projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Bluetooth: btintel: Fix offset calculation boot address parameter
[linux-block.git] / net / bluetooth / smp.c
CommitLineData
eb492e01
AB		 1/*
2 BlueZ - Bluetooth protocol stack for Linux
3 Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4
5 This program is free software; you can redistribute it and/or modify
6 it under the terms of the GNU General Public License version 2 as
7 published by the Free Software Foundation;
8
9 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10 OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12 IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13 CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17
18 ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19 COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20 SOFTWARE IS DISCLAIMED.
21*/
22
300acfde 23#include <linux/debugfs.h>
8c520a59 24#include <linux/scatterlist.h>
a4770e11 25#include <linux/crypto.h>
28a220aa 26#include <crypto/aes.h>
329d8230 27#include <crypto/algapi.h>
71af2f6b 28#include <crypto/hash.h>
47eb2ac8 29#include <crypto/kpp.h>
8c520a59 30
eb492e01
AB		 31#include <net/bluetooth/bluetooth.h>
32#include <net/bluetooth/hci_core.h>
33#include <net/bluetooth/l2cap.h>
2b64d153 34#include <net/bluetooth/mgmt.h>
ac4b7236 35
58771c1c 36#include "ecdh_helper.h"
ac4b7236 37#include "smp.h"
d22ef0bc 38
2fd36558
JH		 39#define SMP_DEV(hdev) \
40 ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
41
c7a3d57d
JH		 42/* Low-level debug macros to be used for stuff that we don't want
43 * accidentially in dmesg, i.e. the values of the various crypto keys
44 * and the inputs & outputs of crypto functions.
45 */
46#ifdef DEBUG
47#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
48 ##__VA_ARGS__)
49#else
50#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
51 ##__VA_ARGS__)
52#endif
53
b28b4943 54#define SMP_ALLOW_CMD(smp, code) set_bit(code, &smp->allow_cmd)
b28b4943 55
3b19146d
JH		 56/* Keys which are not distributed with Secure Connections */
57#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
58
17b02e62 59#define SMP_TIMEOUT msecs_to_jiffies(30000)
5d3de7df 60
d7a5a11d 61#define AUTH_REQ_MASK(dev) (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
a62da6f1 62 0x3f : 0x07)
0edb14de 63#define KEY_DIST_MASK 0x07
065a13e2 64
cbbbe3e2
JH		 65/* Maximum message length that can be passed to aes_cmac */
66#define CMAC_MSG_MAX 80
67
533e35d4
JH		 68enum {
69 SMP_FLAG_TK_VALID,
70 SMP_FLAG_CFM_PENDING,
71 SMP_FLAG_MITM_AUTH,
72 SMP_FLAG_COMPLETE,
73 SMP_FLAG_INITIATOR,
65668776 74 SMP_FLAG_SC,
d8f8edbe 75 SMP_FLAG_REMOTE_PK,
aeb7d461 76 SMP_FLAG_DEBUG_KEY,
38606f14 77 SMP_FLAG_WAIT_USER,
d3e54a87 78 SMP_FLAG_DHKEY_PENDING,
1a8bab4f
JH		 79 SMP_FLAG_REMOTE_OOB,
80 SMP_FLAG_LOCAL_OOB,
a62da6f1 81 SMP_FLAG_CT2,
533e35d4 82};
4bc58f51 83
88a479d9 84struct smp_dev {
60a27d65 85 /* Secure Connections OOB data */
94f14e47 86 bool local_oob;
60a27d65 87 u8 local_pk[64];
fb334fee 88 u8 local_rand[16];
60a27d65
MH		 89 bool debug_key;
90
71af2f6b 91 struct crypto_shash *tfm_cmac;
47eb2ac8 92 struct crypto_kpp *tfm_ecdh;
88a479d9
MH		 93};
94
4bc58f51 95struct smp_chan {
b68fda68
JH		 96 struct l2cap_conn *conn;
97 struct delayed_work security_timer;
b28b4943 98 unsigned long allow_cmd; /* Bitmask of allowed commands */
b68fda68 99
4bc58f51
JH		 100 u8 preq[7]; /* SMP Pairing Request */
101 u8 prsp[7]; /* SMP Pairing Response */
102 u8 prnd[16]; /* SMP Pairing Random (local) */
103 u8 rrnd[16]; /* SMP Pairing Random (remote) */
104 u8 pcnf[16]; /* SMP Pairing Confirm */
105 u8 tk[16]; /* SMP Temporary Key */
882fafad
JH		 106 u8 rr[16]; /* Remote OOB ra/rb value */
107 u8 lr[16]; /* Local OOB ra/rb value */
4bc58f51
JH		 108 u8 enc_key_size;
109 u8 remote_key_dist;
110 bdaddr_t id_addr;
111 u8 id_addr_type;
112 u8 irk[16];
113 struct smp_csrk *csrk;
114 struct smp_csrk *slave_csrk;
115 struct smp_ltk *ltk;
116 struct smp_ltk *slave_ltk;
117 struct smp_irk *remote_irk;
6a77083a 118 u8 *link_key;
4a74d658 119 unsigned long flags;
783e0574 120 u8 method;
38606f14 121 u8 passkey_round;
6a7bd103 122
3b19146d
JH		 123 /* Secure Connections variables */
124 u8 local_pk[64];
d8f8edbe
JH		 125 u8 remote_pk[64];
126 u8 dhkey[32];
760b018b 127 u8 mackey[16];
3b19146d 128
71af2f6b 129 struct crypto_shash *tfm_cmac;
47eb2ac8 130 struct crypto_kpp *tfm_ecdh;
4bc58f51
JH		 131};
132
aeb7d461
JH		 133/* These debug key values are defined in the SMP section of the core
134 * specification. debug_pk is the public debug key and debug_sk the
135 * private debug key.
136 */
137static const u8 debug_pk[64] = {
138 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142
143 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147};
148
149static const u8 debug_sk[32] = {
150 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154};
155
8a2936f4 156static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
d22ef0bc 157{
8a2936f4 158 size_t i;
d22ef0bc 159
8a2936f4
JH		 160 for (i = 0; i < len; i++)
161 dst[len - 1 - i] = src[i];
d22ef0bc
AB		 162}
163
06edf8de
JH		 164/* The following functions map to the LE SC SMP crypto functions
165 * AES-CMAC, f4, f5, f6, g2 and h6.
166 */
167
71af2f6b 168static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
cbbbe3e2
JH		 169 size_t len, u8 mac[16])
170{
171 uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
cbbbe3e2
JH		 172 int err;
173
174 if (len > CMAC_MSG_MAX)
175 return -EFBIG;
176
177 if (!tfm) {
178 BT_ERR("tfm %p", tfm);
179 return -EINVAL;
180 }
181
cbbbe3e2
JH		 182 /* Swap key and message from LSB to MSB */
183 swap_buf(k, tmp, 16);
184 swap_buf(m, msg_msb, len);
185
c7a3d57d
JH		 186 SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
187 SMP_DBG("key %16phN", k);
cbbbe3e2 188
71af2f6b 189 err = crypto_shash_setkey(tfm, tmp, 16);
cbbbe3e2
JH		 190 if (err) {
191 BT_ERR("cipher setkey failed: %d", err);
192 return err;
193 }
194
ec0bf6ed 195 err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
cbbbe3e2 196 if (err) {
71af2f6b 197 BT_ERR("Hash computation error %d", err);
cbbbe3e2
JH		 198 return err;
199 }
200
201 swap_buf(mac_msb, mac, 16);
202
c7a3d57d 203 SMP_DBG("mac %16phN", mac);
cbbbe3e2
JH		 204
205 return 0;
206}
207
71af2f6b
HX		 208static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
209 const u8 v[32], const u8 x[16], u8 z, u8 res[16])
cbbbe3e2
JH		 210{
211 u8 m[65];
212 int err;
213
c7a3d57d
JH		 214 SMP_DBG("u %32phN", u);
215 SMP_DBG("v %32phN", v);
216 SMP_DBG("x %16phN z %02x", x, z);
cbbbe3e2
JH		 217
218 m[0] = z;
219 memcpy(m + 1, v, 32);
220 memcpy(m + 33, u, 32);
221
222 err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
223 if (err)
224 return err;
225
c7a3d57d 226 SMP_DBG("res %16phN", res);
cbbbe3e2
JH		 227
228 return err;
229}
230
71af2f6b 231static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
4da50de8
JH		 232 const u8 n1[16], const u8 n2[16], const u8 a1[7],
233 const u8 a2[7], u8 mackey[16], u8 ltk[16])
760b018b
JH		 234{
235 /* The btle, salt and length "magic" values are as defined in
236 * the SMP section of the Bluetooth core specification. In ASCII
237 * the btle value ends up being 'btle'. The salt is just a
238 * random number whereas length is the value 256 in little
239 * endian format.
240 */
241 const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
242 const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
243 0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
244 const u8 length[2] = { 0x00, 0x01 };
245 u8 m[53], t[16];
246 int err;
247
c7a3d57d
JH		 248 SMP_DBG("w %32phN", w);
249 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
250 SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
760b018b
JH		 251
252 err = aes_cmac(tfm_cmac, salt, w, 32, t);
253 if (err)
254 return err;
255
c7a3d57d 256 SMP_DBG("t %16phN", t);
760b018b
JH		 257
258 memcpy(m, length, 2);
259 memcpy(m + 2, a2, 7);
260 memcpy(m + 9, a1, 7);
261 memcpy(m + 16, n2, 16);
262 memcpy(m + 32, n1, 16);
263 memcpy(m + 48, btle, 4);
264
265 m[52] = 0; /* Counter */
266
267 err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
268 if (err)
269 return err;
270
c7a3d57d 271 SMP_DBG("mackey %16phN", mackey);
760b018b
JH		 272
273 m[52] = 1; /* Counter */
274
275 err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
276 if (err)
277 return err;
278
c7a3d57d 279 SMP_DBG("ltk %16phN", ltk);
760b018b
JH		 280
281 return 0;
282}
283
71af2f6b 284static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
4da50de8 285 const u8 n1[16], const u8 n2[16], const u8 r[16],
760b018b
JH		 286 const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
287 u8 res[16])
288{
289 u8 m[65];
290 int err;
291
c7a3d57d
JH		 292 SMP_DBG("w %16phN", w);
293 SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
294 SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
760b018b
JH		 295
296 memcpy(m, a2, 7);
297 memcpy(m + 7, a1, 7);
298 memcpy(m + 14, io_cap, 3);
299 memcpy(m + 17, r, 16);
300 memcpy(m + 33, n2, 16);
301 memcpy(m + 49, n1, 16);
302
303 err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
304 if (err)
305 return err;
306
203de21b 307 SMP_DBG("res %16phN", res);
760b018b
JH		 308
309 return err;
310}
311
71af2f6b 312static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
191dc7fe
JH		 313 const u8 x[16], const u8 y[16], u32 *val)
314{
315 u8 m[80], tmp[16];
316 int err;
317
c7a3d57d
JH		 318 SMP_DBG("u %32phN", u);
319 SMP_DBG("v %32phN", v);
320 SMP_DBG("x %16phN y %16phN", x, y);
191dc7fe
JH		 321
322 memcpy(m, y, 16);
323 memcpy(m + 16, v, 32);
324 memcpy(m + 48, u, 32);
325
326 err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
327 if (err)
328 return err;
329
330 *val = get_unaligned_le32(tmp);
331 *val %= 1000000;
332
c7a3d57d 333 SMP_DBG("val %06u", *val);
191dc7fe
JH		 334
335 return 0;
336}
337
71af2f6b 338static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
06edf8de
JH		 339 const u8 key_id[4], u8 res[16])
340{
341 int err;
342
343 SMP_DBG("w %16phN key_id %4phN", w, key_id);
344
345 err = aes_cmac(tfm_cmac, w, key_id, 4, res);
346 if (err)
347 return err;
348
349 SMP_DBG("res %16phN", res);
350
351 return err;
352}
353
a62da6f1
JH		 354static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
355 const u8 salt[16], u8 res[16])
356{
357 int err;
358
359 SMP_DBG("w %16phN salt %16phN", w, salt);
360
361 err = aes_cmac(tfm_cmac, salt, w, 16, res);
362 if (err)
363 return err;
364
365 SMP_DBG("res %16phN", res);
366
367 return err;
368}
369
06edf8de
JH		 370/* The following functions map to the legacy SMP crypto functions e, c1,
371 * s1 and ah.
372 */
373
28a220aa 374static int smp_e(const u8 *k, u8 *r)
d22ef0bc 375{
28a220aa 376 struct crypto_aes_ctx ctx;
943a732a 377 uint8_t tmp[16], data[16];
201a5929 378 int err;
d22ef0bc 379
011c391a
JH		 380 SMP_DBG("k %16phN r %16phN", k, r);
381
943a732a 382 /* The most significant octet of key corresponds to k[0] */
8a2936f4 383 swap_buf(k, tmp, 16);
943a732a 384
28a220aa 385 err = aes_expandkey(&ctx, tmp, 16);
d22ef0bc
AB		 386 if (err) {
387 BT_ERR("cipher setkey failed: %d", err);
388 return err;
389 }
390
943a732a 391 /* Most significant octet of plaintextData corresponds to data[0] */
8a2936f4 392 swap_buf(r, data, 16);
943a732a 393
28a220aa 394 aes_encrypt(&ctx, data, data);
d22ef0bc 395
943a732a 396 /* Most significant octet of encryptedData corresponds to data[0] */
8a2936f4 397 swap_buf(data, r, 16);
943a732a 398
011c391a
JH		 399 SMP_DBG("r %16phN", r);
400
28a220aa 401 memzero_explicit(&ctx, sizeof (ctx));
d22ef0bc
AB		 402 return err;
403}
404
28a220aa 405static int smp_c1(const u8 k[16],
06edf8de
JH		 406 const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
407 const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
6a77083a 408{
06edf8de 409 u8 p1[16], p2[16];
6a77083a
JH		 410 int err;
411
011c391a
JH		 412 SMP_DBG("k %16phN r %16phN", k, r);
413 SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
414 SMP_DBG("preq %7phN pres %7phN", preq, pres);
415
06edf8de 416 memset(p1, 0, 16);
6a77083a 417
06edf8de
JH		 418 /* p1 = pres || preq || _rat || _iat */
419 p1[0] = _iat;
420 p1[1] = _rat;
421 memcpy(p1 + 2, preq, 7);
422 memcpy(p1 + 9, pres, 7);
423
011c391a 424 SMP_DBG("p1 %16phN", p1);
06edf8de
JH		 425
426 /* res = r XOR p1 */
ef0bb5ad 427 crypto_xor_cpy(res, r, p1, sizeof(p1));
06edf8de
JH		 428
429 /* res = e(k, res) */
28a220aa 430 err = smp_e(k, res);
06edf8de
JH		 431 if (err) {
432 BT_ERR("Encrypt data error");
6a77083a 433 return err;
06edf8de 434 }
6a77083a 435
011c391a
JH		 436 /* p2 = padding || ia || ra */
437 memcpy(p2, ra, 6);
438 memcpy(p2 + 6, ia, 6);
439 memset(p2 + 12, 0, 4);
440
441 SMP_DBG("p2 %16phN", p2);
442
06edf8de 443 /* res = res XOR p2 */
ef0bb5ad 444 crypto_xor(res, p2, sizeof(p2));
06edf8de
JH		 445
446 /* res = e(k, res) */
28a220aa 447 err = smp_e(k, res);
06edf8de
JH		 448 if (err)
449 BT_ERR("Encrypt data error");
450
451 return err;
452}
453
28a220aa 454static int smp_s1(const u8 k[16],
06edf8de
JH		 455 const u8 r1[16], const u8 r2[16], u8 _r[16])
456{
457 int err;
458
459 /* Just least significant octets from r1 and r2 are considered */
460 memcpy(_r, r2, 8);
461 memcpy(_r + 8, r1, 8);
462
28a220aa 463 err = smp_e(k, _r);
06edf8de
JH		 464 if (err)
465 BT_ERR("Encrypt data error");
6a77083a
JH		 466
467 return err;
468}
469
28a220aa 470static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
60478054 471{
943a732a 472 u8 _res[16];
60478054
JH		 473 int err;
474
475 /* r' = padding || r */
943a732a
JH		 476 memcpy(_res, r, 3);
477 memset(_res + 3, 0, 13);
60478054 478
28a220aa 479 err = smp_e(irk, _res);
60478054
JH		 480 if (err) {
481 BT_ERR("Encrypt error");
482 return err;
483 }
484
485 /* The output of the random address function ah is:
c5080d42 486 * ah(k, r) = e(k, r') mod 2^24
60478054
JH		 487 * The output of the security function e is then truncated to 24 bits
488 * by taking the least significant 24 bits of the output of e as the
489 * result of ah.
490 */
943a732a 491 memcpy(res, _res, 3);
60478054
JH		 492
493 return 0;
494}
495
cd082797
JH		 496bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
497 const bdaddr_t *bdaddr)
60478054 498{
defce9e8 499 struct l2cap_chan *chan = hdev->smp_data;
60478054
JH		 500 u8 hash[3];
501 int err;
502
defce9e8
JH		 503 if (!chan || !chan->data)
504 return false;
505
56860245 506 bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
60478054 507
28a220aa 508 err = smp_ah(irk, &bdaddr->b[3], hash);
60478054
JH		 509 if (err)
510 return false;
511
329d8230 512 return !crypto_memneq(bdaddr->b, hash, 3);
60478054
JH		 513}
514
cd082797 515int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
b1e2b3ae 516{
defce9e8 517 struct l2cap_chan *chan = hdev->smp_data;
b1e2b3ae
JH		 518 int err;
519
defce9e8
JH		 520 if (!chan || !chan->data)
521 return -EOPNOTSUPP;
522
b1e2b3ae
JH		 523 get_random_bytes(&rpa->b[3], 3);
524
525 rpa->b[5] &= 0x3f; /* Clear two most significant bits */
526 rpa->b[5] |= 0x40; /* Set second most significant bit */
527
28a220aa 528 err = smp_ah(irk, &rpa->b[3], rpa->b);
b1e2b3ae
JH		 529 if (err < 0)
530 return err;
531
56860245 532 bt_dev_dbg(hdev, "RPA %pMR", rpa);
b1e2b3ae
JH		 533
534 return 0;
535}
536
60a27d65
MH		 537int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
538{
539 struct l2cap_chan *chan = hdev->smp_data;
540 struct smp_dev *smp;
541 int err;
542
543 if (!chan || !chan->data)
544 return -EOPNOTSUPP;
545
546 smp = chan->data;
547
548 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
56860245 549 bt_dev_dbg(hdev, "Using debug keys");
c0153b0b
TA		 550 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
551 if (err)
552 return err;
60a27d65 553 memcpy(smp->local_pk, debug_pk, 64);
60a27d65
MH		 554 smp->debug_key = true;
555 } else {
556 while (true) {
c0153b0b
TA		 557 /* Generate key pair for Secure Connections */
558 err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
a2976416
TA		 559 if (err)
560 return err;
60a27d65
MH		 561
562 /* This is unlikely, but we need to check that
563 * we didn't accidentially generate a debug key.
564 */
c0153b0b 565 if (crypto_memneq(smp->local_pk, debug_pk, 64))
60a27d65
MH		 566 break;
567 }
568 smp->debug_key = false;
569 }
570
571 SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
572 SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
60a27d65 573
fb334fee 574 get_random_bytes(smp->local_rand, 16);
60a27d65
MH		 575
576 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
fb334fee 577 smp->local_rand, 0, hash);
60a27d65
MH		 578 if (err < 0)
579 return err;
580
fb334fee 581 memcpy(rand, smp->local_rand, 16);
60a27d65 582
94f14e47
JH		 583 smp->local_oob = true;
584
60a27d65
MH		 585 return 0;
586}
587
5d88cc73 588static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
eb492e01 589{
5d88cc73 590 struct l2cap_chan *chan = conn->smp;
b68fda68 591 struct smp_chan *smp;
5d88cc73
JH		 592 struct kvec iv[2];
593 struct msghdr msg;
eb492e01 594
5d88cc73
JH		 595 if (!chan)
596 return;
eb492e01 597
5d88cc73 598 BT_DBG("code 0x%2.2x", code);
eb492e01 599
5d88cc73
JH		 600 iv[0].iov_base = &code;
601 iv[0].iov_len = 1;
eb492e01 602
5d88cc73
JH		 603 iv[1].iov_base = data;
604 iv[1].iov_len = len;
eb492e01 605
5d88cc73 606 memset(&msg, 0, sizeof(msg));
eb492e01 607
aa563d7b 608 iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
eb492e01 609
5d88cc73 610 l2cap_chan_send(chan, &msg, 1 + len);
e2dcd113 611
b68fda68
JH		 612 if (!chan->data)
613 return;
614
615 smp = chan->data;
616
617 cancel_delayed_work_sync(&smp->security_timer);
1b0921d6 618 schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
eb492e01
AB		 619}
620
d2eb9e10 621static u8 authreq_to_seclevel(u8 authreq)
2b64d153 622{
d2eb9e10
JH		 623 if (authreq & SMP_AUTH_MITM) {
624 if (authreq & SMP_AUTH_SC)
625 return BT_SECURITY_FIPS;
626 else
627 return BT_SECURITY_HIGH;
628 } else {
2b64d153 629 return BT_SECURITY_MEDIUM;
d2eb9e10 630 }
2b64d153
BG		 631}
632
633static __u8 seclevel_to_authreq(__u8 sec_level)
634{
635 switch (sec_level) {
d2eb9e10 636 case BT_SECURITY_FIPS:
2b64d153
BG		 637 case BT_SECURITY_HIGH:
638 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
639 case BT_SECURITY_MEDIUM:
640 return SMP_AUTH_BONDING;
641 default:
642 return SMP_AUTH_NONE;
643 }
644}
645
b8e66eac 646static void build_pairing_cmd(struct l2cap_conn *conn,
f1560463
MH		 647 struct smp_cmd_pairing *req,
648 struct smp_cmd_pairing *rsp, __u8 authreq)
b8e66eac 649{
5d88cc73
JH		 650 struct l2cap_chan *chan = conn->smp;
651 struct smp_chan *smp = chan->data;
fd349c02
JH		 652 struct hci_conn *hcon = conn->hcon;
653 struct hci_dev *hdev = hcon->hdev;
02b05bd8 654 u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
54790f73 655
d7a5a11d 656 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
7ee4ea36
MH		 657 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
658 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
54790f73 659 authreq |= SMP_AUTH_BONDING;
2b64d153
BG		 660 } else {
661 authreq &= ~SMP_AUTH_BONDING;
54790f73
VCG		 662 }
663
d7a5a11d 664 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
fd349c02
JH		 665 remote_dist |= SMP_DIST_ID_KEY;
666
d7a5a11d 667 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
863efaf2
JH		 668 local_dist |= SMP_DIST_ID_KEY;
669
d7a5a11d 670 if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
02b05bd8
JH		 671 (authreq & SMP_AUTH_SC)) {
672 struct oob_data *oob_data;
673 u8 bdaddr_type;
674
d7a5a11d 675 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
df8e1a4c
JH		 676 local_dist |= SMP_DIST_LINK_KEY;
677 remote_dist |= SMP_DIST_LINK_KEY;
678 }
02b05bd8
JH		 679
680 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
681 bdaddr_type = BDADDR_LE_PUBLIC;
682 else
683 bdaddr_type = BDADDR_LE_RANDOM;
684
685 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
686 bdaddr_type);
4775a4ea 687 if (oob_data && oob_data->present) {
1a8bab4f 688 set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
02b05bd8 689 oob_flag = SMP_OOB_PRESENT;
a29b0733 690 memcpy(smp->rr, oob_data->rand256, 16);
02b05bd8 691 memcpy(smp->pcnf, oob_data->hash256, 16);
bc07cd69
MH		 692 SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
693 SMP_DBG("OOB Remote Random: %16phN", smp->rr);
02b05bd8
JH		 694 }
695
df8e1a4c
JH		 696 } else {
697 authreq &= ~SMP_AUTH_SC;
698 }
699
54790f73
VCG		 700 if (rsp == NULL) {
701 req->io_capability = conn->hcon->io_capability;
02b05bd8 702 req->oob_flag = oob_flag;
30d65e08 703 req->max_key_size = hdev->le_max_key_size;
fd349c02
JH		 704 req->init_key_dist = local_dist;
705 req->resp_key_dist = remote_dist;
0edb14de 706 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 707
708 smp->remote_key_dist = remote_dist;
54790f73
VCG		 709 return;
710 }
711
712 rsp->io_capability = conn->hcon->io_capability;
02b05bd8 713 rsp->oob_flag = oob_flag;
30d65e08 714 rsp->max_key_size = hdev->le_max_key_size;
fd349c02
JH		 715 rsp->init_key_dist = req->init_key_dist & remote_dist;
716 rsp->resp_key_dist = req->resp_key_dist & local_dist;
0edb14de 717 rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
fd349c02
JH		 718
719 smp->remote_key_dist = rsp->init_key_dist;
b8e66eac
VCG		 720}
721
3158c50c
VCG		 722static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
723{
5d88cc73 724 struct l2cap_chan *chan = conn->smp;
2fd36558 725 struct hci_dev *hdev = conn->hcon->hdev;
5d88cc73 726 struct smp_chan *smp = chan->data;
1c1def09 727
49c06c9e
ŁR		 728 if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
729 max_key_size != SMP_MAX_ENC_KEY_SIZE)
730 return SMP_ENC_KEY_SIZE;
731
30d65e08 732 if (max_key_size > hdev->le_max_key_size ||
2fd36558 733 max_key_size < SMP_MIN_ENC_KEY_SIZE)
3158c50c
VCG		 734 return SMP_ENC_KEY_SIZE;
735
f7aa611a 736 smp->enc_key_size = max_key_size;
3158c50c
VCG		 737
738 return 0;
739}
740
6f48e260
JH		 741static void smp_chan_destroy(struct l2cap_conn *conn)
742{
743 struct l2cap_chan *chan = conn->smp;
744 struct smp_chan *smp = chan->data;
923e2414 745 struct hci_conn *hcon = conn->hcon;
6f48e260
JH		 746 bool complete;
747
748 BUG_ON(!smp);
749
750 cancel_delayed_work_sync(&smp->security_timer);
6f48e260 751
6f48e260 752 complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
923e2414 753 mgmt_smp_complete(hcon, complete);
6f48e260 754
453431a5
WL		 755 kfree_sensitive(smp->csrk);
756 kfree_sensitive(smp->slave_csrk);
757 kfree_sensitive(smp->link_key);
6f48e260 758
71af2f6b 759 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 760 crypto_free_kpp(smp->tfm_ecdh);
6f48e260 761
923e2414
JH		 762 /* Ensure that we don't leave any debug key around if debug key
763 * support hasn't been explicitly enabled.
764 */
765 if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
d7a5a11d 766 !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
923e2414
JH		 767 list_del_rcu(&smp->ltk->list);
768 kfree_rcu(smp->ltk, rcu);
769 smp->ltk = NULL;
770 }
771
6f48e260
JH		 772 /* If pairing failed clean up any keys we might have */
773 if (!complete) {
774 if (smp->ltk) {
970d0f1b
JH		 775 list_del_rcu(&smp->ltk->list);
776 kfree_rcu(smp->ltk, rcu);
6f48e260
JH		 777 }
778
779 if (smp->slave_ltk) {
970d0f1b
JH		 780 list_del_rcu(&smp->slave_ltk->list);
781 kfree_rcu(smp->slave_ltk, rcu);
6f48e260
JH		 782 }
783
784 if (smp->remote_irk) {
adae20cb
JH		 785 list_del_rcu(&smp->remote_irk->list);
786 kfree_rcu(smp->remote_irk, rcu);
6f48e260
JH		 787 }
788 }
789
790 chan->data = NULL;
453431a5 791 kfree_sensitive(smp);
923e2414 792 hci_conn_drop(hcon);
6f48e260
JH		 793}
794
84794e11 795static void smp_failure(struct l2cap_conn *conn, u8 reason)
4f957a76 796{
bab73cb6 797 struct hci_conn *hcon = conn->hcon;
b68fda68 798 struct l2cap_chan *chan = conn->smp;
bab73cb6 799
84794e11 800 if (reason)
4f957a76 801 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
f1560463 802 &reason);
4f957a76 803
e1e930f5 804 mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
f1c09c07 805
fc75cc86 806 if (chan->data)
f1c09c07 807 smp_chan_destroy(conn);
4f957a76
BG		 808}
809
2b64d153
BG		 810#define JUST_WORKS 0x00
811#define JUST_CFM 0x01
812#define REQ_PASSKEY 0x02
813#define CFM_PASSKEY 0x03
814#define REQ_OOB 0x04
5e3d3d9b 815#define DSP_PASSKEY 0x05
2b64d153
BG		 816#define OVERLAP 0xFF
817
818static const u8 gen_method[5][5] = {
819 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
820 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
822 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
823 { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP },
824};
825
5e3d3d9b
JH		 826static const u8 sc_method[5][5] = {
827 { JUST_WORKS, JUST_CFM, REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
828 { JUST_WORKS, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
829 { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
830 { JUST_WORKS, JUST_CFM, JUST_WORKS, JUST_WORKS, JUST_CFM },
831 { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
832};
833
581370cc
JH		 834static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
835{
2bcd4003
JH		 836 /* If either side has unknown io_caps, use JUST_CFM (which gets
837 * converted later to JUST_WORKS if we're initiators.
838 */
581370cc
JH		 839 if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
840 remote_io > SMP_IO_KEYBOARD_DISPLAY)
2bcd4003 841 return JUST_CFM;
581370cc 842
5e3d3d9b
JH		 843 if (test_bit(SMP_FLAG_SC, &smp->flags))
844 return sc_method[remote_io][local_io];
845
581370cc
JH		 846 return gen_method[remote_io][local_io];
847}
848
2b64d153
BG		 849static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
850 u8 local_io, u8 remote_io)
851{
852 struct hci_conn *hcon = conn->hcon;
5d88cc73
JH		 853 struct l2cap_chan *chan = conn->smp;
854 struct smp_chan *smp = chan->data;
2b64d153 855 u32 passkey = 0;
d1d900f8 856 int ret;
2b64d153
BG		 857
858 /* Initialize key for JUST WORKS */
859 memset(smp->tk, 0, sizeof(smp->tk));
4a74d658 860 clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 861
862 BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
863
2bcd4003
JH		 864 /* If neither side wants MITM, either "just" confirm an incoming
865 * request or use just-works for outgoing ones. The JUST_CFM
866 * will be converted to JUST_WORKS if necessary later in this
867 * function. If either side has MITM look up the method from the
868 * table.
869 */
581370cc 870 if (!(auth & SMP_AUTH_MITM))
783e0574 871 smp->method = JUST_CFM;
2b64d153 872 else
783e0574 873 smp->method = get_auth_method(smp, local_io, remote_io);
2b64d153 874
a82505c7 875 /* Don't confirm locally initiated pairing attempts */
783e0574
JH		 876 if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
877 &smp->flags))
878 smp->method = JUST_WORKS;
a82505c7 879
02f3e254 880 /* Don't bother user space with no IO capabilities */
783e0574
JH		 881 if (smp->method == JUST_CFM &&
882 hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
883 smp->method = JUST_WORKS;
02f3e254 884
92516cd9
SS		 885 /* If Just Works, Continue with Zero TK and ask user-space for
886 * confirmation */
783e0574 887 if (smp->method == JUST_WORKS) {
d1d900f8 888 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
92516cd9
SS		 889 hcon->type,
890 hcon->dst_type,
891 passkey, 1);
d1d900f8
GR		 892 if (ret)
893 return ret;
92516cd9 894 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2b64d153
BG		 895 return 0;
896 }
897
19c5ce9c
JH		 898 /* If this function is used for SC -> legacy fallback we
899 * can only recover the just-works case.
900 */
901 if (test_bit(SMP_FLAG_SC, &smp->flags))
902 return -EINVAL;
903
2b64d153 904 /* Not Just Works/Confirm results in MITM Authentication */
783e0574 905 if (smp->method != JUST_CFM) {
4a74d658 906 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
5eb596f5
JH		 907 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
908 hcon->pending_sec_level = BT_SECURITY_HIGH;
909 }
2b64d153
BG		 910
911 /* If both devices have Keyoard-Display I/O, the master
912 * Confirms and the slave Enters the passkey.
913 */
783e0574 914 if (smp->method == OVERLAP) {
40bef302 915 if (hcon->role == HCI_ROLE_MASTER)
783e0574 916 smp->method = CFM_PASSKEY;
2b64d153 917 else
783e0574 918 smp->method = REQ_PASSKEY;
2b64d153
BG		 919 }
920
01ad34d2 921 /* Generate random passkey. */
783e0574 922 if (smp->method == CFM_PASSKEY) {
943a732a 923 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153
BG		 924 get_random_bytes(&passkey, sizeof(passkey));
925 passkey %= 1000000;
943a732a 926 put_unaligned_le32(passkey, smp->tk);
2b64d153 927 BT_DBG("PassKey: %d", passkey);
4a74d658 928 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 929 }
930
783e0574 931 if (smp->method == REQ_PASSKEY)
ce39fb4e 932 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
272d90df 933 hcon->type, hcon->dst_type);
783e0574 934 else if (smp->method == JUST_CFM)
4eb65e66
JH		 935 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
936 hcon->type, hcon->dst_type,
937 passkey, 1);
2b64d153 938 else
01ad34d2 939 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
272d90df 940 hcon->type, hcon->dst_type,
39adbffe 941 passkey, 0);
2b64d153 942
2b64d153
BG		 943 return ret;
944}
945
1cc61144 946static u8 smp_confirm(struct smp_chan *smp)
8aab4757 947{
8aab4757 948 struct l2cap_conn *conn = smp->conn;
8aab4757
VCG		 949 struct smp_cmd_pairing_confirm cp;
950 int ret;
8aab4757
VCG		 951
952 BT_DBG("conn %p", conn);
953
28a220aa 954 ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
b1cd5fd9 955 conn->hcon->init_addr_type, &conn->hcon->init_addr,
943a732a
JH		 956 conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
957 cp.confirm_val);
1cc61144
JH		 958 if (ret)
959 return SMP_UNSPECIFIED;
8aab4757 960
4a74d658 961 clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153 962
8aab4757
VCG		 963 smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
964
b28b4943
JH		 965 if (conn->hcon->out)
966 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
967 else
968 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
969
1cc61144 970 return 0;
8aab4757
VCG		 971}
972
861580a9 973static u8 smp_random(struct smp_chan *smp)
8aab4757 974{
8aab4757
VCG		 975 struct l2cap_conn *conn = smp->conn;
976 struct hci_conn *hcon = conn->hcon;
861580a9 977 u8 confirm[16];
8aab4757
VCG		 978 int ret;
979
8aab4757
VCG		 980 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
981
28a220aa 982 ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
b1cd5fd9 983 hcon->init_addr_type, &hcon->init_addr,
943a732a 984 hcon->resp_addr_type, &hcon->resp_addr, confirm);
861580a9
JH		 985 if (ret)
986 return SMP_UNSPECIFIED;
8aab4757 987
329d8230 988 if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
2064ee33
MH		 989 bt_dev_err(hcon->hdev, "pairing failed "
990 "(confirmation values mismatch)");
861580a9 991 return SMP_CONFIRM_FAILED;
8aab4757
VCG		 992 }
993
994 if (hcon->out) {
fe39c7b2
MH		 995 u8 stk[16];
996 __le64 rand = 0;
997 __le16 ediv = 0;
8aab4757 998
28a220aa 999 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
8aab4757 1000
861580a9
JH		 1001 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1002 return SMP_UNSPECIFIED;
8aab4757 1003
8b76ce34 1004 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
f7aa611a 1005 hcon->enc_key_size = smp->enc_key_size;
fe59a05f 1006 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
8aab4757 1007 } else {
fff3490f 1008 u8 stk[16], auth;
fe39c7b2
MH		 1009 __le64 rand = 0;
1010 __le16 ediv = 0;
8aab4757 1011
943a732a
JH		 1012 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1013 smp->prnd);
8aab4757 1014
28a220aa 1015 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
8aab4757 1016
fff3490f
JH		 1017 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1018 auth = 1;
1019 else
1020 auth = 0;
1021
7d5843b7
JH		 1022 /* Even though there's no _SLAVE suffix this is the
1023 * slave STK we're adding for later lookup (the master
1024 * STK never needs to be stored).
1025 */
ce39fb4e 1026 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2ceba539 1027 SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
8aab4757
VCG		 1028 }
1029
861580a9 1030 return 0;
8aab4757
VCG		 1031}
1032
44f1a7ab
JH		 1033static void smp_notify_keys(struct l2cap_conn *conn)
1034{
1035 struct l2cap_chan *chan = conn->smp;
1036 struct smp_chan *smp = chan->data;
1037 struct hci_conn *hcon = conn->hcon;
1038 struct hci_dev *hdev = hcon->hdev;
1039 struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1040 struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1041 bool persistent;
1042
cad20c27
JH		 1043 if (hcon->type == ACL_LINK) {
1044 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1045 persistent = false;
1046 else
1047 persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1048 &hcon->flags);
1049 } else {
1050 /* The LTKs, IRKs and CSRKs should be persistent only if
1051 * both sides had the bonding bit set in their
1052 * authentication requests.
1053 */
1054 persistent = !!((req->auth_req & rsp->auth_req) &
1055 SMP_AUTH_BONDING);
1056 }
1057
44f1a7ab 1058 if (smp->remote_irk) {
cad20c27
JH		 1059 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1060
44f1a7ab
JH		 1061 /* Now that user space can be considered to know the
1062 * identity address track the connection based on it
b5ae344d 1063 * from now on (assuming this is an LE link).
44f1a7ab 1064 */
b5ae344d
JH		 1065 if (hcon->type == LE_LINK) {
1066 bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1067 hcon->dst_type = smp->remote_irk->addr_type;
1068 queue_work(hdev->workqueue, &conn->id_addr_update_work);
1069 }
44f1a7ab
JH		 1070 }
1071
44f1a7ab
JH		 1072 if (smp->csrk) {
1073 smp->csrk->bdaddr_type = hcon->dst_type;
1074 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1075 mgmt_new_csrk(hdev, smp->csrk, persistent);
1076 }
1077
1078 if (smp->slave_csrk) {
1079 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1080 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1081 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1082 }
1083
1084 if (smp->ltk) {
1085 smp->ltk->bdaddr_type = hcon->dst_type;
1086 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1087 mgmt_new_ltk(hdev, smp->ltk, persistent);
1088 }
1089
1090 if (smp->slave_ltk) {
1091 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1092 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1093 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1094 }
6a77083a
JH		 1095
1096 if (smp->link_key) {
e3befab9
JH		 1097 struct link_key *key;
1098 u8 type;
1099
1100 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1101 type = HCI_LK_DEBUG_COMBINATION;
1102 else if (hcon->sec_level == BT_SECURITY_FIPS)
1103 type = HCI_LK_AUTH_COMBINATION_P256;
1104 else
1105 type = HCI_LK_UNAUTH_COMBINATION_P256;
1106
1107 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1108 smp->link_key, type, 0, &persistent);
1109 if (key) {
1110 mgmt_new_link_key(hdev, key, persistent);
1111
1112 /* Don't keep debug keys around if the relevant
1113 * flag is not set.
1114 */
d7a5a11d 1115 if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
e3befab9
JH		 1116 key->type == HCI_LK_DEBUG_COMBINATION) {
1117 list_del_rcu(&key->list);
1118 kfree_rcu(key, rcu);
1119 }
1120 }
6a77083a
JH		 1121 }
1122}
1123
d3e54a87
JH		 1124static void sc_add_ltk(struct smp_chan *smp)
1125{
1126 struct hci_conn *hcon = smp->conn->hcon;
1127 u8 key_type, auth;
1128
1129 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1130 key_type = SMP_LTK_P256_DEBUG;
1131 else
1132 key_type = SMP_LTK_P256;
1133
1134 if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1135 auth = 1;
1136 else
1137 auth = 0;
1138
d3e54a87
JH		 1139 smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1140 key_type, auth, smp->tk, smp->enc_key_size,
1141 0, 0);
1142}
1143
6a77083a
JH		 1144static void sc_generate_link_key(struct smp_chan *smp)
1145{
a62da6f1 1146 /* From core spec. Spells out in ASCII as 'lebr'. */
6a77083a
JH		 1147 const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1148
1149 smp->link_key = kzalloc(16, GFP_KERNEL);
1150 if (!smp->link_key)
1151 return;
1152
a62da6f1 1153 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
151129df 1154 /* SALT = 0x000000000000000000000000746D7031 */
a62da6f1
JH		 1155 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1156
1157 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
453431a5 1158 kfree_sensitive(smp->link_key);
a62da6f1
JH		 1159 smp->link_key = NULL;
1160 return;
1161 }
1162 } else {
1163 /* From core spec. Spells out in ASCII as 'tmp1'. */
1164 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1165
1166 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
453431a5 1167 kfree_sensitive(smp->link_key);
a62da6f1
JH		 1168 smp->link_key = NULL;
1169 return;
1170 }
6a77083a
JH		 1171 }
1172
1173 if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
453431a5 1174 kfree_sensitive(smp->link_key);
6a77083a
JH		 1175 smp->link_key = NULL;
1176 return;
1177 }
44f1a7ab
JH		 1178}
1179
b28b4943
JH		 1180static void smp_allow_key_dist(struct smp_chan *smp)
1181{
1182 /* Allow the first expected phase 3 PDU. The rest of the PDUs
1183 * will be allowed in each PDU handler to ensure we receive
1184 * them in the correct order.
1185 */
1186 if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1187 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1188 else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1189 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1190 else if (smp->remote_key_dist & SMP_DIST_SIGN)
1191 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1192}
1193
b5ae344d
JH		 1194static void sc_generate_ltk(struct smp_chan *smp)
1195{
a62da6f1 1196 /* From core spec. Spells out in ASCII as 'brle'. */
b5ae344d
JH		 1197 const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1198 struct hci_conn *hcon = smp->conn->hcon;
1199 struct hci_dev *hdev = hcon->hdev;
1200 struct link_key *key;
1201
1202 key = hci_find_link_key(hdev, &hcon->dst);
1203 if (!key) {
2064ee33 1204 bt_dev_err(hdev, "no Link Key found to generate LTK");
b5ae344d
JH		 1205 return;
1206 }
1207
1208 if (key->type == HCI_LK_DEBUG_COMBINATION)
1209 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1210
a62da6f1 1211 if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
151129df 1212 /* SALT = 0x000000000000000000000000746D7032 */
a62da6f1
JH		 1213 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1214
1215 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1216 return;
1217 } else {
1218 /* From core spec. Spells out in ASCII as 'tmp2'. */
1219 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1220
1221 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1222 return;
1223 }
b5ae344d
JH		 1224
1225 if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1226 return;
1227
1228 sc_add_ltk(smp);
1229}
1230
d6268e86 1231static void smp_distribute_keys(struct smp_chan *smp)
44f1a7ab
JH		 1232{
1233 struct smp_cmd_pairing *req, *rsp;
86d1407c 1234 struct l2cap_conn *conn = smp->conn;
44f1a7ab
JH		 1235 struct hci_conn *hcon = conn->hcon;
1236 struct hci_dev *hdev = hcon->hdev;
1237 __u8 *keydist;
1238
1239 BT_DBG("conn %p", conn);
1240
44f1a7ab
JH		 1241 rsp = (void *) &smp->prsp[1];
1242
1243 /* The responder sends its keys first */
b28b4943
JH		 1244 if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1245 smp_allow_key_dist(smp);
86d1407c 1246 return;
b28b4943 1247 }
44f1a7ab
JH		 1248
1249 req = (void *) &smp->preq[1];
1250
1251 if (hcon->out) {
1252 keydist = &rsp->init_key_dist;
1253 *keydist &= req->init_key_dist;
1254 } else {
1255 keydist = &rsp->resp_key_dist;
1256 *keydist &= req->resp_key_dist;
1257 }
1258
6a77083a 1259 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
b5ae344d 1260 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
6a77083a 1261 sc_generate_link_key(smp);
b5ae344d
JH		 1262 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1263 sc_generate_ltk(smp);
6a77083a
JH		 1264
1265 /* Clear the keys which are generated but not distributed */
1266 *keydist &= ~SMP_SC_NO_DIST;
1267 }
1268
44f1a7ab
JH		 1269 BT_DBG("keydist 0x%x", *keydist);
1270
1271 if (*keydist & SMP_DIST_ENC_KEY) {
1272 struct smp_cmd_encrypt_info enc;
1273 struct smp_cmd_master_ident ident;
1274 struct smp_ltk *ltk;
1275 u8 authenticated;
1276 __le16 ediv;
1277 __le64 rand;
1278
1fc62c52
JH		 1279 /* Make sure we generate only the significant amount of
1280 * bytes based on the encryption key size, and set the rest
1281 * of the value to zeroes.
1282 */
1283 get_random_bytes(enc.ltk, smp->enc_key_size);
1284 memset(enc.ltk + smp->enc_key_size, 0,
1285 sizeof(enc.ltk) - smp->enc_key_size);
1286
44f1a7ab
JH		 1287 get_random_bytes(&ediv, sizeof(ediv));
1288 get_random_bytes(&rand, sizeof(rand));
1289
1290 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1291
1292 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1293 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1294 SMP_LTK_SLAVE, authenticated, enc.ltk,
1295 smp->enc_key_size, ediv, rand);
1296 smp->slave_ltk = ltk;
1297
1298 ident.ediv = ediv;
1299 ident.rand = rand;
1300
1301 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1302
1303 *keydist &= ~SMP_DIST_ENC_KEY;
1304 }
1305
1306 if (*keydist & SMP_DIST_ID_KEY) {
1307 struct smp_cmd_ident_addr_info addrinfo;
1308 struct smp_cmd_ident_info idinfo;
1309
1310 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1311
1312 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1313
1314 /* The hci_conn contains the local identity address
1315 * after the connection has been established.
1316 *
1317 * This is true even when the connection has been
1318 * established using a resolvable random address.
1319 */
1320 bacpy(&addrinfo.bdaddr, &hcon->src);
1321 addrinfo.addr_type = hcon->src_type;
1322
1323 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1324 &addrinfo);
1325
1326 *keydist &= ~SMP_DIST_ID_KEY;
1327 }
1328
1329 if (*keydist & SMP_DIST_SIGN) {
1330 struct smp_cmd_sign_info sign;
1331 struct smp_csrk *csrk;
1332
1333 /* Generate a new random key */
1334 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1335
1336 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1337 if (csrk) {
4cd3928a
JH		 1338 if (hcon->sec_level > BT_SECURITY_MEDIUM)
1339 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1340 else
1341 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
44f1a7ab
JH		 1342 memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1343 }
1344 smp->slave_csrk = csrk;
1345
1346 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1347
1348 *keydist &= ~SMP_DIST_SIGN;
1349 }
1350
1351 /* If there are still keys to be received wait for them */
b28b4943
JH		 1352 if (smp->remote_key_dist & KEY_DIST_MASK) {
1353 smp_allow_key_dist(smp);
86d1407c 1354 return;
b28b4943 1355 }
44f1a7ab 1356
44f1a7ab
JH		 1357 set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1358 smp_notify_keys(conn);
1359
1360 smp_chan_destroy(conn);
44f1a7ab
JH		 1361}
1362
b68fda68
JH		 1363static void smp_timeout(struct work_struct *work)
1364{
1365 struct smp_chan *smp = container_of(work, struct smp_chan,
1366 security_timer.work);
1367 struct l2cap_conn *conn = smp->conn;
1368
1369 BT_DBG("conn %p", conn);
1370
1e91c29e 1371 hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
b68fda68
JH		 1372}
1373
8aab4757
VCG		 1374static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1375{
5d88cc73 1376 struct l2cap_chan *chan = conn->smp;
8aab4757
VCG		 1377 struct smp_chan *smp;
1378
f1560463 1379 smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
fc75cc86 1380 if (!smp)
8aab4757
VCG		 1381 return NULL;
1382
71af2f6b 1383 smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
407cecf6
JH		 1384 if (IS_ERR(smp->tfm_cmac)) {
1385 BT_ERR("Unable to create CMAC crypto context");
28a220aa 1386 goto zfree_smp;
47eb2ac8
TA		 1387 }
1388
075f7732 1389 smp->tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
47eb2ac8
TA		 1390 if (IS_ERR(smp->tfm_ecdh)) {
1391 BT_ERR("Unable to create ECDH crypto context");
1392 goto free_shash;
407cecf6
JH		 1393 }
1394
8aab4757 1395 smp->conn = conn;
5d88cc73 1396 chan->data = smp;
8aab4757 1397
b28b4943
JH		 1398 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1399
b68fda68
JH		 1400 INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1401
8aab4757
VCG		 1402 hci_conn_hold(conn->hcon);
1403
1404 return smp;
47eb2ac8
TA		 1405
1406free_shash:
1407 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 1408zfree_smp:
453431a5 1409 kfree_sensitive(smp);
47eb2ac8 1410 return NULL;
8aab4757
VCG		 1411}
1412
760b018b
JH		 1413static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1414{
1415 struct hci_conn *hcon = smp->conn->hcon;
1416 u8 *na, *nb, a[7], b[7];
1417
1418 if (hcon->out) {
1419 na = smp->prnd;
1420 nb = smp->rrnd;
1421 } else {
1422 na = smp->rrnd;
1423 nb = smp->prnd;
1424 }
1425
1426 memcpy(a, &hcon->init_addr, 6);
1427 memcpy(b, &hcon->resp_addr, 6);
1428 a[6] = hcon->init_addr_type;
1429 b[6] = hcon->resp_addr_type;
1430
1431 return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1432}
1433
38606f14 1434static void sc_dhkey_check(struct smp_chan *smp)
760b018b
JH		 1435{
1436 struct hci_conn *hcon = smp->conn->hcon;
1437 struct smp_cmd_dhkey_check check;
1438 u8 a[7], b[7], *local_addr, *remote_addr;
1439 u8 io_cap[3], r[16];
1440
760b018b
JH		 1441 memcpy(a, &hcon->init_addr, 6);
1442 memcpy(b, &hcon->resp_addr, 6);
1443 a[6] = hcon->init_addr_type;
1444 b[6] = hcon->resp_addr_type;
1445
1446 if (hcon->out) {
1447 local_addr = a;
1448 remote_addr = b;
1449 memcpy(io_cap, &smp->preq[1], 3);
1450 } else {
1451 local_addr = b;
1452 remote_addr = a;
1453 memcpy(io_cap, &smp->prsp[1], 3);
1454 }
1455
dddd3059
JH		 1456 memset(r, 0, sizeof(r));
1457
1458 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
38606f14 1459 put_unaligned_le32(hcon->passkey_notify, r);
760b018b 1460
a29b0733
JH		 1461 if (smp->method == REQ_OOB)
1462 memcpy(r, smp->rr, 16);
1463
760b018b
JH		 1464 smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1465 local_addr, remote_addr, check.e);
1466
1467 smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
dddd3059
JH		 1468}
1469
38606f14
JH		 1470static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1471{
1472 struct l2cap_conn *conn = smp->conn;
1473 struct hci_conn *hcon = conn->hcon;
1474 struct smp_cmd_pairing_confirm cfm;
1475 u8 r;
1476
1477 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1478 r |= 0x80;
1479
1480 get_random_bytes(smp->prnd, sizeof(smp->prnd));
1481
1482 if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1483 cfm.confirm_val))
1484 return SMP_UNSPECIFIED;
1485
1486 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1487
1488 return 0;
1489}
1490
1491static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1492{
1493 struct l2cap_conn *conn = smp->conn;
1494 struct hci_conn *hcon = conn->hcon;
1495 struct hci_dev *hdev = hcon->hdev;
1496 u8 cfm[16], r;
1497
1498 /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1499 if (smp->passkey_round >= 20)
1500 return 0;
1501
1502 switch (smp_op) {
1503 case SMP_CMD_PAIRING_RANDOM:
1504 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1505 r |= 0x80;
1506
1507 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1508 smp->rrnd, r, cfm))
1509 return SMP_UNSPECIFIED;
1510
329d8230 1511 if (crypto_memneq(smp->pcnf, cfm, 16))
38606f14
JH		 1512 return SMP_CONFIRM_FAILED;
1513
1514 smp->passkey_round++;
1515
1516 if (smp->passkey_round == 20) {
1517 /* Generate MacKey and LTK */
1518 if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1519 return SMP_UNSPECIFIED;
1520 }
1521
1522 /* The round is only complete when the initiator
1523 * receives pairing random.
1524 */
1525 if (!hcon->out) {
1526 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527 sizeof(smp->prnd), smp->prnd);
d3e54a87 1528 if (smp->passkey_round == 20)
38606f14 1529 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
d3e54a87 1530 else
38606f14 1531 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
38606f14
JH		 1532 return 0;
1533 }
1534
1535 /* Start the next round */
1536 if (smp->passkey_round != 20)
1537 return sc_passkey_round(smp, 0);
1538
1539 /* Passkey rounds are complete - start DHKey Check */
1540 sc_dhkey_check(smp);
1541 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542
1543 break;
1544
1545 case SMP_CMD_PAIRING_CONFIRM:
1546 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1547 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1548 return 0;
1549 }
1550
1551 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1552
1553 if (hcon->out) {
1554 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1555 sizeof(smp->prnd), smp->prnd);
1556 return 0;
1557 }
1558
1559 return sc_passkey_send_confirm(smp);
1560
1561 case SMP_CMD_PUBLIC_KEY:
1562 default:
1563 /* Initiating device starts the round */
1564 if (!hcon->out)
1565 return 0;
1566
1567 BT_DBG("%s Starting passkey round %u", hdev->name,
1568 smp->passkey_round + 1);
1569
1570 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1571
1572 return sc_passkey_send_confirm(smp);
1573 }
1574
1575 return 0;
1576}
1577
dddd3059
JH		 1578static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1579{
38606f14
JH		 1580 struct l2cap_conn *conn = smp->conn;
1581 struct hci_conn *hcon = conn->hcon;
1582 u8 smp_op;
1583
1584 clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1585
dddd3059
JH		 1586 switch (mgmt_op) {
1587 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1588 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1589 return 0;
1590 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1591 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1592 return 0;
38606f14
JH		 1593 case MGMT_OP_USER_PASSKEY_REPLY:
1594 hcon->passkey_notify = le32_to_cpu(passkey);
1595 smp->passkey_round = 0;
1596
1597 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1598 smp_op = SMP_CMD_PAIRING_CONFIRM;
1599 else
1600 smp_op = 0;
1601
1602 if (sc_passkey_round(smp, smp_op))
1603 return -EIO;
1604
1605 return 0;
dddd3059
JH		 1606 }
1607
d3e54a87
JH		 1608 /* Initiator sends DHKey check first */
1609 if (hcon->out) {
1610 sc_dhkey_check(smp);
1611 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1612 } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1613 sc_dhkey_check(smp);
1614 sc_add_ltk(smp);
1615 }
760b018b
JH		 1616
1617 return 0;
1618}
1619
2b64d153
BG		 1620int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1621{
b10e8017 1622 struct l2cap_conn *conn = hcon->l2cap_data;
5d88cc73 1623 struct l2cap_chan *chan;
2b64d153
BG		 1624 struct smp_chan *smp;
1625 u32 value;
fc75cc86 1626 int err;
2b64d153
BG		 1627
1628 BT_DBG("");
1629
fc75cc86 1630 if (!conn)
2b64d153
BG		 1631 return -ENOTCONN;
1632
5d88cc73
JH		 1633 chan = conn->smp;
1634 if (!chan)
1635 return -ENOTCONN;
1636
fc75cc86
JH		 1637 l2cap_chan_lock(chan);
1638 if (!chan->data) {
1639 err = -ENOTCONN;
1640 goto unlock;
1641 }
1642
5d88cc73 1643 smp = chan->data;
2b64d153 1644
760b018b
JH		 1645 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1646 err = sc_user_reply(smp, mgmt_op, passkey);
1647 goto unlock;
1648 }
1649
2b64d153
BG		 1650 switch (mgmt_op) {
1651 case MGMT_OP_USER_PASSKEY_REPLY:
1652 value = le32_to_cpu(passkey);
943a732a 1653 memset(smp->tk, 0, sizeof(smp->tk));
2b64d153 1654 BT_DBG("PassKey: %d", value);
943a732a 1655 put_unaligned_le32(value, smp->tk);
19186c7b 1656 fallthrough;
2b64d153 1657 case MGMT_OP_USER_CONFIRM_REPLY:
4a74d658 1658 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
2b64d153
BG		 1659 break;
1660 case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1661 case MGMT_OP_USER_CONFIRM_NEG_REPLY:
84794e11 1662 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1663 err = 0;
1664 goto unlock;
2b64d153 1665 default:
84794e11 1666 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
fc75cc86
JH		 1667 err = -EOPNOTSUPP;
1668 goto unlock;
2b64d153
BG		 1669 }
1670
fc75cc86
JH		 1671 err = 0;
1672
2b64d153 1673 /* If it is our turn to send Pairing Confirm, do so now */
1cc61144
JH		 1674 if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1675 u8 rsp = smp_confirm(smp);
1676 if (rsp)
1677 smp_failure(conn, rsp);
1678 }
2b64d153 1679
fc75cc86
JH		 1680unlock:
1681 l2cap_chan_unlock(chan);
1682 return err;
2b64d153
BG		 1683}
1684
b5ae344d
JH		 1685static void build_bredr_pairing_cmd(struct smp_chan *smp,
1686 struct smp_cmd_pairing *req,
1687 struct smp_cmd_pairing *rsp)
1688{
1689 struct l2cap_conn *conn = smp->conn;
1690 struct hci_dev *hdev = conn->hcon->hdev;
1691 u8 local_dist = 0, remote_dist = 0;
1692
d7a5a11d 1693 if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
b5ae344d
JH		 1694 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696 }
1697
d7a5a11d 1698 if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
b5ae344d
JH		 1699 remote_dist |= SMP_DIST_ID_KEY;
1700
d7a5a11d 1701 if (hci_dev_test_flag(hdev, HCI_PRIVACY))
b5ae344d
JH		 1702 local_dist |= SMP_DIST_ID_KEY;
1703
1704 if (!rsp) {
1705 memset(req, 0, sizeof(*req));
1706
a62da6f1 1707 req->auth_req = SMP_AUTH_CT2;
b5ae344d
JH		 1708 req->init_key_dist = local_dist;
1709 req->resp_key_dist = remote_dist;
e3f6a257 1710 req->max_key_size = conn->hcon->enc_key_size;
b5ae344d
JH		 1711
1712 smp->remote_key_dist = remote_dist;
1713
1714 return;
1715 }
1716
1717 memset(rsp, 0, sizeof(*rsp));
1718
a62da6f1 1719 rsp->auth_req = SMP_AUTH_CT2;
e3f6a257 1720 rsp->max_key_size = conn->hcon->enc_key_size;
b5ae344d
JH		 1721 rsp->init_key_dist = req->init_key_dist & remote_dist;
1722 rsp->resp_key_dist = req->resp_key_dist & local_dist;
1723
1724 smp->remote_key_dist = rsp->init_key_dist;
1725}
1726
da85e5e5 1727static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1728{
3158c50c 1729 struct smp_cmd_pairing rsp, *req = (void *) skb->data;
fc75cc86 1730 struct l2cap_chan *chan = conn->smp;
b3c6410b 1731 struct hci_dev *hdev = conn->hcon->hdev;
8aab4757 1732 struct smp_chan *smp;
c7262e71 1733 u8 key_size, auth, sec_level;
8aab4757 1734 int ret;
88ba43b6
AB		 1735
1736 BT_DBG("conn %p", conn);
1737
c46b98be 1738 if (skb->len < sizeof(*req))
38e4a915 1739 return SMP_INVALID_PARAMS;
c46b98be 1740
40bef302 1741 if (conn->hcon->role != HCI_ROLE_SLAVE)
2b64d153
BG		 1742 return SMP_CMD_NOTSUPP;
1743
fc75cc86 1744 if (!chan->data)
8aab4757 1745 smp = smp_chan_create(conn);
fc75cc86 1746 else
5d88cc73 1747 smp = chan->data;
8aab4757 1748
d08fd0e7
AE		 1749 if (!smp)
1750 return SMP_UNSPECIFIED;
d26a2345 1751
c05b9339 1752 /* We didn't start the pairing, so match remote */
0edb14de 1753 auth = req->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1754
d7a5a11d 1755 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
c05b9339 1756 (auth & SMP_AUTH_BONDING))
b3c6410b
JH		 1757 return SMP_PAIRING_NOTSUPP;
1758
d7a5a11d 1759 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 1760 return SMP_AUTH_REQUIREMENTS;
1761
1c1def09
VCG		 1762 smp->preq[0] = SMP_CMD_PAIRING_REQ;
1763 memcpy(&smp->preq[1], req, sizeof(*req));
3158c50c 1764 skb_pull(skb, sizeof(*req));
88ba43b6 1765
cb06d366
JH		 1766 /* If the remote side's OOB flag is set it means it has
1767 * successfully received our local OOB data - therefore set the
1768 * flag to indicate that local OOB is in use.
1769 */
94f14e47 1770 if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
58428563
JH		 1771 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1772
b5ae344d
JH		 1773 /* SMP over BR/EDR requires special treatment */
1774 if (conn->hcon->type == ACL_LINK) {
1775 /* We must have a BR/EDR SC link */
08f63cc5 1776 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
b7cb93e5 1777 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
b5ae344d
JH		 1778 return SMP_CROSS_TRANSP_NOT_ALLOWED;
1779
1780 set_bit(SMP_FLAG_SC, &smp->flags);
1781
1782 build_bredr_pairing_cmd(smp, req, &rsp);
1783
a62da6f1
JH		 1784 if (req->auth_req & SMP_AUTH_CT2)
1785 set_bit(SMP_FLAG_CT2, &smp->flags);
1786
b5ae344d
JH		 1787 key_size = min(req->max_key_size, rsp.max_key_size);
1788 if (check_enc_key_size(conn, key_size))
1789 return SMP_ENC_KEY_SIZE;
1790
1791 /* Clear bits which are generated but not distributed */
1792 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1793
1794 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1795 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1796 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1797
1798 smp_distribute_keys(smp);
1799 return 0;
1800 }
1801
5e3d3d9b
JH		 1802 build_pairing_cmd(conn, req, &rsp, auth);
1803
a62da6f1 1804 if (rsp.auth_req & SMP_AUTH_SC) {
5e3d3d9b
JH		 1805 set_bit(SMP_FLAG_SC, &smp->flags);
1806
a62da6f1
JH		 1807 if (rsp.auth_req & SMP_AUTH_CT2)
1808 set_bit(SMP_FLAG_CT2, &smp->flags);
1809 }
1810
5be5e275 1811 if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 1812 sec_level = BT_SECURITY_MEDIUM;
1813 else
1814 sec_level = authreq_to_seclevel(auth);
1815
c7262e71
JH		 1816 if (sec_level > conn->hcon->pending_sec_level)
1817 conn->hcon->pending_sec_level = sec_level;
fdde0a26 1818
49c922bb 1819 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1820 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1821 u8 method;
1822
1823 method = get_auth_method(smp, conn->hcon->io_capability,
1824 req->io_capability);
1825 if (method == JUST_WORKS || method == JUST_CFM)
1826 return SMP_AUTH_REQUIREMENTS;
1827 }
1828
3158c50c
VCG		 1829 key_size = min(req->max_key_size, rsp.max_key_size);
1830 if (check_enc_key_size(conn, key_size))
1831 return SMP_ENC_KEY_SIZE;
88ba43b6 1832
e84a6b13 1833 get_random_bytes(smp->prnd, sizeof(smp->prnd));
8aab4757 1834
1c1def09
VCG		 1835 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1836 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
f01ead31 1837
3158c50c 1838 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
3b19146d
JH		 1839
1840 clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1841
19c5ce9c
JH		 1842 /* Strictly speaking we shouldn't allow Pairing Confirm for the
1843 * SC case, however some implementations incorrectly copy RFU auth
1844 * req bits from our security request, which may create a false
1845 * positive SC enablement.
1846 */
1847 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1848
3b19146d
JH		 1849 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1850 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1851 /* Clear bits which are generated but not distributed */
1852 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1853 /* Wait for Public Key from Initiating Device */
1854 return 0;
3b19146d 1855 }
da85e5e5 1856
2b64d153
BG		 1857 /* Request setup of TK */
1858 ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1859 if (ret)
1860 return SMP_UNSPECIFIED;
1861
da85e5e5 1862 return 0;
88ba43b6
AB		 1863}
1864
3b19146d
JH		 1865static u8 sc_send_public_key(struct smp_chan *smp)
1866{
70157ef5
JH		 1867 struct hci_dev *hdev = smp->conn->hcon->hdev;
1868
56860245 1869 bt_dev_dbg(hdev, "");
3b19146d 1870
1a8bab4f 1871 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
33d0c030
MH		 1872 struct l2cap_chan *chan = hdev->smp_data;
1873 struct smp_dev *smp_dev;
1874
1875 if (!chan || !chan->data)
1876 return SMP_UNSPECIFIED;
1877
1878 smp_dev = chan->data;
1879
1880 memcpy(smp->local_pk, smp_dev->local_pk, 64);
fb334fee 1881 memcpy(smp->lr, smp_dev->local_rand, 16);
33d0c030
MH		 1882
1883 if (smp_dev->debug_key)
1884 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885
1886 goto done;
1887 }
1888
d7a5a11d 1889 if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
70157ef5 1890 BT_DBG("Using debug keys");
c0153b0b
TA		 1891 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1892 return SMP_UNSPECIFIED;
70157ef5 1893 memcpy(smp->local_pk, debug_pk, 64);
70157ef5
JH		 1894 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895 } else {
1896 while (true) {
c0153b0b
TA		 1897 /* Generate key pair for Secure Connections */
1898 if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
70157ef5 1899 return SMP_UNSPECIFIED;
6c0dcc50 1900
70157ef5
JH		 1901 /* This is unlikely, but we need to check that
1902 * we didn't accidentially generate a debug key.
1903 */
c0153b0b 1904 if (crypto_memneq(smp->local_pk, debug_pk, 64))
70157ef5
JH		 1905 break;
1906 }
6c0dcc50 1907 }
3b19146d 1908
33d0c030 1909done:
c7a3d57d 1910 SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
8e4e2ee5 1911 SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
3b19146d
JH		 1912
1913 smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1914
1915 return 0;
1916}
1917
da85e5e5 1918static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 1919{
3158c50c 1920 struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
5d88cc73
JH		 1921 struct l2cap_chan *chan = conn->smp;
1922 struct smp_chan *smp = chan->data;
0edb14de 1923 struct hci_dev *hdev = conn->hcon->hdev;
3a7dbfb8 1924 u8 key_size, auth;
7d24ddcc 1925 int ret;
88ba43b6
AB		 1926
1927 BT_DBG("conn %p", conn);
1928
c46b98be 1929 if (skb->len < sizeof(*rsp))
38e4a915 1930 return SMP_INVALID_PARAMS;
c46b98be 1931
40bef302 1932 if (conn->hcon->role != HCI_ROLE_MASTER)
2b64d153
BG		 1933 return SMP_CMD_NOTSUPP;
1934
3158c50c
VCG		 1935 skb_pull(skb, sizeof(*rsp));
1936
1c1def09 1937 req = (void *) &smp->preq[1];
da85e5e5 1938
3158c50c
VCG		 1939 key_size = min(req->max_key_size, rsp->max_key_size);
1940 if (check_enc_key_size(conn, key_size))
1941 return SMP_ENC_KEY_SIZE;
1942
0edb14de 1943 auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 1944
d7a5a11d 1945 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 1946 return SMP_AUTH_REQUIREMENTS;
1947
cb06d366
JH		 1948 /* If the remote side's OOB flag is set it means it has
1949 * successfully received our local OOB data - therefore set the
1950 * flag to indicate that local OOB is in use.
1951 */
94f14e47 1952 if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
58428563
JH		 1953 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1954
b5ae344d
JH		 1955 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1956 memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1957
1958 /* Update remote key distribution in case the remote cleared
1959 * some bits that we had enabled in our request.
1960 */
1961 smp->remote_key_dist &= rsp->resp_key_dist;
1962
a62da6f1
JH		 1963 if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1964 set_bit(SMP_FLAG_CT2, &smp->flags);
1965
b5ae344d
JH		 1966 /* For BR/EDR this means we're done and can start phase 3 */
1967 if (conn->hcon->type == ACL_LINK) {
1968 /* Clear bits which are generated but not distributed */
1969 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1970 smp_distribute_keys(smp);
1971 return 0;
1972 }
1973
65668776
JH		 1974 if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1975 set_bit(SMP_FLAG_SC, &smp->flags);
d2eb9e10
JH		 1976 else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1977 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
65668776 1978
49c922bb 1979 /* If we need MITM check that it can be achieved */
2ed8f65c
JH		 1980 if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1981 u8 method;
1982
1983 method = get_auth_method(smp, req->io_capability,
1984 rsp->io_capability);
1985 if (method == JUST_WORKS || method == JUST_CFM)
1986 return SMP_AUTH_REQUIREMENTS;
1987 }
1988
e84a6b13 1989 get_random_bytes(smp->prnd, sizeof(smp->prnd));
7d24ddcc 1990
fdcc4bec
JH		 1991 /* Update remote key distribution in case the remote cleared
1992 * some bits that we had enabled in our request.
1993 */
1994 smp->remote_key_dist &= rsp->resp_key_dist;
1995
3b19146d
JH		 1996 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1997 /* Clear bits which are generated but not distributed */
1998 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1999 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2000 return sc_send_public_key(smp);
2001 }
2002
c05b9339 2003 auth |= req->auth_req;
2b64d153 2004
476585ec 2005 ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2b64d153
BG		 2006 if (ret)
2007 return SMP_UNSPECIFIED;
2008
4a74d658 2009 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2b64d153
BG		 2010
2011 /* Can't compose response until we have been confirmed */
4a74d658 2012 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 2013 return smp_confirm(smp);
da85e5e5
VCG		 2014
2015 return 0;
88ba43b6
AB		 2016}
2017
dcee2b32
JH		 2018static u8 sc_check_confirm(struct smp_chan *smp)
2019{
2020 struct l2cap_conn *conn = smp->conn;
2021
2022 BT_DBG("");
2023
38606f14
JH		 2024 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2025 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2026
dcee2b32
JH		 2027 if (conn->hcon->out) {
2028 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2029 smp->prnd);
2030 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2031 }
2032
2033 return 0;
2034}
2035
19c5ce9c
JH		 2036/* Work-around for some implementations that incorrectly copy RFU bits
2037 * from our security request and thereby create the impression that
2038 * we're doing SC when in fact the remote doesn't support it.
2039 */
2040static int fixup_sc_false_positive(struct smp_chan *smp)
2041{
2042 struct l2cap_conn *conn = smp->conn;
2043 struct hci_conn *hcon = conn->hcon;
2044 struct hci_dev *hdev = hcon->hdev;
2045 struct smp_cmd_pairing *req, *rsp;
2046 u8 auth;
2047
2048 /* The issue is only observed when we're in slave role */
2049 if (hcon->out)
2050 return SMP_UNSPECIFIED;
2051
2052 if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2064ee33 2053 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
19c5ce9c
JH		 2054 return SMP_UNSPECIFIED;
2055 }
2056
2064ee33 2057 bt_dev_err(hdev, "trying to fall back to legacy SMP");
19c5ce9c
JH		 2058
2059 req = (void *) &smp->preq[1];
2060 rsp = (void *) &smp->prsp[1];
2061
2062 /* Rebuild key dist flags which may have been cleared for SC */
2063 smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2064
2065 auth = req->auth_req & AUTH_REQ_MASK(hdev);
2066
2067 if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2064ee33 2068 bt_dev_err(hdev, "failed to fall back to legacy SMP");
19c5ce9c
JH		 2069 return SMP_UNSPECIFIED;
2070 }
2071
2072 clear_bit(SMP_FLAG_SC, &smp->flags);
2073
2074 return 0;
2075}
2076
da85e5e5 2077static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 2078{
5d88cc73
JH		 2079 struct l2cap_chan *chan = conn->smp;
2080 struct smp_chan *smp = chan->data;
7d24ddcc 2081
88ba43b6
AB		 2082 BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2083
c46b98be 2084 if (skb->len < sizeof(smp->pcnf))
38e4a915 2085 return SMP_INVALID_PARAMS;
c46b98be 2086
1c1def09
VCG		 2087 memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2088 skb_pull(skb, sizeof(smp->pcnf));
88ba43b6 2089
19c5ce9c
JH		 2090 if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2091 int ret;
2092
2093 /* Public Key exchange must happen before any other steps */
2094 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2095 return sc_check_confirm(smp);
2096
2097 BT_ERR("Unexpected SMP Pairing Confirm");
2098
2099 ret = fixup_sc_false_positive(smp);
2100 if (ret)
2101 return ret;
2102 }
dcee2b32 2103
b28b4943 2104 if (conn->hcon->out) {
943a732a
JH		 2105 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2106 smp->prnd);
b28b4943
JH		 2107 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2108 return 0;
2109 }
2110
2111 if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
1cc61144 2112 return smp_confirm(smp);
983f9814
MH		 2113
2114 set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
da85e5e5
VCG		 2115
2116 return 0;
88ba43b6
AB		 2117}
2118
da85e5e5 2119static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6 2120{
5d88cc73
JH		 2121 struct l2cap_chan *chan = conn->smp;
2122 struct smp_chan *smp = chan->data;
191dc7fe 2123 struct hci_conn *hcon = conn->hcon;
eed467b5 2124 u8 *pkax, *pkbx, *na, *nb, confirm_hint;
191dc7fe
JH		 2125 u32 passkey;
2126 int err;
7d24ddcc 2127
8aab4757 2128 BT_DBG("conn %p", conn);
3158c50c 2129
c46b98be 2130 if (skb->len < sizeof(smp->rrnd))
38e4a915 2131 return SMP_INVALID_PARAMS;
c46b98be 2132
943a732a 2133 memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
8aab4757 2134 skb_pull(skb, sizeof(smp->rrnd));
e7e62c85 2135
191dc7fe
JH		 2136 if (!test_bit(SMP_FLAG_SC, &smp->flags))
2137 return smp_random(smp);
2138
580039e8
JH		 2139 if (hcon->out) {
2140 pkax = smp->local_pk;
2141 pkbx = smp->remote_pk;
2142 na = smp->prnd;
2143 nb = smp->rrnd;
2144 } else {
2145 pkax = smp->remote_pk;
2146 pkbx = smp->local_pk;
2147 na = smp->rrnd;
2148 nb = smp->prnd;
2149 }
2150
a29b0733
JH		 2151 if (smp->method == REQ_OOB) {
2152 if (!hcon->out)
2153 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2154 sizeof(smp->prnd), smp->prnd);
2155 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2156 goto mackey_and_ltk;
2157 }
2158
38606f14
JH		 2159 /* Passkey entry has special treatment */
2160 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2161 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2162
191dc7fe
JH		 2163 if (hcon->out) {
2164 u8 cfm[16];
2165
2166 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2167 smp->rrnd, 0, cfm);
2168 if (err)
2169 return SMP_UNSPECIFIED;
2170
329d8230 2171 if (crypto_memneq(smp->pcnf, cfm, 16))
191dc7fe 2172 return SMP_CONFIRM_FAILED;
191dc7fe
JH		 2173 } else {
2174 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2175 smp->prnd);
2176 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
cee5f20f
HC		 2177
2178 /* Only Just-Works pairing requires extra checks */
2179 if (smp->method != JUST_WORKS)
2180 goto mackey_and_ltk;
2181
2182 /* If there already exists long term key in local host, leave
2183 * the decision to user space since the remote device could
2184 * be legitimate or malicious.
2185 */
2186 if (hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
2187 hcon->role)) {
eed467b5
HC		 2188 /* Set passkey to 0. The value can be any number since
2189 * it'll be ignored anyway.
2190 */
2191 passkey = 0;
2192 confirm_hint = 1;
2193 goto confirm;
cee5f20f 2194 }
191dc7fe
JH		 2195 }
2196
a29b0733 2197mackey_and_ltk:
760b018b
JH		 2198 /* Generate MacKey and LTK */
2199 err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2200 if (err)
2201 return SMP_UNSPECIFIED;
2202
ffee202a 2203 if (smp->method == REQ_OOB) {
dddd3059 2204 if (hcon->out) {
38606f14 2205 sc_dhkey_check(smp);
dddd3059
JH		 2206 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2207 }
2208 return 0;
2209 }
2210
38606f14
JH		 2211 err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2212 if (err)
2213 return SMP_UNSPECIFIED;
2214
eed467b5
HC		 2215 confirm_hint = 0;
2216
2217confirm:
ffee202a
SS		 2218 if (smp->method == JUST_WORKS)
2219 confirm_hint = 1;
2220
38606f14 2221 err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
eed467b5 2222 hcon->dst_type, passkey, confirm_hint);
191dc7fe
JH		 2223 if (err)
2224 return SMP_UNSPECIFIED;
2225
38606f14
JH		 2226 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2227
191dc7fe 2228 return 0;
88ba43b6
AB		 2229}
2230
f81cd823 2231static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
988c5997 2232{
c9839a11 2233 struct smp_ltk *key;
988c5997
VCG		 2234 struct hci_conn *hcon = conn->hcon;
2235
f3a73d97 2236 key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
988c5997 2237 if (!key)
f81cd823 2238 return false;
988c5997 2239
a6f7833c 2240 if (smp_ltk_sec_level(key) < sec_level)
f81cd823 2241 return false;
4dab7864 2242
51a8efd7 2243 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
f81cd823 2244 return true;
988c5997 2245
8b76ce34 2246 hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
c9839a11 2247 hcon->enc_key_size = key->enc_size;
988c5997 2248
fe59a05f
JH		 2249 /* We never store STKs for master role, so clear this flag */
2250 clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2251
f81cd823 2252 return true;
988c5997 2253}
f1560463 2254
35dc6f83
JH		 2255bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2256 enum smp_key_pref key_pref)
854f4727
JH		 2257{
2258 if (sec_level == BT_SECURITY_LOW)
2259 return true;
2260
35dc6f83
JH		 2261 /* If we're encrypted with an STK but the caller prefers using
2262 * LTK claim insufficient security. This way we allow the
2263 * connection to be re-encrypted with an LTK, even if the LTK
2264 * provides the same level of security. Only exception is if we
2265 * don't have an LTK (e.g. because of key distribution bits).
9ab65d60 2266 */
35dc6f83
JH		 2267 if (key_pref == SMP_USE_LTK &&
2268 test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
f3a73d97 2269 hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
9ab65d60
JH		 2270 return false;
2271
854f4727
JH		 2272 if (hcon->sec_level >= sec_level)
2273 return true;
2274
2275 return false;
2276}
2277
da85e5e5 2278static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
88ba43b6
AB		 2279{
2280 struct smp_cmd_security_req *rp = (void *) skb->data;
2281 struct smp_cmd_pairing cp;
f1cb9af5 2282 struct hci_conn *hcon = conn->hcon;
0edb14de 2283 struct hci_dev *hdev = hcon->hdev;
8aab4757 2284 struct smp_chan *smp;
c05b9339 2285 u8 sec_level, auth;
88ba43b6
AB		 2286
2287 BT_DBG("conn %p", conn);
2288
c46b98be 2289 if (skb->len < sizeof(*rp))
38e4a915 2290 return SMP_INVALID_PARAMS;
c46b98be 2291
40bef302 2292 if (hcon->role != HCI_ROLE_MASTER)
86ca9eac
JH		 2293 return SMP_CMD_NOTSUPP;
2294
0edb14de 2295 auth = rp->auth_req & AUTH_REQ_MASK(hdev);
c05b9339 2296
d7a5a11d 2297 if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
903b71c7
JH		 2298 return SMP_AUTH_REQUIREMENTS;
2299
5be5e275 2300 if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1afc2a1a
JH		 2301 sec_level = BT_SECURITY_MEDIUM;
2302 else
2303 sec_level = authreq_to_seclevel(auth);
2304
64e759f5
SJ		 2305 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2306 /* If link is already encrypted with sufficient security we
2307 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2308 * Part H 2.4.6
2309 */
2310 smp_ltk_encrypt(conn, hcon->sec_level);
854f4727 2311 return 0;
64e759f5 2312 }
854f4727 2313
c7262e71
JH		 2314 if (sec_level > hcon->pending_sec_level)
2315 hcon->pending_sec_level = sec_level;
feb45eb5 2316
4dab7864 2317 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
988c5997
VCG		 2318 return 0;
2319
8aab4757 2320 smp = smp_chan_create(conn);
c29d2444
JH		 2321 if (!smp)
2322 return SMP_UNSPECIFIED;
d26a2345 2323
d7a5a11d 2324 if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
c05b9339 2325 (auth & SMP_AUTH_BONDING))
616d55be
JH		 2326 return SMP_PAIRING_NOTSUPP;
2327
88ba43b6 2328 skb_pull(skb, sizeof(*rp));
88ba43b6 2329
da85e5e5 2330 memset(&cp, 0, sizeof(cp));
c05b9339 2331 build_pairing_cmd(conn, &cp, NULL, auth);
88ba43b6 2332
1c1def09
VCG		 2333 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2334 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2335
88ba43b6 2336 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2337 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
f1cb9af5 2338
da85e5e5 2339 return 0;
88ba43b6
AB		 2340}
2341
cc110922 2342int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
eb492e01 2343{
cc110922 2344 struct l2cap_conn *conn = hcon->l2cap_data;
c68b7f12 2345 struct l2cap_chan *chan;
0a66cf20 2346 struct smp_chan *smp;
2b64d153 2347 __u8 authreq;
fc75cc86 2348 int ret;
eb492e01 2349
3a0259bb
VCG		 2350 BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2351
0a66cf20
JH		 2352 /* This may be NULL if there's an unexpected disconnection */
2353 if (!conn)
2354 return 1;
2355
d7a5a11d 2356 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2e65c9d2
AG		 2357 return 1;
2358
35dc6f83 2359 if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
eb492e01 2360 return 1;
f1cb9af5 2361
c7262e71
JH		 2362 if (sec_level > hcon->pending_sec_level)
2363 hcon->pending_sec_level = sec_level;
2364
40bef302 2365 if (hcon->role == HCI_ROLE_MASTER)
c7262e71
JH		 2366 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2367 return 0;
d26a2345 2368
d8949aad
JH		 2369 chan = conn->smp;
2370 if (!chan) {
2064ee33 2371 bt_dev_err(hcon->hdev, "security requested but not available");
d8949aad
JH		 2372 return 1;
2373 }
2374
fc75cc86
JH		 2375 l2cap_chan_lock(chan);
2376
2377 /* If SMP is already in progress ignore this request */
2378 if (chan->data) {
2379 ret = 0;
2380 goto unlock;
2381 }
d26a2345 2382
8aab4757 2383 smp = smp_chan_create(conn);
fc75cc86
JH		 2384 if (!smp) {
2385 ret = 1;
2386 goto unlock;
2387 }
2b64d153
BG		 2388
2389 authreq = seclevel_to_authreq(sec_level);
d26a2345 2390
a62da6f1 2391 if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
d2eb9e10 2392 authreq |= SMP_AUTH_SC;
a62da6f1
JH		 2393 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2394 authreq |= SMP_AUTH_CT2;
2395 }
d2eb9e10 2396
c2aa30db
AP		 2397 /* Don't attempt to set MITM if setting is overridden by debugfs
2398 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2e233644 2399 */
c2aa30db
AP		 2400 if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2401 /* Require MITM if IO Capability allows or the security level
2402 * requires it.
2403 */
2404 if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2405 hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2406 authreq |= SMP_AUTH_MITM;
2407 }
2e233644 2408
40bef302 2409 if (hcon->role == HCI_ROLE_MASTER) {
d26a2345 2410 struct smp_cmd_pairing cp;
f01ead31 2411
2b64d153 2412 build_pairing_cmd(conn, &cp, NULL, authreq);
1c1def09
VCG		 2413 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2414 memcpy(&smp->preq[1], &cp, sizeof(cp));
f01ead31 2415
eb492e01 2416 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
b28b4943 2417 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
eb492e01
AB		 2418 } else {
2419 struct smp_cmd_security_req cp;
2b64d153 2420 cp.auth_req = authreq;
eb492e01 2421 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
b28b4943 2422 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
eb492e01
AB		 2423 }
2424
4a74d658 2425 set_bit(SMP_FLAG_INITIATOR, &smp->flags);
fc75cc86 2426 ret = 0;
edca792c 2427
fc75cc86
JH		 2428unlock:
2429 l2cap_chan_unlock(chan);
2430 return ret;
eb492e01
AB		 2431}
2432
cb28c306
MK		 2433int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2434 u8 addr_type)
c81d555a 2435{
cb28c306
MK		 2436 struct hci_conn *hcon;
2437 struct l2cap_conn *conn;
c81d555a
JH		 2438 struct l2cap_chan *chan;
2439 struct smp_chan *smp;
cb28c306
MK		 2440 int err;
2441
2442 err = hci_remove_ltk(hdev, bdaddr, addr_type);
2443 hci_remove_irk(hdev, bdaddr, addr_type);
2444
2445 hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2446 if (!hcon)
2447 goto done;
c81d555a 2448
cb28c306 2449 conn = hcon->l2cap_data;
c81d555a 2450 if (!conn)
cb28c306 2451 goto done;
c81d555a
JH		 2452
2453 chan = conn->smp;
2454 if (!chan)
cb28c306 2455 goto done;
c81d555a
JH		 2456
2457 l2cap_chan_lock(chan);
2458
2459 smp = chan->data;
2460 if (smp) {
cb28c306
MK		 2461 /* Set keys to NULL to make sure smp_failure() does not try to
2462 * remove and free already invalidated rcu list entries. */
2463 smp->ltk = NULL;
2464 smp->slave_ltk = NULL;
2465 smp->remote_irk = NULL;
2466
c81d555a
JH		 2467 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2468 smp_failure(conn, 0);
2469 else
2470 smp_failure(conn, SMP_UNSPECIFIED);
cb28c306 2471 err = 0;
c81d555a
JH		 2472 }
2473
2474 l2cap_chan_unlock(chan);
cb28c306
MK		 2475
2476done:
2477 return err;
c81d555a
JH		 2478}
2479
7034b911
VCG		 2480static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2481{
16b90839 2482 struct smp_cmd_encrypt_info *rp = (void *) skb->data;
5d88cc73
JH		 2483 struct l2cap_chan *chan = conn->smp;
2484 struct smp_chan *smp = chan->data;
16b90839 2485
c46b98be
JH		 2486 BT_DBG("conn %p", conn);
2487
2488 if (skb->len < sizeof(*rp))
38e4a915 2489 return SMP_INVALID_PARAMS;
c46b98be 2490
600a8749
AM		 2491 /* Pairing is aborted if any blocked keys are distributed */
2492 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2493 rp->ltk)) {
2494 bt_dev_warn_ratelimited(conn->hcon->hdev,
2495 "LTK blocked for %pMR",
2496 &conn->hcon->dst);
2497 return SMP_INVALID_PARAMS;
2498 }
2499
b28b4943 2500 SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
6131ddc8 2501
16b90839
VCG		 2502 skb_pull(skb, sizeof(*rp));
2503
1c1def09 2504 memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
16b90839 2505
7034b911
VCG		 2506 return 0;
2507}
2508
2509static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2510{
16b90839 2511 struct smp_cmd_master_ident *rp = (void *) skb->data;
5d88cc73
JH		 2512 struct l2cap_chan *chan = conn->smp;
2513 struct smp_chan *smp = chan->data;
c9839a11
VCG		 2514 struct hci_dev *hdev = conn->hcon->hdev;
2515 struct hci_conn *hcon = conn->hcon;
23d0e128 2516 struct smp_ltk *ltk;
c9839a11 2517 u8 authenticated;
16b90839 2518
c46b98be
JH		 2519 BT_DBG("conn %p", conn);
2520
2521 if (skb->len < sizeof(*rp))
38e4a915 2522 return SMP_INVALID_PARAMS;
c46b98be 2523
9747a9f3
JH		 2524 /* Mark the information as received */
2525 smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2526
b28b4943
JH		 2527 if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2528 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
196332f5
JH		 2529 else if (smp->remote_key_dist & SMP_DIST_SIGN)
2530 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
b28b4943 2531
16b90839 2532 skb_pull(skb, sizeof(*rp));
7034b911 2533
ce39fb4e 2534 authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2ceba539 2535 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
23d0e128
JH		 2536 authenticated, smp->tk, smp->enc_key_size,
2537 rp->ediv, rp->rand);
2538 smp->ltk = ltk;
c6e81e9a 2539 if (!(smp->remote_key_dist & KEY_DIST_MASK))
d6268e86 2540 smp_distribute_keys(smp);
7034b911
VCG		 2541
2542 return 0;
2543}
2544
fd349c02
JH		 2545static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2546{
2547 struct smp_cmd_ident_info *info = (void *) skb->data;
5d88cc73
JH		 2548 struct l2cap_chan *chan = conn->smp;
2549 struct smp_chan *smp = chan->data;
fd349c02
JH		 2550
2551 BT_DBG("");
2552
2553 if (skb->len < sizeof(*info))
38e4a915 2554 return SMP_INVALID_PARAMS;
fd349c02 2555
600a8749
AM		 2556 /* Pairing is aborted if any blocked keys are distributed */
2557 if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2558 info->irk)) {
2559 bt_dev_warn_ratelimited(conn->hcon->hdev,
2560 "Identity key blocked for %pMR",
2561 &conn->hcon->dst);
2562 return SMP_INVALID_PARAMS;
2563 }
2564
b28b4943 2565 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
6131ddc8 2566
fd349c02
JH		 2567 skb_pull(skb, sizeof(*info));
2568
2569 memcpy(smp->irk, info->irk, 16);
2570
2571 return 0;
2572}
2573
2574static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2575 struct sk_buff *skb)
2576{
2577 struct smp_cmd_ident_addr_info *info = (void *) skb->data;
5d88cc73
JH		 2578 struct l2cap_chan *chan = conn->smp;
2579 struct smp_chan *smp = chan->data;
fd349c02
JH		 2580 struct hci_conn *hcon = conn->hcon;
2581 bdaddr_t rpa;
2582
2583 BT_DBG("");
2584
2585 if (skb->len < sizeof(*info))
38e4a915 2586 return SMP_INVALID_PARAMS;
fd349c02 2587
9747a9f3
JH		 2588 /* Mark the information as received */
2589 smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2590
b28b4943
JH		 2591 if (smp->remote_key_dist & SMP_DIST_SIGN)
2592 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2593
fd349c02
JH		 2594 skb_pull(skb, sizeof(*info));
2595
a9a58f86
JH		 2596 /* Strictly speaking the Core Specification (4.1) allows sending
2597 * an empty address which would force us to rely on just the IRK
2598 * as "identity information". However, since such
2599 * implementations are not known of and in order to not over
2600 * complicate our implementation, simply pretend that we never
2601 * received an IRK for such a device.
e12af489
JH		 2602 *
2603 * The Identity Address must also be a Static Random or Public
2604 * Address, which hci_is_identity_address() checks for.
a9a58f86 2605 */
e12af489
JH		 2606 if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2607 !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2064ee33 2608 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
31dd624e 2609 goto distribute;
a9a58f86
JH		 2610 }
2611
1d87b88b
SJ		 2612 /* Drop IRK if peer is using identity address during pairing but is
2613 * providing different address as identity information.
2614 *
2615 * Microsoft Surface Precision Mouse is known to have this bug.
2616 */
2617 if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2618 (bacmp(&info->bdaddr, &hcon->dst) ||
2619 info->addr_type != hcon->dst_type)) {
2620 bt_dev_err(hcon->hdev,
2621 "ignoring IRK with invalid identity address");
2622 goto distribute;
2623 }
2624
fd349c02
JH		 2625 bacpy(&smp->id_addr, &info->bdaddr);
2626 smp->id_addr_type = info->addr_type;
2627
2628 if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2629 bacpy(&rpa, &hcon->dst);
2630 else
2631 bacpy(&rpa, BDADDR_ANY);
2632
23d0e128
JH		 2633 smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2634 smp->id_addr_type, smp->irk, &rpa);
fd349c02 2635
31dd624e 2636distribute:
c6e81e9a
JH		 2637 if (!(smp->remote_key_dist & KEY_DIST_MASK))
2638 smp_distribute_keys(smp);
fd349c02
JH		 2639
2640 return 0;
2641}
2642
7ee4ea36
MH		 2643static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2644{
2645 struct smp_cmd_sign_info *rp = (void *) skb->data;
5d88cc73
JH		 2646 struct l2cap_chan *chan = conn->smp;
2647 struct smp_chan *smp = chan->data;
7ee4ea36
MH		 2648 struct smp_csrk *csrk;
2649
2650 BT_DBG("conn %p", conn);
2651
2652 if (skb->len < sizeof(*rp))
38e4a915 2653 return SMP_INVALID_PARAMS;
7ee4ea36 2654
7ee4ea36
MH		 2655 /* Mark the information as received */
2656 smp->remote_key_dist &= ~SMP_DIST_SIGN;
2657
2658 skb_pull(skb, sizeof(*rp));
2659
7ee4ea36
MH		 2660 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2661 if (csrk) {
4cd3928a
JH		 2662 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2663 csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2664 else
2665 csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
7ee4ea36
MH		 2666 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2667 }
2668 smp->csrk = csrk;
d6268e86 2669 smp_distribute_keys(smp);
7ee4ea36
MH		 2670
2671 return 0;
2672}
2673
5e3d3d9b
JH		 2674static u8 sc_select_method(struct smp_chan *smp)
2675{
2676 struct l2cap_conn *conn = smp->conn;
2677 struct hci_conn *hcon = conn->hcon;
2678 struct smp_cmd_pairing *local, *remote;
2679 u8 local_mitm, remote_mitm, local_io, remote_io, method;
2680
1a8bab4f
JH		 2681 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2682 test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
a29b0733
JH		 2683 return REQ_OOB;
2684
5e3d3d9b
JH		 2685 /* The preq/prsp contain the raw Pairing Request/Response PDUs
2686 * which are needed as inputs to some crypto functions. To get
2687 * the "struct smp_cmd_pairing" from them we need to skip the
2688 * first byte which contains the opcode.
2689 */
2690 if (hcon->out) {
2691 local = (void *) &smp->preq[1];
2692 remote = (void *) &smp->prsp[1];
2693 } else {
2694 local = (void *) &smp->prsp[1];
2695 remote = (void *) &smp->preq[1];
2696 }
2697
2698 local_io = local->io_capability;
2699 remote_io = remote->io_capability;
2700
2701 local_mitm = (local->auth_req & SMP_AUTH_MITM);
2702 remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2703
2704 /* If either side wants MITM, look up the method from the table,
2705 * otherwise use JUST WORKS.
2706 */
2707 if (local_mitm || remote_mitm)
2708 method = get_auth_method(smp, local_io, remote_io);
2709 else
2710 method = JUST_WORKS;
2711
2712 /* Don't confirm locally initiated pairing attempts */
2713 if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2714 method = JUST_WORKS;
2715
2716 return method;
2717}
2718
d8f8edbe
JH		 2719static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2720{
2721 struct smp_cmd_public_key *key = (void *) skb->data;
2722 struct hci_conn *hcon = conn->hcon;
2723 struct l2cap_chan *chan = conn->smp;
2724 struct smp_chan *smp = chan->data;
5e3d3d9b 2725 struct hci_dev *hdev = hcon->hdev;
c0153b0b 2726 struct crypto_kpp *tfm_ecdh;
cbbbe3e2 2727 struct smp_cmd_pairing_confirm cfm;
d8f8edbe
JH		 2728 int err;
2729
2730 BT_DBG("conn %p", conn);
2731
2732 if (skb->len < sizeof(*key))
2733 return SMP_INVALID_PARAMS;
2734
2735 memcpy(smp->remote_pk, key, 64);
2736
a8ca617c
JH		 2737 if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2738 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2739 smp->rr, 0, cfm.confirm_val);
2740 if (err)
2741 return SMP_UNSPECIFIED;
2742
329d8230 2743 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
a8ca617c
JH		 2744 return SMP_CONFIRM_FAILED;
2745 }
2746
d8f8edbe
JH		 2747 /* Non-initiating device sends its public key after receiving
2748 * the key from the initiating device.
2749 */
2750 if (!hcon->out) {
2751 err = sc_send_public_key(smp);
2752 if (err)
2753 return err;
2754 }
2755
c7a3d57d 2756 SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
e091526d 2757 SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
d8f8edbe 2758
c0153b0b
TA		 2759 /* Compute the shared secret on the same crypto tfm on which the private
2760 * key was set/generated.
2761 */
2762 if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
4ba5175f
MK		 2763 struct l2cap_chan *hchan = hdev->smp_data;
2764 struct smp_dev *smp_dev;
2765
2766 if (!hchan || !hchan->data)
2767 return SMP_UNSPECIFIED;
2768
2769 smp_dev = hchan->data;
c0153b0b
TA		 2770
2771 tfm_ecdh = smp_dev->tfm_ecdh;
2772 } else {
2773 tfm_ecdh = smp->tfm_ecdh;
2774 }
2775
2776 if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
d8f8edbe
JH		 2777 return SMP_UNSPECIFIED;
2778
c7a3d57d 2779 SMP_DBG("DHKey %32phN", smp->dhkey);
d8f8edbe
JH		 2780
2781 set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2782
5e3d3d9b
JH		 2783 smp->method = sc_select_method(smp);
2784
2785 BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2786
2787 /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2788 if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2789 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2790 else
2791 hcon->pending_sec_level = BT_SECURITY_FIPS;
2792
329d8230 2793 if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
aeb7d461
JH		 2794 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2795
38606f14
JH		 2796 if (smp->method == DSP_PASSKEY) {
2797 get_random_bytes(&hcon->passkey_notify,
2798 sizeof(hcon->passkey_notify));
2799 hcon->passkey_notify %= 1000000;
2800 hcon->passkey_entered = 0;
2801 smp->passkey_round = 0;
2802 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2803 hcon->dst_type,
2804 hcon->passkey_notify,
2805 hcon->passkey_entered))
2806 return SMP_UNSPECIFIED;
2807 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2808 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2809 }
2810
94ea7257 2811 if (smp->method == REQ_OOB) {
a29b0733
JH		 2812 if (hcon->out)
2813 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2814 sizeof(smp->prnd), smp->prnd);
2815
2816 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2817
2818 return 0;
2819 }
2820
38606f14
JH		 2821 if (hcon->out)
2822 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2823
2824 if (smp->method == REQ_PASSKEY) {
2825 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2826 hcon->dst_type))
2827 return SMP_UNSPECIFIED;
2828 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2829 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2830 return 0;
2831 }
2832
cbbbe3e2
JH		 2833 /* The Initiating device waits for the non-initiating device to
2834 * send the confirm value.
2835 */
2836 if (conn->hcon->out)
2837 return 0;
2838
2839 err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2840 0, cfm.confirm_val);
2841 if (err)
2842 return SMP_UNSPECIFIED;
2843
2844 smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2845 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2846
d8f8edbe
JH		 2847 return 0;
2848}
2849
6433a9a2
JH		 2850static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2851{
2852 struct smp_cmd_dhkey_check *check = (void *) skb->data;
2853 struct l2cap_chan *chan = conn->smp;
2854 struct hci_conn *hcon = conn->hcon;
2855 struct smp_chan *smp = chan->data;
2856 u8 a[7], b[7], *local_addr, *remote_addr;
2857 u8 io_cap[3], r[16], e[16];
2858 int err;
2859
2860 BT_DBG("conn %p", conn);
2861
2862 if (skb->len < sizeof(*check))
2863 return SMP_INVALID_PARAMS;
2864
2865 memcpy(a, &hcon->init_addr, 6);
2866 memcpy(b, &hcon->resp_addr, 6);
2867 a[6] = hcon->init_addr_type;
2868 b[6] = hcon->resp_addr_type;
2869
2870 if (hcon->out) {
2871 local_addr = a;
2872 remote_addr = b;
2873 memcpy(io_cap, &smp->prsp[1], 3);
2874 } else {
2875 local_addr = b;
2876 remote_addr = a;
2877 memcpy(io_cap, &smp->preq[1], 3);
2878 }
2879
2880 memset(r, 0, sizeof(r));
2881
38606f14
JH		 2882 if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2883 put_unaligned_le32(hcon->passkey_notify, r);
882fafad
JH		 2884 else if (smp->method == REQ_OOB)
2885 memcpy(r, smp->lr, 16);
38606f14 2886
6433a9a2
JH		 2887 err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2888 io_cap, remote_addr, local_addr, e);
2889 if (err)
2890 return SMP_UNSPECIFIED;
2891
329d8230 2892 if (crypto_memneq(check->e, e, 16))
6433a9a2
JH		 2893 return SMP_DHKEY_CHECK_FAILED;
2894
d3e54a87
JH		 2895 if (!hcon->out) {
2896 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2897 set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2898 return 0;
2899 }
d378a2d7 2900
d3e54a87
JH		 2901 /* Slave sends DHKey check as response to master */
2902 sc_dhkey_check(smp);
2903 }
d378a2d7 2904
d3e54a87 2905 sc_add_ltk(smp);
6433a9a2
JH		 2906
2907 if (hcon->out) {
8b76ce34 2908 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
6433a9a2
JH		 2909 hcon->enc_key_size = smp->enc_key_size;
2910 }
2911
2912 return 0;
2913}
2914
1408bb6e
JH		 2915static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2916 struct sk_buff *skb)
2917{
2918 struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2919
2920 BT_DBG("value 0x%02x", kp->value);
2921
2922 return 0;
2923}
2924
4befb867 2925static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
eb492e01 2926{
5d88cc73 2927 struct l2cap_conn *conn = chan->conn;
7b9899db 2928 struct hci_conn *hcon = conn->hcon;
b28b4943 2929 struct smp_chan *smp;
92381f5c 2930 __u8 code, reason;
eb492e01
AB		 2931 int err = 0;
2932
8ae9b984 2933 if (skb->len < 1)
92381f5c 2934 return -EILSEQ;
92381f5c 2935
d7a5a11d 2936 if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2e65c9d2
AG		 2937 reason = SMP_PAIRING_NOTSUPP;
2938 goto done;
2939 }
2940
92381f5c 2941 code = skb->data[0];
eb492e01
AB		 2942 skb_pull(skb, sizeof(code));
2943
b28b4943
JH		 2944 smp = chan->data;
2945
2946 if (code > SMP_CMD_MAX)
2947 goto drop;
2948
24bd0bd9 2949 if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
b28b4943
JH		 2950 goto drop;
2951
2952 /* If we don't have a context the only allowed commands are
2953 * pairing request and security request.
8cf9fa12 2954 */
b28b4943
JH		 2955 if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2956 goto drop;
8cf9fa12 2957
eb492e01
AB		 2958 switch (code) {
2959 case SMP_CMD_PAIRING_REQ:
da85e5e5 2960 reason = smp_cmd_pairing_req(conn, skb);
eb492e01
AB		 2961 break;
2962
2963 case SMP_CMD_PAIRING_FAIL:
84794e11 2964 smp_failure(conn, 0);
da85e5e5 2965 err = -EPERM;
eb492e01
AB		 2966 break;
2967
2968 case SMP_CMD_PAIRING_RSP:
da85e5e5 2969 reason = smp_cmd_pairing_rsp(conn, skb);
88ba43b6
AB		 2970 break;
2971
2972 case SMP_CMD_SECURITY_REQ:
da85e5e5 2973 reason = smp_cmd_security_req(conn, skb);
88ba43b6
AB		 2974 break;
2975
eb492e01 2976 case SMP_CMD_PAIRING_CONFIRM:
da85e5e5 2977 reason = smp_cmd_pairing_confirm(conn, skb);
88ba43b6
AB		 2978 break;
2979
eb492e01 2980 case SMP_CMD_PAIRING_RANDOM:
da85e5e5 2981 reason = smp_cmd_pairing_random(conn, skb);
88ba43b6
AB		 2982 break;
2983
eb492e01 2984 case SMP_CMD_ENCRYPT_INFO:
7034b911
VCG		 2985 reason = smp_cmd_encrypt_info(conn, skb);
2986 break;
2987
eb492e01 2988 case SMP_CMD_MASTER_IDENT:
7034b911
VCG		 2989 reason = smp_cmd_master_ident(conn, skb);
2990 break;
2991
eb492e01 2992 case SMP_CMD_IDENT_INFO:
fd349c02
JH		 2993 reason = smp_cmd_ident_info(conn, skb);
2994 break;
2995
eb492e01 2996 case SMP_CMD_IDENT_ADDR_INFO:
fd349c02
JH		 2997 reason = smp_cmd_ident_addr_info(conn, skb);
2998 break;
2999
eb492e01 3000 case SMP_CMD_SIGN_INFO:
7ee4ea36 3001 reason = smp_cmd_sign_info(conn, skb);
7034b911
VCG		 3002 break;
3003
d8f8edbe
JH		 3004 case SMP_CMD_PUBLIC_KEY:
3005 reason = smp_cmd_public_key(conn, skb);
3006 break;
3007
6433a9a2
JH		 3008 case SMP_CMD_DHKEY_CHECK:
3009 reason = smp_cmd_dhkey_check(conn, skb);
3010 break;
3011
1408bb6e
JH		 3012 case SMP_CMD_KEYPRESS_NOTIFY:
3013 reason = smp_cmd_keypress_notify(conn, skb);
3014 break;
3015
eb492e01
AB		 3016 default:
3017 BT_DBG("Unknown command code 0x%2.2x", code);
eb492e01 3018 reason = SMP_CMD_NOTSUPP;
3a0259bb 3019 goto done;
eb492e01
AB		 3020 }
3021
3a0259bb 3022done:
9b7b18ef
JH		 3023 if (!err) {
3024 if (reason)
3025 smp_failure(conn, reason);
8ae9b984 3026 kfree_skb(skb);
9b7b18ef
JH		 3027 }
3028
eb492e01 3029 return err;
b28b4943
JH		 3030
3031drop:
2064ee33
MH		 3032 bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3033 code, &hcon->dst);
b28b4943
JH		 3034 kfree_skb(skb);
3035 return 0;
eb492e01 3036}
7034b911 3037
70db83c4
JH		 3038static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3039{
3040 struct l2cap_conn *conn = chan->conn;
3041
3042 BT_DBG("chan %p", chan);
3043
fc75cc86 3044 if (chan->data)
5d88cc73 3045 smp_chan_destroy(conn);
5d88cc73 3046
70db83c4
JH		 3047 conn->smp = NULL;
3048 l2cap_chan_put(chan);
3049}
3050
b5ae344d
JH		 3051static void bredr_pairing(struct l2cap_chan *chan)
3052{
3053 struct l2cap_conn *conn = chan->conn;
3054 struct hci_conn *hcon = conn->hcon;
3055 struct hci_dev *hdev = hcon->hdev;
3056 struct smp_cmd_pairing req;
3057 struct smp_chan *smp;
3058
3059 BT_DBG("chan %p", chan);
3060
3061 /* Only new pairings are interesting */
3062 if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3063 return;
3064
3065 /* Don't bother if we're not encrypted */
3066 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3067 return;
3068
3069 /* Only master may initiate SMP over BR/EDR */
3070 if (hcon->role != HCI_ROLE_MASTER)
3071 return;
3072
3073 /* Secure Connections support must be enabled */
d7a5a11d 3074 if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
b5ae344d
JH		 3075 return;
3076
3077 /* BR/EDR must use Secure Connections for SMP */
3078 if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
b7cb93e5 3079 !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
b5ae344d
JH		 3080 return;
3081
3082 /* If our LE support is not enabled don't do anything */
d7a5a11d 3083 if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
b5ae344d
JH		 3084 return;
3085
3086 /* Don't bother if remote LE support is not enabled */
3087 if (!lmp_host_le_capable(hcon))
3088 return;
3089
3090 /* Remote must support SMP fixed chan for BR/EDR */
3091 if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3092 return;
3093
3094 /* Don't bother if SMP is already ongoing */
3095 if (chan->data)
3096 return;
3097
3098 smp = smp_chan_create(conn);
3099 if (!smp) {
2064ee33 3100 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
b5ae344d
JH		 3101 return;
3102 }
3103
3104 set_bit(SMP_FLAG_SC, &smp->flags);
3105
3106 BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3107
3108 /* Prepare and send the BR/EDR SMP Pairing Request */
3109 build_bredr_pairing_cmd(smp, &req, NULL);
3110
3111 smp->preq[0] = SMP_CMD_PAIRING_REQ;
3112 memcpy(&smp->preq[1], &req, sizeof(req));
3113
3114 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3115 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3116}
3117
44f1a7ab
JH		 3118static void smp_resume_cb(struct l2cap_chan *chan)
3119{
b68fda68 3120 struct smp_chan *smp = chan->data;
44f1a7ab
JH		 3121 struct l2cap_conn *conn = chan->conn;
3122 struct hci_conn *hcon = conn->hcon;
3123
3124 BT_DBG("chan %p", chan);
3125
b5ae344d
JH		 3126 if (hcon->type == ACL_LINK) {
3127 bredr_pairing(chan);
ef8efe4b 3128 return;
b5ae344d 3129 }
ef8efe4b 3130
86d1407c
JH		 3131 if (!smp)
3132 return;
b68fda68 3133
84bc0db5
JH		 3134 if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3135 return;
3136
86d1407c
JH		 3137 cancel_delayed_work(&smp->security_timer);
3138
d6268e86 3139 smp_distribute_keys(smp);
44f1a7ab
JH		 3140}
3141
70db83c4
JH		 3142static void smp_ready_cb(struct l2cap_chan *chan)
3143{
3144 struct l2cap_conn *conn = chan->conn;
b5ae344d 3145 struct hci_conn *hcon = conn->hcon;
70db83c4
JH		 3146
3147 BT_DBG("chan %p", chan);
3148
7883746b
JH		 3149 /* No need to call l2cap_chan_hold() here since we already own
3150 * the reference taken in smp_new_conn_cb(). This is just the
3151 * first time that we tie it to a specific pointer. The code in
3152 * l2cap_core.c ensures that there's no risk this function wont
3153 * get called if smp_new_conn_cb was previously called.
3154 */
70db83c4 3155 conn->smp = chan;
b5ae344d
JH		 3156
3157 if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3158 bredr_pairing(chan);
70db83c4
JH		 3159}
3160
4befb867
JH		 3161static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3162{
3163 int err;
3164
3165 BT_DBG("chan %p", chan);
3166
3167 err = smp_sig_channel(chan, skb);
3168 if (err) {
b68fda68 3169 struct smp_chan *smp = chan->data;
4befb867 3170
b68fda68
JH		 3171 if (smp)
3172 cancel_delayed_work_sync(&smp->security_timer);
4befb867 3173
1e91c29e 3174 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
4befb867
JH		 3175 }
3176
3177 return err;
3178}
3179
70db83c4
JH		 3180static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3181 unsigned long hdr_len,
3182 unsigned long len, int nb)
3183{
3184 struct sk_buff *skb;
3185
3186 skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3187 if (!skb)
3188 return ERR_PTR(-ENOMEM);
3189
3190 skb->priority = HCI_PRIO_MAX;
a4368ff3 3191 bt_cb(skb)->l2cap.chan = chan;
70db83c4
JH		 3192
3193 return skb;
3194}
3195
3196static const struct l2cap_ops smp_chan_ops = {
3197 .name = "Security Manager",
3198 .ready = smp_ready_cb,
5d88cc73 3199 .recv = smp_recv_cb,
70db83c4
JH		 3200 .alloc_skb = smp_alloc_skb_cb,
3201 .teardown = smp_teardown_cb,
44f1a7ab 3202 .resume = smp_resume_cb,
70db83c4
JH		 3203
3204 .new_connection = l2cap_chan_no_new_connection,
70db83c4
JH		 3205 .state_change = l2cap_chan_no_state_change,
3206 .close = l2cap_chan_no_close,
3207 .defer = l2cap_chan_no_defer,
3208 .suspend = l2cap_chan_no_suspend,
70db83c4
JH		 3209 .set_shutdown = l2cap_chan_no_set_shutdown,
3210 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 3211};
3212
3213static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3214{
3215 struct l2cap_chan *chan;
3216
3217 BT_DBG("pchan %p", pchan);
3218
3219 chan = l2cap_chan_create();
3220 if (!chan)
3221 return NULL;
3222
3223 chan->chan_type = pchan->chan_type;
3224 chan->ops = &smp_chan_ops;
3225 chan->scid = pchan->scid;
3226 chan->dcid = chan->scid;
3227 chan->imtu = pchan->imtu;
3228 chan->omtu = pchan->omtu;
3229 chan->mode = pchan->mode;
3230
abe84903
JH		 3231 /* Other L2CAP channels may request SMP routines in order to
3232 * change the security level. This means that the SMP channel
3233 * lock must be considered in its own category to avoid lockdep
3234 * warnings.
3235 */
3236 atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3237
70db83c4
JH		 3238 BT_DBG("created chan %p", chan);
3239
3240 return chan;
3241}
3242
3243static const struct l2cap_ops smp_root_chan_ops = {
3244 .name = "Security Manager Root",
3245 .new_connection = smp_new_conn_cb,
3246
3247 /* None of these are implemented for the root channel */
3248 .close = l2cap_chan_no_close,
3249 .alloc_skb = l2cap_chan_no_alloc_skb,
3250 .recv = l2cap_chan_no_recv,
3251 .state_change = l2cap_chan_no_state_change,
3252 .teardown = l2cap_chan_no_teardown,
3253 .ready = l2cap_chan_no_ready,
3254 .defer = l2cap_chan_no_defer,
3255 .suspend = l2cap_chan_no_suspend,
3256 .resume = l2cap_chan_no_resume,
3257 .set_shutdown = l2cap_chan_no_set_shutdown,
3258 .get_sndtimeo = l2cap_chan_no_get_sndtimeo,
70db83c4
JH		 3259};
3260
ef8efe4b 3261static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
711eafe3 3262{
70db83c4 3263 struct l2cap_chan *chan;
88a479d9 3264 struct smp_dev *smp;
71af2f6b 3265 struct crypto_shash *tfm_cmac;
47eb2ac8 3266 struct crypto_kpp *tfm_ecdh;
70db83c4 3267
ef8efe4b 3268 if (cid == L2CAP_CID_SMP_BREDR) {
88a479d9 3269 smp = NULL;
ef8efe4b
JH		 3270 goto create_chan;
3271 }
711eafe3 3272
88a479d9
MH		 3273 smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3274 if (!smp)
3275 return ERR_PTR(-ENOMEM);
3276
71af2f6b 3277 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
6e2dc6d1
MH		 3278 if (IS_ERR(tfm_cmac)) {
3279 BT_ERR("Unable to create CMAC crypto context");
453431a5 3280 kfree_sensitive(smp);
6e2dc6d1
MH		 3281 return ERR_CAST(tfm_cmac);
3282 }
3283
075f7732 3284 tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
47eb2ac8
TA		 3285 if (IS_ERR(tfm_ecdh)) {
3286 BT_ERR("Unable to create ECDH crypto context");
3287 crypto_free_shash(tfm_cmac);
453431a5 3288 kfree_sensitive(smp);
47eb2ac8
TA		 3289 return ERR_CAST(tfm_ecdh);
3290 }
3291
94f14e47 3292 smp->local_oob = false;
6e2dc6d1 3293 smp->tfm_cmac = tfm_cmac;
47eb2ac8 3294 smp->tfm_ecdh = tfm_ecdh;
88a479d9 3295
ef8efe4b 3296create_chan:
70db83c4
JH		 3297 chan = l2cap_chan_create();
3298 if (!chan) {
63511f6d 3299 if (smp) {
71af2f6b 3300 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 3301 crypto_free_kpp(smp->tfm_ecdh);
453431a5 3302 kfree_sensitive(smp);
63511f6d 3303 }
ef8efe4b 3304 return ERR_PTR(-ENOMEM);
70db83c4
JH		 3305 }
3306
88a479d9 3307 chan->data = smp;
defce9e8 3308
ef8efe4b 3309 l2cap_add_scid(chan, cid);
70db83c4
JH		 3310
3311 l2cap_chan_set_defaults(chan);
3312
157029ba 3313 if (cid == L2CAP_CID_SMP) {
39e3e744
JH		 3314 u8 bdaddr_type;
3315
3316 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3317
3318 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
157029ba 3319 chan->src_type = BDADDR_LE_PUBLIC;
39e3e744
JH		 3320 else
3321 chan->src_type = BDADDR_LE_RANDOM;
157029ba
MH		 3322 } else {
3323 bacpy(&chan->src, &hdev->bdaddr);
ef8efe4b 3324 chan->src_type = BDADDR_BREDR;
157029ba
MH		 3325 }
3326
70db83c4
JH		 3327 chan->state = BT_LISTEN;
3328 chan->mode = L2CAP_MODE_BASIC;
3329 chan->imtu = L2CAP_DEFAULT_MTU;
3330 chan->ops = &smp_root_chan_ops;
3331
abe84903
JH		 3332 /* Set correct nesting level for a parent/listening channel */
3333 atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3334
ef8efe4b 3335 return chan;
711eafe3
JH		 3336}
3337
ef8efe4b 3338static void smp_del_chan(struct l2cap_chan *chan)
711eafe3 3339{
88a479d9 3340 struct smp_dev *smp;
70db83c4 3341
ef8efe4b 3342 BT_DBG("chan %p", chan);
711eafe3 3343
88a479d9
MH		 3344 smp = chan->data;
3345 if (smp) {
defce9e8 3346 chan->data = NULL;
71af2f6b 3347 crypto_free_shash(smp->tfm_cmac);
47eb2ac8 3348 crypto_free_kpp(smp->tfm_ecdh);
453431a5 3349 kfree_sensitive(smp);
711eafe3 3350 }
70db83c4 3351
70db83c4 3352 l2cap_chan_put(chan);
711eafe3 3353}
ef8efe4b 3354
82493316 3355int smp_force_bredr(struct hci_dev *hdev, bool enable)
300acfde 3356{
b7cb93e5 3357 if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
300acfde
MH		 3358 return -EALREADY;
3359
3360 if (enable) {
3361 struct l2cap_chan *chan;
3362
3363 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3364 if (IS_ERR(chan))
3365 return PTR_ERR(chan);
3366
3367 hdev->smp_bredr_data = chan;
3368 } else {
3369 struct l2cap_chan *chan;
3370
3371 chan = hdev->smp_bredr_data;
3372 hdev->smp_bredr_data = NULL;
3373 smp_del_chan(chan);
3374 }
3375
b7cb93e5 3376 hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
300acfde 3377
82493316 3378 return 0;
300acfde
MH		 3379}
3380
ef8efe4b
JH		 3381int smp_register(struct hci_dev *hdev)
3382{
3383 struct l2cap_chan *chan;
3384
3385 BT_DBG("%s", hdev->name);
3386
7e7ec445
MH		 3387 /* If the controller does not support Low Energy operation, then
3388 * there is also no need to register any SMP channel.
3389 */
3390 if (!lmp_le_capable(hdev))
3391 return 0;
3392
2b8df323
MH		 3393 if (WARN_ON(hdev->smp_data)) {
3394 chan = hdev->smp_data;
3395 hdev->smp_data = NULL;
3396 smp_del_chan(chan);
3397 }
3398
ef8efe4b
JH		 3399 chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3400 if (IS_ERR(chan))
3401 return PTR_ERR(chan);
3402
3403 hdev->smp_data = chan;
3404
300acfde 3405 if (!lmp_sc_capable(hdev)) {
83ebb9ec
SJ		 3406 /* Flag can be already set here (due to power toggle) */
3407 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3408 return 0;
300acfde 3409 }
ef8efe4b 3410
2b8df323
MH		 3411 if (WARN_ON(hdev->smp_bredr_data)) {
3412 chan = hdev->smp_bredr_data;
3413 hdev->smp_bredr_data = NULL;
3414 smp_del_chan(chan);
3415 }
3416
ef8efe4b
JH		 3417 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3418 if (IS_ERR(chan)) {
3419 int err = PTR_ERR(chan);
3420 chan = hdev->smp_data;
3421 hdev->smp_data = NULL;
3422 smp_del_chan(chan);
3423 return err;
3424 }
3425
3426 hdev->smp_bredr_data = chan;
3427
3428 return 0;
3429}
3430
3431void smp_unregister(struct hci_dev *hdev)
3432{
3433 struct l2cap_chan *chan;
3434
3435 if (hdev->smp_bredr_data) {
3436 chan = hdev->smp_bredr_data;
3437 hdev->smp_bredr_data = NULL;
3438 smp_del_chan(chan);
3439 }
3440
3441 if (hdev->smp_data) {
3442 chan = hdev->smp_data;
3443 hdev->smp_data = NULL;
3444 smp_del_chan(chan);
3445 }
3446}
0a2b0f04
JH		 3447
3448#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3449
47eb2ac8 3450static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
71653eb6 3451{
c0153b0b 3452 u8 pk[64];
a2976416 3453 int err;
71653eb6 3454
c0153b0b 3455 err = set_ecdh_privkey(tfm_ecdh, debug_sk);
a2976416
TA		 3456 if (err)
3457 return err;
71653eb6 3458
c0153b0b
TA		 3459 err = generate_ecdh_public_key(tfm_ecdh, pk);
3460 if (err)
3461 return err;
71653eb6 3462
329d8230 3463 if (crypto_memneq(pk, debug_pk, 64))
71653eb6
MH		 3464 return -EINVAL;
3465
3466 return 0;
3467}
3468
28a220aa 3469static int __init test_ah(void)
cfc4198e
JH		 3470{
3471 const u8 irk[16] = {
3472 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3473 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3474 const u8 r[3] = { 0x94, 0x81, 0x70 };
3475 const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3476 u8 res[3];
3477 int err;
3478
28a220aa 3479 err = smp_ah(irk, r, res);
cfc4198e
JH		 3480 if (err)
3481 return err;
3482
329d8230 3483 if (crypto_memneq(res, exp, 3))
cfc4198e
JH		 3484 return -EINVAL;
3485
3486 return 0;
3487}
3488
28a220aa 3489static int __init test_c1(void)
cfc4198e
JH		 3490{
3491 const u8 k[16] = {
3492 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3493 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3494 const u8 r[16] = {
3495 0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3496 0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3497 const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3498 const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3499 const u8 _iat = 0x01;
3500 const u8 _rat = 0x00;
3501 const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3502 const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3503 const u8 exp[16] = {
3504 0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3505 0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3506 u8 res[16];
3507 int err;
3508
28a220aa 3509 err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
cfc4198e
JH		 3510 if (err)
3511 return err;
3512
329d8230 3513 if (crypto_memneq(res, exp, 16))
cfc4198e
JH		 3514 return -EINVAL;
3515
3516 return 0;
3517}
3518
28a220aa 3519static int __init test_s1(void)
cfc4198e
JH		 3520{
3521 const u8 k[16] = {
3522 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3524 const u8 r1[16] = {
3525 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3526 const u8 r2[16] = {
3527 0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3528 const u8 exp[16] = {
3529 0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3530 0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3531 u8 res[16];
3532 int err;
3533
28a220aa 3534 err = smp_s1(k, r1, r2, res);
cfc4198e
JH		 3535 if (err)
3536 return err;
3537
329d8230 3538 if (crypto_memneq(res, exp, 16))
cfc4198e
JH		 3539 return -EINVAL;
3540
3541 return 0;
3542}
3543
71af2f6b 3544static int __init test_f4(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3545{
3546 const u8 u[32] = {
3547 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3548 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3549 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3550 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3551 const u8 v[32] = {
3552 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3553 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3554 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3555 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3556 const u8 x[16] = {
3557 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3558 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3559 const u8 z = 0x00;
3560 const u8 exp[16] = {
3561 0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3562 0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3563 u8 res[16];
3564 int err;
3565
3566 err = smp_f4(tfm_cmac, u, v, x, z, res);
3567 if (err)
3568 return err;
3569
329d8230 3570 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3571 return -EINVAL;
3572
3573 return 0;
3574}
3575
71af2f6b 3576static int __init test_f5(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3577{
3578 const u8 w[32] = {
3579 0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3580 0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3581 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3582 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3583 const u8 n1[16] = {
3584 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3585 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3586 const u8 n2[16] = {
3587 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3588 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3589 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3590 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3591 const u8 exp_ltk[16] = {
3592 0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3593 0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3594 const u8 exp_mackey[16] = {
3595 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3596 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3597 u8 mackey[16], ltk[16];
3598 int err;
3599
3600 err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3601 if (err)
3602 return err;
3603
329d8230 3604 if (crypto_memneq(mackey, exp_mackey, 16))
fb2969a3
JH		 3605 return -EINVAL;
3606
329d8230 3607 if (crypto_memneq(ltk, exp_ltk, 16))
fb2969a3
JH		 3608 return -EINVAL;
3609
3610 return 0;
3611}
3612
71af2f6b 3613static int __init test_f6(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3614{
3615 const u8 w[16] = {
3616 0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3617 0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3618 const u8 n1[16] = {
3619 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3620 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3621 const u8 n2[16] = {
3622 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3623 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3624 const u8 r[16] = {
3625 0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3626 0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3627 const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3628 const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3629 const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3630 const u8 exp[16] = {
3631 0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3632 0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3633 u8 res[16];
3634 int err;
3635
3636 err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3637 if (err)
3638 return err;
3639
329d8230 3640 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3641 return -EINVAL;
3642
3643 return 0;
3644}
3645
71af2f6b 3646static int __init test_g2(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3647{
3648 const u8 u[32] = {
3649 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3650 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3651 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3652 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3653 const u8 v[32] = {
3654 0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3655 0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3656 0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3657 0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3658 const u8 x[16] = {
3659 0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3660 0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3661 const u8 y[16] = {
3662 0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3663 0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3664 const u32 exp_val = 0x2f9ed5ba % 1000000;
3665 u32 val;
3666 int err;
3667
3668 err = smp_g2(tfm_cmac, u, v, x, y, &val);
3669 if (err)
3670 return err;
3671
3672 if (val != exp_val)
3673 return -EINVAL;
3674
3675 return 0;
3676}
3677
71af2f6b 3678static int __init test_h6(struct crypto_shash *tfm_cmac)
fb2969a3
JH		 3679{
3680 const u8 w[16] = {
3681 0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3682 0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3683 const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3684 const u8 exp[16] = {
3685 0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3686 0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3687 u8 res[16];
3688 int err;
3689
3690 err = smp_h6(tfm_cmac, w, key_id, res);
3691 if (err)
3692 return err;
3693
329d8230 3694 if (crypto_memneq(res, exp, 16))
fb2969a3
JH		 3695 return -EINVAL;
3696
3697 return 0;
3698}
3699
64dd374e
MH		 3700static char test_smp_buffer[32];
3701
3702static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3703 size_t count, loff_t *ppos)
3704{
3705 return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3706 strlen(test_smp_buffer));
3707}
3708
3709static const struct file_operations test_smp_fops = {
3710 .open = simple_open,
3711 .read = test_smp_read,
3712 .llseek = default_llseek,
3713};
3714
28a220aa 3715static int __init run_selftests(struct crypto_shash *tfm_cmac,
47eb2ac8 3716 struct crypto_kpp *tfm_ecdh)
0a2b0f04 3717{
255047b0
MH		 3718 ktime_t calltime, delta, rettime;
3719 unsigned long long duration;
cfc4198e
JH		 3720 int err;
3721
255047b0
MH		 3722 calltime = ktime_get();
3723
47eb2ac8 3724 err = test_debug_key(tfm_ecdh);
71653eb6
MH		 3725 if (err) {
3726 BT_ERR("debug_key test failed");
3727 goto done;
3728 }
3729
28a220aa 3730 err = test_ah();
cfc4198e
JH		 3731 if (err) {
3732 BT_ERR("smp_ah test failed");
64dd374e 3733 goto done;
cfc4198e
JH		 3734 }
3735
28a220aa 3736 err = test_c1();
cfc4198e
JH		 3737 if (err) {
3738 BT_ERR("smp_c1 test failed");
64dd374e 3739 goto done;
cfc4198e
JH		 3740 }
3741
28a220aa 3742 err = test_s1();
cfc4198e
JH		 3743 if (err) {
3744 BT_ERR("smp_s1 test failed");
64dd374e 3745 goto done;
cfc4198e
JH		 3746 }
3747
fb2969a3
JH		 3748 err = test_f4(tfm_cmac);
3749 if (err) {
3750 BT_ERR("smp_f4 test failed");
64dd374e 3751 goto done;
fb2969a3
JH		 3752 }
3753
3754 err = test_f5(tfm_cmac);
3755 if (err) {
3756 BT_ERR("smp_f5 test failed");
64dd374e 3757 goto done;
fb2969a3
JH		 3758 }
3759
3760 err = test_f6(tfm_cmac);
3761 if (err) {
3762 BT_ERR("smp_f6 test failed");
64dd374e 3763 goto done;
fb2969a3
JH		 3764 }
3765
3766 err = test_g2(tfm_cmac);
3767 if (err) {
3768 BT_ERR("smp_g2 test failed");
64dd374e 3769 goto done;
fb2969a3
JH		 3770 }
3771
3772 err = test_h6(tfm_cmac);
3773 if (err) {
3774 BT_ERR("smp_h6 test failed");
64dd374e 3775 goto done;
fb2969a3
JH		 3776 }
3777
255047b0
MH		 3778 rettime = ktime_get();
3779 delta = ktime_sub(rettime, calltime);
3780 duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3781
5ced2464 3782 BT_INFO("SMP test passed in %llu usecs", duration);
0a2b0f04 3783
64dd374e
MH		 3784done:
3785 if (!err)
3786 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3787 "PASS (%llu usecs)\n", duration);
3788 else
3789 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3790
3791 debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3792 &test_smp_fops);
3793
3794 return err;
0a2b0f04
JH		 3795}
3796
3797int __init bt_selftest_smp(void)
3798{
71af2f6b 3799 struct crypto_shash *tfm_cmac;
47eb2ac8 3800 struct crypto_kpp *tfm_ecdh;
0a2b0f04
JH		 3801 int err;
3802
3d234b33 3803 tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
0a2b0f04
JH		 3804 if (IS_ERR(tfm_cmac)) {
3805 BT_ERR("Unable to create CMAC crypto context");
0a2b0f04
JH		 3806 return PTR_ERR(tfm_cmac);
3807 }
3808
075f7732 3809 tfm_ecdh = crypto_alloc_kpp("ecdh", 0, 0);
47eb2ac8
TA		 3810 if (IS_ERR(tfm_ecdh)) {
3811 BT_ERR("Unable to create ECDH crypto context");
3812 crypto_free_shash(tfm_cmac);
47eb2ac8
TA		 3813 return PTR_ERR(tfm_ecdh);
3814 }
3815
28a220aa 3816 err = run_selftests(tfm_cmac, tfm_ecdh);
0a2b0f04 3817
71af2f6b 3818 crypto_free_shash(tfm_cmac);
47eb2ac8 3819 crypto_free_kpp(tfm_ecdh);
0a2b0f04
JH		 3820
3821 return err;
3822}
3823
3824#endif
Linux 6.x block layer and io_uring tree(s)