~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/smp.c

Version: ~ [ linux-5.8-rc3 ] ~ [ linux-5.7.5 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.48 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.129 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.185 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.228 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.228 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.85 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
  4 
  5    This program is free software; you can redistribute it and/or modify
  6    it under the terms of the GNU General Public License version 2 as
  7    published by the Free Software Foundation;
  8 
  9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 17 
 18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 20    SOFTWARE IS DISCLAIMED.
 21 */
 22 
 23 #include <linux/debugfs.h>
 24 #include <linux/scatterlist.h>
 25 #include <linux/crypto.h>
 26 #include <crypto/algapi.h>
 27 #include <crypto/b128ops.h>
 28 #include <crypto/hash.h>
 29 #include <crypto/kpp.h>
 30 
 31 #include <net/bluetooth/bluetooth.h>
 32 #include <net/bluetooth/hci_core.h>
 33 #include <net/bluetooth/l2cap.h>
 34 #include <net/bluetooth/mgmt.h>
 35 
 36 #include "ecdh_helper.h"
 37 #include "smp.h"
 38 
 39 #define SMP_DEV(hdev) \
 40         ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
 41 
 42 /* Low-level debug macros to be used for stuff that we don't want
 43  * accidentially in dmesg, i.e. the values of the various crypto keys
 44  * and the inputs & outputs of crypto functions.
 45  */
 46 #ifdef DEBUG
 47 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
 48                                  ##__VA_ARGS__)
 49 #else
 50 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
 51                                     ##__VA_ARGS__)
 52 #endif
 53 
 54 #define SMP_ALLOW_CMD(smp, code)        set_bit(code, &smp->allow_cmd)
 55 
 56 /* Keys which are not distributed with Secure Connections */
 57 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
 58 
 59 #define SMP_TIMEOUT     msecs_to_jiffies(30000)
 60 
 61 #define AUTH_REQ_MASK(dev)      (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
 62                                  0x3f : 0x07)
 63 #define KEY_DIST_MASK           0x07
 64 
 65 /* Maximum message length that can be passed to aes_cmac */
 66 #define CMAC_MSG_MAX    80
 67 
 68 enum {
 69         SMP_FLAG_TK_VALID,
 70         SMP_FLAG_CFM_PENDING,
 71         SMP_FLAG_MITM_AUTH,
 72         SMP_FLAG_COMPLETE,
 73         SMP_FLAG_INITIATOR,
 74         SMP_FLAG_SC,
 75         SMP_FLAG_REMOTE_PK,
 76         SMP_FLAG_DEBUG_KEY,
 77         SMP_FLAG_WAIT_USER,
 78         SMP_FLAG_DHKEY_PENDING,
 79         SMP_FLAG_REMOTE_OOB,
 80         SMP_FLAG_LOCAL_OOB,
 81         SMP_FLAG_CT2,
 82 };
 83 
 84 struct smp_dev {
 85         /* Secure Connections OOB data */
 86         bool                    local_oob;
 87         u8                      local_pk[64];
 88         u8                      local_rand[16];
 89         bool                    debug_key;
 90 
 91         u8                      min_key_size;
 92         u8                      max_key_size;
 93 
 94         struct crypto_cipher    *tfm_aes;
 95         struct crypto_shash     *tfm_cmac;
 96         struct crypto_kpp       *tfm_ecdh;
 97 };
 98 
 99 struct smp_chan {
100         struct l2cap_conn       *conn;
101         struct delayed_work     security_timer;
102         unsigned long           allow_cmd; /* Bitmask of allowed commands */
103 
104         u8              preq[7]; /* SMP Pairing Request */
105         u8              prsp[7]; /* SMP Pairing Response */
106         u8              prnd[16]; /* SMP Pairing Random (local) */
107         u8              rrnd[16]; /* SMP Pairing Random (remote) */
108         u8              pcnf[16]; /* SMP Pairing Confirm */
109         u8              tk[16]; /* SMP Temporary Key */
110         u8              rr[16]; /* Remote OOB ra/rb value */
111         u8              lr[16]; /* Local OOB ra/rb value */
112         u8              enc_key_size;
113         u8              remote_key_dist;
114         bdaddr_t        id_addr;
115         u8              id_addr_type;
116         u8              irk[16];
117         struct smp_csrk *csrk;
118         struct smp_csrk *slave_csrk;
119         struct smp_ltk  *ltk;
120         struct smp_ltk  *slave_ltk;
121         struct smp_irk  *remote_irk;
122         u8              *link_key;
123         unsigned long   flags;
124         u8              method;
125         u8              passkey_round;
126 
127         /* Secure Connections variables */
128         u8                      local_pk[64];
129         u8                      remote_pk[64];
130         u8                      dhkey[32];
131         u8                      mackey[16];
132 
133         struct crypto_cipher    *tfm_aes;
134         struct crypto_shash     *tfm_cmac;
135         struct crypto_kpp       *tfm_ecdh;
136 };
137 
138 /* These debug key values are defined in the SMP section of the core
139  * specification. debug_pk is the public debug key and debug_sk the
140  * private debug key.
141  */
142 static const u8 debug_pk[64] = {
143                 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
144                 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
145                 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
146                 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
147 
148                 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
149                 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
150                 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
151                 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
152 };
153 
154 static const u8 debug_sk[32] = {
155                 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
156                 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
157                 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
158                 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
159 };
160 
161 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
162 {
163         size_t i;
164 
165         for (i = 0; i < len; i++)
166                 dst[len - 1 - i] = src[i];
167 }
168 
169 /* The following functions map to the LE SC SMP crypto functions
170  * AES-CMAC, f4, f5, f6, g2 and h6.
171  */
172 
173 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
174                     size_t len, u8 mac[16])
175 {
176         uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
177         SHASH_DESC_ON_STACK(desc, tfm);
178         int err;
179 
180         if (len > CMAC_MSG_MAX)
181                 return -EFBIG;
182 
183         if (!tfm) {
184                 BT_ERR("tfm %p", tfm);
185                 return -EINVAL;
186         }
187 
188         desc->tfm = tfm;
189         desc->flags = 0;
190 
191         /* Swap key and message from LSB to MSB */
192         swap_buf(k, tmp, 16);
193         swap_buf(m, msg_msb, len);
194 
195         SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
196         SMP_DBG("key %16phN", k);
197 
198         err = crypto_shash_setkey(tfm, tmp, 16);
199         if (err) {
200                 BT_ERR("cipher setkey failed: %d", err);
201                 return err;
202         }
203 
204         err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
205         shash_desc_zero(desc);
206         if (err) {
207                 BT_ERR("Hash computation error %d", err);
208                 return err;
209         }
210 
211         swap_buf(mac_msb, mac, 16);
212 
213         SMP_DBG("mac %16phN", mac);
214 
215         return 0;
216 }
217 
218 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
219                   const u8 v[32], const u8 x[16], u8 z, u8 res[16])
220 {
221         u8 m[65];
222         int err;
223 
224         SMP_DBG("u %32phN", u);
225         SMP_DBG("v %32phN", v);
226         SMP_DBG("x %16phN z %02x", x, z);
227 
228         m[0] = z;
229         memcpy(m + 1, v, 32);
230         memcpy(m + 33, u, 32);
231 
232         err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
233         if (err)
234                 return err;
235 
236         SMP_DBG("res %16phN", res);
237 
238         return err;
239 }
240 
241 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
242                   const u8 n1[16], const u8 n2[16], const u8 a1[7],
243                   const u8 a2[7], u8 mackey[16], u8 ltk[16])
244 {
245         /* The btle, salt and length "magic" values are as defined in
246          * the SMP section of the Bluetooth core specification. In ASCII
247          * the btle value ends up being 'btle'. The salt is just a
248          * random number whereas length is the value 256 in little
249          * endian format.
250          */
251         const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
252         const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
253                               0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
254         const u8 length[2] = { 0x00, 0x01 };
255         u8 m[53], t[16];
256         int err;
257 
258         SMP_DBG("w %32phN", w);
259         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
260         SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
261 
262         err = aes_cmac(tfm_cmac, salt, w, 32, t);
263         if (err)
264                 return err;
265 
266         SMP_DBG("t %16phN", t);
267 
268         memcpy(m, length, 2);
269         memcpy(m + 2, a2, 7);
270         memcpy(m + 9, a1, 7);
271         memcpy(m + 16, n2, 16);
272         memcpy(m + 32, n1, 16);
273         memcpy(m + 48, btle, 4);
274 
275         m[52] = 0; /* Counter */
276 
277         err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
278         if (err)
279                 return err;
280 
281         SMP_DBG("mackey %16phN", mackey);
282 
283         m[52] = 1; /* Counter */
284 
285         err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
286         if (err)
287                 return err;
288 
289         SMP_DBG("ltk %16phN", ltk);
290 
291         return 0;
292 }
293 
294 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
295                   const u8 n1[16], const u8 n2[16], const u8 r[16],
296                   const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
297                   u8 res[16])
298 {
299         u8 m[65];
300         int err;
301 
302         SMP_DBG("w %16phN", w);
303         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
304         SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
305 
306         memcpy(m, a2, 7);
307         memcpy(m + 7, a1, 7);
308         memcpy(m + 14, io_cap, 3);
309         memcpy(m + 17, r, 16);
310         memcpy(m + 33, n2, 16);
311         memcpy(m + 49, n1, 16);
312 
313         err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
314         if (err)
315                 return err;
316 
317         SMP_DBG("res %16phN", res);
318 
319         return err;
320 }
321 
322 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
323                   const u8 x[16], const u8 y[16], u32 *val)
324 {
325         u8 m[80], tmp[16];
326         int err;
327 
328         SMP_DBG("u %32phN", u);
329         SMP_DBG("v %32phN", v);
330         SMP_DBG("x %16phN y %16phN", x, y);
331 
332         memcpy(m, y, 16);
333         memcpy(m + 16, v, 32);
334         memcpy(m + 48, u, 32);
335 
336         err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
337         if (err)
338                 return err;
339 
340         *val = get_unaligned_le32(tmp);
341         *val %= 1000000;
342 
343         SMP_DBG("val %06u", *val);
344 
345         return 0;
346 }
347 
348 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
349                   const u8 key_id[4], u8 res[16])
350 {
351         int err;
352 
353         SMP_DBG("w %16phN key_id %4phN", w, key_id);
354 
355         err = aes_cmac(tfm_cmac, w, key_id, 4, res);
356         if (err)
357                 return err;
358 
359         SMP_DBG("res %16phN", res);
360 
361         return err;
362 }
363 
364 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
365                   const u8 salt[16], u8 res[16])
366 {
367         int err;
368 
369         SMP_DBG("w %16phN salt %16phN", w, salt);
370 
371         err = aes_cmac(tfm_cmac, salt, w, 16, res);
372         if (err)
373                 return err;
374 
375         SMP_DBG("res %16phN", res);
376 
377         return err;
378 }
379 
380 /* The following functions map to the legacy SMP crypto functions e, c1,
381  * s1 and ah.
382  */
383 
384 static int smp_e(struct crypto_cipher *tfm, const u8 *k, u8 *r)
385 {
386         uint8_t tmp[16], data[16];
387         int err;
388 
389         SMP_DBG("k %16phN r %16phN", k, r);
390 
391         if (!tfm) {
392                 BT_ERR("tfm %p", tfm);
393                 return -EINVAL;
394         }
395 
396         /* The most significant octet of key corresponds to k[0] */
397         swap_buf(k, tmp, 16);
398 
399         err = crypto_cipher_setkey(tfm, tmp, 16);
400         if (err) {
401                 BT_ERR("cipher setkey failed: %d", err);
402                 return err;
403         }
404 
405         /* Most significant octet of plaintextData corresponds to data[0] */
406         swap_buf(r, data, 16);
407 
408         crypto_cipher_encrypt_one(tfm, data, data);
409 
410         /* Most significant octet of encryptedData corresponds to data[0] */
411         swap_buf(data, r, 16);
412 
413         SMP_DBG("r %16phN", r);
414 
415         return err;
416 }
417 
418 static int smp_c1(struct crypto_cipher *tfm_aes, const u8 k[16],
419                   const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
420                   const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
421 {
422         u8 p1[16], p2[16];
423         int err;
424 
425         SMP_DBG("k %16phN r %16phN", k, r);
426         SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
427         SMP_DBG("preq %7phN pres %7phN", preq, pres);
428 
429         memset(p1, 0, 16);
430 
431         /* p1 = pres || preq || _rat || _iat */
432         p1[0] = _iat;
433         p1[1] = _rat;
434         memcpy(p1 + 2, preq, 7);
435         memcpy(p1 + 9, pres, 7);
436 
437         SMP_DBG("p1 %16phN", p1);
438 
439         /* res = r XOR p1 */
440         u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
441 
442         /* res = e(k, res) */
443         err = smp_e(tfm_aes, k, res);
444         if (err) {
445                 BT_ERR("Encrypt data error");
446                 return err;
447         }
448 
449         /* p2 = padding || ia || ra */
450         memcpy(p2, ra, 6);
451         memcpy(p2 + 6, ia, 6);
452         memset(p2 + 12, 0, 4);
453 
454         SMP_DBG("p2 %16phN", p2);
455 
456         /* res = res XOR p2 */
457         u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
458 
459         /* res = e(k, res) */
460         err = smp_e(tfm_aes, k, res);
461         if (err)
462                 BT_ERR("Encrypt data error");
463 
464         return err;
465 }
466 
467 static int smp_s1(struct crypto_cipher *tfm_aes, const u8 k[16],
468                   const u8 r1[16], const u8 r2[16], u8 _r[16])
469 {
470         int err;
471 
472         /* Just least significant octets from r1 and r2 are considered */
473         memcpy(_r, r2, 8);
474         memcpy(_r + 8, r1, 8);
475 
476         err = smp_e(tfm_aes, k, _r);
477         if (err)
478                 BT_ERR("Encrypt data error");
479 
480         return err;
481 }
482 
483 static int smp_ah(struct crypto_cipher *tfm, const u8 irk[16],
484                   const u8 r[3], u8 res[3])
485 {
486         u8 _res[16];
487         int err;
488 
489         /* r' = padding || r */
490         memcpy(_res, r, 3);
491         memset(_res + 3, 0, 13);
492 
493         err = smp_e(tfm, irk, _res);
494         if (err) {
495                 BT_ERR("Encrypt error");
496                 return err;
497         }
498 
499         /* The output of the random address function ah is:
500          *      ah(k, r) = e(k, r') mod 2^24
501          * The output of the security function e is then truncated to 24 bits
502          * by taking the least significant 24 bits of the output of e as the
503          * result of ah.
504          */
505         memcpy(res, _res, 3);
506 
507         return 0;
508 }
509 
510 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
511                      const bdaddr_t *bdaddr)
512 {
513         struct l2cap_chan *chan = hdev->smp_data;
514         struct smp_dev *smp;
515         u8 hash[3];
516         int err;
517 
518         if (!chan || !chan->data)
519                 return false;
520 
521         smp = chan->data;
522 
523         BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
524 
525         err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
526         if (err)
527                 return false;
528 
529         return !crypto_memneq(bdaddr->b, hash, 3);
530 }
531 
532 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
533 {
534         struct l2cap_chan *chan = hdev->smp_data;
535         struct smp_dev *smp;
536         int err;
537 
538         if (!chan || !chan->data)
539                 return -EOPNOTSUPP;
540 
541         smp = chan->data;
542 
543         get_random_bytes(&rpa->b[3], 3);
544 
545         rpa->b[5] &= 0x3f;      /* Clear two most significant bits */
546         rpa->b[5] |= 0x40;      /* Set second most significant bit */
547 
548         err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
549         if (err < 0)
550                 return err;
551 
552         BT_DBG("RPA %pMR", rpa);
553 
554         return 0;
555 }
556 
557 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
558 {
559         struct l2cap_chan *chan = hdev->smp_data;
560         struct smp_dev *smp;
561         int err;
562 
563         if (!chan || !chan->data)
564                 return -EOPNOTSUPP;
565 
566         smp = chan->data;
567 
568         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
569                 BT_DBG("Using debug keys");
570                 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
571                 if (err)
572                         return err;
573                 memcpy(smp->local_pk, debug_pk, 64);
574                 smp->debug_key = true;
575         } else {
576                 while (true) {
577                         /* Generate key pair for Secure Connections */
578                         err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
579                         if (err)
580                                 return err;
581 
582                         /* This is unlikely, but we need to check that
583                          * we didn't accidentially generate a debug key.
584                          */
585                         if (crypto_memneq(smp->local_pk, debug_pk, 64))
586                                 break;
587                 }
588                 smp->debug_key = false;
589         }
590 
591         SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
592         SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
593 
594         get_random_bytes(smp->local_rand, 16);
595 
596         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
597                      smp->local_rand, 0, hash);
598         if (err < 0)
599                 return err;
600 
601         memcpy(rand, smp->local_rand, 16);
602 
603         smp->local_oob = true;
604 
605         return 0;
606 }
607 
608 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
609 {
610         struct l2cap_chan *chan = conn->smp;
611         struct smp_chan *smp;
612         struct kvec iv[2];
613         struct msghdr msg;
614 
615         if (!chan)
616                 return;
617 
618         BT_DBG("code 0x%2.2x", code);
619 
620         iv[0].iov_base = &code;
621         iv[0].iov_len = 1;
622 
623         iv[1].iov_base = data;
624         iv[1].iov_len = len;
625 
626         memset(&msg, 0, sizeof(msg));
627 
628         iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
629 
630         l2cap_chan_send(chan, &msg, 1 + len);
631 
632         if (!chan->data)
633                 return;
634 
635         smp = chan->data;
636 
637         cancel_delayed_work_sync(&smp->security_timer);
638         schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
639 }
640 
641 static u8 authreq_to_seclevel(u8 authreq)
642 {
643         if (authreq & SMP_AUTH_MITM) {
644                 if (authreq & SMP_AUTH_SC)
645                         return BT_SECURITY_FIPS;
646                 else
647                         return BT_SECURITY_HIGH;
648         } else {
649                 return BT_SECURITY_MEDIUM;
650         }
651 }
652 
653 static __u8 seclevel_to_authreq(__u8 sec_level)
654 {
655         switch (sec_level) {
656         case BT_SECURITY_FIPS:
657         case BT_SECURITY_HIGH:
658                 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
659         case BT_SECURITY_MEDIUM:
660                 return SMP_AUTH_BONDING;
661         default:
662                 return SMP_AUTH_NONE;
663         }
664 }
665 
666 static void build_pairing_cmd(struct l2cap_conn *conn,
667                               struct smp_cmd_pairing *req,
668                               struct smp_cmd_pairing *rsp, __u8 authreq)
669 {
670         struct l2cap_chan *chan = conn->smp;
671         struct smp_chan *smp = chan->data;
672         struct hci_conn *hcon = conn->hcon;
673         struct hci_dev *hdev = hcon->hdev;
674         u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
675 
676         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
677                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
678                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
679                 authreq |= SMP_AUTH_BONDING;
680         } else {
681                 authreq &= ~SMP_AUTH_BONDING;
682         }
683 
684         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
685                 remote_dist |= SMP_DIST_ID_KEY;
686 
687         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
688                 local_dist |= SMP_DIST_ID_KEY;
689 
690         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
691             (authreq & SMP_AUTH_SC)) {
692                 struct oob_data *oob_data;
693                 u8 bdaddr_type;
694 
695                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
696                         local_dist |= SMP_DIST_LINK_KEY;
697                         remote_dist |= SMP_DIST_LINK_KEY;
698                 }
699 
700                 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
701                         bdaddr_type = BDADDR_LE_PUBLIC;
702                 else
703                         bdaddr_type = BDADDR_LE_RANDOM;
704 
705                 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
706                                                     bdaddr_type);
707                 if (oob_data && oob_data->present) {
708                         set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
709                         oob_flag = SMP_OOB_PRESENT;
710                         memcpy(smp->rr, oob_data->rand256, 16);
711                         memcpy(smp->pcnf, oob_data->hash256, 16);
712                         SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
713                         SMP_DBG("OOB Remote Random: %16phN", smp->rr);
714                 }
715 
716         } else {
717                 authreq &= ~SMP_AUTH_SC;
718         }
719 
720         if (rsp == NULL) {
721                 req->io_capability = conn->hcon->io_capability;
722                 req->oob_flag = oob_flag;
723                 req->max_key_size = SMP_DEV(hdev)->max_key_size;
724                 req->init_key_dist = local_dist;
725                 req->resp_key_dist = remote_dist;
726                 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
727 
728                 smp->remote_key_dist = remote_dist;
729                 return;
730         }
731 
732         rsp->io_capability = conn->hcon->io_capability;
733         rsp->oob_flag = oob_flag;
734         rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
735         rsp->init_key_dist = req->init_key_dist & remote_dist;
736         rsp->resp_key_dist = req->resp_key_dist & local_dist;
737         rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
738 
739         smp->remote_key_dist = rsp->init_key_dist;
740 }
741 
742 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
743 {
744         struct l2cap_chan *chan = conn->smp;
745         struct hci_dev *hdev = conn->hcon->hdev;
746         struct smp_chan *smp = chan->data;
747 
748         if (max_key_size > SMP_DEV(hdev)->max_key_size ||
749             max_key_size < SMP_MIN_ENC_KEY_SIZE)
750                 return SMP_ENC_KEY_SIZE;
751 
752         smp->enc_key_size = max_key_size;
753 
754         return 0;
755 }
756 
757 static void smp_chan_destroy(struct l2cap_conn *conn)
758 {
759         struct l2cap_chan *chan = conn->smp;
760         struct smp_chan *smp = chan->data;
761         struct hci_conn *hcon = conn->hcon;
762         bool complete;
763 
764         BUG_ON(!smp);
765 
766         cancel_delayed_work_sync(&smp->security_timer);
767 
768         complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
769         mgmt_smp_complete(hcon, complete);
770 
771         kzfree(smp->csrk);
772         kzfree(smp->slave_csrk);
773         kzfree(smp->link_key);
774 
775         crypto_free_cipher(smp->tfm_aes);
776         crypto_free_shash(smp->tfm_cmac);
777         crypto_free_kpp(smp->tfm_ecdh);
778 
779         /* Ensure that we don't leave any debug key around if debug key
780          * support hasn't been explicitly enabled.
781          */
782         if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
783             !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
784                 list_del_rcu(&smp->ltk->list);
785                 kfree_rcu(smp->ltk, rcu);
786                 smp->ltk = NULL;
787         }
788 
789         /* If pairing failed clean up any keys we might have */
790         if (!complete) {
791                 if (smp->ltk) {
792                         list_del_rcu(&smp->ltk->list);
793                         kfree_rcu(smp->ltk, rcu);
794                 }
795 
796                 if (smp->slave_ltk) {
797                         list_del_rcu(&smp->slave_ltk->list);
798                         kfree_rcu(smp->slave_ltk, rcu);
799                 }
800 
801                 if (smp->remote_irk) {
802                         list_del_rcu(&smp->remote_irk->list);
803                         kfree_rcu(smp->remote_irk, rcu);
804                 }
805         }
806 
807         chan->data = NULL;
808         kzfree(smp);
809         hci_conn_drop(hcon);
810 }
811 
812 static void smp_failure(struct l2cap_conn *conn, u8 reason)
813 {
814         struct hci_conn *hcon = conn->hcon;
815         struct l2cap_chan *chan = conn->smp;
816 
817         if (reason)
818                 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
819                              &reason);
820 
821         mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
822 
823         if (chan->data)
824                 smp_chan_destroy(conn);
825 }
826 
827 #define JUST_WORKS      0x00
828 #define JUST_CFM        0x01
829 #define REQ_PASSKEY     0x02
830 #define CFM_PASSKEY     0x03
831 #define REQ_OOB         0x04
832 #define DSP_PASSKEY     0x05
833 #define OVERLAP         0xFF
834 
835 static const u8 gen_method[5][5] = {
836         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
837         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
838         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
839         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
840         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
841 };
842 
843 static const u8 sc_method[5][5] = {
844         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
845         { JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
846         { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
847         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
848         { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
849 };
850 
851 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
852 {
853         /* If either side has unknown io_caps, use JUST_CFM (which gets
854          * converted later to JUST_WORKS if we're initiators.
855          */
856         if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
857             remote_io > SMP_IO_KEYBOARD_DISPLAY)
858                 return JUST_CFM;
859 
860         if (test_bit(SMP_FLAG_SC, &smp->flags))
861                 return sc_method[remote_io][local_io];
862 
863         return gen_method[remote_io][local_io];
864 }
865 
866 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
867                                                 u8 local_io, u8 remote_io)
868 {
869         struct hci_conn *hcon = conn->hcon;
870         struct l2cap_chan *chan = conn->smp;
871         struct smp_chan *smp = chan->data;
872         u32 passkey = 0;
873         int ret = 0;
874 
875         /* Initialize key for JUST WORKS */
876         memset(smp->tk, 0, sizeof(smp->tk));
877         clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
878 
879         BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
880 
881         /* If neither side wants MITM, either "just" confirm an incoming
882          * request or use just-works for outgoing ones. The JUST_CFM
883          * will be converted to JUST_WORKS if necessary later in this
884          * function. If either side has MITM look up the method from the
885          * table.
886          */
887         if (!(auth & SMP_AUTH_MITM))
888                 smp->method = JUST_CFM;
889         else
890                 smp->method = get_auth_method(smp, local_io, remote_io);
891 
892         /* Don't confirm locally initiated pairing attempts */
893         if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
894                                                 &smp->flags))
895                 smp->method = JUST_WORKS;
896 
897         /* Don't bother user space with no IO capabilities */
898         if (smp->method == JUST_CFM &&
899             hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
900                 smp->method = JUST_WORKS;
901 
902         /* If Just Works, Continue with Zero TK */
903         if (smp->method == JUST_WORKS) {
904                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
905                 return 0;
906         }
907 
908         /* If this function is used for SC -> legacy fallback we
909          * can only recover the just-works case.
910          */
911         if (test_bit(SMP_FLAG_SC, &smp->flags))
912                 return -EINVAL;
913 
914         /* Not Just Works/Confirm results in MITM Authentication */
915         if (smp->method != JUST_CFM) {
916                 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
917                 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
918                         hcon->pending_sec_level = BT_SECURITY_HIGH;
919         }
920 
921         /* If both devices have Keyoard-Display I/O, the master
922          * Confirms and the slave Enters the passkey.
923          */
924         if (smp->method == OVERLAP) {
925                 if (hcon->role == HCI_ROLE_MASTER)
926                         smp->method = CFM_PASSKEY;
927                 else
928                         smp->method = REQ_PASSKEY;
929         }
930 
931         /* Generate random passkey. */
932         if (smp->method == CFM_PASSKEY) {
933                 memset(smp->tk, 0, sizeof(smp->tk));
934                 get_random_bytes(&passkey, sizeof(passkey));
935                 passkey %= 1000000;
936                 put_unaligned_le32(passkey, smp->tk);
937                 BT_DBG("PassKey: %d", passkey);
938                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
939         }
940 
941         if (smp->method == REQ_PASSKEY)
942                 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
943                                                 hcon->type, hcon->dst_type);
944         else if (smp->method == JUST_CFM)
945                 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
946                                                 hcon->type, hcon->dst_type,
947                                                 passkey, 1);
948         else
949                 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
950                                                 hcon->type, hcon->dst_type,
951                                                 passkey, 0);
952 
953         return ret;
954 }
955 
956 static u8 smp_confirm(struct smp_chan *smp)
957 {
958         struct l2cap_conn *conn = smp->conn;
959         struct smp_cmd_pairing_confirm cp;
960         int ret;
961 
962         BT_DBG("conn %p", conn);
963 
964         ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
965                      conn->hcon->init_addr_type, &conn->hcon->init_addr,
966                      conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
967                      cp.confirm_val);
968         if (ret)
969                 return SMP_UNSPECIFIED;
970 
971         clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
972 
973         smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
974 
975         if (conn->hcon->out)
976                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
977         else
978                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
979 
980         return 0;
981 }
982 
983 static u8 smp_random(struct smp_chan *smp)
984 {
985         struct l2cap_conn *conn = smp->conn;
986         struct hci_conn *hcon = conn->hcon;
987         u8 confirm[16];
988         int ret;
989 
990         if (IS_ERR_OR_NULL(smp->tfm_aes))
991                 return SMP_UNSPECIFIED;
992 
993         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
994 
995         ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
996                      hcon->init_addr_type, &hcon->init_addr,
997                      hcon->resp_addr_type, &hcon->resp_addr, confirm);
998         if (ret)
999                 return SMP_UNSPECIFIED;
1000 
1001         if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
1002                 bt_dev_err(hcon->hdev, "pairing failed "
1003                            "(confirmation values mismatch)");
1004                 return SMP_CONFIRM_FAILED;
1005         }
1006 
1007         if (hcon->out) {
1008                 u8 stk[16];
1009                 __le64 rand = 0;
1010                 __le16 ediv = 0;
1011 
1012                 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1013 
1014                 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1015                         return SMP_UNSPECIFIED;
1016 
1017                 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1018                 hcon->enc_key_size = smp->enc_key_size;
1019                 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1020         } else {
1021                 u8 stk[16], auth;
1022                 __le64 rand = 0;
1023                 __le16 ediv = 0;
1024 
1025                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1026                              smp->prnd);
1027 
1028                 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1029 
1030                 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1031                         auth = 1;
1032                 else
1033                         auth = 0;
1034 
1035                 /* Even though there's no _SLAVE suffix this is the
1036                  * slave STK we're adding for later lookup (the master
1037                  * STK never needs to be stored).
1038                  */
1039                 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1040                             SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1041         }
1042 
1043         return 0;
1044 }
1045 
1046 static void smp_notify_keys(struct l2cap_conn *conn)
1047 {
1048         struct l2cap_chan *chan = conn->smp;
1049         struct smp_chan *smp = chan->data;
1050         struct hci_conn *hcon = conn->hcon;
1051         struct hci_dev *hdev = hcon->hdev;
1052         struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1053         struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1054         bool persistent;
1055 
1056         if (hcon->type == ACL_LINK) {
1057                 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1058                         persistent = false;
1059                 else
1060                         persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1061                                                &hcon->flags);
1062         } else {
1063                 /* The LTKs, IRKs and CSRKs should be persistent only if
1064                  * both sides had the bonding bit set in their
1065                  * authentication requests.
1066                  */
1067                 persistent = !!((req->auth_req & rsp->auth_req) &
1068                                 SMP_AUTH_BONDING);
1069         }
1070 
1071         if (smp->remote_irk) {
1072                 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1073 
1074                 /* Now that user space can be considered to know the
1075                  * identity address track the connection based on it
1076                  * from now on (assuming this is an LE link).
1077                  */
1078                 if (hcon->type == LE_LINK) {
1079                         bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1080                         hcon->dst_type = smp->remote_irk->addr_type;
1081                         queue_work(hdev->workqueue, &conn->id_addr_update_work);
1082                 }
1083         }
1084 
1085         if (smp->csrk) {
1086                 smp->csrk->bdaddr_type = hcon->dst_type;
1087                 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1088                 mgmt_new_csrk(hdev, smp->csrk, persistent);
1089         }
1090 
1091         if (smp->slave_csrk) {
1092                 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1093                 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1094                 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1095         }
1096 
1097         if (smp->ltk) {
1098                 smp->ltk->bdaddr_type = hcon->dst_type;
1099                 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1100                 mgmt_new_ltk(hdev, smp->ltk, persistent);
1101         }
1102 
1103         if (smp->slave_ltk) {
1104                 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1105                 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1106                 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1107         }
1108 
1109         if (smp->link_key) {
1110                 struct link_key *key;
1111                 u8 type;
1112 
1113                 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1114                         type = HCI_LK_DEBUG_COMBINATION;
1115                 else if (hcon->sec_level == BT_SECURITY_FIPS)
1116                         type = HCI_LK_AUTH_COMBINATION_P256;
1117                 else
1118                         type = HCI_LK_UNAUTH_COMBINATION_P256;
1119 
1120                 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1121                                        smp->link_key, type, 0, &persistent);
1122                 if (key) {
1123                         mgmt_new_link_key(hdev, key, persistent);
1124 
1125                         /* Don't keep debug keys around if the relevant
1126                          * flag is not set.
1127                          */
1128                         if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1129                             key->type == HCI_LK_DEBUG_COMBINATION) {
1130                                 list_del_rcu(&key->list);
1131                                 kfree_rcu(key, rcu);
1132                         }
1133                 }
1134         }
1135 }
1136 
1137 static void sc_add_ltk(struct smp_chan *smp)
1138 {
1139         struct hci_conn *hcon = smp->conn->hcon;
1140         u8 key_type, auth;
1141 
1142         if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1143                 key_type = SMP_LTK_P256_DEBUG;
1144         else
1145                 key_type = SMP_LTK_P256;
1146 
1147         if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1148                 auth = 1;
1149         else
1150                 auth = 0;
1151 
1152         smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1153                                key_type, auth, smp->tk, smp->enc_key_size,
1154                                0, 0);
1155 }
1156 
1157 static void sc_generate_link_key(struct smp_chan *smp)
1158 {
1159         /* From core spec. Spells out in ASCII as 'lebr'. */
1160         const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1161 
1162         smp->link_key = kzalloc(16, GFP_KERNEL);
1163         if (!smp->link_key)
1164                 return;
1165 
1166         if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1167                 /* SALT = 0x00000000000000000000000000000000746D7031 */
1168                 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1169 
1170                 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1171                         kzfree(smp->link_key);
1172                         smp->link_key = NULL;
1173                         return;
1174                 }
1175         } else {
1176                 /* From core spec. Spells out in ASCII as 'tmp1'. */
1177                 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1178 
1179                 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1180                         kzfree(smp->link_key);
1181                         smp->link_key = NULL;
1182                         return;
1183                 }
1184         }
1185 
1186         if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1187                 kzfree(smp->link_key);
1188                 smp->link_key = NULL;
1189                 return;
1190         }
1191 }
1192 
1193 static void smp_allow_key_dist(struct smp_chan *smp)
1194 {
1195         /* Allow the first expected phase 3 PDU. The rest of the PDUs
1196          * will be allowed in each PDU handler to ensure we receive
1197          * them in the correct order.
1198          */
1199         if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1200                 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1201         else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1202                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1203         else if (smp->remote_key_dist & SMP_DIST_SIGN)
1204                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1205 }
1206 
1207 static void sc_generate_ltk(struct smp_chan *smp)
1208 {
1209         /* From core spec. Spells out in ASCII as 'brle'. */
1210         const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1211         struct hci_conn *hcon = smp->conn->hcon;
1212         struct hci_dev *hdev = hcon->hdev;
1213         struct link_key *key;
1214 
1215         key = hci_find_link_key(hdev, &hcon->dst);
1216         if (!key) {
1217                 bt_dev_err(hdev, "no Link Key found to generate LTK");
1218                 return;
1219         }
1220 
1221         if (key->type == HCI_LK_DEBUG_COMBINATION)
1222                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1223 
1224         if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1225                 /* SALT = 0x00000000000000000000000000000000746D7032 */
1226                 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1227 
1228                 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1229                         return;
1230         } else {
1231                 /* From core spec. Spells out in ASCII as 'tmp2'. */
1232                 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1233 
1234                 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1235                         return;
1236         }
1237 
1238         if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1239                 return;
1240 
1241         sc_add_ltk(smp);
1242 }
1243 
1244 static void smp_distribute_keys(struct smp_chan *smp)
1245 {
1246         struct smp_cmd_pairing *req, *rsp;
1247         struct l2cap_conn *conn = smp->conn;
1248         struct hci_conn *hcon = conn->hcon;
1249         struct hci_dev *hdev = hcon->hdev;
1250         __u8 *keydist;
1251 
1252         BT_DBG("conn %p", conn);
1253 
1254         rsp = (void *) &smp->prsp[1];
1255 
1256         /* The responder sends its keys first */
1257         if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1258                 smp_allow_key_dist(smp);
1259                 return;
1260         }
1261 
1262         req = (void *) &smp->preq[1];
1263 
1264         if (hcon->out) {
1265                 keydist = &rsp->init_key_dist;
1266                 *keydist &= req->init_key_dist;
1267         } else {
1268                 keydist = &rsp->resp_key_dist;
1269                 *keydist &= req->resp_key_dist;
1270         }
1271 
1272         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1273                 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1274                         sc_generate_link_key(smp);
1275                 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1276                         sc_generate_ltk(smp);
1277 
1278                 /* Clear the keys which are generated but not distributed */
1279                 *keydist &= ~SMP_SC_NO_DIST;
1280         }
1281 
1282         BT_DBG("keydist 0x%x", *keydist);
1283 
1284         if (*keydist & SMP_DIST_ENC_KEY) {
1285                 struct smp_cmd_encrypt_info enc;
1286                 struct smp_cmd_master_ident ident;
1287                 struct smp_ltk *ltk;
1288                 u8 authenticated;
1289                 __le16 ediv;
1290                 __le64 rand;
1291 
1292                 /* Make sure we generate only the significant amount of
1293                  * bytes based on the encryption key size, and set the rest
1294                  * of the value to zeroes.
1295                  */
1296                 get_random_bytes(enc.ltk, smp->enc_key_size);
1297                 memset(enc.ltk + smp->enc_key_size, 0,
1298                        sizeof(enc.ltk) - smp->enc_key_size);
1299 
1300                 get_random_bytes(&ediv, sizeof(ediv));
1301                 get_random_bytes(&rand, sizeof(rand));
1302 
1303                 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1304 
1305                 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1306                 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1307                                   SMP_LTK_SLAVE, authenticated, enc.ltk,
1308                                   smp->enc_key_size, ediv, rand);
1309                 smp->slave_ltk = ltk;
1310 
1311                 ident.ediv = ediv;
1312                 ident.rand = rand;
1313 
1314                 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1315 
1316                 *keydist &= ~SMP_DIST_ENC_KEY;
1317         }
1318 
1319         if (*keydist & SMP_DIST_ID_KEY) {
1320                 struct smp_cmd_ident_addr_info addrinfo;
1321                 struct smp_cmd_ident_info idinfo;
1322 
1323                 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1324 
1325                 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1326 
1327                 /* The hci_conn contains the local identity address
1328                  * after the connection has been established.
1329                  *
1330                  * This is true even when the connection has been
1331                  * established using a resolvable random address.
1332                  */
1333                 bacpy(&addrinfo.bdaddr, &hcon->src);
1334                 addrinfo.addr_type = hcon->src_type;
1335 
1336                 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1337                              &addrinfo);
1338 
1339                 *keydist &= ~SMP_DIST_ID_KEY;
1340         }
1341 
1342         if (*keydist & SMP_DIST_SIGN) {
1343                 struct smp_cmd_sign_info sign;
1344                 struct smp_csrk *csrk;
1345 
1346                 /* Generate a new random key */
1347                 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1348 
1349                 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1350                 if (csrk) {
1351                         if (hcon->sec_level > BT_SECURITY_MEDIUM)
1352                                 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1353                         else
1354                                 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1355                         memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1356                 }
1357                 smp->slave_csrk = csrk;
1358 
1359                 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1360 
1361                 *keydist &= ~SMP_DIST_SIGN;
1362         }
1363 
1364         /* If there are still keys to be received wait for them */
1365         if (smp->remote_key_dist & KEY_DIST_MASK) {
1366                 smp_allow_key_dist(smp);
1367                 return;
1368         }
1369 
1370         set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1371         smp_notify_keys(conn);
1372 
1373         smp_chan_destroy(conn);
1374 }
1375 
1376 static void smp_timeout(struct work_struct *work)
1377 {
1378         struct smp_chan *smp = container_of(work, struct smp_chan,
1379                                             security_timer.work);
1380         struct l2cap_conn *conn = smp->conn;
1381 
1382         BT_DBG("conn %p", conn);
1383 
1384         hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1385 }
1386 
1387 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1388 {
1389         struct l2cap_chan *chan = conn->smp;
1390         struct smp_chan *smp;
1391 
1392         smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1393         if (!smp)
1394                 return NULL;
1395 
1396         smp->tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
1397         if (IS_ERR(smp->tfm_aes)) {
1398                 BT_ERR("Unable to create AES crypto context");
1399                 goto zfree_smp;
1400         }
1401 
1402         smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1403         if (IS_ERR(smp->tfm_cmac)) {
1404                 BT_ERR("Unable to create CMAC crypto context");
1405                 goto free_cipher;
1406         }
1407 
1408         smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1409         if (IS_ERR(smp->tfm_ecdh)) {
1410                 BT_ERR("Unable to create ECDH crypto context");
1411                 goto free_shash;
1412         }
1413 
1414         smp->conn = conn;
1415         chan->data = smp;
1416 
1417         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1418 
1419         INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1420 
1421         hci_conn_hold(conn->hcon);
1422 
1423         return smp;
1424 
1425 free_shash:
1426         crypto_free_shash(smp->tfm_cmac);
1427 free_cipher:
1428         crypto_free_cipher(smp->tfm_aes);
1429 zfree_smp:
1430         kzfree(smp);
1431         return NULL;
1432 }
1433 
1434 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1435 {
1436         struct hci_conn *hcon = smp->conn->hcon;
1437         u8 *na, *nb, a[7], b[7];
1438 
1439         if (hcon->out) {
1440                 na   = smp->prnd;
1441                 nb   = smp->rrnd;
1442         } else {
1443                 na   = smp->rrnd;
1444                 nb   = smp->prnd;
1445         }
1446 
1447         memcpy(a, &hcon->init_addr, 6);
1448         memcpy(b, &hcon->resp_addr, 6);
1449         a[6] = hcon->init_addr_type;
1450         b[6] = hcon->resp_addr_type;
1451 
1452         return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1453 }
1454 
1455 static void sc_dhkey_check(struct smp_chan *smp)
1456 {
1457         struct hci_conn *hcon = smp->conn->hcon;
1458         struct smp_cmd_dhkey_check check;
1459         u8 a[7], b[7], *local_addr, *remote_addr;
1460         u8 io_cap[3], r[16];
1461 
1462         memcpy(a, &hcon->init_addr, 6);
1463         memcpy(b, &hcon->resp_addr, 6);
1464         a[6] = hcon->init_addr_type;
1465         b[6] = hcon->resp_addr_type;
1466 
1467         if (hcon->out) {
1468                 local_addr = a;
1469                 remote_addr = b;
1470                 memcpy(io_cap, &smp->preq[1], 3);
1471         } else {
1472                 local_addr = b;
1473                 remote_addr = a;
1474                 memcpy(io_cap, &smp->prsp[1], 3);
1475         }
1476 
1477         memset(r, 0, sizeof(r));
1478 
1479         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1480                 put_unaligned_le32(hcon->passkey_notify, r);
1481 
1482         if (smp->method == REQ_OOB)
1483                 memcpy(r, smp->rr, 16);
1484 
1485         smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1486                local_addr, remote_addr, check.e);
1487 
1488         smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1489 }
1490 
1491 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1492 {
1493         struct l2cap_conn *conn = smp->conn;
1494         struct hci_conn *hcon = conn->hcon;
1495         struct smp_cmd_pairing_confirm cfm;
1496         u8 r;
1497 
1498         r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1499         r |= 0x80;
1500 
1501         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1502 
1503         if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1504                    cfm.confirm_val))
1505                 return SMP_UNSPECIFIED;
1506 
1507         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1508 
1509         return 0;
1510 }
1511 
1512 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1513 {
1514         struct l2cap_conn *conn = smp->conn;
1515         struct hci_conn *hcon = conn->hcon;
1516         struct hci_dev *hdev = hcon->hdev;
1517         u8 cfm[16], r;
1518 
1519         /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1520         if (smp->passkey_round >= 20)
1521                 return 0;
1522 
1523         switch (smp_op) {
1524         case SMP_CMD_PAIRING_RANDOM:
1525                 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1526                 r |= 0x80;
1527 
1528                 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1529                            smp->rrnd, r, cfm))
1530                         return SMP_UNSPECIFIED;
1531 
1532                 if (crypto_memneq(smp->pcnf, cfm, 16))
1533                         return SMP_CONFIRM_FAILED;
1534 
1535                 smp->passkey_round++;
1536 
1537                 if (smp->passkey_round == 20) {
1538                         /* Generate MacKey and LTK */
1539                         if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1540                                 return SMP_UNSPECIFIED;
1541                 }
1542 
1543                 /* The round is only complete when the initiator
1544                  * receives pairing random.
1545                  */
1546                 if (!hcon->out) {
1547                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1548                                      sizeof(smp->prnd), smp->prnd);
1549                         if (smp->passkey_round == 20)
1550                                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1551                         else
1552                                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1553                         return 0;
1554                 }
1555 
1556                 /* Start the next round */
1557                 if (smp->passkey_round != 20)
1558                         return sc_passkey_round(smp, 0);
1559 
1560                 /* Passkey rounds are complete - start DHKey Check */
1561                 sc_dhkey_check(smp);
1562                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1563 
1564                 break;
1565 
1566         case SMP_CMD_PAIRING_CONFIRM:
1567                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1568                         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1569                         return 0;
1570                 }
1571 
1572                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1573 
1574                 if (hcon->out) {
1575                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1576                                      sizeof(smp->prnd), smp->prnd);
1577                         return 0;
1578                 }
1579 
1580                 return sc_passkey_send_confirm(smp);
1581 
1582         case SMP_CMD_PUBLIC_KEY:
1583         default:
1584                 /* Initiating device starts the round */
1585                 if (!hcon->out)
1586                         return 0;
1587 
1588                 BT_DBG("%s Starting passkey round %u", hdev->name,
1589                        smp->passkey_round + 1);
1590 
1591                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1592 
1593                 return sc_passkey_send_confirm(smp);
1594         }
1595 
1596         return 0;
1597 }
1598 
1599 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1600 {
1601         struct l2cap_conn *conn = smp->conn;
1602         struct hci_conn *hcon = conn->hcon;
1603         u8 smp_op;
1604 
1605         clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1606 
1607         switch (mgmt_op) {
1608         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1609                 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1610                 return 0;
1611         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1612                 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1613                 return 0;
1614         case MGMT_OP_USER_PASSKEY_REPLY:
1615                 hcon->passkey_notify = le32_to_cpu(passkey);
1616                 smp->passkey_round = 0;
1617 
1618                 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1619                         smp_op = SMP_CMD_PAIRING_CONFIRM;
1620                 else
1621                         smp_op = 0;
1622 
1623                 if (sc_passkey_round(smp, smp_op))
1624                         return -EIO;
1625 
1626                 return 0;
1627         }
1628 
1629         /* Initiator sends DHKey check first */
1630         if (hcon->out) {
1631                 sc_dhkey_check(smp);
1632                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1633         } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1634                 sc_dhkey_check(smp);
1635                 sc_add_ltk(smp);
1636         }
1637 
1638         return 0;
1639 }
1640 
1641 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1642 {
1643         struct l2cap_conn *conn = hcon->l2cap_data;
1644         struct l2cap_chan *chan;
1645         struct smp_chan *smp;
1646         u32 value;
1647         int err;
1648 
1649         BT_DBG("");
1650 
1651         if (!conn)
1652                 return -ENOTCONN;
1653 
1654         chan = conn->smp;
1655         if (!chan)
1656                 return -ENOTCONN;
1657 
1658         l2cap_chan_lock(chan);
1659         if (!chan->data) {
1660                 err = -ENOTCONN;
1661                 goto unlock;
1662         }
1663 
1664         smp = chan->data;
1665 
1666         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1667                 err = sc_user_reply(smp, mgmt_op, passkey);
1668                 goto unlock;
1669         }
1670 
1671         switch (mgmt_op) {
1672         case MGMT_OP_USER_PASSKEY_REPLY:
1673                 value = le32_to_cpu(passkey);
1674                 memset(smp->tk, 0, sizeof(smp->tk));
1675                 BT_DBG("PassKey: %d", value);
1676                 put_unaligned_le32(value, smp->tk);
1677                 /* Fall Through */
1678         case MGMT_OP_USER_CONFIRM_REPLY:
1679                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1680                 break;
1681         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1682         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1683                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1684                 err = 0;
1685                 goto unlock;
1686         default:
1687                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1688                 err = -EOPNOTSUPP;
1689                 goto unlock;
1690         }
1691 
1692         err = 0;
1693 
1694         /* If it is our turn to send Pairing Confirm, do so now */
1695         if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1696                 u8 rsp = smp_confirm(smp);
1697                 if (rsp)
1698                         smp_failure(conn, rsp);
1699         }
1700 
1701 unlock:
1702         l2cap_chan_unlock(chan);
1703         return err;
1704 }
1705 
1706 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1707                                     struct smp_cmd_pairing *req,
1708                                     struct smp_cmd_pairing *rsp)
1709 {
1710         struct l2cap_conn *conn = smp->conn;
1711         struct hci_dev *hdev = conn->hcon->hdev;
1712         u8 local_dist = 0, remote_dist = 0;
1713 
1714         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1715                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1716                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1717         }
1718 
1719         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1720                 remote_dist |= SMP_DIST_ID_KEY;
1721 
1722         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1723                 local_dist |= SMP_DIST_ID_KEY;
1724 
1725         if (!rsp) {
1726                 memset(req, 0, sizeof(*req));
1727 
1728                 req->auth_req        = SMP_AUTH_CT2;
1729                 req->init_key_dist   = local_dist;
1730                 req->resp_key_dist   = remote_dist;
1731                 req->max_key_size    = conn->hcon->enc_key_size;
1732 
1733                 smp->remote_key_dist = remote_dist;
1734 
1735                 return;
1736         }
1737 
1738         memset(rsp, 0, sizeof(*rsp));
1739 
1740         rsp->auth_req        = SMP_AUTH_CT2;
1741         rsp->max_key_size    = conn->hcon->enc_key_size;
1742         rsp->init_key_dist   = req->init_key_dist & remote_dist;
1743         rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1744 
1745         smp->remote_key_dist = rsp->init_key_dist;
1746 }
1747 
1748 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1749 {
1750         struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1751         struct l2cap_chan *chan = conn->smp;
1752         struct hci_dev *hdev = conn->hcon->hdev;
1753         struct smp_chan *smp;
1754         u8 key_size, auth, sec_level;
1755         int ret;
1756 
1757         BT_DBG("conn %p", conn);
1758 
1759         if (skb->len < sizeof(*req))
1760                 return SMP_INVALID_PARAMS;
1761 
1762         if (conn->hcon->role != HCI_ROLE_SLAVE)
1763                 return SMP_CMD_NOTSUPP;
1764 
1765         if (!chan->data)
1766                 smp = smp_chan_create(conn);
1767         else
1768                 smp = chan->data;
1769 
1770         if (!smp)
1771                 return SMP_UNSPECIFIED;
1772 
1773         /* We didn't start the pairing, so match remote */
1774         auth = req->auth_req & AUTH_REQ_MASK(hdev);
1775 
1776         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1777             (auth & SMP_AUTH_BONDING))
1778                 return SMP_PAIRING_NOTSUPP;
1779 
1780         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1781                 return SMP_AUTH_REQUIREMENTS;
1782 
1783         smp->preq[0] = SMP_CMD_PAIRING_REQ;
1784         memcpy(&smp->preq[1], req, sizeof(*req));
1785         skb_pull(skb, sizeof(*req));
1786 
1787         /* If the remote side's OOB flag is set it means it has
1788          * successfully received our local OOB data - therefore set the
1789          * flag to indicate that local OOB is in use.
1790          */
1791         if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1792                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1793 
1794         /* SMP over BR/EDR requires special treatment */
1795         if (conn->hcon->type == ACL_LINK) {
1796                 /* We must have a BR/EDR SC link */
1797                 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1798                     !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1799                         return SMP_CROSS_TRANSP_NOT_ALLOWED;
1800 
1801                 set_bit(SMP_FLAG_SC, &smp->flags);
1802 
1803                 build_bredr_pairing_cmd(smp, req, &rsp);
1804 
1805                 if (req->auth_req & SMP_AUTH_CT2)
1806                         set_bit(SMP_FLAG_CT2, &smp->flags);
1807 
1808                 key_size = min(req->max_key_size, rsp.max_key_size);
1809                 if (check_enc_key_size(conn, key_size))
1810                         return SMP_ENC_KEY_SIZE;
1811 
1812                 /* Clear bits which are generated but not distributed */
1813                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1814 
1815                 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1816                 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1817                 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1818 
1819                 smp_distribute_keys(smp);
1820                 return 0;
1821         }
1822 
1823         build_pairing_cmd(conn, req, &rsp, auth);
1824 
1825         if (rsp.auth_req & SMP_AUTH_SC) {
1826                 set_bit(SMP_FLAG_SC, &smp->flags);
1827 
1828                 if (rsp.auth_req & SMP_AUTH_CT2)
1829                         set_bit(SMP_FLAG_CT2, &smp->flags);
1830         }
1831 
1832         if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1833                 sec_level = BT_SECURITY_MEDIUM;
1834         else
1835                 sec_level = authreq_to_seclevel(auth);
1836 
1837         if (sec_level > conn->hcon->pending_sec_level)
1838                 conn->hcon->pending_sec_level = sec_level;
1839 
1840         /* If we need MITM check that it can be achieved */
1841         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1842                 u8 method;
1843 
1844                 method = get_auth_method(smp, conn->hcon->io_capability,
1845                                          req->io_capability);
1846                 if (method == JUST_WORKS || method == JUST_CFM)
1847                         return SMP_AUTH_REQUIREMENTS;
1848         }
1849 
1850         key_size = min(req->max_key_size, rsp.max_key_size);
1851         if (check_enc_key_size(conn, key_size))
1852                 return SMP_ENC_KEY_SIZE;
1853 
1854         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1855 
1856         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1857         memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1858 
1859         smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1860 
1861         clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1862 
1863         /* Strictly speaking we shouldn't allow Pairing Confirm for the
1864          * SC case, however some implementations incorrectly copy RFU auth
1865          * req bits from our security request, which may create a false
1866          * positive SC enablement.
1867          */
1868         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1869 
1870         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1871                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1872                 /* Clear bits which are generated but not distributed */
1873                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1874                 /* Wait for Public Key from Initiating Device */
1875                 return 0;
1876         }
1877 
1878         /* Request setup of TK */
1879         ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1880         if (ret)
1881                 return SMP_UNSPECIFIED;
1882 
1883         return 0;
1884 }
1885 
1886 static u8 sc_send_public_key(struct smp_chan *smp)
1887 {
1888         struct hci_dev *hdev = smp->conn->hcon->hdev;
1889 
1890         BT_DBG("");
1891 
1892         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1893                 struct l2cap_chan *chan = hdev->smp_data;
1894                 struct smp_dev *smp_dev;
1895 
1896                 if (!chan || !chan->data)
1897                         return SMP_UNSPECIFIED;
1898 
1899                 smp_dev = chan->data;
1900 
1901                 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1902                 memcpy(smp->lr, smp_dev->local_rand, 16);
1903 
1904                 if (smp_dev->debug_key)
1905                         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1906 
1907                 goto done;
1908         }
1909 
1910         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1911                 BT_DBG("Using debug keys");
1912                 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1913                         return SMP_UNSPECIFIED;
1914                 memcpy(smp->local_pk, debug_pk, 64);
1915                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1916         } else {
1917                 while (true) {
1918                         /* Generate key pair for Secure Connections */
1919                         if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1920                                 return SMP_UNSPECIFIED;
1921 
1922                         /* This is unlikely, but we need to check that
1923                          * we didn't accidentially generate a debug key.
1924                          */
1925                         if (crypto_memneq(smp->local_pk, debug_pk, 64))
1926                                 break;
1927                 }
1928         }
1929 
1930 done:
1931         SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1932         SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1933 
1934         smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1935 
1936         return 0;
1937 }
1938 
1939 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1940 {
1941         struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1942         struct l2cap_chan *chan = conn->smp;
1943         struct smp_chan *smp = chan->data;
1944         struct hci_dev *hdev = conn->hcon->hdev;
1945         u8 key_size, auth;
1946         int ret;
1947 
1948         BT_DBG("conn %p", conn);
1949 
1950         if (skb->len < sizeof(*rsp))
1951                 return SMP_INVALID_PARAMS;
1952 
1953         if (conn->hcon->role != HCI_ROLE_MASTER)
1954                 return SMP_CMD_NOTSUPP;
1955 
1956         skb_pull(skb, sizeof(*rsp));
1957 
1958         req = (void *) &smp->preq[1];
1959 
1960         key_size = min(req->max_key_size, rsp->max_key_size);
1961         if (check_enc_key_size(conn, key_size))
1962                 return SMP_ENC_KEY_SIZE;
1963 
1964         auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1965 
1966         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1967                 return SMP_AUTH_REQUIREMENTS;
1968 
1969         /* If the remote side's OOB flag is set it means it has
1970          * successfully received our local OOB data - therefore set the
1971          * flag to indicate that local OOB is in use.
1972          */
1973         if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1974                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1975 
1976         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1977         memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1978 
1979         /* Update remote key distribution in case the remote cleared
1980          * some bits that we had enabled in our request.
1981          */
1982         smp->remote_key_dist &= rsp->resp_key_dist;
1983 
1984         if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1985                 set_bit(SMP_FLAG_CT2, &smp->flags);
1986 
1987         /* For BR/EDR this means we're done and can start phase 3 */
1988         if (conn->hcon->type == ACL_LINK) {
1989                 /* Clear bits which are generated but not distributed */
1990                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1991                 smp_distribute_keys(smp);
1992                 return 0;
1993         }
1994 
1995         if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1996                 set_bit(SMP_FLAG_SC, &smp->flags);
1997         else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1998                 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1999 
2000         /* If we need MITM check that it can be achieved */
2001         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
2002                 u8 method;
2003 
2004                 method = get_auth_method(smp, req->io_capability,
2005                                          rsp->io_capability);
2006                 if (method == JUST_WORKS || method == JUST_CFM)
2007                         return SMP_AUTH_REQUIREMENTS;
2008         }
2009 
2010         get_random_bytes(smp->prnd, sizeof(smp->prnd));
2011 
2012         /* Update remote key distribution in case the remote cleared
2013          * some bits that we had enabled in our request.
2014          */
2015         smp->remote_key_dist &= rsp->resp_key_dist;
2016 
2017         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2018                 /* Clear bits which are generated but not distributed */
2019                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2020                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2021                 return sc_send_public_key(smp);
2022         }
2023 
2024         auth |= req->auth_req;
2025 
2026         ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2027         if (ret)
2028                 return SMP_UNSPECIFIED;
2029 
2030         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2031 
2032         /* Can't compose response until we have been confirmed */
2033         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2034                 return smp_confirm(smp);
2035 
2036         return 0;
2037 }
2038 
2039 static u8 sc_check_confirm(struct smp_chan *smp)
2040 {
2041         struct l2cap_conn *conn = smp->conn;
2042 
2043         BT_DBG("");
2044 
2045         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2046                 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2047 
2048         if (conn->hcon->out) {
2049                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2050                              smp->prnd);
2051                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2052         }
2053 
2054         return 0;
2055 }
2056 
2057 /* Work-around for some implementations that incorrectly copy RFU bits
2058  * from our security request and thereby create the impression that
2059  * we're doing SC when in fact the remote doesn't support it.
2060  */
2061 static int fixup_sc_false_positive(struct smp_chan *smp)
2062 {
2063         struct l2cap_conn *conn = smp->conn;
2064         struct hci_conn *hcon = conn->hcon;
2065         struct hci_dev *hdev = hcon->hdev;
2066         struct smp_cmd_pairing *req, *rsp;
2067         u8 auth;
2068 
2069         /* The issue is only observed when we're in slave role */
2070         if (hcon->out)
2071                 return SMP_UNSPECIFIED;
2072 
2073         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2074                 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2075                 return SMP_UNSPECIFIED;
2076         }
2077 
2078         bt_dev_err(hdev, "trying to fall back to legacy SMP");
2079 
2080         req = (void *) &smp->preq[1];
2081         rsp = (void *) &smp->prsp[1];
2082 
2083         /* Rebuild key dist flags which may have been cleared for SC */
2084         smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2085 
2086         auth = req->auth_req & AUTH_REQ_MASK(hdev);
2087 
2088         if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2089                 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2090                 return SMP_UNSPECIFIED;
2091         }
2092 
2093         clear_bit(SMP_FLAG_SC, &smp->flags);
2094 
2095         return 0;
2096 }
2097 
2098 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2099 {
2100         struct l2cap_chan *chan = conn->smp;
2101         struct smp_chan *smp = chan->data;
2102 
2103         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2104 
2105         if (skb->len < sizeof(smp->pcnf))
2106                 return SMP_INVALID_PARAMS;
2107 
2108         memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2109         skb_pull(skb, sizeof(smp->pcnf));
2110 
2111         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2112                 int ret;
2113 
2114                 /* Public Key exchange must happen before any other steps */
2115                 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2116                         return sc_check_confirm(smp);
2117 
2118                 BT_ERR("Unexpected SMP Pairing Confirm");
2119 
2120                 ret = fixup_sc_false_positive(smp);
2121                 if (ret)
2122                         return ret;
2123         }
2124 
2125         if (conn->hcon->out) {
2126                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2127                              smp->prnd);
2128                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2129                 return 0;
2130         }
2131 
2132         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2133                 return smp_confirm(smp);
2134 
2135         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2136 
2137         return 0;
2138 }
2139 
2140 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2141 {
2142         struct l2cap_chan *chan = conn->smp;
2143         struct smp_chan *smp = chan->data;
2144         struct hci_conn *hcon = conn->hcon;
2145         u8 *pkax, *pkbx, *na, *nb;
2146         u32 passkey;
2147         int err;
2148 
2149         BT_DBG("conn %p", conn);
2150 
2151         if (skb->len < sizeof(smp->rrnd))
2152                 return SMP_INVALID_PARAMS;
2153 
2154         memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2155         skb_pull(skb, sizeof(smp->rrnd));
2156 
2157         if (!test_bit(SMP_FLAG_SC, &smp->flags))
2158                 return smp_random(smp);
2159 
2160         if (hcon->out) {
2161                 pkax = smp->local_pk;
2162                 pkbx = smp->remote_pk;
2163                 na   = smp->prnd;
2164                 nb   = smp->rrnd;
2165         } else {
2166                 pkax = smp->remote_pk;
2167                 pkbx = smp->local_pk;
2168                 na   = smp->rrnd;
2169                 nb   = smp->prnd;
2170         }
2171 
2172         if (smp->method == REQ_OOB) {
2173                 if (!hcon->out)
2174                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2175                                      sizeof(smp->prnd), smp->prnd);
2176                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177                 goto mackey_and_ltk;
2178         }
2179 
2180         /* Passkey entry has special treatment */
2181         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2182                 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2183 
2184         if (hcon->out) {
2185                 u8 cfm[16];
2186 
2187                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2188                              smp->rrnd, 0, cfm);
2189                 if (err)
2190                         return SMP_UNSPECIFIED;
2191 
2192                 if (crypto_memneq(smp->pcnf, cfm, 16))
2193                         return SMP_CONFIRM_FAILED;
2194         } else {
2195                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2196                              smp->prnd);
2197                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2198         }
2199 
2200 mackey_and_ltk:
2201         /* Generate MacKey and LTK */
2202         err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2203         if (err)
2204                 return SMP_UNSPECIFIED;
2205 
2206         if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2207                 if (hcon->out) {
2208                         sc_dhkey_check(smp);
2209                         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2210                 }
2211                 return 0;
2212         }
2213 
2214         err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2215         if (err)
2216                 return SMP_UNSPECIFIED;
2217 
2218         err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2219                                         hcon->dst_type, passkey, 0);
2220         if (err)
2221                 return SMP_UNSPECIFIED;
2222 
2223         set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2224 
2225         return 0;
2226 }
2227 
2228 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2229 {
2230         struct smp_ltk *key;
2231         struct hci_conn *hcon = conn->hcon;
2232 
2233         key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2234         if (!key)
2235                 return false;
2236 
2237         if (smp_ltk_sec_level(key) < sec_level)
2238                 return false;
2239 
2240         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2241                 return true;
2242 
2243         hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2244         hcon->enc_key_size = key->enc_size;
2245 
2246         /* We never store STKs for master role, so clear this flag */
2247         clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2248 
2249         return true;
2250 }
2251 
2252 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2253                              enum smp_key_pref key_pref)
2254 {
2255         if (sec_level == BT_SECURITY_LOW)
2256                 return true;
2257 
2258         /* If we're encrypted with an STK but the caller prefers using
2259          * LTK claim insufficient security. This way we allow the
2260          * connection to be re-encrypted with an LTK, even if the LTK
2261          * provides the same level of security. Only exception is if we
2262          * don't have an LTK (e.g. because of key distribution bits).
2263          */
2264         if (key_pref == SMP_USE_LTK &&
2265             test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2266             hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2267                 return false;
2268 
2269         if (hcon->sec_level >= sec_level)
2270                 return true;
2271 
2272         return false;
2273 }
2274 
2275 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2276 {
2277         struct smp_cmd_security_req *rp = (void *) skb->data;
2278         struct smp_cmd_pairing cp;
2279         struct hci_conn *hcon = conn->hcon;
2280         struct hci_dev *hdev = hcon->hdev;
2281         struct smp_chan *smp;
2282         u8 sec_level, auth;
2283 
2284         BT_DBG("conn %p", conn);
2285 
2286         if (skb->len < sizeof(*rp))
2287                 return SMP_INVALID_PARAMS;
2288 
2289         if (hcon->role != HCI_ROLE_MASTER)
2290                 return SMP_CMD_NOTSUPP;
2291 
2292         auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2293 
2294         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2295                 return SMP_AUTH_REQUIREMENTS;
2296 
2297         if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2298                 sec_level = BT_SECURITY_MEDIUM;
2299         else
2300                 sec_level = authreq_to_seclevel(auth);
2301 
2302         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2303                 /* If link is already encrypted with sufficient security we
2304                  * still need refresh encryption as per Core Spec 5.0 Vol 3,
2305                  * Part H 2.4.6
2306                  */
2307                 smp_ltk_encrypt(conn, hcon->sec_level);
2308                 return 0;
2309         }
2310 
2311         if (sec_level > hcon->pending_sec_level)
2312                 hcon->pending_sec_level = sec_level;
2313 
2314         if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2315                 return 0;
2316 
2317         smp = smp_chan_create(conn);
2318         if (!smp)
2319                 return SMP_UNSPECIFIED;
2320 
2321         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2322             (auth & SMP_AUTH_BONDING))
2323                 return SMP_PAIRING_NOTSUPP;
2324 
2325         skb_pull(skb, sizeof(*rp));
2326 
2327         memset(&cp, 0, sizeof(cp));
2328         build_pairing_cmd(conn, &cp, NULL, auth);
2329 
2330         smp->preq[0] = SMP_CMD_PAIRING_REQ;
2331         memcpy(&smp->preq[1], &cp, sizeof(cp));
2332 
2333         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2334         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2335 
2336         return 0;
2337 }
2338 
2339 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2340 {
2341         struct l2cap_conn *conn = hcon->l2cap_data;
2342         struct l2cap_chan *chan;
2343         struct smp_chan *smp;
2344         __u8 authreq;
2345         int ret;
2346 
2347         BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2348 
2349         /* This may be NULL if there's an unexpected disconnection */
2350         if (!conn)
2351                 return 1;
2352 
2353         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2354                 return 1;
2355 
2356         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2357                 return 1;
2358 
2359         if (sec_level > hcon->pending_sec_level)
2360                 hcon->pending_sec_level = sec_level;
2361 
2362         if (hcon->role == HCI_ROLE_MASTER)
2363                 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2364                         return 0;
2365 
2366         chan = conn->smp;
2367         if (!chan) {
2368                 bt_dev_err(hcon->hdev, "security requested but not available");
2369                 return 1;
2370         }
2371 
2372         l2cap_chan_lock(chan);
2373 
2374         /* If SMP is already in progress ignore this request */
2375         if (chan->data) {
2376                 ret = 0;
2377                 goto unlock;
2378         }
2379 
2380         smp = smp_chan_create(conn);
2381         if (!smp) {
2382                 ret = 1;
2383                 goto unlock;
2384         }
2385 
2386         authreq = seclevel_to_authreq(sec_level);
2387 
2388         if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2389                 authreq |= SMP_AUTH_SC;
2390                 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2391                         authreq |= SMP_AUTH_CT2;
2392         }
2393 
2394         /* Require MITM if IO Capability allows or the security level
2395          * requires it.
2396          */
2397         if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2398             hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2399                 authreq |= SMP_AUTH_MITM;
2400 
2401         if (hcon->role == HCI_ROLE_MASTER) {
2402                 struct smp_cmd_pairing cp;
2403 
2404                 build_pairing_cmd(conn, &cp, NULL, authreq);
2405                 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2406                 memcpy(&smp->preq[1], &cp, sizeof(cp));
2407 
2408                 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2409                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2410         } else {
2411                 struct smp_cmd_security_req cp;
2412                 cp.auth_req = authreq;
2413                 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2414                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2415         }
2416 
2417         set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2418         ret = 0;
2419 
2420 unlock:
2421         l2cap_chan_unlock(chan);
2422         return ret;
2423 }
2424 
2425 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2426                                   u8 addr_type)
2427 {
2428         struct hci_conn *hcon;
2429         struct l2cap_conn *conn;
2430         struct l2cap_chan *chan;
2431         struct smp_chan *smp;
2432         int err;
2433 
2434         err = hci_remove_ltk(hdev, bdaddr, addr_type);
2435         hci_remove_irk(hdev, bdaddr, addr_type);
2436 
2437         hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2438         if (!hcon)
2439                 goto done;
2440 
2441         conn = hcon->l2cap_data;
2442         if (!conn)
2443                 goto done;
2444 
2445         chan = conn->smp;
2446         if (!chan)
2447                 goto done;
2448 
2449         l2cap_chan_lock(chan);
2450 
2451         smp = chan->data;
2452         if (smp) {
2453                 /* Set keys to NULL to make sure smp_failure() does not try to
2454                  * remove and free already invalidated rcu list entries. */
2455                 smp->ltk = NULL;
2456                 smp->slave_ltk = NULL;
2457                 smp->remote_irk = NULL;
2458 
2459                 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2460                         smp_failure(conn, 0);
2461                 else
2462                         smp_failure(conn, SMP_UNSPECIFIED);
2463                 err = 0;
2464         }
2465 
2466         l2cap_chan_unlock(chan);
2467 
2468 done:
2469         return err;
2470 }
2471 
2472 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2473 {
2474         struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2475         struct l2cap_chan *chan = conn->smp;
2476         struct smp_chan *smp = chan->data;
2477 
2478         BT_DBG("conn %p", conn);
2479 
2480         if (skb->len < sizeof(*rp))
2481                 return SMP_INVALID_PARAMS;
2482 
2483         SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2484 
2485         skb_pull(skb, sizeof(*rp));
2486 
2487         memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2488 
2489         return 0;
2490 }
2491 
2492 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2493 {
2494         struct smp_cmd_master_ident *rp = (void *) skb->data;
2495         struct l2cap_chan *chan = conn->smp;
2496         struct smp_chan *smp = chan->data;
2497         struct hci_dev *hdev = conn->hcon->hdev;
2498         struct hci_conn *hcon = conn->hcon;
2499         struct smp_ltk *ltk;
2500         u8 authenticated;
2501 
2502         BT_DBG("conn %p", conn);
2503 
2504         if (skb->len < sizeof(*rp))
2505                 return SMP_INVALID_PARAMS;
2506 
2507         /* Mark the information as received */
2508         smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2509 
2510         if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2511                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2512         else if (smp->remote_key_dist & SMP_DIST_SIGN)
2513                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2514 
2515         skb_pull(skb, sizeof(*rp));
2516 
2517         authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2518         ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2519                           authenticated, smp->tk, smp->enc_key_size,
2520                           rp->ediv, rp->rand);
2521         smp->ltk = ltk;
2522         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2523                 smp_distribute_keys(smp);
2524 
2525         return 0;
2526 }
2527 
2528 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2529 {
2530         struct smp_cmd_ident_info *info = (void *) skb->data;
2531         struct l2cap_chan *chan = conn->smp;
2532         struct smp_chan *smp = chan->data;
2533 
2534         BT_DBG("");
2535 
2536         if (skb->len < sizeof(*info))
2537                 return SMP_INVALID_PARAMS;
2538 
2539         SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2540 
2541         skb_pull(skb, sizeof(*info));
2542 
2543         memcpy(smp->irk, info->irk, 16);
2544 
2545         return 0;
2546 }
2547 
2548 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2549                                    struct sk_buff *skb)
2550 {
2551         struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2552         struct l2cap_chan *chan = conn->smp;
2553         struct smp_chan *smp = chan->data;
2554         struct hci_conn *hcon = conn->hcon;
2555         bdaddr_t rpa;
2556 
2557         BT_DBG("");
2558 
2559         if (skb->len < sizeof(*info))
2560                 return SMP_INVALID_PARAMS;
2561 
2562         /* Mark the information as received */
2563         smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2564 
2565         if (smp->remote_key_dist & SMP_DIST_SIGN)
2566                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2567 
2568         skb_pull(skb, sizeof(*info));
2569 
2570         /* Strictly speaking the Core Specification (4.1) allows sending
2571          * an empty address which would force us to rely on just the IRK
2572          * as "identity information". However, since such
2573          * implementations are not known of and in order to not over
2574          * complicate our implementation, simply pretend that we never
2575          * received an IRK for such a device.
2576          *
2577          * The Identity Address must also be a Static Random or Public
2578          * Address, which hci_is_identity_address() checks for.
2579          */
2580         if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2581             !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2582                 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2583                 goto distribute;
2584         }
2585 
2586         bacpy(&smp->id_addr, &info->bdaddr);
2587         smp->id_addr_type = info->addr_type;
2588 
2589         if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2590                 bacpy(&rpa, &hcon->dst);
2591         else
2592                 bacpy(&rpa, BDADDR_ANY);
2593 
2594         smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2595                                       smp->id_addr_type, smp->irk, &rpa);
2596 
2597 distribute:
2598         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2599                 smp_distribute_keys(smp);
2600 
2601         return 0;
2602 }
2603 
2604 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2605 {
2606         struct smp_cmd_sign_info *rp = (void *) skb->data;
2607         struct l2cap_chan *chan = conn->smp;
2608         struct smp_chan *smp = chan->data;
2609         struct smp_csrk *csrk;
2610 
2611         BT_DBG("conn %p", conn);
2612 
2613         if (skb->len < sizeof(*rp))
2614                 return SMP_INVALID_PARAMS;
2615 
2616         /* Mark the information as received */
2617         smp->remote_key_dist &= ~SMP_DIST_SIGN;
2618 
2619         skb_pull(skb, sizeof(*rp));
2620 
2621         csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2622         if (csrk) {
2623                 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2624                         csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2625                 else
2626                         csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2627                 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2628         }
2629         smp->csrk = csrk;
2630         smp_distribute_keys(smp);
2631 
2632         return 0;
2633 }
2634 
2635 static u8 sc_select_method(struct smp_chan *smp)
2636 {
2637         struct l2cap_conn *conn = smp->conn;
2638         struct hci_conn *hcon = conn->hcon;
2639         struct smp_cmd_pairing *local, *remote;
2640         u8 local_mitm, remote_mitm, local_io, remote_io, method;
2641 
2642         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2643             test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2644                 return REQ_OOB;
2645 
2646         /* The preq/prsp contain the raw Pairing Request/Response PDUs
2647          * which are needed as inputs to some crypto functions. To get
2648          * the "struct smp_cmd_pairing" from them we need to skip the
2649          * first byte which contains the opcode.
2650          */
2651         if (hcon->out) {
2652                 local = (void *) &smp->preq[1];
2653                 remote = (void *) &smp->prsp[1];
2654         } else {
2655                 local = (void *) &smp->prsp[1];
2656                 remote = (void *) &smp->preq[1];
2657         }
2658 
2659         local_io = local->io_capability;
2660         remote_io = remote->io_capability;
2661 
2662         local_mitm = (local->auth_req & SMP_AUTH_MITM);
2663         remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2664 
2665         /* If either side wants MITM, look up the method from the table,
2666          * otherwise use JUST WORKS.
2667          */
2668         if (local_mitm || remote_mitm)
2669                 method = get_auth_method(smp, local_io, remote_io);
2670         else
2671                 method = JUST_WORKS;
2672 
2673         /* Don't confirm locally initiated pairing attempts */
2674         if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2675                 method = JUST_WORKS;
2676 
2677         return method;
2678 }
2679 
2680 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2681 {
2682         struct smp_cmd_public_key *key = (void *) skb->data;
2683         struct hci_conn *hcon = conn->hcon;
2684         struct l2cap_chan *chan = conn->smp;
2685         struct smp_chan *smp = chan->data;
2686         struct hci_dev *hdev = hcon->hdev;
2687         struct crypto_kpp *tfm_ecdh;
2688         struct smp_cmd_pairing_confirm cfm;
2689         int err;
2690 
2691         BT_DBG("conn %p", conn);
2692 
2693         if (skb->len < sizeof(*key))
2694                 return SMP_INVALID_PARAMS;
2695 
2696         memcpy(smp->remote_pk, key, 64);
2697 
2698         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2699                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2700                              smp->rr, 0, cfm.confirm_val);
2701                 if (err)
2702                         return SMP_UNSPECIFIED;
2703 
2704                 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2705                         return SMP_CONFIRM_FAILED;
2706         }
2707 
2708         /* Non-initiating device sends its public key after receiving
2709          * the key from the initiating device.
2710          */
2711         if (!hcon->out) {
2712                 err = sc_send_public_key(smp);
2713                 if (err)
2714                         return err;
2715         }
2716 
2717         SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2718         SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2719 
2720         /* Compute the shared secret on the same crypto tfm on which the private
2721          * key was set/generated.
2722          */
2723         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2724                 struct l2cap_chan *hchan = hdev->smp_data;
2725                 struct smp_dev *smp_dev;
2726 
2727                 if (!hchan || !hchan->data)
2728                         return SMP_UNSPECIFIED;
2729 
2730                 smp_dev = hchan->data;
2731 
2732                 tfm_ecdh = smp_dev->tfm_ecdh;
2733         } else {
2734                 tfm_ecdh = smp->tfm_ecdh;
2735         }
2736 
2737         if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2738                 return SMP_UNSPECIFIED;
2739 
2740         SMP_DBG("DHKey %32phN", smp->dhkey);
2741 
2742         set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2743 
2744         smp->method = sc_select_method(smp);
2745 
2746         BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2747 
2748         /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2749         if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2750                 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2751         else
2752                 hcon->pending_sec_level = BT_SECURITY_FIPS;
2753 
2754         if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2755                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2756 
2757         if (smp->method == DSP_PASSKEY) {
2758                 get_random_bytes(&hcon->passkey_notify,
2759                                  sizeof(hcon->passkey_notify));
2760                 hcon->passkey_notify %= 1000000;
2761                 hcon->passkey_entered = 0;
2762                 smp->passkey_round = 0;
2763                 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2764                                              hcon->dst_type,
2765                                              hcon->passkey_notify,
2766                                              hcon->passkey_entered))
2767                         return SMP_UNSPECIFIED;
2768                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2769                 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2770         }
2771 
2772         if (smp->method == REQ_OOB) {
2773                 if (hcon->out)
2774                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2775                                      sizeof(smp->prnd), smp->prnd);
2776 
2777                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2778 
2779                 return 0;
2780         }
2781 
2782         if (hcon->out)
2783                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2784 
2785         if (smp->method == REQ_PASSKEY) {
2786                 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2787                                               hcon->dst_type))
2788                         return SMP_UNSPECIFIED;
2789                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2790                 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2791                 return 0;
2792         }
2793 
2794         /* The Initiating device waits for the non-initiating device to
2795          * send the confirm value.
2796          */
2797         if (conn->hcon->out)
2798                 return 0;
2799 
2800         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2801                      0, cfm.confirm_val);
2802         if (err)
2803                 return SMP_UNSPECIFIED;
2804 
2805         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2806         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2807 
2808         return 0;
2809 }
2810 
2811 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2812 {
2813         struct smp_cmd_dhkey_check *check = (void *) skb->data;
2814         struct l2cap_chan *chan = conn->smp;
2815         struct hci_conn *hcon = conn->hcon;
2816         struct smp_chan *smp = chan->data;
2817         u8 a[7], b[7], *local_addr, *remote_addr;
2818         u8 io_cap[3], r[16], e[16];
2819         int err;
2820 
2821         BT_DBG("conn %p", conn);
2822 
2823         if (skb->len < sizeof(*check))
2824                 return SMP_INVALID_PARAMS;
2825 
2826         memcpy(a, &hcon->init_addr, 6);
2827         memcpy(b, &hcon->resp_addr, 6);
2828         a[6] = hcon->init_addr_type;
2829         b[6] = hcon->resp_addr_type;
2830 
2831         if (hcon->out) {
2832                 local_addr = a;
2833                 remote_addr = b;
2834                 memcpy(io_cap, &smp->prsp[1], 3);
2835         } else {
2836                 local_addr = b;
2837                 remote_addr = a;
2838                 memcpy(io_cap, &smp->preq[1], 3);
2839         }
2840 
2841         memset(r, 0, sizeof(r));
2842 
2843         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2844                 put_unaligned_le32(hcon->passkey_notify, r);
2845         else if (smp->method == REQ_OOB)
2846                 memcpy(r, smp->lr, 16);
2847 
2848         err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2849                      io_cap, remote_addr, local_addr, e);
2850         if (err)
2851                 return SMP_UNSPECIFIED;
2852 
2853         if (crypto_memneq(check->e, e, 16))
2854                 return SMP_DHKEY_CHECK_FAILED;
2855 
2856         if (!hcon->out) {
2857                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2858                         set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2859                         return 0;
2860                 }
2861 
2862                 /* Slave sends DHKey check as response to master */
2863                 sc_dhkey_check(smp);
2864         }
2865 
2866         sc_add_ltk(smp);
2867 
2868         if (hcon->out) {
2869                 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2870                 hcon->enc_key_size = smp->enc_key_size;
2871         }
2872 
2873         return 0;
2874 }
2875 
2876 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2877                                    struct sk_buff *skb)
2878 {
2879         struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2880 
2881         BT_DBG("value 0x%02x", kp->value);
2882 
2883         return 0;
2884 }
2885 
2886 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2887 {
2888         struct l2cap_conn *conn = chan->conn;
2889         struct hci_conn *hcon = conn->hcon;
2890         struct smp_chan *smp;
2891         __u8 code, reason;
2892         int err = 0;
2893 
2894         if (skb->len < 1)
2895                 return -EILSEQ;
2896 
2897         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2898                 reason = SMP_PAIRING_NOTSUPP;
2899                 goto done;
2900         }
2901 
2902         code = skb->data[0];
2903         skb_pull(skb, sizeof(code));
2904 
2905         smp = chan->data;
2906 
2907         if (code > SMP_CMD_MAX)
2908                 goto drop;
2909 
2910         if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2911                 goto drop;
2912 
2913         /* If we don't have a context the only allowed commands are
2914          * pairing request and security request.
2915          */
2916         if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2917                 goto drop;
2918 
2919         switch (code) {
2920         case SMP_CMD_PAIRING_REQ:
2921                 reason = smp_cmd_pairing_req(conn, skb);
2922                 break;
2923 
2924         case SMP_CMD_PAIRING_FAIL:
2925                 smp_failure(conn, 0);
2926                 err = -EPERM;
2927                 break;
2928 
2929         case SMP_CMD_PAIRING_RSP:
2930                 reason = smp_cmd_pairing_rsp(conn, skb);
2931                 break;
2932 
2933         case SMP_CMD_SECURITY_REQ:
2934                 reason = smp_cmd_security_req(conn, skb);
2935                 break;
2936 
2937         case SMP_CMD_PAIRING_CONFIRM:
2938                 reason = smp_cmd_pairing_confirm(conn, skb);
2939                 break;
2940 
2941         case SMP_CMD_PAIRING_RANDOM:
2942                 reason = smp_cmd_pairing_random(conn, skb);
2943                 break;
2944 
2945         case SMP_CMD_ENCRYPT_INFO:
2946                 reason = smp_cmd_encrypt_info(conn, skb);
2947                 break;
2948 
2949         case SMP_CMD_MASTER_IDENT:
2950                 reason = smp_cmd_master_ident(conn, skb);
2951                 break;
2952 
2953         case SMP_CMD_IDENT_INFO:
2954                 reason = smp_cmd_ident_info(conn, skb);
2955                 break;
2956 
2957         case SMP_CMD_IDENT_ADDR_INFO:
2958                 reason = smp_cmd_ident_addr_info(conn, skb);
2959                 break;
2960 
2961         case SMP_CMD_SIGN_INFO:
2962                 reason = smp_cmd_sign_info(conn, skb);
2963                 break;
2964 
2965         case SMP_CMD_PUBLIC_KEY:
2966                 reason = smp_cmd_public_key(conn, skb);
2967                 break;
2968 
2969         case SMP_CMD_DHKEY_CHECK:
2970                 reason = smp_cmd_dhkey_check(conn, skb);
2971                 break;
2972 
2973         case SMP_CMD_KEYPRESS_NOTIFY:
2974                 reason = smp_cmd_keypress_notify(conn, skb);
2975                 break;
2976 
2977         default:
2978                 BT_DBG("Unknown command code 0x%2.2x", code);
2979                 reason = SMP_CMD_NOTSUPP;
2980                 goto done;
2981         }
2982 
2983 done:
2984         if (!err) {
2985                 if (reason)
2986                         smp_failure(conn, reason);
2987                 kfree_skb(skb);
2988         }
2989 
2990         return err;
2991 
2992 drop:
2993         bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2994                    code, &hcon->dst);
2995         kfree_skb(skb);
2996         return 0;
2997 }
2998 
2999 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3000 {
3001         struct l2cap_conn *conn = chan->conn;
3002 
3003         BT_DBG("chan %p", chan);
3004 
3005         if (chan->data)
3006                 smp_chan_destroy(conn);
3007 
3008         conn->smp = NULL;
3009         l2cap_chan_put(chan);
3010 }
3011 
3012 static void bredr_pairing(struct l2cap_chan *chan)
3013 {
3014         struct l2cap_conn *conn = chan->conn;
3015         struct hci_conn *hcon = conn->hcon;
3016         struct hci_dev *hdev = hcon->hdev;
3017         struct smp_cmd_pairing req;
3018         struct smp_chan *smp;
3019 
3020         BT_DBG("chan %p", chan);
3021 
3022         /* Only new pairings are interesting */
3023         if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3024                 return;
3025 
3026         /* Don't bother if we're not encrypted */
3027         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3028                 return;
3029 
3030         /* Only master may initiate SMP over BR/EDR */
3031         if (hcon->role != HCI_ROLE_MASTER)
3032                 return;
3033 
3034         /* Secure Connections support must be enabled */
3035         if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3036                 return;
3037 
3038         /* BR/EDR must use Secure Connections for SMP */
3039         if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3040             !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3041                 return;
3042 
3043         /* If our LE support is not enabled don't do anything */
3044         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3045                 return;
3046 
3047         /* Don't bother if remote LE support is not enabled */
3048         if (!lmp_host_le_capable(hcon))
3049                 return;
3050 
3051         /* Remote must support SMP fixed chan for BR/EDR */
3052         if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3053                 return;
3054 
3055         /* Don't bother if SMP is already ongoing */
3056         if (chan->data)
3057                 return;
3058 
3059         smp = smp_chan_create(conn);
3060         if (!smp) {
3061                 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3062                 return;
3063         }
3064 
3065         set_bit(SMP_FLAG_SC, &smp->flags);
3066 
3067         BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3068 
3069         /* Prepare and send the BR/EDR SMP Pairing Request */
3070         build_bredr_pairing_cmd(smp, &req, NULL);
3071 
3072         smp->preq[0] = SMP_CMD_PAIRING_REQ;
3073         memcpy(&smp->preq[1], &req, sizeof(req));
3074 
3075         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3076         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3077 }
3078 
3079 static void smp_resume_cb(struct l2cap_chan *chan)
3080 {
3081         struct smp_chan *smp = chan->data;
3082         struct l2cap_conn *conn = chan->conn;
3083         struct hci_conn *hcon = conn->hcon;
3084 
3085         BT_DBG("chan %p", chan);
3086 
3087         if (hcon->type == ACL_LINK) {
3088                 bredr_pairing(chan);
3089                 return;
3090         }
3091 
3092         if (!smp)
3093                 return;
3094 
3095         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3096                 return;
3097 
3098         cancel_delayed_work(&smp->security_timer);
3099 
3100         smp_distribute_keys(smp);
3101 }
3102 
3103 static void smp_ready_cb(struct l2cap_chan *chan)
3104 {
3105         struct l2cap_conn *conn = chan->conn;
3106         struct hci_conn *hcon = conn->hcon;
3107 
3108         BT_DBG("chan %p", chan);
3109 
3110         /* No need to call l2cap_chan_hold() here since we already own
3111          * the reference taken in smp_new_conn_cb(). This is just the
3112          * first time that we tie it to a specific pointer. The code in
3113          * l2cap_core.c ensures that there's no risk this function wont
3114          * get called if smp_new_conn_cb was previously called.
3115          */
3116         conn->smp = chan;
3117 
3118         if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3119                 bredr_pairing(chan);
3120 }
3121 
3122 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3123 {
3124         int err;
3125 
3126         BT_DBG("chan %p", chan);
3127 
3128         err = smp_sig_channel(chan, skb);
3129         if (err) {
3130                 struct smp_chan *smp = chan->data;
3131 
3132                 if (smp)
3133                         cancel_delayed_work_sync(&smp->security_timer);
3134 
3135                 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3136         }
3137 
3138         return err;
3139 }
3140 
3141 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3142                                         unsigned long hdr_len,
3143                                         unsigned long len, int nb)
3144 {
3145         struct sk_buff *skb;
3146 
3147         skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3148         if (!skb)
3149                 return ERR_PTR(-ENOMEM);
3150 
3151         skb->priority = HCI_PRIO_MAX;
3152         bt_cb(skb)->l2cap.chan = chan;
3153 
3154         return skb;
3155 }
3156 
3157 static const struct l2cap_ops smp_chan_ops = {
3158         .name                   = "Security Manager",
3159         .ready                  = smp_ready_cb,
3160         .recv                   = smp_recv_cb,
3161         .alloc_skb              = smp_alloc_skb_cb,
3162         .teardown               = smp_teardown_cb,
3163         .resume                 = smp_resume_cb,
3164 
3165         .new_connection         = l2cap_chan_no_new_connection,
3166         .state_change           = l2cap_chan_no_state_change,
3167         .close                  = l2cap_chan_no_close,
3168         .defer                  = l2cap_chan_no_defer,
3169         .suspend                = l2cap_chan_no_suspend,
3170         .set_shutdown           = l2cap_chan_no_set_shutdown,
3171         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3172 };
3173 
3174 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3175 {
3176         struct l2cap_chan *chan;
3177 
3178         BT_DBG("pchan %p", pchan);
3179 
3180         chan = l2cap_chan_create();
3181         if (!chan)
3182                 return NULL;
3183 
3184         chan->chan_type = pchan->chan_type;
3185         chan->ops       = &smp_chan_ops;
3186         chan->scid      = pchan->scid;
3187         chan->dcid      = chan->scid;
3188         chan->imtu      = pchan->imtu;
3189         chan->omtu      = pchan->omtu;
3190         chan->mode      = pchan->mode;
3191 
3192         /* Other L2CAP channels may request SMP routines in order to
3193          * change the security level. This means that the SMP channel
3194          * lock must be considered in its own category to avoid lockdep
3195          * warnings.
3196          */
3197         atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3198 
3199         BT_DBG("created chan %p", chan);
3200 
3201         return chan;
3202 }
3203 
3204 static const struct l2cap_ops smp_root_chan_ops = {
3205         .name                   = "Security Manager Root",
3206         .new_connection         = smp_new_conn_cb,
3207 
3208         /* None of these are implemented for the root channel */
3209         .close                  = l2cap_chan_no_close,
3210         .alloc_skb              = l2cap_chan_no_alloc_skb,
3211         .recv                   = l2cap_chan_no_recv,
3212         .state_change           = l2cap_chan_no_state_change,
3213         .teardown               = l2cap_chan_no_teardown,
3214         .ready                  = l2cap_chan_no_ready,
3215         .defer                  = l2cap_chan_no_defer,
3216         .suspend                = l2cap_chan_no_suspend,
3217         .resume                 = l2cap_chan_no_resume,
3218         .set_shutdown           = l2cap_chan_no_set_shutdown,
3219         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3220 };
3221 
3222 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3223 {
3224         struct l2cap_chan *chan;
3225         struct smp_dev *smp;
3226         struct crypto_cipher *tfm_aes;
3227         struct crypto_shash *tfm_cmac;
3228         struct crypto_kpp *tfm_ecdh;
3229 
3230         if (cid == L2CAP_CID_SMP_BREDR) {
3231                 smp = NULL;
3232                 goto create_chan;
3233         }
3234 
3235         smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3236         if (!smp)
3237                 return ERR_PTR(-ENOMEM);
3238 
3239         tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3240         if (IS_ERR(tfm_aes)) {
3241                 BT_ERR("Unable to create AES crypto context");
3242                 kzfree(smp);
3243                 return ERR_CAST(tfm_aes);
3244         }
3245 
3246         tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3247         if (IS_ERR(tfm_cmac)) {
3248                 BT_ERR("Unable to create CMAC crypto context");
3249                 crypto_free_cipher(tfm_aes);
3250                 kzfree(smp);
3251                 return ERR_CAST(tfm_cmac);
3252         }
3253 
3254         tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3255         if (IS_ERR(tfm_ecdh)) {
3256                 BT_ERR("Unable to create ECDH crypto context");
3257                 crypto_free_shash(tfm_cmac);
3258                 crypto_free_cipher(tfm_aes);
3259                 kzfree(smp);
3260                 return ERR_CAST(tfm_ecdh);
3261         }
3262 
3263         smp->local_oob = false;
3264         smp->tfm_aes = tfm_aes;
3265         smp->tfm_cmac = tfm_cmac;
3266         smp->tfm_ecdh = tfm_ecdh;
3267         smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3268         smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3269 
3270 create_chan:
3271         chan = l2cap_chan_create();
3272         if (!chan) {
3273                 if (smp) {
3274                         crypto_free_cipher(smp->tfm_aes);
3275                         crypto_free_shash(smp->tfm_cmac);
3276                         crypto_free_kpp(smp->tfm_ecdh);
3277                         kzfree(smp);
3278                 }
3279                 return ERR_PTR(-ENOMEM);
3280         }
3281 
3282         chan->data = smp;
3283 
3284         l2cap_add_scid(chan, cid);
3285 
3286         l2cap_chan_set_defaults(chan);
3287 
3288         if (cid == L2CAP_CID_SMP) {
3289                 u8 bdaddr_type;
3290 
3291                 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3292 
3293                 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3294                         chan->src_type = BDADDR_LE_PUBLIC;
3295                 else
3296                         chan->src_type = BDADDR_LE_RANDOM;
3297         } else {
3298                 bacpy(&chan->src, &hdev->bdaddr);
3299                 chan->src_type = BDADDR_BREDR;
3300         }
3301 
3302         chan->state = BT_LISTEN;
3303         chan->mode = L2CAP_MODE_BASIC;
3304         chan->imtu = L2CAP_DEFAULT_MTU;
3305         chan->ops = &smp_root_chan_ops;
3306 
3307         /* Set correct nesting level for a parent/listening channel */
3308         atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3309 
3310         return chan;
3311 }
3312 
3313 static void smp_del_chan(struct l2cap_chan *chan)
3314 {
3315         struct smp_dev *smp;
3316 
3317         BT_DBG("chan %p", chan);
3318 
3319         smp = chan->data;
3320         if (smp) {
3321                 chan->data = NULL;
3322                 crypto_free_cipher(smp->tfm_aes);
3323                 crypto_free_shash(smp->tfm_cmac);
3324                 crypto_free_kpp(smp->tfm_ecdh);
3325                 kzfree(smp);
3326         }
3327 
3328         l2cap_chan_put(chan);
3329 }
3330 
3331 static ssize_t force_bredr_smp_read(struct file *file,
3332                                     char __user *user_buf,
3333                                     size_t count, loff_t *ppos)
3334 {
3335         struct hci_dev *hdev = file->private_data;
3336         char buf[3];
3337 
3338         buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3339         buf[1] = '\n';
3340         buf[2] = '\0';
3341         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3342 }
3343 
3344 static ssize_t force_bredr_smp_write(struct file *file,
3345                                      const char __user *user_buf,
3346                                      size_t count, loff_t *ppos)
3347 {
3348         struct hci_dev *hdev = file->private_data;
3349         bool enable;
3350         int err;
3351 
3352         err = kstrtobool_from_user(user_buf, count, &enable);
3353         if (err)
3354                 return err;
3355 
3356         if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3357                 return -EALREADY;
3358 
3359         if (enable) {
3360                 struct l2cap_chan *chan;
3361 
3362                 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3363                 if (IS_ERR(chan))
3364                         return PTR_ERR(chan);
3365 
3366                 hdev->smp_bredr_data = chan;
3367         } else {
3368                 struct l2cap_chan *chan;
3369 
3370                 chan = hdev->smp_bredr_data;
3371                 hdev->smp_bredr_data = NULL;
3372                 smp_del_chan(chan);
3373         }
3374 
3375         hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3376 
3377         return count;
3378 }
3379 
3380 static const struct file_operations force_bredr_smp_fops = {
3381         .open           = simple_open,
3382         .read           = force_bredr_smp_read,
3383         .write          = force_bredr_smp_write,
3384         .llseek         = default_llseek,
3385 };
3386 
3387 static ssize_t le_min_key_size_read(struct file *file,
3388                                      char __user *user_buf,
3389                                      size_t count, loff_t *ppos)
3390 {
3391         struct hci_dev *hdev = file->private_data;
3392         char buf[4];
3393 
3394         snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3395 
3396         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3397 }
3398 
3399 static ssize_t le_min_key_size_write(struct file *file,
3400                                       const char __user *user_buf,
3401                                       size_t count, loff_t *ppos)
3402 {
3403         struct hci_dev *hdev = file->private_data;
3404         char buf[32];
3405         size_t buf_size = min(count, (sizeof(buf) - 1));
3406         u8 key_size;
3407 
3408         if (copy_from_user(buf, user_buf, buf_size))
3409                 return -EFAULT;
3410 
3411         buf[buf_size] = '\0';
3412 
3413         sscanf(buf, "%hhu", &key_size);
3414 
3415         if (key_size > SMP_DEV(hdev)->max_key_size ||
3416             key_size < SMP_MIN_ENC_KEY_SIZE)
3417                 return -EINVAL;
3418 
3419         SMP_DEV(hdev)->min_key_size = key_size;
3420 
3421         return count;
3422 }
3423 
3424 static const struct file_operations le_min_key_size_fops = {
3425         .open           = simple_open,
3426         .read           = le_min_key_size_read,
3427         .write          = le_min_key_size_write,
3428         .llseek         = default_llseek,
3429 };
3430 
3431 static ssize_t le_max_key_size_read(struct file *file,
3432                                      char __user *user_buf,
3433                                      size_t count, loff_t *ppos)
3434 {
3435         struct hci_dev *hdev = file->private_data;
3436         char buf[4];
3437 
3438         snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3439 
3440         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3441 }
3442 
3443 static ssize_t le_max_key_size_write(struct file *file,
3444                                       const char __user *user_buf,
3445                                       size_t count, loff_t *ppos)
3446 {
3447         struct hci_dev *hdev = file->private_data;
3448         char buf[32];
3449         size_t buf_size = min(count, (sizeof(buf) - 1));
3450         u8 key_size;
3451 
3452         if (copy_from_user(buf, user_buf, buf_size))
3453                 return -EFAULT;
3454 
3455         buf[buf_size] = '\0';
3456 
3457         sscanf(buf, "%hhu", &key_size);
3458 
3459         if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3460             key_size < SMP_DEV(hdev)->min_key_size)
3461                 return -EINVAL;
3462 
3463         SMP_DEV(hdev)->max_key_size = key_size;
3464 
3465         return count;
3466 }
3467 
3468 static const struct file_operations le_max_key_size_fops = {
3469         .open           = simple_open,
3470         .read           = le_max_key_size_read,
3471         .write          = le_max_key_size_write,
3472         .llseek         = default_llseek,
3473 };
3474 
3475 int smp_register(struct hci_dev *hdev)
3476 {
3477         struct l2cap_chan *chan;
3478 
3479         BT_DBG("%s", hdev->name);
3480 
3481         /* If the controller does not support Low Energy operation, then
3482          * there is also no need to register any SMP channel.
3483          */
3484         if (!lmp_le_capable(hdev))
3485                 return 0;
3486 
3487         if (WARN_ON(hdev->smp_data)) {
3488                 chan = hdev->smp_data;
3489                 hdev->smp_data = NULL;
3490                 smp_del_chan(chan);
3491         }
3492 
3493         chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3494         if (IS_ERR(chan))
3495                 return PTR_ERR(chan);
3496 
3497         hdev->smp_data = chan;
3498 
3499         debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3500                             &le_min_key_size_fops);
3501         debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3502                             &le_max_key_size_fops);
3503 
3504         /* If the controller does not support BR/EDR Secure Connections
3505          * feature, then the BR/EDR SMP channel shall not be present.
3506          *
3507          * To test this with Bluetooth 4.0 controllers, create a debugfs
3508          * switch that allows forcing BR/EDR SMP support and accepting
3509          * cross-transport pairing on non-AES encrypted connections.
3510          */
3511         if (!lmp_sc_capable(hdev)) {
3512                 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3513                                     hdev, &force_bredr_smp_fops);
3514 
3515                 /* Flag can be already set here (due to power toggle) */
3516                 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3517                         return 0;
3518         }
3519 
3520         if (WARN_ON(hdev->smp_bredr_data)) {
3521                 chan = hdev->smp_bredr_data;
3522                 hdev->smp_bredr_data = NULL;
3523                 smp_del_chan(chan);
3524         }
3525 
3526         chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3527         if (IS_ERR(chan)) {
3528                 int err = PTR_ERR(chan);
3529                 chan = hdev->smp_data;
3530                 hdev->smp_data = NULL;
3531                 smp_del_chan(chan);
3532                 return err;
3533         }
3534 
3535         hdev->smp_bredr_data = chan;
3536 
3537         return 0;
3538 }
3539 
3540 void smp_unregister(struct hci_dev *hdev)
3541 {
3542         struct l2cap_chan *chan;
3543 
3544         if (hdev->smp_bredr_data) {
3545                 chan = hdev->smp_bredr_data;
3546                 hdev->smp_bredr_data = NULL;
3547                 smp_del_chan(chan);
3548         }
3549 
3550         if (hdev->smp_data) {
3551                 chan = hdev->smp_data;
3552                 hdev->smp_data = NULL;
3553                 smp_del_chan(chan);
3554         }
3555 }
3556 
3557 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3558 
3559 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3560 {
3561         u8 pk[64];
3562         int err;
3563 
3564         err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3565         if (err)
3566                 return err;
3567 
3568         err = generate_ecdh_public_key(tfm_ecdh, pk);
3569         if (err)
3570                 return err;
3571 
3572         if (crypto_memneq(pk, debug_pk, 64))
3573                 return -EINVAL;
3574 
3575         return 0;
3576 }
3577 
3578 static int __init test_ah(struct crypto_cipher *tfm_aes)
3579 {
3580         const u8 irk[16] = {
3581                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3582                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3583         const u8 r[3] = { 0x94, 0x81, 0x70 };
3584         const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3585         u8 res[3];
3586         int err;
3587 
3588         err = smp_ah(tfm_aes, irk, r, res);
3589         if (err)
3590                 return err;
3591 
3592         if (crypto_memneq(res, exp, 3))
3593                 return -EINVAL;
3594 
3595         return 0;
3596 }
3597 
3598 static int __init test_c1(struct crypto_cipher *tfm_aes)
3599 {
3600         const u8 k[16] = {
3601                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3602                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3603         const u8 r[16] = {
3604                         0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3605                         0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3606         const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3607         const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3608         const u8 _iat = 0x01;
3609         const u8 _rat = 0x00;
3610         const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3611         const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3612         const u8 exp[16] = {
3613                         0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3614                         0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3615         u8 res[16];
3616         int err;
3617 
3618         err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3619         if (err)
3620                 return err;
3621 
3622         if (crypto_memneq(res, exp, 16))
3623                 return -EINVAL;
3624 
3625         return 0;
3626 }
3627 
3628 static int __init test_s1(struct crypto_cipher *tfm_aes)
3629 {
3630         const u8 k[16] = {
3631                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3632                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3633         const u8 r1[16] = {
3634                         0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3635         const u8 r2[16] = {
3636                         0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3637         const u8 exp[16] = {
3638                         0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3639                         0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3640         u8 res[16];
3641         int err;
3642 
3643         err = smp_s1(tfm_aes, k, r1, r2, res);
3644         if (err)
3645                 return err;
3646 
3647         if (crypto_memneq(res, exp, 16))
3648                 return -EINVAL;
3649 
3650         return 0;
3651 }
3652 
3653 static int __init test_f4(struct crypto_shash *tfm_cmac)
3654 {
3655         const u8 u[32] = {
3656                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3657                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3658                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3659                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3660         const u8 v[32] = {
3661                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3662                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3663                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3664                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3665         const u8 x[16] = {
3666                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3667                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3668         const u8 z = 0x00;
3669         const u8 exp[16] = {
3670                         0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3671                         0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3672         u8 res[16];
3673         int err;
3674 
3675         err = smp_f4(tfm_cmac, u, v, x, z, res);
3676         if (err)
3677                 return err;
3678 
3679         if (crypto_memneq(res, exp, 16))
3680                 return -EINVAL;
3681 
3682         return 0;
3683 }
3684 
3685 static int __init test_f5(struct crypto_shash *tfm_cmac)
3686 {
3687         const u8 w[32] = {
3688                         0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3689                         0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3690                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3691                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3692         const u8 n1[16] = {
3693                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3694                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3695         const u8 n2[16] = {
3696                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3697                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3698         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3699         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3700         const u8 exp_ltk[16] = {
3701                         0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3702                         0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3703         const u8 exp_mackey[16] = {
3704                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3705                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3706         u8 mackey[16], ltk[16];
3707         int err;
3708 
3709         err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3710         if (err)
3711                 return err;
3712 
3713         if (crypto_memneq(mackey, exp_mackey, 16))
3714                 return -EINVAL;
3715 
3716         if (crypto_memneq(ltk, exp_ltk, 16))
3717                 return -EINVAL;
3718 
3719         return 0;
3720 }
3721 
3722 static int __init test_f6(struct crypto_shash *tfm_cmac)
3723 {
3724         const u8 w[16] = {
3725                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3726                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3727         const u8 n1[16] = {
3728                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3729                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3730         const u8 n2[16] = {
3731                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3732                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3733         const u8 r[16] = {
3734                         0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3735                         0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3736         const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3737         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3738         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3739         const u8 exp[16] = {
3740                         0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3741                         0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3742         u8 res[16];
3743         int err;
3744 
3745         err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3746         if (err)
3747                 return err;
3748 
3749         if (crypto_memneq(res, exp, 16))
3750                 return -EINVAL;
3751 
3752         return 0;
3753 }
3754 
3755 static int __init test_g2(struct crypto_shash *tfm_cmac)
3756 {
3757         const u8 u[32] = {
3758                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3759                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3760                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3761                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3762         const u8 v[32] = {
3763                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3764                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3765                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3766                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3767         const u8 x[16] = {
3768                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3769                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3770         const u8 y[16] = {
3771                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3772                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3773         const u32 exp_val = 0x2f9ed5ba % 1000000;
3774         u32 val;
3775         int err;
3776 
3777         err = smp_g2(tfm_cmac, u, v, x, y, &val);
3778         if (err)
3779                 return err;
3780 
3781         if (val != exp_val)
3782                 return -EINVAL;
3783 
3784         return 0;
3785 }
3786 
3787 static int __init test_h6(struct crypto_shash *tfm_cmac)
3788 {
3789         const u8 w[16] = {
3790                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3791                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3792         const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3793         const u8 exp[16] = {
3794                         0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3795                         0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3796         u8 res[16];
3797         int err;
3798 
3799         err = smp_h6(tfm_cmac, w, key_id, res);
3800         if (err)
3801                 return err;
3802 
3803         if (crypto_memneq(res, exp, 16))
3804                 return -EINVAL;
3805 
3806         return 0;
3807 }
3808 
3809 static char test_smp_buffer[32];
3810 
3811 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3812                              size_t count, loff_t *ppos)
3813 {
3814         return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3815                                        strlen(test_smp_buffer));
3816 }
3817 
3818 static const struct file_operations test_smp_fops = {
3819         .open           = simple_open,
3820         .read           = test_smp_read,
3821         .llseek         = default_llseek,
3822 };
3823 
3824 static int __init run_selftests(struct crypto_cipher *tfm_aes,
3825                                 struct crypto_shash *tfm_cmac,
3826                                 struct crypto_kpp *tfm_ecdh)
3827 {
3828         ktime_t calltime, delta, rettime;
3829         unsigned long long duration;
3830         int err;
3831 
3832         calltime = ktime_get();
3833 
3834         err = test_debug_key(tfm_ecdh);
3835         if (err) {
3836                 BT_ERR("debug_key test failed");
3837                 goto done;
3838         }
3839 
3840         err = test_ah(tfm_aes);
3841         if (err) {
3842                 BT_ERR("smp_ah test failed");
3843                 goto done;
3844         }
3845 
3846         err = test_c1(tfm_aes);
3847         if (err) {
3848                 BT_ERR("smp_c1 test failed");
3849                 goto done;
3850         }
3851 
3852         err = test_s1(tfm_aes);
3853         if (err) {
3854                 BT_ERR("smp_s1 test failed");
3855                 goto done;
3856         }
3857 
3858         err = test_f4(tfm_cmac);
3859         if (err) {
3860                 BT_ERR("smp_f4 test failed");
3861                 goto done;
3862         }
3863 
3864         err = test_f5(tfm_cmac);
3865         if (err) {
3866                 BT_ERR("smp_f5 test failed");
3867                 goto done;
3868         }
3869 
3870         err = test_f6(tfm_cmac);
3871         if (err) {
3872                 BT_ERR("smp_f6 test failed");
3873                 goto done;
3874         }
3875 
3876         err = test_g2(tfm_cmac);
3877         if (err) {
3878                 BT_ERR("smp_g2 test failed");
3879                 goto done;
3880         }
3881 
3882         err = test_h6(tfm_cmac);
3883         if (err) {
3884                 BT_ERR("smp_h6 test failed");
3885                 goto done;
3886         }
3887 
3888         rettime = ktime_get();
3889         delta = ktime_sub(rettime, calltime);
3890         duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3891 
3892         BT_INFO("SMP test passed in %llu usecs", duration);
3893 
3894 done:
3895         if (!err)
3896                 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3897                          "PASS (%llu usecs)\n", duration);
3898         else
3899                 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3900 
3901         debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3902                             &test_smp_fops);
3903 
3904         return err;
3905 }
3906 
3907 int __init bt_selftest_smp(void)
3908 {
3909         struct crypto_cipher *tfm_aes;
3910         struct crypto_shash *tfm_cmac;
3911         struct crypto_kpp *tfm_ecdh;
3912         int err;
3913 
3914         tfm_aes = crypto_alloc_cipher("aes", 0, CRYPTO_ALG_ASYNC);
3915         if (IS_ERR(tfm_aes)) {
3916                 BT_ERR("Unable to create AES crypto context");
3917                 return PTR_ERR(tfm_aes);
3918         }
3919 
3920         tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3921         if (IS_ERR(tfm_cmac)) {
3922                 BT_ERR("Unable to create CMAC crypto context");
3923                 crypto_free_cipher(tfm_aes);
3924                 return PTR_ERR(tfm_cmac);
3925         }
3926 
3927         tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3928         if (IS_ERR(tfm_ecdh)) {
3929                 BT_ERR("Unable to create ECDH crypto context");
3930                 crypto_free_shash(tfm_cmac);
3931                 crypto_free_cipher(tfm_aes);
3932                 return PTR_ERR(tfm_ecdh);
3933         }
3934 
3935         err = run_selftests(tfm_aes, tfm_cmac, tfm_ecdh);
3936 
3937         crypto_free_shash(tfm_cmac);
3938         crypto_free_cipher(tfm_aes);
3939         crypto_free_kpp(tfm_ecdh);
3940 
3941         return err;
3942 }
3943 
3944 #endif
3945 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp