~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/net/bluetooth/smp.c

Version: ~ [ linux-5.4-rc7 ] ~ [ linux-5.3.10 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.83 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.153 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.200 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.200 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.140 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.76 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2    BlueZ - Bluetooth protocol stack for Linux
  3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
  4 
  5    This program is free software; you can redistribute it and/or modify
  6    it under the terms of the GNU General Public License version 2 as
  7    published by the Free Software Foundation;
  8 
  9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
 10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
 12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
 13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
 14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 17 
 18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
 19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
 20    SOFTWARE IS DISCLAIMED.
 21 */
 22 
 23 #include <linux/debugfs.h>
 24 #include <linux/crypto.h>
 25 #include <linux/scatterlist.h>
 26 #include <crypto/b128ops.h>
 27 
 28 #include <net/bluetooth/bluetooth.h>
 29 #include <net/bluetooth/hci_core.h>
 30 #include <net/bluetooth/l2cap.h>
 31 #include <net/bluetooth/mgmt.h>
 32 
 33 #include "ecc.h"
 34 #include "smp.h"
 35 
 36 #define SMP_DEV(hdev) \
 37         ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
 38 
 39 /* Low-level debug macros to be used for stuff that we don't want
 40  * accidentially in dmesg, i.e. the values of the various crypto keys
 41  * and the inputs & outputs of crypto functions.
 42  */
 43 #ifdef DEBUG
 44 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
 45                                  ##__VA_ARGS__)
 46 #else
 47 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
 48                                     ##__VA_ARGS__)
 49 #endif
 50 
 51 #define SMP_ALLOW_CMD(smp, code)        set_bit(code, &smp->allow_cmd)
 52 
 53 /* Keys which are not distributed with Secure Connections */
 54 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
 55 
 56 #define SMP_TIMEOUT     msecs_to_jiffies(30000)
 57 
 58 #define AUTH_REQ_MASK(dev)      (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
 59                                  0x1f : 0x07)
 60 #define KEY_DIST_MASK           0x07
 61 
 62 /* Maximum message length that can be passed to aes_cmac */
 63 #define CMAC_MSG_MAX    80
 64 
 65 enum {
 66         SMP_FLAG_TK_VALID,
 67         SMP_FLAG_CFM_PENDING,
 68         SMP_FLAG_MITM_AUTH,
 69         SMP_FLAG_COMPLETE,
 70         SMP_FLAG_INITIATOR,
 71         SMP_FLAG_SC,
 72         SMP_FLAG_REMOTE_PK,
 73         SMP_FLAG_DEBUG_KEY,
 74         SMP_FLAG_WAIT_USER,
 75         SMP_FLAG_DHKEY_PENDING,
 76         SMP_FLAG_REMOTE_OOB,
 77         SMP_FLAG_LOCAL_OOB,
 78 };
 79 
 80 struct smp_dev {
 81         /* Secure Connections OOB data */
 82         u8                      local_pk[64];
 83         u8                      local_sk[32];
 84         u8                      local_rand[16];
 85         bool                    debug_key;
 86 
 87         u8                      min_key_size;
 88         u8                      max_key_size;
 89 
 90         struct crypto_blkcipher *tfm_aes;
 91         struct crypto_hash      *tfm_cmac;
 92 };
 93 
 94 struct smp_chan {
 95         struct l2cap_conn       *conn;
 96         struct delayed_work     security_timer;
 97         unsigned long           allow_cmd; /* Bitmask of allowed commands */
 98 
 99         u8              preq[7]; /* SMP Pairing Request */
100         u8              prsp[7]; /* SMP Pairing Response */
101         u8              prnd[16]; /* SMP Pairing Random (local) */
102         u8              rrnd[16]; /* SMP Pairing Random (remote) */
103         u8              pcnf[16]; /* SMP Pairing Confirm */
104         u8              tk[16]; /* SMP Temporary Key */
105         u8              rr[16]; /* Remote OOB ra/rb value */
106         u8              lr[16]; /* Local OOB ra/rb value */
107         u8              enc_key_size;
108         u8              remote_key_dist;
109         bdaddr_t        id_addr;
110         u8              id_addr_type;
111         u8              irk[16];
112         struct smp_csrk *csrk;
113         struct smp_csrk *slave_csrk;
114         struct smp_ltk  *ltk;
115         struct smp_ltk  *slave_ltk;
116         struct smp_irk  *remote_irk;
117         u8              *link_key;
118         unsigned long   flags;
119         u8              method;
120         u8              passkey_round;
121 
122         /* Secure Connections variables */
123         u8                      local_pk[64];
124         u8                      local_sk[32];
125         u8                      remote_pk[64];
126         u8                      dhkey[32];
127         u8                      mackey[16];
128 
129         struct crypto_blkcipher *tfm_aes;
130         struct crypto_hash      *tfm_cmac;
131 };
132 
133 /* These debug key values are defined in the SMP section of the core
134  * specification. debug_pk is the public debug key and debug_sk the
135  * private debug key.
136  */
137 static const u8 debug_pk[64] = {
138                 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
139                 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
140                 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
141                 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
142 
143                 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
144                 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
145                 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
146                 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
147 };
148 
149 static const u8 debug_sk[32] = {
150                 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
151                 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
152                 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
153                 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
154 };
155 
156 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
157 {
158         size_t i;
159 
160         for (i = 0; i < len; i++)
161                 dst[len - 1 - i] = src[i];
162 }
163 
164 /* The following functions map to the LE SC SMP crypto functions
165  * AES-CMAC, f4, f5, f6, g2 and h6.
166  */
167 
168 static int aes_cmac(struct crypto_hash *tfm, const u8 k[16], const u8 *m,
169                     size_t len, u8 mac[16])
170 {
171         uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
172         struct hash_desc desc;
173         struct scatterlist sg;
174         int err;
175 
176         if (len > CMAC_MSG_MAX)
177                 return -EFBIG;
178 
179         if (!tfm) {
180                 BT_ERR("tfm %p", tfm);
181                 return -EINVAL;
182         }
183 
184         desc.tfm = tfm;
185         desc.flags = 0;
186 
187         crypto_hash_init(&desc);
188 
189         /* Swap key and message from LSB to MSB */
190         swap_buf(k, tmp, 16);
191         swap_buf(m, msg_msb, len);
192 
193         SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
194         SMP_DBG("key %16phN", k);
195 
196         err = crypto_hash_setkey(tfm, tmp, 16);
197         if (err) {
198                 BT_ERR("cipher setkey failed: %d", err);
199                 return err;
200         }
201 
202         sg_init_one(&sg, msg_msb, len);
203 
204         err = crypto_hash_update(&desc, &sg, len);
205         if (err) {
206                 BT_ERR("Hash update error %d", err);
207                 return err;
208         }
209 
210         err = crypto_hash_final(&desc, mac_msb);
211         if (err) {
212                 BT_ERR("Hash final error %d", err);
213                 return err;
214         }
215 
216         swap_buf(mac_msb, mac, 16);
217 
218         SMP_DBG("mac %16phN", mac);
219 
220         return 0;
221 }
222 
223 static int smp_f4(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
224                   const u8 x[16], u8 z, u8 res[16])
225 {
226         u8 m[65];
227         int err;
228 
229         SMP_DBG("u %32phN", u);
230         SMP_DBG("v %32phN", v);
231         SMP_DBG("x %16phN z %02x", x, z);
232 
233         m[0] = z;
234         memcpy(m + 1, v, 32);
235         memcpy(m + 33, u, 32);
236 
237         err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
238         if (err)
239                 return err;
240 
241         SMP_DBG("res %16phN", res);
242 
243         return err;
244 }
245 
246 static int smp_f5(struct crypto_hash *tfm_cmac, const u8 w[32],
247                   const u8 n1[16], const u8 n2[16], const u8 a1[7],
248                   const u8 a2[7], u8 mackey[16], u8 ltk[16])
249 {
250         /* The btle, salt and length "magic" values are as defined in
251          * the SMP section of the Bluetooth core specification. In ASCII
252          * the btle value ends up being 'btle'. The salt is just a
253          * random number whereas length is the value 256 in little
254          * endian format.
255          */
256         const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
257         const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
258                               0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
259         const u8 length[2] = { 0x00, 0x01 };
260         u8 m[53], t[16];
261         int err;
262 
263         SMP_DBG("w %32phN", w);
264         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
265         SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
266 
267         err = aes_cmac(tfm_cmac, salt, w, 32, t);
268         if (err)
269                 return err;
270 
271         SMP_DBG("t %16phN", t);
272 
273         memcpy(m, length, 2);
274         memcpy(m + 2, a2, 7);
275         memcpy(m + 9, a1, 7);
276         memcpy(m + 16, n2, 16);
277         memcpy(m + 32, n1, 16);
278         memcpy(m + 48, btle, 4);
279 
280         m[52] = 0; /* Counter */
281 
282         err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
283         if (err)
284                 return err;
285 
286         SMP_DBG("mackey %16phN", mackey);
287 
288         m[52] = 1; /* Counter */
289 
290         err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
291         if (err)
292                 return err;
293 
294         SMP_DBG("ltk %16phN", ltk);
295 
296         return 0;
297 }
298 
299 static int smp_f6(struct crypto_hash *tfm_cmac, const u8 w[16],
300                   const u8 n1[16], const u8 n2[16], const u8 r[16],
301                   const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
302                   u8 res[16])
303 {
304         u8 m[65];
305         int err;
306 
307         SMP_DBG("w %16phN", w);
308         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
309         SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
310 
311         memcpy(m, a2, 7);
312         memcpy(m + 7, a1, 7);
313         memcpy(m + 14, io_cap, 3);
314         memcpy(m + 17, r, 16);
315         memcpy(m + 33, n2, 16);
316         memcpy(m + 49, n1, 16);
317 
318         err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
319         if (err)
320                 return err;
321 
322         SMP_DBG("res %16phN", res);
323 
324         return err;
325 }
326 
327 static int smp_g2(struct crypto_hash *tfm_cmac, const u8 u[32], const u8 v[32],
328                   const u8 x[16], const u8 y[16], u32 *val)
329 {
330         u8 m[80], tmp[16];
331         int err;
332 
333         SMP_DBG("u %32phN", u);
334         SMP_DBG("v %32phN", v);
335         SMP_DBG("x %16phN y %16phN", x, y);
336 
337         memcpy(m, y, 16);
338         memcpy(m + 16, v, 32);
339         memcpy(m + 48, u, 32);
340 
341         err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
342         if (err)
343                 return err;
344 
345         *val = get_unaligned_le32(tmp);
346         *val %= 1000000;
347 
348         SMP_DBG("val %06u", *val);
349 
350         return 0;
351 }
352 
353 static int smp_h6(struct crypto_hash *tfm_cmac, const u8 w[16],
354                   const u8 key_id[4], u8 res[16])
355 {
356         int err;
357 
358         SMP_DBG("w %16phN key_id %4phN", w, key_id);
359 
360         err = aes_cmac(tfm_cmac, w, key_id, 4, res);
361         if (err)
362                 return err;
363 
364         SMP_DBG("res %16phN", res);
365 
366         return err;
367 }
368 
369 /* The following functions map to the legacy SMP crypto functions e, c1,
370  * s1 and ah.
371  */
372 
373 static int smp_e(struct crypto_blkcipher *tfm, const u8 *k, u8 *r)
374 {
375         struct blkcipher_desc desc;
376         struct scatterlist sg;
377         uint8_t tmp[16], data[16];
378         int err;
379 
380         SMP_DBG("k %16phN r %16phN", k, r);
381 
382         if (!tfm) {
383                 BT_ERR("tfm %p", tfm);
384                 return -EINVAL;
385         }
386 
387         desc.tfm = tfm;
388         desc.flags = 0;
389 
390         /* The most significant octet of key corresponds to k[0] */
391         swap_buf(k, tmp, 16);
392 
393         err = crypto_blkcipher_setkey(tfm, tmp, 16);
394         if (err) {
395                 BT_ERR("cipher setkey failed: %d", err);
396                 return err;
397         }
398 
399         /* Most significant octet of plaintextData corresponds to data[0] */
400         swap_buf(r, data, 16);
401 
402         sg_init_one(&sg, data, 16);
403 
404         err = crypto_blkcipher_encrypt(&desc, &sg, &sg, 16);
405         if (err)
406                 BT_ERR("Encrypt data error %d", err);
407 
408         /* Most significant octet of encryptedData corresponds to data[0] */
409         swap_buf(data, r, 16);
410 
411         SMP_DBG("r %16phN", r);
412 
413         return err;
414 }
415 
416 static int smp_c1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
417                   const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
418                   const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
419 {
420         u8 p1[16], p2[16];
421         int err;
422 
423         SMP_DBG("k %16phN r %16phN", k, r);
424         SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
425         SMP_DBG("preq %7phN pres %7phN", preq, pres);
426 
427         memset(p1, 0, 16);
428 
429         /* p1 = pres || preq || _rat || _iat */
430         p1[0] = _iat;
431         p1[1] = _rat;
432         memcpy(p1 + 2, preq, 7);
433         memcpy(p1 + 9, pres, 7);
434 
435         SMP_DBG("p1 %16phN", p1);
436 
437         /* res = r XOR p1 */
438         u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
439 
440         /* res = e(k, res) */
441         err = smp_e(tfm_aes, k, res);
442         if (err) {
443                 BT_ERR("Encrypt data error");
444                 return err;
445         }
446 
447         /* p2 = padding || ia || ra */
448         memcpy(p2, ra, 6);
449         memcpy(p2 + 6, ia, 6);
450         memset(p2 + 12, 0, 4);
451 
452         SMP_DBG("p2 %16phN", p2);
453 
454         /* res = res XOR p2 */
455         u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
456 
457         /* res = e(k, res) */
458         err = smp_e(tfm_aes, k, res);
459         if (err)
460                 BT_ERR("Encrypt data error");
461 
462         return err;
463 }
464 
465 static int smp_s1(struct crypto_blkcipher *tfm_aes, const u8 k[16],
466                   const u8 r1[16], const u8 r2[16], u8 _r[16])
467 {
468         int err;
469 
470         /* Just least significant octets from r1 and r2 are considered */
471         memcpy(_r, r2, 8);
472         memcpy(_r + 8, r1, 8);
473 
474         err = smp_e(tfm_aes, k, _r);
475         if (err)
476                 BT_ERR("Encrypt data error");
477 
478         return err;
479 }
480 
481 static int smp_ah(struct crypto_blkcipher *tfm, const u8 irk[16],
482                   const u8 r[3], u8 res[3])
483 {
484         u8 _res[16];
485         int err;
486 
487         /* r' = padding || r */
488         memcpy(_res, r, 3);
489         memset(_res + 3, 0, 13);
490 
491         err = smp_e(tfm, irk, _res);
492         if (err) {
493                 BT_ERR("Encrypt error");
494                 return err;
495         }
496 
497         /* The output of the random address function ah is:
498          *      ah(h, r) = e(k, r') mod 2^24
499          * The output of the security function e is then truncated to 24 bits
500          * by taking the least significant 24 bits of the output of e as the
501          * result of ah.
502          */
503         memcpy(res, _res, 3);
504 
505         return 0;
506 }
507 
508 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
509                      const bdaddr_t *bdaddr)
510 {
511         struct l2cap_chan *chan = hdev->smp_data;
512         struct smp_dev *smp;
513         u8 hash[3];
514         int err;
515 
516         if (!chan || !chan->data)
517                 return false;
518 
519         smp = chan->data;
520 
521         BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
522 
523         err = smp_ah(smp->tfm_aes, irk, &bdaddr->b[3], hash);
524         if (err)
525                 return false;
526 
527         return !memcmp(bdaddr->b, hash, 3);
528 }
529 
530 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
531 {
532         struct l2cap_chan *chan = hdev->smp_data;
533         struct smp_dev *smp;
534         int err;
535 
536         if (!chan || !chan->data)
537                 return -EOPNOTSUPP;
538 
539         smp = chan->data;
540 
541         get_random_bytes(&rpa->b[3], 3);
542 
543         rpa->b[5] &= 0x3f;      /* Clear two most significant bits */
544         rpa->b[5] |= 0x40;      /* Set second most significant bit */
545 
546         err = smp_ah(smp->tfm_aes, irk, &rpa->b[3], rpa->b);
547         if (err < 0)
548                 return err;
549 
550         BT_DBG("RPA %pMR", rpa);
551 
552         return 0;
553 }
554 
555 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
556 {
557         struct l2cap_chan *chan = hdev->smp_data;
558         struct smp_dev *smp;
559         int err;
560 
561         if (!chan || !chan->data)
562                 return -EOPNOTSUPP;
563 
564         smp = chan->data;
565 
566         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
567                 BT_DBG("Using debug keys");
568                 memcpy(smp->local_pk, debug_pk, 64);
569                 memcpy(smp->local_sk, debug_sk, 32);
570                 smp->debug_key = true;
571         } else {
572                 while (true) {
573                         /* Generate local key pair for Secure Connections */
574                         if (!ecc_make_key(smp->local_pk, smp->local_sk))
575                                 return -EIO;
576 
577                         /* This is unlikely, but we need to check that
578                          * we didn't accidentially generate a debug key.
579                          */
580                         if (memcmp(smp->local_sk, debug_sk, 32))
581                                 break;
582                 }
583                 smp->debug_key = false;
584         }
585 
586         SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
587         SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
588         SMP_DBG("OOB Private Key:  %32phN", smp->local_sk);
589 
590         get_random_bytes(smp->local_rand, 16);
591 
592         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
593                      smp->local_rand, 0, hash);
594         if (err < 0)
595                 return err;
596 
597         memcpy(rand, smp->local_rand, 16);
598 
599         return 0;
600 }
601 
602 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
603 {
604         struct l2cap_chan *chan = conn->smp;
605         struct smp_chan *smp;
606         struct kvec iv[2];
607         struct msghdr msg;
608 
609         if (!chan)
610                 return;
611 
612         BT_DBG("code 0x%2.2x", code);
613 
614         iv[0].iov_base = &code;
615         iv[0].iov_len = 1;
616 
617         iv[1].iov_base = data;
618         iv[1].iov_len = len;
619 
620         memset(&msg, 0, sizeof(msg));
621 
622         iov_iter_kvec(&msg.msg_iter, WRITE | ITER_KVEC, iv, 2, 1 + len);
623 
624         l2cap_chan_send(chan, &msg, 1 + len);
625 
626         if (!chan->data)
627                 return;
628 
629         smp = chan->data;
630 
631         cancel_delayed_work_sync(&smp->security_timer);
632         schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
633 }
634 
635 static u8 authreq_to_seclevel(u8 authreq)
636 {
637         if (authreq & SMP_AUTH_MITM) {
638                 if (authreq & SMP_AUTH_SC)
639                         return BT_SECURITY_FIPS;
640                 else
641                         return BT_SECURITY_HIGH;
642         } else {
643                 return BT_SECURITY_MEDIUM;
644         }
645 }
646 
647 static __u8 seclevel_to_authreq(__u8 sec_level)
648 {
649         switch (sec_level) {
650         case BT_SECURITY_FIPS:
651         case BT_SECURITY_HIGH:
652                 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
653         case BT_SECURITY_MEDIUM:
654                 return SMP_AUTH_BONDING;
655         default:
656                 return SMP_AUTH_NONE;
657         }
658 }
659 
660 static void build_pairing_cmd(struct l2cap_conn *conn,
661                               struct smp_cmd_pairing *req,
662                               struct smp_cmd_pairing *rsp, __u8 authreq)
663 {
664         struct l2cap_chan *chan = conn->smp;
665         struct smp_chan *smp = chan->data;
666         struct hci_conn *hcon = conn->hcon;
667         struct hci_dev *hdev = hcon->hdev;
668         u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
669 
670         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
671                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
672                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
673                 authreq |= SMP_AUTH_BONDING;
674         } else {
675                 authreq &= ~SMP_AUTH_BONDING;
676         }
677 
678         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
679                 remote_dist |= SMP_DIST_ID_KEY;
680 
681         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
682                 local_dist |= SMP_DIST_ID_KEY;
683 
684         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
685             (authreq & SMP_AUTH_SC)) {
686                 struct oob_data *oob_data;
687                 u8 bdaddr_type;
688 
689                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
690                         local_dist |= SMP_DIST_LINK_KEY;
691                         remote_dist |= SMP_DIST_LINK_KEY;
692                 }
693 
694                 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
695                         bdaddr_type = BDADDR_LE_PUBLIC;
696                 else
697                         bdaddr_type = BDADDR_LE_RANDOM;
698 
699                 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
700                                                     bdaddr_type);
701                 if (oob_data && oob_data->present) {
702                         set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
703                         oob_flag = SMP_OOB_PRESENT;
704                         memcpy(smp->rr, oob_data->rand256, 16);
705                         memcpy(smp->pcnf, oob_data->hash256, 16);
706                         SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
707                         SMP_DBG("OOB Remote Random: %16phN", smp->rr);
708                 }
709 
710         } else {
711                 authreq &= ~SMP_AUTH_SC;
712         }
713 
714         if (rsp == NULL) {
715                 req->io_capability = conn->hcon->io_capability;
716                 req->oob_flag = oob_flag;
717                 req->max_key_size = SMP_DEV(hdev)->max_key_size;
718                 req->init_key_dist = local_dist;
719                 req->resp_key_dist = remote_dist;
720                 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
721 
722                 smp->remote_key_dist = remote_dist;
723                 return;
724         }
725 
726         rsp->io_capability = conn->hcon->io_capability;
727         rsp->oob_flag = oob_flag;
728         rsp->max_key_size = SMP_DEV(hdev)->max_key_size;
729         rsp->init_key_dist = req->init_key_dist & remote_dist;
730         rsp->resp_key_dist = req->resp_key_dist & local_dist;
731         rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
732 
733         smp->remote_key_dist = rsp->init_key_dist;
734 }
735 
736 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
737 {
738         struct l2cap_chan *chan = conn->smp;
739         struct hci_dev *hdev = conn->hcon->hdev;
740         struct smp_chan *smp = chan->data;
741 
742         if (max_key_size > SMP_DEV(hdev)->max_key_size ||
743             max_key_size < SMP_MIN_ENC_KEY_SIZE)
744                 return SMP_ENC_KEY_SIZE;
745 
746         smp->enc_key_size = max_key_size;
747 
748         return 0;
749 }
750 
751 static void smp_chan_destroy(struct l2cap_conn *conn)
752 {
753         struct l2cap_chan *chan = conn->smp;
754         struct smp_chan *smp = chan->data;
755         struct hci_conn *hcon = conn->hcon;
756         bool complete;
757 
758         BUG_ON(!smp);
759 
760         cancel_delayed_work_sync(&smp->security_timer);
761 
762         complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
763         mgmt_smp_complete(hcon, complete);
764 
765         kzfree(smp->csrk);
766         kzfree(smp->slave_csrk);
767         kzfree(smp->link_key);
768 
769         crypto_free_blkcipher(smp->tfm_aes);
770         crypto_free_hash(smp->tfm_cmac);
771 
772         /* Ensure that we don't leave any debug key around if debug key
773          * support hasn't been explicitly enabled.
774          */
775         if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
776             !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
777                 list_del_rcu(&smp->ltk->list);
778                 kfree_rcu(smp->ltk, rcu);
779                 smp->ltk = NULL;
780         }
781 
782         /* If pairing failed clean up any keys we might have */
783         if (!complete) {
784                 if (smp->ltk) {
785                         list_del_rcu(&smp->ltk->list);
786                         kfree_rcu(smp->ltk, rcu);
787                 }
788 
789                 if (smp->slave_ltk) {
790                         list_del_rcu(&smp->slave_ltk->list);
791                         kfree_rcu(smp->slave_ltk, rcu);
792                 }
793 
794                 if (smp->remote_irk) {
795                         list_del_rcu(&smp->remote_irk->list);
796                         kfree_rcu(smp->remote_irk, rcu);
797                 }
798         }
799 
800         chan->data = NULL;
801         kzfree(smp);
802         hci_conn_drop(hcon);
803 }
804 
805 static void smp_failure(struct l2cap_conn *conn, u8 reason)
806 {
807         struct hci_conn *hcon = conn->hcon;
808         struct l2cap_chan *chan = conn->smp;
809 
810         if (reason)
811                 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
812                              &reason);
813 
814         clear_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags);
815         mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
816 
817         if (chan->data)
818                 smp_chan_destroy(conn);
819 }
820 
821 #define JUST_WORKS      0x00
822 #define JUST_CFM        0x01
823 #define REQ_PASSKEY     0x02
824 #define CFM_PASSKEY     0x03
825 #define REQ_OOB         0x04
826 #define DSP_PASSKEY     0x05
827 #define OVERLAP         0xFF
828 
829 static const u8 gen_method[5][5] = {
830         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
831         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
832         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
834         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
835 };
836 
837 static const u8 sc_method[5][5] = {
838         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
839         { JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
840         { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
841         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
842         { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
843 };
844 
845 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
846 {
847         /* If either side has unknown io_caps, use JUST_CFM (which gets
848          * converted later to JUST_WORKS if we're initiators.
849          */
850         if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
851             remote_io > SMP_IO_KEYBOARD_DISPLAY)
852                 return JUST_CFM;
853 
854         if (test_bit(SMP_FLAG_SC, &smp->flags))
855                 return sc_method[remote_io][local_io];
856 
857         return gen_method[remote_io][local_io];
858 }
859 
860 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
861                                                 u8 local_io, u8 remote_io)
862 {
863         struct hci_conn *hcon = conn->hcon;
864         struct l2cap_chan *chan = conn->smp;
865         struct smp_chan *smp = chan->data;
866         u32 passkey = 0;
867         int ret = 0;
868 
869         /* Initialize key for JUST WORKS */
870         memset(smp->tk, 0, sizeof(smp->tk));
871         clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
872 
873         BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
874 
875         /* If neither side wants MITM, either "just" confirm an incoming
876          * request or use just-works for outgoing ones. The JUST_CFM
877          * will be converted to JUST_WORKS if necessary later in this
878          * function. If either side has MITM look up the method from the
879          * table.
880          */
881         if (!(auth & SMP_AUTH_MITM))
882                 smp->method = JUST_CFM;
883         else
884                 smp->method = get_auth_method(smp, local_io, remote_io);
885 
886         /* Don't confirm locally initiated pairing attempts */
887         if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
888                                                 &smp->flags))
889                 smp->method = JUST_WORKS;
890 
891         /* Don't bother user space with no IO capabilities */
892         if (smp->method == JUST_CFM &&
893             hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
894                 smp->method = JUST_WORKS;
895 
896         /* If Just Works, Continue with Zero TK */
897         if (smp->method == JUST_WORKS) {
898                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
899                 return 0;
900         }
901 
902         /* If this function is used for SC -> legacy fallback we
903          * can only recover the just-works case.
904          */
905         if (test_bit(SMP_FLAG_SC, &smp->flags))
906                 return -EINVAL;
907 
908         /* Not Just Works/Confirm results in MITM Authentication */
909         if (smp->method != JUST_CFM) {
910                 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
911                 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
912                         hcon->pending_sec_level = BT_SECURITY_HIGH;
913         }
914 
915         /* If both devices have Keyoard-Display I/O, the master
916          * Confirms and the slave Enters the passkey.
917          */
918         if (smp->method == OVERLAP) {
919                 if (hcon->role == HCI_ROLE_MASTER)
920                         smp->method = CFM_PASSKEY;
921                 else
922                         smp->method = REQ_PASSKEY;
923         }
924 
925         /* Generate random passkey. */
926         if (smp->method == CFM_PASSKEY) {
927                 memset(smp->tk, 0, sizeof(smp->tk));
928                 get_random_bytes(&passkey, sizeof(passkey));
929                 passkey %= 1000000;
930                 put_unaligned_le32(passkey, smp->tk);
931                 BT_DBG("PassKey: %d", passkey);
932                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
933         }
934 
935         if (smp->method == REQ_PASSKEY)
936                 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
937                                                 hcon->type, hcon->dst_type);
938         else if (smp->method == JUST_CFM)
939                 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
940                                                 hcon->type, hcon->dst_type,
941                                                 passkey, 1);
942         else
943                 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
944                                                 hcon->type, hcon->dst_type,
945                                                 passkey, 0);
946 
947         return ret;
948 }
949 
950 static u8 smp_confirm(struct smp_chan *smp)
951 {
952         struct l2cap_conn *conn = smp->conn;
953         struct smp_cmd_pairing_confirm cp;
954         int ret;
955 
956         BT_DBG("conn %p", conn);
957 
958         ret = smp_c1(smp->tfm_aes, smp->tk, smp->prnd, smp->preq, smp->prsp,
959                      conn->hcon->init_addr_type, &conn->hcon->init_addr,
960                      conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
961                      cp.confirm_val);
962         if (ret)
963                 return SMP_UNSPECIFIED;
964 
965         clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
966 
967         smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
968 
969         if (conn->hcon->out)
970                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
971         else
972                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
973 
974         return 0;
975 }
976 
977 static u8 smp_random(struct smp_chan *smp)
978 {
979         struct l2cap_conn *conn = smp->conn;
980         struct hci_conn *hcon = conn->hcon;
981         u8 confirm[16];
982         int ret;
983 
984         if (IS_ERR_OR_NULL(smp->tfm_aes))
985                 return SMP_UNSPECIFIED;
986 
987         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
988 
989         ret = smp_c1(smp->tfm_aes, smp->tk, smp->rrnd, smp->preq, smp->prsp,
990                      hcon->init_addr_type, &hcon->init_addr,
991                      hcon->resp_addr_type, &hcon->resp_addr, confirm);
992         if (ret)
993                 return SMP_UNSPECIFIED;
994 
995         if (memcmp(smp->pcnf, confirm, sizeof(smp->pcnf)) != 0) {
996                 BT_ERR("Pairing failed (confirmation values mismatch)");
997                 return SMP_CONFIRM_FAILED;
998         }
999 
1000         if (hcon->out) {
1001                 u8 stk[16];
1002                 __le64 rand = 0;
1003                 __le16 ediv = 0;
1004 
1005                 smp_s1(smp->tfm_aes, smp->tk, smp->rrnd, smp->prnd, stk);
1006 
1007                 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1008                         return SMP_UNSPECIFIED;
1009 
1010                 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1011                 hcon->enc_key_size = smp->enc_key_size;
1012                 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1013         } else {
1014                 u8 stk[16], auth;
1015                 __le64 rand = 0;
1016                 __le16 ediv = 0;
1017 
1018                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1019                              smp->prnd);
1020 
1021                 smp_s1(smp->tfm_aes, smp->tk, smp->prnd, smp->rrnd, stk);
1022 
1023                 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1024                         auth = 1;
1025                 else
1026                         auth = 0;
1027 
1028                 /* Even though there's no _SLAVE suffix this is the
1029                  * slave STK we're adding for later lookup (the master
1030                  * STK never needs to be stored).
1031                  */
1032                 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1033                             SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1034         }
1035 
1036         return 0;
1037 }
1038 
1039 static void smp_notify_keys(struct l2cap_conn *conn)
1040 {
1041         struct l2cap_chan *chan = conn->smp;
1042         struct smp_chan *smp = chan->data;
1043         struct hci_conn *hcon = conn->hcon;
1044         struct hci_dev *hdev = hcon->hdev;
1045         struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1046         struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1047         bool persistent;
1048 
1049         if (smp->remote_irk) {
1050                 mgmt_new_irk(hdev, smp->remote_irk);
1051                 /* Now that user space can be considered to know the
1052                  * identity address track the connection based on it
1053                  * from now on (assuming this is an LE link).
1054                  */
1055                 if (hcon->type == LE_LINK) {
1056                         bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1057                         hcon->dst_type = smp->remote_irk->addr_type;
1058                         queue_work(hdev->workqueue, &conn->id_addr_update_work);
1059                 }
1060 
1061                 /* When receiving an indentity resolving key for
1062                  * a remote device that does not use a resolvable
1063                  * private address, just remove the key so that
1064                  * it is possible to use the controller white
1065                  * list for scanning.
1066                  *
1067                  * Userspace will have been told to not store
1068                  * this key at this point. So it is safe to
1069                  * just remove it.
1070                  */
1071                 if (!bacmp(&smp->remote_irk->rpa, BDADDR_ANY)) {
1072                         list_del_rcu(&smp->remote_irk->list);
1073                         kfree_rcu(smp->remote_irk, rcu);
1074                         smp->remote_irk = NULL;
1075                 }
1076         }
1077 
1078         if (hcon->type == ACL_LINK) {
1079                 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1080                         persistent = false;
1081                 else
1082                         persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1083                                                &hcon->flags);
1084         } else {
1085                 /* The LTKs and CSRKs should be persistent only if both sides
1086                  * had the bonding bit set in their authentication requests.
1087                  */
1088                 persistent = !!((req->auth_req & rsp->auth_req) &
1089                                 SMP_AUTH_BONDING);
1090         }
1091 
1092 
1093         if (smp->csrk) {
1094                 smp->csrk->bdaddr_type = hcon->dst_type;
1095                 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1096                 mgmt_new_csrk(hdev, smp->csrk, persistent);
1097         }
1098 
1099         if (smp->slave_csrk) {
1100                 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1101                 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1102                 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1103         }
1104 
1105         if (smp->ltk) {
1106                 smp->ltk->bdaddr_type = hcon->dst_type;
1107                 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1108                 mgmt_new_ltk(hdev, smp->ltk, persistent);
1109         }
1110 
1111         if (smp->slave_ltk) {
1112                 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1113                 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1114                 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1115         }
1116 
1117         if (smp->link_key) {
1118                 struct link_key *key;
1119                 u8 type;
1120 
1121                 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1122                         type = HCI_LK_DEBUG_COMBINATION;
1123                 else if (hcon->sec_level == BT_SECURITY_FIPS)
1124                         type = HCI_LK_AUTH_COMBINATION_P256;
1125                 else
1126                         type = HCI_LK_UNAUTH_COMBINATION_P256;
1127 
1128                 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1129                                        smp->link_key, type, 0, &persistent);
1130                 if (key) {
1131                         mgmt_new_link_key(hdev, key, persistent);
1132 
1133                         /* Don't keep debug keys around if the relevant
1134                          * flag is not set.
1135                          */
1136                         if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1137                             key->type == HCI_LK_DEBUG_COMBINATION) {
1138                                 list_del_rcu(&key->list);
1139                                 kfree_rcu(key, rcu);
1140                         }
1141                 }
1142         }
1143 }
1144 
1145 static void sc_add_ltk(struct smp_chan *smp)
1146 {
1147         struct hci_conn *hcon = smp->conn->hcon;
1148         u8 key_type, auth;
1149 
1150         if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1151                 key_type = SMP_LTK_P256_DEBUG;
1152         else
1153                 key_type = SMP_LTK_P256;
1154 
1155         if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1156                 auth = 1;
1157         else
1158                 auth = 0;
1159 
1160         smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1161                                key_type, auth, smp->tk, smp->enc_key_size,
1162                                0, 0);
1163 }
1164 
1165 static void sc_generate_link_key(struct smp_chan *smp)
1166 {
1167         /* These constants are as specified in the core specification.
1168          * In ASCII they spell out to 'tmp1' and 'lebr'.
1169          */
1170         const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1171         const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1172 
1173         smp->link_key = kzalloc(16, GFP_KERNEL);
1174         if (!smp->link_key)
1175                 return;
1176 
1177         if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1178                 kzfree(smp->link_key);
1179                 smp->link_key = NULL;
1180                 return;
1181         }
1182 
1183         if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1184                 kzfree(smp->link_key);
1185                 smp->link_key = NULL;
1186                 return;
1187         }
1188 }
1189 
1190 static void smp_allow_key_dist(struct smp_chan *smp)
1191 {
1192         /* Allow the first expected phase 3 PDU. The rest of the PDUs
1193          * will be allowed in each PDU handler to ensure we receive
1194          * them in the correct order.
1195          */
1196         if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1197                 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1198         else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1199                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1200         else if (smp->remote_key_dist & SMP_DIST_SIGN)
1201                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1202 }
1203 
1204 static void sc_generate_ltk(struct smp_chan *smp)
1205 {
1206         /* These constants are as specified in the core specification.
1207          * In ASCII they spell out to 'tmp2' and 'brle'.
1208          */
1209         const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1210         const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1211         struct hci_conn *hcon = smp->conn->hcon;
1212         struct hci_dev *hdev = hcon->hdev;
1213         struct link_key *key;
1214 
1215         key = hci_find_link_key(hdev, &hcon->dst);
1216         if (!key) {
1217                 BT_ERR("%s No Link Key found to generate LTK", hdev->name);
1218                 return;
1219         }
1220 
1221         if (key->type == HCI_LK_DEBUG_COMBINATION)
1222                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1223 
1224         if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1225                 return;
1226 
1227         if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1228                 return;
1229 
1230         sc_add_ltk(smp);
1231 }
1232 
1233 static void smp_distribute_keys(struct smp_chan *smp)
1234 {
1235         struct smp_cmd_pairing *req, *rsp;
1236         struct l2cap_conn *conn = smp->conn;
1237         struct hci_conn *hcon = conn->hcon;
1238         struct hci_dev *hdev = hcon->hdev;
1239         __u8 *keydist;
1240 
1241         BT_DBG("conn %p", conn);
1242 
1243         rsp = (void *) &smp->prsp[1];
1244 
1245         /* The responder sends its keys first */
1246         if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1247                 smp_allow_key_dist(smp);
1248                 return;
1249         }
1250 
1251         req = (void *) &smp->preq[1];
1252 
1253         if (hcon->out) {
1254                 keydist = &rsp->init_key_dist;
1255                 *keydist &= req->init_key_dist;
1256         } else {
1257                 keydist = &rsp->resp_key_dist;
1258                 *keydist &= req->resp_key_dist;
1259         }
1260 
1261         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1262                 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1263                         sc_generate_link_key(smp);
1264                 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1265                         sc_generate_ltk(smp);
1266 
1267                 /* Clear the keys which are generated but not distributed */
1268                 *keydist &= ~SMP_SC_NO_DIST;
1269         }
1270 
1271         BT_DBG("keydist 0x%x", *keydist);
1272 
1273         if (*keydist & SMP_DIST_ENC_KEY) {
1274                 struct smp_cmd_encrypt_info enc;
1275                 struct smp_cmd_master_ident ident;
1276                 struct smp_ltk *ltk;
1277                 u8 authenticated;
1278                 __le16 ediv;
1279                 __le64 rand;
1280 
1281                 /* Make sure we generate only the significant amount of
1282                  * bytes based on the encryption key size, and set the rest
1283                  * of the value to zeroes.
1284                  */
1285                 get_random_bytes(enc.ltk, smp->enc_key_size);
1286                 memset(enc.ltk + smp->enc_key_size, 0,
1287                        sizeof(enc.ltk) - smp->enc_key_size);
1288 
1289                 get_random_bytes(&ediv, sizeof(ediv));
1290                 get_random_bytes(&rand, sizeof(rand));
1291 
1292                 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1293 
1294                 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1295                 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1296                                   SMP_LTK_SLAVE, authenticated, enc.ltk,
1297                                   smp->enc_key_size, ediv, rand);
1298                 smp->slave_ltk = ltk;
1299 
1300                 ident.ediv = ediv;
1301                 ident.rand = rand;
1302 
1303                 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1304 
1305                 *keydist &= ~SMP_DIST_ENC_KEY;
1306         }
1307 
1308         if (*keydist & SMP_DIST_ID_KEY) {
1309                 struct smp_cmd_ident_addr_info addrinfo;
1310                 struct smp_cmd_ident_info idinfo;
1311 
1312                 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1313 
1314                 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1315 
1316                 /* The hci_conn contains the local identity address
1317                  * after the connection has been established.
1318                  *
1319                  * This is true even when the connection has been
1320                  * established using a resolvable random address.
1321                  */
1322                 bacpy(&addrinfo.bdaddr, &hcon->src);
1323                 addrinfo.addr_type = hcon->src_type;
1324 
1325                 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1326                              &addrinfo);
1327 
1328                 *keydist &= ~SMP_DIST_ID_KEY;
1329         }
1330 
1331         if (*keydist & SMP_DIST_SIGN) {
1332                 struct smp_cmd_sign_info sign;
1333                 struct smp_csrk *csrk;
1334 
1335                 /* Generate a new random key */
1336                 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1337 
1338                 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1339                 if (csrk) {
1340                         if (hcon->sec_level > BT_SECURITY_MEDIUM)
1341                                 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1342                         else
1343                                 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1344                         memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1345                 }
1346                 smp->slave_csrk = csrk;
1347 
1348                 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1349 
1350                 *keydist &= ~SMP_DIST_SIGN;
1351         }
1352 
1353         /* If there are still keys to be received wait for them */
1354         if (smp->remote_key_dist & KEY_DIST_MASK) {
1355                 smp_allow_key_dist(smp);
1356                 return;
1357         }
1358 
1359         set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1360         smp_notify_keys(conn);
1361 
1362         smp_chan_destroy(conn);
1363 }
1364 
1365 static void smp_timeout(struct work_struct *work)
1366 {
1367         struct smp_chan *smp = container_of(work, struct smp_chan,
1368                                             security_timer.work);
1369         struct l2cap_conn *conn = smp->conn;
1370 
1371         BT_DBG("conn %p", conn);
1372 
1373         hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1374 }
1375 
1376 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1377 {
1378         struct l2cap_chan *chan = conn->smp;
1379         struct smp_chan *smp;
1380 
1381         smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1382         if (!smp)
1383                 return NULL;
1384 
1385         smp->tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
1386         if (IS_ERR(smp->tfm_aes)) {
1387                 BT_ERR("Unable to create ECB crypto context");
1388                 kzfree(smp);
1389                 return NULL;
1390         }
1391 
1392         smp->tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
1393         if (IS_ERR(smp->tfm_cmac)) {
1394                 BT_ERR("Unable to create CMAC crypto context");
1395                 crypto_free_blkcipher(smp->tfm_aes);
1396                 kzfree(smp);
1397                 return NULL;
1398         }
1399 
1400         smp->conn = conn;
1401         chan->data = smp;
1402 
1403         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1404 
1405         INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1406 
1407         hci_conn_hold(conn->hcon);
1408 
1409         return smp;
1410 }
1411 
1412 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1413 {
1414         struct hci_conn *hcon = smp->conn->hcon;
1415         u8 *na, *nb, a[7], b[7];
1416 
1417         if (hcon->out) {
1418                 na   = smp->prnd;
1419                 nb   = smp->rrnd;
1420         } else {
1421                 na   = smp->rrnd;
1422                 nb   = smp->prnd;
1423         }
1424 
1425         memcpy(a, &hcon->init_addr, 6);
1426         memcpy(b, &hcon->resp_addr, 6);
1427         a[6] = hcon->init_addr_type;
1428         b[6] = hcon->resp_addr_type;
1429 
1430         return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1431 }
1432 
1433 static void sc_dhkey_check(struct smp_chan *smp)
1434 {
1435         struct hci_conn *hcon = smp->conn->hcon;
1436         struct smp_cmd_dhkey_check check;
1437         u8 a[7], b[7], *local_addr, *remote_addr;
1438         u8 io_cap[3], r[16];
1439 
1440         memcpy(a, &hcon->init_addr, 6);
1441         memcpy(b, &hcon->resp_addr, 6);
1442         a[6] = hcon->init_addr_type;
1443         b[6] = hcon->resp_addr_type;
1444 
1445         if (hcon->out) {
1446                 local_addr = a;
1447                 remote_addr = b;
1448                 memcpy(io_cap, &smp->preq[1], 3);
1449         } else {
1450                 local_addr = b;
1451                 remote_addr = a;
1452                 memcpy(io_cap, &smp->prsp[1], 3);
1453         }
1454 
1455         memset(r, 0, sizeof(r));
1456 
1457         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1458                 put_unaligned_le32(hcon->passkey_notify, r);
1459 
1460         if (smp->method == REQ_OOB)
1461                 memcpy(r, smp->rr, 16);
1462 
1463         smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1464                local_addr, remote_addr, check.e);
1465 
1466         smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1467 }
1468 
1469 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1470 {
1471         struct l2cap_conn *conn = smp->conn;
1472         struct hci_conn *hcon = conn->hcon;
1473         struct smp_cmd_pairing_confirm cfm;
1474         u8 r;
1475 
1476         r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1477         r |= 0x80;
1478 
1479         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1480 
1481         if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1482                    cfm.confirm_val))
1483                 return SMP_UNSPECIFIED;
1484 
1485         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1486 
1487         return 0;
1488 }
1489 
1490 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1491 {
1492         struct l2cap_conn *conn = smp->conn;
1493         struct hci_conn *hcon = conn->hcon;
1494         struct hci_dev *hdev = hcon->hdev;
1495         u8 cfm[16], r;
1496 
1497         /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1498         if (smp->passkey_round >= 20)
1499                 return 0;
1500 
1501         switch (smp_op) {
1502         case SMP_CMD_PAIRING_RANDOM:
1503                 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1504                 r |= 0x80;
1505 
1506                 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1507                            smp->rrnd, r, cfm))
1508                         return SMP_UNSPECIFIED;
1509 
1510                 if (memcmp(smp->pcnf, cfm, 16))
1511                         return SMP_CONFIRM_FAILED;
1512 
1513                 smp->passkey_round++;
1514 
1515                 if (smp->passkey_round == 20) {
1516                         /* Generate MacKey and LTK */
1517                         if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1518                                 return SMP_UNSPECIFIED;
1519                 }
1520 
1521                 /* The round is only complete when the initiator
1522                  * receives pairing random.
1523                  */
1524                 if (!hcon->out) {
1525                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1526                                      sizeof(smp->prnd), smp->prnd);
1527                         if (smp->passkey_round == 20)
1528                                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1529                         else
1530                                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1531                         return 0;
1532                 }
1533 
1534                 /* Start the next round */
1535                 if (smp->passkey_round != 20)
1536                         return sc_passkey_round(smp, 0);
1537 
1538                 /* Passkey rounds are complete - start DHKey Check */
1539                 sc_dhkey_check(smp);
1540                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1541 
1542                 break;
1543 
1544         case SMP_CMD_PAIRING_CONFIRM:
1545                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1546                         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1547                         return 0;
1548                 }
1549 
1550                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1551 
1552                 if (hcon->out) {
1553                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1554                                      sizeof(smp->prnd), smp->prnd);
1555                         return 0;
1556                 }
1557 
1558                 return sc_passkey_send_confirm(smp);
1559 
1560         case SMP_CMD_PUBLIC_KEY:
1561         default:
1562                 /* Initiating device starts the round */
1563                 if (!hcon->out)
1564                         return 0;
1565 
1566                 BT_DBG("%s Starting passkey round %u", hdev->name,
1567                        smp->passkey_round + 1);
1568 
1569                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1570 
1571                 return sc_passkey_send_confirm(smp);
1572         }
1573 
1574         return 0;
1575 }
1576 
1577 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1578 {
1579         struct l2cap_conn *conn = smp->conn;
1580         struct hci_conn *hcon = conn->hcon;
1581         u8 smp_op;
1582 
1583         clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1584 
1585         switch (mgmt_op) {
1586         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1587                 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1588                 return 0;
1589         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1590                 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1591                 return 0;
1592         case MGMT_OP_USER_PASSKEY_REPLY:
1593                 hcon->passkey_notify = le32_to_cpu(passkey);
1594                 smp->passkey_round = 0;
1595 
1596                 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1597                         smp_op = SMP_CMD_PAIRING_CONFIRM;
1598                 else
1599                         smp_op = 0;
1600 
1601                 if (sc_passkey_round(smp, smp_op))
1602                         return -EIO;
1603 
1604                 return 0;
1605         }
1606 
1607         /* Initiator sends DHKey check first */
1608         if (hcon->out) {
1609                 sc_dhkey_check(smp);
1610                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1611         } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1612                 sc_dhkey_check(smp);
1613                 sc_add_ltk(smp);
1614         }
1615 
1616         return 0;
1617 }
1618 
1619 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1620 {
1621         struct l2cap_conn *conn = hcon->l2cap_data;
1622         struct l2cap_chan *chan;
1623         struct smp_chan *smp;
1624         u32 value;
1625         int err;
1626 
1627         BT_DBG("");
1628 
1629         if (!conn)
1630                 return -ENOTCONN;
1631 
1632         chan = conn->smp;
1633         if (!chan)
1634                 return -ENOTCONN;
1635 
1636         l2cap_chan_lock(chan);
1637         if (!chan->data) {
1638                 err = -ENOTCONN;
1639                 goto unlock;
1640         }
1641 
1642         smp = chan->data;
1643 
1644         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1645                 err = sc_user_reply(smp, mgmt_op, passkey);
1646                 goto unlock;
1647         }
1648 
1649         switch (mgmt_op) {
1650         case MGMT_OP_USER_PASSKEY_REPLY:
1651                 value = le32_to_cpu(passkey);
1652                 memset(smp->tk, 0, sizeof(smp->tk));
1653                 BT_DBG("PassKey: %d", value);
1654                 put_unaligned_le32(value, smp->tk);
1655                 /* Fall Through */
1656         case MGMT_OP_USER_CONFIRM_REPLY:
1657                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1658                 break;
1659         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1660         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1661                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1662                 err = 0;
1663                 goto unlock;
1664         default:
1665                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1666                 err = -EOPNOTSUPP;
1667                 goto unlock;
1668         }
1669 
1670         err = 0;
1671 
1672         /* If it is our turn to send Pairing Confirm, do so now */
1673         if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1674                 u8 rsp = smp_confirm(smp);
1675                 if (rsp)
1676                         smp_failure(conn, rsp);
1677         }
1678 
1679 unlock:
1680         l2cap_chan_unlock(chan);
1681         return err;
1682 }
1683 
1684 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1685                                     struct smp_cmd_pairing *req,
1686                                     struct smp_cmd_pairing *rsp)
1687 {
1688         struct l2cap_conn *conn = smp->conn;
1689         struct hci_dev *hdev = conn->hcon->hdev;
1690         u8 local_dist = 0, remote_dist = 0;
1691 
1692         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1693                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1694                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695         }
1696 
1697         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1698                 remote_dist |= SMP_DIST_ID_KEY;
1699 
1700         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1701                 local_dist |= SMP_DIST_ID_KEY;
1702 
1703         if (!rsp) {
1704                 memset(req, 0, sizeof(*req));
1705 
1706                 req->init_key_dist   = local_dist;
1707                 req->resp_key_dist   = remote_dist;
1708                 req->max_key_size    = conn->hcon->enc_key_size;
1709 
1710                 smp->remote_key_dist = remote_dist;
1711 
1712                 return;
1713         }
1714 
1715         memset(rsp, 0, sizeof(*rsp));
1716 
1717         rsp->max_key_size    = conn->hcon->enc_key_size;
1718         rsp->init_key_dist   = req->init_key_dist & remote_dist;
1719         rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1720 
1721         smp->remote_key_dist = rsp->init_key_dist;
1722 }
1723 
1724 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1725 {
1726         struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1727         struct l2cap_chan *chan = conn->smp;
1728         struct hci_dev *hdev = conn->hcon->hdev;
1729         struct smp_chan *smp;
1730         u8 key_size, auth, sec_level;
1731         int ret;
1732 
1733         BT_DBG("conn %p", conn);
1734 
1735         if (skb->len < sizeof(*req))
1736                 return SMP_INVALID_PARAMS;
1737 
1738         if (conn->hcon->role != HCI_ROLE_SLAVE)
1739                 return SMP_CMD_NOTSUPP;
1740 
1741         if (!chan->data)
1742                 smp = smp_chan_create(conn);
1743         else
1744                 smp = chan->data;
1745 
1746         if (!smp)
1747                 return SMP_UNSPECIFIED;
1748 
1749         /* We didn't start the pairing, so match remote */
1750         auth = req->auth_req & AUTH_REQ_MASK(hdev);
1751 
1752         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1753             (auth & SMP_AUTH_BONDING))
1754                 return SMP_PAIRING_NOTSUPP;
1755 
1756         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1757                 return SMP_AUTH_REQUIREMENTS;
1758 
1759         smp->preq[0] = SMP_CMD_PAIRING_REQ;
1760         memcpy(&smp->preq[1], req, sizeof(*req));
1761         skb_pull(skb, sizeof(*req));
1762 
1763         /* If the remote side's OOB flag is set it means it has
1764          * successfully received our local OOB data - therefore set the
1765          * flag to indicate that local OOB is in use.
1766          */
1767         if (req->oob_flag == SMP_OOB_PRESENT)
1768                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1769 
1770         /* SMP over BR/EDR requires special treatment */
1771         if (conn->hcon->type == ACL_LINK) {
1772                 /* We must have a BR/EDR SC link */
1773                 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1774                     !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1775                         return SMP_CROSS_TRANSP_NOT_ALLOWED;
1776 
1777                 set_bit(SMP_FLAG_SC, &smp->flags);
1778 
1779                 build_bredr_pairing_cmd(smp, req, &rsp);
1780 
1781                 key_size = min(req->max_key_size, rsp.max_key_size);
1782                 if (check_enc_key_size(conn, key_size))
1783                         return SMP_ENC_KEY_SIZE;
1784 
1785                 /* Clear bits which are generated but not distributed */
1786                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1787 
1788                 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1789                 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1790                 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1791 
1792                 smp_distribute_keys(smp);
1793                 return 0;
1794         }
1795 
1796         build_pairing_cmd(conn, req, &rsp, auth);
1797 
1798         if (rsp.auth_req & SMP_AUTH_SC)
1799                 set_bit(SMP_FLAG_SC, &smp->flags);
1800 
1801         if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1802                 sec_level = BT_SECURITY_MEDIUM;
1803         else
1804                 sec_level = authreq_to_seclevel(auth);
1805 
1806         if (sec_level > conn->hcon->pending_sec_level)
1807                 conn->hcon->pending_sec_level = sec_level;
1808 
1809         /* If we need MITM check that it can be achieved */
1810         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1811                 u8 method;
1812 
1813                 method = get_auth_method(smp, conn->hcon->io_capability,
1814                                          req->io_capability);
1815                 if (method == JUST_WORKS || method == JUST_CFM)
1816                         return SMP_AUTH_REQUIREMENTS;
1817         }
1818 
1819         key_size = min(req->max_key_size, rsp.max_key_size);
1820         if (check_enc_key_size(conn, key_size))
1821                 return SMP_ENC_KEY_SIZE;
1822 
1823         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1824 
1825         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1826         memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1827 
1828         smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1829 
1830         clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1831 
1832         /* Strictly speaking we shouldn't allow Pairing Confirm for the
1833          * SC case, however some implementations incorrectly copy RFU auth
1834          * req bits from our security request, which may create a false
1835          * positive SC enablement.
1836          */
1837         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1838 
1839         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1840                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1841                 /* Clear bits which are generated but not distributed */
1842                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1843                 /* Wait for Public Key from Initiating Device */
1844                 return 0;
1845         }
1846 
1847         /* Request setup of TK */
1848         ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1849         if (ret)
1850                 return SMP_UNSPECIFIED;
1851 
1852         return 0;
1853 }
1854 
1855 static u8 sc_send_public_key(struct smp_chan *smp)
1856 {
1857         struct hci_dev *hdev = smp->conn->hcon->hdev;
1858 
1859         BT_DBG("");
1860 
1861         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1862                 struct l2cap_chan *chan = hdev->smp_data;
1863                 struct smp_dev *smp_dev;
1864 
1865                 if (!chan || !chan->data)
1866                         return SMP_UNSPECIFIED;
1867 
1868                 smp_dev = chan->data;
1869 
1870                 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1871                 memcpy(smp->local_sk, smp_dev->local_sk, 32);
1872                 memcpy(smp->lr, smp_dev->local_rand, 16);
1873 
1874                 if (smp_dev->debug_key)
1875                         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1876 
1877                 goto done;
1878         }
1879 
1880         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1881                 BT_DBG("Using debug keys");
1882                 memcpy(smp->local_pk, debug_pk, 64);
1883                 memcpy(smp->local_sk, debug_sk, 32);
1884                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885         } else {
1886                 while (true) {
1887                         /* Generate local key pair for Secure Connections */
1888                         if (!ecc_make_key(smp->local_pk, smp->local_sk))
1889                                 return SMP_UNSPECIFIED;
1890 
1891                         /* This is unlikely, but we need to check that
1892                          * we didn't accidentially generate a debug key.
1893                          */
1894                         if (memcmp(smp->local_sk, debug_sk, 32))
1895                                 break;
1896                 }
1897         }
1898 
1899 done:
1900         SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1901         SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1902         SMP_DBG("Local Private Key:  %32phN", smp->local_sk);
1903 
1904         smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1905 
1906         return 0;
1907 }
1908 
1909 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1910 {
1911         struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1912         struct l2cap_chan *chan = conn->smp;
1913         struct smp_chan *smp = chan->data;
1914         struct hci_dev *hdev = conn->hcon->hdev;
1915         u8 key_size, auth;
1916         int ret;
1917 
1918         BT_DBG("conn %p", conn);
1919 
1920         if (skb->len < sizeof(*rsp))
1921                 return SMP_INVALID_PARAMS;
1922 
1923         if (conn->hcon->role != HCI_ROLE_MASTER)
1924                 return SMP_CMD_NOTSUPP;
1925 
1926         skb_pull(skb, sizeof(*rsp));
1927 
1928         req = (void *) &smp->preq[1];
1929 
1930         key_size = min(req->max_key_size, rsp->max_key_size);
1931         if (check_enc_key_size(conn, key_size))
1932                 return SMP_ENC_KEY_SIZE;
1933 
1934         auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1935 
1936         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1937                 return SMP_AUTH_REQUIREMENTS;
1938 
1939         /* If the remote side's OOB flag is set it means it has
1940          * successfully received our local OOB data - therefore set the
1941          * flag to indicate that local OOB is in use.
1942          */
1943         if (rsp->oob_flag == SMP_OOB_PRESENT)
1944                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1945 
1946         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1947         memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1948 
1949         /* Update remote key distribution in case the remote cleared
1950          * some bits that we had enabled in our request.
1951          */
1952         smp->remote_key_dist &= rsp->resp_key_dist;
1953 
1954         /* For BR/EDR this means we're done and can start phase 3 */
1955         if (conn->hcon->type == ACL_LINK) {
1956                 /* Clear bits which are generated but not distributed */
1957                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1958                 smp_distribute_keys(smp);
1959                 return 0;
1960         }
1961 
1962         if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1963                 set_bit(SMP_FLAG_SC, &smp->flags);
1964         else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1965                 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1966 
1967         /* If we need MITM check that it can be achieved */
1968         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1969                 u8 method;
1970 
1971                 method = get_auth_method(smp, req->io_capability,
1972                                          rsp->io_capability);
1973                 if (method == JUST_WORKS || method == JUST_CFM)
1974                         return SMP_AUTH_REQUIREMENTS;
1975         }
1976 
1977         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1978 
1979         /* Update remote key distribution in case the remote cleared
1980          * some bits that we had enabled in our request.
1981          */
1982         smp->remote_key_dist &= rsp->resp_key_dist;
1983 
1984         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1985                 /* Clear bits which are generated but not distributed */
1986                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1987                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1988                 return sc_send_public_key(smp);
1989         }
1990 
1991         auth |= req->auth_req;
1992 
1993         ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
1994         if (ret)
1995                 return SMP_UNSPECIFIED;
1996 
1997         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1998 
1999         /* Can't compose response until we have been confirmed */
2000         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2001                 return smp_confirm(smp);
2002 
2003         return 0;
2004 }
2005 
2006 static u8 sc_check_confirm(struct smp_chan *smp)
2007 {
2008         struct l2cap_conn *conn = smp->conn;
2009 
2010         BT_DBG("");
2011 
2012         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2013                 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2014 
2015         if (conn->hcon->out) {
2016                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2017                              smp->prnd);
2018                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2019         }
2020 
2021         return 0;
2022 }
2023 
2024 /* Work-around for some implementations that incorrectly copy RFU bits
2025  * from our security request and thereby create the impression that
2026  * we're doing SC when in fact the remote doesn't support it.
2027  */
2028 static int fixup_sc_false_positive(struct smp_chan *smp)
2029 {
2030         struct l2cap_conn *conn = smp->conn;
2031         struct hci_conn *hcon = conn->hcon;
2032         struct hci_dev *hdev = hcon->hdev;
2033         struct smp_cmd_pairing *req, *rsp;
2034         u8 auth;
2035 
2036         /* The issue is only observed when we're in slave role */
2037         if (hcon->out)
2038                 return SMP_UNSPECIFIED;
2039 
2040         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2041                 BT_ERR("Refusing SMP SC -> legacy fallback in SC-only mode");
2042                 return SMP_UNSPECIFIED;
2043         }
2044 
2045         BT_ERR("Trying to fall back to legacy SMP");
2046 
2047         req = (void *) &smp->preq[1];
2048         rsp = (void *) &smp->prsp[1];
2049 
2050         /* Rebuild key dist flags which may have been cleared for SC */
2051         smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2052 
2053         auth = req->auth_req & AUTH_REQ_MASK(hdev);
2054 
2055         if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2056                 BT_ERR("Failed to fall back to legacy SMP");
2057                 return SMP_UNSPECIFIED;
2058         }
2059 
2060         clear_bit(SMP_FLAG_SC, &smp->flags);
2061 
2062         return 0;
2063 }
2064 
2065 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2066 {
2067         struct l2cap_chan *chan = conn->smp;
2068         struct smp_chan *smp = chan->data;
2069 
2070         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2071 
2072         if (skb->len < sizeof(smp->pcnf))
2073                 return SMP_INVALID_PARAMS;
2074 
2075         memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2076         skb_pull(skb, sizeof(smp->pcnf));
2077 
2078         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2079                 int ret;
2080 
2081                 /* Public Key exchange must happen before any other steps */
2082                 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2083                         return sc_check_confirm(smp);
2084 
2085                 BT_ERR("Unexpected SMP Pairing Confirm");
2086 
2087                 ret = fixup_sc_false_positive(smp);
2088                 if (ret)
2089                         return ret;
2090         }
2091 
2092         if (conn->hcon->out) {
2093                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2094                              smp->prnd);
2095                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2096                 return 0;
2097         }
2098 
2099         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2100                 return smp_confirm(smp);
2101 
2102         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2103 
2104         return 0;
2105 }
2106 
2107 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2108 {
2109         struct l2cap_chan *chan = conn->smp;
2110         struct smp_chan *smp = chan->data;
2111         struct hci_conn *hcon = conn->hcon;
2112         u8 *pkax, *pkbx, *na, *nb;
2113         u32 passkey;
2114         int err;
2115 
2116         BT_DBG("conn %p", conn);
2117 
2118         if (skb->len < sizeof(smp->rrnd))
2119                 return SMP_INVALID_PARAMS;
2120 
2121         memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2122         skb_pull(skb, sizeof(smp->rrnd));
2123 
2124         if (!test_bit(SMP_FLAG_SC, &smp->flags))
2125                 return smp_random(smp);
2126 
2127         if (hcon->out) {
2128                 pkax = smp->local_pk;
2129                 pkbx = smp->remote_pk;
2130                 na   = smp->prnd;
2131                 nb   = smp->rrnd;
2132         } else {
2133                 pkax = smp->remote_pk;
2134                 pkbx = smp->local_pk;
2135                 na   = smp->rrnd;
2136                 nb   = smp->prnd;
2137         }
2138 
2139         if (smp->method == REQ_OOB) {
2140                 if (!hcon->out)
2141                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2142                                      sizeof(smp->prnd), smp->prnd);
2143                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2144                 goto mackey_and_ltk;
2145         }
2146 
2147         /* Passkey entry has special treatment */
2148         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2149                 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2150 
2151         if (hcon->out) {
2152                 u8 cfm[16];
2153 
2154                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2155                              smp->rrnd, 0, cfm);
2156                 if (err)
2157                         return SMP_UNSPECIFIED;
2158 
2159                 if (memcmp(smp->pcnf, cfm, 16))
2160                         return SMP_CONFIRM_FAILED;
2161         } else {
2162                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2163                              smp->prnd);
2164                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2165         }
2166 
2167 mackey_and_ltk:
2168         /* Generate MacKey and LTK */
2169         err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2170         if (err)
2171                 return SMP_UNSPECIFIED;
2172 
2173         if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2174                 if (hcon->out) {
2175                         sc_dhkey_check(smp);
2176                         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177                 }
2178                 return 0;
2179         }
2180 
2181         err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2182         if (err)
2183                 return SMP_UNSPECIFIED;
2184 
2185         err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2186                                         hcon->dst_type, passkey, 0);
2187         if (err)
2188                 return SMP_UNSPECIFIED;
2189 
2190         set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2191 
2192         return 0;
2193 }
2194 
2195 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2196 {
2197         struct smp_ltk *key;
2198         struct hci_conn *hcon = conn->hcon;
2199 
2200         key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2201         if (!key)
2202                 return false;
2203 
2204         if (smp_ltk_sec_level(key) < sec_level)
2205                 return false;
2206 
2207         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2208                 return true;
2209 
2210         hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2211         hcon->enc_key_size = key->enc_size;
2212 
2213         /* We never store STKs for master role, so clear this flag */
2214         clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2215 
2216         return true;
2217 }
2218 
2219 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2220                              enum smp_key_pref key_pref)
2221 {
2222         if (sec_level == BT_SECURITY_LOW)
2223                 return true;
2224 
2225         /* If we're encrypted with an STK but the caller prefers using
2226          * LTK claim insufficient security. This way we allow the
2227          * connection to be re-encrypted with an LTK, even if the LTK
2228          * provides the same level of security. Only exception is if we
2229          * don't have an LTK (e.g. because of key distribution bits).
2230          */
2231         if (key_pref == SMP_USE_LTK &&
2232             test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2233             hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2234                 return false;
2235 
2236         if (hcon->sec_level >= sec_level)
2237                 return true;
2238 
2239         return false;
2240 }
2241 
2242 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2243 {
2244         struct smp_cmd_security_req *rp = (void *) skb->data;
2245         struct smp_cmd_pairing cp;
2246         struct hci_conn *hcon = conn->hcon;
2247         struct hci_dev *hdev = hcon->hdev;
2248         struct smp_chan *smp;
2249         u8 sec_level, auth;
2250 
2251         BT_DBG("conn %p", conn);
2252 
2253         if (skb->len < sizeof(*rp))
2254                 return SMP_INVALID_PARAMS;
2255 
2256         if (hcon->role != HCI_ROLE_MASTER)
2257                 return SMP_CMD_NOTSUPP;
2258 
2259         auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2260 
2261         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2262                 return SMP_AUTH_REQUIREMENTS;
2263 
2264         if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2265                 sec_level = BT_SECURITY_MEDIUM;
2266         else
2267                 sec_level = authreq_to_seclevel(auth);
2268 
2269         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2270                 return 0;
2271 
2272         if (sec_level > hcon->pending_sec_level)
2273                 hcon->pending_sec_level = sec_level;
2274 
2275         if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2276                 return 0;
2277 
2278         smp = smp_chan_create(conn);
2279         if (!smp)
2280                 return SMP_UNSPECIFIED;
2281 
2282         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2283             (auth & SMP_AUTH_BONDING))
2284                 return SMP_PAIRING_NOTSUPP;
2285 
2286         skb_pull(skb, sizeof(*rp));
2287 
2288         memset(&cp, 0, sizeof(cp));
2289         build_pairing_cmd(conn, &cp, NULL, auth);
2290 
2291         smp->preq[0] = SMP_CMD_PAIRING_REQ;
2292         memcpy(&smp->preq[1], &cp, sizeof(cp));
2293 
2294         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2295         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2296 
2297         return 0;
2298 }
2299 
2300 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2301 {
2302         struct l2cap_conn *conn = hcon->l2cap_data;
2303         struct l2cap_chan *chan;
2304         struct smp_chan *smp;
2305         __u8 authreq;
2306         int ret;
2307 
2308         BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2309 
2310         /* This may be NULL if there's an unexpected disconnection */
2311         if (!conn)
2312                 return 1;
2313 
2314         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2315                 return 1;
2316 
2317         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2318                 return 1;
2319 
2320         if (sec_level > hcon->pending_sec_level)
2321                 hcon->pending_sec_level = sec_level;
2322 
2323         if (hcon->role == HCI_ROLE_MASTER)
2324                 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2325                         return 0;
2326 
2327         chan = conn->smp;
2328         if (!chan) {
2329                 BT_ERR("SMP security requested but not available");
2330                 return 1;
2331         }
2332 
2333         l2cap_chan_lock(chan);
2334 
2335         /* If SMP is already in progress ignore this request */
2336         if (chan->data) {
2337                 ret = 0;
2338                 goto unlock;
2339         }
2340 
2341         smp = smp_chan_create(conn);
2342         if (!smp) {
2343                 ret = 1;
2344                 goto unlock;
2345         }
2346 
2347         authreq = seclevel_to_authreq(sec_level);
2348 
2349         if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED))
2350                 authreq |= SMP_AUTH_SC;
2351 
2352         /* Require MITM if IO Capability allows or the security level
2353          * requires it.
2354          */
2355         if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2356             hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2357                 authreq |= SMP_AUTH_MITM;
2358 
2359         if (hcon->role == HCI_ROLE_MASTER) {
2360                 struct smp_cmd_pairing cp;
2361 
2362                 build_pairing_cmd(conn, &cp, NULL, authreq);
2363                 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2364                 memcpy(&smp->preq[1], &cp, sizeof(cp));
2365 
2366                 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2367                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2368         } else {
2369                 struct smp_cmd_security_req cp;
2370                 cp.auth_req = authreq;
2371                 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2372                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2373         }
2374 
2375         set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2376         ret = 0;
2377 
2378 unlock:
2379         l2cap_chan_unlock(chan);
2380         return ret;
2381 }
2382 
2383 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2384 {
2385         struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2386         struct l2cap_chan *chan = conn->smp;
2387         struct smp_chan *smp = chan->data;
2388 
2389         BT_DBG("conn %p", conn);
2390 
2391         if (skb->len < sizeof(*rp))
2392                 return SMP_INVALID_PARAMS;
2393 
2394         SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2395 
2396         skb_pull(skb, sizeof(*rp));
2397 
2398         memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2399 
2400         return 0;
2401 }
2402 
2403 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2404 {
2405         struct smp_cmd_master_ident *rp = (void *) skb->data;
2406         struct l2cap_chan *chan = conn->smp;
2407         struct smp_chan *smp = chan->data;
2408         struct hci_dev *hdev = conn->hcon->hdev;
2409         struct hci_conn *hcon = conn->hcon;
2410         struct smp_ltk *ltk;
2411         u8 authenticated;
2412 
2413         BT_DBG("conn %p", conn);
2414 
2415         if (skb->len < sizeof(*rp))
2416                 return SMP_INVALID_PARAMS;
2417 
2418         /* Mark the information as received */
2419         smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2420 
2421         if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2422                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2423         else if (smp->remote_key_dist & SMP_DIST_SIGN)
2424                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2425 
2426         skb_pull(skb, sizeof(*rp));
2427 
2428         authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2429         ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2430                           authenticated, smp->tk, smp->enc_key_size,
2431                           rp->ediv, rp->rand);
2432         smp->ltk = ltk;
2433         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2434                 smp_distribute_keys(smp);
2435 
2436         return 0;
2437 }
2438 
2439 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2440 {
2441         struct smp_cmd_ident_info *info = (void *) skb->data;
2442         struct l2cap_chan *chan = conn->smp;
2443         struct smp_chan *smp = chan->data;
2444 
2445         BT_DBG("");
2446 
2447         if (skb->len < sizeof(*info))
2448                 return SMP_INVALID_PARAMS;
2449 
2450         SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2451 
2452         skb_pull(skb, sizeof(*info));
2453 
2454         memcpy(smp->irk, info->irk, 16);
2455 
2456         return 0;
2457 }
2458 
2459 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2460                                    struct sk_buff *skb)
2461 {
2462         struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2463         struct l2cap_chan *chan = conn->smp;
2464         struct smp_chan *smp = chan->data;
2465         struct hci_conn *hcon = conn->hcon;
2466         bdaddr_t rpa;
2467 
2468         BT_DBG("");
2469 
2470         if (skb->len < sizeof(*info))
2471                 return SMP_INVALID_PARAMS;
2472 
2473         /* Mark the information as received */
2474         smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2475 
2476         if (smp->remote_key_dist & SMP_DIST_SIGN)
2477                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2478 
2479         skb_pull(skb, sizeof(*info));
2480 
2481         /* Strictly speaking the Core Specification (4.1) allows sending
2482          * an empty address which would force us to rely on just the IRK
2483          * as "identity information". However, since such
2484          * implementations are not known of and in order to not over
2485          * complicate our implementation, simply pretend that we never
2486          * received an IRK for such a device.
2487          *
2488          * The Identity Address must also be a Static Random or Public
2489          * Address, which hci_is_identity_address() checks for.
2490          */
2491         if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2492             !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2493                 BT_ERR("Ignoring IRK with no identity address");
2494                 goto distribute;
2495         }
2496 
2497         bacpy(&smp->id_addr, &info->bdaddr);
2498         smp->id_addr_type = info->addr_type;
2499 
2500         if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2501                 bacpy(&rpa, &hcon->dst);
2502         else
2503                 bacpy(&rpa, BDADDR_ANY);
2504 
2505         smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2506                                       smp->id_addr_type, smp->irk, &rpa);
2507 
2508 distribute:
2509         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2510                 smp_distribute_keys(smp);
2511 
2512         return 0;
2513 }
2514 
2515 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2516 {
2517         struct smp_cmd_sign_info *rp = (void *) skb->data;
2518         struct l2cap_chan *chan = conn->smp;
2519         struct smp_chan *smp = chan->data;
2520         struct smp_csrk *csrk;
2521 
2522         BT_DBG("conn %p", conn);
2523 
2524         if (skb->len < sizeof(*rp))
2525                 return SMP_INVALID_PARAMS;
2526 
2527         /* Mark the information as received */
2528         smp->remote_key_dist &= ~SMP_DIST_SIGN;
2529 
2530         skb_pull(skb, sizeof(*rp));
2531 
2532         csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2533         if (csrk) {
2534                 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2535                         csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2536                 else
2537                         csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2538                 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2539         }
2540         smp->csrk = csrk;
2541         smp_distribute_keys(smp);
2542 
2543         return 0;
2544 }
2545 
2546 static u8 sc_select_method(struct smp_chan *smp)
2547 {
2548         struct l2cap_conn *conn = smp->conn;
2549         struct hci_conn *hcon = conn->hcon;
2550         struct smp_cmd_pairing *local, *remote;
2551         u8 local_mitm, remote_mitm, local_io, remote_io, method;
2552 
2553         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2554             test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2555                 return REQ_OOB;
2556 
2557         /* The preq/prsp contain the raw Pairing Request/Response PDUs
2558          * which are needed as inputs to some crypto functions. To get
2559          * the "struct smp_cmd_pairing" from them we need to skip the
2560          * first byte which contains the opcode.
2561          */
2562         if (hcon->out) {
2563                 local = (void *) &smp->preq[1];
2564                 remote = (void *) &smp->prsp[1];
2565         } else {
2566                 local = (void *) &smp->prsp[1];
2567                 remote = (void *) &smp->preq[1];
2568         }
2569 
2570         local_io = local->io_capability;
2571         remote_io = remote->io_capability;
2572 
2573         local_mitm = (local->auth_req & SMP_AUTH_MITM);
2574         remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2575 
2576         /* If either side wants MITM, look up the method from the table,
2577          * otherwise use JUST WORKS.
2578          */
2579         if (local_mitm || remote_mitm)
2580                 method = get_auth_method(smp, local_io, remote_io);
2581         else
2582                 method = JUST_WORKS;
2583 
2584         /* Don't confirm locally initiated pairing attempts */
2585         if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2586                 method = JUST_WORKS;
2587 
2588         return method;
2589 }
2590 
2591 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2592 {
2593         struct smp_cmd_public_key *key = (void *) skb->data;
2594         struct hci_conn *hcon = conn->hcon;
2595         struct l2cap_chan *chan = conn->smp;
2596         struct smp_chan *smp = chan->data;
2597         struct hci_dev *hdev = hcon->hdev;
2598         struct smp_cmd_pairing_confirm cfm;
2599         int err;
2600 
2601         BT_DBG("conn %p", conn);
2602 
2603         if (skb->len < sizeof(*key))
2604                 return SMP_INVALID_PARAMS;
2605 
2606         memcpy(smp->remote_pk, key, 64);
2607 
2608         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2609                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2610                              smp->rr, 0, cfm.confirm_val);
2611                 if (err)
2612                         return SMP_UNSPECIFIED;
2613 
2614                 if (memcmp(cfm.confirm_val, smp->pcnf, 16))
2615                         return SMP_CONFIRM_FAILED;
2616         }
2617 
2618         /* Non-initiating device sends its public key after receiving
2619          * the key from the initiating device.
2620          */
2621         if (!hcon->out) {
2622                 err = sc_send_public_key(smp);
2623                 if (err)
2624                         return err;
2625         }
2626 
2627         SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2628         SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2629 
2630         if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
2631                 return SMP_UNSPECIFIED;
2632 
2633         SMP_DBG("DHKey %32phN", smp->dhkey);
2634 
2635         set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2636 
2637         smp->method = sc_select_method(smp);
2638 
2639         BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2640 
2641         /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2642         if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2643                 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2644         else
2645                 hcon->pending_sec_level = BT_SECURITY_FIPS;
2646 
2647         if (!memcmp(debug_pk, smp->remote_pk, 64))
2648                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2649 
2650         if (smp->method == DSP_PASSKEY) {
2651                 get_random_bytes(&hcon->passkey_notify,
2652                                  sizeof(hcon->passkey_notify));
2653                 hcon->passkey_notify %= 1000000;
2654                 hcon->passkey_entered = 0;
2655                 smp->passkey_round = 0;
2656                 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2657                                              hcon->dst_type,
2658                                              hcon->passkey_notify,
2659                                              hcon->passkey_entered))
2660                         return SMP_UNSPECIFIED;
2661                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2662                 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2663         }
2664 
2665         if (smp->method == REQ_OOB) {
2666                 if (hcon->out)
2667                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2668                                      sizeof(smp->prnd), smp->prnd);
2669 
2670                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2671 
2672                 return 0;
2673         }
2674 
2675         if (hcon->out)
2676                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2677 
2678         if (smp->method == REQ_PASSKEY) {
2679                 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2680                                               hcon->dst_type))
2681                         return SMP_UNSPECIFIED;
2682                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2683                 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2684                 return 0;
2685         }
2686 
2687         /* The Initiating device waits for the non-initiating device to
2688          * send the confirm value.
2689          */
2690         if (conn->hcon->out)
2691                 return 0;
2692 
2693         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2694                      0, cfm.confirm_val);
2695         if (err)
2696                 return SMP_UNSPECIFIED;
2697 
2698         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2699         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2700 
2701         return 0;
2702 }
2703 
2704 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2705 {
2706         struct smp_cmd_dhkey_check *check = (void *) skb->data;
2707         struct l2cap_chan *chan = conn->smp;
2708         struct hci_conn *hcon = conn->hcon;
2709         struct smp_chan *smp = chan->data;
2710         u8 a[7], b[7], *local_addr, *remote_addr;
2711         u8 io_cap[3], r[16], e[16];
2712         int err;
2713 
2714         BT_DBG("conn %p", conn);
2715 
2716         if (skb->len < sizeof(*check))
2717                 return SMP_INVALID_PARAMS;
2718 
2719         memcpy(a, &hcon->init_addr, 6);
2720         memcpy(b, &hcon->resp_addr, 6);
2721         a[6] = hcon->init_addr_type;
2722         b[6] = hcon->resp_addr_type;
2723 
2724         if (hcon->out) {
2725                 local_addr = a;
2726                 remote_addr = b;
2727                 memcpy(io_cap, &smp->prsp[1], 3);
2728         } else {
2729                 local_addr = b;
2730                 remote_addr = a;
2731                 memcpy(io_cap, &smp->preq[1], 3);
2732         }
2733 
2734         memset(r, 0, sizeof(r));
2735 
2736         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2737                 put_unaligned_le32(hcon->passkey_notify, r);
2738         else if (smp->method == REQ_OOB)
2739                 memcpy(r, smp->lr, 16);
2740 
2741         err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2742                      io_cap, remote_addr, local_addr, e);
2743         if (err)
2744                 return SMP_UNSPECIFIED;
2745 
2746         if (memcmp(check->e, e, 16))
2747                 return SMP_DHKEY_CHECK_FAILED;
2748 
2749         if (!hcon->out) {
2750                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2751                         set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2752                         return 0;
2753                 }
2754 
2755                 /* Slave sends DHKey check as response to master */
2756                 sc_dhkey_check(smp);
2757         }
2758 
2759         sc_add_ltk(smp);
2760 
2761         if (hcon->out) {
2762                 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2763                 hcon->enc_key_size = smp->enc_key_size;
2764         }
2765 
2766         return 0;
2767 }
2768 
2769 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2770                                    struct sk_buff *skb)
2771 {
2772         struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2773 
2774         BT_DBG("value 0x%02x", kp->value);
2775 
2776         return 0;
2777 }
2778 
2779 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2780 {
2781         struct l2cap_conn *conn = chan->conn;
2782         struct hci_conn *hcon = conn->hcon;
2783         struct smp_chan *smp;
2784         __u8 code, reason;
2785         int err = 0;
2786 
2787         if (skb->len < 1)
2788                 return -EILSEQ;
2789 
2790         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2791                 reason = SMP_PAIRING_NOTSUPP;
2792                 goto done;
2793         }
2794 
2795         code = skb->data[0];
2796         skb_pull(skb, sizeof(code));
2797 
2798         smp = chan->data;
2799 
2800         if (code > SMP_CMD_MAX)
2801                 goto drop;
2802 
2803         if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2804                 goto drop;
2805 
2806         /* If we don't have a context the only allowed commands are
2807          * pairing request and security request.
2808          */
2809         if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2810                 goto drop;
2811 
2812         switch (code) {
2813         case SMP_CMD_PAIRING_REQ:
2814                 reason = smp_cmd_pairing_req(conn, skb);
2815                 break;
2816 
2817         case SMP_CMD_PAIRING_FAIL:
2818                 smp_failure(conn, 0);
2819                 err = -EPERM;
2820                 break;
2821 
2822         case SMP_CMD_PAIRING_RSP:
2823                 reason = smp_cmd_pairing_rsp(conn, skb);
2824                 break;
2825 
2826         case SMP_CMD_SECURITY_REQ:
2827                 reason = smp_cmd_security_req(conn, skb);
2828                 break;
2829 
2830         case SMP_CMD_PAIRING_CONFIRM:
2831                 reason = smp_cmd_pairing_confirm(conn, skb);
2832                 break;
2833 
2834         case SMP_CMD_PAIRING_RANDOM:
2835                 reason = smp_cmd_pairing_random(conn, skb);
2836                 break;
2837 
2838         case SMP_CMD_ENCRYPT_INFO:
2839                 reason = smp_cmd_encrypt_info(conn, skb);
2840                 break;
2841 
2842         case SMP_CMD_MASTER_IDENT:
2843                 reason = smp_cmd_master_ident(conn, skb);
2844                 break;
2845 
2846         case SMP_CMD_IDENT_INFO:
2847                 reason = smp_cmd_ident_info(conn, skb);
2848                 break;
2849 
2850         case SMP_CMD_IDENT_ADDR_INFO:
2851                 reason = smp_cmd_ident_addr_info(conn, skb);
2852                 break;
2853 
2854         case SMP_CMD_SIGN_INFO:
2855                 reason = smp_cmd_sign_info(conn, skb);
2856                 break;
2857 
2858         case SMP_CMD_PUBLIC_KEY:
2859                 reason = smp_cmd_public_key(conn, skb);
2860                 break;
2861 
2862         case SMP_CMD_DHKEY_CHECK:
2863                 reason = smp_cmd_dhkey_check(conn, skb);
2864                 break;
2865 
2866         case SMP_CMD_KEYPRESS_NOTIFY:
2867                 reason = smp_cmd_keypress_notify(conn, skb);
2868                 break;
2869 
2870         default:
2871                 BT_DBG("Unknown command code 0x%2.2x", code);
2872                 reason = SMP_CMD_NOTSUPP;
2873                 goto done;
2874         }
2875 
2876 done:
2877         if (!err) {
2878                 if (reason)
2879                         smp_failure(conn, reason);
2880                 kfree_skb(skb);
2881         }
2882 
2883         return err;
2884 
2885 drop:
2886         BT_ERR("%s unexpected SMP command 0x%02x from %pMR", hcon->hdev->name,
2887                code, &hcon->dst);
2888         kfree_skb(skb);
2889         return 0;
2890 }
2891 
2892 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2893 {
2894         struct l2cap_conn *conn = chan->conn;
2895 
2896         BT_DBG("chan %p", chan);
2897 
2898         if (chan->data)
2899                 smp_chan_destroy(conn);
2900 
2901         conn->smp = NULL;
2902         l2cap_chan_put(chan);
2903 }
2904 
2905 static void bredr_pairing(struct l2cap_chan *chan)
2906 {
2907         struct l2cap_conn *conn = chan->conn;
2908         struct hci_conn *hcon = conn->hcon;
2909         struct hci_dev *hdev = hcon->hdev;
2910         struct smp_cmd_pairing req;
2911         struct smp_chan *smp;
2912 
2913         BT_DBG("chan %p", chan);
2914 
2915         /* Only new pairings are interesting */
2916         if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
2917                 return;
2918 
2919         /* Don't bother if we're not encrypted */
2920         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2921                 return;
2922 
2923         /* Only master may initiate SMP over BR/EDR */
2924         if (hcon->role != HCI_ROLE_MASTER)
2925                 return;
2926 
2927         /* Secure Connections support must be enabled */
2928         if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
2929                 return;
2930 
2931         /* BR/EDR must use Secure Connections for SMP */
2932         if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
2933             !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
2934                 return;
2935 
2936         /* If our LE support is not enabled don't do anything */
2937         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
2938                 return;
2939 
2940         /* Don't bother if remote LE support is not enabled */
2941         if (!lmp_host_le_capable(hcon))
2942                 return;
2943 
2944         /* Remote must support SMP fixed chan for BR/EDR */
2945         if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
2946                 return;
2947 
2948         /* Don't bother if SMP is already ongoing */
2949         if (chan->data)
2950                 return;
2951 
2952         smp = smp_chan_create(conn);
2953         if (!smp) {
2954                 BT_ERR("%s unable to create SMP context for BR/EDR",
2955                        hdev->name);
2956                 return;
2957         }
2958 
2959         set_bit(SMP_FLAG_SC, &smp->flags);
2960 
2961         BT_DBG("%s starting SMP over BR/EDR", hdev->name);
2962 
2963         /* Prepare and send the BR/EDR SMP Pairing Request */
2964         build_bredr_pairing_cmd(smp, &req, NULL);
2965 
2966         smp->preq[0] = SMP_CMD_PAIRING_REQ;
2967         memcpy(&smp->preq[1], &req, sizeof(req));
2968 
2969         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
2970         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2971 }
2972 
2973 static void smp_resume_cb(struct l2cap_chan *chan)
2974 {
2975         struct smp_chan *smp = chan->data;
2976         struct l2cap_conn *conn = chan->conn;
2977         struct hci_conn *hcon = conn->hcon;
2978 
2979         BT_DBG("chan %p", chan);
2980 
2981         if (hcon->type == ACL_LINK) {
2982                 bredr_pairing(chan);
2983                 return;
2984         }
2985 
2986         if (!smp)
2987                 return;
2988 
2989         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
2990                 return;
2991 
2992         cancel_delayed_work(&smp->security_timer);
2993 
2994         smp_distribute_keys(smp);
2995 }
2996 
2997 static void smp_ready_cb(struct l2cap_chan *chan)
2998 {
2999         struct l2cap_conn *conn = chan->conn;
3000         struct hci_conn *hcon = conn->hcon;
3001 
3002         BT_DBG("chan %p", chan);
3003 
3004         conn->smp = chan;
3005         l2cap_chan_hold(chan);
3006 
3007         if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3008                 bredr_pairing(chan);
3009 }
3010 
3011 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3012 {
3013         int err;
3014 
3015         BT_DBG("chan %p", chan);
3016 
3017         err = smp_sig_channel(chan, skb);
3018         if (err) {
3019                 struct smp_chan *smp = chan->data;
3020 
3021                 if (smp)
3022                         cancel_delayed_work_sync(&smp->security_timer);
3023 
3024                 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3025         }
3026 
3027         return err;
3028 }
3029 
3030 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3031                                         unsigned long hdr_len,
3032                                         unsigned long len, int nb)
3033 {
3034         struct sk_buff *skb;
3035 
3036         skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3037         if (!skb)
3038                 return ERR_PTR(-ENOMEM);
3039 
3040         skb->priority = HCI_PRIO_MAX;
3041         bt_cb(skb)->l2cap.chan = chan;
3042 
3043         return skb;
3044 }
3045 
3046 static const struct l2cap_ops smp_chan_ops = {
3047         .name                   = "Security Manager",
3048         .ready                  = smp_ready_cb,
3049         .recv                   = smp_recv_cb,
3050         .alloc_skb              = smp_alloc_skb_cb,
3051         .teardown               = smp_teardown_cb,
3052         .resume                 = smp_resume_cb,
3053 
3054         .new_connection         = l2cap_chan_no_new_connection,
3055         .state_change           = l2cap_chan_no_state_change,
3056         .close                  = l2cap_chan_no_close,
3057         .defer                  = l2cap_chan_no_defer,
3058         .suspend                = l2cap_chan_no_suspend,
3059         .set_shutdown           = l2cap_chan_no_set_shutdown,
3060         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3061 };
3062 
3063 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3064 {
3065         struct l2cap_chan *chan;
3066 
3067         BT_DBG("pchan %p", pchan);
3068 
3069         chan = l2cap_chan_create();
3070         if (!chan)
3071                 return NULL;
3072 
3073         chan->chan_type = pchan->chan_type;
3074         chan->ops       = &smp_chan_ops;
3075         chan->scid      = pchan->scid;
3076         chan->dcid      = chan->scid;
3077         chan->imtu      = pchan->imtu;
3078         chan->omtu      = pchan->omtu;
3079         chan->mode      = pchan->mode;
3080 
3081         /* Other L2CAP channels may request SMP routines in order to
3082          * change the security level. This means that the SMP channel
3083          * lock must be considered in its own category to avoid lockdep
3084          * warnings.
3085          */
3086         atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3087 
3088         BT_DBG("created chan %p", chan);
3089 
3090         return chan;
3091 }
3092 
3093 static const struct l2cap_ops smp_root_chan_ops = {
3094         .name                   = "Security Manager Root",
3095         .new_connection         = smp_new_conn_cb,
3096 
3097         /* None of these are implemented for the root channel */
3098         .close                  = l2cap_chan_no_close,
3099         .alloc_skb              = l2cap_chan_no_alloc_skb,
3100         .recv                   = l2cap_chan_no_recv,
3101         .state_change           = l2cap_chan_no_state_change,
3102         .teardown               = l2cap_chan_no_teardown,
3103         .ready                  = l2cap_chan_no_ready,
3104         .defer                  = l2cap_chan_no_defer,
3105         .suspend                = l2cap_chan_no_suspend,
3106         .resume                 = l2cap_chan_no_resume,
3107         .set_shutdown           = l2cap_chan_no_set_shutdown,
3108         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3109 };
3110 
3111 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3112 {
3113         struct l2cap_chan *chan;
3114         struct smp_dev *smp;
3115         struct crypto_blkcipher *tfm_aes;
3116         struct crypto_hash *tfm_cmac;
3117 
3118         if (cid == L2CAP_CID_SMP_BREDR) {
3119                 smp = NULL;
3120                 goto create_chan;
3121         }
3122 
3123         smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3124         if (!smp)
3125                 return ERR_PTR(-ENOMEM);
3126 
3127         tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3128         if (IS_ERR(tfm_aes)) {
3129                 BT_ERR("Unable to create ECB crypto context");
3130                 kzfree(smp);
3131                 return ERR_CAST(tfm_aes);
3132         }
3133 
3134         tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3135         if (IS_ERR(tfm_cmac)) {
3136                 BT_ERR("Unable to create CMAC crypto context");
3137                 crypto_free_blkcipher(tfm_aes);
3138                 kzfree(smp);
3139                 return ERR_CAST(tfm_cmac);
3140         }
3141 
3142         smp->tfm_aes = tfm_aes;
3143         smp->tfm_cmac = tfm_cmac;
3144         smp->min_key_size = SMP_MIN_ENC_KEY_SIZE;
3145         smp->max_key_size = SMP_MAX_ENC_KEY_SIZE;
3146 
3147 create_chan:
3148         chan = l2cap_chan_create();
3149         if (!chan) {
3150                 if (smp) {
3151                         crypto_free_blkcipher(smp->tfm_aes);
3152                         crypto_free_hash(smp->tfm_cmac);
3153                         kzfree(smp);
3154                 }
3155                 return ERR_PTR(-ENOMEM);
3156         }
3157 
3158         chan->data = smp;
3159 
3160         l2cap_add_scid(chan, cid);
3161 
3162         l2cap_chan_set_defaults(chan);
3163 
3164         if (cid == L2CAP_CID_SMP) {
3165                 u8 bdaddr_type;
3166 
3167                 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3168 
3169                 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3170                         chan->src_type = BDADDR_LE_PUBLIC;
3171                 else
3172                         chan->src_type = BDADDR_LE_RANDOM;
3173         } else {
3174                 bacpy(&chan->src, &hdev->bdaddr);
3175                 chan->src_type = BDADDR_BREDR;
3176         }
3177 
3178         chan->state = BT_LISTEN;
3179         chan->mode = L2CAP_MODE_BASIC;
3180         chan->imtu = L2CAP_DEFAULT_MTU;
3181         chan->ops = &smp_root_chan_ops;
3182 
3183         /* Set correct nesting level for a parent/listening channel */
3184         atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3185 
3186         return chan;
3187 }
3188 
3189 static void smp_del_chan(struct l2cap_chan *chan)
3190 {
3191         struct smp_dev *smp;
3192 
3193         BT_DBG("chan %p", chan);
3194 
3195         smp = chan->data;
3196         if (smp) {
3197                 chan->data = NULL;
3198                 if (smp->tfm_aes)
3199                         crypto_free_blkcipher(smp->tfm_aes);
3200                 if (smp->tfm_cmac)
3201                         crypto_free_hash(smp->tfm_cmac);
3202                 kzfree(smp);
3203         }
3204 
3205         l2cap_chan_put(chan);
3206 }
3207 
3208 static ssize_t force_bredr_smp_read(struct file *file,
3209                                     char __user *user_buf,
3210                                     size_t count, loff_t *ppos)
3211 {
3212         struct hci_dev *hdev = file->private_data;
3213         char buf[3];
3214 
3215         buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3216         buf[1] = '\n';
3217         buf[2] = '\0';
3218         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3219 }
3220 
3221 static ssize_t force_bredr_smp_write(struct file *file,
3222                                      const char __user *user_buf,
3223                                      size_t count, loff_t *ppos)
3224 {
3225         struct hci_dev *hdev = file->private_data;
3226         char buf[32];
3227         size_t buf_size = min(count, (sizeof(buf)-1));
3228         bool enable;
3229 
3230         if (copy_from_user(buf, user_buf, buf_size))
3231                 return -EFAULT;
3232 
3233         buf[buf_size] = '\0';
3234         if (strtobool(buf, &enable))
3235                 return -EINVAL;
3236 
3237         if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3238                 return -EALREADY;
3239 
3240         if (enable) {
3241                 struct l2cap_chan *chan;
3242 
3243                 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3244                 if (IS_ERR(chan))
3245                         return PTR_ERR(chan);
3246 
3247                 hdev->smp_bredr_data = chan;
3248         } else {
3249                 struct l2cap_chan *chan;
3250 
3251                 chan = hdev->smp_bredr_data;
3252                 hdev->smp_bredr_data = NULL;
3253                 smp_del_chan(chan);
3254         }
3255 
3256         hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3257 
3258         return count;
3259 }
3260 
3261 static const struct file_operations force_bredr_smp_fops = {
3262         .open           = simple_open,
3263         .read           = force_bredr_smp_read,
3264         .write          = force_bredr_smp_write,
3265         .llseek         = default_llseek,
3266 };
3267 
3268 static ssize_t le_min_key_size_read(struct file *file,
3269                                      char __user *user_buf,
3270                                      size_t count, loff_t *ppos)
3271 {
3272         struct hci_dev *hdev = file->private_data;
3273         char buf[4];
3274 
3275         snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->min_key_size);
3276 
3277         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3278 }
3279 
3280 static ssize_t le_min_key_size_write(struct file *file,
3281                                       const char __user *user_buf,
3282                                       size_t count, loff_t *ppos)
3283 {
3284         struct hci_dev *hdev = file->private_data;
3285         char buf[32];
3286         size_t buf_size = min(count, (sizeof(buf) - 1));
3287         u8 key_size;
3288 
3289         if (copy_from_user(buf, user_buf, buf_size))
3290                 return -EFAULT;
3291 
3292         buf[buf_size] = '\0';
3293 
3294         sscanf(buf, "%hhu", &key_size);
3295 
3296         if (key_size > SMP_DEV(hdev)->max_key_size ||
3297             key_size < SMP_MIN_ENC_KEY_SIZE)
3298                 return -EINVAL;
3299 
3300         SMP_DEV(hdev)->min_key_size = key_size;
3301 
3302         return count;
3303 }
3304 
3305 static const struct file_operations le_min_key_size_fops = {
3306         .open           = simple_open,
3307         .read           = le_min_key_size_read,
3308         .write          = le_min_key_size_write,
3309         .llseek         = default_llseek,
3310 };
3311 
3312 static ssize_t le_max_key_size_read(struct file *file,
3313                                      char __user *user_buf,
3314                                      size_t count, loff_t *ppos)
3315 {
3316         struct hci_dev *hdev = file->private_data;
3317         char buf[4];
3318 
3319         snprintf(buf, sizeof(buf), "%2u\n", SMP_DEV(hdev)->max_key_size);
3320 
3321         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3322 }
3323 
3324 static ssize_t le_max_key_size_write(struct file *file,
3325                                       const char __user *user_buf,
3326                                       size_t count, loff_t *ppos)
3327 {
3328         struct hci_dev *hdev = file->private_data;
3329         char buf[32];
3330         size_t buf_size = min(count, (sizeof(buf) - 1));
3331         u8 key_size;
3332 
3333         if (copy_from_user(buf, user_buf, buf_size))
3334                 return -EFAULT;
3335 
3336         buf[buf_size] = '\0';
3337 
3338         sscanf(buf, "%hhu", &key_size);
3339 
3340         if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3341             key_size < SMP_DEV(hdev)->min_key_size)
3342                 return -EINVAL;
3343 
3344         SMP_DEV(hdev)->max_key_size = key_size;
3345 
3346         return count;
3347 }
3348 
3349 static const struct file_operations le_max_key_size_fops = {
3350         .open           = simple_open,
3351         .read           = le_max_key_size_read,
3352         .write          = le_max_key_size_write,
3353         .llseek         = default_llseek,
3354 };
3355 
3356 int smp_register(struct hci_dev *hdev)
3357 {
3358         struct l2cap_chan *chan;
3359 
3360         BT_DBG("%s", hdev->name);
3361 
3362         /* If the controller does not support Low Energy operation, then
3363          * there is also no need to register any SMP channel.
3364          */
3365         if (!lmp_le_capable(hdev))
3366                 return 0;
3367 
3368         if (WARN_ON(hdev->smp_data)) {
3369                 chan = hdev->smp_data;
3370                 hdev->smp_data = NULL;
3371                 smp_del_chan(chan);
3372         }
3373 
3374         chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3375         if (IS_ERR(chan))
3376                 return PTR_ERR(chan);
3377 
3378         hdev->smp_data = chan;
3379 
3380         debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3381                             &le_min_key_size_fops);
3382         debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3383                             &le_max_key_size_fops);
3384 
3385         /* If the controller does not support BR/EDR Secure Connections
3386          * feature, then the BR/EDR SMP channel shall not be present.
3387          *
3388          * To test this with Bluetooth 4.0 controllers, create a debugfs
3389          * switch that allows forcing BR/EDR SMP support and accepting
3390          * cross-transport pairing on non-AES encrypted connections.
3391          */
3392         if (!lmp_sc_capable(hdev)) {
3393                 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3394                                     hdev, &force_bredr_smp_fops);
3395                 return 0;
3396         }
3397 
3398         if (WARN_ON(hdev->smp_bredr_data)) {
3399                 chan = hdev->smp_bredr_data;
3400                 hdev->smp_bredr_data = NULL;
3401                 smp_del_chan(chan);
3402         }
3403 
3404         chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3405         if (IS_ERR(chan)) {
3406                 int err = PTR_ERR(chan);
3407                 chan = hdev->smp_data;
3408                 hdev->smp_data = NULL;
3409                 smp_del_chan(chan);
3410                 return err;
3411         }
3412 
3413         hdev->smp_bredr_data = chan;
3414 
3415         return 0;
3416 }
3417 
3418 void smp_unregister(struct hci_dev *hdev)
3419 {
3420         struct l2cap_chan *chan;
3421 
3422         if (hdev->smp_bredr_data) {
3423                 chan = hdev->smp_bredr_data;
3424                 hdev->smp_bredr_data = NULL;
3425                 smp_del_chan(chan);
3426         }
3427 
3428         if (hdev->smp_data) {
3429                 chan = hdev->smp_data;
3430                 hdev->smp_data = NULL;
3431                 smp_del_chan(chan);
3432         }
3433 }
3434 
3435 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3436 
3437 static int __init test_ah(struct crypto_blkcipher *tfm_aes)
3438 {
3439         const u8 irk[16] = {
3440                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3441                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3442         const u8 r[3] = { 0x94, 0x81, 0x70 };
3443         const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3444         u8 res[3];
3445         int err;
3446 
3447         err = smp_ah(tfm_aes, irk, r, res);
3448         if (err)
3449                 return err;
3450 
3451         if (memcmp(res, exp, 3))
3452                 return -EINVAL;
3453 
3454         return 0;
3455 }
3456 
3457 static int __init test_c1(struct crypto_blkcipher *tfm_aes)
3458 {
3459         const u8 k[16] = {
3460                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3461                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3462         const u8 r[16] = {
3463                         0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3464                         0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3465         const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3466         const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3467         const u8 _iat = 0x01;
3468         const u8 _rat = 0x00;
3469         const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3470         const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3471         const u8 exp[16] = {
3472                         0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3473                         0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3474         u8 res[16];
3475         int err;
3476 
3477         err = smp_c1(tfm_aes, k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3478         if (err)
3479                 return err;
3480 
3481         if (memcmp(res, exp, 16))
3482                 return -EINVAL;
3483 
3484         return 0;
3485 }
3486 
3487 static int __init test_s1(struct crypto_blkcipher *tfm_aes)
3488 {
3489         const u8 k[16] = {
3490                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3491                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3492         const u8 r1[16] = {
3493                         0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3494         const u8 r2[16] = {
3495                         0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3496         const u8 exp[16] = {
3497                         0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3498                         0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3499         u8 res[16];
3500         int err;
3501 
3502         err = smp_s1(tfm_aes, k, r1, r2, res);
3503         if (err)
3504                 return err;
3505 
3506         if (memcmp(res, exp, 16))
3507                 return -EINVAL;
3508 
3509         return 0;
3510 }
3511 
3512 static int __init test_f4(struct crypto_hash *tfm_cmac)
3513 {
3514         const u8 u[32] = {
3515                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3516                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3517                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3518                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3519         const u8 v[32] = {
3520                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3521                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3522                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3523                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3524         const u8 x[16] = {
3525                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3526                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3527         const u8 z = 0x00;
3528         const u8 exp[16] = {
3529                         0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3530                         0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3531         u8 res[16];
3532         int err;
3533 
3534         err = smp_f4(tfm_cmac, u, v, x, z, res);
3535         if (err)
3536                 return err;
3537 
3538         if (memcmp(res, exp, 16))
3539                 return -EINVAL;
3540 
3541         return 0;
3542 }
3543 
3544 static int __init test_f5(struct crypto_hash *tfm_cmac)
3545 {
3546         const u8 w[32] = {
3547                         0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3548                         0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3549                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3550                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3551         const u8 n1[16] = {
3552                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3553                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3554         const u8 n2[16] = {
3555                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3556                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3557         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3558         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3559         const u8 exp_ltk[16] = {
3560                         0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3561                         0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3562         const u8 exp_mackey[16] = {
3563                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3564                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3565         u8 mackey[16], ltk[16];
3566         int err;
3567 
3568         err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3569         if (err)
3570                 return err;
3571 
3572         if (memcmp(mackey, exp_mackey, 16))
3573                 return -EINVAL;
3574 
3575         if (memcmp(ltk, exp_ltk, 16))
3576                 return -EINVAL;
3577 
3578         return 0;
3579 }
3580 
3581 static int __init test_f6(struct crypto_hash *tfm_cmac)
3582 {
3583         const u8 w[16] = {
3584                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3585                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3586         const u8 n1[16] = {
3587                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3588                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3589         const u8 n2[16] = {
3590                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3591                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3592         const u8 r[16] = {
3593                         0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3594                         0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3595         const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3596         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3597         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3598         const u8 exp[16] = {
3599                         0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3600                         0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3601         u8 res[16];
3602         int err;
3603 
3604         err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3605         if (err)
3606                 return err;
3607 
3608         if (memcmp(res, exp, 16))
3609                 return -EINVAL;
3610 
3611         return 0;
3612 }
3613 
3614 static int __init test_g2(struct crypto_hash *tfm_cmac)
3615 {
3616         const u8 u[32] = {
3617                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3618                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3619                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3620                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3621         const u8 v[32] = {
3622                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3623                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3624                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3625                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3626         const u8 x[16] = {
3627                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3628                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3629         const u8 y[16] = {
3630                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3631                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3632         const u32 exp_val = 0x2f9ed5ba % 1000000;
3633         u32 val;
3634         int err;
3635 
3636         err = smp_g2(tfm_cmac, u, v, x, y, &val);
3637         if (err)
3638                 return err;
3639 
3640         if (val != exp_val)
3641                 return -EINVAL;
3642 
3643         return 0;
3644 }
3645 
3646 static int __init test_h6(struct crypto_hash *tfm_cmac)
3647 {
3648         const u8 w[16] = {
3649                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3650                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3651         const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3652         const u8 exp[16] = {
3653                         0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3654                         0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3655         u8 res[16];
3656         int err;
3657 
3658         err = smp_h6(tfm_cmac, w, key_id, res);
3659         if (err)
3660                 return err;
3661 
3662         if (memcmp(res, exp, 16))
3663                 return -EINVAL;
3664 
3665         return 0;
3666 }
3667 
3668 static char test_smp_buffer[32];
3669 
3670 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3671                              size_t count, loff_t *ppos)
3672 {
3673         return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3674                                        strlen(test_smp_buffer));
3675 }
3676 
3677 static const struct file_operations test_smp_fops = {
3678         .open           = simple_open,
3679         .read           = test_smp_read,
3680         .llseek         = default_llseek,
3681 };
3682 
3683 static int __init run_selftests(struct crypto_blkcipher *tfm_aes,
3684                                 struct crypto_hash *tfm_cmac)
3685 {
3686         ktime_t calltime, delta, rettime;
3687         unsigned long long duration;
3688         int err;
3689 
3690         calltime = ktime_get();
3691 
3692         err = test_ah(tfm_aes);
3693         if (err) {
3694                 BT_ERR("smp_ah test failed");
3695                 goto done;
3696         }
3697 
3698         err = test_c1(tfm_aes);
3699         if (err) {
3700                 BT_ERR("smp_c1 test failed");
3701                 goto done;
3702         }
3703 
3704         err = test_s1(tfm_aes);
3705         if (err) {
3706                 BT_ERR("smp_s1 test failed");
3707                 goto done;
3708         }
3709 
3710         err = test_f4(tfm_cmac);
3711         if (err) {
3712                 BT_ERR("smp_f4 test failed");
3713                 goto done;
3714         }
3715 
3716         err = test_f5(tfm_cmac);
3717         if (err) {
3718                 BT_ERR("smp_f5 test failed");
3719                 goto done;
3720         }
3721 
3722         err = test_f6(tfm_cmac);
3723         if (err) {
3724                 BT_ERR("smp_f6 test failed");
3725                 goto done;
3726         }
3727 
3728         err = test_g2(tfm_cmac);
3729         if (err) {
3730                 BT_ERR("smp_g2 test failed");
3731                 goto done;
3732         }
3733 
3734         err = test_h6(tfm_cmac);
3735         if (err) {
3736                 BT_ERR("smp_h6 test failed");
3737                 goto done;
3738         }
3739 
3740         rettime = ktime_get();
3741         delta = ktime_sub(rettime, calltime);
3742         duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3743 
3744         BT_INFO("SMP test passed in %llu usecs", duration);
3745 
3746 done:
3747         if (!err)
3748                 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3749                          "PASS (%llu usecs)\n", duration);
3750         else
3751                 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3752 
3753         debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3754                             &test_smp_fops);
3755 
3756         return err;
3757 }
3758 
3759 int __init bt_selftest_smp(void)
3760 {
3761         struct crypto_blkcipher *tfm_aes;
3762         struct crypto_hash *tfm_cmac;
3763         int err;
3764 
3765         tfm_aes = crypto_alloc_blkcipher("ecb(aes)", 0, CRYPTO_ALG_ASYNC);
3766         if (IS_ERR(tfm_aes)) {
3767                 BT_ERR("Unable to create ECB crypto context");
3768                 return PTR_ERR(tfm_aes);
3769         }
3770 
3771         tfm_cmac = crypto_alloc_hash("cmac(aes)", 0, CRYPTO_ALG_ASYNC);
3772         if (IS_ERR(tfm_cmac)) {
3773                 BT_ERR("Unable to create CMAC crypto context");
3774                 crypto_free_blkcipher(tfm_aes);
3775                 return PTR_ERR(tfm_cmac);
3776         }
3777 
3778         err = run_selftests(tfm_aes, tfm_cmac);
3779 
3780         crypto_free_hash(tfm_cmac);
3781         crypto_free_blkcipher(tfm_aes);
3782 
3783         return err;
3784 }
3785 
3786 #endif
3787 

~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

kernel.org | git.kernel.org | LWN.net | Project Home | Wiki (Japanese) | Wiki (English) | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

osdn.jp