~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/smp.c

Version: ~ [ linux-5.3-rc1 ] ~ [ linux-5.2.2 ] ~ [ linux-5.1.19 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.60 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.134 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.186 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.186 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.70 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
  4 
  5    This program is free software; you can redistribute it and/or modify
  6    it under the terms of the GNU General Public License version 2 as
  7    published by the Free Software Foundation;
  8 
  9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 17 
 18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 20    SOFTWARE IS DISCLAIMED.
 21 */
 22 
 23 #include <linux/debugfs.h>
 24 #include <linux/scatterlist.h>
 25 #include <linux/crypto.h>
 26 #include <crypto/b128ops.h>
 27 #include <crypto/hash.h>
 28 
 29 #include <net/bluetooth/bluetooth.h>
 30 #include <net/bluetooth/hci_core.h>
 31 #include <net/bluetooth/l2cap.h>
 32 #include <net/bluetooth/mgmt.h>
 33 
 34 #include "ecc.h"
 35 #include "smp.h"
 36 
 37 #define SMP_DEV(hdev) \
 38         ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
 39 
 40 /* Low-level debug macros to be used for stuff that we don't want
 41  * accidentially in dmesg, i.e. the values of the various crypto keys
 42  * and the inputs & outputs of crypto functions.
 43  */
 44 #ifdef DEBUG
 45 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
 46                                  ##__VA_ARGS__)
 47 #else
 48 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
 49                                     ##__VA_ARGS__)
 50 #endif
 51 
 52 #define SMP_ALLOW_CMD(smp, code)        set_bit(code, &smp->allow_cmd)
 53 
 54 /* Keys which are not distributed with Secure Connections */
 55 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
 56 
 57 #define SMP_TIMEOUT     msecs_to_jiffies(30000)
 58 
 59 #define AUTH_REQ_MASK(dev)      (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
 60                                  0x3f : 0x07)
 61 #define KEY_DIST_MASK           0x07
 62 
 63 /* Maximum message length that can be passed to aes_cmac */
 64 #define CMAC_MSG_MAX    80
 65 
 66 enum {
 67         SMP_FLAG_TK_VALID,
 68         SMP_FLAG_CFM_PENDING,
 69         SMP_FLAG_MITM_AUTH,
 70         SMP_FLAG_COMPLETE,
 71         SMP_FLAG_INITIATOR,
 72         SMP_FLAG_SC,
 73         SMP_FLAG_REMOTE_PK,
 74         SMP_FLAG_DEBUG_KEY,
 75         SMP_FLAG_WAIT_USER,
 76         SMP_FLAG_DHKEY_PENDING,
 77         SMP_FLAG_REMOTE_OOB,
 78         SMP_FLAG_LOCAL_OOB,
 79         SMP_FLAG_CT2,
 80 };
 81 
 82 struct smp_dev {
 83         /* Secure Connections OOB data */
 84         u8                      local_pk[64];
 85         u8                      local_sk[32];
 86         u8                      local_rand[16];
 87         bool                    debug_key;
 88 
 89         u8                      min_key_size;
 90         u8                      max_key_size;
 91 
 92         struct crypto_cipher    *tfm_aes;
 93         struct crypto_shash     *tfm_cmac;
 94 };
 95 
 96 struct smp_chan {
 97         struct l2cap_conn       *conn;
 98         struct delayed_work     security_timer;
 99         unsigned long           allow_cmd; /* Bitmask of allowed commands */
100 
101         u8              preq[7]; /* SMP Pairing Request */
102         u8              prsp[7]; /* SMP Pairing Response */
103         u8              prnd[16]; /* SMP Pairing Random (local) */
104         u8              rrnd[16]; /* SMP Pairing Random (remote) */
105         u8              pcnf[16]; /* SMP Pairing Confirm */
106         u8              tk[16]; /* SMP Temporary Key */
107         u8              rr[16]; /* Remote OOB ra/rb value */
108         u8              lr[16]; /* Local OOB ra/rb value */
109         u8              enc_key_size;
110         u8              remote_key_dist;
111         bdaddr_t        id_addr;
112         u8              id_addr_type;
113         u8              irk[16];
114         struct smp_csrk *csrk;
115         struct smp_csrk *slave_csrk;
116         struct smp_ltk  *ltk;
117         struct smp_ltk  *slave_ltk;
118         struct smp_irk  *remote_irk;
119         u8              *link_key;
120         unsigned long   flags;
121         u8              method;
122         u8              passkey_round;
123 
124         /* Secure Connections variables */
125         u8                      local_pk[64];
126         u8                      local_sk[32];
127         u8                      remote_pk[64];
128         u8                      dhkey[32];
129         u8                      mackey[16];
130 
131         struct crypto_cipher    *tfm_aes;
132         struct crypto_shash     *tfm_cmac;
133 };
134 
135 /* These debug key values are defined in the SMP section of the core
136  * specification. debug_pk is the public debug key and debug_sk the
137  * private debug key.
138  */
139 static const u8 debug_pk[64] = {
140                 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
141                 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
142                 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
143                 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
144 
145                 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
146                 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
147                 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
148                 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
149 };
150 
151 static const u8 debug_sk[32] = {
152                 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
153                 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
154                 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
155                 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
156 };
157 
158 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
159 {
160         size_t i;
161 
162         for (i = 0; i < len; i++)
163                 dst[len - 1 - i] = src[i];
164 }
165 
166 /* The following functions map to the LE SC SMP crypto functions
167  * AES-CMAC, f4, f5, f6, g2 and h6.
168  */
169 
170 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
171                     size_t len, u8 mac[16])
172 {
173         uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
174         SHASH_DESC_ON_STACK(desc, tfm);
175         int err;
176 
177         if (len > CMAC_MSG_MAX)
178                 return -EFBIG;
179 
180         if (!tfm) {
181                 BT_ERR("tfm %p", tfm);
182                 return -EINVAL;
183         }
184 
185         desc->tfm = tfm;
186         desc->flags = 0;
187 
188         /* Swap key and message from LSB to MSB */
189         swap_buf(k, tmp, 16);
190         swap_buf(m, msg_msb, len);
191 
192         SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
193         SMP_DBG("key %16phN", k);
194 
195         err = crypto_shash_setkey(tfm, tmp, 16);
196         if (err) {
197                 BT_ERR("cipher setkey failed: %d", err);
198                 return err;
199         }
200 
201         err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
202         shash_desc_zero(desc);
203         if (err) {
204                 BT_ERR("Hash computation error %d", err);
205                 return err;
206         }
207 
208         swap_buf(mac_msb, mac, 16);
209 
210         SMP_DBG("mac %16phN", mac);
211 
212         return 0;
213 }
214 
215 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
216                   const u8 v[32], const u8 x[16], u8 z, u8 res[16])
217 {
218         u8 m[65];
219         int err;
220 
221         SMP_DBG("u %32phN", u);
222         SMP_DBG("v %32phN", v);
223         SMP_DBG("x %16phN z %02x", x, z);
224 
225         m[0] = z;
226         memcpy(m + 1, v, 32);
227         memcpy(m + 33, u, 32);
228 
229         err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
230         if (err)
231                 return err;
232 
233         SMP_DBG("res %16phN", res);
234 
235         return err;
236 }
237 
238 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
239                   const u8 n1[16], const u8 n2[16], const u8 a1[7],
240                   const u8 a2[7], u8 mackey[16], u8 ltk[16])
241 {
242         /* The btle, salt and length "magic" values are as defined in
243          * the SMP section of the Bluetooth core specification. In ASCII
244          * the btle value ends up being 'btle'. The salt is just a
245          * random number whereas length is the value 256 in little
246          * endian format.
247          */
248         const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
249         const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
250                               0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
251         const u8 length[2] = { 0x00, 0x01 };
252         u8 m[53], t[16];
253         int err;
254 
255         SMP_DBG("w %32phN", w);
256         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
257         SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
258 
259         err = aes_cmac(tfm_cmac, salt, w, 32, t);
260         if (err)
261                 return err;
262 
263         SMP_DBG("t %16phN", t);
264 
265         memcpy(m, length, 2);
266         memcpy(m + 2, a2, 7);
267         memcpy(m + 9, a1, 7);
268         memcpy(m + 16, n2, 16);
269         memcpy(m + 32, n1, 16);
270         memcpy(m + 48, btle, 4);
271 
272         m[52] = 0; /* Counter */
273 
274         err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
275         if (err)
276                 return err;
277 
278         SMP_DBG("mackey %16phN", mackey);
279 
280         m[52] = 1; /* Counter */
281 
282         err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
283         if (err)
284                 return err;
285 
286         SMP_DBG("ltk %16phN", ltk);
287 
288         return 0;
289 }
290 
291 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
292                   const u8 n1[16], const u8 n2[16], const u8 r[16],
293                   const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
294                   u8 res[16])
295 {
296         u8 m[65];
297         int err;
298 
299         SMP_DBG("w %16phN", w);
300         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
301         SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
302 
303         memcpy(m, a2, 7);
304         memcpy(m + 7, a1, 7);
305         memcpy(m + 14, io_cap, 3);
306         memcpy(m + 17, r, 16);
307         memcpy(m + 33, n2, 16);
308         memcpy(m + 49, n1, 16);
309 
310         err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
311         if (err)
312                 return err;
313 
314         SMP_DBG("res %16phN", res);
315 
316         return err;
317 }
318 
319 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
320                   const u8 x[16], const u8 y[16], u32 *val)
321 {
322         u8 m[80], tmp[16];
323         int err;
324 
325         SMP_DBG("u %32phN", u);
326         SMP_DBG("v %32phN", v);
327         SMP_DBG("x %16phN y %16phN", x, y);
328 
329         memcpy(m, y, 16);
330         memcpy(m + 16, v, 32);
331         memcpy(m + 48, u, 32);
332 
333         err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
334         if (err)
335                 return err;
336 
337         *val = get_unaligned_le32(tmp);
338         *val %= 1000000;
339 
340         SMP_DBG("val %06u", *val);
341 
342         return 0;
343 }
344 
345 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
346                   const u8 key_id[4], u8 res[16])
347 {
348         int err;
349 
350         SMP_DBG("w %16phN key_id %4phN", w, key_id);
351 
352         err = aes_cmac(tfm_cmac, w, key_id, 4, res);
353         if (err)
354                 return err;
355 
356         SMP_DBG("res %16phN", res);
357 
358         return err;
359 }
360 
361 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
362                   const u8 salt[16], u8 res[16])
363 {
364         int err;
365 
366         SMP_DBG("w %16phN salt %16phN", w, salt);
367 
368         err = aes_cmac(tfm_cmac, salt, w, 16, res);
369         if (err)
370                 return err;
371 
372         SMP_DBG("res %16phN", res);
373 
374         return err;
375 }
376 
377 /* The following functions map to the legacy SMP crypto functions e, c1,
378  * s1 and ah.
379  */
380 
381 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
382 {
383         uint8_t tmp[16], data[16];
384         int err;
385 
386         SMP_DBG("k %16phN r %16phN", k, r);
387 
388         if (!tfm) {
389                 BT_ERR("tfm %p", tfm);
390                 return -EINVAL;
391         }
392 
393         /* The most significant octet of key corresponds to k[0] */
394         swap_buf(k, tmp, 16);
395 
396         err = crypto_cipher_setkey(tfm, tmp, 16);
397         if (err) {
398                 BT_ERR("cipher setkey failed: %d", err);
399                 return err;
400         }
401 
402         /* Most significant octet of plaintextData corresponds to data[0] */
403         swap_buf(r, data, 16);
404 
405         crypto_cipher_encrypt_one(tfm, data, data);
406 
407         /* Most significant octet of encryptedData corresponds to data[0] */
408         swap_buf(data, r, 16);
409 
410         SMP_DBG("r %16phN", r);
411 
412         return err;
413 }
414 
415 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
416                   const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
417                   const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
418 {
419         u8 p1[16], p2[16];
420         int err;
421 
422         SMP_DBG("k %16phN r %16phN", k, r);
423         SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
424         SMP_DBG("preq %7phN pres %7phN", preq, pres);
425 
426         memset(p1, 0, 16);
427 
428         /* p1 = pres || preq || _rat || _iat */
429         p1[0] = _iat;
430         p1[1] = _rat;
431         memcpy(p1 + 2, preq, 7);
432         memcpy(p1 + 9, pres, 7);
433 
434         SMP_DBG("p1 %16phN", p1);
435 
436         /* res = r XOR p1 */
437         u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
438 
439         /* res = e(k, res) */
440         err = smp_e(tfm_aes, k, res);
441         if (err) {
442                 BT_ERR("Encrypt data error");
443                 return err;
444         }
445 
446         /* p2 = padding || ia || ra */
447         memcpy(p2, ra, 6);
448         memcpy(p2 + 6, ia, 6);
449         memset(p2 + 12, 0, 4);
450 
451         SMP_DBG("p2 %16phN", p2);
452 
453         /* res = res XOR p2 */
454         u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
455 
456         /* res = e(k, res) */
457         err = smp_e(tfm_aes, k, res);
458         if (err)
459                 BT_ERR("Encrypt data error");
460 
461         return err;
462 }
463 
464 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
465                   const u8 r1[16], const u8 r2[16], u8 _r[16])
466 {
467         int err;
468 
469         /* Just least significant octets from r1 and r2 are considered */
470         memcpy(_r, r2, 8);
471         memcpy(_r + 8, r1, 8);
472 
473         err = smp_e(tfm_aes, k, _r);
474         if (err)
475                 BT_ERR("Encrypt data error");
476 
477         return err;
478 }
479 
480 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
481                   const u8 r[3], u8 res[3])
482 {
483         u8 _res[16];
484         int err;
485 
486         /* r' = padding || r */
487         memcpy(_res, r, 3);
488         memset(_res + 3, 0, 13);
489 
490         err = smp_e(tfm, irk, _res);
491         if (err) {
492                 BT_ERR("Encrypt error");
493                 return err;
494         }
495 
496         /* The output of the random address function ah is:
497          *      ah(k, r) = e(k, r') mod 2^24
498          * The output of the security function e is then truncated to 24 bits
499          * by taking the least significant 24 bits of the output of e as the
500          * result of ah.
501          */
502         memcpy(res, _res, 3);
503 
504         return 0;
505 }
506 
507 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
508                      const bdaddr_t *bdaddr)
509 {
510         struct l2cap_chan *chan = hdev->smp_data;
511         struct smp_dev *smp;
512         u8 hash[3];
513         int err;
514 
515         if (!chan || !chan->data)
516                 return false;
517 
518         smp = chan->data;
519 
520         BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
521 
522         err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
523         if (err)
524                 return false;
525 
526         return !memcmp(bdaddr->b, hash, 3);
527 }
528 
529 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
530 {
531         struct l2cap_chan *chan = hdev->smp_data;
532         struct smp_dev *smp;
533         int err;
534 
535         if (!chan || !chan->data)
536                 return -EOPNOTSUPP;
537 
538         smp = chan->data;
539 
540         get_random_bytes(&rpa->b[3], 3);
541 
542         rpa->b[5] &= 0x3f;      /* Clear two most significant bits */
543         rpa->b[5] |= 0x40;      /* Set second most significant bit */
544 
545         err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
546         if (err < 0)
547                 return err;
548 
549         BT_DBG("RPA %pMR", rpa);
550 
551         return 0;
552 }
553 
554 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
555 {
556         struct l2cap_chan *chan = hdev->smp_data;
557         struct smp_dev *smp;
558         int err;
559 
560         if (!chan || !chan->data)
561                 return -EOPNOTSUPP;
562 
563         smp = chan->data;
564 
565         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
566                 BT_DBG("Using debug keys");
567                 memcpy(smp->local_pk, debug_pk, 64);
568                 memcpy(smp->local_sk, debug_sk, 32);
569                 smp->debug_key = true;
570         } else {
571                 while (true) {
572                         /* Generate local key pair for Secure Connections */
573                         if (!ecc_make_key(smp->local_pk, smp->local_sk))
574                                 return -EIO;
575 
576                         /* This is unlikely, but we need to check that
577                          * we didn't accidentially generate a debug key.
578                          */
579                         if (memcmp(smp->local_sk, debug_sk, 32))
580                                 break;
581                 }
582                 smp->debug_key = false;
583         }
584 
585         SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
586         SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
587         SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
588 
589         get_random_bytes(smp->local_rand, 16);
590 
591         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
592                      smp->local_rand, 0, hash);
593         if (err < 0)
594                 return err;
595 
596         memcpy(rand, smp->local_rand, 16);
597 
598         return 0;
599 }
600 
601 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
602 {
603         struct l2cap_chan *chan = conn->smp;
604         struct smp_chan *smp;
605         struct kvec iv[2];
606         struct msghdr msg;
607 
608         if (!chan)
609                 return;
610 
611         BT_DBG("code 0x%2.2x", code);
612 
613         iv[0].iov_base = &code;
614         iv[0].iov_len = 1;
615 
616         iv[1].iov_base = data;
617         iv[1].iov_len = len;
618 
619         memset(&msg, 0, sizeof(msg));
620 
621         iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
622 
623         l2cap_chan_send(chan, &msg, 1 + len);
624 
625         if (!chan->data)
626                 return;
627 
628         smp = chan->data;
629 
630         cancel_delayed_work_sync(&smp->security_timer);
631         schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
632 }
633 
634 static u8 authreq_to_seclevel(u8 authreq)
635 {
636         if (authreq & SMP_AUTH_MITM) {
637                 if (authreq & SMP_AUTH_SC)
638                         return BT_SECURITY_FIPS;
639                 else
640                         return BT_SECURITY_HIGH;
641         } else {
642                 return BT_SECURITY_MEDIUM;
643         }
644 }
645 
646 static __u8 seclevel_to_authreq(__u8 sec_level)
647 {
648         switch (sec_level) {
649         case BT_SECURITY_FIPS:
650         case BT_SECURITY_HIGH:
651                 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
652         case BT_SECURITY_MEDIUM:
653                 return SMP_AUTH_BONDING;
654         default:
655                 return SMP_AUTH_NONE;
656         }
657 }
658 
659 static void build_pairing_cmd(struct l2cap_conn *conn,
660                               struct smp_cmd_pairing *req,
661                               struct smp_cmd_pairing *rsp, __u8 authreq)
662 {
663         struct l2cap_chan *chan = conn->smp;
664         struct smp_chan *smp = chan->data;
665         struct hci_conn *hcon = conn->hcon;
666         struct hci_dev *hdev = hcon->hdev;
667         u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
668 
669         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
670                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
671                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
672                 authreq |= SMP_AUTH_BONDING;
673         } else {
674                 authreq &= ~SMP_AUTH_BONDING;
675         }
676 
677         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
678                 remote_dist |= SMP_DIST_ID_KEY;
679 
680         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
681                 local_dist |= SMP_DIST_ID_KEY;
682 
683         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
684             (authreq & SMP_AUTH_SC)) {
685                 struct oob_data *oob_data;
686                 u8 bdaddr_type;
687 
688                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
689                         local_dist |= SMP_DIST_LINK_KEY;
690                         remote_dist |= SMP_DIST_LINK_KEY;
691                 }
692 
693                 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
694                         bdaddr_type = BDADDR_LE_PUBLIC;
695                 else
696                         bdaddr_type = BDADDR_LE_RANDOM;
697 
698                 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
699                                                     bdaddr_type);
700                 if (oob_data && oob_data->present) {
701                         set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
702                         oob_flag = SMP_OOB_PRESENT;
703                         memcpy(smp->rr, oob_data->rand256, 16);
704                         memcpy(smp->pcnf, oob_data->hash256, 16);
705                         SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
706                         SMP_DBG("OOB Remote Random: %16phN", smp->rr);
707                 }
708 
709         } else {
710                 authreq &= ~SMP_AUTH_SC;
711         }
712 
713         if (rsp == NULL) {
714                 req->io_capability = conn->hcon->io_capability;
715                 req->oob_flag = oob_flag;
716                 req->max_key_size = SMP_DEV(hdev)->max_key_size;
717                 req->init_key_dist = local_dist;
718                 req->resp_key_dist = remote_dist;
719                 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
720 
721                 smp->remote_key_dist = remote_dist;
722                 return;
723         }
724 
725         rsp->io_capability = conn->hcon->io_capability;
726         rsp->oob_flag = oob_flag;
727         rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
728         rsp->init_key_dist = req->init_key_dist & remote_dist;
729         rsp->resp_key_dist = req->resp_key_dist & local_dist;
730         rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
731 
732         smp->remote_key_dist = rsp->init_key_dist;
733 }
734 
735 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
736 {
737         struct l2cap_chan *chan = conn->smp;
738         struct hci_dev *hdev = conn->hcon->hdev;
739         struct smp_chan *smp = chan->data;
740 
741         if (max_key_size > SMP_DEV(hdev)->max_key_size ||
742             max_key_size < SMP_MIN_ENC_KEY_SIZE)
743                 return SMP_ENC_KEY_SIZE;
744 
745         smp->enc_key_size = max_key_size;
746 
747         return 0;
748 }
749 
750 static void smp_chan_destroy(struct l2cap_conn *conn)
751 {
752         struct l2cap_chan *chan = conn->smp;
753         struct smp_chan *smp = chan->data;
754         struct hci_conn *hcon = conn->hcon;
755         bool complete;
756 
757         BUG_ON(!smp);
758 
759         cancel_delayed_work_sync(&smp->security_timer);
760 
761         complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
762         mgmt_smp_complete(hcon, complete);
763 
764         kzfree(smp->csrk);
765         kzfree(smp->slave_csrk);
766         kzfree(smp->link_key);
767 
768         crypto_free_cipher(smp->tfm_aes);
769         crypto_free_shash(smp->tfm_cmac);
770 
771         /* Ensure that we don't leave any debug key around if debug key
772          * support hasn't been explicitly enabled.
773          */
774         if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
775             !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
776                 list_del_rcu(&smp->ltk->list);
777                 kfree_rcu(smp->ltk, rcu);
778                 smp->ltk = NULL;
779         }
780 
781         /* If pairing failed clean up any keys we might have */
782         if (!complete) {
783                 if (smp->ltk) {
784                         list_del_rcu(&smp->ltk->list);
785                         kfree_rcu(smp->ltk, rcu);
786                 }
787 
788                 if (smp->slave_ltk) {
789                         list_del_rcu(&smp->slave_ltk->list);
790                         kfree_rcu(smp->slave_ltk, rcu);
791                 }
792 
793                 if (smp->remote_irk) {
794                         list_del_rcu(&smp->remote_irk->list);
795                         kfree_rcu(smp->remote_irk, rcu);
796                 }
797         }
798 
799         chan->data = NULL;
800         kzfree(smp);
801         hci_conn_drop(hcon);
802 }
803 
804 static void smp_failure(struct l2cap_conn *conn, u8 reason)
805 {
806         struct hci_conn *hcon = conn->hcon;
807         struct l2cap_chan *chan = conn->smp;
808 
809         if (reason)
810                 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
811                              &reason);
812 
813         mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
814 
815         if (chan->data)
816                 smp_chan_destroy(conn);
817 }
818 
819 #define JUST_WORKS      0x00
820 #define JUST_CFM        0x01
821 #define REQ_PASSKEY     0x02
822 #define CFM_PASSKEY     0x03
823 #define REQ_OOB         0x04
824 #define DSP_PASSKEY     0x05
825 #define OVERLAP         0xFF
826 
827 static const u8 gen_method[5][5] = {
828         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
830         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
831         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
833 };
834 
835 static const u8 sc_method[5][5] = {
836         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
837         { JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
838         { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
839         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
840         { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
841 };
842 
843 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
844 {
845         /* If either side has unknown io_caps, use JUST_CFM (which gets
846          * converted later to JUST_WORKS if we're initiators.
847          */
848         if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
849             remote_io > SMP_IO_KEYBOARD_DISPLAY)
850                 return JUST_CFM;
851 
852         if (test_bit(SMP_FLAG_SC, &smp->flags))
853                 return sc_method[remote_io][local_io];
854 
855         return gen_method[remote_io][local_io];
856 }
857 
858 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
859                                                 u8 local_io, u8 remote_io)
860 {
861         struct hci_conn *hcon = conn->hcon;
862         struct l2cap_chan *chan = conn->smp;
863         struct smp_chan *smp = chan->data;
864         u32 passkey = 0;
865         int ret = 0;
866 
867         /* Initialize key for JUST WORKS */
868         memset(smp->tk, 0, sizeof(smp->tk));
869         clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
870 
871         BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
872 
873         /* If neither side wants MITM, either "just" confirm an incoming
874          * request or use just-works for outgoing ones. The JUST_CFM
875          * will be converted to JUST_WORKS if necessary later in this
876          * function. If either side has MITM look up the method from the
877          * table.
878          */
879         if (!(auth & SMP_AUTH_MITM))
880                 smp->method = JUST_CFM;
881         else
882                 smp->method = get_auth_method(smp, local_io, remote_io);
883 
884         /* Don't confirm locally initiated pairing attempts */
885         if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
886                                                 &smp->flags))
887                 smp->method = JUST_WORKS;
888 
889         /* Don't bother user space with no IO capabilities */
890         if (smp->method == JUST_CFM &&
891             hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
892                 smp->method = JUST_WORKS;
893 
894         /* If Just Works, Continue with Zero TK */
895         if (smp->method == JUST_WORKS) {
896                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
897                 return 0;
898         }
899 
900         /* If this function is used for SC -> legacy fallback we
901          * can only recover the just-works case.
902          */
903         if (test_bit(SMP_FLAG_SC, &smp->flags))
904                 return -EINVAL;
905 
906         /* Not Just Works/Confirm results in MITM Authentication */
907         if (smp->method != JUST_CFM) {
908                 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909                 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910                         hcon->pending_sec_level = BT_SECURITY_HIGH;
911         }
912 
913         /* If both devices have Keyoard-Display I/O, the master
914          * Confirms and the slave Enters the passkey.
915          */
916         if (smp->method == OVERLAP) {
917                 if (hcon->role == HCI_ROLE_MASTER)
918                         smp->method = CFM_PASSKEY;
919                 else
920                         smp->method = REQ_PASSKEY;
921         }
922 
923         /* Generate random passkey. */
924         if (smp->method == CFM_PASSKEY) {
925                 memset(smp->tk, 0, sizeof(smp->tk));
926                 get_random_bytes(&passkey, sizeof(passkey));
927                 passkey %= 1000000;
928                 put_unaligned_le32(passkey, smp->tk);
929                 BT_DBG("PassKey: %d", passkey);
930                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931         }
932 
933         if (smp->method == REQ_PASSKEY)
934                 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935                                                 hcon->type, hcon->dst_type);
936         else if (smp->method == JUST_CFM)
937                 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938                                                 hcon->type, hcon->dst_type,
939                                                 passkey, 1);
940         else
941                 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942                                                 hcon->type, hcon->dst_type,
943                                                 passkey, 0);
944 
945         return ret;
946 }
947 
948 static u8 smp_confirm(struct smp_chan *smp)
949 {
950         struct l2cap_conn *conn = smp->conn;
951         struct smp_cmd_pairing_confirm cp;
952         int ret;
953 
954         BT_DBG("conn %p", conn);
955 
956         ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
957                      conn->hcon->init_addr_type, &conn->hcon->init_addr,
958                      conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959                      cp.confirm_val);
960         if (ret)
961                 return SMP_UNSPECIFIED;
962 
963         clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964 
965         smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966 
967         if (conn->hcon->out)
968                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969         else
970                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971 
972         return 0;
973 }
974 
975 static u8 smp_random(struct smp_chan *smp)
976 {
977         struct l2cap_conn *conn = smp->conn;
978         struct hci_conn *hcon = conn->hcon;
979         u8 confirm[16];
980         int ret;
981 
982         if (IS_ERR_OR_NULL(smp->tfm_aes))
983                 return SMP_UNSPECIFIED;
984 
985         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
986 
987         ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
988                      hcon->init_addr_type, &hcon->init_addr,
989                      hcon->resp_addr_type, &hcon->resp_addr, confirm);
990         if (ret)
991                 return SMP_UNSPECIFIED;
992 
993         if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
994                 BT_ERR("Pairing failed (confirmation values mismatch)");
995                 return SMP_CONFIRM_FAILED;
996         }
997 
998         if (hcon->out) {
999                 u8 stk[16];
1000                 __le64 rand = 0;
1001                 __le16 ediv = 0;
1002 
1003                 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1004 
1005                 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006                         return SMP_UNSPECIFIED;
1007 
1008                 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009                 hcon->enc_key_size = smp->enc_key_size;
1010                 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011         } else {
1012                 u8 stk[16], auth;
1013                 __le64 rand = 0;
1014                 __le16 ediv = 0;
1015 
1016                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017                              smp->prnd);
1018 
1019                 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1020 
1021                 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022                         auth = 1;
1023                 else
1024                         auth = 0;
1025 
1026                 /* Even though there's no _SLAVE suffix this is the
1027                  * slave STK we're adding for later lookup (the master
1028                  * STK never needs to be stored).
1029                  */
1030                 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031                             SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032         }
1033 
1034         return 0;
1035 }
1036 
1037 static void smp_notify_keys(struct l2cap_conn *conn)
1038 {
1039         struct l2cap_chan *chan = conn->smp;
1040         struct smp_chan *smp = chan->data;
1041         struct hci_conn *hcon = conn->hcon;
1042         struct hci_dev *hdev = hcon->hdev;
1043         struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044         struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045         bool persistent;
1046 
1047         if (hcon->type == ACL_LINK) {
1048                 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049                         persistent = false;
1050                 else
1051                         persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052                                                &hcon->flags);
1053         } else {
1054                 /* The LTKs, IRKs and CSRKs should be persistent only if
1055                  * both sides had the bonding bit set in their
1056                  * authentication requests.
1057                  */
1058                 persistent = !!((req->auth_req & rsp->auth_req) &
1059                                 SMP_AUTH_BONDING);
1060         }
1061 
1062         if (smp->remote_irk) {
1063                 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064 
1065                 /* Now that user space can be considered to know the
1066                  * identity address track the connection based on it
1067                  * from now on (assuming this is an LE link).
1068                  */
1069                 if (hcon->type == LE_LINK) {
1070                         bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071                         hcon->dst_type = smp->remote_irk->addr_type;
1072                         queue_work(hdev->workqueue, &conn->id_addr_update_work);
1073                 }
1074         }
1075 
1076         if (smp->csrk) {
1077                 smp->csrk->bdaddr_type = hcon->dst_type;
1078                 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1079                 mgmt_new_csrk(hdev, smp->csrk, persistent);
1080         }
1081 
1082         if (smp->slave_csrk) {
1083                 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1084                 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1085                 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1086         }
1087 
1088         if (smp->ltk) {
1089                 smp->ltk->bdaddr_type = hcon->dst_type;
1090                 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1091                 mgmt_new_ltk(hdev, smp->ltk, persistent);
1092         }
1093 
1094         if (smp->slave_ltk) {
1095                 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1096                 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1097                 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1098         }
1099 
1100         if (smp->link_key) {
1101                 struct link_key *key;
1102                 u8 type;
1103 
1104                 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1105                         type = HCI_LK_DEBUG_COMBINATION;
1106                 else if (hcon->sec_level == BT_SECURITY_FIPS)
1107                         type = HCI_LK_AUTH_COMBINATION_P256;
1108                 else
1109                         type = HCI_LK_UNAUTH_COMBINATION_P256;
1110 
1111                 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1112                                        smp->link_key, type, 0, &persistent);
1113                 if (key) {
1114                         mgmt_new_link_key(hdev, key, persistent);
1115 
1116                         /* Don't keep debug keys around if the relevant
1117                          * flag is not set.
1118                          */
1119                         if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1120                             key->type == HCI_LK_DEBUG_COMBINATION) {
1121                                 list_del_rcu(&key->list);
1122                                 kfree_rcu(key, rcu);
1123                         }
1124                 }
1125         }
1126 }
1127 
1128 static void sc_add_ltk(struct smp_chan *smp)
1129 {
1130         struct hci_conn *hcon = smp->conn->hcon;
1131         u8 key_type, auth;
1132 
1133         if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1134                 key_type = SMP_LTK_P256_DEBUG;
1135         else
1136                 key_type = SMP_LTK_P256;
1137 
1138         if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1139                 auth = 1;
1140         else
1141                 auth = 0;
1142 
1143         smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1144                                key_type, auth, smp->tk, smp->enc_key_size,
1145                                0, 0);
1146 }
1147 
1148 static void sc_generate_link_key(struct smp_chan *smp)
1149 {
1150         /* From core spec. Spells out in ASCII as 'lebr'. */
1151         const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1152 
1153         smp->link_key = kzalloc(16, GFP_KERNEL);
1154         if (!smp->link_key)
1155                 return;
1156 
1157         if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1158                 /* SALT = 0x00000000000000000000000000000000746D7031 */
1159                 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1160 
1161                 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1162                         kzfree(smp->link_key);
1163                         smp->link_key = NULL;
1164                         return;
1165                 }
1166         } else {
1167                 /* From core spec. Spells out in ASCII as 'tmp1'. */
1168                 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1169 
1170                 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1171                         kzfree(smp->link_key);
1172                         smp->link_key = NULL;
1173                         return;
1174                 }
1175         }
1176 
1177         if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1178                 kzfree(smp->link_key);
1179                 smp->link_key = NULL;
1180                 return;
1181         }
1182 }
1183 
1184 static void smp_allow_key_dist(struct smp_chan *smp)
1185 {
1186         /* Allow the first expected phase 3 PDU. The rest of the PDUs
1187          * will be allowed in each PDU handler to ensure we receive
1188          * them in the correct order.
1189          */
1190         if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1191                 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1192         else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1193                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1194         else if (smp->remote_key_dist & SMP_DIST_SIGN)
1195                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1196 }
1197 
1198 static void sc_generate_ltk(struct smp_chan *smp)
1199 {
1200         /* From core spec. Spells out in ASCII as 'brle'. */
1201         const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1202         struct hci_conn *hcon = smp->conn->hcon;
1203         struct hci_dev *hdev = hcon->hdev;
1204         struct link_key *key;
1205 
1206         key = hci_find_link_key(hdev, &hcon->dst);
1207         if (!key) {
1208                 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1209                 return;
1210         }
1211 
1212         if (key->type == HCI_LK_DEBUG_COMBINATION)
1213                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1214 
1215         if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1216                 /* SALT = 0x00000000000000000000000000000000746D7032 */
1217                 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1218 
1219                 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1220                         return;
1221         } else {
1222                 /* From core spec. Spells out in ASCII as 'tmp2'. */
1223                 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1224 
1225                 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1226                         return;
1227         }
1228 
1229         if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1230                 return;
1231 
1232         sc_add_ltk(smp);
1233 }
1234 
1235 static void smp_distribute_keys(struct smp_chan *smp)
1236 {
1237         struct smp_cmd_pairing *req, *rsp;
1238         struct l2cap_conn *conn = smp->conn;
1239         struct hci_conn *hcon = conn->hcon;
1240         struct hci_dev *hdev = hcon->hdev;
1241         __u8 *keydist;
1242 
1243         BT_DBG("conn %p", conn);
1244 
1245         rsp = (void *) &smp->prsp[1];
1246 
1247         /* The responder sends its keys first */
1248         if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1249                 smp_allow_key_dist(smp);
1250                 return;
1251         }
1252 
1253         req = (void *) &smp->preq[1];
1254 
1255         if (hcon->out) {
1256                 keydist = &rsp->init_key_dist;
1257                 *keydist &= req->init_key_dist;
1258         } else {
1259                 keydist = &rsp->resp_key_dist;
1260                 *keydist &= req->resp_key_dist;
1261         }
1262 
1263         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1264                 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1265                         sc_generate_link_key(smp);
1266                 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1267                         sc_generate_ltk(smp);
1268 
1269                 /* Clear the keys which are generated but not distributed */
1270                 *keydist &= ~SMP_SC_NO_DIST;
1271         }
1272 
1273         BT_DBG("keydist 0x%x", *keydist);
1274 
1275         if (*keydist & SMP_DIST_ENC_KEY) {
1276                 struct smp_cmd_encrypt_info enc;
1277                 struct smp_cmd_master_ident ident;
1278                 struct smp_ltk *ltk;
1279                 u8 authenticated;
1280                 __le16 ediv;
1281                 __le64 rand;
1282 
1283                 /* Make sure we generate only the significant amount of
1284                  * bytes based on the encryption key size, and set the rest
1285                  * of the value to zeroes.
1286                  */
1287                 get_random_bytes(enc.ltk, smp->enc_key_size);
1288                 memset(enc.ltk + smp->enc_key_size, 0,
1289                        sizeof(enc.ltk) - smp->enc_key_size);
1290 
1291                 get_random_bytes(&ediv, sizeof(ediv));
1292                 get_random_bytes(&rand, sizeof(rand));
1293 
1294                 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1295 
1296                 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1297                 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1298                                   SMP_LTK_SLAVE, authenticated, enc.ltk,
1299                                   smp->enc_key_size, ediv, rand);
1300                 smp->slave_ltk = ltk;
1301 
1302                 ident.ediv = ediv;
1303                 ident.rand = rand;
1304 
1305                 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1306 
1307                 *keydist &= ~SMP_DIST_ENC_KEY;
1308         }
1309 
1310         if (*keydist & SMP_DIST_ID_KEY) {
1311                 struct smp_cmd_ident_addr_info addrinfo;
1312                 struct smp_cmd_ident_info idinfo;
1313 
1314                 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1315 
1316                 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1317 
1318                 /* The hci_conn contains the local identity address
1319                  * after the connection has been established.
1320                  *
1321                  * This is true even when the connection has been
1322                  * established using a resolvable random address.
1323                  */
1324                 bacpy(&addrinfo.bdaddr, &hcon->src);
1325                 addrinfo.addr_type = hcon->src_type;
1326 
1327                 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1328                              &addrinfo);
1329 
1330                 *keydist &= ~SMP_DIST_ID_KEY;
1331         }
1332 
1333         if (*keydist & SMP_DIST_SIGN) {
1334                 struct smp_cmd_sign_info sign;
1335                 struct smp_csrk *csrk;
1336 
1337                 /* Generate a new random key */
1338                 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1339 
1340                 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1341                 if (csrk) {
1342                         if (hcon->sec_level > BT_SECURITY_MEDIUM)
1343                                 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1344                         else
1345                                 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1346                         memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1347                 }
1348                 smp->slave_csrk = csrk;
1349 
1350                 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1351 
1352                 *keydist &= ~SMP_DIST_SIGN;
1353         }
1354 
1355         /* If there are still keys to be received wait for them */
1356         if (smp->remote_key_dist & KEY_DIST_MASK) {
1357                 smp_allow_key_dist(smp);
1358                 return;
1359         }
1360 
1361         set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1362         smp_notify_keys(conn);
1363 
1364         smp_chan_destroy(conn);
1365 }
1366 
1367 static void smp_timeout(struct work_struct *work)
1368 {
1369         struct smp_chan *smp = container_of(work, struct smp_chan,
1370                                             security_timer.work);
1371         struct l2cap_conn *conn = smp->conn;
1372 
1373         BT_DBG("conn %p", conn);
1374 
1375         hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1376 }
1377 
1378 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1379 {
1380         struct l2cap_chan *chan = conn->smp;
1381         struct smp_chan *smp;
1382 
1383         smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1384         if (!smp)
1385                 return NULL;
1386 
1387         smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1388         if (IS_ERR(smp->tfm_aes)) {
1389                 BT_ERR("Unable to create AES crypto context");
1390                 kzfree(smp);
1391                 return NULL;
1392         }
1393 
1394         smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1395         if (IS_ERR(smp->tfm_cmac)) {
1396                 BT_ERR("Unable to create CMAC crypto context");
1397                 crypto_free_cipher(smp->tfm_aes);
1398                 kzfree(smp);
1399                 return NULL;
1400         }
1401 
1402         smp->conn = conn;
1403         chan->data = smp;
1404 
1405         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1406 
1407         INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1408 
1409         hci_conn_hold(conn->hcon);
1410 
1411         return smp;
1412 }
1413 
1414 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1415 {
1416         struct hci_conn *hcon = smp->conn->hcon;
1417         u8 *na, *nb, a[7], b[7];
1418 
1419         if (hcon->out) {
1420                 na   = smp->prnd;
1421                 nb   = smp->rrnd;
1422         } else {
1423                 na   = smp->rrnd;
1424                 nb   = smp->prnd;
1425         }
1426 
1427         memcpy(a, &hcon->init_addr, 6);
1428         memcpy(b, &hcon->resp_addr, 6);
1429         a[6] = hcon->init_addr_type;
1430         b[6] = hcon->resp_addr_type;
1431 
1432         return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1433 }
1434 
1435 static void sc_dhkey_check(struct smp_chan *smp)
1436 {
1437         struct hci_conn *hcon = smp->conn->hcon;
1438         struct smp_cmd_dhkey_check check;
1439         u8 a[7], b[7], *local_addr, *remote_addr;
1440         u8 io_cap[3], r[16];
1441 
1442         memcpy(a, &hcon->init_addr, 6);
1443         memcpy(b, &hcon->resp_addr, 6);
1444         a[6] = hcon->init_addr_type;
1445         b[6] = hcon->resp_addr_type;
1446 
1447         if (hcon->out) {
1448                 local_addr = a;
1449                 remote_addr = b;
1450                 memcpy(io_cap, &smp->preq[1], 3);
1451         } else {
1452                 local_addr = b;
1453                 remote_addr = a;
1454                 memcpy(io_cap, &smp->prsp[1], 3);
1455         }
1456 
1457         memset(r, 0, sizeof(r));
1458 
1459         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1460                 put_unaligned_le32(hcon->passkey_notify, r);
1461 
1462         if (smp->method == REQ_OOB)
1463                 memcpy(r, smp->rr, 16);
1464 
1465         smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1466                local_addr, remote_addr, check.e);
1467 
1468         smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1469 }
1470 
1471 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1472 {
1473         struct l2cap_conn *conn = smp->conn;
1474         struct hci_conn *hcon = conn->hcon;
1475         struct smp_cmd_pairing_confirm cfm;
1476         u8 r;
1477 
1478         r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1479         r |= 0x80;
1480 
1481         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1482 
1483         if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1484                    cfm.confirm_val))
1485                 return SMP_UNSPECIFIED;
1486 
1487         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1488 
1489         return 0;
1490 }
1491 
1492 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1493 {
1494         struct l2cap_conn *conn = smp->conn;
1495         struct hci_conn *hcon = conn->hcon;
1496         struct hci_dev *hdev = hcon->hdev;
1497         u8 cfm[16], r;
1498 
1499         /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1500         if (smp->passkey_round >= 20)
1501                 return 0;
1502 
1503         switch (smp_op) {
1504         case SMP_CMD_PAIRING_RANDOM:
1505                 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1506                 r |= 0x80;
1507 
1508                 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1509                            smp->rrnd, r, cfm))
1510                         return SMP_UNSPECIFIED;
1511 
1512                 if (memcmp(smp->pcnf, cfm, 16))
1513                         return SMP_CONFIRM_FAILED;
1514 
1515                 smp->passkey_round++;
1516 
1517                 if (smp->passkey_round == 20) {
1518                         /* Generate MacKey and LTK */
1519                         if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1520                                 return SMP_UNSPECIFIED;
1521                 }
1522 
1523                 /* The round is only complete when the initiator
1524                  * receives pairing random.
1525                  */
1526                 if (!hcon->out) {
1527                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1528                                      sizeof(smp->prnd), smp->prnd);
1529                         if (smp->passkey_round == 20)
1530                                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1531                         else
1532                                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1533                         return 0;
1534                 }
1535 
1536                 /* Start the next round */
1537                 if (smp->passkey_round != 20)
1538                         return sc_passkey_round(smp, 0);
1539 
1540                 /* Passkey rounds are complete - start DHKey Check */
1541                 sc_dhkey_check(smp);
1542                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1543 
1544                 break;
1545 
1546         case SMP_CMD_PAIRING_CONFIRM:
1547                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1548                         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1549                         return 0;
1550                 }
1551 
1552                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1553 
1554                 if (hcon->out) {
1555                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1556                                      sizeof(smp->prnd), smp->prnd);
1557                         return 0;
1558                 }
1559 
1560                 return sc_passkey_send_confirm(smp);
1561 
1562         case SMP_CMD_PUBLIC_KEY:
1563         default:
1564                 /* Initiating device starts the round */
1565                 if (!hcon->out)
1566                         return 0;
1567 
1568                 BT_DBG("%s Starting passkey round %u", hdev->name,
1569                        smp->passkey_round + 1);
1570 
1571                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1572 
1573                 return sc_passkey_send_confirm(smp);
1574         }
1575 
1576         return 0;
1577 }
1578 
1579 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1580 {
1581         struct l2cap_conn *conn = smp->conn;
1582         struct hci_conn *hcon = conn->hcon;
1583         u8 smp_op;
1584 
1585         clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1586 
1587         switch (mgmt_op) {
1588         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1589                 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1590                 return 0;
1591         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1592                 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1593                 return 0;
1594         case MGMT_OP_USER_PASSKEY_REPLY:
1595                 hcon->passkey_notify = le32_to_cpu(passkey);
1596                 smp->passkey_round = 0;
1597 
1598                 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1599                         smp_op = SMP_CMD_PAIRING_CONFIRM;
1600                 else
1601                         smp_op = 0;
1602 
1603                 if (sc_passkey_round(smp, smp_op))
1604                         return -EIO;
1605 
1606                 return 0;
1607         }
1608 
1609         /* Initiator sends DHKey check first */
1610         if (hcon->out) {
1611                 sc_dhkey_check(smp);
1612                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1613         } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1614                 sc_dhkey_check(smp);
1615                 sc_add_ltk(smp);
1616         }
1617 
1618         return 0;
1619 }
1620 
1621 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1622 {
1623         struct l2cap_conn *conn = hcon->l2cap_data;
1624         struct l2cap_chan *chan;
1625         struct smp_chan *smp;
1626         u32 value;
1627         int err;
1628 
1629         BT_DBG("");
1630 
1631         if (!conn)
1632                 return -ENOTCONN;
1633 
1634         chan = conn->smp;
1635         if (!chan)
1636                 return -ENOTCONN;
1637 
1638         l2cap_chan_lock(chan);
1639         if (!chan->data) {
1640                 err = -ENOTCONN;
1641                 goto unlock;
1642         }
1643 
1644         smp = chan->data;
1645 
1646         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1647                 err = sc_user_reply(smp, mgmt_op, passkey);
1648                 goto unlock;
1649         }
1650 
1651         switch (mgmt_op) {
1652         case MGMT_OP_USER_PASSKEY_REPLY:
1653                 value = le32_to_cpu(passkey);
1654                 memset(smp->tk, 0, sizeof(smp->tk));
1655                 BT_DBG("PassKey: %d", value);
1656                 put_unaligned_le32(value, smp->tk);
1657                 /* Fall Through */
1658         case MGMT_OP_USER_CONFIRM_REPLY:
1659                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1660                 break;
1661         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1662         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1663                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1664                 err = 0;
1665                 goto unlock;
1666         default:
1667                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1668                 err = -EOPNOTSUPP;
1669                 goto unlock;
1670         }
1671 
1672         err = 0;
1673 
1674         /* If it is our turn to send Pairing Confirm, do so now */
1675         if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1676                 u8 rsp = smp_confirm(smp);
1677                 if (rsp)
1678                         smp_failure(conn, rsp);
1679         }
1680 
1681 unlock:
1682         l2cap_chan_unlock(chan);
1683         return err;
1684 }
1685 
1686 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1687                                     struct smp_cmd_pairing *req,
1688                                     struct smp_cmd_pairing *rsp)
1689 {
1690         struct l2cap_conn *conn = smp->conn;
1691         struct hci_dev *hdev = conn->hcon->hdev;
1692         u8 local_dist = 0, remote_dist = 0;
1693 
1694         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1695                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1697         }
1698 
1699         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1700                 remote_dist |= SMP_DIST_ID_KEY;
1701 
1702         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1703                 local_dist |= SMP_DIST_ID_KEY;
1704 
1705         if (!rsp) {
1706                 memset(req, 0, sizeof(*req));
1707 
1708                 req->auth_req        = SMP_AUTH_CT2;
1709                 req->init_key_dist   = local_dist;
1710                 req->resp_key_dist   = remote_dist;
1711                 req->max_key_size    = conn->hcon->enc_key_size;
1712 
1713                 smp->remote_key_dist = remote_dist;
1714 
1715                 return;
1716         }
1717 
1718         memset(rsp, 0, sizeof(*rsp));
1719 
1720         rsp->auth_req        = SMP_AUTH_CT2;
1721         rsp->max_key_size    = conn->hcon->enc_key_size;
1722         rsp->init_key_dist   = req->init_key_dist & remote_dist;
1723         rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1724 
1725         smp->remote_key_dist = rsp->init_key_dist;
1726 }
1727 
1728 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1729 {
1730         struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1731         struct l2cap_chan *chan = conn->smp;
1732         struct hci_dev *hdev = conn->hcon->hdev;
1733         struct smp_chan *smp;
1734         u8 key_size, auth, sec_level;
1735         int ret;
1736 
1737         BT_DBG("conn %p", conn);
1738 
1739         if (skb->len < sizeof(*req))
1740                 return SMP_INVALID_PARAMS;
1741 
1742         if (conn->hcon->role != HCI_ROLE_SLAVE)
1743                 return SMP_CMD_NOTSUPP;
1744 
1745         if (!chan->data)
1746                 smp = smp_chan_create(conn);
1747         else
1748                 smp = chan->data;
1749 
1750         if (!smp)
1751                 return SMP_UNSPECIFIED;
1752 
1753         /* We didn't start the pairing, so match remote */
1754         auth = req->auth_req & AUTH_REQ_MASK(hdev);
1755 
1756         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1757             (auth & SMP_AUTH_BONDING))
1758                 return SMP_PAIRING_NOTSUPP;
1759 
1760         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1761                 return SMP_AUTH_REQUIREMENTS;
1762 
1763         smp->preq[0] = SMP_CMD_PAIRING_REQ;
1764         memcpy(&smp->preq[1], req, sizeof(*req));
1765         skb_pull(skb, sizeof(*req));
1766 
1767         /* If the remote side's OOB flag is set it means it has
1768          * successfully received our local OOB data - therefore set the
1769          * flag to indicate that local OOB is in use.
1770          */
1771         if (req->oob_flag == SMP_OOB_PRESENT)
1772                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1773 
1774         /* SMP over BR/EDR requires special treatment */
1775         if (conn->hcon->type == ACL_LINK) {
1776                 /* We must have a BR/EDR SC link */
1777                 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1778                     !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1779                         return SMP_CROSS_TRANSP_NOT_ALLOWED;
1780 
1781                 set_bit(SMP_FLAG_SC, &smp->flags);
1782 
1783                 build_bredr_pairing_cmd(smp, req, &rsp);
1784 
1785                 if (req->auth_req & SMP_AUTH_CT2)
1786                         set_bit(SMP_FLAG_CT2, &smp->flags);
1787 
1788                 key_size = min(req->max_key_size, rsp.max_key_size);
1789                 if (check_enc_key_size(conn, key_size))
1790                         return SMP_ENC_KEY_SIZE;
1791 
1792                 /* Clear bits which are generated but not distributed */
1793                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1794 
1795                 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1796                 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1797                 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1798 
1799                 smp_distribute_keys(smp);
1800                 return 0;
1801         }
1802 
1803         build_pairing_cmd(conn, req, &rsp, auth);
1804 
1805         if (rsp.auth_req & SMP_AUTH_SC) {
1806                 set_bit(SMP_FLAG_SC, &smp->flags);
1807 
1808                 if (rsp.auth_req & SMP_AUTH_CT2)
1809                         set_bit(SMP_FLAG_CT2, &smp->flags);
1810         }
1811 
1812         if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1813                 sec_level = BT_SECURITY_MEDIUM;
1814         else
1815                 sec_level = authreq_to_seclevel(auth);
1816 
1817         if (sec_level > conn->hcon->pending_sec_level)
1818                 conn->hcon->pending_sec_level = sec_level;
1819 
1820         /* If we need MITM check that it can be achieved */
1821         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1822                 u8 method;
1823 
1824                 method = get_auth_method(smp, conn->hcon->io_capability,
1825                                          req->io_capability);
1826                 if (method == JUST_WORKS || method == JUST_CFM)
1827                         return SMP_AUTH_REQUIREMENTS;
1828         }
1829 
1830         key_size = min(req->max_key_size, rsp.max_key_size);
1831         if (check_enc_key_size(conn, key_size))
1832                 return SMP_ENC_KEY_SIZE;
1833 
1834         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1835 
1836         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1837         memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1838 
1839         smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1840 
1841         clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1842 
1843         /* Strictly speaking we shouldn't allow Pairing Confirm for the
1844          * SC case, however some implementations incorrectly copy RFU auth
1845          * req bits from our security request, which may create a false
1846          * positive SC enablement.
1847          */
1848         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1849 
1850         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1851                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1852                 /* Clear bits which are generated but not distributed */
1853                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1854                 /* Wait for Public Key from Initiating Device */
1855                 return 0;
1856         }
1857 
1858         /* Request setup of TK */
1859         ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1860         if (ret)
1861                 return SMP_UNSPECIFIED;
1862 
1863         return 0;
1864 }
1865 
1866 static u8 sc_send_public_key(struct smp_chan *smp)
1867 {
1868         struct hci_dev *hdev = smp->conn->hcon->hdev;
1869 
1870         BT_DBG("");
1871 
1872         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1873                 struct l2cap_chan *chan = hdev->smp_data;
1874                 struct smp_dev *smp_dev;
1875 
1876                 if (!chan || !chan->data)
1877                         return SMP_UNSPECIFIED;
1878 
1879                 smp_dev = chan->data;
1880 
1881                 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1882                 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1883                 memcpy(smp->lr, smp_dev->local_rand, 16);
1884 
1885                 if (smp_dev->debug_key)
1886                         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1887 
1888                 goto done;
1889         }
1890 
1891         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1892                 BT_DBG("Using debug keys");
1893                 memcpy(smp->local_pk, debug_pk, 64);
1894                 memcpy(smp->local_sk, debug_sk, 32);
1895                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1896         } else {
1897                 while (true) {
1898                         /* Generate local key pair for Secure Connections */
1899                         if (!ecc_make_key(smp->local_pk, smp->local_sk))
1900                                 return SMP_UNSPECIFIED;
1901 
1902                         /* This is unlikely, but we need to check that
1903                          * we didn't accidentially generate a debug key.
1904                          */
1905                         if (memcmp(smp->local_sk, debug_sk, 32))
1906                                 break;
1907                 }
1908         }
1909 
1910 done:
1911         SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1912         SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1913         SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1914 
1915         smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1916 
1917         return 0;
1918 }
1919 
1920 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1921 {
1922         struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1923         struct l2cap_chan *chan = conn->smp;
1924         struct smp_chan *smp = chan->data;
1925         struct hci_dev *hdev = conn->hcon->hdev;
1926         u8 key_size, auth;
1927         int ret;
1928 
1929         BT_DBG("conn %p", conn);
1930 
1931         if (skb->len < sizeof(*rsp))
1932                 return SMP_INVALID_PARAMS;
1933 
1934         if (conn->hcon->role != HCI_ROLE_MASTER)
1935                 return SMP_CMD_NOTSUPP;
1936 
1937         skb_pull(skb, sizeof(*rsp));
1938 
1939         req = (void *) &smp->preq[1];
1940 
1941         key_size = min(req->max_key_size, rsp->max_key_size);
1942         if (check_enc_key_size(conn, key_size))
1943                 return SMP_ENC_KEY_SIZE;
1944 
1945         auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1946 
1947         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1948                 return SMP_AUTH_REQUIREMENTS;
1949 
1950         /* If the remote side's OOB flag is set it means it has
1951          * successfully received our local OOB data - therefore set the
1952          * flag to indicate that local OOB is in use.
1953          */
1954         if (rsp->oob_flag == SMP_OOB_PRESENT)
1955                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1956 
1957         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1958         memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1959 
1960         /* Update remote key distribution in case the remote cleared
1961          * some bits that we had enabled in our request.
1962          */
1963         smp->remote_key_dist &= rsp->resp_key_dist;
1964 
1965         if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1966                 set_bit(SMP_FLAG_CT2, &smp->flags);
1967 
1968         /* For BR/EDR this means we're done and can start phase 3 */
1969         if (conn->hcon->type == ACL_LINK) {
1970                 /* Clear bits which are generated but not distributed */
1971                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1972                 smp_distribute_keys(smp);
1973                 return 0;
1974         }
1975 
1976         if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1977                 set_bit(SMP_FLAG_SC, &smp->flags);
1978         else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1979                 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1980 
1981         /* If we need MITM check that it can be achieved */
1982         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1983                 u8 method;
1984 
1985                 method = get_auth_method(smp, req->io_capability,
1986                                          rsp->io_capability);
1987                 if (method == JUST_WORKS || method == JUST_CFM)
1988                         return SMP_AUTH_REQUIREMENTS;
1989         }
1990 
1991         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1992 
1993         /* Update remote key distribution in case the remote cleared
1994          * some bits that we had enabled in our request.
1995          */
1996         smp->remote_key_dist &= rsp->resp_key_dist;
1997 
1998         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1999                 /* Clear bits which are generated but not distributed */
2000                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2001                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2002                 return sc_send_public_key(smp);
2003         }
2004 
2005         auth |= req->auth_req;
2006 
2007         ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2008         if (ret)
2009                 return SMP_UNSPECIFIED;
2010 
2011         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2012 
2013         /* Can't compose response until we have been confirmed */
2014         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2015                 return smp_confirm(smp);
2016 
2017         return 0;
2018 }
2019 
2020 static u8 sc_check_confirm(struct smp_chan *smp)
2021 {
2022         struct l2cap_conn *conn = smp->conn;
2023 
2024         BT_DBG("");
2025 
2026         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2027                 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2028 
2029         if (conn->hcon->out) {
2030                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2031                              smp->prnd);
2032                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2033         }
2034 
2035         return 0;
2036 }
2037 
2038 /* Work-around for some implementations that incorrectly copy RFU bits
2039  * from our security request and thereby create the impression that
2040  * we're doing SC when in fact the remote doesn't support it.
2041  */
2042 static int fixup_sc_false_positive(struct smp_chan *smp)
2043 {
2044         struct l2cap_conn *conn = smp->conn;
2045         struct hci_conn *hcon = conn->hcon;
2046         struct hci_dev *hdev = hcon->hdev;
2047         struct smp_cmd_pairing *req, *rsp;
2048         u8 auth;
2049 
2050         /* The issue is only observed when we're in slave role */
2051         if (hcon->out)
2052                 return SMP_UNSPECIFIED;
2053 
2054         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2055                 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2056                 return SMP_UNSPECIFIED;
2057         }
2058 
2059         BT_ERR("Trying to fall back to legacy SMP");
2060 
2061         req = (void *) &smp->preq[1];
2062         rsp = (void *) &smp->prsp[1];
2063 
2064         /* Rebuild key dist flags which may have been cleared for SC */
2065         smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2066 
2067         auth = req->auth_req & AUTH_REQ_MASK(hdev);
2068 
2069         if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2070                 BT_ERR("Failed to fall back to legacy SMP");
2071                 return SMP_UNSPECIFIED;
2072         }
2073 
2074         clear_bit(SMP_FLAG_SC, &smp->flags);
2075 
2076         return 0;
2077 }
2078 
2079 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2080 {
2081         struct l2cap_chan *chan = conn->smp;
2082         struct smp_chan *smp = chan->data;
2083 
2084         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2085 
2086         if (skb->len < sizeof(smp->pcnf))
2087                 return SMP_INVALID_PARAMS;
2088 
2089         memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2090         skb_pull(skb, sizeof(smp->pcnf));
2091 
2092         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2093                 int ret;
2094 
2095                 /* Public Key exchange must happen before any other steps */
2096                 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2097                         return sc_check_confirm(smp);
2098 
2099                 BT_ERR("Unexpected SMP Pairing Confirm");
2100 
2101                 ret = fixup_sc_false_positive(smp);
2102                 if (ret)
2103                         return ret;
2104         }
2105 
2106         if (conn->hcon->out) {
2107                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2108                              smp->prnd);
2109                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2110                 return 0;
2111         }
2112 
2113         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2114                 return smp_confirm(smp);
2115 
2116         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2117 
2118         return 0;
2119 }
2120 
2121 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2122 {
2123         struct l2cap_chan *chan = conn->smp;
2124         struct smp_chan *smp = chan->data;
2125         struct hci_conn *hcon = conn->hcon;
2126         u8 *pkax, *pkbx, *na, *nb;
2127         u32 passkey;
2128         int err;
2129 
2130         BT_DBG("conn %p", conn);
2131 
2132         if (skb->len < sizeof(smp->rrnd))
2133                 return SMP_INVALID_PARAMS;
2134 
2135         memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2136         skb_pull(skb, sizeof(smp->rrnd));
2137 
2138         if (!test_bit(SMP_FLAG_SC, &smp->flags))
2139                 return smp_random(smp);
2140 
2141         if (hcon->out) {
2142                 pkax = smp->local_pk;
2143                 pkbx = smp->remote_pk;
2144                 na   = smp->prnd;
2145                 nb   = smp->rrnd;
2146         } else {
2147                 pkax = smp->remote_pk;
2148                 pkbx = smp->local_pk;
2149                 na   = smp->rrnd;
2150                 nb   = smp->prnd;
2151         }
2152 
2153         if (smp->method == REQ_OOB) {
2154                 if (!hcon->out)
2155                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2156                                      sizeof(smp->prnd), smp->prnd);
2157                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2158                 goto mackey_and_ltk;
2159         }
2160 
2161         /* Passkey entry has special treatment */
2162         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2163                 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2164 
2165         if (hcon->out) {
2166                 u8 cfm[16];
2167 
2168                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2169                              smp->rrnd, 0, cfm);
2170                 if (err)
2171                         return SMP_UNSPECIFIED;
2172 
2173                 if (memcmp(smp->pcnf, cfm, 16))
2174                         return SMP_CONFIRM_FAILED;
2175         } else {
2176                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2177                              smp->prnd);
2178                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2179         }
2180 
2181 mackey_and_ltk:
2182         /* Generate MacKey and LTK */
2183         err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2184         if (err)
2185                 return SMP_UNSPECIFIED;
2186 
2187         if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2188                 if (hcon->out) {
2189                         sc_dhkey_check(smp);
2190                         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191                 }
2192                 return 0;
2193         }
2194 
2195         err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2196         if (err)
2197                 return SMP_UNSPECIFIED;
2198 
2199         err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2200                                         hcon->dst_type, passkey, 0);
2201         if (err)
2202                 return SMP_UNSPECIFIED;
2203 
2204         set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2205 
2206         return 0;
2207 }
2208 
2209 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2210 {
2211         struct smp_ltk *key;
2212         struct hci_conn *hcon = conn->hcon;
2213 
2214         key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2215         if (!key)
2216                 return false;
2217 
2218         if (smp_ltk_sec_level(key) < sec_level)
2219                 return false;
2220 
2221         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2222                 return true;
2223 
2224         hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2225         hcon->enc_key_size = key->enc_size;
2226 
2227         /* We never store STKs for master role, so clear this flag */
2228         clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2229 
2230         return true;
2231 }
2232 
2233 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2234                              enum smp_key_pref key_pref)
2235 {
2236         if (sec_level == BT_SECURITY_LOW)
2237                 return true;
2238 
2239         /* If we're encrypted with an STK but the caller prefers using
2240          * LTK claim insufficient security. This way we allow the
2241          * connection to be re-encrypted with an LTK, even if the LTK
2242          * provides the same level of security. Only exception is if we
2243          * don't have an LTK (e.g. because of key distribution bits).
2244          */
2245         if (key_pref == SMP_USE_LTK &&
2246             test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2247             hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2248                 return false;
2249 
2250         if (hcon->sec_level >= sec_level)
2251                 return true;
2252 
2253         return false;
2254 }
2255 
2256 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2257 {
2258         struct smp_cmd_security_req *rp = (void *) skb->data;
2259         struct smp_cmd_pairing cp;
2260         struct hci_conn *hcon = conn->hcon;
2261         struct hci_dev *hdev = hcon->hdev;
2262         struct smp_chan *smp;
2263         u8 sec_level, auth;
2264 
2265         BT_DBG("conn %p", conn);
2266 
2267         if (skb->len < sizeof(*rp))
2268                 return SMP_INVALID_PARAMS;
2269 
2270         if (hcon->role != HCI_ROLE_MASTER)
2271                 return SMP_CMD_NOTSUPP;
2272 
2273         auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2274 
2275         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2276                 return SMP_AUTH_REQUIREMENTS;
2277 
2278         if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2279                 sec_level = BT_SECURITY_MEDIUM;
2280         else
2281                 sec_level = authreq_to_seclevel(auth);
2282 
2283         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2284                 return 0;
2285 
2286         if (sec_level > hcon->pending_sec_level)
2287                 hcon->pending_sec_level = sec_level;
2288 
2289         if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2290                 return 0;
2291 
2292         smp = smp_chan_create(conn);
2293         if (!smp)
2294                 return SMP_UNSPECIFIED;
2295 
2296         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2297             (auth & SMP_AUTH_BONDING))
2298                 return SMP_PAIRING_NOTSUPP;
2299 
2300         skb_pull(skb, sizeof(*rp));
2301 
2302         memset(&cp, 0, sizeof(cp));
2303         build_pairing_cmd(conn, &cp, NULL, auth);
2304 
2305         smp->preq[0] = SMP_CMD_PAIRING_REQ;
2306         memcpy(&smp->preq[1], &cp, sizeof(cp));
2307 
2308         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2309         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2310 
2311         return 0;
2312 }
2313 
2314 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2315 {
2316         struct l2cap_conn *conn = hcon->l2cap_data;
2317         struct l2cap_chan *chan;
2318         struct smp_chan *smp;
2319         __u8 authreq;
2320         int ret;
2321 
2322         BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2323 
2324         /* This may be NULL if there's an unexpected disconnection */
2325         if (!conn)
2326                 return 1;
2327 
2328         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2329                 return 1;
2330 
2331         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2332                 return 1;
2333 
2334         if (sec_level > hcon->pending_sec_level)
2335                 hcon->pending_sec_level = sec_level;
2336 
2337         if (hcon->role == HCI_ROLE_MASTER)
2338                 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2339                         return 0;
2340 
2341         chan = conn->smp;
2342         if (!chan) {
2343                 BT_ERR("SMP security requested but not available");
2344                 return 1;
2345         }
2346 
2347         l2cap_chan_lock(chan);
2348 
2349         /* If SMP is already in progress ignore this request */
2350         if (chan->data) {
2351                 ret = 0;
2352                 goto unlock;
2353         }
2354 
2355         smp = smp_chan_create(conn);
2356         if (!smp) {
2357                 ret = 1;
2358                 goto unlock;
2359         }
2360 
2361         authreq = seclevel_to_authreq(sec_level);
2362 
2363         if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2364                 authreq |= SMP_AUTH_SC;
2365                 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2366                         authreq |= SMP_AUTH_CT2;
2367         }
2368 
2369         /* Require MITM if IO Capability allows or the security level
2370          * requires it.
2371          */
2372         if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2373             hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2374                 authreq |= SMP_AUTH_MITM;
2375 
2376         if (hcon->role == HCI_ROLE_MASTER) {
2377                 struct smp_cmd_pairing cp;
2378 
2379                 build_pairing_cmd(conn, &cp, NULL, authreq);
2380                 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2381                 memcpy(&smp->preq[1], &cp, sizeof(cp));
2382 
2383                 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2384                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2385         } else {
2386                 struct smp_cmd_security_req cp;
2387                 cp.auth_req = authreq;
2388                 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2389                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2390         }
2391 
2392         set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2393         ret = 0;
2394 
2395 unlock:
2396         l2cap_chan_unlock(chan);
2397         return ret;
2398 }
2399 
2400 void smp_cancel_pairing(struct hci_conn *hcon)
2401 {
2402         struct l2cap_conn *conn = hcon->l2cap_data;
2403         struct l2cap_chan *chan;
2404         struct smp_chan *smp;
2405 
2406         if (!conn)
2407                 return;
2408 
2409         chan = conn->smp;
2410         if (!chan)
2411                 return;
2412 
2413         l2cap_chan_lock(chan);
2414 
2415         smp = chan->data;
2416         if (smp) {
2417                 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2418                         smp_failure(conn, 0);
2419                 else
2420                         smp_failure(conn, SMP_UNSPECIFIED);
2421         }
2422 
2423         l2cap_chan_unlock(chan);
2424 }
2425 
2426 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2427 {
2428         struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2429         struct l2cap_chan *chan = conn->smp;
2430         struct smp_chan *smp = chan->data;
2431 
2432         BT_DBG("conn %p", conn);
2433 
2434         if (skb->len < sizeof(*rp))
2435                 return SMP_INVALID_PARAMS;
2436 
2437         SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2438 
2439         skb_pull(skb, sizeof(*rp));
2440 
2441         memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2442 
2443         return 0;
2444 }
2445 
2446 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2447 {
2448         struct smp_cmd_master_ident *rp = (void *) skb->data;
2449         struct l2cap_chan *chan = conn->smp;
2450         struct smp_chan *smp = chan->data;
2451         struct hci_dev *hdev = conn->hcon->hdev;
2452         struct hci_conn *hcon = conn->hcon;
2453         struct smp_ltk *ltk;
2454         u8 authenticated;
2455 
2456         BT_DBG("conn %p", conn);
2457 
2458         if (skb->len < sizeof(*rp))
2459                 return SMP_INVALID_PARAMS;
2460 
2461         /* Mark the information as received */
2462         smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2463 
2464         if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2465                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2466         else if (smp->remote_key_dist & SMP_DIST_SIGN)
2467                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2468 
2469         skb_pull(skb, sizeof(*rp));
2470 
2471         authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2472         ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2473                           authenticated, smp->tk, smp->enc_key_size,
2474                           rp->ediv, rp->rand);
2475         smp->ltk = ltk;
2476         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2477                 smp_distribute_keys(smp);
2478 
2479         return 0;
2480 }
2481 
2482 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2483 {
2484         struct smp_cmd_ident_info *info = (void *) skb->data;
2485         struct l2cap_chan *chan = conn->smp;
2486         struct smp_chan *smp = chan->data;
2487 
2488         BT_DBG("");
2489 
2490         if (skb->len < sizeof(*info))
2491                 return SMP_INVALID_PARAMS;
2492 
2493         SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2494 
2495         skb_pull(skb, sizeof(*info));
2496 
2497         memcpy(smp->irk, info->irk, 16);
2498 
2499         return 0;
2500 }
2501 
2502 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2503                                    struct sk_buff *skb)
2504 {
2505         struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2506         struct l2cap_chan *chan = conn->smp;
2507         struct smp_chan *smp = chan->data;
2508         struct hci_conn *hcon = conn->hcon;
2509         bdaddr_t rpa;
2510 
2511         BT_DBG("");
2512 
2513         if (skb->len < sizeof(*info))
2514                 return SMP_INVALID_PARAMS;
2515 
2516         /* Mark the information as received */
2517         smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2518 
2519         if (smp->remote_key_dist & SMP_DIST_SIGN)
2520                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2521 
2522         skb_pull(skb, sizeof(*info));
2523 
2524         /* Strictly speaking the Core Specification (4.1) allows sending
2525          * an empty address which would force us to rely on just the IRK
2526          * as "identity information". However, since such
2527          * implementations are not known of and in order to not over
2528          * complicate our implementation, simply pretend that we never
2529          * received an IRK for such a device.
2530          *
2531          * The Identity Address must also be a Static Random or Public
2532          * Address, which hci_is_identity_address() checks for.
2533          */
2534         if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2535             !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2536                 BT_ERR("Ignoring IRK with no identity address");
2537                 goto distribute;
2538         }
2539 
2540         bacpy(&smp->id_addr, &info->bdaddr);
2541         smp->id_addr_type = info->addr_type;
2542 
2543         if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2544                 bacpy(&rpa, &hcon->dst);
2545         else
2546                 bacpy(&rpa, BDADDR_ANY);
2547 
2548         smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2549                                       smp->id_addr_type, smp->irk, &rpa);
2550 
2551 distribute:
2552         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2553                 smp_distribute_keys(smp);
2554 
2555         return 0;
2556 }
2557 
2558 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2559 {
2560         struct smp_cmd_sign_info *rp = (void *) skb->data;
2561         struct l2cap_chan *chan = conn->smp;
2562         struct smp_chan *smp = chan->data;
2563         struct smp_csrk *csrk;
2564 
2565         BT_DBG("conn %p", conn);
2566 
2567         if (skb->len < sizeof(*rp))
2568                 return SMP_INVALID_PARAMS;
2569 
2570         /* Mark the information as received */
2571         smp->remote_key_dist &= ~SMP_DIST_SIGN;
2572 
2573         skb_pull(skb, sizeof(*rp));
2574 
2575         csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2576         if (csrk) {
2577                 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2578                         csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2579                 else
2580                         csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2581                 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2582         }
2583         smp->csrk = csrk;
2584         smp_distribute_keys(smp);
2585 
2586         return 0;
2587 }
2588 
2589 static u8 sc_select_method(struct smp_chan *smp)
2590 {
2591         struct l2cap_conn *conn = smp->conn;
2592         struct hci_conn *hcon = conn->hcon;
2593         struct smp_cmd_pairing *local, *remote;
2594         u8 local_mitm, remote_mitm, local_io, remote_io, method;
2595 
2596         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2597             test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2598                 return REQ_OOB;
2599 
2600         /* The preq/prsp contain the raw Pairing Request/Response PDUs
2601          * which are needed as inputs to some crypto functions. To get
2602          * the "struct smp_cmd_pairing" from them we need to skip the
2603          * first byte which contains the opcode.
2604          */
2605         if (hcon->out) {
2606                 local = (void *) &smp->preq[1];
2607                 remote = (void *) &smp->prsp[1];
2608         } else {
2609                 local = (void *) &smp->prsp[1];
2610                 remote = (void *) &smp->preq[1];
2611         }
2612 
2613         local_io = local->io_capability;
2614         remote_io = remote->io_capability;
2615 
2616         local_mitm = (local->auth_req & SMP_AUTH_MITM);
2617         remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2618 
2619         /* If either side wants MITM, look up the method from the table,
2620          * otherwise use JUST WORKS.
2621          */
2622         if (local_mitm || remote_mitm)
2623                 method = get_auth_method(smp, local_io, remote_io);
2624         else
2625                 method = JUST_WORKS;
2626 
2627         /* Don't confirm locally initiated pairing attempts */
2628         if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2629                 method = JUST_WORKS;
2630 
2631         return method;
2632 }
2633 
2634 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2635 {
2636         struct smp_cmd_public_key *key = (void *) skb->data;
2637         struct hci_conn *hcon = conn->hcon;
2638         struct l2cap_chan *chan = conn->smp;
2639         struct smp_chan *smp = chan->data;
2640         struct hci_dev *hdev = hcon->hdev;
2641         struct smp_cmd_pairing_confirm cfm;
2642         int err;
2643 
2644         BT_DBG("conn %p", conn);
2645 
2646         if (skb->len < sizeof(*key))
2647                 return SMP_INVALID_PARAMS;
2648 
2649         memcpy(smp->remote_pk, key, 64);
2650 
2651         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2652                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2653                              smp->rr, 0, cfm.confirm_val);
2654                 if (err)
2655                         return SMP_UNSPECIFIED;
2656 
2657                 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2658                         return SMP_CONFIRM_FAILED;
2659         }
2660 
2661         /* Non-initiating device sends its public key after receiving
2662          * the key from the initiating device.
2663          */
2664         if (!hcon->out) {
2665                 err = sc_send_public_key(smp);
2666                 if (err)
2667                         return err;
2668         }
2669 
2670         SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2671         SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2672 
2673         if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2674                 return SMP_UNSPECIFIED;
2675 
2676         SMP_DBG("DHKey %32phN", smp->dhkey);
2677 
2678         set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2679 
2680         smp->method = sc_select_method(smp);
2681 
2682         BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2683 
2684         /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2685         if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2686                 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2687         else
2688                 hcon->pending_sec_level = BT_SECURITY_FIPS;
2689 
2690         if (!memcmp(debug_pk, smp->remote_pk, 64))
2691                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2692 
2693         if (smp->method == DSP_PASSKEY) {
2694                 get_random_bytes(&hcon->passkey_notify,
2695                                  sizeof(hcon->passkey_notify));
2696                 hcon->passkey_notify %= 1000000;
2697                 hcon->passkey_entered = 0;
2698                 smp->passkey_round = 0;
2699                 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2700                                              hcon->dst_type,
2701                                              hcon->passkey_notify,
2702                                              hcon->passkey_entered))
2703                         return SMP_UNSPECIFIED;
2704                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2705                 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2706         }
2707 
2708         if (smp->method == REQ_OOB) {
2709                 if (hcon->out)
2710                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2711                                      sizeof(smp->prnd), smp->prnd);
2712 
2713                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2714 
2715                 return 0;
2716         }
2717 
2718         if (hcon->out)
2719                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2720 
2721         if (smp->method == REQ_PASSKEY) {
2722                 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2723                                               hcon->dst_type))
2724                         return SMP_UNSPECIFIED;
2725                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2726                 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2727                 return 0;
2728         }
2729 
2730         /* The Initiating device waits for the non-initiating device to
2731          * send the confirm value.
2732          */
2733         if (conn->hcon->out)
2734                 return 0;
2735 
2736         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2737                      0, cfm.confirm_val);
2738         if (err)
2739                 return SMP_UNSPECIFIED;
2740 
2741         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2742         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2743 
2744         return 0;
2745 }
2746 
2747 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2748 {
2749         struct smp_cmd_dhkey_check *check = (void *) skb->data;
2750         struct l2cap_chan *chan = conn->smp;
2751         struct hci_conn *hcon = conn->hcon;
2752         struct smp_chan *smp = chan->data;
2753         u8 a[7], b[7], *local_addr, *remote_addr;
2754         u8 io_cap[3], r[16], e[16];
2755         int err;
2756 
2757         BT_DBG("conn %p", conn);
2758 
2759         if (skb->len < sizeof(*check))
2760                 return SMP_INVALID_PARAMS;
2761 
2762         memcpy(a, &hcon->init_addr, 6);
2763         memcpy(b, &hcon->resp_addr, 6);
2764         a[6] = hcon->init_addr_type;
2765         b[6] = hcon->resp_addr_type;
2766 
2767         if (hcon->out) {
2768                 local_addr = a;
2769                 remote_addr = b;
2770                 memcpy(io_cap, &smp->prsp[1], 3);
2771         } else {
2772                 local_addr = b;
2773                 remote_addr = a;
2774                 memcpy(io_cap, &smp->preq[1], 3);
2775         }
2776 
2777         memset(r, 0, sizeof(r));
2778 
2779         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2780                 put_unaligned_le32(hcon->passkey_notify, r);
2781         else if (smp->method == REQ_OOB)
2782                 memcpy(r, smp->lr, 16);
2783 
2784         err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2785                      io_cap, remote_addr, local_addr, e);
2786         if (err)
2787                 return SMP_UNSPECIFIED;
2788 
2789         if (memcmp(check->e, e, 16))
2790                 return SMP_DHKEY_CHECK_FAILED;
2791 
2792         if (!hcon->out) {
2793                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2794                         set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2795                         return 0;
2796                 }
2797 
2798                 /* Slave sends DHKey check as response to master */
2799                 sc_dhkey_check(smp);
2800         }
2801 
2802         sc_add_ltk(smp);
2803 
2804         if (hcon->out) {
2805                 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2806                 hcon->enc_key_size = smp->enc_key_size;
2807         }
2808 
2809         return 0;
2810 }
2811 
2812 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2813                                    struct sk_buff *skb)
2814 {
2815         struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2816 
2817         BT_DBG("value 0x%02x", kp->value);
2818 
2819         return 0;
2820 }
2821 
2822 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2823 {
2824         struct l2cap_conn *conn = chan->conn;
2825         struct hci_conn *hcon = conn->hcon;
2826         struct smp_chan *smp;
2827         __u8 code, reason;
2828         int err = 0;
2829 
2830         if (skb->len < 1)
2831                 return -EILSEQ;
2832 
2833         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2834                 reason = SMP_PAIRING_NOTSUPP;
2835                 goto done;
2836         }
2837 
2838         code = skb->data[0];
2839         skb_pull(skb, sizeof(code));
2840 
2841         smp = chan->data;
2842 
2843         if (code > SMP_CMD_MAX)
2844                 goto drop;
2845 
2846         if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2847                 goto drop;
2848 
2849         /* If we don't have a context the only allowed commands are
2850          * pairing request and security request.
2851          */
2852         if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2853                 goto drop;
2854 
2855         switch (code) {
2856         case SMP_CMD_PAIRING_REQ:
2857                 reason = smp_cmd_pairing_req(conn, skb);
2858                 break;
2859 
2860         case SMP_CMD_PAIRING_FAIL:
2861                 smp_failure(conn, 0);
2862                 err = -EPERM;
2863                 break;
2864 
2865         case SMP_CMD_PAIRING_RSP:
2866                 reason = smp_cmd_pairing_rsp(conn, skb);
2867                 break;
2868 
2869         case SMP_CMD_SECURITY_REQ:
2870                 reason = smp_cmd_security_req(conn, skb);
2871                 break;
2872 
2873         case SMP_CMD_PAIRING_CONFIRM:
2874                 reason = smp_cmd_pairing_confirm(conn, skb);
2875                 break;
2876 
2877         case SMP_CMD_PAIRING_RANDOM:
2878                 reason = smp_cmd_pairing_random(conn, skb);
2879                 break;
2880 
2881         case SMP_CMD_ENCRYPT_INFO:
2882                 reason = smp_cmd_encrypt_info(conn, skb);
2883                 break;
2884 
2885         case SMP_CMD_MASTER_IDENT:
2886                 reason = smp_cmd_master_ident(conn, skb);
2887                 break;
2888 
2889         case SMP_CMD_IDENT_INFO:
2890                 reason = smp_cmd_ident_info(conn, skb);
2891                 break;
2892 
2893         case SMP_CMD_IDENT_ADDR_INFO:
2894                 reason = smp_cmd_ident_addr_info(conn, skb);
2895                 break;
2896 
2897         case SMP_CMD_SIGN_INFO:
2898                 reason = smp_cmd_sign_info(conn, skb);
2899                 break;
2900 
2901         case SMP_CMD_PUBLIC_KEY:
2902                 reason = smp_cmd_public_key(conn, skb);
2903                 break;
2904 
2905         case SMP_CMD_DHKEY_CHECK:
2906                 reason = smp_cmd_dhkey_check(conn, skb);
2907                 break;
2908 
2909         case SMP_CMD_KEYPRESS_NOTIFY:
2910                 reason = smp_cmd_keypress_notify(conn, skb);
2911                 break;
2912 
2913         default:
2914                 BT_DBG("Unknown command code 0x%2.2x", code);
2915                 reason = SMP_CMD_NOTSUPP;
2916                 goto done;
2917         }
2918 
2919 done:
2920         if (!err) {
2921                 if (reason)
2922                         smp_failure(conn, reason);
2923                 kfree_skb(skb);
2924         }
2925 
2926         return err;
2927 
2928 drop:
2929         BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2930                code, &hcon->dst);
2931         kfree_skb(skb);
2932         return 0;
2933 }
2934 
2935 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2936 {
2937         struct l2cap_conn *conn = chan->conn;
2938 
2939         BT_DBG("chan %p", chan);
2940 
2941         if (chan->data)
2942                 smp_chan_destroy(conn);
2943 
2944         conn->smp = NULL;
2945         l2cap_chan_put(chan);
2946 }
2947 
2948 static void bredr_pairing(struct l2cap_chan *chan)
2949 {
2950         struct l2cap_conn *conn = chan->conn;
2951         struct hci_conn *hcon = conn->hcon;
2952         struct hci_dev *hdev = hcon->hdev;
2953         struct smp_cmd_pairing req;
2954         struct smp_chan *smp;
2955 
2956         BT_DBG("chan %p", chan);
2957 
2958         /* Only new pairings are interesting */
2959         if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2960                 return;
2961 
2962         /* Don't bother if we're not encrypted */
2963         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2964                 return;
2965 
2966         /* Only master may initiate SMP over BR/EDR */
2967         if (hcon->role != HCI_ROLE_MASTER)
2968                 return;
2969 
2970         /* Secure Connections support must be enabled */
2971         if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2972                 return;
2973 
2974         /* BR/EDR must use Secure Connections for SMP */
2975         if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2976             !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2977                 return;
2978 
2979         /* If our LE support is not enabled don't do anything */
2980         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2981                 return;
2982 
2983         /* Don't bother if remote LE support is not enabled */
2984         if (!lmp_host_le_capable(hcon))
2985                 return;
2986 
2987         /* Remote must support SMP fixed chan for BR/EDR */
2988         if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2989                 return;
2990 
2991         /* Don't bother if SMP is already ongoing */
2992         if (chan->data)
2993                 return;
2994 
2995         smp = smp_chan_create(conn);
2996         if (!smp) {
2997                 BT_ERR("%s unable to create SMP context for BR/EDR",
2998                        hdev->name);
2999                 return;
3000         }
3001 
3002         set_bit(SMP_FLAG_SC, &smp->flags);
3003 
3004         BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3005 
3006         /* Prepare and send the BR/EDR SMP Pairing Request */
3007         build_bredr_pairing_cmd(smp, &req, NULL);
3008 
3009         smp->preq[0] = SMP_CMD_PAIRING_REQ;
3010         memcpy(&smp->preq[1], &req, sizeof(req));
3011 
3012         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3013         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3014 }
3015 
3016 static void smp_resume_cb(struct l2cap_chan *chan)
3017 {
3018         struct smp_chan *smp = chan->data;
3019         struct l2cap_conn *conn = chan->conn;
3020         struct hci_conn *hcon = conn->hcon;
3021 
3022         BT_DBG("chan %p", chan);
3023 
3024         if (hcon->type == ACL_LINK) {
3025                 bredr_pairing(chan);
3026                 return;
3027         }
3028 
3029         if (!smp)
3030                 return;
3031 
3032         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3033                 return;
3034 
3035         cancel_delayed_work(&smp->security_timer);
3036 
3037         smp_distribute_keys(smp);
3038 }
3039 
3040 static void smp_ready_cb(struct l2cap_chan *chan)
3041 {
3042         struct l2cap_conn *conn = chan->conn;
3043         struct hci_conn *hcon = conn->hcon;
3044 
3045         BT_DBG("chan %p", chan);
3046 
3047         /* No need to call l2cap_chan_hold() here since we already own
3048          * the reference taken in smp_new_conn_cb(). This is just the
3049          * first time that we tie it to a specific pointer. The code in
3050          * l2cap_core.c ensures that there's no risk this function wont
3051          * get called if smp_new_conn_cb was previously called.
3052          */
3053         conn->smp = chan;
3054 
3055         if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3056                 bredr_pairing(chan);
3057 }
3058 
3059 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3060 {
3061         int err;
3062 
3063         BT_DBG("chan %p", chan);
3064 
3065         err = smp_sig_channel(chan, skb);
3066         if (err) {
3067                 struct smp_chan *smp = chan->data;
3068 
3069                 if (smp)
3070                         cancel_delayed_work_sync(&smp->security_timer);
3071 
3072                 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3073         }
3074 
3075         return err;
3076 }
3077 
3078 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3079                                         unsigned long hdr_len,
3080                                         unsigned long len, int nb)
3081 {
3082         struct sk_buff *skb;
3083 
3084         skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3085         if (!skb)
3086                 return ERR_PTR(-ENOMEM);
3087 
3088         skb->priority = HCI_PRIO_MAX;
3089         bt_cb(skb)->l2cap.chan = chan;
3090 
3091         return skb;
3092 }
3093 
3094 static const struct l2cap_ops smp_chan_ops = {
3095         .name                   = "Security Manager",
3096         .ready                  = smp_ready_cb,
3097         .recv                   = smp_recv_cb,
3098         .alloc_skb              = smp_alloc_skb_cb,
3099         .teardown               = smp_teardown_cb,
3100         .resume                 = smp_resume_cb,
3101 
3102         .new_connection         = l2cap_chan_no_new_connection,
3103         .state_change           = l2cap_chan_no_state_change,
3104         .close                  = l2cap_chan_no_close,
3105         .defer                  = l2cap_chan_no_defer,
3106         .suspend                = l2cap_chan_no_suspend,
3107         .set_shutdown           = l2cap_chan_no_set_shutdown,
3108         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3109 };
3110 
3111 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3112 {
3113         struct l2cap_chan *chan;
3114 
3115         BT_DBG("pchan %p", pchan);
3116 
3117         chan = l2cap_chan_create();
3118         if (!chan)
3119                 return NULL;
3120 
3121         chan->chan_type = pchan->chan_type;
3122         chan->ops       = &smp_chan_ops;
3123         chan->scid      = pchan->scid;
3124         chan->dcid      = chan->scid;
3125         chan->imtu      = pchan->imtu;
3126         chan->omtu      = pchan->omtu;
3127         chan->mode      = pchan->mode;
3128 
3129         /* Other L2CAP channels may request SMP routines in order to
3130          * change the security level. This means that the SMP channel
3131          * lock must be considered in its own category to avoid lockdep
3132          * warnings.
3133          */
3134         atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3135 
3136         BT_DBG("created chan %p", chan);
3137 
3138         return chan;
3139 }
3140 
3141 static const struct l2cap_ops smp_root_chan_ops = {
3142         .name                   = "Security Manager Root",
3143         .new_connection         = smp_new_conn_cb,
3144 
3145         /* None of these are implemented for the root channel */
3146         .close                  = l2cap_chan_no_close,
3147         .alloc_skb              = l2cap_chan_no_alloc_skb,
3148         .recv                   = l2cap_chan_no_recv,
3149         .state_change           = l2cap_chan_no_state_change,
3150         .teardown               = l2cap_chan_no_teardown,
3151         .ready                  = l2cap_chan_no_ready,
3152         .defer                  = l2cap_chan_no_defer,
3153         .suspend                = l2cap_chan_no_suspend,
3154         .resume                 = l2cap_chan_no_resume,
3155         .set_shutdown           = l2cap_chan_no_set_shutdown,
3156         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3157 };
3158 
3159 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3160 {
3161         struct l2cap_chan *chan;
3162         struct smp_dev *smp;
3163         struct crypto_cipher *tfm_aes;
3164         struct crypto_shash *tfm_cmac;
3165 
3166         if (cid == L2CAP_CID_SMP_BREDR) {
3167                 smp = NULL;
3168                 goto create_chan;
3169         }
3170 
3171         smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3172         if (!smp)
3173                 return ERR_PTR(-ENOMEM);
3174 
3175         tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3176         if (IS_ERR(tfm_aes)) {
3177                 BT_ERR("Unable to create AES crypto context");
3178                 kzfree(smp);
3179                 return ERR_CAST(tfm_aes);
3180         }
3181 
3182         tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3183         if (IS_ERR(tfm_cmac)) {
3184                 BT_ERR("Unable to create CMAC crypto context");
3185                 crypto_free_cipher(tfm_aes);
3186                 kzfree(smp);
3187                 return ERR_CAST(tfm_cmac);
3188         }
3189 
3190         smp->tfm_aes = tfm_aes;
3191         smp->tfm_cmac = tfm_cmac;
3192         smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3193         smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3194 
3195 create_chan:
3196         chan = l2cap_chan_create();
3197         if (!chan) {
3198                 if (smp) {
3199                         crypto_free_cipher(smp->tfm_aes);
3200                         crypto_free_shash(smp->tfm_cmac);
3201                         kzfree(smp);
3202                 }
3203                 return ERR_PTR(-ENOMEM);
3204         }
3205 
3206         chan->data = smp;
3207 
3208         l2cap_add_scid(chan, cid);
3209 
3210         l2cap_chan_set_defaults(chan);
3211 
3212         if (cid == L2CAP_CID_SMP) {
3213                 u8 bdaddr_type;
3214 
3215                 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3216 
3217                 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3218                         chan->src_type = BDADDR_LE_PUBLIC;
3219                 else
3220                         chan->src_type = BDADDR_LE_RANDOM;
3221         } else {
3222                 bacpy(&chan->src, &hdev->bdaddr);
3223                 chan->src_type = BDADDR_BREDR;
3224         }
3225 
3226         chan->state = BT_LISTEN;
3227         chan->mode = L2CAP_MODE_BASIC;
3228         chan->imtu = L2CAP_DEFAULT_MTU;
3229         chan->ops = &smp_root_chan_ops;
3230 
3231         /* Set correct nesting level for a parent/listening channel */
3232         atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3233 
3234         return chan;
3235 }
3236 
3237 static void smp_del_chan(struct l2cap_chan *chan)
3238 {
3239         struct smp_dev *smp;
3240 
3241         BT_DBG("chan %p", chan);
3242 
3243         smp = chan->data;
3244         if (smp) {
3245                 chan->data = NULL;
3246                 crypto_free_cipher(smp->tfm_aes);
3247                 crypto_free_shash(smp->tfm_cmac);
3248                 kzfree(smp);
3249         }
3250 
3251         l2cap_chan_put(chan);
3252 }
3253 
3254 static ssize_t force_bredr_smp_read(struct file *file,
3255                                     char __user *user_buf,
3256                                     size_t count, loff_t *ppos)
3257 {
3258         struct hci_dev *hdev = file->private_data;
3259         char buf[3];
3260 
3261         buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3262         buf[1] = '\n';
3263         buf[2] = '\0';
3264         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3265 }
3266 
3267 static ssize_t force_bredr_smp_write(struct file *file,
3268                                      const char __user *user_buf,
3269                                      size_t count, loff_t *ppos)
3270 {
3271         struct hci_dev *hdev = file->private_data;
3272         char buf[32];
3273         size_t buf_size = min(count, (sizeof(buf)-1));
3274         bool enable;
3275 
3276         if (copy_from_user(buf, user_buf, buf_size))
3277                 return -EFAULT;
3278 
3279         buf[buf_size] = '\0';
3280         if (strtobool(buf, &enable))
3281                 return -EINVAL;
3282 
3283         if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3284                 return -EALREADY;
3285 
3286         if (enable) {
3287                 struct l2cap_chan *chan;
3288 
3289                 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3290                 if (IS_ERR(chan))
3291                         return PTR_ERR(chan);
3292 
3293                 hdev->smp_bredr_data = chan;
3294         } else {
3295                 struct l2cap_chan *chan;
3296 
3297                 chan = hdev->smp_bredr_data;
3298                 hdev->smp_bredr_data = NULL;
3299                 smp_del_chan(chan);
3300         }
3301 
3302         hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3303 
3304         return count;
3305 }
3306 
3307 static const struct file_operations force_bredr_smp_fops = {
3308         .open           = simple_open,
3309         .read           = force_bredr_smp_read,
3310         .write          = force_bredr_smp_write,
3311         .llseek         = default_llseek,
3312 };
3313 
3314 static ssize_t le_min_key_size_read(struct file *file,
3315                                      char __user *user_buf,
3316                                      size_t count, loff_t *ppos)
3317 {
3318         struct hci_dev *hdev = file->private_data;
3319         char buf[4];
3320 
3321         snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3322 
3323         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3324 }
3325 
3326 static ssize_t le_min_key_size_write(struct file *file,
3327                                       const char __user *user_buf,
3328                                       size_t count, loff_t *ppos)
3329 {
3330         struct hci_dev *hdev = file->private_data;
3331         char buf[32];
3332         size_t buf_size = min(count, (sizeof(buf) - 1));
3333         u8 key_size;
3334 
3335         if (copy_from_user(buf, user_buf, buf_size))
3336                 return -EFAULT;
3337 
3338         buf[buf_size] = '\0';
3339 
3340         sscanf(buf, "%hhu", &key_size);
3341 
3342         if (key_size > SMP_DEV(hdev)->max_key_size ||
3343             key_size < SMP_MIN_ENC_KEY_SIZE)
3344                 return -EINVAL;
3345 
3346         SMP_DEV(hdev)->min_key_size = key_size;
3347 
3348         return count;
3349 }
3350 
3351 static const struct file_operations le_min_key_size_fops = {
3352         .open           = simple_open,
3353         .read           = le_min_key_size_read,
3354         .write          = le_min_key_size_write,
3355         .llseek         = default_llseek,
3356 };
3357 
3358 static ssize_t le_max_key_size_read(struct file *file,
3359                                      char __user *user_buf,
3360                                      size_t count, loff_t *ppos)
3361 {
3362         struct hci_dev *hdev = file->private_data;
3363         char buf[4];
3364 
3365         snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3366 
3367         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3368 }
3369 
3370 static ssize_t le_max_key_size_write(struct file *file,
3371                                       const char __user *user_buf,
3372                                       size_t count, loff_t *ppos)
3373 {
3374         struct hci_dev *hdev = file->private_data;
3375         char buf[32];
3376         size_t buf_size = min(count, (sizeof(buf) - 1));
3377         u8 key_size;
3378 
3379         if (copy_from_user(buf, user_buf, buf_size))
3380                 return -EFAULT;
3381 
3382         buf[buf_size] = '\0';
3383 
3384         sscanf(buf, "%hhu", &key_size);
3385 
3386         if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3387             key_size < SMP_DEV(hdev)->min_key_size)
3388                 return -EINVAL;
3389 
3390         SMP_DEV(hdev)->max_key_size = key_size;
3391 
3392         return count;
3393 }
3394 
3395 static const struct file_operations le_max_key_size_fops = {
3396         .open           = simple_open,
3397         .read           = le_max_key_size_read,
3398         .write          = le_max_key_size_write,
3399         .llseek         = default_llseek,
3400 };
3401 
3402 int smp_register(struct hci_dev *hdev)
3403 {
3404         struct l2cap_chan *chan;
3405 
3406         BT_DBG("%s", hdev->name);
3407 
3408         /* If the controller does not support Low Energy operation, then
3409          * there is also no need to register any SMP channel.
3410          */
3411         if (!lmp_le_capable(hdev))
3412                 return 0;
3413 
3414         if (WARN_ON(hdev->smp_data)) {
3415                 chan = hdev->smp_data;
3416                 hdev->smp_data = NULL;
3417                 smp_del_chan(chan);
3418         }
3419 
3420         chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3421         if (IS_ERR(chan))
3422                 return PTR_ERR(chan);
3423 
3424         hdev->smp_data = chan;
3425 
3426         debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3427                             &le_min_key_size_fops);
3428         debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3429                             &le_max_key_size_fops);
3430 
3431         /* If the controller does not support BR/EDR Secure Connections
3432          * feature, then the BR/EDR SMP channel shall not be present.
3433          *
3434          * To test this with Bluetooth 4.0 controllers, create a debugfs
3435          * switch that allows forcing BR/EDR SMP support and accepting
3436          * cross-transport pairing on non-AES encrypted connections.
3437          */
3438         if (!lmp_sc_capable(hdev)) {
3439                 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3440                                     hdev, &force_bredr_smp_fops);
3441 
3442                 /* Flag can be already set here (due to power toggle) */
3443                 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3444                         return 0;
3445         }
3446 
3447         if (WARN_ON(hdev->smp_bredr_data)) {
3448                 chan = hdev->smp_bredr_data;
3449                 hdev->smp_bredr_data = NULL;
3450                 smp_del_chan(chan);
3451         }
3452 
3453         chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3454         if (IS_ERR(chan)) {
3455                 int err = PTR_ERR(chan);
3456                 chan = hdev->smp_data;
3457                 hdev->smp_data = NULL;
3458                 smp_del_chan(chan);
3459                 return err;
3460         }
3461 
3462         hdev->smp_bredr_data = chan;
3463 
3464         return 0;
3465 }
3466 
3467 void smp_unregister(struct hci_dev *hdev)
3468 {
3469         struct l2cap_chan *chan;
3470 
3471         if (hdev->smp_bredr_data) {
3472                 chan = hdev->smp_bredr_data;
3473                 hdev->smp_bredr_data = NULL;
3474                 smp_del_chan(chan);
3475         }
3476 
3477         if (hdev->smp_data) {
3478                 chan = hdev->smp_data;
3479                 hdev->smp_data = NULL;
3480                 smp_del_chan(chan);
3481         }
3482 }
3483 
3484 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3485 
3486 static int __init test_ah(struct crypto_cipher *tfm_aes)
3487 {
3488         const u8 irk[16] = {
3489                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3490                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3491         const u8 r[3] = { 0x94, 0x81, 0x70 };
3492         const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3493         u8 res[3];
3494         int err;
3495 
3496         err = smp_ah(tfm_aes, irk, r, res);
3497         if (err)
3498                 return err;
3499 
3500         if (memcmp(res, exp, 3))
3501                 return -EINVAL;
3502 
3503         return 0;
3504 }
3505 
3506 static int __init test_c1(struct crypto_cipher *tfm_aes)
3507 {
3508         const u8 k[16] = {
3509                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3510                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3511         const u8 r[16] = {
3512                         0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3513                         0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3514         const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3515         const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3516         const u8 _iat = 0x01;
3517         const u8 _rat = 0x00;
3518         const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3519         const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3520         const u8 exp[16] = {
3521                         0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3522                         0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3523         u8 res[16];
3524         int err;
3525 
3526         err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3527         if (err)
3528                 return err;
3529 
3530         if (memcmp(res, exp, 16))
3531                 return -EINVAL;
3532 
3533         return 0;
3534 }
3535 
3536 static int __init test_s1(struct crypto_cipher *tfm_aes)
3537 {
3538         const u8 k[16] = {
3539                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3540                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3541         const u8 r1[16] = {
3542                         0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3543         const u8 r2[16] = {
3544                         0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3545         const u8 exp[16] = {
3546                         0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3547                         0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3548         u8 res[16];
3549         int err;
3550 
3551         err = smp_s1(tfm_aes, k, r1, r2, res);
3552         if (err)
3553                 return err;
3554 
3555         if (memcmp(res, exp, 16))
3556                 return -EINVAL;
3557 
3558         return 0;
3559 }
3560 
3561 static int __init test_f4(struct crypto_shash *tfm_cmac)
3562 {
3563         const u8 u[32] = {
3564                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3565                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3566                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3567                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3568         const u8 v[32] = {
3569                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3570                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3571                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3572                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3573         const u8 x[16] = {
3574                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3575                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3576         const u8 z = 0x00;
3577         const u8 exp[16] = {
3578                         0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3579                         0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3580         u8 res[16];
3581         int err;
3582 
3583         err = smp_f4(tfm_cmac, u, v, x, z, res);
3584         if (err)
3585                 return err;
3586 
3587         if (memcmp(res, exp, 16))
3588                 return -EINVAL;
3589 
3590         return 0;
3591 }
3592 
3593 static int __init test_f5(struct crypto_shash *tfm_cmac)
3594 {
3595         const u8 w[32] = {
3596                         0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3597                         0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3598                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3599                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3600         const u8 n1[16] = {
3601                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3602                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3603         const u8 n2[16] = {
3604                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3605                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3606         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3607         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3608         const u8 exp_ltk[16] = {
3609                         0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3610                         0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3611         const u8 exp_mackey[16] = {
3612                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3613                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3614         u8 mackey[16], ltk[16];
3615         int err;
3616 
3617         err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3618         if (err)
3619                 return err;
3620 
3621         if (memcmp(mackey, exp_mackey, 16))
3622                 return -EINVAL;
3623 
3624         if (memcmp(ltk, exp_ltk, 16))
3625                 return -EINVAL;
3626 
3627         return 0;
3628 }
3629 
3630 static int __init test_f6(struct crypto_shash *tfm_cmac)
3631 {
3632         const u8 w[16] = {
3633                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3634                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3635         const u8 n1[16] = {
3636                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3637                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3638         const u8 n2[16] = {
3639                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3640                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3641         const u8 r[16] = {
3642                         0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3643                         0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3644         const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3645         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3646         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3647         const u8 exp[16] = {
3648                         0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3649                         0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3650         u8 res[16];
3651         int err;
3652 
3653         err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3654         if (err)
3655                 return err;
3656 
3657         if (memcmp(res, exp, 16))
3658                 return -EINVAL;
3659 
3660         return 0;
3661 }
3662 
3663 static int __init test_g2(struct crypto_shash *tfm_cmac)
3664 {
3665         const u8 u[32] = {
3666                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3667                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3668                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3669                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3670         const u8 v[32] = {
3671                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3672                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3673                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3674                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3675         const u8 x[16] = {
3676                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3677                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3678         const u8 y[16] = {
3679                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3680                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3681         const u32 exp_val = 0x2f9ed5ba % 1000000;
3682         u32 val;
3683         int err;
3684 
3685         err = smp_g2(tfm_cmac, u, v, x, y, &val);
3686         if (err)
3687                 return err;
3688 
3689         if (val != exp_val)
3690                 return -EINVAL;
3691 
3692         return 0;
3693 }
3694 
3695 static int __init test_h6(struct crypto_shash *tfm_cmac)
3696 {
3697         const u8 w[16] = {
3698                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3699                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3700         const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3701         const u8 exp[16] = {
3702                         0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3703                         0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3704         u8 res[16];
3705         int err;
3706 
3707         err = smp_h6(tfm_cmac, w, key_id, res);
3708         if (err)
3709                 return err;
3710 
3711         if (memcmp(res, exp, 16))
3712                 return -EINVAL;
3713 
3714         return 0;
3715 }
3716 
3717 static char test_smp_buffer[32];
3718 
3719 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3720                              size_t count, loff_t *ppos)
3721 {
3722         return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3723                                        strlen(test_smp_buffer));
3724 }
3725 
3726 static const struct file_operations test_smp_fops = {
3727         .open           = simple_open,
3728         .read           = test_smp_read,
3729         .llseek         = default_llseek,
3730 };
3731 
3732 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3733                                 struct crypto_shash *tfm_cmac)
3734 {
3735         ktime_t calltime, delta, rettime;
3736         unsigned long long duration;
3737         int err;
3738 
3739         calltime = ktime_get();
3740 
3741         err = test_ah(tfm_aes);
3742         if (err) {
3743                 BT_ERR("smp_ah test failed");
3744                 goto done;
3745         }
3746 
3747         err = test_c1(tfm_aes);
3748         if (err) {
3749                 BT_ERR("smp_c1 test failed");
3750                 goto done;
3751         }
3752 
3753         err = test_s1(tfm_aes);
3754         if (err) {
3755                 BT_ERR("smp_s1 test failed");
3756                 goto done;
3757         }
3758 
3759         err = test_f4(tfm_cmac);
3760         if (err) {
3761                 BT_ERR("smp_f4 test failed");
3762                 goto done;
3763         }
3764 
3765         err = test_f5(tfm_cmac);
3766         if (err) {
3767                 BT_ERR("smp_f5 test failed");
3768                 goto done;
3769         }
3770 
3771         err = test_f6(tfm_cmac);
3772         if (err) {
3773                 BT_ERR("smp_f6 test failed");
3774                 goto done;
3775         }
3776 
3777         err = test_g2(tfm_cmac);
3778         if (err) {
3779                 BT_ERR("smp_g2 test failed");
3780                 goto done;
3781         }
3782 
3783         err = test_h6(tfm_cmac);
3784         if (err) {
3785                 BT_ERR("smp_h6 test failed");
3786                 goto done;
3787         }
3788 
3789         rettime = ktime_get();
3790         delta = ktime_sub(rettime, calltime);
3791         duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3792 
3793         BT_INFO("SMP test passed in %llu usecs", duration);
3794 
3795 done:
3796         if (!err)
3797                 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3798                          "PASS (%llu usecs)\n", duration);
3799         else
3800                 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3801 
3802         debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3803                             &test_smp_fops);
3804 
3805         return err;
3806 }
3807 
3808 int __init bt_selftest_smp(void)
3809 {
3810         struct crypto_cipher *tfm_aes;
3811         struct crypto_shash *tfm_cmac;
3812         int err;
3813 
3814         tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3815         if (IS_ERR(tfm_aes)) {
3816                 BT_ERR("Unable to create AES crypto context");
3817                 return PTR_ERR(tfm_aes);
3818         }
3819 
3820         tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3821         if (IS_ERR(tfm_cmac)) {
3822                 BT_ERR("Unable to create CMAC crypto context");
3823                 crypto_free_cipher(tfm_aes);
3824                 return PTR_ERR(tfm_cmac);
3825         }
3826 
3827         err = run_selftests(tfm_aes, tfm_cmac);
3828 
3829         crypto_free_shash(tfm_cmac);
3830         crypto_free_cipher(tfm_aes);
3831 
3832         return err;
3833 }
3834 
3835 #endif
3836 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp