projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: Fix LE SMP channel source address and source address type
[linux-2.6-block.git] / net / bluetooth / smp.c
CommitLineData
eb492e01
AB		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
300acfde 23#include <linux/debugfs.h>
8c520a59
GP		 24#include <linux/crypto.h>
25#include <linux/scatterlist.h>
26#include <crypto/b128ops.h>
27
eb492e01
AB		 28#include <net/bluetooth/bluetooth.h>
29#include <net/bluetooth/hci_core.h>
30#include <net/bluetooth/l2cap.h>
2b64d153 31#include <net/bluetooth/mgmt.h>
ac4b7236 32
3b19146d 33#include "ecc.h"
ac4b7236 34#include "smp.h"
d22ef0bc 35
c7a3d57d
JH		 36/* Low-level debug macros to be used for stuff that we don't want
37 * accidentially in dmesg, i.e. the values of the various crypto keys
38 * and the inputs & outputs of crypto functions.
39 */
40#ifdef DEBUG
41#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
42 ##__VA_ARGS__)
43#else
44#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
45 ##__VA_ARGS__)
46#endif
47
b28b4943 48#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
b28b4943 49
3b19146d
JH		 50/* Keys which are not distributed with Secure Connections */
51#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
52
17b02e62 53#define SMP_TIMEOUT msecs_to_jiffies(30000)
5d3de7df 54
0edb14de
JH		 55#define AUTH_REQ_MASK(dev) (test_bit(HCI_SC_ENABLED, &(dev)->dev_flags) ? \
56 0x1f : 0x07)
57#define KEY_DIST_MASK 0x07
065a13e2 58
cbbbe3e2
JH		 59/* Maximum message length that can be passed to aes_cmac */
60#define CMAC_MSG_MAX 80
61
533e35d4
JH		 62enum {
63 SMP_FLAG_TK_VALID,
64 SMP_FLAG_CFM_PENDING,
65 SMP_FLAG_MITM_AUTH,
66 SMP_FLAG_COMPLETE,
67 SMP_FLAG_INITIATOR,
65668776 68 SMP_FLAG_SC,
d8f8edbe 69 SMP_FLAG_REMOTE_PK,
aeb7d461 70 SMP_FLAG_DEBUG_KEY,
38606f14 71 SMP_FLAG_WAIT_USER,
d3e54a87 72 SMP_FLAG_DHKEY_PENDING,
02b05bd8 73 SMP_FLAG_OOB,
533e35d4 74};
4bc58f51
JH		 75
76struct smp_chan {
b68fda68
JH		 77 struct l2cap_conn *conn;
78 struct delayed_work security_timer;
b28b4943 79 unsigned long allow_cmd; /* Bitmask of allowed commands */
b68fda68 80
4bc58f51
JH		 81 u8 preq[7]; /* SMP Pairing Request */
82 u8 prsp[7]; /* SMP Pairing Response */
83 u8 prnd[16]; /* SMP Pairing Random (local) */
84 u8 rrnd[16]; /* SMP Pairing Random (remote) */
85 u8 pcnf[16]; /* SMP Pairing Confirm */
86 u8 tk[16]; /* SMP Temporary Key */
a29b0733 87 u8 rr[16];
4bc58f51
JH		 88 u8 enc_key_size;
89 u8 remote_key_dist;
90 bdaddr_t id_addr;
91 u8 id_addr_type;
92 u8 irk[16];
93 struct smp_csrk *csrk;
94 struct smp_csrk *slave_csrk;
95 struct smp_ltk *ltk;
96 struct smp_ltk *slave_ltk;
97 struct smp_irk *remote_irk;
6a77083a 98 u8 *link_key;
4a74d658 99 unsigned long flags;
783e0574 100 u8 method;
38606f14 101 u8 passkey_round;
6a7bd103 102
3b19146d
JH		 103 /* Secure Connections variables */
104 u8 local_pk[64];
105 u8 local_sk[32];
d8f8edbe
JH		 106 u8 remote_pk[64];
107 u8 dhkey[32];
760b018b 108 u8 mackey[16];
3b19146d 109
6a7bd103 110 struct crypto_blkcipher *tfm_aes;
407cecf6 111 struct crypto_hash *tfm_cmac;
4bc58f51
JH		 112};
113
aeb7d461
JH		 114/* These debug key values are defined in the SMP section of the core
115 * specification. debug_pk is the public debug key and debug_sk the
116 * private debug key.
117 */
118static const u8 debug_pk[64] = {
119 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
120 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
121 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
122 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
123
124 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
125 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
126 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
127 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
128};
129
130static const u8 debug_sk[32] = {
131 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
132 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
133 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
134 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
135};
136
8a2936f4 137static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
d22ef0bc 138{
8a2936f4 139 size_t i;
d22ef0bc 140
8a2936f4
JH		 141 for (i = 0; i < len; i++)
142 dst[len - 1 - i] = src[i];
d22ef0bc
AB		 143}
144
06edf8de
JH		 145/* The following functions map to the LE SC SMP crypto functions
146 * AES-CMAC, f4, f5, f6, g2 and h6.
147 */
148
cbbbe3e2
JH		 149static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
150 size_t len, u8 mac[16])
151{
152 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
153 struct hash_desc desc;
154 struct scatterlist sg;
155 int err;
156
157 if (len > CMAC_MSG_MAX)
158 return -EFBIG;
159
160 if (!tfm) {
161 BT_ERR("tfm %p", tfm);
162 return -EINVAL;
163 }
164
165 desc.tfm = tfm;
166 desc.flags = 0;
167
168 crypto_hash_init(&desc);
169
170 /* Swap key and message from LSB to MSB */
171 swap_buf(k, tmp, 16);
172 swap_buf(m, msg_msb, len);
173
c7a3d57d
JH		 174 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
175 SMP_DBG("key %16phN", k);
cbbbe3e2
JH		 176
177 err = crypto_hash_setkey(tfm, tmp, 16);
178 if (err) {
179 BT_ERR("cipher setkey failed: %d", err);
180 return err;
181 }
182
183 sg_init_one(&sg, msg_msb, len);
184
185 err = crypto_hash_update(&desc, &sg, len);
186 if (err) {
187 BT_ERR("Hash update error %d", err);
188 return err;
189 }
190
191 err = crypto_hash_final(&desc, mac_msb);
192 if (err) {
193 BT_ERR("Hash final error %d", err);
194 return err;
195 }
196
197 swap_buf(mac_msb, mac, 16);
198
c7a3d57d 199 SMP_DBG("mac %16phN", mac);
cbbbe3e2
JH		 200
201 return 0;
202}
203
204static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
205 const u8 x[16], u8 z, u8 res[16])
206{
207 u8 m[65];
208 int err;
209
c7a3d57d
JH		 210 SMP_DBG("u %32phN", u);
211 SMP_DBG("v %32phN", v);
212 SMP_DBG("x %16phN z %02x", x, z);
cbbbe3e2
JH		 213
214 m[0] = z;
215 memcpy(m + 1, v, 32);
216 memcpy(m + 33, u, 32);
217
218 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
219 if (err)
220 return err;
221
c7a3d57d 222 SMP_DBG("res %16phN", res);
cbbbe3e2
JH		 223
224 return err;
225}
226
4da50de8
JH		 227static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
228 const u8 n1[16], const u8 n2[16], const u8 a1[7],
229 const u8 a2[7], u8 mackey[16], u8 ltk[16])
760b018b
JH		 230{
231 /* The btle, salt and length "magic" values are as defined in
232 * the SMP section of the Bluetooth core specification. In ASCII
233 * the btle value ends up being 'btle'. The salt is just a
234 * random number whereas length is the value 256 in little
235 * endian format.
236 */
237 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
238 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
239 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
240 const u8 length[2] = { 0x00, 0x01 };
241 u8 m[53], t[16];
242 int err;
243
c7a3d57d
JH		 244 SMP_DBG("w %32phN", w);
245 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
246 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
760b018b
JH		 247
248 err = aes_cmac(tfm_cmac, salt, w, 32, t);
249 if (err)
250 return err;
251
c7a3d57d 252 SMP_DBG("t %16phN", t);
760b018b
JH		 253
254 memcpy(m, length, 2);
255 memcpy(m + 2, a2, 7);
256 memcpy(m + 9, a1, 7);
257 memcpy(m + 16, n2, 16);
258 memcpy(m + 32, n1, 16);
259 memcpy(m + 48, btle, 4);
260
261 m[52] = 0; /* Counter */
262
263 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
264 if (err)
265 return err;
266
c7a3d57d 267 SMP_DBG("mackey %16phN", mackey);
760b018b
JH		 268
269 m[52] = 1; /* Counter */
270
271 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
272 if (err)
273 return err;
274
c7a3d57d 275 SMP_DBG("ltk %16phN", ltk);
760b018b
JH		 276
277 return 0;
278}
279
280static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
4da50de8 281 const u8 n1[16], const u8 n2[16], const u8 r[16],
760b018b
JH		 282 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
283 u8 res[16])
284{
285 u8 m[65];
286 int err;
287
c7a3d57d
JH		 288 SMP_DBG("w %16phN", w);
289 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
290 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
760b018b
JH		 291
292 memcpy(m, a2, 7);
293 memcpy(m + 7, a1, 7);
294 memcpy(m + 14, io_cap, 3);
295 memcpy(m + 17, r, 16);
296 memcpy(m + 33, n2, 16);
297 memcpy(m + 49, n1, 16);
298
299 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
300 if (err)
301 return err;
302
203de21b 303 SMP_DBG("res %16phN", res);
760b018b
JH		 304
305 return err;
306}
307
191dc7fe
JH		 308static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
309 const u8 x[16], const u8 y[16], u32 *val)
310{
311 u8 m[80], tmp[16];
312 int err;
313
c7a3d57d
JH		 314 SMP_DBG("u %32phN", u);
315 SMP_DBG("v %32phN", v);
316 SMP_DBG("x %16phN y %16phN", x, y);
191dc7fe
JH		 317
318 memcpy(m, y, 16);
319 memcpy(m + 16, v, 32);
320 memcpy(m + 48, u, 32);
321
322 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
323 if (err)
324 return err;
325
326 *val = get_unaligned_le32(tmp);
327 *val %= 1000000;
328
c7a3d57d 329 SMP_DBG("val %06u", *val);
191dc7fe
JH		 330
331 return 0;
332}
333
06edf8de
JH		 334static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
335 const u8 key_id[4], u8 res[16])
336{
337 int err;
338
339 SMP_DBG("w %16phN key_id %4phN", w, key_id);
340
341 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
342 if (err)
343 return err;
344
345 SMP_DBG("res %16phN", res);
346
347 return err;
348}
349
350/* The following functions map to the legacy SMP crypto functions e, c1,
351 * s1 and ah.
352 */
353
d22ef0bc
AB		 354static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
355{
356 struct blkcipher_desc desc;
357 struct scatterlist sg;
943a732a 358 uint8_t tmp[16], data[16];
201a5929 359 int err;
d22ef0bc 360
7f376cd6 361 if (!tfm) {
d22ef0bc
AB		 362 BT_ERR("tfm %p", tfm);
363 return -EINVAL;
364 }
365
366 desc.tfm = tfm;
367 desc.flags = 0;
368
943a732a 369 /* The most significant octet of key corresponds to k[0] */
8a2936f4 370 swap_buf(k, tmp, 16);
943a732a
JH		 371
372 err = crypto_blkcipher_setkey(tfm, tmp, 16);
d22ef0bc
AB		 373 if (err) {
374 BT_ERR("cipher setkey failed: %d", err);
375 return err;
376 }
377
943a732a 378 /* Most significant octet of plaintextData corresponds to data[0] */
8a2936f4 379 swap_buf(r, data, 16);
943a732a
JH		 380
381 sg_init_one(&sg, data, 16);
d22ef0bc 382
d22ef0bc
AB		 383 err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
384 if (err)
385 BT_ERR("Encrypt data error %d", err);
386
943a732a 387 /* Most significant octet of encryptedData corresponds to data[0] */
8a2936f4 388 swap_buf(data, r, 16);
943a732a 389
d22ef0bc
AB		 390 return err;
391}
392
06edf8de
JH		 393static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
394 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
395 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
6a77083a 396{
06edf8de 397 u8 p1[16], p2[16];
6a77083a
JH		 398 int err;
399
06edf8de 400 memset(p1, 0, 16);
6a77083a 401
06edf8de
JH		 402 /* p1 = pres || preq || _rat || _iat */
403 p1[0] = _iat;
404 p1[1] = _rat;
405 memcpy(p1 + 2, preq, 7);
406 memcpy(p1 + 9, pres, 7);
407
408 /* p2 = padding || ia || ra */
409 memcpy(p2, ra, 6);
410 memcpy(p2 + 6, ia, 6);
411 memset(p2 + 12, 0, 4);
412
413 /* res = r XOR p1 */
414 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
415
416 /* res = e(k, res) */
417 err = smp_e(tfm_aes, k, res);
418 if (err) {
419 BT_ERR("Encrypt data error");
6a77083a 420 return err;
06edf8de 421 }
6a77083a 422
06edf8de
JH		 423 /* res = res XOR p2 */
424 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
425
426 /* res = e(k, res) */
427 err = smp_e(tfm_aes, k, res);
428 if (err)
429 BT_ERR("Encrypt data error");
430
431 return err;
432}
433
434static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
435 const u8 r1[16], const u8 r2[16], u8 _r[16])
436{
437 int err;
438
439 /* Just least significant octets from r1 and r2 are considered */
440 memcpy(_r, r2, 8);
441 memcpy(_r + 8, r1, 8);
442
443 err = smp_e(tfm_aes, k, _r);
444 if (err)
445 BT_ERR("Encrypt data error");
6a77083a
JH		 446
447 return err;
448}
449
cd082797
JH		 450static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
451 const u8 r[3], u8 res[3])
60478054 452{
943a732a 453 u8 _res[16];
60478054
JH		 454 int err;
455
456 /* r' = padding || r */
943a732a
JH		 457 memcpy(_res, r, 3);
458 memset(_res + 3, 0, 13);
60478054 459
943a732a 460 err = smp_e(tfm, irk, _res);
60478054
JH		 461 if (err) {
462 BT_ERR("Encrypt error");
463 return err;
464 }
465
466 /* The output of the random address function ah is:
467 * ah(h, r) = e(k, r') mod 2^24
468 * The output of the security function e is then truncated to 24 bits
469 * by taking the least significant 24 bits of the output of e as the
470 * result of ah.
471 */
943a732a 472 memcpy(res, _res, 3);
60478054
JH		 473
474 return 0;
475}
476
cd082797
JH		 477bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
478 const bdaddr_t *bdaddr)
60478054 479{
defce9e8
JH		 480 struct l2cap_chan *chan = hdev->smp_data;
481 struct crypto_blkcipher *tfm;
60478054
JH		 482 u8 hash[3];
483 int err;
484
defce9e8
JH		 485 if (!chan || !chan->data)
486 return false;
487
488 tfm = chan->data;
489
60478054
JH		 490 BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
491
492 err = smp_ah(tfm, irk, &bdaddr->b[3], hash);
493 if (err)
494 return false;
495
496 return !memcmp(bdaddr->b, hash, 3);
497}
498
cd082797 499int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
b1e2b3ae 500{
defce9e8
JH		 501 struct l2cap_chan *chan = hdev->smp_data;
502 struct crypto_blkcipher *tfm;
b1e2b3ae
JH		 503 int err;
504
defce9e8
JH		 505 if (!chan || !chan->data)
506 return -EOPNOTSUPP;
507
508 tfm = chan->data;
509
b1e2b3ae
JH		 510 get_random_bytes(&rpa->b[3], 3);
511
512 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
513 rpa->b[5] |= 0x40; /* Set second most significant bit */
514
515 err = smp_ah(tfm, irk, &rpa->b[3], rpa->b);
516 if (err < 0)
517 return err;
518
519 BT_DBG("RPA %pMR", rpa);
520
521 return 0;
522}
523
5d88cc73 524static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
eb492e01 525{
5d88cc73 526 struct l2cap_chan *chan = conn->smp;
b68fda68 527 struct smp_chan *smp;
5d88cc73
JH		 528 struct kvec iv[2];
529 struct msghdr msg;
eb492e01 530
5d88cc73
JH		 531 if (!chan)
532 return;
eb492e01 533
5d88cc73 534 BT_DBG("code 0x%2.2x", code);
eb492e01 535
5d88cc73
JH		 536 iv[0].iov_base = &code;
537 iv[0].iov_len = 1;
eb492e01 538
5d88cc73
JH		 539 iv[1].iov_base = data;
540 iv[1].iov_len = len;
eb492e01 541
5d88cc73 542 memset(&msg, 0, sizeof(msg));
eb492e01 543
17836394 544 iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
eb492e01 545
5d88cc73 546 l2cap_chan_send(chan, &msg, 1 + len);
e2dcd113 547
b68fda68
JH		 548 if (!chan->data)
549 return;
550
551 smp = chan->data;
552
553 cancel_delayed_work_sync(&smp->security_timer);
1b0921d6 554 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
eb492e01
AB		 555}
556
d2eb9e10 557static u8 authreq_to_seclevel(u8 authreq)
2b64d153 558{
d2eb9e10
JH		 559 if (authreq & SMP_AUTH_MITM) {
560 if (authreq & SMP_AUTH_SC)
561 return BT_SECURITY_FIPS;
562 else
563 return BT_SECURITY_HIGH;
564 } else {
2b64d153 565 return BT_SECURITY_MEDIUM;
d2eb9e10 566 }
2b64d153
BG		 567}
568
569static __u8 seclevel_to_authreq(__u8 sec_level)
570{
571 switch (sec_level) {
d2eb9e10 572 case BT_SECURITY_FIPS:
2b64d153
BG		 573 case BT_SECURITY_HIGH:
574 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
575 case BT_SECURITY_MEDIUM:
576 return SMP_AUTH_BONDING;
577 default:
578 return SMP_AUTH_NONE;
579 }
580}
581
b8e66eac 582static void build_pairing_cmd(struct l2cap_conn *conn,
f1560463
MH		 583 struct smp_cmd_pairing *req,
584 struct smp_cmd_pairing *rsp, __u8 authreq)
b8e66eac 585{
5d88cc73
JH		 586 struct l2cap_chan *chan = conn->smp;
587 struct smp_chan *smp = chan->data;
fd349c02
JH		 588 struct hci_conn *hcon = conn->hcon;
589 struct hci_dev *hdev = hcon->hdev;
02b05bd8 590 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
54790f73 591
b6ae8457 592 if (test_bit(HCI_BONDABLE, &conn->hcon->hdev->dev_flags)) {
7ee4ea36
MH		 593 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
594 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
54790f73 595 authreq |= SMP_AUTH_BONDING;
2b64d153
BG		 596 } else {
597 authreq &= ~SMP_AUTH_BONDING;
54790f73
VCG		 598 }
599
fd349c02
JH		 600 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
601 remote_dist |= SMP_DIST_ID_KEY;
602
863efaf2
JH		 603 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
604 local_dist |= SMP_DIST_ID_KEY;
605
02b05bd8
JH		 606 if (test_bit(HCI_SC_ENABLED, &hdev->dev_flags) &&
607 (authreq & SMP_AUTH_SC)) {
608 struct oob_data *oob_data;
609 u8 bdaddr_type;
610
611 if (test_bit(HCI_SSP_ENABLED, &hdev->dev_flags)) {
df8e1a4c
JH		 612 local_dist |= SMP_DIST_LINK_KEY;
613 remote_dist |= SMP_DIST_LINK_KEY;
614 }
02b05bd8
JH		 615
616 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
617 bdaddr_type = BDADDR_LE_PUBLIC;
618 else
619 bdaddr_type = BDADDR_LE_RANDOM;
620
621 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
622 bdaddr_type);
623 if (oob_data) {
624 set_bit(SMP_FLAG_OOB, &smp->flags);
625 oob_flag = SMP_OOB_PRESENT;
a29b0733 626 memcpy(smp->rr, oob_data->rand256, 16);
02b05bd8
JH		 627 memcpy(smp->pcnf, oob_data->hash256, 16);
628 }
629
df8e1a4c
JH		 630 } else {
631 authreq &= ~SMP_AUTH_SC;
632 }
633
54790f73
VCG		 634 if (rsp == NULL) {
635 req->io_capability = conn->hcon->io_capability;
02b05bd8 636 req->oob_flag = oob_flag;
54790f73 637 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
fd349c02
JH		 638 req->init_key_dist = local_dist;
639 req->resp_key_dist = remote_dist;
0edb14de 640 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 641
642 smp->remote_key_dist = remote_dist;
54790f73
VCG		 643 return;
644 }
645
646 rsp->io_capability = conn->hcon->io_capability;
02b05bd8 647 rsp->oob_flag = oob_flag;
54790f73 648 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
fd349c02
JH		 649 rsp->init_key_dist = req->init_key_dist & remote_dist;
650 rsp->resp_key_dist = req->resp_key_dist & local_dist;
0edb14de 651 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 652
653 smp->remote_key_dist = rsp->init_key_dist;
b8e66eac
VCG		 654}
655
3158c50c
VCG		 656static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
657{
5d88cc73
JH		 658 struct l2cap_chan *chan = conn->smp;
659 struct smp_chan *smp = chan->data;
1c1def09 660
3158c50c 661 if ((max_key_size > SMP_MAX_ENC_KEY_SIZE) ||
f1560463 662 (max_key_size < SMP_MIN_ENC_KEY_SIZE))
3158c50c
VCG		 663 return SMP_ENC_KEY_SIZE;
664
f7aa611a 665 smp->enc_key_size = max_key_size;
3158c50c
VCG		 666
667 return 0;
668}
669
6f48e260
JH		 670static void smp_chan_destroy(struct l2cap_conn *conn)
671{
672 struct l2cap_chan *chan = conn->smp;
673 struct smp_chan *smp = chan->data;
923e2414 674 struct hci_conn *hcon = conn->hcon;
6f48e260
JH		 675 bool complete;
676
677 BUG_ON(!smp);
678
679 cancel_delayed_work_sync(&smp->security_timer);
6f48e260 680
6f48e260 681 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
923e2414 682 mgmt_smp_complete(hcon, complete);
6f48e260
JH		 683
684 kfree(smp->csrk);
685 kfree(smp->slave_csrk);
6a77083a 686 kfree(smp->link_key);
6f48e260
JH		 687
688 crypto_free_blkcipher(smp->tfm_aes);
407cecf6 689 crypto_free_hash(smp->tfm_cmac);
6f48e260 690
923e2414
JH		 691 /* Ensure that we don't leave any debug key around if debug key
692 * support hasn't been explicitly enabled.
693 */
694 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
695 !test_bit(HCI_KEEP_DEBUG_KEYS, &hcon->hdev->dev_flags)) {
696 list_del_rcu(&smp->ltk->list);
697 kfree_rcu(smp->ltk, rcu);
698 smp->ltk = NULL;
699 }
700
6f48e260
JH		 701 /* If pairing failed clean up any keys we might have */
702 if (!complete) {
703 if (smp->ltk) {
970d0f1b
JH		 704 list_del_rcu(&smp->ltk->list);
705 kfree_rcu(smp->ltk, rcu);
6f48e260
JH		 706 }
707
708 if (smp->slave_ltk) {
970d0f1b
JH		 709 list_del_rcu(&smp->slave_ltk->list);
710 kfree_rcu(smp->slave_ltk, rcu);
6f48e260
JH		 711 }
712
713 if (smp->remote_irk) {
adae20cb
JH		 714 list_del_rcu(&smp->remote_irk->list);
715 kfree_rcu(smp->remote_irk, rcu);
6f48e260
JH		 716 }
717 }
718
719 chan->data = NULL;
720 kfree(smp);
923e2414 721 hci_conn_drop(hcon);
6f48e260
JH		 722}
723
84794e11 724static void smp_failure(struct l2cap_conn *conn, u8 reason)
4f957a76 725{
bab73cb6 726 struct hci_conn *hcon = conn->hcon;
b68fda68 727 struct l2cap_chan *chan = conn->smp;
bab73cb6 728
84794e11 729 if (reason)
4f957a76 730 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
f1560463 731 &reason);
4f957a76 732
ce39fb4e 733 clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
e1e930f5 734 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
f1c09c07 735
fc75cc86 736 if (chan->data)
f1c09c07 737 smp_chan_destroy(conn);
4f957a76
BG		 738}
739
2b64d153
BG		 740#define JUST_WORKS 0x00
741#define JUST_CFM 0x01
742#define REQ_PASSKEY 0x02
743#define CFM_PASSKEY 0x03
744#define REQ_OOB 0x04
5e3d3d9b 745#define DSP_PASSKEY 0x05
2b64d153
BG		 746#define OVERLAP 0xFF
747
748static const u8 gen_method[5][5] = {
749 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
750 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
751 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
752 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
753 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
754};
755
5e3d3d9b
JH		 756static const u8 sc_method[5][5] = {
757 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
758 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
759 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
760 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
761 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
762};
763
581370cc
JH		 764static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
765{
2bcd4003
JH		 766 /* If either side has unknown io_caps, use JUST_CFM (which gets
767 * converted later to JUST_WORKS if we're initiators.
768 */
581370cc
JH		 769 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
770 remote_io > SMP_IO_KEYBOARD_DISPLAY)
2bcd4003 771 return JUST_CFM;
581370cc 772
5e3d3d9b
JH		 773 if (test_bit(SMP_FLAG_SC, &smp->flags))
774 return sc_method[remote_io][local_io];
775
581370cc
JH		 776 return gen_method[remote_io][local_io];
777}
778
2b64d153
BG		 779static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
780 u8 local_io, u8 remote_io)
781{
782 struct hci_conn *hcon = conn->hcon;
5d88cc73
JH		 783 struct l2cap_chan *chan = conn->smp;
784 struct smp_chan *smp = chan->data;
2b64d153
BG		 785 u32 passkey = 0;
786 int ret = 0;
787
788 /* Initialize key for JUST WORKS */
789 memset(smp->tk, 0, sizeof(smp->tk));
4a74d658 790 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 791
792 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
793
2bcd4003
JH		 794 /* If neither side wants MITM, either "just" confirm an incoming
795 * request or use just-works for outgoing ones. The JUST_CFM
796 * will be converted to JUST_WORKS if necessary later in this
797 * function. If either side has MITM look up the method from the
798 * table.
799 */
581370cc 800 if (!(auth & SMP_AUTH_MITM))
783e0574 801 smp->method = JUST_CFM;
2b64d153 802 else
783e0574 803 smp->method = get_auth_method(smp, local_io, remote_io);
2b64d153 804
a82505c7 805 /* Don't confirm locally initiated pairing attempts */
783e0574
JH		 806 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
807 &smp->flags))
808 smp->method = JUST_WORKS;
a82505c7 809
02f3e254 810 /* Don't bother user space with no IO capabilities */
783e0574
JH		 811 if (smp->method == JUST_CFM &&
812 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
813 smp->method = JUST_WORKS;
02f3e254 814
2b64d153 815 /* If Just Works, Continue with Zero TK */
783e0574 816 if (smp->method == JUST_WORKS) {
4a74d658 817 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 818 return 0;
819 }
820
821 /* Not Just Works/Confirm results in MITM Authentication */
783e0574 822 if (smp->method != JUST_CFM) {
4a74d658 823 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
5eb596f5
JH		 824 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
825 hcon->pending_sec_level = BT_SECURITY_HIGH;
826 }
2b64d153
BG		 827
828 /* If both devices have Keyoard-Display I/O, the master
829 * Confirms and the slave Enters the passkey.
830 */
783e0574 831 if (smp->method == OVERLAP) {
40bef302 832 if (hcon->role == HCI_ROLE_MASTER)
783e0574 833 smp->method = CFM_PASSKEY;
2b64d153 834 else
783e0574 835 smp->method = REQ_PASSKEY;
2b64d153
BG		 836 }
837
01ad34d2 838 /* Generate random passkey. */
783e0574 839 if (smp->method == CFM_PASSKEY) {
943a732a 840 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153
BG		 841 get_random_bytes(&passkey, sizeof(passkey));
842 passkey %= 1000000;
943a732a 843 put_unaligned_le32(passkey, smp->tk);
2b64d153 844 BT_DBG("PassKey: %d", passkey);
4a74d658 845 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 846 }
847
783e0574 848 if (smp->method == REQ_PASSKEY)
ce39fb4e 849 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
272d90df 850 hcon->type, hcon->dst_type);
783e0574 851 else if (smp->method == JUST_CFM)
4eb65e66
JH		 852 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
853 hcon->type, hcon->dst_type,
854 passkey, 1);
2b64d153 855 else
01ad34d2 856 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
272d90df 857 hcon->type, hcon->dst_type,
39adbffe 858 passkey, 0);
2b64d153 859
2b64d153
BG		 860 return ret;
861}
862
1cc61144 863static u8 smp_confirm(struct smp_chan *smp)
8aab4757 864{
8aab4757 865 struct l2cap_conn *conn = smp->conn;
8aab4757
VCG		 866 struct smp_cmd_pairing_confirm cp;
867 int ret;
8aab4757
VCG		 868
869 BT_DBG("conn %p", conn);
870
e491eaf3 871 ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
b1cd5fd9 872 conn->hcon->init_addr_type, &conn->hcon->init_addr,
943a732a
JH		 873 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
874 cp.confirm_val);
1cc61144
JH		 875 if (ret)
876 return SMP_UNSPECIFIED;
8aab4757 877
4a74d658 878 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153 879
8aab4757
VCG		 880 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
881
b28b4943
JH		 882 if (conn->hcon->out)
883 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
884 else
885 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
886
1cc61144 887 return 0;
8aab4757
VCG		 888}
889
861580a9 890static u8 smp_random(struct smp_chan *smp)
8aab4757 891{
8aab4757
VCG		 892 struct l2cap_conn *conn = smp->conn;
893 struct hci_conn *hcon = conn->hcon;
861580a9 894 u8 confirm[16];
8aab4757
VCG		 895 int ret;
896
ec70f36f 897 if (IS_ERR_OR_NULL(smp->tfm_aes))
861580a9 898 return SMP_UNSPECIFIED;
8aab4757
VCG		 899
900 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
901
e491eaf3 902 ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
b1cd5fd9 903 hcon->init_addr_type, &hcon->init_addr,
943a732a 904 hcon->resp_addr_type, &hcon->resp_addr, confirm);
861580a9
JH		 905 if (ret)
906 return SMP_UNSPECIFIED;
8aab4757 907
8aab4757
VCG		 908 if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
909 BT_ERR("Pairing failed (confirmation values mismatch)");
861580a9 910 return SMP_CONFIRM_FAILED;
8aab4757
VCG		 911 }
912
913 if (hcon->out) {
fe39c7b2
MH		 914 u8 stk[16];
915 __le64 rand = 0;
916 __le16 ediv = 0;
8aab4757 917
e491eaf3 918 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
8aab4757 919
f7aa611a 920 memset(stk + smp->enc_key_size, 0,
04124681 921 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
8aab4757 922
861580a9
JH		 923 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
924 return SMP_UNSPECIFIED;
8aab4757
VCG		 925
926 hci_le_start_enc(hcon, ediv, rand, stk);
f7aa611a 927 hcon->enc_key_size = smp->enc_key_size;
fe59a05f 928 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
8aab4757 929 } else {
fff3490f 930 u8 stk[16], auth;
fe39c7b2
MH		 931 __le64 rand = 0;
932 __le16 ediv = 0;
8aab4757 933
943a732a
JH		 934 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
935 smp->prnd);
8aab4757 936
e491eaf3 937 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
8aab4757 938
f7aa611a 939 memset(stk + smp->enc_key_size, 0,
f1560463 940 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
8aab4757 941
fff3490f
JH		 942 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
943 auth = 1;
944 else
945 auth = 0;
946
7d5843b7
JH		 947 /* Even though there's no _SLAVE suffix this is the
948 * slave STK we're adding for later lookup (the master
949 * STK never needs to be stored).
950 */
ce39fb4e 951 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2ceba539 952 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
8aab4757
VCG		 953 }
954
861580a9 955 return 0;
8aab4757
VCG		 956}
957
44f1a7ab
JH		 958static void smp_notify_keys(struct l2cap_conn *conn)
959{
960 struct l2cap_chan *chan = conn->smp;
961 struct smp_chan *smp = chan->data;
962 struct hci_conn *hcon = conn->hcon;
963 struct hci_dev *hdev = hcon->hdev;
964 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
965 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
966 bool persistent;
967
968 if (smp->remote_irk) {
969 mgmt_new_irk(hdev, smp->remote_irk);
970 /* Now that user space can be considered to know the
971 * identity address track the connection based on it
b5ae344d 972 * from now on (assuming this is an LE link).
44f1a7ab 973 */
b5ae344d
JH		 974 if (hcon->type == LE_LINK) {
975 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
976 hcon->dst_type = smp->remote_irk->addr_type;
977 queue_work(hdev->workqueue, &conn->id_addr_update_work);
978 }
44f1a7ab
JH		 979
980 /* When receiving an indentity resolving key for
981 * a remote device that does not use a resolvable
982 * private address, just remove the key so that
983 * it is possible to use the controller white
984 * list for scanning.
985 *
986 * Userspace will have been told to not store
987 * this key at this point. So it is safe to
988 * just remove it.
989 */
990 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
adae20cb
JH		 991 list_del_rcu(&smp->remote_irk->list);
992 kfree_rcu(smp->remote_irk, rcu);
44f1a7ab
JH		 993 smp->remote_irk = NULL;
994 }
995 }
996
b5ae344d
JH		 997 if (hcon->type == ACL_LINK) {
998 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
999 persistent = false;
1000 else
1001 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1002 &hcon->flags);
1003 } else {
1004 /* The LTKs and CSRKs should be persistent only if both sides
1005 * had the bonding bit set in their authentication requests.
1006 */
1007 persistent = !!((req->auth_req & rsp->auth_req) &
1008 SMP_AUTH_BONDING);
1009 }
1010
44f1a7ab
JH		 1011
1012 if (smp->csrk) {
1013 smp->csrk->bdaddr_type = hcon->dst_type;
1014 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1015 mgmt_new_csrk(hdev, smp->csrk, persistent);
1016 }
1017
1018 if (smp->slave_csrk) {
1019 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1020 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1021 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1022 }
1023
1024 if (smp->ltk) {
1025 smp->ltk->bdaddr_type = hcon->dst_type;
1026 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1027 mgmt_new_ltk(hdev, smp->ltk, persistent);
1028 }
1029
1030 if (smp->slave_ltk) {
1031 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1032 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1033 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1034 }
6a77083a
JH		 1035
1036 if (smp->link_key) {
e3befab9
JH		 1037 struct link_key *key;
1038 u8 type;
1039
1040 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1041 type = HCI_LK_DEBUG_COMBINATION;
1042 else if (hcon->sec_level == BT_SECURITY_FIPS)
1043 type = HCI_LK_AUTH_COMBINATION_P256;
1044 else
1045 type = HCI_LK_UNAUTH_COMBINATION_P256;
1046
1047 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1048 smp->link_key, type, 0, &persistent);
1049 if (key) {
1050 mgmt_new_link_key(hdev, key, persistent);
1051
1052 /* Don't keep debug keys around if the relevant
1053 * flag is not set.
1054 */
1055 if (!test_bit(HCI_KEEP_DEBUG_KEYS, &hdev->dev_flags) &&
1056 key->type == HCI_LK_DEBUG_COMBINATION) {
1057 list_del_rcu(&key->list);
1058 kfree_rcu(key, rcu);
1059 }
1060 }
6a77083a
JH		 1061 }
1062}
1063
d3e54a87
JH		 1064static void sc_add_ltk(struct smp_chan *smp)
1065{
1066 struct hci_conn *hcon = smp->conn->hcon;
1067 u8 key_type, auth;
1068
1069 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1070 key_type = SMP_LTK_P256_DEBUG;
1071 else
1072 key_type = SMP_LTK_P256;
1073
1074 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1075 auth = 1;
1076 else
1077 auth = 0;
1078
1079 memset(smp->tk + smp->enc_key_size, 0,
1080 SMP_MAX_ENC_KEY_SIZE - smp->enc_key_size);
1081
1082 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1083 key_type, auth, smp->tk, smp->enc_key_size,
1084 0, 0);
1085}
1086
6a77083a
JH		 1087static void sc_generate_link_key(struct smp_chan *smp)
1088{
1089 /* These constants are as specified in the core specification.
1090 * In ASCII they spell out to 'tmp1' and 'lebr'.
1091 */
1092 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1093 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1094
1095 smp->link_key = kzalloc(16, GFP_KERNEL);
1096 if (!smp->link_key)
1097 return;
1098
1099 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1100 kfree(smp->link_key);
1101 smp->link_key = NULL;
1102 return;
1103 }
1104
1105 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1106 kfree(smp->link_key);
1107 smp->link_key = NULL;
1108 return;
1109 }
44f1a7ab
JH		 1110}
1111
b28b4943
JH		 1112static void smp_allow_key_dist(struct smp_chan *smp)
1113{
1114 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1115 * will be allowed in each PDU handler to ensure we receive
1116 * them in the correct order.
1117 */
1118 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1119 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1120 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1121 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1122 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1123 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1124}
1125
b5ae344d
JH		 1126static void sc_generate_ltk(struct smp_chan *smp)
1127{
1128 /* These constants are as specified in the core specification.
1129 * In ASCII they spell out to 'tmp2' and 'brle'.
1130 */
1131 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1132 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1133 struct hci_conn *hcon = smp->conn->hcon;
1134 struct hci_dev *hdev = hcon->hdev;
1135 struct link_key *key;
1136
1137 key = hci_find_link_key(hdev, &hcon->dst);
1138 if (!key) {
1139 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1140 return;
1141 }
1142
1143 if (key->type == HCI_LK_DEBUG_COMBINATION)
1144 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1145
1146 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1147 return;
1148
1149 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1150 return;
1151
1152 sc_add_ltk(smp);
1153}
1154
d6268e86 1155static void smp_distribute_keys(struct smp_chan *smp)
44f1a7ab
JH		 1156{
1157 struct smp_cmd_pairing *req, *rsp;
86d1407c 1158 struct l2cap_conn *conn = smp->conn;
44f1a7ab
JH		 1159 struct hci_conn *hcon = conn->hcon;
1160 struct hci_dev *hdev = hcon->hdev;
1161 __u8 *keydist;
1162
1163 BT_DBG("conn %p", conn);
1164
44f1a7ab
JH		 1165 rsp = (void *) &smp->prsp[1];
1166
1167 /* The responder sends its keys first */
b28b4943
JH		 1168 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1169 smp_allow_key_dist(smp);
86d1407c 1170 return;
b28b4943 1171 }
44f1a7ab
JH		 1172
1173 req = (void *) &smp->preq[1];
1174
1175 if (hcon->out) {
1176 keydist = &rsp->init_key_dist;
1177 *keydist &= req->init_key_dist;
1178 } else {
1179 keydist = &rsp->resp_key_dist;
1180 *keydist &= req->resp_key_dist;
1181 }
1182
6a77083a 1183 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
b5ae344d 1184 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
6a77083a 1185 sc_generate_link_key(smp);
b5ae344d
JH		 1186 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1187 sc_generate_ltk(smp);
6a77083a
JH		 1188
1189 /* Clear the keys which are generated but not distributed */
1190 *keydist &= ~SMP_SC_NO_DIST;
1191 }
1192
44f1a7ab
JH		 1193 BT_DBG("keydist 0x%x", *keydist);
1194
1195 if (*keydist & SMP_DIST_ENC_KEY) {
1196 struct smp_cmd_encrypt_info enc;
1197 struct smp_cmd_master_ident ident;
1198 struct smp_ltk *ltk;
1199 u8 authenticated;
1200 __le16 ediv;
1201 __le64 rand;
1202
1203 get_random_bytes(enc.ltk, sizeof(enc.ltk));
1204 get_random_bytes(&ediv, sizeof(ediv));
1205 get_random_bytes(&rand, sizeof(rand));
1206
1207 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1208
1209 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1210 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1211 SMP_LTK_SLAVE, authenticated, enc.ltk,
1212 smp->enc_key_size, ediv, rand);
1213 smp->slave_ltk = ltk;
1214
1215 ident.ediv = ediv;
1216 ident.rand = rand;
1217
1218 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1219
1220 *keydist &= ~SMP_DIST_ENC_KEY;
1221 }
1222
1223 if (*keydist & SMP_DIST_ID_KEY) {
1224 struct smp_cmd_ident_addr_info addrinfo;
1225 struct smp_cmd_ident_info idinfo;
1226
1227 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1228
1229 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1230
1231 /* The hci_conn contains the local identity address
1232 * after the connection has been established.
1233 *
1234 * This is true even when the connection has been
1235 * established using a resolvable random address.
1236 */
1237 bacpy(&addrinfo.bdaddr, &hcon->src);
1238 addrinfo.addr_type = hcon->src_type;
1239
1240 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1241 &addrinfo);
1242
1243 *keydist &= ~SMP_DIST_ID_KEY;
1244 }
1245
1246 if (*keydist & SMP_DIST_SIGN) {
1247 struct smp_cmd_sign_info sign;
1248 struct smp_csrk *csrk;
1249
1250 /* Generate a new random key */
1251 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1252
1253 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1254 if (csrk) {
1255 csrk->master = 0x00;
1256 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1257 }
1258 smp->slave_csrk = csrk;
1259
1260 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1261
1262 *keydist &= ~SMP_DIST_SIGN;
1263 }
1264
1265 /* If there are still keys to be received wait for them */
b28b4943
JH		 1266 if (smp->remote_key_dist & KEY_DIST_MASK) {
1267 smp_allow_key_dist(smp);
86d1407c 1268 return;
b28b4943 1269 }
44f1a7ab 1270
44f1a7ab
JH		 1271 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1272 smp_notify_keys(conn);
1273
1274 smp_chan_destroy(conn);
44f1a7ab
JH		 1275}
1276
b68fda68
JH		 1277static void smp_timeout(struct work_struct *work)
1278{
1279 struct smp_chan *smp = container_of(work, struct smp_chan,
1280 security_timer.work);
1281 struct l2cap_conn *conn = smp->conn;
1282
1283 BT_DBG("conn %p", conn);
1284
1e91c29e 1285 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
b68fda68
JH		 1286}
1287
8aab4757
VCG		 1288static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1289{
5d88cc73 1290 struct l2cap_chan *chan = conn->smp;
8aab4757
VCG		 1291 struct smp_chan *smp;
1292
f1560463 1293 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
fc75cc86 1294 if (!smp)
8aab4757
VCG		 1295 return NULL;
1296
6a7bd103
JH		 1297 smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1298 if (IS_ERR(smp->tfm_aes)) {
1299 BT_ERR("Unable to create ECB crypto context");
1300 kfree(smp);
1301 return NULL;
1302 }
1303
407cecf6
JH		 1304 smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1305 if (IS_ERR(smp->tfm_cmac)) {
1306 BT_ERR("Unable to create CMAC crypto context");
1307 crypto_free_blkcipher(smp->tfm_aes);
1308 kfree(smp);
1309 return NULL;
1310 }
1311
8aab4757 1312 smp->conn = conn;
5d88cc73 1313 chan->data = smp;
8aab4757 1314
b28b4943
JH		 1315 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1316
b68fda68
JH		 1317 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1318
8aab4757
VCG		 1319 hci_conn_hold(conn->hcon);
1320
1321 return smp;
1322}
1323
760b018b
JH		 1324static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1325{
1326 struct hci_conn *hcon = smp->conn->hcon;
1327 u8 *na, *nb, a[7], b[7];
1328
1329 if (hcon->out) {
1330 na = smp->prnd;
1331 nb = smp->rrnd;
1332 } else {
1333 na = smp->rrnd;
1334 nb = smp->prnd;
1335 }
1336
1337 memcpy(a, &hcon->init_addr, 6);
1338 memcpy(b, &hcon->resp_addr, 6);
1339 a[6] = hcon->init_addr_type;
1340 b[6] = hcon->resp_addr_type;
1341
1342 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1343}
1344
38606f14 1345static void sc_dhkey_check(struct smp_chan *smp)
760b018b
JH		 1346{
1347 struct hci_conn *hcon = smp->conn->hcon;
1348 struct smp_cmd_dhkey_check check;
1349 u8 a[7], b[7], *local_addr, *remote_addr;
1350 u8 io_cap[3], r[16];
1351
760b018b
JH		 1352 memcpy(a, &hcon->init_addr, 6);
1353 memcpy(b, &hcon->resp_addr, 6);
1354 a[6] = hcon->init_addr_type;
1355 b[6] = hcon->resp_addr_type;
1356
1357 if (hcon->out) {
1358 local_addr = a;
1359 remote_addr = b;
1360 memcpy(io_cap, &smp->preq[1], 3);
1361 } else {
1362 local_addr = b;
1363 remote_addr = a;
1364 memcpy(io_cap, &smp->prsp[1], 3);
1365 }
1366
dddd3059
JH		 1367 memset(r, 0, sizeof(r));
1368
1369 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
38606f14 1370 put_unaligned_le32(hcon->passkey_notify, r);
760b018b 1371
a29b0733
JH		 1372 if (smp->method == REQ_OOB)
1373 memcpy(r, smp->rr, 16);
1374
760b018b
JH		 1375 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1376 local_addr, remote_addr, check.e);
1377
1378 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
dddd3059
JH		 1379}
1380
38606f14
JH		 1381static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1382{
1383 struct l2cap_conn *conn = smp->conn;
1384 struct hci_conn *hcon = conn->hcon;
1385 struct smp_cmd_pairing_confirm cfm;
1386 u8 r;
1387
1388 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1389 r |= 0x80;
1390
1391 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1392
1393 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1394 cfm.confirm_val))
1395 return SMP_UNSPECIFIED;
1396
1397 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1398
1399 return 0;
1400}
1401
1402static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1403{
1404 struct l2cap_conn *conn = smp->conn;
1405 struct hci_conn *hcon = conn->hcon;
1406 struct hci_dev *hdev = hcon->hdev;
1407 u8 cfm[16], r;
1408
1409 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1410 if (smp->passkey_round >= 20)
1411 return 0;
1412
1413 switch (smp_op) {
1414 case SMP_CMD_PAIRING_RANDOM:
1415 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1416 r |= 0x80;
1417
1418 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1419 smp->rrnd, r, cfm))
1420 return SMP_UNSPECIFIED;
1421
1422 if (memcmp(smp->pcnf, cfm, 16))
1423 return SMP_CONFIRM_FAILED;
1424
1425 smp->passkey_round++;
1426
1427 if (smp->passkey_round == 20) {
1428 /* Generate MacKey and LTK */
1429 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1430 return SMP_UNSPECIFIED;
1431 }
1432
1433 /* The round is only complete when the initiator
1434 * receives pairing random.
1435 */
1436 if (!hcon->out) {
1437 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1438 sizeof(smp->prnd), smp->prnd);
d3e54a87 1439 if (smp->passkey_round == 20)
38606f14 1440 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
d3e54a87 1441 else
38606f14 1442 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
38606f14
JH		 1443 return 0;
1444 }
1445
1446 /* Start the next round */
1447 if (smp->passkey_round != 20)
1448 return sc_passkey_round(smp, 0);
1449
1450 /* Passkey rounds are complete - start DHKey Check */
1451 sc_dhkey_check(smp);
1452 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1453
1454 break;
1455
1456 case SMP_CMD_PAIRING_CONFIRM:
1457 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1458 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1459 return 0;
1460 }
1461
1462 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1463
1464 if (hcon->out) {
1465 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1466 sizeof(smp->prnd), smp->prnd);
1467 return 0;
1468 }
1469
1470 return sc_passkey_send_confirm(smp);
1471
1472 case SMP_CMD_PUBLIC_KEY:
1473 default:
1474 /* Initiating device starts the round */
1475 if (!hcon->out)
1476 return 0;
1477
1478 BT_DBG("%s Starting passkey round %u", hdev->name,
1479 smp->passkey_round + 1);
1480
1481 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1482
1483 return sc_passkey_send_confirm(smp);
1484 }
1485
1486 return 0;
1487}
1488
dddd3059
JH		 1489static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1490{
38606f14
JH		 1491 struct l2cap_conn *conn = smp->conn;
1492 struct hci_conn *hcon = conn->hcon;
1493 u8 smp_op;
1494
1495 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1496
dddd3059
JH		 1497 switch (mgmt_op) {
1498 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1499 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1500 return 0;
1501 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1502 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1503 return 0;
38606f14
JH		 1504 case MGMT_OP_USER_PASSKEY_REPLY:
1505 hcon->passkey_notify = le32_to_cpu(passkey);
1506 smp->passkey_round = 0;
1507
1508 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1509 smp_op = SMP_CMD_PAIRING_CONFIRM;
1510 else
1511 smp_op = 0;
1512
1513 if (sc_passkey_round(smp, smp_op))
1514 return -EIO;
1515
1516 return 0;
dddd3059
JH		 1517 }
1518
d3e54a87
JH		 1519 /* Initiator sends DHKey check first */
1520 if (hcon->out) {
1521 sc_dhkey_check(smp);
1522 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1523 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1524 sc_dhkey_check(smp);
1525 sc_add_ltk(smp);
1526 }
760b018b
JH		 1527
1528 return 0;
1529}
1530
2b64d153
BG		 1531int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1532{
b10e8017 1533 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73 1534 struct l2cap_chan *chan;
2b64d153
BG		 1535 struct smp_chan *smp;
1536 u32 value;
fc75cc86 1537 int err;
2b64d153
BG		 1538
1539 BT_DBG("");
1540
fc75cc86 1541 if (!conn)
2b64d153
BG		 1542 return -ENOTCONN;
1543
5d88cc73
JH		 1544 chan = conn->smp;
1545 if (!chan)
1546 return -ENOTCONN;
1547
fc75cc86
JH		 1548 l2cap_chan_lock(chan);
1549 if (!chan->data) {
1550 err = -ENOTCONN;
1551 goto unlock;
1552 }
1553
5d88cc73 1554 smp = chan->data;
2b64d153 1555
760b018b
JH		 1556 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1557 err = sc_user_reply(smp, mgmt_op, passkey);
1558 goto unlock;
1559 }
1560
2b64d153
BG		 1561 switch (mgmt_op) {
1562 case MGMT_OP_USER_PASSKEY_REPLY:
1563 value = le32_to_cpu(passkey);
943a732a 1564 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153 1565 BT_DBG("PassKey: %d", value);
943a732a 1566 put_unaligned_le32(value, smp->tk);
2b64d153
BG		 1567 /* Fall Through */
1568 case MGMT_OP_USER_CONFIRM_REPLY:
4a74d658 1569 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 1570 break;
1571 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1572 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e11 1573 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1574 err = 0;
1575 goto unlock;
2b64d153 1576 default:
84794e11 1577 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1578 err = -EOPNOTSUPP;
1579 goto unlock;
2b64d153
BG		 1580 }
1581
fc75cc86
JH		 1582 err = 0;
1583
2b64d153 1584 /* If it is our turn to send Pairing Confirm, do so now */
1cc61144
JH		 1585 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1586 u8 rsp = smp_confirm(smp);
1587 if (rsp)
1588 smp_failure(conn, rsp);
1589 }
2b64d153 1590
fc75cc86
JH		 1591unlock:
1592 l2cap_chan_unlock(chan);
1593 return err;
2b64d153
BG		 1594}
1595
b5ae344d
JH		 1596static void build_bredr_pairing_cmd(struct smp_chan *smp,
1597 struct smp_cmd_pairing *req,
1598 struct smp_cmd_pairing *rsp)
1599{
1600 struct l2cap_conn *conn = smp->conn;
1601 struct hci_dev *hdev = conn->hcon->hdev;
1602 u8 local_dist = 0, remote_dist = 0;
1603
1604 if (test_bit(HCI_BONDABLE, &hdev->dev_flags)) {
1605 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1606 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1607 }
1608
1609 if (test_bit(HCI_RPA_RESOLVING, &hdev->dev_flags))
1610 remote_dist |= SMP_DIST_ID_KEY;
1611
1612 if (test_bit(HCI_PRIVACY, &hdev->dev_flags))
1613 local_dist |= SMP_DIST_ID_KEY;
1614
1615 if (!rsp) {
1616 memset(req, 0, sizeof(*req));
1617
1618 req->init_key_dist = local_dist;
1619 req->resp_key_dist = remote_dist;
1620 req->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1621
1622 smp->remote_key_dist = remote_dist;
1623
1624 return;
1625 }
1626
1627 memset(rsp, 0, sizeof(*rsp));
1628
1629 rsp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
1630 rsp->init_key_dist = req->init_key_dist & remote_dist;
1631 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1632
1633 smp->remote_key_dist = rsp->init_key_dist;
1634}
1635
da85e5e5 1636static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1637{
3158c50c 1638 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
fc75cc86 1639 struct l2cap_chan *chan = conn->smp;
b3c6410b 1640 struct hci_dev *hdev = conn->hcon->hdev;
8aab4757 1641 struct smp_chan *smp;
c7262e71 1642 u8 key_size, auth, sec_level;
8aab4757 1643 int ret;
88ba43b6
AB		 1644
1645 BT_DBG("conn %p", conn);
1646
c46b98be 1647 if (skb->len < sizeof(*req))
38e4a915 1648 return SMP_INVALID_PARAMS;
c46b98be 1649
40bef302 1650 if (conn->hcon->role != HCI_ROLE_SLAVE)
2b64d153
BG		 1651 return SMP_CMD_NOTSUPP;
1652
fc75cc86 1653 if (!chan->data)
8aab4757 1654 smp = smp_chan_create(conn);
fc75cc86 1655 else
5d88cc73 1656 smp = chan->data;
8aab4757 1657
d08fd0e7
AE		 1658 if (!smp)
1659 return SMP_UNSPECIFIED;
d26a2345 1660
c05b9339 1661 /* We didn't start the pairing, so match remote */
0edb14de 1662 auth = req->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1663
b6ae8457 1664 if (!test_bit(HCI_BONDABLE, &hdev->dev_flags) &&
c05b9339 1665 (auth & SMP_AUTH_BONDING))
b3c6410b
JH		 1666 return SMP_PAIRING_NOTSUPP;
1667
903b71c7
JH		 1668 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1669 return SMP_AUTH_REQUIREMENTS;
1670
1c1def09
VCG		 1671 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1672 memcpy(&smp->preq[1], req, sizeof(*req));
3158c50c 1673 skb_pull(skb, sizeof(*req));
88ba43b6 1674
b5ae344d
JH		 1675 /* SMP over BR/EDR requires special treatment */
1676 if (conn->hcon->type == ACL_LINK) {
1677 /* We must have a BR/EDR SC link */
08f63cc5 1678 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
300acfde 1679 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
b5ae344d
JH		 1680 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1681
1682 set_bit(SMP_FLAG_SC, &smp->flags);
1683
1684 build_bredr_pairing_cmd(smp, req, &rsp);
1685
1686 key_size = min(req->max_key_size, rsp.max_key_size);
1687 if (check_enc_key_size(conn, key_size))
1688 return SMP_ENC_KEY_SIZE;
1689
1690 /* Clear bits which are generated but not distributed */
1691 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1692
1693 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1694 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1695 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1696
1697 smp_distribute_keys(smp);
1698 return 0;
1699 }
1700
5e3d3d9b
JH		 1701 build_pairing_cmd(conn, req, &rsp, auth);
1702
1703 if (rsp.auth_req & SMP_AUTH_SC)
1704 set_bit(SMP_FLAG_SC, &smp->flags);
1705
5be5e275 1706 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 1707 sec_level = BT_SECURITY_MEDIUM;
1708 else
1709 sec_level = authreq_to_seclevel(auth);
1710
c7262e71
JH		 1711 if (sec_level > conn->hcon->pending_sec_level)
1712 conn->hcon->pending_sec_level = sec_level;
fdde0a26 1713
49c922bb 1714 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1715 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1716 u8 method;
1717
1718 method = get_auth_method(smp, conn->hcon->io_capability,
1719 req->io_capability);
1720 if (method == JUST_WORKS || method == JUST_CFM)
1721 return SMP_AUTH_REQUIREMENTS;
1722 }
1723
3158c50c
VCG		 1724 key_size = min(req->max_key_size, rsp.max_key_size);
1725 if (check_enc_key_size(conn, key_size))
1726 return SMP_ENC_KEY_SIZE;
88ba43b6 1727
e84a6b13 1728 get_random_bytes(smp->prnd, sizeof(smp->prnd));
8aab4757 1729
1c1def09
VCG		 1730 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1731 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
f01ead31 1732
3158c50c 1733 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
3b19146d
JH		 1734
1735 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1736
1737 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1738 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1739 /* Clear bits which are generated but not distributed */
1740 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1741 /* Wait for Public Key from Initiating Device */
1742 return 0;
1743 } else {
1744 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1745 }
da85e5e5 1746
2b64d153
BG		 1747 /* Request setup of TK */
1748 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1749 if (ret)
1750 return SMP_UNSPECIFIED;
1751
da85e5e5 1752 return 0;
88ba43b6
AB		 1753}
1754
3b19146d
JH		 1755static u8 sc_send_public_key(struct smp_chan *smp)
1756{
70157ef5
JH		 1757 struct hci_dev *hdev = smp->conn->hcon->hdev;
1758
3b19146d
JH		 1759 BT_DBG("");
1760
70157ef5
JH		 1761 if (test_bit(HCI_USE_DEBUG_KEYS, &hdev->dev_flags)) {
1762 BT_DBG("Using debug keys");
1763 memcpy(smp->local_pk, debug_pk, 64);
1764 memcpy(smp->local_sk, debug_sk, 32);
1765 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1766 } else {
1767 while (true) {
1768 /* Generate local key pair for Secure Connections */
1769 if (!ecc_make_key(smp->local_pk, smp->local_sk))
1770 return SMP_UNSPECIFIED;
6c0dcc50 1771
70157ef5
JH		 1772 /* This is unlikely, but we need to check that
1773 * we didn't accidentially generate a debug key.
1774 */
1775 if (memcmp(smp->local_sk, debug_sk, 32))
1776 break;
1777 }
6c0dcc50 1778 }
3b19146d 1779
c7a3d57d
JH		 1780 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1781 SMP_DBG("Local Public Key Y: %32phN", &smp->local_pk[32]);
1782 SMP_DBG("Local Private Key: %32phN", smp->local_sk);
3b19146d
JH		 1783
1784 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1785
1786 return 0;
1787}
1788
da85e5e5 1789static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1790{
3158c50c 1791 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
5d88cc73
JH		 1792 struct l2cap_chan *chan = conn->smp;
1793 struct smp_chan *smp = chan->data;
0edb14de 1794 struct hci_dev *hdev = conn->hcon->hdev;
3a7dbfb8 1795 u8 key_size, auth;
7d24ddcc 1796 int ret;
88ba43b6
AB		 1797
1798 BT_DBG("conn %p", conn);
1799
c46b98be 1800 if (skb->len < sizeof(*rsp))
38e4a915 1801 return SMP_INVALID_PARAMS;
c46b98be 1802
40bef302 1803 if (conn->hcon->role != HCI_ROLE_MASTER)
2b64d153
BG		 1804 return SMP_CMD_NOTSUPP;
1805
3158c50c
VCG		 1806 skb_pull(skb, sizeof(*rsp));
1807
1c1def09 1808 req = (void *) &smp->preq[1];
da85e5e5 1809
3158c50c
VCG		 1810 key_size = min(req->max_key_size, rsp->max_key_size);
1811 if (check_enc_key_size(conn, key_size))
1812 return SMP_ENC_KEY_SIZE;
1813
0edb14de 1814 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1815
903b71c7
JH		 1816 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
1817 return SMP_AUTH_REQUIREMENTS;
1818
b5ae344d
JH		 1819 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1820 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1821
1822 /* Update remote key distribution in case the remote cleared
1823 * some bits that we had enabled in our request.
1824 */
1825 smp->remote_key_dist &= rsp->resp_key_dist;
1826
1827 /* For BR/EDR this means we're done and can start phase 3 */
1828 if (conn->hcon->type == ACL_LINK) {
1829 /* Clear bits which are generated but not distributed */
1830 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1831 smp_distribute_keys(smp);
1832 return 0;
1833 }
1834
65668776
JH		 1835 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1836 set_bit(SMP_FLAG_SC, &smp->flags);
d2eb9e10
JH		 1837 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1838 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
65668776 1839
49c922bb 1840 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1841 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1842 u8 method;
1843
1844 method = get_auth_method(smp, req->io_capability,
1845 rsp->io_capability);
1846 if (method == JUST_WORKS || method == JUST_CFM)
1847 return SMP_AUTH_REQUIREMENTS;
1848 }
1849
e84a6b13 1850 get_random_bytes(smp->prnd, sizeof(smp->prnd));
7d24ddcc 1851
fdcc4bec
JH		 1852 /* Update remote key distribution in case the remote cleared
1853 * some bits that we had enabled in our request.
1854 */
1855 smp->remote_key_dist &= rsp->resp_key_dist;
1856
3b19146d
JH		 1857 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1858 /* Clear bits which are generated but not distributed */
1859 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1860 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861 return sc_send_public_key(smp);
1862 }
1863
c05b9339 1864 auth |= req->auth_req;
2b64d153 1865
476585ec 1866 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2b64d153
BG		 1867 if (ret)
1868 return SMP_UNSPECIFIED;
1869
4a74d658 1870 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153
BG		 1871
1872 /* Can't compose response until we have been confirmed */
4a74d658 1873 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 1874 return smp_confirm(smp);
da85e5e5
VCG		 1875
1876 return 0;
88ba43b6
AB		 1877}
1878
dcee2b32
JH		 1879static u8 sc_check_confirm(struct smp_chan *smp)
1880{
1881 struct l2cap_conn *conn = smp->conn;
1882
1883 BT_DBG("");
1884
1885 /* Public Key exchange must happen before any other steps */
1886 if (!test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
1887 return SMP_UNSPECIFIED;
1888
38606f14
JH		 1889 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1890 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
1891
dcee2b32
JH		 1892 if (conn->hcon->out) {
1893 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1894 smp->prnd);
1895 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1896 }
1897
1898 return 0;
1899}
1900
da85e5e5 1901static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1902{
5d88cc73
JH		 1903 struct l2cap_chan *chan = conn->smp;
1904 struct smp_chan *smp = chan->data;
7d24ddcc 1905
88ba43b6
AB		 1906 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
1907
c46b98be 1908 if (skb->len < sizeof(smp->pcnf))
38e4a915 1909 return SMP_INVALID_PARAMS;
c46b98be 1910
1c1def09
VCG		 1911 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
1912 skb_pull(skb, sizeof(smp->pcnf));
88ba43b6 1913
dcee2b32
JH		 1914 if (test_bit(SMP_FLAG_SC, &smp->flags))
1915 return sc_check_confirm(smp);
1916
b28b4943 1917 if (conn->hcon->out) {
943a732a
JH		 1918 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1919 smp->prnd);
b28b4943
JH		 1920 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1921 return 0;
1922 }
1923
1924 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 1925 return smp_confirm(smp);
943a732a 1926 else
4a74d658 1927 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
da85e5e5
VCG		 1928
1929 return 0;
88ba43b6
AB		 1930}
1931
da85e5e5 1932static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1933{
5d88cc73
JH		 1934 struct l2cap_chan *chan = conn->smp;
1935 struct smp_chan *smp = chan->data;
191dc7fe
JH		 1936 struct hci_conn *hcon = conn->hcon;
1937 u8 *pkax, *pkbx, *na, *nb;
1938 u32 passkey;
1939 int err;
7d24ddcc 1940
8aab4757 1941 BT_DBG("conn %p", conn);
3158c50c 1942
c46b98be 1943 if (skb->len < sizeof(smp->rrnd))
38e4a915 1944 return SMP_INVALID_PARAMS;
c46b98be 1945
943a732a 1946 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
8aab4757 1947 skb_pull(skb, sizeof(smp->rrnd));
e7e62c85 1948
191dc7fe
JH		 1949 if (!test_bit(SMP_FLAG_SC, &smp->flags))
1950 return smp_random(smp);
1951
580039e8
JH		 1952 if (hcon->out) {
1953 pkax = smp->local_pk;
1954 pkbx = smp->remote_pk;
1955 na = smp->prnd;
1956 nb = smp->rrnd;
1957 } else {
1958 pkax = smp->remote_pk;
1959 pkbx = smp->local_pk;
1960 na = smp->rrnd;
1961 nb = smp->prnd;
1962 }
1963
a29b0733
JH		 1964 if (smp->method == REQ_OOB) {
1965 if (!hcon->out)
1966 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1967 sizeof(smp->prnd), smp->prnd);
1968 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1969 goto mackey_and_ltk;
1970 }
1971
38606f14
JH		 1972 /* Passkey entry has special treatment */
1973 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1974 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
1975
191dc7fe
JH		 1976 if (hcon->out) {
1977 u8 cfm[16];
1978
1979 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1980 smp->rrnd, 0, cfm);
1981 if (err)
1982 return SMP_UNSPECIFIED;
1983
1984 if (memcmp(smp->pcnf, cfm, 16))
1985 return SMP_CONFIRM_FAILED;
191dc7fe
JH		 1986 } else {
1987 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1988 smp->prnd);
1989 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
191dc7fe
JH		 1990 }
1991
a29b0733 1992mackey_and_ltk:
760b018b
JH		 1993 /* Generate MacKey and LTK */
1994 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
1995 if (err)
1996 return SMP_UNSPECIFIED;
1997
a29b0733 1998 if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
dddd3059 1999 if (hcon->out) {
38606f14 2000 sc_dhkey_check(smp);
dddd3059
JH		 2001 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2002 }
2003 return 0;
2004 }
2005
38606f14
JH		 2006 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2007 if (err)
2008 return SMP_UNSPECIFIED;
2009
2010 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2011 hcon->dst_type, passkey, 0);
191dc7fe
JH		 2012 if (err)
2013 return SMP_UNSPECIFIED;
2014
38606f14
JH		 2015 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2016
191dc7fe 2017 return 0;
88ba43b6
AB		 2018}
2019
f81cd823 2020static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
988c5997 2021{
c9839a11 2022 struct smp_ltk *key;
988c5997
VCG		 2023 struct hci_conn *hcon = conn->hcon;
2024
f3a73d97 2025 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
988c5997 2026 if (!key)
f81cd823 2027 return false;
988c5997 2028
a6f7833c 2029 if (smp_ltk_sec_level(key) < sec_level)
f81cd823 2030 return false;
4dab7864 2031
51a8efd7 2032 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
f81cd823 2033 return true;
988c5997 2034
c9839a11
VCG		 2035 hci_le_start_enc(hcon, key->ediv, key->rand, key->val);
2036 hcon->enc_key_size = key->enc_size;
988c5997 2037
fe59a05f
JH		 2038 /* We never store STKs for master role, so clear this flag */
2039 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2040
f81cd823 2041 return true;
988c5997 2042}
f1560463 2043
35dc6f83
JH		 2044bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2045 enum smp_key_pref key_pref)
854f4727
JH		 2046{
2047 if (sec_level == BT_SECURITY_LOW)
2048 return true;
2049
35dc6f83
JH		 2050 /* If we're encrypted with an STK but the caller prefers using
2051 * LTK claim insufficient security. This way we allow the
2052 * connection to be re-encrypted with an LTK, even if the LTK
2053 * provides the same level of security. Only exception is if we
2054 * don't have an LTK (e.g. because of key distribution bits).
9ab65d60 2055 */
35dc6f83
JH		 2056 if (key_pref == SMP_USE_LTK &&
2057 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
f3a73d97 2058 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
9ab65d60
JH		 2059 return false;
2060
854f4727
JH		 2061 if (hcon->sec_level >= sec_level)
2062 return true;
2063
2064 return false;
2065}
2066
da85e5e5 2067static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6
AB		 2068{
2069 struct smp_cmd_security_req *rp = (void *) skb->data;
2070 struct smp_cmd_pairing cp;
f1cb9af5 2071 struct hci_conn *hcon = conn->hcon;
0edb14de 2072 struct hci_dev *hdev = hcon->hdev;
8aab4757 2073 struct smp_chan *smp;
c05b9339 2074 u8 sec_level, auth;
88ba43b6
AB		 2075
2076 BT_DBG("conn %p", conn);
2077
c46b98be 2078 if (skb->len < sizeof(*rp))
38e4a915 2079 return SMP_INVALID_PARAMS;
c46b98be 2080
40bef302 2081 if (hcon->role != HCI_ROLE_MASTER)
86ca9eac
JH		 2082 return SMP_CMD_NOTSUPP;
2083
0edb14de 2084 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 2085
903b71c7
JH		 2086 if (test_bit(HCI_SC_ONLY, &hdev->dev_flags) && !(auth & SMP_AUTH_SC))
2087 return SMP_AUTH_REQUIREMENTS;
2088
5be5e275 2089 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 2090 sec_level = BT_SECURITY_MEDIUM;
2091 else
2092 sec_level = authreq_to_seclevel(auth);
2093
35dc6f83 2094 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
854f4727
JH		 2095 return 0;
2096
c7262e71
JH		 2097 if (sec_level > hcon->pending_sec_level)
2098 hcon->pending_sec_level = sec_level;
feb45eb5 2099
4dab7864 2100 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
988c5997
VCG		 2101 return 0;
2102
8aab4757 2103 smp = smp_chan_create(conn);
c29d2444
JH		 2104 if (!smp)
2105 return SMP_UNSPECIFIED;
d26a2345 2106
b6ae8457 2107 if (!test_bit(HCI_BONDABLE, &hcon->hdev->dev_flags) &&
c05b9339 2108 (auth & SMP_AUTH_BONDING))
616d55be
JH		 2109 return SMP_PAIRING_NOTSUPP;
2110
88ba43b6 2111 skb_pull(skb, sizeof(*rp));
88ba43b6 2112
da85e5e5 2113 memset(&cp, 0, sizeof(cp));
c05b9339 2114 build_pairing_cmd(conn, &cp, NULL, auth);
88ba43b6 2115
1c1def09
VCG		 2116 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2117 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2118
88ba43b6 2119 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2120 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
f1cb9af5 2121
da85e5e5 2122 return 0;
88ba43b6
AB		 2123}
2124
cc110922 2125int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
eb492e01 2126{
cc110922 2127 struct l2cap_conn *conn = hcon->l2cap_data;
c68b7f12 2128 struct l2cap_chan *chan;
0a66cf20 2129 struct smp_chan *smp;
2b64d153 2130 __u8 authreq;
fc75cc86 2131 int ret;
eb492e01 2132
3a0259bb
VCG		 2133 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2134
0a66cf20
JH		 2135 /* This may be NULL if there's an unexpected disconnection */
2136 if (!conn)
2137 return 1;
2138
c68b7f12
JH		 2139 chan = conn->smp;
2140
757aee0f 2141 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags))
2e65c9d2
AG		 2142 return 1;
2143
35dc6f83 2144 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
eb492e01 2145 return 1;
f1cb9af5 2146
c7262e71
JH		 2147 if (sec_level > hcon->pending_sec_level)
2148 hcon->pending_sec_level = sec_level;
2149
40bef302 2150 if (hcon->role == HCI_ROLE_MASTER)
c7262e71
JH		 2151 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2152 return 0;
d26a2345 2153
fc75cc86
JH		 2154 l2cap_chan_lock(chan);
2155
2156 /* If SMP is already in progress ignore this request */
2157 if (chan->data) {
2158 ret = 0;
2159 goto unlock;
2160 }
d26a2345 2161
8aab4757 2162 smp = smp_chan_create(conn);
fc75cc86
JH		 2163 if (!smp) {
2164 ret = 1;
2165 goto unlock;
2166 }
2b64d153
BG		 2167
2168 authreq = seclevel_to_authreq(sec_level);
d26a2345 2169
d2eb9e10
JH		 2170 if (test_bit(HCI_SC_ENABLED, &hcon->hdev->dev_flags))
2171 authreq |= SMP_AUTH_SC;
2172
79897d20
JH		 2173 /* Require MITM if IO Capability allows or the security level
2174 * requires it.
2e233644 2175 */
79897d20 2176 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
c7262e71 2177 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2e233644
JH		 2178 authreq |= SMP_AUTH_MITM;
2179
40bef302 2180 if (hcon->role == HCI_ROLE_MASTER) {
d26a2345 2181 struct smp_cmd_pairing cp;
f01ead31 2182
2b64d153 2183 build_pairing_cmd(conn, &cp, NULL, authreq);
1c1def09
VCG		 2184 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2185 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2186
eb492e01 2187 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2188 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
eb492e01
AB		 2189 } else {
2190 struct smp_cmd_security_req cp;
2b64d153 2191 cp.auth_req = authreq;
eb492e01 2192 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
b28b4943 2193 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
eb492e01
AB		 2194 }
2195
4a74d658 2196 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
fc75cc86 2197 ret = 0;
edca792c 2198
fc75cc86
JH		 2199unlock:
2200 l2cap_chan_unlock(chan);
2201 return ret;
eb492e01
AB		 2202}
2203
7034b911
VCG		 2204static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2205{
16b90839 2206 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
5d88cc73
JH		 2207 struct l2cap_chan *chan = conn->smp;
2208 struct smp_chan *smp = chan->data;
16b90839 2209
c46b98be
JH		 2210 BT_DBG("conn %p", conn);
2211
2212 if (skb->len < sizeof(*rp))
38e4a915 2213 return SMP_INVALID_PARAMS;
c46b98be 2214
b28b4943 2215 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
6131ddc8 2216
16b90839
VCG		 2217 skb_pull(skb, sizeof(*rp));
2218
1c1def09 2219 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
16b90839 2220
7034b911
VCG		 2221 return 0;
2222}
2223
2224static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2225{
16b90839 2226 struct smp_cmd_master_ident *rp = (void *) skb->data;
5d88cc73
JH		 2227 struct l2cap_chan *chan = conn->smp;
2228 struct smp_chan *smp = chan->data;
c9839a11
VCG		 2229 struct hci_dev *hdev = conn->hcon->hdev;
2230 struct hci_conn *hcon = conn->hcon;
23d0e128 2231 struct smp_ltk *ltk;
c9839a11 2232 u8 authenticated;
16b90839 2233
c46b98be
JH		 2234 BT_DBG("conn %p", conn);
2235
2236 if (skb->len < sizeof(*rp))
38e4a915 2237 return SMP_INVALID_PARAMS;
c46b98be 2238
9747a9f3
JH		 2239 /* Mark the information as received */
2240 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2241
b28b4943
JH		 2242 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2243 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
196332f5
JH		 2244 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2245 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
b28b4943 2246
16b90839 2247 skb_pull(skb, sizeof(*rp));
7034b911 2248
ce39fb4e 2249 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2ceba539 2250 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
23d0e128
JH		 2251 authenticated, smp->tk, smp->enc_key_size,
2252 rp->ediv, rp->rand);
2253 smp->ltk = ltk;
c6e81e9a 2254 if (!(smp->remote_key_dist & KEY_DIST_MASK))
d6268e86 2255 smp_distribute_keys(smp);
7034b911
VCG		 2256
2257 return 0;
2258}
2259
fd349c02
JH		 2260static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2261{
2262 struct smp_cmd_ident_info *info = (void *) skb->data;
5d88cc73
JH		 2263 struct l2cap_chan *chan = conn->smp;
2264 struct smp_chan *smp = chan->data;
fd349c02
JH		 2265
2266 BT_DBG("");
2267
2268 if (skb->len < sizeof(*info))
38e4a915 2269 return SMP_INVALID_PARAMS;
fd349c02 2270
b28b4943 2271 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
6131ddc8 2272
fd349c02
JH		 2273 skb_pull(skb, sizeof(*info));
2274
2275 memcpy(smp->irk, info->irk, 16);
2276
2277 return 0;
2278}
2279
2280static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2281 struct sk_buff *skb)
2282{
2283 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
5d88cc73
JH		 2284 struct l2cap_chan *chan = conn->smp;
2285 struct smp_chan *smp = chan->data;
fd349c02
JH		 2286 struct hci_conn *hcon = conn->hcon;
2287 bdaddr_t rpa;
2288
2289 BT_DBG("");
2290
2291 if (skb->len < sizeof(*info))
38e4a915 2292 return SMP_INVALID_PARAMS;
fd349c02 2293
9747a9f3
JH		 2294 /* Mark the information as received */
2295 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2296
b28b4943
JH		 2297 if (smp->remote_key_dist & SMP_DIST_SIGN)
2298 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2299
fd349c02
JH		 2300 skb_pull(skb, sizeof(*info));
2301
a9a58f86
JH		 2302 /* Strictly speaking the Core Specification (4.1) allows sending
2303 * an empty address which would force us to rely on just the IRK
2304 * as "identity information". However, since such
2305 * implementations are not known of and in order to not over
2306 * complicate our implementation, simply pretend that we never
2307 * received an IRK for such a device.
e12af489
JH		 2308 *
2309 * The Identity Address must also be a Static Random or Public
2310 * Address, which hci_is_identity_address() checks for.
a9a58f86 2311 */
e12af489
JH		 2312 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2313 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
a9a58f86 2314 BT_ERR("Ignoring IRK with no identity address");
31dd624e 2315 goto distribute;
a9a58f86
JH		 2316 }
2317
fd349c02
JH		 2318 bacpy(&smp->id_addr, &info->bdaddr);
2319 smp->id_addr_type = info->addr_type;
2320
2321 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2322 bacpy(&rpa, &hcon->dst);
2323 else
2324 bacpy(&rpa, BDADDR_ANY);
2325
23d0e128
JH		 2326 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2327 smp->id_addr_type, smp->irk, &rpa);
fd349c02 2328
31dd624e 2329distribute:
c6e81e9a
JH		 2330 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2331 smp_distribute_keys(smp);
fd349c02
JH		 2332
2333 return 0;
2334}
2335
7ee4ea36
MH		 2336static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2337{
2338 struct smp_cmd_sign_info *rp = (void *) skb->data;
5d88cc73
JH		 2339 struct l2cap_chan *chan = conn->smp;
2340 struct smp_chan *smp = chan->data;
7ee4ea36
MH		 2341 struct smp_csrk *csrk;
2342
2343 BT_DBG("conn %p", conn);
2344
2345 if (skb->len < sizeof(*rp))
38e4a915 2346 return SMP_INVALID_PARAMS;
7ee4ea36 2347
7ee4ea36
MH		 2348 /* Mark the information as received */
2349 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2350
2351 skb_pull(skb, sizeof(*rp));
2352
7ee4ea36
MH		 2353 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2354 if (csrk) {
2355 csrk->master = 0x01;
2356 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2357 }
2358 smp->csrk = csrk;
d6268e86 2359 smp_distribute_keys(smp);
7ee4ea36
MH		 2360
2361 return 0;
2362}
2363
5e3d3d9b
JH		 2364static u8 sc_select_method(struct smp_chan *smp)
2365{
2366 struct l2cap_conn *conn = smp->conn;
2367 struct hci_conn *hcon = conn->hcon;
2368 struct smp_cmd_pairing *local, *remote;
2369 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2370
a29b0733
JH		 2371 if (test_bit(SMP_FLAG_OOB, &smp->flags))
2372 return REQ_OOB;
2373
5e3d3d9b
JH		 2374 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2375 * which are needed as inputs to some crypto functions. To get
2376 * the "struct smp_cmd_pairing" from them we need to skip the
2377 * first byte which contains the opcode.
2378 */
2379 if (hcon->out) {
2380 local = (void *) &smp->preq[1];
2381 remote = (void *) &smp->prsp[1];
2382 } else {
2383 local = (void *) &smp->prsp[1];
2384 remote = (void *) &smp->preq[1];
2385 }
2386
2387 local_io = local->io_capability;
2388 remote_io = remote->io_capability;
2389
2390 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2391 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2392
2393 /* If either side wants MITM, look up the method from the table,
2394 * otherwise use JUST WORKS.
2395 */
2396 if (local_mitm || remote_mitm)
2397 method = get_auth_method(smp, local_io, remote_io);
2398 else
2399 method = JUST_WORKS;
2400
2401 /* Don't confirm locally initiated pairing attempts */
2402 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2403 method = JUST_WORKS;
2404
2405 return method;
2406}
2407
d8f8edbe
JH		 2408static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2409{
2410 struct smp_cmd_public_key *key = (void *) skb->data;
2411 struct hci_conn *hcon = conn->hcon;
2412 struct l2cap_chan *chan = conn->smp;
2413 struct smp_chan *smp = chan->data;
5e3d3d9b 2414 struct hci_dev *hdev = hcon->hdev;
cbbbe3e2 2415 struct smp_cmd_pairing_confirm cfm;
d8f8edbe
JH		 2416 int err;
2417
2418 BT_DBG("conn %p", conn);
2419
2420 if (skb->len < sizeof(*key))
2421 return SMP_INVALID_PARAMS;
2422
2423 memcpy(smp->remote_pk, key, 64);
2424
2425 /* Non-initiating device sends its public key after receiving
2426 * the key from the initiating device.
2427 */
2428 if (!hcon->out) {
2429 err = sc_send_public_key(smp);
2430 if (err)
2431 return err;
2432 }
2433
c7a3d57d
JH		 2434 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2435 SMP_DBG("Remote Public Key Y: %32phN", &smp->remote_pk[32]);
d8f8edbe
JH		 2436
2437 if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2438 return SMP_UNSPECIFIED;
2439
c7a3d57d 2440 SMP_DBG("DHKey %32phN", smp->dhkey);
d8f8edbe
JH		 2441
2442 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2443
5e3d3d9b
JH		 2444 smp->method = sc_select_method(smp);
2445
2446 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2447
2448 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2449 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2450 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2451 else
2452 hcon->pending_sec_level = BT_SECURITY_FIPS;
2453
aeb7d461
JH		 2454 if (!memcmp(debug_pk, smp->remote_pk, 64))
2455 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2456
38606f14
JH		 2457 if (smp->method == DSP_PASSKEY) {
2458 get_random_bytes(&hcon->passkey_notify,
2459 sizeof(hcon->passkey_notify));
2460 hcon->passkey_notify %= 1000000;
2461 hcon->passkey_entered = 0;
2462 smp->passkey_round = 0;
2463 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2464 hcon->dst_type,
2465 hcon->passkey_notify,
2466 hcon->passkey_entered))
2467 return SMP_UNSPECIFIED;
2468 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2469 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2470 }
2471
a29b0733
JH		 2472 if (smp->method == REQ_OOB) {
2473 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2474 smp->rr, 0, cfm.confirm_val);
2475 if (err)
2476 return SMP_UNSPECIFIED;
2477
2478 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2479 return SMP_CONFIRM_FAILED;
2480
2481 if (hcon->out)
2482 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2483 sizeof(smp->prnd), smp->prnd);
2484
2485 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2486
2487 return 0;
2488 }
2489
38606f14
JH		 2490 if (hcon->out)
2491 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2492
2493 if (smp->method == REQ_PASSKEY) {
2494 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2495 hcon->dst_type))
2496 return SMP_UNSPECIFIED;
2497 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2498 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2499 return 0;
2500 }
2501
cbbbe3e2
JH		 2502 /* The Initiating device waits for the non-initiating device to
2503 * send the confirm value.
2504 */
2505 if (conn->hcon->out)
2506 return 0;
2507
2508 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2509 0, cfm.confirm_val);
2510 if (err)
2511 return SMP_UNSPECIFIED;
2512
2513 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2514 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2515
d8f8edbe
JH		 2516 return 0;
2517}
2518
6433a9a2
JH		 2519static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2520{
2521 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2522 struct l2cap_chan *chan = conn->smp;
2523 struct hci_conn *hcon = conn->hcon;
2524 struct smp_chan *smp = chan->data;
2525 u8 a[7], b[7], *local_addr, *remote_addr;
2526 u8 io_cap[3], r[16], e[16];
2527 int err;
2528
2529 BT_DBG("conn %p", conn);
2530
2531 if (skb->len < sizeof(*check))
2532 return SMP_INVALID_PARAMS;
2533
2534 memcpy(a, &hcon->init_addr, 6);
2535 memcpy(b, &hcon->resp_addr, 6);
2536 a[6] = hcon->init_addr_type;
2537 b[6] = hcon->resp_addr_type;
2538
2539 if (hcon->out) {
2540 local_addr = a;
2541 remote_addr = b;
2542 memcpy(io_cap, &smp->prsp[1], 3);
2543 } else {
2544 local_addr = b;
2545 remote_addr = a;
2546 memcpy(io_cap, &smp->preq[1], 3);
2547 }
2548
2549 memset(r, 0, sizeof(r));
2550
38606f14
JH		 2551 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2552 put_unaligned_le32(hcon->passkey_notify, r);
2553
6433a9a2
JH		 2554 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2555 io_cap, remote_addr, local_addr, e);
2556 if (err)
2557 return SMP_UNSPECIFIED;
2558
2559 if (memcmp(check->e, e, 16))
2560 return SMP_DHKEY_CHECK_FAILED;
2561
d3e54a87
JH		 2562 if (!hcon->out) {
2563 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2564 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2565 return 0;
2566 }
d378a2d7 2567
d3e54a87
JH		 2568 /* Slave sends DHKey check as response to master */
2569 sc_dhkey_check(smp);
2570 }
d378a2d7 2571
d3e54a87 2572 sc_add_ltk(smp);
6433a9a2
JH		 2573
2574 if (hcon->out) {
2575 hci_le_start_enc(hcon, 0, 0, smp->tk);
2576 hcon->enc_key_size = smp->enc_key_size;
2577 }
2578
2579 return 0;
2580}
2581
1408bb6e
JH		 2582static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2583 struct sk_buff *skb)
2584{
2585 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2586
2587 BT_DBG("value 0x%02x", kp->value);
2588
2589 return 0;
2590}
2591
4befb867 2592static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
eb492e01 2593{
5d88cc73 2594 struct l2cap_conn *conn = chan->conn;
7b9899db 2595 struct hci_conn *hcon = conn->hcon;
b28b4943 2596 struct smp_chan *smp;
92381f5c 2597 __u8 code, reason;
eb492e01
AB		 2598 int err = 0;
2599
8ae9b984 2600 if (skb->len < 1)
92381f5c 2601 return -EILSEQ;
92381f5c 2602
06ae3314 2603 if (!test_bit(HCI_LE_ENABLED, &hcon->hdev->dev_flags)) {
2e65c9d2
AG		 2604 reason = SMP_PAIRING_NOTSUPP;
2605 goto done;
2606 }
2607
92381f5c 2608 code = skb->data[0];
eb492e01
AB		 2609 skb_pull(skb, sizeof(code));
2610
b28b4943
JH		 2611 smp = chan->data;
2612
2613 if (code > SMP_CMD_MAX)
2614 goto drop;
2615
24bd0bd9 2616 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
b28b4943
JH		 2617 goto drop;
2618
2619 /* If we don't have a context the only allowed commands are
2620 * pairing request and security request.
8cf9fa12 2621 */
b28b4943
JH		 2622 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2623 goto drop;
8cf9fa12 2624
eb492e01
AB		 2625 switch (code) {
2626 case SMP_CMD_PAIRING_REQ:
da85e5e5 2627 reason = smp_cmd_pairing_req(conn, skb);
eb492e01
AB		 2628 break;
2629
2630 case SMP_CMD_PAIRING_FAIL:
84794e11 2631 smp_failure(conn, 0);
da85e5e5 2632 err = -EPERM;
eb492e01
AB		 2633 break;
2634
2635 case SMP_CMD_PAIRING_RSP:
da85e5e5 2636 reason = smp_cmd_pairing_rsp(conn, skb);
88ba43b6
AB		 2637 break;
2638
2639 case SMP_CMD_SECURITY_REQ:
da85e5e5 2640 reason = smp_cmd_security_req(conn, skb);
88ba43b6
AB		 2641 break;
2642
eb492e01 2643 case SMP_CMD_PAIRING_CONFIRM:
da85e5e5 2644 reason = smp_cmd_pairing_confirm(conn, skb);
88ba43b6
AB		 2645 break;
2646
eb492e01 2647 case SMP_CMD_PAIRING_RANDOM:
da85e5e5 2648 reason = smp_cmd_pairing_random(conn, skb);
88ba43b6
AB		 2649 break;
2650
eb492e01 2651 case SMP_CMD_ENCRYPT_INFO:
7034b911
VCG		 2652 reason = smp_cmd_encrypt_info(conn, skb);
2653 break;
2654
eb492e01 2655 case SMP_CMD_MASTER_IDENT:
7034b911
VCG		 2656 reason = smp_cmd_master_ident(conn, skb);
2657 break;
2658
eb492e01 2659 case SMP_CMD_IDENT_INFO:
fd349c02
JH		 2660 reason = smp_cmd_ident_info(conn, skb);
2661 break;
2662
eb492e01 2663 case SMP_CMD_IDENT_ADDR_INFO:
fd349c02
JH		 2664 reason = smp_cmd_ident_addr_info(conn, skb);
2665 break;
2666
eb492e01 2667 case SMP_CMD_SIGN_INFO:
7ee4ea36 2668 reason = smp_cmd_sign_info(conn, skb);
7034b911
VCG		 2669 break;
2670
d8f8edbe
JH		 2671 case SMP_CMD_PUBLIC_KEY:
2672 reason = smp_cmd_public_key(conn, skb);
2673 break;
2674
6433a9a2
JH		 2675 case SMP_CMD_DHKEY_CHECK:
2676 reason = smp_cmd_dhkey_check(conn, skb);
2677 break;
2678
1408bb6e
JH		 2679 case SMP_CMD_KEYPRESS_NOTIFY:
2680 reason = smp_cmd_keypress_notify(conn, skb);
2681 break;
2682
eb492e01
AB		 2683 default:
2684 BT_DBG("Unknown command code 0x%2.2x", code);
eb492e01 2685 reason = SMP_CMD_NOTSUPP;
3a0259bb 2686 goto done;
eb492e01
AB		 2687 }
2688
3a0259bb 2689done:
9b7b18ef
JH		 2690 if (!err) {
2691 if (reason)
2692 smp_failure(conn, reason);
8ae9b984 2693 kfree_skb(skb);
9b7b18ef
JH		 2694 }
2695
eb492e01 2696 return err;
b28b4943
JH		 2697
2698drop:
2699 BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2700 code, &hcon->dst);
2701 kfree_skb(skb);
2702 return 0;
eb492e01 2703}
7034b911 2704
70db83c4
JH		 2705static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2706{
2707 struct l2cap_conn *conn = chan->conn;
2708
2709 BT_DBG("chan %p", chan);
2710
fc75cc86 2711 if (chan->data)
5d88cc73 2712 smp_chan_destroy(conn);
5d88cc73 2713
70db83c4
JH		 2714 conn->smp = NULL;
2715 l2cap_chan_put(chan);
2716}
2717
b5ae344d
JH		 2718static void bredr_pairing(struct l2cap_chan *chan)
2719{
2720 struct l2cap_conn *conn = chan->conn;
2721 struct hci_conn *hcon = conn->hcon;
2722 struct hci_dev *hdev = hcon->hdev;
2723 struct smp_cmd_pairing req;
2724 struct smp_chan *smp;
2725
2726 BT_DBG("chan %p", chan);
2727
2728 /* Only new pairings are interesting */
2729 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2730 return;
2731
2732 /* Don't bother if we're not encrypted */
2733 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2734 return;
2735
2736 /* Only master may initiate SMP over BR/EDR */
2737 if (hcon->role != HCI_ROLE_MASTER)
2738 return;
2739
2740 /* Secure Connections support must be enabled */
2741 if (!test_bit(HCI_SC_ENABLED, &hdev->dev_flags))
2742 return;
2743
2744 /* BR/EDR must use Secure Connections for SMP */
2745 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
300acfde 2746 !test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
b5ae344d
JH		 2747 return;
2748
2749 /* If our LE support is not enabled don't do anything */
2750 if (!test_bit(HCI_LE_ENABLED, &hdev->dev_flags))
2751 return;
2752
2753 /* Don't bother if remote LE support is not enabled */
2754 if (!lmp_host_le_capable(hcon))
2755 return;
2756
2757 /* Remote must support SMP fixed chan for BR/EDR */
2758 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2759 return;
2760
2761 /* Don't bother if SMP is already ongoing */
2762 if (chan->data)
2763 return;
2764
2765 smp = smp_chan_create(conn);
2766 if (!smp) {
2767 BT_ERR("%s unable to create SMP context for BR/EDR",
2768 hdev->name);
2769 return;
2770 }
2771
2772 set_bit(SMP_FLAG_SC, &smp->flags);
2773
2774 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2775
2776 /* Prepare and send the BR/EDR SMP Pairing Request */
2777 build_bredr_pairing_cmd(smp, &req, NULL);
2778
2779 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2780 memcpy(&smp->preq[1], &req, sizeof(req));
2781
2782 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2783 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2784}
2785
44f1a7ab
JH		 2786static void smp_resume_cb(struct l2cap_chan *chan)
2787{
b68fda68 2788 struct smp_chan *smp = chan->data;
44f1a7ab
JH		 2789 struct l2cap_conn *conn = chan->conn;
2790 struct hci_conn *hcon = conn->hcon;
2791
2792 BT_DBG("chan %p", chan);
2793
b5ae344d
JH		 2794 if (hcon->type == ACL_LINK) {
2795 bredr_pairing(chan);
ef8efe4b 2796 return;
b5ae344d 2797 }
ef8efe4b 2798
86d1407c
JH		 2799 if (!smp)
2800 return;
b68fda68 2801
84bc0db5
JH		 2802 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2803 return;
2804
86d1407c
JH		 2805 cancel_delayed_work(&smp->security_timer);
2806
d6268e86 2807 smp_distribute_keys(smp);
44f1a7ab
JH		 2808}
2809
70db83c4
JH		 2810static void smp_ready_cb(struct l2cap_chan *chan)
2811{
2812 struct l2cap_conn *conn = chan->conn;
b5ae344d 2813 struct hci_conn *hcon = conn->hcon;
70db83c4
JH		 2814
2815 BT_DBG("chan %p", chan);
2816
2817 conn->smp = chan;
2818 l2cap_chan_hold(chan);
b5ae344d
JH		 2819
2820 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2821 bredr_pairing(chan);
70db83c4
JH		 2822}
2823
4befb867
JH		 2824static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
2825{
2826 int err;
2827
2828 BT_DBG("chan %p", chan);
2829
2830 err = smp_sig_channel(chan, skb);
2831 if (err) {
b68fda68 2832 struct smp_chan *smp = chan->data;
4befb867 2833
b68fda68
JH		 2834 if (smp)
2835 cancel_delayed_work_sync(&smp->security_timer);
4befb867 2836
1e91c29e 2837 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
4befb867
JH		 2838 }
2839
2840 return err;
2841}
2842
70db83c4
JH		 2843static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
2844 unsigned long hdr_len,
2845 unsigned long len, int nb)
2846{
2847 struct sk_buff *skb;
2848
2849 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
2850 if (!skb)
2851 return ERR_PTR(-ENOMEM);
2852
2853 skb->priority = HCI_PRIO_MAX;
2854 bt_cb(skb)->chan = chan;
2855
2856 return skb;
2857}
2858
2859static const struct l2cap_ops smp_chan_ops = {
2860 .name = "Security Manager",
2861 .ready = smp_ready_cb,
5d88cc73 2862 .recv = smp_recv_cb,
70db83c4
JH		 2863 .alloc_skb = smp_alloc_skb_cb,
2864 .teardown = smp_teardown_cb,
44f1a7ab 2865 .resume = smp_resume_cb,
70db83c4
JH		 2866
2867 .new_connection = l2cap_chan_no_new_connection,
70db83c4
JH		 2868 .state_change = l2cap_chan_no_state_change,
2869 .close = l2cap_chan_no_close,
2870 .defer = l2cap_chan_no_defer,
2871 .suspend = l2cap_chan_no_suspend,
70db83c4
JH		 2872 .set_shutdown = l2cap_chan_no_set_shutdown,
2873 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 2874};
2875
2876static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
2877{
2878 struct l2cap_chan *chan;
2879
2880 BT_DBG("pchan %p", pchan);
2881
2882 chan = l2cap_chan_create();
2883 if (!chan)
2884 return NULL;
2885
2886 chan->chan_type = pchan->chan_type;
2887 chan->ops = &smp_chan_ops;
2888 chan->scid = pchan->scid;
2889 chan->dcid = chan->scid;
2890 chan->imtu = pchan->imtu;
2891 chan->omtu = pchan->omtu;
2892 chan->mode = pchan->mode;
2893
abe84903
JH		 2894 /* Other L2CAP channels may request SMP routines in order to
2895 * change the security level. This means that the SMP channel
2896 * lock must be considered in its own category to avoid lockdep
2897 * warnings.
2898 */
2899 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
2900
70db83c4
JH		 2901 BT_DBG("created chan %p", chan);
2902
2903 return chan;
2904}
2905
2906static const struct l2cap_ops smp_root_chan_ops = {
2907 .name = "Security Manager Root",
2908 .new_connection = smp_new_conn_cb,
2909
2910 /* None of these are implemented for the root channel */
2911 .close = l2cap_chan_no_close,
2912 .alloc_skb = l2cap_chan_no_alloc_skb,
2913 .recv = l2cap_chan_no_recv,
2914 .state_change = l2cap_chan_no_state_change,
2915 .teardown = l2cap_chan_no_teardown,
2916 .ready = l2cap_chan_no_ready,
2917 .defer = l2cap_chan_no_defer,
2918 .suspend = l2cap_chan_no_suspend,
2919 .resume = l2cap_chan_no_resume,
2920 .set_shutdown = l2cap_chan_no_set_shutdown,
2921 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 2922};
2923
ef8efe4b 2924static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
711eafe3 2925{
70db83c4 2926 struct l2cap_chan *chan;
defce9e8 2927 struct crypto_blkcipher *tfm_aes;
70db83c4 2928
ef8efe4b
JH		 2929 if (cid == L2CAP_CID_SMP_BREDR) {
2930 tfm_aes = NULL;
2931 goto create_chan;
2932 }
711eafe3 2933
adae20cb 2934 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, 0);
defce9e8 2935 if (IS_ERR(tfm_aes)) {
711eafe3 2936 BT_ERR("Unable to create crypto context");
fe700771 2937 return ERR_CAST(tfm_aes);
711eafe3
JH		 2938 }
2939
ef8efe4b 2940create_chan:
70db83c4
JH		 2941 chan = l2cap_chan_create();
2942 if (!chan) {
defce9e8 2943 crypto_free_blkcipher(tfm_aes);
ef8efe4b 2944 return ERR_PTR(-ENOMEM);
70db83c4
JH		 2945 }
2946
defce9e8
JH		 2947 chan->data = tfm_aes;
2948
ef8efe4b 2949 l2cap_add_scid(chan, cid);
70db83c4
JH		 2950
2951 l2cap_chan_set_defaults(chan);
2952
157029ba
MH		 2953 if (cid == L2CAP_CID_SMP) {
2954 /* If usage of static address is forced or if the devices
2955 * does not have a public address, then listen on the static
2956 * address.
2957 *
2958 * In case BR/EDR has been disabled on a dual-mode controller
2959 * and a static address has been configued, then listen on
2960 * the static address instead.
2961 */
2962 if (test_bit(HCI_FORCE_STATIC_ADDR, &hdev->dbg_flags) ||
2963 !bacmp(&hdev->bdaddr, BDADDR_ANY) ||
2964 (!test_bit(HCI_BREDR_ENABLED, &hdev->dev_flags) &&
2965 bacmp(&hdev->static_addr, BDADDR_ANY))) {
2966 bacpy(&chan->src, &hdev->static_addr);
2967 chan->src_type = BDADDR_LE_RANDOM;
2968 } else {
2969 bacpy(&chan->src, &hdev->bdaddr);
2970 chan->src_type = BDADDR_LE_PUBLIC;
2971 }
2972 } else {
2973 bacpy(&chan->src, &hdev->bdaddr);
ef8efe4b 2974 chan->src_type = BDADDR_BREDR;
157029ba
MH		 2975 }
2976
70db83c4
JH		 2977 chan->state = BT_LISTEN;
2978 chan->mode = L2CAP_MODE_BASIC;
2979 chan->imtu = L2CAP_DEFAULT_MTU;
2980 chan->ops = &smp_root_chan_ops;
2981
abe84903
JH		 2982 /* Set correct nesting level for a parent/listening channel */
2983 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
2984
ef8efe4b 2985 return chan;
711eafe3
JH		 2986}
2987
ef8efe4b 2988static void smp_del_chan(struct l2cap_chan *chan)
711eafe3 2989{
ef8efe4b 2990 struct crypto_blkcipher *tfm_aes;
70db83c4 2991
ef8efe4b 2992 BT_DBG("chan %p", chan);
711eafe3 2993
defce9e8
JH		 2994 tfm_aes = chan->data;
2995 if (tfm_aes) {
2996 chan->data = NULL;
2997 crypto_free_blkcipher(tfm_aes);
711eafe3 2998 }
70db83c4 2999
70db83c4 3000 l2cap_chan_put(chan);
711eafe3 3001}
ef8efe4b 3002
300acfde
MH		 3003static ssize_t force_bredr_smp_read(struct file *file,
3004 char __user *user_buf,
3005 size_t count, loff_t *ppos)
3006{
3007 struct hci_dev *hdev = file->private_data;
3008 char buf[3];
3009
3010 buf[0] = test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags) ? 'Y': 'N';
3011 buf[1] = '\n';
3012 buf[2] = '\0';
3013 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3014}
3015
3016static ssize_t force_bredr_smp_write(struct file *file,
3017 const char __user *user_buf,
3018 size_t count, loff_t *ppos)
3019{
3020 struct hci_dev *hdev = file->private_data;
3021 char buf[32];
3022 size_t buf_size = min(count, (sizeof(buf)-1));
3023 bool enable;
3024
3025 if (copy_from_user(buf, user_buf, buf_size))
3026 return -EFAULT;
3027
3028 buf[buf_size] = '\0';
3029 if (strtobool(buf, &enable))
3030 return -EINVAL;
3031
3032 if (enable == test_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags))
3033 return -EALREADY;
3034
3035 if (enable) {
3036 struct l2cap_chan *chan;
3037
3038 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3039 if (IS_ERR(chan))
3040 return PTR_ERR(chan);
3041
3042 hdev->smp_bredr_data = chan;
3043 } else {
3044 struct l2cap_chan *chan;
3045
3046 chan = hdev->smp_bredr_data;
3047 hdev->smp_bredr_data = NULL;
3048 smp_del_chan(chan);
3049 }
3050
3051 change_bit(HCI_FORCE_BREDR_SMP, &hdev->dbg_flags);
3052
3053 return count;
3054}
3055
3056static const struct file_operations force_bredr_smp_fops = {
3057 .open = simple_open,
3058 .read = force_bredr_smp_read,
3059 .write = force_bredr_smp_write,
3060 .llseek = default_llseek,
3061};
3062
ef8efe4b
JH		 3063int smp_register(struct hci_dev *hdev)
3064{
3065 struct l2cap_chan *chan;
3066
3067 BT_DBG("%s", hdev->name);
3068
3069 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3070 if (IS_ERR(chan))
3071 return PTR_ERR(chan);
3072
3073 hdev->smp_data = chan;
3074
300acfde
MH		 3075 /* If the controller does not support BR/EDR Secure Connections
3076 * feature, then the BR/EDR SMP channel shall not be present.
3077 *
3078 * To test this with Bluetooth 4.0 controllers, create a debugfs
3079 * switch that allows forcing BR/EDR SMP support and accepting
3080 * cross-transport pairing on non-AES encrypted connections.
3081 */
3082 if (!lmp_sc_capable(hdev)) {
3083 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3084 hdev, &force_bredr_smp_fops);
ef8efe4b 3085 return 0;
300acfde 3086 }
ef8efe4b
JH		 3087
3088 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3089 if (IS_ERR(chan)) {
3090 int err = PTR_ERR(chan);
3091 chan = hdev->smp_data;
3092 hdev->smp_data = NULL;
3093 smp_del_chan(chan);
3094 return err;
3095 }
3096
3097 hdev->smp_bredr_data = chan;
3098
3099 return 0;
3100}
3101
3102void smp_unregister(struct hci_dev *hdev)
3103{
3104 struct l2cap_chan *chan;
3105
3106 if (hdev->smp_bredr_data) {
3107 chan = hdev->smp_bredr_data;
3108 hdev->smp_bredr_data = NULL;
3109 smp_del_chan(chan);
3110 }
3111
3112 if (hdev->smp_data) {
3113 chan = hdev->smp_data;
3114 hdev->smp_data = NULL;
3115 smp_del_chan(chan);
3116 }
3117}
0a2b0f04
JH		 3118
3119#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3120
cfc4198e
JH		 3121static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3122{
3123 const u8 irk[16] = {
3124 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3125 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3126 const u8 r[3] = { 0x94, 0x81, 0x70 };
3127 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3128 u8 res[3];
3129 int err;
3130
3131 err = smp_ah(tfm_aes, irk, r, res);
3132 if (err)
3133 return err;
3134
3135 if (memcmp(res, exp, 3))
3136 return -EINVAL;
3137
3138 return 0;
3139}
3140
3141static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3142{
3143 const u8 k[16] = {
3144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3146 const u8 r[16] = {
3147 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3148 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3149 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3150 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3151 const u8 _iat = 0x01;
3152 const u8 _rat = 0x00;
3153 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3154 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3155 const u8 exp[16] = {
3156 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3157 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3158 u8 res[16];
3159 int err;
3160
3161 err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3162 if (err)
3163 return err;
3164
3165 if (memcmp(res, exp, 16))
3166 return -EINVAL;
3167
3168 return 0;
3169}
3170
3171static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3172{
3173 const u8 k[16] = {
3174 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3176 const u8 r1[16] = {
3177 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3178 const u8 r2[16] = {
3179 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3180 const u8 exp[16] = {
3181 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3182 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3183 u8 res[16];
3184 int err;
3185
3186 err = smp_s1(tfm_aes, k, r1, r2, res);
3187 if (err)
3188 return err;
3189
3190 if (memcmp(res, exp, 16))
3191 return -EINVAL;
3192
3193 return 0;
3194}
3195
fb2969a3
JH		 3196static int __init test_f4(struct crypto_hash *tfm_cmac)
3197{
3198 const u8 u[32] = {
3199 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3200 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3201 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3202 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3203 const u8 v[32] = {
3204 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3205 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3206 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3207 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3208 const u8 x[16] = {
3209 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3210 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3211 const u8 z = 0x00;
3212 const u8 exp[16] = {
3213 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3214 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3215 u8 res[16];
3216 int err;
3217
3218 err = smp_f4(tfm_cmac, u, v, x, z, res);
3219 if (err)
3220 return err;
3221
3222 if (memcmp(res, exp, 16))
3223 return -EINVAL;
3224
3225 return 0;
3226}
3227
3228static int __init test_f5(struct crypto_hash *tfm_cmac)
3229{
3230 const u8 w[32] = {
3231 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3232 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3233 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3234 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3235 const u8 n1[16] = {
3236 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3237 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3238 const u8 n2[16] = {
3239 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3240 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3241 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3242 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3243 const u8 exp_ltk[16] = {
3244 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3245 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3246 const u8 exp_mackey[16] = {
3247 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3248 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3249 u8 mackey[16], ltk[16];
3250 int err;
3251
3252 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3253 if (err)
3254 return err;
3255
3256 if (memcmp(mackey, exp_mackey, 16))
3257 return -EINVAL;
3258
3259 if (memcmp(ltk, exp_ltk, 16))
3260 return -EINVAL;
3261
3262 return 0;
3263}
3264
3265static int __init test_f6(struct crypto_hash *tfm_cmac)
3266{
3267 const u8 w[16] = {
3268 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3269 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3270 const u8 n1[16] = {
3271 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3272 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3273 const u8 n2[16] = {
3274 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3275 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3276 const u8 r[16] = {
3277 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3278 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3279 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3280 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3281 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3282 const u8 exp[16] = {
3283 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3284 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3285 u8 res[16];
3286 int err;
3287
3288 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3289 if (err)
3290 return err;
3291
3292 if (memcmp(res, exp, 16))
3293 return -EINVAL;
3294
3295 return 0;
3296}
3297
3298static int __init test_g2(struct crypto_hash *tfm_cmac)
3299{
3300 const u8 u[32] = {
3301 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3302 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3303 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3304 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3305 const u8 v[32] = {
3306 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3307 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3308 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3309 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3310 const u8 x[16] = {
3311 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3312 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3313 const u8 y[16] = {
3314 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3315 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3316 const u32 exp_val = 0x2f9ed5ba % 1000000;
3317 u32 val;
3318 int err;
3319
3320 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3321 if (err)
3322 return err;
3323
3324 if (val != exp_val)
3325 return -EINVAL;
3326
3327 return 0;
3328}
3329
3330static int __init test_h6(struct crypto_hash *tfm_cmac)
3331{
3332 const u8 w[16] = {
3333 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3334 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3335 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3336 const u8 exp[16] = {
3337 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3338 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3339 u8 res[16];
3340 int err;
3341
3342 err = smp_h6(tfm_cmac, w, key_id, res);
3343 if (err)
3344 return err;
3345
3346 if (memcmp(res, exp, 16))
3347 return -EINVAL;
3348
3349 return 0;
3350}
3351
0a2b0f04
JH		 3352static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3353 struct crypto_hash *tfm_cmac)
3354{
255047b0
MH		 3355 ktime_t calltime, delta, rettime;
3356 unsigned long long duration;
cfc4198e
JH		 3357 int err;
3358
255047b0
MH		 3359 calltime = ktime_get();
3360
cfc4198e
JH		 3361 err = test_ah(tfm_aes);
3362 if (err) {
3363 BT_ERR("smp_ah test failed");
3364 return err;
3365 }
3366
3367 err = test_c1(tfm_aes);
3368 if (err) {
3369 BT_ERR("smp_c1 test failed");
3370 return err;
3371 }
3372
3373 err = test_s1(tfm_aes);
3374 if (err) {
3375 BT_ERR("smp_s1 test failed");
3376 return err;
3377 }
3378
fb2969a3
JH		 3379 err = test_f4(tfm_cmac);
3380 if (err) {
3381 BT_ERR("smp_f4 test failed");
3382 return err;
3383 }
3384
3385 err = test_f5(tfm_cmac);
3386 if (err) {
3387 BT_ERR("smp_f5 test failed");
3388 return err;
3389 }
3390
3391 err = test_f6(tfm_cmac);
3392 if (err) {
3393 BT_ERR("smp_f6 test failed");
3394 return err;
3395 }
3396
3397 err = test_g2(tfm_cmac);
3398 if (err) {
3399 BT_ERR("smp_g2 test failed");
3400 return err;
3401 }
3402
3403 err = test_h6(tfm_cmac);
3404 if (err) {
3405 BT_ERR("smp_h6 test failed");
3406 return err;
3407 }
3408
255047b0
MH		 3409 rettime = ktime_get();
3410 delta = ktime_sub(rettime, calltime);
3411 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3412
5ced2464 3413 BT_INFO("SMP test passed in %llu usecs", duration);
0a2b0f04
JH		 3414
3415 return 0;
3416}
3417
3418int __init bt_selftest_smp(void)
3419{
3420 struct crypto_blkcipher *tfm_aes;
3421 struct crypto_hash *tfm_cmac;
3422 int err;
3423
3424 tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3425 if (IS_ERR(tfm_aes)) {
3426 BT_ERR("Unable to create ECB crypto context");
3427 return PTR_ERR(tfm_aes);
3428 }
3429
3430 tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3431 if (IS_ERR(tfm_cmac)) {
3432 BT_ERR("Unable to create CMAC crypto context");
3433 crypto_free_blkcipher(tfm_aes);
3434 return PTR_ERR(tfm_cmac);
3435 }
3436
3437 err = run_selftests(tfm_aes, tfm_cmac);
3438
3439 crypto_free_hash(tfm_cmac);
3440 crypto_free_blkcipher(tfm_aes);
3441
3442 return err;
3443}
3444
3445#endif
Linux 6.x block layer and io_uring tree(s)