1
/*
2
   BlueZ - Bluetooth protocol stack for Linux
3
   Copyright (C) 2011 Nokia Corporation and/or its subsidiary(-ies).
4

5
   This program is free software; you can redistribute it and/or modify
6
   it under the terms of the GNU General Public License version 2 as
7
   published by the Free Software Foundation;
8

9
   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
10
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
11
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
12
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
13
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
14
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17

18
   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
19
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
20
   SOFTWARE IS DISCLAIMED.
21
*/
22

23
#include <linux/debugfs.h>
24
#include <linux/scatterlist.h>
25
#include <crypto/aes.h>
26
#include <crypto/hash.h>
27
#include <crypto/kpp.h>
28
#include <crypto/utils.h>
29

30
#include <net/bluetooth/bluetooth.h>
31
#include <net/bluetooth/hci_core.h>
32
#include <net/bluetooth/l2cap.h>
33
#include <net/bluetooth/mgmt.h>
34

35
#include "ecdh_helper.h"
36
#include "smp.h"
37

38
#define SMP_DEV(hdev) \
39
	((struct smp_dev *)((struct l2cap_chan *)((hdev)->smp_data))->data)
40

41
/* Low-level debug macros to be used for stuff that we don't want
42
 * accidentally in dmesg, i.e. the values of the various crypto keys
43
 * and the inputs & outputs of crypto functions.
44
 */
45
#ifdef DEBUG
46
#define SMP_DBG(fmt, ...) printk(KERN_DEBUG "%s: " fmt, __func__, \
47
				 ##__VA_ARGS__)
48
#else
49
#define SMP_DBG(fmt, ...) no_printk(KERN_DEBUG "%s: " fmt, __func__, \
50
				    ##__VA_ARGS__)
51
#endif
52

53
#define SMP_ALLOW_CMD(smp, code)	set_bit(code, &smp->allow_cmd)
54

55
/* Keys which are not distributed with Secure Connections */
56
#define SMP_SC_NO_DIST (SMP_DIST_ENC_KEY | SMP_DIST_LINK_KEY)
57

58
#define SMP_TIMEOUT	secs_to_jiffies(30)
59

60
#define ID_ADDR_TIMEOUT	msecs_to_jiffies(200)
61

62
#define AUTH_REQ_MASK(dev)	(hci_dev_test_flag(dev, HCI_SC_ENABLED) ? \
63
				 0x3f : 0x07)
64
#define KEY_DIST_MASK		0x07
65

66
/* Maximum message length that can be passed to aes_cmac */
67
#define CMAC_MSG_MAX	80
68

69
enum {
70
	SMP_FLAG_TK_VALID,
71
	SMP_FLAG_CFM_PENDING,
72
	SMP_FLAG_MITM_AUTH,
73
	SMP_FLAG_COMPLETE,
74
	SMP_FLAG_INITIATOR,
75
	SMP_FLAG_SC,
76
	SMP_FLAG_REMOTE_PK,
77
	SMP_FLAG_DEBUG_KEY,
78
	SMP_FLAG_WAIT_USER,
79
	SMP_FLAG_DHKEY_PENDING,
80
	SMP_FLAG_REMOTE_OOB,
81
	SMP_FLAG_LOCAL_OOB,
82
	SMP_FLAG_CT2,
83
};
84

85
struct smp_dev {
86
	/* Secure Connections OOB data */
87
	bool			local_oob;
88
	u8			local_pk[64];
89
	u8			local_rand[16];
90
	bool			debug_key;
91

92
	struct crypto_shash	*tfm_cmac;
93
	struct crypto_kpp	*tfm_ecdh;
94
};
95

96
struct smp_chan {
97
	struct l2cap_conn	*conn;
98
	struct delayed_work	security_timer;
99
	unsigned long           allow_cmd; /* Bitmask of allowed commands */
100

101
	u8		preq[7]; /* SMP Pairing Request */
102
	u8		prsp[7]; /* SMP Pairing Response */
103
	u8		prnd[16]; /* SMP Pairing Random (local) */
104
	u8		rrnd[16]; /* SMP Pairing Random (remote) */
105
	u8		pcnf[16]; /* SMP Pairing Confirm */
106
	u8		tk[16]; /* SMP Temporary Key */
107
	u8		rr[16]; /* Remote OOB ra/rb value */
108
	u8		lr[16]; /* Local OOB ra/rb value */
109
	u8		enc_key_size;
110
	u8		remote_key_dist;
111
	bdaddr_t	id_addr;
112
	u8		id_addr_type;
113
	u8		irk[16];
114
	struct smp_csrk	*csrk;
115
	struct smp_csrk	*responder_csrk;
116
	struct smp_ltk	*ltk;
117
	struct smp_ltk	*responder_ltk;
118
	struct smp_irk	*remote_irk;
119
	u8		*link_key;
120
	unsigned long	flags;
121
	u8		method;
122
	u8		passkey_round;
123

124
	/* Secure Connections variables */
125
	u8			local_pk[64];
126
	u8			remote_pk[64];
127
	u8			dhkey[32];
128
	u8			mackey[16];
129

130
	struct crypto_shash	*tfm_cmac;
131
	struct crypto_kpp	*tfm_ecdh;
132
};
133

134
/* These debug key values are defined in the SMP section of the core
135
 * specification. debug_pk is the public debug key and debug_sk the
136
 * private debug key.
137
 */
138
static const u8 debug_pk[64] = {
139
		0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
140
		0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
141
		0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
142
		0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20,
143

144
		0x8b, 0xd2, 0x89, 0x15, 0xd0, 0x8e, 0x1c, 0x74,
145
		0x24, 0x30, 0xed, 0x8f, 0xc2, 0x45, 0x63, 0x76,
146
		0x5c, 0x15, 0x52, 0x5a, 0xbf, 0x9a, 0x32, 0x63,
147
		0x6d, 0xeb, 0x2a, 0x65, 0x49, 0x9c, 0x80, 0xdc,
148
};
149

150
static const u8 debug_sk[32] = {
151
		0xbd, 0x1a, 0x3c, 0xcd, 0xa6, 0xb8, 0x99, 0x58,
152
		0x99, 0xb7, 0x40, 0xeb, 0x7b, 0x60, 0xff, 0x4a,
153
		0x50, 0x3f, 0x10, 0xd2, 0xe3, 0xb3, 0xc9, 0x74,
154
		0x38, 0x5f, 0xc5, 0xa3, 0xd4, 0xf6, 0x49, 0x3f,
155
};
156

157
static inline void swap_buf(const u8 *src, u8 *dst, size_t len)
158
{
159
	size_t i;
160

161
	for (i = 0; i < len; i++)
162
		dst[len - 1 - i] = src[i];
163
}
164

165
/* The following functions map to the LE SC SMP crypto functions
166
 * AES-CMAC, f4, f5, f6, g2 and h6.
167
 */
168

169
static int aes_cmac(struct crypto_shash *tfm, const u8 k[16], const u8 *m,
170
		    size_t len, u8 mac[16])
171
{
172
	uint8_t tmp[16], mac_msb[16], msg_msb[CMAC_MSG_MAX];
173
	int err;
174

175
	if (len > CMAC_MSG_MAX)
176
		return -EFBIG;
177

178
	if (!tfm) {
179
		BT_ERR("tfm %p", tfm);
180
		return -EINVAL;
181
	}
182

183
	/* Swap key and message from LSB to MSB */
184
	swap_buf(k, tmp, 16);
185
	swap_buf(m, msg_msb, len);
186

187
	SMP_DBG("msg (len %zu) %*phN", len, (int) len, m);
188
	SMP_DBG("key %16phN", k);
189

190
	err = crypto_shash_setkey(tfm, tmp, 16);
191
	if (err) {
192
		BT_ERR("cipher setkey failed: %d", err);
193
		return err;
194
	}
195

196
	err = crypto_shash_tfm_digest(tfm, msg_msb, len, mac_msb);
197
	if (err) {
198
		BT_ERR("Hash computation error %d", err);
199
		return err;
200
	}
201

202
	swap_buf(mac_msb, mac, 16);
203

204
	SMP_DBG("mac %16phN", mac);
205

206
	return 0;
207
}
208

209
static int smp_f4(struct crypto_shash *tfm_cmac, const u8 u[32],
210
		  const u8 v[32], const u8 x[16], u8 z, u8 res[16])
211
{
212
	u8 m[65];
213
	int err;
214

215
	SMP_DBG("u %32phN", u);
216
	SMP_DBG("v %32phN", v);
217
	SMP_DBG("x %16phN z %02x", x, z);
218

219
	m[0] = z;
220
	memcpy(m + 1, v, 32);
221
	memcpy(m + 33, u, 32);
222

223
	err = aes_cmac(tfm_cmac, x, m, sizeof(m), res);
224
	if (err)
225
		return err;
226

227
	SMP_DBG("res %16phN", res);
228

229
	return err;
230
}
231

232
static int smp_f5(struct crypto_shash *tfm_cmac, const u8 w[32],
233
		  const u8 n1[16], const u8 n2[16], const u8 a1[7],
234
		  const u8 a2[7], u8 mackey[16], u8 ltk[16])
235
{
236
	/* The btle, salt and length "magic" values are as defined in
237
	 * the SMP section of the Bluetooth core specification. In ASCII
238
	 * the btle value ends up being 'btle'. The salt is just a
239
	 * random number whereas length is the value 256 in little
240
	 * endian format.
241
	 */
242
	const u8 btle[4] = { 0x65, 0x6c, 0x74, 0x62 };
243
	const u8 salt[16] = { 0xbe, 0x83, 0x60, 0x5a, 0xdb, 0x0b, 0x37, 0x60,
244
			      0x38, 0xa5, 0xf5, 0xaa, 0x91, 0x83, 0x88, 0x6c };
245
	const u8 length[2] = { 0x00, 0x01 };
246
	u8 m[53], t[16];
247
	int err;
248

249
	SMP_DBG("w %32phN", w);
250
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
251
	SMP_DBG("a1 %7phN a2 %7phN", a1, a2);
252

253
	err = aes_cmac(tfm_cmac, salt, w, 32, t);
254
	if (err)
255
		return err;
256

257
	SMP_DBG("t %16phN", t);
258

259
	memcpy(m, length, 2);
260
	memcpy(m + 2, a2, 7);
261
	memcpy(m + 9, a1, 7);
262
	memcpy(m + 16, n2, 16);
263
	memcpy(m + 32, n1, 16);
264
	memcpy(m + 48, btle, 4);
265

266
	m[52] = 0; /* Counter */
267

268
	err = aes_cmac(tfm_cmac, t, m, sizeof(m), mackey);
269
	if (err)
270
		return err;
271

272
	SMP_DBG("mackey %16phN", mackey);
273

274
	m[52] = 1; /* Counter */
275

276
	err = aes_cmac(tfm_cmac, t, m, sizeof(m), ltk);
277
	if (err)
278
		return err;
279

280
	SMP_DBG("ltk %16phN", ltk);
281

282
	return 0;
283
}
284

285
static int smp_f6(struct crypto_shash *tfm_cmac, const u8 w[16],
286
		  const u8 n1[16], const u8 n2[16], const u8 r[16],
287
		  const u8 io_cap[3], const u8 a1[7], const u8 a2[7],
288
		  u8 res[16])
289
{
290
	u8 m[65];
291
	int err;
292

293
	SMP_DBG("w %16phN", w);
294
	SMP_DBG("n1 %16phN n2 %16phN", n1, n2);
295
	SMP_DBG("r %16phN io_cap %3phN a1 %7phN a2 %7phN", r, io_cap, a1, a2);
296

297
	memcpy(m, a2, 7);
298
	memcpy(m + 7, a1, 7);
299
	memcpy(m + 14, io_cap, 3);
300
	memcpy(m + 17, r, 16);
301
	memcpy(m + 33, n2, 16);
302
	memcpy(m + 49, n1, 16);
303

304
	err = aes_cmac(tfm_cmac, w, m, sizeof(m), res);
305
	if (err)
306
		return err;
307

308
	SMP_DBG("res %16phN", res);
309

310
	return err;
311
}
312

313
static int smp_g2(struct crypto_shash *tfm_cmac, const u8 u[32], const u8 v[32],
314
		  const u8 x[16], const u8 y[16], u32 *val)
315
{
316
	u8 m[80], tmp[16];
317
	int err;
318

319
	SMP_DBG("u %32phN", u);
320
	SMP_DBG("v %32phN", v);
321
	SMP_DBG("x %16phN y %16phN", x, y);
322

323
	memcpy(m, y, 16);
324
	memcpy(m + 16, v, 32);
325
	memcpy(m + 48, u, 32);
326

327
	err = aes_cmac(tfm_cmac, x, m, sizeof(m), tmp);
328
	if (err)
329
		return err;
330

331
	*val = get_unaligned_le32(tmp);
332
	*val %= 1000000;
333

334
	SMP_DBG("val %06u", *val);
335

336
	return 0;
337
}
338

339
static int smp_h6(struct crypto_shash *tfm_cmac, const u8 w[16],
340
		  const u8 key_id[4], u8 res[16])
341
{
342
	int err;
343

344
	SMP_DBG("w %16phN key_id %4phN", w, key_id);
345

346
	err = aes_cmac(tfm_cmac, w, key_id, 4, res);
347
	if (err)
348
		return err;
349

350
	SMP_DBG("res %16phN", res);
351

352
	return err;
353
}
354

355
static int smp_h7(struct crypto_shash *tfm_cmac, const u8 w[16],
356
		  const u8 salt[16], u8 res[16])
357
{
358
	int err;
359

360
	SMP_DBG("w %16phN salt %16phN", w, salt);
361

362
	err = aes_cmac(tfm_cmac, salt, w, 16, res);
363
	if (err)
364
		return err;
365

366
	SMP_DBG("res %16phN", res);
367

368
	return err;
369
}
370

371
/* The following functions map to the legacy SMP crypto functions e, c1,
372
 * s1 and ah.
373
 */
374

375
static int smp_e(const u8 *k, u8 *r)
376
{
377
	struct crypto_aes_ctx ctx;
378
	uint8_t tmp[16], data[16];
379
	int err;
380

381
	SMP_DBG("k %16phN r %16phN", k, r);
382

383
	/* The most significant octet of key corresponds to k[0] */
384
	swap_buf(k, tmp, 16);
385

386
	err = aes_expandkey(&ctx, tmp, 16);
387
	if (err) {
388
		BT_ERR("cipher setkey failed: %d", err);
389
		return err;
390
	}
391

392
	/* Most significant octet of plaintextData corresponds to data[0] */
393
	swap_buf(r, data, 16);
394

395
	aes_encrypt(&ctx, data, data);
396

397
	/* Most significant octet of encryptedData corresponds to data[0] */
398
	swap_buf(data, r, 16);
399

400
	SMP_DBG("r %16phN", r);
401

402
	memzero_explicit(&ctx, sizeof(ctx));
403
	return err;
404
}
405

406
static int smp_c1(const u8 k[16],
407
		  const u8 r[16], const u8 preq[7], const u8 pres[7], u8 _iat,
408
		  const bdaddr_t *ia, u8 _rat, const bdaddr_t *ra, u8 res[16])
409
{
410
	u8 p1[16], p2[16];
411
	int err;
412

413
	SMP_DBG("k %16phN r %16phN", k, r);
414
	SMP_DBG("iat %u ia %6phN rat %u ra %6phN", _iat, ia, _rat, ra);
415
	SMP_DBG("preq %7phN pres %7phN", preq, pres);
416

417
	memset(p1, 0, 16);
418

419
	/* p1 = pres || preq || _rat || _iat */
420
	p1[0] = _iat;
421
	p1[1] = _rat;
422
	memcpy(p1 + 2, preq, 7);
423
	memcpy(p1 + 9, pres, 7);
424

425
	SMP_DBG("p1 %16phN", p1);
426

427
	/* res = r XOR p1 */
428
	crypto_xor_cpy(res, r, p1, sizeof(p1));
429

430
	/* res = e(k, res) */
431
	err = smp_e(k, res);
432
	if (err) {
433
		BT_ERR("Encrypt data error");
434
		return err;
435
	}
436

437
	/* p2 = padding || ia || ra */
438
	memcpy(p2, ra, 6);
439
	memcpy(p2 + 6, ia, 6);
440
	memset(p2 + 12, 0, 4);
441

442
	SMP_DBG("p2 %16phN", p2);
443

444
	/* res = res XOR p2 */
445
	crypto_xor(res, p2, sizeof(p2));
446

447
	/* res = e(k, res) */
448
	err = smp_e(k, res);
449
	if (err)
450
		BT_ERR("Encrypt data error");
451

452
	return err;
453
}
454

455
static int smp_s1(const u8 k[16],
456
		  const u8 r1[16], const u8 r2[16], u8 _r[16])
457
{
458
	int err;
459

460
	/* Just least significant octets from r1 and r2 are considered */
461
	memcpy(_r, r2, 8);
462
	memcpy(_r + 8, r1, 8);
463

464
	err = smp_e(k, _r);
465
	if (err)
466
		BT_ERR("Encrypt data error");
467

468
	return err;
469
}
470

471
static int smp_ah(const u8 irk[16], const u8 r[3], u8 res[3])
472
{
473
	u8 _res[16];
474
	int err;
475

476
	/* r' = padding || r */
477
	memcpy(_res, r, 3);
478
	memset(_res + 3, 0, 13);
479

480
	err = smp_e(irk, _res);
481
	if (err) {
482
		BT_ERR("Encrypt error");
483
		return err;
484
	}
485

486
	/* The output of the random address function ah is:
487
	 *	ah(k, r) = e(k, r') mod 2^24
488
	 * The output of the security function e is then truncated to 24 bits
489
	 * by taking the least significant 24 bits of the output of e as the
490
	 * result of ah.
491
	 */
492
	memcpy(res, _res, 3);
493

494
	return 0;
495
}
496

497
bool smp_irk_matches(struct hci_dev *hdev, const u8 irk[16],
498
		     const bdaddr_t *bdaddr)
499
{
500
	struct l2cap_chan *chan = hdev->smp_data;
501
	u8 hash[3];
502
	int err;
503

504
	if (!chan || !chan->data)
505
		return false;
506

507
	bt_dev_dbg(hdev, "RPA %pMR IRK %*phN", bdaddr, 16, irk);
508

509
	err = smp_ah(irk, &bdaddr->b[3], hash);
510
	if (err)
511
		return false;
512

513
	return !crypto_memneq(bdaddr->b, hash, 3);
514
}
515

516
int smp_generate_rpa(struct hci_dev *hdev, const u8 irk[16], bdaddr_t *rpa)
517
{
518
	struct l2cap_chan *chan = hdev->smp_data;
519
	int err;
520

521
	if (!chan || !chan->data)
522
		return -EOPNOTSUPP;
523

524
	get_random_bytes(&rpa->b[3], 3);
525

526
	rpa->b[5] &= 0x3f;	/* Clear two most significant bits */
527
	rpa->b[5] |= 0x40;	/* Set second most significant bit */
528

529
	err = smp_ah(irk, &rpa->b[3], rpa->b);
530
	if (err < 0)
531
		return err;
532

533
	bt_dev_dbg(hdev, "RPA %pMR", rpa);
534

535
	return 0;
536
}
537

538
int smp_generate_oob(struct hci_dev *hdev, u8 hash[16], u8 rand[16])
539
{
540
	struct l2cap_chan *chan = hdev->smp_data;
541
	struct smp_dev *smp;
542
	int err;
543

544
	if (!chan || !chan->data)
545
		return -EOPNOTSUPP;
546

547
	smp = chan->data;
548

549
	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
550
		bt_dev_dbg(hdev, "Using debug keys");
551
		err = set_ecdh_privkey(smp->tfm_ecdh, debug_sk);
552
		if (err)
553
			return err;
554
		memcpy(smp->local_pk, debug_pk, 64);
555
		smp->debug_key = true;
556
	} else {
557
		while (true) {
558
			/* Generate key pair for Secure Connections */
559
			err = generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk);
560
			if (err)
561
				return err;
562

563
			/* This is unlikely, but we need to check that
564
			 * we didn't accidentally generate a debug key.
565
			 */
566
			if (crypto_memneq(smp->local_pk, debug_pk, 64))
567
				break;
568
		}
569
		smp->debug_key = false;
570
	}
571

572
	SMP_DBG("OOB Public Key X: %32phN", smp->local_pk);
573
	SMP_DBG("OOB Public Key Y: %32phN", smp->local_pk + 32);
574

575
	get_random_bytes(smp->local_rand, 16);
576

577
	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->local_pk,
578
		     smp->local_rand, 0, hash);
579
	if (err < 0)
580
		return err;
581

582
	memcpy(rand, smp->local_rand, 16);
583

584
	smp->local_oob = true;
585

586
	return 0;
587
}
588

589
static void smp_send_cmd(struct l2cap_conn *conn, u8 code, u16 len, void *data)
590
{
591
	struct l2cap_chan *chan = conn->smp;
592
	struct smp_chan *smp;
593
	struct kvec iv[2];
594
	struct msghdr msg;
595

596
	if (!chan)
597
		return;
598

599
	bt_dev_dbg(conn->hcon->hdev, "code 0x%2.2x", code);
600

601
	iv[0].iov_base = &code;
602
	iv[0].iov_len = 1;
603

604
	iv[1].iov_base = data;
605
	iv[1].iov_len = len;
606

607
	memset(&msg, 0, sizeof(msg));
608

609
	iov_iter_kvec(&msg.msg_iter, ITER_SOURCE, iv, 2, 1 + len);
610

611
	l2cap_chan_send(chan, &msg, 1 + len, NULL);
612

613
	if (!chan->data)
614
		return;
615

616
	smp = chan->data;
617

618
	cancel_delayed_work_sync(&smp->security_timer);
619
	schedule_delayed_work(&smp->security_timer, SMP_TIMEOUT);
620
}
621

622
static u8 authreq_to_seclevel(u8 authreq)
623
{
624
	if (authreq & SMP_AUTH_MITM) {
625
		if (authreq & SMP_AUTH_SC)
626
			return BT_SECURITY_FIPS;
627
		else
628
			return BT_SECURITY_HIGH;
629
	} else {
630
		return BT_SECURITY_MEDIUM;
631
	}
632
}
633

634
static __u8 seclevel_to_authreq(__u8 sec_level)
635
{
636
	switch (sec_level) {
637
	case BT_SECURITY_FIPS:
638
	case BT_SECURITY_HIGH:
639
		return SMP_AUTH_MITM | SMP_AUTH_BONDING;
640
	case BT_SECURITY_MEDIUM:
641
		return SMP_AUTH_BONDING;
642
	default:
643
		return SMP_AUTH_NONE;
644
	}
645
}
646

647
static void build_pairing_cmd(struct l2cap_conn *conn,
648
			      struct smp_cmd_pairing *req,
649
			      struct smp_cmd_pairing *rsp, __u8 authreq)
650
{
651
	struct l2cap_chan *chan = conn->smp;
652
	struct smp_chan *smp = chan->data;
653
	struct hci_conn *hcon = conn->hcon;
654
	struct hci_dev *hdev = hcon->hdev;
655
	u8 local_dist = 0, remote_dist = 0, oob_flag = SMP_OOB_NOT_PRESENT;
656

657
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
658
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
659
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
660
		authreq |= SMP_AUTH_BONDING;
661
	} else {
662
		authreq &= ~SMP_AUTH_BONDING;
663
	}
664

665
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
666
		remote_dist |= SMP_DIST_ID_KEY;
667

668
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
669
		local_dist |= SMP_DIST_ID_KEY;
670

671
	if (hci_dev_test_flag(hdev, HCI_SC_ENABLED) &&
672
	    (authreq & SMP_AUTH_SC)) {
673
		struct oob_data *oob_data;
674
		u8 bdaddr_type;
675

676
		if (hci_dev_test_flag(hdev, HCI_SSP_ENABLED)) {
677
			local_dist |= SMP_DIST_LINK_KEY;
678
			remote_dist |= SMP_DIST_LINK_KEY;
679
		}
680

681
		if (hcon->dst_type == ADDR_LE_DEV_PUBLIC)
682
			bdaddr_type = BDADDR_LE_PUBLIC;
683
		else
684
			bdaddr_type = BDADDR_LE_RANDOM;
685

686
		oob_data = hci_find_remote_oob_data(hdev, &hcon->dst,
687
						    bdaddr_type);
688
		if (oob_data && oob_data->present) {
689
			set_bit(SMP_FLAG_REMOTE_OOB, &smp->flags);
690
			oob_flag = SMP_OOB_PRESENT;
691
			memcpy(smp->rr, oob_data->rand256, 16);
692
			memcpy(smp->pcnf, oob_data->hash256, 16);
693
			SMP_DBG("OOB Remote Confirmation: %16phN", smp->pcnf);
694
			SMP_DBG("OOB Remote Random: %16phN", smp->rr);
695
		}
696

697
	} else {
698
		authreq &= ~SMP_AUTH_SC;
699
	}
700

701
	if (rsp == NULL) {
702
		req->io_capability = conn->hcon->io_capability;
703
		req->oob_flag = oob_flag;
704
		req->max_key_size = hdev->le_max_key_size;
705
		req->init_key_dist = local_dist;
706
		req->resp_key_dist = remote_dist;
707
		req->auth_req = (authreq & AUTH_REQ_MASK(hdev));
708

709
		smp->remote_key_dist = remote_dist;
710
		return;
711
	}
712

713
	rsp->io_capability = conn->hcon->io_capability;
714
	rsp->oob_flag = oob_flag;
715
	rsp->max_key_size = hdev->le_max_key_size;
716
	rsp->init_key_dist = req->init_key_dist & remote_dist;
717
	rsp->resp_key_dist = req->resp_key_dist & local_dist;
718
	rsp->auth_req = (authreq & AUTH_REQ_MASK(hdev));
719

720
	smp->remote_key_dist = rsp->init_key_dist;
721
}
722

723
static u8 check_enc_key_size(struct l2cap_conn *conn, __u8 max_key_size)
724
{
725
	struct l2cap_chan *chan = conn->smp;
726
	struct hci_dev *hdev = conn->hcon->hdev;
727
	struct smp_chan *smp = chan->data;
728

729
	if (conn->hcon->pending_sec_level == BT_SECURITY_FIPS &&
730
	    max_key_size != SMP_MAX_ENC_KEY_SIZE)
731
		return SMP_ENC_KEY_SIZE;
732

733
	if (max_key_size > hdev->le_max_key_size ||
734
	    max_key_size < SMP_MIN_ENC_KEY_SIZE)
735
		return SMP_ENC_KEY_SIZE;
736

737
	smp->enc_key_size = max_key_size;
738

739
	return 0;
740
}
741

742
static void smp_chan_destroy(struct l2cap_conn *conn)
743
{
744
	struct l2cap_chan *chan = conn->smp;
745
	struct smp_chan *smp = chan->data;
746
	struct hci_conn *hcon = conn->hcon;
747
	bool complete;
748

749
	BUG_ON(!smp);
750

751
	cancel_delayed_work_sync(&smp->security_timer);
752

753
	complete = test_bit(SMP_FLAG_COMPLETE, &smp->flags);
754
	mgmt_smp_complete(hcon, complete);
755

756
	kfree_sensitive(smp->csrk);
757
	kfree_sensitive(smp->responder_csrk);
758
	kfree_sensitive(smp->link_key);
759

760
	crypto_free_shash(smp->tfm_cmac);
761
	crypto_free_kpp(smp->tfm_ecdh);
762

763
	/* Ensure that we don't leave any debug key around if debug key
764
	 * support hasn't been explicitly enabled.
765
	 */
766
	if (smp->ltk && smp->ltk->type == SMP_LTK_P256_DEBUG &&
767
	    !hci_dev_test_flag(hcon->hdev, HCI_KEEP_DEBUG_KEYS)) {
768
		list_del_rcu(&smp->ltk->list);
769
		kfree_rcu(smp->ltk, rcu);
770
		smp->ltk = NULL;
771
	}
772

773
	/* If pairing failed clean up any keys we might have */
774
	if (!complete) {
775
		if (smp->ltk) {
776
			list_del_rcu(&smp->ltk->list);
777
			kfree_rcu(smp->ltk, rcu);
778
		}
779

780
		if (smp->responder_ltk) {
781
			list_del_rcu(&smp->responder_ltk->list);
782
			kfree_rcu(smp->responder_ltk, rcu);
783
		}
784

785
		if (smp->remote_irk) {
786
			list_del_rcu(&smp->remote_irk->list);
787
			kfree_rcu(smp->remote_irk, rcu);
788
		}
789
	}
790

791
	chan->data = NULL;
792
	kfree_sensitive(smp);
793
	hci_conn_drop(hcon);
794
}
795

796
static void smp_failure(struct l2cap_conn *conn, u8 reason)
797
{
798
	struct hci_conn *hcon = conn->hcon;
799
	struct l2cap_chan *chan = conn->smp;
800

801
	if (reason)
802
		smp_send_cmd(conn, SMP_CMD_PAIRING_FAIL, sizeof(reason),
803
			     &reason);
804

805
	mgmt_auth_failed(hcon, HCI_ERROR_AUTH_FAILURE);
806

807
	if (chan->data)
808
		smp_chan_destroy(conn);
809
}
810

811
#define JUST_WORKS	0x00
812
#define JUST_CFM	0x01
813
#define REQ_PASSKEY	0x02
814
#define CFM_PASSKEY	0x03
815
#define REQ_OOB		0x04
816
#define DSP_PASSKEY	0x05
817
#define OVERLAP		0xFF
818

819
static const u8 gen_method[5][5] = {
820
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
821
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
822
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
823
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
824
	{ CFM_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, OVERLAP     },
825
};
826

827
static const u8 sc_method[5][5] = {
828
	{ JUST_WORKS,  JUST_CFM,    REQ_PASSKEY, JUST_WORKS, REQ_PASSKEY },
829
	{ JUST_WORKS,  CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
830
	{ DSP_PASSKEY, DSP_PASSKEY, REQ_PASSKEY, JUST_WORKS, DSP_PASSKEY },
831
	{ JUST_WORKS,  JUST_CFM,    JUST_WORKS,  JUST_WORKS, JUST_CFM    },
832
	{ DSP_PASSKEY, CFM_PASSKEY, REQ_PASSKEY, JUST_WORKS, CFM_PASSKEY },
833
};
834

835
static u8 get_auth_method(struct smp_chan *smp, u8 local_io, u8 remote_io)
836
{
837
	/* If either side has unknown io_caps, use JUST_CFM (which gets
838
	 * converted later to JUST_WORKS if we're initiators.
839
	 */
840
	if (local_io > SMP_IO_KEYBOARD_DISPLAY ||
841
	    remote_io > SMP_IO_KEYBOARD_DISPLAY)
842
		return JUST_CFM;
843

844
	if (test_bit(SMP_FLAG_SC, &smp->flags))
845
		return sc_method[remote_io][local_io];
846

847
	return gen_method[remote_io][local_io];
848
}
849

850
static int tk_request(struct l2cap_conn *conn, u8 remote_oob, u8 auth,
851
						u8 local_io, u8 remote_io)
852
{
853
	struct hci_conn *hcon = conn->hcon;
854
	struct l2cap_chan *chan = conn->smp;
855
	struct smp_chan *smp = chan->data;
856
	u32 passkey = 0;
857
	int ret;
858

859
	/* Initialize key for JUST WORKS */
860
	memset(smp->tk, 0, sizeof(smp->tk));
861
	clear_bit(SMP_FLAG_TK_VALID, &smp->flags);
862

863
	bt_dev_dbg(hcon->hdev, "auth:%u lcl:%u rem:%u", auth, local_io,
864
		   remote_io);
865

866
	/* If neither side wants MITM, either "just" confirm an incoming
867
	 * request or use just-works for outgoing ones. The JUST_CFM
868
	 * will be converted to JUST_WORKS if necessary later in this
869
	 * function. If either side has MITM look up the method from the
870
	 * table.
871
	 */
872
	if (!(auth & SMP_AUTH_MITM))
873
		smp->method = JUST_CFM;
874
	else
875
		smp->method = get_auth_method(smp, local_io, remote_io);
876

877
	/* Don't confirm locally initiated pairing attempts */
878
	if (smp->method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR,
879
						&smp->flags))
880
		smp->method = JUST_WORKS;
881

882
	/* Don't bother user space with no IO capabilities */
883
	if (smp->method == JUST_CFM &&
884
	    hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
885
		smp->method = JUST_WORKS;
886

887
	/* If Just Works, Continue with Zero TK and ask user-space for
888
	 * confirmation */
889
	if (smp->method == JUST_WORKS) {
890
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
891
						hcon->type,
892
						hcon->dst_type,
893
						passkey, 1);
894
		if (ret)
895
			return ret;
896
		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
897
		return 0;
898
	}
899

900
	/* If this function is used for SC -> legacy fallback we
901
	 * can only recover the just-works case.
902
	 */
903
	if (test_bit(SMP_FLAG_SC, &smp->flags))
904
		return -EINVAL;
905

906
	/* Not Just Works/Confirm results in MITM Authentication */
907
	if (smp->method != JUST_CFM) {
908
		set_bit(SMP_FLAG_MITM_AUTH, &smp->flags);
909
		if (hcon->pending_sec_level < BT_SECURITY_HIGH)
910
			hcon->pending_sec_level = BT_SECURITY_HIGH;
911
	}
912

913
	/* If both devices have Keyboard-Display I/O, the initiator
914
	 * Confirms and the responder Enters the passkey.
915
	 */
916
	if (smp->method == OVERLAP) {
917
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
918
			smp->method = CFM_PASSKEY;
919
		else
920
			smp->method = REQ_PASSKEY;
921
	}
922

923
	/* Generate random passkey. */
924
	if (smp->method == CFM_PASSKEY) {
925
		memset(smp->tk, 0, sizeof(smp->tk));
926
		get_random_bytes(&passkey, sizeof(passkey));
927
		passkey %= 1000000;
928
		put_unaligned_le32(passkey, smp->tk);
929
		bt_dev_dbg(hcon->hdev, "PassKey: %u", passkey);
930
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
931
	}
932

933
	if (smp->method == REQ_PASSKEY)
934
		ret = mgmt_user_passkey_request(hcon->hdev, &hcon->dst,
935
						hcon->type, hcon->dst_type);
936
	else if (smp->method == JUST_CFM)
937
		ret = mgmt_user_confirm_request(hcon->hdev, &hcon->dst,
938
						hcon->type, hcon->dst_type,
939
						passkey, 1);
940
	else
941
		ret = mgmt_user_passkey_notify(hcon->hdev, &hcon->dst,
942
						hcon->type, hcon->dst_type,
943
						passkey, 0);
944

945
	return ret;
946
}
947

948
static u8 smp_confirm(struct smp_chan *smp)
949
{
950
	struct l2cap_conn *conn = smp->conn;
951
	struct smp_cmd_pairing_confirm cp;
952
	int ret;
953

954
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
955

956
	ret = smp_c1(smp->tk, smp->prnd, smp->preq, smp->prsp,
957
		     conn->hcon->init_addr_type, &conn->hcon->init_addr,
958
		     conn->hcon->resp_addr_type, &conn->hcon->resp_addr,
959
		     cp.confirm_val);
960
	if (ret)
961
		return SMP_UNSPECIFIED;
962

963
	clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
964

965
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cp), &cp);
966

967
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
968
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
969
	else
970
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
971

972
	return 0;
973
}
974

975
static u8 smp_random(struct smp_chan *smp)
976
{
977
	struct l2cap_conn *conn = smp->conn;
978
	struct hci_conn *hcon = conn->hcon;
979
	u8 confirm[16];
980
	int ret;
981

982
	bt_dev_dbg(conn->hcon->hdev, "conn %p %s", conn,
983
		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
984
		   "responder");
985

986
	ret = smp_c1(smp->tk, smp->rrnd, smp->preq, smp->prsp,
987
		     hcon->init_addr_type, &hcon->init_addr,
988
		     hcon->resp_addr_type, &hcon->resp_addr, confirm);
989
	if (ret)
990
		return SMP_UNSPECIFIED;
991

992
	if (crypto_memneq(smp->pcnf, confirm, sizeof(smp->pcnf))) {
993
		bt_dev_err(hcon->hdev, "pairing failed "
994
			   "(confirmation values mismatch)");
995
		return SMP_CONFIRM_FAILED;
996
	}
997

998
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
999
		u8 stk[16];
1000
		__le64 rand = 0;
1001
		__le16 ediv = 0;
1002

1003
		smp_s1(smp->tk, smp->rrnd, smp->prnd, stk);
1004

1005
		if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
1006
			return SMP_UNSPECIFIED;
1007

1008
		hci_le_start_enc(hcon, ediv, rand, stk, smp->enc_key_size);
1009
		hcon->enc_key_size = smp->enc_key_size;
1010
		set_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
1011
	} else {
1012
		u8 stk[16], auth;
1013
		__le64 rand = 0;
1014
		__le16 ediv = 0;
1015

1016
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
1017
			     smp->prnd);
1018

1019
		smp_s1(smp->tk, smp->prnd, smp->rrnd, stk);
1020

1021
		if (hcon->pending_sec_level == BT_SECURITY_HIGH)
1022
			auth = 1;
1023
		else
1024
			auth = 0;
1025

1026
		/* Even though there's no _RESPONDER suffix this is the
1027
		 * responder STK we're adding for later lookup (the initiator
1028
		 * STK never needs to be stored).
1029
		 */
1030
		hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1031
			    SMP_STK, auth, stk, smp->enc_key_size, ediv, rand);
1032
	}
1033

1034
	return 0;
1035
}
1036

1037
static void smp_notify_keys(struct l2cap_conn *conn)
1038
{
1039
	struct l2cap_chan *chan = conn->smp;
1040
	struct smp_chan *smp = chan->data;
1041
	struct hci_conn *hcon = conn->hcon;
1042
	struct hci_dev *hdev = hcon->hdev;
1043
	struct smp_cmd_pairing *req = (void *) &smp->preq[1];
1044
	struct smp_cmd_pairing *rsp = (void *) &smp->prsp[1];
1045
	bool persistent;
1046

1047
	if (hcon->type == ACL_LINK) {
1048
		if (hcon->key_type == HCI_LK_DEBUG_COMBINATION)
1049
			persistent = false;
1050
		else
1051
			persistent = !test_bit(HCI_CONN_FLUSH_KEY,
1052
					       &hcon->flags);
1053
	} else {
1054
		/* The LTKs, IRKs and CSRKs should be persistent only if
1055
		 * both sides had the bonding bit set in their
1056
		 * authentication requests.
1057
		 */
1058
		persistent = !!((req->auth_req & rsp->auth_req) &
1059
				SMP_AUTH_BONDING);
1060
	}
1061

1062
	if (smp->remote_irk) {
1063
		mgmt_new_irk(hdev, smp->remote_irk, persistent);
1064

1065
		/* Now that user space can be considered to know the
1066
		 * identity address track the connection based on it
1067
		 * from now on (assuming this is an LE link).
1068
		 */
1069
		if (hcon->type == LE_LINK) {
1070
			bacpy(&hcon->dst, &smp->remote_irk->bdaddr);
1071
			hcon->dst_type = smp->remote_irk->addr_type;
1072
			/* Use a short delay to make sure the new address is
1073
			 * propagated _before_ the channels.
1074
			 */
1075
			queue_delayed_work(hdev->workqueue,
1076
					   &conn->id_addr_timer,
1077
					   ID_ADDR_TIMEOUT);
1078
		}
1079
	}
1080

1081
	if (smp->csrk) {
1082
		smp->csrk->bdaddr_type = hcon->dst_type;
1083
		bacpy(&smp->csrk->bdaddr, &hcon->dst);
1084
		mgmt_new_csrk(hdev, smp->csrk, persistent);
1085
	}
1086

1087
	if (smp->responder_csrk) {
1088
		smp->responder_csrk->bdaddr_type = hcon->dst_type;
1089
		bacpy(&smp->responder_csrk->bdaddr, &hcon->dst);
1090
		mgmt_new_csrk(hdev, smp->responder_csrk, persistent);
1091
	}
1092

1093
	if (smp->ltk) {
1094
		smp->ltk->bdaddr_type = hcon->dst_type;
1095
		bacpy(&smp->ltk->bdaddr, &hcon->dst);
1096
		mgmt_new_ltk(hdev, smp->ltk, persistent);
1097
	}
1098

1099
	if (smp->responder_ltk) {
1100
		smp->responder_ltk->bdaddr_type = hcon->dst_type;
1101
		bacpy(&smp->responder_ltk->bdaddr, &hcon->dst);
1102
		mgmt_new_ltk(hdev, smp->responder_ltk, persistent);
1103
	}
1104

1105
	if (smp->link_key) {
1106
		struct link_key *key;
1107
		u8 type;
1108

1109
		if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1110
			type = HCI_LK_DEBUG_COMBINATION;
1111
		else if (hcon->sec_level == BT_SECURITY_FIPS)
1112
			type = HCI_LK_AUTH_COMBINATION_P256;
1113
		else
1114
			type = HCI_LK_UNAUTH_COMBINATION_P256;
1115

1116
		key = hci_add_link_key(hdev, smp->conn->hcon, &hcon->dst,
1117
				       smp->link_key, type, 0, &persistent);
1118
		if (key) {
1119
			mgmt_new_link_key(hdev, key, persistent);
1120

1121
			/* Don't keep debug keys around if the relevant
1122
			 * flag is not set.
1123
			 */
1124
			if (!hci_dev_test_flag(hdev, HCI_KEEP_DEBUG_KEYS) &&
1125
			    key->type == HCI_LK_DEBUG_COMBINATION) {
1126
				list_del_rcu(&key->list);
1127
				kfree_rcu(key, rcu);
1128
			}
1129
		}
1130
	}
1131
}
1132

1133
static void sc_add_ltk(struct smp_chan *smp)
1134
{
1135
	struct hci_conn *hcon = smp->conn->hcon;
1136
	u8 key_type, auth;
1137

1138
	if (test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags))
1139
		key_type = SMP_LTK_P256_DEBUG;
1140
	else
1141
		key_type = SMP_LTK_P256;
1142

1143
	if (hcon->pending_sec_level == BT_SECURITY_FIPS)
1144
		auth = 1;
1145
	else
1146
		auth = 0;
1147

1148
	smp->ltk = hci_add_ltk(hcon->hdev, &hcon->dst, hcon->dst_type,
1149
			       key_type, auth, smp->tk, smp->enc_key_size,
1150
			       0, 0);
1151
}
1152

1153
static void sc_generate_link_key(struct smp_chan *smp)
1154
{
1155
	/* From core spec. Spells out in ASCII as 'lebr'. */
1156
	const u8 lebr[4] = { 0x72, 0x62, 0x65, 0x6c };
1157

1158
	smp->link_key = kzalloc(16, GFP_KERNEL);
1159
	if (!smp->link_key)
1160
		return;
1161

1162
	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1163
		/* SALT = 0x000000000000000000000000746D7031 */
1164
		const u8 salt[16] = { 0x31, 0x70, 0x6d, 0x74 };
1165

1166
		if (smp_h7(smp->tfm_cmac, smp->tk, salt, smp->link_key)) {
1167
			kfree_sensitive(smp->link_key);
1168
			smp->link_key = NULL;
1169
			return;
1170
		}
1171
	} else {
1172
		/* From core spec. Spells out in ASCII as 'tmp1'. */
1173
		const u8 tmp1[4] = { 0x31, 0x70, 0x6d, 0x74 };
1174

1175
		if (smp_h6(smp->tfm_cmac, smp->tk, tmp1, smp->link_key)) {
1176
			kfree_sensitive(smp->link_key);
1177
			smp->link_key = NULL;
1178
			return;
1179
		}
1180
	}
1181

1182
	if (smp_h6(smp->tfm_cmac, smp->link_key, lebr, smp->link_key)) {
1183
		kfree_sensitive(smp->link_key);
1184
		smp->link_key = NULL;
1185
		return;
1186
	}
1187
}
1188

1189
static void smp_allow_key_dist(struct smp_chan *smp)
1190
{
1191
	/* Allow the first expected phase 3 PDU. The rest of the PDUs
1192
	 * will be allowed in each PDU handler to ensure we receive
1193
	 * them in the correct order.
1194
	 */
1195
	if (smp->remote_key_dist & SMP_DIST_ENC_KEY)
1196
		SMP_ALLOW_CMD(smp, SMP_CMD_ENCRYPT_INFO);
1197
	else if (smp->remote_key_dist & SMP_DIST_ID_KEY)
1198
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
1199
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
1200
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
1201
}
1202

1203
static void sc_generate_ltk(struct smp_chan *smp)
1204
{
1205
	/* From core spec. Spells out in ASCII as 'brle'. */
1206
	const u8 brle[4] = { 0x65, 0x6c, 0x72, 0x62 };
1207
	struct hci_conn *hcon = smp->conn->hcon;
1208
	struct hci_dev *hdev = hcon->hdev;
1209
	struct link_key *key;
1210

1211
	key = hci_find_link_key(hdev, &hcon->dst);
1212
	if (!key) {
1213
		bt_dev_err(hdev, "no Link Key found to generate LTK");
1214
		return;
1215
	}
1216

1217
	if (key->type == HCI_LK_DEBUG_COMBINATION)
1218
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1219

1220
	if (test_bit(SMP_FLAG_CT2, &smp->flags)) {
1221
		/* SALT = 0x000000000000000000000000746D7032 */
1222
		const u8 salt[16] = { 0x32, 0x70, 0x6d, 0x74 };
1223

1224
		if (smp_h7(smp->tfm_cmac, key->val, salt, smp->tk))
1225
			return;
1226
	} else {
1227
		/* From core spec. Spells out in ASCII as 'tmp2'. */
1228
		const u8 tmp2[4] = { 0x32, 0x70, 0x6d, 0x74 };
1229

1230
		if (smp_h6(smp->tfm_cmac, key->val, tmp2, smp->tk))
1231
			return;
1232
	}
1233

1234
	if (smp_h6(smp->tfm_cmac, smp->tk, brle, smp->tk))
1235
		return;
1236

1237
	sc_add_ltk(smp);
1238
}
1239

1240
static void smp_distribute_keys(struct smp_chan *smp)
1241
{
1242
	struct smp_cmd_pairing *req, *rsp;
1243
	struct l2cap_conn *conn = smp->conn;
1244
	struct hci_conn *hcon = conn->hcon;
1245
	struct hci_dev *hdev = hcon->hdev;
1246
	__u8 *keydist;
1247

1248
	bt_dev_dbg(hdev, "conn %p", conn);
1249

1250
	rsp = (void *) &smp->prsp[1];
1251

1252
	/* The responder sends its keys first */
1253
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags) &&
1254
	    (smp->remote_key_dist & KEY_DIST_MASK)) {
1255
		smp_allow_key_dist(smp);
1256
		return;
1257
	}
1258

1259
	req = (void *) &smp->preq[1];
1260

1261
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1262
		keydist = &rsp->init_key_dist;
1263
		*keydist &= req->init_key_dist;
1264
	} else {
1265
		keydist = &rsp->resp_key_dist;
1266
		*keydist &= req->resp_key_dist;
1267
	}
1268

1269
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1270
		if (hcon->type == LE_LINK && (*keydist & SMP_DIST_LINK_KEY))
1271
			sc_generate_link_key(smp);
1272
		if (hcon->type == ACL_LINK && (*keydist & SMP_DIST_ENC_KEY))
1273
			sc_generate_ltk(smp);
1274

1275
		/* Clear the keys which are generated but not distributed */
1276
		*keydist &= ~SMP_SC_NO_DIST;
1277
	}
1278

1279
	bt_dev_dbg(hdev, "keydist 0x%x", *keydist);
1280

1281
	if (*keydist & SMP_DIST_ENC_KEY) {
1282
		struct smp_cmd_encrypt_info enc;
1283
		struct smp_cmd_initiator_ident ident;
1284
		struct smp_ltk *ltk;
1285
		u8 authenticated;
1286
		__le16 ediv;
1287
		__le64 rand;
1288

1289
		/* Make sure we generate only the significant amount of
1290
		 * bytes based on the encryption key size, and set the rest
1291
		 * of the value to zeroes.
1292
		 */
1293
		get_random_bytes(enc.ltk, smp->enc_key_size);
1294
		memset(enc.ltk + smp->enc_key_size, 0,
1295
		       sizeof(enc.ltk) - smp->enc_key_size);
1296

1297
		get_random_bytes(&ediv, sizeof(ediv));
1298
		get_random_bytes(&rand, sizeof(rand));
1299

1300
		smp_send_cmd(conn, SMP_CMD_ENCRYPT_INFO, sizeof(enc), &enc);
1301

1302
		authenticated = hcon->sec_level == BT_SECURITY_HIGH;
1303
		ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type,
1304
				  SMP_LTK_RESPONDER, authenticated, enc.ltk,
1305
				  smp->enc_key_size, ediv, rand);
1306
		smp->responder_ltk = ltk;
1307

1308
		ident.ediv = ediv;
1309
		ident.rand = rand;
1310

1311
		smp_send_cmd(conn, SMP_CMD_INITIATOR_IDENT, sizeof(ident),
1312
			     &ident);
1313

1314
		*keydist &= ~SMP_DIST_ENC_KEY;
1315
	}
1316

1317
	if (*keydist & SMP_DIST_ID_KEY) {
1318
		struct smp_cmd_ident_addr_info addrinfo;
1319
		struct smp_cmd_ident_info idinfo;
1320

1321
		memcpy(idinfo.irk, hdev->irk, sizeof(idinfo.irk));
1322

1323
		smp_send_cmd(conn, SMP_CMD_IDENT_INFO, sizeof(idinfo), &idinfo);
1324

1325
		/* The hci_conn contains the local identity address
1326
		 * after the connection has been established.
1327
		 *
1328
		 * This is true even when the connection has been
1329
		 * established using a resolvable random address.
1330
		 */
1331
		bacpy(&addrinfo.bdaddr, &hcon->src);
1332
		addrinfo.addr_type = hcon->src_type;
1333

1334
		smp_send_cmd(conn, SMP_CMD_IDENT_ADDR_INFO, sizeof(addrinfo),
1335
			     &addrinfo);
1336

1337
		*keydist &= ~SMP_DIST_ID_KEY;
1338
	}
1339

1340
	if (*keydist & SMP_DIST_SIGN) {
1341
		struct smp_cmd_sign_info sign;
1342
		struct smp_csrk *csrk;
1343

1344
		/* Generate a new random key */
1345
		get_random_bytes(sign.csrk, sizeof(sign.csrk));
1346

1347
		csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
1348
		if (csrk) {
1349
			if (hcon->sec_level > BT_SECURITY_MEDIUM)
1350
				csrk->type = MGMT_CSRK_LOCAL_AUTHENTICATED;
1351
			else
1352
				csrk->type = MGMT_CSRK_LOCAL_UNAUTHENTICATED;
1353
			memcpy(csrk->val, sign.csrk, sizeof(csrk->val));
1354
		}
1355
		smp->responder_csrk = csrk;
1356

1357
		smp_send_cmd(conn, SMP_CMD_SIGN_INFO, sizeof(sign), &sign);
1358

1359
		*keydist &= ~SMP_DIST_SIGN;
1360
	}
1361

1362
	/* If there are still keys to be received wait for them */
1363
	if (smp->remote_key_dist & KEY_DIST_MASK) {
1364
		smp_allow_key_dist(smp);
1365
		return;
1366
	}
1367

1368
	set_bit(SMP_FLAG_COMPLETE, &smp->flags);
1369
	smp_notify_keys(conn);
1370

1371
	smp_chan_destroy(conn);
1372
}
1373

1374
static void smp_timeout(struct work_struct *work)
1375
{
1376
	struct smp_chan *smp = container_of(work, struct smp_chan,
1377
					    security_timer.work);
1378
	struct l2cap_conn *conn = smp->conn;
1379

1380
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
1381

1382
	hci_disconnect(conn->hcon, HCI_ERROR_AUTH_FAILURE);
1383
}
1384

1385
static struct smp_chan *smp_chan_create(struct l2cap_conn *conn)
1386
{
1387
	struct hci_conn *hcon = conn->hcon;
1388
	struct l2cap_chan *chan = conn->smp;
1389
	struct smp_chan *smp;
1390

1391
	smp = kzalloc(sizeof(*smp), GFP_ATOMIC);
1392
	if (!smp)
1393
		return NULL;
1394

1395
	smp->tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
1396
	if (IS_ERR(smp->tfm_cmac)) {
1397
		bt_dev_err(hcon->hdev, "Unable to create CMAC crypto context");
1398
		goto zfree_smp;
1399
	}
1400

1401
	smp->tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
1402
	if (IS_ERR(smp->tfm_ecdh)) {
1403
		bt_dev_err(hcon->hdev, "Unable to create ECDH crypto context");
1404
		goto free_shash;
1405
	}
1406

1407
	smp->conn = conn;
1408
	chan->data = smp;
1409

1410
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_FAIL);
1411

1412
	INIT_DELAYED_WORK(&smp->security_timer, smp_timeout);
1413

1414
	hci_conn_hold(hcon);
1415

1416
	return smp;
1417

1418
free_shash:
1419
	crypto_free_shash(smp->tfm_cmac);
1420
zfree_smp:
1421
	kfree_sensitive(smp);
1422
	return NULL;
1423
}
1424

1425
static int sc_mackey_and_ltk(struct smp_chan *smp, u8 mackey[16], u8 ltk[16])
1426
{
1427
	struct hci_conn *hcon = smp->conn->hcon;
1428
	u8 *na, *nb, a[7], b[7];
1429

1430
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1431
		na   = smp->prnd;
1432
		nb   = smp->rrnd;
1433
	} else {
1434
		na   = smp->rrnd;
1435
		nb   = smp->prnd;
1436
	}
1437

1438
	memcpy(a, &hcon->init_addr, 6);
1439
	memcpy(b, &hcon->resp_addr, 6);
1440
	a[6] = hcon->init_addr_type;
1441
	b[6] = hcon->resp_addr_type;
1442

1443
	return smp_f5(smp->tfm_cmac, smp->dhkey, na, nb, a, b, mackey, ltk);
1444
}
1445

1446
static void sc_dhkey_check(struct smp_chan *smp)
1447
{
1448
	struct hci_conn *hcon = smp->conn->hcon;
1449
	struct smp_cmd_dhkey_check check;
1450
	u8 a[7], b[7], *local_addr, *remote_addr;
1451
	u8 io_cap[3], r[16];
1452

1453
	memcpy(a, &hcon->init_addr, 6);
1454
	memcpy(b, &hcon->resp_addr, 6);
1455
	a[6] = hcon->init_addr_type;
1456
	b[6] = hcon->resp_addr_type;
1457

1458
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1459
		local_addr = a;
1460
		remote_addr = b;
1461
		memcpy(io_cap, &smp->preq[1], 3);
1462
	} else {
1463
		local_addr = b;
1464
		remote_addr = a;
1465
		memcpy(io_cap, &smp->prsp[1], 3);
1466
	}
1467

1468
	memset(r, 0, sizeof(r));
1469

1470
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
1471
		put_unaligned_le32(hcon->passkey_notify, r);
1472

1473
	if (smp->method == REQ_OOB)
1474
		memcpy(r, smp->rr, 16);
1475

1476
	smp_f6(smp->tfm_cmac, smp->mackey, smp->prnd, smp->rrnd, r, io_cap,
1477
	       local_addr, remote_addr, check.e);
1478

1479
	smp_send_cmd(smp->conn, SMP_CMD_DHKEY_CHECK, sizeof(check), &check);
1480
}
1481

1482
static u8 sc_passkey_send_confirm(struct smp_chan *smp)
1483
{
1484
	struct l2cap_conn *conn = smp->conn;
1485
	struct hci_conn *hcon = conn->hcon;
1486
	struct smp_cmd_pairing_confirm cfm;
1487
	u8 r;
1488

1489
	r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1490
	r |= 0x80;
1491

1492
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1493

1494
	if (smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd, r,
1495
		   cfm.confirm_val))
1496
		return SMP_UNSPECIFIED;
1497

1498
	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
1499

1500
	return 0;
1501
}
1502

1503
static u8 sc_passkey_round(struct smp_chan *smp, u8 smp_op)
1504
{
1505
	struct l2cap_conn *conn = smp->conn;
1506
	struct hci_conn *hcon = conn->hcon;
1507
	struct hci_dev *hdev = hcon->hdev;
1508
	u8 cfm[16], r;
1509

1510
	/* Ignore the PDU if we've already done 20 rounds (0 - 19) */
1511
	if (smp->passkey_round >= 20)
1512
		return 0;
1513

1514
	switch (smp_op) {
1515
	case SMP_CMD_PAIRING_RANDOM:
1516
		r = ((hcon->passkey_notify >> smp->passkey_round) & 0x01);
1517
		r |= 0x80;
1518

1519
		if (smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
1520
			   smp->rrnd, r, cfm))
1521
			return SMP_UNSPECIFIED;
1522

1523
		if (crypto_memneq(smp->pcnf, cfm, 16))
1524
			return SMP_CONFIRM_FAILED;
1525

1526
		smp->passkey_round++;
1527

1528
		if (smp->passkey_round == 20) {
1529
			/* Generate MacKey and LTK */
1530
			if (sc_mackey_and_ltk(smp, smp->mackey, smp->tk))
1531
				return SMP_UNSPECIFIED;
1532
		}
1533

1534
		/* The round is only complete when the initiator
1535
		 * receives pairing random.
1536
		 */
1537
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1538
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1539
				     sizeof(smp->prnd), smp->prnd);
1540
			if (smp->passkey_round == 20)
1541
				SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1542
			else
1543
				SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1544
			return 0;
1545
		}
1546

1547
		/* Start the next round */
1548
		if (smp->passkey_round != 20)
1549
			return sc_passkey_round(smp, 0);
1550

1551
		/* Passkey rounds are complete - start DHKey Check */
1552
		sc_dhkey_check(smp);
1553
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1554

1555
		break;
1556

1557
	case SMP_CMD_PAIRING_CONFIRM:
1558
		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
1559
			set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
1560
			return 0;
1561
		}
1562

1563
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
1564

1565
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1566
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
1567
				     sizeof(smp->prnd), smp->prnd);
1568
			return 0;
1569
		}
1570

1571
		return sc_passkey_send_confirm(smp);
1572

1573
	case SMP_CMD_PUBLIC_KEY:
1574
	default:
1575
		/* Initiating device starts the round */
1576
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1577
			return 0;
1578

1579
		bt_dev_dbg(hdev, "Starting passkey round %u",
1580
			   smp->passkey_round + 1);
1581

1582
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1583

1584
		return sc_passkey_send_confirm(smp);
1585
	}
1586

1587
	return 0;
1588
}
1589

1590
static int sc_user_reply(struct smp_chan *smp, u16 mgmt_op, __le32 passkey)
1591
{
1592
	struct l2cap_conn *conn = smp->conn;
1593
	struct hci_conn *hcon = conn->hcon;
1594
	u8 smp_op;
1595

1596
	clear_bit(SMP_FLAG_WAIT_USER, &smp->flags);
1597

1598
	switch (mgmt_op) {
1599
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1600
		smp_failure(smp->conn, SMP_PASSKEY_ENTRY_FAILED);
1601
		return 0;
1602
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1603
		smp_failure(smp->conn, SMP_NUMERIC_COMP_FAILED);
1604
		return 0;
1605
	case MGMT_OP_USER_PASSKEY_REPLY:
1606
		hcon->passkey_notify = le32_to_cpu(passkey);
1607
		smp->passkey_round = 0;
1608

1609
		if (test_and_clear_bit(SMP_FLAG_CFM_PENDING, &smp->flags))
1610
			smp_op = SMP_CMD_PAIRING_CONFIRM;
1611
		else
1612
			smp_op = 0;
1613

1614
		if (sc_passkey_round(smp, smp_op))
1615
			return -EIO;
1616

1617
		return 0;
1618
	}
1619

1620
	/* Initiator sends DHKey check first */
1621
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
1622
		sc_dhkey_check(smp);
1623
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
1624
	} else if (test_and_clear_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags)) {
1625
		sc_dhkey_check(smp);
1626
		sc_add_ltk(smp);
1627
	}
1628

1629
	return 0;
1630
}
1631

1632
int smp_user_confirm_reply(struct hci_conn *hcon, u16 mgmt_op, __le32 passkey)
1633
{
1634
	struct l2cap_conn *conn = hcon->l2cap_data;
1635
	struct l2cap_chan *chan;
1636
	struct smp_chan *smp;
1637
	u32 value;
1638
	int err;
1639

1640
	if (!conn)
1641
		return -ENOTCONN;
1642

1643
	bt_dev_dbg(conn->hcon->hdev, "");
1644

1645
	chan = conn->smp;
1646
	if (!chan)
1647
		return -ENOTCONN;
1648

1649
	l2cap_chan_lock(chan);
1650
	if (!chan->data) {
1651
		err = -ENOTCONN;
1652
		goto unlock;
1653
	}
1654

1655
	smp = chan->data;
1656

1657
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1658
		err = sc_user_reply(smp, mgmt_op, passkey);
1659
		goto unlock;
1660
	}
1661

1662
	switch (mgmt_op) {
1663
	case MGMT_OP_USER_PASSKEY_REPLY:
1664
		value = le32_to_cpu(passkey);
1665
		memset(smp->tk, 0, sizeof(smp->tk));
1666
		bt_dev_dbg(conn->hcon->hdev, "PassKey: %u", value);
1667
		put_unaligned_le32(value, smp->tk);
1668
		fallthrough;
1669
	case MGMT_OP_USER_CONFIRM_REPLY:
1670
		set_bit(SMP_FLAG_TK_VALID, &smp->flags);
1671
		break;
1672
	case MGMT_OP_USER_PASSKEY_NEG_REPLY:
1673
	case MGMT_OP_USER_CONFIRM_NEG_REPLY:
1674
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1675
		err = 0;
1676
		goto unlock;
1677
	default:
1678
		smp_failure(conn, SMP_PASSKEY_ENTRY_FAILED);
1679
		err = -EOPNOTSUPP;
1680
		goto unlock;
1681
	}
1682

1683
	err = 0;
1684

1685
	/* If it is our turn to send Pairing Confirm, do so now */
1686
	if (test_bit(SMP_FLAG_CFM_PENDING, &smp->flags)) {
1687
		u8 rsp = smp_confirm(smp);
1688
		if (rsp)
1689
			smp_failure(conn, rsp);
1690
	}
1691

1692
unlock:
1693
	l2cap_chan_unlock(chan);
1694
	return err;
1695
}
1696

1697
static void build_bredr_pairing_cmd(struct smp_chan *smp,
1698
				    struct smp_cmd_pairing *req,
1699
				    struct smp_cmd_pairing *rsp)
1700
{
1701
	struct l2cap_conn *conn = smp->conn;
1702
	struct hci_dev *hdev = conn->hcon->hdev;
1703
	u8 local_dist = 0, remote_dist = 0;
1704

1705
	if (hci_dev_test_flag(hdev, HCI_BONDABLE)) {
1706
		local_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1707
		remote_dist = SMP_DIST_ENC_KEY | SMP_DIST_SIGN;
1708
	}
1709

1710
	if (hci_dev_test_flag(hdev, HCI_RPA_RESOLVING))
1711
		remote_dist |= SMP_DIST_ID_KEY;
1712

1713
	if (hci_dev_test_flag(hdev, HCI_PRIVACY))
1714
		local_dist |= SMP_DIST_ID_KEY;
1715

1716
	if (!rsp) {
1717
		memset(req, 0, sizeof(*req));
1718

1719
		req->auth_req        = SMP_AUTH_CT2;
1720
		req->init_key_dist   = local_dist;
1721
		req->resp_key_dist   = remote_dist;
1722
		req->max_key_size    = conn->hcon->enc_key_size;
1723

1724
		smp->remote_key_dist = remote_dist;
1725

1726
		return;
1727
	}
1728

1729
	memset(rsp, 0, sizeof(*rsp));
1730

1731
	rsp->auth_req        = SMP_AUTH_CT2;
1732
	rsp->max_key_size    = conn->hcon->enc_key_size;
1733
	rsp->init_key_dist   = req->init_key_dist & remote_dist;
1734
	rsp->resp_key_dist   = req->resp_key_dist & local_dist;
1735

1736
	smp->remote_key_dist = rsp->init_key_dist;
1737
}
1738

1739
static u8 smp_cmd_pairing_req(struct l2cap_conn *conn, struct sk_buff *skb)
1740
{
1741
	struct smp_cmd_pairing rsp, *req = (void *) skb->data;
1742
	struct l2cap_chan *chan = conn->smp;
1743
	struct hci_dev *hdev = conn->hcon->hdev;
1744
	struct smp_chan *smp = chan->data;
1745
	u8 key_size, auth, sec_level;
1746
	int ret;
1747

1748
	bt_dev_dbg(hdev, "conn %p", conn);
1749

1750
	if (skb->len < sizeof(*req))
1751
		return SMP_INVALID_PARAMS;
1752

1753
	if (smp && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1754
		return SMP_CMD_NOTSUPP;
1755

1756
	if (!smp) {
1757
		smp = smp_chan_create(conn);
1758
		if (!smp)
1759
			return SMP_UNSPECIFIED;
1760
	}
1761

1762
	/* We didn't start the pairing, so match remote */
1763
	auth = req->auth_req & AUTH_REQ_MASK(hdev);
1764

1765
	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
1766
	    (auth & SMP_AUTH_BONDING))
1767
		return SMP_PAIRING_NOTSUPP;
1768

1769
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1770
		return SMP_AUTH_REQUIREMENTS;
1771

1772
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
1773
	memcpy(&smp->preq[1], req, sizeof(*req));
1774
	skb_pull(skb, sizeof(*req));
1775

1776
	/* If the remote side's OOB flag is set it means it has
1777
	 * successfully received our local OOB data - therefore set the
1778
	 * flag to indicate that local OOB is in use.
1779
	 */
1780
	if (req->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1781
		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1782

1783
	/* SMP over BR/EDR requires special treatment */
1784
	if (conn->hcon->type == ACL_LINK) {
1785
		/* We must have a BR/EDR SC link */
1786
		if (!test_bit(HCI_CONN_AES_CCM, &conn->hcon->flags) &&
1787
		    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
1788
			return SMP_CROSS_TRANSP_NOT_ALLOWED;
1789

1790
		set_bit(SMP_FLAG_SC, &smp->flags);
1791

1792
		build_bredr_pairing_cmd(smp, req, &rsp);
1793

1794
		if (req->auth_req & SMP_AUTH_CT2)
1795
			set_bit(SMP_FLAG_CT2, &smp->flags);
1796

1797
		key_size = min(req->max_key_size, rsp.max_key_size);
1798
		if (check_enc_key_size(conn, key_size))
1799
			return SMP_ENC_KEY_SIZE;
1800

1801
		/* Clear bits which are generated but not distributed */
1802
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1803

1804
		smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1805
		memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1806
		smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1807

1808
		smp_distribute_keys(smp);
1809
		return 0;
1810
	}
1811

1812
	build_pairing_cmd(conn, req, &rsp, auth);
1813

1814
	if (rsp.auth_req & SMP_AUTH_SC) {
1815
		set_bit(SMP_FLAG_SC, &smp->flags);
1816

1817
		if (rsp.auth_req & SMP_AUTH_CT2)
1818
			set_bit(SMP_FLAG_CT2, &smp->flags);
1819
	}
1820

1821
	if (conn->hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
1822
		sec_level = BT_SECURITY_MEDIUM;
1823
	else
1824
		sec_level = authreq_to_seclevel(auth);
1825

1826
	if (sec_level > conn->hcon->pending_sec_level)
1827
		conn->hcon->pending_sec_level = sec_level;
1828

1829
	/* If we need MITM check that it can be achieved */
1830
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1831
		u8 method;
1832

1833
		method = get_auth_method(smp, conn->hcon->io_capability,
1834
					 req->io_capability);
1835
		if (method == JUST_WORKS || method == JUST_CFM)
1836
			return SMP_AUTH_REQUIREMENTS;
1837
	}
1838

1839
	key_size = min(req->max_key_size, rsp.max_key_size);
1840
	if (check_enc_key_size(conn, key_size))
1841
		return SMP_ENC_KEY_SIZE;
1842

1843
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
1844

1845
	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1846
	memcpy(&smp->prsp[1], &rsp, sizeof(rsp));
1847

1848
	smp_send_cmd(conn, SMP_CMD_PAIRING_RSP, sizeof(rsp), &rsp);
1849

1850
	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
1851

1852
	/* Strictly speaking we shouldn't allow Pairing Confirm for the
1853
	 * SC case, however some implementations incorrectly copy RFU auth
1854
	 * req bits from our security request, which may create a false
1855
	 * positive SC enablement.
1856
	 */
1857
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
1858

1859
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
1860
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
1861
		/* Clear bits which are generated but not distributed */
1862
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1863
		/* Wait for Public Key from Initiating Device */
1864
		return 0;
1865
	}
1866

1867
	/* Request setup of TK */
1868
	ret = tk_request(conn, 0, auth, rsp.io_capability, req->io_capability);
1869
	if (ret)
1870
		return SMP_UNSPECIFIED;
1871

1872
	return 0;
1873
}
1874

1875
static u8 sc_send_public_key(struct smp_chan *smp)
1876
{
1877
	struct hci_dev *hdev = smp->conn->hcon->hdev;
1878

1879
	bt_dev_dbg(hdev, "");
1880

1881
	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
1882
		struct l2cap_chan *chan = hdev->smp_data;
1883
		struct smp_dev *smp_dev;
1884

1885
		if (!chan || !chan->data)
1886
			return SMP_UNSPECIFIED;
1887

1888
		smp_dev = chan->data;
1889

1890
		memcpy(smp->local_pk, smp_dev->local_pk, 64);
1891
		memcpy(smp->lr, smp_dev->local_rand, 16);
1892

1893
		if (smp_dev->debug_key)
1894
			set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1895

1896
		goto done;
1897
	}
1898

1899
	if (hci_dev_test_flag(hdev, HCI_USE_DEBUG_KEYS)) {
1900
		bt_dev_dbg(hdev, "Using debug keys");
1901
		if (set_ecdh_privkey(smp->tfm_ecdh, debug_sk))
1902
			return SMP_UNSPECIFIED;
1903
		memcpy(smp->local_pk, debug_pk, 64);
1904
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
1905
	} else {
1906
		while (true) {
1907
			/* Generate key pair for Secure Connections */
1908
			if (generate_ecdh_keys(smp->tfm_ecdh, smp->local_pk))
1909
				return SMP_UNSPECIFIED;
1910

1911
			/* This is unlikely, but we need to check that
1912
			 * we didn't accidentally generate a debug key.
1913
			 */
1914
			if (crypto_memneq(smp->local_pk, debug_pk, 64))
1915
				break;
1916
		}
1917
	}
1918

1919
done:
1920
	SMP_DBG("Local Public Key X: %32phN", smp->local_pk);
1921
	SMP_DBG("Local Public Key Y: %32phN", smp->local_pk + 32);
1922

1923
	smp_send_cmd(smp->conn, SMP_CMD_PUBLIC_KEY, 64, smp->local_pk);
1924

1925
	return 0;
1926
}
1927

1928
static u8 smp_cmd_pairing_rsp(struct l2cap_conn *conn, struct sk_buff *skb)
1929
{
1930
	struct smp_cmd_pairing *req, *rsp = (void *) skb->data;
1931
	struct l2cap_chan *chan = conn->smp;
1932
	struct smp_chan *smp = chan->data;
1933
	struct hci_dev *hdev = conn->hcon->hdev;
1934
	u8 key_size, auth;
1935
	int ret;
1936

1937
	bt_dev_dbg(hdev, "conn %p", conn);
1938

1939
	if (skb->len < sizeof(*rsp))
1940
		return SMP_INVALID_PARAMS;
1941

1942
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
1943
		return SMP_CMD_NOTSUPP;
1944

1945
	skb_pull(skb, sizeof(*rsp));
1946

1947
	req = (void *) &smp->preq[1];
1948

1949
	key_size = min(req->max_key_size, rsp->max_key_size);
1950
	if (check_enc_key_size(conn, key_size))
1951
		return SMP_ENC_KEY_SIZE;
1952

1953
	auth = rsp->auth_req & AUTH_REQ_MASK(hdev);
1954

1955
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
1956
		return SMP_AUTH_REQUIREMENTS;
1957

1958
	/* If the remote side's OOB flag is set it means it has
1959
	 * successfully received our local OOB data - therefore set the
1960
	 * flag to indicate that local OOB is in use.
1961
	 */
1962
	if (rsp->oob_flag == SMP_OOB_PRESENT && SMP_DEV(hdev)->local_oob)
1963
		set_bit(SMP_FLAG_LOCAL_OOB, &smp->flags);
1964

1965
	smp->prsp[0] = SMP_CMD_PAIRING_RSP;
1966
	memcpy(&smp->prsp[1], rsp, sizeof(*rsp));
1967

1968
	/* Update remote key distribution in case the remote cleared
1969
	 * some bits that we had enabled in our request.
1970
	 */
1971
	smp->remote_key_dist &= rsp->resp_key_dist;
1972

1973
	if ((req->auth_req & SMP_AUTH_CT2) && (auth & SMP_AUTH_CT2))
1974
		set_bit(SMP_FLAG_CT2, &smp->flags);
1975

1976
	/* For BR/EDR this means we're done and can start phase 3 */
1977
	if (conn->hcon->type == ACL_LINK) {
1978
		/* Clear bits which are generated but not distributed */
1979
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
1980
		smp_distribute_keys(smp);
1981
		return 0;
1982
	}
1983

1984
	if ((req->auth_req & SMP_AUTH_SC) && (auth & SMP_AUTH_SC))
1985
		set_bit(SMP_FLAG_SC, &smp->flags);
1986
	else if (conn->hcon->pending_sec_level > BT_SECURITY_HIGH)
1987
		conn->hcon->pending_sec_level = BT_SECURITY_HIGH;
1988

1989
	/* If we need MITM check that it can be achieved */
1990
	if (conn->hcon->pending_sec_level >= BT_SECURITY_HIGH) {
1991
		u8 method;
1992

1993
		method = get_auth_method(smp, req->io_capability,
1994
					 rsp->io_capability);
1995
		if (method == JUST_WORKS || method == JUST_CFM)
1996
			return SMP_AUTH_REQUIREMENTS;
1997
	}
1998

1999
	get_random_bytes(smp->prnd, sizeof(smp->prnd));
2000

2001
	/* Update remote key distribution in case the remote cleared
2002
	 * some bits that we had enabled in our request.
2003
	 */
2004
	smp->remote_key_dist &= rsp->resp_key_dist;
2005

2006
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2007
		/* Clear bits which are generated but not distributed */
2008
		smp->remote_key_dist &= ~SMP_SC_NO_DIST;
2009
		SMP_ALLOW_CMD(smp, SMP_CMD_PUBLIC_KEY);
2010
		return sc_send_public_key(smp);
2011
	}
2012

2013
	auth |= req->auth_req;
2014

2015
	ret = tk_request(conn, 0, auth, req->io_capability, rsp->io_capability);
2016
	if (ret)
2017
		return SMP_UNSPECIFIED;
2018

2019
	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2020

2021
	/* Can't compose response until we have been confirmed */
2022
	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2023
		return smp_confirm(smp);
2024

2025
	return 0;
2026
}
2027

2028
static u8 sc_check_confirm(struct smp_chan *smp)
2029
{
2030
	struct l2cap_conn *conn = smp->conn;
2031

2032
	bt_dev_dbg(conn->hcon->hdev, "");
2033

2034
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2035
		return sc_passkey_round(smp, SMP_CMD_PAIRING_CONFIRM);
2036

2037
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2038
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2039
			     smp->prnd);
2040
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2041
	}
2042

2043
	return 0;
2044
}
2045

2046
/* Work-around for some implementations that incorrectly copy RFU bits
2047
 * from our security request and thereby create the impression that
2048
 * we're doing SC when in fact the remote doesn't support it.
2049
 */
2050
static int fixup_sc_false_positive(struct smp_chan *smp)
2051
{
2052
	struct l2cap_conn *conn = smp->conn;
2053
	struct hci_conn *hcon = conn->hcon;
2054
	struct hci_dev *hdev = hcon->hdev;
2055
	struct smp_cmd_pairing *req, *rsp;
2056
	u8 auth;
2057

2058
	/* The issue is only observed when we're in responder role */
2059
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2060
		return SMP_UNSPECIFIED;
2061

2062
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY)) {
2063
		bt_dev_err(hdev, "refusing legacy fallback in SC-only mode");
2064
		return SMP_UNSPECIFIED;
2065
	}
2066

2067
	bt_dev_err(hdev, "trying to fall back to legacy SMP");
2068

2069
	req = (void *) &smp->preq[1];
2070
	rsp = (void *) &smp->prsp[1];
2071

2072
	/* Rebuild key dist flags which may have been cleared for SC */
2073
	smp->remote_key_dist = (req->init_key_dist & rsp->resp_key_dist);
2074

2075
	auth = req->auth_req & AUTH_REQ_MASK(hdev);
2076

2077
	if (tk_request(conn, 0, auth, rsp->io_capability, req->io_capability)) {
2078
		bt_dev_err(hdev, "failed to fall back to legacy SMP");
2079
		return SMP_UNSPECIFIED;
2080
	}
2081

2082
	clear_bit(SMP_FLAG_SC, &smp->flags);
2083

2084
	return 0;
2085
}
2086

2087
static u8 smp_cmd_pairing_confirm(struct l2cap_conn *conn, struct sk_buff *skb)
2088
{
2089
	struct l2cap_chan *chan = conn->smp;
2090
	struct smp_chan *smp = chan->data;
2091
	struct hci_conn *hcon = conn->hcon;
2092
	struct hci_dev *hdev = hcon->hdev;
2093

2094
	bt_dev_dbg(hdev, "conn %p %s", conn,
2095
		   test_bit(SMP_FLAG_INITIATOR, &smp->flags) ? "initiator" :
2096
		   "responder");
2097

2098
	if (skb->len < sizeof(smp->pcnf))
2099
		return SMP_INVALID_PARAMS;
2100

2101
	memcpy(smp->pcnf, skb->data, sizeof(smp->pcnf));
2102
	skb_pull(skb, sizeof(smp->pcnf));
2103

2104
	if (test_bit(SMP_FLAG_SC, &smp->flags)) {
2105
		int ret;
2106

2107
		/* Public Key exchange must happen before any other steps */
2108
		if (test_bit(SMP_FLAG_REMOTE_PK, &smp->flags))
2109
			return sc_check_confirm(smp);
2110

2111
		bt_dev_err(hdev, "Unexpected SMP Pairing Confirm");
2112

2113
		ret = fixup_sc_false_positive(smp);
2114
		if (ret)
2115
			return ret;
2116
	}
2117

2118
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2119
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2120
			     smp->prnd);
2121
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2122
		return 0;
2123
	}
2124

2125
	if (test_bit(SMP_FLAG_TK_VALID, &smp->flags))
2126
		return smp_confirm(smp);
2127

2128
	set_bit(SMP_FLAG_CFM_PENDING, &smp->flags);
2129

2130
	return 0;
2131
}
2132

2133
static u8 smp_cmd_pairing_random(struct l2cap_conn *conn, struct sk_buff *skb)
2134
{
2135
	struct l2cap_chan *chan = conn->smp;
2136
	struct smp_chan *smp = chan->data;
2137
	struct hci_conn *hcon = conn->hcon;
2138
	u8 *pkax, *pkbx, *na, *nb, confirm_hint;
2139
	u32 passkey = 0;
2140
	int err;
2141

2142
	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2143

2144
	if (skb->len < sizeof(smp->rrnd))
2145
		return SMP_INVALID_PARAMS;
2146

2147
	memcpy(smp->rrnd, skb->data, sizeof(smp->rrnd));
2148
	skb_pull(skb, sizeof(smp->rrnd));
2149

2150
	if (!test_bit(SMP_FLAG_SC, &smp->flags))
2151
		return smp_random(smp);
2152

2153
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2154
		pkax = smp->local_pk;
2155
		pkbx = smp->remote_pk;
2156
		na   = smp->prnd;
2157
		nb   = smp->rrnd;
2158
	} else {
2159
		pkax = smp->remote_pk;
2160
		pkbx = smp->local_pk;
2161
		na   = smp->rrnd;
2162
		nb   = smp->prnd;
2163
	}
2164

2165
	if (smp->method == REQ_OOB) {
2166
		if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2167
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2168
				     sizeof(smp->prnd), smp->prnd);
2169
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2170
		goto mackey_and_ltk;
2171
	}
2172

2173
	/* Passkey entry has special treatment */
2174
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2175
		return sc_passkey_round(smp, SMP_CMD_PAIRING_RANDOM);
2176

2177
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2178
		u8 cfm[16];
2179

2180
		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->local_pk,
2181
			     smp->rrnd, 0, cfm);
2182
		if (err)
2183
			return SMP_UNSPECIFIED;
2184

2185
		if (crypto_memneq(smp->pcnf, cfm, 16))
2186
			return SMP_CONFIRM_FAILED;
2187
	} else {
2188
		smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM, sizeof(smp->prnd),
2189
			     smp->prnd);
2190
		SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2191
	}
2192

2193
mackey_and_ltk:
2194
	/* Generate MacKey and LTK */
2195
	err = sc_mackey_and_ltk(smp, smp->mackey, smp->tk);
2196
	if (err)
2197
		return SMP_UNSPECIFIED;
2198

2199
	if (smp->method == REQ_OOB) {
2200
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2201
			sc_dhkey_check(smp);
2202
			SMP_ALLOW_CMD(smp, SMP_CMD_DHKEY_CHECK);
2203
		}
2204
		return 0;
2205
	}
2206

2207
	err = smp_g2(smp->tfm_cmac, pkax, pkbx, na, nb, &passkey);
2208
	if (err)
2209
		return SMP_UNSPECIFIED;
2210

2211
	/* Always require user confirmation for Just-Works pairing to prevent
2212
	 * impersonation attacks, or in case of a legitimate device that is
2213
	 * repairing use the confirmation as acknowledgment to proceed with the
2214
	 * creation of new keys.
2215
	 */
2216
	confirm_hint = smp->method == JUST_WORKS ? 1 : 0;
2217

2218
	err = mgmt_user_confirm_request(hcon->hdev, &hcon->dst, hcon->type,
2219
					hcon->dst_type, passkey, confirm_hint);
2220
	if (err)
2221
		return SMP_UNSPECIFIED;
2222

2223
	set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2224

2225
	return 0;
2226
}
2227

2228
static bool smp_ltk_encrypt(struct l2cap_conn *conn, u8 sec_level)
2229
{
2230
	struct smp_ltk *key;
2231
	struct hci_conn *hcon = conn->hcon;
2232

2233
	key = hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role);
2234
	if (!key)
2235
		return false;
2236

2237
	if (smp_ltk_sec_level(key) < sec_level)
2238
		return false;
2239

2240
	if (test_and_set_bit(HCI_CONN_ENCRYPT_PEND, &hcon->flags))
2241
		return true;
2242

2243
	hci_le_start_enc(hcon, key->ediv, key->rand, key->val, key->enc_size);
2244
	hcon->enc_key_size = key->enc_size;
2245

2246
	/* We never store STKs for initiator role, so clear this flag */
2247
	clear_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags);
2248

2249
	return true;
2250
}
2251

2252
bool smp_sufficient_security(struct hci_conn *hcon, u8 sec_level,
2253
			     enum smp_key_pref key_pref)
2254
{
2255
	if (sec_level == BT_SECURITY_LOW)
2256
		return true;
2257

2258
	/* If we're encrypted with an STK but the caller prefers using
2259
	 * LTK claim insufficient security. This way we allow the
2260
	 * connection to be re-encrypted with an LTK, even if the LTK
2261
	 * provides the same level of security. Only exception is if we
2262
	 * don't have an LTK (e.g. because of key distribution bits).
2263
	 */
2264
	if (key_pref == SMP_USE_LTK &&
2265
	    test_bit(HCI_CONN_STK_ENCRYPT, &hcon->flags) &&
2266
	    hci_find_ltk(hcon->hdev, &hcon->dst, hcon->dst_type, hcon->role))
2267
		return false;
2268

2269
	if (hcon->sec_level >= sec_level)
2270
		return true;
2271

2272
	return false;
2273
}
2274

2275
static void smp_send_pairing_req(struct smp_chan *smp, __u8 auth)
2276
{
2277
	struct smp_cmd_pairing cp;
2278

2279
	if (smp->conn->hcon->type == ACL_LINK)
2280
		build_bredr_pairing_cmd(smp, &cp, NULL);
2281
	else
2282
		build_pairing_cmd(smp->conn, &cp, NULL, auth);
2283

2284
	smp->preq[0] = SMP_CMD_PAIRING_REQ;
2285
	memcpy(&smp->preq[1], &cp, sizeof(cp));
2286

2287
	smp_send_cmd(smp->conn, SMP_CMD_PAIRING_REQ, sizeof(cp), &cp);
2288
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RSP);
2289

2290
	set_bit(SMP_FLAG_INITIATOR, &smp->flags);
2291
}
2292

2293
static u8 smp_cmd_security_req(struct l2cap_conn *conn, struct sk_buff *skb)
2294
{
2295
	struct smp_cmd_security_req *rp = (void *) skb->data;
2296
	struct hci_conn *hcon = conn->hcon;
2297
	struct hci_dev *hdev = hcon->hdev;
2298
	struct smp_chan *smp;
2299
	u8 sec_level, auth;
2300

2301
	bt_dev_dbg(hdev, "conn %p", conn);
2302

2303
	if (skb->len < sizeof(*rp))
2304
		return SMP_INVALID_PARAMS;
2305

2306
	if (hcon->role != HCI_ROLE_MASTER)
2307
		return SMP_CMD_NOTSUPP;
2308

2309
	auth = rp->auth_req & AUTH_REQ_MASK(hdev);
2310

2311
	if (hci_dev_test_flag(hdev, HCI_SC_ONLY) && !(auth & SMP_AUTH_SC))
2312
		return SMP_AUTH_REQUIREMENTS;
2313

2314
	if (hcon->io_capability == HCI_IO_NO_INPUT_OUTPUT)
2315
		sec_level = BT_SECURITY_MEDIUM;
2316
	else
2317
		sec_level = authreq_to_seclevel(auth);
2318

2319
	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK)) {
2320
		/* If link is already encrypted with sufficient security we
2321
		 * still need refresh encryption as per Core Spec 5.0 Vol 3,
2322
		 * Part H 2.4.6
2323
		 */
2324
		smp_ltk_encrypt(conn, hcon->sec_level);
2325
		return 0;
2326
	}
2327

2328
	if (sec_level > hcon->pending_sec_level)
2329
		hcon->pending_sec_level = sec_level;
2330

2331
	if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2332
		return 0;
2333

2334
	smp = smp_chan_create(conn);
2335
	if (!smp)
2336
		return SMP_UNSPECIFIED;
2337

2338
	if (!hci_dev_test_flag(hdev, HCI_BONDABLE) &&
2339
	    (auth & SMP_AUTH_BONDING))
2340
		return SMP_PAIRING_NOTSUPP;
2341

2342
	skb_pull(skb, sizeof(*rp));
2343

2344
	smp_send_pairing_req(smp, auth);
2345

2346
	return 0;
2347
}
2348

2349
static void smp_send_security_req(struct smp_chan *smp, __u8 auth)
2350
{
2351
	struct smp_cmd_security_req cp;
2352

2353
	cp.auth_req = auth;
2354
	smp_send_cmd(smp->conn, SMP_CMD_SECURITY_REQ, sizeof(cp), &cp);
2355
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_REQ);
2356

2357
	clear_bit(SMP_FLAG_INITIATOR, &smp->flags);
2358
}
2359

2360
int smp_conn_security(struct hci_conn *hcon, __u8 sec_level)
2361
{
2362
	struct l2cap_conn *conn = hcon->l2cap_data;
2363
	struct l2cap_chan *chan;
2364
	struct smp_chan *smp;
2365
	__u8 authreq;
2366
	int ret;
2367

2368
	bt_dev_dbg(hcon->hdev, "conn %p hcon %p level 0x%2.2x", conn, hcon,
2369
		   sec_level);
2370

2371
	/* This may be NULL if there's an unexpected disconnection */
2372
	if (!conn)
2373
		return 1;
2374

2375
	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED))
2376
		return 1;
2377

2378
	if (smp_sufficient_security(hcon, sec_level, SMP_USE_LTK))
2379
		return 1;
2380

2381
	if (sec_level > hcon->pending_sec_level)
2382
		hcon->pending_sec_level = sec_level;
2383

2384
	if (hcon->role == HCI_ROLE_MASTER)
2385
		if (smp_ltk_encrypt(conn, hcon->pending_sec_level))
2386
			return 0;
2387

2388
	chan = conn->smp;
2389
	if (!chan) {
2390
		bt_dev_err(hcon->hdev, "security requested but not available");
2391
		return 1;
2392
	}
2393

2394
	l2cap_chan_lock(chan);
2395

2396
	/* If SMP is already in progress ignore this request */
2397
	if (chan->data) {
2398
		ret = 0;
2399
		goto unlock;
2400
	}
2401

2402
	smp = smp_chan_create(conn);
2403
	if (!smp) {
2404
		ret = 1;
2405
		goto unlock;
2406
	}
2407

2408
	authreq = seclevel_to_authreq(sec_level);
2409

2410
	if (hci_dev_test_flag(hcon->hdev, HCI_SC_ENABLED)) {
2411
		authreq |= SMP_AUTH_SC;
2412
		if (hci_dev_test_flag(hcon->hdev, HCI_SSP_ENABLED))
2413
			authreq |= SMP_AUTH_CT2;
2414
	}
2415

2416
	/* Don't attempt to set MITM if setting is overridden by debugfs
2417
	 * Needed to pass certification test SM/MAS/PKE/BV-01-C
2418
	 */
2419
	if (!hci_dev_test_flag(hcon->hdev, HCI_FORCE_NO_MITM)) {
2420
		/* Require MITM if IO Capability allows or the security level
2421
		 * requires it.
2422
		 */
2423
		if (hcon->io_capability != HCI_IO_NO_INPUT_OUTPUT ||
2424
		    hcon->pending_sec_level > BT_SECURITY_MEDIUM)
2425
			authreq |= SMP_AUTH_MITM;
2426
	}
2427

2428
	if (hcon->role == HCI_ROLE_MASTER)
2429
		smp_send_pairing_req(smp, authreq);
2430
	else
2431
		smp_send_security_req(smp, authreq);
2432

2433
	ret = 0;
2434

2435
unlock:
2436
	l2cap_chan_unlock(chan);
2437
	return ret;
2438
}
2439

2440
int smp_cancel_and_remove_pairing(struct hci_dev *hdev, bdaddr_t *bdaddr,
2441
				  u8 addr_type)
2442
{
2443
	struct hci_conn *hcon;
2444
	struct l2cap_conn *conn;
2445
	struct l2cap_chan *chan;
2446
	struct smp_chan *smp;
2447
	int err;
2448

2449
	err = hci_remove_ltk(hdev, bdaddr, addr_type);
2450
	hci_remove_irk(hdev, bdaddr, addr_type);
2451

2452
	hcon = hci_conn_hash_lookup_le(hdev, bdaddr, addr_type);
2453
	if (!hcon)
2454
		goto done;
2455

2456
	conn = hcon->l2cap_data;
2457
	if (!conn)
2458
		goto done;
2459

2460
	chan = conn->smp;
2461
	if (!chan)
2462
		goto done;
2463

2464
	l2cap_chan_lock(chan);
2465

2466
	smp = chan->data;
2467
	if (smp) {
2468
		/* Set keys to NULL to make sure smp_failure() does not try to
2469
		 * remove and free already invalidated rcu list entries. */
2470
		smp->ltk = NULL;
2471
		smp->responder_ltk = NULL;
2472
		smp->remote_irk = NULL;
2473

2474
		if (test_bit(SMP_FLAG_COMPLETE, &smp->flags))
2475
			smp_failure(conn, 0);
2476
		else
2477
			smp_failure(conn, SMP_UNSPECIFIED);
2478
		err = 0;
2479
	}
2480

2481
	l2cap_chan_unlock(chan);
2482

2483
done:
2484
	return err;
2485
}
2486

2487
static int smp_cmd_encrypt_info(struct l2cap_conn *conn, struct sk_buff *skb)
2488
{
2489
	struct smp_cmd_encrypt_info *rp = (void *) skb->data;
2490
	struct l2cap_chan *chan = conn->smp;
2491
	struct smp_chan *smp = chan->data;
2492

2493
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2494

2495
	if (skb->len < sizeof(*rp))
2496
		return SMP_INVALID_PARAMS;
2497

2498
	/* Pairing is aborted if any blocked keys are distributed */
2499
	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_LTK,
2500
			       rp->ltk)) {
2501
		bt_dev_warn_ratelimited(conn->hcon->hdev,
2502
					"LTK blocked for %pMR",
2503
					&conn->hcon->dst);
2504
		return SMP_INVALID_PARAMS;
2505
	}
2506

2507
	SMP_ALLOW_CMD(smp, SMP_CMD_INITIATOR_IDENT);
2508

2509
	skb_pull(skb, sizeof(*rp));
2510

2511
	memcpy(smp->tk, rp->ltk, sizeof(smp->tk));
2512

2513
	return 0;
2514
}
2515

2516
static int smp_cmd_initiator_ident(struct l2cap_conn *conn, struct sk_buff *skb)
2517
{
2518
	struct smp_cmd_initiator_ident *rp = (void *)skb->data;
2519
	struct l2cap_chan *chan = conn->smp;
2520
	struct smp_chan *smp = chan->data;
2521
	struct hci_dev *hdev = conn->hcon->hdev;
2522
	struct hci_conn *hcon = conn->hcon;
2523
	struct smp_ltk *ltk;
2524
	u8 authenticated;
2525

2526
	bt_dev_dbg(hdev, "conn %p", conn);
2527

2528
	if (skb->len < sizeof(*rp))
2529
		return SMP_INVALID_PARAMS;
2530

2531
	/* Mark the information as received */
2532
	smp->remote_key_dist &= ~SMP_DIST_ENC_KEY;
2533

2534
	if (smp->remote_key_dist & SMP_DIST_ID_KEY)
2535
		SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_INFO);
2536
	else if (smp->remote_key_dist & SMP_DIST_SIGN)
2537
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2538

2539
	skb_pull(skb, sizeof(*rp));
2540

2541
	authenticated = (hcon->sec_level == BT_SECURITY_HIGH);
2542
	ltk = hci_add_ltk(hdev, &hcon->dst, hcon->dst_type, SMP_LTK,
2543
			  authenticated, smp->tk, smp->enc_key_size,
2544
			  rp->ediv, rp->rand);
2545
	smp->ltk = ltk;
2546
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2547
		smp_distribute_keys(smp);
2548

2549
	return 0;
2550
}
2551

2552
static int smp_cmd_ident_info(struct l2cap_conn *conn, struct sk_buff *skb)
2553
{
2554
	struct smp_cmd_ident_info *info = (void *) skb->data;
2555
	struct l2cap_chan *chan = conn->smp;
2556
	struct smp_chan *smp = chan->data;
2557

2558
	bt_dev_dbg(conn->hcon->hdev, "");
2559

2560
	if (skb->len < sizeof(*info))
2561
		return SMP_INVALID_PARAMS;
2562

2563
	/* Pairing is aborted if any blocked keys are distributed */
2564
	if (hci_is_blocked_key(conn->hcon->hdev, HCI_BLOCKED_KEY_TYPE_IRK,
2565
			       info->irk)) {
2566
		bt_dev_warn_ratelimited(conn->hcon->hdev,
2567
					"Identity key blocked for %pMR",
2568
					&conn->hcon->dst);
2569
		return SMP_INVALID_PARAMS;
2570
	}
2571

2572
	SMP_ALLOW_CMD(smp, SMP_CMD_IDENT_ADDR_INFO);
2573

2574
	skb_pull(skb, sizeof(*info));
2575

2576
	memcpy(smp->irk, info->irk, 16);
2577

2578
	return 0;
2579
}
2580

2581
static int smp_cmd_ident_addr_info(struct l2cap_conn *conn,
2582
				   struct sk_buff *skb)
2583
{
2584
	struct smp_cmd_ident_addr_info *info = (void *) skb->data;
2585
	struct l2cap_chan *chan = conn->smp;
2586
	struct smp_chan *smp = chan->data;
2587
	struct hci_conn *hcon = conn->hcon;
2588
	bdaddr_t rpa;
2589

2590
	bt_dev_dbg(hcon->hdev, "");
2591

2592
	if (skb->len < sizeof(*info))
2593
		return SMP_INVALID_PARAMS;
2594

2595
	/* Mark the information as received */
2596
	smp->remote_key_dist &= ~SMP_DIST_ID_KEY;
2597

2598
	if (smp->remote_key_dist & SMP_DIST_SIGN)
2599
		SMP_ALLOW_CMD(smp, SMP_CMD_SIGN_INFO);
2600

2601
	skb_pull(skb, sizeof(*info));
2602

2603
	/* Strictly speaking the Core Specification (4.1) allows sending
2604
	 * an empty address which would force us to rely on just the IRK
2605
	 * as "identity information". However, since such
2606
	 * implementations are not known of and in order to not over
2607
	 * complicate our implementation, simply pretend that we never
2608
	 * received an IRK for such a device.
2609
	 *
2610
	 * The Identity Address must also be a Static Random or Public
2611
	 * Address, which hci_is_identity_address() checks for.
2612
	 */
2613
	if (!bacmp(&info->bdaddr, BDADDR_ANY) ||
2614
	    !hci_is_identity_address(&info->bdaddr, info->addr_type)) {
2615
		bt_dev_err(hcon->hdev, "ignoring IRK with no identity address");
2616
		goto distribute;
2617
	}
2618

2619
	/* Drop IRK if peer is using identity address during pairing but is
2620
	 * providing different address as identity information.
2621
	 *
2622
	 * Microsoft Surface Precision Mouse is known to have this bug.
2623
	 */
2624
	if (hci_is_identity_address(&hcon->dst, hcon->dst_type) &&
2625
	    (bacmp(&info->bdaddr, &hcon->dst) ||
2626
	     info->addr_type != hcon->dst_type)) {
2627
		bt_dev_err(hcon->hdev,
2628
			   "ignoring IRK with invalid identity address");
2629
		goto distribute;
2630
	}
2631

2632
	bacpy(&smp->id_addr, &info->bdaddr);
2633
	smp->id_addr_type = info->addr_type;
2634

2635
	if (hci_bdaddr_is_rpa(&hcon->dst, hcon->dst_type))
2636
		bacpy(&rpa, &hcon->dst);
2637
	else
2638
		bacpy(&rpa, BDADDR_ANY);
2639

2640
	smp->remote_irk = hci_add_irk(conn->hcon->hdev, &smp->id_addr,
2641
				      smp->id_addr_type, smp->irk, &rpa);
2642

2643
distribute:
2644
	if (!(smp->remote_key_dist & KEY_DIST_MASK))
2645
		smp_distribute_keys(smp);
2646

2647
	return 0;
2648
}
2649

2650
static int smp_cmd_sign_info(struct l2cap_conn *conn, struct sk_buff *skb)
2651
{
2652
	struct smp_cmd_sign_info *rp = (void *) skb->data;
2653
	struct l2cap_chan *chan = conn->smp;
2654
	struct smp_chan *smp = chan->data;
2655
	struct smp_csrk *csrk;
2656

2657
	bt_dev_dbg(conn->hcon->hdev, "conn %p", conn);
2658

2659
	if (skb->len < sizeof(*rp))
2660
		return SMP_INVALID_PARAMS;
2661

2662
	/* Mark the information as received */
2663
	smp->remote_key_dist &= ~SMP_DIST_SIGN;
2664

2665
	skb_pull(skb, sizeof(*rp));
2666

2667
	csrk = kzalloc(sizeof(*csrk), GFP_KERNEL);
2668
	if (csrk) {
2669
		if (conn->hcon->sec_level > BT_SECURITY_MEDIUM)
2670
			csrk->type = MGMT_CSRK_REMOTE_AUTHENTICATED;
2671
		else
2672
			csrk->type = MGMT_CSRK_REMOTE_UNAUTHENTICATED;
2673
		memcpy(csrk->val, rp->csrk, sizeof(csrk->val));
2674
	}
2675
	smp->csrk = csrk;
2676
	smp_distribute_keys(smp);
2677

2678
	return 0;
2679
}
2680

2681
static u8 sc_select_method(struct smp_chan *smp)
2682
{
2683
	struct smp_cmd_pairing *local, *remote;
2684
	u8 local_mitm, remote_mitm, local_io, remote_io, method;
2685

2686
	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags) ||
2687
	    test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags))
2688
		return REQ_OOB;
2689

2690
	/* The preq/prsp contain the raw Pairing Request/Response PDUs
2691
	 * which are needed as inputs to some crypto functions. To get
2692
	 * the "struct smp_cmd_pairing" from them we need to skip the
2693
	 * first byte which contains the opcode.
2694
	 */
2695
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2696
		local = (void *) &smp->preq[1];
2697
		remote = (void *) &smp->prsp[1];
2698
	} else {
2699
		local = (void *) &smp->prsp[1];
2700
		remote = (void *) &smp->preq[1];
2701
	}
2702

2703
	local_io = local->io_capability;
2704
	remote_io = remote->io_capability;
2705

2706
	local_mitm = (local->auth_req & SMP_AUTH_MITM);
2707
	remote_mitm = (remote->auth_req & SMP_AUTH_MITM);
2708

2709
	/* If either side wants MITM, look up the method from the table,
2710
	 * otherwise use JUST WORKS.
2711
	 */
2712
	if (local_mitm || remote_mitm)
2713
		method = get_auth_method(smp, local_io, remote_io);
2714
	else
2715
		method = JUST_WORKS;
2716

2717
	/* Don't confirm locally initiated pairing attempts */
2718
	if (method == JUST_CFM && test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2719
		method = JUST_WORKS;
2720

2721
	return method;
2722
}
2723

2724
static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
2725
{
2726
	struct smp_cmd_public_key *key = (void *) skb->data;
2727
	struct hci_conn *hcon = conn->hcon;
2728
	struct l2cap_chan *chan = conn->smp;
2729
	struct smp_chan *smp = chan->data;
2730
	struct hci_dev *hdev = hcon->hdev;
2731
	struct crypto_kpp *tfm_ecdh;
2732
	struct smp_cmd_pairing_confirm cfm;
2733
	int err;
2734

2735
	bt_dev_dbg(hdev, "conn %p", conn);
2736

2737
	if (skb->len < sizeof(*key))
2738
		return SMP_INVALID_PARAMS;
2739

2740
	/* Check if remote and local public keys are the same and debug key is
2741
	 * not in use.
2742
	 */
2743
	if (!test_bit(SMP_FLAG_DEBUG_KEY, &smp->flags) &&
2744
	    !crypto_memneq(key, smp->local_pk, 64)) {
2745
		bt_dev_err(hdev, "Remote and local public keys are identical");
2746
		return SMP_UNSPECIFIED;
2747
	}
2748

2749
	memcpy(smp->remote_pk, key, 64);
2750

2751
	if (test_bit(SMP_FLAG_REMOTE_OOB, &smp->flags)) {
2752
		err = smp_f4(smp->tfm_cmac, smp->remote_pk, smp->remote_pk,
2753
			     smp->rr, 0, cfm.confirm_val);
2754
		if (err)
2755
			return SMP_UNSPECIFIED;
2756

2757
		if (crypto_memneq(cfm.confirm_val, smp->pcnf, 16))
2758
			return SMP_CONFIRM_FAILED;
2759
	}
2760

2761
	/* Non-initiating device sends its public key after receiving
2762
	 * the key from the initiating device.
2763
	 */
2764
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2765
		err = sc_send_public_key(smp);
2766
		if (err)
2767
			return err;
2768
	}
2769

2770
	SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
2771
	SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
2772

2773
	/* Compute the shared secret on the same crypto tfm on which the private
2774
	 * key was set/generated.
2775
	 */
2776
	if (test_bit(SMP_FLAG_LOCAL_OOB, &smp->flags)) {
2777
		struct l2cap_chan *hchan = hdev->smp_data;
2778
		struct smp_dev *smp_dev;
2779

2780
		if (!hchan || !hchan->data)
2781
			return SMP_UNSPECIFIED;
2782

2783
		smp_dev = hchan->data;
2784

2785
		tfm_ecdh = smp_dev->tfm_ecdh;
2786
	} else {
2787
		tfm_ecdh = smp->tfm_ecdh;
2788
	}
2789

2790
	if (compute_ecdh_secret(tfm_ecdh, smp->remote_pk, smp->dhkey))
2791
		return SMP_UNSPECIFIED;
2792

2793
	SMP_DBG("DHKey %32phN", smp->dhkey);
2794

2795
	set_bit(SMP_FLAG_REMOTE_PK, &smp->flags);
2796

2797
	smp->method = sc_select_method(smp);
2798

2799
	bt_dev_dbg(hdev, "selected method 0x%02x", smp->method);
2800

2801
	/* JUST_WORKS and JUST_CFM result in an unauthenticated key */
2802
	if (smp->method == JUST_WORKS || smp->method == JUST_CFM)
2803
		hcon->pending_sec_level = BT_SECURITY_MEDIUM;
2804
	else
2805
		hcon->pending_sec_level = BT_SECURITY_FIPS;
2806

2807
	if (!crypto_memneq(debug_pk, smp->remote_pk, 64))
2808
		set_bit(SMP_FLAG_DEBUG_KEY, &smp->flags);
2809

2810
	if (smp->method == DSP_PASSKEY) {
2811
		get_random_bytes(&hcon->passkey_notify,
2812
				 sizeof(hcon->passkey_notify));
2813
		hcon->passkey_notify %= 1000000;
2814
		hcon->passkey_entered = 0;
2815
		smp->passkey_round = 0;
2816
		if (mgmt_user_passkey_notify(hdev, &hcon->dst, hcon->type,
2817
					     hcon->dst_type,
2818
					     hcon->passkey_notify,
2819
					     hcon->passkey_entered))
2820
			return SMP_UNSPECIFIED;
2821
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2822
		return sc_passkey_round(smp, SMP_CMD_PUBLIC_KEY);
2823
	}
2824

2825
	if (smp->method == REQ_OOB) {
2826
		if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2827
			smp_send_cmd(conn, SMP_CMD_PAIRING_RANDOM,
2828
				     sizeof(smp->prnd), smp->prnd);
2829

2830
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2831

2832
		return 0;
2833
	}
2834

2835
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2836
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2837

2838
	if (smp->method == REQ_PASSKEY) {
2839
		if (mgmt_user_passkey_request(hdev, &hcon->dst, hcon->type,
2840
					      hcon->dst_type))
2841
			return SMP_UNSPECIFIED;
2842
		SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_CONFIRM);
2843
		set_bit(SMP_FLAG_WAIT_USER, &smp->flags);
2844
		return 0;
2845
	}
2846

2847
	/* The Initiating device waits for the non-initiating device to
2848
	 * send the confirm value.
2849
	 */
2850
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags))
2851
		return 0;
2852

2853
	err = smp_f4(smp->tfm_cmac, smp->local_pk, smp->remote_pk, smp->prnd,
2854
		     0, cfm.confirm_val);
2855
	if (err)
2856
		return SMP_UNSPECIFIED;
2857

2858
	smp_send_cmd(conn, SMP_CMD_PAIRING_CONFIRM, sizeof(cfm), &cfm);
2859
	SMP_ALLOW_CMD(smp, SMP_CMD_PAIRING_RANDOM);
2860

2861
	return 0;
2862
}
2863

2864
static int smp_cmd_dhkey_check(struct l2cap_conn *conn, struct sk_buff *skb)
2865
{
2866
	struct smp_cmd_dhkey_check *check = (void *) skb->data;
2867
	struct l2cap_chan *chan = conn->smp;
2868
	struct hci_conn *hcon = conn->hcon;
2869
	struct smp_chan *smp = chan->data;
2870
	u8 a[7], b[7], *local_addr, *remote_addr;
2871
	u8 io_cap[3], r[16], e[16];
2872
	int err;
2873

2874
	bt_dev_dbg(hcon->hdev, "conn %p", conn);
2875

2876
	if (skb->len < sizeof(*check))
2877
		return SMP_INVALID_PARAMS;
2878

2879
	memcpy(a, &hcon->init_addr, 6);
2880
	memcpy(b, &hcon->resp_addr, 6);
2881
	a[6] = hcon->init_addr_type;
2882
	b[6] = hcon->resp_addr_type;
2883

2884
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2885
		local_addr = a;
2886
		remote_addr = b;
2887
		memcpy(io_cap, &smp->prsp[1], 3);
2888
	} else {
2889
		local_addr = b;
2890
		remote_addr = a;
2891
		memcpy(io_cap, &smp->preq[1], 3);
2892
	}
2893

2894
	memset(r, 0, sizeof(r));
2895

2896
	if (smp->method == REQ_PASSKEY || smp->method == DSP_PASSKEY)
2897
		put_unaligned_le32(hcon->passkey_notify, r);
2898
	else if (smp->method == REQ_OOB)
2899
		memcpy(r, smp->lr, 16);
2900

2901
	err = smp_f6(smp->tfm_cmac, smp->mackey, smp->rrnd, smp->prnd, r,
2902
		     io_cap, remote_addr, local_addr, e);
2903
	if (err)
2904
		return SMP_UNSPECIFIED;
2905

2906
	if (crypto_memneq(check->e, e, 16))
2907
		return SMP_DHKEY_CHECK_FAILED;
2908

2909
	if (!test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2910
		if (test_bit(SMP_FLAG_WAIT_USER, &smp->flags)) {
2911
			set_bit(SMP_FLAG_DHKEY_PENDING, &smp->flags);
2912
			return 0;
2913
		}
2914

2915
		/* Responder sends DHKey check as response to initiator */
2916
		sc_dhkey_check(smp);
2917
	}
2918

2919
	sc_add_ltk(smp);
2920

2921
	if (test_bit(SMP_FLAG_INITIATOR, &smp->flags)) {
2922
		hci_le_start_enc(hcon, 0, 0, smp->tk, smp->enc_key_size);
2923
		hcon->enc_key_size = smp->enc_key_size;
2924
	}
2925

2926
	return 0;
2927
}
2928

2929
static int smp_cmd_keypress_notify(struct l2cap_conn *conn,
2930
				   struct sk_buff *skb)
2931
{
2932
	struct smp_cmd_keypress_notify *kp = (void *) skb->data;
2933

2934
	bt_dev_dbg(conn->hcon->hdev, "value 0x%02x", kp->value);
2935

2936
	return 0;
2937
}
2938

2939
static int smp_sig_channel(struct l2cap_chan *chan, struct sk_buff *skb)
2940
{
2941
	struct l2cap_conn *conn = chan->conn;
2942
	struct hci_conn *hcon = conn->hcon;
2943
	struct smp_chan *smp;
2944
	__u8 code, reason;
2945
	int err = 0;
2946

2947
	if (skb->len < 1)
2948
		return -EILSEQ;
2949

2950
	if (!hci_dev_test_flag(hcon->hdev, HCI_LE_ENABLED)) {
2951
		reason = SMP_PAIRING_NOTSUPP;
2952
		goto done;
2953
	}
2954

2955
	code = skb->data[0];
2956
	skb_pull(skb, sizeof(code));
2957

2958
	smp = chan->data;
2959

2960
	if (code > SMP_CMD_MAX)
2961
		goto drop;
2962

2963
	if (smp && !test_and_clear_bit(code, &smp->allow_cmd)) {
2964
		/* If there is a context and the command is not allowed consider
2965
		 * it a failure so the session is cleanup properly.
2966
		 */
2967
		switch (code) {
2968
		case SMP_CMD_IDENT_INFO:
2969
		case SMP_CMD_IDENT_ADDR_INFO:
2970
		case SMP_CMD_SIGN_INFO:
2971
			/* 3.6.1. Key distribution and generation
2972
			 *
2973
			 * A device may reject a distributed key by sending the
2974
			 * Pairing Failed command with the reason set to
2975
			 * "Key Rejected".
2976
			 */
2977
			smp_failure(conn, SMP_KEY_REJECTED);
2978
			break;
2979
		}
2980
		goto drop;
2981
	}
2982

2983
	/* If we don't have a context the only allowed commands are
2984
	 * pairing request and security request.
2985
	 */
2986
	if (!smp && code != SMP_CMD_PAIRING_REQ && code != SMP_CMD_SECURITY_REQ)
2987
		goto drop;
2988

2989
	switch (code) {
2990
	case SMP_CMD_PAIRING_REQ:
2991
		reason = smp_cmd_pairing_req(conn, skb);
2992
		break;
2993

2994
	case SMP_CMD_PAIRING_FAIL:
2995
		smp_failure(conn, 0);
2996
		err = -EPERM;
2997
		break;
2998

2999
	case SMP_CMD_PAIRING_RSP:
3000
		reason = smp_cmd_pairing_rsp(conn, skb);
3001
		break;
3002

3003
	case SMP_CMD_SECURITY_REQ:
3004
		reason = smp_cmd_security_req(conn, skb);
3005
		break;
3006

3007
	case SMP_CMD_PAIRING_CONFIRM:
3008
		reason = smp_cmd_pairing_confirm(conn, skb);
3009
		break;
3010

3011
	case SMP_CMD_PAIRING_RANDOM:
3012
		reason = smp_cmd_pairing_random(conn, skb);
3013
		break;
3014

3015
	case SMP_CMD_ENCRYPT_INFO:
3016
		reason = smp_cmd_encrypt_info(conn, skb);
3017
		break;
3018

3019
	case SMP_CMD_INITIATOR_IDENT:
3020
		reason = smp_cmd_initiator_ident(conn, skb);
3021
		break;
3022

3023
	case SMP_CMD_IDENT_INFO:
3024
		reason = smp_cmd_ident_info(conn, skb);
3025
		break;
3026

3027
	case SMP_CMD_IDENT_ADDR_INFO:
3028
		reason = smp_cmd_ident_addr_info(conn, skb);
3029
		break;
3030

3031
	case SMP_CMD_SIGN_INFO:
3032
		reason = smp_cmd_sign_info(conn, skb);
3033
		break;
3034

3035
	case SMP_CMD_PUBLIC_KEY:
3036
		reason = smp_cmd_public_key(conn, skb);
3037
		break;
3038

3039
	case SMP_CMD_DHKEY_CHECK:
3040
		reason = smp_cmd_dhkey_check(conn, skb);
3041
		break;
3042

3043
	case SMP_CMD_KEYPRESS_NOTIFY:
3044
		reason = smp_cmd_keypress_notify(conn, skb);
3045
		break;
3046

3047
	default:
3048
		bt_dev_dbg(hcon->hdev, "Unknown command code 0x%2.2x", code);
3049
		reason = SMP_CMD_NOTSUPP;
3050
		goto done;
3051
	}
3052

3053
done:
3054
	if (!err) {
3055
		if (reason)
3056
			smp_failure(conn, reason);
3057
		kfree_skb(skb);
3058
	}
3059

3060
	return err;
3061

3062
drop:
3063
	bt_dev_err(hcon->hdev, "unexpected SMP command 0x%02x from %pMR",
3064
		   code, &hcon->dst);
3065
	kfree_skb(skb);
3066
	return 0;
3067
}
3068

3069
static void smp_teardown_cb(struct l2cap_chan *chan, int err)
3070
{
3071
	struct l2cap_conn *conn = chan->conn;
3072

3073
	bt_dev_dbg(conn->hcon->hdev, "chan %p", chan);
3074

3075
	if (chan->data)
3076
		smp_chan_destroy(conn);
3077

3078
	conn->smp = NULL;
3079
	l2cap_chan_put(chan);
3080
}
3081

3082
static void bredr_pairing(struct l2cap_chan *chan)
3083
{
3084
	struct l2cap_conn *conn = chan->conn;
3085
	struct hci_conn *hcon = conn->hcon;
3086
	struct hci_dev *hdev = hcon->hdev;
3087
	struct smp_chan *smp;
3088

3089
	bt_dev_dbg(hdev, "chan %p", chan);
3090

3091
	/* Only new pairings are interesting */
3092
	if (!test_bit(HCI_CONN_NEW_LINK_KEY, &hcon->flags))
3093
		return;
3094

3095
	/* Don't bother if we're not encrypted */
3096
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3097
		return;
3098

3099
	/* Only initiator may initiate SMP over BR/EDR */
3100
	if (hcon->role != HCI_ROLE_MASTER)
3101
		return;
3102

3103
	/* Secure Connections support must be enabled */
3104
	if (!hci_dev_test_flag(hdev, HCI_SC_ENABLED))
3105
		return;
3106

3107
	/* BR/EDR must use Secure Connections for SMP */
3108
	if (!test_bit(HCI_CONN_AES_CCM, &hcon->flags) &&
3109
	    !hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3110
		return;
3111

3112
	/* If our LE support is not enabled don't do anything */
3113
	if (!hci_dev_test_flag(hdev, HCI_LE_ENABLED))
3114
		return;
3115

3116
	/* Don't bother if remote LE support is not enabled */
3117
	if (!lmp_host_le_capable(hcon))
3118
		return;
3119

3120
	/* Remote must support SMP fixed chan for BR/EDR */
3121
	if (!(conn->remote_fixed_chan & L2CAP_FC_SMP_BREDR))
3122
		return;
3123

3124
	/* Don't bother if SMP is already ongoing */
3125
	if (chan->data)
3126
		return;
3127

3128
	smp = smp_chan_create(conn);
3129
	if (!smp) {
3130
		bt_dev_err(hdev, "unable to create SMP context for BR/EDR");
3131
		return;
3132
	}
3133

3134
	set_bit(SMP_FLAG_SC, &smp->flags);
3135

3136
	bt_dev_dbg(hdev, "starting SMP over BR/EDR");
3137

3138
	smp_send_pairing_req(smp, 0x00);
3139
}
3140

3141
static void smp_resume_cb(struct l2cap_chan *chan)
3142
{
3143
	struct smp_chan *smp = chan->data;
3144
	struct l2cap_conn *conn = chan->conn;
3145
	struct hci_conn *hcon = conn->hcon;
3146

3147
	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3148

3149
	if (hcon->type == ACL_LINK) {
3150
		bredr_pairing(chan);
3151
		return;
3152
	}
3153

3154
	if (!smp)
3155
		return;
3156

3157
	if (!test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3158
		return;
3159

3160
	cancel_delayed_work(&smp->security_timer);
3161

3162
	smp_distribute_keys(smp);
3163
}
3164

3165
static void smp_ready_cb(struct l2cap_chan *chan)
3166
{
3167
	struct l2cap_conn *conn = chan->conn;
3168
	struct hci_conn *hcon = conn->hcon;
3169

3170
	bt_dev_dbg(hcon->hdev, "chan %p", chan);
3171

3172
	/* No need to call l2cap_chan_hold() here since we already own
3173
	 * the reference taken in smp_new_conn_cb(). This is just the
3174
	 * first time that we tie it to a specific pointer. The code in
3175
	 * l2cap_core.c ensures that there's no risk this function won't
3176
	 * get called if smp_new_conn_cb was previously called.
3177
	 */
3178
	conn->smp = chan;
3179

3180
	if (hcon->type == ACL_LINK && test_bit(HCI_CONN_ENCRYPT, &hcon->flags))
3181
		bredr_pairing(chan);
3182
}
3183

3184
static int smp_recv_cb(struct l2cap_chan *chan, struct sk_buff *skb)
3185
{
3186
	int err;
3187

3188
	bt_dev_dbg(chan->conn->hcon->hdev, "chan %p", chan);
3189

3190
	err = smp_sig_channel(chan, skb);
3191
	if (err) {
3192
		struct smp_chan *smp = chan->data;
3193

3194
		if (smp)
3195
			cancel_delayed_work_sync(&smp->security_timer);
3196

3197
		hci_disconnect(chan->conn->hcon, HCI_ERROR_AUTH_FAILURE);
3198
	}
3199

3200
	return err;
3201
}
3202

3203
static struct sk_buff *smp_alloc_skb_cb(struct l2cap_chan *chan,
3204
					unsigned long hdr_len,
3205
					unsigned long len, int nb)
3206
{
3207
	struct sk_buff *skb;
3208

3209
	skb = bt_skb_alloc(hdr_len + len, GFP_KERNEL);
3210
	if (!skb)
3211
		return ERR_PTR(-ENOMEM);
3212

3213
	skb->priority = HCI_PRIO_MAX;
3214
	bt_cb(skb)->l2cap.chan = chan;
3215

3216
	return skb;
3217
}
3218

3219
static const struct l2cap_ops smp_chan_ops = {
3220
	.name			= "Security Manager",
3221
	.ready			= smp_ready_cb,
3222
	.recv			= smp_recv_cb,
3223
	.alloc_skb		= smp_alloc_skb_cb,
3224
	.teardown		= smp_teardown_cb,
3225
	.resume			= smp_resume_cb,
3226

3227
	.new_connection		= l2cap_chan_no_new_connection,
3228
	.state_change		= l2cap_chan_no_state_change,
3229
	.close			= l2cap_chan_no_close,
3230
	.defer			= l2cap_chan_no_defer,
3231
	.suspend		= l2cap_chan_no_suspend,
3232
	.set_shutdown		= l2cap_chan_no_set_shutdown,
3233
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3234
};
3235

3236
static inline struct l2cap_chan *smp_new_conn_cb(struct l2cap_chan *pchan)
3237
{
3238
	struct l2cap_chan *chan;
3239

3240
	BT_DBG("pchan %p", pchan);
3241

3242
	chan = l2cap_chan_create();
3243
	if (!chan)
3244
		return NULL;
3245

3246
	chan->chan_type	= pchan->chan_type;
3247
	chan->ops	= &smp_chan_ops;
3248
	chan->scid	= pchan->scid;
3249
	chan->dcid	= chan->scid;
3250
	chan->imtu	= pchan->imtu;
3251
	chan->omtu	= pchan->omtu;
3252
	chan->mode	= pchan->mode;
3253

3254
	/* Other L2CAP channels may request SMP routines in order to
3255
	 * change the security level. This means that the SMP channel
3256
	 * lock must be considered in its own category to avoid lockdep
3257
	 * warnings.
3258
	 */
3259
	atomic_set(&chan->nesting, L2CAP_NESTING_SMP);
3260

3261
	BT_DBG("created chan %p", chan);
3262

3263
	return chan;
3264
}
3265

3266
static const struct l2cap_ops smp_root_chan_ops = {
3267
	.name			= "Security Manager Root",
3268
	.new_connection		= smp_new_conn_cb,
3269

3270
	/* None of these are implemented for the root channel */
3271
	.close			= l2cap_chan_no_close,
3272
	.alloc_skb		= l2cap_chan_no_alloc_skb,
3273
	.recv			= l2cap_chan_no_recv,
3274
	.state_change		= l2cap_chan_no_state_change,
3275
	.teardown		= l2cap_chan_no_teardown,
3276
	.ready			= l2cap_chan_no_ready,
3277
	.defer			= l2cap_chan_no_defer,
3278
	.suspend		= l2cap_chan_no_suspend,
3279
	.resume			= l2cap_chan_no_resume,
3280
	.set_shutdown		= l2cap_chan_no_set_shutdown,
3281
	.get_sndtimeo		= l2cap_chan_no_get_sndtimeo,
3282
};
3283

3284
static struct l2cap_chan *smp_add_cid(struct hci_dev *hdev, u16 cid)
3285
{
3286
	struct l2cap_chan *chan;
3287
	struct smp_dev *smp;
3288
	struct crypto_shash *tfm_cmac;
3289
	struct crypto_kpp *tfm_ecdh;
3290

3291
	if (cid == L2CAP_CID_SMP_BREDR) {
3292
		smp = NULL;
3293
		goto create_chan;
3294
	}
3295

3296
	smp = kzalloc(sizeof(*smp), GFP_KERNEL);
3297
	if (!smp)
3298
		return ERR_PTR(-ENOMEM);
3299

3300
	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3301
	if (IS_ERR(tfm_cmac)) {
3302
		bt_dev_err(hdev, "Unable to create CMAC crypto context");
3303
		kfree_sensitive(smp);
3304
		return ERR_CAST(tfm_cmac);
3305
	}
3306

3307
	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3308
	if (IS_ERR(tfm_ecdh)) {
3309
		bt_dev_err(hdev, "Unable to create ECDH crypto context");
3310
		crypto_free_shash(tfm_cmac);
3311
		kfree_sensitive(smp);
3312
		return ERR_CAST(tfm_ecdh);
3313
	}
3314

3315
	smp->local_oob = false;
3316
	smp->tfm_cmac = tfm_cmac;
3317
	smp->tfm_ecdh = tfm_ecdh;
3318

3319
create_chan:
3320
	chan = l2cap_chan_create();
3321
	if (!chan) {
3322
		if (smp) {
3323
			crypto_free_shash(smp->tfm_cmac);
3324
			crypto_free_kpp(smp->tfm_ecdh);
3325
			kfree_sensitive(smp);
3326
		}
3327
		return ERR_PTR(-ENOMEM);
3328
	}
3329

3330
	chan->data = smp;
3331

3332
	l2cap_add_scid(chan, cid);
3333

3334
	l2cap_chan_set_defaults(chan);
3335

3336
	if (cid == L2CAP_CID_SMP) {
3337
		u8 bdaddr_type;
3338

3339
		hci_copy_identity_address(hdev, &chan->src, &bdaddr_type);
3340

3341
		if (bdaddr_type == ADDR_LE_DEV_PUBLIC)
3342
			chan->src_type = BDADDR_LE_PUBLIC;
3343
		else
3344
			chan->src_type = BDADDR_LE_RANDOM;
3345
	} else {
3346
		bacpy(&chan->src, &hdev->bdaddr);
3347
		chan->src_type = BDADDR_BREDR;
3348
	}
3349

3350
	chan->state = BT_LISTEN;
3351
	chan->mode = L2CAP_MODE_BASIC;
3352
	chan->imtu = L2CAP_DEFAULT_MTU;
3353
	chan->ops = &smp_root_chan_ops;
3354

3355
	/* Set correct nesting level for a parent/listening channel */
3356
	atomic_set(&chan->nesting, L2CAP_NESTING_PARENT);
3357

3358
	return chan;
3359
}
3360

3361
static void smp_del_chan(struct l2cap_chan *chan)
3362
{
3363
	struct smp_dev *smp;
3364

3365
	BT_DBG("chan %p", chan);
3366

3367
	smp = chan->data;
3368
	if (smp) {
3369
		chan->data = NULL;
3370
		crypto_free_shash(smp->tfm_cmac);
3371
		crypto_free_kpp(smp->tfm_ecdh);
3372
		kfree_sensitive(smp);
3373
	}
3374

3375
	l2cap_chan_put(chan);
3376
}
3377

3378
int smp_force_bredr(struct hci_dev *hdev, bool enable)
3379
{
3380
	if (enable == hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3381
		return -EALREADY;
3382

3383
	if (enable) {
3384
		struct l2cap_chan *chan;
3385

3386
		chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3387
		if (IS_ERR(chan))
3388
			return PTR_ERR(chan);
3389

3390
		hdev->smp_bredr_data = chan;
3391
	} else {
3392
		struct l2cap_chan *chan;
3393

3394
		chan = hdev->smp_bredr_data;
3395
		hdev->smp_bredr_data = NULL;
3396
		smp_del_chan(chan);
3397
	}
3398

3399
	hci_dev_change_flag(hdev, HCI_FORCE_BREDR_SMP);
3400

3401
	return 0;
3402
}
3403

3404
int smp_register(struct hci_dev *hdev)
3405
{
3406
	struct l2cap_chan *chan;
3407

3408
	bt_dev_dbg(hdev, "");
3409

3410
	/* If the controller does not support Low Energy operation, then
3411
	 * there is also no need to register any SMP channel.
3412
	 */
3413
	if (!lmp_le_capable(hdev))
3414
		return 0;
3415

3416
	if (WARN_ON(hdev->smp_data)) {
3417
		chan = hdev->smp_data;
3418
		hdev->smp_data = NULL;
3419
		smp_del_chan(chan);
3420
	}
3421

3422
	chan = smp_add_cid(hdev, L2CAP_CID_SMP);
3423
	if (IS_ERR(chan))
3424
		return PTR_ERR(chan);
3425

3426
	hdev->smp_data = chan;
3427

3428
	if (!lmp_sc_capable(hdev)) {
3429
		/* Flag can be already set here (due to power toggle) */
3430
		if (!hci_dev_test_flag(hdev, HCI_FORCE_BREDR_SMP))
3431
			return 0;
3432
	}
3433

3434
	if (WARN_ON(hdev->smp_bredr_data)) {
3435
		chan = hdev->smp_bredr_data;
3436
		hdev->smp_bredr_data = NULL;
3437
		smp_del_chan(chan);
3438
	}
3439

3440
	chan = smp_add_cid(hdev, L2CAP_CID_SMP_BREDR);
3441
	if (IS_ERR(chan)) {
3442
		int err = PTR_ERR(chan);
3443
		chan = hdev->smp_data;
3444
		hdev->smp_data = NULL;
3445
		smp_del_chan(chan);
3446
		return err;
3447
	}
3448

3449
	hdev->smp_bredr_data = chan;
3450

3451
	return 0;
3452
}
3453

3454
void smp_unregister(struct hci_dev *hdev)
3455
{
3456
	struct l2cap_chan *chan;
3457

3458
	if (hdev->smp_bredr_data) {
3459
		chan = hdev->smp_bredr_data;
3460
		hdev->smp_bredr_data = NULL;
3461
		smp_del_chan(chan);
3462
	}
3463

3464
	if (hdev->smp_data) {
3465
		chan = hdev->smp_data;
3466
		hdev->smp_data = NULL;
3467
		smp_del_chan(chan);
3468
	}
3469
}
3470

3471
#if IS_ENABLED(CONFIG_BT_SELFTEST_SMP)
3472

3473
static int __init test_debug_key(struct crypto_kpp *tfm_ecdh)
3474
{
3475
	u8 pk[64];
3476
	int err;
3477

3478
	err = set_ecdh_privkey(tfm_ecdh, debug_sk);
3479
	if (err)
3480
		return err;
3481

3482
	err = generate_ecdh_public_key(tfm_ecdh, pk);
3483
	if (err)
3484
		return err;
3485

3486
	if (crypto_memneq(pk, debug_pk, 64))
3487
		return -EINVAL;
3488

3489
	return 0;
3490
}
3491

3492
static int __init test_ah(void)
3493
{
3494
	const u8 irk[16] = {
3495
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3496
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3497
	const u8 r[3] = { 0x94, 0x81, 0x70 };
3498
	const u8 exp[3] = { 0xaa, 0xfb, 0x0d };
3499
	u8 res[3];
3500
	int err;
3501

3502
	err = smp_ah(irk, r, res);
3503
	if (err)
3504
		return err;
3505

3506
	if (crypto_memneq(res, exp, 3))
3507
		return -EINVAL;
3508

3509
	return 0;
3510
}
3511

3512
static int __init test_c1(void)
3513
{
3514
	const u8 k[16] = {
3515
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3516
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3517
	const u8 r[16] = {
3518
			0xe0, 0x2e, 0x70, 0xc6, 0x4e, 0x27, 0x88, 0x63,
3519
			0x0e, 0x6f, 0xad, 0x56, 0x21, 0xd5, 0x83, 0x57 };
3520
	const u8 preq[7] = { 0x01, 0x01, 0x00, 0x00, 0x10, 0x07, 0x07 };
3521
	const u8 pres[7] = { 0x02, 0x03, 0x00, 0x00, 0x08, 0x00, 0x05 };
3522
	const u8 _iat = 0x01;
3523
	const u8 _rat = 0x00;
3524
	const bdaddr_t ra = { { 0xb6, 0xb5, 0xb4, 0xb3, 0xb2, 0xb1 } };
3525
	const bdaddr_t ia = { { 0xa6, 0xa5, 0xa4, 0xa3, 0xa2, 0xa1 } };
3526
	const u8 exp[16] = {
3527
			0x86, 0x3b, 0xf1, 0xbe, 0xc5, 0x4d, 0xa7, 0xd2,
3528
			0xea, 0x88, 0x89, 0x87, 0xef, 0x3f, 0x1e, 0x1e };
3529
	u8 res[16];
3530
	int err;
3531

3532
	err = smp_c1(k, r, preq, pres, _iat, &ia, _rat, &ra, res);
3533
	if (err)
3534
		return err;
3535

3536
	if (crypto_memneq(res, exp, 16))
3537
		return -EINVAL;
3538

3539
	return 0;
3540
}
3541

3542
static int __init test_s1(void)
3543
{
3544
	const u8 k[16] = {
3545
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3546
			0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
3547
	const u8 r1[16] = {
3548
			0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 };
3549
	const u8 r2[16] = {
3550
			0x00, 0xff, 0xee, 0xdd, 0xcc, 0xbb, 0xaa, 0x99 };
3551
	const u8 exp[16] = {
3552
			0x62, 0xa0, 0x6d, 0x79, 0xae, 0x16, 0x42, 0x5b,
3553
			0x9b, 0xf4, 0xb0, 0xe8, 0xf0, 0xe1, 0x1f, 0x9a };
3554
	u8 res[16];
3555
	int err;
3556

3557
	err = smp_s1(k, r1, r2, res);
3558
	if (err)
3559
		return err;
3560

3561
	if (crypto_memneq(res, exp, 16))
3562
		return -EINVAL;
3563

3564
	return 0;
3565
}
3566

3567
static int __init test_f4(struct crypto_shash *tfm_cmac)
3568
{
3569
	const u8 u[32] = {
3570
			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3571
			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3572
			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3573
			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3574
	const u8 v[32] = {
3575
			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3576
			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3577
			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3578
			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3579
	const u8 x[16] = {
3580
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3581
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3582
	const u8 z = 0x00;
3583
	const u8 exp[16] = {
3584
			0x2d, 0x87, 0x74, 0xa9, 0xbe, 0xa1, 0xed, 0xf1,
3585
			0x1c, 0xbd, 0xa9, 0x07, 0xf1, 0x16, 0xc9, 0xf2 };
3586
	u8 res[16];
3587
	int err;
3588

3589
	err = smp_f4(tfm_cmac, u, v, x, z, res);
3590
	if (err)
3591
		return err;
3592

3593
	if (crypto_memneq(res, exp, 16))
3594
		return -EINVAL;
3595

3596
	return 0;
3597
}
3598

3599
static int __init test_f5(struct crypto_shash *tfm_cmac)
3600
{
3601
	const u8 w[32] = {
3602
			0x98, 0xa6, 0xbf, 0x73, 0xf3, 0x34, 0x8d, 0x86,
3603
			0xf1, 0x66, 0xf8, 0xb4, 0x13, 0x6b, 0x79, 0x99,
3604
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3605
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3606
	const u8 n1[16] = {
3607
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3608
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3609
	const u8 n2[16] = {
3610
			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3611
			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3612
	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3613
	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3614
	const u8 exp_ltk[16] = {
3615
			0x38, 0x0a, 0x75, 0x94, 0xb5, 0x22, 0x05, 0x98,
3616
			0x23, 0xcd, 0xd7, 0x69, 0x11, 0x79, 0x86, 0x69 };
3617
	const u8 exp_mackey[16] = {
3618
			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3619
			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3620
	u8 mackey[16], ltk[16];
3621
	int err;
3622

3623
	err = smp_f5(tfm_cmac, w, n1, n2, a1, a2, mackey, ltk);
3624
	if (err)
3625
		return err;
3626

3627
	if (crypto_memneq(mackey, exp_mackey, 16))
3628
		return -EINVAL;
3629

3630
	if (crypto_memneq(ltk, exp_ltk, 16))
3631
		return -EINVAL;
3632

3633
	return 0;
3634
}
3635

3636
static int __init test_f6(struct crypto_shash *tfm_cmac)
3637
{
3638
	const u8 w[16] = {
3639
			0x20, 0x6e, 0x63, 0xce, 0x20, 0x6a, 0x3f, 0xfd,
3640
			0x02, 0x4a, 0x08, 0xa1, 0x76, 0xf1, 0x65, 0x29 };
3641
	const u8 n1[16] = {
3642
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3643
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3644
	const u8 n2[16] = {
3645
			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3646
			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3647
	const u8 r[16] = {
3648
			0xc8, 0x0f, 0x2d, 0x0c, 0xd2, 0x42, 0xda, 0x08,
3649
			0x54, 0xbb, 0x53, 0xb4, 0x3b, 0x34, 0xa3, 0x12 };
3650
	const u8 io_cap[3] = { 0x02, 0x01, 0x01 };
3651
	const u8 a1[7] = { 0xce, 0xbf, 0x37, 0x37, 0x12, 0x56, 0x00 };
3652
	const u8 a2[7] = { 0xc1, 0xcf, 0x2d, 0x70, 0x13, 0xa7, 0x00 };
3653
	const u8 exp[16] = {
3654
			0x61, 0x8f, 0x95, 0xda, 0x09, 0x0b, 0x6c, 0xd2,
3655
			0xc5, 0xe8, 0xd0, 0x9c, 0x98, 0x73, 0xc4, 0xe3 };
3656
	u8 res[16];
3657
	int err;
3658

3659
	err = smp_f6(tfm_cmac, w, n1, n2, r, io_cap, a1, a2, res);
3660
	if (err)
3661
		return err;
3662

3663
	if (crypto_memneq(res, exp, 16))
3664
		return -EINVAL;
3665

3666
	return 0;
3667
}
3668

3669
static int __init test_g2(struct crypto_shash *tfm_cmac)
3670
{
3671
	const u8 u[32] = {
3672
			0xe6, 0x9d, 0x35, 0x0e, 0x48, 0x01, 0x03, 0xcc,
3673
			0xdb, 0xfd, 0xf4, 0xac, 0x11, 0x91, 0xf4, 0xef,
3674
			0xb9, 0xa5, 0xf9, 0xe9, 0xa7, 0x83, 0x2c, 0x5e,
3675
			0x2c, 0xbe, 0x97, 0xf2, 0xd2, 0x03, 0xb0, 0x20 };
3676
	const u8 v[32] = {
3677
			0xfd, 0xc5, 0x7f, 0xf4, 0x49, 0xdd, 0x4f, 0x6b,
3678
			0xfb, 0x7c, 0x9d, 0xf1, 0xc2, 0x9a, 0xcb, 0x59,
3679
			0x2a, 0xe7, 0xd4, 0xee, 0xfb, 0xfc, 0x0a, 0x90,
3680
			0x9a, 0xbb, 0xf6, 0x32, 0x3d, 0x8b, 0x18, 0x55 };
3681
	const u8 x[16] = {
3682
			0xab, 0xae, 0x2b, 0x71, 0xec, 0xb2, 0xff, 0xff,
3683
			0x3e, 0x73, 0x77, 0xd1, 0x54, 0x84, 0xcb, 0xd5 };
3684
	const u8 y[16] = {
3685
			0xcf, 0xc4, 0x3d, 0xff, 0xf7, 0x83, 0x65, 0x21,
3686
			0x6e, 0x5f, 0xa7, 0x25, 0xcc, 0xe7, 0xe8, 0xa6 };
3687
	const u32 exp_val = 0x2f9ed5ba % 1000000;
3688
	u32 val;
3689
	int err;
3690

3691
	err = smp_g2(tfm_cmac, u, v, x, y, &val);
3692
	if (err)
3693
		return err;
3694

3695
	if (val != exp_val)
3696
		return -EINVAL;
3697

3698
	return 0;
3699
}
3700

3701
static int __init test_h6(struct crypto_shash *tfm_cmac)
3702
{
3703
	const u8 w[16] = {
3704
			0x9b, 0x7d, 0x39, 0x0a, 0xa6, 0x10, 0x10, 0x34,
3705
			0x05, 0xad, 0xc8, 0x57, 0xa3, 0x34, 0x02, 0xec };
3706
	const u8 key_id[4] = { 0x72, 0x62, 0x65, 0x6c };
3707
	const u8 exp[16] = {
3708
			0x99, 0x63, 0xb1, 0x80, 0xe2, 0xa9, 0xd3, 0xe8,
3709
			0x1c, 0xc9, 0x6d, 0xe7, 0x02, 0xe1, 0x9a, 0x2d };
3710
	u8 res[16];
3711
	int err;
3712

3713
	err = smp_h6(tfm_cmac, w, key_id, res);
3714
	if (err)
3715
		return err;
3716

3717
	if (crypto_memneq(res, exp, 16))
3718
		return -EINVAL;
3719

3720
	return 0;
3721
}
3722

3723
static char test_smp_buffer[32];
3724

3725
static ssize_t test_smp_read(struct file *file, char __user *user_buf,
3726
			     size_t count, loff_t *ppos)
3727
{
3728
	return simple_read_from_buffer(user_buf, count, ppos, test_smp_buffer,
3729
				       strlen(test_smp_buffer));
3730
}
3731

3732
static const struct file_operations test_smp_fops = {
3733
	.open		= simple_open,
3734
	.read		= test_smp_read,
3735
	.llseek		= default_llseek,
3736
};
3737

3738
static int __init run_selftests(struct crypto_shash *tfm_cmac,
3739
				struct crypto_kpp *tfm_ecdh)
3740
{
3741
	ktime_t calltime, delta, rettime;
3742
	unsigned long long duration;
3743
	int err;
3744

3745
	calltime = ktime_get();
3746

3747
	err = test_debug_key(tfm_ecdh);
3748
	if (err) {
3749
		BT_ERR("debug_key test failed");
3750
		goto done;
3751
	}
3752

3753
	err = test_ah();
3754
	if (err) {
3755
		BT_ERR("smp_ah test failed");
3756
		goto done;
3757
	}
3758

3759
	err = test_c1();
3760
	if (err) {
3761
		BT_ERR("smp_c1 test failed");
3762
		goto done;
3763
	}
3764

3765
	err = test_s1();
3766
	if (err) {
3767
		BT_ERR("smp_s1 test failed");
3768
		goto done;
3769
	}
3770

3771
	err = test_f4(tfm_cmac);
3772
	if (err) {
3773
		BT_ERR("smp_f4 test failed");
3774
		goto done;
3775
	}
3776

3777
	err = test_f5(tfm_cmac);
3778
	if (err) {
3779
		BT_ERR("smp_f5 test failed");
3780
		goto done;
3781
	}
3782

3783
	err = test_f6(tfm_cmac);
3784
	if (err) {
3785
		BT_ERR("smp_f6 test failed");
3786
		goto done;
3787
	}
3788

3789
	err = test_g2(tfm_cmac);
3790
	if (err) {
3791
		BT_ERR("smp_g2 test failed");
3792
		goto done;
3793
	}
3794

3795
	err = test_h6(tfm_cmac);
3796
	if (err) {
3797
		BT_ERR("smp_h6 test failed");
3798
		goto done;
3799
	}
3800

3801
	rettime = ktime_get();
3802
	delta = ktime_sub(rettime, calltime);
3803
	duration = (unsigned long long) ktime_to_ns(delta) >> 10;
3804

3805
	BT_INFO("SMP test passed in %llu usecs", duration);
3806

3807
done:
3808
	if (!err)
3809
		snprintf(test_smp_buffer, sizeof(test_smp_buffer),
3810
			 "PASS (%llu usecs)\n", duration);
3811
	else
3812
		snprintf(test_smp_buffer, sizeof(test_smp_buffer), "FAIL\n");
3813

3814
	debugfs_create_file("selftest_smp", 0444, bt_debugfs, NULL,
3815
			    &test_smp_fops);
3816

3817
	return err;
3818
}
3819

3820
int __init bt_selftest_smp(void)
3821
{
3822
	struct crypto_shash *tfm_cmac;
3823
	struct crypto_kpp *tfm_ecdh;
3824
	int err;
3825

3826
	tfm_cmac = crypto_alloc_shash("cmac(aes)", 0, 0);
3827
	if (IS_ERR(tfm_cmac)) {
3828
		BT_ERR("Unable to create CMAC crypto context");
3829
		return PTR_ERR(tfm_cmac);
3830
	}
3831

3832
	tfm_ecdh = crypto_alloc_kpp("ecdh-nist-p256", 0, 0);
3833
	if (IS_ERR(tfm_ecdh)) {
3834
		BT_ERR("Unable to create ECDH crypto context");
3835
		crypto_free_shash(tfm_cmac);
3836
		return PTR_ERR(tfm_ecdh);
3837
	}
3838

3839
	err = run_selftests(tfm_cmac, tfm_ecdh);
3840

3841
	crypto_free_shash(tfm_cmac);
3842
	crypto_free_kpp(tfm_ecdh);
3843

3844
	return err;
3845
}
3846

3847
#endif
3848

3849