root/net/bluetooth/smp.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. swap_buf
  2. aes_cmac
  3. smp_f4
  4. smp_f5
  5. smp_f6
  6. smp_g2
  7. smp_h6
  8. smp_h7
  9. smp_e
  10. smp_c1
  11. smp_s1
  12. smp_ah
  13. smp_irk_matches
  14. smp_generate_rpa
  15. smp_generate_oob
  16. smp_send_cmd
  17. authreq_to_seclevel
  18. seclevel_to_authreq
  19. build_pairing_cmd
  20. check_enc_key_size
  21. smp_chan_destroy
  22. smp_failure
  23. get_auth_method
  24. tk_request
  25. smp_confirm
  26. smp_random
  27. smp_notify_keys
  28. sc_add_ltk
  29. sc_generate_link_key
  30. smp_allow_key_dist
  31. sc_generate_ltk
  32. smp_distribute_keys
  33. smp_timeout
  34. smp_chan_create
  35. sc_mackey_and_ltk
  36. sc_dhkey_check
  37. sc_passkey_send_confirm
  38. sc_passkey_round
  39. sc_user_reply
  40. smp_user_confirm_reply
  41. build_bredr_pairing_cmd
  42. smp_cmd_pairing_req
  43. sc_send_public_key
  44. smp_cmd_pairing_rsp
  45. sc_check_confirm
  46. fixup_sc_false_positive
  47. smp_cmd_pairing_confirm
  48. smp_cmd_pairing_random
  49. smp_ltk_encrypt
  50. smp_sufficient_security
  51. smp_cmd_security_req
  52. smp_conn_security
  53. smp_cancel_and_remove_pairing
  54. smp_cmd_encrypt_info
  55. smp_cmd_master_ident
  56. smp_cmd_ident_info
  57. smp_cmd_ident_addr_info
  58. smp_cmd_sign_info
  59. sc_select_method
  60. smp_cmd_public_key
  61. smp_cmd_dhkey_check
  62. smp_cmd_keypress_notify
  63. smp_sig_channel
  64. smp_teardown_cb
  65. bredr_pairing
  66. smp_resume_cb
  67. smp_ready_cb
  68. smp_recv_cb
  69. smp_alloc_skb_cb
  70. smp_new_conn_cb
  71. smp_add_cid
  72. smp_del_chan
  73. force_bredr_smp_read
  74. force_bredr_smp_write
  75. le_min_key_size_read
  76. le_min_key_size_write
  77. le_max_key_size_read
  78. le_max_key_size_write
  79. smp_register
  80. smp_unregister
  81. test_debug_key
  82. test_ah
  83. test_c1
  84. test_s1
  85. test_f4
  86. test_f5
  87. test_f6
  88. test_g2
  89. test_h6
  90. test_smp_read
  91. run_selftests
  92. bt_selftest_smp

   1 /*
   2    BlueZ - Bluetooth protocol stack for Linux
   3    Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
   4 
   5    This program is free software; you can redistribute it and/or modify
   6    it under the terms of the GNU General Public License version 2 as
   7    published by the Free Software Foundation;
   8 
   9    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  10    OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  11    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
  12    IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
  13    CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
  14    WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
  15    ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
  16    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  17 
  18    ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
  19    COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
  20    SOFTWARE IS DISCLAIMED.
  21 */
  22 
  23 #include <linux/debugfs.h>
  24 #include <linux/scatterlist.h>
  25 #include <linux/crypto.h>
  26 #include <crypto/aes.h>
  27 #include <crypto/algapi.h>
  28 #include <crypto/b128ops.h>
  29 #include <crypto/hash.h>
  30 #include <crypto/kpp.h>
  31 
  32 #include <net/bluetooth/bluetooth.h>
  33 #include <net/bluetooth/hci_core.h>
  34 #include <net/bluetooth/l2cap.h>
  35 #include <net/bluetooth/mgmt.h>
  36 
  37 #include "ecdh_helper.h"
  38 #include "smp.h"
  39 
  40 #define SMP_DEV(hdev) \
  41         ((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
  42 
  43 /* Low-level debug macros to be used for stuff that we don't want
  44  * accidentially in dmesg, i.e. the values of the various crypto keys
  45  * and the inputs & outputs of crypto functions.
  46  */
  47 #ifdef DEBUG
  48 #define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
  49                                  ##__VA_ARGS__)
  50 #else
  51 #define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
  52                                     ##__VA_ARGS__)
  53 #endif
  54 
  55 #define SMP_ALLOW_CMD(smp, code)        set_bit(code, &smp->allow_cmd)
  56 
  57 /* Keys which are not distributed with Secure Connections */
  58 #define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY);
  59 
  60 #define SMP_TIMEOUT     msecs_to_jiffies(30000)
  61 
  62 #define AUTH_REQ_MASK(dev)      (hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
  63                                  0x3f : 0x07)
  64 #define KEY_DIST_MASK           0x07
  65 
  66 /* Maximum message length that can be passed to aes_cmac */
  67 #define CMAC_MSG_MAX    80
  68 
  69 enum {
  70         SMP_FLAG_TK_VALID,
  71         SMP_FLAG_CFM_PENDING,
  72         SMP_FLAG_MITM_AUTH,
  73         SMP_FLAG_COMPLETE,
  74         SMP_FLAG_INITIATOR,
  75         SMP_FLAG_SC,
  76         SMP_FLAG_REMOTE_PK,
  77         SMP_FLAG_DEBUG_KEY,
  78         SMP_FLAG_WAIT_USER,
  79         SMP_FLAG_DHKEY_PENDING,
  80         SMP_FLAG_REMOTE_OOB,
  81         SMP_FLAG_LOCAL_OOB,
  82         SMP_FLAG_CT2,
  83 };
  84 
  85 struct smp_dev {
  86         /* Secure Connections OOB data */
  87         bool                    local_oob;
  88         u8                      local_pk[64];
  89         u8                      local_rand[16];
  90         bool                    debug_key;
  91 
  92         struct crypto_shash     *tfm_cmac;
  93         struct crypto_kpp       *tfm_ecdh;
  94 };
  95 
  96 struct smp_chan {
  97         struct l2cap_conn       *conn;
  98         struct delayed_work     security_timer;
  99         unsigned long           allow_cmd; /* Bitmask of allowed commands */
 100 
 101         u8              preq[7]; /* SMP Pairing Request */
 102         u8              prsp[7]; /* SMP Pairing Response */
 103         u8              prnd[16]; /* SMP Pairing Random (local) */
 104         u8              rrnd[16]; /* SMP Pairing Random (remote) */
 105         u8              pcnf[16]; /* SMP Pairing Confirm */
 106         u8              tk[16]; /* SMP Temporary Key */
 107         u8              rr[16]; /* Remote OOB ra/rb value */
 108         u8              lr[16]; /* Local OOB ra/rb value */
 109         u8              enc_key_size;
 110         u8              remote_key_dist;
 111         bdaddr_t        id_addr;
 112         u8              id_addr_type;
 113         u8              irk[16];
 114         struct smp_csrk *csrk;
 115         struct smp_csrk *slave_csrk;
 116         struct smp_ltk  *ltk;
 117         struct smp_ltk  *slave_ltk;
 118         struct smp_irk  *remote_irk;
 119         u8              *link_key;
 120         unsigned long   flags;
 121         u8              method;
 122         u8              passkey_round;
 123 
 124         /* Secure Connections variables */
 125         u8                      local_pk[64];
 126         u8                      remote_pk[64];
 127         u8                      dhkey[32];
 128         u8                      mackey[16];
 129 
 130         struct crypto_shash     *tfm_cmac;
 131         struct crypto_kpp       *tfm_ecdh;
 132 };
 133 
 134 /* These debug key values are defined in the SMP section of the core
 135  * specification. debug_pk is the public debug key and debug_sk the
 136  * private debug key.
 137  */
 138 static const u8 debug_pk[64] = {
 139                 0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
 140                 0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
 141                 0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
 142                 0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
 143 
 144                 0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
 145                 0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
 146                 0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
 147                 0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
 148 };
 149 
 150 static const u8 debug_sk[32] = {
 151                 0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
 152                 0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
 153                 0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
 154                 0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
 155 };
 156 
 157 static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
 158 {
 159         size_t i;
 160 
 161         for (i = 0; i < len; i++)
 162                 dst[len - 1 - i] = src[i];
 163 }
 164 
 165 /* The following functions map to the LE SC SMP crypto functions
 166  * AES-CMAC, f4, f5, f6, g2 and h6.
 167  */
 168 
 169 static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
 170                     size_t len, u8 mac[16])
 171 {
 172         uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
 173         SHASH_DESC_ON_STACK(desc, tfm);
 174         int err;
 175 
 176         if (len > CMAC_MSG_MAX)
 177                 return -EFBIG;
 178 
 179         if (!tfm) {
 180                 BT_ERR("tfm %p", tfm);
 181                 return -EINVAL;
 182         }
 183 
 184         desc->tfm = tfm;
 185 
 186         /* Swap key and message from LSB to MSB */
 187         swap_buf(k, tmp, 16);
 188         swap_buf(m, msg_msb, len);
 189 
 190         SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
 191         SMP_DBG("key %16phN", k);
 192 
 193         err = crypto_shash_setkey(tfm, tmp, 16);
 194         if (err) {
 195                 BT_ERR("cipher setkey failed: %d", err);
 196                 return err;
 197         }
 198 
 199         err = crypto_shash_digest(desc, msg_msb, len, mac_msb);
 200         shash_desc_zero(desc);
 201         if (err) {
 202                 BT_ERR("Hash computation error %d", err);
 203                 return err;
 204         }
 205 
 206         swap_buf(mac_msb, mac, 16);
 207 
 208         SMP_DBG("mac %16phN", mac);
 209 
 210         return 0;
 211 }
 212 
 213 static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
 214                   const u8 v[32], const u8 x[16], u8 z, u8 res[16])
 215 {
 216         u8 m[65];
 217         int err;
 218 
 219         SMP_DBG("u %32phN", u);
 220         SMP_DBG("v %32phN", v);
 221         SMP_DBG("x %16phN z %02x", x, z);
 222 
 223         m[0] = z;
 224         memcpy(m + 1, v, 32);
 225         memcpy(m + 33, u, 32);
 226 
 227         err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
 228         if (err)
 229                 return err;
 230 
 231         SMP_DBG("res %16phN", res);
 232 
 233         return err;
 234 }
 235 
 236 static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
 237                   const u8 n1[16], const u8 n2[16], const u8 a1[7],
 238                   const u8 a2[7], u8 mackey[16], u8 ltk[16])
 239 {
 240         /* The btle, salt and length "magic" values are as defined in
 241          * the SMP section of the Bluetooth core specification. In ASCII
 242          * the btle value ends up being 'btle'. The salt is just a
 243          * random number whereas length is the value 256 in little
 244          * endian format.
 245          */
 246         const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
 247         const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
 248                               0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
 249         const u8 length[2] = { 0x00, 0x01 };
 250         u8 m[53], t[16];
 251         int err;
 252 
 253         SMP_DBG("w %32phN", w);
 254         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 255         SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
 256 
 257         err = aes_cmac(tfm_cmac, salt, w, 32, t);
 258         if (err)
 259                 return err;
 260 
 261         SMP_DBG("t %16phN", t);
 262 
 263         memcpy(m, length, 2);
 264         memcpy(m + 2, a2, 7);
 265         memcpy(m + 9, a1, 7);
 266         memcpy(m + 16, n2, 16);
 267         memcpy(m + 32, n1, 16);
 268         memcpy(m + 48, btle, 4);
 269 
 270         m[52] = 0; /* Counter */
 271 
 272         err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
 273         if (err)
 274                 return err;
 275 
 276         SMP_DBG("mackey %16phN", mackey);
 277 
 278         m[52] = 1; /* Counter */
 279 
 280         err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
 281         if (err)
 282                 return err;
 283 
 284         SMP_DBG("ltk %16phN", ltk);
 285 
 286         return 0;
 287 }
 288 
 289 static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
 290                   const u8 n1[16], const u8 n2[16], const u8 r[16],
 291                   const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
 292                   u8 res[16])
 293 {
 294         u8 m[65];
 295         int err;
 296 
 297         SMP_DBG("w %16phN", w);
 298         SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
 299         SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
 300 
 301         memcpy(m, a2, 7);
 302         memcpy(m + 7, a1, 7);
 303         memcpy(m + 14, io_cap, 3);
 304         memcpy(m + 17, r, 16);
 305         memcpy(m + 33, n2, 16);
 306         memcpy(m + 49, n1, 16);
 307 
 308         err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
 309         if (err)
 310                 return err;
 311 
 312         SMP_DBG("res %16phN", res);
 313 
 314         return err;
 315 }
 316 
 317 static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
 318                   const u8 x[16], const u8 y[16], u32 *val)
 319 {
 320         u8 m[80], tmp[16];
 321         int err;
 322 
 323         SMP_DBG("u %32phN", u);
 324         SMP_DBG("v %32phN", v);
 325         SMP_DBG("x %16phN y %16phN", x, y);
 326 
 327         memcpy(m, y, 16);
 328         memcpy(m + 16, v, 32);
 329         memcpy(m + 48, u, 32);
 330 
 331         err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
 332         if (err)
 333                 return err;
 334 
 335         *val = get_unaligned_le32(tmp);
 336         *val %= 1000000;
 337 
 338         SMP_DBG("val %06u", *val);
 339 
 340         return 0;
 341 }
 342 
 343 static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
 344                   const u8 key_id[4], u8 res[16])
 345 {
 346         int err;
 347 
 348         SMP_DBG("w %16phN key_id %4phN", w, key_id);
 349 
 350         err = aes_cmac(tfm_cmac, w, key_id, 4, res);
 351         if (err)
 352                 return err;
 353 
 354         SMP_DBG("res %16phN", res);
 355 
 356         return err;
 357 }
 358 
 359 static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
 360                   const u8 salt[16], u8 res[16])
 361 {
 362         int err;
 363 
 364         SMP_DBG("w %16phN salt %16phN", w, salt);
 365 
 366         err = aes_cmac(tfm_cmac, salt, w, 16, res);
 367         if (err)
 368                 return err;
 369 
 370         SMP_DBG("res %16phN", res);
 371 
 372         return err;
 373 }
 374 
 375 /* The following functions map to the legacy SMP crypto functions e, c1,
 376  * s1 and ah.
 377  */
 378 
 379 static int smp_e(const u8 *k, u8 *r)
 380 {
 381         struct crypto_aes_ctx ctx;
 382         uint8_t tmp[16], data[16];
 383         int err;
 384 
 385         SMP_DBG("k %16phN r %16phN", k, r);
 386 
 387         /* The most significant octet of key corresponds to k[0] */
 388         swap_buf(k, tmp, 16);
 389 
 390         err = aes_expandkey(&ctx, tmp, 16);
 391         if (err) {
 392                 BT_ERR("cipher setkey failed: %d", err);
 393                 return err;
 394         }
 395 
 396         /* Most significant octet of plaintextData corresponds to data[0] */
 397         swap_buf(r, data, 16);
 398 
 399         aes_encrypt(&ctx, data, data);
 400 
 401         /* Most significant octet of encryptedData corresponds to data[0] */
 402         swap_buf(data, r, 16);
 403 
 404         SMP_DBG("r %16phN", r);
 405 
 406         memzero_explicit(&ctx, sizeof (ctx));
 407         return err;
 408 }
 409 
 410 static int smp_c1(const u8 k[16],
 411                   const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
 412                   const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
 413 {
 414         u8 p1[16], p2[16];
 415         int err;
 416 
 417         SMP_DBG("k %16phN r %16phN", k, r);
 418         SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
 419         SMP_DBG("preq %7phN pres %7phN", preq, pres);
 420 
 421         memset(p1, 0, 16);
 422 
 423         /* p1 = pres || preq || _rat || _iat */
 424         p1[0] = _iat;
 425         p1[1] = _rat;
 426         memcpy(p1 + 2, preq, 7);
 427         memcpy(p1 + 9, pres, 7);
 428 
 429         SMP_DBG("p1 %16phN", p1);
 430 
 431         /* res = r XOR p1 */
 432         u128_xor((u128 *) res, (u128 *) r, (u128 *) p1);
 433 
 434         /* res = e(k, res) */
 435         err = smp_e(k, res);
 436         if (err) {
 437                 BT_ERR("Encrypt data error");
 438                 return err;
 439         }
 440 
 441         /* p2 = padding || ia || ra */
 442         memcpy(p2, ra, 6);
 443         memcpy(p2 + 6, ia, 6);
 444         memset(p2 + 12, 0, 4);
 445 
 446         SMP_DBG("p2 %16phN", p2);
 447 
 448         /* res = res XOR p2 */
 449         u128_xor((u128 *) res, (u128 *) res, (u128 *) p2);
 450 
 451         /* res = e(k, res) */
 452         err = smp_e(k, res);
 453         if (err)
 454                 BT_ERR("Encrypt data error");
 455 
 456         return err;
 457 }
 458 
 459 static int smp_s1(const u8 k[16],
 460                   const u8 r1[16], const u8 r2[16], u8 _r[16])
 461 {
 462         int err;
 463 
 464         /* Just least significant octets from r1 and r2 are considered */
 465         memcpy(_r, r2, 8);
 466         memcpy(_r + 8, r1, 8);
 467 
 468         err = smp_e(k, _r);
 469         if (err)
 470                 BT_ERR("Encrypt data error");
 471 
 472         return err;
 473 }
 474 
 475 static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
 476 {
 477         u8 _res[16];
 478         int err;
 479 
 480         /* r' = padding || r */
 481         memcpy(_res, r, 3);
 482         memset(_res + 3, 0, 13);
 483 
 484         err = smp_e(irk, _res);
 485         if (err) {
 486                 BT_ERR("Encrypt error");
 487                 return err;
 488         }
 489 
 490         /* The output of the random address function ah is:
 491          *      ah(k, r) = e(k, r') mod 2^24
 492          * The output of the security function e is then truncated to 24 bits
 493          * by taking the least significant 24 bits of the output of e as the
 494          * result of ah.
 495          */
 496         memcpy(res, _res, 3);
 497 
 498         return 0;
 499 }
 500 
 501 bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
 502                      const bdaddr_t *bdaddr)
 503 {
 504         struct l2cap_chan *chan = hdev->smp_data;
 505         struct smp_dev *smp;
 506         u8 hash[3];
 507         int err;
 508 
 509         if (!chan || !chan->data)
 510                 return false;
 511 
 512         smp = chan->data;
 513 
 514         BT_DBG("RPA %pMR IRK %*phN", bdaddr, 16, irk);
 515 
 516         err = smp_ah(irk, &bdaddr->b[3], hash);
 517         if (err)
 518                 return false;
 519 
 520         return !crypto_memneq(bdaddr->b, hash, 3);
 521 }
 522 
 523 int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
 524 {
 525         struct l2cap_chan *chan = hdev->smp_data;
 526         struct smp_dev *smp;
 527         int err;
 528 
 529         if (!chan || !chan->data)
 530                 return -EOPNOTSUPP;
 531 
 532         smp = chan->data;
 533 
 534         get_random_bytes(&rpa->b[3], 3);
 535 
 536         rpa->b[5] &= 0x3f;      /* Clear two most significant bits */
 537         rpa->b[5] |= 0x40;      /* Set second most significant bit */
 538 
 539         err = smp_ah(irk, &rpa->b[3], rpa->b);
 540         if (err < 0)
 541                 return err;
 542 
 543         BT_DBG("RPA %pMR", rpa);
 544 
 545         return 0;
 546 }
 547 
 548 int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
 549 {
 550         struct l2cap_chan *chan = hdev->smp_data;
 551         struct smp_dev *smp;
 552         int err;
 553 
 554         if (!chan || !chan->data)
 555                 return -EOPNOTSUPP;
 556 
 557         smp = chan->data;
 558 
 559         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
 560                 BT_DBG("Using debug keys");
 561                 err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
 562                 if (err)
 563                         return err;
 564                 memcpy(smp->local_pk, debug_pk, 64);
 565                 smp->debug_key = true;
 566         } else {
 567                 while (true) {
 568                         /* Generate key pair for Secure Connections */
 569                         err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
 570                         if (err)
 571                                 return err;
 572 
 573                         /* This is unlikely, but we need to check that
 574                          * we didn't accidentially generate a debug key.
 575                          */
 576                         if (crypto_memneq(smp->local_pk, debug_pk, 64))
 577                                 break;
 578                 }
 579                 smp->debug_key = false;
 580         }
 581 
 582         SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
 583         SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
 584 
 585         get_random_bytes(smp->local_rand, 16);
 586 
 587         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
 588                      smp->local_rand, 0, hash);
 589         if (err < 0)
 590                 return err;
 591 
 592         memcpy(rand, smp->local_rand, 16);
 593 
 594         smp->local_oob = true;
 595 
 596         return 0;
 597 }
 598 
 599 static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
 600 {
 601         struct l2cap_chan *chan = conn->smp;
 602         struct smp_chan *smp;
 603         struct kvec iv[2];
 604         struct msghdr msg;
 605 
 606         if (!chan)
 607                 return;
 608 
 609         BT_DBG("code 0x%2.2x", code);
 610 
 611         iv[0].iov_base = &code;
 612         iv[0].iov_len = 1;
 613 
 614         iv[1].iov_base = data;
 615         iv[1].iov_len = len;
 616 
 617         memset(&msg, 0, sizeof(msg));
 618 
 619         iov_iter_kvec(&msg.msg_iter, WRITE, iv, 2, 1 + len);
 620 
 621         l2cap_chan_send(chan, &msg, 1 + len);
 622 
 623         if (!chan->data)
 624                 return;
 625 
 626         smp = chan->data;
 627 
 628         cancel_delayed_work_sync(&smp->security_timer);
 629         schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
 630 }
 631 
 632 static u8 authreq_to_seclevel(u8 authreq)
 633 {
 634         if (authreq & SMP_AUTH_MITM) {
 635                 if (authreq & SMP_AUTH_SC)
 636                         return BT_SECURITY_FIPS;
 637                 else
 638                         return BT_SECURITY_HIGH;
 639         } else {
 640                 return BT_SECURITY_MEDIUM;
 641         }
 642 }
 643 
 644 static __u8 seclevel_to_authreq(__u8 sec_level)
 645 {
 646         switch (sec_level) {
 647         case BT_SECURITY_FIPS:
 648         case BT_SECURITY_HIGH:
 649                 return SMP_AUTH_MITM | SMP_AUTH_BONDING;
 650         case BT_SECURITY_MEDIUM:
 651                 return SMP_AUTH_BONDING;
 652         default:
 653                 return SMP_AUTH_NONE;
 654         }
 655 }
 656 
 657 static void build_pairing_cmd(struct l2cap_conn *conn,
 658                               struct smp_cmd_pairing *req,
 659                               struct smp_cmd_pairing *rsp, __u8 authreq)
 660 {
 661         struct l2cap_chan *chan = conn->smp;
 662         struct smp_chan *smp = chan->data;
 663         struct hci_conn *hcon = conn->hcon;
 664         struct hci_dev *hdev = hcon->hdev;
 665         u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
 666 
 667         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
 668                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 669                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
 670                 authreq |= SMP_AUTH_BONDING;
 671         } else {
 672                 authreq &= ~SMP_AUTH_BONDING;
 673         }
 674 
 675         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
 676                 remote_dist |= SMP_DIST_ID_KEY;
 677 
 678         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
 679                 local_dist |= SMP_DIST_ID_KEY;
 680 
 681         if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
 682             (authreq & SMP_AUTH_SC)) {
 683                 struct oob_data *oob_data;
 684                 u8 bdaddr_type;
 685 
 686                 if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
 687                         local_dist |= SMP_DIST_LINK_KEY;
 688                         remote_dist |= SMP_DIST_LINK_KEY;
 689                 }
 690 
 691                 if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
 692                         bdaddr_type = BDADDR_LE_PUBLIC;
 693                 else
 694                         bdaddr_type = BDADDR_LE_RANDOM;
 695 
 696                 oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
 697                                                     bdaddr_type);
 698                 if (oob_data && oob_data->present) {
 699                         set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
 700                         oob_flag = SMP_OOB_PRESENT;
 701                         memcpy(smp->rr, oob_data->rand256, 16);
 702                         memcpy(smp->pcnf, oob_data->hash256, 16);
 703                         SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
 704                         SMP_DBG("OOB Remote Random: %16phN", smp->rr);
 705                 }
 706 
 707         } else {
 708                 authreq &= ~SMP_AUTH_SC;
 709         }
 710 
 711         if (rsp == NULL) {
 712                 req->io_capability = conn->hcon->io_capability;
 713                 req->oob_flag = oob_flag;
 714                 req->max_key_size = hdev->le_max_key_size;
 715                 req->init_key_dist = local_dist;
 716                 req->resp_key_dist = remote_dist;
 717                 req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 718 
 719                 smp->remote_key_dist = remote_dist;
 720                 return;
 721         }
 722 
 723         rsp->io_capability = conn->hcon->io_capability;
 724         rsp->oob_flag = oob_flag;
 725         rsp->max_key_size = hdev->le_max_key_size;
 726         rsp->init_key_dist = req->init_key_dist & remote_dist;
 727         rsp->resp_key_dist = req->resp_key_dist & local_dist;
 728         rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
 729 
 730         smp->remote_key_dist = rsp->init_key_dist;
 731 }
 732 
 733 static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
 734 {
 735         struct l2cap_chan *chan = conn->smp;
 736         struct hci_dev *hdev = conn->hcon->hdev;
 737         struct smp_chan *smp = chan->data;
 738 
 739         if (max_key_size > hdev->le_max_key_size ||
 740             max_key_size < SMP_MIN_ENC_KEY_SIZE)
 741                 return SMP_ENC_KEY_SIZE;
 742 
 743         smp->enc_key_size = max_key_size;
 744 
 745         return 0;
 746 }
 747 
 748 static void smp_chan_destroy(struct l2cap_conn *conn)
 749 {
 750         struct l2cap_chan *chan = conn->smp;
 751         struct smp_chan *smp = chan->data;
 752         struct hci_conn *hcon = conn->hcon;
 753         bool complete;
 754 
 755         BUG_ON(!smp);
 756 
 757         cancel_delayed_work_sync(&smp->security_timer);
 758 
 759         complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
 760         mgmt_smp_complete(hcon, complete);
 761 
 762         kzfree(smp->csrk);
 763         kzfree(smp->slave_csrk);
 764         kzfree(smp->link_key);
 765 
 766         crypto_free_shash(smp->tfm_cmac);
 767         crypto_free_kpp(smp->tfm_ecdh);
 768 
 769         /* Ensure that we don't leave any debug key around if debug key
 770          * support hasn't been explicitly enabled.
 771          */
 772         if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
 773             !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
 774                 list_del_rcu(&smp->ltk->list);
 775                 kfree_rcu(smp->ltk, rcu);
 776                 smp->ltk = NULL;
 777         }
 778 
 779         /* If pairing failed clean up any keys we might have */
 780         if (!complete) {
 781                 if (smp->ltk) {
 782                         list_del_rcu(&smp->ltk->list);
 783                         kfree_rcu(smp->ltk, rcu);
 784                 }
 785 
 786                 if (smp->slave_ltk) {
 787                         list_del_rcu(&smp->slave_ltk->list);
 788                         kfree_rcu(smp->slave_ltk, rcu);
 789                 }
 790 
 791                 if (smp->remote_irk) {
 792                         list_del_rcu(&smp->remote_irk->list);
 793                         kfree_rcu(smp->remote_irk, rcu);
 794                 }
 795         }
 796 
 797         chan->data = NULL;
 798         kzfree(smp);
 799         hci_conn_drop(hcon);
 800 }
 801 
 802 static void smp_failure(struct l2cap_conn *conn, u8 reason)
 803 {
 804         struct hci_conn *hcon = conn->hcon;
 805         struct l2cap_chan *chan = conn->smp;
 806 
 807         if (reason)
 808                 smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
 809                              &reason);
 810 
 811         mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
 812 
 813         if (chan->data)
 814                 smp_chan_destroy(conn);
 815 }
 816 
 817 #define JUST_WORKS      0x00
 818 #define JUST_CFM        0x01
 819 #define REQ_PASSKEY     0x02
 820 #define CFM_PASSKEY     0x03
 821 #define REQ_OOB         0x04
 822 #define DSP_PASSKEY     0x05
 823 #define OVERLAP         0xFF
 824 
 825 static const u8 gen_method[5][5] = {
 826         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 827         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 828         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 829         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 830         { CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
 831 };
 832 
 833 static const u8 sc_method[5][5] = {
 834         { JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
 835         { JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 836         { DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
 837         { JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
 838         { DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
 839 };
 840 
 841 static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
 842 {
 843         /* If either side has unknown io_caps, use JUST_CFM (which gets
 844          * converted later to JUST_WORKS if we're initiators.
 845          */
 846         if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
 847             remote_io > SMP_IO_KEYBOARD_DISPLAY)
 848                 return JUST_CFM;
 849 
 850         if (test_bit(SMP_FLAG_SC, &smp->flags))
 851                 return sc_method[remote_io][local_io];
 852 
 853         return gen_method[remote_io][local_io];
 854 }
 855 
 856 static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
 857                                                 u8 local_io, u8 remote_io)
 858 {
 859         struct hci_conn *hcon = conn->hcon;
 860         struct l2cap_chan *chan = conn->smp;
 861         struct smp_chan *smp = chan->data;
 862         u32 passkey = 0;
 863         int ret = 0;
 864 
 865         /* Initialize key for JUST WORKS */
 866         memset(smp->tk, 0, sizeof(smp->tk));
 867         clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
 868 
 869         BT_DBG("tk_request: auth:%d lcl:%d rem:%d", auth, local_io, remote_io);
 870 
 871         /* If neither side wants MITM, either "just" confirm an incoming
 872          * request or use just-works for outgoing ones. The JUST_CFM
 873          * will be converted to JUST_WORKS if necessary later in this
 874          * function. If either side has MITM look up the method from the
 875          * table.
 876          */
 877         if (!(auth & SMP_AUTH_MITM))
 878                 smp->method = JUST_CFM;
 879         else
 880                 smp->method = get_auth_method(smp, local_io, remote_io);
 881 
 882         /* Don't confirm locally initiated pairing attempts */
 883         if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
 884                                                 &smp->flags))
 885                 smp->method = JUST_WORKS;
 886 
 887         /* Don't bother user space with no IO capabilities */
 888         if (smp->method == JUST_CFM &&
 889             hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
 890                 smp->method = JUST_WORKS;
 891 
 892         /* If Just Works, Continue with Zero TK */
 893         if (smp->method == JUST_WORKS) {
 894                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 895                 return 0;
 896         }
 897 
 898         /* If this function is used for SC -> legacy fallback we
 899          * can only recover the just-works case.
 900          */
 901         if (test_bit(SMP_FLAG_SC, &smp->flags))
 902                 return -EINVAL;
 903 
 904         /* Not Just Works/Confirm results in MITM Authentication */
 905         if (smp->method != JUST_CFM) {
 906                 set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
 907                 if (hcon->pending_sec_level < BT_SECURITY_HIGH)
 908                         hcon->pending_sec_level = BT_SECURITY_HIGH;
 909         }
 910 
 911         /* If both devices have Keyoard-Display I/O, the master
 912          * Confirms and the slave Enters the passkey.
 913          */
 914         if (smp->method == OVERLAP) {
 915                 if (hcon->role == HCI_ROLE_MASTER)
 916                         smp->method = CFM_PASSKEY;
 917                 else
 918                         smp->method = REQ_PASSKEY;
 919         }
 920 
 921         /* Generate random passkey. */
 922         if (smp->method == CFM_PASSKEY) {
 923                 memset(smp->tk, 0, sizeof(smp->tk));
 924                 get_random_bytes(&passkey, sizeof(passkey));
 925                 passkey %= 1000000;
 926                 put_unaligned_le32(passkey, smp->tk);
 927                 BT_DBG("PassKey: %d", passkey);
 928                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
 929         }
 930 
 931         if (smp->method == REQ_PASSKEY)
 932                 ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
 933                                                 hcon->type, hcon->dst_type);
 934         else if (smp->method == JUST_CFM)
 935                 ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
 936                                                 hcon->type, hcon->dst_type,
 937                                                 passkey, 1);
 938         else
 939                 ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
 940                                                 hcon->type, hcon->dst_type,
 941                                                 passkey, 0);
 942 
 943         return ret;
 944 }
 945 
 946 static u8 smp_confirm(struct smp_chan *smp)
 947 {
 948         struct l2cap_conn *conn = smp->conn;
 949         struct smp_cmd_pairing_confirm cp;
 950         int ret;
 951 
 952         BT_DBG("conn %p", conn);
 953 
 954         ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
 955                      conn->hcon->init_addr_type, &conn->hcon->init_addr,
 956                      conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
 957                      cp.confirm_val);
 958         if (ret)
 959                 return SMP_UNSPECIFIED;
 960 
 961         clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
 962 
 963         smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
 964 
 965         if (conn->hcon->out)
 966                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
 967         else
 968                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
 969 
 970         return 0;
 971 }
 972 
 973 static u8 smp_random(struct smp_chan *smp)
 974 {
 975         struct l2cap_conn *conn = smp->conn;
 976         struct hci_conn *hcon = conn->hcon;
 977         u8 confirm[16];
 978         int ret;
 979 
 980         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
 981 
 982         ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
 983                      hcon->init_addr_type, &hcon->init_addr,
 984                      hcon->resp_addr_type, &hcon->resp_addr, confirm);
 985         if (ret)
 986                 return SMP_UNSPECIFIED;
 987 
 988         if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
 989                 bt_dev_err(hcon->hdev, "pairing failed "
 990                            "(confirmation values mismatch)");
 991                 return SMP_CONFIRM_FAILED;
 992         }
 993 
 994         if (hcon->out) {
 995                 u8 stk[16];
 996                 __le64 rand = 0;
 997                 __le16 ediv = 0;
 998 
 999                 smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1000 
1001                 if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1002                         return SMP_UNSPECIFIED;
1003 
1004                 hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1005                 hcon->enc_key_size = smp->enc_key_size;
1006                 set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1007         } else {
1008                 u8 stk[16], auth;
1009                 __le64 rand = 0;
1010                 __le16 ediv = 0;
1011 
1012                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1013                              smp->prnd);
1014 
1015                 smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1016 
1017                 if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1018                         auth = 1;
1019                 else
1020                         auth = 0;
1021 
1022                 /* Even though there's no _SLAVE suffix this is the
1023                  * slave STK we're adding for later lookup (the master
1024                  * STK never needs to be stored).
1025                  */
1026                 hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1027                             SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1028         }
1029 
1030         return 0;
1031 }
1032 
1033 static void smp_notify_keys(struct l2cap_conn *conn)
1034 {
1035         struct l2cap_chan *chan = conn->smp;
1036         struct smp_chan *smp = chan->data;
1037         struct hci_conn *hcon = conn->hcon;
1038         struct hci_dev *hdev = hcon->hdev;
1039         struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1040         struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1041         bool persistent;
1042 
1043         if (hcon->type == ACL_LINK) {
1044                 if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1045                         persistent = false;
1046                 else
1047                         persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1048                                                &hcon->flags);
1049         } else {
1050                 /* The LTKs, IRKs and CSRKs should be persistent only if
1051                  * both sides had the bonding bit set in their
1052                  * authentication requests.
1053                  */
1054                 persistent = !!((req->auth_req & rsp->auth_req) &
1055                                 SMP_AUTH_BONDING);
1056         }
1057 
1058         if (smp->remote_irk) {
1059                 mgmt_new_irk(hdev, smp->remote_irk, persistent);
1060 
1061                 /* Now that user space can be considered to know the
1062                  * identity address track the connection based on it
1063                  * from now on (assuming this is an LE link).
1064                  */
1065                 if (hcon->type == LE_LINK) {
1066                         bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1067                         hcon->dst_type = smp->remote_irk->addr_type;
1068                         queue_work(hdev->workqueue, &conn->id_addr_update_work);
1069                 }
1070         }
1071 
1072         if (smp->csrk) {
1073                 smp->csrk->bdaddr_type = hcon->dst_type;
1074                 bacpy(&smp->csrk->bdaddr, &hcon->dst);
1075                 mgmt_new_csrk(hdev, smp->csrk, persistent);
1076         }
1077 
1078         if (smp->slave_csrk) {
1079                 smp->slave_csrk->bdaddr_type = hcon->dst_type;
1080                 bacpy(&smp->slave_csrk->bdaddr, &hcon->dst);
1081                 mgmt_new_csrk(hdev, smp->slave_csrk, persistent);
1082         }
1083 
1084         if (smp->ltk) {
1085                 smp->ltk->bdaddr_type = hcon->dst_type;
1086                 bacpy(&smp->ltk->bdaddr, &hcon->dst);
1087                 mgmt_new_ltk(hdev, smp->ltk, persistent);
1088         }
1089 
1090         if (smp->slave_ltk) {
1091                 smp->slave_ltk->bdaddr_type = hcon->dst_type;
1092                 bacpy(&smp->slave_ltk->bdaddr, &hcon->dst);
1093                 mgmt_new_ltk(hdev, smp->slave_ltk, persistent);
1094         }
1095 
1096         if (smp->link_key) {
1097                 struct link_key *key;
1098                 u8 type;
1099 
1100                 if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1101                         type = HCI_LK_DEBUG_COMBINATION;
1102                 else if (hcon->sec_level == BT_SECURITY_FIPS)
1103                         type = HCI_LK_AUTH_COMBINATION_P256;
1104                 else
1105                         type = HCI_LK_UNAUTH_COMBINATION_P256;
1106 
1107                 key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1108                                        smp->link_key, type, 0, &persistent);
1109                 if (key) {
1110                         mgmt_new_link_key(hdev, key, persistent);
1111 
1112                         /* Don't keep debug keys around if the relevant
1113                          * flag is not set.
1114                          */
1115                         if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1116                             key->type == HCI_LK_DEBUG_COMBINATION) {
1117                                 list_del_rcu(&key->list);
1118                                 kfree_rcu(key, rcu);
1119                         }
1120                 }
1121         }
1122 }
1123 
1124 static void sc_add_ltk(struct smp_chan *smp)
1125 {
1126         struct hci_conn *hcon = smp->conn->hcon;
1127         u8 key_type, auth;
1128 
1129         if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1130                 key_type = SMP_LTK_P256_DEBUG;
1131         else
1132                 key_type = SMP_LTK_P256;
1133 
1134         if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1135                 auth = 1;
1136         else
1137                 auth = 0;
1138 
1139         smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1140                                key_type, auth, smp->tk, smp->enc_key_size,
1141                                0, 0);
1142 }
1143 
1144 static void sc_generate_link_key(struct smp_chan *smp)
1145 {
1146         /* From core spec. Spells out in ASCII as 'lebr'. */
1147         const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1148 
1149         smp->link_key = kzalloc(16, GFP_KERNEL);
1150         if (!smp->link_key)
1151                 return;
1152 
1153         if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1154                 /* SALT = 0x00000000000000000000000000000000746D7031 */
1155                 const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1156 
1157                 if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1158                         kzfree(smp->link_key);
1159                         smp->link_key = NULL;
1160                         return;
1161                 }
1162         } else {
1163                 /* From core spec. Spells out in ASCII as 'tmp1'. */
1164                 const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1165 
1166                 if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1167                         kzfree(smp->link_key);
1168                         smp->link_key = NULL;
1169                         return;
1170                 }
1171         }
1172 
1173         if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1174                 kzfree(smp->link_key);
1175                 smp->link_key = NULL;
1176                 return;
1177         }
1178 }
1179 
1180 static void smp_allow_key_dist(struct smp_chan *smp)
1181 {
1182         /* Allow the first expected phase 3 PDU. The rest of the PDUs
1183          * will be allowed in each PDU handler to ensure we receive
1184          * them in the correct order.
1185          */
1186         if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1187                 SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1188         else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1189                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1190         else if (smp->remote_key_dist & SMP_DIST_SIGN)
1191                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1192 }
1193 
1194 static void sc_generate_ltk(struct smp_chan *smp)
1195 {
1196         /* From core spec. Spells out in ASCII as 'brle'. */
1197         const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1198         struct hci_conn *hcon = smp->conn->hcon;
1199         struct hci_dev *hdev = hcon->hdev;
1200         struct link_key *key;
1201 
1202         key = hci_find_link_key(hdev, &hcon->dst);
1203         if (!key) {
1204                 bt_dev_err(hdev, "no Link Key found to generate LTK");
1205                 return;
1206         }
1207 
1208         if (key->type == HCI_LK_DEBUG_COMBINATION)
1209                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1210 
1211         if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1212                 /* SALT = 0x00000000000000000000000000000000746D7032 */
1213                 const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1214 
1215                 if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1216                         return;
1217         } else {
1218                 /* From core spec. Spells out in ASCII as 'tmp2'. */
1219                 const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1220 
1221                 if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1222                         return;
1223         }
1224 
1225         if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1226                 return;
1227 
1228         sc_add_ltk(smp);
1229 }
1230 
1231 static void smp_distribute_keys(struct smp_chan *smp)
1232 {
1233         struct smp_cmd_pairing *req, *rsp;
1234         struct l2cap_conn *conn = smp->conn;
1235         struct hci_conn *hcon = conn->hcon;
1236         struct hci_dev *hdev = hcon->hdev;
1237         __u8 *keydist;
1238 
1239         BT_DBG("conn %p", conn);
1240 
1241         rsp = (void *) &smp->prsp[1];
1242 
1243         /* The responder sends its keys first */
1244         if (hcon->out && (smp->remote_key_dist & KEY_DIST_MASK)) {
1245                 smp_allow_key_dist(smp);
1246                 return;
1247         }
1248 
1249         req = (void *) &smp->preq[1];
1250 
1251         if (hcon->out) {
1252                 keydist = &rsp->init_key_dist;
1253                 *keydist &= req->init_key_dist;
1254         } else {
1255                 keydist = &rsp->resp_key_dist;
1256                 *keydist &= req->resp_key_dist;
1257         }
1258 
1259         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1260                 if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1261                         sc_generate_link_key(smp);
1262                 if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1263                         sc_generate_ltk(smp);
1264 
1265                 /* Clear the keys which are generated but not distributed */
1266                 *keydist &= ~SMP_SC_NO_DIST;
1267         }
1268 
1269         BT_DBG("keydist 0x%x", *keydist);
1270 
1271         if (*keydist & SMP_DIST_ENC_KEY) {
1272                 struct smp_cmd_encrypt_info enc;
1273                 struct smp_cmd_master_ident ident;
1274                 struct smp_ltk *ltk;
1275                 u8 authenticated;
1276                 __le16 ediv;
1277                 __le64 rand;
1278 
1279                 /* Make sure we generate only the significant amount of
1280                  * bytes based on the encryption key size, and set the rest
1281                  * of the value to zeroes.
1282                  */
1283                 get_random_bytes(enc.ltk, smp->enc_key_size);
1284                 memset(enc.ltk + smp->enc_key_size, 0,
1285                        sizeof(enc.ltk) - smp->enc_key_size);
1286 
1287                 get_random_bytes(&ediv, sizeof(ediv));
1288                 get_random_bytes(&rand, sizeof(rand));
1289 
1290                 smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1291 
1292                 authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1293                 ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1294                                   SMP_LTK_SLAVE, authenticated, enc.ltk,
1295                                   smp->enc_key_size, ediv, rand);
1296                 smp->slave_ltk = ltk;
1297 
1298                 ident.ediv = ediv;
1299                 ident.rand = rand;
1300 
1301                 smp_send_cmd(conn, SMP_CMD_MASTER_IDENT, sizeof(ident), &ident);
1302 
1303                 *keydist &= ~SMP_DIST_ENC_KEY;
1304         }
1305 
1306         if (*keydist & SMP_DIST_ID_KEY) {
1307                 struct smp_cmd_ident_addr_info addrinfo;
1308                 struct smp_cmd_ident_info idinfo;
1309 
1310                 memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1311 
1312                 smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1313 
1314                 /* The hci_conn contains the local identity address
1315                  * after the connection has been established.
1316                  *
1317                  * This is true even when the connection has been
1318                  * established using a resolvable random address.
1319                  */
1320                 bacpy(&addrinfo.bdaddr, &hcon->src);
1321                 addrinfo.addr_type = hcon->src_type;
1322 
1323                 smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1324                              &addrinfo);
1325 
1326                 *keydist &= ~SMP_DIST_ID_KEY;
1327         }
1328 
1329         if (*keydist & SMP_DIST_SIGN) {
1330                 struct smp_cmd_sign_info sign;
1331                 struct smp_csrk *csrk;
1332 
1333                 /* Generate a new random key */
1334                 get_random_bytes(sign.csrk, sizeof(sign.csrk));
1335 
1336                 csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1337                 if (csrk) {
1338                         if (hcon->sec_level > BT_SECURITY_MEDIUM)
1339                                 csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1340                         else
1341                                 csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1342                         memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1343                 }
1344                 smp->slave_csrk = csrk;
1345 
1346                 smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1347 
1348                 *keydist &= ~SMP_DIST_SIGN;
1349         }
1350 
1351         /* If there are still keys to be received wait for them */
1352         if (smp->remote_key_dist & KEY_DIST_MASK) {
1353                 smp_allow_key_dist(smp);
1354                 return;
1355         }
1356 
1357         set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1358         smp_notify_keys(conn);
1359 
1360         smp_chan_destroy(conn);
1361 }
1362 
1363 static void smp_timeout(struct work_struct *work)
1364 {
1365         struct smp_chan *smp = container_of(work, struct smp_chan,
1366                                             security_timer.work);
1367         struct l2cap_conn *conn = smp->conn;
1368 
1369         BT_DBG("conn %p", conn);
1370 
1371         hci_disconnect(conn->hcon, HCI_ERROR_REMOTE_USER_TERM);
1372 }
1373 
1374 static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1375 {
1376         struct l2cap_chan *chan = conn->smp;
1377         struct smp_chan *smp;
1378 
1379         smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1380         if (!smp)
1381                 return NULL;
1382 
1383         smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1384         if (IS_ERR(smp->tfm_cmac)) {
1385                 BT_ERR("Unable to create CMAC crypto context");
1386                 goto zfree_smp;
1387         }
1388 
1389         smp->tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
1390         if (IS_ERR(smp->tfm_ecdh)) {
1391                 BT_ERR("Unable to create ECDH crypto context");
1392                 goto free_shash;
1393         }
1394 
1395         smp->conn = conn;
1396         chan->data = smp;
1397 
1398         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1399 
1400         INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1401 
1402         hci_conn_hold(conn->hcon);
1403 
1404         return smp;
1405 
1406 free_shash:
1407         crypto_free_shash(smp->tfm_cmac);
1408 zfree_smp:
1409         kzfree(smp);
1410         return NULL;
1411 }
1412 
1413 static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1414 {
1415         struct hci_conn *hcon = smp->conn->hcon;
1416         u8 *na, *nb, a[7], b[7];
1417 
1418         if (hcon->out) {
1419                 na   = smp->prnd;
1420                 nb   = smp->rrnd;
1421         } else {
1422                 na   = smp->rrnd;
1423                 nb   = smp->prnd;
1424         }
1425 
1426         memcpy(a, &hcon->init_addr, 6);
1427         memcpy(b, &hcon->resp_addr, 6);
1428         a[6] = hcon->init_addr_type;
1429         b[6] = hcon->resp_addr_type;
1430 
1431         return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1432 }
1433 
1434 static void sc_dhkey_check(struct smp_chan *smp)
1435 {
1436         struct hci_conn *hcon = smp->conn->hcon;
1437         struct smp_cmd_dhkey_check check;
1438         u8 a[7], b[7], *local_addr, *remote_addr;
1439         u8 io_cap[3], r[16];
1440 
1441         memcpy(a, &hcon->init_addr, 6);
1442         memcpy(b, &hcon->resp_addr, 6);
1443         a[6] = hcon->init_addr_type;
1444         b[6] = hcon->resp_addr_type;
1445 
1446         if (hcon->out) {
1447                 local_addr = a;
1448                 remote_addr = b;
1449                 memcpy(io_cap, &smp->preq[1], 3);
1450         } else {
1451                 local_addr = b;
1452                 remote_addr = a;
1453                 memcpy(io_cap, &smp->prsp[1], 3);
1454         }
1455 
1456         memset(r, 0, sizeof(r));
1457 
1458         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1459                 put_unaligned_le32(hcon->passkey_notify, r);
1460 
1461         if (smp->method == REQ_OOB)
1462                 memcpy(r, smp->rr, 16);
1463 
1464         smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1465                local_addr, remote_addr, check.e);
1466 
1467         smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1468 }
1469 
1470 static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1471 {
1472         struct l2cap_conn *conn = smp->conn;
1473         struct hci_conn *hcon = conn->hcon;
1474         struct smp_cmd_pairing_confirm cfm;
1475         u8 r;
1476 
1477         r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1478         r |= 0x80;
1479 
1480         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1481 
1482         if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1483                    cfm.confirm_val))
1484                 return SMP_UNSPECIFIED;
1485 
1486         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1487 
1488         return 0;
1489 }
1490 
1491 static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1492 {
1493         struct l2cap_conn *conn = smp->conn;
1494         struct hci_conn *hcon = conn->hcon;
1495         struct hci_dev *hdev = hcon->hdev;
1496         u8 cfm[16], r;
1497 
1498         /* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1499         if (smp->passkey_round >= 20)
1500                 return 0;
1501 
1502         switch (smp_op) {
1503         case SMP_CMD_PAIRING_RANDOM:
1504                 r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1505                 r |= 0x80;
1506 
1507                 if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1508                            smp->rrnd, r, cfm))
1509                         return SMP_UNSPECIFIED;
1510 
1511                 if (crypto_memneq(smp->pcnf, cfm, 16))
1512                         return SMP_CONFIRM_FAILED;
1513 
1514                 smp->passkey_round++;
1515 
1516                 if (smp->passkey_round == 20) {
1517                         /* Generate MacKey and LTK */
1518                         if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1519                                 return SMP_UNSPECIFIED;
1520                 }
1521 
1522                 /* The round is only complete when the initiator
1523                  * receives pairing random.
1524                  */
1525                 if (!hcon->out) {
1526                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1527                                      sizeof(smp->prnd), smp->prnd);
1528                         if (smp->passkey_round == 20)
1529                                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1530                         else
1531                                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1532                         return 0;
1533                 }
1534 
1535                 /* Start the next round */
1536                 if (smp->passkey_round != 20)
1537                         return sc_passkey_round(smp, 0);
1538 
1539                 /* Passkey rounds are complete - start DHKey Check */
1540                 sc_dhkey_check(smp);
1541                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542 
1543                 break;
1544 
1545         case SMP_CMD_PAIRING_CONFIRM:
1546                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1547                         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1548                         return 0;
1549                 }
1550 
1551                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1552 
1553                 if (hcon->out) {
1554                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1555                                      sizeof(smp->prnd), smp->prnd);
1556                         return 0;
1557                 }
1558 
1559                 return sc_passkey_send_confirm(smp);
1560 
1561         case SMP_CMD_PUBLIC_KEY:
1562         default:
1563                 /* Initiating device starts the round */
1564                 if (!hcon->out)
1565                         return 0;
1566 
1567                 BT_DBG("%s Starting passkey round %u", hdev->name,
1568                        smp->passkey_round + 1);
1569 
1570                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1571 
1572                 return sc_passkey_send_confirm(smp);
1573         }
1574 
1575         return 0;
1576 }
1577 
1578 static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1579 {
1580         struct l2cap_conn *conn = smp->conn;
1581         struct hci_conn *hcon = conn->hcon;
1582         u8 smp_op;
1583 
1584         clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1585 
1586         switch (mgmt_op) {
1587         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1588                 smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1589                 return 0;
1590         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1591                 smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1592                 return 0;
1593         case MGMT_OP_USER_PASSKEY_REPLY:
1594                 hcon->passkey_notify = le32_to_cpu(passkey);
1595                 smp->passkey_round = 0;
1596 
1597                 if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1598                         smp_op = SMP_CMD_PAIRING_CONFIRM;
1599                 else
1600                         smp_op = 0;
1601 
1602                 if (sc_passkey_round(smp, smp_op))
1603                         return -EIO;
1604 
1605                 return 0;
1606         }
1607 
1608         /* Initiator sends DHKey check first */
1609         if (hcon->out) {
1610                 sc_dhkey_check(smp);
1611                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1612         } else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1613                 sc_dhkey_check(smp);
1614                 sc_add_ltk(smp);
1615         }
1616 
1617         return 0;
1618 }
1619 
1620 int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1621 {
1622         struct l2cap_conn *conn = hcon->l2cap_data;
1623         struct l2cap_chan *chan;
1624         struct smp_chan *smp;
1625         u32 value;
1626         int err;
1627 
1628         BT_DBG("");
1629 
1630         if (!conn)
1631                 return -ENOTCONN;
1632 
1633         chan = conn->smp;
1634         if (!chan)
1635                 return -ENOTCONN;
1636 
1637         l2cap_chan_lock(chan);
1638         if (!chan->data) {
1639                 err = -ENOTCONN;
1640                 goto unlock;
1641         }
1642 
1643         smp = chan->data;
1644 
1645         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1646                 err = sc_user_reply(smp, mgmt_op, passkey);
1647                 goto unlock;
1648         }
1649 
1650         switch (mgmt_op) {
1651         case MGMT_OP_USER_PASSKEY_REPLY:
1652                 value = le32_to_cpu(passkey);
1653                 memset(smp->tk, 0, sizeof(smp->tk));
1654                 BT_DBG("PassKey: %d", value);
1655                 put_unaligned_le32(value, smp->tk);
1656                 /* Fall Through */
1657         case MGMT_OP_USER_CONFIRM_REPLY:
1658                 set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1659                 break;
1660         case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1661         case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1662                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1663                 err = 0;
1664                 goto unlock;
1665         default:
1666                 smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1667                 err = -EOPNOTSUPP;
1668                 goto unlock;
1669         }
1670 
1671         err = 0;
1672 
1673         /* If it is our turn to send Pairing Confirm, do so now */
1674         if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1675                 u8 rsp = smp_confirm(smp);
1676                 if (rsp)
1677                         smp_failure(conn, rsp);
1678         }
1679 
1680 unlock:
1681         l2cap_chan_unlock(chan);
1682         return err;
1683 }
1684 
1685 static void build_bredr_pairing_cmd(struct smp_chan *smp,
1686                                     struct smp_cmd_pairing *req,
1687                                     struct smp_cmd_pairing *rsp)
1688 {
1689         struct l2cap_conn *conn = smp->conn;
1690         struct hci_dev *hdev = conn->hcon->hdev;
1691         u8 local_dist = 0, remote_dist = 0;
1692 
1693         if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1694                 local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1695                 remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1696         }
1697 
1698         if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1699                 remote_dist |= SMP_DIST_ID_KEY;
1700 
1701         if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1702                 local_dist |= SMP_DIST_ID_KEY;
1703 
1704         if (!rsp) {
1705                 memset(req, 0, sizeof(*req));
1706 
1707                 req->auth_req        = SMP_AUTH_CT2;
1708                 req->init_key_dist   = local_dist;
1709                 req->resp_key_dist   = remote_dist;
1710                 req->max_key_size    = conn->hcon->enc_key_size;
1711 
1712                 smp->remote_key_dist = remote_dist;
1713 
1714                 return;
1715         }
1716 
1717         memset(rsp, 0, sizeof(*rsp));
1718 
1719         rsp->auth_req        = SMP_AUTH_CT2;
1720         rsp->max_key_size    = conn->hcon->enc_key_size;
1721         rsp->init_key_dist   = req->init_key_dist & remote_dist;
1722         rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1723 
1724         smp->remote_key_dist = rsp->init_key_dist;
1725 }
1726 
1727 static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1728 {
1729         struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1730         struct l2cap_chan *chan = conn->smp;
1731         struct hci_dev *hdev = conn->hcon->hdev;
1732         struct smp_chan *smp;
1733         u8 key_size, auth, sec_level;
1734         int ret;
1735 
1736         BT_DBG("conn %p", conn);
1737 
1738         if (skb->len < sizeof(*req))
1739                 return SMP_INVALID_PARAMS;
1740 
1741         if (conn->hcon->role != HCI_ROLE_SLAVE)
1742                 return SMP_CMD_NOTSUPP;
1743 
1744         if (!chan->data)
1745                 smp = smp_chan_create(conn);
1746         else
1747                 smp = chan->data;
1748 
1749         if (!smp)
1750                 return SMP_UNSPECIFIED;
1751 
1752         /* We didn't start the pairing, so match remote */
1753         auth = req->auth_req & AUTH_REQ_MASK(hdev);
1754 
1755         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1756             (auth & SMP_AUTH_BONDING))
1757                 return SMP_PAIRING_NOTSUPP;
1758 
1759         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1760                 return SMP_AUTH_REQUIREMENTS;
1761 
1762         smp->preq[0] = SMP_CMD_PAIRING_REQ;
1763         memcpy(&smp->preq[1], req, sizeof(*req));
1764         skb_pull(skb, sizeof(*req));
1765 
1766         /* If the remote side's OOB flag is set it means it has
1767          * successfully received our local OOB data - therefore set the
1768          * flag to indicate that local OOB is in use.
1769          */
1770         if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1771                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1772 
1773         /* SMP over BR/EDR requires special treatment */
1774         if (conn->hcon->type == ACL_LINK) {
1775                 /* We must have a BR/EDR SC link */
1776                 if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1777                     !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1778                         return SMP_CROSS_TRANSP_NOT_ALLOWED;
1779 
1780                 set_bit(SMP_FLAG_SC, &smp->flags);
1781 
1782                 build_bredr_pairing_cmd(smp, req, &rsp);
1783 
1784                 if (req->auth_req & SMP_AUTH_CT2)
1785                         set_bit(SMP_FLAG_CT2, &smp->flags);
1786 
1787                 key_size = min(req->max_key_size, rsp.max_key_size);
1788                 if (check_enc_key_size(conn, key_size))
1789                         return SMP_ENC_KEY_SIZE;
1790 
1791                 /* Clear bits which are generated but not distributed */
1792                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1793 
1794                 smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1795                 memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1796                 smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1797 
1798                 smp_distribute_keys(smp);
1799                 return 0;
1800         }
1801 
1802         build_pairing_cmd(conn, req, &rsp, auth);
1803 
1804         if (rsp.auth_req & SMP_AUTH_SC) {
1805                 set_bit(SMP_FLAG_SC, &smp->flags);
1806 
1807                 if (rsp.auth_req & SMP_AUTH_CT2)
1808                         set_bit(SMP_FLAG_CT2, &smp->flags);
1809         }
1810 
1811         if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1812                 sec_level = BT_SECURITY_MEDIUM;
1813         else
1814                 sec_level = authreq_to_seclevel(auth);
1815 
1816         if (sec_level > conn->hcon->pending_sec_level)
1817                 conn->hcon->pending_sec_level = sec_level;
1818 
1819         /* If we need MITM check that it can be achieved */
1820         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1821                 u8 method;
1822 
1823                 method = get_auth_method(smp, conn->hcon->io_capability,
1824                                          req->io_capability);
1825                 if (method == JUST_WORKS || method == JUST_CFM)
1826                         return SMP_AUTH_REQUIREMENTS;
1827         }
1828 
1829         key_size = min(req->max_key_size, rsp.max_key_size);
1830         if (check_enc_key_size(conn, key_size))
1831                 return SMP_ENC_KEY_SIZE;
1832 
1833         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1834 
1835         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1836         memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1837 
1838         smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1839 
1840         clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1841 
1842         /* Strictly speaking we shouldn't allow Pairing Confirm for the
1843          * SC case, however some implementations incorrectly copy RFU auth
1844          * req bits from our security request, which may create a false
1845          * positive SC enablement.
1846          */
1847         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1848 
1849         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1850                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1851                 /* Clear bits which are generated but not distributed */
1852                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1853                 /* Wait for Public Key from Initiating Device */
1854                 return 0;
1855         }
1856 
1857         /* Request setup of TK */
1858         ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1859         if (ret)
1860                 return SMP_UNSPECIFIED;
1861 
1862         return 0;
1863 }
1864 
1865 static u8 sc_send_public_key(struct smp_chan *smp)
1866 {
1867         struct hci_dev *hdev = smp->conn->hcon->hdev;
1868 
1869         BT_DBG("");
1870 
1871         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1872                 struct l2cap_chan *chan = hdev->smp_data;
1873                 struct smp_dev *smp_dev;
1874 
1875                 if (!chan || !chan->data)
1876                         return SMP_UNSPECIFIED;
1877 
1878                 smp_dev = chan->data;
1879 
1880                 memcpy(smp->local_pk, smp_dev->local_pk, 64);
1881                 memcpy(smp->lr, smp_dev->local_rand, 16);
1882 
1883                 if (smp_dev->debug_key)
1884                         set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1885 
1886                 goto done;
1887         }
1888 
1889         if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1890                 BT_DBG("Using debug keys");
1891                 if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1892                         return SMP_UNSPECIFIED;
1893                 memcpy(smp->local_pk, debug_pk, 64);
1894                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895         } else {
1896                 while (true) {
1897                         /* Generate key pair for Secure Connections */
1898                         if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1899                                 return SMP_UNSPECIFIED;
1900 
1901                         /* This is unlikely, but we need to check that
1902                          * we didn't accidentially generate a debug key.
1903                          */
1904                         if (crypto_memneq(smp->local_pk, debug_pk, 64))
1905                                 break;
1906                 }
1907         }
1908 
1909 done:
1910         SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1911         SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1912 
1913         smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1914 
1915         return 0;
1916 }
1917 
1918 static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1919 {
1920         struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1921         struct l2cap_chan *chan = conn->smp;
1922         struct smp_chan *smp = chan->data;
1923         struct hci_dev *hdev = conn->hcon->hdev;
1924         u8 key_size, auth;
1925         int ret;
1926 
1927         BT_DBG("conn %p", conn);
1928 
1929         if (skb->len < sizeof(*rsp))
1930                 return SMP_INVALID_PARAMS;
1931 
1932         if (conn->hcon->role != HCI_ROLE_MASTER)
1933                 return SMP_CMD_NOTSUPP;
1934 
1935         skb_pull(skb, sizeof(*rsp));
1936 
1937         req = (void *) &smp->preq[1];
1938 
1939         key_size = min(req->max_key_size, rsp->max_key_size);
1940         if (check_enc_key_size(conn, key_size))
1941                 return SMP_ENC_KEY_SIZE;
1942 
1943         auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1944 
1945         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1946                 return SMP_AUTH_REQUIREMENTS;
1947 
1948         /* If the remote side's OOB flag is set it means it has
1949          * successfully received our local OOB data - therefore set the
1950          * flag to indicate that local OOB is in use.
1951          */
1952         if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1953                 set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1954 
1955         smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1956         memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1957 
1958         /* Update remote key distribution in case the remote cleared
1959          * some bits that we had enabled in our request.
1960          */
1961         smp->remote_key_dist &= rsp->resp_key_dist;
1962 
1963         if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1964                 set_bit(SMP_FLAG_CT2, &smp->flags);
1965 
1966         /* For BR/EDR this means we're done and can start phase 3 */
1967         if (conn->hcon->type == ACL_LINK) {
1968                 /* Clear bits which are generated but not distributed */
1969                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1970                 smp_distribute_keys(smp);
1971                 return 0;
1972         }
1973 
1974         if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1975                 set_bit(SMP_FLAG_SC, &smp->flags);
1976         else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1977                 conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1978 
1979         /* If we need MITM check that it can be achieved */
1980         if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1981                 u8 method;
1982 
1983                 method = get_auth_method(smp, req->io_capability,
1984                                          rsp->io_capability);
1985                 if (method == JUST_WORKS || method == JUST_CFM)
1986                         return SMP_AUTH_REQUIREMENTS;
1987         }
1988 
1989         get_random_bytes(smp->prnd, sizeof(smp->prnd));
1990 
1991         /* Update remote key distribution in case the remote cleared
1992          * some bits that we had enabled in our request.
1993          */
1994         smp->remote_key_dist &= rsp->resp_key_dist;
1995 
1996         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1997                 /* Clear bits which are generated but not distributed */
1998                 smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1999                 SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2000                 return sc_send_public_key(smp);
2001         }
2002 
2003         auth |= req->auth_req;
2004 
2005         ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2006         if (ret)
2007                 return SMP_UNSPECIFIED;
2008 
2009         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2010 
2011         /* Can't compose response until we have been confirmed */
2012         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2013                 return smp_confirm(smp);
2014 
2015         return 0;
2016 }
2017 
2018 static u8 sc_check_confirm(struct smp_chan *smp)
2019 {
2020         struct l2cap_conn *conn = smp->conn;
2021 
2022         BT_DBG("");
2023 
2024         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2025                 return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2026 
2027         if (conn->hcon->out) {
2028                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2029                              smp->prnd);
2030                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2031         }
2032 
2033         return 0;
2034 }
2035 
2036 /* Work-around for some implementations that incorrectly copy RFU bits
2037  * from our security request and thereby create the impression that
2038  * we're doing SC when in fact the remote doesn't support it.
2039  */
2040 static int fixup_sc_false_positive(struct smp_chan *smp)
2041 {
2042         struct l2cap_conn *conn = smp->conn;
2043         struct hci_conn *hcon = conn->hcon;
2044         struct hci_dev *hdev = hcon->hdev;
2045         struct smp_cmd_pairing *req, *rsp;
2046         u8 auth;
2047 
2048         /* The issue is only observed when we're in slave role */
2049         if (hcon->out)
2050                 return SMP_UNSPECIFIED;
2051 
2052         if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2053                 bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2054                 return SMP_UNSPECIFIED;
2055         }
2056 
2057         bt_dev_err(hdev, "trying to fall back to legacy SMP");
2058 
2059         req = (void *) &smp->preq[1];
2060         rsp = (void *) &smp->prsp[1];
2061 
2062         /* Rebuild key dist flags which may have been cleared for SC */
2063         smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2064 
2065         auth = req->auth_req & AUTH_REQ_MASK(hdev);
2066 
2067         if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2068                 bt_dev_err(hdev, "failed to fall back to legacy SMP");
2069                 return SMP_UNSPECIFIED;
2070         }
2071 
2072         clear_bit(SMP_FLAG_SC, &smp->flags);
2073 
2074         return 0;
2075 }
2076 
2077 static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2078 {
2079         struct l2cap_chan *chan = conn->smp;
2080         struct smp_chan *smp = chan->data;
2081 
2082         BT_DBG("conn %p %s", conn, conn->hcon->out ? "master" : "slave");
2083 
2084         if (skb->len < sizeof(smp->pcnf))
2085                 return SMP_INVALID_PARAMS;
2086 
2087         memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2088         skb_pull(skb, sizeof(smp->pcnf));
2089 
2090         if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2091                 int ret;
2092 
2093                 /* Public Key exchange must happen before any other steps */
2094                 if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2095                         return sc_check_confirm(smp);
2096 
2097                 BT_ERR("Unexpected SMP Pairing Confirm");
2098 
2099                 ret = fixup_sc_false_positive(smp);
2100                 if (ret)
2101                         return ret;
2102         }
2103 
2104         if (conn->hcon->out) {
2105                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2106                              smp->prnd);
2107                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2108                 return 0;
2109         }
2110 
2111         if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2112                 return smp_confirm(smp);
2113 
2114         set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2115 
2116         return 0;
2117 }
2118 
2119 static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2120 {
2121         struct l2cap_chan *chan = conn->smp;
2122         struct smp_chan *smp = chan->data;
2123         struct hci_conn *hcon = conn->hcon;
2124         u8 *pkax, *pkbx, *na, *nb;
2125         u32 passkey;
2126         int err;
2127 
2128         BT_DBG("conn %p", conn);
2129 
2130         if (skb->len < sizeof(smp->rrnd))
2131                 return SMP_INVALID_PARAMS;
2132 
2133         memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2134         skb_pull(skb, sizeof(smp->rrnd));
2135 
2136         if (!test_bit(SMP_FLAG_SC, &smp->flags))
2137                 return smp_random(smp);
2138 
2139         if (hcon->out) {
2140                 pkax = smp->local_pk;
2141                 pkbx = smp->remote_pk;
2142                 na   = smp->prnd;
2143                 nb   = smp->rrnd;
2144         } else {
2145                 pkax = smp->remote_pk;
2146                 pkbx = smp->local_pk;
2147                 na   = smp->rrnd;
2148                 nb   = smp->prnd;
2149         }
2150 
2151         if (smp->method == REQ_OOB) {
2152                 if (!hcon->out)
2153                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2154                                      sizeof(smp->prnd), smp->prnd);
2155                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2156                 goto mackey_and_ltk;
2157         }
2158 
2159         /* Passkey entry has special treatment */
2160         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2161                 return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2162 
2163         if (hcon->out) {
2164                 u8 cfm[16];
2165 
2166                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2167                              smp->rrnd, 0, cfm);
2168                 if (err)
2169                         return SMP_UNSPECIFIED;
2170 
2171                 if (crypto_memneq(smp->pcnf, cfm, 16))
2172                         return SMP_CONFIRM_FAILED;
2173         } else {
2174                 smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2175                              smp->prnd);
2176                 SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2177         }
2178 
2179 mackey_and_ltk:
2180         /* Generate MacKey and LTK */
2181         err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2182         if (err)
2183                 return SMP_UNSPECIFIED;
2184 
2185         if (smp->method == JUST_WORKS || smp->method == REQ_OOB) {
2186                 if (hcon->out) {
2187                         sc_dhkey_check(smp);
2188                         SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2189                 }
2190                 return 0;
2191         }
2192 
2193         err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2194         if (err)
2195                 return SMP_UNSPECIFIED;
2196 
2197         err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2198                                         hcon->dst_type, passkey, 0);
2199         if (err)
2200                 return SMP_UNSPECIFIED;
2201 
2202         set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2203 
2204         return 0;
2205 }
2206 
2207 static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2208 {
2209         struct smp_ltk *key;
2210         struct hci_conn *hcon = conn->hcon;
2211 
2212         key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2213         if (!key)
2214                 return false;
2215 
2216         if (smp_ltk_sec_level(key) < sec_level)
2217                 return false;
2218 
2219         if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2220                 return true;
2221 
2222         hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2223         hcon->enc_key_size = key->enc_size;
2224 
2225         /* We never store STKs for master role, so clear this flag */
2226         clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2227 
2228         return true;
2229 }
2230 
2231 bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2232                              enum smp_key_pref key_pref)
2233 {
2234         if (sec_level == BT_SECURITY_LOW)
2235                 return true;
2236 
2237         /* If we're encrypted with an STK but the caller prefers using
2238          * LTK claim insufficient security. This way we allow the
2239          * connection to be re-encrypted with an LTK, even if the LTK
2240          * provides the same level of security. Only exception is if we
2241          * don't have an LTK (e.g. because of key distribution bits).
2242          */
2243         if (key_pref == SMP_USE_LTK &&
2244             test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2245             hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2246                 return false;
2247 
2248         if (hcon->sec_level >= sec_level)
2249                 return true;
2250 
2251         return false;
2252 }
2253 
2254 static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2255 {
2256         struct smp_cmd_security_req *rp = (void *) skb->data;
2257         struct smp_cmd_pairing cp;
2258         struct hci_conn *hcon = conn->hcon;
2259         struct hci_dev *hdev = hcon->hdev;
2260         struct smp_chan *smp;
2261         u8 sec_level, auth;
2262 
2263         BT_DBG("conn %p", conn);
2264 
2265         if (skb->len < sizeof(*rp))
2266                 return SMP_INVALID_PARAMS;
2267 
2268         if (hcon->role != HCI_ROLE_MASTER)
2269                 return SMP_CMD_NOTSUPP;
2270 
2271         auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2272 
2273         if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2274                 return SMP_AUTH_REQUIREMENTS;
2275 
2276         if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2277                 sec_level = BT_SECURITY_MEDIUM;
2278         else
2279                 sec_level = authreq_to_seclevel(auth);
2280 
2281         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2282                 /* If link is already encrypted with sufficient security we
2283                  * still need refresh encryption as per Core Spec 5.0 Vol 3,
2284                  * Part H 2.4.6
2285                  */
2286                 smp_ltk_encrypt(conn, hcon->sec_level);
2287                 return 0;
2288         }
2289 
2290         if (sec_level > hcon->pending_sec_level)
2291                 hcon->pending_sec_level = sec_level;
2292 
2293         if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2294                 return 0;
2295 
2296         smp = smp_chan_create(conn);
2297         if (!smp)
2298                 return SMP_UNSPECIFIED;
2299 
2300         if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2301             (auth & SMP_AUTH_BONDING))
2302                 return SMP_PAIRING_NOTSUPP;
2303 
2304         skb_pull(skb, sizeof(*rp));
2305 
2306         memset(&cp, 0, sizeof(cp));
2307         build_pairing_cmd(conn, &cp, NULL, auth);
2308 
2309         smp->preq[0] = SMP_CMD_PAIRING_REQ;
2310         memcpy(&smp->preq[1], &cp, sizeof(cp));
2311 
2312         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2313         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2314 
2315         return 0;
2316 }
2317 
2318 int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2319 {
2320         struct l2cap_conn *conn = hcon->l2cap_data;
2321         struct l2cap_chan *chan;
2322         struct smp_chan *smp;
2323         __u8 authreq;
2324         int ret;
2325 
2326         BT_DBG("conn %p hcon %p level 0x%2.2x", conn, hcon, sec_level);
2327 
2328         /* This may be NULL if there's an unexpected disconnection */
2329         if (!conn)
2330                 return 1;
2331 
2332         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2333                 return 1;
2334 
2335         if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2336                 return 1;
2337 
2338         if (sec_level > hcon->pending_sec_level)
2339                 hcon->pending_sec_level = sec_level;
2340 
2341         if (hcon->role == HCI_ROLE_MASTER)
2342                 if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2343                         return 0;
2344 
2345         chan = conn->smp;
2346         if (!chan) {
2347                 bt_dev_err(hcon->hdev, "security requested but not available");
2348                 return 1;
2349         }
2350 
2351         l2cap_chan_lock(chan);
2352 
2353         /* If SMP is already in progress ignore this request */
2354         if (chan->data) {
2355                 ret = 0;
2356                 goto unlock;
2357         }
2358 
2359         smp = smp_chan_create(conn);
2360         if (!smp) {
2361                 ret = 1;
2362                 goto unlock;
2363         }
2364 
2365         authreq = seclevel_to_authreq(sec_level);
2366 
2367         if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2368                 authreq |= SMP_AUTH_SC;
2369                 if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2370                         authreq |= SMP_AUTH_CT2;
2371         }
2372 
2373         /* Require MITM if IO Capability allows or the security level
2374          * requires it.
2375          */
2376         if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2377             hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2378                 authreq |= SMP_AUTH_MITM;
2379 
2380         if (hcon->role == HCI_ROLE_MASTER) {
2381                 struct smp_cmd_pairing cp;
2382 
2383                 build_pairing_cmd(conn, &cp, NULL, authreq);
2384                 smp->preq[0] = SMP_CMD_PAIRING_REQ;
2385                 memcpy(&smp->preq[1], &cp, sizeof(cp));
2386 
2387                 smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2388                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2389         } else {
2390                 struct smp_cmd_security_req cp;
2391                 cp.auth_req = authreq;
2392                 smp_send_cmd(conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2393                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2394         }
2395 
2396         set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2397         ret = 0;
2398 
2399 unlock:
2400         l2cap_chan_unlock(chan);
2401         return ret;
2402 }
2403 
2404 int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2405                                   u8 addr_type)
2406 {
2407         struct hci_conn *hcon;
2408         struct l2cap_conn *conn;
2409         struct l2cap_chan *chan;
2410         struct smp_chan *smp;
2411         int err;
2412 
2413         err = hci_remove_ltk(hdev, bdaddr, addr_type);
2414         hci_remove_irk(hdev, bdaddr, addr_type);
2415 
2416         hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2417         if (!hcon)
2418                 goto done;
2419 
2420         conn = hcon->l2cap_data;
2421         if (!conn)
2422                 goto done;
2423 
2424         chan = conn->smp;
2425         if (!chan)
2426                 goto done;
2427 
2428         l2cap_chan_lock(chan);
2429 
2430         smp = chan->data;
2431         if (smp) {
2432                 /* Set keys to NULL to make sure smp_failure() does not try to
2433                  * remove and free already invalidated rcu list entries. */
2434                 smp->ltk = NULL;
2435                 smp->slave_ltk = NULL;
2436                 smp->remote_irk = NULL;
2437 
2438                 if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2439                         smp_failure(conn, 0);
2440                 else
2441                         smp_failure(conn, SMP_UNSPECIFIED);
2442                 err = 0;
2443         }
2444 
2445         l2cap_chan_unlock(chan);
2446 
2447 done:
2448         return err;
2449 }
2450 
2451 static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2452 {
2453         struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2454         struct l2cap_chan *chan = conn->smp;
2455         struct smp_chan *smp = chan->data;
2456 
2457         BT_DBG("conn %p", conn);
2458 
2459         if (skb->len < sizeof(*rp))
2460                 return SMP_INVALID_PARAMS;
2461 
2462         SMP_ALLOW_CMD(smp, SMP_CMD_MASTER_IDENT);
2463 
2464         skb_pull(skb, sizeof(*rp));
2465 
2466         memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2467 
2468         return 0;
2469 }
2470 
2471 static int smp_cmd_master_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2472 {
2473         struct smp_cmd_master_ident *rp = (void *) skb->data;
2474         struct l2cap_chan *chan = conn->smp;
2475         struct smp_chan *smp = chan->data;
2476         struct hci_dev *hdev = conn->hcon->hdev;
2477         struct hci_conn *hcon = conn->hcon;
2478         struct smp_ltk *ltk;
2479         u8 authenticated;
2480 
2481         BT_DBG("conn %p", conn);
2482 
2483         if (skb->len < sizeof(*rp))
2484                 return SMP_INVALID_PARAMS;
2485 
2486         /* Mark the information as received */
2487         smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2488 
2489         if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2490                 SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2491         else if (smp->remote_key_dist & SMP_DIST_SIGN)
2492                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2493 
2494         skb_pull(skb, sizeof(*rp));
2495 
2496         authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2497         ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2498                           authenticated, smp->tk, smp->enc_key_size,
2499                           rp->ediv, rp->rand);
2500         smp->ltk = ltk;
2501         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2502                 smp_distribute_keys(smp);
2503 
2504         return 0;
2505 }
2506 
2507 static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2508 {
2509         struct smp_cmd_ident_info *info = (void *) skb->data;
2510         struct l2cap_chan *chan = conn->smp;
2511         struct smp_chan *smp = chan->data;
2512 
2513         BT_DBG("");
2514 
2515         if (skb->len < sizeof(*info))
2516                 return SMP_INVALID_PARAMS;
2517 
2518         SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2519 
2520         skb_pull(skb, sizeof(*info));
2521 
2522         memcpy(smp->irk, info->irk, 16);
2523 
2524         return 0;
2525 }
2526 
2527 static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2528                                    struct sk_buff *skb)
2529 {
2530         struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2531         struct l2cap_chan *chan = conn->smp;
2532         struct smp_chan *smp = chan->data;
2533         struct hci_conn *hcon = conn->hcon;
2534         bdaddr_t rpa;
2535 
2536         BT_DBG("");
2537 
2538         if (skb->len < sizeof(*info))
2539                 return SMP_INVALID_PARAMS;
2540 
2541         /* Mark the information as received */
2542         smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2543 
2544         if (smp->remote_key_dist & SMP_DIST_SIGN)
2545                 SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2546 
2547         skb_pull(skb, sizeof(*info));
2548 
2549         /* Strictly speaking the Core Specification (4.1) allows sending
2550          * an empty address which would force us to rely on just the IRK
2551          * as "identity information". However, since such
2552          * implementations are not known of and in order to not over
2553          * complicate our implementation, simply pretend that we never
2554          * received an IRK for such a device.
2555          *
2556          * The Identity Address must also be a Static Random or Public
2557          * Address, which hci_is_identity_address() checks for.
2558          */
2559         if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2560             !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2561                 bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2562                 goto distribute;
2563         }
2564 
2565         /* Drop IRK if peer is using identity address during pairing but is
2566          * providing different address as identity information.
2567          *
2568          * Microsoft Surface Precision Mouse is known to have this bug.
2569          */
2570         if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2571             (bacmp(&info->bdaddr, &hcon->dst) ||
2572              info->addr_type != hcon->dst_type)) {
2573                 bt_dev_err(hcon->hdev,
2574                            "ignoring IRK with invalid identity address");
2575                 goto distribute;
2576         }
2577 
2578         bacpy(&smp->id_addr, &info->bdaddr);
2579         smp->id_addr_type = info->addr_type;
2580 
2581         if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2582                 bacpy(&rpa, &hcon->dst);
2583         else
2584                 bacpy(&rpa, BDADDR_ANY);
2585 
2586         smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2587                                       smp->id_addr_type, smp->irk, &rpa);
2588 
2589 distribute:
2590         if (!(smp->remote_key_dist & KEY_DIST_MASK))
2591                 smp_distribute_keys(smp);
2592 
2593         return 0;
2594 }
2595 
2596 static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2597 {
2598         struct smp_cmd_sign_info *rp = (void *) skb->data;
2599         struct l2cap_chan *chan = conn->smp;
2600         struct smp_chan *smp = chan->data;
2601         struct smp_csrk *csrk;
2602 
2603         BT_DBG("conn %p", conn);
2604 
2605         if (skb->len < sizeof(*rp))
2606                 return SMP_INVALID_PARAMS;
2607 
2608         /* Mark the information as received */
2609         smp->remote_key_dist &= ~SMP_DIST_SIGN;
2610 
2611         skb_pull(skb, sizeof(*rp));
2612 
2613         csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2614         if (csrk) {
2615                 if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2616                         csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2617                 else
2618                         csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2619                 memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2620         }
2621         smp->csrk = csrk;
2622         smp_distribute_keys(smp);
2623 
2624         return 0;
2625 }
2626 
2627 static u8 sc_select_method(struct smp_chan *smp)
2628 {
2629         struct l2cap_conn *conn = smp->conn;
2630         struct hci_conn *hcon = conn->hcon;
2631         struct smp_cmd_pairing *local, *remote;
2632         u8 local_mitm, remote_mitm, local_io, remote_io, method;
2633 
2634         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2635             test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2636                 return REQ_OOB;
2637 
2638         /* The preq/prsp contain the raw Pairing Request/Response PDUs
2639          * which are needed as inputs to some crypto functions. To get
2640          * the "struct smp_cmd_pairing" from them we need to skip the
2641          * first byte which contains the opcode.
2642          */
2643         if (hcon->out) {
2644                 local = (void *) &smp->preq[1];
2645                 remote = (void *) &smp->prsp[1];
2646         } else {
2647                 local = (void *) &smp->prsp[1];
2648                 remote = (void *) &smp->preq[1];
2649         }
2650 
2651         local_io = local->io_capability;
2652         remote_io = remote->io_capability;
2653 
2654         local_mitm = (local->auth_req & SMP_AUTH_MITM);
2655         remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2656 
2657         /* If either side wants MITM, look up the method from the table,
2658          * otherwise use JUST WORKS.
2659          */
2660         if (local_mitm || remote_mitm)
2661                 method = get_auth_method(smp, local_io, remote_io);
2662         else
2663                 method = JUST_WORKS;
2664 
2665         /* Don't confirm locally initiated pairing attempts */
2666         if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2667                 method = JUST_WORKS;
2668 
2669         return method;
2670 }
2671 
2672 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2673 {
2674         struct smp_cmd_public_key *key = (void *) skb->data;
2675         struct hci_conn *hcon = conn->hcon;
2676         struct l2cap_chan *chan = conn->smp;
2677         struct smp_chan *smp = chan->data;
2678         struct hci_dev *hdev = hcon->hdev;
2679         struct crypto_kpp *tfm_ecdh;
2680         struct smp_cmd_pairing_confirm cfm;
2681         int err;
2682 
2683         BT_DBG("conn %p", conn);
2684 
2685         if (skb->len < sizeof(*key))
2686                 return SMP_INVALID_PARAMS;
2687 
2688         memcpy(smp->remote_pk, key, 64);
2689 
2690         if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2691                 err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2692                              smp->rr, 0, cfm.confirm_val);
2693                 if (err)
2694                         return SMP_UNSPECIFIED;
2695 
2696                 if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2697                         return SMP_CONFIRM_FAILED;
2698         }
2699 
2700         /* Non-initiating device sends its public key after receiving
2701          * the key from the initiating device.
2702          */
2703         if (!hcon->out) {
2704                 err = sc_send_public_key(smp);
2705                 if (err)
2706                         return err;
2707         }
2708 
2709         SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2710         SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2711 
2712         /* Compute the shared secret on the same crypto tfm on which the private
2713          * key was set/generated.
2714          */
2715         if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2716                 struct l2cap_chan *hchan = hdev->smp_data;
2717                 struct smp_dev *smp_dev;
2718 
2719                 if (!hchan || !hchan->data)
2720                         return SMP_UNSPECIFIED;
2721 
2722                 smp_dev = hchan->data;
2723 
2724                 tfm_ecdh = smp_dev->tfm_ecdh;
2725         } else {
2726                 tfm_ecdh = smp->tfm_ecdh;
2727         }
2728 
2729         if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2730                 return SMP_UNSPECIFIED;
2731 
2732         SMP_DBG("DHKey %32phN", smp->dhkey);
2733 
2734         set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2735 
2736         smp->method = sc_select_method(smp);
2737 
2738         BT_DBG("%s selected method 0x%02x", hdev->name, smp->method);
2739 
2740         /* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2741         if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2742                 hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2743         else
2744                 hcon->pending_sec_level = BT_SECURITY_FIPS;
2745 
2746         if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2747                 set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2748 
2749         if (smp->method == DSP_PASSKEY) {
2750                 get_random_bytes(&hcon->passkey_notify,
2751                                  sizeof(hcon->passkey_notify));
2752                 hcon->passkey_notify %= 1000000;
2753                 hcon->passkey_entered = 0;
2754                 smp->passkey_round = 0;
2755                 if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2756                                              hcon->dst_type,
2757                                              hcon->passkey_notify,
2758                                              hcon->passkey_entered))
2759                         return SMP_UNSPECIFIED;
2760                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2761                 return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2762         }
2763 
2764         if (smp->method == REQ_OOB) {
2765                 if (hcon->out)
2766                         smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2767                                      sizeof(smp->prnd), smp->prnd);
2768 
2769                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2770 
2771                 return 0;
2772         }
2773 
2774         if (hcon->out)
2775                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2776 
2777         if (smp->method == REQ_PASSKEY) {
2778                 if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2779                                               hcon->dst_type))
2780                         return SMP_UNSPECIFIED;
2781                 SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2782                 set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2783                 return 0;
2784         }
2785 
2786         /* The Initiating device waits for the non-initiating device to
2787          * send the confirm value.
2788          */
2789         if (conn->hcon->out)
2790                 return 0;
2791 
2792         err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2793                      0, cfm.confirm_val);
2794         if (err)
2795                 return SMP_UNSPECIFIED;
2796 
2797         smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2798         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2799 
2800         return 0;
2801 }
2802 
2803 static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2804 {
2805         struct smp_cmd_dhkey_check *check = (void *) skb->data;
2806         struct l2cap_chan *chan = conn->smp;
2807         struct hci_conn *hcon = conn->hcon;
2808         struct smp_chan *smp = chan->data;
2809         u8 a[7], b[7], *local_addr, *remote_addr;
2810         u8 io_cap[3], r[16], e[16];
2811         int err;
2812 
2813         BT_DBG("conn %p", conn);
2814 
2815         if (skb->len < sizeof(*check))
2816                 return SMP_INVALID_PARAMS;
2817 
2818         memcpy(a, &hcon->init_addr, 6);
2819         memcpy(b, &hcon->resp_addr, 6);
2820         a[6] = hcon->init_addr_type;
2821         b[6] = hcon->resp_addr_type;
2822 
2823         if (hcon->out) {
2824                 local_addr = a;
2825                 remote_addr = b;
2826                 memcpy(io_cap, &smp->prsp[1], 3);
2827         } else {
2828                 local_addr = b;
2829                 remote_addr = a;
2830                 memcpy(io_cap, &smp->preq[1], 3);
2831         }
2832 
2833         memset(r, 0, sizeof(r));
2834 
2835         if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2836                 put_unaligned_le32(hcon->passkey_notify, r);
2837         else if (smp->method == REQ_OOB)
2838                 memcpy(r, smp->lr, 16);
2839 
2840         err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2841                      io_cap, remote_addr, local_addr, e);
2842         if (err)
2843                 return SMP_UNSPECIFIED;
2844 
2845         if (crypto_memneq(check->e, e, 16))
2846                 return SMP_DHKEY_CHECK_FAILED;
2847 
2848         if (!hcon->out) {
2849                 if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2850                         set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2851                         return 0;
2852                 }
2853 
2854                 /* Slave sends DHKey check as response to master */
2855                 sc_dhkey_check(smp);
2856         }
2857 
2858         sc_add_ltk(smp);
2859 
2860         if (hcon->out) {
2861                 hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2862                 hcon->enc_key_size = smp->enc_key_size;
2863         }
2864 
2865         return 0;
2866 }
2867 
2868 static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2869                                    struct sk_buff *skb)
2870 {
2871         struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2872 
2873         BT_DBG("value 0x%02x", kp->value);
2874 
2875         return 0;
2876 }
2877 
2878 static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2879 {
2880         struct l2cap_conn *conn = chan->conn;
2881         struct hci_conn *hcon = conn->hcon;
2882         struct smp_chan *smp;
2883         __u8 code, reason;
2884         int err = 0;
2885 
2886         if (skb->len < 1)
2887                 return -EILSEQ;
2888 
2889         if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2890                 reason = SMP_PAIRING_NOTSUPP;
2891                 goto done;
2892         }
2893 
2894         code = skb->data[0];
2895         skb_pull(skb, sizeof(code));
2896 
2897         smp = chan->data;
2898 
2899         if (code > SMP_CMD_MAX)
2900                 goto drop;
2901 
2902         if (smp && !test_and_clear_bit(code, &smp->allow_cmd))
2903                 goto drop;
2904 
2905         /* If we don't have a context the only allowed commands are
2906          * pairing request and security request.
2907          */
2908         if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2909                 goto drop;
2910 
2911         switch (code) {
2912         case SMP_CMD_PAIRING_REQ:
2913                 reason = smp_cmd_pairing_req(conn, skb);
2914                 break;
2915 
2916         case SMP_CMD_PAIRING_FAIL:
2917                 smp_failure(conn, 0);
2918                 err = -EPERM;
2919                 break;
2920 
2921         case SMP_CMD_PAIRING_RSP:
2922                 reason = smp_cmd_pairing_rsp(conn, skb);
2923                 break;
2924 
2925         case SMP_CMD_SECURITY_REQ:
2926                 reason = smp_cmd_security_req(conn, skb);
2927                 break;
2928 
2929         case SMP_CMD_PAIRING_CONFIRM:
2930                 reason = smp_cmd_pairing_confirm(conn, skb);
2931                 break;
2932 
2933         case SMP_CMD_PAIRING_RANDOM:
2934                 reason = smp_cmd_pairing_random(conn, skb);
2935                 break;
2936 
2937         case SMP_CMD_ENCRYPT_INFO:
2938                 reason = smp_cmd_encrypt_info(conn, skb);
2939                 break;
2940 
2941         case SMP_CMD_MASTER_IDENT:
2942                 reason = smp_cmd_master_ident(conn, skb);
2943                 break;
2944 
2945         case SMP_CMD_IDENT_INFO:
2946                 reason = smp_cmd_ident_info(conn, skb);
2947                 break;
2948 
2949         case SMP_CMD_IDENT_ADDR_INFO:
2950                 reason = smp_cmd_ident_addr_info(conn, skb);
2951                 break;
2952 
2953         case SMP_CMD_SIGN_INFO:
2954                 reason = smp_cmd_sign_info(conn, skb);
2955                 break;
2956 
2957         case SMP_CMD_PUBLIC_KEY:
2958                 reason = smp_cmd_public_key(conn, skb);
2959                 break;
2960 
2961         case SMP_CMD_DHKEY_CHECK:
2962                 reason = smp_cmd_dhkey_check(conn, skb);
2963                 break;
2964 
2965         case SMP_CMD_KEYPRESS_NOTIFY:
2966                 reason = smp_cmd_keypress_notify(conn, skb);
2967                 break;
2968 
2969         default:
2970                 BT_DBG("Unknown command code 0x%2.2x", code);
2971                 reason = SMP_CMD_NOTSUPP;
2972                 goto done;
2973         }
2974 
2975 done:
2976         if (!err) {
2977                 if (reason)
2978                         smp_failure(conn, reason);
2979                 kfree_skb(skb);
2980         }
2981 
2982         return err;
2983 
2984 drop:
2985         bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
2986                    code, &hcon->dst);
2987         kfree_skb(skb);
2988         return 0;
2989 }
2990 
2991 static void smp_teardown_cb(struct l2cap_chan *chan, int err)
2992 {
2993         struct l2cap_conn *conn = chan->conn;
2994 
2995         BT_DBG("chan %p", chan);
2996 
2997         if (chan->data)
2998                 smp_chan_destroy(conn);
2999 
3000         conn->smp = NULL;
3001         l2cap_chan_put(chan);
3002 }
3003 
3004 static void bredr_pairing(struct l2cap_chan *chan)
3005 {
3006         struct l2cap_conn *conn = chan->conn;
3007         struct hci_conn *hcon = conn->hcon;
3008         struct hci_dev *hdev = hcon->hdev;
3009         struct smp_cmd_pairing req;
3010         struct smp_chan *smp;
3011 
3012         BT_DBG("chan %p", chan);
3013 
3014         /* Only new pairings are interesting */
3015         if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3016                 return;
3017 
3018         /* Don't bother if we're not encrypted */
3019         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3020                 return;
3021 
3022         /* Only master may initiate SMP over BR/EDR */
3023         if (hcon->role != HCI_ROLE_MASTER)
3024                 return;
3025 
3026         /* Secure Connections support must be enabled */
3027         if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3028                 return;
3029 
3030         /* BR/EDR must use Secure Connections for SMP */
3031         if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3032             !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3033                 return;
3034 
3035         /* If our LE support is not enabled don't do anything */
3036         if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3037                 return;
3038 
3039         /* Don't bother if remote LE support is not enabled */
3040         if (!lmp_host_le_capable(hcon))
3041                 return;
3042 
3043         /* Remote must support SMP fixed chan for BR/EDR */
3044         if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3045                 return;
3046 
3047         /* Don't bother if SMP is already ongoing */
3048         if (chan->data)
3049                 return;
3050 
3051         smp = smp_chan_create(conn);
3052         if (!smp) {
3053                 bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3054                 return;
3055         }
3056 
3057         set_bit(SMP_FLAG_SC, &smp->flags);
3058 
3059         BT_DBG("%s starting SMP over BR/EDR", hdev->name);
3060 
3061         /* Prepare and send the BR/EDR SMP Pairing Request */
3062         build_bredr_pairing_cmd(smp, &req, NULL);
3063 
3064         smp->preq[0] = SMP_CMD_PAIRING_REQ;
3065         memcpy(&smp->preq[1], &req, sizeof(req));
3066 
3067         smp_send_cmd(conn, SMP_CMD_PAIRING_REQ, sizeof(req), &req);
3068         SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
3069 }
3070 
3071 static void smp_resume_cb(struct l2cap_chan *chan)
3072 {
3073         struct smp_chan *smp = chan->data;
3074         struct l2cap_conn *conn = chan->conn;
3075         struct hci_conn *hcon = conn->hcon;
3076 
3077         BT_DBG("chan %p", chan);
3078 
3079         if (hcon->type == ACL_LINK) {
3080                 bredr_pairing(chan);
3081                 return;
3082         }
3083 
3084         if (!smp)
3085                 return;
3086 
3087         if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3088                 return;
3089 
3090         cancel_delayed_work(&smp->security_timer);
3091 
3092         smp_distribute_keys(smp);
3093 }
3094 
3095 static void smp_ready_cb(struct l2cap_chan *chan)
3096 {
3097         struct l2cap_conn *conn = chan->conn;
3098         struct hci_conn *hcon = conn->hcon;
3099 
3100         BT_DBG("chan %p", chan);
3101 
3102         /* No need to call l2cap_chan_hold() here since we already own
3103          * the reference taken in smp_new_conn_cb(). This is just the
3104          * first time that we tie it to a specific pointer. The code in
3105          * l2cap_core.c ensures that there's no risk this function wont
3106          * get called if smp_new_conn_cb was previously called.
3107          */
3108         conn->smp = chan;
3109 
3110         if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3111                 bredr_pairing(chan);
3112 }
3113 
3114 static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3115 {
3116         int err;
3117 
3118         BT_DBG("chan %p", chan);
3119 
3120         err = smp_sig_channel(chan, skb);
3121         if (err) {
3122                 struct smp_chan *smp = chan->data;
3123 
3124                 if (smp)
3125                         cancel_delayed_work_sync(&smp->security_timer);
3126 
3127                 hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3128         }
3129 
3130         return err;
3131 }
3132 
3133 static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3134                                         unsigned long hdr_len,
3135                                         unsigned long len, int nb)
3136 {
3137         struct sk_buff *skb;
3138 
3139         skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3140         if (!skb)
3141                 return ERR_PTR(-ENOMEM);
3142 
3143         skb->priority = HCI_PRIO_MAX;
3144         bt_cb(skb)->l2cap.chan = chan;
3145 
3146         return skb;
3147 }
3148 
3149 static const struct l2cap_ops smp_chan_ops = {
3150         .name                   = "Security Manager",
3151         .ready                  = smp_ready_cb,
3152         .recv                   = smp_recv_cb,
3153         .alloc_skb              = smp_alloc_skb_cb,
3154         .teardown               = smp_teardown_cb,
3155         .resume                 = smp_resume_cb,
3156 
3157         .new_connection         = l2cap_chan_no_new_connection,
3158         .state_change           = l2cap_chan_no_state_change,
3159         .close                  = l2cap_chan_no_close,
3160         .defer                  = l2cap_chan_no_defer,
3161         .suspend                = l2cap_chan_no_suspend,
3162         .set_shutdown           = l2cap_chan_no_set_shutdown,
3163         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3164 };
3165 
3166 static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3167 {
3168         struct l2cap_chan *chan;
3169 
3170         BT_DBG("pchan %p", pchan);
3171 
3172         chan = l2cap_chan_create();
3173         if (!chan)
3174                 return NULL;
3175 
3176         chan->chan_type = pchan->chan_type;
3177         chan->ops       = &smp_chan_ops;
3178         chan->scid      = pchan->scid;
3179         chan->dcid      = chan->scid;
3180         chan->imtu      = pchan->imtu;
3181         chan->omtu      = pchan->omtu;
3182         chan->mode      = pchan->mode;
3183 
3184         /* Other L2CAP channels may request SMP routines in order to
3185          * change the security level. This means that the SMP channel
3186          * lock must be considered in its own category to avoid lockdep
3187          * warnings.
3188          */
3189         atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3190 
3191         BT_DBG("created chan %p", chan);
3192 
3193         return chan;
3194 }
3195 
3196 static const struct l2cap_ops smp_root_chan_ops = {
3197         .name                   = "Security Manager Root",
3198         .new_connection         = smp_new_conn_cb,
3199 
3200         /* None of these are implemented for the root channel */
3201         .close                  = l2cap_chan_no_close,
3202         .alloc_skb              = l2cap_chan_no_alloc_skb,
3203         .recv                   = l2cap_chan_no_recv,
3204         .state_change           = l2cap_chan_no_state_change,
3205         .teardown               = l2cap_chan_no_teardown,
3206         .ready                  = l2cap_chan_no_ready,
3207         .defer                  = l2cap_chan_no_defer,
3208         .suspend                = l2cap_chan_no_suspend,
3209         .resume                 = l2cap_chan_no_resume,
3210         .set_shutdown           = l2cap_chan_no_set_shutdown,
3211         .get_sndtimeo           = l2cap_chan_no_get_sndtimeo,
3212 };
3213 
3214 static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3215 {
3216         struct l2cap_chan *chan;
3217         struct smp_dev *smp;
3218         struct crypto_shash *tfm_cmac;
3219         struct crypto_kpp *tfm_ecdh;
3220 
3221         if (cid == L2CAP_CID_SMP_BREDR) {
3222                 smp = NULL;
3223                 goto create_chan;
3224         }
3225 
3226         smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3227         if (!smp)
3228                 return ERR_PTR(-ENOMEM);
3229 
3230         tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3231         if (IS_ERR(tfm_cmac)) {
3232                 BT_ERR("Unable to create CMAC crypto context");
3233                 kzfree(smp);
3234                 return ERR_CAST(tfm_cmac);
3235         }
3236 
3237         tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3238         if (IS_ERR(tfm_ecdh)) {
3239                 BT_ERR("Unable to create ECDH crypto context");
3240                 crypto_free_shash(tfm_cmac);
3241                 kzfree(smp);
3242                 return ERR_CAST(tfm_ecdh);
3243         }
3244 
3245         smp->local_oob = false;
3246         smp->tfm_cmac = tfm_cmac;
3247         smp->tfm_ecdh = tfm_ecdh;
3248 
3249 create_chan:
3250         chan = l2cap_chan_create();
3251         if (!chan) {
3252                 if (smp) {
3253                         crypto_free_shash(smp->tfm_cmac);
3254                         crypto_free_kpp(smp->tfm_ecdh);
3255                         kzfree(smp);
3256                 }
3257                 return ERR_PTR(-ENOMEM);
3258         }
3259 
3260         chan->data = smp;
3261 
3262         l2cap_add_scid(chan, cid);
3263 
3264         l2cap_chan_set_defaults(chan);
3265 
3266         if (cid == L2CAP_CID_SMP) {
3267                 u8 bdaddr_type;
3268 
3269                 hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3270 
3271                 if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3272                         chan->src_type = BDADDR_LE_PUBLIC;
3273                 else
3274                         chan->src_type = BDADDR_LE_RANDOM;
3275         } else {
3276                 bacpy(&chan->src, &hdev->bdaddr);
3277                 chan->src_type = BDADDR_BREDR;
3278         }
3279 
3280         chan->state = BT_LISTEN;
3281         chan->mode = L2CAP_MODE_BASIC;
3282         chan->imtu = L2CAP_DEFAULT_MTU;
3283         chan->ops = &smp_root_chan_ops;
3284 
3285         /* Set correct nesting level for a parent/listening channel */
3286         atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3287 
3288         return chan;
3289 }
3290 
3291 static void smp_del_chan(struct l2cap_chan *chan)
3292 {
3293         struct smp_dev *smp;
3294 
3295         BT_DBG("chan %p", chan);
3296 
3297         smp = chan->data;
3298         if (smp) {
3299                 chan->data = NULL;
3300                 crypto_free_shash(smp->tfm_cmac);
3301                 crypto_free_kpp(smp->tfm_ecdh);
3302                 kzfree(smp);
3303         }
3304 
3305         l2cap_chan_put(chan);
3306 }
3307 
3308 static ssize_t force_bredr_smp_read(struct file *file,
3309                                     char __user *user_buf,
3310                                     size_t count, loff_t *ppos)
3311 {
3312         struct hci_dev *hdev = file->private_data;
3313         char buf[3];
3314 
3315         buf[0] = hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP) ? 'Y': 'N';
3316         buf[1] = '\n';
3317         buf[2] = '\0';
3318         return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
3319 }
3320 
3321 static ssize_t force_bredr_smp_write(struct file *file,
3322                                      const char __user *user_buf,
3323                                      size_t count, loff_t *ppos)
3324 {
3325         struct hci_dev *hdev = file->private_data;
3326         bool enable;
3327         int err;
3328 
3329         err = kstrtobool_from_user(user_buf, count, &enable);
3330         if (err)
3331                 return err;
3332 
3333         if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3334                 return -EALREADY;
3335 
3336         if (enable) {
3337                 struct l2cap_chan *chan;
3338 
3339                 chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3340                 if (IS_ERR(chan))
3341                         return PTR_ERR(chan);
3342 
3343                 hdev->smp_bredr_data = chan;
3344         } else {
3345                 struct l2cap_chan *chan;
3346 
3347                 chan = hdev->smp_bredr_data;
3348                 hdev->smp_bredr_data = NULL;
3349                 smp_del_chan(chan);
3350         }
3351 
3352         hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3353 
3354         return count;
3355 }
3356 
3357 static const struct file_operations force_bredr_smp_fops = {
3358         .open           = simple_open,
3359         .read           = force_bredr_smp_read,
3360         .write          = force_bredr_smp_write,
3361         .llseek         = default_llseek,
3362 };
3363 
3364 static ssize_t le_min_key_size_read(struct file *file,
3365                                      char __user *user_buf,
3366                                      size_t count, loff_t *ppos)
3367 {
3368         struct hci_dev *hdev = file->private_data;
3369         char buf[4];
3370 
3371         snprintf(buf, sizeof(buf), "%2u\n", hdev->le_min_key_size);
3372 
3373         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3374 }
3375 
3376 static ssize_t le_min_key_size_write(struct file *file,
3377                                       const char __user *user_buf,
3378                                       size_t count, loff_t *ppos)
3379 {
3380         struct hci_dev *hdev = file->private_data;
3381         char buf[32];
3382         size_t buf_size = min(count, (sizeof(buf) - 1));
3383         u8 key_size;
3384 
3385         if (copy_from_user(buf, user_buf, buf_size))
3386                 return -EFAULT;
3387 
3388         buf[buf_size] = '\0';
3389 
3390         sscanf(buf, "%hhu", &key_size);
3391 
3392         if (key_size > hdev->le_max_key_size ||
3393             key_size < SMP_MIN_ENC_KEY_SIZE)
3394                 return -EINVAL;
3395 
3396         hdev->le_min_key_size = key_size;
3397 
3398         return count;
3399 }
3400 
3401 static const struct file_operations le_min_key_size_fops = {
3402         .open           = simple_open,
3403         .read           = le_min_key_size_read,
3404         .write          = le_min_key_size_write,
3405         .llseek         = default_llseek,
3406 };
3407 
3408 static ssize_t le_max_key_size_read(struct file *file,
3409                                      char __user *user_buf,
3410                                      size_t count, loff_t *ppos)
3411 {
3412         struct hci_dev *hdev = file->private_data;
3413         char buf[4];
3414 
3415         snprintf(buf, sizeof(buf), "%2u\n", hdev->le_max_key_size);
3416 
3417         return simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
3418 }
3419 
3420 static ssize_t le_max_key_size_write(struct file *file,
3421                                       const char __user *user_buf,
3422                                       size_t count, loff_t *ppos)
3423 {
3424         struct hci_dev *hdev = file->private_data;
3425         char buf[32];
3426         size_t buf_size = min(count, (sizeof(buf) - 1));
3427         u8 key_size;
3428 
3429         if (copy_from_user(buf, user_buf, buf_size))
3430                 return -EFAULT;
3431 
3432         buf[buf_size] = '\0';
3433 
3434         sscanf(buf, "%hhu", &key_size);
3435 
3436         if (key_size > SMP_MAX_ENC_KEY_SIZE ||
3437             key_size < hdev->le_min_key_size)
3438                 return -EINVAL;
3439 
3440         hdev->le_max_key_size = key_size;
3441 
3442         return count;
3443 }
3444 
3445 static const struct file_operations le_max_key_size_fops = {
3446         .open           = simple_open,
3447         .read           = le_max_key_size_read,
3448         .write          = le_max_key_size_write,
3449         .llseek         = default_llseek,
3450 };
3451 
3452 int smp_register(struct hci_dev *hdev)
3453 {
3454         struct l2cap_chan *chan;
3455 
3456         BT_DBG("%s", hdev->name);
3457 
3458         /* If the controller does not support Low Energy operation, then
3459          * there is also no need to register any SMP channel.
3460          */
3461         if (!lmp_le_capable(hdev))
3462                 return 0;
3463 
3464         if (WARN_ON(hdev->smp_data)) {
3465                 chan = hdev->smp_data;
3466                 hdev->smp_data = NULL;
3467                 smp_del_chan(chan);
3468         }
3469 
3470         chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3471         if (IS_ERR(chan))
3472                 return PTR_ERR(chan);
3473 
3474         hdev->smp_data = chan;
3475 
3476         debugfs_create_file("le_min_key_size", 0644, hdev->debugfs, hdev,
3477                             &le_min_key_size_fops);
3478         debugfs_create_file("le_max_key_size", 0644, hdev->debugfs, hdev,
3479                             &le_max_key_size_fops);
3480 
3481         /* If the controller does not support BR/EDR Secure Connections
3482          * feature, then the BR/EDR SMP channel shall not be present.
3483          *
3484          * To test this with Bluetooth 4.0 controllers, create a debugfs
3485          * switch that allows forcing BR/EDR SMP support and accepting
3486          * cross-transport pairing on non-AES encrypted connections.
3487          */
3488         if (!lmp_sc_capable(hdev)) {
3489                 debugfs_create_file("force_bredr_smp", 0644, hdev->debugfs,
3490                                     hdev, &force_bredr_smp_fops);
3491 
3492                 /* Flag can be already set here (due to power toggle) */
3493                 if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3494                         return 0;
3495         }
3496 
3497         if (WARN_ON(hdev->smp_bredr_data)) {
3498                 chan = hdev->smp_bredr_data;
3499                 hdev->smp_bredr_data = NULL;
3500                 smp_del_chan(chan);
3501         }
3502 
3503         chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3504         if (IS_ERR(chan)) {
3505                 int err = PTR_ERR(chan);
3506                 chan = hdev->smp_data;
3507                 hdev->smp_data = NULL;
3508                 smp_del_chan(chan);
3509                 return err;
3510         }
3511 
3512         hdev->smp_bredr_data = chan;
3513 
3514         return 0;
3515 }
3516 
3517 void smp_unregister(struct hci_dev *hdev)
3518 {
3519         struct l2cap_chan *chan;
3520 
3521         if (hdev->smp_bredr_data) {
3522                 chan = hdev->smp_bredr_data;
3523                 hdev->smp_bredr_data = NULL;
3524                 smp_del_chan(chan);
3525         }
3526 
3527         if (hdev->smp_data) {
3528                 chan = hdev->smp_data;
3529                 hdev->smp_data = NULL;
3530                 smp_del_chan(chan);
3531         }
3532 }
3533 
3534 #if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3535 
3536 static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3537 {
3538         u8 pk[64];
3539         int err;
3540 
3541         err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3542         if (err)
3543                 return err;
3544 
3545         err = generate_ecdh_public_key(tfm_ecdh, pk);
3546         if (err)
3547                 return err;
3548 
3549         if (crypto_memneq(pk, debug_pk, 64))
3550                 return -EINVAL;
3551 
3552         return 0;
3553 }
3554 
3555 static int __init test_ah(void)
3556 {
3557         const u8 irk[16] = {
3558                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3559                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3560         const u8 r[3] = { 0x94, 0x81, 0x70 };
3561         const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3562         u8 res[3];
3563         int err;
3564 
3565         err = smp_ah(irk, r, res);
3566         if (err)
3567                 return err;
3568 
3569         if (crypto_memneq(res, exp, 3))
3570                 return -EINVAL;
3571 
3572         return 0;
3573 }
3574 
3575 static int __init test_c1(void)
3576 {
3577         const u8 k[16] = {
3578                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3579                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3580         const u8 r[16] = {
3581                         0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3582                         0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3583         const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3584         const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3585         const u8 _iat = 0x01;
3586         const u8 _rat = 0x00;
3587         const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3588         const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3589         const u8 exp[16] = {
3590                         0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3591                         0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3592         u8 res[16];
3593         int err;
3594 
3595         err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3596         if (err)
3597                 return err;
3598 
3599         if (crypto_memneq(res, exp, 16))
3600                 return -EINVAL;
3601 
3602         return 0;
3603 }
3604 
3605 static int __init test_s1(void)
3606 {
3607         const u8 k[16] = {
3608                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3609                         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3610         const u8 r1[16] = {
3611                         0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3612         const u8 r2[16] = {
3613                         0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3614         const u8 exp[16] = {
3615                         0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3616                         0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3617         u8 res[16];
3618         int err;
3619 
3620         err = smp_s1(k, r1, r2, res);
3621         if (err)
3622                 return err;
3623 
3624         if (crypto_memneq(res, exp, 16))
3625                 return -EINVAL;
3626 
3627         return 0;
3628 }
3629 
3630 static int __init test_f4(struct crypto_shash *tfm_cmac)
3631 {
3632         const u8 u[32] = {
3633                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3634                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3635                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3636                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3637         const u8 v[32] = {
3638                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3639                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3640                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3641                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3642         const u8 x[16] = {
3643                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3644                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3645         const u8 z = 0x00;
3646         const u8 exp[16] = {
3647                         0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3648                         0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3649         u8 res[16];
3650         int err;
3651 
3652         err = smp_f4(tfm_cmac, u, v, x, z, res);
3653         if (err)
3654                 return err;
3655 
3656         if (crypto_memneq(res, exp, 16))
3657                 return -EINVAL;
3658 
3659         return 0;
3660 }
3661 
3662 static int __init test_f5(struct crypto_shash *tfm_cmac)
3663 {
3664         const u8 w[32] = {
3665                         0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3666                         0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3667                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3668                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3669         const u8 n1[16] = {
3670                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3671                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3672         const u8 n2[16] = {
3673                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3674                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3675         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3676         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3677         const u8 exp_ltk[16] = {
3678                         0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3679                         0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3680         const u8 exp_mackey[16] = {
3681                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3682                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3683         u8 mackey[16], ltk[16];
3684         int err;
3685 
3686         err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3687         if (err)
3688                 return err;
3689 
3690         if (crypto_memneq(mackey, exp_mackey, 16))
3691                 return -EINVAL;
3692 
3693         if (crypto_memneq(ltk, exp_ltk, 16))
3694                 return -EINVAL;
3695 
3696         return 0;
3697 }
3698 
3699 static int __init test_f6(struct crypto_shash *tfm_cmac)
3700 {
3701         const u8 w[16] = {
3702                         0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3703                         0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3704         const u8 n1[16] = {
3705                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3706                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3707         const u8 n2[16] = {
3708                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3709                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3710         const u8 r[16] = {
3711                         0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3712                         0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3713         const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3714         const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3715         const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3716         const u8 exp[16] = {
3717                         0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3718                         0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3719         u8 res[16];
3720         int err;
3721 
3722         err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3723         if (err)
3724                 return err;
3725 
3726         if (crypto_memneq(res, exp, 16))
3727                 return -EINVAL;
3728 
3729         return 0;
3730 }
3731 
3732 static int __init test_g2(struct crypto_shash *tfm_cmac)
3733 {
3734         const u8 u[32] = {
3735                         0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3736                         0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3737                         0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3738                         0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3739         const u8 v[32] = {
3740                         0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3741                         0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3742                         0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3743                         0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3744         const u8 x[16] = {
3745                         0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3746                         0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3747         const u8 y[16] = {
3748                         0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3749                         0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3750         const u32 exp_val = 0x2f9ed5ba % 1000000;
3751         u32 val;
3752         int err;
3753 
3754         err = smp_g2(tfm_cmac, u, v, x, y, &val);
3755         if (err)
3756                 return err;
3757 
3758         if (val != exp_val)
3759                 return -EINVAL;
3760 
3761         return 0;
3762 }
3763 
3764 static int __init test_h6(struct crypto_shash *tfm_cmac)
3765 {
3766         const u8 w[16] = {
3767                         0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3768                         0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3769         const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3770         const u8 exp[16] = {
3771                         0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3772                         0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3773         u8 res[16];
3774         int err;
3775 
3776         err = smp_h6(tfm_cmac, w, key_id, res);
3777         if (err)
3778                 return err;
3779 
3780         if (crypto_memneq(res, exp, 16))
3781                 return -EINVAL;
3782 
3783         return 0;
3784 }
3785 
3786 static char test_smp_buffer[32];
3787 
3788 static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3789                              size_t count, loff_t *ppos)
3790 {
3791         return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3792                                        strlen(test_smp_buffer));
3793 }
3794 
3795 static const struct file_operations test_smp_fops = {
3796         .open           = simple_open,
3797         .read           = test_smp_read,
3798         .llseek         = default_llseek,
3799 };
3800 
3801 static int __init run_selftests(struct crypto_shash *tfm_cmac,
3802                                 struct crypto_kpp *tfm_ecdh)
3803 {
3804         ktime_t calltime, delta, rettime;
3805         unsigned long long duration;
3806         int err;
3807 
3808         calltime = ktime_get();
3809 
3810         err = test_debug_key(tfm_ecdh);
3811         if (err) {
3812                 BT_ERR("debug_key test failed");
3813                 goto done;
3814         }
3815 
3816         err = test_ah();
3817         if (err) {
3818                 BT_ERR("smp_ah test failed");
3819                 goto done;
3820         }
3821 
3822         err = test_c1();
3823         if (err) {
3824                 BT_ERR("smp_c1 test failed");
3825                 goto done;
3826         }
3827 
3828         err = test_s1();
3829         if (err) {
3830                 BT_ERR("smp_s1 test failed");
3831                 goto done;
3832         }
3833 
3834         err = test_f4(tfm_cmac);
3835         if (err) {
3836                 BT_ERR("smp_f4 test failed");
3837                 goto done;
3838         }
3839 
3840         err = test_f5(tfm_cmac);
3841         if (err) {
3842                 BT_ERR("smp_f5 test failed");
3843                 goto done;
3844         }
3845 
3846         err = test_f6(tfm_cmac);
3847         if (err) {
3848                 BT_ERR("smp_f6 test failed");
3849                 goto done;
3850         }
3851 
3852         err = test_g2(tfm_cmac);
3853         if (err) {
3854                 BT_ERR("smp_g2 test failed");
3855                 goto done;
3856         }
3857 
3858         err = test_h6(tfm_cmac);
3859         if (err) {
3860                 BT_ERR("smp_h6 test failed");
3861                 goto done;
3862         }
3863 
3864         rettime = ktime_get();
3865         delta = ktime_sub(rettime, calltime);
3866         duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3867 
3868         BT_INFO("SMP test passed in %llu usecs", duration);
3869 
3870 done:
3871         if (!err)
3872                 snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3873                          "PASS (%llu usecs)\n", duration);
3874         else
3875                 snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3876 
3877         debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3878                             &test_smp_fops);
3879 
3880         return err;
3881 }
3882 
3883 int __init bt_selftest_smp(void)
3884 {
3885         struct crypto_shash *tfm_cmac;
3886         struct crypto_kpp *tfm_ecdh;
3887         int err;
3888 
3889         tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3890         if (IS_ERR(tfm_cmac)) {
3891                 BT_ERR("Unable to create CMAC crypto context");
3892                 return PTR_ERR(tfm_cmac);
3893         }
3894 
3895         tfm_ecdh = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
3896         if (IS_ERR(tfm_ecdh)) {
3897                 BT_ERR("Unable to create ECDH crypto context");
3898                 crypto_free_shash(tfm_cmac);
3899                 return PTR_ERR(tfm_ecdh);
3900         }
3901 
3902         err = run_selftests(tfm_cmac, tfm_ecdh);
3903 
3904         crypto_free_shash(tfm_cmac);
3905         crypto_free_kpp(tfm_ecdh);
3906 
3907         return err;
3908 }
3909 
3910 #endif

/* [<][>][^][v][top][bottom][index][help] */