241
 242	SMP_DBG("w %32phN", w);
 243	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 244	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
 245
 246	err = aes_cmac(tfm_cmac, salt, w, 32, t);
 247	if (err)
 248		return err;
 249
 250	SMP_DBG("t %16phN", t);
 251
 252	memcpy(m, length, 2);
 253	memcpy(m + 2, a2, 7);
 254	memcpy(m + 9, a1, 7);
 255	memcpy(m + 16, n2, 16);
 256	memcpy(m + 32, n1, 16);
 257	memcpy(m + 48, btle, 4);
 258
 259	m[52] = 0; /* Counter */
 260
 261	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
 262	if (err)
 263		return err;
 264
 265	SMP_DBG("mackey %16phN", mackey);
 266
 267	m[52] = 1; /* Counter */
 268
 269	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
 270	if (err)
 271		return err;
 272
 273	SMP_DBG("ltk %16phN", ltk);
 274
 275	return 0;
 276}
 277
 278static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
 279		  const u8 n1[16], u8 n2[16], const u8 r[16],
 280		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
 281		  u8 res[16])
 282{
 283	u8 m[65];
 284	int err;
 285
 286	SMP_DBG("w %16phN", w);
 287	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 288	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
 289
 290	memcpy(m, a2, 7);
 291	memcpy(m + 7, a1, 7);
 292	memcpy(m + 14, io_cap, 3);
 293	memcpy(m + 17, r, 16);
 294	memcpy(m + 33, n2, 16);
 295	memcpy(m + 49, n1, 16);
 296
 297	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
 298	if (err)
 299		return err;
 300
 301	BT_DBG("res %16phN", res);
 302
 303	return err;
 304}
 305
 306static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
 307		  const u8 x[16], const u8 y[16], u32 *val)
 308{
 309	u8 m[80], tmp[16];
 310	int err;
 311
 312	SMP_DBG("u %32phN", u);
 313	SMP_DBG("v %32phN", v);
 314	SMP_DBG("x %16phN y %16phN", x, y);
 315
 316	memcpy(m, y, 16);
 317	memcpy(m + 16, v, 32);
 318	memcpy(m + 48, u, 32);
 319
 320	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
 321	if (err)
 322		return err;
 323
 324	*val = get_unaligned_le32(tmp);
 325	*val %= 1000000;
 326
 327	SMP_DBG("val %06u", *val);
 328
 329	return 0;
 330}
 331
 332static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
 333		  const u8 key_id[4], u8 res[16])
 334{
 335	int err;
 336
 337	SMP_DBG("w %16phN key_id %4phN", w, key_id);
 338
 339	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
 340	if (err)
 341		return err;
 342
 343	SMP_DBG("res %16phN", res);
 344
 345	return err;
 346}
 347
 348/* The following functions map to the legacy SMP crypto functions e, c1,
 349 * s1 and ah.
 350 */
 351
 352static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
 353{
 354	struct blkcipher_desc desc;
 355	struct scatterlist sg;
 356	uint8_t tmp[16], data[16];
 357	int err;
 358
 359	if (!tfm) {
 360		BT_ERR("tfm %p", tfm);
 361		return -EINVAL;
 362	}
 363
 364	desc.tfm = tfm;
 365	desc.flags = 0;
 366
 367	/* The most significant octet of key corresponds to k[0] */
 368	swap_buf(k, tmp, 16);
 369
 370	err = crypto_blkcipher_setkey(tfm, tmp, 16);
 371	if (err) {
 372		BT_ERR("cipher setkey failed: %d", err);
 373		return err;
 374	}
 375
 376	/* Most significant octet of plaintextData corresponds to data[0] */
 377	swap_buf(r, data, 16);
 378
 379	sg_init_one(&sg, data, 16);
 380
 381	err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
 382	if (err)
 383		BT_ERR("Encrypt data error %d", err);
 384
 385	/* Most significant octet of encryptedData corresponds to data[0] */
 386	swap_buf(data, r, 16);
 387
 388	return err;
 389}
 390
 391static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
 392		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
 393		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
 394{
 395	u8 p1[16], p2[16];
 396	int err;
 397
 398	memset(p1, 0, 16);
 399
 400	/* p1 = pres || preq || _rat || _iat */
 401	p1[0] = _iat;
 402	p1[1] = _rat;
 403	memcpy(p1 + 2, preq, 7);
 404	memcpy(p1 + 9, pres, 7);
 405
 406	/* p2 = padding || ia || ra */
 407	memcpy(p2, ra, 6);
 408	memcpy(p2 + 6, ia, 6);
 409	memset(p2 + 12, 0, 4);
 410
 411	/* res = r XOR p1 */
 412	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
 413
 414	/* res = e(k, res) */
 415	err = smp_e(tfm_aes, k, res);
 416	if (err) {
 417		BT_ERR("Encrypt data error");
 418		return err;
 419	}
 420
 421	/* res = res XOR p2 */
 422	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
 423
 424	/* res = e(k, res) */
 425	err = smp_e(tfm_aes, k, res);
 426	if (err)
 427		BT_ERR("Encrypt data error");
 428
 429	return err;
 430}
 431
 432static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
 433		  const u8 r1[16], const u8 r2[16], u8 _r[16])
 434{
 435	int err;
 436
 437	/* Just least significant octets from r1 and r2 are considered */
 438	memcpy(_r, r2, 8);
 439	memcpy(_r + 8, r1, 8);
 440
 441	err = smp_e(tfm_aes, k, _r);
 442	if (err)
 443		BT_ERR("Encrypt data error");
 444
 445	return err;
 446}
 447
 448static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
 449		  const u8 r[3], u8 res[3])
 450{
 451	u8 _res[16];
 452	int err;
 453
 454	/* r' = padding || r */
 455	memcpy(_res, r, 3);
 456	memset(_res + 3, 0, 13);
 457
 458	err = smp_e(tfm, irk, _res);
 459	if (err) {
 460		BT_ERR("Encrypt error");
 461		return err;
 462	}
 463
 464	/* The output of the random address function ah is:
 465	 *	ah(h, r) = e(k, r') mod 2^24
 466	 * The output of the security function e is then truncated to 24 bits
 467	 * by taking the least significant 24 bits of the output of e as the
 468	 * result of ah.
 469	 */
 470	memcpy(res, _res, 3);
 471
 472	return 0;
 473}
 474
 475bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
 476		     const bdaddr_t *bdaddr)
 477{
 478	struct l2cap_chan *chan = hdev->smp_data;
 479	struct crypto_blkcipher *tfm;
 480	u8 hash[3];
 481	int err;
 482
 483	if (!chan || !chan->data)
 484		return false;
 485
 486	tfm = chan->data;
 487
 488	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
 489
 490	err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
 491	if (err)
 492		return false;
 493
 494	return !memcmp(bdaddr->b, hash, 3);
 495}
 496
 497int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
 498{
 499	struct l2cap_chan *chan = hdev->smp_data;
 500	struct crypto_blkcipher *tfm;
 501	int err;
 502
 503	if (!chan || !chan->data)
 504		return -EOPNOTSUPP;
 505
 506	tfm = chan->data;
 507
 508	get_random_bytes(&rpa->b[3], 3);
 509
 510	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
 511	rpa->b[5] |= 0x40;	/* Set second most significant bit */
 512
 513	err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
 514	if (err < 0)
 515		return err;
 516
 517	BT_DBG("RPA %pMR", rpa);
 518
 519	return 0;
 520}
 521
 522static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
 523{
 524	struct l2cap_chan *chan = conn->smp;
 525	struct smp_chan *smp;
 526	struct kvec iv[2];
 527	struct msghdr msg;
 528
 529	if (!chan)
 530		return;
 531
 532	BT_DBG("code 0x%2.2x", code);
 533
 534	iv[0].iov_base = &code;
 535	iv[0].iov_len = 1;
 536
 537	iv[1].iov_base = data;
 538	iv[1].iov_len = len;
 539
 540	memset(&msg, 0, sizeof(msg));
 541
 542	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
 543
 544	l2cap_chan_send(chan, &msg, 1 + len);
 545
 546	if (!chan->data)
 547		return;
 548
 549	smp = chan->data;
 550
 551	cancel_delayed_work_sync(&smp->security_timer);
 552	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
 553}
 554
 555static u8 authreq_to_seclevel(u8 authreq)
 556{
 557	if (authreq & SMP_AUTH_MITM) {
 558		if (authreq & SMP_AUTH_SC)
 559			return BT_SECURITY_FIPS;
 560		else
 561			return BT_SECURITY_HIGH;
 562	} else {
 563		return BT_SECURITY_MEDIUM;
 564	}
 565}
 566
 567static __u8 seclevel_to_authreq(__u8 sec_level)
 568{
 569	switch (sec_level) {
 570	case BT_SECURITY_FIPS:
 571	case BT_SECURITY_HIGH:
 572		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
 573	case BT_SECURITY_MEDIUM:
 574		return SMP_AUTH_BONDING;
 575	default:
 576		return SMP_AUTH_NONE;
 577	}
 578}
 579
 580static void build_pairing_cmd(struct l2cap_conn *conn,
 581			      struct smp_cmd_pairing *req,
 582			      struct smp_cmd_pairing *rsp, __u8 authreq)
 583{
 584	struct l2cap_chan *chan = conn->smp;
 585	struct smp_chan *smp = chan->data;
 586	struct hci_conn *hcon = conn->hcon;
 587	struct hci_dev *hdev = hcon->hdev;
 588	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
 589
 590	if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
 591		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 592		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 593		authreq |= SMP_AUTH_BONDING;
 594	} else {
 595		authreq &= ~SMP_AUTH_BONDING;
 596	}
 597
 598	if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
 599		remote_dist |= SMP_DIST_ID_KEY;
 600
 601	if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
 602		local_dist |= SMP_DIST_ID_KEY;
 603
 604	if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
 605	    (authreq & SMP_AUTH_SC)) {
 606		struct oob_data *oob_data;
 607		u8 bdaddr_type;
 608
 609		if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
 610			local_dist |= SMP_DIST_LINK_KEY;
 611			remote_dist |= SMP_DIST_LINK_KEY;
 612		}
 613
 614		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
 615			bdaddr_type = BDADDR_LE_PUBLIC;
 616		else
 617			bdaddr_type = BDADDR_LE_RANDOM;
 618
 619		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
 620						    bdaddr_type);
 621		if (oob_data) {
 622			set_bit(SMP_FLAG_OOB, &smp->flags);
 623			oob_flag = SMP_OOB_PRESENT;
 624			memcpy(smp->rr, oob_data->rand256, 16);
 625			memcpy(smp->pcnf, oob_data->hash256, 16);
 626		}
 627
 628	} else {
 629		authreq &= ~SMP_AUTH_SC;
 630	}
 631
 632	if (rsp == NULL) {
 633		req->io_capability = conn->hcon->io_capability;
 634		req->oob_flag = oob_flag;
 635		req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
 636		req->init_key_dist = local_dist;
 637		req->resp_key_dist = remote_dist;
 638		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 639
 640		smp->remote_key_dist = remote_dist;
 641		return;
 642	}
 643
 644	rsp->io_capability = conn->hcon->io_capability;
 645	rsp->oob_flag = oob_flag;
 646	rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
 647	rsp->init_key_dist = req->init_key_dist & remote_dist;
 648	rsp->resp_key_dist = req->resp_key_dist & local_dist;
 649	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 650
 651	smp->remote_key_dist = rsp->init_key_dist;
 652}
 653
 654static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
 655{
 656	struct l2cap_chan *chan = conn->smp;
 657	struct smp_chan *smp = chan->data;
 658
 659	if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
 660	    (max_key_size < SMP_MIN_ENC_KEY_SIZE))
 661		return SMP_ENC_KEY_SIZE;
 662
 663	smp->enc_key_size = max_key_size;
 664
 665	return 0;
 666}
 667
 668static void smp_chan_destroy(struct l2cap_conn *conn)
 669{
 670	struct l2cap_chan *chan = conn->smp;
 671	struct smp_chan *smp = chan->data;
 672	struct hci_conn *hcon = conn->hcon;
 673	bool complete;
 674
 675	BUG_ON(!smp);
 676
 677	cancel_delayed_work_sync(&smp->security_timer);
 678
 679	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
 680	mgmt_smp_complete(hcon, complete);
 681
 682	kfree(smp->csrk);
 683	kfree(smp->slave_csrk);
 684	kfree(smp->link_key);
 685
 686	crypto_free_blkcipher(smp->tfm_aes);
 687	crypto_free_hash(smp->tfm_cmac);
 688
 689	/* Ensure that we don't leave any debug key around if debug key
 690	 * support hasn't been explicitly enabled.
 691	 */
 692	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
 693	    !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
 694		list_del_rcu(&smp->ltk->list);
 695		kfree_rcu(smp->ltk, rcu);
 696		smp->ltk = NULL;
 697	}
 698
 699	/* If pairing failed clean up any keys we might have */
 700	if (!complete) {
 701		if (smp->ltk) {
 702			list_del_rcu(&smp->ltk->list);
 703			kfree_rcu(smp->ltk, rcu);
 704		}
 705
 706		if (smp->slave_ltk) {
 707			list_del_rcu(&smp->slave_ltk->list);
 708			kfree_rcu(smp->slave_ltk, rcu);
 709		}
 710
 711		if (smp->remote_irk) {
 712			list_del_rcu(&smp->remote_irk->list);
 713			kfree_rcu(smp->remote_irk, rcu);
 714		}
 715	}
 716
 717	chan->data = NULL;
 718	kfree(smp);
 719	hci_conn_drop(hcon);
 720}
 721
 722static void smp_failure(struct l2cap_conn *conn, u8 reason)
 723{
 724	struct hci_conn *hcon = conn->hcon;
 725	struct l2cap_chan *chan = conn->smp;
 726
 727	if (reason)
 728		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
 729			     &reason);
 730
 731	clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
 732	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
 733
 734	if (chan->data)
 735		smp_chan_destroy(conn);
 736}
 737
 738#define JUST_WORKS	0x00
 739#define JUST_CFM	0x01
 740#define REQ_PASSKEY	0x02
 741#define CFM_PASSKEY	0x03
 742#define REQ_OOB		0x04
 743#define DSP_PASSKEY	0x05
 744#define OVERLAP		0xFF
 745
 746static const u8 gen_method[5][5] = {
 747	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 748	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 749	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 750	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 751	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 752};
 753
 754static const u8 sc_method[5][5] = {
 755	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 756	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 757	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
 758	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 759	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 760};
 761
 762static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
 763{
 764	/* If either side has unknown io_caps, use JUST_CFM (which gets
 765	 * converted later to JUST_WORKS if we're initiators.
 766	 */
 767	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
 768	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
 769		return JUST_CFM;
 770
 771	if (test_bit(SMP_FLAG_SC, &smp->flags))
 772		return sc_method[remote_io][local_io];
 773
 774	return gen_method[remote_io][local_io];
 775}
 776
 777static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
 778						u8 local_io, u8 remote_io)
 779{
 780	struct hci_conn *hcon = conn->hcon;
 781	struct l2cap_chan *chan = conn->smp;
 782	struct smp_chan *smp = chan->data;
 783	u32 passkey = 0;
 784	int ret = 0;
 785
 786	/* Initialize key for JUST WORKS */
 787	memset(smp->tk, 0, sizeof(smp->tk));
 788	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
 789
 790	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
 791
 792	/* If neither side wants MITM, either "just" confirm an incoming
 793	 * request or use just-works for outgoing ones. The JUST_CFM
 794	 * will be converted to JUST_WORKS if necessary later in this
 795	 * function. If either side has MITM look up the method from the
 796	 * table.
 797	 */
 798	if (!(auth & SMP_AUTH_MITM))
 799		smp->method = JUST_CFM;
 800	else
 801		smp->method = get_auth_method(smp, local_io, remote_io);
 802
 803	/* Don't confirm locally initiated pairing attempts */
 804	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
 805						&smp->flags))
 806		smp->method = JUST_WORKS;
 807
 808	/* Don't bother user space with no IO capabilities */
 809	if (smp->method == JUST_CFM &&
 810	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
 811		smp->method = JUST_WORKS;
 812
 813	/* If Just Works, Continue with Zero TK */
 814	if (smp->method == JUST_WORKS) {
 815		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 816		return 0;
 817	}
 818
 819	/* Not Just Works/Confirm results in MITM Authentication */
 820	if (smp->method != JUST_CFM) {
 821		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
 822		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
 823			hcon->pending_sec_level = BT_SECURITY_HIGH;
 824	}
 825
 826	/* If both devices have Keyoard-Display I/O, the master
 827	 * Confirms and the slave Enters the passkey.
 828	 */
 829	if (smp->method == OVERLAP) {
 830		if (hcon->role == HCI_ROLE_MASTER)
 831			smp->method = CFM_PASSKEY;
 832		else
 833			smp->method = REQ_PASSKEY;
 834	}
 835
 836	/* Generate random passkey. */
 837	if (smp->method == CFM_PASSKEY) {
 838		memset(smp->tk, 0, sizeof(smp->tk));
 839		get_random_bytes(&passkey, sizeof(passkey));
 840		passkey %= 1000000;
 841		put_unaligned_le32(passkey, smp->tk);
 842		BT_DBG("PassKey: %d", passkey);
 843		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 844	}
 845
 846	if (smp->method == REQ_PASSKEY)
 847		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
 848						hcon->type, hcon->dst_type);
 849	else if (smp->method == JUST_CFM)
 850		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
 851						hcon->type, hcon->dst_type,
 852						passkey, 1);
 853	else
 854		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
 855						hcon->type, hcon->dst_type,
 856						passkey, 0);
 857
 858	return ret;
 859}
 860
 861static u8 smp_confirm(struct smp_chan *smp)
 862{
 863	struct l2cap_conn *conn = smp->conn;
 864	struct smp_cmd_pairing_confirm cp;
 865	int ret;
 866
 867	BT_DBG("conn %p", conn);
 868
 869	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
 870		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
 871		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
 872		     cp.confirm_val);
 873	if (ret)
 874		return SMP_UNSPECIFIED;
 875
 876	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
 877
 878	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
 879
 880	if (conn->hcon->out)
 881		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
 882	else
 883		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
 884
 885	return 0;
 886}
 887
 888static u8 smp_random(struct smp_chan *smp)
 889{
 890	struct l2cap_conn *conn = smp->conn;
 891	struct hci_conn *hcon = conn->hcon;
 892	u8 confirm[16];
 893	int ret;
 894
 895	if (IS_ERR_OR_NULL(smp->tfm_aes))
 896		return SMP_UNSPECIFIED;
 897
 898	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
 899
 900	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
 901		     hcon->init_addr_type, &hcon->init_addr,
 902		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
 903	if (ret)
 904		return SMP_UNSPECIFIED;
 905
 906	if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
 907		BT_ERR("Pairing failed (confirmation values mismatch)");
 908		return SMP_CONFIRM_FAILED;
 909	}
 910
 911	if (hcon->out) {
 912		u8 stk[16];
 913		__le64 rand = 0;
 914		__le16 ediv = 0;
 915
 916		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
 917
 918		memset(stk + smp->enc_key_size, 0,
 919		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
 920
 921		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
 922			return SMP_UNSPECIFIED;
 923
 924		hci_le_start_enc(hcon, ediv, rand, stk);
 925		hcon->enc_key_size = smp->enc_key_size;
 926		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
 927	} else {
 928		u8 stk[16], auth;
 929		__le64 rand = 0;
 930		__le16 ediv = 0;
 931
 932		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
 933			     smp->prnd);
 934
 935		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
 936
 937		memset(stk + smp->enc_key_size, 0,
 938		       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
 939
 940		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
 941			auth = 1;
 942		else
 943			auth = 0;
 944
 945		/* Even though there's no _SLAVE suffix this is the
 946		 * slave STK we're adding for later lookup (the master
 947		 * STK never needs to be stored).
 948		 */
 949		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
 950			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
 951	}
 952
 953	return 0;
 954}
 955
 956static void smp_notify_keys(struct l2cap_conn *conn)
 957{
 958	struct l2cap_chan *chan = conn->smp;
 959	struct smp_chan *smp = chan->data;
 960	struct hci_conn *hcon = conn->hcon;
 961	struct hci_dev *hdev = hcon->hdev;
 962	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
 963	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
 964	bool persistent;
 965
 966	if (smp->remote_irk) {
 967		mgmt_new_irk(hdev, smp->remote_irk);
 968		/* Now that user space can be considered to know the
 969		 * identity address track the connection based on it
 970		 * from now on (assuming this is an LE link).
 971		 */
 972		if (hcon->type == LE_LINK) {
 973			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
 974			hcon->dst_type = smp->remote_irk->addr_type;
 975			queue_work(hdev->workqueue, &conn->id_addr_update_work);
 976		}
 977
 978		/* When receiving an indentity resolving key for
 979		 * a remote device that does not use a resolvable
 980		 * private address, just remove the key so that
 981		 * it is possible to use the controller white
 982		 * list for scanning.
 983		 *
 984		 * Userspace will have been told to not store
 985		 * this key at this point. So it is safe to
 986		 * just remove it.
 987		 */
 988		if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
 989			list_del_rcu(&smp->remote_irk->list);
 990			kfree_rcu(smp->remote_irk, rcu);
 991			smp->remote_irk = NULL;
 992		}
 993	}
 994
 995	if (hcon->type == ACL_LINK) {
 996		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
 997			persistent = false;
 998		else
 999			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1000					       &hcon->flags);
1001	} else {
1002		/* The LTKs and CSRKs should be persistent only if both sides
1003		 * had the bonding bit set in their authentication requests.
1004		 */
1005		persistent = !!((req->auth_req & rsp->auth_req) &
1006				SMP_AUTH_BONDING);
1007	}
1008
1009
1010	if (smp->csrk) {
1011		smp->csrk->bdaddr_type = hcon->dst_type;
1012		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1013		mgmt_new_csrk(hdev, smp->csrk, persistent);
1014	}
1015
1016	if (smp->slave_csrk) {
1017		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1018		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1019		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1020	}
1021
1022	if (smp->ltk) {
1023		smp->ltk->bdaddr_type = hcon->dst_type;
1024		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1025		mgmt_new_ltk(hdev, smp->ltk, persistent);
1026	}
1027
1028	if (smp->slave_ltk) {
1029		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1030		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1031		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1032	}
1033
1034	if (smp->link_key) {
1035		struct link_key *key;
1036		u8 type;
1037
1038		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1039			type = HCI_LK_DEBUG_COMBINATION;
1040		else if (hcon->sec_level == BT_SECURITY_FIPS)
1041			type = HCI_LK_AUTH_COMBINATION_P256;
1042		else
1043			type = HCI_LK_UNAUTH_COMBINATION_P256;
1044
1045		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1046				       smp->link_key, type, 0, &persistent);
1047		if (key) {
1048			mgmt_new_link_key(hdev, key, persistent);
1049
1050			/* Don't keep debug keys around if the relevant
1051			 * flag is not set.
1052			 */
1053			if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1054			    key->type == HCI_LK_DEBUG_COMBINATION) {
1055				list_del_rcu(&key->list);
1056				kfree_rcu(key, rcu);
1057			}
1058		}
1059	}
1060}
1061
1062static void sc_add_ltk(struct smp_chan *smp)
1063{
1064	struct hci_conn *hcon = smp->conn->hcon;
1065	u8 key_type, auth;
1066
1067	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1068		key_type = SMP_LTK_P256_DEBUG;
1069	else
1070		key_type = SMP_LTK_P256;
1071
1072	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1073		auth = 1;
1074	else
1075		auth = 0;
1076
1077	memset(smp->tk + smp->enc_key_size, 0,
1078	       SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1079
1080	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1081			       key_type, auth, smp->tk, smp->enc_key_size,
1082			       0, 0);
1083}
1084
1085static void sc_generate_link_key(struct smp_chan *smp)
1086{
1087	/* These constants are as specified in the core specification.
1088	 * In ASCII they spell out to 'tmp1' and 'lebr'.
1089	 */
1090	const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1091	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1092
1093	smp->link_key = kzalloc(16, GFP_KERNEL);
1094	if (!smp->link_key)
1095		return;
1096
1097	if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1098		kfree(smp->link_key);
1099		smp->link_key = NULL;
1100		return;
1101	}
1102
1103	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1104		kfree(smp->link_key);
1105		smp->link_key = NULL;
1106		return;
1107	}
1108}
1109
1110static void smp_allow_key_dist(struct smp_chan *smp)
1111{
1112	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1113	 * will be allowed in each PDU handler to ensure we receive
1114	 * them in the correct order.
1115	 */
1116	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1117		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1118	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1119		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1120	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1121		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1122}
1123
1124static void sc_generate_ltk(struct smp_chan *smp)
1125{
1126	/* These constants are as specified in the core specification.
1127	 * In ASCII they spell out to 'tmp2' and 'brle'.
1128	 */
1129	const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1130	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1131	struct hci_conn *hcon = smp->conn->hcon;
1132	struct hci_dev *hdev = hcon->hdev;
1133	struct link_key *key;
1134
1135	key = hci_find_link_key(hdev, &hcon->dst);
1136	if (!key) {
1137		BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1138		return;
1139	}
1140
1141	if (key->type == HCI_LK_DEBUG_COMBINATION)
1142		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1143
1144	if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1145		return;
1146
1147	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1148		return;
1149
1150	sc_add_ltk(smp);
1151}
1152
1153static void smp_distribute_keys(struct smp_chan *smp)
1154{
1155	struct smp_cmd_pairing *req, *rsp;
1156	struct l2cap_conn *conn = smp->conn;
1157	struct hci_conn *hcon = conn->hcon;
1158	struct hci_dev *hdev = hcon->hdev;
1159	__u8 *keydist;
1160
1161	BT_DBG("conn %p", conn);
1162
1163	rsp = (void *) &smp->prsp[1];
1164
1165	/* The responder sends its keys first */
1166	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1167		smp_allow_key_dist(smp);
1168		return;
1169	}
1170
1171	req = (void *) &smp->preq[1];
1172
1173	if (hcon->out) {
1174		keydist = &rsp->init_key_dist;
1175		*keydist &= req->init_key_dist;
1176	} else {
1177		keydist = &rsp->resp_key_dist;
1178		*keydist &= req->resp_key_dist;
1179	}
1180
1181	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1182		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1183			sc_generate_link_key(smp);
1184		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1185			sc_generate_ltk(smp);
1186
1187		/* Clear the keys which are generated but not distributed */
1188		*keydist &= ~SMP_SC_NO_DIST;
1189	}
1190
1191	BT_DBG("keydist 0x%x", *keydist);
1192
1193	if (*keydist & SMP_DIST_ENC_KEY) {
1194		struct smp_cmd_encrypt_info enc;
1195		struct smp_cmd_master_ident ident;
1196		struct smp_ltk *ltk;
1197		u8 authenticated;
1198		__le16 ediv;
1199		__le64 rand;
1200
1201		get_random_bytes(enc.ltk, sizeof(enc.ltk));
1202		get_random_bytes(&ediv, sizeof(ediv));
1203		get_random_bytes(&rand, sizeof(rand));
1204
1205		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1206
1207		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1208		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1209				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1210				  smp->enc_key_size, ediv, rand);
1211		smp->slave_ltk = ltk;
1212
1213		ident.ediv = ediv;
1214		ident.rand = rand;
1215
1216		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1217
1218		*keydist &= ~SMP_DIST_ENC_KEY;
1219	}
1220
1221	if (*keydist & SMP_DIST_ID_KEY) {
1222		struct smp_cmd_ident_addr_info addrinfo;
1223		struct smp_cmd_ident_info idinfo;
1224
1225		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1226
1227		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1228
1229		/* The hci_conn contains the local identity address
1230		 * after the connection has been established.
1231		 *
1232		 * This is true even when the connection has been
1233		 * established using a resolvable random address.
1234		 */
1235		bacpy(&addrinfo.bdaddr, &hcon->src);
1236		addrinfo.addr_type = hcon->src_type;
1237
1238		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1239			     &addrinfo);
1240
1241		*keydist &= ~SMP_DIST_ID_KEY;
1242	}
1243
1244	if (*keydist & SMP_DIST_SIGN) {
1245		struct smp_cmd_sign_info sign;
1246		struct smp_csrk *csrk;
1247
1248		/* Generate a new random key */
1249		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1250
1251		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1252		if (csrk) {
1253			csrk->master = 0x00;
1254			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1255		}
1256		smp->slave_csrk = csrk;
1257
1258		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1259
1260		*keydist &= ~SMP_DIST_SIGN;
1261	}
1262
1263	/* If there are still keys to be received wait for them */
1264	if (smp->remote_key_dist & KEY_DIST_MASK) {
1265		smp_allow_key_dist(smp);
1266		return;
1267	}
1268
1269	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1270	smp_notify_keys(conn);
1271
1272	smp_chan_destroy(conn);
1273}
1274
1275static void smp_timeout(struct work_struct *work)
1276{
1277	struct smp_chan *smp = container_of(work, struct smp_chan,
1278					    security_timer.work);
1279	struct l2cap_conn *conn = smp->conn;
1280
1281	BT_DBG("conn %p", conn);
1282
1283	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1284}
1285
1286static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1287{
1288	struct l2cap_chan *chan = conn->smp;
1289	struct smp_chan *smp;
1290
1291	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1292	if (!smp)
1293		return NULL;
1294
1295	smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1296	if (IS_ERR(smp->tfm_aes)) {
1297		BT_ERR("Unable to create ECB crypto context");
1298		kfree(smp);
1299		return NULL;
1300	}
1301
1302	smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1303	if (IS_ERR(smp->tfm_cmac)) {
1304		BT_ERR("Unable to create CMAC crypto context");
1305		crypto_free_blkcipher(smp->tfm_aes);
1306		kfree(smp);
1307		return NULL;
1308	}
1309
1310	smp->conn = conn;
1311	chan->data = smp;
1312
1313	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1314
1315	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1316
1317	hci_conn_hold(conn->hcon);
1318
1319	return smp;
1320}
1321
1322static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1323{
1324	struct hci_conn *hcon = smp->conn->hcon;
1325	u8 *na, *nb, a[7], b[7];
1326
1327	if (hcon->out) {
1328		na   = smp->prnd;
1329		nb   = smp->rrnd;
1330	} else {
1331		na   = smp->rrnd;
1332		nb   = smp->prnd;
1333	}
1334
1335	memcpy(a, &hcon->init_addr, 6);
1336	memcpy(b, &hcon->resp_addr, 6);
1337	a[6] = hcon->init_addr_type;
1338	b[6] = hcon->resp_addr_type;
1339
1340	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1341}
1342
1343static void sc_dhkey_check(struct smp_chan *smp)
1344{
1345	struct hci_conn *hcon = smp->conn->hcon;
1346	struct smp_cmd_dhkey_check check;
1347	u8 a[7], b[7], *local_addr, *remote_addr;
1348	u8 io_cap[3], r[16];
1349
1350	memcpy(a, &hcon->init_addr, 6);
1351	memcpy(b, &hcon->resp_addr, 6);
1352	a[6] = hcon->init_addr_type;
1353	b[6] = hcon->resp_addr_type;
1354
1355	if (hcon->out) {
1356		local_addr = a;
1357		remote_addr = b;
1358		memcpy(io_cap, &smp->preq[1], 3);
1359	} else {
1360		local_addr = b;
1361		remote_addr = a;
1362		memcpy(io_cap, &smp->prsp[1], 3);
1363	}
1364
1365	memset(r, 0, sizeof(r));
1366
1367	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1368		put_unaligned_le32(hcon->passkey_notify, r);
1369
1370	if (smp->method == REQ_OOB)
1371		memcpy(r, smp->rr, 16);
1372
1373	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1374	       local_addr, remote_addr, check.e);
1375
1376	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1377}
1378
1379static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1380{
1381	struct l2cap_conn *conn = smp->conn;
1382	struct hci_conn *hcon = conn->hcon;
1383	struct smp_cmd_pairing_confirm cfm;
1384	u8 r;
1385
1386	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1387	r |= 0x80;
1388
1389	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1390
1391	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1392		   cfm.confirm_val))
1393		return SMP_UNSPECIFIED;
1394
1395	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1396
1397	return 0;
1398}
1399
1400static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1401{
1402	struct l2cap_conn *conn = smp->conn;
1403	struct hci_conn *hcon = conn->hcon;
1404	struct hci_dev *hdev = hcon->hdev;
1405	u8 cfm[16], r;
1406
1407	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1408	if (smp->passkey_round >= 20)
1409		return 0;
1410
1411	switch (smp_op) {
1412	case SMP_CMD_PAIRING_RANDOM:
1413		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1414		r |= 0x80;
1415
1416		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1417			   smp->rrnd, r, cfm))
1418			return SMP_UNSPECIFIED;
1419
1420		if (memcmp(smp->pcnf, cfm, 16))
1421			return SMP_CONFIRM_FAILED;
1422
1423		smp->passkey_round++;
1424
1425		if (smp->passkey_round == 20) {
1426			/* Generate MacKey and LTK */
1427			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1428				return SMP_UNSPECIFIED;
1429		}
1430
1431		/* The round is only complete when the initiator
1432		 * receives pairing random.
1433		 */
1434		if (!hcon->out) {
1435			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1436				     sizeof(smp->prnd), smp->prnd);
1437			if (smp->passkey_round == 20)
1438				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1439			else
1440				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1441			return 0;
1442		}
1443
1444		/* Start the next round */
1445		if (smp->passkey_round != 20)
1446			return sc_passkey_round(smp, 0);
1447
1448		/* Passkey rounds are complete - start DHKey Check */
1449		sc_dhkey_check(smp);
1450		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1451
1452		break;
1453
1454	case SMP_CMD_PAIRING_CONFIRM:
1455		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1456			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1457			return 0;
1458		}
1459
1460		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1461
1462		if (hcon->out) {
1463			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1464				     sizeof(smp->prnd), smp->prnd);
1465			return 0;
1466		}
1467
1468		return sc_passkey_send_confirm(smp);
1469
1470	case SMP_CMD_PUBLIC_KEY:
1471	default:
1472		/* Initiating device starts the round */
1473		if (!hcon->out)
1474			return 0;
1475
1476		BT_DBG("%s Starting passkey round %u", hdev->name,
1477		       smp->passkey_round + 1);
1478
1479		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1480
1481		return sc_passkey_send_confirm(smp);
1482	}
1483
1484	return 0;
1485}
1486
1487static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1488{
1489	struct l2cap_conn *conn = smp->conn;
1490	struct hci_conn *hcon = conn->hcon;
1491	u8 smp_op;
1492
1493	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1494
1495	switch (mgmt_op) {
1496	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1497		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1498		return 0;
1499	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1500		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1501		return 0;
1502	case MGMT_OP_USER_PASSKEY_REPLY:
1503		hcon->passkey_notify = le32_to_cpu(passkey);
1504		smp->passkey_round = 0;
1505
1506		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1507			smp_op = SMP_CMD_PAIRING_CONFIRM;
1508		else
1509			smp_op = 0;
1510
1511		if (sc_passkey_round(smp, smp_op))
1512			return -EIO;
1513
1514		return 0;
1515	}
1516
1517	/* Initiator sends DHKey check first */
1518	if (hcon->out) {
1519		sc_dhkey_check(smp);
1520		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1521	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1522		sc_dhkey_check(smp);
1523		sc_add_ltk(smp);
1524	}
1525
1526	return 0;
1527}
1528
1529int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1530{
1531	struct l2cap_conn *conn = hcon->l2cap_data;
1532	struct l2cap_chan *chan;
1533	struct smp_chan *smp;
1534	u32 value;
1535	int err;
1536
1537	BT_DBG("");
1538
1539	if (!conn)
1540		return -ENOTCONN;
1541
1542	chan = conn->smp;
1543	if (!chan)
1544		return -ENOTCONN;
1545
1546	l2cap_chan_lock(chan);
1547	if (!chan->data) {
1548		err = -ENOTCONN;
1549		goto unlock;
1550	}
1551
1552	smp = chan->data;
1553
1554	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1555		err = sc_user_reply(smp, mgmt_op, passkey);
1556		goto unlock;
1557	}
1558
1559	switch (mgmt_op) {
1560	case MGMT_OP_USER_PASSKEY_REPLY:
1561		value = le32_to_cpu(passkey);
1562		memset(smp->tk, 0, sizeof(smp->tk));
1563		BT_DBG("PassKey: %d", value);
1564		put_unaligned_le32(value, smp->tk);
1565		/* Fall Through */
1566	case MGMT_OP_USER_CONFIRM_REPLY:
1567		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1568		break;
1569	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1570	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1571		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1572		err = 0;
1573		goto unlock;
1574	default:
1575		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1576		err = -EOPNOTSUPP;
1577		goto unlock;
1578	}
1579
1580	err = 0;
1581
1582	/* If it is our turn to send Pairing Confirm, do so now */
1583	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1584		u8 rsp = smp_confirm(smp);
1585		if (rsp)
1586			smp_failure(conn, rsp);
1587	}
1588
1589unlock:
1590	l2cap_chan_unlock(chan);
1591	return err;
1592}
1593
1594static void build_bredr_pairing_cmd(struct smp_chan *smp,
1595				    struct smp_cmd_pairing *req,
1596				    struct smp_cmd_pairing *rsp)
1597{
1598	struct l2cap_conn *conn = smp->conn;
1599	struct hci_dev *hdev = conn->hcon->hdev;
1600	u8 local_dist = 0, remote_dist = 0;
1601
1602	if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1603		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1604		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1605	}
1606
1607	if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1608		remote_dist |= SMP_DIST_ID_KEY;
1609
1610	if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1611		local_dist |= SMP_DIST_ID_KEY;
1612
1613	if (!rsp) {
1614		memset(req, 0, sizeof(*req));
1615
1616		req->init_key_dist   = local_dist;
1617		req->resp_key_dist   = remote_dist;
1618		req->max_key_size    = SMP_MAX_ENC_KEY_SIZE;
1619
1620		smp->remote_key_dist = remote_dist;
1621
1622		return;
1623	}
1624
1625	memset(rsp, 0, sizeof(*rsp));
1626
1627	rsp->max_key_size    = SMP_MAX_ENC_KEY_SIZE;
1628	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1629	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1630
1631	smp->remote_key_dist = rsp->init_key_dist;
1632}
1633
1634static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1635{
1636	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1637	struct l2cap_chan *chan = conn->smp;
1638	struct hci_dev *hdev = conn->hcon->hdev;
1639	struct smp_chan *smp;
1640	u8 key_size, auth, sec_level;
1641	int ret;
1642
1643	BT_DBG("conn %p", conn);
1644
1645	if (skb->len < sizeof(*req))
1646		return SMP_INVALID_PARAMS;
1647
1648	if (conn->hcon->role != HCI_ROLE_SLAVE)
1649		return SMP_CMD_NOTSUPP;
1650
1651	if (!chan->data)
1652		smp = smp_chan_create(conn);
1653	else
1654		smp = chan->data;
1655
1656	if (!smp)
1657		return SMP_UNSPECIFIED;
1658
1659	/* We didn't start the pairing, so match remote */
1660	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1661
1662	if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
1663	    (auth & SMP_AUTH_BONDING))
1664		return SMP_PAIRING_NOTSUPP;
1665
1666	if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1667		return SMP_AUTH_REQUIREMENTS;
1668
1669	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1670	memcpy(&smp->preq[1], req, sizeof(*req));
1671	skb_pull(skb, sizeof(*req));
1672
1673	/* SMP over BR/EDR requires special treatment */
1674	if (conn->hcon->type == ACL_LINK) {
1675		/* We must have a BR/EDR SC link */
1676		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1677		    !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
1678			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1679
1680		set_bit(SMP_FLAG_SC, &smp->flags);
1681
1682		build_bredr_pairing_cmd(smp, req, &rsp);
1683
1684		key_size = min(req->max_key_size, rsp.max_key_size);
1685		if (check_enc_key_size(conn, key_size))
1686			return SMP_ENC_KEY_SIZE;
1687
1688		/* Clear bits which are generated but not distributed */
1689		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1690
1691		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1692		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1693		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1694
1695		smp_distribute_keys(smp);
1696		return 0;
1697	}
1698
1699	build_pairing_cmd(conn, req, &rsp, auth);
1700
1701	if (rsp.auth_req & SMP_AUTH_SC)
1702		set_bit(SMP_FLAG_SC, &smp->flags);
1703
1704	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1705		sec_level = BT_SECURITY_MEDIUM;
1706	else
1707		sec_level = authreq_to_seclevel(auth);
1708
1709	if (sec_level > conn->hcon->pending_sec_level)
1710		conn->hcon->pending_sec_level = sec_level;
1711
1712	/* If we need MITM check that it can be achieved */
1713	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1714		u8 method;
1715
1716		method = get_auth_method(smp, conn->hcon->io_capability,
1717					 req->io_capability);
1718		if (method == JUST_WORKS || method == JUST_CFM)
1719			return SMP_AUTH_REQUIREMENTS;
1720	}
1721
1722	key_size = min(req->max_key_size, rsp.max_key_size);
1723	if (check_enc_key_size(conn, key_size))
1724		return SMP_ENC_KEY_SIZE;
1725
1726	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1727
1728	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1729	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1730
1731	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1732
1733	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1734
1735	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1736		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1737		/* Clear bits which are generated but not distributed */
1738		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1739		/* Wait for Public Key from Initiating Device */
1740		return 0;
1741	} else {
1742		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1743	}
1744
1745	/* Request setup of TK */
1746	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1747	if (ret)
1748		return SMP_UNSPECIFIED;
1749
1750	return 0;
1751}
1752
1753static u8 sc_send_public_key(struct smp_chan *smp)
1754{
1755	struct hci_dev *hdev = smp->conn->hcon->hdev;
1756
1757	BT_DBG("");
1758
1759	if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1760		BT_DBG("Using debug keys");
1761		memcpy(smp->local_pk, debug_pk, 64);
1762		memcpy(smp->local_sk, debug_sk, 32);
1763		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1764	} else {
1765		while (true) {
1766			/* Generate local key pair for Secure Connections */
1767			if (!ecc_make_key(smp->local_pk, smp->local_sk))
1768				return SMP_UNSPECIFIED;
1769
1770			/* This is unlikely, but we need to check that
1771			 * we didn't accidentially generate a debug key.
1772			 */
1773			if (memcmp(smp->local_sk, debug_sk, 32))
1774				break;
1775		}
1776	}
1777
1778	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1779	SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1780	SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1781
1782	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1783
1784	return 0;
1785}
1786
1787static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1788{
1789	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1790	struct l2cap_chan *chan = conn->smp;
1791	struct smp_chan *smp = chan->data;
1792	struct hci_dev *hdev = conn->hcon->hdev;
1793	u8 key_size, auth;
1794	int ret;
1795
1796	BT_DBG("conn %p", conn);
1797
1798	if (skb->len < sizeof(*rsp))
1799		return SMP_INVALID_PARAMS;
1800
1801	if (conn->hcon->role != HCI_ROLE_MASTER)
1802		return SMP_CMD_NOTSUPP;
1803
1804	skb_pull(skb, sizeof(*rsp));
1805
1806	req = (void *) &smp->preq[1];
1807
1808	key_size = min(req->max_key_size, rsp->max_key_size);
1809	if (check_enc_key_size(conn, key_size))
1810		return SMP_ENC_KEY_SIZE;
1811
1812	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1813
1814	if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1815		return SMP_AUTH_REQUIREMENTS;
1816
1817	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1818	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1819
1820	/* Update remote key distribution in case the remote cleared
1821	 * some bits that we had enabled in our request.
1822	 */
1823	smp->remote_key_dist &= rsp->resp_key_dist;
1824
1825	/* For BR/EDR this means we're done and can start phase 3 */
1826	if (conn->hcon->type == ACL_LINK) {
1827		/* Clear bits which are generated but not distributed */
1828		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1829		smp_distribute_keys(smp);
1830		return 0;
1831	}
1832
1833	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1834		set_bit(SMP_FLAG_SC, &smp->flags);
1835	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1836		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1837
1838	/* If we need MITM check that it can be achieved */
1839	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1840		u8 method;
1841
1842		method = get_auth_method(smp, req->io_capability,
1843					 rsp->io_capability);
1844		if (method == JUST_WORKS || method == JUST_CFM)
1845			return SMP_AUTH_REQUIREMENTS;
1846	}
1847
1848	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1849
1850	/* Update remote key distribution in case the remote cleared
1851	 * some bits that we had enabled in our request.
1852	 */
1853	smp->remote_key_dist &= rsp->resp_key_dist;
1854
1855	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1856		/* Clear bits which are generated but not distributed */
1857		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1859		return sc_send_public_key(smp);
1860	}
1861
1862	auth |= req->auth_req;
1863
1864	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1865	if (ret)
1866		return SMP_UNSPECIFIED;
1867
1868	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1869
1870	/* Can't compose response until we have been confirmed */
1871	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1872		return smp_confirm(smp);
1873
1874	return 0;
1875}
1876
1877static u8 sc_check_confirm(struct smp_chan *smp)
1878{
1879	struct l2cap_conn *conn = smp->conn;
1880
1881	BT_DBG("");
1882
1883	/* Public Key exchange must happen before any other steps */
1884	if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1885		return SMP_UNSPECIFIED;
1886
1887	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1888		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1889
1890	if (conn->hcon->out) {
1891		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1892			     smp->prnd);
1893		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1894	}
1895
1896	return 0;
1897}
1898
1899static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
1900{
1901	struct l2cap_chan *chan = conn->smp;
1902	struct smp_chan *smp = chan->data;
1903
1904	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1905
1906	if (skb->len < sizeof(smp->pcnf))
1907		return SMP_INVALID_PARAMS;
1908
1909	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1910	skb_pull(skb, sizeof(smp->pcnf));
1911
1912	if (test_bit(SMP_FLAG_SC, &smp->flags))
1913		return sc_check_confirm(smp);
1914
1915	if (conn->hcon->out) {
1916		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1917			     smp->prnd);
1918		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1919		return 0;
1920	}
1921
1922	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1923		return smp_confirm(smp);
1924	else
1925		set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1926
1927	return 0;
1928}
1929
1930static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
1931{
1932	struct l2cap_chan *chan = conn->smp;
1933	struct smp_chan *smp = chan->data;
1934	struct hci_conn *hcon = conn->hcon;
1935	u8 *pkax, *pkbx, *na, *nb;
1936	u32 passkey;
1937	int err;
1938
1939	BT_DBG("conn %p", conn);
1940
1941	if (skb->len < sizeof(smp->rrnd))
1942		return SMP_INVALID_PARAMS;
1943
1944	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
1945	skb_pull(skb, sizeof(smp->rrnd));
1946
1947	if (!test_bit(SMP_FLAG_SC, &smp->flags))
1948		return smp_random(smp);
1949
1950	if (hcon->out) {
1951		pkax = smp->local_pk;
1952		pkbx = smp->remote_pk;
1953		na   = smp->prnd;
1954		nb   = smp->rrnd;
1955	} else {
1956		pkax = smp->remote_pk;
1957		pkbx = smp->local_pk;
1958		na   = smp->rrnd;
1959		nb   = smp->prnd;
1960	}
1961
1962	if (smp->method == REQ_OOB) {
1963		if (!hcon->out)
1964			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1965				     sizeof(smp->prnd), smp->prnd);
1966		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1967		goto mackey_and_ltk;
1968	}
1969
1970	/* Passkey entry has special treatment */
1971	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1972		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1973
1974	if (hcon->out) {
1975		u8 cfm[16];
1976
1977		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1978			     smp->rrnd, 0, cfm);
1979		if (err)
1980			return SMP_UNSPECIFIED;
1981
1982		if (memcmp(smp->pcnf, cfm, 16))
1983			return SMP_CONFIRM_FAILED;
1984	} else {
1985		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1986			     smp->prnd);
1987		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1988	}
1989
1990mackey_and_ltk:
1991	/* Generate MacKey and LTK */
1992	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1993	if (err)
1994		return SMP_UNSPECIFIED;
1995
1996	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
1997		if (hcon->out) {
1998			sc_dhkey_check(smp);
1999			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2000		}
2001		return 0;
2002	}
2003
2004	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2005	if (err)
2006		return SMP_UNSPECIFIED;
2007
2008	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2009					hcon->dst_type, passkey, 0);
2010	if (err)
2011		return SMP_UNSPECIFIED;
2012
2013	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2014
2015	return 0;
2016}
2017
2018static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2019{
2020	struct smp_ltk *key;
2021	struct hci_conn *hcon = conn->hcon;
2022
2023	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2024	if (!key)
2025		return false;
2026
2027	if (smp_ltk_sec_level(key) < sec_level)
2028		return false;
2029
2030	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2031		return true;
2032
2033	hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2034	hcon->enc_key_size = key->enc_size;
2035
2036	/* We never store STKs for master role, so clear this flag */
2037	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2038
2039	return true;
2040}
2041
2042bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2043			     enum smp_key_pref key_pref)
2044{
2045	if (sec_level == BT_SECURITY_LOW)
2046		return true;
2047
2048	/* If we're encrypted with an STK but the caller prefers using
2049	 * LTK claim insufficient security. This way we allow the
2050	 * connection to be re-encrypted with an LTK, even if the LTK
2051	 * provides the same level of security. Only exception is if we
2052	 * don't have an LTK (e.g. because of key distribution bits).
2053	 */
2054	if (key_pref == SMP_USE_LTK &&
2055	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2056	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2057		return false;
2058
2059	if (hcon->sec_level >= sec_level)
2060		return true;
2061
2062	return false;
2063}
2064
2065static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2066{
2067	struct smp_cmd_security_req *rp = (void *) skb->data;
2068	struct smp_cmd_pairing cp;
2069	struct hci_conn *hcon = conn->hcon;
2070	struct hci_dev *hdev = hcon->hdev;
2071	struct smp_chan *smp;
2072	u8 sec_level, auth;
2073
2074	BT_DBG("conn %p", conn);
2075
2076	if (skb->len < sizeof(*rp))
2077		return SMP_INVALID_PARAMS;
2078
2079	if (hcon->role != HCI_ROLE_MASTER)
2080		return SMP_CMD_NOTSUPP;
2081
2082	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2083
2084	if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2085		return SMP_AUTH_REQUIREMENTS;
2086
2087	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2088		sec_level = BT_SECURITY_MEDIUM;
2089	else
2090		sec_level = authreq_to_seclevel(auth);
2091
2092	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2093		return 0;
2094
2095	if (sec_level > hcon->pending_sec_level)
2096		hcon->pending_sec_level = sec_level;
2097
2098	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2099		return 0;
2100
2101	smp = smp_chan_create(conn);
2102	if (!smp)
2103		return SMP_UNSPECIFIED;
2104
2105	if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
2106	    (auth & SMP_AUTH_BONDING))
2107		return SMP_PAIRING_NOTSUPP;
2108
2109	skb_pull(skb, sizeof(*rp));
2110
2111	memset(&cp, 0, sizeof(cp));
2112	build_pairing_cmd(conn, &cp, NULL, auth);
2113
2114	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2115	memcpy(&smp->preq[1], &cp, sizeof(cp));
2116
2117	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2118	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2119
2120	return 0;
2121}
2122
2123int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2124{
2125	struct l2cap_conn *conn = hcon->l2cap_data;
2126	struct l2cap_chan *chan;
2127	struct smp_chan *smp;
2128	__u8 authreq;
2129	int ret;
2130
2131	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2132
2133	/* This may be NULL if there's an unexpected disconnection */
2134	if (!conn)
2135		return 1;
2136
2137	chan = conn->smp;
2138
2139	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2140		return 1;
2141
2142	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2143		return 1;
2144
2145	if (sec_level > hcon->pending_sec_level)
2146		hcon->pending_sec_level = sec_level;
2147
2148	if (hcon->role == HCI_ROLE_MASTER)
2149		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2150			return 0;
2151
2152	l2cap_chan_lock(chan);
2153
2154	/* If SMP is already in progress ignore this request */
2155	if (chan->data) {
2156		ret = 0;
2157		goto unlock;
2158	}
2159
2160	smp = smp_chan_create(conn);
2161	if (!smp) {
2162		ret = 1;
2163		goto unlock;
2164	}
2165
2166	authreq = seclevel_to_authreq(sec_level);
2167
2168	if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2169		authreq |= SMP_AUTH_SC;
2170
2171	/* Require MITM if IO Capability allows or the security level
2172	 * requires it.
2173	 */
2174	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2175	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2176		authreq |= SMP_AUTH_MITM;
2177
2178	if (hcon->role == HCI_ROLE_MASTER) {
2179		struct smp_cmd_pairing cp;
2180
2181		build_pairing_cmd(conn, &cp, NULL, authreq);
2182		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2183		memcpy(&smp->preq[1], &cp, sizeof(cp));
2184
2185		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2186		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2187	} else {
2188		struct smp_cmd_security_req cp;
2189		cp.auth_req = authreq;
2190		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2191		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2192	}
2193
2194	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2195	ret = 0;
2196
2197unlock:
2198	l2cap_chan_unlock(chan);
2199	return ret;
2200}
2201
2202static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2203{
2204	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2205	struct l2cap_chan *chan = conn->smp;
2206	struct smp_chan *smp = chan->data;
2207
2208	BT_DBG("conn %p", conn);
2209
2210	if (skb->len < sizeof(*rp))
2211		return SMP_INVALID_PARAMS;
2212
2213	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2214
2215	skb_pull(skb, sizeof(*rp));
2216
2217	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2218
2219	return 0;
2220}
2221
2222static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2223{
2224	struct smp_cmd_master_ident *rp = (void *) skb->data;
2225	struct l2cap_chan *chan = conn->smp;
2226	struct smp_chan *smp = chan->data;
2227	struct hci_dev *hdev = conn->hcon->hdev;
2228	struct hci_conn *hcon = conn->hcon;
2229	struct smp_ltk *ltk;
2230	u8 authenticated;
2231
2232	BT_DBG("conn %p", conn);
2233
2234	if (skb->len < sizeof(*rp))
2235		return SMP_INVALID_PARAMS;
2236
2237	/* Mark the information as received */
2238	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2239
2240	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2241		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2242	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2243		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2244
2245	skb_pull(skb, sizeof(*rp));
2246
2247	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2248	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2249			  authenticated, smp->tk, smp->enc_key_size,
2250			  rp->ediv, rp->rand);
2251	smp->ltk = ltk;
2252	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2253		smp_distribute_keys(smp);
2254
2255	return 0;
2256}
2257
2258static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2259{
2260	struct smp_cmd_ident_info *info = (void *) skb->data;
2261	struct l2cap_chan *chan = conn->smp;
2262	struct smp_chan *smp = chan->data;
2263
2264	BT_DBG("");
2265
2266	if (skb->len < sizeof(*info))
2267		return SMP_INVALID_PARAMS;
2268
2269	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2270
2271	skb_pull(skb, sizeof(*info));
2272
2273	memcpy(smp->irk, info->irk, 16);
2274
2275	return 0;
2276}
2277
2278static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2279				   struct sk_buff *skb)
2280{
2281	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2282	struct l2cap_chan *chan = conn->smp;
2283	struct smp_chan *smp = chan->data;
2284	struct hci_conn *hcon = conn->hcon;
2285	bdaddr_t rpa;
2286
2287	BT_DBG("");
2288
2289	if (skb->len < sizeof(*info))
2290		return SMP_INVALID_PARAMS;
2291
2292	/* Mark the information as received */
2293	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2294
2295	if (smp->remote_key_dist & SMP_DIST_SIGN)
2296		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2297
2298	skb_pull(skb, sizeof(*info));
2299
2300	/* Strictly speaking the Core Specification (4.1) allows sending
2301	 * an empty address which would force us to rely on just the IRK
2302	 * as "identity information". However, since such
2303	 * implementations are not known of and in order to not over
2304	 * complicate our implementation, simply pretend that we never
2305	 * received an IRK for such a device.
2306	 */
2307	if (!bacmp(&info->bdaddr, BDADDR_ANY)) {
2308		BT_ERR("Ignoring IRK with no identity address");
2309		goto distribute;
2310	}
2311
2312	bacpy(&smp->id_addr, &info->bdaddr);
2313	smp->id_addr_type = info->addr_type;
2314
2315	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2316		bacpy(&rpa, &hcon->dst);
2317	else
2318		bacpy(&rpa, BDADDR_ANY);
2319
2320	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2321				      smp->id_addr_type, smp->irk, &rpa);
2322
2323distribute:
2324	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2325		smp_distribute_keys(smp);
2326
2327	return 0;
2328}
2329
2330static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2331{
2332	struct smp_cmd_sign_info *rp = (void *) skb->data;
2333	struct l2cap_chan *chan = conn->smp;
2334	struct smp_chan *smp = chan->data;
2335	struct smp_csrk *csrk;
2336
2337	BT_DBG("conn %p", conn);
2338
2339	if (skb->len < sizeof(*rp))
2340		return SMP_INVALID_PARAMS;
2341
2342	/* Mark the information as received */
2343	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2344
2345	skb_pull(skb, sizeof(*rp));
2346
2347	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2348	if (csrk) {
2349		csrk->master = 0x01;
2350		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2351	}
2352	smp->csrk = csrk;
2353	smp_distribute_keys(smp);
2354
2355	return 0;
2356}
2357
2358static u8 sc_select_method(struct smp_chan *smp)
2359{
2360	struct l2cap_conn *conn = smp->conn;
2361	struct hci_conn *hcon = conn->hcon;
2362	struct smp_cmd_pairing *local, *remote;
2363	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2364
2365	if (test_bit(SMP_FLAG_OOB, &smp->flags))
2366		return REQ_OOB;
2367
2368	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2369	 * which are needed as inputs to some crypto functions. To get
2370	 * the "struct smp_cmd_pairing" from them we need to skip the
2371	 * first byte which contains the opcode.
2372	 */
2373	if (hcon->out) {
2374		local = (void *) &smp->preq[1];
2375		remote = (void *) &smp->prsp[1];
2376	} else {
2377		local = (void *) &smp->prsp[1];
2378		remote = (void *) &smp->preq[1];
2379	}
2380
2381	local_io = local->io_capability;
2382	remote_io = remote->io_capability;
2383
2384	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2385	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2386
2387	/* If either side wants MITM, look up the method from the table,
2388	 * otherwise use JUST WORKS.
2389	 */
2390	if (local_mitm || remote_mitm)
2391		method = get_auth_method(smp, local_io, remote_io);
2392	else
2393		method = JUST_WORKS;
2394
2395	/* Don't confirm locally initiated pairing attempts */
2396	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2397		method = JUST_WORKS;
2398
2399	return method;
2400}
2401
2402static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2403{
2404	struct smp_cmd_public_key *key = (void *) skb->data;
2405	struct hci_conn *hcon = conn->hcon;
2406	struct l2cap_chan *chan = conn->smp;
2407	struct smp_chan *smp = chan->data;
2408	struct hci_dev *hdev = hcon->hdev;
2409	struct smp_cmd_pairing_confirm cfm;
2410	int err;
2411
2412	BT_DBG("conn %p", conn);
2413
2414	if (skb->len < sizeof(*key))
2415		return SMP_INVALID_PARAMS;
2416
2417	memcpy(smp->remote_pk, key, 64);
2418
2419	/* Non-initiating device sends its public key after receiving
2420	 * the key from the initiating device.
2421	 */
2422	if (!hcon->out) {
2423		err = sc_send_public_key(smp);
2424		if (err)
2425			return err;
2426	}
2427
2428	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2429	SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
2430
2431	if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2432		return SMP_UNSPECIFIED;
2433
2434	SMP_DBG("DHKey %32phN", smp->dhkey);
2435
2436	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2437
2438	smp->method = sc_select_method(smp);
2439
2440	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2441
2442	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2443	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2444		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2445	else
2446		hcon->pending_sec_level = BT_SECURITY_FIPS;
2447
2448	if (!memcmp(debug_pk, smp->remote_pk, 64))
2449		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2450
2451	if (smp->method == DSP_PASSKEY) {
2452		get_random_bytes(&hcon->passkey_notify,
2453				 sizeof(hcon->passkey_notify));
2454		hcon->passkey_notify %= 1000000;
2455		hcon->passkey_entered = 0;
2456		smp->passkey_round = 0;
2457		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2458					     hcon->dst_type,
2459					     hcon->passkey_notify,
2460					     hcon->passkey_entered))
2461			return SMP_UNSPECIFIED;
2462		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2463		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2464	}
2465
2466	if (smp->method == REQ_OOB) {
2467		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2468			     smp->rr, 0, cfm.confirm_val);
2469		if (err)
2470			return SMP_UNSPECIFIED;
2471
2472		if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2473			return SMP_CONFIRM_FAILED;
2474
2475		if (hcon->out)
2476			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2477				     sizeof(smp->prnd), smp->prnd);
2478
2479		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2480
2481		return 0;
2482	}
2483
2484	if (hcon->out)
2485		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2486
2487	if (smp->method == REQ_PASSKEY) {
2488		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2489					      hcon->dst_type))
2490			return SMP_UNSPECIFIED;
2491		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2492		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2493		return 0;
2494	}
2495
2496	/* The Initiating device waits for the non-initiating device to
2497	 * send the confirm value.
2498	 */
2499	if (conn->hcon->out)
2500		return 0;
2501
2502	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2503		     0, cfm.confirm_val);
2504	if (err)
2505		return SMP_UNSPECIFIED;
2506
2507	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2508	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2509
2510	return 0;
2511}
2512
2513static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2514{
2515	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2516	struct l2cap_chan *chan = conn->smp;
2517	struct hci_conn *hcon = conn->hcon;
2518	struct smp_chan *smp = chan->data;
2519	u8 a[7], b[7], *local_addr, *remote_addr;
2520	u8 io_cap[3], r[16], e[16];
2521	int err;
2522
2523	BT_DBG("conn %p", conn);
2524
2525	if (skb->len < sizeof(*check))
2526		return SMP_INVALID_PARAMS;
2527
2528	memcpy(a, &hcon->init_addr, 6);
2529	memcpy(b, &hcon->resp_addr, 6);
2530	a[6] = hcon->init_addr_type;
2531	b[6] = hcon->resp_addr_type;
2532
2533	if (hcon->out) {
2534		local_addr = a;
2535		remote_addr = b;
2536		memcpy(io_cap, &smp->prsp[1], 3);
2537	} else {
2538		local_addr = b;
2539		remote_addr = a;
2540		memcpy(io_cap, &smp->preq[1], 3);
2541	}
2542
2543	memset(r, 0, sizeof(r));
2544
2545	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2546		put_unaligned_le32(hcon->passkey_notify, r);
2547
2548	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2549		     io_cap, remote_addr, local_addr, e);
2550	if (err)
2551		return SMP_UNSPECIFIED;
2552
2553	if (memcmp(check->e, e, 16))
2554		return SMP_DHKEY_CHECK_FAILED;
2555
2556	if (!hcon->out) {
2557		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2558			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2559			return 0;
2560		}
2561
2562		/* Slave sends DHKey check as response to master */
2563		sc_dhkey_check(smp);
2564	}
2565
2566	sc_add_ltk(smp);
2567
2568	if (hcon->out) {
2569		hci_le_start_enc(hcon, 0, 0, smp->tk);
2570		hcon->enc_key_size = smp->enc_key_size;
2571	}
2572
2573	return 0;
2574}
2575
2576static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2577				   struct sk_buff *skb)
2578{
2579	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2580
2581	BT_DBG("value 0x%02x", kp->value);
2582
2583	return 0;
2584}
2585
2586static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2587{
2588	struct l2cap_conn *conn = chan->conn;
2589	struct hci_conn *hcon = conn->hcon;
2590	struct smp_chan *smp;
2591	__u8 code, reason;
2592	int err = 0;
2593
2594	if (skb->len < 1)
2595		return -EILSEQ;
2596
2597	if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2598		reason = SMP_PAIRING_NOTSUPP;
2599		goto done;
2600	}
2601
2602	code = skb->data[0];
2603	skb_pull(skb, sizeof(code));
2604
2605	smp = chan->data;
2606
2607	if (code > SMP_CMD_MAX)
2608		goto drop;
2609
2610	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2611		goto drop;
2612
2613	/* If we don't have a context the only allowed commands are
2614	 * pairing request and security request.
2615	 */
2616	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2617		goto drop;
2618
2619	switch (code) {
2620	case SMP_CMD_PAIRING_REQ:
2621		reason = smp_cmd_pairing_req(conn, skb);
2622		break;
2623
2624	case SMP_CMD_PAIRING_FAIL:
2625		smp_failure(conn, 0);
2626		err = -EPERM;
2627		break;
2628
2629	case SMP_CMD_PAIRING_RSP:
2630		reason = smp_cmd_pairing_rsp(conn, skb);
2631		break;
2632
2633	case SMP_CMD_SECURITY_REQ:
2634		reason = smp_cmd_security_req(conn, skb);
2635		break;
2636
2637	case SMP_CMD_PAIRING_CONFIRM:
2638		reason = smp_cmd_pairing_confirm(conn, skb);
2639		break;
2640
2641	case SMP_CMD_PAIRING_RANDOM:
2642		reason = smp_cmd_pairing_random(conn, skb);
2643		break;
2644
2645	case SMP_CMD_ENCRYPT_INFO:
2646		reason = smp_cmd_encrypt_info(conn, skb);
2647		break;
2648
2649	case SMP_CMD_MASTER_IDENT:
2650		reason = smp_cmd_master_ident(conn, skb);
2651		break;
2652
2653	case SMP_CMD_IDENT_INFO:
2654		reason = smp_cmd_ident_info(conn, skb);
2655		break;
2656
2657	case SMP_CMD_IDENT_ADDR_INFO:
2658		reason = smp_cmd_ident_addr_info(conn, skb);
2659		break;
2660
2661	case SMP_CMD_SIGN_INFO:
2662		reason = smp_cmd_sign_info(conn, skb);
2663		break;
2664
2665	case SMP_CMD_PUBLIC_KEY:
2666		reason = smp_cmd_public_key(conn, skb);
2667		break;
2668
2669	case SMP_CMD_DHKEY_CHECK:
2670		reason = smp_cmd_dhkey_check(conn, skb);
2671		break;
2672
2673	case SMP_CMD_KEYPRESS_NOTIFY:
2674		reason = smp_cmd_keypress_notify(conn, skb);
2675		break;
2676
2677	default:
2678		BT_DBG("Unknown command code 0x%2.2x", code);
2679		reason = SMP_CMD_NOTSUPP;
2680		goto done;
2681	}
2682
2683done:
2684	if (!err) {
2685		if (reason)
2686			smp_failure(conn, reason);
2687		kfree_skb(skb);
2688	}
2689
2690	return err;
2691
2692drop:
2693	BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2694	       code, &hcon->dst);
2695	kfree_skb(skb);
2696	return 0;
2697}
2698
2699static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2700{
2701	struct l2cap_conn *conn = chan->conn;
2702
2703	BT_DBG("chan %p", chan);
2704
2705	if (chan->data)
2706		smp_chan_destroy(conn);
2707
2708	conn->smp = NULL;
2709	l2cap_chan_put(chan);
2710}
2711
2712static void bredr_pairing(struct l2cap_chan *chan)
2713{
2714	struct l2cap_conn *conn = chan->conn;
2715	struct hci_conn *hcon = conn->hcon;
2716	struct hci_dev *hdev = hcon->hdev;
2717	struct smp_cmd_pairing req;
2718	struct smp_chan *smp;
2719
2720	BT_DBG("chan %p", chan);
2721
2722	/* Only new pairings are interesting */
2723	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2724		return;
2725
2726	/* Don't bother if we're not encrypted */
2727	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2728		return;
2729
2730	/* Only master may initiate SMP over BR/EDR */
2731	if (hcon->role != HCI_ROLE_MASTER)
2732		return;
2733
2734	/* Secure Connections support must be enabled */
2735	if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2736		return;
2737
2738	/* BR/EDR must use Secure Connections for SMP */
2739	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2740	    !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2741		return;
2742
2743	/* If our LE support is not enabled don't do anything */
2744	if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2745		return;
2746
2747	/* Don't bother if remote LE support is not enabled */
2748	if (!lmp_host_le_capable(hcon))
2749		return;
2750
2751	/* Remote must support SMP fixed chan for BR/EDR */
2752	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2753		return;
2754
2755	/* Don't bother if SMP is already ongoing */
2756	if (chan->data)
2757		return;
2758
2759	smp = smp_chan_create(conn);
2760	if (!smp) {
2761		BT_ERR("%s unable to create SMP context for BR/EDR",
2762		       hdev->name);
2763		return;
2764	}
2765
2766	set_bit(SMP_FLAG_SC, &smp->flags);
2767
2768	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2769
2770	/* Prepare and send the BR/EDR SMP Pairing Request */
2771	build_bredr_pairing_cmd(smp, &req, NULL);
2772
2773	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2774	memcpy(&smp->preq[1], &req, sizeof(req));
2775
2776	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2777	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2778}
2779
2780static void smp_resume_cb(struct l2cap_chan *chan)
2781{
2782	struct smp_chan *smp = chan->data;
2783	struct l2cap_conn *conn = chan->conn;
2784	struct hci_conn *hcon = conn->hcon;
2785
2786	BT_DBG("chan %p", chan);
2787
2788	if (hcon->type == ACL_LINK) {
2789		bredr_pairing(chan);
2790		return;
2791	}
2792
2793	if (!smp)
2794		return;
2795
2796	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2797		return;
2798
2799	cancel_delayed_work(&smp->security_timer);
2800
2801	smp_distribute_keys(smp);
2802}
2803
2804static void smp_ready_cb(struct l2cap_chan *chan)
2805{
2806	struct l2cap_conn *conn = chan->conn;
2807	struct hci_conn *hcon = conn->hcon;
2808
2809	BT_DBG("chan %p", chan);
2810
2811	conn->smp = chan;
2812	l2cap_chan_hold(chan);
2813
2814	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2815		bredr_pairing(chan);
2816}
2817
2818static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2819{
2820	int err;
2821
2822	BT_DBG("chan %p", chan);
2823
2824	err = smp_sig_channel(chan, skb);
2825	if (err) {
2826		struct smp_chan *smp = chan->data;
2827
2828		if (smp)
2829			cancel_delayed_work_sync(&smp->security_timer);
2830
2831		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
2832	}
2833
2834	return err;
2835}
2836
2837static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2838					unsigned long hdr_len,
2839					unsigned long len, int nb)
2840{
2841	struct sk_buff *skb;
2842
2843	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2844	if (!skb)
2845		return ERR_PTR(-ENOMEM);
2846
2847	skb->priority = HCI_PRIO_MAX;
2848	bt_cb(skb)->chan = chan;
2849
2850	return skb;
2851}
2852
2853static const struct l2cap_ops smp_chan_ops = {
2854	.name			= "Security Manager",
2855	.ready			= smp_ready_cb,
2856	.recv			= smp_recv_cb,
2857	.alloc_skb		= smp_alloc_skb_cb,
2858	.teardown		= smp_teardown_cb,
2859	.resume			= smp_resume_cb,
2860
2861	.new_connection		= l2cap_chan_no_new_connection,
2862	.state_change		= l2cap_chan_no_state_change,
2863	.close			= l2cap_chan_no_close,
2864	.defer			= l2cap_chan_no_defer,
2865	.suspend		= l2cap_chan_no_suspend,
2866	.set_shutdown		= l2cap_chan_no_set_shutdown,
2867	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
2868};
2869
2870static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2871{
2872	struct l2cap_chan *chan;
2873
2874	BT_DBG("pchan %p", pchan);
2875
2876	chan = l2cap_chan_create();
2877	if (!chan)
2878		return NULL;
2879
2880	chan->chan_type	= pchan->chan_type;
2881	chan->ops	= &smp_chan_ops;
2882	chan->scid	= pchan->scid;
2883	chan->dcid	= chan->scid;
2884	chan->imtu	= pchan->imtu;
2885	chan->omtu	= pchan->omtu;
2886	chan->mode	= pchan->mode;
2887
2888	/* Other L2CAP channels may request SMP routines in order to
2889	 * change the security level. This means that the SMP channel
2890	 * lock must be considered in its own category to avoid lockdep
2891	 * warnings.
2892	 */
2893	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2894
2895	BT_DBG("created chan %p", chan);
2896
2897	return chan;
2898}
2899
2900static const struct l2cap_ops smp_root_chan_ops = {
2901	.name			= "Security Manager Root",
2902	.new_connection		= smp_new_conn_cb,
2903
2904	/* None of these are implemented for the root channel */
2905	.close			= l2cap_chan_no_close,
2906	.alloc_skb		= l2cap_chan_no_alloc_skb,
2907	.recv			= l2cap_chan_no_recv,
2908	.state_change		= l2cap_chan_no_state_change,
2909	.teardown		= l2cap_chan_no_teardown,
2910	.ready			= l2cap_chan_no_ready,
2911	.defer			= l2cap_chan_no_defer,
2912	.suspend		= l2cap_chan_no_suspend,
2913	.resume			= l2cap_chan_no_resume,
2914	.set_shutdown		= l2cap_chan_no_set_shutdown,
2915	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
2916};
2917
2918static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
2919{
2920	struct l2cap_chan *chan;
2921	struct crypto_blkcipher	*tfm_aes;
2922
2923	if (cid == L2CAP_CID_SMP_BREDR) {
2924		tfm_aes = NULL;
2925		goto create_chan;
2926	}
2927
2928	tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
2929	if (IS_ERR(tfm_aes)) {
2930		BT_ERR("Unable to create crypto context");
2931		return ERR_CAST(tfm_aes);
2932	}
2933
2934create_chan:
2935	chan = l2cap_chan_create();
2936	if (!chan) {
2937		crypto_free_blkcipher(tfm_aes);
2938		return ERR_PTR(-ENOMEM);
2939	}
2940
2941	chan->data = tfm_aes;
2942
2943	l2cap_add_scid(chan, cid);
2944
2945	l2cap_chan_set_defaults(chan);
2946
2947	bacpy(&chan->src, &hdev->bdaddr);
2948	if (cid == L2CAP_CID_SMP)
2949		chan->src_type = BDADDR_LE_PUBLIC;
2950	else
2951		chan->src_type = BDADDR_BREDR;
2952	chan->state = BT_LISTEN;
2953	chan->mode = L2CAP_MODE_BASIC;
2954	chan->imtu = L2CAP_DEFAULT_MTU;
2955	chan->ops = &smp_root_chan_ops;
2956
2957	/* Set correct nesting level for a parent/listening channel */
2958	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2959
2960	return chan;
2961}
2962
2963static void smp_del_chan(struct l2cap_chan *chan)
2964{
2965	struct crypto_blkcipher	*tfm_aes;
2966
2967	BT_DBG("chan %p", chan);
2968
2969	tfm_aes = chan->data;
2970	if (tfm_aes) {
2971		chan->data = NULL;
2972		crypto_free_blkcipher(tfm_aes);
2973	}
2974
2975	l2cap_chan_put(chan);
2976}
2977
2978int smp_register(struct hci_dev *hdev)
2979{
2980	struct l2cap_chan *chan;
2981
2982	BT_DBG("%s", hdev->name);
2983
2984	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
2985	if (IS_ERR(chan))
2986		return PTR_ERR(chan);
2987
2988	hdev->smp_data = chan;
2989
2990	if (!lmp_sc_capable(hdev) &&
2991	    !test_bit(HCI_FORCE_LESC, &hdev->dbg_flags))
2992		return 0;
2993
2994	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
2995	if (IS_ERR(chan)) {
2996		int err = PTR_ERR(chan);
2997		chan = hdev->smp_data;
2998		hdev->smp_data = NULL;
2999		smp_del_chan(chan);
3000		return err;
3001	}
3002
3003	hdev->smp_bredr_data = chan;
3004
3005	return 0;
3006}
3007
3008void smp_unregister(struct hci_dev *hdev)
3009{
3010	struct l2cap_chan *chan;
3011
3012	if (hdev->smp_bredr_data) {
3013		chan = hdev->smp_bredr_data;
3014		hdev->smp_bredr_data = NULL;
3015		smp_del_chan(chan);
3016	}
3017
3018	if (hdev->smp_data) {
3019		chan = hdev->smp_data;
3020		hdev->smp_data = NULL;
3021		smp_del_chan(chan);
3022	}
3023}
Configure Feed

Configure Feed
