linux/net/bluetooth/smp.c
<<
>>
Prefs
   1/*
   2   BlueZ - Bluetooth protocol stack for Linux
   3   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
   4
   5   This program is free software; you can redistribute it and/or modify
   6   it under the terms of the GNU General Public License version 2 as
   7   published by the Free Software Foundation;
   8
   9   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  10   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  11   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  12   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  13   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  14   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17
  18   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  19   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  20   SOFTWARE IS DISCLAIMED.
  21*/
  22
  23#include <linux/debugfs.h>
  24#include <linux/scatterlist.h>
  25#include <linux/crypto.h>
  26#include <crypto/algapi.h>
  27#include <crypto/b128ops.h>
  28#include <crypto/hash.h>
  29
  30#include <net/bluetooth/bluetooth.h>
  31#include <net/bluetooth/hci_core.h>
  32#include <net/bluetooth/l2cap.h>
  33#include <net/bluetooth/mgmt.h>
  34
  35#include "ecdh_helper.h"
  36#include "smp.h"
  37
  38#define SMP_DEV(hdev) \
  39        ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
  40
  41/* Low-level debug macros to be used for stuff that we don't want
  42 * accidentially in dmesg, i.e. the values of the various crypto keys
  43 * and the inputs & outputs of crypto functions.
  44 */
  45#ifdef DEBUG
  46#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
  47                                 ##__VA_ARGS__)
  48#else
  49#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
  50                                    ##__VA_ARGS__)
  51#endif
  52
  53#define SMP_ALLOW_CMD(smp, code)        set_bit(code, &smp->allow_cmd)
  54
  55/* Keys which are not distributed with Secure Connections */
  56#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
  57
  58#define SMP_TIMEOUT     msecs_to_jiffies(30000)
  59
  60#define AUTH_REQ_MASK(dev)      (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
  61                                 0x3f : 0x07)
  62#define KEY_DIST_MASK           0x07
  63
  64/* Maximum message length that can be passed to aes_cmac */
  65#define CMAC_MSG_MAX    80
  66
  67enum {
  68        SMP_FLAG_TK_VALID,
  69        SMP_FLAG_CFM_PENDING,
  70        SMP_FLAG_MITM_AUTH,
  71        SMP_FLAG_COMPLETE,
  72        SMP_FLAG_INITIATOR,
  73        SMP_FLAG_SC,
  74        SMP_FLAG_REMOTE_PK,
  75        SMP_FLAG_DEBUG_KEY,
  76        SMP_FLAG_WAIT_USER,
  77        SMP_FLAG_DHKEY_PENDING,
  78        SMP_FLAG_REMOTE_OOB,
  79        SMP_FLAG_LOCAL_OOB,
  80        SMP_FLAG_CT2,
  81};
  82
  83struct smp_dev {
  84        /* Secure Connections OOB data */
  85        u8                      local_pk[64];
  86        u8                      local_sk[32];
  87        u8                      local_rand[16];
  88        bool                    debug_key;
  89
  90        u8                      min_key_size;
  91        u8                      max_key_size;
  92
  93        struct crypto_cipher    *tfm_aes;
  94        struct crypto_shash     *tfm_cmac;
  95};
  96
  97struct smp_chan {
  98        struct l2cap_conn       *conn;
  99        struct delayed_work     security_timer;
 100        unsigned long           allow_cmd; /* Bitmask of allowed commands */
 101
 102        u8              preq[7]; /* SMP Pairing Request */
 103        u8              prsp[7]; /* SMP Pairing Response */
 104        u8              prnd[16]; /* SMP Pairing Random (local) */
 105        u8              rrnd[16]; /* SMP Pairing Random (remote) */
 106        u8              pcnf[16]; /* SMP Pairing Confirm */
 107        u8              tk[16]; /* SMP Temporary Key */
 108        u8              rr[16]; /* Remote OOB ra/rb value */
 109        u8              lr[16]; /* Local OOB ra/rb value */
 110        u8              enc_key_size;
 111        u8              remote_key_dist;
 112        bdaddr_t        id_addr;
 113        u8              id_addr_type;
 114        u8              irk[16];
 115        struct smp_csrk *csrk;
 116        struct smp_csrk *slave_csrk;
 117        struct smp_ltk  *ltk;
 118        struct smp_ltk  *slave_ltk;
 119        struct smp_irk  *remote_irk;
 120        u8              *link_key;
 121        unsigned long   flags;
 122        u8              method;
 123        u8              passkey_round;
 124
 125        /* Secure Connections variables */
 126        u8                      local_pk[64];
 127        u8                      local_sk[32];
 128        u8                      remote_pk[64];
 129        u8                      dhkey[32];
 130        u8                      mackey[16];
 131
 132        struct crypto_cipher    *tfm_aes;
 133        struct crypto_shash     *tfm_cmac;
 134};
 135
 136/* These debug key values are defined in the SMP section of the core
 137 * specification. debug_pk is the public debug key and debug_sk the
 138 * private debug key.
 139 */
 140static const u8 debug_pk[64] = {
 141                0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
 142                0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
 143                0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
 144                0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
 145
 146                0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
 147                0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
 148                0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
 149                0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
 150};
 151
 152static const u8 debug_sk[32] = {
 153                0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
 154                0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
 155                0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
 156                0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
 157};
 158
 159static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
 160{
 161        size_t i;
 162
 163        for (i = 0; i < len; i++)
 164                dst[len - 1 - i] = src[i];
 165}
 166
 167/* The following functions map to the LE SC SMP crypto functions
 168 * AES-CMAC, f4, f5, f6, g2 and h6.
 169 */
 170
 171static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
 172                    size_t len, u8 mac[16])
 173{
 174        uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
 175        SHASH_DESC_ON_STACK(desc, tfm);
 176        int err;
 177
 178        if (len > CMAC_MSG_MAX)
 179                return -EFBIG;
 180
 181        if (!tfm) {
 182                BT_ERR("tfm %p", tfm);
 183                return -EINVAL;
 184        }
 185
 186        desc->tfm = tfm;
 187        desc->flags = 0;
 188
 189        /* Swap key and message from LSB to MSB */
 190        swap_buf(k, tmp, 16);
 191        swap_buf(m, msg_msb, len);
 192
 193        SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
 194        SMP_DBG("key %16phN", k);
 195
 196        err = crypto_shash_setkey(tfm, tmp, 16);
 197        if (err) {
 198                BT_ERR("cipher setkey failed: %d", err);
 199                return err;
 200        }
 201
 202        err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
 203        shash_desc_zero(desc);
 204        if (err) {
 205                BT_ERR("Hash computation error %d", err);
 206                return err;
 207        }
 208
 209        swap_buf(mac_msb, mac, 16);
 210
 211        SMP_DBG("mac %16phN", mac);
 212
 213        return 0;
 214}
 215
 216static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
 217                  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
 218{
 219        u8 m[65];
 220        int err;
 221
 222        SMP_DBG("u %32phN", u);
 223        SMP_DBG("v %32phN", v);
 224        SMP_DBG("x %16phN z %02x", x, z);
 225
 226        m[0] = z;
 227        memcpy(m + 1, v, 32);
 228        memcpy(m + 33, u, 32);
 229
 230        err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
 231        if (err)
 232                return err;
 233
 234        SMP_DBG("res %16phN", res);
 235
 236        return err;
 237}
 238
 239static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
 240                  const u8 n1[16], const u8 n2[16], const u8 a1[7],
 241                  const u8 a2[7], u8 mackey[16], u8 ltk[16])
 242{
 243        /* The btle, salt and length "magic" values are as defined in
 244         * the SMP section of the Bluetooth core specification. In ASCII
 245         * the btle value ends up being 'btle'. The salt is just a
 246         * random number whereas length is the value 256 in little
 247         * endian format.
 248         */
 249        const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
 250        const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
 251                              0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
 252        const u8 length[2] = { 0x00, 0x01 };
 253        u8 m[53], t[16];
 254        int err;
 255
 256        SMP_DBG("w %32phN", w);
 257        SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 258        SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
 259
 260        err = aes_cmac(tfm_cmac, salt, w, 32, t);
 261        if (err)
 262                return err;
 263
 264        SMP_DBG("t %16phN", t);
 265
 266        memcpy(m, length, 2);
 267        memcpy(m + 2, a2, 7);
 268        memcpy(m + 9, a1, 7);
 269        memcpy(m + 16, n2, 16);
 270        memcpy(m + 32, n1, 16);
 271        memcpy(m + 48, btle, 4);
 272
 273        m[52] = 0; /* Counter */
 274
 275        err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
 276        if (err)
 277                return err;
 278
 279        SMP_DBG("mackey %16phN", mackey);
 280
 281        m[52] = 1; /* Counter */
 282
 283        err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
 284        if (err)
 285                return err;
 286
 287        SMP_DBG("ltk %16phN", ltk);
 288
 289        return 0;
 290}
 291
 292static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
 293                  const u8 n1[16], const u8 n2[16], const u8 r[16],
 294                  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
 295                  u8 res[16])
 296{
 297        u8 m[65];
 298        int err;
 299
 300        SMP_DBG("w %16phN", w);
 301        SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 302        SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
 303
 304        memcpy(m, a2, 7);
 305        memcpy(m + 7, a1, 7);
 306        memcpy(m + 14, io_cap, 3);
 307        memcpy(m + 17, r, 16);
 308        memcpy(m + 33, n2, 16);
 309        memcpy(m + 49, n1, 16);
 310
 311        err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
 312        if (err)
 313                return err;
 314
 315        SMP_DBG("res %16phN", res);
 316
 317        return err;
 318}
 319
 320static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
 321                  const u8 x[16], const u8 y[16], u32 *val)
 322{
 323        u8 m[80], tmp[16];
 324        int err;
 325
 326        SMP_DBG("u %32phN", u);
 327        SMP_DBG("v %32phN", v);
 328        SMP_DBG("x %16phN y %16phN", x, y);
 329
 330        memcpy(m, y, 16);
 331        memcpy(m + 16, v, 32);
 332        memcpy(m + 48, u, 32);
 333
 334        err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
 335        if (err)
 336                return err;
 337
 338        *val = get_unaligned_le32(tmp);
 339        *val %= 1000000;
 340
 341        SMP_DBG("val %06u", *val);
 342
 343        return 0;
 344}
 345
 346static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
 347                  const u8 key_id[4], u8 res[16])
 348{
 349        int err;
 350
 351        SMP_DBG("w %16phN key_id %4phN", w, key_id);
 352
 353        err = aes_cmac(tfm_cmac, w, key_id, 4, res);
 354        if (err)
 355                return err;
 356
 357        SMP_DBG("res %16phN", res);
 358
 359        return err;
 360}
 361
 362static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
 363                  const u8 salt[16], u8 res[16])
 364{
 365        int err;
 366
 367        SMP_DBG("w %16phN salt %16phN", w, salt);
 368
 369        err = aes_cmac(tfm_cmac, salt, w, 16, res);
 370        if (err)
 371                return err;
 372
 373        SMP_DBG("res %16phN", res);
 374
 375        return err;
 376}
 377
 378/* The following functions map to the legacy SMP crypto functions e, c1,
 379 * s1 and ah.
 380 */
 381
 382static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
 383{
 384        uint8_t tmp[16], data[16];
 385        int err;
 386
 387        SMP_DBG("k %16phN r %16phN", k, r);
 388
 389        if (!tfm) {
 390                BT_ERR("tfm %p", tfm);
 391                return -EINVAL;
 392        }
 393
 394        /* The most significant octet of key corresponds to k[0] */
 395        swap_buf(k, tmp, 16);
 396
 397        err = crypto_cipher_setkey(tfm, tmp, 16);
 398        if (err) {
 399                BT_ERR("cipher setkey failed: %d", err);
 400                return err;
 401        }
 402
 403        /* Most significant octet of plaintextData corresponds to data[0] */
 404        swap_buf(r, data, 16);
 405
 406        crypto_cipher_encrypt_one(tfm, data, data);
 407
 408        /* Most significant octet of encryptedData corresponds to data[0] */
 409        swap_buf(data, r, 16);
 410
 411        SMP_DBG("r %16phN", r);
 412
 413        return err;
 414}
 415
 416static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
 417                  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
 418                  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
 419{
 420        u8 p1[16], p2[16];
 421        int err;
 422
 423        SMP_DBG("k %16phN r %16phN", k, r);
 424        SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
 425        SMP_DBG("preq %7phN pres %7phN", preq, pres);
 426
 427        memset(p1, 0, 16);
 428
 429        /* p1 = pres || preq || _rat || _iat */
 430        p1[0] = _iat;
 431        p1[1] = _rat;
 432        memcpy(p1 + 2, preq, 7);
 433        memcpy(p1 + 9, pres, 7);
 434
 435        SMP_DBG("p1 %16phN", p1);
 436
 437        /* res = r XOR p1 */
 438        u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
 439
 440        /* res = e(k, res) */
 441        err = smp_e(tfm_aes, k, res);
 442        if (err) {
 443                BT_ERR("Encrypt data error");
 444                return err;
 445        }
 446
 447        /* p2 = padding || ia || ra */
 448        memcpy(p2, ra, 6);
 449        memcpy(p2 + 6, ia, 6);
 450        memset(p2 + 12, 0, 4);
 451
 452        SMP_DBG("p2 %16phN", p2);
 453
 454        /* res = res XOR p2 */
 455        u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
 456
 457        /* res = e(k, res) */
 458        err = smp_e(tfm_aes, k, res);
 459        if (err)
 460                BT_ERR("Encrypt data error");
 461
 462        return err;
 463}
 464
 465static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
 466                  const u8 r1[16], const u8 r2[16], u8 _r[16])
 467{
 468        int err;
 469
 470        /* Just least significant octets from r1 and r2 are considered */
 471        memcpy(_r, r2, 8);
 472        memcpy(_r + 8, r1, 8);
 473
 474        err = smp_e(tfm_aes, k, _r);
 475        if (err)
 476                BT_ERR("Encrypt data error");
 477
 478        return err;
 479}
 480
 481static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
 482                  const u8 r[3], u8 res[3])
 483{
 484        u8 _res[16];
 485        int err;
 486
 487        /* r' = padding || r */
 488        memcpy(_res, r, 3);
 489        memset(_res + 3, 0, 13);
 490
 491        err = smp_e(tfm, irk, _res);
 492        if (err) {
 493                BT_ERR("Encrypt error");
 494                return err;
 495        }
 496
 497        /* The output of the random address function ah is:
 498         *      ah(k, r) = e(k, r') mod 2^24
 499         * The output of the security function e is then truncated to 24 bits
 500         * by taking the least significant 24 bits of the output of e as the
 501         * result of ah.
 502         */
 503        memcpy(res, _res, 3);
 504
 505        return 0;
 506}
 507
 508bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
 509                     const bdaddr_t *bdaddr)
 510{
 511        struct l2cap_chan *chan = hdev->smp_data;
 512        struct smp_dev *smp;
 513        u8 hash[3];
 514        int err;
 515
 516        if (!chan || !chan->data)
 517                return false;
 518
 519        smp = chan->data;
 520
 521        BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
 522
 523        err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
 524        if (err)
 525                return false;
 526
 527        return !crypto_memneq(bdaddr->b, hash, 3);
 528}
 529
 530int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
 531{
 532        struct l2cap_chan *chan = hdev->smp_data;
 533        struct smp_dev *smp;
 534        int err;
 535
 536        if (!chan || !chan->data)
 537                return -EOPNOTSUPP;
 538
 539        smp = chan->data;
 540
 541        get_random_bytes(&rpa->b[3], 3);
 542
 543        rpa->b[5] &= 0x3f;      /* Clear two most significant bits */
 544        rpa->b[5] |= 0x40;      /* Set second most significant bit */
 545
 546        err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
 547        if (err < 0)
 548                return err;
 549
 550        BT_DBG("RPA %pMR", rpa);
 551
 552        return 0;
 553}
 554
 555int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
 556{
 557        struct l2cap_chan *chan = hdev->smp_data;
 558        struct smp_dev *smp;
 559        int err;
 560
 561        if (!chan || !chan->data)
 562                return -EOPNOTSUPP;
 563
 564        smp = chan->data;
 565
 566        if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
 567                BT_DBG("Using debug keys");
 568                memcpy(smp->local_pk, debug_pk, 64);
 569                memcpy(smp->local_sk, debug_sk, 32);
 570                smp->debug_key = true;
 571        } else {
 572                while (true) {
 573                        /* Seed private key with random number */
 574                        get_random_bytes(smp->local_sk, 32);
 575
 576                        /* Generate local key pair for Secure Connections */
 577                        if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
 578                                return -EIO;
 579
 580                        /* This is unlikely, but we need to check that
 581                         * we didn't accidentially generate a debug key.
 582                         */
 583                        if (crypto_memneq(smp->local_sk, debug_sk, 32))
 584                                break;
 585                }
 586                smp->debug_key = false;
 587        }
 588
 589        SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
 590        SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
 591        SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
 592
 593        get_random_bytes(smp->local_rand, 16);
 594
 595        err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
 596                     smp->local_rand, 0, hash);
 597        if (err < 0)
 598                return err;
 599
 600        memcpy(rand, smp->local_rand, 16);
 601
 602        return 0;
 603}
 604
 605static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
 606{
 607        struct l2cap_chan *chan = conn->smp;
 608        struct smp_chan *smp;
 609        struct kvec iv[2];
 610        struct msghdr msg;
 611
 612        if (!chan)
 613                return;
 614
 615        BT_DBG("code 0x%2.2x", code);
 616
 617        iv[0].iov_base = &code;
 618        iv[0].iov_len = 1;
 619
 620        iv[1].iov_base = data;
 621        iv[1].iov_len = len;
 622
 623        memset(&msg, 0, sizeof(msg));
 624
 625        iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
 626
 627        l2cap_chan_send(chan, &msg, 1 + len);
 628
 629        if (!chan->data)
 630                return;
 631
 632        smp = chan->data;
 633
 634        cancel_delayed_work_sync(&smp->security_timer);
 635        schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
 636}
 637
 638static u8 authreq_to_seclevel(u8 authreq)
 639{
 640        if (authreq & SMP_AUTH_MITM) {
 641                if (authreq & SMP_AUTH_SC)
 642                        return BT_SECURITY_FIPS;
 643                else
 644                        return BT_SECURITY_HIGH;
 645        } else {
 646                return BT_SECURITY_MEDIUM;
 647        }
 648}
 649
 650static __u8 seclevel_to_authreq(__u8 sec_level)
 651{
 652        switch (sec_level) {
 653        case BT_SECURITY_FIPS:
 654        case BT_SECURITY_HIGH:
 655                return SMP_AUTH_MITM | SMP_AUTH_BONDING;
 656        case BT_SECURITY_MEDIUM:
 657                return SMP_AUTH_BONDING;
 658        default:
 659                return SMP_AUTH_NONE;
 660        }
 661}
 662
 663static void build_pairing_cmd(struct l2cap_conn *conn,
 664                              struct smp_cmd_pairing *req,
 665                              struct smp_cmd_pairing *rsp, __u8 authreq)
 666{
 667        struct l2cap_chan *chan = conn->smp;
 668        struct smp_chan *smp = chan->data;
 669        struct hci_conn *hcon = conn->hcon;
 670        struct hci_dev *hdev = hcon->hdev;
 671        u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
 672
 673        if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
 674                local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 675                remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 676                authreq |= SMP_AUTH_BONDING;
 677        } else {
 678                authreq &= ~SMP_AUTH_BONDING;
 679        }
 680
 681        if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
 682                remote_dist |= SMP_DIST_ID_KEY;
 683
 684        if (hci_dev_test_flag(hdev, HCI_PRIVACY))
 685                local_dist |= SMP_DIST_ID_KEY;
 686
 687        if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
 688            (authreq & SMP_AUTH_SC)) {
 689                struct oob_data *oob_data;
 690                u8 bdaddr_type;
 691
 692                if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
 693                        local_dist |= SMP_DIST_LINK_KEY;
 694                        remote_dist |= SMP_DIST_LINK_KEY;
 695                }
 696
 697                if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
 698                        bdaddr_type = BDADDR_LE_PUBLIC;
 699                else
 700                        bdaddr_type = BDADDR_LE_RANDOM;
 701
 702                oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
 703                                                    bdaddr_type);
 704                if (oob_data && oob_data->present) {
 705                        set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
 706                        oob_flag = SMP_OOB_PRESENT;
 707                        memcpy(smp->rr, oob_data->rand256, 16);
 708                        memcpy(smp->pcnf, oob_data->hash256, 16);
 709                        SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
 710                        SMP_DBG("OOB Remote Random: %16phN", smp->rr);
 711                }
 712
 713        } else {
 714                authreq &= ~SMP_AUTH_SC;
 715        }
 716
 717        if (rsp == NULL) {
 718                req->io_capability = conn->hcon->io_capability;
 719                req->oob_flag = oob_flag;
 720                req->max_key_size = SMP_DEV(hdev)->max_key_size;
 721                req->init_key_dist = local_dist;
 722                req->resp_key_dist = remote_dist;
 723                req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 724
 725                smp->remote_key_dist = remote_dist;
 726                return;
 727        }
 728
 729        rsp->io_capability = conn->hcon->io_capability;
 730        rsp->oob_flag = oob_flag;
 731        rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
 732        rsp->init_key_dist = req->init_key_dist & remote_dist;
 733        rsp->resp_key_dist = req->resp_key_dist & local_dist;
 734        rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 735
 736        smp->remote_key_dist = rsp->init_key_dist;
 737}
 738
 739static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
 740{
 741        struct l2cap_chan *chan = conn->smp;
 742        struct hci_dev *hdev = conn->hcon->hdev;
 743        struct smp_chan *smp = chan->data;
 744
 745        if (max_key_size > SMP_DEV(hdev)->max_key_size ||
 746            max_key_size < SMP_MIN_ENC_KEY_SIZE)
 747                return SMP_ENC_KEY_SIZE;
 748
 749        smp->enc_key_size = max_key_size;
 750
 751        return 0;
 752}
 753
 754static void smp_chan_destroy(struct l2cap_conn *conn)
 755{
 756        struct l2cap_chan *chan = conn->smp;
 757        struct smp_chan *smp = chan->data;
 758        struct hci_conn *hcon = conn->hcon;
 759        bool complete;
 760
 761        BUG_ON(!smp);
 762
 763        cancel_delayed_work_sync(&smp->security_timer);
 764
 765        complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
 766        mgmt_smp_complete(hcon, complete);
 767
 768        kzfree(smp->csrk);
 769        kzfree(smp->slave_csrk);
 770        kzfree(smp->link_key);
 771
 772        crypto_free_cipher(smp->tfm_aes);
 773        crypto_free_shash(smp->tfm_cmac);
 774
 775        /* Ensure that we don't leave any debug key around if debug key
 776         * support hasn't been explicitly enabled.
 777         */
 778        if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
 779            !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
 780                list_del_rcu(&smp->ltk->list);
 781                kfree_rcu(smp->ltk, rcu);
 782                smp->ltk = NULL;
 783        }
 784
 785        /* If pairing failed clean up any keys we might have */
 786        if (!complete) {
 787                if (smp->ltk) {
 788                        list_del_rcu(&smp->ltk->list);
 789                        kfree_rcu(smp->ltk, rcu);
 790                }
 791
 792                if (smp->slave_ltk) {
 793                        list_del_rcu(&smp->slave_ltk->list);
 794                        kfree_rcu(smp->slave_ltk, rcu);
 795                }
 796
 797                if (smp->remote_irk) {
 798                        list_del_rcu(&smp->remote_irk->list);
 799                        kfree_rcu(smp->remote_irk, rcu);
 800                }
 801        }
 802
 803        chan->data = NULL;
 804        kzfree(smp);
 805        hci_conn_drop(hcon);
 806}
 807
 808static void smp_failure(struct l2cap_conn *conn, u8 reason)
 809{
 810        struct hci_conn *hcon = conn->hcon;
 811        struct l2cap_chan *chan = conn->smp;
 812
 813        if (reason)
 814                smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
 815                             &reason);
 816
 817        mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
 818
 819        if (chan->data)
 820                smp_chan_destroy(conn);
 821}
 822
 823#define JUST_WORKS      0x00
 824#define JUST_CFM        0x01
 825#define REQ_PASSKEY     0x02
 826#define CFM_PASSKEY     0x03
 827#define REQ_OOB         0x04
 828#define DSP_PASSKEY     0x05
 829#define OVERLAP         0xFF
 830
 831static const u8 gen_method[5][5] = {
 832        { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 833        { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 834        { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 835        { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 836        { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 837};
 838
 839static const u8 sc_method[5][5] = {
 840        { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 841        { JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 842        { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
 843        { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 844        { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 845};
 846
 847static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
 848{
 849        /* If either side has unknown io_caps, use JUST_CFM (which gets
 850         * converted later to JUST_WORKS if we're initiators.
 851         */
 852        if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
 853            remote_io > SMP_IO_KEYBOARD_DISPLAY)
 854                return JUST_CFM;
 855
 856        if (test_bit(SMP_FLAG_SC, &smp->flags))
 857                return sc_method[remote_io][local_io];
 858
 859        return gen_method[remote_io][local_io];
 860}
 861
 862static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
 863                                                u8 local_io, u8 remote_io)
 864{
 865        struct hci_conn *hcon = conn->hcon;
 866        struct l2cap_chan *chan = conn->smp;
 867        struct smp_chan *smp = chan->data;
 868        u32 passkey = 0;
 869        int ret = 0;
 870
 871        /* Initialize key for JUST WORKS */
 872        memset(smp->tk, 0, sizeof(smp->tk));
 873        clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
 874
 875        BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
 876
 877        /* If neither side wants MITM, either "just" confirm an incoming
 878         * request or use just-works for outgoing ones. The JUST_CFM
 879         * will be converted to JUST_WORKS if necessary later in this
 880         * function. If either side has MITM look up the method from the
 881         * table.
 882         */
 883        if (!(auth & SMP_AUTH_MITM))
 884                smp->method = JUST_CFM;
 885        else
 886                smp->method = get_auth_method(smp, local_io, remote_io);
 887
 888        /* Don't confirm locally initiated pairing attempts */
 889        if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
 890                                                &smp->flags))
 891                smp->method = JUST_WORKS;
 892
 893        /* Don't bother user space with no IO capabilities */
 894        if (smp->method == JUST_CFM &&
 895            hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
 896                smp->method = JUST_WORKS;
 897
 898        /* If Just Works, Continue with Zero TK */
 899        if (smp->method == JUST_WORKS) {
 900                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 901                return 0;
 902        }
 903
 904        /* If this function is used for SC -> legacy fallback we
 905         * can only recover the just-works case.
 906         */
 907        if (test_bit(SMP_FLAG_SC, &smp->flags))
 908                return -EINVAL;
 909
 910        /* Not Just Works/Confirm results in MITM Authentication */
 911        if (smp->method != JUST_CFM) {
 912                set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
 913                if (hcon->pending_sec_level < BT_SECURITY_HIGH)
 914                        hcon->pending_sec_level = BT_SECURITY_HIGH;
 915        }
 916
 917        /* If both devices have Keyoard-Display I/O, the master
 918         * Confirms and the slave Enters the passkey.
 919         */
 920        if (smp->method == OVERLAP) {
 921                if (hcon->role == HCI_ROLE_MASTER)
 922                        smp->method = CFM_PASSKEY;
 923                else
 924                        smp->method = REQ_PASSKEY;
 925        }
 926
 927        /* Generate random passkey. */
 928        if (smp->method == CFM_PASSKEY) {
 929                memset(smp->tk, 0, sizeof(smp->tk));
 930                get_random_bytes(&passkey, sizeof(passkey));
 931                passkey %= 1000000;
 932                put_unaligned_le32(passkey, smp->tk);
 933                BT_DBG("PassKey: %d", passkey);
 934                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 935        }
 936
 937        if (smp->method == REQ_PASSKEY)
 938                ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
 939                                                hcon->type, hcon->dst_type);
 940        else if (smp->method == JUST_CFM)
 941                ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
 942                                                hcon->type, hcon->dst_type,
 943                                                passkey, 1);
 944        else
 945                ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
 946                                                hcon->type, hcon->dst_type,
 947                                                passkey, 0);
 948
 949        return ret;
 950}
 951
 952static u8 smp_confirm(struct smp_chan *smp)
 953{
 954        struct l2cap_conn *conn = smp->conn;
 955        struct smp_cmd_pairing_confirm cp;
 956        int ret;
 957
 958        BT_DBG("conn %p", conn);
 959
 960        ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
 961                     conn->hcon->init_addr_type, &conn->hcon->init_addr,
 962                     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
 963                     cp.confirm_val);
 964        if (ret)
 965                return SMP_UNSPECIFIED;
 966
 967        clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
 968
 969        smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
 970
 971        if (conn->hcon->out)
 972                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
 973        else
 974                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
 975
 976        return 0;
 977}
 978
 979static u8 smp_random(struct smp_chan *smp)
 980{
 981        struct l2cap_conn *conn = smp->conn;
 982        struct hci_conn *hcon = conn->hcon;
 983        u8 confirm[16];
 984        int ret;
 985
 986        if (IS_ERR_OR_NULL(smp->tfm_aes))
 987                return SMP_UNSPECIFIED;
 988
 989        BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
 990
 991        ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
 992                     hcon->init_addr_type, &hcon->init_addr,
 993                     hcon->resp_addr_type, &hcon->resp_addr, confirm);
 994        if (ret)
 995                return SMP_UNSPECIFIED;
 996
 997        if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
 998                BT_ERR("Pairing failed (confirmation values mismatch)");
 999                return SMP_CONFIRM_FAILED;
1000        }
1001
1002        if (hcon->out) {
1003                u8 stk[16];
1004                __le64 rand = 0;
1005                __le16 ediv = 0;
1006
1007                smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1008
1009                if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1010                        return SMP_UNSPECIFIED;
1011
1012                hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1013                hcon->enc_key_size = smp->enc_key_size;
1014                set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1015        } else {
1016                u8 stk[16], auth;
1017                __le64 rand = 0;
1018                __le16 ediv = 0;
1019
1020                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1021                             smp->prnd);
1022
1023                smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1024
1025                if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1026                        auth = 1;
1027                else
1028                        auth = 0;
1029
1030                /* Even though there's no _SLAVE suffix this is the
1031                 * slave STK we're adding for later lookup (the master
1032                 * STK never needs to be stored).
1033                 */
1034                hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1035                            SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1036        }
1037
1038        return 0;
1039}
1040
1041static void smp_notify_keys(struct l2cap_conn *conn)
1042{
1043        struct l2cap_chan *chan = conn->smp;
1044        struct smp_chan *smp = chan->data;
1045        struct hci_conn *hcon = conn->hcon;
1046        struct hci_dev *hdev = hcon->hdev;
1047        struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1048        struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1049        bool persistent;
1050
1051        if (hcon->type == ACL_LINK) {
1052                if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1053                        persistent = false;
1054                else
1055                        persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1056                                               &hcon->flags);
1057        } else {
1058                /* The LTKs, IRKs and CSRKs should be persistent only if
1059                 * both sides had the bonding bit set in their
1060                 * authentication requests.
1061                 */
1062                persistent = !!((req->auth_req & rsp->auth_req) &
1063                                SMP_AUTH_BONDING);
1064        }
1065
1066        if (smp->remote_irk) {
1067                mgmt_new_irk(hdev, smp->remote_irk, persistent);
1068
1069                /* Now that user space can be considered to know the
1070                 * identity address track the connection based on it
1071                 * from now on (assuming this is an LE link).
1072                 */
1073                if (hcon->type == LE_LINK) {
1074                        bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1075                        hcon->dst_type = smp->remote_irk->addr_type;
1076                        queue_work(hdev->workqueue, &conn->id_addr_update_work);
1077                }
1078        }
1079
1080        if (smp->csrk) {
1081                smp->csrk->bdaddr_type = hcon->dst_type;
1082                bacpy(&smp->csrk->bdaddr, &hcon->dst);
1083                mgmt_new_csrk(hdev, smp->csrk, persistent);
1084        }
1085
1086        if (smp->slave_csrk) {
1087                smp->slave_csrk->bdaddr_type = hcon->dst_type;
1088                bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1089                mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1090        }
1091
1092        if (smp->ltk) {
1093                smp->ltk->bdaddr_type = hcon->dst_type;
1094                bacpy(&smp->ltk->bdaddr, &hcon->dst);
1095                mgmt_new_ltk(hdev, smp->ltk, persistent);
1096        }
1097
1098        if (smp->slave_ltk) {
1099                smp->slave_ltk->bdaddr_type = hcon->dst_type;
1100                bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1101                mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1102        }
1103
1104        if (smp->link_key) {
1105                struct link_key *key;
1106                u8 type;
1107
1108                if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1109                        type = HCI_LK_DEBUG_COMBINATION;
1110                else if (hcon->sec_level == BT_SECURITY_FIPS)
1111                        type = HCI_LK_AUTH_COMBINATION_P256;
1112                else
1113                        type = HCI_LK_UNAUTH_COMBINATION_P256;
1114
1115                key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1116                                       smp->link_key, type, 0, &persistent);
1117                if (key) {
1118                        mgmt_new_link_key(hdev, key, persistent);
1119
1120                        /* Don't keep debug keys around if the relevant
1121                         * flag is not set.
1122                         */
1123                        if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1124                            key->type == HCI_LK_DEBUG_COMBINATION) {
1125                                list_del_rcu(&key->list);
1126                                kfree_rcu(key, rcu);
1127                        }
1128                }
1129        }
1130}
1131
1132static void sc_add_ltk(struct smp_chan *smp)
1133{
1134        struct hci_conn *hcon = smp->conn->hcon;
1135        u8 key_type, auth;
1136
1137        if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1138                key_type = SMP_LTK_P256_DEBUG;
1139        else
1140                key_type = SMP_LTK_P256;
1141
1142        if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1143                auth = 1;
1144        else
1145                auth = 0;
1146
1147        smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1148                               key_type, auth, smp->tk, smp->enc_key_size,
1149                               0, 0);
1150}
1151
1152static void sc_generate_link_key(struct smp_chan *smp)
1153{
1154        /* From core spec. Spells out in ASCII as 'lebr'. */
1155        const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1156
1157        smp->link_key = kzalloc(16, GFP_KERNEL);
1158        if (!smp->link_key)
1159                return;
1160
1161        if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1162                /* SALT = 0x00000000000000000000000000000000746D7031 */
1163                const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1164
1165                if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1166                        kzfree(smp->link_key);
1167                        smp->link_key = NULL;
1168                        return;
1169                }
1170        } else {
1171                /* From core spec. Spells out in ASCII as 'tmp1'. */
1172                const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1173
1174                if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1175                        kzfree(smp->link_key);
1176                        smp->link_key = NULL;
1177                        return;
1178                }
1179        }
1180
1181        if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1182                kzfree(smp->link_key);
1183                smp->link_key = NULL;
1184                return;
1185        }
1186}
1187
1188static void smp_allow_key_dist(struct smp_chan *smp)
1189{
1190        /* Allow the first expected phase 3 PDU. The rest of the PDUs
1191         * will be allowed in each PDU handler to ensure we receive
1192         * them in the correct order.
1193         */
1194        if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1195                SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1196        else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1197                SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1198        else if (smp->remote_key_dist & SMP_DIST_SIGN)
1199                SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1200}
1201
1202static void sc_generate_ltk(struct smp_chan *smp)
1203{
1204        /* From core spec. Spells out in ASCII as 'brle'. */
1205        const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1206        struct hci_conn *hcon = smp->conn->hcon;
1207        struct hci_dev *hdev = hcon->hdev;
1208        struct link_key *key;
1209
1210        key = hci_find_link_key(hdev, &hcon->dst);
1211        if (!key) {
1212                BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1213                return;
1214        }
1215
1216        if (key->type == HCI_LK_DEBUG_COMBINATION)
1217                set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1218
1219        if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1220                /* SALT = 0x00000000000000000000000000000000746D7032 */
1221                const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1222
1223                if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1224                        return;
1225        } else {
1226                /* From core spec. Spells out in ASCII as 'tmp2'. */
1227                const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1228
1229                if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1230                        return;
1231        }
1232
1233        if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1234                return;
1235
1236        sc_add_ltk(smp);
1237}
1238
1239static void smp_distribute_keys(struct smp_chan *smp)
1240{
1241        struct smp_cmd_pairing *req, *rsp;
1242        struct l2cap_conn *conn = smp->conn;
1243        struct hci_conn *hcon = conn->hcon;
1244        struct hci_dev *hdev = hcon->hdev;
1245        __u8 *keydist;
1246
1247        BT_DBG("conn %p", conn);
1248
1249        rsp = (void *) &smp->prsp[1];
1250
1251        /* The responder sends its keys first */
1252        if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1253                smp_allow_key_dist(smp);
1254                return;
1255        }
1256
1257        req = (void *) &smp->preq[1];
1258
1259        if (hcon->out) {
1260                keydist = &rsp->init_key_dist;
1261                *keydist &= req->init_key_dist;
1262        } else {
1263                keydist = &rsp->resp_key_dist;
1264                *keydist &= req->resp_key_dist;
1265        }
1266
1267        if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1268                if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1269                        sc_generate_link_key(smp);
1270                if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1271                        sc_generate_ltk(smp);
1272
1273                /* Clear the keys which are generated but not distributed */
1274                *keydist &= ~SMP_SC_NO_DIST;
1275        }
1276
1277        BT_DBG("keydist 0x%x", *keydist);
1278
1279        if (*keydist & SMP_DIST_ENC_KEY) {
1280                struct smp_cmd_encrypt_info enc;
1281                struct smp_cmd_master_ident ident;
1282                struct smp_ltk *ltk;
1283                u8 authenticated;
1284                __le16 ediv;
1285                __le64 rand;
1286
1287                /* Make sure we generate only the significant amount of
1288                 * bytes based on the encryption key size, and set the rest
1289                 * of the value to zeroes.
1290                 */
1291                get_random_bytes(enc.ltk, smp->enc_key_size);
1292                memset(enc.ltk + smp->enc_key_size, 0,
1293                       sizeof(enc.ltk) - smp->enc_key_size);
1294
1295                get_random_bytes(&ediv, sizeof(ediv));
1296                get_random_bytes(&rand, sizeof(rand));
1297
1298                smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1299
1300                authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1301                ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1302                                  SMP_LTK_SLAVE, authenticated, enc.ltk,
1303                                  smp->enc_key_size, ediv, rand);
1304                smp->slave_ltk = ltk;
1305
1306                ident.ediv = ediv;
1307                ident.rand = rand;
1308
1309                smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1310
1311                *keydist &= ~SMP_DIST_ENC_KEY;
1312        }
1313
1314        if (*keydist & SMP_DIST_ID_KEY) {
1315                struct smp_cmd_ident_addr_info addrinfo;
1316                struct smp_cmd_ident_info idinfo;
1317
1318                memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1319
1320                smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1321
1322                /* The hci_conn contains the local identity address
1323                 * after the connection has been established.
1324                 *
1325                 * This is true even when the connection has been
1326                 * established using a resolvable random address.
1327                 */
1328                bacpy(&addrinfo.bdaddr, &hcon->src);
1329                addrinfo.addr_type = hcon->src_type;
1330
1331                smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1332                             &addrinfo);
1333
1334                *keydist &= ~SMP_DIST_ID_KEY;
1335        }
1336
1337        if (*keydist & SMP_DIST_SIGN) {
1338                struct smp_cmd_sign_info sign;
1339                struct smp_csrk *csrk;
1340
1341                /* Generate a new random key */
1342                get_random_bytes(sign.csrk, sizeof(sign.csrk));
1343
1344                csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1345                if (csrk) {
1346                        if (hcon->sec_level > BT_SECURITY_MEDIUM)
1347                                csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1348                        else
1349                                csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1350                        memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1351                }
1352                smp->slave_csrk = csrk;
1353
1354                smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1355
1356                *keydist &= ~SMP_DIST_SIGN;
1357        }
1358
1359        /* If there are still keys to be received wait for them */
1360        if (smp->remote_key_dist & KEY_DIST_MASK) {
1361                smp_allow_key_dist(smp);
1362                return;
1363        }
1364
1365        set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1366        smp_notify_keys(conn);
1367
1368        smp_chan_destroy(conn);
1369}
1370
1371static void smp_timeout(struct work_struct *work)
1372{
1373        struct smp_chan *smp = container_of(work, struct smp_chan,
1374                                            security_timer.work);
1375        struct l2cap_conn *conn = smp->conn;
1376
1377        BT_DBG("conn %p", conn);
1378
1379        hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1380}
1381
1382static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1383{
1384        struct l2cap_chan *chan = conn->smp;
1385        struct smp_chan *smp;
1386
1387        smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1388        if (!smp)
1389                return NULL;
1390
1391        smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1392        if (IS_ERR(smp->tfm_aes)) {
1393                BT_ERR("Unable to create AES crypto context");
1394                kzfree(smp);
1395                return NULL;
1396        }
1397
1398        smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1399        if (IS_ERR(smp->tfm_cmac)) {
1400                BT_ERR("Unable to create CMAC crypto context");
1401                crypto_free_cipher(smp->tfm_aes);
1402                kzfree(smp);
1403                return NULL;
1404        }
1405
1406        smp->conn = conn;
1407        chan->data = smp;
1408
1409        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1410
1411        INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1412
1413        hci_conn_hold(conn->hcon);
1414
1415        return smp;
1416}
1417
1418static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1419{
1420        struct hci_conn *hcon = smp->conn->hcon;
1421        u8 *na, *nb, a[7], b[7];
1422
1423        if (hcon->out) {
1424                na   = smp->prnd;
1425                nb   = smp->rrnd;
1426        } else {
1427                na   = smp->rrnd;
1428                nb   = smp->prnd;
1429        }
1430
1431        memcpy(a, &hcon->init_addr, 6);
1432        memcpy(b, &hcon->resp_addr, 6);
1433        a[6] = hcon->init_addr_type;
1434        b[6] = hcon->resp_addr_type;
1435
1436        return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1437}
1438
1439static void sc_dhkey_check(struct smp_chan *smp)
1440{
1441        struct hci_conn *hcon = smp->conn->hcon;
1442        struct smp_cmd_dhkey_check check;
1443        u8 a[7], b[7], *local_addr, *remote_addr;
1444        u8 io_cap[3], r[16];
1445
1446        memcpy(a, &hcon->init_addr, 6);
1447        memcpy(b, &hcon->resp_addr, 6);
1448        a[6] = hcon->init_addr_type;
1449        b[6] = hcon->resp_addr_type;
1450
1451        if (hcon->out) {
1452                local_addr = a;
1453                remote_addr = b;
1454                memcpy(io_cap, &smp->preq[1], 3);
1455        } else {
1456                local_addr = b;
1457                remote_addr = a;
1458                memcpy(io_cap, &smp->prsp[1], 3);
1459        }
1460
1461        memset(r, 0, sizeof(r));
1462
1463        if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1464                put_unaligned_le32(hcon->passkey_notify, r);
1465
1466        if (smp->method == REQ_OOB)
1467                memcpy(r, smp->rr, 16);
1468
1469        smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1470               local_addr, remote_addr, check.e);
1471
1472        smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1473}
1474
1475static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1476{
1477        struct l2cap_conn *conn = smp->conn;
1478        struct hci_conn *hcon = conn->hcon;
1479        struct smp_cmd_pairing_confirm cfm;
1480        u8 r;
1481
1482        r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1483        r |= 0x80;
1484
1485        get_random_bytes(smp->prnd, sizeof(smp->prnd));
1486
1487        if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1488                   cfm.confirm_val))
1489                return SMP_UNSPECIFIED;
1490
1491        smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1492
1493        return 0;
1494}
1495
1496static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1497{
1498        struct l2cap_conn *conn = smp->conn;
1499        struct hci_conn *hcon = conn->hcon;
1500        struct hci_dev *hdev = hcon->hdev;
1501        u8 cfm[16], r;
1502
1503        /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1504        if (smp->passkey_round >= 20)
1505                return 0;
1506
1507        switch (smp_op) {
1508        case SMP_CMD_PAIRING_RANDOM:
1509                r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1510                r |= 0x80;
1511
1512                if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1513                           smp->rrnd, r, cfm))
1514                        return SMP_UNSPECIFIED;
1515
1516                if (crypto_memneq(smp->pcnf, cfm, 16))
1517                        return SMP_CONFIRM_FAILED;
1518
1519                smp->passkey_round++;
1520
1521                if (smp->passkey_round == 20) {
1522                        /* Generate MacKey and LTK */
1523                        if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1524                                return SMP_UNSPECIFIED;
1525                }
1526
1527                /* The round is only complete when the initiator
1528                 * receives pairing random.
1529                 */
1530                if (!hcon->out) {
1531                        smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1532                                     sizeof(smp->prnd), smp->prnd);
1533                        if (smp->passkey_round == 20)
1534                                SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1535                        else
1536                                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1537                        return 0;
1538                }
1539
1540                /* Start the next round */
1541                if (smp->passkey_round != 20)
1542                        return sc_passkey_round(smp, 0);
1543
1544                /* Passkey rounds are complete - start DHKey Check */
1545                sc_dhkey_check(smp);
1546                SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1547
1548                break;
1549
1550        case SMP_CMD_PAIRING_CONFIRM:
1551                if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1552                        set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1553                        return 0;
1554                }
1555
1556                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1557
1558                if (hcon->out) {
1559                        smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1560                                     sizeof(smp->prnd), smp->prnd);
1561                        return 0;
1562                }
1563
1564                return sc_passkey_send_confirm(smp);
1565
1566        case SMP_CMD_PUBLIC_KEY:
1567        default:
1568                /* Initiating device starts the round */
1569                if (!hcon->out)
1570                        return 0;
1571
1572                BT_DBG("%s Starting passkey round %u", hdev->name,
1573                       smp->passkey_round + 1);
1574
1575                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1576
1577                return sc_passkey_send_confirm(smp);
1578        }
1579
1580        return 0;
1581}
1582
1583static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1584{
1585        struct l2cap_conn *conn = smp->conn;
1586        struct hci_conn *hcon = conn->hcon;
1587        u8 smp_op;
1588
1589        clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1590
1591        switch (mgmt_op) {
1592        case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1593                smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1594                return 0;
1595        case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1596                smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1597                return 0;
1598        case MGMT_OP_USER_PASSKEY_REPLY:
1599                hcon->passkey_notify = le32_to_cpu(passkey);
1600                smp->passkey_round = 0;
1601
1602                if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1603                        smp_op = SMP_CMD_PAIRING_CONFIRM;
1604                else
1605                        smp_op = 0;
1606
1607                if (sc_passkey_round(smp, smp_op))
1608                        return -EIO;
1609
1610                return 0;
1611        }
1612
1613        /* Initiator sends DHKey check first */
1614        if (hcon->out) {
1615                sc_dhkey_check(smp);
1616                SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1617        } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1618                sc_dhkey_check(smp);
1619                sc_add_ltk(smp);
1620        }
1621
1622        return 0;
1623}
1624
1625int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1626{
1627        struct l2cap_conn *conn = hcon->l2cap_data;
1628        struct l2cap_chan *chan;
1629        struct smp_chan *smp;
1630        u32 value;
1631        int err;
1632
1633        BT_DBG("");
1634
1635        if (!conn)
1636                return -ENOTCONN;
1637
1638        chan = conn->smp;
1639        if (!chan)
1640                return -ENOTCONN;
1641
1642        l2cap_chan_lock(chan);
1643        if (!chan->data) {
1644                err = -ENOTCONN;
1645                goto unlock;
1646        }
1647
1648        smp = chan->data;
1649
1650        if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1651                err = sc_user_reply(smp, mgmt_op, passkey);
1652                goto unlock;
1653        }
1654
1655        switch (mgmt_op) {
1656        case MGMT_OP_USER_PASSKEY_REPLY:
1657                value = le32_to_cpu(passkey);
1658                memset(smp->tk, 0, sizeof(smp->tk));
1659                BT_DBG("PassKey: %d", value);
1660                put_unaligned_le32(value, smp->tk);
1661                /* Fall Through */
1662        case MGMT_OP_USER_CONFIRM_REPLY:
1663                set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1664                break;
1665        case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1666        case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1667                smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668                err = 0;
1669                goto unlock;
1670        default:
1671                smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1672                err = -EOPNOTSUPP;
1673                goto unlock;
1674        }
1675
1676        err = 0;
1677
1678        /* If it is our turn to send Pairing Confirm, do so now */
1679        if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1680                u8 rsp = smp_confirm(smp);
1681                if (rsp)
1682                        smp_failure(conn, rsp);
1683        }
1684
1685unlock:
1686        l2cap_chan_unlock(chan);
1687        return err;
1688}
1689
1690static void build_bredr_pairing_cmd(struct smp_chan *smp,
1691                                    struct smp_cmd_pairing *req,
1692                                    struct smp_cmd_pairing *rsp)
1693{
1694        struct l2cap_conn *conn = smp->conn;
1695        struct hci_dev *hdev = conn->hcon->hdev;
1696        u8 local_dist = 0, remote_dist = 0;
1697
1698        if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1699                local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1700                remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1701        }
1702
1703        if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1704                remote_dist |= SMP_DIST_ID_KEY;
1705
1706        if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1707                local_dist |= SMP_DIST_ID_KEY;
1708
1709        if (!rsp) {
1710                memset(req, 0, sizeof(*req));
1711
1712                req->auth_req        = SMP_AUTH_CT2;
1713                req->init_key_dist   = local_dist;
1714                req->resp_key_dist   = remote_dist;
1715                req->max_key_size    = conn->hcon->enc_key_size;
1716
1717                smp->remote_key_dist = remote_dist;
1718
1719                return;
1720        }
1721
1722        memset(rsp, 0, sizeof(*rsp));
1723
1724        rsp->auth_req        = SMP_AUTH_CT2;
1725        rsp->max_key_size    = conn->hcon->enc_key_size;
1726        rsp->init_key_dist   = req->init_key_dist & remote_dist;
1727        rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1728
1729        smp->remote_key_dist = rsp->init_key_dist;
1730}
1731
1732static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1733{
1734        struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1735        struct l2cap_chan *chan = conn->smp;
1736        struct hci_dev *hdev = conn->hcon->hdev;
1737        struct smp_chan *smp;
1738        u8 key_size, auth, sec_level;
1739        int ret;
1740
1741        BT_DBG("conn %p", conn);
1742
1743        if (skb->len < sizeof(*req))
1744                return SMP_INVALID_PARAMS;
1745
1746        if (conn->hcon->role != HCI_ROLE_SLAVE)
1747                return SMP_CMD_NOTSUPP;
1748
1749        if (!chan->data)
1750                smp = smp_chan_create(conn);
1751        else
1752                smp = chan->data;
1753
1754        if (!smp)
1755                return SMP_UNSPECIFIED;
1756
1757        /* We didn't start the pairing, so match remote */
1758        auth = req->auth_req & AUTH_REQ_MASK(hdev);
1759
1760        if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1761            (auth & SMP_AUTH_BONDING))
1762                return SMP_PAIRING_NOTSUPP;
1763
1764        if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1765                return SMP_AUTH_REQUIREMENTS;
1766
1767        smp->preq[0] = SMP_CMD_PAIRING_REQ;
1768        memcpy(&smp->preq[1], req, sizeof(*req));
1769        skb_pull(skb, sizeof(*req));
1770
1771        /* If the remote side's OOB flag is set it means it has
1772         * successfully received our local OOB data - therefore set the
1773         * flag to indicate that local OOB is in use.
1774         */
1775        if (req->oob_flag == SMP_OOB_PRESENT)
1776                set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1777
1778        /* SMP over BR/EDR requires special treatment */
1779        if (conn->hcon->type == ACL_LINK) {
1780                /* We must have a BR/EDR SC link */
1781                if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1782                    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1783                        return SMP_CROSS_TRANSP_NOT_ALLOWED;
1784
1785                set_bit(SMP_FLAG_SC, &smp->flags);
1786
1787                build_bredr_pairing_cmd(smp, req, &rsp);
1788
1789                if (req->auth_req & SMP_AUTH_CT2)
1790                        set_bit(SMP_FLAG_CT2, &smp->flags);
1791
1792                key_size = min(req->max_key_size, rsp.max_key_size);
1793                if (check_enc_key_size(conn, key_size))
1794                        return SMP_ENC_KEY_SIZE;
1795
1796                /* Clear bits which are generated but not distributed */
1797                smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1798
1799                smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1800                memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1801                smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1802
1803                smp_distribute_keys(smp);
1804                return 0;
1805        }
1806
1807        build_pairing_cmd(conn, req, &rsp, auth);
1808
1809        if (rsp.auth_req & SMP_AUTH_SC) {
1810                set_bit(SMP_FLAG_SC, &smp->flags);
1811
1812                if (rsp.auth_req & SMP_AUTH_CT2)
1813                        set_bit(SMP_FLAG_CT2, &smp->flags);
1814        }
1815
1816        if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1817                sec_level = BT_SECURITY_MEDIUM;
1818        else
1819                sec_level = authreq_to_seclevel(auth);
1820
1821        if (sec_level > conn->hcon->pending_sec_level)
1822                conn->hcon->pending_sec_level = sec_level;
1823
1824        /* If we need MITM check that it can be achieved */
1825        if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1826                u8 method;
1827
1828                method = get_auth_method(smp, conn->hcon->io_capability,
1829                                         req->io_capability);
1830                if (method == JUST_WORKS || method == JUST_CFM)
1831                        return SMP_AUTH_REQUIREMENTS;
1832        }
1833
1834        key_size = min(req->max_key_size, rsp.max_key_size);
1835        if (check_enc_key_size(conn, key_size))
1836                return SMP_ENC_KEY_SIZE;
1837
1838        get_random_bytes(smp->prnd, sizeof(smp->prnd));
1839
1840        smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1841        memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1842
1843        smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1844
1845        clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1846
1847        /* Strictly speaking we shouldn't allow Pairing Confirm for the
1848         * SC case, however some implementations incorrectly copy RFU auth
1849         * req bits from our security request, which may create a false
1850         * positive SC enablement.
1851         */
1852        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1853
1854        if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1855                SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1856                /* Clear bits which are generated but not distributed */
1857                smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1858                /* Wait for Public Key from Initiating Device */
1859                return 0;
1860        }
1861
1862        /* Request setup of TK */
1863        ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1864        if (ret)
1865                return SMP_UNSPECIFIED;
1866
1867        return 0;
1868}
1869
1870static u8 sc_send_public_key(struct smp_chan *smp)
1871{
1872        struct hci_dev *hdev = smp->conn->hcon->hdev;
1873
1874        BT_DBG("");
1875
1876        if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1877                struct l2cap_chan *chan = hdev->smp_data;
1878                struct smp_dev *smp_dev;
1879
1880                if (!chan || !chan->data)
1881                        return SMP_UNSPECIFIED;
1882
1883                smp_dev = chan->data;
1884
1885                memcpy(smp->local_pk, smp_dev->local_pk, 64);
1886                memcpy(smp->local_sk, smp_dev->local_sk, 32);
1887                memcpy(smp->lr, smp_dev->local_rand, 16);
1888
1889                if (smp_dev->debug_key)
1890                        set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1891
1892                goto done;
1893        }
1894
1895        if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1896                BT_DBG("Using debug keys");
1897                memcpy(smp->local_pk, debug_pk, 64);
1898                memcpy(smp->local_sk, debug_sk, 32);
1899                set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1900        } else {
1901                while (true) {
1902                        /* Seed private key with random number */
1903                        get_random_bytes(smp->local_sk, 32);
1904
1905                        /* Generate local key pair for Secure Connections */
1906                        if (!generate_ecdh_keys(smp->local_pk, smp->local_sk))
1907                                return SMP_UNSPECIFIED;
1908
1909                        /* This is unlikely, but we need to check that
1910                         * we didn't accidentially generate a debug key.
1911                         */
1912                        if (crypto_memneq(smp->local_sk, debug_sk, 32))
1913                                break;
1914                }
1915        }
1916
1917done:
1918        SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1919        SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1920        SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1921
1922        smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1923
1924        return 0;
1925}
1926
1927static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1928{
1929        struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1930        struct l2cap_chan *chan = conn->smp;
1931        struct smp_chan *smp = chan->data;
1932        struct hci_dev *hdev = conn->hcon->hdev;
1933        u8 key_size, auth;
1934        int ret;
1935
1936        BT_DBG("conn %p", conn);
1937
1938        if (skb->len < sizeof(*rsp))
1939                return SMP_INVALID_PARAMS;
1940
1941        if (conn->hcon->role != HCI_ROLE_MASTER)
1942                return SMP_CMD_NOTSUPP;
1943
1944        skb_pull(skb, sizeof(*rsp));
1945
1946        req = (void *) &smp->preq[1];
1947
1948        key_size = min(req->max_key_size, rsp->max_key_size);
1949        if (check_enc_key_size(conn, key_size))
1950                return SMP_ENC_KEY_SIZE;
1951
1952        auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1953
1954        if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1955                return SMP_AUTH_REQUIREMENTS;
1956
1957        /* If the remote side's OOB flag is set it means it has
1958         * successfully received our local OOB data - therefore set the
1959         * flag to indicate that local OOB is in use.
1960         */
1961        if (rsp->oob_flag == SMP_OOB_PRESENT)
1962                set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1963
1964        smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1965        memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1966
1967        /* Update remote key distribution in case the remote cleared
1968         * some bits that we had enabled in our request.
1969         */
1970        smp->remote_key_dist &= rsp->resp_key_dist;
1971
1972        if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1973                set_bit(SMP_FLAG_CT2, &smp->flags);
1974
1975        /* For BR/EDR this means we're done and can start phase 3 */
1976        if (conn->hcon->type == ACL_LINK) {
1977                /* Clear bits which are generated but not distributed */
1978                smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1979                smp_distribute_keys(smp);
1980                return 0;
1981        }
1982
1983        if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1984                set_bit(SMP_FLAG_SC, &smp->flags);
1985        else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1986                conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1987
1988        /* If we need MITM check that it can be achieved */
1989        if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1990                u8 method;
1991
1992                method = get_auth_method(smp, req->io_capability,
1993                                         rsp->io_capability);
1994                if (method == JUST_WORKS || method == JUST_CFM)
1995                        return SMP_AUTH_REQUIREMENTS;
1996        }
1997
1998        get_random_bytes(smp->prnd, sizeof(smp->prnd));
1999
2000        /* Update remote key distribution in case the remote cleared
2001         * some bits that we had enabled in our request.
2002         */
2003        smp->remote_key_dist &= rsp->resp_key_dist;
2004
2005        if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2006                /* Clear bits which are generated but not distributed */
2007                smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2008                SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2009                return sc_send_public_key(smp);
2010        }
2011
2012        auth |= req->auth_req;
2013
2014        ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2015        if (ret)
2016                return SMP_UNSPECIFIED;
2017
2018        set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2019
2020        /* Can't compose response until we have been confirmed */
2021        if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2022                return smp_confirm(smp);
2023
2024        return 0;
2025}
2026
2027static u8 sc_check_confirm(struct smp_chan *smp)
2028{
2029        struct l2cap_conn *conn = smp->conn;
2030
2031        BT_DBG("");
2032
2033        if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2034                return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2035
2036        if (conn->hcon->out) {
2037                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2038                             smp->prnd);
2039                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2040        }
2041
2042        return 0;
2043}
2044
2045/* Work-around for some implementations that incorrectly copy RFU bits
2046 * from our security request and thereby create the impression that
2047 * we're doing SC when in fact the remote doesn't support it.
2048 */
2049static int fixup_sc_false_positive(struct smp_chan *smp)
2050{
2051        struct l2cap_conn *conn = smp->conn;
2052        struct hci_conn *hcon = conn->hcon;
2053        struct hci_dev *hdev = hcon->hdev;
2054        struct smp_cmd_pairing *req, *rsp;
2055        u8 auth;
2056
2057        /* The issue is only observed when we're in slave role */
2058        if (hcon->out)
2059                return SMP_UNSPECIFIED;
2060
2061        if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2062                BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2063                return SMP_UNSPECIFIED;
2064        }
2065
2066        BT_ERR("Trying to fall back to legacy SMP");
2067
2068        req = (void *) &smp->preq[1];
2069        rsp = (void *) &smp->prsp[1];
2070
2071        /* Rebuild key dist flags which may have been cleared for SC */
2072        smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2073
2074        auth = req->auth_req & AUTH_REQ_MASK(hdev);
2075
2076        if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2077                BT_ERR("Failed to fall back to legacy SMP");
2078                return SMP_UNSPECIFIED;
2079        }
2080
2081        clear_bit(SMP_FLAG_SC, &smp->flags);
2082
2083        return 0;
2084}
2085
2086static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2087{
2088        struct l2cap_chan *chan = conn->smp;
2089        struct smp_chan *smp = chan->data;
2090
2091        BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2092
2093        if (skb->len < sizeof(smp->pcnf))
2094                return SMP_INVALID_PARAMS;
2095
2096        memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2097        skb_pull(skb, sizeof(smp->pcnf));
2098
2099        if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2100                int ret;
2101
2102                /* Public Key exchange must happen before any other steps */
2103                if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2104                        return sc_check_confirm(smp);
2105
2106                BT_ERR("Unexpected SMP Pairing Confirm");
2107
2108                ret = fixup_sc_false_positive(smp);
2109                if (ret)
2110                        return ret;
2111        }
2112
2113        if (conn->hcon->out) {
2114                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2115                             smp->prnd);
2116                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2117                return 0;
2118        }
2119
2120        if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2121                return smp_confirm(smp);
2122
2123        set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2124
2125        return 0;
2126}
2127
2128static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2129{
2130        struct l2cap_chan *chan = conn->smp;
2131        struct smp_chan *smp = chan->data;
2132        struct hci_conn *hcon = conn->hcon;
2133        u8 *pkax, *pkbx, *na, *nb;
2134        u32 passkey;
2135        int err;
2136
2137        BT_DBG("conn %p", conn);
2138
2139        if (skb->len < sizeof(smp->rrnd))
2140                return SMP_INVALID_PARAMS;
2141
2142        memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2143        skb_pull(skb, sizeof(smp->rrnd));
2144
2145        if (!test_bit(SMP_FLAG_SC, &smp->flags))
2146                return smp_random(smp);
2147
2148        if (hcon->out) {
2149                pkax = smp->local_pk;
2150                pkbx = smp->remote_pk;
2151                na   = smp->prnd;
2152                nb   = smp->rrnd;
2153        } else {
2154                pkax = smp->remote_pk;
2155                pkbx = smp->local_pk;
2156                na   = smp->rrnd;
2157                nb   = smp->prnd;
2158        }
2159
2160        if (smp->method == REQ_OOB) {
2161                if (!hcon->out)
2162                        smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2163                                     sizeof(smp->prnd), smp->prnd);
2164                SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165                goto mackey_and_ltk;
2166        }
2167
2168        /* Passkey entry has special treatment */
2169        if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2170                return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2171
2172        if (hcon->out) {
2173                u8 cfm[16];
2174
2175                err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2176                             smp->rrnd, 0, cfm);
2177                if (err)
2178                        return SMP_UNSPECIFIED;
2179
2180                if (crypto_memneq(smp->pcnf, cfm, 16))
2181                        return SMP_CONFIRM_FAILED;
2182        } else {
2183                smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2184                             smp->prnd);
2185                SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2186        }
2187
2188mackey_and_ltk:
2189        /* Generate MacKey and LTK */
2190        err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2191        if (err)
2192                return SMP_UNSPECIFIED;
2193
2194        if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2195                if (hcon->out) {
2196                        sc_dhkey_check(smp);
2197                        SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2198                }
2199                return 0;
2200        }
2201
2202        err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2203        if (err)
2204                return SMP_UNSPECIFIED;
2205
2206        err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2207                                        hcon->dst_type, passkey, 0);
2208        if (err)
2209                return SMP_UNSPECIFIED;
2210
2211        set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2212
2213        return 0;
2214}
2215
2216static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2217{
2218        struct smp_ltk *key;
2219        struct hci_conn *hcon = conn->hcon;
2220
2221        key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2222        if (!key)
2223                return false;
2224
2225        if (smp_ltk_sec_level(key) < sec_level)
2226                return false;
2227
2228        if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2229                return true;
2230
2231        hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2232        hcon->enc_key_size = key->enc_size;
2233
2234        /* We never store STKs for master role, so clear this flag */
2235        clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2236
2237        return true;
2238}
2239
2240bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2241                             enum smp_key_pref key_pref)
2242{
2243        if (sec_level == BT_SECURITY_LOW)
2244                return true;
2245
2246        /* If we're encrypted with an STK but the caller prefers using
2247         * LTK claim insufficient security. This way we allow the
2248         * connection to be re-encrypted with an LTK, even if the LTK
2249         * provides the same level of security. Only exception is if we
2250         * don't have an LTK (e.g. because of key distribution bits).
2251         */
2252        if (key_pref == SMP_USE_LTK &&
2253            test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2254            hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2255                return false;
2256
2257        if (hcon->sec_level >= sec_level)
2258                return true;
2259
2260        return false;
2261}
2262
2263static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2264{
2265        struct smp_cmd_security_req *rp = (void *) skb->data;
2266        struct smp_cmd_pairing cp;
2267        struct hci_conn *hcon = conn->hcon;
2268        struct hci_dev *hdev = hcon->hdev;
2269        struct smp_chan *smp;
2270        u8 sec_level, auth;
2271
2272        BT_DBG("conn %p", conn);
2273
2274        if (skb->len < sizeof(*rp))
2275                return SMP_INVALID_PARAMS;
2276
2277        if (hcon->role != HCI_ROLE_MASTER)
2278                return SMP_CMD_NOTSUPP;
2279
2280        auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2281
2282        if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2283                return SMP_AUTH_REQUIREMENTS;
2284
2285        if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2286                sec_level = BT_SECURITY_MEDIUM;
2287        else
2288                sec_level = authreq_to_seclevel(auth);
2289
2290        if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2291                return 0;
2292
2293        if (sec_level > hcon->pending_sec_level)
2294                hcon->pending_sec_level = sec_level;
2295
2296        if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2297                return 0;
2298
2299        smp = smp_chan_create(conn);
2300        if (!smp)
2301                return SMP_UNSPECIFIED;
2302
2303        if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2304            (auth & SMP_AUTH_BONDING))
2305                return SMP_PAIRING_NOTSUPP;
2306
2307        skb_pull(skb, sizeof(*rp));
2308
2309        memset(&cp, 0, sizeof(cp));
2310        build_pairing_cmd(conn, &cp, NULL, auth);
2311
2312        smp->preq[0] = SMP_CMD_PAIRING_REQ;
2313        memcpy(&smp->preq[1], &cp, sizeof(cp));
2314
2315        smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2316        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2317
2318        return 0;
2319}
2320
2321int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2322{
2323        struct l2cap_conn *conn = hcon->l2cap_data;
2324        struct l2cap_chan *chan;
2325        struct smp_chan *smp;
2326        __u8 authreq;
2327        int ret;
2328
2329        BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2330
2331        /* This may be NULL if there's an unexpected disconnection */
2332        if (!conn)
2333                return 1;
2334
2335        if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2336                return 1;
2337
2338        if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2339                return 1;
2340
2341        if (sec_level > hcon->pending_sec_level)
2342                hcon->pending_sec_level = sec_level;
2343
2344        if (hcon->role == HCI_ROLE_MASTER)
2345                if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2346                        return 0;
2347
2348        chan = conn->smp;
2349        if (!chan) {
2350                BT_ERR("SMP security requested but not available");
2351                return 1;
2352        }
2353
2354        l2cap_chan_lock(chan);
2355
2356        /* If SMP is already in progress ignore this request */
2357        if (chan->data) {
2358                ret = 0;
2359                goto unlock;
2360        }
2361
2362        smp = smp_chan_create(conn);
2363        if (!smp) {
2364                ret = 1;
2365                goto unlock;
2366        }
2367
2368        authreq = seclevel_to_authreq(sec_level);
2369
2370        if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2371                authreq |= SMP_AUTH_SC;
2372                if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2373                        authreq |= SMP_AUTH_CT2;
2374        }
2375
2376        /* Require MITM if IO Capability allows or the security level
2377         * requires it.
2378         */
2379        if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2380            hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2381                authreq |= SMP_AUTH_MITM;
2382
2383        if (hcon->role == HCI_ROLE_MASTER) {
2384                struct smp_cmd_pairing cp;
2385
2386                build_pairing_cmd(conn, &cp, NULL, authreq);
2387                smp->preq[0] = SMP_CMD_PAIRING_REQ;
2388                memcpy(&smp->preq[1], &cp, sizeof(cp));
2389
2390                smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2391                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2392        } else {
2393                struct smp_cmd_security_req cp;
2394                cp.auth_req = authreq;
2395                smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2396                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2397        }
2398
2399        set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2400        ret = 0;
2401
2402unlock:
2403        l2cap_chan_unlock(chan);
2404        return ret;
2405}
2406
2407void smp_cancel_pairing(struct hci_conn *hcon)
2408{
2409        struct l2cap_conn *conn = hcon->l2cap_data;
2410        struct l2cap_chan *chan;
2411        struct smp_chan *smp;
2412
2413        if (!conn)
2414                return;
2415
2416        chan = conn->smp;
2417        if (!chan)
2418                return;
2419
2420        l2cap_chan_lock(chan);
2421
2422        smp = chan->data;
2423        if (smp) {
2424                if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2425                        smp_failure(conn, 0);
2426                else
2427                        smp_failure(conn, SMP_UNSPECIFIED);
2428        }
2429
2430        l2cap_chan_unlock(chan);
2431}
2432
2433static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2434{
2435        struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2436        struct l2cap_chan *chan = conn->smp;
2437        struct smp_chan *smp = chan->data;
2438
2439        BT_DBG("conn %p", conn);
2440
2441        if (skb->len < sizeof(*rp))
2442                return SMP_INVALID_PARAMS;
2443
2444        SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2445
2446        skb_pull(skb, sizeof(*rp));
2447
2448        memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2449
2450        return 0;
2451}
2452
2453static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2454{
2455        struct smp_cmd_master_ident *rp = (void *) skb->data;
2456        struct l2cap_chan *chan = conn->smp;
2457        struct smp_chan *smp = chan->data;
2458        struct hci_dev *hdev = conn->hcon->hdev;
2459        struct hci_conn *hcon = conn->hcon;
2460        struct smp_ltk *ltk;
2461        u8 authenticated;
2462
2463        BT_DBG("conn %p", conn);
2464
2465        if (skb->len < sizeof(*rp))
2466                return SMP_INVALID_PARAMS;
2467
2468        /* Mark the information as received */
2469        smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2470
2471        if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2472                SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2473        else if (smp->remote_key_dist & SMP_DIST_SIGN)
2474                SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2475
2476        skb_pull(skb, sizeof(*rp));
2477
2478        authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2479        ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2480                          authenticated, smp->tk, smp->enc_key_size,
2481                          rp->ediv, rp->rand);
2482        smp->ltk = ltk;
2483        if (!(smp->remote_key_dist & KEY_DIST_MASK))
2484                smp_distribute_keys(smp);
2485
2486        return 0;
2487}
2488
2489static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2490{
2491        struct smp_cmd_ident_info *info = (void *) skb->data;
2492        struct l2cap_chan *chan = conn->smp;
2493        struct smp_chan *smp = chan->data;
2494
2495        BT_DBG("");
2496
2497        if (skb->len < sizeof(*info))
2498                return SMP_INVALID_PARAMS;
2499
2500        SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2501
2502        skb_pull(skb, sizeof(*info));
2503
2504        memcpy(smp->irk, info->irk, 16);
2505
2506        return 0;
2507}
2508
2509static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2510                                   struct sk_buff *skb)
2511{
2512        struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2513        struct l2cap_chan *chan = conn->smp;
2514        struct smp_chan *smp = chan->data;
2515        struct hci_conn *hcon = conn->hcon;
2516        bdaddr_t rpa;
2517
2518        BT_DBG("");
2519
2520        if (skb->len < sizeof(*info))
2521                return SMP_INVALID_PARAMS;
2522
2523        /* Mark the information as received */
2524        smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2525
2526        if (smp->remote_key_dist & SMP_DIST_SIGN)
2527                SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2528
2529        skb_pull(skb, sizeof(*info));
2530
2531        /* Strictly speaking the Core Specification (4.1) allows sending
2532         * an empty address which would force us to rely on just the IRK
2533         * as "identity information". However, since such
2534         * implementations are not known of and in order to not over
2535         * complicate our implementation, simply pretend that we never
2536         * received an IRK for such a device.
2537         *
2538         * The Identity Address must also be a Static Random or Public
2539         * Address, which hci_is_identity_address() checks for.
2540         */
2541        if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2542            !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2543                BT_ERR("Ignoring IRK with no identity address");
2544                goto distribute;
2545        }
2546
2547        bacpy(&smp->id_addr, &info->bdaddr);
2548        smp->id_addr_type = info->addr_type;
2549
2550        if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2551                bacpy(&rpa, &hcon->dst);
2552        else
2553                bacpy(&rpa, BDADDR_ANY);
2554
2555        smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2556                                      smp->id_addr_type, smp->irk, &rpa);
2557
2558distribute:
2559        if (!(smp->remote_key_dist & KEY_DIST_MASK))
2560                smp_distribute_keys(smp);
2561
2562        return 0;
2563}
2564
2565static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2566{
2567        struct smp_cmd_sign_info *rp = (void *) skb->data;
2568        struct l2cap_chan *chan = conn->smp;
2569        struct smp_chan *smp = chan->data;
2570        struct smp_csrk *csrk;
2571
2572        BT_DBG("conn %p", conn);
2573
2574        if (skb->len < sizeof(*rp))
2575                return SMP_INVALID_PARAMS;
2576
2577        /* Mark the information as received */
2578        smp->remote_key_dist &= ~SMP_DIST_SIGN;
2579
2580        skb_pull(skb, sizeof(*rp));
2581
2582        csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2583        if (csrk) {
2584                if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2585                        csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2586                else
2587                        csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2588                memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2589        }
2590        smp->csrk = csrk;
2591        smp_distribute_keys(smp);
2592
2593        return 0;
2594}
2595
2596static u8 sc_select_method(struct smp_chan *smp)
2597{
2598        struct l2cap_conn *conn = smp->conn;
2599        struct hci_conn *hcon = conn->hcon;
2600        struct smp_cmd_pairing *local, *remote;
2601        u8 local_mitm, remote_mitm, local_io, remote_io, method;
2602
2603        if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2604            test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2605                return REQ_OOB;
2606
2607        /* The preq/prsp contain the raw Pairing Request/Response PDUs
2608         * which are needed as inputs to some crypto functions. To get
2609         * the "struct smp_cmd_pairing" from them we need to skip the
2610         * first byte which contains the opcode.
2611         */
2612        if (hcon->out) {
2613                local = (void *) &smp->preq[1];
2614                remote = (void *) &smp->prsp[1];
2615        } else {
2616                local = (void *) &smp->prsp[1];
2617                remote = (void *) &smp->preq[1];
2618        }
2619
2620        local_io = local->io_capability;
2621        remote_io = remote->io_capability;
2622
2623        local_mitm = (local->auth_req & SMP_AUTH_MITM);
2624        remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2625
2626        /* If either side wants MITM, look up the method from the table,
2627         * otherwise use JUST WORKS.
2628         */
2629        if (local_mitm || remote_mitm)
2630                method = get_auth_method(smp, local_io, remote_io);
2631        else
2632                method = JUST_WORKS;
2633
2634        /* Don't confirm locally initiated pairing attempts */
2635        if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2636                method = JUST_WORKS;
2637
2638        return method;
2639}
2640
2641static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2642{
2643        struct smp_cmd_public_key *key = (void *) skb->data;
2644        struct hci_conn *hcon = conn->hcon;
2645        struct l2cap_chan *chan = conn->smp;
2646        struct smp_chan *smp = chan->data;
2647        struct hci_dev *hdev = hcon->hdev;
2648        struct smp_cmd_pairing_confirm cfm;
2649        int err;
2650
2651        BT_DBG("conn %p", conn);
2652
2653        if (skb->len < sizeof(*key))
2654                return SMP_INVALID_PARAMS;
2655
2656        memcpy(smp->remote_pk, key, 64);
2657
2658        if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2659                err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2660                             smp->rr, 0, cfm.confirm_val);
2661                if (err)
2662                        return SMP_UNSPECIFIED;
2663
2664                if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2665                        return SMP_CONFIRM_FAILED;
2666        }
2667
2668        /* Non-initiating device sends its public key after receiving
2669         * the key from the initiating device.
2670         */
2671        if (!hcon->out) {
2672                err = sc_send_public_key(smp);
2673                if (err)
2674                        return err;
2675        }
2676
2677        SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2678        SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2679
2680        if (!compute_ecdh_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2681                return SMP_UNSPECIFIED;
2682
2683        SMP_DBG("DHKey %32phN", smp->dhkey);
2684
2685        set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2686
2687        smp->method = sc_select_method(smp);
2688
2689        BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2690
2691        /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2692        if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2693                hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2694        else
2695                hcon->pending_sec_level = BT_SECURITY_FIPS;
2696
2697        if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2698                set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2699
2700        if (smp->method == DSP_PASSKEY) {
2701                get_random_bytes(&hcon->passkey_notify,
2702                                 sizeof(hcon->passkey_notify));
2703                hcon->passkey_notify %= 1000000;
2704                hcon->passkey_entered = 0;
2705                smp->passkey_round = 0;
2706                if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2707                                             hcon->dst_type,
2708                                             hcon->passkey_notify,
2709                                             hcon->passkey_entered))
2710                        return SMP_UNSPECIFIED;
2711                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2712                return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2713        }
2714
2715        if (smp->method == REQ_OOB) {
2716                if (hcon->out)
2717                        smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2718                                     sizeof(smp->prnd), smp->prnd);
2719
2720                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2721
2722                return 0;
2723        }
2724
2725        if (hcon->out)
2726                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2727
2728        if (smp->method == REQ_PASSKEY) {
2729                if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2730                                              hcon->dst_type))
2731                        return SMP_UNSPECIFIED;
2732                SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2733                set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2734                return 0;
2735        }
2736
2737        /* The Initiating device waits for the non-initiating device to
2738         * send the confirm value.
2739         */
2740        if (conn->hcon->out)
2741                return 0;
2742
2743        err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2744                     0, cfm.confirm_val);
2745        if (err)
2746                return SMP_UNSPECIFIED;
2747
2748        smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2749        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2750
2751        return 0;
2752}
2753
2754static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2755{
2756        struct smp_cmd_dhkey_check *check = (void *) skb->data;
2757        struct l2cap_chan *chan = conn->smp;
2758        struct hci_conn *hcon = conn->hcon;
2759        struct smp_chan *smp = chan->data;
2760        u8 a[7], b[7], *local_addr, *remote_addr;
2761        u8 io_cap[3], r[16], e[16];
2762        int err;
2763
2764        BT_DBG("conn %p", conn);
2765
2766        if (skb->len < sizeof(*check))
2767                return SMP_INVALID_PARAMS;
2768
2769        memcpy(a, &hcon->init_addr, 6);
2770        memcpy(b, &hcon->resp_addr, 6);
2771        a[6] = hcon->init_addr_type;
2772        b[6] = hcon->resp_addr_type;
2773
2774        if (hcon->out) {
2775                local_addr = a;
2776                remote_addr = b;
2777                memcpy(io_cap, &smp->prsp[1], 3);
2778        } else {
2779                local_addr = b;
2780                remote_addr = a;
2781                memcpy(io_cap, &smp->preq[1], 3);
2782        }
2783
2784        memset(r, 0, sizeof(r));
2785
2786        if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2787                put_unaligned_le32(hcon->passkey_notify, r);
2788        else if (smp->method == REQ_OOB)
2789                memcpy(r, smp->lr, 16);
2790
2791        err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2792                     io_cap, remote_addr, local_addr, e);
2793        if (err)
2794                return SMP_UNSPECIFIED;
2795
2796        if (crypto_memneq(check->e, e, 16))
2797                return SMP_DHKEY_CHECK_FAILED;
2798
2799        if (!hcon->out) {
2800                if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2801                        set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2802                        return 0;
2803                }
2804
2805                /* Slave sends DHKey check as response to master */
2806                sc_dhkey_check(smp);
2807        }
2808
2809        sc_add_ltk(smp);
2810
2811        if (hcon->out) {
2812                hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2813                hcon->enc_key_size = smp->enc_key_size;
2814        }
2815
2816        return 0;
2817}
2818
2819static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2820                                   struct sk_buff *skb)
2821{
2822        struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2823
2824        BT_DBG("value 0x%02x", kp->value);
2825
2826        return 0;
2827}
2828
2829static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2830{
2831        struct l2cap_conn *conn = chan->conn;
2832        struct hci_conn *hcon = conn->hcon;
2833        struct smp_chan *smp;
2834        __u8 code, reason;
2835        int err = 0;
2836
2837        if (skb->len < 1)
2838                return -EILSEQ;
2839
2840        if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2841                reason = SMP_PAIRING_NOTSUPP;
2842                goto done;
2843        }
2844
2845        code = skb->data[0];
2846        skb_pull(skb, sizeof(code));
2847
2848        smp = chan->data;
2849
2850        if (code > SMP_CMD_MAX)
2851                goto drop;
2852
2853        if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2854                goto drop;
2855
2856        /* If we don't have a context the only allowed commands are
2857         * pairing request and security request.
2858         */
2859        if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2860                goto drop;
2861
2862        switch (code) {
2863        case SMP_CMD_PAIRING_REQ:
2864                reason = smp_cmd_pairing_req(conn, skb);
2865                break;
2866
2867        case SMP_CMD_PAIRING_FAIL:
2868                smp_failure(conn, 0);
2869                err = -EPERM;
2870                break;
2871
2872        case SMP_CMD_PAIRING_RSP:
2873                reason = smp_cmd_pairing_rsp(conn, skb);
2874                break;
2875
2876        case SMP_CMD_SECURITY_REQ:
2877                reason = smp_cmd_security_req(conn, skb);
2878                break;
2879
2880        case SMP_CMD_PAIRING_CONFIRM:
2881                reason = smp_cmd_pairing_confirm(conn, skb);
2882                break;
2883
2884        case SMP_CMD_PAIRING_RANDOM:
2885                reason = smp_cmd_pairing_random(conn, skb);
2886                break;
2887
2888        case SMP_CMD_ENCRYPT_INFO:
2889                reason = smp_cmd_encrypt_info(conn, skb);
2890                break;
2891
2892        case SMP_CMD_MASTER_IDENT:
2893                reason = smp_cmd_master_ident(conn, skb);
2894                break;
2895
2896        case SMP_CMD_IDENT_INFO:
2897                reason = smp_cmd_ident_info(conn, skb);
2898                break;
2899
2900        case SMP_CMD_IDENT_ADDR_INFO:
2901                reason = smp_cmd_ident_addr_info(conn, skb);
2902                break;
2903
2904        case SMP_CMD_SIGN_INFO:
2905                reason = smp_cmd_sign_info(conn, skb);
2906                break;
2907
2908        case SMP_CMD_PUBLIC_KEY:
2909                reason = smp_cmd_public_key(conn, skb);
2910                break;
2911
2912        case SMP_CMD_DHKEY_CHECK:
2913                reason = smp_cmd_dhkey_check(conn, skb);
2914                break;
2915
2916        case SMP_CMD_KEYPRESS_NOTIFY:
2917                reason = smp_cmd_keypress_notify(conn, skb);
2918                break;
2919
2920        default:
2921                BT_DBG("Unknown command code 0x%2.2x", code);
2922                reason = SMP_CMD_NOTSUPP;
2923                goto done;
2924        }
2925
2926done:
2927        if (!err) {
2928                if (reason)
2929                        smp_failure(conn, reason);
2930                kfree_skb(skb);
2931        }
2932
2933        return err;
2934
2935drop:
2936        BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2937               code, &hcon->dst);
2938        kfree_skb(skb);
2939        return 0;
2940}
2941
2942static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2943{
2944        struct l2cap_conn *conn = chan->conn;
2945
2946        BT_DBG("chan %p", chan);
2947
2948        if (chan->data)
2949                smp_chan_destroy(conn);
2950
2951        conn->smp = NULL;
2952        l2cap_chan_put(chan);
2953}
2954
2955static void bredr_pairing(struct l2cap_chan *chan)
2956{
2957        struct l2cap_conn *conn = chan->conn;
2958        struct hci_conn *hcon = conn->hcon;
2959        struct hci_dev *hdev = hcon->hdev;
2960        struct smp_cmd_pairing req;
2961        struct smp_chan *smp;
2962
2963        BT_DBG("chan %p", chan);
2964
2965        /* Only new pairings are interesting */
2966        if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2967                return;
2968
2969        /* Don't bother if we're not encrypted */
2970        if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2971                return;
2972
2973        /* Only master may initiate SMP over BR/EDR */
2974        if (hcon->role != HCI_ROLE_MASTER)
2975                return;
2976
2977        /* Secure Connections support must be enabled */
2978        if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2979                return;
2980
2981        /* BR/EDR must use Secure Connections for SMP */
2982        if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2983            !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2984                return;
2985
2986        /* If our LE support is not enabled don't do anything */
2987        if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2988                return;
2989
2990        /* Don't bother if remote LE support is not enabled */
2991        if (!lmp_host_le_capable(hcon))
2992                return;
2993
2994        /* Remote must support SMP fixed chan for BR/EDR */
2995        if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2996                return;
2997
2998        /* Don't bother if SMP is already ongoing */
2999        if (chan->data)
3000                return;
3001
3002        smp = smp_chan_create(conn);
3003        if (!smp) {
3004                BT_ERR("%s unable to create SMP context for BR/EDR",
3005                       hdev->name);
3006                return;
3007        }
3008
3009        set_bit(SMP_FLAG_SC, &smp->flags);
3010
3011        BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3012
3013        /* Prepare and send the BR/EDR SMP Pairing Request */
3014        build_bredr_pairing_cmd(smp, &req, NULL);
3015
3016        smp->preq[0] = SMP_CMD_PAIRING_REQ;
3017        memcpy(&smp->preq[1], &req, sizeof(req));
3018
3019        smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3020        SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3021}
3022
3023static void smp_resume_cb(struct l2cap_chan *chan)
3024{
3025        struct smp_chan *smp = chan->data;
3026        struct l2cap_conn *conn = chan->conn;
3027        struct hci_conn *hcon = conn->hcon;
3028
3029        BT_DBG("chan %p", chan);
3030
3031        if (hcon->type == ACL_LINK) {
3032                bredr_pairing(chan);
3033                return;
3034        }
3035
3036        if (!smp)
3037                return;
3038
3039        if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3040                return;
3041
3042        cancel_delayed_work(&smp->security_timer);
3043
3044        smp_distribute_keys(smp);
3045}
3046
3047static void smp_ready_cb(struct l2cap_chan *chan)
3048{
3049        struct l2cap_conn *conn = chan->conn;
3050        struct hci_conn *hcon = conn->hcon;
3051
3052        BT_DBG("chan %p", chan);
3053
3054        /* No need to call l2cap_chan_hold() here since we already own
3055         * the reference taken in smp_new_conn_cb(). This is just the
3056         * first time that we tie it to a specific pointer. The code in
3057         * l2cap_core.c ensures that there's no risk this function wont
3058         * get called if smp_new_conn_cb was previously called.
3059         */
3060        conn->smp = chan;
3061
3062        if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3063                bredr_pairing(chan);
3064}
3065
3066static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3067{
3068        int err;
3069
3070        BT_DBG("chan %p", chan);
3071
3072        err = smp_sig_channel(chan, skb);
3073        if (err) {
3074                struct smp_chan *smp = chan->data;
3075
3076                if (smp)
3077                        cancel_delayed_work_sync(&smp->security_timer);
3078
3079                hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3080        }
3081
3082        return err;
3083}
3084
3085static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3086                                        unsigned long hdr_len,
3087                                        unsigned long len, int nb)
3088{
3089        struct sk_buff *skb;
3090
3091        skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3092        if (!skb)
3093                return ERR_PTR(-ENOMEM);
3094
3095        skb->priority = HCI_PRIO_MAX;
3096        bt_cb(skb)->l2cap.chan = chan;
3097
3098        return skb;
3099}
3100
3101static const struct l2cap_ops smp_chan_ops = {
3102        .name                   = "Security Manager",
3103        .ready                  = smp_ready_cb,
3104        .recv                   = smp_recv_cb,
3105        .alloc_skb              = smp_alloc_skb_cb,
3106        .teardown               = smp_teardown_cb,
3107        .resume                 = smp_resume_cb,
3108
3109        .new_connection         = l2cap_chan_no_new_connection,
3110        .state_change           = l2cap_chan_no_state_change,
3111        .close                  = l2cap_chan_no_close,
3112        .defer                  = l2cap_chan_no_defer,
3113        .suspend                = l2cap_chan_no_suspend,
3114        .set_shutdown           = l2cap_chan_no_set_shutdown,
3115        .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3116};
3117
3118static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3119{
3120        struct l2cap_chan *chan;
3121
3122        BT_DBG("pchan %p", pchan);
3123
3124        chan = l2cap_chan_create();
3125        if (!chan)
3126                return NULL;
3127
3128        chan->chan_type = pchan->chan_type;
3129        chan->ops       = &smp_chan_ops;
3130        chan->scid      = pchan->scid;
3131        chan->dcid      = chan->scid;
3132        chan->imtu      = pchan->imtu;
3133        chan->omtu      = pchan->omtu;
3134        chan->mode      = pchan->mode;
3135
3136        /* Other L2CAP channels may request SMP routines in order to
3137         * change the security level. This means that the SMP channel
3138         * lock must be considered in its own category to avoid lockdep
3139         * warnings.
3140         */
3141        atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3142
3143        BT_DBG("created chan %p", chan);
3144
3145        return chan;
3146}
3147
3148static const struct l2cap_ops smp_root_chan_ops = {
3149        .name                   = "Security Manager Root",
3150        .new_connection         = smp_new_conn_cb,
3151
3152        /* None of these are implemented for the root channel */
3153        .close                  = l2cap_chan_no_close,
3154        .alloc_skb              = l2cap_chan_no_alloc_skb,
3155        .recv                   = l2cap_chan_no_recv,
3156        .state_change           = l2cap_chan_no_state_change,
3157        .teardown               = l2cap_chan_no_teardown,
3158        .ready                  = l2cap_chan_no_ready,
3159        .defer                  = l2cap_chan_no_defer,
3160        .suspend                = l2cap_chan_no_suspend,
3161        .resume                 = l2cap_chan_no_resume,
3162        .set_shutdown           = l2cap_chan_no_set_shutdown,
3163        .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3164};
3165
3166static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3167{
3168        struct l2cap_chan *chan;
3169        struct smp_dev *smp;
3170        struct crypto_cipher *tfm_aes;
3171        struct crypto_shash *tfm_cmac;
3172
3173        if (cid == L2CAP_CID_SMP_BREDR) {
3174                smp = NULL;
3175                goto create_chan;
3176        }
3177
3178        smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3179        if (!smp)
3180                return ERR_PTR(-ENOMEM);
3181
3182        tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3183        if (IS_ERR(tfm_aes)) {
3184                BT_ERR("Unable to create AES crypto context");
3185                kzfree(smp);
3186                return ERR_CAST(tfm_aes);
3187        }
3188
3189        tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3190        if (IS_ERR(tfm_cmac)) {
3191                BT_ERR("Unable to create CMAC crypto context");
3192                crypto_free_cipher(tfm_aes);
3193                kzfree(smp);
3194                return ERR_CAST(tfm_cmac);
3195        }
3196
3197        smp->tfm_aes = tfm_aes;
3198        smp->tfm_cmac = tfm_cmac;
3199        smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3200        smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3201
3202create_chan:
3203        chan = l2cap_chan_create();
3204        if (!chan) {
3205                if (smp) {
3206                        crypto_free_cipher(smp->tfm_aes);
3207                        crypto_free_shash(smp->tfm_cmac);
3208                        kzfree(smp);
3209                }
3210                return ERR_PTR(-ENOMEM);
3211        }
3212
3213        chan->data = smp;
3214
3215        l2cap_add_scid(chan, cid);
3216
3217        l2cap_chan_set_defaults(chan);
3218
3219        if (cid == L2CAP_CID_SMP) {
3220                u8 bdaddr_type;
3221
3222                hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3223
3224                if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3225                        chan->src_type = BDADDR_LE_PUBLIC;
3226                else
3227                        chan->src_type = BDADDR_LE_RANDOM;
3228        } else {
3229                bacpy(&chan->src, &hdev->bdaddr);
3230                chan->src_type = BDADDR_BREDR;
3231        }
3232
3233        chan->state = BT_LISTEN;
3234        chan->mode = L2CAP_MODE_BASIC;
3235        chan->imtu = L2CAP_DEFAULT_MTU;
3236        chan->ops = &smp_root_chan_ops;
3237
3238        /* Set correct nesting level for a parent/listening channel */
3239        atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3240
3241        return chan;
3242}
3243
3244static void smp_del_chan(struct l2cap_chan *chan)
3245{
3246        struct smp_dev *smp;
3247
3248        BT_DBG("chan %p", chan);
3249
3250        smp = chan->data;
3251        if (smp) {
3252                chan->data = NULL;
3253                crypto_free_cipher(smp->tfm_aes);
3254                crypto_free_shash(smp->tfm_cmac);
3255                kzfree(smp);
3256        }
3257
3258        l2cap_chan_put(chan);
3259}
3260
3261static ssize_t force_bredr_smp_read(struct file *file,
3262                                    char __user *user_buf,
3263                                    size_t count, loff_t *ppos)
3264{
3265        struct hci_dev *hdev = file->private_data;
3266        char buf[3];
3267
3268        buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3269        buf[1] = '\n';
3270        buf[2] = '\0';
3271        return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3272}
3273
3274static ssize_t force_bredr_smp_write(struct file *file,
3275                                     const char __user *user_buf,
3276                                     size_t count, loff_t *ppos)
3277{
3278        struct hci_dev *hdev = file->private_data;
3279        char buf[32];
3280        size_t buf_size = min(count, (sizeof(buf)-1));
3281        bool enable;
3282
3283        if (copy_from_user(buf, user_buf, buf_size))
3284                return -EFAULT;
3285
3286        buf[buf_size] = '\0';
3287        if (strtobool(buf, &enable))
3288                return -EINVAL;
3289
3290        if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3291                return -EALREADY;
3292
3293        if (enable) {
3294                struct l2cap_chan *chan;
3295
3296                chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3297                if (IS_ERR(chan))
3298                        return PTR_ERR(chan);
3299
3300                hdev->smp_bredr_data = chan;
3301        } else {
3302                struct l2cap_chan *chan;
3303
3304                chan = hdev->smp_bredr_data;
3305                hdev->smp_bredr_data = NULL;
3306                smp_del_chan(chan);
3307        }
3308
3309        hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3310
3311        return count;
3312}
3313
3314static const struct file_operations force_bredr_smp_fops = {
3315        .open           = simple_open,
3316        .read           = force_bredr_smp_read,
3317        .write          = force_bredr_smp_write,
3318        .llseek         = default_llseek,
3319};
3320
3321static ssize_t le_min_key_size_read(struct file *file,
3322                                     char __user *user_buf,
3323                                     size_t count, loff_t *ppos)
3324{
3325        struct hci_dev *hdev = file->private_data;
3326        char buf[4];
3327
3328        snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3329
3330        return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3331}
3332
3333static ssize_t le_min_key_size_write(struct file *file,
3334                                      const char __user *user_buf,
3335                                      size_t count, loff_t *ppos)
3336{
3337        struct hci_dev *hdev = file->private_data;
3338        char buf[32];
3339        size_t buf_size = min(count, (sizeof(buf) - 1));
3340        u8 key_size;
3341
3342        if (copy_from_user(buf, user_buf, buf_size))
3343                return -EFAULT;
3344
3345        buf[buf_size] = '\0';
3346
3347        sscanf(buf, "%hhu", &key_size);
3348
3349        if (key_size > SMP_DEV(hdev)->max_key_size ||
3350            key_size < SMP_MIN_ENC_KEY_SIZE)
3351                return -EINVAL;
3352
3353        SMP_DEV(hdev)->min_key_size = key_size;
3354
3355        return count;
3356}
3357
3358static const struct file_operations le_min_key_size_fops = {
3359        .open           = simple_open,
3360        .read           = le_min_key_size_read,
3361        .write          = le_min_key_size_write,
3362        .llseek         = default_llseek,
3363};
3364
3365static ssize_t le_max_key_size_read(struct file *file,
3366                                     char __user *user_buf,
3367                                     size_t count, loff_t *ppos)
3368{
3369        struct hci_dev *hdev = file->private_data;
3370        char buf[4];
3371
3372        snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3373
3374        return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3375}
3376
3377static ssize_t le_max_key_size_write(struct file *file,
3378                                      const char __user *user_buf,
3379                                      size_t count, loff_t *ppos)
3380{
3381        struct hci_dev *hdev = file->private_data;
3382        char buf[32];
3383        size_t buf_size = min(count, (sizeof(buf) - 1));
3384        u8 key_size;
3385
3386        if (copy_from_user(buf, user_buf, buf_size))
3387                return -EFAULT;
3388
3389        buf[buf_size] = '\0';
3390
3391        sscanf(buf, "%hhu", &key_size);
3392
3393        if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3394            key_size < SMP_DEV(hdev)->min_key_size)
3395                return -EINVAL;
3396
3397        SMP_DEV(hdev)->max_key_size = key_size;
3398
3399        return count;
3400}
3401
3402static const struct file_operations le_max_key_size_fops = {
3403        .open           = simple_open,
3404        .read           = le_max_key_size_read,
3405        .write          = le_max_key_size_write,
3406        .llseek         = default_llseek,
3407};
3408
3409int smp_register(struct hci_dev *hdev)
3410{
3411        struct l2cap_chan *chan;
3412
3413        BT_DBG("%s", hdev->name);
3414
3415        /* If the controller does not support Low Energy operation, then
3416         * there is also no need to register any SMP channel.
3417         */
3418        if (!lmp_le_capable(hdev))
3419                return 0;
3420
3421        if (WARN_ON(hdev->smp_data)) {
3422                chan = hdev->smp_data;
3423                hdev->smp_data = NULL;
3424                smp_del_chan(chan);
3425        }
3426
3427        chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3428        if (IS_ERR(chan))
3429                return PTR_ERR(chan);
3430
3431        hdev->smp_data = chan;
3432
3433        debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3434                            &le_min_key_size_fops);
3435        debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3436                            &le_max_key_size_fops);
3437
3438        /* If the controller does not support BR/EDR Secure Connections
3439         * feature, then the BR/EDR SMP channel shall not be present.
3440         *
3441         * To test this with Bluetooth 4.0 controllers, create a debugfs
3442         * switch that allows forcing BR/EDR SMP support and accepting
3443         * cross-transport pairing on non-AES encrypted connections.
3444         */
3445        if (!lmp_sc_capable(hdev)) {
3446                debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3447                                    hdev, &force_bredr_smp_fops);
3448
3449                /* Flag can be already set here (due to power toggle) */
3450                if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3451                        return 0;
3452        }
3453
3454        if (WARN_ON(hdev->smp_bredr_data)) {
3455                chan = hdev->smp_bredr_data;
3456                hdev->smp_bredr_data = NULL;
3457                smp_del_chan(chan);
3458        }
3459
3460        chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3461        if (IS_ERR(chan)) {
3462                int err = PTR_ERR(chan);
3463                chan = hdev->smp_data;
3464                hdev->smp_data = NULL;
3465                smp_del_chan(chan);
3466                return err;
3467        }
3468
3469        hdev->smp_bredr_data = chan;
3470
3471        return 0;
3472}
3473
3474void smp_unregister(struct hci_dev *hdev)
3475{
3476        struct l2cap_chan *chan;
3477
3478        if (hdev->smp_bredr_data) {
3479                chan = hdev->smp_bredr_data;
3480                hdev->smp_bredr_data = NULL;
3481                smp_del_chan(chan);
3482        }
3483
3484        if (hdev->smp_data) {
3485                chan = hdev->smp_data;
3486                hdev->smp_data = NULL;
3487                smp_del_chan(chan);
3488        }
3489}
3490
3491#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3492
3493static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits)
3494{
3495        int i;
3496
3497        for (i = 0; i < ndigits; i++)
3498                out[i] = __swab64(in[ndigits - 1 - i]);
3499}
3500
3501static int __init test_debug_key(void)
3502{
3503        u8 pk[64], sk[32];
3504
3505        swap_digits((u64 *)debug_sk, (u64 *)sk, 4);
3506
3507        if (!generate_ecdh_keys(pk, sk))
3508                return -EINVAL;
3509
3510        if (crypto_memneq(sk, debug_sk, 32))
3511                return -EINVAL;
3512
3513        if (crypto_memneq(pk, debug_pk, 64))
3514                return -EINVAL;
3515
3516        return 0;
3517}
3518
3519static int __init test_ah(struct crypto_cipher *tfm_aes)
3520{
3521        const u8 irk[16] = {
3522                        0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3523                        0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3524        const u8 r[3] = { 0x94, 0x81, 0x70 };
3525        const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3526        u8 res[3];
3527        int err;
3528
3529        err = smp_ah(tfm_aes, irk, r, res);
3530        if (err)
3531                return err;
3532
3533        if (crypto_memneq(res, exp, 3))
3534                return -EINVAL;
3535
3536        return 0;
3537}
3538
3539static int __init test_c1(struct crypto_cipher *tfm_aes)
3540{
3541        const u8 k[16] = {
3542                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3543                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3544        const u8 r[16] = {
3545                        0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3546                        0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3547        const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3548        const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3549        const u8 _iat = 0x01;
3550        const u8 _rat = 0x00;
3551        const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3552        const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3553        const u8 exp[16] = {
3554                        0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3555                        0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3556        u8 res[16];
3557        int err;
3558
3559        err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3560        if (err)
3561                return err;
3562
3563        if (crypto_memneq(res, exp, 16))
3564                return -EINVAL;
3565
3566        return 0;
3567}
3568
3569static int __init test_s1(struct crypto_cipher *tfm_aes)
3570{
3571        const u8 k[16] = {
3572                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3573                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3574        const u8 r1[16] = {
3575                        0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3576        const u8 r2[16] = {
3577                        0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3578        const u8 exp[16] = {
3579                        0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3580                        0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3581        u8 res[16];
3582        int err;
3583
3584        err = smp_s1(tfm_aes, k, r1, r2, res);
3585        if (err)
3586                return err;
3587
3588        if (crypto_memneq(res, exp, 16))
3589                return -EINVAL;
3590
3591        return 0;
3592}
3593
3594static int __init test_f4(struct crypto_shash *tfm_cmac)
3595{
3596        const u8 u[32] = {
3597                        0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3598                        0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3599                        0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3600                        0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3601        const u8 v[32] = {
3602                        0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3603                        0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3604                        0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3605                        0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3606        const u8 x[16] = {
3607                        0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608                        0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609        const u8 z = 0x00;
3610        const u8 exp[16] = {
3611                        0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3612                        0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3613        u8 res[16];
3614        int err;
3615
3616        err = smp_f4(tfm_cmac, u, v, x, z, res);
3617        if (err)
3618                return err;
3619
3620        if (crypto_memneq(res, exp, 16))
3621                return -EINVAL;
3622
3623        return 0;
3624}
3625
3626static int __init test_f5(struct crypto_shash *tfm_cmac)
3627{
3628        const u8 w[32] = {
3629                        0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3630                        0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3631                        0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3632                        0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3633        const u8 n1[16] = {
3634                        0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3635                        0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3636        const u8 n2[16] = {
3637                        0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3638                        0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3639        const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3640        const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3641        const u8 exp_ltk[16] = {
3642                        0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3643                        0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3644        const u8 exp_mackey[16] = {
3645                        0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3646                        0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3647        u8 mackey[16], ltk[16];
3648        int err;
3649
3650        err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3651        if (err)
3652                return err;
3653
3654        if (crypto_memneq(mackey, exp_mackey, 16))
3655                return -EINVAL;
3656
3657        if (crypto_memneq(ltk, exp_ltk, 16))
3658                return -EINVAL;
3659
3660        return 0;
3661}
3662
3663static int __init test_f6(struct crypto_shash *tfm_cmac)
3664{
3665        const u8 w[16] = {
3666                        0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3667                        0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3668        const u8 n1[16] = {
3669                        0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3670                        0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3671        const u8 n2[16] = {
3672                        0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3673                        0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3674        const u8 r[16] = {
3675                        0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3676                        0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3677        const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3678        const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3679        const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3680        const u8 exp[16] = {
3681                        0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3682                        0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3683        u8 res[16];
3684        int err;
3685
3686        err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3687        if (err)
3688                return err;
3689
3690        if (crypto_memneq(res, exp, 16))
3691                return -EINVAL;
3692
3693        return 0;
3694}
3695
3696static int __init test_g2(struct crypto_shash *tfm_cmac)
3697{
3698        const u8 u[32] = {
3699                        0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3700                        0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3701                        0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3702                        0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3703        const u8 v[32] = {
3704                        0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3705                        0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3706                        0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3707                        0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3708        const u8 x[16] = {
3709                        0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3710                        0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3711        const u8 y[16] = {
3712                        0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3713                        0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3714        const u32 exp_val = 0x2f9ed5ba % 1000000;
3715        u32 val;
3716        int err;
3717
3718        err = smp_g2(tfm_cmac, u, v, x, y, &val);
3719        if (err)
3720                return err;
3721
3722        if (val != exp_val)
3723                return -EINVAL;
3724
3725        return 0;
3726}
3727
3728static int __init test_h6(struct crypto_shash *tfm_cmac)
3729{
3730        const u8 w[16] = {
3731                        0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3732                        0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3733        const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3734        const u8 exp[16] = {
3735                        0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3736                        0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3737        u8 res[16];
3738        int err;
3739
3740        err = smp_h6(tfm_cmac, w, key_id, res);
3741        if (err)
3742                return err;
3743
3744        if (crypto_memneq(res, exp, 16))
3745                return -EINVAL;
3746
3747        return 0;
3748}
3749
3750static char test_smp_buffer[32];
3751
3752static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3753                             size_t count, loff_t *ppos)
3754{
3755        return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3756                                       strlen(test_smp_buffer));
3757}
3758
3759static const struct file_operations test_smp_fops = {
3760        .open           = simple_open,
3761        .read           = test_smp_read,
3762        .llseek         = default_llseek,
3763};
3764
3765static int __init run_selftests(struct crypto_cipher *tfm_aes,
3766                                struct crypto_shash *tfm_cmac)
3767{
3768        ktime_t calltime, delta, rettime;
3769        unsigned long long duration;
3770        int err;
3771
3772        calltime = ktime_get();
3773
3774        err = test_debug_key();
3775        if (err) {
3776                BT_ERR("debug_key test failed");
3777                goto done;
3778        }
3779
3780        err = test_ah(tfm_aes);
3781        if (err) {
3782                BT_ERR("smp_ah test failed");
3783                goto done;
3784        }
3785
3786        err = test_c1(tfm_aes);
3787        if (err) {
3788                BT_ERR("smp_c1 test failed");
3789                goto done;
3790        }
3791
3792        err = test_s1(tfm_aes);
3793        if (err) {
3794                BT_ERR("smp_s1 test failed");
3795                goto done;
3796        }
3797
3798        err = test_f4(tfm_cmac);
3799        if (err) {
3800                BT_ERR("smp_f4 test failed");
3801                goto done;
3802        }
3803
3804        err = test_f5(tfm_cmac);
3805        if (err) {
3806                BT_ERR("smp_f5 test failed");
3807                goto done;
3808        }
3809
3810        err = test_f6(tfm_cmac);
3811        if (err) {
3812                BT_ERR("smp_f6 test failed");
3813                goto done;
3814        }
3815
3816        err = test_g2(tfm_cmac);
3817        if (err) {
3818                BT_ERR("smp_g2 test failed");
3819                goto done;
3820        }
3821
3822        err = test_h6(tfm_cmac);
3823        if (err) {
3824                BT_ERR("smp_h6 test failed");
3825                goto done;
3826        }
3827
3828        rettime = ktime_get();
3829        delta = ktime_sub(rettime, calltime);
3830        duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3831
3832        BT_INFO("SMP test passed in %llu usecs", duration);
3833
3834done:
3835        if (!err)
3836                snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3837                         "PASS (%llu usecs)\n", duration);
3838        else
3839                snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3840
3841        debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3842                            &test_smp_fops);
3843
3844        return err;
3845}
3846
3847int __init bt_selftest_smp(void)
3848{
3849        struct crypto_cipher *tfm_aes;
3850        struct crypto_shash *tfm_cmac;
3851        int err;
3852
3853        tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3854        if (IS_ERR(tfm_aes)) {
3855                BT_ERR("Unable to create AES crypto context");
3856                return PTR_ERR(tfm_aes);
3857        }
3858
3859        tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3860        if (IS_ERR(tfm_cmac)) {
3861                BT_ERR("Unable to create CMAC crypto context");
3862                crypto_free_cipher(tfm_aes);
3863                return PTR_ERR(tfm_cmac);
3864        }
3865
3866        err = run_selftests(tfm_aes, tfm_cmac);
3867
3868        crypto_free_shash(tfm_cmac);
3869        crypto_free_cipher(tfm_aes);
3870
3871        return err;
3872}
3873
3874#endif
3875