net/bluetooth/smp.c at v4.20-rc7

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / net / bluetooth / smp.c
at v4.20-rc7 3939 lines 97 kB view raw
wrap content
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
   4
   5   This program is free software; you can redistribute it and/or modify
   6   it under the terms of the GNU General Public License version 2 as
   7   published by the Free Software Foundation;
   8
   9   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  10   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  11   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  12   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  13   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  14   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17
  18   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  19   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  20   SOFTWARE IS DISCLAIMED.
  21*/
  22
  23#include <linux/debugfs.h>
  24#include <linux/scatterlist.h>
  25#include <linux/crypto.h>
  26#include <crypto/algapi.h>
  27#include <crypto/b128ops.h>
  28#include <crypto/hash.h>
  29#include <crypto/kpp.h>
  30
  31#include <net/bluetooth/bluetooth.h>
  32#include <net/bluetooth/hci_core.h>
  33#include <net/bluetooth/l2cap.h>
  34#include <net/bluetooth/mgmt.h>
  35
  36#include "ecdh_helper.h"
  37#include "smp.h"
  38
  39#define SMP_DEV(hdev) \
  40	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
  41
  42/* Low-level debug macros to be used for stuff that we don't want
  43 * accidentially in dmesg, i.e. the values of the various crypto keys
  44 * and the inputs & outputs of crypto functions.
  45 */
  46#ifdef DEBUG
  47#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
  48				 ##__VA_ARGS__)
  49#else
  50#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
  51				    ##__VA_ARGS__)
  52#endif
  53
  54#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
  55
  56/* Keys which are not distributed with Secure Connections */
  57#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
  58
  59#define SMP_TIMEOUT	msecs_to_jiffies(30000)
  60
  61#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
  62				 0x3f : 0x07)
  63#define KEY_DIST_MASK		0x07
  64
  65/* Maximum message length that can be passed to aes_cmac */
  66#define CMAC_MSG_MAX	80
  67
  68enum {
  69	SMP_FLAG_TK_VALID,
  70	SMP_FLAG_CFM_PENDING,
  71	SMP_FLAG_MITM_AUTH,
  72	SMP_FLAG_COMPLETE,
  73	SMP_FLAG_INITIATOR,
  74	SMP_FLAG_SC,
  75	SMP_FLAG_REMOTE_PK,
  76	SMP_FLAG_DEBUG_KEY,
  77	SMP_FLAG_WAIT_USER,
  78	SMP_FLAG_DHKEY_PENDING,
  79	SMP_FLAG_REMOTE_OOB,
  80	SMP_FLAG_LOCAL_OOB,
  81	SMP_FLAG_CT2,
  82};
  83
  84struct smp_dev {
  85	/* Secure Connections OOB data */
  86	bool			local_oob;
  87	u8			local_pk[64];
  88	u8			local_rand[16];
  89	bool			debug_key;
  90
  91	struct crypto_cipher	*tfm_aes;
  92	struct crypto_shash	*tfm_cmac;
  93	struct crypto_kpp	*tfm_ecdh;
  94};
  95
  96struct smp_chan {
  97	struct l2cap_conn	*conn;
  98	struct delayed_work	security_timer;
  99	unsigned long           allow_cmd; /* Bitmask of allowed commands */
 100
 101	u8		preq[7]; /* SMP Pairing Request */
 102	u8		prsp[7]; /* SMP Pairing Response */
 103	u8		prnd[16]; /* SMP Pairing Random (local) */
 104	u8		rrnd[16]; /* SMP Pairing Random (remote) */
 105	u8		pcnf[16]; /* SMP Pairing Confirm */
 106	u8		tk[16]; /* SMP Temporary Key */
 107	u8		rr[16]; /* Remote OOB ra/rb value */
 108	u8		lr[16]; /* Local OOB ra/rb value */
 109	u8		enc_key_size;
 110	u8		remote_key_dist;
 111	bdaddr_t	id_addr;
 112	u8		id_addr_type;
 113	u8		irk[16];
 114	struct smp_csrk	*csrk;
 115	struct smp_csrk	*slave_csrk;
 116	struct smp_ltk	*ltk;
 117	struct smp_ltk	*slave_ltk;
 118	struct smp_irk	*remote_irk;
 119	u8		*link_key;
 120	unsigned long	flags;
 121	u8		method;
 122	u8		passkey_round;
 123
 124	/* Secure Connections variables */
 125	u8			local_pk[64];
 126	u8			remote_pk[64];
 127	u8			dhkey[32];
 128	u8			mackey[16];
 129
 130	struct crypto_cipher	*tfm_aes;
 131	struct crypto_shash	*tfm_cmac;
 132	struct crypto_kpp	*tfm_ecdh;
 133};
 134
 135/* These debug key values are defined in the SMP section of the core
 136 * specification. debug_pk is the public debug key and debug_sk the
 137 * private debug key.
 138 */
 139static const u8 debug_pk[64] = {
 140		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
 141		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
 142		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
 143		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
 144
 145		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
 146		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
 147		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
 148		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
 149};
 150
 151static const u8 debug_sk[32] = {
 152		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
 153		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
 154		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
 155		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
 156};
 157
 158static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
 159{
 160	size_t i;
 161
 162	for (i = 0; i < len; i++)
 163		dst[len - 1 - i] = src[i];
 164}
 165
 166/* The following functions map to the LE SC SMP crypto functions
 167 * AES-CMAC, f4, f5, f6, g2 and h6.
 168 */
 169
 170static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
 171		    size_t len, u8 mac[16])
 172{
 173	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
 174	SHASH_DESC_ON_STACK(desc, tfm);
 175	int err;
 176
 177	if (len > CMAC_MSG_MAX)
 178		return -EFBIG;
 179
 180	if (!tfm) {
 181		BT_ERR("tfm %p", tfm);
 182		return -EINVAL;
 183	}
 184
 185	desc->tfm = tfm;
 186	desc->flags = 0;
 187
 188	/* Swap key and message from LSB to MSB */
 189	swap_buf(k, tmp, 16);
 190	swap_buf(m, msg_msb, len);
 191
 192	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
 193	SMP_DBG("key %16phN", k);
 194
 195	err = crypto_shash_setkey(tfm, tmp, 16);
 196	if (err) {
 197		BT_ERR("cipher setkey failed: %d", err);
 198		return err;
 199	}
 200
 201	err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
 202	shash_desc_zero(desc);
 203	if (err) {
 204		BT_ERR("Hash computation error %d", err);
 205		return err;
 206	}
 207
 208	swap_buf(mac_msb, mac, 16);
 209
 210	SMP_DBG("mac %16phN", mac);
 211
 212	return 0;
 213}
 214
 215static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
 216		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
 217{
 218	u8 m[65];
 219	int err;
 220
 221	SMP_DBG("u %32phN", u);
 222	SMP_DBG("v %32phN", v);
 223	SMP_DBG("x %16phN z %02x", x, z);
 224
 225	m[0] = z;
 226	memcpy(m + 1, v, 32);
 227	memcpy(m + 33, u, 32);
 228
 229	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
 230	if (err)
 231		return err;
 232
 233	SMP_DBG("res %16phN", res);
 234
 235	return err;
 236}
 237
 238static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
 239		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
 240		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
 241{
 242	/* The btle, salt and length "magic" values are as defined in
 243	 * the SMP section of the Bluetooth core specification. In ASCII
 244	 * the btle value ends up being 'btle'. The salt is just a
 245	 * random number whereas length is the value 256 in little
 246	 * endian format.
 247	 */
 248	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
 249	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
 250			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
 251	const u8 length[2] = { 0x00, 0x01 };
 252	u8 m[53], t[16];
 253	int err;
 254
 255	SMP_DBG("w %32phN", w);
 256	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 257	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
 258
 259	err = aes_cmac(tfm_cmac, salt, w, 32, t);
 260	if (err)
 261		return err;
 262
 263	SMP_DBG("t %16phN", t);
 264
 265	memcpy(m, length, 2);
 266	memcpy(m + 2, a2, 7);
 267	memcpy(m + 9, a1, 7);
 268	memcpy(m + 16, n2, 16);
 269	memcpy(m + 32, n1, 16);
 270	memcpy(m + 48, btle, 4);
 271
 272	m[52] = 0; /* Counter */
 273
 274	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
 275	if (err)
 276		return err;
 277
 278	SMP_DBG("mackey %16phN", mackey);
 279
 280	m[52] = 1; /* Counter */
 281
 282	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
 283	if (err)
 284		return err;
 285
 286	SMP_DBG("ltk %16phN", ltk);
 287
 288	return 0;
 289}
 290
 291static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
 292		  const u8 n1[16], const u8 n2[16], const u8 r[16],
 293		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
 294		  u8 res[16])
 295{
 296	u8 m[65];
 297	int err;
 298
 299	SMP_DBG("w %16phN", w);
 300	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 301	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
 302
 303	memcpy(m, a2, 7);
 304	memcpy(m + 7, a1, 7);
 305	memcpy(m + 14, io_cap, 3);
 306	memcpy(m + 17, r, 16);
 307	memcpy(m + 33, n2, 16);
 308	memcpy(m + 49, n1, 16);
 309
 310	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
 311	if (err)
 312		return err;
 313
 314	SMP_DBG("res %16phN", res);
 315
 316	return err;
 317}
 318
 319static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
 320		  const u8 x[16], const u8 y[16], u32 *val)
 321{
 322	u8 m[80], tmp[16];
 323	int err;
 324
 325	SMP_DBG("u %32phN", u);
 326	SMP_DBG("v %32phN", v);
 327	SMP_DBG("x %16phN y %16phN", x, y);
 328
 329	memcpy(m, y, 16);
 330	memcpy(m + 16, v, 32);
 331	memcpy(m + 48, u, 32);
 332
 333	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
 334	if (err)
 335		return err;
 336
 337	*val = get_unaligned_le32(tmp);
 338	*val %= 1000000;
 339
 340	SMP_DBG("val %06u", *val);
 341
 342	return 0;
 343}
 344
 345static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
 346		  const u8 key_id[4], u8 res[16])
 347{
 348	int err;
 349
 350	SMP_DBG("w %16phN key_id %4phN", w, key_id);
 351
 352	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
 353	if (err)
 354		return err;
 355
 356	SMP_DBG("res %16phN", res);
 357
 358	return err;
 359}
 360
 361static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
 362		  const u8 salt[16], u8 res[16])
 363{
 364	int err;
 365
 366	SMP_DBG("w %16phN salt %16phN", w, salt);
 367
 368	err = aes_cmac(tfm_cmac, salt, w, 16, res);
 369	if (err)
 370		return err;
 371
 372	SMP_DBG("res %16phN", res);
 373
 374	return err;
 375}
 376
 377/* The following functions map to the legacy SMP crypto functions e, c1,
 378 * s1 and ah.
 379 */
 380
 381static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
 382{
 383	uint8_t tmp[16], data[16];
 384	int err;
 385
 386	SMP_DBG("k %16phN r %16phN", k, r);
 387
 388	if (!tfm) {
 389		BT_ERR("tfm %p", tfm);
 390		return -EINVAL;
 391	}
 392
 393	/* The most significant octet of key corresponds to k[0] */
 394	swap_buf(k, tmp, 16);
 395
 396	err = crypto_cipher_setkey(tfm, tmp, 16);
 397	if (err) {
 398		BT_ERR("cipher setkey failed: %d", err);
 399		return err;
 400	}
 401
 402	/* Most significant octet of plaintextData corresponds to data[0] */
 403	swap_buf(r, data, 16);
 404
 405	crypto_cipher_encrypt_one(tfm, data, data);
 406
 407	/* Most significant octet of encryptedData corresponds to data[0] */
 408	swap_buf(data, r, 16);
 409
 410	SMP_DBG("r %16phN", r);
 411
 412	return err;
 413}
 414
 415static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
 416		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
 417		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
 418{
 419	u8 p1[16], p2[16];
 420	int err;
 421
 422	SMP_DBG("k %16phN r %16phN", k, r);
 423	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
 424	SMP_DBG("preq %7phN pres %7phN", preq, pres);
 425
 426	memset(p1, 0, 16);
 427
 428	/* p1 = pres || preq || _rat || _iat */
 429	p1[0] = _iat;
 430	p1[1] = _rat;
 431	memcpy(p1 + 2, preq, 7);
 432	memcpy(p1 + 9, pres, 7);
 433
 434	SMP_DBG("p1 %16phN", p1);
 435
 436	/* res = r XOR p1 */
 437	u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
 438
 439	/* res = e(k, res) */
 440	err = smp_e(tfm_aes, k, res);
 441	if (err) {
 442		BT_ERR("Encrypt data error");
 443		return err;
 444	}
 445
 446	/* p2 = padding || ia || ra */
 447	memcpy(p2, ra, 6);
 448	memcpy(p2 + 6, ia, 6);
 449	memset(p2 + 12, 0, 4);
 450
 451	SMP_DBG("p2 %16phN", p2);
 452
 453	/* res = res XOR p2 */
 454	u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
 455
 456	/* res = e(k, res) */
 457	err = smp_e(tfm_aes, k, res);
 458	if (err)
 459		BT_ERR("Encrypt data error");
 460
 461	return err;
 462}
 463
 464static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
 465		  const u8 r1[16], const u8 r2[16], u8 _r[16])
 466{
 467	int err;
 468
 469	/* Just least significant octets from r1 and r2 are considered */
 470	memcpy(_r, r2, 8);
 471	memcpy(_r + 8, r1, 8);
 472
 473	err = smp_e(tfm_aes, k, _r);
 474	if (err)
 475		BT_ERR("Encrypt data error");
 476
 477	return err;
 478}
 479
 480static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
 481		  const u8 r[3], u8 res[3])
 482{
 483	u8 _res[16];
 484	int err;
 485
 486	/* r' = padding || r */
 487	memcpy(_res, r, 3);
 488	memset(_res + 3, 0, 13);
 489
 490	err = smp_e(tfm, irk, _res);
 491	if (err) {
 492		BT_ERR("Encrypt error");
 493		return err;
 494	}
 495
 496	/* The output of the random address function ah is:
 497	 *	ah(k, r) = e(k, r') mod 2^24
 498	 * The output of the security function e is then truncated to 24 bits
 499	 * by taking the least significant 24 bits of the output of e as the
 500	 * result of ah.
 501	 */
 502	memcpy(res, _res, 3);
 503
 504	return 0;
 505}
 506
 507bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
 508		     const bdaddr_t *bdaddr)
 509{
 510	struct l2cap_chan *chan = hdev->smp_data;
 511	struct smp_dev *smp;
 512	u8 hash[3];
 513	int err;
 514
 515	if (!chan || !chan->data)
 516		return false;
 517
 518	smp = chan->data;
 519
 520	BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
 521
 522	err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
 523	if (err)
 524		return false;
 525
 526	return !crypto_memneq(bdaddr->b, hash, 3);
 527}
 528
 529int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
 530{
 531	struct l2cap_chan *chan = hdev->smp_data;
 532	struct smp_dev *smp;
 533	int err;
 534
 535	if (!chan || !chan->data)
 536		return -EOPNOTSUPP;
 537
 538	smp = chan->data;
 539
 540	get_random_bytes(&rpa->b[3], 3);
 541
 542	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
 543	rpa->b[5] |= 0x40;	/* Set second most significant bit */
 544
 545	err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
 546	if (err < 0)
 547		return err;
 548
 549	BT_DBG("RPA %pMR", rpa);
 550
 551	return 0;
 552}
 553
 554int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
 555{
 556	struct l2cap_chan *chan = hdev->smp_data;
 557	struct smp_dev *smp;
 558	int err;
 559
 560	if (!chan || !chan->data)
 561		return -EOPNOTSUPP;
 562
 563	smp = chan->data;
 564
 565	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
 566		BT_DBG("Using debug keys");
 567		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
 568		if (err)
 569			return err;
 570		memcpy(smp->local_pk, debug_pk, 64);
 571		smp->debug_key = true;
 572	} else {
 573		while (true) {
 574			/* Generate key pair for Secure Connections */
 575			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
 576			if (err)
 577				return err;
 578
 579			/* This is unlikely, but we need to check that
 580			 * we didn't accidentially generate a debug key.
 581			 */
 582			if (crypto_memneq(smp->local_pk, debug_pk, 64))
 583				break;
 584		}
 585		smp->debug_key = false;
 586	}
 587
 588	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
 589	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
 590
 591	get_random_bytes(smp->local_rand, 16);
 592
 593	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
 594		     smp->local_rand, 0, hash);
 595	if (err < 0)
 596		return err;
 597
 598	memcpy(rand, smp->local_rand, 16);
 599
 600	smp->local_oob = true;
 601
 602	return 0;
 603}
 604
 605static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
 606{
 607	struct l2cap_chan *chan = conn->smp;
 608	struct smp_chan *smp;
 609	struct kvec iv[2];
 610	struct msghdr msg;
 611
 612	if (!chan)
 613		return;
 614
 615	BT_DBG("code 0x%2.2x", code);
 616
 617	iv[0].iov_base = &code;
 618	iv[0].iov_len = 1;
 619
 620	iv[1].iov_base = data;
 621	iv[1].iov_len = len;
 622
 623	memset(&msg, 0, sizeof(msg));
 624
 625	iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
 626
 627	l2cap_chan_send(chan, &msg, 1 + len);
 628
 629	if (!chan->data)
 630		return;
 631
 632	smp = chan->data;
 633
 634	cancel_delayed_work_sync(&smp->security_timer);
 635	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
 636}
 637
 638static u8 authreq_to_seclevel(u8 authreq)
 639{
 640	if (authreq & SMP_AUTH_MITM) {
 641		if (authreq & SMP_AUTH_SC)
 642			return BT_SECURITY_FIPS;
 643		else
 644			return BT_SECURITY_HIGH;
 645	} else {
 646		return BT_SECURITY_MEDIUM;
 647	}
 648}
 649
 650static __u8 seclevel_to_authreq(__u8 sec_level)
 651{
 652	switch (sec_level) {
 653	case BT_SECURITY_FIPS:
 654	case BT_SECURITY_HIGH:
 655		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
 656	case BT_SECURITY_MEDIUM:
 657		return SMP_AUTH_BONDING;
 658	default:
 659		return SMP_AUTH_NONE;
 660	}
 661}
 662
 663static void build_pairing_cmd(struct l2cap_conn *conn,
 664			      struct smp_cmd_pairing *req,
 665			      struct smp_cmd_pairing *rsp, __u8 authreq)
 666{
 667	struct l2cap_chan *chan = conn->smp;
 668	struct smp_chan *smp = chan->data;
 669	struct hci_conn *hcon = conn->hcon;
 670	struct hci_dev *hdev = hcon->hdev;
 671	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
 672
 673	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
 674		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 675		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 676		authreq |= SMP_AUTH_BONDING;
 677	} else {
 678		authreq &= ~SMP_AUTH_BONDING;
 679	}
 680
 681	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
 682		remote_dist |= SMP_DIST_ID_KEY;
 683
 684	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
 685		local_dist |= SMP_DIST_ID_KEY;
 686
 687	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
 688	    (authreq & SMP_AUTH_SC)) {
 689		struct oob_data *oob_data;
 690		u8 bdaddr_type;
 691
 692		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
 693			local_dist |= SMP_DIST_LINK_KEY;
 694			remote_dist |= SMP_DIST_LINK_KEY;
 695		}
 696
 697		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
 698			bdaddr_type = BDADDR_LE_PUBLIC;
 699		else
 700			bdaddr_type = BDADDR_LE_RANDOM;
 701
 702		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
 703						    bdaddr_type);
 704		if (oob_data && oob_data->present) {
 705			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
 706			oob_flag = SMP_OOB_PRESENT;
 707			memcpy(smp->rr, oob_data->rand256, 16);
 708			memcpy(smp->pcnf, oob_data->hash256, 16);
 709			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
 710			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
 711		}
 712
 713	} else {
 714		authreq &= ~SMP_AUTH_SC;
 715	}
 716
 717	if (rsp == NULL) {
 718		req->io_capability = conn->hcon->io_capability;
 719		req->oob_flag = oob_flag;
 720		req->max_key_size = hdev->le_max_key_size;
 721		req->init_key_dist = local_dist;
 722		req->resp_key_dist = remote_dist;
 723		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 724
 725		smp->remote_key_dist = remote_dist;
 726		return;
 727	}
 728
 729	rsp->io_capability = conn->hcon->io_capability;
 730	rsp->oob_flag = oob_flag;
 731	rsp->max_key_size = hdev->le_max_key_size;
 732	rsp->init_key_dist = req->init_key_dist & remote_dist;
 733	rsp->resp_key_dist = req->resp_key_dist & local_dist;
 734	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 735
 736	smp->remote_key_dist = rsp->init_key_dist;
 737}
 738
 739static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
 740{
 741	struct l2cap_chan *chan = conn->smp;
 742	struct hci_dev *hdev = conn->hcon->hdev;
 743	struct smp_chan *smp = chan->data;
 744
 745	if (max_key_size > hdev->le_max_key_size ||
 746	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
 747		return SMP_ENC_KEY_SIZE;
 748
 749	smp->enc_key_size = max_key_size;
 750
 751	return 0;
 752}
 753
 754static void smp_chan_destroy(struct l2cap_conn *conn)
 755{
 756	struct l2cap_chan *chan = conn->smp;
 757	struct smp_chan *smp = chan->data;
 758	struct hci_conn *hcon = conn->hcon;
 759	bool complete;
 760
 761	BUG_ON(!smp);
 762
 763	cancel_delayed_work_sync(&smp->security_timer);
 764
 765	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
 766	mgmt_smp_complete(hcon, complete);
 767
 768	kzfree(smp->csrk);
 769	kzfree(smp->slave_csrk);
 770	kzfree(smp->link_key);
 771
 772	crypto_free_cipher(smp->tfm_aes);
 773	crypto_free_shash(smp->tfm_cmac);
 774	crypto_free_kpp(smp->tfm_ecdh);
 775
 776	/* Ensure that we don't leave any debug key around if debug key
 777	 * support hasn't been explicitly enabled.
 778	 */
 779	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
 780	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
 781		list_del_rcu(&smp->ltk->list);
 782		kfree_rcu(smp->ltk, rcu);
 783		smp->ltk = NULL;
 784	}
 785
 786	/* If pairing failed clean up any keys we might have */
 787	if (!complete) {
 788		if (smp->ltk) {
 789			list_del_rcu(&smp->ltk->list);
 790			kfree_rcu(smp->ltk, rcu);
 791		}
 792
 793		if (smp->slave_ltk) {
 794			list_del_rcu(&smp->slave_ltk->list);
 795			kfree_rcu(smp->slave_ltk, rcu);
 796		}
 797
 798		if (smp->remote_irk) {
 799			list_del_rcu(&smp->remote_irk->list);
 800			kfree_rcu(smp->remote_irk, rcu);
 801		}
 802	}
 803
 804	chan->data = NULL;
 805	kzfree(smp);
 806	hci_conn_drop(hcon);
 807}
 808
 809static void smp_failure(struct l2cap_conn *conn, u8 reason)
 810{
 811	struct hci_conn *hcon = conn->hcon;
 812	struct l2cap_chan *chan = conn->smp;
 813
 814	if (reason)
 815		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
 816			     &reason);
 817
 818	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
 819
 820	if (chan->data)
 821		smp_chan_destroy(conn);
 822}
 823
 824#define JUST_WORKS	0x00
 825#define JUST_CFM	0x01
 826#define REQ_PASSKEY	0x02
 827#define CFM_PASSKEY	0x03
 828#define REQ_OOB		0x04
 829#define DSP_PASSKEY	0x05
 830#define OVERLAP		0xFF
 831
 832static const u8 gen_method[5][5] = {
 833	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 834	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 835	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 836	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 837	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 838};
 839
 840static const u8 sc_method[5][5] = {
 841	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 842	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 843	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
 844	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 845	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 846};
 847
 848static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
 849{
 850	/* If either side has unknown io_caps, use JUST_CFM (which gets
 851	 * converted later to JUST_WORKS if we're initiators.
 852	 */
 853	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
 854	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
 855		return JUST_CFM;
 856
 857	if (test_bit(SMP_FLAG_SC, &smp->flags))
 858		return sc_method[remote_io][local_io];
 859
 860	return gen_method[remote_io][local_io];
 861}
 862
 863static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
 864						u8 local_io, u8 remote_io)
 865{
 866	struct hci_conn *hcon = conn->hcon;
 867	struct l2cap_chan *chan = conn->smp;
 868	struct smp_chan *smp = chan->data;
 869	u32 passkey = 0;
 870	int ret = 0;
 871
 872	/* Initialize key for JUST WORKS */
 873	memset(smp->tk, 0, sizeof(smp->tk));
 874	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
 875
 876	BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
 877
 878	/* If neither side wants MITM, either "just" confirm an incoming
 879	 * request or use just-works for outgoing ones. The JUST_CFM
 880	 * will be converted to JUST_WORKS if necessary later in this
 881	 * function. If either side has MITM look up the method from the
 882	 * table.
 883	 */
 884	if (!(auth & SMP_AUTH_MITM))
 885		smp->method = JUST_CFM;
 886	else
 887		smp->method = get_auth_method(smp, local_io, remote_io);
 888
 889	/* Don't confirm locally initiated pairing attempts */
 890	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
 891						&smp->flags))
 892		smp->method = JUST_WORKS;
 893
 894	/* Don't bother user space with no IO capabilities */
 895	if (smp->method == JUST_CFM &&
 896	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
 897		smp->method = JUST_WORKS;
 898
 899	/* If Just Works, Continue with Zero TK */
 900	if (smp->method == JUST_WORKS) {
 901		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 902		return 0;
 903	}
 904
 905	/* If this function is used for SC -> legacy fallback we
 906	 * can only recover the just-works case.
 907	 */
 908	if (test_bit(SMP_FLAG_SC, &smp->flags))
 909		return -EINVAL;
 910
 911	/* Not Just Works/Confirm results in MITM Authentication */
 912	if (smp->method != JUST_CFM) {
 913		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
 914		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
 915			hcon->pending_sec_level = BT_SECURITY_HIGH;
 916	}
 917
 918	/* If both devices have Keyoard-Display I/O, the master
 919	 * Confirms and the slave Enters the passkey.
 920	 */
 921	if (smp->method == OVERLAP) {
 922		if (hcon->role == HCI_ROLE_MASTER)
 923			smp->method = CFM_PASSKEY;
 924		else
 925			smp->method = REQ_PASSKEY;
 926	}
 927
 928	/* Generate random passkey. */
 929	if (smp->method == CFM_PASSKEY) {
 930		memset(smp->tk, 0, sizeof(smp->tk));
 931		get_random_bytes(&passkey, sizeof(passkey));
 932		passkey %= 1000000;
 933		put_unaligned_le32(passkey, smp->tk);
 934		BT_DBG("PassKey: %d", passkey);
 935		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 936	}
 937
 938	if (smp->method == REQ_PASSKEY)
 939		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
 940						hcon->type, hcon->dst_type);
 941	else if (smp->method == JUST_CFM)
 942		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
 943						hcon->type, hcon->dst_type,
 944						passkey, 1);
 945	else
 946		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
 947						hcon->type, hcon->dst_type,
 948						passkey, 0);
 949
 950	return ret;
 951}
 952
 953static u8 smp_confirm(struct smp_chan *smp)
 954{
 955	struct l2cap_conn *conn = smp->conn;
 956	struct smp_cmd_pairing_confirm cp;
 957	int ret;
 958
 959	BT_DBG("conn %p", conn);
 960
 961	ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
 962		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
 963		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
 964		     cp.confirm_val);
 965	if (ret)
 966		return SMP_UNSPECIFIED;
 967
 968	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
 969
 970	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
 971
 972	if (conn->hcon->out)
 973		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
 974	else
 975		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
 976
 977	return 0;
 978}
 979
 980static u8 smp_random(struct smp_chan *smp)
 981{
 982	struct l2cap_conn *conn = smp->conn;
 983	struct hci_conn *hcon = conn->hcon;
 984	u8 confirm[16];
 985	int ret;
 986
 987	if (IS_ERR_OR_NULL(smp->tfm_aes))
 988		return SMP_UNSPECIFIED;
 989
 990	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
 991
 992	ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
 993		     hcon->init_addr_type, &hcon->init_addr,
 994		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
 995	if (ret)
 996		return SMP_UNSPECIFIED;
 997
 998	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
 999		bt_dev_err(hcon->hdev, "pairing failed "
1000			   "(confirmation values mismatch)");
1001		return SMP_CONFIRM_FAILED;
1002	}
1003
1004	if (hcon->out) {
1005		u8 stk[16];
1006		__le64 rand = 0;
1007		__le16 ediv = 0;
1008
1009		smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1010
1011		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1012			return SMP_UNSPECIFIED;
1013
1014		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1015		hcon->enc_key_size = smp->enc_key_size;
1016		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1017	} else {
1018		u8 stk[16], auth;
1019		__le64 rand = 0;
1020		__le16 ediv = 0;
1021
1022		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1023			     smp->prnd);
1024
1025		smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1026
1027		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1028			auth = 1;
1029		else
1030			auth = 0;
1031
1032		/* Even though there's no _SLAVE suffix this is the
1033		 * slave STK we're adding for later lookup (the master
1034		 * STK never needs to be stored).
1035		 */
1036		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1037			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1038	}
1039
1040	return 0;
1041}
1042
1043static void smp_notify_keys(struct l2cap_conn *conn)
1044{
1045	struct l2cap_chan *chan = conn->smp;
1046	struct smp_chan *smp = chan->data;
1047	struct hci_conn *hcon = conn->hcon;
1048	struct hci_dev *hdev = hcon->hdev;
1049	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1050	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1051	bool persistent;
1052
1053	if (hcon->type == ACL_LINK) {
1054		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1055			persistent = false;
1056		else
1057			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1058					       &hcon->flags);
1059	} else {
1060		/* The LTKs, IRKs and CSRKs should be persistent only if
1061		 * both sides had the bonding bit set in their
1062		 * authentication requests.
1063		 */
1064		persistent = !!((req->auth_req & rsp->auth_req) &
1065				SMP_AUTH_BONDING);
1066	}
1067
1068	if (smp->remote_irk) {
1069		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1070
1071		/* Now that user space can be considered to know the
1072		 * identity address track the connection based on it
1073		 * from now on (assuming this is an LE link).
1074		 */
1075		if (hcon->type == LE_LINK) {
1076			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1077			hcon->dst_type = smp->remote_irk->addr_type;
1078			queue_work(hdev->workqueue, &conn->id_addr_update_work);
1079		}
1080	}
1081
1082	if (smp->csrk) {
1083		smp->csrk->bdaddr_type = hcon->dst_type;
1084		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1085		mgmt_new_csrk(hdev, smp->csrk, persistent);
1086	}
1087
1088	if (smp->slave_csrk) {
1089		smp->slave_csrk->bdaddr_type = hcon->dst_type;
1090		bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1091		mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1092	}
1093
1094	if (smp->ltk) {
1095		smp->ltk->bdaddr_type = hcon->dst_type;
1096		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1097		mgmt_new_ltk(hdev, smp->ltk, persistent);
1098	}
1099
1100	if (smp->slave_ltk) {
1101		smp->slave_ltk->bdaddr_type = hcon->dst_type;
1102		bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1103		mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1104	}
1105
1106	if (smp->link_key) {
1107		struct link_key *key;
1108		u8 type;
1109
1110		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1111			type = HCI_LK_DEBUG_COMBINATION;
1112		else if (hcon->sec_level == BT_SECURITY_FIPS)
1113			type = HCI_LK_AUTH_COMBINATION_P256;
1114		else
1115			type = HCI_LK_UNAUTH_COMBINATION_P256;
1116
1117		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1118				       smp->link_key, type, 0, &persistent);
1119		if (key) {
1120			mgmt_new_link_key(hdev, key, persistent);
1121
1122			/* Don't keep debug keys around if the relevant
1123			 * flag is not set.
1124			 */
1125			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1126			    key->type == HCI_LK_DEBUG_COMBINATION) {
1127				list_del_rcu(&key->list);
1128				kfree_rcu(key, rcu);
1129			}
1130		}
1131	}
1132}
1133
1134static void sc_add_ltk(struct smp_chan *smp)
1135{
1136	struct hci_conn *hcon = smp->conn->hcon;
1137	u8 key_type, auth;
1138
1139	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1140		key_type = SMP_LTK_P256_DEBUG;
1141	else
1142		key_type = SMP_LTK_P256;
1143
1144	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1145		auth = 1;
1146	else
1147		auth = 0;
1148
1149	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1150			       key_type, auth, smp->tk, smp->enc_key_size,
1151			       0, 0);
1152}
1153
1154static void sc_generate_link_key(struct smp_chan *smp)
1155{
1156	/* From core spec. Spells out in ASCII as 'lebr'. */
1157	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1158
1159	smp->link_key = kzalloc(16, GFP_KERNEL);
1160	if (!smp->link_key)
1161		return;
1162
1163	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1164		/* SALT = 0x00000000000000000000000000000000746D7031 */
1165		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1166
1167		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1168			kzfree(smp->link_key);
1169			smp->link_key = NULL;
1170			return;
1171		}
1172	} else {
1173		/* From core spec. Spells out in ASCII as 'tmp1'. */
1174		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1175
1176		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1177			kzfree(smp->link_key);
1178			smp->link_key = NULL;
1179			return;
1180		}
1181	}
1182
1183	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184		kzfree(smp->link_key);
1185		smp->link_key = NULL;
1186		return;
1187	}
1188}
1189
1190static void smp_allow_key_dist(struct smp_chan *smp)
1191{
1192	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1193	 * will be allowed in each PDU handler to ensure we receive
1194	 * them in the correct order.
1195	 */
1196	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202}
1203
1204static void sc_generate_ltk(struct smp_chan *smp)
1205{
1206	/* From core spec. Spells out in ASCII as 'brle'. */
1207	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1208	struct hci_conn *hcon = smp->conn->hcon;
1209	struct hci_dev *hdev = hcon->hdev;
1210	struct link_key *key;
1211
1212	key = hci_find_link_key(hdev, &hcon->dst);
1213	if (!key) {
1214		bt_dev_err(hdev, "no Link Key found to generate LTK");
1215		return;
1216	}
1217
1218	if (key->type == HCI_LK_DEBUG_COMBINATION)
1219		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1220
1221	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1222		/* SALT = 0x00000000000000000000000000000000746D7032 */
1223		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1224
1225		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1226			return;
1227	} else {
1228		/* From core spec. Spells out in ASCII as 'tmp2'. */
1229		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1230
1231		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1232			return;
1233	}
1234
1235	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1236		return;
1237
1238	sc_add_ltk(smp);
1239}
1240
1241static void smp_distribute_keys(struct smp_chan *smp)
1242{
1243	struct smp_cmd_pairing *req, *rsp;
1244	struct l2cap_conn *conn = smp->conn;
1245	struct hci_conn *hcon = conn->hcon;
1246	struct hci_dev *hdev = hcon->hdev;
1247	__u8 *keydist;
1248
1249	BT_DBG("conn %p", conn);
1250
1251	rsp = (void *) &smp->prsp[1];
1252
1253	/* The responder sends its keys first */
1254	if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1255		smp_allow_key_dist(smp);
1256		return;
1257	}
1258
1259	req = (void *) &smp->preq[1];
1260
1261	if (hcon->out) {
1262		keydist = &rsp->init_key_dist;
1263		*keydist &= req->init_key_dist;
1264	} else {
1265		keydist = &rsp->resp_key_dist;
1266		*keydist &= req->resp_key_dist;
1267	}
1268
1269	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271			sc_generate_link_key(smp);
1272		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273			sc_generate_ltk(smp);
1274
1275		/* Clear the keys which are generated but not distributed */
1276		*keydist &= ~SMP_SC_NO_DIST;
1277	}
1278
1279	BT_DBG("keydist 0x%x", *keydist);
1280
1281	if (*keydist & SMP_DIST_ENC_KEY) {
1282		struct smp_cmd_encrypt_info enc;
1283		struct smp_cmd_master_ident ident;
1284		struct smp_ltk *ltk;
1285		u8 authenticated;
1286		__le16 ediv;
1287		__le64 rand;
1288
1289		/* Make sure we generate only the significant amount of
1290		 * bytes based on the encryption key size, and set the rest
1291		 * of the value to zeroes.
1292		 */
1293		get_random_bytes(enc.ltk, smp->enc_key_size);
1294		memset(enc.ltk + smp->enc_key_size, 0,
1295		       sizeof(enc.ltk) - smp->enc_key_size);
1296
1297		get_random_bytes(&ediv, sizeof(ediv));
1298		get_random_bytes(&rand, sizeof(rand));
1299
1300		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301
1302		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304				  SMP_LTK_SLAVE, authenticated, enc.ltk,
1305				  smp->enc_key_size, ediv, rand);
1306		smp->slave_ltk = ltk;
1307
1308		ident.ediv = ediv;
1309		ident.rand = rand;
1310
1311		smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1312
1313		*keydist &= ~SMP_DIST_ENC_KEY;
1314	}
1315
1316	if (*keydist & SMP_DIST_ID_KEY) {
1317		struct smp_cmd_ident_addr_info addrinfo;
1318		struct smp_cmd_ident_info idinfo;
1319
1320		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1321
1322		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1323
1324		/* The hci_conn contains the local identity address
1325		 * after the connection has been established.
1326		 *
1327		 * This is true even when the connection has been
1328		 * established using a resolvable random address.
1329		 */
1330		bacpy(&addrinfo.bdaddr, &hcon->src);
1331		addrinfo.addr_type = hcon->src_type;
1332
1333		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1334			     &addrinfo);
1335
1336		*keydist &= ~SMP_DIST_ID_KEY;
1337	}
1338
1339	if (*keydist & SMP_DIST_SIGN) {
1340		struct smp_cmd_sign_info sign;
1341		struct smp_csrk *csrk;
1342
1343		/* Generate a new random key */
1344		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1345
1346		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1347		if (csrk) {
1348			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1349				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1350			else
1351				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1352			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1353		}
1354		smp->slave_csrk = csrk;
1355
1356		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1357
1358		*keydist &= ~SMP_DIST_SIGN;
1359	}
1360
1361	/* If there are still keys to be received wait for them */
1362	if (smp->remote_key_dist & KEY_DIST_MASK) {
1363		smp_allow_key_dist(smp);
1364		return;
1365	}
1366
1367	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1368	smp_notify_keys(conn);
1369
1370	smp_chan_destroy(conn);
1371}
1372
1373static void smp_timeout(struct work_struct *work)
1374{
1375	struct smp_chan *smp = container_of(work, struct smp_chan,
1376					    security_timer.work);
1377	struct l2cap_conn *conn = smp->conn;
1378
1379	BT_DBG("conn %p", conn);
1380
1381	hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1382}
1383
1384static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1385{
1386	struct l2cap_chan *chan = conn->smp;
1387	struct smp_chan *smp;
1388
1389	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1390	if (!smp)
1391		return NULL;
1392
1393	smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1394	if (IS_ERR(smp->tfm_aes)) {
1395		BT_ERR("Unable to create AES crypto context");
1396		goto zfree_smp;
1397	}
1398
1399	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1400	if (IS_ERR(smp->tfm_cmac)) {
1401		BT_ERR("Unable to create CMAC crypto context");
1402		goto free_cipher;
1403	}
1404
1405	smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1406	if (IS_ERR(smp->tfm_ecdh)) {
1407		BT_ERR("Unable to create ECDH crypto context");
1408		goto free_shash;
1409	}
1410
1411	smp->conn = conn;
1412	chan->data = smp;
1413
1414	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1415
1416	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1417
1418	hci_conn_hold(conn->hcon);
1419
1420	return smp;
1421
1422free_shash:
1423	crypto_free_shash(smp->tfm_cmac);
1424free_cipher:
1425	crypto_free_cipher(smp->tfm_aes);
1426zfree_smp:
1427	kzfree(smp);
1428	return NULL;
1429}
1430
1431static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1432{
1433	struct hci_conn *hcon = smp->conn->hcon;
1434	u8 *na, *nb, a[7], b[7];
1435
1436	if (hcon->out) {
1437		na   = smp->prnd;
1438		nb   = smp->rrnd;
1439	} else {
1440		na   = smp->rrnd;
1441		nb   = smp->prnd;
1442	}
1443
1444	memcpy(a, &hcon->init_addr, 6);
1445	memcpy(b, &hcon->resp_addr, 6);
1446	a[6] = hcon->init_addr_type;
1447	b[6] = hcon->resp_addr_type;
1448
1449	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1450}
1451
1452static void sc_dhkey_check(struct smp_chan *smp)
1453{
1454	struct hci_conn *hcon = smp->conn->hcon;
1455	struct smp_cmd_dhkey_check check;
1456	u8 a[7], b[7], *local_addr, *remote_addr;
1457	u8 io_cap[3], r[16];
1458
1459	memcpy(a, &hcon->init_addr, 6);
1460	memcpy(b, &hcon->resp_addr, 6);
1461	a[6] = hcon->init_addr_type;
1462	b[6] = hcon->resp_addr_type;
1463
1464	if (hcon->out) {
1465		local_addr = a;
1466		remote_addr = b;
1467		memcpy(io_cap, &smp->preq[1], 3);
1468	} else {
1469		local_addr = b;
1470		remote_addr = a;
1471		memcpy(io_cap, &smp->prsp[1], 3);
1472	}
1473
1474	memset(r, 0, sizeof(r));
1475
1476	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1477		put_unaligned_le32(hcon->passkey_notify, r);
1478
1479	if (smp->method == REQ_OOB)
1480		memcpy(r, smp->rr, 16);
1481
1482	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1483	       local_addr, remote_addr, check.e);
1484
1485	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1486}
1487
1488static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1489{
1490	struct l2cap_conn *conn = smp->conn;
1491	struct hci_conn *hcon = conn->hcon;
1492	struct smp_cmd_pairing_confirm cfm;
1493	u8 r;
1494
1495	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1496	r |= 0x80;
1497
1498	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1499
1500	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1501		   cfm.confirm_val))
1502		return SMP_UNSPECIFIED;
1503
1504	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1505
1506	return 0;
1507}
1508
1509static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1510{
1511	struct l2cap_conn *conn = smp->conn;
1512	struct hci_conn *hcon = conn->hcon;
1513	struct hci_dev *hdev = hcon->hdev;
1514	u8 cfm[16], r;
1515
1516	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1517	if (smp->passkey_round >= 20)
1518		return 0;
1519
1520	switch (smp_op) {
1521	case SMP_CMD_PAIRING_RANDOM:
1522		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1523		r |= 0x80;
1524
1525		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1526			   smp->rrnd, r, cfm))
1527			return SMP_UNSPECIFIED;
1528
1529		if (crypto_memneq(smp->pcnf, cfm, 16))
1530			return SMP_CONFIRM_FAILED;
1531
1532		smp->passkey_round++;
1533
1534		if (smp->passkey_round == 20) {
1535			/* Generate MacKey and LTK */
1536			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1537				return SMP_UNSPECIFIED;
1538		}
1539
1540		/* The round is only complete when the initiator
1541		 * receives pairing random.
1542		 */
1543		if (!hcon->out) {
1544			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1545				     sizeof(smp->prnd), smp->prnd);
1546			if (smp->passkey_round == 20)
1547				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1548			else
1549				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1550			return 0;
1551		}
1552
1553		/* Start the next round */
1554		if (smp->passkey_round != 20)
1555			return sc_passkey_round(smp, 0);
1556
1557		/* Passkey rounds are complete - start DHKey Check */
1558		sc_dhkey_check(smp);
1559		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1560
1561		break;
1562
1563	case SMP_CMD_PAIRING_CONFIRM:
1564		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1565			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1566			return 0;
1567		}
1568
1569		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1570
1571		if (hcon->out) {
1572			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1573				     sizeof(smp->prnd), smp->prnd);
1574			return 0;
1575		}
1576
1577		return sc_passkey_send_confirm(smp);
1578
1579	case SMP_CMD_PUBLIC_KEY:
1580	default:
1581		/* Initiating device starts the round */
1582		if (!hcon->out)
1583			return 0;
1584
1585		BT_DBG("%s Starting passkey round %u", hdev->name,
1586		       smp->passkey_round + 1);
1587
1588		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1589
1590		return sc_passkey_send_confirm(smp);
1591	}
1592
1593	return 0;
1594}
1595
1596static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1597{
1598	struct l2cap_conn *conn = smp->conn;
1599	struct hci_conn *hcon = conn->hcon;
1600	u8 smp_op;
1601
1602	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1603
1604	switch (mgmt_op) {
1605	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1606		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1607		return 0;
1608	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1609		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1610		return 0;
1611	case MGMT_OP_USER_PASSKEY_REPLY:
1612		hcon->passkey_notify = le32_to_cpu(passkey);
1613		smp->passkey_round = 0;
1614
1615		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1616			smp_op = SMP_CMD_PAIRING_CONFIRM;
1617		else
1618			smp_op = 0;
1619
1620		if (sc_passkey_round(smp, smp_op))
1621			return -EIO;
1622
1623		return 0;
1624	}
1625
1626	/* Initiator sends DHKey check first */
1627	if (hcon->out) {
1628		sc_dhkey_check(smp);
1629		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1630	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1631		sc_dhkey_check(smp);
1632		sc_add_ltk(smp);
1633	}
1634
1635	return 0;
1636}
1637
1638int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1639{
1640	struct l2cap_conn *conn = hcon->l2cap_data;
1641	struct l2cap_chan *chan;
1642	struct smp_chan *smp;
1643	u32 value;
1644	int err;
1645
1646	BT_DBG("");
1647
1648	if (!conn)
1649		return -ENOTCONN;
1650
1651	chan = conn->smp;
1652	if (!chan)
1653		return -ENOTCONN;
1654
1655	l2cap_chan_lock(chan);
1656	if (!chan->data) {
1657		err = -ENOTCONN;
1658		goto unlock;
1659	}
1660
1661	smp = chan->data;
1662
1663	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1664		err = sc_user_reply(smp, mgmt_op, passkey);
1665		goto unlock;
1666	}
1667
1668	switch (mgmt_op) {
1669	case MGMT_OP_USER_PASSKEY_REPLY:
1670		value = le32_to_cpu(passkey);
1671		memset(smp->tk, 0, sizeof(smp->tk));
1672		BT_DBG("PassKey: %d", value);
1673		put_unaligned_le32(value, smp->tk);
1674		/* Fall Through */
1675	case MGMT_OP_USER_CONFIRM_REPLY:
1676		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1677		break;
1678	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1679	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1680		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1681		err = 0;
1682		goto unlock;
1683	default:
1684		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1685		err = -EOPNOTSUPP;
1686		goto unlock;
1687	}
1688
1689	err = 0;
1690
1691	/* If it is our turn to send Pairing Confirm, do so now */
1692	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1693		u8 rsp = smp_confirm(smp);
1694		if (rsp)
1695			smp_failure(conn, rsp);
1696	}
1697
1698unlock:
1699	l2cap_chan_unlock(chan);
1700	return err;
1701}
1702
1703static void build_bredr_pairing_cmd(struct smp_chan *smp,
1704				    struct smp_cmd_pairing *req,
1705				    struct smp_cmd_pairing *rsp)
1706{
1707	struct l2cap_conn *conn = smp->conn;
1708	struct hci_dev *hdev = conn->hcon->hdev;
1709	u8 local_dist = 0, remote_dist = 0;
1710
1711	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1712		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1714	}
1715
1716	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1717		remote_dist |= SMP_DIST_ID_KEY;
1718
1719	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1720		local_dist |= SMP_DIST_ID_KEY;
1721
1722	if (!rsp) {
1723		memset(req, 0, sizeof(*req));
1724
1725		req->auth_req        = SMP_AUTH_CT2;
1726		req->init_key_dist   = local_dist;
1727		req->resp_key_dist   = remote_dist;
1728		req->max_key_size    = conn->hcon->enc_key_size;
1729
1730		smp->remote_key_dist = remote_dist;
1731
1732		return;
1733	}
1734
1735	memset(rsp, 0, sizeof(*rsp));
1736
1737	rsp->auth_req        = SMP_AUTH_CT2;
1738	rsp->max_key_size    = conn->hcon->enc_key_size;
1739	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1740	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1741
1742	smp->remote_key_dist = rsp->init_key_dist;
1743}
1744
1745static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1746{
1747	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1748	struct l2cap_chan *chan = conn->smp;
1749	struct hci_dev *hdev = conn->hcon->hdev;
1750	struct smp_chan *smp;
1751	u8 key_size, auth, sec_level;
1752	int ret;
1753
1754	BT_DBG("conn %p", conn);
1755
1756	if (skb->len < sizeof(*req))
1757		return SMP_INVALID_PARAMS;
1758
1759	if (conn->hcon->role != HCI_ROLE_SLAVE)
1760		return SMP_CMD_NOTSUPP;
1761
1762	if (!chan->data)
1763		smp = smp_chan_create(conn);
1764	else
1765		smp = chan->data;
1766
1767	if (!smp)
1768		return SMP_UNSPECIFIED;
1769
1770	/* We didn't start the pairing, so match remote */
1771	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1772
1773	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1774	    (auth & SMP_AUTH_BONDING))
1775		return SMP_PAIRING_NOTSUPP;
1776
1777	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1778		return SMP_AUTH_REQUIREMENTS;
1779
1780	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1781	memcpy(&smp->preq[1], req, sizeof(*req));
1782	skb_pull(skb, sizeof(*req));
1783
1784	/* If the remote side's OOB flag is set it means it has
1785	 * successfully received our local OOB data - therefore set the
1786	 * flag to indicate that local OOB is in use.
1787	 */
1788	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1789		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1790
1791	/* SMP over BR/EDR requires special treatment */
1792	if (conn->hcon->type == ACL_LINK) {
1793		/* We must have a BR/EDR SC link */
1794		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1795		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1796			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1797
1798		set_bit(SMP_FLAG_SC, &smp->flags);
1799
1800		build_bredr_pairing_cmd(smp, req, &rsp);
1801
1802		if (req->auth_req & SMP_AUTH_CT2)
1803			set_bit(SMP_FLAG_CT2, &smp->flags);
1804
1805		key_size = min(req->max_key_size, rsp.max_key_size);
1806		if (check_enc_key_size(conn, key_size))
1807			return SMP_ENC_KEY_SIZE;
1808
1809		/* Clear bits which are generated but not distributed */
1810		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1811
1812		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1813		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1814		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1815
1816		smp_distribute_keys(smp);
1817		return 0;
1818	}
1819
1820	build_pairing_cmd(conn, req, &rsp, auth);
1821
1822	if (rsp.auth_req & SMP_AUTH_SC) {
1823		set_bit(SMP_FLAG_SC, &smp->flags);
1824
1825		if (rsp.auth_req & SMP_AUTH_CT2)
1826			set_bit(SMP_FLAG_CT2, &smp->flags);
1827	}
1828
1829	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1830		sec_level = BT_SECURITY_MEDIUM;
1831	else
1832		sec_level = authreq_to_seclevel(auth);
1833
1834	if (sec_level > conn->hcon->pending_sec_level)
1835		conn->hcon->pending_sec_level = sec_level;
1836
1837	/* If we need MITM check that it can be achieved */
1838	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1839		u8 method;
1840
1841		method = get_auth_method(smp, conn->hcon->io_capability,
1842					 req->io_capability);
1843		if (method == JUST_WORKS || method == JUST_CFM)
1844			return SMP_AUTH_REQUIREMENTS;
1845	}
1846
1847	key_size = min(req->max_key_size, rsp.max_key_size);
1848	if (check_enc_key_size(conn, key_size))
1849		return SMP_ENC_KEY_SIZE;
1850
1851	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1852
1853	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1854	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1855
1856	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1857
1858	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1859
1860	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1861	 * SC case, however some implementations incorrectly copy RFU auth
1862	 * req bits from our security request, which may create a false
1863	 * positive SC enablement.
1864	 */
1865	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1866
1867	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1868		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1869		/* Clear bits which are generated but not distributed */
1870		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1871		/* Wait for Public Key from Initiating Device */
1872		return 0;
1873	}
1874
1875	/* Request setup of TK */
1876	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1877	if (ret)
1878		return SMP_UNSPECIFIED;
1879
1880	return 0;
1881}
1882
1883static u8 sc_send_public_key(struct smp_chan *smp)
1884{
1885	struct hci_dev *hdev = smp->conn->hcon->hdev;
1886
1887	BT_DBG("");
1888
1889	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1890		struct l2cap_chan *chan = hdev->smp_data;
1891		struct smp_dev *smp_dev;
1892
1893		if (!chan || !chan->data)
1894			return SMP_UNSPECIFIED;
1895
1896		smp_dev = chan->data;
1897
1898		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1899		memcpy(smp->lr, smp_dev->local_rand, 16);
1900
1901		if (smp_dev->debug_key)
1902			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1903
1904		goto done;
1905	}
1906
1907	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1908		BT_DBG("Using debug keys");
1909		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1910			return SMP_UNSPECIFIED;
1911		memcpy(smp->local_pk, debug_pk, 64);
1912		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1913	} else {
1914		while (true) {
1915			/* Generate key pair for Secure Connections */
1916			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1917				return SMP_UNSPECIFIED;
1918
1919			/* This is unlikely, but we need to check that
1920			 * we didn't accidentially generate a debug key.
1921			 */
1922			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1923				break;
1924		}
1925	}
1926
1927done:
1928	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1929	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1930
1931	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1932
1933	return 0;
1934}
1935
1936static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1937{
1938	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1939	struct l2cap_chan *chan = conn->smp;
1940	struct smp_chan *smp = chan->data;
1941	struct hci_dev *hdev = conn->hcon->hdev;
1942	u8 key_size, auth;
1943	int ret;
1944
1945	BT_DBG("conn %p", conn);
1946
1947	if (skb->len < sizeof(*rsp))
1948		return SMP_INVALID_PARAMS;
1949
1950	if (conn->hcon->role != HCI_ROLE_MASTER)
1951		return SMP_CMD_NOTSUPP;
1952
1953	skb_pull(skb, sizeof(*rsp));
1954
1955	req = (void *) &smp->preq[1];
1956
1957	key_size = min(req->max_key_size, rsp->max_key_size);
1958	if (check_enc_key_size(conn, key_size))
1959		return SMP_ENC_KEY_SIZE;
1960
1961	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1962
1963	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1964		return SMP_AUTH_REQUIREMENTS;
1965
1966	/* If the remote side's OOB flag is set it means it has
1967	 * successfully received our local OOB data - therefore set the
1968	 * flag to indicate that local OOB is in use.
1969	 */
1970	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1971		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1972
1973	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1974	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1975
1976	/* Update remote key distribution in case the remote cleared
1977	 * some bits that we had enabled in our request.
1978	 */
1979	smp->remote_key_dist &= rsp->resp_key_dist;
1980
1981	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1982		set_bit(SMP_FLAG_CT2, &smp->flags);
1983
1984	/* For BR/EDR this means we're done and can start phase 3 */
1985	if (conn->hcon->type == ACL_LINK) {
1986		/* Clear bits which are generated but not distributed */
1987		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1988		smp_distribute_keys(smp);
1989		return 0;
1990	}
1991
1992	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1993		set_bit(SMP_FLAG_SC, &smp->flags);
1994	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1995		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1996
1997	/* If we need MITM check that it can be achieved */
1998	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1999		u8 method;
2000
2001		method = get_auth_method(smp, req->io_capability,
2002					 rsp->io_capability);
2003		if (method == JUST_WORKS || method == JUST_CFM)
2004			return SMP_AUTH_REQUIREMENTS;
2005	}
2006
2007	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2008
2009	/* Update remote key distribution in case the remote cleared
2010	 * some bits that we had enabled in our request.
2011	 */
2012	smp->remote_key_dist &= rsp->resp_key_dist;
2013
2014	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2015		/* Clear bits which are generated but not distributed */
2016		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2017		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2018		return sc_send_public_key(smp);
2019	}
2020
2021	auth |= req->auth_req;
2022
2023	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2024	if (ret)
2025		return SMP_UNSPECIFIED;
2026
2027	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2028
2029	/* Can't compose response until we have been confirmed */
2030	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2031		return smp_confirm(smp);
2032
2033	return 0;
2034}
2035
2036static u8 sc_check_confirm(struct smp_chan *smp)
2037{
2038	struct l2cap_conn *conn = smp->conn;
2039
2040	BT_DBG("");
2041
2042	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2043		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2044
2045	if (conn->hcon->out) {
2046		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2047			     smp->prnd);
2048		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2049	}
2050
2051	return 0;
2052}
2053
2054/* Work-around for some implementations that incorrectly copy RFU bits
2055 * from our security request and thereby create the impression that
2056 * we're doing SC when in fact the remote doesn't support it.
2057 */
2058static int fixup_sc_false_positive(struct smp_chan *smp)
2059{
2060	struct l2cap_conn *conn = smp->conn;
2061	struct hci_conn *hcon = conn->hcon;
2062	struct hci_dev *hdev = hcon->hdev;
2063	struct smp_cmd_pairing *req, *rsp;
2064	u8 auth;
2065
2066	/* The issue is only observed when we're in slave role */
2067	if (hcon->out)
2068		return SMP_UNSPECIFIED;
2069
2070	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2071		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2072		return SMP_UNSPECIFIED;
2073	}
2074
2075	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2076
2077	req = (void *) &smp->preq[1];
2078	rsp = (void *) &smp->prsp[1];
2079
2080	/* Rebuild key dist flags which may have been cleared for SC */
2081	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2082
2083	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2084
2085	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2086		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2087		return SMP_UNSPECIFIED;
2088	}
2089
2090	clear_bit(SMP_FLAG_SC, &smp->flags);
2091
2092	return 0;
2093}
2094
2095static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2096{
2097	struct l2cap_chan *chan = conn->smp;
2098	struct smp_chan *smp = chan->data;
2099
2100	BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2101
2102	if (skb->len < sizeof(smp->pcnf))
2103		return SMP_INVALID_PARAMS;
2104
2105	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2106	skb_pull(skb, sizeof(smp->pcnf));
2107
2108	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2109		int ret;
2110
2111		/* Public Key exchange must happen before any other steps */
2112		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2113			return sc_check_confirm(smp);
2114
2115		BT_ERR("Unexpected SMP Pairing Confirm");
2116
2117		ret = fixup_sc_false_positive(smp);
2118		if (ret)
2119			return ret;
2120	}
2121
2122	if (conn->hcon->out) {
2123		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2124			     smp->prnd);
2125		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2126		return 0;
2127	}
2128
2129	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2130		return smp_confirm(smp);
2131
2132	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2133
2134	return 0;
2135}
2136
2137static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2138{
2139	struct l2cap_chan *chan = conn->smp;
2140	struct smp_chan *smp = chan->data;
2141	struct hci_conn *hcon = conn->hcon;
2142	u8 *pkax, *pkbx, *na, *nb;
2143	u32 passkey;
2144	int err;
2145
2146	BT_DBG("conn %p", conn);
2147
2148	if (skb->len < sizeof(smp->rrnd))
2149		return SMP_INVALID_PARAMS;
2150
2151	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2152	skb_pull(skb, sizeof(smp->rrnd));
2153
2154	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2155		return smp_random(smp);
2156
2157	if (hcon->out) {
2158		pkax = smp->local_pk;
2159		pkbx = smp->remote_pk;
2160		na   = smp->prnd;
2161		nb   = smp->rrnd;
2162	} else {
2163		pkax = smp->remote_pk;
2164		pkbx = smp->local_pk;
2165		na   = smp->rrnd;
2166		nb   = smp->prnd;
2167	}
2168
2169	if (smp->method == REQ_OOB) {
2170		if (!hcon->out)
2171			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2172				     sizeof(smp->prnd), smp->prnd);
2173		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2174		goto mackey_and_ltk;
2175	}
2176
2177	/* Passkey entry has special treatment */
2178	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2179		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2180
2181	if (hcon->out) {
2182		u8 cfm[16];
2183
2184		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2185			     smp->rrnd, 0, cfm);
2186		if (err)
2187			return SMP_UNSPECIFIED;
2188
2189		if (crypto_memneq(smp->pcnf, cfm, 16))
2190			return SMP_CONFIRM_FAILED;
2191	} else {
2192		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2193			     smp->prnd);
2194		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2195	}
2196
2197mackey_and_ltk:
2198	/* Generate MacKey and LTK */
2199	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200	if (err)
2201		return SMP_UNSPECIFIED;
2202
2203	if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2204		if (hcon->out) {
2205			sc_dhkey_check(smp);
2206			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2207		}
2208		return 0;
2209	}
2210
2211	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212	if (err)
2213		return SMP_UNSPECIFIED;
2214
2215	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2216					hcon->dst_type, passkey, 0);
2217	if (err)
2218		return SMP_UNSPECIFIED;
2219
2220	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2221
2222	return 0;
2223}
2224
2225static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2226{
2227	struct smp_ltk *key;
2228	struct hci_conn *hcon = conn->hcon;
2229
2230	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2231	if (!key)
2232		return false;
2233
2234	if (smp_ltk_sec_level(key) < sec_level)
2235		return false;
2236
2237	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2238		return true;
2239
2240	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2241	hcon->enc_key_size = key->enc_size;
2242
2243	/* We never store STKs for master role, so clear this flag */
2244	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2245
2246	return true;
2247}
2248
2249bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2250			     enum smp_key_pref key_pref)
2251{
2252	if (sec_level == BT_SECURITY_LOW)
2253		return true;
2254
2255	/* If we're encrypted with an STK but the caller prefers using
2256	 * LTK claim insufficient security. This way we allow the
2257	 * connection to be re-encrypted with an LTK, even if the LTK
2258	 * provides the same level of security. Only exception is if we
2259	 * don't have an LTK (e.g. because of key distribution bits).
2260	 */
2261	if (key_pref == SMP_USE_LTK &&
2262	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2263	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2264		return false;
2265
2266	if (hcon->sec_level >= sec_level)
2267		return true;
2268
2269	return false;
2270}
2271
2272static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2273{
2274	struct smp_cmd_security_req *rp = (void *) skb->data;
2275	struct smp_cmd_pairing cp;
2276	struct hci_conn *hcon = conn->hcon;
2277	struct hci_dev *hdev = hcon->hdev;
2278	struct smp_chan *smp;
2279	u8 sec_level, auth;
2280
2281	BT_DBG("conn %p", conn);
2282
2283	if (skb->len < sizeof(*rp))
2284		return SMP_INVALID_PARAMS;
2285
2286	if (hcon->role != HCI_ROLE_MASTER)
2287		return SMP_CMD_NOTSUPP;
2288
2289	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2290
2291	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2292		return SMP_AUTH_REQUIREMENTS;
2293
2294	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2295		sec_level = BT_SECURITY_MEDIUM;
2296	else
2297		sec_level = authreq_to_seclevel(auth);
2298
2299	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2300		/* If link is already encrypted with sufficient security we
2301		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2302		 * Part H 2.4.6
2303		 */
2304		smp_ltk_encrypt(conn, hcon->sec_level);
2305		return 0;
2306	}
2307
2308	if (sec_level > hcon->pending_sec_level)
2309		hcon->pending_sec_level = sec_level;
2310
2311	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2312		return 0;
2313
2314	smp = smp_chan_create(conn);
2315	if (!smp)
2316		return SMP_UNSPECIFIED;
2317
2318	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2319	    (auth & SMP_AUTH_BONDING))
2320		return SMP_PAIRING_NOTSUPP;
2321
2322	skb_pull(skb, sizeof(*rp));
2323
2324	memset(&cp, 0, sizeof(cp));
2325	build_pairing_cmd(conn, &cp, NULL, auth);
2326
2327	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2328	memcpy(&smp->preq[1], &cp, sizeof(cp));
2329
2330	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2331	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2332
2333	return 0;
2334}
2335
2336int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2337{
2338	struct l2cap_conn *conn = hcon->l2cap_data;
2339	struct l2cap_chan *chan;
2340	struct smp_chan *smp;
2341	__u8 authreq;
2342	int ret;
2343
2344	BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2345
2346	/* This may be NULL if there's an unexpected disconnection */
2347	if (!conn)
2348		return 1;
2349
2350	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2351		return 1;
2352
2353	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2354		return 1;
2355
2356	if (sec_level > hcon->pending_sec_level)
2357		hcon->pending_sec_level = sec_level;
2358
2359	if (hcon->role == HCI_ROLE_MASTER)
2360		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2361			return 0;
2362
2363	chan = conn->smp;
2364	if (!chan) {
2365		bt_dev_err(hcon->hdev, "security requested but not available");
2366		return 1;
2367	}
2368
2369	l2cap_chan_lock(chan);
2370
2371	/* If SMP is already in progress ignore this request */
2372	if (chan->data) {
2373		ret = 0;
2374		goto unlock;
2375	}
2376
2377	smp = smp_chan_create(conn);
2378	if (!smp) {
2379		ret = 1;
2380		goto unlock;
2381	}
2382
2383	authreq = seclevel_to_authreq(sec_level);
2384
2385	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2386		authreq |= SMP_AUTH_SC;
2387		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2388			authreq |= SMP_AUTH_CT2;
2389	}
2390
2391	/* Require MITM if IO Capability allows or the security level
2392	 * requires it.
2393	 */
2394	if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2395	    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2396		authreq |= SMP_AUTH_MITM;
2397
2398	if (hcon->role == HCI_ROLE_MASTER) {
2399		struct smp_cmd_pairing cp;
2400
2401		build_pairing_cmd(conn, &cp, NULL, authreq);
2402		smp->preq[0] = SMP_CMD_PAIRING_REQ;
2403		memcpy(&smp->preq[1], &cp, sizeof(cp));
2404
2405		smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2406		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2407	} else {
2408		struct smp_cmd_security_req cp;
2409		cp.auth_req = authreq;
2410		smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2411		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2412	}
2413
2414	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2415	ret = 0;
2416
2417unlock:
2418	l2cap_chan_unlock(chan);
2419	return ret;
2420}
2421
2422int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2423				  u8 addr_type)
2424{
2425	struct hci_conn *hcon;
2426	struct l2cap_conn *conn;
2427	struct l2cap_chan *chan;
2428	struct smp_chan *smp;
2429	int err;
2430
2431	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2432	hci_remove_irk(hdev, bdaddr, addr_type);
2433
2434	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2435	if (!hcon)
2436		goto done;
2437
2438	conn = hcon->l2cap_data;
2439	if (!conn)
2440		goto done;
2441
2442	chan = conn->smp;
2443	if (!chan)
2444		goto done;
2445
2446	l2cap_chan_lock(chan);
2447
2448	smp = chan->data;
2449	if (smp) {
2450		/* Set keys to NULL to make sure smp_failure() does not try to
2451		 * remove and free already invalidated rcu list entries. */
2452		smp->ltk = NULL;
2453		smp->slave_ltk = NULL;
2454		smp->remote_irk = NULL;
2455
2456		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2457			smp_failure(conn, 0);
2458		else
2459			smp_failure(conn, SMP_UNSPECIFIED);
2460		err = 0;
2461	}
2462
2463	l2cap_chan_unlock(chan);
2464
2465done:
2466	return err;
2467}
2468
2469static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2470{
2471	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2472	struct l2cap_chan *chan = conn->smp;
2473	struct smp_chan *smp = chan->data;
2474
2475	BT_DBG("conn %p", conn);
2476
2477	if (skb->len < sizeof(*rp))
2478		return SMP_INVALID_PARAMS;
2479
2480	SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2481
2482	skb_pull(skb, sizeof(*rp));
2483
2484	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2485
2486	return 0;
2487}
2488
2489static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2490{
2491	struct smp_cmd_master_ident *rp = (void *) skb->data;
2492	struct l2cap_chan *chan = conn->smp;
2493	struct smp_chan *smp = chan->data;
2494	struct hci_dev *hdev = conn->hcon->hdev;
2495	struct hci_conn *hcon = conn->hcon;
2496	struct smp_ltk *ltk;
2497	u8 authenticated;
2498
2499	BT_DBG("conn %p", conn);
2500
2501	if (skb->len < sizeof(*rp))
2502		return SMP_INVALID_PARAMS;
2503
2504	/* Mark the information as received */
2505	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2506
2507	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2508		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2509	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2510		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2511
2512	skb_pull(skb, sizeof(*rp));
2513
2514	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2515	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2516			  authenticated, smp->tk, smp->enc_key_size,
2517			  rp->ediv, rp->rand);
2518	smp->ltk = ltk;
2519	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2520		smp_distribute_keys(smp);
2521
2522	return 0;
2523}
2524
2525static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2526{
2527	struct smp_cmd_ident_info *info = (void *) skb->data;
2528	struct l2cap_chan *chan = conn->smp;
2529	struct smp_chan *smp = chan->data;
2530
2531	BT_DBG("");
2532
2533	if (skb->len < sizeof(*info))
2534		return SMP_INVALID_PARAMS;
2535
2536	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2537
2538	skb_pull(skb, sizeof(*info));
2539
2540	memcpy(smp->irk, info->irk, 16);
2541
2542	return 0;
2543}
2544
2545static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2546				   struct sk_buff *skb)
2547{
2548	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2549	struct l2cap_chan *chan = conn->smp;
2550	struct smp_chan *smp = chan->data;
2551	struct hci_conn *hcon = conn->hcon;
2552	bdaddr_t rpa;
2553
2554	BT_DBG("");
2555
2556	if (skb->len < sizeof(*info))
2557		return SMP_INVALID_PARAMS;
2558
2559	/* Mark the information as received */
2560	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2561
2562	if (smp->remote_key_dist & SMP_DIST_SIGN)
2563		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2564
2565	skb_pull(skb, sizeof(*info));
2566
2567	/* Strictly speaking the Core Specification (4.1) allows sending
2568	 * an empty address which would force us to rely on just the IRK
2569	 * as "identity information". However, since such
2570	 * implementations are not known of and in order to not over
2571	 * complicate our implementation, simply pretend that we never
2572	 * received an IRK for such a device.
2573	 *
2574	 * The Identity Address must also be a Static Random or Public
2575	 * Address, which hci_is_identity_address() checks for.
2576	 */
2577	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2578	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2579		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2580		goto distribute;
2581	}
2582
2583	bacpy(&smp->id_addr, &info->bdaddr);
2584	smp->id_addr_type = info->addr_type;
2585
2586	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2587		bacpy(&rpa, &hcon->dst);
2588	else
2589		bacpy(&rpa, BDADDR_ANY);
2590
2591	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2592				      smp->id_addr_type, smp->irk, &rpa);
2593
2594distribute:
2595	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2596		smp_distribute_keys(smp);
2597
2598	return 0;
2599}
2600
2601static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2602{
2603	struct smp_cmd_sign_info *rp = (void *) skb->data;
2604	struct l2cap_chan *chan = conn->smp;
2605	struct smp_chan *smp = chan->data;
2606	struct smp_csrk *csrk;
2607
2608	BT_DBG("conn %p", conn);
2609
2610	if (skb->len < sizeof(*rp))
2611		return SMP_INVALID_PARAMS;
2612
2613	/* Mark the information as received */
2614	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2615
2616	skb_pull(skb, sizeof(*rp));
2617
2618	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2619	if (csrk) {
2620		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2621			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2622		else
2623			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2624		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2625	}
2626	smp->csrk = csrk;
2627	smp_distribute_keys(smp);
2628
2629	return 0;
2630}
2631
2632static u8 sc_select_method(struct smp_chan *smp)
2633{
2634	struct l2cap_conn *conn = smp->conn;
2635	struct hci_conn *hcon = conn->hcon;
2636	struct smp_cmd_pairing *local, *remote;
2637	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2638
2639	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2640	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2641		return REQ_OOB;
2642
2643	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2644	 * which are needed as inputs to some crypto functions. To get
2645	 * the "struct smp_cmd_pairing" from them we need to skip the
2646	 * first byte which contains the opcode.
2647	 */
2648	if (hcon->out) {
2649		local = (void *) &smp->preq[1];
2650		remote = (void *) &smp->prsp[1];
2651	} else {
2652		local = (void *) &smp->prsp[1];
2653		remote = (void *) &smp->preq[1];
2654	}
2655
2656	local_io = local->io_capability;
2657	remote_io = remote->io_capability;
2658
2659	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2660	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2661
2662	/* If either side wants MITM, look up the method from the table,
2663	 * otherwise use JUST WORKS.
2664	 */
2665	if (local_mitm || remote_mitm)
2666		method = get_auth_method(smp, local_io, remote_io);
2667	else
2668		method = JUST_WORKS;
2669
2670	/* Don't confirm locally initiated pairing attempts */
2671	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2672		method = JUST_WORKS;
2673
2674	return method;
2675}
2676
2677static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2678{
2679	struct smp_cmd_public_key *key = (void *) skb->data;
2680	struct hci_conn *hcon = conn->hcon;
2681	struct l2cap_chan *chan = conn->smp;
2682	struct smp_chan *smp = chan->data;
2683	struct hci_dev *hdev = hcon->hdev;
2684	struct crypto_kpp *tfm_ecdh;
2685	struct smp_cmd_pairing_confirm cfm;
2686	int err;
2687
2688	BT_DBG("conn %p", conn);
2689
2690	if (skb->len < sizeof(*key))
2691		return SMP_INVALID_PARAMS;
2692
2693	memcpy(smp->remote_pk, key, 64);
2694
2695	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2696		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2697			     smp->rr, 0, cfm.confirm_val);
2698		if (err)
2699			return SMP_UNSPECIFIED;
2700
2701		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2702			return SMP_CONFIRM_FAILED;
2703	}
2704
2705	/* Non-initiating device sends its public key after receiving
2706	 * the key from the initiating device.
2707	 */
2708	if (!hcon->out) {
2709		err = sc_send_public_key(smp);
2710		if (err)
2711			return err;
2712	}
2713
2714	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2715	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2716
2717	/* Compute the shared secret on the same crypto tfm on which the private
2718	 * key was set/generated.
2719	 */
2720	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2721		struct l2cap_chan *hchan = hdev->smp_data;
2722		struct smp_dev *smp_dev;
2723
2724		if (!hchan || !hchan->data)
2725			return SMP_UNSPECIFIED;
2726
2727		smp_dev = hchan->data;
2728
2729		tfm_ecdh = smp_dev->tfm_ecdh;
2730	} else {
2731		tfm_ecdh = smp->tfm_ecdh;
2732	}
2733
2734	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2735		return SMP_UNSPECIFIED;
2736
2737	SMP_DBG("DHKey %32phN", smp->dhkey);
2738
2739	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2740
2741	smp->method = sc_select_method(smp);
2742
2743	BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2744
2745	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2746	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2747		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2748	else
2749		hcon->pending_sec_level = BT_SECURITY_FIPS;
2750
2751	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2752		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2753
2754	if (smp->method == DSP_PASSKEY) {
2755		get_random_bytes(&hcon->passkey_notify,
2756				 sizeof(hcon->passkey_notify));
2757		hcon->passkey_notify %= 1000000;
2758		hcon->passkey_entered = 0;
2759		smp->passkey_round = 0;
2760		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2761					     hcon->dst_type,
2762					     hcon->passkey_notify,
2763					     hcon->passkey_entered))
2764			return SMP_UNSPECIFIED;
2765		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2766		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2767	}
2768
2769	if (smp->method == REQ_OOB) {
2770		if (hcon->out)
2771			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2772				     sizeof(smp->prnd), smp->prnd);
2773
2774		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2775
2776		return 0;
2777	}
2778
2779	if (hcon->out)
2780		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2781
2782	if (smp->method == REQ_PASSKEY) {
2783		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2784					      hcon->dst_type))
2785			return SMP_UNSPECIFIED;
2786		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2787		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2788		return 0;
2789	}
2790
2791	/* The Initiating device waits for the non-initiating device to
2792	 * send the confirm value.
2793	 */
2794	if (conn->hcon->out)
2795		return 0;
2796
2797	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2798		     0, cfm.confirm_val);
2799	if (err)
2800		return SMP_UNSPECIFIED;
2801
2802	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2803	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2804
2805	return 0;
2806}
2807
2808static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2809{
2810	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2811	struct l2cap_chan *chan = conn->smp;
2812	struct hci_conn *hcon = conn->hcon;
2813	struct smp_chan *smp = chan->data;
2814	u8 a[7], b[7], *local_addr, *remote_addr;
2815	u8 io_cap[3], r[16], e[16];
2816	int err;
2817
2818	BT_DBG("conn %p", conn);
2819
2820	if (skb->len < sizeof(*check))
2821		return SMP_INVALID_PARAMS;
2822
2823	memcpy(a, &hcon->init_addr, 6);
2824	memcpy(b, &hcon->resp_addr, 6);
2825	a[6] = hcon->init_addr_type;
2826	b[6] = hcon->resp_addr_type;
2827
2828	if (hcon->out) {
2829		local_addr = a;
2830		remote_addr = b;
2831		memcpy(io_cap, &smp->prsp[1], 3);
2832	} else {
2833		local_addr = b;
2834		remote_addr = a;
2835		memcpy(io_cap, &smp->preq[1], 3);
2836	}
2837
2838	memset(r, 0, sizeof(r));
2839
2840	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2841		put_unaligned_le32(hcon->passkey_notify, r);
2842	else if (smp->method == REQ_OOB)
2843		memcpy(r, smp->lr, 16);
2844
2845	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2846		     io_cap, remote_addr, local_addr, e);
2847	if (err)
2848		return SMP_UNSPECIFIED;
2849
2850	if (crypto_memneq(check->e, e, 16))
2851		return SMP_DHKEY_CHECK_FAILED;
2852
2853	if (!hcon->out) {
2854		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2855			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2856			return 0;
2857		}
2858
2859		/* Slave sends DHKey check as response to master */
2860		sc_dhkey_check(smp);
2861	}
2862
2863	sc_add_ltk(smp);
2864
2865	if (hcon->out) {
2866		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2867		hcon->enc_key_size = smp->enc_key_size;
2868	}
2869
2870	return 0;
2871}
2872
2873static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2874				   struct sk_buff *skb)
2875{
2876	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2877
2878	BT_DBG("value 0x%02x", kp->value);
2879
2880	return 0;
2881}
2882
2883static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2884{
2885	struct l2cap_conn *conn = chan->conn;
2886	struct hci_conn *hcon = conn->hcon;
2887	struct smp_chan *smp;
2888	__u8 code, reason;
2889	int err = 0;
2890
2891	if (skb->len < 1)
2892		return -EILSEQ;
2893
2894	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2895		reason = SMP_PAIRING_NOTSUPP;
2896		goto done;
2897	}
2898
2899	code = skb->data[0];
2900	skb_pull(skb, sizeof(code));
2901
2902	smp = chan->data;
2903
2904	if (code > SMP_CMD_MAX)
2905		goto drop;
2906
2907	if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2908		goto drop;
2909
2910	/* If we don't have a context the only allowed commands are
2911	 * pairing request and security request.
2912	 */
2913	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2914		goto drop;
2915
2916	switch (code) {
2917	case SMP_CMD_PAIRING_REQ:
2918		reason = smp_cmd_pairing_req(conn, skb);
2919		break;
2920
2921	case SMP_CMD_PAIRING_FAIL:
2922		smp_failure(conn, 0);
2923		err = -EPERM;
2924		break;
2925
2926	case SMP_CMD_PAIRING_RSP:
2927		reason = smp_cmd_pairing_rsp(conn, skb);
2928		break;
2929
2930	case SMP_CMD_SECURITY_REQ:
2931		reason = smp_cmd_security_req(conn, skb);
2932		break;
2933
2934	case SMP_CMD_PAIRING_CONFIRM:
2935		reason = smp_cmd_pairing_confirm(conn, skb);
2936		break;
2937
2938	case SMP_CMD_PAIRING_RANDOM:
2939		reason = smp_cmd_pairing_random(conn, skb);
2940		break;
2941
2942	case SMP_CMD_ENCRYPT_INFO:
2943		reason = smp_cmd_encrypt_info(conn, skb);
2944		break;
2945
2946	case SMP_CMD_MASTER_IDENT:
2947		reason = smp_cmd_master_ident(conn, skb);
2948		break;
2949
2950	case SMP_CMD_IDENT_INFO:
2951		reason = smp_cmd_ident_info(conn, skb);
2952		break;
2953
2954	case SMP_CMD_IDENT_ADDR_INFO:
2955		reason = smp_cmd_ident_addr_info(conn, skb);
2956		break;
2957
2958	case SMP_CMD_SIGN_INFO:
2959		reason = smp_cmd_sign_info(conn, skb);
2960		break;
2961
2962	case SMP_CMD_PUBLIC_KEY:
2963		reason = smp_cmd_public_key(conn, skb);
2964		break;
2965
2966	case SMP_CMD_DHKEY_CHECK:
2967		reason = smp_cmd_dhkey_check(conn, skb);
2968		break;
2969
2970	case SMP_CMD_KEYPRESS_NOTIFY:
2971		reason = smp_cmd_keypress_notify(conn, skb);
2972		break;
2973
2974	default:
2975		BT_DBG("Unknown command code 0x%2.2x", code);
2976		reason = SMP_CMD_NOTSUPP;
2977		goto done;
2978	}
2979
2980done:
2981	if (!err) {
2982		if (reason)
2983			smp_failure(conn, reason);
2984		kfree_skb(skb);
2985	}
2986
2987	return err;
2988
2989drop:
2990	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2991		   code, &hcon->dst);
2992	kfree_skb(skb);
2993	return 0;
2994}
2995
2996static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2997{
2998	struct l2cap_conn *conn = chan->conn;
2999
3000	BT_DBG("chan %p", chan);
3001
3002	if (chan->data)
3003		smp_chan_destroy(conn);
3004
3005	conn->smp = NULL;
3006	l2cap_chan_put(chan);
3007}
3008
3009static void bredr_pairing(struct l2cap_chan *chan)
3010{
3011	struct l2cap_conn *conn = chan->conn;
3012	struct hci_conn *hcon = conn->hcon;
3013	struct hci_dev *hdev = hcon->hdev;
3014	struct smp_cmd_pairing req;
3015	struct smp_chan *smp;
3016
3017	BT_DBG("chan %p", chan);
3018
3019	/* Only new pairings are interesting */
3020	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3021		return;
3022
3023	/* Don't bother if we're not encrypted */
3024	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3025		return;
3026
3027	/* Only master may initiate SMP over BR/EDR */
3028	if (hcon->role != HCI_ROLE_MASTER)
3029		return;
3030
3031	/* Secure Connections support must be enabled */
3032	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3033		return;
3034
3035	/* BR/EDR must use Secure Connections for SMP */
3036	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3037	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3038		return;
3039
3040	/* If our LE support is not enabled don't do anything */
3041	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3042		return;
3043
3044	/* Don't bother if remote LE support is not enabled */
3045	if (!lmp_host_le_capable(hcon))
3046		return;
3047
3048	/* Remote must support SMP fixed chan for BR/EDR */
3049	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3050		return;
3051
3052	/* Don't bother if SMP is already ongoing */
3053	if (chan->data)
3054		return;
3055
3056	smp = smp_chan_create(conn);
3057	if (!smp) {
3058		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3059		return;
3060	}
3061
3062	set_bit(SMP_FLAG_SC, &smp->flags);
3063
3064	BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3065
3066	/* Prepare and send the BR/EDR SMP Pairing Request */
3067	build_bredr_pairing_cmd(smp, &req, NULL);
3068
3069	smp->preq[0] = SMP_CMD_PAIRING_REQ;
3070	memcpy(&smp->preq[1], &req, sizeof(req));
3071
3072	smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3073	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3074}
3075
3076static void smp_resume_cb(struct l2cap_chan *chan)
3077{
3078	struct smp_chan *smp = chan->data;
3079	struct l2cap_conn *conn = chan->conn;
3080	struct hci_conn *hcon = conn->hcon;
3081
3082	BT_DBG("chan %p", chan);
3083
3084	if (hcon->type == ACL_LINK) {
3085		bredr_pairing(chan);
3086		return;
3087	}
3088
3089	if (!smp)
3090		return;
3091
3092	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3093		return;
3094
3095	cancel_delayed_work(&smp->security_timer);
3096
3097	smp_distribute_keys(smp);
3098}
3099
3100static void smp_ready_cb(struct l2cap_chan *chan)
3101{
3102	struct l2cap_conn *conn = chan->conn;
3103	struct hci_conn *hcon = conn->hcon;
3104
3105	BT_DBG("chan %p", chan);
3106
3107	/* No need to call l2cap_chan_hold() here since we already own
3108	 * the reference taken in smp_new_conn_cb(). This is just the
3109	 * first time that we tie it to a specific pointer. The code in
3110	 * l2cap_core.c ensures that there's no risk this function wont
3111	 * get called if smp_new_conn_cb was previously called.
3112	 */
3113	conn->smp = chan;
3114
3115	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3116		bredr_pairing(chan);
3117}
3118
3119static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3120{
3121	int err;
3122
3123	BT_DBG("chan %p", chan);
3124
3125	err = smp_sig_channel(chan, skb);
3126	if (err) {
3127		struct smp_chan *smp = chan->data;
3128
3129		if (smp)
3130			cancel_delayed_work_sync(&smp->security_timer);
3131
3132		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3133	}
3134
3135	return err;
3136}
3137
3138static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3139					unsigned long hdr_len,
3140					unsigned long len, int nb)
3141{
3142	struct sk_buff *skb;
3143
3144	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3145	if (!skb)
3146		return ERR_PTR(-ENOMEM);
3147
3148	skb->priority = HCI_PRIO_MAX;
3149	bt_cb(skb)->l2cap.chan = chan;
3150
3151	return skb;
3152}
3153
3154static const struct l2cap_ops smp_chan_ops = {
3155	.name			= "Security Manager",
3156	.ready			= smp_ready_cb,
3157	.recv			= smp_recv_cb,
3158	.alloc_skb		= smp_alloc_skb_cb,
3159	.teardown		= smp_teardown_cb,
3160	.resume			= smp_resume_cb,
3161
3162	.new_connection		= l2cap_chan_no_new_connection,
3163	.state_change		= l2cap_chan_no_state_change,
3164	.close			= l2cap_chan_no_close,
3165	.defer			= l2cap_chan_no_defer,
3166	.suspend		= l2cap_chan_no_suspend,
3167	.set_shutdown		= l2cap_chan_no_set_shutdown,
3168	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3169};
3170
3171static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3172{
3173	struct l2cap_chan *chan;
3174
3175	BT_DBG("pchan %p", pchan);
3176
3177	chan = l2cap_chan_create();
3178	if (!chan)
3179		return NULL;
3180
3181	chan->chan_type	= pchan->chan_type;
3182	chan->ops	= &smp_chan_ops;
3183	chan->scid	= pchan->scid;
3184	chan->dcid	= chan->scid;
3185	chan->imtu	= pchan->imtu;
3186	chan->omtu	= pchan->omtu;
3187	chan->mode	= pchan->mode;
3188
3189	/* Other L2CAP channels may request SMP routines in order to
3190	 * change the security level. This means that the SMP channel
3191	 * lock must be considered in its own category to avoid lockdep
3192	 * warnings.
3193	 */
3194	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3195
3196	BT_DBG("created chan %p", chan);
3197
3198	return chan;
3199}
3200
3201static const struct l2cap_ops smp_root_chan_ops = {
3202	.name			= "Security Manager Root",
3203	.new_connection		= smp_new_conn_cb,
3204
3205	/* None of these are implemented for the root channel */
3206	.close			= l2cap_chan_no_close,
3207	.alloc_skb		= l2cap_chan_no_alloc_skb,
3208	.recv			= l2cap_chan_no_recv,
3209	.state_change		= l2cap_chan_no_state_change,
3210	.teardown		= l2cap_chan_no_teardown,
3211	.ready			= l2cap_chan_no_ready,
3212	.defer			= l2cap_chan_no_defer,
3213	.suspend		= l2cap_chan_no_suspend,
3214	.resume			= l2cap_chan_no_resume,
3215	.set_shutdown		= l2cap_chan_no_set_shutdown,
3216	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3217};
3218
3219static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3220{
3221	struct l2cap_chan *chan;
3222	struct smp_dev *smp;
3223	struct crypto_cipher *tfm_aes;
3224	struct crypto_shash *tfm_cmac;
3225	struct crypto_kpp *tfm_ecdh;
3226
3227	if (cid == L2CAP_CID_SMP_BREDR) {
3228		smp = NULL;
3229		goto create_chan;
3230	}
3231
3232	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3233	if (!smp)
3234		return ERR_PTR(-ENOMEM);
3235
3236	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3237	if (IS_ERR(tfm_aes)) {
3238		BT_ERR("Unable to create AES crypto context");
3239		kzfree(smp);
3240		return ERR_CAST(tfm_aes);
3241	}
3242
3243	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3244	if (IS_ERR(tfm_cmac)) {
3245		BT_ERR("Unable to create CMAC crypto context");
3246		crypto_free_cipher(tfm_aes);
3247		kzfree(smp);
3248		return ERR_CAST(tfm_cmac);
3249	}
3250
3251	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3252	if (IS_ERR(tfm_ecdh)) {
3253		BT_ERR("Unable to create ECDH crypto context");
3254		crypto_free_shash(tfm_cmac);
3255		crypto_free_cipher(tfm_aes);
3256		kzfree(smp);
3257		return ERR_CAST(tfm_ecdh);
3258	}
3259
3260	smp->local_oob = false;
3261	smp->tfm_aes = tfm_aes;
3262	smp->tfm_cmac = tfm_cmac;
3263	smp->tfm_ecdh = tfm_ecdh;
3264
3265create_chan:
3266	chan = l2cap_chan_create();
3267	if (!chan) {
3268		if (smp) {
3269			crypto_free_cipher(smp->tfm_aes);
3270			crypto_free_shash(smp->tfm_cmac);
3271			crypto_free_kpp(smp->tfm_ecdh);
3272			kzfree(smp);
3273		}
3274		return ERR_PTR(-ENOMEM);
3275	}
3276
3277	chan->data = smp;
3278
3279	l2cap_add_scid(chan, cid);
3280
3281	l2cap_chan_set_defaults(chan);
3282
3283	if (cid == L2CAP_CID_SMP) {
3284		u8 bdaddr_type;
3285
3286		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3287
3288		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3289			chan->src_type = BDADDR_LE_PUBLIC;
3290		else
3291			chan->src_type = BDADDR_LE_RANDOM;
3292	} else {
3293		bacpy(&chan->src, &hdev->bdaddr);
3294		chan->src_type = BDADDR_BREDR;
3295	}
3296
3297	chan->state = BT_LISTEN;
3298	chan->mode = L2CAP_MODE_BASIC;
3299	chan->imtu = L2CAP_DEFAULT_MTU;
3300	chan->ops = &smp_root_chan_ops;
3301
3302	/* Set correct nesting level for a parent/listening channel */
3303	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3304
3305	return chan;
3306}
3307
3308static void smp_del_chan(struct l2cap_chan *chan)
3309{
3310	struct smp_dev *smp;
3311
3312	BT_DBG("chan %p", chan);
3313
3314	smp = chan->data;
3315	if (smp) {
3316		chan->data = NULL;
3317		crypto_free_cipher(smp->tfm_aes);
3318		crypto_free_shash(smp->tfm_cmac);
3319		crypto_free_kpp(smp->tfm_ecdh);
3320		kzfree(smp);
3321	}
3322
3323	l2cap_chan_put(chan);
3324}
3325
3326static ssize_t force_bredr_smp_read(struct file *file,
3327				    char __user *user_buf,
3328				    size_t count, loff_t *ppos)
3329{
3330	struct hci_dev *hdev = file->private_data;
3331	char buf[3];
3332
3333	buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3334	buf[1] = '\n';
3335	buf[2] = '\0';
3336	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3337}
3338
3339static ssize_t force_bredr_smp_write(struct file *file,
3340				     const char __user *user_buf,
3341				     size_t count, loff_t *ppos)
3342{
3343	struct hci_dev *hdev = file->private_data;
3344	bool enable;
3345	int err;
3346
3347	err = kstrtobool_from_user(user_buf, count, &enable);
3348	if (err)
3349		return err;
3350
3351	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3352		return -EALREADY;
3353
3354	if (enable) {
3355		struct l2cap_chan *chan;
3356
3357		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3358		if (IS_ERR(chan))
3359			return PTR_ERR(chan);
3360
3361		hdev->smp_bredr_data = chan;
3362	} else {
3363		struct l2cap_chan *chan;
3364
3365		chan = hdev->smp_bredr_data;
3366		hdev->smp_bredr_data = NULL;
3367		smp_del_chan(chan);
3368	}
3369
3370	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3371
3372	return count;
3373}
3374
3375static const struct file_operations force_bredr_smp_fops = {
3376	.open		= simple_open,
3377	.read		= force_bredr_smp_read,
3378	.write		= force_bredr_smp_write,
3379	.llseek		= default_llseek,
3380};
3381
3382static ssize_t le_min_key_size_read(struct file *file,
3383				     char __user *user_buf,
3384				     size_t count, loff_t *ppos)
3385{
3386	struct hci_dev *hdev = file->private_data;
3387	char buf[4];
3388
3389	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3390
3391	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3392}
3393
3394static ssize_t le_min_key_size_write(struct file *file,
3395				      const char __user *user_buf,
3396				      size_t count, loff_t *ppos)
3397{
3398	struct hci_dev *hdev = file->private_data;
3399	char buf[32];
3400	size_t buf_size = min(count, (sizeof(buf) - 1));
3401	u8 key_size;
3402
3403	if (copy_from_user(buf, user_buf, buf_size))
3404		return -EFAULT;
3405
3406	buf[buf_size] = '\0';
3407
3408	sscanf(buf, "%hhu", &key_size);
3409
3410	if (key_size > hdev->le_max_key_size ||
3411	    key_size < SMP_MIN_ENC_KEY_SIZE)
3412		return -EINVAL;
3413
3414	hdev->le_min_key_size = key_size;
3415
3416	return count;
3417}
3418
3419static const struct file_operations le_min_key_size_fops = {
3420	.open		= simple_open,
3421	.read		= le_min_key_size_read,
3422	.write		= le_min_key_size_write,
3423	.llseek		= default_llseek,
3424};
3425
3426static ssize_t le_max_key_size_read(struct file *file,
3427				     char __user *user_buf,
3428				     size_t count, loff_t *ppos)
3429{
3430	struct hci_dev *hdev = file->private_data;
3431	char buf[4];
3432
3433	snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3434
3435	return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3436}
3437
3438static ssize_t le_max_key_size_write(struct file *file,
3439				      const char __user *user_buf,
3440				      size_t count, loff_t *ppos)
3441{
3442	struct hci_dev *hdev = file->private_data;
3443	char buf[32];
3444	size_t buf_size = min(count, (sizeof(buf) - 1));
3445	u8 key_size;
3446
3447	if (copy_from_user(buf, user_buf, buf_size))
3448		return -EFAULT;
3449
3450	buf[buf_size] = '\0';
3451
3452	sscanf(buf, "%hhu", &key_size);
3453
3454	if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3455	    key_size < hdev->le_min_key_size)
3456		return -EINVAL;
3457
3458	hdev->le_max_key_size = key_size;
3459
3460	return count;
3461}
3462
3463static const struct file_operations le_max_key_size_fops = {
3464	.open		= simple_open,
3465	.read		= le_max_key_size_read,
3466	.write		= le_max_key_size_write,
3467	.llseek		= default_llseek,
3468};
3469
3470int smp_register(struct hci_dev *hdev)
3471{
3472	struct l2cap_chan *chan;
3473
3474	BT_DBG("%s", hdev->name);
3475
3476	/* If the controller does not support Low Energy operation, then
3477	 * there is also no need to register any SMP channel.
3478	 */
3479	if (!lmp_le_capable(hdev))
3480		return 0;
3481
3482	if (WARN_ON(hdev->smp_data)) {
3483		chan = hdev->smp_data;
3484		hdev->smp_data = NULL;
3485		smp_del_chan(chan);
3486	}
3487
3488	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3489	if (IS_ERR(chan))
3490		return PTR_ERR(chan);
3491
3492	hdev->smp_data = chan;
3493
3494	debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3495			    &le_min_key_size_fops);
3496	debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3497			    &le_max_key_size_fops);
3498
3499	/* If the controller does not support BR/EDR Secure Connections
3500	 * feature, then the BR/EDR SMP channel shall not be present.
3501	 *
3502	 * To test this with Bluetooth 4.0 controllers, create a debugfs
3503	 * switch that allows forcing BR/EDR SMP support and accepting
3504	 * cross-transport pairing on non-AES encrypted connections.
3505	 */
3506	if (!lmp_sc_capable(hdev)) {
3507		debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3508				    hdev, &force_bredr_smp_fops);
3509
3510		/* Flag can be already set here (due to power toggle) */
3511		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3512			return 0;
3513	}
3514
3515	if (WARN_ON(hdev->smp_bredr_data)) {
3516		chan = hdev->smp_bredr_data;
3517		hdev->smp_bredr_data = NULL;
3518		smp_del_chan(chan);
3519	}
3520
3521	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3522	if (IS_ERR(chan)) {
3523		int err = PTR_ERR(chan);
3524		chan = hdev->smp_data;
3525		hdev->smp_data = NULL;
3526		smp_del_chan(chan);
3527		return err;
3528	}
3529
3530	hdev->smp_bredr_data = chan;
3531
3532	return 0;
3533}
3534
3535void smp_unregister(struct hci_dev *hdev)
3536{
3537	struct l2cap_chan *chan;
3538
3539	if (hdev->smp_bredr_data) {
3540		chan = hdev->smp_bredr_data;
3541		hdev->smp_bredr_data = NULL;
3542		smp_del_chan(chan);
3543	}
3544
3545	if (hdev->smp_data) {
3546		chan = hdev->smp_data;
3547		hdev->smp_data = NULL;
3548		smp_del_chan(chan);
3549	}
3550}
3551
3552#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3553
3554static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3555{
3556	u8 pk[64];
3557	int err;
3558
3559	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3560	if (err)
3561		return err;
3562
3563	err = generate_ecdh_public_key(tfm_ecdh, pk);
3564	if (err)
3565		return err;
3566
3567	if (crypto_memneq(pk, debug_pk, 64))
3568		return -EINVAL;
3569
3570	return 0;
3571}
3572
3573static int __init test_ah(struct crypto_cipher *tfm_aes)
3574{
3575	const u8 irk[16] = {
3576			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3577			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3578	const u8 r[3] = { 0x94, 0x81, 0x70 };
3579	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3580	u8 res[3];
3581	int err;
3582
3583	err = smp_ah(tfm_aes, irk, r, res);
3584	if (err)
3585		return err;
3586
3587	if (crypto_memneq(res, exp, 3))
3588		return -EINVAL;
3589
3590	return 0;
3591}
3592
3593static int __init test_c1(struct crypto_cipher *tfm_aes)
3594{
3595	const u8 k[16] = {
3596			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3597			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3598	const u8 r[16] = {
3599			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3600			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3601	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3602	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3603	const u8 _iat = 0x01;
3604	const u8 _rat = 0x00;
3605	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3606	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3607	const u8 exp[16] = {
3608			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3609			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3610	u8 res[16];
3611	int err;
3612
3613	err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3614	if (err)
3615		return err;
3616
3617	if (crypto_memneq(res, exp, 16))
3618		return -EINVAL;
3619
3620	return 0;
3621}
3622
3623static int __init test_s1(struct crypto_cipher *tfm_aes)
3624{
3625	const u8 k[16] = {
3626			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3627			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3628	const u8 r1[16] = {
3629			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3630	const u8 r2[16] = {
3631			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3632	const u8 exp[16] = {
3633			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3634			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3635	u8 res[16];
3636	int err;
3637
3638	err = smp_s1(tfm_aes, k, r1, r2, res);
3639	if (err)
3640		return err;
3641
3642	if (crypto_memneq(res, exp, 16))
3643		return -EINVAL;
3644
3645	return 0;
3646}
3647
3648static int __init test_f4(struct crypto_shash *tfm_cmac)
3649{
3650	const u8 u[32] = {
3651			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3652			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3653			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3654			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3655	const u8 v[32] = {
3656			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3657			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3658			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3659			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3660	const u8 x[16] = {
3661			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3662			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3663	const u8 z = 0x00;
3664	const u8 exp[16] = {
3665			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3666			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3667	u8 res[16];
3668	int err;
3669
3670	err = smp_f4(tfm_cmac, u, v, x, z, res);
3671	if (err)
3672		return err;
3673
3674	if (crypto_memneq(res, exp, 16))
3675		return -EINVAL;
3676
3677	return 0;
3678}
3679
3680static int __init test_f5(struct crypto_shash *tfm_cmac)
3681{
3682	const u8 w[32] = {
3683			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3684			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3685			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3686			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3687	const u8 n1[16] = {
3688			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3689			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3690	const u8 n2[16] = {
3691			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3692			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3693	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3694	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3695	const u8 exp_ltk[16] = {
3696			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3697			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3698	const u8 exp_mackey[16] = {
3699			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3700			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3701	u8 mackey[16], ltk[16];
3702	int err;
3703
3704	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3705	if (err)
3706		return err;
3707
3708	if (crypto_memneq(mackey, exp_mackey, 16))
3709		return -EINVAL;
3710
3711	if (crypto_memneq(ltk, exp_ltk, 16))
3712		return -EINVAL;
3713
3714	return 0;
3715}
3716
3717static int __init test_f6(struct crypto_shash *tfm_cmac)
3718{
3719	const u8 w[16] = {
3720			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3721			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3722	const u8 n1[16] = {
3723			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3724			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3725	const u8 n2[16] = {
3726			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3727			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3728	const u8 r[16] = {
3729			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3730			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3731	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3732	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3733	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3734	const u8 exp[16] = {
3735			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3736			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3737	u8 res[16];
3738	int err;
3739
3740	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3741	if (err)
3742		return err;
3743
3744	if (crypto_memneq(res, exp, 16))
3745		return -EINVAL;
3746
3747	return 0;
3748}
3749
3750static int __init test_g2(struct crypto_shash *tfm_cmac)
3751{
3752	const u8 u[32] = {
3753			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3754			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3755			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3756			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3757	const u8 v[32] = {
3758			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3759			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3760			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3761			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3762	const u8 x[16] = {
3763			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3764			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3765	const u8 y[16] = {
3766			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3767			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3768	const u32 exp_val = 0x2f9ed5ba % 1000000;
3769	u32 val;
3770	int err;
3771
3772	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3773	if (err)
3774		return err;
3775
3776	if (val != exp_val)
3777		return -EINVAL;
3778
3779	return 0;
3780}
3781
3782static int __init test_h6(struct crypto_shash *tfm_cmac)
3783{
3784	const u8 w[16] = {
3785			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3786			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3787	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3788	const u8 exp[16] = {
3789			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3790			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3791	u8 res[16];
3792	int err;
3793
3794	err = smp_h6(tfm_cmac, w, key_id, res);
3795	if (err)
3796		return err;
3797
3798	if (crypto_memneq(res, exp, 16))
3799		return -EINVAL;
3800
3801	return 0;
3802}
3803
3804static char test_smp_buffer[32];
3805
3806static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3807			     size_t count, loff_t *ppos)
3808{
3809	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3810				       strlen(test_smp_buffer));
3811}
3812
3813static const struct file_operations test_smp_fops = {
3814	.open		= simple_open,
3815	.read		= test_smp_read,
3816	.llseek		= default_llseek,
3817};
3818
3819static int __init run_selftests(struct crypto_cipher *tfm_aes,
3820				struct crypto_shash *tfm_cmac,
3821				struct crypto_kpp *tfm_ecdh)
3822{
3823	ktime_t calltime, delta, rettime;
3824	unsigned long long duration;
3825	int err;
3826
3827	calltime = ktime_get();
3828
3829	err = test_debug_key(tfm_ecdh);
3830	if (err) {
3831		BT_ERR("debug_key test failed");
3832		goto done;
3833	}
3834
3835	err = test_ah(tfm_aes);
3836	if (err) {
3837		BT_ERR("smp_ah test failed");
3838		goto done;
3839	}
3840
3841	err = test_c1(tfm_aes);
3842	if (err) {
3843		BT_ERR("smp_c1 test failed");
3844		goto done;
3845	}
3846
3847	err = test_s1(tfm_aes);
3848	if (err) {
3849		BT_ERR("smp_s1 test failed");
3850		goto done;
3851	}
3852
3853	err = test_f4(tfm_cmac);
3854	if (err) {
3855		BT_ERR("smp_f4 test failed");
3856		goto done;
3857	}
3858
3859	err = test_f5(tfm_cmac);
3860	if (err) {
3861		BT_ERR("smp_f5 test failed");
3862		goto done;
3863	}
3864
3865	err = test_f6(tfm_cmac);
3866	if (err) {
3867		BT_ERR("smp_f6 test failed");
3868		goto done;
3869	}
3870
3871	err = test_g2(tfm_cmac);
3872	if (err) {
3873		BT_ERR("smp_g2 test failed");
3874		goto done;
3875	}
3876
3877	err = test_h6(tfm_cmac);
3878	if (err) {
3879		BT_ERR("smp_h6 test failed");
3880		goto done;
3881	}
3882
3883	rettime = ktime_get();
3884	delta = ktime_sub(rettime, calltime);
3885	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3886
3887	BT_INFO("SMP test passed in %llu usecs", duration);
3888
3889done:
3890	if (!err)
3891		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3892			 "PASS (%llu usecs)\n", duration);
3893	else
3894		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3895
3896	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3897			    &test_smp_fops);
3898
3899	return err;
3900}
3901
3902int __init bt_selftest_smp(void)
3903{
3904	struct crypto_cipher *tfm_aes;
3905	struct crypto_shash *tfm_cmac;
3906	struct crypto_kpp *tfm_ecdh;
3907	int err;
3908
3909	tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3910	if (IS_ERR(tfm_aes)) {
3911		BT_ERR("Unable to create AES crypto context");
3912		return PTR_ERR(tfm_aes);
3913	}
3914
3915	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3916	if (IS_ERR(tfm_cmac)) {
3917		BT_ERR("Unable to create CMAC crypto context");
3918		crypto_free_cipher(tfm_aes);
3919		return PTR_ERR(tfm_cmac);
3920	}
3921
3922	tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3923	if (IS_ERR(tfm_ecdh)) {
3924		BT_ERR("Unable to create ECDH crypto context");
3925		crypto_free_shash(tfm_cmac);
3926		crypto_free_cipher(tfm_aes);
3927		return PTR_ERR(tfm_ecdh);
3928	}
3929
3930	err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3931
3932	crypto_free_shash(tfm_cmac);
3933	crypto_free_cipher(tfm_aes);
3934	crypto_free_kpp(tfm_ecdh);
3935
3936	return err;
3937}
3938
3939#endif