projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
ALSA: hda - Update descriptions about new position_fix values
[linux-2.6-block.git] / net / bluetooth / smp.c
CommitLineData
eb492e01
AB		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
300acfde 23#include <linux/debugfs.h>
8c520a59 24#include <linux/scatterlist.h>
a4770e11 25#include <linux/crypto.h>
329d8230 26#include <crypto/algapi.h>
8c520a59 27#include <crypto/b128ops.h>
71af2f6b 28#include <crypto/hash.h>
47eb2ac8 29#include <crypto/kpp.h>
8c520a59 30
eb492e01
AB		 31#include <net/bluetooth/bluetooth.h>
32#include <net/bluetooth/hci_core.h>
33#include <net/bluetooth/l2cap.h>
2b64d153 34#include <net/bluetooth/mgmt.h>
ac4b7236 35
58771c1c 36#include "ecdh_helper.h"
ac4b7236 37#include "smp.h"
d22ef0bc 38
2fd36558
JH		 39#define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41
c7a3d57d
JH		 42/* Low-level debug macros to be used for stuff that we don't want
43 * accidentially in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
45 */
46#ifdef DEBUG
47#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 ##__VA_ARGS__)
49#else
50#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 ##__VA_ARGS__)
52#endif
53
b28b4943 54#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
b28b4943 55
3b19146d
JH		 56/* Keys which are not distributed with Secure Connections */
57#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58
17b02e62 59#define SMP_TIMEOUT msecs_to_jiffies(30000)
5d3de7df 60
d7a5a11d 61#define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
a62da6f1 62 0x3f : 0x07)
0edb14de 63#define KEY_DIST_MASK 0x07
065a13e2 64
cbbbe3e2
JH		 65/* Maximum message length that can be passed to aes_cmac */
66#define CMAC_MSG_MAX 80
67
533e35d4
JH		 68enum {
69 SMP_FLAG_TK_VALID,
70 SMP_FLAG_CFM_PENDING,
71 SMP_FLAG_MITM_AUTH,
72 SMP_FLAG_COMPLETE,
73 SMP_FLAG_INITIATOR,
65668776 74 SMP_FLAG_SC,
d8f8edbe 75 SMP_FLAG_REMOTE_PK,
aeb7d461 76 SMP_FLAG_DEBUG_KEY,
38606f14 77 SMP_FLAG_WAIT_USER,
d3e54a87 78 SMP_FLAG_DHKEY_PENDING,
1a8bab4f
JH		 79 SMP_FLAG_REMOTE_OOB,
80 SMP_FLAG_LOCAL_OOB,
a62da6f1 81 SMP_FLAG_CT2,
533e35d4 82};
4bc58f51 83
88a479d9 84struct smp_dev {
60a27d65 85 /* Secure Connections OOB data */
94f14e47 86 bool local_oob;
60a27d65 87 u8 local_pk[64];
fb334fee 88 u8 local_rand[16];
60a27d65
MH		 89 bool debug_key;
90
a4770e11 91 struct crypto_cipher *tfm_aes;
71af2f6b 92 struct crypto_shash *tfm_cmac;
47eb2ac8 93 struct crypto_kpp *tfm_ecdh;
88a479d9
MH		 94};
95
4bc58f51 96struct smp_chan {
b68fda68
JH		 97 struct l2cap_conn *conn;
98 struct delayed_work security_timer;
b28b4943 99 unsigned long allow_cmd; /* Bitmask of allowed commands */
b68fda68 100
4bc58f51
JH		 101 u8 preq[7]; /* SMP Pairing Request */
102 u8 prsp[7]; /* SMP Pairing Response */
103 u8 prnd[16]; /* SMP Pairing Random (local) */
104 u8 rrnd[16]; /* SMP Pairing Random (remote) */
105 u8 pcnf[16]; /* SMP Pairing Confirm */
106 u8 tk[16]; /* SMP Temporary Key */
882fafad
JH		 107 u8 rr[16]; /* Remote OOB ra/rb value */
108 u8 lr[16]; /* Local OOB ra/rb value */
4bc58f51
JH		 109 u8 enc_key_size;
110 u8 remote_key_dist;
111 bdaddr_t id_addr;
112 u8 id_addr_type;
113 u8 irk[16];
114 struct smp_csrk *csrk;
115 struct smp_csrk *slave_csrk;
116 struct smp_ltk *ltk;
117 struct smp_ltk *slave_ltk;
118 struct smp_irk *remote_irk;
6a77083a 119 u8 *link_key;
4a74d658 120 unsigned long flags;
783e0574 121 u8 method;
38606f14 122 u8 passkey_round;
6a7bd103 123
3b19146d
JH		 124 /* Secure Connections variables */
125 u8 local_pk[64];
d8f8edbe
JH		 126 u8 remote_pk[64];
127 u8 dhkey[32];
760b018b 128 u8 mackey[16];
3b19146d 129
a4770e11 130 struct crypto_cipher *tfm_aes;
71af2f6b 131 struct crypto_shash *tfm_cmac;
47eb2ac8 132 struct crypto_kpp *tfm_ecdh;
4bc58f51
JH		 133};
134
aeb7d461
JH		 135/* These debug key values are defined in the SMP section of the core
136 * specification. debug_pk is the public debug key and debug_sk the
137 * private debug key.
138 */
139static const u8 debug_pk[64] = {
140 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144
145 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149};
150
151static const u8 debug_sk[32] = {
152 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156};
157
8a2936f4 158static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
d22ef0bc 159{
8a2936f4 160 size_t i;
d22ef0bc 161
8a2936f4
JH		 162 for (i = 0; i < len; i++)
163 dst[len - 1 - i] = src[i];
d22ef0bc
AB		 164}
165
06edf8de
JH		 166/* The following functions map to the LE SC SMP crypto functions
167 * AES-CMAC, f4, f5, f6, g2 and h6.
168 */
169
71af2f6b 170static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
cbbbe3e2
JH		 171 size_t len, u8 mac[16])
172{
173 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
71af2f6b 174 SHASH_DESC_ON_STACK(desc, tfm);
cbbbe3e2
JH		 175 int err;
176
177 if (len > CMAC_MSG_MAX)
178 return -EFBIG;
179
180 if (!tfm) {
181 BT_ERR("tfm %p", tfm);
182 return -EINVAL;
183 }
184
71af2f6b 185 desc->tfm = tfm;
cbbbe3e2
JH		 186
187 /* Swap key and message from LSB to MSB */
188 swap_buf(k, tmp, 16);
189 swap_buf(m, msg_msb, len);
190
c7a3d57d
JH		 191 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
192 SMP_DBG("key %16phN", k);
cbbbe3e2 193
71af2f6b 194 err = crypto_shash_setkey(tfm, tmp, 16);
cbbbe3e2
JH		 195 if (err) {
196 BT_ERR("cipher setkey failed: %d", err);
197 return err;
198 }
199
71af2f6b
HX		 200 err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
201 shash_desc_zero(desc);
cbbbe3e2 202 if (err) {
71af2f6b 203 BT_ERR("Hash computation error %d", err);
cbbbe3e2
JH		 204 return err;
205 }
206
207 swap_buf(mac_msb, mac, 16);
208
c7a3d57d 209 SMP_DBG("mac %16phN", mac);
cbbbe3e2
JH		 210
211 return 0;
212}
213
71af2f6b
HX		 214static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
215 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
cbbbe3e2
JH		 216{
217 u8 m[65];
218 int err;
219
c7a3d57d
JH		 220 SMP_DBG("u %32phN", u);
221 SMP_DBG("v %32phN", v);
222 SMP_DBG("x %16phN z %02x", x, z);
cbbbe3e2
JH		 223
224 m[0] = z;
225 memcpy(m + 1, v, 32);
226 memcpy(m + 33, u, 32);
227
228 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
229 if (err)
230 return err;
231
c7a3d57d 232 SMP_DBG("res %16phN", res);
cbbbe3e2
JH		 233
234 return err;
235}
236
71af2f6b 237static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
4da50de8
JH		 238 const u8 n1[16], const u8 n2[16], const u8 a1[7],
239 const u8 a2[7], u8 mackey[16], u8 ltk[16])
760b018b
JH		 240{
241 /* The btle, salt and length "magic" values are as defined in
242 * the SMP section of the Bluetooth core specification. In ASCII
243 * the btle value ends up being 'btle'. The salt is just a
244 * random number whereas length is the value 256 in little
245 * endian format.
246 */
247 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
248 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
249 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
250 const u8 length[2] = { 0x00, 0x01 };
251 u8 m[53], t[16];
252 int err;
253
c7a3d57d
JH		 254 SMP_DBG("w %32phN", w);
255 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
256 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
760b018b
JH		 257
258 err = aes_cmac(tfm_cmac, salt, w, 32, t);
259 if (err)
260 return err;
261
c7a3d57d 262 SMP_DBG("t %16phN", t);
760b018b
JH		 263
264 memcpy(m, length, 2);
265 memcpy(m + 2, a2, 7);
266 memcpy(m + 9, a1, 7);
267 memcpy(m + 16, n2, 16);
268 memcpy(m + 32, n1, 16);
269 memcpy(m + 48, btle, 4);
270
271 m[52] = 0; /* Counter */
272
273 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
274 if (err)
275 return err;
276
c7a3d57d 277 SMP_DBG("mackey %16phN", mackey);
760b018b
JH		 278
279 m[52] = 1; /* Counter */
280
281 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
282 if (err)
283 return err;
284
c7a3d57d 285 SMP_DBG("ltk %16phN", ltk);
760b018b
JH		 286
287 return 0;
288}
289
71af2f6b 290static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
4da50de8 291 const u8 n1[16], const u8 n2[16], const u8 r[16],
760b018b
JH		 292 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
293 u8 res[16])
294{
295 u8 m[65];
296 int err;
297
c7a3d57d
JH		 298 SMP_DBG("w %16phN", w);
299 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
300 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
760b018b
JH		 301
302 memcpy(m, a2, 7);
303 memcpy(m + 7, a1, 7);
304 memcpy(m + 14, io_cap, 3);
305 memcpy(m + 17, r, 16);
306 memcpy(m + 33, n2, 16);
307 memcpy(m + 49, n1, 16);
308
309 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
310 if (err)
311 return err;
312
203de21b 313 SMP_DBG("res %16phN", res);
760b018b
JH		 314
315 return err;
316}
317
71af2f6b 318static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
191dc7fe
JH		 319 const u8 x[16], const u8 y[16], u32 *val)
320{
321 u8 m[80], tmp[16];
322 int err;
323
c7a3d57d
JH		 324 SMP_DBG("u %32phN", u);
325 SMP_DBG("v %32phN", v);
326 SMP_DBG("x %16phN y %16phN", x, y);
191dc7fe
JH		 327
328 memcpy(m, y, 16);
329 memcpy(m + 16, v, 32);
330 memcpy(m + 48, u, 32);
331
332 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
333 if (err)
334 return err;
335
336 *val = get_unaligned_le32(tmp);
337 *val %= 1000000;
338
c7a3d57d 339 SMP_DBG("val %06u", *val);
191dc7fe
JH		 340
341 return 0;
342}
343
71af2f6b 344static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
06edf8de
JH		 345 const u8 key_id[4], u8 res[16])
346{
347 int err;
348
349 SMP_DBG("w %16phN key_id %4phN", w, key_id);
350
351 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
352 if (err)
353 return err;
354
355 SMP_DBG("res %16phN", res);
356
357 return err;
358}
359
a62da6f1
JH		 360static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
361 const u8 salt[16], u8 res[16])
362{
363 int err;
364
365 SMP_DBG("w %16phN salt %16phN", w, salt);
366
367 err = aes_cmac(tfm_cmac, salt, w, 16, res);
368 if (err)
369 return err;
370
371 SMP_DBG("res %16phN", res);
372
373 return err;
374}
375
06edf8de
JH		 376/* The following functions map to the legacy SMP crypto functions e, c1,
377 * s1 and ah.
378 */
379
a4770e11 380static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
d22ef0bc 381{
943a732a 382 uint8_t tmp[16], data[16];
201a5929 383 int err;
d22ef0bc 384
011c391a
JH		 385 SMP_DBG("k %16phN r %16phN", k, r);
386
7f376cd6 387 if (!tfm) {
d22ef0bc
AB		 388 BT_ERR("tfm %p", tfm);
389 return -EINVAL;
390 }
391
943a732a 392 /* The most significant octet of key corresponds to k[0] */
8a2936f4 393 swap_buf(k, tmp, 16);
943a732a 394
a4770e11 395 err = crypto_cipher_setkey(tfm, tmp, 16);
d22ef0bc
AB		 396 if (err) {
397 BT_ERR("cipher setkey failed: %d", err);
398 return err;
399 }
400
943a732a 401 /* Most significant octet of plaintextData corresponds to data[0] */
8a2936f4 402 swap_buf(r, data, 16);
943a732a 403
a4770e11 404 crypto_cipher_encrypt_one(tfm, data, data);
d22ef0bc 405
943a732a 406 /* Most significant octet of encryptedData corresponds to data[0] */
8a2936f4 407 swap_buf(data, r, 16);
943a732a 408
011c391a
JH		 409 SMP_DBG("r %16phN", r);
410
d22ef0bc
AB		 411 return err;
412}
413
a4770e11 414static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
06edf8de
JH		 415 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
416 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
6a77083a 417{
06edf8de 418 u8 p1[16], p2[16];
6a77083a
JH		 419 int err;
420
011c391a
JH		 421 SMP_DBG("k %16phN r %16phN", k, r);
422 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
423 SMP_DBG("preq %7phN pres %7phN", preq, pres);
424
06edf8de 425 memset(p1, 0, 16);
6a77083a 426
06edf8de
JH		 427 /* p1 = pres || preq || _rat || _iat */
428 p1[0] = _iat;
429 p1[1] = _rat;
430 memcpy(p1 + 2, preq, 7);
431 memcpy(p1 + 9, pres, 7);
432
011c391a 433 SMP_DBG("p1 %16phN", p1);
06edf8de
JH		 434
435 /* res = r XOR p1 */
436 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
437
438 /* res = e(k, res) */
439 err = smp_e(tfm_aes, k, res);
440 if (err) {
441 BT_ERR("Encrypt data error");
6a77083a 442 return err;
06edf8de 443 }
6a77083a 444
011c391a
JH		 445 /* p2 = padding || ia || ra */
446 memcpy(p2, ra, 6);
447 memcpy(p2 + 6, ia, 6);
448 memset(p2 + 12, 0, 4);
449
450 SMP_DBG("p2 %16phN", p2);
451
06edf8de
JH		 452 /* res = res XOR p2 */
453 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
454
455 /* res = e(k, res) */
456 err = smp_e(tfm_aes, k, res);
457 if (err)
458 BT_ERR("Encrypt data error");
459
460 return err;
461}
462
a4770e11 463static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
06edf8de
JH		 464 const u8 r1[16], const u8 r2[16], u8 _r[16])
465{
466 int err;
467
468 /* Just least significant octets from r1 and r2 are considered */
469 memcpy(_r, r2, 8);
470 memcpy(_r + 8, r1, 8);
471
472 err = smp_e(tfm_aes, k, _r);
473 if (err)
474 BT_ERR("Encrypt data error");
6a77083a
JH		 475
476 return err;
477}
478
a4770e11 479static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
cd082797 480 const u8 r[3], u8 res[3])
60478054 481{
943a732a 482 u8 _res[16];
60478054
JH		 483 int err;
484
485 /* r' = padding || r */
943a732a
JH		 486 memcpy(_res, r, 3);
487 memset(_res + 3, 0, 13);
60478054 488
943a732a 489 err = smp_e(tfm, irk, _res);
60478054
JH		 490 if (err) {
491 BT_ERR("Encrypt error");
492 return err;
493 }
494
495 /* The output of the random address function ah is:
c5080d42 496 * ah(k, r) = e(k, r') mod 2^24
60478054
JH		 497 * The output of the security function e is then truncated to 24 bits
498 * by taking the least significant 24 bits of the output of e as the
499 * result of ah.
500 */
943a732a 501 memcpy(res, _res, 3);
60478054
JH		 502
503 return 0;
504}
505
cd082797
JH		 506bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
507 const bdaddr_t *bdaddr)
60478054 508{
defce9e8 509 struct l2cap_chan *chan = hdev->smp_data;
88a479d9 510 struct smp_dev *smp;
60478054
JH		 511 u8 hash[3];
512 int err;
513
defce9e8
JH		 514 if (!chan || !chan->data)
515 return false;
516
88a479d9 517 smp = chan->data;
defce9e8 518
60478054
JH		 519 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
520
88a479d9 521 err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
60478054
JH		 522 if (err)
523 return false;
524
329d8230 525 return !crypto_memneq(bdaddr->b, hash, 3);
60478054
JH		 526}
527
cd082797 528int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
b1e2b3ae 529{
defce9e8 530 struct l2cap_chan *chan = hdev->smp_data;
88a479d9 531 struct smp_dev *smp;
b1e2b3ae
JH		 532 int err;
533
defce9e8
JH		 534 if (!chan || !chan->data)
535 return -EOPNOTSUPP;
536
88a479d9 537 smp = chan->data;
defce9e8 538
b1e2b3ae
JH		 539 get_random_bytes(&rpa->b[3], 3);
540
541 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
542 rpa->b[5] |= 0x40; /* Set second most significant bit */
543
88a479d9 544 err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
b1e2b3ae
JH		 545 if (err < 0)
546 return err;
547
548 BT_DBG("RPA %pMR", rpa);
549
550 return 0;
551}
552
60a27d65
MH		 553int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
554{
555 struct l2cap_chan *chan = hdev->smp_data;
556 struct smp_dev *smp;
557 int err;
558
559 if (!chan || !chan->data)
560 return -EOPNOTSUPP;
561
562 smp = chan->data;
563
564 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
565 BT_DBG("Using debug keys");
c0153b0b
TA		 566 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
567 if (err)
568 return err;
60a27d65 569 memcpy(smp->local_pk, debug_pk, 64);
60a27d65
MH		 570 smp->debug_key = true;
571 } else {
572 while (true) {
c0153b0b
TA		 573 /* Generate key pair for Secure Connections */
574 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
a2976416
TA		 575 if (err)
576 return err;
60a27d65
MH		 577
578 /* This is unlikely, but we need to check that
579 * we didn't accidentially generate a debug key.
580 */
c0153b0b 581 if (crypto_memneq(smp->local_pk, debug_pk, 64))
60a27d65
MH		 582 break;
583 }
584 smp->debug_key = false;
585 }
586
587 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
588 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
60a27d65 589
fb334fee 590 get_random_bytes(smp->local_rand, 16);
60a27d65
MH		 591
592 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
fb334fee 593 smp->local_rand, 0, hash);
60a27d65
MH		 594 if (err < 0)
595 return err;
596
fb334fee 597 memcpy(rand, smp->local_rand, 16);
60a27d65 598
94f14e47
JH		 599 smp->local_oob = true;
600
60a27d65
MH		 601 return 0;
602}
603
5d88cc73 604static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
eb492e01 605{
5d88cc73 606 struct l2cap_chan *chan = conn->smp;
b68fda68 607 struct smp_chan *smp;
5d88cc73
JH		 608 struct kvec iv[2];
609 struct msghdr msg;
eb492e01 610
5d88cc73
JH		 611 if (!chan)
612 return;
eb492e01 613
5d88cc73 614 BT_DBG("code 0x%2.2x", code);
eb492e01 615
5d88cc73
JH		 616 iv[0].iov_base = &code;
617 iv[0].iov_len = 1;
eb492e01 618
5d88cc73
JH		 619 iv[1].iov_base = data;
620 iv[1].iov_len = len;
eb492e01 621
5d88cc73 622 memset(&msg, 0, sizeof(msg));
eb492e01 623
aa563d7b 624 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
eb492e01 625
5d88cc73 626 l2cap_chan_send(chan, &msg, 1 + len);
e2dcd113 627
b68fda68
JH		 628 if (!chan->data)
629 return;
630
631 smp = chan->data;
632
633 cancel_delayed_work_sync(&smp->security_timer);
1b0921d6 634 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
eb492e01
AB		 635}
636
d2eb9e10 637static u8 authreq_to_seclevel(u8 authreq)
2b64d153 638{
d2eb9e10
JH		 639 if (authreq & SMP_AUTH_MITM) {
640 if (authreq & SMP_AUTH_SC)
641 return BT_SECURITY_FIPS;
642 else
643 return BT_SECURITY_HIGH;
644 } else {
2b64d153 645 return BT_SECURITY_MEDIUM;
d2eb9e10 646 }
2b64d153
BG		 647}
648
649static __u8 seclevel_to_authreq(__u8 sec_level)
650{
651 switch (sec_level) {
d2eb9e10 652 case BT_SECURITY_FIPS:
2b64d153
BG		 653 case BT_SECURITY_HIGH:
654 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
655 case BT_SECURITY_MEDIUM:
656 return SMP_AUTH_BONDING;
657 default:
658 return SMP_AUTH_NONE;
659 }
660}
661
b8e66eac 662static void build_pairing_cmd(struct l2cap_conn *conn,
f1560463
MH		 663 struct smp_cmd_pairing *req,
664 struct smp_cmd_pairing *rsp, __u8 authreq)
b8e66eac 665{
5d88cc73
JH		 666 struct l2cap_chan *chan = conn->smp;
667 struct smp_chan *smp = chan->data;
fd349c02
JH		 668 struct hci_conn *hcon = conn->hcon;
669 struct hci_dev *hdev = hcon->hdev;
02b05bd8 670 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
54790f73 671
d7a5a11d 672 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
7ee4ea36
MH		 673 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
674 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
54790f73 675 authreq |= SMP_AUTH_BONDING;
2b64d153
BG		 676 } else {
677 authreq &= ~SMP_AUTH_BONDING;
54790f73
VCG		 678 }
679
d7a5a11d 680 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
fd349c02
JH		 681 remote_dist |= SMP_DIST_ID_KEY;
682
d7a5a11d 683 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
863efaf2
JH		 684 local_dist |= SMP_DIST_ID_KEY;
685
d7a5a11d 686 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
02b05bd8
JH		 687 (authreq & SMP_AUTH_SC)) {
688 struct oob_data *oob_data;
689 u8 bdaddr_type;
690
d7a5a11d 691 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
df8e1a4c
JH		 692 local_dist |= SMP_DIST_LINK_KEY;
693 remote_dist |= SMP_DIST_LINK_KEY;
694 }
02b05bd8
JH		 695
696 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
697 bdaddr_type = BDADDR_LE_PUBLIC;
698 else
699 bdaddr_type = BDADDR_LE_RANDOM;
700
701 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
702 bdaddr_type);
4775a4ea 703 if (oob_data && oob_data->present) {
1a8bab4f 704 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
02b05bd8 705 oob_flag = SMP_OOB_PRESENT;
a29b0733 706 memcpy(smp->rr, oob_data->rand256, 16);
02b05bd8 707 memcpy(smp->pcnf, oob_data->hash256, 16);
bc07cd69
MH		 708 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
709 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
02b05bd8
JH		 710 }
711
df8e1a4c
JH		 712 } else {
713 authreq &= ~SMP_AUTH_SC;
714 }
715
54790f73
VCG		 716 if (rsp == NULL) {
717 req->io_capability = conn->hcon->io_capability;
02b05bd8 718 req->oob_flag = oob_flag;
30d65e08 719 req->max_key_size = hdev->le_max_key_size;
fd349c02
JH		 720 req->init_key_dist = local_dist;
721 req->resp_key_dist = remote_dist;
0edb14de 722 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 723
724 smp->remote_key_dist = remote_dist;
54790f73
VCG		 725 return;
726 }
727
728 rsp->io_capability = conn->hcon->io_capability;
02b05bd8 729 rsp->oob_flag = oob_flag;
30d65e08 730 rsp->max_key_size = hdev->le_max_key_size;
fd349c02
JH		 731 rsp->init_key_dist = req->init_key_dist & remote_dist;
732 rsp->resp_key_dist = req->resp_key_dist & local_dist;
0edb14de 733 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 734
735 smp->remote_key_dist = rsp->init_key_dist;
b8e66eac
VCG		 736}
737
3158c50c
VCG		 738static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
739{
5d88cc73 740 struct l2cap_chan *chan = conn->smp;
2fd36558 741 struct hci_dev *hdev = conn->hcon->hdev;
5d88cc73 742 struct smp_chan *smp = chan->data;
1c1def09 743
30d65e08 744 if (max_key_size > hdev->le_max_key_size ||
2fd36558 745 max_key_size < SMP_MIN_ENC_KEY_SIZE)
3158c50c
VCG		 746 return SMP_ENC_KEY_SIZE;
747
f7aa611a 748 smp->enc_key_size = max_key_size;
3158c50c
VCG		 749
750 return 0;
751}
752
6f48e260
JH		 753static void smp_chan_destroy(struct l2cap_conn *conn)
754{
755 struct l2cap_chan *chan = conn->smp;
756 struct smp_chan *smp = chan->data;
923e2414 757 struct hci_conn *hcon = conn->hcon;
6f48e260
JH		 758 bool complete;
759
760 BUG_ON(!smp);
761
762 cancel_delayed_work_sync(&smp->security_timer);
6f48e260 763
6f48e260 764 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
923e2414 765 mgmt_smp_complete(hcon, complete);
6f48e260 766
276812ec
MH		 767 kzfree(smp->csrk);
768 kzfree(smp->slave_csrk);
769 kzfree(smp->link_key);
6f48e260 770
a4770e11 771 crypto_free_cipher(smp->tfm_aes);
71af2f6b 772 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 773 crypto_free_kpp(smp->tfm_ecdh);
6f48e260 774
923e2414
JH		 775 /* Ensure that we don't leave any debug key around if debug key
776 * support hasn't been explicitly enabled.
777 */
778 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
d7a5a11d 779 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
923e2414
JH		 780 list_del_rcu(&smp->ltk->list);
781 kfree_rcu(smp->ltk, rcu);
782 smp->ltk = NULL;
783 }
784
6f48e260
JH		 785 /* If pairing failed clean up any keys we might have */
786 if (!complete) {
787 if (smp->ltk) {
970d0f1b
JH		 788 list_del_rcu(&smp->ltk->list);
789 kfree_rcu(smp->ltk, rcu);
6f48e260
JH		 790 }
791
792 if (smp->slave_ltk) {
970d0f1b
JH		 793 list_del_rcu(&smp->slave_ltk->list);
794 kfree_rcu(smp->slave_ltk, rcu);
6f48e260
JH		 795 }
796
797 if (smp->remote_irk) {
adae20cb
JH		 798 list_del_rcu(&smp->remote_irk->list);
799 kfree_rcu(smp->remote_irk, rcu);
6f48e260
JH		 800 }
801 }
802
803 chan->data = NULL;
276812ec 804 kzfree(smp);
923e2414 805 hci_conn_drop(hcon);
6f48e260
JH		 806}
807
84794e11 808static void smp_failure(struct l2cap_conn *conn, u8 reason)
4f957a76 809{
bab73cb6 810 struct hci_conn *hcon = conn->hcon;
b68fda68 811 struct l2cap_chan *chan = conn->smp;
bab73cb6 812
84794e11 813 if (reason)
4f957a76 814 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
f1560463 815 &reason);
4f957a76 816
e1e930f5 817 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
f1c09c07 818
fc75cc86 819 if (chan->data)
f1c09c07 820 smp_chan_destroy(conn);
4f957a76
BG		 821}
822
2b64d153
BG		 823#define JUST_WORKS 0x00
824#define JUST_CFM 0x01
825#define REQ_PASSKEY 0x02
826#define CFM_PASSKEY 0x03
827#define REQ_OOB 0x04
5e3d3d9b 828#define DSP_PASSKEY 0x05
2b64d153
BG		 829#define OVERLAP 0xFF
830
831static const u8 gen_method[5][5] = {
832 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
833 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
834 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
835 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
836 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
837};
838
5e3d3d9b
JH		 839static const u8 sc_method[5][5] = {
840 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
841 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
842 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
843 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
844 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
845};
846
581370cc
JH		 847static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
848{
2bcd4003
JH		 849 /* If either side has unknown io_caps, use JUST_CFM (which gets
850 * converted later to JUST_WORKS if we're initiators.
851 */
581370cc
JH		 852 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
853 remote_io > SMP_IO_KEYBOARD_DISPLAY)
2bcd4003 854 return JUST_CFM;
581370cc 855
5e3d3d9b
JH		 856 if (test_bit(SMP_FLAG_SC, &smp->flags))
857 return sc_method[remote_io][local_io];
858
581370cc
JH		 859 return gen_method[remote_io][local_io];
860}
861
2b64d153
BG		 862static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
863 u8 local_io, u8 remote_io)
864{
865 struct hci_conn *hcon = conn->hcon;
5d88cc73
JH		 866 struct l2cap_chan *chan = conn->smp;
867 struct smp_chan *smp = chan->data;
2b64d153
BG		 868 u32 passkey = 0;
869 int ret = 0;
870
871 /* Initialize key for JUST WORKS */
872 memset(smp->tk, 0, sizeof(smp->tk));
4a74d658 873 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 874
875 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
876
2bcd4003
JH		 877 /* If neither side wants MITM, either "just" confirm an incoming
878 * request or use just-works for outgoing ones. The JUST_CFM
879 * will be converted to JUST_WORKS if necessary later in this
880 * function. If either side has MITM look up the method from the
881 * table.
882 */
581370cc 883 if (!(auth & SMP_AUTH_MITM))
783e0574 884 smp->method = JUST_CFM;
2b64d153 885 else
783e0574 886 smp->method = get_auth_method(smp, local_io, remote_io);
2b64d153 887
a82505c7 888 /* Don't confirm locally initiated pairing attempts */
783e0574
JH		 889 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
890 &smp->flags))
891 smp->method = JUST_WORKS;
a82505c7 892
02f3e254 893 /* Don't bother user space with no IO capabilities */
783e0574
JH		 894 if (smp->method == JUST_CFM &&
895 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
896 smp->method = JUST_WORKS;
02f3e254 897
2b64d153 898 /* If Just Works, Continue with Zero TK */
783e0574 899 if (smp->method == JUST_WORKS) {
4a74d658 900 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 901 return 0;
902 }
903
19c5ce9c
JH		 904 /* If this function is used for SC -> legacy fallback we
905 * can only recover the just-works case.
906 */
907 if (test_bit(SMP_FLAG_SC, &smp->flags))
908 return -EINVAL;
909
2b64d153 910 /* Not Just Works/Confirm results in MITM Authentication */
783e0574 911 if (smp->method != JUST_CFM) {
4a74d658 912 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
5eb596f5
JH		 913 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
914 hcon->pending_sec_level = BT_SECURITY_HIGH;
915 }
2b64d153
BG		 916
917 /* If both devices have Keyoard-Display I/O, the master
918 * Confirms and the slave Enters the passkey.
919 */
783e0574 920 if (smp->method == OVERLAP) {
40bef302 921 if (hcon->role == HCI_ROLE_MASTER)
783e0574 922 smp->method = CFM_PASSKEY;
2b64d153 923 else
783e0574 924 smp->method = REQ_PASSKEY;
2b64d153
BG		 925 }
926
01ad34d2 927 /* Generate random passkey. */
783e0574 928 if (smp->method == CFM_PASSKEY) {
943a732a 929 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153
BG		 930 get_random_bytes(&passkey, sizeof(passkey));
931 passkey %= 1000000;
943a732a 932 put_unaligned_le32(passkey, smp->tk);
2b64d153 933 BT_DBG("PassKey: %d", passkey);
4a74d658 934 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 935 }
936
783e0574 937 if (smp->method == REQ_PASSKEY)
ce39fb4e 938 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
272d90df 939 hcon->type, hcon->dst_type);
783e0574 940 else if (smp->method == JUST_CFM)
4eb65e66
JH		 941 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
942 hcon->type, hcon->dst_type,
943 passkey, 1);
2b64d153 944 else
01ad34d2 945 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
272d90df 946 hcon->type, hcon->dst_type,
39adbffe 947 passkey, 0);
2b64d153 948
2b64d153
BG		 949 return ret;
950}
951
1cc61144 952static u8 smp_confirm(struct smp_chan *smp)
8aab4757 953{
8aab4757 954 struct l2cap_conn *conn = smp->conn;
8aab4757
VCG		 955 struct smp_cmd_pairing_confirm cp;
956 int ret;
8aab4757
VCG		 957
958 BT_DBG("conn %p", conn);
959
e491eaf3 960 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
b1cd5fd9 961 conn->hcon->init_addr_type, &conn->hcon->init_addr,
943a732a
JH		 962 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
963 cp.confirm_val);
1cc61144
JH		 964 if (ret)
965 return SMP_UNSPECIFIED;
8aab4757 966
4a74d658 967 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153 968
8aab4757
VCG		 969 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
970
b28b4943
JH		 971 if (conn->hcon->out)
972 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
973 else
974 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
975
1cc61144 976 return 0;
8aab4757
VCG		 977}
978
861580a9 979static u8 smp_random(struct smp_chan *smp)
8aab4757 980{
8aab4757
VCG		 981 struct l2cap_conn *conn = smp->conn;
982 struct hci_conn *hcon = conn->hcon;
861580a9 983 u8 confirm[16];
8aab4757
VCG		 984 int ret;
985
ec70f36f 986 if (IS_ERR_OR_NULL(smp->tfm_aes))
861580a9 987 return SMP_UNSPECIFIED;
8aab4757
VCG		 988
989 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
990
e491eaf3 991 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
b1cd5fd9 992 hcon->init_addr_type, &hcon->init_addr,
943a732a 993 hcon->resp_addr_type, &hcon->resp_addr, confirm);
861580a9
JH		 994 if (ret)
995 return SMP_UNSPECIFIED;
8aab4757 996
329d8230 997 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
2064ee33
MH		 998 bt_dev_err(hcon->hdev, "pairing failed "
999 "(confirmation values mismatch)");
861580a9 1000 return SMP_CONFIRM_FAILED;
8aab4757
VCG		 1001 }
1002
1003 if (hcon->out) {
fe39c7b2
MH		 1004 u8 stk[16];
1005 __le64 rand = 0;
1006 __le16 ediv = 0;
8aab4757 1007
e491eaf3 1008 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
8aab4757 1009
861580a9
JH		 1010 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1011 return SMP_UNSPECIFIED;
8aab4757 1012
8b76ce34 1013 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
f7aa611a 1014 hcon->enc_key_size = smp->enc_key_size;
fe59a05f 1015 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
8aab4757 1016 } else {
fff3490f 1017 u8 stk[16], auth;
fe39c7b2
MH		 1018 __le64 rand = 0;
1019 __le16 ediv = 0;
8aab4757 1020
943a732a
JH		 1021 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1022 smp->prnd);
8aab4757 1023
e491eaf3 1024 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
8aab4757 1025
fff3490f
JH		 1026 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1027 auth = 1;
1028 else
1029 auth = 0;
1030
7d5843b7
JH		 1031 /* Even though there's no _SLAVE suffix this is the
1032 * slave STK we're adding for later lookup (the master
1033 * STK never needs to be stored).
1034 */
ce39fb4e 1035 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2ceba539 1036 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
8aab4757
VCG		 1037 }
1038
861580a9 1039 return 0;
8aab4757
VCG		 1040}
1041
44f1a7ab
JH		 1042static void smp_notify_keys(struct l2cap_conn *conn)
1043{
1044 struct l2cap_chan *chan = conn->smp;
1045 struct smp_chan *smp = chan->data;
1046 struct hci_conn *hcon = conn->hcon;
1047 struct hci_dev *hdev = hcon->hdev;
1048 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1049 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1050 bool persistent;
1051
cad20c27
JH		 1052 if (hcon->type == ACL_LINK) {
1053 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1054 persistent = false;
1055 else
1056 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1057 &hcon->flags);
1058 } else {
1059 /* The LTKs, IRKs and CSRKs should be persistent only if
1060 * both sides had the bonding bit set in their
1061 * authentication requests.
1062 */
1063 persistent = !!((req->auth_req & rsp->auth_req) &
1064 SMP_AUTH_BONDING);
1065 }
1066
44f1a7ab 1067 if (smp->remote_irk) {
cad20c27
JH		 1068 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1069
44f1a7ab
JH		 1070 /* Now that user space can be considered to know the
1071 * identity address track the connection based on it
b5ae344d 1072 * from now on (assuming this is an LE link).
44f1a7ab 1073 */
b5ae344d
JH		 1074 if (hcon->type == LE_LINK) {
1075 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1076 hcon->dst_type = smp->remote_irk->addr_type;
1077 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1078 }
44f1a7ab
JH		 1079 }
1080
44f1a7ab
JH		 1081 if (smp->csrk) {
1082 smp->csrk->bdaddr_type = hcon->dst_type;
1083 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084 mgmt_new_csrk(hdev, smp->csrk, persistent);
1085 }
1086
1087 if (smp->slave_csrk) {
1088 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1089 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1090 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1091 }
1092
1093 if (smp->ltk) {
1094 smp->ltk->bdaddr_type = hcon->dst_type;
1095 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096 mgmt_new_ltk(hdev, smp->ltk, persistent);
1097 }
1098
1099 if (smp->slave_ltk) {
1100 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1101 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1102 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1103 }
6a77083a
JH		 1104
1105 if (smp->link_key) {
e3befab9
JH		 1106 struct link_key *key;
1107 u8 type;
1108
1109 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110 type = HCI_LK_DEBUG_COMBINATION;
1111 else if (hcon->sec_level == BT_SECURITY_FIPS)
1112 type = HCI_LK_AUTH_COMBINATION_P256;
1113 else
1114 type = HCI_LK_UNAUTH_COMBINATION_P256;
1115
1116 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117 smp->link_key, type, 0, &persistent);
1118 if (key) {
1119 mgmt_new_link_key(hdev, key, persistent);
1120
1121 /* Don't keep debug keys around if the relevant
1122 * flag is not set.
1123 */
d7a5a11d 1124 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
e3befab9
JH		 1125 key->type == HCI_LK_DEBUG_COMBINATION) {
1126 list_del_rcu(&key->list);
1127 kfree_rcu(key, rcu);
1128 }
1129 }
6a77083a
JH		 1130 }
1131}
1132
d3e54a87
JH		 1133static void sc_add_ltk(struct smp_chan *smp)
1134{
1135 struct hci_conn *hcon = smp->conn->hcon;
1136 u8 key_type, auth;
1137
1138 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139 key_type = SMP_LTK_P256_DEBUG;
1140 else
1141 key_type = SMP_LTK_P256;
1142
1143 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144 auth = 1;
1145 else
1146 auth = 0;
1147
d3e54a87
JH		 1148 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149 key_type, auth, smp->tk, smp->enc_key_size,
1150 0, 0);
1151}
1152
6a77083a
JH		 1153static void sc_generate_link_key(struct smp_chan *smp)
1154{
a62da6f1 1155 /* From core spec. Spells out in ASCII as 'lebr'. */
6a77083a
JH		 1156 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157
1158 smp->link_key = kzalloc(16, GFP_KERNEL);
1159 if (!smp->link_key)
1160 return;
1161
a62da6f1
JH		 1162 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163 /* SALT = 0x00000000000000000000000000000000746D7031 */
1164 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165
1166 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167 kzfree(smp->link_key);
1168 smp->link_key = NULL;
1169 return;
1170 }
1171 } else {
1172 /* From core spec. Spells out in ASCII as 'tmp1'. */
1173 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174
1175 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176 kzfree(smp->link_key);
1177 smp->link_key = NULL;
1178 return;
1179 }
6a77083a
JH		 1180 }
1181
1182 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
276812ec 1183 kzfree(smp->link_key);
6a77083a
JH		 1184 smp->link_key = NULL;
1185 return;
1186 }
44f1a7ab
JH		 1187}
1188
b28b4943
JH		 1189static void smp_allow_key_dist(struct smp_chan *smp)
1190{
1191 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1192 * will be allowed in each PDU handler to ensure we receive
1193 * them in the correct order.
1194 */
1195 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201}
1202
b5ae344d
JH		 1203static void sc_generate_ltk(struct smp_chan *smp)
1204{
a62da6f1 1205 /* From core spec. Spells out in ASCII as 'brle'. */
b5ae344d
JH		 1206 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207 struct hci_conn *hcon = smp->conn->hcon;
1208 struct hci_dev *hdev = hcon->hdev;
1209 struct link_key *key;
1210
1211 key = hci_find_link_key(hdev, &hcon->dst);
1212 if (!key) {
2064ee33 1213 bt_dev_err(hdev, "no Link Key found to generate LTK");
b5ae344d
JH		 1214 return;
1215 }
1216
1217 if (key->type == HCI_LK_DEBUG_COMBINATION)
1218 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219
a62da6f1
JH		 1220 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221 /* SALT = 0x00000000000000000000000000000000746D7032 */
1222 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223
1224 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225 return;
1226 } else {
1227 /* From core spec. Spells out in ASCII as 'tmp2'. */
1228 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229
1230 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231 return;
1232 }
b5ae344d
JH		 1233
1234 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235 return;
1236
1237 sc_add_ltk(smp);
1238}
1239
d6268e86 1240static void smp_distribute_keys(struct smp_chan *smp)
44f1a7ab
JH		 1241{
1242 struct smp_cmd_pairing *req, *rsp;
86d1407c 1243 struct l2cap_conn *conn = smp->conn;
44f1a7ab
JH		 1244 struct hci_conn *hcon = conn->hcon;
1245 struct hci_dev *hdev = hcon->hdev;
1246 __u8 *keydist;
1247
1248 BT_DBG("conn %p", conn);
1249
44f1a7ab
JH		 1250 rsp = (void *) &smp->prsp[1];
1251
1252 /* The responder sends its keys first */
b28b4943
JH		 1253 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1254 smp_allow_key_dist(smp);
86d1407c 1255 return;
b28b4943 1256 }
44f1a7ab
JH		 1257
1258 req = (void *) &smp->preq[1];
1259
1260 if (hcon->out) {
1261 keydist = &rsp->init_key_dist;
1262 *keydist &= req->init_key_dist;
1263 } else {
1264 keydist = &rsp->resp_key_dist;
1265 *keydist &= req->resp_key_dist;
1266 }
1267
6a77083a 1268 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
b5ae344d 1269 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
6a77083a 1270 sc_generate_link_key(smp);
b5ae344d
JH		 1271 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1272 sc_generate_ltk(smp);
6a77083a
JH		 1273
1274 /* Clear the keys which are generated but not distributed */
1275 *keydist &= ~SMP_SC_NO_DIST;
1276 }
1277
44f1a7ab
JH		 1278 BT_DBG("keydist 0x%x", *keydist);
1279
1280 if (*keydist & SMP_DIST_ENC_KEY) {
1281 struct smp_cmd_encrypt_info enc;
1282 struct smp_cmd_master_ident ident;
1283 struct smp_ltk *ltk;
1284 u8 authenticated;
1285 __le16 ediv;
1286 __le64 rand;
1287
1fc62c52
JH		 1288 /* Make sure we generate only the significant amount of
1289 * bytes based on the encryption key size, and set the rest
1290 * of the value to zeroes.
1291 */
1292 get_random_bytes(enc.ltk, smp->enc_key_size);
1293 memset(enc.ltk + smp->enc_key_size, 0,
1294 sizeof(enc.ltk) - smp->enc_key_size);
1295
44f1a7ab
JH		 1296 get_random_bytes(&ediv, sizeof(ediv));
1297 get_random_bytes(&rand, sizeof(rand));
1298
1299 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1300
1301 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1302 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1303 SMP_LTK_SLAVE, authenticated, enc.ltk,
1304 smp->enc_key_size, ediv, rand);
1305 smp->slave_ltk = ltk;
1306
1307 ident.ediv = ediv;
1308 ident.rand = rand;
1309
1310 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1311
1312 *keydist &= ~SMP_DIST_ENC_KEY;
1313 }
1314
1315 if (*keydist & SMP_DIST_ID_KEY) {
1316 struct smp_cmd_ident_addr_info addrinfo;
1317 struct smp_cmd_ident_info idinfo;
1318
1319 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1320
1321 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1322
1323 /* The hci_conn contains the local identity address
1324 * after the connection has been established.
1325 *
1326 * This is true even when the connection has been
1327 * established using a resolvable random address.
1328 */
1329 bacpy(&addrinfo.bdaddr, &hcon->src);
1330 addrinfo.addr_type = hcon->src_type;
1331
1332 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1333 &addrinfo);
1334
1335 *keydist &= ~SMP_DIST_ID_KEY;
1336 }
1337
1338 if (*keydist & SMP_DIST_SIGN) {
1339 struct smp_cmd_sign_info sign;
1340 struct smp_csrk *csrk;
1341
1342 /* Generate a new random key */
1343 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1344
1345 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1346 if (csrk) {
4cd3928a
JH		 1347 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1348 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1349 else
1350 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
44f1a7ab
JH		 1351 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1352 }
1353 smp->slave_csrk = csrk;
1354
1355 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1356
1357 *keydist &= ~SMP_DIST_SIGN;
1358 }
1359
1360 /* If there are still keys to be received wait for them */
b28b4943
JH		 1361 if (smp->remote_key_dist & KEY_DIST_MASK) {
1362 smp_allow_key_dist(smp);
86d1407c 1363 return;
b28b4943 1364 }
44f1a7ab 1365
44f1a7ab
JH		 1366 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1367 smp_notify_keys(conn);
1368
1369 smp_chan_destroy(conn);
44f1a7ab
JH		 1370}
1371
b68fda68
JH		 1372static void smp_timeout(struct work_struct *work)
1373{
1374 struct smp_chan *smp = container_of(work, struct smp_chan,
1375 security_timer.work);
1376 struct l2cap_conn *conn = smp->conn;
1377
1378 BT_DBG("conn %p", conn);
1379
1e91c29e 1380 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
b68fda68
JH		 1381}
1382
8aab4757
VCG		 1383static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1384{
5d88cc73 1385 struct l2cap_chan *chan = conn->smp;
8aab4757
VCG		 1386 struct smp_chan *smp;
1387
f1560463 1388 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
fc75cc86 1389 if (!smp)
8aab4757
VCG		 1390 return NULL;
1391
1ad0f160 1392 smp->tfm_aes = crypto_alloc_cipher("aes", 0, 0);
6a7bd103 1393 if (IS_ERR(smp->tfm_aes)) {
a4770e11 1394 BT_ERR("Unable to create AES crypto context");
47eb2ac8 1395 goto zfree_smp;
6a7bd103
JH		 1396 }
1397
71af2f6b 1398 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
407cecf6
JH		 1399 if (IS_ERR(smp->tfm_cmac)) {
1400 BT_ERR("Unable to create CMAC crypto context");
47eb2ac8
TA		 1401 goto free_cipher;
1402 }
1403
1404 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1405 if (IS_ERR(smp->tfm_ecdh)) {
1406 BT_ERR("Unable to create ECDH crypto context");
1407 goto free_shash;
407cecf6
JH		 1408 }
1409
8aab4757 1410 smp->conn = conn;
5d88cc73 1411 chan->data = smp;
8aab4757 1412
b28b4943
JH		 1413 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1414
b68fda68
JH		 1415 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1416
8aab4757
VCG		 1417 hci_conn_hold(conn->hcon);
1418
1419 return smp;
47eb2ac8
TA		 1420
1421free_shash:
1422 crypto_free_shash(smp->tfm_cmac);
1423free_cipher:
1424 crypto_free_cipher(smp->tfm_aes);
1425zfree_smp:
1426 kzfree(smp);
1427 return NULL;
8aab4757
VCG		 1428}
1429
760b018b
JH		 1430static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1431{
1432 struct hci_conn *hcon = smp->conn->hcon;
1433 u8 *na, *nb, a[7], b[7];
1434
1435 if (hcon->out) {
1436 na = smp->prnd;
1437 nb = smp->rrnd;
1438 } else {
1439 na = smp->rrnd;
1440 nb = smp->prnd;
1441 }
1442
1443 memcpy(a, &hcon->init_addr, 6);
1444 memcpy(b, &hcon->resp_addr, 6);
1445 a[6] = hcon->init_addr_type;
1446 b[6] = hcon->resp_addr_type;
1447
1448 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1449}
1450
38606f14 1451static void sc_dhkey_check(struct smp_chan *smp)
760b018b
JH		 1452{
1453 struct hci_conn *hcon = smp->conn->hcon;
1454 struct smp_cmd_dhkey_check check;
1455 u8 a[7], b[7], *local_addr, *remote_addr;
1456 u8 io_cap[3], r[16];
1457
760b018b
JH		 1458 memcpy(a, &hcon->init_addr, 6);
1459 memcpy(b, &hcon->resp_addr, 6);
1460 a[6] = hcon->init_addr_type;
1461 b[6] = hcon->resp_addr_type;
1462
1463 if (hcon->out) {
1464 local_addr = a;
1465 remote_addr = b;
1466 memcpy(io_cap, &smp->preq[1], 3);
1467 } else {
1468 local_addr = b;
1469 remote_addr = a;
1470 memcpy(io_cap, &smp->prsp[1], 3);
1471 }
1472
dddd3059
JH		 1473 memset(r, 0, sizeof(r));
1474
1475 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
38606f14 1476 put_unaligned_le32(hcon->passkey_notify, r);
760b018b 1477
a29b0733
JH		 1478 if (smp->method == REQ_OOB)
1479 memcpy(r, smp->rr, 16);
1480
760b018b
JH		 1481 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1482 local_addr, remote_addr, check.e);
1483
1484 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
dddd3059
JH		 1485}
1486
38606f14
JH		 1487static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1488{
1489 struct l2cap_conn *conn = smp->conn;
1490 struct hci_conn *hcon = conn->hcon;
1491 struct smp_cmd_pairing_confirm cfm;
1492 u8 r;
1493
1494 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1495 r |= 0x80;
1496
1497 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1498
1499 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1500 cfm.confirm_val))
1501 return SMP_UNSPECIFIED;
1502
1503 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1504
1505 return 0;
1506}
1507
1508static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1509{
1510 struct l2cap_conn *conn = smp->conn;
1511 struct hci_conn *hcon = conn->hcon;
1512 struct hci_dev *hdev = hcon->hdev;
1513 u8 cfm[16], r;
1514
1515 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1516 if (smp->passkey_round >= 20)
1517 return 0;
1518
1519 switch (smp_op) {
1520 case SMP_CMD_PAIRING_RANDOM:
1521 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1522 r |= 0x80;
1523
1524 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1525 smp->rrnd, r, cfm))
1526 return SMP_UNSPECIFIED;
1527
329d8230 1528 if (crypto_memneq(smp->pcnf, cfm, 16))
38606f14
JH		 1529 return SMP_CONFIRM_FAILED;
1530
1531 smp->passkey_round++;
1532
1533 if (smp->passkey_round == 20) {
1534 /* Generate MacKey and LTK */
1535 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1536 return SMP_UNSPECIFIED;
1537 }
1538
1539 /* The round is only complete when the initiator
1540 * receives pairing random.
1541 */
1542 if (!hcon->out) {
1543 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1544 sizeof(smp->prnd), smp->prnd);
d3e54a87 1545 if (smp->passkey_round == 20)
38606f14 1546 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
d3e54a87 1547 else
38606f14 1548 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
38606f14
JH		 1549 return 0;
1550 }
1551
1552 /* Start the next round */
1553 if (smp->passkey_round != 20)
1554 return sc_passkey_round(smp, 0);
1555
1556 /* Passkey rounds are complete - start DHKey Check */
1557 sc_dhkey_check(smp);
1558 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1559
1560 break;
1561
1562 case SMP_CMD_PAIRING_CONFIRM:
1563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1564 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1565 return 0;
1566 }
1567
1568 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1569
1570 if (hcon->out) {
1571 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1572 sizeof(smp->prnd), smp->prnd);
1573 return 0;
1574 }
1575
1576 return sc_passkey_send_confirm(smp);
1577
1578 case SMP_CMD_PUBLIC_KEY:
1579 default:
1580 /* Initiating device starts the round */
1581 if (!hcon->out)
1582 return 0;
1583
1584 BT_DBG("%s Starting passkey round %u", hdev->name,
1585 smp->passkey_round + 1);
1586
1587 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1588
1589 return sc_passkey_send_confirm(smp);
1590 }
1591
1592 return 0;
1593}
1594
dddd3059
JH		 1595static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1596{
38606f14
JH		 1597 struct l2cap_conn *conn = smp->conn;
1598 struct hci_conn *hcon = conn->hcon;
1599 u8 smp_op;
1600
1601 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1602
dddd3059
JH		 1603 switch (mgmt_op) {
1604 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1605 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1606 return 0;
1607 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1608 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1609 return 0;
38606f14
JH		 1610 case MGMT_OP_USER_PASSKEY_REPLY:
1611 hcon->passkey_notify = le32_to_cpu(passkey);
1612 smp->passkey_round = 0;
1613
1614 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1615 smp_op = SMP_CMD_PAIRING_CONFIRM;
1616 else
1617 smp_op = 0;
1618
1619 if (sc_passkey_round(smp, smp_op))
1620 return -EIO;
1621
1622 return 0;
dddd3059
JH		 1623 }
1624
d3e54a87
JH		 1625 /* Initiator sends DHKey check first */
1626 if (hcon->out) {
1627 sc_dhkey_check(smp);
1628 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1629 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1630 sc_dhkey_check(smp);
1631 sc_add_ltk(smp);
1632 }
760b018b
JH		 1633
1634 return 0;
1635}
1636
2b64d153
BG		 1637int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1638{
b10e8017 1639 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73 1640 struct l2cap_chan *chan;
2b64d153
BG		 1641 struct smp_chan *smp;
1642 u32 value;
fc75cc86 1643 int err;
2b64d153
BG		 1644
1645 BT_DBG("");
1646
fc75cc86 1647 if (!conn)
2b64d153
BG		 1648 return -ENOTCONN;
1649
5d88cc73
JH		 1650 chan = conn->smp;
1651 if (!chan)
1652 return -ENOTCONN;
1653
fc75cc86
JH		 1654 l2cap_chan_lock(chan);
1655 if (!chan->data) {
1656 err = -ENOTCONN;
1657 goto unlock;
1658 }
1659
5d88cc73 1660 smp = chan->data;
2b64d153 1661
760b018b
JH		 1662 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1663 err = sc_user_reply(smp, mgmt_op, passkey);
1664 goto unlock;
1665 }
1666
2b64d153
BG		 1667 switch (mgmt_op) {
1668 case MGMT_OP_USER_PASSKEY_REPLY:
1669 value = le32_to_cpu(passkey);
943a732a 1670 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153 1671 BT_DBG("PassKey: %d", value);
943a732a 1672 put_unaligned_le32(value, smp->tk);
2b64d153
BG		 1673 /* Fall Through */
1674 case MGMT_OP_USER_CONFIRM_REPLY:
4a74d658 1675 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 1676 break;
1677 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1678 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e11 1679 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1680 err = 0;
1681 goto unlock;
2b64d153 1682 default:
84794e11 1683 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1684 err = -EOPNOTSUPP;
1685 goto unlock;
2b64d153
BG		 1686 }
1687
fc75cc86
JH		 1688 err = 0;
1689
2b64d153 1690 /* If it is our turn to send Pairing Confirm, do so now */
1cc61144
JH		 1691 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1692 u8 rsp = smp_confirm(smp);
1693 if (rsp)
1694 smp_failure(conn, rsp);
1695 }
2b64d153 1696
fc75cc86
JH		 1697unlock:
1698 l2cap_chan_unlock(chan);
1699 return err;
2b64d153
BG		 1700}
1701
b5ae344d
JH		 1702static void build_bredr_pairing_cmd(struct smp_chan *smp,
1703 struct smp_cmd_pairing *req,
1704 struct smp_cmd_pairing *rsp)
1705{
1706 struct l2cap_conn *conn = smp->conn;
1707 struct hci_dev *hdev = conn->hcon->hdev;
1708 u8 local_dist = 0, remote_dist = 0;
1709
d7a5a11d 1710 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
b5ae344d
JH		 1711 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1712 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1713 }
1714
d7a5a11d 1715 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
b5ae344d
JH		 1716 remote_dist |= SMP_DIST_ID_KEY;
1717
d7a5a11d 1718 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
b5ae344d
JH		 1719 local_dist |= SMP_DIST_ID_KEY;
1720
1721 if (!rsp) {
1722 memset(req, 0, sizeof(*req));
1723
a62da6f1 1724 req->auth_req = SMP_AUTH_CT2;
b5ae344d
JH		 1725 req->init_key_dist = local_dist;
1726 req->resp_key_dist = remote_dist;
e3f6a257 1727 req->max_key_size = conn->hcon->enc_key_size;
b5ae344d
JH		 1728
1729 smp->remote_key_dist = remote_dist;
1730
1731 return;
1732 }
1733
1734 memset(rsp, 0, sizeof(*rsp));
1735
a62da6f1 1736 rsp->auth_req = SMP_AUTH_CT2;
e3f6a257 1737 rsp->max_key_size = conn->hcon->enc_key_size;
b5ae344d
JH		 1738 rsp->init_key_dist = req->init_key_dist & remote_dist;
1739 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1740
1741 smp->remote_key_dist = rsp->init_key_dist;
1742}
1743
da85e5e5 1744static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1745{
3158c50c 1746 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
fc75cc86 1747 struct l2cap_chan *chan = conn->smp;
b3c6410b 1748 struct hci_dev *hdev = conn->hcon->hdev;
8aab4757 1749 struct smp_chan *smp;
c7262e71 1750 u8 key_size, auth, sec_level;
8aab4757 1751 int ret;
88ba43b6
AB		 1752
1753 BT_DBG("conn %p", conn);
1754
c46b98be 1755 if (skb->len < sizeof(*req))
38e4a915 1756 return SMP_INVALID_PARAMS;
c46b98be 1757
40bef302 1758 if (conn->hcon->role != HCI_ROLE_SLAVE)
2b64d153
BG		 1759 return SMP_CMD_NOTSUPP;
1760
fc75cc86 1761 if (!chan->data)
8aab4757 1762 smp = smp_chan_create(conn);
fc75cc86 1763 else
5d88cc73 1764 smp = chan->data;
8aab4757 1765
d08fd0e7
AE		 1766 if (!smp)
1767 return SMP_UNSPECIFIED;
d26a2345 1768
c05b9339 1769 /* We didn't start the pairing, so match remote */
0edb14de 1770 auth = req->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1771
d7a5a11d 1772 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
c05b9339 1773 (auth & SMP_AUTH_BONDING))
b3c6410b
JH		 1774 return SMP_PAIRING_NOTSUPP;
1775
d7a5a11d 1776 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 1777 return SMP_AUTH_REQUIREMENTS;
1778
1c1def09
VCG		 1779 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1780 memcpy(&smp->preq[1], req, sizeof(*req));
3158c50c 1781 skb_pull(skb, sizeof(*req));
88ba43b6 1782
cb06d366
JH		 1783 /* If the remote side's OOB flag is set it means it has
1784 * successfully received our local OOB data - therefore set the
1785 * flag to indicate that local OOB is in use.
1786 */
94f14e47 1787 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
58428563
JH		 1788 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1789
b5ae344d
JH		 1790 /* SMP over BR/EDR requires special treatment */
1791 if (conn->hcon->type == ACL_LINK) {
1792 /* We must have a BR/EDR SC link */
08f63cc5 1793 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
b7cb93e5 1794 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
b5ae344d
JH		 1795 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1796
1797 set_bit(SMP_FLAG_SC, &smp->flags);
1798
1799 build_bredr_pairing_cmd(smp, req, &rsp);
1800
a62da6f1
JH		 1801 if (req->auth_req & SMP_AUTH_CT2)
1802 set_bit(SMP_FLAG_CT2, &smp->flags);
1803
b5ae344d
JH		 1804 key_size = min(req->max_key_size, rsp.max_key_size);
1805 if (check_enc_key_size(conn, key_size))
1806 return SMP_ENC_KEY_SIZE;
1807
1808 /* Clear bits which are generated but not distributed */
1809 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1810
1811 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1812 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1813 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1814
1815 smp_distribute_keys(smp);
1816 return 0;
1817 }
1818
5e3d3d9b
JH		 1819 build_pairing_cmd(conn, req, &rsp, auth);
1820
a62da6f1 1821 if (rsp.auth_req & SMP_AUTH_SC) {
5e3d3d9b
JH		 1822 set_bit(SMP_FLAG_SC, &smp->flags);
1823
a62da6f1
JH		 1824 if (rsp.auth_req & SMP_AUTH_CT2)
1825 set_bit(SMP_FLAG_CT2, &smp->flags);
1826 }
1827
5be5e275 1828 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 1829 sec_level = BT_SECURITY_MEDIUM;
1830 else
1831 sec_level = authreq_to_seclevel(auth);
1832
c7262e71
JH		 1833 if (sec_level > conn->hcon->pending_sec_level)
1834 conn->hcon->pending_sec_level = sec_level;
fdde0a26 1835
49c922bb 1836 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1837 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1838 u8 method;
1839
1840 method = get_auth_method(smp, conn->hcon->io_capability,
1841 req->io_capability);
1842 if (method == JUST_WORKS || method == JUST_CFM)
1843 return SMP_AUTH_REQUIREMENTS;
1844 }
1845
3158c50c
VCG		 1846 key_size = min(req->max_key_size, rsp.max_key_size);
1847 if (check_enc_key_size(conn, key_size))
1848 return SMP_ENC_KEY_SIZE;
88ba43b6 1849
e84a6b13 1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
8aab4757 1851
1c1def09
VCG		 1852 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1853 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
f01ead31 1854
3158c50c 1855 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
3b19146d
JH		 1856
1857 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1858
19c5ce9c
JH		 1859 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1860 * SC case, however some implementations incorrectly copy RFU auth
1861 * req bits from our security request, which may create a false
1862 * positive SC enablement.
1863 */
1864 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1865
3b19146d
JH		 1866 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1867 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1868 /* Clear bits which are generated but not distributed */
1869 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1870 /* Wait for Public Key from Initiating Device */
1871 return 0;
3b19146d 1872 }
da85e5e5 1873
2b64d153
BG		 1874 /* Request setup of TK */
1875 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1876 if (ret)
1877 return SMP_UNSPECIFIED;
1878
da85e5e5 1879 return 0;
88ba43b6
AB		 1880}
1881
3b19146d
JH		 1882static u8 sc_send_public_key(struct smp_chan *smp)
1883{
70157ef5
JH		 1884 struct hci_dev *hdev = smp->conn->hcon->hdev;
1885
3b19146d
JH		 1886 BT_DBG("");
1887
1a8bab4f 1888 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
33d0c030
MH		 1889 struct l2cap_chan *chan = hdev->smp_data;
1890 struct smp_dev *smp_dev;
1891
1892 if (!chan || !chan->data)
1893 return SMP_UNSPECIFIED;
1894
1895 smp_dev = chan->data;
1896
1897 memcpy(smp->local_pk, smp_dev->local_pk, 64);
fb334fee 1898 memcpy(smp->lr, smp_dev->local_rand, 16);
33d0c030
MH		 1899
1900 if (smp_dev->debug_key)
1901 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1902
1903 goto done;
1904 }
1905
d7a5a11d 1906 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
70157ef5 1907 BT_DBG("Using debug keys");
c0153b0b
TA		 1908 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1909 return SMP_UNSPECIFIED;
70157ef5 1910 memcpy(smp->local_pk, debug_pk, 64);
70157ef5
JH		 1911 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1912 } else {
1913 while (true) {
c0153b0b
TA		 1914 /* Generate key pair for Secure Connections */
1915 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
70157ef5 1916 return SMP_UNSPECIFIED;
6c0dcc50 1917
70157ef5
JH		 1918 /* This is unlikely, but we need to check that
1919 * we didn't accidentially generate a debug key.
1920 */
c0153b0b 1921 if (crypto_memneq(smp->local_pk, debug_pk, 64))
70157ef5
JH		 1922 break;
1923 }
6c0dcc50 1924 }
3b19146d 1925
33d0c030 1926done:
c7a3d57d 1927 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
8e4e2ee5 1928 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
3b19146d
JH		 1929
1930 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1931
1932 return 0;
1933}
1934
da85e5e5 1935static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1936{
3158c50c 1937 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
5d88cc73
JH		 1938 struct l2cap_chan *chan = conn->smp;
1939 struct smp_chan *smp = chan->data;
0edb14de 1940 struct hci_dev *hdev = conn->hcon->hdev;
3a7dbfb8 1941 u8 key_size, auth;
7d24ddcc 1942 int ret;
88ba43b6
AB		 1943
1944 BT_DBG("conn %p", conn);
1945
c46b98be 1946 if (skb->len < sizeof(*rsp))
38e4a915 1947 return SMP_INVALID_PARAMS;
c46b98be 1948
40bef302 1949 if (conn->hcon->role != HCI_ROLE_MASTER)
2b64d153
BG		 1950 return SMP_CMD_NOTSUPP;
1951
3158c50c
VCG		 1952 skb_pull(skb, sizeof(*rsp));
1953
1c1def09 1954 req = (void *) &smp->preq[1];
da85e5e5 1955
3158c50c
VCG		 1956 key_size = min(req->max_key_size, rsp->max_key_size);
1957 if (check_enc_key_size(conn, key_size))
1958 return SMP_ENC_KEY_SIZE;
1959
0edb14de 1960 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1961
d7a5a11d 1962 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 1963 return SMP_AUTH_REQUIREMENTS;
1964
cb06d366
JH		 1965 /* If the remote side's OOB flag is set it means it has
1966 * successfully received our local OOB data - therefore set the
1967 * flag to indicate that local OOB is in use.
1968 */
94f14e47 1969 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
58428563
JH		 1970 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1971
b5ae344d
JH		 1972 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1973 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1974
1975 /* Update remote key distribution in case the remote cleared
1976 * some bits that we had enabled in our request.
1977 */
1978 smp->remote_key_dist &= rsp->resp_key_dist;
1979
a62da6f1
JH		 1980 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1981 set_bit(SMP_FLAG_CT2, &smp->flags);
1982
b5ae344d
JH		 1983 /* For BR/EDR this means we're done and can start phase 3 */
1984 if (conn->hcon->type == ACL_LINK) {
1985 /* Clear bits which are generated but not distributed */
1986 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987 smp_distribute_keys(smp);
1988 return 0;
1989 }
1990
65668776
JH		 1991 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1992 set_bit(SMP_FLAG_SC, &smp->flags);
d2eb9e10
JH		 1993 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1994 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
65668776 1995
49c922bb 1996 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1997 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1998 u8 method;
1999
2000 method = get_auth_method(smp, req->io_capability,
2001 rsp->io_capability);
2002 if (method == JUST_WORKS || method == JUST_CFM)
2003 return SMP_AUTH_REQUIREMENTS;
2004 }
2005
e84a6b13 2006 get_random_bytes(smp->prnd, sizeof(smp->prnd));
7d24ddcc 2007
fdcc4bec
JH		 2008 /* Update remote key distribution in case the remote cleared
2009 * some bits that we had enabled in our request.
2010 */
2011 smp->remote_key_dist &= rsp->resp_key_dist;
2012
3b19146d
JH		 2013 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2014 /* Clear bits which are generated but not distributed */
2015 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2016 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2017 return sc_send_public_key(smp);
2018 }
2019
c05b9339 2020 auth |= req->auth_req;
2b64d153 2021
476585ec 2022 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2b64d153
BG		 2023 if (ret)
2024 return SMP_UNSPECIFIED;
2025
4a74d658 2026 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153
BG		 2027
2028 /* Can't compose response until we have been confirmed */
4a74d658 2029 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 2030 return smp_confirm(smp);
da85e5e5
VCG		 2031
2032 return 0;
88ba43b6
AB		 2033}
2034
dcee2b32
JH		 2035static u8 sc_check_confirm(struct smp_chan *smp)
2036{
2037 struct l2cap_conn *conn = smp->conn;
2038
2039 BT_DBG("");
2040
38606f14
JH		 2041 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2042 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2043
dcee2b32
JH		 2044 if (conn->hcon->out) {
2045 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2046 smp->prnd);
2047 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2048 }
2049
2050 return 0;
2051}
2052
19c5ce9c
JH		 2053/* Work-around for some implementations that incorrectly copy RFU bits
2054 * from our security request and thereby create the impression that
2055 * we're doing SC when in fact the remote doesn't support it.
2056 */
2057static int fixup_sc_false_positive(struct smp_chan *smp)
2058{
2059 struct l2cap_conn *conn = smp->conn;
2060 struct hci_conn *hcon = conn->hcon;
2061 struct hci_dev *hdev = hcon->hdev;
2062 struct smp_cmd_pairing *req, *rsp;
2063 u8 auth;
2064
2065 /* The issue is only observed when we're in slave role */
2066 if (hcon->out)
2067 return SMP_UNSPECIFIED;
2068
2069 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2064ee33 2070 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
19c5ce9c
JH		 2071 return SMP_UNSPECIFIED;
2072 }
2073
2064ee33 2074 bt_dev_err(hdev, "trying to fall back to legacy SMP");
19c5ce9c
JH		 2075
2076 req = (void *) &smp->preq[1];
2077 rsp = (void *) &smp->prsp[1];
2078
2079 /* Rebuild key dist flags which may have been cleared for SC */
2080 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2081
2082 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2083
2084 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2064ee33 2085 bt_dev_err(hdev, "failed to fall back to legacy SMP");
19c5ce9c
JH		 2086 return SMP_UNSPECIFIED;
2087 }
2088
2089 clear_bit(SMP_FLAG_SC, &smp->flags);
2090
2091 return 0;
2092}
2093
da85e5e5 2094static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 2095{
5d88cc73
JH		 2096 struct l2cap_chan *chan = conn->smp;
2097 struct smp_chan *smp = chan->data;
7d24ddcc 2098
88ba43b6
AB		 2099 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2100
c46b98be 2101 if (skb->len < sizeof(smp->pcnf))
38e4a915 2102 return SMP_INVALID_PARAMS;
c46b98be 2103
1c1def09
VCG		 2104 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2105 skb_pull(skb, sizeof(smp->pcnf));
88ba43b6 2106
19c5ce9c
JH		 2107 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2108 int ret;
2109
2110 /* Public Key exchange must happen before any other steps */
2111 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2112 return sc_check_confirm(smp);
2113
2114 BT_ERR("Unexpected SMP Pairing Confirm");
2115
2116 ret = fixup_sc_false_positive(smp);
2117 if (ret)
2118 return ret;
2119 }
dcee2b32 2120
b28b4943 2121 if (conn->hcon->out) {
943a732a
JH		 2122 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2123 smp->prnd);
b28b4943
JH		 2124 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2125 return 0;
2126 }
2127
2128 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 2129 return smp_confirm(smp);
983f9814
MH		 2130
2131 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
da85e5e5
VCG		 2132
2133 return 0;
88ba43b6
AB		 2134}
2135
da85e5e5 2136static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 2137{
5d88cc73
JH		 2138 struct l2cap_chan *chan = conn->smp;
2139 struct smp_chan *smp = chan->data;
191dc7fe
JH		 2140 struct hci_conn *hcon = conn->hcon;
2141 u8 *pkax, *pkbx, *na, *nb;
2142 u32 passkey;
2143 int err;
7d24ddcc 2144
8aab4757 2145 BT_DBG("conn %p", conn);
3158c50c 2146
c46b98be 2147 if (skb->len < sizeof(smp->rrnd))
38e4a915 2148 return SMP_INVALID_PARAMS;
c46b98be 2149
943a732a 2150 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
8aab4757 2151 skb_pull(skb, sizeof(smp->rrnd));
e7e62c85 2152
191dc7fe
JH		 2153 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2154 return smp_random(smp);
2155
580039e8
JH		 2156 if (hcon->out) {
2157 pkax = smp->local_pk;
2158 pkbx = smp->remote_pk;
2159 na = smp->prnd;
2160 nb = smp->rrnd;
2161 } else {
2162 pkax = smp->remote_pk;
2163 pkbx = smp->local_pk;
2164 na = smp->rrnd;
2165 nb = smp->prnd;
2166 }
2167
a29b0733
JH		 2168 if (smp->method == REQ_OOB) {
2169 if (!hcon->out)
2170 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2171 sizeof(smp->prnd), smp->prnd);
2172 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2173 goto mackey_and_ltk;
2174 }
2175
38606f14
JH		 2176 /* Passkey entry has special treatment */
2177 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2178 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2179
191dc7fe
JH		 2180 if (hcon->out) {
2181 u8 cfm[16];
2182
2183 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2184 smp->rrnd, 0, cfm);
2185 if (err)
2186 return SMP_UNSPECIFIED;
2187
329d8230 2188 if (crypto_memneq(smp->pcnf, cfm, 16))
191dc7fe 2189 return SMP_CONFIRM_FAILED;
191dc7fe
JH		 2190 } else {
2191 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2192 smp->prnd);
2193 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
191dc7fe
JH		 2194 }
2195
a29b0733 2196mackey_and_ltk:
760b018b
JH		 2197 /* Generate MacKey and LTK */
2198 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2199 if (err)
2200 return SMP_UNSPECIFIED;
2201
a29b0733 2202 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
dddd3059 2203 if (hcon->out) {
38606f14 2204 sc_dhkey_check(smp);
dddd3059
JH		 2205 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2206 }
2207 return 0;
2208 }
2209
38606f14
JH		 2210 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2211 if (err)
2212 return SMP_UNSPECIFIED;
2213
2214 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2215 hcon->dst_type, passkey, 0);
191dc7fe
JH		 2216 if (err)
2217 return SMP_UNSPECIFIED;
2218
38606f14
JH		 2219 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2220
191dc7fe 2221 return 0;
88ba43b6
AB		 2222}
2223
f81cd823 2224static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
988c5997 2225{
c9839a11 2226 struct smp_ltk *key;
988c5997
VCG		 2227 struct hci_conn *hcon = conn->hcon;
2228
f3a73d97 2229 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
988c5997 2230 if (!key)
f81cd823 2231 return false;
988c5997 2232
a6f7833c 2233 if (smp_ltk_sec_level(key) < sec_level)
f81cd823 2234 return false;
4dab7864 2235
51a8efd7 2236 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
f81cd823 2237 return true;
988c5997 2238
8b76ce34 2239 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
c9839a11 2240 hcon->enc_key_size = key->enc_size;
988c5997 2241
fe59a05f
JH		 2242 /* We never store STKs for master role, so clear this flag */
2243 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2244
f81cd823 2245 return true;
988c5997 2246}
f1560463 2247
35dc6f83
JH		 2248bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2249 enum smp_key_pref key_pref)
854f4727
JH		 2250{
2251 if (sec_level == BT_SECURITY_LOW)
2252 return true;
2253
35dc6f83
JH		 2254 /* If we're encrypted with an STK but the caller prefers using
2255 * LTK claim insufficient security. This way we allow the
2256 * connection to be re-encrypted with an LTK, even if the LTK
2257 * provides the same level of security. Only exception is if we
2258 * don't have an LTK (e.g. because of key distribution bits).
9ab65d60 2259 */
35dc6f83
JH		 2260 if (key_pref == SMP_USE_LTK &&
2261 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
f3a73d97 2262 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
9ab65d60
JH		 2263 return false;
2264
854f4727
JH		 2265 if (hcon->sec_level >= sec_level)
2266 return true;
2267
2268 return false;
2269}
2270
da85e5e5 2271static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6
AB		 2272{
2273 struct smp_cmd_security_req *rp = (void *) skb->data;
2274 struct smp_cmd_pairing cp;
f1cb9af5 2275 struct hci_conn *hcon = conn->hcon;
0edb14de 2276 struct hci_dev *hdev = hcon->hdev;
8aab4757 2277 struct smp_chan *smp;
c05b9339 2278 u8 sec_level, auth;
88ba43b6
AB		 2279
2280 BT_DBG("conn %p", conn);
2281
c46b98be 2282 if (skb->len < sizeof(*rp))
38e4a915 2283 return SMP_INVALID_PARAMS;
c46b98be 2284
40bef302 2285 if (hcon->role != HCI_ROLE_MASTER)
86ca9eac
JH		 2286 return SMP_CMD_NOTSUPP;
2287
0edb14de 2288 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 2289
d7a5a11d 2290 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 2291 return SMP_AUTH_REQUIREMENTS;
2292
5be5e275 2293 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 2294 sec_level = BT_SECURITY_MEDIUM;
2295 else
2296 sec_level = authreq_to_seclevel(auth);
2297
64e759f5
SJ		 2298 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2299 /* If link is already encrypted with sufficient security we
2300 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2301 * Part H 2.4.6
2302 */
2303 smp_ltk_encrypt(conn, hcon->sec_level);
854f4727 2304 return 0;
64e759f5 2305 }
854f4727 2306
c7262e71
JH		 2307 if (sec_level > hcon->pending_sec_level)
2308 hcon->pending_sec_level = sec_level;
feb45eb5 2309
4dab7864 2310 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
988c5997
VCG		 2311 return 0;
2312
8aab4757 2313 smp = smp_chan_create(conn);
c29d2444
JH		 2314 if (!smp)
2315 return SMP_UNSPECIFIED;
d26a2345 2316
d7a5a11d 2317 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
c05b9339 2318 (auth & SMP_AUTH_BONDING))
616d55be
JH		 2319 return SMP_PAIRING_NOTSUPP;
2320
88ba43b6 2321 skb_pull(skb, sizeof(*rp));
88ba43b6 2322
da85e5e5 2323 memset(&cp, 0, sizeof(cp));
c05b9339 2324 build_pairing_cmd(conn, &cp, NULL, auth);
88ba43b6 2325
1c1def09
VCG		 2326 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2327 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2328
88ba43b6 2329 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2330 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
f1cb9af5 2331
da85e5e5 2332 return 0;
88ba43b6
AB		 2333}
2334
cc110922 2335int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
eb492e01 2336{
cc110922 2337 struct l2cap_conn *conn = hcon->l2cap_data;
c68b7f12 2338 struct l2cap_chan *chan;
0a66cf20 2339 struct smp_chan *smp;
2b64d153 2340 __u8 authreq;
fc75cc86 2341 int ret;
eb492e01 2342
3a0259bb
VCG		 2343 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2344
0a66cf20
JH		 2345 /* This may be NULL if there's an unexpected disconnection */
2346 if (!conn)
2347 return 1;
2348
d7a5a11d 2349 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2e65c9d2
AG		 2350 return 1;
2351
35dc6f83 2352 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
eb492e01 2353 return 1;
f1cb9af5 2354
c7262e71
JH		 2355 if (sec_level > hcon->pending_sec_level)
2356 hcon->pending_sec_level = sec_level;
2357
40bef302 2358 if (hcon->role == HCI_ROLE_MASTER)
c7262e71
JH		 2359 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2360 return 0;
d26a2345 2361
d8949aad
JH		 2362 chan = conn->smp;
2363 if (!chan) {
2064ee33 2364 bt_dev_err(hcon->hdev, "security requested but not available");
d8949aad
JH		 2365 return 1;
2366 }
2367
fc75cc86
JH		 2368 l2cap_chan_lock(chan);
2369
2370 /* If SMP is already in progress ignore this request */
2371 if (chan->data) {
2372 ret = 0;
2373 goto unlock;
2374 }
d26a2345 2375
8aab4757 2376 smp = smp_chan_create(conn);
fc75cc86
JH		 2377 if (!smp) {
2378 ret = 1;
2379 goto unlock;
2380 }
2b64d153
BG		 2381
2382 authreq = seclevel_to_authreq(sec_level);
d26a2345 2383
a62da6f1 2384 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
d2eb9e10 2385 authreq |= SMP_AUTH_SC;
a62da6f1
JH		 2386 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2387 authreq |= SMP_AUTH_CT2;
2388 }
d2eb9e10 2389
79897d20
JH		 2390 /* Require MITM if IO Capability allows or the security level
2391 * requires it.
2e233644 2392 */
79897d20 2393 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
c7262e71 2394 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2e233644
JH		 2395 authreq |= SMP_AUTH_MITM;
2396
40bef302 2397 if (hcon->role == HCI_ROLE_MASTER) {
d26a2345 2398 struct smp_cmd_pairing cp;
f01ead31 2399
2b64d153 2400 build_pairing_cmd(conn, &cp, NULL, authreq);
1c1def09
VCG		 2401 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2402 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2403
eb492e01 2404 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2405 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
eb492e01
AB		 2406 } else {
2407 struct smp_cmd_security_req cp;
2b64d153 2408 cp.auth_req = authreq;
eb492e01 2409 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
b28b4943 2410 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
eb492e01
AB		 2411 }
2412
4a74d658 2413 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
fc75cc86 2414 ret = 0;
edca792c 2415
fc75cc86
JH		 2416unlock:
2417 l2cap_chan_unlock(chan);
2418 return ret;
eb492e01
AB		 2419}
2420
cb28c306
MK		 2421int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2422 u8 addr_type)
c81d555a 2423{
cb28c306
MK		 2424 struct hci_conn *hcon;
2425 struct l2cap_conn *conn;
c81d555a
JH		 2426 struct l2cap_chan *chan;
2427 struct smp_chan *smp;
cb28c306
MK		 2428 int err;
2429
2430 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2431 hci_remove_irk(hdev, bdaddr, addr_type);
2432
2433 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2434 if (!hcon)
2435 goto done;
c81d555a 2436
cb28c306 2437 conn = hcon->l2cap_data;
c81d555a 2438 if (!conn)
cb28c306 2439 goto done;
c81d555a
JH		 2440
2441 chan = conn->smp;
2442 if (!chan)
cb28c306 2443 goto done;
c81d555a
JH		 2444
2445 l2cap_chan_lock(chan);
2446
2447 smp = chan->data;
2448 if (smp) {
cb28c306
MK		 2449 /* Set keys to NULL to make sure smp_failure() does not try to
2450 * remove and free already invalidated rcu list entries. */
2451 smp->ltk = NULL;
2452 smp->slave_ltk = NULL;
2453 smp->remote_irk = NULL;
2454
c81d555a
JH		 2455 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2456 smp_failure(conn, 0);
2457 else
2458 smp_failure(conn, SMP_UNSPECIFIED);
cb28c306 2459 err = 0;
c81d555a
JH		 2460 }
2461
2462 l2cap_chan_unlock(chan);
cb28c306
MK		 2463
2464done:
2465 return err;
c81d555a
JH		 2466}
2467
7034b911
VCG		 2468static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2469{
16b90839 2470 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
5d88cc73
JH		 2471 struct l2cap_chan *chan = conn->smp;
2472 struct smp_chan *smp = chan->data;
16b90839 2473
c46b98be
JH		 2474 BT_DBG("conn %p", conn);
2475
2476 if (skb->len < sizeof(*rp))
38e4a915 2477 return SMP_INVALID_PARAMS;
c46b98be 2478
b28b4943 2479 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
6131ddc8 2480
16b90839
VCG		 2481 skb_pull(skb, sizeof(*rp));
2482
1c1def09 2483 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
16b90839 2484
7034b911
VCG		 2485 return 0;
2486}
2487
2488static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2489{
16b90839 2490 struct smp_cmd_master_ident *rp = (void *) skb->data;
5d88cc73
JH		 2491 struct l2cap_chan *chan = conn->smp;
2492 struct smp_chan *smp = chan->data;
c9839a11
VCG		 2493 struct hci_dev *hdev = conn->hcon->hdev;
2494 struct hci_conn *hcon = conn->hcon;
23d0e128 2495 struct smp_ltk *ltk;
c9839a11 2496 u8 authenticated;
16b90839 2497
c46b98be
JH		 2498 BT_DBG("conn %p", conn);
2499
2500 if (skb->len < sizeof(*rp))
38e4a915 2501 return SMP_INVALID_PARAMS;
c46b98be 2502
9747a9f3
JH		 2503 /* Mark the information as received */
2504 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2505
b28b4943
JH		 2506 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2507 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
196332f5
JH		 2508 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2509 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
b28b4943 2510
16b90839 2511 skb_pull(skb, sizeof(*rp));
7034b911 2512
ce39fb4e 2513 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2ceba539 2514 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
23d0e128
JH		 2515 authenticated, smp->tk, smp->enc_key_size,
2516 rp->ediv, rp->rand);
2517 smp->ltk = ltk;
c6e81e9a 2518 if (!(smp->remote_key_dist & KEY_DIST_MASK))
d6268e86 2519 smp_distribute_keys(smp);
7034b911
VCG		 2520
2521 return 0;
2522}
2523
fd349c02
JH		 2524static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2525{
2526 struct smp_cmd_ident_info *info = (void *) skb->data;
5d88cc73
JH		 2527 struct l2cap_chan *chan = conn->smp;
2528 struct smp_chan *smp = chan->data;
fd349c02
JH		 2529
2530 BT_DBG("");
2531
2532 if (skb->len < sizeof(*info))
38e4a915 2533 return SMP_INVALID_PARAMS;
fd349c02 2534
b28b4943 2535 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
6131ddc8 2536
fd349c02
JH		 2537 skb_pull(skb, sizeof(*info));
2538
2539 memcpy(smp->irk, info->irk, 16);
2540
2541 return 0;
2542}
2543
2544static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2545 struct sk_buff *skb)
2546{
2547 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
5d88cc73
JH		 2548 struct l2cap_chan *chan = conn->smp;
2549 struct smp_chan *smp = chan->data;
fd349c02
JH		 2550 struct hci_conn *hcon = conn->hcon;
2551 bdaddr_t rpa;
2552
2553 BT_DBG("");
2554
2555 if (skb->len < sizeof(*info))
38e4a915 2556 return SMP_INVALID_PARAMS;
fd349c02 2557
9747a9f3
JH		 2558 /* Mark the information as received */
2559 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2560
b28b4943
JH		 2561 if (smp->remote_key_dist & SMP_DIST_SIGN)
2562 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2563
fd349c02
JH		 2564 skb_pull(skb, sizeof(*info));
2565
a9a58f86
JH		 2566 /* Strictly speaking the Core Specification (4.1) allows sending
2567 * an empty address which would force us to rely on just the IRK
2568 * as "identity information". However, since such
2569 * implementations are not known of and in order to not over
2570 * complicate our implementation, simply pretend that we never
2571 * received an IRK for such a device.
e12af489
JH		 2572 *
2573 * The Identity Address must also be a Static Random or Public
2574 * Address, which hci_is_identity_address() checks for.
a9a58f86 2575 */
e12af489
JH		 2576 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2577 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2064ee33 2578 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
31dd624e 2579 goto distribute;
a9a58f86
JH		 2580 }
2581
1d87b88b
SJ		 2582 /* Drop IRK if peer is using identity address during pairing but is
2583 * providing different address as identity information.
2584 *
2585 * Microsoft Surface Precision Mouse is known to have this bug.
2586 */
2587 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2588 (bacmp(&info->bdaddr, &hcon->dst) ||
2589 info->addr_type != hcon->dst_type)) {
2590 bt_dev_err(hcon->hdev,
2591 "ignoring IRK with invalid identity address");
2592 goto distribute;
2593 }
2594
fd349c02
JH		 2595 bacpy(&smp->id_addr, &info->bdaddr);
2596 smp->id_addr_type = info->addr_type;
2597
2598 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2599 bacpy(&rpa, &hcon->dst);
2600 else
2601 bacpy(&rpa, BDADDR_ANY);
2602
23d0e128
JH		 2603 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2604 smp->id_addr_type, smp->irk, &rpa);
fd349c02 2605
31dd624e 2606distribute:
c6e81e9a
JH		 2607 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2608 smp_distribute_keys(smp);
fd349c02
JH		 2609
2610 return 0;
2611}
2612
7ee4ea36
MH		 2613static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2614{
2615 struct smp_cmd_sign_info *rp = (void *) skb->data;
5d88cc73
JH		 2616 struct l2cap_chan *chan = conn->smp;
2617 struct smp_chan *smp = chan->data;
7ee4ea36
MH		 2618 struct smp_csrk *csrk;
2619
2620 BT_DBG("conn %p", conn);
2621
2622 if (skb->len < sizeof(*rp))
38e4a915 2623 return SMP_INVALID_PARAMS;
7ee4ea36 2624
7ee4ea36
MH		 2625 /* Mark the information as received */
2626 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2627
2628 skb_pull(skb, sizeof(*rp));
2629
7ee4ea36
MH		 2630 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2631 if (csrk) {
4cd3928a
JH		 2632 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2633 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2634 else
2635 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
7ee4ea36
MH		 2636 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2637 }
2638 smp->csrk = csrk;
d6268e86 2639 smp_distribute_keys(smp);
7ee4ea36
MH		 2640
2641 return 0;
2642}
2643
5e3d3d9b
JH		 2644static u8 sc_select_method(struct smp_chan *smp)
2645{
2646 struct l2cap_conn *conn = smp->conn;
2647 struct hci_conn *hcon = conn->hcon;
2648 struct smp_cmd_pairing *local, *remote;
2649 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2650
1a8bab4f
JH		 2651 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2652 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
a29b0733
JH		 2653 return REQ_OOB;
2654
5e3d3d9b
JH		 2655 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2656 * which are needed as inputs to some crypto functions. To get
2657 * the "struct smp_cmd_pairing" from them we need to skip the
2658 * first byte which contains the opcode.
2659 */
2660 if (hcon->out) {
2661 local = (void *) &smp->preq[1];
2662 remote = (void *) &smp->prsp[1];
2663 } else {
2664 local = (void *) &smp->prsp[1];
2665 remote = (void *) &smp->preq[1];
2666 }
2667
2668 local_io = local->io_capability;
2669 remote_io = remote->io_capability;
2670
2671 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2672 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2673
2674 /* If either side wants MITM, look up the method from the table,
2675 * otherwise use JUST WORKS.
2676 */
2677 if (local_mitm || remote_mitm)
2678 method = get_auth_method(smp, local_io, remote_io);
2679 else
2680 method = JUST_WORKS;
2681
2682 /* Don't confirm locally initiated pairing attempts */
2683 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2684 method = JUST_WORKS;
2685
2686 return method;
2687}
2688
d8f8edbe
JH		 2689static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2690{
2691 struct smp_cmd_public_key *key = (void *) skb->data;
2692 struct hci_conn *hcon = conn->hcon;
2693 struct l2cap_chan *chan = conn->smp;
2694 struct smp_chan *smp = chan->data;
5e3d3d9b 2695 struct hci_dev *hdev = hcon->hdev;
c0153b0b 2696 struct crypto_kpp *tfm_ecdh;
cbbbe3e2 2697 struct smp_cmd_pairing_confirm cfm;
d8f8edbe
JH		 2698 int err;
2699
2700 BT_DBG("conn %p", conn);
2701
2702 if (skb->len < sizeof(*key))
2703 return SMP_INVALID_PARAMS;
2704
2705 memcpy(smp->remote_pk, key, 64);
2706
a8ca617c
JH		 2707 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2708 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2709 smp->rr, 0, cfm.confirm_val);
2710 if (err)
2711 return SMP_UNSPECIFIED;
2712
329d8230 2713 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
a8ca617c
JH		 2714 return SMP_CONFIRM_FAILED;
2715 }
2716
d8f8edbe
JH		 2717 /* Non-initiating device sends its public key after receiving
2718 * the key from the initiating device.
2719 */
2720 if (!hcon->out) {
2721 err = sc_send_public_key(smp);
2722 if (err)
2723 return err;
2724 }
2725
c7a3d57d 2726 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
e091526d 2727 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
d8f8edbe 2728
c0153b0b
TA		 2729 /* Compute the shared secret on the same crypto tfm on which the private
2730 * key was set/generated.
2731 */
2732 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
4ba5175f
MK		 2733 struct l2cap_chan *hchan = hdev->smp_data;
2734 struct smp_dev *smp_dev;
2735
2736 if (!hchan || !hchan->data)
2737 return SMP_UNSPECIFIED;
2738
2739 smp_dev = hchan->data;
c0153b0b
TA		 2740
2741 tfm_ecdh = smp_dev->tfm_ecdh;
2742 } else {
2743 tfm_ecdh = smp->tfm_ecdh;
2744 }
2745
2746 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
d8f8edbe
JH		 2747 return SMP_UNSPECIFIED;
2748
c7a3d57d 2749 SMP_DBG("DHKey %32phN", smp->dhkey);
d8f8edbe
JH		 2750
2751 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2752
5e3d3d9b
JH		 2753 smp->method = sc_select_method(smp);
2754
2755 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2756
2757 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2758 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2759 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2760 else
2761 hcon->pending_sec_level = BT_SECURITY_FIPS;
2762
329d8230 2763 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
aeb7d461
JH		 2764 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2765
38606f14
JH		 2766 if (smp->method == DSP_PASSKEY) {
2767 get_random_bytes(&hcon->passkey_notify,
2768 sizeof(hcon->passkey_notify));
2769 hcon->passkey_notify %= 1000000;
2770 hcon->passkey_entered = 0;
2771 smp->passkey_round = 0;
2772 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2773 hcon->dst_type,
2774 hcon->passkey_notify,
2775 hcon->passkey_entered))
2776 return SMP_UNSPECIFIED;
2777 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2778 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2779 }
2780
94ea7257 2781 if (smp->method == REQ_OOB) {
a29b0733
JH		 2782 if (hcon->out)
2783 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2784 sizeof(smp->prnd), smp->prnd);
2785
2786 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2787
2788 return 0;
2789 }
2790
38606f14
JH		 2791 if (hcon->out)
2792 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2793
2794 if (smp->method == REQ_PASSKEY) {
2795 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2796 hcon->dst_type))
2797 return SMP_UNSPECIFIED;
2798 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2799 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2800 return 0;
2801 }
2802
cbbbe3e2
JH		 2803 /* The Initiating device waits for the non-initiating device to
2804 * send the confirm value.
2805 */
2806 if (conn->hcon->out)
2807 return 0;
2808
2809 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2810 0, cfm.confirm_val);
2811 if (err)
2812 return SMP_UNSPECIFIED;
2813
2814 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2815 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2816
d8f8edbe
JH		 2817 return 0;
2818}
2819
6433a9a2
JH		 2820static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2821{
2822 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2823 struct l2cap_chan *chan = conn->smp;
2824 struct hci_conn *hcon = conn->hcon;
2825 struct smp_chan *smp = chan->data;
2826 u8 a[7], b[7], *local_addr, *remote_addr;
2827 u8 io_cap[3], r[16], e[16];
2828 int err;
2829
2830 BT_DBG("conn %p", conn);
2831
2832 if (skb->len < sizeof(*check))
2833 return SMP_INVALID_PARAMS;
2834
2835 memcpy(a, &hcon->init_addr, 6);
2836 memcpy(b, &hcon->resp_addr, 6);
2837 a[6] = hcon->init_addr_type;
2838 b[6] = hcon->resp_addr_type;
2839
2840 if (hcon->out) {
2841 local_addr = a;
2842 remote_addr = b;
2843 memcpy(io_cap, &smp->prsp[1], 3);
2844 } else {
2845 local_addr = b;
2846 remote_addr = a;
2847 memcpy(io_cap, &smp->preq[1], 3);
2848 }
2849
2850 memset(r, 0, sizeof(r));
2851
38606f14
JH		 2852 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2853 put_unaligned_le32(hcon->passkey_notify, r);
882fafad
JH		 2854 else if (smp->method == REQ_OOB)
2855 memcpy(r, smp->lr, 16);
38606f14 2856
6433a9a2
JH		 2857 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2858 io_cap, remote_addr, local_addr, e);
2859 if (err)
2860 return SMP_UNSPECIFIED;
2861
329d8230 2862 if (crypto_memneq(check->e, e, 16))
6433a9a2
JH		 2863 return SMP_DHKEY_CHECK_FAILED;
2864
d3e54a87
JH		 2865 if (!hcon->out) {
2866 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2867 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2868 return 0;
2869 }
d378a2d7 2870
d3e54a87
JH		 2871 /* Slave sends DHKey check as response to master */
2872 sc_dhkey_check(smp);
2873 }
d378a2d7 2874
d3e54a87 2875 sc_add_ltk(smp);
6433a9a2
JH		 2876
2877 if (hcon->out) {
8b76ce34 2878 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
6433a9a2
JH		 2879 hcon->enc_key_size = smp->enc_key_size;
2880 }
2881
2882 return 0;
2883}
2884
1408bb6e
JH		 2885static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2886 struct sk_buff *skb)
2887{
2888 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2889
2890 BT_DBG("value 0x%02x", kp->value);
2891
2892 return 0;
2893}
2894
4befb867 2895static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
eb492e01 2896{
5d88cc73 2897 struct l2cap_conn *conn = chan->conn;
7b9899db 2898 struct hci_conn *hcon = conn->hcon;
b28b4943 2899 struct smp_chan *smp;
92381f5c 2900 __u8 code, reason;
eb492e01
AB		 2901 int err = 0;
2902
8ae9b984 2903 if (skb->len < 1)
92381f5c 2904 return -EILSEQ;
92381f5c 2905
d7a5a11d 2906 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2e65c9d2
AG		 2907 reason = SMP_PAIRING_NOTSUPP;
2908 goto done;
2909 }
2910
92381f5c 2911 code = skb->data[0];
eb492e01
AB		 2912 skb_pull(skb, sizeof(code));
2913
b28b4943
JH		 2914 smp = chan->data;
2915
2916 if (code > SMP_CMD_MAX)
2917 goto drop;
2918
24bd0bd9 2919 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
b28b4943
JH		 2920 goto drop;
2921
2922 /* If we don't have a context the only allowed commands are
2923 * pairing request and security request.
8cf9fa12 2924 */
b28b4943
JH		 2925 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2926 goto drop;
8cf9fa12 2927
eb492e01
AB		 2928 switch (code) {
2929 case SMP_CMD_PAIRING_REQ:
da85e5e5 2930 reason = smp_cmd_pairing_req(conn, skb);
eb492e01
AB		 2931 break;
2932
2933 case SMP_CMD_PAIRING_FAIL:
84794e11 2934 smp_failure(conn, 0);
da85e5e5 2935 err = -EPERM;
eb492e01
AB		 2936 break;
2937
2938 case SMP_CMD_PAIRING_RSP:
da85e5e5 2939 reason = smp_cmd_pairing_rsp(conn, skb);
88ba43b6
AB		 2940 break;
2941
2942 case SMP_CMD_SECURITY_REQ:
da85e5e5 2943 reason = smp_cmd_security_req(conn, skb);
88ba43b6
AB		 2944 break;
2945
eb492e01 2946 case SMP_CMD_PAIRING_CONFIRM:
da85e5e5 2947 reason = smp_cmd_pairing_confirm(conn, skb);
88ba43b6
AB		 2948 break;
2949
eb492e01 2950 case SMP_CMD_PAIRING_RANDOM:
da85e5e5 2951 reason = smp_cmd_pairing_random(conn, skb);
88ba43b6
AB		 2952 break;
2953
eb492e01 2954 case SMP_CMD_ENCRYPT_INFO:
7034b911
VCG		 2955 reason = smp_cmd_encrypt_info(conn, skb);
2956 break;
2957
eb492e01 2958 case SMP_CMD_MASTER_IDENT:
7034b911
VCG		 2959 reason = smp_cmd_master_ident(conn, skb);
2960 break;
2961
eb492e01 2962 case SMP_CMD_IDENT_INFO:
fd349c02
JH		 2963 reason = smp_cmd_ident_info(conn, skb);
2964 break;
2965
eb492e01 2966 case SMP_CMD_IDENT_ADDR_INFO:
fd349c02
JH		 2967 reason = smp_cmd_ident_addr_info(conn, skb);
2968 break;
2969
eb492e01 2970 case SMP_CMD_SIGN_INFO:
7ee4ea36 2971 reason = smp_cmd_sign_info(conn, skb);
7034b911
VCG		 2972 break;
2973
d8f8edbe
JH		 2974 case SMP_CMD_PUBLIC_KEY:
2975 reason = smp_cmd_public_key(conn, skb);
2976 break;
2977
6433a9a2
JH		 2978 case SMP_CMD_DHKEY_CHECK:
2979 reason = smp_cmd_dhkey_check(conn, skb);
2980 break;
2981
1408bb6e
JH		 2982 case SMP_CMD_KEYPRESS_NOTIFY:
2983 reason = smp_cmd_keypress_notify(conn, skb);
2984 break;
2985
eb492e01
AB		 2986 default:
2987 BT_DBG("Unknown command code 0x%2.2x", code);
eb492e01 2988 reason = SMP_CMD_NOTSUPP;
3a0259bb 2989 goto done;
eb492e01
AB		 2990 }
2991
3a0259bb 2992done:
9b7b18ef
JH		 2993 if (!err) {
2994 if (reason)
2995 smp_failure(conn, reason);
8ae9b984 2996 kfree_skb(skb);
9b7b18ef
JH		 2997 }
2998
eb492e01 2999 return err;
b28b4943
JH		 3000
3001drop:
2064ee33
MH		 3002 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3003 code, &hcon->dst);
b28b4943
JH		 3004 kfree_skb(skb);
3005 return 0;
eb492e01 3006}
7034b911 3007
70db83c4
JH		 3008static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3009{
3010 struct l2cap_conn *conn = chan->conn;
3011
3012 BT_DBG("chan %p", chan);
3013
fc75cc86 3014 if (chan->data)
5d88cc73 3015 smp_chan_destroy(conn);
5d88cc73 3016
70db83c4
JH		 3017 conn->smp = NULL;
3018 l2cap_chan_put(chan);
3019}
3020
b5ae344d
JH		 3021static void bredr_pairing(struct l2cap_chan *chan)
3022{
3023 struct l2cap_conn *conn = chan->conn;
3024 struct hci_conn *hcon = conn->hcon;
3025 struct hci_dev *hdev = hcon->hdev;
3026 struct smp_cmd_pairing req;
3027 struct smp_chan *smp;
3028
3029 BT_DBG("chan %p", chan);
3030
3031 /* Only new pairings are interesting */
3032 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3033 return;
3034
3035 /* Don't bother if we're not encrypted */
3036 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3037 return;
3038
3039 /* Only master may initiate SMP over BR/EDR */
3040 if (hcon->role != HCI_ROLE_MASTER)
3041 return;
3042
3043 /* Secure Connections support must be enabled */
d7a5a11d 3044 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
b5ae344d
JH		 3045 return;
3046
3047 /* BR/EDR must use Secure Connections for SMP */
3048 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
b7cb93e5 3049 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
b5ae344d
JH		 3050 return;
3051
3052 /* If our LE support is not enabled don't do anything */
d7a5a11d 3053 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
b5ae344d
JH		 3054 return;
3055
3056 /* Don't bother if remote LE support is not enabled */
3057 if (!lmp_host_le_capable(hcon))
3058 return;
3059
3060 /* Remote must support SMP fixed chan for BR/EDR */
3061 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3062 return;
3063
3064 /* Don't bother if SMP is already ongoing */
3065 if (chan->data)
3066 return;
3067
3068 smp = smp_chan_create(conn);
3069 if (!smp) {
2064ee33 3070 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
b5ae344d
JH		 3071 return;
3072 }
3073
3074 set_bit(SMP_FLAG_SC, &smp->flags);
3075
3076 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3077
3078 /* Prepare and send the BR/EDR SMP Pairing Request */
3079 build_bredr_pairing_cmd(smp, &req, NULL);
3080
3081 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3082 memcpy(&smp->preq[1], &req, sizeof(req));
3083
3084 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3085 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3086}
3087
44f1a7ab
JH		 3088static void smp_resume_cb(struct l2cap_chan *chan)
3089{
b68fda68 3090 struct smp_chan *smp = chan->data;
44f1a7ab
JH		 3091 struct l2cap_conn *conn = chan->conn;
3092 struct hci_conn *hcon = conn->hcon;
3093
3094 BT_DBG("chan %p", chan);
3095
b5ae344d
JH		 3096 if (hcon->type == ACL_LINK) {
3097 bredr_pairing(chan);
ef8efe4b 3098 return;
b5ae344d 3099 }
ef8efe4b 3100
86d1407c
JH		 3101 if (!smp)
3102 return;
b68fda68 3103
84bc0db5
JH		 3104 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3105 return;
3106
86d1407c
JH		 3107 cancel_delayed_work(&smp->security_timer);
3108
d6268e86 3109 smp_distribute_keys(smp);
44f1a7ab
JH		 3110}
3111
70db83c4
JH		 3112static void smp_ready_cb(struct l2cap_chan *chan)
3113{
3114 struct l2cap_conn *conn = chan->conn;
b5ae344d 3115 struct hci_conn *hcon = conn->hcon;
70db83c4
JH		 3116
3117 BT_DBG("chan %p", chan);
3118
7883746b
JH		 3119 /* No need to call l2cap_chan_hold() here since we already own
3120 * the reference taken in smp_new_conn_cb(). This is just the
3121 * first time that we tie it to a specific pointer. The code in
3122 * l2cap_core.c ensures that there's no risk this function wont
3123 * get called if smp_new_conn_cb was previously called.
3124 */
70db83c4 3125 conn->smp = chan;
b5ae344d
JH		 3126
3127 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3128 bredr_pairing(chan);
70db83c4
JH		 3129}
3130
4befb867
JH		 3131static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3132{
3133 int err;
3134
3135 BT_DBG("chan %p", chan);
3136
3137 err = smp_sig_channel(chan, skb);
3138 if (err) {
b68fda68 3139 struct smp_chan *smp = chan->data;
4befb867 3140
b68fda68
JH		 3141 if (smp)
3142 cancel_delayed_work_sync(&smp->security_timer);
4befb867 3143
1e91c29e 3144 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
4befb867
JH		 3145 }
3146
3147 return err;
3148}
3149
70db83c4
JH		 3150static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3151 unsigned long hdr_len,
3152 unsigned long len, int nb)
3153{
3154 struct sk_buff *skb;
3155
3156 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3157 if (!skb)
3158 return ERR_PTR(-ENOMEM);
3159
3160 skb->priority = HCI_PRIO_MAX;
a4368ff3 3161 bt_cb(skb)->l2cap.chan = chan;
70db83c4
JH		 3162
3163 return skb;
3164}
3165
3166static const struct l2cap_ops smp_chan_ops = {
3167 .name = "Security Manager",
3168 .ready = smp_ready_cb,
5d88cc73 3169 .recv = smp_recv_cb,
70db83c4
JH		 3170 .alloc_skb = smp_alloc_skb_cb,
3171 .teardown = smp_teardown_cb,
44f1a7ab 3172 .resume = smp_resume_cb,
70db83c4
JH		 3173
3174 .new_connection = l2cap_chan_no_new_connection,
70db83c4
JH		 3175 .state_change = l2cap_chan_no_state_change,
3176 .close = l2cap_chan_no_close,
3177 .defer = l2cap_chan_no_defer,
3178 .suspend = l2cap_chan_no_suspend,
70db83c4
JH		 3179 .set_shutdown = l2cap_chan_no_set_shutdown,
3180 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 3181};
3182
3183static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3184{
3185 struct l2cap_chan *chan;
3186
3187 BT_DBG("pchan %p", pchan);
3188
3189 chan = l2cap_chan_create();
3190 if (!chan)
3191 return NULL;
3192
3193 chan->chan_type = pchan->chan_type;
3194 chan->ops = &smp_chan_ops;
3195 chan->scid = pchan->scid;
3196 chan->dcid = chan->scid;
3197 chan->imtu = pchan->imtu;
3198 chan->omtu = pchan->omtu;
3199 chan->mode = pchan->mode;
3200
abe84903
JH		 3201 /* Other L2CAP channels may request SMP routines in order to
3202 * change the security level. This means that the SMP channel
3203 * lock must be considered in its own category to avoid lockdep
3204 * warnings.
3205 */
3206 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3207
70db83c4
JH		 3208 BT_DBG("created chan %p", chan);
3209
3210 return chan;
3211}
3212
3213static const struct l2cap_ops smp_root_chan_ops = {
3214 .name = "Security Manager Root",
3215 .new_connection = smp_new_conn_cb,
3216
3217 /* None of these are implemented for the root channel */
3218 .close = l2cap_chan_no_close,
3219 .alloc_skb = l2cap_chan_no_alloc_skb,
3220 .recv = l2cap_chan_no_recv,
3221 .state_change = l2cap_chan_no_state_change,
3222 .teardown = l2cap_chan_no_teardown,
3223 .ready = l2cap_chan_no_ready,
3224 .defer = l2cap_chan_no_defer,
3225 .suspend = l2cap_chan_no_suspend,
3226 .resume = l2cap_chan_no_resume,
3227 .set_shutdown = l2cap_chan_no_set_shutdown,
3228 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 3229};
3230
ef8efe4b 3231static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
711eafe3 3232{
70db83c4 3233 struct l2cap_chan *chan;
88a479d9 3234 struct smp_dev *smp;
a4770e11 3235 struct crypto_cipher *tfm_aes;
71af2f6b 3236 struct crypto_shash *tfm_cmac;
47eb2ac8 3237 struct crypto_kpp *tfm_ecdh;
70db83c4 3238
ef8efe4b 3239 if (cid == L2CAP_CID_SMP_BREDR) {
88a479d9 3240 smp = NULL;
ef8efe4b
JH		 3241 goto create_chan;
3242 }
711eafe3 3243
88a479d9
MH		 3244 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3245 if (!smp)
3246 return ERR_PTR(-ENOMEM);
3247
1ad0f160 3248 tfm_aes = crypto_alloc_cipher("aes", 0, 0);
defce9e8 3249 if (IS_ERR(tfm_aes)) {
a4770e11 3250 BT_ERR("Unable to create AES crypto context");
88a479d9 3251 kzfree(smp);
fe700771 3252 return ERR_CAST(tfm_aes);
711eafe3
JH		 3253 }
3254
71af2f6b 3255 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
6e2dc6d1
MH		 3256 if (IS_ERR(tfm_cmac)) {
3257 BT_ERR("Unable to create CMAC crypto context");
a4770e11 3258 crypto_free_cipher(tfm_aes);
6e2dc6d1
MH		 3259 kzfree(smp);
3260 return ERR_CAST(tfm_cmac);
3261 }
3262
47eb2ac8
TA		 3263 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3264 if (IS_ERR(tfm_ecdh)) {
3265 BT_ERR("Unable to create ECDH crypto context");
3266 crypto_free_shash(tfm_cmac);
3267 crypto_free_cipher(tfm_aes);
3268 kzfree(smp);
3269 return ERR_CAST(tfm_ecdh);
3270 }
3271
94f14e47 3272 smp->local_oob = false;
88a479d9 3273 smp->tfm_aes = tfm_aes;
6e2dc6d1 3274 smp->tfm_cmac = tfm_cmac;
47eb2ac8 3275 smp->tfm_ecdh = tfm_ecdh;
88a479d9 3276
ef8efe4b 3277create_chan:
70db83c4
JH		 3278 chan = l2cap_chan_create();
3279 if (!chan) {
63511f6d 3280 if (smp) {
a4770e11 3281 crypto_free_cipher(smp->tfm_aes);
71af2f6b 3282 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 3283 crypto_free_kpp(smp->tfm_ecdh);
63511f6d
MH		 3284 kzfree(smp);
3285 }
ef8efe4b 3286 return ERR_PTR(-ENOMEM);
70db83c4
JH		 3287 }
3288
88a479d9 3289 chan->data = smp;
defce9e8 3290
ef8efe4b 3291 l2cap_add_scid(chan, cid);
70db83c4
JH		 3292
3293 l2cap_chan_set_defaults(chan);
3294
157029ba 3295 if (cid == L2CAP_CID_SMP) {
39e3e744
JH		 3296 u8 bdaddr_type;
3297
3298 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3299
3300 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
157029ba 3301 chan->src_type = BDADDR_LE_PUBLIC;
39e3e744
JH		 3302 else
3303 chan->src_type = BDADDR_LE_RANDOM;
157029ba
MH		 3304 } else {
3305 bacpy(&chan->src, &hdev->bdaddr);
ef8efe4b 3306 chan->src_type = BDADDR_BREDR;
157029ba
MH		 3307 }
3308
70db83c4
JH		 3309 chan->state = BT_LISTEN;
3310 chan->mode = L2CAP_MODE_BASIC;
3311 chan->imtu = L2CAP_DEFAULT_MTU;
3312 chan->ops = &smp_root_chan_ops;
3313
abe84903
JH		 3314 /* Set correct nesting level for a parent/listening channel */
3315 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3316
ef8efe4b 3317 return chan;
711eafe3
JH		 3318}
3319
ef8efe4b 3320static void smp_del_chan(struct l2cap_chan *chan)
711eafe3 3321{
88a479d9 3322 struct smp_dev *smp;
70db83c4 3323
ef8efe4b 3324 BT_DBG("chan %p", chan);
711eafe3 3325
88a479d9
MH		 3326 smp = chan->data;
3327 if (smp) {
defce9e8 3328 chan->data = NULL;
a4770e11 3329 crypto_free_cipher(smp->tfm_aes);
71af2f6b 3330 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 3331 crypto_free_kpp(smp->tfm_ecdh);
88a479d9 3332 kzfree(smp);
711eafe3 3333 }
70db83c4 3334
70db83c4 3335 l2cap_chan_put(chan);
711eafe3 3336}
ef8efe4b 3337
300acfde
MH		 3338static ssize_t force_bredr_smp_read(struct file *file,
3339 char __user *user_buf,
3340 size_t count, loff_t *ppos)
3341{
3342 struct hci_dev *hdev = file->private_data;
3343 char buf[3];
3344
b7cb93e5 3345 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
300acfde
MH		 3346 buf[1] = '\n';
3347 buf[2] = '\0';
3348 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3349}
3350
3351static ssize_t force_bredr_smp_write(struct file *file,
3352 const char __user *user_buf,
3353 size_t count, loff_t *ppos)
3354{
3355 struct hci_dev *hdev = file->private_data;
300acfde 3356 bool enable;
3bf5e97d 3357 int err;
300acfde 3358
3bf5e97d
AS		 3359 err = kstrtobool_from_user(user_buf, count, &enable);
3360 if (err)
3361 return err;
300acfde 3362
b7cb93e5 3363 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
300acfde
MH		 3364 return -EALREADY;
3365
3366 if (enable) {
3367 struct l2cap_chan *chan;
3368
3369 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3370 if (IS_ERR(chan))
3371 return PTR_ERR(chan);
3372
3373 hdev->smp_bredr_data = chan;
3374 } else {
3375 struct l2cap_chan *chan;
3376
3377 chan = hdev->smp_bredr_data;
3378 hdev->smp_bredr_data = NULL;
3379 smp_del_chan(chan);
3380 }
3381
b7cb93e5 3382 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
300acfde
MH		 3383
3384 return count;
3385}
3386
3387static const struct file_operations force_bredr_smp_fops = {
3388 .open = simple_open,
3389 .read = force_bredr_smp_read,
3390 .write = force_bredr_smp_write,
3391 .llseek = default_llseek,
3392};
3393
b1f663c9
JH		 3394static ssize_t le_min_key_size_read(struct file *file,
3395 char __user *user_buf,
3396 size_t count, loff_t *ppos)
3397{
3398 struct hci_dev *hdev = file->private_data;
3399 char buf[4];
3400
30d65e08 3401 snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
b1f663c9
JH		 3402
3403 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3404}
3405
3406static ssize_t le_min_key_size_write(struct file *file,
3407 const char __user *user_buf,
3408 size_t count, loff_t *ppos)
3409{
3410 struct hci_dev *hdev = file->private_data;
3411 char buf[32];
3412 size_t buf_size = min(count, (sizeof(buf) - 1));
3413 u8 key_size;
3414
3415 if (copy_from_user(buf, user_buf, buf_size))
3416 return -EFAULT;
3417
3418 buf[buf_size] = '\0';
3419
3420 sscanf(buf, "%hhu", &key_size);
3421
30d65e08 3422 if (key_size > hdev->le_max_key_size ||
b1f663c9
JH		 3423 key_size < SMP_MIN_ENC_KEY_SIZE)
3424 return -EINVAL;
3425
30d65e08 3426 hdev->le_min_key_size = key_size;
b1f663c9
JH		 3427
3428 return count;
3429}
3430
3431static const struct file_operations le_min_key_size_fops = {
3432 .open = simple_open,
3433 .read = le_min_key_size_read,
3434 .write = le_min_key_size_write,
3435 .llseek = default_llseek,
3436};
3437
2fd36558
JH		 3438static ssize_t le_max_key_size_read(struct file *file,
3439 char __user *user_buf,
3440 size_t count, loff_t *ppos)
3441{
3442 struct hci_dev *hdev = file->private_data;
3443 char buf[4];
3444
30d65e08 3445 snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
2fd36558
JH		 3446
3447 return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3448}
3449
3450static ssize_t le_max_key_size_write(struct file *file,
3451 const char __user *user_buf,
3452 size_t count, loff_t *ppos)
3453{
3454 struct hci_dev *hdev = file->private_data;
3455 char buf[32];
3456 size_t buf_size = min(count, (sizeof(buf) - 1));
3457 u8 key_size;
3458
3459 if (copy_from_user(buf, user_buf, buf_size))
3460 return -EFAULT;
3461
3462 buf[buf_size] = '\0';
3463
3464 sscanf(buf, "%hhu", &key_size);
3465
b1f663c9 3466 if (key_size > SMP_MAX_ENC_KEY_SIZE ||
30d65e08 3467 key_size < hdev->le_min_key_size)
2fd36558
JH		 3468 return -EINVAL;
3469
30d65e08 3470 hdev->le_max_key_size = key_size;
2fd36558
JH		 3471
3472 return count;
3473}
3474
3475static const struct file_operations le_max_key_size_fops = {
3476 .open = simple_open,
3477 .read = le_max_key_size_read,
3478 .write = le_max_key_size_write,
3479 .llseek = default_llseek,
3480};
3481
ef8efe4b
JH		 3482int smp_register(struct hci_dev *hdev)
3483{
3484 struct l2cap_chan *chan;
3485
3486 BT_DBG("%s", hdev->name);
3487
7e7ec445
MH		 3488 /* If the controller does not support Low Energy operation, then
3489 * there is also no need to register any SMP channel.
3490 */
3491 if (!lmp_le_capable(hdev))
3492 return 0;
3493
2b8df323
MH		 3494 if (WARN_ON(hdev->smp_data)) {
3495 chan = hdev->smp_data;
3496 hdev->smp_data = NULL;
3497 smp_del_chan(chan);
3498 }
3499
ef8efe4b
JH		 3500 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3501 if (IS_ERR(chan))
3502 return PTR_ERR(chan);
3503
3504 hdev->smp_data = chan;
3505
b1f663c9
JH		 3506 debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3507 &le_min_key_size_fops);
2fd36558
JH		 3508 debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3509 &le_max_key_size_fops);
3510
300acfde
MH		 3511 /* If the controller does not support BR/EDR Secure Connections
3512 * feature, then the BR/EDR SMP channel shall not be present.
3513 *
3514 * To test this with Bluetooth 4.0 controllers, create a debugfs
3515 * switch that allows forcing BR/EDR SMP support and accepting
3516 * cross-transport pairing on non-AES encrypted connections.
3517 */
3518 if (!lmp_sc_capable(hdev)) {
3519 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3520 hdev, &force_bredr_smp_fops);
83ebb9ec
SJ		 3521
3522 /* Flag can be already set here (due to power toggle) */
3523 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3524 return 0;
300acfde 3525 }
ef8efe4b 3526
2b8df323
MH		 3527 if (WARN_ON(hdev->smp_bredr_data)) {
3528 chan = hdev->smp_bredr_data;
3529 hdev->smp_bredr_data = NULL;
3530 smp_del_chan(chan);
3531 }
3532
ef8efe4b
JH		 3533 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3534 if (IS_ERR(chan)) {
3535 int err = PTR_ERR(chan);
3536 chan = hdev->smp_data;
3537 hdev->smp_data = NULL;
3538 smp_del_chan(chan);
3539 return err;
3540 }
3541
3542 hdev->smp_bredr_data = chan;
3543
3544 return 0;
3545}
3546
3547void smp_unregister(struct hci_dev *hdev)
3548{
3549 struct l2cap_chan *chan;
3550
3551 if (hdev->smp_bredr_data) {
3552 chan = hdev->smp_bredr_data;
3553 hdev->smp_bredr_data = NULL;
3554 smp_del_chan(chan);
3555 }
3556
3557 if (hdev->smp_data) {
3558 chan = hdev->smp_data;
3559 hdev->smp_data = NULL;
3560 smp_del_chan(chan);
3561 }
3562}
0a2b0f04
JH		 3563
3564#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3565
47eb2ac8 3566static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
71653eb6 3567{
c0153b0b 3568 u8 pk[64];
a2976416 3569 int err;
71653eb6 3570
c0153b0b 3571 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
a2976416
TA		 3572 if (err)
3573 return err;
71653eb6 3574
c0153b0b
TA		 3575 err = generate_ecdh_public_key(tfm_ecdh, pk);
3576 if (err)
3577 return err;
71653eb6 3578
329d8230 3579 if (crypto_memneq(pk, debug_pk, 64))
71653eb6
MH		 3580 return -EINVAL;
3581
3582 return 0;
3583}
3584
a4770e11 3585static int __init test_ah(struct crypto_cipher *tfm_aes)
cfc4198e
JH		 3586{
3587 const u8 irk[16] = {
3588 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3589 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3590 const u8 r[3] = { 0x94, 0x81, 0x70 };
3591 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3592 u8 res[3];
3593 int err;
3594
3595 err = smp_ah(tfm_aes, irk, r, res);
3596 if (err)
3597 return err;
3598
329d8230 3599 if (crypto_memneq(res, exp, 3))
cfc4198e
JH		 3600 return -EINVAL;
3601
3602 return 0;
3603}
3604
a4770e11 3605static int __init test_c1(struct crypto_cipher *tfm_aes)
cfc4198e
JH		 3606{
3607 const u8 k[16] = {
3608 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3609 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3610 const u8 r[16] = {
3611 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3612 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3613 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3614 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3615 const u8 _iat = 0x01;
3616 const u8 _rat = 0x00;
3617 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3618 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3619 const u8 exp[16] = {
3620 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3621 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3622 u8 res[16];
3623 int err;
3624
3625 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3626 if (err)
3627 return err;
3628
329d8230 3629 if (crypto_memneq(res, exp, 16))
cfc4198e
JH		 3630 return -EINVAL;
3631
3632 return 0;
3633}
3634
a4770e11 3635static int __init test_s1(struct crypto_cipher *tfm_aes)
cfc4198e
JH		 3636{
3637 const u8 k[16] = {
3638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3640 const u8 r1[16] = {
3641 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3642 const u8 r2[16] = {
3643 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3644 const u8 exp[16] = {
3645 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3646 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3647 u8 res[16];
3648 int err;
3649
3650 err = smp_s1(tfm_aes, k, r1, r2, res);
3651 if (err)
3652 return err;
3653
329d8230 3654 if (crypto_memneq(res, exp, 16))
cfc4198e
JH		 3655 return -EINVAL;
3656
3657 return 0;
3658}
3659
71af2f6b 3660static int __init test_f4(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3661{
3662 const u8 u[32] = {
3663 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3664 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3665 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3666 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3667 const u8 v[32] = {
3668 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3669 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3670 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3671 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3672 const u8 x[16] = {
3673 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3674 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3675 const u8 z = 0x00;
3676 const u8 exp[16] = {
3677 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3678 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3679 u8 res[16];
3680 int err;
3681
3682 err = smp_f4(tfm_cmac, u, v, x, z, res);
3683 if (err)
3684 return err;
3685
329d8230 3686 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3687 return -EINVAL;
3688
3689 return 0;
3690}
3691
71af2f6b 3692static int __init test_f5(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3693{
3694 const u8 w[32] = {
3695 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3696 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3697 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3698 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3699 const u8 n1[16] = {
3700 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3701 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3702 const u8 n2[16] = {
3703 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3704 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3705 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3706 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3707 const u8 exp_ltk[16] = {
3708 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3709 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3710 const u8 exp_mackey[16] = {
3711 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3712 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3713 u8 mackey[16], ltk[16];
3714 int err;
3715
3716 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3717 if (err)
3718 return err;
3719
329d8230 3720 if (crypto_memneq(mackey, exp_mackey, 16))
fb2969a3
JH		 3721 return -EINVAL;
3722
329d8230 3723 if (crypto_memneq(ltk, exp_ltk, 16))
fb2969a3
JH		 3724 return -EINVAL;
3725
3726 return 0;
3727}
3728
71af2f6b 3729static int __init test_f6(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3730{
3731 const u8 w[16] = {
3732 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3733 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3734 const u8 n1[16] = {
3735 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3736 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3737 const u8 n2[16] = {
3738 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3739 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3740 const u8 r[16] = {
3741 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3742 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3743 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3744 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3745 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3746 const u8 exp[16] = {
3747 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3748 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3749 u8 res[16];
3750 int err;
3751
3752 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3753 if (err)
3754 return err;
3755
329d8230 3756 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3757 return -EINVAL;
3758
3759 return 0;
3760}
3761
71af2f6b 3762static int __init test_g2(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3763{
3764 const u8 u[32] = {
3765 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3766 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3767 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3768 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3769 const u8 v[32] = {
3770 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3771 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3772 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3773 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3774 const u8 x[16] = {
3775 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3776 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3777 const u8 y[16] = {
3778 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3779 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3780 const u32 exp_val = 0x2f9ed5ba % 1000000;
3781 u32 val;
3782 int err;
3783
3784 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3785 if (err)
3786 return err;
3787
3788 if (val != exp_val)
3789 return -EINVAL;
3790
3791 return 0;
3792}
3793
71af2f6b 3794static int __init test_h6(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3795{
3796 const u8 w[16] = {
3797 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3798 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3799 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3800 const u8 exp[16] = {
3801 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3802 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3803 u8 res[16];
3804 int err;
3805
3806 err = smp_h6(tfm_cmac, w, key_id, res);
3807 if (err)
3808 return err;
3809
329d8230 3810 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3811 return -EINVAL;
3812
3813 return 0;
3814}
3815
64dd374e
MH		 3816static char test_smp_buffer[32];
3817
3818static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3819 size_t count, loff_t *ppos)
3820{
3821 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3822 strlen(test_smp_buffer));
3823}
3824
3825static const struct file_operations test_smp_fops = {
3826 .open = simple_open,
3827 .read = test_smp_read,
3828 .llseek = default_llseek,
3829};
3830
a4770e11 3831static int __init run_selftests(struct crypto_cipher *tfm_aes,
47eb2ac8
TA		 3832 struct crypto_shash *tfm_cmac,
3833 struct crypto_kpp *tfm_ecdh)
0a2b0f04 3834{
255047b0
MH		 3835 ktime_t calltime, delta, rettime;
3836 unsigned long long duration;
cfc4198e
JH		 3837 int err;
3838
255047b0
MH		 3839 calltime = ktime_get();
3840
47eb2ac8 3841 err = test_debug_key(tfm_ecdh);
71653eb6
MH		 3842 if (err) {
3843 BT_ERR("debug_key test failed");
3844 goto done;
3845 }
3846
cfc4198e
JH		 3847 err = test_ah(tfm_aes);
3848 if (err) {
3849 BT_ERR("smp_ah test failed");
64dd374e 3850 goto done;
cfc4198e
JH		 3851 }
3852
3853 err = test_c1(tfm_aes);
3854 if (err) {
3855 BT_ERR("smp_c1 test failed");
64dd374e 3856 goto done;
cfc4198e
JH		 3857 }
3858
3859 err = test_s1(tfm_aes);
3860 if (err) {
3861 BT_ERR("smp_s1 test failed");
64dd374e 3862 goto done;
cfc4198e
JH		 3863 }
3864
fb2969a3
JH		 3865 err = test_f4(tfm_cmac);
3866 if (err) {
3867 BT_ERR("smp_f4 test failed");
64dd374e 3868 goto done;
fb2969a3
JH		 3869 }
3870
3871 err = test_f5(tfm_cmac);
3872 if (err) {
3873 BT_ERR("smp_f5 test failed");
64dd374e 3874 goto done;
fb2969a3
JH		 3875 }
3876
3877 err = test_f6(tfm_cmac);
3878 if (err) {
3879 BT_ERR("smp_f6 test failed");
64dd374e 3880 goto done;
fb2969a3
JH		 3881 }
3882
3883 err = test_g2(tfm_cmac);
3884 if (err) {
3885 BT_ERR("smp_g2 test failed");
64dd374e 3886 goto done;
fb2969a3
JH		 3887 }
3888
3889 err = test_h6(tfm_cmac);
3890 if (err) {
3891 BT_ERR("smp_h6 test failed");
64dd374e 3892 goto done;
fb2969a3
JH		 3893 }
3894
255047b0
MH		 3895 rettime = ktime_get();
3896 delta = ktime_sub(rettime, calltime);
3897 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3898
5ced2464 3899 BT_INFO("SMP test passed in %llu usecs", duration);
0a2b0f04 3900
64dd374e
MH		 3901done:
3902 if (!err)
3903 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3904 "PASS (%llu usecs)\n", duration);
3905 else
3906 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3907
3908 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3909 &test_smp_fops);
3910
3911 return err;
0a2b0f04
JH		 3912}
3913
3914int __init bt_selftest_smp(void)
3915{
a4770e11 3916 struct crypto_cipher *tfm_aes;
71af2f6b 3917 struct crypto_shash *tfm_cmac;
47eb2ac8 3918 struct crypto_kpp *tfm_ecdh;
0a2b0f04
JH		 3919 int err;
3920
1ad0f160 3921 tfm_aes = crypto_alloc_cipher("aes", 0, 0);
0a2b0f04 3922 if (IS_ERR(tfm_aes)) {
a4770e11 3923 BT_ERR("Unable to create AES crypto context");
0a2b0f04
JH		 3924 return PTR_ERR(tfm_aes);
3925 }
3926
3d234b33 3927 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
0a2b0f04
JH		 3928 if (IS_ERR(tfm_cmac)) {
3929 BT_ERR("Unable to create CMAC crypto context");
a4770e11 3930 crypto_free_cipher(tfm_aes);
0a2b0f04
JH		 3931 return PTR_ERR(tfm_cmac);
3932 }
3933
47eb2ac8
TA		 3934 tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3935 if (IS_ERR(tfm_ecdh)) {
3936 BT_ERR("Unable to create ECDH crypto context");
3937 crypto_free_shash(tfm_cmac);
3938 crypto_free_cipher(tfm_aes);
3939 return PTR_ERR(tfm_ecdh);
3940 }
3941
3942 err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
0a2b0f04 3943
71af2f6b 3944 crypto_free_shash(tfm_cmac);
a4770e11 3945 crypto_free_cipher(tfm_aes);
47eb2ac8 3946 crypto_free_kpp(tfm_ecdh);
0a2b0f04
JH		 3947
3948 return err;
3949}
3950
3951#endif
Linux 6.x block layer and io_uring tree(s)