projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
mm, treewide: rename kzfree() to kfree_sensitive()
[linux-block.git] / net / bluetooth / smp.c
CommitLineData
eb492e01
AB		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
300acfde 23#include <linux/debugfs.h>
8c520a59 24#include <linux/scatterlist.h>
a4770e11 25#include <linux/crypto.h>
28a220aa 26#include <crypto/aes.h>
329d8230 27#include <crypto/algapi.h>
8c520a59 28#include <crypto/b128ops.h>
71af2f6b 29#include <crypto/hash.h>
47eb2ac8 30#include <crypto/kpp.h>
8c520a59 31
eb492e01
AB		 32#include <net/bluetooth/bluetooth.h>
33#include <net/bluetooth/hci_core.h>
34#include <net/bluetooth/l2cap.h>
2b64d153 35#include <net/bluetooth/mgmt.h>
ac4b7236 36
58771c1c 37#include "ecdh_helper.h"
ac4b7236 38#include "smp.h"
d22ef0bc 39
2fd36558
JH		 40#define SMP_DEV(hdev) \
41 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
42
c7a3d57d
JH		 43/* Low-level debug macros to be used for stuff that we don't want
44 * accidentially in dmesg, i.e. the values of the various crypto keys
45 * and the inputs & outputs of crypto functions.
46 */
47#ifdef DEBUG
48#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
49 ##__VA_ARGS__)
50#else
51#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
52 ##__VA_ARGS__)
53#endif
54
b28b4943 55#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
b28b4943 56
3b19146d
JH		 57/* Keys which are not distributed with Secure Connections */
58#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
59
17b02e62 60#define SMP_TIMEOUT msecs_to_jiffies(30000)
5d3de7df 61
d7a5a11d 62#define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
a62da6f1 63 0x3f : 0x07)
0edb14de 64#define KEY_DIST_MASK 0x07
065a13e2 65
cbbbe3e2
JH		 66/* Maximum message length that can be passed to aes_cmac */
67#define CMAC_MSG_MAX 80
68
533e35d4
JH		 69enum {
70 SMP_FLAG_TK_VALID,
71 SMP_FLAG_CFM_PENDING,
72 SMP_FLAG_MITM_AUTH,
73 SMP_FLAG_COMPLETE,
74 SMP_FLAG_INITIATOR,
65668776 75 SMP_FLAG_SC,
d8f8edbe 76 SMP_FLAG_REMOTE_PK,
aeb7d461 77 SMP_FLAG_DEBUG_KEY,
38606f14 78 SMP_FLAG_WAIT_USER,
d3e54a87 79 SMP_FLAG_DHKEY_PENDING,
1a8bab4f
JH		 80 SMP_FLAG_REMOTE_OOB,
81 SMP_FLAG_LOCAL_OOB,
a62da6f1 82 SMP_FLAG_CT2,
533e35d4 83};
4bc58f51 84
88a479d9 85struct smp_dev {
60a27d65 86 /* Secure Connections OOB data */
94f14e47 87 bool local_oob;
60a27d65 88 u8 local_pk[64];
fb334fee 89 u8 local_rand[16];
60a27d65
MH		 90 bool debug_key;
91
71af2f6b 92 struct crypto_shash *tfm_cmac;
47eb2ac8 93 struct crypto_kpp *tfm_ecdh;
88a479d9
MH		 94};
95
4bc58f51 96struct smp_chan {
b68fda68
JH		 97 struct l2cap_conn *conn;
98 struct delayed_work security_timer;
b28b4943 99 unsigned long allow_cmd; /* Bitmask of allowed commands */
b68fda68 100
4bc58f51
JH		 101 u8 preq[7]; /* SMP Pairing Request */
102 u8 prsp[7]; /* SMP Pairing Response */
103 u8 prnd[16]; /* SMP Pairing Random (local) */
104 u8 rrnd[16]; /* SMP Pairing Random (remote) */
105 u8 pcnf[16]; /* SMP Pairing Confirm */
106 u8 tk[16]; /* SMP Temporary Key */
882fafad
JH		 107 u8 rr[16]; /* Remote OOB ra/rb value */
108 u8 lr[16]; /* Local OOB ra/rb value */
4bc58f51
JH		 109 u8 enc_key_size;
110 u8 remote_key_dist;
111 bdaddr_t id_addr;
112 u8 id_addr_type;
113 u8 irk[16];
114 struct smp_csrk *csrk;
115 struct smp_csrk *slave_csrk;
116 struct smp_ltk *ltk;
117 struct smp_ltk *slave_ltk;
118 struct smp_irk *remote_irk;
6a77083a 119 u8 *link_key;
4a74d658 120 unsigned long flags;
783e0574 121 u8 method;
38606f14 122 u8 passkey_round;
6a7bd103 123
3b19146d
JH		 124 /* Secure Connections variables */
125 u8 local_pk[64];
d8f8edbe
JH		 126 u8 remote_pk[64];
127 u8 dhkey[32];
760b018b 128 u8 mackey[16];
3b19146d 129
71af2f6b 130 struct crypto_shash *tfm_cmac;
47eb2ac8 131 struct crypto_kpp *tfm_ecdh;
4bc58f51
JH		 132};
133
aeb7d461
JH		 134/* These debug key values are defined in the SMP section of the core
135 * specification. debug_pk is the public debug key and debug_sk the
136 * private debug key.
137 */
138static const u8 debug_pk[64] = {
139 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143
144 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148};
149
150static const u8 debug_sk[32] = {
151 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155};
156
8a2936f4 157static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
d22ef0bc 158{
8a2936f4 159 size_t i;
d22ef0bc 160
8a2936f4
JH		 161 for (i = 0; i < len; i++)
162 dst[len - 1 - i] = src[i];
d22ef0bc
AB		 163}
164
06edf8de
JH		 165/* The following functions map to the LE SC SMP crypto functions
166 * AES-CMAC, f4, f5, f6, g2 and h6.
167 */
168
71af2f6b 169static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
cbbbe3e2
JH		 170 size_t len, u8 mac[16])
171{
172 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
cbbbe3e2
JH		 173 int err;
174
175 if (len > CMAC_MSG_MAX)
176 return -EFBIG;
177
178 if (!tfm) {
179 BT_ERR("tfm %p", tfm);
180 return -EINVAL;
181 }
182
cbbbe3e2
JH		 183 /* Swap key and message from LSB to MSB */
184 swap_buf(k, tmp, 16);
185 swap_buf(m, msg_msb, len);
186
c7a3d57d
JH		 187 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188 SMP_DBG("key %16phN", k);
cbbbe3e2 189
71af2f6b 190 err = crypto_shash_setkey(tfm, tmp, 16);
cbbbe3e2
JH		 191 if (err) {
192 BT_ERR("cipher setkey failed: %d", err);
193 return err;
194 }
195
ec0bf6ed 196 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
cbbbe3e2 197 if (err) {
71af2f6b 198 BT_ERR("Hash computation error %d", err);
cbbbe3e2
JH		 199 return err;
200 }
201
202 swap_buf(mac_msb, mac, 16);
203
c7a3d57d 204 SMP_DBG("mac %16phN", mac);
cbbbe3e2
JH		 205
206 return 0;
207}
208
71af2f6b
HX		 209static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
cbbbe3e2
JH		 211{
212 u8 m[65];
213 int err;
214
c7a3d57d
JH		 215 SMP_DBG("u %32phN", u);
216 SMP_DBG("v %32phN", v);
217 SMP_DBG("x %16phN z %02x", x, z);
cbbbe3e2
JH		 218
219 m[0] = z;
220 memcpy(m + 1, v, 32);
221 memcpy(m + 33, u, 32);
222
223 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224 if (err)
225 return err;
226
c7a3d57d 227 SMP_DBG("res %16phN", res);
cbbbe3e2
JH		 228
229 return err;
230}
231
71af2f6b 232static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
4da50de8
JH		 233 const u8 n1[16], const u8 n2[16], const u8 a1[7],
234 const u8 a2[7], u8 mackey[16], u8 ltk[16])
760b018b
JH		 235{
236 /* The btle, salt and length "magic" values are as defined in
237 * the SMP section of the Bluetooth core specification. In ASCII
238 * the btle value ends up being 'btle'. The salt is just a
239 * random number whereas length is the value 256 in little
240 * endian format.
241 */
242 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245 const u8 length[2] = { 0x00, 0x01 };
246 u8 m[53], t[16];
247 int err;
248
c7a3d57d
JH		 249 SMP_DBG("w %32phN", w);
250 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
760b018b
JH		 252
253 err = aes_cmac(tfm_cmac, salt, w, 32, t);
254 if (err)
255 return err;
256
c7a3d57d 257 SMP_DBG("t %16phN", t);
760b018b
JH		 258
259 memcpy(m, length, 2);
260 memcpy(m + 2, a2, 7);
261 memcpy(m + 9, a1, 7);
262 memcpy(m + 16, n2, 16);
263 memcpy(m + 32, n1, 16);
264 memcpy(m + 48, btle, 4);
265
266 m[52] = 0; /* Counter */
267
268 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269 if (err)
270 return err;
271
c7a3d57d 272 SMP_DBG("mackey %16phN", mackey);
760b018b
JH		 273
274 m[52] = 1; /* Counter */
275
276 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277 if (err)
278 return err;
279
c7a3d57d 280 SMP_DBG("ltk %16phN", ltk);
760b018b
JH		 281
282 return 0;
283}
284
71af2f6b 285static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
4da50de8 286 const u8 n1[16], const u8 n2[16], const u8 r[16],
760b018b
JH		 287 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288 u8 res[16])
289{
290 u8 m[65];
291 int err;
292
c7a3d57d
JH		 293 SMP_DBG("w %16phN", w);
294 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
760b018b
JH		 296
297 memcpy(m, a2, 7);
298 memcpy(m + 7, a1, 7);
299 memcpy(m + 14, io_cap, 3);
300 memcpy(m + 17, r, 16);
301 memcpy(m + 33, n2, 16);
302 memcpy(m + 49, n1, 16);
303
304 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305 if (err)
306 return err;
307
203de21b 308 SMP_DBG("res %16phN", res);
760b018b
JH		 309
310 return err;
311}
312
71af2f6b 313static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
191dc7fe
JH		 314 const u8 x[16], const u8 y[16], u32 *val)
315{
316 u8 m[80], tmp[16];
317 int err;
318
c7a3d57d
JH		 319 SMP_DBG("u %32phN", u);
320 SMP_DBG("v %32phN", v);
321 SMP_DBG("x %16phN y %16phN", x, y);
191dc7fe
JH		 322
323 memcpy(m, y, 16);
324 memcpy(m + 16, v, 32);
325 memcpy(m + 48, u, 32);
326
327 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328 if (err)
329 return err;
330
331 *val = get_unaligned_le32(tmp);
332 *val %= 1000000;
333
c7a3d57d 334 SMP_DBG("val %06u", *val);
191dc7fe
JH		 335
336 return 0;
337}
338
71af2f6b 339static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
06edf8de
JH		 340 const u8 key_id[4], u8 res[16])
341{
342 int err;
343
344 SMP_DBG("w %16phN key_id %4phN", w, key_id);
345
346 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347 if (err)
348 return err;
349
350 SMP_DBG("res %16phN", res);
351
352 return err;
353}
354
a62da6f1
JH		 355static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356 const u8 salt[16], u8 res[16])
357{
358 int err;
359
360 SMP_DBG("w %16phN salt %16phN", w, salt);
361
362 err = aes_cmac(tfm_cmac, salt, w, 16, res);
363 if (err)
364 return err;
365
366 SMP_DBG("res %16phN", res);
367
368 return err;
369}
370
06edf8de
JH		 371/* The following functions map to the legacy SMP crypto functions e, c1,
372 * s1 and ah.
373 */
374
28a220aa 375static int smp_e(const u8 *k, u8 *r)
d22ef0bc 376{
28a220aa 377 struct crypto_aes_ctx ctx;
943a732a 378 uint8_t tmp[16], data[16];
201a5929 379 int err;
d22ef0bc 380
011c391a
JH		 381 SMP_DBG("k %16phN r %16phN", k, r);
382
943a732a 383 /* The most significant octet of key corresponds to k[0] */
8a2936f4 384 swap_buf(k, tmp, 16);
943a732a 385
28a220aa 386 err = aes_expandkey(&ctx, tmp, 16);
d22ef0bc
AB		 387 if (err) {
388 BT_ERR("cipher setkey failed: %d", err);
389 return err;
390 }
391
943a732a 392 /* Most significant octet of plaintextData corresponds to data[0] */
8a2936f4 393 swap_buf(r, data, 16);
943a732a 394
28a220aa 395 aes_encrypt(&ctx, data, data);
d22ef0bc 396
943a732a 397 /* Most significant octet of encryptedData corresponds to data[0] */
8a2936f4 398 swap_buf(data, r, 16);
943a732a 399
011c391a
JH		 400 SMP_DBG("r %16phN", r);
401
28a220aa 402 memzero_explicit(&ctx, sizeof (ctx));
d22ef0bc
AB		 403 return err;
404}
405
28a220aa 406static int smp_c1(const u8 k[16],
06edf8de
JH		 407 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
6a77083a 409{
06edf8de 410 u8 p1[16], p2[16];
6a77083a
JH		 411 int err;
412
011c391a
JH		 413 SMP_DBG("k %16phN r %16phN", k, r);
414 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415 SMP_DBG("preq %7phN pres %7phN", preq, pres);
416
06edf8de 417 memset(p1, 0, 16);
6a77083a 418
06edf8de
JH		 419 /* p1 = pres || preq || _rat || _iat */
420 p1[0] = _iat;
421 p1[1] = _rat;
422 memcpy(p1 + 2, preq, 7);
423 memcpy(p1 + 9, pres, 7);
424
011c391a 425 SMP_DBG("p1 %16phN", p1);
06edf8de
JH		 426
427 /* res = r XOR p1 */
428 u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
429
430 /* res = e(k, res) */
28a220aa 431 err = smp_e(k, res);
06edf8de
JH		 432 if (err) {
433 BT_ERR("Encrypt data error");
6a77083a 434 return err;
06edf8de 435 }
6a77083a 436
011c391a
JH		 437 /* p2 = padding || ia || ra */
438 memcpy(p2, ra, 6);
439 memcpy(p2 + 6, ia, 6);
440 memset(p2 + 12, 0, 4);
441
442 SMP_DBG("p2 %16phN", p2);
443
06edf8de
JH		 444 /* res = res XOR p2 */
445 u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
446
447 /* res = e(k, res) */
28a220aa 448 err = smp_e(k, res);
06edf8de
JH		 449 if (err)
450 BT_ERR("Encrypt data error");
451
452 return err;
453}
454
28a220aa 455static int smp_s1(const u8 k[16],
06edf8de
JH		 456 const u8 r1[16], const u8 r2[16], u8 _r[16])
457{
458 int err;
459
460 /* Just least significant octets from r1 and r2 are considered */
461 memcpy(_r, r2, 8);
462 memcpy(_r + 8, r1, 8);
463
28a220aa 464 err = smp_e(k, _r);
06edf8de
JH		 465 if (err)
466 BT_ERR("Encrypt data error");
6a77083a
JH		 467
468 return err;
469}
470
28a220aa 471static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
60478054 472{
943a732a 473 u8 _res[16];
60478054
JH		 474 int err;
475
476 /* r' = padding || r */
943a732a
JH		 477 memcpy(_res, r, 3);
478 memset(_res + 3, 0, 13);
60478054 479
28a220aa 480 err = smp_e(irk, _res);
60478054
JH		 481 if (err) {
482 BT_ERR("Encrypt error");
483 return err;
484 }
485
486 /* The output of the random address function ah is:
c5080d42 487 * ah(k, r) = e(k, r') mod 2^24
60478054
JH		 488 * The output of the security function e is then truncated to 24 bits
489 * by taking the least significant 24 bits of the output of e as the
490 * result of ah.
491 */
943a732a 492 memcpy(res, _res, 3);
60478054
JH		 493
494 return 0;
495}
496
cd082797
JH		 497bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498 const bdaddr_t *bdaddr)
60478054 499{
defce9e8 500 struct l2cap_chan *chan = hdev->smp_data;
60478054
JH		 501 u8 hash[3];
502 int err;
503
defce9e8
JH		 504 if (!chan || !chan->data)
505 return false;
506
56860245 507 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
60478054 508
28a220aa 509 err = smp_ah(irk, &bdaddr->b[3], hash);
60478054
JH		 510 if (err)
511 return false;
512
329d8230 513 return !crypto_memneq(bdaddr->b, hash, 3);
60478054
JH		 514}
515
cd082797 516int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
b1e2b3ae 517{
defce9e8 518 struct l2cap_chan *chan = hdev->smp_data;
b1e2b3ae
JH		 519 int err;
520
defce9e8
JH		 521 if (!chan || !chan->data)
522 return -EOPNOTSUPP;
523
b1e2b3ae
JH		 524 get_random_bytes(&rpa->b[3], 3);
525
526 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
527 rpa->b[5] |= 0x40; /* Set second most significant bit */
528
28a220aa 529 err = smp_ah(irk, &rpa->b[3], rpa->b);
b1e2b3ae
JH		 530 if (err < 0)
531 return err;
532
56860245 533 bt_dev_dbg(hdev, "RPA %pMR", rpa);
b1e2b3ae
JH		 534
535 return 0;
536}
537
60a27d65
MH		 538int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539{
540 struct l2cap_chan *chan = hdev->smp_data;
541 struct smp_dev *smp;
542 int err;
543
544 if (!chan || !chan->data)
545 return -EOPNOTSUPP;
546
547 smp = chan->data;
548
549 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
56860245 550 bt_dev_dbg(hdev, "Using debug keys");
c0153b0b
TA		 551 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552 if (err)
553 return err;
60a27d65 554 memcpy(smp->local_pk, debug_pk, 64);
60a27d65
MH		 555 smp->debug_key = true;
556 } else {
557 while (true) {
c0153b0b
TA		 558 /* Generate key pair for Secure Connections */
559 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
a2976416
TA		 560 if (err)
561 return err;
60a27d65
MH		 562
563 /* This is unlikely, but we need to check that
564 * we didn't accidentially generate a debug key.
565 */
c0153b0b 566 if (crypto_memneq(smp->local_pk, debug_pk, 64))
60a27d65
MH		 567 break;
568 }
569 smp->debug_key = false;
570 }
571
572 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
60a27d65 574
fb334fee 575 get_random_bytes(smp->local_rand, 16);
60a27d65
MH		 576
577 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
fb334fee 578 smp->local_rand, 0, hash);
60a27d65
MH		 579 if (err < 0)
580 return err;
581
fb334fee 582 memcpy(rand, smp->local_rand, 16);
60a27d65 583
94f14e47
JH		 584 smp->local_oob = true;
585
60a27d65
MH		 586 return 0;
587}
588
5d88cc73 589static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
eb492e01 590{
5d88cc73 591 struct l2cap_chan *chan = conn->smp;
b68fda68 592 struct smp_chan *smp;
5d88cc73
JH		 593 struct kvec iv[2];
594 struct msghdr msg;
eb492e01 595
5d88cc73
JH		 596 if (!chan)
597 return;
eb492e01 598
5d88cc73 599 BT_DBG("code 0x%2.2x", code);
eb492e01 600
5d88cc73
JH		 601 iv[0].iov_base = &code;
602 iv[0].iov_len = 1;
eb492e01 603
5d88cc73
JH		 604 iv[1].iov_base = data;
605 iv[1].iov_len = len;
eb492e01 606
5d88cc73 607 memset(&msg, 0, sizeof(msg));
eb492e01 608
aa563d7b 609 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
eb492e01 610
5d88cc73 611 l2cap_chan_send(chan, &msg, 1 + len);
e2dcd113 612
b68fda68
JH		 613 if (!chan->data)
614 return;
615
616 smp = chan->data;
617
618 cancel_delayed_work_sync(&smp->security_timer);
1b0921d6 619 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
eb492e01
AB		 620}
621
d2eb9e10 622static u8 authreq_to_seclevel(u8 authreq)
2b64d153 623{
d2eb9e10
JH		 624 if (authreq & SMP_AUTH_MITM) {
625 if (authreq & SMP_AUTH_SC)
626 return BT_SECURITY_FIPS;
627 else
628 return BT_SECURITY_HIGH;
629 } else {
2b64d153 630 return BT_SECURITY_MEDIUM;
d2eb9e10 631 }
2b64d153
BG		 632}
633
634static __u8 seclevel_to_authreq(__u8 sec_level)
635{
636 switch (sec_level) {
d2eb9e10 637 case BT_SECURITY_FIPS:
2b64d153
BG		 638 case BT_SECURITY_HIGH:
639 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640 case BT_SECURITY_MEDIUM:
641 return SMP_AUTH_BONDING;
642 default:
643 return SMP_AUTH_NONE;
644 }
645}
646
b8e66eac 647static void build_pairing_cmd(struct l2cap_conn *conn,
f1560463
MH		 648 struct smp_cmd_pairing *req,
649 struct smp_cmd_pairing *rsp, __u8 authreq)
b8e66eac 650{
5d88cc73
JH		 651 struct l2cap_chan *chan = conn->smp;
652 struct smp_chan *smp = chan->data;
fd349c02
JH		 653 struct hci_conn *hcon = conn->hcon;
654 struct hci_dev *hdev = hcon->hdev;
02b05bd8 655 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
54790f73 656
d7a5a11d 657 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
7ee4ea36
MH		 658 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
54790f73 660 authreq |= SMP_AUTH_BONDING;
2b64d153
BG		 661 } else {
662 authreq &= ~SMP_AUTH_BONDING;
54790f73
VCG		 663 }
664
d7a5a11d 665 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
fd349c02
JH		 666 remote_dist |= SMP_DIST_ID_KEY;
667
d7a5a11d 668 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
863efaf2
JH		 669 local_dist |= SMP_DIST_ID_KEY;
670
d7a5a11d 671 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
02b05bd8
JH		 672 (authreq & SMP_AUTH_SC)) {
673 struct oob_data *oob_data;
674 u8 bdaddr_type;
675
d7a5a11d 676 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
df8e1a4c
JH		 677 local_dist |= SMP_DIST_LINK_KEY;
678 remote_dist |= SMP_DIST_LINK_KEY;
679 }
02b05bd8
JH		 680
681 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682 bdaddr_type = BDADDR_LE_PUBLIC;
683 else
684 bdaddr_type = BDADDR_LE_RANDOM;
685
686 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687 bdaddr_type);
4775a4ea 688 if (oob_data && oob_data->present) {
1a8bab4f 689 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
02b05bd8 690 oob_flag = SMP_OOB_PRESENT;
a29b0733 691 memcpy(smp->rr, oob_data->rand256, 16);
02b05bd8 692 memcpy(smp->pcnf, oob_data->hash256, 16);
bc07cd69
MH		 693 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
02b05bd8
JH		 695 }
696
df8e1a4c
JH		 697 } else {
698 authreq &= ~SMP_AUTH_SC;
699 }
700
54790f73
VCG		 701 if (rsp == NULL) {
702 req->io_capability = conn->hcon->io_capability;
02b05bd8 703 req->oob_flag = oob_flag;
30d65e08 704 req->max_key_size = hdev->le_max_key_size;
fd349c02
JH		 705 req->init_key_dist = local_dist;
706 req->resp_key_dist = remote_dist;
0edb14de 707 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 708
709 smp->remote_key_dist = remote_dist;
54790f73
VCG		 710 return;
711 }
712
713 rsp->io_capability = conn->hcon->io_capability;
02b05bd8 714 rsp->oob_flag = oob_flag;
30d65e08 715 rsp->max_key_size = hdev->le_max_key_size;
fd349c02
JH		 716 rsp->init_key_dist = req->init_key_dist & remote_dist;
717 rsp->resp_key_dist = req->resp_key_dist & local_dist;
0edb14de 718 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 719
720 smp->remote_key_dist = rsp->init_key_dist;
b8e66eac
VCG		 721}
722
3158c50c
VCG		 723static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724{
5d88cc73 725 struct l2cap_chan *chan = conn->smp;
2fd36558 726 struct hci_dev *hdev = conn->hcon->hdev;
5d88cc73 727 struct smp_chan *smp = chan->data;
1c1def09 728
49c06c9e
ŁR		 729 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730 max_key_size != SMP_MAX_ENC_KEY_SIZE)
731 return SMP_ENC_KEY_SIZE;
732
30d65e08 733 if (max_key_size > hdev->le_max_key_size ||
2fd36558 734 max_key_size < SMP_MIN_ENC_KEY_SIZE)
3158c50c
VCG		 735 return SMP_ENC_KEY_SIZE;
736
f7aa611a 737 smp->enc_key_size = max_key_size;
3158c50c
VCG		 738
739 return 0;
740}
741
6f48e260
JH		 742static void smp_chan_destroy(struct l2cap_conn *conn)
743{
744 struct l2cap_chan *chan = conn->smp;
745 struct smp_chan *smp = chan->data;
923e2414 746 struct hci_conn *hcon = conn->hcon;
6f48e260
JH		 747 bool complete;
748
749 BUG_ON(!smp);
750
751 cancel_delayed_work_sync(&smp->security_timer);
6f48e260 752
6f48e260 753 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
923e2414 754 mgmt_smp_complete(hcon, complete);
6f48e260 755
453431a5
WL		 756 kfree_sensitive(smp->csrk);
757 kfree_sensitive(smp->slave_csrk);
758 kfree_sensitive(smp->link_key);
6f48e260 759
71af2f6b 760 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 761 crypto_free_kpp(smp->tfm_ecdh);
6f48e260 762
923e2414
JH		 763 /* Ensure that we don't leave any debug key around if debug key
764 * support hasn't been explicitly enabled.
765 */
766 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
d7a5a11d 767 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
923e2414
JH		 768 list_del_rcu(&smp->ltk->list);
769 kfree_rcu(smp->ltk, rcu);
770 smp->ltk = NULL;
771 }
772
6f48e260
JH		 773 /* If pairing failed clean up any keys we might have */
774 if (!complete) {
775 if (smp->ltk) {
970d0f1b
JH		 776 list_del_rcu(&smp->ltk->list);
777 kfree_rcu(smp->ltk, rcu);
6f48e260
JH		 778 }
779
780 if (smp->slave_ltk) {
970d0f1b
JH		 781 list_del_rcu(&smp->slave_ltk->list);
782 kfree_rcu(smp->slave_ltk, rcu);
6f48e260
JH		 783 }
784
785 if (smp->remote_irk) {
adae20cb
JH		 786 list_del_rcu(&smp->remote_irk->list);
787 kfree_rcu(smp->remote_irk, rcu);
6f48e260
JH		 788 }
789 }
790
791 chan->data = NULL;
453431a5 792 kfree_sensitive(smp);
923e2414 793 hci_conn_drop(hcon);
6f48e260
JH		 794}
795
84794e11 796static void smp_failure(struct l2cap_conn *conn, u8 reason)
4f957a76 797{
bab73cb6 798 struct hci_conn *hcon = conn->hcon;
b68fda68 799 struct l2cap_chan *chan = conn->smp;
bab73cb6 800
84794e11 801 if (reason)
4f957a76 802 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
f1560463 803 &reason);
4f957a76 804
e1e930f5 805 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
f1c09c07 806
fc75cc86 807 if (chan->data)
f1c09c07 808 smp_chan_destroy(conn);
4f957a76
BG		 809}
810
2b64d153
BG		 811#define JUST_WORKS 0x00
812#define JUST_CFM 0x01
813#define REQ_PASSKEY 0x02
814#define CFM_PASSKEY 0x03
815#define REQ_OOB 0x04
5e3d3d9b 816#define DSP_PASSKEY 0x05
2b64d153
BG		 817#define OVERLAP 0xFF
818
819static const u8 gen_method[5][5] = {
820 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
824 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
825};
826
5e3d3d9b
JH		 827static const u8 sc_method[5][5] = {
828 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
832 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833};
834
581370cc
JH		 835static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836{
2bcd4003
JH		 837 /* If either side has unknown io_caps, use JUST_CFM (which gets
838 * converted later to JUST_WORKS if we're initiators.
839 */
581370cc
JH		 840 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841 remote_io > SMP_IO_KEYBOARD_DISPLAY)
2bcd4003 842 return JUST_CFM;
581370cc 843
5e3d3d9b
JH		 844 if (test_bit(SMP_FLAG_SC, &smp->flags))
845 return sc_method[remote_io][local_io];
846
581370cc
JH		 847 return gen_method[remote_io][local_io];
848}
849
2b64d153
BG		 850static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851 u8 local_io, u8 remote_io)
852{
853 struct hci_conn *hcon = conn->hcon;
5d88cc73
JH		 854 struct l2cap_chan *chan = conn->smp;
855 struct smp_chan *smp = chan->data;
2b64d153 856 u32 passkey = 0;
d1d900f8 857 int ret;
2b64d153
BG		 858
859 /* Initialize key for JUST WORKS */
860 memset(smp->tk, 0, sizeof(smp->tk));
4a74d658 861 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 862
863 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
864
2bcd4003
JH		 865 /* If neither side wants MITM, either "just" confirm an incoming
866 * request or use just-works for outgoing ones. The JUST_CFM
867 * will be converted to JUST_WORKS if necessary later in this
868 * function. If either side has MITM look up the method from the
869 * table.
870 */
581370cc 871 if (!(auth & SMP_AUTH_MITM))
783e0574 872 smp->method = JUST_CFM;
2b64d153 873 else
783e0574 874 smp->method = get_auth_method(smp, local_io, remote_io);
2b64d153 875
a82505c7 876 /* Don't confirm locally initiated pairing attempts */
783e0574
JH		 877 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
878 &smp->flags))
879 smp->method = JUST_WORKS;
a82505c7 880
02f3e254 881 /* Don't bother user space with no IO capabilities */
783e0574
JH		 882 if (smp->method == JUST_CFM &&
883 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
884 smp->method = JUST_WORKS;
02f3e254 885
92516cd9
SS		 886 /* If Just Works, Continue with Zero TK and ask user-space for
887 * confirmation */
783e0574 888 if (smp->method == JUST_WORKS) {
d1d900f8 889 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
92516cd9
SS		 890 hcon->type,
891 hcon->dst_type,
892 passkey, 1);
d1d900f8
GR		 893 if (ret)
894 return ret;
92516cd9 895 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2b64d153
BG		 896 return 0;
897 }
898
19c5ce9c
JH		 899 /* If this function is used for SC -> legacy fallback we
900 * can only recover the just-works case.
901 */
902 if (test_bit(SMP_FLAG_SC, &smp->flags))
903 return -EINVAL;
904
2b64d153 905 /* Not Just Works/Confirm results in MITM Authentication */
783e0574 906 if (smp->method != JUST_CFM) {
4a74d658 907 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
5eb596f5
JH		 908 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
909 hcon->pending_sec_level = BT_SECURITY_HIGH;
910 }
2b64d153
BG		 911
912 /* If both devices have Keyoard-Display I/O, the master
913 * Confirms and the slave Enters the passkey.
914 */
783e0574 915 if (smp->method == OVERLAP) {
40bef302 916 if (hcon->role == HCI_ROLE_MASTER)
783e0574 917 smp->method = CFM_PASSKEY;
2b64d153 918 else
783e0574 919 smp->method = REQ_PASSKEY;
2b64d153
BG		 920 }
921
01ad34d2 922 /* Generate random passkey. */
783e0574 923 if (smp->method == CFM_PASSKEY) {
943a732a 924 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153
BG		 925 get_random_bytes(&passkey, sizeof(passkey));
926 passkey %= 1000000;
943a732a 927 put_unaligned_le32(passkey, smp->tk);
2b64d153 928 BT_DBG("PassKey: %d", passkey);
4a74d658 929 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 930 }
931
783e0574 932 if (smp->method == REQ_PASSKEY)
ce39fb4e 933 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
272d90df 934 hcon->type, hcon->dst_type);
783e0574 935 else if (smp->method == JUST_CFM)
4eb65e66
JH		 936 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
937 hcon->type, hcon->dst_type,
938 passkey, 1);
2b64d153 939 else
01ad34d2 940 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
272d90df 941 hcon->type, hcon->dst_type,
39adbffe 942 passkey, 0);
2b64d153 943
2b64d153
BG		 944 return ret;
945}
946
1cc61144 947static u8 smp_confirm(struct smp_chan *smp)
8aab4757 948{
8aab4757 949 struct l2cap_conn *conn = smp->conn;
8aab4757
VCG		 950 struct smp_cmd_pairing_confirm cp;
951 int ret;
8aab4757
VCG		 952
953 BT_DBG("conn %p", conn);
954
28a220aa 955 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
b1cd5fd9 956 conn->hcon->init_addr_type, &conn->hcon->init_addr,
943a732a
JH		 957 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
958 cp.confirm_val);
1cc61144
JH		 959 if (ret)
960 return SMP_UNSPECIFIED;
8aab4757 961
4a74d658 962 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153 963
8aab4757
VCG		 964 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
965
b28b4943
JH		 966 if (conn->hcon->out)
967 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
968 else
969 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
970
1cc61144 971 return 0;
8aab4757
VCG		 972}
973
861580a9 974static u8 smp_random(struct smp_chan *smp)
8aab4757 975{
8aab4757
VCG		 976 struct l2cap_conn *conn = smp->conn;
977 struct hci_conn *hcon = conn->hcon;
861580a9 978 u8 confirm[16];
8aab4757
VCG		 979 int ret;
980
8aab4757
VCG		 981 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
982
28a220aa 983 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
b1cd5fd9 984 hcon->init_addr_type, &hcon->init_addr,
943a732a 985 hcon->resp_addr_type, &hcon->resp_addr, confirm);
861580a9
JH		 986 if (ret)
987 return SMP_UNSPECIFIED;
8aab4757 988
329d8230 989 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
2064ee33
MH		 990 bt_dev_err(hcon->hdev, "pairing failed "
991 "(confirmation values mismatch)");
861580a9 992 return SMP_CONFIRM_FAILED;
8aab4757
VCG		 993 }
994
995 if (hcon->out) {
fe39c7b2
MH		 996 u8 stk[16];
997 __le64 rand = 0;
998 __le16 ediv = 0;
8aab4757 999
28a220aa 1000 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
8aab4757 1001
861580a9
JH		 1002 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1003 return SMP_UNSPECIFIED;
8aab4757 1004
8b76ce34 1005 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
f7aa611a 1006 hcon->enc_key_size = smp->enc_key_size;
fe59a05f 1007 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
8aab4757 1008 } else {
fff3490f 1009 u8 stk[16], auth;
fe39c7b2
MH		 1010 __le64 rand = 0;
1011 __le16 ediv = 0;
8aab4757 1012
943a732a
JH		 1013 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1014 smp->prnd);
8aab4757 1015
28a220aa 1016 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
8aab4757 1017
fff3490f
JH		 1018 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1019 auth = 1;
1020 else
1021 auth = 0;
1022
7d5843b7
JH		 1023 /* Even though there's no _SLAVE suffix this is the
1024 * slave STK we're adding for later lookup (the master
1025 * STK never needs to be stored).
1026 */
ce39fb4e 1027 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2ceba539 1028 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
8aab4757
VCG		 1029 }
1030
861580a9 1031 return 0;
8aab4757
VCG		 1032}
1033
44f1a7ab
JH		 1034static void smp_notify_keys(struct l2cap_conn *conn)
1035{
1036 struct l2cap_chan *chan = conn->smp;
1037 struct smp_chan *smp = chan->data;
1038 struct hci_conn *hcon = conn->hcon;
1039 struct hci_dev *hdev = hcon->hdev;
1040 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1041 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1042 bool persistent;
1043
cad20c27
JH		 1044 if (hcon->type == ACL_LINK) {
1045 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1046 persistent = false;
1047 else
1048 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1049 &hcon->flags);
1050 } else {
1051 /* The LTKs, IRKs and CSRKs should be persistent only if
1052 * both sides had the bonding bit set in their
1053 * authentication requests.
1054 */
1055 persistent = !!((req->auth_req & rsp->auth_req) &
1056 SMP_AUTH_BONDING);
1057 }
1058
44f1a7ab 1059 if (smp->remote_irk) {
cad20c27
JH		 1060 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1061
44f1a7ab
JH		 1062 /* Now that user space can be considered to know the
1063 * identity address track the connection based on it
b5ae344d 1064 * from now on (assuming this is an LE link).
44f1a7ab 1065 */
b5ae344d
JH		 1066 if (hcon->type == LE_LINK) {
1067 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1068 hcon->dst_type = smp->remote_irk->addr_type;
1069 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1070 }
44f1a7ab
JH		 1071 }
1072
44f1a7ab
JH		 1073 if (smp->csrk) {
1074 smp->csrk->bdaddr_type = hcon->dst_type;
1075 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1076 mgmt_new_csrk(hdev, smp->csrk, persistent);
1077 }
1078
1079 if (smp->slave_csrk) {
1080 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1081 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1082 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1083 }
1084
1085 if (smp->ltk) {
1086 smp->ltk->bdaddr_type = hcon->dst_type;
1087 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1088 mgmt_new_ltk(hdev, smp->ltk, persistent);
1089 }
1090
1091 if (smp->slave_ltk) {
1092 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1093 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1094 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1095 }
6a77083a
JH		 1096
1097 if (smp->link_key) {
e3befab9
JH		 1098 struct link_key *key;
1099 u8 type;
1100
1101 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1102 type = HCI_LK_DEBUG_COMBINATION;
1103 else if (hcon->sec_level == BT_SECURITY_FIPS)
1104 type = HCI_LK_AUTH_COMBINATION_P256;
1105 else
1106 type = HCI_LK_UNAUTH_COMBINATION_P256;
1107
1108 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1109 smp->link_key, type, 0, &persistent);
1110 if (key) {
1111 mgmt_new_link_key(hdev, key, persistent);
1112
1113 /* Don't keep debug keys around if the relevant
1114 * flag is not set.
1115 */
d7a5a11d 1116 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
e3befab9
JH		 1117 key->type == HCI_LK_DEBUG_COMBINATION) {
1118 list_del_rcu(&key->list);
1119 kfree_rcu(key, rcu);
1120 }
1121 }
6a77083a
JH		 1122 }
1123}
1124
d3e54a87
JH		 1125static void sc_add_ltk(struct smp_chan *smp)
1126{
1127 struct hci_conn *hcon = smp->conn->hcon;
1128 u8 key_type, auth;
1129
1130 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1131 key_type = SMP_LTK_P256_DEBUG;
1132 else
1133 key_type = SMP_LTK_P256;
1134
1135 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1136 auth = 1;
1137 else
1138 auth = 0;
1139
d3e54a87
JH		 1140 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1141 key_type, auth, smp->tk, smp->enc_key_size,
1142 0, 0);
1143}
1144
6a77083a
JH		 1145static void sc_generate_link_key(struct smp_chan *smp)
1146{
a62da6f1 1147 /* From core spec. Spells out in ASCII as 'lebr'. */
6a77083a
JH		 1148 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1149
1150 smp->link_key = kzalloc(16, GFP_KERNEL);
1151 if (!smp->link_key)
1152 return;
1153
a62da6f1 1154 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
151129df 1155 /* SALT = 0x000000000000000000000000746D7031 */
a62da6f1
JH		 1156 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1157
1158 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
453431a5 1159 kfree_sensitive(smp->link_key);
a62da6f1
JH		 1160 smp->link_key = NULL;
1161 return;
1162 }
1163 } else {
1164 /* From core spec. Spells out in ASCII as 'tmp1'. */
1165 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1166
1167 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
453431a5 1168 kfree_sensitive(smp->link_key);
a62da6f1
JH		 1169 smp->link_key = NULL;
1170 return;
1171 }
6a77083a
JH		 1172 }
1173
1174 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
453431a5 1175 kfree_sensitive(smp->link_key);
6a77083a
JH		 1176 smp->link_key = NULL;
1177 return;
1178 }
44f1a7ab
JH		 1179}
1180
b28b4943
JH		 1181static void smp_allow_key_dist(struct smp_chan *smp)
1182{
1183 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1184 * will be allowed in each PDU handler to ensure we receive
1185 * them in the correct order.
1186 */
1187 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1188 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1189 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1190 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1191 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1192 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1193}
1194
b5ae344d
JH		 1195static void sc_generate_ltk(struct smp_chan *smp)
1196{
a62da6f1 1197 /* From core spec. Spells out in ASCII as 'brle'. */
b5ae344d
JH		 1198 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1199 struct hci_conn *hcon = smp->conn->hcon;
1200 struct hci_dev *hdev = hcon->hdev;
1201 struct link_key *key;
1202
1203 key = hci_find_link_key(hdev, &hcon->dst);
1204 if (!key) {
2064ee33 1205 bt_dev_err(hdev, "no Link Key found to generate LTK");
b5ae344d
JH		 1206 return;
1207 }
1208
1209 if (key->type == HCI_LK_DEBUG_COMBINATION)
1210 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1211
a62da6f1 1212 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
151129df 1213 /* SALT = 0x000000000000000000000000746D7032 */
a62da6f1
JH		 1214 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1215
1216 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1217 return;
1218 } else {
1219 /* From core spec. Spells out in ASCII as 'tmp2'. */
1220 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1221
1222 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1223 return;
1224 }
b5ae344d
JH		 1225
1226 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1227 return;
1228
1229 sc_add_ltk(smp);
1230}
1231
d6268e86 1232static void smp_distribute_keys(struct smp_chan *smp)
44f1a7ab
JH		 1233{
1234 struct smp_cmd_pairing *req, *rsp;
86d1407c 1235 struct l2cap_conn *conn = smp->conn;
44f1a7ab
JH		 1236 struct hci_conn *hcon = conn->hcon;
1237 struct hci_dev *hdev = hcon->hdev;
1238 __u8 *keydist;
1239
1240 BT_DBG("conn %p", conn);
1241
44f1a7ab
JH		 1242 rsp = (void *) &smp->prsp[1];
1243
1244 /* The responder sends its keys first */
b28b4943
JH		 1245 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1246 smp_allow_key_dist(smp);
86d1407c 1247 return;
b28b4943 1248 }
44f1a7ab
JH		 1249
1250 req = (void *) &smp->preq[1];
1251
1252 if (hcon->out) {
1253 keydist = &rsp->init_key_dist;
1254 *keydist &= req->init_key_dist;
1255 } else {
1256 keydist = &rsp->resp_key_dist;
1257 *keydist &= req->resp_key_dist;
1258 }
1259
6a77083a 1260 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
b5ae344d 1261 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
6a77083a 1262 sc_generate_link_key(smp);
b5ae344d
JH		 1263 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1264 sc_generate_ltk(smp);
6a77083a
JH		 1265
1266 /* Clear the keys which are generated but not distributed */
1267 *keydist &= ~SMP_SC_NO_DIST;
1268 }
1269
44f1a7ab
JH		 1270 BT_DBG("keydist 0x%x", *keydist);
1271
1272 if (*keydist & SMP_DIST_ENC_KEY) {
1273 struct smp_cmd_encrypt_info enc;
1274 struct smp_cmd_master_ident ident;
1275 struct smp_ltk *ltk;
1276 u8 authenticated;
1277 __le16 ediv;
1278 __le64 rand;
1279
1fc62c52
JH		 1280 /* Make sure we generate only the significant amount of
1281 * bytes based on the encryption key size, and set the rest
1282 * of the value to zeroes.
1283 */
1284 get_random_bytes(enc.ltk, smp->enc_key_size);
1285 memset(enc.ltk + smp->enc_key_size, 0,
1286 sizeof(enc.ltk) - smp->enc_key_size);
1287
44f1a7ab
JH		 1288 get_random_bytes(&ediv, sizeof(ediv));
1289 get_random_bytes(&rand, sizeof(rand));
1290
1291 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1292
1293 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1294 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1295 SMP_LTK_SLAVE, authenticated, enc.ltk,
1296 smp->enc_key_size, ediv, rand);
1297 smp->slave_ltk = ltk;
1298
1299 ident.ediv = ediv;
1300 ident.rand = rand;
1301
1302 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1303
1304 *keydist &= ~SMP_DIST_ENC_KEY;
1305 }
1306
1307 if (*keydist & SMP_DIST_ID_KEY) {
1308 struct smp_cmd_ident_addr_info addrinfo;
1309 struct smp_cmd_ident_info idinfo;
1310
1311 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1312
1313 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1314
1315 /* The hci_conn contains the local identity address
1316 * after the connection has been established.
1317 *
1318 * This is true even when the connection has been
1319 * established using a resolvable random address.
1320 */
1321 bacpy(&addrinfo.bdaddr, &hcon->src);
1322 addrinfo.addr_type = hcon->src_type;
1323
1324 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1325 &addrinfo);
1326
1327 *keydist &= ~SMP_DIST_ID_KEY;
1328 }
1329
1330 if (*keydist & SMP_DIST_SIGN) {
1331 struct smp_cmd_sign_info sign;
1332 struct smp_csrk *csrk;
1333
1334 /* Generate a new random key */
1335 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1336
1337 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1338 if (csrk) {
4cd3928a
JH		 1339 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1340 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1341 else
1342 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
44f1a7ab
JH		 1343 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1344 }
1345 smp->slave_csrk = csrk;
1346
1347 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1348
1349 *keydist &= ~SMP_DIST_SIGN;
1350 }
1351
1352 /* If there are still keys to be received wait for them */
b28b4943
JH		 1353 if (smp->remote_key_dist & KEY_DIST_MASK) {
1354 smp_allow_key_dist(smp);
86d1407c 1355 return;
b28b4943 1356 }
44f1a7ab 1357
44f1a7ab
JH		 1358 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1359 smp_notify_keys(conn);
1360
1361 smp_chan_destroy(conn);
44f1a7ab
JH		 1362}
1363
b68fda68
JH		 1364static void smp_timeout(struct work_struct *work)
1365{
1366 struct smp_chan *smp = container_of(work, struct smp_chan,
1367 security_timer.work);
1368 struct l2cap_conn *conn = smp->conn;
1369
1370 BT_DBG("conn %p", conn);
1371
1e91c29e 1372 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
b68fda68
JH		 1373}
1374
8aab4757
VCG		 1375static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1376{
5d88cc73 1377 struct l2cap_chan *chan = conn->smp;
8aab4757
VCG		 1378 struct smp_chan *smp;
1379
f1560463 1380 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
fc75cc86 1381 if (!smp)
8aab4757
VCG		 1382 return NULL;
1383
71af2f6b 1384 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
407cecf6
JH		 1385 if (IS_ERR(smp->tfm_cmac)) {
1386 BT_ERR("Unable to create CMAC crypto context");
28a220aa 1387 goto zfree_smp;
47eb2ac8
TA		 1388 }
1389
075f7732 1390 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
47eb2ac8
TA		 1391 if (IS_ERR(smp->tfm_ecdh)) {
1392 BT_ERR("Unable to create ECDH crypto context");
1393 goto free_shash;
407cecf6
JH		 1394 }
1395
8aab4757 1396 smp->conn = conn;
5d88cc73 1397 chan->data = smp;
8aab4757 1398
b28b4943
JH		 1399 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1400
b68fda68
JH		 1401 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1402
8aab4757
VCG		 1403 hci_conn_hold(conn->hcon);
1404
1405 return smp;
47eb2ac8
TA		 1406
1407free_shash:
1408 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 1409zfree_smp:
453431a5 1410 kfree_sensitive(smp);
47eb2ac8 1411 return NULL;
8aab4757
VCG		 1412}
1413
760b018b
JH		 1414static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1415{
1416 struct hci_conn *hcon = smp->conn->hcon;
1417 u8 *na, *nb, a[7], b[7];
1418
1419 if (hcon->out) {
1420 na = smp->prnd;
1421 nb = smp->rrnd;
1422 } else {
1423 na = smp->rrnd;
1424 nb = smp->prnd;
1425 }
1426
1427 memcpy(a, &hcon->init_addr, 6);
1428 memcpy(b, &hcon->resp_addr, 6);
1429 a[6] = hcon->init_addr_type;
1430 b[6] = hcon->resp_addr_type;
1431
1432 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1433}
1434
38606f14 1435static void sc_dhkey_check(struct smp_chan *smp)
760b018b
JH		 1436{
1437 struct hci_conn *hcon = smp->conn->hcon;
1438 struct smp_cmd_dhkey_check check;
1439 u8 a[7], b[7], *local_addr, *remote_addr;
1440 u8 io_cap[3], r[16];
1441
760b018b
JH		 1442 memcpy(a, &hcon->init_addr, 6);
1443 memcpy(b, &hcon->resp_addr, 6);
1444 a[6] = hcon->init_addr_type;
1445 b[6] = hcon->resp_addr_type;
1446
1447 if (hcon->out) {
1448 local_addr = a;
1449 remote_addr = b;
1450 memcpy(io_cap, &smp->preq[1], 3);
1451 } else {
1452 local_addr = b;
1453 remote_addr = a;
1454 memcpy(io_cap, &smp->prsp[1], 3);
1455 }
1456
dddd3059
JH		 1457 memset(r, 0, sizeof(r));
1458
1459 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
38606f14 1460 put_unaligned_le32(hcon->passkey_notify, r);
760b018b 1461
a29b0733
JH		 1462 if (smp->method == REQ_OOB)
1463 memcpy(r, smp->rr, 16);
1464
760b018b
JH		 1465 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1466 local_addr, remote_addr, check.e);
1467
1468 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
dddd3059
JH		 1469}
1470
38606f14
JH		 1471static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1472{
1473 struct l2cap_conn *conn = smp->conn;
1474 struct hci_conn *hcon = conn->hcon;
1475 struct smp_cmd_pairing_confirm cfm;
1476 u8 r;
1477
1478 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479 r |= 0x80;
1480
1481 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1482
1483 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1484 cfm.confirm_val))
1485 return SMP_UNSPECIFIED;
1486
1487 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1488
1489 return 0;
1490}
1491
1492static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1493{
1494 struct l2cap_conn *conn = smp->conn;
1495 struct hci_conn *hcon = conn->hcon;
1496 struct hci_dev *hdev = hcon->hdev;
1497 u8 cfm[16], r;
1498
1499 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1500 if (smp->passkey_round >= 20)
1501 return 0;
1502
1503 switch (smp_op) {
1504 case SMP_CMD_PAIRING_RANDOM:
1505 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1506 r |= 0x80;
1507
1508 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1509 smp->rrnd, r, cfm))
1510 return SMP_UNSPECIFIED;
1511
329d8230 1512 if (crypto_memneq(smp->pcnf, cfm, 16))
38606f14
JH		 1513 return SMP_CONFIRM_FAILED;
1514
1515 smp->passkey_round++;
1516
1517 if (smp->passkey_round == 20) {
1518 /* Generate MacKey and LTK */
1519 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1520 return SMP_UNSPECIFIED;
1521 }
1522
1523 /* The round is only complete when the initiator
1524 * receives pairing random.
1525 */
1526 if (!hcon->out) {
1527 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1528 sizeof(smp->prnd), smp->prnd);
d3e54a87 1529 if (smp->passkey_round == 20)
38606f14 1530 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
d3e54a87 1531 else
38606f14 1532 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
38606f14
JH		 1533 return 0;
1534 }
1535
1536 /* Start the next round */
1537 if (smp->passkey_round != 20)
1538 return sc_passkey_round(smp, 0);
1539
1540 /* Passkey rounds are complete - start DHKey Check */
1541 sc_dhkey_check(smp);
1542 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1543
1544 break;
1545
1546 case SMP_CMD_PAIRING_CONFIRM:
1547 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1548 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1549 return 0;
1550 }
1551
1552 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1553
1554 if (hcon->out) {
1555 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1556 sizeof(smp->prnd), smp->prnd);
1557 return 0;
1558 }
1559
1560 return sc_passkey_send_confirm(smp);
1561
1562 case SMP_CMD_PUBLIC_KEY:
1563 default:
1564 /* Initiating device starts the round */
1565 if (!hcon->out)
1566 return 0;
1567
1568 BT_DBG("%s Starting passkey round %u", hdev->name,
1569 smp->passkey_round + 1);
1570
1571 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1572
1573 return sc_passkey_send_confirm(smp);
1574 }
1575
1576 return 0;
1577}
1578
dddd3059
JH		 1579static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1580{
38606f14
JH		 1581 struct l2cap_conn *conn = smp->conn;
1582 struct hci_conn *hcon = conn->hcon;
1583 u8 smp_op;
1584
1585 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1586
dddd3059
JH		 1587 switch (mgmt_op) {
1588 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1589 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1590 return 0;
1591 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1592 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1593 return 0;
38606f14
JH		 1594 case MGMT_OP_USER_PASSKEY_REPLY:
1595 hcon->passkey_notify = le32_to_cpu(passkey);
1596 smp->passkey_round = 0;
1597
1598 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1599 smp_op = SMP_CMD_PAIRING_CONFIRM;
1600 else
1601 smp_op = 0;
1602
1603 if (sc_passkey_round(smp, smp_op))
1604 return -EIO;
1605
1606 return 0;
dddd3059
JH		 1607 }
1608
d3e54a87
JH		 1609 /* Initiator sends DHKey check first */
1610 if (hcon->out) {
1611 sc_dhkey_check(smp);
1612 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1613 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1614 sc_dhkey_check(smp);
1615 sc_add_ltk(smp);
1616 }
760b018b
JH		 1617
1618 return 0;
1619}
1620
2b64d153
BG		 1621int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1622{
b10e8017 1623 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73 1624 struct l2cap_chan *chan;
2b64d153
BG		 1625 struct smp_chan *smp;
1626 u32 value;
fc75cc86 1627 int err;
2b64d153
BG		 1628
1629 BT_DBG("");
1630
fc75cc86 1631 if (!conn)
2b64d153
BG		 1632 return -ENOTCONN;
1633
5d88cc73
JH		 1634 chan = conn->smp;
1635 if (!chan)
1636 return -ENOTCONN;
1637
fc75cc86
JH		 1638 l2cap_chan_lock(chan);
1639 if (!chan->data) {
1640 err = -ENOTCONN;
1641 goto unlock;
1642 }
1643
5d88cc73 1644 smp = chan->data;
2b64d153 1645
760b018b
JH		 1646 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1647 err = sc_user_reply(smp, mgmt_op, passkey);
1648 goto unlock;
1649 }
1650
2b64d153
BG		 1651 switch (mgmt_op) {
1652 case MGMT_OP_USER_PASSKEY_REPLY:
1653 value = le32_to_cpu(passkey);
943a732a 1654 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153 1655 BT_DBG("PassKey: %d", value);
943a732a 1656 put_unaligned_le32(value, smp->tk);
19186c7b 1657 fallthrough;
2b64d153 1658 case MGMT_OP_USER_CONFIRM_REPLY:
4a74d658 1659 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 1660 break;
1661 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1662 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e11 1663 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1664 err = 0;
1665 goto unlock;
2b64d153 1666 default:
84794e11 1667 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1668 err = -EOPNOTSUPP;
1669 goto unlock;
2b64d153
BG		 1670 }
1671
fc75cc86
JH		 1672 err = 0;
1673
2b64d153 1674 /* If it is our turn to send Pairing Confirm, do so now */
1cc61144
JH		 1675 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1676 u8 rsp = smp_confirm(smp);
1677 if (rsp)
1678 smp_failure(conn, rsp);
1679 }
2b64d153 1680
fc75cc86
JH		 1681unlock:
1682 l2cap_chan_unlock(chan);
1683 return err;
2b64d153
BG		 1684}
1685
b5ae344d
JH		 1686static void build_bredr_pairing_cmd(struct smp_chan *smp,
1687 struct smp_cmd_pairing *req,
1688 struct smp_cmd_pairing *rsp)
1689{
1690 struct l2cap_conn *conn = smp->conn;
1691 struct hci_dev *hdev = conn->hcon->hdev;
1692 u8 local_dist = 0, remote_dist = 0;
1693
d7a5a11d 1694 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
b5ae344d
JH		 1695 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1697 }
1698
d7a5a11d 1699 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
b5ae344d
JH		 1700 remote_dist |= SMP_DIST_ID_KEY;
1701
d7a5a11d 1702 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
b5ae344d
JH		 1703 local_dist |= SMP_DIST_ID_KEY;
1704
1705 if (!rsp) {
1706 memset(req, 0, sizeof(*req));
1707
a62da6f1 1708 req->auth_req = SMP_AUTH_CT2;
b5ae344d
JH		 1709 req->init_key_dist = local_dist;
1710 req->resp_key_dist = remote_dist;
e3f6a257 1711 req->max_key_size = conn->hcon->enc_key_size;
b5ae344d
JH		 1712
1713 smp->remote_key_dist = remote_dist;
1714
1715 return;
1716 }
1717
1718 memset(rsp, 0, sizeof(*rsp));
1719
a62da6f1 1720 rsp->auth_req = SMP_AUTH_CT2;
e3f6a257 1721 rsp->max_key_size = conn->hcon->enc_key_size;
b5ae344d
JH		 1722 rsp->init_key_dist = req->init_key_dist & remote_dist;
1723 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1724
1725 smp->remote_key_dist = rsp->init_key_dist;
1726}
1727
da85e5e5 1728static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1729{
3158c50c 1730 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
fc75cc86 1731 struct l2cap_chan *chan = conn->smp;
b3c6410b 1732 struct hci_dev *hdev = conn->hcon->hdev;
8aab4757 1733 struct smp_chan *smp;
c7262e71 1734 u8 key_size, auth, sec_level;
8aab4757 1735 int ret;
88ba43b6
AB		 1736
1737 BT_DBG("conn %p", conn);
1738
c46b98be 1739 if (skb->len < sizeof(*req))
38e4a915 1740 return SMP_INVALID_PARAMS;
c46b98be 1741
40bef302 1742 if (conn->hcon->role != HCI_ROLE_SLAVE)
2b64d153
BG		 1743 return SMP_CMD_NOTSUPP;
1744
fc75cc86 1745 if (!chan->data)
8aab4757 1746 smp = smp_chan_create(conn);
fc75cc86 1747 else
5d88cc73 1748 smp = chan->data;
8aab4757 1749
d08fd0e7
AE		 1750 if (!smp)
1751 return SMP_UNSPECIFIED;
d26a2345 1752
c05b9339 1753 /* We didn't start the pairing, so match remote */
0edb14de 1754 auth = req->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1755
d7a5a11d 1756 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
c05b9339 1757 (auth & SMP_AUTH_BONDING))
b3c6410b
JH		 1758 return SMP_PAIRING_NOTSUPP;
1759
d7a5a11d 1760 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 1761 return SMP_AUTH_REQUIREMENTS;
1762
1c1def09
VCG		 1763 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1764 memcpy(&smp->preq[1], req, sizeof(*req));
3158c50c 1765 skb_pull(skb, sizeof(*req));
88ba43b6 1766
cb06d366
JH		 1767 /* If the remote side's OOB flag is set it means it has
1768 * successfully received our local OOB data - therefore set the
1769 * flag to indicate that local OOB is in use.
1770 */
94f14e47 1771 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
58428563
JH		 1772 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1773
b5ae344d
JH		 1774 /* SMP over BR/EDR requires special treatment */
1775 if (conn->hcon->type == ACL_LINK) {
1776 /* We must have a BR/EDR SC link */
08f63cc5 1777 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
b7cb93e5 1778 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
b5ae344d
JH		 1779 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1780
1781 set_bit(SMP_FLAG_SC, &smp->flags);
1782
1783 build_bredr_pairing_cmd(smp, req, &rsp);
1784
a62da6f1
JH		 1785 if (req->auth_req & SMP_AUTH_CT2)
1786 set_bit(SMP_FLAG_CT2, &smp->flags);
1787
b5ae344d
JH		 1788 key_size = min(req->max_key_size, rsp.max_key_size);
1789 if (check_enc_key_size(conn, key_size))
1790 return SMP_ENC_KEY_SIZE;
1791
1792 /* Clear bits which are generated but not distributed */
1793 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1794
1795 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1796 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1797 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1798
1799 smp_distribute_keys(smp);
1800 return 0;
1801 }
1802
5e3d3d9b
JH		 1803 build_pairing_cmd(conn, req, &rsp, auth);
1804
a62da6f1 1805 if (rsp.auth_req & SMP_AUTH_SC) {
5e3d3d9b
JH		 1806 set_bit(SMP_FLAG_SC, &smp->flags);
1807
a62da6f1
JH		 1808 if (rsp.auth_req & SMP_AUTH_CT2)
1809 set_bit(SMP_FLAG_CT2, &smp->flags);
1810 }
1811
5be5e275 1812 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 1813 sec_level = BT_SECURITY_MEDIUM;
1814 else
1815 sec_level = authreq_to_seclevel(auth);
1816
c7262e71
JH		 1817 if (sec_level > conn->hcon->pending_sec_level)
1818 conn->hcon->pending_sec_level = sec_level;
fdde0a26 1819
49c922bb 1820 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1821 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1822 u8 method;
1823
1824 method = get_auth_method(smp, conn->hcon->io_capability,
1825 req->io_capability);
1826 if (method == JUST_WORKS || method == JUST_CFM)
1827 return SMP_AUTH_REQUIREMENTS;
1828 }
1829
3158c50c
VCG		 1830 key_size = min(req->max_key_size, rsp.max_key_size);
1831 if (check_enc_key_size(conn, key_size))
1832 return SMP_ENC_KEY_SIZE;
88ba43b6 1833
e84a6b13 1834 get_random_bytes(smp->prnd, sizeof(smp->prnd));
8aab4757 1835
1c1def09
VCG		 1836 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1837 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
f01ead31 1838
3158c50c 1839 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
3b19146d
JH		 1840
1841 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1842
19c5ce9c
JH		 1843 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1844 * SC case, however some implementations incorrectly copy RFU auth
1845 * req bits from our security request, which may create a false
1846 * positive SC enablement.
1847 */
1848 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1849
3b19146d
JH		 1850 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1851 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1852 /* Clear bits which are generated but not distributed */
1853 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1854 /* Wait for Public Key from Initiating Device */
1855 return 0;
3b19146d 1856 }
da85e5e5 1857
2b64d153
BG		 1858 /* Request setup of TK */
1859 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1860 if (ret)
1861 return SMP_UNSPECIFIED;
1862
da85e5e5 1863 return 0;
88ba43b6
AB		 1864}
1865
3b19146d
JH		 1866static u8 sc_send_public_key(struct smp_chan *smp)
1867{
70157ef5
JH		 1868 struct hci_dev *hdev = smp->conn->hcon->hdev;
1869
56860245 1870 bt_dev_dbg(hdev, "");
3b19146d 1871
1a8bab4f 1872 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
33d0c030
MH		 1873 struct l2cap_chan *chan = hdev->smp_data;
1874 struct smp_dev *smp_dev;
1875
1876 if (!chan || !chan->data)
1877 return SMP_UNSPECIFIED;
1878
1879 smp_dev = chan->data;
1880
1881 memcpy(smp->local_pk, smp_dev->local_pk, 64);
fb334fee 1882 memcpy(smp->lr, smp_dev->local_rand, 16);
33d0c030
MH		 1883
1884 if (smp_dev->debug_key)
1885 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1886
1887 goto done;
1888 }
1889
d7a5a11d 1890 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
70157ef5 1891 BT_DBG("Using debug keys");
c0153b0b
TA		 1892 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1893 return SMP_UNSPECIFIED;
70157ef5 1894 memcpy(smp->local_pk, debug_pk, 64);
70157ef5
JH		 1895 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896 } else {
1897 while (true) {
c0153b0b
TA		 1898 /* Generate key pair for Secure Connections */
1899 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
70157ef5 1900 return SMP_UNSPECIFIED;
6c0dcc50 1901
70157ef5
JH		 1902 /* This is unlikely, but we need to check that
1903 * we didn't accidentially generate a debug key.
1904 */
c0153b0b 1905 if (crypto_memneq(smp->local_pk, debug_pk, 64))
70157ef5
JH		 1906 break;
1907 }
6c0dcc50 1908 }
3b19146d 1909
33d0c030 1910done:
c7a3d57d 1911 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
8e4e2ee5 1912 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
3b19146d
JH		 1913
1914 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1915
1916 return 0;
1917}
1918
da85e5e5 1919static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1920{
3158c50c 1921 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
5d88cc73
JH		 1922 struct l2cap_chan *chan = conn->smp;
1923 struct smp_chan *smp = chan->data;
0edb14de 1924 struct hci_dev *hdev = conn->hcon->hdev;
3a7dbfb8 1925 u8 key_size, auth;
7d24ddcc 1926 int ret;
88ba43b6
AB		 1927
1928 BT_DBG("conn %p", conn);
1929
c46b98be 1930 if (skb->len < sizeof(*rsp))
38e4a915 1931 return SMP_INVALID_PARAMS;
c46b98be 1932
40bef302 1933 if (conn->hcon->role != HCI_ROLE_MASTER)
2b64d153
BG		 1934 return SMP_CMD_NOTSUPP;
1935
3158c50c
VCG		 1936 skb_pull(skb, sizeof(*rsp));
1937
1c1def09 1938 req = (void *) &smp->preq[1];
da85e5e5 1939
3158c50c
VCG		 1940 key_size = min(req->max_key_size, rsp->max_key_size);
1941 if (check_enc_key_size(conn, key_size))
1942 return SMP_ENC_KEY_SIZE;
1943
0edb14de 1944 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1945
d7a5a11d 1946 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 1947 return SMP_AUTH_REQUIREMENTS;
1948
cb06d366
JH		 1949 /* If the remote side's OOB flag is set it means it has
1950 * successfully received our local OOB data - therefore set the
1951 * flag to indicate that local OOB is in use.
1952 */
94f14e47 1953 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
58428563
JH		 1954 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1955
b5ae344d
JH		 1956 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1957 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1958
1959 /* Update remote key distribution in case the remote cleared
1960 * some bits that we had enabled in our request.
1961 */
1962 smp->remote_key_dist &= rsp->resp_key_dist;
1963
a62da6f1
JH		 1964 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1965 set_bit(SMP_FLAG_CT2, &smp->flags);
1966
b5ae344d
JH		 1967 /* For BR/EDR this means we're done and can start phase 3 */
1968 if (conn->hcon->type == ACL_LINK) {
1969 /* Clear bits which are generated but not distributed */
1970 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1971 smp_distribute_keys(smp);
1972 return 0;
1973 }
1974
65668776
JH		 1975 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1976 set_bit(SMP_FLAG_SC, &smp->flags);
d2eb9e10
JH		 1977 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1978 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
65668776 1979
49c922bb 1980 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1981 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1982 u8 method;
1983
1984 method = get_auth_method(smp, req->io_capability,
1985 rsp->io_capability);
1986 if (method == JUST_WORKS || method == JUST_CFM)
1987 return SMP_AUTH_REQUIREMENTS;
1988 }
1989
e84a6b13 1990 get_random_bytes(smp->prnd, sizeof(smp->prnd));
7d24ddcc 1991
fdcc4bec
JH		 1992 /* Update remote key distribution in case the remote cleared
1993 * some bits that we had enabled in our request.
1994 */
1995 smp->remote_key_dist &= rsp->resp_key_dist;
1996
3b19146d
JH		 1997 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1998 /* Clear bits which are generated but not distributed */
1999 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2000 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2001 return sc_send_public_key(smp);
2002 }
2003
c05b9339 2004 auth |= req->auth_req;
2b64d153 2005
476585ec 2006 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2b64d153
BG		 2007 if (ret)
2008 return SMP_UNSPECIFIED;
2009
4a74d658 2010 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153
BG		 2011
2012 /* Can't compose response until we have been confirmed */
4a74d658 2013 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 2014 return smp_confirm(smp);
da85e5e5
VCG		 2015
2016 return 0;
88ba43b6
AB		 2017}
2018
dcee2b32
JH		 2019static u8 sc_check_confirm(struct smp_chan *smp)
2020{
2021 struct l2cap_conn *conn = smp->conn;
2022
2023 BT_DBG("");
2024
38606f14
JH		 2025 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2026 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2027
dcee2b32
JH		 2028 if (conn->hcon->out) {
2029 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2030 smp->prnd);
2031 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2032 }
2033
2034 return 0;
2035}
2036
19c5ce9c
JH		 2037/* Work-around for some implementations that incorrectly copy RFU bits
2038 * from our security request and thereby create the impression that
2039 * we're doing SC when in fact the remote doesn't support it.
2040 */
2041static int fixup_sc_false_positive(struct smp_chan *smp)
2042{
2043 struct l2cap_conn *conn = smp->conn;
2044 struct hci_conn *hcon = conn->hcon;
2045 struct hci_dev *hdev = hcon->hdev;
2046 struct smp_cmd_pairing *req, *rsp;
2047 u8 auth;
2048
2049 /* The issue is only observed when we're in slave role */
2050 if (hcon->out)
2051 return SMP_UNSPECIFIED;
2052
2053 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2064ee33 2054 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
19c5ce9c
JH		 2055 return SMP_UNSPECIFIED;
2056 }
2057
2064ee33 2058 bt_dev_err(hdev, "trying to fall back to legacy SMP");
19c5ce9c
JH		 2059
2060 req = (void *) &smp->preq[1];
2061 rsp = (void *) &smp->prsp[1];
2062
2063 /* Rebuild key dist flags which may have been cleared for SC */
2064 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2065
2066 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2067
2068 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2064ee33 2069 bt_dev_err(hdev, "failed to fall back to legacy SMP");
19c5ce9c
JH		 2070 return SMP_UNSPECIFIED;
2071 }
2072
2073 clear_bit(SMP_FLAG_SC, &smp->flags);
2074
2075 return 0;
2076}
2077
da85e5e5 2078static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 2079{
5d88cc73
JH		 2080 struct l2cap_chan *chan = conn->smp;
2081 struct smp_chan *smp = chan->data;
7d24ddcc 2082
88ba43b6
AB		 2083 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2084
c46b98be 2085 if (skb->len < sizeof(smp->pcnf))
38e4a915 2086 return SMP_INVALID_PARAMS;
c46b98be 2087
1c1def09
VCG		 2088 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2089 skb_pull(skb, sizeof(smp->pcnf));
88ba43b6 2090
19c5ce9c
JH		 2091 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2092 int ret;
2093
2094 /* Public Key exchange must happen before any other steps */
2095 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2096 return sc_check_confirm(smp);
2097
2098 BT_ERR("Unexpected SMP Pairing Confirm");
2099
2100 ret = fixup_sc_false_positive(smp);
2101 if (ret)
2102 return ret;
2103 }
dcee2b32 2104
b28b4943 2105 if (conn->hcon->out) {
943a732a
JH		 2106 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2107 smp->prnd);
b28b4943
JH		 2108 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2109 return 0;
2110 }
2111
2112 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 2113 return smp_confirm(smp);
983f9814
MH		 2114
2115 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
da85e5e5
VCG		 2116
2117 return 0;
88ba43b6
AB		 2118}
2119
da85e5e5 2120static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 2121{
5d88cc73
JH		 2122 struct l2cap_chan *chan = conn->smp;
2123 struct smp_chan *smp = chan->data;
191dc7fe 2124 struct hci_conn *hcon = conn->hcon;
eed467b5 2125 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
191dc7fe
JH		 2126 u32 passkey;
2127 int err;
7d24ddcc 2128
8aab4757 2129 BT_DBG("conn %p", conn);
3158c50c 2130
c46b98be 2131 if (skb->len < sizeof(smp->rrnd))
38e4a915 2132 return SMP_INVALID_PARAMS;
c46b98be 2133
943a732a 2134 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
8aab4757 2135 skb_pull(skb, sizeof(smp->rrnd));
e7e62c85 2136
191dc7fe
JH		 2137 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2138 return smp_random(smp);
2139
580039e8
JH		 2140 if (hcon->out) {
2141 pkax = smp->local_pk;
2142 pkbx = smp->remote_pk;
2143 na = smp->prnd;
2144 nb = smp->rrnd;
2145 } else {
2146 pkax = smp->remote_pk;
2147 pkbx = smp->local_pk;
2148 na = smp->rrnd;
2149 nb = smp->prnd;
2150 }
2151
a29b0733
JH		 2152 if (smp->method == REQ_OOB) {
2153 if (!hcon->out)
2154 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2155 sizeof(smp->prnd), smp->prnd);
2156 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2157 goto mackey_and_ltk;
2158 }
2159
38606f14
JH		 2160 /* Passkey entry has special treatment */
2161 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2162 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2163
191dc7fe
JH		 2164 if (hcon->out) {
2165 u8 cfm[16];
2166
2167 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2168 smp->rrnd, 0, cfm);
2169 if (err)
2170 return SMP_UNSPECIFIED;
2171
329d8230 2172 if (crypto_memneq(smp->pcnf, cfm, 16))
191dc7fe 2173 return SMP_CONFIRM_FAILED;
191dc7fe
JH		 2174 } else {
2175 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2176 smp->prnd);
2177 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
cee5f20f
HC		 2178
2179 /* Only Just-Works pairing requires extra checks */
2180 if (smp->method != JUST_WORKS)
2181 goto mackey_and_ltk;
2182
2183 /* If there already exists long term key in local host, leave
2184 * the decision to user space since the remote device could
2185 * be legitimate or malicious.
2186 */
2187 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2188 hcon->role)) {
eed467b5
HC		 2189 /* Set passkey to 0. The value can be any number since
2190 * it'll be ignored anyway.
2191 */
2192 passkey = 0;
2193 confirm_hint = 1;
2194 goto confirm;
cee5f20f 2195 }
191dc7fe
JH		 2196 }
2197
a29b0733 2198mackey_and_ltk:
760b018b
JH		 2199 /* Generate MacKey and LTK */
2200 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2201 if (err)
2202 return SMP_UNSPECIFIED;
2203
ffee202a 2204 if (smp->method == REQ_OOB) {
dddd3059 2205 if (hcon->out) {
38606f14 2206 sc_dhkey_check(smp);
dddd3059
JH		 2207 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2208 }
2209 return 0;
2210 }
2211
38606f14
JH		 2212 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2213 if (err)
2214 return SMP_UNSPECIFIED;
2215
eed467b5
HC		 2216 confirm_hint = 0;
2217
2218confirm:
ffee202a
SS		 2219 if (smp->method == JUST_WORKS)
2220 confirm_hint = 1;
2221
38606f14 2222 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
eed467b5 2223 hcon->dst_type, passkey, confirm_hint);
191dc7fe
JH		 2224 if (err)
2225 return SMP_UNSPECIFIED;
2226
38606f14
JH		 2227 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2228
191dc7fe 2229 return 0;
88ba43b6
AB		 2230}
2231
f81cd823 2232static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
988c5997 2233{
c9839a11 2234 struct smp_ltk *key;
988c5997
VCG		 2235 struct hci_conn *hcon = conn->hcon;
2236
f3a73d97 2237 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
988c5997 2238 if (!key)
f81cd823 2239 return false;
988c5997 2240
a6f7833c 2241 if (smp_ltk_sec_level(key) < sec_level)
f81cd823 2242 return false;
4dab7864 2243
51a8efd7 2244 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
f81cd823 2245 return true;
988c5997 2246
8b76ce34 2247 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
c9839a11 2248 hcon->enc_key_size = key->enc_size;
988c5997 2249
fe59a05f
JH		 2250 /* We never store STKs for master role, so clear this flag */
2251 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2252
f81cd823 2253 return true;
988c5997 2254}
f1560463 2255
35dc6f83
JH		 2256bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2257 enum smp_key_pref key_pref)
854f4727
JH		 2258{
2259 if (sec_level == BT_SECURITY_LOW)
2260 return true;
2261
35dc6f83
JH		 2262 /* If we're encrypted with an STK but the caller prefers using
2263 * LTK claim insufficient security. This way we allow the
2264 * connection to be re-encrypted with an LTK, even if the LTK
2265 * provides the same level of security. Only exception is if we
2266 * don't have an LTK (e.g. because of key distribution bits).
9ab65d60 2267 */
35dc6f83
JH		 2268 if (key_pref == SMP_USE_LTK &&
2269 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
f3a73d97 2270 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
9ab65d60
JH		 2271 return false;
2272
854f4727
JH		 2273 if (hcon->sec_level >= sec_level)
2274 return true;
2275
2276 return false;
2277}
2278
da85e5e5 2279static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6
AB		 2280{
2281 struct smp_cmd_security_req *rp = (void *) skb->data;
2282 struct smp_cmd_pairing cp;
f1cb9af5 2283 struct hci_conn *hcon = conn->hcon;
0edb14de 2284 struct hci_dev *hdev = hcon->hdev;
8aab4757 2285 struct smp_chan *smp;
c05b9339 2286 u8 sec_level, auth;
88ba43b6
AB		 2287
2288 BT_DBG("conn %p", conn);
2289
c46b98be 2290 if (skb->len < sizeof(*rp))
38e4a915 2291 return SMP_INVALID_PARAMS;
c46b98be 2292
40bef302 2293 if (hcon->role != HCI_ROLE_MASTER)
86ca9eac
JH		 2294 return SMP_CMD_NOTSUPP;
2295
0edb14de 2296 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 2297
d7a5a11d 2298 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 2299 return SMP_AUTH_REQUIREMENTS;
2300
5be5e275 2301 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 2302 sec_level = BT_SECURITY_MEDIUM;
2303 else
2304 sec_level = authreq_to_seclevel(auth);
2305
64e759f5
SJ		 2306 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2307 /* If link is already encrypted with sufficient security we
2308 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2309 * Part H 2.4.6
2310 */
2311 smp_ltk_encrypt(conn, hcon->sec_level);
854f4727 2312 return 0;
64e759f5 2313 }
854f4727 2314
c7262e71
JH		 2315 if (sec_level > hcon->pending_sec_level)
2316 hcon->pending_sec_level = sec_level;
feb45eb5 2317
4dab7864 2318 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
988c5997
VCG		 2319 return 0;
2320
8aab4757 2321 smp = smp_chan_create(conn);
c29d2444
JH		 2322 if (!smp)
2323 return SMP_UNSPECIFIED;
d26a2345 2324
d7a5a11d 2325 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
c05b9339 2326 (auth & SMP_AUTH_BONDING))
616d55be
JH		 2327 return SMP_PAIRING_NOTSUPP;
2328
88ba43b6 2329 skb_pull(skb, sizeof(*rp));
88ba43b6 2330
da85e5e5 2331 memset(&cp, 0, sizeof(cp));
c05b9339 2332 build_pairing_cmd(conn, &cp, NULL, auth);
88ba43b6 2333
1c1def09
VCG		 2334 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2335 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2336
88ba43b6 2337 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2338 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
f1cb9af5 2339
da85e5e5 2340 return 0;
88ba43b6
AB		 2341}
2342
cc110922 2343int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
eb492e01 2344{
cc110922 2345 struct l2cap_conn *conn = hcon->l2cap_data;
c68b7f12 2346 struct l2cap_chan *chan;
0a66cf20 2347 struct smp_chan *smp;
2b64d153 2348 __u8 authreq;
fc75cc86 2349 int ret;
eb492e01 2350
3a0259bb
VCG		 2351 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2352
0a66cf20
JH		 2353 /* This may be NULL if there's an unexpected disconnection */
2354 if (!conn)
2355 return 1;
2356
d7a5a11d 2357 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2e65c9d2
AG		 2358 return 1;
2359
35dc6f83 2360 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
eb492e01 2361 return 1;
f1cb9af5 2362
c7262e71
JH		 2363 if (sec_level > hcon->pending_sec_level)
2364 hcon->pending_sec_level = sec_level;
2365
40bef302 2366 if (hcon->role == HCI_ROLE_MASTER)
c7262e71
JH		 2367 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2368 return 0;
d26a2345 2369
d8949aad
JH		 2370 chan = conn->smp;
2371 if (!chan) {
2064ee33 2372 bt_dev_err(hcon->hdev, "security requested but not available");
d8949aad
JH		 2373 return 1;
2374 }
2375
fc75cc86
JH		 2376 l2cap_chan_lock(chan);
2377
2378 /* If SMP is already in progress ignore this request */
2379 if (chan->data) {
2380 ret = 0;
2381 goto unlock;
2382 }
d26a2345 2383
8aab4757 2384 smp = smp_chan_create(conn);
fc75cc86
JH		 2385 if (!smp) {
2386 ret = 1;
2387 goto unlock;
2388 }
2b64d153
BG		 2389
2390 authreq = seclevel_to_authreq(sec_level);
d26a2345 2391
a62da6f1 2392 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
d2eb9e10 2393 authreq |= SMP_AUTH_SC;
a62da6f1
JH		 2394 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2395 authreq |= SMP_AUTH_CT2;
2396 }
d2eb9e10 2397
c2aa30db
AP		 2398 /* Don't attempt to set MITM if setting is overridden by debugfs
2399 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2e233644 2400 */
c2aa30db
AP		 2401 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2402 /* Require MITM if IO Capability allows or the security level
2403 * requires it.
2404 */
2405 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2406 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2407 authreq |= SMP_AUTH_MITM;
2408 }
2e233644 2409
40bef302 2410 if (hcon->role == HCI_ROLE_MASTER) {
d26a2345 2411 struct smp_cmd_pairing cp;
f01ead31 2412
2b64d153 2413 build_pairing_cmd(conn, &cp, NULL, authreq);
1c1def09
VCG		 2414 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2415 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2416
eb492e01 2417 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2418 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
eb492e01
AB		 2419 } else {
2420 struct smp_cmd_security_req cp;
2b64d153 2421 cp.auth_req = authreq;
eb492e01 2422 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
b28b4943 2423 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
eb492e01
AB		 2424 }
2425
4a74d658 2426 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
fc75cc86 2427 ret = 0;
edca792c 2428
fc75cc86
JH		 2429unlock:
2430 l2cap_chan_unlock(chan);
2431 return ret;
eb492e01
AB		 2432}
2433
cb28c306
MK		 2434int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2435 u8 addr_type)
c81d555a 2436{
cb28c306
MK		 2437 struct hci_conn *hcon;
2438 struct l2cap_conn *conn;
c81d555a
JH		 2439 struct l2cap_chan *chan;
2440 struct smp_chan *smp;
cb28c306
MK		 2441 int err;
2442
2443 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2444 hci_remove_irk(hdev, bdaddr, addr_type);
2445
2446 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2447 if (!hcon)
2448 goto done;
c81d555a 2449
cb28c306 2450 conn = hcon->l2cap_data;
c81d555a 2451 if (!conn)
cb28c306 2452 goto done;
c81d555a
JH		 2453
2454 chan = conn->smp;
2455 if (!chan)
cb28c306 2456 goto done;
c81d555a
JH		 2457
2458 l2cap_chan_lock(chan);
2459
2460 smp = chan->data;
2461 if (smp) {
cb28c306
MK		 2462 /* Set keys to NULL to make sure smp_failure() does not try to
2463 * remove and free already invalidated rcu list entries. */
2464 smp->ltk = NULL;
2465 smp->slave_ltk = NULL;
2466 smp->remote_irk = NULL;
2467
c81d555a
JH		 2468 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2469 smp_failure(conn, 0);
2470 else
2471 smp_failure(conn, SMP_UNSPECIFIED);
cb28c306 2472 err = 0;
c81d555a
JH		 2473 }
2474
2475 l2cap_chan_unlock(chan);
cb28c306
MK		 2476
2477done:
2478 return err;
c81d555a
JH		 2479}
2480
7034b911
VCG		 2481static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2482{
16b90839 2483 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
5d88cc73
JH		 2484 struct l2cap_chan *chan = conn->smp;
2485 struct smp_chan *smp = chan->data;
16b90839 2486
c46b98be
JH		 2487 BT_DBG("conn %p", conn);
2488
2489 if (skb->len < sizeof(*rp))
38e4a915 2490 return SMP_INVALID_PARAMS;
c46b98be 2491
600a8749
AM		 2492 /* Pairing is aborted if any blocked keys are distributed */
2493 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2494 rp->ltk)) {
2495 bt_dev_warn_ratelimited(conn->hcon->hdev,
2496 "LTK blocked for %pMR",
2497 &conn->hcon->dst);
2498 return SMP_INVALID_PARAMS;
2499 }
2500
b28b4943 2501 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
6131ddc8 2502
16b90839
VCG		 2503 skb_pull(skb, sizeof(*rp));
2504
1c1def09 2505 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
16b90839 2506
7034b911
VCG		 2507 return 0;
2508}
2509
2510static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2511{
16b90839 2512 struct smp_cmd_master_ident *rp = (void *) skb->data;
5d88cc73
JH		 2513 struct l2cap_chan *chan = conn->smp;
2514 struct smp_chan *smp = chan->data;
c9839a11
VCG		 2515 struct hci_dev *hdev = conn->hcon->hdev;
2516 struct hci_conn *hcon = conn->hcon;
23d0e128 2517 struct smp_ltk *ltk;
c9839a11 2518 u8 authenticated;
16b90839 2519
c46b98be
JH		 2520 BT_DBG("conn %p", conn);
2521
2522 if (skb->len < sizeof(*rp))
38e4a915 2523 return SMP_INVALID_PARAMS;
c46b98be 2524
9747a9f3
JH		 2525 /* Mark the information as received */
2526 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2527
b28b4943
JH		 2528 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2529 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
196332f5
JH		 2530 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2531 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
b28b4943 2532
16b90839 2533 skb_pull(skb, sizeof(*rp));
7034b911 2534
ce39fb4e 2535 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2ceba539 2536 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
23d0e128
JH		 2537 authenticated, smp->tk, smp->enc_key_size,
2538 rp->ediv, rp->rand);
2539 smp->ltk = ltk;
c6e81e9a 2540 if (!(smp->remote_key_dist & KEY_DIST_MASK))
d6268e86 2541 smp_distribute_keys(smp);
7034b911
VCG		 2542
2543 return 0;
2544}
2545
fd349c02
JH		 2546static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2547{
2548 struct smp_cmd_ident_info *info = (void *) skb->data;
5d88cc73
JH		 2549 struct l2cap_chan *chan = conn->smp;
2550 struct smp_chan *smp = chan->data;
fd349c02
JH		 2551
2552 BT_DBG("");
2553
2554 if (skb->len < sizeof(*info))
38e4a915 2555 return SMP_INVALID_PARAMS;
fd349c02 2556
600a8749
AM		 2557 /* Pairing is aborted if any blocked keys are distributed */
2558 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2559 info->irk)) {
2560 bt_dev_warn_ratelimited(conn->hcon->hdev,
2561 "Identity key blocked for %pMR",
2562 &conn->hcon->dst);
2563 return SMP_INVALID_PARAMS;
2564 }
2565
b28b4943 2566 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
6131ddc8 2567
fd349c02
JH		 2568 skb_pull(skb, sizeof(*info));
2569
2570 memcpy(smp->irk, info->irk, 16);
2571
2572 return 0;
2573}
2574
2575static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2576 struct sk_buff *skb)
2577{
2578 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
5d88cc73
JH		 2579 struct l2cap_chan *chan = conn->smp;
2580 struct smp_chan *smp = chan->data;
fd349c02
JH		 2581 struct hci_conn *hcon = conn->hcon;
2582 bdaddr_t rpa;
2583
2584 BT_DBG("");
2585
2586 if (skb->len < sizeof(*info))
38e4a915 2587 return SMP_INVALID_PARAMS;
fd349c02 2588
9747a9f3
JH		 2589 /* Mark the information as received */
2590 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2591
b28b4943
JH		 2592 if (smp->remote_key_dist & SMP_DIST_SIGN)
2593 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2594
fd349c02
JH		 2595 skb_pull(skb, sizeof(*info));
2596
a9a58f86
JH		 2597 /* Strictly speaking the Core Specification (4.1) allows sending
2598 * an empty address which would force us to rely on just the IRK
2599 * as "identity information". However, since such
2600 * implementations are not known of and in order to not over
2601 * complicate our implementation, simply pretend that we never
2602 * received an IRK for such a device.
e12af489
JH		 2603 *
2604 * The Identity Address must also be a Static Random or Public
2605 * Address, which hci_is_identity_address() checks for.
a9a58f86 2606 */
e12af489
JH		 2607 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2608 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2064ee33 2609 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
31dd624e 2610 goto distribute;
a9a58f86
JH		 2611 }
2612
1d87b88b
SJ		 2613 /* Drop IRK if peer is using identity address during pairing but is
2614 * providing different address as identity information.
2615 *
2616 * Microsoft Surface Precision Mouse is known to have this bug.
2617 */
2618 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2619 (bacmp(&info->bdaddr, &hcon->dst) ||
2620 info->addr_type != hcon->dst_type)) {
2621 bt_dev_err(hcon->hdev,
2622 "ignoring IRK with invalid identity address");
2623 goto distribute;
2624 }
2625
fd349c02
JH		 2626 bacpy(&smp->id_addr, &info->bdaddr);
2627 smp->id_addr_type = info->addr_type;
2628
2629 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2630 bacpy(&rpa, &hcon->dst);
2631 else
2632 bacpy(&rpa, BDADDR_ANY);
2633
23d0e128
JH		 2634 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2635 smp->id_addr_type, smp->irk, &rpa);
fd349c02 2636
31dd624e 2637distribute:
c6e81e9a
JH		 2638 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2639 smp_distribute_keys(smp);
fd349c02
JH		 2640
2641 return 0;
2642}
2643
7ee4ea36
MH		 2644static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2645{
2646 struct smp_cmd_sign_info *rp = (void *) skb->data;
5d88cc73
JH		 2647 struct l2cap_chan *chan = conn->smp;
2648 struct smp_chan *smp = chan->data;
7ee4ea36
MH		 2649 struct smp_csrk *csrk;
2650
2651 BT_DBG("conn %p", conn);
2652
2653 if (skb->len < sizeof(*rp))
38e4a915 2654 return SMP_INVALID_PARAMS;
7ee4ea36 2655
7ee4ea36
MH		 2656 /* Mark the information as received */
2657 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2658
2659 skb_pull(skb, sizeof(*rp));
2660
7ee4ea36
MH		 2661 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2662 if (csrk) {
4cd3928a
JH		 2663 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2664 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2665 else
2666 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
7ee4ea36
MH		 2667 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2668 }
2669 smp->csrk = csrk;
d6268e86 2670 smp_distribute_keys(smp);
7ee4ea36
MH		 2671
2672 return 0;
2673}
2674
5e3d3d9b
JH		 2675static u8 sc_select_method(struct smp_chan *smp)
2676{
2677 struct l2cap_conn *conn = smp->conn;
2678 struct hci_conn *hcon = conn->hcon;
2679 struct smp_cmd_pairing *local, *remote;
2680 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2681
1a8bab4f
JH		 2682 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2683 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
a29b0733
JH		 2684 return REQ_OOB;
2685
5e3d3d9b
JH		 2686 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2687 * which are needed as inputs to some crypto functions. To get
2688 * the "struct smp_cmd_pairing" from them we need to skip the
2689 * first byte which contains the opcode.
2690 */
2691 if (hcon->out) {
2692 local = (void *) &smp->preq[1];
2693 remote = (void *) &smp->prsp[1];
2694 } else {
2695 local = (void *) &smp->prsp[1];
2696 remote = (void *) &smp->preq[1];
2697 }
2698
2699 local_io = local->io_capability;
2700 remote_io = remote->io_capability;
2701
2702 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2703 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2704
2705 /* If either side wants MITM, look up the method from the table,
2706 * otherwise use JUST WORKS.
2707 */
2708 if (local_mitm || remote_mitm)
2709 method = get_auth_method(smp, local_io, remote_io);
2710 else
2711 method = JUST_WORKS;
2712
2713 /* Don't confirm locally initiated pairing attempts */
2714 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2715 method = JUST_WORKS;
2716
2717 return method;
2718}
2719
d8f8edbe
JH		 2720static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2721{
2722 struct smp_cmd_public_key *key = (void *) skb->data;
2723 struct hci_conn *hcon = conn->hcon;
2724 struct l2cap_chan *chan = conn->smp;
2725 struct smp_chan *smp = chan->data;
5e3d3d9b 2726 struct hci_dev *hdev = hcon->hdev;
c0153b0b 2727 struct crypto_kpp *tfm_ecdh;
cbbbe3e2 2728 struct smp_cmd_pairing_confirm cfm;
d8f8edbe
JH		 2729 int err;
2730
2731 BT_DBG("conn %p", conn);
2732
2733 if (skb->len < sizeof(*key))
2734 return SMP_INVALID_PARAMS;
2735
2736 memcpy(smp->remote_pk, key, 64);
2737
a8ca617c
JH		 2738 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2739 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2740 smp->rr, 0, cfm.confirm_val);
2741 if (err)
2742 return SMP_UNSPECIFIED;
2743
329d8230 2744 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
a8ca617c
JH		 2745 return SMP_CONFIRM_FAILED;
2746 }
2747
d8f8edbe
JH		 2748 /* Non-initiating device sends its public key after receiving
2749 * the key from the initiating device.
2750 */
2751 if (!hcon->out) {
2752 err = sc_send_public_key(smp);
2753 if (err)
2754 return err;
2755 }
2756
c7a3d57d 2757 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
e091526d 2758 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
d8f8edbe 2759
c0153b0b
TA		 2760 /* Compute the shared secret on the same crypto tfm on which the private
2761 * key was set/generated.
2762 */
2763 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
4ba5175f
MK		 2764 struct l2cap_chan *hchan = hdev->smp_data;
2765 struct smp_dev *smp_dev;
2766
2767 if (!hchan || !hchan->data)
2768 return SMP_UNSPECIFIED;
2769
2770 smp_dev = hchan->data;
c0153b0b
TA		 2771
2772 tfm_ecdh = smp_dev->tfm_ecdh;
2773 } else {
2774 tfm_ecdh = smp->tfm_ecdh;
2775 }
2776
2777 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
d8f8edbe
JH		 2778 return SMP_UNSPECIFIED;
2779
c7a3d57d 2780 SMP_DBG("DHKey %32phN", smp->dhkey);
d8f8edbe
JH		 2781
2782 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2783
5e3d3d9b
JH		 2784 smp->method = sc_select_method(smp);
2785
2786 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2787
2788 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2789 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2790 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2791 else
2792 hcon->pending_sec_level = BT_SECURITY_FIPS;
2793
329d8230 2794 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
aeb7d461
JH		 2795 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2796
38606f14
JH		 2797 if (smp->method == DSP_PASSKEY) {
2798 get_random_bytes(&hcon->passkey_notify,
2799 sizeof(hcon->passkey_notify));
2800 hcon->passkey_notify %= 1000000;
2801 hcon->passkey_entered = 0;
2802 smp->passkey_round = 0;
2803 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2804 hcon->dst_type,
2805 hcon->passkey_notify,
2806 hcon->passkey_entered))
2807 return SMP_UNSPECIFIED;
2808 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2809 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2810 }
2811
94ea7257 2812 if (smp->method == REQ_OOB) {
a29b0733
JH		 2813 if (hcon->out)
2814 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2815 sizeof(smp->prnd), smp->prnd);
2816
2817 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2818
2819 return 0;
2820 }
2821
38606f14
JH		 2822 if (hcon->out)
2823 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2824
2825 if (smp->method == REQ_PASSKEY) {
2826 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2827 hcon->dst_type))
2828 return SMP_UNSPECIFIED;
2829 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2830 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2831 return 0;
2832 }
2833
cbbbe3e2
JH		 2834 /* The Initiating device waits for the non-initiating device to
2835 * send the confirm value.
2836 */
2837 if (conn->hcon->out)
2838 return 0;
2839
2840 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2841 0, cfm.confirm_val);
2842 if (err)
2843 return SMP_UNSPECIFIED;
2844
2845 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2846 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2847
d8f8edbe
JH		 2848 return 0;
2849}
2850
6433a9a2
JH		 2851static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2852{
2853 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2854 struct l2cap_chan *chan = conn->smp;
2855 struct hci_conn *hcon = conn->hcon;
2856 struct smp_chan *smp = chan->data;
2857 u8 a[7], b[7], *local_addr, *remote_addr;
2858 u8 io_cap[3], r[16], e[16];
2859 int err;
2860
2861 BT_DBG("conn %p", conn);
2862
2863 if (skb->len < sizeof(*check))
2864 return SMP_INVALID_PARAMS;
2865
2866 memcpy(a, &hcon->init_addr, 6);
2867 memcpy(b, &hcon->resp_addr, 6);
2868 a[6] = hcon->init_addr_type;
2869 b[6] = hcon->resp_addr_type;
2870
2871 if (hcon->out) {
2872 local_addr = a;
2873 remote_addr = b;
2874 memcpy(io_cap, &smp->prsp[1], 3);
2875 } else {
2876 local_addr = b;
2877 remote_addr = a;
2878 memcpy(io_cap, &smp->preq[1], 3);
2879 }
2880
2881 memset(r, 0, sizeof(r));
2882
38606f14
JH		 2883 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2884 put_unaligned_le32(hcon->passkey_notify, r);
882fafad
JH		 2885 else if (smp->method == REQ_OOB)
2886 memcpy(r, smp->lr, 16);
38606f14 2887
6433a9a2
JH		 2888 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2889 io_cap, remote_addr, local_addr, e);
2890 if (err)
2891 return SMP_UNSPECIFIED;
2892
329d8230 2893 if (crypto_memneq(check->e, e, 16))
6433a9a2
JH		 2894 return SMP_DHKEY_CHECK_FAILED;
2895
d3e54a87
JH		 2896 if (!hcon->out) {
2897 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2898 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2899 return 0;
2900 }
d378a2d7 2901
d3e54a87
JH		 2902 /* Slave sends DHKey check as response to master */
2903 sc_dhkey_check(smp);
2904 }
d378a2d7 2905
d3e54a87 2906 sc_add_ltk(smp);
6433a9a2
JH		 2907
2908 if (hcon->out) {
8b76ce34 2909 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
6433a9a2
JH		 2910 hcon->enc_key_size = smp->enc_key_size;
2911 }
2912
2913 return 0;
2914}
2915
1408bb6e
JH		 2916static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2917 struct sk_buff *skb)
2918{
2919 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2920
2921 BT_DBG("value 0x%02x", kp->value);
2922
2923 return 0;
2924}
2925
4befb867 2926static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
eb492e01 2927{
5d88cc73 2928 struct l2cap_conn *conn = chan->conn;
7b9899db 2929 struct hci_conn *hcon = conn->hcon;
b28b4943 2930 struct smp_chan *smp;
92381f5c 2931 __u8 code, reason;
eb492e01
AB		 2932 int err = 0;
2933
8ae9b984 2934 if (skb->len < 1)
92381f5c 2935 return -EILSEQ;
92381f5c 2936
d7a5a11d 2937 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2e65c9d2
AG		 2938 reason = SMP_PAIRING_NOTSUPP;
2939 goto done;
2940 }
2941
92381f5c 2942 code = skb->data[0];
eb492e01
AB		 2943 skb_pull(skb, sizeof(code));
2944
b28b4943
JH		 2945 smp = chan->data;
2946
2947 if (code > SMP_CMD_MAX)
2948 goto drop;
2949
24bd0bd9 2950 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
b28b4943
JH		 2951 goto drop;
2952
2953 /* If we don't have a context the only allowed commands are
2954 * pairing request and security request.
8cf9fa12 2955 */
b28b4943
JH		 2956 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2957 goto drop;
8cf9fa12 2958
eb492e01
AB		 2959 switch (code) {
2960 case SMP_CMD_PAIRING_REQ:
da85e5e5 2961 reason = smp_cmd_pairing_req(conn, skb);
eb492e01
AB		 2962 break;
2963
2964 case SMP_CMD_PAIRING_FAIL:
84794e11 2965 smp_failure(conn, 0);
da85e5e5 2966 err = -EPERM;
eb492e01
AB		 2967 break;
2968
2969 case SMP_CMD_PAIRING_RSP:
da85e5e5 2970 reason = smp_cmd_pairing_rsp(conn, skb);
88ba43b6
AB		 2971 break;
2972
2973 case SMP_CMD_SECURITY_REQ:
da85e5e5 2974 reason = smp_cmd_security_req(conn, skb);
88ba43b6
AB		 2975 break;
2976
eb492e01 2977 case SMP_CMD_PAIRING_CONFIRM:
da85e5e5 2978 reason = smp_cmd_pairing_confirm(conn, skb);
88ba43b6
AB		 2979 break;
2980
eb492e01 2981 case SMP_CMD_PAIRING_RANDOM:
da85e5e5 2982 reason = smp_cmd_pairing_random(conn, skb);
88ba43b6
AB		 2983 break;
2984
eb492e01 2985 case SMP_CMD_ENCRYPT_INFO:
7034b911
VCG		 2986 reason = smp_cmd_encrypt_info(conn, skb);
2987 break;
2988
eb492e01 2989 case SMP_CMD_MASTER_IDENT:
7034b911
VCG		 2990 reason = smp_cmd_master_ident(conn, skb);
2991 break;
2992
eb492e01 2993 case SMP_CMD_IDENT_INFO:
fd349c02
JH		 2994 reason = smp_cmd_ident_info(conn, skb);
2995 break;
2996
eb492e01 2997 case SMP_CMD_IDENT_ADDR_INFO:
fd349c02
JH		 2998 reason = smp_cmd_ident_addr_info(conn, skb);
2999 break;
3000
eb492e01 3001 case SMP_CMD_SIGN_INFO:
7ee4ea36 3002 reason = smp_cmd_sign_info(conn, skb);
7034b911
VCG		 3003 break;
3004
d8f8edbe
JH		 3005 case SMP_CMD_PUBLIC_KEY:
3006 reason = smp_cmd_public_key(conn, skb);
3007 break;
3008
6433a9a2
JH		 3009 case SMP_CMD_DHKEY_CHECK:
3010 reason = smp_cmd_dhkey_check(conn, skb);
3011 break;
3012
1408bb6e
JH		 3013 case SMP_CMD_KEYPRESS_NOTIFY:
3014 reason = smp_cmd_keypress_notify(conn, skb);
3015 break;
3016
eb492e01
AB		 3017 default:
3018 BT_DBG("Unknown command code 0x%2.2x", code);
eb492e01 3019 reason = SMP_CMD_NOTSUPP;
3a0259bb 3020 goto done;
eb492e01
AB		 3021 }
3022
3a0259bb 3023done:
9b7b18ef
JH		 3024 if (!err) {
3025 if (reason)
3026 smp_failure(conn, reason);
8ae9b984 3027 kfree_skb(skb);
9b7b18ef
JH		 3028 }
3029
eb492e01 3030 return err;
b28b4943
JH		 3031
3032drop:
2064ee33
MH		 3033 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3034 code, &hcon->dst);
b28b4943
JH		 3035 kfree_skb(skb);
3036 return 0;
eb492e01 3037}
7034b911 3038
70db83c4
JH		 3039static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3040{
3041 struct l2cap_conn *conn = chan->conn;
3042
3043 BT_DBG("chan %p", chan);
3044
fc75cc86 3045 if (chan->data)
5d88cc73 3046 smp_chan_destroy(conn);
5d88cc73 3047
70db83c4
JH		 3048 conn->smp = NULL;
3049 l2cap_chan_put(chan);
3050}
3051
b5ae344d
JH		 3052static void bredr_pairing(struct l2cap_chan *chan)
3053{
3054 struct l2cap_conn *conn = chan->conn;
3055 struct hci_conn *hcon = conn->hcon;
3056 struct hci_dev *hdev = hcon->hdev;
3057 struct smp_cmd_pairing req;
3058 struct smp_chan *smp;
3059
3060 BT_DBG("chan %p", chan);
3061
3062 /* Only new pairings are interesting */
3063 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3064 return;
3065
3066 /* Don't bother if we're not encrypted */
3067 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3068 return;
3069
3070 /* Only master may initiate SMP over BR/EDR */
3071 if (hcon->role != HCI_ROLE_MASTER)
3072 return;
3073
3074 /* Secure Connections support must be enabled */
d7a5a11d 3075 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
b5ae344d
JH		 3076 return;
3077
3078 /* BR/EDR must use Secure Connections for SMP */
3079 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
b7cb93e5 3080 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
b5ae344d
JH		 3081 return;
3082
3083 /* If our LE support is not enabled don't do anything */
d7a5a11d 3084 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
b5ae344d
JH		 3085 return;
3086
3087 /* Don't bother if remote LE support is not enabled */
3088 if (!lmp_host_le_capable(hcon))
3089 return;
3090
3091 /* Remote must support SMP fixed chan for BR/EDR */
3092 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3093 return;
3094
3095 /* Don't bother if SMP is already ongoing */
3096 if (chan->data)
3097 return;
3098
3099 smp = smp_chan_create(conn);
3100 if (!smp) {
2064ee33 3101 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
b5ae344d
JH		 3102 return;
3103 }
3104
3105 set_bit(SMP_FLAG_SC, &smp->flags);
3106
3107 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3108
3109 /* Prepare and send the BR/EDR SMP Pairing Request */
3110 build_bredr_pairing_cmd(smp, &req, NULL);
3111
3112 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3113 memcpy(&smp->preq[1], &req, sizeof(req));
3114
3115 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3116 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3117}
3118
44f1a7ab
JH		 3119static void smp_resume_cb(struct l2cap_chan *chan)
3120{
b68fda68 3121 struct smp_chan *smp = chan->data;
44f1a7ab
JH		 3122 struct l2cap_conn *conn = chan->conn;
3123 struct hci_conn *hcon = conn->hcon;
3124
3125 BT_DBG("chan %p", chan);
3126
b5ae344d
JH		 3127 if (hcon->type == ACL_LINK) {
3128 bredr_pairing(chan);
ef8efe4b 3129 return;
b5ae344d 3130 }
ef8efe4b 3131
86d1407c
JH		 3132 if (!smp)
3133 return;
b68fda68 3134
84bc0db5
JH		 3135 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3136 return;
3137
86d1407c
JH		 3138 cancel_delayed_work(&smp->security_timer);
3139
d6268e86 3140 smp_distribute_keys(smp);
44f1a7ab
JH		 3141}
3142
70db83c4
JH		 3143static void smp_ready_cb(struct l2cap_chan *chan)
3144{
3145 struct l2cap_conn *conn = chan->conn;
b5ae344d 3146 struct hci_conn *hcon = conn->hcon;
70db83c4
JH		 3147
3148 BT_DBG("chan %p", chan);
3149
7883746b
JH		 3150 /* No need to call l2cap_chan_hold() here since we already own
3151 * the reference taken in smp_new_conn_cb(). This is just the
3152 * first time that we tie it to a specific pointer. The code in
3153 * l2cap_core.c ensures that there's no risk this function wont
3154 * get called if smp_new_conn_cb was previously called.
3155 */
70db83c4 3156 conn->smp = chan;
b5ae344d
JH		 3157
3158 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3159 bredr_pairing(chan);
70db83c4
JH		 3160}
3161
4befb867
JH		 3162static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3163{
3164 int err;
3165
3166 BT_DBG("chan %p", chan);
3167
3168 err = smp_sig_channel(chan, skb);
3169 if (err) {
b68fda68 3170 struct smp_chan *smp = chan->data;
4befb867 3171
b68fda68
JH		 3172 if (smp)
3173 cancel_delayed_work_sync(&smp->security_timer);
4befb867 3174
1e91c29e 3175 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
4befb867
JH		 3176 }
3177
3178 return err;
3179}
3180
70db83c4
JH		 3181static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3182 unsigned long hdr_len,
3183 unsigned long len, int nb)
3184{
3185 struct sk_buff *skb;
3186
3187 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3188 if (!skb)
3189 return ERR_PTR(-ENOMEM);
3190
3191 skb->priority = HCI_PRIO_MAX;
a4368ff3 3192 bt_cb(skb)->l2cap.chan = chan;
70db83c4
JH		 3193
3194 return skb;
3195}
3196
3197static const struct l2cap_ops smp_chan_ops = {
3198 .name = "Security Manager",
3199 .ready = smp_ready_cb,
5d88cc73 3200 .recv = smp_recv_cb,
70db83c4
JH		 3201 .alloc_skb = smp_alloc_skb_cb,
3202 .teardown = smp_teardown_cb,
44f1a7ab 3203 .resume = smp_resume_cb,
70db83c4
JH		 3204
3205 .new_connection = l2cap_chan_no_new_connection,
70db83c4
JH		 3206 .state_change = l2cap_chan_no_state_change,
3207 .close = l2cap_chan_no_close,
3208 .defer = l2cap_chan_no_defer,
3209 .suspend = l2cap_chan_no_suspend,
70db83c4
JH		 3210 .set_shutdown = l2cap_chan_no_set_shutdown,
3211 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 3212};
3213
3214static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3215{
3216 struct l2cap_chan *chan;
3217
3218 BT_DBG("pchan %p", pchan);
3219
3220 chan = l2cap_chan_create();
3221 if (!chan)
3222 return NULL;
3223
3224 chan->chan_type = pchan->chan_type;
3225 chan->ops = &smp_chan_ops;
3226 chan->scid = pchan->scid;
3227 chan->dcid = chan->scid;
3228 chan->imtu = pchan->imtu;
3229 chan->omtu = pchan->omtu;
3230 chan->mode = pchan->mode;
3231
abe84903
JH		 3232 /* Other L2CAP channels may request SMP routines in order to
3233 * change the security level. This means that the SMP channel
3234 * lock must be considered in its own category to avoid lockdep
3235 * warnings.
3236 */
3237 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3238
70db83c4
JH		 3239 BT_DBG("created chan %p", chan);
3240
3241 return chan;
3242}
3243
3244static const struct l2cap_ops smp_root_chan_ops = {
3245 .name = "Security Manager Root",
3246 .new_connection = smp_new_conn_cb,
3247
3248 /* None of these are implemented for the root channel */
3249 .close = l2cap_chan_no_close,
3250 .alloc_skb = l2cap_chan_no_alloc_skb,
3251 .recv = l2cap_chan_no_recv,
3252 .state_change = l2cap_chan_no_state_change,
3253 .teardown = l2cap_chan_no_teardown,
3254 .ready = l2cap_chan_no_ready,
3255 .defer = l2cap_chan_no_defer,
3256 .suspend = l2cap_chan_no_suspend,
3257 .resume = l2cap_chan_no_resume,
3258 .set_shutdown = l2cap_chan_no_set_shutdown,
3259 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 3260};
3261
ef8efe4b 3262static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
711eafe3 3263{
70db83c4 3264 struct l2cap_chan *chan;
88a479d9 3265 struct smp_dev *smp;
71af2f6b 3266 struct crypto_shash *tfm_cmac;
47eb2ac8 3267 struct crypto_kpp *tfm_ecdh;
70db83c4 3268
ef8efe4b 3269 if (cid == L2CAP_CID_SMP_BREDR) {
88a479d9 3270 smp = NULL;
ef8efe4b
JH		 3271 goto create_chan;
3272 }
711eafe3 3273
88a479d9
MH		 3274 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3275 if (!smp)
3276 return ERR_PTR(-ENOMEM);
3277
71af2f6b 3278 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
6e2dc6d1
MH		 3279 if (IS_ERR(tfm_cmac)) {
3280 BT_ERR("Unable to create CMAC crypto context");
453431a5 3281 kfree_sensitive(smp);
6e2dc6d1
MH		 3282 return ERR_CAST(tfm_cmac);
3283 }
3284
075f7732 3285 tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
47eb2ac8
TA		 3286 if (IS_ERR(tfm_ecdh)) {
3287 BT_ERR("Unable to create ECDH crypto context");
3288 crypto_free_shash(tfm_cmac);
453431a5 3289 kfree_sensitive(smp);
47eb2ac8
TA		 3290 return ERR_CAST(tfm_ecdh);
3291 }
3292
94f14e47 3293 smp->local_oob = false;
6e2dc6d1 3294 smp->tfm_cmac = tfm_cmac;
47eb2ac8 3295 smp->tfm_ecdh = tfm_ecdh;
88a479d9 3296
ef8efe4b 3297create_chan:
70db83c4
JH		 3298 chan = l2cap_chan_create();
3299 if (!chan) {
63511f6d 3300 if (smp) {
71af2f6b 3301 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 3302 crypto_free_kpp(smp->tfm_ecdh);
453431a5 3303 kfree_sensitive(smp);
63511f6d 3304 }
ef8efe4b 3305 return ERR_PTR(-ENOMEM);
70db83c4
JH		 3306 }
3307
88a479d9 3308 chan->data = smp;
defce9e8 3309
ef8efe4b 3310 l2cap_add_scid(chan, cid);
70db83c4
JH		 3311
3312 l2cap_chan_set_defaults(chan);
3313
157029ba 3314 if (cid == L2CAP_CID_SMP) {
39e3e744
JH		 3315 u8 bdaddr_type;
3316
3317 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3318
3319 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
157029ba 3320 chan->src_type = BDADDR_LE_PUBLIC;
39e3e744
JH		 3321 else
3322 chan->src_type = BDADDR_LE_RANDOM;
157029ba
MH		 3323 } else {
3324 bacpy(&chan->src, &hdev->bdaddr);
ef8efe4b 3325 chan->src_type = BDADDR_BREDR;
157029ba
MH		 3326 }
3327
70db83c4
JH		 3328 chan->state = BT_LISTEN;
3329 chan->mode = L2CAP_MODE_BASIC;
3330 chan->imtu = L2CAP_DEFAULT_MTU;
3331 chan->ops = &smp_root_chan_ops;
3332
abe84903
JH		 3333 /* Set correct nesting level for a parent/listening channel */
3334 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3335
ef8efe4b 3336 return chan;
711eafe3
JH		 3337}
3338
ef8efe4b 3339static void smp_del_chan(struct l2cap_chan *chan)
711eafe3 3340{
88a479d9 3341 struct smp_dev *smp;
70db83c4 3342
ef8efe4b 3343 BT_DBG("chan %p", chan);
711eafe3 3344
88a479d9
MH		 3345 smp = chan->data;
3346 if (smp) {
defce9e8 3347 chan->data = NULL;
71af2f6b 3348 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 3349 crypto_free_kpp(smp->tfm_ecdh);
453431a5 3350 kfree_sensitive(smp);
711eafe3 3351 }
70db83c4 3352
70db83c4 3353 l2cap_chan_put(chan);
711eafe3 3354}
ef8efe4b 3355
300acfde
MH		 3356static ssize_t force_bredr_smp_read(struct file *file,
3357 char __user *user_buf,
3358 size_t count, loff_t *ppos)
3359{
3360 struct hci_dev *hdev = file->private_data;
3361 char buf[3];
3362
b7cb93e5 3363 buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
300acfde
MH		 3364 buf[1] = '\n';
3365 buf[2] = '\0';
3366 return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3367}
3368
3369static ssize_t force_bredr_smp_write(struct file *file,
3370 const char __user *user_buf,
3371 size_t count, loff_t *ppos)
3372{
3373 struct hci_dev *hdev = file->private_data;
300acfde 3374 bool enable;
3bf5e97d 3375 int err;
300acfde 3376
3bf5e97d
AS		 3377 err = kstrtobool_from_user(user_buf, count, &enable);
3378 if (err)
3379 return err;
300acfde 3380
b7cb93e5 3381 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
300acfde
MH		 3382 return -EALREADY;
3383
3384 if (enable) {
3385 struct l2cap_chan *chan;
3386
3387 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3388 if (IS_ERR(chan))
3389 return PTR_ERR(chan);
3390
3391 hdev->smp_bredr_data = chan;
3392 } else {
3393 struct l2cap_chan *chan;
3394
3395 chan = hdev->smp_bredr_data;
3396 hdev->smp_bredr_data = NULL;
3397 smp_del_chan(chan);
3398 }
3399
b7cb93e5 3400 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
300acfde
MH		 3401
3402 return count;
3403}
3404
3405static const struct file_operations force_bredr_smp_fops = {
3406 .open = simple_open,
3407 .read = force_bredr_smp_read,
3408 .write = force_bredr_smp_write,
3409 .llseek = default_llseek,
3410};
3411
ef8efe4b
JH		 3412int smp_register(struct hci_dev *hdev)
3413{
3414 struct l2cap_chan *chan;
3415
3416 BT_DBG("%s", hdev->name);
3417
7e7ec445
MH		 3418 /* If the controller does not support Low Energy operation, then
3419 * there is also no need to register any SMP channel.
3420 */
3421 if (!lmp_le_capable(hdev))
3422 return 0;
3423
2b8df323
MH		 3424 if (WARN_ON(hdev->smp_data)) {
3425 chan = hdev->smp_data;
3426 hdev->smp_data = NULL;
3427 smp_del_chan(chan);
3428 }
3429
ef8efe4b
JH		 3430 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3431 if (IS_ERR(chan))
3432 return PTR_ERR(chan);
3433
3434 hdev->smp_data = chan;
3435
300acfde
MH		 3436 /* If the controller does not support BR/EDR Secure Connections
3437 * feature, then the BR/EDR SMP channel shall not be present.
3438 *
3439 * To test this with Bluetooth 4.0 controllers, create a debugfs
3440 * switch that allows forcing BR/EDR SMP support and accepting
3441 * cross-transport pairing on non-AES encrypted connections.
3442 */
3443 if (!lmp_sc_capable(hdev)) {
3444 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3445 hdev, &force_bredr_smp_fops);
83ebb9ec
SJ		 3446
3447 /* Flag can be already set here (due to power toggle) */
3448 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3449 return 0;
300acfde 3450 }
ef8efe4b 3451
2b8df323
MH		 3452 if (WARN_ON(hdev->smp_bredr_data)) {
3453 chan = hdev->smp_bredr_data;
3454 hdev->smp_bredr_data = NULL;
3455 smp_del_chan(chan);
3456 }
3457
ef8efe4b
JH		 3458 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3459 if (IS_ERR(chan)) {
3460 int err = PTR_ERR(chan);
3461 chan = hdev->smp_data;
3462 hdev->smp_data = NULL;
3463 smp_del_chan(chan);
3464 return err;
3465 }
3466
3467 hdev->smp_bredr_data = chan;
3468
3469 return 0;
3470}
3471
3472void smp_unregister(struct hci_dev *hdev)
3473{
3474 struct l2cap_chan *chan;
3475
3476 if (hdev->smp_bredr_data) {
3477 chan = hdev->smp_bredr_data;
3478 hdev->smp_bredr_data = NULL;
3479 smp_del_chan(chan);
3480 }
3481
3482 if (hdev->smp_data) {
3483 chan = hdev->smp_data;
3484 hdev->smp_data = NULL;
3485 smp_del_chan(chan);
3486 }
3487}
0a2b0f04
JH		 3488
3489#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3490
47eb2ac8 3491static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
71653eb6 3492{
c0153b0b 3493 u8 pk[64];
a2976416 3494 int err;
71653eb6 3495
c0153b0b 3496 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
a2976416
TA		 3497 if (err)
3498 return err;
71653eb6 3499
c0153b0b
TA		 3500 err = generate_ecdh_public_key(tfm_ecdh, pk);
3501 if (err)
3502 return err;
71653eb6 3503
329d8230 3504 if (crypto_memneq(pk, debug_pk, 64))
71653eb6
MH		 3505 return -EINVAL;
3506
3507 return 0;
3508}
3509
28a220aa 3510static int __init test_ah(void)
cfc4198e
JH		 3511{
3512 const u8 irk[16] = {
3513 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3514 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3515 const u8 r[3] = { 0x94, 0x81, 0x70 };
3516 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3517 u8 res[3];
3518 int err;
3519
28a220aa 3520 err = smp_ah(irk, r, res);
cfc4198e
JH		 3521 if (err)
3522 return err;
3523
329d8230 3524 if (crypto_memneq(res, exp, 3))
cfc4198e
JH		 3525 return -EINVAL;
3526
3527 return 0;
3528}
3529
28a220aa 3530static int __init test_c1(void)
cfc4198e
JH		 3531{
3532 const u8 k[16] = {
3533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3534 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3535 const u8 r[16] = {
3536 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3537 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3538 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3539 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3540 const u8 _iat = 0x01;
3541 const u8 _rat = 0x00;
3542 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3543 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3544 const u8 exp[16] = {
3545 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3546 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3547 u8 res[16];
3548 int err;
3549
28a220aa 3550 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
cfc4198e
JH		 3551 if (err)
3552 return err;
3553
329d8230 3554 if (crypto_memneq(res, exp, 16))
cfc4198e
JH		 3555 return -EINVAL;
3556
3557 return 0;
3558}
3559
28a220aa 3560static int __init test_s1(void)
cfc4198e
JH		 3561{
3562 const u8 k[16] = {
3563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3565 const u8 r1[16] = {
3566 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3567 const u8 r2[16] = {
3568 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3569 const u8 exp[16] = {
3570 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3571 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3572 u8 res[16];
3573 int err;
3574
28a220aa 3575 err = smp_s1(k, r1, r2, res);
cfc4198e
JH		 3576 if (err)
3577 return err;
3578
329d8230 3579 if (crypto_memneq(res, exp, 16))
cfc4198e
JH		 3580 return -EINVAL;
3581
3582 return 0;
3583}
3584
71af2f6b 3585static int __init test_f4(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3586{
3587 const u8 u[32] = {
3588 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3589 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3590 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3591 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3592 const u8 v[32] = {
3593 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3594 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3595 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3596 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3597 const u8 x[16] = {
3598 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3599 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3600 const u8 z = 0x00;
3601 const u8 exp[16] = {
3602 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3603 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3604 u8 res[16];
3605 int err;
3606
3607 err = smp_f4(tfm_cmac, u, v, x, z, res);
3608 if (err)
3609 return err;
3610
329d8230 3611 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3612 return -EINVAL;
3613
3614 return 0;
3615}
3616
71af2f6b 3617static int __init test_f5(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3618{
3619 const u8 w[32] = {
3620 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3621 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3622 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3623 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3624 const u8 n1[16] = {
3625 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3626 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3627 const u8 n2[16] = {
3628 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3629 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3630 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3631 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3632 const u8 exp_ltk[16] = {
3633 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3634 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3635 const u8 exp_mackey[16] = {
3636 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3637 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3638 u8 mackey[16], ltk[16];
3639 int err;
3640
3641 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3642 if (err)
3643 return err;
3644
329d8230 3645 if (crypto_memneq(mackey, exp_mackey, 16))
fb2969a3
JH		 3646 return -EINVAL;
3647
329d8230 3648 if (crypto_memneq(ltk, exp_ltk, 16))
fb2969a3
JH		 3649 return -EINVAL;
3650
3651 return 0;
3652}
3653
71af2f6b 3654static int __init test_f6(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3655{
3656 const u8 w[16] = {
3657 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3658 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3659 const u8 n1[16] = {
3660 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3661 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3662 const u8 n2[16] = {
3663 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3664 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3665 const u8 r[16] = {
3666 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3667 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3668 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3669 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3670 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3671 const u8 exp[16] = {
3672 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3673 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3674 u8 res[16];
3675 int err;
3676
3677 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3678 if (err)
3679 return err;
3680
329d8230 3681 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3682 return -EINVAL;
3683
3684 return 0;
3685}
3686
71af2f6b 3687static int __init test_g2(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3688{
3689 const u8 u[32] = {
3690 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3691 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3692 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3693 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3694 const u8 v[32] = {
3695 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3696 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3697 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3698 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3699 const u8 x[16] = {
3700 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3701 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3702 const u8 y[16] = {
3703 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3704 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3705 const u32 exp_val = 0x2f9ed5ba % 1000000;
3706 u32 val;
3707 int err;
3708
3709 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3710 if (err)
3711 return err;
3712
3713 if (val != exp_val)
3714 return -EINVAL;
3715
3716 return 0;
3717}
3718
71af2f6b 3719static int __init test_h6(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3720{
3721 const u8 w[16] = {
3722 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3723 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3724 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3725 const u8 exp[16] = {
3726 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3727 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3728 u8 res[16];
3729 int err;
3730
3731 err = smp_h6(tfm_cmac, w, key_id, res);
3732 if (err)
3733 return err;
3734
329d8230 3735 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3736 return -EINVAL;
3737
3738 return 0;
3739}
3740
64dd374e
MH		 3741static char test_smp_buffer[32];
3742
3743static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3744 size_t count, loff_t *ppos)
3745{
3746 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3747 strlen(test_smp_buffer));
3748}
3749
3750static const struct file_operations test_smp_fops = {
3751 .open = simple_open,
3752 .read = test_smp_read,
3753 .llseek = default_llseek,
3754};
3755
28a220aa 3756static int __init run_selftests(struct crypto_shash *tfm_cmac,
47eb2ac8 3757 struct crypto_kpp *tfm_ecdh)
0a2b0f04 3758{
255047b0
MH		 3759 ktime_t calltime, delta, rettime;
3760 unsigned long long duration;
cfc4198e
JH		 3761 int err;
3762
255047b0
MH		 3763 calltime = ktime_get();
3764
47eb2ac8 3765 err = test_debug_key(tfm_ecdh);
71653eb6
MH		 3766 if (err) {
3767 BT_ERR("debug_key test failed");
3768 goto done;
3769 }
3770
28a220aa 3771 err = test_ah();
cfc4198e
JH		 3772 if (err) {
3773 BT_ERR("smp_ah test failed");
64dd374e 3774 goto done;
cfc4198e
JH		 3775 }
3776
28a220aa 3777 err = test_c1();
cfc4198e
JH		 3778 if (err) {
3779 BT_ERR("smp_c1 test failed");
64dd374e 3780 goto done;
cfc4198e
JH		 3781 }
3782
28a220aa 3783 err = test_s1();
cfc4198e
JH		 3784 if (err) {
3785 BT_ERR("smp_s1 test failed");
64dd374e 3786 goto done;
cfc4198e
JH		 3787 }
3788
fb2969a3
JH		 3789 err = test_f4(tfm_cmac);
3790 if (err) {
3791 BT_ERR("smp_f4 test failed");
64dd374e 3792 goto done;
fb2969a3
JH		 3793 }
3794
3795 err = test_f5(tfm_cmac);
3796 if (err) {
3797 BT_ERR("smp_f5 test failed");
64dd374e 3798 goto done;
fb2969a3
JH		 3799 }
3800
3801 err = test_f6(tfm_cmac);
3802 if (err) {
3803 BT_ERR("smp_f6 test failed");
64dd374e 3804 goto done;
fb2969a3
JH		 3805 }
3806
3807 err = test_g2(tfm_cmac);
3808 if (err) {
3809 BT_ERR("smp_g2 test failed");
64dd374e 3810 goto done;
fb2969a3
JH		 3811 }
3812
3813 err = test_h6(tfm_cmac);
3814 if (err) {
3815 BT_ERR("smp_h6 test failed");
64dd374e 3816 goto done;
fb2969a3
JH		 3817 }
3818
255047b0
MH		 3819 rettime = ktime_get();
3820 delta = ktime_sub(rettime, calltime);
3821 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3822
5ced2464 3823 BT_INFO("SMP test passed in %llu usecs", duration);
0a2b0f04 3824
64dd374e
MH		 3825done:
3826 if (!err)
3827 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3828 "PASS (%llu usecs)\n", duration);
3829 else
3830 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3831
3832 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3833 &test_smp_fops);
3834
3835 return err;
0a2b0f04
JH		 3836}
3837
3838int __init bt_selftest_smp(void)
3839{
71af2f6b 3840 struct crypto_shash *tfm_cmac;
47eb2ac8 3841 struct crypto_kpp *tfm_ecdh;
0a2b0f04
JH		 3842 int err;
3843
3d234b33 3844 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
0a2b0f04
JH		 3845 if (IS_ERR(tfm_cmac)) {
3846 BT_ERR("Unable to create CMAC crypto context");
0a2b0f04
JH		 3847 return PTR_ERR(tfm_cmac);
3848 }
3849
075f7732 3850 tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
47eb2ac8
TA		 3851 if (IS_ERR(tfm_ecdh)) {
3852 BT_ERR("Unable to create ECDH crypto context");
3853 crypto_free_shash(tfm_cmac);
47eb2ac8
TA		 3854 return PTR_ERR(tfm_ecdh);
3855 }
3856
28a220aa 3857 err = run_selftests(tfm_cmac, tfm_ecdh);
0a2b0f04 3858
71af2f6b 3859 crypto_free_shash(tfm_cmac);
47eb2ac8 3860 crypto_free_kpp(tfm_ecdh);
0a2b0f04
JH		 3861
3862 return err;
3863}
3864
3865#endif
Linux 6.x block layer and io_uring tree(s)