net/bluetooth/smp.c at v4.16-rc3

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / net / bluetooth / smp.c
at v4.16-rc3 3911 lines 96 kB view raw
wrap content
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
   4
   5   This program is free software; you can redistribute it and/or modify
   6   it under the terms of the GNU General Public License version 2 as
   7   published by the Free Software Foundation;
   8
   9   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  10   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  11   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  12   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  13   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  14   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17
  18   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  19   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  20   SOFTWARE IS DISCLAIMED.
  21*/
  22
  23#include <linux/debugfs.h>
  24#include <linux/scatterlist.h>
  25#include <linux/crypto.h>
  26#include <crypto/algapi.h>
  27#include <crypto/b128ops.h>
  28#include <crypto/hash.h>
  29#include <crypto/kpp.h>
  30
  31#include <net/bluetooth/bluetooth.h>
  32#include <net/bluetooth/hci_core.h>
  33#include <net/bluetooth/l2cap.h>
  34#include <net/bluetooth/mgmt.h>
  35
  36#include "ecdh_helper.h"
  37#include "smp.h"
  38
  39#define SMP_DEV(hdev) \
  40	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
  41
  42/* Low-level debug macros to be used for stuff that we don't want
  43 * accidentially in dmesg, i.e. the values of the various crypto keys
  44 * and the inputs & outputs of crypto functions.
  45 */
  46#ifdef DEBUG
  47#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
  48				 ##__VA_ARGS__)
  49#else
  50#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
  51				    ##__VA_ARGS__)
  52#endif
  53
  54#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
  55
  56/* Keys which are not distributed with Secure Connections */
  57#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
  58
  59#define SMP_TIMEOUT	msecs_to_jiffies(30000)
  60
  61#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
  62				 0x3f : 0x07)
  63#define KEY_DIST_MASK		0x07
  64
  65/* Maximum message length that can be passed to aes_cmac */
  66#define CMAC_MSG_MAX	80
  67
  68enum {
  69	SMP_FLAG_TK_VALID,
  70	SMP_FLAG_CFM_PENDING,
  71	SMP_FLAG_MITM_AUTH,
  72	SMP_FLAG_COMPLETE,
  73	SMP_FLAG_INITIATOR,
  74	SMP_FLAG_SC,
  75	SMP_FLAG_REMOTE_PK,
  76	SMP_FLAG_DEBUG_KEY,
  77	SMP_FLAG_WAIT_USER,
  78	SMP_FLAG_DHKEY_PENDING,
  79	SMP_FLAG_REMOTE_OOB,
  80	SMP_FLAG_LOCAL_OOB,
  81	SMP_FLAG_CT2,
  82};
  83
  84struct smp_dev {
  85	/* Secure Connections OOB data */
  86	u8			local_pk[64];
  87	u8			local_rand[16];
  88	bool			debug_key;
  89
  90	u8			min_key_size;
  91	u8			max_key_size;
  92
  93	struct crypto_cipher	*tfm_aes;
  94	struct crypto_shash	*tfm_cmac;
  95	struct crypto_kpp	*tfm_ecdh;
  96};
  97
  98struct smp_chan {
  99	struct l2cap_conn	*conn;
 100	struct delayed_work	security_timer;
 101	unsigned long           allow_cmd; /* Bitmask of allowed commands */
 102
 103	u8		preq[7]; /* SMP Pairing Request */
 104	u8		prsp[7]; /* SMP Pairing Response */
 105	u8		prnd[16]; /* SMP Pairing Random (local) */
 106	u8		rrnd[16]; /* SMP Pairing Random (remote) */
 107	u8		pcnf[16]; /* SMP Pairing Confirm */
 108	u8		tk[16]; /* SMP Temporary Key */
 109	u8		rr[16]; /* Remote OOB ra/rb value */
 110	u8		lr[16]; /* Local OOB ra/rb value */
 111	u8		enc_key_size;
 112	u8		remote_key_dist;
 113	bdaddr_t	id_addr;
 114	u8		id_addr_type;
 115	u8		irk[16];
 116	struct smp_csrk	*csrk;
 117	struct smp_csrk	*slave_csrk;
 118	struct smp_ltk	*ltk;
 119	struct smp_ltk	*slave_ltk;
 120	struct smp_irk	*remote_irk;
 121	u8		*link_key;
 122	unsigned long	flags;
 123	u8		method;
 124	u8		passkey_round;
 125
 126	/* Secure Connections variables */
 127	u8			local_pk[64];
 128	u8			remote_pk[64];
 129	u8			dhkey[32];
 130	u8			mackey[16];
 131
 132	struct crypto_cipher	*tfm_aes;
 133	struct crypto_shash	*tfm_cmac;
 134	struct crypto_kpp	*tfm_ecdh;
 135};
 136
 137/* These debug key values are defined in the SMP section of the core
 138 * specification. debug_pk is the public debug key and debug_sk the
 139 * private debug key.
 140 */
 141static const u8 debug_pk[64] = {
 142		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
 143		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
 144		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
 145		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
 146
 147		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
 148		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
 149		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
 150		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
 151};
 152
 153static const u8 debug_sk[32] = {
 154		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
 155		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
 156		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
 157		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
 158};
 159
 160static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
 161{
 162	size_t i;
 163
 164	for (i = 0; i < len; i++)
 165		dst[len - 1 - i] = src[i];
 166}
 167
 168/* The following functions map to the LE SC SMP crypto functions
 169 * AES-CMAC, f4, f5, f6, g2 and h6.
 170 */
 171
 172static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
 173		    size_t len, u8 mac[16])
 174{
 175	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
 176	SHASH_DESC_ON_STACK(desc, tfm);
 177	int err;
 178
 179	if (len > CMAC_MSG_MAX)
 180		return -EFBIG;
 181
 182	if (!tfm) {
 183		BT_ERR("tfm %p", tfm);
 184		return -EINVAL;
 185	}
 186
 187	desc->tfm = tfm;
 188	desc->flags = 0;
 189
 190	/* Swap key and message from LSB to MSB */
 191	swap_buf(k, tmp, 16);
 192	swap_buf(m, msg_msb, len);
 193
 194	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
 195	SMP_DBG("key %16phN", k);
 196
 197	err = crypto_shash_setkey(tfm, tmp, 16);
 198	if (err) {
 199		BT_ERR("cipher setkey failed: %d", err);
 200		return err;
 201	}
 202
 203	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
 204	shash_desc_zero(desc);
 205	if (err) {
 206		BT_ERR("Hash computation error %d", err);
 207		return err;
 208	}
 209
 210	swap_buf(mac_msb, mac, 16);
 211
 212	SMP_DBG("mac %16phN", mac);
 213
 214	return 0;
 215}
 216
 217static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
 218		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
 219{
 220	u8 m[65];
 221	int err;
 222
 223	SMP_DBG("u %32phN", u);
 224	SMP_DBG("v %32phN", v);
 225	SMP_DBG("x %16phN z %02x", x, z);
 226
 227	m[0] = z;
 228	memcpy(m + 1, v, 32);
 229	memcpy(m + 33, u, 32);
 230
 231	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
 232	if (err)
 233		return err;
 234
 235	SMP_DBG("res %16phN", res);
 236
 237	return err;
 238}
 239
 240static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
 241		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
 242		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
 243{
 244	/* The btle, salt and length "magic" values are as defined in
 245	 * the SMP section of the Bluetooth core specification. In ASCII
 246	 * the btle value ends up being 'btle'. The salt is just a
 247	 * random number whereas length is the value 256 in little
 248	 * endian format.
 249	 */
 250	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
 251	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
 252			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
 253	const u8 length[2] = { 0x00, 0x01 };
 254	u8 m[53], t[16];
 255	int err;
 256
 257	SMP_DBG("w %32phN", w);
 258	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 259	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
 260
 261	err = aes_cmac(tfm_cmac, salt, w, 32, t);
 262	if (err)
 263		return err;
 264
 265	SMP_DBG("t %16phN", t);
 266
 267	memcpy(m, length, 2);
 268	memcpy(m + 2, a2, 7);
 269	memcpy(m + 9, a1, 7);
 270	memcpy(m + 16, n2, 16);
 271	memcpy(m + 32, n1, 16);
 272	memcpy(m + 48, btle, 4);
 273
 274	m[52] = 0; /* Counter */
 275
 276	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
 277	if (err)
 278		return err;
 279
 280	SMP_DBG("mackey %16phN", mackey);
 281
 282	m[52] = 1; /* Counter */
 283
 284	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
 285	if (err)
 286		return err;
 287
 288	SMP_DBG("ltk %16phN", ltk);
 289
 290	return 0;
 291}
 292
 293static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
 294		  const u8 n1[16], const u8 n2[16], const u8 r[16],
 295		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
 296		  u8 res[16])
 297{
 298	u8 m[65];
 299	int err;
 300
 301	SMP_DBG("w %16phN", w);
 302	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 303	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
 304
 305	memcpy(m, a2, 7);
 306	memcpy(m + 7, a1, 7);
 307	memcpy(m + 14, io_cap, 3);
 308	memcpy(m + 17, r, 16);
 309	memcpy(m + 33, n2, 16);
 310	memcpy(m + 49, n1, 16);
 311
 312	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
 313	if (err)
 314		return err;
 315
 316	SMP_DBG("res %16phN", res);
 317
 318	return err;
 319}
 320
 321static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
 322		  const u8 x[16], const u8 y[16], u32 *val)
 323{
 324	u8 m[80], tmp[16];
 325	int err;
 326
 327	SMP_DBG("u %32phN", u);
 328	SMP_DBG("v %32phN", v);
 329	SMP_DBG("x %16phN y %16phN", x, y);
 330
 331	memcpy(m, y, 16);
 332	memcpy(m + 16, v, 32);
 333	memcpy(m + 48, u, 32);
 334
 335	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
 336	if (err)
 337		return err;
 338
 339	*val = get_unaligned_le32(tmp);
 340	*val %= 1000000;
 341
 342	SMP_DBG("val %06u", *val);
 343
 344	return 0;
 345}
 346
 347static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
 348		  const u8 key_id[4], u8 res[16])
 349{
 350	int err;
 351
 352	SMP_DBG("w %16phN key_id %4phN", w, key_id);
 353
 354	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
 355	if (err)
 356		return err;
 357
 358	SMP_DBG("res %16phN", res);
 359
 360	return err;
 361}
 362
 363static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
 364		  const u8 salt[16], u8 res[16])
 365{
 366	int err;
 367
 368	SMP_DBG("w %16phN salt %16phN", w, salt);
 369
 370	err = aes_cmac(tfm_cmac, salt, w, 16, res);
 371	if (err)
 372		return err;
 373
 374	SMP_DBG("res %16phN", res);
 375
 376	return err;
 377}
 378
 379/* The following functions map to the legacy SMP crypto functions e, c1,
 380 * s1 and ah.
 381 */
 382
 383static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
 384{
 385	uint8_t tmp[16], data[16];
 386	int err;
 387
 388	SMP_DBG("k %16phN r %16phN", k, r);
 389
 390	if (!tfm) {
 391		BT_ERR("tfm %p", tfm);
 392		return -EINVAL;
 393	}
 394
 395	/* The most significant octet of key corresponds to k[0] */
 396	swap_buf(k, tmp, 16);
 397
 398	err = crypto_cipher_setkey(tfm, tmp, 16);
 399	if (err) {
 400		BT_ERR("cipher setkey failed: %d", err);
 401		return err;
 402	}
 403
 404	/* Most significant octet of plaintextData corresponds to data[0] */
 405	swap_buf(r, data, 16);
 406
 407	crypto_cipher_encrypt_one(tfm, data, data);
 408
 409	/* Most significant octet of encryptedData corresponds to data[0] */
 410	swap_buf(data, r, 16);
 411
 412	SMP_DBG("r %16phN", r);
 413
 414	return err;
 415}
 416
 417static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
 418		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
 419		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
 420{
 421	u8 p1[16], p2[16];
 422	int err;
 423
 424	SMP_DBG("k %16phN r %16phN", k, r);
 425	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
 426	SMP_DBG("preq %7phN pres %7phN", preq, pres);
 427
 428	memset(p1, 0, 16);
 429
 430	/* p1 = pres || preq || _rat || _iat */
 431	p1[0] = _iat;
 432	p1[1] = _rat;
 433	memcpy(p1 + 2, preq, 7);
 434	memcpy(p1 + 9, pres, 7);
 435
 436	SMP_DBG("p1 %16phN", p1);
 437
 438	/* res = r XOR p1 */
 439	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
 440
 441	/* res = e(k, res) */
 442	err = smp_e(tfm_aes, k, res);
 443	if (err) {
 444		BT_ERR("Encrypt data error");
 445		return err;
 446	}
 447
 448	/* p2 = padding || ia || ra */
 449	memcpy(p2, ra, 6);
 450	memcpy(p2 + 6, ia, 6);
 451	memset(p2 + 12, 0, 4);
 452
 453	SMP_DBG("p2 %16phN", p2);
 454
 455	/* res = res XOR p2 */
 456	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
 457
 458	/* res = e(k, res) */
 459	err = smp_e(tfm_aes, k, res);
 460	if (err)
 461		BT_ERR("Encrypt data error");
 462
 463	return err;
 464}
 465
 466static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
 467		  const u8 r1[16], const u8 r2[16], u8 _r[16])
 468{
 469	int err;
 470
 471	/* Just least significant octets from r1 and r2 are considered */
 472	memcpy(_r, r2, 8);
 473	memcpy(_r + 8, r1, 8);
 474
 475	err = smp_e(tfm_aes, k, _r);
 476	if (err)
 477		BT_ERR("Encrypt data error");
 478
 479	return err;
 480}
 481
 482static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
 483		  const u8 r[3], u8 res[3])
 484{
 485	u8 _res[16];
 486	int err;
 487
 488	/* r' = padding || r */
 489	memcpy(_res, r, 3);
 490	memset(_res + 3, 0, 13);
 491
 492	err = smp_e(tfm, irk, _res);
 493	if (err) {
 494		BT_ERR("Encrypt error");
 495		return err;
 496	}
 497
 498	/* The output of the random address function ah is:
 499	 *	ah(k, r) = e(k, r') mod 2^24
 500	 * The output of the security function e is then truncated to 24 bits
 501	 * by taking the least significant 24 bits of the output of e as the
 502	 * result of ah.
 503	 */
 504	memcpy(res, _res, 3);
 505
 506	return 0;
 507}
 508
 509bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
 510		     const bdaddr_t *bdaddr)
 511{
 512	struct l2cap_chan *chan = hdev->smp_data;
 513	struct smp_dev *smp;
 514	u8 hash[3];
 515	int err;
 516
 517	if (!chan || !chan->data)
 518		return false;
 519
 520	smp = chan->data;
 521
 522	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
 523
 524	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
 525	if (err)
 526		return false;
 527
 528	return !crypto_memneq(bdaddr->b, hash, 3);
 529}
 530
 531int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
 532{
 533	struct l2cap_chan *chan = hdev->smp_data;
 534	struct smp_dev *smp;
 535	int err;
 536
 537	if (!chan || !chan->data)
 538		return -EOPNOTSUPP;
 539
 540	smp = chan->data;
 541
 542	get_random_bytes(&rpa->b[3], 3);
 543
 544	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
 545	rpa->b[5] |= 0x40;	/* Set second most significant bit */
 546
 547	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
 548	if (err < 0)
 549		return err;
 550
 551	BT_DBG("RPA %pMR", rpa);
 552
 553	return 0;
 554}
 555
 556int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
 557{
 558	struct l2cap_chan *chan = hdev->smp_data;
 559	struct smp_dev *smp;
 560	int err;
 561
 562	if (!chan || !chan->data)
 563		return -EOPNOTSUPP;
 564
 565	smp = chan->data;
 566
 567	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
 568		BT_DBG("Using debug keys");
 569		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
 570		if (err)
 571			return err;
 572		memcpy(smp->local_pk, debug_pk, 64);
 573		smp->debug_key = true;
 574	} else {
 575		while (true) {
 576			/* Generate key pair for Secure Connections */
 577			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
 578			if (err)
 579				return err;
 580
 581			/* This is unlikely, but we need to check that
 582			 * we didn't accidentially generate a debug key.
 583			 */
 584			if (crypto_memneq(smp->local_pk, debug_pk, 64))
 585				break;
 586		}
 587		smp->debug_key = false;
 588	}
 589
 590	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
 591	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
 592
 593	get_random_bytes(smp->local_rand, 16);
 594
 595	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
 596		     smp->local_rand, 0, hash);
 597	if (err < 0)
 598		return err;
 599
 600	memcpy(rand, smp->local_rand, 16);
 601
 602	return 0;
 603}
 604
 605static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
 606{
 607	struct l2cap_chan *chan = conn->smp;
 608	struct smp_chan *smp;
 609	struct kvec iv[2];
 610	struct msghdr msg;
 611
 612	if (!chan)
 613		return;
 614
 615	BT_DBG("code 0x%2.2x", code);
 616
 617	iv[0].iov_base = &code;
 618	iv[0].iov_len = 1;
 619
 620	iv[1].iov_base = data;
 621	iv[1].iov_len = len;
 622
 623	memset(&msg, 0, sizeof(msg));
 624
 625	iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
 626
 627	l2cap_chan_send(chan, &msg, 1 + len);
 628
 629	if (!chan->data)
 630		return;
 631
 632	smp = chan->data;
 633
 634	cancel_delayed_work_sync(&smp->security_timer);
 635	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
 636}
 637
 638static u8 authreq_to_seclevel(u8 authreq)
 639{
 640	if (authreq & SMP_AUTH_MITM) {
 641		if (authreq & SMP_AUTH_SC)
 642			return BT_SECURITY_FIPS;
 643		else
 644			return BT_SECURITY_HIGH;
 645	} else {
 646		return BT_SECURITY_MEDIUM;
 647	}
 648}
 649
 650static __u8 seclevel_to_authreq(__u8 sec_level)
 651{
 652	switch (sec_level) {
 653	case BT_SECURITY_FIPS:
 654	case BT_SECURITY_HIGH:
 655		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
 656	case BT_SECURITY_MEDIUM:
 657		return SMP_AUTH_BONDING;
 658	default:
 659		return SMP_AUTH_NONE;
 660	}
 661}
 662
 663static void build_pairing_cmd(struct l2cap_conn *conn,
 664			      struct smp_cmd_pairing *req,
 665			      struct smp_cmd_pairing *rsp, __u8 authreq)
 666{
 667	struct l2cap_chan *chan = conn->smp;
 668	struct smp_chan *smp = chan->data;
 669	struct hci_conn *hcon = conn->hcon;
 670	struct hci_dev *hdev = hcon->hdev;
 671	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
 672
 673	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
 674		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 675		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 676		authreq |= SMP_AUTH_BONDING;
 677	} else {
 678		authreq &= ~SMP_AUTH_BONDING;
 679	}
 680
 681	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
 682		remote_dist |= SMP_DIST_ID_KEY;
 683
 684	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
 685		local_dist |= SMP_DIST_ID_KEY;
 686
 687	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
 688	    (authreq & SMP_AUTH_SC)) {
 689		struct oob_data *oob_data;
 690		u8 bdaddr_type;
 691
 692		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
 693			local_dist |= SMP_DIST_LINK_KEY;
 694			remote_dist |= SMP_DIST_LINK_KEY;
 695		}
 696
 697		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
 698			bdaddr_type = BDADDR_LE_PUBLIC;
 699		else
 700			bdaddr_type = BDADDR_LE_RANDOM;
 701
 702		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
 703						    bdaddr_type);
 704		if (oob_data && oob_data->present) {
 705			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
 706			oob_flag = SMP_OOB_PRESENT;
 707			memcpy(smp->rr, oob_data->rand256, 16);
 708			memcpy(smp->pcnf, oob_data->hash256, 16);
 709			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
 710			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
 711		}
 712
 713	} else {
 714		authreq &= ~SMP_AUTH_SC;
 715	}
 716
 717	if (rsp == NULL) {
 718		req->io_capability = conn->hcon->io_capability;
 719		req->oob_flag = oob_flag;
 720		req->max_key_size = SMP_DEV(hdev)->max_key_size;
 721		req->init_key_dist = local_dist;
 722		req->resp_key_dist = remote_dist;
 723		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 724
 725		smp->remote_key_dist = remote_dist;
 726		return;
 727	}
 728
 729	rsp->io_capability = conn->hcon->io_capability;
 730	rsp->oob_flag = oob_flag;
 731	rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
 732	rsp->init_key_dist = req->init_key_dist & remote_dist;
 733	rsp->resp_key_dist = req->resp_key_dist & local_dist;
 734	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 735
 736	smp->remote_key_dist = rsp->init_key_dist;
 737}
 738
 739static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
 740{
 741	struct l2cap_chan *chan = conn->smp;
 742	struct hci_dev *hdev = conn->hcon->hdev;
 743	struct smp_chan *smp = chan->data;
 744
 745	if (max_key_size > SMP_DEV(hdev)->max_key_size ||
 746	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
 747		return SMP_ENC_KEY_SIZE;
 748
 749	smp->enc_key_size = max_key_size;
 750
 751	return 0;
 752}
 753
 754static void smp_chan_destroy(struct l2cap_conn *conn)
 755{
 756	struct l2cap_chan *chan = conn->smp;
 757	struct smp_chan *smp = chan->data;
 758	struct hci_conn *hcon = conn->hcon;
 759	bool complete;
 760
 761	BUG_ON(!smp);
 762
 763	cancel_delayed_work_sync(&smp->security_timer);
 764
 765	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
 766	mgmt_smp_complete(hcon, complete);
 767
 768	kzfree(smp->csrk);
 769	kzfree(smp->slave_csrk);
 770	kzfree(smp->link_key);
 771
 772	crypto_free_cipher(smp->tfm_aes);
 773	crypto_free_shash(smp->tfm_cmac);
 774	crypto_free_kpp(smp->tfm_ecdh);
 775
 776	/* Ensure that we don't leave any debug key around if debug key
 777	 * support hasn't been explicitly enabled.
 778	 */
 779	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
 780	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
 781		list_del_rcu(&smp->ltk->list);
 782		kfree_rcu(smp->ltk, rcu);
 783		smp->ltk = NULL;
 784	}
 785
 786	/* If pairing failed clean up any keys we might have */
 787	if (!complete) {
 788		if (smp->ltk) {
 789			list_del_rcu(&smp->ltk->list);
 790			kfree_rcu(smp->ltk, rcu);
 791		}
 792
 793		if (smp->slave_ltk) {
 794			list_del_rcu(&smp->slave_ltk->list);
 795			kfree_rcu(smp->slave_ltk, rcu);
 796		}
 797
 798		if (smp->remote_irk) {
 799			list_del_rcu(&smp->remote_irk->list);
 800			kfree_rcu(smp->remote_irk, rcu);
 801		}
 802	}
 803
 804	chan->data = NULL;
 805	kzfree(smp);
 806	hci_conn_drop(hcon);
 807}
 808
 809static void smp_failure(struct l2cap_conn *conn, u8 reason)
 810{
 811	struct hci_conn *hcon = conn->hcon;
 812	struct l2cap_chan *chan = conn->smp;
 813
 814	if (reason)
 815		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
 816			     &reason);
 817
 818	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
 819
 820	if (chan->data)
 821		smp_chan_destroy(conn);
 822}
 823
 824#define JUST_WORKS	0x00
 825#define JUST_CFM	0x01
 826#define REQ_PASSKEY	0x02
 827#define CFM_PASSKEY	0x03
 828#define REQ_OOB		0x04
 829#define DSP_PASSKEY	0x05
 830#define OVERLAP		0xFF
 831
 832static const u8 gen_method[5][5] = {
 833	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 834	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 835	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 836	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 837	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 838};
 839
 840static const u8 sc_method[5][5] = {
 841	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 842	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 843	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
 844	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 845	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 846};
 847
 848static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
 849{
 850	/* If either side has unknown io_caps, use JUST_CFM (which gets
 851	 * converted later to JUST_WORKS if we're initiators.
 852	 */
 853	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
 854	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
 855		return JUST_CFM;
 856
 857	if (test_bit(SMP_FLAG_SC, &smp->flags))
 858		return sc_method[remote_io][local_io];
 859
 860	return gen_method[remote_io][local_io];
 861}
 862
 863static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
 864						u8 local_io, u8 remote_io)
 865{
 866	struct hci_conn *hcon = conn->hcon;
 867	struct l2cap_chan *chan = conn->smp;
 868	struct smp_chan *smp = chan->data;
 869	u32 passkey = 0;
 870	int ret = 0;
 871
 872	/* Initialize key for JUST WORKS */
 873	memset(smp->tk, 0, sizeof(smp->tk));
 874	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
 875
 876	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
 877
 878	/* If neither side wants MITM, either "just" confirm an incoming
 879	 * request or use just-works for outgoing ones. The JUST_CFM
 880	 * will be converted to JUST_WORKS if necessary later in this
 881	 * function. If either side has MITM look up the method from the
 882	 * table.
 883	 */
 884	if (!(auth & SMP_AUTH_MITM))
 885		smp->method = JUST_CFM;
 886	else
 887		smp->method = get_auth_method(smp, local_io, remote_io);
 888
 889	/* Don't confirm locally initiated pairing attempts */
 890	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
 891						&smp->flags))
 892		smp->method = JUST_WORKS;
 893
 894	/* Don't bother user space with no IO capabilities */
 895	if (smp->method == JUST_CFM &&
 896	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
 897		smp->method = JUST_WORKS;
 898
 899	/* If Just Works, Continue with Zero TK */
 900	if (smp->method == JUST_WORKS) {
 901		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 902		return 0;
 903	}
 904
 905	/* If this function is used for SC -> legacy fallback we
 906	 * can only recover the just-works case.
 907	 */
 908	if (test_bit(SMP_FLAG_SC, &smp->flags))
 909		return -EINVAL;
 910
 911	/* Not Just Works/Confirm results in MITM Authentication */
 912	if (smp->method != JUST_CFM) {
 913		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
 914		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
 915			hcon->pending_sec_level = BT_SECURITY_HIGH;
 916	}
 917
 918	/* If both devices have Keyoard-Display I/O, the master
 919	 * Confirms and the slave Enters the passkey.
 920	 */
 921	if (smp->method == OVERLAP) {
 922		if (hcon->role == HCI_ROLE_MASTER)
 923			smp->method = CFM_PASSKEY;
 924		else
 925			smp->method = REQ_PASSKEY;
 926	}
 927
 928	/* Generate random passkey. */
 929	if (smp->method == CFM_PASSKEY) {
 930		memset(smp->tk, 0, sizeof(smp->tk));
 931		get_random_bytes(&passkey, sizeof(passkey));
 932		passkey %= 1000000;
 933		put_unaligned_le32(passkey, smp->tk);
 934		BT_DBG("PassKey: %d", passkey);
 935		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 936	}
 937
 938	if (smp->method == REQ_PASSKEY)
 939		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
 940						hcon->type, hcon->dst_type);
 941	else if (smp->method == JUST_CFM)
 942		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
 943						hcon->type, hcon->dst_type,
 944						passkey, 1);
 945	else
 946		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
 947						hcon->type, hcon->dst_type,
 948						passkey, 0);
 949
 950	return ret;
 951}
 952
 953static u8 smp_confirm(struct smp_chan *smp)
 954{
 955	struct l2cap_conn *conn = smp->conn;
 956	struct smp_cmd_pairing_confirm cp;
 957	int ret;
 958
 959	BT_DBG("conn %p", conn);
 960
 961	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
 962		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
 963		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
 964		     cp.confirm_val);
 965	if (ret)
 966		return SMP_UNSPECIFIED;
 967
 968	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
 969
 970	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
 971
 972	if (conn->hcon->out)
 973		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
 974	else
 975		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
 976
 977	return 0;
 978}
 979
 980static u8 smp_random(struct smp_chan *smp)
 981{
 982	struct l2cap_conn *conn = smp->conn;
 983	struct hci_conn *hcon = conn->hcon;
 984	u8 confirm[16];
 985	int ret;
 986
 987	if (IS_ERR_OR_NULL(smp->tfm_aes))
 988		return SMP_UNSPECIFIED;
 989
 990	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
 991
 992	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
 993		     hcon->init_addr_type, &hcon->init_addr,
 994		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
 995	if (ret)
 996		return SMP_UNSPECIFIED;
 997
 998	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
 999		bt_dev_err(hcon->hdev, "pairing failed "
1000			   "(confirmation values mismatch)");
1001		return SMP_CONFIRM_FAILED;
1002	}
1003
1004	if (hcon->out) {
1005		u8 stk[16];
1006		__le64 rand = 0;
1007		__le16 ediv = 0;
1008
1009		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1010
1011		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1012			return SMP_UNSPECIFIED;
1013
1014		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1015		hcon->enc_key_size = smp->enc_key_size;
1016		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1017	} else {
1018		u8 stk[16], auth;
1019		__le64 rand = 0;
1020		__le16 ediv = 0;
1021
1022		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1023			     smp->prnd);
1024
1025		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1026
1027		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1028			auth = 1;
1029		else
1030			auth = 0;
1031
1032		/* Even though there's no _SLAVE suffix this is the
1033		 * slave STK we're adding for later lookup (the master
1034		 * STK never needs to be stored).
1035		 */
1036		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1037			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1038	}
1039
1040	return 0;
1041}
1042
1043static void smp_notify_keys(struct l2cap_conn *conn)
1044{
1045	struct l2cap_chan *chan = conn->smp;
1046	struct smp_chan *smp = chan->data;
1047	struct hci_conn *hcon = conn->hcon;
1048	struct hci_dev *hdev = hcon->hdev;
1049	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1050	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1051	bool persistent;
1052
1053	if (hcon->type == ACL_LINK) {
1054		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1055			persistent = false;
1056		else
1057			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1058					       &hcon->flags);
1059	} else {
1060		/* The LTKs, IRKs and CSRKs should be persistent only if
1061		 * both sides had the bonding bit set in their
1062		 * authentication requests.
1063		 */
1064		persistent = !!((req->auth_req & rsp->auth_req) &
1065				SMP_AUTH_BONDING);
1066	}
1067
1068	if (smp->remote_irk) {
1069		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1070
1071		/* Now that user space can be considered to know the
1072		 * identity address track the connection based on it
1073		 * from now on (assuming this is an LE link).
1074		 */
1075		if (hcon->type == LE_LINK) {
1076			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1077			hcon->dst_type = smp->remote_irk->addr_type;
1078			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1079		}
1080	}
1081
1082	if (smp->csrk) {
1083		smp->csrk->bdaddr_type = hcon->dst_type;
1084		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1085		mgmt_new_csrk(hdev, smp->csrk, persistent);
1086	}
1087
1088	if (smp->slave_csrk) {
1089		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1090		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1091		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1092	}
1093
1094	if (smp->ltk) {
1095		smp->ltk->bdaddr_type = hcon->dst_type;
1096		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1097		mgmt_new_ltk(hdev, smp->ltk, persistent);
1098	}
1099
1100	if (smp->slave_ltk) {
1101		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1102		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1103		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1104	}
1105
1106	if (smp->link_key) {
1107		struct link_key *key;
1108		u8 type;
1109
1110		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1111			type = HCI_LK_DEBUG_COMBINATION;
1112		else if (hcon->sec_level == BT_SECURITY_FIPS)
1113			type = HCI_LK_AUTH_COMBINATION_P256;
1114		else
1115			type = HCI_LK_UNAUTH_COMBINATION_P256;
1116
1117		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1118				       smp->link_key, type, 0, &persistent);
1119		if (key) {
1120			mgmt_new_link_key(hdev, key, persistent);
1121
1122			/* Don't keep debug keys around if the relevant
1123			 * flag is not set.
1124			 */
1125			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1126			    key->type == HCI_LK_DEBUG_COMBINATION) {
1127				list_del_rcu(&key->list);
1128				kfree_rcu(key, rcu);
1129			}
1130		}
1131	}
1132}
1133
1134static void sc_add_ltk(struct smp_chan *smp)
1135{
1136	struct hci_conn *hcon = smp->conn->hcon;
1137	u8 key_type, auth;
1138
1139	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1140		key_type = SMP_LTK_P256_DEBUG;
1141	else
1142		key_type = SMP_LTK_P256;
1143
1144	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1145		auth = 1;
1146	else
1147		auth = 0;
1148
1149	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1150			       key_type, auth, smp->tk, smp->enc_key_size,
1151			       0, 0);
1152}
1153
1154static void sc_generate_link_key(struct smp_chan *smp)
1155{
1156	/* From core spec. Spells out in ASCII as 'lebr'. */
1157	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158
1159	smp->link_key = kzalloc(16, GFP_KERNEL);
1160	if (!smp->link_key)
1161		return;
1162
1163	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1164		/* SALT = 0x00000000000000000000000000000000746D7031 */
1165		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1166
1167		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1168			kzfree(smp->link_key);
1169			smp->link_key = NULL;
1170			return;
1171		}
1172	} else {
1173		/* From core spec. Spells out in ASCII as 'tmp1'. */
1174		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1175
1176		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1177			kzfree(smp->link_key);
1178			smp->link_key = NULL;
1179			return;
1180		}
1181	}
1182
1183	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184		kzfree(smp->link_key);
1185		smp->link_key = NULL;
1186		return;
1187	}
1188}
1189
1190static void smp_allow_key_dist(struct smp_chan *smp)
1191{
1192	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193	 * will be allowed in each PDU handler to ensure we receive
1194	 * them in the correct order.
1195	 */
1196	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202}
1203
1204static void sc_generate_ltk(struct smp_chan *smp)
1205{
1206	/* From core spec. Spells out in ASCII as 'brle'. */
1207	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1208	struct hci_conn *hcon = smp->conn->hcon;
1209	struct hci_dev *hdev = hcon->hdev;
1210	struct link_key *key;
1211
1212	key = hci_find_link_key(hdev, &hcon->dst);
1213	if (!key) {
1214		bt_dev_err(hdev, "no Link Key found to generate LTK");
1215		return;
1216	}
1217
1218	if (key->type == HCI_LK_DEBUG_COMBINATION)
1219		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1220
1221	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1222		/* SALT = 0x00000000000000000000000000000000746D7032 */
1223		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1224
1225		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1226			return;
1227	} else {
1228		/* From core spec. Spells out in ASCII as 'tmp2'. */
1229		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1230
1231		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1232			return;
1233	}
1234
1235	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1236		return;
1237
1238	sc_add_ltk(smp);
1239}
1240
1241static void smp_distribute_keys(struct smp_chan *smp)
1242{
1243	struct smp_cmd_pairing *req, *rsp;
1244	struct l2cap_conn *conn = smp->conn;
1245	struct hci_conn *hcon = conn->hcon;
1246	struct hci_dev *hdev = hcon->hdev;
1247	__u8 *keydist;
1248
1249	BT_DBG("conn %p", conn);
1250
1251	rsp = (void *) &smp->prsp[1];
1252
1253	/* The responder sends its keys first */
1254	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1255		smp_allow_key_dist(smp);
1256		return;
1257	}
1258
1259	req = (void *) &smp->preq[1];
1260
1261	if (hcon->out) {
1262		keydist = &rsp->init_key_dist;
1263		*keydist &= req->init_key_dist;
1264	} else {
1265		keydist = &rsp->resp_key_dist;
1266		*keydist &= req->resp_key_dist;
1267	}
1268
1269	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271			sc_generate_link_key(smp);
1272		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273			sc_generate_ltk(smp);
1274
1275		/* Clear the keys which are generated but not distributed */
1276		*keydist &= ~SMP_SC_NO_DIST;
1277	}
1278
1279	BT_DBG("keydist 0x%x", *keydist);
1280
1281	if (*keydist & SMP_DIST_ENC_KEY) {
1282		struct smp_cmd_encrypt_info enc;
1283		struct smp_cmd_master_ident ident;
1284		struct smp_ltk *ltk;
1285		u8 authenticated;
1286		__le16 ediv;
1287		__le64 rand;
1288
1289		/* Make sure we generate only the significant amount of
1290		 * bytes based on the encryption key size, and set the rest
1291		 * of the value to zeroes.
1292		 */
1293		get_random_bytes(enc.ltk, smp->enc_key_size);
1294		memset(enc.ltk + smp->enc_key_size, 0,
1295		       sizeof(enc.ltk) - smp->enc_key_size);
1296
1297		get_random_bytes(&ediv, sizeof(ediv));
1298		get_random_bytes(&rand, sizeof(rand));
1299
1300		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301
1302		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1305				  smp->enc_key_size, ediv, rand);
1306		smp->slave_ltk = ltk;
1307
1308		ident.ediv = ediv;
1309		ident.rand = rand;
1310
1311		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1312
1313		*keydist &= ~SMP_DIST_ENC_KEY;
1314	}
1315
1316	if (*keydist & SMP_DIST_ID_KEY) {
1317		struct smp_cmd_ident_addr_info addrinfo;
1318		struct smp_cmd_ident_info idinfo;
1319
1320		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1321
1322		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1323
1324		/* The hci_conn contains the local identity address
1325		 * after the connection has been established.
1326		 *
1327		 * This is true even when the connection has been
1328		 * established using a resolvable random address.
1329		 */
1330		bacpy(&addrinfo.bdaddr, &hcon->src);
1331		addrinfo.addr_type = hcon->src_type;
1332
1333		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1334			     &addrinfo);
1335
1336		*keydist &= ~SMP_DIST_ID_KEY;
1337	}
1338
1339	if (*keydist & SMP_DIST_SIGN) {
1340		struct smp_cmd_sign_info sign;
1341		struct smp_csrk *csrk;
1342
1343		/* Generate a new random key */
1344		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1345
1346		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1347		if (csrk) {
1348			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1349				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1350			else
1351				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1352			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1353		}
1354		smp->slave_csrk = csrk;
1355
1356		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1357
1358		*keydist &= ~SMP_DIST_SIGN;
1359	}
1360
1361	/* If there are still keys to be received wait for them */
1362	if (smp->remote_key_dist & KEY_DIST_MASK) {
1363		smp_allow_key_dist(smp);
1364		return;
1365	}
1366
1367	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1368	smp_notify_keys(conn);
1369
1370	smp_chan_destroy(conn);
1371}
1372
1373static void smp_timeout(struct work_struct *work)
1374{
1375	struct smp_chan *smp = container_of(work, struct smp_chan,
1376					    security_timer.work);
1377	struct l2cap_conn *conn = smp->conn;
1378
1379	BT_DBG("conn %p", conn);
1380
1381	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1382}
1383
1384static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1385{
1386	struct l2cap_chan *chan = conn->smp;
1387	struct smp_chan *smp;
1388
1389	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1390	if (!smp)
1391		return NULL;
1392
1393	smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1394	if (IS_ERR(smp->tfm_aes)) {
1395		BT_ERR("Unable to create AES crypto context");
1396		goto zfree_smp;
1397	}
1398
1399	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1400	if (IS_ERR(smp->tfm_cmac)) {
1401		BT_ERR("Unable to create CMAC crypto context");
1402		goto free_cipher;
1403	}
1404
1405	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1406	if (IS_ERR(smp->tfm_ecdh)) {
1407		BT_ERR("Unable to create ECDH crypto context");
1408		goto free_shash;
1409	}
1410
1411	smp->conn = conn;
1412	chan->data = smp;
1413
1414	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1415
1416	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1417
1418	hci_conn_hold(conn->hcon);
1419
1420	return smp;
1421
1422free_shash:
1423	crypto_free_shash(smp->tfm_cmac);
1424free_cipher:
1425	crypto_free_cipher(smp->tfm_aes);
1426zfree_smp:
1427	kzfree(smp);
1428	return NULL;
1429}
1430
1431static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1432{
1433	struct hci_conn *hcon = smp->conn->hcon;
1434	u8 *na, *nb, a[7], b[7];
1435
1436	if (hcon->out) {
1437		na   = smp->prnd;
1438		nb   = smp->rrnd;
1439	} else {
1440		na   = smp->rrnd;
1441		nb   = smp->prnd;
1442	}
1443
1444	memcpy(a, &hcon->init_addr, 6);
1445	memcpy(b, &hcon->resp_addr, 6);
1446	a[6] = hcon->init_addr_type;
1447	b[6] = hcon->resp_addr_type;
1448
1449	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1450}
1451
1452static void sc_dhkey_check(struct smp_chan *smp)
1453{
1454	struct hci_conn *hcon = smp->conn->hcon;
1455	struct smp_cmd_dhkey_check check;
1456	u8 a[7], b[7], *local_addr, *remote_addr;
1457	u8 io_cap[3], r[16];
1458
1459	memcpy(a, &hcon->init_addr, 6);
1460	memcpy(b, &hcon->resp_addr, 6);
1461	a[6] = hcon->init_addr_type;
1462	b[6] = hcon->resp_addr_type;
1463
1464	if (hcon->out) {
1465		local_addr = a;
1466		remote_addr = b;
1467		memcpy(io_cap, &smp->preq[1], 3);
1468	} else {
1469		local_addr = b;
1470		remote_addr = a;
1471		memcpy(io_cap, &smp->prsp[1], 3);
1472	}
1473
1474	memset(r, 0, sizeof(r));
1475
1476	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1477		put_unaligned_le32(hcon->passkey_notify, r);
1478
1479	if (smp->method == REQ_OOB)
1480		memcpy(r, smp->rr, 16);
1481
1482	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1483	       local_addr, remote_addr, check.e);
1484
1485	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1486}
1487
1488static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1489{
1490	struct l2cap_conn *conn = smp->conn;
1491	struct hci_conn *hcon = conn->hcon;
1492	struct smp_cmd_pairing_confirm cfm;
1493	u8 r;
1494
1495	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1496	r |= 0x80;
1497
1498	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1499
1500	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1501		   cfm.confirm_val))
1502		return SMP_UNSPECIFIED;
1503
1504	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1505
1506	return 0;
1507}
1508
1509static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1510{
1511	struct l2cap_conn *conn = smp->conn;
1512	struct hci_conn *hcon = conn->hcon;
1513	struct hci_dev *hdev = hcon->hdev;
1514	u8 cfm[16], r;
1515
1516	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1517	if (smp->passkey_round >= 20)
1518		return 0;
1519
1520	switch (smp_op) {
1521	case SMP_CMD_PAIRING_RANDOM:
1522		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1523		r |= 0x80;
1524
1525		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1526			   smp->rrnd, r, cfm))
1527			return SMP_UNSPECIFIED;
1528
1529		if (crypto_memneq(smp->pcnf, cfm, 16))
1530			return SMP_CONFIRM_FAILED;
1531
1532		smp->passkey_round++;
1533
1534		if (smp->passkey_round == 20) {
1535			/* Generate MacKey and LTK */
1536			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1537				return SMP_UNSPECIFIED;
1538		}
1539
1540		/* The round is only complete when the initiator
1541		 * receives pairing random.
1542		 */
1543		if (!hcon->out) {
1544			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545				     sizeof(smp->prnd), smp->prnd);
1546			if (smp->passkey_round == 20)
1547				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1548			else
1549				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1550			return 0;
1551		}
1552
1553		/* Start the next round */
1554		if (smp->passkey_round != 20)
1555			return sc_passkey_round(smp, 0);
1556
1557		/* Passkey rounds are complete - start DHKey Check */
1558		sc_dhkey_check(smp);
1559		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1560
1561		break;
1562
1563	case SMP_CMD_PAIRING_CONFIRM:
1564		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1565			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1566			return 0;
1567		}
1568
1569		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1570
1571		if (hcon->out) {
1572			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1573				     sizeof(smp->prnd), smp->prnd);
1574			return 0;
1575		}
1576
1577		return sc_passkey_send_confirm(smp);
1578
1579	case SMP_CMD_PUBLIC_KEY:
1580	default:
1581		/* Initiating device starts the round */
1582		if (!hcon->out)
1583			return 0;
1584
1585		BT_DBG("%s Starting passkey round %u", hdev->name,
1586		       smp->passkey_round + 1);
1587
1588		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1589
1590		return sc_passkey_send_confirm(smp);
1591	}
1592
1593	return 0;
1594}
1595
1596static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1597{
1598	struct l2cap_conn *conn = smp->conn;
1599	struct hci_conn *hcon = conn->hcon;
1600	u8 smp_op;
1601
1602	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1603
1604	switch (mgmt_op) {
1605	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1606		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1607		return 0;
1608	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1609		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1610		return 0;
1611	case MGMT_OP_USER_PASSKEY_REPLY:
1612		hcon->passkey_notify = le32_to_cpu(passkey);
1613		smp->passkey_round = 0;
1614
1615		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1616			smp_op = SMP_CMD_PAIRING_CONFIRM;
1617		else
1618			smp_op = 0;
1619
1620		if (sc_passkey_round(smp, smp_op))
1621			return -EIO;
1622
1623		return 0;
1624	}
1625
1626	/* Initiator sends DHKey check first */
1627	if (hcon->out) {
1628		sc_dhkey_check(smp);
1629		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1630	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1631		sc_dhkey_check(smp);
1632		sc_add_ltk(smp);
1633	}
1634
1635	return 0;
1636}
1637
1638int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1639{
1640	struct l2cap_conn *conn = hcon->l2cap_data;
1641	struct l2cap_chan *chan;
1642	struct smp_chan *smp;
1643	u32 value;
1644	int err;
1645
1646	BT_DBG("");
1647
1648	if (!conn)
1649		return -ENOTCONN;
1650
1651	chan = conn->smp;
1652	if (!chan)
1653		return -ENOTCONN;
1654
1655	l2cap_chan_lock(chan);
1656	if (!chan->data) {
1657		err = -ENOTCONN;
1658		goto unlock;
1659	}
1660
1661	smp = chan->data;
1662
1663	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664		err = sc_user_reply(smp, mgmt_op, passkey);
1665		goto unlock;
1666	}
1667
1668	switch (mgmt_op) {
1669	case MGMT_OP_USER_PASSKEY_REPLY:
1670		value = le32_to_cpu(passkey);
1671		memset(smp->tk, 0, sizeof(smp->tk));
1672		BT_DBG("PassKey: %d", value);
1673		put_unaligned_le32(value, smp->tk);
1674		/* Fall Through */
1675	case MGMT_OP_USER_CONFIRM_REPLY:
1676		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1677		break;
1678	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1679	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1680		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1681		err = 0;
1682		goto unlock;
1683	default:
1684		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1685		err = -EOPNOTSUPP;
1686		goto unlock;
1687	}
1688
1689	err = 0;
1690
1691	/* If it is our turn to send Pairing Confirm, do so now */
1692	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1693		u8 rsp = smp_confirm(smp);
1694		if (rsp)
1695			smp_failure(conn, rsp);
1696	}
1697
1698unlock:
1699	l2cap_chan_unlock(chan);
1700	return err;
1701}
1702
1703static void build_bredr_pairing_cmd(struct smp_chan *smp,
1704				    struct smp_cmd_pairing *req,
1705				    struct smp_cmd_pairing *rsp)
1706{
1707	struct l2cap_conn *conn = smp->conn;
1708	struct hci_dev *hdev = conn->hcon->hdev;
1709	u8 local_dist = 0, remote_dist = 0;
1710
1711	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1712		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1714	}
1715
1716	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1717		remote_dist |= SMP_DIST_ID_KEY;
1718
1719	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1720		local_dist |= SMP_DIST_ID_KEY;
1721
1722	if (!rsp) {
1723		memset(req, 0, sizeof(*req));
1724
1725		req->auth_req        = SMP_AUTH_CT2;
1726		req->init_key_dist   = local_dist;
1727		req->resp_key_dist   = remote_dist;
1728		req->max_key_size    = conn->hcon->enc_key_size;
1729
1730		smp->remote_key_dist = remote_dist;
1731
1732		return;
1733	}
1734
1735	memset(rsp, 0, sizeof(*rsp));
1736
1737	rsp->auth_req        = SMP_AUTH_CT2;
1738	rsp->max_key_size    = conn->hcon->enc_key_size;
1739	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1740	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1741
1742	smp->remote_key_dist = rsp->init_key_dist;
1743}
1744
1745static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1746{
1747	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1748	struct l2cap_chan *chan = conn->smp;
1749	struct hci_dev *hdev = conn->hcon->hdev;
1750	struct smp_chan *smp;
1751	u8 key_size, auth, sec_level;
1752	int ret;
1753
1754	BT_DBG("conn %p", conn);
1755
1756	if (skb->len < sizeof(*req))
1757		return SMP_INVALID_PARAMS;
1758
1759	if (conn->hcon->role != HCI_ROLE_SLAVE)
1760		return SMP_CMD_NOTSUPP;
1761
1762	if (!chan->data)
1763		smp = smp_chan_create(conn);
1764	else
1765		smp = chan->data;
1766
1767	if (!smp)
1768		return SMP_UNSPECIFIED;
1769
1770	/* We didn't start the pairing, so match remote */
1771	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772
1773	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774	    (auth & SMP_AUTH_BONDING))
1775		return SMP_PAIRING_NOTSUPP;
1776
1777	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778		return SMP_AUTH_REQUIREMENTS;
1779
1780	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781	memcpy(&smp->preq[1], req, sizeof(*req));
1782	skb_pull(skb, sizeof(*req));
1783
1784	/* If the remote side's OOB flag is set it means it has
1785	 * successfully received our local OOB data - therefore set the
1786	 * flag to indicate that local OOB is in use.
1787	 */
1788	if (req->oob_flag == SMP_OOB_PRESENT)
1789		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790
1791	/* SMP over BR/EDR requires special treatment */
1792	if (conn->hcon->type == ACL_LINK) {
1793		/* We must have a BR/EDR SC link */
1794		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797
1798		set_bit(SMP_FLAG_SC, &smp->flags);
1799
1800		build_bredr_pairing_cmd(smp, req, &rsp);
1801
1802		if (req->auth_req & SMP_AUTH_CT2)
1803			set_bit(SMP_FLAG_CT2, &smp->flags);
1804
1805		key_size = min(req->max_key_size, rsp.max_key_size);
1806		if (check_enc_key_size(conn, key_size))
1807			return SMP_ENC_KEY_SIZE;
1808
1809		/* Clear bits which are generated but not distributed */
1810		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811
1812		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815
1816		smp_distribute_keys(smp);
1817		return 0;
1818	}
1819
1820	build_pairing_cmd(conn, req, &rsp, auth);
1821
1822	if (rsp.auth_req & SMP_AUTH_SC) {
1823		set_bit(SMP_FLAG_SC, &smp->flags);
1824
1825		if (rsp.auth_req & SMP_AUTH_CT2)
1826			set_bit(SMP_FLAG_CT2, &smp->flags);
1827	}
1828
1829	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830		sec_level = BT_SECURITY_MEDIUM;
1831	else
1832		sec_level = authreq_to_seclevel(auth);
1833
1834	if (sec_level > conn->hcon->pending_sec_level)
1835		conn->hcon->pending_sec_level = sec_level;
1836
1837	/* If we need MITM check that it can be achieved */
1838	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1839		u8 method;
1840
1841		method = get_auth_method(smp, conn->hcon->io_capability,
1842					 req->io_capability);
1843		if (method == JUST_WORKS || method == JUST_CFM)
1844			return SMP_AUTH_REQUIREMENTS;
1845	}
1846
1847	key_size = min(req->max_key_size, rsp.max_key_size);
1848	if (check_enc_key_size(conn, key_size))
1849		return SMP_ENC_KEY_SIZE;
1850
1851	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852
1853	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855
1856	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857
1858	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859
1860	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1861	 * SC case, however some implementations incorrectly copy RFU auth
1862	 * req bits from our security request, which may create a false
1863	 * positive SC enablement.
1864	 */
1865	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866
1867	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869		/* Clear bits which are generated but not distributed */
1870		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871		/* Wait for Public Key from Initiating Device */
1872		return 0;
1873	}
1874
1875	/* Request setup of TK */
1876	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877	if (ret)
1878		return SMP_UNSPECIFIED;
1879
1880	return 0;
1881}
1882
1883static u8 sc_send_public_key(struct smp_chan *smp)
1884{
1885	struct hci_dev *hdev = smp->conn->hcon->hdev;
1886
1887	BT_DBG("");
1888
1889	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890		struct l2cap_chan *chan = hdev->smp_data;
1891		struct smp_dev *smp_dev;
1892
1893		if (!chan || !chan->data)
1894			return SMP_UNSPECIFIED;
1895
1896		smp_dev = chan->data;
1897
1898		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899		memcpy(smp->lr, smp_dev->local_rand, 16);
1900
1901		if (smp_dev->debug_key)
1902			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1903
1904		goto done;
1905	}
1906
1907	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908		BT_DBG("Using debug keys");
1909		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910			return SMP_UNSPECIFIED;
1911		memcpy(smp->local_pk, debug_pk, 64);
1912		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1913	} else {
1914		while (true) {
1915			/* Generate key pair for Secure Connections */
1916			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917				return SMP_UNSPECIFIED;
1918
1919			/* This is unlikely, but we need to check that
1920			 * we didn't accidentially generate a debug key.
1921			 */
1922			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1923				break;
1924		}
1925	}
1926
1927done:
1928	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930
1931	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1932
1933	return 0;
1934}
1935
1936static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937{
1938	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939	struct l2cap_chan *chan = conn->smp;
1940	struct smp_chan *smp = chan->data;
1941	struct hci_dev *hdev = conn->hcon->hdev;
1942	u8 key_size, auth;
1943	int ret;
1944
1945	BT_DBG("conn %p", conn);
1946
1947	if (skb->len < sizeof(*rsp))
1948		return SMP_INVALID_PARAMS;
1949
1950	if (conn->hcon->role != HCI_ROLE_MASTER)
1951		return SMP_CMD_NOTSUPP;
1952
1953	skb_pull(skb, sizeof(*rsp));
1954
1955	req = (void *) &smp->preq[1];
1956
1957	key_size = min(req->max_key_size, rsp->max_key_size);
1958	if (check_enc_key_size(conn, key_size))
1959		return SMP_ENC_KEY_SIZE;
1960
1961	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962
1963	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964		return SMP_AUTH_REQUIREMENTS;
1965
1966	/* If the remote side's OOB flag is set it means it has
1967	 * successfully received our local OOB data - therefore set the
1968	 * flag to indicate that local OOB is in use.
1969	 */
1970	if (rsp->oob_flag == SMP_OOB_PRESENT)
1971		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972
1973	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975
1976	/* Update remote key distribution in case the remote cleared
1977	 * some bits that we had enabled in our request.
1978	 */
1979	smp->remote_key_dist &= rsp->resp_key_dist;
1980
1981	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982		set_bit(SMP_FLAG_CT2, &smp->flags);
1983
1984	/* For BR/EDR this means we're done and can start phase 3 */
1985	if (conn->hcon->type == ACL_LINK) {
1986		/* Clear bits which are generated but not distributed */
1987		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988		smp_distribute_keys(smp);
1989		return 0;
1990	}
1991
1992	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993		set_bit(SMP_FLAG_SC, &smp->flags);
1994	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996
1997	/* If we need MITM check that it can be achieved */
1998	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1999		u8 method;
2000
2001		method = get_auth_method(smp, req->io_capability,
2002					 rsp->io_capability);
2003		if (method == JUST_WORKS || method == JUST_CFM)
2004			return SMP_AUTH_REQUIREMENTS;
2005	}
2006
2007	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008
2009	/* Update remote key distribution in case the remote cleared
2010	 * some bits that we had enabled in our request.
2011	 */
2012	smp->remote_key_dist &= rsp->resp_key_dist;
2013
2014	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015		/* Clear bits which are generated but not distributed */
2016		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018		return sc_send_public_key(smp);
2019	}
2020
2021	auth |= req->auth_req;
2022
2023	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024	if (ret)
2025		return SMP_UNSPECIFIED;
2026
2027	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028
2029	/* Can't compose response until we have been confirmed */
2030	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031		return smp_confirm(smp);
2032
2033	return 0;
2034}
2035
2036static u8 sc_check_confirm(struct smp_chan *smp)
2037{
2038	struct l2cap_conn *conn = smp->conn;
2039
2040	BT_DBG("");
2041
2042	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044
2045	if (conn->hcon->out) {
2046		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047			     smp->prnd);
2048		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2049	}
2050
2051	return 0;
2052}
2053
2054/* Work-around for some implementations that incorrectly copy RFU bits
2055 * from our security request and thereby create the impression that
2056 * we're doing SC when in fact the remote doesn't support it.
2057 */
2058static int fixup_sc_false_positive(struct smp_chan *smp)
2059{
2060	struct l2cap_conn *conn = smp->conn;
2061	struct hci_conn *hcon = conn->hcon;
2062	struct hci_dev *hdev = hcon->hdev;
2063	struct smp_cmd_pairing *req, *rsp;
2064	u8 auth;
2065
2066	/* The issue is only observed when we're in slave role */
2067	if (hcon->out)
2068		return SMP_UNSPECIFIED;
2069
2070	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072		return SMP_UNSPECIFIED;
2073	}
2074
2075	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076
2077	req = (void *) &smp->preq[1];
2078	rsp = (void *) &smp->prsp[1];
2079
2080	/* Rebuild key dist flags which may have been cleared for SC */
2081	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082
2083	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084
2085	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087		return SMP_UNSPECIFIED;
2088	}
2089
2090	clear_bit(SMP_FLAG_SC, &smp->flags);
2091
2092	return 0;
2093}
2094
2095static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096{
2097	struct l2cap_chan *chan = conn->smp;
2098	struct smp_chan *smp = chan->data;
2099
2100	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2101
2102	if (skb->len < sizeof(smp->pcnf))
2103		return SMP_INVALID_PARAMS;
2104
2105	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2106	skb_pull(skb, sizeof(smp->pcnf));
2107
2108	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2109		int ret;
2110
2111		/* Public Key exchange must happen before any other steps */
2112		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2113			return sc_check_confirm(smp);
2114
2115		BT_ERR("Unexpected SMP Pairing Confirm");
2116
2117		ret = fixup_sc_false_positive(smp);
2118		if (ret)
2119			return ret;
2120	}
2121
2122	if (conn->hcon->out) {
2123		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2124			     smp->prnd);
2125		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2126		return 0;
2127	}
2128
2129	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2130		return smp_confirm(smp);
2131
2132	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2133
2134	return 0;
2135}
2136
2137static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2138{
2139	struct l2cap_chan *chan = conn->smp;
2140	struct smp_chan *smp = chan->data;
2141	struct hci_conn *hcon = conn->hcon;
2142	u8 *pkax, *pkbx, *na, *nb;
2143	u32 passkey;
2144	int err;
2145
2146	BT_DBG("conn %p", conn);
2147
2148	if (skb->len < sizeof(smp->rrnd))
2149		return SMP_INVALID_PARAMS;
2150
2151	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2152	skb_pull(skb, sizeof(smp->rrnd));
2153
2154	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2155		return smp_random(smp);
2156
2157	if (hcon->out) {
2158		pkax = smp->local_pk;
2159		pkbx = smp->remote_pk;
2160		na   = smp->prnd;
2161		nb   = smp->rrnd;
2162	} else {
2163		pkax = smp->remote_pk;
2164		pkbx = smp->local_pk;
2165		na   = smp->rrnd;
2166		nb   = smp->prnd;
2167	}
2168
2169	if (smp->method == REQ_OOB) {
2170		if (!hcon->out)
2171			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2172				     sizeof(smp->prnd), smp->prnd);
2173		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2174		goto mackey_and_ltk;
2175	}
2176
2177	/* Passkey entry has special treatment */
2178	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2179		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2180
2181	if (hcon->out) {
2182		u8 cfm[16];
2183
2184		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2185			     smp->rrnd, 0, cfm);
2186		if (err)
2187			return SMP_UNSPECIFIED;
2188
2189		if (crypto_memneq(smp->pcnf, cfm, 16))
2190			return SMP_CONFIRM_FAILED;
2191	} else {
2192		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2193			     smp->prnd);
2194		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2195	}
2196
2197mackey_and_ltk:
2198	/* Generate MacKey and LTK */
2199	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200	if (err)
2201		return SMP_UNSPECIFIED;
2202
2203	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2204		if (hcon->out) {
2205			sc_dhkey_check(smp);
2206			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2207		}
2208		return 0;
2209	}
2210
2211	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212	if (err)
2213		return SMP_UNSPECIFIED;
2214
2215	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2216					hcon->dst_type, passkey, 0);
2217	if (err)
2218		return SMP_UNSPECIFIED;
2219
2220	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2221
2222	return 0;
2223}
2224
2225static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2226{
2227	struct smp_ltk *key;
2228	struct hci_conn *hcon = conn->hcon;
2229
2230	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2231	if (!key)
2232		return false;
2233
2234	if (smp_ltk_sec_level(key) < sec_level)
2235		return false;
2236
2237	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2238		return true;
2239
2240	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2241	hcon->enc_key_size = key->enc_size;
2242
2243	/* We never store STKs for master role, so clear this flag */
2244	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2245
2246	return true;
2247}
2248
2249bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2250			     enum smp_key_pref key_pref)
2251{
2252	if (sec_level == BT_SECURITY_LOW)
2253		return true;
2254
2255	/* If we're encrypted with an STK but the caller prefers using
2256	 * LTK claim insufficient security. This way we allow the
2257	 * connection to be re-encrypted with an LTK, even if the LTK
2258	 * provides the same level of security. Only exception is if we
2259	 * don't have an LTK (e.g. because of key distribution bits).
2260	 */
2261	if (key_pref == SMP_USE_LTK &&
2262	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2263	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2264		return false;
2265
2266	if (hcon->sec_level >= sec_level)
2267		return true;
2268
2269	return false;
2270}
2271
2272static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2273{
2274	struct smp_cmd_security_req *rp = (void *) skb->data;
2275	struct smp_cmd_pairing cp;
2276	struct hci_conn *hcon = conn->hcon;
2277	struct hci_dev *hdev = hcon->hdev;
2278	struct smp_chan *smp;
2279	u8 sec_level, auth;
2280
2281	BT_DBG("conn %p", conn);
2282
2283	if (skb->len < sizeof(*rp))
2284		return SMP_INVALID_PARAMS;
2285
2286	if (hcon->role != HCI_ROLE_MASTER)
2287		return SMP_CMD_NOTSUPP;
2288
2289	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2290
2291	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2292		return SMP_AUTH_REQUIREMENTS;
2293
2294	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2295		sec_level = BT_SECURITY_MEDIUM;
2296	else
2297		sec_level = authreq_to_seclevel(auth);
2298
2299	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2300		return 0;
2301
2302	if (sec_level > hcon->pending_sec_level)
2303		hcon->pending_sec_level = sec_level;
2304
2305	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2306		return 0;
2307
2308	smp = smp_chan_create(conn);
2309	if (!smp)
2310		return SMP_UNSPECIFIED;
2311
2312	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2313	    (auth & SMP_AUTH_BONDING))
2314		return SMP_PAIRING_NOTSUPP;
2315
2316	skb_pull(skb, sizeof(*rp));
2317
2318	memset(&cp, 0, sizeof(cp));
2319	build_pairing_cmd(conn, &cp, NULL, auth);
2320
2321	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2322	memcpy(&smp->preq[1], &cp, sizeof(cp));
2323
2324	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2325	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2326
2327	return 0;
2328}
2329
2330int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2331{
2332	struct l2cap_conn *conn = hcon->l2cap_data;
2333	struct l2cap_chan *chan;
2334	struct smp_chan *smp;
2335	__u8 authreq;
2336	int ret;
2337
2338	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2339
2340	/* This may be NULL if there's an unexpected disconnection */
2341	if (!conn)
2342		return 1;
2343
2344	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2345		return 1;
2346
2347	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2348		return 1;
2349
2350	if (sec_level > hcon->pending_sec_level)
2351		hcon->pending_sec_level = sec_level;
2352
2353	if (hcon->role == HCI_ROLE_MASTER)
2354		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2355			return 0;
2356
2357	chan = conn->smp;
2358	if (!chan) {
2359		bt_dev_err(hcon->hdev, "security requested but not available");
2360		return 1;
2361	}
2362
2363	l2cap_chan_lock(chan);
2364
2365	/* If SMP is already in progress ignore this request */
2366	if (chan->data) {
2367		ret = 0;
2368		goto unlock;
2369	}
2370
2371	smp = smp_chan_create(conn);
2372	if (!smp) {
2373		ret = 1;
2374		goto unlock;
2375	}
2376
2377	authreq = seclevel_to_authreq(sec_level);
2378
2379	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2380		authreq |= SMP_AUTH_SC;
2381		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2382			authreq |= SMP_AUTH_CT2;
2383	}
2384
2385	/* Require MITM if IO Capability allows or the security level
2386	 * requires it.
2387	 */
2388	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2389	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2390		authreq |= SMP_AUTH_MITM;
2391
2392	if (hcon->role == HCI_ROLE_MASTER) {
2393		struct smp_cmd_pairing cp;
2394
2395		build_pairing_cmd(conn, &cp, NULL, authreq);
2396		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2397		memcpy(&smp->preq[1], &cp, sizeof(cp));
2398
2399		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2400		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2401	} else {
2402		struct smp_cmd_security_req cp;
2403		cp.auth_req = authreq;
2404		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2405		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2406	}
2407
2408	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2409	ret = 0;
2410
2411unlock:
2412	l2cap_chan_unlock(chan);
2413	return ret;
2414}
2415
2416void smp_cancel_pairing(struct hci_conn *hcon)
2417{
2418	struct l2cap_conn *conn = hcon->l2cap_data;
2419	struct l2cap_chan *chan;
2420	struct smp_chan *smp;
2421
2422	if (!conn)
2423		return;
2424
2425	chan = conn->smp;
2426	if (!chan)
2427		return;
2428
2429	l2cap_chan_lock(chan);
2430
2431	smp = chan->data;
2432	if (smp) {
2433		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2434			smp_failure(conn, 0);
2435		else
2436			smp_failure(conn, SMP_UNSPECIFIED);
2437	}
2438
2439	l2cap_chan_unlock(chan);
2440}
2441
2442static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2443{
2444	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2445	struct l2cap_chan *chan = conn->smp;
2446	struct smp_chan *smp = chan->data;
2447
2448	BT_DBG("conn %p", conn);
2449
2450	if (skb->len < sizeof(*rp))
2451		return SMP_INVALID_PARAMS;
2452
2453	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2454
2455	skb_pull(skb, sizeof(*rp));
2456
2457	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2458
2459	return 0;
2460}
2461
2462static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2463{
2464	struct smp_cmd_master_ident *rp = (void *) skb->data;
2465	struct l2cap_chan *chan = conn->smp;
2466	struct smp_chan *smp = chan->data;
2467	struct hci_dev *hdev = conn->hcon->hdev;
2468	struct hci_conn *hcon = conn->hcon;
2469	struct smp_ltk *ltk;
2470	u8 authenticated;
2471
2472	BT_DBG("conn %p", conn);
2473
2474	if (skb->len < sizeof(*rp))
2475		return SMP_INVALID_PARAMS;
2476
2477	/* Mark the information as received */
2478	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2479
2480	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2481		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2482	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2483		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2484
2485	skb_pull(skb, sizeof(*rp));
2486
2487	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2488	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2489			  authenticated, smp->tk, smp->enc_key_size,
2490			  rp->ediv, rp->rand);
2491	smp->ltk = ltk;
2492	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2493		smp_distribute_keys(smp);
2494
2495	return 0;
2496}
2497
2498static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2499{
2500	struct smp_cmd_ident_info *info = (void *) skb->data;
2501	struct l2cap_chan *chan = conn->smp;
2502	struct smp_chan *smp = chan->data;
2503
2504	BT_DBG("");
2505
2506	if (skb->len < sizeof(*info))
2507		return SMP_INVALID_PARAMS;
2508
2509	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2510
2511	skb_pull(skb, sizeof(*info));
2512
2513	memcpy(smp->irk, info->irk, 16);
2514
2515	return 0;
2516}
2517
2518static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2519				   struct sk_buff *skb)
2520{
2521	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2522	struct l2cap_chan *chan = conn->smp;
2523	struct smp_chan *smp = chan->data;
2524	struct hci_conn *hcon = conn->hcon;
2525	bdaddr_t rpa;
2526
2527	BT_DBG("");
2528
2529	if (skb->len < sizeof(*info))
2530		return SMP_INVALID_PARAMS;
2531
2532	/* Mark the information as received */
2533	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2534
2535	if (smp->remote_key_dist & SMP_DIST_SIGN)
2536		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2537
2538	skb_pull(skb, sizeof(*info));
2539
2540	/* Strictly speaking the Core Specification (4.1) allows sending
2541	 * an empty address which would force us to rely on just the IRK
2542	 * as "identity information". However, since such
2543	 * implementations are not known of and in order to not over
2544	 * complicate our implementation, simply pretend that we never
2545	 * received an IRK for such a device.
2546	 *
2547	 * The Identity Address must also be a Static Random or Public
2548	 * Address, which hci_is_identity_address() checks for.
2549	 */
2550	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2551	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2552		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2553		goto distribute;
2554	}
2555
2556	bacpy(&smp->id_addr, &info->bdaddr);
2557	smp->id_addr_type = info->addr_type;
2558
2559	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2560		bacpy(&rpa, &hcon->dst);
2561	else
2562		bacpy(&rpa, BDADDR_ANY);
2563
2564	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2565				      smp->id_addr_type, smp->irk, &rpa);
2566
2567distribute:
2568	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2569		smp_distribute_keys(smp);
2570
2571	return 0;
2572}
2573
2574static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2575{
2576	struct smp_cmd_sign_info *rp = (void *) skb->data;
2577	struct l2cap_chan *chan = conn->smp;
2578	struct smp_chan *smp = chan->data;
2579	struct smp_csrk *csrk;
2580
2581	BT_DBG("conn %p", conn);
2582
2583	if (skb->len < sizeof(*rp))
2584		return SMP_INVALID_PARAMS;
2585
2586	/* Mark the information as received */
2587	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2588
2589	skb_pull(skb, sizeof(*rp));
2590
2591	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2592	if (csrk) {
2593		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2594			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2595		else
2596			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2597		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2598	}
2599	smp->csrk = csrk;
2600	smp_distribute_keys(smp);
2601
2602	return 0;
2603}
2604
2605static u8 sc_select_method(struct smp_chan *smp)
2606{
2607	struct l2cap_conn *conn = smp->conn;
2608	struct hci_conn *hcon = conn->hcon;
2609	struct smp_cmd_pairing *local, *remote;
2610	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2611
2612	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2613	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2614		return REQ_OOB;
2615
2616	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2617	 * which are needed as inputs to some crypto functions. To get
2618	 * the "struct smp_cmd_pairing" from them we need to skip the
2619	 * first byte which contains the opcode.
2620	 */
2621	if (hcon->out) {
2622		local = (void *) &smp->preq[1];
2623		remote = (void *) &smp->prsp[1];
2624	} else {
2625		local = (void *) &smp->prsp[1];
2626		remote = (void *) &smp->preq[1];
2627	}
2628
2629	local_io = local->io_capability;
2630	remote_io = remote->io_capability;
2631
2632	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2633	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2634
2635	/* If either side wants MITM, look up the method from the table,
2636	 * otherwise use JUST WORKS.
2637	 */
2638	if (local_mitm || remote_mitm)
2639		method = get_auth_method(smp, local_io, remote_io);
2640	else
2641		method = JUST_WORKS;
2642
2643	/* Don't confirm locally initiated pairing attempts */
2644	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2645		method = JUST_WORKS;
2646
2647	return method;
2648}
2649
2650static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2651{
2652	struct smp_cmd_public_key *key = (void *) skb->data;
2653	struct hci_conn *hcon = conn->hcon;
2654	struct l2cap_chan *chan = conn->smp;
2655	struct smp_chan *smp = chan->data;
2656	struct hci_dev *hdev = hcon->hdev;
2657	struct crypto_kpp *tfm_ecdh;
2658	struct smp_cmd_pairing_confirm cfm;
2659	int err;
2660
2661	BT_DBG("conn %p", conn);
2662
2663	if (skb->len < sizeof(*key))
2664		return SMP_INVALID_PARAMS;
2665
2666	memcpy(smp->remote_pk, key, 64);
2667
2668	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2669		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2670			     smp->rr, 0, cfm.confirm_val);
2671		if (err)
2672			return SMP_UNSPECIFIED;
2673
2674		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2675			return SMP_CONFIRM_FAILED;
2676	}
2677
2678	/* Non-initiating device sends its public key after receiving
2679	 * the key from the initiating device.
2680	 */
2681	if (!hcon->out) {
2682		err = sc_send_public_key(smp);
2683		if (err)
2684			return err;
2685	}
2686
2687	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2688	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2689
2690	/* Compute the shared secret on the same crypto tfm on which the private
2691	 * key was set/generated.
2692	 */
2693	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2694		struct smp_dev *smp_dev = chan->data;
2695
2696		tfm_ecdh = smp_dev->tfm_ecdh;
2697	} else {
2698		tfm_ecdh = smp->tfm_ecdh;
2699	}
2700
2701	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2702		return SMP_UNSPECIFIED;
2703
2704	SMP_DBG("DHKey %32phN", smp->dhkey);
2705
2706	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2707
2708	smp->method = sc_select_method(smp);
2709
2710	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2711
2712	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2713	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2714		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2715	else
2716		hcon->pending_sec_level = BT_SECURITY_FIPS;
2717
2718	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2719		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2720
2721	if (smp->method == DSP_PASSKEY) {
2722		get_random_bytes(&hcon->passkey_notify,
2723				 sizeof(hcon->passkey_notify));
2724		hcon->passkey_notify %= 1000000;
2725		hcon->passkey_entered = 0;
2726		smp->passkey_round = 0;
2727		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2728					     hcon->dst_type,
2729					     hcon->passkey_notify,
2730					     hcon->passkey_entered))
2731			return SMP_UNSPECIFIED;
2732		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2733		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2734	}
2735
2736	if (smp->method == REQ_OOB) {
2737		if (hcon->out)
2738			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2739				     sizeof(smp->prnd), smp->prnd);
2740
2741		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2742
2743		return 0;
2744	}
2745
2746	if (hcon->out)
2747		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2748
2749	if (smp->method == REQ_PASSKEY) {
2750		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2751					      hcon->dst_type))
2752			return SMP_UNSPECIFIED;
2753		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2754		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2755		return 0;
2756	}
2757
2758	/* The Initiating device waits for the non-initiating device to
2759	 * send the confirm value.
2760	 */
2761	if (conn->hcon->out)
2762		return 0;
2763
2764	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2765		     0, cfm.confirm_val);
2766	if (err)
2767		return SMP_UNSPECIFIED;
2768
2769	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2770	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2771
2772	return 0;
2773}
2774
2775static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2776{
2777	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2778	struct l2cap_chan *chan = conn->smp;
2779	struct hci_conn *hcon = conn->hcon;
2780	struct smp_chan *smp = chan->data;
2781	u8 a[7], b[7], *local_addr, *remote_addr;
2782	u8 io_cap[3], r[16], e[16];
2783	int err;
2784
2785	BT_DBG("conn %p", conn);
2786
2787	if (skb->len < sizeof(*check))
2788		return SMP_INVALID_PARAMS;
2789
2790	memcpy(a, &hcon->init_addr, 6);
2791	memcpy(b, &hcon->resp_addr, 6);
2792	a[6] = hcon->init_addr_type;
2793	b[6] = hcon->resp_addr_type;
2794
2795	if (hcon->out) {
2796		local_addr = a;
2797		remote_addr = b;
2798		memcpy(io_cap, &smp->prsp[1], 3);
2799	} else {
2800		local_addr = b;
2801		remote_addr = a;
2802		memcpy(io_cap, &smp->preq[1], 3);
2803	}
2804
2805	memset(r, 0, sizeof(r));
2806
2807	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2808		put_unaligned_le32(hcon->passkey_notify, r);
2809	else if (smp->method == REQ_OOB)
2810		memcpy(r, smp->lr, 16);
2811
2812	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2813		     io_cap, remote_addr, local_addr, e);
2814	if (err)
2815		return SMP_UNSPECIFIED;
2816
2817	if (crypto_memneq(check->e, e, 16))
2818		return SMP_DHKEY_CHECK_FAILED;
2819
2820	if (!hcon->out) {
2821		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2822			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2823			return 0;
2824		}
2825
2826		/* Slave sends DHKey check as response to master */
2827		sc_dhkey_check(smp);
2828	}
2829
2830	sc_add_ltk(smp);
2831
2832	if (hcon->out) {
2833		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2834		hcon->enc_key_size = smp->enc_key_size;
2835	}
2836
2837	return 0;
2838}
2839
2840static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2841				   struct sk_buff *skb)
2842{
2843	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2844
2845	BT_DBG("value 0x%02x", kp->value);
2846
2847	return 0;
2848}
2849
2850static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2851{
2852	struct l2cap_conn *conn = chan->conn;
2853	struct hci_conn *hcon = conn->hcon;
2854	struct smp_chan *smp;
2855	__u8 code, reason;
2856	int err = 0;
2857
2858	if (skb->len < 1)
2859		return -EILSEQ;
2860
2861	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2862		reason = SMP_PAIRING_NOTSUPP;
2863		goto done;
2864	}
2865
2866	code = skb->data[0];
2867	skb_pull(skb, sizeof(code));
2868
2869	smp = chan->data;
2870
2871	if (code > SMP_CMD_MAX)
2872		goto drop;
2873
2874	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2875		goto drop;
2876
2877	/* If we don't have a context the only allowed commands are
2878	 * pairing request and security request.
2879	 */
2880	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2881		goto drop;
2882
2883	switch (code) {
2884	case SMP_CMD_PAIRING_REQ:
2885		reason = smp_cmd_pairing_req(conn, skb);
2886		break;
2887
2888	case SMP_CMD_PAIRING_FAIL:
2889		smp_failure(conn, 0);
2890		err = -EPERM;
2891		break;
2892
2893	case SMP_CMD_PAIRING_RSP:
2894		reason = smp_cmd_pairing_rsp(conn, skb);
2895		break;
2896
2897	case SMP_CMD_SECURITY_REQ:
2898		reason = smp_cmd_security_req(conn, skb);
2899		break;
2900
2901	case SMP_CMD_PAIRING_CONFIRM:
2902		reason = smp_cmd_pairing_confirm(conn, skb);
2903		break;
2904
2905	case SMP_CMD_PAIRING_RANDOM:
2906		reason = smp_cmd_pairing_random(conn, skb);
2907		break;
2908
2909	case SMP_CMD_ENCRYPT_INFO:
2910		reason = smp_cmd_encrypt_info(conn, skb);
2911		break;
2912
2913	case SMP_CMD_MASTER_IDENT:
2914		reason = smp_cmd_master_ident(conn, skb);
2915		break;
2916
2917	case SMP_CMD_IDENT_INFO:
2918		reason = smp_cmd_ident_info(conn, skb);
2919		break;
2920
2921	case SMP_CMD_IDENT_ADDR_INFO:
2922		reason = smp_cmd_ident_addr_info(conn, skb);
2923		break;
2924
2925	case SMP_CMD_SIGN_INFO:
2926		reason = smp_cmd_sign_info(conn, skb);
2927		break;
2928
2929	case SMP_CMD_PUBLIC_KEY:
2930		reason = smp_cmd_public_key(conn, skb);
2931		break;
2932
2933	case SMP_CMD_DHKEY_CHECK:
2934		reason = smp_cmd_dhkey_check(conn, skb);
2935		break;
2936
2937	case SMP_CMD_KEYPRESS_NOTIFY:
2938		reason = smp_cmd_keypress_notify(conn, skb);
2939		break;
2940
2941	default:
2942		BT_DBG("Unknown command code 0x%2.2x", code);
2943		reason = SMP_CMD_NOTSUPP;
2944		goto done;
2945	}
2946
2947done:
2948	if (!err) {
2949		if (reason)
2950			smp_failure(conn, reason);
2951		kfree_skb(skb);
2952	}
2953
2954	return err;
2955
2956drop:
2957	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2958		   code, &hcon->dst);
2959	kfree_skb(skb);
2960	return 0;
2961}
2962
2963static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2964{
2965	struct l2cap_conn *conn = chan->conn;
2966
2967	BT_DBG("chan %p", chan);
2968
2969	if (chan->data)
2970		smp_chan_destroy(conn);
2971
2972	conn->smp = NULL;
2973	l2cap_chan_put(chan);
2974}
2975
2976static void bredr_pairing(struct l2cap_chan *chan)
2977{
2978	struct l2cap_conn *conn = chan->conn;
2979	struct hci_conn *hcon = conn->hcon;
2980	struct hci_dev *hdev = hcon->hdev;
2981	struct smp_cmd_pairing req;
2982	struct smp_chan *smp;
2983
2984	BT_DBG("chan %p", chan);
2985
2986	/* Only new pairings are interesting */
2987	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2988		return;
2989
2990	/* Don't bother if we're not encrypted */
2991	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2992		return;
2993
2994	/* Only master may initiate SMP over BR/EDR */
2995	if (hcon->role != HCI_ROLE_MASTER)
2996		return;
2997
2998	/* Secure Connections support must be enabled */
2999	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3000		return;
3001
3002	/* BR/EDR must use Secure Connections for SMP */
3003	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3004	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3005		return;
3006
3007	/* If our LE support is not enabled don't do anything */
3008	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3009		return;
3010
3011	/* Don't bother if remote LE support is not enabled */
3012	if (!lmp_host_le_capable(hcon))
3013		return;
3014
3015	/* Remote must support SMP fixed chan for BR/EDR */
3016	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3017		return;
3018
3019	/* Don't bother if SMP is already ongoing */
3020	if (chan->data)
3021		return;
3022
3023	smp = smp_chan_create(conn);
3024	if (!smp) {
3025		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3026		return;
3027	}
3028
3029	set_bit(SMP_FLAG_SC, &smp->flags);
3030
3031	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3032
3033	/* Prepare and send the BR/EDR SMP Pairing Request */
3034	build_bredr_pairing_cmd(smp, &req, NULL);
3035
3036	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3037	memcpy(&smp->preq[1], &req, sizeof(req));
3038
3039	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3040	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3041}
3042
3043static void smp_resume_cb(struct l2cap_chan *chan)
3044{
3045	struct smp_chan *smp = chan->data;
3046	struct l2cap_conn *conn = chan->conn;
3047	struct hci_conn *hcon = conn->hcon;
3048
3049	BT_DBG("chan %p", chan);
3050
3051	if (hcon->type == ACL_LINK) {
3052		bredr_pairing(chan);
3053		return;
3054	}
3055
3056	if (!smp)
3057		return;
3058
3059	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3060		return;
3061
3062	cancel_delayed_work(&smp->security_timer);
3063
3064	smp_distribute_keys(smp);
3065}
3066
3067static void smp_ready_cb(struct l2cap_chan *chan)
3068{
3069	struct l2cap_conn *conn = chan->conn;
3070	struct hci_conn *hcon = conn->hcon;
3071
3072	BT_DBG("chan %p", chan);
3073
3074	/* No need to call l2cap_chan_hold() here since we already own
3075	 * the reference taken in smp_new_conn_cb(). This is just the
3076	 * first time that we tie it to a specific pointer. The code in
3077	 * l2cap_core.c ensures that there's no risk this function wont
3078	 * get called if smp_new_conn_cb was previously called.
3079	 */
3080	conn->smp = chan;
3081
3082	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3083		bredr_pairing(chan);
3084}
3085
3086static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3087{
3088	int err;
3089
3090	BT_DBG("chan %p", chan);
3091
3092	err = smp_sig_channel(chan, skb);
3093	if (err) {
3094		struct smp_chan *smp = chan->data;
3095
3096		if (smp)
3097			cancel_delayed_work_sync(&smp->security_timer);
3098
3099		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3100	}
3101
3102	return err;
3103}
3104
3105static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3106					unsigned long hdr_len,
3107					unsigned long len, int nb)
3108{
3109	struct sk_buff *skb;
3110
3111	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3112	if (!skb)
3113		return ERR_PTR(-ENOMEM);
3114
3115	skb->priority = HCI_PRIO_MAX;
3116	bt_cb(skb)->l2cap.chan = chan;
3117
3118	return skb;
3119}
3120
3121static const struct l2cap_ops smp_chan_ops = {
3122	.name			= "Security Manager",
3123	.ready			= smp_ready_cb,
3124	.recv			= smp_recv_cb,
3125	.alloc_skb		= smp_alloc_skb_cb,
3126	.teardown		= smp_teardown_cb,
3127	.resume			= smp_resume_cb,
3128
3129	.new_connection		= l2cap_chan_no_new_connection,
3130	.state_change		= l2cap_chan_no_state_change,
3131	.close			= l2cap_chan_no_close,
3132	.defer			= l2cap_chan_no_defer,
3133	.suspend		= l2cap_chan_no_suspend,
3134	.set_shutdown		= l2cap_chan_no_set_shutdown,
3135	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3136};
3137
3138static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3139{
3140	struct l2cap_chan *chan;
3141
3142	BT_DBG("pchan %p", pchan);
3143
3144	chan = l2cap_chan_create();
3145	if (!chan)
3146		return NULL;
3147
3148	chan->chan_type	= pchan->chan_type;
3149	chan->ops	= &smp_chan_ops;
3150	chan->scid	= pchan->scid;
3151	chan->dcid	= chan->scid;
3152	chan->imtu	= pchan->imtu;
3153	chan->omtu	= pchan->omtu;
3154	chan->mode	= pchan->mode;
3155
3156	/* Other L2CAP channels may request SMP routines in order to
3157	 * change the security level. This means that the SMP channel
3158	 * lock must be considered in its own category to avoid lockdep
3159	 * warnings.
3160	 */
3161	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3162
3163	BT_DBG("created chan %p", chan);
3164
3165	return chan;
3166}
3167
3168static const struct l2cap_ops smp_root_chan_ops = {
3169	.name			= "Security Manager Root",
3170	.new_connection		= smp_new_conn_cb,
3171
3172	/* None of these are implemented for the root channel */
3173	.close			= l2cap_chan_no_close,
3174	.alloc_skb		= l2cap_chan_no_alloc_skb,
3175	.recv			= l2cap_chan_no_recv,
3176	.state_change		= l2cap_chan_no_state_change,
3177	.teardown		= l2cap_chan_no_teardown,
3178	.ready			= l2cap_chan_no_ready,
3179	.defer			= l2cap_chan_no_defer,
3180	.suspend		= l2cap_chan_no_suspend,
3181	.resume			= l2cap_chan_no_resume,
3182	.set_shutdown		= l2cap_chan_no_set_shutdown,
3183	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3184};
3185
3186static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3187{
3188	struct l2cap_chan *chan;
3189	struct smp_dev *smp;
3190	struct crypto_cipher *tfm_aes;
3191	struct crypto_shash *tfm_cmac;
3192	struct crypto_kpp *tfm_ecdh;
3193
3194	if (cid == L2CAP_CID_SMP_BREDR) {
3195		smp = NULL;
3196		goto create_chan;
3197	}
3198
3199	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3200	if (!smp)
3201		return ERR_PTR(-ENOMEM);
3202
3203	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3204	if (IS_ERR(tfm_aes)) {
3205		BT_ERR("Unable to create AES crypto context");
3206		kzfree(smp);
3207		return ERR_CAST(tfm_aes);
3208	}
3209
3210	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3211	if (IS_ERR(tfm_cmac)) {
3212		BT_ERR("Unable to create CMAC crypto context");
3213		crypto_free_cipher(tfm_aes);
3214		kzfree(smp);
3215		return ERR_CAST(tfm_cmac);
3216	}
3217
3218	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3219	if (IS_ERR(tfm_ecdh)) {
3220		BT_ERR("Unable to create ECDH crypto context");
3221		crypto_free_shash(tfm_cmac);
3222		crypto_free_cipher(tfm_aes);
3223		kzfree(smp);
3224		return ERR_CAST(tfm_ecdh);
3225	}
3226
3227	smp->tfm_aes = tfm_aes;
3228	smp->tfm_cmac = tfm_cmac;
3229	smp->tfm_ecdh = tfm_ecdh;
3230	smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3231	smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3232
3233create_chan:
3234	chan = l2cap_chan_create();
3235	if (!chan) {
3236		if (smp) {
3237			crypto_free_cipher(smp->tfm_aes);
3238			crypto_free_shash(smp->tfm_cmac);
3239			crypto_free_kpp(smp->tfm_ecdh);
3240			kzfree(smp);
3241		}
3242		return ERR_PTR(-ENOMEM);
3243	}
3244
3245	chan->data = smp;
3246
3247	l2cap_add_scid(chan, cid);
3248
3249	l2cap_chan_set_defaults(chan);
3250
3251	if (cid == L2CAP_CID_SMP) {
3252		u8 bdaddr_type;
3253
3254		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3255
3256		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3257			chan->src_type = BDADDR_LE_PUBLIC;
3258		else
3259			chan->src_type = BDADDR_LE_RANDOM;
3260	} else {
3261		bacpy(&chan->src, &hdev->bdaddr);
3262		chan->src_type = BDADDR_BREDR;
3263	}
3264
3265	chan->state = BT_LISTEN;
3266	chan->mode = L2CAP_MODE_BASIC;
3267	chan->imtu = L2CAP_DEFAULT_MTU;
3268	chan->ops = &smp_root_chan_ops;
3269
3270	/* Set correct nesting level for a parent/listening channel */
3271	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3272
3273	return chan;
3274}
3275
3276static void smp_del_chan(struct l2cap_chan *chan)
3277{
3278	struct smp_dev *smp;
3279
3280	BT_DBG("chan %p", chan);
3281
3282	smp = chan->data;
3283	if (smp) {
3284		chan->data = NULL;
3285		crypto_free_cipher(smp->tfm_aes);
3286		crypto_free_shash(smp->tfm_cmac);
3287		crypto_free_kpp(smp->tfm_ecdh);
3288		kzfree(smp);
3289	}
3290
3291	l2cap_chan_put(chan);
3292}
3293
3294static ssize_t force_bredr_smp_read(struct file *file,
3295				    char __user *user_buf,
3296				    size_t count, loff_t *ppos)
3297{
3298	struct hci_dev *hdev = file->private_data;
3299	char buf[3];
3300
3301	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3302	buf[1] = '\n';
3303	buf[2] = '\0';
3304	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3305}
3306
3307static ssize_t force_bredr_smp_write(struct file *file,
3308				     const char __user *user_buf,
3309				     size_t count, loff_t *ppos)
3310{
3311	struct hci_dev *hdev = file->private_data;
3312	char buf[32];
3313	size_t buf_size = min(count, (sizeof(buf)-1));
3314	bool enable;
3315
3316	if (copy_from_user(buf, user_buf, buf_size))
3317		return -EFAULT;
3318
3319	buf[buf_size] = '\0';
3320	if (strtobool(buf, &enable))
3321		return -EINVAL;
3322
3323	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3324		return -EALREADY;
3325
3326	if (enable) {
3327		struct l2cap_chan *chan;
3328
3329		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3330		if (IS_ERR(chan))
3331			return PTR_ERR(chan);
3332
3333		hdev->smp_bredr_data = chan;
3334	} else {
3335		struct l2cap_chan *chan;
3336
3337		chan = hdev->smp_bredr_data;
3338		hdev->smp_bredr_data = NULL;
3339		smp_del_chan(chan);
3340	}
3341
3342	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3343
3344	return count;
3345}
3346
3347static const struct file_operations force_bredr_smp_fops = {
3348	.open		= simple_open,
3349	.read		= force_bredr_smp_read,
3350	.write		= force_bredr_smp_write,
3351	.llseek		= default_llseek,
3352};
3353
3354static ssize_t le_min_key_size_read(struct file *file,
3355				     char __user *user_buf,
3356				     size_t count, loff_t *ppos)
3357{
3358	struct hci_dev *hdev = file->private_data;
3359	char buf[4];
3360
3361	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3362
3363	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3364}
3365
3366static ssize_t le_min_key_size_write(struct file *file,
3367				      const char __user *user_buf,
3368				      size_t count, loff_t *ppos)
3369{
3370	struct hci_dev *hdev = file->private_data;
3371	char buf[32];
3372	size_t buf_size = min(count, (sizeof(buf) - 1));
3373	u8 key_size;
3374
3375	if (copy_from_user(buf, user_buf, buf_size))
3376		return -EFAULT;
3377
3378	buf[buf_size] = '\0';
3379
3380	sscanf(buf, "%hhu", &key_size);
3381
3382	if (key_size > SMP_DEV(hdev)->max_key_size ||
3383	    key_size < SMP_MIN_ENC_KEY_SIZE)
3384		return -EINVAL;
3385
3386	SMP_DEV(hdev)->min_key_size = key_size;
3387
3388	return count;
3389}
3390
3391static const struct file_operations le_min_key_size_fops = {
3392	.open		= simple_open,
3393	.read		= le_min_key_size_read,
3394	.write		= le_min_key_size_write,
3395	.llseek		= default_llseek,
3396};
3397
3398static ssize_t le_max_key_size_read(struct file *file,
3399				     char __user *user_buf,
3400				     size_t count, loff_t *ppos)
3401{
3402	struct hci_dev *hdev = file->private_data;
3403	char buf[4];
3404
3405	snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3406
3407	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3408}
3409
3410static ssize_t le_max_key_size_write(struct file *file,
3411				      const char __user *user_buf,
3412				      size_t count, loff_t *ppos)
3413{
3414	struct hci_dev *hdev = file->private_data;
3415	char buf[32];
3416	size_t buf_size = min(count, (sizeof(buf) - 1));
3417	u8 key_size;
3418
3419	if (copy_from_user(buf, user_buf, buf_size))
3420		return -EFAULT;
3421
3422	buf[buf_size] = '\0';
3423
3424	sscanf(buf, "%hhu", &key_size);
3425
3426	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3427	    key_size < SMP_DEV(hdev)->min_key_size)
3428		return -EINVAL;
3429
3430	SMP_DEV(hdev)->max_key_size = key_size;
3431
3432	return count;
3433}
3434
3435static const struct file_operations le_max_key_size_fops = {
3436	.open		= simple_open,
3437	.read		= le_max_key_size_read,
3438	.write		= le_max_key_size_write,
3439	.llseek		= default_llseek,
3440};
3441
3442int smp_register(struct hci_dev *hdev)
3443{
3444	struct l2cap_chan *chan;
3445
3446	BT_DBG("%s", hdev->name);
3447
3448	/* If the controller does not support Low Energy operation, then
3449	 * there is also no need to register any SMP channel.
3450	 */
3451	if (!lmp_le_capable(hdev))
3452		return 0;
3453
3454	if (WARN_ON(hdev->smp_data)) {
3455		chan = hdev->smp_data;
3456		hdev->smp_data = NULL;
3457		smp_del_chan(chan);
3458	}
3459
3460	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3461	if (IS_ERR(chan))
3462		return PTR_ERR(chan);
3463
3464	hdev->smp_data = chan;
3465
3466	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3467			    &le_min_key_size_fops);
3468	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3469			    &le_max_key_size_fops);
3470
3471	/* If the controller does not support BR/EDR Secure Connections
3472	 * feature, then the BR/EDR SMP channel shall not be present.
3473	 *
3474	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3475	 * switch that allows forcing BR/EDR SMP support and accepting
3476	 * cross-transport pairing on non-AES encrypted connections.
3477	 */
3478	if (!lmp_sc_capable(hdev)) {
3479		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3480				    hdev, &force_bredr_smp_fops);
3481
3482		/* Flag can be already set here (due to power toggle) */
3483		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3484			return 0;
3485	}
3486
3487	if (WARN_ON(hdev->smp_bredr_data)) {
3488		chan = hdev->smp_bredr_data;
3489		hdev->smp_bredr_data = NULL;
3490		smp_del_chan(chan);
3491	}
3492
3493	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3494	if (IS_ERR(chan)) {
3495		int err = PTR_ERR(chan);
3496		chan = hdev->smp_data;
3497		hdev->smp_data = NULL;
3498		smp_del_chan(chan);
3499		return err;
3500	}
3501
3502	hdev->smp_bredr_data = chan;
3503
3504	return 0;
3505}
3506
3507void smp_unregister(struct hci_dev *hdev)
3508{
3509	struct l2cap_chan *chan;
3510
3511	if (hdev->smp_bredr_data) {
3512		chan = hdev->smp_bredr_data;
3513		hdev->smp_bredr_data = NULL;
3514		smp_del_chan(chan);
3515	}
3516
3517	if (hdev->smp_data) {
3518		chan = hdev->smp_data;
3519		hdev->smp_data = NULL;
3520		smp_del_chan(chan);
3521	}
3522}
3523
3524#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3525
3526static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3527{
3528	u8 pk[64];
3529	int err;
3530
3531	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3532	if (err)
3533		return err;
3534
3535	err = generate_ecdh_public_key(tfm_ecdh, pk);
3536	if (err)
3537		return err;
3538
3539	if (crypto_memneq(pk, debug_pk, 64))
3540		return -EINVAL;
3541
3542	return 0;
3543}
3544
3545static int __init test_ah(struct crypto_cipher *tfm_aes)
3546{
3547	const u8 irk[16] = {
3548			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3549			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3550	const u8 r[3] = { 0x94, 0x81, 0x70 };
3551	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3552	u8 res[3];
3553	int err;
3554
3555	err = smp_ah(tfm_aes, irk, r, res);
3556	if (err)
3557		return err;
3558
3559	if (crypto_memneq(res, exp, 3))
3560		return -EINVAL;
3561
3562	return 0;
3563}
3564
3565static int __init test_c1(struct crypto_cipher *tfm_aes)
3566{
3567	const u8 k[16] = {
3568			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3569			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3570	const u8 r[16] = {
3571			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3572			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3573	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3574	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3575	const u8 _iat = 0x01;
3576	const u8 _rat = 0x00;
3577	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3578	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3579	const u8 exp[16] = {
3580			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3581			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3582	u8 res[16];
3583	int err;
3584
3585	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3586	if (err)
3587		return err;
3588
3589	if (crypto_memneq(res, exp, 16))
3590		return -EINVAL;
3591
3592	return 0;
3593}
3594
3595static int __init test_s1(struct crypto_cipher *tfm_aes)
3596{
3597	const u8 k[16] = {
3598			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3599			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3600	const u8 r1[16] = {
3601			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3602	const u8 r2[16] = {
3603			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3604	const u8 exp[16] = {
3605			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3606			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3607	u8 res[16];
3608	int err;
3609
3610	err = smp_s1(tfm_aes, k, r1, r2, res);
3611	if (err)
3612		return err;
3613
3614	if (crypto_memneq(res, exp, 16))
3615		return -EINVAL;
3616
3617	return 0;
3618}
3619
3620static int __init test_f4(struct crypto_shash *tfm_cmac)
3621{
3622	const u8 u[32] = {
3623			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3624			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3625			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3626			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3627	const u8 v[32] = {
3628			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3629			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3630			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3631			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3632	const u8 x[16] = {
3633			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3634			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3635	const u8 z = 0x00;
3636	const u8 exp[16] = {
3637			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3638			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3639	u8 res[16];
3640	int err;
3641
3642	err = smp_f4(tfm_cmac, u, v, x, z, res);
3643	if (err)
3644		return err;
3645
3646	if (crypto_memneq(res, exp, 16))
3647		return -EINVAL;
3648
3649	return 0;
3650}
3651
3652static int __init test_f5(struct crypto_shash *tfm_cmac)
3653{
3654	const u8 w[32] = {
3655			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3656			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3657			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3658			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3659	const u8 n1[16] = {
3660			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3661			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3662	const u8 n2[16] = {
3663			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3664			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3665	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3666	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3667	const u8 exp_ltk[16] = {
3668			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3669			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3670	const u8 exp_mackey[16] = {
3671			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3672			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3673	u8 mackey[16], ltk[16];
3674	int err;
3675
3676	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3677	if (err)
3678		return err;
3679
3680	if (crypto_memneq(mackey, exp_mackey, 16))
3681		return -EINVAL;
3682
3683	if (crypto_memneq(ltk, exp_ltk, 16))
3684		return -EINVAL;
3685
3686	return 0;
3687}
3688
3689static int __init test_f6(struct crypto_shash *tfm_cmac)
3690{
3691	const u8 w[16] = {
3692			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3693			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3694	const u8 n1[16] = {
3695			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3696			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3697	const u8 n2[16] = {
3698			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3699			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3700	const u8 r[16] = {
3701			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3702			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3703	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3704	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3705	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3706	const u8 exp[16] = {
3707			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3708			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3709	u8 res[16];
3710	int err;
3711
3712	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3713	if (err)
3714		return err;
3715
3716	if (crypto_memneq(res, exp, 16))
3717		return -EINVAL;
3718
3719	return 0;
3720}
3721
3722static int __init test_g2(struct crypto_shash *tfm_cmac)
3723{
3724	const u8 u[32] = {
3725			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3726			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3727			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3728			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3729	const u8 v[32] = {
3730			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3731			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3732			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3733			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3734	const u8 x[16] = {
3735			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3736			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3737	const u8 y[16] = {
3738			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3739			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3740	const u32 exp_val = 0x2f9ed5ba % 1000000;
3741	u32 val;
3742	int err;
3743
3744	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3745	if (err)
3746		return err;
3747
3748	if (val != exp_val)
3749		return -EINVAL;
3750
3751	return 0;
3752}
3753
3754static int __init test_h6(struct crypto_shash *tfm_cmac)
3755{
3756	const u8 w[16] = {
3757			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3758			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3759	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3760	const u8 exp[16] = {
3761			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3762			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3763	u8 res[16];
3764	int err;
3765
3766	err = smp_h6(tfm_cmac, w, key_id, res);
3767	if (err)
3768		return err;
3769
3770	if (crypto_memneq(res, exp, 16))
3771		return -EINVAL;
3772
3773	return 0;
3774}
3775
3776static char test_smp_buffer[32];
3777
3778static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3779			     size_t count, loff_t *ppos)
3780{
3781	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3782				       strlen(test_smp_buffer));
3783}
3784
3785static const struct file_operations test_smp_fops = {
3786	.open		= simple_open,
3787	.read		= test_smp_read,
3788	.llseek		= default_llseek,
3789};
3790
3791static int __init run_selftests(struct crypto_cipher *tfm_aes,
3792				struct crypto_shash *tfm_cmac,
3793				struct crypto_kpp *tfm_ecdh)
3794{
3795	ktime_t calltime, delta, rettime;
3796	unsigned long long duration;
3797	int err;
3798
3799	calltime = ktime_get();
3800
3801	err = test_debug_key(tfm_ecdh);
3802	if (err) {
3803		BT_ERR("debug_key test failed");
3804		goto done;
3805	}
3806
3807	err = test_ah(tfm_aes);
3808	if (err) {
3809		BT_ERR("smp_ah test failed");
3810		goto done;
3811	}
3812
3813	err = test_c1(tfm_aes);
3814	if (err) {
3815		BT_ERR("smp_c1 test failed");
3816		goto done;
3817	}
3818
3819	err = test_s1(tfm_aes);
3820	if (err) {
3821		BT_ERR("smp_s1 test failed");
3822		goto done;
3823	}
3824
3825	err = test_f4(tfm_cmac);
3826	if (err) {
3827		BT_ERR("smp_f4 test failed");
3828		goto done;
3829	}
3830
3831	err = test_f5(tfm_cmac);
3832	if (err) {
3833		BT_ERR("smp_f5 test failed");
3834		goto done;
3835	}
3836
3837	err = test_f6(tfm_cmac);
3838	if (err) {
3839		BT_ERR("smp_f6 test failed");
3840		goto done;
3841	}
3842
3843	err = test_g2(tfm_cmac);
3844	if (err) {
3845		BT_ERR("smp_g2 test failed");
3846		goto done;
3847	}
3848
3849	err = test_h6(tfm_cmac);
3850	if (err) {
3851		BT_ERR("smp_h6 test failed");
3852		goto done;
3853	}
3854
3855	rettime = ktime_get();
3856	delta = ktime_sub(rettime, calltime);
3857	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3858
3859	BT_INFO("SMP test passed in %llu usecs", duration);
3860
3861done:
3862	if (!err)
3863		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3864			 "PASS (%llu usecs)\n", duration);
3865	else
3866		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3867
3868	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3869			    &test_smp_fops);
3870
3871	return err;
3872}
3873
3874int __init bt_selftest_smp(void)
3875{
3876	struct crypto_cipher *tfm_aes;
3877	struct crypto_shash *tfm_cmac;
3878	struct crypto_kpp *tfm_ecdh;
3879	int err;
3880
3881	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3882	if (IS_ERR(tfm_aes)) {
3883		BT_ERR("Unable to create AES crypto context");
3884		return PTR_ERR(tfm_aes);
3885	}
3886
3887	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3888	if (IS_ERR(tfm_cmac)) {
3889		BT_ERR("Unable to create CMAC crypto context");
3890		crypto_free_cipher(tfm_aes);
3891		return PTR_ERR(tfm_cmac);
3892	}
3893
3894	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3895	if (IS_ERR(tfm_ecdh)) {
3896		BT_ERR("Unable to create ECDH crypto context");
3897		crypto_free_shash(tfm_cmac);
3898		crypto_free_cipher(tfm_aes);
3899		return PTR_ERR(tfm_ecdh);
3900	}
3901
3902	err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3903
3904	crypto_free_shash(tfm_cmac);
3905	crypto_free_cipher(tfm_aes);
3906	crypto_free_kpp(tfm_ecdh);
3907
3908	return err;
3909}
3910
3911#endif